lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

This is the 5.4.187 stable release

Browse Source 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmI61mcACgkQONu9yGCS
 aT5KWhAAn01XqrGhfEFDz7+Eql3f88DsB+TLl6FXHwOa6KYFeAmNlJkA77FxP/A7
 1KGqC1GhmsiKRK/mEeHC74wwovoqqxolPjsierXVCO2eWjx7QvVx0Bv6MR39Mbsg
 HOz2TCaiUnw4jUEAbnEaMD1sUwRwwH5y66QwnRmoTIlFDvm4/MngrgOufwhbC0Og
 CT3HtdazivtH8E6JRehre/LWxXa3HMct4NdVzOWg7c3mGqF4pGmRirFE7zpenukX
 g1PDtdfoV90GiqwBkswyU4i/R5Lp6OnanExUJtvTthZb3OtnLgnmqoKTv4oSIxQm
 3mjHwQJ4LYAViy3qI7zB1XFzFen45EzBwqwEyUch7748egtekahYhkXIol/yjqIK
 SY8mzwgmaAT0lSGQZHF40Ezs9fiFyIjbKlKQjB1TC4r3Tdo0JJSpX96lHGxWHN8A
 YHE/6Bh2IbEpfjZvakANA7PAZQAlIIiaKq0niCgPFs79TAT1mQ+Dj4Em7FiqLAIQ
 GZd1w+Gpf7zYd6a20flgEehZV4thB1xxd6ur1N8AyI5D+C1tAc35eJXdFVjid6bd
 iVVMshGCFkW4MH+n+0ABhRVTkAQYgiBdQ1Wcu7z6k9uVUhL+DBfWo8hnHBW7B1hv
 vSmku9DfpCbu3nnIHiPR7wvImRBBqbkL4TUKMxdKHG3sLbgTbcw=
 =r5Rq
 -----END PGP SIGNATURE-----

Merge 5.4.187 into android11-5.4-lts

Changes in 5.4.187
	crypto: qcom-rng - ensure buffer for generate is completely filled
	ocfs2: fix crash when initialize filecheck kobj fails
	efi: fix return value of __setup handlers
	net: phy: marvell: Fix invalid comparison in the resume and suspend functions
	net/packet: fix slab-out-of-bounds access in packet_recvmsg()
	atm: eni: Add check for dma_map_single
	hv_netvsc: Add check for kvmalloc_array
	drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings
	net: handle ARPHRD_PIMREG in dev_is_mac_header_xmit()
	net: dsa: Add missing of_node_put() in dsa_port_parse_of
	arm64: fix clang warning about TRAMP_VALIAS
	usb: gadget: rndis: prevent integer overflow in rndis_set_response()
	usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
	usb: usbtmc: Fix bug in pipe direction for control transfers
	Input: aiptek - properly check endpoint type
	perf symbols: Fix symbol size calculation condition
	Revert "selftests/bpf: Add test for bpf_timer overwriting crash"
	Linux 5.4.187

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I84169465999929274ca2d260c278378d16086f39
This commit is contained in:
Greg Kroah-Hartman 2022-03-23 12:28:18 +01:00
commit 400a374bce
18 changed files with 63 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -1,7 +1,7 @@
# SPDX-License-Identifier: GPL-2.0
VERSION = 5
PATCHLEVEL = 4
SUBLEVEL = 186
SUBLEVEL = 187
EXTRAVERSION =
NAME = Kleptomaniac Octopus

4
arch/arm64/include/asm/vectors.h
View File

@ -56,14 +56,14 @@ enum arm64_bp_harden_el1_vectors {
DECLARE_PER_CPU_READ_MOSTLY(const char *, this_cpu_vector);
#ifndef CONFIG_UNMAP_KERNEL_AT_EL0
#define TRAMP_VALIAS 0
#define TRAMP_VALIAS 0ul
#endif
static inline const char *
arm64_get_bp_hardening_vector(enum arm64_bp_harden_el1_vectors slot)
{
if (arm64_kernel_unmapped_at_el0())
return (char *)TRAMP_VALIAS + SZ_2K * slot;
return (char *)(TRAMP_VALIAS + SZ_2K * slot);
WARN_ON_ONCE(slot == EL1_VECTOR_KPTI);

2
drivers/atm/eni.c
View File

@ -1116,6 +1116,8 @@ DPRINTK("iovcnt = %d\n",skb_shinfo(skb)->nr_frags);
}
paddr = dma_map_single(&eni_dev->pci_dev->dev,skb->data,skb->len,
DMA_TO_DEVICE);
if (dma_mapping_error(&eni_dev->pci_dev->dev, paddr))
return enq_next;
ENI_PRV_PADDR(skb) = paddr;
/* prepare DMA queue entries */
j = 0;

17
drivers/crypto/qcom-rng.c
View File

@ -7,6 +7,7 @@
#include <linux/acpi.h>
#include <linux/clk.h>
#include <linux/crypto.h>
#include <linux/iopoll.h>
#include <linux/module.h>
#include <linux/of.h>
#include <linux/platform_device.h>
@ -42,16 +43,19 @@ static int qcom_rng_read(struct qcom_rng *rng, u8 *data, unsigned int max)
{
unsigned int currsize = 0;
u32 val;
int ret;
/* read random data from hardware */
do {
val = readl_relaxed(rng->base + PRNG_STATUS);
if (!(val & PRNG_STATUS_DATA_AVAIL))
break;
ret = readl_poll_timeout(rng->base + PRNG_STATUS, val,
val & PRNG_STATUS_DATA_AVAIL,
200, 10000);
if (ret)
return ret;
val = readl_relaxed(rng->base + PRNG_DATA_OUT);
if (!val)
break;
return -EINVAL;
if ((max - currsize) >= WORD_SZ) {
memcpy(data, &val, WORD_SZ);
@ -60,11 +64,10 @@ static int qcom_rng_read(struct qcom_rng *rng, u8 *data, unsigned int max)
} else {
/* copy only remaining bytes */
memcpy(data, &val, max - currsize);
break;
}
} while (currsize < max);
return currsize;
return 0;
}
static int qcom_rng_generate(struct crypto_rng *tfm,
@ -86,7 +89,7 @@ static int qcom_rng_generate(struct crypto_rng *tfm,
mutex_unlock(&rng->lock);
clk_disable_unprepare(rng->clk);
return 0;
return ret;
}
static int qcom_rng_seed(struct crypto_rng *tfm, const u8 *seed,

2
drivers/firmware/efi/apple-properties.c
View File

@ -23,7 +23,7 @@ static bool dump_properties __initdata;
static int __init dump_properties_enable(char *arg)
{
dump_properties = true;
return 0;
return 1;
}
__setup("dump_apple_properties", dump_properties_enable);

2
drivers/firmware/efi/efi.c
View File

@ -231,7 +231,7 @@ static int __init efivar_ssdt_setup(char *str)
memcpy(efivar_ssdt, str, strlen(str));
else
pr_warn("efivar_ssdt: name too long: %s\n", str);
return 0;
return 1;
}
__setup("efivar_ssdt=", efivar_ssdt_setup);

2
drivers/gpu/drm/panel/panel-simple.c
View File

@ -1619,7 +1619,7 @@ static const struct display_timing innolux_g070y2_l01_timing = {
static const struct panel_desc innolux_g070y2_l01 = {
.timings = &innolux_g070y2_l01_timing,
.num_timings = 1,
.bpc = 6,
.bpc = 8,
.size = {
.width = 152,
.height = 91,

10
drivers/input/tablet/aiptek.c
View File

@ -1801,15 +1801,13 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
/* Verify that a device really has an endpoint */
if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
err = usb_find_common_endpoints(intf->cur_altsetting,
NULL, NULL, &endpoint, NULL);
if (err) {
dev_err(&intf->dev,
"interface has %d endpoints, but must have minimum 1\n",
intf->cur_altsetting->desc.bNumEndpoints);
err = -EINVAL;
"interface has no int in endpoints, but must have minimum 1\n");
goto fail3;
}
endpoint = &intf->cur_altsetting->endpoint[0].desc;
/* Go set up our URB, which is called when the tablet receives
* input.

3
drivers/net/hyperv/netvsc_drv.c
View File

@ -1445,6 +1445,9 @@ static void netvsc_get_ethtool_stats(struct net_device *dev,
pcpu_sum = kvmalloc_array(num_possible_cpus(),
sizeof(struct netvsc_ethtool_pcpu_stats),
GFP_KERNEL);
if (!pcpu_sum)
return;
netvsc_get_pcpu_stats(dev, pcpu_sum);
for_each_present_cpu(cpu) {
struct netvsc_ethtool_pcpu_stats *this_sum = &pcpu_sum[cpu];

8
drivers/net/phy/marvell.c
View File

@ -1408,8 +1408,8 @@ static int marvell_suspend(struct phy_device *phydev)
int err;
/* Suspend the fiber mode first */
if (!linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
phydev->supported)) {
if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
phydev->supported)) {
err = marvell_set_page(phydev, MII_MARVELL_FIBER_PAGE);
if (err < 0)
goto error;
@ -1443,8 +1443,8 @@ static int marvell_resume(struct phy_device *phydev)
int err;
/* Resume the fiber mode first */
if (!linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
phydev->supported)) {
if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
phydev->supported)) {
err = marvell_set_page(phydev, MII_MARVELL_FIBER_PAGE);
if (err < 0)
goto error;

13
drivers/usb/class/usbtmc.c
View File

@ -1889,6 +1889,7 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
struct usbtmc_ctrlrequest request;
u8 *buffer = NULL;
int rv;
unsigned int is_in, pipe;
unsigned long res;
res = copy_from_user(&request, arg, sizeof(struct usbtmc_ctrlrequest));
@ -1898,12 +1899,14 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
if (request.req.wLength > USBTMC_BUFSIZE)
return -EMSGSIZE;
is_in = request.req.bRequestType & USB_DIR_IN;
if (request.req.wLength) {
buffer = kmalloc(request.req.wLength, GFP_KERNEL);
if (!buffer)
return -ENOMEM;
if ((request.req.bRequestType & USB_DIR_IN) == 0) {
if (!is_in) {
/* Send control data to device */
res = copy_from_user(buffer, request.data,
request.req.wLength);
@ -1914,8 +1917,12 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
}
}
if (is_in)
pipe = usb_rcvctrlpipe(data->usb_dev, 0);
else
pipe = usb_sndctrlpipe(data->usb_dev, 0);
rv = usb_control_msg(data->usb_dev,
usb_rcvctrlpipe(data->usb_dev, 0),
pipe,
request.req.bRequest,
request.req.bRequestType,
request.req.wValue,
@ -1927,7 +1934,7 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
goto exit;
}
if (rv && (request.req.bRequestType & USB_DIR_IN)) {
if (rv && is_in) {
/* Read control data from device */
res = copy_to_user(request.data, buffer, rv);
if (res)

22
fs/ocfs2/super.c
View File

@ -1100,17 +1100,6 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
goto read_super_error;
}
root = d_make_root(inode);
if (!root) {
status = -ENOMEM;
mlog_errno(status);
goto read_super_error;
}
sb->s_root = root;
ocfs2_complete_mount_recovery(osb);
osb->osb_dev_kset = kset_create_and_add(sb->s_id, NULL,
&ocfs2_kset->kobj);
if (!osb->osb_dev_kset) {
@ -1128,6 +1117,17 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
goto read_super_error;
}
root = d_make_root(inode);
if (!root) {
status = -ENOMEM;
mlog_errno(status);
goto read_super_error;
}
sb->s_root = root;
ocfs2_complete_mount_recovery(osb);
if (ocfs2_mount_local(osb))
snprintf(nodestr, sizeof(nodestr), "local");
else

1
include/linux/if_arp.h
View File

@ -51,6 +51,7 @@ static inline bool dev_is_mac_header_xmit(const struct net_device *dev)
case ARPHRD_VOID:
case ARPHRD_NONE:
case ARPHRD_RAWIP:
case ARPHRD_PIMREG:
return false;
default:
return true;

1
net/dsa/dsa2.c
View File

@ -669,6 +669,7 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn)
struct net_device *master;
master = of_find_net_device_by_node(ethernet);
of_node_put(ethernet);
if (!master)
return -EPROBE_DEFER;

11
net/packet/af_packet.c
View File

@ -2256,8 +2256,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
copy_skb = skb_get(skb);
skb_head = skb->data;
}
if (copy_skb)
if (copy_skb) {
memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0,
sizeof(PACKET_SKB_CB(copy_skb)->sa.ll));
skb_set_owner_r(copy_skb, sk);
}
}
snaplen = po->rx_ring.frame_size - macoff;
if ((int)snaplen < 0) {
@ -3403,6 +3406,8 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
sock_recv_ts_and_drops(msg, sk, skb);
if (msg->msg_name) {
const size_t max_len = min(sizeof(skb->cb),
sizeof(struct sockaddr_storage));
int copy_len;
/* If the address length field is there to be filled
@ -3425,6 +3430,10 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
msg->msg_namelen = sizeof(struct sockaddr_ll);
}
}
if (WARN_ON_ONCE(copy_len > max_len)) {
copy_len = max_len;
msg->msg_namelen = copy_len;
}
memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
}

2
tools/perf/util/symbol.c
View File

@ -231,7 +231,7 @@ void symbols__fixup_end(struct rb_root_cached *symbols)
prev = curr;
curr = rb_entry(nd, struct symbol, rb_node);
if (prev->end == prev->start && prev->end != curr->start)
if (prev->end == prev->start || prev->end != curr->start)
arch__symbols__fixup_end(prev, curr);
}

32
tools/testing/selftests/bpf/prog_tests/timer_crash.c
View File

@ -1,32 +0,0 @@
// SPDX-License-Identifier: GPL-2.0
#include <test_progs.h>
#include "timer_crash.skel.h"
enum {
MODE_ARRAY,
MODE_HASH,
};
static void test_timer_crash_mode(int mode)
{
struct timer_crash *skel;
skel = timer_crash__open_and_load();
if (!ASSERT_OK_PTR(skel, "timer_crash__open_and_load"))
return;
skel->bss->pid = getpid();
skel->bss->crash_map = mode;
if (!ASSERT_OK(timer_crash__attach(skel), "timer_crash__attach"))
goto end;
usleep(1);
end:
timer_crash__destroy(skel);
}
void test_timer_crash(void)
{
if (test__start_subtest("array"))
test_timer_crash_mode(MODE_ARRAY);
if (test__start_subtest("hash"))
test_timer_crash_mode(MODE_HASH);
}

54
tools/testing/selftests/bpf/progs/timer_crash.c
View File

@ -1,54 +0,0 @@
// SPDX-License-Identifier: GPL-2.0
#include <vmlinux.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_helpers.h>
struct map_elem {
struct bpf_timer timer;
struct bpf_spin_lock lock;
};
struct {
__uint(type, BPF_MAP_TYPE_ARRAY);
__uint(max_entries, 1);
__type(key, int);
__type(value, struct map_elem);
} amap SEC(".maps");
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(max_entries, 1);
__type(key, int);
__type(value, struct map_elem);
} hmap SEC(".maps");
int pid = 0;
int crash_map = 0; /* 0 for amap, 1 for hmap */
SEC("fentry/do_nanosleep")
int sys_enter(void *ctx)
{
struct map_elem *e, value = {};
void *map = crash_map ? (void *)&hmap : (void *)&amap;
if (bpf_get_current_task_btf()->tgid != pid)
return 0;
*(void **)&value = (void *)0xdeadcaf3;
bpf_map_update_elem(map, &(int){0}, &value, 0);
/* For array map, doing bpf_map_update_elem will do a
* check_and_free_timer_in_array, which will trigger the crash if timer
* pointer was overwritten, for hmap we need to use bpf_timer_cancel.
*/
if (crash_map == 1) {
e = bpf_map_lookup_elem(map, &(int){0});
if (!e)
return 0;
bpf_timer_cancel(&e->timer);
}
return 0;
}
char _license[] SEC("license") = "GPL";