15
404 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
LuK1337
|
7751efe439
|
HACK: binder: Disable freeze related ioctls
This disables Android's app freezer feature, which just happens to be very unstable on Android 13. Incidentally, this is also disabled on stock ROM, for unknown reason. Let's hope that we can revert this on Android 14 ^.^ Fixes: https://gitlab.com/LineageOS/issues/android/-/issues/5384 Change-Id: I9c9074569807f696fe4b4b5ec77ce235b00dcaaf |
||
Michael Bestas
|
a421f676d6
|
Merge tag 'ASB-2024-10-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2024-10-01 * tag 'ASB-2024-10-05_11-5.4' of https://android.googlesource.com/kernel/common: (397 commits) Linux 5.4.283 scsi: aacraid: Fix double-free on probe failure net: dsa: mv8e6xxx: Fix stub function parameters usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() usb: dwc3: st: add missing depopulate in probe error path usb: dwc3: st: fix probed platform device ref count on probe error path usb: dwc3: core: Prevent USB core invalid event buffer address access usb: dwc3: omap: add missing depopulate in probe error path USB: serial: option: add MeiG Smart SRM825L cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller soc: qcom: cmd-db: Map shared memory as WC, not WB nfc: pn533: Add poll mod list filling check nfc: pn533: Add autopoll capability nfc: pn533: Add dev_up/dev_down hooks to phy_ops net: busy-poll: use ktime_get_ns() instead of local_clock() gtp: fix a potential NULL pointer dereference ethtool: check device is present when getting link settings r8152: Factor out OOB link list waits soundwire: stream: fix programming slave ports for non-continous port maps net:rds: Fix possible deadlock in rds_message_put ... Change-Id: Ia6559a770f5db990f2bf6e5a034c63e3d7df4510 |
||
|
Michael Bestas
|
123d88374f
|
Merge tag 'ASB-2024-09-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2024-09-01 CVE-2024-36972 * tag 'ASB-2024-09-05_11-5.4' of https://android.googlesource.com/kernel/common: (59 commits) ANDROID: delete tool added by mistake ANDROID: fix ENOMEM check of binder_proc_ext ANDROID: binder: fix KMI issues due to frozen notification BACKPORT: FROMGIT: binder: frozen notification binder_features flag BACKPORT: FROMGIT: binder: frozen notification BACKPORT: selftests/binderfs: add test for feature files UPSTREAM: docs: binderfs: add section about feature files BACKPORT: binderfs: add support for feature files FROMLIST: binder: fix memory leaks of spam and pending work FROMGIT: Binder: add TF_UPDATE_TXN to replace outdated txn BACKPORT: binder: tell userspace to dump current backtrace when detected oneway spamming UPSTREAM: net: sched: sch_multiq: fix possible OOB write in multiq_tune() FROMLIST: binder: fix UAF caused by offsets overwrite Revert "net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()" Linux 5.4.281 tap: add missing verification for short frame tun: add missing verification for short frame filelock: Fix fcntl/close race recovery compat path ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 jfs: don't walk off the end of ealist ... Conflicts: drivers/android/binder.c include/uapi/linux/android/binder.h Change-Id: I0cdb84a8241c0abaf6e5fad140ed19480655d53c |
||
Greg Kroah-Hartman
|
b8b210d80a |
Merge tag 'android11-5.4.283_r00' into android11-5.4
This merges up to the 5.4.283 LTS release into android11-5.4. Included in here are the following commits: * |
||
Carlos Llamas
|
a03c6437cf |
ANDROID: fix ENOMEM check of binder_proc_ext
The check should be done against 'eproc' before it gets dereferenced.
Fixes: d49297739550 ("BACKPORT: binder: use euid from cred instead of using task")
Change-Id: Ief0c08212c4da8bdfdf628474de9dd30ee5a8db0
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Carlos Llamas
|
be02156857 |
ANDROID: binder: fix KMI issues due to frozen notification
The patches to support binder's frozen notification feature break the
KMI. This change fixes such issues by (1) moving proc->delivered_freeze
into the existing proc_wrapper struction, (2) dropping the frozen stats
support and (3) amending the STG due to a harmless enum binder_work_type
addition.
These are the reported KMI issues fixed by this patch:
function symbol 'int __traceiter_binder_transaction_received(void*, struct binder_transaction*)' changed
CRC changed from 0x74e9c98b to 0xfe0f8640
type 'struct binder_proc' changed
byte size changed from 584 to 632
member 'struct list_head delivered_death' changed
offset changed by 256
member 'struct list_head delivered_freeze' was added
13 members ('u32 max_threads' .. 'u64 android_oem_data1') changed
offset changed by 384
type 'struct binder_thread' changed
byte size changed from 464 to 496
2 members ('atomic_t tmp_ref' .. 'bool is_dead') changed
offset changed by 224
4 members ('struct task_struct* task' .. 'enum binder_prio_state prio_state') changed
offset changed by 256
type 'struct binder_stats' changed
byte size changed from 216 to 244
member changed from 'atomic_t br[21]' to 'atomic_t br[23]'
type changed from 'atomic_t[21]' to 'atomic_t[23]'
number of elements changed from 21 to 23
member changed from 'atomic_t bc[19]' to 'atomic_t bc[22]'
offset changed from 672 to 736
type changed from 'atomic_t[19]' to 'atomic_t[22]'
number of elements changed from 19 to 22
member changed from 'atomic_t obj_created[7]' to 'atomic_t obj_created[8]'
offset changed from 1280 to 1440
type changed from 'atomic_t[7]' to 'atomic_t[8]'
number of elements changed from 7 to 8
member changed from 'atomic_t obj_deleted[7]' to 'atomic_t obj_deleted[8]'
offset changed from 1504 to 1696
type changed from 'atomic_t[7]' to 'atomic_t[8]'
number of elements changed from 7 to 8
type 'enum binder_work_type' changed
enumerator 'BINDER_WORK_FROZEN_BINDER' (10) was added
enumerator 'BINDER_WORK_CLEAR_FREEZE_NOTIFICATION' (11) was added
Bug: 363013421
Change-Id: If9f1f14a2eda215a4c9cb0823c50c8e0e8079ef1
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
Yu-Ting Tseng
|
1063c2fa62 |
BACKPORT: FROMGIT: binder: frozen notification binder_features flag
Add a flag to binder_features to indicate that the freeze notification feature is available. Signed-off-by: Yu-Ting Tseng <yutingtseng@google.com> Acked-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20240709070047.4055369-6-yutingtseng@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 363013421 (cherry picked from commit 30b968b002a92870325a5c9d1ce78eba0ce386e7 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next) Change-Id: Ic26c8ae42d27c6fd8f5daed5eecabd1652e29502 [cmllamas: fix trivial conflicts due to missing extended_error] Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Yu-Ting Tseng
|
d1e87637cd |
BACKPORT: FROMGIT: binder: frozen notification
Frozen processes present a significant challenge in binder transactions. When a process is frozen, it cannot, by design, accept and/or respond to binder transactions. As a result, the sender needs to adjust its behavior, such as postponing transactions until the peer process unfreezes. However, there is currently no way to subscribe to these state change events, making it impossible to implement frozen-aware behaviors efficiently. Introduce a binder API for subscribing to frozen state change events. This allows programs to react to changes in peer process state, mitigating issues related to binder transactions sent to frozen processes. Implementation details: For a given binder_ref, the state of frozen notification can be one of the followings: 1. Userspace doesn't want a notification. binder_ref->freeze is null. 2. Userspace wants a notification but none is in flight. list_empty(&binder_ref->freeze->work.entry) = true 3. A notification is in flight and waiting to be read by userspace. binder_ref_freeze.sent is false. 4. A notification was read by userspace and kernel is waiting for an ack. binder_ref_freeze.sent is true. When a notification is in flight, new state change events are coalesced into the existing binder_ref_freeze struct. If userspace hasn't picked up the notification yet, the driver simply rewrites the state. Otherwise, the notification is flagged as requiring a resend, which will be performed once userspace acks the original notification that's inflight. See https://r.android.com/3070045 for how userspace is going to use this feature. Signed-off-by: Yu-Ting Tseng <yutingtseng@google.com> Acked-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20240709070047.4055369-4-yutingtseng@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 363013421 (cherry picked from commit d579b04a52a183db47dfcb7a44304d7747d551e1 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next) Change-Id: I5dd32abba932ca7d03ae58660143e075ed778b81 [cmllamas: fix merge conflicts due to missing 0567461a7a6e] Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Carlos Llamas
|
460de65538 |
BACKPORT: binderfs: add support for feature files
Provide userspace with a mechanism to discover features supported by the binder driver to refrain from using any unsupported ones in the first place. Starting with "oneway_spam_detection" only new features are to be listed under binderfs and all previous ones are assumed to be supported. Assuming an instance of binderfs has been mounted at /dev/binderfs, binder feature files can be found under /dev/binderfs/features/. Usage example: $ mkdir /dev/binderfs $ mount -t binder binder /dev/binderfs $ cat /dev/binderfs/features/oneway_spam_detection 1 Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20210715031805.1725878-1-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit fc470abf54b2bd6e539065e07905e767b443d719) Bug: 191910201 Signed-off-by: Carlos Llamas <cmllamas@google.com> [cmllamas: fix merge conflicts due to missing 095cf502b31e] Change-Id: Ia5c03aa1881981bee26459e741134b83d5b59693 |
||
|
Carlos Llamas
|
31f1f4b2aa |
FROMLIST: binder: fix memory leaks of spam and pending work
commit 1aa3aaf8953c84bad398adf6c3cabc9d6685bf7d upstream
A transaction complete work is allocated and queued for each
transaction. Under certain conditions the work->type might be marked as
BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT to notify userspace about
potential spamming threads or as BINDER_WORK_TRANSACTION_PENDING when
the target is currently frozen.
However, these work types are not being handled in binder_release_work()
so they will leak during a cleanup. This was reported by syzkaller with
the following kmemleak dump:
BUG: memory leak
unreferenced object 0xffff88810e2d6de0 (size 32):
comm "syz-executor338", pid 5046, jiffies 4294968230 (age 13.590s)
hex dump (first 32 bytes):
e0 6d 2d 0e 81 88 ff ff e0 6d 2d 0e 81 88 ff ff .m-......m-.....
04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff81573b75>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[<ffffffff83d41873>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff83d41873>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83d41873>] binder_transaction+0x573/0x4050 drivers/android/binder.c:3152
[<ffffffff83d45a05>] binder_thread_write+0x6b5/0x1860 drivers/android/binder.c:4010
[<ffffffff83d486dc>] binder_ioctl_write_read drivers/android/binder.c:5066 [inline]
[<ffffffff83d486dc>] binder_ioctl+0x1b2c/0x3cf0 drivers/android/binder.c:5352
[<ffffffff816b25f2>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff816b25f2>] __do_sys_ioctl fs/ioctl.c:871 [inline]
[<ffffffff816b25f2>] __se_sys_ioctl fs/ioctl.c:857 [inline]
[<ffffffff816b25f2>] __x64_sys_ioctl+0xf2/0x140 fs/ioctl.c:857
[<ffffffff84b30008>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b30008>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fix the leaks by kfreeing these work types in binder_release_work() and
handle them as a BINDER_WORK_TRANSACTION_COMPLETE cleanup.
Cc: stable@vger.kernel.org
Fixes: a7dc1e6f99df ("binder: tell userspace to dump current backtrace when detected oneway spamming")
Reported-by: syzbot+7f10c1653e35933c0f1e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7f10c1653e35933c0f1e
Suggested-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20230922175138.230331-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[cmllamas: backport to v5.15 by dropping BINDER_WORK_TRANSACTION_PENDING
as commit 0567461a7a6e is not present. Remove fixes tag accordingly.]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Link: https://lore.kernel.org/all/20231208034842.997899-1-cmllamas@google.com/
Change-Id: I8e1ee7af87ef5706544e4f320e9498b8f4855a6b
[cmllamas: also backport to v5.4 to fix OOT 8a09136176f6]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
Li Li
|
334fe73bdd |
FROMGIT: Binder: add TF_UPDATE_TXN to replace outdated txn
When the target process is busy, incoming oneway transactions are queued in the async_todo list. If the clients continue sending extra oneway transactions while the target process is frozen, this queue can become too large to accommodate new transactions. That's why binder driver introduced ONEWAY_SPAM_DETECTION to detect this situation. It's helpful to debug the async binder buffer exhausting issue, but the issue itself isn't solved directly. In real cases applications are designed to send oneway transactions repeatedly, delivering updated inforamtion to the target process. Typical examples are Wi-Fi signal strength and some real time sensor data. Even if the apps might only care about the lastet information, all outdated oneway transactions are still accumulated there until the frozen process is thawed later. For this kind of situations, there's no existing method to skip those outdated transactions and deliver the latest one only. This patch introduces a new transaction flag TF_UPDATE_TXN. To use it, use apps can set this new flag along with TF_ONE_WAY. When such an oneway transaction is to be queued into the async_todo list of a frozen process, binder driver will check if any previous pending transactions can be superseded by comparing their code, flags and target node. If such an outdated pending transaction is found, the latest transaction will supersede that outdated one. This effectively prevents the async binder buffer running out and saves unnecessary binder read workloads. Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Li Li <dualli@google.com> Link: https://lore.kernel.org/r/20220526220018.3334775-2-dualli@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 231624308 Test: manually check async binder buffer size of frozen apps Test: stress test with kernel 4.14/4.19/5.10/5.15 (cherry picked from commit 9864bb4801331daa48514face9d0f4861e4d485b git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next) Change-Id: I1c4bff1eda1ca15aaaad5bf696c8fc00be743176 |
||
Hang Lu
|
2bfddf30aa |
BACKPORT: binder: tell userspace to dump current backtrace when detected oneway spamming
When async binder buffer got exhausted, some normal oneway transactions will also be discarded and may cause system or application failures. By that time, the binder debug information we dump may not be relevant to the root cause. And this issue is difficult to debug if without the backtrace of the thread sending spam. This change will send BR_ONEWAY_SPAM_SUSPECT to userspace when oneway spamming is detected, request to dump current backtrace. Oneway spamming will be reported only once when exceeding the threshold (target process dips below 80% of its oneway space, and current process is responsible for either more than 50 transactions, or more than 50% of the oneway space). And the detection will restart when the async buffer has returned to a healthy state. Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Hang Lu <hangl@codeaurora.org> Link: https://lore.kernel.org/r/1617961246-4502-3-git-send-email-hangl@codeaurora.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 181190340 Change-Id: Id3d2526099bc89f04d8ad3ad6e48141b2a8f2515 (cherry picked from commit a7dc1e6f99df59799ab0128d9c4e47bbeceb934d) Signed-off-by: Hang Lu <hangl@codeaurora.org> [cmllamas: fix trivial merge issue] Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Greg Kroah-Hartman
|
147724ba5f |
This is the 5.4.282 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmbCvnsACgkQONu9yGCS
aT45Zw/9FM9SGzzJpl0jFgvbKhOufwdtzg/CNBRoqFybE+Zmpy0dJvzuurYQFmJZ
bh6b9oPRGKBzT6aolOcN2bxjT1IlvTZ950CIbfYHD38qA7bhkeBKK9i8kuz7REUQ
Bs8H7xMMK9xHrLUWb6gVPfPy2vPiBIE7IMzlhCrKKneInR3OANG70hM3USpt44/1
BxuA87kjJHMe/He4AL7jVL4AO8EpZYrO5WuYA49aLEtrVFKOtbKQ1HgzhUsDgFI4
FA5MXTBx7Cw7NKLcYkykbdScPJ7ZZgakY8283F0s+E8BdqcabeH/l1lvK4/EqHGC
mnz6+9CmSnjyI7pW/X5FCXssmznoxBd9btnLM2ap9610veRqRuolo6VQpv6ONO53
SYMKEkUs2CjS7adG8uGv2+C0t4nw2jWJjjNkyic72vZwlZL9BTJitiy3q96KFYmD
OoRK6e7UQYgraRY8FmirMOjicKtBXASLDvfZ3KuZVconbloQTeYO9mRMLVsTt7Qn
gag021ogc++Ps/75TrmygT5/rv4sV9vXWk/1pFsTdcAdn6kHVTtI+QHACLljrms8
nEQGI/ZET9fZaCrLz56dfswLZzxjemJ7vLMGoweEXltXCG/e6d1tHGW3prYo2ZXC
+wR6jw9q8kSoCSahACDkryAeQsnMkoIoDAJEktnRhBSCtGpUbZE=
=zKyu
-----END PGP SIGNATURE-----
Merge 5.4.282 into android11-5.4-lts
Changes in 5.4.282
EDAC, skx_common: Refactor so that we initialize "dev" in result of adxl decode.
EDAC, skx: Retrieve and print retry_rd_err_log registers
EDAC/skx_common: Add new ADXL components for 2-level memory
EDAC, i10nm: make skx_common.o a separate module
platform/chrome: cros_ec_debugfs: fix wrong EC message version
hfsplus: fix to avoid false alarm of circular locking
x86/of: Return consistent error type from x86_of_pci_irq_enable()
x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling
x86/pci/xen: Fix PCIBIOS_* return code handling
x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
hwmon: (adt7475) Fix default duty on fan is disabled
pwm: stm32: Always do lazy disabling
hwmon: (max6697) Fix underflow when writing limit attributes
hwmon: (max6697) Fix swapped temp{1,8} critical alarms
arm64: dts: qcom: sdm845: add power-domain to UFS PHY
arm64: dts: qcom: msm8996: specify UFS core_clk frequencies
arm64: dts: rockchip: Increase VOP clk rate on RK3328
ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node
ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset
ARM: dts: imx6qdl-kontron-samx6i: fix board reset
ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity
arm64: dts: mediatek: mt7622: fix "emmc" pinctrl mux
arm64: dts: amlogic: gx: correct hdmi clocks
m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages
x86/xen: Convert comma to semicolon
m68k: cmpxchg: Fix return value for default case in __arch_xchg()
firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout()
firmware: turris-mox-rwtm: Initialize completion before mailbox
wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
net/smc: Allow SMC-D 1MB DMB allocations
net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined
selftests/bpf: Check length of recv in test_sockmap
lib: objagg: Fix general protection fault
mlxsw: spectrum_acl_erp: Fix object nesting warning
wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()
net: fec: Refactor: #define magic constants
net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
ipvs: Avoid unnecessary calls to skb_is_gso_sctp
netfilter: nf_tables: rise cap on SELinux secmark context
perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation
perf: Fix perf_aux_size() for greater-than 32-bit size
perf: Prevent passing zero nr_pages to rb_alloc_aux()
qed: Improve the stack space of filter_config()
wifi: virt_wifi: avoid reporting connection success with wrong SSID
gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey
wifi: virt_wifi: don't use strlen() in const context
bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
selftests: forwarding: devlink_lib: Wait for udev events after reloading
USB: move snd_usb_pipe_sanity_check into the USB core
media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()
media: imon: Fix race getting ictx->lock
saa7134: Unchecked i2c_transfer function result fixed
media: uvcvideo: Allow entity-defined get_info and get_cur
media: uvcvideo: Override default flags
media: renesas: vsp1: Fix _irqsave and _irq mix
media: renesas: vsp1: Store RPF partition configuration per RPF instance
leds: trigger: Unregister sysfs attributes before calling deactivate()
perf report: Fix condition in sort__sym_cmp()
drm/etnaviv: fix DMA direction handling for cached RW buffers
drm/qxl: Add check for drm_cvt_mode
mfd: omap-usb-tll: Use struct_size to allocate tll
SUNRPC: avoid soft lockup when transmitting UDP to reachable server.
ext4: avoid writing unitialized memory to disk in EA inodes
sparc64: Fix incorrect function signature and add prototype for prom_cif_init
SUNRPC: Fixup gss_status tracepoint error output
PCI: Fix resource double counting on remove & rescan
Input: qt1050 - handle CHIP_ID reading error
RDMA/mlx4: Fix truncated output warning in mad.c
RDMA/mlx4: Fix truncated output warning in alias_GUID.c
RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
ASoC: max98088: Check for clk_prepare_enable() error
mtd: make mtd_test.c a separate module
RDMA/device: Return error earlier if port in not valid
Input: elan_i2c - do not leave interrupt disabled on suspend failure
MIPS: Octeron: remove source file executable bit
powerpc/xmon: Fix disassembly CPU feature checks
macintosh/therm_windtunnel: fix module unload.
bnxt_re: Fix imm_data endianness
netfilter: ctnetlink: use helper function to calculate expect ID
pinctrl: core: fix possible memory leak when pinctrl_enable() fails
pinctrl: single: fix possible memory leak when pinctrl_enable() fails
pinctrl: ti: ti-iodelay: Drop if block with always false condition
pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails
pinctrl: freescale: mxs: Fix refcount of child
fs/nilfs2: remove some unused macros to tame gcc
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
rtc: interface: Add RTC offset to alarm after fix-up
tick/broadcast: Make takeover of broadcast hrtimer reliable
net: netconsole: Disable target before netpoll cleanup
af_packet: Handle outgoing VLAN packets without hardware offloading
ipv6: take care of scope when choosing the src addr
char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
media: venus: fix use after free in vdec_close
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
drm/amd/display: Check for NULL pointer
udf: Avoid using corrupted block bitmap buffer
m68k: amiga: Turn off Warp1260 interrupts during boot
ext4: check dot and dotdot of dx_root before making dir indexed
ext4: make sure the first directory block is not a hole
wifi: mwifiex: Fix interface type change
leds: ss4200: Convert PCIBIOS_* return codes to errnos
tools/memory-model: Fix bug in lock.cat
hwrng: amd - Convert PCIBIOS_* return codes to errnos
PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
binder: fix hang of unregistered readers
scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
f2fs: fix to don't dirty inode for readonly filesystem
clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
ubi: eba: properly rollback inside self_check_eba
decompress_bunzip2: fix rare decompression failure
kobject_uevent: Fix OOB access within zap_modalias_env()
rtc: cmos: Fix return value of nvmem callbacks
scsi: qla2xxx: During vport delete send async logout explicitly
scsi: qla2xxx: Fix for possible memory corruption
scsi: qla2xxx: Complete command early within lock
scsi: qla2xxx: validate nvme_local_port correctly
perf/x86/intel/pt: Fix topa_entry base length
perf/x86/intel/pt: Fix a topa_entry base address calculation
rtc: isl1208: Fix return value of nvmem callbacks
watchdog/perf: properly initialize the turbo mode timestamp and rearm counter
platform: mips: cpu_hwmon: Disable driver on unsupported hardware
RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
selftests/sigaltstack: Fix ppc64 GCC build
rbd: don't assume rbd_is_lock_owner() for exclusive mappings
drm/panfrost: Mark simple_ondemand governor as softdep
rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait
rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings
Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
nilfs2: handle inconsistent state in nilfs_btnode_create_block()
kdb: address -Wformat-security warnings
kdb: Use the passed prompt in kdb_position_cursor()
jfs: Fix array-index-out-of-bounds in diFree
um: time-travel: fix time-travel-start option
libbpf: Fix no-args func prototype BTF dumping syntax
dma: fix call order in dmam_free_coherent
MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
ipv4: Fix incorrect source address in Record Route option
net: bonding: correctly annotate RCU in bond_should_notify_peers()
tipc: Return non-zero value from tipc_udp_addr2str() on error
net: nexthop: Initialize all fields in dumped nexthops
bpf: Fix a segment issue when downgrading gso_size
mISDN: Fix a use after free in hfcmulti_tx()
apparmor: Fix null pointer deref when receiving skb during sock creation
powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()
ASoC: Intel: Convert to new X86 CPU match macros
ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header
ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable
nvme-pci: add missing condition check for existence of mapped data
mm: avoid overflows in dirty throttling logic
PCI: rockchip: Make 'ep-gpios' DT property optional
PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
parport: Convert printk(KERN_<LEVEL> to pr_<level>(
parport: Standardize use of printmode
dev/parport: fix the array out-of-bounds risk
driver core: Cast to (void *) with __force for __percpu pointer
devres: Fix memory leakage caused by driver API devm_free_percpu()
genirq: Allow the PM device to originate from irq domain
irqchip/imx-irqsteer: Constify irq_chip struct
irqchip/imx-irqsteer: Add runtime PM support
irqchip/imx-irqsteer: Handle runtime power management correctly
remoteproc: imx_rproc: ignore mapping vdev regions
remoteproc: imx_rproc: Fix ignoring mapping vdev regions
remoteproc: imx_rproc: Skip over memory region when node value is NULL
drm/nouveau: prime: fix refcount underflow
drm/vmwgfx: Fix overlay when using Screen Targets
net/iucv: fix use after free in iucv_sock_close()
net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
ipv6: fix ndisc_is_useropt() handling for PIO
HID: wacom: Modify pen IDs
protect the fetch of ->fd[fd] in do_dup2() from mispredictions
ALSA: usb-audio: Correct surround channels in UAC1 channel map
net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
netfilter: ipset: Add list flush to cancel_gc
genirq: Allow irq_chip registration functions to take a const irq_chip
irqchip/mbigen: Fix mbigen node address layout
x86/mm: Fix pti_clone_pgtable() alignment assumption
sctp: move hlist_node and hashent out of sctp_ep_common
sctp: Fix null-ptr-deref in reuseport_add_sock().
net: usb: qmi_wwan: fix memory leak for not ip packets
net: linkwatch: use system_unbound_wq
Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
net: fec: Stop PPS on driver remove
md/raid5: avoid BUG_ON() while continue reshape after reassembling
clocksource/drivers/sh_cmt: Address race condition for clock events
ACPI: battery: create alarm sysfs attribute atomically
ACPI: SBS: manage alarm sysfs attribute through psy core
selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT
PCI: Add Edimax Vendor ID to pci_ids.h
udf: prevent integer overflow in udf_bitmap_free_blocks()
wifi: nl80211: don't give key data to userspace
btrfs: fix bitmap leak when loading free space cache on duplicate entry
drm/amdgpu: Fix the null pointer dereference to ras_manager
media: uvcvideo: Ignore empty TS packets
media: uvcvideo: Fix the bandwdith quirk on USB 3.x
jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
s390/sclp: Prevent release of buffer in I/O
SUNRPC: Fix a race to wake a sync task
ext4: fix wrong unit use in ext4_mb_find_by_goal
arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-space
arm64: Add Neoverse-V2 part
arm64: cputype: Add Cortex-X4 definitions
arm64: cputype: Add Neoverse-V3 definitions
arm64: errata: Add workaround for Arm errata 3194386 and 3312417
arm64: cputype: Add Cortex-X3 definitions
arm64: cputype: Add Cortex-A720 definitions
arm64: cputype: Add Cortex-X925 definitions
arm64: errata: Unify speculative SSBS errata logic
arm64: errata: Expand speculative SSBS workaround
arm64: cputype: Add Cortex-X1C definitions
arm64: cputype: Add Cortex-A725 definitions
arm64: errata: Expand speculative SSBS workaround (again)
i2c: smbus: Don't filter out duplicate alerts
i2c: smbus: Improve handling of stuck alerts
i2c: smbus: Send alert notifications to all devices if source not found
bpf: kprobe: remove unused declaring of bpf_kprobe_override
spi: fsl-lpspi: remove unneeded array
spi: spi-fsl-lpspi: Fix scldiv calculation
drm/client: fix null pointer dereference in drm_client_modeset_probe
ALSA: line6: Fix racy access to midibuf
ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
usb: vhci-hcd: Do not drop references before new references are gained
USB: serial: debug: do not echo input by default
usb: gadget: core: Check for unset descriptor
scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
tick/broadcast: Move per CPU pointer access into the atomic section
ntp: Clamp maxerror and esterror to operating range
driver core: Fix uevent_show() vs driver detach race
ntp: Safeguard against time_constant overflow
scsi: mpt3sas: Remove scsi_dma_map() error messages
scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
serial: core: check uartclk for zero to avoid divide by zero
genirq/irqdesc: Honor caller provided affinity in alloc_desc()
power: supply: axp288_charger: Fix constant_charge_voltage writes
power: supply: axp288_charger: Round constant_charge_voltage writes down
tracing: Fix overflow in get_free_elt()
x86/mtrr: Check if fixed MTRRs exist before saving them
drm/bridge: analogix_dp: properly handle zero sized AUX transactions
drm/mgag200: Set DDC timeout in milliseconds
Fix gcc 4.9 build issue in 5.4.y
kbuild: Fix '-S -c' in x86 stack protector scripts
netfilter: nf_tables: set element extended ACK reporting support
netfilter: nf_tables: use timestamp to check for set element timeout
netfilter: nf_tables: prefer nft_chain_validate
drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
arm64: cpufeature: Fix the visibility of compat hwcaps
media: uvcvideo: Use entity get_cur in uvc_ctrl_set
exec: Fix ToCToU between perm check and set-uid/gid usage
nvme/pci: Add APST quirk for Lenovo N60z laptop
ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode
media: Revert "media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()"
Linux 5.4.282
Change-Id: I6d0e4d26021c20136cefafa63b138db47b4069b8
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Carlos Llamas
|
f4e5b5151e |
FROMLIST: binder: fix UAF caused by offsets overwrite
Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. This issue is made evident by the following KASAN report (trimmed): ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...] Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...] Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...] ================================================================== To avoid this issue, let's check that the raw data copy is within the boundaries of the data section. Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn") Cc: Todd Kjos <tkjos@google.com> Cc: stable@vger.kernel.org Signed-off-by: Carlos Llamas <cmllamas@google.com> Bug: 352520660 Link: https://lore.kernel.org/all/20240822182353.2129600-1-cmllamas@google.com/ Change-Id: I1b2dd8403b63e5eeb58904558b7b542141c83fc2 Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Carlos Llamas
|
46f1dea17b |
binder: fix hang of unregistered readers
commit 31643d84b8c3d9c846aa0e20bc033e46c68c7e7d upstream. With the introduction of binder_available_for_proc_work_ilocked() in commit |
||
|
Michael Bestas
|
df44b16b4f
|
Merge branch 'android11-5.4-lts' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
* 'android11-5.4-lts' of https://android.googlesource.com/kernel/common: (482 commits) ANDROID: GKI: refresh ABI to include kimage_vaddr ANDROID: preserve CRC for struct tcp_sock ANDROID: 16K: Don't set padding vm_flags on 32-bit archs Linux 5.4.280 i2c: rcar: bring hardware to known state when probing nilfs2: fix kernel bug on rename operation of broken directory tcp: avoid too many retransmit packets tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() net: tcp: fix unexcepted socket die when snd_wnd is 0 tcp: refactor tcp_retransmit_timer() SUNRPC: Fix RPC client cleaned up the freed pipefs dentries libceph: fix race between delayed_work() and ceph_monc_stop() ALSA: hda/realtek: Limit mic boost on VAIO PRO PX nvmem: meson-efuse: Fix return value of nvmem callbacks hpet: Support 32-bit userspace USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k USB: serial: option: add Rolling RW350-GL variants USB: serial: option: add Netprisma LCUK54 series modules ... Conflicts: kernel/gen_kheaders.sh Change-Id: Ib57235b05d1bd369b3852565eabea8e658b59aed |
||
|
Michael Bestas
|
73abf253d5
|
Merge tag 'ASB-2024-06-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2024-06-01 CVE-2024-26926 * tag 'ASB-2024-06-05_11-5.4' of https://android.googlesource.com/kernel/common: ANDROID: ABI fixup for abi break in struct dst_ops BACKPORT: net: fix __dst_negative_advice() race UPSTREAM: selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior Revert "timers: Rename del_timer_sync() to timer_delete_sync()" Reapply "media: ttpci: fix two memleaks in budget_av_attach" Revert "media: rename VFL_TYPE_GRABBER to _VIDEO" Revert "media: media/pci: rename VFL_TYPE_GRABBER to _VIDEO" Revert "media: ttpci: fix two memleaks in budget_av_attach" Revert "net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()" Revert "regmap: allow to define reg_update_bits for no bus configuration" Revert "regmap: Add bulk read/write callbacks into regmap_config" Revert "serial: max310x: fix IO data corruption in batched operations" Revert "geneve: make sure to pull inner header in geneve_rx()" Linux 5.4.274 firmware: meson_sm: fix to avoid potential NULL pointer dereference ip_gre: do not report erspan version on GRE interface erspan: Check IFLA_GRE_ERSPAN_VER is set. VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() Bluetooth: btintel: Fixe build regression x86/alternative: Don't call text_poke() in lazy TLB mode drm/i915/gt: Reset queue_priority_hint on parking x86/mm/pat: fix VM_PAT handling in COW mappings virtio: reenable config if freezing device failed drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put() tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc netfilter: nf_tables: discard table flag update with pending basechain deletion netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path netfilter: nf_tables: release batch on table validation from abort path netfilter: nf_tables: reject new basechain after table flag update fbmon: prevent division by zero in fb_videomode_from_videomode() fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2 usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined usb: typec: tcpci: add generic tcpci fallback compatible tools: iio: replace seekdir() in iio_generic_buffer ktest: force $buildonly = 1 for 'make_warnings_file' test type Input: allocate keycode for Display refresh rate toggle block: prevent division by zero in blk_rq_stat_sum() Revert "ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default" SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int drm/amd/display: Fix nanosec stat overflow media: sta2x11: fix irq handler cast isofs: handle CDs with bad root inode but good Joliet root directory scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() sysv: don't call sb_bread() with pointers_lock held Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails Bluetooth: btintel: Fix null ptr deref in btintel_read_version btrfs: send: handle path ref underflow in header iterate_inode_ref() btrfs: export: handle invalid inode or root reference in btrfs_get_parent() btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num() ionic: set adminq irq affinity arm64: dts: rockchip: fix rk3399 hdmi ports node arm64: dts: rockchip: fix rk3328 hdmi ports node panic: Flush kernel log buffer at the end VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() wifi: ath9k: fix LNA selection in ath_ant_try_scan() s390/entry: align system call table on 8 bytes x86/mce: Make sure to grab mce_sysfs_mutex in set_bank() ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone ata: sata_mv: Fix PCI device ID table declaration compilation warning scsi: mylex: Fix sysfs buffer lengths ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw net: ravb: Always process TX descriptor ring erspan: make sure erspan_base_hdr is present in skb->head erspan: Add type I version 0 support. init: open /initrd.image with O_LARGEFILE initramfs: switch initramfs unpacking to struct file based APIs fs: add a vfs_fchmod helper fs: add a vfs_fchown helper staging: vc04_services: fix information leak in create_component() staging: vc04_services: changen strncpy() to strscpy_pad() staging: mmal-vchiq: Fix client_component for 64 bit kernel staging: mmal-vchiq: Allocate and free components as required i40e: fix vf may be used uninitialized in this function warning ipv6: Fix infinite recursion in fib6_dump_done(). selftests: reuseaddr_conflict: add missing new line at the end of the output net: stmmac: fix rx queue priority assignment net/sched: act_skbmod: prevent kernel-infoleak bpf, sockmap: Prevent lock inversion deadlock in map delete elem netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() netfilter: nf_tables: flush pending destroy work before exit_net release mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped." vfio/platform: Create persistent IRQ handlers vfio/pci: Create persistent INTx handler vfio: Introduce interface to flush virqfd inject workqueue vfio/pci: Lock external INTx masking ops vfio/pci: Disable auto-enable of exclusive INTx IRQ net/rds: fix possible cp null dereference netfilter: nf_tables: disallow timeout for anonymous sets Bluetooth: Fix TOCTOU in HCI debugfs implementation Bluetooth: hci_event: set the conn encrypted before conn establishes x86/cpufeatures: Add new word for scattered features r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d dm integrity: fix out-of-range warning tcp: properly terminate timers for kernel sockets ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa() nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet USB: core: Fix deadlock in usb_deauthorize_interface() scsi: lpfc: Correct size for wqe for memset() x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled scsi: qla2xxx: Fix command flush on cable pull usb: udc: remove warning when queue disabled ep usb: dwc2: gadget: LPM flow fix usb: dwc2: host: Fix ISOC flow in DDMA mode usb: dwc2: host: Fix hibernation flow usb: dwc2: host: Fix remote wakeup from hibernation scsi: core: Fix unremoved procfs host directory regression ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs usb: cdc-wdm: close race between read and workqueue mmc: core: Avoid negative index with array access mmc: core: Initialize mmc_blk_ioc_data exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack() wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes mm/migrate: set swap entry values of THP tail pages properly. mm/memory-failure: fix an incorrect use of tail pages vt: fix memory overlapping when deleting chars in the buffer bounds: support non-power-of-two CONFIG_NR_CPUS powerpc: xor_vmx: Add '-mhard-float' to CFLAGS efivarfs: Request at most 512 bytes for variable names perf/core: Fix reentry problem in perf_output_read_group() loop: loop_set_status_from_info() check before assignment loop: Check for overflow while configuring loop loop: Factor out configuring loop from status loop: Refactor loop_set_status() size calculation loop: Factor out setting loop device size loop: Remove sector_t truncation checks loop: Call loop_config_discard() only after new config is applied Revert "loop: Check for overflow while configuring loop" btrfs: allocate btrfs_ioctl_defrag_range_args on stack printk: Update @console_may_schedule in console_trylock_spinning() xen/events: close evtchn after mapping cleanup x86/speculation: Support intra-function call validation objtool: Add support for intra-function calls objtool: is_fentry_call() crashes if call has no destination fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion vt: fix unicode buffer corruption when deleting characters tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled usb: port: Don't try to peer unused USB ports based on location usb: gadget: ncm: Fix handling of zero block length packets USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform xfrm: Avoid clang fortify warning in copy_to_user_tmpl() netfilter: nf_tables: reject constant set with timeout netfilter: nf_tables: disallow anonymous set with timeout flag netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout comedi: comedi_test: Prevent timers rescheduling during deletion dm snapshot: fix lockup in dm_exception_table_exit ahci: asm1064: asm1166: don't limit reported ports ahci: asm1064: correct count of reported ports x86/CPU/AMD: Update the Zenbleed microcode revisions nilfs2: prevent kernel bug at submit_bh_wbc() nilfs2: use a more common logging style nilfs2: fix failure to detect DAT corruption in btree and direct mappings memtest: use {READ,WRITE}_ONCE in memory scanning drm/vc4: hdmi: do not return negative values from .get_modes() drm/imx/ipuv3: do not return negative values from .get_modes() drm/exynos: do not return negative values from .get_modes() s390/zcrypt: fix reference counting on zcrypt card objects soc: fsl: qbman: Use raw spinlock for cgr_lock soc: fsl: qbman: Add CGR update function soc: fsl: qbman: Add helper for sanity checking cgr ops soc: fsl: qbman: Always disable interrupts when taking cgr_lock ring-buffer: Fix full_waiters_pending in poll ring-buffer: Fix resetting of shortest_full vfio/platform: Disable virqfds on cleanup kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1 speakup: Fix 8bit characters from direct synth slimbus: core: Remove usage of the deprecated ida_simple_xx() API nvmem: meson-efuse: fix function pointer type mismatch firmware: meson_sm: Rework driver as a proper platform driver ext4: fix corruption during on-line resize hwmon: (amc6821) add of_match table mmc: core: Fix switch on gp3 partition dm-raid: fix lockdep waring in "pers->hot_add_disk" Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"" PCI/PM: Drain runtime-idle callbacks before driver removal PCI: Drop pci_device_remove() test of pci_dev->driver btrfs: fix off-by-one chunk length calculation at contains_pending_extent() fuse: don't unhash root mmc: tmio: avoid concurrent runs of mmc_request_done() PM: sleep: wakeirq: fix wake irq warning in system suspend USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M USB: serial: option: add MeiG Smart SLM320 product USB: serial: cp210x: add ID for MGP Instruments PDS100 USB: serial: add device ID for VeriFone adapter USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB powerpc/fsl: Fix mfpmr build errors with newer binutils clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays PM: suspend: Set mem_sleep_current during kernel command line setup parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds parisc: Fix csum_ipv6_magic on 64-bit systems parisc: Fix csum_ipv6_magic on 32-bit systems parisc: Fix ip_fast_csum parisc: Do not hardcode registers in checksum functions mtd: rawnand: meson: fix scrambling mode value in command macro ubi: correct the calculation of fastmap size ubi: Check for too small LEB size in VTBL code ubifs: Set page uptodate in the correct place fat: fix uninitialized field in nostale filehandles ext4: correct best extent lstart adjustment logic selftests/mqueue: Set timeout to 180 seconds crypto: qat - resolve race condition during AER recovery crypto: qat - fix double free during reset sparc: vDSO: fix return value of __setup handler sparc64: NMI watchdog: fix return value of __setup handler KVM: Always flush async #PF workqueue when vCPU is being destroyed media: xc4000: Fix atomicity violation in xc4000_get_frequency serial: max310x: fix NULL pointer dereference in I2C instantiation arm: dts: marvell: Fix maxium->maxim typo in brownstone dts ARM: dts: mmp2-brownstone: Don't redeclare phandle references smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity() smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr() clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd media: staging: ipu3-imgu: Set fields before media_entity_pads_init() wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach timers: Rename del_timer_sync() to timer_delete_sync() timers: Use del_timer_sync() even on UP timers: Update kernel-doc for various functions x86/bugs: Use sysfs_emit() x86/cpu: Support AMD Automatic IBRS Documentation/hw-vuln: Update spectre doc amdkfd: use calloc instead of kzalloc to avoid integer overflow Linux 5.4.273 regmap: Add missing map->bus check spi: spi-mt65xx: Fix NULL pointer access in interrupt handler bpf: report RCU QS in cpumap kthread rcu: add a helper to report consolidated flavor QS netfilter: nf_tables: do not compare internal table flags on updates ARM: dts: sun8i-h2-plus-bananapi-m2-zero: add regulator nodes vcc-dram and vcc1v2 octeontx2-af: Use separate handlers for interrupts net/bnx2x: Prevent access to a freed page in page_pool hsr: Handle failures in module init rds: introduce acquire/release ordering in acquire/release_in_xmit() packet: annotate data-races around ignore_outgoing hsr: Fix uninit-value access in hsr_get_node() s390/vtime: fix average steal time calculation octeontx2-af: Use matching wake_up API variant in CGX command interface usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin staging: greybus: fix get_channel_from_mode() failure path serial: 8250_exar: Don't remove GPIO device on suspend rtc: mt6397: select IRQ_DOMAIN instead of depending on it kconfig: fix infinite loop when expanding a macro at the end of file tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT serial: max310x: fix syntax error in IRQ error message tty: vt: fix 20 vs 0x20 typo in EScsiignore afs: Revert "afs: Hide silly-rename files from userspace" NFS: Fix an off by one in root_nfs_cat() watchdog: stm32_iwdg: initialize default timeout net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn RDMA/device: Fix a race between mad_client and cm_client init scsi: csiostor: Avoid function pointer casts ALSA: usb-audio: Stop parsing channels bits when all channels are found. clk: Fix clk_core_get NULL dereference sparc32: Fix section mismatch in leon_pci_grpci backlight: lp8788: Fully initialize backlight_properties during probe backlight: lm3639: Fully initialize backlight_properties during probe backlight: da9052: Fully initialize backlight_properties during probe backlight: lm3630a: Don't set bl->props.brightness in get_brightness backlight: lm3630a: Initialize backlight_properties on init powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc. drm/msm/dpu: add division of drm_display_mode's hskew parameter powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip media: ttpci: fix two memleaks in budget_av_attach media: media/pci: rename VFL_TYPE_GRABBER to _VIDEO media: rename VFL_TYPE_GRABBER to _VIDEO media: v4l2-core: correctly validate video and metadata ioctls media: go7007: fix a memleak in go7007_load_encoder media: dvb-frontends: avoid stack overflow warnings with clang media: pvrusb2: fix uaf in pvr2_context_set_notify drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int() ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs mtd: rawnand: lpc32xx_mlc: fix irq handler prototype mtd: maps: physmap-core: fix flash size larger than 32-bit crypto: arm/sha - fix function cast warnings mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a ref mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref drm/tegra: put drm_gem_object ref on error in tegra_fb_create clk: hisilicon: hi3519: Release the correct number of gates in hi3519_clk_unregister() PCI: Mark 3ware-9650SE Root Port Extended Tags as broken drm/mediatek: dsi: Fix DSI RGB666 formats and definitions clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times media: pvrusb2: fix pvr2_stream_callback casts media: pvrusb2: remove redundant NULL check media: go7007: add check of return value of go7007_read_addr() media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak perf stat: Avoid metric-only segv ALSA: seq: fix function cast warnings drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode() perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str() PCI: switchtec: Fix an error handling path in switchtec_pci_probe() quota: Fix rcu annotations of inode dquot pointers quota: Fix potential NULL pointer dereference quota: simplify drop_dquot_ref() clk: qcom: reset: Ensure write completion on reset de/assertion clk: qcom: reset: Commonize the de/assert functions clk: qcom: reset: support resetting multiple bits clk: qcom: reset: Allow specifying custom reset delay media: edia: dvbdev: fix a use-after-free media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity media: v4l2-tpg: fix some memleaks in tpg_alloc media: em28xx: annotate unchecked call to media_device_register() perf evsel: Fix duplicate initialization of data->id in evsel__parse_sample() drm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()' perf record: Fix possible incorrect free in record__switch_output() PCI/DPC: Print all TLP Prefixes, not just the first media: tc358743: register v4l2 async device only after successful setup dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA drm/rockchip: lvds: do not overwrite error code drm: Don't treat 0 as -1 in drm_fixp2int_ceil drm/rockchip: inno_hdmi: Fix video timing drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths of tegra_output_probe() drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path of tegra_dsi_probe() drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe() drm/tegra: dsi: Make use of the helper function dev_err_probe() gpu: host1x: mipi: Update tegra_mipi_request() to be node based drm/tegra: dsi: Add missing check for of_find_device_by_node dm: call the resume method on internal suspend dm raid: fix false positive for requeue needed during reshape nfp: flower: handle acti_netdevs allocation failure net/x25: fix incorrect parameter validation in the x25_getsockopt() function net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function udp: fix incorrect parameter validation in the udp_lib_getsockopt() function l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function net: hns3: fix port duplex configure error in IMP reset net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() ipv6: fib6_rules: flush route cache when rule is changed bpf: Fix stackmap overflow check on 32-bit arches bpf: Fix hashtab overflow check on 32-bit arches sr9800: Add check for usbnet_get_endpoints Bluetooth: hci_core: Fix possible buffer overflow Bluetooth: Remove superfluous call to hci_conn_check_pending() igb: Fix missing time sync events igb: move PEROUT and EXTTS isr logic to separate functions mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove function SUNRPC: fix some memleaks in gssx_dec_option_array x86, relocs: Ignore relocations in .notes section ACPI: scan: Fix device check notification handling ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address ARM: dts: imx6dl-yapp4: Move phy reset into switch node ARM: dts: arm: realview: Fix development chip ROM compatible value net: ena: Remove ena_select_queue net: ena: cosmetic: fix line break issues wifi: brcmsmac: avoid function pointer casts iommu/amd: Mark interrupt as managed bus: tegra-aconnect: Update dependency to ARCH_TEGRA ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit() arm64: dts: qcom: msm8996: Pad addresses arm64: dts: qcom: msm8996: Move regulator consumers to db820c arm64: dts: qcom: msm8996: Use node references in db820c arm64: dts: qcom: db820c: Move non-soc entries out of /soc bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly bpf: Factor out bpf_spin_lock into helpers. bpf: Add typecast to bpf helpers to help BTF generation arm64: dts: mediatek: mt7622: add missing "device_type" to memory nodes wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer() net: blackhole_dev: fix build warning for ethh set but not used af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc(). sock_diag: annotate data-races around sock_diag_handlers[family] wifi: mwifiex: debugfs: Drop unnecessary error check for debugfs_create_dir() wifi: wilc1000: fix RCU usage in connect path wifi: wilc1000: fix declarations ordering wifi: b43: Disable QoS for bcm4331 wifi: b43: Stop correct queue in DMA worker when QoS is disabled b43: main: Fix use true/false for bool type wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled b43: dma: Fix use true/false for bool type variable wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() timekeeping: Fix cross-timestamp interpolation for non-x86 timekeeping: Fix cross-timestamp interpolation corner case decision timekeeping: Fix cross-timestamp interpolation on counter wrap aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts fs/select: rework stack allocation hack for clang nbd: null check for nla_nest_start do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC Input: gpio_keys_polled - suppress deferred probe error for gpio ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet firewire: core: use long bus reset on gap count error Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security scsi: mpt3sas: Prevent sending diag_reset when the controller is ready btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve dm-verity, dm-crypt: align "struct bvec_iter" correctly block: sed-opal: handle empty atoms when parsing response parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check net/iucv: fix the allocation size of iucv_path_table array RDMA/mlx5: Relax DEVX access upon modify commands HID: multitouch: Add required quirk for Synaptics 0xcddc device MIPS: Clear Cause.BD in instruction_pointer_set x86/xen: Add some null pointer checking to smp.c ASoC: rt5645: Make LattePanda board DMI match more precise selftests: tls: use exact comparison in recv_partial io_uring: drop any code related to SCM_RIGHTS io_uring/unix: drop usage of io_uring socket UPSTREAM: arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts UPSTREAM: arm64: dts: qcom: add PDC interrupt controller for SDM845 Linux 5.4.272 arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts arm64: dts: qcom: add PDC interrupt controller for SDM845 serial: max310x: fix IO data corruption in batched operations serial: max310x: implement I2C support serial: max310x: make accessing revision id interface-agnostic regmap: Add bulk read/write callbacks into regmap_config regmap: allow to define reg_update_bits for no bus configuration serial: max310x: Unprepare and disable clock in error path getrusage: use sig->stats_lock rather than lock_task_sighand() getrusage: use __for_each_thread() getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand() getrusage: add the "signal_struct *sig" local variable y2038: rusage: use __kernel_old_timeval hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed hv_netvsc: use netif_is_bond_master() instead of open code hv_netvsc: Make netvsc/VF binding check both MAC and serial number Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU serial: max310x: prevent infinite while() loop in port startup serial: max310x: use a separate regmap for each port serial: max310x: use regmap methods for SPI batch operations serial: max310x: Make use of device properties serial: max310x: fail probe if clock crystal is unstable serial: max310x: Try to get crystal clock rate from property serial: max310x: Use devm_clk_get_optional() to get the input clock um: allow not setting extra rpaths in the linux binary selftests: mm: fix map_hugetlb failure on 64K page size systems netrom: Fix data-races around sysctl_net_busy_read netrom: Fix a data-race around sysctl_netrom_link_fails_count netrom: Fix a data-race around sysctl_netrom_routing_control netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size netrom: Fix a data-race around sysctl_netrom_transport_busy_delay netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries netrom: Fix a data-race around sysctl_netrom_transport_timeout netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser netrom: Fix a data-race around sysctl_netrom_default_path_quality netfilter: nf_conntrack_h323: Add protection for bmp length out of range netfilter: nft_ct: fix l3num expectations with inet pseudo family net/rds: fix WARNING in rds_conn_connect_if_down net/ipv6: avoid possible UAF in ip6_route_mpath_notify() net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() geneve: make sure to pull inner header in geneve_rx() ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able net: lan78xx: fix runtime PM count underflow on link stop lan78xx: Fix race conditions in suspend/resume handling lan78xx: Fix partial packet errors on suspend/resume lan78xx: Add missing return code checks lan78xx: Fix white space and style issues Linux 5.4.271 gpio: 74x164: Enable output pins after registers are reset fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super cachefiles: fix memory leak in cachefiles_add_cache() x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers mmc: core: Fix eMMC initialization with 1-bit bus connection dmaengine: fsl-qdma: init irq after reg initialization dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read btrfs: dev-replace: properly validate device names wifi: nl80211: reject iftype change with mesh ID change gtp: fix use-after-free and null-ptr-deref in gtp_newlink() afs: Fix endless loop in directory parsing ALSA: Drop leftover snd-rtctimer stuff from Makefile power: supply: bq27xxx-i2c: Do not free non existing IRQ efi/capsule-loader: fix incorrect allocation size rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Bluetooth: Enforce validation on max value of connection interval Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Bluetooth: Avoid potential use-after-free in hci_error_reset net: usb: dm9601: fix wrong return value in dm9601_mdio_read lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() tun: Fix xdp_rxq_info's queue_index when detaching net: ip_tunnel: prevent perpetual headroom growth netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter ANDROID: GKI: update .xml file due to USB changes in 5.4.270 Revert "bpf: Add map and need_defer parameters to .map_fd_put_ptr()" Revert "hrtimer: Report offline hrtimer enqueue" Revert "drm/mipi-dsi: Fix detach call without attach" Linux 5.4.270 scripts/bpf: Fix xdp_md forward declaration typo fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3 netfilter: nf_tables: set dormant flag on hook register failure tls: stop recv() if initial process_rx_list gave us non-DATA tls: rx: drop pointless else after goto tls: rx: jump to a more appropriate label s390: use the correct count for __iowrite64_copy() packet: move from strlcpy with unused retval to strscpy ipv6: sr: fix possible use-after-free and null-ptr-deref afs: Increase buffer size in afs_update_volume_status() ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid nouveau: fix function cast warnings scsi: jazz_esp: Only build if SCSI core is builtin bpf, scripts: Correct GPL license name scripts/bpf: teach bpf_helpers_doc.py to dump BPF helper definitions RDMA/srpt: fix function pointer cast warnings RDMA/srpt: Make debug output more detailed RDMA/bnxt_re: Return error for SRQ resize IB/hfi1: Fix a memleak in init_credit_return usb: roles: don't get/set_role() when usb_role_switch is unregistered usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs usb: cdns3: fix memory double free when handle zero packet usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() ARM: ep93xx: Add terminator to gpiod_lookup_table l2tp: pass correct message length to ip6_append_data PCI/MSI: Prevent MSI hardware interrupt number truncation gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp() dm-crypt: don't modify the data when using authenticated encryption IB/hfi1: Fix sdma.h tx->num_descs off-by-one error PCI: tegra: Fix OF node reference leak PCI: tegra: Fix reporting GPIO error value arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node drm/amdgpu: Fix type of second parameter in trans_msg() callback iomap: Set all uptodate bits for an Uptodate page dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata() x86/alternatives: Disable KASAN in apply_alternatives() drm/amdgpu: Check for valid number of registers to read Revert "drm/sun4i: dsi: Change the start delay calculation" ALSA: hda/realtek - Enable micmute LED on and HP system selftests/bpf: Avoid running unprivileged tests with alignment requirements net: bridge: clear bridge's private skb space on xmit spi: mt7621: Fix an error message in mt7621_spi_probe() pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours tcp: add annotations around sk->sk_shutdown accesses tcp: return EPOLLOUT from tcp_poll only when notsent_bytes is half the limit tcp: factor out __tcp_close() helper pmdomain: renesas: r8a77980-sysc: CR7 must be always on s390/qeth: Fix potential loss of L3-IP@ in case of network issues virtio-blk: Ensure no requests in virtqueues before deleting vqs. firewire: core: send bus reset promptly on gap count error scsi: lpfc: Use unsigned type for num_sge hwmon: (coretemp) Enlarge per package core count limit nvmet-fc: abort command when there is no binding netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616 nvmet-tcp: fix nvme tcp ida memory leak regulator: pwm-regulator: Add validity checks in continuous .get_voltage ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found() ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers ahci: asm1166: correct count of reported ports fbdev: sis: Error out if pixclock equals zero fbdev: savage: Error out if pixclock equals zero wifi: mac80211: fix race condition on enabling fast-xmit wifi: cfg80211: fix missing interfaces when dumping dmaengine: fsl-qdma: increase size of 'irq_name' dmaengine: shdma: increase size of 'dev_id' scsi: target: core: Add TMF to tmr_list handling sched/rt: Disallow writing invalid values to sched_rt_period_us sched/rt: Fix sysctl_sched_rr_timeslice intial value userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb nilfs2: replace WARN_ONs for invalid DAT metadata block requests memcg: add refcnt for pcpu stock to avoid UAF problem in drain_all_stock() sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset net/sched: Retire dsmark qdisc net/sched: Retire ATM qdisc net/sched: Retire CBQ qdisc KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table() Linux 5.4.269 of: gpio unittest kfree() wrong object of: unittest: fix EXPECT text for gpio hog errors net: bcmgenet: Fix EEE implementation Revert "Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting"" netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() lsm: new security_file_ioctl_compat() hook drm/msm/dsi: Enable runtime PM PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend() PM: runtime: add devm_pm_runtime_enable helper nilfs2: fix potential bug in end_buffer_async_write sched/membarrier: reduce the ability to hammer on sys_membarrier net: prevent mss overflow in skb_segment() netfilter: ipset: Missing gc cancellations fixed netfilter: ipset: fix performance regression in swap operation KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache mips: Fix max_mapnr being uninitialized on early stages arch, mm: remove stale mentions of DISCONIGMEM bus: moxtet: Add spi device table Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d" tracing: Inform kmemleak of saved_cmdlines allocation pmdomain: core: Move the unused cleanup to a _sync initcall can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) irqchip/irq-brcmstb-l2: Add write memory barrier before exit nfp: flower: prevent re-adding mac index for bonded port nfp: use correct macro for LengthSelect in BAR config nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() nilfs2: fix data corruption in dsync block recovery for small block sizes ALSA: hda/conexant: Add quirk for SWS JS201D mmc: slot-gpio: Allow non-sleeping GPIO ro x86/mm/ident_map: Use gbpages only where full GB page should be mapped. x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6 serial: max310x: improve crystal stable clock detection serial: max310x: set default value when reading clock ready bit ring-buffer: Clean ring_buffer_poll_wait() error return iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC staging: iio: ad5933: fix type mismatch regression tracing: Fix wasted memory in saved_cmdlines logic ext4: fix double-free of blocks due to wrong extents moved_len misc: fastrpc: Mark all sessions as invalid in cb_remove binder: signal epoll threads of self-work ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL xen-netback: properly sync TX responses nfc: nci: free rx_data_reassembly skb on NCI device cleanup kbuild: Fix changing ELF file type for output of gen_btf for big endian firewire: core: correct documentation of fw_csr_string() kernel API scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock" i2c: i801: Fix block process call transactions i2c: i801: Remove i801_set_block_buffer_mode usb: f_mass_storage: forbid async queue when shutdown happen USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT HID: wacom: Do not register input devices until after hid_hw_start HID: wacom: generic: Avoid reporting a serial of '0' to userspace mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again tracing/trigger: Fix to return error if failed to alloc snapshot i40e: Fix waiting for queues of all VSIs to be disabled MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work() spi: ppc4xx: Drop write-only variable of: unittest: Fix compile in the non-dynamic case of: unittest: add overlay gpio test to catch gpio hog problem btrfs: send: return EOPNOTSUPP on unknown flags btrfs: forbid deleting live subvol qgroup btrfs: forbid creating subvol qgroups netfilter: nft_set_rbtree: skip end interval element from gc net: stmmac: xgmac: fix a typo of register name in DPP safety handling net: stmmac: xgmac: use #define for string constants vhost: use kzalloc() instead of kmalloc() followed by memset() Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID hrtimer: Report offline hrtimer enqueue USB: serial: cp210x: add ID for IMST iM871A-USB USB: serial: option: add Fibocom FM101-GL variant USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e net/af_iucv: clean up a try_then_request_module() netfilter: nft_ct: reject direction for ct id netfilter: nft_compat: restrict match/target protocol to u16 netfilter: nft_compat: reject unused compat flag ppp_async: limit MRU to 64K tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() rxrpc: Fix response to PING RESPONSE ACKs to a dead call inet: read sk->sk_family once in inet_recv_error() hwmon: (coretemp) Fix bogus core_id to attr name mapping hwmon: (coretemp) Fix out-of-bounds memory access hwmon: (aspeed-pwm-tacho) mutex for tach reading atm: idt77252: fix a memleak in open_card_ubr0 selftests: net: avoid just another constant wait net: stmmac: xgmac: fix handling of DPP safety error for DMA channels phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV phy: renesas: rcar-gen3-usb2: Fix returning wrong error code dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA bonding: remove print in bond_verify_device_path HID: apple: Add 2021 magic keyboard FN key mapping HID: apple: Swap the Fn and Left Control keys on Apple keyboards HID: apple: Add support for the 2021 Magic Keyboard net: sysfs: Fix /sys/class/net/<iface> path af_unix: fix lockdep positive in sk_diag_dump_icons() net: ipv4: fix a memleak in ip_setup_cork netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger llc: call sock_orphan() at release time ipv6: Ensure natural alignment of const ipv6 loopback and router addresses ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550() ixgbe: Refactor overtemp event handling ixgbe: Refactor returning internal error codes ixgbe: Remove non-inclusive language net: remove unneeded break scsi: isci: Fix an error code problem in isci_io_request_build() wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update perf: Fix the nr_addr_filters fix drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()' ceph: fix deadlock or deadcode of misusing dget() blk-mq: fix IO hang from sbitmap wakeup race virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings libsubcmd: Fix memory leak in uniq() PCI/AER: Decode Requester ID when no error info found fs/kernfs/dir: obey S_ISGID usb: hub: Replace hardcoded quirk value with BIT() macro PCI: switchtec: Fix stdev_release() crash after surprise hot remove PCI: Only override AMD USB controller if required mfd: ti_am335x_tscadc: Fix TI SoC dependencies i3c: master: cdns: Update maximum prescaler value for i2c clock um: net: Fix return type of uml_net_start_xmit() um: Don't use vfprintf() for os_info() um: Fix naming clash between UML and scheduler leds: trigger: panic: Don't register panic notifier if creating the trigger failed drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()' drm/amdgpu: Let KFD sync with VM fences clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() drm/msm/dpu: Ratelimit framedone timeout msgs media: ddbridge: fix an error code problem in ddb_probe IB/ipoib: Fix mcast list locking drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time ALSA: hda: Intel: add HDA_ARL PCI ID support PCI: add INTEL_HDA_ARL to pci_ids.h media: rockchip: rga: fix swizzling for RGB formats media: stk1160: Fixed high volume of stk1160_dbg messages drm/mipi-dsi: Fix detach call without attach drm/framebuffer: Fix use of uninitialized variable drm/drm_file: fix use of uninitialized variable RDMA/IPoIB: Fix error code return in ipoib_mcast_join fast_dput(): handle underflows gracefully ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument f2fs: fix to check return value of f2fs_reserve_new_block() wifi: cfg80211: free beacon_ies when overridden from hidden BSS wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property md: Whenassemble the array, consult the superblock of the freshest device block: prevent an integer overflow in bvec_try_merge_hw_page ARM: dts: imx23/28: Fix the DMA controller node name ARM: dts: imx23-sansa: Use preferred i2c-gpios properties ARM: dts: imx27-apf27dev: Fix LED name ARM: dts: imx25/27: Pass timing0 ARM: dts: imx1: Fix sram node ARM: dts: imx27: Fix sram node ARM: dts: imx: Use flash@0,0 pattern ARM: dts: imx25/27-eukrea: Fix RTC node name ARM: dts: rockchip: fix rk3036 hdmi ports node scsi: libfc: Fix up timeout error in fc_fcp_rec_error() scsi: libfc: Don't schedule abort twice bpf: Add map and need_defer parameters to .map_fd_put_ptr() wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() ARM: dts: imx7s: Fix nand-controller #size-cells ARM: dts: imx7s: Fix lcdif compatible ARM: dts: imx7d: Fix coresight funnel ports bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk PCI: Add no PM reset quirk for NVIDIA Spectrum devices scsi: lpfc: Fix possible file string name overflow when updating firmware selftests/bpf: Fix pyperf180 compilation failure with clang18 selftests/bpf: satisfy compiler by having explicit return in btf test wifi: rt2x00: restart beacon queue when hardware reset ext4: avoid online resizing failures due to oversized flex bg ext4: remove unnecessary check from alloc_flex_gd() ext4: unify the type of flexbg_size to unsigned int ext4: fix inconsistent between segment fstrim and full fstrim ecryptfs: Reject casefold directory inodes SUNRPC: Fix a suspicious RCU usage warning KVM: s390: fix setting of fpc register s390/ptrace: handle setting of fpc register correctly jfs: fix array-index-out-of-bounds in diNewExt rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() crypto: stm32/crc32 - fix parsing list of devices pstore/ram: Fix crash when setting number of cpus to an odd number jfs: fix uaf in jfs_evict_inode jfs: fix array-index-out-of-bounds in dbAdjTree jfs: fix slab-out-of-bounds Read in dtSearch UBSAN: array-index-out-of-bounds in dtSplitRoot FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree ACPI: extlog: fix NULL pointer dereference check PNP: ACPI: fix fortify warning ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop audit: Send netlink ACK before setting connection in auditd_set regulator: core: Only increment use_count when enable_count changes perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel powerpc/lib: Validate size for vector operations powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() powerpc: Fix build error due to is_valid_bugaddr() powerpc/mm: Fix null-pointer dereference in pgtable_cache_add x86/entry/ia32: Ensure s32 is sign extended to s64 tick/sched: Preserve number of idle sleeps across CPU hotplug events mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan spi: bcm-qspi: fix SFDP BFPT read by usig mspi read gpio: eic-sprd: Clear interrupt after set the interrupt type drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume drm/exynos: fix accidental on-stack copy of exynos_drm_plane drm/bridge: nxp-ptn3460: simplify some error checking drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking drm: Don't unref the same fb many times by mistake due to deadlock handling gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 netfilter: nf_tables: reject QUEUE/DROP verdict parameters rbd: don't move requests to the running list on errors btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args btrfs: don't warn if discard range is not aligned to sector btrfs: tree-checker: fix inline ref size in error messages btrfs: ref-verify: free ref cache before clearing mount opt net: fec: fix the unhandled context fault from smmu fjes: fix memleaks in fjes_hw_setup netfilter: nf_tables: validate NFPROTO_* family netfilter: nf_tables: restrict anonymous set and map names to 16 bytes net/mlx5e: fix a double-free in arfs_create_groups net/mlx5: Use kfree(ft->g) in arfs_create_groups() net/mlx5: DR, Use the right GVMI number for drop action netlink: fix potential sleeping issue in mqueue_flush_file tcp: Add memory barrier to tcp_push() afs: Hide silly-rename files from userspace tracing: Ensure visibility when inserting an element into tracing_map net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv llc: Drop support for ETH_P_TR_802_2. llc: make llc_ui_sendmsg() more robust against bonding changes vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING net/smc: fix illegal rmb_desc access in SMC-D connection dump x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum powerpc: Use always instead of always-y in for crtsavres.o fs: move S_ISGID stripping into the vfs_*() helpers fs: add mode_strip_sgid() helper mtd: spinand: macronix: Fix MX35LFxGE4AD page size block: Remove special-casing of compound pages rename(): fix the locking of subdirectories ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path nouveau/vmm: don't set addr on the fail path to avoid warning mmc: core: Use mrq.sbc in close-ended ffu arm64: dts: qcom: sdm845: fix USB wakeup interrupt types parisc/firmware: Fix F-extend for PDC addresses rpmsg: virtio: Free driver_override when rpmsg_remove() hwrng: core - Fix page fault dead lock on mmap-ed hwrng PM: hibernate: Enforce ordering during image compression/decompression crypto: api - Disallow identical driver names ext4: allow for the last group to be marked as trimmed serial: sc16is7xx: add check for unsupported SPI modes during probe spi: introduce SPI_MODE_X_MASK macro serial: sc16is7xx: set safe default SPI clock frequency units: add the HZ macros units: change from 'L' to 'UL' units: Add Watt units include/linux/units.h: add helpers for kelvin to/from Celsius conversion PCI: mediatek: Clear interrupt status before dispatching handler Conflicts: include/linux/timer.h mm/memory-failure.c Change-Id: I4974903c79ecddc3d9225b0b723a30b6c83ef572 |
||
|
Greg Kroah-Hartman
|
eb1a0358d1 |
This is the 5.4.278 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmZuzHwACgkQONu9yGCS
aT6M7xAAuCGja5JhZ7ciWjhdxIFxACHrSVm3l/i+bqNAXoDh2rJDKgOize1OTLGR
R1Fq2qBEtfMsoKNa+3DyMCB8D1IsMUrhr8hdM56+AqDBbmaTsDmw+L6vzepwJKVV
ksX2onT5tXdydH95IjqnM7vbadxnU9cLkHZIpckXkb2dDA2kjhMksWSfA+GJfRsY
XReqFYfeQhLWv4c0OWZ//ssSmGWztSVaRCX22jemUJ5MYpQHt3TYQXVpFYkaQLYH
FZHDxBFEr48Gt9bQtnBZ2fyurKX9NdzZF+WwNDuo0DShlEpJB99vYHQ/dIxzxl9R
7VOs3Cj7vvUBSIRPY9DhuhBm7tQrpCvf4w3qUBc0TD+IdPPIIf0ZqDsVUvZGM9JE
T54rnXppxNKlbW8HmYqefc2FBgjrZn08NprrAVqIVhNwFyq+8/ADqdSTTKlD9z1i
S/3Pur7ES2e15YsrjOrDJIpGl3klMrEBbz9XyEHwrTY2vrDjdqOF0NHYUaugnjSd
B+qmUtZxwSjzRok5wgQaf/EbrW78e9q1lTj97QRJfBr0A7MUpDMuQCvmsMoe2HUA
vANx7ty/ubNk/9PLTGyBHUw4/F58Bk5osibAKRmulvlO5g80FsJXEU9WWqQmIkzp
3df+cOL8ipqh0fg/PaUOBCoeVs2HqPHnewOlYRegN41FokQndsE=
=XU0g
-----END PGP SIGNATURE-----
Merge 5.4.278 into android11-5.4-lts
Changes in 5.4.278
x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
speakup: Fix sizeof() vs ARRAY_SIZE() bug
ring-buffer: Fix a race between readers and resize checks
net: smc91x: Fix m68k kernel compilation for ColdFire CPU
nilfs2: fix unexpected freezing of nilfs_segctor_sync()
nilfs2: fix potential hang in nilfs_detach_log_writer()
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
net: usb: qmi_wwan: add Telit FN920C04 compositions
drm/amd/display: Set color_mgmt_changed to true on unsuspend
ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
ASoC: da7219-aad: fix usage of device_get_named_child_node()
drm/amdkfd: Flush the process wq before creating a kfd_process
nvme: find numa distance only if controller has valid numa id
openpromfs: finish conversion to the new mount API
crypto: bcm - Fix pointer arithmetic
firmware: raspberrypi: Use correct device for DMA mappings
ecryptfs: Fix buffer size for tag 66 packet
nilfs2: fix out-of-range warning
parisc: add missing export of __cmpxchg_u8()
crypto: ccp - drop platform ifdef checks
s390/cio: fix tracepoint subchannel type field
jffs2: prevent xattr node from overflowing the eraseblock
null_blk: Fix missing mutex_destroy() at module removal
md: fix resync softlockup when bitmap size is less than array size
wifi: ath10k: poll service ready message before failing
x86/boot: Ignore relocations in .notes sections in walk_relocs() too
qed: avoid truncating work queue length
scsi: ufs: qcom: Perform read back after writing reset bit
scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
scsi: ufs: core: Perform read back after disabling interrupts
scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
irqchip/alpine-msi: Fix off-by-one in allocation error path
ACPI: disable -Wstringop-truncation
cpufreq: Reorganize checks in cpufreq_offline()
cpufreq: Split cpufreq_offline()
cpufreq: Rearrange locking in cpufreq_remove_dev()
cpufreq: exit() callback is optional
scsi: libsas: Fix the failure of adding phy with zero-address to port
scsi: hpsa: Fix allocation size for Scsi_Host private data
x86/purgatory: Switch to the position-independent small code model
wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()
wifi: ath10k: populate board data for WCN3990
tcp: minor optimization in tcp_add_backlog()
tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
tcp: avoid premature drops in tcp_add_backlog()
macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"
wifi: carl9170: add a proper sanity check for endpoints
wifi: ar5523: enable proper endpoint verification
sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
Revert "sh: Handle calling csum_partial with misaligned data"
HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
scsi: bfa: Ensure the copied buf is NUL terminated
scsi: qedf: Ensure the copied buf is NUL terminated
wifi: mwl8k: initialize cmd->addr[] properly
usb: aqc111: stop lying about skb->truesize
net: usb: sr9700: stop lying about skb->truesize
m68k: Fix spinlock race in kernel thread creation
m68k: mac: Fix reboot hang on Mac IIci
net: ethernet: cortina: Locking fixes
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
net: usb: smsc95xx: stop lying about skb->truesize
net: openvswitch: fix overwriting ct original tuple for ICMPv6
ipv6: sr: add missing seg6_local_exit
ipv6: sr: fix incorrect unregister order
ipv6: sr: fix invalid unregister error path
drm/amd/display: Fix potential index out of bounds in color transformation function
mtd: rawnand: hynix: fixed typo
fbdev: shmobile: fix snprintf truncation
drm/mediatek: Add 0 size check to mtk_drm_gem_obj
powerpc/fsl-soc: hide unused const variable
fbdev: sisfb: hide unused variables
media: ngene: Add dvb_ca_en50221_init return value check
media: radio-shark2: Avoid led_names truncations
platform/x86: wmi: Make two functions static
fbdev: sh7760fb: allow modular build
drm/arm/malidp: fix a possible null pointer dereference
ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
RDMA/hns: Use complete parentheses in macros
x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
ext4: avoid excessive credit estimate in ext4_tmpfile()
sunrpc: removed redundant procp check
SUNRPC: Fix gss_free_in_token_pages()
selftests/kcmp: Make the test output consistent and clear
selftests/kcmp: remove unused open mode
RDMA/IPoIB: Fix format truncation compilation errors
netrom: fix possible dead-lock in nr_rt_ioctl()
af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
greybus: lights: check return of get_channel_from_mode
soundwire: cadence/intel: simplify PDI/port mapping
soundwire: intel: don't filter out PDI0/1
soundwire: cadence_master: improve PDI allocation
soundwire: cadence: fix invalid PDI offset
dmaengine: idma64: Add check for dma_set_max_seg_size
firmware: dmi-id: add a release callback function
serial: max3100: Lock port->lock when calling uart_handle_cts_change()
serial: max3100: Update uart_driver_registered on driver removal
serial: max3100: Fix bitwise types
greybus: arche-ctrl: move device table to its right location
iio: pressure: dps310: support negative temperature values
microblaze: Remove gcc flag for non existing early_printk.c file
microblaze: Remove early printk call from cpuinfo-static.c
usb: gadget: u_audio: Clear uac pointer when freed.
stm class: Fix a double free in stm_register_device()
ppdev: Remove usage of the deprecated ida_simple_xx() API
ppdev: Add an error check in register_device
extcon: max8997: select IRQ_DOMAIN instead of depending on it
f2fs: fix to release node block count in error path of f2fs_new_node_page()
serial: sh-sci: protect invalidating RXDMA on shutdown
libsubcmd: Fix parse-options memory leak
Input: ims-pcu - fix printf string overflow
Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
drm/msm/dpu: Always flush the slave INTF on the CTL
um: Fix return value in ubd_init()
um: Add winch to winch_handlers before registering winch IRQ
media: stk1160: fix bounds checking in stk1160_copy_video()
scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()
powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
um: Fix the -Wmissing-prototypes warning for __switch_mm
media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
media: cec: cec-api: add locking in cec_release()
null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y
nfc: nci: Fix uninit-value in nci_rx_work
sunrpc: fix NFSACL RPC retry on soft mount
ipv6: sr: fix memleak in seg6_hmac_init_algo
params: lift param_set_uint_minmax to common code
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
openvswitch: Set the skbuff pkt_type for proper pmtud support.
arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
net: fec: avoid lock evasion when reading pps_enable
nfc: nci: Fix kcov check in nci_rx_work()
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
spi: Don't mark message DMA mapped when no transfer in it is
nvmet: fix ns enable/disable possible hang
net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion
dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
enic: Validate length of nl attributes in enic_set_vf_port
smsc95xx: remove redundant function arguments
smsc95xx: use usbnet->driver_priv
net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
net:fec: Add fec_enet_deinit()
netfilter: tproxy: bail out if IP has been disabled on the device
kconfig: fix comparison to constant symbols, 'm', 'n'
spi: stm32: Don't warn about spurious interrupts
ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
ALSA: timer: Set lower bound of start tick time
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
binder: fix max_thread type inconsistency
mmc: core: Do not force a retune before RPMB switch
io_uring: fail NOP if non-zero op flags is passed in
afs: Don't cross .backup mountpoint from backup volume
nilfs2: fix use-after-free of timer for log writer thread
vxlan: Fix regression when dropping packets due to invalid src addresses
x86/mm: Remove broken vsyscall emulation code from the page fault code
f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
media: lgdt3306a: Add a check against null-pointer-def
drm/amdgpu: add error handle to avoid out-of-bounds
ata: pata_legacy: make legacy_exit() work again
ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx
arm64: tegra: Correct Tegra132 I2C alias
md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING
wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU
arm64: dts: hi3798cv200: fix the size of GICR
media: mc: mark the media devnode as registered from the, start
media: mxl5xx: Move xpt structures off stack
media: v4l2-core: hold videodev_lock until dev reg, finishes
fbdev: savage: Handle err return when savagefb_check_var failed
KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
crypto: ecrdsa - Fix module auto-load on add_key
crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
net/ipv6: Fix route deleting failure when metric equals 0
net/9p: fix uninit-value in p9_client_rpc()
intel_th: pci: Add Meteor Lake-S CPU support
sparc64: Fix number of online CPUs
kdb: Fix buffer overflow during tab-complete
kdb: Use format-strings rather than '\0' injection in kdb_read()
kdb: Fix console handling when editing and tab-completing commands
kdb: Merge identical case statements in kdb_read()
kdb: Use format-specifiers rather than memset() for padding in kdb_read()
net: fix __dst_negative_advice() race
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
sparc: move struct termio to asm/termios.h
ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
s390/ap: Fix crash in AP internal function modify_bitmap()
nfs: fix undefined behavior in nfs_block_bits()
Linux 5.4.278
Change-Id: I0cdcfac77f01b25b5790752b68d92f1eafaa9ddd
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Carlos Llamas
|
e4daa1a1ff |
binder: fix max_thread type inconsistency
commit 42316941335644a98335f209daafa4c122f28983 upstream.
The type defined for the BINDER_SET_MAX_THREADS ioctl was changed from
size_t to __u32 in order to avoid incompatibility issues between 32 and
64-bit kernels. However, the internal types used to copy from user and
store the value were never updated. Use u32 to fix the inconsistency.
Fixes:
|
||
|
Greg Kroah-Hartman
|
85547bc085 |
Merge tag 'android11-5.4.274_r00' into branch 'android11-5.4'
This is the merge of the upstream 5.4.274 relelease into the android11-5.4 branch. Included in here are the following commits: * |
||
|
Greg Kroah-Hartman
|
65d8957031 |
This is the 5.4.275 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmYzoYAACgkQONu9yGCS
aT5Gog/8DiBn13NgIqTvlQucOpiKcQrFS6ghuLjWUj+H+toaBPCoiAaSNzDgk3a6
Vc7aW+/H6035Wpt6qmA9nr9VljS4JgHRlxPbp442zcXoaQabxXstt80s05EgC+ue
MamCnirQwtkSaHYTQDHwumyr+J73b/EM6w0MHinmKJKbmLOpF6ejt87bBN8i1i4N
0/atD79jq6l3wOIwNpJI5hIdc/OwNKnCd0M1lQL60XQgN+4Yc5Gup/BazSnVzTHN
PvkyqJOPSHcOcTkaDsS6t6RRJ5fQcHDihEPILwQuyqDbasyVULaNWxuZjVUeXbIS
rcgrlPTsJB1KjtZuGSkSCmj3FrmBBhs9Fd2HBEGE2UfShJa1c4O/Hbmq3sHvijUQ
i8Oaakkx0Z4XKiXf5djwG0QNm4vT8M+nBDNTxw+/pzWg2L0uzlpVh87YwODsrtT2
/WHQ0B1MFXncCDebweXqlxTWKRCoqR183MjMedDJt25smCKp1RZZR7pJb9c065Mn
bg2benOfKUr/+Us5oiQboV3XZkZiPc39V/E6J9NjYE62EPht6Gb/yoblFKp9t+/f
8MYPXqyAjGGXIzkqD7e1+YyOH6N/96EOZ2TrLhZiMb/3W6+dCjc1YeFtquNmaN9b
pdYhzG3qlneflRNTz/30YKIyMQE5Zv+1DMR2mpBSD4hvSEYCmE4=
=yaox
-----END PGP SIGNATURE-----
Merge 5.4.275 into android11-5.4-lts
Changes in 5.4.275
batman-adv: Avoid infinite loop trying to resize local TT
Bluetooth: Fix memory leak in hci_req_sync_complete()
nouveau: fix function cast warning
net: openvswitch: fix unwanted error log on timeout policy probing
u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file
geneve: fix header validation in geneve[6]_xmit_skb
ipv6: fib: hide unused 'pn' variable
ipv4/route: avoid unused-but-set-variable warning
ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
net/mlx5: Properly link new fs rules into the tree
af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
af_unix: Fix garbage collector racing against connect()
net: ena: Fix potential sign extension issue
btrfs: qgroup: correctly model root qgroup rsv in convert
drm/client: Fully protect modes[] with dev->mode_config.mutex
vhost: Add smp_rmb() in vhost_vq_avail_empty()
selftests: timers: Fix abs() warning in posix_timers test
x86/apic: Force native_apic_mem_read() to use the MOV instruction
btrfs: record delayed inode root in transaction
selftests/ftrace: Limit length in subsystem-enable tests
kprobes: Fix possible use-after-free issue on kprobe registration
Revert "tracing/trigger: Fix to return error if failed to alloc snapshot"
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
tun: limit printing rate when illegal packet received by tun dev
RDMA/rxe: Fix the problem "mutex_destroy missing"
RDMA/mlx5: Fix port number for counter query in multi-port configuration
drm: nv04: Fix out of bounds access
clk: Remove prepare_lock hold assertion in __clk_release()
clk: Mark 'all_lists' as const
clk: remove extra empty line
clk: Print an info line before disabling unused clocks
clk: Initialize struct clk_core kref earlier
clk: Get runtime PM before walking tree during disable_unused
x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ
binder: check offset alignment in binder_get_object()
comedi: vmk80xx: fix incomplete endpoint checking
serial/pmac_zilog: Remove flawed mitigation for rx irq flood
USB: serial: option: add Fibocom FM135-GL variants
USB: serial: option: add support for Fibocom FM650/FG650
USB: serial: option: add Lonsung U8300/U9300 product
USB: serial: option: support Quectel EM060K sub-models
USB: serial: option: add Rolling RW101-GL and RW135-GL support
USB: serial: option: add Telit FN920C04 rmnet compositions
Revert "usb: cdc-wdm: close race between read and workqueue"
usb: dwc2: host: Fix dereference issue in DDMA completion flow.
usb: Disable USB3 LPM at shutdown
speakup: Avoid crash on very long word
fs: sysfs: Fix reference leak in sysfs_break_active_protection()
nouveau: fix instmem race condition around ptr stores
nilfs2: fix OOB in nilfs_set_de_type
KVM: async_pf: Cleanup kvm_setup_async_pf()
arm64: dts: rockchip: fix alphabetical ordering RK3399 puma
arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma
arm64: dts: mediatek: mt7622: fix IR nodename
arm64: dts: mediatek: mt7622: fix ethernet controller "compatible"
arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block
arm64: dts: mt2712: add ethernet device node
arm64: dts: mediatek: mt2712: fix validation errors
ARC: [plat-hsdk]: Remove misplaced interrupt-cells property
vxlan: drop packets from invalid src-address
mlxsw: core: Unregister EMAD trap using FORWARD action
NFC: trf7970a: disable all regulators on removal
net: usb: ax88179_178a: stop lying about skb->truesize
net: gtp: Fix Use-After-Free in gtp_dellink
ipvs: Fix checksumming on GSO of SCTP packets
net: openvswitch: Fix Use-After-Free in ovs_ct_exit
mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
mlxsw: spectrum_acl_tcam: Rate limit error message
mlxsw: spectrum_acl_tcam: Fix memory leak during rehash
mlxsw: spectrum_acl_tcam: Fix warning during rehash
mlxsw: spectrum_acl_tcam: Fix incorrect list API usage
mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work
i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
iavf: Fix TC config comparison with existing adapter TC config
af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().
serial: core: Provide port lock wrappers
serial: mxs-auart: add spinlock around changing cts state
drm/amdgpu: restrict bo mapping within gpu address limits
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
drm/amdgpu: validate the parameters of bo mapping operations more clearly
Revert "crypto: api - Disallow identical driver names"
net/mlx5e: Fix a race in command alloc flow
tracing: Show size of requested perf buffer
tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together
Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853
btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
drm/amdgpu: Fix leak when GPU memory allocation fails
irqchip/gic-v3-its: Prevent double free on error
ethernet: Add helper for assigning packet type when dest address does not match device address
net: b44: set pause params only when interface is up
stackdepot: respect __GFP_NOLOCKDEP allocation flag
mtd: diskonchip: work around ubsan link failure
tcp: Clean up kernel listener's reqsk in inet_twsk_purge()
tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()
dmaengine: owl: fix register access functions
idma64: Don't try to serve interrupts when device is powered off
i2c: smbus: fix NULL function pointer dereference
HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
dm: limit the number of targets and parameter size area
udp: preserve the connected status if only UDP cmsg
serial: core: fix kernel-doc for uart_port_unlock_irqrestore()
Linux 5.4.275
Change-Id: I0ebcbc604c4ef7fb2b1ce4d7a530f57e27a74cb6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Carlos Llamas
|
68a28f551e |
binder: check offset alignment in binder_get_object()
commit aaef73821a3b0194a01bd23ca77774f704a04d40 upstream.
Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
txn") introduced changes to how binder objects are copied. In doing so,
it unintentionally removed an offset alignment check done through calls
to binder_alloc_copy_from_buffer() -> check_buffer().
These calls were replaced in binder_get_object() with copy_from_user(),
so now an explicit offset alignment check is needed here. This avoids
later complications when unwinding the objects gets harder.
It is worth noting this check existed prior to commit
|
||
|
Michael Bestas
|
6120cc56e9
|
Merge tag 'ASB-2024-04-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2024-04-01 * tag 'ASB-2024-04-05_11-5.4' of https://android.googlesource.com/kernel/common: FROMLIST: binder: check offset alignment in binder_get_object() BACKPORT: f2fs: expose # of overprivision segments ANDROID: GKI: Update symbol list for Zebra ANDROID: GKI: db845c: Update symbols list and ABI UPSTREAM: drm/msm/dsi: Enable runtime PM UPSTREAM: PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend() UPSTREAM: PM: runtime: add devm_pm_runtime_enable helper Change-Id: Ie646a1c4ae01dacb93625c5ef26283c0d9f5df33 |
||
|
Carlos Llamas
|
66f4b04cb0 |
FROMLIST: binder: check offset alignment in binder_get_object()
Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
txn") introduced changes to how binder objects are copied. In doing so,
it unintentionally removed an offset alignment check done through calls
to binder_alloc_copy_from_buffer() -> check_buffer().
These calls were replaced in binder_get_object() with copy_from_user(),
so now an explicit offset alignment check is needed here. This avoids
later complications when unwinding the objects gets harder.
It is worth noting this check existed prior to commit
|
||
|
Greg Kroah-Hartman
|
806fb883ea |
This is the 5.4.269 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmXYSHgACgkQONu9yGCS
aT74ag/6AqWJBzK/2xvUCYjfBU5+4ApFWQt47Ly9MKFhFX7YBjQGXS6av1YFA9Kw
i01R9SCpIv2eaDrM7/J0wvXGybemfvQ8VyNngG30QC/0jTc4ZAj0PEbtyHpUaz4F
HWOFfAlHAYcLQWhmjhXitoGUfeyhchWnQZpn45mkT0i3DSAEFc5gsiMlO+jaM8No
hOaAHEpGsd7zlH32NYpWrFI0i54HSCwlaHlQFJ7U+rbWyG935RdLjMAX+488R8oc
KccOj+xb4zQyASdC7qdgPz02U7Tm3UB5s0lLrviDiBrYVxSe77vw2TBEeejF+7ZE
oYqjsygRYmRbKuI55rxyxph7cT93ZctL48DZJ4fT4zVIT9kak3S/NtFs0Hyr3TkY
N6ZlDnd10cj8QsnXXtTd9QgT7Ind+3KySv7sr4a/gLO/N39EYpztrMCc/lKfG/Bu
MPDMXBrEtKkjMelcnISwac9QcOb/MAJaepCWtYgcXbEcaBP+/Or8OM0yZPOEk7SA
3CamE+ou0Ds/c6gnsBw6WDMTJd+sX6sw6+4cMEaWzaWiE12Ryc0gscCDJXjEAYzc
+47PiPijNJ+iPjsos8ZaNnTQHALemgJ4cjolHivsEvAYU1s5cyKjVEgMB1MJN8ib
y19D9L8T9BtG2ukWBxtIXMIt51VZ7B8fXodcYXbyqtV25JZj/k8=
=cJfu
-----END PGP SIGNATURE-----
Merge 5.4.269 into android11-5.4-lts
Changes in 5.4.269
PCI: mediatek: Clear interrupt status before dispatching handler
include/linux/units.h: add helpers for kelvin to/from Celsius conversion
units: Add Watt units
units: change from 'L' to 'UL'
units: add the HZ macros
serial: sc16is7xx: set safe default SPI clock frequency
spi: introduce SPI_MODE_X_MASK macro
serial: sc16is7xx: add check for unsupported SPI modes during probe
ext4: allow for the last group to be marked as trimmed
crypto: api - Disallow identical driver names
PM: hibernate: Enforce ordering during image compression/decompression
hwrng: core - Fix page fault dead lock on mmap-ed hwrng
rpmsg: virtio: Free driver_override when rpmsg_remove()
parisc/firmware: Fix F-extend for PDC addresses
arm64: dts: qcom: sdm845: fix USB wakeup interrupt types
mmc: core: Use mrq.sbc in close-ended ffu
nouveau/vmm: don't set addr on the fail path to avoid warning
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
rename(): fix the locking of subdirectories
block: Remove special-casing of compound pages
mtd: spinand: macronix: Fix MX35LFxGE4AD page size
fs: add mode_strip_sgid() helper
fs: move S_ISGID stripping into the vfs_*() helpers
powerpc: Use always instead of always-y in for crtsavres.o
x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum
net/smc: fix illegal rmb_desc access in SMC-D connection dump
vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING
llc: make llc_ui_sendmsg() more robust against bonding changes
llc: Drop support for ETH_P_TR_802_2.
net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
tracing: Ensure visibility when inserting an element into tracing_map
afs: Hide silly-rename files from userspace
tcp: Add memory barrier to tcp_push()
netlink: fix potential sleeping issue in mqueue_flush_file
net/mlx5: DR, Use the right GVMI number for drop action
net/mlx5: Use kfree(ft->g) in arfs_create_groups()
net/mlx5e: fix a double-free in arfs_create_groups
netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
netfilter: nf_tables: validate NFPROTO_* family
fjes: fix memleaks in fjes_hw_setup
net: fec: fix the unhandled context fault from smmu
btrfs: ref-verify: free ref cache before clearing mount opt
btrfs: tree-checker: fix inline ref size in error messages
btrfs: don't warn if discard range is not aligned to sector
btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args
rbd: don't move requests to the running list on errors
netfilter: nf_tables: reject QUEUE/DROP verdict parameters
gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04
drm: Don't unref the same fb many times by mistake due to deadlock handling
drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking
drm/bridge: nxp-ptn3460: simplify some error checking
drm/exynos: fix accidental on-stack copy of exynos_drm_plane
drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume
gpio: eic-sprd: Clear interrupt after set the interrupt type
spi: bcm-qspi: fix SFDP BFPT read by usig mspi read
mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan
tick/sched: Preserve number of idle sleeps across CPU hotplug events
x86/entry/ia32: Ensure s32 is sign extended to s64
powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
powerpc: Fix build error due to is_valid_bugaddr()
powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()
powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE
powerpc/lib: Validate size for vector operations
x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel
perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file
regulator: core: Only increment use_count when enable_count changes
audit: Send netlink ACK before setting connection in auditd_set
ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop
PNP: ACPI: fix fortify warning
ACPI: extlog: fix NULL pointer dereference check
FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
UBSAN: array-index-out-of-bounds in dtSplitRoot
jfs: fix slab-out-of-bounds Read in dtSearch
jfs: fix array-index-out-of-bounds in dbAdjTree
jfs: fix uaf in jfs_evict_inode
pstore/ram: Fix crash when setting number of cpus to an odd number
crypto: stm32/crc32 - fix parsing list of devices
afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()
rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()
jfs: fix array-index-out-of-bounds in diNewExt
s390/ptrace: handle setting of fpc register correctly
KVM: s390: fix setting of fpc register
SUNRPC: Fix a suspicious RCU usage warning
ecryptfs: Reject casefold directory inodes
ext4: fix inconsistent between segment fstrim and full fstrim
ext4: unify the type of flexbg_size to unsigned int
ext4: remove unnecessary check from alloc_flex_gd()
ext4: avoid online resizing failures due to oversized flex bg
wifi: rt2x00: restart beacon queue when hardware reset
selftests/bpf: satisfy compiler by having explicit return in btf test
selftests/bpf: Fix pyperf180 compilation failure with clang18
scsi: lpfc: Fix possible file string name overflow when updating firmware
PCI: Add no PM reset quirk for NVIDIA Spectrum devices
bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk
ARM: dts: imx7d: Fix coresight funnel ports
ARM: dts: imx7s: Fix lcdif compatible
ARM: dts: imx7s: Fix nand-controller #size-cells
wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
bpf: Add map and need_defer parameters to .map_fd_put_ptr()
scsi: libfc: Don't schedule abort twice
scsi: libfc: Fix up timeout error in fc_fcp_rec_error()
ARM: dts: rockchip: fix rk3036 hdmi ports node
ARM: dts: imx25/27-eukrea: Fix RTC node name
ARM: dts: imx: Use flash@0,0 pattern
ARM: dts: imx27: Fix sram node
ARM: dts: imx1: Fix sram node
ARM: dts: imx25/27: Pass timing0
ARM: dts: imx27-apf27dev: Fix LED name
ARM: dts: imx23-sansa: Use preferred i2c-gpios properties
ARM: dts: imx23/28: Fix the DMA controller node name
block: prevent an integer overflow in bvec_try_merge_hw_page
md: Whenassemble the array, consult the superblock of the freshest device
arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property
arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property
wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
wifi: cfg80211: free beacon_ies when overridden from hidden BSS
f2fs: fix to check return value of f2fs_reserve_new_block()
ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument
fast_dput(): handle underflows gracefully
RDMA/IPoIB: Fix error code return in ipoib_mcast_join
drm/drm_file: fix use of uninitialized variable
drm/framebuffer: Fix use of uninitialized variable
drm/mipi-dsi: Fix detach call without attach
media: stk1160: Fixed high volume of stk1160_dbg messages
media: rockchip: rga: fix swizzling for RGB formats
PCI: add INTEL_HDA_ARL to pci_ids.h
ALSA: hda: Intel: add HDA_ARL PCI ID support
drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time
IB/ipoib: Fix mcast list locking
media: ddbridge: fix an error code problem in ddb_probe
drm/msm/dpu: Ratelimit framedone timeout msgs
clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()
clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()
drm/amdgpu: Let KFD sync with VM fences
drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'
leds: trigger: panic: Don't register panic notifier if creating the trigger failed
um: Fix naming clash between UML and scheduler
um: Don't use vfprintf() for os_info()
um: net: Fix return type of uml_net_start_xmit()
i3c: master: cdns: Update maximum prescaler value for i2c clock
mfd: ti_am335x_tscadc: Fix TI SoC dependencies
PCI: Only override AMD USB controller if required
PCI: switchtec: Fix stdev_release() crash after surprise hot remove
usb: hub: Replace hardcoded quirk value with BIT() macro
fs/kernfs/dir: obey S_ISGID
PCI/AER: Decode Requester ID when no error info found
libsubcmd: Fix memory leak in uniq()
virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings
blk-mq: fix IO hang from sbitmap wakeup race
ceph: fix deadlock or deadcode of misusing dget()
drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()'
perf: Fix the nr_addr_filters fix
wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update
scsi: isci: Fix an error code problem in isci_io_request_build()
net: remove unneeded break
ixgbe: Remove non-inclusive language
ixgbe: Refactor returning internal error codes
ixgbe: Refactor overtemp event handling
ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()
ipv6: Ensure natural alignment of const ipv6 loopback and router addresses
llc: call sock_orphan() at release time
netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
net: ipv4: fix a memleak in ip_setup_cork
af_unix: fix lockdep positive in sk_diag_dump_icons()
net: sysfs: Fix /sys/class/net/<iface> path
HID: apple: Add support for the 2021 Magic Keyboard
HID: apple: Swap the Fn and Left Control keys on Apple keyboards
HID: apple: Add 2021 magic keyboard FN key mapping
bonding: remove print in bond_verify_device_path
dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA
dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA
phy: renesas: rcar-gen3-usb2: Fix returning wrong error code
dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV
phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
net: stmmac: xgmac: fix handling of DPP safety error for DMA channels
selftests: net: avoid just another constant wait
atm: idt77252: fix a memleak in open_card_ubr0
hwmon: (aspeed-pwm-tacho) mutex for tach reading
hwmon: (coretemp) Fix out-of-bounds memory access
hwmon: (coretemp) Fix bogus core_id to attr name mapping
inet: read sk->sk_family once in inet_recv_error()
rxrpc: Fix response to PING RESPONSE ACKs to a dead call
tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()
ppp_async: limit MRU to 64K
netfilter: nft_compat: reject unused compat flag
netfilter: nft_compat: restrict match/target protocol to u16
netfilter: nft_ct: reject direction for ct id
net/af_iucv: clean up a try_then_request_module()
USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e
USB: serial: option: add Fibocom FM101-GL variant
USB: serial: cp210x: add ID for IMST iM871A-USB
hrtimer: Report offline hrtimer enqueue
Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
vhost: use kzalloc() instead of kmalloc() followed by memset()
net: stmmac: xgmac: use #define for string constants
net: stmmac: xgmac: fix a typo of register name in DPP safety handling
netfilter: nft_set_rbtree: skip end interval element from gc
btrfs: forbid creating subvol qgroups
btrfs: forbid deleting live subvol qgroup
btrfs: send: return EOPNOTSUPP on unknown flags
of: unittest: add overlay gpio test to catch gpio hog problem
of: unittest: Fix compile in the non-dynamic case
spi: ppc4xx: Drop write-only variable
ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler
i40e: Fix waiting for queues of all VSIs to be disabled
tracing/trigger: Fix to return error if failed to alloc snapshot
mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
HID: wacom: generic: Avoid reporting a serial of '0' to userspace
HID: wacom: Do not register input devices until after hid_hw_start
USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT
usb: f_mass_storage: forbid async queue when shutdown happen
i2c: i801: Remove i801_set_block_buffer_mode
i2c: i801: Fix block process call transactions
scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock"
firewire: core: correct documentation of fw_csr_string() kernel API
kbuild: Fix changing ELF file type for output of gen_btf for big endian
nfc: nci: free rx_data_reassembly skb on NCI device cleanup
xen-netback: properly sync TX responses
ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL
binder: signal epoll threads of self-work
misc: fastrpc: Mark all sessions as invalid in cb_remove
ext4: fix double-free of blocks due to wrong extents moved_len
tracing: Fix wasted memory in saved_cmdlines logic
staging: iio: ad5933: fix type mismatch regression
iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC
ring-buffer: Clean ring_buffer_poll_wait() error return
serial: max310x: set default value when reading clock ready bit
serial: max310x: improve crystal stable clock detection
x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
mmc: slot-gpio: Allow non-sleeping GPIO ro
ALSA: hda/conexant: Add quirk for SWS JS201D
nilfs2: fix data corruption in dsync block recovery for small block sizes
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
nfp: use correct macro for LengthSelect in BAR config
nfp: flower: prevent re-adding mac index for bonded port
irqchip/irq-brcmstb-l2: Add write memory barrier before exit
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
pmdomain: core: Move the unused cleanup to a _sync initcall
tracing: Inform kmemleak of saved_cmdlines allocation
Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
bus: moxtet: Add spi device table
arch, mm: remove stale mentions of DISCONIGMEM
mips: Fix max_mapnr being uninitialized on early stages
KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache
netfilter: ipset: fix performance regression in swap operation
netfilter: ipset: Missing gc cancellations fixed
net: prevent mss overflow in skb_segment()
sched/membarrier: reduce the ability to hammer on sys_membarrier
nilfs2: fix potential bug in end_buffer_async_write
PM: runtime: add devm_pm_runtime_enable helper
PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend()
drm/msm/dsi: Enable runtime PM
lsm: new security_file_ioctl_compat() hook
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
Revert "Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting""
net: bcmgenet: Fix EEE implementation
of: unittest: fix EXPECT text for gpio hog errors
of: gpio unittest kfree() wrong object
Linux 5.4.269
Change-Id: Iedabcdbe95a83593f102e237f2a80d2fc7206669
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Carlos Llamas
|
42beab162d |
binder: signal epoll threads of self-work
commit 97830f3c3088638ff90b20dfba2eb4d487bf14d7 upstream.
In (e)poll mode, threads often depend on I/O events to determine when
data is ready for consumption. Within binder, a thread may initiate a
command via BINDER_WRITE_READ without a read buffer and then make use
of epoll_wait() or similar to consume any responses afterwards.
It is then crucial that epoll threads are signaled via wakeup when they
queue their own work. Otherwise, they risk waiting indefinitely for an
event leaving their work unhandled. What is worse, subsequent commands
won't trigger a wakeup either as the thread has pending work.
Fixes:
|
||
Bruno Martins
|
2f84185dd7 |
Merge branch 'android11-5.4-lts' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
* 'android11-5.4-lts' of https://android.googlesource.com/kernel/common: FROMGIT: clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd Linux 5.4.268 arm64: dts: armada-3720-turris-mox: set irq type for RTC perf top: Skip side-band event setup if HAVE_LIBBPF_SUPPORT is not set i2c: s3c24xx: fix transferring more than one message in polling mode i2c: s3c24xx: fix read transfers in polling mode mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure kdb: Fix a potential buffer overflow in kdb_local() kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ ipvs: avoid stat macros calls from preemptible context netfilter: nf_tables: skip dead set elements in netlink dump net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe net: ravb: Fix dma_addr_t truncation in error case net: phy: micrel: populate .soft_reset for KSZ9131 net: qualcomm: rmnet: fix global oob in rmnet_policy s390/pci: fix max size calculation in zpci_memcpy_toio() PCI: keystone: Fix race condition when initializing PHYs nvmet-tcp: Fix the H2C expected PDU len calculation serial: imx: Correct clock error message in function probe() apparmor: avoid crash when parsed profile name is empty perf env: Avoid recursively taking env->bpf_progs.lock perf bpf: Decouple creating the evlist from adding the SB event perf top: Move sb_evlist to 'struct perf_top' perf record: Move sb_evlist to 'struct record' perf env: Add perf_env__numa_node() nvmet-tcp: fix a crash in nvmet_req_complete() nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length perf genelf: Set ELF program header addresses properly software node: Let args be NULL in software_node_get_reference_args acpi: property: Let args be NULL in __acpi_node_get_property_reference serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup() MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup() mips: Fix incorrect max_low_pfn adjustment HID: wacom: Correct behavior when processing some confidence == false touches x86/kvm: Do not try to disable kvmclock if it was not enabled wifi: mwifiex: configure BSSID consistently when starting AP wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code rootfs: Fix support for rootfstype= when root= is given fbdev: flush deferred work in fb_deferred_io_fsync() ALSA: oxygen: Fix right channel of capture volume mixer usb: mon: Fix atomicity violation in mon_bin_vma_fault usb: typec: class: fix typec_altmode_put_partner to put plugs Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs" usb: chipidea: wait controller resume finished for wakeup irq Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only" Revert "usb: dwc3: Soft reset phy on probe for host" usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host() tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug binder: fix unused alloc->free_async_space binder: fix race between mmput() and do_exit() xen-netback: don't produce zero-size SKB frags Revert "ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek" Input: atkbd - use ab83 as id when skipping the getid command binder: fix use-after-free in shinker's callback binder: fix async space check for 0-sized buffers of: unittest: Fix of_count_phandle_with_args() expected value message of: Fix double free in of_parse_phandle_with_args_map mmc: sdhci_omap: Fix TI SoC dependencies clk: si5341: fix an error code problem in si5341_output_clk_set_rate watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO watchdog: set cdev owner before adding drivers: clk: zynqmp: calculate closest mux rate gpu/drm/radeon: fix two memleaks in radeon_vm_init drivers/amd/pm: fix a use-after-free in kv_parse_power_table drm/amd/pm: fix a double-free in si_dpm_init drm/amdgpu/debugfs: fix error code when smc register accessors are NULL media: dvbdev: drop refcount on error path in dvb_device_open() media: cx231xx: fix a memleak in cx231xx_init_isoc drm/bridge: tc358767: Fix return value on error case drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table drm/radeon/dpm: fix a memleak in sumo_parse_power_table drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() drm/drv: propagate errors from drm_modeset_register_all() drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks drm/msm/mdp4: flush vblank event on disable ASoC: cs35l34: Fix GPIO name and drop legacy include ASoC: cs35l33: Fix GPIO name and drop legacy include drm/radeon: check return value of radeon_ring_lock() drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() f2fs: fix to avoid dirent corruption drm/bridge: Fix typo in post_disable() description media: pvrusb2: fix use after free on context disconnection RDMA/usnic: Silence uninitialized symbol smatch warnings ARM: davinci: always select CONFIG_CPU_ARM926T ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() Bluetooth: btmtkuart: fix recv_buf() return value Bluetooth: Fix bogus check for re-auth no supported with non-ssp netfilter: nf_tables: mark newset as dead on transaction abort wifi: rtlwifi: rtl8192se: using calculate_bit_shift() wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() wifi: rtlwifi: rtl8192de: using calculate_bit_shift() rtlwifi: rtl8192de: make arrays static const, makes object smaller wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() wifi: rtlwifi: rtl8192c: using calculate_bit_shift() wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() wifi: rtlwifi: add calculate_bit_shift() dma-mapping: clear dev->dma_mem to NULL after freeing it virtio/vsock: fix logic which reduces credit update messages selftests/net: fix grep checking for fib_nexthop_multiprefix scsi: hisi_sas: Replace with standard error code return value arm64: dts: qcom: sdm845-db845c: correct LED panic indicator scsi: fnic: Return error if vmalloc() failed wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior rtlwifi: Use ffs in <foo>_phy_calculate_bit_shift firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() net/ncsi: Fix netlink major/minor version numbers ncsi: internal.h: Fix a spello ARM: dts: qcom: apq8064: correct XOADC register address wifi: libertas: stop selecting wext bpf, lpm: Fix check prefixlen before walking trie wifi: rtw88: fix RX filter in FIF_ALLMULTI flag NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT blocklayoutdriver: Fix reference leak of pnfs_device_node crypto: scomp - fix req->dst buffer overflow crypto: sahara - do not resize req->src when doing hash operations crypto: sahara - fix processing hash requests with req->nbytes < sg->length crypto: sahara - improve error handling in sahara_sha_process() crypto: sahara - fix wait_for_completion_timeout() error handling crypto: sahara - fix ahash reqsize crypto: virtio - Wait for tasklet to complete on device remove gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() crypto: sahara - fix error handling in sahara_hw_descriptor_create() crypto: sahara - fix processing requests with cryptlen < sg->length crypto: sahara - fix ahash selftest failure crypto: sahara - remove FLAGS_NEW_KEY logic crypto: af_alg - Disallow multiple in-flight AIO requests crypto: ccp - fix memleak in ccp_init_dm_workarea virtio_crypto: Introduce VIRTIO_CRYPTO_NOSPC crypto: virtio - don't use 'default m' crypto: virtio - Handle dataq logic with tasklet selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket mtd: Fix gluebi NULL pointer dereference caused by ftl notifier spi: sh-msiof: Enforce fixed DTDL for R-Car H3 calipso: fix memory leak in netlbl_calipso_add_pass() netlabel: remove unused parameter in netlbl_netlink_auditinfo() net: netlabel: Fix kerneldoc warnings ACPI: LPIT: Avoid u32 multiplication overflow ACPI: video: check for error while searching for backlight device parent mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response powerpc/imc-pmu: Add a null pointer check in update_events_in_group() powerpc/powernv: Add a null pointer check in opal_powercap_init() powerpc/powernv: Add a null pointer check in opal_event_init() powerpc/powernv: Add a null pointer check to scom_debug_init_one() selftests/powerpc: Fix error handling in FPU/VMX preemption tests powerpc/pseries/memhp: Fix access beyond end of drmem array powerpc/pseries/memhotplug: Quieten some DLPAR operations powerpc/44x: select I2C for CURRITUCK powerpc: add crtsavres.o to always-y instead of extra-y EDAC/thunderx: Fix possible out-of-bounds string access x86/lib: Fix overflow when counting digits coresight: etm4x: Fix width of CCITMIN field parport: parport_serial: Add Brainboxes device IDs and geometry parport: parport_serial: Add Brainboxes BAR details uio: Fix use-after-free in uio_open binder: fix comment on binder_alloc_new_buf() return value binder: fix trivial typo of binder_free_buf_locked() binder: use EPOLLERR from eventpoll.h ACPI: resource: Add another DMI match for the TongFang GMxXGxx drm/crtc: fix uninitialized variable use ARM: sun9i: smp: fix return code check of of_property_match_string ida: Fix crash in ida_free when the bitmap is empty Input: xpad - add Razer Wolverine V2 support ARC: fix spare error s390/scm: fix virtual vs physical address confusion Input: i8042 - add nomux quirk for Acer P459-G2-M Input: atkbd - skip ATKBD_CMD_GETID in translated mode reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning ring-buffer: Do not record in NMI if the arch does not support cmpxchg in NMI tracing: Add size check when printing trace_marker output tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing neighbour: Don't let neigh_forced_gc() disable preemption for long drm/crtc: Fix uninit-value bug in drm_mode_setcrtc jbd2: correct the printing of write_flags in jbd2_write_superblock() clk: rockchip: rk3128: Fix HCLK_OTG gate register drm/exynos: fix a wrong error checking drm/exynos: fix a potential error pointer dereference nvme: introduce helper function to get ctrl state ASoC: da7219: Support low DC impedance headset net/tg3: fix race condition in tg3_reset_task() nouveau/tu102: flush all pdbs on vmm flush ASoC: rt5650: add mutex to avoid the jack detection failure ASoC: cs43130: Fix incorrect frame delay configuration ASoC: cs43130: Fix the position of const qualifier ASoC: Intel: Skylake: mem leak in skl register function ASoC: nau8822: Fix incorrect type in assignment and cast to restricted __be16 ASoC: Intel: Skylake: Fix mem leak in few functions ALSA: hda - Fix speaker and headset mic pin config for CHUWI CoreBook XPro pinctrl: lochnagar: Don't build on MIPS f2fs: explicitly null-terminate the xattr list Revert "ipv6: make ip6_rt_gc_expire an atomic_t" Revert "ipv6: remove max_size check inline with ipv4" Linux 5.4.267 ASoC: meson: codec-glue: fix pcm format cast warning ipv6: remove max_size check inline with ipv4 ipv6: make ip6_rt_gc_expire an atomic_t net/dst: use a smaller percpu_counter batch for dst entries accounting PCI: Disable ATS for specific Intel IPU E2000 devices PCI: Extract ATS disabling to a helper function netfilter: nf_tables: Reject tables of unsupported family net: tls, update curr on splice as well ath10k: Get rid of "per_ce_irq" hw param ath10k: Keep track of which interrupts fired, don't poll them ath10k: Add interrupt summary based CE processing ath10k: Wait until copy complete is actually done before completing mmc: sdhci-sprd: Fix eMMC init failure after hw reset mmc: core: Cancel delayed work before releasing host mmc: rpmb: fixes pause retune on all RPMB partitions. mm: fix unmap_mapping_range high bits shift bug i2c: core: Fix atomic xfer check for non-preempt config firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards mm/memory-failure: check the mapcount of the precise page net: Implement missing SO_TIMESTAMPING_NEW cmsg support bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters() asix: Add check for usbnet_get_endpoints net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues net/qla3xxx: switch from 'pci_' to 'dma_' API i40e: Restore VF MSI-X state during PCI reset ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux ASoC: meson: g12a-tohdmitx: Validate written enum values ASoC: meson: g12a: extract codec-to-codec utils i40e: fix use-after-free in i40e_aqc_add_filters() net: Save and restore msg_namelen in sock_sendmsg net: bcmgenet: Fix FCS generation for fragmented skbuffs ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps can: raw: add support for SO_MARK can: raw: add support for SO_TXTIME/SCM_TXTIME net: sched: em_text: fix possible memory leak in em_text_destroy() i40e: Fix filter input checks to prevent config with invalid values nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local ANDROID: db845c: Enable device tree overlay support Linux 5.4.266 block: Don't invalidate pagecache for invalid falloc modes ring-buffer: Fix wake ups when buffer_percent is set to 100 smb: client: fix OOB in smbCalcSize() usb: fotg210-hcd: delete an incorrect bounds test x86/alternatives: Sync core before enabling interrupts net: rfkill: gpio: set GPIO direction net: 9p: avoid freeing uninit memory in p9pdu_vreadf Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent USB: serial: option: add Quectel RM500Q R13 firmware support USB: serial: option: add Foxconn T99W265 with new baseline USB: serial: option: add Quectel EG912Y module support USB: serial: ftdi_sio: update Actisense PIDs constant names wifi: cfg80211: fix certs build to not depend on file order wifi: cfg80211: Add my certificate iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma() iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() Input: ipaq-micro-keys - add error handling for devm_kmemdup iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw interconnect: Treat xlate() returning NULL node as an error btrfs: do not allow non subvolume root targets for snapshot smb: client: fix NULL deref in asn1_ber_decoder() ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB ALSA: hda/hdmi: Add quirk to force pin connectivity on NUC10 pinctrl: at91-pio4: use dedicated lock class for IRQ i2c: aspeed: Handle the coalesced stop conditions with the start conditions. afs: Fix overwriting of result of DNS query net: check dev->gso_max_size in gso_features_check() net: warn if gso_type isn't set for a GSO SKB afs: Fix dynamic root lookup DNS check afs: Fix the dynamic root's d_delete to always delete unused dentries net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() net/rose: fix races in rose_kill_by_device() ethernet: atheros: fix a memleak in atl1e_setup_ring_resources net: sched: ife: fix potential use-after-free net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors net/mlx5: Fix fw tracer first block check net/mlx5: improve some comments Revert "net/mlx5e: fix double free of encap_header" wifi: mac80211: mesh_plink: fix matches_local logic s390/vx: fix save/restore of fpu kernel context reset: Fix crash when freeing non-existent optional resets ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5 ANDROID: GKI: fix crc issue in include/net/addrconf.h Revert "cred: switch to using atomic_long_t" Linux 5.4.265 powerpc/ftrace: Fix stack teardown in ftrace_no_trace powerpc/ftrace: Create a dummy stackframe to fix stack unwind mmc: block: Be sure to wait while busy in CQE error recovery ring-buffer: Fix memory leak of free page team: Fix use-after-free when an option instance allocation fails arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS soundwire: stream: fix NULL pointer dereference for multi_link perf: Fix perf_event_validate_size() lockdep splat HID: hid-asus: add const to read-only outgoing usb buffer net: usb: qmi_wwan: claim interface 4 for ZTE MF290 asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad HID: hid-asus: reset the backlight brightness level on resume HID: add ALWAYS_POLL quirk for Apple kb platform/x86: intel_telemetry: Fix kernel doc descriptions bcache: avoid NULL checking to c->root in run_cache_set() bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() bcache: avoid oversize memory allocation by small stripe_size blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!" usb: aqc111: check packet for fixup for true limit Revert "PCI: acpiphp: Reassign resources on bridge if necessary" ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants cred: switch to using atomic_long_t appletalk: Fix Use-After-Free in atalk_ioctl net: stmmac: Handle disabled MDIO busses from devicetree net: stmmac: use dev_err_probe() for reporting mdio bus registration failure vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() sign-file: Fix incorrect return values check net: Remove acked SYN flag from packet in the transmit queue correctly qed: Fix a potential use-after-free in qed_cxt_tables_alloc net/rose: Fix Use-After-Free in rose_ioctl atm: Fix Use-After-Free in do_vcc_ioctl atm: solos-pci: Fix potential deadlock on &tx_queue_lock atm: solos-pci: Fix potential deadlock on &cli_queue_lock qca_spi: Fix reset behavior qca_debug: Fix ethtool -G iface tx behavior qca_debug: Prevent crash on TX ring changes net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX afs: Fix refcount underflow from error handling race Revert "psample: Require 'CAP_NET_ADMIN' when joining "packets" group" Revert "mmc: core: add helpers mmc_regulator_enable/disable_vqmmc" Revert "mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled" Revert "genetlink: add CAP_NET_ADMIN test for multicast bind" Revert "drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group" Revert "perf/core: Add a new read format to get a number of lost samples" Revert "perf: Fix perf_event_validate_size()" Revert "hrtimers: Push pending hrtimers away from outgoing CPU earlier" Linux 5.4.264 devcoredump: Send uevent once devcd is ready devcoredump : Serialize devcd_del work smb: client: fix potential NULL deref in parse_dfs_referrals() cifs: Fix non-availability of dedup breaking generic/304 Revert "btrfs: add dmesg output for first mount and last unmount of a filesystem" tools headers UAPI: Sync linux/perf_event.h with the kernel sources drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group psample: Require 'CAP_NET_ADMIN' when joining "packets" group genetlink: add CAP_NET_ADMIN test for multicast bind netlink: don't call ->netlink_bind with table lock held io_uring/af_unix: disable sending io_uring over sockets nilfs2: fix missing error check for sb_set_blocksize call KVM: s390/mm: Properly reset no-dat x86/CPU/AMD: Check vendor in the AMD microcode callback serial: 8250_omap: Add earlycon support for the AM654 UART controller serial: sc16is7xx: address RX timeout interrupt errata ARM: PL011: Fix DMA support usb: typec: class: fix typec_altmode_put_partner to put plugs parport: Add support for Brainboxes IX/UC/PX parallel cards usb: gadget: f_hid: fix report descriptor allocation mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled mmc: core: add helpers mmc_regulator_enable/disable_vqmmc gpiolib: sysfs: Fix error handling on failed export perf: Fix perf_event_validate_size() perf/core: Add a new read format to get a number of lost samples arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names arm64: dts: mediatek: mt7622: fix memory node warning check packet: Move reference count in packet_sock to atomic_long_t tracing: Fix a possible race when disabling buffered events tracing: Fix incomplete locking when disabling buffered events tracing: Always update snapshot buffer size nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage() ALSA: pcm: fix out-of-bounds in snd_pcm_state_names ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt ARM: dts: imx: make gpt node name generic ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle() tracing: Fix a warning when allocating buffered events fails ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate hwmon: (acpi_power_meter) Fix 4.29 MW bug RDMA/bnxt_re: Correct module description string bpf: sockmap, updating the sg structure should also update curr tcp: do not accept ACK of bytes we never sent netfilter: xt_owner: Fix for unsafe access of sk->sk_socket net: hns: fix fake link up on xge port ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() arcnet: restoring support for multiple Sohard Arcnet cards net: arcnet: com20020 fix error handling net: arcnet: Fix RESET flag handling hv_netvsc: rndis_filter needs to select NLS ipv6: fix potential NULL deref in fib6_add() of: dynamic: Fix of_reconfig_get_state_change() return value documentation of: Add missing 'Return' section in kerneldoc comments of: Fix kerneldoc output formatting of: base: Fix some formatting issues and provide missing descriptions of/irq: Make of_msi_map_rid() PCI bus agnostic of/irq: make of_msi_map_get_device_domain() bus agnostic of/iommu: Make of_map_rid() PCI agnostic ACPI/IORT: Make iort_msi_map_rid() PCI agnostic ACPI/IORT: Make iort_get_device_domain IRQ domain agnostic of: base: Add of_get_cpu_state_node() to get idle states for a CPU node drm/amdgpu: correct chunk_ptr to a pointer to chunk. kconfig: fix memory leak from range properties tg3: Increment tx_dropped in tg3_tso_bug() tg3: Move the [rt]x_dropped counters to tg3_napi netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test hrtimers: Push pending hrtimers away from outgoing CPU earlier Revert "HID: core: store the unique system identifier in hid_device" Revert "HID: fix HID device resource race between HID core and debugging support" Linux 5.4.263 mmc: block: Retry commands in CQE error recovery mmc: core: convert comma to semicolon mmc: cqhci: Fix task clearing in CQE error recovery mmc: cqhci: Warn of halt or task clear failure mmc: cqhci: Increase recovery halt timeout cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily cpufreq: imx6q: don't warn for disabling a non-existing frequency scsi: qla2xxx: Fix system crash due to bad pointer access scsi: qla2xxx: Use scsi_cmd_to_rq() instead of scsi_cmnd.request scsi: core: Introduce the scsi_cmd_to_rq() function scsi: qla2xxx: Simplify the code for aborting SCSI commands ima: detect changes to the backing overlay file ovl: skip overlayfs superblocks at global sync ima: annotate iint mutex to avoid lockdep false positive warnings fbdev: stifb: Make the STI next font pointer a 32-bit signed offset mtd: cfi_cmdset_0001: Byte swap OTP info mtd: cfi_cmdset_0001: Support the absence of protection registers s390/cmma: fix detection of DAT pages s390/mm: fix phys vs virt confusion in mark_kernel_pXd() functions family smb3: fix touch -h of symlink net: ravb: Start TX queues after HW initialization succeeded net: ravb: Use pm_runtime_resume_and_get() ravb: Fix races between ravb_tx_timeout_work() and net related ops net: stmmac: xgmac: Disable FPE MMC interrupts ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet Input: xpad - add HyperX Clutch Gladiate Support btrfs: make error messages more clear when getting a chunk map btrfs: send: ensure send_fd is writable btrfs: fix off-by-one when checking chunk map includes logical address btrfs: add dmesg output for first mount and last unmount of a filesystem powerpc: Don't clobber f0/vs0 during fp|altivec register save bcache: revert replacing IS_ERR_OR_NULL with IS_ERR dm verity: don't perform FEC for failed readahead IO dm-verity: align struct dm_verity_fec_io properly ALSA: hda/realtek: Add supported ALC257 for ChromeOS ALSA: hda/realtek: Headset Mic VREF to 100% ALSA: hda: Disable power-save on KONTRON SinglePC mmc: block: Do not lose cache flush during CQE error recovery firewire: core: fix possible memory leak in create_units() pinctrl: avoid reload of p state in list iteration io_uring: fix off-by one bvec index USB: dwc3: qcom: fix wakeup after probe deferral USB: dwc3: qcom: fix resource leaks on probe deferral usb: dwc3: set the dma max_seg_size USB: dwc2: write HCINT with INTMASK applied USB: serial: option: don't claim interface 4 for ZTE MF290 USB: serial: option: fix FM101R-GL defines USB: serial: option: add Fibocom L7xx modules bcache: prevent potential division by zero error bcache: check return value from btree_node_alloc_replacement() dm-delay: fix a race between delay_presuspend and delay_bio hv_netvsc: Mark VF as slave before exposing it to user-mode hv_netvsc: Fix race of register_netdevice_notifier and VF register USB: serial: option: add Luat Air72*U series products s390/dasd: protect device queue against concurrent access bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce() ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA KVM: arm64: limit PMU version to PMUv3 for ARMv8.1 arm64: cpufeature: Extract capped perfmon fields ext4: make sure allocate pending entry not fail ext4: fix slab-use-after-free in ext4_es_insert_extent() ext4: using nofail preallocation in ext4_es_insert_extent() ext4: using nofail preallocation in ext4_es_insert_delayed_block() ext4: using nofail preallocation in ext4_es_remove_extent() ext4: use pre-allocated es in __es_remove_extent() ext4: use pre-allocated es in __es_insert_extent() ext4: factor out __es_alloc_extent() and __es_free_extent() ext4: add a new helper to check if es must be kept MIPS: KVM: Fix a build warning about variable set but not used nvmet: nul-terminate the NQNs passed in the connect command nvmet: remove unnecessary ctrl parameter afs: Fix file locking on R/O volumes to operate in local mode afs: Return ENOENT if no cell DNS record can be found net: axienet: Fix check for partial TX checksum amd-xgbe: propagate the correct speed and duplex status amd-xgbe: handle the corner-case during tx completion amd-xgbe: handle corner-case during sfp hotplug arm/xen: fix xen_vcpu_info allocation alignment net: usb: ax88179_178a: fix failed operations during ax88179_reset ipv4: Correct/silence an endian warning in __ip_do_redirect HID: fix HID device resource race between HID core and debugging support HID: core: store the unique system identifier in hid_device drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full ata: pata_isapnp: Add missing error check for devm_ioport_map() drm/panel: simple: Fix Innolux G101ICE-L01 timings drm/panel: simple: Fix Innolux G101ICE-L01 bus flags afs: Make error on cell lookup failure consistent with OpenAFS PCI: keystone: Drop __init from ks_pcie_add_pcie_{ep,port}() RDMA/irdma: Prevent zero-length STAG registration driver core: Release all resources during unbind before updating device links ANDROID: GKI: db845c: Update symbols list and ABI on rpmsg_register_device_override Revert "tracing: Have trace_event_file have ref counters" Linux 5.4.262 netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 5.4) netfilter: nf_tables: disable toggling dormant table state more than once netfilter: nf_tables: fix table flag updates netfilter: nftables: update table flags from the commit phase netfilter: nf_tables: double hook unregistration in netns path netfilter: nf_tables: unregister flowtable hooks on netns exit netfilter: nf_tables: fix memleak when more than 255 elements expired netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction netfilter: nf_tables: defer gc run if previous batch is still pending netfilter: nf_tables: use correct lock to protect gc_list netfilter: nf_tables: GC transaction race with abort path netfilter: nf_tables: GC transaction race with netns dismantle netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path netfilter: nf_tables: remove busy mark and gc batch API netfilter: nft_set_hash: mark set element as dead when deleting from packet path netfilter: nf_tables: adapt set backend to use GC transaction API netfilter: nf_tables: GC transaction API to avoid race with control plane netfilter: nf_tables: don't skip expired elements during walk netfilter: nft_set_rbtree: fix overlap expiration walk netfilter: nft_set_rbtree: fix null deref on element insertion netfilter: nft_set_rbtree: Switch to node list walk for overlap detection netfilter: nf_tables: drop map element references from preparation phase netfilter: nftables: rename set element data activation/deactivation functions netfilter: nf_tables: pass context to nft_set_destroy() tracing: Have trace_event_file have ref counters drm/amdgpu: fix error handling in amdgpu_bo_list_get() ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks ext4: correct the start block of counting reserved clusters ext4: correct return value of ext4_convert_meta_bg ext4: correct offset of gdb backup in non meta_bg group to update_backups ext4: apply umask if ACL support is disabled Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E" nfsd: fix file memleak on client_opens_release media: venus: hfi: add checks to handle capabilities from firmware media: venus: hfi: fix the check to handle session buffer requirement media: venus: hfi_parser: Add check to keep the number of codecs within range media: sharp: fix sharp encoding media: lirc: drop trailing space from scancode transmit i2c: i801: fix potential race in i801_block_transaction_byte_by_byte net: dsa: lan9303: consequently nested-lock physical MDIO Revert ncsi: Propagate carrier gain/loss events to the NCSI controller Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables bluetooth: Add device 13d3:3571 to device tables bluetooth: Add device 0bda:887b to device tables Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559 Bluetooth: btusb: add Realtek 8822CE to usb_device_id table Bluetooth: btusb: Add flag to define wideband speech capability tty: serial: meson: fix hard LOCKUP on crtscts mode serial: meson: Use platform_get_irq() to get the interrupt tty: serial: meson: retrieve port FIFO size from DT serial: meson: remove redundant initialization of variable id ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC ALSA: info: Fix potential deadlock at disconnection parisc/pgtable: Do not drop upper 5 address bits of physical address parisc: Prevent booting 64-bit kernels on PA1.x machines i3c: master: cdns: Fix reading status register mm/cma: use nth_page() in place of direct struct page manipulation dmaengine: stm32-mdma: correct desc prep when channel running mcb: fix error handling for different scenarios when parsing i2c: core: Run atomic i2c xfer when !preemptible kernel/reboot: emergency_restart: Set correct system_state quota: explicitly forbid quota files from being encrypted jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev btrfs: don't arbitrarily slow down delalloc if we're committing PM: hibernate: Clean up sync_read handling in snapshot_write_next() PM: hibernate: Use __get_safe_page() rather than touching the list mmc: vub300: fix an error code clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks parisc/pdc: Add width field to struct pdc_model PCI: keystone: Don't discard .probe() callback PCI: keystone: Don't discard .remove() callback genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware mmc: meson-gx: Remove setting of CMD_CFG_ERROR ACPI: resource: Do IRQ override on TongFang GMxXGxx PCI/sysfs: Protect driver's D3cold preference from user space hvc/xen: fix error path in xen_hvc_init() to always register frontend driver audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare() audit: don't take task_lock() in audit_exe_compare() code path KVM: x86: Ignore MSR_AMD64_TW_CFG access KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space x86/cpu/hygon: Fix the CPU topology evaluation for real scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END randstruct: Fix gcc-plugin performance mode to stay in group media: venus: hfi: add checks to perform sanity on queue pointers cifs: spnego: add ';' in HOST_KEY_LEN tools/power/turbostat: Fix a knl bug macvlan: Don't propagate promisc change to lower dev in passthru net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors net/mlx5_core: Clean driver version and name net/mlx5e: fix double free of encap_header net: stmmac: fix rx budget limit check net: stmmac: Rework stmmac_rx() netfilter: nf_conntrack_bridge: initialize err to 0 net: ethernet: cortina: Fix MTU max setting net: ethernet: cortina: Handle large frames net: ethernet: cortina: Fix max RX frame define bonding: stop the device in bond_setup_by_slave() ptp: annotate data-race around q->head and q->tail xen/events: fix delayed eoi list handling ppp: limit MRU to 64K tipc: Fix kernel-infoleak due to uninitialized TLV value net: hns3: fix variable may not initialized problem in hns3_init_mac_addr() tty: Fix uninit-value access in ppp_sync_receive() ipvlan: add ipvlan_route_v6_outbound() helper NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO wifi: iwlwifi: Use FW rate for non-data frames pwm: Fix double shift bug ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings kgdb: Flush console before entering kgdb on panic drm/amd/display: Avoid NULL dereference of timing generator media: cobalt: Use FIELD_GET() to extract Link Width gfs2: ignore negated quota changes media: vivid: avoid integer overflow media: gspca: cpia1: shift-out-of-bounds in set_flicker i2c: sun6i-p2wi: Prevent potential division by zero usb: gadget: f_ncm: Always set current gadget in ncm_bind() tty: vcc: Add check for kstrdup() in vcc_probe() HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() atm: iphase: Do PCI error checks on own line PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields ALSA: hda: Fix possible null-ptr-deref when assigning a stream ARM: 9320/1: fix stack depot IRQ stack filter jfs: fix array-index-out-of-bounds in diAlloc jfs: fix array-index-out-of-bounds in dbFindLeaf fs/jfs: Add validity check for db_maxag and db_agpref fs/jfs: Add check for negative db_l2nbperpage RDMA/hfi1: Use FIELD_GET() to extract Link Width crypto: pcrypt - Fix hungtask for PADATA_RESET selftests/efivarfs: create-read: fix a resource leak drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 drm/komeda: drop all currently held locks if deadlock happens platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e Bluetooth: Fix double free in hci_conn_cleanup wifi: ath10k: Don't touch the CE interrupt registers after power up net: annotate data-races around sk->sk_dst_pending_confirm net: annotate data-races around sk->sk_tx_queue_mapping wifi: ath10k: fix clang-specific fortify warning wifi: ath9k: fix clang-specific fortify warnings wifi: mac80211: don't return unset power in ieee80211_get_tx_power() wifi: mac80211_hwsim: fix clang-specific fortify warning x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware clocksource/drivers/timer-imx-gpt: Fix potential memory leak perf/core: Bail out early if the request AUX area is out of bound locking/ww_mutex/test: Fix potential workqueue corruption Revert "inet: shrink struct flowi_common" Revert "ipvlan: properly track tx_errors" ANDROID: fix up rpmsg_device ABI break ANDROID: fix up platform_device ABI break Linux 5.4.261 btrfs: use u64 for buffer sizes in the tree search ioctls Revert "mmc: core: Capture correct oemid-bits for eMMC cards" fbdev: fsl-diu-fb: mark wr_reg_wa() static fbdev: imsttfb: fix a resource leak in probe fbdev: imsttfb: Fix error path of imsttfb_probe() spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate eval call-backs netfilter: xt_recent: fix (increase) ipv6 literal buffer length r8169: respect userspace disabling IFF_MULTICAST tg3: power down device only on SYSTEM_POWER_OFF net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs Fix termination state for idr_for_each_entry_ul() net: r8169: Disable multicast filter for RTL8168H and RTL8107E dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. dccp: Call security_inet_conn_request() after setting IPv4 addresses. inet: shrink struct flowi_common tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING llc: verify mac len before reading mac header Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume pwm: sti: Reduce number of allocations and drop usage of chip_data pwm: sti: Avoid conditional gotos regmap: prevent noinc writes from clobbering cache media: dvb-usb-v2: af9035: fix missing unlock media: s3c-camif: Avoid inappropriate kfree() media: bttv: fix use after free error due to btv->timeout timer pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() pcmcia: ds: fix refcount leak in pcmcia_device_add() pcmcia: cs: fix possible hung task and memory leak pccardd() rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs powerpc/pseries: fix potential memory leak in init_cpu_associativity() powerpc/imc-pmu: Use the correct spinlock initializer. powerpc/xive: Fix endian conversion size modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host f2fs: fix to initialize map.m_pblk in f2fs_precache_extents() dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc() USB: usbip: fix stub_dev hub disconnect tools: iio: iio_generic_buffer ensure alignment tools: iio: iio_generic_buffer: Fix some integer type and calculation tools: iio: privatize globals and functions in iio_generic_buffer.c file misc: st_core: Do not call kfree_skb() under spin_lock_irqsave() dmaengine: ti: edma: handle irq_of_parse_and_map() errors usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency tty: tty_jobctrl: fix pid memleak in disassociate_ctty() leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu' ledtrig-cpu: Limit to 8 CPUs leds: pwm: Don't disable the PWM when the LED should be off leds: pwm: convert to atomic PWM API leds: pwm: simplify if condition mfd: dln2: Fix double put in dln2_probe ASoC: ams-delta.c: use component after check ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails sh: bios: Revive earlyprintk support RDMA/hfi1: Workaround truncation compilation error scsi: ufs: core: Leave space for '\0' in utf8 desc string ext4: move 'ix' sanity check to corrent position ARM: 9321/1: memset: cast the constant byte to unsigned char hid: cp2112: Fix duplicate workqueue initialization HID: cp2112: Use irqchip template crypto: caam/jr - fix Chacha20 + Poly1305 self test failure crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure nd_btt: Make BTT lanes preemptible sched/rt: Provide migrate_disable/enable() inlines libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value hwrng: geode - fix accessing registers clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped firmware: ti_sci: Mark driver as non removable firmware: ti_sci: Replace HTTP links with HTTPS ones soc: qcom: llcc: Handle a second device without data corruption soc: qcom: Rename llcc-slice to llcc-qcom soc: qcom: llcc cleanup to get rid of sdm845 specific driver file ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator arm64: dts: qcom: sdm845-mtp: fix WiFi configuration drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe() drm/radeon: possible buffer overflow drm/rockchip: vop: Fix call to crtc reset helper drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs hwmon: (coretemp) Fix potentially truncated sysfs attribute name platform/x86: wmi: Fix opening of char device platform/x86: wmi: remove unnecessary initializations platform/x86: wmi: Fix probe failure when failing to register WMI devices clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data clk: npcm7xx: Fix incorrect kfree clk: keystone: pll: fix a couple NULL vs IS_ERR() checks clk: imx: Select MXC_CLK for CLK_IMX8QXP clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src clk: qcom: gcc-sm8150: use ARRAY_SIZE instead of specifying num_parents clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies regmap: debugfs: Fix a erroneous check after snprintf() ipvlan: properly track tx_errors net: add DEV_STATS_READ() helper ipv6: avoid atomic fragment on GSO packets ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias() tcp: fix cookie_init_timestamp() overflows tcp: Remove one extra ktime_get_ns() from cookie_init_timestamp chtls: fix tp->rcv_tstamp initialization r8169: fix rare issue with broken rx after link-down on RTL8125 r8169: use tp_to_dev instead of open code thermal: core: prevent potential string overflow can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on() can: dev: can_restart(): don't crash kernel if carrier is OK wifi: rtlwifi: fix EDCA limit set by BT coexistence tcp_metrics: do not create an entry from tcp_init_metrics() tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics() tcp_metrics: add missing barriers on delete wifi: mt76: mt7603: rework/fix rx pse hang check wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file() tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed i40e: fix potential memory leaks in i40e_remove() genirq/matrix: Exclude managed interrupts in irq_matrix_allocated() vfs: fix readahead(2) on block devices Linux 5.4.260 tty: 8250: Add support for Intashield IS-100 tty: 8250: Add support for Brainboxes UP cards tty: 8250: Add support for additional Brainboxes UC cards tty: 8250: Remove UC-257 and UC-431 usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device Revert "ARM: dts: Move am33xx and am43xx mmc nodes to sdhci-omap driver" nvmet-tcp: Fix a possible UAF in queue intialization setup nvmet-tcp: move send/recv error handling in the send/recv methods instead of call-sites remove the sx8 block driver ata: ahci: fix enum constants for gcc-13 net: chelsio: cxgb4: add an error code check in t4_load_phy_fw platform/mellanox: mlxbf-tmfifo: Fix a warning message platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e scsi: mpt3sas: Fix in error path fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit() ASoC: rt5650: fix the wrong result of key button netfilter: nfnetlink_log: silence bogus compiler warning spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0 fbdev: atyfb: only use ioremap_uc() on i386 and ia64 Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe irqchip/stm32-exti: add missing DT IRQ flag translation Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table x86: Fix .brk attribute in linker script rpmsg: Fix possible refcount leak in rpmsg_register_device_override() rpmsg: glink: Release driver_override rpmsg: Fix calling device_lock() on non-initialized device rpmsg: Fix kfree() of static memory on setting driver_override rpmsg: Constify local variable in field store macro driver: platform: Add helper for safer setting of driver_override ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow ext4: avoid overlapping preallocations due to overflow ext4: add two helper functions extent_logical_end() and pa_logical_end() x86/mm: Fix RESERVE_BRK() for older binutils x86/mm: Simplify RESERVE_BRK() nfsd: lock_rename() needs both directories to live on the same fs f2fs: fix to do sanity check on inode type during garbage collection smbdirect: missing rc checks while waiting for rdma events kobject: Fix slab-out-of-bounds in fill_kobj_path() arm64: fix a concurrency issue in emulation_proc_handler() drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper() x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name perf/core: Fix potential NULL deref nvmem: imx: correct nregs for i.MX6UL nvmem: imx: correct nregs for i.MX6SLL nvmem: imx: correct nregs for i.MX6ULL i2c: aspeed: Fix i2c bus hang in slave read i2c: stm32f7: Fix PEC handling in case of SMBUS transfers i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node() i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node() i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node() iio: exynos-adc: request second interupt only when touchscreen mode is used gtp: fix fragmentation needed check with gso gtp: uapi: fix GTPA_MAX tcp: fix wrong RTO timeout when received SACK reneging r8152: Cancel hw_phy_work if we have an error in probe r8152: Run the unload routine if we have errors during probe r8152: Increase USB control msg timeout to 5000ms as per spec net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show() igc: Fix ambiguity in the ethtool advertising neighbour: fix various data-races igb: Fix potential memory leak in igb_add_ethtool_nfc_entry treewide: Spelling fix in comment r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1 r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1 virtio-mmio: fix memory leak of vm_dev virtio_balloon: Fix endless deflation and inflation on arm64 mcb-lpc: Reallocate memory region to avoid memory overlapping mcb: Return actual parsed size when reading chameleon table selftests/ftrace: Add new test case which checks non unique symbol mtd: rawnand: marvell: Ensure program page operations are successful Conflicts: drivers/clk/qcom/gcc-sm8150.c drivers/net/ethernet/stmicro/stmmac/stmmac_main.c drivers/soc/qcom/Kconfig drivers/soc/qcom/Makefile drivers/soc/qcom/llcc-qcom.c drivers/usb/dwc3/core.c drivers/usb/gadget/function/f_ncm.c include/linux/soc/qcom/llcc-qcom.h include/net/netfilter/nf_tables.h mm/memory-failure.c net/netfilter/nf_tables_api.c net/netfilter/nft_set_hash.c net/netfilter/nft_set_rbtree.c Notes: * Dropped the following upstream commits: |
||
|
Greg Kroah-Hartman
|
74299cb130 |
This is the 5.4.268 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmWy4hYACgkQONu9yGCS aT7SVBAAyx1DlSyJWcqzpESH0+VfqyWHxXlKS6Ip5wT0/+t0gglIKkwU/O0FsRXw pLO24wL0+MuIzgfZZj7wieAOPlGLOonKAvvUHGEMlpfAzyKjmZuW93WLKQlA/Oec uaT2ooQevRQcgXzbuV1yN/CeCnhbtmiQdcwy6OU5QACfzguQYtDbNGpbVHJEyEIW khlr+tj1KgRMzh/Sx76RPg4C/hkZBHun3tPcE0lTg+5QZDSkUj5gEdhVOSG2qmSh Lj9zt/isY3v6Whixel9YoTLr9SukI7ZlKzMrH1kSbGtTW3uZqgqB+7wCi1tWoNE1 Zwu9/kUe1dU1kfwYW8AA5OwupjBjADVnZZx1cKN3nQZG2J8bSKHwHmuZPx3DGhJ1 sxlaQ0nGvcEbCKljlIqsHzx2U22YKk939mVz5Y+MZYT5uwWRHI+iH4yRW97putSP t8tb3uX69Gsl6B+gLu38Mr7kkwyY06xmMnc5dfNCPwh8SxLj3dG7Gft90CNq1JKT q2cwlMEcDZRlC08kwzD7pRehZ6hYLRlTOv8yhQsQefcfzrtsT18Cec5TI2k72NOe fbIY8us3Qsr8JVSYuObGqT8LmkX9pkmRozEXgENvwltijEsWULoO2Hs+Z/yD07z8 RYqtxWxVxFVeHTkrXbbMUTZWhFx5LE+rtxCySpfeFkv0WgRRwa8= =vkKq -----END PGP SIGNATURE----- Merge 5.4.268 into android11-5.4-lts Changes in 5.4.268 f2fs: explicitly null-terminate the xattr list pinctrl: lochnagar: Don't build on MIPS ALSA: hda - Fix speaker and headset mic pin config for CHUWI CoreBook XPro ASoC: Intel: Skylake: Fix mem leak in few functions ASoC: nau8822: Fix incorrect type in assignment and cast to restricted __be16 ASoC: Intel: Skylake: mem leak in skl register function ASoC: cs43130: Fix the position of const qualifier ASoC: cs43130: Fix incorrect frame delay configuration ASoC: rt5650: add mutex to avoid the jack detection failure nouveau/tu102: flush all pdbs on vmm flush net/tg3: fix race condition in tg3_reset_task() ASoC: da7219: Support low DC impedance headset nvme: introduce helper function to get ctrl state drm/exynos: fix a potential error pointer dereference drm/exynos: fix a wrong error checking clk: rockchip: rk3128: Fix HCLK_OTG gate register jbd2: correct the printing of write_flags in jbd2_write_superblock() drm/crtc: Fix uninit-value bug in drm_mode_setcrtc neighbour: Don't let neigh_forced_gc() disable preemption for long tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing tracing: Add size check when printing trace_marker output ring-buffer: Do not record in NMI if the arch does not support cmpxchg in NMI reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning Input: atkbd - skip ATKBD_CMD_GETID in translated mode Input: i8042 - add nomux quirk for Acer P459-G2-M s390/scm: fix virtual vs physical address confusion ARC: fix spare error Input: xpad - add Razer Wolverine V2 support ida: Fix crash in ida_free when the bitmap is empty ARM: sun9i: smp: fix return code check of of_property_match_string drm/crtc: fix uninitialized variable use ACPI: resource: Add another DMI match for the TongFang GMxXGxx binder: use EPOLLERR from eventpoll.h binder: fix trivial typo of binder_free_buf_locked() binder: fix comment on binder_alloc_new_buf() return value uio: Fix use-after-free in uio_open parport: parport_serial: Add Brainboxes BAR details parport: parport_serial: Add Brainboxes device IDs and geometry coresight: etm4x: Fix width of CCITMIN field x86/lib: Fix overflow when counting digits EDAC/thunderx: Fix possible out-of-bounds string access powerpc: add crtsavres.o to always-y instead of extra-y powerpc/44x: select I2C for CURRITUCK powerpc/pseries/memhotplug: Quieten some DLPAR operations powerpc/pseries/memhp: Fix access beyond end of drmem array selftests/powerpc: Fix error handling in FPU/VMX preemption tests powerpc/powernv: Add a null pointer check to scom_debug_init_one() powerpc/powernv: Add a null pointer check in opal_event_init() powerpc/powernv: Add a null pointer check in opal_powercap_init() powerpc/imc-pmu: Add a null pointer check in update_events_in_group() mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response ACPI: video: check for error while searching for backlight device parent ACPI: LPIT: Avoid u32 multiplication overflow net: netlabel: Fix kerneldoc warnings netlabel: remove unused parameter in netlbl_netlink_auditinfo() calipso: fix memory leak in netlbl_calipso_add_pass() spi: sh-msiof: Enforce fixed DTDL for R-Car H3 mtd: Fix gluebi NULL pointer dereference caused by ftl notifier selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket crypto: virtio - Handle dataq logic with tasklet crypto: virtio - don't use 'default m' virtio_crypto: Introduce VIRTIO_CRYPTO_NOSPC crypto: ccp - fix memleak in ccp_init_dm_workarea crypto: af_alg - Disallow multiple in-flight AIO requests crypto: sahara - remove FLAGS_NEW_KEY logic crypto: sahara - fix ahash selftest failure crypto: sahara - fix processing requests with cryptlen < sg->length crypto: sahara - fix error handling in sahara_hw_descriptor_create() pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump crypto: virtio - Wait for tasklet to complete on device remove crypto: sahara - fix ahash reqsize crypto: sahara - fix wait_for_completion_timeout() error handling crypto: sahara - improve error handling in sahara_sha_process() crypto: sahara - fix processing hash requests with req->nbytes < sg->length crypto: sahara - do not resize req->src when doing hash operations crypto: scomp - fix req->dst buffer overflow blocklayoutdriver: Fix reference leak of pnfs_device_node NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT wifi: rtw88: fix RX filter in FIF_ALLMULTI flag bpf, lpm: Fix check prefixlen before walking trie wifi: libertas: stop selecting wext ARM: dts: qcom: apq8064: correct XOADC register address ncsi: internal.h: Fix a spello net/ncsi: Fix netlink major/minor version numbers firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() rtlwifi: Use ffs in <foo>_phy_calculate_bit_shift wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior scsi: fnic: Return error if vmalloc() failed arm64: dts: qcom: sdm845-db845c: correct LED panic indicator scsi: hisi_sas: Replace with standard error code return value selftests/net: fix grep checking for fib_nexthop_multiprefix virtio/vsock: fix logic which reduces credit update messages dma-mapping: clear dev->dma_mem to NULL after freeing it wifi: rtlwifi: add calculate_bit_shift() wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() wifi: rtlwifi: rtl8192c: using calculate_bit_shift() wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() rtlwifi: rtl8192de: make arrays static const, makes object smaller wifi: rtlwifi: rtl8192de: using calculate_bit_shift() wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() wifi: rtlwifi: rtl8192se: using calculate_bit_shift() netfilter: nf_tables: mark newset as dead on transaction abort Bluetooth: Fix bogus check for re-auth no supported with non-ssp Bluetooth: btmtkuart: fix recv_buf() return value ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() ARM: davinci: always select CONFIG_CPU_ARM926T RDMA/usnic: Silence uninitialized symbol smatch warnings media: pvrusb2: fix use after free on context disconnection drm/bridge: Fix typo in post_disable() description f2fs: fix to avoid dirent corruption drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() drm/radeon: check return value of radeon_ring_lock() ASoC: cs35l33: Fix GPIO name and drop legacy include ASoC: cs35l34: Fix GPIO name and drop legacy include drm/msm/mdp4: flush vblank event on disable drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks drm/drv: propagate errors from drm_modeset_register_all() drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() drm/radeon/dpm: fix a memleak in sumo_parse_power_table drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table drm/bridge: tc358767: Fix return value on error case media: cx231xx: fix a memleak in cx231xx_init_isoc media: dvbdev: drop refcount on error path in dvb_device_open() drm/amdgpu/debugfs: fix error code when smc register accessors are NULL drm/amd/pm: fix a double-free in si_dpm_init drivers/amd/pm: fix a use-after-free in kv_parse_power_table gpu/drm/radeon: fix two memleaks in radeon_vm_init drivers: clk: zynqmp: calculate closest mux rate watchdog: set cdev owner before adding watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling clk: si5341: fix an error code problem in si5341_output_clk_set_rate mmc: sdhci_omap: Fix TI SoC dependencies of: Fix double free in of_parse_phandle_with_args_map of: unittest: Fix of_count_phandle_with_args() expected value message binder: fix async space check for 0-sized buffers binder: fix use-after-free in shinker's callback Input: atkbd - use ab83 as id when skipping the getid command Revert "ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek" xen-netback: don't produce zero-size SKB frags binder: fix race between mmput() and do_exit() binder: fix unused alloc->free_async_space tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host() usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart Revert "usb: dwc3: Soft reset phy on probe for host" Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only" usb: chipidea: wait controller resume finished for wakeup irq Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs" usb: typec: class: fix typec_altmode_put_partner to put plugs usb: mon: Fix atomicity violation in mon_bin_vma_fault ALSA: oxygen: Fix right channel of capture volume mixer fbdev: flush deferred work in fb_deferred_io_fsync() rootfs: Fix support for rootfstype= when root= is given wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors wifi: mwifiex: configure BSSID consistently when starting AP x86/kvm: Do not try to disable kvmclock if it was not enabled HID: wacom: Correct behavior when processing some confidence == false touches mips: Fix incorrect max_low_pfn adjustment MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup() MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup() serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed acpi: property: Let args be NULL in __acpi_node_get_property_reference software node: Let args be NULL in software_node_get_reference_args perf genelf: Set ELF program header addresses properly nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length nvmet-tcp: fix a crash in nvmet_req_complete() perf env: Add perf_env__numa_node() perf record: Move sb_evlist to 'struct record' perf top: Move sb_evlist to 'struct perf_top' perf bpf: Decouple creating the evlist from adding the SB event perf env: Avoid recursively taking env->bpf_progs.lock apparmor: avoid crash when parsed profile name is empty serial: imx: Correct clock error message in function probe() nvmet-tcp: Fix the H2C expected PDU len calculation PCI: keystone: Fix race condition when initializing PHYs s390/pci: fix max size calculation in zpci_memcpy_toio() net: qualcomm: rmnet: fix global oob in rmnet_policy net: phy: micrel: populate .soft_reset for KSZ9131 net: ravb: Fix dma_addr_t truncation in error case net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe netfilter: nf_tables: skip dead set elements in netlink dump ipvs: avoid stat macros calls from preemptible context kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ kdb: Fix a potential buffer overflow in kdb_local() mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure i2c: s3c24xx: fix read transfers in polling mode i2c: s3c24xx: fix transferring more than one message in polling mode perf top: Skip side-band event setup if HAVE_LIBBPF_SUPPORT is not set arm64: dts: armada-3720-turris-mox: set irq type for RTC Linux 5.4.268 Change-Id: I347fc44c3a9947e2b7cb476d622adca58677f78a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Carlos Llamas
|
5c3d4930c7 |
binder: fix unused alloc->free_async_space
commit c6d05e0762ab276102246d24affd1e116a46aa0c upstream. Each transaction is associated with a 'struct binder_buffer' that stores the metadata about its buffer area. Since commit |
||
|
Carlos Llamas
|
252a2a5569 |
binder: fix race between mmput() and do_exit()
commit 9a9ab0d963621d9d12199df9817e66982582d5a5 upstream.
Task A calls binder_update_page_range() to allocate and insert pages on
a remote address space from Task B. For this, Task A pins the remote mm
via mmget_not_zero() first. This can race with Task B do_exit() and the
final mmput() refcount decrement will come from Task A.
Task A | Task B
------------------+------------------
mmget_not_zero() |
| do_exit()
| exit_mm()
| mmput()
mmput() |
exit_mmap() |
remove_vma() |
fput() |
In this case, the work of ____fput() from Task B is queued up in Task A
as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup
work gets executed. However, Task A instead sleep, waiting for a reply
from Task B that never comes (it's dead).
This means the binder_deferred_release() is blocked until an unrelated
binder event forces Task A to go back to userspace. All the associated
death notifications will also be delayed until then.
In order to fix this use mmput_async() that will schedule the work in
the corresponding mm->async_put_work WQ instead of Task A.
Fixes:
|
||
|
Carlos Llamas
|
a53e15e592 |
binder: fix use-after-free in shinker's callback
commit 3f489c2067c5824528212b0fc18b28d51332d906 upstream. The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit |
||
|
Carlos Llamas
|
fc1119a3c6 |
binder: fix async space check for 0-sized buffers
commit 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb upstream.
Move the padding of 0-sized buffers to an earlier stage to account for
this round up during the alloc->free_async_space check.
Fixes:
|
||
|
Carlos Llamas
|
da488e1aad |
binder: fix comment on binder_alloc_new_buf() return value
commit e1090371e02b601cbfcea175c2a6cc7c955fa830 upstream.
Update the comments of binder_alloc_new_buf() to reflect that the return
value of the function is now ERR_PTR(-errno) on failure.
No functional changes in this patch.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Carlos Llamas
|
a92b2797ca |
binder: fix trivial typo of binder_free_buf_locked()
commit 122a3c1cb0ff304c2b8934584fcfea4edb2fe5e3 upstream. Fix minor misspelling of the function in the comment section. No functional changes in this patch. Cc: stable@vger.kernel.org Fixes: 0f966cba95c7 ("binder: add flag to clear buffer on txn complete") Reviewed-by: Alice Ryhl <aliceryhl@google.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20231201172212.1813387-7-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Carlos Llamas
|
9774dabad7 |
binder: use EPOLLERR from eventpoll.h
commit 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 upstream.
Use EPOLLERR instead of POLLERR to make sure it is cast to the correct
__poll_t type. This fixes the following sparse issue:
drivers/android/binder.c:5030:24: warning: incorrect type in return expression (different base types)
drivers/android/binder.c:5030:24: expected restricted __poll_t
drivers/android/binder.c:5030:24: got int
Fixes:
|
||
|
Michael Bestas
|
6ef34c09c6
|
Merge tag 'ASB-2023-10-06_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2023-10-01
* tag 'ASB-2023-10-06_11-5.4' of https://android.googlesource.com/kernel/common:
UPSTREAM: arm64: efi: Make efi_rt_lock a raw_spinlock
UPSTREAM: net: sched: sch_qfq: Fix UAF in qfq_dequeue()
UPSTREAM: net/sched: sch_hfsc: Ensure inner classes have fsc curve
UPSTREAM: net/sched: sch_qfq: account for stab overhead in qfq_enqueue
UPSTREAM: netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
UPSTREAM: af_unix: Fix null-ptr-deref in unix_stream_sendpage().
Linux 5.4.254
sch_netem: fix issues in netem_change() vs get_dist_table()
alpha: remove __init annotation from exported page_is_ram()
scsi: core: Fix possible memory leak if device_add() fails
scsi: snic: Fix possible memory leak if device_add() fails
scsi: 53c700: Check that command slot is not NULL
scsi: storvsc: Fix handling of virtual Fibre Channel timeouts
scsi: core: Fix legacy /proc parsing buffer overflow
netfilter: nf_tables: report use refcount overflow
nvme-rdma: fix potential unbalanced freeze & unfreeze
nvme-tcp: fix potential unbalanced freeze & unfreeze
btrfs: set cache_block_group_error if we find an error
btrfs: don't stop integrity writeback too early
ibmvnic: Handle DMA unmapping of login buffs in release functions
net/mlx5: Allow 0 for total host VFs
dmaengine: mcf-edma: Fix a potential un-allocated memory access
wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
IB/hfi1: Fix possible panic during hotplug remove
drivers: net: prevent tun_build_skb() to exceed the packet size limit
dccp: fix data-race around dp->dccps_mss_cache
bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
net/packet: annotate data-races around tp->status
mISDN: Update parameter type of dsp_cmx_send()
selftests/rseq: Fix build with undefined __weak
drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes
x86: Move gds_ucode_mitigated() declaration to header
x86/mm: Fix VDSO and VVAR placement on 5-level paging machines
x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405
usb: common: usb-conn-gpio: Prevent bailing out if initial role is none
usb: dwc3: Properly handle processing of pending events
usb-storage: alauda: Fix uninit-value in alauda_check_media()
binder: fix memory leak in binder_init()
iio: cros_ec: Fix the allocation size for cros_ec_command
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
x86/pkeys: Revert
|
||
|
Greg Kroah-Hartman
|
38b412a16c |
This is the 5.4.254 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmTc9xQACgkQONu9yGCS
aT4VrQ//aeDhl35R4kgB8ZYcv2EHa9DgE+cDkFYIUruQ029jPET1NkMuXMiWys2K
trzC5VCAawfac8jHR4kAetP2W6ydHgSQprtUxjgjIwKlPgiFQOla5/DXNqMGTv9Y
fFKcIfgpef9OkvPr46LHf1S4i3H8vaVu3pN40gEnIAPu4Rgz3wvbmi6BoSTszThI
MrbOu70iRxVxF8+3HR8G3Ja6bly4dTl2Y36P6G+JPAQc8+X9RT1Yv39kiAg7TSzP
i/SIn2G5pNu2+BMcxUn0SO13YXPYIGQTZ6xLX13QIDEuoqQRjDB9vZPaKoSm7170
Nh1JjvUXy72/zvDJYJWzbrL/o4AfS2tHBNTUq5loXO4LPvbmg18g3Xysuk6vRBmG
NjOpbG9PK3MCwWEQIdEAgtFF6hw74MF/UM7b1Tty3FAaWf4Ca75vY5acqSy4Fhbx
KuBnNGZTaRJRCUFeEBtAz8sIeFCclfuSpBhrQzj8zCkDT59PuiWJ7wyW1yAizMtE
VNvDJFxdQXtU06AHWJxp9msWiXYBZbFfk75MVTxnZLS3SDJuJ40fDjjGCM4WciMg
gBLS+v4tO67KEuhj8t50WJW4Kk7P1Q0j3QkItHOMMRpsJQZF3z8rqEqthAacEaAH
hVvB2OxpXicqpHwrFW3DZuxzgfJd6sofaKq85/2I7FullRyXVjg=
=6G08
-----END PGP SIGNATURE-----
Merge 5.4.254 into android11-5.4-lts
Changes in 5.4.254
mmc: moxart: read scr register without changing byte order
ipv6: adjust ndisc_is_useropt() to also return true for PIO
dmaengine: pl330: Return DMA_PAUSED when transaction is paused
drm/nouveau/gr: enable memory loads on helper invocation on all channels
radix tree test suite: fix incorrect allocation size for pthreads
x86/pkeys: Revert
|
||
Qi Zheng
|
b97dad01c1 |
binder: fix memory leak in binder_init()
commit adb9743d6a08778b78d62d16b4230346d3508986 upstream.
In binder_init(), the destruction of binder_alloc_shrinker_init() is not
performed in the wrong path, which will cause memory leaks. So this commit
introduces binder_alloc_shrinker_exit() and calls it in the wrong path to
fix that.
Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Fixes:
|
||
|
Michael Bestas
|
a8a0447e0d
|
Merge tag 'ASB-2023-06-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2023-06-01 * tag 'ASB-2023-06-05_11-5.4' of https://android.googlesource.com/kernel/common: UPSTREAM: io_uring: have io_kill_timeout() honor the request references UPSTREAM: io_uring: don't drop completion lock before timer is fully initialized UPSTREAM: io_uring: always grab lock in io_cancel_async_work() UPSTREAM: net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize UPSTREAM: cdc_ncm: Fix the build warning UPSTREAM: cdc_ncm: Implement the 32-bit version of NCM Transfer Block UPSTREAM: ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum UPSTREAM: ext4: fix invalid free tracking in ext4_xattr_move_to_block() Revert "Revert "mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse"" FROMLIST: binder: fix UAF caused by faulty buffer cleanup Linux 5.4.242 ASN.1: Fix check for strdup() success iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger() pwm: meson: Explicitly set .polarity in .get_state() xfs: fix forkoff miscalculation related to XFS_LITINO(mp) sctp: Call inet6_destroy_sock() via sk->sk_destruct(). dccp: Call inet6_destroy_sock() via sk->sk_destruct(). inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM). ext4: fix use-after-free in ext4_xattr_set_entry ext4: remove duplicate definition of ext4_xattr_ibody_inline_set() Revert "ext4: fix use-after-free in ext4_xattr_set_entry" x86/purgatory: Don't generate debug info for purgatory.ro MIPS: Define RUNTIME_DISCARD_EXIT in LD script mmc: sdhci_am654: Set HIGH_SPEED_ENA for SDR12 and SDR25 memstick: fix memory leak if card device is never registered nilfs2: initialize unused bytes in segment summary blocks iio: light: tsl2772: fix reading proximity-diodes from device tree xen/netback: use same error messages for same errors nvme-tcp: fix a possible UAF when failing to allocate an io queue s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling net: dsa: b53: mmap: add phy ops scsi: core: Improve scsi_vpd_inquiry() checks scsi: megaraid_sas: Fix fw_crash_buffer_show() selftests: sigaltstack: fix -Wuninitialized Input: i8042 - add quirk for Fujitsu Lifebook A574/H f2fs: Fix f2fs_truncate_partial_nodes ftrace event e1000e: Disable TSO on i219-LM card to increase speed bpf: Fix incorrect verifier pruning due to missing register precision taints mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next() i40e: fix i40e_setup_misc_vector() error handling i40e: fix accessing vsi->active_filters without holding lock netfilter: nf_tables: fix ifdef to also consider nf_tables=m virtio_net: bugfix overflow inside xdp_linearize_page() net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg regulator: fan53555: Explicitly include bits header netfilter: br_netfilter: fix recent physdev match breakage arm64: dts: meson-g12-common: specify full DMC range ARM: dts: rockchip: fix a typo error for rk3288 spdif node Linux 5.4.241 xfs: force log and push AIL to clear pinned inodes when aborting mount xfs: don't reuse busy extents on extent trim xfs: consider shutdown in bmapbt cursor delete assert xfs: shut down the filesystem if we screw up quota reservation xfs: report corruption only as a regular error xfs: set inode size after creating symlink xfs: fix up non-directory creation in SGID directories xfs: remove the di_version field from struct icdinode xfs: simplify a check in xfs_ioctl_setattr_check_cowextsize xfs: simplify di_flags2 inheritance in xfs_ialloc xfs: only check the superblock version for dinode size calculation xfs: add a new xfs_sb_version_has_v3inode helper xfs: remove the kuid/kgid conversion wrappers xfs: remove the icdinode di_uid/di_gid members xfs: ensure that the inode uid/gid match values match the icdinode ones xfs: merge the projid fields in struct xfs_icdinode xfs: show the proper user quota options coresight-etm4: Fix for() loop drvdata->nr_addr_cmp range bug watchdog: sbsa_wdog: Make sure the timeout programming is within the limits i2c: ocores: generate stop condition after timeout in polling mode ubi: Fix deadlock caused by recursively holding work_sem mtd: ubi: wl: Fix a couple of kernel-doc issues ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size asymmetric_keys: log on fatal failures in PE/pkcs7 verify_pefile: relax wrapper length check drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L i2c: imx-lpi2c: clean rx/tx buffers upon new message power: supply: cros_usbpd: reclassify "default case!" as debug net: macb: fix a memory corruption in extended buffer descriptor mode udp6: fix potential access to stale information RDMA/core: Fix GID entry ref leak when create_ah fails sctp: fix a potential overflow in sctp_ifwdtsn_skip qlcnic: check pci_reset_function result niu: Fix missing unwind goto in niu_alloc_channels() 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition mtd: rawnand: stm32_fmc2: remove unsupported EDO mode mtd: rawnand: meson: fix bitmask for length in command word mtdblock: tolerate corrected bit-flips btrfs: fix fast csum implementation detection btrfs: print checksum type and implementation at mount time Bluetooth: Fix race condition in hidp_session_thread Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards ALSA: firewire-tascam: add missing unwind goto in snd_tscm_stream_start_duplex() ALSA: i2c/cs8427: fix iec958 mixer control deactivation ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard ALSA: emu10k1: fix capture interrupt handler unlinking Revert "pinctrl: amd: Disable and mask interrupts on resume" irqdomain: Fix mapping-creation race irqdomain: Refactor __irq_domain_alloc_irqs() irqdomain: Look for existing mapping only once mm/swap: fix swap_info_struct race between swapoff and get_swap_pages() ring-buffer: Fix race while reader and writer are on the same page drm/panfrost: Fix the panfrost_mmu_map_fault_addr() error path net_sched: prevent NULL dereference if default qdisc setup failed tracing: Free error logs of tracing instances can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access ftrace: Mark get_lock_parent_ip() __always_inline perf/core: Fix the same task check in perf_event_set_output ALSA: hda/realtek: Add quirk for Clevo X370SNW nilfs2: fix sysfs interface lifetime nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() tty: serial: fsl_lpuart: avoid checking for transfer complete when UARTCTRL_SBK is asserted in lpuart32_tx_empty tty: serial: sh-sci: Fix Rx on RZ/G2L SCI tty: serial: sh-sci: Fix transmit end interrupt handler iio: dac: cio-dac: Fix max DAC write value check for 12-bit iio: adc: ti-ads7950: Set `can_sleep` flag for GPIO chip USB: serial: option: add Quectel RM500U-CN modem USB: serial: option: add Telit FE990 compositions usb: typec: altmodes/displayport: Fix configure initial pin assignment USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough iommu NFSD: callback request does not use correct credential for AUTH_SYS sunrpc: only free unix grouplist after RCU settles gpio: davinci: Add irq chip flag to skip set wake ipv6: Fix an uninit variable access bug in __ip6_make_skb() sctp: check send stream number after wait_for_sndbuf net: don't let netpoll invoke NAPI if in xmit context icmp: guard against too small mtu wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta pwm: sprd: Explicitly set .polarity in .get_state() pwm: cros-ec: Explicitly set .polarity in .get_state() pinctrl: amd: Disable and mask interrupts on resume pinctrl: amd: disable and mask interrupts on probe pinctrl: amd: Use irqchip template smb3: fix problem with null cifs super block with previous patch treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD() Revert "treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()" cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() x86/PCI: Add quirk for AMD XHCI controller that loses MSI-X state in D3hot scsi: ses: Handle enclosure with just a primary component gracefully Linux 5.4.240 gfs2: Always check inode size of inline inodes firmware: arm_scmi: Fix device node validation for mailbox transport net: sched: fix race condition in qdisc_graft() net_sched: add __rcu annotation to netdev->qdisc ext4: fix kernel BUG in 'ext4_write_inline_data_end()' btrfs: scan device in non-exclusive mode s390/uaccess: add missing earlyclobber annotations to __clear_user() drm/etnaviv: fix reference leak when mmaping imported buffer ALSA: usb-audio: Fix regression on detection of Roland VS-100 ALSA: hda/conexant: Partial revert of a quirk for Lenovo NFSv4: Fix hangs when recovering open state after a server reboot pinctrl: at91-pio4: fix domain name assignment xen/netback: don't do grant copy across page boundary Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL cifs: prevent infinite recursion in CIFSGetDFSRefer() Input: focaltech - use explicitly signed char type Input: alps - fix compatibility with -funsigned-char pinctrl: ocelot: Fix alt mode for ocelot net: mvneta: make tx buffer array agnostic net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only bnxt_en: Fix typo in PCI id to device description string mapping i40e: fix registers dump after run ethtool adapter self test s390/vfio-ap: fix memory leak in vfio_ap device driver can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write net/net_failover: fix txq exceeding warning regulator: Handle deferred clk regulator: fix spelling mistake "Cant" -> "Can't" ptp_qoriq: fix memory leak in probe() scsi: megaraid_sas: Fix crash after a double completion mtd: rawnand: meson: invalidate cache on polling ECC bit mips: bmips: BCM6358: disable RAC flush for TP1 dma-mapping: drop the dev argument to arch_sync_dma_for_* ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx() fbdev: au1200fb: Fix potential divide by zero fbdev: lxfb: Fix potential divide by zero fbdev: intelfb: Fix potential divide by zero fbdev: nvidia: Fix potential divide by zero sched_getaffinity: don't assume 'cpumask_size()' is fully initialized fbdev: tgafb: Fix potential divide by zero ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() ALSA: asihpi: check pao in control_message() md: avoid signed overflow in slot_store() bus: imx-weim: fix branch condition evaluates to a garbage value fsverity: don't drop pagecache at end of FS_IOC_ENABLE_VERITY ocfs2: fix data corruption after failed write tun: avoid double free in tun_free_netdev sched/fair: Sanitize vruntime of entity being migrated sched/fair: sanitize vruntime of entity being placed dm crypt: add cond_resched() to dmcrypt_write() dm stats: check for and propagate alloc_percpu failure i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() wifi: mac80211: fix qos on mesh interfaces usb: chipidea: core: fix possible concurrent when switch role usb: chipdea: core: fix return -EINVAL if request role is the same with current role usb: cdns3: Fix issue with using incorrect PCI device function dm thin: fix deadlock when swapping to thin device igb: revert rtnl_lock() that causes deadlock fsverity: Remove WQ_UNBOUND from fsverity read workqueue usb: gadget: u_audio: don't let userspace block driver unbind scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR cifs: empty interface list when server doesn't support query interfaces sh: sanitize the flags on sigreturn net: usb: qmi_wwan: add Telit 0x1080 composition net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 scsi: lpfc: Avoid usage of list iterator variable after loop scsi: ufs: core: Add soft dependency on governor_simpleondemand scsi: target: iscsi: Fix an error message in iscsi_check_key() selftests/bpf: check that modifier resolves after pointer m68k: Only force 030 bus error if PC not in exception table ca8210: fix mac_len negative array access riscv: Bump COMMAND_LINE_SIZE value to 1024 thunderbolt: Use const qualifier for `ring_interrupt_index` uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 scsi: qla2xxx: Perform lockless command completion in abort path hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work Bluetooth: btqcomsmd: Fix command timeout after setting BD address net: mdio: thunder: Add missing fwnode_handle_put() hvc/xen: prevent concurrent accesses to the shared ring nvme-tcp: fix nvme_tcp_term_pdu to match spec net/sonic: use dma_mapping_error() for error check erspan: do not use skb_mac_header() in ndo_start_xmit() atm: idt77252: fix kmemleak when rmmod idt77252 net/mlx5: Read the TC mapping of all priorities on ETS query bpf: Adjust insufficient default bpf_jit_limit keys: Do not cache key in task struct if key is requested from kernel thread net/ps3_gelic_net: Use dma_mapping_error net/ps3_gelic_net: Fix RX sk_buff length net: qcom/emac: Fix use after free bug in emac_remove due to race condition xirc2ps_cs: Fix use after free bug in xirc2ps_detach qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info net: usb: smsc95xx: Limit packet length to skb->len scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() i2c: imx-lpi2c: check only for enabled interrupt flags igbvf: Regard vf reset nack as success intel/igbvf: free irq on the error path in igbvf_request_msix() iavf: fix non-tunneled IPv6 UDP packet type and hashing iavf: fix inverted Rx hash condition leading to disabled hash power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() Linux 5.4.239 selftests: Fix the executable permissions for fib_tests.sh BACKPORT: mac80211_hwsim: notify wmediumd of used MAC addresses FROMGIT: mac80211_hwsim: add concurrent channels scanning support over virtio Revert "HID: core: Provide new max_buffer_size attribute to over-ride the default" Revert "HID: uhid: Over-ride the default maximum data buffer value with our own" Linux 5.4.238 HID: uhid: Over-ride the default maximum data buffer value with our own HID: core: Provide new max_buffer_size attribute to over-ride the default PCI: Unify delay handling for reset and resume s390/ipl: add missing intersection check to ipl_report handling serial: 8250_em: Fix UART port type drm/i915: Don't use stolen memory for ring buffers with LLC x86/mm: Fix use of uninitialized buffer in sme_enable() fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks ftrace: Fix invalid address access in lookup_rec() when index is 0 KVM: nVMX: add missing consistency checks for CR0 and CR4 tracing: Make tracepoint lockdep check actually test something tracing: Check field value in hist_field_name() interconnect: fix mem leak when freeing nodes tty: serial: fsl_lpuart: skip waiting for transmission complete when UARTCTRL_SBK is asserted ext4: fix possible double unlock when moving a directory sh: intc: Avoid spurious sizeof-pointer-div warning drm/amdkfd: Fix an illegal memory access ext4: fix task hung in ext4_xattr_delete_inode ext4: fail ext4_iget if special inode unallocated jffs2: correct logic when creating a hole in jffs2_write_begin mmc: atmel-mci: fix race between stop command and start of next command media: m5mols: fix off-by-one loop termination error hwmon: (ina3221) return prober error code hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition hwmon: (adt7475) Fix masking of hysteresis registers hwmon: (adt7475) Display smoothing attributes in correct order ethernet: sun: add check for the mdesc_grab() net/iucv: Fix size of interrupt data net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull ipv4: Fix incorrect table ID in IOCTL path block: sunvdc: add check for mdesc_grab() returning NULL nvmet: avoid potential UAF in nvmet_req_complete() net: usb: smsc75xx: Limit packet length to skb->len nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails net: tunnels: annotate lockless accesses to dev->needed_headroom qed/qed_dev: guard against a possible division by zero i40e: Fix kernel crash during reboot when adapter is in recovery mode ipvlan: Make skb->skb_iif track skb->dev for l3s mode nfc: pn533: initialize struct pn533_out_arg properly tcp: tcp_make_synack() can be called from process context scsi: core: Fix a procfs host directory removal regression scsi: core: Fix a comment in function scsi_host_dev_release() netfilter: nft_redir: correct value of inet type `.maxattrs` ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU() ALSA: hda: Add Intel DG2 PCI ID and HDMI codec vid ALSA: hda: Add Alderlake-S PCI ID and HDMI codec vid ALSA: hda - controller is in GPU on the DG1 ALSA: hda - add Intel DG1 PCI and HDMI ids scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add() docs: Correct missing "d_" prefix for dentry_operations member d_weak_revalidate clk: HI655X: select REGMAP instead of depending on it drm/meson: fix 1px pink line on GXM when scaling video overlay cifs: Move the in_send statistic to __smb_send_rqst() drm/panfrost: Don't sync rpm suspension after mmu flushing xfrm: Allow transport-mode states with AF_UNSPEC selector ext4: fix cgroup writeback accounting with fs-layer encryption ANDROID: preserve CRC for __irq_domain_add() Revert "drm/exynos: Don't reset bridge->next" Revert "drm/bridge: Rename bridge helpers targeting a bridge chain" Revert "drm/bridge: Introduce drm_bridge_get_next_bridge()" Revert "drm: Initialize struct drm_crtc_state.no_vblank from device settings" Revert "drm/msm/mdp5: Add check for kzalloc" Linux 5.4.237 s390/dasd: add missing discipline function UML: define RUNTIME_DISCARD_EXIT sh: define RUNTIME_DISCARD_EXIT s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36 powerpc/vmlinux.lds: Don't discard .rela* for relocatable builds powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT arch: fix broken BuildID for arm64 and riscv x86, vmlinux.lds: Add RUNTIME_DISCARD_EXIT to generic DISCARDS drm/i915: Don't use BAR mappings for ring buffers with LLC ipmi:watchdog: Set panic count to proper value on a panic ipmi/watchdog: replace atomic_add() and atomic_sub() media: ov5640: Fix analogue gain control PCI: Add SolidRun vendor ID macintosh: windfarm: Use unsigned type for 1-bit bitfields alpha: fix R_ALPHA_LITERAL reloc for large modules MIPS: Fix a compilation issue ext4: Fix deadlock during directory rename riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode net/smc: fix fallback failed while sendmsg with fastopen scsi: megaraid_sas: Update max supported LD IDs to 240 btf: fix resolving BTF_KIND_VAR after ARRAY, STRUCT, UNION, PTR netfilter: tproxy: fix deadlock due to missing BH disable bnxt_en: Avoid order-5 memory allocation for TPA data net: caif: Fix use-after-free in cfusbl_device_notify() net: lan78xx: fix accessing the LAN7800's internal phy specific registers from the MAC driver net: usb: lan78xx: Remove lots of set but unused 'ret' variables selftests: nft_nat: ensuring the listening side is up before starting the client ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register ext4: Fix possible corruption when moving a directory scsi: core: Remove the /proc/scsi/${proc_name} directory earlier cifs: Fix uninitialized memory read in smb3_qfs_tcon() SMB3: Backup intent flag missing from some more ops iommu/vt-d: Fix PASID directory pointer coherency irqdomain: Fix domain registration race irqdomain: Change the type of 'size' in __irq_domain_add() to be consistent ipmi:ssif: Add a timer between request retries ipmi:ssif: Increase the message retry time ipmi:ssif: Remove rtc_us_timer ipmi:ssif: resend_msg() cannot fail ipmi:ssif: make ssif_i2c_send() void iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter iommu/amd: Fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options iommu/amd: Add PCI segment support for ivrs_[ioapic/hpet/acpihid] commands nfc: change order inside nfc_se_io error path ext4: zero i_disksize when initializing the bootloader inode ext4: fix WARNING in ext4_update_inline_data ext4: move where set the MAY_INLINE_DATA flag is set ext4: fix another off-by-one fsmap error on 1k block filesystems ext4: fix RENAME_WHITEOUT handling for inline directories drm/connector: print max_requested_bpc in state debugfs x86/CPU/AMD: Disable XSAVES on AMD family 0x17 fs: prevent out-of-bounds array speculation when closing a file descriptor Linux 5.4.236 staging: rtl8192e: Remove call_usermodehelper starting RadioPower.sh staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling a script wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Linux 5.4.235 dt-bindings: rtc: sun6i-a31-rtc: Loosen the requirements on the clocks media: uvcvideo: Fix race condition with usb_kill_urb media: uvcvideo: Provide sync and async uvc_ctrl_status_event tcp: Fix listen() regression in 5.4.229. Bluetooth: hci_sock: purge socket queues in the destruct() callback x86/resctl: fix scheduler confusion with 'current' x86/resctrl: Apply READ_ONCE/WRITE_ONCE to task_struct.{rmid,closid} net: tls: avoid hanging tasks on the tx_lock phy: rockchip-typec: Fix unsigned comparison with less than zero PCI: Add ACS quirk for Wangxun NICs kernel/fail_function: fix memory leak with using debugfs_lookup() usb: uvc: Enumerate valid values for color matching USB: ene_usb6250: Allocate enough memory for full object usb: host: xhci: mvebu: Iterate over array indexes instead of using pointer math iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_config_word() iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word() tools/iio/iio_utils:fix memory leak mei: bus-fixup:upon error print return values of send and receive tty: serial: fsl_lpuart: disable the CTS when send break signal tty: fix out-of-bounds access in tty_driver_lookup_tty() staging: emxx_udc: Add checks for dma_alloc_coherent() media: uvcvideo: Silence memcpy() run-time false positive warnings media: uvcvideo: Quirk for autosuspend in Logitech B910 and C910 media: uvcvideo: Handle errors from calls to usb_string media: uvcvideo: Handle cameras with invalid descriptors mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3 tracing: Add NULL checks for buffer in ring_buffer_free_read_page() thermal: intel: BXT_PMIC: select REGMAP instead of depending on it thermal: intel: quark_dts: fix error pointer dereference scsi: ipr: Work around fortify-string warning rtc: sun6i: Always export the internal oscillator rtc: sun6i: Make external 32k oscillator optional vc_screen: modify vcs_size() handling in vcs_read() tcp: tcp_check_req() can be called from process context ARM: dts: spear320-hmi: correct STMPE GPIO compatible net/sched: act_sample: fix action bind logic nfc: fix memory leak of se_io context in nfc_genl_se_io net/mlx5: Geneve, Fix handling of Geneve object id as error code 9p/rdma: unmap receive dma buffer in rdma_request()/post_recv() 9p/xen: fix connection sequence 9p/xen: fix version parsing net: fix __dev_kfree_skb_any() vs drop monitor sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop ipv6: Add lwtunnel encap size of all siblings in nexthop calculation netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack() watchdog: pcwd_usb: Fix attempting to access uninitialized memory watchdog: Fix kmemleak in watchdog_cdev_register watchdog: at91sam9_wdt: use devm_request_irq to avoid missing free_irq() in error path x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() ubifs: ubifs_writepage: Mark page dirty after writing inode failed ubifs: dirty_cow_znode: Fix memleak in error handling path ubifs: Re-statistic cleaned znode count if commit failed ubi: Fix possible null-ptr-deref in ubi_free_volume() ubifs: Fix memory leak in alloc_wbufs() ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume() ubi: Fix use-after-free when volume resizing failed ubifs: Reserve one leb for each journal head while doing budget ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 ubifs: Fix wrong dirty space budget for dirty inode ubifs: Rectify space budget for ubifs_xrename() ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted ubifs: Fix build errors as symbol undefined ubi: ensure that VID header offset + VID header size <= alloc, size um: vector: Fix memory leak in vector_config fs: f2fs: initialize fsdata in pagecache_write() f2fs: use memcpy_{to,from}_page() where possible pwm: stm32-lp: fix the check on arr and cmp registers update pwm: sifive: Always let the first pwm_apply_state succeed pwm: sifive: Reduce time the controller lock is held fs/jfs: fix shift exponent db_agl2size negative net/sched: Retire tcindex classifier kbuild: Port silent mode detection to future gnu make. wifi: ath9k: use proper statements in conditionals drm/radeon: Fix eDP for single-display iMac11,2 drm/i915/quirks: Add inverted backlight quirk for HP 14-r206nv PCI: Avoid FLR for AMD FCH AHCI adapters PCI: hotplug: Allow marking devices as disconnected during bind/unbind PCI/PM: Observe reset delay irrespective of bridge_d3 scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() scsi: ses: Fix possible desc_ptr out-of-bounds accesses scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() scsi: ses: Don't attach if enclosure has no components scsi: qla2xxx: Fix erroneous link down scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests scsi: qla2xxx: Fix link failure in NPIV environment ktest.pl: Add RUN_TIMEOUT option with default unlimited ktest.pl: Fix missing "end_monitor" when machine check fails ktest.pl: Give back console on Ctrt^C on monitor mm/thp: check and bail out if page in deferred queue already mm: memcontrol: deprecate charge moving media: ipu3-cio2: Fix PM runtime usage_count in driver unbind mips: fix syscall_get_nr alpha: fix FEN fault handling rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails ARM: dts: exynos: correct TMU phandle in Odroid XU ARM: dts: exynos: correct TMU phandle in Exynos4 dm flakey: don't corrupt the zero page dm flakey: fix logic when corrupting a bio thermal: intel: powerclamp: Fix cur_state for multi package system wifi: cfg80211: Fix use after free for wext wifi: rtl8xxxu: Use a longer retry limit of 48 ext4: refuse to create ea block when umounted ext4: optimize ea_inode block expansion ALSA: hda/realtek: Add quirk for HP EliteDesk 800 G6 Tower PC ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls() irqdomain: Drop bogus fwspec-mapping error handling irqdomain: Fix disassociation race irqdomain: Fix association race ima: Align ima_file_mmap() parameters with mmap_file LSM hook Documentation/hw-vuln: Document the interaction between IBRS and STIBP x86/speculation: Allow enabling STIBP with legacy IBRS x86/microcode/AMD: Fix mixed steppings support x86/microcode/AMD: Add a @cpu parameter to the reloading functions x86/microcode/amd: Remove load_microcode_amd()'s bsp parameter x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range x86/kprobes: Fix __recover_optprobed_insn check optimizing logic x86/reboot: Disable SVM, not just VMX, when stopping CPUs x86/reboot: Disable virtualization in an emergency if SVM is supported x86/crash: Disable virt in core NMI crash handler to avoid double shootdown x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) KVM: s390: disable migration mode when dirty tracking is disabled KVM: Destroy target device if coalesced MMIO unregistration fails udf: Fix file corruption when appending just after end of preallocated extent udf: Detect system inodes linked into directory hierarchy udf: Preserve link count of system files udf: Do not update file length for failed writes to inline files udf: Do not bother merging very long extents udf: Truncate added extents on failed expansion ocfs2: fix non-auto defrag path not working issue ocfs2: fix defrag path triggering jbd2 ASSERT f2fs: fix cgroup writeback accounting with fs-layer encryption f2fs: fix information leak in f2fs_move_inline_dirents() fs: hfsplus: fix UAF issue in hfsplus_put_super hfs: fix missing hfs_bnode_get() in __hfs_bnode_create ARM: dts: exynos: correct HDMI phy compatible in Exynos4 s390/kprobes: fix current_kprobe never cleared after kprobes reenter s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler s390: discard .interp section ipmi_ssif: Rename idle state and check rtc: pm8xxx: fix set-alarm race firmware: coreboot: framebuffer: Ignore reserved pixel color bits wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu nfsd: zero out pointers after putting nfsd_files on COPY setup error dm cache: add cond_resched() to various workqueue loops dm thin: add cond_resched() to various workqueue loops drm: panel-orientation-quirks: Add quirk for Lenovo IdeaPad Duet 3 10IGL5 pinctrl: at91: use devm_kasprintf() to avoid potential leaks hwmon: (coretemp) Simplify platform device handling regulator: s5m8767: Bounds check id indexing into arrays regulator: max77802: Bounds check regulator id against opmode ASoC: kirkwood: Iterate over array indexes instead of using pointer math docs/scripts/gdb: add necessary make scripts_gdb step drm/msm/dsi: Add missing check for alloc_ordered_workqueue drm/radeon: free iio for atombios when driver shutdown HID: Add Mapping for System Microphone Mute drm/omap: dsi: Fix excessive stack usage drm/amd/display: Fix potential null-deref in dm_resume uaccess: Add minimum bounds check on kernel buffer size coda: Avoid partial allocation of sig_inputArgs net/mlx5: fw_tracer: Fix debug print ACPI: video: Fix Lenovo Ideapad Z570 DMI match wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup m68k: Check syscall_trace_enter() return code net: bcmgenet: Add a check for oversized packets ACPI: Don't build ACPICA with '-Os' ice: add missing checks for PF vsi type inet: fix fast path in __inet_hash_connect() wifi: mt7601u: fix an integer underflow wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds x86/bugs: Reset speculation control settings on init timers: Prevent union confusion from unexpected restart_syscall() thermal: intel: Fix unsigned comparison with less than zero rcu: Suppress smp_processor_id() complaint in synchronize_rcu_expedited_wait() wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() blk-iocost: fix divide by 0 error in calc_lcoefs() ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy udf: Define EFSCORRUPTED error code rpmsg: glink: Avoid infinite loop on intent for missing channel media: usb: siano: Fix use after free bugs caused by do_submit_urb media: i2c: ov7670: 0 instead of -EINVAL was returned media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() media: i2c: ov772x: Fix memleak in ov772x_probe() media: ov5675: Fix memleak in ov5675_init_controls() powerpc: Remove linker flag from KBUILD_AFLAGS media: platform: ti: Add missing check for devm_regulator_get remoteproc: qcom_q6v5_mss: Use a carveout to authenticate modem headers MIPS: vpe-mt: drop physical_memsize MIPS: SMP-CPS: fix build error when HOTPLUG_CPU not set powerpc/eeh: Set channel state after notifying the drivers powerpc/eeh: Small refactor of eeh_handle_normal_event() powerpc/rtas: ensure 4KB alignment for rtas_data_buf powerpc/rtas: make all exports GPL powerpc/pseries/lparcfg: add missing RTAS retry status handling powerpc/pseries/lpar: add missing RTAS retry status handling clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled() powerpc/powernv/ioda: Skip unallocated resources when mapping to PE clk: qcom: gpucc-sdm845: fix clk_dis_wait being programmed for CX GDSC Input: ads7846 - don't check penirq immediately for 7845 Input: ads7846 - don't report pressure for ads7845 clk: renesas: cpg-mssr: Remove superfluous check in resume code clk: renesas: cpg-mssr: Use enum clk_reg_layout instead of a boolean flag clk: renesas: cpg-mssr: Fix use after free if cpg_mssr_common_init() failed mtd: rawnand: sunxi: Fix the size of the last OOB region clk: qcom: gcc-qcs404: fix names of the DSI clocks used as parents clk: qcom: gcc-qcs404: disable gpll[04]_out_aux parents mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read() selftests/ftrace: Fix bash specific "==" operator sparc: allow PM configs for sparc32 COMPILE_TEST perf tools: Fix auto-complete on aarch64 perf llvm: Fix inadvertent file creation gfs2: jdata writepage fix cifs: Fix warning and UAF when destroy the MR list cifs: Fix lost destroy smbd connection when MR allocate failed nfsd: fix race to check ls_layouts hid: bigben_probe(): validate report count HID: asus: Fix mute and touchpad-toggle keys on Medion Akoya E1239T HID: asus: Add support for multi-touch touchpad on Medion Akoya E1239T HID: asus: Add report_size to struct asus_touchpad_info HID: asus: Only set EV_REP if we are adding a mapping HID: bigben: use spinlock to safely schedule workers HID: bigben_worker() remove unneeded check on report_field HID: bigben: use spinlock to protect concurrent accesses ASoC: soc-dapm.h: fixup warning struct snd_pcm_substream not declared ASoC: dapm: declare missing structure prototypes spi: synquacer: Fix timeout handling in synquacer_spi_transfer_one() dm: remove flush_scheduled_work() during local_exit() hwmon: (mlxreg-fan) Return zero speed for broken fan spi: bcm63xx-hsspi: Fix multi-bit mode setting spi: bcm63xx-hsspi: fix pm_runtime scsi: aic94xx: Add missing check for dma_map_single() hwmon: (ltc2945) Handle error case in ltc2945_value_store gpio: vf610: connect GPIO label to dev name ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress() drm/mediatek: Clean dangling pointer on bind error path drm/mediatek: Drop unbalanced obj unref drm/mediatek: Use NULL instead of 0 for NULL pointer drm/mediatek: remove cast to pointers passed to kfree gpu: host1x: Don't skip assigning syncpoints to channels drm/msm/mdp5: Add check for kzalloc drm: Initialize struct drm_crtc_state.no_vblank from device settings drm/bridge: Introduce drm_bridge_get_next_bridge() drm/bridge: Rename bridge helpers targeting a bridge chain drm/exynos: Don't reset bridge->next drm/msm/dpu: Add check for pstates drm/msm/dpu: Add check for cstate drm/msm: use strscpy instead of strncpy drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness ALSA: hda/ca0132: minor fix for allocation size ASoC: fsl_sai: initialize is_dsp_mode flag pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain drm/msm/hdmi: Add missing check for alloc_ordered_workqueue gpu: ipu-v3: common: Add of_node_put() for reference returned by of_graph_get_port_by_id() drm/vc4: dpi: Fix format mapping for RGB565 drm/vc4: dpi: Add option for inverting pixel clock and output enable drm/bridge: megachips: Fix error handling in i2c_register_driver() drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC drm/fourcc: Add missing big-endian XRGB1555 and RGB565 formats selftest: fib_tests: Always cleanup before exit selftests/net: Interpret UDP_GRO cmsg data as an int value irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts irqchip/irq-brcmstb-l2: Set IRQ_LEVEL for level triggered interrupts can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of a bus error thermal/drivers/hisi: Drop second sensor hi3660 wifi: mac80211: make rate u32 in sta_set_rate_info_rx() crypto: crypto4xx - Call dma_unmap_page when done wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize() wifi: iwl4965: Add missing check for create_singlethread_workqueue() wifi: iwl3945: Add missing check for create_singlethread_workqueue treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD() usb: gadget: udc: Avoid tasklet passing a global RISC-V: time: initialize hrtimer based broadcast clock event device m68k: /proc/hardware should depend on PROC_FS crypto: rsa-pkcs1pad - Use akcipher_request_complete rds: rds_rm_zerocopy_callback() correct order for list_add_tail() libbpf: Fix alen calculation in libbpf_nla_dump_errormsg() Bluetooth: L2CAP: Fix potential user-after-free OPP: fix error checking in opp_migrate_dentry() tap: tap_open(): correctly initialize socket uid tun: tun_chr_open(): correctly initialize socket uid net: add sock_init_data_uid() mptcp: add sk_stop_timer_sync helper irqchip/ti-sci: Fix refcount leak in ti_sci_intr_irq_domain_probe irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains net/mlx5: Enhance debug print in page allocation failure powercap: fix possible name leak in powercap_register_zone() crypto: seqiv - Handle EBUSY correctly crypto: essiv - Handle EBUSY correctly crypto: essiv - remove redundant null pointer check before kfree crypto: ccp - Failure on re-initialization due to duplicate sysfs filename ACPI: battery: Fix missing NUL-termination with large strings wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback() wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails ath9k: htc: clean up statistics macros ath9k: hif_usb: simplify if-if to if-else wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function wifi: orinoco: check return value of hermes_write_wordrec() ACPICA: nsrepair: handle cases without a return value correctly lib/mpi: Fix buffer overrun when SG is too long genirq: Fix the return type of kstat_cpu_irqs_sum() ACPICA: Drop port I/O validation for some regions crypto: x86/ghash - fix unaligned access in ghash_setkey() wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave() wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave() wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave() wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave() wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave() wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit() wifi: wilc1000: fix potential memory leak in wilc_mac_xmit() wilc1000: let wilc_mac_xmit() return NETDEV_TX_OK wifi: ipw2200: fix memory leak in ipw_wdev_init() wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave() ipw2x00: switch from 'pci_' to 'dma_' API wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit() rtlwifi: fix -Wpointer-sign warning wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave() wifi: libertas: fix memory leak in lbs_init_adapter() wifi: iwlegacy: common: don't call dev_kfree_skb() under spin_lock_irqsave() net/wireless: Delete unnecessary checks before the macro call “dev_kfree_skb” wifi: rsi: Fix memory leak in rsi_coex_attach() block: bio-integrity: Copy flags when bio_integrity_payload is cloned sched/rt: pick_next_rt_entity(): check list_entry sched/deadline,rt: Remove unused parameter from pick_next_[rt|dl]_entity() s390/dasd: Fix potential memleak in dasd_eckd_init() s390/dasd: Prepare for additional path event handling blk-mq: correct stale comment of .get_budget blk-mq: wait on correct sbitmap_queue in blk_mq_mark_tag_wait blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx block: Limit number of items taken from the I/O scheduler in one go Revert "scsi: core: run queue if SCSI device queue isn't ready and queue is idle" arm64: dts: mediatek: mt7622: Add missing pwm-cells to pwm node ARM: dts: imx7s: correct iomuxc gpr mux controller cells arm64: dts: amlogic: meson-gxl-s905d-phicomm-n1: fix led node name arm64: dts: amlogic: meson-gxl: add missing unit address to eth-phy-mux node name arm64: dts: amlogic: meson-gx: add missing unit address to rng node name arm64: dts: amlogic: meson-gx: add missing SCPI sensors compatible arm64: dts: amlogic: meson-axg: fix SCPI clock dvfs node name arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name ARM: imx: Call ida_simple_remove() for ida_simple_get ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato ARM: OMAP1: call platform_device_put() in error case in omap1_dm_timer_init() arm64: dts: meson: remove CPU opps below 1GHz for G12A boards arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address arm64: dts: meson-g12a: Fix internal Ethernet PHY unit name arm64: dts: meson-gx: Fix Ethernet MAC address unit name ARM: zynq: Fix refcount leak in zynq_early_slcr_init arm64: dts: qcom: qcs404: use symbol names for PCIe resets ARM: OMAP2+: Fix memory leak in realtime_counter_init() HID: asus: use spinlock to safely schedule workers HID: asus: use spinlock to protect concurrent accesses HID: asus: Remove check for same LED brightness on set Linux 5.4.234 USB: core: Don't hold device lock while reading the "descriptors" sysfs file USB: serial: option: add support for VW/Skoda "Carstick LTE" dmaengine: sh: rcar-dmac: Check for error num after dma_set_max_seg_size vc_screen: don't clobber return value in vcs_read net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues(). bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state HID: core: Fix deadloop in hid_apply_multiplier. neigh: make sure used and confirmed times are valid IB/hfi1: Assign npages earlier btrfs: send: limit number of clones and allocated memory size ACPI: NFIT: fix a potential deadlock during NFIT teardown ARM: dts: rockchip: add power-domains property to dp node on rk3288 arm64: dts: rockchip: drop unused LED mode property from rk3328-roc-cc Conflicts: Documentation/devicetree/bindings/rtc/allwinner,sun6i-a31-rtc.yaml Documentation/devicetree/bindings~HEAD arch/arm/mm/dma-mapping.c drivers/clk/qcom/gcc-qcs404.c drivers/iommu/dma-iommu.c drivers/mtd/ubi/wl.c kernel/dma/direct.c Change-Id: I804ccb5552f305c49ec17b323c6c933cc99e6d39 |
||
|
Carlos Llamas
|
6c88024cab |
binder: fix UAF caused by faulty buffer cleanup
commit bdc1c5fac982845a58d28690cdb56db8c88a530d upstream.
In binder_transaction_buffer_release() the 'failed_at' offset indicates
the number of objects to clean up. However, this function was changed by
commit
|
||
|
Carlos Llamas
|
6d5e0c7837 |
FROMLIST: binder: fix UAF caused by faulty buffer cleanup
In binder_transaction_buffer_release() the 'failed_at' offset indicates
the number of objects to clean up. However, this function was changed by
commit
|
||
Alessandro Astone
|
efe47fcee3 |
UPSTREAM: binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0
Some android userspace is sending BINDER_TYPE_FDA objects with
num_fds=0. Like the previous patch, this is reproducible when
playing a video.
Before commit 09184ae9b575 BINDER_TYPE_FDA objects with num_fds=0
were 'correctly handled', as in no fixup was performed.
After commit 09184ae9b575 we aggregate fixup and skip regions in
binder_ptr_fixup structs and distinguish between the two by using
the skip_size field: if it's 0, then it's a fixup, otherwise skip.
When processing BINDER_TYPE_FDA objects with num_fds=0 we add a
skip region of skip_size=0, and this causes issues because now
binder_do_deferred_txn_copies will think this was a fixup region.
To address that, return early from binder_translate_fd_array to
avoid adding an empty skip region.
Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data")
Acked-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Alessandro Astone <ales.astone@gmail.com>
Link: https://lore.kernel.org/r/20220415120015.52684-1-ales.astone@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 257685302
(cherry picked from commit ef38de9217a04c9077629a24652689d8fdb4c6c6)
Change-Id: I34fab41c0c1beee366a5df4724b263e4385ad13b
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Alessandro Astone
|
1278564d94 |
UPSTREAM: binder: Address corner cases in deferred copy and fixup
When handling BINDER_TYPE_FDA object we are pushing a parent fixup
with a certain skip_size but no scatter-gather copy object, since
the copy is handled standalone.
If BINDER_TYPE_FDA is the last children the scatter-gather copy
loop will never stop to skip it, thus we are left with an item in
the parent fixup list. This will trigger the BUG_ON().
This is reproducible in android when playing a video.
We receive a transaction that looks like this:
obj[0] BINDER_TYPE_PTR, parent
obj[1] BINDER_TYPE_PTR, child
obj[2] BINDER_TYPE_PTR, child
obj[3] BINDER_TYPE_FDA, child
Fixes: 09184ae9b575 ("binder: defer copies of pre-patched txn data")
Acked-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Alessandro Astone <ales.astone@gmail.com>
Link: https://lore.kernel.org/r/20220415120015.52684-2-ales.astone@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 257685302
(cherry picked from commit 2d1746e3fda0c3612143d7c06f8e1d1830c13e23)
Change-Id: I3963a98dfc48b01d7bb8166aaa90341818bf6416
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
Arnd Bergmann
|
aef21da590 |
UPSTREAM: binder: fix pointer cast warning
binder_uintptr_t is not the same as uintptr_t, so converting it into a
pointer requires a second cast:
drivers/android/binder.c: In function 'binder_translate_fd_array':
drivers/android/binder.c:2511:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
2511 | sender_ufda_base = (void __user *)sender_uparent->buffer + fda->parent_offset;
| ^
Fixes: 656e01f3ab54 ("binder: read pre-translated fds from sender buffer")
Acked-by: Todd Kjos <tkjos@google.com>
Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20211207122448.1185769-1-arnd@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 257685302
(cherry picked from commit 9a0a930fe2535a76ad70d3f43caeccf0d86a3009)
Change-Id: I1c9b86a90bcf2be81012e59e0c472869f551e61a
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
Todd Kjos
|
ce3d788a50 |
UPSTREAM: binder: defer copies of pre-patched txn data
BINDER_TYPE_PTR objects point to memory areas in the source process to be copied into the target buffer as part of a transaction. This implements a scatter- gather model where non-contiguous memory in a source process is "gathered" into a contiguous region in the target buffer. The data can include pointers that must be fixed up to correctly point to the copied data. To avoid making source process pointers visible to the target process, this patch defers the copy until the fixups are known and then copies and fixeups are done together. There is a special case of BINDER_TYPE_FDA which applies the fixup later in the target process context. In this case the user data is skipped (so no untranslated fds become visible to the target). Reviewed-by: Martijn Coenen <maco@android.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-5-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 137131904 Bug: 257685302 (cherry picked from commit 09184ae9b5756cc469db6fd1d1cfdcffbf627c2d) [cmllamas: fix trivial merge conflict] Change-Id: I6de75b192d1e3b2cc73c8d91077d97b608e8c5a9 Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Todd Kjos
|
72967f8752 |
UPSTREAM: binder: read pre-translated fds from sender buffer
This patch is to prepare for an up coming patch where we read pre-translated fds from the sender buffer and translate them before copying them to the target. It does not change run time. The patch adds two new parameters to binder_translate_fd_array() to hold the sender buffer and sender buffer parent. These parameters let us call copy_from_user() directly from the sender instead of using binder_alloc_copy_from_buffer() to copy from the target. Also the patch adds some new alignment checks. Previously the alignment checks would have been done in a different place, but this lets us print more useful error messages. Reviewed-by: Martijn Coenen <maco@android.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20211130185152.437403-4-tkjos@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 137131904 Bug: 257685302 (cherry picked from commit 656e01f3ab54afe71bed066996fc2640881e1220) Change-Id: Ib786020e49bd33e35aec88d43965f9d98021fa53 Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Todd Kjos
|
b007cadee6 |
UPSTREAM: binder: avoid potential data leakage when copying txn
Transactions are copied from the sender to the target
first and objects like BINDER_TYPE_PTR and BINDER_TYPE_FDA
are then fixed up. This means there is a short period where
the sender's version of these objects are visible to the
target prior to the fixups.
Instead of copying all of the data first, copy data only
after any needed fixups have been applied.
Fixes:
|
||
|
Li Li
|
d86fa67db0 |
FROMGIT: Binder: add TF_UPDATE_TXN to replace outdated txn
When the target process is busy, incoming oneway transactions are queued in the async_todo list. If the clients continue sending extra oneway transactions while the target process is frozen, this queue can become too large to accommodate new transactions. That's why binder driver introduced ONEWAY_SPAM_DETECTION to detect this situation. It's helpful to debug the async binder buffer exhausting issue, but the issue itself isn't solved directly. In real cases applications are designed to send oneway transactions repeatedly, delivering updated inforamtion to the target process. Typical examples are Wi-Fi signal strength and some real time sensor data. Even if the apps might only care about the lastet information, all outdated oneway transactions are still accumulated there until the frozen process is thawed later. For this kind of situations, there's no existing method to skip those outdated transactions and deliver the latest one only. This patch introduces a new transaction flag TF_UPDATE_TXN. To use it, use apps can set this new flag along with TF_ONE_WAY. When such an oneway transaction is to be queued into the async_todo list of a frozen process, binder driver will check if any previous pending transactions can be superseded by comparing their code, flags and target node. If such an outdated pending transaction is found, the latest transaction will supersede that outdated one. This effectively prevents the async binder buffer running out and saves unnecessary binder read workloads. Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Li Li <dualli@google.com> Link: https://lore.kernel.org/r/20220526220018.3334775-2-dualli@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 231624308 Test: manually check async binder buffer size of frozen apps Test: stress test with kernel 4.14/4.19/5.10/5.15 (cherry picked from commit 9864bb4801331daa48514face9d0f4861e4d485b git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next) Change-Id: I1c4bff1eda1ca15aaaad5bf696c8fc00be743176 |
||
Luca Stefani
|
b51c054d6d |
UPSTREAM: binder: Return EFAULT if we fail BINDER_ENABLE_ONEWAY_SPAM_DETECTION
All the other ioctl paths return EFAULT in case the
copy_from_user/copy_to_user call fails, make oneway spam detection
follow the same paradigm.
Fixes: a7dc1e6f99df ("binder: tell userspace to dump current backtrace when detected oneway spamming")
Acked-by: Todd Kjos <tkjos@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Luca Stefani <luca.stefani.ge1@gmail.com>
Link: https://lore.kernel.org/r/20210506193726.45118-1-luca.stefani.ge1@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ced081a436d21a7d34d4d42acb85058f9cf423f2)
Bug: 187129171
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: I7c5e6ec7108c42721de6c82f4c1e9ff3d4f0e88d
|
||
|
Hang Lu
|
edddeb1ad3 |
UPSTREAM: binder: tell userspace to dump current backtrace when detected oneway spamming
When async binder buffer got exhausted, some normal oneway transactions will also be discarded and may cause system or application failures. By that time, the binder debug information we dump may not be relevant to the root cause. And this issue is difficult to debug if without the backtrace of the thread sending spam. This change will send BR_ONEWAY_SPAM_SUSPECT to userspace when oneway spamming is detected, request to dump current backtrace. Oneway spamming will be reported only once when exceeding the threshold (target process dips below 80% of its oneway space, and current process is responsible for either more than 50 transactions, or more than 50% of the oneway space). And the detection will restart when the async buffer has returned to a healthy state. Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Hang Lu <hangl@codeaurora.org> Link: https://lore.kernel.org/r/1617961246-4502-3-git-send-email-hangl@codeaurora.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 181190340 Change-Id: Id3d2526099bc89f04d8ad3ad6e48141b2a8f2515 (cherry picked from commit a7dc1e6f99df59799ab0128d9c4e47bbeceb934d) Signed-off-by: Hang Lu <hangl@codeaurora.org> |