6b029aa535
308 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Carlos Llamas
|
012ab662e2 |
ANDROID: binder: fix pending prio state for early exit
When calling binder_do_set_priority() with the same policy and priority
values as the current task, we exit early since there is nothing to do.
However, the BINDER_PRIO_PENDING state might be set and in this case we
fail to update it. A subsequent call to binder_transaction_priority()
will then read an incorrect state and save the wrong priority. Fix this
by setting thread->prio_state to BINDER_PRIO_SET on our way out.
Bug: 199309216
Fixes: cac827f2619b ("ANDROID: binder: fix race in priority restore")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I21e906cf4b2ebee908af41fe101ecd458ae1991c
(cherry picked from commit 72193be6d4bd9ad29dacd998c14dff97f7a6c6c9)
|
||
|
Carlos Llamas
|
da97a10882 |
ANDROID: binder: fix race in priority restore
During a reply, the target gets woken up and then the priority of the replier is restored. The order is such to allow the target to process the reply ASAP. Otherwise, we risk the sender getting scheduled out before the wakeup happens. This strategy reduces transaction latency. However, a subsequent transaction from the same target could be started before the priority of the replier gets restored. At this point we save the wrong priority and it gets reinstated at the end of the transaction. This patch allows the incoming transaction to detect the race condition and save the correct next priority. Additionally, the replier will abort its pending priority restore which allows the new transaction to always run at the desired priority. Bug: 148101660 Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: I6fec41ae1a1342023f78212ab1f984e26f068221 (cherry picked from commit cac827f2619b280d418e546a09f25da600dafe5a) [cmllamas: fixed trivial merge conflict] |
||
|
Carlos Llamas
|
308230b9d7 |
ANDROID: binder: switch task argument for binder_thread
Refactor binder priority functions to take in 'struct binder_thread *' instead of just 'struct task_struct *'. This allows access to other thread fields used in subsequent patches. In any case, the same task reference is still available under thread->task. There is no functional impact from this patch. Bug: 148101660 Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: I67b599884580d957d776500e467827e5035c99f6 (cherry picked from commit 759d98484b5b51932d3d11651fa83c6bb268ce03) |
||
|
Carlos Llamas
|
807b6742c9 |
ANDROID: binder: pass desired priority by reference
Avoid making unnecessary stack copies of struct binder_priority and pass the argument by reference instead. Rename 'desired_prio' to 'desired' to match the usage in other priority functions. There is no functional impact from this patch. Bug: 148101660 Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: I66ff5305296e7b9dba56ed265236f2af518f66e0 (cherry picked from commit 52d85f8a16467ce0bca374f885de24918f017371) [cmllamas: fixed minor merge conflict] |
||
|
Carlos Llamas
|
88c3fd6461 |
ANDROID: binder: fold common setup of node_prio
The setup of node_prio is always the same, so just fold this logic into binder_transaction_priority() to avoid duplication. Let's pass the node reference instead, which also gives access to node->inherit_rt. There is no functional impact from this patch. Bug: 148101660 Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: Ib390204556e69c4bc8492cd9cd873773f9cdce42 (cherry picked from commit 498bf715b77c68e54d0289fa66e3f112278f87dc) [cmllamas: fixed minor merge conflicts] |
||
|
Carlos Llamas
|
458b37a82d |
FROMLIST: binder: fix UAF of ref->proc caused by race condition
A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed reference unhandled. The transaction then ends and the target proc gets released making the ref->proc now a dangling pointer. Later on, ref->node is closed and we attempt to take spin_lock(&ref->proc->inner_lock), which leads to the use-after-free bug reported below. Let's fix this by cleaning up the failed reference on the spot instead of relying on the target to do so. ================================================================== BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150 Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590 CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: dump_backtrace.part.0+0x1d0/0x1e0 show_stack+0x18/0x70 dump_stack_lvl+0x68/0x84 print_report+0x2e4/0x61c kasan_report+0xa4/0x110 kasan_check_range+0xfc/0x1a4 __kasan_check_write+0x3c/0x50 _raw_spin_lock+0xa8/0x150 binder_deferred_func+0x5e0/0x9b0 process_one_work+0x38c/0x5f0 worker_thread+0x9c/0x694 kthread+0x188/0x190 ret_from_fork+0x10/0x20 Signed-off-by: Carlos Llamas <cmllamas@google.com> Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org> Bug: 239630375 Link: https://lore.kernel.org/all/20220801182511.3371447-1-cmllamas@google.com/ Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: I5085dd0dc805a780a64c057e5819f82dd8f02868 (cherry picked from commit ae3fa5d16a02ba7c7b170e0e1ab56d6f0ba33964) |
||
Greg Kroah-Hartman
|
82b6e1787f |
Merge branch 'android11-5.4' into 'android11-5.4-lts'
Sync up with android11-5.4 for the following commits: |
||
Todd Kjos
|
7aedba616c |
UPSTREAM: binder: fix async_free_space accounting for empty parcels
commit cfd0d84ba28c18b531648c9d4a35ecca89ad9901 upstream. In 4.13, commit |
||
|
Greg Kroah-Hartman
|
b3174205cf |
This is the 5.4.174 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmHyVbEACgkQONu9yGCS aT6r6BAA13mGwb3g/n6W1539J2McTd3Wq7HhkvGnOQmJAHJKLzp51QYAXgLbRLCM gUOCPXh6o2gt3+lFrhFy0TE9F1VQY7Igyb2RziF9mdAcvEqcBXL11n6kZHGxx0TO rOpv/SoWMd/QrKC7Ytf5zgH+81dGYWr1L1Ge9g7KWmCev15zAvJQ4mQv6a8CQhCD pUZRBvFx8AGS6q/s9ZPZfvVBcHJDNF89/mkkWNzFgIOcXJh/01JdqNK635stUXu4 +hQYUpG2gj9X2i+e0bc2i95pql7M5OAdX3TBlMeiEjKkyXJuyWTCXSO332QLTeaP xF8Z6JQ0n4W4GI9AgQCWwOaDahtlh6rmpVj+iekeYOMMB6Y5zAoFOIu1DTBEwDK6 F+s5KGfV8t5zkWY6iFOUwHTsjeNc4qqX8B6Br3Yjo7HHBxiggNDD5k4IYe0wAvJL NzOTjdvVbG+qRmhGMQMOpLhDJaHVEJCaXCmv1G97AceaL/RcenUZkn3pQZbn5O7u iMFV620WB0tYyfsiWaQrC7HgVZRyoUYBcxuxdm/g8NqYAPM61HOBKQbyaG9jClyf dq+lnvipJzUmeTsrzkd0NON24HS53hYBZPQjxp7xuoFooBUQjd5iYJvPzeLUm2+g /PlDC4B48pZa3zm8z2amyxf7leaxZUqc2d/J8wSGM/lvaJ3BV7M= =eMMF -----END PGP SIGNATURE----- Merge 5.4.174 into android11-5.4-lts Changes in 5.4.174 HID: uhid: Fix worker destroying device without any protection HID: wacom: Reset expected and received contact counts at the same time HID: wacom: Ignore the confidence flag when a touch is removed HID: wacom: Avoid using stale array indicies to read contact count f2fs: fix to do sanity check in is_alive() nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6 x86/gpu: Reserve stolen memory for first integrated Intel GPU tools/nolibc: x86-64: Fix startup code bug tools/nolibc: i386: fix initial stack alignment tools/nolibc: fix incorrect truncation of exit code rtc: cmos: take rtc_lock while reading from CMOS media: v4l2-ioctl.c: readbuffers depends on V4L2_CAP_READWRITE media: flexcop-usb: fix control-message timeouts media: mceusb: fix control-message timeouts media: em28xx: fix control-message timeouts media: cpia2: fix control-message timeouts media: s2255: fix control-message timeouts media: dib0700: fix undefined behavior in tuner shutdown media: redrat3: fix control-message timeouts media: pvrusb2: fix control-message timeouts media: stk1160: fix control-message timeouts can: softing_cs: softingcs_probe(): fix memleak on registration failure lkdtm: Fix content of section containing lkdtm_rodata_do_nothing() iommu/io-pgtable-arm-v7s: Add error handle for page table allocation failure dma_fence_array: Fix PENDING_ERROR leak in dma_fence_array_signaled() PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller mm_zone: add function to check if managed dma zone exists mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed pages shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode drm/rockchip: dsi: Hold pm-runtime across bind/unbind drm/rockchip: dsi: Reconfigure hardware on resume() drm/panel: kingdisplay-kd097d04: Delete panel on attach() failure drm/panel: innolux-p079zca: Delete panel on attach() failure drm/rockchip: dsi: Fix unbalanced clock on probe error Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails clk: bcm-2835: Pick the closest clock rate clk: bcm-2835: Remove rounding up the dividers wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND wcn36xx: Release DMA channel descriptor allocations media: videobuf2: Fix the size printk format media: aspeed: fix mode-detect always time out at 2nd run media: em28xx: fix memory leak in em28xx_init_dev media: aspeed: Update signal status immediately to ensure sane hw state arm64: dts: meson-gxbb-wetek: fix HDMI in early boot arm64: dts: meson-gxbb-wetek: fix missing GPIO binding Bluetooth: stop proccessing malicious adv data tee: fix put order in teedev_close_context() media: dmxdev: fix UAF when dvb_register_device() fails crypto: qce - fix uaf on qce_ahash_register_one arm64: dts: ti: k3-j721e: correct cache-sets info tty: serial: atmel: Check return code of dmaengine_submit() tty: serial: atmel: Call dma_async_issue_pending() media: rcar-csi2: Correct the selection of hsfreqrange media: imx-pxp: Initialize the spinlock prior to using it media: si470x-i2c: fix possible memory leak in si470x_i2c_probe() media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released media: venus: core: Fix a resource leak in the error handling path of 'venus_probe()' netfilter: bridge: add support for pppoe filtering arm64: dts: qcom: msm8916: fix MMC controller aliases ACPI: EC: Rework flushing of EC work while suspended to idle drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode() drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms() arm64: dts: ti: k3-j721e: Fix the L2 cache sets tty: serial: uartlite: allow 64 bit address serial: amba-pl011: do not request memory region twice floppy: Fix hang in watchdog when disk is ejected staging: rtl8192e: return error code from rtllib_softmac_init() staging: rtl8192e: rtllib_module: fix error handle case in alloc_rtllib() Bluetooth: btmtksdio: fix resume failure media: dib8000: Fix a memleak in dib8000_init() media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach() media: si2157: Fix "warm" tuner state detection sched/rt: Try to restart rt period timer when rt runtime exceeded rcu/exp: Mark current CPU as exp-QS in IPI loop second pass mwifiex: Fix possible ABBA deadlock xfrm: fix a small bug in xfrm_sa_len() crypto: stm32/cryp - fix xts and race condition in crypto_engine requests crypto: stm32/cryp - fix double pm exit crypto: stm32/cryp - fix lrw chaining mode ARM: dts: gemini: NAS4220-B: fis-index-block with 128 KiB sectors media: dw2102: Fix use after free media: msi001: fix possible null-ptr-deref in msi001_probe() media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes drm/msm/dpu: fix safe status debugfs file drm/bridge: ti-sn65dsi86: Set max register for regmap media: hantro: Fix probe func error path xfrm: interface with if_id 0 should return error xfrm: state and policy should fail if XFRMA_IF_ID 0 ARM: 9159/1: decompressor: Avoid UNPREDICTABLE NOP encoding usb: ftdi-elan: fix memory leak on device disconnect ARM: dts: armada-38x: Add generic compatible to UART nodes mmc: meson-mx-sdio: add IRQ check selinux: fix potential memleak in selinux_add_opt() bpftool: Enable line buffering for stdout x86/mce/inject: Avoid out-of-bounds write when setting flags ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region() pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region() netfilter: ipt_CLUSTERIP: fix refcount leak in clusterip_tg_check() bpf: Fix SO_RCVBUF/SO_SNDBUF handling in _bpf_setsockopt(). ppp: ensure minimum packet size in ppp_write() rocker: fix a sleeping in atomic bug staging: greybus: audio: Check null pointer fsl/fman: Check for null pointer after calling devm_ioremap Bluetooth: hci_bcm: Check for error irq HID: hid-uclogic-params: Invalid parameter check in uclogic_params_init HID: hid-uclogic-params: Invalid parameter check in uclogic_params_get_str_desc HID: hid-uclogic-params: Invalid parameter check in uclogic_params_huion_init HID: hid-uclogic-params: Invalid parameter check in uclogic_params_frame_init_v1_buttonpad debugfs: lockdown: Allow reading debugfs files that are not world readable net/mlx5e: Don't block routes with nexthop objects in SW Revert "net/mlx5e: Block offload of outer header csum for UDP tunnels" net/mlx5: Set command entry semaphore up once got index free spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe tpm: add request_locality before write TPM_INT_ENABLE can: softing: softing_startstop(): fix set but not used variable warning can: xilinx_can: xcan_probe(): check for error irq pcmcia: fix setting of kthread task states net: mcs7830: handle usb read errors properly ext4: avoid trim error on fs with small groups ALSA: jack: Add missing rwsem around snd_ctl_remove() calls ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls ALSA: hda: Add missing rwsem around snd_ctl_remove() calls RDMA/hns: Validate the pkey index clk: imx8mn: Fix imx8mn_clko1_sels powerpc/prom_init: Fix improper check of prom_getprop() ASoC: uniphier: drop selecting non-existing SND_SOC_UNIPHIER_AIO_DMA ALSA: oss: fix compile error when OSS_DEBUG is enabled char/mwave: Adjust io port register size binder: fix handling of error during copy iommu/io-pgtable-arm: Fix table descriptor paddr formatting scsi: ufs: Fix race conditions related to driver data PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity() powerpc/powermac: Add additional missing lockdep_register_key() RDMA/core: Let ib_find_gid() continue search even after empty entry RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty entry ASoC: rt5663: Handle device_property_read_u32_array error codes clk: stm32: Fix ltdc's clock turn off by clk_disable_unused() after system enter shell dmaengine: pxa/mmp: stop referencing config->slave_id iommu/iova: Fix race between FQ timeout and teardown phy: uniphier-usb3ss: fix unintended writing zeros to PHY register ASoC: mediatek: Check for error clk pointer ASoC: samsung: idma: Check of ioremap return value misc: lattice-ecp3-config: Fix task hung when firmware load failed mips: lantiq: add support for clk_set_parent() mips: bcm63xx: add support for clk_set_parent() RDMA/cxgb4: Set queue pair state when being queried of: base: Fix phandle argument length mismatch error message Bluetooth: Fix debugfs entry leak in hci_register_dev() fs: dlm: filter user dlm messages for kernel locks drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR ARM: shmobile: rcar-gen2: Add missing of_node_put() batman-adv: allow netlink usage in unprivileged containers usb: gadget: f_fs: Use stream_open() for endpoint files drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L HID: apple: Do not reset quirks when the Fn key is not found media: b2c2: Add missing check in flexcop_pci_isr: EDAC/synopsys: Use the quirk for version instead of ddr version mlxsw: pci: Add shutdown method in PCI driver drm/bridge: megachips: Ensure both bridges are probed before registration gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use HSI: core: Fix return freed object in hsi_new_client mwifiex: Fix skb_over_panic in mwifiex_usb_recv() rsi: Fix use-after-free in rsi_rx_done_handler() rsi: Fix out-of-bounds read in rsi_read_pkt() usb: uhci: add aspeed ast2600 uhci support floppy: Add max size check for user space request x86/mm: Flush global TLB when switching to trampoline page-table media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds. media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() media: m920x: don't use stack on USB reads iwlwifi: mvm: synchronize with FW after multicast commands ath10k: Fix tx hanging net-sysfs: update the queue counts in the unregistration path net: phy: prefer 1000baseT over 1000baseKX gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock x86/mce: Mark mce_panic() noinstr x86/mce: Mark mce_end() noinstr x86/mce: Mark mce_read_aux() noinstr net: bonding: debug: avoid printing debug logs when bond is not notifying peers bpf: Do not WARN in bpf_warn_invalid_xdp_action() HID: quirks: Allow inverting the absolute X/Y values media: igorplugusb: receiver overflow should be reported media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO audit: ensure userspace is penalized the same as the kernel when under pressure arm64: dts: ls1028a-qds: move rtc node to the correct i2c bus arm64: tegra: Adjust length of CCPLEX cluster MMIO region cpufreq: Fix initialization of min and max frequency QoS requests usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0 ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream iwlwifi: fix leaks/bad data after failed firmware load iwlwifi: remove module loading failure message iwlwifi: mvm: Fix calculation of frame length um: registers: Rename function names to avoid conflicts and build problems jffs2: GC deadlock reading a page that is used in jffs2_write_begin() ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions ACPICA: Utilities: Avoid deleting the same object twice in a row ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R() ACPICA: Fix wrong interpretation of PCC address ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 drm/amdgpu: fixup bad vram size on gmc v8 ACPI: battery: Add the ThinkPad "Not Charging" quirk btrfs: remove BUG_ON() in find_parent_nodes() btrfs: remove BUG_ON(!eie) in find_parent_nodes net: mdio: Demote probed message to debug print mac80211: allow non-standard VHT MCS-10/11 dm btree: add a defensive bounds check to insert_at() dm space map common: add bounds check to sm_ll_lookup_bitmap() net: phy: marvell: configure RGMII delays for 88E1118 net: gemini: allow any RGMII interface mode regulator: qcom_smd: Align probe function with rpmh-regulator serial: pl010: Drop CR register reset on set_termios serial: core: Keep mctrl register state and cached copy in sync random: do not throw away excess input to crng_fast_load parisc: Avoid calling faulthandler_disabled() twice powerpc/6xx: add missing of_node_put powerpc/powernv: add missing of_node_put powerpc/cell: add missing of_node_put powerpc/btext: add missing of_node_put powerpc/watchdog: Fix missed watchdog reset due to memory ordering race i2c: i801: Don't silently correct invalid transfer size powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING i2c: mpc: Correct I2C reset procedure clk: meson: gxbb: Fix the SDM_EN bit for MPLL0 on GXBB powerpc/powermac: Add missing lockdep_register_key() KVM: PPC: Book3S: Suppress failed alloc warning in H_COPY_TOFROM_GUEST w1: Misuse of get_user()/put_user() reported by sparse scsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanup ALSA: seq: Set upper limit of processed events powerpc: handle kdump appropriately with crash_kexec_post_notifiers option MIPS: OCTEON: add put_device() after of_find_device_by_node() i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters MIPS: Octeon: Fix build errors using clang scsi: sr: Don't use GFP_DMA ASoC: mediatek: mt8173: fix device_node leak power: bq25890: Enable continuous conversion for ADC at charging rpmsg: core: Clean up resources on announce_create failure. crypto: omap-aes - Fix broken pm_runtime_and_get() usage crypto: stm32/crc32 - Fix kernel BUG triggered in probe() crypto: caam - replace this_cpu_ptr with raw_cpu_ptr ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers fuse: Pass correct lend value to filemap_write_and_wait_range() serial: Fix incorrect rs485 polarity on uart open cputime, cpuacct: Include guest time in user time in cpuacct.stat tracing/kprobes: 'nmissed' not showed correctly for kretprobe iwlwifi: mvm: Increase the scan timeout guard to 30 seconds s390/mm: fix 2KB pgtable release race drm/etnaviv: limit submit sizes drm/nouveau/kms/nv04: use vzalloc for nv04_display drm/bridge: analogix_dp: Make PSR-exit block less PCI: pci-bridge-emul: Properly mark reserved PCIe bits in PCI config space PCI: pci-bridge-emul: Correctly set PCIe capabilities PCI: pci-bridge-emul: Set PCI_STATUS_CAP_LIST for PCIe device xfrm: fix policy lookup for ipv6 gre packets btrfs: fix deadlock between quota enable and other quota operations btrfs: check the root node for uptodate before returning it btrfs: respect the max size in the header when activating swap file ext4: make sure to reset inode lockdep class when quota enabling fails ext4: make sure quota gets properly shutdown on error ext4: set csum seed in tmp inode while migrating to extents ext4: Fix BUG_ON in ext4_bread when write quota data ext4: don't use the orphan list when migrating an inode drm/radeon: fix error handling in radeon_driver_open_kms of: base: Improve argument length mismatch error firmware: Update Kconfig help text for Google firmware media: rcar-csi2: Optimize the selection PHTW register Documentation: dmaengine: Correctly describe dmatest with channel unset Documentation: ACPI: Fix data node reference documentation Documentation: refer to config RANDOMIZE_BASE for kernel address-space randomization Documentation: fix firewire.rst ABI file path error scsi: core: Show SCMD_LAST in text form RDMA/hns: Modify the mapping attribute of doorbell to device RDMA/rxe: Fix a typo in opcode name dmaengine: stm32-mdma: fix STM32_MDMA_CTBR_TSEL_MASK Revert "net/mlx5: Add retry mechanism to the command entry index allocation" powerpc/cell: Fix clang -Wimplicit-fallthrough warning powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses bpftool: Remove inclusion of utilities.mak from Makefiles ipv4: avoid quadratic behavior in netns dismantle net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries f2fs: fix to reserve space for IO align feature af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress clk: si5341: Fix clock HW provider cleanup net: axienet: limit minimum TX ring size net: axienet: fix number of TX ring slots for available check net: axienet: increase default TX ring size to 128 rtc: pxa: fix null pointer dereference inet: frags: annotate races around fqdir->dead and fqdir->high_thresh netns: add schedule point in ops_exit_list() xfrm: Don't accidentally set RTO_ONLINK in decode_session4() gre: Don't accidentally set RTO_ONLINK in gre_fill_metadata_dst() libcxgb: Don't accidentally set RTO_ONLINK in cxgb_find_route() perf script: Fix hex dump character output dmaengine: at_xdmac: Don't start transactions at tx_submit level dmaengine: at_xdmac: Print debug message after realeasing the lock dmaengine: at_xdmac: Fix concurrency over xfers_list dmaengine: at_xdmac: Fix lld view setting dmaengine: at_xdmac: Fix at_xdmac_lld struct definition arm64: dts: qcom: msm8996: drop not documented adreno properties net_sched: restore "mpu xxx" handling bcmgenet: add WOL IRQ check net: ethernet: mtk_eth_soc: fix error checking in mtk_mac_config() dt-bindings: display: meson-dw-hdmi: add missing sound-name-prefix property dt-bindings: display: meson-vpu: Add missing amlogic,canvas property scripts/dtc: dtx_diff: remove broken example from help text lib82596: Fix IRQ check in sni_82596_probe lib/test_meminit: destroy cache in kmem_cache_alloc_bulk() test mtd: nand: bbt: Fix corner case in bad block table handling Revert "ia64: kprobes: Use generic kretprobe trampoline handler" Linux 5.4.174 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia656821e4377afa7ca279a6ed92195989be831b3 |
||
|
Todd Kjos
|
48fc8eebd1 |
binder: fix handling of error during copy
[ Upstream commit fe6b1869243f23a485a106c214bcfdc7aa0ed593 ]
If a memory copy function fails to copy the whole buffer,
a positive integar with the remaining bytes is returned.
In binder_translate_fd_array() this can result in an fd being
skipped due to the failed copy, but the loop continues
processing fds since the early return condition expects a
negative integer on error.
Fix by returning "ret > 0 ? -EINVAL : ret" to handle this case.
Fixes:
|
||
Hang Lu
|
a4e84758f0 |
UPSTREAM: binder: fix the missing BR_FROZEN_REPLY in binder_return_strings
Add BR_FROZEN_REPLY in binder_return_strings to support stat function.
Fixes: ae28c1be1e54 ("binder: BINDER_GET_FROZEN_INFO ioctl")
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Hang Lu <hangl@codeaurora.org>
Link: https://lore.kernel.org/r/1617961246-4502-2-git-send-email-hangl@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 005169157448ca41eff8716d79dc1b8f158229d2)
Bug: 187129171
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: I3b0f67ee9f3a747d9052b7a900f2239b0e4097f5
|
||
|
Greg Kroah-Hartman
|
ba4942c83d |
Merge tag 'android11-5.4.161_r00' into android11-5.4
This is the merge of the upstream LTS release of 5.4.1161 into the android11-5.4 branch. It contains the following commits: |
||
|
Greg Kroah-Hartman
|
7ada083540 |
This is the 5.4.170 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmHVgw8ACgkQONu9yGCS aT71vhAAgVauEQ0nyXBUsH7vqKS6tYdcjoOor8FdNYSfoZ7iY6MptIdtHMVA0MxZ 793CRZDc7cyNtNVhGIomSzLPI4Nb/U5g57xfGrIQZ9Yzv1vcDsC8iEU1GLELWVAO 1gX6oyVJMXQb4JrbGGdP3QPqLPa6ekZ07c3/Dt2p32e+yqm3JvrcaDqklR7qSzBi Nx6VWp2ZxbvDqmzhzzVX+wWoB1darxp1I08ZgPMqsAbn78MelxrOxp8asNVuJQip KusrhdA4xSrXHfzYj1oxSAWctA0mlHJVie+/x+DPDKDP7/zIop+58fEbSEPLcDHA d+19gkNuNR0CtmEPACm/DAPU/iKiuK1YhmfGvPWQHdQCGQxxMKAdS0sH7BqQ2NU6 c7QiRA0Q3JNc+D2TGO5e2u1D5jqsVnBRaEAOnrHwnX6Dx27I8vwIsSKF1Si6TCdU S7whO8n1r7are5Ahaak25qR83wIpn/2fL4Q0AzP7Ox9kue7ceDQ42RfPzNoYh3LS ITJxRbxZYsnOHjlDS4dc5Hih+WioclSALmYhzSbWsjepzyv0EVEup6vzBffY5A4k ENlXQOCV7jZdfZ+ZdMI+kR9cTGO1F7Le5UKp4H+a0qpY/MWIlUI1C7qWDp5YZTsi 2iYwzrOpKCgqrMBhAR2jHeqmqItkal1dsTvrh2Lwc+3FPYRjNoo= =Lkh+ -----END PGP SIGNATURE----- Merge 5.4.170 into android11-5.4-lts Changes in 5.4.170 HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option tee: handle lookup of shm with reference count 0 Input: i8042 - add deferred probe support Input: i8042 - enable deferred probe quirk for ASUS UM325UA tomoyo: Check exceeded quota early in tomoyo_domain_quota_is_ok(). platform/x86: apple-gmux: use resource_size() with res memblock: fix memblock_phys_alloc() section mismatch error recordmcount.pl: fix typo in s390 mcount regex selinux: initialize proto variable in selinux_ip_postroute_compat() scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources udp: using datalen to cap ipv6 udp max gso segments selftests: Calculate udpgso segment count without header adjustment sctp: use call_rcu to free endpoint net: usb: pegasus: Do not drop long Ethernet frames net: lantiq_xrx200: fix statistics of received bytes NFC: st21nfca: Fix memory leak in device probe and remove ionic: Initialize the 'lif->dbid_inuse' bitmap net/mlx5e: Fix wrong features assignment in case of error selftests/net: udpgso_bench_tx: fix dst ip argument net/ncsi: check for error return from call to nla_put_u32 fsl/fman: Fix missing put_device() call in fman_port_probe i2c: validate user data in compat ioctl nfc: uapi: use kernel size_t to fix user-space builds uapi: fix linux/nfc.h userspace compilation errors xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set. usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. usb: mtu3: add memory barrier before set GPD's HWO usb: mtu3: fix list_head check warning usb: mtu3: set interval of FS intr and isoc endpoint binder: fix async_free_space accounting for empty parcels scsi: vmw_pvscsi: Set residual data length conditionally Input: appletouch - initialize work before device registration Input: spaceball - fix parsing of movement data packets net: fix use-after-free in tw_timer_handler perf script: Fix CPU filtering of a script's switch events Linux 5.4.170 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ic66d754505081f001b420af0ee4c8da1edf5c27f |
||
|
Todd Kjos
|
103b16a8c5 |
binder: fix async_free_space accounting for empty parcels
commit cfd0d84ba28c18b531648c9d4a35ecca89ad9901 upstream. In 4.13, commit |
||
|
Greg Kroah-Hartman
|
a91f4fe26c |
This is the 5.4.165 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmG4oNgACgkQONu9yGCS
aT7/Rw//UdbaPGmrtR7mUi9mXH/BVcD/M5eIFqeKvMWrCSriSN+C5otRWomNNySh
NGTivPXmzVBKTub1TUPCNRrTFHWOn76VqLG1ecm4W6q9bxsKBsLrp2WuUdzLYi76
o+3+MurzbqVC10M26NQGXWY7pF+WOTtxn3SwJVQ4UR7YDzxdP2gRvRvTzam5DjzR
D2q6escg33v+IGCwVTUluTKzya7YJhtsSrlzZZhhxvP60sOwV4GT7rCHXr9mM33w
mvqoqftKMti6HUSaR1VvL+bclctCoYqedwcS/RsN9qv+e/wOMNFy/GsPmTzYh7E1
wWzjDS9/V4Oo47vFm237deKFSi6vXT7kQusb3uUTizca6N5xpwZNSzLGuJTdQkKP
7qZUMbx1e1f904P7mruWe+47Ktu1JCP6B4xo3yBNUTsmzngYqa2WA6pII+iEePtF
KF1P4eb5Roza3NhVO1eKj8dBU6ZqveObX4jIxupl6skJJyK4cT0oqAJRJCSj29Cw
TjJQOxLzp3Q/iOd+kdZQZU8Q9qxJIqEBRhoPOabTmQfV9tnNBFuPRlOj0SDyQguY
30WMLnFlPN/giMMXc7UKrJ3aX6sQSk4qYX4y75a6U+FKF4C52NiunUiIHk2BJljp
hytIooKlAAheR9bMJJJO9qelWWFuo9mhQuDb/p37oAqRAtv3MIg=
=5lsH
-----END PGP SIGNATURE-----
Merge 5.4.165 into android11-5.4-lts
Changes in 5.4.165
serial: tegra: Change lower tolerance baud rate limit for tegra20 and tegra30
ntfs: fix ntfs_test_inode and ntfs_init_locked_inode function type
HID: quirks: Add quirk for the Microsoft Surface 3 type-cover
HID: google: add eel USB id
HID: add hid_is_usb() function to make it simpler for USB detection
HID: add USB_HID dependancy to hid-prodikeys
HID: add USB_HID dependancy to hid-chicony
HID: add USB_HID dependancy on some USB HID drivers
HID: bigbenff: prevent null pointer dereference
HID: wacom: fix problems when device is not a valid USB device
HID: check for valid USB device for many HID drivers
can: kvaser_usb: get CAN clock frequency from device
can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct stats->{rx,tx}_errors counter
can: sja1000: fix use after free in ems_pcmcia_add_card()
nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
selftests: netfilter: add a vrf+conntrack testcase
vrf: don't run conntrack on vrf with !dflt qdisc
bpf: Fix the off-by-two error in range markings
ice: ignore dropped packets during init
bonding: make tx_rebalance_counter an atomic
nfp: Fix memory leak in nfp_cpp_area_cache_add()
seg6: fix the iif in the IPv6 socket control block
udp: using datalen to cap max gso segments
iavf: restore MSI state on reset
iavf: Fix reporting when setting descriptor count
IB/hfi1: Correct guard on eager buffer deallocation
mm: bdi: initialize bdi_min_ratio when bdi is unregistered
ALSA: ctl: Fix copy of updated id with element read/write
ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform
ALSA: pcm: oss: Fix negative period/buffer sizes
ALSA: pcm: oss: Limit the period size to 16MB
ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
btrfs: clear extent buffer uptodate when we fail to write it
btrfs: replace the BUG_ON in btrfs_del_root_ref with proper error handling
nfsd: Fix nsfd startup race (again)
tracefs: Have new files inherit the ownership of their parent
clk: qcom: regmap-mux: fix parent clock lookup
drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence.
can: pch_can: pch_can_rx_normal: fix use after free
can: m_can: Disable and ignore ELO interrupt
x86/sme: Explicitly map new EFI memmap table as encrypted
libata: add horkage for ASMedia 1092
wait: add wake_up_pollfree()
binder: use wake_up_pollfree()
signalfd: use wake_up_pollfree()
aio: keep poll requests on waitqueue until completed
aio: fix use-after-free due to missing POLLFREE handling
tracefs: Set all files to the same group ownership as the mount option
block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
qede: validate non LSO skb length
ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer
i40e: Fix failed opcode appearing if handling messages from VF
i40e: Fix pre-set max number of queues for VF
mtd: rawnand: fsmc: Take instruction delay into account
mtd: rawnand: fsmc: Fix timing computation
dt-bindings: net: Reintroduce PHY no lane swap binding
tools build: Remove needless libpython-version feature check that breaks test-all fast path
net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
net: altera: set a couple error code in probe()
net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
net, neigh: clear whole pneigh_entry at alloc time
net/qla3xxx: fix an error code in ql_adapter_up()
selftests/fib_tests: Rework fib_rp_filter_test()
USB: gadget: detect too-big endpoint 0 requests
USB: gadget: zero allocate endpoint 0 buffers
usb: core: config: fix validation of wMaxPacketValue entries
xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending
usb: core: config: using bit mask instead of individual bits
xhci: avoid race between disable slot command and host runtime suspend
iio: trigger: Fix reference counting
iio: trigger: stm32-timer: fix MODULE_ALIAS
iio: stk3310: Don't return error code in interrupt handler
iio: mma8452: Fix trigger reference couting
iio: ltr501: Don't return error code in trigger handler
iio: kxsd9: Don't return error code in trigger handler
iio: itg3200: Call iio_trigger_notify_done() on error
iio: dln2-adc: Fix lockdep complaint
iio: dln2: Check return value of devm_iio_trigger_register()
iio: at91-sama5d2: Fix incorrect sign extension
iio: adc: axp20x_adc: fix charging current reporting on AXP22x
iio: ad7768-1: Call iio_trigger_notify_done() on error
iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
irqchip: nvic: Fix offset for Interrupt Priority Offsets
misc: fastrpc: fix improper packet size calculation
bpf: Add selftests to cover packet access corner cases
Linux 5.4.165
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I756efb854dc947509cf712a292eab0bf72f32694
|
||
Eric Biggers
|
1a478a0522 |
binder: use wake_up_pollfree()
commit a880b28a71e39013e357fd3adccd1d8a31bc69a8 upstream.
wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll
and aio poll are fortunately not affected by this, but it's very
fragile. Thus, the new function wake_up_pollfree() has been introduced.
Convert binder to use wake_up_pollfree().
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes:
|
||
|
Eric Biggers
|
da5ecad710 |
UPSTREAM: binder: use wake_up_pollfree()
commit a880b28a71e39013e357fd3adccd1d8a31bc69a8 upstream.
wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll
and aio poll are fortunately not affected by this, but it's very
fragile. Thus, the new function wake_up_pollfree() has been introduced.
Convert binder to use wake_up_pollfree().
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes:
|
||
|
Greg Kroah-Hartman
|
b2d37d0916 |
Merge branch 'android11-5.4' into 'android11-5.4-lts'
Sync up with android11-5.4 for the following commits: |
||
|
Todd Kjos
|
aaa83768ba |
binder: fix test regression due to sender_euid change
commit c21a80ca0684ec2910344d72556c816cb8940c01 upstream.
This is a partial revert of commit
29bc22ac5e5b ("binder: use euid from cred instead of using task").
Setting sender_euid using proc->cred caused some Android system test
regressions that need further investigation. It is a partial
reversion because subsequent patches rely on proc->cred.
Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
Cc: stable@vger.kernel.org # 4.4+
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Li Li
|
ce664fbdcc |
BACKPORT: FROMGIT: binder: fix freeze race
Currently cgroup freezer is used to freeze the application threads, and
BINDER_FREEZE is used to freeze the corresponding binder interface.
There's already a mechanism in ioctl(BINDER_FREEZE) to wait for any
existing transactions to drain out before actually freezing the binder
interface.
But freezing an app requires 2 steps, freezing the binder interface with
ioctl(BINDER_FREEZE) and then freezing the application main threads with
cgroupfs. This is not an atomic operation. The following race issue
might happen.
1) Binder interface is frozen by ioctl(BINDER_FREEZE);
2) Main thread A initiates a new sync binder transaction to process B;
3) Main thread A is frozen by "echo 1 > cgroup.freeze";
4) The response from process B reaches the frozen thread, which will
unexpectedly fail.
This patch provides a mechanism to check if there's any new pending
transaction happening between ioctl(BINDER_FREEZE) and freezing the
main thread. If there's any, the main thread freezing operation can
be rolled back to finish the pending transaction.
Furthermore, the response might reach the binder driver before the
rollback actually happens. That will still cause failed transaction.
As the other process doesn't wait for another response of the response,
the response transaction failure can be fixed by treating the response
transaction like an oneway/async one, allowing it to reach the frozen
thread. And it will be consumed when the thread gets unfrozen later.
NOTE: This patch reuses the existing definition of struct
binder_frozen_status_info but expands the bit assignments of __u32
member sync_recv.
To ensure backward compatibility, bit 0 of sync_recv still indicates
there's an outstanding sync binder transaction. This patch adds new
information to bit 1 of sync_recv, indicating the binder transaction
happens exactly when there's a race.
If an existing userspace app runs on a new kernel, a sync binder call
will set bit 0 of sync_recv so ioctl(BINDER_GET_FROZEN_INFO) still
return the expected value (true). The app just doesn't check bit 1
intentionally so it doesn't have the ability to tell if there's a race.
This behavior is aligned with what happens on an old kernel which
doesn't set bit 1 at all.
A new userspace app can 1) check bit 0 to know if there's a sync binder
transaction happened when being frozen - same as before; and 2) check
bit 1 to know if that sync binder transaction happened exactly when
there's a race - a new information for rollback decision.
Fixes: 432ff1e91694 ("binder: BINDER_FREEZE ioctl")
Acked-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Li Li <dualli@google.com>
Test: stress test with apps being frozen and initiating binder calls at
the same time, confirmed the pending transactions succeeded.
Link: https://lore.kernel.org/r/20210910164210.2282716-2-dualli@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 198493121
(cherry picked from commit b564171ade70570b7f335fa8ed17adb28409e3ac
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-linus)
Change-Id: I488ba75056f18bb3094ba5007027b76b5caebec9
|
||
Marco Ballesio
|
b1232b020f |
FROMGIT: binder: BINDER_GET_FROZEN_INFO ioctl
User space needs to know if binder transactions occurred to frozen processes. Introduce a new BINDER_GET_FROZEN ioctl and keep track of transactions occurring to frozen proceses. Bug: 180989544 (cherry picked from commit c55019c24b22d6770bd8e2f12fbddf3f83d37547 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-testing) Signed-off-by: Marco Ballesio <balejs@google.com> Signed-off-by: Li Li <dualli@google.com> Acked-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20210316011630.1121213-4-dualli@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: Ie631f331ba4ca94a3bcdd43dec25fe9ba1306af2 |
||
|
Marco Ballesio
|
a02d0f685d |
FROMGIT: binder: use EINTR for interrupted wait for work
when interrupted by a signal, binder_wait_for_work currently returns -ERESTARTSYS. This error code isn't propagated to user space, but a way to handle interruption due to signals must be provided to code using this API. Replace this instance of -ERESTARTSYS with -EINTR, which is propagated to user space. Bug: 180989544 (cherry picked from commit 48f10b7ed0c23e2df7b2c752ad1d3559dad007f9 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-testing) Signed-off-by: Marco Ballesio <balejs@google.com> Signed-off-by: Li Li <dualli@google.com> Test: built, booted, interrupted a worker thread within Acked-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20210316011630.1121213-3-dualli@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: Ie6c7993cab699bc2c1a25a2f9d94b200a1156e5d |
||
|
Marco Ballesio
|
e658e9e4bc |
BACKPORT: FROMGIT: binder: BINDER_FREEZE ioctl
Frozen tasks can't process binder transactions, so a way is required to inform transmitting ends of communication failures due to the frozen state of their receiving counterparts. Additionally, races are possible between transitions to frozen state and binder transactions enqueued to a specific process. Implement BINDER_FREEZE ioctl for user space to inform the binder driver about the intention to freeze or unfreeze a process. When the ioctl is called, block the caller until any pending binder transactions toward the target process are flushed. Return an error to transactions to processes marked as frozen. Bug: 180989544 (cherry picked from commit 15949c3cdd97bccdcd45c0c0f6c31058520b6494 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-testing) Co-developed-by: Todd Kjos <tkjos@google.com> Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Marco Ballesio <balejs@google.com> Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Li Li <dualli@google.com> Link: https://lore.kernel.org/r/20210316011630.1121213-2-dualli@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: Ia1b5951cd99eeb98b59e06c3e27d59062dc725f6 |
||
|
Todd Kjos
|
50c9c8cb33 |
FROMGIT: binder: fix test regression due to sender_euid change
This is a partial revert of commit
29bc22ac5e5b ("binder: use euid from cred instead of using task").
Setting sender_euid using proc->cred caused some Android system test
regressions that need further investigation. It is a partial
reversion because subsequent patches rely on proc->cred.
Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
Cc: stable@vger.kernel.org # 4.4+
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 200688826
(cherry picked from commit c21a80ca0684ec2910344d72556c816cb8940c01
git: //git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-linus)
Signed-off-by: Todd Kjos <tkjos@google.com>
|
||
|
Todd Kjos
|
1c1f571840 |
BACKPORT: binder: use cred instead of task for getsecid
commit 4d5b5539742d2554591751b4248b0204d20dcc9d upstream.
Use the 'struct cred' saved at binder_open() to lookup
the security ID via security_cred_getsecid(). This
ensures that the security context that opened binder
is the one used to generate the secctx.
Cc: stable@vger.kernel.org # 5.4+
Fixes:
|
||
|
Todd Kjos
|
ea1a2391d5 |
BACKPORT: binder: use cred instead of task for selinux checks
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes:
|
||
|
Todd Kjos
|
1fe8a2bb64 |
BACKPORT: binder: use euid from cred instead of using task
Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.
Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context that
of the task that opened binder.
Cc: stable@vger.kernel.org # 4.4+
Fixes:
|
||
|
Todd Kjos
|
db39f49ee7 |
binder: use cred instead of task for getsecid
commit 4d5b5539742d2554591751b4248b0204d20dcc9d upstream.
Use the 'struct cred' saved at binder_open() to lookup
the security ID via security_cred_getsecid(). This
ensures that the security context that opened binder
is the one used to generate the secctx.
Cc: stable@vger.kernel.org # 5.4+
Fixes:
|
||
|
Todd Kjos
|
fc9c470cd5 |
binder: use cred instead of task for selinux checks
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes:
|
||
|
Todd Kjos
|
28a1e470b0 |
binder: use euid from cred instead of using task
commit 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b upstream.
Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.
Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context that
of the task that opened binder.
Cc: stable@vger.kernel.org # 4.4+
Fixes:
|
||
|
Greg Kroah-Hartman
|
f911d1ad48 |
This is the 5.4.159 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmGOb28ACgkQONu9yGCS aT6MJBAAogo8gsN6rTK00GgntvDQM2ztV2Rd+uE9/3MQ2JKiSC/XkKIlSMqgtQED z7zo1qQd5ZJ/ON/or6kRRrtRBN2MJMGsAmSk8A8ODG9SbtpVyEr6ttCZMu7uYrKb D5RMlSWtmlgEboLKgZZG9kuxYySlCB/bQQrbzwc6ZfsQGiiuYWedQsr3yDKN/JOi klPhfgV8F+k01zZmr5gMG/L5wGih2G+ENazZkhOSKevnQ6NZ+h2Z52B0oTjbjpt1 ZHFcSOyLvP/Mq4aqc0BkepwLmXqbWud16Obdn22q4ETl0qMQRRMg8kSGj4Jxiz2C 4S0uM8hAfNolCQFydWSLfPZeql3rBCGEY7oFV4t6+NRo09V1jX+ENd2TnkGxV6Je ZClfFzIAdfIz2zRNblPA0REFuMUIa+wIRCKSLtF+x/IhnhdCrj91sGRXXaOfvhlk hao5UvUCTAXInQMV0iABmG4w0Zrf3VERrkr8PCKBk5YeeEQFH4Gik0lM108LjlvU nMU/iMJO2EX4xh8WA+2LxG4S5VMNwI89ft5Hg5ZXhHTqWrw4TJmmIfPYO6xtOWcF 2DvFyoEAezUiiW7Ftny6vi65Vfj59vgA/yvhYrFLR+gRdZKIDM2gOjnuzkIOqSas 9OJnAAVjqmqUENiTtwb5GuV6AXOKRqwcYqOrwsvbRt4ELSW9jnk= =s7Wl -----END PGP SIGNATURE----- Merge 5.4.159 into android11-5.4-lts Changes in 5.4.159 Revert "x86/kvm: fix vcpu-id indexed array sizes" usb: ehci: handshake CMD_RUN instead of STS_HALT usb: gadget: Mark USB_FSL_QE broken on 64-bit usb: musb: Balance list entry in musb_gadget_queue usb-storage: Add compatibility quirk flags for iODD 2531/2541 binder: don't detect sender/target during buffer cleanup printk/console: Allow to disable console output by using console="" or console=null isofs: Fix out of bound access for corrupted isofs image comedi: dt9812: fix DMA buffers on stack comedi: ni_usb6501: fix NULL-deref in command paths comedi: vmk80xx: fix transfer-buffer overflows comedi: vmk80xx: fix bulk-buffer overflow comedi: vmk80xx: fix bulk and interrupt message timeouts staging: r8712u: fix control-message timeout staging: rtl8192u: fix control-message timeouts media: staging/intel-ipu3: css: Fix wrong size comparison imgu_css_fw_init rsi: fix control-message timeout Linux 5.4.159 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ibb41eb745cd6a3a63b7194dd0773689f35817090 |
||
|
Todd Kjos
|
589ac131b3 |
binder: don't detect sender/target during buffer cleanup
commit 32e9f56a96d8d0f23cb2aeb2a3cd18d40393e787 upstream.
When freeing txn buffers, binder_transaction_buffer_release()
attempts to detect whether the current context is the target by
comparing current->group_leader to proc->tsk. This is an unreliable
test. Instead explicitly pass an 'is_failure' boolean.
Detecting the sender was being used as a way to tell if the
transaction failed to be sent. When cleaning up after
failing to send a transaction, there is no need to close
the fds associated with a BINDER_TYPE_FDA object. Now
'is_failure' can be used to accurately detect this case.
Fixes:
|
||
|
Todd Kjos
|
aa2c274c27 |
binder: make sure fd closes complete
commit 5fdb55c1ac9585eb23bb2541d5819224429e103d upstream.
During BC_FREE_BUFFER processing, the BINDER_TYPE_FDA object
cleanup may close 1 or more fds. The close operations are
completed using the task work mechanism -- which means the thread
needs to return to userspace or the file object may never be
dereferenced -- which can lead to hung processes.
Force the binder thread back to userspace if an fd is closed during
BC_FREE_BUFFER handling.
Fixes:
|
||
|
Todd Kjos
|
a151ec4843 |
FROMGIT: binder: make sure fd closes complete
During BC_FREE_BUFFER processing, the BINDER_TYPE_FDA object
cleanup may close 1 or more fds. The close operations are
completed using the task work mechanism -- which means the thread
needs to return to userspace or the file object may never be
dereferenced -- which can lead to hung processes.
Force the binder thread back to userspace if an fd is closed during
BC_FREE_BUFFER handling.
Fixes:
|
||
Frankie.Chang
|
c6c9823ce8 |
BACKPORT: binder: move structs from core file to header file
Moving all structs to header file makes module more extendable, and makes all these structs to be defined in the same file. Signed-off-by: Frankie.Chang <Frankie.Chang@mediatek.com> Acked-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/1605063764-12930-2-git-send-email-Frankie.Chang@mediatek.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 182234755 Change-Id: Ifd9c159195011e9311a5dda6e15f102b584d4b5a (cherry picked from commit 1987f112f1425cba2671d878f6952087e9456a0a) Signed-off-by: Frankie Chang <frankie.chang@mediatek.com> (cherry picked from commit a9c29b897d9ed7cec7f11c59f1035c96c09f4b96) |
||
|
Frankie Chang
|
7285ca6e97 |
ANDROID: Add vendor hooks when syscall prctl finished
Add vendor hook when syscall prctl finished for vendor-specific tuning. Bug: 181819699 Signed-off-by: Frankie Chang <frankie.chang@mediatek.com> Change-Id: Ica42d80ab4b540045330e9c5b211e0e814eed0ff (cherry picked from commit 6904f0001e4ec3c637539c18969e46755eaa01f4) |
||
|
Frankie Chang
|
4b22a63233 |
ANDROID: cgroup: Add vendor hook to the cgroup
Add a vendor hook after attaching a task to a cgroup to recognize the group_id for performance tuning Bug: 181917687 Signed-off-by: Frankie Chang <frankie.chang@mediatek.com> Change-Id: I603afa3d893dd575a7dcb97f83bd9eacb8315bab (cherry picked from commit bed1e2a75b0000d99a00177272b93e5c8430308b) |
||
|
Greg Kroah-Hartman
|
9394e52285 |
Merge tag 'android11-5.4.86_r00' from 'android11-5.4-lts' into 'android11-5.4'
This merges the 5.4.86 upstream LTS release into the android11-5.4 branch so that all devices can get the needed important security and other bugfixes that are in here. All devices must upgrade to remain properly secure from known issues. Bug: 180469075 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I1041e0d08d55a3eb2e0f49b7d2384960f48d9b11 |
||
Yun Hsiang
|
b7f31af2f1 |
ANDROID: sched: add em_pd_energy vendor hook
We add a vendor hook for util to freq calculation in schedutil, so we need to do corresponding change for energy calculation. android_vh_em_pd_energy adjust energy calculation Bug: 178021064 Signed-off-by: Yun Hsiang <yun.hsiang@mediatek.com> Change-Id: Iae772cf07881602eea3f27aeb75fba753e7c2635 |
||
|
Yun Hsiang
|
68ecddcda8 |
ANDROID: schedutil: add vendor hook for adjusting util to freq calculation
Currently, the frequency is calculated by max freq * 1.25 * util / max cap. Add a vendor hook to adjust the frequency when the calculation overestimate. android_vh_map_util_freq adjust util to freq calculation Bug: 177845438 Signed-off-by: Yun Hsiang <yun.hsiang@mediatek.com> Change-Id: I9aa9079f00af7d3380b19f2fe21b75cddd107d15 |
||
|
Greg Kroah-Hartman
|
d45416b62b |
This is the 5.4.86 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl/sW9MACgkQONu9yGCS
aT5SwBAAo6dgHqwmPfuf98/8oVeVqTxcmE7GpzpVRH2+yI7Zwk2ez29tAflcM7lT
LKtR2WFGAxoCL4DUKXeO7Ubwpue5NoBIsJ8/dAYBesojps3WDaFGL55PvJLWwFJ7
5gPtPzynITaqIC1JCFcrJ7OTp7REiCUZRc1CJXJINWAYL1VbEbH8pH904xfFcivy
XnNyL9UiWp1lSB8oF3CRJOaK5M5gY1+wdCFaLVqQn306XDEM8PvZK4G3at/jXWgH
jQjArdtC8M8NwjyTwtqW9JAMV+6CD0/HXk0QboTZg6yiaRrtUsfzMqJ1cvhKcQgO
kLE3rwdnr3/MxuzSnGWbswflG2WCutoah58g0uN8H0nCiui5mKN6x5K+emgDZIoO
ndDnh+/5OE247EK+3CGn/0N8i/fOymrLAnLL4wCXVdlQLMCalnL37ibdfGbAptXi
N3GOGZ2iEglvTsEr5w0r86+AzNskm5EqA7mFGFiAyf9viR2xwYk3RrWf2ZyMRos2
2S7mKcZmw7voDu2TIDIhqydToBKxmYI/mUn3mFFme1h3lwzM3zYG1aovVLfd5NkY
Gx5E/CA/ut/3n0u/dXJ8SxEitBWkqImp5UdYcElQNxQoXnVU4yKmjf6dDL9Wqh+1
ujCiaCUJd3PY0uXXIb6RWWGs2VaL4xiEnk+ZBm0VI9WEUWksSx0=
=jnmv
-----END PGP SIGNATURE-----
Merge 5.4.86 into android11-5.4-lts
Changes in 5.4.86
ARM: dts: sun7i: bananapi: Enable RGMII RX/TX delay on Ethernet PHY
ARM: dts: sun8i: r40: bananapi-m2-berry: Fix dcdc1 regulator
ARM: dts: sun8i: v40: bananapi-m2-berry: Fix ethernet node
pinctrl: merrifield: Set default bias in case no particular value given
pinctrl: baytrail: Avoid clearing debounce value when turning it off
ARM: dts: sun8i: v3s: fix GIC node memory range
ARM: dts: sun7i: pcduino3-nano: enable RGMII RX/TX delay on PHY
ARM: dts: imx6qdl-wandboard-revd1: Remove PAD_GPIO_6 from enetgrp
ARM: dts: imx6qdl-kontron-samx6i: fix I2C_PM scl pin
PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter
gpio: zynq: fix reference leak in zynq_gpio functions
gpio: mvebu: fix potential user-after-free on probe
scsi: bnx2i: Requires MMU
xsk: Fix xsk_poll()'s return type
xsk: Replace datagram_poll by sock_poll_wait
can: softing: softing_netdev_open(): fix error handling
clk: renesas: r9a06g032: Drop __packed for portability
block: Simplify REQ_OP_ZONE_RESET_ALL handling
block: factor out requeue handling from dispatch code
blk-mq: In blk_mq_dispatch_rq_list() "no budget" is a reason to kick
pinctrl: aspeed: Fix GPIO requests on pass-through banks
netfilter: x_tables: Switch synchronization to RCU
netfilter: nft_compat: make sure xtables destructors have run
netfilter: nft_dynset: fix timeouts later than 23 days
afs: Fix memory leak when mounting with multiple source parameters
Revert "gpio: eic-sprd: Use devm_platform_ioremap_resource()"
gpio: eic-sprd: break loop when getting NULL device resource
netfilter: nft_ct: Remove confirmation check for NFT_CT_ID
selftests/bpf/test_offload.py: Reset ethtool features after failed setting
RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait
i40e: Refactor rx_bi accesses
i40e: optimise prefetch page refcount
i40e: avoid premature Rx buffer reuse
ixgbe: avoid premature Rx buffer reuse
selftests: fix poll error in udpgro.sh
net: mvpp2: add mvpp2_phylink_to_port() helper
drm/tegra: replace idr_init() by idr_init_base()
kernel/cpu: add arch override for clear_tasks_mm_cpumask() mm handling
drm/tegra: sor: Disable clocks on error in tegra_sor_init()
habanalabs: put devices before driver removal
arm64: syscall: exit userspace before unmasking exceptions
vxlan: Add needed_headroom for lower device
vxlan: Copy needed_tailroom from lowerdev
scsi: mpt3sas: Increase IOCInit request timeout to 30s
dm table: Remove BUG_ON(in_interrupt())
iwlwifi: pcie: add one missing entry for AX210
drm/amd/display: Init clock value by current vbios CLKs
perf/x86/intel: Check PEBS status correctly
kbuild: avoid split lines in .mod files
soc/tegra: fuse: Fix index bug in get_process_id
usb: mtu3: fix memory corruption in mtu3_debugfs_regset()
USB: serial: option: add interface-number sanity check to flag handling
USB: gadget: f_acm: add support for SuperSpeed Plus
USB: gadget: f_midi: setup SuperSpeed Plus descriptors
usb: gadget: f_fs: Re-use SS descriptors for SuperSpeedPlus
USB: gadget: f_rndis: fix bitrate for SuperSpeed and above
usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to imx6ul
ARM: dts: exynos: fix roles of USB 3.0 ports on Odroid XU
ARM: dts: exynos: fix USB 3.0 VBUS control and over-current pins on Exynos5410
ARM: dts: exynos: fix USB 3.0 pins supply being turned off on Odroid XU
coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf()
coresight: tmc-etr: Check if page is valid before dma_map_page()
coresight: tmc-etr: Fix barrier packet insertion for perf buffer
coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf()
scsi: megaraid_sas: Check user-provided offsets
HID: i2c-hid: add Vero K147 to descriptor override
serial_core: Check for port state when tty is in error state
Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
quota: Sanity-check quota file headers on load
media: msi2500: assign SPI bus number dynamically
crypto: af_alg - avoid undefined behavior accessing salg_name
md: fix a warning caused by a race between concurrent md_ioctl()s
drm/gma500: fix double free of gma_connector
drm/aspeed: Fix Kconfig warning & subsequent build errors
drm/mcde: Fix handling of platform_get_irq() error
drm/tve200: Fix handling of platform_get_irq() error
arm64: dts: renesas: hihope-rzg2-ex: Drop rxc-skew-ps from ethernet-phy node
arm64: dts: renesas: cat875: Remove rxc-skew-ps from ethernet-phy node
soc: renesas: rmobile-sysc: Fix some leaks in rmobile_init_pm_domains()
soc: mediatek: Check if power domains can be powered on at boot time
soc: qcom: geni: More properly switch to DMA mode
Revert "i2c: i2c-qcom-geni: Fix DMA transfer race"
RDMA/bnxt_re: Set queue pair state when being queried
rtc: pcf2127: fix pcf2127_nvmem_read/write() returns
selinux: fix error initialization in inode_doinit_with_dentry()
ARM: dts: aspeed: s2600wf: Fix VGA memory region location
RDMA/rxe: Compute PSN windows correctly
x86/mm/ident_map: Check for errors from ident_pud_init()
ARM: p2v: fix handling of LPAE translation in BE mode
x86/apic: Fix x2apic enablement without interrupt remapping
sched/deadline: Fix sched_dl_global_validate()
sched: Reenable interrupts in do_sched_yield()
drm/amdgpu: fix incorrect enum type
crypto: talitos - Endianess in current_desc_hdr()
crypto: talitos - Fix return type of current_desc_hdr()
crypto: inside-secure - Fix sizeof() mismatch
ASoC: sun4i-i2s: Fix lrck_period computation for I2S justified mode
ARM: dts: aspeed: tiogapass: Remove vuart
drm/amdgpu: fix build_coefficients() argument
powerpc/64: Set up a kernel stack for secondaries before cpu_restore()
spi: img-spfi: fix reference leak in img_spfi_resume
f2fs: call f2fs_get_meta_page_retry for nat page
drm/msm/dsi_pll_10nm: restore VCO rate during restore_state
spi: spi-mem: fix reference leak in spi_mem_access_start
ASoC: pcm: DRAIN support reactivation
selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling
spi: stm32: fix reference leak in stm32_spi_resume
brcmfmac: Fix memory leak for unpaired brcmf_{alloc/free}
arm64: dts: exynos: Include common syscon restart/poweroff for Exynos7
arm64: dts: exynos: Correct psci compatible used on Exynos7
Bluetooth: Fix null pointer dereference in hci_event_packet()
Bluetooth: hci_h5: fix memory leak in h5_close
spi: spi-ti-qspi: fix reference leak in ti_qspi_setup
spi: mt7621: fix missing clk_disable_unprepare() on error in mt7621_spi_probe
spi: tegra20-slink: fix reference leak in slink ops of tegra20
spi: tegra20-sflash: fix reference leak in tegra_sflash_resume
spi: tegra114: fix reference leak in tegra spi ops
spi: bcm63xx-hsspi: fix missing clk_disable_unprepare() on error in bcm63xx_hsspi_resume
mwifiex: fix mwifiex_shutdown_sw() causing sw reset failure
selftest/bpf: Add missed ip6ip6 test back
ASoC: wm8998: Fix PM disable depth imbalance on error
spi: sprd: fix reference leak in sprd_spi_remove
ASoC: arizona: Fix a wrong free in wm8997_probe
RDMa/mthca: Work around -Wenum-conversion warning
MIPS: BCM47XX: fix kconfig dependency bug for BCM47XX_BCMA
crypto: qat - fix status check in qat_hal_put_rel_rd_xfer()
staging: greybus: codecs: Fix reference counter leak in error handling
staging: gasket: interrupt: fix the missed eventfd_ctx_put() in gasket_interrupt.c
media: tm6000: Fix sizeof() mismatches
media: mtk-vcodec: add missing put_device() call in mtk_vcodec_init_dec_pm()
media: mtk-vcodec: add missing put_device() call in mtk_vcodec_release_dec_pm()
media: mtk-vcodec: add missing put_device() call in mtk_vcodec_init_enc_pm()
media: v4l2-fwnode: Return -EINVAL for invalid bus-type
ASoC: meson: fix COMPILE_TEST error
scsi: core: Fix VPD LUN ID designator priorities
media: solo6x10: fix missing snd_card_free in error handling case
video: fbdev: atmel_lcdfb: fix return error code in atmel_lcdfb_of_init()
drm/omap: dmm_tiler: fix return error code in omap_dmm_probe()
Input: ads7846 - fix race that causes missing releases
Input: ads7846 - fix integer overflow on Rt calculation
Input: ads7846 - fix unaligned access on 7845
usb/max3421: fix return error code in max3421_probe()
spi: mxs: fix reference leak in mxs_spi_probe
selftests/bpf: Fix broken riscv build
powerpc: Avoid broken GCC __attribute__((optimize))
powerpc/feature: Fix CPU_FTRS_ALWAYS by removing CPU_FTRS_GENERIC_32
EDAC/mce_amd: Use struct cpuinfo_x86.cpu_die_id for AMD NodeId
crypto: crypto4xx - Replace bitwise OR with logical OR in crypto4xx_build_pd
crypto: omap-aes - Fix PM disable depth imbalance in omap_aes_probe
spi: fix resource leak for drivers without .remove callback
soc: ti: knav_qmss: fix reference leak in knav_queue_probe
soc: ti: Fix reference imbalance in knav_dma_probe
drivers: soc: ti: knav_qmss_queue: Fix error return code in knav_queue_probe
Input: omap4-keypad - fix runtime PM error handling
clk: meson: Kconfig: fix dependency for G12A
RDMA/cxgb4: Validate the number of CQEs
memstick: fix a double-free bug in memstick_check
ARM: dts: at91: sama5d4_xplained: add pincontrol for USB Host
ARM: dts: at91: sama5d3_xplained: add pincontrol for USB Host
mmc: pxamci: Fix error return code in pxamci_probe
orinoco: Move context allocation after processing the skb
qtnfmac: fix error return code in qtnf_pcie_probe()
rsi: fix error return code in rsi_reset_card()
cw1200: fix missing destroy_workqueue() on error in cw1200_init_common
dmaengine: mv_xor_v2: Fix error return code in mv_xor_v2_probe()
arm64: tegra: Fix DT binding for IO High Voltage entry
media: siano: fix memory leak of debugfs members in smsdvb_hotplug
platform/x86: mlx-platform: Remove PSU EEPROM from default platform configuration
platform/x86: mlx-platform: Remove PSU EEPROM from MSN274x platform configuration
samples: bpf: Fix lwt_len_hist reusing previous BPF map
media: imx214: Fix stop streaming
mips: cdmm: fix use-after-free in mips_cdmm_bus_discover
media: max2175: fix max2175_set_csm_mode() error code
slimbus: qcom-ngd-ctrl: Avoid sending power requests without QMI
HSI: omap_ssi: Don't jump to free ID in ssi_add_controller()
ARM: dts: Remove non-existent i2c1 from 98dx3236
arm64: dts: armada-3720-turris-mox: update ethernet-phy handle name
arm64: dts: rockchip: Set dr_mode to "host" for OTG on rk3328-roc-cc
power: supply: axp288_charger: Fix HP Pavilion x2 10 DMI matching
power: supply: bq24190_charger: fix reference leak
genirq/irqdomain: Don't try to free an interrupt that has no mapping
arm64: dts: ls1028a: fix ENETC PTP clock input
arm64: dts: qcom: c630: Polish i2c-hid devices
PCI: Bounds-check command-line resource alignment requests
PCI: Fix overflow in command-line resource alignment requests
PCI: iproc: Fix out-of-bound array accesses
arm64: dts: meson: fix spi-max-frequency on Khadas VIM2
arm64: dts: meson-sm1: fix typo in opp table
soc: amlogic: canvas: add missing put_device() call in meson_canvas_get()
ARM: dts: at91: at91sam9rl: fix ADC triggers
platform/x86: dell-smbios-base: Fix error return code in dell_smbios_init
ath10k: Fix the parsing error in service available event
ath10k: Fix an error handling path
ath10k: Release some resources in an error handling path
SUNRPC: rpc_wake_up() should wake up tasks in the correct order
NFSv4.2: condition READDIR's mask for security label based on LSM state
SUNRPC: xprt_load_transport() needs to support the netid "rdma6"
NFSv4: Fix the alignment of page data in the getdeviceinfo reply
net: sunrpc: Fix 'snprintf' return value check in 'do_xprt_debugfs'
lockd: don't use interval-based rebinding over TCP
NFS: switch nfsiod to be an UNBOUND workqueue.
selftests/seccomp: Update kernel config
vfio-pci: Use io_remap_pfn_range() for PCI IO memory
hwmon: (ina3221) Fix PM usage counter unbalance in ina3221_write_enable
media: saa7146: fix array overflow in vidioc_s_audio()
powerpc/perf: Fix crash with is_sier_available when pmu is not set
powerpc/64: Fix an EMIT_BUG_ENTRY in head_64.S
clocksource/drivers/orion: Add missing clk_disable_unprepare() on error path
clocksource/drivers/cadence_ttc: Fix memory leak in ttc_setup_clockevent()
iio: hrtimer-trigger: Mark hrtimer to expire in hard interrupt context
ARM: dts: at91: sama5d2: map securam as device
bpf: Fix bpf_put_raw_tracepoint()'s use of __module_address()
pinctrl: falcon: add missing put_device() call in pinctrl_falcon_probe()
arm64: dts: rockchip: Fix UART pull-ups on rk3328
memstick: r592: Fix error return in r592_probe()
MIPS: Don't round up kernel sections size for memblock_add()
net/mlx5: Properly convey driver version to firmware
ASoC: jz4740-i2s: add missed checks for clk_get()
dm ioctl: fix error return code in target_message
phy: renesas: rcar-gen3-usb2: disable runtime pm in case of failure
clocksource/drivers/arm_arch_timer: Use stable count reader in erratum sne
clocksource/drivers/arm_arch_timer: Correct fault programming of CNTKCTL_EL1.EVNTI
cpufreq: ap806: Add missing MODULE_DEVICE_TABLE
cpufreq: highbank: Add missing MODULE_DEVICE_TABLE
cpufreq: mediatek: Add missing MODULE_DEVICE_TABLE
cpufreq: qcom: Add missing MODULE_DEVICE_TABLE
cpufreq: st: Add missing MODULE_DEVICE_TABLE
cpufreq: sun50i: Add missing MODULE_DEVICE_TABLE
cpufreq: loongson1: Add missing MODULE_ALIAS
cpufreq: scpi: Add missing MODULE_ALIAS
Bluetooth: btusb: Add the missed release_firmware() in btusb_mtk_setup_firmware()
Bluetooth: btmtksdio: Add the missed release_firmware() in mtk_setup_firmware()
arm64: dts: meson: fix PHY deassert timing requirements
ARM: dts: meson: fix PHY deassert timing requirements
arm64: dts: meson: g12a: x96-max: fix PHY deassert timing requirements
scsi: qedi: Fix missing destroy_workqueue() on error in __qedi_probe
scsi: pm80xx: Fix error return in pm8001_pci_probe()
seq_buf: Avoid type mismatch for seq_buf_init
scsi: fnic: Fix error return code in fnic_probe()
platform/x86: mlx-platform: Fix item counter assignment for MSN2700, MSN24xx systems
powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops
powerpc/pseries/hibernation: remove redundant cacheinfo update
drm/mediatek: avoid dereferencing a null hdmi_phy on an error message
ASoC: amd: change clk_get() to devm_clk_get() and add missed checks
powerpc/mm: sanity_check_fault() should work for all, not only BOOK3S
usb: ehci-omap: Fix PM disable depth umbalance in ehci_hcd_omap_probe
usb: oxu210hp-hcd: Fix memory leak in oxu_create
speakup: fix uninitialized flush_lock
nfsd: Fix message level for normal termination
nfs_common: need lock during iterate through the list
x86/kprobes: Restore BTF if the single-stepping is cancelled
platform/chrome: cros_ec_spi: Don't overwrite spi::mode
bus: fsl-mc: fix error return code in fsl_mc_object_allocate()
s390/cio: fix use-after-free in ccw_device_destroy_console
iwlwifi: mvm: hook up missing RX handlers
erofs: avoid using generic_block_bmap
can: m_can: m_can_config_endisable(): remove double clearing of clock stop request bit
RDMA/core: Do not indicate device ready when device enablement fails
remoteproc: q6v5-mss: fix error handling in q6v5_pds_enable
remoteproc: qcom: fix reference leak in adsp_start
remoteproc: qcom: Fix potential NULL dereference in adsp_init_mmio()
clk: tegra: Fix duplicated SE clock entry
mtd: rawnand: gpmi: fix reference count leak in gpmi ops
mtd: rawnand: meson: Fix a resource leak in init
mtd: rawnand: gpmi: Fix the random DMA timeout issue
extcon: max77693: Fix modalias string
crypto: atmel-i2c - select CONFIG_BITREVERSE
mac80211: don't set set TDLS STA bandwidth wider than possible
ASoC: wm_adsp: remove "ctl" from list on error in wm_adsp_create_control()
irqchip/alpine-msi: Fix freeing of interrupts on allocation error path
watchdog: armada_37xx: Add missing dependency on HAS_IOMEM
watchdog: sirfsoc: Add missing dependency on HAS_IOMEM
watchdog: sprd: remove watchdog disable from resume fail path
watchdog: sprd: check busy bit before new loading rather than after that
watchdog: Fix potential dereferencing of null pointer
ubifs: Fix error return code in ubifs_init_authentication()
um: Monitor error events in IRQ controller
um: tty: Fix handling of close in tty lines
um: chan_xterm: Fix fd leak
sunrpc: fix xs_read_xdr_buf for partial pages receive
RDMA/cma: Don't overwrite sgid_attr after device is released
nfc: s3fwrn5: Release the nfc firmware
powerpc/ps3: use dma_mapping_error()
sparc: fix handling of page table constructor failure
mm: don't wake kswapd prematurely when watermark boosting is disabled
checkpatch: fix unescaped left brace
lan743x: fix rx_napi_poll/interrupt ping-pong
net: bcmgenet: Fix a resource leak in an error handling path in the probe functin
net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function
net: korina: fix return value
libnvdimm/label: Return -ENXIO for no slot in __blk_label_update
watchdog: qcom: Avoid context switch in restart handler
watchdog: coh901327: add COMMON_CLK dependency
clk: ti: Fix memleak in ti_fapll_synth_setup
pwm: zx: Add missing cleanup in error path
pwm: lp3943: Dynamically allocate PWM chip base
perf record: Fix memory leak when using '--user-regs=?' to list registers
qlcnic: Fix error code in probe
virtio_ring: Cut and paste bugs in vring_create_virtqueue_packed()
virtio_net: Fix error code in probe()
virtio_ring: Fix two use after free bugs
clk: at91: sam9x60: remove atmel,osc-bypass support
clk: s2mps11: Fix a resource leak in error handling paths in the probe function
clk: sunxi-ng: Make sure divider tables have sentinel
kconfig: fix return value of do_error_if()
perf probe: Fix memory leak when synthesizing SDT probes
ARM: sunxi: Add machine match for the Allwinner V3 SoC
cfg80211: initialize rekey_data
fix namespaced fscaps when !CONFIG_SECURITY
lwt: Disable BH too in run_lwt_bpf()
drm/amd/display: Prevent bandwidth overflow
drm/amdkfd: Fix leak in dmabuf import
Input: cros_ec_keyb - send 'scancodes' in addition to key events
initramfs: fix clang build failure
Input: goodix - add upside-down quirk for Teclast X98 Pro tablet
vfio/pci/nvlink2: Do not attempt NPU2 setup on POWER8NVL NPU
media: gspca: Fix memory leak in probe
media: sunxi-cir: ensure IR is handled when it is continuous
media: netup_unidvb: Don't leak SPI master in probe error path
media: ipu3-cio2: Remove traces of returned buffers
media: ipu3-cio2: Return actual subdev format
media: ipu3-cio2: Serialise access to pad format
media: ipu3-cio2: Validate mbus format in setting subdev format
media: ipu3-cio2: Make the field on subdev format V4L2_FIELD_NONE
Input: cyapa_gen6 - fix out-of-bounds stack access
ALSA: hda/ca0132 - Change Input Source enum strings.
PM: ACPI: PCI: Drop acpi_pm_set_bridge_wakeup()
Revert "ACPI / resources: Use AE_CTRL_TERMINATE to terminate resources walks"
ACPI: PNP: compare the string length in the matching_id()
ALSA: hda: Fix regressions on clear and reconfig sysfs
ALSA: hda/ca0132 - Fix AE-5 rear headphone pincfg.
ALSA: hda/realtek: make bass spk volume adjustable on a yoga laptop
ALSA: hda/realtek - Enable headset mic of ASUS X430UN with ALC256
ALSA: hda/realtek - Enable headset mic of ASUS Q524UQK with ALC255
ALSA: hda/realtek - Add supported for more Lenovo ALC285 Headset Button
ALSA: pcm: oss: Fix a few more UBSAN fixes
ALSA/hda: apply jack fixup for the Acer Veriton N4640G/N6640G/N2510G
ALSA: hda/realtek: Add quirk for MSI-GP73
ALSA: hda/realtek: Apply jack fixup for Quanta NL3
ALSA: usb-audio: Add VID to support native DSD reproduction on FiiO devices
ALSA: usb-audio: Disable sample read check if firmware doesn't give back
ALSA: core: memalloc: add page alignment for iram
s390/smp: perform initial CPU reset also for SMT siblings
s390/kexec_file: fix diag308 subcode when loading crash kernel
s390/dasd: fix hanging device offline processing
s390/dasd: prevent inconsistent LCU device data
s390/dasd: fix list corruption of pavgroup group list
s390/dasd: fix list corruption of lcu list
binder: add flag to clear buffer on txn complete
ASoC: cx2072x: Fix doubly definitions of Playback and Capture streams
staging: comedi: mf6x4: Fix AI end-of-conversion detection
perf/x86/intel: Add event constraint for CYCLE_ACTIVITY.STALLS_MEM_ANY
perf/x86/intel: Fix rtm_abort_event encoding on Ice Lake
powerpc/perf: Exclude kernel samples while counting events in user space.
crypto: ecdh - avoid unaligned accesses in ecdh_set_secret()
crypto: arm/aes-ce - work around Cortex-A57/A72 silion errata
EDAC/i10nm: Use readl() to access MMIO registers
EDAC/amd64: Fix PCI component registration
cpuset: fix race between hotplug work and later CPU offline
USB: serial: mos7720: fix parallel-port state restore
USB: serial: digi_acceleport: fix write-wakeup deadlocks
USB: serial: keyspan_pda: fix dropped unthrottle interrupts
USB: serial: keyspan_pda: fix write deadlock
USB: serial: keyspan_pda: fix stalled writes
USB: serial: keyspan_pda: fix write-wakeup use-after-free
USB: serial: keyspan_pda: fix tx-unthrottle use-after-free
USB: serial: keyspan_pda: fix write unthrottling
btrfs: do not shorten unpin len for caching block groups
btrfs: trim: fix underflow in trim length to prevent access beyond device boundary
ext4: fix a memory leak of ext4_free_data
ext4: fix deadlock with fs freezing and EA inodes
KVM: arm64: Introduce handling of AArch32 TTBCR2 traps
ARM: dts: pandaboard: fix pinmux for gpio user button of Pandaboard ES
ARM: dts: at91: sama5d2: fix CAN message ram offset and size
xprtrdma: Fix XDRBUF_SPARSE_PAGES support
powerpc: Fix incorrect stw{, ux, u, x} instructions in __set_pte_at
powerpc/rtas: Fix typo of ibm,open-errinjct in RTAS filter
powerpc/feature: Add CPU_FTR_NOEXECUTE to G2_LE
powerpc/xmon: Change printk() to pr_cont()
powerpc/8xx: Fix early debug when SMC1 is relocated
powerpc/mm: Fix verification of MMU_FTR_TYPE_44x
powerpc/powernv/npu: Do not attempt NPU2 setup on POWER8NVL NPU
powerpc/powernv/memtrace: Don't leak kernel memory to user space
powerpc/powernv/memtrace: Fix crashing the kernel when enabling concurrently
ima: Don't modify file descriptor mode on the fly
um: Remove use of asprinf in umid.c
ceph: fix race in concurrent __ceph_remove_cap invocations
SMB3: avoid confusing warning message on mount to Azure
ubifs: wbuf: Don't leak kernel memory to flash
jffs2: Fix GC exit abnormally
jffs2: Fix ignoring mounting options problem during remounting
jfs: Fix array index bounds check in dbAdjTree
platform/x86: mlx-platform: remove an unused variable
drm/amd/display: Fix memory leaks in S3 resume
drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor()
drm/i915: Fix mismatch between misplaced vma check and vma insert
spi: pxa2xx: Fix use-after-free on unbind
spi: spi-sh: Fix use-after-free on unbind
spi: atmel-quadspi: Fix use-after-free on unbind
spi: davinci: Fix use-after-free on unbind
spi: fsl: fix use of spisel_boot signal on MPC8309
spi: gpio: Don't leak SPI master in probe error path
spi: mxic: Don't leak SPI master in probe error path
spi: pic32: Don't leak DMA channels in probe error path
spi: rb4xx: Don't leak SPI master in probe error path
spi: sc18is602: Don't leak SPI master in probe error path
spi: st-ssc4: Fix unbalanced pm_runtime_disable() in probe error path
spi: synquacer: Disable clock in probe error path
spi: mt7621: Disable clock in probe error path
spi: mt7621: Don't leak SPI master in probe error path
spi: atmel-quadspi: Disable clock in probe error path
spi: atmel-quadspi: Fix AHB memory accesses
soc: qcom: smp2p: Safely acquire spinlock without IRQs
mtd: spinand: Fix OOB read
mtd: parser: cmdline: Fix parsing of part-names with colons
mtd: rawnand: qcom: Fix DMA sync on FLASH_STATUS register read
mtd: rawnand: meson: fix meson_nfc_dma_buffer_release() arguments
scsi: qla2xxx: Fix crash during driver load on big endian machines
scsi: lpfc: Fix invalid sleeping context in lpfc_sli4_nvmet_alloc()
scsi: lpfc: Re-fix use after free in lpfc_rq_buf_free()
iio: buffer: Fix demux update
iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on error in rockchip_saradc_resume
iio:light:rpr0521: Fix timestamp alignment and prevent data leak.
iio:light:st_uvis25: Fix timestamp alignment and prevent data leak.
iio:magnetometer:mag3110: Fix alignment and data leak issues.
iio:pressure:mpl3115: Force alignment of buffer
iio:imu:bmi160: Fix too large a buffer.
iio:adc:ti-ads124s08: Fix buffer being too long.
iio:adc:ti-ads124s08: Fix alignment and data leak issues.
md/cluster: block reshape with remote resync job
md/cluster: fix deadlock when node is doing resync job
pinctrl: sunxi: Always call chained_irq_{enter, exit} in sunxi_pinctrl_irq_handler
clk: ingenic: Fix divider calculation with div tables
clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9
clk: tegra: Do not return 0 on failure
device-dax/core: Fix memory leak when rmmod dax.ko
dma-buf/dma-resv: Respect num_fences when initializing the shared fence list.
xen-blkback: set ring->xenblkd to NULL after kthread_stop()
xen/xenbus: Allow watches discard events before queueing
xen/xenbus: Add 'will_handle' callback support in xenbus_watch_path()
xen/xenbus/xen_bus_type: Support will_handle watch callback
xen/xenbus: Count pending messages for each watch
xenbus/xenbus_backend: Disallow pending watch messages
libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels
platform/x86: intel-vbtn: Allow switch events on Acer Switch Alpha 12
PCI: Fix pci_slot_release() NULL pointer dereference
regulator: axp20x: Fix DLDO2 voltage control register mask for AXP22x
rtc: ep93xx: Fix NULL pointer dereference in ep93xx_rtc_read_time
Revert: "ring-buffer: Remove HAVE_64BIT_ALIGNED_ACCESS"
x86/CPU/AMD: Save AMD NodeId as cpu_die_id
Linux 5.4.86
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If271639b9a7c833718f8cfdfbacce5affe7f4189
|
||
|
Todd Kjos
|
5fbf84689f |
binder: add flag to clear buffer on txn complete
commit 0f966cba95c78029f491b433ea95ff38f414a761 upstream. Add a per-transaction flag to indicate that the buffer must be cleared when the transaction is complete to prevent copies of sensitive data from being preserved in memory. Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20201120233743.3617529-1-tkjos@google.com Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
ec9ecb5d11 |
Merge branch 'android11-5.4' into 'android11-5.4-lts'
Sync up with android11-5.4 for the following commits: |
||
|
Greg Kroah-Hartman
|
01435b2e91 |
ANDROID: GKI: net: add vendor hooks for 'struct nf_conn' lifecycle
Some vendors want to add a field when a 'sruct nf_conn' is added so give a hook to handle this. Any memory allocated when trace_android_rvh_nf_conn_alloc() is called needs to be freed when trace_android_rvh_nf_conn_free() is called. Note, if trace_android_rvh_nf_conn_alloc() fails, be sure to be able to handle this in trace_android_rvh_nf_conn_free(), but that should not be an issue as that needs to be addressed in vendor code that runs for 'struct nf_conn' objects that have been created before the vendor code is loaded no matter what. Bug: 171013716 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I67a9be129150690f8c1961accf7d5cdf0d5d50cc |
||
|
Greg Kroah-Hartman
|
20dd49792a |
ANDROID: GKI: net: add vendor hooks for 'struct sock' lifecycle
Some vendors want to add a field when a 'sruct sock' is added so give a hook to handle this. Any memory allocated when trace_android_rvh_sk_alloc() is called needs to be freed when trace_android_rvh_sk_free() is called. Note, if trace_android_rvh_sk_alloc() fails, be sure to be able to handle this in trace_android_rvh_sk_free(), but that should not be an issue as that needs to be addressed in vendor code that runs for 'struct sock' objects that have been created before the vendor code is loaded no matter what. Bug: 171013716 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I9ed93e8bffef3cd8fbde4d62fc14596764a85304 |
||
|
Greg Kroah-Hartman
|
7ee5d73d3e |
This is the 5.4.73 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+ahE8ACgkQONu9yGCS
aT4j1A/9HzkKKoqZ2vXYQ1/uEnUqZech9ly1KxpNTBrSZYAtx3MaWY7tGDEx2BqD
y6iw9x4MymhHEbpwLg6YmmdWuMQLNNYJGoyLiPJgWhkE4c7zHadhNz1DcPEI8F7z
bSlUJ3Oebr8gzv0FvUmeVXw7Z2EuOqM1zGgTAZfnKY3DkYHbLnrzUJ4AiI8TNeba
pPIhjfIJ1TvhF+s5ggf2m8OtSWLZ0doCWCPmCFe2WyERX2WYCzPgsm0yL7L7oXME
ZqWpOcClBsiYekBNcZ4kxozhJtArCnv24n9VoXJ/YJIlWKvCA6uC8r527nGN/z08
dfFelj1nDs7/VrCSP4+109EjxLQnSYGgIWP0g0OsC+9wOmrQsYJ1azP1eNjm+NuC
hPa8uYVEZxwVyJuEfu4ZB4NMZBlD2qnHoskvBKbyZ8yaVnbvlMp552XMwsmJBpCs
8wArzabrJEz396LUUIYG829D7NBDuRav1Miu+FTzlbn+xZ/Y/S8OmhoG2stWa4wV
y5x0M0DWgrqiZ9rMkz9A03UNnCInQVTfIBoMl63xFitW4/0vLsln3+CjzlKm7H46
rD/tKACUoCDjR5DN+JwQzmTdL9zBb4p1cXwWjWb6rON3BkXmO0JVAxzurxI9PfX0
ZWDydZ3HNmrm0d3J12zf3kTX56PfPFAGWUsEc4Ntb5zdWXSQJsE=
=fZ3T
-----END PGP SIGNATURE-----
Merge 5.4.73 into android11-5.4-lts
Changes in 5.4.73
ibmveth: Switch order of ibmveth_helper calls.
ibmveth: Identify ingress large send packets.
ipv4: Restore flowi4_oif update before call to xfrm_lookup_route
mlx4: handle non-napi callers to napi_poll
net: fec: Fix phy_device lookup for phy_reset_after_clk_enable()
net: fec: Fix PHY init after phy_reset_after_clk_enable()
net: fix pos incrementment in ipv6_route_seq_next
net/smc: fix valid DMBE buffer sizes
net/tls: sendfile fails with ktls offload
net: usb: qmi_wwan: add Cellient MPL200 card
tipc: fix the skb_unshare() in tipc_buf_append()
socket: fix option SO_TIMESTAMPING_NEW
can: m_can_platform: don't call m_can_class_suspend in runtime suspend
can: j1935: j1939_tp_tx_dat_new(): fix missing initialization of skbcnt
net: j1939: j1939_session_fresh_new(): fix missing initialization of skbcnt
net/ipv4: always honour route mtu during forwarding
net_sched: remove a redundant goto chain check
r8169: fix data corruption issue on RTL8402
cxgb4: handle 4-tuple PEDIT to NAT mode translation
binder: fix UAF when releasing todo list
ALSA: bebob: potential info leak in hwdep_read()
ALSA: hda: fix jack detection with Realtek codecs when in D3
ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close
nvme-pci: disable the write zeros command for Intel 600P/P3100
chelsio/chtls: fix socket lock
chelsio/chtls: correct netdevice for vlan interface
chelsio/chtls: correct function return and return type
ibmvnic: save changed mac address to adapter->mac_addr
net: ftgmac100: Fix Aspeed ast2600 TX hang issue
net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device
net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup
net: Properly typecast int values to set sk_max_pacing_rate
net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels
nexthop: Fix performance regression in nexthop deletion
nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download()
r8169: fix operation under forced interrupt threading
selftests: forwarding: Add missing 'rp_filter' configuration
selftests: rtnetlink: load fou module for kci_test_encap_fou() test
tcp: fix to update snd_wl1 in bulk receiver fast path
icmp: randomize the global rate limiter
ALSA: hda/realtek - The front Mic on a HP machine doesn't work
ALSA: hda/realtek - set mic to auto detect on a HP AIO machine
ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7
ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887
cifs: remove bogus debug code
cifs: Return the error from crypt_message when enc/dec key not found.
SMB3: Resolve data corruption of TCP server info fields
KVM: nVMX: Reset the segment cache when stuffing guest segs
KVM: nVMX: Reload vmcs01 if getting vmcs12's pages fails
KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages
KVM: SVM: Initialize prev_ga_tag before use
ima: Don't ignore errors from crypto_shash_update()
crypto: algif_aead - Do not set MAY_BACKLOG on the async path
crypto: caam/qi - add fallback for XTS with more than 8B IV
EDAC/i5100: Fix error handling order in i5100_init_one()
EDAC/aspeed: Fix handling of platform_get_irq() error
EDAC/ti: Fix handling of platform_get_irq() error
perf/x86/intel/ds: Fix x86_pmu_stop warning for large PEBS
x86/fpu: Allow multiple bits in clearcpuid= parameter
drivers/perf: xgene_pmu: Fix uninitialized resource struct
drivers/perf: thunderx2_pmu: Fix memory resource error handling
sched/fair: Fix wrong cpu selecting from isolated domain
perf/x86/intel/uncore: Update Ice Lake uncore units
perf/x86/intel/uncore: Reduce the number of CBOX counters
x86/nmi: Fix nmi_handle() duration miscalculation
x86/events/amd/iommu: Fix sizeof mismatch
crypto: algif_skcipher - EBUSY on aio should be an error
crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc()
crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call
crypto: picoxcell - Fix potential race condition bug
media: tuner-simple: fix regression in simple_set_radio_freq
media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()"
media: ov5640: Correct Bit Div register in clock tree diagram
media: m5mols: Check function pointer in m5mols_sensor_power
media: uvcvideo: Set media controller entity functions
media: uvcvideo: Silence shift-out-of-bounds warning
media: staging/intel-ipu3: css: Correctly reset some memory
media: omap3isp: Fix memleak in isp_probe
media: i2c: ov5640: Remain in power down for DVP mode unless streaming
media: i2c: ov5640: Separate out mipi configuration from s_power
media: i2c: ov5640: Enable data pins on poweron for DVP mode
media: rcar_drif: Fix fwnode reference leak when parsing DT
media: rcar_drif: Allocate v4l2_async_subdev dynamically
media: rcar-csi2: Allocate v4l2_async_subdev dynamically
crypto: omap-sham - fix digcnt register handling with export/import
hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61}
cypto: mediatek - fix leaks in mtk_desc_ring_alloc
media: mx2_emmaprp: Fix memleak in emmaprp_probe
media: tc358743: initialize variable
media: tc358743: cleanup tc358743_cec_isr
media: rcar-vin: Fix a reference count leak.
media: rockchip/rga: Fix a reference count leak.
media: platform: fcp: Fix a reference count leak.
media: camss: Fix a reference count leak.
media: s5p-mfc: Fix a reference count leak
media: stm32-dcmi: Fix a reference count leak
media: ti-vpe: Fix a missing check and reference count leak
regulator: resolve supply after creating regulator
pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB
spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath()
spi: spi-s3c64xx: Check return values
blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue
ath10k: provide survey info as accumulated data
drm/vkms: fix xrgb on compute crc
Bluetooth: hci_uart: Cancel init work before unregistering
drm/amd/display: Fix wrong return value in dm_update_plane_state()
drm: panel: Fix bus format for OrtusTech COM43H4M85ULC panel
ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()
ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path
wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680
ASoC: qcom: lpass-platform: fix memory leak
ASoC: qcom: lpass-cpu: fix concurrency issue
brcmfmac: check ndev pointer
mwifiex: Do not use GFP_KERNEL in atomic context
staging: rtl8192u: Do not use GFP_KERNEL in atomic context
drm/gma500: fix error check
scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()'
scsi: qla2xxx: Fix wrong return value in qlt_chk_unresolv_exchg()
scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba()
scsi: csiostor: Fix wrong return value in csio_hw_prep_fw()
backlight: sky81452-backlight: Fix refcount imbalance on error
staging: emxx_udc: Fix passing of NULL to dma_alloc_coherent()
VMCI: check return value of get_user_pages_fast() for errors
mm/error_inject: Fix allow_error_inject function signatures.
drm: panel: Fix bpc for OrtusTech COM43H4M85ULC panel
drm/crc-debugfs: Fix memleak in crc_control_write
binder: Remove bogus warning on failed same-process transaction
tty: serial: earlycon dependency
tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()
pty: do tty_flip_buffer_push without port->lock in pty_write
pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare()
pwm: lpss: Add range limit check for the base_unit register value
drivers/virt/fsl_hypervisor: Fix error handling path
video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error
video: fbdev: sis: fix null ptr dereference
video: fbdev: radeon: Fix memleak in radeonfb_pci_register
ASoC: fsl: imx-es8328: add missing put_device() call in imx_es8328_probe()
HID: roccat: add bounds checking in kone_sysfs_write_settings()
drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check()
drm/panfrost: Ensure GPU quirks are always initialised
iomap: Clear page error before beginning a write
pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser
pinctrl: mcp23s08: Fix mcp23x17 precious range
net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow
scsi: mpt3sas: Fix sync irqs
net: stmmac: use netif_tx_start|stop_all_queues() function
cpufreq: armada-37xx: Add missing MODULE_DEVICE_TABLE
drm: mxsfb: check framebuffer pitch
coresight: etm4x: Handle unreachable sink in perf mode
xhci: don't create endpoint debugfs entry before ring buffer is set.
net: dsa: rtl8366: Check validity of passed VLANs
net: dsa: rtl8366: Refactor VLAN/PVID init
net: dsa: rtl8366: Skip PVID setting if not requested
net: wilc1000: clean up resource in error path of init mon interface
ASoC: tlv320aic32x4: Fix bdiv clock rate derivation
net: dsa: rtl8366rb: Support all 4096 VLANs
spi: omap2-mcspi: Improve performance waiting for CHSTAT
ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd()
dmaengine: dmatest: Check list for emptiness before access its last entry
misc: mic: scif: Fix error handling path
ALSA: seq: oss: Avoid mutex lock for a long-time ioctl
usb: dwc2: Fix parameter type in function pointer prototype
quota: clear padding in v2r1_mem2diskdqb()
slimbus: core: check get_addr before removing laddr ida
slimbus: core: do not enter to clock pause mode in core
slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback
ASoC: fsl_sai: Instantiate snd_soc_dai_driver
HID: hid-input: fix stylus battery reporting
nvmem: core: fix possibly memleak when use nvmem_cell_info_to_nvmem_cell()
nl80211: fix OBSS PD min and max offset validation
coresight: etm: perf: Fix warning caused by etm_setup_aux failure
ibmvnic: set up 200GBPS speed
qtnfmac: fix resource leaks on unsupported iftype error return path
iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling
net: enic: Cure the enic api locking trainwreck
mfd: sm501: Fix leaks in probe()
iwlwifi: mvm: split a print to avoid a WARNING in ROC
usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above.
usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well
nl80211: fix non-split wiphy information
usb: dwc2: Fix INTR OUT transfers in DDMA mode.
scsi: target: tcmu: Fix warning: 'page' may be used uninitialized
scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs()
ipmi_si: Fix wrong return value in try_smi_init()
platform/x86: mlx-platform: Remove PSU EEPROM configuration
mwifiex: fix double free
ipvs: clear skb->tstamp in forwarding path
net: korina: fix kfree of rx/tx descriptor array
netfilter: nf_log: missing vlan offload tag and proto
mm/swapfile.c: fix potential memory leak in sys_swapon
mm/memcg: fix device private memcg accounting
mm, oom_adj: don't loop through tasks in __set_oom_adj when not necessary
fs: fix NULL dereference due to data race in prepend_path()
selftests/ftrace: Change synthetic event name for inter-event-combined test
i3c: master add i3c_master_attach_boardinfo to preserve boardinfo
IB/mlx4: Fix starvation in paravirt mux/demux
IB/mlx4: Adjust delayed work when a dup is observed
powerpc/pseries: Fix missing of_node_put() in rng_init()
powerpc/icp-hv: Fix missing of_node_put() in success path
RDMA/ucma: Fix locking for ctx->events_reported
RDMA/ucma: Add missing locking around rdma_leave_multicast()
mtd: lpddr: fix excessive stack usage with clang
RDMA/hns: Add a check for current state before modifying QP
RDMA/umem: Fix signature of stub ib_umem_find_best_pgsz()
powerpc/pseries: explicitly reschedule during drmem_lmb list traversal
pseries/drmem: don't cache node id in drmem_lmb struct
RDMA/mlx5: Fix potential race between destroy and CQE poll
mtd: mtdoops: Don't write panic data twice
ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values
arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER
ida: Free allocated bitmap in error path
xfs: limit entries returned when counting fsmap records
xfs: fix deadlock and streamline xfs_getfsmap performance
xfs: fix high key handling in the rt allocator's query_range function
RDMA/umem: Fix ib_umem_find_best_pgsz() for mappings that cross a page boundary
RDMA/umem: Prevent small pages from being returned by ib_umem_find_best_pgsz()
RDMA/qedr: Fix qp structure memory leak
RDMA/qedr: Fix use of uninitialized field
RDMA/qedr: Fix return code if accept is called on a destroyed qp
RDMA/qedr: Fix inline size returned for iWARP
powerpc/book3s64/hash/4k: Support large linear mapping range with 4K
powerpc/tau: Use appropriate temperature sample interval
powerpc/tau: Convert from timer to workqueue
powerpc/tau: Remove duplicated set_thresholds() call
powerpc/tau: Check processor type before enabling TAU interrupt
powerpc/tau: Disable TAU between measurements
powerpc/64s/radix: Fix mm_cpumask trimming race vs kthread_use_mm
RDMA/cma: Remove dead code for kernel rdmacm multicast
RDMA/cma: Consolidate the destruction of a cma_multicast in one place
perf intel-pt: Fix "context_switch event has no tid" error
RDMA/hns: Set the unsupported wr opcode
RDMA/mlx5: Disable IB_DEVICE_MEM_MGT_EXTENSIONS if IB_WR_REG_MR can't work
i40iw: Add support to make destroy QP synchronous
perf stat: Skip duration_time in setup_system_wide
RDMA/hns: Fix the wrong value of rnr_retry when querying qp
RDMA/hns: Fix missing sq_sig_type when querying QP
mtd: rawnand: vf610: disable clk on error handling path in probe
mtd: spinand: gigadevice: Only one dummy byte in QUADIO
mtd: spinand: gigadevice: Add QE Bit
kdb: Fix pager search for multi-line strings
overflow: Include header file with SIZE_MAX declaration
RDMA/ipoib: Set rtnl_link_ops for ipoib interfaces
powerpc/perf: Exclude pmc5/6 from the irrelevant PMU group constraints
powerpc/perf/hv-gpci: Fix starting index value
i3c: master: Fix error return in cdns_i3c_master_probe()
cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_reboot_notifier
IB/rdmavt: Fix sizeof mismatch
RDMA/rxe: Fix skb lifetime in rxe_rcv_mcast_pkt()
maiblox: mediatek: Fix handling of platform_get_irq() error
selftests/powerpc: Fix eeh-basic.sh exit codes
f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info
RDMA/rxe: Handle skb_clone() failure in rxe_recv.c
mm/page_owner: change split_page_owner to take a count
lib/crc32.c: fix trivial typo in preprocessor condition
ramfs: fix nommu mmap with gaps in the page cache
rapidio: fix error handling path
rapidio: fix the missed put_device() for rio_mport_add_riodev
mailbox: avoid timer start from callback
i2c: rcar: Auto select RESET_CONTROLLER
clk: meson: g12a: mark fclk_div2 as critical
PCI: aardvark: Check for errors from pci_bridge_emul_init() call
PCI: iproc: Set affinity mask on MSI interrupts
rpmsg: smd: Fix a kobj leak in in qcom_smd_parse_edge()
PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY
vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn
clk: qcom: gcc-sdm660: Fix wrong parent_map
clk: keystone: sci-clk: fix parsing assigned-clock data during probe
pwm: img: Fix null pointer access in probe
clk: rockchip: Initialize hw to error to avoid undefined behavior
clk: mediatek: add UART0 clock support
module: statically initialize init section freeing data
clk: at91: clk-main: update key before writing AT91_CKGR_MOR
clk: bcm2835: add missing release if devm_clk_hw_register fails
watchdog: Fix memleak in watchdog_cdev_register
watchdog: Use put_device on error
watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3
svcrdma: fix bounce buffers for unaligned offsets and multiple pages
ext4: limit entries returned when counting fsmap records
vfio/pci: Clear token on bypass registration failure
vfio iommu type1: Fix memory leak in vfio_iommu_type1_pin_pages
clk: imx8mq: Fix usdhc parents order
SUNRPC: fix copying of multiple pages in gss_read_proxy_verf()
Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume()
Input: stmfts - fix a & vs && typo
Input: ep93xx_keypad - fix handling of platform_get_irq() error
Input: omap4-keypad - fix handling of platform_get_irq() error
Input: twl4030_keypad - fix handling of platform_get_irq() error
Input: sun4i-ps2 - fix handling of platform_get_irq() error
KVM: x86: emulating RDPID failure shall return #UD rather than #GP
scsi: bfa: Fix error return in bfad_pci_init()
netfilter: conntrack: connection timeout after re-register
netfilter: ebtables: Fixes dropping of small packets in bridge nat
netfilter: nf_fwd_netdev: clear timestamp in forwarding path
arm64: dts: meson: vim3: correct led polarity
ARM: dts: imx6sl: fix rng node
ARM: at91: pm: of_node_put() after its usage
ARM: s3c24xx: fix mmc gpio lookup tables
ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix dcdc1 regulator
arm64: dts: allwinner: h5: remove Mali GPU PMU module
memory: omap-gpmc: Fix a couple off by ones
memory: omap-gpmc: Fix build error without CONFIG_OF
memory: fsl-corenet-cf: Fix handling of platform_get_irq() error
arm64: dts: imx8mq: Add missing interrupts to GPC
arm64: dts: qcom: msm8916: Remove one more thermal trip point unit name
arm64: dts: qcom: pm8916: Remove invalid reg size from wcd_codec
arm64: dts: qcom: msm8916: Fix MDP/DSI interrupts
arm64: dts: renesas: r8a77990: Fix MSIOF1 DMA channels
arm64: dts: renesas: r8a774c0: Fix MSIOF1 DMA channels
arm64: dts: actions: limit address range for pinctrl node
ARM: dts: owl-s500: Fix incorrect PPI interrupt specifiers
soc: fsl: qbman: Fix return value on success
ARM: OMAP2+: Restore MPU power domain if cpu_cluster_pm_enter() fails
arm64: dts: zynqmp: Remove additional compatible string for i2c IPs
ARM: dts: meson8: remove two invalid interrupt lines from the GPU node
lightnvm: fix out-of-bounds write to array devices->info[]
powerpc/powernv/dump: Fix race while processing OPAL dump
powerpc/pseries: Avoid using addr_to_pfn in real mode
nvmet: fix uninitialized work for zero kato
NTB: hw: amd: fix an issue about leak system resources
sched/features: Fix !CONFIG_JUMP_LABEL case
perf: correct SNOOPX field offset
i2c: core: Restore acpi_walk_dep_device_list() getting called after registering the ACPI i2c devs
md/bitmap: fix memory leak of temporary bitmap
block: ratelimit handle_bad_sector() message
crypto: ccp - fix error handling
x86/asm: Replace __force_order with a memory clobber
x86/mce: Add Skylake quirk for patrol scrub reported errors
media: firewire: fix memory leak
media: ati_remote: sanity check for both endpoints
media: st-delta: Fix reference count leak in delta_run_work
media: sti: Fix reference count leaks
media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync
media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync
media: exynos4-is: Fix a reference count leak
media: vsp1: Fix runtime PM imbalance on error
media: platform: s3c-camif: Fix runtime PM imbalance on error
media: platform: sti: hva: Fix runtime PM imbalance on error
media: bdisp: Fix runtime PM imbalance on error
media: media/pci: prevent memory leak in bttv_probe
x86/mce: Make mce_rdmsrl() panic on an inaccessible MSR
media: uvcvideo: Ensure all probed info is returned to v4l2
mmc: sdio: Check for CISTPL_VERS_1 buffer size
media: saa7134: avoid a shift overflow
media: venus: fixes for list corruption
fs: dlm: fix configfs memory leak
media: venus: core: Fix runtime PM imbalance in venus_probe
ntfs: add check for mft record size in superblock
ip_gre: set dev->hard_header_len and dev->needed_headroom properly
mac80211: handle lack of sband->bitrates in rates
PM: hibernate: remove the bogus call to get_gendisk() in software_resume()
scsi: mvumi: Fix error return in mvumi_io_attach()
scsi: target: core: Add CONTROL field for trace events
mic: vop: copy data to kernel space then write to io memory
misc: vop: add round_up(x,4) for vring_size to avoid kernel panic
usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc
usb: gadget: function: printer: fix use-after-free in __lock_acquire
udf: Limit sparing table size
udf: Avoid accessing uninitialized data on failed inode read
rtw88: increse the size of rx buffer size
USB: cdc-acm: handle broken union descriptors
usb: dwc3: simple: add support for Hikey 970
can: flexcan: flexcan_chip_stop(): add error handling and propagate error value
ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()
drm/panfrost: add amlogic reset quirk callback
bpf: Limit caller's stack depth 256 for subprogs with tailcalls
misc: rtsx: Fix memory leak in rtsx_pci_probe
reiserfs: only call unlock_new_inode() if I_NEW
opp: Prevent memory leak in dev_pm_opp_attach_genpd()
xfs: make sure the rt allocator doesn't run off the end
usb: ohci: Default to per-port over-current protection
Bluetooth: Only mark socket zapped after unlocking
drm/msm/a6xx: fix a potential overflow issue
iomap: fix WARN_ON_ONCE() from unprivileged users
scsi: ibmvfc: Fix error return in ibmvfc_probe()
scsi: qla2xxx: Warn if done() or free() are called on an already freed srb
selftests/bpf: Fix test_sysctl_loop{1, 2} failure due to clang change
brcmsmac: fix memory leak in wlc_phy_attach_lcnphy
rtl8xxxu: prevent potential memory leak
Fix use after free in get_capset_info callback.
HID: ite: Add USB id match for Acer One S1003 keyboard dock
scsi: qedf: Return SUCCESS if stale rport is encountered
scsi: qedi: Protect active command list to avoid list corruption
scsi: qedi: Fix list_del corruption while removing active I/O
fbmem: add margin check to fb_check_caps()
tty: ipwireless: fix error handling
Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb
ipvs: Fix uninit-value in do_ip_vs_set_ctl()
reiserfs: Fix memory leak in reiserfs_parse_options()
mwifiex: don't call del_timer_sync() on uninitialized timer
ALSA: hda/ca0132 - Add AE-7 microphone selection commands.
ALSA: hda/ca0132 - Add new quirk ID for SoundBlaster AE-7.
scsi: smartpqi: Avoid crashing kernel for controller issues
brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach
usb: core: Solve race condition in anchor cleanup functions
scsi: ufs: ufs-qcom: Fix race conditions caused by ufs_qcom_testbus_config()
dmaengine: dw: Add DMA-channels mask cell support
dmaengine: dw: Activate FIFO-mode for memory peripherals only
ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n()
net: korina: cast KSEG0 address to pointer in kfree
s390/qeth: don't let HW override the configured port role
tty: serial: lpuart: fix lpuart32_write usage
tty: serial: fsl_lpuart: fix lpuart32_poll_get_char
usb: cdc-acm: add quirk to blacklist ETAS ES58X devices
USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync().
usb: cdns3: gadget: free interrupt after gadget has deleted
eeprom: at25: set minimum read/write access stride to 1
usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets.
Linux 5.4.73
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3245a6f313462f8b4ea408c7657a1027ab95b78c
|
||
Jann Horn
|
2b150aa2e3 |
binder: Remove bogus warning on failed same-process transaction
[ Upstream commit e8b8ae7ce32e17a5c29f0289e9e2a39c7dcaa1b8 ]
While binder transactions with the same binder_proc as sender and recipient
are forbidden, transactions with the same task_struct as sender and
recipient are possible (even though currently there is a weird check in
binder_transaction() that rejects them in the target==0 case).
Therefore, task_struct identities can't be used to distinguish whether
the caller is running in the context of the sender or the recipient.
Since I see no easy way to make this WARN_ON() useful and correct, let's
just remove it.
Fixes:
|
||
|
Todd Kjos
|
401d4d79a8 |
binder: fix UAF when releasing todo list
commit f3277cbfba763cd2826396521b9296de67cf1bbc upstream. When releasing a thread todo list when tearing down a binder_proc, the following race was possible which could result in a use-after-free: 1. Thread 1: enter binder_release_work from binder_thread_release 2. Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked() 3. Thread 2: dec nodeA --> 0 (will free node) 4. Thread 1: ACQ inner_proc_lock 5. Thread 2: block on inner_proc_lock 6. Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA) 7. Thread 1: REL inner_proc_lock 8. Thread 2: ACQ inner_proc_lock 9. Thread 2: todo list cleanup, but work was already dequeued 10. Thread 2: free node 11. Thread 2: REL inner_proc_lock 12. Thread 1: deref w->type (UAF) The problem was that for a BINDER_WORK_NODE, the binder_work element must not be accessed after releasing the inner_proc_lock while processing the todo list elements since another thread might be handling a deref on the node containing the binder_work element leading to the node being freed. Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
YT Chang
|
54cf84a595 |
ANDROID: sched: add restrict vendor hook to modify load balance behavior
For modifying load balance policy, we add the hook on find_busiest_group(). It allows us to modify load balance paths. Bug: 168248326 Signed-off-by: YT Chang <yt.chang@mediatek.com> Change-Id: I77ec043576139806551b978eb1bdf9f637442dfb (cherry picked from commit a2ca8408de6183364b4c17f341f06e875bc7a1c1) (cherry picked from commit 489646b879ede582b6b00803edd3f777aede4d85) |
||
|
Todd Kjos
|
8d3d29f072 |
UPSTREAM: binder: fix UAF when releasing todo list
When releasing a thread todo list when tearing down a binder_proc, the following race was possible which could result in a use-after-free: 1. Thread 1: enter binder_release_work from binder_thread_release 2. Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked() 3. Thread 2: dec nodeA --> 0 (will free node) 4. Thread 1: ACQ inner_proc_lock 5. Thread 2: block on inner_proc_lock 6. Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA) 7. Thread 1: REL inner_proc_lock 8. Thread 2: ACQ inner_proc_lock 9. Thread 2: todo list cleanup, but work was already dequeued 10. Thread 2: free node 11. Thread 2: REL inner_proc_lock 12. Thread 1: deref w->type (UAF) The problem was that for a BINDER_WORK_NODE, the binder_work element must not be accessed after releasing the inner_proc_lock while processing the todo list elements since another thread might be handling a deref on the node containing the binder_work element leading to the node being freed. Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit f3277cbfba763cd2826396521b9296de67cf1bbc) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I7c1bf0b74824f272664e76206c5dc3b66b9eeaff |