This reverts commit bb9bcf47fb which is
commit 8ea1eebb49 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I7312d7514465b14b40fbc96f35d15a3af057168e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit be1ceb8b7c which is
commit e8d0059000 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I12120ec99b50bb671a10272766641545051785e0
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 427165421c which is
commit cae3873c5b upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I442c411d2dd2a01f30d3d9cba5f83510e3fdc2e1
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 6c71b9b177 which is
commit 871019b22d1bcc9fab2d1feba1b9a564acbb6e99 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: Ia61632b09de4a97dbc231e242f7315d798bf5e96
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit cbc7c29dff which is
commit bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: Ibe8c85403cda0e808e3921d947bd3d0201da521a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit f9d3ba62e8 which is
commit 265f3ed077036f053981f5eea0b5b43e7c5b39ff upstream.
It turns the work_on_cpu() function into an #define, which messes with
the systems that were previously depending on that abi symbol. As this
is a change only for when lockdep is enabled, which is NOT in any
running Android system, it is safe to revert for now.
Bug: 161946584
Change-Id: I5f117cccfb411efb742a4faf1cefcb4826faae15
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 5.15.140
locking/ww_mutex/test: Fix potential workqueue corruption
perf/core: Bail out early if the request AUX area is out of bound
clocksource/drivers/timer-imx-gpt: Fix potential memory leak
clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
workqueue: Provide one lock class key per work_on_cpu() callsite
x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
wifi: mac80211_hwsim: fix clang-specific fortify warning
wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
atl1c: Work around the DMA RX overflow issue
bpf: Detect IP == ksym.end as part of BPF program
wifi: ath9k: fix clang-specific fortify warnings
wifi: ath10k: fix clang-specific fortify warning
net: annotate data-races around sk->sk_tx_queue_mapping
net: annotate data-races around sk->sk_dst_pending_confirm
wifi: ath10k: Don't touch the CE interrupt registers after power up
Bluetooth: btusb: Add date->evt_skb is NULL check
Bluetooth: Fix double free in hci_conn_cleanup
platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
drm/komeda: drop all currently held locks if deadlock happens
drm/amdkfd: Fix a race condition of vram buffer unref in svm code
drm/amd/display: use full update for clip size increase of large plane source
string.h: add array-wrappers for (v)memdup_user()
kernel: kexec: copy user-array safely
kernel: watch_queue: copy user-array safely
drm: vmwgfx_surface.c: copy user-array safely
drm/msm/dp: skip validity check for DP CTS EDID checksum
drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
drm/amdgpu: Fix potential null pointer derefernce
drm/panel: fix a possible null pointer dereference
drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference
drm/amdgpu/vkms: fix a possible null pointer dereference
drm/panel: st7703: Pick different reset sequence
drm/amdkfd: Fix shift out-of-bounds issue
drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
arm64: dts: ls208xa: use a pseudo-bus to constrain usb dma size
selftests/efivarfs: create-read: fix a resource leak
ASoC: soc-card: Add storage for PCI SSID
crypto: pcrypt - Fix hungtask for PADATA_RESET
RDMA/hfi1: Use FIELD_GET() to extract Link Width
scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs
scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool
fs/jfs: Add check for negative db_l2nbperpage
fs/jfs: Add validity check for db_maxag and db_agpref
jfs: fix array-index-out-of-bounds in dbFindLeaf
jfs: fix array-index-out-of-bounds in diAlloc
HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround
ARM: 9320/1: fix stack depot IRQ stack filter
ALSA: hda: Fix possible null-ptr-deref when assigning a stream
PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields
atm: iphase: Do PCI error checks on own line
scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()
PCI: Use FIELD_GET() to extract Link Width
PCI: Extract ATS disabling to a helper function
PCI: Disable ATS for specific Intel IPU E2000 devices
misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller
PCI: Use FIELD_GET() in Sapphire RX 5600 XT Pulse quirk
HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
exfat: support handle zero-size directory
tty: vcc: Add check for kstrdup() in vcc_probe()
usb: gadget: f_ncm: Always set current gadget in ncm_bind()
9p/trans_fd: Annotate data-racy writes to file::f_flags
9p: v9fs_listxattr: fix %s null argument warning
i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler
i2c: sun6i-p2wi: Prevent potential division by zero
virtio-blk: fix implicit overflow on virtio_max_dma_size
i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.
media: gspca: cpia1: shift-out-of-bounds in set_flicker
media: vivid: avoid integer overflow
gfs2: ignore negated quota changes
gfs2: fix an oops in gfs2_permission
media: cobalt: Use FIELD_GET() to extract Link Width
media: ccs: Fix driver quirk struct documentation
media: imon: fix access to invalid resource for the second interface
drm/amd/display: Avoid NULL dereference of timing generator
kgdb: Flush console before entering kgdb on panic
i2c: dev: copy userspace array safely
ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings
drm/qxl: prevent memory leak
drm/amdgpu: fix software pci_unplug on some chips
pwm: Fix double shift bug
wifi: iwlwifi: Use FW rate for non-data frames
tracing: Reuse logic from perf's get_recursion_context()
tracing/perf: Add interrupt_context_level() helper
sched/core: Optimize in_task() and in_interrupt() a bit
media: cadence: csi2rx: Unregister v4l2 async notifier
media: cec: meson: always include meson sub-directory in Makefile
SUNRPC: ECONNRESET might require a rebind
SUNRPC: Add an IS_ERR() check back to where it was
NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
gfs2: Silence "suspicious RCU usage in gfs2_permission" warning
mptcp: diag: switch to context structure
mptcp: listen diag dump support
net: inet: Remove count from inet_listen_hashbucket
net: inet: Open code inet_hash2 and inet_unhash2
net: inet: Retire port only listening_hash
net: set SOCK_RCU_FREE before inserting socket into hashtable
ipvlan: add ipvlan_route_v6_outbound() helper
tty: Fix uninit-value access in ppp_sync_receive()
net: hns3: fix add VLAN fail issue
net: hns3: refine the definition for struct hclge_pf_to_vf_msg
net: hns3: add byte order conversion for PF to VF mailbox message
net: hns3: add barrier in vf mailbox reply process
net: hns3: fix incorrect capability bit display for copper port
net: hns3: fix variable may not initialized problem in hns3_init_mac_addr()
net: hns3: fix VF reset fail issue
net: hns3: fix VF wrong speed and duplex issue
tipc: Fix kernel-infoleak due to uninitialized TLV value
ppp: limit MRU to 64K
xen/events: fix delayed eoi list handling
ptp: annotate data-race around q->head and q->tail
bonding: stop the device in bond_setup_by_slave()
net: ethernet: cortina: Fix max RX frame define
net: ethernet: cortina: Handle large frames
net: ethernet: cortina: Fix MTU max setting
af_unix: fix use-after-free in unix_stream_read_actor()
netfilter: nf_conntrack_bridge: initialize err to 0
netfilter: nf_tables: use the correct get/put helpers
netfilter: nf_tables: add and use BE register load-store helpers
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
net: stmmac: fix rx budget limit check
net/mlx5e: fix double free of encap_header
net/mlx5e: fix double free of encap_header in update funcs
net/mlx5e: Remove incorrect addition of action fwd flag
net/mlx5e: Move mod hdr allocation to a single place
net/mlx5e: Refactor mod header management API
net/mlx5e: Fix pedit endianness
net/mlx5e: Reduce the size of icosq_str
net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors
macvlan: Don't propagate promisc change to lower dev in passthru
tools/power/turbostat: Fix a knl bug
tools/power/turbostat: Enable the C-state Pre-wake printing
cifs: spnego: add ';' in HOST_KEY_LEN
cifs: fix check of rc in function generate_smb3signingkey
xfs: refactor buffer cancellation table allocation
xfs: don't leak xfs_buf_cancel structures when recovery fails
xfs: convert buf_cancel_table allocation to kmalloc_array
xfs: use invalidate_lock to check the state of mmap_lock
xfs: prevent a UAF when log IO errors race with unmount
xfs: flush inode gc workqueue before clearing agi bucket
xfs: fix use-after-free in xattr node block inactivation
xfs: don't leak memory when attr fork loading fails
xfs: fix intermittent hang during quotacheck
xfs: add missing cmap->br_state = XFS_EXT_NORM update
xfs: Fix false ENOSPC when performing direct write on a delalloc extent in cow fork
xfs: fix inode reservation space for removing transaction
xfs: avoid a UAF when log intent item recovery fails
xfs: fix exception caused by unexpected illegal bestcount in leaf dir
xfs: fix memory leak in xfs_errortag_init
xfs: Fix unreferenced object reported by kmemleak in xfs_sysfs_init()
i915/perf: Fix NULL deref bugs with drm_dbg() calls
media: venus: hfi: add checks to perform sanity on queue pointers
powerpc/perf: Fix disabling BHRB and instruction sampling
randstruct: Fix gcc-plugin performance mode to stay in group
bpf: Fix check_stack_write_fixed_off() to correctly spill imm
bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
scsi: mpt3sas: Fix loop logic
scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers
scsi: qla2xxx: Fix system crash due to bad pointer access
crypto: x86/sha - load modules based on CPU features
x86/cpu/hygon: Fix the CPU topology evaluation for real
KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space
KVM: x86: Ignore MSR_AMD64_TW_CFG access
audit: don't take task_lock() in audit_exe_compare() code path
audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
tty/sysrq: replace smp_processor_id() with get_cpu()
hvc/xen: fix console unplug
hvc/xen: fix error path in xen_hvc_init() to always register frontend driver
hvc/xen: fix event channel handling for secondary consoles
PCI/sysfs: Protect driver's D3cold preference from user space
watchdog: move softlockup_panic back to early_param
ACPI: resource: Do IRQ override on TongFang GMxXGxx
arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer
parisc/pdc: Add width field to struct pdc_model
clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data
clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks
clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks
mmc: vub300: fix an error code
mmc: sdhci_am654: fix start loop index for TAP value parsing
PCI/ASPM: Fix L1 substate handling in aspm_attr_store_common()
PCI: exynos: Don't discard .remove() callback
wifi: wilc1000: use vmm_table as array in wilc struct
svcrdma: Drop connection after an RDMA Read error
rcu/tree: Defer setting of jiffies during stall reset
arm64: dts: qcom: ipq6018: Fix hwlock index for SMEM
PM: hibernate: Use __get_safe_page() rather than touching the list
PM: hibernate: Clean up sync_read handling in snapshot_write_next()
rcu: kmemleak: Ignore kmemleak false positives when RCU-freeing objects
btrfs: don't arbitrarily slow down delalloc if we're committing
firmware: qcom_scm: use 64-bit calling convention only when client is 64-bit
ACPI: FPDT: properly handle invalid FPDT subtables
ima: annotate iint mutex to avoid lockdep false positive warnings
ima: detect changes to the backing overlay file
wifi: ath11k: fix temperature event locking
wifi: ath11k: fix dfs radar event locking
wifi: ath11k: fix htt pktlog locking
mmc: meson-gx: Remove setting of CMD_CFG_ERROR
genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
KEYS: trusted: Rollback init_trusted() consistently
PCI: keystone: Don't discard .remove() callback
PCI: keystone: Don't discard .probe() callback
netfilter: nf_tables: remove catchall element in GC sync path
netfilter: nf_tables: split async and sync catchall in two functions
selftests/resctrl: Remove duplicate feature check from CMT test
selftests/resctrl: Reduce failures due to outliers in MBA/MBM tests
ASoC: codecs: wsa-macro: fix uninitialized stack variables with name prefix
jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev
quota: explicitly forbid quota files from being encrypted
kernel/reboot: emergency_restart: Set correct system_state
i2c: core: Run atomic i2c xfer when !preemptible
tracing: Have the user copy of synthetic event address use correct context
mcb: fix error handling for different scenarios when parsing
dmaengine: stm32-mdma: correct desc prep when channel running
s390/cmma: fix detection of DAT pages
mm/cma: use nth_page() in place of direct struct page manipulation
mm/memory_hotplug: use pfn math in place of direct struct page manipulation
mtd: cfi_cmdset_0001: Byte swap OTP info
i3c: master: cdns: Fix reading status register
i3c: master: svc: fix race condition in ibi work thread
i3c: master: svc: fix wrong data return when IBI happen during start frame
i3c: master: svc: fix ibi may not return mandatory data byte
i3c: master: svc: fix check wrong status register in irq handler
i3c: master: svc: fix SDA keep low when polling IBIWON timeout happen
parisc: Prevent booting 64-bit kernels on PA1.x machines
parisc/pgtable: Do not drop upper 5 address bits of physical address
xhci: Enable RPM on controllers that support low-power states
ALSA: info: Fix potential deadlock at disconnection
ALSA: hda/realtek - Add Dell ALC295 to pin fall back table
ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC
serial: meson: Use platform_get_irq() to get the interrupt
tty: serial: meson: fix hard LOCKUP on crtscts mode
regmap: Ensure range selector registers are updated after cache sync
cpufreq: stats: Fix buffer overflow detection in trans_stats()
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559
bluetooth: Add device 0bda:887b to device tables
bluetooth: Add device 13d3:3571 to device tables
Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables
Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE
ksmbd: fix slab out of bounds write in smb_inherit_dacl()
arm64: dts: qcom: ipq6018: switch TCSR mutex to MMIO
arm64: dts: qcom: ipq6018: Fix tcsr_mutex register size
powerpc/pseries/ddw: simplify enable_ddw()
Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
Revert "i2c: pxa: move to generic GPIO recovery"
lsm: fix default return value for vm_enough_memory
lsm: fix default return value for inode_getsecctx
sbsa_gwdt: Calculate timeout with 64-bit math
i2c: designware: Disable TX_EMPTY irq while waiting for block length byte
s390/ap: fix AP bus crash on early config change callback invocation
net: ethtool: Fix documentation of ethtool_sprintf()
net: dsa: lan9303: consequently nested-lock physical MDIO
net: phylink: initialize carrier state at creation
i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
f2fs: avoid format-overflow warning
media: lirc: drop trailing space from scancode transmit
media: sharp: fix sharp encoding
media: venus: hfi_parser: Add check to keep the number of codecs within range
media: venus: hfi: fix the check to handle session buffer requirement
media: venus: hfi: add checks to handle capabilities from firmware
media: ccs: Correctly initialise try compose rectangle
nfsd: fix file memleak on client_opens_release
riscv: kprobes: allow writing to x0
mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2
mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors
r8169: fix network lost after resume on DASH systems
mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of AER
media: qcom: camss: Fix pm_domain_on sequence in probe
media: qcom: camss: Fix vfe_get() error jump
media: qcom: camss: Fix VFE-17x vfe_disable_output()
media: qcom: camss: Fix missing vfe_lite clocks check
Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E"
ext4: apply umask if ACL support is disabled
ext4: correct offset of gdb backup in non meta_bg group to update_backups
ext4: correct return value of ext4_convert_meta_bg
ext4: correct the start block of counting reserved clusters
ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
ext4: add missed brelse in update_backups
drm/amd/pm: Handle non-terminated overdrive commands.
drm/i915: Fix potential spectre vulnerability
drm/amdgpu: don't use ATRM for external devices
drm/amdgpu: fix error handling in amdgpu_bo_list_get()
drm/amd/display: Change the DMCUB mailbox memory location from FB to inbox
io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid
powerpc/powernv: Fix fortify source warnings in opal-prd.c
tracing: Have trace_event_file have ref counters
Input: xpad - add VID for Turtle Beach controllers
driver core: Release all resources during unbind before updating device links
Linux 5.15.140
Change-Id: Ie738d72b0c30212abc4aae8f965d78bf9d480ffe
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
and devm_mipi_dsi_device_register_full to resolve the following
build error for Dragonboard 845c:
usr/include/linux/fuse.h:926: found __[us]{8,16,32,64} type without #include <linux/types.h>
ERROR: modpost: "devm_mipi_dsi_attach" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined!
ERROR: modpost: "devm_mipi_dsi_device_register_full" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined!
with updating them to the symbol list and the abi definitions
by the following commands:
$ tools/bazel run //common:db845c_abi_update_symbol_list
$ tools/bazel run //common:kernel_aarch64_abi_update
Bug: 313960184
Change-Id: I0981a027e0ea284c25205deed113618b50b8424c
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 94eb5423d7 which is
commit 3c70342f1f0045dc827bb2f02d814ce31e0e0d05 upstream.
It breaks the Android ABI and if it is really needed can come back in
the future in an ABI-safe way.
Bug: 161946584
Change-Id: I31531da478d4a3e87c532ab9c85980415e07b945
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 794d360b1d which is
commit 1726483b79a72e0150734d5367e4a0238bf8fcff upstream.
It only moves things around a structure, AND it saves lots of memory,
but in doing so breaks the stable Android ABI, so it must be reverted
(Android devices have plenty of kernel memory...) If this is to come
back in the future, it can do so in an abi-safe way.
Bug: 161946584
Change-Id: I5a5a40c6f6982122d766f3fe5cfde3f3514bc9ae
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit a00a293d57 which is
commit 20f3b8eafe0ba5d3c69d5011a9b07739e9645132 upstream.
It breaks the Android ABI and we do not care about Xen on Android, so it
is safe to revert.
Bug: 161946584
Change-Id: I4bf8a87650256a5f4b2faee626557604631ee286
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 5.15.139
iov_iter, x86: Be consistent about the __user tag on copy_mc_to_user()
sched/uclamp: Ignore (util == 0) optimization in feec() when p_util_max = 0
sched: Fix stop_one_cpu_nowait() vs hotplug
vfs: fix readahead(2) on block devices
writeback, cgroup: switch inodes with dirty timestamps to release dying cgwbs
x86/srso: Fix SBPB enablement for (possible) future fixed HW
futex: Don't include process MM in futex key on no-MMU
x86: Share definition of __is_canonical_address()
x86/sev-es: Allow copy_from_kernel_nofault() in earlier boot
x86/boot: Fix incorrect startup_gdt_descr.size
pstore/platform: Add check for kstrdup
genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
i40e: fix potential memory leaks in i40e_remove()
selftests/bpf: Test tail call counting with bpf2bpf and data on stack
selftests/bpf: Correct map_fd to data_fd in tailcalls
udp: add missing WRITE_ONCE() around up->encap_rcv
tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed
gve: Use size_add() in call to struct_size()
mlxsw: Use size_mul() in call to struct_size()
tipc: Use size_add() in calls to struct_size()
net: spider_net: Use size_add() in call to struct_size()
wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
wifi: mt76: mt7603: rework/fix rx pse hang check
mt76: dma: use kzalloc instead of devm_kzalloc for txwi
mt76: add support for overriding the device used for DMA mapping
mt76: pass original queue id from __mt76_tx_queue_skb to the driver
wifi: mt76: mt7603: improve stuck beacon handling
tcp_metrics: add missing barriers on delete
tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
tcp_metrics: do not create an entry from tcp_init_metrics()
wifi: rtlwifi: fix EDCA limit set by BT coexistence
can: dev: can_restart(): don't crash kernel if carrier is OK
can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on()
can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
PM / devfreq: rockchip-dfi: Make pmu regmap mandatory
netfilter: nf_tables: Drop pointless memset when dumping rules
thermal: core: prevent potential string overflow
r8169: use tp_to_dev instead of open code
r8169: fix rare issue with broken rx after link-down on RTL8125
chtls: fix tp->rcv_tstamp initialization
tcp: fix cookie_init_timestamp() overflows
iwlwifi: pcie: adjust to Bz completion descriptor
wifi: iwlwifi: call napi_synchronize() before freeing rx/tx queues
wifi: iwlwifi: pcie: synchronize IRQs before NAPI
wifi: iwlwifi: empty overflow queue during flush
ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
ipv6: avoid atomic fragment on GSO packets
net: add DEV_STATS_READ() helper
ipvlan: properly track tx_errors
regmap: debugfs: Fix a erroneous check after snprintf()
spi: tegra: Fix missing IRQ check in tegra_slink_probe()
clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
clk: qcom: mmcc-msm8998: Don't check halt bit on some branch clks
clk: qcom: mmcc-msm8998: Fix the SMMU GDSC
clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src
clk: imx: Select MXC_CLK for CLK_IMX8QXP
clk: imx: imx8mq: correct error handling path
clk: imx: imx8qxp: Fix elcdif_pll clock
clk: renesas: rzg2l: Simplify multiplication/shift logic
clk: renesas: rzg2l: Use FIELD_GET() for PLL register fields
clk: renesas: rzg2l: Fix computation formula
spi: nxp-fspi: use the correct ioremap function
clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
clk: ti: Add ti_dt_clk_name() helper to use clock-output-names
clk: ti: Update pll and clockdomain clocks to use ti_dt_clk_name()
clk: ti: Update component clocks to use ti_dt_clk_name()
clk: ti: change ti_clk_register[_omap_hw]() API
clk: ti: fix double free in of_ti_divider_clk_setup()
clk: npcm7xx: Fix incorrect kfree
clk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
clk: qcom: config IPQ_APSS_6018 should depend on QCOM_SMEM
platform/x86: wmi: Fix probe failure when failing to register WMI devices
platform/x86: wmi: remove unnecessary initializations
platform/x86: wmi: Fix opening of char device
hwmon: (axi-fan-control) Fix possible NULL pointer dereference
hwmon: (coretemp) Fix potentially truncated sysfs attribute name
drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
drm/rockchip: vop: Fix call to crtc reset helper
drm/radeon: possible buffer overflow
drm/mipi-dsi: Create devm device registration
drm/mipi-dsi: Create devm device attachment
drm/bridge: lt8912b: Switch to devm MIPI-DSI helpers
drm/bridge: lt8912b: Register and attach our DSI device at probe
drm/bridge: lt8912b: Add hot plug detection
drm/bridge: lt8912b: Fix bridge_detach
drm/bridge: lt8912b: Fix crash on bridge detach
drm/bridge: lt8912b: Manually disable HPD only if it was enabled
drm/bridge: lt8912b: Add missing drm_bridge_attach call
drm/bridge: tc358768: Fix use of uninitialized variable
drm/bridge: tc358768: Disable non-continuous clock mode
drm/bridge: tc358768: Fix bit updates
drm/amdkfd: fix some race conditions in vram buffer alloc/free of svm code
drm/mediatek: Fix iommu fault by swapping FBs after updating plane state
drm/mediatek: Fix iommu fault during crtc enabling
drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
drm/bridge: lt9611uxc: Switch to devm MIPI-DSI helpers
drm/bridge: lt9611uxc: Register and attach our DSI device at probe
drm/bridge: lt9611uxc: fix the race in the error path
arm64/arm: xen: enlighten: Fix KPTI checks
drm/rockchip: Fix type promotion bug in rockchip_gem_iommu_map()
xen-pciback: Consider INTx disabled when MSI/MSI-X is enabled
drm/msm/dsi: use msm_gem_kernel_put to free TX buffer
drm: mediatek: mtk_dsi: Fix NO_EOT_PACKET settings/handling
perf: hisi: Fix use-after-free when register pmu fails
ARM: dts: renesas: blanche: Fix typo in GP_11_2 pin name
arm64: dts: qcom: msm8916: Fix iommu local address range
arm64: dts: qcom: msm8992-libra: drop duplicated reserved memory
arm64: dts: qcom: sc7280: Add missing LMH interrupts
arm64: dts: qcom: sdm845-mtp: fix WiFi configuration
ARM64: dts: marvell: cn9310: Use appropriate label for spi1 pins
arm64: dts: qcom: apq8016-sbc: Add missing ADV7533 regulators
ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
soc: qcom: llcc: Handle a second device without data corruption
firmware: ti_sci: Mark driver as non removable
firmware: arm_ffa: Assign the missing IDR allocation ID to the FFA device
clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped
arm64: dts: imx8qm-ss-img: Fix jpegenc compatible entry
arm64: dts: imx8mm: Add sound-dai-cells to micfil node
arm64: dts: imx8mn: Add sound-dai-cells to micfil node
selftests/pidfd: Fix ksft print formats
selftests/resctrl: Ensure the benchmark commands fits to its array
crypto: hisilicon/hpre - Fix a erroneous check after snprintf()
hwrng: geode - fix accessing registers
RDMA/core: Use size_{add,sub,mul}() in calls to struct_size()
scsi: ibmvfc: Fix erroneous use of rtas_busy_delay with hcall return code
libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value
nd_btt: Make BTT lanes preemptible
crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure
crypto: caam/jr - fix Chacha20 + Poly1305 self test failure
crypto: qat - increase size of buffers
hid: cp2112: Fix duplicate workqueue initialization
ARM: 9321/1: memset: cast the constant byte to unsigned char
ext4: move 'ix' sanity check to corrent position
ASoC: fsl: mpc5200_dma.c: Fix warning of Function parameter or member not described
IB/mlx5: Fix rdma counter binding for RAW QP
RDMA/hns: Fix uninitialized ucmd in hns_roce_create_qp_common()
RDMA/hns: Fix signed-unsigned mixed comparisons
RDMA/hns: The UD mode can only be configured with DCQCN
ASoC: fsl: Fix PM disable depth imbalance in fsl_easrc_probe
scsi: ufs: core: Leave space for '\0' in utf8 desc string
RDMA/hfi1: Workaround truncation compilation error
hid: cp2112: Fix IRQ shutdown stopping polling for all IRQs on chip
sh: bios: Revive earlyprintk support
Revert "HID: logitech-hidpp: add a module parameter to keep firmware gestures"
HID: logitech-hidpp: Remove HIDPP_QUIRK_NO_HIDINPUT quirk
HID: logitech-hidpp: Don't restart IO, instead defer hid_connect() only
HID: logitech-hidpp: Revert "Don't restart communication if not necessary"
HID: logitech-hidpp: Move get_wireless_feature_index() check to hidpp_connect_event()
ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
padata: Fix refcnt handling in padata_free_shell()
crypto: qat - fix deadlock in backlog processing
ASoC: ams-delta.c: use component after check
mfd: core: Un-constify mfd_cell.of_reg
mfd: core: Ensure disabled devices are skipped without aborting
mfd: dln2: Fix double put in dln2_probe
mfd: arizona-spi: Set pdata.hpdet_channel for ACPI enumerated devs
leds: turris-omnia: Drop unnecessary mutex locking
leds: turris-omnia: Do not use SMBUS calls
leds: pwm: Don't disable the PWM when the LED should be off
leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
f2fs: compress: fix to avoid use-after-free on dic
f2fs: compress: fix to avoid redundant compress extension
tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
livepatch: Fix missing newline character in klp_resolve_symbols()
dmaengine: idxd: Register dsa_bus_type before registering idxd sub-drivers
usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
usb: chipidea: Fix DMA overwrite for Tegra
usb: chipidea: Simplify Tegra DMA alignment code
dmaengine: ti: edma: handle irq_of_parse_and_map() errors
misc: st_core: Do not call kfree_skb() under spin_lock_irqsave()
tools: iio: iio_generic_buffer ensure alignment
USB: usbip: fix stub_dev hub disconnect
dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
powerpc: Only define __parse_fpscr() when required
modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host
powerpc/40x: Remove stale PTE_ATOMIC_UPDATES macro
powerpc/xive: Fix endian conversion size
powerpc/imc-pmu: Use the correct spinlock initializer.
powerpc/pseries: fix potential memory leak in init_cpu_associativity()
xhci: Loosen RPM as default policy to cover for AMD xHC 1.1
usb: host: xhci-plat: fix possible kernel oops while resuming
perf machine: Avoid out of bounds LBR memory read
perf hist: Add missing puts to hist__account_cycles
9p/net: fix possible memory leak in p9_check_errors()
i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs
cxl/mem: Fix shutdown order
rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call
pcmcia: cs: fix possible hung task and memory leak pccardd()
pcmcia: ds: fix refcount leak in pcmcia_device_add()
pcmcia: ds: fix possible name leak in error path in pcmcia_device_add()
media: i2c: max9286: Fix some redundant of_node_put() calls
media: bttv: fix use after free error due to btv->timeout timer
media: s3c-camif: Avoid inappropriate kfree()
media: vidtv: psi: Add check for kstrdup
media: vidtv: mux: Add check and kfree for kstrdup
media: cedrus: Fix clock/reset sequence
media: dvb-usb-v2: af9035: fix missing unlock
regmap: prevent noinc writes from clobbering cache
pwm: sti: Reduce number of allocations and drop usage of chip_data
pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
llc: verify mac len before reading mac header
hsr: Prevent use after free in prp_create_tagged_frame()
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
bpf: Check map->usercnt after timer->timer is assigned
inet: shrink struct flowi_common
octeontx2-pf: Fix error codes
octeontx2-pf: Fix holes in error code
dccp: Call security_inet_conn_request() after setting IPv4 addresses.
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
net: r8169: Disable multicast filter for RTL8168H and RTL8107E
Fix termination state for idr_for_each_entry_ul()
net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs
selftests: pmtu.sh: fix result checking
net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
net/smc: allow cdc msg send rather than drop it with NULL sndbuf_desc
net/smc: put sk reference if close work was canceled
tg3: power down device only on SYSTEM_POWER_OFF
block: remove unneeded return value of bio_check_ro()
blk-core: use pr_warn_ratelimited() in bio_check_ro()
r8169: respect userspace disabling IFF_MULTICAST
i2c: iproc: handle invalid slave state
netfilter: xt_recent: fix (increase) ipv6 literal buffer length
netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate eval call-backs
netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE
ASoC: hdmi-codec: register hpd callback on component probe
spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies
fbdev: imsttfb: Fix error path of imsttfb_probe()
fbdev: imsttfb: fix a resource leak in probe
fbdev: fsl-diu-fb: mark wr_reg_wa() static
tracing/kprobes: Fix the order of argument descriptions
Revert "mmc: core: Capture correct oemid-bits for eMMC cards"
btrfs: use u64 for buffer sizes in the tree search ioctls
Linux 5.15.139
Change-Id: Ia85a72dc6377c9eebcccc33068752ea14c2b584c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 4e14f2d588 which is
commit babddbfb7d upstream.
It breaks the allmodconfig build on Android systems, so it needs to be
reverted. Android does not use kasan, so this is not an issue.
Change-Id: I457322b18e135ac5e49588b6efa6f44e9883755c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
5.15.138 Dragonboard 845c because of recently added symbol,
rpmsg_register_device_override.
So add it to the symbol list and update the abi definitions.
Bug: 313495196
Change-Id: I3a3504b6d2061bfce0abe9801e2ecb210c337b9f
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4 upstream.
The following can crash the kernel:
# cd /sys/kernel/tracing
# echo 'p:sched schedule' > kprobe_events
# exec 5>>events/kprobes/sched/enable
# > kprobe_events
# exec 5>&-
The above commands:
1. Change directory to the tracefs directory
2. Create a kprobe event (doesn't matter what one)
3. Open bash file descriptor 5 on the enable file of the kprobe event
4. Delete the kprobe event (removes the files too)
5. Close the bash file descriptor 5
The above causes a crash!
BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:tracing_release_file_tr+0xc/0x50
What happens here is that the kprobe event creates a trace_event_file
"file" descriptor that represents the file in tracefs to the event. It
maintains state of the event (is it enabled for the given instance?).
Opening the "enable" file gets a reference to the event "file" descriptor
via the open file descriptor. When the kprobe event is deleted, the file is
also deleted from the tracefs system which also frees the event "file"
descriptor.
But as the tracefs file is still opened by user space, it will not be
totally removed until the final dput() is called on it. But this is not
true with the event "file" descriptor that is already freed. If the user
does a write to or simply closes the file descriptor it will reference the
event "file" descriptor that was just freed, causing a use-after-free bug.
To solve this, add a ref count to the event "file" descriptor as well as a
new flag called "FREED". The "file" will not be freed until the last
reference is released. But the FREE flag will be set when the event is
removed to prevent any more modifications to that event from happening,
even if there's still a reference to the event "file" descriptor.
Link: https://lore.kernel.org/linux-trace-kernel/20231031000031.1e705592@gandalf.local.home/
Link: https://lore.kernel.org/linux-trace-kernel/20231031122453.7a48b923@gandalf.local.home
Cc: stable@vger.kernel.org
Cc: Mark Rutland <mark.rutland@arm.com>
Fixes: f5ca233e2e ("tracing: Increase trace array ref count on enable and filter files")
Reported-by: Beau Belgrave <beaub@linux.microsoft.com>
Tested-by: Beau Belgrave <beaub@linux.microsoft.com>
Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit feea65a338 upstream.
As reported by Mahesh & Aneesh, opal_prd_msg_notifier() triggers a
FORTIFY_SOURCE warning:
memcpy: detected field-spanning write (size 32) of single field "&item->msg" at arch/powerpc/platforms/powernv/opal-prd.c:355 (size 4)
WARNING: CPU: 9 PID: 660 at arch/powerpc/platforms/powernv/opal-prd.c:355 opal_prd_msg_notifier+0x174/0x188 [opal_prd]
NIP opal_prd_msg_notifier+0x174/0x188 [opal_prd]
LR opal_prd_msg_notifier+0x170/0x188 [opal_prd]
Call Trace:
opal_prd_msg_notifier+0x170/0x188 [opal_prd] (unreliable)
notifier_call_chain+0xc0/0x1b0
atomic_notifier_call_chain+0x2c/0x40
opal_message_notify+0xf4/0x2c0
This happens because the copy is targeting item->msg, which is only 4
bytes in size, even though the enclosing item was allocated with extra
space following the msg.
To fix the warning define struct opal_prd_msg with a union of the header
and a flex array, and have the memcpy target the flex array.
Reported-by: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
Reported-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Tested-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Reviewed-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20230821142820.497107-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 432e664e7c98c243fab4c3c95bd463bea3aeed28 upstream.
The ATRM ACPI method is for fetching the dGPU vbios rom
image on laptops and all-in-one systems. It should not be
used for external add in cards. If the dGPU is thunderbolt
connected, don't try ATRM.
v2: pci_is_thunderbolt_attached only works for Intel. Use
pdev->external_facing instead.
v3: dev_is_removable() seems to be what we want
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2925
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 08e9ebc75b5bcfec9d226f9e16bab2ab7b25a39a upstream.
The incoming strings might not be terminated by a newline
or a 0.
(found while testing a program that just wrote the string
itself, causing a crash)
Cc: stable@vger.kernel.org
Fixes: e3933f26b6 ("drm/amd/pp: Add edit/commit/show OD clock/voltage support in sysfs")
Signed-off-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 40dd7953f4d606c280074f10d23046b6812708ce upstream.
Wrong check of gdb backup in meta bg as following:
first_group is the first group of meta_bg which contains target group, so
target group is always >= first_group. We check if target group has gdb
backup by comparing first_group with [group + 1] and [group +
EXT4_DESC_PER_BLOCK(sb) - 1]. As group >= first_group, then [group + N] is
> first_group. So no copy of gdb backup in meta bg is done in
setup_new_flex_group_blocks.
No need to do gdb backup copy in meta bg from setup_new_flex_group_blocks
as we always copy updated gdb block to backups at end of
ext4_flex_group_add as following:
ext4_flex_group_add
/* no gdb backup copy for meta bg any more */
setup_new_flex_group_blocks
/* update current group number */
ext4_update_super
sbi->s_groups_count += flex_gd->count;
/*
* if group in meta bg contains backup is added, the primary gdb block
* of the meta bg will be copy to backup in new added group here.
*/
for (; gdb_num <= gdb_num_end; gdb_num++)
update_backups(...)
In summary, we can remove wrong gdb backup copy code in
setup_new_flex_group_blocks.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Link: https://lore.kernel.org/r/20230826174712.4059355-5-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 40ea98396a3659062267d1fe5f99af4f7e4f05e3 upstream.
When big allocate feature is enabled, we need to count and update
reserved clusters before removing a delayed only extent_status entry.
{init|count|get}_rsvd() have already done this, but the start block
number of this counting isn't correct in the following case.
lblk end
| |
v v
-------------------------
| | orig_es
-------------------------
^ ^
len1 is 0 | len2 |
If the start block of the orig_es entry founded is bigger than lblk, we
passed lblk as start block to count_rsvd(), but the length is correct,
finally, the range to be counted is offset. This patch fix this by
passing the start blocks to 'orig_es->lblk + len1'.
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20230824092619.1327976-2-yi.zhang@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 31f13421c004a420c0e9d288859c9ea9259ea0cc upstream.
Commit 0aeaa2559d ("ext4: fix corruption when online resizing a 1K
bigalloc fs") found that primary superblock's offset in its group is
not equal to offset of backup superblock in its group when block size
is 1K and bigalloc is enabled. As group descriptor blocks are right
after superblock, we can't pass block number of gdb to update_backups
for the same reason.
The root casue of the issue above is that leading 1K padding block is
count as data block offset for primary block while backup block has no
padding block offset in its group.
Remove padding data block count to fix the issue for gdb backups.
For meta_bg case, update_backups treat blk_off as block number, do no
conversion in this case.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Link: https://lore.kernel.org/r/20230826174712.4059355-2-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6a26310273c323380da21eb23fcfd50e31140913 upstream.
This reverts commit efa5f1311c4998e9e6317c52bc5ee93b3a0f36df.
I couldn't reproduce the reported issue. What I did, based on a pcap
packet log provided by the reporter:
- Used same chip version (RTL8168h)
- Set MAC address to the one used on the reporters system
- Replayed the EAPOL unicast packet that, according to the reporter,
was filtered out by the mc filter.
The packet was properly received.
Therefore the root cause of the reported issue seems to be somewhere
else. Disabling mc filtering completely for the most common chip
version is a quite big hammer. Therefore revert the change and wait
for further analysis results from the reporter.
Cc: stable@vger.kernel.org
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b6e1bdca463a932c1ac02caa7d3e14bf39288e0c upstream.
check_clock doesn't account for vfe_lite which means that vfe_lite will
never get validated by this routine. Add the clock name to the expected set
to remediate.
Fixes: 7319cdf189 ("media: camss: Add support for VFE hardware version Titan 170")
Cc: stable@vger.kernel.org
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3143ad282fc08bf995ee73e32a9e40c527bf265d upstream.
There are two problems with the current vfe_disable_output() routine.
Firstly we rightly use a spinlock to protect output->gen2.active_num
everywhere except for in the IDLE timeout path of vfe_disable_output().
Even if that is not racy "in practice" somehow it is by happenstance not
by design.
Secondly we do not get consistent behaviour from this routine. On
sc8280xp 50% of the time I get "VFE idle timeout - resetting". In this
case the subsequent capture will succeed. The other 50% of the time, we
don't hit the idle timeout, never do the VFE reset and subsequent
captures stall indefinitely.
Rewrite the vfe_disable_output() routine to
- Quiesce write masters with vfe_wm_stop()
- Set active_num = 0
remembering to hold the spinlock when we do so followed by
- Reset the VFE
Testing on sc8280xp and sdm845 shows this to be a valid fix.
Fixes: 7319cdf189 ("media: camss: Add support for VFE hardware version Titan 170")
Cc: stable@vger.kernel.org
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7405116519ad70b8c7340359bfac8db8279e7ce4 upstream.
We need to make sure camss_configure_pd() happens before
camss_register_entities() as the vfe_get() path relies on the pointer
provided by camss_configure_pd().
Fix the ordering sequence in probe to ensure the pointers vfe_get() demands
are present by the time camss_register_entities() runs.
In order to facilitate backporting to stable kernels I've moved the
configure_pd() call pretty early on the probe() function so that
irrespective of the existence of the old error handling jump labels this
patch should still apply to -next circa Aug 2023 to v5.13 inclusive.
Fixes: 2f6f8af672 ("media: camss: Refactor VFE power domain toggling")
Cc: stable@vger.kernel.org
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 24948e3b7b12e0031a6edb4f49bbb9fb2ad1e4e9 upstream.
Objcg vectors attached to slab pages to store slab object ownership
information are allocated using gfp flags for the original slab
allocation. Depending on slab page order and the size of slab objects,
objcg vector can take several pages.
If the original allocation was done with the __GFP_NOFAIL flag, it
triggered a warning in the page allocation code. Indeed, order > 1 pages
should not been allocated with the __GFP_NOFAIL flag.
Fix this by simply dropping the __GFP_NOFAIL flag when allocating the
objcg vector. It effectively allows to skip the accounting of a single
slab object under a heavy memory pressure.
An alternative would be to implement the mechanism to fallback to order-0
allocations for accounting metadata, which is also not perfect because it
will increase performance penalty and memory footprint of the kernel
memory accounting under memory pressure.
Link: https://lkml.kernel.org/r/ZUp8ZFGxwmCx4ZFr@P9FQF9L96D.corp.robot.car
Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
Reported-by: Christoph Lameter <cl@linux.com>
Closes: https://lkml.kernel.org/r/6b42243e-f197-600a-5d22-56bd728a5ad8@gentwo.org
Acked-by: Shakeel Butt <shakeelb@google.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 724ff68e968b19d786870d333f9952bdd6b119cb upstream.
Initialise the try sink compose rectangle size to the sink compose
rectangle for binner and scaler sub-devices. This was missed due to the
faulty condition that lead to the compose rectangles to be initialised for
the pixel array sub-device where it is not relevant.
Fixes: ccfc97bdb5 ("[media] smiapp: Add driver")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8d0b89398b7ebc52103e055bf36b60b045f5258f upstream.
The hfi parser, parses the capabilities received from venus firmware and
copies them to core capabilities. Consider below api, for example,
fill_caps - In this api, caps in core structure gets updated with the
number of capabilities received in firmware data payload. If the same api
is called multiple times, there is a possibility of copying beyond the max
allocated size in core caps.
Similar possibilities in fill_raw_fmts and fill_profile_level functions.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04 ("media: venus: hfi_parser: add common capability parser")
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b18e36dfd6c935da60a971310374f3dfec3c82e1 upstream.
Buffer requirement, for different buffer type, comes from video firmware.
While copying these requirements, there is an OOB possibility when the
payload from firmware is more than expected size. Fix the check to avoid
the OOB possibility.
Cc: stable@vger.kernel.org
Fixes: 09c2845e8f ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
Reviewed-by: Nathan Hebert <nhebert@chromium.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0768a9dd809ef52440b5df7dce5a1c1c7e97abbd upstream.
Supported codec bitmask is populated from the payload from venus firmware.
There is a possible case when all the bits in the codec bitmask is set. In
such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized.
Now while filling the caps for encoder, it can lead to access the caps
array beyong 32 index. Hence leading to OOB write.
The fix counts the supported encoder and decoder. If the count is more than
max, then it skips accessing the caps.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04 ("media: venus: hfi_parser: add common capability parser")
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c8a489f820179fb12251e262b50303c29de991ac upstream.
When transmitting, infrared drivers expect an odd number of samples; iow
without a trailing space. No problems have been observed so far, so
this is just belt and braces.
Fixes: 9b6192589b ("media: lirc: implement scancode sending")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e0d4e8acb3789c5a8651061fbab62ca24a45c063 upstream.
With gcc and W=1 option, there's a warning like this:
fs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:
fs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between
1 and 7 bytes into a region of size between 5 and 8
[-Werror=format-overflow=]
1984 | sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev),
MINOR(dev));
| ^~
String "f2fs_page_array_entry-%u:%u" can up to 35. The first "%u" can up
to 4 and the second "%u" can up to 7, so total size is "24 + 4 + 7 = 35".
slab_name's size should be 35 rather than 32.
Cc: stable@vger.kernel.org
Signed-off-by: Su Hui <suhui@nfschina.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f78ca48a8ba9cdec96e8839351e49eec3233b177 upstream.
Currently we set SMBHSTCNT_LAST_BYTE only after the host has started
receiving the last byte. If we get e.g. preempted before setting
SMBHSTCNT_LAST_BYTE, the host may be finished with receiving the byte
before SMBHSTCNT_LAST_BYTE is set.
Therefore change the code to set SMBHSTCNT_LAST_BYTE before writing
SMBHSTSTS_BYTE_DONE for the byte before the last byte. Now the code
is also consistent with what we do in i801_isr_byte_done().
Reported-by: Jean Delvare <jdelvare@suse.com>
Closes: https://lore.kernel.org/linux-i2c/20230828152747.09444625@endymion.delvare/
Cc: stable@vger.kernel.org
Acked-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
