[ Upstream commit 504a10d9e4 ]
On corrupt gfs2 file systems the evict code can try to reference the
journal descriptor structure, jdesc, after it has been freed and set to
NULL. The sequence of events is:
init_journal()
...
fail_jindex:
gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL
if (gfs2_holder_initialized(&ji_gh))
gfs2_glock_dq_uninit(&ji_gh);
fail:
iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode
evict()
gfs2_evict_inode()
evict_linked_inode()
ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks);
<------references the now freed/zeroed sd_jdesc pointer.
The call to gfs2_trans_begin is done because the truncate_inode_pages
call can cause gfs2 events that require a transaction, such as removing
journaled data (jdata) blocks from the journal.
This patch fixes the problem by adding a check for sdp->sd_jdesc to
function gfs2_evict_inode. In theory, this should only happen to corrupt
gfs2 file systems, when gfs2 detects the problem, reports it, then tries
to evict all the system inodes it has read in up to that point.
Bug: 289870854
Reported-by: Yang Lan <lanyang0908@gmail.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 5ae4a618a1)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I501e8631e1b60479023f5e6ad957540f9e10bcd5
Implemented a hook to check if battery swap is enabled in
alarm timer suspend routine. During a battery swap, it is
crucial to ensure that the device remains in a suspended
state, relying on a limited backup power source. It is
essential to prevent any unintended awakenings in this
state, as they could potentially lead to sudden surges
in the power consumption, ultimately resulting in a
device shutdown. Hence, we disable alarmtimer IRQs when
in batteryswap mode.
Bug: 290881352
Change-Id: I31dc30d9a3168bb1356cccba49f0a70fd6b73782
Signed-off-by: Vatsal Parasrampuria <vp9924@zebra.com>
We need to abort the reclaim/compaction by sending
signal(such as SIGUSR2) to the reclaim thread, or
just abort when cpu-usage is too-high or free-mem is enough.
Bug: 289987875
Change-Id: I4b637cbd2b37235eec27a985a9b5b95598247c59
Signed-off-by: shenjiangjiang <shenjiangjiang@oppo.com>
(cherry picked from commit 024628cc9203cbd4f8471d98435b3a3d6f85764d)
[ Upstream commit 5fc46f9421 ]
This reverts commit b0355dbbf1.
The reverted commit clears the secpath on packets received via xfrm interfaces
to support nested IPsec tunnels. This breaks Netfilter policy matching using
xt_policy in the FORWARD chain, as the secpath is missing during forwarding.
Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode.
Fix this regression by reverting the commit until we have a better approach
for nested IPsec tunnels.
Fixes: b0355dbbf1 ("Fix XFRM-I support for nested ESP tunnels")
Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Bug: 288489934
(cherry picked from commit c5449195f8)
Change-Id: Iefaed6d21a641fefb02e0fd0067086a9ae3a802a
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Presently the data buffer used to return the per-UID timeout description
is created based on information provided by the user. It is expected
that the user populates a variable called 'timeouts_array_size' which is
heavily scrutinised to ensure the value provided is appropriate i.e.
smaller than the largest possible value but large enough to contain all
of the data we wish to pass back.
The issue is that the aforementioned scrutiny is imposed on a different
variable to the one expected. Contrary to expectation, the data buffer
is actually being allocated to the size specified in a variable named
'timeouts_array_size_out'. A variable originally designed to only
contain the output information i.e. the size of the data actually copied
to the user for consumption. This value is also user provided and is
not given the same level of scrutiny as the former.
The fix in this case is simple. Ignore 'timeouts_array_size_out' until
it is time to populate (over-write) it ourselves and use
'timeouts_array_size' to shape the buffer as intended.
Bug: 281547360
Change-Id: I95e12879a33a2355f9e4bc0ce2bfc3f229141aa8
Signed-off-by: Lee Jones <joneslee@google.com>
(cherry picked from commit 5a4d20a3eb4e651f88ed2f1f08cee066639ca801)
Leaf changes summary: 1 artifact changed
Changed leaf types summary: 0 leaf type changed
Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 1 Added function
Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable
1 Added function:
[A] 'function void ttm_tt_unpopulate(ttm_bo_device*, ttm_tt*)'
Xclipse GPU driver depends on TTM for graphics buffer allocation and management. It is required by customers to add graphics memory swap to improve overall memory efficiency. However TTM's swap feature can't be used since it selects victim buffer by LRU and we can't choose a specific buffer to swap.
Xclipse GPU driver implements its own swap feature by means of APIs of TTM. But the problem is TTM's buffer allocations statistics in ttm_tt.c which are local to that file. Whenever a graphic buffer is swapped out, the size of total page allocation should be decreased but it is not possible from the outside of ttm_tt.c. If the statistics is not maintained well, TTM ends up swapping out TTM buffers globally which is unexpected.
Bug: 291100620
Change-Id: I0edc4b5e8ae6d9e41e99750eb5f0e62fa78ec1fb
Signed-off-by: Kyongho Cho <pullip.cho@samsung.com>
As a supplement to commit eed2741ae6
("ANDROID: vendor_hook: add hooks to protect locking-tsk in cpu scheduler").
In rwsem read, we missed a lock-holding scenario, add it now.
Bug: 290868674
Change-Id: I718dd942b24b330a79283fc241dcbf47cc34c0c5
Signed-off-by: Liujie Xie <xieliujie@oppo.com>
Add symbol list for Nothing at the first time
2 function symbol(s) added
'struct file_system_type* get_fs_type(const char*)'
'void iterate_supers_type(struct file_system_type*, void(*)(struct super_block*, void*), void*)'
Bug: 290756100
Change-Id: I3cdf16cf21bf04df2c0ab10358e7e7dd4e82c2d1
Signed-off-by: Dylan Chang <dylan.chang@nothing.tech>
Signed-off-by: Giuliano Procida <gprocida@google.com>
In scenarios where pullup relies on resume (get sync) to initialize
the controller and set the run stop bit, then core_init is followed by
gadget_resume which will eventually set run stop bit.
But in cases where the core_init fails, the return value is not sent
back to udc appropriately. So according to UDC the controller has
started but in reality we never set the run stop bit.
On systems like Android, there are uevents sent to HAL depending on
whether the configfs_bind / configfs_disconnect were invoked. In the
above mentioned scnenario, if the core init fails, the run stop won't
be set and the cable plug-out won't result in generation of any
disconnect event and userspace would never get any uevent regarding
cable plug out and we never call pullup(0) again. Furthermore none of
the next Plug-In/Plug-Out's would be known to configfs.
Return back the appropriate result to UDC to let the userspace/
configfs know that the pullup failed so they can take appropriate
action.
Fixes: 77adb8bdf4 ("usb: dwc3: gadget: Allow runtime suspend if UDC unbinded")
Cc: stable <stable@kernel.org>
Change-Id: Ieb281722cdc4fa2ff15545d9edaabdc8c2d70223
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Message-ID: <20230618120949.14868-1-quic_kriskura@quicinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c0aabed9cahttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master)
Bug: 289984280
Change-Id: I633b2c325dd954a3e4cdd636052158a90fd976a3
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
[ Upstream commit 2b947f8769 ]
In renesas_usb3_probe, role_work is bound with renesas_usb3_role_work.
renesas_usb3_start will be called to start the work.
If we remove the driver which will call usbhs_remove, there may be
an unfinished work. The possible sequence is as follows:
CPU0 CPU1
renesas_usb3_role_work
renesas_usb3_remove
usb_role_switch_unregister
device_unregister
kfree(sw)
//free usb3->role_sw
usb_role_switch_set_role
//use usb3->role_sw
The usb3->role_sw could be freed under such circumstance and then
used in usb_role_switch_set_role.
This bug was found by static analysis. And note that removing a
driver is a root-only operation, and should never happen in normal
case. But the root user may directly remove the device which
will also trigger the remove function.
Fix it by canceling the work before cleanup in the renesas_usb3_remove.
Bug: 289003615
Fixes: 39facfa01c ("usb: gadget: udc: renesas_usb3: Add register of usb role switch")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/20230320062931.505170-1-zyytlz.wz@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit df23805209)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I79a1dbeba9a90ee5daf94648ef6a32207b283561
[ Upstream commit 3228cec23b ]
In rkvdec_probe, rkvdec->watchdog_work is bound with
rkvdec_watchdog_func. Then rkvdec_vp9_run may
be called to start the work.
If we remove the module which will call rkvdec_remove
to make cleanup, there may be a unfinished work.
The possible sequence is as follows, which will
cause a typical UAF bug.
Fix it by canceling the work before cleanup in rkvdec_remove.
CPU0 CPU1
|rkvdec_watchdog_func
rkvdec_remove |
rkvdec_v4l2_cleanup|
v4l2_m2m_release |
kfree(m2m_dev); |
|
| v4l2_m2m_get_curr_priv
| m2m_dev->curr_ctx //use
Bug: 289003637
Fixes: cd33c83044 ("media: rkvdec: Add the rkvdec driver")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 6a17add9c6)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ibdf4667315d98ac1cd42545f61e271c291893edd
commit d082d48737 upstream.
KPTI keeps around two PGDs: one for userspace and another for the
kernel. Among other things, set_pgd() contains infrastructure to
ensure that updates to the kernel PGD are reflected in the user PGD
as well.
One side-effect of this is that set_pgd() expects to be passed whole
pages. Unfortunately, init_trampoline_kaslr() passes in a single entry:
'trampoline_pgd_entry'.
When KPTI is on, set_pgd() will update 'trampoline_pgd_entry' (an
8-Byte globally stored [.bss] variable) and will then proceed to
replicate that value into the non-existent neighboring user page
(located +4k away), leading to the corruption of other global [.bss]
stored variables.
Fix it by directly assigning 'trampoline_pgd_entry' and avoiding
set_pgd().
[ dhansen: tweak subject and changelog ]
Bug: 274115504
Fixes: 0925dda596 ("x86/mm/KASLR: Use only one PUD entry for real mode trampoline")
Suggested-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/all/20230614163859.924309-1-lee@kernel.org/g
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 364fdcbb03)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Idc1fc494d7ccb4a8a3765e1f46482583b528a584
commit 43ec16f145 upstream.
There is a crash in relay_file_read, as the var from
point to the end of last subbuf.
The oops looks something like:
pc : __arch_copy_to_user+0x180/0x310
lr : relay_file_read+0x20c/0x2c8
Call trace:
__arch_copy_to_user+0x180/0x310
full_proxy_read+0x68/0x98
vfs_read+0xb0/0x1d0
ksys_read+0x6c/0xf0
__arm64_sys_read+0x20/0x28
el0_svc_common.constprop.3+0x84/0x108
do_el0_svc+0x74/0x90
el0_svc+0x1c/0x28
el0_sync_handler+0x88/0xb0
el0_sync+0x148/0x180
We get the condition by analyzing the vmcore:
1). The last produced byte and last consumed byte
both at the end of the last subbuf
2). A softirq calls function(e.g __blk_add_trace)
to write relay buffer occurs when an program is calling
relay_file_read_avail().
relay_file_read
relay_file_read_avail
relay_file_read_consume(buf, 0, 0);
//interrupted by softirq who will write subbuf
....
return 1;
//read_start point to the end of the last subbuf
read_start = relay_file_read_start_pos
//avail is equal to subsize
avail = relay_file_read_subbuf_avail
//from points to an invalid memory address
from = buf->start + read_start
//system is crashed
copy_to_user(buffer, from, avail)
Bug: 288957094
Link: https://lkml.kernel.org/r/20230419040203.37676-1-zhang.zhengming@h3c.com
Fixes: 8d62fdebda ("relay file read: start-pos fix")
Signed-off-by: Zhang Zhengming <zhang.zhengming@h3c.com>
Reviewed-by: Zhao Lei <zhao_lei1@hoperun.com>
Reviewed-by: Zhou Kete <zhou.kete@h3c.com>
Reviewed-by: Pengcheng Yang <yangpc@wangsu.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f6ee841ff2)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ibbdf65d8bf2268c3e8c09520f595167a2ed41e8b
Snipped from commit 9ca9fb24d5 upstream.
While reworking the poll hashing in the v6.0 kernel, we ended up
grabbing the ctx->uring_lock in poll update/removal. This also fixed
a bug with linked timeouts racing with timeout expiry and poll
removal.
Bring back just the locking fix for that.
Bug: 289229683
Reported-and-tested-by: Querijn Voet <querijnqyn@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0e388fce7a)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ife3683f26b19af1887ae1c59d3bd8b4e1700c79a
[ Upstream commit 4d56304e58 ]
If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
size is 252 bytes(key->enc_opts.len = 252) then
key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
bypasses the next bounds check and results in an out-of-bounds.
Bug: 288660424
Fixes: 0a6e77784f ("net/sched: allow flower to match tunnel options")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 45f47d2cf1)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I53c534b7d43f4c7da5a9f63556c79d35797aa598
This reverts commit bf82668eb9 which is
commit 9bc61c04ff upstream.
It is removing unused code, but that changes a structure size so revert
it for now to preserve the ABI.
Bug: 161946584
Change-Id: I237cda2e5c07440d25613a1a1e30fa499751c7ac
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
In some situations, we want to decrease readaround size for better
performance. So we add this hook.
Bug: 288216516
Change-Id: If2f5f75976c99ff1f82ce29d370f9216926055ab
Signed-off-by: Oven <liyangouwen1@oppo.com>
memory allocations
We add these hooks to avoid key threads blocked in memory allocation
path.
-android_vh_free_unref_page_bypass ----We create a memory pool for the key threads. This hook determines whether a page should be free to the pool or to buddy freelist. It works with a existing hook `android_vh_alloc_pages_reclaim_bypass`, which takes pages out of the pool.
-android_vh_kvmalloc_node_use_vmalloc ----For key threads, we perfer not to run into direct reclaim. So we clear __GFP_DIRECT_RECLAIM flag. For threads which are not that important, we perfer use vmalloc.
-android_vh_should_alloc_pages_retry ----Before key threads run into direct reclaim, we want to retry with a lower watermark.
-android_vh_unreserve_highatomic_bypass ----We want to keep more highatomic pages when unreserve them to avoid highatomic allocation failures.
-android_vh_pageset_update ----We found the default per-cpu pageset is quite few in smartphones with large ram size. This hook is used to increase it to reduce zone->lock contentions.
-android_vh_rmqueue_bulk_bypass ----We found sometimes when key threads run into rmqueue_bulk, it took several milliseconds spinning at zone->lock or filling per-cpu pages. We use this hook to take pages from the mempool mentioned above, rather than grab zone->lock and fill a batch of pages to per-cpu.
Bug: 288216516
Change-Id: I1656032d6819ca627723341987b6094775bc345f
Signed-off-by: Oven <liyangouwen1@oppo.com>
[ Upstream commit 5cdb422c83 ]
xfstest generic/019 reports a bug:
kernel BUG at mm/filemap.c:1619!
RIP: 0010:folio_end_writeback+0x8a/0x90
Call Trace:
end_page_writeback+0x1c/0x60
f2fs_write_end_io+0x199/0x420
bio_endio+0x104/0x180
submit_bio_noacct+0xa5/0x510
submit_bio+0x48/0x80
f2fs_submit_write_bio+0x35/0x300
f2fs_submit_merged_ipu_write+0x2a0/0x2b0
f2fs_write_single_data_page+0x838/0x8b0
f2fs_write_cache_pages+0x379/0xa30
f2fs_write_data_pages+0x30c/0x340
do_writepages+0xd8/0x1b0
__writeback_single_inode+0x44/0x370
writeback_sb_inodes+0x233/0x4d0
__writeback_inodes_wb+0x56/0xf0
wb_writeback+0x1dd/0x2d0
wb_workfn+0x367/0x4a0
process_one_work+0x21d/0x430
worker_thread+0x4e/0x3c0
kthread+0x103/0x130
ret_from_fork+0x2c/0x50
The root cause is: after cp_error is set, f2fs_submit_merged_ipu_write()
in f2fs_write_single_data_page() tries to flush IPU bio in cache, however
f2fs_submit_merged_ipu_write() missed to check validity of @bio parameter,
result in submitting random cached bio which belong to other IO context,
then it will cause use-after-free issue, fix it by adding additional
validity check.
Fixes: 0b20fcec86 ("f2fs: cache global IPU bio")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Bug: 268109575
Change-Id: Ifbdad0f8e8b51592ed63d025cf13965e623a7956
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Changes in 5.10.185
lib: cleanup kstrto*() usage
kernel.h: split out kstrtox() and simple_strtox() to a separate header
test_firmware: Use kstrtobool() instead of strtobool()
test_firmware: prevent race conditions by a correct implementation of locking
test_firmware: fix a memory leak with reqs buffer
power: supply: ab8500: Fix external_power_changed race
power: supply: sc27xx: Fix external_power_changed race
power: supply: bq27xxx: Use mod_delayed_work() instead of cancel() + schedule()
ARM: dts: vexpress: add missing cache properties
tools: gpio: fix debounce_period_us output of lsgpio
power: supply: Ratelimit no data debug output
platform/x86: asus-wmi: Ignore WMI events with codes 0x7B, 0xC0
regulator: Fix error checking for debugfs_create_dir
irqchip/gic-v3: Disable pseudo NMIs on Mediatek devices w/ firmware issues
power: supply: Fix logic checking if system is running from battery
btrfs: scrub: try harder to mark RAID56 block groups read-only
btrfs: handle memory allocation failure in btrfs_csum_one_bio
ASoC: soc-pcm: test if a BE can be prepared
parisc: Improve cache flushing for PCXL in arch_sync_dma_for_cpu()
parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory()
MIPS: Alchemy: fix dbdma2
mips: Move initrd_start check after initrd address sanitisation.
ASoC: dwc: move DMA init to snd_soc_dai_driver probe()
xen/blkfront: Only check REQ_FUA for writes
drm:amd:amdgpu: Fix missing buffer object unlock in failure path
irqchip/gic: Correctly validate OF quirk descriptors
io_uring: hold uring mutex around poll removal
epoll: ep_autoremove_wake_function should use list_del_init_careful
ocfs2: fix use-after-free when unmounting read-only filesystem
ocfs2: check new file size on fallocate call
nios2: dts: Fix tse_mac "max-frame-size" property
nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key()
nilfs2: fix possible out-of-bounds segment allocation in resize ioctl
kexec: support purgatories with .text.hot sections
x86/purgatory: remove PGO flags
powerpc/purgatory: remove PGO flags
nouveau: fix client work fence deletion race
RDMA/uverbs: Restrict usage of privileged QKEYs
net: usb: qmi_wwan: add support for Compal RXM-G1
ALSA: hda/realtek: Add a quirk for Compaq N14JP6
Remove DECnet support from kernel
USB: serial: option: add Quectel EM061KGL series
serial: lantiq: add missing interrupt ack
usb: dwc3: gadget: Reset num TRBs before giving back the request
RDMA/rtrs: Fix the last iu->buf leak in err path
spi: fsl-dspi: avoid SCK glitches with continuous transfers
netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM
net: enetc: correct the indexes of highest and 2nd highest TCs
ping6: Fix send to link-local addresses with VRF.
net/sched: cls_u32: Fix reference counter leak leading to overflow
RDMA/rxe: Remove the unused variable obj
RDMA/rxe: Removed unused name from rxe_task struct
RDMA/rxe: Fix the use-before-initialization error of resp_pkts
iavf: remove mask from iavf_irq_enable_queues()
octeontx2-af: fixed resource availability check
RDMA/mlx5: Initiate dropless RQ for RAW Ethernet functions
RDMA/cma: Always set static rate to 0 for RoCE
IB/uverbs: Fix to consider event queue closing also upon non-blocking mode
IB/isert: Fix dead lock in ib_isert
IB/isert: Fix possible list corruption in CMA handler
IB/isert: Fix incorrect release of isert connection
ipvlan: fix bound dev checking for IPv6 l3s mode
sctp: fix an error code in sctp_sf_eat_auth()
igb: fix nvm.ops.read() error handling
drm/nouveau: don't detect DSM for non-NVIDIA device
drm/nouveau/dp: check for NULL nv_connector->native_mode
drm/nouveau: add nv_encoder pointer check for NULL
ext4: drop the call to ext4_error() from ext4_get_group_info()
net/sched: cls_api: Fix lockup on flushing explicitly created chain
net: lapbether: only support ethernet devices
net: tipc: resize nlattr array to correct size
selftests/ptp: Fix timestamp printf format for PTP_SYS_OFFSET
afs: Fix vlserver probe RTT handling
cgroup: always put cset in cgroup_css_set_put_fork
rcu/kvfree: Avoid freeing new kfree_rcu() memory after old grace period
neighbour: Remove unused inline function neigh_key_eq16()
net: Remove unused inline function dst_hold_and_use()
net: Remove DECnet leftovers from flow.h.
neighbour: delete neigh_lookup_nodev as not used
batman-adv: Switch to kstrtox.h for kstrtou64
mmc: block: ensure error propagation for non-blk
mm/memory_hotplug: extend offline_and_remove_memory() to handle more than one memory block
nilfs2: reject devices with insufficient block count
media: dvbdev: Fix memleak in dvb_register_device
media: dvbdev: fix error logic at dvb_register_device()
media: dvb-core: Fix use-after-free due to race at dvb_register_device()
drm/i915/dg1: Wait for pcode/uncore handshake at startup
drm/i915/gen11+: Only load DRAM information from pcode
um: Fix build w/o CONFIG_PM_SLEEP
Linux 5.10.185
Change-Id: I05ba9c2e38c013c553c9f89e2a6b71ec9bdb0bd3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 9fcc3c3d26 which is
commit ed779fe4c9 upstream.
It breaks the Android kernel abi and is not needed for Android systems,
so it is safe to revert.
Bug: 161946584
Change-Id: I0aa37ddcb0939b55d0d1b74ab3e0432b02cc5285
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit cccc620970 which is
commit 4faeee0cf8 upstream.
It breaks the Android kernel abi, and if it is needed in the future can
come back in an abi-safe way.
Bug: 161946584
Change-Id: If50dd244848a8aa70b08be347020b263c71f4a61
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 5.10.183
RDMA/bnxt_re: Code refactor while populating user MRs
RDMA/bnxt_re: Fix the page_size used during the MR creation
RDMA/efa: Fix unsupported page sizes in device
dmaengine: at_xdmac: Fix concurrency over chan's completed_cookie
dmaengine: at_xdmac: Fix race for the tx desc callback
dmaengine: at_xdmac: Move the free desc to the tail of the desc list
dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved()
RDMA/bnxt_re: Fix a possible memory leak
RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx
iommu/rockchip: Fix unwind goto issue
iommu/amd: Don't block updates to GATag if guest mode is on
dmaengine: pl330: rename _start to prevent build error
net/mlx5: fw_tracer, Fix event handling
netrom: fix info-leak in nr_write_internal()
af_packet: Fix data-races of pkt_sk(sk)->num.
amd-xgbe: fix the false linkup in xgbe_phy_status
mtd: rawnand: ingenic: fix empty stub helper definitions
af_packet: do not use READ_ONCE() in packet_bind()
tcp: deny tcp_disconnect() when threads are waiting
tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set
net/sched: sch_ingress: Only create under TC_H_INGRESS
net/sched: sch_clsact: Only create under TC_H_CLSACT
net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs
net/sched: Prohibit regrafting ingress or clsact Qdiscs
net: sched: fix NULL pointer dereference in mq_attach
net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report
udp6: Fix race condition in udp6_sendmsg & connect
net/mlx5: Read embedded cpu after init bit cleared
net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
net: dsa: mv88e6xxx: Increase wait after reset deactivation
mtd: rawnand: marvell: ensure timing values are written
mtd: rawnand: marvell: don't set the NAND frequency select
watchdog: menz069_wdt: fix watchdog initialisation
ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs.
mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
btrfs: abort transaction when sibling keys check fails for leaves
ARM: 9295/1: unwind:fix unwind abort for uleb128 case
media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE
gfs2: Don't deref jdesc in evict
fbdev: modedb: Add 1920x1080 at 60 Hz video mode
fbdev: stifb: Fix info entry in sti_struct on error path
nbd: Fix debugfs_create_dir error checking
block/rnbd: replace REQ_OP_FLUSH with REQ_OP_WRITE
ASoC: dwc: limit the number of overrun messages
xfrm: Check if_id in inbound policy/secpath match
ASoC: dt-bindings: Adjust #sound-dai-cells on TI's single-DAI codecs
ASoC: ssm2602: Add workaround for playback distortions
media: dvb_demux: fix a bug for the continuity counter
media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer()
media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
media: netup_unidvb: fix irq init by register it at the end of probe
media: dvb_ca_en50221: fix a size write bug
media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table
media: dvb-core: Fix use-after-free due on race condition at dvb_net
media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221
s390/pkey: zeroize key blobs
wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value
ARM: dts: stm32: add pin map for CAN controller on stm32f7
arm64/mm: mark private VM_FAULT_X defines as vm_fault_t
scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
wifi: b43: fix incorrect __packed annotation
netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT
ALSA: oss: avoid missing-prototype warnings
drm/msm: Be more shouty if per-process pgtables aren't working
atm: hide unused procfs functions
mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
iio: adc: mxs-lradc: fix the order of two cleanup operations
HID: google: add jewel USB id
HID: wacom: avoid integer overflow in wacom_intuos_inout()
iio: imu: inv_icm42600: fix timestamp reset
iio: light: vcnl4035: fixed chip ID check
iio: dac: mcp4725: Fix i2c_master_send() return value handling
iio: adc: ad7192: Change "shorted" channels to differential
iio: dac: build ad5758 driver when AD5758 is selected
net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
usb: gadget: f_fs: Add unbind event before functionfs_unbind
misc: fastrpc: return -EPIPE to invocations on device removal
misc: fastrpc: reject new invocations during device removal
scsi: stex: Fix gcc 13 warnings
ata: libata-scsi: Use correct device no in ata_find_dev()
x86/boot: Wrap literal addresses in absolute_pointer()
ACPI: thermal: drop an always true check
ath6kl: Use struct_group() to avoid size-mismatched casting
gcc-12: disable '-Wdangling-pointer' warning for now
eth: sun: cassini: remove dead code
mmc: vub300: fix invalid response handling
tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK
btrfs: fix csum_tree_block page iteration to avoid tripping on -Werror=array-bounds
selinux: don't use make's grouped targets feature yet
tracing/probe: trace_probe_primary_from_call(): checked list_first_entry
selftests: mptcp: connect: skip if MPTCP is not supported
selftests: mptcp: pm nl: skip if MPTCP is not supported
ext4: add EA_INODE checking to ext4_iget()
ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find()
ext4: disallow ea_inodes with extended attributes
ext4: add lockdep annotations for i_data_sem for ea_inode's
fbcon: Fix null-ptr-deref in soft_cursor
serial: 8250_tegra: Fix an error handling path in tegra_uart_probe()
test_firmware: fix the memory leak of the allocated firmware buffer
KVM: x86: Account fastpath-only VM-Exits in vCPU stats
KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()
regmap: Account for register length when chunking
tpm, tpm_tis: Request threaded interrupt handler
media: ti-vpe: cal: avoid FIELD_GET assertion
drm/rcar: stop using 'imply' for dependencies
scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)
scsi: dpt_i2o: Do not process completions with invalid addresses
crypto: ccp: Reject SEV commands with mismatching command buffer
crypto: ccp: Play nice with vmalloc'd memory for SEV command structs
selftests: mptcp: diag: skip if MPTCP is not supported
selftests: mptcp: simult flows: skip if MPTCP is not supported
selftests: mptcp: join: skip if MPTCP is not supported
ext4: enable the lazy init thread when remounting read/write
ARM: defconfig: drop CONFIG_DRM_RCAR_LVDS
Linux 5.10.183
Change-Id: Iaaaaa9d53fea0e6f58a5ba1ad86f9150c2cdf8af
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 12cb97ed85 which is
commit fb8fee9efd upstream.
It is part of a series that breaks the Android kernel abi and can be
safely reverted at this point in time. If it needs to come back in the
future, it can be done so in an abi-safe way.
Bug: 161946584
Change-Id: I8b912fb1cd2aa9e0ebfba10aaba93a147a32815b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit b3a9c4081d which is
commit 4c4fce171c upstream.
It is part of a series that breaks the Android kernel abi and can be
safely reverted at this point in time. If it needs to come back in the
future, it can be done so in an abi-safe way.
Bug: 161946584
Change-Id: I20ea532f38c565713dc4a29ad0a35916f851aebe
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 860ad704e4 which is
commit d67dada3e2 upstream.
It is part of a series that breaks the Android kernel abi and can be
safely reverted at this point in time. If it needs to come back in the
future, it can be done so in an abi-safe way.
Bug: 161946584
Change-Id: I33e439ca99e09cee71174eaa1149750bfee93c1e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 5.10.182
x86/cpu: Add Raptor Lake to Intel family
x86/cpu: Drop spurious underscore from RAPTOR_LAKE #define
power: supply: bq27xxx: fix polarity of current_now
power: supply: bq27xxx: fix sign of current_now for newer ICs
power: supply: bq27xxx: make status more robust
power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status()
power: supply: bq27xxx: expose battery data when CI=1
power: supply: bq27xxx: Move bq27xxx_battery_update() down
power: supply: bq27xxx: Ensure power_supply_changed() is called on current sign changes
power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize
power: supply: core: Refactor power_supply_set_input_current_limit_from_supplier()
power: supply: bq24190: Call power_supply_changed() after updating input current
regulator: Add regmap helper for ramp-delay setting
regulator: pca9450: Convert to use regulator_set_ramp_delay_regmap
regulator: pca9450: Fix BUCK2 enable_mask
net/mlx5: devcom only supports 2 ports
net/mlx5: Devcom, serialize devcom registration
net: phy: mscc: enable VSC8501/2 RGMII RX clock
bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
binder: fix UAF caused by faulty buffer cleanup
ipv{4,6}/raw: fix output xfrm lookup wrt protocol
netfilter: ctnetlink: Support offloaded conntrack entry deletion
Linux 5.10.182
Change-Id: I4c11a7f5fce0d9088f193a488a28b779944291a5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 097ea78d8c which is
commit 3ae6d66b60 upstream.
It breaks the Android kernel ABI and is not needed for Android devices,
so it is safe to revert for now. If it is determined that it is needed
in the future, it can be brought back in an abi-preserving way.
Bug: 161946584
Change-Id: I0b32b3b8d7c81895dd1680f7aec65d38cace080d
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 2bd4ff4ffb which is
commit 56077b56cd upstream.
It breaks the Android kernel ABI and is not needed for Android devices,
so it is safe to revert for now. If it is determined that it is needed
in the future, it can be brought back in an abi-preserving way.
Bug: 161946584
Change-Id: I5fc048bf94f78a38691e3b27cf225536200bcd49
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 2937127d24 which is
commit 35a089b5d7 upstream.
It breaks the Android kernel ABI and is not needed for Android devices,
so it is safe to revert for now. If it is determined that it is needed
in the future, it can be brought back in an abi-preserving way.
Bug: 161946584
Change-Id: Iac2aaf58f7e53317626d0f7f125b55e72228c770
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit a9ef8b2589 which is
commit 37ba017dcc upstream.
It breaks the Android kernel ABI and is not needed for Android devices,
so it is safe to revert for now. If it is determined that it is needed
in the future, it can be brought back in an abi-preserving way.
Bug: 161946584
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie1e6f2b24c5e360577bc66fde8f969eeea96e99d
In commit a2d816f55d ("Bluetooth: hci_bcm: Fall back to getting bdaddr
from EFI if not set"), a "#include <linux/efi.h>" was added which caused
the CRC generation of some bluetooth symbols to be modified due to some
structures now coming into "scope".
Fix this up by hacking in our favorite __GENKSYMS__ test, which fixes
everything up right and all is calm again.
Bug: 161946584
Fixes: a2d816f55d ("Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set")
Change-Id: I5ddb1d3895f079980c3efd64ae773b91da3ca809
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 788791990d which is
commit e22aa14866 upstream.
It breaks the Android kernel abi, so revert it for now. If it is needed
in the future it can be brought back in an ABI-safe way.
Bug: 161946584
Change-Id: Ibbbc25dce5304664307a4d06420c24aa6d6ff708
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit e7fd68abbb which is
commit 1e306ec49a uptream.
It breaks the Android kernel abi, so revert it for now. If it is needed
in the future it can be brought back in an ABI-safe way.
Bug: 161946584
Change-Id: I1c86735875631e9fc0031bab4e87e487298c45e4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 7d8f5ccc82 which is
commit d2c48b2387 upstream.
It breaks the Android kernel abi, so revert it for now. If it is needed
in the future it can be brought back in an ABI-safe way.
Bug: 161946584
Change-Id: I65e8ac1f57e138b38ba4e56a6595925e32029825
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 5.10.181
driver core: add a helper to setup both the of_node and fwnode of a device
drm/mipi-dsi: Set the fwnode for mipi_dsi_device
ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings
net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe()
linux/dim: Do nothing if no time delta between samples
net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().
netfilter: conntrack: fix possible bug_on with enable_hooks=1
netlink: annotate accesses to nlk->cb_running
net: annotate sk->sk_err write from do_recvmmsg()
net: deal with most data-races in sk_wait_event()
net: tap: check vlan with eth_type_vlan() method
net: add vlan_get_protocol_and_depth() helper
tcp: factor out __tcp_close() helper
tcp: add annotations around sk->sk_shutdown accesses
ipvlan:Fix out-of-bounds caused by unclear skb->cb
net: datagram: fix data-races in datagram_poll()
af_unix: Fix a data race of sk->sk_receive_queue->qlen.
af_unix: Fix data races around sk->sk_shutdown.
drm/i915/dp: prevent potential div-by-zero
fbdev: arcfb: Fix error handling in arcfb_probe()
ext4: remove an unused variable warning with CONFIG_QUOTA=n
ext4: reflect error codes from ext4_multi_mount_protect() to its callers
ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled
ext4: fix lockdep warning when enabling MMP
ext4: remove redundant mb_regenerate_buddy()
ext4: drop s_mb_bal_lock and convert protected fields to atomic
ext4: add mballoc stats proc file
ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
ext4: allow ext4_get_group_info() to fail
refscale: Move shutdown from wait_event() to wait_event_idle()
rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access
fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
drm/amd/display: Use DC_LOG_DC in the trasform pixel function
regmap: cache: Return error in cache sync operations for REGCACHE_NONE
arm64: dts: qcom: msm8996: Add missing DWC3 quirks
memstick: r592: Fix UAF bug in r592_remove due to race condition
firmware: arm_sdei: Fix sleep from invalid context BUG
ACPI: EC: Fix oops when removing custom query handlers
remoteproc: stm32_rproc: Add mutex protection for workqueue
drm/tegra: Avoid potential 32-bit integer overflow
ACPICA: Avoid undefined behavior: applying zero offset to null pointer
ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
drm/amd: Fix an out of bounds error in BIOS parser
wifi: ath: Silence memcpy run-time false positive warning
bpf: Annotate data races in bpf_local_storage
wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex
ext2: Check block size validity during mount
scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
net: pasemi: Fix return type of pasemi_mac_start_tx()
net: Catch invalid index in XPS mapping
scsi: target: iscsit: Free cmds before session free
lib: cpu_rmap: Avoid use after free on rmap->obj array entries
scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
gfs2: Fix inode height consistency check
ext4: set goal start correctly in ext4_mb_normalize_request
ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
f2fs: fix to drop all dirty pages during umount() if cp_error is set
samples/bpf: Fix fout leak in hbm's run_bpf_prog
wifi: iwlwifi: pcie: fix possible NULL pointer dereference
wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
null_blk: Always check queue mode setting from configfs
wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
wifi: ath11k: Fix SKB corruption in REO destination ring
ipvs: Update width of source for ip_vs_sync_conn_options
Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set
Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE
HID: logitech-hidpp: Don't use the USB serial for USB devices
HID: logitech-hidpp: Reconcile USB and Unifying serials
spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3
HID: wacom: generic: Set battery quirk only when we see battery data
usb: typec: tcpm: fix multiple times discover svids error
serial: 8250: Reinit port->pm on port specific driver unbind
mcb-pci: Reallocate memory region to avoid memory overlapping
sched: Fix KCSAN noinstr violation
recordmcount: Fix memory leaks in the uwrite function
RDMA/core: Fix multiple -Warray-bounds warnings
iommu/arm-smmu-qcom: Limit the SMR groups to 128
clk: tegra20: fix gcc-7 constant overflow warning
iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any
Input: xpad - add constants for GIP interface numbers
phy: st: miphy28lp: use _poll_timeout functions for waits
mfd: dln2: Fix memory leak in dln2_probe()
btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c
btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid
btrfs: fix space cache inconsistency after error loading it from disk
xfrm: don't check the default policy if the policy allows the packet
Revert "Fix XFRM-I support for nested ESP tunnels"
drm/msm/dp: unregister audio driver during unbind
drm/msm/dpu: Remove duplicate register defines from INTF
cpupower: Make TSC read per CPU for Mperf monitor
af_key: Reject optional tunnel/BEET mode templates in outbound policies
net: fec: Better handle pm_runtime_get() failing in .remove()
net: phy: dp83867: add w/a for packet errors seen with short cables
ALSA: firewire-digi00x: prevent potential use after free
ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15
vsock: avoid to close connected socket after the timeout
ipv4/tcp: do not use per netns ctl sockets
net: Find dst with sk's xfrm policy not ctl_sk
tcp: fix possible sk_priority leak in tcp_v4_send_reset()
serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
erspan: get the proto with the md version for collect_md
net: hns3: fix sending pfc frames after reset issue
net: hns3: fix reset delay time to avoid configuration timeout
media: netup_unidvb: fix use-after-free at del_timer()
SUNRPC: Fix trace_svc_register() call site
drm/exynos: fix g2d_open/close helper function definitions
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
net/tipc: fix tipc header files for kernel-doc
tipc: add tipc_bearer_min_mtu to calculate min mtu
tipc: do not update mtu if msg_max is too small in mtu negotiation
tipc: check the bearer min mtu properly when setting it by netlink
net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
net: bcmgenet: Restore phy_stop() depending upon suspend/close
wifi: mac80211: fix min center freq offset tracing
wifi: iwlwifi: mvm: don't trust firmware n_channels
scsi: storvsc: Don't pass unused PFNs to Hyper-V host
cassini: Fix a memory leak in the error handling path of cas_init_one()
igb: fix bit_shift to be in [1..8] range
vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
netfilter: nft_set_rbtree: fix null deref on element insertion
bridge: always declare tunnel functions
ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go
USB: usbtmc: Fix direction for 0-length ioctl control messages
usb-storage: fix deadlock when a scsi command timeouts more than once
USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
usb: dwc3: debugfs: Resume dwc3 before accessing registers
usb: gadget: u_ether: Fix host MAC address case
usb: typec: altmodes/displayport: fix pin_assignment_show
ALSA: hda: Fix Oops by 9.1 surround channel names
ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
ALSA: hda/realtek: Add quirk for Clevo L140AU
ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag
can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
can: kvaser_pciefd: Call request_irq() before enabling interrupts
can: kvaser_pciefd: Empty SRB buffer in probe
can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
can: kvaser_pciefd: Disable interrupts in probe error path
statfs: enforce statfs[64] structure initialization
serial: Add support for Advantech PCI-1611U card
vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
ceph: force updating the msg pointer in non-split case
tpm/tpm_tis: Disable interrupts for more Lenovo devices
powerpc/64s/radix: Fix soft dirty tracking
nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
HID: wacom: Force pen out of prox if no events have been received in a while
HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs
HID: wacom: add three styli to wacom_intuos_get_tool_type
KVM: arm64: Link position-independent string routines into .hyp.text
serial: 8250_exar: derive nr_ports from PCI ID for Acces I/O cards
serial: exar: Add support for Sealevel 7xxxC serial cards
serial: 8250_exar: Add support for USR298x PCI Modems
s390/qdio: get rid of register asm
s390/qdio: fix do_sqbs() inline assembly constraint
watchdog: sp5100_tco: Immediately trigger upon starting.
ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15
writeback, cgroup: remove extra percpu_ref_exit()
net/sched: act_mirred: refactor the handle of xmit
net/sched: act_mirred: better wording on protection against excessive stack growth
act_mirred: use the backlog for nested calls to mirred ingress
spi: fsl-spi: Re-organise transfer bits_per_word adaptation
spi: fsl-cpm: Use 16 bit mode for large transfers with even size
ocfs2: Switch to security_inode_init_security()
ALSA: hda/ca0132: add quirk for EVGA X299 DARK
ALSA: hda: Fix unhandled register update during auto-suspend period
ALSA: hda/realtek: Enable headset onLenovo M70/M90
net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
m68k: Move signal frame following exception on 68020/030
parisc: Handle kgdb breakpoints only in kernel context
parisc: Allow to reboot machine after system halt
gpio: mockup: Fix mode of debugfs files
btrfs: use nofs when cleaning up aborted transactions
dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type
x86/mm: Avoid incomplete Global INVLPG flushes
selftests/memfd: Fix unknown type name build failure
parisc: Fix flush_dcache_page() for usage from irq context
x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms
debugobjects: Don't wake up kswapd from fill_pool()
fbdev: udlfb: Fix endpoint check
net: fix stack overflow when LRO is disabled for virtual interfaces
udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
USB: core: Add routines for endpoint checks in old drivers
USB: sisusbvga: Add endpoint checks
media: radio-shark: Add endpoint checks
net: fix skb leak in __skb_tstamp_tx()
selftests: fib_tests: mute cleanup error message
octeontx2-pf: Fix TSOv6 offload
bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
ipv6: Fix out-of-bounds access in ipv6_find_tlv()
power: supply: leds: Fix blink to LED on transition
power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
power: supply: bq27xxx: Fix I2C IRQ race on remove
power: supply: bq27xxx: Fix poll_interval handling and races on remove
power: supply: sbs-charger: Fix INHIBITED bit for Status reg
fs: fix undefined behavior in bit shift for SB_NOUSER
coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
x86/show_trace_log_lvl: Ensure stack pointer is aligned, again
ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg
forcedeth: Fix an error handling path in nv_probe()
net/mlx5e: do as little as possible in napi poll when budget is 0
net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs
net/mlx5: Fix error message when failing to allocate device memory
net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay
3c589_cs: Fix an error handling path in tc589_probe()
net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE
Linux 5.10.181
Change-Id: Iaad0b0bb7c1ad061b28ad4ee16e03db935241177
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 3f225f29c6 which is
commit 59b37fe52f upstream.
It breaks some test systems, so obviously the backport to 5.10.y wasn't
quite correct :(
Revert it for now until this can be figured out better.
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I1071c357225a8b41f15767a27b5c56cf94d7a5f7
Changes in 5.10.180
seccomp: Move copy_seccomp() to no failure path.
counter: 104-quad-8: Fix race condition between FLAG and CNTR reads
KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
bluetooth: Perform careful capability checks in hci_sock_ioctl()
x86/fpu: Prevent FPU state corruption
USB: serial: option: add UNISOC vendor and TOZED LT70C product
driver core: Don't require dynamic_debug for initcall_debug probe timing
iio: adc: palmas_gpadc: fix NULL dereference on rmmod
ASoC: Intel: bytcr_rt5640: Add quirk for the Acer Iconia One 7 B1-750
asm-generic/io.h: suppress endianness warnings for readq() and writeq()
wireguard: timers: cast enum limits members to int in prints
PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock
PCI: qcom: Fix the incorrect register usage in v2.7.0 config
USB: dwc3: fix runtime pm imbalance on probe errors
USB: dwc3: fix runtime pm imbalance on unbind
hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write
hwmon: (adt7475) Use device_property APIs when configuring polarity
posix-cpu-timers: Implement the missing timer_wait_running callback
perf sched: Cast PTHREAD_STACK_MIN to int as it may turn into sysconf(__SC_THREAD_STACK_MIN_VALUE)
blk-mq: release crypto keyslot before reporting I/O complete
blk-crypto: make blk_crypto_evict_key() return void
blk-crypto: make blk_crypto_evict_key() more robust
ext4: use ext4_journal_start/stop for fast commit transactions
staging: iio: resolver: ads1210: fix config mode
xhci: fix debugfs register accesses while suspended
tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem
MIPS: fw: Allow firmware to pass a empty env
ipmi:ssif: Add send_retries increment
ipmi: fix SSIF not responding under certain cond.
kheaders: Use array declaration instead of char
pwm: meson: Fix axg ao mux parents
pwm: meson: Fix g12a ao clk81 name
ring-buffer: Sync IRQ works before buffer destruction
crypto: api - Demote BUG_ON() in crypto_unregister_alg() to a WARN_ON()
crypto: safexcel - Cleanup ring IRQ workqueues on load failure
rcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed
reiserfs: Add security prefix to xattr name in reiserfs_security_write()
KVM: nVMX: Emulate NOPs in L2, and PAUSE if it's not intercepted
relayfs: fix out-of-bounds access in relay_file_read
writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs
i2c: omap: Fix standard mode false ACK readings
iommu/amd: Fix "Guest Virtual APIC Table Root Pointer" configuration in IRTE
Revert "ubifs: dirty_cow_znode: Fix memleak in error handling path"
ubifs: Fix memleak when insert_old_idx() failed
ubi: Fix return value overwrite issue in try_write_vid_and_data()
ubifs: Free memory for tmpfile name
sound/oss/dmasound: fix build when drivers are mixed =y/=m
parisc: Fix argument pointer in real64_call_asm()
nilfs2: do not write dirty data after degenerating to read-only
nilfs2: fix infinite loop in nilfs_mdt_get_block()
md/raid10: fix null-ptr-deref in raid10_sync_request
mailbox: zynqmp: Fix IPI isr handling
mailbox: zynqmp: Fix typo in IPI documentation
wifi: rtl8xxxu: RTL8192EU always needs full init
clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent
rcu: Fix missing TICK_DEP_MASK_RCU_EXP dependency check
selftests/resctrl: Return NULL if malloc_and_init_memory() did not alloc mem
selftests/resctrl: Check for return value after write_schemata()
selinux: fix Makefile dependencies of flask.h
selinux: ensure av_permissions.h is built when needed
tpm, tpm_tis: Do not skip reset of original interrupt vector
tpm, tpm_tis: Claim locality before writing TPM_INT_ENABLE register
tpm, tpm_tis: Disable interrupts if tpm_tis_probe_irq() failed
tpm, tpm_tis: Claim locality before writing interrupt registers
tpm, tpm: Implement usage counter for locality
tpm, tpm_tis: Claim locality when interrupts are reenabled on resume
erofs: stop parsing non-compact HEAD index if clusterofs is invalid
erofs: fix potential overflow calculating xattr_isize
drm/rockchip: Drop unbalanced obj unref
drm/vgem: add missing mutex_destroy
drm/probe-helper: Cancel previous job before starting new one
soc: ti: pm33xx: Enable basic PM runtime support for genpd
soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe
arm64: dts: renesas: r8a77990: Remove bogus voltages from OPP table
arm64: dts: renesas: r8a774c0: Remove bogus voltages from OPP table
drm/msm/disp/dpu: check for crtc enable rather than crtc active to release shared resources
EDAC/skx: Fix overflows on the DRAM row address mapping arrays
arm64: dts: qcom: msm8998: Fix stm-stimulus-base reg name
arm64: dts: qcom: sdm845: correct dynamic power coefficients
arm64: dts: qcom: sdm845: Fix the PCI I/O port range
arm64: dts: qcom: msm8998: Fix the PCI I/O port range
arm64: dts: qcom: ipq8074: Fix the PCI I/O port range
arm64: dts: qcom: msm8996: Fix the PCI I/O port range
ARM: dts: qcom: ipq4019: Fix the PCI I/O port range
ARM: dts: qcom: ipq8064: reduce pci IO size to 64K
ARM: dts: qcom: ipq8064: Fix the PCI I/O port range
x86/MCE/AMD: Use an u64 for bank_map
media: bdisp: Add missing check for create_workqueue
firmware: qcom_scm: Clear download bit during reboot
drm/bridge: adv7533: Fix adv7533_mode_valid for adv7533 and adv7535
media: max9286: Free control handler
drm/msm/adreno: Defer enabling runpm until hw_init()
drm/msm/adreno: drop bogus pm_runtime_set_active()
drm: msm: adreno: Disable preemption on Adreno 510
ACPI: processor: Fix evaluating _PDC method when running as Xen dom0
mmc: sdhci-of-esdhc: fix quirk to ignore command inhibit for data
ARM: dts: gta04: fix excess dma channel usage
drm/lima/lima_drv: Add missing unwind goto in lima_pdev_probe()
regulator: core: Consistently set mutex_owner when using ww_mutex_lock_slow()
regulator: core: Avoid lockdep reports when resolving supplies
x86/apic: Fix atomic update of offset in reserve_eilvt_offset()
media: rkvdec: fix use after free bug in rkvdec_remove
media: dm1105: Fix use after free bug in dm1105_remove due to race condition
media: saa7134: fix use after free bug in saa7134_finidev due to race condition
media: rcar_fdp1: simplify error check logic at fdp_open()
media: rcar_fdp1: fix pm_runtime_get_sync() usage count
media: rcar_fdp1: Make use of the helper function devm_platform_ioremap_resource()
media: rcar_fdp1: Fix the correct variable assignments
media: rcar_fdp1: Fix refcount leak in probe and remove function
media: rc: gpio-ir-recv: Fix support for wake-up
media: venus: vdec: Fix non reliable setting of LAST flag
media: venus: vdec: Make decoder return LAST flag for sufficient event
media: venus: preserve DRC state across seeks
media: venus: vdec: Handle DRC after drain
media: venus: dec: Fix handling of the start cmd
regulator: stm32-pwr: fix of_iomap leak
x86/ioapic: Don't return 0 from arch_dynirq_lower_bound()
arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step
debugobject: Prevent init race with static objects
drm/i915: Make intel_get_crtc_new_encoder() less oopsy
tick/sched: Use tick_next_period for lockless quick check
tick/sched: Reduce seqcount held scope in tick_do_update_jiffies64()
tick/sched: Optimize tick_do_update_jiffies64() further
tick: Get rid of tick_period
tick/common: Align tick period with the HZ tick.
wifi: ath6kl: minor fix for allocation size
wifi: ath9k: hif_usb: fix memory leak of remain_skbs
wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list()
wifi: ath6kl: reduce WARN to dev_dbg() in callback
tools: bpftool: Remove invalid \' json escape
wifi: rtw88: mac: Return the original error from rtw_pwr_seq_parser()
wifi: rtw88: mac: Return the original error from rtw_mac_power_switch()
bpf: take into account liveness when propagating precision
bpf: fix precision propagation verbose logging
scm: fix MSG_CTRUNC setting condition for SO_PASSSEC
bpf: Remove misleading spec_v1 check on var-offset stack read
vlan: partially enable SIOCSHWTSTAMP in container
net/packet: annotate accesses to po->xmit
net/packet: convert po->origdev to an atomic flag
net/packet: convert po->auxdata to an atomic flag
scsi: target: Rename struct sense_info to sense_detail
scsi: target: Rename cmd.bad_sector to cmd.sense_info
scsi: target: Make state_list per CPU
scsi: target: Fix multiple LUN_RESET handling
scsi: target: iscsit: Fix TAS handling during conn cleanup
scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS
f2fs: handle dqget error in f2fs_transfer_project_quota()
f2fs: enforce single zone capacity
f2fs: apply zone capacity to all zone type
f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages()
crypto: caam - Clear some memory in instantiate_rng
crypto: sa2ul - Select CRYPTO_DES
wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_rfreg()
wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_reg()
net: qrtr: correct types of trace event parameters
selftests/bpf: Wait for receive in cg_storage_multi test
bpftool: Fix bug for long instructions in program CFG dumps
crypto: drbg - make drbg_prepare_hrng() handle jent instantiation errors
crypto: drbg - Only fail when jent is unavailable in FIPS mode
xsk: Fix unaligned descriptor validation
f2fs: fix to avoid use-after-free for cached IPU bio
scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()
net: ethernet: stmmac: dwmac-rk: fix optional phy regulator handling
bpf, sockmap: fix deadlocks in the sockhash and sockmap
nvme: handle the persistent internal error AER
nvme: fix async event trace event
nvme-fcloop: fix "inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage"
bpf, sockmap: Revert buggy deadlock fix in the sockhash and sockmap
md/raid10: fix leak of 'r10bio->remaining' for recovery
md/raid10: fix memleak for 'conf->bio_split'
md/raid10: fix memleak of md thread
wifi: iwlwifi: yoyo: Fix possible division by zero
wifi: iwlwifi: fw: move memset before early return
jdb2: Don't refuse invalidation of already invalidated buffers
wifi: iwlwifi: make the loop for card preparation effective
wifi: iwlwifi: mvm: check firmware response size
wifi: iwlwifi: fw: fix memory leak in debugfs
ixgbe: Allow flow hash to be set via ethtool
ixgbe: Enable setting RSS table to default values
bpf: Don't EFAULT for getsockopt with optval=NULL
netfilter: nf_tables: don't write table validation state without mutex
net/sched: sch_fq: fix integer overflow of "credit"
ipv4: Fix potential uninit variable access bug in __ip_make_skb()
Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
netlink: Use copy_to_user() for optval in netlink_getsockopt().
net: amd: Fix link leak when verifying config failed
tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.
ipmi: ASPEED_BT_IPMI_BMC: select REGMAP_MMIO instead of depending on it
pstore: Revert pmsg_lock back to a normal mutex
usb: host: xhci-rcar: remove leftover quirk handling
usb: dwc3: gadget: Change condition for processing suspend event
fpga: bridge: fix kernel-doc parameter description
iio: light: max44009: add missing OF device matching
spi: spi-imx: using pm_runtime_resume_and_get instead of pm_runtime_get_sync
spi: imx: Don't skip cleanup in remove's error path
usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
PCI: imx6: Install the fault handler only on compatible match
ASoC: es8316: Use IRQF_NO_AUTOEN when requesting the IRQ
ASoC: es8316: Handle optional IRQ assignment
linux/vt_buffer.h: allow either builtin or modular for macros
spi: qup: Don't skip cleanup in remove's error path
spi: fsl-spi: Fix CPM/QE mode Litte Endian
vmci_host: fix a race condition in vmci_host_poll() causing GPF
of: Fix modalias string generation
PCI/EDR: Clear Device Status after EDR error recovery
ia64: mm/contig: fix section mismatch warning/error
ia64: salinfo: placate defined-but-not-used warning
scripts/gdb: bail early if there are no clocks
scripts/gdb: bail early if there are no generic PD
coresight: etm_pmu: Set the module field
ASoC: fsl_mqs: move of_node_put() to the correct location
spi: cadence-quadspi: fix suspend-resume implementations
i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path
uapi/linux/const.h: prefer ISO-friendly __typeof__
sh: sq: Fix incorrect element size for allocating bitmap buffer
usb: gadget: tegra-xudc: Fix crash in vbus_draw
usb: chipidea: fix missing goto in `ci_hdrc_probe`
usb: mtu3: fix kernel panic at qmu transfer done irq handler
firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe
tty: serial: fsl_lpuart: adjust buffer length to the intended size
serial: 8250: Add missing wakeup event reporting
staging: rtl8192e: Fix W_DISABLE# does not work after stop/start
spmi: Add a check for remove callback when removing a SPMI driver
macintosh/windfarm_smu_sat: Add missing of_node_put()
powerpc/mpc512x: fix resource printk format warning
powerpc/wii: fix resource printk format warnings
powerpc/sysdev/tsi108: fix resource printk format warnings
macintosh: via-pmu-led: requires ATA to be set
powerpc/rtas: use memmove for potentially overlapping buffer copy
perf/core: Fix hardlockup failure caused by perf throttle
clk: at91: clk-sam9x60-pll: fix return value check
RDMA/siw: Fix potential page_array out of range access
RDMA/rdmavt: Delete unnecessary NULL check
workqueue: Rename "delayed" (delayed by active management) to "inactive"
workqueue: Fix hung time report of worker pools
rtc: omap: include header for omap_rtc_power_off_program prototype
RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()
rtc: meson-vrtc: Use ktime_get_real_ts64() to get the current time
power: supply: generic-adc-battery: fix unit scaling
clk: add missing of_node_put() in "assigned-clocks" property parsing
RDMA/siw: Remove namespace check from siw_netdev_event()
RDMA/cm: Trace icm_send_rej event before the cm state is reset
RDMA/srpt: Add a check for valid 'mad_agent' pointer
IB/hfi1: Fix SDMA mmu_rb_node not being evicted in LRU order
IB/hfi1: Add AIP tx traces
IB/hfi1: Add additional usdma traces
IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests
NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease
firmware: raspberrypi: Introduce devm_rpi_firmware_get()
input: raspberrypi-ts: Release firmware handle when not needed
Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe
RDMA/mlx5: Fix flow counter query via DEVX
SUNRPC: remove the maximum number of retries in call_bind_status
RDMA/mlx5: Use correct device num_ports when modify DC
clocksource/drivers/davinci: Fix memory leak in davinci_timer_register when init fails
openrisc: Properly store r31 to pt_regs on unhandled exceptions
ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline
leds: TI_LMU_COMMON: select REGMAP instead of depending on it
dmaengine: mv_xor_v2: Fix an error code.
leds: tca6507: Fix error handling of using fwnode_property_read_string
pwm: mtk-disp: Don't check the return code of pwmchip_remove()
pwm: mtk-disp: Adjust the clocks to avoid them mismatch
pwm: mtk-disp: Disable shadow registers before setting backlight values
phy: tegra: xusb: Add missing tegra_xusb_port_unregister for usb2_port and ulpi_port
dmaengine: dw-edma: Fix to change for continuous transfer
dmaengine: dw-edma: Fix to enable to issue dma request on DMA processing
dmaengine: at_xdmac: do not enable all cyclic channels
thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak in mtk_thermal_probe
mfd: tqmx86: Do not access I2C_DETECT register through io_base
mfd: tqmx86: Remove incorrect TQMx90UC board ID
mfd: tqmx86: Add support for TQMx110EB and TQMxE40x
mfd: tqmx86: Specify IO port register range more precisely
mfd: tqmx86: Correct board names for TQMxE39x
afs: Fix updating of i_size with dv jump from server
scripts/gdb: fix lx-timerlist for Python3
btrfs: scrub: reject unsupported scrub flags
s390/dasd: fix hanging blockdevice after request requeue
ia64: fix an addr to taddr in huge_pte_offset()
dm clone: call kmem_cache_destroy() in dm_clone_init() error path
dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path
dm flakey: fix a crash with invalid table line
dm ioctl: fix nested locking in table_clear() to remove deadlock concern
perf auxtrace: Fix address filter entire kernel size
perf intel-pt: Fix CYC timestamps after standalone CBR
arm64: Always load shadow stack pointer directly from the task struct
arm64: Stash shadow stack pointer in the task struct on interrupt
debugobject: Ensure pool refill (again)
sound/oss/dmasound: fix 'dmasound_setup' defined but not used
arm64: dts: qcom: sdm845: correct dynamic power coefficients
scsi: target: core: Avoid smp_processor_id() in preemptible code
netfilter: nf_tables: deactivate anonymous set from preparation phase
tty: create internal tty.h file
tty: audit: move some local functions out of tty.h
tty: move some internal tty lock enums and functions out of tty.h
tty: move some tty-only functions to drivers/tty/tty.h
tty: clean include/linux/tty.h up
tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH
ring-buffer: Ensure proper resetting of atomic variables in ring_buffer_reset_online_cpus
crypto: ccp - Clear PSP interrupt status register before calling handler
mailbox: zynq: Switch to flexible array to simplify code
mailbox: zynqmp: Fix counts of child nodes
dm verity: skip redundant verity_handle_err() on I/O errors
dm verity: fix error handling for check_at_most_once on FEC
scsi: qedi: Fix use after free bug in qedi_remove()
net/ncsi: clear Tx enable mode when handling a Config required AEN
net/sched: cls_api: remove block_cb from driver_list before freeing
sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()
net: dsa: mv88e6xxx: add mv88e6321 rsvd2cpu
writeback: fix call of incorrect macro
watchdog: dw_wdt: Fix the error handling path of dw_wdt_drv_probe()
net/sched: act_mirred: Add carrier check
sfc: Fix module EEPROM reporting for QSFP modules
rxrpc: Fix hard call timeout units
octeontx2-pf: Disable packet I/O for graceful exit
octeontx2-vf: Detach LF resources on probe cleanup
ionic: remove noise from ethtool rxnfc error msg
af_packet: Don't send zero-byte data in packet_sendmsg_spkt().
drm/amdgpu: add a missing lock for AMDGPU_SCHED
ALSA: caiaq: input: Add error handling for unsupported input methods in `snd_usb_caiaq_input_init`
net: dsa: mt7530: fix corrupt frames using trgmii on 40 MHz XTAL MT7621
virtio_net: split free_unused_bufs()
virtio_net: suppress cpu stall when free_unused_bufs
net: enetc: check the index of the SFI rather than the handle
perf vendor events power9: Remove UTF-8 characters from JSON files
perf pmu: zfree() expects a pointer to a pointer to zero it after freeing its contents
perf map: Delete two variable initialisations before null pointer checks in sort__sym_from_cmp()
crypto: sun8i-ss - Fix a test in sun8i_ss_setup_ivs()
perf symbols: Fix return incorrect build_id size in elf_read_build_id()
btrfs: fix btrfs_prev_leaf() to not return the same key twice
btrfs: don't free qgroup space unless specified
btrfs: print-tree: parent bytenr must be aligned to sector size
cifs: fix pcchunk length type in smb2_copychunk_range
platform/x86: touchscreen_dmi: Add upside-down quirk for GDIX1002 ts on the Juno Tablet
platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i
inotify: Avoid reporting event with invalid wd
sh: math-emu: fix macro redefined warning
sh: mcount.S: fix build error when PRINTK is not enabled
sh: init: use OF_EARLY_FLATTREE for early init
sh: nmi_debug: fix return value of __setup handler
remoteproc: stm32: Call of_node_put() on iteration error
remoteproc: st: Call of_node_put() on iteration error
ARM: dts: exynos: fix WM8960 clock name in Itop Elite
ARM: dts: s5pv210: correct MIPI CSIS clock name
f2fs: fix potential corruption when moving a directory
drm/panel: otm8009a: Set backlight parent to panel device
drm/amdgpu: fix an amdgpu_irq_put() issue in gmc_v9_0_hw_fini()
drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras
drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend
HID: wacom: Set a default resolution for older tablets
HID: wacom: insert timestamp to packed Bluetooth (BT) events
KVM: x86: hyper-v: Avoid calling kvm_make_vcpus_request_mask() with vcpu_mask==NULL
KVM: x86: do not report a vCPU as preempted outside instruction boundaries
ext4: fix WARNING in mb_find_extent
ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
ext4: fix data races when using cached status extents
ext4: check iomap type only if ext4_iomap_begin() does not fail
ext4: improve error recovery code paths in __ext4_remount()
ext4: fix deadlock when converting an inline directory in nojournal mode
ext4: add bounds checking in get_max_inline_xattr_value_size()
ext4: bail out of ext4_xattr_ibody_get() fails for any reason
ext4: remove a BUG_ON in ext4_mb_release_group_pa()
ext4: fix invalid free tracking in ext4_xattr_move_to_block()
serial: 8250: Fix serial8250_tx_empty() race with DMA Tx
drbd: correctly submit flush bio on barrier
KVM: x86: Ensure PV TLB flush tracepoint reflects KVM behavior
KVM: x86: Fix recording of guest steal time / preempted status
KVM: Fix steal time asm constraints
KVM: x86: Remove obsolete disabling of page faults in kvm_arch_vcpu_put()
KVM: x86: do not set st->preempted when going back to user space
KVM: x86: revalidate steal time cache if MSR value changes
KVM: x86: do not report preemption if the steal time cache is stale
KVM: x86: move guest_pv_has out of user_access section
printk: declare printk_deferred_{enter,safe}() in include/linux/printk.h
drm/exynos: move to use request_irq by IRQF_NO_AUTOEN flag
mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock
drm/amd/display: Fix hang when skipping modeset
Linux 5.10.180
Change-Id: Ie0c8ae79d56d844ec23ec277d91d4c70c3e1e9a8
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 04c55383fa ]
In the event of a failure in tcf_change_indev(), u32_set_parms() will
immediately return without decrementing the recently incremented
reference counter. If this happens enough times, the counter will
rollover and the reference freed, leading to a double free which can be
used to do 'bad things'.
In order to prevent this, move the point of possible failure above the
point where the reference counter is incremented. Also save any
meaningful return values to be applied to the return data at the
appropriate point in time.
This issue was caught with KASAN.
Bug: 273251569
Fixes: 705c709126 ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 07f9cc229b)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I95524bfda9a08a40b3d54515e528419dba18dc55
Vatsal Parasrampuria