mirror of
https://github.com/hardkernel/linux.git
synced 2026-06-05 10:31:46 +09:00
d0af2ae8d5b806eeb16b453e0cc136cedd078aed
1164767 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Greg Kroah-Hartman
|
d0af2ae8d5 |
Merge 6.1.109 into android14-6.1-lts
Changes in 6.1.109 drm: panel-orientation-quirks: Add quirk for OrangePi Neo scsi: ufs: core: Bypass quick recovery if force reset is needed ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown ALSA: hda/conexant: Mute speakers at suspend / shutdown i2c: Fix conditional for substituting empty ACPI functions dma-debug: avoid deadlock between dma debug vs printk and netconsole net: usb: qmi_wwan: add MeiG Smart SRM825L ASoC: amd: yc: Support mic on Lenovo Thinkpad E14 Gen 6 mptcp: make pm_remove_addrs_and_subflows static mptcp: pm: fix RM_ADDR ID for the initial subflow PCI/MSI: Fix UAF in msi_capability_init f2fs: fix to truncate preallocated blocks in f2fs_file_open() mptcp: pm: fullmesh: select the right ID later mptcp: pm: avoid possible UaF when selecting endp mptcp: pm: reuse ID 0 after delete and re-add mptcp: pm: fix ID 0 endp usage after multiple re-creations selftests: mptcp: join: validate fullmesh endp on 1st sf selftests: mptcp: join: check re-using ID of closed subflow selftests: mptcp: add explicit test case for remove/readd selftests: mptcp: join: test for flush/re-add endpoints selftests: mptcp: join: check re-using ID of unused ADD_ADDR selftests: mptcp: join: check re-adding init endp with != id mptcp: pr_debug: add missing \n at the end mptcp: avoid duplicated SUB_CLOSED events selftests: mptcp: join: check removing ID 0 endpoint selftests: mptcp: join: no extra msg if no counter selftests: mptcp: join: check re-re-adding ID 0 endp selftests: mptcp: join: cannot rm sf if closed drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr drm/amd/display: Assign linear_pitch_alignment even for VM drm/amdgpu: fix overflowed array index read warning drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc drm/amd/pm: fix uninitialized variable warning drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr drm/amd/pm: fix warning using uninitialized value of max_vid_step drm/amd/pm: Fix negative array index read drm/amd/pm: fix the Out-of-bounds read warning drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr drm/amdgpu: avoid reading vf2pf info size from FB drm/amd/display: Check gpio_id before used as array index drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 drm/amd/display: Add array index check for hdcp ddc access drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[] drm/amd/display: Check msg_id before processing transcation drm/amd/display: Fix Coverity INTEGER_OVERFLOW within dal_gpio_service_create drm/amd/display: Spinlock before reading event drm/amd/display: Ensure index calculation will not overflow drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration drm/amd/amdgpu: Check tbo resource pointer drm/amd/pm: fix uninitialized variable warnings for vangogh_ppt drm/amdgpu/pm: Fix uninitialized variable warning for smu10 drm/amdgpu/pm: Fix uninitialized variable agc_btc_response drm/amdgpu: Fix out-of-bounds write warning drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number drm/amdgpu: fix ucode out-of-bounds read warning drm/amdgpu: fix mc_data out-of-bounds read warning drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device apparmor: fix possible NULL pointer dereference wifi: ath11k: initialize 'ret' in ath11k_qmi_load_file_target_mem() drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy SOCs drm/amdgpu: fix dereference after null check drm/amdgpu: fix the waring dereferencing hive drm/amd/pm: check specific index for aldebaran drm/amdgpu: the warning dereferencing obj for nbio_v7_4 drm/amd/pm: check negtive return for table entries wifi: rtw89: ser: avoid multiple deinit on same CAM drm/amdgpu: update type of buf size to u32 for eeprom functions wifi: iwlwifi: remove fw_running op cpufreq: scmi: Avoid overflow of target_freq in fast switch PCI: al: Check IORESOURCE_BUS existence during probe hwspinlock: Introduce hwspin_lock_bust() RDMA/efa: Properly handle unexpected AQ completions ionic: fix potential irq name truncation pwm: xilinx: Fix u32 overflow issue in 32-bit width PWM mode. rcu/nocb: Remove buggy bypass lock contention mitigation usbip: Don't submit special requests twice usb: typec: ucsi: Fix null pointer dereference in trace fsnotify: clear PARENT_WATCHED flags lazily regmap: spi: Fix potential off-by-one when calculating reserved size smack: tcp: ipv4, fix incorrect labeling net/mlx5e: SHAMPO, Fix incorrect page release drm/meson: plane: Add error handling drm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ dmaengine: altera-msgdma: use irq variant of spin_lock/unlock while invoking callbacks dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor hwmon: (k10temp) Check return value of amd_smn_read() wifi: cfg80211: make hash table duplicates more survivable driver: iio: add missing checks on iio_info's callback access block: remove the blk_flush_integrity call in blk_integrity_unregister drm/amd/display: added NULL check at start of dc_validate_stream drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX drm/amd/display: Skip wbscl_set_scaler_filter if filter is null media: uvcvideo: Enforce alignment of frame and interval virtio_net: Fix napi_skb_cache_put warning Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm Bluetooth: SCO: fix sco_conn related locking and validity issues ext4: fix inode tree inconsistency caused by ENOMEM udf: Limit file size to 4TB ext4: reject casefold inode flag without casefold feature ext4: handle redirtying in ext4_bio_write_page() i2c: Use IS_REACHABLE() for substituting empty ACPI functions Linux 6.1.109 Change-Id: If689bfd671fb92d4092b9221d742121d3f3d669e Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
c59cc7f298 |
Merge 6.1.108 into android14-6.1-lts
Changes in 6.1.108 drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc LoongArch: Remove the unused dma-direct.h btrfs: run delayed iputs when flushing delalloc smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins pinctrl: single: fix potential NULL dereference in pcs_get_function() of: Add cleanup.h based auto release via __free(device_node) markings wifi: wfx: repair open network AP mode wifi: mwifiex: duplicate static structs used in driver instances net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response mptcp: close subflow when receiving TCP+FIN mptcp: sched: check both backup in retrans mptcp: pm: skip connecting to already established sf mptcp: pm: reset MPC endp ID when re-added mptcp: pm: send ACK on an active subflow mptcp: pm: do not remove already closed subflows mptcp: pm: ADD_ADDR 0 is not a new address drm/amdgpu: align pp_power_profile_mode with kernel docs drm/amdgpu/swsmu: always force a state reprogram on init ata: libata-core: Fix null pointer dereference on error usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration" mmc: Avoid open coding by using mmc_op_tuning() mmc: mtk-sd: receive cmd8 data when hs400 tuning fail mptcp: unify pm get_local_id interfaces mptcp: pm: remove mptcp_pm_remove_subflow() mptcp: pm: only mark 'subflow' endp as available mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR of: Introduce for_each_*_child_of_node_scoped() to automate of_node_put() handling thermal: of: Fix OF node leak in thermal_of_trips_init() error path thermal: of: Fix OF node leak in of_thermal_zone_find() error paths ASoC: amd: acp: fix module autoloading ASoC: SOF: amd: Fix for acp init sequence pinctrl: mediatek: common-v2: Fix broken bias-disable for PULL_PU_PD_RSEL_TYPE mm: Fix missing folio invalidation calls during truncation btrfs: fix extent map use-after-free when adding pages to compressed bio soundwire: stream: fix programming slave ports for non-continous port maps phy: xilinx: add runtime PM support phy: xilinx: phy-zynqmp: dynamic clock support for power-save phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume dmaengine: dw: Add peripheral bus width verification dmaengine: dw: Add memory bus width verification Bluetooth: hci_core: Fix not handling hibernation actions iommu: Do not return 0 from map_pages if it doesn't do anything netfilter: nf_tables: restore IP sanity checks for netdev/egress wifi: iwlwifi: fw: fix wgds rev 3 exact size ethtool: check device is present when getting link settings netfilter: nf_tables_ipv6: consider network offset in netdev/egress validation selftests: forwarding: no_forwarding: Down ports on cleanup selftests: forwarding: local_termination: Down ports on cleanup bonding: implement xdo_dev_state_free and call it after deletion gtp: fix a potential NULL pointer dereference sctp: fix association labeling in the duplicate COOKIE-ECHO case drm/amd/display: avoid using null object of framebuffer net: busy-poll: use ktime_get_ns() instead of local_clock() nfc: pn533: Add poll mod list filling check soc: qcom: cmd-db: Map shared memory as WC, not WB cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller USB: serial: option: add MeiG Smart SRM825L usb: dwc3: omap: add missing depopulate in probe error path usb: dwc3: core: Prevent USB core invalid event buffer address access usb: dwc3: st: fix probed platform device ref count on probe error path usb: dwc3: st: add missing depopulate in probe error path usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function usb: cdnsp: fix for Link TRB with TC phy: zynqmp: Enable reference clock correctly igc: Fix reset adapter logics when tx mode change igc: Fix qbv tx latency by setting gtxoffset scsi: aacraid: Fix double-free on probe failure apparmor: fix policy_unpack_test on big endian systems fbdev: offb: fix up missing cleanup.h Linux 6.1.108 Change-Id: I8ef0e85c12e4e2ecccaf467f40d86c559db7d007 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
db06d215a8 |
Revert "posix-timers: Ensure timer ID search-loop limit is valid"
This reverts commit |
||
|
Greg Kroah-Hartman
|
3e3e85a2c0 |
Revert "pid: Replace struct pid 1-element array with flex-array"
This reverts commit |
||
|
Greg Kroah-Hartman
|
524ae3c9d3 |
Merge 6.1.107 into android14-6.1-lts
Changes in 6.1.107
tty: atmel_serial: use the correct RTS flag.
fuse: Initialize beyond-EOF page contents before setting uptodate
char: xillybus: Don't destroy workqueue from work item running on it
char: xillybus: Refine workqueue handling
char: xillybus: Check USB endpoints when probing device
ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET
ALSA: usb-audio: Support Yamaha P-125 quirk entry
xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
thunderbolt: Mark XDomain as unplugged when router is removed
s390/dasd: fix error recovery leading to data corruption on ESE devices
riscv: change XIP's kernel_map.size to be size of the entire kernel
arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE
dm resume: don't return EINVAL when signalled
dm persistent data: fix memory allocation failure
vfs: Don't evict inode under the inode lru traversing context
fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()
s390/cio: rename bitmap_size() -> idset_bitmap_size()
btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
bitmap: introduce generic optimized bitmap_size()
fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume
rtla/osnoise: Prevent NULL dereference in error handling
fs/netfs/fscache_cookie: add missing "n_accesses" check
selinux: fix potential counting error in avc_add_xperms_decision()
mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu
btrfs: zoned: properly take lock to read/update block group's zoned variables
btrfs: tree-checker: add dev extent item checks
drm/amdgpu: Actually check flags for all context ops.
memcg_write_event_control(): fix a user-triggerable oops
drm/amdgpu/jpeg2: properly set atomics vmid field
s390/uv: Panic for set and remove shared access UVC errors
bpf: Fix updating attached freplace prog in prog_array map
nilfs2: prevent WARNING in nilfs_dat_commit_end()
ext4, jbd2: add an optimized bmap for the journal inode
9P FS: Fix wild-memory-access write in v9fs_get_acl
nilfs2: initialize "struct nilfs_binfo_dat"->bi_pad field
mm: khugepaged: fix kernel BUG in hpage_collapse_scan_file()
bpf: Split off basic BPF verifier log into separate file
bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log
posix-timers: Ensure timer ID search-loop limit is valid
pid: Replace struct pid 1-element array with flex-array
gfs2: Rename remaining "transaction" glock references
gfs2: Rename the {freeze,thaw}_super callbacks
gfs2: Rename gfs2_freeze_lock{ => _shared }
gfs2: Rename SDF_{FS_FROZEN => FREEZE_INITIATOR}
gfs2: Rework freeze / thaw logic
gfs2: Stop using gfs2_make_fs_ro for withdraw
Bluetooth: Fix hci_link_tx_to RCU lock usage
wifi: mac80211: take wiphy lock for MAC addr change
wifi: mac80211: fix change_address deadlock during unregister
net: sched: Print msecs when transmit queue time out
net: don't dump stack on queue timeout
jfs: fix shift-out-of-bounds in dbJoin
squashfs: squashfs_read_data need to check if the length is 0
Squashfs: fix variable overflow triggered by sysbot
reiserfs: fix uninit-value in comp_keys
erofs: avoid debugging output for (de)compressed data
quota: Detect loops in quota tree
net:rds: Fix possible deadlock in rds_message_put
net: sctp: fix skb leak in sctp_inq_free()
pppoe: Fix memory leak in pppoe_sendmsg()
wifi: mac80211: fix and simplify unencrypted drop check for mesh
wifi: cfg80211: move A-MSDU check in ieee80211_data_to_8023_exthdr
wifi: cfg80211: factor out bridge tunnel / RFC1042 header check
wifi: mac80211: remove mesh forwarding congestion check
wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces
wifi: mac80211: add a workaround for receiving non-standard mesh A-MSDU
wifi: cfg80211: check A-MSDU format more carefully
docs/bpf: Document BPF_MAP_TYPE_LPM_TRIE map
bpf: Replace bpf_lpm_trie_key 0-length array with flexible array
bpf: Avoid kfree_rcu() under lock in bpf_lpm_trie.
Bluetooth: RFCOMM: Fix not validating setsockopt user input
ext4: check the return value of ext4_xattr_inode_dec_ref()
ext4: fold quota accounting into ext4_xattr_inode_lookup_create()
ext4: do not create EA inode under buffer lock
udf: Fix bogus checksum computation in udf_rename()
bpf, net: Use DEV_STAT_INC()
fou: remove warn in gue_gro_receive on unsupported protocol
jfs: fix null ptr deref in dtInsertEntry
jfs: Fix shift-out-of-bounds in dbDiscardAG
fs/ntfs3: Do copy_to_user out of run_lock
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
igc: Correct the launchtime offset
igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer
net/mlx5e: Take state lock during tx timeout reporter
net/mlx5e: Correctly report errors for ethtool rx flows
atm: idt77252: prevent use after free in dequeue_rx()
net: axienet: Fix register defines comment description
net: dsa: vsc73xx: pass value in phy_write operation
net: dsa: vsc73xx: use read_poll_timeout instead delay loop
net: dsa: vsc73xx: check busy flag in MDIO operations
mlxbf_gige: Remove two unused function declarations
mlxbf_gige: disable RX filters until RX path initialized
mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size
netfilter: allow ipv6 fragments to arrive on different devices
netfilter: flowtable: initialise extack before use
netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
netfilter: nf_tables: Audit log dump reset after the fact
netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj
netfilter: nf_tables: Unconditionally allocate nft_obj_filter
netfilter: nf_tables: A better name for nft_obj_filter
netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx
netfilter: nf_tables: nft_obj_filter fits into cb->ctx
netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx
netfilter: nf_tables: Introduce nf_tables_getobj_single
netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests
net: hns3: fix wrong use of semaphore up
net: hns3: use the user's cfg after reset
net: hns3: fix a deadlock problem when config TC during resetting
ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7
drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored
ssb: Fix division by zero issue in ssb_calc_clock_rate
wifi: cfg80211: check wiphy mutex is held for wdev mutex
wifi: mac80211: fix BA session teardown race
mm: Remove kmem_valid_obj()
rcu: Dump memory object info if callback function is invalid
rcu: Eliminate rcu_gp_slow_unregister() false positive
wifi: cw1200: Avoid processing an invalid TIM IE
cgroup: Avoid extra dereference in css_populate_dir()
i2c: riic: avoid potential division by zero
RDMA/rtrs: Fix the problem of variable not initialized fully
s390/smp,mcck: fix early IPI handling
drm/bridge: tc358768: Attempt to fix DSI horizontal timings
i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out
i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer
drm/amdkfd: Move dma unmapping after TLB flush
media: radio-isa: use dev_name to fill in bus_info
staging: iio: resolver: ad2s1210: fix use before initialization
usb: gadget: uvc: cleanup request when not in correct state
drm/amd/display: Validate hw_points_num before using it
staging: ks7010: disable bh on tx_dev_lock
media: s5p-mfc: Fix potential deadlock on condlock
md/raid5-cache: use READ_ONCE/WRITE_ONCE for 'conf->log'
binfmt_misc: cleanup on filesystem umount
drm/tegra: Zero-initialize iosys_map
media: qcom: venus: fix incorrect return value
scsi: spi: Fix sshdr use
gfs2: setattr_chown: Add missing initialization
wifi: iwlwifi: abort scan when rfkill on but device enabled
wifi: iwlwifi: fw: Fix debugfs command sending
clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider
IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock
hwmon: (ltc2992) Avoid division by zero
kbuild: rust_is_available: normalize version matching
kbuild: rust_is_available: handle failures calling `$RUSTC`/`$BINDGEN`
rust: work around `bindgen` 0.69.0 issue
rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT
rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT
arm64: Fix KASAN random tag seed initialization
block: Fix lockdep warning in blk_mq_mark_tag_wait
drm/msm: Reduce fallout of fence signaling vs reclaim hangs
memory: tegra: Skip SID programming if SID registers aren't set
powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu
ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data
hwmon: (pc87360) Bounds check data->innr usage
drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode
Bluetooth: hci_conn: Check non NULL function before calling for HFP offload
gfs2: Refcounting fix in gfs2_thaw_super
nvmet-trace: avoid dereferencing pointer too early
ext4: do not trim the group with corrupted block bitmap
afs: fix __afs_break_callback() / afs_drop_open_mmap() race
fuse: fix UAF in rcu pathwalks
quota: Remove BUG_ON from dqget()
kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files
media: pci: cx23885: check cx23885_vdev_init() return
fs: binfmt_elf_efpic: don't use missing interpreter's properties
scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()
media: drivers/media/dvb-core: copy user arrays safely
net/sun3_82586: Avoid reading past buffer in debug output
drm/lima: set gp bus_stop bit before hard reset
hrtimer: Select housekeeping CPU during migration
virtiofs: forbid newlines in tags
clocksource/drivers/arm_global_timer: Guard against division by zero
netlink: hold nlk->cb_mutex longer in __netlink_dump_start()
md: clean up invalid BUG_ON in md_ioctl
x86: Increase brk randomness entropy for 64-bit systems
memory: stm32-fmc2-ebi: check regmap_read return value
parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367
powerpc/boot: Handle allocation failure in simple_realloc()
powerpc/boot: Only free if realloc() succeeds
btrfs: delayed-inode: drop pointless BUG_ON in __btrfs_remove_delayed_item()
btrfs: change BUG_ON to assertion when checking for delayed_node root
btrfs: tests: allocate dummy fs_info and root in test_find_delalloc()
btrfs: handle invalid root reference found in may_destroy_subvol()
btrfs: send: handle unexpected data in header buffer in begin_cmd()
btrfs: change BUG_ON to assertion in tree_move_down()
btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent()
f2fs: fix to do sanity check in update_sit_entry
usb: gadget: fsl: Increase size of name buffer for endpoints
nvme: clear caller pointer on identify failure
Bluetooth: bnep: Fix out-of-bound access
firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid
rtc: nct3018y: fix possible NULL dereference
net: hns3: add checking for vf id of mailbox
nvmet-tcp: do not continue for invalid icreq
NFS: avoid infinite loop in pnfs_update_layout.
openrisc: Call setup_memory() earlier in the init sequence
s390/iucv: fix receive buffer virtual vs physical address confusion
irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time
clocksource: Make watchdog and suspend-timing multiplication overflow safe
platform/x86: lg-laptop: fix %s null argument warning
usb: dwc3: core: Skip setting event buffers for host only controllers
fbdev: offb: replace of_node_put with __free(device_node)
irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
ext4: set the type of max_zeroout to unsigned int to avoid overflow
nvmet-rdma: fix possible bad dereference when freeing rsps
drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent
hrtimer: Prevent queuing of hrtimer without a function callback
gtp: pull network headers in gtp_dev_xmit()
media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
i2c: tegra: allow DVC support to be compiled out
i2c: tegra: allow VI support to be compiled out
i2c: tegra: Do not mark ACPI devices as irq safe
dm suspend: return -ERESTARTSYS instead of -EINTR
net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings
btrfs: replace sb::s_blocksize by fs_info::sectorsize
btrfs: send: allow cloning non-aligned extent if it ends at i_size
drm/amd/display: Adjust cursor position
platform/surface: aggregator: Fix warning when controller is destroyed in probe
drm/amdkfd: reserve the BO before validating it
Bluetooth: hci_core: Fix LE quote calculation
Bluetooth: SMP: Fix assumption of Central always being Initiator
net: dsa: tag_ocelot: do not rely on skb_mac_header() for VLAN xmit
net: dsa: tag_ocelot: call only the relevant portion of __skb_vlan_pop() on TX
net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection
net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q"
net: mscc: ocelot: serialize access to the injection/extraction groups
tc-testing: don't access non-existent variable on exception
selftests/net: synchronize udpgro tests' tx and rx connection
selftests: udpgro: report error when receive failed
tcp/dccp: bypass empty buckets in inet_twsk_purge()
tcp/dccp: do not care about families in inet_twsk_purge()
tcp: prevent concurrent execution of tcp_sk_exit_batch
net: mctp: test: Use correct skb for route input check
kcm: Serialise kcm_sendmsg() for the same socket.
netfilter: nft_counter: Disable BH in nft_counter_offload_stats().
netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
ip6_tunnel: Fix broken GRO
bonding: fix bond_ipsec_offload_ok return type
bonding: fix null pointer deref in bond_ipsec_offload_ok
bonding: fix xfrm real_dev null pointer dereference
bonding: fix xfrm state handling when clearing active slave
ice: Prepare legacy-rx for upcoming XDP multi-buffer support
ice: Add xdp_buff to ice_rx_ring struct
ice: Store page count inside ice_rx_buf
ice: Pull out next_to_clean bump out of ice_put_rx_buf()
ice: fix page reuse when PAGE_SIZE is over 8k
ice: fix ICE_LAST_OFFSET formula
dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()
net: dsa: mv88e6xxx: Fix out-of-bound access
netem: fix return value if duplicate enqueue fails
ipv6: prevent UAF in ip6_send_skb()
ipv6: fix possible UAF in ip6_finish_output2()
ipv6: prevent possible UAF in ip6_xmit()
netfilter: flowtable: validate vlan header
octeontx2-af: Fix CPT AF register offset calculation
net: xilinx: axienet: Always disable promiscuous mode
net: xilinx: axienet: Fix dangling multicast addresses
drm/msm/dpu: don't play tricks with debug macros
drm/msm/dp: fix the max supported bpp logic
drm/msm/dp: reset the link phy params before link training
drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails
mmc: mmc_test: Fix NULL dereference on allocation failure
Bluetooth: MGMT: Add error handling to pair_device()
scsi: core: Fix the return value of scsi_logical_block_count()
ksmbd: the buffer of smb2 query dir response has at least 1 byte
drm/amdgpu: Validate TA binary size
MIPS: Loongson64: Set timer mode in cpu-probe
HID: wacom: Defer calculation of resolution until resolution_code is known
HID: microsoft: Add rumble support to latest xbox controllers
Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3
Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination
cxgb4: add forgotten u64 ivlan cast before shift
KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
mmc: dw_mmc: allow biu and ciu clocks to defer
pmdomain: imx: wait SSAR when i.MX93 power domain on
mptcp: pm: re-using ID of unused removed ADD_ADDR
mptcp: pm: re-using ID of unused removed subflows
mptcp: pm: re-using ID of unused flushed subflows
mptcp: pm: only decrement add_addr_accepted for MPJ req
Revert "usb: gadget: uvc: cleanup request when not in correct state"
Revert "drm/amd/display: Validate hw_points_num before using it"
tcp: do not export tcp_twsk_purge()
hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()
ALSA: timer: Relax start tick time check for slave timer elements
mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0
mm/numa: no task_numa_fault() call if PMD is changed
mm/numa: no task_numa_fault() call if PTE is changed
nfsd: Simplify code around svc_exit_thread() call in nfsd()
nfsd: separate nfsd_last_thread() from nfsd_put()
NFSD: simplify error paths in nfsd_svc()
nfsd: call nfsd_last_thread() before final nfsd_put()
nfsd: drop the nfsd_put helper
nfsd: don't call locks_release_private() twice concurrently
nfsd: Fix a regression in nfsd_setattr()
Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO
drm/amdgpu/vcn: identify unified queue in sw init
drm/amdgpu/vcn: not pause dpg for unified queue
KVM: x86: fire timer when it is migrated and expired, and in oneshot mode
Revert "s390/dasd: Establish DMA alignment"
udp: allow header check for dodgy GSO_UDP_L4 packets.
gso: fix dodgy bit handling for GSO_UDP_L4
net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation
net: drop bad gso csum_start and offset in virtio_net_hdr
wifi: mac80211: add documentation for amsdu_mesh_control
wifi: mac80211: fix mesh path discovery based on unicast packets
wifi: mac80211: fix mesh forwarding
wifi: mac80211: fix flow dissection for forwarded packets
wifi: mac80211: fix receiving mesh packets in forwarding=0 networks
wifi: mac80211: drop bogus static keywords in A-MSDU rx
wifi: mac80211: fix potential null pointer dereference
wifi: cfg80211: fix receiving mesh packets without RFC1042 header
gfs2: Fix another freeze/thaw hang
gfs2: don't withdraw if init_threads() got interrupted
gfs2: Remove LM_FLAG_PRIORITY flag
gfs2: Remove freeze_go_demote_ok
udp: fix receiving fraglist GSO packets
ice: fix W=1 headers mismatch
Revert "jfs: fix shift-out-of-bounds in dbJoin"
net: change maximum number of UDP segments to 128
selftests: net: more strict check in net_helper
Input: MT - limit max slots
tools: move alignment-related macros to new <linux/align.h>
Linux 6.1.107
Change-Id: I11d18ae169b1e55f18f0dc2953df2dd3a1f25624
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
8f2e4ac396 |
Revert "cgroup: Make operations on the cgroup root_list RCU safe"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
b4c085bbdb |
Revert "cgroup: Move rcu_head up near the top of cgroup_root"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
4786dae0bb |
Merge 6.1.106 into android14-6.1-lts
Changes in 6.1.106 mptcp: pass addr to mptcp_pm_alloc_anno_list mptcp: pm: reduce indentation blocks mptcp: pm: don't try to create sf if alloc failed mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set selftests: mptcp: join: test both signal & subflow ASoC: topology: Clean up route loading ASoC: topology: Fix route memory corruption exec: Fix ToCToU between perm check and set-uid/gid usage LoongArch: Define __ARCH_WANT_NEW_STAT in unistd.h nfsd: move reply cache initialization into nfsd startup nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net NFSD: Refactor nfsd_reply_cache_free_locked() NFSD: Rename nfsd_reply_cache_alloc() NFSD: Replace nfsd_prune_bucket() NFSD: Refactor the duplicate reply cache shrinker NFSD: Rewrite synopsis of nfsd_percpu_counters_init() NFSD: Fix frame size warning in svc_export_parse() sunrpc: don't change ->sv_stats if it doesn't exist nfsd: stop setting ->pg_stats for unused stats sunrpc: pass in the sv_stats struct through svc_create_pooled sunrpc: remove ->pg_stats from svc_program sunrpc: use the struct net as the svc proc private nfsd: rename NFSD_NET_* to NFSD_STATS_* nfsd: expose /proc/net/sunrpc/nfsd in net namespaces nfsd: make all of the nfsd stats per-network namespace nfsd: remove nfsd_stats, make th_cnt a global counter nfsd: make svc_stat per-network namespace instead of global nvme/pci: Add APST quirk for Lenovo N60z laptop mptcp: fully established after ADD_ADDR echo on MPJ drm/i915/gem: Fix Virtual Memory mapping boundaries calculation cgroup: Make operations on the cgroup root_list RCU safe drm/i915: Add a function to mmap framebuffer obj drm/i915: Fix a NULL vs IS_ERR() bug drm/i915/gem: Adjust vma offset for framebuffer mmap offset binfmt_flat: Fix corruption when not offsetting data start cgroup: Move rcu_head up near the top of cgroup_root wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values KVM: arm64: Don't pass a TLBI level hint when zapping table entries media: Revert "media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()" Revert "ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error" Linux 6.1.106 Change-Id: Ibdd04313504f34a755a47f1db5def7869ce7882a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
0450b5433d |
ANDROID: fix up abi break in arm64 cpu_hwcaps
In commit |
||
|
Greg Kroah-Hartman
|
d747db6875 |
Merge 6.1.105 into android14-6.1-lts
Changes in 6.1.105 irqchip/mbigen: Fix mbigen node address layout platform/x86/intel/ifs: Gen2 Scan test support platform/x86/intel/ifs: Initialize union ifs_status to zero jump_label: Fix the fix, brown paper bags galore x86/mm: Fix pti_clone_pgtable() alignment assumption x86/mm: Fix pti_clone_entry_text() for i386 sctp: Fix null-ptr-deref in reuseport_add_sock(). net: usb: qmi_wwan: fix memory leak for not ip packets net: bridge: mcast: wait for previous gc cycles when removing port net: linkwatch: use system_unbound_wq Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register() l2tp: fix lockdep splat net: fec: Stop PPS on driver remove rcutorture: Fix rcu_torture_fwd_cb_cr() data race md: do not delete safemode_timer in mddev_suspend md/raid5: avoid BUG_ON() while continue reshape after reassembling block: change rq_integrity_vec to respect the iterator rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation clocksource/drivers/sh_cmt: Address race condition for clock events ACPI: battery: create alarm sysfs attribute atomically ACPI: SBS: manage alarm sysfs attribute through psy core wifi: nl80211: disallow setting special AP channel widths net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT af_unix: Don't retry after unix_state_lock_nested() in unix_stream_connect(). PCI: Add Edimax Vendor ID to pci_ids.h udf: prevent integer overflow in udf_bitmap_free_blocks() wifi: nl80211: don't give key data to userspace can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd btrfs: fix bitmap leak when loading free space cache on duplicate entry drm/amdgpu/pm: Fix the param type of set_power_profile_mode drm/amdgpu/pm: Fix the null pointer dereference for smu7 drm/amdgpu: Fix the null pointer dereference to ras_manager drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules drm/amdgpu: Add lock around VF RLCG interface drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr media: amphion: Remove lock in s_ctrl callback drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update drm/amd/display: Add null checker before passing variables media: uvcvideo: Ignore empty TS packets media: uvcvideo: Fix the bandwdith quirk on USB 3.x media: xc2028: avoid use-after-free in load_firmware_cb() ext4: fix uninitialized variable in ext4_inlinedir_to_tree jbd2: avoid memleak in jbd2_journal_write_metadata_buffer s390/sclp: Prevent release of buffer in I/O SUNRPC: Fix a race to wake a sync task bus: mhi: host: pci_generic: add support for Telit FE990 modem Revert "bpftool: Mount bpffs when pinmaps path not under the bpffs" profiling: remove profile=sleep support scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to 'raw_spinlock_t' irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq() sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime ext4: fix wrong unit use in ext4_mb_find_by_goal arm64: Add Neoverse-V2 part arm64: barrier: Restore spec_bar() macro arm64: cputype: Add Cortex-X4 definitions arm64: cputype: Add Neoverse-V3 definitions arm64: errata: Add workaround for Arm errata 3194386 and 3312417 arm64: cputype: Add Cortex-X3 definitions arm64: cputype: Add Cortex-A720 definitions arm64: cputype: Add Cortex-X925 definitions arm64: errata: Unify speculative SSBS errata logic arm64: errata: Expand speculative SSBS workaround arm64: cputype: Add Cortex-X1C definitions arm64: cputype: Add Cortex-A725 definitions arm64: errata: Expand speculative SSBS workaround (again) i2c: smbus: Improve handling of stuck alerts ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask ASoC: codecs: wsa881x: Correct Soundwire ports mask ASoC: codecs: wsa883x: parse port-mapping information ASoC: codecs: wsa883x: Correct Soundwire ports mask spi: spidev: Add missing spi_device_id for bh2228fv ASoC: SOF: Remove libraries from topology lookups i2c: smbus: Send alert notifications to all devices if source not found bpf: kprobe: remove unused declaring of bpf_kprobe_override kprobes: Fix to check symbol prefixes correctly i2c: qcom-geni: add desc struct to prepare support for I2C Master Hub variant i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume spi: spi-fsl-lpspi: Fix scldiv calculation ALSA: usb-audio: Re-add ScratchAmp quirk entries ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT drm/amd/display: Skip Recompute DSC Params if no Stream on Link drm/client: fix null pointer dereference in drm_client_modeset_probe ALSA: line6: Fix racy access to midibuf ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 usb: vhci-hcd: Do not drop references before new references are gained USB: serial: debug: do not echo input by default usb: gadget: core: Check for unset descriptor usb: gadget: u_serial: Set start_delayed during suspend usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed. scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic tick/broadcast: Move per CPU pointer access into the atomic section vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler ntp: Clamp maxerror and esterror to operating range torture: Enable clocksource watchdog with "tsc=watchdog" clocksource: Scale the watchdog read retries automatically clocksource: Fix brown-bag boolean thinko in cs_watchdog_read() driver core: Fix uevent_show() vs driver detach race ntp: Safeguard against time_constant overflow timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex() serial: core: check uartclk for zero to avoid divide by zero ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx kcov: properly check for softirq context irqchip/xilinx: Fix shift out of bounds genirq/irqdesc: Honor caller provided affinity in alloc_desc() power: supply: axp288_charger: Fix constant_charge_voltage writes power: supply: axp288_charger: Round constant_charge_voltage writes down tracing: Fix overflow in get_free_elt() padata: Fix possible divide-by-0 panic in padata_mt_helper() smb3: fix setting SecurityFlags when encryption is required btrfs: avoid using fixed char array size for tree names x86/mtrr: Check if fixed MTRRs exist before saving them sched/smt: Introduce sched_smt_present_inc/dec() helper sched/smt: Fix unbalance sched_smt_present dec/inc drm/bridge: analogix_dp: properly handle zero sized AUX transactions drm/dp_mst: Skip CSN if topology probing is not done yet drm/lima: Mark simple_ondemand governor as softdep drm/mgag200: Set DDC timeout in milliseconds drm/mgag200: Bind I2C lifetime to DRM device mptcp: mib: count MPJ with backup flag mptcp: export local_address mptcp: pm: fix backup support in signal endpoints selftests: mptcp: join: validate backup in MPJ selftests: mptcp: join: check backup support in signal endp mptcp: pm: deny endp with signal + subflow + port block: use the right type for stub rq_integrity_vec() Revert "drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update" mm: huge_memory: use !CONFIG_64BIT to relax huge page alignment on 32 bit machines btrfs: fix corruption after buffer fault in during direct IO append write ipv6: fix source address selection with route leak tools headers arm64: Sync arm64's cputype.h with the kernel sources mm/hugetlb: fix potential race in __update_and_free_hugetlb_folio() block: Call .limit_depth() after .hctx has been set block/mq-deadline: Fix the tag reservation code xfs: fix log recovery buffer allocation for the legacy h_size fixup netfilter: nf_tables: bail out if stateful expression provides no .clone netfilter: nf_tables: allow clone callbacks to sleep netfilter: nf_tables: prefer nft_chain_validate i2c: qcom-geni: fix missing clk_disable_unprepare() and geni_se_resources_off() btrfs: fix double inode unlock for direct IO sync writes Linux 6.1.105 Change-Id: I63c645dee46d43a3f1b166622e1858afba6ae3a8 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
2caf29dc67 |
Merge branch 'android14-6.1' into android14-6.1-lts
Merge the recent changes in android14-6.1 into android14-6.1-lts to catch up on abi changes and other issues fixed there already. Changes included in here are: * |
||
|
Anant Goel
|
5a912daf87 |
ANDROID: OPP: fix function args mismatch for dev_pm_opp_add in pm_opp.h
The function prototype for dev_pm_opp_add differs between a
configuration when CONFIG_PM_OPP is set versus when CONFIG_PM_OPP is not
set.
Fix this mismatch by aligning the function arguments for the dummy
dev_pm_opp_add with the non-dummy version.
Bug: 369659366
Fixes:
|
||
|
meitaogao
|
bcc435d374 |
ANDROID: GKI: Update KMI symbol list for ASR
INFO: 9 function symbol(s) added 'unsigned int kmem_cache_size(struct kmem_cache*)' 'void media_device_unregister_entity(struct media_entity*)' 'void* memset16(uint16_t*, uint16_t, size_t)' 'const char* const* v4l2_ctrl_get_menu(u32)' 'bool v4l2_ctrl_type_op_equal(const struct v4l2_ctrl*, union v4l2_ctrl_ptr, union v4l2_ctrl_ptr)' 'void v4l2_ctrl_type_op_init(const struct v4l2_ctrl*, u32, union v4l2_ctrl_ptr)' 'void v4l2_ctrl_type_op_log(const struct v4l2_ctrl*)' 'void v4l2_m2m_buf_done_and_job_finish(struct v4l2_m2m_dev*, struct v4l2_m2m_ctx*, enum vb2_buffer_state)' 'struct vb2_v4l2_buffer* v4l2_m2m_last_buf(struct v4l2_m2m_queue_ctx*)' Bug: 369670477 Change-Id: I5c3fa32e903685836b7812d33df8ddd6b2c65054 Signed-off-by: meitaogao <meitaogao@asrmicro.com> |
||
|
yipeng xiang
|
9e167c1c27 |
ANDROID: GKI: Export a symbol “next_arg” for honor
Export a symbol “next_arg” in android/abi_gki_aarch64_honor Bug: 368221985 Change-Id: I0bd8fc321752f0fa3d103b56510b33eadcb6e39b Signed-off-by: yipeng xiang <yipengxiang@honor.corp-partner.google.com> |
||
|
Stephen Hemminger
|
4dcae85afd |
BACKPORT: netem: fix return value if duplicate enqueue fails
[ Upstream commit c07ff8592d57ed258afee5a5e04991a48dbaf382 ] There is a bug in netem_enqueue() introduced by commit |
||
|
Kalesh Singh
|
f4bcd4ef0f |
ANDROID: 16K: Fixup padding vm_flags bits on VMA splits
In some cases VMAs are split without the mmap write lock held; later the lock is taken to fixup vm_flags of the original VMA. Since some uppper bits of vm_flags are used to encode the ELF padding ranges, they need to be modified on splits. This is usually handled correctly by __split_vma(). However in the above case, the flags get over witten later under the write lock. Preserve vm_flag bits on reset to correctly represent padding. Bug: 357901498 Change-Id: I1cb75419e614791a47cbdb0341373f619daf0bf2 Signed-off-by: Kalesh Singh <kaleshsingh@google.com> |
||
|
Kalesh Singh
|
9027204d5a |
ANDROID: 16K: Introduce pgsize_migration_inline.h
Introduce inline header to avoid circular dependency. This will be used in a subsequent patch. Also take opportunity to do some small noop refactor in vma_pad_pages() and split_pad_vma() for more robust code. Bug: 357901498 Change-Id: Ia5f447758d0d07ed3e1429ca1e35dcc0741cc22a Signed-off-by: Kalesh Singh <kaleshsingh@google.com> |
||
|
Carlos Llamas
|
03b93dc707 |
FROMLIST: binder: fix BINDER_WORK_FROZEN_BINDER debug logs
The BINDER_WORK_FROZEN_BINDER type is not handled in the binder_logs
entries and it shows up as "unknown work" when logged:
proc 649
context binder-test
thread 649: l 00 need_return 0 tr 0
ref 13: desc 1 node 8 s 1 w 0 d 0000000053c4c0c3
unknown work: type 10
This patch add the freeze work type and is now logged as such:
proc 637
context binder-test
thread 637: l 00 need_return 0 tr 0
ref 8: desc 1 node 3 s 1 w 0 d 00000000dc39e9c6
has frozen binder
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-5-cmllamas@google.com/
Change-Id: I06f888aa5218db19eeda79e315385506af09d9d5
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Carlos Llamas
|
9c6fdb6bf8 |
BACKPORT: FROMLIST: binder: fix freeze UAF in binder_release_work()
When a binder reference is cleaned up, any freeze work queued in the associated process should also be removed. Otherwise, the reference is freed while its ref->freeze.work is still queued in proc->work leading to a use-after-free issue as shown by the following KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0 Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211 CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: binder_release_work+0x398/0x3d0 binder_deferred_func+0xb60/0x109c process_one_work+0x51c/0xbd4 worker_thread+0x608/0xee8 Allocated by task 703: __kmalloc_cache_noprof+0x130/0x280 binder_thread_write+0xdb4/0x42a0 binder_ioctl+0x18f0/0x25ac __arm64_sys_ioctl+0x124/0x190 invoke_syscall+0x6c/0x254 Freed by task 211: kfree+0xc4/0x230 binder_deferred_func+0xae8/0x109c process_one_work+0x51c/0xbd4 worker_thread+0x608/0xee8 ================================================================== This commit fixes the issue by ensuring any queued freeze work is removed when cleaning up a binder reference. Fixes: d579b04a52a1 ("binder: frozen notification") Cc: stable@vger.kernel.org Signed-off-by: Carlos Llamas <cmllamas@google.com> Bug: 366003708 Link: https://lore.kernel.org/all/20240924184401.76043-4-cmllamas@google.com/ Change-Id: Icc40e7dd6157981f4adbea7243e55be118552321 [cmllamas: drop BINDER_STAT_FREEZE as it's not supported here] Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Carlos Llamas
|
07a43515b0 |
FROMLIST: binder: fix OOB in binder_add_freeze_work()
In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binder_deferred_release() which removes the nodes from the proc->nodes rbtree and adds them into binder_dead_nodes list. This leads to a broken iteration in binder_add_freeze_work() as rb_next() will use data from binder_dead_nodes, triggering an out-of-bounds access: ================================================================== BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124 Read of size 8 at addr ffffcb84285f7170 by task freeze/660 CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18 Hardware name: linux,dummy-virt (DT) Call trace: rb_next+0xfc/0x124 binder_add_freeze_work+0x344/0x534 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190 The buggy address belongs to the variable: binder_dead_nodes+0x10/0x40 [...] ================================================================== This is possible because proc->nodes (rbtree) and binder_dead_nodes (list) share entries in binder_node through a union: struct binder_node { [...] union { struct rb_node rb_node; struct hlist_node dead_node; }; Fix the race by checking that the proc is still alive. If not, simply break out of the iteration. Fixes: d579b04a52a1 ("binder: frozen notification") Cc: stable@vger.kernel.org Signed-off-by: Carlos Llamas <cmllamas@google.com> Bug: 366003708 Link: https://lore.kernel.org/all/20240924184401.76043-3-cmllamas@google.com/ Change-Id: I5ec9d49277a23b864862665b52213460750c535e Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Carlos Llamas
|
a26cde4055 |
FROMLIST: binder: fix node UAF in binder_add_freeze_work()
In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped in order to acquire the node->lock first (lock nesting order). This can race with binder_node_release() and trigger a use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff53c04c29dd04 by task freeze/640 CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_add_freeze_work+0x148/0x478 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190 Allocated by task 637: __kmalloc_cache_noprof+0x12c/0x27c binder_new_node+0x50/0x700 binder_transaction+0x35ac/0x6f74 binder_thread_write+0xfb8/0x42a0 binder_ioctl+0x18f0/0x25ac __arm64_sys_ioctl+0x124/0x190 Freed by task 637: kfree+0xf0/0x330 binder_thread_read+0x1e88/0x3a68 binder_ioctl+0x16d8/0x25ac __arm64_sys_ioctl+0x124/0x190 ================================================================== Fix the race by taking a temporary reference on the node before releasing the proc->inner lock. This ensures the node remains alive while in use. Fixes: d579b04a52a1 ("binder: frozen notification") Cc: stable@vger.kernel.org Signed-off-by: Carlos Llamas <cmllamas@google.com> Bug: 366003708 Link: https://lore.kernel.org/all/20240924184401.76043-2-cmllamas@google.com/ Change-Id: I47b053532dd4cd3424d35d6f254ca4d00c426411 Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Philip Chen
|
df571cd9f1 |
FROMGIT: virtio_pmem: Check device status before requesting flush
If a pmem device is in a bad status, the driver side could wait for host ack forever in virtio_pmem_flush(), causing the system to hang. So add a status check in the beginning of virtio_pmem_flush() to return early if the device is not activated. Signed-off-by: Philip Chen <philipchen@chromium.org> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Pankaj Gupta <pankaj.gupta.linux@gmail.com Bug: 358391069 Change-Id: I325e6f0ea047c4c5fa82cf4b590cbf7240f39b7b (cherry picked from commit e25fbcd97cf52c3c9824d44b5c56c19673c3dd50 https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master) Signed-off-by: Philip Chen <philipchen@google.com> |
||
|
Kever Yang
|
b2a0a8f709 |
ANDROID: GKI: update rockchip symbols sync with kernel update
INFO: 2 function symbol(s) added 'struct clk* devm_clk_get_enabled(struct device*, const char*)' 'int devm_regulator_bulk_get_enable(struct device*, int, const char* const*)' Bug: 300024866 Change-Id: Ib10dc7eb710fc09c185513ba8bf5789c2c7ef5d1 Signed-off-by: Kever Yang <kever.yang@rock-chips.com> |
||
|
Chenghao Zhao
|
83e7e0486e |
ANDROID: GKI: Update symbol list for honor
Update symbol list for honor in android/abi_gki_aarch64_honor Bug: 369259421 Change-Id: I6954293467a50a758b27444bf51b7205d68dd34d Signed-off-by: Chenghao Zhao <zhaochenghao@honor.com> |
||
|
Vilas Bhat
|
5c7d0d4f4a |
ANDROID: GKI: Update kernel_aarch64_16k build config to match kernel_aarch64
Test: Built & Flashed 16k page size kernel to Pixel 8a. Bug: 361155105 Change-Id: Ibfaa96aeabe627f99effc1ae8dbaf3e86156425e Signed-off-by: Vilas Bhat <vilasbhat@google.com> |
||
|
Chenghao Zhao
|
2cd8ac816d |
ANDROID: ABI: update symbol list for honor
2 function symbol(s) added 'int netdev_get_name(struct net*, char*, int)' 'void tcp_send_active_reset(struct sock*, gfp_t)' Bug: 334000512 Change-Id: I83507ca33d4547088b61c6f83cfb48cc94474185 Signed-off-by: Chenghao Zhao <zhaochenghao@honor.com> |
||
|
Dezhi Huang
|
b5ee53c64e |
ANDROID: Allow vendor modules perform more operationson on sock.
Export netdev_get_name, tcp_send_active_reset functions, allow vendor modules perform more operations on socks and improve users' online experience.When users browse websites or watch videos, we will sense the bad sock is on which device, so that the sock can be switched to another good device by us, so that the internet service will no longer be stuck. In a similar scenario, if the user downloads from multiple devices and the rate of one device is low,we can reset the TCP stream with a lower rate and establish it on the device with a higher rate. Bug: 334000512 Change-Id: I9ed90ea9fe6f3dc9f11ae1661ca9f2f5fdad5820 Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com> (cherry picked from commit 21614c79408f0342363db9874d315fbb3ff6553b) |
||
|
Yuxuan Yan
|
e64a80a096 |
ANDROID: GKI: update symbol list file for xiaomi
add 3 function:
android_vh_page_should_be_protected()
android_vh_page_referenced_check_bypass()
__page_mapcount()
Bug: 348285765
Change-Id: Idbcdf69693a3f4e83ada35aebf3f138648c73d10
Signed-off-by: Yuxuan Yan <yanyuxuan3@xiaomi.corp-partner.google.com>
|
||
|
Yuxuan Yan
|
530ff6a3e6 |
ANDROID: GKI: add vendor hooks android_vh_page_should_be_protected() and
android_vh_modify_scan_control().
add two vendor hooks:
android_vh_page_should_be_protected():protect pages from memory
reclaim.
android_vh_page_referenced_check_bypass():bypass rmap in active list
shrink.
The new vendor data field in scan_control are used to track how many
pages are protected in current reclaim and the "protected / scanned"
rate. These parameters are useful for understanding the impact of page
protection operations on LRU and reclaim, helping us make better
decsions.
Bug: 348285765
Change-Id: I49567a4b1f978821a94da0a8339b2b8fdfd52daf
Signed-off-by: Yuxuan Yan <yanyuxuan3@xiaomi.corp-partner.google.com>
|
||
|
Greg Kroah-Hartman
|
41e1c6f937 |
Merge tag 'android14-6.1.99_r00' into android14-6.1
This merges up to the 6.1.99 LTS release into android14-6.1. This includes the following commits: * |
||
|
Dmitry Skiba
|
3b95e54867 |
ANDROID: Update the ABI symbol list
Adding the following symbols: - __traceiter_android_rvh_try_to_wake_up_success - __traceiter_android_vh_mm_kcompactd_cpu_online - __traceiter_android_vh_vmscan_kswapd_done - __traceiter_mm_vmscan_kswapd_wake - __tracepoint_android_rvh_try_to_wake_up_success - __tracepoint_android_vh_mm_kcompactd_cpu_online - __tracepoint_android_vh_vmscan_kswapd_done - __tracepoint_mm_vmscan_kswapd_wake Bug: 367400751 Change-Id: I658b4961666d93238feaa8f166012b76a69994eb Signed-off-by: Dmitry Skiba <dskiba@google.com> |
||
|
Dmitry Skiba
|
b3a2458fc6 |
ANDROID: mm: add vh for kcompactd_cpu_online()
kcompactd_cpu_online() changes kcompactd cpumask, potentially overwriting any vendor-specific cpumask that was there. This hook allows vendors to re-set the cpumask. Bug: 367400751 Change-Id: I45b92bcd16fbf2d5d76474287db659e32af64201 Signed-off-by: Dmitry Skiba <dskiba@google.com> |
||
|
jiangxinpei
|
532fad0092 |
ANDROID: ABI: update symbol list for honor
1 function symbol(s) added 'int __traceiter_android_vh_should_fault_around(void*, struct vm_fault*, bool*)' Bug: 362663044 Change-Id: Ie7634bc746e40142455c7bd22d876d519a02e0d5 Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> |
||
|
Dezhi Huang
|
145b08312d |
ANDROID: vendor_hooks: add hook to perform targeted memory management
Add vendor_hook trace_android_vh_should_fault_around, allow vendor modules to skip the fault_around processing for less important processes. Bug: 362663044 Bug: 337547131 Change-Id: I792dca2038f5ad7cba1d212ef95407244958609d Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com> (cherry picked from commit 65ebb00fe7977348d5fcfa58985c29181f3ec173) |
||
|
jiangxinpei
|
c105083ac6 |
ANDROID: ABI: update symbol list for honor
3 function symbol(s) added 'int __traceiter_android_vh_do_read_fault(void*, struct vm_fault*, unsigned long)' 'int __traceiter_android_vh_filemap_map_pages(void*, struct file*, unsigned long, unsigned long, vm_fault_t)' 'int __traceiter_android_vh_filemap_read(void*, struct file*, loff_t, size_t)' Bug: 362665923 Change-Id: I49fa40c65d7d24799c815de0c2c02c12d09e8fd8 Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> |
||
|
Sooyong Suk
|
eda4e9fa64 |
ANDROID: mm: add vendor hook in fault and read file
Add a vendor hook to notify vendor module fault and read events. Bug: 362665923 Bug: 351175506 Change-Id: I4c46e9e00aa5f5555fd42a6b0815563497658b34 Signed-off-by: Sooyong Suk <s.suk@samsung.corp-partner.google.com> (cherry picked from commit a9867d872e24fbe658e05f32b770e4b36c6e3773) |
||
|
David Chiang
|
814dd5bfa8 |
ANDROID: Update the ABI symbol list
Adding the following symbols to abi_gki_aarch64_pixel: - mbox_request_channel_byname Bug: 368167673 Change-Id: I031522377372a25bf5f9e97eb4832173463de390 Signed-off-by: David Chiang <davidchiang@google.com> |
||
|
jiangxinpei
|
8a268cb981 |
ANDROID: GKI: Update symbol list for honor
Update symbol list for honor in android/abi_gki_aarch64_honor Bug: 365506689 Change-Id: I604163b979660eaedbc13d3da5c9e3cdb8275e50 Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> |
||
|
jiangxinpei
|
be07389110 |
ANDROID: Allow vendor modules perform operationson on memleak detect
When an LMK (Low Memory Killer) occurs, it is crucial for us to identify the underlying cause of low memory. Based on past experiences, memory leaks are often the root cause in such situations. The purpose of this function is to assist us in identifying which application or type of memory is experiencing memory leaks, thereby enabling us to effectively locate and address the memory leakage issue. Bug: 365506689 Bug: 346707562 Change-Id: I5d7d6bdbca30660f2a552211fd8aff40d3550df7 Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> (cherry picked from commit d61134668c2d37846a6cea3e1ab3c237f2c7bc99) |
||
|
jiangxinpei
|
47871c381d |
ANDROID: GKI: Update symbol list for honor
Update symbol list for honor in android/abi_gki_aarch64_honor Bug: 365506454 Change-Id: I5d9a7a41da2a6f97998fadbbcb447db53b873bcc Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> |
||
|
Dezhi Huang
|
c7b8f95c21 |
ANDROID: Allow vendor modules perform more operations on binder transaction.
Export binder_alloc_copy_from_buffer, allow vendor modules perform more operations on binder transaction and improve user operation fluency and timeliness experience. Bug: 365506454 Bug: 343139379 Change-Id: I4353763099d854a62d0b70b003fbaca00e2c76e4 Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com> (cherry picked from commit d8db83d94e14b48819bba18cb975943c237e33df) |
||
|
Greg Kroah-Hartman
|
20739a07f1 |
Revert "leds: trigger: Remove unused function led_trigger_rename_static()"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
20c4ef91bd |
Revert "leds: trigger: Store brightness set by led_trigger_event()"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
35455634f9 |
Revert "leds: trigger: Call synchronize_rcu() before calling trig->activate()"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
ba60d6bd37 |
Revert "leds: triggers: Flush pending brightness before activating trigger"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
2d60d8fc30 |
Revert "sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table)"
This reverts commit
|
||
|
Daeho Jeong
|
d1f3a046a6 |
FROMGIT: f2fs: prevent atomic file from being dirtied before commit
Keep atomic file clean while updating and make it dirtied during commit
in order to avoid unnecessary and excessive inode updates in the previous
fix.
Fixes: 4bf78322346f ("f2fs: mark inode dirty for FI_ATOMIC_COMMITTED flag")
Change-Id: I2a29d047fa4233632876c61cf909340d1f60c26d
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Bug: 352181300
(cherry picked from commit fccaa81de87e80b1809906f7e438e5766fbdc172
https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git dev)
Change-Id: I5970e56a5318804cfebea340b5b19d6e0a66dc01
Signed-off-by: Daeho Jeong <daehojeong@google.com>
|
||
|
Greg Kroah-Hartman
|
0733d0505b |
Merge 6.1.104 into android14-6.1-lts
Changes in 6.1.104 arm64: dts: qcom: msm8998: switch USB QMP PHY to new style of bindings arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB sysctl: allow change system v ipc sysctls inside ipc namespace sysctl: allow to change limits for posix messages queues sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table) sysctl: always initialize i_uid/i_gid ext4: make ext4_es_insert_extent() return void ext4: refactor ext4_da_map_blocks() ext4: convert to exclusive lock while inserting delalloc extents ext4: factor out a common helper to query extent map ext4: check the extent status again before inserting delalloc block cpufreq: qcom-nvmem: Convert to platform remove callback returning void cpufreq: qcom-nvmem: Simplify driver data allocation cpufreq: qcom-nvmem: fix memory leaks in probe error paths leds: trigger: Remove unused function led_trigger_rename_static() leds: trigger: Store brightness set by led_trigger_event() leds: trigger: Call synchronize_rcu() before calling trig->activate() leds: triggers: Flush pending brightness before activating trigger mm: restrict the pcp batch scale factor to avoid too long latency mm: page_alloc: control latency caused by zone PCP draining mm/page_alloc: fix pcp->count race between drain_pages_zone() vs __rmqueue_pcplist() f2fs: fix to avoid use SSR allocate when do defragment f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid irqdomain: Fixed unbalanced fwnode get and put drm/udl: Rename struct udl_drm_connector to struct udl_connector drm/udl: Test pixel limit in mode-config's mode-valid function drm/udl: Use USB timeout constant when reading EDID drm/udl: Various improvements to the connector drm/udl: Move connector to modesetting code drm/udl: Remove DRM_CONNECTOR_POLL_HPD drm/i915/dp: Don't switch the LTTPR mode on an active link MIPS: Loongson64: DTS: Add RTC support to Loongson-2K1000 MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a MIPS: dts: loongson: Fix liointc IRQ polarity MIPS: dts: loongson: Fix ls2k1000-rtc interrupt HID: amd_sfh: Remove duplicate cleanup HID: amd_sfh: Split sensor and HID initialization HID: amd_sfh: Move sensor discovery before HID device initialization drm/nouveau: prime: fix refcount underflow drm/vmwgfx: Fix overlay when using Screen Targets drm/vmwgfx: Trigger a modeset when the screen moves sched: act_ct: take care of padding in struct zones_ht_key ALSA: hda: conexant: Fix headset auto detect fail in the polling mode Bluetooth: hci_sync: Fix suspending with wrong filter policy net: axienet: start napi before enabling Rx/Tx rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in rtnl_dellink(). ice: respect netif readiness in AF_XDP ZC related ndo's ice: don't busy wait for Rx queue disable in ice_qp_dis() ice: replace synchronize_rcu with synchronize_net ice: add missing WRITE_ONCE when clearing ice_rx_ring::xdp_prog net/iucv: fix use after free in iucv_sock_close() drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro net: mvpp2: Don't re-use loop iterator ALSA: hda: Conditionally use snooping for AMD HDMI netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init(). net/mlx5: Lag, don't use the hardcoded value of the first port net/mlx5: Fix missing lock on sync reset reload net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys ipv6: fix ndisc_is_useropt() handling for PIO riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error() arm64: jump_label: Ensure patched jump_labels are visible to all CPUs rust: SHADOW_CALL_STACK is incompatible with Rust platform/chrome: cros_ec_proto: Lock device when updating MKBP version HID: wacom: Modify pen IDs btrfs: zoned: fix zone_unusable accounting on making block group read-write again protect the fetch of ->fd[fd] in do_dup2() from mispredictions mptcp: sched: check both directions for backup ALSA: usb-audio: Correct surround channels in UAC1 channel map ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G Revert "ALSA: firewire-lib: obsolete workqueue for period update" Revert "ALSA: firewire-lib: operate for period elapse event in process context" drm/vmwgfx: Fix a deadlock in dma buf fence polling drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll() net: usb: sr9700: fix uninitialized variable use in sr_mdio_read r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY mptcp: fix user-space PM announced address accounting mptcp: distinguish rcv vs sent backup flag in requests mptcp: fix NL PM announced address accounting mptcp: fix bad RCVPRUNED mib accounting mptcp: pm: only set request_bkup flag when sending MP_PRIO mptcp: fix duplicate data handling selftests: mptcp: always close input's FD if opened netfilter: ipset: Add list flush to cancel_gc Linux 6.1.104 Change-Id: I6e7acf04893dbbfc6dc8e57c1f2bdb487687f227 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
iabdullah
|
6e5b92a6a1 |
ANDROID: GKI: Add symbol list for exynosauto
These symbols are required to use custom driver for writing data into Serial device using common TTY drivers for basic data trasmit via UART/SPI. INFO: 2 function symbol(s) added 'int serdev_device_write(struct serdev_device*, const unsigned char*, size_t, long)' 'void serdev_device_write_wakeup(struct serdev_device*)' Bug: 356635235 Change-Id: Ia365485ad4b533e5e2826add9182bc98b5563f81 Signed-off-by: iabdullah <imrankhan.abdullah@harman.com> |
||
|
Greg Kroah-Hartman
|
1353c19161 |
Revert "spi: microchip-core: switch to use modern name"
This reverts commit
|