commit 6a83d6f3bb upstream.
When a Opencomm2 Headset is connected to a Bluetooth USB dongle,
the audio playback functions properly, but the microphone does not work.
In the dmesg logs, there are messages indicating that the init_pitch
function fails when the capture process begins.
The microphone only functions when the ep pitch control is not set.
Toggling the pitch control off bypasses the init_piatch function
and allows the microphone to work.
Signed-off-by: WhaleChang <whalechang@google.com>
Link: https://lore.kernel.org/r/20231006044852.4181022-1-whalechang@google.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 01bbafc63b upstream.
Static calls invocations aren't well supported from module __init and
__exit functions. Especially the static call from cleanup_trusted() led
to a crash on x86 kernel with CONFIG_DEBUG_VIRTUAL=y.
However, the usage of static call invocations for trusted_key_init()
and trusted_key_exit() don't add any value from either a performance or
security perspective. Hence switch to use indirect function calls instead.
Note here that although it will fix the current crash report, ultimately
the static call infrastructure should be fixed to either support its
future usage from module __init and __exit functions or not.
Reported-and-tested-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Link: https://lore.kernel.org/lkml/ZRhKq6e5nF%2F4ZIV1@fedora/#t
Fixes: 5d0682be31 ("KEYS: trusted: Add generic trusted keys framework")
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit aa3998dbeb upstream.
The introduction of a device link to create a consumer/supplier
relationship between the scsi device of an ATA device and the ATA port
of that ATA device fixes the ordering of system suspend and resume
operations. For suspend, the scsi device is suspended first and the ata
port after it. This is fine as this allows the synchronize cache and
START STOP UNIT commands issued by the scsi disk driver to be executed
before the ata port is disabled.
For resume operations, the ata port is resumed first, followed
by the scsi device. This allows having the request queue of the scsi
device to be unfrozen after the ata port resume is scheduled in EH,
thus avoiding to see new requests prematurely issued to the ATA device.
Since libata sets manage_system_start_stop to 1, the scsi disk resume
operation also results in issuing a START STOP UNIT command to the
device being resumed so that the device exits standby power mode.
However, restoring the ATA device to the active power mode must be
synchronized with libata EH processing of the port resume operation to
avoid either 1) seeing the start stop unit command being received too
early when the port is not yet resumed and ready to accept commands, or
after the port resume process issues commands such as IDENTIFY to
revalidate the device. In this last case, the risk is that the device
revalidation fails with timeout errors as the drive is still spun down.
Commit 0a85890559 ("ata,scsi: do not issue START STOP UNIT on resume")
disabled issuing the START STOP UNIT command to avoid issues with it.
But this is incorrect as transitioning a device to the active power
mode from the standby power mode set on suspend requires a media access
command. The IDENTIFY, READ LOG and SET FEATURES commands executed in
libata EH context triggered by the ata port resume operation may thus
fail.
Fix these synchronization issues is by handling a device power mode
transitions for system suspend and resume directly in libata EH context,
without relying on the scsi disk driver management triggered with the
manage_system_start_stop flag.
To do this, the following libata helper functions are introduced:
1) ata_dev_power_set_standby():
This function issues a STANDBY IMMEDIATE command to transitiom a device
to the standby power mode. For HDDs, this spins down the disks. This
function applies only to ATA and ZAC devices and does nothing otherwise.
This function also does nothing for devices that have the
ATA_FLAG_NO_POWEROFF_SPINDOWN or ATA_FLAG_NO_HIBERNATE_SPINDOWN flag
set.
For suspend, call ata_dev_power_set_standby() in
ata_eh_handle_port_suspend() before the port is disabled and frozen.
ata_eh_unload() is also modified to transition all enabled devices to
the standby power mode when the system is shutdown or devices removed.
2) ata_dev_power_set_active() and
This function applies to ATA or ZAC devices and issues a VERIFY command
for 1 sector at LBA 0 to transition the device to the active power mode.
For HDDs, since this function will complete only once the disk spin up.
Its execution uses the same timeouts as for reset, to give the drive
enough time to complete spinup without triggering a command timeout.
For resume, call ata_dev_power_set_active() in
ata_eh_revalidate_and_attach() after the port has been enabled and
before any other command is issued to the device.
With these changes, the manage_system_start_stop and no_start_on_resume
scsi device flags do not need to be set in ata_scsi_dev_config(). The
flag manage_runtime_start_stop is still set to allow the sd driver to
spinup/spindown a disk through the sd runtime operations.
Fixes: 0a85890559 ("ata,scsi: do not issue START STOP UNIT on resume")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 869b6ea160 upstream.
Eric has reported that commit dabc8b2075 ("quota: fix dqput() to
follow the guarantees dquot_srcu should provide") heavily increases
runtime of generic/270 xfstest for ext4 in nojournal mode. The reason
for this is that ext4 in nojournal mode leaves dquots dirty until the last
dqput() and thus the cleanup done in quota_release_workfn() has to write
them all. Due to the way quota_release_workfn() is written this results
in synchronize_srcu() call for each dirty dquot which makes the dquot
cleanup when turning quotas off extremely slow.
To be able to avoid synchronize_srcu() for each dirty dquot we need to
rework how we track dquots to be cleaned up. Instead of keeping the last
dquot reference while it is on releasing_dquots list, we drop it right
away and mark the dquot with new DQ_RELEASING_B bit instead. This way we
can we can remove dquot from releasing_dquots list when new reference to
it is acquired and thus there's no need to call synchronize_srcu() each
time we drop dq_list_lock.
References: https://lore.kernel.org/all/ZRytn6CxFK2oECUt@debian-BULLSEYE-live-builder-AMD64
Reported-by: Eric Whitney <enwlinux@gmail.com>
Fixes: dabc8b2075 ("quota: fix dqput() to follow the guarantees dquot_srcu should provide")
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dac501397b upstream.
hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)
races when it races with itself.
hidpp_connect_event() primarily runs from a workqueue but it also runs
on probe() and if a "device-connected" packet is received by the hw
when the thread running hidpp_connect_event() from probe() is waiting on
the hw, then a second thread running hidpp_connect_event() will be
started from the workqueue.
This opens the following races (note the below code is simplified):
1. Retrieving + printing the protocol (harmless race):
if (!hidpp->protocol_major) {
hidpp_root_get_protocol_version()
hidpp->protocol_major = response.rap.params[0];
}
We can actually see this race hit in the dmesg in the abrt output
attached to rhbz#2227968:
[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.
[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.
Testing with extra logging added has shown that after this the 2 threads
take turn grabbing the hw access mutex (send_mutex) so they ping-pong
through all the other TOCTOU cases managing to hit all of them:
2. Updating the name to the HIDPP name (harmless race):
if (hidpp->name == hdev->name) {
...
hidpp->name = new_name;
}
3. Initializing the power_supply class for the battery (problematic!):
hidpp_initialize_battery()
{
if (hidpp->battery.ps)
return 0;
probe_battery(); /* Blocks, threads take turns executing this */
hidpp->battery.desc.properties =
devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);
hidpp->battery.ps =
devm_power_supply_register(&hidpp->hid_dev->dev,
&hidpp->battery.desc, cfg);
}
4. Creating delayed input_device (potentially problematic):
if (hidpp->delayed_input)
return;
hidpp->delayed_input = hidpp_allocate_input(hdev);
The really big problem here is 3. Hitting the race leads to the following
sequence:
hidpp->battery.desc.properties =
devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);
hidpp->battery.ps =
devm_power_supply_register(&hidpp->hid_dev->dev,
&hidpp->battery.desc, cfg);
...
hidpp->battery.desc.properties =
devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);
hidpp->battery.ps =
devm_power_supply_register(&hidpp->hid_dev->dev,
&hidpp->battery.desc, cfg);
So now we have registered 2 power supplies for the same battery,
which looks a bit weird from userspace's pov but this is not even
the really big problem.
Notice how:
1. This is all devm-maganaged
2. The hidpp->battery.desc struct is shared between the 2 power supplies
3. hidpp->battery.desc.properties points to the result from the second
devm_kmemdup()
This causes a use after free scenario on USB disconnect of the receiver:
1. The last registered power supply class device gets unregistered
2. The memory from the last devm_kmemdup() call gets freed,
hidpp->battery.desc.properties now points to freed memory
3. The first registered power supply class device gets unregistered,
this involves sending a remove uevent to userspace which invokes
power_supply_uevent() to fill the uevent data
4. power_supply_uevent() uses hidpp->battery.desc.properties which
now points to freed memory leading to backtraces like this one:
Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08
...
Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event
Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0
...
Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30
Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0
Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0
Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0
Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680
Sep 22 20:01:35 eric kernel: power_supply_unregister+0x8e/0xa0
Sep 22 20:01:35 eric kernel: release_nodes+0x3d/0xb0
Sep 22 20:01:35 eric kernel: devres_release_group+0xfc/0x130
Sep 22 20:01:35 eric kernel: hid_device_remove+0x56/0xa0
Sep 22 20:01:35 eric kernel: device_release_driver_internal+0x19f/0x200
Sep 22 20:01:35 eric kernel: bus_remove_device+0xc6/0x130
Sep 22 20:01:35 eric kernel: device_del+0x15c/0x3f0
Sep 22 20:01:35 eric kernel: ? __queue_work+0x1df/0x440
Sep 22 20:01:35 eric kernel: hid_destroy_device+0x4b/0x60
Sep 22 20:01:35 eric kernel: logi_dj_remove+0x9a/0x100 [hid_logitech_dj 5c91534a0ead2b65e04dd799a0437e3b99b21bc4]
Sep 22 20:01:35 eric kernel: hid_device_remove+0x44/0xa0
Sep 22 20:01:35 eric kernel: device_release_driver_internal+0x19f/0x200
Sep 22 20:01:35 eric kernel: bus_remove_device+0xc6/0x130
Sep 22 20:01:35 eric kernel: device_del+0x15c/0x3f0
Sep 22 20:01:35 eric kernel: ? __queue_work+0x1df/0x440
Sep 22 20:01:35 eric kernel: hid_destroy_device+0x4b/0x60
Sep 22 20:01:35 eric kernel: usbhid_disconnect+0x47/0x60 [usbhid 727dcc1c0b94e6b4418727a468398ac3bca492f3]
Sep 22 20:01:35 eric kernel: usb_unbind_interface+0x90/0x270
Sep 22 20:01:35 eric kernel: device_release_driver_internal+0x19f/0x200
Sep 22 20:01:35 eric kernel: bus_remove_device+0xc6/0x130
Sep 22 20:01:35 eric kernel: device_del+0x15c/0x3f0
Sep 22 20:01:35 eric kernel: ? kobject_put+0xa0/0x1d0
Sep 22 20:01:35 eric kernel: usb_disable_device+0xcd/0x1e0
Sep 22 20:01:35 eric kernel: usb_disconnect+0xde/0x2c0
Sep 22 20:01:35 eric kernel: usb_disconnect+0xc3/0x2c0
Sep 22 20:01:35 eric kernel: hub_event+0xe80/0x1c10
There have been quite a few bug reports (see Link tags) about this crash.
Fix all the TOCTOU issues, including the really bad power-supply related
system crash on USB disconnect, by making probe() use the workqueue for
running hidpp_connect_event() too, so that it can never run more then once.
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2227221
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2227968
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2227968
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2242189
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217412#c58
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20231005182638.3776-1-hdegoede@redhat.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 626b13f015 upstream.
Commit ff48b37802 ("scsi: Do not attempt to rescan suspended devices")
modified scsi_rescan_device() to avoid attempting rescanning a suspended
device. However, the modification added a check to verify that a SCSI
device is in the running state without checking if the device request
queue (in the case of block device) is also running, thus allowing the
exectuion of internal requests. Without checking the device request
queue, commit ff48b37802 fix is incomplete and deadlocks on resume can
still happen. Use blk_queue_pm_only() to check if the device request
queue allows executing commands in addition to checking the SCSI device
state.
Reported-by: Petr Tesarik <petr@tesarici.cz>
Fixes: ff48b37802 ("scsi: Do not attempt to rescan suspended devices")
Cc: stable@vger.kernel.org
Tested-by: Petr Tesarik <petr@tesarici.cz>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 528ab3e605 ]
If a duplicate attribute is found using kset_find_obj(), a reference
to that attribute is returned which needs to be disposed accordingly
using kobject_put(). Move the setting name validation into a separate
function to allow for this change without having to duplicate the
cleanup code for this setting.
As a side note, a very similar bug was fixed in
commit 7295a996fd ("platform/x86: dell-sysman: Fix reference leak"),
so it seems that the bug was copied from that driver.
Compile-tested only.
Fixes: 1bcad8e510 ("platform/x86: think-lmi: Fix issues with duplicate attributes")
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://lore.kernel.org/r/20230925142819.74525-2-W_Armin@gmx.de
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit a5efdbcece ]
The delegated action infrastructure is prone to the following
race: different CPUs can try to schedule different delegated
actions on the same subflow at the same time.
Each of them will check different bits via mptcp_subflow_delegate(),
and will try to schedule the action on the related per-cpu napi
instance.
Depending on the timing, both can observe an empty delegated list
node, causing the same entry to be added simultaneously on two different
lists.
The root cause is that the delegated actions infra does not provide
a single synchronization point. Address the issue reserving an additional
bit to mark the subflow as scheduled for delegation. Acquiring such bit
guarantee the caller to own the delegated list node, and being able to
safely schedule the subflow.
Clear such bit only when the subflow scheduling is completed, ensuring
proper barrier in place.
Additionally swap the meaning of the delegated_action bitmask, to allow
the usage of the existing helper to set multiple bit at once.
Fixes: bcd9773431 ("mptcp: use delegate action to schedule 3rd ack retrans")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20231004-send-net-20231004-v1-1-28de4ac663ae@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b2b000069a ]
For an unknown TX CQE error type (probably from a newer hardware),
still free the SKB, update the queue tail, etc., otherwise the
accounting will be wrong.
Also, TX errors can be triggered by injecting corrupted packets, so
replace the WARN_ONCE to ratelimited error logging.
Cc: stable@vger.kernel.org
Fixes: ca9c54d2d6 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
The purpose of the symbol is for getting runnable latency.
Bug: 275806676
Change-Id: I34d8450df16f63d133aaf3e9773a1f5436cbae58
Signed-off-by: Ziyi Cui <ziyic@google.com>
Get direct reclaim info.
Bug: 190795589
Signed-off-by: Martin Liu <liumartin@google.com>
Change-Id: Ie66a3c87484a364a918c19b8e044c82f1afd6749
Signed-off-by: Jack Lee <liangjlee@google.com>
(cherry picked from commit d705ab99ab)
Since Android has pcp list for MIGRATE_CMA[1], it could cause
CMA allocation latency due to not freeing the MIGRATE_ISOLATE
page immediately.
Originally, MIGRATE_ISOLATED page is supposed to go buddy list
with skipping pcp list. Otherwise, the page could be reallocated
from pcp list or staying on the pcp list until the pcp is drained
so that CMA keeps retrying since it couldn't find the freed page
from buddy list. That worked before since the CMA pfnblocks changed
only from MIGRATE_CMA to MIGRATE_ISOLATE and free function logic
in page allocator has checked MIGRATE_ISOLATEness on every CMA
pages using below.
free_unref_page_commit
if (migratetype >= MIGRATE_PCPTYPES)
if(is_migrate_isolate(migratetype))
free_one_page(page);
It worked since enum MIGRATE_CMA was bigger than enum
MIGRATE_PCPTYPES but since [1], the enum MIGRATE_CMA is less than
MIGRATE_PCPTYPES so the logic above doesn't work any more.
It could cause following race
CPU 0 CPU 1
free_unref_page
migratetype = get_pfnblock_migratetype()
set_pcppage_migratetype(MIGRATE_CMA)
cma_alloc
alloc_contig_range
set_migrate_isolate(MIGRATE_ISOLATE)
add the page into pcp list
the page could be reallocated
This patch couldn't fix the race completely due to missing zone->lock
in order-0 page free(for performance reason). However, it's not a new
problem so we need to deal with the issue separately.
[1] ANDROID: mm: add cma pcp list
Bug: 218731671
Signed-off-by: Minchan Kim <minchan@google.com>
Change-Id: Ibea20085ce5bfb4b74b83b041f9bda9a380120f9
(cherry picked from commit d9e4b67784)
Signed-off-by: Richard Chang <richardycc@google.com>
Allow pKVM to set device attributes (nGnRE) on stage-2 entries when
KVM_PGTABLE_PROT_DEVICE is used.
Bug: 303529066
Change-Id: I19ddbd627cb67fb4ad295af6ea5fff129d7a94f7
Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
The hyp tracing support depends on CONFIG_TRACING, not CONFIG_FTRACE.
Also, TRACING might be selected while FTRACE is not leading to a build
error.
Bug: 306320920
Change-Id: I69614b6d1eb0e3d9013e00c2d10836b37034b929
Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
Current implementation of iommu busses driver has temporarily enforce global restriction to a single driver.
This was already the de-facto behaviour, since any possible combination of existing drivers would compete
for at least the PCI or platform bus. Due to this restriction we are not able to probe SMMU v3 driver for PCI bus.
There is an ongoing work in upstream(https://lore.kernel.org/linux-iommu/cover.1696253096.git.robin.murphy@arm.com/#t)
to fix this but we can't backport now as still review in progress.
However, Some of our targets have both SMMU v2 (used by all peripherals except PCIe) and SMMU v3 (PCie) and
they are expected to co-exit in current kernel version.
To cater this requirement, we have implemented a vendor hook, which will skip the pci bus probe for smmuv2 and in
smmuv3 skips all iommu buses execept pcie bus.
Bug: 305648820
Signed-off-by: Venkata Rao Kakani <vkakani@qti.qualcomm.com>
Change-Id: I9304962a7fc7afad93295cc08b3c68f8e340ffe8
commit e994764976 upstream.
sctp_mt_check doesn't validate the flag_count field. An attacker can
take advantage of that to trigger a OOB read and leak memory
information.
Add the field validation in the checkentry function.
Bug: 304913898
Fixes: 2e4e6a17af ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
Cc: stable@vger.kernel.org
Reported-by: Lucas Leong <wmliang@infosec.exchange>
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4921f9349b)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ife4e69f6218fdaca2a8647b5ed00d875a5ed0d34
In commit 82f9af464e ("ipv6: Remove in6addr_any alternatives."), the
6.1.54 release adds a new include file, which changes the crc generation
of some of the public symbols in that file. Fix that up by adding a
Bug: 161946584
Fixes: 82f9af464e ("ipv6: Remove in6addr_any alternatives.")
Change-Id: I495d21a761e3724ed1ca605496b2b85acb7a77f5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Some qdiscs and classifiers have recently been retired from kernel.
However, tc-testing config is still cluttered with them which causes noise
when using merge_config.sh script to update existing config for tc-testing
compatibility. Remove the config settings for affected qdiscs and
classifiers.
Bug: 254441685
Fixes: fb38306ceb ("net/sched: Retire ATM qdisc")
Fixes: 051d442098 ("net/sched: Retire CBQ qdisc")
Fixes: bbe77c14ee ("net/sched: Retire dsmark qdisc")
Fixes: 265b4da82d ("net/sched: Retire rsvp classifier")
Fixes: 8c710f7525 ("net/sched: Retire tcindex classifier")
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 11b8b2e70a)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ifd5de69f462686075f43c7c98937eb7999a4bd17
This patch adds GKI symbol list for Exynosauto SoC. We need to add
below 3 function symbols and it required by DRM(Direct Rendering Manager)
driver.
3 function symbol(s) added
'void display_timings_release(struct display_timings*)'
'struct display_timings* of_get_display_timings(const struct device_node*)'
'int videomode_from_timings(const struct display_timings*, struct videomode*, unsigned int)'
Bug: 305126879
Change-Id: Ieaf3b82e18c0a3a90c274ed752af8ed84df5c150
Signed-off-by: Hoyoung Lee <hy_fifty.lee@samsung.com>
Currently, while calculating residency and latency values, right
operands may overflow if resulting values are big enough.
To prevent this, albeit unlikely case, play it safe and convert
right operands to left ones' type s64.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
Bug: 296029082
Fixes: 30f604283e ("PM / Domains: Allow domain power states to be read from DT")
Change-Id: Id0355d95ff18dc2273fca719aa64e2d32b1f9da5
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
(cherry picked from commit e5d1c87220)
Signed-off-by: Daniel Mentz <danielmentz@google.com>
Add vendor hook for compaction begin/end. The first use would be
to measure compaction durations.
Bug: 229927848
Test: echo 1 > /proc/sys/vm/compact_memory and observe output change in
/sys/kernel/pixel_stat/mm/compaction/mm_compaction_duration
Signed-off-by: Robin Hsu <robinhsu@google.com>
Change-Id: I3d95434bf49b37199056dc9ddfc36a59a7de17b7
Signed-off-by: Richard Chang <richardycc@google.com>
(cherry picked from commit 13b6bd38bb)
Signed-off-by: liangjlee <liangjlee@google.com>
commit 69c5d284f6 upstream.
The xt_u32 module doesn't validate the fields in the xt_u32 structure.
An attacker may take advantage of this to trigger an OOB read by setting
the size fields with a value beyond the arrays boundaries.
Add a checkentry function to validate the structure.
This was originally reported by the ZDI project (ZDI-CAN-18408).
Bug: 304913716
Fixes: 1b50b8a371 ("[NETFILTER]: Add u32 match")
Cc: stable@vger.kernel.org
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1c164c1e9e)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ic2ff70b303f55f9c3c5db24295bcb223ed7175a7
[ Upstream commit f4f8a78031 ]
The opt_num field is controlled by user mode and is not currently
validated inside the kernel. An attacker can take advantage of this to
trigger an OOB read and potentially leak information.
BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
Read of size 2 at addr ffff88804bc64272 by task poc/6431
CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
Call Trace:
nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
expr_call_ops_eval net/netfilter/nf_tables_core.c:214
nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
[..]
Also add validation to genre, subtype and version fields.
Bug: 304913642
Fixes: 11eeef41d5 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Lucas Leong <wmliang@infosec.exchange>
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 7bb8d52b42)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: If79c79e3f55de8c81b70c19661cb0084b02c3da2
[ Upstream commit 0113d9c9d1 ]
Currently, we assume the skb is associated with a device before calling
__ip_options_compile, which is not always the case if it is re-routed by
ipvs.
When skb->dev is NULL, dev_net(skb->dev) will become null-dereference.
This patch adds a check for the edge case and switch to use the net_device
from the rtable when skb->dev is NULL.
Bug: 304913674
Fixes: ed0de45a10 ("ipv4: recompile ip options in ipv4_link_failure")
Suggested-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
Cc: Vadim Fedorenko <vfedorenko@novek.ru>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 2712545e53)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ie840ff3351e487f7095c49fac4fdd1e81021a982
Changes in 6.1.54
net/ipv6: SKB symmetric hash should incorporate transport ports
mm: multi-gen LRU: rename lrugen->lists[] to lrugen->folios[]
Multi-gen LRU: fix per-zone reclaim
io_uring: always lock in io_apoll_task_func
io_uring: revert "io_uring fix multishot accept ordering"
io_uring/net: don't overflow multishot accept
io_uring: break out of iowq iopoll on teardown
io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used
io_uring: Don't set affinity on a dying sqpoll thread
drm/virtio: Conditionally allocate virtio_gpu_fence
scsi: qla2xxx: Adjust IOCB resource on qpair create
scsi: qla2xxx: Limit TMF to 8 per function
scsi: qla2xxx: Fix deletion race condition
scsi: qla2xxx: fix inconsistent TMF timeout
scsi: qla2xxx: Fix command flush during TMF
scsi: qla2xxx: Fix erroneous link up failure
scsi: qla2xxx: Turn off noisy message log
scsi: qla2xxx: Fix session hang in gnl
scsi: qla2xxx: Fix TMF leak through
scsi: qla2xxx: Remove unsupported ql2xenabledif option
scsi: qla2xxx: Flush mailbox commands on chip reset
scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit()
scsi: qla2xxx: Error code did not return to upper layer
scsi: qla2xxx: Fix firmware resource tracking
null_blk: fix poll request timeout handling
fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
clk: qcom: camcc-sc7180: fix async resume during probe
drm/ast: Fix DRAM init on AST2200
ASoC: tegra: Fix SFC conversion for few rates
clk: qcom: turingcc-qcs404: fix missing resume during probe
arm64: dts: renesas: rzg2l: Fix txdv-skew-psec typos
send channel sequence number in SMB3 requests after reconnects
memcg: drop kmem.limit_in_bytes
mm: hugetlb_vmemmap: fix a race between vmemmap pmd split
lib/test_meminit: allocate pages up to order MAX_ORDER
parisc: led: Fix LAN receive and transmit LEDs
parisc: led: Reduce CPU overhead for disk & lan LED computation
cifs: update desired access while requesting for directory lease
pinctrl: cherryview: fix address_space_handler() argument
dt-bindings: clock: xlnx,versal-clk: drop select:false
clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz
clk: imx: pll14xx: align pdiv with reference manual
clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
soc: qcom: qmi_encdec: Restrict string length in decode
clk: qcom: dispcc-sm8450: fix runtime PM imbalance on probe errors
clk: qcom: lpasscc-sc7280: fix missing resume during probe
clk: qcom: q6sstop-qcs404: fix missing resume during probe
clk: qcom: mss-sc7180: fix missing resume during probe
NFS: Fix a potential data corruption
NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
bus: mhi: host: Skip MHI reset if device is in RDDM
net: add SKB_HEAD_ALIGN() helper
net: remove osize variable in __alloc_skb()
net: factorize code in kmalloc_reserve()
net: deal with integer overflows in kmalloc_reserve()
kbuild: rpm-pkg: define _arch conditionally
kbuild: do not run depmod for 'make modules_sign'
tpm_crb: Fix an error handling path in crb_acpi_add()
gfs2: Switch to wait_event in gfs2_logd
gfs2: low-memory forced flush fixes
mailbox: qcom-ipcc: fix incorrect num_chans counting
kconfig: fix possible buffer overflow
Input: iqs7222 - configure power mode before triggering ATI
perf trace: Use zfree() to reduce chances of use after free
perf trace: Really free the evsel->priv area
pwm: atmel-tcb: Convert to platform remove callback returning void
pwm: atmel-tcb: Harmonize resource allocation order
pwm: atmel-tcb: Fix resource freeing in error path and remove
backlight: gpio_backlight: Drop output GPIO direction check for initial power state
Input: tca6416-keypad - always expect proper IRQ number in i2c client
Input: tca6416-keypad - fix interrupt enable disbalance
perf annotate bpf: Don't enclose non-debug code with an assert()
x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
perf vendor events: Update the JSON/events descriptions for power10 platform
perf vendor events: Drop some of the JSON/events for power10 platform
perf vendor events: Drop STORES_PER_INST metric event for power10 platform
perf top: Don't pass an ERR_PTR() directly to perf_session__delete()
watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
pwm: lpc32xx: Remove handling of PWM channels
perf test stat_bpf_counters_cgrp: Fix shellcheck issue about logical operators
perf test stat_bpf_counters_cgrp: Enhance perf stat cgroup BPF counter test
drm/i915: mark requests for GuC virtual engines to avoid use-after-free
blk-throttle: use calculate_io/bytes_allowed() for throtl_trim_slice()
blk-throttle: consider 'carryover_ios/bytes' in throtl_trim_slice()
cifs: use fs_context for automounts
smb: propagate error code of extract_sharename()
net/sched: fq_pie: avoid stalls in fq_pie_timer()
sctp: annotate data-races around sk->sk_wmem_queued
ipv4: annotate data-races around fi->fib_dead
net: read sk->sk_family once in sk_mc_loop()
net: fib: avoid warn splat in flow dissector
xsk: Fix xsk_diag use-after-free error during socket cleanup
drm/i915/gvt: Verify pfn is "valid" before dereferencing "struct page"
drm/i915/gvt: Put the page reference obtained by KVM's gfn_to_pfn()
drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()
net: use sk_forward_alloc_get() in sk_get_meminfo()
net: annotate data-races around sk->sk_forward_alloc
mptcp: annotate data-races around msk->rmem_fwd_alloc
ipv4: ignore dst hint for multipath routes
ipv6: ignore dst hint for multipath routes
igb: disable virtualization features on 82580
gve: fix frag_list chaining
veth: Fixing transmit return status for dropped packets
net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
net: phy: micrel: Correct bit assignments for phy_device flags
bpf, sockmap: Fix skb refcnt race after locking changes
af_unix: Fix data-races around user->unix_inflight.
af_unix: Fix data-race around unix_tot_inflight.
af_unix: Fix data-races around sk->sk_shutdown.
af_unix: Fix data race around sk->sk_err.
net: sched: sch_qfq: Fix UAF in qfq_dequeue()
kcm: Destroy mutex in kcm_exit_net()
octeontx2-af: Fix truncation of smq in CN10K NIX AQ enqueue mbox handler
igc: Change IGC_MIN to allow set rx/tx value between 64 and 80
igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
s390/zcrypt: don't leak memory if dev_set_name() fails
idr: fix param name in idr_alloc_cyclic() doc
ip_tunnels: use DEV_STATS_INC()
net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software and offload
net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too many times
net: dsa: sja1105: complete tc-cbs offload support on SJA1110
bpf: Remove prog->active check for bpf_lsm and bpf_iter
bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in kern_sys_bpf().
bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check.
netfilter: nftables: exthdr: fix 4-byte stack OOB write
netfilter: nfnetlink_osf: avoid OOB read
net: hns3: fix tx timeout issue
net: hns3: fix byte order conversion issue in hclge_dbg_fd_tcam_read()
net: hns3: fix debugfs concurrency issue between kfree buffer and read
net: hns3: fix invalid mutex between tc qdisc and dcb ets command issue
net: hns3: fix the port information display when sfp is absent
net: hns3: remove GSO partial feature bit
sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory()
Multi-gen LRU: avoid race in inc_min_seq()
net/mlx5: Free IRQ rmap and notifier on kernel shutdown
ARC: atomics: Add compiler barrier to atomic operations...
clocksource/drivers/arm_arch_timer: Disable timer before programming CVAL
dmaengine: sh: rz-dmac: Fix destination and source data size setting
jbd2: fix checkpoint cleanup performance regression
jbd2: check 'jh->b_transaction' before removing it from checkpoint
jbd2: correct the end of the journal recovery scan range
ext4: add correct group descriptors and reserved GDT blocks to system zone
ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
f2fs: flush inode if atomic file is aborted
f2fs: avoid false alarm of circular locking
lib: test_scanf: Add explicit type cast to result initialization in test_number_prefix()
hwspinlock: qcom: add missing regmap config for SFPB MMIO implementation
ata: ahci: Add Elkhart Lake AHCI controller
ata: pata_falcon: fix IO base selection for Q40
ata: sata_gemini: Add missing MODULE_DESCRIPTION
ata: pata_ftide010: Add missing MODULE_DESCRIPTION
fuse: nlookup missing decrement in fuse_direntplus_link
btrfs: zoned: do not zone finish data relocation block group
btrfs: fix start transaction qgroup rsv double free
btrfs: free qgroup rsv on io failure
btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART
btrfs: set page extent mapped after read_folio in relocate_one_page
btrfs: zoned: re-enable metadata over-commit for zoned mode
btrfs: use the correct superblock to compare fsid in btrfs_validate_super
drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()
mtd: rawnand: brcmnand: Fix crash during the panic_write
mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
mtd: spi-nor: Correct flags for Winbond w25q128
mtd: rawnand: brcmnand: Fix potential false time out warning
mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller
drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma
drm/amd/display: prevent potential division by zero errors
KVM: SVM: Take and hold ir_list_lock when updating vCPU's Physical ID entry
KVM: SVM: Don't inject #UD if KVM attempts to skip SEV guest insn
KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration
KVM: nSVM: Check instead of asserting on nested TSC scaling support
KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state
KVM: SVM: Set target pCPU during IRTE update if target vCPU is running
KVM: SVM: Skip VMSA init in sev_es_init_vmcb() if pointer is NULL
MIPS: Fix CONFIG_CPU_DADDI_WORKAROUNDS `modules_install' regression
perf hists browser: Fix hierarchy mode header
perf test shell stat_bpf_counters: Fix test on Intel
perf tools: Handle old data in PERF_RECORD_ATTR
perf hists browser: Fix the number of entries for 'e' key
drm/amd/display: always switch off ODM before committing more streams
drm/amd/display: Remove wait while locked
drm/amdgpu: register a dirty framebuffer callback for fbcon
kunit: Fix wild-memory-access bug in kunit_free_suite_set()
net: ipv4: fix one memleak in __inet_del_ifa()
kselftest/runner.sh: Propagate SIGTERM to runner child
selftests: Keep symlinks, when possible
net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add
net: stmmac: fix handling of zero coalescing tx-usecs
net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()
net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
hsr: Fix uninit-value access in fill_frame_info()
net: ethernet: adi: adin1110: use eth_broadcast_addr() to assign broadcast address
net:ethernet:adi:adin1110: Fix forwarding offload
net: dsa: sja1105: hide all multicast addresses from "bridge fdb show"
net: dsa: sja1105: propagate exact error code from sja1105_dynamic_config_poll_valid()
net: dsa: sja1105: fix multicast forwarding working only for last added mdb entry
net: dsa: sja1105: serialize sja1105_port_mcast_flood() with other FDB accesses
net: dsa: sja1105: block FDB accesses that are concurrent with a switch reset
r8152: check budget for r8152_poll()
kcm: Fix memory leak in error path of kcm_sendmsg()
platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
platform/mellanox: mlxbf-tmfifo: Drop jumbo frames
platform/mellanox: mlxbf-pmc: Fix potential buffer overflows
platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
platform/mellanox: NVSW_SN2201 should depend on ACPI
net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
net: macb: Enable PTP unicast
net: macb: fix sleep inside spinlock
ipv6: fix ip6_sock_set_addr_preferences() typo
ipv6: Remove in6addr_any alternatives.
tcp: Factorise sk_family-independent comparison in inet_bind2_bucket_match(_addr_any).
tcp: Fix bind() regression for v4-mapped-v6 wildcard address.
tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address.
ixgbe: fix timestamp configuration code
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
MIPS: Only fiddle with CHECKFLAGS if `need-compiler'
drm/amd/display: Fix a bug when searching for insert_above_mpcc
Linux 6.1.54
Change-Id: I42dc80e7b812eb2bdd28575280b7b88169eb6d58
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 265b4da82d upstream.
The rsvp classifier has served us well for about a quarter of a century but has
has not been getting much maintenance attention due to lack of known users.
Bug: 304913975
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 08569c92f7)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I4716954c5e8d5414a580eb34c699908028aa754b
* changes:
ANDROID: GKI: update .stg due to internal zswap and tracing changes
ANDROID: GKI: db845c: add pcie_capability_clear_and_set_word to the symbol list
ANDROID: GKI: sched: put back the cpu_capacity_inverted variable
Revert "ipv4: fix data-races around inet->inet_id"
Revert "usb: typec: bus: verify partner exists in typec_altmode_attention"
Revert "scsi: core: Use 32-bit hostnum in scsi_host_lookup()"
Revert "media: cec: core: add adap_nb_transmit_canceled() callback"
Revert "media: cec: core: add adap_unconfigured() callback"
Revert "tracing: Introduce pipe_cpumask to avoid race on trace_pipes"
Revert "tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY"
Revert "PCI: Allow drivers to request exclusive config regions"
Revert "PCI: Add locking to RMW PCI Express Capability Register accessors"
Revert "crypto: api - Use work queue in crypto_destroy_instance"
Revert "media: uapi: HEVC: Add num_delta_pocs_of_ref_rps_idx field"
ANDROID: GKI: Fix firmware: smccc build error
ANDROID: GKI: fix up merge issue in drivers/scsi/storvsc_drv.c
Merge 6.1.53 into android14-6.1-lts
Merge 6.1.52 into android14-6.1-lts
Merge 6.1.51 into android14-6.1-lts
Merge 6.1.50 into android14-6.1-lts
Merge 6.1.49 into android14-6.1-lts
Merge 6.1.48 into android14-6.1-lts
Merge 6.1.47 into android14-6.1-lts
Merge 6.1.46 into android14-6.1-lts
Merge 6.1.45 into android14-6.1-lts
Merge 6.1.44 into android14-6.1-lts
commit efb78fa86e ("lib/test_meminit: allocate pages up to order
MAX_ORDER") works great in kernels 6.4 and newer thanks to commit
23baf831a3 ("mm, treewide: redefine MAX_ORDER sanely"), but for older
kernels, the loop is off by one, which causes crashes when the test
runs.
Fix this up by changing "<= MAX_ORDER" "< MAX_ORDER" to allow the test
to work properly for older kernel branches.
Fixes: 421855d0d2 ("lib/test_meminit: allocate pages up to order MAX_ORDER")
Cc: Andrew Donnellan <ajd@linux.ibm.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Xiaoke Wang <xkernel.wang@foxmail.com>
Cc: <stable@vger.kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
There are a number of internal-to-the-kernel changes in the recent set
of LTS releases that end up bleeding over into the public .stg file, yet
they are really anonymous pointers when it comes to external modules.
Update the .stg file with these changes as the tooling is being extra
careful, but these are not actual ABI changes so this is safe.
Full details are:
INFO: ABI DIFFERENCES HAVE BEEN DETECTED!
INFO: type 'struct trace_buffer' changed
member 'atomic_t resizing' was added
type 'struct zs_pool' changed
member 'spinlock_t lock' was added
member 'atomic_t compaction_in_progress' was added
member 'rwlock_t migrate_lock' was removed
type 'struct size_class' changed
byte size changed from 136 to 128
member 'spinlock_t lock' was removed
6 members ('struct list_head fullness_list[4]' .. 'struct zs_size_stat stats') changed
offset changed by -64
Bug: 161946584
Change-Id: Ib5bb4a55ef5463ed49f7cd2c90bf73e278fd51e4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
