Switching to kzalloc doesn't mean we can't allocate some extra bytes
for the TX buffer. This was simply an improper merge of commit [1]
by CodeLinaro. The commit was just supposed to replace kmalloc with
kzalloc. Therefore, add back the buffer allocation.
[1]: ae9cf8b759 ("UPSTREAM: USB: gadget: zero allocate endpoint 0 buffers")
Fixes: ae9cf8b759 ("UPSTREAM: USB: gadget: zero allocate endpoint 0 buffers")
Change-Id: I97bcea8f9aed2d9a672b2f92b6cfd998f43b9d95
Signed-off-by: Tashfin Shakeer Rhythm <tashfinshakeerrhythm@gmail.com>
Both glibc and musl define 'struct sched_param' in sched.h, while kernel
has it in uapi/linux/sched/types.h, making it cumbersome to use
sched_getattr(2) or sched_setattr(2) from userspace.
For example, something like this:
#include <sched.h>
#include <linux/sched/types.h>
struct sched_attr sa;
will result in "error: redefinition of ‘struct sched_param’" (note the
code doesn't need sched_param at all -- it needs struct sched_attr
plus some stuff from sched.h).
The situation is, glibc is not going to provide a wrapper for
sched_{get,set}attr, thus the need to include linux/sched_types.h
directly, which leads to the above problem.
Thus, the userspace is left with a few sub-par choices when it wants to
use e.g. sched_setattr(2), such as maintaining a copy of struct
sched_attr definition, or using some other ugly tricks.
OTOH, 'struct sched_param' is well known, defined in POSIX, and it won't
be ever changed (as that would break backward compatibility).
So, while 'struct sched_param' is indeed part of the kernel uapi,
exposing it the way it's done now creates an issue, and hiding it
(like this patch does) fixes that issue, hopefully without creating
another one: common userspace software rely on libc headers, and as
for "special" software (like libc), it looks like glibc and musl
do not rely on kernel headers for 'struct sched_param' definition
(but let's Cc their mailing lists in case it's otherwise).
The alternative to this patch would be to move struct sched_attr to,
say, linux/sched.h, or linux/sched/attr.h (the new file).
Oh, and here is the previous attempt to fix the issue:
https://lore.kernel.org/all/20200528135552.GA87103@google.com/
While I support Linus arguments, the issue is still here
and needs to be fixed.
[ mingo: Linus is right, this shouldn't be needed - but on the other
hand I agree that this header is not really helpful to
user-space as-is. So let's pretend that
<uapi/linux/sched/types.h> is only about sched_attr, and
call this commit a workaround for user-space breakage
that it in reality is ... Also, remove the Fixes tag. ]
Change-Id: I3943f8f4a11a9007ccc392de3ece9e62841e8fcb
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20230808030357.1213829-1-kolyshkin@gmail.com
The checkpoint is the top priority thread which can stop all the filesystem
operations. Let's make it RT priority.
Reviewed-by: Daeho Jeong <daehojeong@google.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 8a2d9f00d502e6ef68c6d52f0863856040ddd2db)
Change-Id: I7ab430a7294fa9644512f0a32245646944446213
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
We should update age extent in f2fs_do_zero_range() like we
did in f2fs_truncate_data_blocks_range().
Fixes: dfcfcc6d16 ("f2fs: add block_age-based extent cache")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit a84153f939808102dfa10904aa0f743e734a3e1d)
Change-Id: Iab59f94f792dbab8da7ab597d5a219476370a646
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
nr_free may be less than len, we should update age extent cache
w/ range [fofs, len] rather than [fofs, nr_free].
Fixes: dfcfcc6d16 ("f2fs: add block_age-based extent cache")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 8c0ed062ce27f6b7f0a568cb241e2b4dd2d9e6a6)
Change-Id: I0a4546f84fd75db2f13857e4922520ab5885e845
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
Currently we wrongly calculate the new block age to
old * LAST_AGE_WEIGHT / 100.
Fix it to new * (100 - LAST_AGE_WEIGHT) / 100
+ old * LAST_AGE_WEIGHT / 100.
Signed-off-by: qixiaoyu1 <qixiaoyu1@xiaomi.com>
Signed-off-by: xiongping1 <xiongping1@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit b03a41a495df35f8e8d25220878bd6b8472d9396)
Change-Id: I989877caf2517245750e7ed809b2af71f8943f96
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
Otherwise, __lookup_extent_tree() will override the given extent_info which will
be used by caller.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 22a341b43036415718f2d50f5f98b2f891fe17e9)
Change-Id: I5ddc08dd3d299f222b4b9b1334f2e675e37956b6
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
Let's explicitly use the defined values in block_age case only.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit ed2724765e58e3310d3de48f4a1761631b3dd640)
Change-Id: Ibbed9907e98c54a7fc807f5deb9300aeb2d35e70
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
This can avoid confusing tracepoint values.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit fe59109ae5c0b34a8c7c07f693fc501b12b57787)
Change-Id: I64d127fed283cfe93579a031b1b8762d35069f98
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
commit e61b11a737 ("ANDROID: fuse: Allocate zeroed memory for canonical path")
fixes the deadlock that this patch tries to fix.
This reverts commit aeb761e164.
Change-Id: I7137a93cf83b4d2a3cecb2b2de6f9fa14e6a2702
This patch allows the administrator to configure the interface
name of a function using u_ether (e.g., eem, ncm, rndis).
Currently, all such interfaces, regardless of function type, are
always called usb0, usb1, etc. This makes it very cumbersome to
use more than one such type at a time, because userspace cannnot
easily tell the interfaces apart and apply the right
configuration to each one. Interface renaming in userspace based
on driver doesn't help, because the interfaces all have the same
driver. Without this patch, doing this require hacks/workarounds
such as setting fixed MAC addresses on the functions, and then
renaming by MAC address, or scraping configfs after each
interface is created to find out what it is.
Setting the interface name is done by writing to the same
"ifname" configfs attribute that reports the interface name after
the function is bound. The write must contain an interface
pattern such as "usb%d" (which will cause the net core to pick
the next available interface name starting with "usb").
This patch does not allow writing an exact interface name (as
opposed to a pattern) because if the interface already exists at
bind time, the bind will fail and the whole gadget will fail to
activate. This could be allowed in a future patch.
For compatibility with current userspace, when reading an ifname
that has not currently been set, the result is still "(unnamed
net_device)". Once a write to ifname happens, then reading ifname
will return whatever was last written.
Tested by configuring an rndis function and an ncm function on
the same gadget, and writing "rndis%d" to ifname on the rndis
function and "ncm%d" to ifname on the ncm function. When the
gadget was bound, the rndis interface was rndis0 and the ncm
interface was ncm0.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
(cherry picked from commit 63d152149b2d0860ccf8c4e6596b6175b2b7ace6
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-next)
Link: https://lore.kernel.org/r/20210113234222.3272933-1-lorenzo@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Change-Id: I04deb6cc1d8a5b8ee82404940de2a79c06fbafe7
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 37e444c8296c14cb5768a1197b24cfc07ee8e0cd ]
snprintf returns the actual length of the buffer created; however,
this is not the case if snprintf truncates its parameter.
See https://lwn.net/Articles/69419/ for a detailed explanation.
The current code correctly handles this case at the expense
of extra code in the return statement.
scnprintf does returns the actual length of the buffer created
making the ?: operator unnecessary in the return
statement.
This change does not alter the functionality of the code.
Change-Id: I518abb00c6bd19d60d95a0ba8577a174feaaa3f3
Signed-off-by: Daniel M German <dmg@turingmachine.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[ Upstream commit a04224da1f3424b2c607b12a3bd1f0e302fb8231 ]
Previously, gadget assignment to the net device occurred exclusively
during the initial binding attempt.
Nevertheless, the gadget pointer could change during bind/unbind
cycles due to various conditions, including the unloading/loading
of the UDC device driver or the detachment/reconnection of an
OTG-capable USB hub device.
This patch relocates the gether_set_gadget() function out from
ncm_opts->bound condition check, ensuring that the correct gadget
is assigned during each bind request.
The provided logs demonstrate the consistency of ncm_opts throughout
the power cycle, while the gadget may change.
* OTG hub connected during boot up and assignment of gadget and
ncm_opts pointer
[ 2.366301] usb 2-1.5: New USB device found, idVendor=2996, idProduct=0105
[ 2.366304] usb 2-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2.366306] usb 2-1.5: Product: H2H Bridge
[ 2.366308] usb 2-1.5: Manufacturer: Aptiv
[ 2.366309] usb 2-1.5: SerialNumber: 13FEB2021
[ 2.427989] usb 2-1.5: New USB device found, VID=2996, PID=0105
[ 2.428959] dabridge 2-1.5:1.0: dabridge 2-4 total endpoints=5, 0000000093a8d681
[ 2.429710] dabridge 2-1.5:1.0: P(0105) D(22.06.22) F(17.3.16) H(1.1) high-speed
[ 2.429714] dabridge 2-1.5:1.0: Hub 2-2 P(0151) V(06.87)
[ 2.429956] dabridge 2-1.5:1.0: All downstream ports in host mode
[ 2.430093] gadget 000000003c414d59 ------> gadget pointer
* NCM opts and associated gadget pointer during First ncm_bind
[ 34.763929] NCM opts 00000000aa304ac9
[ 34.763930] NCM gadget 000000003c414d59
* OTG capable hub disconnecte or assume driver unload.
[ 97.203114] usb 2-1: USB disconnect, device number 2
[ 97.203118] usb 2-1.1: USB disconnect, device number 3
[ 97.209217] usb 2-1.5: USB disconnect, device number 4
[ 97.230990] dabr_udc deleted
* Reconnect the OTG hub or load driver assaign new gadget pointer.
[ 111.534035] usb 2-1.1: New USB device found, idVendor=2996, idProduct=0120, bcdDevice= 6.87
[ 111.534038] usb 2-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 111.534040] usb 2-1.1: Product: Vendor
[ 111.534041] usb 2-1.1: Manufacturer: Aptiv
[ 111.534042] usb 2-1.1: SerialNumber: Superior
[ 111.535175] usb 2-1.1: New USB device found, VID=2996, PID=0120
[ 111.610995] usb 2-1.5: new high-speed USB device number 8 using xhci-hcd
[ 111.630052] usb 2-1.5: New USB device found, idVendor=2996, idProduct=0105, bcdDevice=21.02
[ 111.630055] usb 2-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 111.630057] usb 2-1.5: Product: H2H Bridge
[ 111.630058] usb 2-1.5: Manufacturer: Aptiv
[ 111.630059] usb 2-1.5: SerialNumber: 13FEB2021
[ 111.687464] usb 2-1.5: New USB device found, VID=2996, PID=0105
[ 111.690375] dabridge 2-1.5:1.0: dabridge 2-8 total endpoints=5, 000000000d87c961
[ 111.691172] dabridge 2-1.5:1.0: P(0105) D(22.06.22) F(17.3.16) H(1.1) high-speed
[ 111.691176] dabridge 2-1.5:1.0: Hub 2-6 P(0151) V(06.87)
[ 111.691646] dabridge 2-1.5:1.0: All downstream ports in host mode
[ 111.692298] gadget 00000000dc72f7a9 --------> new gadget ptr on connect
* NCM opts and associated gadget pointer during second ncm_bind
[ 113.271786] NCM opts 00000000aa304ac9 -----> same opts ptr used during first bind
[ 113.271788] NCM gadget 00000000dc72f7a9 ----> however new gaget ptr, that will not set
in net_device due to ncm_opts->bound = true
Change-Id: I803f892ccd2a0f9558d4f32d8a3104aba78353ff
Signed-off-by: Hardik Gajjar <hgajjar@de.adit-jv.com>
Link: https://lore.kernel.org/r/20231020153324.82794-1-hgajjar@de.adit-jv.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Revert the following changes to restore to upstream version:
commit d50dafdc03 ("usb: gadget: f_ncm: allocate/free net device upon driver bind/unbind")
commit 2b958bac04 ("usb: gadget: Add check gadget function bind or not")
Reason for revert: Causes gether_set_ifname() support to kernel panic.
Change-Id: I51064467cad63e47a4a9734f18f1a5b95fa8db86
5.18-rc1 has many merge issues and the block io path has been rewritten,
so the tracepoints added here do not work properly anymore (and break
the build.)
If this is really still needed (hint, I strongly doubt it), it can be
redesigned and added back after 5.18-rc1 is released.
Cc: Mohan Srinivasan <srmohan@google.com>
Cc: Amit Pundir <amit.pundir@linaro.org>
Cc: Alistair Strachan <astrachan@google.com>
Fixes: f2fe7bac26dc ("ANDROID: fs: FS tracepoints to track IO.")
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[Jaegeuk Kim: remove fsync tracepoints as well]
Change-Id: I64981f2f692a434b976e50677d3414037d5ee409
* 'upstream-f2fs-stable-linux-4.19.y' of https://android.googlesource.com/kernel/common: (560 commits)
f2fs: reset wait_ms to default if any of the victims have been selected
f2fs: fix some format WARNING in debug.c and sysfs.c
f2fs: don't call f2fs_issue_discard_timeout() when discard_cmd_cnt is 0 in f2fs_put_super()
f2fs: fix iostat parameter for discard
f2fs: Fix spelling mistake in label: free_bio_enrty_cache -> free_bio_entry_cache
f2fs: avoid build warnining in extent_cache
f2fs: add block_age-based extent cache
f2fs: allocate the extent_cache by default
f2fs: refactor extent_cache to support for read and more
f2fs: remove unnecessary __init_extent_tree
f2fs: move internal functions into extent_cache.c
f2fs: specify extent cache for read explicitly
f2fs: introduce f2fs_is_readonly() for readability
f2fs: remove F2FS_SET_FEATURE() and F2FS_CLEAR_FEATURE() macro
f2fs: do some cleanup for f2fs module init
MAINTAINERS: Add f2fs bug tracker link
f2fs: remove the unused flush argument to change_curseg
f2fs: open code allocate_segment_by_default
f2fs: remove struct segment_allocation default_salloc_ops
f2fs: introduce discard_urgent_util sysfs node
...
Conflicts:
fs/crypto/hooks.c
fs/ext4/ioctl.c
fs/ext4/namei.c
fs/f2fs/checkpoint.c
fs/f2fs/data.c
fs/f2fs/dir.c
fs/f2fs/f2fs.h
fs/f2fs/file.c
fs/f2fs/gc.c
fs/f2fs/hash.c
fs/f2fs/inline.c
fs/f2fs/namei.c
fs/f2fs/node.c
fs/f2fs/node.h
fs/f2fs/recovery.c
fs/f2fs/segment.c
fs/f2fs/segment.h
fs/f2fs/super.c
fs/f2fs/sysfs.c
fs/f2fs/xattr.c
fs/libfs.c
fs/ubifs/dir.c
fs/unicode/utf8-core.c
fs/verity/enable.c
fs/verity/signature.c
include/linux/fs.h
include/linux/fscrypt.h
include/uapi/linux/fsverity.h
Change-Id: I555b2ac03d0bc864b8993a006994c68c0f4f8c41
According to spec the TSinfo size should be 4 bytes.
To fix this issue,TSInfo size is increased to 4bytes aligning with the
current standard.
CRs-Fixed: 3910625
Change-Id: I7979fa84af0295d21d4afe1b876af494a5b8fed8
A persistence map is expected to hold refs=2 during its creation.
However, the Fuzzy test can create a persistence map by configuring
a mismatch between attributes and flags using the KEEP MAP attribute
and FD NOMAP flags. This sets the map reference count to 1. The user
then calls fastrpc_internal_munmap_fd to free the map since it
doesn't check flags, which can cause a use-after-free (UAF) for the
file map and shared buffer. Add a check to restrict DMA handle
maps with invalid attributes.
Change-Id: I2f024ef99cc2a0487010504166e3af3433d5302d
Acked-by: Santosh <quic_ssakore@quicinc.com>
Signed-off-by: Abhinav Parihar <quic_parihar@quicinc.com>
commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 upstream.
The current USB-audio driver code doesn't check bLength of each
descriptor at traversing for clock descriptors. That is, when a
device provides a bogus descriptor with a shorter bLength, the driver
might hit out-of-bounds reads.
For addressing it, this patch adds sanity checks to the validator
functions for the clock descriptor traversal. When the descriptor
length is shorter than expected, it's skipped in the loop.
For the clock source and clock multiplier descriptors, we can just
check bLength against the sizeof() of each descriptor type.
OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
of bNrInPins elements and two more fields at its tail, hence those
have to be checked in addition to the sizeof() check.
Bug: 382239029
Reported-by: Benoît Sevens <bsevens@google.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com
Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Benoît Sevens <bsevens@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 45a92cbc88e4013bfed7fd2ccab3ade45f8e896b)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I13e916ffd46fce6fd08f7b9f96cea82bb4bc475d
This reverts commit e525d2cfbe652f4e287a7f84ce397d4f751d3aed.
Reason for revert: not present in android11-5.4
Change-Id: If175677a9002962baf605e632c74435f659e0420
Signed-off-by: Alexander Winkowski <dereference23@outlook.com>
Background:
When CPU is going to idle state, it would inform RCU that
current CPU is entering idle through rcu_idle_enter(),
and RCU will ignore read-side critical sections of this CPU.
However, there is CFI check mechanism inside idle flow and
calls rcu_read_lock(), so "rcu_read_lock() used illegally while idle"
in rcu_read_lock() will be triggered because rcu_idle_enter()
was already called before.
Beside, the pointer of rcu_dereference() might be invalid
due to the RCU read-side critical sections will be ignoring in
this going idle CPU, it might cause problems like:
access the wrong data/address, kernel exception...
Based on above description:
We will add __nocfi to cpuidle_enter_state to avoid
“rcu_read_lock() used illegally while idle!”
and avoid the usage of invalid pointer of rcu_dereference()
in this situation.
Bug: 169017431
Change-Id: I8bbe25704e18cfde351a8f4277dd4b44b07421f5
Signed-off-by: rogercl.yang <rogercl.yang@mediatek.com>
Signed-off-by: Chun-Hung Wu <chun-hung.wu@mediatek.com>
When CONFIG_CFI_CLANG and CONFIG_DYNAMIC_FTRACE are enabled, LLVM will
generate a jump function named ftrace_call.cfi_jt for ftrace_call, which
makes "&ftrace_call" in ftrace_update_ftrace_func() actually the address
of ftrace_call.cfi_jt. As a result, the tracer can't be really enabled
through runtime modification. Use __va_function() to get the actual address
of ftrace_call to fix the issue.
Bug: 184105181
Signed-off-by: Ben Dai <ben.dai@unisoc.com>
Change-Id: Ic9272cd4ab447b3b145d8e397e5c9010c49f7a12
With CFI, the compiler replaces function references with pointers
to the CFI jump table. This breaks passing these addresses to
code running at EL2, where the jump tables are not valid. Add a
__va_function macro similarly to the earlier __pa_function to take
address of the actual function in inline assembly and use that in
kvm_ksym_ref instead.
Bug: 163385976
Change-Id: I097b99409995512c00786300e7d18fe42c720a1b
(cherry picked from commit 2f4d6c9fd77c88ad0500aad4bf1f64aaf2654c49)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
The arm64 module region is a 128 MB region that is kept close to
the core kernel, in order to ensure that relative branches are
always in range. So using the same region for programs that do
not have this restriction is wasteful, and preferably avoided.
Now that the core BPF JIT code permits the alloc/free routines to
be overridden, implement them by vmalloc()/vfree() calls from a
dedicated 128 MB region set aside for BPF programs. This ensures
that BPF programs are still in branching range of each other, which
is something the JIT currently depends upon (and is not guaranteed
when using module_alloc() on KASLR kernels like we do currently).
It also ensures that placement of BPF programs does not correlate
with the placement of the core kernel or modules, making it less
likely that leaking the former will reveal the latter.
This also solves an issue under KASAN, where shadow memory is
needlessly allocated for all BPF programs (which don't require KASAN
shadow pages since they are not KASAN instrumented)
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
Change-Id: Id3a066651f282249e8825b7bcdf9a78e84c1f878
By default, BPF uses module_alloc() to allocate executable memory,
but this is not necessary on all arches and potentially undesirable
on some of them.
So break out the module_alloc() and module_memfree() calls into __weak
functions to allow them to be overridden in arch code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
Change-Id: I582794881942bc0b766515861f2232354860536b
The bpf helper bpf_trace_printk() uses trace_printk() under the hood.
This leads to an alarming warning message originating from trace
buffer allocation which occurs the first time a program using
bpf_trace_printk() is loaded.
We can instead create a trace event for bpf_trace_printk() and enable
it in-kernel when/if we encounter a program using the
bpf_trace_printk() helper. With this approach, trace_printk()
is not used directly and no warning message appears.
This work was started by Steven (see Link) and finished by Alan; added
Steven's Signed-off-by with his permission.
Change-Id: Ie1e4cf1dce934e62613440b5081cb757cdbe982c
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Andrii Nakryiko <andriin@fb.com>
Link: https://lore.kernel.org/r/20200628194334.6238b933@oasis.local.home
Link: https://lore.kernel.org/bpf/1594641154-18897-2-git-send-email-alan.maguire@oracle.com
trace_printk is recommended for debugging purpose as it
requires temporary memory to handle strings. If used
anywhere within the kernel, memory will be allocated to it.
Hence removed it to avoid any unnecessary memory allocation.
Change-Id: If7b0cada91c97b21987f91e0ff7b7a15ce2145e2
Signed-off-by: Faiz Nabi Kuchay <quic_fkuchay@quicinc.com>
Signed-off-by: Hridaya Prajapati <info.hridayaprajapati@gmail.com>
We want to build coresight drivers as builtin drivers. But
adreno-coresight.c in msm_adreno.ko calls coresight functions.
To avoid exporting new symbols in vmlinux and breaking the ABI, this
patch separates adreno-coresight.c into CONFIG_CORESIGHT_ADRENO.
CONFIG_CORESIGHT_ADRENO is only enabled when both coresight and adreno
are builtin drivers.
Bug: 167414982
Bug: 170753932
Signed-off-by: Yabin Cui <yabinc@google.com>
Change-Id: I7488293445ade738ba03cc457320e0d74f910886
Fix the possible OOB write in unpacking the country IE due to
the IE length check against integer division.
CRs-Fixed: 3910626
Change-Id: I800290ab7285fb46ed43a46ce38967046b4881fa
"LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0"
* tag 'LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel:
asoc: codec: avoid out of bound write to map array
asoc: codec: avoid out of bound write to map array
dsp: q6voice: Changing data type from %d to %ld
dsp: q6voice: Add buf size check for cvp cal data
Conflicts:
techpack/audio/asoc/codecs/wcd938x/wcd938x.c
Change-Id: I7d1385928f2945ca39e10a6d5a8b7cc497ea9d26
"LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0"
* tag 'LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.19:
msm: eva: Copy back the validated size to avoid security issue
msm: adsprpc: Avoid double free on map
msm: npu: Fix use after free issue
msm: npu: Fix use after free issue
clk: qcom: lpasscc-scuba: Add Support for AON & AUDIO clock drivers
dt-bindings: clk: lpasscc-scuba: Add support for LPASS AONCC and AUDIOCC
msm: ipa: clean up netdev resources in AFTER_SHUTDOWN cb
Slimbus: slim-msm-ngd: Avoid accessing deallocated stack
Change-Id: I4eb6096f7140d127f8bf3d2c299550aec2720bc1
If extract_metadata() fails, it will free metadata in its own error
path, so it is safe to simply return the provided error value without
worrying about resource handling/releasing.
Moreover, if we simply return in extract_metadata()'s error path, we
can assume the thread of execution will only make it down into the
free_metadata: tag area sometime after extract_metadata()'s success,
in which case metadata will need to be freed without question.
Bug: 234030265
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I1bf42ff9ecef3eea26543526c6955d7823d45c43
if2fs_fill_super
-> f2fs_build_segment_manager
-> create_discard_cmd_control
-> f2fs_start_discard_thread
It invokes kthread_run to create a thread and run issue_discard_thread.
However, if f2fs_build_node_manager fails, the control flow goes to
free_nm and calls f2fs_destroy_node_manager. This function will free
sbi->nm_info. However, if issue_discard_thread accesses sbi->nm_info
after the deallocation, but before the f2fs_stop_discard_thread, it will
cause UAF(Use-after-free).
-> f2fs_destroy_segment_manager
-> destroy_discard_cmd_control
-> f2fs_stop_discard_thread
Fix this by stopping discard thread before f2fs_destroy_node_manager.
Note that, the commit d6d2b491a82e1 introduces the call of
f2fs_available_free_memory into issue_discard_thread.
Cc: stable@vger.kernel.org
Fixes: d6d2b491a82e ("f2fs: allow to change discard policy based on cached discard cmds")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 5429c9dbc9025f9a166f64e22e3a69c94fd5b29b)
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: If121b453455b11b2aded8ba8a3899faad431dbd3
Add proper check to validate table rule count
which may lead to overflow error.
Change-Id: Idfa86878db49ad4803f8902c995eb4186a2d3523
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream.
The usb_get_descriptor() function does DMA so we're not allowed
to use a stack buffer for that. Doing DMA to the stack is not portable
all architectures. Move the "new_device_descriptor" from being stored
on the stack and allocate it with kmalloc() instead.
Bug: 382243530
Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
Cc: stable@kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Benoît Sevens <bsevens@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4e54dc4bbc602133217de301d9f814f3e6d22eee)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I469212aa538584e3d8cc5b0087b68c99acf43f64
As we are reading the packet from a shared queue, there is a
possibility to corrupt the packet->size data of shared queue by
malicious FW after validating it in the kernel driver.
Change-Id: I3aae85dea560e2805e7bff2c48d4be763da597de
Signed-off-by: Gopireddy Arunteja Reddy <quic_garuntej@quicinc.com>
