Otherwise, __lookup_extent_tree() will override the given extent_info which will
be used by the caller.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 22a341b43036415718f2d50f5f98b2f891fe17e9)
Change-Id: I5ddc08dd3d299f222b4b9b1334f2e675e37956b6
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
Let's explicitly use the defined values in block_age case only.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit ed2724765e58e3310d3de48f4a1761631b3dd640)
Change-Id: Ibbed9907e98c54a7fc807f5deb9300aeb2d35e70
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
This can avoid confusing tracepoint values.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit fe59109ae5c0b34a8c7c07f693fc501b12b57787)
Change-Id: I64d127fed283cfe93579a031b1b8762d35069f98
Signed-off-by: zhaoyuenan <amktiao030215@gmail.com>
commit e61b11a737 ("ANDROID: fuse: Allocate zeroed memory for canonical path")
fixes the deadlock that this patch tries to fix.
This reverts commit aeb761e164.
Change-Id: I7137a93cf83b4d2a3cecb2b2de6f9fa14e6a2702
This patch allows the administrator to configure the interface
name of a function using u_ether (e.g., eem, ncm, rndis).
Currently, all such interfaces, regardless of function type, are
always called usb0, usb1, etc. This makes it very cumbersome to
use more than one such type at a time, because userspace cannot
easily tell the interfaces apart and apply the right
configuration to each one. Interface renaming in userspace based
on driver doesn't help, because the interfaces all have the same
driver. Without this patch, doing this requires hacks/workarounds
such as setting fixed MAC addresses on the functions, and then
renaming by MAC address, or scraping configfs after each
interface is created to find out what it is.
Setting the interface name is done by writing to the same
"ifname" configfs attribute that reports the interface name after
the function is bound. The write must contain an interface
pattern such as "usb%d" (which will cause the net core to pick
the next available interface name starting with "usb").
This patch does not allow writing an exact interface name (as
opposed to a pattern) because if the interface already exists at
bind time, the bind will fail and the whole gadget will fail to
activate. This could be allowed in a future patch.
For compatibility with current userspace, when reading an ifname
that has not currently been set, the result is still "(unnamed
net_device)". Once a write to ifname happens, then reading ifname
will return whatever was last written.
Tested by configuring an rndis function and an ncm function on
the same gadget, and writing "rndis%d" to ifname on the rndis
function and "ncm%d" to ifname on the ncm function. When the
gadget was bound, the rndis interface was rndis0 and the ncm
interface was ncm0.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
(cherry picked from commit 63d152149b2d0860ccf8c4e6596b6175b2b7ace6
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-next)
Link: https://lore.kernel.org/r/20210113234222.3272933-1-lorenzo@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Change-Id: I04deb6cc1d8a5b8ee82404940de2a79c06fbafe7
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 37e444c8296c14cb5768a1197b24cfc07ee8e0cd ]
snprintf returns the actual length of the buffer created; however,
this is not the case if snprintf truncates its parameter.
See https://lwn.net/Articles/69419/ for a detailed explanation.
The current code correctly handles this case at the expense
of extra code in the return statement.
scnprintf does return the actual length of the buffer created,
making the ?: operator unnecessary in the return
statement.
This change does not alter the functionality of the code.
Change-Id: I518abb00c6bd19d60d95a0ba8577a174feaaa3f3
Signed-off-by: Daniel M German <dmg@turingmachine.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[ Upstream commit a04224da1f3424b2c607b12a3bd1f0e302fb8231 ]
Previously, gadget assignment to the net device occurred exclusively
during the initial binding attempt.
Nevertheless, the gadget pointer could change during bind/unbind
cycles due to various conditions, including the unloading/loading
of the UDC device driver or the detachment/reconnection of an
OTG-capable USB hub device.
This patch relocates the gether_set_gadget() function out from
ncm_opts->bound condition check, ensuring that the correct gadget
is assigned during each bind request.
The provided logs demonstrate the consistency of ncm_opts throughout
the power cycle, while the gadget may change.
* OTG hub connected during boot up and assignment of gadget and
ncm_opts pointer
[ 2.366301] usb 2-1.5: New USB device found, idVendor=2996, idProduct=0105
[ 2.366304] usb 2-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2.366306] usb 2-1.5: Product: H2H Bridge
[ 2.366308] usb 2-1.5: Manufacturer: Aptiv
[ 2.366309] usb 2-1.5: SerialNumber: 13FEB2021
[ 2.427989] usb 2-1.5: New USB device found, VID=2996, PID=0105
[ 2.428959] dabridge 2-1.5:1.0: dabridge 2-4 total endpoints=5, 0000000093a8d681
[ 2.429710] dabridge 2-1.5:1.0: P(0105) D(22.06.22) F(17.3.16) H(1.1) high-speed
[ 2.429714] dabridge 2-1.5:1.0: Hub 2-2 P(0151) V(06.87)
[ 2.429956] dabridge 2-1.5:1.0: All downstream ports in host mode
[ 2.430093] gadget 000000003c414d59 ------> gadget pointer
* NCM opts and associated gadget pointer during First ncm_bind
[ 34.763929] NCM opts 00000000aa304ac9
[ 34.763930] NCM gadget 000000003c414d59
* OTG capable hub disconnected or assume driver unload.
[ 97.203114] usb 2-1: USB disconnect, device number 2
[ 97.203118] usb 2-1.1: USB disconnect, device number 3
[ 97.209217] usb 2-1.5: USB disconnect, device number 4
[ 97.230990] dabr_udc deleted
* Reconnect the OTG hub or load driver to assign new gadget pointer.
[ 111.534035] usb 2-1.1: New USB device found, idVendor=2996, idProduct=0120, bcdDevice= 6.87
[ 111.534038] usb 2-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 111.534040] usb 2-1.1: Product: Vendor
[ 111.534041] usb 2-1.1: Manufacturer: Aptiv
[ 111.534042] usb 2-1.1: SerialNumber: Superior
[ 111.535175] usb 2-1.1: New USB device found, VID=2996, PID=0120
[ 111.610995] usb 2-1.5: new high-speed USB device number 8 using xhci-hcd
[ 111.630052] usb 2-1.5: New USB device found, idVendor=2996, idProduct=0105, bcdDevice=21.02
[ 111.630055] usb 2-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 111.630057] usb 2-1.5: Product: H2H Bridge
[ 111.630058] usb 2-1.5: Manufacturer: Aptiv
[ 111.630059] usb 2-1.5: SerialNumber: 13FEB2021
[ 111.687464] usb 2-1.5: New USB device found, VID=2996, PID=0105
[ 111.690375] dabridge 2-1.5:1.0: dabridge 2-8 total endpoints=5, 000000000d87c961
[ 111.691172] dabridge 2-1.5:1.0: P(0105) D(22.06.22) F(17.3.16) H(1.1) high-speed
[ 111.691176] dabridge 2-1.5:1.0: Hub 2-6 P(0151) V(06.87)
[ 111.691646] dabridge 2-1.5:1.0: All downstream ports in host mode
[ 111.692298] gadget 00000000dc72f7a9 --------> new gadget ptr on connect
* NCM opts and associated gadget pointer during second ncm_bind
[ 113.271786] NCM opts 00000000aa304ac9 -----> same opts ptr used during first bind
[ 113.271788] NCM gadget 00000000dc72f7a9 ----> however new gadget ptr, that will not be set
in net_device due to ncm_opts->bound = true
Change-Id: I803f892ccd2a0f9558d4f32d8a3104aba78353ff
Signed-off-by: Hardik Gajjar <hgajjar@de.adit-jv.com>
Link: https://lore.kernel.org/r/20231020153324.82794-1-hgajjar@de.adit-jv.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Revert the following changes to restore to upstream version:
commit d50dafdc03 ("usb: gadget: f_ncm: allocate/free net device upon driver bind/unbind")
commit 2b958bac04 ("usb: gadget: Add check gadget function bind or not")
Reason for revert: Causes gether_set_ifname() support to kernel panic.
Change-Id: I51064467cad63e47a4a9734f18f1a5b95fa8db86
5.18-rc1 has many merge issues and the block io path has been rewritten,
so the tracepoints added here do not work properly anymore (and break
the build.)
If this is really still needed (hint, I strongly doubt it), it can be
redesigned and added back after 5.18-rc1 is released.
Cc: Mohan Srinivasan <srmohan@google.com>
Cc: Amit Pundir <amit.pundir@linaro.org>
Cc: Alistair Strachan <astrachan@google.com>
Fixes: f2fe7bac26dc ("ANDROID: fs: FS tracepoints to track IO.")
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[Jaegeuk Kim: remove fsync tracepoints as well]
Change-Id: I64981f2f692a434b976e50677d3414037d5ee409
* 'upstream-f2fs-stable-linux-4.19.y' of https://android.googlesource.com/kernel/common: (560 commits)
f2fs: reset wait_ms to default if any of the victims have been selected
f2fs: fix some format WARNING in debug.c and sysfs.c
f2fs: don't call f2fs_issue_discard_timeout() when discard_cmd_cnt is 0 in f2fs_put_super()
f2fs: fix iostat parameter for discard
f2fs: Fix spelling mistake in label: free_bio_enrty_cache -> free_bio_entry_cache
f2fs: avoid build warnining in extent_cache
f2fs: add block_age-based extent cache
f2fs: allocate the extent_cache by default
f2fs: refactor extent_cache to support for read and more
f2fs: remove unnecessary __init_extent_tree
f2fs: move internal functions into extent_cache.c
f2fs: specify extent cache for read explicitly
f2fs: introduce f2fs_is_readonly() for readability
f2fs: remove F2FS_SET_FEATURE() and F2FS_CLEAR_FEATURE() macro
f2fs: do some cleanup for f2fs module init
MAINTAINERS: Add f2fs bug tracker link
f2fs: remove the unused flush argument to change_curseg
f2fs: open code allocate_segment_by_default
f2fs: remove struct segment_allocation default_salloc_ops
f2fs: introduce discard_urgent_util sysfs node
...
Conflicts:
fs/crypto/hooks.c
fs/ext4/ioctl.c
fs/ext4/namei.c
fs/f2fs/checkpoint.c
fs/f2fs/data.c
fs/f2fs/dir.c
fs/f2fs/f2fs.h
fs/f2fs/file.c
fs/f2fs/gc.c
fs/f2fs/hash.c
fs/f2fs/inline.c
fs/f2fs/namei.c
fs/f2fs/node.c
fs/f2fs/node.h
fs/f2fs/recovery.c
fs/f2fs/segment.c
fs/f2fs/segment.h
fs/f2fs/super.c
fs/f2fs/sysfs.c
fs/f2fs/xattr.c
fs/libfs.c
fs/ubifs/dir.c
fs/unicode/utf8-core.c
fs/verity/enable.c
fs/verity/signature.c
include/linux/fs.h
include/linux/fscrypt.h
include/uapi/linux/fsverity.h
Change-Id: I555b2ac03d0bc864b8993a006994c68c0f4f8c41
According to spec the TSinfo size should be 4 bytes.
To fix this issue, TSInfo size is increased to 4 bytes, aligning with the
current standard.
CRs-Fixed: 3910625
Change-Id: I7979fa84af0295d21d4afe1b876af494a5b8fed8
A persistence map is expected to hold refs=2 during its creation.
However, the Fuzzy test can create a persistence map by configuring
a mismatch between attributes and flags using the KEEP MAP attribute
and FD NOMAP flags. This sets the map reference count to 1. The user
then calls fastrpc_internal_munmap_fd to free the map since it
doesn't check flags, which can cause a use-after-free (UAF) for the
file map and shared buffer. Add a check to restrict DMA handle
maps with invalid attributes.
Change-Id: I2f024ef99cc2a0487010504166e3af3433d5302d
Acked-by: Santosh <quic_ssakore@quicinc.com>
Signed-off-by: Abhinav Parihar <quic_parihar@quicinc.com>
commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 upstream.
The current USB-audio driver code doesn't check bLength of each
descriptor at traversing for clock descriptors. That is, when a
device provides a bogus descriptor with a shorter bLength, the driver
might hit out-of-bounds reads.
For addressing it, this patch adds sanity checks to the validator
functions for the clock descriptor traversal. When the descriptor
length is shorter than expected, it's skipped in the loop.
For the clock source and clock multiplier descriptors, we can just
check bLength against the sizeof() of each descriptor type.
OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
of bNrInPins elements and two more fields at its tail, hence those
have to be checked in addition to the sizeof() check.
Bug: 382239029
Reported-by: Benoît Sevens <bsevens@google.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com
Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Benoît Sevens <bsevens@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 45a92cbc88e4013bfed7fd2ccab3ade45f8e896b)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I13e916ffd46fce6fd08f7b9f96cea82bb4bc475d
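As an added illustration of the bLength checks this commit describes (example code written for this page, not the kernel's own traversal code): a walk over a constructed class-specific descriptor buffer that skips any UAC2 clock descriptor shorter than its layout requires, including the bNrInPins-dependent size of a clock selector. The subtype values are the UAC2 specification's; the sample descriptor bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* USB Audio Class 2.0 descriptor type and clock subtype values (UAC2 spec, Appendix A). */
#define CS_INTERFACE           0x24
#define UAC2_CLOCK_SOURCE      0x0a
#define UAC2_CLOCK_SELECTOR    0x0b
#define UAC2_CLOCK_MULTIPLIER  0x0c

/* Fixed layouts: clock source = 8 bytes, clock multiplier = 7 bytes. A clock
 * selector has 5 fixed bytes, then bNrInPins source IDs, then bmControls and
 * iClockSelector, so its minimum bLength depends on the bNrInPins byte. */
#define UAC2_CLOCK_SOURCE_SIZE      8
#define UAC2_CLOCK_MULTIPLIER_SIZE  7
#define UAC2_CLOCK_SELECTOR_HDR     5
#define UAC2_CLOCK_SELECTOR_TAIL    2

/* Minimum bLength for the clock descriptor at d, or 0 if d is not a clock
 * descriptor. blen is the byte count known to be present, so bNrInPins is
 * only read when it actually lies inside the descriptor. */
static size_t min_clock_desc_len(const uint8_t *d, size_t blen)
{
    switch (d[2]) {
    case UAC2_CLOCK_SOURCE:
        return UAC2_CLOCK_SOURCE_SIZE;
    case UAC2_CLOCK_MULTIPLIER:
        return UAC2_CLOCK_MULTIPLIER_SIZE;
    case UAC2_CLOCK_SELECTOR:
        if (blen <= 4)
            return SIZE_MAX;   /* bNrInPins itself is missing: never valid */
        return UAC2_CLOCK_SELECTOR_HDR + d[4] + UAC2_CLOCK_SELECTOR_TAIL;
    default:
        return 0;
    }
}

/* Walk the class-specific descriptors in buf[0..len) and return the clock
 * descriptor whose bClockID equals id, or NULL. Every descriptor is first
 * bounded by the buffer, and a clock descriptor shorter than its layout is
 * skipped instead of parsed, which is the check this commit adds. */
const uint8_t *find_clock_desc(const uint8_t *buf, size_t len, uint8_t id)
{
    size_t off = 0;

    while (off + 3 <= len) {
        const uint8_t *d = buf + off;
        size_t blen = d[0];

        /* bLength < 3 cannot hold type+subtype (and would stall the walk);
         * bLength past the buffer end means the rest is garbage. Stop. */
        if (blen < 3 || off + blen > len)
            return NULL;
        if (d[1] == CS_INTERFACE) {
            size_t need = min_clock_desc_len(d, blen);
            /* Only consult bClockID once the descriptor is known to be long enough. */
            if (need != 0 && blen >= need && d[3] == id)
                return d;
        }
        off += blen;
    }
    return NULL;
}

/* Constructed sample: a bogus clock selector that claims bLength 6 but
 * bNrInPins 2 (it would need 5 + 2 + 2 = 9 bytes), followed by a well-formed
 * clock source with bClockID 0x05. */
static const uint8_t sample_descs[] = {
    6, CS_INTERFACE, UAC2_CLOCK_SELECTOR, 0x07, 0x02, 0x05,
    8, CS_INTERFACE, UAC2_CLOCK_SOURCE, 0x05, 0x01, 0x07, 0x00, 0x00,
};

int main(void)
{
    const uint8_t *src = find_clock_desc(sample_descs, sizeof sample_descs, 0x05);
    const uint8_t *sel = find_clock_desc(sample_descs, sizeof sample_descs, 0x07);

    printf("clock source 0x05 at offset %ld\n", src ? (long)(src - sample_descs) : -1L);
    printf("bogus selector 0x07 %s\n", sel ? "FOUND (bug)" : "skipped");
    return 0;
}
```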
This reverts commit e525d2cfbe652f4e287a7f84ce397d4f751d3aed.
Reason for revert: not present in android11-5.4
Change-Id: If175677a9002962baf605e632c74435f659e0420
Signed-off-by: Alexander Winkowski <dereference23@outlook.com>
Background:
When a CPU is going to idle state, it would inform RCU that the
current CPU is entering idle through rcu_idle_enter(),
and RCU will ignore read-side critical sections of this CPU.
However, there is a CFI check mechanism inside the idle flow that
calls rcu_read_lock(), so "rcu_read_lock() used illegally while idle"
in rcu_read_lock() will be triggered because rcu_idle_enter()
was already called before.
Besides, the pointer from rcu_dereference() might be invalid
because the RCU read-side critical sections of this CPU going idle
are ignored, which might cause problems like:
accessing the wrong data/address, kernel exception...
Based on above description:
We will add __nocfi to cpuidle_enter_state to avoid
“rcu_read_lock() used illegally while idle!”
and avoid the usage of invalid pointer of rcu_dereference()
in this situation.
Bug: 169017431
Change-Id: I8bbe25704e18cfde351a8f4277dd4b44b07421f5
Signed-off-by: rogercl.yang <rogercl.yang@mediatek.com>
Signed-off-by: Chun-Hung Wu <chun-hung.wu@mediatek.com>
When CONFIG_CFI_CLANG and CONFIG_DYNAMIC_FTRACE are enabled, LLVM will
generate a jump function named ftrace_call.cfi_jt for ftrace_call, which
makes "&ftrace_call" in ftrace_update_ftrace_func() actually the address
of ftrace_call.cfi_jt. As a result, the tracer can't be really enabled
through runtime modification. Use __va_function() to get the actual address
of ftrace_call to fix the issue.
Bug: 184105181
Signed-off-by: Ben Dai <ben.dai@unisoc.com>
Change-Id: Ic9272cd4ab447b3b145d8e397e5c9010c49f7a12
With CFI, the compiler replaces function references with pointers
to the CFI jump table. This breaks passing these addresses to
code running at EL2, where the jump tables are not valid. Add a
__va_function macro similarly to the earlier __pa_function to take
address of the actual function in inline assembly and use that in
kvm_ksym_ref instead.
Bug: 163385976
Change-Id: I097b99409995512c00786300e7d18fe42c720a1b
(cherry picked from commit 2f4d6c9fd77c88ad0500aad4bf1f64aaf2654c49)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
The arm64 module region is a 128 MB region that is kept close to
the core kernel, in order to ensure that relative branches are
always in range. So using the same region for programs that do
not have this restriction is wasteful, and preferably avoided.
Now that the core BPF JIT code permits the alloc/free routines to
be overridden, implement them by vmalloc()/vfree() calls from a
dedicated 128 MB region set aside for BPF programs. This ensures
that BPF programs are still in branching range of each other, which
is something the JIT currently depends upon (and is not guaranteed
when using module_alloc() on KASLR kernels like we do currently).
It also ensures that placement of BPF programs does not correlate
with the placement of the core kernel or modules, making it less
likely that leaking the former will reveal the latter.
This also solves an issue under KASAN, where shadow memory is
needlessly allocated for all BPF programs (which don't require KASAN
shadow pages since they are not KASAN instrumented).
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
Change-Id: Id3a066651f282249e8825b7bcdf9a78e84c1f878
By default, BPF uses module_alloc() to allocate executable memory,
but this is not necessary on all arches and potentially undesirable
on some of them.
So break out the module_alloc() and module_memfree() calls into __weak
functions to allow them to be overridden in arch code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
Change-Id: I582794881942bc0b766515861f2232354860536b
The bpf helper bpf_trace_printk() uses trace_printk() under the hood.
This leads to an alarming warning message originating from trace
buffer allocation which occurs the first time a program using
bpf_trace_printk() is loaded.
We can instead create a trace event for bpf_trace_printk() and enable
it in-kernel when/if we encounter a program using the
bpf_trace_printk() helper. With this approach, trace_printk()
is not used directly and no warning message appears.
This work was started by Steven (see Link) and finished by Alan; added
Steven's Signed-off-by with his permission.
Change-Id: Ie1e4cf1dce934e62613440b5081cb757cdbe982c
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Andrii Nakryiko <andriin@fb.com>
Link: https://lore.kernel.org/r/20200628194334.6238b933@oasis.local.home
Link: https://lore.kernel.org/bpf/1594641154-18897-2-git-send-email-alan.maguire@oracle.com
trace_printk is recommended for debugging purposes as it
requires temporary memory to handle strings. If used
anywhere within the kernel, memory will be allocated to it.
Hence it is removed to avoid any unnecessary memory allocation.
Change-Id: If7b0cada91c97b21987f91e0ff7b7a15ce2145e2
Signed-off-by: Faiz Nabi Kuchay <quic_fkuchay@quicinc.com>
Signed-off-by: Hridaya Prajapati <info.hridayaprajapati@gmail.com>
We want to build coresight drivers as builtin drivers. But
adreno-coresight.c in msm_adreno.ko calls coresight functions.
To avoid exporting new symbols in vmlinux and breaking the ABI, this
patch separates adreno-coresight.c into CONFIG_CORESIGHT_ADRENO.
CONFIG_CORESIGHT_ADRENO is only enabled when both coresight and adreno
are builtin drivers.
Bug: 167414982
Bug: 170753932
Signed-off-by: Yabin Cui <yabinc@google.com>
Change-Id: I7488293445ade738ba03cc457320e0d74f910886
Fix the possible OOB write in unpacking the country IE due to
the IE length check against integer division.
CRs-Fixed: 3910626
Change-Id: I800290ab7285fb46ed43a46ce38967046b4881fa
"LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0"
* tag 'LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel:
asoc: codec: avoid out of bound write to map array
asoc: codec: avoid out of bound write to map array
dsp: q6voice: Changing data type from %d to %ld
dsp: q6voice: Add buf size check for cvp cal data
Conflicts:
techpack/audio/asoc/codecs/wcd938x/wcd938x.c
Change-Id: I7d1385928f2945ca39e10a6d5a8b7cc497ea9d26
"LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0"
* tag 'LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.19:
msm: eva: Copy back the validated size to avoid security issue
msm: adsprpc: Avoid double free on map
msm: npu: Fix use after free issue
msm: npu: Fix use after free issue
clk: qcom: lpasscc-scuba: Add Support for AON & AUDIO clock drivers
dt-bindings: clk: lpasscc-scuba: Add support for LPASS AONCC and AUDIOCC
msm: ipa: clean up netdev resources in AFTER_SHUTDOWN cb
Slimbus: slim-msm-ngd: Avoid accessing deallocated stack
Change-Id: I4eb6096f7140d127f8bf3d2c299550aec2720bc1
If extract_metadata() fails, it will free metadata in its own error
path, so it is safe to simply return the provided error value without
worrying about resource handling/releasing.
Moreover, if we simply return in extract_metadata()'s error path, we
can assume the thread of execution will only make it down into the
free_metadata: tag area sometime after extract_metadata()'s success,
in which case metadata will need to be freed without question.
Bug: 234030265
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I1bf42ff9ecef3eea26543526c6955d7823d45c43
f2fs_fill_super
  -> f2fs_build_segment_manager
    -> create_discard_cmd_control
      -> f2fs_start_discard_thread
It invokes kthread_run to create a thread and run issue_discard_thread.
However, if f2fs_build_node_manager fails, the control flow goes to
free_nm and calls f2fs_destroy_node_manager. This function will free
sbi->nm_info. However, if issue_discard_thread accesses sbi->nm_info
after the deallocation, but before the f2fs_stop_discard_thread, it will
cause UAF(Use-after-free).
-> f2fs_destroy_segment_manager
  -> destroy_discard_cmd_control
    -> f2fs_stop_discard_thread
Fix this by stopping discard thread before f2fs_destroy_node_manager.
Note that the commit d6d2b491a82e1 introduces the call of
f2fs_available_free_memory into issue_discard_thread.
Cc: stable@vger.kernel.org
Fixes: d6d2b491a82e ("f2fs: allow to change discard policy based on cached discard cmds")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 5429c9dbc9025f9a166f64e22e3a69c94fd5b29b)
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: If121b453455b11b2aded8ba8a3899faad431dbd3
Add a proper check to validate the table rule count,
which may otherwise lead to an overflow error.
Change-Id: Idfa86878db49ad4803f8902c995eb4186a2d3523
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream.
The usb_get_descriptor() function does DMA so we're not allowed
to use a stack buffer for that. Doing DMA to the stack is not portable
to all architectures. Move the "new_device_descriptor" from being stored
on the stack and allocate it with kmalloc() instead.
Bug: 382243530
Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
Cc: stable@kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Benoît Sevens <bsevens@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4e54dc4bbc602133217de301d9f814f3e6d22eee)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I469212aa538584e3d8cc5b0087b68c99acf43f64
As we are reading the packet from a shared queue, there is a
possibility to corrupt the packet->size data of shared queue by
malicious FW after validating it in the kernel driver.
Change-Id: I3aae85dea560e2805e7bff2c48d4be763da597de
Signed-off-by: Gopireddy Arunteja Reddy <quic_garuntej@quicinc.com>
https://source.android.com/docs/security/bulletin/2025-01-01
* tag 'ASB-2025-01-05_4.19-stable' of https://android.googlesource.com/kernel/common: (132 commits)
Revert "UPSTREAM: unicode: Don't special case ignorable code points"
Reapply "UPSTREAM: unicode: Don't special case ignorable code points"
Revert "UPSTREAM: unicode: Don't special case ignorable code points"
Linux 4.19.325
sh: intc: Fix use-after-free bug in register_intc_controller()
modpost: remove incorrect code in do_eisa_entry()
9p/xen: fix release of IRQ
9p/xen: fix init sequence
block: return unsigned int from bdev_io_min
jffs2: fix use of uninitialized variable
ubi: fastmap: Fix duplicate slab cache names while attaching
ubifs: Correct the total block count by deducting journal reservation
rtc: check if __rtc_read_time was successful in rtc_timer_do_work()
NFSv4.0: Fix a use-after-free problem in the asynchronous open()
um: Fix the return value of elf_core_copy_task_fpregs
rpmsg: glink: Propagate TX failures in intentless mode as well
NFSD: Prevent a potential integer overflow
lib: string_helpers: silence snprintf() output truncation warning
usb: dwc3: gadget: Fix checking for number of TRBs left
media: wl128x: Fix atomicity violation in fmc_send_cmd()
...
Conflicts:
arch/arm64/boot/dts/vendor/bindings/clock/adi,axi-clkgen.yaml
arch/arm64/boot/dts/vendor/bindings/clock/axi-clkgen.txt
drivers/rpmsg/qcom_glink_native.c
Change-Id: Iea6ddf20dfaa4419f6e0b2efcee1890bfa8e2554
Decrement and check the ref count of map
inside the lock. Otherwise, two threads may
free the same map.
Change-Id: I081b937bfd3e8da3e2480f062cad6966662994b5
Acked-by: Sharad Kumar <sharku@qti.qualcomm.com>
Signed-off-by: Abhinav Parihar <quic_parihar@quicinc.com>
There is a possibility that the network will be used after free.
This change is to fix this issue.
Change-Id: I39aa81ddc4a7d1801b2f7157aa21f0051ff2d5a5
Signed-off-by: Gao Wang <quic_gaowang@quicinc.com>
(cherry picked from commit c29b693900)
There is a possibility that the network will be used after free.
This change is to fix this issue.
Change-Id: I39aa81ddc4a7d1801b2f7157aa21f0051ff2d5a5
Signed-off-by: Gao Wang <quic_gaowang@quicinc.com>
commit 3e6f8d1fa18457d54b20917bd9174d27daf09ab9 upstream.
Similar to
commit 231ad7f409f1 ("Makefile: infer --target from ARCH for CC=clang"),
there really is no point in setting --target based on
$CROSS_COMPILE_COMPAT for clang when the integrated assembler is being
used, since
commit ef94340583ee ("arm64: vdso32: drop -no-integrated-as flag").
This allows COMPAT_VDSO to be selected without setting $CROSS_COMPILE_COMPAT
when using clang and lld together.
Before:
$ ARCH=arm64 CROSS_COMPILE_COMPAT=arm-linux-gnueabi- make -j72 LLVM=1 defconfig
$ grep CONFIG_COMPAT_VDSO .config
CONFIG_COMPAT_VDSO=y
$ ARCH=arm64 make -j72 LLVM=1 defconfig
$ grep CONFIG_COMPAT_VDSO .config
$
After:
$ ARCH=arm64 CROSS_COMPILE_COMPAT=arm-linux-gnueabi- make -j72 LLVM=1 defconfig
$ grep CONFIG_COMPAT_VDSO .config
CONFIG_COMPAT_VDSO=y
$ ARCH=arm64 make -j72 LLVM=1 defconfig
$ grep CONFIG_COMPAT_VDSO .config
CONFIG_COMPAT_VDSO=y
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Suggested-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Reviewed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Link: https://lore.kernel.org/r/20211019223646.1146945-5-ndesaulniers@google.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I91e4f7a6944819e9ec0dffc0f19da5436d62fec3
Before commit e42ee61017f5 ("of: Let of_for_each_phandle fallback to
non-negative cell_count") the iterator functions calling
of_for_each_phandle assumed a cell count of 0 if cells_name was NULL.
This corner case was missed when implementing the fallback logic in
e42ee61017f5 and resulted in an endless loop.
Restore the old behaviour of of_count_phandle_with_args() and
of_parse_phandle_with_args() and add a check to
of_phandle_iterator_init() to prevent a similar failure as a safety
precaution. of_parse_phandle_with_args_map() doesn't need a similar fix
as cells_name isn't NULL there.
Affected drivers are:
- drivers/base/power/domain.c
- drivers/base/power/domain.c
- drivers/clk/ti/clk-dra7-atl.c
- drivers/hwmon/ibmpowernv.c
- drivers/i2c/muxes/i2c-demux-pinctrl.c
- drivers/iommu/mtk_iommu.c
- drivers/net/ethernet/freescale/fman/mac.c
- drivers/opp/of.c
- drivers/perf/arm_dsu_pmu.c
- drivers/regulator/of_regulator.c
- drivers/remoteproc/imx_rproc.c
- drivers/soc/rockchip/pm_domains.c
- sound/soc/fsl/imx-audmix.c
- sound/soc/fsl/imx-audmix.c
- sound/soc/meson/axg-card.c
- sound/soc/samsung/tm2_wm5110.c
- sound/soc/samsung/tm2_wm5110.c
Thanks to Geert Uytterhoeven for reporting the issue, Peter Rosin for
helping pinpoint the actual problem and the testers for confirming this
fix.
Fixes: e42ee61017f5 ("of: Let of_for_each_phandle fallback to non-negative cell_count")
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Change-Id: I684efc01df23ea32c578c1da4f8ea6fcf6f03ced
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Rob Herring <robh@kernel.org>
Referencing device tree nodes from a property allows passing arguments.
This is for example used for referencing gpios. This looks as follows:
	gpio_ctrl: gpio-controller {
		#gpio-cells = <2>;
		...
	}
	someothernode {
		gpios = <&gpio_ctrl 5 0 &gpio_ctrl 3 0>;
		...
	}
To know the number of arguments, this must either be fixed, or the
referenced node is checked for a $cells_name (here: "#gpio-cells")
property, and with this information the start of the second reference can
be determined.
Currently regulators are referenced with no additional arguments. To
allow some optional arguments without having to change all referenced
nodes this change introduces a way to specify a default cell_count. So
when a phandle is parsed we check for the $cells_name property and use
it as before if present. If it is not present we fall back to
cells_count if non-negative and only fail if cells_count is smaller than
zero.
Change-Id: Ic7a6a5e667d46847becb2a9593a00ba6db49fc98
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Rob Herring <robh@kernel.org>
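Added example (written for this page, not the kernel's own code) modelling the phandle iterator that both of the preceding commit messages describe: a constructed node table and property values, the per-node "#gpio-cells" lookup with fallback to a non-negative cell_count, and the init-time rejection of a NULL cells_name combined with a negative cell_count that the earlier of the two commits adds to of_phandle_iterator_init(). Empty (zero) phandles and real struct device_node lookups are left out of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a device tree node: its phandle plus the name and
 * value of its "#...-cells" property, if it carries one (cells_name NULL if not). */
struct dt_node {
    uint32_t phandle;
    const char *cells_name;
    int cells;
};

/* Constructed tree: the gpio_ctrl node from the commit text (#gpio-cells = <2>)
 * and a regulator node that has no cells property at all. */
static const struct dt_node nodes[] = { { 1, "#gpio-cells", 2 }, { 2, NULL, 0 } };

/* Constructed property values, one u32 per cell:
 * gpios = <&gpio_ctrl 5 0 &gpio_ctrl 3 0>;  and  supplies = <&reg &reg>; */
const uint32_t gpios_list[] = { 1, 5, 0, 1, 3, 0 };
const uint32_t reg_list[]   = { 2, 2 };

static const struct dt_node *find_node(uint32_t phandle)
{
    for (size_t i = 0; i < sizeof nodes / sizeof nodes[0]; i++)
        if (nodes[i].phandle == phandle)
            return &nodes[i];
    return NULL;
}

struct phandle_iter {
    const char *cells_name;      /* property to consult in the referenced node, or NULL */
    int cell_count;              /* fallback when it is absent; negative = no fallback */
    const uint32_t *cur, *end;
    const struct dt_node *node;  /* node referenced by the current entry */
    uint32_t args[4];            /* arguments of the current entry */
    int cur_count;               /* how many of args[] are valid */
};

/* The check the fix adds to of_phandle_iterator_init(): with no cells_name
 * there is no property to consult, so a negative fallback can never resolve. */
int phandle_iter_init(struct phandle_iter *it, const uint32_t *list, size_t n,
                      const char *cells_name, int cell_count)
{
    if (!cells_name && cell_count < 0)
        return -1;
    memset(it, 0, sizeof *it);
    it->cells_name = cells_name;
    it->cell_count = cell_count;
    it->cur = list;
    it->end = list + n;
    return 0;
}

/* Advance to the next reference: 1 = entry filled in, 0 = end of list, -1 = error. */
int phandle_iter_next(struct phandle_iter *it)
{
    int count;
    if (it->cur >= it->end)
        return 0;
    it->node = find_node(*it->cur++);
    if (!it->cells_name) {
        count = it->cell_count;            /* fixed argument count (0 for bare phandles) */
    } else if (!it->node) {
        return -1;                         /* dangling phandle: cells cannot be looked up */
    } else if (it->node->cells_name && !strcmp(it->node->cells_name, it->cells_name)) {
        count = it->node->cells;           /* property present: use it, as before */
    } else if (it->cell_count >= 0) {
        count = it->cell_count;            /* property absent: non-negative fallback */
    } else {
        return -1;                         /* property absent and no fallback: fail */
    }
    /* Never read arguments past the end of the property value. */
    if (count < 0 || count > 4 || it->end - it->cur < count)
        return -1;
    memcpy(it->args, it->cur, count * sizeof *it->cur);
    it->cur += count;
    it->cur_count = count;
    return 1;
}

/* of_count_phandle_with_args() analogue: number of references, or -1 on error. */
int count_phandles(const uint32_t *list, size_t n, const char *cells_name, int cell_count)
{
    struct phandle_iter it;
    int rc, found = 0;
    if (phandle_iter_init(&it, list, n, cells_name, cell_count) < 0)
        return -1;
    while ((rc = phandle_iter_next(&it)) == 1)
        found++;
    return rc < 0 ? -1 : found;
}
```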