Background:
When CPU is going to idle state, it would inform RCU that
current CPU is entering idle through rcu_idle_enter(),
and RCU will ignore read-side critical sections of this CPU.
However, there is CFI check mechanism inside idle flow and
calls rcu_read_lock(), so "rcu_read_lock() used illegally while idle"
in rcu_read_lock() will be triggered because rcu_idle_enter()
was already called before.
Beside, the pointer of rcu_dereference() might be invalid
due to the RCU read-side critical sections will be ignoring in
this going idle CPU, it might cause problems like:
access the wrong data/address, kernel exception...
Based on above description:
We will add __nocfi to cpuidle_enter_state to avoid
“rcu_read_lock() used illegally while idle!”
and avoid the usage of invalid pointer of rcu_dereference()
in this situation.
Bug: 169017431
Change-Id: I8bbe25704e18cfde351a8f4277dd4b44b07421f5
Signed-off-by: rogercl.yang <rogercl.yang@mediatek.com>
Signed-off-by: Chun-Hung Wu <chun-hung.wu@mediatek.com>
When CONFIG_CFI_CLANG and CONFIG_DYNAMIC_FTRACE are enabled, LLVM will
generate a jump function named ftrace_call.cfi_jt for ftrace_call, which
makes "&ftrace_call" in ftrace_update_ftrace_func() actually the address
of ftrace_call.cfi_jt. As a result, the tracer can't be really enabled
through runtime modification. Use __va_function() to get the actual address
of ftrace_call to fix the issue.
Bug: 184105181
Signed-off-by: Ben Dai <ben.dai@unisoc.com>
Change-Id: Ic9272cd4ab447b3b145d8e397e5c9010c49f7a12
With CFI, the compiler replaces function references with pointers
to the CFI jump table. This breaks passing these addresses to
code running at EL2, where the jump tables are not valid. Add a
__va_function macro similarly to the earlier __pa_function to take
address of the actual function in inline assembly and use that in
kvm_ksym_ref instead.
Bug: 163385976
Change-Id: I097b99409995512c00786300e7d18fe42c720a1b
(cherry picked from commit 2f4d6c9fd77c88ad0500aad4bf1f64aaf2654c49)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
The arm64 module region is a 128 MB region that is kept close to
the core kernel, in order to ensure that relative branches are
always in range. So using the same region for programs that do
not have this restriction is wasteful, and preferably avoided.
Now that the core BPF JIT code permits the alloc/free routines to
be overridden, implement them by vmalloc()/vfree() calls from a
dedicated 128 MB region set aside for BPF programs. This ensures
that BPF programs are still in branching range of each other, which
is something the JIT currently depends upon (and is not guaranteed
when using module_alloc() on KASLR kernels like we do currently).
It also ensures that placement of BPF programs does not correlate
with the placement of the core kernel or modules, making it less
likely that leaking the former will reveal the latter.
This also solves an issue under KASAN, where shadow memory is
needlessly allocated for all BPF programs (which don't require KASAN
shadow pages since they are not KASAN instrumented)
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
Change-Id: Id3a066651f282249e8825b7bcdf9a78e84c1f878
By default, BPF uses module_alloc() to allocate executable memory,
but this is not necessary on all arches and potentially undesirable
on some of them.
So break out the module_alloc() and module_memfree() calls into __weak
functions to allow them to be overridden in arch code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
Change-Id: I582794881942bc0b766515861f2232354860536b
The bpf helper bpf_trace_printk() uses trace_printk() under the hood.
This leads to an alarming warning message originating from trace
buffer allocation which occurs the first time a program using
bpf_trace_printk() is loaded.
We can instead create a trace event for bpf_trace_printk() and enable
it in-kernel when/if we encounter a program using the
bpf_trace_printk() helper. With this approach, trace_printk()
is not used directly and no warning message appears.
This work was started by Steven (see Link) and finished by Alan; added
Steven's Signed-off-by with his permission.
Change-Id: Ie1e4cf1dce934e62613440b5081cb757cdbe982c
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Andrii Nakryiko <andriin@fb.com>
Link: https://lore.kernel.org/r/20200628194334.6238b933@oasis.local.home
Link: https://lore.kernel.org/bpf/1594641154-18897-2-git-send-email-alan.maguire@oracle.com
trace_printk is recommended for debugging purpose as it
requires temporary memory to handle strings. If used
anywhere within the kernel, memory will be allocated to it.
Hence removed it to avoid any unnecessary memory allocation.
Change-Id: If7b0cada91c97b21987f91e0ff7b7a15ce2145e2
Signed-off-by: Faiz Nabi Kuchay <quic_fkuchay@quicinc.com>
Signed-off-by: Hridaya Prajapati <info.hridayaprajapati@gmail.com>
We want to build coresight drivers as builtin drivers. But
adreno-coresight.c in msm_adreno.ko calls coresight functions.
To avoid exporting new symbols in vmlinux and breaking the ABI, this
patch separates adreno-coresight.c into CONFIG_CORESIGHT_ADRENO.
CONFIG_CORESIGHT_ADRENO is only enabled when both coresight and adreno
are builtin drivers.
Bug: 167414982
Bug: 170753932
Signed-off-by: Yabin Cui <yabinc@google.com>
Change-Id: I7488293445ade738ba03cc457320e0d74f910886
Fix the possible OOB write in unpacking the country IE due to
the IE length check against integer division.
CRs-Fixed: 3910626
Change-Id: I800290ab7285fb46ed43a46ce38967046b4881fa
"LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0"
* tag 'LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel:
asoc: codec: avoid out of bound write to map array
asoc: codec: avoid out of bound write to map array
dsp: q6voice: Changing data type from %d to %ld
dsp: q6voice: Add buf size check for cvp cal data
Conflicts:
techpack/audio/asoc/codecs/wcd938x/wcd938x.c
Change-Id: I7d1385928f2945ca39e10a6d5a8b7cc497ea9d26
"LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0"
* tag 'LA.UM.9.15.2.r1-11100-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.19:
msm: eva: Copy back the validated size to avoid security issue
msm: adsprpc: Avoid double free on map
msm: npu: Fix use after free issue
msm: npu: Fix use after free issue
clk: qcom: lpasscc-scuba: Add Support for AON & AUDIO clock drivers
dt-bindings: clk: lpasscc-scuba: Add support for LPASS AONCC and AUDIOCC
msm: ipa: clean up netdev resources in AFTER_SHUTDOWN cb
Slimbus: slim-msm-ngd: Avoid accessing deallocated stack
Change-Id: I4eb6096f7140d127f8bf3d2c299550aec2720bc1
If extract_metadata() fails, it will free metadata in its own error
path, so it is safe to simply return the provided error value without
worrying about resource handling/releasing.
Moreover, if we simply return in extract_metadata()'s error path, we
can assume the thread of execution will only make it down into the
free_metadata: tag area sometime after extract_metadata()'s success,
in which case metadata will need to be freed without question.
Bug: 234030265
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I1bf42ff9ecef3eea26543526c6955d7823d45c43
if2fs_fill_super
-> f2fs_build_segment_manager
-> create_discard_cmd_control
-> f2fs_start_discard_thread
It invokes kthread_run to create a thread and run issue_discard_thread.
However, if f2fs_build_node_manager fails, the control flow goes to
free_nm and calls f2fs_destroy_node_manager. This function will free
sbi->nm_info. However, if issue_discard_thread accesses sbi->nm_info
after the deallocation, but before the f2fs_stop_discard_thread, it will
cause UAF(Use-after-free).
-> f2fs_destroy_segment_manager
-> destroy_discard_cmd_control
-> f2fs_stop_discard_thread
Fix this by stopping discard thread before f2fs_destroy_node_manager.
Note that, the commit d6d2b491a82e1 introduces the call of
f2fs_available_free_memory into issue_discard_thread.
Cc: stable@vger.kernel.org
Fixes: d6d2b491a82e ("f2fs: allow to change discard policy based on cached discard cmds")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 5429c9dbc9025f9a166f64e22e3a69c94fd5b29b)
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: If121b453455b11b2aded8ba8a3899faad431dbd3
Add proper check to validate table rule count
which may lead to overflow error.
Change-Id: Idfa86878db49ad4803f8902c995eb4186a2d3523
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream.
The usb_get_descriptor() function does DMA so we're not allowed
to use a stack buffer for that. Doing DMA to the stack is not portable
all architectures. Move the "new_device_descriptor" from being stored
on the stack and allocate it with kmalloc() instead.
Bug: 382243530
Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
Cc: stable@kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Benoît Sevens <bsevens@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4e54dc4bbc602133217de301d9f814f3e6d22eee)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I469212aa538584e3d8cc5b0087b68c99acf43f64
As we are reading the packet from a shared queue, there is a
possibility to corrupt the packet->size data of shared queue by
malicious FW after validating it in the kernel driver.
Change-Id: I3aae85dea560e2805e7bff2c48d4be763da597de
Signed-off-by: Gopireddy Arunteja Reddy <quic_garuntej@quicinc.com>
https://source.android.com/docs/security/bulletin/2025-01-01
* tag 'ASB-2025-01-05_4.19-stable' of https://android.googlesource.com/kernel/common: (132 commits)
Revert "UPSTREAM: unicode: Don't special case ignorable code points"
Reapply "UPSTREAM: unicode: Don't special case ignorable code points"
Revert "UPSTREAM: unicode: Don't special case ignorable code points"
Linux 4.19.325
sh: intc: Fix use-after-free bug in register_intc_controller()
modpost: remove incorrect code in do_eisa_entry()
9p/xen: fix release of IRQ
9p/xen: fix init sequence
block: return unsigned int from bdev_io_min
jffs2: fix use of uninitialized variable
ubi: fastmap: Fix duplicate slab cache names while attaching
ubifs: Correct the total block count by deducting journal reservation
rtc: check if __rtc_read_time was successful in rtc_timer_do_work()
NFSv4.0: Fix a use-after-free problem in the asynchronous open()
um: Fix the return value of elf_core_copy_task_fpregs
rpmsg: glink: Propagate TX failures in intentless mode as well
NFSD: Prevent a potential integer overflow
lib: string_helpers: silence snprintf() output truncation warning
usb: dwc3: gadget: Fix checking for number of TRBs left
media: wl128x: Fix atomicity violation in fmc_send_cmd()
...
Conflicts:
arch/arm64/boot/dts/vendor/bindings/clock/adi,axi-clkgen.yaml
arch/arm64/boot/dts/vendor/bindings/clock/axi-clkgen.txt
drivers/rpmsg/qcom_glink_native.c
Change-Id: Iea6ddf20dfaa4419f6e0b2efcee1890bfa8e2554
Decrement and check the ref count of map
inside the lock. Otherwise, two threads may
free the same map.
Change-Id: I081b937bfd3e8da3e2480f062cad6966662994b5
Acked-by: Sharad Kumar <sharku@qti.qualcomm.com>
Signed-off-by: Abhinav Parihar <quic_parihar@quicinc.com>
There is possibility that network will be used after free.
This change is to fix this issue.
Change-Id: I39aa81ddc4a7d1801b2f7157aa21f0051ff2d5a5
Signed-off-by: Gao Wang <quic_gaowang@quicinc.com>
(cherry picked from commit c29b693900)
There is possibility that network will be used after free.
This change is to fix this issue.
Change-Id: I39aa81ddc4a7d1801b2f7157aa21f0051ff2d5a5
Signed-off-by: Gao Wang <quic_gaowang@quicinc.com>
commit 3e6f8d1fa18457d54b20917bd9174d27daf09ab9 upstream.
Similar to
commit 231ad7f409f1 ("Makefile: infer --target from ARCH for CC=clang")
There really is no point in setting --target based on
$CROSS_COMPILE_COMPAT for clang when the integrated assembler is being
used, since
commit ef94340583ee ("arm64: vdso32: drop -no-integrated-as flag").
Allows COMPAT_VDSO to be selected without setting $CROSS_COMPILE_COMPAT
when using clang and lld together.
Before:
$ ARCH=arm64 CROSS_COMPILE_COMPAT=arm-linux-gnueabi- make -j72 LLVM=1 defconfig
$ grep CONFIG_COMPAT_VDSO .config
CONFIG_COMPAT_VDSO=y
$ ARCH=arm64 make -j72 LLVM=1 defconfig
$ grep CONFIG_COMPAT_VDSO .config
$
After:
$ ARCH=arm64 CROSS_COMPILE_COMPAT=arm-linux-gnueabi- make -j72 LLVM=1 defconfig
$ grep CONFIG_COMPAT_VDSO .config
CONFIG_COMPAT_VDSO=y
$ ARCH=arm64 make -j72 LLVM=1 defconfig
$ grep CONFIG_COMPAT_VDSO .config
CONFIG_COMPAT_VDSO=y
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Suggested-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Reviewed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Link: https://lore.kernel.org/r/20211019223646.1146945-5-ndesaulniers@google.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I91e4f7a6944819e9ec0dffc0f19da5436d62fec3
Before commit e42ee61017f5 ("of: Let of_for_each_phandle fallback to
non-negative cell_count") the iterator functions calling
of_for_each_phandle assumed a cell count of 0 if cells_name was NULL.
This corner case was missed when implementing the fallback logic in
e42ee61017f5 and resulted in an endless loop.
Restore the old behaviour of of_count_phandle_with_args() and
of_parse_phandle_with_args() and add a check to
of_phandle_iterator_init() to prevent a similar failure as a safety
precaution. of_parse_phandle_with_args_map() doesn't need a similar fix
as cells_name isn't NULL there.
Affected drivers are:
- drivers/base/power/domain.c
- drivers/base/power/domain.c
- drivers/clk/ti/clk-dra7-atl.c
- drivers/hwmon/ibmpowernv.c
- drivers/i2c/muxes/i2c-demux-pinctrl.c
- drivers/iommu/mtk_iommu.c
- drivers/net/ethernet/freescale/fman/mac.c
- drivers/opp/of.c
- drivers/perf/arm_dsu_pmu.c
- drivers/regulator/of_regulator.c
- drivers/remoteproc/imx_rproc.c
- drivers/soc/rockchip/pm_domains.c
- sound/soc/fsl/imx-audmix.c
- sound/soc/fsl/imx-audmix.c
- sound/soc/meson/axg-card.c
- sound/soc/samsung/tm2_wm5110.c
- sound/soc/samsung/tm2_wm5110.c
Thanks to Geert Uytterhoeven for reporting the issue, Peter Rosin for
helping pinpoint the actual problem and the testers for confirming this
fix.
Fixes: e42ee61017f5 ("of: Let of_for_each_phandle fallback to non-negative cell_count")
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Change-Id: I684efc01df23ea32c578c1da4f8ea6fcf6f03ced
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Rob Herring <robh@kernel.org>
Referencing device tree nodes from a property allows to pass arguments.
This is for example used for referencing gpios. This looks as follows:
gpio_ctrl: gpio-controller {
#gpio-cells = <2>
...
}
someothernode {
gpios = <&gpio_ctrl 5 0 &gpio_ctrl 3 0>;
...
}
To know the number of arguments this must be either fixed, or the
referenced node is checked for a $cells_name (here: "#gpio-cells")
property and with this information the start of the second reference can
be determined.
Currently regulators are referenced with no additional arguments. To
allow some optional arguments without having to change all referenced
nodes this change introduces a way to specify a default cell_count. So
when a phandle is parsed we check for the $cells_name property and use
it as before if present. If it is not present we fall back to
cells_count if non-negative and only fail if cells_count is smaller than
zero.
Change-Id: Ic7a6a5e667d46847becb2a9593a00ba6db49fc98
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Rob Herring <robh@kernel.org>
https://source.android.com/docs/security/bulletin/2024-12-01
* tag 'ASB-2024-12-05_4.19-stable' of https://android.googlesource.com/kernel/common: (401 commits)
Linux 4.19.324
9p: fix slab cache name creation for real
net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition
fs: Fix uninitialized value issue in from_kuid and from_kgid
powerpc/powernv: Free name on error in opal_event_init()
sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML
bpf: use kvzmalloc to allocate BPF verifier environment
HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad
9p: Avoid creating multiple slab caches with the same name
ALSA: usb-audio: Add endianness annotations
vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
ALSA: usb-audio: Add quirks for Dell WD19 dock
ALSA: usb-audio: Support jack detection on Dell dock
ALSA: usb-audio: Add custom mixer status quirks for RME CC devices
ALSA: pcm: Return 0 when size < start_threshold in capture
ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
irqchip/gic-v3: Force propagation of the active state with a read-back
USB: serial: option: add Quectel RG650V
USB: serial: option: add Fibocom FG132 0x0112 composition
...
Conflicts:
drivers/usb/dwc3/core.c
drivers/usb/dwc3/core.h
net/qrtr/qrtr.c
Change-Id: I328847813eb875d25c4aa35dcc7ba58ad09b53ae
Add Support for LPASS AON and AUDIO Clock Controller drivers for Audio
clients to be able to control clocks.
Change-Id: I830f00c8342f70479f0e8aff2051966d128e64e2
Signed-off-by: Smeet Raj <quic_smeeraj@quicinc.com>
This reverts commit 62bbb08add179b68e2ce0ede59f3c4b37d6c92a8.
Reason for revert: b/382800956
Bug: 382800956
Change-Id: Ic7a0cdbb060c12c1628a5859d795e78cd6b9341d
Signed-off-by: Todd Kjos <tkjos@google.com>
(cherry picked from commit c376628415656f16d398aad95c218a06805038bd)
Signed-off-by: Lee Jones <joneslee@google.com>
This reverts commit e1ba90026d98e53f5736131f3363424e83315f00.
Reapplying only to re-revert with the correct Change-Id
Bug: 382800956
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: Icdd08040f04ed7e85d31b7f8551ee2ef1d0b95b0
Add bindings for LPASS AON, AUDIO clock controllers on scuba platform
for clients to be able to request for clocks from these clock controllers.
Change-Id: I5d09794c3bfdc1f1874b2edfadfac60863b44b81
Signed-off-by: Smeet Raj <quic_smeeraj@quicinc.com>
Changes in 4.19.325
netlink: terminate outstanding dump on socket close
ocfs2: uncache inode which has failed entering the group
nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint
ocfs2: fix UBSAN warning in ocfs2_verify_volume()
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"
media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set
kbuild: Use uname for LINUX_COMPILE_HOST detection
mm: revert "mm: shmem: fix data-race in shmem_getattr()"
ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet
mac80211: fix user-power when emulating chanctx
selftests/watchdog-test: Fix system accidentally reset after watchdog-test
x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB
net: usb: qmi_wwan: add Quectel RG650V
proc/softirqs: replace seq_printf with seq_put_decimal_ull_width
nvme: fix metadata handling in nvme-passthrough
initramfs: avoid filename buffer overrun
m68k: mvme147: Fix SCSI controller IRQ numbers
m68k: mvme16x: Add and use "mvme16x.h"
m68k: mvme147: Reinstate early console
acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block()
s390/syscalls: Avoid creation of arch/arch/ directory
hfsplus: don't query the device logical block size multiple times
EDAC/fsl_ddr: Fix bad bit shift operations
crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY
crypto: cavium - Fix the if condition to exit loop after timeout
crypto: bcm - add error check in the ahash_hmac_init function
crypto: cavium - Fix an error handling path in cpt_ucode_load_fw()
time: Fix references to _msecs_to_jiffies() handling of values
soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()
mmc: mmc_spi: drop buggy snprintf()
ARM: dts: cubieboard4: Fix DCDC5 regulator constraints
regmap: irq: Set lockdep class for hierarchical IRQ domains
firmware: arm_scpi: Check the DVFS OPP count returned by the firmware
drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused
wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
drm/omap: Fix locking in omap_gem_new_dmabuf()
bpf: Fix the xdp_adjust_tail sample prog issue
wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()
drm/etnaviv: consolidate hardware fence handling in etnaviv_gpu
drm/etnaviv: dump: fix sparse warnings
drm/etnaviv: fix power register offset on GC300
drm/etnaviv: hold GPU lock across perfmon sampling
net: rfkill: gpio: Add check for clk_enable()
ALSA: us122l: Use snd_card_free_when_closed() at disconnection
ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
ALSA: 6fire: Release resources at card release
netpoll: Use rcu_access_pointer() in netpoll_poll_lock
trace/trace_event_perf: remove duplicate samples on the first tracepoint event
powerpc/vdso: Flag VDSO64 entry points as functions
mfd: da9052-spi: Change read-mask to write-mask
cpufreq: loongson2: Unregister platform_driver on failure
mtd: rawnand: atmel: Fix possible memory leak
RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey
mfd: rt5033: Fix missing regmap_del_irq_chip()
scsi: bfa: Fix use-after-free in bfad_im_module_exit()
scsi: fusion: Remove unused variable 'rc'
scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()
ocfs2: fix uninitialized value in ocfs2_file_read_iter()
powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static
fbdev/sh7760fb: Alloc DMA memory from hardware device
fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()
dt-bindings: clock: adi,axi-clkgen: convert old binding to yaml format
dt-bindings: clock: axi-clkgen: include AXI clk
clk: axi-clkgen: use devm_platform_ioremap_resource() short-hand
clk: clk-axi-clkgen: make sure to enable the AXI bus clock
perf probe: Correct demangled symbols in C++ program
PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads
PCI: cpqphp: Fix PCIBIOS_* return value confusion
m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x
m68k: coldfire/device.c: only build FEC when HW macros are defined
rpmsg: glink: Add TX_DATA_CONT command while sending
rpmsg: glink: Send READ_NOTIFY command in FIFO full case
rpmsg: glink: Fix GLINK command prefix
rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length
NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir()
vfio/pci: Properly hide first-in-list PCIe extended capability
power: supply: core: Remove might_sleep() from power_supply_put()
net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device
tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets
net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration
marvell: pxa168_eth: fix call balance of pep->clk handling routines
net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken
usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read()
USB: chaoskey: fail open after removal
USB: chaoskey: Fix possible deadlock chaoskey_list_lock
misc: apds990x: Fix missing pm_runtime_disable()
apparmor: fix 'Do simple duplicate message elimination'
usb: ehci-spear: fix call balance of sehci clk handling routines
ext4: supress data-race warnings in ext4_free_inodes_{count,set}()
ext4: fix FS_IOC_GETFSMAP handling
jfs: xattr: check invalid xattr size more strictly
ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata()
PCI: Fix use-after-free of slot->bus on hot remove
tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler
Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}()
ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices
Revert "usb: gadget: composite: fix OS descriptors w_value logic"
serial: sh-sci: Clean sci_ports[0] after at earlycon exit
Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit"
netfilter: ipset: add missing range check in bitmap_ip_uadt
spi: Fix acpi deferred irq probe
ubi: wl: Put source PEB into correct list if trying locking LEB failed
um: ubd: Do not use drvdata in release
um: net: Do not use drvdata in release
serial: 8250: omap: Move pm_runtime_get_sync
um: vector: Do not use drvdata in release
sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled
block: fix ordering between checking BLK_MQ_S_STOPPED request adding
HID: wacom: Interpret tilt data from Intuos Pro BT as signed values
media: wl128x: Fix atomicity violation in fmc_send_cmd()
usb: dwc3: gadget: Fix checking for number of TRBs left
lib: string_helpers: silence snprintf() output truncation warning
NFSD: Prevent a potential integer overflow
rpmsg: glink: Propagate TX failures in intentless mode as well
um: Fix the return value of elf_core_copy_task_fpregs
NFSv4.0: Fix a use-after-free problem in the asynchronous open()
rtc: check if __rtc_read_time was successful in rtc_timer_do_work()
ubifs: Correct the total block count by deducting journal reservation
ubi: fastmap: Fix duplicate slab cache names while attaching
jffs2: fix use of uninitialized variable
block: return unsigned int from bdev_io_min
9p/xen: fix init sequence
9p/xen: fix release of IRQ
modpost: remove incorrect code in do_eisa_entry()
sh: intc: Fix use-after-free bug in register_intc_controller()
Linux 4.19.325
Change-Id: I50250c8bd11f9ff4b40da75225c1cfb060e0c258
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 63e72e551942642c48456a4134975136cdcb9b3c ]
In the error handling for this function, d is freed without ever
removing it from intc_list which would lead to a use after free.
To fix this, let's only add it to the list after everything has
succeeded.
Fixes: 2dcec7a988 ("sh: intc: set_irq_wake() support")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0c3e091319e4748cb36ac9a50848903dc6f54054 ]
This function contains multiple bugs after the following commits:
- ac55182899 ("modpost: i2c aliases need no trailing wildcard")
- 6543becf26 ("mod/file2alias: make modalias generation safe for cross compiling")
Commit ac55182899 inserted the following code to do_eisa_entry():
else
strcat(alias, "*");
This is incorrect because 'alias' is uninitialized. If it is not
NULL-terminated, strcat() could cause a buffer overrun.
Even if 'alias' happens to be zero-filled, it would output:
MODULE_ALIAS("*");
This would match anything. As a result, the module could be loaded by
any unrelated uevent from an unrelated subsystem.
Commit ac55182899 introduced another bug.
Prior to that commit, the conditional check was:
if (eisa->sig[0])
This checked if the first character of eisa_device_id::sig was not '\0'.
However, commit ac55182899 changed it as follows:
if (sig[0])
sig[0] is NOT the first character of the eisa_device_id::sig. The
type of 'sig' is 'char (*)[8]', meaning that the type of 'sig[0]' is
'char [8]' instead of 'char'. 'sig[0]' and 'symval' refer to the same
address, which never becomes NULL.
The correct conversion would have been:
if ((*sig)[0])
However, this if-conditional was meaningless because the earlier change
in commit ac551828993e was incorrect.
This commit removes the entire incorrect code, which should never have
been executed.
Fixes: ac55182899 ("modpost: i2c aliases need no trailing wildcard")
Fixes: 6543becf26 ("mod/file2alias: make modalias generation safe for cross compiling")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 7ef3ae82a6ebbf4750967d1ce43bcdb7e44ff74b ]
Large amount of mount hangs observed during hotplugging of 9pfs devices. The
9pfs Xen driver attempts to initialize itself more than once, causing the
frontend and backend to disagree: the backend listens on a channel that the
frontend does not send on, resulting in stalled processing.
Only allow initialization of 9p frontend once.
Fixes: c15fe55d14b3b ("9p/xen: fix connection sequence")
Signed-off-by: Alex Zenla <alex@edera.dev>
Signed-off-by: Alexander Merritt <alexander@edera.dev>
Signed-off-by: Ariadne Conill <ariadne@ariadne.space>
Reviewed-by: Juergen Gross <jgross@suse.com>
Message-ID: <20241119211633.38321-1-alexander@edera.dev>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
