vic
28982 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
ef6a2da12b |
ANDROID: Update CFI patchset from android11-5.4
Change-Id: Iff956ce7c2b89d3a442b0b81deba0da323f5d18b
Signed-off-by: Alexander Winkowski <dereference23@outlook.com>
|
||
|
|
27ea10302f |
bpf: add __weak hook for allocating executable memory
By default, BPF uses module_alloc() to allocate executable memory, but this is not necessary on all arches and potentially undesirable on some of them.
So break out the module_alloc() and module_memfree() calls into __weak functions to allow them to be overridden in arch code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
Change-Id: I582794881942bc0b766515861f2232354860536b
|
||
|
|
879c3c8219 |
Merge branch 'linux-4.14.y' of github.com:openela/kernel-lts into android-msm-pixel-4.14
* 'linux-4.14.y' of github.com:openela/kernel-lts: (342 commits)
LTS: Update to 4.14.355
Revert "parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367"
netns: restore ops before calling ops_exit_list
cx82310_eth: fix error return code in cx82310_bind()
rtmutex: Drop rt_mutex::wait_lock before scheduling
locking/rtmutex: Handle non enqueued waiters gracefully in remove_waiter()
drm/i915/fence: Mark debug_fence_free() with __maybe_unused
ACPI: processor: Fix memory leaks in error paths of processor_add()
ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add()
netns: add pre_exit method to struct pernet_operations
net: Add comment about pernet_operations methods and synchronization
nilfs2: protect references to superblock parameters exposed in sysfs
nilfs2: replace snprintf in show functions with sysfs_emit
nilfs2: use time64_t internally
tracing: Avoid possible softlockup in tracing_iter_reset()
ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance()
uprobes: Use kzalloc to allocate xol area
clocksource/drivers/imx-tpm: Fix next event not taking effect sometime
clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX
VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
...
Conflicts:
drivers/mmc/core/mmc_test.c
drivers/net/usb/usbnet.c
fs/f2fs/inode.c
fs/f2fs/namei.c
include/linux/overflow.h
Change-Id: Icfff2ec3039c2ce40ed7a9c1d9a6a99269ff4c83
|
||
|
|
11ae525157 |
rtmutex: Drop rt_mutex::wait_lock before scheduling
commit d33d26036a0274b472299d7dcdaa5fb34329f91b upstream.
rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the
good case it returns with the lock held and in the deadlock case it emits a
warning and goes into an endless scheduling loop with the lock held, which
triggers the 'scheduling in atomic' warning.
Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning
and dropping into the schedule for ever loop.
[ tglx: Moved unlock before the WARN(), removed the pointless comment,
massaged changelog, added Fixes tag ]
Fixes:
|
||
|
|
5635c800bb |
locking/rtmutex: Handle non enqueued waiters gracefully in remove_waiter()
In -RT task_blocks_on_rt_mutex() may return with -EAGAIN due to (->pi_blocked_on == PI_WAKEUP_INPROGRESS) before it added itself as a waiter. In such a case remove_waiter() must not be called because without a waiter it will trigger the BUG_ON() statement.
This was initially reported by Yimin Deng. Thomas Gleixner fixed it then with an explicit check for waiters before calling remove_waiter().
Instead of an explicit NULL check before calling rt_mutex_top_waiter() make the function return NULL if there are no waiters. With that fixed the now pointless NULL check is removed from rt_mutex_slowlock().
Reported-and-debugged-by: Yimin Deng <yimin11.deng@gmail.com>
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/CAAh1qt=DCL9aUXNxanP5BKtiPp3m+qj4yB+gDohhXPVFCxWwzg@mail.gmail.com
Link: https://lkml.kernel.org/r/20180327121438.sss7hxg3crqy4ecd@linutronix.de
(cherry picked from commit c28d62cf52d791ba5f6db7ce525ed06b86291c82)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
fdfd1ef491 |
tracing: Avoid possible softlockup in tracing_iter_reset()
[ Upstream commit 49aa8a1f4d6800721c7971ed383078257f12e8f9 ]
In __tracing_open(), when max latency tracers took place on the cpu,
the time start of its buffer would be updated, then event entries with
timestamps being earlier than start of the buffer would be skipped
(see tracing_iter_reset()).
Softlockup will occur if the kernel is non-preemptible and too many
entries were skipped in the loop that reset every cpu buffer, so add
cond_resched() to avoid it.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
|
ae2112e6a0 |
ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance()
[ Upstream commit bc1a72afdc4a91844928831cac85731566e03bc6 ]
When the ring buffer was first created, the iterator followed the normal producer/consumer operations where it had both a peek() operation, that just returned the event at the current location, and a read(), that would return the event at the current location and also increment the iterator such that the next peek() or read() will return the next event.
The only use of the ring_buffer_read() is currently to move the iterator to the next location and nothing now actually reads the event it returns. Rename this function to its actual use case to ring_buffer_iter_advance(), which also adds the "iter" part to the name, which is more meaningful.
As the timestamp returned by ring_buffer_read() was never used, there's no reason that this new version should bother having returning it. It will also become a void function.
Link: http://lkml.kernel.org/r/20200317213416.018928618@goodmis.org
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Stable-dep-of: 49aa8a1f4d68 ("tracing: Avoid possible softlockup in tracing_iter_reset()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit ac8ffa21dde0c1edcd9dd98b5555a0aa4eea3b1f)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
967a7ce0d7 |
uprobes: Use kzalloc to allocate xol area
commit e240b0fde52f33670d1336697c22d90a4fe33c84 upstream.
To prevent uninitialized members, use kzalloc to allocate
the xol area.
Fixes:
|
||
|
|
86ed63497a |
smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
[ Upstream commit 77aeb1b685f9db73d276bad4bb30d48505a6fd23 ]
For CONFIG_DEBUG_OBJECTS_WORK=y kernels sscs.work defined by INIT_WORK_ONSTACK() is initialized by debug_object_init_on_stack() for the debug check in __init_work() to work correctly.
But this lacks the counterpart to remove the tracked object from debug objects again, which will cause a debug object warning once the stack is freed.
Add the missing destroy_work_on_stack() invocation to cure that.
[ tglx: Massaged changelog ]
Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Paul E. McKenney <paulmck@kernel.org>
Link: https://lore.kernel.org/r/20240704065213.13559-1-qiang.zhang1211@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 2d6a7a1ee3862d129c0e0fbd3cc147e185a379dc)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
9d86ad7186 |
cgroup: Protect css->cgroup write under css_set_lock
[ Upstream commit 57b56d16800e8961278ecff0dc755d46c4575092 ]
The writing of css->cgroup associated with the cgroup root in rebind_subsystems() is currently protected only by cgroup_mutex. However, the reading of css->cgroup in both proc_cpuset_show() and proc_cgroup_show() is protected just by css_set_lock. That makes the readers susceptible to racing problems like data tearing or caching. It is also a problem that can be reported by KCSAN.
This can be fixed by using READ_ONCE() and WRITE_ONCE() to access css->cgroup. Alternatively, the writing of css->cgroup can be moved under css_set_lock as well which is done by this patch.
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 6760357063f593a17613e015aed2051cfd4197c6)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
38d216ce7a |
printk: Export is_console_locked
This is a preparation patch for adding a number of WARN_CONSOLE_UNLOCKED() calls to the fbcon code, which may be built as a module (even though usually it is not).
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Acked-by: Petr Mladek <pmladek@suse.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
(cherry picked from commit d48de54a9dab5370edd2e991f78cc7996cf5483e)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
4284ad6ee1 |
cgroup/cpuset: Prevent UAF in proc_cpuset_show()
commit 1be59c97c83ccd67a519d8a49486b3a8a73ca28a upstream.
An UAF can happen when /proc/cpuset is read as reported in [1].
This can be reproduced by the following methods:
1. Add an mdelay(1000) before acquiring the cgroup_lock in the
cgroup_path_ns function.
2. $cat /proc/<pid>/cpuset repeatedly.
3. $mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/
$umount /sys/fs/cgroup/cpuset/ repeatedly.
The race that causes this bug can be shown as below:
(umount) | (cat /proc/<pid>/cpuset)
css_release | proc_cpuset_show
css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id);
css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...);
cgroup_destroy_root | mutex_lock(&cgroup_mutex);
rebind_subsystems |
cgroup_free_root |
| // cgrp was freed, UAF
| cgroup_path_ns_locked(cgrp,..);
When the cpuset is initialized, the root node top_cpuset.css.cgrp
will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will
allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated
&cgroup_root.cgrp. When the umount operation is executed,
top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.
The problem is that when rebinding to cgrp_dfl_root, there are cases
where the cgroup_root allocated by setting up the root for cgroup v1
is cached. This could lead to a Use-After-Free (UAF) if it is
subsequently freed. The descendant cgroups of cgroup v1 can only be
freed after the css is released. However, the css of the root will never
be released, yet the cgroup_root should be freed when it is unmounted.
This means that obtaining a reference to the css of the root does
not guarantee that css.cgrp->root will not be freed.
Fix this problem by using rcu_read_lock in proc_cpuset_show().
As cgroup_root is kfree_rcu after commit d23b5c577715
("cgroup: Make operations on the cgroup root_list RCU safe"),
css->cgroup won't be freed during the critical section.
To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to
replace task_get_css with task_css.
[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd
Fixes:
|
||
|
|
b02d82c6ed |
hrtimer: Prevent queuing of hrtimer without a function callback
[ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ]
The hrtimer function callback must not be NULL. It has to be specified by the call side but it is not validated by the hrtimer code. When a hrtimer is queued without a function callback, the kernel crashes with a null pointer dereference when trying to execute the callback in __run_hrtimer().
Introduce a validation before queuing the hrtimer in hrtimer_start_range_ns().
[anna-maria: Rephrase commit message]
Signed-off-by: Phil Chang <phil.chang@mediatek.com>
Signed-off-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit ccef3adcb84816a30b8e535c8c4fcb167904e7b1)
[Vegard: fix conflicts in context due to missing commit 138a6b7ae4dedde5513678f57b275eee19c41b6a ("hrtimer: Factor out __hrtimer_start_range_ns()").]
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
b28271a442 |
tracing: Fix overflow in get_free_elt()
commit bcf86c01ca4676316557dd482c8416ece8c2e143 upstream.
"tracing_map->next_elt" in get_free_elt() is at risk of overflowing.
Once it overflows, new elements can still be inserted into the tracing_map
even though the maximum number of elements (`max_elts`) has been reached.
Continuing to insert elements after the overflow could result in the
tracing_map containing "tracing_map->max_size" elements, leaving no empty
entries.
If any attempt is made to insert an element into a full tracing_map using
`__tracing_map_insert()`, it will cause an infinite loop with preemption
disabled, leading to a CPU hang problem.
Fix this by preventing any further increments to "tracing_map->next_elt"
once it reaches "tracing_map->max_elt".
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Fixes:
|
||
|
|
53390d85b1 |
ntp: Safeguard against time_constant overflow
commit 06c03c8edce333b9ad9c6b207d93d3a5ae7c10c0 upstream.
Using syzkaller with the recently reintroduced signed integer overflow sanitizer produces this UBSAN report:
UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:738:18
9223372036854775806 + 4 cannot be represented in type 'long'
Call Trace:
handle_overflow+0x171/0x1b0
__do_adjtimex+0x1236/0x1440
do_adjtimex+0x2be/0x740
The user supplied time_constant value is incremented by four and then clamped to the operating range.
Before commit
|
||
|
|
07f7f40df9 |
ntp: Clamp maxerror and esterror to operating range
[ Upstream commit 87d571d6fb77ec342a985afa8744bb9bb75b3622 ]
Using syzkaller alongside the newly reintroduced signed integer overflow sanitizer spits out this report:
UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16
9223372036854775807 + 500 cannot be represented in type 'long'
Call Trace:
handle_overflow+0x171/0x1b0
second_overflow+0x2d6/0x500
accumulate_nsecs_to_secs+0x60/0x160
timekeeping_advance+0x1fe/0x890
update_wall_time+0x10/0x30
time_maxerror is unconditionally incremented and the result is checked against NTP_PHASE_LIMIT, but the increment itself can overflow, resulting in wrap-around to negative space.
Before commit
|
||
|
|
6fad54cc7a |
tick/broadcast: Move per CPU pointer access into the atomic section
commit 6881e75237a84093d0986f56223db3724619f26e upstream.
The recent fix for making the take over of the broadcast timer more
reliable retrieves a per CPU pointer in preemptible context.
This went unnoticed as compilers hoist the access into the non-preemptible
region where the pointer is actually used. But of course it's valid that
the compiler keeps it at the place where the code puts it which rightfully
triggers:
BUG: using smp_processor_id() in preemptible [00000000] code:
caller is hotplug_cpu__broadcast_tick_pull+0x1c/0xc0
Move it to the actual usage site which is in a non-preemptible region.
Fixes: f7d43dd206e7 ("tick/broadcast: Make takeover of broadcast hrtimer reliable")
Reported-by: David Wang <00107082@163.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Yu Liao <liaoyu15@huawei.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/87ttg56ers.ffs@tglx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f54abf332a2bc0413cfa8bd6a8511f7aa99faea0)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
4925aa995a |
kdb: Use the passed prompt in kdb_position_cursor()
[ Upstream commit e2e821095949cde46256034975a90f88626a2a73 ]
The function kdb_position_cursor() takes in a "prompt" parameter but
never uses it. This doesn't _really_ matter since all current callers
of the function pass the same value and it's a global variable, but
it's a bit ugly. Let's clean it up.
Found by code inspection. This patch is expected to functionally be a
no-op.
Fixes: 09b35989421d ("kdb: Use format-strings rather than '\0' injection in kdb_read()")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20240528071144.1.I0feb49839c6b6f4f2c4bf34764f5e95de3f55a66@changeid
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 90f2409c1d552f27a2b2bf8dc598d147c4173128)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
fbcf6bbfac |
kdb: address -Wformat-security warnings
[ Upstream commit 70867efacf4370b6c7cdfc7a5b11300e9ef7de64 ]
When -Wformat-security is not disabled, using a string pointer
as a format causes a warning:
kernel/debug/kdb/kdb_io.c: In function 'kdb_read':
kernel/debug/kdb/kdb_io.c:365:36: error: format not a string literal and no format arguments [-Werror=format-security]
365 | kdb_printf(kdb_prompt_str);
| ^~~~~~~~~~~~~~
kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr':
kernel/debug/kdb/kdb_io.c:456:20: error: format not a string literal and no format arguments [-Werror=format-security]
456 | kdb_printf(kdb_prompt_str);
| ^~~~~~~~~~~~~~
Use an explicit "%s" format instead.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes:
|
||
|
|
2527458f09 |
kdb: Fix bound check compiler warning
[ Upstream commit ca976bfb3154c7bc67c4651ecd144fdf67ccaee7 ]
The strncpy() function may leave the destination string buffer unterminated, better use strscpy() instead.
This fixes the following warning with gcc 8.2:
kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr':
kernel/debug/kdb/kdb_io.c:449:3: warning: 'strncpy' specified bound 256 equals destination size [-Wstringop-truncation]
strncpy(kdb_prompt_str, prompt, CMD_BUFLEN);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Stable-dep-of: 70867efacf43 ("kdb: address -Wformat-security warnings")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit b15593e2904d2ff0094b7170f806dba0eeefac75)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
dbffea43e8 |
watchdog/perf: properly initialize the turbo mode timestamp and rearm counter
commit f944ffcbc2e1c759764850261670586ddf3bdabb upstream.
For systems on which the performance counter can expire early due to turbo
modes the watchdog handler has a safety net in place which validates that
since the last watchdog event there has at least 4/5th of the watchdog
period elapsed.
This works reliably only after the first watchdog event because the per
CPU variable which holds the timestamp of the last event is never
initialized.
So a first spurious event will validate against a timestamp of 0 which
results in a delta which is likely to be way over the 4/5 threshold of the
period. As this might happen before the first watchdog hrtimer event
increments the watchdog counter, this can lead to false positives.
Fix this by initializing the timestamp before enabling the hardware event.
Reset the rearm counter as well, as that might be non zero after the
watchdog was disabled and reenabled.
Link: https://lkml.kernel.org/r/87frsfu15a.ffs@tglx
Fixes:
|
||
|
|
3065612975 |
tick/broadcast: Make takeover of broadcast hrtimer reliable
commit f7d43dd206e7e18c182f200e67a8db8c209907fa upstream.
Running the LTP hotplug stress test on a aarch64 machine results in
rcu_sched stall warnings when the broadcast hrtimer was owned by the
un-plugged CPU. The issue is the following:
CPU1 (owns the broadcast hrtimer)   CPU2
                                    tick_broadcast_enter()
                                      // shutdown local timer device
                                      broadcast_shutdown_local()
                                    ...
                                    tick_broadcast_exit()
                                      clockevents_switch_state(dev, CLOCK_EVT_STATE_ONESHOT)
                                      // timer device is not programmed
                                      cpumask_set_cpu(cpu, tick_broadcast_force_mask)
                                    initiates offlining of CPU1
take_cpu_down()
/*
 * CPU1 shuts down and does not
 * send broadcast IPI anymore
 */
                                    takedown_cpu()
                                      hotplug_cpu__broadcast_tick_pull()
                                        // move broadcast hrtimer to this CPU
                                        clockevents_program_event()
                                          bc_set_next()
                                            hrtimer_start()
                                            /*
                                             * timer device is not programmed
                                             * because only the first expiring
                                             * timer will trigger clockevent
                                             * device reprogramming
                                             */
What happens is that CPU2 exits broadcast mode with force bit set, then the
local timer device is not reprogrammed and CPU2 expects to receive the
expired event by the broadcast IPI. But this does not happen because CPU1
is offlined by CPU2. CPU switches the clockevent device to ONESHOT state,
but does not reprogram the device.
The subsequent reprogramming of the hrtimer broadcast device does not
program the clockevent device of CPU2 either because the pending expiry
time is already in the past and the CPU expects the event to be delivered.
As a consequence all CPUs which wait for a broadcast event to be delivered
are stuck forever.
Fix this issue by reprogramming the local timer device if the broadcast
force bit of the CPU is set so that the broadcast hrtimer is delivered.
[ tglx: Massage comment and change log. Add Fixes tag ]
Fixes:
|
||
|
|
26864f03cc |
perf: Prevent passing zero nr_pages to rb_alloc_aux()
[ Upstream commit dbc48c8f41c208082cfa95e973560134489e3309 ]
nr_pages is unsigned long but gets passed to rb_alloc_aux() as an int,
and is stored as an int.
Only power-of-2 values are accepted, so if nr_pages is a 64_bit value, it
will be passed to rb_alloc_aux() as zero.
That is not ideal because:
1. the value is incorrect
2. rb_alloc_aux() is at risk of misbehaving, although it manages to
return -ENOMEM in that case, it is a result of passing zero to get_order()
even though the get_order() result is documented to be undefined in that
case.
Fix by simply validating the maximum supported value in the first place.
Use -ENOMEM error code for consistency with the current error code that
is returned in that case.
Fixes:
|
||
|
|
6f7bc617b3 |
perf: Fix perf_aux_size() for greater-than 32-bit size
[ Upstream commit 3df94a5b1078dfe2b0c03f027d018800faf44c82 ]
perf_buffer->aux_nr_pages uses a 32-bit type, so a cast is needed to
calculate a 64-bit size.
Fixes:
|
||
|
|
868d400d41 |
Merge branch 'linux-4.14.y' of github.com:openela/kernel-lts into android-msm-pixel-4.14
* 'linux-4.14.y' of github.com:openela/kernel-lts: (90 commits)
LTS: Update to 4.14.352
filelock: Fix fcntl/close race recovery compat path
jfs: don't walk off the end of ealist
ocfs2: add bounds checking to ocfs2_check_dir_entry()
net: relax socket state check at accept time.
ACPI: processor_idle: Fix invalid comparison with insertion sort for latency
ARM: 9324/1: fix get_user() broken with veneer
filelock: Remove locks reliably when fcntl/close race is detected
hfsplus: fix uninit-value in copy_name
selftests/vDSO: fix clang build errors and warnings
spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices
fs: better handle deep ancestor chains in is_subdir()
Bluetooth: hci_core: cancel all works upon hci_unregister_dev()
net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()
net: usb: qmi_wwan: add Telit FN912 compositions
ALSA: dmaengine_pcm: terminate dmaengine before synchronize
s390/sclp: Fix sclp_init() cleanup on failure
Input: elantech - fix touchpad state on resume for Lenovo N24
wifi: cfg80211: wext: add extra SIOCSIWSCAN data check
mei: demote client disconnect warning on suspend to debug
...
Conflicts:
arch/arm/include/asm/uaccess.h
Change-Id: I102ef6a6b70c7a09e953ca8ed5d44d87952ee5d8
|
||
|
|
3409634195 |
mm: optimize the redundant loop of mm_update_owner_next()
commit cf3f9a593dab87a032d2b6a6fb205e7f3de4f0a1 upstream.
When mm_update_owner_next() is racing with swapoff (try_to_unuse()) or /proc or ptrace or page migration (get_task_mm()), it is impossible to find an appropriate task_struct in the loop whose mm_struct is the same as the target mm_struct.
If the above race condition is combined with the stress-ng-zombie and stress-ng-dup tests, such a long loop can easily cause a Hard Lockup in write_lock_irq() for tasklist_lock.
Recognize this situation in advance and exit early.
Link: https://lkml.kernel.org/r/20240620122123.3877432-1-alexjlzheng@tencent.com
Signed-off-by: Jinliang Zheng <alexjlzheng@tencent.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Mateusz Guzik <mjguzik@gmail.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Tycho Andersen <tandersen@netflix.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2890a7faf552dd3e4e40e343610ba3e0ba5b788e)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
a3f7e6e9e2 |
Merge branch 'linux-4.14.y' of github.com:openela/kernel-lts into android-msm-pixel-4.14
* 'linux-4.14.y' of github.com:openela/kernel-lts:
LTS: Update to 4.14.350
SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
arm64: dts: rockchip: Add sound-dai-cells for RK3368
tcp: Fix data races around icsk->icsk_af_ops.
ipv6: Fix data races around sk->sk_prot.
ipv6: annotate some data-races around sk->sk_prot
pwm: stm32: Refuse too small period requests
ftruncate: pass a signed offset
batman-adv: Don't accept TT entries for out-of-spec VIDs
batman-adv: include gfp.h for GFP_* defines
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes
hexagon: fix fadvise64_64 calling conventions
tty: mcf: MCF54418 has 10 UARTS
usb: atm: cxacru: fix endpoint checking in cxacru_bind()
usb: musb: da8xx: fix a resource leak in probe()
usb: gadget: printer: SS+ support
net: usb: ax88179_178a: improve link status logs
iio: adc: ad7266: Fix variable checking bug
mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos
x86: stop playing stack games in profile_pc()
i2c: ocores: set IACK bit after core is enabled
i2c: ocores: stop transfer on timeout
nvme: fixup comment for nvme RDMA Provider Type
soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message
media: dvbdev: Initialize sbuf
ALSA: emux: improve patch ioctl data validation
net/iucv: Avoid explicit cpumask var allocation on stack
netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
ASoC: fsl-asoc-card: set priv->pdev before using it
drm/amdgpu: fix UBSAN warning in kv_dpm.c
pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set
pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins
pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins
pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER
usb: xhci: do not perform Soft Retry for some xHCI hosts
xhci: Set correct transferred length for cancelled bulk transfers
xhci: Use soft retry to recover faster from transaction errors
usb: xhci: Remove ep_trb from xhci_cleanup_halted_endpoint()
scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
scsi: mpt3sas: Gracefully handle online firmware update
scsi: mpt3sas: Add ioc_<level> logging macros
iio: dac: ad5592r: fix temperature channel scaling value
iio: dac: ad5592r: un-indent code-block for scale read
iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock
x86/amd_nb: Check for invalid SMN reads
PCI: Add PCI_ERROR_RESPONSE and related definitions
ARM: dts: samsung: smdk4412: fix keypad no-autorepeat
ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat
ARM: dts: samsung: smdkv310: fix keypad no-autorepeat
gcov: add support for GCC 14
drm/radeon: fix UBSAN warning in kv_dpm.c
ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
dmaengine: ioatdma: Fix missing kmem_cache_destroy()
regulator: core: Fix modpost error "regulator_get_regmap" undefined
net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings
virtio_net: checksum offloading handling fix
xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
netrom: Fix a memory leak in nr_heartbeat_expiry()
cipso: fix total option length computation
MIPS: Routerboard 532: Fix vendor retry check code
MIPS: Octeon: Add PCIe link status check
udf: udftime: prevent overflow in udf_disk_stamp_to_time()
udf: Simplify calls to udf_disk_stamp_to_time
udf: Sanitize nanoseconds for time stamps
usb: misc: uss720: check for incompatible versions of the Belkin F5U002
powerpc/io: Avoid clang null pointer arithmetic warnings
powerpc/pseries: Enforce hcall result buffer validity and size
scsi: qedi: Fix crash while reading debugfs attribute
batman-adv: bypass empty buckets in batadv_purge_orig_ref()
rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment
usb-storage: alauda: Check whether the media is initialized
hugetlb_encode.h: fix undefined behaviour (34 << 26)
mm/hugetlb: add mmap() encodings for 32MB and 512MB page sizes
hv_utils: drain the timesync packets on onchannelcallback
nilfs2: fix potential kernel bug due to lack of writeback flag waiting
intel_th: pci: Add Lunar Lake support
intel_th: pci: Add Meteor Lake-S support
intel_th: pci: Add Sapphire Rapids SOC support
intel_th: pci: Add Granite Rapids SOC support
intel_th: pci: Add Granite Rapids support
dmaengine: axi-dmac: fix possible race in remove()
ocfs2: fix races between hole punching and AIO+DIO
ocfs2: use coarse time for new created files
fs/proc: fix softlockup in __read_vmcore
vmci: prevent speculation leaks by sanitizing event in event_deliver()
drm/exynos/vidi: fix memory leak in .get_modes()
drivers: core: synchronize really_probe() and dev_uevent()
net/ipv6: Fix the RT cache flush via sysctl using a previous delay
ipv6/route: Add a missing check on proc_dointvec
Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
tcp: fix race in tcp_v6_syn_recv_sock()
drm/bridge/panel: Fix runtime warning on panel bridge release
iommu/amd: Fix sysfs leak in iommu init
HID: core: remove unnecessary WARN_ON() in implement()
Input: try trimming too long modalias strings
xhci: Apply broken streams quirk to Etron EJ188 xHCI host
xhci: Apply reset resume quirk to Etron EJ188 xHCI host
jfs: xattr: fix buffer overflow for invalid xattr
mei: me: release irq in mei_me_pci_resume error path
USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
nilfs2: return the mapped address from nilfs_get_page()
nilfs2: Remove check for PageError
selftests/mm: compaction_test: fix bogus test success on Aarch64
selftests/mm: conform test to TAP format output
selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages
media: mc: mark the media devnode as registered from the, start
serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler
serial: sc16is7xx: replace hardcoded divisor value with BIT() macro
usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().
af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll().
af_unix: Fix data races around sk->sk_shutdown.
af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
af_unix: Fix a data-race in unix_dgram_peer_wake_me().
af_unix: ensure POLLOUT on remote close() for connected dgram socket
ptp: Fix error message on failed pin verification
tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
vxlan: Fix regression when dropping packets due to invalid src addresses
ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
wifi: iwlwifi: mvm: don't read past the mfuart notifcation
wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
Revert "tcp: remove redundant check on tskb"
Revert "tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets"
Revert "scsi: target: Fix SELinux error when systemd-modules loads the target module"
LTS: Update to 4.14.349
x86/kvm: Disable all PV features on crash
x86/kvm: Disable kvmclock on all CPUs on shutdown
x86/kvm: Teardown PV features on boot CPU as well
crypto: algif_aead - fix uninitialized ctx->init
nfs: fix undefined behavior in nfs_block_bits()
ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
sparc: move struct termio to asm/termios.h
kdb: Use format-specifiers rather than memset() for padding in kdb_read()
kdb: Merge identical case statements in kdb_read()
kdb: Fix console handling when editing and tab-completing commands
kdb: Use format-strings rather than '\0' injection in kdb_read()
kdb: Fix buffer overflow during tab-complete
sparc64: Fix number of online CPUs
intel_th: pci: Add Meteor Lake-S CPU support
net/9p: fix uninit-value in p9_client_rpc()
crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
netfilter: nft_dynset: relax superfluous check on set updates
netfilter: nft_dynset: report EOPNOTSUPP on missing set feature
netfilter: nf_tables: don't skip expired elements during walk
netfilter: nf_tables: drop map element references from preparation phase
netfilter: nf_tables: pass ctx to nf_tables_expr_destroy()
netfilter: nftables: rename set element data activation/deactivation functions
netfilter: nf_tables: pass context to nft_set_destroy()
netfilter: nf_tables: fix set double-free in abort path
netfilter: nf_tables: add nft_set_is_anonymous() helper
fbdev: savage: Handle err return when savagefb_check_var failed
media: v4l2-core: hold videodev_lock until dev reg, finishes
media: mxl5xx: Move xpt structures off stack
arm64: dts: hi3798cv200: fix the size of GICR
md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING
arm64: tegra: Correct Tegra132 I2C alias
ata: pata_legacy: make legacy_exit() work again
neighbour: fix unaligned access to pneigh_entry
vxlan: Fix regression when dropping packets due to invalid src addresses
nilfs2: fix use-after-free of timer for log writer thread
fs/nilfs2: convert timers to use timer_setup()
mmc: core: Do not force a retune before RPMB switch
binder: fix max_thread type inconsistency
ALSA: timer: Set lower bound of start tick time
ALSA: timer: Simplify timer hw resolution calls
ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
ipvlan: add ipvlan_route_v6_outbound() helper
ipvlan: properly track tx_errors
net: add DEV_STATS_READ() helper
kconfig: fix comparison to constant symbols, 'm', 'n'
net:fec: Add fec_enet_deinit()
net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
smsc95xx: use usbnet->driver_priv
smsc95xx: remove redundant function arguments
enic: Validate length of nl attributes in enic_set_vf_port
dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion
nvmet: fix ns enable/disable possible hang
spi: Don't mark message DMA mapped when no transfer in it is
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
nfc: nci: Fix kcov check in nci_rx_work()
net: fec: avoid lock evasion when reading pps_enable
net: fec: remove redundant variable 'inc'
virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
openvswitch: Set the skbuff pkt_type for proper pmtud support.
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
params: lift param_set_uint_minmax to common code
ipv6: sr: fix memleak in seg6_hmac_init_algo
nfc: nci: Fix uninit-value in nci_rx_work
x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y
null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
media: cec: cec-api: add locking in cec_release()
um: Fix the -Wmissing-prototypes warning for __switch_mm
powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
media: stk1160: fix bounds checking in stk1160_copy_video()
um: Add winch to winch_handlers before registering winch IRQ
um: Fix return value in ubd_init()
Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
Input: ims-pcu - fix printf string overflow
libsubcmd: Fix parse-options memory leak
f2fs: add error prints for debugging mount failure
extcon: max8997: select IRQ_DOMAIN instead of depending on it
ppdev: Add an error check in register_device
stm class: Fix a double free in stm_register_device()
usb: gadget: u_audio: Clear uac pointer when freed.
greybus: arche-ctrl: move device table to its right location
serial: max3100: Fix bitwise types
serial: max3100: Update uart_driver_registered on driver removal
serial: max3100: Lock port->lock when calling uart_handle_cts_change()
firmware: dmi-id: add a release callback function
dmaengine: idma64: Add check for dma_set_max_seg_size
greybus: lights: check return of get_channel_from_mode
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax
af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
netrom: fix possible dead-lock in nr_rt_ioctl()
RDMA/IPoIB: Fix format truncation compilation errors
RDMA/ipoib: Fix use of sizeof()
selftests/kcmp: remove unused open mode
selftests/kcmp: Make the test output consistent and clear
ext4: avoid excessive credit estimate in ext4_tmpfile()
x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
fbdev: sh7760fb: allow modular build
media: radio-shark2: Avoid led_names truncations
media: ngene: Add dvb_ca_en50221_init return value check
powerpc/fsl-soc: hide unused const variable
drm/mediatek: Add 0 size check to mtk_drm_gem_obj
fbdev: shmobile: fix snprintf truncation
mtd: rawnand: hynix: fixed typo
ipv6: sr: fix invalid unregister error path
ipv6: sr: fix incorrect unregister order
ipv6: sr: add missing seg6_local_exit
net: openvswitch: fix overwriting ct original tuple for ICMPv6
net: usb: smsc95xx: stop lying about skb->truesize
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
m68k: mac: Fix reboot hang on Mac IIci
m68k/mac: Use '030 reset method on SE/30
m68k: Fix spinlock race in kernel thread creation
net: usb: sr9700: stop lying about skb->truesize
wifi: mwl8k: initialize cmd->addr[] properly
scsi: qedf: Ensure the copied buf is NUL terminated
scsi: bfa: Ensure the copied buf is NUL terminated
Revert "sh: Handle calling csum_partial with misaligned data"
sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
wifi: ar5523: enable proper endpoint verification
wifi: carl9170: add a proper sanity check for endpoints
macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"
macintosh/via-macii, macintosh/adb-iop: Clean up whitespace
m68k/mac: Add mutual exclusion for IOP interrupt polling
macintosh/via-macii: Remove BUG_ON assertions
wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()
scsi: hpsa: Fix allocation size for Scsi_Host private data
scsi: libsas: Fix the failure of adding phy with zero-address to port
ACPI: disable -Wstringop-truncation
irqchip/alpine-msi: Fix off-by-one in allocation error path
scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
scsi: ufs: core: Perform read back after disabling interrupts
scsi: ufs: qcom: Perform read back after writing reset bit
x86/boot: Ignore relocations in .notes sections in walk_relocs() too
wifi: ath10k: poll service ready message before failing
nfsd: drop st_mutex before calling move_to_close_lru()
null_blk: Fix missing mutex_destroy() at module removal
jffs2: prevent xattr node from overflowing the eraseblock
crypto: ccp - drop platform ifdef checks
crypto: ccp - Remove forward declaration
parisc: add missing export of __cmpxchg_u8()
nilfs2: fix out-of-range warning
ecryptfs: Fix buffer size for tag 66 packet
firmware: raspberrypi: Use correct device for DMA mappings
crypto: bcm - Fix pointer arithmetic
ASoC: da7219-aad: fix usage of device_get_named_child_node()
ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
net: usb: qmi_wwan: add Telit FN920C04 compositions
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
nilfs2: fix potential hang in nilfs_detach_log_writer()
nilfs2: fix unexpected freezing of nilfs_segctor_sync()
ring-buffer: Fix a race between readers and resize checks
speakup: Fix sizeof() vs ARRAY_SIZE() bug
Conflicts:
fs/f2fs/segment.c
fs/f2fs/super.c
Change-Id: I4f2f98e18345d5bd4994049b4dea3d98f36f5d8c
|
||
|
|
cd513bd7a5 |
gcov: add support for GCC 14
commit c1558bc57b8e5b4da5d821537cd30e2e660861d8 upstream.
Using gcov on kernels compiled with GCC 14 results in truncated 16-byte long .gcda files with no usable data. To fix this, update GCOV_COUNTERS to match the value defined by GCC 14.
Tested with GCC versions 14.1.0 and 13.2.0.
Link: https://lkml.kernel.org/r/20240610092743.1609845-1-oberpar@linux.ibm.com
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reported-by: Allison Henderson <allison.henderson@oracle.com>
Reported-by: Chuck Lever III <chuck.lever@oracle.com>
Tested-by: Chuck Lever <chuck.lever@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 48d5f4d66962fde59c78dd0a7cf6bd03b3f49c61)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
d3d05ae427 |
rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment
[ Upstream commit 8b9b443fa860276822b25057cb3ff3b28734dec0 ]
The "pipe_count > RCU_TORTURE_PIPE_LEN" check has a comment saying "Should not happen, but...". This is only true when testing an RCU whose grace periods are always long enough. This commit therefore fixes this comment.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Closes: https://lore.kernel.org/lkml/CAHk-=wi7rJ-eGq+xaxVfzFEgbL9tdf6Kc8Z89rCpfcQOKm74Tw@mail.gmail.com/
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 6652029853316f4c273219145ef0e71b148bbe01)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
c89fb4fb75 |
kdb: Use format-specifiers rather than memset() for padding in kdb_read()
commit c9b51ddb66b1d96e4d364c088da0f1dfb004c574 upstream.
Currently when the current line should be removed from the display kdb_read() uses memset() to fill a temporary buffer with spaces. The problem is not that this could be trivially implemented using a format string rather than open coding it. The real problem is that it is possible, on systems with a long kdb_prompt_str, to write past the end of the tmpbuffer.
Happily, as mentioned above, this can be trivially implemented using a format string. Make it so!
Cc: stable@vger.kernel.org
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Tested-by: Justin Stitt <justinstitt@google.com>
Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-5-f236dbe9828d@linaro.org
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2467f3f182eb35627534effd4956fceb2504c127)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
201f3d45de |
kdb: Merge identical case statements in kdb_read()
commit 6244917f377bf64719551b58592a02a0336a7439 upstream.
The code that handles case 14 (down) and case 16 (up) has been copy and pasted despite being byte-for-byte identical. Combine them.
Cc: stable@vger.kernel.org # Not a bug fix but it is needed for later bug fixes
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Tested-by: Justin Stitt <justinstitt@google.com>
Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-4-f236dbe9828d@linaro.org
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4a89182788f9af9a290c19098382fb972ebe2783)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
fc2a098bc0 |
kdb: Fix console handling when editing and tab-completing commands
commit db2f9c7dc29114f531df4a425d0867d01e1f1e28 upstream.
Currently, if the cursor position is not at the end of the command buffer
and the user uses the Tab-complete functions, then the console does not
leave the cursor in the correct position.
For example consider the following buffer with the cursor positioned
at the ^:
md kdb_pro 10
          ^
Pressing tab should result in:
md kdb_prompt_str 10
                 ^
However this does not happen. Instead the cursor is placed at the end
(after the 10) and further cursor movement redraws incorrectly. The
same problem exists when we double-Tab but in a different part of the
code.
Fix this by sending a carriage return and then redisplaying the text to
the left of the cursor.
Cc: stable@vger.kernel.org
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Tested-by: Justin Stitt <justinstitt@google.com>
Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-3-f236dbe9828d@linaro.org
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 21c068c1bbb4c336741749596d004b1965faab2c)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
f990953b6d |
kdb: Use format-strings rather than '\0' injection in kdb_read()
commit 09b35989421dfd5573f0b4683c7700a7483c71f9 upstream.
Currently when kdb_read() needs to reposition the cursor it uses copy and paste code that works by injecting an '\0' at the cursor position before delivering a carriage-return and reprinting the line (which stops at the '\0').
Tidy up the code by hoisting the copy and paste code into an appropriately named function. Additionally let's replace the '\0' injection with a proper field width parameter so that the string will be abridged during formatting instead.
Cc: stable@vger.kernel.org # Not a bug fix but it is needed for later bug fixes
Tested-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-2-f236dbe9828d@linaro.org
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4edfbbaca46491b06af14e49dcb79ac661d0bbdc)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
f751d9a9f3 |
kdb: Fix buffer overflow during tab-complete
commit e9730744bf3af04cda23799029342aa3cddbc454 upstream.
Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results.
Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer.
Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around.
Reported-by: Justin Stitt <justinstitt@google.com>
Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziUJLpw@mail.gmail.com/
Cc: stable@vger.kernel.org
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Justin Stitt <justinstitt@google.com>
Tested-by: Justin Stitt <justinstitt@google.com>
Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-1-f236dbe9828d@linaro.org
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit fb824a99e148ff272a53d71d84122728b5f00992)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
45e0b12972 |
params: lift param_set_uint_minmax to common code
[ Upstream commit 2a14c9ae15a38148484a128b84bff7e9ffd90d68 ]
It is a useful helper hence move it to common code so others can enjoy it.
Suggested-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Stable-dep-of: 3ebc46ca8675 ("tcp: Fix shift-out-of-bounds in dctcp_update_alpha().")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 459de98d7a6b3d504b5e8664f32f59a306dd425c)
[Harshit: Also lift param_set_uint_minmax from staging lustre driver, it is removed in 4.19.y so this upstream commit did not try cleaning it up there]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
cd212b4b36 |
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
[ Upstream commit a1fd0b9d751f840df23ef0e75b691fc00cfd4743 ]
Change relax_domain_level checks so that it would be possible
to include or exclude all domains from newidle balancing.
This matches the behavior described in the documentation:
-1 no request. use system default or follow request of others.
0 no search.
1 search siblings (hyperthreads in a core).
"2" enables levels 0 and 1, level_max excludes the last (level_max)
level, and level_max+1 includes all levels.
Fixes:
|
||
|
|
03baaba21b |
sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax
[ Upstream commit 9ae7ab20b4835dbea0e5fc6a5c70171dc354a72e ]
As pointed out in commit
|
||
|
|
a43f1f02b3 |
ring-buffer: Fix a race between readers and resize checks
commit c2274b908db05529980ec056359fae916939fdaa upstream.
The reader code in rb_get_reader_page() swaps a new reader page into the
ring buffer by doing cmpxchg on old->list.prev->next to point it to the
new page. Following that, if the operation is successful,
old->list.next->prev gets updated too. This means the underlying
doubly-linked list is temporarily inconsistent, page->prev->next or
page->next->prev might not be equal back to page for some page in the
ring buffer.
The resize operation in ring_buffer_resize() can be invoked in parallel.
It calls rb_check_pages() which can detect the described inconsistency
and stop further tracing:
[ 190.271762] ------------[ cut here ]------------
[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0
[ 190.271789] Modules linked in: [...]
[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1
[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f
[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014
[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0
[ 190.272023] Code: [...]
[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206
[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80
[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700
[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000
[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720
[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000
[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000
[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0
[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 190.272077] Call Trace:
[ 190.272098] <TASK>
[ 190.272189] ring_buffer_resize+0x2ab/0x460
[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0
[ 190.272206] tracing_resize_ring_buffer+0x65/0x90
[ 190.272216] tracing_entries_write+0x74/0xc0
[ 190.272225] vfs_write+0xf5/0x420
[ 190.272248] ksys_write+0x67/0xe0
[ 190.272256] do_syscall_64+0x82/0x170
[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 190.272373] RIP: 0033:0x7f1bd657d263
[ 190.272381] Code: [...]
[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263
[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001
[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000
[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500
[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002
[ 190.272412] </TASK>
[ 190.272414] ---[ end trace 0000000000000000 ]---
Note that ring_buffer_resize() calls rb_check_pages() only if the parent
trace_buffer has recording disabled. Recent commit d78ab792705c
("tracing: Stop current tracer when resizing buffer") causes that it is
now always the case which makes it more likely to experience this issue.
The window to hit this race is nonetheless very small. To help
reproducing it, one can add a delay loop in rb_get_reader_page():
  ret = rb_head_page_replace(reader, cpu_buffer->reader_page);
  if (!ret)
      goto spin;
  for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */
      __asm__ __volatile__ ("" : : : "memory");
  rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;
.. and then run the following commands on the target system:
  echo 1 > /sys/kernel/tracing/events/sched/sched_switch/enable
  while true; do
      echo 16 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1
      echo 8 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1
  done &
  while true; do
      for i in /sys/kernel/tracing/per_cpu/*; do
          timeout 0.1 cat $i/trace_pipe; sleep 0.2
      done
  done
To fix the problem, make sure ring_buffer_resize() doesn't invoke
rb_check_pages() concurrently with a reader operating on the same
ring_buffer_per_cpu by taking its cpu_buffer->reader_lock.
Link: https://lore.kernel.org/linux-trace-kernel/20240517134008.24529-3-petr.pavlu@suse.com
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes:
|
||
|
|
6be06baf80 |
Merge branch 'linux-4.14.y' of github.com:openela/kernel-lts into android-msm-pixel-4.14
* 'linux-4.14.y' of github.com:openela/kernel-lts:
LTS: Update to 4.14.348
docs: kernel_include.py: Cope with docutils 0.21
serial: kgdboc: Fix NMI-safety problems from keyboard reset code
btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()
dm: limit the number of targets and parameter size area
Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems"
LTS: Update to 4.14.347
rds: Fix build regression.
RDS: IB: Use DEFINE_PER_CPU_SHARED_ALIGNED for rds_ib_stats
af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().
net: fix out-of-bounds access in ops_init
drm/vmwgfx: Fix invalid reads in fence signaled events
dyndbg: fix old BUG_ON in >control parser
tipc: fix UAF in error path
usb: gadget: f_fs: Fix a race condition when processing setup packets.
usb: gadget: composite: fix OS descriptors w_value logic
firewire: nosy: ensure user_length is taken into account when fetching packet contents
af_unix: Fix garbage collector racing against connect()
af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
net/ipv6: Refactor fib6_rule_action
net: bridge: fix corrupted ethernet header on multicast-to-unicast
net: bridge: use DEV_STATS_INC()
phonet: fix rtm_phonet_notify() skb allocation
rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
tcp: remove redundant check on tskb
net:usb:qmi_wwan: support Rolling modules
fs/9p: drop inodes immediately on non-.L too
gpio: crystalcove: Use -ENOTSUPP consistently
gpio: wcove: Use -ENOTSUPP consistently
9p: explicitly deny setlease attempts
fs/9p: translate O_TRUNC into OTRUNC
fs/9p: only translate RWX permissions for plain 9P2000
selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior
scsi: target: Fix SELinux error when systemd-modules loads the target module
tools/power turbostat: Fix Bzy_MHz documentation typo
tools/power turbostat: Fix added raw MSR output
firewire: ohci: mask bus reset interrupts between ISR and bottom half
ata: sata_gemini: Check clk_enable() result
net: bcmgenet: Reset RBUF on first open
ALSA: line6: Zero-initialize message buffers
scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload
net: mark racy access on sk->sk_rcvbuf
wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc
scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic
tipc: fix a possible memleak in tipc_buf_append
net: bridge: fix multicast-to-unicast with fraglist GSO
net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341
net: dsa: mv88e6xxx: Fix name of switch 88E6141
net: dsa: mv88e6xxx: Add number of MACs in the ATU
net l2tp: drop flow hash on forward
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
bna: ensure the copied buf is NUL terminated
pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
power: rt9455: hide unused rt9455_boost_voltage_values
pinctrl: core: delete incorrect free in pinctrl_enable()
ethernet: Add helper for assigning packet type when dest address does not match device address
ethernet: add a helper for assigning port addresses
net: create netdev->dev_addr assignment helpers
net: slightly optimize eth_type_trans
wifi: nl80211: don't free NULL coalescing rule
dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state"
dmaengine: pl330: issue_pending waits until WFP state
LTS: Update to 4.14.346
Simplify major/minor non-dynamic logic
net: fix unused variable warning in do_tcp_setsockopt()
serial: core: fix kernel-doc for uart_port_unlock_irqrestore()
HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
i2c: smbus: fix NULL function pointer dereference
i2c: add param sanity check to i2c_transfer()
idma64: Don't try to serve interrupts when device is powered off
mtd: diskonchip: work around ubsan link failure
stackdepot: respect __GFP_NOLOCKDEP allocation flag
net: b44: set pause params only when interface is up
irqchip/gic-v3-its: Prevent double free on error
arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together
tracing: Show size of requested perf buffer
Revert "crypto: api - Disallow identical driver names"
drm/amdgpu: validate the parameters of bo mapping operations more clearly
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
drm/amdgpu: restrict bo mapping within gpu address limits
serial: mxs-auart: add spinlock around changing cts state
serial: core: Provide port lock wrappers
i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
ipvs: Fix checksumming on GSO of SCTP packets
bpf: fix bpf_skb_adjust_net/bpf_skb_proto_xlat to deal with gso sctp skbs
docs: segmentation-offloads.txt: add SCTP info
net: gtp: Fix Use-After-Free in gtp_dellink
net: usb: ax88179_178a: stop lying about skb->truesize
NFC: trf7970a: disable all regulators on removal
mlxsw: core: Unregister EMAD trap using FORWARD action
vxlan: drop packets from invalid src-address
ARC: [plat-hsdk]: Remove misplaced interrupt-cells property
arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma
arm64: dts: rockchip: fix alphabetical ordering RK3399 puma
nilfs2: fix OOB in nilfs_set_de_type
fs: sysfs: Fix reference leak in sysfs_break_active_protection()
speakup: Avoid crash on very long word
usb: dwc2: host: Fix dereference issue in DDMA completion flow.
Revert "usb: cdc-wdm: close race between read and workqueue"
USB: serial: option: add Telit FN920C04 rmnet compositions
USB: serial: option: add Rolling RW101-GL and RW135-GL support
USB: serial: option: support Quectel EM060K sub-models
USB: serial: option: add Lonsung U8300/U9300 product
USB: serial: option: add support for Fibocom FM650/FG650
USB: serial: option: add Fibocom FM135-GL variants
serial/pmac_zilog: Remove flawed mitigation for rx irq flood
comedi: vmk80xx: fix incomplete endpoint checking
drm: nv04: Fix out of bounds access
tun: limit printing rate when illegal packet received by tun dev
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
netfilter: nf_tables: __nft_expr_type_get() selects specific family type
Revert "tracing/trigger: Fix to return error if failed to alloc snapshot"
kprobes: Fix possible use-after-free issue on kprobe registration
selftests/ftrace: Limit length in subsystem-enable tests
x86/apic: Force native_apic_mem_read() to use the MOV instruction
selftests: timers: Fix abs() warning in posix_timers test
vhost: Add smp_rmb() in vhost_vq_avail_empty()
tracing: hide unused ftrace_event_id_fops
net/mlx5: Properly link new fs rules into the tree
ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
ipv4/route: avoid unused-but-set-variable warning
geneve: fix header validation in geneve[6]_xmit_skb
nouveau: fix function cast warning
Bluetooth: Fix memory leak in hci_req_sync_complete()
batman-adv: Avoid infinite loop trying to resize local TT
LTS: Update to 4.14.345
net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()
Revert "net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()"
netfilter: nftables: exthdr: fix 4-byte stack OOB write
ext4: fix to check return value of freeze_bdev() in ext4_shutdown()
Revert "ext4: fix to check return value of freeze_bdev() in ext4_shutdown()"
VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
Bluetooth: btintel: Fixe build regression
x86/mm/pat: fix VM_PAT handling in COW mappings
virtio: reenable config if freezing device failed
tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
fbmon: prevent division by zero in fb_videomode_from_videomode()
fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2
usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined
tools: iio: replace seekdir() in iio_generic_buffer
block: prevent division by zero in blk_rq_stat_sum()
SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int
media: sta2x11: fix irq handler cast
isofs: handle CDs with bad root inode but good Joliet root directory
scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
sysv: don't call sb_bread() with pointers_lock held
Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails
Bluetooth: btintel: Fix null ptr deref in btintel_read_version
btrfs: send: handle path ref underflow in header iterate_inode_ref()
btrfs: export: handle invalid inode or root reference in btrfs_get_parent()
btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()
tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()
arm64: dts: rockchip: fix rk3399 hdmi ports node
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
wifi: ath9k: fix LNA selection in ath_ant_try_scan()
ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone
ata: sata_mv: Fix PCI device ID table declaration compilation warning
ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit
ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw
init: open /initrd.image with O_LARGEFILE
staging: vc04_services: fix information leak in create_component()
staging: vc04_services: changen strncpy() to strscpy_pad()
staging: mmal-vchiq: Fix client_component for 64 bit kernel
staging: mmal-vchiq: Allocate and free components as required
staging: mmal-vchiq: Avoid use of bool in structures
ipv6: Fix infinite recursion in fib6_dump_done().
selftests: reuseaddr_conflict: add missing new line at the end of the output
net/sched: act_skbmod: prevent kernel-infoleak
net: stmmac: fix rx queue priority assignment
net: stmmac: Fix issues when number of Queues >= 4
mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations
Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped."
netfilter: nf_tables: disallow timeout for anonymous sets
Bluetooth: Fix TOCTOU in HCI debugfs implementation
Bluetooth: hci_event: set the conn encrypted before conn establishes
tcp: properly terminate timers for kernel sockets
mptcp: add sk_stop_timer_sync helper
nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
USB: core: Fix deadlock in usb_deauthorize_interface()
scsi: lpfc: Correct size for wqe for memset()
x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled
scsi: qla2xxx: Fix command flush on cable pull
usb: udc: remove warning when queue disabled ep
usb: dwc2: host: Fix ISOC flow in DDMA mode
usb: dwc2: host: Fix hibernation flow
powerpc: xor_vmx: Add '-mhard-float' to CFLAGS
efivarfs: Request at most 512 bytes for variable names
perf/core: Fix reentry problem in perf_output_read_group()
loop: Call loop_config_discard() only after new config is applied
Revert "loop: Check for overflow while configuring loop"
btrfs: allocate btrfs_ioctl_defrag_range_args on stack
btrfs: add define for oldest generation
printk: Update @console_may_schedule in console_trylock_spinning()
fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion
ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs
ALSA: aica: Fix a long-time build breakage
ALSA: sh: aica: Convert timers to use timer_setup()
usb: cdc-wdm: close race between read and workqueue
USB: cdc-wdm: Fix use after free in service_outstanding_interrupt().
exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
mm/migrate: set swap entry values of THP tail pages properly.
mm/memory-failure: fix an incorrect use of tail pages
vt: fix memory overlapping when deleting chars in the buffer
tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled
usb: port: Don't try to peer unused USB ports based on location
usb: gadget: ncm: Fix handling of zero block length packets
USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command
ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform
xfrm: Avoid clang fortify warning in copy_to_user_tmpl()
netfilter: nf_tables: reject constant set with timeout
netfilter: nf_tables: disallow anonymous set with timeout flag
comedi: comedi_test: Prevent timers rescheduling during deletion
ahci: asm1064: asm1166: don't limit reported ports
ahci: asm1064: correct count of reported ports
nilfs2: prevent kernel bug at submit_bh_wbc()
nilfs2: use a more common logging style
nilfs2: fix failure to detect DAT corruption in btree and direct mappings
memtest: use {READ,WRITE}_ONCE in memory scanning
drm/vc4: hdmi: do not return negative values from .get_modes()
drm/imx/ipuv3: do not return negative values from .get_modes()
s390/zcrypt: fix reference counting on zcrypt card objects
soc: fsl: qbman: Use raw spinlock for cgr_lock
soc: fsl: qbman: Add CGR update function
soc: fsl: qbman: Add helper for sanity checking cgr ops
soc: fsl: qbman: Always disable interrupts when taking cgr_lock
vfio/platform: Disable virqfds on cleanup
kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1
speakup: Fix 8bit characters from direct synth
ext4: fix corruption during on-line resize
hwmon: (amc6821) add of_match table
mmc: core: Fix switch on gp3 partition
dm-raid: fix lockdep waring in "pers->hot_add_disk"
Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d""
PCI/PM: Drain runtime-idle callbacks before driver removal
PCI: Drop pci_device_remove() test of pci_dev->driver
fuse: don't unhash root
mmc: tmio: avoid concurrent runs of mmc_request_done()
PM: sleep: wakeirq: fix wake irq warning in system suspend
USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M
USB: serial: option: add MeiG Smart SLM320 product
USB: serial: cp210x: add ID for MGP Instruments PDS100
USB: serial: add device ID for VeriFone adapter
USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB
powerpc/fsl: Fix mfpmr build errors with newer binutils
clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays
clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays
PM: suspend: Set mem_sleep_current during kernel command line setup
parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds
parisc: Fix csum_ipv6_magic on 64-bit systems
parisc: Fix csum_ipv6_magic on 32-bit systems
parisc: Fix ip_fast_csum
parisc: Do not hardcode registers in checksum functions
ubi: correct the calculation of fastmap size
ubi: Check for too small LEB size in VTBL code
ubifs: Set page uptodate in the correct place
fat: fix uninitialized field in nostale filehandles
crypto: qat - resolve race condition during AER recovery
crypto: qat - fix double free during reset
sparc64: NMI watchdog: fix return value of __setup handler
KVM: Always flush async #PF workqueue when vCPU is being destroyed
media: xc4000: Fix atomicity violation in xc4000_get_frequency
arm: dts: marvell: Fix maxium->maxim typo in brownstone dts
ARM: dts: mmp2-brownstone: Don't redeclare phandle references
smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity()
smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr()
wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
x86/bugs: Use sysfs_emit()
x86/pti: Don't report XenPV as vulnerable
x86/cpu: Support AMD Automatic IBRS
Documentation/hw-vuln: Update spectre doc
LTS: Update to 4.14.344
binder: signal epoll threads of self-work
ANDROID: binder: Add thread->process_todo flag.
scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
scsi: bnx2fc: Remove set but not used variable 'oxid'
net: check dev->gso_max_size in gso_features_check()
driver: staging: count ashmem_range into SLAB_RECLAIMBLE
net: warn if gso_type isn't set for a GSO SKB
staging: android: ashmem: Remove use of unlikely()
ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
ALSA: hda/realtek: Enable headset onLenovo M70/M90
ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB
ALSA: hda/realtek - ALC897 headset MIC no sound
ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform
ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW
ALSA: hda/realtek - The front Mic on a HP machine doesn't work
ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662
ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662
ALSA: hda/realtek - Add Headset Mic supported for HP cPC
ALSA: hda/realtek - More constifications
Add Acer Aspire Ethos 8951G model quirk
devcoredump: Send uevent once devcd is ready
devcoredump : Serialize devcd_del work
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
netfilter: xt_owner: Add supplementary groups option
mtd: cfi_cmdset_0001: Byte swap OTP info
mtd: cfi_cmdset_0001: Support the absence of protection registers
s390/cmma: fix detection of DAT pages
s390/mm: fix phys vs virt confusion in mark_kernel_pXd() functions family
ALSA: hda/realtek: Headset Mic VREF to 100%
hfsplus: unmap the page in the "fail_page" label
ALSA: hda/realtek - Fix microphone noise on ASUS TUF B550M-PLUS
ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887
ALSA: hda/realtek - Add quirk for Tuxedo XC 1509
ALSA: hda/realtek - Headset microphone and internal speaker support for System76 oryp5
ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup
ALSA: hda/realtek - Add support for ALC1220
hv_netvsc: Fix race of register_netdevice_notifier and VF register
hv_netvsc: use reciprocal divide to speed up percent calculation
pwm: sti: Reduce number of allocations and drop usage of chip_data
pwm: sti: Avoid conditional gotos
tools: iio: iio_generic_buffer ensure alignment
tools: iio: iio_generic_buffer: Fix some integer type and calculation
tools: iio: privatize globals and functions in iio_generic_buffer.c file
leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
ledtrig-cpu: Limit to 8 CPUs
leds: pwm: Don't disable the PWM when the LED should be off
leds: pwm: convert to atomic PWM API
leds: pwm: simplify if condition
regmap: debugfs: Fix a erroneous check after snprintf()
regmap: Allow missing device in regmap_name_read_file()
tcp_metrics: add missing barriers on delete
tcp: batch tcp_net_metrics_exit
tcp: fix excessive TLP and RACK timeouts from HZ rounding
tcp: Namespace-ify sysctl_tcp_early_retrans
net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()
ata: libata-core: Do not register PM operations for SAS ports
libata: make ata_port_type const
libata: Add new med_power_with_dipm link_power_management_policy setting
ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q
ALSA: hda - add Lenovo IdeaCentre B550 to the power_save_blacklist
ALSA: hda: Add Intel NUC7i3BNB to the power_save blacklist
ext4: mark group as trimmed only if it was fully scanned
ext4: add new helper interface ext4_try_to_trim_range()
ext4: remove the 'group' parameter of ext4_trim_extent
scsi: qla2xxx: Remove unsupported ql2xenabledif option
scsi: qla2xxx: Add protection mask module parameters
scsi: qla2xxx: Add option for use reserve exch for ELS
scsi: qla2xxx: Reinstate module parameter ql2xenablemsix
scsi: lpfc: remove redundant null check on eqe
usb: typec: tcpci: clear the fault status bit
usb: typec: add fwnode to tcpc
staging: typec: fix endianness mismatch identified by sparse
staging: typec: tcpm: Document data structures
serial: sc16is7xx: fix broken port 0 uart init
sc16is7xx: Set iobase to device index
dlm: fix plock lookup when using multiple lockspaces
drm/tegra: dpaux: Fix incorrect return value of platform_get_irq
drm/tegra: Remove superfluous error messages around platform_get_irq()
ARM: dts: BCM53573: Drop nonexistent #usb-cells
ARM: dts: BCM5301X: Harmonize EHCI/OHCI DT nodes name
wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx
ath9k: use irqsave() in USB's complete callback
wifi: mwifiex: fix error recovery in PCIE buffer descriptor management
mwifiex: switch from 'pci_' to 'dma_' API
mwifiex: drop 'set_consistent_dma_mask' log message
bonding: fix macvlan over alb bond support
net: remove bond_slave_has_mac_rcu()
fbdev: fix potential OOB read in fast_imageblit()
fbdev: Fix sys_imageblit() for arbitrary image widths
fbdev: Improve performance of sys_imageblit()
tty: serial: fsl_lpuart: add earlycon for imx8ulp platform
Revert "tty: serial: fsl_lpuart: drop earlycon entry for i.MX8QXP"
MIPS: cpu-features: Use boot_cpu_type for CPU type based features
MIPS: cpu-features: Enable octeon_cache by cpu_type
fs: dlm: fix mismatch of plock results from userspace
fs: dlm: use dlm_plock_info for do_unlock_close
fs: dlm: change plock interrupted message to debug again
fs: dlm: add pid to debug log
dlm: replace usage of found with dedicated list iterator variable
dlm: improve plock logging if interrupted
nfsd: Remove incorrect check in nfsd4_validate_stateid
nfsd4: kill warnings on testing stateids with mismatched clientids
mmc: meson-gx: remove redundant mmc_request_done() call from irq context
mmc: meson-gx: remove useless lock
PM: sleep: wakeirq: fix wake irq arming
PM / wakeirq: support enabling wake-up irq after runtime_suspend called
scsi: zfcp: Defer fc_rport blocking until after ADISC response
scsi: zfcp: workqueue: set description for port work items with their WWPN as context
btrfs: check for commit error at btrfs_attach_transaction_barrier()
btrfs: simplify IS_ERR/PTR_ERR checks
fs: dlm: interrupt posix locks only when process is killed
dlm: rearrange async condition return
dlm: cleanup plock_op vs plock_xop
ext4: Fix reusing stale buffer heads from last failed mounting
ext4: rename journal_dev to s_journal_dev inside ext4_sb_info
tcp: annotate data-races around tp->linger2
net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX
ceph: don't let check_caps skip sending responses for revoke msgs
ceph: define argument structure for handle_cap_grant
net: bcmgenet: Ensure MDIO unregistration has clocks enabled
net: bcmgenet: Avoid calling platform_device_put() twice in bcmgenet_mii_exit()
net: tcp_input: Neaten DBGUNDO
i2c: xiic: Don't try to handle more interrupt events after error
i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in xiic_process()
i2c: xiic: Fix broken locking on tx_msg
i2c: xiic: Change code alignment to 1 space only
i2c: xiic: Add timeout to the rx fifo wait loop
i2c: xiic: Fix kerneldoc warnings
hwrng: virtio - Fix race on data_avail and actual data
hwrng: virtio - always add a pending request
hwrng: virtio - don't waste entropy
hwrng: virtio - don't wait on cleanup
hwrng: virtio - add an internal buffer
nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()
nfc: constify several pointers to u8, char and sk_buff
irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
irqchip/jcore-aic: Kill use of irq_create_strict_mappings()
Documentation: fix little inconsistencies
usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling
net/rose: fix races in rose_kill_by_device()
reset: Fix crash when freeing non-existent optional resets
ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
PCI: keystone: Don't discard .probe() callback
PCI: keystone: Don't discard .remove() callback
can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on()
can: dev: can_restart(): don't crash kernel if carrier is OK
r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1
xen-netback: use default TX queue size for vifs
MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled
arm64: dts: qcom: msm8996: Add missing interrupt to the USB2 controller
sched/rt: pick_next_rt_entity(): check list_entry
regmap: Account for register length in SMBus I/O limits
x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms
ASoC: cs42l51: fix driver to properly autoload with automatic module loading
PCI: qcom: Disable write access to read only registers for IP v2.3.3
pinctrl: amd: Only use special debounce behavior for GPIO 0
IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
usb: fotg210-hcd: delete an incorrect bounds test
smb: client: fix OOB in smbCalcSize()
btrfs: do not allow non subvolume root targets for snapshot
pinctrl: at91-pio4: use dedicated lock class for IRQ
net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()
arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names
IB/isert: Fix unaligned immediate-data handling
fbdev: stifb: Make the STI next font pointer a 32-bit signed offset
smb3: fix touch -h of symlink
MIPS: KVM: Fix a build warning about variable set but not used
cifs: spnego: add ';' in HOST_KEY_LEN
macvlan: Don't propagate promisc change to lower dev in passthru
ppp: limit MRU to 64K
ptp: annotate data-race around q->head and q->tail
xen/events: fix delayed eoi list handling
tipc: Fix kernel-infoleak due to uninitialized TLV value
tty: Fix uninit-value access in ppp_sync_receive()
iio: exynos-adc: request second interupt only when touchscreen mode is used
selftests/ftrace: Add new test case which checks non unique symbol
media: v4l2-fwnode: fix v4l2_fwnode_parse_link handling
block: fix signed int overflow in Amiga partition support
iio: addac: stx104: Fix race condition for stx104_write_raw()
ext4: fix to check return value of freeze_bdev() in ext4_shutdown()
btrfs: fix extent buffer leak after tree mod log failure at split_node()
pinctrl: amd: Detect internal GPIO0 debounce handling
ALSA: jack: Fix mutex call in snd_jack_report()
IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors
ARM: 9303/1: kprobes: avoid missing-declaration warnings
LTS: Update to 4.14.343
crypto: af_alg - Work around empty control messages without MSG_MORE
crypto: af_alg - Fix regression on empty requests
spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
net/bnx2x: Prevent access to a freed page in page_pool
hsr: Handle failures in module init
rds: introduce acquire/release ordering in acquire/release_in_xmit()
hsr: Fix uninit-value access in hsr_get_node()
net: hsr: fix placement of logical operator in a multi-line statement
usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin
staging: greybus: fix get_channel_from_mode() failure path
serial: 8250_exar: Don't remove GPIO device on suspend
rtc: mt6397: select IRQ_DOMAIN instead of depending on it
rtc: mediatek: enhance the description for MediaTek PMIC based RTC
tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT
serial: max310x: fix syntax error in IRQ error message
clk: qcom: gdsc: Add support to update GDSC transition delay
NFS: Fix an off by one in root_nfs_cat()
net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()
scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn
scsi: csiostor: Avoid function pointer casts
ALSA: usb-audio: Stop parsing channels bits when all channels are found.
sparc32: Fix section mismatch in leon_pci_grpci
backlight: lp8788: Fully initialize backlight_properties during probe
backlight: lm3639: Fully initialize backlight_properties during probe
backlight: da9052: Fully initialize backlight_properties during probe
backlight: lm3630a: Don't set bl->props.brightness in get_brightness
backlight: lm3630a: Initialize backlight_properties on init
powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.
powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks
drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip
media: go7007: fix a memleak in go7007_load_encoder
media: dvb-frontends: avoid stack overflow warnings with clang
media: pvrusb2: fix uaf in pvr2_context_set_notify
drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()
mtd: rawnand: lpc32xx_mlc: fix irq handler prototype
crypto: arm/sha - fix function cast warnings
crypto: arm - Rename functions to avoid conflict with crypto/sha256.h
mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref
drm/tegra: put drm_gem_object ref on error in tegra_fb_create
clk: hisilicon: hi3519: Release the correct number of gates in hi3519_clk_unregister()
PCI: Mark 3ware-9650SE Root Port Extended Tags as broken
drm/mediatek: dsi: Fix DSI RGB666 formats and definitions
media: pvrusb2: fix pvr2_stream_callback casts
media: go7007: add check of return value of go7007_read_addr()
ALSA: seq: fix function cast warnings
drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()
perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()
quota: Fix rcu annotations of inode dquot pointers
quota: Fix potential NULL pointer dereference
quota: simplify drop_dquot_ref()
quota: check time limit when back out space/inode change
fs/quota: erase unused but set variable warning
quota: code cleanup for __dquot_alloc_space()
clk: qcom: reset: Ensure write completion on reset de/assertion
clk: qcom: reset: Commonize the de/assert functions
clk: qcom: reset: support resetting multiple bits
clk: qcom: reset: Allow specifying custom reset delay
media: edia: dvbdev: fix a use-after-free
media: dvb-core: Fix use-after-free due to race at dvb_register_device()
media: dvbdev: convert DVB device types into an enum
media: dvbdev: fix error logic at dvb_register_device()
media: dvbdev: Fix memleak in dvb_register_device
media: media/dvb: Use kmemdup rather than duplicating its implementation
media: dvbdev: remove double-unlock
media: v4l2-tpg: fix some memleaks in tpg_alloc
media: em28xx: annotate unchecked call to media_device_register()
media: tc358743: register v4l2 async device only after successful setup
drm: Don't treat 0 as -1 in drm_fixp2int_ceil
drm/rockchip: inno_hdmi: Fix video timing
drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path of tegra_dsi_probe()
drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()
drm/tegra: dsi: Make use of the helper function dev_err_probe()
gpu: host1x: mipi: Update tegra_mipi_request() to be node based
drm/tegra: dsi: Add missing check for of_find_device_by_node
dm: call the resume method on internal suspend
dm raid: fix false positive for requeue needed during reshape
net/x25: fix incorrect parameter validation in the x25_getsockopt() function
net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function
udp: fix incorrect parameter validation in the udp_lib_getsockopt() function
l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function
tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function
ipv6: fib6_rules: flush route cache when rule is changed
bpf: Fix stackmap overflow check on 32-bit arches
bpf: Fix hashtab overflow check on 32-bit arches
sr9800: Add check for usbnet_get_endpoints
Bluetooth: hci_core: Fix possible buffer overflow
Bluetooth: Remove superfluous call to hci_conn_check_pending()
igb: Fix missing time sync events
igb: move PEROUT and EXTTS isr logic to separate functions
mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove function
SUNRPC: fix some memleaks in gssx_dec_option_array
x86, relocs: Ignore relocations in .notes section
ACPI: scan: Fix device check notification handling
ARM: dts: arm: realview: Fix development chip ROM compatible value
wifi: brcmsmac: avoid function pointer casts
iommu/amd: Mark interrupt as managed
bus: tegra-aconnect: Update dependency to ARCH_TEGRA
ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()
wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()
af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().
sock_diag: annotate data-races around sock_diag_handlers[family]
sock_diag: request _diag module only when the family or proto has been registered
wifi: mwifiex: debugfs: Drop unnecessary error check for debugfs_create_dir()
wifi: b43: Disable QoS for bcm4331
wifi: b43: Stop correct queue in DMA worker when QoS is disabled
b43: main: Fix use true/false for bool type
wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled
wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled
b43: dma: Fix use true/false for bool type variable
timekeeping: Fix cross-timestamp interpolation for non-x86
timekeeping: Fix cross-timestamp interpolation corner case decision
timekeeping: Fix cross-timestamp interpolation on counter wrap
aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
md: Don't clear MD_CLOSING when the raid is about to stop
md: implement ->set_read_only to hook into BLKROSET processing
block: add a new set_read_only method
md: switch to ->check_events for media change notifications
fs/select: rework stack allocation hack for clang
do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
crypto: algif_aead - Only wake up when ctx->more is zero
crypto: af_alg - make some functions static
ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll
ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode
ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC
Input: gpio_keys_polled - suppress deferred probe error for gpio
firewire: core: use long bus reset on gap count error
Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
scsi: mpt3sas: Prevent sending diag_reset when the controller is ready
dm-verity, dm-crypt: align "struct bvec_iter" correctly
block: sed-opal: handle empty atoms when parsing response
net/iucv: fix the allocation size of iucv_path_table array
MIPS: Clear Cause.BD in instruction_pointer_set
x86/xen: Add some null pointer checking to smp.c
x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()
xen/events: only register debug interrupt for 2-level events
LTS: Update to 4.14.342
selftests/vm: fix map_hugetlb length used for testing read and write
selftests/vm: fix display of page size in map_hugetlb
getrusage: use sig->stats_lock rather than lock_task_sighand()
getrusage: use __for_each_thread()
getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand()
getrusage: add the "signal_struct *sig" local variable
hv_netvsc: use netif_is_bond_master() instead of open code
um: allow not setting extra rpaths in the linux binary
selftests: mm: fix map_hugetlb failure on 64K page size systems
tools/selftest/vm: allow choosing mem size and page size in map_hugetlb
netrom: Fix data-races around sysctl_net_busy_read
netrom: Fix a data-race around sysctl_netrom_link_fails_count
netrom: Fix a data-race around sysctl_netrom_routing_control
netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout
netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size
netrom: Fix a data-race around sysctl_netrom_transport_busy_delay
netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay
netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries
netrom: Fix a data-race around sysctl_netrom_transport_timeout
netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser
netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser
netrom: Fix a data-race around sysctl_netrom_default_path_quality
netfilter: nf_conntrack_h323: Add protection for bmp length out of range
netfilter: nf_ct_h323: Extend nf_h323_error_boundary to work on bits as well
netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function
netfilter: nf_ct_h323: Out Of Bound Read in Netfilter Conntrack
netfilter: nf_conntrack_h323: Remove typedef struct
geneve: make sure to pull inner header in geneve_rx()
net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb
net: move definition of pcpu_lstats to header file
net: lan78xx: fix runtime PM count underflow on link stop
lan78xx: Fix race conditions in suspend/resume handling
lan78xx: Fix partial packet errors on suspend/resume
lan78xx: Add missing return code checks
lan78xx: Fix white space and style issues
net: usb: lan78xx: Remove lots of set but unused 'ret' variables
net: usb: lan78xx: Disable interrupts before calling generic_handle_irq()
net: lan78xx: Allow for VLAN headers in timeout calcs
ip: validate header length on virtual device xmit
LTS: Update to 4.14.341
gpio: 74x164: Enable output pins after registers are reset
cachefiles: fix memory leak in cachefiles_add_cache()
mmc: core: Fix eMMC initialization with 1-bit bus connection
btrfs: dev-replace: properly validate device names
wifi: nl80211: reject iftype change with mesh ID change
gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
ALSA: Drop leftover snd-rtctimer stuff from Makefile
power: supply: bq27xxx-i2c: Do not free non existing IRQ
efi/capsule-loader: fix incorrect allocation size
Bluetooth: Enforce validation on max value of connection interval
Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST
Bluetooth: Avoid potential use-after-free in hci_error_reset
net: usb: dm9601: fix wrong return value in dm9601_mdio_read
lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected
netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
Conflicts:
drivers/android/binder.c
drivers/block/loop.c
drivers/mmc/host/meson-gx-mmc.c
drivers/staging/typec/tcpm.h
drivers/usb/typec/tcpm/tcpm.c
fs/aio.c
fs/select.c
include/net/netns/ipv4.h
mm/page_alloc.c
net/core/filter.c
net/ipv4/sysctl_net_ipv4.c
net/ipv4/tcp_ipv4.c
sound/usb/stream.c
Change-Id: I90aff1a1b88379a959c6dda1c89e5efb48af5450
|
||
|
|
877c974ee4 |
BACKPORT: tracing: Remove unnecessary DEBUG_FS dependency
Tracing replaced debugfs with tracefs.
Signed-off-by: Kusanagi Kouichi <slash@ac.auone-net.jp>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Link: https://lore.kernel.org/r/20191120104350753.EWCT.12796.ppp.dion.ne.jp@dmta0009.auone-net.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0e4a459f56c32d3e52ae69a4b447db2f48a65f44)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id61dddcb804cf7a5d62d2d04a455d8b84097c967
|
||
|
|
e3b3f139e8 |
tracing: Show size of requested perf buffer
commit a90afe8d020da9298c98fddb19b7a6372e2feb45 upstream.
If the perf buffer isn't large enough, provide a hint about how large it
needs to be for whatever is running.
Link: https://lkml.kernel.org/r/20210831043723.13481-1-robbat2@gentoo.org
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
(cherry picked from commit 78b92d50fe6ab79d536f4b12c5bde15f2751414d)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
638cc92651 |
Revert "tracing/trigger: Fix to return error if failed to alloc snapshot"
This reverts commit bcf4a115a5068f3331fafb8c176c1af0da3d8b19 which is
commit 0958b33ef5a04ed91f61cef4760ac412080c4e08 upstream.
The change has an incorrect assumption about the return value because
in the current stable trees for versions 5.15 and before, the following
commit responsible for making 0 a success value is not present:
b8cc44a4d3c1 ("tracing: Remove logic for registering multiple event triggers at a time")
The return value should be 0 on failure in the current tree, because in
the functions event_trigger_callback() and event_enable_trigger_func(),
we have:
    ret = cmd_ops->reg(glob, trigger_ops, trigger_data, file);
    /*
     * The above returns on success the # of functions enabled,
     * but if it didn't find any functions it returns zero.
     * Consider no functions a failure too.
     */
    if (!ret) {
        ret = -ENOENT;
Cc: stable@kernel.org # 5.15, 5.10, 5.4, 4.19
Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 34925d01baf3ee62ab21c21efd9e2c44c24c004a)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
b13c030fd2 |
kprobes: Fix possible use-after-free issue on kprobe registration
commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 upstream.
When unloading a module, its state is changing MODULE_STATE_LIVE ->
MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take a time.
`is_module_text_address()` and `__module_text_address()` works with
MODULE_STATE_LIVE and MODULE_STATE_GOING.
If we use `is_module_text_address()` and `__module_text_address()`
separately, there is a chance that the first one is succeeded but the
next one is failed because module->state becomes MODULE_STATE_UNFORMED
between those operations.
In `check_kprobe_address_safe()`, if the second `__module_text_address()`
is failed, that is ignored because it expected a kernel_text address.
But it may have failed simply because module->state has been changed
to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
non-exist module text address (use-after-free).
To fix this problem, we should not use separated `is_module_text_address()`
and `__module_text_address()`, but use only `__module_text_address()`
once and do `try_module_get(module)` which is only available with
MODULE_STATE_LIVE.
Link: https://lore.kernel.org/all/20240410015802.265220-1-zhengyejian1@huawei.com/
Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas")
Cc: stable@vger.kernel.org
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[Fix conflict due to lack dependency
commit 223a76b268c9 ("kprobes: Fix coding style issues")]
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b5808d40093403334d939e2c3c417144d12a6f33)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
39f0520cea |
tracing: hide unused ftrace_event_id_fops
[ Upstream commit 5281ec83454d70d98b71f1836fb16512566c01cd ]
When CONFIG_PERF_EVENTS, a 'make W=1' build produces a warning about the
unused ftrace_event_id_fops variable:
kernel/trace/trace_events.c:2155:37: error: 'ftrace_event_id_fops' defined but not used [-Werror=unused-const-variable=]
2155 | static const struct file_operations ftrace_event_id_fops = {
Hide this in the same #ifdef as the reference to it.
Link: https://lore.kernel.org/linux-trace-kernel/20240403080702.3509288-7-arnd@kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Zheng Yejian <zhengyejian1@huawei.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ajay Kaher <akaher@vmware.com>
Cc: Jinjie Ruan <ruanjinjie@huawei.com>
Cc: Clément Léger <cleger@rivosinc.com>
Cc: Dan Carpenter <dan.carpenter@linaro.org>
Cc: "Tzvetomir Stoyanov (VMware)" <tz.stoyanov@gmail.com>
Fixes:
|
||
|
|
d1bcca1f15 |
perf/core: Fix reentry problem in perf_output_read_group()
commit 6b959ba22d34ca793ffdb15b5715457c78e38b1a upstream.
perf_output_read_group may respond to IPI request of other cores and invoke
__perf_install_in_context function. As a result, hwc configuration is modified.
causing inconsistency and unexpected consequences.
Interrupts are not disabled when perf_output_read_group reads PMU counter.
In this case, IPI request may be received from other cores.
As a result, PMU configuration is modified and an error occurs when
reading PMU counter:
CPU0                                              CPU1
                                                  __se_sys_perf_event_open
                                                    perf_install_in_context
perf_output_read_group                                smp_call_function_single
  for_each_sibling_event(sub, leader) {                 generic_exec_single
    if ((sub != event) &&                                 remote_function
        (sub->state == PERF_EVENT_STATE_ACTIVE))                  |
<enter IPI handler: __perf_install_in_context>   <----RAISE IPI-----+
__perf_install_in_context
  ctx_resched
    event_sched_out
      armpmu_del
        ...
        hwc->idx = -1; // event->hwc.idx is set to -1
...
<exit IPI>
            sub->pmu->read(sub);
              armpmu_read
                armv8pmu_read_counter
                  armv8pmu_read_hw_counter
                    int idx = event->hw.idx; // idx = -1
                    u64 val = armv8pmu_read_evcntr(idx);
                      u32 counter = ARMV8_IDX_TO_COUNTER(idx); // invalid counter = 30
                      read_pmevcntrn(counter) // undefined instruction
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20220902082918.179248-1-yangjihong1@huawei.com
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit a2039c87d30177f0fd349ab000e6af25a0d48de8)
[Vegard: fix conflict in context due to missing commit
ece0857258cbaf20b9828157035999f46ca060c8 ("perf/core: Add a new read
format to get a number of lost samples").]
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
271b5f6285 |
printk: Update @console_may_schedule in console_trylock_spinning()
[ Upstream commit 8076972468584d4a21dab9aa50e388b3ea9ad8c7 ]
console_trylock_spinning() may takeover the console lock from a schedulable context. Update @console_may_schedule to make sure it reflects a trylock acquire.
Reported-by: Mukesh Ojha <quic_mojha@quicinc.com>
Closes: https://lore.kernel.org/lkml/20240222090538.23017-1-quic_mojha@quicinc.com
Fixes: dbdda842fe96 ("printk: Add console owner and waiter logic to load balance console writes")
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/875xybmo2z.fsf@jogness.linutronix.de
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 45f99d441067035dbb3f2a0d9713abe61ea721c5)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||
|
|
56a2eacb2e |
PM: suspend: Set mem_sleep_current during kernel command line setup
[ Upstream commit 9bc4ffd32ef8943f5c5a42c9637cfd04771d021b ]
psci_init_system_suspend() invokes suspend_set_ops() very early during
bootup even before kernel command line for mem_sleep_default is setup.
This leads to kernel command line mem_sleep_default=s2idle not working
as mem_sleep_current gets changed to deep via suspend_set_ops() and never
changes back to s2idle.
Set mem_sleep_current along with mem_sleep_default during kernel command
line setup as default suspend mode.
Fixes:
|
||
|
|
eff17aaaac |
scsi: zfcp: workqueue: set description for port work items with their WWPN as context
[ Upstream commit 5c750d58e9d78987e2bda6b65441e6f6b961a01e ] As a prerequisite, complement commit |
||
|
|
416820cdaf |
sched/rt: pick_next_rt_entity(): check list_entry
[ Upstream commit 7c4a5b89a0b5a57a64b601775b296abf77a9fe97 ] Commit |
||
|
|
c7eb664d0a |
bpf: Fix stackmap overflow check on 32-bit arches
[ Upstream commit 7a4b21250bf79eef26543d35bd390448646c536b ]
The stackmap code relies on roundup_pow_of_two() to compute the number
of hash buckets, and contains an overflow check by checking if the
resulting value is 0. However, on 32-bit arches, the roundup code itself
can overflow by doing a 32-bit left-shift of an unsigned long value,
which is undefined behaviour, so it is not guaranteed to truncate
neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
contains the same check, copied from the hashtab code.
The commit in the fixes tag actually attempted to fix this, but the fix
did not account for the UB, so the fix only works on CPUs where an
overflow does result in a neat truncation to zero, which is not
guaranteed. Checking the value before rounding does not have this
problem.
Fixes: 6183f4d3a0a2 ("bpf: Check for integer overflow when using roundup_pow_of_two()")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Bui Quang Minh <minhquangbui99@gmail.com>
Message-ID: <20240307120340.99577-4-toke@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d0e214acc59145ce25113f617311aa79dda39cb3)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
|