bka
205 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Michael Bestas
|
625042336d |
Merge remote-tracking branch 'common/android-4.9-q' into android-msm-pixel-4.9
* common/android-4.9-q: Linux 4.9.327 kprobes: don't call disarm_kprobe() for disabled kprobes mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y s390/hypfs: avoid error message under KVM arm64: map FDT as RW for early_init_dt_scan() ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead fbdev: fb_pm2fb: Avoid potential divide by zero error HID: hidraw: fix memory leak in hidraw_release() media: pvrusb2: fix memory leak in pvr_probe Bluetooth: L2CAP: Fix build errors in some archs kbuild: Fix include path in scripts/Makefile.modpost x86/bugs: Add "unknown" reporting for MMIO Stale Data x86/cpu: Add Tiger Lake to Intel family s390/mm: do not trigger write fault when vma does not allow VM_WRITE mm: Force TLB flush for PFNMAP mappings before unlink_file_vma() mm/hugetlb: fix hugetlb not supporting softdirty tracking asm-generic: sections: refactor memory_intersects loop: Check for overflow while configuring loop btrfs: check if root is readonly while setting security xattr ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter net: Fix a data-race around sysctl_somaxconn. net: Fix a data-race around sysctl_net_busy_read. net: Fix a data-race around sysctl_net_busy_poll. net: Fix a data-race around sysctl_tstamp_allow_data. ratelimit: Fix data-races in ___ratelimit(). netfilter: nft_payload: report ERANGE for too long offset and length bonding: 802.3ad: fix no transmission of LACPDUs rose: check NULL rose_loopback_neigh->loopback af_key: Do not call xfrm_probe_algs in parallel xfrm: fix refcount leak in __xfrm_policy_check() parisc: Fix exception handler for fldw and fstw instructions Linux 4.9.326 MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0 video: fbdev: i740fb: Check the argument of i740_calc_vclk() powerpc/64: Init jump labels before parse_early_param() ALSA: timer: Use deferred fasync helper ALSA: core: Add async signal helpers mips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start vfio: Clear the caps->buf to NULL after free tty: serial: Fix refcount leak bug in ucc_uart.c ext4: avoid resizing to a partial cluster size ext4: avoid remove directory when directory is corrupted drivers:md:fix a potential use-after-free bug cxl: Fix a memory leak in an error handling path gadgetfs: ep_io - wait until IRQ finishes usb: host: ohci-ppc-of: Fix refcount leak bug irqchip/tegra: Fix overflow implicit truncation warnings fec: Fix timer capture timing in `fec_ptp_enable_pps()` netfilter: nf_tables: really skip inactive sets when allocating name nios2: add force_successful_syscall_return() nios2: restarts apply only to the first sigframe we build... nios2: fix syscall restart checks nios2: traced syscall does need to check the syscall number nios2: don't leave NULLs in sys_call_table[] nios2: page fault et.al. are *not* restartable syscalls... atm: idt77252: fix use-after-free bugs caused by tst_timer xen/xenbus: fix return type in xenbus_file_read() vsock: Fix memory leak in vsock_connect() pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map SUNRPC: Reinitialise the backchannel request buffers before reuse NFSv4.1: RECLAIM_COMPLETE must handle EACCES can: ems_usb: fix clang's -Wunaligned-access warning btrfs: fix lost error handling when looking up extended ref on log replay ata: libata-eh: Add missing command name rds: add missing barrier to release_refill ALSA: info: Fix llseek return value when using callback net_sched: cls_route: disallow handle of 0 net/9p: Initialize the iounit field during fid creation nios2: time: Read timer in get_cycles only if initialized Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP" scsi: sg: Allow waiting for commands to complete on removed device tcp: fix over estimation in sk_forced_mem_schedule() btrfs: reject log replay if there is unsupported RO compat flag net_sched: cls_route: remove from list when handle is 0 dm raid: fix address sanitizer warning in raid_status ext4: correct max_inline_xattr_value_size computing ext4: fix extent status tree race in writeback error recovery path ext4: update s_overhead_clusters in the superblock during an on-line resize ext4: fix use-after-free in ext4_xattr_set_entry ext4: make sure ext4_append() always allocates new block ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h spmi: trace: fix stack-out-of-bound access in SPMI tracing functions x86/olpc: fix 'logical not is only applied to the left hand side' scsi: zfcp: Fix missing auto port scan and thus missing target ports netfilter: nf_tables: fix null deref due to zeroed list head USB: HCD: Fix URB giveback issue in tasklet function MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK powerpc/powernv: Avoid crashing if rng is NULL powerpc/fsl-pci: Fix Class Code of PCIe Root Port PCI: Add defines for normal and subtractive PCI bridges ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() md-raid10: fix KASAN warning fuse: limit nsec bpf: fix overflow in prog accounting drm/nouveau: fix another off-by-one in nvbios_addr parisc: Fix device names in /proc/iomem usbnet: Fix linkwatch use-after-free on disconnect vfs: Check the truncate maximum size in inode_newsize_ok() ALSA: hda/cirrus - support for iMac 12,1 model ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 add barriers to buffer_uptodate and set_buffer_uptodate ALSA: bcd2000: Fix a UAF bug on the error path of probing macintosh/adb: fix oob read in do_adb_query() function random: only call boot_init_stack_canary() once ACPI: video: Shortening quirk list by identifying Clevo by board_name only ACPI: video: Force backlight native for some TongFang devices init/main.c: extract early boot entropy from the passed cmdline init: move stack canary initialization after setup_arch init/main: properly align the multi-line comment init/main: Fix double "the" in comment include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling selinux: fix error initialization in inode_doinit_with_dentry() selinux: Convert isec->lock into a spinlock selinux: Clean up initialization of isec->sclass proc: Pass file mode to proc_pid_make_inode selinux: Minor cleanups ion: Make user_ion_handle_put_nolock() a void function mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle. ARM: crypto: comment out gcc warning that breaks clang builds netfilter: nf_queue: do not allow packet truncation below transport header offset net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() net: ping6: Fix memleak in ipv6_renew_options(). scsi: ufs: host: Hold reference returned by of_parse_phandle() ntfs: fix use-after-free in ntfs_ucsncmp() Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put FROMLIST: binder: fix UAF of ref->proc caused by race condition Conflicts: arch/arm64/kernel/setup.c drivers/staging/android/ion/ion-ioctl.c security/selinux/hooks.c security/selinux/include/objsec.h Change-Id: I8d163f09e42a8570109c6ea89015000a9f5dd279 |
||
|
Carlos Llamas
|
699e4947e3 |
FROMLIST: binder: fix UAF of ref->proc caused by race condition
A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed reference unhandled. The transaction then ends and the target proc gets released making the ref->proc now a dangling pointer. Later on, ref->node is closed and we attempt to take spin_lock(&ref->proc->inner_lock), which leads to the use-after-free bug reported below. Let's fix this by cleaning up the failed reference on the spot instead of relying on the target to do so. ================================================================== BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150 Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590 CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: dump_backtrace.part.0+0x1d0/0x1e0 show_stack+0x18/0x70 dump_stack_lvl+0x68/0x84 print_report+0x2e4/0x61c kasan_report+0xa4/0x110 kasan_check_range+0xfc/0x1a4 __kasan_check_write+0x3c/0x50 _raw_spin_lock+0xa8/0x150 binder_deferred_func+0x5e0/0x9b0 process_one_work+0x38c/0x5f0 worker_thread+0x9c/0x694 kthread+0x188/0x190 ret_from_fork+0x10/0x20 Signed-off-by: Carlos Llamas <cmllamas@google.com> Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org> Bug: 239630375 Link: https://lore.kernel.org/all/20220801182511.3371447-1-cmllamas@google.com/ Signed-off-by: Carlos Llamas <cmllamas@google.com> Change-Id: I5085dd0dc805a780a64c057e5819f82dd8f02868 (cherry picked from commit ae3fa5d16a02ba7c7b170e0e1ab56d6f0ba33964) |
||
|
Michael Bestas
|
43cdebbc57 |
Merge remote-tracking branch 'common/android-4.9-q' into android-msm-pixel-4.9
* common/android-4.9-q:
Linux 4.9.312
block/compat_ioctl: fix range check in BLKGETSIZE
ext4: force overhead calculation if the s_overhead_cluster makes no sense
ext4: fix overhead calculation to account for the reserved gdt blocks
ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
ARC: entry: fix syscall_trace_exit argument
e1000e: Fix possible overflow in LTR decoding
ASoC: soc-dapm: fix two incorrect uses of list iterator
openvswitch: fix OOB access in reserve_sfa_size()
dma: at_xdmac: fix a missing check on list iterator
ata: pata_marvell: Check the 'bmdma_addr' beforing reading
drm/msm/mdp5: check the return of kzalloc()
brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant
cifs: Check the IOCB_DIRECT flag, not O_DIRECT
vxlan: fix error return code in vxlan_fdb_append
ALSA: usb-audio: Fix undefined behavior due to shift overflowing the constant
platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative
ARM: vexpress/spc: Avoid negative array index when !SMP
netlink: reset network and mac headers in netlink_dump()
net/packet: fix packet_sock xmit return value checking
dmaengine: imx-sdma: Fix error checking in sdma_event_remap
ALSA: usb-audio: Clear MIDI port active flag after draining
gfs2: assign rgrp glock before compute_bitstructs
mm: page_alloc: fix building error on -Werror=array-compare
etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead
Linux 4.9.311
gcc-plugins: latent_entropy: use /dev/urandom
i2c: pasemi: Wait for write xfers to finish
smp: Fix offline cpu check in flush_smp_call_function_queue()
ARM: davinci: da850-evm: Avoid NULL pointer dereference
ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
mm, page_alloc: fix build_zonerefs_node()
drivers: net: slip: fix NPD bug in sl_tx_timeout()
scsi: mvsas: Add PCI ID of RocketRaid 2640
gpu: ipu-v3: Fix dev_dbg frequency output
net: micrel: fix KS8851_MLL Kconfig
scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
drm/amdkfd: Check for potential null return of kmalloc_array()
cifs: potential buffer overflow in handling symlinks
nfc: nci: add flush_workqueue to prevent uaf
net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
veth: Ensure eth header is in skb's linear part
xfrm: policy: match with both mark and mask on user interfaces
arm64: module: remove (NOLOAD) from linker script
mm: don't skip swap entry even if zap_details specified
dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on error"
tools build: Use $(shell ) instead of `` to get embedded libperl's ccopts
arm64: patch_text: Fixup last cpu should be master
x86/speculation: Restore speculation related MSRs during S3 resume
x86/pm: Save the MSR validity status at context setup
mm/mempolicy: fix mpol_new leak in shared_policy_replace
mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0)
drbd: Fix five use after free bugs in get_initial_state
drm/imx: Fix memory leak in imx_pd_connector_get_modes
net: stmmac: Fix unset max_speed difference between DT and non-DT platforms
scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()
mm: fix race between MADV_FREE reclaim and blkdev direct IO read
jfs: prevent NULL deref in diFree
virtio_console: eliminate anonymous module_init & module_exit
serial: samsung_tty: do not unlock port->lock for uart_write_wakeup()
SUNRPC/call_alloc: async tasks mustn't block waiting for memory
w1: w1_therm: fixes w1_seq for ds28ea00 sensors
init/main.c: return 1 from handled __setup() functions
Bluetooth: Fix use after free in hci_send_acl
xtensa: fix DTC warning unit_address_format
usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm
scsi: libfc: Fix use after free in fc_exch_abts_resp()
MIPS: fix fortify panic when copying asm exception handlers
bnxt_en: Eliminate unintended link toggle during FW reset
scsi: aha152x: Fix aha152x_setup() __setup handler return value
scsi: pm8001: Fix pm8001_mpi_task_abort_resp()
dm ioctl: prevent potential spectre v1 gadget
iommu/arm-smmu-v3: fix event handling soft lockup
scsi: bfa: Replace snprintf() with sysfs_emit()
scsi: mvsas: Replace snprintf() with sysfs_emit()
powerpc: dts: t104xrdb: fix phy type for FMAN 4/5
ptp: replace snprintf with sysfs_emit
ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
KVM: x86/svm: Clear reserved bits written to PerfEvtSeln MSRs
ARM: 9187/1: JIVE: fix return value of __setup handler
rtc: wm8350: Handle error for wm8350_register_irq
KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated
openvswitch: Fixed nd target mask field in the flow dump.
ARM: dts: spear13xx: Update SPI dma properties
ARM: dts: spear1340: Update serial node properties
ASoC: topology: Allow TLV control to be either read or write
ubi: fastmap: Return error code if memory allocation fails in add_aeb()
mm/memcontrol: return 1 from cgroup.memory __setup() handler
mm/mmap: return 1 from stack_guard_gap __setup() handler
ACPI: CPPC: Avoid out of bounds access when parsing _CPC data
pinctrl: pinconf-generic: Print arguments for bias-pull-*
gfs2: Make sure FITRIM minlen is rounded up to fs block size
ubifs: setflags: Make dirtied_ino_d 8 bytes aligned
ubifs: Add missing iput if do_tmpfile() failed in rename whiteout
KVM: Prevent module exit until all VMs are freed
scsi: qla2xxx: Fix incorrect reporting of task management failure
mmc: host: Return an error when ->enable_sdio_irq() ops is missing
media: hdpvr: initialize dev->worker at hdpvr_register_videodev
video: fbdev: sm712fb: Fix crash in smtcfb_write()
ARM: mmp: Fix failure to remove sram device
ARM: tegra: tamonten: Fix I2C3 pad setting
media: cx88-mpeg: clear interrupt status register before streaming video
ASoC: soc-core: skip zero num_dai component in searching dai name
video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()
video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()
ARM: dts: bcm2837: Add the missing L1/L2 cache information
ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960
video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit
video: fbdev: cirrusfb: check pixclock to avoid divide by zero
video: fbdev: w100fb: Reset global state
video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
ntfs: add sanity check on allocation size
ext4: don't BUG if someone dirty pages without asking ext4 first
spi: tegra20: Use of_device_get_match_data()
PM: core: keep irq flags in device_pm_check_callbacks()
ACPI/APEI: Limit printable size of BERT table data
ACPICA: Avoid walking the ACPI Namespace if it is not there
irqchip/nvic: Release nvic_base upon failure
Fix incorrect type in assignment of ipv6 port for audit
loop: use sysfs_emit() in the sysfs xxx show()
selinux: use correct type for context length
net/x25: Fix null-ptr-deref caused by x25_disconnect
qlcnic: dcb: default to returning -EOPNOTSUPP
net: phy: broadcom: Fix brcm_fet_config_init()
netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options
jfs: fix divide error in dbNextAG
kgdbts: fix return value of __setup handler
kgdboc: fix return value of __setup handler
tty: hvc: fix return value of __setup handler
pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe
pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe
pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init
NFS: remove unneeded check in decode_devicenotify_args()
clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver
clk: clps711x: Terminate clk_div_table with sentinel element
clk: loongson1: Terminate clk_div_table with sentinel element
remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region
clk: qcom: clk-rcg2: Update the frac table for pixel clock
iio: adc: Add check for devm_request_threaded_irq
pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add()
mxser: fix xmit_buf leak in activate when LSR == 0xff
mfd: asic3: Add missing iounmap() on error asic3_mfd_probe
i2c: mux: demux-pinctrl: do not deactivate a master that is not active
af_netlink: Fix shift out of bounds in group mask calculation
USB: storage: ums-realtek: fix error code in rts51x_read_mem()
MIPS: RB532: fix return value of __setup handler
mfd: mc13xxx: Add check for mc13xxx_irq_request
powerpc/sysdev: fix incorrect use to determine if list is empty
power: supply: wm8350-power: Add missing free in free_charger_irq
power: supply: wm8350-power: Handle error for wm8350_register_irq
i2c: xiic: Make bus names unique
KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor()
KVM: x86: Fix emulation in writing cr8
drm/tegra: Fix reference leak in tegra_dsi_ganged_probe
ext2: correct max file size computing
TOMOYO: fix __setup handlers return values
scsi: pm8001: Fix abort all task initialization
scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config()
scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req()
scsi: pm8001: Fix command initialization in pm80XX_send_read_log()
iwlwifi: Fix -EIO error code that is never returned
HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports
power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init
ray_cs: Check ioremap return value
ath9k_htc: fix uninit value bugs
drm/edid: Don't clear formats if using deep color
mtd: onenand: Check for error irq
ASoC: imx-es8328: Fix error return code in imx_es8328_probe()
ASoC: mxs: Fix error handling in mxs_sgtl5000_probe
ASoC: dmaengine: do not use a NULL prepare_slave_config() callback
video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of
ASoC: fsi: Add check for clk_enable
ASoC: wm8350: Handle error for wm8350_register_irq
ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe
ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
memory: emif: check the pointer temp in get_device_details()
memory: emif: Add check for setup_interrupts
ASoC: atmel_ssc_dai: Handle errors for clk_enable
ASoC: mxs-saif: Handle errors for clk_enable
printk: fix return value of printk.devkmsg __setup handler
arm64: dts: broadcom: Fix sata nodename
arm64: dts: ns2: Fix spi-cpol and spi-cpha property
ALSA: spi: Add check for clk_enable()
ASoC: ti: davinci-i2s: Add check for clk_enable()
media: usb: go7007: s2250-board: fix leak in probe()
soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe
ARM: dts: qcom: ipq4019: fix sleep clock
video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name()
video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
perf/x86/intel/pt: Fix address filter config for 32-bit kernel
perf/core: Fix address filter parser for multiple filters
sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa
clocksource: acpi_pm: fix return value of __setup handler
hwmon: (pmbus) Add Vin unit off handling
crypto: ccp - ccp_dmaengine_unregister release dma channels
crypto: vmx - add missing dependencies
PM: suspend: fix return value of __setup handler
PM: hibernate: fix __setup handler error handling
hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING
hwmon: (pmbus) Add mutex to regulator ops
selftests/x86: Add validity check and allow field splitting
spi: tegra114: Add missing IRQ check in tegra_spi_probe
crypto: mxs-dcp - Fix scatterlist processing
crypto: authenc - Fix sleep in atomic context in decrypt_tail
PCI: pciehp: Clear cmd_busy bit in polling mode
brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio
brcmfmac: firmware: Allocate space for default boardrev in nvram
media: davinci: vpif: fix unbalanced runtime PM get
DEC: Limit PMAX memory probing to R3k systems
lib/raid6/test: fix multiple definition linking error
thermal: int340x: Increase bitmap size
carl9170: fix missing bit-wise or operator for tx_params
ARM: dts: exynos: add missing HDMI supplies on SMDK5420
ARM: dts: exynos: add missing HDMI supplies on SMDK5250
ARM: dts: exynos: fix UART3 pins configuration in Exynos5250
video: fbdev: atari: Atari 2 bpp (STe) palette bugfix
video: fbdev: sm712fb: Fix crash in smtcfb_read()
drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()
ALSA: cs4236: fix an incorrect NULL check on list iterator
Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"
scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
mempolicy: mbind_range() set_policy() after vma_merge()
mm/pages_alloc.c: don't create ZONE_MOVABLE beyond the end of a node
jffs2: fix memory leak in jffs2_scan_medium
jffs2: fix memory leak in jffs2_do_mount_fs
jffs2: fix use-after-free in jffs2_clear_xattr_subsystem
can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path
NFSD: prevent underflow in nfssvc_decode_writeargs()
SUNRPC: avoid race between mod_timer() and del_timer_sync()
ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
clk: uniphier: Fix fixed-rate initialization
iio: inkern: make a best effort on offset calculation
iio: inkern: apply consumer scale on IIO_VAL_INT cases
coresight: Fix TRCCONFIGR.QE sysfs interface
USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
virtio-blk: Use blk_validate_block_size() to validate block size
block: Add a helper to validate the block size
af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
ethernet: sun: Free the coherent when failing in probing
virtio_console: break out of buf poll on remove
netdevice: add the case if dev is NULL
USB: serial: simple: add Nokia phone driver
USB: serial: pl2303: add IBM device IDs
Linux 4.9.310
arm64: Use the clearbhb instruction in mitigations
arm64: add ID_AA64ISAR2_EL1 sys register
KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated
arm64: Mitigate spectre style branch history side channels
KVM: arm64: Add templates for BHB mitigation sequences
arm64: Add percpu vectors for EL1
arm64: entry: Add macro for reading symbol addresses from the trampoline
arm64: entry: Add vectors that have the bhb mitigation sequences
arm64: Move arm64_update_smccc_conduit() out of SSBD ifdef
arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations
arm64: entry: Allow the trampoline text to occupy multiple pages
arm64: entry: Make the kpti trampoline's kpti sequence optional
arm64: entry: Move trampoline macros out of ifdef'd section
arm64: entry: Don't assume tramp_vectors is the start of the vectors
arm64: entry: Allow tramp_alias to access symbols after the 4K boundary
arm64: entry: Move the trampoline data page before the text page
arm64: entry: Free up another register on kpti's tramp_exit path
arm64: entry: Make the trampoline cleanup optional
arm64: entry.S: Add ventry overflow sanity checks
arm64: Add helper to decode register from instruction
arm64: Add Cortex-X2 CPU part definition
arm64: Add Neoverse-N2, Cortex-A710 CPU part definition
arm64: Add part number for Arm Cortex-A77
arm64: Add part number for Neoverse N1
arm64: Make ARM64_ERRATUM_1188873 depend on COMPAT
arm64: Add silicon-errata.txt entry for ARM erratum 1188873
arm64: arch_timer: avoid unused function warning
arm64: arch_timer: Add workaround for ARM erratum 1188873
arm64: arch_timer: Add erratum handler for CPU-specific capability
arm64: arch_timer: Add infrastructure for multiple erratum detection methods
clocksource/drivers/arm_arch_timer: Introduce generic errata handling infrastructure
clocksource/drivers/arm_arch_timer: Remove fsl-a008585 parameter
arm64: capabilities: Add support for checks based on a list of MIDRs
arm64: Add helpers for checking CPU MIDR against a range
arm64: capabilities: Clean up midr range helpers
arm64: capabilities: Add flags to handle the conflicts on late CPU
arm64: capabilities: Prepare for fine grained capabilities
arm64: capabilities: Move errata processing code
arm64: capabilities: Move errata work around check on boot CPU
arm64: capabilities: Update prototype for enable call back
arm64: Add MIDR encoding for Arm Cortex-A55 and Cortex-A35
arm64: Remove useless UAO IPI and describe how this gets enabled
arm64: errata: Provide macro for major and minor cpu revisions
Linux 4.9.309
llc: only change llc->dev when bind() succeeds
mac80211: fix potential double free on mesh join
crypto: qat - disable registration of algorithms
ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU
ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3
ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board
netfilter: nf_tables: initialize registers in nft_do_chain()
ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec
ALSA: cmipci: Restore aux vol on suspend/resume
ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB
ALSA: pcm: Add stream lock during PCM reset ioctl operations
llc: fix netdevice reference leaks in llc_ui_bind()
staging: fbtft: fb_st7789v: reset display before initialization
net: ipv6: fix skb_over_panic in __ip6_append_data
nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
Linux 4.9.308
Input: aiptek - properly check endpoint type
usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
usb: gadget: rndis: prevent integer overflow in rndis_set_response()
atm: eni: Add check for dma_map_single
net/packet: fix slab-out-of-bounds access in packet_recvmsg()
fs: sysfs_emit: Remove PAGE_SIZE alignment check
kselftest/vm: fix tests build with old libc
sfc: extend the locking on mcdi->seqno
tcp: make tcp_read_sock() more robust
nl80211: Update bss channel on channel switch for P2P_CLIENT
atm: firestream: check the return value of ioremap() in fs_init()
can: rcar_canfd: rcar_canfd_channel_probe(): register the CAN device when fully ready
ARM: 9178/1: fix unmet dependency on BITREVERSE for HAVE_ARCH_BITREVERSE
MIPS: smp: fill in sibling and core maps earlier
ARM: dts: rockchip: fix a typo on rk3288 crypto-controller
xfrm: Fix xfrm migrate issues when address family changes
Linux 4.9.307
btrfs: unlock newly allocated extent buffer after error
ARM: fix Thumb2 regression with Spectre BHB
batman-adv: Don't expect inter-netns unique iflink indices
batman-adv: Request iflink once in batadv-on-batadv check
staging: gdm724x: fix use after free in gdm_lte_rx()
ARM: Spectre-BHB: provide empty stub for non-config
selftests/memfd: clean up mapping in mfd_fail_write
tracing: Ensure trace buffer is at least 4096 bytes large
Revert "xen-netback: Check for hotplug-status existence before watching"
net-sysfs: add check for netdevice being present to speed_show
sctp: fix kernel-infoleak for SCTP sockets
gpio: ts4900: Do not set DAT and OE together
NFC: port100: fix use-after-free in port100_send_complete
net/mlx5: Fix size field in bufferx_reg struct
ax25: Fix NULL pointer dereference in ax25_kill_by_device
net: ethernet: lpc_eth: Handle error for clk_enable
ethernet: Fix error handling in xemaclite_of_probe
qed: return status of qed_iov_get_link
net: qlogic: check the return value of dma_alloc_coherent() in qed_vf_hw_prepare()
Linux 4.9.306
xen/netfront: react properly to failing gnttab_end_foreign_access_ref()
xen/gnttab: fix gnttab_end_foreign_access() without page specified
xen: remove gnttab_query_foreign_access()
xen/gntalloc: don't use gnttab_query_foreign_access()
xen/scsifront: don't use gnttab_query_foreign_access() for mapped status
xen/netfront: don't use gnttab_query_foreign_access() for mapped status
xen/blkfront: don't use gnttab_query_foreign_access() for mapped status
xen/grant-table: add gnttab_try_end_foreign_access()
xen/xenbus: don't let xenbus_grant_ring() remove grants in error case
ARM: fix build warning in proc-v7-bugs.c
x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE
x86/build: Fix compiler support check for CONFIG_RETPOLINE
ARM: Do not use NOCROSSREFS directive with ld.lld
ARM: fix co-processor register typo
ARM: fix build error when BPF_SYSCALL is disabled
ARM: include unprivileged BPF status in Spectre V2 reporting
ARM: Spectre-BHB workaround
ARM: use LOADADDR() to get load address of sections
ARM: early traps initialisation
ARM: report Spectre v2 status through sysfs
arm/arm64: smccc/psci: add arm_smccc_1_1_get_conduit()
arm/arm64: Provide a wrapper for SMCCC 1.1 calls
x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT
x86/speculation: Warn about Spectre v2 LFENCE mitigation
x86/speculation: Update link to AMD speculation whitepaper
x86/speculation: Use generic retpoline by default on AMD
x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting
Documentation/hw-vuln: Update spectre doc
x86/speculation: Add eIBRS + Retpoline options
x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
x86/speculation: Merge one test in spectre_v2_user_select_mitigation()
Documentation: refer to config RANDOMIZE_BASE for kernel address-space randomization
Documentation: Add swapgs description to the Spectre v1 documentation
Documentation: Add section about CPU vulnerabilities for Spectre
x86/retpoline: Remove minimal retpoline support
x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support
x86/speculation: Add RETPOLINE_AMD support to the inline asm CALL_NOSPEC variant
Linux 4.9.305
hamradio: fix macro redefine warning
net: dcb: disable softirqs in dcbnl_flush_dev()
memfd: fix F_SEAL_WRITE after shmem huge page allocated
HID: add mapping for KEY_ALL_APPLICATIONS
Input: elan_i2c - fix regulator enable count imbalance after suspend/resume
Input: elan_i2c - move regulator_[en|dis]able() out of elan_[en|dis]able_power()
net: chelsio: cxgb3: check the return value of pci_find_capability()
soc: fsl: qe: Check of ioremap return value
ARM: 9182/1: mmu: fix returns from early_param() and __setup() functions
can: gs_usb: change active_channels's type from atomic_t to u8
efivars: Respect "block" flag in efivar_entry_set_safe()
net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()
net: sxgbe: fix return value of __setup handler
net: stmmac: fix return value of __setup handler
mac80211: fix forwarded mesh frames AC & queue selection
firmware: qemu_fw_cfg: fix kobject leak in probe error path
firmware: Fix a reference count leak.
net: dcb: flush lingering app table entries for unregistered devices
netfilter: nf_queue: fix possible use-after-free
netfilter: nf_queue: don't assume sk is full socket
xfrm: fix MTU regression
ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min
ata: pata_hpt37x: fix PCI clock detection
usb: gadget: clear related members when goto fail
usb: gadget: don't release an existing dev->buf
net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990
i2c: qup: allow COMPILE_TEST
dmaengine: shdma: Fix runtime PM imbalance on error
cifs: fix double free race when mount fails in cifs_get_root()
Input: clear BTN_RIGHT/MIDDLE on buttonpads
i2c: bcm2835: Avoid clock stretching timeouts
mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work
mac80211_hwsim: report NOACK frames in tx_status
Linux 4.9.304
fget: clarify and improve __fget_files() implementation
memblock: use kfree() to release kmalloced memblock regions
tty: n_gsm: fix proper link termination after failed open
tty: n_gsm: fix encoding of control signal octet bit DV
xhci: Prevent futile URB re-submissions due to incorrect return value.
usb: dwc3: gadget: Let the interrupt handler disable bottom halves.
USB: serial: option: add Telit LE910R1 compositions
USB: serial: option: add support for DW5829e
tracefs: Set the group ownership in apply_options() not parse_options()
USB: gadget: validate endpoint index for xilinx udc
usb: gadget: rndis: add spinlock for rndis response list
Revert "USB: serial: ch341: add new Product ID for CH341A"
ata: pata_hpt37x: disable primary channel on HPT371
iio: adc: men_z188_adc: Fix a resource leak in an error handling path
RDMA/ib_srp: Fix a deadlock
configfs: fix a race in configfs_{,un}register_subsystem()
net/mlx5e: Fix wrong return value on ioctl EEPROM query failure
drm/edid: Always set RGB444
openvswitch: Fix setting ipv6 fields causing hw csum failure
gso: do not skip outer ip header in case of ipip and net_failover
net: __pskb_pull_tail() & pskb_carve_frag_list() drop_monitor friends
serial: 8250: of: Fix mapped region size when using reg-offset property
serial: 8250: fix error handling in of_platform_serial_probe()
USB: zaurus: support another broken Zaurus
sr9700: sanity check for packet length
parisc/unaligned: Fix ldw() and stw() unalignment handlers
parisc/unaligned: Fix fldd and fstd unaligned handlers on 32-bit kernel
vhost/vsock: don't check owner in vhost_vsock_stop() while releasing
mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status
Linux 4.9.303
net: usb: qmi_wwan: Add support for Dell DW5829e
tracing: Fix tp_printk option related with tp_printk_stop_on_boot
ata: libata-core: Disable TRIM on M88V29
NFS: Do not report writeback errors in nfs_getattr()
KVM: x86/pmu: Use AMD64_RAW_EVENT_MASK for PERF_TYPE_RAW
lib/iov_iter: initialize "flags" in new pipe_buffer
i2c: brcmstb: fix support for DSL and CM variants
EDAC: Fix calculation of returned address and next offset in edac_align_ptr()
NFS: LOOKUP_DIRECTORY is also ok with symlinks
ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw_range()
ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw()
ALSA: hda: Fix missing codec probe on Shenker Dock 15
ALSA: hda: Fix regression on forced probe mask option
libsubcmd: Fix use-after-free for realloc(..., 0)
drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit
iwlwifi: pcie: fix locking when "HW not ready"
vsock: remove vsock from connected table when connect is interrupted by a signal
vsock: correct removal of socket from the list
taskstats: Cleanup the use of task->exit_code
xfrm: Don't accidentally set RTO_ONLINK in decode_session4()
drm/radeon: Fix backlight control on iMac 12,1
quota: make dquot_quota_sync return errors from ->sync_fs
vfs: make freeze_super abort when sync_filesystem returns error
ax25: improve the incomplete fix to avoid UAF and NPD bugs
selftests/zram: Adapt the situation that /dev/zram0 is being used
selftests/zram01.sh: Fix compression ratio calculation
selftests/zram: Skip max_comp_streams interface on newer kernel
net: ieee802154: at86rf230: Stop leaking skb's
btrfs: send: in case of IO error log it
parisc: Fix sglist access in ccio-dma.c
parisc: Fix data TLB miss in sba_unmap_sg
serial: parisc: GSC: fix build when IOSAPIC is not set
net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
Makefile.extrawarn: Move -Wunaligned-access to W=1
UPSTREAM: net: fix skb_panic to output real address
UPSTREAM: xfrm: Make function xfrmi_get_link_net() static
UPSTREAM: xfrm: fix gro_cells leak when remove virtual xfrm interfaces
UPSTREAM: xfrm interface: fix memory leak on creation
UPSTREAM: xfrm: clone XFRMA_SET_MARK in xfrm_do_migrate
UPSTREAM: xfrm/compat: Translate by copying XFRMA_UNSPEC attribute
UPSTREAM: xfrm/compat: memset(0) 64-bit padding at right place
UPSTREAM: xfrm/compat: Don't allocate memory with __GFP_ZERO
UPSTREAM: xfrm/compat: Cleanup WARN()s that can be user-triggered
UPSTREAM: net: xfrm: fix memory leak in xfrm_user_rcv_msg
UPSTREAM: arm64/vdso: don't leak kernel addresses
UPSTREAM: tracing: make PREEMPTIRQ_EVENTS depend on TRACING
UPSTREAM: trace_uprobe: Use %lx to display offset
UPSTREAM: kprobes: Fix random address output of blacklist file
UPSTREAM: mm/huge_memory.c: __split_huge_page() use atomic ClearPageDirty()
UPSTREAM: x86/realmode: Don't leak the trampoline kernel address
UPSTREAM: bpf: bpf_prog_array_alloc() should return a generic non-rcu pointer
UPSTREAM: bpf: fix rcu annotations in compute_effective_progs()
UPSTREAM: optee: add writeback to valid memory type
UPSTREAM: lib/test_printf.c: accept "ptrval" as valid result for plain 'p' tests
UPSTREAM: kdb: use correct pointer when 'btc' calls 'btt'
UPSTREAM: kdb: print real address of pointers instead of hashed addresses
UPSTREAM: powerpc/traps: Fix the message printed when stack overflows
UPSTREAM: f2fs: should use GFP_NOFS for directory inodes
UPSTREAM: zram: off by one in read_block_state()
UPSTREAM: tee: fix put order in teedev_close_context()
UPSTREAM: vsprintf: Replace memory barrier with static_key for random_ptr_key update
UPSTREAM: ARM: 8896/1: VDSO: Don't leak kernel addresses
UPSTREAM: parisc: Show unhashed hardware inventory
UPSTREAM: parisc: Show initial kernel memory layout unhashed
UPSTREAM: parisc: Show unhashed HPA of Dino chip
UPSTREAM: parisc: Show unhashed EISA EEPROM address
UPSTREAM: HID: input: throttle battery uevents
UPSTREAM: HID: steam: select CONFIG_POWER_SUPPLY
UPSTREAM: HID: sony: Fix for broken buttons on DS3 USB dongles
UPSTREAM: HID: input: do not report stylus battery state as "full"
Linux 4.9.302
HID: wacom: add USB_HID dependency
hwmon: (dell-smm) Speed up setting of fan speed
USB: serial: cp210x: add CPI Bulk Coin Recycler id
USB: serial: cp210x: add NCR Retail IO box id
USB: serial: ch341: add support for GW Instek USB2.0-Serial devices
USB: serial: option: add ZTE MF286D modem
USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320
usb: gadget: rndis: check size of RNDIS_MSG_SET command
USB: gadget: validate interface OS descriptor requests
usb: dwc3: gadget: Prevent core from processing stale TRBs
n_tty: wake up poll(POLLRDNORM) on receiving data
bpf: Add kconfig knob for disabling unpriv bpf by default
vt_ioctl: add array_index_nospec to VT_ACTIVATE
vt_ioctl: fix array_index_nospec in vt_setactivate
tipc: rate limit warning for received illegal binding update
net: fix a memleak when uncloning an skb dst and its metadata
net: do not keep the dst cache when uncloning an skb dst and its metadata
ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path
bonding: pair enable_port with slave_arr_updates
ARM: dts: imx6qdl-udoo: Properly describe the SD card detect
staging: fbtft: Fix error path in fbtft_driver_module_init()
ARM: dts: imx23-evk: Remove MX23_PAD_SSP1_DETECT from hog group
usb: dwc2: gadget: don't try to disable ep0 in dwc2_hsotg_suspend
scsi: target: iscsi: Make sure the np under each tpg is unique
NFSv4 remove zero number of fs_locations entries error check
nfs: nfs4clinet: check the return value of kstrdup()
NFSv4 only print the label when its queried
Revert "net: axienet: Wait for PhyRstCmplt after core reset"
ALSA: line6: Fix misplaced backport of "Fix wrong altsetting for LINE6_PODHD500_1"
serial: sh-sci: Fix misplaced backport of "Fix late enablement of AUTORTS"
Input: i8042 - Fix misplaced backport of "add ASUS Zenbook Flip to noselftest list"
NFSD: Clamp WRITE offsets
NFS: Fix initialisation of nfs_client cl_flags field
ima: Remove ima_policy file before directory
integrity: check the return value of audit_log_start()
Revert "tracefs: Have tracefs directories not set OTH permission bits by default"
Linux 4.9.301
tipc: improve size validations for received domain records
moxart: fix potential use-after-free on remove path
cgroup-v1: Require capabilities to set release_agent
Linux 4.9.300
ext4: fix error handling in ext4_restore_inline_data()
EDAC/xgene: Fix deferred probing
EDAC/altera: Fix deferred probing
rtc: cmos: Evaluate century appropriate
nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client.
scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe
ASoC: fsl: Add missing error handling in pcm030_fabric_probe
net: macsec: Verify that send_sci is on when setting Tx sci explicitly
net: ieee802154: Return meaningful error codes from the netlink helpers
spi: mediatek: Avoid NULL pointer crash in interrupt
spi: bcm-qspi: check for valid cs before applying chip select
iommu/amd: Fix loop timeout issue in iommu_ga_log_enable()
drm/nouveau: fix off by one in BIOS boundary checking
ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx()
ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx()
ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()
af_packet: fix data-race in packet_setsockopt / packet_setsockopt
rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink()
net: amd-xgbe: Fix skb data length underflow
net: amd-xgbe: ensure to reset the tx_timer_active flag
ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback
netfilter: nat: limit port clash resolution attempts
netfilter: nat: remove l4 protocol port rovers
ipv4: tcp: send zero IPID in SYNACK messages
ipv4: raw: lock the socket in raw_bind()
hwmon: (lm90) Reduce maximum conversion rate for G781
drm/msm: Fix wrong size calculation
net-procfs: show net devices bound packet types
NFSv4: nfs_atomic_open() can race when looking up a non-regular file
NFSv4: Handle case where the lookup of a directory fails
ipv4: avoid using shared IP generator for connected sockets
net: fix information leakage in /proc/net/ptype
ipv6_tunnel: Rate limit warning messages
scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()
powerpc/32: Fix boot failure with GCC latent entropy plugin
USB: core: Fix hang in usb_kill_urb by adding memory barriers
usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS
usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge
tty: Add support for Brainboxes UC cards.
tty: n_gsm: fix SW flow control encoding/handling
serial: stm32: fix software flow control transfer
PM: wakeup: simplify the output logic of pm_show_wakelocks()
udf: Fix NULL ptr deref when converting from inline format
udf: Restore i_lenAlloc when inode expansion fails
scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices
s390/hypfs: include z/VM guests with access control group set
Bluetooth: refactor malicious adv data check
can: bcm: fix UAF of bcm op
BACKPORT: ipv6: Implement draft-ietf-6man-rfc4941bis
Linux 4.9.299
ion: Do not 'put' ION handle until after its final use
ion: Protect kref from userspace manipulation
ion: Fix use after free during ION_IOC_ALLOC
ARM: 8800/1: use choice for kernel unwinders
KVM: X86: MMU: Use the correct inherited permissions to get shadow page
KVM: nVMX: fix EPT permissions as reported in exit qualification
NFSv4: Initialise connection to the server in nfs4_alloc_client()
media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
drm/i915: Flush TLBs before releasing backing store
Linux 4.9.298
KVM: do not allow mapping valid but non-reference-counted pages
KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped()
KVM: do not assume PTE is writable after follow_pfn
mm: add follow_pte_pmd()
lib/timerqueue: Rely on rbtree semantics for next timer
rbtree: cache leftmost node internally
cipso,calipso: resolve a number of problems with the DOI refcounts
gianfar: fix jumbo packets+napi+rx overrun crash
gianfar: simplify FCS handling and fix memory leak
drm/ttm/nouveau: don't call tt destroy callback on alloc failure.
gup: document and work around "COW can break either way" issue
Revert "gup: document and work around "COW can break either way" issue"
lib82596: Fix IRQ check in sni_82596_probe
scripts/dtc: dtx_diff: remove broken example from help text
bcmgenet: add WOL IRQ check
net_sched: restore "mpu xxx" handling
dmaengine: at_xdmac: Fix at_xdmac_lld struct definition
dmaengine: at_xdmac: Fix lld view setting
dmaengine: at_xdmac: Print debug message after realeasing the lock
dmaengine: at_xdmac: Don't start transactions at tx_submit level
libcxgb: Don't accidentally set RTO_ONLINK in cxgb_find_route()
netns: add schedule point in ops_exit_list()
net: axienet: fix number of TX ring slots for available check
net: axienet: Wait for PhyRstCmplt after core reset
af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries
net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module
powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses
RDMA/rxe: Fix a typo in opcode name
RDMA/hns: Modify the mapping attribute of doorbell to device
drm/radeon: fix error handling in radeon_driver_open_kms
fuse: fix live lock in fuse_iget()
fuse: fix bad inode
ext4: don't use the orphan list when migrating an inode
ext4: Fix BUG_ON in ext4_bread when write quota data
ext4: set csum seed in tmp inode while migrating to extents
iwlwifi: mvm: Increase the scan timeout guard to 30 seconds
ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers
power: bq25890: Enable continuous conversion for ADC at charging
ASoC: mediatek: mt8173: fix device_node leak
scsi: sr: Don't use GFP_DMA
MIPS: Octeon: Fix build errors using clang
i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters
ALSA: seq: Set upper limit of processed events
w1: Misuse of get_user()/put_user() reported by sparse
i2c: mpc: Correct I2C reset procedure
powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING
i2c: i801: Don't silently correct invalid transfer size
powerpc/btext: add missing of_node_put
powerpc/cell: add missing of_node_put
powerpc/powernv: add missing of_node_put
powerpc/6xx: add missing of_node_put
parisc: Avoid calling faulthandler_disabled() twice
serial: core: Keep mctrl register state and cached copy in sync
serial: pl010: Drop CR register reset on set_termios
dm space map common: add bounds check to sm_ll_lookup_bitmap()
dm btree: add a defensive bounds check to insert_at()
net: mdio: Demote probed message to debug print
btrfs: remove BUG_ON(!eie) in find_parent_nodes
btrfs: remove BUG_ON() in find_parent_nodes()
ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()
ACPICA: Utilities: Avoid deleting the same object twice in a row
jffs2: GC deadlock reading a page that is used in jffs2_write_begin()
um: registers: Rename function names to avoid conflicts and build problems
ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream
usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0
media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
media: igorplugusb: receiver overflow should be reported
net: bonding: debug: avoid printing debug logs when bond is not notifying peers
ath10k: Fix tx hanging
iwlwifi: mvm: synchronize with FW after multicast commands
media: m920x: don't use stack on USB reads
media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
floppy: Add max size check for user space request
mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
HSI: core: Fix return freed object in hsi_new_client
gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use
media: b2c2: Add missing check in flexcop_pci_isr:
HID: apple: Do not reset quirks when the Fn key is not found
usb: gadget: f_fs: Use stream_open() for endpoint files
ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
fs: dlm: filter user dlm messages for kernel locks
Bluetooth: Fix debugfs entry leak in hci_register_dev()
RDMA/cxgb4: Set queue pair state when being queried
mips: bcm63xx: add support for clk_set_parent()
mips: lantiq: add support for clk_set_parent()
misc: lattice-ecp3-config: Fix task hung when firmware load failed
ASoC: samsung: idma: Check of ioremap return value
dmaengine: pxa/mmp: stop referencing config->slave_id
RDMA/core: Let ib_find_gid() continue search even after empty entry
scsi: ufs: Fix race conditions related to driver data
char/mwave: Adjust io port register size
ALSA: oss: fix compile error when OSS_DEBUG is enabled
powerpc/prom_init: Fix improper check of prom_getprop()
RDMA/hns: Validate the pkey index
ALSA: hda: Add missing rwsem around snd_ctl_remove() calls
ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls
ALSA: jack: Add missing rwsem around snd_ctl_remove() calls
ext4: avoid trim error on fs with small groups
net: mcs7830: handle usb read errors properly
pcmcia: fix setting of kthread task states
can: xilinx_can: xcan_probe(): check for error irq
can: softing: softing_startstop(): fix set but not used variable warning
spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe
fsl/fman: Check for null pointer after calling devm_ioremap
ppp: ensure minimum packet size in ppp_write()
pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region()
pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region()
usb: ftdi-elan: fix memory leak on device disconnect
media: msi001: fix possible null-ptr-deref in msi001_probe()
media: si2157: Fix "warm" tuner state detection
media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach()
media: dib8000: Fix a memleak in dib8000_init()
floppy: Fix hang in watchdog when disk is ejected
serial: amba-pl011: do not request memory region twice
drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode()
arm64: dts: qcom: msm8916: fix MMC controller aliases
netfilter: bridge: add support for pppoe filtering
tty: serial: atmel: Call dma_async_issue_pending()
tty: serial: atmel: Check return code of dmaengine_submit()
crypto: qce - fix uaf on qce_ahash_register_one
media: dmxdev: fix UAF when dvb_register_device() fails
Bluetooth: stop proccessing malicious adv data
wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND
Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails
shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode
PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller
can: softing_cs: softingcs_probe(): fix memleak on registration failure
media: stk1160: fix control-message timeouts
media: pvrusb2: fix control-message timeouts
media: redrat3: fix control-message timeouts
media: dib0700: fix undefined behavior in tuner shutdown
media: s2255: fix control-message timeouts
media: cpia2: fix control-message timeouts
media: em28xx: fix control-message timeouts
media: mceusb: fix control-message timeouts
media: flexcop-usb: fix control-message timeouts
rtc: cmos: take rtc_lock while reading from CMOS
nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()
HID: wacom: Avoid using stale array indicies to read contact count
HID: uhid: Fix worker destroying device without any protection
rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled
media: uvcvideo: fix division by zero at stream start
drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk()
staging: wlan-ng: Avoid bitwise vs logical OR warning in hfa384x_usb_throttlefn()
random: fix data race on crng init time
random: fix data race on crng_node_pool
can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}
can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe()
USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status
USB: core: Fix bug in resuming hub's handling of wakeup requests
Bluetooth: bfusb: fix division by zero in send path
Linux 4.9.297
power: reset: ltc2952: Fix use of floating point literals
mISDN: change function names to avoid conflicts
net: udp: fix alignment problem in udp4_seq_show()
ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate
scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()
phonet: refcount leak in pep_sock_accep
arm64: sysreg: Move to use definitions for all the SCTLR bits
arm64: move !VHE work to end of el2_setup
arm64: reduce el2_setup branching
arm64: Remove a redundancy in sysreg.h
bug: split BUILD_BUG stuff out into <linux/build_bug.h>
rndis_host: support Hytera digital radios
xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate
sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc
i40e: Fix incorrect netdev's real number of RX/TX queues
mac80211: initialize variable have_higher_than_11mbit
ieee802154: atusb: fix uninit value in atusb_set_extended_addr
virtio_pci: Support surprise removal of virtio pci device
tracing: Tag trace_percpu_buffer as a percpu pointer
tracing: Fix check for trace_percpu_buffer validity in get_trace_buf()
Bluetooth: btusb: Apply QCA Rome patches for some ATH3012 models
Linux 4.9.296
net: fix use-after-free in tw_timer_handler
Input: spaceball - fix parsing of movement data packets
Input: appletouch - initialize work before device registration
scsi: vmw_pvscsi: Set residual data length conditionally
usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
uapi: fix linux/nfc.h userspace compilation errors
nfc: uapi: use kernel size_t to fix user-space builds
fsl/fman: Fix missing put_device() call in fman_port_probe
selinux: initialize proto variable in selinux_ip_postroute_compat()
recordmcount.pl: fix typo in s390 mcount regex
platform/x86: apple-gmux: use resource_size() with res
HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option
Linux 4.9.295
phonet/pep: refuse to enable an unbound pipe
hamradio: improve the incomplete fix to avoid NPD
hamradio: defer ax25 kfree after unregister_netdev
ax25: NPD bug when detaching AX25 device
hwmon: (lm90) Do not report 'busy' status bit as alarm
ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
ALSA: drivers: opl3: Fix incorrect use of vp->state
ALSA: jack: Check the return value of kstrdup()
hwmon: (lm90) Fix usage of CONFIG2 register in detect function
drivers: net: smc911x: Check for error irq
fjes: Check for error irq
bonding: fix ad_actor_system option setting to default
qlcnic: potential dereference null pointer of rx_queue->page_ring
IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
HID: holtek: fix mouse probing
can: kvaser_usb: get CAN clock frequency from device
net: usb: lan78xx: add Allied Telesis AT29M2-AF
Linux 4.9.294
xen/netback: don't queue unlimited number of packages
xen/netback: fix rx queue stall detection
xen/console: harden hvc_xen against event channel storms
xen/netfront: harden netfront against event channel storms
xen/blkfront: harden blkfront against event channel storms
Input: touchscreen - avoid bitwise vs logical OR warning
mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO
ARM: 8805/2: remove unneeded naked function usage
net: lan78xx: Avoid unnecessary self assignment
scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()
fuse: annotate lock in fuse_reverse_inval_entry()
firmware: arm_scpi: Fix string overflow in SCPI genpd driver
net: systemport: Add global locking for descriptor lifecycle
timekeeping: Really make sure wall_to_monotonic isn't positive
USB: serial: option: add Telit FN990 compositions
PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
USB: gadget: bRequestType is a bitfield, not a enum
ixgbe: set X550 MDIO speed before talking to PHY
igbvf: fix double free in `igbvf_probe`
soc/tegra: fuse: Fix bitwise vs. logical OR warning
nfsd: fix use-after-free due to delegation race
dm btree remove: fix use after free in rebalance_children()
recordmcount.pl: look for jgnop instruction as well as bcrl on s390
mac80211: send ADDBA requests using the tid/queue of the aggregation session
hwmon: (dell-smm) Fix warning on /proc/i8k creation error
tracing: Fix a kmemleak false positive in tracing_map
net: netlink: af_netlink: Prevent empty skb by adding a check on len.
i2c: rk3x: Handle a spurious start completion interrupt flag
parisc/agp: Annotate parisc agp init functions with __init
net/mlx4_en: Update reported link modes for 1/10G
nfc: fix segfault in nfc_genl_dump_devices_done
FROMGIT: USB: gadget: bRequestType is a bitfield, not a enum
Linux 4.9.293
irqchip: nvic: Fix offset for Interrupt Priority Offsets
irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
iio: itg3200: Call iio_trigger_notify_done() on error
iio: kxsd9: Don't return error code in trigger handler
iio: ltr501: Don't return error code in trigger handler
iio: mma8452: Fix trigger reference couting
iio: stk3310: Don't return error code in interrupt handler
usb: core: config: using bit mask instead of individual bits
usb: core: config: fix validation of wMaxPacketValue entries
USB: gadget: zero allocate endpoint 0 buffers
USB: gadget: detect too-big endpoint 0 requests
net/qla3xxx: fix an error code in ql_adapter_up()
net, neigh: clear whole pneigh_entry at alloc time
net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
net: altera: set a couple error code in probe()
net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
tracefs: Set all files to the same group ownership as the mount option
signalfd: use wake_up_pollfree()
binder: use wake_up_pollfree()
wait: add wake_up_pollfree()
libata: add horkage for ASMedia 1092
can: pch_can: pch_can_rx_normal: fix use after free
tracefs: Have new files inherit the ownership of their parent
ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
ALSA: pcm: oss: Limit the period size to 16MB
ALSA: pcm: oss: Fix negative period/buffer sizes
ALSA: ctl: Fix copy of updated id with element read/write
mm: bdi: initialize bdi_min_ratio when bdi is unregistered
IB/hfi1: Correct guard on eager buffer deallocation
nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
can: sja1000: fix use after free in ems_pcmcia_add_card()
HID: check for valid USB device for many HID drivers
HID: wacom: fix problems when device is not a valid USB device
HID: add USB_HID dependancy on some USB HID drivers
HID: add USB_HID dependancy to hid-chicony
HID: add USB_HID dependancy to hid-prodikeys
HID: add hid_is_usb() function to make it simpler for USB detection
HID: introduce hid_is_using_ll_driver
UPSTREAM: USB: gadget: zero allocate endpoint 0 buffers
UPSTREAM: USB: gadget: detect too-big endpoint 0 requests
Conflicts:
arch/arm64/include/asm/cputype.h
arch/arm64/kernel/bpi.S
arch/arm64/kernel/cpu_errata.c
arch/arm64/kernel/vdso.c
drivers/clk/qcom/clk-rcg2.c
drivers/media/dvb-core/dmxdev.c
drivers/mmc/core/host.c
drivers/net/usb/lan78xx.c
drivers/staging/android/ion/ion-ioctl.c
drivers/staging/android/ion/ion.c
drivers/staging/android/ion/ion_priv.h
drivers/usb/gadget/composite.c
drivers/usb/gadget/function/rndis.c
drivers/usb/gadget/function/rndis.h
lib/vsprintf.c
mm/memory.c
net/ipv6/ip6_output.c
Change-Id: Ie8bf6aa5dac3ae822cef90decbba577cefedcb31
|
||
|
Wilson Sung
|
67711e47f3 |
Merge android-4.9-q (4.9.292) into android-msm-pixel-4.9-sc-lts
Merge 4.9.292 into android-4.9-q
Linux 4.9.292
* serial: core: fix transmit-buffer reset and memleak
drivers/tty/serial/serial_core.c
* serial: pl011: Add ACPI SBSA UART match id
drivers/tty/serial/amba-pl011.c
* tty: serial: msm_serial: Deactivate RX DMA for polling support
drivers/tty/serial/msm_serial.c
* vgacon: Propagate console boot parameters before calling `vc_resize'
drivers/video/console/vgacon.c
* parisc: Fix "make install" on newer debian releases
arch/parisc/install.sh
* net/rds: correct socket tunable error in rds_tcp_tune()
net/rds/tcp.c
* siphash: use _unaligned version by default
include/linux/siphash.h
lib/siphash.c
* net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
* natsemi: xtensa: fix section mismatch warnings
drivers/net/ethernet/natsemi/xtsonic.c
* fget: check that the fd still exists after getting a ref to it
fs/file.c
* fs: add fget_many() and fput_many()
fs/file.c
fs/file_table.c
include/linux/file.h
include/linux/fs.h
* sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
drivers/ata/sata_fsl.c
* sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
drivers/ata/sata_fsl.c
* kprobes: Limit max data_size of the kretprobe instances
include/linux/kprobes.h
kernel/kprobes.c
* vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit
drivers/net/vrf.c
* net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()
drivers/net/ethernet/dec/tulip/de4x5.c
* net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound
drivers/net/ethernet/dec/tulip/de4x5.c
* ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()
drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
* scsi: iscsi: Unblock session then wake up error handler
drivers/scsi/scsi_transport_iscsi.c
* thermal: core: Reset previous low and high trip during thermal zone init
drivers/thermal/thermal_core.c
* s390/setup: avoid using memblock_enforce_memory_limit
arch/s390/kernel/setup.c
* platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
drivers/platform/x86/thinkpad_acpi.c
* net: return correct error code
net/ipv4/devinet.c
* hugetlb: take PMD sharing into account when flushing tlb/caches
mm/hugetlb.c
* NFSv42: Fix pagecache invalidation after COPY/CLONE
fs/nfs/nfs42proc.c
* shm: extend forced shm destroy to support objects from several IPC nses
include/linux/ipc_namespace.h
include/linux/sched.h
include/linux/shm.h
ipc/shm.c
* tty: hvc: replace BUG_ON() with negative return value
drivers/tty/hvc/hvc_xen.c
* xen/netfront: don't trust the backend response data blindly
drivers/net/xen-netfront.c
* xen/netfront: disentangle tx_skb_freelist
drivers/net/xen-netfront.c
* xen/netfront: don't read data from request on the ring page
drivers/net/xen-netfront.c
* xen/netfront: read response from backend only once
drivers/net/xen-netfront.c
* xen/blkfront: don't trust the backend response data blindly
drivers/block/xen-blkfront.c
* xen/blkfront: don't take local copy of a request from the ring page
drivers/block/xen-blkfront.c
* xen/blkfront: read response from backend only once
drivers/block/xen-blkfront.c
* xen: sync include/xen/interface/io/ring.h with Xen's newest version
include/xen/interface/io/ring.h
* fuse: release pipe buf after last use
fs/fuse/dev.c
* NFC: add NCI_UNREG flag to eliminate the race
include/net/nfc/nci_core.h
net/nfc/nci/core.c
* proc/vmcore: fix clearing user buffer by properly using clear_user()
fs/proc/vmcore.c
* vhost/vsock: fix incorrect used length reported to the guest
drivers/vhost/vsock.c
* hugetlbfs: flush TLBs correctly after huge_pmd_unshare
arch/arm/include/asm/tlb.h
arch/ia64/include/asm/tlb.h
arch/s390/include/asm/tlb.h
arch/sh/include/asm/tlb.h
arch/um/include/asm/tlb.h
include/asm-generic/tlb.h
mm/hugetlb.c
mm/memory.c
* tracing: Check pid filtering when creating events
kernel/trace/trace_events.c
* tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows
net/ipv4/tcp_cubic.c
* PM: hibernate: use correct mode for swsusp_close()
kernel/power/hibernate.c
* drm/vc4: fix error code in vc4_create_object()
drivers/gpu/drm/vc4/vc4_bo.c
* scsi: mpt3sas: Fix kernel panic during drive powercycle test
drivers/scsi/mpt3sas/mpt3sas_scsih.c
* ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
arch/arm/mach-socfpga/core.h
arch/arm/mach-socfpga/platsmp.c
* NFSv42: Don't fail clone() unless the OP_CLONE operation failed
fs/nfs/nfs42xdr.c
* net: ieee802154: handle iftypes as u32
include/net/nl802154.h
* ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
sound/soc/soc-topology.c
* ARM: dts: BCM5301X: Add interrupt properties to GPIO node
arch/arm/boot/dts/bcm5301x.dtsi
* tracing: Fix pid filtering when triggers are attached
kernel/trace/trace.h
* xen: detect uninitialized xenbus in xenbus_init
drivers/xen/xenbus/xenbus_probe.c
* xen: don't continue xenstore initialization in case of errors
drivers/xen/xenbus/xenbus_probe.c
* fuse: fix page stealing
fs/fuse/dev.c
* staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
drivers/staging/rtl8192e/rtl8192e/rtl_core.c
* ALSA: ctxfi: Fix out-of-range access
sound/pci/ctxfi/ctamixer.c
sound/pci/ctxfi/ctdaio.c
sound/pci/ctxfi/ctresource.c
sound/pci/ctxfi/ctresource.h
sound/pci/ctxfi/ctsrc.c
* binder: fix test regression due to sender_euid change
drivers/android/binder.c
* usb: hub: Fix locking issues with address0_mutex
drivers/usb/core/hub.c
* usb: hub: Fix usb enumeration issue due to address0 race
drivers/usb/core/hub.c
* USB: serial: option: add Fibocom FM101-GL variants
drivers/usb/serial/option.c
* USB: serial: option: add Telit LE910S1 0x9200 composition
drivers/usb/serial/option.c
* staging: ion: Prevent incorrect reference counting behavour
drivers/staging/android/ion/ion.c
Merge 4.9.291 into android-4.9-q
Linux 4.9.291
* soc/tegra: pmc: Fix imbalanced clock disabling in error code path
drivers/soc/tegra/pmc.c
* usb: max-3421: Use driver data instead of maintaining a list of bound devices
drivers/usb/host/max3421-hcd.c
* ASoC: DAPM: Cover regression by kctl change notification fix
sound/soc/soc-dapm.c
* batman-adv: Don't always reallocate the fragmentation skb head
net/batman-adv/fragmentation.c
* batman-adv: Reserve needed_*room for fragments
net/batman-adv/fragmentation.c
* batman-adv: Consider fragmentation for needed_headroom
net/batman-adv/hard-interface.c
* batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh
net/batman-adv/bridge_loop_avoidance.c
* batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN
net/batman-adv/multicast.c
net/batman-adv/multicast.h
net/batman-adv/soft-interface.c
* batman-adv: Fix own OGM check in aggregated OGMs
net/batman-adv/bat_v_ogm.c
* batman-adv: Keep fragments equally sized
net/batman-adv/fragmentation.c
* drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
* drm/udl: fix control-message timeout
drivers/gpu/drm/udl/udl_connector.c
* cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
net/wireless/util.c
* parisc/sticon: fix reverse colors
drivers/video/console/sticon.c
* btrfs: fix memory ordering between normal and ordered work functions
fs/btrfs/async-thread.c
* mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag
mm/slab.h
* hexagon: export raw I/O routines for modules
arch/hexagon/lib/io.c
* tun: fix bonding active backup with arp monitoring
drivers/net/tun.c
* perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server
arch/x86/events/intel/uncore_snbep.c
* perf/x86/intel/uncore: Fix filter_tid mask for CHA events on Skylake Server
arch/x86/events/intel/uncore_snbep.c
* NFC: reorder the logic in nfc_{un,}register_device
net/nfc/core.c
* NFC: reorganize the functions in nci_request
net/nfc/nci/core.c
* platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()'
drivers/platform/x86/hp_accel.c
* mips: bcm63xx: add support for clk_get_parent()
arch/mips/bcm63xx/clk.c
* iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset
drivers/net/ethernet/intel/i40evf/i40evf_main.c
* net: bnx2x: fix variable dereferenced before check
drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h
* sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain()
kernel/sched/core.c
* mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set
arch/mips/Kconfig
* sh: define __BIG_ENDIAN for math-emu
arch/sh/include/asm/sfp-machine.h
* sh: fix kconfig unmet dependency warning for FRAME_POINTER
arch/sh/Kconfig.debug
* maple: fix wrong return value of maple_bus_init().
drivers/sh/maple/maple.c
* sh: check return code of request_irq
arch/sh/kernel/cpu/sh4a/smp-shx3.c
* powerpc/dcr: Use cmplwi instead of 3-argument cmpli
arch/powerpc/sysdev/dcr-low.S
* ALSA: gus: fix null pointer dereference on pointer block
sound/isa/gus/gus_dma.c
* powerpc/5200: dts: fix memory node unit name
arch/powerpc/boot/dts/charon.dts
arch/powerpc/boot/dts/digsy_mtc.dts
arch/powerpc/boot/dts/lite5200.dts
arch/powerpc/boot/dts/lite5200b.dts
arch/powerpc/boot/dts/media5200.dts
arch/powerpc/boot/dts/mpc5200b.dtsi
arch/powerpc/boot/dts/o2d.dts
arch/powerpc/boot/dts/o2d.dtsi
arch/powerpc/boot/dts/o2dnt2.dts
arch/powerpc/boot/dts/o3dnt.dts
arch/powerpc/boot/dts/pcm032.dts
arch/powerpc/boot/dts/tqm5200.dts
* scsi: target: Fix alua_tg_pt_gps_count tracking
drivers/target/target_core_alua.c
* scsi: target: Fix ordered tag handling
drivers/target/target_core_device.c
drivers/target/target_core_internal.h
drivers/target/target_core_transport.c
include/target/target_core_base.h
* MIPS: sni: Fix the build
arch/mips/sni/time.c
* tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc
drivers/tty/tty_buffer.c
* usb: host: ohci-tmio: check return value after calling platform_get_resource()
drivers/usb/host/ohci-tmio.c
* ARM: dts: omap: fix gpmc,mux-add-data type
arch/arm/boot/dts/omap-gpmc-smsc9221.dtsi
arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi
* scsi: advansys: Fix kernel pointer leak
drivers/scsi/advansys.c
* usb: musb: tusb6010: check return value after calling platform_get_resource()
drivers/usb/musb/tusb6010.c
* scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()
drivers/scsi/lpfc/lpfc_sli.c
* PCI/MSI: Destroy sysfs before freeing entries
drivers/pci/msi.c
* parisc/entry: fix trace test in syscall exit path
arch/parisc/kernel/entry.S
* net: mdio-mux: fix unbalanced put_device
drivers/net/phy/mdio-mux.c
* PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros
include/uapi/linux/pci_regs.h
* mm, oom: do not trigger out_of_memory from the #PF
mm/oom_kill.c
* mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks
mm/oom_kill.c
* powerpc/bpf: Fix BPF_SUB when imm == 0x80000000
arch/powerpc/net/bpf_jit_comp64.c
* powerpc/bpf: Validate branch ranges
arch/powerpc/net/bpf_jit.h
arch/powerpc/net/bpf_jit_comp64.c
* ARM: 9156/1: drop cc-option fallbacks for architecture selection
arch/arm/Makefile
* USB: chipidea: fix interrupt deadlock
drivers/usb/chipidea/core.c
* vsock: prevent unnecessary refcnt inc for nonblocking connect
net/vmw_vsock/af_vsock.c
* nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
drivers/nfc/pn533/pn533.c
* llc: fix out-of-bound array index in llc_sk_dev_hash()
include/net/llc.h
* mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration()
mm/zsmalloc.c
* bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed
drivers/net/bonding/bond_sysfs_slave.c
* ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses
drivers/acpi/pmic/intel_pmic.c
* net: davinci_emac: Fix interrupt pacing disable
drivers/net/ethernet/ti/davinci_emac.c
* xen-pciback: Fix return in pm_ctrl_init()
drivers/xen/xen-pciback/conf_space_capability.c
* i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()'
drivers/i2c/busses/i2c-xlr.c
* scsi: qla2xxx: Turn off target reset during issue_lip
drivers/scsi/qla2xxx/qla_gbl.h
drivers/scsi/qla2xxx/qla_mr.c
drivers/scsi/qla2xxx/qla_os.c
* watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT
drivers/watchdog/f71808e_wdt.c
* m68k: set a default value for MEMORY_RESERVE
arch/m68k/Kconfig.machine
* dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result`
drivers/dma/dmaengine.h
* netfilter: nfnetlink_queue: fix OOB when mac header was cleared
net/netfilter/nfnetlink_queue.c
* auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string
drivers/auxdisplay/img-ascii-lcd.c
* dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro
drivers/dma/at_xdmac.c
* mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare()
drivers/mtd/spi-nor/hisi-sfc.c
* fs: orangefs: fix error return code of orangefs_revalidate_lookup()
fs/orangefs/dcache.c
* PCI: aardvark: Don't spam about PIO Response Status
drivers/pci/host/pci-aardvark.c
* drm/plane-helper: fix uninitialized variable reference
drivers/gpu/drm/drm_plane_helper.c
* pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds
fs/nfs/flexfilelayout/flexfilelayoutdev.c
fs/nfs/pnfs_nfs.c
* power: supply: bq27xxx: Fix kernel crash on IRQ handler register error
drivers/power/supply/bq27xxx_battery_i2c.c
* serial: xilinx_uartps: Fix race condition causing stuck TX
drivers/tty/serial/xilinx_uartps.c
* RDMA/mlx4: Return missed an error if device doesn't support steering
drivers/infiniband/hw/mlx4/qp.c
* scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn()
drivers/scsi/csiostor/csio_lnode.c
* power: supply: rt5033_battery: Change voltage values to µV
drivers/power/supply/rt5033_battery.c
* usb: gadget: hid: fix error code in do_config()
drivers/usb/gadget/legacy/hid.c
* serial: 8250_dw: Drop wrong use of ACPI_PTR()
drivers/tty/serial/8250/8250_dw.c
* video: fbdev: chipsfb: use memset_io() instead of memset()
drivers/video/fbdev/chipsfb.c
* memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe
drivers/memory/fsl_ifc.c
* soc/tegra: Fix an error handling path in tegra_powergate_power_up()
drivers/soc/tegra/pmc.c
* arm: dts: omap3-gta04a4: accelerometer irq fix
arch/arm/boot/dts/omap3-gta04.dtsi
* JFS: fix memleak in jfs_mount
fs/jfs/jfs_mount.c
* MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT
arch/mips/Kconfig
* scsi: dc395: Fix error case unwinding
drivers/scsi/dc395x.c
* ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc()
drivers/irqchip/irq-s3c24xx.c
* RDMA/rxe: Fix wrong port_cap_flags
drivers/infiniband/sw/rxe/rxe_param.h
* crypto: pcrypt - Delay write to padata->info
crypto/pcrypt.c
* libertas: Fix possible memory leak in probe and disconnect
drivers/net/wireless/marvell/libertas/if_usb.c
* libertas_tf: Fix possible memory leak in probe and disconnect
drivers/net/wireless/marvell/libertas_tf/if_usb.c
* samples/kretprobes: Fix return value if register_kretprobe() failed
samples/kprobes/kretprobe_example.c
* irq: mips: avoid nested irq_enter()
drivers/irqchip/irq-bcm6345-l1.c
* s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap()
arch/s390/mm/gmap.c
* smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
security/smack/smackfs.c
* phy: micrel: ksz8041nl: do not use power down mode
drivers/net/phy/micrel.c
* mwifiex: Send DELBA requests according to spec
drivers/net/wireless/marvell/mwifiex/11n.c
* platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning
drivers/platform/x86/thinkpad_acpi.c
* mmc: mxs-mmc: disable regulator on error and in the remove function
drivers/mmc/host/mxs-mmc.c
* net: stream: don't purge sk_error_queue in sk_stream_kill_queues()
net/core/stream.c
* drm/msm: uninitialized variable in msm_gem_import()
drivers/gpu/drm/msm/msm_gem.c
* ath10k: fix max antenna gain unit
drivers/net/wireless/ath/ath10k/mac.c
drivers/net/wireless/ath/ath10k/wmi.h
* hwmon: Fix possible memleak in __hwmon_device_register()
drivers/hwmon/hwmon.c
* memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host()
drivers/memstick/host/jmb38x_ms.c
* memstick: avoid out-of-range warning
drivers/memstick/core/ms_block.c
* b43: fix a lower bounds test
drivers/net/wireless/broadcom/b43/phy_g.c
* b43legacy: fix a lower bounds test
drivers/net/wireless/broadcom/b43legacy/radio.c
* crypto: qat - disregard spurious PFVF interrupts
drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
drivers/crypto/qat/qat_common/adf_vf_isr.c
* crypto: qat - detect PFVF collision after ACK
drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
* ath9k: Fix potential interrupt storm on queue reset
drivers/net/wireless/ath/ath9k/main.c
* cpuidle: Fix kobject memory leaks in error paths
drivers/cpuidle/sysfs.c
* media: si470x: Avoid card name truncation
drivers/media/radio/si470x/radio-si470x-i2c.c
drivers/media/radio/si470x/radio-si470x-usb.c
* media: mtk-vpu: Fix a resource leak in the error handling path of 'mtk_vpu_probe()'
drivers/media/platform/mtk-vpu/mtk_vpu.c
* media: dvb-usb: fix ununit-value in az6027_rc_query
drivers/media/usb/dvb-usb/az6027.c
* cgroup: Make rebind_subsystems() disable v2 controllers all at once
kernel/cgroup.c
* parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling
arch/parisc/kernel/smp.c
* parisc: fix warning in flush_tlb_all
arch/parisc/mm/init.c
* spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in bcm_qspi_probe()
drivers/spi/spi-bcm-qspi.c
* ARM: 9136/1: ARMv7-M uses BE-8, not BE-32
arch/arm/mm/Kconfig
* ARM: clang: Do not rely on lr register for stacktrace
arch/arm/kernel/stacktrace.c
* smackfs: use __GFP_NOFAIL for smk_cipso_doi()
security/smack/smackfs.c
* iwlwifi: mvm: disable RX-diversity in powersave
drivers/net/wireless/intel/iwlwifi/mvm/utils.c
* PM: hibernate: Get block device exclusively in swsusp_check()
kernel/power/swap.c
* mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
drivers/net/wireless/marvell/mwl8k.c
* tracing/cfi: Fix cmp_entries_* functions signature mismatch
kernel/trace/tracing_map.c
* lib/xz: Validate the value before assigning it to an enum variable
lib/xz/xz_dec_stream.c
* lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression
lib/decompress_unxz.c
lib/xz/xz_dec_lzma2.c
* memstick: r592: Fix a UAF bug when removing the driver
drivers/memstick/host/r592.c
* ACPI: battery: Accept charges over the design capacity as full
drivers/acpi/battery.c
* ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create()
drivers/net/wireless/ath/dfs_pattern_detector.c
* tracefs: Have tracefs directories not set OTH permission bits by default
fs/tracefs/inode.c
* media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte()
drivers/media/usb/dvb-usb/dibusb-common.c
* ACPICA: Avoid evaluating methods too early during system resume
drivers/acpi/acpica/acglobal.h
drivers/acpi/acpica/hwesleep.c
drivers/acpi/acpica/hwsleep.c
drivers/acpi/acpica/hwxfsleep.c
* ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK
arch/ia64/Kconfig.debug
* media: mceusb: return without resubmitting URB in case of -EPROTO error.
drivers/media/rc/mceusb.c
* media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe()
drivers/media/platform/s5p-mfc/s5p_mfc.c
* media: uvcvideo: Set capability in s_param
drivers/media/usb/uvc/uvc_v4l2.c
* media: netup_unidvb: handle interrupt properly according to the firmware
drivers/media/pci/netup_unidvb/netup_unidvb_core.c
* media: mt9p031: Fix corrupted frame after restarting stream
drivers/media/i2c/mt9p031.c
* x86: Increase exception stack sizes
arch/x86/include/asm/page_64_types.h
* smackfs: Fix use-after-free in netlbl_catmap_walk()
security/smack/smackfs.c
* locking/lockdep: Avoid RCU-induced noinstr fail
kernel/locking/lockdep.c
* MIPS: lantiq: dma: reset correct number of channel
arch/mips/lantiq/xway/dma.c
* MIPS: lantiq: dma: add small delay after reset
arch/mips/lantiq/xway/dma.c
* platform/x86: wmi: do not fail if disabling fails
drivers/platform/x86/wmi.c
* Bluetooth: fix use-after-free error in lock_sock_nested()
net/bluetooth/l2cap_sock.c
* Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
net/bluetooth/sco.c
* USB: iowarrior: fix control-message timeouts
drivers/usb/misc/iowarrior.c
* USB: serial: keyspan: fix memleak on probe errors
drivers/usb/serial/keyspan.c
* iio: dac: ad5446: Fix ad5622_write() return value
drivers/iio/dac/ad5446.c
* quota: correct error number in free_dqentry()
fs/quota/quota_tree.c
* quota: check block number when reading the block in quota file
fs/quota/quota_tree.c
* PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG
drivers/pci/host/pci-aardvark.c
* ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume
sound/core/oss/mixer_oss.c
* ALSA: mixer: oss: Fix racy access to slots
sound/core/oss/mixer_oss.c
* serial: core: Fix initializing and restoring termios speed
drivers/tty/serial/serial_core.c
include/linux/console.h
* powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found
arch/powerpc/platforms/85xx/mpc85xx_pm_ops.c
* power: supply: max17042_battery: use VFSOC for capacity when no rsns
drivers/power/supply/max17042_battery.c
* power: supply: max17042_battery: Prevent int underflow in set_soc_threshold
drivers/power/supply/max17042_battery.c
* signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT
arch/mips/kernel/r2300_fpu.S
arch/mips/kernel/syscall.c
* signal: Remove the bogus sigkill_pending in ptrace_stop
kernel/signal.c
* RDMA/qedr: Fix NULL deref for query_qp on the GSI QP
drivers/infiniband/hw/qedr/verbs.c
* wcn36xx: handle connection loss indication
drivers/net/wireless/ath/wcn36xx/smd.c
* mwifiex: Read a PCI register after writing the TX ring write pointer
drivers/net/wireless/marvell/mwifiex/pcie.c
* wcn36xx: Fix HT40 capability for 2Ghz band
drivers/net/wireless/ath/wcn36xx/main.c
* evm: mark evm_fixmode as __ro_after_init
security/integrity/evm/evm_main.c
* rtl8187: fix control-message timeouts
drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c
* PCI: Mark Atheros QCA6174 to avoid bus reset
drivers/pci/quirks.c
* ath6kl: fix control-message timeout
drivers/net/wireless/ath/ath6kl/usb.c
* ath6kl: fix division by zero in send path
drivers/net/wireless/ath/ath6kl/usb.c
* mwifiex: fix division by zero in fw download path
drivers/net/wireless/marvell/mwifiex/usb.c
* EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell
drivers/edac/sb_edac.c
* regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property
Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt
* regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled
Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt
drivers/regulator/s5m8767.c
* hwmon: (pmbus/lm25066) Add offset coefficients
drivers/hwmon/pmbus/lm25066.c
* btrfs: fix lost error handling when replaying directory deletes
fs/btrfs/tree-log.c
* vmxnet3: do not stop tx queues after netif_device_detach()
drivers/net/vmxnet3/vmxnet3_drv.c
* watchdog: Fix OMAP watchdog early handling
drivers/watchdog/omap_wdt.c
* spi: spl022: fix Microwire full duplex mode
drivers/spi/spi-pl022.c
* xen/netfront: stop tx queues during live migration
drivers/net/xen-netfront.c
* bpf: Prevent increasing bpf_jit_limit above max
include/linux/filter.h
kernel/bpf/core.c
net/core/sysctl_net_core.c
* mmc: winbond: don't build on M68K
drivers/mmc/host/Kconfig
* hyperv/vmbus: include linux/bitops.h
drivers/hv/hyperv_vmbus.h
* sfc: Don't use netif_info before net_device setup
drivers/net/ethernet/sfc/ptp.c
drivers/net/ethernet/sfc/siena_sriov.c
* x86/irq: Ensure PI wakeup handler is unregistered before module unload
arch/x86/kernel/irq.c
* ALSA: timer: Unconditionally unlink slave instances, too
sound/core/timer.c
* ALSA: timer: Fix use-after-free problem
sound/core/timer.c
* ALSA: synth: missing check for possible NULL after the call to kstrdup
sound/synth/emux/emux.c
* ALSA: line6: fix control and interrupt message timeouts
sound/usb/line6/driver.c
sound/usb/line6/driver.h
sound/usb/line6/podhd.c
sound/usb/line6/toneport.c
* ALSA: 6fire: fix control and bulk message timeouts
sound/usb/6fire/comm.c
sound/usb/6fire/firmware.c
* ALSA: ua101: fix division by zero at probe
sound/usb/misc/ua101.c
* media: ite-cir: IR receiver stop working after receive overflow
drivers/media/rc/ite-cir.c
* parisc: Fix ptrace check on syscall return
arch/parisc/kernel/entry.S
* mmc: dw_mmc: Dont wait for DRTO on Write RSP error
drivers/mmc/host/dw_mmc.c
* ocfs2: fix data corruption on truncate
fs/ocfs2/file.c
* libata: fix read log timeout value
drivers/ata/libata-eh.c
include/linux/libata.h
* Input: i8042 - Add quirk for Fujitsu Lifebook T725
drivers/input/serio/i8042-x86ia64io.h
* Input: elantench - fix misreporting trackpoint coordinates
drivers/input/mouse/elantech.c
* xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay
drivers/usb/host/xhci-hub.c
* binder: use cred instead of task for selinux checks
drivers/android/binder.c
include/linux/lsm_hooks.h
include/linux/security.h
security/security.c
security/selinux/hooks.c
* binder: use euid from cred instead of using task
drivers/android/binder.c
* ANDROID: arm64: process: Match upstream formatting when dumping memory areas
arch/arm64/kernel/process.c
* FROMGIT: binder: fix test regression due to sender_euid change
drivers/android/binder.c
* BACKPORT: binder: use cred instead of task for selinux checks
drivers/android/binder.c
include/linux/lsm_hooks.h
include/linux/security.h
security/security.c
security/selinux/hooks.c
* UPSTREAM: binder: use euid from cred instead of using task
drivers/android/binder.c
Merge 4.9.290 into android-4.9-q
Linux 4.9.290
* rsi: fix control-message timeout
drivers/net/wireless/rsi/rsi_91x_usb.c
* staging: rtl8192u: fix control-message timeouts
drivers/staging/rtl8192u/r8192U_core.c
* staging: r8712u: fix control-message timeout
drivers/staging/rtl8712/usb_ops_linux.c
* comedi: vmk80xx: fix bulk and interrupt message timeouts
drivers/staging/comedi/drivers/vmk80xx.c
* comedi: vmk80xx: fix bulk-buffer overflow
drivers/staging/comedi/drivers/vmk80xx.c
* comedi: vmk80xx: fix transfer-buffer overflows
drivers/staging/comedi/drivers/vmk80xx.c
* comedi: ni_usb6501: fix NULL-deref in command paths
drivers/staging/comedi/drivers/ni_usb6501.c
* comedi: dt9812: fix DMA buffers on stack
drivers/staging/comedi/drivers/dt9812.c
* isofs: Fix out of bound access for corrupted isofs image
fs/isofs/inode.c
* printk/console: Allow to disable console output by using console="" or console=null
kernel/printk/printk.c
* usb-storage: Add compatibility quirk flags for iODD 2531/2541
drivers/usb/storage/unusual_devs.h
* usb: musb: Balance list entry in musb_gadget_queue
drivers/usb/musb/musb_gadget.c
* usb: gadget: Mark USB_FSL_QE broken on 64-bit
drivers/usb/gadget/udc/Kconfig
* IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
drivers/infiniband/hw/qib/qib_user_sdma.c
* IB/qib: Use struct_size() helper
drivers/infiniband/hw/qib/qib_user_sdma.c
* Revert "x86/kvm: fix vcpu-id indexed array sizes"
arch/x86/kvm/ioapic.c
arch/x86/kvm/ioapic.h
* usb: hso: fix error handling code of hso_create_net_device
drivers/net/usb/hso.c
* net: hso: register netdev later to avoid a race condition
drivers/net/usb/hso.c
* ARM: 9120/1: Revert "amba: make use of -1 IRQs warn"
drivers/amba/bus.c
* arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed
arch/arc/include/asm/pgtable.h
arch/arm/include/asm/pgtable-2level.h
arch/arm/include/asm/pgtable-3level.h
arch/mips/include/asm/pgtable-32.h
arch/powerpc/include/asm/pte-common.h
include/asm-generic/pgtable.h
* mm/zsmalloc: Prepare to variable MAX_PHYSMEM_BITS
arch/x86/include/asm/pgtable-3level_types.h
mm/zsmalloc.c
* scsi: core: Put LLD module refcnt after SCSI device is released
drivers/scsi/scsi.c
drivers/scsi/scsi_sysfs.c
* UPSTREAM: security: selinux: allow per-file labeling for bpffs
security/selinux/hooks.c
Bug: 210364486
Change-Id: Ia31d19943f4638a9b2ac8122a4c8728a56e8aa0a
Signed-off-by: JohnnLee <johnnlee@google.com>
|
||
|
Greg Kroah-Hartman
|
060bbd5319 |
Merge 4.9.293 into android-4.9-q
Changes in 4.9.293 HID: introduce hid_is_using_ll_driver HID: add hid_is_usb() function to make it simpler for USB detection HID: add USB_HID dependancy to hid-prodikeys HID: add USB_HID dependancy to hid-chicony HID: add USB_HID dependancy on some USB HID drivers HID: wacom: fix problems when device is not a valid USB device HID: check for valid USB device for many HID drivers can: sja1000: fix use after free in ems_pcmcia_add_card() nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done IB/hfi1: Correct guard on eager buffer deallocation mm: bdi: initialize bdi_min_ratio when bdi is unregistered ALSA: ctl: Fix copy of updated id with element read/write ALSA: pcm: oss: Fix negative period/buffer sizes ALSA: pcm: oss: Limit the period size to 16MB ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() tracefs: Have new files inherit the ownership of their parent can: pch_can: pch_can_rx_normal: fix use after free libata: add horkage for ASMedia 1092 wait: add wake_up_pollfree() binder: use wake_up_pollfree() signalfd: use wake_up_pollfree() tracefs: Set all files to the same group ownership as the mount option block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero net: altera: set a couple error code in probe() net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() net, neigh: clear whole pneigh_entry at alloc time net/qla3xxx: fix an error code in ql_adapter_up() USB: gadget: detect too-big endpoint 0 requests USB: gadget: zero allocate endpoint 0 buffers usb: core: config: fix validation of wMaxPacketValue entries usb: core: config: using bit mask instead of individual bits iio: stk3310: Don't return error code in interrupt handler iio: mma8452: Fix trigger reference couting iio: ltr501: Don't return error code in trigger handler iio: kxsd9: Don't return error code in trigger handler iio: itg3200: Call iio_trigger_notify_done() on error iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc() irqchip/armada-370-xp: Fix support for Multi-MSI interrupts irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL irqchip: nvic: Fix offset for Interrupt Priority Offsets Linux 4.9.293 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I4f94616f8a0fc5c2fa5b41d49108d7c853d5796a |
||
|
Eric Biggers
|
0487ea896e |
binder: use wake_up_pollfree()
commit a880b28a71e39013e357fd3adccd1d8a31bc69a8 upstream. wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll and aio poll are fortunately not affected by this, but it's very fragile. Thus, the new function wake_up_pollfree() has been introduced. Convert binder to use wake_up_pollfree(). Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Fixes: f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20211209010455.42744-3-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Todd Kjos
|
404fb10972 |
binder: fix test regression due to sender_euid change
commit c21a80ca0684ec2910344d72556c816cb8940c01 upstream.
This is a partial revert of commit
29bc22ac5e5b ("binder: use euid from cred instead of using task").
Setting sender_euid using proc->cred caused some Android system test
regressions that need further investigation. It is a partial
reversion because subsequent patches rely on proc->cred.
Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
Cc: stable@vger.kernel.org # 4.4+
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Todd Kjos
|
22d4a6dace |
binder: use cred instead of task for selinux checks
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes:
|
||
|
Todd Kjos
|
443fc43d2f |
binder: use euid from cred instead of using task
commit 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b upstream.
Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.
Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context that
of the task that opened binder.
Cc: stable@vger.kernel.org # 4.4+
Fixes:
|
||
|
Todd Kjos
|
31cca22868 |
FROMGIT: binder: fix test regression due to sender_euid change
This is a partial revert of commit
29bc22ac5e5b ("binder: use euid from cred instead of using task").
Setting sender_euid using proc->cred caused some Android system test
regressions that need further investigation. It is a partial
reversion because subsequent patches rely on proc->cred.
Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
Cc: stable@vger.kernel.org # 4.4+
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 200688826
(cherry picked from commit c21a80ca0684ec2910344d72556c816cb8940c01
git: //git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-linus)
Signed-off-by: Todd Kjos <tkjos@google.com>
|
||
|
Todd Kjos
|
a69d9cd3d4 |
BACKPORT: binder: use cred instead of task for selinux checks
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes:
|
||
|
Todd Kjos
|
a0e450acb1 |
UPSTREAM: binder: use euid from cred instead of using task
commit 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b upstream.
Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.
Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context that
of the task that opened binder.
Cc: stable@vger.kernel.org # 4.4+
Fixes:
|
||
|
Todd Kjos
|
c794707001 |
UPSTREAM: binder: add flag to clear buffer on txn complete
Add a per-transaction flag to indicate that the buffer must be cleared when the transaction is complete to prevent copies of sensitive data from being preserved in memory. Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20201120233743.3617529-1-tkjos@google.com Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 171501513 Change-Id: Ic9338c85cbe3b11ab6f2bda55dce9964bb48447a (cherry picked from commit 0f966cba95c78029f491b433ea95ff38f414a761) Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Sami Tolvanen <samitolvanen@google.com> |
||
|
lucaswei
|
f09d91fe02 |
Merge android-4.9-q (4.9.248) into android-msm-pixel-4.9-lts
Merge 4.9.248 into android-4.9-q
Linux 4.9.248
x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes
Input: i8042 - fix error return code in i8042_setup_aux()
i2c: qup: Fix error return code in qup_i2c_bam_schedule_desc()
gfs2: check for empty rgrp tree in gfs2_ri_update
* tracing: Fix userstacktrace option for instances
kernel/trace/trace.c
kernel/trace/trace.h
spi: bcm2835: Release the DMA channel if probe fails after dma_init
spi: bcm2835: Fix use-after-free on unbind
spi: bcm-qspi: Fix use-after-free on unbind
* spi: Introduce device-managed SPI controller allocation
drivers/spi/spi.c
include/linux/spi/spi.h
iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs
i2c: imx: Check for I2SR_IAL after every byte
i2c: imx: Fix reset of I2SR_IAL flag
cifs: fix potential use-after-free in cifs_echo_request()
ftrace: Fix updating FTRACE_FL_TRAMP
* tty: Fix ->session locking
drivers/tty/tty_io.c
include/linux/tty.h
ALSA: hda/generic: Add option to enforce preferred_dacs pairs
ALSA: hda/realtek - Add new codec supported for ALC897
* tty: Fix ->pgrp locking in tiocspgrp()
drivers/tty/tty_io.c
USB: serial: option: add support for Thales Cinterion EXS82
USB: serial: option: add Fibocom NL668 variants
USB: serial: ch341: sort device-id entries
USB: serial: ch341: add new Product ID for CH341A
USB: serial: kl5kusb105: fix memleak on open
* usb: gadget: f_fs: Use local copy of descriptors for userspace copy
drivers/usb/gadget/function/f_fs.c
* vlan: consolidate VLAN parsing code and limit max parsing depth
include/linux/if_vlan.h
include/net/inet_ecn.h
pinctrl: baytrail: Fix pin being driven low for a while on gpiod_get(..., GPIOD_OUT_HIGH)
pinctrl: baytrail: Replace WARN with dev_info_once when setting direct-irq pin to output
btrfs: sysfs: init devices outside of the chunk_mutex
RDMA/i40iw: Address an mmap handler exploit in i40iw
* spi: Fix controller unregister order harder
drivers/spi/spi.c
Input: i8042 - add ByteSpeed touchpad to noloop table
* Input: xpad - support Ardwiino Controllers
drivers/input/joystick/xpad.c
dt-bindings: net: correct interrupt flags in examples
net/mlx5: Fix wrong address reclaim when command interface is down
net: pasemi: fix error return code in pasemi_mac_open()
cxgb3: fix error return code in t3_sge_alloc_qset()
net/x25: prevent a couple of overflows
ibmvnic: Fix TX completion error handling
ibmvnic: Ensure that SCRQ entry reads are correctly ordered
netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal
* bonding: wait for sysfs kobject destruction before freeing struct slave
drivers/net/bonding/bond_main.c
drivers/net/bonding/bond_sysfs_slave.c
include/net/bonding.h
usbnet: ipheth: fix connectivity with iOS 14
rose: Fix Null pointer dereference in rose_send_frame()
net/af_iucv: set correct sk_protocol for child sockets
ANDROID: cuttlefish_defconfig: Disable CONFIG_KSM
Merge 4.9.247 into android-4.9-q
Linux 4.9.247
* USB: core: Fix regression in Hercules audio card
drivers/usb/core/quirks.c
* USB: core: add endpoint-blacklist quirk
drivers/usb/core/config.c
drivers/usb/core/quirks.c
drivers/usb/core/usb.h
include/linux/usb/quirks.h
* regulator: workaround self-referent regulators
drivers/regulator/core.c
* regulator: avoid resolve_supply() infinite recursion
drivers/regulator/core.c
x86/speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb
usb: gadget: Fix memleak in gadgetfs_fill_super
* usb: gadget: f_midi: Fix memleak in f_midi_alloc
drivers/usb/gadget/function/f_midi.c
* USB: core: Change %pK for __user pointers to %px
drivers/usb/core/devio.c
perf probe: Fix to die_entrypc() returns error correctly
platform/x86: toshiba_acpi: Fix the wrong variable assignment
can: gs_usb: fix endianess problem with candleLight firmware
efivarfs: revert "fix memory leak in efivarfs_create()"
ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq
net: ena: set initial DMA width to avoid intel iommu issue
nfc: s3fwrn5: use signed integer for parsing GPIO numbers
IB/mthca: fix return value of error branch in mthca_init_cq()
bnxt_en: Release PCI regions when DMA mask setup fails during probe.
video: hyperv_fb: Fix the cache type when mapping the VRAM
bnxt_en: fix error return code in bnxt_init_board()
* scsi: ufs: Fix race between shutdown and runtime resume flow
drivers/scsi/ufs/ufshcd.c
batman-adv: set .owner to THIS_MODULE
phy: tegra: xusb: Fix dangling pointer on probe failure
perf/x86: fix sysfs type mismatches
scsi: target: iscsi: Fix cmd abort fabric stop race
scsi: libiscsi: Fix NOP race condition
dmaengine: pl330: _prep_dma_memcpy: Fix wrong burst size
* proc: don't allow async path resolution of /proc/self components
fs/proc/self.c
x86/xen: don't unbind uninitialized lock_kicker_irq
dmaengine: xilinx_dma: use readl_poll_timeout_atomic variant
HID: hid-sensor-hub: Fix issue with devices with no report ID
Input: i8042 - allow insmod to succeed on devices without an i8042 controller
* HID: cypress: Support Varmilo Keyboards' media hotkeys
drivers/hid/hid-ids.h
ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close
ALSA: hda/hdmi: Use single mutex unlock in error paths
* arm64: pgtable: Fix pte_accessible()
arch/arm64/include/asm/pgtable.h
btrfs: inode: Verify inode mode to avoid NULL pointer dereference
btrfs: tree-checker: Enhance chunk checker to validate chunk profile
* PCI: Add device even if driver attach failed
drivers/pci/bus.c
btrfs: fix lockdep splat when reading qgroup config on mount
mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault()
perf event: Check ref_reloc_sym before using it
* BACKPORT: arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm
arch/arm64/include/asm/efi.h
arch/arm64/include/asm/mmu_context.h
Merge 4.9.246 into android-4.9-q
Linux 4.9.246
x86/microcode/intel: Check patch signature before saving microcode for early loading
s390/cpum_sf.c: fix file permission for cpum_sfb_size
mac80211: free sta in sta_info_insert_finish() on errors
mac80211: minstrel: fix tx status processing corner case
mac80211: minstrel: remove deferred sampling code
xtensa: disable preemption around cache alias management calls
* regulator: fix memory leak with repeated set_machine_constraints()
drivers/regulator/core.c
iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum
* ext4: fix bogus warning in ext4_update_dx_flag()
fs/ext4/ext4.h
efivarfs: fix memory leak in efivarfs_create()
tty: serial: imx: keep console clocks always on
ALSA: mixart: Fix mutex deadlock
* ALSA: ctl: fix error path at adding user-defined element set
sound/core/control.c
powerpc/uaccess-flush: fix missing includes in kup-radix.h
* libfs: fix error cast of negative value in simple_attr_write()
fs/libfs.c
xfs: revert "xfs: fix rmap key and record comparison functions"
regulator: ti-abb: Fix array out of bound read access on the first transition
MIPS: Alchemy: Fix memleak in alchemy_clk_setup_cpu
can: m_can: m_can_handle_state_change(): fix state change
can: peak_usb: fix potential integer overflow on shift of a int
can: dev: can_restart(): post buffer from the right context
perf lock: Don't free "lock_seq_stat" if read_count isn't zero
ARM: dts: imx50-evk: Fix the chip select 1 IOMUX
arm: dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy
MIPS: export has_transparent_hugepage() for modules
Input: adxl34x - clean up a data type in adxl34x_probe()
* vfs: remove lockdep bogosity in __sb_start_write
fs/super.c
* arm64: psci: Avoid printing in cpu_psci_cpu_die()
arch/arm64/kernel/psci.c
pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq
mlxsw: core: Use variable timeout for EMAD retries
net: ftgmac100: Fix crash when removing driver
tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate
net: usb: qmi_wwan: Set DTR quirk for MR400
sctp: change to hold/put transport for proto_unreach_timer
qlcnic: fix error return code in qlcnic_83xx_restart_hw()
net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request
net/mlx4_core: Fix init_hca fields offset
* netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist()
net/netlabel/netlabel_unlabeled.c
* netlabel: fix our progress tracking in netlbl_unlabel_staticlist()
net/netlabel/netlabel_unlabeled.c
net: Have netpoll bring-up DSA management interface
* net: bridge: add missing counters to ndo_get_stats64 callback
net/bridge/br_device.c
net: b44: fix error return code in b44_init_one()
* inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill()
net/ipv4/inet_diag.c
devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill()
bnxt_en: read EEPROM A2h address using page 0
atm: nicstar: Unmap DMA on send error
* ah6: fix error return code in ah6_input()
net/ipv6/ah6.c
Merge 4.9.245 into android-4.9-q
Linux 4.9.245
ACPI: GED: fix -Wformat
KVM: x86: clflushopt should be treated as a no-op by emulation
mac80211: always wind down STA state
Input: sunkbd - avoid use-after-free in teardown paths
powerpc/8xx: Always fault when _PAGE_ACCESSED is not set
i2c: mux: pca954x: Add missing pca9546 definition to chip_desc
i2c: imx: Fix external abort on interrupt in exit paths
i2c: imx: use clk notifier for rate changes
powerpc/64s: flush L1D after user accesses
powerpc/uaccess: Evaluate macro arguments once, before user access is allowed
powerpc: Fix __clear_user() with KUAP enabled
powerpc: Implement user_access_begin and friends
powerpc: Add a framework for user access tracking
powerpc/64s: flush L1D on kernel entry
powerpc/64s: move some exception handlers out of line
powerpc/64s: Define MASKABLE_RELON_EXCEPTION_PSERIES_OOL
Linux 4.9.244
Convert trailing spaces and periods in path components
* ext4: fix leaking sysfs kobject after failed mount
fs/ext4/super.c
* reboot: fix overflow parsing reboot cpu number
kernel/reboot.c
* Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint"
kernel/reboot.c
* perf/core: Fix race in the perf_mmap_close() function
kernel/events/core.c
xen/events: block rogue events for some time
xen/events: defer eoi in case of excessive number of events
xen/events: use a common cpu hotplug hook for event channels
xen/events: switch user event channels to lateeoi model
xen/pciback: use lateeoi irq binding
xen/scsiback: use lateeoi irq binding
xen/netback: use lateeoi irq binding
xen/blkback: use lateeoi irq binding
xen/events: add a new "late EOI" evtchn framework
xen/events: fix race in evtchn_fifo_unmask()
xen/events: add a proper barrier to 2-level uevent unmasking
xen/events: avoid removing an event channel while handling it
* perf/core: Fix a memory leak in perf_event_parse_addr_filter()
kernel/events/core.c
* perf/core: Fix crash when using HW tracing kernel filters
kernel/events/core.c
* perf/core: Fix bad use of igrab()
include/linux/perf_event.h
kernel/events/core.c
x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP
* random32: make prandom_u32() output unpredictable
drivers/char/random.c
include/linux/prandom.h
kernel/time/timer.c
lib/random32.c
net: Update window_clamp if SOCK_RCVBUF is set
net/x25: Fix null-ptr-deref in x25_connect
net/af_iucv: fix null pointer dereference on shutdown
* IPv6: Set SIT tunnel hard_header_len to zero
net/ipv6/sit.c
* swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb"
lib/swiotlb.c
pinctrl: amd: fix incorrect way to disable debounce filter
pinctrl: amd: use higher precision for 512 RtcClk
drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[]
* don't dump the threads that had been already exiting when zapped.
kernel/exit.c
ocfs2: initialize ip_next_orphan
mei: protect mei_cl_mtu from null dereference
usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode
* ext4: unlock xattr_sem properly in ext4_inline_data_truncate()
fs/ext4/inline.c
* ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA
fs/ext4/super.c
* perf: Fix get_recursion_context()
kernel/events/internal.h
cosa: Add missing kfree in error path of cosa_write
* of/address: Fix of_node memory leak in of_dma_is_coherent
drivers/of/address.c
xfs: fix a missing unlock on error in xfs_fs_map_blocks
xfs: fix rmap key and record comparison functions
xfs: fix flags argument to rmap lookup when converting shared file rmaps
pinctrl: aspeed: Fix GPI only function problem.
iommu/amd: Increase interrupt remapping table limit to 512 entries
scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
* cfg80211: regulatory: Fix inconsistent format argument
net/wireless/reg.c
mac80211: fix use of skb payload instead of header
drm/amdgpu: perform srbm soft reset always on SDMA resume
scsi: hpsa: Fix memory leak in hpsa_init_one()
gfs2: check for live vs. read-only file system in gfs2_fitrim
gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free
usb: gadget: goku_udc: fix potential crashes in probe
ath9k_htc: Use appropriate rs_datalen type
geneve: add transport ports in route lookup for geneve
i40e: Memory leak in i40e_config_iwarp_qvlist
i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
i40e: Wrong truncation from u16 to u8
i40e: add num_vectors checker in iwarp handler
i40e: Fix a potential NULL pointer dereference
* pinctrl: devicetree: Avoid taking direct reference to device name string
drivers/pinctrl/devicetree.c
Btrfs: fix missing error return if writeback for extent buffer never started
xfs: flush new eof page on truncate to avoid post-eof corruption
can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping
can: peak_usb: add range checking in decode operations
can: can_create_echo_skb(): fix echo skb generation: always use skb_clone()
can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames
can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context
ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
perf tools: Add missing swap for ino_generation
* net: xfrm: fix a race condition during allocing spi
net/xfrm/xfrm_state.c
* genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY
kernel/irq/Kconfig
btrfs: reschedule when cloning lots of extents
* time: Prevent undefined behaviour in timespec64_to_ns()
include/linux/time64.h
mm: mempolicy: fix potential pte_unmap_unlock pte error
gfs2: Wake up when sd_glock_disposal becomes zero
* ring-buffer: Fix recursion protection transitions between interrupt context
kernel/trace/ring_buffer.c
* regulator: defer probe when trying to get voltage from unresolved supply
drivers/regulator/core.c
UPSTREAM: thermal/drivers/hisi: Remove bogus const from function return type
* UPSTREAM: net/ipv6: don't reinitialize ndev->cnf.addr_gen_mode on new inet6_dev
net/ipv6/addrconf.c
UPSTREAM: tee: shm: fix use-after-free via temporarily dropped reference
UPSTREAM: Documentation: ip-sysctl.txt: document addr_gen_mode
UPSTREAM: net: crypto set sk to NULL when af_alg_release.
* UPSTREAM: ipv6: don't auto-add link-local address to lag ports
net/ipv6/addrconf.c
* UPSTREAM: ipv6: ndisc: RFC-ietf-6man-ra-pref64-09 is now published as RFC8781
include/net/ndisc.h
* UPSTREAM: binder: fix incorrect cmd to binder_stat_br
drivers/android/binder.c
* UPSTREAM: arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb
arch/arm64/include/asm/mmu_context.h
UPSTREAM: staging: android: vsoc: fix copy_from_user overrun
Merge 4.9.243 into android-4.9-q
Linux 4.9.243
powercap: restrict energy meter to root access
Merge 4.9.242 into android-4.9-q
Linux 4.9.242
Revert "ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE"
ARC: stack unwinding: avoid indefinite looping
* USB: Add NO_LPM quirk for Kingston flash drive
drivers/usb/core/quirks.c
USB: serial: option: add Telit FN980 composition 0x1055
USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231
USB: serial: cyberjack: fix write-URB completion race
serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init
serial: 8250_mtk: Fix uart_get_baud_rate warning
* fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent
kernel/fork.c
* vt: Disable KD_FONT_OP_COPY
drivers/tty/vt/vt.c
ACPI: NFIT: Fix comparison to '-ENXIO'
vsock: use ns_capable_noaudit() on socket create
* scsi: core: Don't start concurrent async scan on same host
drivers/scsi/scsi_scan.c
* of: Fix reserved-memory overlap detection
drivers/of/of_reserved_mem.c
x86/kexec: Use up-to-dated screen_info copy to fill boot params
ARM: dts: sun4i-a10: fix cpu_alert temperature
* tracing: Fix out of bounds write in get_trace_buf
kernel/trace/trace.c
* ftrace: Handle tracing when switching between context
kernel/trace/trace.h
* ftrace: Fix recursion check for NMI test
kernel/trace/trace.h
* kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled
kernel/kthread.c
* ALSA: usb-audio: Add implicit feedback quirk for Qu-16
sound/usb/pcm.c
Fonts: Replace discarded const qualifier
gianfar: Account for Tx PTP timestamp in the skb headroom
gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP
tipc: fix use-after-free in tipc_bcast_get_mode
xen/events: don't use chip_data for legacy IRQs
staging: octeon: Drop on uncorrectable alignment or FCS error
staging: octeon: repair "fixed-link" support
staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice
* KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR
arch/arm64/include/asm/kvm_host.h
* device property: Don't clear secondary pointer for shared primary firmware node
drivers/base/core.c
* device property: Keep secondary firmware node secondary by type
drivers/base/core.c
ARM: s3c24xx: fix missing system reset
ARM: samsung: fix PM debug build with DEBUG_LL but !MMU
hil/parisc: Disable HIL driver when it gets stuck
cachefiles: Handle readpage error correctly
* arm64: berlin: Select DW_APB_TIMER_OF
arch/arm64/Kconfig.platforms
* tty: make FONTX ioctl use the tty pointer they were actually passed
drivers/tty/vt/vt_ioctl.c
rtc: rx8010: don't modify the global rtc ops
vringh: fix __vringh_iov() when riov and wiov are different
* ring-buffer: Return 0 on success from ring_buffer_resize()
kernel/trace/ring_buffer.c
9P: Cast to loff_t before multiplying
libceph: clear con->out_msg on Policy::stateful_server faults
ceph: promote to unsigned long long before shifting
ia64: fix build error with !COREDUMP
ubi: check kthread_should_stop() after the setting of task state
ubifs: dent: Fix some potential memory leaks while iterating entries
powerpc/powernv/elog: Fix race while processing OPAL error log event.
powerpc: Warn about use of smt_snooze_delay
iio:gyro:itg3200: Fix timestamp alignment and prevent data leak.
iio:adc:ti-adc12138 Fix alignment issue with timestamp
iio:light:si1145: Fix timestamp alignment and prevent data leak.
dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status
* vt: keyboard, extend func_buf_lock to readers
drivers/tty/vt/keyboard.c
* vt: keyboard, simplify vt_kdgkbsent
drivers/tty/vt/keyboard.c
usb: host: fsl-mph-dr-of: check return of dma_set_mask()
* usb: dwc3: core: don't trigger runtime pm when remove driver
drivers/usb/dwc3/core.c
* usb: dwc3: core: add phy cleanup for probe error handling
drivers/usb/dwc3/core.c
btrfs: fix use-after-free on readahead extent after failure to create it
btrfs: cleanup cow block on error
btrfs: reschedule if necessary when logging directory items
scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove()
w1: mxc_w1: Fix timeout resolution problem leading to bus error
acpi-cpufreq: Honor _PSD table setting on new AMD CPUs
ACPI: debug: don't allow debugging when ACPI is disabled
ACPI: video: use ACPI backlight for HP 635 Notebook
ACPI / extlog: Check for RDMSR failure
NFS: fix nfs_path in case of a rename retry
* fs: Don't invalidate page buffers in block_write_full_page()
fs/buffer.c
leds: bcm6328, bcm6358: use devres LED registering function
perf/x86/amd/ibs: Fix raw sample data accumulation
perf/x86/amd/ibs: Don't include randomized bits in get_ibs_op_count()
md/raid5: fix oops during stripe resizing
ARM: dts: s5pv210: remove dedicated 'audio-subsystem' node
ARM: dts: s5pv210: move PMU node out of clock controller
ARM: dts: s5pv210: remove DMA controller bus node name to fix dtschema warnings
memory: emif: Remove bogus debugfs error handling
gfs2: add validation checks for size of superblock
* ext4: Detect already used quota file early
fs/ext4/super.c
drivers: watchdog: rdc321x_wdt: Fix race condition bugs
net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid
clk: ti: clockdomain: fix static checker warning
md/bitmap: md_bitmap_get_counter returns wrong blocks
power: supply: test_power: add missing newlines when printing parameters by sysfs
bus/fsl_mc: Do not rely on caller to provide non NULL mc_io
drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values
* arm64/mm: return cpu_all_mask when node is NUMA_NO_NODE
arch/arm64/include/asm/numa.h
USB: adutux: fix debugging
cpufreq: sti-cpufreq: add stih418 support
* kgdb: Make "kgdbcon" work properly with "kgdb_earlycon"
kernel/debug/debug_core.c
* printk: reduce LOG_BUF_SHIFT range for H8300
init/Kconfig
mmc: via-sdmmc: Fix data race bug
media: tw5864: check status of tw5864_frameinterval_get
ath10k: fix VHT NSS calculation when STBC is enabled
video: fbdev: pvr2fb: initialize variables
xfs: fix realtime bitmap/summary file truncation when growing rt volume
ARM: 8997/2: hw_breakpoint: Handle inexact watchpoint addresses
um: change sigio_spinlock to a mutex
* f2fs: fix to check segment boundary during SIT page readahead
fs/f2fs/checkpoint.c
* f2fs: add trace exit in exception path
fs/f2fs/checkpoint.c
sparc64: remove mm_cpumask clearing to fix kthread_use_mm race
powerpc/powernv/smp: Fix spurious DBG() warning
mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish()
* fscrypt: use EEXIST when file already uses different policy
fs/crypto/policy.c
* fscrypto: move ioctl processing more fully into common code
fs/crypto/policy.c
fs/ext4/ext4.h
fs/ext4/ioctl.c
fs/f2fs/f2fs.h
fs/f2fs/file.c
* fscrypt: return -EXDEV for incompatible rename or link into encrypted dir
fs/crypto/policy.c
fs/ext4/namei.c
fs/f2fs/namei.c
ata: sata_rcar: Fix DMA boundary mask
mtd: lpddr: Fix bad logic in print_drs_error
p54: avoid accessing the data mapped to streaming DMA
* fuse: fix page dereference after free
fs/fuse/dev.c
arch/x86/amd/ibs: Fix re-arming IBS Fetch
tipc: fix memory leak caused by tipc_buf_append()
ravb: Fix bit fields checking in ravb_hwtstamp_get()
efivarfs: Replace invalid slashes with exclamation marks in dentries.
powerpc/powernv/opal-dump : Use IRQ_HANDLED instead of numbers in interrupt handler
* scripts/setlocalversion: make git describe output more reliable
scripts/setlocalversion
SUNRPC: ECONNREFUSED should cause a rebind.
* ANDROID: Temporarily disable XFRM_USER_COMPAT filtering
net/xfrm/xfrm_state.c
net/xfrm/xfrm_user.c
* BACKPORT: xfrm/compat: Translate 32-bit user_policy from sockptr
include/net/xfrm.h
net/xfrm/xfrm_state.c
* BACKPORT: xfrm/compat: Add 32=>64-bit messages translator
include/net/xfrm.h
net/xfrm/Kconfig
net/xfrm/xfrm_user.c
* UPSTREAM: xfrm/compat: Attach xfrm dumps to 64=>32 bit translator
net/xfrm/xfrm_user.c
* BACKPORT: xfrm/compat: Add 64=>32-bit messages translator
include/net/xfrm.h
net/xfrm/xfrm_user.c
* BACKPORT: xfrm: Provide API to register translator module
include/net/xfrm.h
net/xfrm/Kconfig
net/xfrm/Makefile
net/xfrm/xfrm_state.c
* UPSTREAM: mm/sl[uo]b: export __kmalloc_track(_node)_caller
mm/slub.c
ANDROID: Publish uncompressed Image on aarch64
* ANDROID: Makefile: append BUILD_NUMBER to version string when defined
Makefile
Change-Id: I345c9bde484cf008679253982f61b2a833527c3e
Signed-off-by: Lucas Wei <lucaswei@google.com>
|
||
|
Todd Kjos
|
6f9b0092dc |
UPSTREAM: binder: fix incorrect cmd to binder_stat_br
commit 26549d177410 ("binder: guarantee txn complete / errors delivered
in-order") passed the locally declared and undefined cmd
to binder_stat_br() which results in a bogus cmd field in a trace
event and BR stats are incremented incorrectly.
Change to use e->cmd which has been initialized.
Signed-off-by: Todd Kjos <tkjos@google.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 26549d177410 ("binder: guarantee txn complete / errors delivered in-order")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4f9adc8f91ba996374cd9487ecd1180fa99b9438)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3bdef308dcc4453c0c538c1be414801d18d49aa5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Todd Kjos
|
a5b0e8dda9 |
UPSTREAM: binder: fix UAF when releasing todo list
When releasing a thread todo list when tearing down a binder_proc, the following race was possible which could result in a use-after-free: 1. Thread 1: enter binder_release_work from binder_thread_release 2. Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked() 3. Thread 2: dec nodeA --> 0 (will free node) 4. Thread 1: ACQ inner_proc_lock 5. Thread 2: block on inner_proc_lock 6. Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA) 7. Thread 1: REL inner_proc_lock 8. Thread 2: ACQ inner_proc_lock 9. Thread 2: todo list cleanup, but work was already dequeued 10. Thread 2: free node 11. Thread 2: REL inner_proc_lock 12. Thread 1: deref w->type (UAF) The problem was that for a BINDER_WORK_NODE, the binder_work element must not be accessed after releasing the inner_proc_lock while processing the todo list elements since another thread might be handling a deref on the node containing the binder_work element leading to the node being freed. Signed-off-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com Cc: <stable@vger.kernel.org> # 4.14, 4.19, 5.4, 5.8 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit f3277cbfba763cd2826396521b9296de67cf1bbc) Change-Id: I7c1bf0b74824f272664e76206c5dc3b66b9eeaff Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Petri Gynther
|
ac81de6ec6 |
Merge android-msm-pixel-4.9-rvc-qpr1 into android-msm-pixel-4.9
Signed-off-by: Petri Gynther <pgynther@google.com> Change-Id: Ic6fbec1a341a662ea69d18358c676bcf5cb1e9e7 |
||
|
lucaswei
|
28f89a6c66 |
Merge android-4.9-q (4.9.234) into android-msm-pixel-4.9-lts
Merge 4.9.234 into android-4.9-q
Linux 4.9.234
KVM: arm/arm64: Don't reschedule in unmap_stage2_range()
xen: don't reschedule in preemption off sections
mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible
* do_epoll_ctl(): clean the failure exits up a bit
fs/eventpoll.c
* epoll: Keep a reference on files added to the check list
fs/eventpoll.c
powerpc: Allow 4224 bytes of stack expansion for the signal frame
powerpc/pseries: Do not initiate shutdown when system is running on UPS
net: dsa: b53: check for timeout
ASoC: intel: Fix memleak in sst_media_open
net: fec: correct the error path for regulator disable in probe
i40e: Set RX_ONLY mode for unicast promiscuous on VLAN
* ext4: fix potential negative array index in do_split()
fs/ext4/namei.c
alpha: fix annotation of io{read,write}{16,32}be()
xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init
virtio_ring: Avoid loop when vq is broken in virtqueue_poll
scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases
jffs2: fix UAF problem
xfs: fix inode quota reservation checks
m68knommu: fix overwriting of bits in ColdFire V3 cache control
Input: psmouse - add a newline when printing 'proto' by sysfs
media: vpss: clean up resources in init
media: budget-core: Improve exception handling in budget_register()
* scsi: ufs: Add DELAY_BEFORE_LPM quirk for Micron devices
drivers/scsi/ufs/ufs_quirks.h
drivers/scsi/ufs/ufshcd.c
* ext4: fix checking of directory entry validity for inline directories
fs/ext4/namei.c
* ext4: clean up ext4_match() and callers
fs/ext4/namei.c
* mm, page_alloc: fix core hung in free_pcppages_bulk()
mm/page_alloc.c
* mm: include CMA pages in lowmem_reserve at boot
mm/page_alloc.c
kernel/relay.c: fix memleak on destroy relay channel
romfs: fix uninitialized memory leak in romfs_dev_read()
btrfs: don't show full path of bind mounts in subvol=
btrfs: export helpers for subvolume name/id resolution
khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()
khugepaged: khugepaged_test_exit() check mmget_still_valid()
tracing/hwlat: Honor the tracing_cpumask
tracing: Clean up the hwlat binding code
perf probe: Fix memory leakage when the probe point is not found
drm/imx: imx-ldb: Disable both channels for split mode in enc->disable()
x86/asm: Add instruction suffixes to bitops
x86/asm: Remove unnecessary \n\t in front of CC_SET() from asm templates
* ANDROID: fix a bug in quota2
net/netfilter/xt_quota2.c
Merge 4.9.233 into android-4.9-q
* UPSTREAM: binder: Prevent context manager from incrementing ref 0
drivers/android/binder.c
Linux 4.9.233
* mm: Avoid calling build_all_zonelists_init under hotplug context
include/linux/mmzone.h
init/main.c
mm/page_alloc.c
khugepaged: retract_page_tables() remember to test exit
sh: landisk: Add missing initialization of sh_io_port_base
ALSA: echoaudio: Fix potential Oops in snd_echo_resume()
mfd: dln2: Run event handler loop under spinlock
fs/ufs: avoid potential u32 multiplication overflow
nfs: Fix getxattr kernel panic and memory overflow
net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init
drm/vmwgfx: Fix two list_for_each loop exit tests
Input: sentelic - fix error return when fsp_reg_write fails
pwm: bcm-iproc: handle clk_get_rate() return
clk: clk-atlas6: fix return value check in atlas6_clk_init()
i2c: rcar: slave: only send STOP event when we have been addressed
iommu/vt-d: Enforce PASID devTLB field mask
iommu/omap: Check for failure of a call to omap_iommu_dump_ctx
gpu: ipu-v3: image-convert: Combine rotate/no-rotate irq handlers
USB: serial: ftdi_sio: clean up receive processing
USB: serial: ftdi_sio: make process-packet buffer unsigned
mfd: arizona: Ensure 32k clock is put on driver unbind and error
pseries: Fix 64 bit logical memory block panic
watchdog: f71808e_wdt: clear watchdog timeout occurred flag
watchdog: f71808e_wdt: remove use of wrong watchdog_info option
watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in watchdog_info.options
kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler
ftrace: Setup correct FTRACE_FL_REGS flags for module
ocfs2: change slot number type s16 to u16
ext2: fix missing percpu_counter_inc
MIPS: CPU#0 is not hotpluggable
mac80211: fix misplaced while instead of if
bcache: allocate meta data pages as compound pages
md/raid5: Fix Force reconstruct-write io stuck in degraded raid5
* net/compat: Add missing sock updates for SCM_RIGHTS
include/net/sock.h
net/compat.c
net/core/sock.c
net: stmmac: dwmac1000: provide multicast filter fallback
net: ethernet: stmmac: Disable hardware multicast filter
powerpc: Fix circular dependency between percpu.h and mmu.h
xtensa: fix xtensa_pmu_setup prototype
iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw()
btrfs: fix memory leaks after failure to lookup checksums during inode logging
btrfs: only search for left_info if there is no right_info in try_merge_free_space
btrfs: don't allocate anonymous block device for user invisible roots
PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context()
smb3: warn on confusing error scenario with sec=krb5
xen/balloon: make the balloon wait interruptible
xen/balloon: fix accounting in alloc_xenballooned_pages error path
ARM: 8992/1: Fix unwind_frame for clang-built kernels
parisc: mask out enable and reserved bits from sba imask
9p: Fix memory leak in v9fs_mount
* ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
sound/usb/card.h
sound/usb/pcm.c
sound/usb/quirks.c
sound/usb/stream.c
fs/minix: reject too-large maximum file size
fs/minix: don't allow getting deleted inodes
fs/minix: check return value of sb_getblk()
crypto: ccp - Fix use of merged scatterlists
crypto: qat - fix double free in qat_uclo_create_batch_init_list
* ALSA: usb-audio: add quirk for Pioneer DDJ-RB
sound/usb/quirks-table.h
* ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109
sound/usb/quirks-table.h
* ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support
sound/usb/mixer_quirks.c
USB: serial: cp210x: enable usb generic throttle/unthrottle
USB: serial: cp210x: re-enable auto-RTS on open
* net: Set fput_needed iff FDPUT_FPUT is set
net/socket.c
net/nfc/rawsock.c: add CAP_NET_RAW check.
drivers/net/wan/lapbether: Added needed_headroom and a skb->len check
pinctrl-single: fix pcs_parse_pinconf() return value
dlm: Fix kobject memleak
fsl/fman: fix eth hash table allocation
fsl/fman: check dereferencing null pointer
fsl/fman: fix unreachable code
fsl/fman: fix dereference null return value
fsl/fman: use 32-bit unsigned integer
net: spider_net: Fix the size used in a 'dma_free_coherent()' call
wl1251: fix always return 0 error
s390/qeth: don't process empty bridge port events
selftests/powerpc: Fix online CPU selection
selftests/powerpc: Fix CPU affinity for child process
power: supply: check if calc_soc succeeded in pm860x_init_battery
* Smack: prevent underflow in smk_set_cipso()
security/smack/smackfs.c
* Smack: fix another vsscanf out of bounds
security/smack/smackfs.c
scsi: mesh: Fix panic after host or bus reset
usb: dwc2: Fix error path in gadget registration
USB: serial: iuu_phoenix: fix led-activity helpers
drm/imx: tve: fix regulator_disable error path
PCI/ASPM: Add missing newline in sysfs 'policy'
staging: rtl8192u: fix a dubious looking mask before a shift
powerpc/vdso: Fix vdso cpu truncation
mwifiex: Prevent memory corruption handling keys
scsi: scsi_debug: Add check for sdebug_max_queue during module init
drm: panel: simple: Fix bpc for LG LB070WV8 panel
* leds: core: Flush scheduled work for system suspend
drivers/leds/led-class.c
* PCI: Fix pci_cfg_wait queue locking problem
drivers/pci/access.c
xfs: fix reflink quota reservation accounting error
media: exynos4-is: Add missed check for pinctrl_lookup_state()
media: firewire: Using uninitialized values in node_probe()
scsi: eesox: Fix different dev_id between request_irq() and free_irq()
scsi: powertec: Fix different dev_id between request_irq() and free_irq()
drm/radeon: fix array out-of-bounds read and write issues
cxl: Fix kobject memleak
* drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline
drivers/gpu/drm/drm_mipi_dsi.c
scsi: cumana_2: Fix different dev_id between request_irq() and free_irq()
media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities()
leds: lm355x: avoid enum conversion warning
iio: improve IIO_CONCENTRATION channel type description
video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call
console: newport_con: fix an issue about leak related system resources
video: fbdev: sm712fb: fix an issue about iounmap for a wrong address
agp/intel: Fix a memory leak on module initialisation failure
ACPICA: Do not increment operation_region reference counts for field units
bcache: fix super block seq numbers comparision in register_cache_set()
* dyndbg: fix a BUG_ON in ddebug_describe_flags
lib/dynamic_debug.c
bdc: Fix bug causing crash after multiple disconnects
usb: gadget: net2280: fix memory leak on probe error handling paths
iwlegacy: Check the return value of pcie_capability_read_*()
brcmfmac: To fix Bss Info flag definition Bug
* mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls
mm/mmap.c
* drm/debugfs: fix plain echo to connector "force" attribute
drivers/gpu/drm/drm_debugfs.c
drm/nouveau: fix multiple instances of reference count leaks
md-cluster: fix wild pointer of unlock_all_bitmaps()
video: fbdev: neofb: fix memory leak in neo_scan_monitor()
drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync
fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
drm/tilcdc: fix leak & null ref in panel_connector_get_modes
ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh()
ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()
platform/x86: intel-hid: Fix return value check in check_acpi_dev()
m68k: mac: Fix IOP status/control register writes
m68k: mac: Don't send IOP message until channel is idle
arm64: dts: exynos: Fix silent hang after boot on Espresso
arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property
* EDAC: Fix reference count leaks
drivers/edac/edac_device_sysfs.c
drivers/edac/edac_pci_sysfs.c
* cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
kernel/cgroup.c
* gpio: fix oops resulting from calling of_get_named_gpio(NULL, ...)
drivers/gpio/gpiolib-of.c
* tracepoint: Mark __tracepoint_string's __used
include/linux/tracepoint.h
* Smack: fix use-after-free in smk_write_relabel_self()
security/smack/smackfs.c
usb: hso: check for return value in hso_serial_common_create()
Revert "vxlan: fix tos value before xmit"
net: lan78xx: replace bogus endpoint lookup
vxlan: Ensure FDB dump is performed under RCU
* ipv6: fix memory leaks on IPV6_ADDRFORM path
include/net/addrconf.h
net/ipv6/anycast.c
net/ipv6/ipv6_sockglue.c
* ipv4: Silence suspicious RCU usage warning
net/ipv4/fib_trie.c
* binder: Prevent context manager from incrementing ref 0
drivers/android/binder.c
* xattr: break delegations in {set,remove}xattr
fs/xattr.c
include/linux/xattr.h
tools lib traceevent: Fix memory leak in process_dynamic_array_len
atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
igb: reinit_locked() should be called with rtnl_lock
* cfg80211: check vendor command doit pointer before use
net/wireless/nl80211.c
drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason
net/9p: validate fds in p9_fd_open
leds: 88pm860x: fix use-after-free on unbind
leds: lm3533: fix use-after-free on unbind
leds: da903x: fix use-after-free on unbind
leds: wm831x-status: fix use-after-free on unbind
mtd: properly check all write ioctls for permissions
vgacon: Fix for missing check in scrollback handling
omapfb: dss: Fix max fclk divider for omap36xx
* Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
net/bluetooth/hci_event.c
* Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
net/bluetooth/hci_event.c
* Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
net/bluetooth/hci_event.c
ALSA: seq: oss: Serialize ioctls
net/mlx5e: Don't support phys switch id if not in switchdev mode
USB: serial: qcserial: add EM7305 QDL product ID
* ext4: fix direct I/O read error
fs/ext4/inode.c
* random32: move the pseudo-random 32-bit definitions to prandom.h
include/linux/prandom.h
include/linux/random.h
* random32: remove net_rand_state from the latent entropy gcc plugin
include/linux/random.h
lib/random32.c
* random: fix circular include dependency on arm64 after addition of percpu.h
include/linux/random.h
ARM: percpu.h: fix build error
* random32: update the net random state on interrupt and activity
drivers/char/random.c
include/linux/random.h
kernel/time/timer.c
lib/random32.c
x86/i8259: Use printk_deferred() to prevent deadlock
KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw disabled
xen-netfront: fix potential deadlock in xennet_remove()
Revert "i2c: cadence: Fix the hold bit setting"
net: ethernet: ravb: exit if re-initialization fails in tx timeout
parisc: add support for cmpxchg on u8 pointers
nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame
qed: Disable "MFW indication via attention" SPAM every 5 minutes
usb: hso: Fix debug compile warning on sparc32
* arm64: csum: Fix handling of bad packets
arch/arm64/include/asm/checksum.h
mac80211: mesh: Free pending skb when destroying a mpath
mac80211: mesh: Free ie data when leaving mesh
ibmvnic: Fix IRQ mapping disposal in error path
mlxsw: core: Free EMAD transactions using kfree_rcu()
mlxsw: core: Increase scope of RCU read-side critical section
mlx4: disable device on shutdown
net: lan78xx: fix transfer-buffer memory leak
net: lan78xx: add missing endpoint sanity check
sh: Fix validation of system call number
net/x25: Fix null-ptr-deref in x25_disconnect
net/x25: Fix x25_neigh refcnt leak when x25 disconnect
install several missing uapi headers
* uapi: includes linux/types.h before exporting files
include/uapi/linux/cryptouser.h
include/uapi/linux/pr.h
xfs: fix missed wakeup on l_flush_wait
rds: Prevent kernel-infoleak in rds_notify_queue_get()
fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
* x86, vmlinux.lds: Page-align end of ..page_aligned sections
include/asm-generic/vmlinux.lds.h
x86/build/lto: Fix truncated .bss with -fdata-sections
9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work
9p/trans_fd: abort p9_read_work if req status changed
* f2fs: check if file namelen exceeds max value
fs/f2fs/dir.c
* f2fs: check memory boundary by insane namelen
fs/f2fs/dir.c
* drm: hold gem reference until object is no longer accessed
drivers/gpu/drm/drm_gem.c
drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints
* PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge
drivers/pci/quirks.c
ath9k: release allocated buffer if timed out
ath9k_htc: release allocated buffer if timed out
media: rc: prevent memory leak in cx23888_ir_probe
crypto: ccp - Release all allocated memory if sha type is invalid
net: phy: mdio-bcm-unimac: fix potential NULL dereference in unimac_mdio_probe()
xfs: don't call xfs_da_shrink_inode with NULL bp
xfs: validate cached inodes are free when allocated
xfs: catch inode allocation state mismatch corruption
* BACKPORT: loop: Fix wrong masking of status flags
drivers/block/loop.c
* BACKPORT: loop: Add LOOP_CONFIGURE ioctl
drivers/block/loop.c
include/uapi/linux/loop.h
* BACKPORT: loop: Clean up LOOP_SET_STATUS lo_flags handling
drivers/block/loop.c
include/uapi/linux/loop.h
* BACKPORT: loop: Rework lo_ioctl() __user argument casting
drivers/block/loop.c
* BACKPORT: loop: Move loop_set_status_from_info() and friends up
drivers/block/loop.c
* BACKPORT: loop: Factor out configuring loop from status
drivers/block/loop.c
* BACKPORT: loop: Remove figure_loop_size()
drivers/block/loop.c
* BACKPORT: loop: Refactor loop_set_status() size calculation
drivers/block/loop.c
* BACKPORT: loop: Factor out setting loop device size
drivers/block/loop.c
* BACKPORT: loop: Remove sector_t truncation checks
drivers/block/loop.c
* BACKPORT: loop: Call loop_config_discard() only after new config is applied
drivers/block/loop.c
Change-Id: Ic8aad76543057de6fe453c1790dd17f9df90955c
Signed-off-by: lucaswei <lucaswei@google.com>
|
||
|
Martijn Coenen
|
39dcbed572 |
FROMGIT: binder: print warnings when detecting oneway spamming.
The most common cause of the binder transaction buffer filling up is a client rapidly firing oneway transactions into a process, before it has a chance to handle them. Yet the root cause of this is often hard to debug, because either the system or the app will stop, and by that time binder debug information we dump in bugreports is no longer relevant. This change warns as soon as a process dips below 80% of its oneway space (less than 100kB available in the configuration), when any one process is responsible for either more than 50 transactions, or more than 50% of the oneway space. Signed-off-by: Martijn Coenen <maco@android.com> Signed-off-by: Martijn Coenen <maco@google.com> Acked-by: Todd Kjos <tkjos@google.com> Link: https://lore.kernel.org/r/20200821122544.1277051-1-maco@android.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 261e7818f06ec51e488e007f787ccd7e77272918 git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/ char-misc-next) Bug: 147795659 Change-Id: Idc2b03ddc779880ca4716fdae47a70df43211f25 |
||
|
Jann Horn
|
86ec9d4149 |
UPSTREAM: binder: Prevent context manager from incrementing ref 0
Binder is designed such that a binder_proc never has references to
itself. If this rule is violated, memory corruption can occur when a
process sends a transaction to itself; see e.g.
<https://syzkaller.appspot.com/bug?extid=09e05aba06723a94d43d>.
There is a remaining edgecase through which such a transaction-to-self
can still occur from the context of a task with BINDER_SET_CONTEXT_MGR
access:
- task A opens /dev/binder twice, creating binder_proc instances P1
and P2
- P1 becomes context manager
- P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its
handle table
- P1 dies (by closing the /dev/binder fd and waiting a bit)
- P2 becomes context manager
- P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its
handle table
[this triggers a warning: "binder: 1974:1974 tried to acquire
reference to desc 0, got 1 instead"]
- task B opens /dev/binder once, creating binder_proc instance P3
- P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way
transaction)
- P2 receives the handle and uses it to call P3 (two-way transaction)
- P3 calls P2 (via magic handle 0) (two-way transaction)
- P2 calls P2 (via handle 1) (two-way transaction)
And then, if P2 does *NOT* accept the incoming transaction work, but
instead closes the binder fd, we get a crash.
Solve it by preventing the context manager from using ACQUIRE on ref 0.
There shouldn't be any legitimate reason for the context manager to do
that.
Additionally, print a warning if someone manages to find another way to
trigger a transaction-to-self bug in the future.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Jann Horn
|
1427acbb8b |
binder: Prevent context manager from incrementing ref 0
commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream.
Binder is designed such that a binder_proc never has references to
itself. If this rule is violated, memory corruption can occur when a
process sends a transaction to itself; see e.g.
<https://syzkaller.appspot.com/bug?extid=09e05aba06723a94d43d>.
There is a remaining edgecase through which such a transaction-to-self
can still occur from the context of a task with BINDER_SET_CONTEXT_MGR
access:
- task A opens /dev/binder twice, creating binder_proc instances P1
and P2
- P1 becomes context manager
- P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its
handle table
- P1 dies (by closing the /dev/binder fd and waiting a bit)
- P2 becomes context manager
- P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its
handle table
[this triggers a warning: "binder: 1974:1974 tried to acquire
reference to desc 0, got 1 instead"]
- task B opens /dev/binder once, creating binder_proc instance P3
- P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way
transaction)
- P2 receives the handle and uses it to call P3 (two-way transaction)
- P3 calls P2 (via magic handle 0) (two-way transaction)
- P2 calls P2 (via handle 1) (two-way transaction)
And then, if P2 does *NOT* accept the incoming transaction work, but
instead closes the binder fd, we get a crash.
Solve it by preventing the context manager from using ACQUIRE on ref 0.
There shouldn't be any legitimate reason for the context manager to do
that.
Additionally, print a warning if someone manages to find another way to
trigger a transaction-to-self bug in the future.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Todd Kjos
|
305686f818 |
binder: fix UAF when releasing todo list
When releasing a thread todo list when tearing down
a binder_proc, the following race was possible which
could result in a use-after-free:
1. Thread 1: enter binder_release_work from binder_thread_release
2. Thread 2: binder_update_ref_for_handle() calls binder_dec_node_ilocked()
3. Thread 2: dec nodeA --> 0 (will free node)
4. Thread 1: ACQ inner_proc_lock
5. Thread 2: block on inner_proc_lock
6. Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA)
7. Thread 1: REL inner_proc_lock
8. Thread 2: ACQ inner_proc_lock
9. Thread 2: todo list cleanup, but work was already dequeued
10. Thread 2: free node
11. Thread 2: REL inner_proc_lock
12. Thread 1: deref w->type (UAF)
The problem was that for a BINDER_WORK_NODE, the binder_work element
must not be accessed after releasing the inner_proc_lock while
processing the todo list elements since another thread might be
handling a deref on the node containing the binder_work element
leading to the node being freed.
Bug: 161151868
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I4ae752abfe1aa38872be6f266ddd271802952625
(cherry picked from commit
|
||
|
Todd Kjos
|
9511c11945 |
UPSTREAM: binder: fix incorrect calculation for num_valid
commit 16981742717b04644a41052570fb502682a315d2 upstream.
For BINDER_TYPE_PTR and BINDER_TYPE_FDA transactions, the
num_valid local was calculated incorrectly causing the
range check in binder_validate_ptr() to miss out-of-bounds
offsets.
Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space")
Change-Id: Ida77db13d8e5b726f0b14513f55c2b30277338cd
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191213202531.55010-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 145988638
Signed-off-by: Todd Kjos <tkjos@google.com>
|
||
|
Todd Kjos
|
2ea90f03ca |
UPSTREAM: binder: fix incorrect calculation for num_valid
commit 16981742717b04644a41052570fb502682a315d2 upstream.
For BINDER_TYPE_PTR and BINDER_TYPE_FDA transactions, the
num_valid local was calculated incorrectly causing the
range check in binder_validate_ptr() to miss out-of-bounds
offsets.
Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space")
Change-Id: Ida77db13d8e5b726f0b14513f55c2b30277338cd
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191213202531.55010-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 145988638
Signed-off-by: Todd Kjos <tkjos@google.com>
|
||
|
Todd Kjos
|
fb932ed0ea |
ANDROID: fix binder change in merge of 4.9.188
The 4.9.188 merge was missing the change to the
binder driver associated with the linux-4.9.y
commit
|
||
|
Todd Kjos
|
dc734d732d |
binder: binder: fix possible UAF when freeing buffer
There is a race between the binder driver cleaning up a completed transaction via binder_free_transaction() and a user calling binder_ioctl(BC_FREE_BUFFER) to release a buffer. It doesn't matter which is first but they need to be protected against running concurrently which can result in a UAF. Bug: 133758011 Change-Id: Ie1426ff3d00218d050d61ff77b333ddf8818b7c9 Signed-off-by: Todd Kjos <tkjos@google.com> |
||
|
Martijn Coenen
|
b6c6212514 |
ANDROID: binder: synchronize_rcu() when using POLLFREE.
commit 5eeb2ca02a2f6084fc57ae5c244a38baab07033a upstream. To prevent races with ep_remove_waitqueue() removing the waitqueue at the same time. Reported-by: syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com Signed-off-by: Martijn Coenen <maco@android.com> Cc: stable <stable@vger.kernel.org> # 4.14+ Signed-off-by: Mattias Nissler <mnissler@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Martijn Coenen
|
a494a71146 |
ANDROID: binder: remove waitqueue when thread exits.
commit f5cb779ba16334b45ba8946d6bfa6d9834d1527f upstream. binder_poll() passes the thread->wait waitqueue that can be slept on for work. When a thread that uses epoll explicitly exits using BINDER_THREAD_EXIT, the waitqueue is freed, but it is never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access the waitlist, which results in a use-after-free. Prevent this by using POLLFREE when the thread exits. Signed-off-by: Martijn Coenen <maco@android.com> Reported-by: syzbot <syzkaller@googlegroups.com> Cc: stable <stable@vger.kernel.org> # 4.14 [backport BINDER_LOOPER_STATE_POLL logic as well] Signed-off-by: Mattias Nissler <mnissler@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Martijn Coenen
|
4b5ab4b1a7 |
UPSTREAM: binder: Set end of SG buffer area properly.
In case the target node requests a security context, the extra_buffers_size is increased with the size of the security context. But, that size is not available for use by regular scatter-gather buffers; make sure the ending of that buffer is marked correctly. Bug: 136210786 Acked-by: Todd Kjos <tkjos@google.com> Fixes: ec74136ded79 ("binder: create node flag to request sender's security context") Signed-off-by: Martijn Coenen <maco@android.com> Cc: stable@vger.kernel.org # 5.1+ Link: https://lore.kernel.org/r/20190709110923.220736-1-maco@android.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit a56587065094fd96eb4c2b5ad65571daad32156d) Change-Id: I811842f0d484c9ac2223f5d3185a0783aa21b55e |
||
|
Todd Kjos
|
ebe9182386 |
binder: binder: fix possible UAF when freeing buffer
There is a race between the binder driver cleaning up a completed transaction via binder_free_transaction() and a user calling binder_ioctl(BC_FREE_BUFFER) to release a buffer. It doesn't matter which is first but they need to be protected against running concurrently which can result in a UAF. Bug: 133758011 Change-Id: Ie1426ff3d00218d050d61ff77b333ddf8818b7c9 Signed-off-by: Todd Kjos <tkjos@google.com> |
||
|
Todd Kjos
|
3378ce511d |
ANDROID: fix binder change in merge of 4.9.188
The 4.9.188 merge was missing the change to the
binder driver associated with the linux-4.9.y
commit
|
||
|
Andrea Arcangeli
|
16903f1a5b |
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream.
The core dumping code has always run without holding the mmap_sem for
writing, despite that is the only way to ensure that the entire vma
layout will not change from under it. Only using some signal
serialization on the processes belonging to the mm is not nearly enough.
This was pointed out earlier. For example in Hugh's post from Jul 2017:
https://lkml.kernel.org/r/alpine.LSU.2.11.1707191716030.2055@eggly.anvils
"Not strictly relevant here, but a related note: I was very surprised
to discover, only quite recently, how handle_mm_fault() may be called
without down_read(mmap_sem) - when core dumping. That seems a
misguided optimization to me, which would also be nice to correct"
In particular because the growsdown and growsup can move the
vm_start/vm_end the various loops the core dump does around the vma will
not be consistent if page faults can happen concurrently.
Pretty much all users calling mmget_not_zero()/get_task_mm() and then
taking the mmap_sem had the potential to introduce unexpected side
effects in the core dumping code.
Adding mmap_sem for writing around the ->core_dump invocation is a
viable long term fix, but it requires removing all copy user and page
faults and to replace them with get_dump_page() for all binary formats
which is not suitable as a short term fix.
For the time being this solution manually covers the places that can
confuse the core dump either by altering the vma layout or the vma flags
while it runs. Once ->core_dump runs under mmap_sem for writing the
function mmget_still_valid() can be dropped.
Allowing mmap_sem protected sections to run in parallel with the
coredump provides some minor parallelism advantage to the swapoff code
(which seems to be safe enough by never mangling any vma field and can
keep doing swapins in parallel to the core dumping) and to some other
corner case.
In order to facilitate the backporting I added "Fixes: 86039bd3b4e6"
however the side effect of this same race condition in /proc/pid/mem
should be reproducible since before 2.6.12-rc2 so I couldn't add any
other "Fixes:" because there's no hash beyond the git genesis commit.
Because find_extend_vma() is the only location outside of the process
context that could modify the "mm" structures under mmap_sem for
reading, by adding the mmget_still_valid() check to it, all other cases
that take the mmap_sem for reading don't need the new check after
mmget_not_zero()/get_task_mm(). The expand_stack() in page fault
context also doesn't need the new check, because all tasks under core
dumping are frozen.
Link: http://lkml.kernel.org/r/20190325224949.11068-1-aarcange@redhat.com
Fixes:
|
||
|
Martijn Coenen
|
76d4c949d9 |
UPSTREAM: binder: Set end of SG buffer area properly.
In case the target node requests a security context, the extra_buffers_size is increased with the size of the security context. But, that size is not available for use by regular scatter-gather buffers; make sure the ending of that buffer is marked correctly. Bug: 136210786 Acked-by: Todd Kjos <tkjos@google.com> Fixes: ec74136ded79 ("binder: create node flag to request sender's security context") Signed-off-by: Martijn Coenen <maco@android.com> Cc: stable@vger.kernel.org # 5.1+ Link: https://lore.kernel.org/r/20190709110923.220736-1-maco@android.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit a56587065094fd96eb4c2b5ad65571daad32156d) |
||
|
Todd Kjos
|
aaab68c364 |
UPSTREAM: binder: check for overflow when alloc for security context
commit 0b0509508beff65c1d50541861bc0d4973487dc5 upstream. When allocating space in the target buffer for the security context, make sure the extra_buffers_size doesn't overflow. This can only happen if the given size is invalid, but an overflow can turn it into a valid size. Fail the transaction if an overflow is detected. Bug: 130571081 Change-Id: Ibaec652d2073491cc426a4a24004a848348316bf Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Todd Kjos
|
f65c15f74b |
UPSTREAM: binder: check for overflow when alloc for security context
commit 0b0509508beff65c1d50541861bc0d4973487dc5 upstream. When allocating space in the target buffer for the security context, make sure the extra_buffers_size doesn't overflow. This can only happen if the given size is invalid, but an overflow can turn it into a valid size. Fail the transaction if an overflow is detected. Bug: 130571081 Change-Id: Ibaec652d2073491cc426a4a24004a848348316bf Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Todd Kjos
|
e7becb7fb9 |
BACKPORT: binder: fix race between munmap() and direct reclaim
commit 5cec2d2e5839f9c0fec319c523a911e0a7fd299f upstream. An munmap() on a binder device causes binder_vma_close() to be called which clears the alloc->vma pointer. If direct reclaim causes binder_alloc_free_page() to be called, there is a race where alloc->vma is read into a local vma pointer and then used later after the mm->mmap_sem is acquired. This can result in calling zap_page_range() with an invalid vma which manifests as a use-after-free in zap_page_range(). The fix is to check alloc->vma after acquiring the mmap_sem (which we were acquiring anyway) and skip zap_page_range() if it has changed to NULL. Bug: 120025196 Change-Id: I2f3284d294326ec7736303374769640a1e028783 Cc: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Todd Kjos <tkjos@google.com> Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org> Cc: stable <stable@vger.kernel.org> # 4.14 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Todd Kjos
|
6f3433c47e |
binder: replace "%p" with "%pK"
commit 8ca86f1639ec5890d400fff9211aca22d0a392eb upstream. The format specifier "%p" can leak kernel addresses. Use "%pK" instead. There were 4 remaining cases in binder.c. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [bwh: Backported to 4.9: adjust context] Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Ben Hutchings
|
9cd1447e62 |
binder: Replace "%p" with "%pK" for stable
This was done as part of upstream commits fdfb4a99b6ab "8inder: separate binder allocator structure from binder proc", 19c987241ca1 "binder: separate out binder_alloc functions", and 7a4408c6bd3e "binder: make sure accesses to proc/thread are safe". However, those commits made lots of other changes that are not suitable for stable. Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Petri Gynther
|
b5d151ed14 |
Merge android-4.9 (4.9.165+) into android-msm-bluecross-4.9-lts
commit
|
||
|
Todd Kjos
|
0b90a82cfe |
ANDROID: binder: remove extra declaration left after backport
When backporting commit 1a7c3d9bb7a9 ("binder: create
userspace-to-binder-buffer copy function"), an extra "int target_fd;"
was left in the code. This resulted in the possibility of accessing
an uninitialized variable which was flagged by gcc.
Bug: 67668716
Change-Id: I787ed89579e9d40e8530d79be67cc663ec755e54
Signed-off-by: Todd Kjos <tkjos@google.com>
|
||
|
Todd Kjos
|
c8ddc8cc40 |
FROMGIT: binder: fix BUG_ON found by selinux-testsuite
The selinux-testsuite found an issue resulting in a BUG_ON()
where a conditional relied on a size_t going negative when
checking the validity of a buffer offset.
(cherry picked from commit 5997da82145bb7c9a56d834894cb81f81f219344
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-linus)
Bug: 67668716
Bug: 129349786
Change-Id: Ib3b408717141deadddcb6b95ad98c0b97d9d98ea
Fixes: 7a67a39320df ("binder: add function to copy binder object from buffer")
Reported-by: Paul Moore <paul@paul-moore.com>
Tested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
|
||
|
Todd Kjos
|
70d7ef53ef |
UPSTREAM: binder: fix handling of misaligned binder object
Fixes crash found by syzbot: kernel BUG at drivers/android/binder_alloc.c:LINE! (2) (cherry pick from commit 26528be6720bb40bc8844e97ee73a37e530e9c5e) Bug: 67668716 Reported-and-tested-by: syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: Ib8597dd05a158f78503d4affe6c5f46ded16a811 |
||
|
Todd Kjos
|
557929bd2c |
UPSTREAM: binder: fix sparse issue in binder_alloc_selftest.c
Fixes sparse issues reported by the kbuild test robot running on https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-testing: bde4a19fc04f5 ("binder: use userspace pointer as base of buffer space") Error output (drivers/android/binder_alloc_selftest.c): sparse: warning: incorrect type in assignment (different address spaces) sparse: expected void *page_addr sparse: got void [noderef] <asn:1> *user_data sparse: error: subtraction of different types can't work Fixed by adding necessary "__user" tags. (cherry pick from commit 36f30937922ce75390c73f99e650e4f2eb56b0e6) Bug: 67668716 Reported-by: kbuild test robot <lkp@intel.com> Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: Ia0a16d163251381d4bc04f46a44dddbc18b10a85 |
||
|
Todd Kjos
|
8539b1ea7f |
BACKPORT: binder: use userspace pointer as base of buffer space
Now that alloc->buffer points to the userspace vm_area rename buffer->data to buffer->user_data and rename local pointers that hold user addresses. Also use the "__user" tag to annotate all user pointers so sparse can flag cases where user pointer vaues are copied to kernel pointers. Refactor code to use offsets instead of user pointers. (cherry pick from commit bde4a19fc04f5f46298c86b1acb7a4af1d5f138d) Bug: 67668716 Change-Id: I9d04b844c5994d1f6214da795799e6b373bc9816 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Todd Kjos
|
e60bc94d4f |
UPSTREAM: binder: fix kerneldoc header for struct binder_buffer
Fix the incomplete kerneldoc header for struct binder_buffer. (cherry pick from commit 7a2670a5bc917e4e7c9be5274efc004f9bd1216a) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I6bb942e6a9466b02653349943524462f205af839 |
||
|
Todd Kjos
|
8d24e2a344 |
BACKPORT: binder: remove user_buffer_offset
Remove user_buffer_offset since there is no kernel buffer pointer anymore. (cherry pick from commit c41358a5f5217abd7c051e8d42397e5b80f3b3ed) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I399219867704dc5013453a7738193c742fc970ad |
||
|
Todd Kjos
|
46dc639b9f |
UPSTREAM: binder: remove kernel vm_area for buffer space
Remove the kernel's vm_area and the code that maps buffer pages into it. (cherry pick from commit 880211667b203dd32724f3be224c44c0400aa0a6) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I2595bb8416c2bbfcf97ad3d7380ae94e29c209fb |
||
|
Todd Kjos
|
a2dbf9a1ea |
UPSTREAM: binder: avoid kernel vm_area for buffer fixups
Refactor the functions to validate and fixup struct binder_buffer pointer objects to avoid using vm_area pointers. Instead copy to/from kernel space using binder_alloc_copy_to_buffer() and binder_alloc_copy_from_buffer(). The following functions were refactored: refactor binder_validate_ptr() binder_validate_fixup() binder_fixup_parent() (cherry pick from commit db6b0b810bf945d1991917ffce0e93383101f2fa) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: Ic222af9b6c56bf48fd0b65debe981d19a7809e77 |
||
|
Todd Kjos
|
d73356a21e |
BACKPORT: binder: add function to copy binder object from buffer
When creating or tearing down a transaction, the binder driver examines objects in the buffer and takes appropriate action. To do this without needing to dereference pointers into the buffer, the local copies of the objects are needed. This patch introduces a function to validate and copy binder objects from the buffer to a local structure. (cherry pick from commit 7a67a39320dfba4b36d3be5dae4581194e650316) Bug: 67668716 Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Change-Id: I42dfe238a2d20bdeff479068ca87a80e4577e64a |
||
|
Todd Kjos
|
90a570c956 |
BACKPORT: binder: add functions to copy to/from binder buffers
Avoid vm_area when copying to or from binder buffers. Instead, new copy functions are added that copy from kernel space to binder buffer space. These use kmap_atomic() and kunmap_atomic() to create temporary mappings and then memcpy() is used to copy within that page. Also, kmap_atomic() / kunmap_atomic() use the appropriate cache flushing to support VIVT cache architectures. Allow binder to build if CPU_CACHE_VIVT is defined. Several uses of the new functions are added here. More to follow in subsequent patches. (cherry picked from commit 8ced0c6231ead26eca8cb416dcb7cc1c2cdd41d8) Bug: 67668716 Change-Id: I6a93d2396d0a80c352a1d563fc7fb523a753e38c Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |