bka
33488 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
20d7404d1e |
Revert "hrtimers: Handle CPU state correctly on hotplug"
Causes sleep of death.
This reverts commit
|
||
|
|
3b5fdef6b4 |
Merge tag 'ASB-2025-03-05_11-5.4' into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2025-03-01
CVE-2024-46852
CVE-2024-50302
CVE-2025-22413
# By Greg Kroah-Hartman (7) and others
# Via Greg Kroah-Hartman (3) and Terence Tritton (xWF) (1)
* tag 'ASB-2025-03-05_11-5.4':
ANDROID: ABI: Cuttlefish Symbol update
Revert "net: net_namespace: Optimize the code"
Revert "net: add exit_batch_rtnl() method"
Revert "gtp: use exit_batch_rtnl() method"
Revert "gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp()."
Revert "gtp: Destroy device along with udp socket's netns dismantle."
Linux 5.4.290
Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals
xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals
drm/v3d: Assign job pointer to NULL before signaling the fence
Input: xpad - add support for wooting two he (arm)
Input: xpad - add unofficial Xbox 360 wireless receiver clone
Input: atkbd - map F23 key to support default copilot shortcut
Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null"
USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
ext4: fix slab-use-after-free in ext4_split_extent_at()
ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path
vfio/platform: check the bounds of read/write syscalls
net/xen-netback: prevent UAF in xenvif_flush_hash()
net: xen-netback: hash.c: Use built-in RCU list checking
signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die
m68k: Add missing mmap_read_lock() to sys_cacheflush()
m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal
gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request
ASoC: wm8994: Add depends on MFD core
net: fix data-races around sk->sk_forward_alloc
scsi: sg: Fix slab-use-after-free read in sg_release()
ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
hrtimers: Handle CPU state correctly on hotplug
irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
fs/proc: fix softlockup in __read_vmcore (part 2)
net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
nvmet: propagate npwg topology
poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll()
kheaders: Ignore silly-rename files
hfs: Sanity check the root record
mac802154: check local interfaces before deleting sdata list
i2c: mux: demux-pinctrl: check initial mux selection, too
drm/v3d: Ensure job pointer is set to NULL after job completion
nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
gtp: Destroy device along with udp socket's netns dismantle.
gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().
gtp: use exit_batch_rtnl() method
net: add exit_batch_rtnl() method
net: net_namespace: Optimize the code
net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()
sctp: sysctl: rto_min/max: avoid using current->nsproxy
ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
ocfs2: correct return value of ocfs2_local_free_info()
phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider
phy: core: fix code style in devm_of_phy_provider_unregister
arm64: dts: rockchip: add hevc power domain clock to rk3328
arm64: dts: rockchip: add #power-domain-cells to power domain nodes
arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399
arm64: dts: rockchip: fix defines in pd_vio node for rk3399
iio: inkern: call iio_device_put() only on mapped devices
iio: adc: at91: call input_free_device() on allocated iio_dev
iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
iio: gyro: fxas21002c: Fix missing data update in trigger handler
iio: adc: ti-ads8688: fix information leak in triggered buffer
iio: imu: kmx61: fix information leak in triggered buffer
iio: light: vcnl4035: fix information leak in triggered buffer
iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer
iio: pressure: zpa2326: fix information leak in triggered buffer
usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
usb: fix reference leak in usb_new_device()
USB: core: Disable LPM only for non-suspended ports
USB: usblp: return error when setting unsupported protocol
usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null
USB: serial: cp210x: add Phoenix Contact UPS Device
usb-storage: Add max sectors quirk for Nokia 208
staging: iio: ad9832: Correct phase range check
staging: iio: ad9834: Correct phase range check
USB: serial: option: add Neoway N723-EA support
USB: serial: option: add MeiG Smart SRM815
drm/amd/display: increase MAX_SURFACES to the value supported by hw
ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
drm/amd/display: Add check for granularity in dml ceil/floor helpers
sctp: sysctl: auth_enable: avoid using current->nsproxy
sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
dm thin: make get_first_thin use rcu-safe list first function
tls: Fix tls_sw_sendmsg error handling
net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
tcp/dccp: allow a connection when sk_max_ack_backlog is zero
tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
net: 802: LLC+SNAP OID:PID lookup on start of skb data
ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()
dm array: fix cursor index when skipping across block boundaries
dm array: fix unreleased btree blocks on closing a faulty array cursor
dm array: fix releasing a faulty array block twice in dm_array_cursor_end
jbd2: flush filesystem device before updating tail sequence
Change-Id: I83cf20e29c63126cd17dfa393dca0ce7dfa47a76 |
||
|
|
b9715311a2 |
Merge tag 'ASB-2025-02-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2025-02-01
CVE-2024-53104
CVE-2025-0088
* tag 'ASB-2025-02-05_11-5.4' of https://android.googlesource.com/kernel/common: (449 commits)
ANDROID: gki - change networking configuration
ANDROID: kernelci build-break for 64-bit riscv clang builds (5.4 only)
Revert "BACKPORT: RISC-V: Stop relying on GCC's register allocator's hueristics"
Revert "ANDROID: declare sp_in_global outside of CONFIG_FRAME_POINTER"
ANDROID: GKI: add Trimble symbol list
UPSTREAM: selinux: ignore unknown extended permissions
ANDROID: ABI: Update allowed list for galaxy
Revert "netfilter: Replace zero-length array with flexible-array member"
Revert "tracing: Constify string literal data member in struct trace_event_call"
Revert "skb_expand_head() adjust skb->truesize incorrectly"
Linux 5.4.289
ftrace: use preempt_enable/disable notrace macros to avoid double fault
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
drm: adv7511: Drop dsi single lane support
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
sky2: Add device ID 11ab:4373 for Marvell 88E8075
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
RDMA/uverbs: Prevent integer overflow issue
modpost: fix the missed iteration for the max bit in do_input()
modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host
...
Conflicts:
arch/arm64/boot/dts/vendor/bindings/clock/adi,axi-clkgen.yaml
arch/arm64/boot/dts/vendor/bindings/clock/axi-clkgen.txt
drivers/rpmsg/qcom_glink_native.c
drivers/soc/qcom/socinfo.c
Change-Id: I60727e0cdd974fda5ca71f938bc2f984a8bbf19a |
||
|
|
21c9625b20 |
Merge 5.4.290 into android11-5.4-lts
Changes in 5.4.290
jbd2: flush filesystem device before updating tail sequence
dm array: fix releasing a faulty array block twice in dm_array_cursor_end
dm array: fix unreleased btree blocks on closing a faulty array cursor
dm array: fix cursor index when skipping across block boundaries
ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()
net: 802: LLC+SNAP OID:PID lookup on start of skb data
tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
tcp/dccp: allow a connection when sk_max_ack_backlog is zero
net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
tls: Fix tls_sw_sendmsg error handling
dm thin: make get_first_thin use rcu-safe list first function
sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
sctp: sysctl: auth_enable: avoid using current->nsproxy
drm/amd/display: Add check for granularity in dml ceil/floor helpers
ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
drm/amd/display: increase MAX_SURFACES to the value supported by hw
USB: serial: option: add MeiG Smart SRM815
USB: serial: option: add Neoway N723-EA support
staging: iio: ad9834: Correct phase range check
staging: iio: ad9832: Correct phase range check
usb-storage: Add max sectors quirk for Nokia 208
USB: serial: cp210x: add Phoenix Contact UPS Device
usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null
USB: usblp: return error when setting unsupported protocol
USB: core: Disable LPM only for non-suspended ports
usb: fix reference leak in usb_new_device()
usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
iio: pressure: zpa2326: fix information leak in triggered buffer
iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer
iio: light: vcnl4035: fix information leak in triggered buffer
iio: imu: kmx61: fix information leak in triggered buffer
iio: adc: ti-ads8688: fix information leak in triggered buffer
iio: gyro: fxas21002c: Fix missing data update in trigger handler
iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
iio: adc: at91: call input_free_device() on allocated iio_dev
iio: inkern: call iio_device_put() only on mapped devices
arm64: dts: rockchip: fix defines in pd_vio node for rk3399
arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399
arm64: dts: rockchip: add #power-domain-cells to power domain nodes
arm64: dts: rockchip: add hevc power domain clock to rk3328
phy: core: fix code style in devm_of_phy_provider_unregister
phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider
ocfs2: correct return value of ocfs2_local_free_info()
ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
sctp: sysctl: rto_min/max: avoid using current->nsproxy
net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()
net: net_namespace: Optimize the code
net: add exit_batch_rtnl() method
gtp: use exit_batch_rtnl() method
gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().
gtp: Destroy device along with udp socket's netns dismantle.
nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
drm/v3d: Ensure job pointer is set to NULL after job completion
i2c: mux: demux-pinctrl: check initial mux selection, too
mac802154: check local interfaces before deleting sdata list
hfs: Sanity check the root record
kheaders: Ignore silly-rename files
poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll()
nvmet: propagate npwg topology
net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
fs/proc: fix softlockup in __read_vmcore (part 2)
irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
hrtimers: Handle CPU state correctly on hotplug
ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
scsi: sg: Fix slab-use-after-free read in sg_release()
net: fix data-races around sk->sk_forward_alloc
ASoC: wm8994: Add depends on MFD core
scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request
irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal
m68k: Add missing mmap_read_lock() to sys_cacheflush()
signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die
net: xen-netback: hash.c: Use built-in RCU list checking
net/xen-netback: prevent UAF in xenvif_flush_hash()
vfio/platform: check the bounds of read/write syscalls
ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path
ext4: fix slab-use-after-free in ext4_split_extent_at()
USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null"
Input: atkbd - map F23 key to support default copilot shortcut
Input: xpad - add unofficial Xbox 360 wireless receiver clone
Input: xpad - add support for wooting two he (arm)
drm/v3d: Assign job pointer to NULL before signaling the fence
xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals
Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals
Linux 5.4.290
Change-Id: Ie2e10bc16d6eb9da965c01168b2b8854e5dfaf8c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
95e4f62df2 |
hrtimers: Handle CPU state correctly on hotplug
commit 2f8dea1692eef2b7ba6a256246ed82c365fdc686 upstream.
Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway
through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to
CPUHP_ONLINE:
Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set
to 1 throughout. However, during a CPU unplug operation, the tick and the
clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online
state, for instance CFS incorrectly assumes that the hrtick is already
active, and the chance of the clockevent device to transition to oneshot
mode is also lost forever for the CPU, unless it goes back to a lower state
than CPUHP_HRTIMERS_PREPARE once.
This round-trip reveals another issue; cpu_base.online is not set to 1
after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().
Aside of that, the bulk of the per CPU state is not reset either, which
means there are dangling pointers in the worst case.
Address this by adding a corresponding startup() callback, which resets the
stale per CPU state and sets the online flag.
[ tglx: Make the new callback unconditionally available, remove the online
modification in the prepare() callback and clear the remaining
state in the starting callback instead of the prepare callback ]
Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier")
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20241220134421.3809834-1-koichiro.den@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
be1d9d4cb1 |
kheaders: Ignore silly-rename files
[ Upstream commit 973b710b8821c3401ad7a25360c89e94b26884ac ]
Tell tar to ignore silly-rename files (".__afs*" and ".nfs*") when building
the header archive. These occur when a file that is open is unlinked
locally, but hasn't yet been closed. Such files are visible to the user
via the getdents() syscall and so programs may want to do things with them.
During the kernel build, such files may be made during the processing of
header files and the cleanup may get deferred by fput() which may result in
tar seeing these files when it reads the directory, but they may have
disappeared by the time it tries to open them, causing tar to fail with an
error. Further, we don't want to include them in the tarball if they still
exist.
With CONFIG_HEADERS_INSTALL=y, something like the following may be seen:
find: './kernel/.tmp_cpio_dir/include/dt-bindings/reset/.__afs2080': No such file or directory
tar: ./include/linux/greybus/.__afs3C95: File removed before we read it
The find warning doesn't seem to cause a problem.
Fix this by telling tar when called from gen_kheaders.sh to exclude such
files. This only affects afs and nfs; cifs uses the Windows Hidden
attribute to prevent the file from being seen.
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/r/20241213135013.2964079-2-dhowells@redhat.com
cc: Masahiro Yamada <masahiroy@kernel.org>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: linux-nfs@vger.kernel.org
cc: linux-kernel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
a85d92d704 |
Merge 5.4.289 into android11-5.4-lts
Changes in 5.4.289
net: sched: fix ordering of qlen adjustment
usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled
PCI/AER: Disable AER service on suspend
ALSA: usb: Fix UBSAN warning in parse_audio_unit()
PCI: Add ACS quirk for Broadcom BCM5760X NIC
i2c: pnx: Fix timeout in wait functions
drm/i915: Fix memory leak by correcting cache object name in error handler
erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
erofs: fix incorrect symlink detection in fast symlink
net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll
ionic: use ee->offset when returning sprom data
net: hinic: Fix cleanup in create_rxqs/txqs()
net: ethernet: bgmac-platform: fix an OF node reference leak
netfilter: ipset: Fix for recursive locking warning
mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk
chelsio/chtls: prevent potential integer overflow on 32bit
i2c: riic: Always round-up when calculating bus period
efivarfs: Fix error on non-existent file
USB: serial: option: add TCL IK512 MBIM & ECM
USB: serial: option: add MeiG Smart SLM770A
USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready
USB: serial: option: add MediaTek T7XX compositions
USB: serial: option: add Telit FE910C04 rmnet compositions
sh: clk: Fix clk_enable() to return 0 on NULL clk
zram: refuse to use zero sized block device as backing device
btrfs: tree-checker: reject inline extent items with 0 ref count
NFS/pnfs: Fix a live lock between recalled layouts and layoutget
of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()
nilfs2: prevent use of deleted inode
udmabuf: also check for F_SEAL_FUTURE_WRITE
of: Fix error path in of_parse_phandle_with_args_map()
of: Fix refcount leakage for OF node returned by __of_get_dma_parent()
media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg
bpf: Check negative offsets in __bpf_skb_min_len()
nfsd: restore callback functionality for NFSv4.0
mtd: diskonchip: Cast an operand to prevent potential overflow
phy: core: Fix an OF node refcount leakage in _of_phy_get()
phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()
phy: core: Fix that API devm_phy_put() fails to release the phy
phy: core: Fix that API devm_phy_destroy() fails to destroy the phy
dmaengine: mv_xor: fix child node refcount handling in early exit
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
mtd: rawnand: fix double free in atmel_pmecc_create_user()
tracing/kprobe: Make trace_kprobe's module callback called after jump_label update
scsi: qla1280: Fix hw revision numbering for ISP1020/1040
scsi: megaraid_sas: Fix for a potential deadlock
regmap: Use correct format specifier for logging range errors
platform/x86: asus-nb-wmi: Ignore unknown event 0xCF
scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time
virtio-blk: don't keep queue frozen during system suspend
epoll: Add synchronous wakeup support for ep_poll_callback
MIPS: Probe toolchain support of -msym32
skbuff: introduce skb_expand_head()
ipv6: use skb_expand_head in ip6_finish_output2
ipv6: use skb_expand_head in ip6_xmit
ipv6: fix possible UAF in ip6_finish_output2()
bpf: fix recursive lock when verdict program return SK_PASS
tracing: Constify string literal data member in struct trace_event_call
btrfs: avoid monopolizing a core when activating a swap file
skb_expand_head() adjust skb->truesize incorrectly
ipv6: prevent possible UAF in ip6_xmit()
selinux: ignore unknown extended permissions
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
IB/mlx5: Introduce and use mlx5_core_is_vf()
net/mlx5: Make API mlx5_core_is_ecpf accept const pointer
RDMA/mlx5: Enforce same type port association for multiport RoCE
RDMA/bnxt_re: Add check for path mtu in modify_qp
RDMA/bnxt_re: Fix reporting hw_ver in query_device
RDMA/bnxt_re: Fix max_qp_wrs reported
drm: bridge: adv7511: Enable SPDIF DAI
drm/bridge: adv7511_audio: Update Audio InfoFrame properly
netrom: check buffer length before accessing it
netfilter: Replace zero-length array with flexible-array member
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
net: llc: reset skb->transport_header
ALSA: usb-audio: US16x08: Initialize array before use
af_packet: fix vlan_get_tci() vs MSG_PEEK
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
ila: serialize calls to nf_register_net_hooks()
wifi: mac80211: wake the queues in case of failure in resume
sound: usb: format: don't warn that raw DSD is unsupported
bpf: fix potential error return
net: usb: qmi_wwan: add Telit FE910C04 compositions
irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base
ARC: build: Try to guess GCC variant of cross compiler
modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host
modpost: fix the missed iteration for the max bit in do_input()
RDMA/uverbs: Prevent integer overflow issue
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
sky2: Add device ID 11ab:4373 for Marvell 88E8075
net/sctp: Prevent autoclose integer overflow in sctp_association_init()
drm: adv7511: Drop dsi single lane support
mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()
ftrace: use preempt_enable/disable notrace macros to avoid double fault
Linux 5.4.289
Change-Id: I2fe8ada5386224ce16b22d4e1eff016656be40f3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
177516053e |
ftrace: use preempt_enable/disable notrace macros to avoid double fault
Since the backport commit |
||
|
|
f960a6b5d9 |
bpf: fix potential error return
[ Upstream commit c4441ca86afe4814039ee1b32c39d833c1a16bbc ]
The bpf_remove_insns() function returns WARN_ON_ONCE(error), where error is a result of bpf_adj_branches(), and thus should be always 0
However, if for any reason it is not 0, then it will be converted to boolean by WARN_ON_ONCE and returned to user space as 1, not an actual error value. Fix this by returning the original err after the WARN check.
Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20241210114245.836164-1-aspsk@isovalent.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
|
0146a07f95 |
tracing/kprobe: Make trace_kprobe's module callback called after jump_label update
[ Upstream commit d685d55dfc86b1a4bdcec77c3c1f8a83f181264e ]
Make sure the trace_kprobe's module notifier callback function is called
after jump_label's callback is called. Since the trace_kprobe's callback
eventually checks jump_label address during registering new kprobe on
the loading module, jump_label must be updated before this registration
happens.
Link: https://lore.kernel.org/all/173387585556.995044.3157941002975446119.stgit@devnote2/
Fixes:
|
||
|
|
4d8aad9b5e |
Merge 5.4.288 into android11-5.4-lts
Changes in 5.4.288
usb: host: max3421-hcd: Correctly abort a USB request.
ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys()
usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature
usb: ehci-hcd: fix call balance of clocks handling routines
usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer
xfs: don't drop errno values when we fail to ficlone the entire range
bpf, sockmap: Fix update element with same
batman-adv: Do not send uninitialized TT changes
batman-adv: Remove uninitialized data in full table TT response
batman-adv: Do not let TT changes list grows indefinitely
tipc: fix NULL deref in cleanup_bearer()
net: lapb: increase LAPB_HEADER_LEN
ACPI: resource: Fix memory resource type union access
qca_spi: Fix clock speed for multiple QCA7000
qca_spi: Make driver probing reliable
net/sched: netem: account for backlog updates from child qdisc
ACPICA: events/evxfregn: don't release the ContextMutex that was never acquired
blk-iocost: clamp inuse and skip noops in __propagate_weights()
blk-iocost: fix weight updates of inner active iocgs
blk-iocost: Avoid using clamp() on inuse in __propagate_weights()
KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status
tracing/kprobes: Skip symbol counting logic for module symbols in create_local_trace_kprobe()
xen/netfront: fix crash when removing device
ALSA: usb-audio: Fix a DMA to stack memory bug
Linux 5.4.288
Change-Id: Ie329f210978bae25fa2703d4106a3880bb9ba53c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
20df02cb98 |
tracing/kprobes: Skip symbol counting logic for module symbols in create_local_trace_kprobe()
commit b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols")
avoids checking number_of_same_symbols() for module symbol in
__trace_kprobe_create(), but create_local_trace_kprobe() should avoid this
check too. Doing this check leads to ENOENT for module_name:symbol_name
constructions passed over perf_event_open.
No bug in newer kernels as it was fixed more generally by
commit 9d8616034f16 ("tracing/kprobes: Add symbol counting check when module loads")
Link: https://lore.kernel.org/linux-trace-kernel/20240705161030.b3ddb33a8167013b9b1da202@kernel.org
Fixes: b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols")
Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
0262d4e51f |
Merge tag 'ASB-2024-12-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2024-12-01
* tag 'ASB-2024-12-05_11-5.4' of https://android.googlesource.com/kernel/common: (552 commits)
UPSTREAM: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
ANDROID: add file for recording allowed ABI breaks
Revert "spi: Fix deadlock when adding SPI controllers on SPI buses"
Revert "spi: fix use-after-free of the add_lock mutex"
ANDROID: declare sp_in_global outside of CONFIG_FRAME_POINTER
BACKPORT: RISC-V: Stop relying on GCC's register allocator's hueristics
UPSTREAM: x86/percpu: Clean up percpu_add_op()
UPSTREAM: x86/percpu: Clean up percpu_from_op()
UPSTREAM: x86/percpu: Clean up percpu_to_op()
UPSTREAM: x86/percpu: Introduce size abstraction macros
BACKPORT: FROMGIT: binder: add delivered_freeze to debugfs output
BACKPORT: FROMGIT: binder: fix memleak of proc->delivered_freeze
FROMGIT: binder: allow freeze notification for dead nodes
FROMGIT: binder: fix BINDER_WORK_CLEAR_FREEZE_NOTIFICATION debug logs
FROMGIT: binder: fix BINDER_WORK_FROZEN_BINDER debug logs
BACKPORT: FROMGIT: binder: fix freeze UAF in binder_release_work()
FROMGIT: binder: fix OOB in binder_add_freeze_work()
FROMGIT: binder: fix node UAF in binder_add_freeze_work()
Linux 5.4.286
mm: avoid leaving partial pfn mappings around in error case
...
Conflicts:
arch/arm64/boot/dts/vendor/bindings/gpu/samsung-rotator.txt
arch/arm64/boot/dts/vendor/bindings/gpu/samsung-rotator.yaml
drivers/clk/qcom/clk-rpmh.c
drivers/usb/dwc3/core.c
fs/erofs/decompressor.c
net/qrtr/qrtr.c
Change-Id: Iae3a7502b304d7be66da795411c4f330eef8b693 |
||
|
|
d93411f753 |
Revert "cgroup: Make operations on the cgroup root_list RCU safe"
This reverts commit
|
||
|
|
ad8d63bdc6 |
Merge 5.4.287 into android11-5.4-lts
Changes in 5.4.287
netlink: terminate outstanding dump on socket close
net/mlx5: fs, lock FTE when checking if active
net/mlx5e: kTLS, Fix incorrect page refcounting
ocfs2: uncache inode which has failed entering the group
KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN
nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint
ocfs2: fix UBSAN warning in ocfs2_verify_volume()
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"
media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set
kbuild: Use uname for LINUX_COMPILE_HOST detection
mm: revert "mm: shmem: fix data-race in shmem_getattr()"
ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet
mac80211: fix user-power when emulating chanctx
selftests/watchdog-test: Fix system accidentally reset after watchdog-test
ALSA: hda/realtek: Add subwoofer quirk for Infinix ZERO BOOK 13
x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB
net: usb: qmi_wwan: add Quectel RG650V
soc: qcom: Add check devm_kasprintf() returned value
regulator: rk808: Add apply_bit for BUCK3 on RK809
ASoC: stm: Prevent potential division by zero in stm32_sai_mclk_round_rate()
ASoC: stm: Prevent potential division by zero in stm32_sai_get_clk_div()
proc/softirqs: replace seq_printf with seq_put_decimal_ull_width
ipmr: Fix access to mfc_cache_list without lock held
cifs: Fix buffer overflow when parsing NFS reparse points
NFSD: Force all NFSv4.2 COPY requests to be synchronous
nvme: fix metadata handling in nvme-passthrough
x86/xen/pvh: Annotate indirect branch as safe
mips: asm: fix warning when disabling MIPS_FP_SUPPORT
initramfs: avoid filename buffer overrun
nvme-pci: fix freeing of the HMB descriptor table
m68k: mvme147: Fix SCSI controller IRQ numbers
m68k: mvme16x: Add and use "mvme16x.h"
m68k: mvme147: Reinstate early console
acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block()
s390/syscalls: Avoid creation of arch/arch/ directory
hfsplus: don't query the device logical block size multiple times
firmware: google: Unregister driver_info on failure and exit in gsmi
firmware: google: Unregister driver_info on failure
EDAC/bluefield: Fix potential integer overflow
EDAC/fsl_ddr: Fix bad bit shift operations
crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY
crypto: cavium - Fix the if condition to exit loop after timeout
crypto: bcm - add error check in the ahash_hmac_init function
crypto: cavium - Fix an error handling path in cpt_ucode_load_fw()
time: Fix references to _msecs_to_jiffies() handling of values
soc: ti: smartreflex: Use IRQF_NO_AUTOEN flag in request_irq()
soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()
mmc: mmc_spi: drop buggy snprintf()
efi/tpm: Pass correct address to memblock_reserve
tpm: fix signed/unsigned bug when checking event logs
ARM: dts: cubieboard4: Fix DCDC5 regulator constraints
regmap: irq: Set lockdep class for hierarchical IRQ domains
firmware: arm_scpi: Check the DVFS OPP count returned by the firmware
drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused
wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
drm/omap: Fix locking in omap_gem_new_dmabuf()
wifi: p54: Use IRQF_NO_AUTOEN flag in request_irq()
wifi: mwifiex: Use IRQF_NO_AUTOEN flag in request_irq()
drm/imx/ipuv3: Use IRQF_NO_AUTOEN flag in request_irq()
dt-bindings: vendor-prefixes: Add NeoFidelity, Inc
ASoC: fsl_micfil: Drop unnecessary register read
ASoC: fsl_micfil: do not define SHIFT/MASK for single bits
ASoC: fsl_micfil: use GENMASK to define register bit fields
ASoC: fsl_micfil: fix regmap_write_bits usage
bpf: Fix the xdp_adjust_tail sample prog issue
wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()
drm/panfrost: Remove unused id_mask from struct panfrost_model
drm/msm/adreno: Use IRQF_NO_AUTOEN flag in request_irq()
drm/etnaviv: dump: fix sparse warnings
drm/etnaviv: fix power register offset on GC300
drm/etnaviv: hold GPU lock across perfmon sampling
bpf, sockmap: Several fixes to bpf_msg_push_data
bpf, sockmap: Several fixes to bpf_msg_pop_data
bpf, sockmap: Fix sk_msg_reset_curr
selftests: net: really check for bg process completion
net: rfkill: gpio: Add check for clk_enable()
ALSA: us122l: Use snd_card_free_when_closed() at disconnection
ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
ALSA: 6fire: Release resources at card release
netpoll: Use rcu_access_pointer() in netpoll_poll_lock
trace/trace_event_perf: remove duplicate samples on the first tracepoint event
powerpc/vdso: Flag VDSO64 entry points as functions
mfd: tps65010: Use IRQF_NO_AUTOEN flag in request_irq() to fix race
mfd: da9052-spi: Change read-mask to write-mask
mfd: intel_soc_pmic_bxtwc: Use dev_err_probe()
mfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device
mfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device
mfd: intel_soc_pmic_bxtwc: Use IRQ domain for PMIC devices
cpufreq: loongson2: Unregister platform_driver on failure
mtd: rawnand: atmel: Fix possible memory leak
RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey
mfd: rt5033: Fix missing regmap_del_irq_chip()
scsi: bfa: Fix use-after-free in bfad_im_module_exit()
scsi: fusion: Remove unused variable 'rc'
scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb()
scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()
ocfs2: fix uninitialized value in ocfs2_file_read_iter()
powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static
fbdev/sh7760fb: Alloc DMA memory from hardware device
fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()
dt-bindings: clock: adi,axi-clkgen: convert old binding to yaml format
dt-bindings: clock: axi-clkgen: include AXI clk
clk: axi-clkgen: use devm_platform_ioremap_resource() short-hand
clk: clk-axi-clkgen: make sure to enable the AXI bus clock
perf cs-etm: Don't flush when packet_queue fills up
perf probe: Correct demangled symbols in C++ program
PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads
PCI: cpqphp: Fix PCIBIOS_* return value confusion
m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x
m68k: coldfire/device.c: only build FEC when HW macros are defined
perf trace: Do not lose last events in a race
perf trace: Avoid garbage when not printing a syscall's arguments
rpmsg: glink: Add TX_DATA_CONT command while sending
rpmsg: glink: Send READ_NOTIFY command in FIFO full case
rpmsg: glink: Fix GLINK command prefix
rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length
NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir()
NFSD: Fix nfsd4_shutdown_copy()
vfio/pci: Properly hide first-in-list PCIe extended capability
power: supply: core: Remove might_sleep() from power_supply_put()
net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device
tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets
net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration
marvell: pxa168_eth: fix call balance of pep->clk handling routines
net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken
ipmr: convert /proc handlers to rcu_read_lock()
ipmr: fix tables suspicious RCU usage
usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read()
usb: yurex: make waiting on yurex_write interruptible
USB: chaoskey: fail open after removal
USB: chaoskey: Fix possible deadlock chaoskey_list_lock
misc: apds990x: Fix missing pm_runtime_disable()
staging: greybus: uart: clean up TIOCGSERIAL
apparmor: fix 'Do simple duplicate message elimination'
usb: ehci-spear: fix call balance of sehci clk handling routines
cgroup: Make operations on the cgroup root_list RCU safe
cgroup: Move rcu_head up near the top of cgroup_root
soc: qcom: socinfo: fix revision check in qcom_socinfo_probe()
ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices
ext4: supress data-race warnings in ext4_free_inodes_{count,set}()
ext4: fix FS_IOC_GETFSMAP handling
jfs: xattr: check invalid xattr size more strictly
ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata()
PCI: Fix use-after-free of slot->bus on hot remove
comedi: Flush partial mappings in error case
tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler
Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}()
Revert "usb: gadget: composite: fix OS descriptors w_value logic"
serial: sh-sci: Clean sci_ports[0] after at earlycon exit
Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit"
netfilter: ipset: add missing range check in bitmap_ip_uadt
spi: Fix acpi deferred irq probe
ubi: wl: Put source PEB into correct list if trying locking LEB failed
um: ubd: Do not use drvdata in release
um: net: Do not use drvdata in release
serial: 8250: omap: Move pm_runtime_get_sync
um: vector: Do not use drvdata in release
sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled
block: fix ordering between checking BLK_MQ_S_STOPPED request adding
HID: wacom: Interpret tilt data from Intuos Pro BT as signed values
media: wl128x: Fix atomicity violation in fmc_send_cmd()
ALSA: hda/realtek: Update ALC225 depop procedure
ALSA: hda/realtek: Set PCBeep to default value for ALC274
ALSA: hda/realtek: Fix Internal Speaker and Mic boost of Infinix Y4 Max
ALSA: hda/realtek: Apply quirk for Medion E15433
usb: dwc3: gadget: Fix checking for number of TRBs left
lib: string_helpers: silence snprintf() output truncation warning
NFSD: Prevent a potential integer overflow
SUNRPC: make sure cache entry active before cache_show
rpmsg: glink: Propagate TX failures in intentless mode as well
um: Fix potential integer overflow during physmem setup
um: Fix the return value of elf_core_copy_task_fpregs
um/sysrq: remove needless variable sp
um: add show_stack_loglvl()
um: Clean up stacktrace dump
um: Always dump trace for specified task in show_stack
NFSv4.0: Fix a use-after-free problem in the asynchronous open()
rtc: st-lpc: Use IRQF_NO_AUTOEN flag in request_irq()
rtc: abx80x: Fix WDT bit position of the status register
rtc: check if __rtc_read_time was successful in rtc_timer_do_work()
ubifs: Correct the total block count by deducting journal reservation
ubi: fastmap: Fix duplicate slab cache names while attaching
ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit
jffs2: fix use of uninitialized variable
block: return unsigned int from bdev_io_min
9p/xen: fix init sequence
9p/xen: fix release of IRQ
rtc: ab-eoz9: don't fail temperature reads on undervoltage notification
modpost: remove incorrect code in do_eisa_entry()
SUNRPC: correct error code comment in xs_tcp_setup_socket()
SUNRPC: Replace internal use of SOCKWQ_ASYNC_NOSPACE
sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport
sh: intc: Fix use-after-free bug in register_intc_controller()
ASoC: fsl_micfil: fix the naming style for mask definition
quota: flush quota_release_work upon quota writeback
btrfs: ref-verify: fix use-after-free after invalid ref action
media: i2c: tc358743: Fix crash in the probe error path when using polling
media: ts2020: fix null-ptr-deref in ts2020_probe()
media: venus: Fix pm_runtime_set_suspended() with runtime pm enabled
media: gspca: ov534-ov772x: Fix off-by-one error in set_frame_rate()
media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()
ovl: Filter invalid inodes with missing lookup function
ftrace: Fix regression with module command in stack_trace_filter
clk: qcom: gcc-qcs404: fix initial rate of GPLL3
ad7780: fix division by zero in ad7780_write_raw()
util_macros.h: fix/rework find_closest() macros
i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs()
dm thin: Add missing destroy_work_on_stack()
nfsd: make sure exp active before svc_export_show
nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur
drm/etnaviv: flush shader L1 cache after user commandstream
iTCO_wdt: mask NMI_NOW bit for update_no_reboot_bit() call
watchdog: mediatek: Make sure system reset gets asserted in mtk_wdt_restart()
can: sun4i_can: sun4i_can_err(): call can_change_state() even if cf is NULL
can: sun4i_can: sun4i_can_err(): fix {rx,tx}_errors statistics
ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()
netfilter: x_tables: fix LED ID check in led_tg_check()
net/sched: tbf: correct backlog statistic for GSO packets
can: j1939: j1939_session_new(): fix skb reference counting
net/ipv6: release expired exception dst cached in socket
dccp: Fix memory leak in dccp_feat_change_recv
tipc: add reference counter to bearer
tipc: enable creating a "preliminary" node
tipc: add new AEAD key structure for user API
tipc: Fix use-after-free of kernel socket in cleanup_bearer().
net/qed: allow old cards not supporting "num_images" to work
igb: Fix potential invalid memory access in igb_init_module()
netfilter: ipset: Hold module reference while requesting a module
netfilter: nft_set_hash: skip duplicated elements pending gc run
xen/xenbus: reference count registered modules
xenbus/backend: Add memory pressure handler callback
xenbus/backend: Protect xenbus callback with lock
xen/xenbus: fix locking
xen: Fix the issue of resource not being properly released in xenbus_dev_probe()
x86/asm: Reorder early variables
crypto: x86/aegis128 - access 32-bit arguments as 32-bit
gpio: grgpio: use a helper variable to store the address of ofdev->dev
gpio: grgpio: Add NULL check in grgpio_probe
drm/sti: Add __iomem for mixer_dbg_mxn's parameter
tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg
spi: mpc52xx: Add cancel_work_sync before module remove
ocfs2: free inode when ocfs2_get_init_inode() fails
bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie
bpf: Fix exact match conditions in trie_get_next_key()
HID: wacom: fix when get product name maybe null pointer
tracing: Fix cmp_entries_dup() to respect sort() comparison rules
ocfs2: update seq_file index in ocfs2_dlm_seq_next
scsi: qla2xxx: Fix NVMe and NPIV connect issue
scsi: qla2xxx: Supported speed displayed incorrectly for VPorts
scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt
nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()
bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again
dma-buf: fix dma_fence_array_signaled v4
regmap: detach regmap from dev on regmap_exit
mmc: core: Further prevent card detect during shutdown
s390/cpum_sf: Handle CPU hotplug remove during sampling
media: uvcvideo: Add a quirk for the Kaiweets KTI-W02 infrared camera
media: cx231xx: Add support for Dexatek USB Video Grabber 1d19:6108
drm: panel-orientation-quirks: Add quirk for AYA NEO 2 model
drm/mcde: Enable module autoloading
drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check()
samples/bpf: Fix a resource leak
net: fec_mpc52xx_phy: Use %pa to format resource_size_t
net: ethernet: fs_enet: Use %pa to format resource_size_t
net/sched: cbs: Fix integer overflow in cbs_set_port_rate()
af_packet: avoid erroring out after sock_init_data() in packet_create()
Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()
net: af_can: do not leave a dangling sk pointer in can_create()
net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()
net: inet: do not leave a dangling sk pointer in inet_create()
net: inet6: do not leave a dangling sk pointer in inet6_create()
wifi: ath5k: add PCI ID for SX76X
wifi: ath5k: add PCI ID for Arcadyan devices
jfs: array-index-out-of-bounds fix in dtReadFirst
jfs: fix shift-out-of-bounds in dbSplit
jfs: fix array-index-out-of-bounds in jfs_readdir
jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
drm/amdgpu: set the right AMDGPU sg segment limitation
wifi: ipw2x00: libipw_rx_any(): fix bad alignment
wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()
Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables
ASoC: hdmi-codec: reorder channel allocation list
rocker: fix link status detection in rocker_carrier_init()
net/neighbor: clear error in case strict check is not set
netpoll: Use rcu_access_pointer() in __netpoll_setup
tracing: Use atomic64_inc_return() in trace_clock_counter()
leds: class: Protect brightness_show() with led_cdev->led_access mutex
scsi: st: Don't modify unknown block number in MTIOCGET
scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device reset
pinctrl: qcom-pmic-gpio: add support for PM8937
nvdimm: rectify the illogical code within nd_dax_probe()
f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode.
PCI: Add 'reset_subordinate' to reset hierarchy below bridge
PCI: Add ACS quirk for Wangxun FF5xxx NICs
i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock
usb: chipidea: udc: handle USB Error Interrupt if IOC not set
powerpc/prom_init: Fixup missing powermac #size-cells
misc: eeprom: eeprom_93cx6: Add quirk for extra read clock cycle
xdp: Simplify devmap cleanup
bpf: fix OOB devmap writes when deleting elements
Revert "unicode: Don't special case ignorable code points"
perf/x86/intel/pt: Fix buffer full but size is 0 case
KVM: arm64: vgic-its: Add a data length check in vgic_its_save_*
KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device
KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE
jffs2: Prevent rtime decompress memory corruption
jffs2: Fix rtime decompressor
ocfs2: Revert "ocfs2: fix the la space leak when unmounting an ocfs2 volume"
modpost: Add .irqentry.text to OTHER_SECTIONS
Revert "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()"
PCI: rockchip-ep: Fix address translation unit programming
ALSA: usb-audio: Fix out of bounds reads when finding clock sources
bpf, xdp: Update devmap comments to reflect napi/rcu usage
Linux 5.4.287
Change-Id: Ib48a7a0e01226c0f910efae2139893c6a139b9b5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
|
7eb794e1a9 |
bpf, xdp: Update devmap comments to reflect napi/rcu usage
commit 42a84a8cd0ff0cbff5a4595e1304c4567a30267d upstream.
Now that we rely on synchronize_rcu and call_rcu waiting to
exit preempt-disable regions (NAPI) let's update the comments
to reflect this.
Fixes: 0536b85239b84 ("xdp: Simplify devmap cleanup")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Björn Töpel <bjorn.topel@intel.com>
Acked-by: Song Liu <songliubraving@fb.com>
Link: https://lore.kernel.org/bpf/1580084042-11598-2-git-send-email-john.fastabend@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
0f170e91d3 |
bpf: fix OOB devmap writes when deleting elements
[ Upstream commit ab244dd7cf4c291f82faacdc50b45cc0f55b674d ]
Jordy reported issue against XSKMAP which also applies to DEVMAP - the
index used for accessing map entry, due to being a signed integer,
causes the OOB writes. Fix is simple as changing the type from int to
u32, however, when compared to XSKMAP case, one more thing needs to be
addressed.
When map is released from system via dev_map_free(), we iterate through
all of the entries and an iterator variable is also an int, which
implies OOB accesses. Again, change it to be u32.
Example splat below:
[ 160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000
[ 160.731662] #PF: supervisor read access in kernel mode
[ 160.736876] #PF: error_code(0x0000) - not-present page
[ 160.742095] PGD 0 P4D 0
[ 160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP
[ 160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487
[ 160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[ 160.767642] Workqueue: events_unbound bpf_map_free_deferred
[ 160.773308] RIP: 0010:dev_map_free+0x77/0x170
[ 160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff
[ 160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202
[ 160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024
[ 160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000
[ 160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001
[ 160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122
[ 160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000
[ 160.838310] FS: 0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000
[ 160.846528] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0
[ 160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 160.874092] PKRU: 55555554
[ 160.876847] Call Trace:
[ 160.879338] <TASK>
[ 160.881477] ? __die+0x20/0x60
[ 160.884586] ? page_fault_oops+0x15a/0x450
[ 160.888746] ? search_extable+0x22/0x30
[ 160.892647] ? search_bpf_extables+0x5f/0x80
[ 160.896988] ? exc_page_fault+0xa9/0x140
[ 160.900973] ? asm_exc_page_fault+0x22/0x30
[ 160.905232] ? dev_map_free+0x77/0x170
[ 160.909043] ? dev_map_free+0x58/0x170
[ 160.912857] bpf_map_free_deferred+0x51/0x90
[ 160.917196] process_one_work+0x142/0x370
[ 160.921272] worker_thread+0x29e/0x3b0
[ 160.925082] ? rescuer_thread+0x4b0/0x4b0
[ 160.929157] kthread+0xd4/0x110
[ 160.932355] ? kthread_park+0x80/0x80
[ 160.936079] ret_from_fork+0x2d/0x50
[ 160.943396] ? kthread_park+0x80/0x80
[ 160.950803] ret_from_fork_asm+0x11/0x20
[ 160.958482] </TASK>
Fixes:
|
||
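The sign-extension arithmetic behind the splat above, as an added example that is not part of the commit or the kernel source: it parses three register lines from the quoted oops and checks which index type reproduces the faulting address in CR2. Treating RDI as the array base, RBX as the loop index and 8 bytes per slot is an assumption read off the `Code:` bytes (`48 63 c3` = `movslq %ebx,%rax`, `48 8d 04 c7` = `lea (%rdi,%rax,8),%rax`); all function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Register lines copied from the oops quoted in the commit message. */
static const char SPLAT[] =
    "RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024\n"
    "RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000\n"
    "CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0\n";

enum { SLOT_SIZE = 8 };  /* assumption: one 8-byte pointer per map slot */

enum verdict { PARSE_ERROR = -1, NO_MATCH = 0, MATCH_U32 = 1, MATCH_SIGNED_INDEX = 2 };

/* Extract the hex value following "NAME: " from an oops excerpt. */
static int parse_reg(const char *log, const char *name, uint64_t *out)
{
    char tag[16];
    const char *p;
    char *end;

    snprintf(tag, sizeof(tag), "%s: ", name);
    p = strstr(log, tag);
    if (!p)
        return -1;
    p += strlen(tag);
    *out = strtoull(p, &end, 16);
    return end == p ? -1 : 0;
}

/* Pre-fix shape: the index lives in an int and is sign-extended (movslq). */
static uint64_t slot_addr_int(uint64_t base, uint32_t idx)
{
    int64_t sext = (int32_t)idx;  /* 0x80000000 becomes -2147483648 on gcc/clang */
    return base + (uint64_t)(sext * SLOT_SIZE);
}

/* Post-fix shape: the index is a u32 and is zero-extended. */
static uint64_t slot_addr_u32(uint64_t base, uint32_t idx)
{
    return base + (uint64_t)idx * SLOT_SIZE;
}

/* Decide whether CR2 is explained by a sign-extended 32-bit index. */
static int classify_fault(const char *log)
{
    uint64_t base, idx, cr2;

    if (parse_reg(log, "RDI", &base) || parse_reg(log, "RBX", &idx) ||
        parse_reg(log, "CR2", &cr2))
        return PARSE_ERROR;
    if (idx > UINT32_MAX)
        return NO_MATCH;

    uint64_t as_int = slot_addr_int(base, (uint32_t)idx);
    uint64_t as_u32 = slot_addr_u32(base, (uint32_t)idx);

    /* Below 2^31 both computations agree, so only flag the divergent case. */
    if (cr2 == as_int && as_int != as_u32)
        return MATCH_SIGNED_INDEX;
    if (cr2 == as_u32)
        return MATCH_U32;
    return NO_MATCH;
}

int main(void)
{
    uint64_t base = 0, idx = 0;

    parse_reg(SPLAT, "RDI", &base);
    parse_reg(SPLAT, "RBX", &idx);
    printf("int index : %016" PRIx64 "\n", slot_addr_int(base, (uint32_t)idx));
    printf("u32 index : %016" PRIx64 "\n", slot_addr_u32(base, (uint32_t)idx));
    printf("verdict   : %d\n", classify_fault(SPLAT));
    return 0;
}
```

The signed computation lands 0x400000000 bytes below the array base, which is exactly the address reported in CR2; the u32 computation moves the same distance in the other direction.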
|
|
8b69c887f1 |
xdp: Simplify devmap cleanup
[ Upstream commit 0536b85239b8440735cdd910aae0eb076ebbb439 ]
After the RCU flavor consolidation [1], call_rcu() and
synchronize_rcu() waits for preempt-disable regions (NAPI) in addition
to the read-side critical sections. As a result of this, the cleanup
code in devmap can be simplified
* There is no longer a need to flush in __dev_map_entry_free, since we
  know that this has been done when the call_rcu() callback is
  triggered.
* When freeing the map, there is no need to explicitly wait for a
  flush. It's guaranteed to be done after the synchronize_rcu() call
  in dev_map_free(). The rcu_barrier() is still needed, so that the
  map is not freed prior the elements.
[1] https://lwn.net/Articles/777036/
Signed-off-by: Björn Töpel <bjorn.topel@intel.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/bpf/20191219061006.21980-2-bjorn.topel@gmail.com
Stable-dep-of: ab244dd7cf4c ("bpf: fix OOB devmap writes when deleting elements")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
c67aeff289 |
tracing: Use atomic64_inc_return() in trace_clock_counter()
[ Upstream commit eb887c4567d1b0e7684c026fe7df44afa96589e6 ]
Use atomic64_inc_return(&ref) instead of atomic64_add_return(1, &ref)
to use optimized implementation and ease register pressure around
the primitive for targets that implement optimized variant.
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lore.kernel.org/20241007085651.48544-1-ubizjak@gmail.com
Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
a1c78bcc70 |
tracing: Fix cmp_entries_dup() to respect sort() comparison rules
commit e63fbd5f6810ed756bbb8a1549c7d4132968baa9 upstream.
The cmp_entries_dup() function used as the comparator for sort()
violated the symmetry and transitivity properties required by the
sorting algorithm. Specifically, it returned 1 whenever memcmp() was
non-zero, which broke the following expectations:
* Symmetry: If x < y, then y > x.
* Transitivity: If x < y and y < z, then x < z.
These violations could lead to incorrect sorting and failure to
correctly identify duplicate elements.
Fix the issue by directly returning the result of memcmp(), which
adheres to the required comparison properties.
Cc: stable@vger.kernel.org
Fixes:
|
||
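A user-space model of the comparator contract described in the commit message above, as an added example that is not the kernel's code: `cmp_buggy()` returns 1 whenever `memcmp()` is non-zero, `cmp_fixed()` returns the `memcmp()` result, and two checkers count symmetry and transitivity violations over a constructed key set. The 4-byte keys and all function names are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 4

/* Constructed sample keys (3 characters plus NUL), with two duplicate pairs. */
static const char KEYS[][KEY_LEN] = { "aaa", "bbb", "aaa", "ccc", "bbb" };
#define N_KEYS (sizeof(KEYS) / sizeof(KEYS[0]))

typedef int (*cmp_fn)(const void *, const void *);

/* Shape of the pre-fix comparator: "different" is always reported as 1. */
static int cmp_buggy(const void *a, const void *b)
{
    return memcmp(a, b, KEY_LEN) ? 1 : 0;
}

/* Shape of the fix: pass the memcmp() ordering straight through. */
static int cmp_fixed(const void *a, const void *b)
{
    return memcmp(a, b, KEY_LEN);
}

static int sign(int v)
{
    return (v > 0) - (v < 0);
}

static const void *key_at(const void *base, size_t i)
{
    return (const char *)base + i * KEY_LEN;
}

/* Count pairs where cmp(x, y) and cmp(y, x) do not have opposite signs. */
static int symmetry_violations(cmp_fn cmp, const void *keys, size_t n)
{
    int bad = 0;

    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (sign(cmp(key_at(keys, i), key_at(keys, j))) !=
                -sign(cmp(key_at(keys, j), key_at(keys, i))))
                bad++;
    return bad;
}

/* Count ordered triples with x > y and y > z where x > z does not hold. */
static int transitivity_violations(cmp_fn cmp, const void *keys, size_t n)
{
    int bad = 0;

    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            for (size_t k = 0; k < n; k++)
                if (cmp(key_at(keys, i), key_at(keys, j)) > 0 &&
                    cmp(key_at(keys, j), key_at(keys, k)) > 0 &&
                    cmp(key_at(keys, i), key_at(keys, k)) <= 0)
                    bad++;
    return bad;
}

/*
 * Sort a copy and count adjacent equal keys, the way duplicate detection
 * relies on sorting. Only call this with a valid comparator: C leaves
 * qsort() undefined when the comparator is not a consistent ordering.
 */
static int adjacent_duplicates_after_sort(cmp_fn cmp, const void *keys, size_t n)
{
    char *buf = malloc(n * KEY_LEN);
    int dups = 0;

    if (!buf)
        return -1;
    memcpy(buf, keys, n * KEY_LEN);
    qsort(buf, n, KEY_LEN, cmp);
    for (size_t i = 1; i < n; i++)
        if (memcmp(buf + (i - 1) * KEY_LEN, buf + i * KEY_LEN, KEY_LEN) == 0)
            dups++;
    free(buf);
    return dups;
}

int main(void)
{
    printf("buggy: %d symmetry, %d transitivity violations\n",
           symmetry_violations(cmp_buggy, KEYS, N_KEYS),
           transitivity_violations(cmp_buggy, KEYS, N_KEYS));
    printf("fixed: %d symmetry, %d transitivity violations, %d duplicates\n",
           symmetry_violations(cmp_fixed, KEYS, N_KEYS),
           transitivity_violations(cmp_fixed, KEYS, N_KEYS),
           adjacent_duplicates_after_sort(cmp_fixed, KEYS, N_KEYS));
    return 0;
}
```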
|
|
f247471e3a |
bpf: Fix exact match conditions in trie_get_next_key()
[ Upstream commit 27abc7b3fa2e09bbe41e2924d328121546865eda ]
trie_get_next_key() uses node->prefixlen == key->prefixlen to identify
an exact match. However, it is incorrect because when the target key
doesn't fully match the found node (e.g., node->prefixlen != matchlen),
these two nodes may also have the same prefixlen. It will return
expected result when the passed key exists in the trie. However when a
recently-deleted key or nonexistent key is passed to
trie_get_next_key(), it may skip keys and return incorrect result.
Fix it by using node->prefixlen == matchlen to identify exact matches.
When the condition is true after the search, it also implies
node->prefixlen equals key->prefixlen, otherwise, the search would
return NULL instead.
Fixes:
|
||
|
|
50e06cbb60 |
bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie
[ Upstream commit eae6a075e9537dd69891cf77ca5a88fa8a28b4a1 ]
Add the currently missing handling for the BPF_EXIST and BPF_NOEXIST
flags. These flags can be specified by users and are relevant since LPM
trie supports exact matches during update.
Fixes:
|
||
|
|
43ca32ce12 |
ftrace: Fix regression with module command in stack_trace_filter
commit 45af52e7d3b8560f21d139b3759735eead8b1653 upstream.
When executing the following command:
# echo "write*:mod:ext3" > /sys/kernel/tracing/stack_trace_filter
The current mod command causes a null pointer dereference. While commit
|
||
|
|
92f6ebead8 |
cgroup: Make operations on the cgroup root_list RCU safe
commit d23b5c577715892c87533b13923306acc6243f93 upstream.
At present, when we perform operations on the cgroup root_list, we must
hold the cgroup_mutex, which is a relatively heavyweight lock. In reality,
we can make operations on this list RCU-safe, eliminating the need to hold
the cgroup_mutex during traversal. Modifications to the list only occur in
the cgroup root setup and destroy paths, which should be infrequent in a
production environment. In contrast, traversal may occur frequently.
Therefore, making it RCU-safe would be beneficial.
Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[fp: adapt to 5.10 mainly because of changes made by e210a89f5b07
("cgroup.c: add helper __cset_cgroup_from_root to cleanup duplicated
codes")]
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
[Shivani: Modified to apply on v5.4.y]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Reviewed-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
598b156722 |
trace/trace_event_perf: remove duplicate samples on the first tracepoint event
[ Upstream commit afe5960dc208fe069ddaaeb0994d857b24ac19d1 ]
When a tracepoint event is created with attr.freq = 1,
'hwc->period_left' is not initialized correctly. As a result,
in the perf_swevent_overflow() function, when the first time the event occurs,
it calculates the event overflow and the perf_swevent_set_period() returns 3,
this leads to the event are recorded for three duplicate times.
Step to reproduce:
1. Enable the tracepoint event & starting tracing
$ echo 1 > /sys/kernel/tracing/events/module/module_free
$ echo 1 > /sys/kernel/tracing/tracing_on
2. Record with perf
$ perf record -a --strict-freq -F 1 -e "module:module_free"
3. Trigger module_free event.
$ modprobe -i sunrpc
$ modprobe -r sunrpc
Result:
- Trace pipe result:
$ cat trace_pipe
modprobe-174509 [003] ..... 6504.868896: module_free: sunrpc
- perf sample:
modprobe 174509 [003] 6504.868980: module:module_free: sunrpc
modprobe 174509 [003] 6504.868980: module:module_free: sunrpc
modprobe 174509 [003] 6504.868980: module:module_free: sunrpc
By setting period_left via perf_swevent_set_period() as other sw_event did,
This problem could be solved.
After patch:
- Trace pipe result:
$ cat trace_pipe
modprobe 1153096 [068] 613468.867774: module:module_free: xfs
- perf sample
modprobe 1153096 [068] 613468.867794: module:module_free: xfs
Link: https://lore.kernel.org/20240913021347.595330-1-yeoreum.yun@arm.com
Fixes:
|
||
|
|
054de36e91 |
time: Fix references to _msecs_to_jiffies() handling of values
[ Upstream commit 92b043fd995a63a57aae29ff85a39b6f30cd440c ]
The details about the handling of the "normal" values were moved to the
_msecs_to_jiffies() helpers in commit
|
||
|
|
da1a77953e |
Merge 5.4.286 into android11-5.4-lts
Changes in 5.4.286
arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator
arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328
arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards
arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion
ARM: dts: rockchip: fix rk3036 acodec node
ARM: dts: rockchip: drop grf reference from rk3036 hdmi
ARM: dts: rockchip: Fix the spi controller on rk3036
ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
HID: core: zero-initialize the report buffer
security/keys: fix slab-out-of-bounds in key_task_permission
enetc: simplify the return expression of enetc_vf_set_mac_addr()
net: enetc: set MAC address to the VF net_device
sctp: properly validate chunk size in sctp_sf_ootb()
can: c_can: fix {rx,tx}_errors statistics
net: hns3: fix kernel crash when uninstalling driver
media: stb0899_algo: initialize cfr before using it
media: dvbdev: prevent the risk of out of memory access
media: dvb_frontend: don't play tricks with underflow values
media: adv7604: prevent underflow condition when reporting colorspace
ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()
media: s5p-jpeg: prevent buffer overflows
media: cx24116: prevent overflows on SNR calculus
media: v4l2-tpg: prevent the risk of a division by zero
pwm: imx-tpm: Use correct MODULO value for EPWM mode
drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
dm cache: correct the number of origin blocks to match the target length
dm cache: fix out-of-bounds access to the dirty bitset when resizing
dm cache: optimize dirty bit checking with find_next_bit when resizing
dm cache: fix potential out-of-bounds access on the first resume
dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow
nfs: Fix KMSAN warning in decode_getfattr_attrs()
btrfs: reinitialize delayed ref list after deleting it from the list
mtd: rawnand: protect access to rawnand devices while in suspend
spi: Fix deadlock when adding SPI controllers on SPI buses
spi: fix use-after-free of the add_lock mutex
net: bridge: xmit: make sure we have at least eth header len bytes
media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
fs/proc: fix compile warning about variable 'vmcore_mmap_ops'
usb: musb: sunxi: Fix accessing an released usb phy
USB: serial: io_edgeport: fix use after free in debug printk
USB: serial: qcserial: add support for Sierra Wireless EM86xx
USB: serial: option: add Fibocom FG132 0x0112 composition
USB: serial: option: add Quectel RG650V
irqchip/gic-v3: Force propagation of the active state with a read-back
ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
ALSA: usb-audio: Support jack detection on Dell dock
ALSA: usb-audio: Add quirks for Dell WD19 dock
NFSD: Fix NFSv4's PUTPUBFH operation
ftrace: Fix possible use-after-free issue in ftrace_location()
hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
ALSA: usb-audio: Add endianness annotations
9p: Avoid creating multiple slab caches with the same name
HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad
bpf: use kvzmalloc to allocate BPF verifier environment
sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML
powerpc/powernv: Free name on error in opal_event_init()
fs: Fix uninitialized value issue in from_kuid and from_kgid
net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition
md/raid10: improve code of mrdev in raid10_sync_request
mm: clarify a confusing comment for remap_pfn_range()
mm: fix ambiguous comments for better code readability
mm/memory.c: make remap_pfn_range() reject unaligned addr
mm: add remap_pfn_range_notrack
9p: fix slab cache name creation for real
mm: avoid leaving partial pfn mappings around in error case
Linux 5.4.286
Change-Id: I924a69c454558bcb9f11b3748a31c15349b3a705
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
|
c868a06a3f |
bpf: use kvzmalloc to allocate BPF verifier environment
[ Upstream commit 434247637c66e1be2bc71a9987d4c3f0d8672387 ]
The kzmalloc call in bpf_check can fail when memory is very fragmented,
which in turn can lead to an OOM kill.
Use kvzmalloc to fall back to vmalloc when memory is too fragmented to
allocate an order 3 sized bpf verifier environment.
Admittedly this is not a very common case, and only happens on systems
where memory has already been squeezed close to the limit, but this does
not seem like much of a hot path, and it's a simple enough fix.
Signed-off-by: Rik van Riel <riel@surriel.com>
Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
Link: https://lore.kernel.org/r/20241008170735.16766766@imladris.surriel.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
eea46baf14 |
ftrace: Fix possible use-after-free issue in ftrace_location()
commit e60b613df8b6253def41215402f72986fee3fc8d upstream.
KASAN reports a bug:
BUG: KASAN: use-after-free in ftrace_location+0x90/0x120
Read of size 8 at addr ffff888141d40010 by task insmod/424
CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+
[...]
Call Trace:
<TASK>
dump_stack_lvl+0x68/0xa0
print_report+0xcf/0x610
kasan_report+0xb5/0xe0
ftrace_location+0x90/0x120
register_kprobe+0x14b/0xa40
kprobe_init+0x2d/0xff0 [kprobe_example]
do_one_initcall+0x8f/0x2d0
do_init_module+0x13a/0x3c0
load_module+0x3082/0x33d0
init_module_from_file+0xd2/0x130
__x64_sys_finit_module+0x306/0x440
do_syscall_64+0x68/0x140
entry_SYSCALL_64_after_hwframe+0x71/0x79
The root cause is that, in lookup_rec(), ftrace record of some address
is being searched in ftrace pages of some module, but those ftrace pages
at the same time is being freed in ftrace_release_mod() as the
corresponding module is being deleted:
  CPU1                                 |  CPU2
  register_kprobes() {                 |  delete_module() {
    check_kprobe_address_safe() {      |
      arch_check_ftrace_location() {   |
        ftrace_location() {            |
          lookup_rec() // USE!         |    ftrace_release_mod() // Free!
To fix this issue:
1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();
2. Use ftrace_location_range() instead of lookup_rec() in
ftrace_location();
3. Call synchronize_rcu() before freeing any ftrace pages both in
ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().
Link: https://lore.kernel.org/linux-trace-kernel/20240509192859.1273558-1-zhengyejian1@huawei.com
Cc: stable@vger.kernel.org
Cc: <mhiramat@kernel.org>
Cc: <mark.rutland@arm.com>
Cc: <mathieu.desnoyers@efficios.com>
Fixes:
|
||
|
|
94424b0fce |
Merge 5.4.285 into android11-5.4-lts
Changes in 5.4.285
usbnet: ipheth: fix carrier detection in modes 1 and 4
net: ethernet: use ip_hdrlen() instead of bit shift
net: phy: vitesse: repair vsc73xx autonegotiation
scripts: kconfig: merge_config: config files: add a trailing newline
arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma
ice: fix accounting for filters shared by multiple VSIs
net/mlx5e: Add missing link modes to ptys2ethtool_map
net: ftgmac100: Enable TX interrupt to avoid TX timeout
net: dpaa: Pad packets to ETH_ZLEN
spi: nxp-fspi: fix the KASAN report out-of-bounds bug
soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps"
selftests: breakpoints: Fix a typo of function name
ASoC: allow module autoloading for table db1200_pids
ALSA: hda/realtek - Fixed ALC256 headphone no sound
ALSA: hda/realtek - FIxed ALC285 headphone no sound
pinctrl: at91: make it work with current gpiolib
microblaze: don't treat zero reserved memory regions as error
net: ftgmac100: Ensure tx descriptor updates are visible
wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room()
wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead
ASoC: tda7419: fix module autoloading
drm: komeda: Fix an issue related to normalized zpos
spi: bcm63xx: Enable module autoloading
x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency
ocfs2: add bounds checking to ocfs2_xattr_find_entry()
ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
gpio: prevent potential speculation leaks in gpio_device_get_desc()
inet: inet_defrag: prevent sk release while still in use
bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
USB: serial: pl2303: add device id for Macrosilicon MS3020
USB: usbtmc: prevent kernel-usb-infoleak
ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe()
wifi: ath9k: fix parameter check in ath9k_init_debug()
wifi: ath9k: Remove error checks when creating debugfs entries
fs: explicitly unregister per-superblock BDIs
mount: warn only once about timestamp range expiration
fs/namespace: fnic: Switch to use %ptTd
mount: handle OOM on mnt_warn_timestamp_expiry
can: j1939: use correct function name in comment
netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire
netfilter: nf_tables: reject element expiration with no timeout
netfilter: nf_tables: reject expiration higher than timeout
wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()
wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors
mac80211: parse radiotap header when selecting Tx queue
wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()
wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param
sock_map: Add a cond_resched() in sock_hash_free()
can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
Bluetooth: btusb: Fix not handling ZPL/short-transfer
net: tipc: avoid possible garbage value
block, bfq: fix possible UAF for bfqq->bic with merge chain
block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()
block, bfq: don't break merge chain in bfq_split_bfqq()
spi: ppc4xx: handle irq_of_parse_and_map() errors
spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ
ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property
ARM: versatile: fix OF node leak in CPUs prepare
reset: berlin: fix OF node leak in probe() error path
clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init()
hwmon: (max16065) Fix overflows seen when writing limits
mtd: slram: insert break after errors in parsing the map
hwmon: (ntc_thermistor) fix module autoloading
power: supply: axp20x_battery: allow disabling battery charging
power: supply: axp20x_battery: Remove design from min and max voltage
power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense
fbdev: hpfb: Fix an error handling path in hpfb_dio_probe()
mtd: powernv: Add check devm_kasprintf() returned value
drm/stm: Fix an error handling path in stm_drm_platform_probe()
drm/amdgpu: Replace one-element array with flexible-array member
drm/amdgpu: properly handle vbios fake edid sizing
drm/radeon: Replace one-element array with flexible-array member
drm/radeon: properly handle vbios fake edid sizing
drm/rockchip: vop: Allow 4096px width scaling
drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode
drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets
jfs: fix out-of-bounds in dbNextAG() and diAlloc()
drm/msm: Fix incorrect file name output in adreno_request_fw()
drm/msm/a5xx: disable preemption in submits by default
drm/msm/a5xx: properly clear preemption records on resume
drm/msm/a5xx: fix races in preemption evaluation stage
ipmi: docs: don't advertise deprecated sysfs entries
drm/msm: fix %s null argument error
drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind()
xen: use correct end address of kernel for conflict checking
xen/swiotlb: add alignment check for dma buffers
tpm: Clean up TPM space after command failure
selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c
selftests/bpf: Fix compiling flow_dissector.c with musl-libc
selftests/bpf: Fix compiling tcp_rtt.c with musl-libc
selftests/bpf: Fix error compiling test_lru_map.c
xz: cleanup CRC32 edits from 2018
kthread: add kthread_work tracepoints
kthread: fix task state in kthread worker if being frozen
jbd2: introduce/export functions jbd2_journal_submit|finish_inode_data_buffers()
ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard
smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso
ext4: avoid negative min_clusters in find_group_orlov()
ext4: return error on ext4_find_inline_entry
ext4: avoid OOB when system.data xattr changes underneath the filesystem
nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()
nilfs2: determine empty node blocks as corrupted
nilfs2: fix potential oob read in nilfs_btree_check_delete()
bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit perf sched timehist: Fix missing free of session in perf_sched__timehist() perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time perf time-utils: Fix 32-bit nsec parsing clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error PCI: keystone: Fix if-statement expression in ks_pcie_quirk() PCI: xilinx-nwl: Fix register misspelling RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency pinctrl: single: fix missing error code in pcs_probe() clk: ti: dra7-atl: Fix leak of of_nodes pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function watchdog: imx_sc_wdt: Don't disable WDT in suspend RDMA/hns: Optimize hem allocation performance riscv: Fix fp alignment bug in perf_callchain_user() RDMA/cxgb4: Added NULL check for lookup_atid ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() nfsd: call cache_put if xdr_reserve_space returns NULL nfsd: return -EINVAL when namelen is 0 f2fs: enhance to update i_mode and acl atomically in f2fs_setattr() f2fs: fix typo f2fs: fix to update i_ctime in __f2fs_setxattr() f2fs: remove unneeded check condition in __f2fs_setxattr() f2fs: reduce expensive checkpoint trigger frequency iio: adc: ad7606: fix oversampling gpio array iio: adc: ad7606: fix standby gpio state to match the documentation coresight: tmc: sg: Do not leak sg_table netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition tcp: check skb is non-NULL in tcp_rto_delta_us() net: qrtr: Update packets cloning when broadcasting netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS crypto: aead,cipher - zeroize key buffer after use Remove *.orig pattern from .gitignore soc: versatile: integrator: fix OF node leak in 
probe() error path drm/amd/display: Round calculated vtotal USB: appledisplay: close race between probe and completion handler USB: misc: cypress_cy7c63: check for short transfer USB: class: CDC-ACM: fix race between get_serial and set_serial firmware_loader: Block path traversal tty: rp2: Fix reset with non forgiving PCIe host bridges drbd: Fix atomicity violation in drbd_uuid_set_bm() drbd: Add NULL check for net_conf to prevent dereference in state validation ACPI: sysfs: validate return type of _STR method ACPI: resource: Add another DMI match for the TongFang GMxXGxx wifi: rtw88: 8822c: Fix reported RX band width debugobjects: Fix conditions in fill_pool() f2fs: prevent possible int overflow in dir_block_index() f2fs: avoid potential int overflow in sanity_check_area_boundary() hwrng: mtk - Use devm_pm_runtime_enable vfs: fix race between evice_inodes() and find_inode()&iput() fs: Fix file_set_fowner LSM hook inconsistencies nfs: fix memory leak in error path of nfs4_do_reclaim ASoC: meson: axg: extract sound card utils ASoC: meson: axg-card: fix 'use-after-free' PCI: xilinx-nwl: Use irq_data_get_irq_chip_data() PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler soc: versatile: realview: fix memory leak during device remove soc: versatile: realview: fix soc_dev leak during device remove usb: yurex: Replace snprintf() with the safer scnprintf() variant USB: misc: yurex: fix race between read and write pps: remove usage of the deprecated ida_simple_xx() API pps: add an error check in parport_attach mm: only enforce minimum stack gap size if it's sensible i2c: aspeed: Update the stop sw state when the bus recovery occurs i2c: isch: Add missed 'else' usb: yurex: Fix inconsistent locking bug in yurex_read() mailbox: rockchip: fix a typo in module autoloading mailbox: bcm2835: Fix timeout during suspend mode ceph: remove the incorrect Fw reference check when dirtying pages Minor fixes to the CAIF Transport drivers Kconfig file drivers: net: Fix Kconfig indentation, 
continued ieee802154: Fix build error net/mlx5: Added cond_resched() to crdump collection netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() netfilter: nf_tables: prevent nf_skb_duplicated corruption Bluetooth: btmrvl_sdio: Refactor irq wakeup Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() net: ethernet: lantiq_etop: fix memory disclosure net: avoid potential underflow in qdisc_pkt_len_init() with UFO net: add more sanity checks to qdisc_pkt_len_init() ipv4: ip_gre: Fix drops of small packets in ipgre_xmit sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start ALSA: hda/realtek: Fix the push button function for the ALC257 ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin f2fs: Require FMODE_WRITE for atomic write ioctls wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() net: hisilicon: hip04: fix OF node leak in probe() net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() net: hisilicon: hns_mdio: fix OF node leak in probe() ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails ACPICA: Fix memory leak if acpi_ps_get_next_field() fails net: sched: consistently use rcu_replace_pointer() in taprio_change() wifi: rtw88: select WANT_DEV_COREDUMP ACPI: EC: Do not release locks during operation region accesses ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() tipc: guard against string buffer overrun net: mvpp2: Increase size of queue_name buffer ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). 
ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process ACPICA: iasl: handle empty connection_node proc: add config & param to block forcing mem writes wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() nfp: Use IRQF_NO_AUTOEN flag in request_irq() signal: Replace BUG_ON()s ALSA: asihpi: Fix potential OOB array access ALSA: hdsp: Break infinite MIDI input flush loop x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() fbdev: pxafb: Fix possible use after free in pxafb_task() power: reset: brcmstb: Do not go into infinite loop if reset fails ata: sata_sil: Rename sil_blacklist to sil_quirks jfs: UBSAN: shift-out-of-bounds in dbFindBits jfs: Fix uaf in dbFreeBits jfs: check if leafidx greater than num leaves per dmap tree jfs: Fix uninit-value access of new_ea in ea_buffer drm/amd/display: Check stream before comparing them drm/amd/display: Fix index out of bounds in degamma hardware format translation drm/amd/display: Initialize get_bytes_per_element's default to 1 drm/printer: Allow NULL data in devcoredump printer scsi: aacraid: Rearrange order of struct aac_srb_unit drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() of/irq: Refer to actual buffer size in of_irq_parse_one() ext4: ext4_search_dir should return a proper error ext4: fix i_data_sem unlock order in ext4_ind_migrate() spi: s3c64xx: fix timeout counters in flush_fifo selftests: breakpoints: use remaining time to check if suspend succeed selftests: vDSO: fix vDSO symbols lookup for powerpc64 i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume i2c: xiic: Wait for TX empty to avoid missed TX NAKs firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() spi: bcm63xx: Fix module autoloading perf/core: Fix small negative period being ignored parisc: Fix itlb miss handler for 64-bit programs drm: Consistently use struct drm_mode_rect for 
FB_DAMAGE_CLIPS ALSA: core: add isascii() check to card ID generator ext4: no need to continue when the number of entries is 1 ext4: propagate errors from ext4_find_extent() in ext4_insert_range() ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() ext4: aovid use-after-free in ext4_ext_insert_extent() ext4: fix double brelse() the buffer of the extents path ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() parisc: Fix 64-bit userspace syscall path parisc: Fix stack start for ADDR_NO_RANDOMIZE personality of/irq: Support #msi-cells=<0> in of_msi_get_domain drm: omapdrm: Add missing check for alloc_ordered_workqueue jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error mm: krealloc: consider spare memory for __GFP_ZERO ocfs2: fix the la space leak when unmounting an ocfs2 volume ocfs2: fix uninit-value in ocfs2_get_block() ocfs2: reserve space for inline xattr before attaching reflink tree ocfs2: cancel dqi_sync_work before freeing oinfo ocfs2: remove unreasonable unlock in ocfs2_read_blocks ocfs2: fix null-ptr-deref when journal load failed. 
ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate riscv: define ILLEGAL_POINTER_VALUE for 64bit aoe: fix the potential use-after-free problem in more places clk: rockchip: fix error for unknown clocks media: sun4i_csi: Implement link validate for sun4i_csi subdev media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags media: venus: fix use after free bug in venus_remove due to race condition iio: magnetometer: ak8975: Fix reading for ak099xx sensors tomoyo: fallback to realpath if symlink's pathname does not exist rtc: at91sam9: fix OF node leak in probe() error path Input: adp5589-keys - fix adp5589_gpio_get_value() ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] btrfs: fix a NULL pointer dereference when failed to start a new trasacntion btrfs: wait for fixup workers before stopping cleaner kthread during umount gpio: davinci: fix lazy disable i2c: qcom-geni: Let firmware specify irq trigger flags i2c: qcom-geni: Grow a dev pointer to simplify code i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() arm64: Add Cortex-715 CPU part definition arm64: cputype: Add Neoverse-N3 definitions arm64: errata: Expand speculative SSBS workaround once more uprobes: fix kernel info leak via "[uprobes]" vma nfsd: use ktime_get_seconds() for timestamps nfsd: fix delegation_blocked() to block correctly for at least 30 seconds clk: qcom: rpmh: Simplify clk_rpmh_bcm_send_cmd() clk: qcom: clk-rpmh: Fix overflow in BCM vote r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" r8169: add tally counter fields added with RTL8125 ACPI: battery: Simplify battery hook locking ACPI: battery: Fix possible crash when unregistering a battery hook ext4: fix inode tree inconsistency caused by ENOMEM unicode: Don't special case ignorable code points net: ethernet: cortina: Drop TSO support tracing: Remove precision vsnprintf() check from print event drm/crtc: fix 
uninitialized variable use even harder tracing: Have saved_cmdlines arrays all in one allocation virtio_console: fix misc probe bugs Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal bpf: Check percpu map value size first s390/facility: Disable compile time optimization for decompressor code s390/mm: Add cond_resched() to cmm_alloc/free_pages() ext4: nested locking for xattr inode s390/cpum_sf: Remove WARN_ON_ONCE statements ktest.pl: Avoid false positives with grub2 skip regex clk: bcm: bcm53573: fix OF node leak in init PCI: Add ACS quirk for Qualcomm SA8775P i2c: i801: Use a different adapter-name for IDF adapters PCI: Mark Creative Labs EMU20k2 INTx masking as broken ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() usb: chipidea: udc: enable suspend interrupt after usb reset usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the Crashkernel Scenario virtio_pmem: Check device status before requesting flush tools/iio: Add memory allocation failure check for trigger_name driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute fbdev: sisfb: Fix strbuf array overflow RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt ice: fix VLAN replay after reset SUNRPC: Fix integer overflow in decode_rc_list() tcp: fix to allow timestamp undo if no retransmits were sent tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe netfilter: br_netfilter: fix panic with metadata_dst skb Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change gpio: aspeed: Add the flush write to ensure the write complete. 
gpio: aspeed: Use devm_clk api to manage clock source igb: Do not bring the device up after non-fatal error net/sched: accept TCA_STAB only for root qdisc net: ibm: emac: mal: fix wrong goto net: annotate lockless accesses to sk->sk_ack_backlog net: annotate lockless accesses to sk->sk_max_ack_backlog sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start ppp: fix ppp_async_encode() illegal access slip: make slhc_remember() more robust against malicious packets locking/lockdep: Fix bad recursion pattern locking/lockdep: Rework lockdep_lock locking/lockdep: Avoid potential access of invalid memory in lock_class lockdep: fix deadlock issue between lockdep and rcu resource: fix region_intersects() vs add_memory_driver_managed() CDC-NCM: avoid overflow in sanity checking HID: plantronics: Workaround for an unexcepted opposite volume key Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" usb: dwc3: core: Stop processing of pending events if controller is halted usb: xhci: Fix problem with xhci resume from suspend usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip hid: intel-ish-hid: Fix uninitialized variable 'rv' in ish_fw_xfer_direct_dma net: Fix an unsafe loop on the list nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error posix-clock: Fix missing timespec64 check in pc_clock_settime() arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols tracing/kprobes: Fix symbol counting logic by looking at modules as well PCI: Add function 0 DMA alias quirk for Glenfly Arise chip fat: fix uninitialized variable mm/swapfile: skip HugeTLB pages for unuse_vma wifi: mac80211: fix potential key use-after-free KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() s390/sclp_vt220: Convert newlines to CRLF instead of LFCR KVM: s390: Change virtual to physical address access in diag 
0x258 handler x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race drm/vmwgfx: Handle surface check failure correctly iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() iio: light: opt3001: add missing full-scale range value iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Bluetooth: Remove debugfs directory on module init failure Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 xhci: Fix incorrect stream context type macro USB: serial: option: add support for Quectel EG916Q-GL USB: serial: option: add Telit FN920C04 MBIM compositions parport: Proper fix for array out-of-bounds access x86/resctrl: Annotate get_mem_config() functions as __init x86/apic: Always explicitly disarm TSC-deadline timer nilfs2: propagate directory read errors from nilfs_find_entry() erofs: fix lz4 inplace decompression mac80211: Fix NULL ptr deref for injected rate info RDMA/bnxt_re: Fix incorrect AVID type in WQE structure ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP ipv4: give an IPv4 dev to blackhole_netdev RDMA/bnxt_re: Return more meaningful error drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation macsec: don't increment counters for an unrelated SA net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() net: systemport: fix potential memory leak in bcm_sysport_xmit() genetlink: hold RCU in genlmsg_mcast() smb: client: fix OOBs when building SMB2_IOCTL request usb: typec: altmode should keep reference to parent Bluetooth: bnep: fix wild-memory-access in 
proto_unregister arm64:uprobe fix the uprobe SWBP_INSN in big-endian arm64: probes: Fix uprobes for big-endian kernels KVM: s390: gaccess: Refactor gpa and length calculation KVM: s390: gaccess: Refactor access address range check KVM: s390: gaccess: Cleanup access to guest pages KVM: s390: gaccess: Check if guest address is in memslot drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA udf: fix uninit-value use in udf_get_fileshortad jfs: Fix sanity check in dbMount tracing: Consider the NULL character when validating the event length net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() be2net: fix potential memory leak in be_xmit() net: usb: usbnet: fix name regression net: sched: fix use-after-free in taprio_change() r8169: avoid unsolicited interrupts posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() ALSA: hda/realtek: Update default depop procedure drm/amd: Guard against bad data for ATIF ACPI method ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue nilfs2: fix kernel bug due to missing clearing of buffer delay flag ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event selinux: improve error checking in sel_write_load() arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning xfrm: validate new SA's prefixlen using SA family when sel.family is unset cgroup: Fix potential overflow issue when checking max_depth wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys mac80211: do drv_reconfig_complete() before restarting all mac80211: Add support to trigger sta disconnect on hardware restart wifi: iwlwifi: mvm: disconnect station vifs if recovery failed wifi: iwlwifi: mvm: Fix response handling in 
iwl_mvm_send_recovery_cmd() ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() dt-bindings: gpu: Convert Samsung Image Rotator to dt-schema gtp: simplify error handling code in 'gtp_encap_enable()' gtp: allow -1 to be specified as file description from userspace net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT bpf: Fix out-of-bounds write in trie_get_next_key() net: support ip generic csum processing in skb_csum_hwoffload_help net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension netfilter: nft_payload: sanitize offset and length before calling skb_checksum() drivers/misc: ti-st: Remove unneeded variable in st_tty_open firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() net: amd: mvme147: Fix probe banner message misc: sgi-gru: Don't disable preemption in GRU driver usbip: tools: Fix detach_port() invalid port error path usb: phy: Fix API devm_usb_put_phy() can not release the phy xhci: Fix Link TRB DMA in command ring stopped completion event Revert "driver core: Fix uevent_show() vs driver detach race" wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower wifi: ath10k: Fix memory leak in management tx wifi: iwlegacy: Clear stale interrupts before resuming device staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() nilfs2: fix potential deadlock with newly created symlinks riscv: Remove unused GENERATING_ASM_OFFSETS ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow nilfs2: fix kernel bug due to missing clearing of checked flag mm: shmem: fix data-race in shmem_getattr() Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" vt: prevent kernel-infoleak in con_font_get() mac80211: always have ieee80211_sta_restart() mm: krealloc: Fix MTE false alarm in __do_krealloc Linux 5.4.285 Change-Id: Ie1859b6122e2fdacf18a1fe83f792b855fd0e54c Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
d72549f3a1 |
Merge tag 'ASB-2024-11-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2024-11-01 CVE-2024-36978 CVE-2024-46740 * tag 'ASB-2024-11-05_11-5.4' of https://android.googlesource.com/kernel/common: (126 commits) UPSTREAM: unicode: Don't special case ignorable code points ANDROID: 16K: Fixup padding vm_flags bits on VMA splits ANDROID: 16K: Introduce pgsize_migration_inline.h Revert "clocksource/drivers/timer-of: Remove percpu irq related code" Linux 5.4.284 Revert "parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367" cx82310_eth: fix error return code in cx82310_bind() net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket rtmutex: Drop rt_mutex::wait_lock before scheduling drm/i915/fence: Mark debug_fence_free() with __maybe_unused drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused nvmet-tcp: fix kernel crash if commands allocation fails arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry arm64: acpi: Move get_cpu_for_acpi_id() to a header ACPI: processor: Fix memory leaks in error paths of processor_add() ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add() nilfs2: protect references to superblock parameters exposed in sysfs nilfs2: replace snprintf in show functions with sysfs_emit tracing: Avoid possible softlockup in tracing_iter_reset() ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance() ... Conflicts: fs/userfaultfd.c mm/madvise.c Change-Id: I9e0e9c01dd313ea38070f0077983b5e107fb6a0b |
||
|
|
91afbc0eb3 |
bpf: Fix out-of-bounds write in trie_get_next_key()
[ Upstream commit 13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21 ]
trie_get_next_key() allocates a node stack with size trie->max_prefixlen,
while it writes (trie->max_prefixlen + 1) nodes to the stack when it has
full paths from the root to leaves. For example, consider a trie with
max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ...
0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with
.prefixlen = 8 make 9 nodes be written on the node stack with size 8.
Fixes:
|
||
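The off-by-one described in the commit message above, modelled in user space as an added example (not the kernel's code and not part of the commit). It uses a simplified 8-bit trie with one node per prefix and a bounds-checked stack that counts pushes instead of writing past the end; the struct and function names are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PREFIXLEN 8u   /* 8-bit keys, as in the commit message's example */

struct node {
    uint8_t data;
    unsigned prefixlen;
    struct node *child[2];
};

struct walk {
    unsigned pushes;   /* nodes the descent tried to put on the stack */
    unsigned stored;   /* nodes that actually fit */
    int overflowed;    /* 1 if a push found no free slot */
};

/* Bit 0 is the most significant bit of the key. Caller keeps index < 8. */
static unsigned extract_bit(uint8_t data, unsigned index)
{
    return (data >> (7u - index)) & 1u;
}

/* Leading bits on which node and key agree, capped at both prefix lengths. */
static unsigned longest_prefix_match(const struct node *n, uint8_t key, unsigned key_len)
{
    unsigned limit = n->prefixlen < key_len ? n->prefixlen : key_len;
    unsigned i;

    for (i = 0; i < limit; i++)
        if (extract_bit(n->data, i) != extract_bit(key, i))
            break;
    return i;
}

/* Build data/0, data/1, ..., data/MAX_PREFIXLEN as one root-to-leaf path. */
static struct node *build_full_path(uint8_t data)
{
    struct node *root = NULL, **link = &root;

    for (unsigned len = 0; len <= MAX_PREFIXLEN; len++) {
        struct node *n = calloc(1, sizeof(*n));
        if (!n)
            abort();
        n->data = data;
        n->prefixlen = len;
        *link = n;
        if (len < MAX_PREFIXLEN)
            link = &n->child[extract_bit(data, len)];
    }
    return root;
}

static void free_path(struct node *n)
{
    while (n) {
        struct node *next = n->child[0] ? n->child[0] : n->child[1];
        free(n);
        n = next;
    }
}

/* Descend towards key/key_len, pushing every visited node on a stack of
 * stack_slots entries. Pushes beyond the capacity are counted, not written. */
static struct walk descend(const struct node *root, uint8_t key,
                           unsigned key_len, size_t stack_slots)
{
    const struct node **stack = malloc((stack_slots ? stack_slots : 1) * sizeof(*stack));
    struct walk w = {0, 0, 0};

    if (!stack)
        abort();
    for (const struct node *n = root; n; ) {
        if (w.pushes < stack_slots)
            stack[w.stored++] = n;
        else
            w.overflowed = 1;
        w.pushes++;
        unsigned matchlen = longest_prefix_match(n, key, key_len);
        if (n->prefixlen != matchlen || n->prefixlen == key_len)
            break;
        n = n->child[extract_bit(key, n->prefixlen)];
    }
    free(stack);
    return w;
}

/* Trie holding 0x00/0 .. 0x00/8, walked for key 0x00/key_len. */
static struct walk walk_full_path(unsigned key_len, size_t stack_slots)
{
    struct node *root = build_full_path(0x00);
    struct walk w = descend(root, 0x00, key_len, stack_slots);

    free_path(root);
    return w;
}

int main(void)
{
    for (size_t slots = MAX_PREFIXLEN; slots <= MAX_PREFIXLEN + 1; slots++) {
        struct walk w = walk_full_path(MAX_PREFIXLEN, slots);
        printf("slots=%zu pushes=%u stored=%u overflowed=%d\n",
               slots, w.pushes, w.stored, w.overflowed);
    }
    return 0;
}
```

A root-to-leaf path contains one node for each prefix length from 0 to max_prefixlen inclusive, so the stack needs max_prefixlen + 1 slots to hold it.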
|
|
4f3e9217fb |
cgroup: Fix potential overflow issue when checking max_depth
[ Upstream commit 3cc4e13bb1617f6a13e5e6882465984148743cf4 ]
cgroup.max.depth is the maximum allowed descent depth below the current
cgroup. If the actual descent depth is equal or larger, an attempt to
create a new child cgroup will fail. However, because cgroup->max_depth
is of int type and has the default value INT_MAX, the condition
'level > cgroup->max_depth' will never be satisfied, and it will cause
an overflow of the level after it reaches INT_MAX.
Fix it by starting the level from 0 and using '>=' instead.
It's worth mentioning that this issue is unlikely to occur in reality,
as it's impossible to have a depth of INT_MAX hierarchy, but should be
avoided logically.
Fixes:
|
||
|
|
a8219446b9 |
posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()
[ Upstream commit 6e62807c7fbb3c758d233018caf94dfea9c65dbd ]
If get_clock_desc() succeeds, it calls fget() for the clockid's fd,
and gets the clk->rwsem read lock, so the error path should release
the lock to make the lock balance and fput the clockid's fd to make
the refcount balance and release the fd related resource.
However the below commit left the error path locked behind resulting in
unbalanced locking. Check timespec64_valid_strict() before
get_clock_desc() to fix it, because the "ts" is not changed
after that.
Fixes: d8794ac20a29 ("posix-clock: Fix missing timespec64 check in pc_clock_settime()")
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Acked-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
[pabeni@redhat.com: fixed commit message typo]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
5e3231b352 |
tracing: Consider the NULL character when validating the event length
[ Upstream commit 0b6e2e22cb23105fcb171ab92f0f7516c69c8471 ]
strlen() returns a string length excluding the null byte. If the string
length equals the maximum buffer length, the buffer will have no
space for the NULL terminating character.
This commit checks this condition and returns failure for it.
Link: https://lore.kernel.org/all/20241007144724.920954-1-leo.yan@arm.com/
Fixes:
|
||
|
|
f198659ecb |
tracing/kprobes: Fix symbol counting logic by looking at modules as well
commit 926fe783c8a64b33997fec405cf1af3e61aed441 upstream.
Recent changes to count number of matching symbols when creating
a kprobe event failed to take into account kernel modules. As such, it
breaks kprobes on kernel module symbols, by assuming there is no match.
Fix this by calling module_kallsyms_on_each_symbol() in addition to
kallsyms_on_each_match_symbol() to perform a proper counting.
Link: https://lore.kernel.org/all/20231027233126.2073148-1-andrii@kernel.org/
Cc: Francis Laniel <flaniel@linux.microsoft.com>
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Fixes: b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Sherry: It's a fix for previous backport, thus backport together to 5.4.y ]
Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
d3679f63a1 |
tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols
commit b022f0c7e404887a7c5229788fc99eff9f9a80d5 upstream.
When a kprobe is attached to a function whose name is not unique (is
static and shares the name with other functions in the kernel), the
kprobe is attached to the first function it finds. This is a bug as the
function that it is attaching to is not necessarily the one that the
user wants to attach to.
Instead of blindly picking a function to attach to what is ambiguous,
error with EADDRNOTAVAIL to let the user know that this function is not
unique, and that the user must use another unique function with an
address offset to get to the function they want to attach to.
Link: https://lore.kernel.org/all/20231020104250.9537-2-flaniel@linux.microsoft.com/
Cc: stable@vger.kernel.org
Fixes:
|
||
|
|
e0c966bd3e |
posix-clock: Fix missing timespec64 check in pc_clock_settime()
commit d8794ac20a299b647ba9958f6d657051fc51a540 upstream.
As Andrew pointed out, it will make sense that the PTP core
checked timespec64 struct's tv_sec and tv_nsec range before calling
ptp->info->settime64().
As the man manual of clock_settime() said, if tp.tv_sec is negative or
tp.tv_nsec is outside the range [0..999,999,999], it should return EINVAL,
which includes dynamic clocks that handle PTP clocks, and the condition is
consistent with timespec64_valid(). As Thomas suggested, timespec64_valid()
only checks that the timespec is valid, but does not ensure that the time is
in a valid range, so check it ahead using timespec64_valid_strict()
in pc_clock_settime() and return -EINVAL if not valid.
There are some drivers that use tp->tv_sec and tp->tv_nsec directly to
write registers without validity checks and assume that the higher layer
has checked it, which is dangerous and will benefit from this, such as
hclge_ptp_settime(), igb_ptp_settime_i210(), _rcar_gen4_ptp_settime(),
and some drivers can remove their own checks.
Cc: stable@vger.kernel.org
Fixes:
|
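The gap between timespec64_valid() and timespec64_valid_strict() that this commit message describes, as an added example that is not part of the commit or the kernel source. It is a user-space C restatement of the two predicates; `fake_settime64()`, `model_clock_settime()` and the sample values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC  1000000000L
/* Largest tv_sec whose nanosecond count still fits in a signed 64-bit value. */
#define KTIME_SEC_MAX (INT64_MAX / NSEC_PER_SEC)

struct timespec64 { int64_t tv_sec; long tv_nsec; };

/* Rejects negative seconds and tv_nsec outside [0, 999999999]. */
static bool timespec64_valid(const struct timespec64 *ts)
{
    return ts->tv_sec >= 0 && (unsigned long)ts->tv_nsec < (unsigned long)NSEC_PER_SEC;
}

/* Additionally rejects seconds that are valid but out of representable range. */
static bool timespec64_valid_strict(const struct timespec64 *ts)
{
    return timespec64_valid(ts) && (uint64_t)ts->tv_sec < (uint64_t)KTIME_SEC_MAX;
}

static uint64_t last_reg;   /* what the fake driver "programmed into hardware" */

/* Hypothetical driver callback: trusts its caller and converts straight to ns. */
static int fake_settime64(const struct timespec64 *ts)
{
    last_reg = (uint64_t)ts->tv_sec * NSEC_PER_SEC + (uint64_t)ts->tv_nsec;
    return 0;
}

/* Model of the core-layer gate: strict = 1 is the check added ahead of the driver. */
static int model_clock_settime(int64_t sec, long nsec, int strict)
{
    struct timespec64 ts = { sec, nsec };

    if (strict && !timespec64_valid_strict(&ts))
        return -EINVAL;
    return fake_settime64(&ts);
}

int main(void)
{
    /* Constructed input: passes timespec64_valid() but wraps when scaled to ns. */
    int rc = model_clock_settime(18446744074LL, 0, 0);
    printf("no gate:     rc=%d programmed=%llu ns\n", rc, (unsigned long long)last_reg);
    printf("strict gate: rc=%d\n", model_clock_settime(18446744074LL, 0, 1));
    return 0;
}
```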
||
|
|
333fbaf686 |
resource: fix region_intersects() vs add_memory_driver_managed()
commit b4afe4183ec77f230851ea139d91e5cf2644c68b upstream.
On a system with CXL memory, the resource tree (/proc/iomem) related to
CXL memory may look something like the following.
490000000-50fffffff : CXL Window 0
  490000000-50fffffff : region0
    490000000-50fffffff : dax0.0
      490000000-50fffffff : System RAM (kmem)
Because drivers/dax/kmem.c calls add_memory_driver_managed() during
onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL
Window X". This confuses region_intersects(), which expects all "System
RAM" resources to be at the top level of iomem_resource. This can lead to
bugs.
For example, when the following command line is executed to write some
memory in CXL memory range via /dev/mem,
$ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1
dd: error writing '/dev/mem': Bad address
1+0 records in
0+0 records out
0 bytes copied, 0.0283507 s, 0.0 kB/s
the command fails as expected. However, the error code is wrong. It
should be "Operation not permitted" instead of "Bad address". More
seriously, the /dev/mem permission checking in devmem_is_allowed() passes
incorrectly. Although the access is prevented later because ioremap()
isn't allowed to map system RAM, it is a potential security issue. During
command execution, the following warning is reported in the kernel log for
calling ioremap() on system RAM.
ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff
WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d
Call Trace:
memremap+0xcb/0x184
xlate_dev_mem_ptr+0x25/0x2f
write_mem+0x94/0xfb
vfs_write+0x128/0x26d
ksys_write+0xac/0xfe
do_syscall_64+0x9a/0xfd
entry_SYSCALL_64_after_hwframe+0x4b/0x53
The details of command execution process are as follows. In the above
resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a
top level resource. So, region_intersects() will report no System RAM
resources in the CXL memory region incorrectly, because it only checks the
top level resources. Consequently, devmem_is_allowed() will return 1
(allow access via /dev/mem) for CXL memory region incorrectly.
Fortunately, ioremap() doesn't allow mapping System RAM and rejects the
access.
So, region_intersects() needs to be fixed to work correctly with the
resource tree with "System RAM" not at top level as above. To fix it, if
we find an unmatched resource in the top level, we will continue to search
for matched resources in its descendant resources. So, we will not miss any
matched resources in resource tree anymore.
In the new implementation, an example resource tree
|------------- "CXL Window 0" ------------|
|-- "System RAM" --|
will behave similarly to the following fake resource tree for
region_intersects(, IORESOURCE_SYSTEM_RAM, ),
|-- "System RAM" --||-- "CXL Window 0a" --|
Where "CXL Window 0a" is part of the original "CXL Window 0" that
isn't covered by "System RAM".
Link: https://lkml.kernel.org/r/20240906030713.204292-2-ying.huang@intel.com
Fixes:
|
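The top-level-only walk and the descending walk described in this commit message, as an added example that is not part of the commit or the kernel source. It is a simplified user-space C model: `struct res`, `intersects_sysram()`, `devmem_allowed()` and the second tree are assumptions made for illustration, and byte counting stands in for the kernel's own algorithm.

```c
#include <stdint.h>
#include <stdio.h>

struct res {                     /* simplified model, not the kernel's struct resource */
    uint64_t start, end;         /* inclusive, as printed in /proc/iomem */
    int sysram;                  /* stands in for IORESOURCE_SYSTEM_RAM */
    struct res *child, *sibling;
};
enum { DISJOINT, INTERSECTS, MIXED };

static uint64_t overlap(const struct res *r, uint64_t s, uint64_t e)
{
    uint64_t lo = r->start > s ? r->start : s, hi = r->end < e ? r->end : e;
    return lo <= hi ? hi - lo + 1 : 0;
}

/* Bytes of [s, e] backed by System RAM; enters non-RAM nodes only if descend is set. */
static uint64_t ram_bytes(const struct res *parent, uint64_t s, uint64_t e, int descend)
{
    uint64_t n = 0;
    for (const struct res *c = parent->child; c; c = c->sibling)
        if (c->sysram)
            n += overlap(c, s, e);
        else if (descend)
            n += ram_bytes(c, s, e, descend);
    return n;
}

/* descend = 0 checks top-level resources only, the behaviour described as broken. */
static int intersects_sysram(const struct res *root, uint64_t start, uint64_t size, int descend)
{
    uint64_t end = start + size - 1, claimed = 0, ram = ram_bytes(root, start, end, descend);
    for (const struct res *p = root->child; p; p = p->sibling)
        claimed += overlap(p, start, end);
    return !ram ? DISJOINT : claimed > ram ? MIXED : INTERSECTS;
}

/* Hypothetical reduction of the /dev/mem policy: a page is allowed only if it is not RAM. */
static int devmem_allowed(const struct res *root, uint64_t addr, int descend)
{
    return intersects_sysram(root, addr, 4096, descend) == DISJOINT;
}

/* Constructed from the /proc/iomem listing quoted in the commit message. */
static struct res kmem   = { 0x490000000, 0x50fffffff, 1, 0, 0 };
static struct res dax    = { 0x490000000, 0x50fffffff, 0, &kmem, 0 };
static struct res reg    = { 0x490000000, 0x50fffffff, 0, &dax, 0 };
static struct res cxl    = { 0x490000000, 0x50fffffff, 0, &reg, 0 };
static struct res iomem  = { 0, UINT64_MAX, 0, &cxl, 0 };
static struct res half   = { 0x490000000, 0x49fffffff, 1, 0, 0 }; /* constructed: RAM in first 256 MiB only */
static struct res win    = { 0x490000000, 0x50fffffff, 0, &half, 0 };
static struct res iomem2 = { 0, UINT64_MAX, 0, &win, 0 };
int main(void)
{
    printf("allowed, top-level walk:  %d\n", devmem_allowed(&iomem, 0x490000000, 0));
    printf("allowed, descending walk: %d\n", devmem_allowed(&iomem, 0x490000000, 1));
    printf("range straddling RAM edge: %d\n", intersects_sysram(&iomem2, 0x49ffff000, 0x2000, 1));
    return 0;
}
```

The last line prints the MIXED value, which corresponds to the "System RAM" plus "CXL Window 0a" picture in the message.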
||
|
|
a20d4f0d9e |
lockdep: fix deadlock issue between lockdep and rcu
commit a6f88ac32c6e63e69c595bfae220d8641704c9b7 upstream.
There is a deadlock scenario between lockdep and rcu when
rcu nocb feature is enabled, just as following call stack:
rcuop/x
-000|queued_spin_lock_slowpath(lock = 0xFFFFFF817F2A8A80, val = ?)
-001|queued_spin_lock(inline) // try to hold nocb_gp_lock
-001|do_raw_spin_lock(lock = 0xFFFFFF817F2A8A80)
-002|__raw_spin_lock_irqsave(inline)
-002|_raw_spin_lock_irqsave(lock = 0xFFFFFF817F2A8A80)
-003|wake_nocb_gp_defer(inline)
-003|__call_rcu_nocb_wake(rdp = 0xFFFFFF817F30B680)
-004|__call_rcu_common(inline)
-004|call_rcu(head = 0xFFFFFFC082EECC28, func = ?)
-005|call_rcu_zapped(inline)
-005|free_zapped_rcu(ch = ?)// hold graph lock
-006|rcu_do_batch(rdp = 0xFFFFFF817F245680)
-007|nocb_cb_wait(inline)
-007|rcu_nocb_cb_kthread(arg = 0xFFFFFF817F245680)
-008|kthread(_create = 0xFFFFFF80803122C0)
-009|ret_from_fork(asm)
rcuop/y
-000|queued_spin_lock_slowpath(lock = 0xFFFFFFC08291BBC8, val = 0)
-001|queued_spin_lock()
-001|lockdep_lock()
-001|graph_lock() // try to hold graph lock
-002|lookup_chain_cache_add()
-002|validate_chain()
-003|lock_acquire
-004|_raw_spin_lock_irqsave(lock = 0xFFFFFF817F211D80)
-005|lock_timer_base(inline)
-006|mod_timer(inline)
-006|wake_nocb_gp_defer(inline)// hold nocb_gp_lock
-006|__call_rcu_nocb_wake(rdp = 0xFFFFFF817F2A8680)
-007|__call_rcu_common(inline)
-007|call_rcu(head = 0xFFFFFFC0822E0B58, func = ?)
-008|call_rcu_hurry(inline)
-008|rcu_sync_call(inline)
-008|rcu_sync_func(rhp = 0xFFFFFFC0822E0B58)
-009|rcu_do_batch(rdp = 0xFFFFFF817F266680)
-010|nocb_cb_wait(inline)
-010|rcu_nocb_cb_kthread(arg = 0xFFFFFF817F266680)
-011|kthread(_create = 0xFFFFFF8080363740)
-012|ret_from_fork(asm)
rcuop/x and rcuop/y are rcu nocb threads with the same nocb gp thread.
This patch releases the graph lock before lockdep call_rcu.
Fixes:
|
||
|
|
abdc85d630 |
locking/lockdep: Avoid potential access of invalid memory in lock_class
commit 61cc4534b6550997c97a03759ab46b29d44c0017 upstream.
It was found that reading /proc/lockdep after a lockdep splat may
potentially cause an access to freed memory if lockdep_unregister_key()
is called after the splat but before access to /proc/lockdep [1]. This
is due to the fact that graph_lock() call in lockdep_unregister_key()
fails after the clearing of debug_locks by the splat process.
After lockdep_unregister_key() is called, the lock_name may be freed
but the corresponding lock_class structure still has a reference to
it. That invalid memory pointer will then be accessed when /proc/lockdep
is read by a user and a use-after-free (UAF) error will be reported if
KASAN is enabled.
To fix this problem, lockdep_unregister_key() is now modified to always
search for a matching key irrespective of the debug_locks state and
zap the corresponding lock class if a matching one is found.
[1] https://lore.kernel.org/lkml/77f05c15-81b6-bddd-9650-80d5f23fe330@i-love.sakura.ne.jp/
Fixes:
|
||
|
|
991e129724 |
locking/lockdep: Rework lockdep_lock
commit 248efb2158f1e23750728e92ad9db3ab60c14485 upstream.
A few sites want to assert we own the graph_lock/lockdep_lock, provide
a more conventional lock interface for it with a number of trivial
debug checks.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20200313102107.GX12561@hirez.programming.kicks-ass.net
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
60519a39ae |
locking/lockdep: Fix bad recursion pattern
commit 10476e6304222ced7df9b3d5fb0a043b3c2a1ad8 upstream.
There were two patterns for lockdep_recursion:
Pattern-A:
    if (current->lockdep_recursion)
        return
    current->lockdep_recursion = 1;
    /* do stuff */
    current->lockdep_recursion = 0;
Pattern-B:
    current->lockdep_recursion++;
    /* do stuff */
    current->lockdep_recursion--;
But a third pattern has emerged:
Pattern-C:
    current->lockdep_recursion = 1;
    /* do stuff */
    current->lockdep_recursion = 0;
And while this isn't broken per-se, it is highly dangerous because it
doesn't nest properly.
Get rid of all Pattern-C instances and shore up Pattern-A with a
warning.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20200313093325.GW12561@hirez.programming.kicks-ass.net
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
d2e35f220c |
bpf: Check percpu map value size first
[ Upstream commit 1d244784be6b01162b732a5a7d637dfc024c3203 ]
Percpu map is often used, but the map value size limit is often ignored,
like issue: https://github.com/iovisor/bcc/issues/2519. Actually,
percpu map value size is bound by PCPU_MIN_UNIT_SIZE, so we
can check the value size whether it exceeds PCPU_MIN_UNIT_SIZE first,
like percpu map of local_storage. Maybe the error message seems clearer
compared with "cannot allocate memory".
Signed-off-by: Jinke Han <jinkehan@didiglobal.com>
Signed-off-by: Tao Chen <chen.dylane@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20240910144111.1464912-2-chen.dylane@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
578d66b048 |
tracing: Have saved_cmdlines arrays all in one allocation
[ Upstream commit 0b18c852cc6fb8284ac0ab97e3e840974a6a8a64 ]
The saved_cmdlines have three arrays for mapping PIDs to COMMs:
- map_pid_to_cmdline[]
- map_cmdline_to_pid[]
- saved_cmdlines
The map_pid_to_cmdline[] is PID_MAX_DEFAULT in size and holds the index
into the other arrays. The map_cmdline_to_pid[] is a mapping back to the
full pid as it can be larger than PID_MAX_DEFAULT. And the
saved_cmdlines[] just holds the COMMs associated to the pids.
Currently the map_pid_to_cmdline[] and saved_cmdlines[] are allocated
together (in reality the saved_cmdlines is just in the memory of the
rounding of the allocation of the structure as it is always allocated in
powers of two). The map_cmdline_to_pid[] array is allocated separately.
Since the rounding to a power of two is rather large (it allows for 8000
elements in saved_cmdlines), also include the map_cmdline_to_pid[] array.
(This drops it to 6000 by default, which is still plenty for most use
cases). This saves even more memory as the map_cmdline_to_pid[] array
doesn't need to be allocated.
Link: https://lore.kernel.org/linux-trace-kernel/20240212174011.068211d9@gandalf.local.home/
Link: https://lore.kernel.org/linux-trace-kernel/20240220140703.182330529@goodmis.org
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Vincent Donnefort <vdonnefort@google.com>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Mete Durlu <meted@linux.ibm.com>
Fixes: 44dc5c41b5b1 ("tracing: Fix wasted memory in saved_cmdlines logic")
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
49da44d24c |
tracing: Remove precision vsnprintf() check from print event
[ Upstream commit 5efd3e2aef91d2d812290dcb25b2058e6f3f532c ]
This reverts 60be76eeabb3d ("tracing: Add size check when printing
trace_marker output"). The only reason the precision check was added
was because of a bug that miscalculated the write size of the string into
the ring buffer and it truncated it removing the terminating nul byte. On
reading the trace it crashed the kernel. But this was due to the bug in
the code that happened during development and should never happen in
practice. If anything, the precision can hide bugs where the string in the
ring buffer isn't nul terminated and it will not be checked.
Link: https://lore.kernel.org/all/C7E7AF1A-D30F-4D18-B8E5-AF1EF58004F5@linux.ibm.com/
Link: https://lore.kernel.org/linux-trace-kernel/20240227125706.04279ac2@gandalf.local.home
Link: https://lore.kernel.org/all/20240302111244.3a1674be@gandalf.local.home/
Link: https://lore.kernel.org/linux-trace-kernel/20240304174341.2a561d9f@gandalf.local.home
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Fixes: 60be76eeabb3d ("tracing: Add size check when printing trace_marker output")
Reported-by: Sachin Sant <sachinp@linux.ibm.com>
Tested-by: Sachin Sant <sachinp@linux.ibm.com>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
fe5e9182d3 |
uprobes: fix kernel info leak via "[uprobes]" vma
commit 34820304cc2cd1804ee1f8f3504ec77813d29c8e upstream.
xol_add_vma() maps the uninitialized page allocated by __create_xol_area()
into userspace. On some architectures (x86) this memory is readable even
without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ,
although this doesn't really matter, debugger can read this memory anyway.
Link: https://lore.kernel.org/all/20240929162047.GA12611@redhat.com/
Reported-by: Will Deacon <will@kernel.org>
Fixes:
|
||
|
|
d346599940 |
perf/core: Fix small negative period being ignored
commit 62c0b1061593d7012292f781f11145b2d46f43ab upstream.
In perf_adjust_period, we will first calculate period, and then use
this period to calculate delta. However, when delta is less than 0,
there will be a deviation compared to when delta is greater than or
equal to 0. For example, when delta is in the range of [-14,-1], the
range of delta = delta + 7 is between [-7,6], so the final value of
delta/8 is 0. Therefore, the impact of -1 and -2 will be ignored.
This is unacceptable when the target period is very short, because
we will lose a lot of samples.
Here are some tests and analyses:
before:
# perf record -e cs -F 1000 ./a.out
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.022 MB perf.data (518 samples) ]
# perf script
...
a.out 396 257.956048: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.957891: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.959730: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.961545: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.963355: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.965163: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.966973: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.968785: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.970593: 23 cs: ffffffff81f4eeec schedul>
...
after:
# perf record -e cs -F 1000 ./a.out
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.058 MB perf.data (1466 samples) ]
# perf script
...
a.out 395 59.338813: 11 cs: ffffffff81f4eeec schedul>
a.out 395 59.339707: 12 cs: ffffffff81f4eeec schedul>
a.out 395 59.340682: 13 cs: ffffffff81f4eeec schedul>
a.out 395 59.341751: 13 cs: ffffffff81f4eeec schedul>
a.out 395 59.342799: 12 cs: ffffffff81f4eeec schedul>
a.out 395 59.343765: 11 cs: ffffffff81f4eeec schedul>
a.out 395 59.344651: 11 cs: ffffffff81f4eeec schedul>
a.out 395 59.345539: 12 cs: ffffffff81f4eeec schedul>
a.out 395 59.346502: 13 cs: ffffffff81f4eeec schedul>
...
test.c
#include <unistd.h>
int main() {
    for (int i = 0; i < 20000; i++)
        usleep(10);
    return 0;
}
# time ./a.out
real 0m1.583s
user 0m0.040s
sys 0m0.298s
The above results were tested on x86-64 qemu with KVM enabled using
test.c as test program. Ideally, we should have around 1500 samples,
but the previous algorithm had only about 500, whereas the modified
algorithm now has about 1400. Furthermore, the new version shows 1
sample per 0.001s, while the previous one is 1 sample per 0.002s. This
indicates that the new algorithm is more sensitive to small negative
values compared to the old algorithm.
Fixes:
|
||
|
|
53e9c1ab16 |
signal: Replace BUG_ON()s
[ Upstream commit 7f8af7bac5380f2d95a63a6f19964e22437166e1 ]
These really can be handled gracefully without killing the machine.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
adfbc2440a |
bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit
[ Upstream commit cfe69c50b05510b24e26ccb427c7cc70beafd6c1 ]
The bpf_strtol() and bpf_strtoul() helpers are currently broken on 32bit:
The argument type ARG_PTR_TO_LONG is BPF-side "long", not kernel-side "long"
and therefore always considered fixed 64bit no matter if 64 or 32bit underlying
architecture.
This contract breaks in case of the two mentioned helpers since their BPF_CALL
definition for the helpers was added with {unsigned,}long *res. Meaning, the
transition from BPF-side "long" (BPF program) to kernel-side "long" (BPF helper)
breaks here.
Both helpers call __bpf_strtoll() with "long long" correctly, but later assigning
the result into 32-bit "*(long *)" on 32bit architectures. From a BPF program
point of view, this means upper bits will be seen as uninitialised.
Therefore, fix both BPF_CALL signatures to {s,u}64 types to fix this situation.
Now, changing also uapi/bpf.h helper documentation which generates bpf_helper_defs.h
for BPF programs is tricky: Changing signatures there to __{s,u}64 would trigger
compiler warnings (incompatible pointer types passing 'long *' to parameter of type
'__s64 *' (aka 'long long *')) for existing BPF programs.
Leaving the signatures as-is would be fine as from BPF program point of view it is
still BPF-side "long" and thus equivalent to __{s,u}64 on 64 or 32bit underlying
architectures.
Note that bpf_strtol() and bpf_strtoul() are the only helpers with this issue.
Fixes:
|