commit 1698174271 upstream.
For BINDER_TYPE_PTR and BINDER_TYPE_FDA transactions, the
num_valid local was calculated incorrectly causing the
range check in binder_validate_ptr() to miss out-of-bounds
offsets.
Fixes: bde4a19fc0 ("binder: use userspace pointer as base of buffer space")
Change-Id: Ida77db13d8e5b726f0b14513f55c2b30277338cd
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191213202531.55010-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 145988638
Signed-off-by: Todd Kjos <tkjos@google.com>
Merge 4.19.89 into android-4.19
Changes in 4.19.89
rsi: release skb if rsi_prepare_beacon fails
arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator
sparc64: implement ioremap_uc
lp: fix sparc64 LPSETTIMEOUT ioctl
usb: gadget: u_serial: add missing port entry locking
tty: serial: fsl_lpuart: use the sg count from dma_map_sg
tty: serial: msm_serial: Fix flow control
serial: pl011: Fix DMA ->flush_buffer()
serial: serial_core: Perform NULL checks for break_ctl ops
serial: ifx6x60: add missed pm_runtime_disable
autofs: fix a leak in autofs_expire_indirect()
RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
iwlwifi: pcie: don't consider IV len in A-MSDU
exportfs_decode_fh(): negative pinned may become positive without the parent locked
audit_get_nd(): don't unlock parent too early
NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
xfrm: release device reference for invalid state
Input: cyttsp4_core - fix use after free bug
sched/core: Avoid spurious lock dependencies
perf/core: Consistently fail fork on allocation failures
ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.
selftests: kvm: fix build with glibc >= 2.30
rsxx: add missed destroy_workqueue calls in remove
net: ep93xx_eth: fix mismatch of request_mem_region in remove
i2c: core: fix use after free in of_i2c_notify
serial: core: Allow processing sysrq at port unlock time
cxgb4vf: fix memleak in mac_hlist initialization
iwlwifi: mvm: synchronize TID queue removal
iwlwifi: trans: Clear persistence bit when starting the FW
iwlwifi: mvm: Send non offchannel traffic via AP sta
ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+
audit: Embed key into chunk
netfilter: nf_tables: don't use position attribute on rule replacement
ARC: IOC: panic if kernel was started with previously enabled IOC
net/mlx5: Release resource on error flow
clk: sunxi-ng: a64: Fix gate bit of DSI DPHY
ice: Fix NVM mask defines
dlm: fix possible call to kfree() for non-initialized pointer
ARM: dts: exynos: Fix LDO13 min values on Odroid XU3/XU4/HC1
extcon: max8997: Fix lack of path setting in USB device mode
net: ethernet: ti: cpts: correct debug for expired txq skb
rtc: s3c-rtc: Avoid using broken ALMYEAR register
rtc: max77686: Fix the returned value in case of error in 'max77686_rtc_read_time()'
i40e: don't restart nway if autoneg not supported
virtchnl: Fix off by one error
clk: rockchip: fix rk3188 sclk_smc gate data
clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering
ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name
dlm: fix missing idr_destroy for recover_idr
MIPS: SiByte: Enable ZONE_DMA32 for LittleSur
net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2
scsi: zfcp: update kernel message for invalid FCP_CMND length, it's not the CDB
scsi: zfcp: drop default switch case which might paper over missing case
drivers: soc: Allow building the amlogic drivers without ARCH_MESON
bus: ti-sysc: Fix getting optional clocks in clock_roles
ARM: dts: imx6: RDU2: fix eGalax touchscreen node
crypto: ecc - check for invalid values in the key verification test
crypto: bcm - fix normal/non key hash algorithm failure
arm64: dts: zynqmp: Fix node names which contain "_"
pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues
Staging: iio: adt7316: Fix i2c data reading, set the data field
firmware: raspberrypi: Fix firmware calls with large buffers
mm/vmstat.c: fix NUMA statistics updates
clk: rockchip: fix I2S1 clock gate register for rk3328
clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328
sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit
regulator: Fix return value of _set_load() stub
USB: serial: f81534: fix reading old/new IC config
xfs: extent shifting doesn't fully invalidate page cache
net-next/hinic:fix a bug in set mac address
net-next/hinic: fix a bug in rx data flow
ice: Fix return value from NAPI poll
ice: Fix possible NULL pointer de-reference
iomap: FUA is wrong for DIO O_DSYNC writes into unwritten extents
iomap: sub-block dio needs to zeroout beyond EOF
iomap: dio data corruption and spurious errors when pipes fill
iomap: readpages doesn't zero page tail beyond EOF
iw_cxgb4: only reconnect with MPAv1 if the peer aborts
MIPS: OCTEON: octeon-platform: fix typing
net/smc: use after free fix in smc_wr_tx_put_slot()
math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning
nds32: Fix the items of hwcap_str ordering issue.
rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()'
rtc: dt-binding: abx80x: fix resistance scale
ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module
media: coda: fix memory corruption in case more than 32 instances are opened
media: pulse8-cec: return 0 when invalidating the logical address
media: cec: report Vendor ID after initialization
iwlwifi: fix cfg structs for 22000 with different RF modules
ravb: Clean up duplex handling
net/ipv6: re-do dad when interface has IFF_NOARP flag change
dmaengine: coh901318: Fix a double-lock bug
dmaengine: coh901318: Remove unused variable
dmaengine: dw-dmac: implement dma protection control setting
net: qualcomm: rmnet: move null check on dev before dereferecing it
selftests/powerpc: Allocate base registers
selftests/powerpc: Skip test instead of failing
usb: dwc3: debugfs: Properly print/set link state for HS
usb: dwc3: don't log probe deferrals; but do log other error codes
ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion()
f2fs: fix to account preflush command for noflush_merge mode
f2fs: fix count of seg_freed to make sec_freed correct
f2fs: change segment to section in f2fs_ioc_gc_range
ARM: dts: rockchip: Fix the PMU interrupt number for rv1108
ARM: dts: rockchip: Assign the proper GPIO clocks for rv1108
f2fs: fix to allow node segment for GC by ioctl path
sparc: Fix JIT fused branch convergance.
sparc: Correct ctx->saw_frame_pointer logic.
nvme: Free ctrl device name on init failure
dma-mapping: fix return type of dma_set_max_seg_size()
slimbus: ngd: Fix build error on x86
altera-stapl: check for a null key before strcasecmp'ing it
serial: imx: fix error handling in console_setup
i2c: imx: don't print error message on probe defer
clk: meson: Fix GXL HDMI PLL fractional bits width
gpu: host1x: Fix syncpoint ID field size on Tegra186
lockd: fix decoding of TEST results
sctp: increase sk_wmem_alloc when head->truesize is increased
iommu/amd: Fix line-break in error log reporting
ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()
ARM: dts: sun4i: Fix gpio-keys warning
ARM: dts: sun4i: Fix HDMI output DTC warning
ARM: dts: sun5i: a10s: Fix HDMI output DTC warning
ARM: dts: r8a779[01]: Disable unconnected LVDS encoders
ARM: dts: sun7i: Fix HDMI output DTC warning
ARM: dts: sun8i: a23/a33: Fix OPP DTC warnings
ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning
dlm: NULL check before kmem_cache_destroy is not needed
ARM: debug: enable UART1 for socfpga Cyclone5
can: xilinx: fix return type of ndo_start_xmit function
nfsd: fix a warning in __cld_pipe_upcall()
bpf: btf: implement btf_name_valid_identifier()
bpf: btf: check name validity for various types
tools: bpftool: fix a bitfield pretty print issue
ASoC: au8540: use 64-bit arithmetic instead of 32-bit
ARM: OMAP1/2: fix SoC name printing
arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names
arm64: dts: meson-gxbb-nanopi-k2: fix GPIO lines names
arm64: dts: meson-gxbb-odroidc2: fix GPIO lines names
arm64: dts: meson-gxl-khadas-vim: fix GPIO lines names
net/x25: fix called/calling length calculation in x25_parse_address_block
net/x25: fix null_x25_address handling
tools/bpf: make libbpf _GNU_SOURCE friendly
clk: mediatek: Drop __init from mtk_clk_register_cpumuxes()
clk: mediatek: Drop more __init markings for driver probe
soc: renesas: r8a77970-sysc: Correct names of A2DP/A2CN power domains
soc: renesas: r8a77980-sysc: Correct names of A2DP[01] power domains
soc: renesas: r8a77980-sysc: Correct A3VIP[012] power domain hierarchy
kbuild: disable dtc simple_bus_reg warnings by default
tcp: make tcp_space() aware of socket backlog
ARM: dts: mmp2: fix the gpio interrupt cell number
ARM: dts: realview-pbx: Fix duplicate regulator nodes
tcp: fix off-by-one bug on aborting window-probing socket
tcp: fix SNMP under-estimation on failed retransmission
tcp: fix SNMP TCP timeout under-estimation
modpost: skip ELF local symbols during section mismatch check
kbuild: fix single target build for external module
mtd: fix mtd_oobavail() incoherent returned value
ARM: dts: pxa: clean up USB controller nodes
clk: meson: meson8b: fix the offset of vid_pll_dco's N value
clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent
clk: qcom: Fix MSM8998 resets
media: cxd2880-spi: fix probe when dvb_attach fails
ARM: dts: realview: Fix some more duplicate regulator nodes
dlm: fix invalid cluster name warning
net/mlx4_core: Fix return codes of unsupported operations
pstore/ram: Avoid NULL deref in ftrace merging failure path
powerpc/math-emu: Update macros from GCC
clk: renesas: r8a77990: Correct parent clock of DU
clk: renesas: r8a77995: Correct parent clock of DU
MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition
nfsd: Return EPERM, not EACCES, in some SETATTR cases
media: uvcvideo: Abstract streaming object lifetime
tty: serial: qcom_geni_serial: Fix softlock
ARM: dts: sun8i: h3: Fix the system-control register range
tty: Don't block on IO when ldisc change is pending
media: stkwebcam: Bugfix for wrong return values
firmware: qcom: scm: fix compilation error when disabled
clk: qcom: gcc-msm8998: Disable halt check of UFS clocks
sctp: frag_point sanity check
soc: renesas: r8a77990-sysc: Fix initialization order of 3DG-{A,B}
mlxsw: spectrum_router: Relax GRE decap matching check
IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state
IB/hfi1: Close VNIC sdma_progress sleep window
mlx4: Use snprintf instead of complicated strcpy
usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler
clk: renesas: rcar-gen3: Set state when registering SD clocks
ASoC: max9867: Fix power management
ARM: dts: sunxi: Fix PMU compatible strings
ARM: dts: am335x-pdu001: Fix polarity of card detection input
media: vimc: fix start stream when link is disabled
net: aquantia: fix RSS table and key sizes
sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision
fuse: verify nlink
fuse: verify attributes
ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC
ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
ALSA: pcm: oss: Avoid potential buffer overflows
ALSA: hda - Add mute led support for HP ProBook 645 G4
Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash
Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers
Input: goodix - add upside-down quirk for Teclast X89 tablet
coresight: etm4x: Fix input validation for sysfs.
Input: Fix memory leak in psxpad_spi_probe
x86/mm/32: Sync only to VMALLOC_END in vmalloc_sync_all()
x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
xfrm interface: fix memory leak on creation
xfrm interface: avoid corruption on changelink
xfrm interface: fix list corruption for x-netns
xfrm interface: fix management of phydev
CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
CIFS: Fix SMB2 oplock break processing
tty: vt: keyboard: reject invalid keycodes
can: slcan: Fix use-after-free Read in slcan_open
kernfs: fix ino wrap-around detection
jbd2: Fix possible overflow in jbd2_log_space_left()
drm/msm: fix memleak on release
drm/i810: Prevent underflow in ioctl
arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc node"
KVM: arm/arm64: vgic: Don't rely on the wrong pending table
KVM: x86: do not modify masked bits of shared MSRs
KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
KVM: x86: Grab KVM's srcu lock when setting nested state
crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize
crypto: af_alg - cast ki_complete ternary op to int
crypto: ccp - fix uninitialized list head
crypto: ecdh - fix big endian bug in ECC library
crypto: user - fix memory leak in crypto_report
spi: atmel: Fix CS high support
mwifiex: update set_mac_address logic
can: ucan: fix non-atomic allocation in completion handler
RDMA/qib: Validate ->show()/store() callbacks before calling them
iomap: Fix pipe page leakage during splicing
thermal: Fix deadlock in thermal thermal_zone_device_check
vcs: prevent write access to vcsu devices
binder: Fix race between mmap() and binder_alloc_print_pages()
binder: Handle start==NULL in binder_update_page_range()
ALSA: hda - Fix pending unsol events at shutdown
md/raid0: Fix an error message in raid0_make_request()
watchdog: aspeed: Fix clock behaviour for ast2600
perf script: Fix invalid LBR/binary mismatch error
splice: don't read more than available pipe space
iomap: partially revert 4721a60109 (simulated directio short read on EFAULT)
xfs: add missing error check in xfs_prepare_shift()
ASoC: rsnd: fixup MIX kctrl registration
KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
net: qrtr: fix memort leak in qrtr_tun_write_iter
appletalk: Fix potential NULL pointer dereference in unregister_snap_client
appletalk: Set error code if register_snap_client failed
Linux 4.19.89
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie3fa59adde9a7e9a6d4684de0e95de14a8b83d0b
commit 2a9edd056e upstream.
The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
continuing backwards to index -1 and crashing.
Luckily you need to be highly privileged to map things at NULL, so it's not
a big problem.
Fix it by adjusting the loop so that the loop variable is always in bounds.
This patch is deliberately minimal to simplify backporting, but IMO this
function could use a refactor. The jump labels in the second loop body are
horrible (the error gotos should be jumping to free_range instead), and
both loops would look nicer if they just iterated upwards through indices.
And the up_read()+mmput() shouldn't be duplicated like that.
Cc: stable@vger.kernel.org
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
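The loop-bounds problem the commit message above describes, reproduced as an added example; this is not the binder driver's code. The `fake_alloc` structure, `PAGE_SIZE`/`NPAGES` values and the base address 0 standing in for a mapping at NULL are all constructed for the demonstration, and `unwind_fixed()` shows the shape of a loop whose variable stays in bounds rather than a copy of the upstream diff. `unwind_buggy()` keeps the old shape (`page_addr >= start` as the exit test) and reports, instead of faulting, the moment it computes index -1:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
#define NPAGES    8

/* Constructed stand-in for binder_alloc: mapped[] is indexed by
 * (page_addr - buffer) / PAGE_SIZE, with `buffer` the base address of the
 * userspace mapping. A buffer of 0 models a mapping placed at NULL. */
struct fake_alloc {
	uintptr_t buffer;
	bool mapped[NPAGES];
};

/* Signed page index, so that one page below `buffer` comes out as -1
 * (the real driver would use that -1 to index its pages[] array). */
static intptr_t page_index(const struct fake_alloc *a, uintptr_t page_addr)
{
	return (intptr_t)(page_addr - a->buffer) / (intptr_t)PAGE_SIZE;
}

/*
 * Old shape of the unwind loop: walk from the last page of [start, end)
 * back towards `start`, exiting once page_addr drops below `start`.
 * Addresses are unsigned, so with start == 0 the test page_addr >= start
 * can never be false: after page 0 the loop steps to 0 - PAGE_SIZE, which
 * wraps, yields index -1 and keeps walking. Returns pages released, or -1
 * where the kernel would have oopsed.
 */
static int unwind_buggy(struct fake_alloc *a, uintptr_t start, uintptr_t end)
{
	int released = 0;
	uintptr_t page_addr;

	for (page_addr = end - PAGE_SIZE; page_addr >= start;
	     page_addr -= PAGE_SIZE) {
		intptr_t idx = page_index(a, page_addr);

		if (idx < 0 || idx >= NPAGES)
			return -1;	/* out of bounds: index -1 for start == 0 */
		a->mapped[idx] = false;
		released++;
	}
	return released;
}

/*
 * Fixed shape: the exit test runs after the page is processed and compares
 * for equality with `start`, so no address below `start` is ever formed and
 * the loop variable never leaves [start, end).
 */
static int unwind_fixed(struct fake_alloc *a, uintptr_t start, uintptr_t end)
{
	int released = 0;
	uintptr_t page_addr;

	if (end <= start)
		return 0;

	for (page_addr = end - PAGE_SIZE; ; page_addr -= PAGE_SIZE) {
		intptr_t idx = page_index(a, page_addr);

		if (idx < 0 || idx >= NPAGES)
			return -1;
		a->mapped[idx] = false;
		released++;
		if (page_addr == start)
			break;
	}
	return released;
}

/* Build an allocator whose buffer starts at `base` with `npages` pages mapped. */
static struct fake_alloc make_alloc(uintptr_t base, int npages)
{
	struct fake_alloc a = { .buffer = base };

	for (int i = 0; i < npages && i < NPAGES; i++)
		a.mapped[i] = true;
	return a;
}

int main(void)
{
	struct fake_alloc at_null = make_alloc(0, 3);
	struct fake_alloc at_null2 = make_alloc(0, 3);
	struct fake_alloc normal = make_alloc(0x7f0000000000UL, 3);

	printf("buggy, buffer at NULL : %d\n",
	       unwind_buggy(&at_null, 0, 3 * PAGE_SIZE));
	printf("fixed, buffer at NULL : %d\n",
	       unwind_fixed(&at_null2, 0, 3 * PAGE_SIZE));
	printf("buggy, normal buffer  : %d\n",
	       unwind_buggy(&normal, normal.buffer, normal.buffer + 3 * PAGE_SIZE));
	return 0;
}
```

With a non-zero base both loops release the same three pages, which is why the bug only bites when the buffer is mapped at NULL and why the message notes the privilege needed to reach it.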
commit 8eb52a1ee3 upstream.
binder_alloc_print_pages() iterates over
alloc->pages[0..alloc->buffer_size-1] under alloc->mutex.
binder_alloc_mmap_handler() writes alloc->pages and alloc->buffer_size
without holding that lock, and even writes them before the last bailout
point.
Unfortunately we can't take the alloc->mutex in the ->mmap() handler
because mmap_sem can be taken while alloc->mutex is held.
So instead, we have to locklessly check whether the binder_alloc has been
fully initialized with binder_alloc_get_vma(), like in
binder_alloc_new_buf_locked().
Fixes: 8ef4665aa1 ("android: binder: Add page usage in binder stats")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-1-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Currently /sys/kernel/debug/binder/proc contains
the debug data for every binder_proc instance.
This patch makes this information also available
in a binderfs instance mounted with a mount option
"stats=global" in addition to debugfs. The patch does
not affect the presence of the file in debugfs.
If a binderfs instance is mounted at path /dev/binderfs,
this file would be present at /dev/binderfs/binder_logs/proc.
This change provides an alternate way to access this file when debugfs
is not mounted.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Link: https://lore.kernel.org/r/20190903161655.107408-5-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 4feb80faf4)
Change-Id: I3aa974979f2d4aebbe79ea9df30ede2813826157
Currently, the binder transaction log files 'transaction_log'
and 'failed_transaction_log' live in debugfs at the following locations:
/sys/kernel/debug/binder/failed_transaction_log
/sys/kernel/debug/binder/transaction_log
This patch makes these files also available in a binderfs instance
mounted with the mount option "stats=global".
It does not affect the presence of these files in debugfs.
If a binderfs instance is mounted at path /dev/binderfs, the location of
these files will be as follows:
/dev/binderfs/binder_logs/failed_transaction_log
/dev/binderfs/binder_logs/transaction_log
This change provides an alternate option to access these files when
debugfs is not mounted.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Link: https://lore.kernel.org/r/20190903161655.107408-4-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit c31e73121f4c1ec41143423ac6ce3ce6dafdcec1)
Change-Id: I20d9e6c4c7115297f9740cc42a516c315b3a209e
The following binder stat files currently live in debugfs.
/sys/kernel/debug/binder/state
/sys/kernel/debug/binder/stats
/sys/kernel/debug/binder/transactions
This patch makes these files available in a binderfs instance
mounted with the mount option 'stats=global'. For example, if a binderfs
instance is mounted at path /dev/binderfs, the above files will be
available at the following locations:
/dev/binderfs/binder_logs/state
/dev/binderfs/binder_logs/stats
/dev/binderfs/binder_logs/transactions
This provides a way to access them even when debugfs is not mounted.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20190903161655.107408-3-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 0e13e452da)
Change-Id: Ieeb666a719fb3195133403054de7b103a358e1ae
Currently, all binder state and statistics live in debugfs.
We need this information even when debugfs is not mounted.
This patch adds the mount option 'stats' to enable a binderfs
instance to have binder debug information present in the same.
'stats=global' will enable the global binder statistics. In
the future, 'stats=local' will enable binder statistics local
to the binderfs instance. The two modes 'global' and 'local'
will be mutually exclusive. 'stats=global' option is only available
for a binderfs instance mounted in the initial user namespace.
An attempt to use the option to mount a binderfs instance in
another user namespace will return an EPERM error.
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20190903161655.107408-2-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit f00834518e)
Change-Id: I4c9da221e7e19729a6489436ffa6233864eac4f7
Length of a binderfs device name cannot exceed BINDERFS_MAX_NAME.
This patch adds a check in binderfs_init() to ensure the same
for the default binder devices that will be created in every
binderfs instance.
Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Bug: 136497735
(cherry picked from commit 028fb5822b)
Change-Id: I347a427690ae35c792ce15afc90151937b879ef7
Currently, since each binderfs instance needs its own
private binder devices, every time a binderfs instance is
mounted, all the default binder devices need to be created
via the BINDER_CTL_ADD IOCTL. This patch aims to
add a solution to automatically create the default binder
devices for each binderfs instance that gets mounted.
To achieve this goal, when CONFIG_ANDROID_BINDERFS is set,
the default binder devices specified by CONFIG_ANDROID_BINDER_DEVICES
are created in each binderfs instance instead of global devices
being created by the binder driver.
Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Bug: 136497735
(cherry picked from commit ca2864c6e8)
Change-Id: I4f6c5d95997ffd3df182d6ec32d467b15d1f0c42
Signed-off-by: Hridya Valsaraju <hridya@google.com>
binderfs should not have a separate device_initcall(). When a kernel is
compiled with CONFIG_ANDROID_BINDERFS register the filesystem alongside
CONFIG_ANDROID_IPC. This use-case is especially sensible when users specify
CONFIG_ANDROID_IPC=y, CONFIG_ANDROID_BINDERFS=y and
ANDROID_BINDER_DEVICES="".
When CONFIG_ANDROID_BINDERFS=n then this always succeeds so there's no
regression potential for legacy workloads.
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 5b9633af29)
Change-Id: I91892655d9d36df5218189f7874312eec7ae3c46
Signed-off-by: Hridya Valsaraju <hridya@google.com>
We currently adhere to the reserved devices limit when creating new
binderfs devices in binderfs instances not located in the initial ipc
namespace. But it is still possible to rob the host instances of their 4
reserved devices by creating the maximum allowed number of devices in a
single binderfs instance located in a non-initial ipc namespace and then
mounting 4 separate binderfs instances in non-initial ipc namespaces. That
happens because the limit is currently not respected for the creation of
the initial binder-control device node. Block this nonsense by performing
the same check in binderfs_binder_ctl_create() that we perform in
binderfs_binder_device_create().
Fixes: 36bdf3cae0 ("binderfs: reserve devices for initial mount")
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit da8ddba566)
Change-Id: I7e170260ce79fc23a034ce75450d58ff39a7b902
Signed-off-by: Hridya Valsaraju <hridya@google.com>
The binderfs_binder_ctl_create() call is a no-op on subsequent calls and
the first call is done before we unlock the superblock. Hence, there is no
need to take inode_lock() in there. Let's remove it.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 29ef1c8e16)
Change-Id: I7c294796ac7891f62387e09dc34332ca4c3ee67b
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Al pointed out that first calling kill_litter_super() before cleaning up
info is more correct since destroying info doesn't depend on the state of
the dentries and inodes. That the opposite remains true is not guaranteed.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 4198479524)
Change-Id: Ie2dfc2c2f17dde25b4215853b05fa8f21fb6b298
Signed-off-by: Hridya Valsaraju <hridya@google.com>
- switch from d_alloc_name() + d_lookup() to lookup_one_len():
Instead of using d_alloc_name() and then doing a d_lookup() with the
allocated dentry to find whether a device with the name we're trying to
create already exists switch to using lookup_one_len(). The latter will
either return the existing dentry or a new one.
- switch from kmalloc() + strscpy() to kmemdup():
Use a more idiomatic way to copy the name for the new dentry that
userspace gave us.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 01b3f1fc56)
Change-Id: I993a7dfa2f48bc6deb305852ff4085dc8dcaae4d
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Al pointed out that on binderfs_fill_super() error
deactivate_locked_super() will call binderfs_kill_super() so all of the
freeing and putting we currently do in binderfs_fill_super() is unnecessary
and buggy. Let's simply return errors and let binderfs_fill_super() take
care of cleaning up on error.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 36975fc3e5)
Change-Id: I89cac3746d67638901e554c3ede6c0f2931e67d4
Signed-off-by: Hridya Valsaraju <hridya@google.com>
- make binderfs control dentry immutable:
We don't allow to unlink it since it is crucial for binderfs to be
useable but if we allow to rename it we make the unlink trivial to
bypass. So prevent renaming too and simply treat the control dentry as
immutable.
- add is_binderfs_control_device() helper:
Take the opportunity and turn the check for the control dentry into a
separate helper is_binderfs_control_device() since it's now used in two
places.
- simplify binderfs_rename():
Instead of hand-rolling our custom version of simple_rename() just dumb
the whole function down to first check whether we're trying to rename the
control dentry. If we do EPERM the caller and if not call simple_rename().
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit e98e6fa186)
Change-Id: I44e49a144b624c360ab8a277970625c64511da15
Signed-off-by: Hridya Valsaraju <hridya@google.com>
The comment stems from an early version of that patchset and is just
confusing now.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 7c4d08fc4d)
Change-Id: I8d5376e217763d7a6203a54516d4220ccdbe268d
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Fix to return a negative error code -ENOMEM from the new_inode() and
d_make_root() error handling cases instead of 0, as done elsewhere in
this function.
Fixes: 849d540ddf ("binderfs: implement "max" mount option")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 7e7ca7744a)
Change-Id: If9d120c4abdbc0d5528c85d2515a9d5e40addfdc
Signed-off-by: Hridya Valsaraju <hridya@google.com>
kbuild reported a build failure in [1]. This is triggered when CONFIG_IPC_NS
is not set. So let's make the use of init_ipc_ns conditional on
CONFIG_IPC_NS being set.
[1]: https://lists.01.org/pipermail/kbuild-all/2019-January/056903.html
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 7fefaadd6a)
Change-Id: I97b0a7a13a82d79d97fe340d4267795e4e6442c7
Signed-off-by: Hridya Valsaraju <hridya@google.com>
The binderfs instance in the initial ipc namespace will always have a
reserve of 4 binder devices unless explicitly capped by specifying a lower
value via the "max" mount option.
This ensures when binder devices are removed (on accident or on purpose)
they can always be recreated without risking that all minor numbers have
already been used up.
Cc: Todd Kjos <tkjos@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 36bdf3cae0)
Change-Id: I001f305659c37e3b631696712332ae2e21464be8
Signed-off-by: Hridya Valsaraju <hridya@google.com>
It doesn't make sense to call the header binder_ctl.h when its sole
existence is tied to binderfs. So give it a sensible name. Users will far
more easily remember binderfs.h than binder_ctl.h.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit c13295ad21)
Change-Id: Ide6275bbbaec2e25df19e11754afb7f1827888b2
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Since binderfs can be mounted by userns root in non-initial user namespaces
some precautions are in order. First, a way to set a maximum on the number
of binder devices that can be allocated per binderfs instance and second, a
way to reserve a reasonable chunk of binderfs devices for the initial ipc
namespace.
A first approach as seen in [1] used sysctls similar to devpts but was
shown to be flawed (cf. [2] and [3]) since some aspects were unneeded. This
is an alternative approach which avoids sysctls completely and instead
switches to a single mount option.
Starting with this commit binderfs instances can be mounted with a limit on
the number of binder devices that can be allocated. The max=<count> mount
option serves as a per-instance limit. If max=<count> is set then only
<count> number of binder devices can be allocated in this binderfs
instance.
This allows to safely bind-mount binderfs instances into unprivileged user
namespaces since userns root in a non-initial user namespace cannot change
the mount option as long as it does not own the mount namespace the
binderfs mount was created in and hence cannot drain the host of minor
device numbers.
[1]: https://lore.kernel.org/lkml/20181221133909.18794-1-christian@brauner.io/
[2]: https://lore.kernel.org/lkml/20181221163316.GA8517@kroah.com/
[3]: https://lore.kernel.org/lkml/CAHRSSEx+gDVW4fKKK8oZNAir9G5icJLyodO8hykv3O0O1jt2FQ@mail.gmail.com/
[4]: https://lore.kernel.org/lkml/20181221192044.5yvfnuri7gdop4rs@brauner.io/
Cc: Todd Kjos <tkjos@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 849d540ddf)
Change-Id: Idfc17f9570d165b05779d0bfdb782117beb9c44e
Signed-off-by: Hridya Valsaraju <hridya@google.com>
When currently mounting binderfs in the same ipc namespace twice:
mount -t binder binder /A
mount -t binder binder /B
then the binderfs instances mounted on /A and /B will be the same, i.e.
they will have the same superblock. This was the first approach that seemed
reasonable. However, this leads to some problems and inconsistencies:
/* private binderfs instance in same ipc namespace */
There is no way for a user to request a private binderfs instance in the
same ipc namespace.
This request has been made in a private mail to me by two independent
people.
/* bind-mounts */
If users want the same binderfs instance to appear in multiple places they
can use bind mounts. So there is no value in having a request for a new
binderfs mount giving them the same instance.
/* unexpected behavior */
It's surprising that a request to mount binderfs does not give the user a
new instance, as tmpfs, devpts, ramfs, and others do.
/* past mistakes */
Other pseudo-filesystems once made the same mistakes of giving back the
same superblock when actually requesting a new mount (cf. devpts's
deprecated "newinstance" option).
We should not make the same mistake. Once we've committed to always giving
back the same superblock in the same IPC namespace with the next kernel
release, we will not be able to make that change, so it is better to do it now.
/* kdbusfs */
It was pointed out to me that kdbusfs - which is conceptually closely
related to binderfs - also allowed users to get a private kdbusfs instance
in the same IPC namespace by making each mount of kdbusfs a separate
instance. I think that makes a lot of sense.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit b6c770d7c9)
Change-Id: I7e341524f625802429f89966d9edf9cab9ca59f3
Signed-off-by: Hridya Valsaraju <hridya@google.com>
The binderfs filesystem never needs to be mounted by the kernel itself.
This is conceptually wrong and should never have been done in the first
place.
Fixes: 3ad20fe393 ("binder: implement binderfs")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit fdd94acd50d607cf6a971455307e711fd8ee16e)
Change-Id: Ife722830ecb64ab75ccdd012043864ae1b10d792
Signed-off-by: Hridya Valsaraju <hridya@google.com>
As discussed at Linux Plumbers Conference 2018 in Vancouver [1] this is the
implementation of binderfs.
/* Abstract */
binderfs is a backwards-compatible filesystem for Android's binder ipc
mechanism. Each ipc namespace will mount a new binderfs instance. Mounting
binderfs multiple times at different locations in the same ipc namespace
will not cause a new super block to be allocated and hence it will be the
same filesystem instance.
Each new binderfs mount will have its own set of binder devices only
visible in the ipc namespace it has been mounted in. All devices in a new
binderfs mount will follow the scheme binder%d and numbering will always
start at 0.
/* Backwards compatibility */
Devices requested in the Kconfig via CONFIG_ANDROID_BINDER_DEVICES for the
initial ipc namespace will work as before. They will be registered via
misc_register() and appear in the devtmpfs mount. Specifically, the
standard devices binder, hwbinder, and vndbinder will all appear in their
standard locations in /dev. Mounting or unmounting the binderfs mount in
the initial ipc namespace will have no effect on these devices, i.e. they
will neither show up in the binderfs mount nor will they disappear when the
binderfs mount is gone.
/* binder-control */
Each new binderfs instance comes with a binder-control device. No other
devices will be present at first. The binder-control device can be used to
dynamically allocate binder devices. All requests operate on the binderfs
mount the binder-control device resides in.
Assuming a new instance of binderfs has been mounted at /dev/binderfs
via mount -t binderfs binderfs /dev/binderfs, a request to create a
new binder device can be made as illustrated in [2].
Binderfs devices can simply be removed via unlink().
/* Implementation details */
- dynamic major number allocation:
When binderfs is registered as a new filesystem it will dynamically
allocate a new major number. The allocated major number will be returned
in struct binderfs_device when a new binder device is allocated.
- global minor number tracking:
Minors are tracked in a global idr struct that is capped at
BINDERFS_MAX_MINOR. The minor number tracker is protected by a global
mutex. This is the only point of contention between binderfs mounts.
- struct binderfs_info:
Each binderfs super block has its own struct binderfs_info that tracks
specific details about a binderfs instance:
- ipc namespace
- dentry of the binder-control device
- root uid and root gid of the user namespace the binderfs instance
was mounted in
- mountable by user namespace root:
binderfs can be mounted by user namespace root in a non-initial user
namespace. The devices will be owned by user namespace root.
- binderfs binder devices without misc infrastructure:
New binder devices associated with a binderfs mount do not use the
full misc_register() infrastructure.
The misc_register() infrastructure can only create new devices in the
host's devtmpfs mount. binderfs does however only make devices appear
under its own mountpoint and thus allocates new character device nodes
from the inode of the root dentry of the super block. This will have
the side-effect that binderfs specific device nodes do not appear in
sysfs. This behavior is similar to devpts allocated pts devices and
has no effect on the functionality of the ipc mechanism itself.
[1]: https://goo.gl/JL2tfX
[2]: program to allocate a new binderfs binder device:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/android/binder_ctl.h>

int main(int argc, char *argv[])
{
	int fd, ret, saved_errno;
	size_t len;
	struct binderfs_device device = { 0 };

	/* argv[1] is the name of the device to create, e.g. "binder0". */
	if (argc < 2)
		exit(EXIT_FAILURE);

	/* device.name holds BINDERFS_MAX_NAME bytes plus a terminating NUL. */
	len = strlen(argv[1]);
	if (len > BINDERFS_MAX_NAME)
		exit(EXIT_FAILURE);

	memcpy(device.name, argv[1], len);

	/* All requests operate on the binderfs mount binder-control lives in. */
	fd = open("/dev/binderfs/binder-control", O_RDONLY | O_CLOEXEC);
	if (fd < 0) {
		printf("%s - Failed to open binder-control device\n",
		       strerror(errno));
		exit(EXIT_FAILURE);
	}

	/* The kernel fills in the allocated major and minor on success. */
	ret = ioctl(fd, BINDER_CTL_ADD, &device);
	saved_errno = errno;
	close(fd);
	errno = saved_errno;
	if (ret < 0) {
		printf("%s - Failed to allocate new binder device\n",
		       strerror(errno));
		exit(EXIT_FAILURE);
	}

	printf("Allocated new binder device with major %d, minor %d, and "
	       "name %s\n", device.major, device.minor,
	       device.name);

	exit(EXIT_SUCCESS);
}
Cc: Martijn Coenen <maco@android.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 136497735
(cherry picked from commit 3ad20fe393)
Change-Id: I145af9b0bc25b3a59a4f663c9e926889c2b41d18
Signed-off-by: Hridya Valsaraju <hridya@google.com>
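Added example, not code from any of the binderfs commits above: a small userspace helper that drives the binder-control interface described in this commit and exercises the per-instance max=<count> limit from the commit above. It allocates devices until the kernel refuses, removes them again with unlink(), and spells the UAPI struct and ioctl out inline so it builds without the kernel header. The default mount path /dev/binderfs, the name checks, and the expectation that a refused allocation surfaces as ENOSPC are this example's own assumptions.

```c
/* Added example, not from the binderfs commits: allocate binder devices on a
 * binderfs mount until the per-instance limit refuses, then remove them. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Mirrors the UAPI definitions so this builds without <linux/android/binder_ctl.h>. */
#define BINDERFS_MAX_NAME 255

struct binderfs_device {
	char name[BINDERFS_MAX_NAME + 1];
	uint32_t major;
	uint32_t minor;
};

#define BINDER_CTL_ADD _IOWR('b', 1, struct binderfs_device)

/* Checks this example applies before asking the kernel (its own policy, not the
 * driver's): non-empty, fits the name field, no path separator, and not the
 * control device's own name. */
static int binderfs_name_ok(const char *name)
{
	size_t len = strlen(name);

	if (len == 0 || len > BINDERFS_MAX_NAME)
		return 0;
	if (strchr(name, '/') || strcmp(name, "binder-control") == 0)
		return 0;
	return 1;
}

/* Ask binder-control at ctl_path for a device called name. Returns 0 with
 * *dev filled in (the kernel assigns major/minor), or -1 with errno set. */
static int binderfs_add(const char *ctl_path, const char *name,
			struct binderfs_device *dev)
{
	int fd, ret, saved_errno;

	if (!binderfs_name_ok(name)) {
		errno = EINVAL;
		return -1;
	}
	memset(dev, 0, sizeof(*dev));
	memcpy(dev->name, name, strlen(name));

	fd = open(ctl_path, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;
	ret = ioctl(fd, BINDER_CTL_ADD, dev);
	saved_errno = errno;	/* close() must not clobber the ioctl errno */
	close(fd);
	errno = saved_errno;
	return ret < 0 ? -1 : 0;
}

/* binderfs devices are removed simply by unlinking their node. */
static int binderfs_remove(const char *mnt, const char *name)
{
	char path[PATH_MAX];

	if (!binderfs_name_ok(name)) {
		errno = EINVAL;
		return -1;
	}
	snprintf(path, sizeof(path), "%s/%s", mnt, name);
	return unlink(path);
}

/* Allocate prefix0..prefix(want-1) until the kernel refuses. This example
 * assumes the max=<count> limit (and an exhausted minor space) shows up as
 * ENOSPC; any other error aborts with -1. Returns the number created. */
static int binderfs_fill(const char *mnt, const char *prefix, int want,
			 int *hit_limit)
{
	char ctl[PATH_MAX], name[BINDERFS_MAX_NAME + 1];
	struct binderfs_device dev;
	int i;

	*hit_limit = 0;
	snprintf(ctl, sizeof(ctl), "%s/binder-control", mnt);
	for (i = 0; i < want; i++) {
		snprintf(name, sizeof(name), "%s%d", prefix, i);
		if (binderfs_add(ctl, name, &dev) < 0) {
			if (errno == ENOSPC) {
				*hit_limit = 1;
				break;
			}
			return -1;
		}
		printf("%s: %u:%u\n", dev.name, dev.major, dev.minor);
	}
	return i;
}

int main(int argc, char *argv[])
{
	const char *mnt = argc > 1 ? argv[1] : "/dev/binderfs";	/* assumed mount point */
	char name[BINDERFS_MAX_NAME + 1];
	int n, limit;

	n = binderfs_fill(mnt, "binder", 4, &limit);
	if (n < 0) {
		perror("binder-control");
		return 1;
	}
	printf("created %d device(s)%s\n", n,
	       limit ? ", per-instance max reached" : "");
	while (n-- > 0) {
		snprintf(name, sizeof(name), "binder%d", n);
		if (binderfs_remove(mnt, name) < 0)
			perror(name);
	}
	return 0;
}
```

Run it against a mount created with, for instance, mount -t binder -o max=2 binder /dev/binderfs: the third request is refused and the program reports that the per-instance limit was reached, then unlinks what it created. Against an ordinary directory it fails at open() with ENOENT, which is the case the checks below can exercise without a binderfs mount.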
We already have the DEFINE_SHOW_ATTRIBUTE. There is no need to define
such a macro, so remove BINDER_DEBUG_ENTRY.
Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Reviewed-by: Joey Pabalinas <joeypabalinas@gmail.com>
Acked-by: Todd Kjos <tkjos@android.com>
Bug: 136497735
(cherry picked from commit c13e0a5288)
Change-Id: I48ef17510ea0e252f747a864bd1e98951b0a81ba
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Merge 4.19.85 into android-4.19
Changes in 4.19.85
KVM: x86: introduce is_pae_paging
MIPS: BCM63XX: fix switch core reset on BCM6368
scsi: core: Handle drivers which set sg_tablesize to zero
ax88172a: fix information leak on short answers
ipmr: Fix skb headroom in ipmr_get_route().
net: gemini: add missed free_netdev
net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules
slip: Fix memory leak in slip_open error path
ALSA: usb-audio: Fix missing error check at mixer resolution test
ALSA: usb-audio: not submit urb for stopped endpoint
ALSA: usb-audio: Fix incorrect NULL check in create_yamaha_midi_quirk()
ALSA: usb-audio: Fix incorrect size check for processing/extension units
Btrfs: fix log context list corruption after rename exchange operation
Input: ff-memless - kill timer in destroy()
Input: synaptics-rmi4 - fix video buffer size
Input: synaptics-rmi4 - disable the relative position IRQ in the F12 driver
Input: synaptics-rmi4 - do not consume more data than we have (F11, F12)
Input: synaptics-rmi4 - clear IRQ enables for F54
Input: synaptics-rmi4 - destroy F54 poller workqueue when removing
IB/hfi1: Ensure full Gen3 speed in a Gen4 system
IB/hfi1: Use a common pad buffer for 9B and 16B packets
i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present
ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable
ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either
net: ethernet: dwmac-sun8i: Use the correct function in exit path
iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros
mm: mempolicy: fix the wrong return value and potential pages leak of mbind
mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm()
mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup()
mmc: sdhci-of-at91: fix quirk2 overwrite
iio: adc: max9611: explicitly cast gain_selectors
tee: optee: take DT status property into account
ath10k: fix kernel panic by moving pci flush after napi_disable
iio: dac: mcp4922: fix error handling in mcp4922_write_raw
clk: sunxi-ng: h6: fix PWM gate/reset offset
soundwire: Initialize completion for defer messages
soundwire: intel: Fix uninitialized adev deref
arm64: dts: allwinner: a64: Orange Pi Win: Fix SD card node
arm64: dts: allwinner: a64: Olinuxino: fix DRAM voltage
arm64: dts: allwinner: a64: NanoPi-A64: Fix DCDC1 voltage
ALSA: pcm: signedness bug in snd_pcm_plug_alloc()
soc/tegra: pmc: Fix pad voltage configuration for Tegra186
arm64: dts: tegra210-p2180: Correct sdmmc4 vqmmc-supply
y2038: make do_gettimeofday() and get_seconds() inline
ARM: dts: rcar: Correct SATA device sizes to 2 MiB
ARM: dts: at91/trivial: Fix USART1 definition for at91sam9g45
rtc: sysfs: fix NULL check in rtc_add_groups()
rtc: rv8803: fix the rv8803 id in the OF table
remoteproc/davinci: Use %zx for formating size_t
extcon: cht-wc: Return from default case to avoid warnings
cfg80211: Avoid regulatory restore when COUNTRY_IE_IGNORE is set
ALSA: seq: Do error checks at creating system ports
ath10k: skip resetting rx filter for WCN3990
ath9k: fix tx99 with monitor mode interface
wil6210: drop Rx multicast packets that are looped-back to STA
wil6210: set edma variables only for Talyn-MB devices
wil6210: prevent usage of tx ring 0 for eDMA
wil6210: fix invalid memory access for rx_buff_mgmt debugfs
ath10k: limit available channels via DT ieee80211-freq-limit
ice: Update request resource command to latest specification
ice: Prevent control queue operations during reset
gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated
ice: Fix and update driver version string
ASoC: dapm: Don't fail creating new DAPM control on NULL pinctrl
ASoC: dpcm: Properly initialise hw->rate_max
ASoC: meson: axg-fifo: report interrupt request failure
ASoC: AMD: Change MCLK to 48Mhz
pinctrl: ingenic: Probe driver at subsys_initcall
MIPS: BCM47XX: Enable USB power on Netgear WNDR3400v3
ARM: dts: exynos: Use i2c-gpio for HDMI-DDC on Arndale
ARM: dts: exynos: Fix HDMI-HPD line handling on Arndale
ARM: dts: exynos: Fix sound in Snow-rev5 Chromebook
liquidio: fix race condition in instruction completion processing
arm64: dts: stratix10: i2c clock running out of spec
ARM: dts: exynos: Fix regulators configuration on Peach Pi/Pit Chromebooks
i40evf: Validate the number of queues a PF sends
i40e: use correct length for strncpy
i40evf: set IFF_UNICAST_FLT flag for the VF
i40e: Check and correct speed values for link on open
i40evf: Don't enable vlan stripping when rx offload is turned on
i40e: hold the rtnl lock on clearing interrupt scheme
i40evf: cancel workqueue sync for adminq when a VF is removed
i40e: Prevent deleting MAC address from VF when set by PF
IB/rxe: avoid back-to-back retries
IB/rxe: fixes for rdma read retry
iwlwifi: drop packets with bad status in CD
iwlwifi: don't WARN on trying to dump dead firmware
iwlwifi: mvm: avoid sending too many BARs
media: vicodec: fix out-of-range values when decoding
media: i2c: Fix pm_runtime_get_if_in_use() usage in sensor drivers
media: ov772x: Disable clk on error path
ARM: dts: pxa: fix the rtc controller
ARM: dts: pxa: fix power i2c base address
rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument
mwifiex: do no submit URB in suspended state
mwifex: free rx_cmd skb in suspended state
brcmfmac: fix wrong strnchr usage
mt76: Fix comparisons with invalid hardware key index
soc: imx: gpc: fix PDN delay
ASoC: rsnd: ssi: Fix issue in dma data address assignment
net: hns3: Fix for multicast failure
net: hns3: Fix error of checking used vlan id
net: hns3: Fix for loopback selftest failed problem
net: hns3: Change the dst mac addr of loopback packet
net/mlx5: Fix atomic_mode enum values
net: phy: mscc: read 'vsc8531,vddmac' as an u32
net: phy: mscc: read 'vsc8531, edge-slowdown' as an u32
ARM: dts: meson8: fix the clock controller register size
ARM: dts: meson8b: fix the clock controller register size
mtd: rawnand: marvell: use regmap_update_bits() for syscon access
mtd: rawnand: fsl_ifc: check result of SRAM initialization
mtd: rawnand: fsl_ifc: fixup SRAM init for newer ctrl versions
mtd: rawnand: qcom: don't include dma-direct.h
IB/mlx5: Change TX affinity assignment in RoCE LAG mode
qxl: fix null-pointer crash during suspend
mac80211: fix saving a few HE values
cfg80211: validate wmm rule when setting
f2fs: avoid wrong decrypted data from disk
net: lan78xx: Bail out if lan78xx_get_endpoints fails
rtnetlink: move type calculation out of loop
ASoC: sgtl5000: avoid division by zero if lo_vag is zero
ath10k: avoid possible memory access violation
ARM: dts: exynos: Disable pull control for S5M8767 PMIC
ath10k: wmi: disable softirq's while calling ieee80211_rx
i2c: mediatek: Use DMA safe buffers for i2c transactions
IB/mlx5: Don't hold spin lock while checking device state
IB/ipoib: Ensure that MTU isn't less than minimum permitted
RDMA/core: Rate limit MAD error messages
RDMA/core: Follow correct unregister order between sysfs and cgroup
mips: txx9: fix iounmap related issue
udf: Fix crash during mount
ASoC: dapm: Avoid uninitialised variable warning
ASoC: Intel: hdac_hdmi: Limit sampling rates at dai creation
ata: Disable AHCI ALPM feature for Ampere Computing eMAG SATA
of: make PowerMac cache node search conditional on CONFIG_PPC_PMAC
ARM: dts: omap3-gta04: give spi_lcd node a label so that we can overwrite in other DTS files
ARM: dts: omap3-gta04: fixes for tvout / venc
ARM: dts: omap3-gta04: tvout: enable as display1 alias
ARM: dts: omap3-gta04: fix touchscreen tsc2007
ARM: dts: omap3-gta04: make NAND partitions compatible with recent U-Boot
ARM: dts: omap3-gta04: keep vpll2 always on
f2fs: submit bio after shutdown
failover: Fix error return code in net_failover_create
sched/debug: Explicitly cast sched_feat() to bool
sched/debug: Use symbolic names for task state constants
firmware: arm_scmi: use strlcpy to ensure NULL-terminated strings
arm64: dts: rockchip: Fix VCC5V0_HOST_EN on rk3399-sapphire
ARM: dts: exynos: Disable pull control for PMIC IRQ line on Artik5 board
usb: mtu3: disable vbus rise/fall interrupts of ltssm
dmaengine: dma-jz4780: Don't depend on MACH_JZ4780
dmaengine: dma-jz4780: Further residue status fix
EDAC, sb_edac: Return early on ADDRV bit and address type test
rtc: mt6397: fix possible race condition
rtc: pl030: fix possible race condition
ath9k: add back support for using active monitor interfaces for tx99
dmaengine: at_xdmac: remove a stray bottom half unlock
RDMA/hns: Fix an error code in hns_roce_v2_init_eq_table()
IB/hfi1: Missing return value in error path for user sdma
signal: Always ignore SIGKILL and SIGSTOP sent to the global init
signal: Properly deliver SIGILL from uprobes
signal: Properly deliver SIGSEGV from x86 uprobes
f2fs: fix memory leak of write_io in fill_super()
f2fs: fix memory leak of percpu counter in fill_super()
f2fs: fix setattr project check upon fssetxattr ioctl
scsi: qla2xxx: Use correct qpair for ABTS/CMD
scsi: qla2xxx: Fix iIDMA error
scsi: qla2xxx: Defer chip reset until target mode is enabled
scsi: qla2xxx: Terminate Plogi/PRLI if WWN is 0
scsi: qla2xxx: Fix deadlock between ATIO and HW lock
scsi: qla2xxx: Increase abort timeout value
scsi: qla2xxx: Check for Register disconnect
scsi: qla2xxx: Fix port speed display on chip reset
scsi: qla2xxx: Fix dropped srb resource.
scsi: qla2xxx: Fix duplicate switch's Nport ID entries
scsi: lpfc: Fix GFT_ID and PRLI logic for RSCN
scsi: lpfc: Correct invalid EQ doorbell write on if_type=6
scsi: lpfc: Fix errors in log messages.
scsi: sym53c8xx: fix NULL pointer dereference panic in sym_int_sir()
ARM: imx6: register pm_power_off handler if "fsl,pmic-stby-poweroff" is set
scsi: pm80xx: Corrected dma_unmap_sg() parameter
scsi: pm80xx: Fixed system hang issue during kexec boot
kprobes: Don't call BUG_ON() if there is a kprobe in use on free list
net: aquantia: fix hw_atl_utils_fw_upload_dwords
Drivers: hv: vmbus: Fix synic per-cpu context initialization
nvmem: core: return error code instead of NULL from nvmem_device_get
media: dt-bindings: adv748x: Fix decimal unit addresses
ALSA: hda: Fix implicit definition of pci_iomap() on SH
media: fix: media: pci: meye: validate offset to avoid arbitrary access
media: dvb: fix compat ioctl translation
net: bcmgenet: Fix speed selection for reverse MII
arm64: dts: meson: libretech: update board model
arm64: dts: meson-axg: use the proper compatible for ethmac
ALSA: intel8x0m: Register irq handler after register initializations
arm64: dts: renesas: salvator-common: adv748x: Override secondary addresses
arm64: dts: renesas: r8a77965: Attach the SYS-DMAC to the IPMMU
arm64: dts: renesas: r8a77965: Fix HS-USB compatible
arm64: dts: renesas: r8a77965: Fix clock/reset for usb2_phy1
pinctrl: at91-pio4: fix has_config check in atmel_pctl_dt_subnode_to_map()
llc: avoid blocking in llc_sap_close()
ARM: dts: qcom: ipq4019: fix cpu0's qcom,saw2 reg value
soc: qcom: geni: Don't ignore clk_round_rate() errors in geni_se_clk_tbl_get()
soc: qcom: geni: geni_se_clk_freq_match() should always accept multiples
soc: qcom: wcnss_ctrl: Avoid string overflow
soc: qcom: apr: Avoid string overflow
drivers: qcom: rpmh-rsc: clear wait_for_compl after use
arm64: dts: broadcom: Fix I2C and SPI bus warnings
ARM: dts: bcm: Fix SPI bus warnings
ARM: dts: aspeed: Fix I2C bus warnings
powerpc/vdso: Correct call frame information
ARM: dts: socfpga: Fix I2C bus unit-address error
ARM: dts: sunxi: Fix I2C bus warnings
pinctrl: at91: don't use the same irqchip with multiple gpiochips
ARM: dts: sun9i: Fix I2C bus warnings
android: binder: no outgoing transaction when thread todo has transaction
cxgb4: Fix endianness issue in t4_fwcache()
arm64: fix for bad_mode() handler to always result in panic
block, bfq: inject other-queue I/O into seeky idle queues on NCQ flash
blok, bfq: do not plug I/O if all queues are weight-raised
arm64: dts: meson: Fix erroneous SPI bus warnings
power: supply: ab8500_fg: silence uninitialized variable warnings
power: reset: at91-poweroff: do not procede if at91_shdwc is allocated
power: supply: max8998-charger: Fix platform data retrieval
component: fix loop condition to call unbind() if bind() fails
kernfs: Fix range checks in kernfs_get_target_path
ip_gre: fix parsing gre header in ipgre_err
scsi: ufshcd: Fix NULL pointer dereference for in ufshcd_init
ARM: dts: rockchip: Fix erroneous SPI bus dtc warnings on rk3036
arm64: dts: rockchip: Fix I2C bus unit-address error on rk3399-puma-haikou
ACPI / LPSS: Exclude I2C busses shared with PUNIT from pmc_atom_d3_mask
netfilter: nf_tables: avoid BUG_ON usage
ath9k: Fix a locking bug in ath9k_add_interface()
s390/qeth: uninstall IRQ handler on device removal
s390/qeth: invoke softirqs after napi_schedule()
media: vsp1: Fix vsp1_regs.h license header
media: vsp1: Fix YCbCr planar formats pitch calculation
media: ov2680: don't register the v4l2 subdevice before checking chip ID
PCI/ACPI: Correct error message for ASPM disabling
net: socionext: Fix two sleep-in-atomic-context bugs in ave_rxfifo_reset()
PCI: mediatek: Fix unchecked return value
ARM: dts: xilinx: Fix I2C and SPI bus warnings
serial: uartps: Fix suspend functionality
serial: samsung: Enable baud clock for UART reset procedure in resume
serial: mxs-auart: Fix potential infinite loop
tty: serial: qcom_geni_serial: Fix serial when not used as console
arm64: dts: ti: k3-am65: Change #address-cells and #size-cells of interconnect to 2
samples/bpf: fix a compilation failure
spi/bcm63xx-hsspi: keep pll clk enabled
spi: mediatek: Don't modify spi_transfer when transfer.
ASoC: rt5682: Fix the boost volume at the begining of playback
ipmi_si_pci: fix NULL device in ipmi_si error message
ipmi_si: fix potential integer overflow on large shift
ipmi:dmi: Ignore IPMI SMBIOS entries with a zero base address
ipmi: fix return value of ipmi_set_my_LUN
net: hns3: fix return type of ndo_start_xmit function
net: cavium: fix return type of ndo_start_xmit function
net: ibm: fix return type of ndo_start_xmit function
powerpc/iommu: Avoid derefence before pointer check
selftests/powerpc: Do not fail with reschedule
powerpc/64s/hash: Fix stab_rr off by one initialization
powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request
powerpc/pseries: Disable CPU hotplug across migrations
powerpc: Fix duplicate const clang warning in user access code
RDMA/i40iw: Fix incorrect iterator type
ARM: dts: atmel: Fix I2C and SPI bus warnings
OPP: Protect dev_list with opp_table lock
of/unittest: Fix I2C bus unit-address error
libfdt: Ensure INT_MAX is defined in libfdt_env.h
power: supply: twl4030_charger: fix charging current out-of-bounds
power: supply: twl4030_charger: disable eoc interrupt on linear charge
net: mvpp2: fix the number of queues per cpu for PPv2.2
net: marvell: fix return type of ndo_start_xmit function
net: toshiba: fix return type of ndo_start_xmit function
net: xilinx: fix return type of ndo_start_xmit function
net: broadcom: fix return type of ndo_start_xmit function
net: amd: fix return type of ndo_start_xmit function
net: sun: fix return type of ndo_start_xmit function
net: hns3: Fix for setting speed for phy failed problem
net: hns3: Fix cmdq registers initialization issue for vf
net: hns3: Clear client pointer when initialize client failed or unintialize finished
net: hns3: Fix client initialize state issue when roce client initialize failed
net: hns3: Fix parameter type for q_id in hclge_tm_q_to_qs_map_cfg()
nfp: provide a better warning when ring allocation fails
usb: chipidea: imx: enable OTG overcurrent in case USB subsystem is already started
usb: chipidea: Fix otg event handler
usb: usbtmc: Fix ioctl USBTMC_IOCTL_ABORT_BULK_OUT
s390/zcrypt: enable AP bus scan without a valid default domain
s390/vdso: avoid 64-bit vdso mapping for compat tasks
s390/vdso: correct CFI annotations of vDSO functions
brcmfmac: increase buffer for obtaining firmware capabilities
brcmsmac: Use kvmalloc() for ucode allocations
mlxsw: spectrum: Init shaper for TCs 8..15
PCI: portdrv: Initialize service drivers directly
ARM: dts: am335x-evm: fix number of cpsw
ARM: dts: ti: Fix SPI and I2C bus warnings
f2fs: avoid infinite loop in f2fs_alloc_nid
f2fs: fix to recover inode's uid/gid during POR
ARM: dts: ux500: Correct SCU unit address
ARM: dts: ux500: Fix LCDA clock line muxing
ARM: dts: ste: Fix SPI controller node names
spi: pic32: Use proper enum in dmaengine_prep_slave_rg
crypto: chacha20 - Fix chacha20_block() keystream alignment (again)
cpufeature: avoid warning when compiling with clang
crypto: arm/crc32 - avoid warning when compiling with Clang
ARM: dts: marvell: Fix SPI and I2C bus warnings
x86/mce-inject: Reset injection struct after injection
ARM: dts: stm32: enable display on stm32mp157c-ev1 board
ARM: dts: clearfog: fix sdhci supply property name
ARM: dts: stm32: Fix SPI controller node names
bnx2x: Ignore bandwidth attention in single function mode
PCI/AER: Take reference on error devices
PCI/AER: Don't read upstream ports below fatal errors
PCI/ERR: Use slot reset if available
samples/bpf: fix compilation failure
net: phy: mdio-bcm-unimac: Allow configuring MDIO clock divider
net: micrel: fix return type of ndo_start_xmit function
net: freescale: fix return type of ndo_start_xmit function
x86/CPU: Use correct macros for Cyrix calls
x86/CPU: Change query logic so CPUID is enabled before testing
EDAC: Correct DIMM capacity unit symbol
MIPS: kexec: Relax memory restriction
arm64: dts: rockchip: Fix microSD in rk3399 sapphire board
mlxsw: Make MLXSW_SP1_FWREV_MINOR a hard requirement
media: imx: work around false-positive warning, again
media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init()
media: au0828: Fix incorrect error messages
media: davinci: Fix implicit enum conversion warning
ARM: dts: rockchip: explicitly set vcc_sd0 pin to gpio on rk3188-radxarock
usb: gadget: uvc: configfs: Drop leaked references to config items
usb: gadget: uvc: configfs: Prevent format changes after linking header
usb: gadget: uvc: configfs: Sort frame intervals upon writing
ARM: dts: exynos: Correct audio subsystem parent clock on Peach Chromebooks
i2c: aspeed: fix invalid clock parameters for very large divisors
gpiolib: Fix gpio_direction_* for single direction GPIOs
ARM: at91: pm: call put_device instead of of_node_put in at91_pm_config_ws
phy: brcm-sata: allow PHY_BRCM_SATA driver to be built for DSL SoCs
phy: renesas: rcar-gen3-usb2: fix vbus_ctrl for role sysfs
phy: phy-twl4030-usb: fix denied runtime access
ARM: dts: imx6ull: update vdd_soc voltage for 900MHz operating point
usb: gadget: uvc: Factor out video USB request queueing
usb: gadget: uvc: Only halt video streaming endpoint in bulk mode
coresight: Use ERR_CAST instead of ERR_PTR
coresight: Fix handling of sinks
coresight: perf: Fix per cpu path management
coresight: perf: Disable trace path upon source error
coresight: tmc-etr: Handle driver mode specific ETR buffers
coresight: etm4x: Configure EL2 exception level when kernel is running in HYP
coresight: tmc: Fix byte-address alignment for RRP
coresight: dynamic-replicator: Handle multiple connections
slimbus: ngd: register ngd driver only once.
slimbus: ngd: return proper error code instead of zero
silmbus: ngd: register controller after power up.
misc: kgdbts: Fix restrict error
misc: genwqe: should return proper error value.
vmbus: keep pointer to ring buffer page
vfio/pci: Fix potential memory leak in vfio_msi_cap_len
vfio/pci: Mask buggy SR-IOV VF INTx support
iw_cxgb4: Use proper enumerated type in c4iw_bar2_addrs
scsi: libsas: always unregister the old device if going to discover new
f2fs: fix remount problem of option io_bits
phy: lantiq: Fix compile warning
arm64: dts: fsl: Fix I2C and SPI bus warnings
ARM: dts: imx51-zii-rdu1: Fix the rtc compatible string
arm64: tegra: I2C on Tegra194 is not compatible with Tegra114
ARM: dts: tegra30: fix xcvr-setup-use-fuses
ARM: dts: tegra20: restore address order
ARM: tegra: apalis_t30: fix mmc1 cmd pull-up
ARM: tegra: apalis_t30: fix mcp2515 can controller interrupt polarity
ARM: tegra: colibri_t30: fix mcp2515 can controller interrupt polarity
ARM: dts: paz00: fix wakeup gpio keycode
net: smsc: fix return type of ndo_start_xmit function
net: faraday: fix return type of ndo_start_xmit function
PCI/ERR: Run error recovery callbacks for all affected devices
f2fs: update i_size after DIO completion
f2fs: fix to recover inode's project id during POR
f2fs: mark inode dirty explicitly in recover_inode()
RDMA: Fix dependencies for rdma_user_mmap_io
EDAC: Raise the maximum number of memory controllers
ARM: dts: realview: Fix SPI controller node names
firmware: dell_rbu: Make payload memory uncachable
Bluetooth: hci_serdev: clear HCI_UART_PROTO_READY to avoid closing proto races
Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS
Bluetooth: btrsi: fix bt tx timeout issue
x86/hyperv: Suppress "PCI: Fatal: No config space access function found"
crypto: s5p-sss: Fix race in error handling
crypto: s5p-sss: Fix Fix argument list alignment
crypto: fix a memory leak in rsa-kcs1pad's encryption mode
iwlwifi: dbg: don't crash if the firmware crashes in the middle of a debug dump
iwlwifi: fix non_shared_ant for 22000 devices
iwlwifi: pcie: read correct prph address for newer devices
iwlwifi: api: annotate compressed BA notif array sizes
iwlwifi: pcie: gen2: build A-MSDU only for GSO
iwlwifi: pcie: fit reclaim msg to MAX_MSG_LEN
iwlwifi: mvm: use correct FIFO length
iwlwifi: mvm: Allow TKIP for AP mode
scsi: NCR5380: Clear all unissued commands on host reset
scsi: NCR5380: Have NCR5380_select() return a bool
scsi: NCR5380: Withhold disconnect privilege for REQUEST SENSE
scsi: NCR5380: Use DRIVER_SENSE to indicate valid sense data
scsi: NCR5380: Check for invalid reselection target
scsi: NCR5380: Don't clear busy flag when abort fails
scsi: NCR5380: Don't call dsprintk() following reselection interrupt
scsi: NCR5380: Handle BUS FREE during reselection
scsi: NCR5380: Check for bus reset
arm64: dts: amd: Fix SPI bus warnings
arm64: dts: lg: Fix SPI controller node names
ARM: dts: lpc32xx: Fix SPI controller node names
rtc: isl1208: avoid possible sysfs race
rtc: tx4939: fixup nvmem name and register size
rtc: armada38x: fix possible race condition
netfilter: masquerade: don't flush all conntracks if only one address deleted on device
usb: xhci-mtk: fix ISOC error when interval is zero
usb: usbtmc: uninitialized symbol 'actual' in usbtmc_ioctl_clear
fuse: use READ_ONCE on congestion_threshold and max_background
IB/iser: Fix possible NULL deref at iser_inv_desc()
media: ov2680: fix null dereference at power on
s390/vdso: correct vdso mapping for compat tasks
net: phy: mdio-bcm-unimac: mark PM functions as __maybe_unused
memfd: Use radix_tree_deref_slot_protected to avoid the warning.
slcan: Fix memory leak in error path
Linux 4.19.85
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I0857e66ee2cdd412cd736548a1395bf764a8ab0a
[ Upstream commit 44b73962cb ]
When a process dies, a failed reply is sent to the sender of any transaction
queued on a dead thread's todo list. The sender asserts that the
received failed reply corresponds to the head of the transaction stack.
This assert can fail if the dead thread is allowed to send outgoing
transactions when there is already a transaction on its todo list,
because this new transaction can end up on the transaction stack of the
original sender. The following steps illustrate how this assertion can
fail.
1. Thread1 sends txn19 to Thread2
(T1->transaction_stack=txn19, T2->todo+=txn19)
2. Without processing todo list, Thread2 sends txn20 to Thread1
(T1->todo+=txn20, T2->transaction_stack=txn20)
3. T1 processes txn20 on its todo list
(T1->transaction_stack=txn20->txn19, T1->todo=<empty>)
4. T2 dies, T2->todo cleanup attempts to send failed reply for txn19, but
T1->transaction_stack points to txn20 -- assertion fails
Step 2. is the incorrect behavior. When there is a transaction on a
thread's todo list, this thread should not be able to send any outgoing
synchronous transactions. Only the head of the todo list needs to be
checked because only threads that are waiting for proc work can directly
receive work from another thread, and no work is allowed to be queued
on such a thread without waking up the thread. This patch also enforces
that a thread is not waiting for proc work when a work is directly
enqueued to its todo list.
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Sherry Yang <sherryy@android.com>
Reviewed-by: Martijn Coenen <maco@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
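As an added illustration, not part of the commit or of the binder driver, the following constructed user-space C model replays the four steps above. It keeps a transaction stack and a todo list per thread and runs the dead-thread cleanup twice: with the patch's rule (no outgoing synchronous transaction while work is on the todo list) switched off, the sender's stack-head assertion fails; with it on, the assertion holds. All names here (struct bthread, struct txn, send_txn, run_scenario) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the bookkeeping described in the commit message.
 * Names are hypothetical, not the binder driver's; the rules encoded are:
 *  - a sender pushes an outgoing txn on its own transaction_stack and
 *    queues it on the target's todo list;
 *  - a thread that consumes a txn from its todo list pushes that txn on
 *    its own transaction_stack (it has to reply to it later);
 *  - when a thread dies, every txn still on its todo list gets a failed
 *    reply, and the sender expects that txn at the head of its stack.
 */
#define MAX_TODO 8

struct txn {
	int id;
	int sender;              /* index of the sending thread */
	struct txn *from_parent; /* next entry down the sender's stack */
	struct txn *to_parent;   /* next entry down the receiver's stack */
};

struct bthread {
	int id;
	struct txn *transaction_stack;
	struct txn *todo[MAX_TODO];
	int todo_len;
};

/* Send a synchronous transaction. With enforce_todo_rule set, a thread that
 * still has work on its todo list is refused (the rule the patch adds). */
static bool send_txn(struct bthread *src, struct bthread *dst, struct txn *t,
		     bool enforce_todo_rule)
{
	if (enforce_todo_rule && src->todo_len > 0)
		return false;
	if (dst->todo_len == MAX_TODO)
		return false;
	t->sender = src->id;
	t->from_parent = src->transaction_stack;
	src->transaction_stack = t;
	dst->todo[dst->todo_len++] = t;
	return true;
}

/* Consume the head of the todo list: the incoming txn becomes the head of
 * this thread's transaction stack. */
static void process_todo_head(struct bthread *th)
{
	struct txn *t = th->todo[0];

	memmove(&th->todo[0], &th->todo[1],
		(size_t)(th->todo_len - 1) * sizeof(th->todo[0]));
	th->todo_len--;
	t->to_parent = th->transaction_stack;
	th->transaction_stack = t;
}

/* Dead-thread cleanup: a failed reply for each queued txn. Returns false
 * where the assertion "sender's stack head == txn" would fail. */
static bool cleanup_dead_thread(struct bthread *dead, struct bthread *threads)
{
	for (int i = 0; i < dead->todo_len; i++) {
		struct txn *t = dead->todo[i];
		struct bthread *sender = &threads[t->sender];

		if (sender->transaction_stack != t)
			return false;
		sender->transaction_stack = t->from_parent; /* pop it */
	}
	dead->todo_len = 0;
	return true;
}

/* Replay the four steps from the commit message; returns whether the
 * cleanup assertion holds. */
bool run_scenario(bool enforce_todo_rule)
{
	struct bthread threads[2] = { { .id = 0 }, { .id = 1 } };
	struct bthread *t1 = &threads[0], *t2 = &threads[1];
	struct txn txn19 = { .id = 19 }, txn20 = { .id = 20 };

	send_txn(t1, t2, &txn19, enforce_todo_rule);      /* 1. */
	if (send_txn(t2, t1, &txn20, enforce_todo_rule))  /* 2. */
		process_todo_head(t1);                    /* 3. */
	return cleanup_dead_thread(t2, threads);          /* 4. */
}

int main(void)
{
	printf("without todo check: assertion %s\n",
	       run_scenario(false) ? "holds" : "fails");
	printf("with todo check:    assertion %s\n",
	       run_scenario(true) ? "holds" : "fails");
	return 0;
}
```

Step 2 is where the two runs diverge: refusing the send from a thread with a non-empty todo list keeps txn20 off T1's stack, so txn19 is still at T1's head when T2's cleanup sends the failed reply.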
Merge 4.19.64 into android-4.19
Changes in 4.19.64
hv_sock: Add support for delayed close
vsock: correct removal of socket from the list
NFS: Fix dentry revalidation on NFSv4 lookup
NFS: Refactor nfs_lookup_revalidate()
NFSv4: Fix lookup revalidate of regular files
usb: dwc2: Disable all EP's on disconnect
usb: dwc2: Fix disable all EP's on disconnect
arm64: compat: Provide definition for COMPAT_SIGMINSTKSZ
binder: fix possible UAF when freeing buffer
ISDN: hfcsusb: checking idx of ep configuration
media: au0828: fix null dereference in error path
ath10k: Change the warning message string
media: cpia2_usb: first wake up, then free in disconnect
media: pvrusb2: use a different format for warnings
NFS: Cleanup if nfs_match_client is interrupted
media: radio-raremono: change devm_k*alloc to k*alloc
iommu/vt-d: Don't queue_iova() if there is no flush queue
iommu/iova: Fix compilation error with !CONFIG_IOMMU_IOVA
Bluetooth: hci_uart: check for missing tty operations
vhost: introduce vhost_exceeds_weight()
vhost_net: fix possible infinite loop
vhost: vsock: add weight support
vhost: scsi: add weight support
sched/fair: Don't free p->numa_faults with concurrent readers
sched/fair: Use RCU accessors consistently for ->numa_group
/proc/<pid>/cmdline: remove all the special cases
/proc/<pid>/cmdline: add back the setproctitle() special case
drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
Fix allyesconfig output.
ceph: hold i_ceph_lock when removing caps for freeing inode
block, scsi: Change the preempt-only flag into a counter
scsi: core: Avoid that a kernel warning appears during system resume
ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL
Linux 4.19.64
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3e9055b677bd8ad9d5070307fae0bc765d444e9d
commit a370003cc3 upstream.
There is a race between the binder driver cleaning
up a completed transaction via binder_free_transaction()
and a user calling binder_ioctl(BC_FREE_BUFFER) to
release a buffer. It doesn't matter which is first but
they need to be protected against running concurrently
which can result in a UAF.
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge 4.19.63 into android-4.19
Changes in 4.19.63
hvsock: fix epollout hang from race condition
drm/panel: simple: Fix panel_simple_dsi_probe
iio: adc: stm32-dfsdm: manage the get_irq error case
iio: adc: stm32-dfsdm: missing error case during probe
staging: vt6656: use meaningful error code during buffer allocation
usb: core: hub: Disable hub-initiated U1/U2
tty: max310x: Fix invalid baudrate divisors calculator
pinctrl: rockchip: fix leaked of_node references
tty: serial: cpm_uart - fix init when SMC is relocated
drm/amd/display: Fill prescale_params->scale for RGB565
drm/amdgpu/sriov: Need to initialize the HDP_NONSURFACE_BAStE
drm/amd/display: Disable ABM before destroy ABM struct
drm/amdkfd: Fix a potential memory leak
drm/amdkfd: Fix sdma queue map issue
drm/edid: Fix a missing-check bug in drm_load_edid_firmware()
PCI: Return error if cannot probe VF
drm/bridge: tc358767: read display_props in get_modes()
drm/bridge: sii902x: pixel clock unit is 10kHz instead of 1kHz
gpu: host1x: Increase maximum DMA segment size
drm/crc-debugfs: User irqsafe spinlock in drm_crtc_add_crc_entry
drm/crc-debugfs: Also sprinkle irqrestore over early exits
memstick: Fix error cleanup path of memstick_init
tty/serial: digicolor: Fix digicolor-usart already registered warning
tty: serial: msm_serial: avoid system lockup condition
serial: 8250: Fix TX interrupt handling condition
drm/amd/display: Always allocate initial connector state state
drm/virtio: Add memory barriers for capset cache.
phy: renesas: rcar-gen2: Fix memory leak at error paths
drm/amd/display: fix compilation error
powerpc/pseries/mobility: prevent cpu hotplug during DT update
drm/rockchip: Properly adjust to a true clock in adjusted_mode
serial: imx: fix locking in set_termios()
tty: serial_core: Set port active bit in uart_port_activate
usb: gadget: Zero ffs_io_data
mmc: sdhci: sdhci-pci-o2micro: Check if controller supports 8-bit width
powerpc/pci/of: Fix OF flags parsing for 64bit BARs
drm/msm: Depopulate platform on probe failure
serial: mctrl_gpio: Check if GPIO property exisits before requesting it
PCI: sysfs: Ignore lockdep for remove attribute
i2c: stm32f7: fix the get_irq error cases
kbuild: Add -Werror=unknown-warning-option to CLANG_FLAGS
genksyms: Teach parser about 128-bit built-in types
PCI: xilinx-nwl: Fix Multi MSI data programming
iio: iio-utils: Fix possible incorrect mask calculation
powerpc/cacheflush: fix variable set but not used
powerpc/xmon: Fix disabling tracing while in xmon
recordmcount: Fix spurious mcount entries on powerpc
mfd: madera: Add missing of table registration
mfd: core: Set fwnode for created devices
mfd: arizona: Fix undefined behavior
mfd: hi655x-pmic: Fix missing return value check for devm_regmap_init_mmio_clk
mm/swap: fix release_pages() when releasing devmap pages
um: Silence lockdep complaint about mmap_sem
powerpc/4xx/uic: clear pending interrupt after irq type/pol change
RDMA/i40iw: Set queue pair state when being queried
serial: sh-sci: Terminate TX DMA during buffer flushing
serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
IB/mlx5: Fixed reporting counters on 2nd port for Dual port RoCE
powerpc/mm: Handle page table allocation failures
IB/ipoib: Add child to parent list only if device initialized
arm64: assembler: Switch ESB-instruction with a vanilla nop if !ARM64_HAS_RAS
PCI: mobiveil: Fix PCI base address in MEM/IO outbound windows
PCI: mobiveil: Fix the Class Code field
kallsyms: exclude kasan local symbols on s390
PCI: mobiveil: Initialize Primary/Secondary/Subordinate bus numbers
PCI: mobiveil: Use the 1st inbound window for MEM inbound transactions
perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning
perf stat: Fix use-after-freed pointer detected by the smatch tool
perf top: Fix potential NULL pointer dereference detected by the smatch tool
perf session: Fix potential NULL pointer dereference found by the smatch tool
perf annotate: Fix dereferencing freed memory found by the smatch tool
perf hists browser: Fix potential NULL pointer dereference found by the smatch tool
RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM
PCI: dwc: pci-dra7xx: Fix compilation when !CONFIG_GPIOLIB
powerpc/boot: add {get, put}_unaligned_be32 to xz_config.h
block: init flush rq ref count to 1
f2fs: avoid out-of-range memory access
mailbox: handle failed named mailbox channel request
dlm: check if workqueues are NULL before flushing/destroying
powerpc/eeh: Handle hugepages in ioremap space
block/bio-integrity: fix a memory leak bug
sh: prevent warnings when using iounmap
mm/kmemleak.c: fix check for softirq context
9p: pass the correct prototype to read_cache_page
mm/gup.c: mark undo_dev_pagemap as __maybe_unused
mm/gup.c: remove some BUG_ONs from get_gate_page()
memcg, fsnotify: no oom-kill for remote memcg charging
mm/mmu_notifier: use hlist_add_head_rcu()
proc: use down_read_killable mmap_sem for /proc/pid/smaps_rollup
proc: use down_read_killable mmap_sem for /proc/pid/pagemap
proc: use down_read_killable mmap_sem for /proc/pid/clear_refs
proc: use down_read_killable mmap_sem for /proc/pid/map_files
cxgb4: reduce kernel stack usage in cudbg_collect_mem_region()
proc: use down_read_killable mmap_sem for /proc/pid/maps
locking/lockdep: Fix lock used or unused stats error
mm: use down_read_killable for locking mmap_sem in access_remote_vm
locking/lockdep: Hide unused 'class' variable
usb: wusbcore: fix unbalanced get/put cluster_id
usb: pci-quirks: Correct AMD PLL quirk detection
btrfs: inode: Don't compress if NODATASUM or NODATACOW set
x86/sysfb_efi: Add quirks for some devices with swapped width and height
x86/speculation/mds: Apply more accurate check on hypervisor platform
binder: prevent transactions to context manager from its own process.
fpga-manager: altera-ps-spi: Fix build error
mei: me: add mule creek canyon (EHL) device ids
hpet: Fix division by zero in hpet_time_div()
ALSA: ac97: Fix double free of ac97_codec_device
ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
ALSA: hda - Add a conexant codec entry to let mute led work
powerpc/xive: Fix loop exit-condition in xive_find_target_in_mask()
powerpc/tm: Fix oops on sigreturn on systems without TM
libnvdimm/bus: Stop holding nvdimm_bus_list_mutex over __nd_ioctl()
access: avoid the RCU grace period for the temporary subjective credentials
Linux 4.19.63
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic31529aa6fd283d16d6bfb182187a9402a4db44f
commit 49ed96943a upstream.
Currently, a transaction to context manager from its own process
is prevented by checking if its binder_proc struct is the same as
that of the sender. However, this would not catch cases where the
process opens the binder device again and uses the new fd to send
a transaction to the context manager.
Reported-by: syzbot+8b3c354d33c4ac78bfad@syzkaller.appspotmail.com
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20190715191804.112933-1-hridya@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In case the target node requests a security context, the
extra_buffers_size is increased with the size of the security context.
But, that size is not available for use by regular scatter-gather
buffers; make sure the ending of that buffer is marked correctly.
Bug: 136210786
Acked-by: Todd Kjos <tkjos@google.com>
Fixes: ec74136ded ("binder: create node flag to request sender's security context")
Signed-off-by: Martijn Coenen <maco@android.com>
Cc: stable@vger.kernel.org # 5.1+
Link: https://lore.kernel.org/r/20190709110923.220736-1-maco@android.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit a565870650)
Merge 4.19.59 into android-4.19
Changes in 4.19.59
crypto: talitos - rename alternative AEAD algos.
soc: brcmstb: Fix error path for unsupported CPUs
soc: bcm: brcmstb: biuctrl: Register writes require a barrier
Input: elantech - enable middle button support on 2 ThinkPads
samples, bpf: fix to change the buffer size for read()
samples, bpf: suppress compiler warning
mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he()
bpf: sockmap, fix use after free from sleep in psock backlog workqueue
soundwire: stream: fix out of boundary access on port properties
staging:iio:ad7150: fix threshold mode config bit
mac80211: mesh: fix RCU warning
mac80211: free peer keys before vif down in mesh
mwifiex: Fix possible buffer overflows at parsing bss descriptor
iwlwifi: Fix double-free problems in iwl_req_fw_callback()
mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
soundwire: intel: set dai min and max channels correctly
dt-bindings: can: mcp251x: add mcp25625 support
can: mcp251x: add support for mcp25625
can: m_can: implement errata "Needless activation of MRAF irq"
can: af_can: Fix error path of can_init()
net: phy: rename Asix Electronics PHY driver
ibmvnic: Do not close unopened driver during reset
ibmvnic: Refresh device multicast list after reset
ibmvnic: Fix unchecked return codes of memory allocations
ARM: dts: am335x phytec boards: Fix cd-gpios active level
s390/boot: disable address-of-packed-member warning
drm/vmwgfx: Honor the sg list segment size limitation
drm/vmwgfx: fix a warning due to missing dma_parms
riscv: Fix udelay in RV32.
Input: imx_keypad - make sure keyboard can always wake up system
KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy
mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed
ARM: davinci: da850-evm: call regulator_has_full_constraints()
ARM: davinci: da8xx: specify dma_coherent_mask for lcdc
mac80211: only warn once on chanctx_conf being NULL
mac80211: do not start any work during reconfigure flow
bpf, devmap: Fix premature entry free on destroying map
bpf, devmap: Add missing bulk queue free
bpf, devmap: Add missing RCU read lock on flush
bpf, x64: fix stack layout of JITed bpf code
qmi_wwan: add support for QMAP padding in the RX path
qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode
qmi_wwan: extend permitted QMAP mux_id value range
mmc: core: complete HS400 before checking status
md: fix for divide error in status_resync
bnx2x: Check if transceiver implements DDM before access
drm: return -EFAULT if copy_to_user() fails
ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
net: lio_core: fix potential sign-extension overflow on large shift
scsi: qedi: Check targetname while finding boot target information
quota: fix a problem about transfer quota
net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge()
NFS4: Only set creation opendata if O_CREAT
net :sunrpc :clnt :Fix xps refcount imbalance on the error path
fscrypt: don't set policy for a dead directory
udf: Fix incorrect final NOT_ALLOCATED (hole) extent length
media: stv0297: fix frequency range limit
ALSA: usb-audio: Fix parse of UAC2 Extension Units
ALSA: hda/realtek - Headphone Mic can't record after S3
block, bfq: NULL out the bic when it's no longer valid
perf pmu: Fix uncore PMU alias list for ARM64
x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
x86/tls: Fix possible spectre-v1 in do_get_thread_area()
Documentation: Add section about CPU vulnerabilities for Spectre
Documentation/admin: Remove the vsyscall=native documentation
mwifiex: Abort at too short BSS descriptor element
mwifiex: Don't abort on small, spec-compliant vendor IEs
USB: serial: ftdi_sio: add ID for isodebug v1
USB: serial: option: add support for GosunCn ME3630 RNDIS mode
Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled"
p54usb: Fix race between disconnect and firmware loading
usb: gadget: ether: Fix race between gether_disconnect and rx_submit
usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset()
usb: renesas_usbhs: add a workaround for a race condition of workqueue
drivers/usb/typec/tps6598x.c: fix portinfo width
drivers/usb/typec/tps6598x.c: fix 4CC cmd write
staging: comedi: dt282x: fix a null pointer deref on interrupt
staging: comedi: amplc_pci230: fix null pointer deref on interrupt
HID: Add another Primax PIXART OEM mouse quirk
lkdtm: support llvm-objcopy
binder: fix memory leak in error path
carl9170: fix misuse of device driver API
VMCI: Fix integer overflow in VMCI handle arrays
MIPS: Remove superfluous check for __linux__
staging: fsl-dpaa2/ethsw: fix memory leak of switchdev_work
staging: bcm2835-camera: Replace spinlock protecting context_map with mutex
staging: bcm2835-camera: Ensure all buffers are returned on disable
staging: bcm2835-camera: Remove check of the number of buffers supplied
staging: bcm2835-camera: Handle empty EOS buffers whilst streaming
staging: rtl8712: reduce stack usage, again
Linux 4.19.59
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I650890ad9d984de0fc729677bd29506cd21338be
commit 1909a671db upstream.
syzkaller found a 32-byte memory leak in a rarely executed error
case. The transaction complete work item was not freed if put_user()
failed when writing the BR_TRANSACTION_COMPLETE to the user command
buffer. Fixed by freeing it before put_user() is called.
Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0b0509508b upstream.
When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.
Bug: 130571081
Change-Id: I03fa4c879895fe4f768d880f87dce329423bfb9a
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
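The two security-context commits above (the sg-buffer end marker, and the extra_buffers_size overflow) concern the same size computation, so one added example covers both. It is a constructed C model, not code from the binder driver, with hypothetical names (plan_sg_region, struct sg_region) and an assumed layout of data, offsets array and extra area, each 8-byte aligned, with the security context at the tail of the extra area. It shows how a plain addition turns an invalid size into a small valid-looking one, rejects that case with an overflow check, and places the end of the scatter-gather region before the security context rather than at the end of the grown area.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model (not the driver's code) of the size computations the
 * commit messages describe. Assumed layout: data, then the offsets array,
 * then the "extra" area for scatter-gather buffers, each 8-byte aligned.
 * When the target node requests a security context, extra_buffers_size
 * grows by the aligned context size and the context lives at the tail.
 */
#define ALIGN8(x) (((x) + (size_t)7) & ~(size_t)7)

struct sg_region {
	size_t start; /* first byte sg buffers may use */
	size_t end;   /* first byte they may not use (start of the secctx) */
	size_t total; /* whole buffer size the transaction needs */
	bool ok;      /* false: the transaction must fail */
};

/* What a plain '+' does: SIZE_MAX - 8 plus 16 silently becomes 7, a
 * small and perfectly valid-looking size. */
size_t unchecked_grow(size_t extra_buffers_size, size_t secctx_aligned)
{
	return extra_buffers_size + secctx_aligned;
}

struct sg_region plan_sg_region(size_t data_size, size_t offsets_size,
				size_t extra_buffers_size, size_t secctx_sz)
{
	struct sg_region r = { 0, 0, 0, false };
	size_t secctx_aligned, grown;

	/* ALIGN8 itself would wrap on these inputs */
	if (secctx_sz > SIZE_MAX - 7 || data_size > SIZE_MAX - 7 ||
	    offsets_size > SIZE_MAX - 7)
		return r;
	secctx_aligned = ALIGN8(secctx_sz);

	/* the overflow check: reject instead of accepting a wrapped size */
	if (__builtin_add_overflow(extra_buffers_size, secctx_aligned, &grown))
		return r;
	if (__builtin_add_overflow(ALIGN8(data_size), ALIGN8(offsets_size),
				   &r.start) ||
	    __builtin_add_overflow(r.start, grown, &r.total))
		return r;

	/* the end marker: sg buffers stop where the security context begins,
	 * not at the end of the grown extra area */
	r.end = r.total - secctx_aligned;
	r.ok = true;
	return r;
}

int main(void)
{
	struct sg_region r = plan_sg_region(100, 16, 64, 20);

	printf("sg region [%zu, %zu), total %zu, ok=%d\n",
	       r.start, r.end, r.total, r.ok);
	printf("unchecked SIZE_MAX-8 + 16 = %zu\n",
	       unchecked_grow(SIZE_MAX - 8, 16));
	printf("checked:  ok=%d\n", plan_sg_region(0, 0, SIZE_MAX - 8, 16).ok);
	return 0;
}
```

With a 20-byte context the extra area grows by 24 (aligned), and the scatter-gather region ends 24 bytes before the buffer's end; without a context the two coincide. The wrapped input that a plain addition reports as 7 bytes is rejected outright.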
commit 5cec2d2e58 upstream.
An munmap() on a binder device causes binder_vma_close() to be called
which clears the alloc->vma pointer.
If direct reclaim causes binder_alloc_free_page() to be called, there
is a race where alloc->vma is read into a local vma pointer and then
used later after the mm->mmap_sem is acquired. This can result in
calling zap_page_range() with an invalid vma which manifests as a
use-after-free in zap_page_range().
The fix is to check alloc->vma after acquiring the mmap_sem (which we
were acquiring anyway) and skip zap_page_range() if it has changed
to NULL.
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: stable <stable@vger.kernel.org> # 4.19
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit 6bf7d3c5c0.
The commit message is for a different patch. Reverting and then adding
the same patch back with the correct commit message.
Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: stable <stable@vger.kernel.org> # 4.19
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge 4.19.38 into android-4.19
Changes in 4.19.38
netfilter: nft_compat: use refcnt_t type for nft_xt reference count
netfilter: nft_compat: make lists per netns
netfilter: nf_tables: split set destruction in deactivate and destroy phase
netfilter: nft_compat: destroy function must not have side effects
netfilter: nf_tables: warn when expr implements only one of activate/deactivate
netfilter: nf_tables: unbind set in rule from commit path
netfilter: nft_compat: don't use refcount_inc on newly allocated entry
netfilter: nft_compat: use .release_ops and remove list of extension
netfilter: nf_tables: fix set double-free in abort path
netfilter: nf_tables: bogus EBUSY when deleting set after flush
netfilter: nf_tables: bogus EBUSY in helper removal from transaction
net/ibmvnic: Fix RTNL deadlock during device reset
net: mvpp2: fix validate for PPv2.1
ext4: fix some error pointer dereferences
tipc: handle the err returned from cmd header function
loop: do not print warn message if partition scan is successful
drm/rockchip: fix for mailbox read validation.
vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock
ipvs: fix warning on unused variable
powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64
ALSA: hda/ca0132 - Fix build error without CONFIG_PCI
net: dsa: mv88e6xxx: add call to mv88e6xxx_ports_cmode_init to probe for new DSA framework
cifs: fix memory leak in SMB2_read
cifs: do not attempt cifs operation on smb2+ rename error
tracing: Fix a memory leak by early error exit in trace_pid_write()
tracing: Fix buffer_ref pipe ops
gpio: eic: sprd: Fix incorrect irq type setting for the sync EIC
zram: pass down the bvec we need to read into in the work struct
lib/Kconfig.debug: fix build error without CONFIG_BLOCK
MIPS: scall64-o32: Fix indirect syscall number load
trace: Fix preempt_enable_no_resched() abuse
IB/rdmavt: Fix frwr memory registration
RDMA/mlx5: Do not allow the user to write to the clock page
sched/numa: Fix a possible divide-by-zero
ceph: only use d_name directly when parent is locked
ceph: ensure d_name stability in ceph_dentry_hash()
ceph: fix ci->i_head_snapc leak
nfsd: Don't release the callback slot unless it was actually held
sunrpc: don't mark uninitialised items as VALID.
perf/x86/intel: Update KBL Package C-state events to also include PC8/PC9/PC10 counters
Input: synaptics-rmi4 - write config register values to the right offset
vfio/type1: Limit DMA mappings per container
dmaengine: sh: rcar-dmac: With cyclic DMA residue 0 is valid
dmaengine: sh: rcar-dmac: Fix glitch in dmaengine_tx_status
ARM: 8857/1: efi: enable CP15 DMB instructions before cleaning the cache
powerpc/mm/radix: Make Radix require HUGETLB_PAGE
drm/vc4: Fix memory leak during gpu reset.
Revert "drm/i915/fbdev: Actually configure untiled displays"
drm/vc4: Fix compilation error reported by kbuild test bot
USB: Add new USB LPM helpers
USB: Consolidate LPM checks to avoid enabling LPM twice
slip: make slhc_free() silently accept an error pointer
intel_th: gth: Fix an off-by-one in output unassigning
fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
workqueue: Try to catch flush_work() without INIT_WORK().
binder: fix handling of misaligned binder object
sched/deadline: Correctly handle active 0-lag timers
NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
fm10k: Fix a potential NULL pointer dereference
tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
tipc: check link name with right length in tipc_nl_compat_link_set
net: netrom: Fix error cleanup path of nr_proto_init
net/rds: Check address length before reading address family
rxrpc: fix race condition in rxrpc_input_packet()
aio: clear IOCB_HIPRI
aio: use assigned completion handler
aio: separate out ring reservation from req allocation
aio: don't zero entire aio_kiocb aio_get_req()
aio: use iocb_put() instead of open coding it
aio: split out iocb copy from io_submit_one()
aio: abstract out io_event filler helper
aio: initialize kiocb private in case any filesystems expect it.
aio: simplify - and fix - fget/fput for io_submit()
pin iocb through aio.
aio: fold lookup_kiocb() into its sole caller
aio: keep io_event in aio_kiocb
aio: store event at final iocb_put()
Fix aio_poll() races
x86, retpolines: Raise limit for generating indirect calls from switch-case
x86/retpolines: Disable switch jump tables when retpolines are enabled
mm: Fix warning in insert_pfn()
x86/fpu: Don't export __kernel_fpu_{begin,end}()
ipv4: add sanity checks in ipv4_link_failure()
ipv4: set the tcp_min_rtt_wlen range from 0 to one day
mlxsw: spectrum: Fix autoneg status in ethtool
net/mlx5e: ethtool, Remove unsupported SFP EEPROM high pages query
net: rds: exchange of 8K and 1M pool
net/rose: fix unbound loop in rose_loopback_timer()
net: stmmac: move stmmac_check_ether_addr() to driver probe
net/tls: fix refcount adjustment in fallback
stmmac: pci: Adjust IOT2000 matching
team: fix possible recursive locking when add slaves
net: hns: Fix WARNING when hns modules installed
mlxsw: pci: Reincrease PCI reset timeout
mlxsw: spectrum: Put MC TCs into DWRR mode
net/mlx5e: Fix the max MTU check in case of XDP
net/mlx5e: Fix use-after-free after xdp_return_frame
net/tls: avoid potential deadlock in tls_set_device_offload_rx()
net/tls: don't leak IV and record seq when offload fails
powerpc/fsl: Add FSL_PPC_BOOK3E as supported arch for nospectre_v2 boot arg
Linux 4.19.38
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
When backporting commit 1a7c3d9bb7 ("binder: create
userspace-to-binder-buffer copy function"), an extra "int target_fd;"
was left in the code. This resulted in the possibility of accessing
an uninitialized variable which was flagged by gcc.
Bug: 67668716
Change-Id: I787ed89579e9d40e8530d79be67cc663ec755e54
Signed-off-by: Todd Kjos <tkjos@google.com>
The selinux-testsuite found an issue resulting in a BUG_ON()
where a conditional relied on a size_t going negative when
checking the validity of a buffer offset.
(cherry picked from commit 5997da8214
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-linus)
Bug: 67668716
Change-Id: Ib3b408717141deadddcb6b95ad98c0b97d9d98ea
Fixes: 7a67a39320 ("binder: add function to copy binder object from buffer")
Reported-by: Paul Moore <paul@paul-moore.com>
Tested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Now that alloc->buffer points to the userspace vm_area
rename buffer->data to buffer->user_data and rename
local pointers that hold user addresses. Also use the
"__user" tag to annotate all user pointers so sparse
can flag cases where user pointer values are copied to
kernel pointers. Refactor code to use offsets instead
of user pointers.
(cherry picked from commit bde4a19fc0)
Bug: 67668716
Change-Id: I9d04b844c5994d1f6214da795799e6b373bc9816
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>