  1. Apr 11, 2025
  2. Apr 08, 2025
    • UPSTREAM: f2fs: fix inconsistent dirty state of atomic file · f9c1fd73
      Jianan Huang authored
      
      When testing the atomic write fix patches, the f2fs_bug_on was
      triggered as below:
      
      ------------[ cut here ]------------
      kernel BUG at fs/f2fs/inode.c:935!
      Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
      CPU: 3 UID: 0 PID: 257 Comm: bash Not tainted 6.13.0-rc1-00033-gc283a70d3497 #5
      RIP: 0010:f2fs_evict_inode+0x50f/0x520
      Call Trace:
       <TASK>
       ? __die_body+0x65/0xb0
       ? die+0x9f/0xc0
       ? do_trap+0xa1/0x170
       ? f2fs_evict_inode+0x50f/0x520
       ? f2fs_evict_inode+0x50f/0x520
       ? handle_invalid_op+0x65/0x80
       ? f2fs_evict_inode+0x50f/0x520
       ? exc_invalid_op+0x39/0x50
       ? asm_exc_invalid_op+0x1a/0x20
       ? __pfx_f2fs_get_dquots+0x10/0x10
       ? f2fs_evict_inode+0x50f/0x520
       ? f2fs_evict_inode+0x2e5/0x520
       evict+0x186/0x2f0
       prune_icache_sb+0x75/0xb0
       super_cache_scan+0x1a8/0x200
       do_shrink_slab+0x163/0x320
       shrink_slab+0x2fc/0x470
       drop_slab+0x82/0xf0
       drop_caches_sysctl_handler+0x4e/0xb0
       proc_sys_call_handler+0x183/0x280
       vfs_write+0x36d/0x450
       ksys_write+0x68/0xd0
       do_syscall_64+0xc8/0x1a0
       ? arch_exit_to_user_mode_prepare+0x11/0x60
       ? irqentry_exit_to_user_mode+0x7e/0xa0
      
      The root cause is: f2fs uses FI_ATOMIC_DIRTIED to indicate dirty
      atomic files during commit. If the inode is dirtied during commit,
      such as by f2fs_i_pino_write, the vfs inode stays clean and the
      f2fs inode is set to FI_DIRTY_INODE. The FI_DIRTY_INODE flag can't
      be cleared by write_inode later due to the clean vfs inode. Finally,
      f2fs_bug_on is triggered due to this inconsistent state when evict.
      
      To reproduce this situation:
      - fd = open("/mnt/test.db", O_WRONLY)
      - ioctl(fd, F2FS_IOC_START_ATOMIC_WRITE)
      - mv /mnt/test.db /mnt/test1.db
      - ioctl(fd, F2FS_IOC_COMMIT_ATOMIC_WRITE)
      - echo 3 > /proc/sys/vm/drop_caches
      
      To fix this problem, clear FI_DIRTY_INODE after commit, then
      f2fs_mark_inode_dirty_sync will ensure a consistent dirty state.
      
      Bug: 395196420
      
      Fixes: fccaa81d ("f2fs: prevent atomic file from being dirtied before commit")
      Change-Id: I2c637b4bc544453b07ab124527efb694da9b757f
      Signed-off-by: Yunlei He <heyunlei@xiaomi.com>
      Signed-off-by: Jianan Huang <huangjianan@xiaomi.com>
      Reviewed-by: Chao Yu <chao@kernel.org>
      Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 03511e93)
      (cherry picked from commit 0e0c5304)
      (cherry picked from commit 88c87bc8)
      Bug: 397805264
      Signed-off-by: Xiuhong Wang <xiuhong.wang@unisoc.com>
      (cherry picked from commit 4b5c82cf)
      Bug: 409148924
  3. Mar 27, 2025
  4. Mar 18, 2025
    • UPSTREAM: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 · 166cd2c9
      Quang Le authored
      
      commit 647cef20 upstream.
      
      Expected behaviour:
      In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a
      packet in scheduler's queue and decrease scheduler's qlen by one.
      Then, pfifo_tail_enqueue() enqueues the new packet and increases
      scheduler's qlen by one. Finally, pfifo_tail_enqueue() returns the
      `NET_XMIT_CN` status code.
      
      Weird behaviour:
      In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a
      scheduler that has no packet, the 'drop a packet' step will do nothing.
      This means the scheduler's qlen still has a value of 0.
      Then, we continue to enqueue the new packet and increase scheduler's qlen by
      one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by
      one and return `NET_XMIT_CN` status code.
      
      The problem is:
      Let's say we have two qdiscs: Qdisc_A and Qdisc_B.
       - Qdisc_A's type must have a '->graft()' function to create a parent/child relationship.
         Let's say Qdisc_A's type is `hfsc`. Enqueuing a packet to this qdisc will trigger `hfsc_enqueue`.
       - Qdisc_B's type is pfifo_head_drop. Enqueuing a packet to this qdisc will trigger `pfifo_tail_enqueue`.
       - Qdisc_B is configured to have `sch->limit == 0`.
       - Qdisc_A is configured to route the enqueued packet to Qdisc_B.
      
      Enqueuing a packet through Qdisc_A will lead to:
       - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)
       - Qdisc_B->q.qlen += 1
       - pfifo_tail_enqueue() returns `NET_XMIT_CN`
       - hfsc_enqueue() checks for `NET_XMIT_SUCCESS` and sees `NET_XMIT_CN` => hfsc_enqueue() doesn't increase qlen of Qdisc_A.
      
      The whole process leads to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.
      Replacing 'hfsc' with another type (for example: 'drr') still leads to the same problem.
      This violates the design where the parent's qlen should equal the sum of its children's qlen.
      
      Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
      
      Bug: 395539871
      Fixes: 57dbb2d8 ("sched: add head drop fifo queue")
      Reported-by: Quang Le <quanglex97@gmail.com>
      Signed-off-by: Quang Le <quanglex97@gmail.com>
      Signed-off-by: Cong Wang <cong.wang@bytedance.com>
      Link: https://patch.msgid.link/20250204005841.223511-2-xiyou.wangcong@gmail.com
      
      
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      (cherry picked from commit 79a955ea)
      Signed-off-by: Lee Jones <joneslee@google.com>
      Change-Id: I94a3851190671bc98666cb659e8419ab2767fb03
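
An added example, not part of the commit or the kernel source: a userspace C model of the qlen accounting described in the pfifo_tail_enqueue commit message above, showing the parent/child skew and how refusing the packet when the limit is 0 removes it. `toy_qdisc`, `child_enqueue`, `parent_enqueue` and `qlen_skew` are hypothetical names, and the patched path returning `NET_XMIT_DROP` is an assumption based on the commit title.

```c
#include <stdbool.h>
#include <stdio.h>

/* Status codes; the values mirror the kernel's NET_XMIT_* constants. */
enum { NET_XMIT_SUCCESS = 0, NET_XMIT_DROP = 1, NET_XMIT_CN = 2 };

/* Toy qdisc holding only the two fields the commit message discusses. */
struct toy_qdisc {
    unsigned int limit; /* models sch->limit */
    unsigned int qlen;  /* models sch->q.qlen */
};

/*
 * Model of the head-drop FIFO enqueue path.
 * patched == false: behaviour described under "Weird behaviour".
 * patched == true:  the new packet is dropped when limit == 0
 *                   (assumed to report NET_XMIT_DROP).
 */
static int child_enqueue(struct toy_qdisc *sch, bool patched)
{
    if (patched && sch->limit == 0)
        return NET_XMIT_DROP;

    if (sch->qlen < sch->limit) {
        sch->qlen++;
        return NET_XMIT_SUCCESS;
    }

    /* Queue "full": drop one queued packet, then enqueue the new one. */
    if (sch->qlen > 0)
        sch->qlen--;   /* does nothing when the queue is empty */
    sch->qlen++;
    return NET_XMIT_CN;
}

/*
 * Model of a classful parent (hfsc or drr in the message): it counts the
 * packet in its own qlen only when the child reports NET_XMIT_SUCCESS.
 */
static int parent_enqueue(struct toy_qdisc *parent, struct toy_qdisc *child,
                          bool patched)
{
    int ret = child_enqueue(child, patched);

    if (ret == NET_XMIT_SUCCESS)
        parent->qlen++;
    return ret;
}

/*
 * Enqueue n packets through a parent with a single child and return
 * child.qlen - parent.qlen. Zero means the "parent's qlen equals the sum
 * of its children's qlen" invariant holds.
 */
static int qlen_skew(unsigned int limit, unsigned int n, bool patched)
{
    struct toy_qdisc parent = { 0, 0 };
    struct toy_qdisc child = { limit, 0 };
    unsigned int i;

    for (i = 0; i < n; i++)
        parent_enqueue(&parent, &child, patched);

    return (int)child.qlen - (int)parent.qlen;
}

int main(void)
{
    /* Constructed scenarios: limit 0 (the reported case) and limit 2. */
    printf("limit=0 unpatched skew: %d\n", qlen_skew(0, 1, false));
    printf("limit=0 patched   skew: %d\n", qlen_skew(0, 1, true));
    printf("limit=2 unpatched skew: %d\n", qlen_skew(2, 5, false));
    return 0;
}
```
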
    • UPSTREAM: net: sched: Disallow replacing of child qdisc from one parent to another · b4398c5d
      Jamal Hadi Salim authored
      
      [ Upstream commit bc50835e ]
      
      Lion Ackermann was able to create a UAF which can be abused for privilege
      escalation with the following script
      
      Step 1. create root qdisc
      tc qdisc add dev lo root handle 1:0 drr
      
      step2. a class for packet aggregation to demonstrate uaf
      tc class add dev lo classid 1:1 drr
      
      step3. a class for nesting
      tc class add dev lo classid 1:2 drr
      
      step4. a class to graft qdisc to
      tc class add dev lo classid 1:3 drr
      
      step5.
      tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024
      
      step6.
      tc qdisc add dev lo parent 1:2 handle 3:0 drr
      
      step7.
      tc class add dev lo classid 3:1 drr
      
      step 8.
      tc qdisc add dev lo parent 3:1 handle 4:0 pfifo
      
      step 9. Display the class/qdisc layout
      
      tc class ls dev lo
       class drr 1:1 root leaf 2: quantum 64Kb
       class drr 1:2 root leaf 3: quantum 64Kb
       class drr 3:1 root leaf 4: quantum 64Kb
      
      tc qdisc ls
       qdisc drr 1: dev lo root refcnt 2
       qdisc plug 2: dev lo parent 1:1
       qdisc pfifo 4: dev lo parent 3:1 limit 1000p
       qdisc drr 3: dev lo parent 1:2
      
      step10. trigger the bug <=== prevented by this patch
      tc qdisc replace dev lo parent 1:3 handle 4:0
      
      step 11. Redisplay again the qdiscs/classes
      
      tc class ls dev lo
       class drr 1:1 root leaf 2: quantum 64Kb
       class drr 1:2 root leaf 3: quantum 64Kb
       class drr 1:3 root leaf 4: quantum 64Kb
       class drr 3:1 root leaf 4: quantum 64Kb
      
      tc qdisc ls
       qdisc drr 1: dev lo root refcnt 2
       qdisc plug 2: dev lo parent 1:1
       qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p
       qdisc drr 3: dev lo parent 1:2
      
      Observe that a) parent for 4:0 does not change despite the replace request.
      There can only be one parent.  b) refcount has gone up by two for 4:0 and
      c) both class 1:3 and 3:1 are pointing to it.
      
      Step 12.  send one packet to plug
      echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))
      step13.  send one packet to the grafted fifo
      echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))
      
      step14. lets trigger the uaf
      tc class delete dev lo classid 1:3
      tc class delete dev lo classid 1:1
      
      The semantics of "replace" is for a del/add _on the same node_ and not
      a delete from one node(3:1) and add to another node (1:3) as in step10.
      While we could "fix" with a more complex approach there could be
      consequences to expectations so the patch takes the preventive approach of
      "disallow such config".
      
      Bug: 393266309
      Joint work with Lion Ackermann <nnamrec@gmail.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Link: https://patch.msgid.link/20250116013713.900000-1-kuba@kernel.org
      
      
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      (cherry picked from commit deda09c0)
      Signed-off-by: Lee Jones <joneslee@google.com>
      Change-Id: Id94e8dfb543643e489e33f79af990f23580b9121
    • UPSTREAM: net: avoid race between device unregistration and ethnl ops · cdd20753
      Antoine Tenart authored
      
      [ Upstream commit 12e070eb ]
      
      The following trace can be seen if a device is being unregistered while
      its number of channels is being modified.
      
        DEBUG_LOCKS_WARN_ON(lock->magic != lock)
        WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120
        CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771
        RIP: 0010:__mutex_lock+0xc8a/0x1120
        Call Trace:
         <TASK>
         ethtool_check_max_channel+0x1ea/0x880
         ethnl_set_channels+0x3c3/0xb10
         ethnl_default_set_doit+0x306/0x650
         genl_family_rcv_msg_doit+0x1e3/0x2c0
         genl_rcv_msg+0x432/0x6f0
         netlink_rcv_skb+0x13d/0x3b0
         genl_rcv+0x28/0x40
         netlink_unicast+0x42e/0x720
         netlink_sendmsg+0x765/0xc20
         __sys_sendto+0x3ac/0x420
         __x64_sys_sendto+0xe0/0x1c0
         do_syscall_64+0x95/0x180
         entry_SYSCALL_64_after_hwframe+0x76/0x7e
      
      This is because unregister_netdevice_many_notify might run before the
      rtnl lock section of ethnl operations, e.g. set_channels in the above
      example. In this example the rss lock would be destroyed by the device
      unregistration path before being used again, but in general running
      ethnl operations while dismantle has started is not a good idea.
      
      Fix this by denying any operation on devices being unregistered. A check
      was already there in ethnl_ops_begin, but not wide enough.
      
      Note that the same issue cannot be seen on the ioctl version
      (__dev_ethtool) because the device reference is retrieved from within
      the rtnl lock section there. Once dismantle started, the net device is
      unlisted and no reference will be found.
      
      Bug: 392852041
      Fixes: dde91ccf ("ethtool: do not perform operations on net devices being unregistered")
      Signed-off-by: Antoine Tenart <atenart@kernel.org>
      Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
      Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
      Link: https://patch.msgid.link/20250116092159.50890-1-atenart@kernel.org
      
      
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      (cherry picked from commit b1cb37a3)
      Signed-off-by: Lee Jones <joneslee@google.com>
      Change-Id: I56dbd897bb6db194d1eab1d5370796d2e3142fe2
  5. Mar 17, 2025
  6. Mar 13, 2025
    • BACKPORT: f2fs: compress: fix inconsistent update of i_blocks in release_compress_blocks and reserve_compress_blocks · 71244f32
      Qi Han authored
      
      After releasing a file and subsequently reserving it, the FSCK flag is set
      when the file is deleted, as shown in the following backtrace:
      
      F2FS-fs (dm-48): Inconsistent i_blocks, ino:401231, iblocks:1448, sectors:1472
      fs_rec_info_write_type+0x58/0x274
      f2fs_rec_info_write+0x1c/0x2c
      set_sbi_flag+0x74/0x98
      dec_valid_block_count+0x150/0x190
      f2fs_truncate_data_blocks_range+0x2d4/0x3cc
      f2fs_do_truncate_blocks+0x2fc/0x5f0
      f2fs_truncate_blocks+0x68/0x100
      f2fs_truncate+0x80/0x128
      f2fs_evict_inode+0x1a4/0x794
      evict+0xd4/0x280
      iput+0x238/0x284
      do_unlinkat+0x1ac/0x298
      __arm64_sys_unlinkat+0x48/0x68
      invoke_syscall+0x58/0x11c
      
      For clusters of the following type, i_blocks are decremented by 1 and
      i_compr_blocks are incremented by 7 in release_compress_blocks, while
      updates to i_blocks and i_compr_blocks are skipped in reserve_compress_blocks.
      
      raw node:
      D D D D D D D D
      after compress:
      C D D D D D D D
      after reserve:
      C D D D D D D D
      
      Let's update i_blocks and i_compr_blocks properly in reserve_compress_blocks.
      
      Bug: 403145794
      Fixes: eb8fbaa5 ("f2fs: compress: fix to check unreleased compressed cluster")
      Change-Id: I596af62bbd54941bfc77f30e182db94e81cba59b
      Signed-off-by: Qi Han <hanqi@vivo.com>
      Reviewed-by: Chao Yu <chao@kernel.org>
      Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
      (cherry picked from commit 26413ce1)
      (cherry picked from commit 90d49524)
  7. Mar 10, 2025
    • ANDROID: SPF: Fix swap faults racing with fast-mremap · b5ffd823
      Kalesh Singh authored
      
      pte_unmap_same() and pte_offset_map_lock() in do_swap_page()
      do not check that the original faulting pmd_t is still the
      same before attempting to take the ptl lock for the page table,
      nor do they check the mm_struct’s sequence number.
      
      This is problematic if a concurrent fast-mremap happens where
      the pmd_t entry has been moved as now the vmf->pmd is pointing
      to the wrong page table.
      
      This incorrect page table may not be allocated which will
      cause the kernel to panic when attempting to take the ptl
      lock on it.
      
      Reinstate the vma refcount trylock since this will prevent a
      concurrent mremap on the VMA on which the speculative fault
      is happening.
      
      Note fast-mremap still needs to take the page table ptl lock
      (pte level) to avoid SPF races due to VMA splitting.
      
      Bug: 398054290
      Bug: 400153677
      Change-Id: I447f6f1b57bf1e7dd677e3aec47721702c6e6b88
      Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
  8. Mar 06, 2025
  9. Feb 25, 2025
  10. Feb 22, 2025
    • Merge tag 'android14-5.15.178_r00' into android14-5.15 · c484f2aa
      Greg Kroah-Hartman authored
      
      This merges the android14-5.15.178_r00 tag into the android14-5.15 branch,
      catching it up with the latest LTS releases.
      
      It contains the following commits:
      
      *   6ad827953874 Merge 5.15.178 into android14-5.15-lts
      |\
      | * c16c81c81336 Linux 5.15.178
      | * 6cfafcad46e9 drm/v3d: Assign job pointer to NULL before signaling the fence
      | * 8b74aa1e1c08 Input: xpad - add support for wooting two he (arm)
      | * c9d4d5785f2d Input: xpad - add unofficial Xbox 360 wireless receiver clone
      | * 1475c07bf30f Input: atkbd - map F23 key to support default copilot shortcut
      | * 66453ea6ed0a ALSA: usb-audio: Add delay quirk for USB Audio Device
      | * 20ce02f2f73a Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null"
      | * 6068dcff7f19 USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
      | * 091a023cf2ae wifi: iwlwifi: add a few rate index validity checks
      | * 81d4dd05c412 scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
      | * 6ac5dfa57513 ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()
      | * 84adb88c8027 platform/chrome: cros_ec_typec: Check for EC driver
      | * 542532afe249 fs/ntfs3: Additional check in ntfs_file_release
      | * 00767fbd67af Bluetooth: RFCOMM: Fix not validating setsockopt user input
      | * 2c2dc87cdebe Bluetooth: SCO: Fix not validating setsockopt user input
      | * 92340e6c5122 vfio/platform: check the bounds of read/write syscalls
      | * bcf0d815e728 net: sched: fix ets qdisc OOB Indexing
      | * 4e3ded34f3f3 gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
      | * 322948a57582 mptcp: don't always assume copied data in mptcp_cleanup_rbuf()
      | * 2c3524a308b2 regmap: detach regmap from dev on regmap_exit
      | * df560e90a4d6 ASoC: samsung: Add missing depends on I2C
      | * 72370a2bc2e6 irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
      | * 46bdd737a16b scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request
      | * 318ebf851143 seccomp: Stub for !CONFIG_SECCOMP
      | * 42b4b670bd23 ASoC: samsung: Add missing selects for MFD_WM8994
      | * 0783cd485b4a ASoC: wm8994: Add depends on MFD core
      * | f90b598b35aa ANDROID: GKI: update abi due to internal struct of_bus change
      * | 1c6edccede3d Revert "fs: fix missing declaration of init_files"
      * | 89d8a05f92c2 Revert "net: add exit_batch_rtnl() method"
      * | 39c2fdc4e4c4 Revert "gtp: use exit_batch_rtnl() method"
      * | 30b21c9d99ca Revert "gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp()."
      * | 49f62e2fffe0 Revert "gtp: Destroy device along with udp socket's netns dismantle."
      * | 52fa24d5c5a1 Merge 5.15.177 into android14-5.15-lts
      |\|
      | * 003148680b79 Linux 5.15.177
      | * 448fe5a1a4b5 Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals
      | * 0bd4efe3226d xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals
      | * c3d052cae566 net: fix data-races around sk->sk_forward_alloc
      | * 198b89dd5a59 scsi: sg: Fix slab-use-after-free read in sg_release()
      | * 9a4d196e8a5e x86/xen: fix SLS mitigation in xen_hypercall_iret()
      | * 167cbd3e5268 nfsd: add list_head nf_gc to struct nfsd_file
      | * e43dd28405e6 ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
      | * 6486915fa661 vsock/virtio: discard packets if the transport changes
      | * 8a07350fe070 blk-cgroup: Fix UAF in blkcg_unpin_online()
      | * e667d5d566a2 Revert "regmap: detach regmap from dev on regmap_exit"
      | * d8ebb991790f Revert "drm/amdgpu: rework resume handling for display (v2)"
      | * 7a07fb80ea88 iio: adc: rockchip_saradc: fix information leak in triggered buffer
      | * b5c2c988cb6a iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on
      | * 96ac1454f343 iio: imu: inv_icm42600: fix spi burst write not supported
      | * 39f320df3537 Revert "PCI: Use preserve_config in place of pci_flags"
      | * ac3dd2497e6e drm/i915/fb: Relax clear color alignment to 64 bytes
      | * 15b453db41d3 hrtimers: Handle CPU state correctly on hotplug
      | * 59472bf85a3c irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
      | * 2d008d4961b0 gpiolib: cdev: Fix use after free in lineinfo_changed_notify
      | * 649b266606bc fs/proc: fix softlockup in __read_vmcore (part 2)
      | * 64e5fd96330d filemap: avoid truncating 64-bit offset to 32 bits
      | * 9e5fed46ccd2 vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
      | * a4606b774de2 vsock: reset socket state when de-assigning the transport
      | * 048dbd2b5b85 vsock/virtio: cancel close work in the destructor
      | * 92f1b7930f13 net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
      | * aba13043e628 x86/asm: Make serialize() always_inline
      | * 612269eb3f8f nvmet: propagate npwg topology
      | * 7df94f7f9e22 poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll()
      | * 1c878c5527e1 ACPI: resource: acpi_dev_irq_override(): Check DMI match last
      | * a592ce58ca78 kheaders: Ignore silly-rename files
      | * 2d1a5a595bf2 fs: fix missing declaration of init_files
      | * 87e207b6aa93 hfs: Sanity check the root record
      | * 80aee0bc0dbe mac802154: check local interfaces before deleting sdata list
      | * c5f1bc1d2324 i2c: rcar: fix NACK handling when being a target
      | * 6c6e0961ccfd i2c: mux: demux-pinctrl: check initial mux selection, too
      | * 37c63955ca68 Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data"
      | * 2f176c0ec9f5 hwmon: (tmp513) Fix division of negative numbers
      | * 14e0a874488e drm/v3d: Ensure job pointer is set to NULL after job completion
      | * 83775c9a9a65 net/mlx5: Fix RDMA TX steering prio
      | * a04effa1b79f net/mlx5: Refactor mlx5_get_flow_namespace
      | * ef6bb594598b net/mlx5: Add priorities for counters in RDMA namespaces
      | * 3cc3575223c6 net: xilinx: axienet: Fix IRQ coalescing packet count overflow
      | * fdfe7ef525ad nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
      | * 036f8d814a2c gtp: Destroy device along with udp socket's netns dismantle.
      | * ed8be92df48d gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().
      | * a111a7487f65 gtp: use exit_batch_rtnl() method
      | * 041325b73abc net: add exit_batch_rtnl() method
      | * 3450092cc2d1 pktgen: Avoid out-of-bounds access in get_imix_entries
      | * 0ab52a8ca6e1 bpf: Fix bpf_sk_select_reuseport() memory leak
      | * 9bb26176fba5 net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()
      | * 9f15cd4174d0 phy: usb: Fix clock imbalance for suspend/resume
      | * 795537eb2af1 phy: usb: Use slow clock for wake enabled suspend
      | * 88b01048f286 mptcp: fix TCP options overflow.
      | * 05ba00d97bb4 mptcp: drop port parameter of mptcp_pm_add_addr_signal
      | * f44e6d70c100 ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
      | * 86f8046aa649 ocfs2: correct return value of ocfs2_local_free_info()
      | * 0552befaccd8 phy: usb: Toggle the PHY power during init
      | * d0178cb2ccea phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers
      | * b2cec0d8f676 of: address: Preserve the flags portion on 1:1 dma-ranges mapping
      | * 6a7832e332d9 of: address: Store number of bus flag cells rather than bool
      | * 1b868ff7950b of: address: Remove duplicated functions
      | * 19ec883a51bd of: address: Fix address translation when address-size is greater than 2
      | * b3f6bed9bf61 of/address: Add support for 3 address cell bus
      | * bce3629a9e53 of: unittest: Add bus address range parsing tests
      | * 437b875e7389 arm64: dts: rockchip: add hevc power domain clock to rk3328
      | * f587c1ac6895 block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
      | * e43dfc4a9c15 iio: adc: ad7124: Disable all channels at probe time
      | * d83ccca9e17e iio: inkern: call iio_device_put() only on mapped devices
      | * 028a1ba8e3ba iio: adc: at91: call input_free_device() on allocated iio_dev
      | * 060214459b63 iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
      | * c31009d2bd49 iio: gyro: fxas21002c: Fix missing data update in trigger handler
      | * aae967380068 iio: adc: ti-ads8688: fix information leak in triggered buffer
      | * a07f69808441 iio: imu: kmx61: fix information leak in triggered buffer
      | * cb488706cdec iio: light: vcnl4035: fix information leak in triggered buffer
      | * 006073761888 iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer
      | * 64a989aa7475 iio: pressure: zpa2326: fix information leak in triggered buffer
      | * 19fc1c83454c usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
      | * d9d18e2011c1 usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints
      | * 7cdb2d0f1af9 usb: fix reference leak in usb_new_device()
      | * 162428a00a0c USB: core: Disable LPM only for non-suspended ports
      | * 8309c947b208 USB: usblp: return error when setting unsupported protocol
      | * d2de56cc45ee usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null
      | * 1c7818e2746e topology: Keep the cpumask unchanged when printing cpumap
      | * 85b8a1a3176d usb: dwc3: gadget: fix writing NYET threshold
      | * 7f626e8e148c USB: serial: cp210x: add Phoenix Contact UPS Device
      | * 2165ef034891 usb-storage: Add max sectors quirk for Nokia 208
      | * 2748a203e098 staging: iio: ad9832: Correct phase range check
      | * e299dcbfc039 staging: iio: ad9834: Correct phase range check
      | * 98645eac8ed4 USB: serial: option: add Neoway N723-EA support
      | * f072315c5d41 USB: serial: option: add MeiG Smart SRM815
      | * 203f38eb72f2 md/raid5: fix atomicity violation in raid5_cache_count
      | * 3b930badf88d scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity
      | * 1e5cc8d5b121 drm/amd/display: increase MAX_SURFACES to the value supported by hw
      | * dd3f23919b4d ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
      | * 21db38809fb8 ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
      | * 10c24df2e303 riscv: Fix sleeping in invalid context in die()
      | * 95793f9684e5 drm/amd/display: Add check for granularity in dml ceil/floor helpers
      | * 1dc5da6c4178 sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy
      | * 0a0966312ac3 sctp: sysctl: udp_port: avoid using current->nsproxy
      | * bd2a29394235 sctp: sysctl: auth_enable: avoid using current->nsproxy
      | * 0f78f0946674 sctp: sysctl: rto_min/max: avoid using current->nsproxy
      | * 86ddf8118123 sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
      | * e52a55ec2d1f dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY
      | * 802666a40c71 dm thin: make get_first_thin use rcu-safe list first function
      | * 7cb3e77e9b4e afs: Fix the maximum cell name length
      | * 781c743e18bf ksmbd: fix a missing return value check bug
      | * e719611285cd drm/mediatek: Add support for 180-degree rotation in the display driver
      | * b1b2353d768f netfilter: conntrack: clamp maximum hashtable size to INT_MAX
      | * 2f2c1ce86708 netfilter: nf_tables: imbalance in flowtable binding
      | * 6d6ce5f75d0e tls: Fix tls_sw_sendmsg error handling
      | * 8fe5fcf25438 cxgb4: Avoid removal of uninserted tid
      | * 0cfe1297df07 bnxt_en: Fix possible memory leak when hwrm_req_replace fails
      | * a313d6e6d5f3 net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
      | * 10923508eb77 tcp/dccp: allow a connection when sk_max_ack_backlog is zero
      | * bcd1557f1d38 tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
      | * e67fff8fd12c net: 802: LLC+SNAP OID:PID lookup on start of skb data
      | * 8cc8bdfbe065 ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()
      | * 294b9826da0e ASoC: mediatek: disable buffer pre-allocation
      | * 1f94fe692b7e exfat: fix the infinite loop in __exfat_free_cluster()
      | * 28c21f0ac529 exfat: fix the infinite loop in exfat_readdir()
      | * 3995b25d000c dm array: fix cursor index when skipping across block boundaries
      | * c850ddd1e1d8 dm array: fix unreleased btree blocks on closing a faulty array cursor
      | * 738994872d77 dm array: fix releasing a faulty array block twice in dm_array_cursor_end
      | * 6029c4240529 jbd2: flush filesystem device before updating tail sequence
      | * d42ad3f161a5 ceph: give up on paths longer than PATH_MAX
      * d0c0d12b9278 Merge branch 'android14-5.15' into android14-5.15-lts
      
      Change-Id: Icea9d4979c22c95cda72307fed9433622cf8c8cb
      Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
  11. Feb 21, 2025
  12. Feb 20, 2025
    • ANDROID: vendor_hooks: printk ignore the loglevel to pstore · ebbd7fff
      Takashi.Toida authored
      
      Usually, we use the console-ramoops in pstore to check printk logs
      during a reboot issue.
      However, enabling the printk log level for the console
      to investigate kernel and/or driver reboot issues sometimes delays
      real-time processing.
      As a result, the software behavior changes, and other problems may
      occur instead.
      To address this, we add a hook that allows us to send printk logs
      to pstore while ignoring the log level.
      We might be able to avoid using a vendorhook here if upstream has
      the capability to record all levels of printk logs into pstore,
      even if it is no longer called console-ramoops.
      
      Bug: 396580116
      Change-Id: I3ad0a0bed4069fd741ebfb47c16ee7400dc2086c
      Signed-off-by: "Takashi.Toida" <Takashi.Toida@sony.com>
  13. Feb 14, 2025
  14. Feb 10, 2025
  15. Feb 07, 2025
    • Merge 5.15.178 into android14-5.15-lts · 6ad82795
      Greg Kroah-Hartman authored
      
      Changes in 5.15.178
      	ASoC: wm8994: Add depends on MFD core
      	ASoC: samsung: Add missing selects for MFD_WM8994
      	seccomp: Stub for !CONFIG_SECCOMP
      	scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request
      	irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
      	ASoC: samsung: Add missing depends on I2C
      	regmap: detach regmap from dev on regmap_exit
      	mptcp: don't always assume copied data in mptcp_cleanup_rbuf()
      	gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
      	net: sched: fix ets qdisc OOB Indexing
      	vfio/platform: check the bounds of read/write syscalls
      	Bluetooth: SCO: Fix not validating setsockopt user input
      	Bluetooth: RFCOMM: Fix not validating setsockopt user input
      	fs/ntfs3: Additional check in ntfs_file_release
      	platform/chrome: cros_ec_typec: Check for EC driver
      	ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()
      	scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
      	wifi: iwlwifi: add a few rate index validity checks
      	USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
      	Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null"
      	ALSA: usb-audio: Add delay quirk for USB Audio Device
      	Input: atkbd - map F23 key to support default copilot shortcut
      	Input: xpad - add unofficial Xbox 360 wireless receiver clone
      	Input: xpad - add support for wooting two he (arm)
      	drm/v3d: Assign job pointer to NULL before signaling the fence
      	Linux 5.15.178
      
      Change-Id: Ic6dee55bddba7baf0ea8b7b382a0cdf6f3de475e
      Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
    • ANDROID: GKI: update abi due to internal struct of_bus change · f90b598b
      Greg Kroah-Hartman authored
      
      In commit 6a7832e3 ("of: address: Store number of bus flag cells
      rather than bool"), the internal-to-the-of-core struct "struct of_bus"
      changed some fields.  This is allowed as this structure does not go
      outside of the OF core code.
      
      Fixes: 6a7832e3 ("of: address: Store number of bus flag cells rather than bool")
      Change-Id: Ic24736a1d6307f9d8493ceaf3ccee500478406d7
      Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
    • Revert "fs: fix missing declaration of init_files" · 1c6edcce
      Greg Kroah-Hartman authored
      
      This reverts commit 2d1a5a59 which is
      commit 2b2fc0be upstream.
      
      It breaks the Android kernel abi and can be brought back in the future
      in an abi-safe way if it is really needed.
      
      Bug: 161946584
      Change-Id: I714b7bdf89fa2033f8d3b05edce3cbf6222ee8df
      Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
    • Revert "net: add exit_batch_rtnl() method" · 89d8a05f
      Greg Kroah-Hartman authored
      
      This reverts commit 041325b7 which is
      commit fd4f101e upstream.
      
      It breaks the Android kernel abi and can be brought back in the future
      in an abi-safe way if it is really needed.
      
      Bug: 161946584
      Change-Id: Id0012b92edfa9cd162c757e0b35b1bb70473c140
      Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
    • Revert "gtp: use exit_batch_rtnl() method" · 39c2fdc4
      Greg Kroah-Hartman authored
      
      This reverts commit a111a748 which is
      commit 6eedda01 upstream.
      
      It breaks the Android kernel abi and can be brought back in the future
      in an abi-safe way if it is really needed.
      
      Bug: 161946584
      Change-Id: Ide4de81bedb34df80d246245b09bcb402cd92c57
      Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
    • Revert "gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp()." · 30b21c9d
      Greg Kroah-Hartman authored
      
      This reverts commit ed8be92d which is
      commit 46841c70 upstream.
      
      It breaks the Android kernel abi and can be brought back in the future
      in an abi-safe way if it is really needed.
      
      Bug: 161946584
      Change-Id: Icd674fdee5592d5461d4e118201a3c61e56f63ed
      Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
    • Revert "gtp: Destroy device along with udp socket's netns dismantle." · 49f62e2f
      Greg Kroah-Hartman authored
      
      This reverts commit 036f8d81 which is
      commit eb28fd76 upstream.
      
      It breaks the Android kernel abi and can be brought back in the future
      in an abi-safe way if it is really needed.
      
      Bug: 161946584
      Change-Id: Iba39eb18a9bbb97d865f1a93dc28807e4191ee0e
      Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
  16. Feb 06, 2025
    • Merge 5.15.177 into android14-5.15-lts · 52fa24d5
      Greg Kroah-Hartman authored
      
      Changes in 5.15.177
      	ceph: give up on paths longer than PATH_MAX
      	jbd2: flush filesystem device before updating tail sequence
      	dm array: fix releasing a faulty array block twice in dm_array_cursor_end
      	dm array: fix unreleased btree blocks on closing a faulty array cursor
      	dm array: fix cursor index when skipping across block boundaries
      	exfat: fix the infinite loop in exfat_readdir()
      	exfat: fix the infinite loop in __exfat_free_cluster()
      	ASoC: mediatek: disable buffer pre-allocation
      	ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()
      	net: 802: LLC+SNAP OID:PID lookup on start of skb data
      	tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
      	tcp/dccp: allow a connection when sk_max_ack_backlog is zero
      	net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
      	bnxt_en: Fix possible memory leak when hwrm_req_replace fails
      	cxgb4: Avoid removal of uninserted tid
      	tls: Fix tls_sw_sendmsg error handling
      	netfilter: nf_tables: imbalance in flowtable binding
      	netfilter: conntrack: clamp maximum hashtable size to INT_MAX
      	drm/mediatek: Add support for 180-degree rotation in the display driver
      	ksmbd: fix a missing return value check bug
      	afs: Fix the maximum cell name length
      	dm thin: make get_first_thin use rcu-safe list first function
      	dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY
      	sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
      	sctp: sysctl: rto_min/max: avoid using current->nsproxy
      	sctp: sysctl: auth_enable: avoid using current->nsproxy
      	sctp: sysctl: udp_port: avoid using current->nsproxy
      	sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy
      	drm/amd/display: Add check for granularity in dml ceil/floor helpers
      	riscv: Fix sleeping in invalid context in die()
      	ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
      	ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
      	drm/amd/display: increase MAX_SURFACES to the value supported by hw
      	scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity
      	md/raid5: fix atomicity violation in raid5_cache_count
      	USB: serial: option: add MeiG Smart SRM815
      	USB: serial: option: add Neoway N723-EA support
      	staging: iio: ad9834: Correct phase range check
      	staging: iio: ad9832: Correct phase range check
      	usb-storage: Add max sectors quirk for Nokia 208
      	USB: serial: cp210x: add Phoenix Contact UPS Device
      	usb: dwc3: gadget: fix writing NYET threshold
      	topology: Keep the cpumask unchanged when printing cpumap
      	usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null
      	USB: usblp: return error when setting unsupported protocol
      	USB: core: Disable LPM only for non-suspended ports
      	usb: fix reference leak in usb_new_device()
      	usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints
      	usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
      	iio: pressure: zpa2326: fix information leak in triggered buffer
      	iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer
      	iio: light: vcnl4035: fix information leak in triggered buffer
      	iio: imu: kmx61: fix information leak in triggered buffer
      	iio: adc: ti-ads8688: fix information leak in triggered buffer
      	iio: gyro: fxas21002c: Fix missing data update in trigger handler
      	iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
      	iio: adc: at91: call input_free_device() on allocated iio_dev
      	iio: inkern: call iio_device_put() only on mapped devices
      	iio: adc: ad7124: Disable all channels at probe time
      	block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
      	arm64: dts: rockchip: add hevc power domain clock to rk3328
      	of: unittest: Add bus address range parsing tests
      	of/address: Add support for 3 address cell bus
      	of: address: Fix address translation when address-size is greater than 2
      	of: address: Remove duplicated functions
      	of: address: Store number of bus flag cells rather than bool
      	of: address: Preserve the flags portion on 1:1 dma-ranges mapping
      	phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers
      	phy: usb: Toggle the PHY power during init
      	ocfs2: correct return value of ocfs2_local_free_info()
      	ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
      	mptcp: drop port parameter of mptcp_pm_add_addr_signal
      	mptcp: fix TCP options overflow.
      	phy: usb: Use slow clock for wake enabled suspend
      	phy: usb: Fix clock imbalance for suspend/resume
      	net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()
      	bpf: Fix bpf_sk_select_reuseport() memory leak
      	pktgen: Avoid out-of-bounds access in get_imix_entries
      	net: add exit_batch_rtnl() method
      	gtp: use exit_batch_rtnl() method
      	gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().
      	gtp: Destroy device along with udp socket's netns dismantle.
      	nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
      	net: xilinx: axienet: Fix IRQ coalescing packet count overflow
      	net/mlx5: Add priorities for counters in RDMA namespaces
      	net/mlx5: Refactor mlx5_get_flow_namespace
      	net/mlx5: Fix RDMA TX steering prio
      	drm/v3d: Ensure job pointer is set to NULL after job completion
      	hwmon: (tmp513) Fix division of negative numbers
      	Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data"
      	i2c: mux: demux-pinctrl: check initial mux selection, too
      	i2c: rcar: fix NACK handling when being a target
      	mac802154: check local interfaces before deleting sdata list
      	hfs: Sanity check the root record
      	fs: fix missing declaration of init_files
      	kheaders: Ignore silly-rename files
      	ACPI: resource: acpi_dev_irq_override(): Check DMI match last
      	poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll()
      	nvmet: propagate npwg topology
      	x86/asm: Make serialize() always_inline
      	net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
      	vsock/virtio: cancel close work in the destructor
      	vsock: reset socket state when de-assigning the transport
      	vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
      	filemap: avoid truncating 64-bit offset to 32 bits
      	fs/proc: fix softlockup in __read_vmcore (part 2)
      	gpiolib: cdev: Fix use after free in lineinfo_changed_notify
      	irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
      	hrtimers: Handle CPU state correctly on hotplug
      	drm/i915/fb: Relax clear color alignment to 64 bytes
      	Revert "PCI: Use preserve_config in place of pci_flags"
      	iio: imu: inv_icm42600: fix spi burst write not supported
      	iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on
      	iio: adc: rockchip_saradc: fix information leak in triggered buffer
      	Revert "drm/amdgpu: rework resume handling for display (v2)"
      	Revert "regmap: detach regmap from dev on regmap_exit"
      	blk-cgroup: Fix UAF in blkcg_unpin_online()
      	vsock/virtio: discard packets if the transport changes
      	ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
      	nfsd: add list_head nf_gc to struct nfsd_file
      	x86/xen: fix SLS mitigation in xen_hypercall_iret()
      	scsi: sg: Fix slab-use-after-free read in sg_release()
      	net: fix data-races around sk->sk_forward_alloc
      	xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals
      	Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals
      	Linux 5.15.177
      
      Change-Id: I6dc0872727ed313c248c5a37d6ed236c83efa2d7
      Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
  17. Feb 01, 2025