- Apr 11, 2025
-
Sungjong Seo authored
When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation.

     <CPU 0>                      <CPU 1>
mpage_read_folio
  <<bh on stack>>
  do_mpage_readpage
    exfat_get_block
      bh_read
        __bh_read
          get_bh(bh)
          submit_bh
          wait_on_buffer
                              ...
                              end_buffer_read_sync
                                __end_buffer_read_notouch
                                   unlock_buffer
          <<keep going>>
        ...
      ...
    ...
  ...
<<bh is not valid out of mpage_read_folio>>
   .
   .
another_function
  <<variable A on stack>>
                                   put_bh(bh)
                                     atomic_dec(bh->b_count)
  * stack corruption here *

This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fall back to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again.

Let's not call bh_read() with on-stack buffer_head.

Fixes: 11a347fb ("exfat: change to get file size from DataLength")
Cc: stable@vger.kernel.org
Tested-by: Yeongjin Gil <youngjin.gil@samsung.com>
Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com>
Reviewed-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Change-Id: I66738afe9a8ed22186a49b7b81d569b945487fe0
(cherry picked from commit 1bb7ff42 git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat.git dev)
Bug: 397325648
Signed-off-by: Daniel Rosenberg <drosen@google.com>
(cherry picked from commit cfee73c1)
-
xieliujie authored
Add TAINT_AUX in scx_ops_enable() to make it clear sched_ext is an experimental feature in android16-6.12. Enabling experimental features means that no support will be provided by Google if there are issues.

Bug: 397116737
Bug: 408943580
Change-Id: I8d87cd6c793827f0b619c104bd3c093b3f3c2368
Signed-off-by: xieliujie <xieliujie@oppo.com>
[jstultz: Tweak to use TAINT_AUX instead of OOT_MODULE]
Signed-off-by: John Stultz <jstultz@google.com>
-
zhengwei authored
1 function symbol(s) added
  'int __traceiter_android_vh_security_audit_log_setid(void*, u32, u32, u32)'

1 variable symbol(s) added
  'struct tracepoint __tracepoint_android_vh_security_audit_log_setid'

Bug: 409487715
Change-Id: I736c7a56f46f6e03dd95c58d93d840e0e7de8b6c
Signed-off-by: zhengwei <zhengwei2@honor.com>
-
zhengwei authored
Add vendor_hook trace_android_vh_security_audit_log_setid to allow vendor modules to record root state when the uid or gid is set to 0. As we all know, there are attack paths frequently used by attackers. When an id is set to 0, it is most likely that a hacker is trying to root the device.

Bug: 409487715
Change-Id: If3aab719c5c1c01973c5c2f8ec98d8150b9e5786
Signed-off-by: zhengwei <zhengwei2@honor.com>
-
Eric Biggers authored
fips140.ko is intended to be used in production, so strip the debug symbols from it to reduce the binary size.

Bug: 188620248
Test: tools/bazel run //common:fips140_dist && stat ./out/fips140/dist/fips140.ko
Change-Id: I5a181417409f83475652013f6abffbe81fa5dbd2
Signed-off-by: Eric Biggers <ebiggers@google.com>
-
Luca Ceresoli authored
Commit bac3b10b ("driver core: fw_devlink: Stop trying to optimize cycle detection logic") introduced a new struct device *con_dev and a get_dev_from_fwnode() call to get it, but without adding a corresponding put_device().

Closes: https://lore.kernel.org/all/20241204124826.2e055091@booty/
Fixes: bac3b10b ("driver core: fw_devlink: Stop trying to optimize cycle detection logic")
Cc: stable@vger.kernel.org
Reviewed-by: Saravana Kannan <saravanak@google.com>
Change-Id: I35cc226a3e75df501a648dd182d7cb29e9c21a61
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Link: https://lore.kernel.org/r/20250213-fix__fw_devlink_relax_cycles_missing_device_put-v2-1-8cd3b03e6a3f@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 78eb41f5)
Signed-off-by: Jia-Shiuan Chen <chenjs@google.com>
-
xiaosa liang authored
Add symbol list for oplus in gki/aarch64/symbols/oplus

2 function symbol(s) added
  'int __traceiter_android_vh_binder_del_ref(void*, struct task_struct*, uint32_t)'
  'int __traceiter_android_vh_binder_new_ref(void*, struct task_struct*, uint32_t, int)'

2 variable symbol(s) added
  'struct tracepoint __tracepoint_android_vh_binder_del_ref'
  'struct tracepoint __tracepoint_android_vh_binder_new_ref'

Bug: 186604985
Change-Id: I404aea9cd4ce49a66cc83b77fe2a9af96ed50b61
Signed-off-by: xiaosa liang <liangxiaosa@oppo.com>
-
zhengding chen authored
When servicemanager process added service proxy from other process register the service, we want to know the matching relation between handle in the process and service name.

Bug: 186604985
Change-Id: I466ae200cf17bc821c61bd92544a8fbe6b220a25
Signed-off-by: zhengding chen <chenzhengding@oppo.com>
Signed-off-by: shenshen mao <maoshenshen@oppo.com>
Signed-off-by: xiaosa liang <liangxiaosa@oppo.com>
-
- Apr 10, 2025
-
Willem de Bruijn authored
Classic BPF socket filters with SKB_NET_OFF and SKB_LL_OFF fail to read when these offsets extend into frags.

This has been observed with iwlwifi and reproduced with tun with IFF_NAPI_FRAGS. The below straightforward socket filter on UDP port, applied to a RAW socket, will silently miss matching packets.

    const int offset_proto = offsetof(struct ip6_hdr, ip6_nxt);
    const int offset_dport = sizeof(struct ip6_hdr) + offsetof(struct udphdr, dest);
    struct sock_filter filter_code[] = {
            BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_AD_OFF + SKF_AD_PKTTYPE),
            BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, PACKET_HOST, 0, 4),
            BPF_STMT(BPF_LD + BPF_B + BPF_ABS, SKF_NET_OFF + offset_proto),
            BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 2),
            BPF_STMT(BPF_LD + BPF_H + BPF_ABS, SKF_NET_OFF + offset_dport),

This is unexpected behavior. Socket filter programs should be consistent regardless of environment. Silent misses are particularly concerning as hard to detect.

Use skb_copy_bits for offsets outside linear, same as done for non-SKF_(LL|NET) offsets.

Offset is always positive after subtracting the reference threshold SKB_(LL|NET)_OFF, so is always >= skb_(mac|network)_offset. The sum of the two is an offset against skb->data, and may be negative, but it cannot point before skb->head, as skb_(mac|network)_offset would too.

This appears to go back to when frag support was introduced to sk_run_filter in linux-2.4.4, before the introduction of git.

The amount of code change and 8/16/32 bit duplication are unfortunate. But any attempt I made to be smarter saved very few LoC while complicating the code.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Link: https://lore.kernel.org/netdev/20250122200402.3461154-1-maze@google.com/
Link: https://elixir.bootlin.com/linux/2.4.4/source/net/core/filter.c#L244
Reported-by: Matt Moeller <moeller.matt@gmail.com>
Co-developed-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://lore.kernel.org/r/20250408132833.195491-2-willemdebruijn.kernel@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
(cherry picked from commit d4bac0288a2b444e468e6df9cb4ed69479ddf14a)
See: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=d4bac0288a2b444e468e6df9cb4ed69479ddf14a
Bug: 384636719
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I44e2572232f3a3459c49626f0fc5089e3e47d451
-
Qianfeng Rong authored
2 function symbol(s) added
  'int __traceiter_android_rvh_alloc_pages_reclaim_cycle_end(void*, gfp_t, int, int*, unsigned long*, int*, unsigned long)'
  'int __traceiter_android_rvh_alloc_pages_reclaim_start(void*, gfp_t, int, int*)'

2 variable symbol(s) added
  'struct tracepoint __tracepoint_android_rvh_alloc_pages_reclaim_cycle_end'
  'struct tracepoint __tracepoint_android_rvh_alloc_pages_reclaim_start'

Bug: 405889864
Change-Id: I2a9655baaa3f6b667bdb17cc8d303ddc24209279
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.corp-partner.google.com>
-
Qianfeng Rong authored
When allocating memory, we can adjust the water level to open a fast allocation channel for some important foreground processes, while allowing less important background processes to wait.

Bug: 405889864
Change-Id: I71d709c8c782aa614d2c9e1d3150ce14a0106acb
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.corp-partner.google.com>
-
Mostafa Saleh authored
Hypervisor uses the ssid_bits field which is not set, so it always reads as zero; this was missed when pasid support was added.

Bug: 409547022
Bug: 357781595
Change-Id: I591e28b11c0162245e7b6d074c93383bf28502a3
Signed-off-by: Mostafa Saleh <smostafa@google.com>
-
Zyta Szpak authored
The list is added empty. It will be populated together with vendor modules appearing in vendor repository.

Bug: 408377773
Test: tools/bazel run //common:kernel_aarch64_dist
Change-Id: I81178fab34f83ea8d37e8bc2fdbe06199c035c8a
Signed-off-by: Zyta Szpak <zyta@google.com>
-
Prakruthi Deepak Heragu authored
Add the following symbols to QCOM symbol list
  gunyah_qtvm_register_notifier
  gunyah_qtvm_unregister_notifier
  __traceiter_android_rvh_gh_after_vcpu_run
  __traceiter_android_rvh_gh_before_vcpu_run
  __tracepoint_android_rvh_gh_after_vcpu_run
  __tracepoint_android_rvh_gh_before_vcpu_run

Bug: 409352256
Change-Id: Id12d33095b6c1ddf1f61acad934c39f8b05e5790
Signed-off-by: Prakruthi Deepak Heragu <quic_pheragu@quicinc.com>
-
- Apr 09, 2025
-
Rui Chen authored
1 function symbol(s) added
  'int __traceiter_android_vh_f2fs_create(void*, struct inode*, struct dentry*)'

1 variable symbol(s) added
  'struct tracepoint __tracepoint_android_vh_f2fs_create'

Bug: 407795181
Change-Id: Ib7185533450369aec0dba8982f7b808c395d2c7e
Signed-off-by: Rui Chen <chenrui9@honor.com>
-
Keir Fraser authored
This reverts commit ede56033.

Reason for revert: Breaks pixel6_pkvm presubmit tests

Bug: 409494103
Change-Id: I6cf1cda14c35c748a11f0ecd31720613ffa18372
Signed-off-by: Keir Fraser <keirf@google.com>
-
- Apr 08, 2025
-
Rui Chen authored
Files stored in UFS SLC have approximately 20% better random read performance compared to TLC. Storing some frequently and randomly accessed files in the SLC area can enhance user experience.

Bug: 407795181
Change-Id: I571cb8b3821fb43dd4708c49c896e33e9942ab5e
Signed-off-by: Rui Chen <chenrui9@honor.com>
-
Yifan Hong authored
This reverts commit 386a5a92.

Reason for revert: fix issue by adding back AARCH variable.

Bug: 406094444
Change-Id: I07c96726b1e9a0d89974cd85dcbc331b090b72da
Signed-off-by: HONG Yifan <elsk@google.com>
-
Venkata Rao Kakani authored
Enable CONFIG_ARM_SCMI_POWER_DOMAIN to enable SCMI power domains.

Bug: 408966880
Change-Id: I12249747f6d81fbb0b5fbf265881c58fb704adfb
Signed-off-by: Venkata Rao Kakani <quic_vkakani@quicinc.com>
-
wkon-kim authored
The use of ufshcd-priv.h is essential to get ufs device information in ufs host driver. So added ufshcd-priv.h, drivers/ufs/core to unsafe header.

Bug: 408086657
Change-Id: Ia258f35af5f1f135dfa17604b0edd5a07a042fe3
Signed-off-by: wkon-kim <wkon.kim@samsung.com>
-
Ricardo Ribalda authored
Vivid requires the following symbols

20 function symbol(s) added
  'void __v4l2_ctrl_grab(struct v4l2_ctrl*, bool)'
  'int __v4l2_ctrl_modify_dimensions(struct v4l2_ctrl*, u32*)'
  'int __v4l2_ctrl_s_ctrl_string(struct v4l2_ctrl*, const char*)'
  'u16 cec_get_edid_phys_addr(const u8*, unsigned int, unsigned int*)'
  'const struct font_desc* find_font(const char*)'
  'void v4l2_ctrl_activate(struct v4l2_ctrl*, bool)'
  'void v4l2_ctrl_cluster(unsigned int, struct v4l2_ctrl**)'
  'bool v4l2_detect_cvt(unsigned int, unsigned int, unsigned int, unsigned int, u32, bool, const struct v4l2_dv_timings_cap*, struct v4l2_dv_timings*)'
  'bool v4l2_detect_gtf(unsigned int, unsigned int, unsigned int, u32, bool, struct v4l2_fract, const struct v4l2_dv_timings_cap*, struct v4l2_dv_timings*)'
  'int v4l2_device_put(struct v4l2_device*)'
  'void v4l2_event_wake_all(struct video_device*)'
  'bool v4l2_find_dv_timings_cap(struct v4l2_dv_timings*, const struct v4l2_dv_timings_cap*, unsigned int, v4l2_check_dv_timings_fnc*, void*)'
  'u16 v4l2_phys_addr_for_input(u16, u8)'
  'int v4l2_phys_addr_validate(u16, u16*, u16*)'
  'bool v4l2_valid_dv_timings(const struct v4l2_dv_timings*, const struct v4l2_dv_timings_cap*, v4l2_check_dv_timings_fnc*, void*)'
  'ssize_t vb2_fop_write(struct file*, const char*, size_t, loff_t*)'
  'int vb2_ioctl_remove_bufs(struct file*, void*, struct v4l2_remove_buffers*)'
  'int vb2_queue_change_type(struct vb2_queue*, unsigned int)'
  'void vb2_request_queue(struct media_request*)'
  'void vb2_video_unregister_device(struct video_device*)'

1 variable symbol(s) added
  'const struct v4l2_dv_timings v4l2_dv_timings_presets[112]'

Bug: 385868584
Change-Id: I019753ae2e534fb2fbc3deffddac4ff6d632b824
Signed-off-by: Ricardo Ribalda <ribalda@google.com>
-
Ricardo Ribalda authored
vivid-osd depends on CONFIG_FB, which can be a large dependency. Introduce CONFIG_VIDEO_VIVID_OSD to control enabling support for testing output overlay.

Suggested-by: Slawomir Rosek <srosek@google.com>
Co-developed-by: Slawomir Rosek <srosek@google.com>
Signed-off-by: Slawomir Rosek <srosek@google.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
[hverkuil: add newline to squash checkpatch warning]
(cherry picked from commit 20889dde)
Bug: 385868584
Change-Id: I865e0aef9b72f9774c7a08634ac5a6312e997b3b
Signed-off-by: Ricardo Ribalda <ribalda@google.com>
-
Ricardo Ribalda authored
Most references to fb_info are already within vivid-osd.c. This patch moves the remaining references into vivid-osd.c. We also take this opportunity to make the function names in vivid-osd more consistent.

This is a preparation patch to make CONFIG_FB optional for vivid.

Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
(cherry picked from commit ff71ef94)
Bug: 385868584
Change-Id: I50b902a6f265e806b326d93a6980106b88f2a6fe
Signed-off-by: Ricardo Ribalda <ribalda@google.com>
-
Ulises Mendez Martinez authored
This reverts commit ddb277b9.

Reason for revert: cherry-pick has accidentally removed `AARCH` variable which might break exports protection.

Change-Id: I48586601bee13e52b744654ef09b109f09a5c29d
-
Yuan-Jen (淵仁) Cheng authored
Export the header in all_headers_allowlist_aarch64, for pcie drivers to use.

Bug: 343869732
Bug: 407023244
Test: Verified the pcie ddk modules are able to include the header.
Change-Id: I1ab5144bf58e6591eefc966e7300770543976012
Signed-off-by: Yuan-Jen (淵仁) Cheng <cyuanjen@google.com>
-
liulu liu authored
Add 'binder_alloc_copy_from_buffer'

Bug: 408888660
Change-Id: Id114407b192dff6d8ab48ee509c555316202f8e7
Signed-off-by: liulu liu <liulu.liu@honor.corp-partner.google.com>
-
Will Deacon authored
The pKVM FF-A proxy rejects FF-A requests other than FFA_VERSION until version negotiation is complete, which is signalled by setting the global 'has_version_negotiated' variable.

To avoid excessive locking, this variable is checked directly from kvm_host_ffa_handler() in response to an FF-A call, but this can race against another CPU performing the negotiation and potentially lead to reading a torn value (incredibly unlikely for a 'bool') or problematic re-ordering of the accesses to 'has_version_negotiated' and 'hyp_ffa_version' whereby a stale version number could be read by __do_ffa_mem_xfer().

Use acquire/release primitives when writing 'has_version_negotiated' with the version lock held and when reading without the lock held.

Cc: Sebastian Ene <sebastianene@google.com>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Cc: Quentin Perret <qperret@google.com>
Cc: Oliver Upton <oliver.upton@linux.dev>
Cc: Marc Zyngier <maz@kernel.org>
Fixes: c9c01262 ("KVM: arm64: Trap FFA_VERSION host call in pKVM")
Signed-off-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20250407152755.1041-1-will@kernel.org
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
(cherry picked from commit a344e258 kvmarm/fixes)
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I5ce2a3ea56eff9fb2cc30026a0e46db1ea4d87fd
-
Vincent Donnefort authored
The entire huge stage-2 mapping must be poisoned when reclaiming.

Bug: 357781595
Bug: 409228797
Change-Id: Idd103a80be3f6c110b5d6605c213c8393a57535a
Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
-
HONG Yifan authored
Kleaf already generates CONFIG_UNUSED_KSYMS_WHITELIST according to the list of provided KMI symbol lists (kernel_build.kmi_symbol_list plus kernel_build.additional_kmi_symbol_lists). CONFIG_UNUSED_KSYMS_WHITELIST is the source of truth, not the wildcard here, especially if --user_kmi_symbol_list is set, or kernel_build.kmi_symbol_list or additional_kmi_symbol_lists contains files in different directories.

Use CONFIG_UNUSED_KSYMS_WHITELIST directly.

For mainline, CONFIG_UNUSED_KSYMS_WHITELIST is not set, so use an empty file as a placeholder.

Bug: 406094444
Change-Id: Ia62c7a2e40ca607ac6f0d7e91c732044ec559282
Signed-off-by: HONG Yifan <elsk@google.com>
(cherry picked from commit b100dc11)
-
Keir Fraser authored
This reverts commit 247011a0.

We require an IOMMU for pVM confidentiality.

Bug: 357781595
Bug: 384432312
Change-Id: I858ed7063ef3fc02cef1155c21b7ffdf921a333e
Signed-off-by: Keir Fraser <keirf@google.com>
-
Greg Kroah-Hartman authored
Steps on the way to 6.12.19

Resolves merge conflicts in: rust/Makefile scripts/Makefile.build

Change-Id: Ic32d8ad7549e09c530493d59c194092b74c31f8b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Sid Nayyar authored
OEMs customise zram and its allocator for their specific needs.

Bug: 408320886
Change-Id: Ib3b859df4eb6151e6f7d41ad03e87b8c2d2c8424
Signed-off-by: Sid Nayyar <sidnayyar@google.com>
-
Greg Kroah-Hartman authored
Steps on the way to 6.12.18

Resolves merge conflicts in: rust/kernel/types.rs scripts/Makefile.build again...

Change-Id: If08d5063d461dad8f94d88e87564fe93a67fdcb3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-
Lynus Vaz authored
1 function symbol(s) added
  'void __folio_batch_release(struct folio_batch*)'

Bug: 408450311
Change-Id: I642d3395382d1eca1ccff5d802b61ab1f72ee55a
Signed-off-by: Lynus Vaz <quic_lvaz@quicinc.com>
-
ying zuxin authored
1 function symbol(s) added
  'int __traceiter_android_rvh_create_worker(void*, struct task_struct*, struct workqueue_attrs*)'

1 variable symbol(s) added
  'struct tracepoint __tracepoint_android_rvh_create_worker'

Bug: 408116496
Change-Id: Ib478393f4ad513f717114d0a80f082c20249af71
Signed-off-by: ying zuxin <11154159@vivo.com>
-
- Apr 07, 2025
-
Yang Yang authored
This hook is used to apply specific scheduling policies to worker->task

Bug: 360039558
Bug: 408116496
Change-Id: I4fb79b23bced1c58a6fa5f4d0c19850f11d56e0f
Signed-off-by: Yang Yang <yang.yang@vivo.com>
(cherry picked from commit 2041959e)
Signed-off-by: ying zuxin <11154159@vivo.com>
-
ying zuxin authored
6 function symbol(s) added
  'void __set_task_comm(struct task_struct*, const char*, bool)'
  'int __traceiter_android_rvh_alloc_and_link_pwqs(void*, struct workqueue_struct*, int*, bool*)'
  'struct workqueue_attrs* alloc_workqueue_attrs()'
  'int apply_workqueue_attrs(struct workqueue_struct*, const struct workqueue_attrs*)'
  'int apply_workqueue_attrs_locked(struct workqueue_struct*, const struct workqueue_attrs*)'
  'void free_workqueue_attrs(struct workqueue_attrs*)'

1 variable symbol(s) added
  'struct tracepoint __tracepoint_android_rvh_alloc_and_link_pwqs'

Bug: 408071900
Change-Id: I43ecd5aa9588ea331f40754dad2f069743bb3544
Signed-off-by: ying zuxin <11154159@vivo.com>
-
Yang Yang authored
Export the symbols below:
  __set_task_comm
  free_workqueue_attrs
  alloc_workqueue_attrs
  apply_workqueue_attrs
  apply_workqueue_attrs_locked

Bug: 348321531
Bug: 408071900
Change-Id: If2a78c3875db138c0364a7f2bb038b0349f5ea91
Signed-off-by: Yang Yang <yang.yang@vivo.com>
Signed-off-by: ying zuxin <11154159@vivo.com>
-
Yang Yang authored
This hook is used to apply specific flags and attrs to workqueue_struct.

Bug: 348321531
Bug: 408071900
Change-Id: I877eae65a8d02719e216ab2df6e627e360e11078
Signed-off-by: Yang Yang <yang.yang@vivo.com>
(cherry picked from commit f437bda7)
Signed-off-by: ying zuxin <11154159@vivo.com>
-
ying zuxin authored
1 function symbol(s) added
  'int __traceiter_android_vh_bd_link_disk_holder(void*, struct block_device*, struct gendisk*)'

1 variable symbol(s) added
  'struct tracepoint __tracepoint_android_vh_bd_link_disk_holder'

Bug: 407947364
Change-Id: I660a6919f3acc25fd67b602b0617948334bf28fa
Signed-off-by: ying zuxin <11154159@vivo.com>