--- /dev/null
+From e1090371e02b601cbfcea175c2a6cc7c955fa830 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 1 Dec 2023 17:21:36 +0000
+Subject: binder: fix comment on binder_alloc_new_buf() return value
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit e1090371e02b601cbfcea175c2a6cc7c955fa830 upstream.
+
+Update the comments of binder_alloc_new_buf() to reflect that the return
+value of the function is now ERR_PTR(-errno) on failure.
+
+No functional changes in this patch.
+
+Cc: stable@vger.kernel.org
+Fixes: 57ada2fb2250 ("binder: add log information for binder transaction failures")
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20231201172212.1813387-8-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -535,7 +535,7 @@ err_alloc_buf_struct_failed:
+ * is the sum of the three given sizes (each rounded up to
+ * pointer-sized boundary)
+ *
+- * Return: The allocated buffer or %NULL if error
++ * Return: The allocated buffer or %ERR_PTR(-errno) if error
+ */
+ struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc,
+ size_t data_size,
--- /dev/null
+From 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 1 Dec 2023 17:21:30 +0000
+Subject: binder: use EPOLLERR from eventpoll.h
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 upstream.
+
+Use EPOLLERR instead of POLLERR to make sure it is cast to the correct
+__poll_t type. This fixes the following sparse issue:
+
+ drivers/android/binder.c:5030:24: warning: incorrect type in return expression (different base types)
+ drivers/android/binder.c:5030:24: expected restricted __poll_t
+ drivers/android/binder.c:5030:24: got int
+
+Fixes: f88982679f54 ("binder: check for binder_thread allocation failure in binder_poll()")
+Cc: stable@vger.kernel.org
+Cc: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20231201172212.1813387-2-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -4462,7 +4462,7 @@ static __poll_t binder_poll(struct file
+
+ thread = binder_get_thread(proc);
+ if (!thread)
+- return POLLERR;
++ return EPOLLERR;
+
+ binder_inner_proc_lock(thread->proc);
+ thread->looper |= BINDER_LOOPER_STATE_POLL;
--- /dev/null
+From cc0271a339cc70cae914c3ec20edc2a8058407da Mon Sep 17 00:00:00 2001
+From: James Clark <james.clark@arm.com>
+Date: Wed, 1 Nov 2023 11:52:06 +0000
+Subject: coresight: etm4x: Fix width of CCITMIN field
+
+From: James Clark <james.clark@arm.com>
+
+commit cc0271a339cc70cae914c3ec20edc2a8058407da upstream.
+
+CCITMIN is a 12 bit field and doesn't fit in a u8, so extend it to u16.
+This probably wasn't an issue previously because values higher than 255
+never occurred.
+
+But since commit 4aff040bcc8d ("coresight: etm: Override TRCIDR3.CCITMIN
+on errata affected cpus"), a comparison with 256 was done to enable the
+errata, generating the following W=1 build error:
+
+ coresight-etm4x-core.c:1188:24: error: result of comparison of
+ constant 256 with expression of type 'u8' (aka 'unsigned char') is
+ always false [-Werror,-Wtautological-constant-out-of-range-compare]
+
+ if (drvdata->ccitmin == 256)
+
+Cc: stable@vger.kernel.org
+Fixes: 2e1cdfe184b5 ("coresight-etm4x: Adding CoreSight ETM4x driver")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202310302043.as36UFED-lkp@intel.com/
+Reviewed-by: Mike Leach <mike.leach@linaro.org>
+Signed-off-by: James Clark <james.clark@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20231101115206.70810-1-james.clark@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-etm4x.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etm4x.h
++++ b/drivers/hwtracing/coresight/coresight-etm4x.h
+@@ -363,7 +363,7 @@ struct etmv4_drvdata {
+ u8 ctxid_size;
+ u8 vmid_size;
+ u8 ccsize;
+- u8 ccitmin;
++ u16 ccitmin;
+ u8 s_ex_level;
+ u8 ns_ex_level;
+ u8 q_support;
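Review bot: The widened field at `u16 ccitmin;` carries no comment explaining why it differs from its `u8` neighbours, and the earlier truncation went unnoticed until a compiler warning surfaced it. A short trailing comment such as `/* TRCIDR3.CCITMIN is a 12-bit field */` would keep the width from being narrowed again in a later cleanup. The code that fills ccitmin from the register is outside this hunk, so it is worth confirming that it extracts all 12 bits and does not pass the value through a narrower temporary. struct etmv4_drvdata starts and ends outside the hunk.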
Link: https://patchwork.freedesktop.org/patch/msgid/20231208131238.2924571-1-jani.nikula@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/gpu/drm/drm_crtc.c | 3 +--
+ drivers/gpu/drm/drm_crtc.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
-diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
-index 52a1bfeef0d9..22eba10af165 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
-@@ -573,7 +573,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+@@ -573,7 +573,7 @@ int drm_mode_setcrtc(struct drm_device *
struct drm_mode_set set;
uint32_t __user *set_connectors_ptr;
struct drm_modeset_acquire_ctx ctx;
if (!drm_core_check_feature(dev, DRIVER_MODESET))
return -EINVAL;
-@@ -718,7 +718,6 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+@@ -718,7 +718,6 @@ retry:
goto out;
}
for (i = 0; i < crtc_req->count_connectors; i++) {
connector_set[i] = NULL;
set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
---
-2.43.0
-
input-xpad-add-razer-wolverine-v2-support.patch
arm-sun9i-smp-fix-return-code-check-of-of_property_m.patch
drm-crtc-fix-uninitialized-variable-use.patch
+binder-use-epollerr-from-eventpoll.h.patch
+binder-fix-comment-on-binder_alloc_new_buf-return-value.patch
+uio-fix-use-after-free-in-uio_open.patch
+coresight-etm4x-fix-width-of-ccitmin-field.patch
--- /dev/null
+From 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 Mon Sep 17 00:00:00 2001
+From: Guanghui Feng <guanghuifeng@linux.alibaba.com>
+Date: Thu, 21 Dec 2023 17:57:43 +0800
+Subject: uio: Fix use-after-free in uio_open
+
+From: Guanghui Feng <guanghuifeng@linux.alibaba.com>
+
+commit 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 upstream.
+
+core-1 core-2
+-------------------------------------------------------
+uio_unregister_device uio_open
+ idev = idr_find()
+device_unregister(&idev->dev)
+put_device(&idev->dev)
+uio_device_release
+ get_device(&idev->dev)
+kfree(idev)
+uio_free_minor(minor)
+ uio_release
+ put_device(&idev->dev)
+ kfree(idev)
+-------------------------------------------------------
+
+In the core-1 uio_unregister_device(), the device_unregister will kfree
+idev when the idev->dev kobject ref is 1. But after core-1
+device_unregister, put_device and before doing kfree, the core-2 may
+get_device. Then:
+1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
+2. When core-2 do uio_release and put_device, the idev will be double
+ freed.
+
+To address this issue, we can get idev atomic & inc idev reference with
+minor_lock.
+
+Fixes: 57c5f4df0a5a ("uio: fix crash after the device is unregistered")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -464,13 +464,13 @@ static int uio_open(struct inode *inode,
+
+ mutex_lock(&minor_lock);
+ idev = idr_find(&uio_idr, iminor(inode));
+- mutex_unlock(&minor_lock);
+ if (!idev) {
+ ret = -ENODEV;
++ mutex_unlock(&minor_lock);
+ goto out;
+ }
+-
+ get_device(&idev->dev);
++ mutex_unlock(&minor_lock);
+
+ if (!try_module_get(idev->owner)) {
+ ret = -ENODEV;
+@@ -1019,9 +1019,8 @@ void uio_unregister_device(struct uio_in
+ idev->info = NULL;
+ mutex_unlock(&idev->info_lock);
+
+- device_unregister(&idev->dev);
+-
+ uio_free_minor(minor);
++ device_unregister(&idev->dev);
+
+ return;
+ }
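Review bot: Both reorderings in this patch are load-bearing for the idev lifetime, yet the new code has no comment saying so. A later cleanup could move `mutex_unlock(&minor_lock)` back above `get_device()` in uio_open(), or put `device_unregister()` back ahead of `uio_free_minor()` in uio_unregister_device(), and reopen the use-after-free described in the commit message. I would add `/* take the reference under minor_lock so idev cannot be freed between idr_find() and get_device() */` above `get_device(&idev->dev);` and `/* drop the minor from the idr first so uio_open() can no longer look up this idev */` above `uio_free_minor(minor);`. This presumes uio_free_minor() removes the idr entry under minor_lock; its body is outside the hunks and worth confirming. Both functions start and end outside the hunks shown.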