{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":15878393,"defaultBranch":"android-13-release-ttz","name":"kernel-msm","ownerLogin":"MotorolaMobilityLLC","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2014-01-13T19:06:34.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/6362357?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1715161765.0","currentOid":""},"activityList":{"items":[{"before":null,"after":"ff8d277ae93eed1adf6ece63158738c0ce4e16b0","ref":"refs/heads/android-14-release-u1tcs34.22-64-6-1","pushedAt":"2024-05-08T09:49:19.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"memshare: Prevent possible integer overflow\n\nPrevent possible integer overflow by sanitizing the alloc request\nsize coming from the client against allottable amount of memory.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-43550\nCRs-Fixed: 3595842\nChange-Id: I74cb0f7b0808f20299586969fd5c810d44c3e576\nSigned-off-by: Manoj Prabhu B \nSigned-off-by: VIJAYAN CHENGANNAGARI \nSigned-off-by: Ashutosh Verma \nReviewed-on: https://gerrit.mot.com/2841279\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Xiangpo Zhao \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"memshare: Prevent possible integer overflow"}},{"before":"628a1751b2a165821774ada6211f98e259e798f2","after":"c0b8e81ebe1f1e3c1173c77e7ade553d9c069489","ref":"refs/heads/android-12-release-s0rcs32.41-10-9-2","pushedAt":"2024-05-08T05:01:34.000Z","pushType":"push","commitsCount":73,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"video: fbdev: pxa3xx-gcu: Fix integer overflow in 
pxa3xx_gcu_write\n\n[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ]\n\nIn pxa3xx_gcu_write, a count parameter of type size_t is passed to words of\ntype int. Then, copy_from_user() may cause a heap overflow because it is used\nas the third argument of copy_from_user().\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2022-39842\nBug: 245928838\n\nChange-Id: If3b27ac3720242550e7e9b5547590085a75ee5ba\nSigned-off-by: Hyunwoo Kim \nSigned-off-by: Helge Deller \nSigned-off-by: Sasha Levin \nSigned-off-by: Gajjala Chakradhar \nReviewed-on: https://gerrit.mot.com/2480183\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Konstantin Makariev \nSubmit-Approved: Jira Key\n(cherry picked from commit eb1e6179c10605c8808f3966f85ffc9ca66c138c)","shortMessageHtmlLink":"video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write"}},{"before":null,"after":"b130de6c427c417dea6a73fc370c8cb32e63b472","ref":"refs/heads/android-12-release-s1rxs32.50-13-25","pushedAt":"2024-05-08T04:10:56.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"msm: kgsl: Limit the syncpoint count for AUX commands\n\nKGSL internally has a limit on the length of the list of syncpoints\nsubmitted in a single AUX command. 
Enforce this limit so we don't\noverwrite memory beyond the structures that track these syncpoints.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-33106\nCRs-Fixed: 3612841\nChange-Id: I261bfd4f786ff7e4fbe07e8bca9e9b8d8b87c950\nSigned-off-by: Lynus Vaz \nSigned-off-by: Kaushal Sanadhya \nSigned-off-by: Ashutosh Verma \nReviewed-on: https://gerrit.mot.com/2789322\nSLTApproved: Slta Waiver\nSME-Granted: SME Approvals Granted\nTested-by: Jira Key\nReviewed-by: Xiangpo Zhao \nSubmit-Approved: Jira Key\n(cherry picked from commit 716c138e4d22444ba2f5246ceece073fda59d0c1)","shortMessageHtmlLink":"msm: kgsl: Limit the syncpoint count for AUX commands"}},{"before":null,"after":"cb24c2573e213a1854d745473235ae6679dd4c01","ref":"refs/heads/android-13-release-t1sus33.1-124-6-8-1","pushedAt":"2024-05-07T23:13:04.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"memshare: Prevent possible integer overflow\n\nPrevent possible integer overflow by sanitizing the alloc request\nsize coming from the client against allottable amount of memory.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-43550\nCRs-Fixed: 3595842\nChange-Id: I74cb0f7b0808f20299586969fd5c810d44c3e576\nSigned-off-by: Manoj Prabhu B \nSigned-off-by: VIJAYAN CHENGANNAGARI \nSigned-off-by: Ashutosh Verma \nReviewed-on: https://gerrit.mot.com/2841279\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Xiangpo Zhao \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"memshare: Prevent possible integer 
overflow"}},{"before":null,"after":"a0d823eec6b084d813e28b9febd9d63a62b6453e","ref":"refs/heads/android-13-release-t1shs33.35-23-20-12","pushedAt":"2024-05-07T22:07:59.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"msm: kgsl: Update gpu work period logging\n\nParallel GPU work can be submitted from several different\nprocesses with the same application UID. Hence update gpu\nwork period logging based on application uid instead of PID.\n\nChange-Id: Ifb18da3a8c251a8dd64b74e2088517d4e6150131\nSigned-off-by: Hareesh Gundu \nSigned-off-by: NISARG SHETH \n(cherry picked from commit e882e63ab6Montana65b64c12ad10386e6a0f0b269d4)","shortMessageHtmlLink":"msm: kgsl: Update gpu work period logging"}},{"before":null,"after":"f7d65cfff19b653213d9bd6b067d070e4aaa2745","ref":"refs/heads/android-14-release-u2um34.27-38-5","pushedAt":"2024-04-30T10:07:42.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"remove moto_sched changes when disabled\n\nChange-Id: Ic2a9da7257d03ec08629602e43504d03e14e9366\nSigned-off-by: chentao8 \nReviewed-on: https://gerrit.mot.com/2887898\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Zhangqing Huang \nReviewed-by: Wang Wang \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"remove moto_sched changes when 
disabled"}},{"before":null,"after":"0645d7611091eaa706fa269b2cc209cbbe37cdab","ref":"refs/heads/android-14-release-u1ufn34.41-70r3","pushedAt":"2024-04-30T07:14:14.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"config:fogo5gna:remove aw8838\n\nfogo5g na can't pass new hac standard.\nso just pass old hac standard.\nif use old hac standard.\ndon't need aw8838.\nso remove it.\n\nChange-Id: I66f80a5e1549193c53f394b6481b09c2041c405d\nSigned-off-by: liaohj \nReviewed-on: https://gerrit.mot.com/2850083\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Wanlong Zhou \nReviewed-by: Zhenxin Xi \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"config:fogo5gna:remove aw8838"}},{"before":null,"after":"41ddc7d5e0d2dfebbbd2ee8b67d469dbc04495aa","ref":"refs/heads/android-12-release-s3rxc32.33-8-25","pushedAt":"2024-04-25T08:10:18.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"msm: kgsl: Check user generated timestamp before queuing drawobjs\n\nIn ioctls l(CR) kgsl_ioctl_submit_commands(), if both syncobj\ntype and cmd/marker/sparseobj type are submitted, the syncobj\nis queued first followed by the other obj type. After syncobj\nis successfully queued, in case of failure in get_timestamp\nwhile queuing the other obj, both the command objs are\ndestroyed. As sync obj is already queued, accessing this\nlater would cause a crash.\n\nCompare the user generated timestamp with the drawctxt\ntimestamp and return early in case of error. 
This avoids\nunnecessary queuing of drawobjs.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-33021\nCRs-Fixed: 3397562 \n\nChange-Id: Iedebd480bc18cd74d2f69d24a9dc1032fab01cdb\nSigned-off-by: Kamal Agrawal \nSigned-off-by: Dharshan R \nReviewed-on: https://gerrit.mot.com/2653225\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Xiangpo Zhao \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"msm: kgsl: Check user generated timestamp before queuing drawobjs"}},{"before":"f1c28235b0decd2048fcd463a3918c25c36d855b","after":"1a9ca4963ab2b77273c568af3e8d303ef9024f25","ref":"refs/heads/android-14-release-u1tr34.8-19-11","pushedAt":"2024-04-16T00:09:24.000Z","pushType":"push","commitsCount":2,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"msm: adsprpc : Fix use after free in fastrpc_internal_mem_unmap\n\nThread 1 can make a to call fastrpc_mmap_create under internal mem map\nand release fl->map_mutex. Thread 2 can make call to internal mem unmap,\nacquire fl->map_mutex and get same map though fastrpc_mmap_remove.\nThread 1 fail in fastrpc_mem_map_to_dsp jumps to bail and do map free.\nThread 2 still holds same map which can lead use after free. 
Serialize\nfastrpc internal mem map and unmap.\n\nChange-Id: I54a3602914b43fc67635c0de193bd21aa13daaa3\nSigned-off-by: Santosh Sakore \n(cherry picked from commit b1f71f187b5fee55fba5ca529facc3ac13d9f4af)","shortMessageHtmlLink":"msm: adsprpc : Fix use after free in fastrpc_internal_mem_unmap"}},{"before":"2184629309ffcaf0376c88f31b21a77425b70cdb","after":"b155c6a026be2352bc6afd6e1ffa59388783a348","ref":"refs/heads/android-13-release-traa","pushedAt":"2024-04-10T11:09:41.000Z","pushType":"push","commitsCount":4,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"net: qrtr: fifo: Add bounds check on tx path\n\nAdd bounds check on values read from shared memory in the tx path. In\ncases where the VM is misbehaving, the qrtr transport should exit and\nprint a warning when bogus values may cause out of bounds to be read.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-22387\nCRs-Fixed: 3356023\nBug: 276750306\n\nChange-Id: I7ebef28ed8eba4c4da0b32d5114365bbe6bea390\nSigned-off-by: Sarannya S \n(cherry picked from commit 66646d99cbf4ec28ff9b8fd8d327c6f906d254c4)\nSigned-off-by: Gajjala Chakradhar \nReviewed-on: https://gerrit.mot.com/2635313\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Konstantin Makariev \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"net: qrtr: fifo: Add bounds check on tx path"}},{"before":null,"after":"a5720393ff33822b84620fce87fadddf6cc213e7","ref":"refs/heads/android-13-release-t3tbs33.2-47-2-4","pushedAt":"2024-04-10T04:36:10.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"Subject: [PATCH] pci: msm: Decouple pci framework from pm ops-CR#3475311\n\npick CR#3475311 to stable line.\nFix 
\"ds_3gpp_wm_sm_mgr.c:3967\" issue in (CR).\n\nChange-Id: I5c2051a61c4129249de16197b146677fc1bed5fb\nSigned-off-by: guhong \nReviewed-on: https://gerrit.mot.com/2814521\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: panyq6 \nSLTApproved: panyq6 \nSubmit-Approved: panyq6 \nTested-by: panyq6 \n(cherry picked from commit 68dce74b01dd053fb2cd67c3c4d5c28f464e726a)","shortMessageHtmlLink":"Subject: [PATCH] pci: msm: Decouple pci framework from pm ops-CR#3475311"}},{"before":null,"after":"df23a2df32c7d9df6560803027e95c6a44acdde4","ref":"refs/heads/android-14-release-u1tc34.22-64-6","pushedAt":"2024-04-04T21:30:44.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"msm: adsprpc : Fix use after free in fastrpc_internal_mem_unmap\n\nThread 1 can make a to call fastrpc_mmap_create under internal mem map\nand release fl->map_mutex. Thread 2 can make call to internal mem unmap,\nacquire fl->map_mutex and get same map though fastrpc_mmap_remove.\nThread 1 fail in fastrpc_mem_map_to_dsp jumps to bail and do map free.\nThread 2 still holds same map which can lead use after free. 
Serialize\nfastrpc internal mem map and unmap.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-43514\nCRs-Fixed: 3613254\nBug: 303101664\n\nChange-Id: I54a3602914b43fc67635c0de193bd21aa13daaa3\nSigned-off-by: DEEPAK SANNAPAREDDY \nSigned-off-by: Ashutosh Verma \nReviewed-on: https://gerrit.mot.com/2832044\nSLTApproved: Slta Waiver\nSME-Granted: SME Approvals Granted\nTested-by: Jira Key\nReviewed-by: Chakradhar Gajjala \nReviewed-by: Xiangpo Zhao \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"msm: adsprpc : Fix use after free in fastrpc_internal_mem_unmap"}},{"before":"4024c7b527270fb20f3413c97c310d9f4cadf9f5","after":"2012a0c0182b726804b4c3073154928c5024b756","ref":"refs/heads/android-13-release-t1ssms33.1-121-4-5","pushedAt":"2024-03-25T22:42:02.000Z","pushType":"push","commitsCount":7,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"rpmsg: slatecom: Discard unaligned packet to read\n\nIf intent_alloc_size and chunk size are unaligned with the minimum offset,\nthen ahb_read can lead to bytes overflow as ahb_read is performed\nwith word_size aligned.\n\nIf the received chunk_size is not aligned to word_size, discard packet\nto read.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-33087\nCRs-Fixed: 3508356\nChange-Id: I36fabc8bde22355de1ae32cb026a2a246778d47e\nSigned-off-by: Kaushal Hooda \nSigned-off-by: Ashutosh Verma >ashverma@motorola.com>\nReviewed-on: https://gerrit.mot.com/2758526\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Xiangpo Zhao \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"rpmsg: slatecom: Discard unaligned packet to 
read"}},{"before":null,"after":"91b0f02f936cce76eca97f587784bb95742bf9c9","ref":"refs/heads/android-14-release-u1sq34.52-21-1","pushedAt":"2024-03-12T03:02:37.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"Wlan: Revert \"icnss2: Remove wlan driver on device shutdown\"\n\nThis reverts commit 66f41bc187636810562bad0db6b2588c50db7b05.\n\nChange-Id: I1927521d3082b6759911ae948b8d3f352f2fd58f\nReviewed-on: https://gerrit.mot.com/2805308\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Xianglong Liao \nReviewed-by: Yue Sun \nReviewed-by: Tao Sun \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"Wlan: Revert \"icnss2: Remove wlan driver on device shutdown\""}},{"before":null,"after":"8dfe6cafe5f10c4fcd36c430af1aa53e59cb3f88","ref":"refs/heads/android-13-release-t1ssms33.1-121-4-8","pushedAt":"2024-03-01T13:06:44.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"msm: kgsl: Limit the syncpoint count for AUX commands\n\nKGSL internally has a limit on the length of the list of syncpoints\nsubmitted in a single AUX command. 
Enforce this limit so we don't\noverwrite memory beyond the structures that track these syncpoints.\n\nChange-Id: I261bfd4f786ff7e4fbe07e8bca9e9b8d8b87c950\nSigned-off-by: Lynus Vaz \nSigned-off-by: Kaushal Sanadhya ","shortMessageHtmlLink":"msm: kgsl: Limit the syncpoint count for AUX commands"}},{"before":null,"after":"c447a3ca872c7cadefffc11dfb0d8050482b5c28","ref":"refs/heads/android-11-release-rzd31.31","pushedAt":"2024-01-29T16:02:22.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"STS fail\n\nChange-Id: If293bdb88da666b9c62a3c6a3d608636ab40a83f\nReviewed-on: https://gerrit.mot.com/2537452\nReviewed-by: \nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Suting Xie \nSLTApproved: Suting Xie \nSME-Granted: Suting Xie \nSubmit-Approved: Suting Xie \nTested-by: Suting Xie ","shortMessageHtmlLink":"STS fail"}},{"before":null,"after":"8025c1ef4ac12620b5b9aa63c086b2b21a4dd5ca","ref":"refs/heads/android-14-release-u1ug34.23-28-2","pushedAt":"2024-01-23T18:38:15.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"psi: Fix psi state corruption when schedule() races with cgroup move\n\n4117cebf1a9f (\"psi: Optimize task switch inside shared cgroups\")\nintroduced a race condition that corrupts internal psi state. This\nmanifests as kernel warnings, sometimes followed by bogusly high IO\npressure:\n\n psi: task underflow! cpu=1 t=2 tasks=[0 0 0 0] clear=c set=0\n (schedule() decreasing RUNNING and ONCPU, both of which are 0)\n\n psi: incosistent task state! 
task=2412744:systemd cpu=17 psi_flags=e clear=3 set=0\n (cgroup_move_task() clearing MEMSTALL and IOWAIT, but task is MEMSTALL | RUNNING | ONCPU)\n\nWhat the offending commit does is batch the two psi callbacks in\nschedule() to reduce the number of cgroup tree updates. When prev is\ndeactivated and removed from the runqueue, nothing is done in psi at\nfirst; when the task switch completes, TSK_RUNNING and TSK_IOWAIT are\nupdated along with TSK_ONCPU.\n\nHowever, the deactivation and the task switch inside schedule() aren't\natomic: pick_next_task() may drop the rq lock for load balancing. When\nthis happens, cgroup_move_task() can run after the task has been\nphysically dequeued, but the psi updates are still pending. Since it\nlooks at the task's scheduler state, it doesn't move everything to the\nnew cgroup that the task switch that follows is about to clear from\nit. cgroup_move_task() will leak the TSK_RUNNING count in the old\ncgroup, and psi_sched_switch() will underflow it in the new cgroup.\n\nA similar thing can happen for iowait. TSK_IOWAIT is usually set when\na p->in_iowait task is dequeued, but again this update is deferred to\nthe switch. cgroup_move_task() can see an unqueued p->in_iowait task\nand move a non-existent TSK_IOWAIT. This results in the inconsistent\ntask state warning, as well as a counter underflow that will result in\npermanent IO ghost pressure being reported.\n\nFix this bug by making cgroup_move_task() use task->psi_flags instead\nof looking at the potentially mismatching scheduler state.\n\n[ We used the scheduler state historically in order to not rely on\n task->psi_flags for anything but debugging. But that ship has sailed\n anyway, and this is simpler and more robust.\n\n We previously already batched TSK_ONCPU clearing with the\n TSK_RUNNING update inside the deactivation call from schedule(). 
But\n that ordering was safe and didn't result in TSK_ONCPU corruption:\n unl(CR) most places in the scheduler, cgroup_move_task() only checked\n task_current() and handled TSK_ONCPU if the task was still queued. ]\n\nFixes: 4117cebf1a9f (\"psi: Optimize task switch inside shared cgroups\")\nSigned-off-by: Johannes Weiner \nSigned-off-by: Peter Zijlstra (Intel) \nLink: https://lkml.kernel.org/r/20210503174917.38579-1-hannes@cmpxchg.org\n\nChange-Id: I83fc22d7ecb515896a526892f40066353a6dadd0\nMot-CRs-fixed: (CR)\nReviewed-on: https://gerrit.mot.com/2408024\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Xiangpo Zhao \nSubmit-Approved: Jira Key\nReviewed-on: https://gerrit.mot.com/2817400\nReviewed-by: Hongshu Lou \nReviewed-by: Huosheng Liao ","shortMessageHtmlLink":"psi: Fix psi state corruption when schedule() races with cgroup move"}},{"before":null,"after":"583a75c33e2f2420fc2c499eca30fd7d592b696b","ref":"refs/heads/android-13-release-t1tpjs33.75-105-1-3","pushedAt":"2024-01-23T11:53:11.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"FROMLIST: binder: fix UAF caused by faulty buffer cleanup\n\nIn binder_transaction_buffer_release() the 'failed_at' offset indicates\nthe number of objects to clean up. However, this function was changed by\ncommit 44d8047f1d87 (\"binder: use standard functions to allocate fds\"),\nto release all the objects in the buffer when 'failed_at' is zero.\n\nThis introduced an issue when a transaction buffer is released without\nany objects having been processed so far. In this case, 'failed_at' is\nindeed zero yet it is misinterpreted as releasing the entire buffer.\n\nThis leads to use-after-free errors where nodes are incorrectly freed\nand subsequently accessed. 
Such is the case in the following KASAN\nreport:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in binder_thread_read+0xc40/0x1f30\n Read of size 8 at addr ffff4faf037cfc58 by task poc/474\n\n CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n dump_backtrace+0x94/0xec\n show_stack+0x18/0x24\n dump_stack_lvl+0x48/0x60\n print_report+0xf8/0x5b8\n kasan_report+0xb8/0xfc\n __asan_load8+0x9c/0xb8\n binder_thread_read+0xc40/0x1f30\n binder_ioctl+0xd9c/0x1768\n __arm64_sys_ioctl+0xd4/0x118\n invoke_syscall+0x60/0x188\n [...]\n\n Allocated by task 474:\n kasan_save_stack+0x3c/0x64\n kasan_set_track+0x2c/0x40\n kasan_save_alloc_info+0x24/0x34\n __kasan_kmalloc+0xb8/0xbc\n kmalloc_trace+0x48/0x5c\n binder_new_node+0x3c/0x3a4\n binder_transaction+0x2b58/0x36f0\n binder_thread_write+0x8e0/0x1b78\n binder_ioctl+0x14a0/0x1768\n __arm64_sys_ioctl+0xd4/0x118\n invoke_syscall+0x60/0x188\n [...]\n\n Freed by task 475:\n kasan_save_stack+0x3c/0x64\n kasan_set_track+0x2c/0x40\n kasan_save_free_info+0x38/0x5c\n __kasan_slab_free+0xe8/0x154\n __kmem_cache_free+0x128/0x2bc\n kfree+0x58/0x70\n binder_dec_node_tmpref+0x178/0x1fc\n binder_transaction_buffer_release+0x430/0x628\n binder_transaction+0x1954/0x36f0\n binder_thread_write+0x8e0/0x1b78\n binder_ioctl+0x14a0/0x1768\n __arm64_sys_ioctl+0xd4/0x118\n invoke_syscall+0x60/0x188\n [...]\n ==================================================================\n\nIn order to avoid these issues, let's always calculate the intended\n'failed_at' offset beforehand. 
This is renamed and wrapped in a helper\nfunction to make it clear and convenient.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-21255\n\nFixes: 32e9f56a96d8 (\"binder: don't detect sender/target during buffer cleanup\")\nReported-by: Zi Fan Tan \nLink: https://b.corp.google.com/issues/275041864\nCc: stable@vger.kernel.org\nSigned-off-by: Carlos Llamas \n\nBug: 275041864\nLink: https://lore.kernel.org/all/20230505203020.4101154-1-cmllamas@google.com\nChange-Id: I4bcc8bde77a8118872237d100cccb5caf95d99a1\n[cmllamas: drop hunk for missing commit 9864bb480133]\nSigned-off-by: Carlos Llamas \nSigned-off-by: Gajjala Chakradhar \nReviewed-on: https://gerrit.mot.com/2639656\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Konstantin Makariev \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"FROMLIST: binder: fix UAF caused by faulty buffer cleanup"}},{"before":null,"after":"f1c28235b0decd2048fcd463a3918c25c36d855b","ref":"refs/heads/android-14-release-u1tr34.8-19-11","pushedAt":"2024-01-22T13:11:40.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"system will reboot caused by watchdog.\n\nSystem will reboot because watchdog bark triggered.\nWe found that system is very busy at bootup phase,\nwatchdog thread is pending leading watchdog bark.\nSo we change watchdog bark time to 16S.\n\nChange-Id: I6fed16890bf4ad3abf8362e56b7147202a947bb5\nSigned-off-by: wu chao \nReviewed-on: https://gerrit.mot.com/2781746\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Xinmin Fu \nReviewed-by: Long Qian \nReviewed-by: gaoyx9 \nSLTApproved: gaoyx9 \nSubmit-Approved: gaoyx9 \nTested-by: gaoyx9 ","shortMessageHtmlLink":"system will reboot caused by 
watchdog."}},{"before":null,"after":"56b642dc29e38ccd60db62d2e01999a48fe82bda","ref":"refs/heads/android-14-release-u1ug34.23-23-3","pushedAt":"2024-01-22T07:56:28.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"mmc: fix sdcard nullpoint exception\n\nport from: (CR)\n\nSymptom:\nhost->card is null when call mmc_sd_suspend.\n\nRoot Cause:\nthe another process call mmc_remove_card,then host->card = NULL\n\nSolution:\nadd host->card check when it used.\n\nTest result:\nThe SD card functions normally\n\nChange-Id: Id3312d5be7403457a864e5ddc628fd4e6da0b459\nReviewed-on: https://gerrit.mot.com/2535590\nSLTApproved: Slta Waiver\nSME-Granted: SME Approvals Granted\nTested-by: Jira Key\nReviewed-by: Ying Shen \nReviewed-by: Zonghua Liu \nReviewed-by: Qiong Xie \nSubmit-Approved: Jira Key\nReviewed-on: https://gerrit.mot.com/2808715\nReviewed-by: Zhenghai Pan \nReviewed-by: Huosheng Liao ","shortMessageHtmlLink":"mmc: fix sdcard nullpoint exception"}},{"before":null,"after":"83fd5c1e511251d5b2df6a0ddf3e1649f907040b","ref":"refs/heads/android-12-release-s2ryas32.58-13-12-5-1-4","pushedAt":"2024-01-12T04:55:42.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"net: qrtr: get svc_id before queueing sk_buff\n\nIn qrtr_endpoint_post, getting svc_id based on sk_buff->cb after sk_buff\nhas been queued to the endpoint leads to a potential use-after-free\nscenario. 
To avoid this race condition, get the service ID via\nsk_buff->cb before queueing the sk_buff.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2022-33292\nBug: 250627197\nCRs-Fixed: 3152855\n\nChange-Id: I53205fdffc08fd6dc48fd158c7fe5966f38aa978\nSigned-off-by: Tony Truong \nSigned-off-by: Ashutosh Verma \nReviewed-on: https://gerrit.mot.com/2601336\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Xiangpo Zhao \nSubmit-Approved: Jira Key\nReviewed-on: https://gerrit.mot.com/2637771\n(cherry picked from commit 3a160740c864e4180e89f6203ac2d33fdbfff2d4)","shortMessageHtmlLink":"net: qrtr: get svc_id before queueing sk_buff"}},{"before":null,"after":"62d399c22e75a699674268a98ba8f59b328acc34","ref":"refs/heads/android-11-release-rpjs31.q4u-47-35-17","pushedAt":"2024-01-11T20:31:19.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"sctp: add param size validation for SCTP_PARAM_SET_PRIMARY\n\ncommit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 upstream.\n\nWhen SCTP handles an INIT chunk, it calls for example:\nsctp_sf_do_5_1B_init\n sctp_verify_init\n sctp_verify_param\n sctp_process_init\n sctp_process_param\n handling of SCTP_PARAM_SET_PRIMARY\n\nsctp_verify_init() wasn't doing proper size validation and neither the\nlater handling, allowing it to work over the chunk itself, possibly being\nuninitialized memory.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2021-3655\nBug: 197154735\n\nChange-Id: I7435ddba396c7f1efce141e6209db280bffbb6ea\nSigned-off-by: Marcelo Ricardo Leitner \nSigned-off-by: David S. 
Miller \nSigned-off-by: Greg Kroah-Hartman \nSigned-off-by: Gajjala Chakradhar \nReviewed-on: https://gerrit.mot.com/2197717\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Xiangpo Zhao \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"sctp: add param size validation for SCTP_PARAM_SET_PRIMARY"}},{"before":"0df9925d29dec5ada24e08238cec2a16e5fd38e0","after":"fb25b3dba2bc6319c82baa58ca2942e6cd87c81f","ref":"refs/heads/android-13-release-ttz","pushedAt":"2024-01-11T15:45:21.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"asbraga-motorola","name":null,"path":"/asbraga-motorola","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/108535100?s=80&v=4"},"commit":{"message":"Create kernel-source-request.yml\n\nTemplate for code request issues.","shortMessageHtmlLink":"Create kernel-source-request.yml"}},{"before":null,"after":"47172b99669345721eeefd30ee811773f4ad4718","ref":"refs/heads/android-13-release-t2srs33.72-22-4-1","pushedAt":"2024-01-04T03:22:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"Revert \"spi: spi-msm-geni: Keep device to suspend if PM call fails\"\n\nThis commit is causing Kiev to suspend and never return forcing user to\nhard reset the device. 
Revert it.\n\nThis reverts commit 08c0ed4f3c89dfa0a2439d47774b7040b018f603.\n\nChange-Id: I64990545042b36c3d2f8767ed4352542c522342b\nsigned-off-by:brunosmp@motorola.com\nReviewed-on: https://gerrit.mot.com/2475049\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Gilberto Gambugge Neto \nSubmit-Approved: Jira Key\n(cherry picked from commit 049e7785a4590a730f5d25dfdb5a11972a19b4d0)\nReviewed-on: https://gerrit.mot.com/2742407\nSubmit-Approved: Gilberto Gambugge Neto ","shortMessageHtmlLink":"Revert \"spi: spi-msm-geni: Keep device to suspend if PM call fails\""}},{"before":null,"after":"05e26b23c90af428fb9c5f92818697f4536fd912","ref":"refs/heads/android-13-release-t1tr33.43-20-56","pushedAt":"2023-12-29T06:18:58.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"msm: adsprpc: Handle UAF in fastrpc_buf_free\n\nThread T1 add buffer to fl->cached_bufs and release fl->hlock and holding\nbuffer reference. Now thread T2 will aquire fl->hlock and free buffer in\nfastrpc_cached_buf_list_free(). 
T1 will dereference the freed buffer.\nMoving reference buffer uses for T1 inside fl->hlock to avoid UAF.\n\nChange-Id: I5f08d5497099133f87d55f5879cfe50c2ba23ae6\nAcked-by: Santosh Sakore \nSigned-off-by: Vamsi Krishna Gattupalli ","shortMessageHtmlLink":"msm: adsprpc: Handle UAF in fastrpc_buf_free"}},{"before":null,"after":"dd37976aa68561f103529e0b6c11185e85181e9f","ref":"refs/heads/android-12-release-s1rn32.55-16-13","pushedAt":"2023-12-28T10:24:27.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"net: qrtr: fifo: Add bounds check on tx path\n\nAdd bounds check on values read from shared memory in the tx path. In\ncases where the VM is misbehaving, the qrtr transport should exit and\nprint a warning when bogus values may cause out of bounds to be read.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-22387\nCRs-Fixed: 3356023\nBug: 276750306\n\nChange-Id: I7ebef28ed8eba4c4da0b32d5114365bbe6bea390\nSigned-off-by: Sarannya S \n(cherry picked from commit 66646d99cbf4ec28ff9b8fd8d327c6f906d254c4)\nSigned-off-by: Gajjala Chakradhar \nReviewed-on: https://gerrit.mot.com/2635313\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Konstantin Makariev \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"net: qrtr: fifo: Add bounds check on tx path"}},{"before":null,"after":"47172b99669345721eeefd30ee811773f4ad4718","ref":"refs/heads/android-13-release-t2sn33.73-22-3","pushedAt":"2023-12-19T19:35:52.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"Revert \"spi: spi-msm-geni: Keep device to suspend if PM call fails\"\n\nThis commit is causing Kiev to suspend and never return forcing user to\nhard 
reset the device. Revert it.\n\nThis reverts commit 08c0ed4f3c89dfa0a2439d47774b7040b018f603.\n\nChange-Id: I64990545042b36c3d2f8767ed4352542c522342b\nsigned-off-by:brunosmp@motorola.com\nReviewed-on: https://gerrit.mot.com/2475049\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Gilberto Gambugge Neto \nSubmit-Approved: Jira Key\n(cherry picked from commit 049e7785a4590a730f5d25dfdb5a11972a19b4d0)\nReviewed-on: https://gerrit.mot.com/2742407\nSubmit-Approved: Gilberto Gambugge Neto ","shortMessageHtmlLink":"Revert \"spi: spi-msm-geni: Keep device to suspend if PM call fails\""}},{"before":null,"after":"e2e8dc992e1e2d0f22bfa6c4e152aadfd8a8a7ae","ref":"refs/heads/android-13-release-t1sjs33.117-30-3-5","pushedAt":"2023-12-17T01:00:50.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"FROMLIST: binder: fix UAF caused by faulty buffer cleanup\n\nIn binder_transaction_buffer_release() the 'failed_at' offset indicates\nthe number of objects to clean up. However, this function was changed by\ncommit 44d8047f1d87 (\"binder: use standard functions to allocate fds\"),\nto release all the objects in the buffer when 'failed_at' is zero.\n\nThis introduced an issue when a transaction buffer is released without\nany objects having been processed so far. In this case, 'failed_at' is\nindeed zero yet it is misinterpreted as releasing the entire buffer.\n\nThis leads to use-after-free errors where nodes are incorrectly freed\nand subsequently accessed. 
Such is the case in the following KASAN\nreport:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in binder_thread_read+0xc40/0x1f30\n Read of size 8 at addr ffff4faf037cfc58 by task poc/474\n\n CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n dump_backtrace+0x94/0xec\n show_stack+0x18/0x24\n dump_stack_lvl+0x48/0x60\n print_report+0xf8/0x5b8\n kasan_report+0xb8/0xfc\n __asan_load8+0x9c/0xb8\n binder_thread_read+0xc40/0x1f30\n binder_ioctl+0xd9c/0x1768\n __arm64_sys_ioctl+0xd4/0x118\n invoke_syscall+0x60/0x188\n [...]\n\n Allocated by task 474:\n kasan_save_stack+0x3c/0x64\n kasan_set_track+0x2c/0x40\n kasan_save_alloc_info+0x24/0x34\n __kasan_kmalloc+0xb8/0xbc\n kmalloc_trace+0x48/0x5c\n binder_new_node+0x3c/0x3a4\n binder_transaction+0x2b58/0x36f0\n binder_thread_write+0x8e0/0x1b78\n binder_ioctl+0x14a0/0x1768\n __arm64_sys_ioctl+0xd4/0x118\n invoke_syscall+0x60/0x188\n [...]\n\n Freed by task 475:\n kasan_save_stack+0x3c/0x64\n kasan_set_track+0x2c/0x40\n kasan_save_free_info+0x38/0x5c\n __kasan_slab_free+0xe8/0x154\n __kmem_cache_free+0x128/0x2bc\n kfree+0x58/0x70\n binder_dec_node_tmpref+0x178/0x1fc\n binder_transaction_buffer_release+0x430/0x628\n binder_transaction+0x1954/0x36f0\n binder_thread_write+0x8e0/0x1b78\n binder_ioctl+0x14a0/0x1768\n __arm64_sys_ioctl+0xd4/0x118\n invoke_syscall+0x60/0x188\n [...]\n ==================================================================\n\nIn order to avoid these issues, let's always calculate the intended\n'failed_at' offset beforehand. 
This is renamed and wrapped in a helper\nfunction to make it clear and convenient.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-21255\n\nFixes: 32e9f56a96d8 (\"binder: don't detect sender/target during buffer cleanup\")\nReported-by: Zi Fan Tan \nLink: https://b.corp.google.com/issues/275041864\nCc: stable@vger.kernel.org\nSigned-off-by: Carlos Llamas \n\nBug: 275041864\nLink: https://lore.kernel.org/all/20230505203020.4101154-1-cmllamas@google.com\nChange-Id: I4bcc8bde77a8118872237d100cccb5caf95d99a1\n[cmllamas: drop hunk for missing commit 9864bb480133]\nSigned-off-by: Carlos Llamas \nSigned-off-by: Gajjala Chakradhar \nReviewed-on: https://gerrit.mot.com/2639699\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Konstantin Makariev \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"FROMLIST: binder: fix UAF caused by faulty buffer cleanup"}},{"before":null,"after":"4024c7b527270fb20f3413c97c310d9f4cadf9f5","ref":"refs/heads/android-13-release-t1ssms33.1-121-4-5","pushedAt":"2023-12-16T21:33:52.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"FROMLIST: binder: fix UAF caused by faulty buffer cleanup\n\nIn binder_transaction_buffer_release() the 'failed_at' offset indicates\nthe number of objects to clean up. However, this function was changed by\ncommit 44d8047f1d87 (\"binder: use standard functions to allocate fds\"),\nto release all the objects in the buffer when 'failed_at' is zero.\n\nThis introduced an issue when a transaction buffer is released without\nany objects having been processed so far. In this case, 'failed_at' is\nindeed zero yet it is misinterpreted as releasing the entire buffer.\n\nThis leads to use-after-free errors where nodes are incorrectly freed\nand subsequently accessed. 
Such is the case in the following KASAN\nreport:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in binder_thread_read+0xc40/0x1f30\n Read of size 8 at addr ffff4faf037cfc58 by task poc/474\n\n CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n dump_backtrace+0x94/0xec\n show_stack+0x18/0x24\n dump_stack_lvl+0x48/0x60\n print_report+0xf8/0x5b8\n kasan_report+0xb8/0xfc\n __asan_load8+0x9c/0xb8\n binder_thread_read+0xc40/0x1f30\n binder_ioctl+0xd9c/0x1768\n __arm64_sys_ioctl+0xd4/0x118\n invoke_syscall+0x60/0x188\n [...]\n\n Allocated by task 474:\n kasan_save_stack+0x3c/0x64\n kasan_set_track+0x2c/0x40\n kasan_save_alloc_info+0x24/0x34\n __kasan_kmalloc+0xb8/0xbc\n kmalloc_trace+0x48/0x5c\n binder_new_node+0x3c/0x3a4\n binder_transaction+0x2b58/0x36f0\n binder_thread_write+0x8e0/0x1b78\n binder_ioctl+0x14a0/0x1768\n __arm64_sys_ioctl+0xd4/0x118\n invoke_syscall+0x60/0x188\n [...]\n\n Freed by task 475:\n kasan_save_stack+0x3c/0x64\n kasan_set_track+0x2c/0x40\n kasan_save_free_info+0x38/0x5c\n __kasan_slab_free+0xe8/0x154\n __kmem_cache_free+0x128/0x2bc\n kfree+0x58/0x70\n binder_dec_node_tmpref+0x178/0x1fc\n binder_transaction_buffer_release+0x430/0x628\n binder_transaction+0x1954/0x36f0\n binder_thread_write+0x8e0/0x1b78\n binder_ioctl+0x14a0/0x1768\n __arm64_sys_ioctl+0xd4/0x118\n invoke_syscall+0x60/0x188\n [...]\n ==================================================================\n\nIn order to avoid these issues, let's always calculate the intended\n'failed_at' offset beforehand. 
This is renamed and wrapped in a helper\nfunction to make it clear and convenient.\n\nMot-CRs-fixed: (CR)\nCVE-Fixed: CVE-2023-21255\n\nFixes: 32e9f56a96d8 (\"binder: don't detect sender/target during buffer cleanup\")\nReported-by: Zi Fan Tan \nLink: https://b.corp.google.com/issues/275041864\nCc: stable@vger.kernel.org\nSigned-off-by: Carlos Llamas \n\nBug: 275041864\nLink: https://lore.kernel.org/all/20230505203020.4101154-1-cmllamas@google.com\nChange-Id: I4bcc8bde77a8118872237d100cccb5caf95d99a1\n[cmllamas: drop hunk for missing commit 9864bb480133]\nSigned-off-by: Carlos Llamas \nSigned-off-by: Gajjala Chakradhar \nReviewed-on: https://gerrit.mot.com/2639656\nSME-Granted: SME Approvals Granted\nSLTApproved: Slta Waiver\nTested-by: Jira Key\nReviewed-by: Konstantin Makariev \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"FROMLIST: binder: fix UAF caused by faulty buffer cleanup"}},{"before":null,"after":"9cd893836122fa95f2da024f51433fd7c157ac51","ref":"refs/heads/android-12-release-s3ro32.53-15-1","pushedAt":"2023-12-15T19:05:37.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"mbissaromoto","name":null,"path":"/mbissaromoto","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12086507?s=80&v=4"},"commit":{"message":"fogo: Bring up flash[3/3]\n\nDetails:\n There is no second flash supplier\n So close this macro\n\nChange-Id: I7f2fd8ed04d3e16ff15cd1ecfc34d9f2710452c6\nSigned-off-by: Simon C \nReviewed-on: https://gerrit.mot.com/2674947\nReviewed-by: \nSLTApproved: Slta Waiver\nSME-Granted: SME Approvals Granted\nTested-by: Jira Key\nReviewed-by: \nReviewed-by: Zhichao Chen \nReviewed-by: Xiangpo Zhao \nSubmit-Approved: Jira Key","shortMessageHtmlLink":"fogo: Bring up flash[3/3]"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAERHVJYwA","startCursor":null,"endCursor":null}},"title":"Activity · MotorolaMobilityLLC/kernel-msm"}