| tag | 6e5944dee64efc9911d84883ba35c49ac8202969 | |
|---|---|---|
| tagger | Howard Chen <howardsoc@google.com> | Mon Sep 11 12:20:49 2023 +0800 |
| object | f580df859bb06948e26f249d348a74348c237271 | |
android14-6.1 August 2023 release 3 Artifacts: https://ci.android.com/builds/submitted/10781043/kernel_aarch64/latest
| commit | f580df859bb06948e26f249d348a74348c237271 | |
|---|---|---|
| author | John Stultz <jstultz@google.com> | Sat Aug 26 01:32:59 2023 +0000 |
| committer | Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> | Fri Sep 08 11:11:08 2023 +0000 |
| tree | a7bfadd7de5e27e5020f5db12609837f97170305 | |
| parent | eb739ed4cf12407543b02fb484eda2a546fcecff | |
ANDROID: uid_sys_stats: Use llist for deferred work

A use-after-free bug was found in the previous custom lock-free list implementation for the deferred work, so switch functionality to llist implementation.

While the previous approach atomically handled the list head, it did not assure the new node's next pointer was assigned before the head was pointed to the node, allowing the consumer to traverse to an invalid next pointer.

Additionally, in switching to llists, this patch pulls the entire list off the list head once and processes it separately, reducing the number of atomic operations compared with the custom list's implementation which pulled one node at a time atomically from the list head.

```text
BUG: KASAN: use-after-free in process_notifier+0x270/0x2dc
Write of size 8 at addr d4ffff89545c3c58 by task Blocking Thread/3431
Pointer tag: [d4], memory tag: [fe]

call trace:
dump_backtrace+0xf8/0x118
show_stack+0x18/0x24
dump_stack_lvl+0x60/0x78
print_report+0x178/0x470
kasan_report+0x8c/0xbc
kasan_tag_mismatch+0x28/0x3c
__hwasan_tag_mismatch+0x30/0x60
process_notifier+0x270/0x2dc
notifier_call_chain+0xb4/0x108
blocking_notifier_call_chain+0x54/0x80
profile_task_exit+0x20/0x2c
do_exit+0xec/0x1114
__arm64_sys_exit_group+0x0/0x24
get_signal+0x93c/0xa78
do_notify_resume+0x158/0x3fc
el0_svc+0x54/0x78
el0t_64_sync_handler+0x44/0xe4
el0t_64_sync+0x190/0x194
```

Bug: 294468796
Bug: 295787403
Bug: 299197985
Fixes: 8e86825eecfa ("ANDROID: uid_sys_stats: Use a single work for deferred updates")
Change-Id: Id377348c239ec720a5237726bc3632544d737e3b
Signed-off-by: John Stultz <jstultz@google.com>
[nkapron: Squashed with other changes and rewrote the commit message]
Signed-off-by: Neill Kapron <nkapron@google.com>
(cherry picked from commit 87647c0c54bbfe865691d8b58988a3ce941b905e)
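The commit message describes two properties of the replacement list: a producer must store the new node's next pointer before the head is made to point at it, and the consumer detaches the whole pending list with one atomic operation instead of popping nodes one at a time. The block below is an added userspace model of that pattern written with C11 atomics; it is not the kernel's llist code and not part of this patch. The names `work_list`, `work_list_add`, `work_list_del_all`, `process_batch` and `demo_deferred_work` are assumptions chosen for the example, and the uid values are constructed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* One unit of deferred work. In the driver the payload would be the uid whose
 * stats need updating; here it is a constructed integer. */
struct work_node {
    struct work_node *next;
    unsigned int uid;
};

/* The shared list is nothing but an atomic head pointer (as with llist_head). */
struct work_list {
    _Atomic(struct work_node *) head;
};

#define WORK_LIST_INIT { NULL }

/* Producer side, modelled on llist_add(): n->next is fully written BEFORE the
 * compare-and-swap makes head point at n, and release ordering on success
 * guarantees that a consumer which acquires the new head also observes that
 * next pointer. Publishing head first and filling in next afterwards (the
 * defect the commit message describes) would let a consumer that wins the race
 * follow whatever stale value next happened to hold. Returns true when the
 * list was empty before the add, which is the signal a caller uses to decide
 * whether the worker needs scheduling. */
static bool work_list_add(struct work_list *l, struct work_node *n)
{
    struct work_node *old = atomic_load_explicit(&l->head, memory_order_relaxed);
    do {
        n->next = old;
    } while (!atomic_compare_exchange_weak_explicit(&l->head, &old, n,
                                                    memory_order_release,
                                                    memory_order_relaxed));
    return old == NULL;
}

/* Consumer side, modelled on llist_del_all(): a single atomic exchange takes
 * every pending node off the shared head. The returned chain is private to the
 * caller and is walked with plain loads; nodes come back newest-first (LIFO). */
static struct work_node *work_list_del_all(struct work_list *l)
{
    return atomic_exchange_explicit(&l->head, NULL, memory_order_acquire);
}

/* Worker body: walk one detached batch. Returns the number of nodes handled
 * and accumulates their uids into *sum so a caller can check the batch. */
static size_t process_batch(struct work_node *batch, unsigned long *sum)
{
    size_t n = 0;
    for (struct work_node *p = batch; p; p = p->next) {
        *sum += p->uid;
        n++;
    }
    return n;
}

/* Self-contained demo: three constructed nodes in static storage (so nothing
 * is freed), one batch detach, then a second detach that must find the list
 * empty. Returns the number of nodes processed (3), or 0 if any check fails. */
static size_t demo_deferred_work(void)
{
    static struct work_node nodes[3] = { {NULL, 1000}, {NULL, 1001}, {NULL, 1002} };
    struct work_list list = WORK_LIST_INIT;
    unsigned long sum = 0;

    bool first = work_list_add(&list, &nodes[0]);   /* true: worker must be scheduled */
    bool second = work_list_add(&list, &nodes[1]);  /* false: work already pending */
    work_list_add(&list, &nodes[2]);
    if (!first || second)
        return 0;

    struct work_node *batch = work_list_del_all(&list);
    if (batch != &nodes[2] || batch->next != &nodes[1] || nodes[0].next != NULL)
        return 0;                                   /* LIFO chain is intact */

    size_t done = process_batch(batch, &sum);
    if (work_list_del_all(&list) != NULL || sum != 3003)
        return 0;                                   /* nothing left behind */
    return done;
}
```

The example keeps the two sides of the protocol separate on purpose: the only atomic operations are the CAS in `work_list_add` and the exchange in `work_list_del_all`, and once a batch has been detached the consumer never touches the shared head again, which is the reduction in atomic traffic the commit message credits to llist.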
1. BEST: Make all of your changes to upstream Linux. If appropriate, backport to the stable releases. These patches will be merged automatically in the corresponding common kernels. If the patch is already in upstream Linux, post a backport of the patch that conforms to the patch requirements below.
   - Additions of `EXPORT_SYMBOL_GPL()` require an in-tree modular driver that uses the symbol -- so include the new driver or changes to an existing driver in the same patchset as the export.
2. LESS GOOD: Develop your patches out-of-tree (from an upstream Linux point-of-view). Unless these are fixing an Android-specific bug, these are very unlikely to be accepted unless they have been coordinated with kernel-team@android.com. If you want to proceed, post a patch that conforms to the patch requirements below.

Common Kernel patch requirements

- All patches must pass `scripts/checkpatch.pl`
- The subject must be tagged with the type of patch: `UPSTREAM:`, `BACKPORT:`, `FROMGIT:`, `FROMLIST:`, or `ANDROID:`.
- All patches must have a `Change-Id:` tag (see https://gerrit-review.googlesource.com/Documentation/user-changeid.html)
- If an Android bug has been assigned to the patch, there must be a `Bug:` tag.
- All patches must have a `Signed-off-by:` tag by the author and the submitter

Additional requirements are listed below based on patch type

Requirements for backports from upstream Linux: `UPSTREAM:`, `BACKPORT:`

- If the patch is a cherry-pick from Linux mainline with no changes at all
    - tag the patch subject with `UPSTREAM:`.
    - add upstream commit information with a `(cherry picked from commit ...)` line
    - Example:
        - if the upstream commit message is

```
        important patch from upstream

        This is the detailed description of the important patch

        Signed-off-by: Fred Jones <fred.jones@foo.org>
```

        - then Joe Smith would upload the patch for the common kernel as

```
        UPSTREAM: important patch from upstream

        This is the detailed description of the important patch

        Signed-off-by: Fred Jones <fred.jones@foo.org>

        Bug: 135791357
        Change-Id: I4caaaa566ea080fa148c5e768bb1a0b6f7201c01
        (cherry picked from commit c31e73121f4c1ec41143423ac6ce3ce6dafdcec1)
        Signed-off-by: Joe Smith <joe.smith@foo.org>
```

- If the patch requires any changes from the upstream version, tag the patch with `BACKPORT:` instead of `UPSTREAM:`.
    - use the same tags as `UPSTREAM:`
    - add comments about the changes under the `(cherry picked from commit ...)` line
    - Example:

```
        BACKPORT: important patch from upstream

        This is the detailed description of the important patch

        Signed-off-by: Fred Jones <fred.jones@foo.org>

        Bug: 135791357
        Change-Id: I4caaaa566ea080fa148c5e768bb1a0b6f7201c01
        (cherry picked from commit c31e73121f4c1ec41143423ac6ce3ce6dafdcec1)
        [joe: Resolved minor conflict in drivers/foo/bar.c ]
        Signed-off-by: Joe Smith <joe.smith@foo.org>
```

Requirements for other backports: `FROMGIT:`, `FROMLIST:`

- If the patch has been merged into an upstream maintainer tree, but has not yet been merged into Linux mainline
    - tag the patch subject with `FROMGIT:`
    - add info on where the patch came from as `(cherry picked from commit <sha1> <repo> <branch>)`. This must be a stable maintainer branch (not rebased, so don't use `linux-next` for example).
    - if changes were required, use `BACKPORT: FROMGIT:`
    - Example:
        - if the commit message in the maintainer tree is

```
        important patch from upstream

        This is the detailed description of the important patch

        Signed-off-by: Fred Jones <fred.jones@foo.org>
```

        - then Joe Smith would upload the patch for the common kernel as

```
        FROMGIT: important patch from upstream

        This is the detailed description of the important patch

        Signed-off-by: Fred Jones <fred.jones@foo.org>

        Bug: 135791357
        (cherry picked from commit 878a2fd9de10b03d11d2f622250285c7e63deace
         https://git.kernel.org/pub/scm/linux/kernel/git/foo/bar.git test-branch)
        Change-Id: I4caaaa566ea080fa148c5e768bb1a0b6f7201c01
        Signed-off-by: Joe Smith <joe.smith@foo.org>
```

- If the patch has been submitted to LKML, but not accepted into any maintainer tree
    - tag the patch subject with `FROMLIST:`
    - add a `Link:` tag with a link to the submittal on lore.kernel.org
    - add a `Bug:` tag with the Android bug (required for patches not accepted into a maintainer tree)
    - if changes were required, use `BACKPORT: FROMLIST:`
    - Example:

```
        FROMLIST: important patch from upstream

        This is the detailed description of the important patch

        Signed-off-by: Fred Jones <fred.jones@foo.org>

        Bug: 135791357
        Link: https://lore.kernel.org/lkml/20190619171517.GA17557@someone.com/
        Change-Id: I4caaaa566ea080fa148c5e768bb1a0b6f7201c01
        Signed-off-by: Joe Smith <joe.smith@foo.org>
```

Requirements for Android-specific patches: `ANDROID:`

- If the patch is fixing a bug to Android-specific code
    - tag the patch subject with `ANDROID:`
    - add a `Fixes:` tag that cites the patch with the bug
    - Example:

```
        ANDROID: fix android-specific bug in foobar.c

        This is the detailed description of the important fix

        Fixes: 1234abcd2468 ("foobar: add cool feature")
        Change-Id: I4caaaa566ea080fa148c5e768bb1a0b6f7201c01
        Signed-off-by: Joe Smith <joe.smith@foo.org>
```

- If the patch is a new feature
    - tag the patch subject with `ANDROID:`
    - add a `Bug:` tag with the Android bug (required for android-specific features)