lineage-22.1
254 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Greg Kroah-Hartman
|
0e5af42a0a |
Merge 6.1.78 into android14-6.1-lts
Changes in 6.1.78 ext4: regenerate buddy after block freeing failed if under fc replay dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools dmaengine: ti: k3-udma: Report short packet errors dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA phy: renesas: rcar-gen3-usb2: Fix returning wrong error code dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP cifs: failure to add channel on iface should bump up weight drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup net: stmmac: xgmac: fix handling of DPP safety error for DMA channels wifi: mac80211: fix waiting for beacons logic netdevsim: avoid potential loop in nsim_dev_trap_report_work() net: atlantic: Fix DMA mapping for PTP hwts ring selftests: net: cut more slack for gro fwd tests. selftests: net: avoid just another constant wait tunnels: fix out of bounds access when building IPv6 PMTU error atm: idt77252: fix a memleak in open_card_ubr0 octeontx2-pf: Fix a memleak otx2_sq_init hwmon: (aspeed-pwm-tacho) mutex for tach reading hwmon: (coretemp) Fix out-of-bounds memory access hwmon: (coretemp) Fix bogus core_id to attr name mapping inet: read sk->sk_family once in inet_recv_error() drm/i915/gvt: Fix uninitialized variable in handle_mmio() rxrpc: Fix response to PING RESPONSE ACKs to a dead call tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. ppp_async: limit MRU to 64K selftests: cmsg_ipv6: repeat the exact packet netfilter: nft_compat: narrow down revision to unsigned 8-bits netfilter: nft_compat: reject unused compat flag netfilter: nft_compat: restrict match/target protocol to u16 drm/amd/display: Implement bounds check for stream encoder creation in DCN301 netfilter: nft_ct: reject direction for ct id netfilter: nft_set_pipapo: store index in scratch maps netfilter: nft_set_pipapo: add helper to release pcpu scratch area netfilter: nft_set_pipapo: remove scratch_aligned pointer fs/ntfs3: Fix an NULL dereference bug scsi: core: Move scsi_host_busy() out of host lock if it is for per-command blk-iocost: Fix an UBSAN shift-out-of-bounds warning fs: dlm: don't put dlm_local_addrs on heap mtd: parsers: ofpart: add workaround for #size-cells 0 ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter ALSA: usb-audio: add quirk for RODE NT-USB+ USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e USB: serial: option: add Fibocom FM101-GL variant USB: serial: cp210x: add ID for IMST iM871A-USB usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK hrtimer: Report offline hrtimer enqueue Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers Revert "ASoC: amd: Add new dmi entries for acp5x platform" vhost: use kzalloc() instead of kmalloc() followed by memset() RDMA/irdma: Fix support for 64k pages f2fs: add helper to check compression level block: treat poll queue enter similarly to timeouts clocksource: Skip watchdog check for large watchdog intervals net: stmmac: xgmac: use #define for string constants ALSA: usb-audio: Sort quirk table entries net: stmmac: xgmac: fix a typo of register name in DPP safety handling netfilter: nft_set_rbtree: skip end interval element from gc Linux 6.1.78 Change-Id: Iba16875d4cb88deffea077cf69495f9fe447ea23 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Dan Carpenter
|
ec1bedd797 |
fs/ntfs3: Fix an NULL dereference bug
[ Upstream commit b2dd7b953c25ffd5912dda17e980e7168bebcf6c ]
The issue here is when this is called from ntfs_load_attr_list(). The
"size" comes from le32_to_cpu(attr->res.data_size) so it can't overflow
on a 64bit systems but on 32bit systems the "+ 1023" can overflow and
the result is zero. This means that the kmalloc will succeed by
returning the ZERO_SIZE_PTR and then the memcpy() will crash with an
Oops on the next line.
Fixes:
|
||
|
Greg Kroah-Hartman
|
0d9fb52165 |
Merge 6.1.62 into android14-6.1-lts
Changes in 6.1.62
ASoC: simple-card: fixup asoc_simple_probe() error handling
coresight: tmc-etr: Disable warnings for allocation failures
ASoC: tlv320adc3xxx: BUG: Correct micbias setting
net: sched: cls_u32: Fix allocation size in u32_init()
irqchip/riscv-intc: Mark all INTC nodes as initialized
irqchip/stm32-exti: add missing DT IRQ flag translation
dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
powerpc/85xx: Fix math emulation exception
Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
fbdev: atyfb: only use ioremap_uc() on i386 and ia64
fs/ntfs3: Add ckeck in ni_update_parent()
fs/ntfs3: Write immediately updated ntfs state
fs/ntfs3: Use kvmalloc instead of kmalloc(... __GFP_NOWARN)
fs/ntfs3: Fix possible NULL-ptr-deref in ni_readpage_cmpr()
fs/ntfs3: Fix NULL pointer dereference on error in attr_allocate_frame()
fs/ntfs3: Fix directory element type detection
fs/ntfs3: Avoid possible memory leak
spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0
netfilter: nfnetlink_log: silence bogus compiler warning
efi: fix memory leak in krealloc failure handling
ASoC: rt5650: fix the wrong result of key button
ASoC: codecs: tas2780: Fix log of failed reset via I2C.
drm/ttm: Reorder sys manager cleanup step
fbdev: omapfb: fix some error codes
fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
scsi: mpt3sas: Fix in error path
drm/amdgpu: Unset context priority is now invalid
gpu/drm: Eliminate DRM_SCHED_PRIORITY_UNSET
LoongArch: Export symbol invalid_pud_table for modules building
LoongArch: Replace kmap_atomic() with kmap_local_page() in copy_user_highpage()
netfilter: nf_tables: audit log object reset once per table
platform/mellanox: mlxbf-tmfifo: Fix a warning message
drm/amdgpu: Reserve fences for VM update
net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
r8152: Check for unplug in rtl_phy_patch_request()
r8152: Check for unplug in r8153b_ups_en() / r8153c_ups_en()
powerpc/mm: Fix boot crash with FLATMEM
io_uring: kiocb_done() should *not* trust ->ki_pos if ->{read,write}_iter() failed
ceph_wait_on_conflict_unlink(): grab reference before dropping ->d_lock
power: supply: core: Use blocking_notifier_call_chain to avoid RCU complaint
perf evlist: Avoid frequency mode for the dummy event
x86: KVM: SVM: always update the x2avic msr interception
mm/mempolicy: fix set_mempolicy_home_node() previous VMA pointer
mmap: fix error paths with dup_anon_vma()
ALSA: usb-audio: add quirk flag to enable native DSD for McIntosh devices
PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility
usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()
usb: raw-gadget: properly handle interrupted requests
tty: n_gsm: fix race condition in status line change on dead connections
tty: 8250: Remove UC-257 and UC-431
tty: 8250: Add support for additional Brainboxes UC cards
tty: 8250: Add support for Brainboxes UP cards
tty: 8250: Add support for Intashield IS-100
tty: 8250: Fix port count of PX-257
tty: 8250: Fix up PX-803/PX-857
tty: 8250: Add support for additional Brainboxes PX cards
tty: 8250: Add support for Intashield IX cards
tty: 8250: Add Brainboxes Oxford Semiconductor-based quirks
misc: pci_endpoint_test: Add deviceID for J721S2 PCIe EP device support
ALSA: hda: intel-dsp-config: Fix JSL Chromebook quirk detection
ASoC: SOF: sof-pci-dev: Fix community key quirk detection
Linux 6.1.62
Change-Id: I2f696c88b48e82eb0d925a26ce6716693595d421
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Su Hui
|
6a7a2d5a08 |
fs/ntfs3: Avoid possible memory leak
[ Upstream commit e4494770a5cad3c9d1d2a65ed15d07656c0d9b82 ] smatch warn: fs/ntfs3/fslog.c:2172 last_log_lsn() warn: possible memory leak of 'page_bufs' Jump to label 'out' to free 'page_bufs' and is more consistent with other code. Signed-off-by: Su Hui <suhui@nfschina.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Gabriel Marcano
|
84aabd18c8 |
fs/ntfs3: Fix directory element type detection
[ Upstream commit 85a4780dc96ed9dd643bbadf236552b3320fae26 ] Calling stat() from userspace correctly identified junctions in an NTFS partition as symlinks, but using readdir() and iterating through the directory containing the same junction did not identify the junction as a symlink. When emitting directory contents, check FILE_ATTRIBUTE_REPARSE_POINT attribute to detect junctions and report them as links. Signed-off-by: Gabriel Marcano <gabemarcano@yahoo.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Konstantin Komarov
|
3bff4bb7f9 |
fs/ntfs3: Fix NULL pointer dereference on error in attr_allocate_frame()
[ Upstream commit 9c689c8dc86f8ca99bf91c05f24c8bab38fe7d5f ] Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Konstantin Komarov
|
c8cbae3cbb |
fs/ntfs3: Fix possible NULL-ptr-deref in ni_readpage_cmpr()
[ Upstream commit 32e9212256b88f35466642f9c939bb40cfb2c2de ] Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Konstantin Komarov
|
6fe32f79ab |
fs/ntfs3: Use kvmalloc instead of kmalloc(... __GFP_NOWARN)
[ Upstream commit fc471e39e38fea6677017cbdd6d928088a59fc67 ] Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Konstantin Komarov
|
92f9c7c7dd |
fs/ntfs3: Write immediately updated ntfs state
[ Upstream commit 06ccfb00645990a9fcc14249e6d1c25921ecb836 ] Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Konstantin Komarov
|
fc91bb3e1b |
fs/ntfs3: Add ckeck in ni_update_parent()
[ Upstream commit 87d1888aa40f25773fa0b948bcb2545f97e2cb15 ] Check simple case when parent inode equals current inode. Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
788e35fdea |
Merge 6.1.60 into android14-6.1-lts
Changes in 6.1.60
lib/Kconfig.debug: do not enable DEBUG_PREEMPT by default
igc: remove I226 Qbv BaseTime restriction
igc: enable Qbv configuration for 2nd GCL
igc: Remove reset adapter task for i226 during disable tsn config
igc: Add qbv_config_change_errors counter
igc: Add condition for qbv_config_change_errors counter
igc: Fix race condition in PTP tx code
Bluetooth: hci_event: Ignore NULL link key
Bluetooth: Reject connection with the device which has same BD_ADDR
Bluetooth: Fix a refcnt underflow problem for hci_conn
Bluetooth: vhci: Fix race when opening vhci device
Bluetooth: hci_event: Fix coding style
Bluetooth: avoid memcmp() out of bounds warning
ice: fix over-shifted variable
ice: reset first in crash dump kernels
net/smc: return the right falback reason when prefix checks fail
btrfs: fix stripe length calculation for non-zoned data chunk allocation
nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
regmap: fix NULL deref on lookup
KVM: x86: Mask LVTPC when handling a PMI
x86/sev: Disable MMIO emulation from user mode
x86/sev: Check IOBM for IOIO exceptions from user-space
x86/sev: Check for user-space IOIO pointing to kernel space
x86/fpu: Allow caller to constrain xfeatures when copying to uabi buffer
KVM: x86: Constrain guest-supported xfeatures only at KVM_GET_XSAVE{2}
x86: KVM: SVM: add support for Invalid IPI Vector interception
x86: KVM: SVM: refresh AVIC inhibition in svm_leave_nested()
audit,io_uring: io_uring openat triggers audit reference count underflow
tcp: check mptcp-level constraints for backlog coalescing
mptcp: more conservative check for zero probes
fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e()
fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea()
fs/ntfs3: fix deadlock in mark_as_free_ex
netfilter: nft_payload: fix wrong mac header matching
nvmet-tcp: Fix a possible UAF in queue intialization setup
drm/i915: Retry gtt fault when out of fence registers
drm/mediatek: Correctly free sg_table in gem prime vmap
ALSA: hda/realtek - Fixed ASUS platform headset Mic issue
ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV
ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx
ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors
ASoC: codecs: wcd938x: drop bogus bind error handling
ASoC: codecs: wcd938x: fix unbind tear down order
ASoC: codecs: wcd938x: fix resource leaks on bind errors
qed: fix LL2 RX buffer allocation
xfrm: fix a data-race in xfrm_lookup_with_ifid()
xfrm: fix a data-race in xfrm_gen_index()
xfrm: interface: use DEV_STATS_INC()
wifi: cfg80211: use system_unbound_wq for wiphy work
net: ipv4: fix return value check in esp_remove_trailer
net: ipv6: fix return value check in esp_remove_trailer
net: rfkill: gpio: prevent value glitch during probe
tcp: fix excessive TLP and RACK timeouts from HZ rounding
tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
tcp: Fix listen() warning with v4-mapped-v6 address.
tun: prevent negative ifindex
ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr
net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
octeon_ep: update BQL sent bytes before ringing doorbell
i40e: prevent crash on probe if hw registers have invalid values
net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register()
bonding: Return pointer to data after pull on skb
net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section
selftests: openvswitch: Catch cases where the tests are killed
selftests: netfilter: Run nft_audit.sh in its own netns
netfilter: nft_set_rbtree: .deactivate fails if element has expired
netlink: Correct offload_xstats size
netfilter: nf_tables: do not remove elements if set backend implements .abort
netfilter: nf_tables: revert do not remove elements if set backend implements .abort
net: phy: bcm7xxx: Add missing 16nm EPHY statistics
net: pktgen: Fix interface flags printing
net: avoid UAF on deleted altname
net: fix ifname in netlink ntf during netns move
net: check for altname conflicts when changing netdev's netns
selftests/mm: fix awk usage in charge_reserved_hugetlb.sh and hugetlb_reparenting_test.sh that may cause error
usb: misc: onboard_usb_hub: add Genesys Logic GL850G hub support
usb: misc: onboard_usb_hub: add Genesys Logic GL852G hub support
usb: misc: onboard_usb_hub: add Genesys Logic GL3523 hub support
usb: misc: onboard_hub: add support for Microchip USB2412 USB 2.0 hub
serial: Move uart_change_speed() earlier
serial: Rename uart_change_speed() to uart_change_line_settings()
serial: Reduce spinlocked portion of uart_rs485_config()
serial: 8250: omap: Fix imprecise external abort for omap_8250_pm()
serial: 8250_omap: Fix errors with no_console_suspend
iio: core: introduce iio_device_{claim|release}_buffer_mode() APIs
iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data()
iio: adc: ad7192: Simplify using devm_regulator_get_enable()
iio: adc: ad7192: Correct reference voltage
pwr-mlxbf: extend Kconfig to include gpio-mlxbf3 dependency
ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
fs-writeback: do not requeue a clean inode having skipped pages
btrfs: prevent transaction block reserve underflow when starting transaction
btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
btrfs: initialize start_slot in btrfs_log_prealloc_extents
i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
overlayfs: set ctime when setting mtime and atime
gpio: timberdale: Fix potential deadlock on &tgpio->lock
ata: libata-core: Fix compilation warning in ata_dev_config_ncq()
ata: libata-eh: Fix compilation warning in ata_eh_link_report()
tracing: relax trace_event_eval_update() execution with cond_resched()
wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
wifi: iwlwifi: Ensure ack flag is properly cleared.
HID: logitech-hidpp: Add Bluetooth ID for the Logitech M720 Triathlon mouse
HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
Bluetooth: btusb: add shutdown function for QCA6174
Bluetooth: Avoid redundant authentication
Bluetooth: hci_core: Fix build warnings
wifi: cfg80211: Fix 6GHz scan configuration
wifi: mac80211: work around Cisco AP 9115 VHT MPDU length
wifi: mac80211: allow transmitting EAPOL frames with tainted key
wifi: cfg80211: avoid leaking stack data into trace
regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()"
sky2: Make sure there is at least one frag_addr available
ipv4/fib: send notify when delete source address routes
drm: panel-orientation-quirks: Add quirk for One Mix 2S
btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
btrfs: error out when COWing block using a stale transaction
btrfs: error when COWing block from a root that is being deleted
btrfs: error out when reallocating block for defrag using a stale transaction
drm/amd/pm: add unique_id for gc 11.0.3
HID: multitouch: Add required quirk for Synaptics 0xcd7e device
HID: nintendo: reinitialize USB Pro Controller after resuming from suspend
platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
cpufreq: schedutil: Update next_freq when cpufreq_limits change
fprobe: Pass entry_data to handlers
fprobe: Add nr_maxactive to specify rethook_node pool size
fprobe: Fix to ensure the number of active retprobes is not zero
net: xfrm: skip policies marked as dead while reinserting policies
xfrm6: fix inet6_dev refcount underflow problem
net/mlx5: E-switch, register event handler before arming the event
net/mlx5: Handle fw tracer change ownership event based on MTRC
net/mlx5e: Don't offload internal port if filter device is out device
net/tls: split tls_rx_reader_lock
tcp: allow again tcp_disconnect() when threads are waiting
ice: Remove redundant pci_enable_pcie_error_reporting()
Bluetooth: hci_event: Fix using memcmp when comparing keys
selftests: openvswitch: Add version check for pyroute2
tcp_bpf: properly release resources on error paths
net/smc: fix smc clc failed issue when netdevice not in init_net
mtd: rawnand: qcom: Unmap the right resource upon probe failure
mtd: rawnand: pl353: Ensure program page operations are successful
mtd: rawnand: marvell: Ensure program page operations are successful
mtd: rawnand: arasan: Ensure program page operations are successful
mtd: spinand: micron: correct bitmask for ecc status
mtd: physmap-core: Restore map_rom fallback
dt-bindings: mmc: sdhci-msm: correct minimum number of clocks
mmc: sdhci-pci-gli: fix LPM negotiation so x86/S0ix SoCs can suspend
mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
mmc: core: sdio: hold retuning if sdio in 1-bit mode
mmc: core: Capture correct oemid-bits for eMMC cards
Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
pNFS: Fix a hang in nfs4_evict_inode()
pNFS/flexfiles: Check the layout validity in ff_layout_mirror_prepare_stats
NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server
ACPI: irq: Fix incorrect return value in acpi_register_gsi()
nfs42: client needs to strip file mode's suid/sgid bit after ALLOCATE op
nvme: sanitize metadata bounce buffer for reads
nvme-pci: add BOGUS_NID for Intel 0a54 device
nvmet-auth: complete a request only after freeing the dhchap pointers
nvme-rdma: do not try to stop unallocated queues
KVM: x86/mmu: Stop zapping invalidated TDP MMU roots asynchronously
HID: input: map battery system charging
USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
USB: serial: option: add entry for Sierra EM9191 with new firmware
USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
perf: Disallow mis-matched inherited group reads
s390/pci: fix iommu bitmap allocation
selftests/ftrace: Add new test case which checks non unique symbol
s390/cio: fix a memleak in css_alloc_subchannel
platform/surface: platform_profile: Propagate error if profile registration fails
platform/x86: intel-uncore-freq: Conditionally create attribute for read frequency
platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
platform/x86: asus-wmi: Only map brightness codes when using asus-wmi backlight control
platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events
gpio: vf610: set value before the direction to avoid a glitch
ASoC: pxa: fix a memory leak in probe()
drm/bridge: ti-sn65dsi86: Associate DSI device lifetime with auxiliary device
serial: 8250: omap: Move uart_write() inside PM section
serial: 8250: omap: convert to modern PM ops
kallsyms: Reduce the memory occupied by kallsyms_seqs_of_names[]
kallsyms: Add helper kallsyms_on_each_match_symbol()
tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols
gpio: vf610: make irq_chip immutable
gpio: vf610: mask the gpio irq in system suspend and support wakeup
phy: mapphone-mdm6600: Fix runtime disable on probe
phy: mapphone-mdm6600: Fix runtime PM for remove
phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
net: move altnames together with the netdevice
Bluetooth: hci_sock: fix slab oob read in create_monitor_event
Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
mptcp: avoid sending RST when closing the initial subflow
selftests: mptcp: join: correctly check for no RST
selftests: mptcp: join: no RST when rm subflow/addr
Linux 6.1.60
Change-Id: I85a246fd8800df019794b531f5befe0a84a3e138
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Konstantin Komarov
|
36a315c923 |
fs/ntfs3: fix deadlock in mark_as_free_ex
commit bfbe5b31caa74ab97f1784fe9ade5f45e0d3de91 upstream. Reported-by: syzbot+e94d98936a0ed08bde43@syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Zeng Heng
|
c1f2638e31 |
fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea()
commit 8e7e27b2ee1e19c4040d4987e345f678a74c0aed upstream.
Here is a BUG report about linux-6.1 from syzbot, but it still remains
within upstream:
BUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
BUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
Read of size 1 at addr ffff888021acaf3d by task syz-executor128/3632
Call Trace:
kasan_report+0x139/0x170 mm/kasan/report.c:495
ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
vfs_listxattr fs/xattr.c:457 [inline]
listxattr+0x293/0x2d0 fs/xattr.c:804
path_listxattr fs/xattr.c:828 [inline]
__do_sys_llistxattr fs/xattr.c:846 [inline]
Before derefering field members of `ea` in unpacked_ea_size(), we need to
check whether the EA_FULL struct is located in access validate range.
Similarly, when derefering `ea->name` field member, we need to check
whethe the ea->name is located in access validate range, too.
Fixes:
|
||
Ziqi Zhao
|
fb80a28fef |
fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e()
commit 1f9b94af923c88539426ed811ae7e9543834a5c5 upstream. Upon investigation of the C reproducer provided by Syzbot, it seemed the reproducer was trying to mount a corrupted NTFS filesystem, then issue a rename syscall to some nodes in the filesystem. This can be shown by modifying the reproducer to only include the mount syscall, and investigating the filesystem by e.g. `ls` and `rm` commands. As a result, during the problematic call to `hdr_fine_e`, the `inode` being supplied did not go through `indx_init`, hence the `cmp` function pointer was never set. The fix is simply to check whether `cmp` is not set, and return NULL if that's the case, in order to be consistent with other error scenarios of the `hdr_find_e` method. The rationale behind this patch is that: - We should prevent crashing the kernel even if the mounted filesystem is corrupted. Any syscalls made on the filesystem could return invalid, but the kernel should be able to sustain these calls. - Only very specific corruption would lead to this bug, so it would be a pretty rare case in actual usage anyways. Therefore, introducing a check to specifically protect against this bug seems appropriate. Because of its rarity, an `unlikely` clause is used to wrap around this nullity check. Reported-by: syzbot+60cf892fc31d1f4358fc@syzkaller.appspotmail.com Signed-off-by: Ziqi Zhao <astrajoan@yahoo.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
50874c58d8 |
Merge 6.1.47 into android14-6.1-lts
Changes in 6.1.47 mmc: sdhci-f-sdh30: Replace with sdhci_pltfm cpuidle: psci: Extend information in log about OSI/PC mode cpuidle: psci: Move enabling OSI mode after power domains creation zsmalloc: consolidate zs_pool's migrate_lock and size_class's locks zsmalloc: fix races between modifications of fullness and isolated selftests: forwarding: tc_actions: cleanup temporary files when test is aborted selftests: forwarding: tc_actions: Use ncat instead of nc net/smc: replace mutex rmbs_lock and sndbufs_lock with rw_semaphore net/smc: Fix setsockopt and sysctl to specify same buffer size again net: phy: at803x: Use devm_regulator_get_enable_optional() net: phy: at803x: fix the wol setting functions drm/amdgpu: fix calltrace warning in amddrm_buddy_fini drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1 drm/amdgpu: fix memory leak in mes self test ASoC: Intel: sof_sdw: add quirk for MTL RVP ASoC: Intel: sof_sdw: add quirk for LNL RVP PCI: tegra194: Fix possible array out of bounds access ASoC: SOF: amd: Add pci revision id check drm/stm: ltdc: fix late dereference check drm: rcar-du: remove R-Car H3 ES1.* workarounds ASoC: amd: vangogh: Add check for acp config flags in vangogh platform ARM: dts: imx6dl: prtrvt, prtvt7, prti6q, prtwd2: fix USB related warnings ASoC: Intel: sof_sdw_rt_sdca_jack_common: test SOF_JACK_JDSRC in _exit ASoC: Intel: sof_sdw: Add support for Rex soundwire iopoll: Call cpu_relax() in busy loops ASoC: SOF: Intel: fix SoundWire/HDaudio mutual exclusion dma-remap: use kvmalloc_array/kvfree for larger dma memory remap accel/habanalabs: add pci health check during heartbeat HID: logitech-hidpp: Add USB and Bluetooth IDs for the Logitech G915 TKL Keyboard iommu/amd: Introduce Disable IRTE Caching Support drm/amdgpu: install stub fence into potential unused fence pointers drm/amd/display: Apply 60us prefetch for DCFCLK <= 300Mhz RDMA/mlx5: Return the firmware result upon destroying QP/RQ drm/amd/display: Skip DPP DTO update if root clock is gated drm/amd/display: Enable dcn314 DPP RCO ASoC: SOF: core: Free the firmware trace before calling snd_sof_shutdown() HID: intel-ish-hid: ipc: Add Arrow Lake PCI device ID ALSA: hda/realtek: Add quirks for ROG ALLY CS35l41 audio smb: client: fix warning in cifs_smb3_do_mount() cifs: fix session state check in reconnect to avoid use-after-free issue serial: stm32: Ignore return value of uart_remove_one_port() in .remove() led: qcom-lpg: Fix resource leaks in for_each_available_child_of_node() loops media: v4l2-mem2mem: add lock to protect parameter num_rdy media: camss: set VFE bpl_alignment to 16 for sdm845 and sm8250 usb: gadget: u_serial: Avoid spinlock recursion in __gs_console_push usb: gadget: uvc: queue empty isoc requests if no video buffer is available media: platform: mediatek: vpu: fix NULL ptr dereference thunderbolt: Read retimer NVM authentication status prior tb_retimer_set_inbound_sbtx() usb: chipidea: imx: don't request QoS for imx8ulp usb: chipidea: imx: add missing USB PHY DPDM wakeup setting gfs2: Fix possible data races in gfs2_show_options() pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() thunderbolt: Add Intel Barlow Ridge PCI ID thunderbolt: Limit Intel Barlow Ridge USB3 bandwidth firewire: net: fix use after free in fwnet_finish_incoming_packet() watchdog: sp5100_tco: support Hygon FCH/SCH (Server Controller Hub) Bluetooth: L2CAP: Fix use-after-free Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally ceph: try to dump the msgs when decoding fails drm/amdgpu: Fix potential fence use-after-free v2 fs/ntfs3: Enhance sanity check while generating attr_list fs: ntfs3: Fix possible null-pointer dereferences in mi_read() fs/ntfs3: Mark ntfs dirty when on-disk struct is corrupted ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760 ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() ALSA: hda/realtek: Add quirk for ASUS ROG GX650P ALSA: hda/realtek: Add quirk for ASUS ROG GA402X ALSA: hda/realtek: Add quirk for ASUS ROG GZ301V powerpc/kasan: Disable KCOV in KASAN code Bluetooth: MGMT: Use correct address for memcpy() ring-buffer: Do not swap cpu_buffer during resize process igc: read before write to SRRCTL register drm/amd/display: save restore hdcp state when display is unplugged from mst hub drm/amd/display: phase3 mst hdcp for multiple displays drm/amd/display: fix access hdcp_workqueue assert KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption ARM: dts: nxp/imx6sll: fix wrong property name in usbphy node fbdev/hyperv-fb: Do not set struct fb_info.apertures video/aperture: Only remove sysfb on the default vga pci device btrfs: move out now unused BG from the reclaim list btrfs: convert btrfs_block_group::needs_free_space to runtime flag btrfs: convert btrfs_block_group::seq_zone to runtime flag btrfs: fix use-after-free of new block group that became unused virtio-mmio: don't break lifecycle of vm_dev vduse: Use proper spinlock for IRQ injection vdpa/mlx5: Fix mr->initialized semantics vdpa/mlx5: Delete control vq iotlb in destroy_mr only when necessary cifs: fix potential oops in cifs_oplock_break i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue i2c: hisi: Only handle the interrupt of the driver's transfer i2c: tegra: Fix i2c-tegra DMA config option processing fbdev: mmp: fix value check in mmphw_probe() powerpc/rtas_flash: allow user copy to flash block cache objects vdpa: Add features attr to vdpa_nl_policy for nlattr length check vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check vdpa: Enable strict validation for netlinks ops tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms btrfs: fix incorrect splitting in btrfs_drop_extent_map_range btrfs: fix BUG_ON condition in btrfs_cancel_balance i2c: designware: Correct length byte validation logic i2c: designware: Handle invalid SMBus block data response length value net: xfrm: Fix xfrm_address_filter OOB read net: af_key: fix sadb_x_filter validation net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure xfrm: fix slab-use-after-free in decode_session6 ip6_vti: fix slab-use-after-free in decode_session6 ip_vti: fix potential slab-use-after-free in decode_session6 xfrm: add NULL check in xfrm_update_ae_params xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH virtio_net: notify MAC address change on device initialization virtio-net: set queues after driver_ok net: pcs: Add missing put_device call in miic_create net: phy: fix IRQ-based wake-on-lan over hibernate / power off selftests: mirror_gre_changes: Tighten up the TTL test match drm/panel: simple: Fix AUO G121EAN01 panel timings according to the docs net: macb: In ZynqMP resume always configure PS GTR for non-wakeup source octeon_ep: cancel tx_timeout_task later in remove sequence netfilter: nf_tables: fix false-positive lockdep splat netfilter: nf_tables: deactivate catchall elements in next generation ipvs: fix racy memcpy in proc_do_sync_threshold netfilter: nft_dynset: disallow object maps net: phy: broadcom: stub c45 read/write for 54810 team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves net: openvswitch: reject negative ifindex iavf: fix FDIR rule fields masks validation i40e: fix misleading debug logs net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset sfc: don't unregister flow_indr if it was never registered sock: Fix misuse of sk_under_memory_pressure() net: do not allow gso_size to be set to GSO_BY_FRAGS qede: fix firmware halt over suspend and resume ice: Block switchdev mode when ADQ is active and vice versa bus: ti-sysc: Flush posted write on enable before reset arm64: dts: qcom: qrb5165-rb5: fix thermal zone conflict arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4 arm64: dts: rockchip: Disable HS400 for eMMC on ROCK 4C+ ARM: dts: imx: align LED node names with dtschema ARM: dts: imx6: phytec: fix RTC interrupt level arm64: dts: imx8mm: Drop CSI1 PHY reference clock configuration ARM: dts: imx: Set default tuning step for imx6sx usdhc arm64: dts: imx93: Fix anatop node size ASoC: rt5665: add missed regulator_bulk_disable ASoC: meson: axg-tdm-formatter: fix channel slot allocation ALSA: hda/realtek: Add quirks for HP G11 Laptops soc: aspeed: uart-routing: Use __sysfs_match_string soc: aspeed: socinfo: Add kfree for kstrdup ALSA: hda/realtek - Remodified 3k pull low procedure riscv: uaccess: Return the number of bytes effectively not copied serial: 8250: Fix oops for port->pm on uart_change_pm() ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces. cifs: Release folio lock on fscache read hit. virtio-net: Zero max_tx_vq field for VIRTIO_NET_CTRL_MQ_HASH_CONFIG case arm64: dts: rockchip: Fix Wifi/Bluetooth on ROCK Pi 4 boards blk-crypto: dynamically allocate fallback profile mmc: wbsd: fix double mmc_free_host() in wbsd_init() mmc: block: Fix in_flight[issue_type] value error drm/qxl: fix UAF on handle creation drm/i915/sdvo: fix panel_type initialization drm/amd: flush any delayed gfxoff on suspend entry drm/amdgpu: skip fence GFX interrupts disable/enable for S0ix drm/amdgpu/pm: fix throttle_status for other than MP1 11.0.7 ASoC: amd: vangogh: select CONFIG_SND_AMD_ACP_CONFIG drm/amd/display: disable RCO for DCN314 zsmalloc: allow only one active pool compaction context sched/fair: unlink misfit task from cpu overutilized sched/fair: Remove capacity inversion detection drm/amd/display: Implement workaround for writing to OTG_PIXEL_RATE_DIV register hugetlb: do not clear hugetlb dtor until allocating vmemmap netfilter: set default timeout to 3 secs for sctp shutdown send and recv state arm64/ptrace: Ensure that SME is set up for target when writing SSVE state drm/amd/pm: skip the RLC stop when S0i3 suspend for SMU v13.0.4/11 drm/amdgpu: keep irq count in amdgpu_irq_disable_all af_unix: Fix null-ptr-deref in unix_stream_sendpage(). drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove Linux 6.1.47 Change-Id: I7c55c71f43f88a1d44d39c835e3f6e58d4c86279 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
706ba4ef8d |
Merge 6.1.45 into android14-6.1-lts
Changes in 6.1.45 io_uring: gate iowait schedule on having pending requests perf: Fix function pointer case net/mlx5: Free irqs only on shutdown callback net: ipa: only reset hashed tables when supported iommu/arm-smmu-v3: Work around MMU-600 erratum 1076982 iommu/arm-smmu-v3: Document MMU-700 erratum 2812531 iommu/arm-smmu-v3: Add explicit feature for nesting iommu/arm-smmu-v3: Document nesting-related errata arm64: dts: imx8mm-venice-gw7903: disable disp_blk_ctrl arm64: dts: imx8mm-venice-gw7904: disable disp_blk_ctrl arm64: dts: phycore-imx8mm: Label typo-fix of VPU arm64: dts: phycore-imx8mm: Correction in gpio-line-names arm64: dts: imx8mn-var-som: add missing pull-up for onboard PHY reset pinmux arm64: dts: freescale: Fix VPU G2 clock firmware: smccc: Fix use of uninitialised results structure lib/bitmap: workaround const_eval test build failure firmware: arm_scmi: Fix chan_free cleanup on SMC word-at-a-time: use the same return type for has_zero regardless of endianness KVM: s390: fix sthyi error handling erofs: fix wrong primary bvec selection on deduplicated extents wifi: cfg80211: Fix return value in scan logic net/mlx5e: fix double free in macsec_fs_tx_create_crypto_table_groups net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx net/mlx5: fix potential memory leak in mlx5e_init_rep_rx net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer() net/mlx5e: Fix crash moving to switchdev mode when ntuple offload is set net/mlx5e: Move representor neigh cleanup to profile cleanup_tx bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length net: dsa: fix value check in bcm_sf2_sw_probe() perf test uprobe_from_different_cu: Skip if there is no gcc net: sched: cls_u32: Fix match key mis-addressing mISDN: hfcpci: Fix potential deadlock on &hc->lock qed: Fix scheduling in a tasklet while getting stats net: annotate data-races around sk->sk_reserved_mem net: annotate data-race around sk->sk_txrehash net: annotate data-races around sk->sk_max_pacing_rate net: add missing READ_ONCE(sk->sk_rcvlowat) annotation net: add missing READ_ONCE(sk->sk_sndbuf) annotation net: add missing READ_ONCE(sk->sk_rcvbuf) annotation net: annotate data-races around sk->sk_mark net: add missing data-race annotations around sk->sk_peek_off net: add missing data-race annotation for sk_ll_usec net: annotate data-races around sk->sk_priority net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX. ice: Fix RDMA VSI removal during queue rebuild bpf, cpumap: Handle skb as well when clean up ptr_ring net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire net: ll_temac: fix error checking of irq_of_parse_and_map() net: korina: handle clk prepare error in korina_probe() net: netsec: Ignore 'phy-mode' on SynQuacer in DT mode bnxt_en: Fix page pool logic for page size >= 64K bnxt_en: Fix max_mtu setting for multi-buf XDP net: dcb: choose correct policy to parse DCB_ATTR_BCN s390/qeth: Don't call dev_close/dev_open (DOWN/UP) ip6mr: Fix skb_under_panic in ip6mr_cache_report() vxlan: Fix nexthop hash size net/mlx5: fs_core: Make find_closest_ft more generic net/mlx5: fs_core: Skip the FTs in the same FS_TYPE_PRIO_CHAINS fs_prio prestera: fix fallback to previous version on same major version tcp_metrics: fix addr_same() helper tcp_metrics: annotate data-races around tm->tcpm_stamp tcp_metrics: annotate data-races around tm->tcpm_lock tcp_metrics: annotate data-races around tm->tcpm_vals[] tcp_metrics: annotate data-races around tm->tcpm_net tcp_metrics: fix data-race in tcpm_suck_dst() vs fastopen rust: allocator: Prevent mis-aligned allocation scsi: zfcp: Defer fc_rport blocking until after ADISC response scsi: storvsc: Limit max_sectors for virtual Fibre Channel devices libceph: fix potential hang in ceph_osdc_notify() USB: zaurus: Add ID for A-300/B-500/C-700 ceph: defer stopping mdsc delayed_work firmware: arm_scmi: Drop OF node reference in the transport channel setup exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree exfat: release s_lock before calling dir_emit() mtd: spinand: toshiba: Fix ecc_get_status mtd: rawnand: meson: fix OOB available bytes for ECC bpf: Disable preemption in bpf_perf_event_output arm64: dts: stratix10: fix incorrect I2C property for SCL signal net: tun_chr_open(): set sk_uid from current_fsuid() net: tap_open(): set sk_uid from current_fsuid() wifi: mt76: mt7615: do not advertise 5 GHz on first phy of MT7615D (DBDC) x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction rbd: prevent busy loop when requesting exclusive lock bpf: Disable preemption in bpf_event_output powerpc/ftrace: Create a dummy stackframe to fix stack unwind arm64/fpsimd: Sync and zero pad FPSIMD state for streaming SVE arm64/fpsimd: Clear SME state in the target task when setting the VL arm64/fpsimd: Sync FPSIMD state with SVE for SME only systems open: make RESOLVE_CACHED correctly test for O_TMPFILE drm/ttm: check null pointer before accessing when swapping drm/i915: Fix premature release of request's reusable memory drm/i915/gt: Cleanup aux invalidation registers clk: imx93: Propagate correct error in imx93_clocks_probe() bpf, cpumap: Make sure kthread is running before map update returns file: reinstate f_pos locking optimization for regular files mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required() fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_load_attr_list() fs/sysv: Null check to prevent null-ptr-deref bug Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb debugobjects: Recheck debug_objects_enabled before reporting net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb fs: Protect reconfiguration of sb read-write from racing writes ext2: Drop fragment support btrfs: remove BUG_ON()'s in add_new_free_space() f2fs: fix to do sanity check on direct node in truncate_dnode() io_uring: annotate offset timeout races mtd: rawnand: omap_elm: Fix incorrect type in assignment mtd: rawnand: rockchip: fix oobfree offset and description mtd: rawnand: rockchip: Align hwecc vs. raw page helper layouts mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() powerpc/mm/altmap: Fix altmap boundary check drm/imx/ipuv3: Fix front porch adjustment upon hactive aligning drm/amd/display: Ensure that planes are in the same order drm/amd/display: skip CLEAR_PAYLOAD_ID_TABLE if device mst_en is 0 selftests/rseq: Play nice with binaries statically linked against glibc 2.35+ f2fs: fix to set flush_merge opt and show noflush_merge f2fs: don't reset unchangable mount option in f2fs_remount() exfat: check if filename entries exceeds max filename length arm64/ptrace: Don't enable SVE when setting streaming SVE drm/amdgpu: add vram reservation based on vram_usagebyfirmware_v2_2 drm/amdgpu: Remove unnecessary domain argument drm/amdgpu: Use apt name for FW reserved region Revert "drm/i915: Disable DC states for all commits" x86/CPU/AMD: Do not leak quotient data after a division by 0 Linux 6.1.45 Change-Id: Ic63af3f07f26c867c9fc361b2f7055dbc04143d2 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
b435525822 |
This is the 6.1.39 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmS38qMACgkQONu9yGCS
aT56yQ//ZuDuw8Ev3HISVgZhE9FpuXC1RSYXiMCAvwA9rH3KnJ4wKVPEhEWLy9P4
jdJaatSLbLOvA7ME7JnwZxz2qahjBxo1tpx6u2S3zrzz4UlAPNLwCxTxxp4X07VI
3fBNvsmucqFSayCrA8t9xgkaJizuCvHZm7eSoyVIigPwbB5igc2b+bNSRcx1Zo+j
SHl4Y4nGK8a47XU9RSlDLVKow0/6rrQLHQ9DLpxACArRHw3h451vD0DMcgOuU/Uv
6qq9u3COcdVw3oc5VENu9XklPmvQkxo3RaCUHyRadVstuc0H/BBUDvEhPn5PcVOV
EdBWlTjmhsQo0aUziK4kotLNeX1VRgKa+rrIUBJn68OHv1SRRPZU/eJ8hkL81dCi
FDPzXDOszixO7pPv1jj7O9kNcwKPuiHPmdaNPCY6jviOHhZnAEub44DpQamxWvU/
kb5MZRRY72wt9iWeI3kscCCSbf6eyjlmDMoYIeLuYn10n7gIDU80eUOBl9bqEsz/
X+OUxaY+XuKbCoucpNmSHHLmynJ5D0CXhl/5qnlgMoSo4UJ5BUIMj2e3ZqsKLfrR
e/09MCRX79y9J+TxUunnQZfq5vBlH1tRsvUyhIfYfW4AaC9BrkOL2XZviQldKY6x
FUmsxh62O3iGRtLOWDKQA5MwoJuD54qVcHr1iidWkO2G8T3ctCc=
=kyUh
-----END PGP SIGNATURE-----
Merge 6.1.39 into android14-6.1-lts
Changes in 6.1.39
drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2
fs: pipe: reveal missing function protoypes
block: Fix the type of the second bdev_op_is_zoned_write() argument
erofs: clean up cached I/O strategies
erofs: avoid tagged pointers to mark sync decompression
erofs: remove tagged pointer helpers
erofs: move zdata.h into zdata.c
erofs: kill hooked chains to avoid loops on deduplicated compressed images
x86/resctrl: Only show tasks' pid in current pid namespace
blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost
x86/sev: Fix calculation of end address based on number of pages
virt: sevguest: Add CONFIG_CRYPTO dependency
blk-mq: fix potential io hang by wrong 'wake_batch'
lockd: drop inappropriate svc_get() from locked_get()
nvme-auth: rename __nvme_auth_[reset|free] to nvme_auth[reset|free]_dhchap
nvme-auth: rename authentication work elements
nvme-auth: remove symbol export from nvme_auth_reset
nvme-auth: no need to reset chap contexts on re-authentication
nvme-core: fix memory leak in dhchap_secret_store
nvme-core: fix memory leak in dhchap_ctrl_secret
nvme-auth: don't ignore key generation failures when initializing ctrl keys
nvme-core: add missing fault-injection cleanup
nvme-core: fix dev_pm_qos memleak
md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
md/raid10: fix overflow of md/safe_mode_delay
md/raid10: fix wrong setting of max_corr_read_errors
md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
md/raid10: fix io loss while replacement replace rdev
md/raid1-10: factor out a helper to add bio to plug
md/raid1-10: factor out a helper to submit normal write
md/raid1-10: submit write io directly if bitmap is not enabled
block: fix blktrace debugfs entries leakage
irqchip/stm32-exti: Fix warning on initialized field overwritten
irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
svcrdma: Prevent page release when nothing was received
erofs: simplify iloc()
erofs: fix compact 4B support for 16k block size
posix-timers: Prevent RT livelock in itimer_delete()
tick/rcu: Fix bogus ratelimit condition
tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode().
clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
PM: domains: fix integer overflow issues in genpd_parse_state()
perf/arm-cmn: Fix DTC reset
x86/mm: Allow guest.enc_status_change_prepare() to fail
x86/tdx: Fix race between set_memory_encrypted() and load_unaligned_zeropad()
drivers/perf: hisi: Don't migrate perf to the CPU going to teardown
powercap: RAPL: Fix CONFIG_IOSF_MBI dependency
PM: domains: Move the verification of in-params from genpd_add_device()
ARM: 9303/1: kprobes: avoid missing-declaration warnings
cpufreq: intel_pstate: Fix energy_performance_preference for passive
thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe()
rcu: Make rcu_cpu_starting() rely on interrupts being disabled
rcu-tasks: Stop rcu_tasks_invoke_cbs() from using never-onlined CPUs
rcutorture: Correct name of use_softirq module parameter
rcuscale: Move shutdown from wait_event() to wait_event_idle()
rcu/rcuscale: Move rcu_scale_*() after kfree_scale_cleanup()
rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale
kselftest: vDSO: Fix accumulation of uninitialized ret when CLOCK_REALTIME is undefined
perf/ibs: Fix interface via core pmu events
x86/mm: Fix __swp_entry_to_pte() for Xen PV guests
locking/atomic: arm: fix sync ops
evm: Complete description of evm_inode_setattr()
evm: Fix build warnings
ima: Fix build warnings
pstore/ram: Add check for kstrdup
igc: Enable and fix RX hash usage by netstack
wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation
wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
libbpf: btf_dump_type_data_check_overflow needs to consider BTF_MEMBER_BITFIELD_SIZE
samples/bpf: Fix buffer overflow in tcp_basertt
spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG
wifi: wilc1000: fix for absent RSN capabilities WFA testcase
wifi: mwifiex: Fix the size of a memory allocation in mwifiex_ret_802_11_scan()
sctp: add bpf_bypass_getsockopt proto callback
libbpf: fix offsetof() and container_of() to work with CO-RE
bpf: Don't EFAULT for {g,s}setsockopt with wrong optlen
spi: dw: Round of n_bytes to power of 2
nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()
bpftool: JIT limited misreported as negative value on aarch64
bpf: Remove bpf trampoline selector
bpf: Fix memleak due to fentry attach failure
selftests/bpf: Do not use sign-file as testcase
regulator: core: Fix more error checking for debugfs_create_dir()
regulator: core: Streamline debugfs operations
wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
wifi: atmel: Fix an error handling path in atmel_probe()
wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
wifi: ray_cs: Fix an error handling path in ray_probe()
wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
samples/bpf: xdp1 and xdp2 reduce XDPBUFSIZE to 60
wifi: ath10k: Trigger STA disconnect after reconfig complete on hardware restart
wifi: mac80211: recalc min chandef for new STA links
selftests/bpf: Fix check_mtu using wrong variable type
wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled
wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown
ice: handle extts in the miscellaneous interrupt thread
selftests: cgroup: fix unexpected failure on test_memcg_low
watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct config
watchdog/perf: more properly prevent false positives with turbo modes
kexec: fix a memory leak in crash_shrink_memory()
mmc: mediatek: Avoid ugly error message when SDIO wakeup IRQ isn't used
memstick r592: make memstick_debug_get_tpc_name() static
wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
wifi: mac80211: Fix permissions for valid_links debugfs entry
rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO
wifi: ath11k: Add missing check for ioremap
wifi: iwlwifi: pull from TXQs with softirqs disabled
wifi: iwlwifi: pcie: fix NULL pointer dereference in iwl_pcie_irq_rx_msix_handler()
wifi: mac80211: Remove "Missing iftype sband data/EHT cap" spam
wifi: cfg80211: rewrite merging of inherited elements
wifi: cfg80211: drop incorrect nontransmitted BSS update code
wifi: cfg80211: fix regulatory disconnect with OCB/NAN
wifi: cfg80211/mac80211: Fix ML element common size calculation
wifi: ieee80211: Fix the common size calculation for reconfiguration ML
mmc: Add MMC_QUIRK_BROKEN_SD_CACHE for Kingston Canvas Go Plus from 11/2019
wifi: iwlwifi: mvm: indicate HW decrypt for beacon protection
wifi: ath9k: convert msecs to jiffies where needed
bpf: Factor out socket lookup functions for the TC hookpoint.
bpf: Call __bpf_sk_lookup()/__bpf_skc_lookup() directly via TC hookpoint
bpf: Fix bpf socket lookup from tc/xdp to respect socket VRF bindings
can: length: fix bitstuffing count
can: kvaser_pciefd: Add function to set skb hwtstamps
can: kvaser_pciefd: Set hardware timestamp on transmitted packets
net: stmmac: fix double serdes powerdown
netlink: fix potential deadlock in netlink_set_err()
netlink: do not hard code device address lenth in fdb dumps
bonding: do not assume skb mac_header is set
selftests: rtnetlink: remove netdevsim device after ipsec offload test
gtp: Fix use-after-free in __gtp_encap_destroy().
net: axienet: Move reset before 64-bit DMA detection
ocfs2: Fix use of slab data with sendpage
sfc: fix crash when reading stats while NIC is resetting
net: nfc: Fix use-after-free caused by nfc_llcp_find_local
lib/ts_bm: reset initial match offset for every block of text
netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one
netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value.
ipvlan: Fix return value of ipvlan_queue_xmit()
netlink: Add __sock_i_ino() for __netlink_diag_dump().
drm/amd/display: Add logging for display MALL refresh setting
radeon: avoid double free in ci_dpm_init()
drm/amd/display: Explicitly specify update type per plane info change
drm/bridge: it6505: Move a variable assignment behind a null pointer check in receive_timing_debugfs_show()
Input: drv260x - sleep between polling GO bit
drm/bridge: ti-sn65dsi83: Fix enable error path
drm/bridge: tc358768: always enable HS video mode
drm/bridge: tc358768: fix PLL parameters computation
drm/bridge: tc358768: fix PLL target frequency
drm/bridge: tc358768: fix TCLK_ZEROCNT computation
drm/bridge: tc358768: Add atomic_get_input_bus_fmts() implementation
drm/bridge: tc358768: fix TCLK_TRAILCNT computation
drm/bridge: tc358768: fix THS_ZEROCNT computation
drm/bridge: tc358768: fix TXTAGOCNT computation
drm/bridge: tc358768: fix THS_TRAILCNT computation
drm/vram-helper: fix function names in vram helper doc
ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
ARM: dts: meson8b: correct uart_B and uart_C clock references
mm: call arch_swap_restore() from do_swap_page()
clk: vc5: Use `clamp()` to restrict PLL range
bootmem: remove the vmemmap pages from kmemleak in free_bootmem_page
clk: vc5: Fix .driver_data content in i2c_device_id
clk: vc7: Fix .driver_data content in i2c_device_id
clk: rs9: Fix .driver_data content in i2c_device_id
Input: adxl34x - do not hardcode interrupt trigger type
drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks`
drm/panel: sharp-ls043t1le01: adjust mode settings
driver: soc: xilinx: use _safe loop iterator to avoid a use after free
ASoC: Intel: sof_sdw: remove SOF_SDW_TGL_HDMI for MeteorLake devices
drm/vkms: isolate pixel conversion functionality
drm: Add fixed-point helper to get rounded integer values
drm/vkms: Fix RGB565 pixel conversion
ARM: dts: stm32: Move ethernet MAC EEPROM from SoM to carrier boards
bus: ti-sysc: Fix dispc quirk masking bool variables
arm64: dts: microchip: sparx5: do not use PSCI on reference boards
drm/bridge: tc358767: Switch to devm MIPI-DSI helpers
clk: imx: scu: use _safe list iterator to avoid a use after free
hwmon: (f71882fg) prevent possible division by zero
RDMA/bnxt_re: Disable/kill tasklet only if it is enabled
RDMA/bnxt_re: Fix to remove unnecessary return labels
RDMA/bnxt_re: Use unique names while registering interrupts
RDMA/bnxt_re: Remove a redundant check inside bnxt_re_update_gid
RDMA/bnxt_re: Fix to remove an unnecessary log
drm/msm/dsi: don't allow enabling 14nm VCO with unprogrammed rate
drm/msm/disp/dpu: get timing engine status from intf status register
drm/msm/dpu: Set DPU_DATA_HCTL_EN for in INTF_SC7180_MASK
iommu/virtio: Detach domain on endpoint release
iommu/virtio: Return size mapped for a detached domain
clk: renesas: rzg2l: Fix CPG_SIPLL5_CLK1 register write
ARM: dts: gta04: Move model property out of pinctrl node
drm/bridge: anx7625: Convert to i2c's .probe_new()
drm/bridge: anx7625: Prevent endless probe loop
ARM: dts: qcom: msm8974: do not use underscore in node name (again)
arm64: dts: qcom: msm8916: correct camss unit address
arm64: dts: qcom: msm8916: correct MMC unit address
arm64: dts: qcom: msm8994: correct SPMI unit address
arm64: dts: qcom: msm8996: correct camss unit address
arm64: dts: qcom: sdm630: correct camss unit address
arm64: dts: qcom: sdm845: correct camss unit address
arm64: dts: qcom: sm8350: Add GPI DMA compatible fallback
arm64: dts: qcom: sm8350: correct DMA controller unit address
arm64: dts: qcom: sdm845-polaris: add missing touchscreen child node reg
arm64: dts: qcom: apq8016-sbc: Fix regulator constraints
arm64: dts: qcom: apq8016-sbc: Fix 1.8V power rail on LS expansion
drm/bridge: Introduce pre_enable_prev_first to alter bridge init order
drm/bridge: ti-sn65dsi83: Fix enable/disable flow to meet spec
drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
ARM: ep93xx: fix missing-prototype warnings
ARM: omap2: fix missing tick_broadcast() prototype
arm64: dts: qcom: pm7250b: add missing spmi-vadc include
arm64: dts: qcom: apq8096: fix fixed regulator name property
arm64: dts: mediatek: mt8183: Add mediatek,broken-save-restore-fw to kukui
ARM: dts: stm32: Shorten the AV96 HDMI sound card name
memory: brcmstb_dpfe: fix testing array offset after use
ARM: dts: qcom: apq8074-dragonboard: Set DMA as remotely controlled
ASoC: es8316: Increment max value for ALC Capture Target Volume control
ASoC: es8316: Do not set rate constraints for unsupported MCLKs
ARM: dts: meson8: correct uart_B and uart_C clock references
soc/fsl/qe: fix usb.c build errors
RDMA/irdma: avoid fortify-string warning in irdma_clr_wqes
IB/hfi1: Fix wrong mmu_node used for user SDMA packet after invalidate
RDMA/hns: Fix hns_roce_table_get return value
ARM: dts: iwg20d-q7-common: Fix backlight pwm specifier
arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
drm/msm/dpu: set DSC flush bit correctly at MDP CTL flush register
fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()
arm64: dts: ti: k3-j7200: Fix physical address of pin
Input: pm8941-powerkey - fix debounce on gen2+ PMICs
ARM: dts: stm32: Fix audio routing on STM32MP15xx DHCOM PDK2
ARM: dts: stm32: fix i2s endpoint format property for stm32mp15xx-dkx
hwmon: (gsc-hwmon) fix fan pwm temperature scaling
hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on ADM1272
ARM: dts: BCM5301X: fix duplex-full => full-duplex
clk: Export clk_hw_forward_rate_request()
drm/amd/display: Fix a test CalculatePrefetchSchedule()
drm/amd/display: Fix a test dml32_rq_dlg_get_rq_reg()
drm/amdkfd: Fix potential deallocation of previously deallocated memory.
soc: mediatek: SVS: Fix MT8192 GPU node name
drm/amd/display: Fix artifacting on eDP panels when engaging freesync video mode
drm/radeon: fix possible division-by-zero errors
HID: uclogic: Modular KUnit tests should not depend on KUNIT=y
RDMA/rxe: Add ibdev_dbg macros for rxe
RDMA/rxe: Replace pr_xxx by rxe_dbg_xxx in rxe_mw.c
RDMA/rxe: Fix access checks in rxe_check_bind_mw
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
drm/msm/a5xx: really check for A510 in a5xx_gpu_init
RDMA/bnxt_re: wraparound mbox producer index
RDMA/bnxt_re: Avoid calling wake_up threads from spin_lock context
clk: imx: clk-imxrt1050: fix memory leak in imxrt1050_clocks_probe
clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe
clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe
clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()
arm64: dts: qcom: sdm845: Flush RSC sleep & wake votes
arm64: dts: qcom: sm8250-edo: Panel framebuffer is 2.5k instead of 4k
clk: bcm: rpi: Fix off by one in raspberrypi_discover_clocks()
clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()
clk: tegra: tegra124-emc: Fix potential memory leak
ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
drm/msm/dpu: do not enable color-management if DSPPs are not available
drm/msm/dpu: Fix slice_last_group_size calculation
drm/msm/dsi: Use DSC slice(s) packet size to compute word count
drm/msm/dsi: Flip greater-than check for slice_count and slice_per_intf
drm/msm/dsi: Remove incorrect references to slice_count
drm/msm/dp: Free resources after unregistering them
arm64: dts: mediatek: Add cpufreq nodes for MT8192
arm64: dts: mediatek: mt8192: Fix CPUs capacity-dmips-mhz
drm/amdgpu: Fix memcpy() in sienna_cichlid_append_powerplay_table function.
drm/amdgpu: Fix usage of UMC fill record in RAS
drm/msm/dpu: correct MERGE_3D length
clk: vc5: check memory returned by kasprintf()
clk: cdce925: check return value of kasprintf()
clk: si5341: return error if one synth clock registration fails
clk: si5341: check return value of {devm_}kasprintf()
clk: si5341: free unused memory on probe failure
clk: keystone: sci-clk: check return value of kasprintf()
clk: ti: clkctrl: check return value of kasprintf()
drivers: meson: secure-pwrc: always enable DMA domain
ovl: update of dentry revalidate flags after copy up
ASoC: imx-audmix: check return value of devm_kasprintf()
clk: Fix memory leak in devm_clk_notifier_register()
ARM: dts: lan966x: kontron-d10: fix board reset
ARM: dts: lan966x: kontron-d10: fix SPI CS
ASoC: amd: acp: clear pdm dma interrupt mask
PCI: cadence: Fix Gen2 Link Retraining process
PCI: vmd: Reset VMD config register between soft reboots
scsi: qedf: Fix NULL dereference in error handling
pinctrl: bcm2835: Handle gpiochip_add_pin_range() errors
platform/x86: lenovo-yogabook: Fix work race on remove()
platform/x86: lenovo-yogabook: Reprobe devices on remove()
platform/x86: lenovo-yogabook: Set default keyboard backligh brightness on probe()
PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free
scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
PCI: pciehp: Cancel bringup sequence if card is not present
PCI: ftpci100: Release the clock resources
pinctrl: sunplus: Add check for kmalloc
PCI: Add pci_clear_master() stub for non-CONFIG_PCI
scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state
perf bench: Add missing setlocale() call to allow usage of %'d style formatting
pinctrl: cherryview: Return correct value if pin in push-pull mode
platform/x86: think-lmi: mutex protection around multiple WMI calls
platform/x86: think-lmi: Correct System password interface
platform/x86: think-lmi: Correct NVME password handling
pinctrl:sunplus: Add check for kmalloc
pinctrl: npcm7xx: Add missing check for ioremap
kcsan: Don't expect 64 bits atomic builtins from 32 bits architectures
powerpc/interrupt: Don't read MSR from interrupt_exit_kernel_prepare()
powerpc/signal32: Force inlining of __unsafe_save_user_regs() and save_tm_user_regs_unsafe()
perf script: Fix allocation of evsel->priv related to per-event dump files
platform/x86: thinkpad_acpi: Fix lkp-tests warnings for platform profiles
perf dwarf-aux: Fix off-by-one in die_get_varname()
platform/x86/dell/dell-rbtn: Fix resources leaking on error path
perf tool x86: Consolidate is_amd check into single function
perf tool x86: Fix perf_env memory leak
powerpc/64s: Fix VAS mm use after free
pinctrl: microchip-sgpio: check return value of devm_kasprintf()
pinctrl: at91-pio4: check return value of devm_kasprintf()
powerpc/powernv/sriov: perform null check on iov before dereferencing iov
powerpc: simplify ppc_save_regs
powerpc: update ppc_save_regs to save current r1 in pt_regs
PCI: qcom: Remove PCIE20_ prefix from register definitions
PCI: qcom: Sort and group registers and bitfield definitions
PCI: qcom: Use lower case for hex
PCI: qcom: Use DWC helpers for modifying the read-only DBI registers
PCI: qcom: Disable write access to read only registers for IP v2.9.0
riscv: uprobes: Restore thread.bad_cause
powerpc/book3s64/mm: Fix DirectMap stats in /proc/meminfo
powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-boundary
PCI: endpoint: Fix Kconfig indent style
PCI: endpoint: Fix a Kconfig prompt of vNTB driver
PCI: endpoint: functions/pci-epf-test: Fix dma_chan direction
PCI: vmd: Fix uninitialized variable usage in vmd_enable_domain()
vfio/mdev: Move the compat_class initialization to module init
hwrng: virtio - Fix race on data_avail and actual data
modpost: remove broken calculation of exception_table_entry size
crypto: nx - fix build warnings when DEBUG_FS is not enabled
modpost: fix section mismatch message for R_ARM_ABS32
modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
crypto: marvell/cesa - Fix type mismatch warning
crypto: jitter - correct health test during initialization
modpost: fix off by one in is_executable_section()
ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard
crypto: kpp - Add helper to set reqsize
crypto: qat - Use helper to set reqsize
crypto: qat - unmap buffer before free for DH
crypto: qat - unmap buffers before free for RSA
NFSv4.2: fix wrong shrinker_id
NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION
SMB3: Do not send lease break acknowledgment if all file handles have been closed
dax: Fix dax_mapping_release() use after free
dax: Introduce alloc_dev_dax_id()
dax/kmem: Pass valid argument to memory_group_register_static
hwrng: st - keep clock enabled while hwrng is registered
kbuild: Disable GCOV for *.mod.o
efi/libstub: Disable PCI DMA before grabbing the EFI memory map
cifs: prevent use-after-free by freeing the cfile later
cifs: do all necessary checks for credits within or before locking
smb: client: fix broken file attrs with nodfs mounts
ksmbd: avoid field overflow warning
arm64: sme: Use STR P to clear FFR context field in streaming SVE mode
x86/efi: Make efi_set_virtual_address_map IBT safe
md/raid1-10: fix casting from randomized structure in raid1_submit_write()
USB: serial: option: add LARA-R6 01B PIDs
usb: dwc3: gadget: Propagate core init errors to UDC during pullup
phy: tegra: xusb: Clear the driver reference in usb-phy dev
iio: adc: ad7192: Fix null ad7192_state pointer access
iio: adc: ad7192: Fix internal/external clock selection
iio: accel: fxls8962af: errata bug only applicable for FXLS8962AF
iio: accel: fxls8962af: fixup buffer scan element type
Revert "drm/amd/display: edp do not add non-edid timings"
mm/mmap: Fix VM_LOCKED check in do_vmi_align_munmap()
ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook
ALSA: hda/realtek: Add quirk for Clevo NPx0SNx
ALSA: jack: Fix mutex call in snd_jack_report()
ALSA: pcm: Fix potential data race at PCM memory allocation helpers
block: fix signed int overflow in Amiga partition support
block: add overflow checks for Amiga partition support
block: change all __u32 annotations to __be32 in affs_hardblocks.h
block: increment diskseq on all media change events
btrfs: fix race when deleting free space root from the dirty cow roots list
SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
w1: w1_therm: fix locking behavior in convert_t
w1: fix loop in w1_fini()
dt-bindings: power: reset: qcom-pon: Only allow reboot-mode pre-pmk8350
f2fs: do not allow to defragment files have FI_COMPRESS_RELEASED
sh: j2: Use ioremap() to translate device tree address into kernel memory
usb: dwc2: platform: Improve error reporting for problems during .remove()
usb: dwc2: Fix some error handling paths
serial: 8250: omap: Fix freeing of resources on failed register
clk: qcom: mmcc-msm8974: remove oxili_ocmemgx_clk
clk: qcom: camcc-sc7180: Add parent dependency to all camera GDSCs
clk: qcom: gcc-ipq6018: Use floor ops for sdcc clocks
clk: qcom: gcc-qcm2290: Mark RCGs shared where applicable
media: usb: Check az6007_read() return value
media: amphion: drop repeated codec data for vc1l format
media: amphion: drop repeated codec data for vc1g format
media: amphion: initiate a drain of the capture queue in dynamic resolution change
media: videodev2.h: Fix struct v4l2_input tuner index comment
media: usb: siano: Fix warning due to null work_func_t function pointer
media: i2c: Correct format propagation for st-mipid02
media: hi846: fix usage of pm_runtime_get_if_in_use()
media: mediatek: vcodec: using decoder status instead of core work count
clk: qcom: reset: support resetting multiple bits
clk: qcom: ipq6018: fix networking resets
clk: qcom: dispcc-qcm2290: Fix BI_TCXO_AO handling
clk: qcom: dispcc-qcm2290: Fix GPLL0_OUT_DIV handling
clk: qcom: mmcc-msm8974: use clk_rcg2_shared_ops for mdp_clk_src clock
staging: vchiq_arm: mark vchiq_platform_init() static
usb: dwc3: qcom: Fix potential memory leak
usb: gadget: u_serial: Add null pointer check in gserial_suspend
extcon: Fix kernel doc of property fields to avoid warnings
extcon: Fix kernel doc of property capability fields to avoid warnings
usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
usb: hide unused usbfs_notify_suspend/resume functions
usb: misc: eud: Fix eud sysfs path (use 'qcom_eud')
serial: core: lock port for stop_rx() in uart_suspend_port()
serial: 8250: lock port for stop_rx() in omap8250_irq()
serial: core: lock port for start_rx() in uart_resume_port()
serial: 8250: lock port for UART_IER access in omap8250_irq()
kernfs: fix missing kernfs_idr_lock to remove an ID from the IDR
lkdtm: replace ll_rw_block with submit_bh
i3c: master: svc: fix cpu schedule in spin lock
coresight: Fix loss of connection info when a module is unloaded
mfd: rt5033: Drop rt5033-battery sub-device
media: venus: helpers: Fix ALIGN() of non power of two
media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var()
sh: Avoid using IRQ0 on SH3 and SH4
gfs2: Fix duplicate should_fault_in_pages() call
f2fs: fix potential deadlock due to unpaired node_write lock use
f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()
KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove()
usb: dwc3: qcom: Fix an error handling path in dwc3_qcom_probe()
usb: common: usb-conn-gpio: Set last role to unknown before initial detection
usb: dwc3-meson-g12a: Fix an error handling path in dwc3_meson_g12a_probe()
mfd: wcd934x: Fix an error handling path in wcd934x_slim_probe()
mfd: intel-lpss: Add missing check for platform_get_resource
Revert "usb: common: usb-conn-gpio: Set last role to unknown before initial detection"
serial: 8250_omap: Use force_suspend and resume for system suspend
device property: Fix documentation for fwnode_get_next_parent()
device property: Clarify description of returned value in some functions
drivers: fwnode: fix fwnode_irq_get[_byname]()
nvmem: sunplus-ocotp: release otp->clk before return
nvmem: rmem: Use NVMEM_DEVID_AUTO
bus: fsl-mc: don't assume child devices are all fsl-mc devices
mfd: stmfx: Fix error path in stmfx_chip_init
mfd: stmfx: Nullify stmfx->vdd in case of error
KVM: s390: vsie: fix the length of APCB bitmap
KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler
cpufreq: mediatek: correct voltages for MT7622 and MT7623
misc: fastrpc: check return value of devm_kasprintf()
clk: qcom: mmcc-msm8974: fix MDSS_GDSC power flags
hwtracing: hisi_ptt: Fix potential sleep in atomic context
mfd: stmpe: Only disable the regulators if they are enabled
phy: tegra: xusb: check return value of devm_kzalloc()
lib/bitmap: drop optimization of bitmap_{from,to}_arr64
pwm: imx-tpm: force 'real_period' to be zero in suspend
pwm: sysfs: Do not apply state to already disabled PWMs
pwm: ab8500: Fix error code in probe()
pwm: mtk_disp: Fix the disable flow of disp_pwm
md/raid10: fix the condition to call bio_end_io_acct()
rtc: st-lpc: Release some resources in st_rtc_probe() in case of error
drm/i915/psr: Use hw.adjusted mode when calculating io/fast wake times
drm/i915/guc/slpc: Apply min softlimit correctly
f2fs: check return value of freeze_super()
media: cec: i2c: ch7322: also select REGMAP
sctp: fix potential deadlock on &net->sctp.addr_wq_lock
net/sched: act_ipt: add sanity checks on table name and hook locations
net: add a couple of helpers for iph tot_len
net/sched: act_ipt: add sanity checks on skb before calling target
spi: spi-geni-qcom: enable SPI_CONTROLLER_MUST_TX for GPI DMA mode
net: mscc: ocelot: don't report that RX timestamping is enabled by default
net: mscc: ocelot: don't keep PTP configuration of all ports in single structure
net: dsa: felix: don't drop PTP frames with tag_8021q when RX timestamping is disabled
net: dsa: sja1105: always enable the INCL_SRCPT option
net: dsa: tag_sja1105: always prefer source port information from INCL_SRCPT
Add MODULE_FIRMWARE() for FIRMWARE_TG357766.
Bluetooth: fix invalid-bdaddr quirk for non-persistent setup
Bluetooth: ISO: use hci_sync for setting CIG parameters
Bluetooth: MGMT: add CIS feature bits to controller information
Bluetooth: MGMT: Use BIT macro when defining bitfields
Bluetooth: MGMT: Fix marking SCAN_RSP as not connectable
ibmvnic: Do not reset dql stats on NON_FATAL err
net: dsa: vsc73xx: fix MTU configuration
mlxsw: minimal: fix potential memory leak in mlxsw_m_linecards_init
spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
drm/amdgpu: fix number of fence calculations
drm/amd: Don't try to enable secure display TA multiple times
mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0
f2fs: fix error path handling in truncate_dnode()
octeontx2-af: Fix mapping for NIX block from CGX connection
octeontx2-af: Add validation before accessing cgx and lmac
ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()
powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
powerpc: dts: turris1x.dts: Fix PCIe MEM size for pci2 node
net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode
net: dsa: tag_sja1105: fix source port decoding in vlan_filtering=0 bridge mode
net: fix net_dev_start_xmit trace event vs skb_transport_offset()
tcp: annotate data races in __tcp_oow_rate_limited()
bpf, btf: Warn but return no error for NULL btf from __register_btf_kfunc_id_set()
xsk: Honor SO_BINDTODEVICE on bind
net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
fanotify: disallow mount/sb marks on kernel internal pseudo fs
riscv: move memblock_allow_resize() after linear mapping is ready
pptp: Fix fib lookup calls.
net: dsa: tag_sja1105: fix MAC DA patching from meta frames
net: dsa: sja1105: always enable the send_meta options
octeontx-af: fix hardware timestamp configuration
afs: Fix accidental truncation when storing data
s390/qeth: Fix vipa deletion
sh: dma: Fix DMA channel offset calculation
apparmor: fix missing error check for rhashtable_insert_fast
i2c: xiic: Don't try to handle more interrupt events after error
dm: fix undue/missing spaces
dm: avoid split of quoted strings where possible
dm ioctl: have constant on the right side of the test
dm ioctl: Avoid double-fetch of version
extcon: usbc-tusb320: Convert to i2c's .probe_new()
extcon: usbc-tusb320: Unregister typec port on driver removal
btrfs: do not BUG_ON() on tree mod log failure at balance_level()
i2c: qup: Add missing unwind goto in qup_i2c_probe()
irqchip/loongson-pch-pic: Fix potential incorrect hwirq assignment
NFSD: add encoding of op_recall flag for write delegation
irqchip/loongson-pch-pic: Fix initialization of HT vector register
io_uring: wait interruptibly for request completions on exit
mmc: core: disable TRIM on Kingston EMMC04G-M627
mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
mmc: mmci: Set PROBE_PREFER_ASYNCHRONOUS
mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used.
wifi: cfg80211: fix regulatory disconnect for non-MLO
wifi: ath10k: Serialize wake_tx_queue ops
wifi: mt76: mt7921e: fix init command fail with enabled device
bcache: fixup btree_cache_wait list damage
bcache: Remove unnecessary NULL point check in node allocations
bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent
watch_queue: prevent dangling pipe pointer
um: Use HOST_DIR for mrproper
integrity: Fix possible multiple allocation in integrity_inode_get()
autofs: use flexible array in ioctl structure
mm/damon/ops-common: atomically test and clear young on ptes and pmds
shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs
jffs2: reduce stack usage in jffs2_build_xattr_subsystem()
fs: avoid empty option when generating legacy mount string
ext4: Remove ext4 locking of moved directory
Revert "f2fs: fix potential corruption when moving a directory"
fs: Establish locking order for unrelated directories
fs: Lock moved directories
i2c: nvidia-gpu: Add ACPI property to align with device-tree
i2c: nvidia-gpu: Remove ccgx,firmware-build property
usb: typec: ucsi: Mark dGPUs as DEVICE scope
ipvs: increase ip_vs_conn_tab_bits range for 64BIT
btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile
btrfs: delete unused BGs while reclaiming BGs
btrfs: bail out reclaim process if filesystem is read-only
btrfs: add block-group tree to lockdep classes
btrfs: reinsert BGs failed to reclaim
btrfs: fix race when deleting quota root from the dirty cow roots list
btrfs: fix extent buffer leak after tree mod log failure at split_node()
btrfs: do not BUG_ON() on tree mod log failure at __btrfs_cow_block()
ASoC: mediatek: mt8173: Fix irq error path
ASoC: mediatek: mt8173: Fix snd_soc_component_initialize error path
regulator: tps65219: Fix matching interrupts for their regulators
ARM: dts: qcom: ipq4019: fix broken NAND controller properties override
ARM: orion5x: fix d2net gpio initialization
leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename
blktrace: use inline function for blk_trace_remove() while blktrace is disabled
fs: no need to check source
xfs: explicitly specify cpu when forcing inodegc delayed work to run immediately
xfs: check that per-cpu inodegc workers actually run on that cpu
xfs: disable reaping in fscounters scrub
xfs: fix xfs_inodegc_stop racing with mod_delayed_work
mm/mmap: Fix extra maple tree write
drm/i915: Fix TypeC mode initialization during system resume
drm/i915/tc: Fix TC port link ref init for DP MST during HW readout
drm/i915/tc: Fix system resume MST mode restore for DP-alt sinks
mtd: parsers: refer to ARCH_BCMBCA instead of ARCH_BCM4908
netfilter: nf_tables: unbind non-anonymous set if rule construction fails
netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
netfilter: nf_tables: do not ignore genmask when looking up chain by id
netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
wireguard: queueing: use saner cpu selection wrapping
wireguard: netlink: send staged packets when setting initial private key
tty: serial: fsl_lpuart: add earlycon for imx8ulp platform
block/partition: fix signedness issue for Amiga partitions
sh: mach-r2d: Handle virq offset in cascaded IRL demux
sh: mach-highlander: Handle virq offset in cascaded IRL demux
sh: mach-dreamcast: Handle virq offset in cascaded IRQ demux
sh: hd64461: Handle virq offset for offchip IRQ base and HD64461 IRQ
io_uring: Use io_schedule* in cqring wait
Linux 6.1.39
Change-Id: I5867c943c99c157fa599ecd08da961c632e58302
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Konstantin Komarov
|
9e79f3e8f1 |
fs/ntfs3: Mark ntfs dirty when on-disk struct is corrupted
[ Upstream commit e0f363a98830e8d7d70fbaf91c07ae0b7c57aafe ] Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Jia-Ju Bai
|
1e2205568b |
fs: ntfs3: Fix possible null-pointer dereferences in mi_read()
[ Upstream commit 97498cd610c0d030a7bd49a7efad974790661162 ]
In a previous commit 2681631c2973 ("fs/ntfs3: Add null pointer check to
attr_load_runs_vcn"), ni can be NULL in attr_load_runs_vcn(), and thus it
should be checked before being used.
However, in the call stack of this commit, mft_ni in mi_read() is
aliased with ni in attr_load_runs_vcn(), and it is also used in
mi_read() at two places:
mi_read()
rw_lock = &mft_ni->file.run_lock -> No check
attr_load_runs_vcn(mft_ni, ...)
ni (namely mft_ni) is checked in the previous commit
attr_load_runs_vcn(..., &mft_ni->file.run) -> No check
Thus, to avoid possible null-pointer dereferences, the related checks
should be added.
These bugs are reported by a static analysis tool implemented by myself,
and they are found by extending a known bug fixed in the previous commit.
Thus, they could be theoretical bugs.
Signed-off-by: Jia-Ju Bai <baijiaju@buaa.edu.cn>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Edward Lo
|
4246bbef04 |
fs/ntfs3: Enhance sanity check while generating attr_list
[ Upstream commit fdec309c7672cbee4dc0229ee4cbb33c948a1bdd ] ni_create_attr_list uses WARN_ON to catch error cases while generating attribute list, which only prints out stack trace and may not be enough. This repalces them with more proper error handling flow. [ 59.666332] BUG: kernel NULL pointer dereference, address: 000000000000000e [ 59.673268] #PF: supervisor read access in kernel mode [ 59.678354] #PF: error_code(0x0000) - not-present page [ 59.682831] PGD 8000000005ff1067 P4D 8000000005ff1067 PUD 7dee067 PMD 0 [ 59.688556] Oops: 0000 [#1] PREEMPT SMP KASAN PTI [ 59.692642] CPU: 0 PID: 198 Comm: poc Tainted: G B W 6.2.0-rc1+ #4 [ 59.698868] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 59.708795] RIP: 0010:ni_create_attr_list+0x505/0x860 [ 59.713657] Code: 7e 10 e8 5e d0 d0 ff 45 0f b7 76 10 48 8d 7b 16 e8 00 d1 d0 ff 66 44 89 73 16 4d 8d 75 0e 4c 89 f7 e8 3f d0 d0 ff 4c 8d8 [ 59.731559] RSP: 0018:ffff88800a56f1e0 EFLAGS: 00010282 [ 59.735691] RAX: 0000000000000001 RBX: ffff88800b7b5088 RCX: ffffffffb83079fe [ 59.741792] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffffbb7f9fc0 [ 59.748423] RBP: ffff88800a56f3a8 R08: ffff88800b7b50a0 R09: fffffbfff76ff3f9 [ 59.754654] R10: ffffffffbb7f9fc7 R11: fffffbfff76ff3f8 R12: ffff88800b756180 [ 59.761552] R13: 0000000000000000 R14: 000000000000000e R15: 0000000000000050 [ 59.768323] FS: 00007feaa8c96440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000 [ 59.776027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 59.781395] CR2: 00007f3a2e0b1000 CR3: 000000000a5bc000 CR4: 00000000000006f0 [ 59.787607] Call Trace: [ 59.790271] <TASK> [ 59.792488] ? __pfx_ni_create_attr_list+0x10/0x10 [ 59.797235] ? kernel_text_address+0xd3/0xe0 [ 59.800856] ? unwind_get_return_address+0x3e/0x60 [ 59.805101] ? __kasan_check_write+0x18/0x20 [ 59.809296] ? preempt_count_sub+0x1c/0xd0 [ 59.813421] ni_ins_attr_ext+0x52c/0x5c0 [ 59.817034] ? __pfx_ni_ins_attr_ext+0x10/0x10 [ 59.821926] ? __vfs_setxattr+0x121/0x170 [ 59.825718] ? __vfs_setxattr_noperm+0x97/0x300 [ 59.829562] ? __vfs_setxattr_locked+0x145/0x170 [ 59.833987] ? vfs_setxattr+0x137/0x2a0 [ 59.836732] ? do_setxattr+0xce/0x150 [ 59.839807] ? setxattr+0x126/0x140 [ 59.842353] ? path_setxattr+0x164/0x180 [ 59.845275] ? __x64_sys_setxattr+0x71/0x90 [ 59.848838] ? do_syscall_64+0x3f/0x90 [ 59.851898] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 59.857046] ? stack_depot_save+0x17/0x20 [ 59.860299] ni_insert_attr+0x1ba/0x420 [ 59.863104] ? __pfx_ni_insert_attr+0x10/0x10 [ 59.867069] ? preempt_count_sub+0x1c/0xd0 [ 59.869897] ? _raw_spin_unlock_irqrestore+0x2b/0x50 [ 59.874088] ? __create_object+0x3ae/0x5d0 [ 59.877865] ni_insert_resident+0xc4/0x1c0 [ 59.881430] ? __pfx_ni_insert_resident+0x10/0x10 [ 59.886355] ? kasan_save_alloc_info+0x1f/0x30 [ 59.891117] ? __kasan_kmalloc+0x8b/0xa0 [ 59.894383] ntfs_set_ea+0x90d/0xbf0 [ 59.897703] ? __pfx_ntfs_set_ea+0x10/0x10 [ 59.901011] ? kernel_text_address+0xd3/0xe0 [ 59.905308] ? __kernel_text_address+0x16/0x50 [ 59.909811] ? unwind_get_return_address+0x3e/0x60 [ 59.914898] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 59.920250] ? arch_stack_walk+0xa2/0x100 [ 59.924560] ? filter_irq_stacks+0x27/0x80 [ 59.928722] ntfs_setxattr+0x405/0x440 [ 59.932512] ? __pfx_ntfs_setxattr+0x10/0x10 [ 59.936634] ? kvmalloc_node+0x2d/0x120 [ 59.940378] ? kasan_save_stack+0x41/0x60 [ 59.943870] ? kasan_save_stack+0x2a/0x60 [ 59.947719] ? kasan_set_track+0x29/0x40 [ 59.951417] ? kasan_save_alloc_info+0x1f/0x30 [ 59.955733] ? __kasan_kmalloc+0x8b/0xa0 [ 59.959598] ? __kmalloc_node+0x68/0x150 [ 59.963163] ? kvmalloc_node+0x2d/0x120 [ 59.966490] ? vmemdup_user+0x2b/0xa0 [ 59.969060] __vfs_setxattr+0x121/0x170 [ 59.972456] ? __pfx___vfs_setxattr+0x10/0x10 [ 59.976008] __vfs_setxattr_noperm+0x97/0x300 [ 59.981562] __vfs_setxattr_locked+0x145/0x170 [ 59.986100] vfs_setxattr+0x137/0x2a0 [ 59.989964] ? __pfx_vfs_setxattr+0x10/0x10 [ 59.993616] ? __kasan_check_write+0x18/0x20 [ 59.997425] do_setxattr+0xce/0x150 [ 60.000304] setxattr+0x126/0x140 [ 60.002967] ? __pfx_setxattr+0x10/0x10 [ 60.006471] ? __virt_addr_valid+0xcb/0x140 [ 60.010461] ? __call_rcu_common.constprop.0+0x1c7/0x330 [ 60.016037] ? debug_smp_processor_id+0x1b/0x30 [ 60.021008] ? kasan_quarantine_put+0x5b/0x190 [ 60.025545] ? putname+0x84/0xa0 [ 60.027910] ? __kasan_slab_free+0x11e/0x1b0 [ 60.031483] ? putname+0x84/0xa0 [ 60.033986] ? preempt_count_sub+0x1c/0xd0 [ 60.036876] ? __mnt_want_write+0xae/0x100 [ 60.040738] ? mnt_want_write+0x8f/0x150 [ 60.044317] path_setxattr+0x164/0x180 [ 60.048096] ? __pfx_path_setxattr+0x10/0x10 [ 60.052096] ? strncpy_from_user+0x175/0x1c0 [ 60.056482] ? debug_smp_processor_id+0x1b/0x30 [ 60.059848] ? fpregs_assert_state_consistent+0x6b/0x80 [ 60.064557] __x64_sys_setxattr+0x71/0x90 [ 60.068892] do_syscall_64+0x3f/0x90 [ 60.072868] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 60.077523] RIP: 0033:0x7feaa86e4469 [ 60.080915] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 [ 60.097353] RSP: 002b:00007ffdbd8311e8 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc [ 60.103386] RAX: ffffffffffffffda RBX: 9461c5e290baac00 RCX: 00007feaa86e4469 [ 60.110322] RDX: 00007ffdbd831fe0 RSI: 00007ffdbd831305 RDI: 00007ffdbd831263 [ 60.116808] RBP: 00007ffdbd836180 R08: 0000000000000001 R09: 00007ffdbd836268 [ 60.123879] R10: 000000000000007d R11: 0000000000000286 R12: 0000000000400500 [ 60.130540] R13: 00007ffdbd836260 R14: 0000000000000000 R15: 0000000000000000 [ 60.136553] </TASK> [ 60.138818] Modules linked in: [ 60.141839] CR2: 000000000000000e [ 60.144831] ---[ end trace 0000000000000000 ]--- [ 60.149058] RIP: 0010:ni_create_attr_list+0x505/0x860 [ 60.153975] Code: 7e 10 e8 5e d0 d0 ff 45 0f b7 76 10 48 8d 7b 16 e8 00 d1 d0 ff 66 44 89 73 16 4d 8d 75 0e 4c 89 f7 e8 3f d0 d0 ff 4c 8d8 [ 60.172443] RSP: 0018:ffff88800a56f1e0 EFLAGS: 00010282 [ 60.176246] RAX: 0000000000000001 RBX: ffff88800b7b5088 RCX: ffffffffb83079fe [ 60.182752] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffffbb7f9fc0 [ 60.189949] RBP: ffff88800a56f3a8 R08: ffff88800b7b50a0 R09: fffffbfff76ff3f9 [ 60.196950] R10: ffffffffbb7f9fc7 R11: fffffbfff76ff3f8 R12: ffff88800b756180 [ 60.203671] R13: 0000000000000000 R14: 000000000000000e R15: 0000000000000050 [ 60.209595] FS: 00007feaa8c96440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000 [ 60.216299] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 60.222276] CR2: 00007f3a2e0b1000 CR3: 000000000a5bc000 CR4: 00000000000006f0 Signed-off-by: Edward Lo <loyuantsung@gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Tetsuo Handa
|
ccc6de4d4f |
fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_load_attr_list()
commit ea303f72d70ce2f0b0aa94ab127085289768c5a6 upstream. syzbot is reporting too large allocation at ntfs_load_attr_list(), for a crafted filesystem can have huge data_size. Reported-by: syzbot <syzbot+89dbb3a789a5b9711793@syzkaller.appspotmail.com> Link: https://syzkaller.appspot.com/bug?extid=89dbb3a789a5b9711793 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
1ef7816a50 |
Merge branch 'android14-6.1' into 'android14-6.1-lts'
Catches the android14-6.1-lts branch up with the android14-6.1 branch which has had a lot of changes that are needed here to resolve future LTS merges and to ensure that the ABI is kept stable. It contains the following commits: * |
||
|
Konstantin Komarov
|
0ee75a672c |
UPSTREAM: fs/ntfs3: Check fields while reading
commit 0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b upstream. Added new functions index_hdr_check and index_buf_check. Now we check all stuff for correctness while reading from disk. Also fixed bug with stale nfs data. Bug: 286390611 Reported-by: van fantasy <g1042620637@gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Fixes: |
||
|
Konstantin Komarov
|
000a9a72ef |
fs/ntfs3: Check fields while reading
commit 0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b upstream.
Added new functions index_hdr_check and index_buf_check.
Now we check all stuff for correctness while reading from disk.
Also fixed bug with stale nfs data.
Reported-by: van fantasy <g1042620637@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Fixes:
|
||
|
Zeng Heng
|
c86a2517df |
ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()
[ Upstream commit 3c675ddffb17a8b1e32efad5c983254af18b12c2 ]
Here is a BUG report from syzbot:
BUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
BUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
Read of size 1 at addr ffff888021acaf3d by task syz-executor128/3632
Call Trace:
ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
vfs_listxattr fs/xattr.c:457 [inline]
listxattr+0x293/0x2d0 fs/xattr.c:804
Fix the logic of ea_all iteration. When the ea->name_len is 0,
return immediately, or Add2Ptr() would visit invalid memory
in the next loop.
Fixes:
|
||
|
Greg Kroah-Hartman
|
2a77668d45 |
This is the 6.1.33 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmSC5VIACgkQONu9yGCS
aT5RPhAAiVFNzTuQT4DtPzXUzl9hpNtdtZPVa/z28+SbOZyf2YgyDGXLHvnGbJ/2
8DWDV9uSsxdX2InNqzD/IbRSiHjXprpDssthq3Qr5aPH7FO76uICWndrCk0dhZsK
kI/+J7BqS1vgtaxsZeo/IHmMQJ5oEzx/JzvcyK5po0rykNDCxWNnh8cK4YtFOVtk
eRD8cPWXvJGn88pdPPlQuS75MKBGcAUZLodN//tP+x2bcWzocaTZUCEHL36eLcVc
0CxPykCpFOcLFLIJWQ+pY2/HR2ynTBxYoaXsTpscR+FKbS+Lz9B6PUoXCvqaV2/e
lriLjg22lbqxBbBhEk5NLBVozajtU/gNq6pptp/EnZahwjjyavuToZviWf8NWfs0
2u+zQlolinCKnm+8o18dRn24kI7LbUSD2w+V8FydSQNHMikvu/xHgDdLgzmj2XAf
ZIAkHdGjRzKL2euDPrp28D5vPfCqDjqT2wUE2vUsc+Ax4k6ewFCPs3cweWD8hoFS
fAjTC3Q/oNp6eEbWuWJPxl+DW/tD3ezRGeqrRCXQwubcgwB5iaS5ItdCCfG/lfiJ
PNHf4kpg4FlyBf8aPD+R3QA6KOuS1owNNk3cx72zHs8zPusosHWj9hDrXeYVn06G
gj1SIoC+jC/L5nbYH9WFLnKm9+EQ28lcp9j7f1PdlDhkcJmzBRY=
=Qjnb
-----END PGP SIGNATURE-----
Merge 6.1.33 into android14-6.1-lts
Changes in 6.1.33
RDMA/bnxt_re: Fix the page_size used during the MR creation
phy: amlogic: phy-meson-g12a-mipi-dphy-analog: fix CNTL2_DIF_TX_CTL0 value
RDMA/efa: Fix unsupported page sizes in device
RDMA/hns: Fix timeout attr in query qp for HIP08
RDMA/hns: Fix base address table allocation
RDMA/hns: Modify the value of long message loopback slice
dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved()
RDMA/bnxt_re: Fix a possible memory leak
RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx
iommu/rockchip: Fix unwind goto issue
iommu/amd: Don't block updates to GATag if guest mode is on
iommu/amd: Handle GALog overflows
iommu/amd: Fix up merge conflict resolution
nfsd: make a copy of struct iattr before calling notify_change
dmaengine: pl330: rename _start to prevent build error
riscv: Fix unused variable warning when BUILTIN_DTB is set
net/mlx5: Drain health before unregistering devlink
net/mlx5: SF, Drain health before removing device
net/mlx5: fw_tracer, Fix event handling
net/mlx5e: Don't attach netdev profile while handling internal error
net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure
netrom: fix info-leak in nr_write_internal()
af_packet: Fix data-races of pkt_sk(sk)->num.
tls: improve lockless access safety of tls_err_abort()
amd-xgbe: fix the false linkup in xgbe_phy_status
perf ftrace latency: Remove unnecessary "--" from --use-nsec option
mtd: rawnand: ingenic: fix empty stub helper definitions
RDMA/irdma: Prevent QP use after free
RDMA/irdma: Fix Local Invalidate fencing
af_packet: do not use READ_ONCE() in packet_bind()
tcp: deny tcp_disconnect() when threads are waiting
tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set
net/smc: Scan from current RMB list when no position specified
net/smc: Don't use RMBs not mapped to new link in SMCRv2 ADD LINK
net/sched: sch_ingress: Only create under TC_H_INGRESS
net/sched: sch_clsact: Only create under TC_H_CLSACT
net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs
net/sched: Prohibit regrafting ingress or clsact Qdiscs
net: sched: fix NULL pointer dereference in mq_attach
net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report
udp6: Fix race condition in udp6_sendmsg & connect
nfsd: fix double fget() bug in __write_ports_addfd()
nvme: fix the name of Zone Append for verbose logging
net/mlx5e: Fix error handling in mlx5e_refresh_tirs
net/mlx5: Read embedded cpu after init bit cleared
iommu/mediatek: Flush IOTLB completely only if domain has been attached
net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
tcp: fix mishandling when the sack compression is deferred.
net: dsa: mv88e6xxx: Increase wait after reset deactivation
mtd: rawnand: marvell: ensure timing values are written
mtd: rawnand: marvell: don't set the NAND frequency select
rtnetlink: call validate_linkmsg in rtnl_create_link
mptcp: avoid unneeded __mptcp_nmpc_socket() usage
mptcp: add annotations around msk->subflow accesses
mptcp: avoid unneeded address copy
mptcp: simplify subflow_syn_recv_sock()
mptcp: consolidate passive msk socket initialization
mptcp: fix data race around msk->first access
mptcp: add annotations around sk->sk_shutdown accesses
drm/amdgpu: release gpu full access after "amdgpu_device_ip_late_init"
watchdog: menz069_wdt: fix watchdog initialisation
ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs.
ASoC: Intel: soc-acpi-cht: Add quirk for Nextbook Ares 8A tablet
drm/amdgpu: Use the default reset when loading or reloading the driver
mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
drm/ast: Fix ARM compatibility
btrfs: abort transaction when sibling keys check fails for leaves
ARM: 9295/1: unwind:fix unwind abort for uleb128 case
hwmon: (k10temp) Add PCI ID for family 19, model 78h
media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE
platform/x86: intel_scu_pcidrv: Add back PCI ID for Medfield
platform/mellanox: fix potential race in mlxbf-tmfifo driver
gfs2: Don't deref jdesc in evict
drm/amdgpu: set gfx9 onwards APU atomics support to be true
fbdev: imsttfb: Fix use after free bug in imsttfb_probe
fbdev: modedb: Add 1920x1080 at 60 Hz video mode
fbdev: stifb: Fix info entry in sti_struct on error path
nbd: Fix debugfs_create_dir error checking
block/rnbd: replace REQ_OP_FLUSH with REQ_OP_WRITE
nvme-pci: add NVME_QUIRK_BOGUS_NID for HS-SSD-FUTURE 2048G
nvme-pci: add quirk for missing secondary temperature thresholds
ASoC: amd: yc: Add DMI entry to support System76 Pangolin 12
ASoC: dwc: limit the number of overrun messages
um: harddog: fix modular build
xfrm: Check if_id in inbound policy/secpath match
ASoC: dt-bindings: Adjust #sound-dai-cells on TI's single-DAI codecs
ALSA: hda/realtek: Add quirks for ASUS GU604V and GU603V
ASoC: ssm2602: Add workaround for playback distortions
media: dvb_demux: fix a bug for the continuity counter
media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer()
media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
media: netup_unidvb: fix irq init by register it at the end of probe
media: dvb_ca_en50221: fix a size write bug
media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table
media: dvb-core: Fix use-after-free due on race condition at dvb_net
media: dvb-core: Fix use-after-free due to race at dvb_register_device()
media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221
ASoC: SOF: debug: conditionally bump runtime_pm counter on exceptions
ASoC: SOF: pcm: fix pm_runtime imbalance in error handling
ASoC: SOF: sof-client-probes: fix pm_runtime imbalance in error handling
ASoC: SOF: pm: save io region state in case of errors in resume
s390/pkey: zeroize key blobs
s390/topology: honour nr_cpu_ids when adding CPUs
ACPI: resource: Add IRQ override quirk for LG UltraPC 17U70P
wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value
ARM: dts: stm32: add pin map for CAN controller on stm32f7
arm64/mm: mark private VM_FAULT_X defines as vm_fault_t
arm64: vdso: Pass (void *) to virt_to_page()
wifi: mac80211: simplify chanctx allocation
wifi: mac80211: consider reserved chanctx for mindef
wifi: mac80211: recalc chanctx mindef before assigning
wifi: iwlwifi: mvm: Add locking to the rate read flow
scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
wifi: b43: fix incorrect __packed annotation
net: wwan: t7xx: Ensure init is completed before system sleep
netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT
nvme-multipath: don't call blk_mark_disk_dead in nvme_mpath_remove_disk
nvme: do not let the user delete a ctrl before a complete initialization
ALSA: oss: avoid missing-prototype warnings
drm/msm: Be more shouty if per-process pgtables aren't working
atm: hide unused procfs functions
ceph: silence smatch warning in reconnect_caps_cb()
drm/amdgpu: skip disabling fence driver src_irqs when device is unplugged
ublk: fix AB-BA lockdep warning
nvme-pci: Add quirk for Teamgroup MP33 SSD
block: Deny writable memory mapping if block is read-only
KVM: arm64: vgic: Fix a circular locking issue
KVM: arm64: vgic: Wrap vgic_its_create() with config_lock
KVM: arm64: vgic: Fix locking comment
media: mediatek: vcodec: Only apply 4K frame sizes on decoder formats
mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
drivers: base: cacheinfo: Fix shared_cpu_map changes in event of CPU hotplug
media: uvcvideo: Don't expose unsupported formats to userspace
iio: accel: st_accel: Fix invalid mount_matrix on devices without ACPI _ONT method
iio: adc: mxs-lradc: fix the order of two cleanup operations
HID: google: add jewel USB id
HID: wacom: avoid integer overflow in wacom_intuos_inout()
iio: imu: inv_icm42600: fix timestamp reset
dt-bindings: iio: adc: renesas,rcar-gyroadc: Fix adi,ad7476 compatible value
iio: light: vcnl4035: fixed chip ID check
iio: adc: stm32-adc: skip adc-channels setup if none is present
iio: adc: ad_sigma_delta: Fix IRQ issue by setting IRQ_DISABLE_UNLAZY flag
iio: dac: mcp4725: Fix i2c_master_send() return value handling
iio: addac: ad74413: fix resistance input processing
iio: adc: ad7192: Change "shorted" channels to differential
iio: adc: stm32-adc: skip adc-diff-channels setup if none is present
iio: dac: build ad5758 driver when AD5758 is selected
net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
dt-bindings: usb: snps,dwc3: Fix "snps,hsphy_interface" type
usb: cdns3: fix NCM gadget RX speed 20x slow than expection at iMX8QM
usb: gadget: f_fs: Add unbind event before functionfs_unbind
md/raid5: fix miscalculation of 'end_sector' in raid5_read_one_chunk()
misc: fastrpc: return -EPIPE to invocations on device removal
misc: fastrpc: reject new invocations during device removal
scsi: stex: Fix gcc 13 warnings
ata: libata-scsi: Use correct device no in ata_find_dev()
drm/amdgpu: enable tmz by default for GC 11.0.1
drm/amd/pm: reverse mclk and fclk clocks levels for SMU v13.0.4
drm/amd/pm: reverse mclk and fclk clocks levels for vangogh
drm/amd/pm: resolve reboot exception for si oland
drm/amd/pm: reverse mclk clocks levels for SMU v13.0.5
drm/amd/pm: reverse mclk and fclk clocks levels for yellow carp
drm/amd/pm: reverse mclk and fclk clocks levels for renoir
x86/mtrr: Revert 90b926e68f50 ("x86/pat: Fix pat_x_mtrr_type() for MTRR disabled case")
mmc: vub300: fix invalid response handling
mmc: pwrseq: sd8787: Fix WILC CHIP_EN and RESETN toggling order
tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK
btrfs: fix csum_tree_block page iteration to avoid tripping on -Werror=array-bounds
phy: qcom-qmp-combo: fix init-count imbalance
phy: qcom-qmp-pcie-msm8996: fix init-count imbalance
block: fix revalidate performance regression
powerpc/iommu: Limit number of TCEs to 512 for H_STUFF_TCE hcall
iommu/amd: Fix domain flush size when syncing iotlb
tpm, tpm_tis: correct tpm_tis_flags enumeration values
riscv: perf: Fix callchain parse error with kernel tracepoint events
io_uring: undeprecate epoll_ctl support
selinux: don't use make's grouped targets feature yet
mtdchar: mark bits of ioctl handler noinline
tracing/timerlat: Always wakeup the timerlat thread
tracing/histograms: Allow variables to have some modifiers
tracing/probe: trace_probe_primary_from_call(): checked list_first_entry
selftests: mptcp: connect: skip if MPTCP is not supported
selftests: mptcp: pm nl: skip if MPTCP is not supported
selftests: mptcp: join: skip if MPTCP is not supported
selftests: mptcp: sockopt: skip if MPTCP is not supported
selftests: mptcp: userspace pm: skip if MPTCP is not supported
mptcp: fix connect timeout handling
mptcp: fix active subflow finalization
ext4: add EA_INODE checking to ext4_iget()
ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find()
ext4: disallow ea_inodes with extended attributes
ext4: add lockdep annotations for i_data_sem for ea_inode's
fbcon: Fix null-ptr-deref in soft_cursor
serial: 8250_tegra: Fix an error handling path in tegra_uart_probe()
serial: cpm_uart: Fix a COMPILE_TEST dependency
powerpc/xmon: Use KSYM_NAME_LEN in array size
test_firmware: fix a memory leak with reqs buffer
test_firmware: fix the memory leak of the allocated firmware buffer
KVM: arm64: Populate fault info for watchpoint
KVM: x86: Account fastpath-only VM-Exits in vCPU stats
ksmbd: fix credit count leakage
ksmbd: fix UAF issue from opinfo->conn
ksmbd: fix incorrect AllocationSize set in smb2_get_info
ksmbd: fix slab-out-of-bounds read in smb2_handle_negotiate
ksmbd: fix multiple out-of-bounds read during context decoding
KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()
fs/ntfs3: Validate MFT flags before replaying logs
regmap: Account for register length when chunking
tpm, tpm_tis: Request threaded interrupt handler
iommu/amd/pgtbl_v2: Fix domain max address
drm/amd/display: Have Payload Properly Created After Resume
xfs: verify buffer contents when we skip log replay
tls: rx: strp: don't use GFP_KERNEL in softirq context
arm64: efi: Use SMBIOS processor version to key off Ampere quirk
selftests: mptcp: diag: skip if MPTCP is not supported
selftests: mptcp: simult flows: skip if MPTCP is not supported
selftests: mptcp: join: avoid using 'cmp --bytes'
ext4: enable the lazy init thread when remounting read/write
Linux 6.1.33
Note, the following commits were reverted from this merge, due to
conflicts with other KVM patches. If they are needed later, they can be
brought back in a way that enables them to actually build properly:
|
||
|
Greg Kroah-Hartman
|
51b8218413 |
Merge 6.1.29 into android14-6.1-lts
Changes in 6.1.29 USB: dwc3: gadget: drop dead hibernation code usb: dwc3: gadget: Execute gadget stop after halting the controller drm/vmwgfx: Remove explicit and broken vblank handling drm/vmwgfx: Fix Legacy Display Unit atomic drm support crypto: ccp - Clear PSP interrupt status register before calling handler perf/x86/core: Zero @lbr instead of returning -1 in x86_perf_get_lbr() stub KVM: x86: Track supported PERF_CAPABILITIES in kvm_caps KVM: x86/pmu: Disallow legacy LBRs if architectural LBRs are available mtd: spi-nor: spansion: Remove NO_SFDP_FLAGS from s28hs512t info mtd: spi-nor: add SFDP fixups for Quad Page Program mtd: spi-nor: Add a RWW flag mtd: spi-nor: spansion: Enable JFFS2 write buffer for Infineon s28hx SEMPER flash qcom: llcc/edac: Support polling mode for ECC handling soc: qcom: llcc: Do not create EDAC platform device on SDM845 mailbox: zynq: Switch to flexible array to simplify code mailbox: zynqmp: Fix counts of child nodes mtd: spi-nor: spansion: Enable JFFS2 write buffer for Infineon s25hx SEMPER flash fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup() drm/amd/display: Ext displays with dock can't recognized after resume KVM: x86/mmu: Avoid indirect call for get_cr3 KVM: x86: Do not unload MMU roots when only toggling CR0.WP with TDP enabled KVM: x86: Make use of kvm_read_cr*_bits() when testing bits KVM: VMX: Make CR0.WP a guest owned bit KVM: x86/mmu: Refresh CR0.WP prior to checking for emulated permission faults ASoC: Intel: soc-acpi-byt: Fix "WM510205" match no longer working scsi: qedi: Fix use after free bug in qedi_remove() drm/amd/display: Remove FPU guards from the DML folder drm/amd/display: Add missing WA and MCLK validation drm/amd/display: Return error code on DSC atomic check failure drm/amd/display: Fixes for dcn32_clk_mgr implementation drm/amd/display: Reset OUTBOX0 r/w pointer on DMUB reset drm/amd/display: Do not clear GPINT register when releasing DMUB from reset drm/amd/display: Update bounding box values for DCN321 ixgbe: Fix panic during XDP_TX with > 64 CPUs octeonxt2-af: mcs: Fix per port bypass config octeontx2-af: mcs: Write TCAM_DATA and TCAM_MASK registers at once octeontx2-af: mcs: Config parser to skip 8B header octeontx2-af: mcs: Fix MCS block interrupt octeontx2-pf: mcs: Fix NULL pointer dereferences octeontx2-pf: mcs: Match macsec ethertype along with DMAC octeontx2-pf: mcs: Clear stats before freeing resource octeontx2-pf: mcs: Fix shared counters logic octeontx2-pf: mcs: Do not reset PN while updating secy net/ncsi: clear Tx enable mode when handling a Config required AEN tcp: fix skb_copy_ubufs() vs BIG TCP net/sched: cls_api: remove block_cb from driver_list before freeing sit: update dev->needed_headroom in ipip6_tunnel_bind_dev() selftests: srv6: make srv6_end_dt46_l3vpn_test more robust net: ipv6: fix skb hash for some RST packets net: dsa: mv88e6xxx: add mv88e6321 rsvd2cpu writeback: fix call of incorrect macro block: Skip destroyed blkg when restart in blkg_destroy_all() watchdog: dw_wdt: Fix the error handling path of dw_wdt_drv_probe() RISC-V: mm: Enable huge page support to kernel_page_present() function i2c: tegra: Fix PEC support for SMBUS block read net/sched: act_mirred: Add carrier check r8152: fix flow control issue of RTL8156A r8152: fix the poor throughput for 2.5G devices r8152: move setting r8153b_rx_agg_chg_indicate() sfc: Fix module EEPROM reporting for QSFP modules rxrpc: Fix hard call timeout units riscv: compat_syscall_table: Fixup compile warning drm/i915/mtl: Add the missing CPU transcoder mask in intel_device_info selftests: netfilter: fix libmnl pkg-config usage octeontx2-af: Secure APR table update with the lock octeontx2-af: Fix start and end bit for scan config octeontx2-af: Fix depth of cam and mem table. octeontx2-pf: Increase the size of dmac filter flows octeontx2-af: Allow mkex profile without DMAC and add L2M/L2B header extraction support octeontx2-pf: Add additional checks while configuring ucast/bcast/mcast rules octeontx2-af: Update/Fix NPC field hash extract feature octeontx2-af: Fix issues with NPC field hash extract octeontx2-af: Skip PFs if not enabled octeontx2-pf: Disable packet I/O for graceful exit octeontx2-vf: Detach LF resources on probe cleanup ionic: remove noise from ethtool rxnfc error msg ethtool: Fix uninitialized number of lanes ionic: catch failure from devlink_alloc af_packet: Don't send zero-byte data in packet_sendmsg_spkt(). drm/amdgpu: add a missing lock for AMDGPU_SCHED ALSA: caiaq: input: Add error handling for unsupported input methods in `snd_usb_caiaq_input_init` KVM: s390: fix race in gmap_make_secure() net: dsa: mt7530: fix corrupt frames using trgmii on 40 MHz XTAL MT7621 net: dsa: mt7530: split-off common parts from mt7531_setup net: dsa: mt7530: fix network connectivity with multiple CPU ports ice: block LAN in case of VF to VF offload virtio_net: suppress cpu stall when free_unused_bufs net: enetc: check the index of the SFI rather than the handle perf record: Fix "read LOST count failed" msg with sample read perf scripts intel-pt-events.py: Fix IPC output for Python 2 perf vendor events s390: Remove UTF-8 characters from JSON file perf tests record_offcpu.sh: Fix redirection of stderr to stdin perf ftrace: Make system wide the default target for latency subcommand perf vendor events power9: Remove UTF-8 characters from JSON files perf pmu: zfree() expects a pointer to a pointer to zero it after freeing its contents perf map: Delete two variable initialisations before null pointer checks in sort__sym_from_cmp() perf cs-etm: Fix timeless decode mode detection crypto: sun8i-ss - Fix a test in sun8i_ss_setup_ivs() crypto: api - Add scaffolding to change completion function signature crypto: engine - Use crypto_request_complete crypto: engine - fix crypto_queue backlog handling perf symbols: Fix return incorrect build_id size in elf_read_build_id() perf tracepoint: Fix memory leak in is_valid_tracepoint() perf stat: Separate bperf from bpf_profiler RISC-V: take text_mutex during alternative patching RISC-V: fix taking the text_mutex twice during sifive errata patching x86/retbleed: Fix return thunk alignment btrfs: fix btrfs_prev_leaf() to not return the same key twice btrfs: zoned: fix wrong use of bitops API in btrfs_ensure_empty_zones btrfs: properly reject clear_cache and v1 cache for block-group-tree btrfs: fix assertion of exclop condition when starting balance btrfs: fix encoded write i_size corruption with no-holes btrfs: don't free qgroup space unless specified btrfs: zero the buffer before marking it dirty in btrfs_redirty_list_add btrfs: make clear_cache mount option to rebuild FST without disabling it btrfs: print-tree: parent bytenr must be aligned to sector size btrfs: fix space cache inconsistency after error loading it from disk btrfs: zoned: zone finish data relocation BG with last IO btrfs: zoned: fix full zone super block reading on ZNS cifs: fix pcchunk length type in smb2_copychunk_range cifs: release leases for deferred close handles when freezing platform/x86/intel-uncore-freq: Return error on write frequency platform/x86: touchscreen_dmi: Add upside-down quirk for GDIX1002 ts on the Juno Tablet platform/x86: thinkpad_acpi: Fix platform profiles on T490 platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i platform/x86: thinkpad_acpi: Add profile force ability inotify: Avoid reporting event with invalid wd smb3: fix problem remounting a share after shutdown SMB3: force unmount was failing to close deferred close files sh: math-emu: fix macro redefined warning sh: mcount.S: fix build error when PRINTK is not enabled sh: init: use OF_EARLY_FLATTREE for early init sh: nmi_debug: fix return value of __setup handler proc_sysctl: update docs for __register_sysctl_table() proc_sysctl: enhance documentation remoteproc: stm32: Call of_node_put() on iteration error remoteproc: st: Call of_node_put() on iteration error remoteproc: imx_dsp_rproc: Call of_node_put() on iteration error remoteproc: imx_rproc: Call of_node_put() on iteration error remoteproc: rcar_rproc: Call of_node_put() on iteration error sysctl: clarify register_sysctl_init() base directory order ARM: dts: aspeed: asrock: Correct firmware flash SPI clocks ARM: dts: exynos: fix WM8960 clock name in Itop Elite ARM: dts: s5pv210: correct MIPI CSIS clock name ARM: dts: aspeed: romed8hm3: Fix GPIO polarity of system-fault LED drm/msm/adreno: fix runtime PM imbalance at gpu load drm/bridge: lt8912b: Fix DSI Video Mode drm/i915/color: Fix typo for Plane CSC indexes drm/msm: fix NULL-deref on snapshot tear down drm/msm: fix NULL-deref on irq uninstall drm/msm: fix drm device leak on bind errors drm/msm: fix vram leak on bind errors drm/msm: fix workqueue leak on bind errors drm/i915/dsi: Use unconditional msleep() instead of intel_dsi_msleep() f2fs: fix null pointer panic in tracepoint in __replace_atomic_write_block f2fs: fix potential corruption when moving a directory irqchip/loongson-pch-pic: Fix pch_pic_acpi_init calling irqchip/loongson-eiointc: Fix returned value on parsing MADT drm/panel: otm8009a: Set backlight parent to panel device drm/amd/display: Add NULL plane_state check for cursor disable logic drm/amd/display: Fix 4to1 MPC black screen with DPP RCO drm/amd/display: filter out invalid bits in pipe_fuses drm/amd/display: fix flickering caused by S/G mode drm/amdgpu: fix amdgpu_irq_put call trace in gmc_v10_0_hw_fini drm/amdgpu: fix an amdgpu_irq_put() issue in gmc_v9_0_hw_fini() drm/amdgpu: fix amdgpu_irq_put call trace in gmc_v11_0_hw_fini drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras drm/amdgpu/jpeg: Remove harvest checking for JPEG3 drm/amdgpu: change gfx 11.0.4 external_id range drm/amdgpu: Fix vram recover doesn't work after whole GPU reset (v2) drm/amd/display: Enforce 60us prefetch for 200Mhz DCFCLK modes drm/amd/pm: parse pp_handle under appropriate conditions drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend drm/amd/pm: avoid potential UBSAN issue on legacy asics drm/amdgpu: remove deprecated MES version vars drm/amd: Load MES microcode during early_init drm/amd: Add a new helper for loading/validating microcode drm/amd: Use `amdgpu_ucode_*` helpers for MES HID: wacom: Set a default resolution for older tablets HID: wacom: insert timestamp to packed Bluetooth (BT) events fs/ntfs3: Refactoring of various minor issues drm/msm/adreno: adreno_gpu: Use suspend() instead of idle() on load error f2fs: specify extent cache for read explicitly f2fs: move internal functions into extent_cache.c f2fs: remove unnecessary __init_extent_tree f2fs: refactor extent_cache to support for read and more f2fs: allocate the extent_cache by default f2fs: factor out victim_entry usage from general rb_tree use drm/msm/adreno: Simplify read64/write64 helpers drm/msm: Hangcheck progress detection drm/msm: fix missing wq allocation error handling irqchip/loongarch: Adjust acpi_cascade_irqdomain_init() and sub-routines irqchip/loongson-eiointc: Fix incorrect use of acpi_get_vec_parent irqchip/loongson-eiointc: Fix registration of syscore_ops wifi: rtw88: rtw8821c: Fix rfe_option field width drm/i915/mtl: update scaler source and destination limits for MTL drm/i915: Check pipe source size when using skl+ scalers drm/amd/display: Refactor eDP PSR codes drm/amd/display: Add Z8 allow states to z-state support list drm/amd/display: Add debug option to skip PSR CRTC disable drm/amd/display: Fix Z8 support configurations drm/amd/display: Add minimum Z8 residency debug option drm/amd/display: Update minimum stutter residency for DCN314 Z8 drm/amd/display: Lowering min Z8 residency time ASoC: rt1318: Add RT1318 SDCA vendor-specific driver ASoC: codecs: constify static sdw_slave_ops struct ASoC: codecs: wcd938x: fix accessing regmap on unattached devices drm/amd/display: Update Z8 watermarks for DCN314 drm/amd/display: Update Z8 SR exit/enter latencies drm/amd/display: Change default Z8 watermark values ksmbd: Implements sess->ksmbd_chann_list as xarray ksmbd: fix racy issue from session setup and logoff ksmbd: destroy expired sessions ksmbd: block asynchronous requests when making a delay on session setup ksmbd: fix racy issue from smb2 close and logoff with multichannel drm: Add missing DP DSC extended capability definitions. drm/dsc: fix drm_edp_dsc_sink_output_bpp() DPCD high byte usage locking/rwsem: Add __always_inline annotation to __down_read_common() and inlined callers ext4: fix WARNING in mb_find_extent ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum ext4: fix data races when using cached status extents ext4: check iomap type only if ext4_iomap_begin() does not fail ext4: improve error recovery code paths in __ext4_remount() ext4: improve error handling from ext4_dirhash() ext4: fix deadlock when converting an inline directory in nojournal mode ext4: add bounds checking in get_max_inline_xattr_value_size() ext4: bail out of ext4_xattr_ibody_get() fails for any reason ext4: fix lockdep warning when enabling MMP ext4: remove a BUG_ON in ext4_mb_release_group_pa() ext4: fix invalid free tracking in ext4_xattr_move_to_block() drm/dsc: fix DP_DSC_MAX_BPP_DELTA_* macro values f2fs: fix to do sanity check on extent cache correctly f2fs: inode: fix to do sanity check on extent cache correctly x86/amd_nb: Add PCI ID for family 19h model 78h x86: fix clear_user_rep_good() exception handling annotation spi: fsl-spi: Re-organise transfer bits_per_word adaptation spi: fsl-cpm: Use 16 bit mode for large transfers with even size drm/amd/display: Fix hang when skipping modeset Linux 6.1.29 Change-Id: I576de3e4ff6a12decefda8ca0014ca600da837dd Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
ef75a88787 |
Merge 6.1.28 into android14-6.1-lts
Changes in 6.1.28
ASOC: Intel: sof_sdw: add quirk for Intel 'Rooks County' NUC M15
ASoC: Intel: soc-acpi: add table for Intel 'Rooks County' NUC M15
ASoC: soc-pcm: fix hw->formats cleared by soc_pcm_hw_init() for dpcm
x86/hyperv: Block root partition functionality in a Confidential VM
ASoC: amd: yc: Add DMI entries to support Victus by HP Laptop 16-e1xxx (8A22)
iio: adc: palmas_gpadc: fix NULL dereference on rmmod
ASoC: Intel: bytcr_rt5640: Add quirk for the Acer Iconia One 7 B1-750
ASoC: da7213.c: add missing pm_runtime_disable()
net: wwan: t7xx: do not compile with -Werror
selftests mount: Fix mount_setattr_test builds failed
scsi: mpi3mr: Handle soft reset in progress fault code (0xF002)
net: sfp: add quirk enabling 2500Base-x for HG MXPD-483II
platform/x86: thinkpad_acpi: Add missing T14s Gen1 type to s2idle quirk list
wifi: ath11k: reduce the MHI timeout to 20s
tracing: Error if a trace event has an array for a __field()
asm-generic/io.h: suppress endianness warnings for readq() and writeq()
x86/cpu: Add model number for Intel Arrow Lake processor
wireguard: timers: cast enum limits members to int in prints
wifi: mt76: mt7921e: Set memory space enable in PCI_COMMAND if unset
ASoC: amd: fix ACP version typo mistake
ASoC: amd: ps: update the acp clock source.
arm64: Always load shadow stack pointer directly from the task struct
arm64: Stash shadow stack pointer in the task struct on interrupt
powerpc/boot: Fix boot wrapper code generation with CONFIG_POWER10_CPU
PCI: kirin: Select REGMAP_MMIO
PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock
PCI: qcom: Fix the incorrect register usage in v2.7.0 config
phy: qcom-qmp-pcie: sc8180x PCIe PHY has 2 lanes
IMA: allow/fix UML builds
usb: gadget: udc: core: Invoke usb_gadget_connect only when started
usb: gadget: udc: core: Prevent redundant calls to pullup
usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive
USB: dwc3: fix runtime pm imbalance on probe errors
USB: dwc3: fix runtime pm imbalance on unbind
hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write
hwmon: (adt7475) Use device_property APIs when configuring polarity
tpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site
posix-cpu-timers: Implement the missing timer_wait_running callback
media: ov8856: Do not check for for module version
blk-stat: fix QUEUE_FLAG_STATS clear
blk-crypto: don't use struct request_queue for public interfaces
blk-crypto: add a blk_crypto_config_supported_natively helper
blk-crypto: move internal only declarations to blk-crypto-internal.h
blk-crypto: Add a missing include directive
blk-mq: release crypto keyslot before reporting I/O complete
blk-crypto: make blk_crypto_evict_key() return void
blk-crypto: make blk_crypto_evict_key() more robust
staging: iio: resolver: ads1210: fix config mode
tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH
xhci: fix debugfs register accesses while suspended
serial: fix TIOCSRS485 locking
serial: 8250: Fix serial8250_tx_empty() race with DMA Tx
serial: max310x: fix IO data corruption in batched operations
tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem
fs: fix sysctls.c built
MIPS: fw: Allow firmware to pass a empty env
ipmi:ssif: Add send_retries increment
ipmi: fix SSIF not responding under certain cond.
iio: addac: stx104: Fix race condition when converting analog-to-digital
iio: addac: stx104: Fix race condition for stx104_write_raw()
kheaders: Use array declaration instead of char
wifi: mt76: add missing locking to protect against concurrent rx/status calls
pwm: meson: Fix axg ao mux parents
pwm: meson: Fix g12a ao clk81 name
soundwire: qcom: correct setting ignore bit on v1.5.1
pinctrl: qcom: lpass-lpi: set output value before enabling output
ring-buffer: Ensure proper resetting of atomic variables in ring_buffer_reset_online_cpus
ring-buffer: Sync IRQ works before buffer destruction
crypto: api - Demote BUG_ON() in crypto_unregister_alg() to a WARN_ON()
crypto: safexcel - Cleanup ring IRQ workqueues on load failure
crypto: arm64/aes-neonbs - fix crash with CFI enabled
crypto: ccp - Don't initialize CCP for PSP 0x1649
rcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed
reiserfs: Add security prefix to xattr name in reiserfs_security_write()
KVM: nVMX: Emulate NOPs in L2, and PAUSE if it's not intercepted
KVM: arm64: Avoid vcpu->mutex v. kvm->lock inversion in CPU_ON
KVM: arm64: Avoid lock inversion when setting the VM register width
KVM: arm64: Use config_lock to protect data ordered against KVM_RUN
KVM: arm64: Use config_lock to protect vgic state
KVM: arm64: vgic: Don't acquire its_lock before config_lock
relayfs: fix out-of-bounds access in relay_file_read
drm/amd/display: Remove stutter only configurations
drm/amd/display: limit timing for single dimm memory
drm/amd/display: fix PSR-SU/DSC interoperability support
drm/amd/display: fix a divided-by-zero error
KVM: RISC-V: Retry fault if vma_lookup() results become invalid
ksmbd: fix racy issue under cocurrent smb2 tree disconnect
ksmbd: call rcu_barrier() in ksmbd_server_exit()
ksmbd: fix NULL pointer dereference in smb2_get_info_filesystem()
ksmbd: fix memleak in session setup
ksmbd: not allow guest user on multichannel
ksmbd: fix deadlock in ksmbd_find_crypto_ctx()
ACPI: video: Remove acpi_backlight=video quirk for Lenovo ThinkPad W530
i2c: omap: Fix standard mode false ACK readings
riscv: mm: remove redundant parameter of create_fdt_early_page_table
tracing: Fix permissions for the buffer_percent file
swsmu/amdgpu_smu: Fix the wrong if-condition
drm/amd/pm: re-enable the gfx imu when smu resume
iommu/amd: Fix "Guest Virtual APIC Table Root Pointer" configuration in IRTE
RISC-V: Align SBI probe implementation with spec
Revert "ubifs: dirty_cow_znode: Fix memleak in error handling path"
ubifs: Fix memleak when insert_old_idx() failed
ubi: Fix return value overwrite issue in try_write_vid_and_data()
ubifs: Free memory for tmpfile name
ubifs: Fix memory leak in do_rename
ceph: fix potential use-after-free bug when trimming caps
xfs: don't consider future format versions valid
cxl/hdm: Fail upon detecting 0-sized decoders
bus: mhi: host: Remove duplicate ee check for syserr
bus: mhi: host: Use mhi_tryset_pm_state() for setting fw error state
bus: mhi: host: Range check CHDBOFF and ERDBOFF
ASoC: dt-bindings: qcom,lpass-rx-macro: correct minItems for clocks
kunit: improve KTAP compliance of KUnit test output
kunit: fix bug in the order of lines in debugfs logs
rcu: Fix missing TICK_DEP_MASK_RCU_EXP dependency check
selftests/resctrl: Return NULL if malloc_and_init_memory() did not alloc mem
selftests/resctrl: Move ->setup() call outside of test specific branches
selftests/resctrl: Allow ->setup() to return errors
selftests/resctrl: Check for return value after write_schemata()
selinux: fix Makefile dependencies of flask.h
selinux: ensure av_permissions.h is built when needed
tpm, tpm_tis: Do not skip reset of original interrupt vector
tpm, tpm_tis: Claim locality before writing TPM_INT_ENABLE register
tpm, tpm_tis: Disable interrupts if tpm_tis_probe_irq() failed
tpm, tpm_tis: Claim locality before writing interrupt registers
tpm, tpm: Implement usage counter for locality
tpm, tpm_tis: Claim locality when interrupts are reenabled on resume
erofs: stop parsing non-compact HEAD index if clusterofs is invalid
erofs: initialize packed inode after root inode is assigned
erofs: fix potential overflow calculating xattr_isize
drm/rockchip: Drop unbalanced obj unref
drm/i915/dg2: Drop one PCI ID
drm/vgem: add missing mutex_destroy
drm/probe-helper: Cancel previous job before starting new one
drm/amdgpu: register a vga_switcheroo client for MacBooks with apple-gmux
tools/x86/kcpuid: Fix avx512bw and avx512lvl fields in Fn00000007
soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe
arm64: dts: renesas: r8a77990: Remove bogus voltages from OPP table
arm64: dts: renesas: r8a774c0: Remove bogus voltages from OPP table
arm64: dts: renesas: r9a07g044: Update IRQ numbers for SSI channels
arm64: dts: renesas: r9a07g054: Update IRQ numbers for SSI channels
arm64: dts: renesas: r9a07g043: Introduce SOC_PERIPHERAL_IRQ() macro to specify interrupt property
arm64: dts: renesas: r9a07g043: Update IRQ numbers for SSI channels
drm/mediatek: dp: Only trigger DRM HPD events if bridge is attached
drm/msm/disp/dpu: check for crtc enable rather than crtc active to release shared resources
EDAC/skx: Fix overflows on the DRAM row address mapping arrays
ARM: dts: qcom-apq8064: Fix opp table child name
regulator: core: Shorten off-on-delay-us for always-on/boot-on by time since booted
arm64: dts: ti: k3-am62-main: Fix GPIO numbers in DT
arm64: dts: ti: k3-am62a7-sk: Fix DDR size to full 4GB
arm64: dts: ti: k3-j721e-main: Remove ti,strobe-sel property
arm64: dts: broadcom: bcmbca: bcm4908: fix NAND interrupt name
arm64: dts: broadcom: bcmbca: bcm4908: fix LED nodenames
arm64: dts: broadcom: bcmbca: bcm4908: fix procmon nodename
arm64: dts: qcom: msm8998: Fix stm-stimulus-base reg name
arm64: dts: qcom: sc7280: fix EUD port properties
arm64: dts: qcom: sdm845: correct dynamic power coefficients
arm64: dts: qcom: sdm845: Fix the PCI I/O port range
arm64: dts: qcom: msm8998: Fix the PCI I/O port range
arm64: dts: qcom: sc7280: Fix the PCI I/O port range
arm64: dts: qcom: ipq8074: Fix the PCI I/O port range
arm64: dts: qcom: ipq6018: Fix the PCI I/O port range
arm64: dts: qcom: msm8996: Fix the PCI I/O port range
arm64: dts: qcom: sm8250: Fix the PCI I/O port range
arm64: dts: qcom: sm8150: Fix the PCI I/O port range
arm64: dts: qcom: sm8450: Fix the PCI I/O port range
ARM: dts: qcom: ipq4019: Fix the PCI I/O port range
ARM: dts: qcom: ipq8064: Fix the PCI I/O port range
ARM: dts: qcom: sdx55: Fix the unit address of PCIe EP node
x86/MCE/AMD: Use an u64 for bank_map
media: bdisp: Add missing check for create_workqueue
media: platform: mtk-mdp3: Add missing check and free for ida_alloc
media: amphion: decoder implement display delay enable
media: av7110: prevent underflow in write_ts_to_decoder()
firmware: qcom_scm: Clear download bit during reboot
drm/bridge: adv7533: Fix adv7533_mode_valid for adv7533 and adv7535
media: max9286: Free control handler
arm64: dts: ti: k3-am625: Correct L2 cache size to 512KB
arm64: dts: ti: k3-am62a7: Correct L2 cache size to 512KB
drm/msm/adreno: drop bogus pm_runtime_set_active()
drm: msm: adreno: Disable preemption on Adreno 510
virt/coco/sev-guest: Double-buffer messages
arm64: dts: qcom: sm8350-microsoft-surface: fix USB dual-role mode property
drm/amd/display/dc/dce60/Makefile: Fix previous attempt to silence known override-init warnings
ACPI: processor: Fix evaluating _PDC method when running as Xen dom0
mmc: sdhci-of-esdhc: fix quirk to ignore command inhibit for data
arm64: dts: qcom: sm8450: fix pcie1 gpios properties name
drm: rcar-du: Fix a NULL vs IS_ERR() bug
ARM: dts: gta04: fix excess dma channel usage
firmware: arm_scmi: Fix xfers allocation on Rx channel
perf/arm-cmn: Move overlapping wp_combine field
ARM: dts: stm32: fix spi1 pin assignment on stm32mp15
arm64: dts: apple: t8103: Disable unused PCIe ports
cpufreq: mediatek: fix passing zero to 'PTR_ERR'
cpufreq: mediatek: fix KP caused by handler usage after regulator_put/clk_put
cpufreq: mediatek: raise proc/sram max voltage for MT8516
cpufreq: mediatek: Raise proc and sram max voltage for MT7622/7623
cpufreq: qcom-cpufreq-hw: Revert adding cpufreq qos
arm64: dts: mediatek: mt8192-asurada: Fix voltage constraint for Vgpu
ACPI: VIOT: Initialize the correct IOMMU fwspec
drm/lima/lima_drv: Add missing unwind goto in lima_pdev_probe()
drm/mediatek: dp: Change the aux retries times when receiving AUX_DEFER
mailbox: mpfs: switch to txdone_poll
soc: bcm: brcmstb: biuctrl: fix of_iomap leak
soc: renesas: renesas-soc: Release 'chipid' from ioremap()
gpu: host1x: Fix potential double free if IOMMU is disabled
gpu: host1x: Fix memory leak of device names
arm64: dts: qcom: sc7280-herobrine-villager: correct trackpad supply
arm64: dts: qcom: sc7180-trogdor-lazor: correct trackpad supply
arm64: dts: qcom: sc7180-trogdor-pazquel: correct trackpad supply
arm64: dts: qcom: msm8994-kitakami: drop unit address from PMI8994 regulator
arm64: dts: qcom: msm8994-msft-lumia-octagon: drop unit address from PMI8994 regulator
arm64: dts: qcom: apq8096-db820c: drop unit address from PMI8994 regulator
drm/ttm: optimize pool allocations a bit v2
drm/ttm/pool: Fix ttm_pool_alloc error path
regulator: core: Consistently set mutex_owner when using ww_mutex_lock_slow()
regulator: core: Avoid lockdep reports when resolving supplies
x86/apic: Fix atomic update of offset in reserve_eilvt_offset()
arm64: dts: qcom: msm8994-angler: Fix cont_splash_mem mapping
arm64: dts: qcom: msm8994-angler: removed clash with smem_region
arm64: dts: sc7180: Rename qspi data12 as data23
arm64: dts: sc7280: Rename qspi data12 as data23
media: mediatek: vcodec: Use 4K frame size when supported by stateful decoder
media: mediatek: vcodec: Make MM21 the default capture format
media: mediatek: vcodec: Force capture queue format to MM21
media: mediatek: vcodec: add params to record lat and core lat_buf count
media: mediatek: vcodec: using each instance lat_buf count replace core ready list
media: mediatek: vcodec: move lat_buf to the top of core list
media: mediatek: vcodec: add core decode done event
media: mediatek: vcodec: remove unused lat_buf
media: mediatek: vcodec: making sure queue_work successfully
media: mediatek: vcodec: change lat thread decode error condition
media: cedrus: fix use after free bug in cedrus_remove due to race condition
media: rkvdec: fix use after free bug in rkvdec_remove
platform/x86/amd/pmf: Move out of BIOS SMN pair for driver probe
platform/x86/amd: pmc: Don't try to read SMU version on Picasso
platform/x86/amd: pmc: Hide SMU version and program attributes for Picasso
platform/x86/amd: pmc: Don't dump data after resume from s0i3 on picasso
platform/x86/amd: pmc: Move idlemask check into `amd_pmc_idlemask_read`
platform/x86/amd: pmc: Utilize SMN index 0 for driver probe
platform/x86/amd: pmc: Move out of BIOS SMN pair for STB init
media: dm1105: Fix use after free bug in dm1105_remove due to race condition
media: saa7134: fix use after free bug in saa7134_finidev due to race condition
media: platform: mtk-mdp3: fix potential frame size overflow in mdp_try_fmt_mplane()
media: rcar_fdp1: Fix refcount leak in probe and remove function
media: v4l: async: Return async sub-devices to subnotifier list
media: hi846: Fix memleak in hi846_init_controls()
drm/amd/display: Fix potential null dereference
media: rc: gpio-ir-recv: Fix support for wake-up
media: venus: dec: Fix handling of the start cmd
media: venus: dec: Fix capture formats enumeration order
regulator: stm32-pwr: fix of_iomap leak
x86/ioapic: Don't return 0 from arch_dynirq_lower_bound()
arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step
perf/arm-cmn: Fix port detection for CMN-700
media: mediatek: vcodec: fix decoder disable pm crash
media: mediatek: vcodec: add remove function for decoder platform driver
debugobject: Prevent init race with static objects
drm/i915: Make intel_get_crtc_new_encoder() less oopsy
tick/common: Align tick period with the HZ tick.
ACPI: bus: Ensure that notify handlers are not running after removal
cpufreq: use correct unit when verify cur freq
rpmsg: glink: Propagate TX failures in intentless mode as well
hwmon: (pmbus/fsp-3y) Fix functionality bitmask in FSP-3Y YM-2151E
platform/chrome: cros_typec_switch: Add missing fwnode_handle_put()
wifi: ath6kl: minor fix for allocation size
wifi: ath9k: hif_usb: fix memory leak of remain_skbs
wifi: ath11k: Use platform_get_irq() to get the interrupt
wifi: ath5k: Use platform_get_irq() to get the interrupt
wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list()
wifi: ath11k: fix SAC bug on peer addition with sta band migration
wifi: brcmfmac: support CQM RSSI notification with older firmware
wifi: ath6kl: reduce WARN to dev_dbg() in callback
tools: bpftool: Remove invalid \' json escape
wifi: rtw88: mac: Return the original error from rtw_pwr_seq_parser()
wifi: rtw88: mac: Return the original error from rtw_mac_power_switch()
bpf: take into account liveness when propagating precision
bpf: fix precision propagation verbose logging
crypto: qat - fix concurrency issue when device state changes
scm: fix MSG_CTRUNC setting condition for SO_PASSSEC
wifi: ath11k: fix deinitialization of firmware resources
selftests/bpf: Fix a fd leak in an error path in network_helpers.c
bpf: Remove misleading spec_v1 check on var-offset stack read
net: pcs: xpcs: remove double-read of link state when using AN
vlan: partially enable SIOCSHWTSTAMP in container
net/packet: annotate accesses to po->xmit
net/packet: convert po->origdev to an atomic flag
net/packet: convert po->auxdata to an atomic flag
libbpf: Fix ld_imm64 copy logic for ksym in light skeleton.
net: dsa: qca8k: remove assignment of an_enabled in pcs_get_state()
netfilter: keep conntrack reference until IPsecv6 policy checks are done
bpf: Fix __reg_bound_offset 64->32 var_off subreg propagation
scsi: target: core: Change the way target_xcopy_do_work() sets restiction on max I/O
scsi: target: Move sess cmd counter to new struct
scsi: target: Move cmd counter allocation
scsi: target: Pass in cmd counter to use during cmd setup
scsi: target: iscsit: isert: Alloc per conn cmd counter
scsi: target: iscsit: Stop/wait on cmds during conn close
scsi: target: Fix multiple LUN_RESET handling
scsi: target: iscsit: Fix TAS handling during conn cleanup
scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS
net: sunhme: Fix uninitialized return code
f2fs: handle dqget error in f2fs_transfer_project_quota()
f2fs: fix uninitialized skipped_gc_rwsem
f2fs: apply zone capacity to all zone type
f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages()
f2fs: fix scheduling while atomic in decompression path
crypto: caam - Clear some memory in instantiate_rng
crypto: sa2ul - Select CRYPTO_DES
wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_rfreg()
wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_reg()
scsi: libsas: Add sas_ata_device_link_abort()
scsi: hisi_sas: Handle NCQ error when IPTT is valid
wifi: rt2x00: Fix memory leak when handling surveys
f2fs: fix iostat lock protection
net: qrtr: correct types of trace event parameters
selftests: xsk: Use correct UMEM size in testapp_invalid_desc
selftests: xsk: Disable IPv6 on VETH1
selftests: xsk: Deflakify STATS_RX_DROPPED test
selftests/bpf: Wait for receive in cg_storage_multi test
bpftool: Fix bug for long instructions in program CFG dumps
crypto: drbg - Only fail when jent is unavailable in FIPS mode
xsk: Fix unaligned descriptor validation
f2fs: fix to avoid use-after-free for cached IPU bio
wifi: iwlwifi: fix duplicate entry in iwl_dev_info_table
bpf/btf: Fix is_int_ptr()
scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()
net: ethernet: stmmac: dwmac-rk: rework optional clock handling
net: ethernet: stmmac: dwmac-rk: fix optional phy regulator handling
wifi: ath11k: fix writing to unintended memory region
bpf, sockmap: fix deadlocks in the sockhash and sockmap
nvmet: fix error handling in nvmet_execute_identify_cns_cs_ns()
nvmet: fix Identify Namespace handling
nvmet: fix Identify Controller handling
nvmet: fix Identify Active Namespace ID list handling
nvmet: fix I/O Command Set specific Identify Controller
nvme: fix async event trace event
nvme-fcloop: fix "inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage"
selftests/bpf: Use read_perf_max_sample_freq() in perf_event_stackmap
selftests/bpf: Fix leaked bpf_link in get_stackid_cannot_attach
blk-mq: don't plug for head insertions in blk_execute_rq_nowait
wifi: iwlwifi: debug: fix crash in __iwl_err()
wifi: iwlwifi: trans: don't trigger d3 interrupt twice
wifi: iwlwifi: mvm: don't set CHECKSUM_COMPLETE for unsupported protocols
bpf, sockmap: Revert buggy deadlock fix in the sockhash and sockmap
f2fs: fix to check return value of f2fs_do_truncate_blocks()
f2fs: fix to check return value of inc_valid_block_count()
md/raid10: fix task hung in raid10d
md/raid10: fix leak of 'r10bio->remaining' for recovery
md/raid10: fix memleak for 'conf->bio_split'
md/raid10: fix memleak of md thread
md/raid10: don't call bio_start_io_acct twice for bio which experienced read error
wifi: iwlwifi: mvm: don't drop unencrypted MCAST frames
wifi: iwlwifi: yoyo: skip dump correctly on hw error
wifi: iwlwifi: yoyo: Fix possible division by zero
wifi: iwlwifi: mvm: initialize seq variable
wifi: iwlwifi: fw: move memset before early return
jdb2: Don't refuse invalidation of already invalidated buffers
io_uring/rsrc: use nospec'ed indexes
wifi: iwlwifi: make the loop for card preparation effective
wifi: mt76: mt7915: expose device tree match table
wifi: mt76: handle failure of vzalloc in mt7615_coredump_work
wifi: mt76: add flexible polling wait-interval support
wifi: mt76: mt7921e: fix probe timeout after reboot
wifi: mt76: fix 6GHz high channel not be scanned
mt76: mt7921: fix kernel panic by accessing unallocated eeprom.data
wifi: mt76: mt7921: fix missing unwind goto in `mt7921u_probe`
wifi: mt76: mt7921e: improve reliability of dma reset
wifi: mt76: mt7921e: stop chip reset worker in unregister hook
wifi: mt76: connac: fix txd multicast rate setting
wifi: iwlwifi: mvm: check firmware response size
netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert()
netfilter: conntrack: fix wrong ct->timeout value
wifi: iwlwifi: fw: fix memory leak in debugfs
ixgbe: Allow flow hash to be set via ethtool
ixgbe: Enable setting RSS table to default values
net/mlx5e: Don't clone flow post action attributes second time
net/mlx5: E-switch, Create per vport table based on devlink encap mode
net/mlx5: E-switch, Don't destroy indirect table in split rule
net/mlx5e: Fix error flow in representor failing to add vport rx rule
net/mlx5: Remove "recovery" arg from mlx5_load_one() function
net/mlx5: Suspend auxiliary devices only in case of PCI device suspend
Revert "net/mlx5: Remove "recovery" arg from mlx5_load_one() function"
net/mlx5: Use recovery timeout on sync reset flow
net/mlx5e: Nullify table pointer when failing to create
net: stmmac:fix system hang when setting up tag_8021q VLAN for DSA ports
bpf: Fix race between btf_put and btf_idr walk.
bpf: Don't EFAULT for getsockopt with optval=NULL
netfilter: nf_tables: don't write table validation state without mutex
net: dpaa: Fix uninitialized variable in dpaa_stop()
net/sched: sch_fq: fix integer overflow of "credit"
ipv4: Fix potential uninit variable access bug in __ip_make_skb()
Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
netlink: Use copy_to_user() for optval in netlink_getsockopt().
net: amd: Fix link leak when verifying config failed
tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.
ipmi: ASPEED_BT_IPMI_BMC: select REGMAP_MMIO instead of depending on it
ASoC: cs35l41: Only disable internal boost
drivers: staging: rtl8723bs: Fix locking in _rtw_join_timeout_handler()
drivers: staging: rtl8723bs: Fix locking in rtw_scan_timeout_handler()
pstore: Revert pmsg_lock back to a normal mutex
usb: host: xhci-rcar: remove leftover quirk handling
usb: dwc3: gadget: Change condition for processing suspend event
serial: stm32: Re-assert RTS/DE GPIO in RS485 mode only if more data are transmitted
fpga: bridge: fix kernel-doc parameter description
iio: light: max44009: add missing OF device matching
serial: 8250_bcm7271: Fix arbitration handling
spi: atmel-quadspi: Don't leak clk enable count in pm resume
spi: atmel-quadspi: Free resources even if runtime resume failed in .remove()
spi: imx: Don't skip cleanup in remove's error path
usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
ASoC: soc-compress: Inherit atomicity from DAI link for Compress FE
PCI: imx6: Install the fault handler only on compatible match
ASoC: es8316: Handle optional IRQ assignment
linux/vt_buffer.h: allow either builtin or modular for macros
spi: qup: Don't skip cleanup in remove's error path
interconnect: qcom: rpm: drop bogus pm domain attach
spi: fsl-spi: Fix CPM/QE mode Litte Endian
vmci_host: fix a race condition in vmci_host_poll() causing GPF
of: Fix modalias string generation
PCI/EDR: Clear Device Status after EDR error recovery
ia64: mm/contig: fix section mismatch warning/error
ia64: salinfo: placate defined-but-not-used warning
scripts/gdb: bail early if there are no clocks
scripts/gdb: bail early if there are no generic PD
HID: amd_sfh: Correct the structure fields
HID: amd_sfh: Correct the sensor enable and disable command
HID: amd_sfh: Fix illuminance value
HID: amd_sfh: Add support for shutdown operation
HID: amd_sfh: Correct the stop all command
HID: amd_sfh: Increase sensor command timeout for SFH1.1
HID: amd_sfh: Handle "no sensors" enabled for SFH1.1
cacheinfo: Check sib_leaf in cache_leaves_are_shared()
coresight: etm_pmu: Set the module field
drm/panel: novatek-nt35950: Improve error handling
ASoC: fsl_mqs: move of_node_put() to the correct location
PCI/PM: Extend D3hot delay for NVIDIA HDA controllers
drm/panel: novatek-nt35950: Only unregister DSI1 if it exists
spi: cadence-quadspi: fix suspend-resume implementations
i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path
i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path
scripts/gdb: raise error with reduced debugging information
uapi/linux/const.h: prefer ISO-friendly __typeof__
sh: sq: Fix incorrect element size for allocating bitmap buffer
usb: gadget: tegra-xudc: Fix crash in vbus_draw
usb: chipidea: fix missing goto in `ci_hdrc_probe`
usb: mtu3: fix kernel panic at qmu transfer done irq handler
firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe
tty: serial: fsl_lpuart: adjust buffer length to the intended size
serial: 8250: Add missing wakeup event reporting
spi: cadence-quadspi: use macro DEFINE_SIMPLE_DEV_PM_OPS
staging: rtl8192e: Fix W_DISABLE# does not work after stop/start
spmi: Add a check for remove callback when removing a SPMI driver
virtio_ring: don't update event idx on get_buf
fbdev: mmp: Fix deferred clk handling in mmphw_probe()
selftests/powerpc/pmu: Fix sample field check in the mmcra_thresh_marked_sample_test
macintosh/windfarm_smu_sat: Add missing of_node_put()
powerpc/perf: Properly detect mpc7450 family
powerpc/mpc512x: fix resource printk format warning
powerpc/wii: fix resource printk format warnings
powerpc/sysdev/tsi108: fix resource printk format warnings
macintosh: via-pmu-led: requires ATA to be set
powerpc/rtas: use memmove for potentially overlapping buffer copy
sched/fair: Fix inaccurate tally of ttwu_move_affine
perf/core: Fix hardlockup failure caused by perf throttle
Revert "objtool: Support addition to set CFA base"
riscv: Fix ptdump when KASAN is enabled
sched/rt: Fix bad task migration for rt tasks
tracing/user_events: Ensure write index cannot be negative
clk: at91: clk-sam9x60-pll: fix return value check
IB/hifi1: add a null check of kzalloc_node in hfi1_ipoib_txreq_init
RDMA/siw: Fix potential page_array out of range access
clk: mediatek: mt2712: Add error handling to clk_mt2712_apmixed_probe()
clk: mediatek: Consistently use GATE_MTK() macro
clk: mediatek: mt7622: Properly use CLK_IS_CRITICAL flag
clk: mediatek: mt8135: Properly use CLK_IS_CRITICAL flag
RDMA/rdmavt: Delete unnecessary NULL check
clk: qcom: gcc-qcm2290: Fix up gcc_sdcc2_apps_clk_src
workqueue: Fix hung time report of worker pools
rtc: omap: include header for omap_rtc_power_off_program prototype
RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()
rtc: meson-vrtc: Use ktime_get_real_ts64() to get the current time
rtc: k3: handle errors while enabling wake irq
RDMA/erdma: Use fixed hardware page size
fs/ntfs3: Fix memory leak if ntfs_read_mft failed
fs/ntfs3: Add check for kmemdup
fs/ntfs3: Fix OOB read in indx_insert_into_buffer
fs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de()
iommu/mediatek: Set dma_mask for PGTABLE_PA_35_EN
power: supply: generic-adc-battery: fix unit scaling
clk: add missing of_node_put() in "assigned-clocks" property parsing
RDMA/siw: Remove namespace check from siw_netdev_event()
clk: qcom: gcc-sm6115: Mark RCGs shared where applicable
power: supply: rk817: Fix low SOC bugs
RDMA/cm: Trace icm_send_rej event before the cm state is reset
RDMA/srpt: Add a check for valid 'mad_agent' pointer
IB/hfi1: Fix SDMA mmu_rb_node not being evicted in LRU order
IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests
clk: imx: fracn-gppll: fix the rate table
clk: imx: fracn-gppll: disable hardware select control
clk: imx: imx8ulp: Fix XBAR_DIVBUS and AD_SLOW clock parents
NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease
iommu/amd: Set page size bitmap during V2 domain allocation
clk: qcom: lpasscc-sc7280: Skip qdsp6ss clock registration
clk: qcom: lpassaudiocc-sc7280: Add required gdsc power domain clks in lpass_cc_sc7280_desc
clk: qcom: gcc-sm8350: fix PCIe PIPE clocks handling
clk: qcom: dispcc-qcm2290: get rid of test clock
clk: qcom: dispcc-qcm2290: Remove inexistent DSI1PHY clk
Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe
swiotlb: relocate PageHighMem test away from rmem_swiotlb_setup
swiotlb: fix debugfs reporting of reserved memory pools
RDMA/mlx5: Check pcie_relaxed_ordering_enabled() in UMR
RDMA/mlx5: Fix flow counter query via DEVX
SUNRPC: remove the maximum number of retries in call_bind_status
RDMA/mlx5: Use correct device num_ports when modify DC
clocksource/drivers/davinci: Fix memory leak in davinci_timer_register when init fails
openrisc: Properly store r31 to pt_regs on unhandled exceptions
timekeeping: Fix references to nonexistent ktime_get_fast_ns()
SMB3: Add missing locks to protect deferred close file list
SMB3: Close deferred file handles in case of handle lease break
ext4: fix i_disksize exceeding i_size problem in paritally written case
ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline
pinctrl: renesas: r8a779a0: Remove incorrect AVB[01] pinmux configuration
pinctrl: renesas: r8a779f0: Fix tsn1_avtp_pps pin group
pinctrl: renesas: r8a779g0: Fix Group 4/5 pin functions
pinctrl: renesas: r8a779g0: Fix Group 6/7 pin functions
pinctrl: renesas: r8a779g0: Fix ERROROUTC function names
leds: TI_LMU_COMMON: select REGMAP instead of depending on it
pinctrl: ralink: reintroduce ralink,rt2880-pinmux compatible string
dmaengine: mv_xor_v2: Fix an error code.
leds: tca6507: Fix error handling of using fwnode_property_read_string
pwm: mtk-disp: Disable shadow registers before setting backlight values
pwm: mtk-disp: Configure double buffering before reading in .get_state()
soundwire: cadence: rename sdw_cdns_dai_dma_data as sdw_cdns_dai_runtime
soundwire: intel: don't save hw_params for use in prepare
phy: tegra: xusb: Add missing tegra_xusb_port_unregister for usb2_port and ulpi_port
phy: ti: j721e-wiz: Fix unreachable code in wiz_mode_select()
dma: gpi: remove spurious unlock in gpi_ch_init
dmaengine: dw-edma: Fix to change for continuous transfer
dmaengine: dw-edma: Fix to enable to issue dma request on DMA processing
dmaengine: at_xdmac: do not enable all cyclic channels
pinctrl-bcm2835.c: fix race condition when setting gpio dir
thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak in mtk_thermal_probe
mfd: tqmx86: Do not access I2C_DETECT register through io_base
mfd: tqmx86: Specify IO port register range more precisely
mfd: tqmx86: Correct board names for TQMxE39x
mfd: ocelot-spi: Fix unsupported bulk read
mfd: arizona-spi: Add missing MODULE_DEVICE_TABLE
hte: tegra: fix 'struct of_device_id' build error
hte: tegra-194: Fix off by one in tegra_hte_map_to_line_id()
ACPI: PM: Do not turn of unused power resources on the Toshiba Click Mini
PM: hibernate: Turn snapshot_test into global variable
PM: hibernate: Do not get block device exclusively in test_resume mode
afs: Fix updating of i_size with dv jump from server
afs: Fix getattr to report server i_size on dirs, not local size
afs: Avoid endless loop if file is larger than expected
parisc: Fix argument pointer in real64_call_asm()
parisc: Ensure page alignment in flush functions
ALSA: usb-audio: Add quirk for Pioneer DDJ-800
ALSA: hda/realtek: Add quirk for ThinkPad P1 Gen 6
ALSA: hda/realtek: Add quirk for ASUS UM3402YAR using CS35L41
ALSA: hda/realtek: support HP Pavilion Aero 13-be0xxx Mute LED
ALSA: hda/realtek: Fix mute and micmute LEDs for an HP laptop
nilfs2: do not write dirty data after degenerating to read-only
nilfs2: fix infinite loop in nilfs_mdt_get_block()
mm: do not reclaim private data from pinned page
drbd: correctly submit flush bio on barrier
md/raid10: fix null-ptr-deref in raid10_sync_request
md/raid5: Improve performance for sequential IO
kasan: hw_tags: avoid invalid virt_to_page()
mtd: core: provide unique name for nvmem device, take two
mtd: core: fix nvmem error reporting
mtd: core: fix error path for nvmem provider
mtd: spi-nor: core: Update flash's current address mode when changing address mode
mailbox: zynqmp: Fix IPI isr handling
kcsan: Avoid READ_ONCE() in read_instrumented_memory()
mailbox: zynqmp: Fix typo in IPI documentation
wifi: rtl8xxxu: RTL8192EU always needs full init
wifi: rtw89: fix potential race condition between napi_init and napi_enable
clk: microchip: fix potential UAF in auxdev release callback
clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent
scripts/gdb: fix lx-timerlist for Python3
btrfs: scrub: reject unsupported scrub flags
s390/dasd: fix hanging blockdevice after request requeue
ia64: fix an addr to taddr in huge_pte_offset()
mm/mempolicy: correctly update prev when policy is equal on mbind
vhost_vdpa: fix unmap process in no-batch mode
dm verity: fix error handling for check_at_most_once on FEC
dm clone: call kmem_cache_destroy() in dm_clone_init() error path
dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path
dm flakey: fix a crash with invalid table line
dm ioctl: fix nested locking in table_clear() to remove deadlock concern
dm: don't lock fs when the map is NULL in process of resume
blk-iocost: avoid 64-bit division in ioc_timer_fn
cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname
cifs: protect session status check in smb2_reconnect()
thunderbolt: Use correct type in tb_port_is_clx_enabled() prototype
bonding (gcc13): synchronize bond_{a,t}lb_xmit() types
wifi: ath11k: synchronize ath11k_mac_he_gi_to_nl80211_he_gi()'s return type
perf auxtrace: Fix address filter entire kernel size
perf intel-pt: Fix CYC timestamps after standalone CBR
block/blk-iocost (gcc13): keep large values in a new enum
sfc (gcc13): synchronize ef100_enqueue_skb()'s return type
i40e: Remove unused i40e status codes
i40e: Remove string printing for i40e_status
i40e: use int for i40e_status
drm/amd/display (gcc13): fix enum mismatch
debugobject: Ensure pool refill (again)
scsi: libsas: Grab the ATA port lock in sas_ata_device_link_abort()
netfilter: nf_tables: deactivate anonymous set from preparation phase
Linux 6.1.28
Change-Id: I61b5133e2d051cc2aa39b8c7c1be3fc25da40210
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Edward Lo
|
a8eaa9a06a |
fs/ntfs3: Validate MFT flags before replaying logs
commit 98bea253aa28ad8be2ce565a9ca21beb4a9419e5 upstream. Log load and replay is part of the metadata handle flow during mount operation. The $MFT record will be loaded and used while replaying logs. However, a malformed $MFT record, say, has RECORD_FLAG_DIR flag set and contains an ATTR_ROOT attribute will misguide kernel to treat it as a directory, and try to free the allocated resources when the corresponding inode is freed, which will cause an invalid kfree because the memory hasn't actually been allocated. [ 101.368647] BUG: KASAN: invalid-free in kvfree+0x2c/0x40 [ 101.369457] [ 101.369986] CPU: 0 PID: 198 Comm: mount Not tainted 6.0.0-rc7+ #5 [ 101.370529] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 101.371362] Call Trace: [ 101.371795] <TASK> [ 101.372157] dump_stack_lvl+0x49/0x63 [ 101.372658] print_report.cold+0xf5/0x689 [ 101.373022] ? ni_write_inode+0x754/0xd90 [ 101.373378] ? kvfree+0x2c/0x40 [ 101.373698] kasan_report_invalid_free+0x77/0xf0 [ 101.374058] ? kvfree+0x2c/0x40 [ 101.374352] ? kvfree+0x2c/0x40 [ 101.374668] __kasan_slab_free+0x189/0x1b0 [ 101.374992] ? kvfree+0x2c/0x40 [ 101.375271] kfree+0x168/0x3b0 [ 101.375717] kvfree+0x2c/0x40 [ 101.376002] indx_clear+0x26/0x60 [ 101.376316] ni_clear+0xc5/0x290 [ 101.376661] ntfs_evict_inode+0x45/0x70 [ 101.377001] evict+0x199/0x280 [ 101.377432] iput.part.0+0x286/0x320 [ 101.377819] iput+0x32/0x50 [ 101.378166] ntfs_loadlog_and_replay+0x143/0x320 [ 101.378656] ? ntfs_bio_fill_1+0x510/0x510 [ 101.378968] ? iput.part.0+0x286/0x320 [ 101.379367] ntfs_fill_super+0xecb/0x1ba0 [ 101.379729] ? put_ntfs+0x1d0/0x1d0 [ 101.380046] ? vsprintf+0x20/0x20 [ 101.380542] ? mutex_unlock+0x81/0xd0 [ 101.380914] ? set_blocksize+0x95/0x150 [ 101.381597] get_tree_bdev+0x232/0x370 [ 101.382254] ? put_ntfs+0x1d0/0x1d0 [ 101.382699] ntfs_fs_get_tree+0x15/0x20 [ 101.383094] vfs_get_tree+0x4c/0x130 [ 101.383675] path_mount+0x654/0xfe0 [ 101.384203] ? putname+0x80/0xa0 [ 101.384540] ? finish_automount+0x2e0/0x2e0 [ 101.384943] ? putname+0x80/0xa0 [ 101.385362] ? kmem_cache_free+0x1c4/0x440 [ 101.385968] ? putname+0x80/0xa0 [ 101.386666] do_mount+0xd6/0xf0 [ 101.387228] ? path_mount+0xfe0/0xfe0 [ 101.387585] ? __kasan_check_write+0x14/0x20 [ 101.387979] __x64_sys_mount+0xca/0x110 [ 101.388436] do_syscall_64+0x3b/0x90 [ 101.388757] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 101.389289] RIP: 0033:0x7fa0f70e948a [ 101.390048] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 101.391297] RSP: 002b:00007ffc24fdecc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 101.391988] RAX: ffffffffffffffda RBX: 000055932c183060 RCX: 00007fa0f70e948a [ 101.392494] RDX: 000055932c183260 RSI: 000055932c1832e0 RDI: 000055932c18bce0 [ 101.393053] RBP: 0000000000000000 R08: 000055932c183280 R09: 0000000000000020 [ 101.393577] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055932c18bce0 [ 101.394044] R13: 000055932c183260 R14: 0000000000000000 R15: 00000000ffffffff [ 101.394747] </TASK> [ 101.395402] [ 101.396047] Allocated by task 198: [ 101.396724] kasan_save_stack+0x26/0x50 [ 101.397400] __kasan_slab_alloc+0x6d/0x90 [ 101.397974] kmem_cache_alloc_lru+0x192/0x5a0 [ 101.398524] ntfs_alloc_inode+0x23/0x70 [ 101.399137] alloc_inode+0x3b/0xf0 [ 101.399534] iget5_locked+0x54/0xa0 [ 101.400026] ntfs_iget5+0xaf/0x1780 [ 101.400414] ntfs_loadlog_and_replay+0xe5/0x320 [ 101.400883] ntfs_fill_super+0xecb/0x1ba0 [ 101.401313] get_tree_bdev+0x232/0x370 [ 101.401774] ntfs_fs_get_tree+0x15/0x20 [ 101.402224] vfs_get_tree+0x4c/0x130 [ 101.402673] path_mount+0x654/0xfe0 [ 101.403160] do_mount+0xd6/0xf0 [ 101.403537] __x64_sys_mount+0xca/0x110 [ 101.404058] do_syscall_64+0x3b/0x90 [ 101.404333] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 101.404816] [ 101.405067] The buggy address belongs to the object at ffff888008cc9ea0 [ 101.405067] which belongs to the cache ntfs_inode_cache of size 992 [ 101.406171] The buggy address is located 232 bytes inside of [ 101.406171] 992-byte region [ffff888008cc9ea0, ffff888008cca280) [ 101.406995] [ 101.408559] The buggy address belongs to the physical page: [ 101.409320] page:00000000dccf19dd refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cc8 [ 101.410654] head:00000000dccf19dd order:2 compound_mapcount:0 compound_pincount:0 [ 101.411533] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) [ 101.412665] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888003695140 [ 101.413209] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000 [ 101.413799] page dumped because: kasan: bad access detected [ 101.414213] [ 101.414427] Memory state around the buggy address: [ 101.414991] ffff888008cc9e80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 [ 101.415785] ffff888008cc9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 101.416933] >ffff888008cc9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 101.417857] ^ [ 101.418566] ffff888008cca000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 101.419704] ffff888008cca080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Signed-off-by: Edward Lo <edward.lo@ambergroup.io> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Cc: Luiz Capitulino <luizcap@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Konstantin Komarov
|
b2bd08be1a |
fs/ntfs3: Refactoring of various minor issues
commit 6827d50b2c430c329af442b64c9176d174f56521 upstream. Removed unused macro. Changed null pointer checking. Fixed inconsistent indenting. Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Cc: Rudi Heitbaum <rudi@heitbaum.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
ZhangPeng
|
d69d5e2a81 |
fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()
[ Upstream commit 254e69f284d7270e0abdc023ee53b71401c3ba0c ]
Syzbot reported a null-ptr-deref bug:
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size
(512)
ntfs3: loop0: Mark volume as dirty due to NTFS errors
general protection fault, probably for non-canonical address
0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
RIP: 0010:d_flags_for_inode fs/dcache.c:1980 [inline]
RIP: 0010:__d_add+0x5ce/0x800 fs/dcache.c:2796
Call Trace:
<TASK>
d_splice_alias+0x122/0x3b0 fs/dcache.c:3191
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10e6/0x2df0 fs/namei.c:3688
do_filp_open+0x264/0x4f0 fs/namei.c:3718
do_sys_openat2+0x124/0x4e0 fs/open.c:1310
do_sys_open fs/open.c:1326 [inline]
__do_sys_open fs/open.c:1334 [inline]
__se_sys_open fs/open.c:1330 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1330
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
If the MFT record of ntfs inode is not a base record, inode->i_op can be
NULL. And a null-ptr-deref may happen:
ntfs_lookup()
dir_search_u() # inode->i_op is set to NULL
d_splice_alias()
__d_add()
d_flags_for_inode() # inode->i_op->get_link null-ptr-deref
Fix this by adding a Check on inode->i_op before calling the
d_splice_alias() function.
Fixes:
|
||
|
Zeng Heng
|
9163a5b4ed |
fs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de()
[ Upstream commit ab84eee4c7ab929996602eda7832854c35a6dda2 ]
Here is a BUG report from syzbot:
BUG: KASAN: slab-out-of-bounds in hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806
Read of size 16842960 at addr ffff888079cc0600 by task syz-executor934/3631
Call Trace:
memmove+0x25/0x60 mm/kasan/shadow.c:54
hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806
indx_delete_entry+0x74f/0x3670 fs/ntfs3/index.c:2193
ni_remove_name+0x27a/0x980 fs/ntfs3/frecord.c:2910
ntfs_unlink_inode+0x3d4/0x720 fs/ntfs3/inode.c:1712
ntfs_rename+0x41a/0xcb0 fs/ntfs3/namei.c:276
Before using the meta-data in struct INDEX_HDR, we need to
check index header valid or not. Otherwise, the corruptedi
(or malicious) fs image can cause out-of-bounds access which
could make kernel panic.
Fixes:
|
||
|
ZhangPeng
|
17048287ac |
fs/ntfs3: Fix OOB read in indx_insert_into_buffer
[ Upstream commit b8c44949044e5f7f864525fdffe8e95135ce9ce5 ]
Syzbot reported a OOB read bug:
BUG: KASAN: slab-out-of-bounds in indx_insert_into_buffer+0xaa3/0x13b0
fs/ntfs3/index.c:1755
Read of size 17168 at addr ffff8880255e06c0 by task syz-executor308/3630
Call Trace:
<TASK>
memmove+0x25/0x60 mm/kasan/shadow.c:54
indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755
indx_insert_entry+0x446/0x6b0 fs/ntfs3/index.c:1863
ntfs_create_inode+0x1d3f/0x35c0 fs/ntfs3/inode.c:1548
ntfs_create+0x3e/0x60 fs/ntfs3/namei.c:100
lookup_open fs/namei.c:3413 [inline]
If the member struct INDEX_BUFFER *index of struct indx_node is
incorrect, that is, the value of __le32 used is greater than the value
of __le32 total in struct INDEX_HDR. Therefore, OOB read occurs when
memmove is called in indx_insert_into_buffer().
Fix this by adding a check in hdr_find_e().
Fixes:
|
||
Jiasheng Jiang
|
7898db22ed |
fs/ntfs3: Add check for kmemdup
[ Upstream commit e6c3cef24cb0d045f99d5cb039b344874e3cfd74 ]
Since the kmemdup may return NULL pointer,
it should be better to add check for the return value
in order to avoid NULL pointer dereference.
Fixes:
|
||
Chen Zhongjin
|
1bc6bb657d |
fs/ntfs3: Fix memory leak if ntfs_read_mft failed
[ Upstream commit bfa434c60157c9793e9b12c9b68ade02aff9f803 ]
Label ATTR_ROOT in ntfs_read_mft() sets is_root = true and
ni->ni_flags |= NI_FLAG_DIR, then next attr will goto label ATTR_ALLOC
and alloc ni->dir.alloc_run. However two states are not always
consistent and can make memory leak.
1) attr_name in ATTR_ROOT does not fit the condition it will set
is_root = true but NI_FLAG_DIR is not set.
2) next attr_name in ATTR_ALLOC fits the condition and alloc
ni->dir.alloc_run
3) in cleanup function ni_clear(), when NI_FLAG_DIR is set, it frees
ni->dir.alloc_run, otherwise it frees ni->file.run
4) because NI_FLAG_DIR is not set in this case, ni->dir.alloc_run is
leaked as kmemleak reported:
unreferenced object 0xffff888003bc5480 (size 64):
backtrace:
[<000000003d42e6b0>] __kmalloc_node+0x4e/0x1c0
[<00000000d8e19b8a>] kvmalloc_node+0x39/0x1f0
[<00000000fc3eb5b8>] run_add_entry+0x18a/0xa40 [ntfs3]
[<0000000011c9f978>] run_unpack+0x75d/0x8e0 [ntfs3]
[<00000000e7cf1819>] run_unpack_ex+0xbc/0x500 [ntfs3]
[<00000000bbf0a43d>] ntfs_iget5+0xb25/0x2dd0 [ntfs3]
[<00000000a6e50693>] ntfs_fill_super+0x218d/0x3580 [ntfs3]
[<00000000b9170608>] get_tree_bdev+0x3fb/0x710
[<000000004833798a>] vfs_get_tree+0x8e/0x280
[<000000006e20b8e6>] path_mount+0xf3c/0x1930
[<000000007bf15a5f>] do_mount+0xf3/0x110
...
Fix this by always setting is_root and NI_FLAG_DIR together.
Fixes:
|
||
Suren Baghdasaryan
|
71c7092b68 |
ANDROID: Revert "mm: remove cleancache"
This reverts commit
|
||
Abdun Nihaal
|
543bba3be2 |
fs/ntfs3: Validate attribute data and valid sizes
commit 019d22eb0eb707fc099e6e8fad9b3933236a06d0 upstream.
The data_size and valid_size fields of non resident attributes should be
less than the its alloc_size field, but this is not checked in
ntfs_read_mft function.
Syzbot reports a allocation order warning due to a large unchecked value
of data_size getting assigned to inode->i_size which is then passed to
kcalloc.
Add sanity check for ensuring that the data_size and valid_size fields
are not larger than alloc_size field.
Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963
Reported-and-tested-by: syzbot+fa4648a5446460b7b963@syzkaller.appspotmail.com
Fixes: (
|
||
Alon Zahavi
|
ff3b1a6243 |
fs/ntfs3: Fix attr_punch_hole() null pointer derenference
commit 6d5c9e79b726cc473d40e9cb60976dbe8e669624 upstream. The bug occours due to a misuse of `attr` variable instead of `attr_b`. `attr` is being initialized as NULL, then being derenfernced as `attr->res.data_size`. This bug causes a crash of the ntfs3 driver itself, If compiled directly to the kernel, it crashes the whole system. Signed-off-by: Alon Zahavi <zahavi.alon@gmail.com> Co-developed-by: Tal Lossos <tallossos@gmail.com> Signed-off-by: Tal Lossos <tallossos@gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Tetsuo Handa
|
73fee7e1e5 |
fs/ntfs3: don't hold ni_lock when calling truncate_setsize()
[ Upstream commit 0226635c304cfd5c9db9b78c259cb713819b057e ]
syzbot is reporting hung task at do_user_addr_fault() [1], for there is
a silent deadlock between PG_locked bit and ni_lock lock.
Since filemap_update_page() calls filemap_read_folio() after calling
folio_trylock() which will set PG_locked bit, ntfs_truncate() must not
call truncate_setsize() which will wait for PG_locked bit to be cleared
when holding ni_lock lock.
Link: https://lore.kernel.org/all/00000000000060d41f05f139aa44@google.com/
Link: https://syzkaller.appspot.com/bug?extid=bed15dbf10294aa4f2ae [1]
Reported-by: syzbot <syzbot+bed15dbf10294aa4f2ae@syzkaller.appspotmail.com>
Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
Co-developed-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes:
|
||
Yin Xiujiang
|
6d076293e5 |
fs/ntfs3: Fix slab-out-of-bounds in r_page
[ Upstream commit ecfbd57cf9c5ca225184ae266ce44ae473792132 ] When PAGE_SIZE is 64K, if read_log_page is called by log_read_rst for the first time, the size of *buffer would be equal to DefaultLogPageSize(4K).But for *buffer operations like memcpy, if the memory area size(n) which being assigned to buffer is larger than 4K (log->page_size(64K) or bytes(64K-page_off)), it will cause an out of boundary error. Call trace: [...] kasan_report+0x44/0x130 check_memory_region+0xf8/0x1a0 memcpy+0xc8/0x100 ntfs_read_run_nb+0x20c/0x460 read_log_page+0xd0/0x1f4 log_read_rst+0x110/0x75c log_replay+0x1e8/0x4aa0 ntfs_loadlog_and_replay+0x290/0x2d0 ntfs_fill_super+0x508/0xec0 get_tree_bdev+0x1fc/0x34c [...] Fix this by setting variable r_page to NULL in log_read_rst. Signed-off-by: Yin Xiujiang <yinxiujiang@kylinos.cn> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Dan Carpenter
|
4d744cee4c |
fs/ntfs3: Delete duplicate condition in ntfs_read_mft()
[ Upstream commit 658015167a8432b88f5d032e9d85d8fd50e5bf2c ]
There were two patches which addressed the same bug and added the same
condition:
commit 6db620863f85 ("fs/ntfs3: Validate data run offset")
commit 887bfc546097 ("fs/ntfs3: Fix slab-out-of-bounds read in run_unpack")
Delete one condition.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Tetsuo Handa
|
fd8aa71b65 |
fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super()
[ Upstream commit 59bfd7a483da36bd202532a3d9ea1f14f3bf3aaf ] syzbot is reporting too large allocation at ntfs_fill_super() [1], for a crafted filesystem can contain bogus inode->i_size. Add __GFP_NOWARN in order to avoid too large allocation warning, than exhausting memory by using kvmalloc(). Link: https://syzkaller.appspot.com/bug?extid=33f3faaa0c08744f7d40 [1] Reported-by: syzot <syzbot+33f3faaa0c08744f7d40@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Tetsuo Handa
|
590a6943a1 |
fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init()
[ Upstream commit 0d0f659bf713662fabed973f9996b8f23c59ca51 ] syzbot is reporting too large allocation at wnd_init() [1], for a crafted filesystem can become wnd->nwnd close to UINT_MAX. Add __GFP_NOWARN in order to avoid too large allocation warning, than exhausting memory by using kvcalloc(). Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963 [1] Reported-by: syzot <syzbot+fa4648a5446460b7b963@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Edward Lo
|
d6379ce242 |
fs/ntfs3: Validate index root when initialize NTFS security
[ Upstream commit bfcdbae0523bd95eb75a739ffb6221a37109881e ] This enhances the sanity check for $SDH and $SII while initializing NTFS security, guarantees these index root are legit. [ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 [ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 [ 162.460851] [ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 [ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 162.462609] Call Trace: [ 162.462954] <TASK> [ 162.463276] dump_stack_lvl+0x49/0x63 [ 162.463822] print_report.cold+0xf5/0x689 [ 162.464608] ? unwind_get_return_address+0x3a/0x60 [ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320 [ 162.466975] kasan_report+0xa7/0x130 [ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0 [ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320 [ 162.468536] __asan_load2+0x68/0x90 [ 162.468923] hdr_find_e.isra.0+0x10c/0x320 [ 162.469282] ? cmp_uints+0xe0/0xe0 [ 162.469557] ? cmp_sdh+0x90/0x90 [ 162.469864] ? ni_find_attr+0x214/0x300 [ 162.470217] ? ni_load_mi+0x80/0x80 [ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.470931] ? ntfs_bread_run+0x190/0x190 [ 162.471307] ? indx_get_root+0xe4/0x190 [ 162.471556] ? indx_get_root+0x140/0x190 [ 162.471833] ? indx_init+0x1e0/0x1e0 [ 162.472069] ? fnd_clear+0x115/0x140 [ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100 [ 162.472731] indx_find+0x184/0x470 [ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0 [ 162.474429] ? indx_find_buffer+0x2d0/0x2d0 [ 162.474704] ? do_syscall_64+0x3b/0x90 [ 162.474962] dir_search_u+0x196/0x2f0 [ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450 [ 162.475661] ? ntfs_security_init+0x3d6/0x440 [ 162.475906] ? is_sd_valid+0x180/0x180 [ 162.476191] ntfs_extend_init+0x13f/0x2c0 [ 162.476496] ? ntfs_fix_post_read+0x130/0x130 [ 162.476861] ? iput.part.0+0x286/0x320 [ 162.477325] ntfs_fill_super+0x11e0/0x1b50 [ 162.477709] ? put_ntfs+0x1d0/0x1d0 [ 162.477970] ? vsprintf+0x20/0x20 [ 162.478258] ? set_blocksize+0x95/0x150 [ 162.478538] get_tree_bdev+0x232/0x370 [ 162.478789] ? put_ntfs+0x1d0/0x1d0 [ 162.479038] ntfs_fs_get_tree+0x15/0x20 [ 162.479374] vfs_get_tree+0x4c/0x130 [ 162.479729] path_mount+0x654/0xfe0 [ 162.480124] ? putname+0x80/0xa0 [ 162.480484] ? finish_automount+0x2e0/0x2e0 [ 162.480894] ? putname+0x80/0xa0 [ 162.481467] ? kmem_cache_free+0x1c4/0x440 [ 162.482280] ? putname+0x80/0xa0 [ 162.482714] do_mount+0xd6/0xf0 [ 162.483264] ? path_mount+0xfe0/0xfe0 [ 162.484782] ? __kasan_check_write+0x14/0x20 [ 162.485593] __x64_sys_mount+0xca/0x110 [ 162.486024] do_syscall_64+0x3b/0x90 [ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.487141] RIP: 0033:0x7f9d374e948a [ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a [ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 [ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 [ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 [ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff [ 162.493644] </TASK> [ 162.493908] [ 162.494214] The buggy address belongs to the physical page: [ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc [ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) [ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000 [ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000 [ 162.500542] page dumped because: kasan: bad access detected [ 162.501057] [ 162.501242] Memory state around the buggy address: [ 162.502230] ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 162.502977] ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 162.503963] ^ [ 162.504370] ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 162.504766] ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Signed-off-by: Edward Lo <edward.lo@ambergroup.io> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Hawkins Jiawei
|
d34485d40b |
fs/ntfs3: Fix slab-out-of-bounds read in run_unpack
[ Upstream commit 887bfc546097fbe8071dac13b2fef73b77920899 ]
Syzkaller reports slab-out-of-bounds bug as follows:
==================================================================
BUG: KASAN: slab-out-of-bounds in run_unpack+0x8b7/0x970 fs/ntfs3/run.c:944
Read of size 1 at addr ffff88801bbdff02 by task syz-executor131/3611
[...]
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
run_unpack+0x8b7/0x970 fs/ntfs3/run.c:944
run_unpack_ex+0xb0/0x7c0 fs/ntfs3/run.c:1057
ntfs_read_mft fs/ntfs3/inode.c:368 [inline]
ntfs_iget5+0xc20/0x3280 fs/ntfs3/inode.c:501
ntfs_loadlog_and_replay+0x124/0x5d0 fs/ntfs3/fsntfs.c:272
ntfs_fill_super+0x1eff/0x37f0 fs/ntfs3/super.c:1018
get_tree_bdev+0x440/0x760 fs/super.c:1323
vfs_get_tree+0x89/0x2f0 fs/super.c:1530
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x1326/0x1e20 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
</TASK>
The buggy address belongs to the physical page:
page:ffffea00006ef600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bbd8
head:ffffea00006ef600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88801bbdfe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801bbdfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801bbdff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801bbdff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801bbe0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Kernel will tries to read record and parse MFT from disk in
ntfs_read_mft().
Yet the problem is that during enumerating attributes in record,
kernel doesn't check whether run_off field loading from the disk
is a valid value.
To be more specific, if attr->nres.run_off is larger than attr->size,
kernel will passes an invalid argument run_buf_size in
run_unpack_ex(), which having an integer overflow. Then this invalid
argument will triggers the slab-out-of-bounds Read bug as above.
This patch solves it by adding the sanity check between
the offset to packed runs and attribute size.
link: https://lore.kernel.org/all/0000000000009145fc05e94bd5c3@google.com/#t
Reported-and-tested-by: syzbot+8d6fbb27a6aded64b25b@syzkaller.appspotmail.com
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Edward Lo
|
2f041a19f4 |
fs/ntfs3: Validate resident attribute name
[ Upstream commit 54e45702b648b7c0000e90b3e9b890e367e16ea8 ] Though we already have some sanity checks while enumerating attributes, resident attribute names aren't included. This patch checks the resident attribute names are in the valid ranges. [ 259.209031] BUG: KASAN: slab-out-of-bounds in ni_create_attr_list+0x1e1/0x850 [ 259.210770] Write of size 426 at addr ffff88800632f2b2 by task exp/255 [ 259.211551] [ 259.212035] CPU: 0 PID: 255 Comm: exp Not tainted 6.0.0-rc6 #37 [ 259.212955] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 259.214387] Call Trace: [ 259.214640] <TASK> [ 259.214895] dump_stack_lvl+0x49/0x63 [ 259.215284] print_report.cold+0xf5/0x689 [ 259.215565] ? kasan_poison+0x3c/0x50 [ 259.215778] ? kasan_unpoison+0x28/0x60 [ 259.215991] ? ni_create_attr_list+0x1e1/0x850 [ 259.216270] kasan_report+0xa7/0x130 [ 259.216481] ? ni_create_attr_list+0x1e1/0x850 [ 259.216719] kasan_check_range+0x15a/0x1d0 [ 259.216939] memcpy+0x3c/0x70 [ 259.217136] ni_create_attr_list+0x1e1/0x850 [ 259.217945] ? __rcu_read_unlock+0x5b/0x280 [ 259.218384] ? ni_remove_attr+0x2e0/0x2e0 [ 259.218712] ? kernel_text_address+0xcf/0xe0 [ 259.219064] ? __kernel_text_address+0x12/0x40 [ 259.219434] ? arch_stack_walk+0x9e/0xf0 [ 259.219668] ? __this_cpu_preempt_check+0x13/0x20 [ 259.219904] ? sysvec_apic_timer_interrupt+0x57/0xc0 [ 259.220140] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 259.220561] ni_ins_attr_ext+0x52c/0x5c0 [ 259.220984] ? ni_create_attr_list+0x850/0x850 [ 259.221532] ? run_deallocate+0x120/0x120 [ 259.221972] ? vfs_setxattr+0x128/0x300 [ 259.222688] ? setxattr+0x126/0x140 [ 259.222921] ? path_setxattr+0x164/0x180 [ 259.223431] ? __x64_sys_setxattr+0x6d/0x80 [ 259.223828] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 259.224417] ? mi_find_attr+0x3c/0xf0 [ 259.224772] ni_insert_attr+0x1ba/0x420 [ 259.225216] ? ni_ins_attr_ext+0x5c0/0x5c0 [ 259.225504] ? ntfs_read_ea+0x119/0x450 [ 259.225775] ni_insert_resident+0xc0/0x1c0 [ 259.226316] ? ni_insert_nonresident+0x400/0x400 [ 259.227001] ? __kasan_kmalloc+0x88/0xb0 [ 259.227468] ? __kmalloc+0x192/0x320 [ 259.227773] ntfs_set_ea+0x6bf/0xb30 [ 259.228216] ? ftrace_graph_ret_addr+0x2a/0xb0 [ 259.228494] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 259.228838] ? ntfs_read_ea+0x450/0x450 [ 259.229098] ? is_bpf_text_address+0x24/0x40 [ 259.229418] ? kernel_text_address+0xcf/0xe0 [ 259.229681] ? __kernel_text_address+0x12/0x40 [ 259.229948] ? unwind_get_return_address+0x3a/0x60 [ 259.230271] ? write_profile+0x270/0x270 [ 259.230537] ? arch_stack_walk+0x9e/0xf0 [ 259.230836] ntfs_setxattr+0x114/0x5c0 [ 259.231099] ? ntfs_set_acl_ex+0x2e0/0x2e0 [ 259.231529] ? evm_protected_xattr_common+0x6d/0x100 [ 259.231817] ? posix_xattr_acl+0x13/0x80 [ 259.232073] ? evm_protect_xattr+0x1f7/0x440 [ 259.232351] __vfs_setxattr+0xda/0x120 [ 259.232635] ? xattr_resolve_name+0x180/0x180 [ 259.232912] __vfs_setxattr_noperm+0x93/0x300 [ 259.233219] __vfs_setxattr_locked+0x141/0x160 [ 259.233492] ? kasan_poison+0x3c/0x50 [ 259.233744] vfs_setxattr+0x128/0x300 [ 259.234002] ? __vfs_setxattr_locked+0x160/0x160 [ 259.234837] do_setxattr+0xb8/0x170 [ 259.235567] ? vmemdup_user+0x53/0x90 [ 259.236212] setxattr+0x126/0x140 [ 259.236491] ? do_setxattr+0x170/0x170 [ 259.236791] ? debug_smp_processor_id+0x17/0x20 [ 259.237232] ? kasan_quarantine_put+0x57/0x180 [ 259.237605] ? putname+0x80/0xa0 [ 259.237870] ? __kasan_slab_free+0x11c/0x1b0 [ 259.238234] ? putname+0x80/0xa0 [ 259.238500] ? preempt_count_sub+0x18/0xc0 [ 259.238775] ? __mnt_want_write+0xaa/0x100 [ 259.238990] ? mnt_want_write+0x8b/0x150 [ 259.239290] path_setxattr+0x164/0x180 [ 259.239605] ? setxattr+0x140/0x140 [ 259.239849] ? debug_smp_processor_id+0x17/0x20 [ 259.240174] ? fpregs_assert_state_consistent+0x67/0x80 [ 259.240411] __x64_sys_setxattr+0x6d/0x80 [ 259.240715] do_syscall_64+0x3b/0x90 [ 259.240934] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 259.241697] RIP: 0033:0x7fc6b26e4469 [ 259.242647] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 [ 259.244512] RSP: 002b:00007ffc3c7841f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000bc [ 259.245086] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc6b26e4469 [ 259.246025] RDX: 00007ffc3c784380 RSI: 00007ffc3c7842e0 RDI: 00007ffc3c784238 [ 259.246961] RBP: 00007ffc3c788410 R08: 0000000000000001 R09: 00007ffc3c7884f8 [ 259.247775] R10: 000000000000007f R11: 0000000000000217 R12: 00000000004004e0 [ 259.248534] R13: 00007ffc3c7884f0 R14: 0000000000000000 R15: 0000000000000000 [ 259.249368] </TASK> [ 259.249644] [ 259.249888] Allocated by task 255: [ 259.250283] kasan_save_stack+0x26/0x50 [ 259.250957] __kasan_kmalloc+0x88/0xb0 [ 259.251826] __kmalloc+0x192/0x320 [ 259.252745] ni_create_attr_list+0x11e/0x850 [ 259.253298] ni_ins_attr_ext+0x52c/0x5c0 [ 259.253685] ni_insert_attr+0x1ba/0x420 [ 259.253974] ni_insert_resident+0xc0/0x1c0 [ 259.254311] ntfs_set_ea+0x6bf/0xb30 [ 259.254629] ntfs_setxattr+0x114/0x5c0 [ 259.254859] __vfs_setxattr+0xda/0x120 [ 259.255155] __vfs_setxattr_noperm+0x93/0x300 [ 259.255445] __vfs_setxattr_locked+0x141/0x160 [ 259.255862] vfs_setxattr+0x128/0x300 [ 259.256251] do_setxattr+0xb8/0x170 [ 259.256522] setxattr+0x126/0x140 [ 259.256911] path_setxattr+0x164/0x180 [ 259.257308] __x64_sys_setxattr+0x6d/0x80 [ 259.257637] do_syscall_64+0x3b/0x90 [ 259.257970] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 259.258550] [ 259.258772] The buggy address belongs to the object at ffff88800632f000 [ 259.258772] which belongs to the cache kmalloc-1k of size 1024 [ 259.260190] The buggy address is located 690 bytes inside of [ 259.260190] 1024-byte region [ffff88800632f000, ffff88800632f400) [ 259.261412] [ 259.261743] The buggy address belongs to the physical page: [ 259.262354] page:0000000081e8cac9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x632c [ 259.263722] head:0000000081e8cac9 order:2 compound_mapcount:0 compound_pincount:0 [ 259.264284] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) [ 259.265312] raw: 000fffffc0010200 ffffea0000060d00 dead000000000004 ffff888001041dc0 [ 259.265772] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 [ 259.266305] page dumped because: kasan: bad access detected [ 259.266588] [ 259.266728] Memory state around the buggy address: [ 259.267225] ffff88800632f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 259.267841] ffff88800632f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 259.269111] >ffff88800632f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 259.269626] ^ [ 259.270162] ffff88800632f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 259.270810] ffff88800632f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Signed-off-by: Edward Lo <edward.lo@ambergroup.io> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Edward Lo
|
3f6f75e886 |
fs/ntfs3: Validate buffer length while parsing index
[ Upstream commit 4d42ecda239cc13738d6fd84d098a32e67b368b9 ] indx_read is called when we have some NTFS directory operations that need more information from the index buffers. This adds a sanity check to make sure the returned index buffer length is legit, or we may have some out-of-bound memory accesses. [ 560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320 [ 560.898321] Read of size 2 at addr ffff888009497238 by task exp/245 [ 560.898760] [ 560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37 [ 560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 560.900170] Call Trace: [ 560.900407] <TASK> [ 560.900732] dump_stack_lvl+0x49/0x63 [ 560.901108] print_report.cold+0xf5/0x689 [ 560.901395] ? hdr_find_e.isra.0+0x10c/0x320 [ 560.901716] kasan_report+0xa7/0x130 [ 560.901950] ? hdr_find_e.isra.0+0x10c/0x320 [ 560.902208] __asan_load2+0x68/0x90 [ 560.902427] hdr_find_e.isra.0+0x10c/0x320 [ 560.902846] ? cmp_uints+0xe0/0xe0 [ 560.903363] ? cmp_sdh+0x90/0x90 [ 560.903883] ? ntfs_bread_run+0x190/0x190 [ 560.904196] ? rwsem_down_read_slowpath+0x750/0x750 [ 560.904969] ? ntfs_fix_post_read+0xe0/0x130 [ 560.905259] ? __kasan_check_write+0x14/0x20 [ 560.905599] ? up_read+0x1a/0x90 [ 560.905853] ? indx_read+0x22c/0x380 [ 560.906096] indx_find+0x2ef/0x470 [ 560.906352] ? indx_find_buffer+0x2d0/0x2d0 [ 560.906692] ? __kasan_kmalloc+0x88/0xb0 [ 560.906977] dir_search_u+0x196/0x2f0 [ 560.907220] ? ntfs_nls_to_utf16+0x450/0x450 [ 560.907464] ? __kasan_check_write+0x14/0x20 [ 560.907747] ? mutex_lock+0x8f/0xe0 [ 560.907970] ? __mutex_lock_slowpath+0x20/0x20 [ 560.908214] ? kmem_cache_alloc+0x143/0x4b0 [ 560.908459] ntfs_lookup+0xe0/0x100 [ 560.908788] __lookup_slow+0x116/0x220 [ 560.909050] ? lookup_fast+0x1b0/0x1b0 [ 560.909309] ? lookup_fast+0x13f/0x1b0 [ 560.909601] walk_component+0x187/0x230 [ 560.909944] link_path_walk.part.0+0x3f0/0x660 [ 560.910285] ? handle_lookup_down+0x90/0x90 [ 560.910618] ? path_init+0x642/0x6e0 [ 560.911084] ? percpu_counter_add_batch+0x6e/0xf0 [ 560.912559] ? __alloc_file+0x114/0x170 [ 560.913008] path_openat+0x19c/0x1d10 [ 560.913419] ? getname_flags+0x73/0x2b0 [ 560.913815] ? kasan_save_stack+0x3a/0x50 [ 560.914125] ? kasan_save_stack+0x26/0x50 [ 560.914542] ? __kasan_slab_alloc+0x6d/0x90 [ 560.914924] ? kmem_cache_alloc+0x143/0x4b0 [ 560.915339] ? getname_flags+0x73/0x2b0 [ 560.915647] ? getname+0x12/0x20 [ 560.916114] ? __x64_sys_open+0x4c/0x60 [ 560.916460] ? path_lookupat.isra.0+0x230/0x230 [ 560.916867] ? __isolate_free_page+0x2e0/0x2e0 [ 560.917194] do_filp_open+0x15c/0x1f0 [ 560.917448] ? may_open_dev+0x60/0x60 [ 560.917696] ? expand_files+0xa4/0x3a0 [ 560.917923] ? __kasan_check_write+0x14/0x20 [ 560.918185] ? _raw_spin_lock+0x88/0xdb [ 560.918409] ? _raw_spin_lock_irqsave+0x100/0x100 [ 560.918783] ? _find_next_bit+0x4a/0x130 [ 560.919026] ? _raw_spin_unlock+0x19/0x40 [ 560.919276] ? alloc_fd+0x14b/0x2d0 [ 560.919635] do_sys_openat2+0x32a/0x4b0 [ 560.920035] ? file_open_root+0x230/0x230 [ 560.920336] ? __rcu_read_unlock+0x5b/0x280 [ 560.920813] do_sys_open+0x99/0xf0 [ 560.921208] ? filp_open+0x60/0x60 [ 560.921482] ? exit_to_user_mode_prepare+0x49/0x180 [ 560.921867] __x64_sys_open+0x4c/0x60 [ 560.922128] do_syscall_64+0x3b/0x90 [ 560.922369] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 560.923030] RIP: 0033:0x7f7dff2e4469 [ 560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 [ 560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002 [ 560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469 [ 560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffd41a211f0 [ 560.926085] RBP: 00007ffd41a252a0 R08: 00007f7dff60fba0 R09: 00007ffd41a25388 [ 560.926405] R10: 0000000000400b80 R11: 0000000000000206 R12: 00000000004004e0 [ 560.926867] R13: 00007ffd41a25380 R14: 0000000000000000 R15: 0000000000000000 [ 560.927241] </TASK> [ 560.927491] [ 560.927755] Allocated by task 245: [ 560.928409] kasan_save_stack+0x26/0x50 [ 560.929271] __kasan_kmalloc+0x88/0xb0 [ 560.929778] __kmalloc+0x192/0x320 [ 560.930023] indx_read+0x249/0x380 [ 560.930224] indx_find+0x2a2/0x470 [ 560.930695] dir_search_u+0x196/0x2f0 [ 560.930892] ntfs_lookup+0xe0/0x100 [ 560.931115] __lookup_slow+0x116/0x220 [ 560.931323] walk_component+0x187/0x230 [ 560.931570] link_path_walk.part.0+0x3f0/0x660 [ 560.931791] path_openat+0x19c/0x1d10 [ 560.932008] do_filp_open+0x15c/0x1f0 [ 560.932226] do_sys_openat2+0x32a/0x4b0 [ 560.932413] do_sys_open+0x99/0xf0 [ 560.932709] __x64_sys_open+0x4c/0x60 [ 560.933417] do_syscall_64+0x3b/0x90 [ 560.933776] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 560.934235] [ 560.934486] The buggy address belongs to the object at ffff888009497000 [ 560.934486] which belongs to the cache kmalloc-512 of size 512 [ 560.935239] The buggy address is located 56 bytes to the right of [ 560.935239] 512-byte region [ffff888009497000, ffff888009497200) [ 560.936153] [ 560.937326] The buggy address belongs to the physical page: [ 560.938228] page:0000000062a3dfae refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9496 [ 560.939616] head:0000000062a3dfae order:1 compound_mapcount:0 compound_pincount:0 [ 560.940219] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) [ 560.942702] raw: 000fffffc0010200 ffffea0000164f80 dead000000000005 ffff888001041c80 [ 560.943932] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 [ 560.944568] page dumped because: kasan: bad access detected [ 560.945735] [ 560.946112] Memory state around the buggy address: [ 560.946870] ffff888009497100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 560.947242] ffff888009497180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 560.947611] >ffff888009497200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 560.947915] ^ [ 560.948249] ffff888009497280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 560.948687] ffff888009497300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Signed-off-by: Edward Lo <edward.lo@ambergroup.io> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Edward Lo
|
b343c40bb7 |
fs/ntfs3: Validate attribute name offset
[ Upstream commit 4f1dc7d9756e66f3f876839ea174df2e656b7f79 ] Although the attribute name length is checked before comparing it to some common names (e.g., $I30), the offset isn't. This adds a sanity check for the attribute name offset, guarantee the validity and prevent possible out-of-bound memory accesses. [ 191.720056] BUG: unable to handle page fault for address: ffffebde00000008 [ 191.721060] #PF: supervisor read access in kernel mode [ 191.721586] #PF: error_code(0x0000) - not-present page [ 191.722079] PGD 0 P4D 0 [ 191.722571] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 191.723179] CPU: 0 PID: 244 Comm: mount Not tainted 6.0.0-rc4 #28 [ 191.723749] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 191.724832] RIP: 0010:kfree+0x56/0x3b0 [ 191.725870] Code: 80 48 01 d8 0f 82 65 03 00 00 48 c7 c2 00 00 00 80 48 2b 15 2c 06 dd 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 0a 069 [ 191.727375] RSP: 0018:ffff8880076f7878 EFLAGS: 00000286 [ 191.727897] RAX: ffffebde00000000 RBX: 0000000000000040 RCX: ffffffff8528d5b9 [ 191.728531] RDX: 0000777f80000000 RSI: ffffffff8522d49c RDI: 0000000000000040 [ 191.729183] RBP: ffff8880076f78a0 R08: 0000000000000000 R09: 0000000000000000 [ 191.729628] R10: ffff888008949fd8 R11: ffffed10011293fd R12: 0000000000000040 [ 191.730158] R13: ffff888008949f98 R14: ffff888008949ec0 R15: ffff888008949fb0 [ 191.730645] FS: 00007f3520cd7e40(0000) GS:ffff88805ba00000(0000) knlGS:0000000000000000 [ 191.731328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 191.731667] CR2: ffffebde00000008 CR3: 0000000009704000 CR4: 00000000000006f0 [ 191.732568] Call Trace: [ 191.733231] <TASK> [ 191.733860] kvfree+0x2c/0x40 [ 191.734632] ni_clear+0x180/0x290 [ 191.735085] ntfs_evict_inode+0x45/0x70 [ 191.735495] evict+0x199/0x280 [ 191.735996] iput.part.0+0x286/0x320 [ 191.736438] iput+0x32/0x50 [ 191.736811] iget_failed+0x23/0x30 [ 191.737270] ntfs_iget5+0x337/0x1890 [ 191.737629] ? ntfs_clear_mft_tail+0x20/0x260 [ 191.738201] ? ntfs_get_block_bmap+0x70/0x70 [ 191.738482] ? ntfs_objid_init+0xf6/0x140 [ 191.738779] ? ntfs_reparse_init+0x140/0x140 [ 191.739266] ntfs_fill_super+0x121b/0x1b50 [ 191.739623] ? put_ntfs+0x1d0/0x1d0 [ 191.739984] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 [ 191.740466] ? put_ntfs+0x1d0/0x1d0 [ 191.740787] ? sb_set_blocksize+0x6a/0x80 [ 191.741272] get_tree_bdev+0x232/0x370 [ 191.741829] ? put_ntfs+0x1d0/0x1d0 [ 191.742669] ntfs_fs_get_tree+0x15/0x20 [ 191.743132] vfs_get_tree+0x4c/0x130 [ 191.743457] path_mount+0x654/0xfe0 [ 191.743938] ? putname+0x80/0xa0 [ 191.744271] ? finish_automount+0x2e0/0x2e0 [ 191.744582] ? putname+0x80/0xa0 [ 191.745053] ? kmem_cache_free+0x1c4/0x440 [ 191.745403] ? putname+0x80/0xa0 [ 191.745616] do_mount+0xd6/0xf0 [ 191.745887] ? path_mount+0xfe0/0xfe0 [ 191.746287] ? __kasan_check_write+0x14/0x20 [ 191.746582] __x64_sys_mount+0xca/0x110 [ 191.746850] do_syscall_64+0x3b/0x90 [ 191.747122] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 191.747517] RIP: 0033:0x7f351fee948a [ 191.748332] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 191.749341] RSP: 002b:00007ffd51cf3af8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 191.749960] RAX: ffffffffffffffda RBX: 000055b903733060 RCX: 00007f351fee948a [ 191.750589] RDX: 000055b903733260 RSI: 000055b9037332e0 RDI: 000055b90373bce0 [ 191.751115] RBP: 0000000000000000 R08: 000055b903733280 R09: 0000000000000020 [ 191.751537] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055b90373bce0 [ 191.751946] R13: 000055b903733260 R14: 0000000000000000 R15: 00000000ffffffff [ 191.752519] </TASK> [ 191.752782] Modules linked in: [ 191.753785] CR2: ffffebde00000008 [ 191.754937] ---[ end trace 0000000000000000 ]--- [ 191.755429] RIP: 0010:kfree+0x56/0x3b0 [ 191.755725] Code: 80 48 01 d8 0f 82 65 03 00 00 48 c7 c2 00 00 00 80 48 2b 15 2c 06 dd 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 0a 069 [ 191.756744] RSP: 0018:ffff8880076f7878 EFLAGS: 00000286 [ 191.757218] RAX: ffffebde00000000 RBX: 0000000000000040 RCX: ffffffff8528d5b9 [ 191.757580] RDX: 0000777f80000000 RSI: ffffffff8522d49c RDI: 0000000000000040 [ 191.758016] RBP: ffff8880076f78a0 R08: 0000000000000000 R09: 0000000000000000 [ 191.758570] R10: ffff888008949fd8 R11: ffffed10011293fd R12: 0000000000000040 [ 191.758957] R13: ffff888008949f98 R14: ffff888008949ec0 R15: ffff888008949fb0 [ 191.759317] FS: 00007f3520cd7e40(0000) GS:ffff88805ba00000(0000) knlGS:0000000000000000 [ 191.759711] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 191.760118] CR2: ffffebde00000008 CR3: 0000000009704000 CR4: 00000000000006f0 Signed-off-by: Edward Lo <edward.lo@ambergroup.io> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Edward Lo
|
a7b23037b3 |
fs/ntfs3: Add null pointer check for inode operations
[ Upstream commit c1ca8ef0262b25493631ecbd9cb8c9893e1481a1 ] This adds a sanity check for the i_op pointer of the inode which is returned after reading Root directory MFT record. We should check the i_op is valid before trying to create the root dentry, otherwise we may encounter a NPD while mounting a image with a funny Root directory MFT record. [ 114.484325] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 114.484811] #PF: supervisor read access in kernel mode [ 114.485084] #PF: error_code(0x0000) - not-present page [ 114.485606] PGD 0 P4D 0 [ 114.485975] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 114.486570] CPU: 0 PID: 237 Comm: mount Tainted: G B 6.0.0-rc4 #28 [ 114.486977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 114.488169] RIP: 0010:d_flags_for_inode+0xe0/0x110 [ 114.488816] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 [ 114.490326] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 [ 114.490695] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea [ 114.490986] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020 [ 114.491364] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05 [ 114.491675] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000 [ 114.491954] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750 [ 114.492397] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 [ 114.492797] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 114.493150] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0 [ 114.493671] Call Trace: [ 114.493890] <TASK> [ 114.494075] __d_instantiate+0x24/0x1c0 [ 114.494505] d_instantiate.part.0+0x35/0x50 [ 114.494754] d_make_root+0x53/0x80 [ 114.494998] ntfs_fill_super+0x1232/0x1b50 [ 114.495260] ? put_ntfs+0x1d0/0x1d0 [ 114.495499] ? vsprintf+0x20/0x20 [ 114.495723] ? set_blocksize+0x95/0x150 [ 114.495964] get_tree_bdev+0x232/0x370 [ 114.496272] ? put_ntfs+0x1d0/0x1d0 [ 114.496502] ntfs_fs_get_tree+0x15/0x20 [ 114.496859] vfs_get_tree+0x4c/0x130 [ 114.497099] path_mount+0x654/0xfe0 [ 114.497507] ? putname+0x80/0xa0 [ 114.497933] ? finish_automount+0x2e0/0x2e0 [ 114.498362] ? putname+0x80/0xa0 [ 114.498571] ? kmem_cache_free+0x1c4/0x440 [ 114.498819] ? putname+0x80/0xa0 [ 114.499069] do_mount+0xd6/0xf0 [ 114.499343] ? path_mount+0xfe0/0xfe0 [ 114.499683] ? __kasan_check_write+0x14/0x20 [ 114.500133] __x64_sys_mount+0xca/0x110 [ 114.500592] do_syscall_64+0x3b/0x90 [ 114.500930] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 114.501294] RIP: 0033:0x7fdc898e948a [ 114.501542] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 114.502716] RSP: 002b:00007ffd793e58f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 114.503175] RAX: ffffffffffffffda RBX: 0000564b2228f060 RCX: 00007fdc898e948a [ 114.503588] RDX: 0000564b2228f260 RSI: 0000564b2228f2e0 RDI: 0000564b22297ce0 [ 114.504925] RBP: 0000000000000000 R08: 0000564b2228f280 R09: 0000000000000020 [ 114.505484] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564b22297ce0 [ 114.505823] R13: 0000564b2228f260 R14: 0000000000000000 R15: 00000000ffffffff [ 114.506562] </TASK> [ 114.506887] Modules linked in: [ 114.507648] CR2: 0000000000000008 [ 114.508884] ---[ end trace 0000000000000000 ]--- [ 114.509675] RIP: 0010:d_flags_for_inode+0xe0/0x110 [ 114.510140] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 [ 114.511762] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 [ 114.512401] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea [ 114.513103] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020 [ 114.513512] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05 [ 114.513831] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000 [ 114.514757] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750 [ 114.515411] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 [ 114.515794] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 114.516208] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0 Signed-off-by: Edward Lo <edward.lo@ambergroup.io> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Shigeru Yoshida
|
2600c80ea7 |
fs/ntfs3: Fix memory leak on ntfs_fill_super() error path
[ Upstream commit 51e76a232f8c037f1d9e9922edc25b003d5f3414 ]
syzbot reported kmemleak as below:
BUG: memory leak
unreferenced object 0xffff8880122f1540 (size 32):
comm "a.out", pid 6664, jiffies 4294939771 (age 25.500s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 ed ff ed ff 00 00 00 00 ................
backtrace:
[<ffffffff81b16052>] ntfs_init_fs_context+0x22/0x1c0
[<ffffffff8164aaa7>] alloc_fs_context+0x217/0x430
[<ffffffff81626dd4>] path_mount+0x704/0x1080
[<ffffffff81627e7c>] __x64_sys_mount+0x18c/0x1d0
[<ffffffff84593e14>] do_syscall_64+0x34/0xb0
[<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
This patch fixes this issue by freeing mount options on error path of
ntfs_fill_super().
Reported-by: syzbot+9d67170b20e8f94351c8@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|