lineage-22.1
2665 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Greg Kroah-Hartman
|
20b90d46a0 |
Merge 6.1.77 into android14-6.1-lts
Changes in 6.1.77 asm-generic: make sparse happy with odd-sized put_unaligned_*() powerpc/mm: Fix null-pointer dereference in pgtable_cache_add arm64: irq: set the correct node for VMAP stack drivers/perf: pmuv3: don't expose SW_INCR event in sysfs powerpc: Fix build error due to is_valid_bugaddr() powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() powerpc/64s: Fix CONFIG_NUMA=n build due to create_section_mapping() x86/boot: Ignore NMIs during very early boot powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE powerpc/lib: Validate size for vector operations x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file debugobjects: Stop accessing objects after releasing hash bucket lock regulator: core: Only increment use_count when enable_count changes audit: Send netlink ACK before setting connection in auditd_set ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop PNP: ACPI: fix fortify warning ACPI: extlog: fix NULL pointer dereference check ACPI: NUMA: Fix the logic of getting the fake_pxm value PM / devfreq: Synchronize devfreq_monitor_[start/stop] ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on synchronous events FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree UBSAN: array-index-out-of-bounds in dtSplitRoot jfs: fix slab-out-of-bounds Read in dtSearch jfs: fix array-index-out-of-bounds in dbAdjTree jfs: fix uaf in jfs_evict_inode pstore/ram: Fix crash when setting number of cpus to an odd number crypto: octeontx2 - Fix cptvf driver cleanup erofs: fix ztailpacking for subpage compressed blocks crypto: stm32/crc32 - fix parsing list of devices afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu() afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() jfs: fix array-index-out-of-bounds in 
diNewExt arch: consolidate arch_irq_work_raise prototypes s390/vfio-ap: fix sysfs status attribute for AP queue devices s390/ptrace: handle setting of fpc register correctly KVM: s390: fix setting of fpc register SUNRPC: Fix a suspicious RCU usage warning ecryptfs: Reject casefold directory inodes ext4: fix inconsistent between segment fstrim and full fstrim ext4: unify the type of flexbg_size to unsigned int ext4: remove unnecessary check from alloc_flex_gd() ext4: avoid online resizing failures due to oversized flex bg wifi: rt2x00: restart beacon queue when hardware reset selftests/bpf: satisfy compiler by having explicit return in btf test selftests/bpf: Fix pyperf180 compilation failure with clang18 wifi: rt2x00: correct wrong BBP register in RxDCOC calibration selftests/bpf: Fix issues in setup_classid_environment() soc: xilinx: Fix for call trace due to the usage of smp_processor_id() soc: xilinx: fix unhandled SGI warning message scsi: lpfc: Fix possible file string name overflow when updating firmware PCI: Add no PM reset quirk for NVIDIA Spectrum devices bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk net: usb: ax88179_178a: avoid two consecutive device resets scsi: mpi3mr: Add PCI checks where SAS5116 diverges from SAS4116 scsi: arcmsr: Support new PCI device IDs 1883 and 1886 ARM: dts: imx7d: Fix coresight funnel ports ARM: dts: imx7s: Fix lcdif compatible ARM: dts: imx7s: Fix nand-controller #size-cells wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() wifi: ath11k: fix race due to setting ATH11K_FLAG_EXT_IRQ_ENABLED too early bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers scsi: libfc: Don't schedule abort twice scsi: libfc: Fix up timeout error in fc_fcp_rec_error() bpf: Set uattr->batch.count as zero before batched update or deletion wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap() ARM: dts: rockchip: fix rk3036 hdmi ports node ARM: dts: imx25/27-eukrea: Fix RTC 
node name ARM: dts: imx: Use flash@0,0 pattern ARM: dts: imx27: Fix sram node ARM: dts: imx1: Fix sram node net: phy: at803x: fix passing the wrong reference for config_intr ionic: pass opcode to devcmd_wait ionic: bypass firmware cmds when stuck in reset block/rnbd-srv: Check for unlikely string overflow ARM: dts: imx25: Fix the iim compatible string ARM: dts: imx25/27: Pass timing0 ARM: dts: imx27-apf27dev: Fix LED name ARM: dts: imx23-sansa: Use preferred i2c-gpios properties ARM: dts: imx23/28: Fix the DMA controller node name scsi: hisi_sas: Set .phy_attached before notifing phyup event HISI_PHYE_PHY_UP_PM ice: fix ICE_AQ_VSI_Q_OPT_RSS_* register values net: atlantic: eliminate double free in error handling logic net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path block: prevent an integer overflow in bvec_try_merge_hw_page md: Whenassemble the array, consult the superblock of the freshest device arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property ice: fix pre-shifted bit usage arm64: dts: amlogic: fix format for s4 uart node wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() wifi: cfg80211: free beacon_ies when overridden from hidden BSS Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for QCA2066 Bluetooth: hci_sync: fix BR/EDR wakeup bug Bluetooth: L2CAP: Fix possible multiple reject send net/smc: disable SEID on non-s390 archs where virtual ISM may be used bridge: cfm: fix enum typo in br_cc_ccm_tx_parse i40e: Fix VF disable behavior to block all traffic octeontx2-af: Fix max NPC MCAM entry check while validating ref_entry net: dsa: qca8k: put MDIO bus OF node on qca8k_mdio_register() failure f2fs: fix to check return value of f2fs_reserve_new_block() ALSA: hda: Refer to correct stream index at loops ASoC: doc: Fix 
undefined SND_SOC_DAPM_NOPM argument fast_dput(): handle underflows gracefully RDMA/IPoIB: Fix error code return in ipoib_mcast_join drm/panel-edp: Add override_edid_mode quirk for generic edp drm/bridge: anx7625: Fix Set HPD irq detect window to 2ms drm/amd/display: Fix tiled display misalignment f2fs: fix write pointers on zoned device after roll forward ASoC: amd: Add new dmi entries for acp5x platform drm/drm_file: fix use of uninitialized variable drm/framebuffer: Fix use of uninitialized variable drm/mipi-dsi: Fix detach call without attach media: stk1160: Fixed high volume of stk1160_dbg messages media: rockchip: rga: fix swizzling for RGB formats PCI: add INTEL_HDA_ARL to pci_ids.h ALSA: hda: Intel: add HDA_ARL PCI ID support media: rkisp1: Drop IRQF_SHARED media: rkisp1: Fix IRQ handler return values media: rkisp1: Store IRQ lines media: rkisp1: Fix IRQ disable race issue hwmon: (nct6775) Fix fan speed set failure in automatic mode f2fs: fix to tag gcing flag on page during block migration drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time IB/ipoib: Fix mcast list locking media: amphion: remove mutext lock in condition of wait_event media: ddbridge: fix an error code problem in ddb_probe media: i2c: imx335: Fix hblank min/max values drm/amd/display: For prefetch mode > 0, extend prefetch if possible drm/msm/dpu: Ratelimit framedone timeout msgs drm/msm/dpu: fix writeback programming for YUV cases drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786 drm/amd/display: make flip_timestamp_in_us a 64-bit variable clk: imx: clk-imx8qxp: fix LVDS bypass, pixel and phy clocks drm/amdgpu: Fix ecc irq enable/disable unpaired drm/amdgpu: Let KFD sync with VM fences drm/amdgpu: Fix '*fw' from request_firmware() not released in 'amdgpu_ucode_request()' 
drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()' drm/amdkfd: Fix iterator used outside loop in 'kfd_add_peer_prop()' ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140 leds: trigger: panic: Don't register panic notifier if creating the trigger failed um: Fix naming clash between UML and scheduler um: Don't use vfprintf() for os_info() um: net: Fix return type of uml_net_start_xmit() um: time-travel: fix time corruption i3c: master: cdns: Update maximum prescaler value for i2c clock xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import mfd: ti_am335x_tscadc: Fix TI SoC dependencies mailbox: arm_mhuv2: Fix a bug for mhuv2_sender_interrupt PCI: Only override AMD USB controller if required PCI: switchtec: Fix stdev_release() crash after surprise hot remove perf cs-etm: Bump minimum OpenCSD version to ensure a bugfix is present usb: hub: Replace hardcoded quirk value with BIT() macro usb: hub: Add quirk to decrease IN-ep poll interval for Microchip USB491x hub selftests/sgx: Fix linker script asserts tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE fs/kernfs/dir: obey S_ISGID spmi: mediatek: Fix UAF on device remove PCI: Fix 64GT/s effective data rate calculation PCI/AER: Decode Requester ID when no error info found 9p: Fix initialisation of netfs_inode for 9p misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback libsubcmd: Fix memory leak in uniq() drm/amdkfd: Fix lock dependency warning drm/amdkfd: Fix lock dependency warning with srcu virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings blk-mq: fix IO hang from sbitmap wakeup race ceph: reinitialize mds feature bit even when session in open ceph: fix deadlock or deadcode of misusing dget() ceph: fix invalid pointer access if get_quota_realm return ERR_PTR drm/amd/powerplay: Fix kzalloc parameter 'ATOM_Tonga_PPM_Table' in 'get_platform_power_management_table()' drm/amdgpu: Fix with right return code '-EIO' in 
'amdgpu_gmc_vram_checking()' drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()' drm/amdkfd: Fix 'node' NULL check in 'svm_range_get_range_boundaries()' perf: Fix the nr_addr_filters fix wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update drm: using mul_u32_u32() requires linux/math64.h scsi: isci: Fix an error code problem in isci_io_request_build() regulator: ti-abb: don't use devm_platform_ioremap_resource_byname for shared interrupt register scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler HID: hidraw: fix a problem of memory leak in hidraw_release() selftests: net: give more time for GRO aggregation ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() ipv4: raw: add drop reasons ipmr: fix kernel panic when forwarding mcast packets net: lan966x: Fix port configuration when using SGMII interface tcp: add sanity checks to rx zerocopy ixgbe: Refactor returning internal error codes ixgbe: Refactor overtemp event handling ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550() net: dsa: qca8k: fix illegal usage of GPIO ipv6: Ensure natural alignment of const ipv6 loopback and router addresses llc: call sock_orphan() at release time bridge: mcast: fix disabled snooping after long uptime selftests: net: add missing config for GENEVE netfilter: conntrack: correct window scaling with retransmitted SYN netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations net: ipv4: fix a memleak in ip_setup_cork af_unix: fix lockdep positive in sk_diag_dump_icons() selftests: net: fix available tunnels detection net: sysfs: Fix /sys/class/net/<iface> path selftests: team: Add missing config options selftests: bonding: Check initial state arm64: irq: set the correct node for shadow call stack mm, kmsan: fix infinite recursion due to RCU critical 
section Revert "drm/amd/display: Disable PSR-SU on Parade 0803 TCON again" drm/msm/dsi: Enable runtime PM LoongArch/smp: Call rcutree_report_cpu_starting() at tlb_init() gve: Fix use-after-free vulnerability bonding: remove print in bond_verify_device_path ASoC: codecs: lpass-wsa-macro: fix compander volume hack ASoC: codecs: wsa883x: fix PA volume control drm/amdgpu: Fix missing error code in 'gmc_v6/7/8/9_0_hw_init()' Linux 6.1.77 Change-Id: I8d69fc7831db64d8a0fad88a318f03052f8bbf69 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
0125855f7e |
Revert "bpf: Add map and need_defer parameters to .map_fd_put_ptr()"
This reverts commit
|
||
Greg Kroah-Hartman
|
329c931b9d |
Revert "bpf: Defer the free of inner map when necessary"
This reverts commit
|
||
Greg Kroah-Hartman
|
c16bb76a0c |
This is the 6.1.75 stable release
Merge 6.1.75 into android14-6.1-lts Changes in 6.1.75 x86/lib: Fix overflow when counting digits x86/mce/inject: Clear test status value EDAC/thunderx: Fix possible out-of-bounds string access powerpc: remove checks for binutils older than 2.25 powerpc: add crtsavres.o to always-y instead of extra-y powerpc/44x: select I2C for CURRITUCK powerpc/pseries/memhp: Fix access beyond end of drmem array selftests/powerpc: Fix error handling in FPU/VMX preemption tests powerpc/powernv: Add a null pointer check to scom_debug_init_one() powerpc/powernv: Add a null pointer check in opal_event_init() powerpc/powernv: Add a null pointer check in opal_powercap_init() powerpc/imc-pmu: Add a null pointer check in update_events_in_group() spi: spi-zynqmp-gqspi: fix driver kconfig dependencies mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response ACPI: video: check for error while searching for backlight device parent ACPI: LPIT: Avoid u32 multiplication overflow KEYS: encrypted: Add check for strsep platform/x86/intel/vsec: Enhance and Export intel_vsec_add_aux() platform/x86/intel/vsec: Support private data platform/x86/intel/vsec: Use mutex for
ida_alloc() and ida_free() platform/x86/intel/vsec: Fix xa_alloc memory leak of: Add of_property_present() helper cpufreq: Use of_property_present() for testing DT property presence cpufreq: scmi: process the result of devm_of_clk_add_hw_provider() calipso: fix memory leak in netlbl_calipso_add_pass() efivarfs: force RO when remounting if SetVariable is not supported efivarfs: Free s_fs_info on unmount spi: sh-msiof: Enforce fixed DTDL for R-Car H3 ACPI: LPSS: Fix the fractional clock divider flags ACPI: extlog: Clear Extended Error Log status when RAS_CEC handled the error kunit: debugfs: Fix unchecked dereference in debugfs_print_results() mtd: Fix gluebi NULL pointer dereference caused by ftl notifier selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket crypto: virtio - Handle dataq logic with tasklet crypto: sa2ul - Return crypto_aead_setkey to transfer the error crypto: ccp - fix memleak in ccp_init_dm_workarea crypto: af_alg - Disallow multiple in-flight AIO requests crypto: safexcel - Add error handling for dma_map_sg() calls crypto: sahara - remove FLAGS_NEW_KEY logic crypto: sahara - fix cbc selftest failure crypto: sahara - fix ahash selftest failure crypto: sahara - fix processing requests with cryptlen < sg->length crypto: sahara - fix error handling in sahara_hw_descriptor_create() crypto: hisilicon/qm - save capability registers in qm init process crypto: hisilicon/zip - add zip comp high perf mode configuration crypto: hisilicon/qm - add a function to set qm algs crypto: hisilicon/hpre - save capability registers in probe process crypto: hisilicon/sec2 - save capability registers in probe process crypto: hisilicon/zip - save capability registers in probe process pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() erofs: fix memory leak on short-lived bounced pages fs: indicate request originates from old mount API gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump crypto: virtio - Wait for tasklet to 
complete on device remove crypto: sahara - avoid skcipher fallback code duplication crypto: sahara - handle zero-length aes requests crypto: sahara - fix ahash reqsize crypto: sahara - fix wait_for_completion_timeout() error handling crypto: sahara - improve error handling in sahara_sha_process() crypto: sahara - fix processing hash requests with req->nbytes < sg->length crypto: sahara - do not resize req->src when doing hash operations crypto: scomp - fix req->dst buffer overflow csky: fix arch_jump_label_transform_static override blocklayoutdriver: Fix reference leak of pnfs_device_node NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT SUNRPC: fix _xprt_switch_find_current_entry logic pNFS: Fix the pnfs block driver's calculation of layoutget size wifi: plfxlc: check for allocation failure in plfxlc_usb_wreq_async() wifi: rtw88: fix RX filter in FIF_ALLMULTI flag bpf, lpm: Fix check prefixlen before walking trie bpf: Add crosstask check to __bpf_get_stack wifi: ath11k: Defer on rproc_get failure wifi: libertas: stop selecting wext ARM: dts: qcom: apq8064: correct XOADC register address net/ncsi: Fix netlink major/minor version numbers firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() firmware: meson_sm: populate platform devices from sm device tree data wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior arm64: dts: ti: k3-am62a-main: Fix GPIO pin count in DT nodes arm64: dts: ti: k3-am65-main: Fix DSS irq trigger type selftests/bpf: Fix erroneous bitmask operation md: synchronize flush io with array reconfiguration bpf: enforce precision of R0 on callback return ARM: dts: qcom: sdx65: correct SPMI node name arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered arm64: dts: qcom: sc7280: Mark some nodes as 'reserved' arm64: dts: qcom: sc7280: Make watchdog bark interrupt edge triggered arm64: dts: qcom: sdm845: Make watchdog bark interrupt edge triggered arm64: dts: qcom: sm8150: Make watchdog bark 
interrupt edge triggered arm64: dts: qcom: sm8250: Make watchdog bark interrupt edge triggered arm64: dts: qcom: sc8280xp: Make watchdog bark interrupt edge triggered arm64: dts: qcom: sm6350: Make watchdog bark interrupt edge triggered rcu-tasks: Provide rcu_trace_implies_rcu_gp() bpf: add percpu stats for bpf_map elements insertions/deletions bpf: Add map and need_defer parameters to .map_fd_put_ptr() bpf: Defer the free of inner map when necessary selftests/net: specify the interface when do arping bpf: fix check for attempt to corrupt spilled pointer scsi: fnic: Return error if vmalloc() failed arm64: dts: qcom: qrb5165-rb5: correct LED panic indicator arm64: dts: qcom: sdm845-db845c: correct LED panic indicator arm64: dts: qcom: sm8350: Fix DMA0 address arm64: dts: qcom: sc7280: Fix up GPU SIDs arm64: dts: qcom: sc7280: Mark Adreno SMMU as DMA coherent arm64: dts: qcom: sc7280: fix usb_2 wakeup interrupt types wifi: mt76: mt7921s: fix workqueue problem causes STA association fail bpf: Fix verification of indirect var-off stack access arm64: dts: hisilicon: hikey970-pmic: fix regulator cells properties dt-bindings: media: mediatek: mdp3: correct RDMA and WROT node with generic names arm64: dts: mediatek: mt8183: correct MDP3 DMA-related nodes wifi: mt76: mt7921: fix country count limitation for CLC selftests/bpf: Relax time_tai test for equal timestamps in tai_forward block: Set memalloc_noio to false on device_add_disk() error path arm64: dts: renesas: white-hawk-cpu: Fix missing serial console pin control arm64: dts: imx8mm: Reduce GPU to nominal speed scsi: hisi_sas: Replace with standard error code return value scsi: hisi_sas: Rollback some operations if FLR failed scsi: hisi_sas: Correct the number of global debugfs registers ARM: dts: stm32: don't mix SCMI and non-SCMI board compatibles selftests/net: fix grep checking for fib_nexthop_multiprefix ipmr: support IP_PKTINFO on cache report IGMP msg virtio/vsock: fix logic which reduces credit update messages 
dma-mapping: clear dev->dma_mem to NULL after freeing it soc: qcom: llcc: Fix dis_cap_alloc and retain_on_pc configuration arm64: dts: qcom: sm8150-hdk: fix SS USB regulators block: add check of 'minors' and 'first_minor' in device_add_disk() arm64: dts: qcom: sc7280: Mark SDHCI hosts as cache-coherent arm64: dts: qcom: ipq6018: fix clock rates for GCC_USB0_MOCK_UTMI_CLK arm64: dts: qcom: ipq6018: improve pcie phy pcs reg table arm64: dts: qcom: ipq6018: Use lowercase hex arm64: dts: qcom: ipq6018: Pad addresses to 8 hex digits arm64: dts: qcom: ipq6018: Fix up indentation wifi: rtlwifi: add calculate_bit_shift() wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() wifi: rtlwifi: rtl8192c: using calculate_bit_shift() wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() wifi: rtlwifi: rtl8192de: using calculate_bit_shift() wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() wifi: rtlwifi: rtl8192se: using calculate_bit_shift() wifi: iwlwifi: mvm: set siso/mimo chains to 1 in FW SMPS request wifi: iwlwifi: mvm: send TX path flush in rfkill netfilter: nf_tables: mark newset as dead on transaction abort Bluetooth: Fix bogus check for re-auth no supported with non-ssp Bluetooth: btmtkuart: fix recv_buf() return value block: make BLK_DEF_MAX_SECTORS unsigned null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS bpf: sockmap, fix proto update hook to avoid dup calls sctp: support MSG_ERRQUEUE flag in recvmsg() sctp: fix busy polling net/sched: act_ct: fix skb leak and crash on ooo frags mlxbf_gige: Fix intermittent no ip issue mlxbf_gige: Enable the GigE port in mlxbf_gige_open ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() ARM: davinci: always select CONFIG_CPU_ARM926T Revert "drm/tidss: Annotate dma-fence critical section in commit path" Revert "drm/omapdrm: Annotate dma-fence critical section in commit path" drm/panfrost: Really power off GPU cores in panfrost_gpu_power_off() 
RDMA/usnic: Silence uninitialized symbol smatch warnings RDMA/hns: Fix inappropriate err code for unsupported operations drm/panel-elida-kd35t133: hold panel in reset for unprepare drm/nouveau/fence:: fix warning directly dereferencing a rcu pointer drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function drm/tilcdc: Fix irq free on unload media: pvrusb2: fix use after free on context disconnection media: mtk-jpegdec: export jpeg decoder functions media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the crash of multi-core JPEG devices media: verisilicon: Hook the (TRY_)DECODER_CMD stateless ioctls media: rkvdec: Hook the (TRY_)DECODER_CMD stateless ioctls drm/bridge: Fix typo in post_disable() description f2fs: fix to avoid dirent corruption drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() drm/radeon: check return value of radeon_ring_lock() drm/tidss: Move reset to the end of dispc_init() drm/tidss: Return error value from from softreset drm/tidss: Check for K2G in in dispc_softreset() drm/tidss: Fix dss reset ASoC: cs35l33: Fix GPIO name and drop legacy include ASoC: cs35l34: Fix GPIO name and drop legacy include drm/msm/mdp4: flush vblank event on disable drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks drm/drv: propagate errors from drm_modeset_register_all() ASoC: Intel: glk_rt5682_max98357a: fix board id mismatch drm/panfrost: Ignore core_mask for poweroff and disable PWRTRANS irq drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() drm/radeon/dpm: fix a memleak in sumo_parse_power_table drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table drm/bridge: cdns-mhdp8546: Fix use of uninitialized variable drm/bridge: tc358767: Fix return value on error case media: cx231xx: fix a memleak in cx231xx_init_isoc RDMA/hns: Fix memory leak in free_mr_init() clk: qcom: gpucc-sm8150: Update the 
gpu_cc_pll1 config media: imx-mipi-csis: Fix clock handling in remove() media: dt-bindings: media: rkisp1: Fix the port description for the parallel interface media: rkisp1: Fix media device memory leak drm/panel: st7701: Fix AVCL calculation f2fs: fix to wait on block writeback for post_read case f2fs: fix to check compress file in f2fs_move_file_range() f2fs: fix to update iostat correctly in f2fs_filemap_fault() media: dvbdev: drop refcount on error path in dvb_device_open() media: dvb-frontends: m88ds3103: Fix a memory leak in an error handling path of m88ds3103_probe() clk: renesas: rzg2l-cpg: Reuse code in rzg2l_cpg_reset() clk: renesas: rzg2l: Check reset monitor registers drm/msm/dpu: Set input_sel bit for INTF drm/msm/dpu: Drop enable and frame_count parameters from dpu_hw_setup_misr() drm/mediatek: Return error if MDP RDMA failed to enable the clock drm/mediatek: Fix underrun in VDO1 when switches off the layer drm/amdgpu/debugfs: fix error code when smc register accessors are NULL drm/amd/pm: fix a double-free in si_dpm_init drivers/amd/pm: fix a use-after-free in kv_parse_power_table gpu/drm/radeon: fix two memleaks in radeon_vm_init drm/amd/pm: fix a double-free in amdgpu_parse_extended_power_table f2fs: fix to check return value of f2fs_recover_xattr_data dt-bindings: clock: Update the videocc resets for sm8150 clk: qcom: videocc-sm8150: Update the videocc resets clk: qcom: videocc-sm8150: Add missing PLL config property drivers: clk: zynqmp: calculate closest mux rate drivers: clk: zynqmp: update divider round rate logic watchdog: set cdev owner before adding watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling watchdog: rti_wdt: Drop runtime pm reference count when watchdog is unused clk: si5341: fix an error code problem in si5341_output_clk_set_rate drm/mediatek: dp: Add phy_mtk_dp module as pre-dependency accel/habanalabs: fix information leak in sec_attest_info() clk: fixed-rate: fix 
clk_hw_register_fixed_rate_with_accuracy_parent_hw pwm: stm32: Use regmap_clear_bits and regmap_set_bits where applicable pwm: stm32: Use hweight32 in stm32_pwm_detect_channels pwm: stm32: Fix enable count for clk in .probe() ASoC: rt5645: Drop double EF20 entry from dmi_platform_data[] ALSA: scarlett2: Add missing error check to scarlett2_config_save() ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config() ALSA: scarlett2: Allow passing any output to line_out_remap() ALSA: scarlett2: Add missing error checks to *_ctl_get() ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put() mmc: sdhci_am654: Fix TI SoC dependencies mmc: sdhci_omap: Fix TI SoC dependencies IB/iser: Prevent invalidating wrong MR drm/amdkfd: Confirm list is non-empty before utilizing list_first_entry in kfd_topology.c drm/amd/pm/smu7: fix a memleak in smu7_hwmgr_backend_init kselftest/alsa - mixer-test: fix the number of parameters to ksft_exit_fail_msg() kselftest/alsa - mixer-test: Fix the print format specifier warning ksmbd: validate the zero field of packet header of: Fix double free in of_parse_phandle_with_args_map fbdev: imxfb: fix left margin setting of: unittest: Fix of_count_phandle_with_args() expected value message selftests/bpf: Add assert for user stacks in test_task_stack keys, dns: Fix size check of V1 server-list header binder: fix async space check for 0-sized buffers binder: fix unused alloc->free_async_space mips/smp: Call rcutree_report_cpu_starting() earlier Input: atkbd - use ab83 as id when skipping the getid command xen-netback: don't produce zero-size SKB frags binder: fix race between mmput() and do_exit() clocksource/drivers/timer-ti-dm: Fix make W=n kerneldoc warnings powerpc/64s: Increase default stack size to 32KB tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host() usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart Revert "usb: dwc3: Soft reset phy 
on probe for host" Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only" usb: chipidea: wait controller resume finished for wakeup irq usb: cdns3: fix uvc failure work since sg support enabled usb: cdns3: fix iso transfer error when mult is not zero usb: cdns3: Fix uvc fail when DMA cross 4k boundery since sg enabled Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs" usb: typec: class: fix typec_altmode_put_partner to put plugs usb: mon: Fix atomicity violation in mon_bin_vma_fault serial: core: fix sanitizing check for RTS settings serial: core: make sure RS485 cannot be enabled when it is not supported serial: 8250_bcm2835aux: Restore clock error handling serial: core, imx: do not set RS485 enabled if it is not supported serial: imx: Ensure that imx_uart_rs485_config() is called with enabled clock serial: 8250_exar: Set missing rs485_supported flag serial: omap: do not override settings for RS485 support drm/vmwgfx: Fix possible invalid drm gem put calls drm/vmwgfx: Keep a gem reference to user bos in surfaces ALSA: oxygen: Fix right channel of capture volume mixer ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq2xxx ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on HP ZBook ALSA: hda/realtek: Enable headset mic on Lenovo M70 Gen5 ksmbd: validate mech token in session setup ksmbd: fix UAF issue in ksmbd_tcp_new_connection() ksmbd: only v2 leases handle the directory io_uring/rw: ensure io->bytes_done is always initialized fbdev: flush deferred work in fb_deferred_io_fsync() fbdev: flush deferred IO before closing scsi: ufs: core: Simplify power management during async scan scsi: target: core: add missing file_{start,end}_write() scsi: mpi3mr: Refresh sdev queue depth after controller reset scsi: mpi3mr: Block PEL Enable Command on Controller Reset and Unrecoverable State drm/amd: Enable PCIe PME from D3 block: add check that partition length needs to be aligned with block size block: Fix 
iterating over an empty bio with bio_for_each_folio_all netfilter: nf_tables: check if catch-all set element is active in next generation pwm: jz4740: Don't use dev_err_probe() in .request() pwm: Fix out-of-bounds access in of_pwm_single_xlate() md/raid1: Use blk_opf_t for read and write operations rootfs: Fix support for rootfstype= when root= is given Bluetooth: Fix atomicity violation in {min,max}_key_size_set bpf: Fix re-attachment branch in bpf_tracing_prog_attach LoongArch: Fix and simplify fcsr initialization on execve() iommu/arm-smmu-qcom: Add missing GMU entry to match table iommu/dma: Trace bounce buffer usage when mapping buffers wifi: mt76: fix broken precal loading from MTD for mt7915 wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors wifi: mwifiex: configure BSSID consistently when starting AP Revert "net: rtnetlink: Enslave device before bringing it up" cxl/port: Fix decoder initialization when nr_targets > interleave_ways PCI/P2PDMA: Remove reference to pci_p2pdma_map_sg() PCI: dwc: endpoint: Fix dw_pcie_ep_raise_msix_irq() alignment support PCI: mediatek: Clear interrupt status before dispatching handler x86/kvm: Do not try to disable kvmclock if it was not enabled KVM: arm64: vgic-v4: Restore pending state on host userspace write KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache iio: adc: ad7091r: Pass iio_dev to event handler HID: wacom: Correct behavior when processing some confidence == false touches serial: sc16is7xx: add check for unsupported SPI modes during probe serial: sc16is7xx: set safe default SPI clock frequency ARM: 9330/1: davinci: also select PINCTRL mfd: syscon: Fix null pointer dereference in of_syscon_register() leds: aw2013: Select missing dependency REGMAP_I2C mfd: intel-lpss: Fix the fractional clock divider flags mips: dmi: Fix early remap on MIPS32 mips: Fix incorrect max_low_pfn adjustment riscv: Check if the code to patch lies 
in the exit section riscv: Fix module_alloc() that did not reset the linear mapping permissions riscv: Fix set_memory_XX() and set_direct_map_XX() by splitting huge linear mappings riscv: Fix set_direct_map_default_noflush() to reset _PAGE_EXEC riscv: Fixed wrong register in XIP_FIXUP_FLASH_OFFSET macro MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup() MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup() power: supply: cw2015: correct time_to_empty units in sysfs power: supply: bq256xx: fix some problem in bq256xx_hw_init serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed libapi: Add missing linux/types.h header to get the __u64 type on io.h base/node.c: initialize the accessor list before registering acpi: property: Let args be NULL in __acpi_node_get_property_reference software node: Let args be NULL in software_node_get_reference_args serial: imx: fix tx statemachine deadlock selftests/sgx: Fix uninitialized pointer dereference in error path selftests/sgx: Fix uninitialized pointer dereferences in encl_get_entry selftests/sgx: Include memory clobber for inline asm in test enclave selftests/sgx: Skip non X86_64 platform iio: adc: ad9467: fix reset gpio handling iio: adc: ad9467: don't ignore error codes iio: adc: ad9467: fix scale setting perf header: Fix one memory leakage in perf_event__fprintf_event_update() perf hisi-ptt: Fix one memory leakage in hisi_ptt_process_auxtrace_event() perf genelf: Set ELF program header addresses properly tty: change tty_write_lock()'s ndelay parameter to bool tty: early return from send_break() on TTY_DRIVER_HARDWARE_BREAK tty: don't check for signal_pending() in send_break() tty: use 'if' in send_break() instead of 'goto' usb: cdc-acm: return correct error code on unsupported break spmi: mtk-pmif: Serialize PMIF status check and command submission vdpa: Fix an error handling path in eni_vdpa_probe() nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU 
length nvmet-tcp: fix a crash in nvmet_req_complete() perf env: Avoid recursively taking env->bpf_progs.lock cxl/region: fix x9 interleave typo apparmor: avoid crash when parsed profile name is empty usb: xhci-mtk: fix a short packet issue of gen1 isoc-in transfer serial: imx: Correct clock error message in function probe() nvmet: re-fix tracing strncpy() warning nvme: trace: avoid memcpy overflow warning nvmet-tcp: Fix the H2C expected PDU len calculation PCI: keystone: Fix race condition when initializing PHYs PCI: mediatek-gen3: Fix translation window size calculation ASoC: mediatek: sof-common: Add NULL check for normal_link string s390/pci: fix max size calculation in zpci_memcpy_toio() net: qualcomm: rmnet: fix global oob in rmnet_policy net: ethernet: ti: am65-cpsw: Fix max mtu to fit ethernet frames amt: do not use overwrapped cb area net: phy: micrel: populate .soft_reset for KSZ9131 mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN mptcp: strict validation before using mp_opt->hmac mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() mptcp: refine opt_mp_capable determination block: ensure we hold a queue reference when using queue limits udp: annotate data-races around up->pending net: ravb: Fix dma_addr_t truncation in error case dt-bindings: gpio: xilinx: Fix node address in gpio drm/amdkfd: Use resource_size() helper function drm/amdkfd: fixes for HMM mem allocation net: stmmac: ethtool: Fixed calltrace caused by unbalanced disable_irq_wake calls bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe LoongArch: BPF: Prevent out-of-bounds memory access mptcp: relax check on MPC passive fallback netfilter: nf_tables: reject invalid set policy netfilter: nft_limit: do not ignore unsupported flags netfilter: nfnetlink_log: use proper helper for fetching physinif netfilter: nf_queue: remove excess nf_bridge variable netfilter: 
propagate net to nf_bridge_get_physindev netfilter: bridge: replace physindev with physinif in nf_bridge_info netfilter: nf_tables: do not allow mismatch field size and set key length netfilter: nf_tables: skip dead set elements in netlink dump netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description ipvs: avoid stat macros calls from preemptible context kdb: Fix a potential buffer overflow in kdb_local() ethtool: netlink: Add missing ethnl_ops_begin/complete loop: fix the the direct I/O support check when used on top of block devices mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure selftests: mlxsw: qos_pfc: Adjust the test to support 8 lanes ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work i2c: s3c24xx: fix read transfers in polling mode i2c: s3c24xx: fix transferring more than one message in polling mode block: Remove special-casing of compound pages riscv: Fix wrong usage of lm_alias() when splitting a huge linear mapping Revert "KEYS: encrypted: Add check for strsep" arm64: dts: armada-3720-turris-mox: set irq type for RTC Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"" Linux 6.1.75 Change-Id: I60398ecc9a2e50206fd9d25c0d6c9ad6e1ca71a0 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Hou Tao
|
5a44a664ab |
bpf: Set uattr->batch.count as zero before batched update or deletion
[ Upstream commit 06e5c999f10269a532304e89a6adb2fbfeb0593c ] generic_map_{delete,update}_batch() doesn't set uattr->batch.count as zero before it tries to allocate memory for key. If the memory allocation fails, the value of uattr->batch.count will be incorrect. Fix it by setting uattr->batch.count as zero before batched update or deletion. Signed-off-by: Hou Tao <houtao1@huawei.com> Link: https://lore.kernel.org/r/20231208102355.2628918-6-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Hou Tao
|
d6d6fe4bb1 |
bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers
[ Upstream commit 169410eba271afc9f0fb476d996795aa26770c6d ]
These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock assertion for sleepable bpf program, otherwise the following warning will be reported when a sleepable bpf program manipulates bpf map under interpreter mode (aka bpf_jit_enable=0):
WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......
CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
RIP: 0010:bpf_map_lookup_elem+0x54/0x60
......
Call Trace:
<TASK>
? __warn+0xa5/0x240
? bpf_map_lookup_elem+0x54/0x60
? report_bug+0x1ba/0x1f0
? handle_bug+0x40/0x80
? exc_invalid_op+0x18/0x50
? asm_exc_invalid_op+0x1b/0x20
? __pfx_bpf_map_lookup_elem+0x10/0x10
? rcu_lockdep_current_cpu_online+0x65/0xb0
? rcu_is_watching+0x23/0x50
? bpf_map_lookup_elem+0x54/0x60
? __pfx_bpf_map_lookup_elem+0x10/0x10
___bpf_prog_run+0x513/0x3b70
__bpf_prog_run32+0x9d/0xd0
? __bpf_prog_enter_sleepable_recur+0xad/0x120
? __bpf_prog_enter_sleepable_recur+0x3e/0x120
bpf_trampoline_6442580665+0x4d/0x1000
__x64_sys_getpgid+0x5/0x30
? do_syscall_64+0x36/0xb0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
</TASK>
Signed-off-by: Hou Tao <houtao1@huawei.com>
Link: https://lore.kernel.org/r/20231204140425.1480317-2-houtao@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Hao Sun
|
4108b86e32 |
bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS
[ Upstream commit 22c7fa171a02d310e3a3f6ed46a698ca8a0060ed ]
For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
for validation. However, variable offset ptr alu is not prohibited
for this ptr kind. So the variable offset is not checked.
The following prog is accepted:
func#0 @0
0: R1=ctx() R10=fp0
0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx()
1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys()
2: (b7) r8 = 1024 ; R8_w=1024
3: (37) r8 /= 1 ; R8_w=scalar()
4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0,
smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
5: (0f) r7 += r8
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024
mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off
=(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,
var_off=(0x0; 0x400))
6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar()
7: (95) exit
This prog loads flow_keys to r7, and adds the variable offset r8
to r7, and finally causes out-of-bounds access:
BUG: unable to handle page fault for address: ffffc90014c80038
[...]
Call Trace:
<TASK>
bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Fix this by rejecting ptr alu with variable offset on flow_keys.
Applying the patch rejects the program with "R7 pointer arithmetic
on flow_keys prohibited".
Fixes:
|
||
Jiri Olsa
|
6cc9c0af0a |
bpf: Fix re-attachment branch in bpf_tracing_prog_attach
commit 715d82ba636cb3629a6e18a33bb9dbe53f9936ee upstream.
The following case can cause a crash due to missing attach_btf:
1) load rawtp program
2) load fentry program with rawtp as target_fd
3) create tracing link for fentry program with target_fd = 0
4) repeat 3
In the end we have:
- prog->aux->dst_trampoline == NULL
- tgt_prog == NULL (because we did not provide target_fd to link_create)
- prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)
- the program was loaded for tgt_prog but we have no way to find out which one
BUG: kernel NULL pointer dereference, address: 0000000000000058
Call Trace:
<TASK>
? __die+0x20/0x70
? page_fault_oops+0x15b/0x430
? fixup_exception+0x22/0x330
? exc_page_fault+0x6f/0x170
? asm_exc_page_fault+0x22/0x30
? bpf_tracing_prog_attach+0x279/0x560
? btf_obj_id+0x5/0x10
bpf_tracing_prog_attach+0x439/0x560
__sys_bpf+0x1cf4/0x2de0
__x64_sys_bpf+0x1c/0x30
do_syscall_64+0x41/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
Return -EINVAL in this situation.
Fixes:
|
||
Andrei Matei
|
b1d4d54d32 |
bpf: Fix verification of indirect var-off stack access
[ Upstream commit a833a17aeac73b33f79433d7cee68d5cafd71e4f ]
This patch fixes a bug around the verification of possibly-zero-sized
stack accesses. When the access was done through a var-offset stack
pointer, check_stack_access_within_bounds was incorrectly computing the
maximum-offset of a zero-sized read to be the same as the register's min
offset. Instead, we have to take into account the register's maximum
possible value. The patch also simplifies how the max offset is checked;
the check is now simpler than for min offset.
The bug was allowing accesses to erroneously pass the
check_stack_access_within_bounds() checks, only to later crash in
check_stack_range_initialized() when all the possibly-affected stack
slots are iterated (this time with a correct max offset).
check_stack_range_initialized() is relying on
check_stack_access_within_bounds() for its accesses to the
stack-tracking vector to be within bounds; in the case of zero-sized
accesses, we were essentially only verifying that the lowest possible
slot was within bounds. We would crash when the max-offset of the stack
pointer was >= 0 (which shouldn't pass verification, and hopefully is
not something anyone's code attempts to do in practice).
Thanks Hao for reporting!
Fixes:
|
||
Andrii Nakryiko
|
fc3e3c50a0 |
bpf: fix check for attempt to corrupt spilled pointer
[ Upstream commit ab125ed3ec1c10ccc36bc98c7a4256ad114a3dae ]
When register is spilled onto a stack as a 1/2/4-byte register, we set
slot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,
depending on actual spill size). So to check if some stack slot has
spilled register we need to consult slot_type[7], not slot_type[0].
To avoid the need to remember and double-check this in the future, just
use is_spilled_reg() helper.
Fixes:
|
||
Hou Tao
|
62fca83303 |
bpf: Defer the free of inner map when necessary
[ Upstream commit 876673364161da50eed6b472d746ef88242b2368 ] When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur use-after-free problem. Fix the free of inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with work field to reduce the size of bpf_map. Fixes: |
||
Hou Tao
|
e05b322c82 |
bpf: Add map and need_defer parameters to .map_fd_put_ptr()
[ Upstream commit 20c20bd11a0702ce4dc9300c3da58acf551d9725 ] map is the pointer of outer map, and need_defer needs some explanation. need_defer tells the implementation to defer the reference release of the passed element and ensure that the element is still alive before the bpf program, which may manipulate it, exits. The following three cases will invoke map_fd_put_ptr() and different need_defer values will be passed to these callers: 1) release the reference of the old element in the map during map update or map deletion. The release must be deferred, otherwise the bpf program may incur use-after-free problem, so need_defer needs to be true. 2) release the reference of the to-be-added element in the error path of map update. The to-be-added element is not visible to any bpf program, so it is OK to pass false for need_defer parameter. 3) release the references of all elements in the map during map release. Any bpf program which has access to the map must have been exited and released, so need_defer=false will be OK. These two parameters will be used by the following patches to fix the potential use-after-free problem for map-in-map. Signed-off-by: Hou Tao <houtao1@huawei.com> Link: https://lore.kernel.org/r/20231204140425.1480317-3-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Stable-dep-of: 876673364161 ("bpf: Defer the free of inner map when necessary") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Andrii Nakryiko
|
be1f34b93f |
bpf: enforce precision of R0 on callback return
[ Upstream commit 0acd03a5bd188b0c501d285d938439618bd855c4 ]
Given verifier checks actual value, r0 has to be precise, so we need to
propagate precision properly. r0 also has to be marked as read,
otherwise subsequent state comparisons will ignore such register as
unimportant and precision won't really help here.
Fixes:
|
||
Jordan Rome
|
799a914e48 |
bpf: Add crosstask check to __bpf_get_stack
[ Upstream commit b8e3a87a627b575896e448021e5c2f8a3bc19931 ]
Currently get_perf_callchain only supports user stack walking for
the current task. Passing the correct *crosstask* param will return
0 frames if the task passed to __bpf_get_stack isn't the current
one instead of a single incorrect frame/address. This change
passes the correct *crosstask* param but also does a preemptive
check in __bpf_get_stack if the task is current and returns
-EOPNOTSUPP if it is not.
This issue was found using bpf_get_task_stack inside a BPF
iterator ("iter/task"), which iterates over all tasks.
bpf_get_task_stack works fine for fetching kernel stacks
but because get_perf_callchain relies on the caller to know
if the requested *task* is the current one (via *crosstask*)
it was failing in a confusing way.
It might be possible to get user stacks for all tasks utilizing
something like access_process_vm but that requires the bpf
program calling bpf_get_task_stack to be sleepable and would
therefore be a breaking change.
Fixes:
|
||
Florian Lehner
|
1959a560ac |
bpf, lpm: Fix check prefixlen before walking trie
[ Upstream commit 9b75dbeb36fcd9fc7ed51d370310d0518a387769 ]
When looking up an element in LPM trie, the condition 'matchlen ==
trie->max_prefixlen' will never return true, if key->prefixlen is larger
than trie->max_prefixlen. Consequently all elements in the LPM trie will
be visited and no element is returned in the end.
To resolve this, check key->prefixlen first before walking the LPM trie.
Fixes:
|
||
Greg Kroah-Hartman
|
190985b1db |
Revert "bpf: decouple prune and jump points"
This reverts commit
|
||
Greg Kroah-Hartman
|
eba57b3513 |
Revert "bpf: remove unnecessary prune and jump points"
This reverts commit
|
||
Greg Kroah-Hartman
|
9212bbf98b |
Revert "bpf: Remove unused insn_cnt argument from visit_[func_call_]insn()"
This reverts commit
|
||
Greg Kroah-Hartman
|
797e6a76ea |
Revert "bpf: clean up visit_insn()'s instruction processing"
This reverts commit
|
||
Greg Kroah-Hartman
|
c7b298c1b5 |
Revert "bpf: Support new 32bit offset jmp instruction"
This reverts commit
|
||
Greg Kroah-Hartman
|
1699079678 |
Revert "bpf: handle ldimm64 properly in check_cfg()"
This reverts commit
|
||
Greg Kroah-Hartman
|
63ca0ed629 |
Revert "bpf: Fix a verifier bug due to incorrect branch offset comparison with cpu=v4"
This reverts commit
|
||
Greg Kroah-Hartman
|
e1b12db2de |
Merge 6.1.72 into android14-6.1-lts
Changes in 6.1.72 keys, dns: Fix missing size check of V1 server-list header block: Don't invalidate pagecache for invalid falloc modes ALSA: hda/realtek: enable SND_PCI_QUIRK for hp pavilion 14-ec1xxx series ALSA: hda/realtek: fix mute/micmute LEDs for a HP ZBook ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP ProBook 440 G6 mptcp: prevent tcp diag from closing listener subflows Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()" drm/mgag200: Fix gamma lut not initialized for G200ER, G200EV, G200SE cifs: cifs_chan_is_iface_active should be called with chan_lock held cifs: do not depend on release_iface for maintaining iface_list KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL wifi: iwlwifi: pcie: don't synchronize IRQs from IRQ drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer netfilter: use skb_ip_totlen and iph_totlen netfilter: nf_tables: set transport offset from mac header for netdev/egress nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local octeontx2-af: Fix marking couple of structure as __packed drm/i915/dp: Fix passing the correct DPCD_REV for drm_dp_set_phy_test_pattern ice: Fix link_down_on_close message ice: Shut down VSI with "link-down-on-close" enabled i40e: Fix filter input checks to prevent config with invalid values igc: Report VLAN EtherType matching back to user igc: Check VLAN TCI mask igc: Check VLAN EtherType mask ASoC: fsl_rpmsg: Fix error handler with pm_runtime_enable ASoC: mediatek: mt8186: fix AUD_PAD_TOP register and offset mlxbf_gige: fix receive packet race condition net: sched: em_text: fix possible memory leak in em_text_destroy() r8169: Fix PCI error on system resume can: raw: add support for SO_MARK net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps net: annotate data-races around sk->sk_tsflags net: annotate data-races around sk->sk_bind_phc net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) selftests: bonding: do not set port down when 
adding to bond ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init sfc: fix a double-free bug in efx_probe_filters net: bcmgenet: Fix FCS generation for fragmented skbuffs netfilter: nft_immediate: drop chain reference counter on error net: Save and restore msg_namelen in sock_sendmsg i40e: fix use-after-free in i40e_aqc_add_filters() ASoC: meson: g12a-toacodec: Validate written enum values ASoC: meson: g12a-tohdmitx: Validate written enum values ASoC: meson: g12a-toacodec: Fix event generation ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux i40e: Restore VF MSI-X state during PCI reset igc: Fix hicredit calculation net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues net/smc: fix invalid link access in dumping SMC-R connections octeontx2-af: Always configure NIX TX link credits based on max frame size octeontx2-af: Re-enable MAC TX in otx2_stop processing asix: Add check for usbnet_get_endpoints net: ravb: Wait for operating mode to be applied bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters() net: Implement missing SO_TIMESTAMPING_NEW cmsg support selftests: secretmem: floor the memory size to the multiple of page_size cpu/SMT: Create topology_smt_thread_allowed() cpu/SMT: Make SMT control more robust against enumeration failures srcu: Fix callbacks acceleration mishandling bpf, x64: Fix tailcall infinite loop bpf, x86: Simplify the parsing logic of structure parameters bpf, x86: save/restore regs with BPF_DW size net: Declare MSG_SPLICE_PAGES internal sendmsg() flag udp: Convert udp_sendpage() to use MSG_SPLICE_PAGES splice, net: Add a splice_eof op to file-ops and socket-ops ipv4, ipv6: Use splice_eof() to flush udp: introduce udp->udp_flags udp: move udp->no_check6_tx to udp->udp_flags udp: move udp->no_check6_rx to udp->udp_flags udp: move udp->gro_enabled to udp->udp_flags udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO udp: annotate data-races around 
udp->encap_type wifi: iwlwifi: yoyo: swap cdb and jacket bits values arm64: dts: qcom: sdm845: align RPMh regulator nodes with bindings arm64: dts: qcom: sdm845: Fix PSCI power domain names fbdev: imsttfb: Release framebuffer and dealloc cmap on error path fbdev: imsttfb: fix double free in probe() bpf: decouple prune and jump points bpf: remove unnecessary prune and jump points bpf: Remove unused insn_cnt argument from visit_[func_call_]insn() bpf: clean up visit_insn()'s instruction processing bpf: Support new 32bit offset jmp instruction bpf: handle ldimm64 properly in check_cfg() bpf: fix precision backtracking instruction iteration blk-mq: make sure active queue usage is held for bio_integrity_prep() net/mlx5: Increase size of irq name buffer s390/mm: add missing arch_set_page_dat() call to vmem_crst_alloc() s390/cpumf: support user space events for counting f2fs: clean up i_compress_flag and i_compress_level usage f2fs: convert to use bitmap API f2fs: assign default compression level f2fs: set the default compress_level on ioctl selftests: mptcp: fix fastclose with csum failure selftests: mptcp: set FAILING_LINKS in run_tests media: camss: sm8250: Virtual channels for CSID media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater than 3 ext4: convert move_extent_per_page() to use folios khugepage: replace try_to_release_page() with filemap_release_folio() memory-failure: convert truncate_error_page() to use folio mm: merge folio_has_private()/filemap_release_folio() call pairs mm, netfs, fscache: stop read optimisation when folio removed from pagecache filemap: add a per-mapping stable writes flag block: update the stable_writes flag in bdev_add smb: client: fix missing mode bits for SMB symlinks net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats dpaa2-eth: recycle the RX buffer only after all processing done ethtool: don't propagate EOPNOTSUPP from dumps bpf, sockmap: af_unix stream sockets need to hold ref for pair sock firmware: 
arm_scmi: Fix frequency truncation by promoting multiplier type ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 genirq/affinity: Remove the 'firstvec' parameter from irq_build_affinity_masks genirq/affinity: Pass affinity managed mask array to irq_build_affinity_masks genirq/affinity: Don't pass irq_affinity_desc array to irq_build_affinity_masks genirq/affinity: Rename irq_build_affinity_masks as group_cpus_evenly genirq/affinity: Move group_cpus_evenly() into lib/ lib/group_cpus.c: avoid acquiring cpu hotplug lock in group_cpus_evenly mm/memory_hotplug: add missing mem_hotplug_lock mm/memory_hotplug: fix error handling in add_memory_resource() net: sched: call tcf_ct_params_free to free params in tcf_ct_init netfilter: flowtable: allow unidirectional rules netfilter: flowtable: cache info of last offload net/sched: act_ct: offload UDP NEW connections net/sched: act_ct: Fix promotion of offloaded unreplied tuple netfilter: flowtable: GC pushes back packets to classic path net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table octeontx2-af: Fix pause frame configuration octeontx2-af: Support variable number of lmacs btrfs: fix qgroup_free_reserved_data int overflow btrfs: mark the len field in struct btrfs_ordered_sum as unsigned ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg() firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards x86/kprobes: fix incorrect return address calculation in kprobe_emulate_call_indirect i2c: core: Fix atomic xfer check for non-preempt config mm: fix unmap_mapping_range high bits shift bug drm/amdgpu: skip gpu_info fw loading on navi12 drm/amd/display: add nv12 bounding box mmc: meson-mx-sdhc: Fix initialization frozen issue mmc: rpmb: fixes pause retune on all RPMB partitions. 
mmc: core: Cancel delayed work before releasing host mmc: sdhci-sprd: Fix eMMC init failure after hw reset genirq/affinity: Only build SMP-only helper functions on SMP kernels f2fs: compress: fix to assign compress_level for lz4 correctly net/sched: act_ct: additional checks for outdated flows net/sched: act_ct: Always fill offloading tuple iifidx bpf: Fix a verifier bug due to incorrect branch offset comparison with cpu=v4 bpf: syzkaller found null ptr deref in unix_bpf proto add media: qcom: camss: Comment CSID dt_id field smb3: Replace smb2pdu 1-element arrays with flex-arrays Revert "interconnect: qcom: sm8250: Enable sync_state" Linux 6.1.72 Change-Id: Id00eb2ae1159d4d5fa0ef914e672c5669cbf5b0a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
bb47960a9d |
Merge branch 'android14-6.1' into branch 'android14-6.1-lts'
This merges all of the latest changes in 'android14-6.1' into 'android14-6.1-lts' to get it to pass TH again due to new symbols being added. Included in here are the following commits: * |
||
Yonghong Song
|
15db682980 |
bpf: Fix a verifier bug due to incorrect branch offset comparison with cpu=v4
commit dfce9cb3140592b886838e06f3e0c25fea2a9cae upstream. Bpf cpu=v4 support is introduced in [1] and Commit 4cd58e9af8b9 ("bpf: Support new 32bit offset jmp instruction") added support for new 32bit offset jmp instruction. Unfortunately, in function bpf_adj_delta_to_off(), for new branch insn with 32bit offset, the offset (plus/minus a small delta) compares to 16-bit offset bound [S16_MIN, S16_MAX], which caused the following verification failure: $ ./test_progs-cpuv4 -t verif_scale_pyperf180 ... insn 10 cannot be patched due to 16-bit range ... libbpf: failed to load object 'pyperf180.bpf.o' scale_test:FAIL:expect_success unexpected error: -12 (errno 12) #405 verif_scale_pyperf180:FAIL Note that due to recent llvm18 development, the patch [2] (already applied in bpf-next) needs to be applied to bpf tree for testing purpose. The fix is rather simple. For 32bit offset branch insn, the adjusted offset compares to [S32_MIN, S32_MAX] and then verification succeeded. [1] https://lore.kernel.org/all/20230728011143.3710005-1-yonghong.song@linux.dev [2] https://lore.kernel.org/bpf/20231110193644.3130906-1-yonghong.song@linux.dev Fixes: 4cd58e9af8b9 ("bpf: Support new 32bit offset jmp instruction") Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20231201024640.3417057-1-yonghong.song@linux.dev Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Andrii Nakryiko
|
803fb6109f |
bpf: fix precision backtracking instruction iteration
[ Upstream commit 4bb7ea946a370707315ab774432963ce47291946 ]
Fix an edge case in __mark_chain_precision() which prematurely stops
backtracking instructions in a state if it happens that state's first
and last instruction indexes are the same. This situation doesn't
necessarily mean that there were no instructions simulated in a state,
but rather that we started from the instruction, jumped around a bit,
and then ended up at the same instruction before checkpointing or
marking precision.
To distinguish between these two possible situations, we need to consult
jump history. If it's empty or contains a single record "bridging" parent
state and first instruction of processed state, then we indeed
backtracked all instructions in this state. But if history is not empty,
we are definitely not done yet.
Move this logic inside get_prev_insn_idx() to contain it more nicely.
Use -ENOENT return code to denote "we are out of instructions"
situation.
This bug was exposed by verifier_loop1.c's bounded_recursion subtest, once
the next fix in this patch set is applied.
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Fixes:
|
||
Andrii Nakryiko
|
b08acd5c46 |
bpf: handle ldimm64 properly in check_cfg()
[ Upstream commit 3feb263bb516ee7e1da0acd22b15afbb9a7daa19 ]
ldimm64 instructions are 16-byte long, and so have to be handled
appropriately in check_cfg(), just like the rest of BPF verifier does.
This has implications in three places:
- when determining next instruction for non-jump instructions;
- when determining next instruction for callback address ldimm64
instructions (in visit_func_call_insn());
- when checking for unreachable instructions, where second half of
ldimm64 is expected to be unreachable;
We take this also as an opportunity to report jump into the middle of
ldimm64. And adjust few test_verifier tests accordingly.
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Reported-by: Hao Sun <sunhao.th@gmail.com>
Fixes:
|
||
Yonghong Song
|
2c795ce090 |
bpf: Support new 32bit offset jmp instruction
[ Upstream commit 4cd58e9af8b9d9fff6b7145e742abbfcda0af4af ] Add interpreter/jit/verifier support for 32bit offset jmp instruction. If a conditional jmp instruction needs more than 16bit offset, it can be simulated with a conditional jmp + a 32bit jmp insn. Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20230728011231.3716103-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org> Stable-dep-of: 3feb263bb516 ("bpf: handle ldimm64 properly in check_cfg()") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Andrii Nakryiko
|
b1c780ed3c |
bpf: clean up visit_insn()'s instruction processing
[ Upstream commit 653ae3a874aca6764a4c1f5a8bf1b072ade0d6f4 ] Instead of referencing processed instruction repeatedly as insns[t] throughout entire visit_insn() function, take a local insn pointer and work with it in a cleaner way. It makes enhancing this function further a bit easier as well. Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/r/20230302235015.2044271-7-andrii@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org> Stable-dep-of: 3feb263bb516 ("bpf: handle ldimm64 properly in check_cfg()") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Andrii Nakryiko
|
97bb6dab01 |
bpf: Remove unused insn_cnt argument from visit_[func_call_]insn()
[ Upstream commit dcb2288b1fd9a8cdf2f3b8c0c7b3763346ef515f ] Number of total instructions in BPF program (including subprogs) can and is accessed from env->prog->len. visit_func_call_insn() doesn't do any checks against insn_cnt anymore, relying on push_insn() to do this check internally. So remove unnecessary insn_cnt input argument from visit_func_call_insn() and visit_insn() functions. Suggested-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20221207195534.2866030-1-andrii@kernel.org Stable-dep-of: 3feb263bb516 ("bpf: handle ldimm64 properly in check_cfg()") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Andrii Nakryiko
|
8266c47d04 |
bpf: remove unnecessary prune and jump points
[ Upstream commit 618945fbed501b6e5865042068a51edfb2dda948 ] Don't mark some instructions as jump points when there are actually no jumps and instructions are just processed sequentially. Such case is handled naturally by precision backtracking logic without the need to update jump history. See get_prev_insn_idx(). It goes back linearly by one instruction, unless current top of jmp_history is pointing to current instruction. In such case we use `st->jmp_history[cnt - 1].prev_idx` to find instruction from which we jumped to the current instruction non-linearly. Also remove both jump and prune point marking for instruction right after unconditional jumps, as program flow can get to the instruction right after unconditional jump instruction only if there is a jump to that instruction from somewhere else in the program. In such case we'll mark such instruction as prune/jump point because it's a destination of a jump. This change has no changes in terms of number of instructions or states processes across Cilium and selftests programs. Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: John Fastabend <john.fastabend@gmail.com> Link: https://lore.kernel.org/r/20221206233345.438540-4-andrii@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org> Stable-dep-of: 3feb263bb516 ("bpf: handle ldimm64 properly in check_cfg()") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Andrii Nakryiko
|
743f3548d3 |
bpf: decouple prune and jump points
[ Upstream commit bffdeaa8a5af7200b0e74c9d5a41167f86626a36 ] BPF verifier marks some instructions as prune points. Currently these prune points serve two purposes. It's a point where verifier tries to find previously verified state and check current state's equivalence to short circuit verification for current code path. But also currently it's a point where jump history, used for precision backtracking, is updated. This is done so that non-linear flow of execution could be properly backtracked. Such coupling is coincidental and unnecessary. Some prune points are not part of some non-linear jump path, so don't need update of jump history. On the other hand, not all instructions which have to be recorded in jump history necessarily are good prune points. This patch splits prune and jump points into independent flags. Currently all prune points are marked as jump points to minimize amount of changes in this patch, but next patch will perform some optimization of prune vs jmp point placement. No functional changes are intended. Acked-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/r/20221206233345.438540-2-andrii@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org> Stable-dep-of: 3feb263bb516 ("bpf: handle ldimm64 properly in check_cfg()") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Leon Hwang
|
605c8d8f99 |
bpf, x64: Fix tailcall infinite loop
[ Upstream commit 2b5dcb31a19a2e0acd869b12c9db9b2d696ef544 ] From commit |
||
Jiri Olsa
|
ec46fe0ac7 |
UPSTREAM: bpf: Fix prog_array_map_poke_run map poke update
commit 4b7de801606e504e69689df71475d27e35336fb3 upstream. Lee pointed out issue found by syscaller [0] hitting BUG in prog array map poke update in prog_array_map_poke_run function due to error value returned from bpf_arch_text_poke function. There's race window where bpf_arch_text_poke can fail due to missing bpf program kallsym symbols, which is accounted for with check for -EINVAL in that BUG_ON call. The problem is that in such case we won't update the tail call jump and cause imbalance for the next tail call update check which will fail with -EBUSY in bpf_arch_text_poke. I'm hitting following race during the program load: CPU 0 CPU 1 bpf_prog_load bpf_check do_misc_fixups prog_array_map_poke_track map_update_elem bpf_fd_array_map_update_elem prog_array_map_poke_run bpf_arch_text_poke returns -EINVAL bpf_prog_kallsyms_add After bpf_arch_text_poke (CPU 1) fails to update the tail call jump, the next poke update fails on expected jump instruction check in bpf_arch_text_poke with -EBUSY and triggers the BUG_ON in prog_array_map_poke_run. Similar race exists on the program unload. Fixing this by moving the update to bpf_arch_poke_desc_update function which makes sure we call __bpf_arch_text_poke that skips the bpf address check. Each architecture has slightly different approach wrt looking up bpf address in bpf_arch_text_poke, so instead of splitting the function or adding new 'checkip' argument in previous version, it seems best to move the whole map_poke_run update as arch specific code. [0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810 Bug: 309551558 Fixes: |
||
Jiri Olsa
|
57a6b0a464 |
bpf: Fix prog_array_map_poke_run map poke update
commit 4b7de801606e504e69689df71475d27e35336fb3 upstream.
Lee pointed out issue found by syscaller [0] hitting BUG in prog array
map poke update in prog_array_map_poke_run function due to error value
returned from bpf_arch_text_poke function.
There's race window where bpf_arch_text_poke can fail due to missing
bpf program kallsym symbols, which is accounted for with check for
-EINVAL in that BUG_ON call.
The problem is that in such case we won't update the tail call jump
and cause imbalance for the next tail call update check which will
fail with -EBUSY in bpf_arch_text_poke.
I'm hitting following race during the program load:
  CPU 0                             CPU 1
  bpf_prog_load
    bpf_check
      do_misc_fixups
        prog_array_map_poke_track
                                    map_update_elem
                                      bpf_fd_array_map_update_elem
                                        prog_array_map_poke_run
                                          bpf_arch_text_poke returns -EINVAL
    bpf_prog_kallsyms_add
After bpf_arch_text_poke (CPU 1) fails to update the tail call jump, the next
poke update fails on expected jump instruction check in bpf_arch_text_poke
with -EBUSY and triggers the BUG_ON in prog_array_map_poke_run.
Similar race exists on the program unload.
Fixing this by moving the update to bpf_arch_poke_desc_update function which
makes sure we call __bpf_arch_text_poke that skips the bpf address check.
Each architecture has slightly different approach wrt looking up bpf address
in bpf_arch_text_poke, so instead of splitting the function or adding new
'checkip' argument in previous version, it seems best to move the whole
map_poke_run update as arch specific code.
[0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810
Fixes:
|
||
Greg Kroah-Hartman
|
f1bc13cb9d |
This is the 6.1.64 stable release
Merge 6.1.64 into android14-6.1-lts Changes in 6.1.64 locking/ww_mutex/test: Fix potential workqueue corruption lib/generic-radix-tree.c: Don't overflow in peek() perf/core: Bail out early if the request AUX area is out of bound srcu: Fix srcu_struct node grpmask overflow on 64-bit systems selftests/lkdtm: Disable CONFIG_UBSAN_TRAP in test config clocksource/drivers/timer-imx-gpt: Fix potential memory leak clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware smp,csd: Throw an error if a CSD lock is stuck for too long cpu/hotplug: Don't offline the last non-isolated CPU workqueue: Provide one lock class key per work_on_cpu() callsite x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size wifi: plfxlc: fix clang-specific fortify warning wifi: mac80211_hwsim: fix clang-specific fortify warning wifi: mac80211: don't return unset power in ieee80211_get_tx_power() atl1c: Work around the DMA RX overflow issue bpf: Detect IP == ksym.end as part of BPF program wifi: ath9k: fix clang-specific fortify warnings wifi: ath10k: fix clang-specific fortify warning net: annotate data-races around sk->sk_tx_queue_mapping net: annotate
data-races around sk->sk_dst_pending_confirm wifi: ath10k: Don't touch the CE interrupt registers after power up vsock: read from socket's error queue bpf: Ensure proper register state printing for cond jumps Bluetooth: btusb: Add date->evt_skb is NULL check Bluetooth: Fix double free in hci_conn_cleanup ACPI: EC: Add quirk for HP 250 G7 Notebook PC tsnep: Fix tsnep_request_irq() format-overflow warning platform/chrome: kunit: initialize lock for fake ec_dev platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e drm/gma500: Fix call trace when psb_gem_mm_init() fails drm/komeda: drop all currently held locks if deadlock happens drm/amdgpu: not to save bo in the case of RAS err_event_athub drm/amdkfd: Fix a race condition of vram buffer unref in svm code drm/amd: Update `update_pcie_parameters` functions to use uint8_t arguments drm/amd/display: use full update for clip size increase of large plane source string.h: add array-wrappers for (v)memdup_user() kernel: kexec: copy user-array safely kernel: watch_queue: copy user-array safely drm_lease.c: copy user-array safely drm: vmwgfx_surface.c: copy user-array safely drm/msm/dp: skip validity check for DP CTS EDID checksum drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga drm/amdgpu: Fix potential null pointer derefernce drm/panel: fix a possible null pointer dereference drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference drm/radeon: fix a possible null pointer dereference drm/amdgpu/vkms: fix a possible null pointer dereference drm/panel: st7703: Pick different reset sequence drm/amdkfd: Fix shift out-of-bounds issue drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL arm64: dts: ls208xa: use a pseudo-bus to constrain usb dma size selftests/efivarfs: create-read: fix a resource leak ASoC: soc-card: Add storage for PCI SSID ASoC: SOF: Pass PCI SSID to machine driver crypto: pcrypt - Fix hungtask for 
PADATA_RESET ASoC: SOF: ipc4: handle EXCEPTION_CAUGHT notification from firmware RDMA/hfi1: Use FIELD_GET() to extract Link Width scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool fs/jfs: Add check for negative db_l2nbperpage fs/jfs: Add validity check for db_maxag and db_agpref jfs: fix array-index-out-of-bounds in dbFindLeaf jfs: fix array-index-out-of-bounds in diAlloc HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround ARM: 9320/1: fix stack depot IRQ stack filter ALSA: hda: Fix possible null-ptr-deref when assigning a stream PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields PCI: mvebu: Use FIELD_PREP() with Link Width atm: iphase: Do PCI error checks on own line PCI: Do error check on own line to split long "if" conditions scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() PCI: Use FIELD_GET() to extract Link Width PCI: Extract ATS disabling to a helper function PCI: Disable ATS for specific Intel IPU E2000 devices misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller PCI: Use FIELD_GET() in Sapphire RX 5600 XT Pulse quirk ASoC: Intel: soc-acpi-cht: Add Lenovo Yoga Tab 3 Pro YT3-X90 quirk crypto: hisilicon/qm - prevent soft lockup in receive loop HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W exfat: support handle zero-size directory mfd: intel-lpss: Add Intel Lunar Lake-M PCI IDs iio: adc: stm32-adc: harden against NULL pointer deref in stm32_adc_probe() thunderbolt: Apply USB 3.x bandwidth quirk only in software connection manager tty: vcc: Add check for kstrdup() in vcc_probe() usb: dwc3: core: configure TX/RX threshold for DWC3_IP soundwire: dmi-quirks: update HP Omen match f2fs: fix error handling of __get_node_page usb: gadget: f_ncm: Always set current gadget in ncm_bind() 9p/trans_fd: Annotate data-racy writes to file::f_flags 9p: v9fs_listxattr: fix %s null argument warning 
i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler i2c: fix memleak in i2c_new_client_device() i2c: sun6i-p2wi: Prevent potential division by zero virtio-blk: fix implicit overflow on virtio_max_dma_size i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data. media: gspca: cpia1: shift-out-of-bounds in set_flicker media: vivid: avoid integer overflow gfs2: ignore negated quota changes gfs2: fix an oops in gfs2_permission media: cobalt: Use FIELD_GET() to extract Link Width media: ccs: Fix driver quirk struct documentation media: imon: fix access to invalid resource for the second interface drm/amd/display: Avoid NULL dereference of timing generator kgdb: Flush console before entering kgdb on panic i2c: dev: copy userspace array safely ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings drm/qxl: prevent memory leak ALSA: hda/realtek: Add quirk for ASUS UX7602ZM drm/amdgpu: fix software pci_unplug on some chips pwm: Fix double shift bug mtd: rawnand: tegra: add missing check for platform_get_irq() wifi: iwlwifi: Use FW rate for non-data frames sched/core: Optimize in_task() and in_interrupt() a bit SUNRPC: ECONNRESET might require a rebind mtd: rawnand: intel: check return value of devm_kasprintf() mtd: rawnand: meson: check return value of devm_kasprintf() NFSv4.1: fix handling NFS4ERR_DELAY when testing for session trunking SUNRPC: Add an IS_ERR() check back to where it was NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO SUNRPC: Fix RPC client cleaned up the freed pipefs dentries gfs2: Silence "suspicious RCU usage in gfs2_permission" warning vhost-vdpa: fix use after free in vhost_vdpa_probe() net: set SOCK_RCU_FREE before inserting socket into hashtable ipvlan: add ipvlan_route_v6_outbound() helper tty: Fix uninit-value access in ppp_sync_receive() net: hns3: fix add VLAN fail issue net: hns3: add barrier in vf mailbox reply process net: hns3: fix incorrect capability bit display for copper port net: hns3: fix out-of-bounds 
access may occur when coalesce info is read via debugfs net: hns3: fix variable may not initialized problem in hns3_init_mac_addr() net: hns3: fix VF reset fail issue net: hns3: fix VF wrong speed and duplex issue tipc: Fix kernel-infoleak due to uninitialized TLV value net: mvneta: fix calls to page_pool_get_stats ppp: limit MRU to 64K xen/events: fix delayed eoi list handling ptp: annotate data-race around q->head and q->tail bonding: stop the device in bond_setup_by_slave() net: ethernet: cortina: Fix max RX frame define net: ethernet: cortina: Handle large frames net: ethernet: cortina: Fix MTU max setting af_unix: fix use-after-free in unix_stream_read_actor() netfilter: nf_conntrack_bridge: initialize err to 0 netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() net: stmmac: fix rx budget limit check net: stmmac: avoid rx queue overrun net/mlx5e: fix double free of encap_header net/mlx5e: fix double free of encap_header in update funcs net/mlx5e: Fix pedit endianness net/mlx5e: Reduce the size of icosq_str net/mlx5e: Check return value of snprintf writing to fw_version buffer net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors macvlan: Don't propagate promisc change to lower dev in passthru tools/power/turbostat: Fix a knl bug tools/power/turbostat: Enable the C-state Pre-wake printing cifs: spnego: add ';' in HOST_KEY_LEN cifs: fix check of rc in function generate_smb3signingkey i915/perf: Fix NULL deref bugs with drm_dbg() calls media: venus: hfi: add checks to perform sanity on queue pointers perf intel-pt: Fix async branch flags powerpc/perf: Fix disabling BHRB and instruction sampling randstruct: Fix gcc-plugin performance mode to stay in group bpf: Fix check_stack_write_fixed_off() to correctly spill imm bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END scsi: mpt3sas: Fix loop logic scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers scsi: qla2xxx: Fix 
system crash due to bad pointer access crypto: x86/sha - load modules based on CPU features x86/cpu/hygon: Fix the CPU topology evaluation for real KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space KVM: x86: Ignore MSR_AMD64_TW_CFG access KVM: x86: Clear bit12 of ICR after APIC-write VM-exit audit: don't take task_lock() in audit_exe_compare() code path audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare() proc: sysctl: prevent aliased sysctls from getting passed to init tty/sysrq: replace smp_processor_id() with get_cpu() tty: serial: meson: fix hard LOCKUP on crtscts mode hvc/xen: fix console unplug hvc/xen: fix error path in xen_hvc_init() to always register frontend driver hvc/xen: fix event channel handling for secondary consoles PCI/sysfs: Protect driver's D3cold preference from user space mm/damon/sysfs: remove requested targets when online-commit inputs mm/damon/sysfs: update monitoring target regions for online input commit watchdog: move softlockup_panic back to early_param mm/damon/lru_sort: avoid divide-by-zero in hot threshold calculation mm/damon/ops-common: avoid divide-by-zero during region hotness calculation mm/damon: implement a function for max nr_accesses safe calculation mm/damon/sysfs: check error from damon_sysfs_update_target() ACPI: resource: Do IRQ override on TongFang GMxXGxx regmap: Ensure range selector registers are updated after cache sync wifi: ath11k: fix temperature event locking wifi: ath11k: fix dfs radar event locking wifi: ath11k: fix htt pktlog locking wifi: ath11k: fix gtk offload status event locking mmc: meson-gx: Remove setting of CMD_CFG_ERROR genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware KEYS: trusted: tee: Refactor register SHM usage KEYS: trusted: Rollback init_trusted() consistently PCI: keystone: Don't discard .remove() callback PCI: keystone: Don't discard .probe() callback arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer parisc/pdc: Add width 
field to struct pdc_model parisc/power: Add power soft-off when running on qemu clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks ksmbd: handle malformed smb1 message ksmbd: fix slab out of bounds write in smb_inherit_dacl() mmc: vub300: fix an error code mmc: sdhci_am654: fix start loop index for TAP value parsing mmc: Add quirk MMC_QUIRK_BROKEN_CACHE_FLUSH for Micron eMMC Q2J54A PCI/ASPM: Fix L1 substate handling in aspm_attr_store_common() PCI: kirin: Don't discard .remove() callback PCI: exynos: Don't discard .remove() callback wifi: wilc1000: use vmm_table as array in wilc struct svcrdma: Drop connection after an RDMA Read error rcu/tree: Defer setting of jiffies during stall reset arm64: dts: qcom: ipq6018: Fix hwlock index for SMEM PM: hibernate: Use __get_safe_page() rather than touching the list PM: hibernate: Clean up sync_read handling in snapshot_write_next() rcu: kmemleak: Ignore kmemleak false positives when RCU-freeing objects btrfs: don't arbitrarily slow down delalloc if we're committing arm64: dts: qcom: ipq8074: Fix hwlock index for SMEM firmware: qcom_scm: use 64-bit calling convention only when client is 64-bit ACPI: FPDT: properly handle invalid FPDT subtables arm64: dts: qcom: ipq6018: Fix tcsr_mutex register size mfd: qcom-spmi-pmic: Fix reference leaks in revid helper mfd: qcom-spmi-pmic: Fix revid implementation ima: annotate iint mutex to avoid lockdep false positive warnings ima: detect changes to the backing overlay file netfilter: nf_tables: remove catchall element in GC sync path netfilter: nf_tables: split async and sync catchall in two functions selftests/resctrl: Remove duplicate feature check from CMT test selftests/resctrl: Move _GNU_SOURCE define into Makefile selftests/resctrl: Reduce failures due to outliers in MBA/MBM tests hid: lenovo: Resend all settings on 
reset_resume for compact keyboards ASoC: codecs: wsa-macro: fix uninitialized stack variables with name prefix jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev quota: explicitly forbid quota files from being encrypted kernel/reboot: emergency_restart: Set correct system_state i2c: core: Run atomic i2c xfer when !preemptible tracing: Have the user copy of synthetic event address use correct context driver core: Release all resources during unbind before updating device links mcb: fix error handling for different scenarios when parsing dmaengine: stm32-mdma: correct desc prep when channel running s390/cmma: fix detection of DAT pages mm/cma: use nth_page() in place of direct struct page manipulation mm/memory_hotplug: use pfn math in place of direct struct page manipulation mtd: cfi_cmdset_0001: Byte swap OTP info i3c: master: cdns: Fix reading status register i3c: master: svc: fix race condition in ibi work thread i3c: master: svc: fix wrong data return when IBI happen during start frame i3c: master: svc: fix ibi may not return mandatory data byte i3c: master: svc: fix check wrong status register in irq handler i3c: master: svc: fix SDA keep low when polling IBIWON timeout happen parisc: Prevent booting 64-bit kernels on PA1.x machines parisc/pgtable: Do not drop upper 5 address bits of physical address parisc/power: Fix power soft-off when running on qemu xhci: Enable RPM on controllers that support low-power states fs: add ctime accessors infrastructure smb3: fix creating FIFOs when mounting with "sfu" mount option smb3: fix touch -h of symlink smb3: fix caching of ctime on setxattr smb: client: fix use-after-free bug in cifs_debug_data_proc_show() smb: client: fix potential deadlock when releasing mids cifs: reconnect helper should set reconnect for the right channel cifs: force interface update before a fresh session setup cifs: do not reset chan_max if multichannel is not supported at mount xfs: recovery should not clear 
di_flushiter unconditionally btrfs: zoned: wait for data BG to be finished on direct IO allocation ALSA: info: Fix potential deadlock at disconnection ALSA: hda/realtek: Enable Mute LED on HP 255 G8 ALSA: hda/realtek - Add Dell ALC295 to pin fall back table ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC ALSA: hda/realtek: Enable Mute LED on HP 255 G10 ALSA: hda/realtek: Add quirks for HP Laptops pmdomain: bcm: bcm2835-power: check if the ASB register is equal to enable pmdomain: imx: Make imx pgc power domain also set the fwnode cpufreq: stats: Fix buffer overflow detection in trans_stats() clk: visconti: remove unused visconti_pll_provider::regmap clk: visconti: Fix undefined behavior bug in struct visconti_pll_provider Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559 bluetooth: Add device 0bda:887b to device tables bluetooth: Add device 13d3:3571 to device tables Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE drm/amd/display: enable dsc_clk even if dsc_pg disabled cxl/region: Validate region mode vs decoder mode cxl/region: Cleanup target list on attach error cxl/region: Move region-position validation to a helper cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails i3c: master: svc: add NACK check after start byte sent i3c: master: svc: fix random hot join failure since timeout error cxl: Unify debug messages when calling devm_cxl_add_port() cxl/mem: Move devm_cxl_add_endpoint() from cxl_core to cxl_mem tools/testing/cxl: Define a fixed volatile configuration to parse cxl/region: Fix x1 root-decoder granularity calculations Revert ncsi: Propagate carrier gain/loss events to the NCSI controller Revert "i2c: pxa: move to generic GPIO recovery" lsm: fix default return value for vm_enough_memory lsm: fix default return value for inode_getsecctx sbsa_gwdt: Calculate timeout with 64-bit math i2c: designware: Disable TX_EMPTY irq while waiting for 
block length byte s390/ap: fix AP bus crash on early config change callback invocation net: ethtool: Fix documentation of ethtool_sprintf() net: dsa: lan9303: consequently nested-lock physical MDIO net: phylink: initialize carrier state at creation i2c: i801: fix potential race in i801_block_transaction_byte_by_byte f2fs: do not return EFSCORRUPTED, but try to run online repair f2fs: avoid format-overflow warning media: lirc: drop trailing space from scancode transmit media: sharp: fix sharp encoding media: venus: hfi_parser: Add check to keep the number of codecs within range media: venus: hfi: fix the check to handle session buffer requirement media: venus: hfi: add checks to handle capabilities from firmware media: ccs: Correctly initialise try compose rectangle drm/mediatek/dp: fix memory leak on ->get_edid callback audio detection drm/mediatek/dp: fix memory leak on ->get_edid callback error path dm-verity: don't use blocking calls from tasklets nfsd: fix file memleak on client_opens_release LoongArch: Mark __percpu functions as always inline riscv: mm: Update the comment of CONFIG_PAGE_OFFSET riscv: correct pt_level name via pgtable_l5/4_enabled riscv: kprobes: allow writing to x0 mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2 mm: fix for negative counter: nr_file_hugepages mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors mptcp: deal with large GSO size mptcp: add validity check for sending RM_ADDR mptcp: fix setsockopt(IP_TOS) subflow locking r8169: fix network lost after resume on DASH systems r8169: add handling DASH when DASH is disabled mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of AER media: qcom: camss: Fix pm_domain_on sequence in probe media: qcom: camss: Fix vfe_get() error jump media: qcom: camss: Fix VFE-17x vfe_disable_output() media: qcom: camss: Fix VFE-480 vfe_disable_output() media: qcom: camss: Fix missing vfe_lite clocks check media: qcom: camss: Fix invalid clock enable bit disjunction media: 
qcom: camss: Fix csid-gen2 for test pattern generator Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E" ext4: apply umask if ACL support is disabled ext4: correct offset of gdb backup in non meta_bg group to update_backups ext4: mark buffer new if it is unwritten to avoid stale data exposure ext4: correct return value of ext4_convert_meta_bg ext4: correct the start block of counting reserved clusters ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks ext4: add missed brelse in update_backups ext4: properly sync file size update after O_SYNC direct IO drm/amd/pm: Handle non-terminated overdrive commands. drm/i915: Bump GLK CDCLK frequency when driving multiple pipes drm/i915: Fix potential spectre vulnerability drm/amd/pm: Fix error of MACO flag setting code drm/amdgpu/smu13: drop compute workload workaround drm/amdgpu: don't use pci_is_thunderbolt_attached() drm/amdgpu: don't use ATRM for external devices drm/amdgpu: fix error handling in amdgpu_bo_list_get() drm/amdgpu: lower CS errors to debug severity drm/amd/display: fix a NULL pointer dereference in amdgpu_dm_i2c_xfer() drm/amd/display: Enable fast plane updates on DCN3.2 and above drm/amd/display: Change the DMCUB mailbox memory location from FB to inbox powerpc/powernv: Fix fortify source warnings in opal-prd.c tracing: Have trace_event_file have ref counters Input: xpad - add VID for Turtle Beach controllers mmc: sdhci-pci-gli: GL9755: Mask the replay timer timeout of AER cxl/port: Fix NULL pointer access in devm_cxl_add_port() RISC-V: drop error print from riscv_hartid_to_cpuid() Linux 6.1.64 Change-Id: I9284282aeae5d0f9da957a58147efe0114f8e60a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Shung-Hsi Yu
|
dd56d43244 |
bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
commit 291d044fd51f8484066300ee42afecf8c8db7b3a upstream.
BPF_END and BPF_NEG have a different specification for the source bit in
the opcode compared to other ALU/ALU64 instructions; it is either
reserved or used to specify the byte swap endianness. In both cases the
source bit does not encode source operand location, and src_reg is a
reserved field.
backtrack_insn() currently does not differentiate BPF_END and BPF_NEG
from other ALU/ALU64 instructions, which leads to r0 being incorrectly
marked as precise when processing BPF_ALU | BPF_TO_BE | BPF_END
instructions. This commit teaches backtrack_insn() to correctly mark
precision for such case.
While precise tracking of BPF_NEG and other BPF_END instructions is
correct and does not need fixing, this commit opts to process all BPF_NEG
and BPF_END instructions within the same if-clause to better align with
the current convention used in the verifier (e.g. check_alu_op).
Fixes:
|
||
Hao Sun
|
947635fa17 |
bpf: Fix check_stack_write_fixed_off() to correctly spill imm
commit 811c363645b33e6e22658634329e95f383dfc705 upstream.
In check_stack_write_fixed_off(), imm value is cast to u32 before being spilled to the stack. Therefore, the sign information is lost, and the range information is incorrect when load from the stack again.
For the following prog:
0: r2 = r10
1: *(u64*)(r2 -40) = -44
2: r0 = *(u64*)(r2 - 40)
3: if r0 s<= 0xa goto +2
4: r0 = 1
5: exit
6: r0 = 0
7: exit
The verifier gives:
func#0 @0
0: R1=ctx(off=0,imm=0) R10=fp0
0: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
1: (7a) *(u64 *)(r2 -40) = -44 ; R2_w=fp0 fp-40_w=4294967252
2: (79) r0 = *(u64 *)(r2 -40) ; R0_w=4294967252 R2_w=fp0 fp-40_w=4294967252
3: (c5) if r0 s< 0xa goto pc+2
mark_precise: frame0: last_idx 3 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r0 stack= before 2: (79) r0 = *(u64 *)(r2 -40)
3: R0_w=4294967252
4: (b7) r0 = 1 ; R0_w=1
5: (95) exit
verification time 7971 usec
stack depth 40
processed 6 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
So remove the incorrect cast, since imm field is declared as s32, and __mark_reg_known() takes u64, so imm would be correctly sign extended by compiler.
Fixes: ecdf985d7615 ("bpf: track immediate values written to stack by BPF_ST instruction")
Cc: stable@vger.kernel.org
Signed-off-by: Hao Sun <sunhao.th@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20231101-fix-check-stack-write-v3-1-f05c2b1473d5@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Andrii Nakryiko
|
0a40c609e2 |
bpf: Ensure proper register state printing for cond jumps
[ Upstream commit 1a8a315f008a58f54fecb012b928aa6a494435b3 ]
Verifier emits relevant register state involved in any given instruction next to it after `;` to the right, if possible. Or, worst case, on the separate line repeating instruction index.
E.g., a nice and simple case would be:
2: (d5) if r0 s<= 0x0 goto pc+1 ; R0_w=0
But if there is some intervening extra output (e.g., precision backtracking log) involved, we are supposed to see the state after the precision backtrack log:
4: (75) if r0 s>= 0x0 goto pc+1
mark_precise: frame0: last_idx 4 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r0 stack= before 2: (d5) if r0 s<= 0x0 goto pc+1
mark_precise: frame0: regs=r0 stack= before 1: (b7) r0 = 0
6: R0_w=0
First off, note that in `6: R0_w=0` instruction index corresponds to the next instruction, not to the conditional jump instruction itself, which is wrong and we'll get to that.
But besides that, the above is a happy case that does work today. Yet, if it so happens that precision backtracking had to traverse some of the parent states, this `6: R0_w=0` state output would be missing.
This is due to a quirk of print_verifier_state() routine, which performs mark_verifier_state_clean(env) at the end. This marks all registers as "non-scratched", which means that subsequent logic to print *relevant* registers (that is, "scratched ones") fails and doesn't see anything relevant to print and skips the output altogether.
print_verifier_state() is used both to print instruction context, but also to print an **entire** verifier state indiscriminately, e.g., during precision backtracking (and in a few other situations, like during entering or exiting subprogram). Which means if we have to print entire parent state before getting to printing instruction context state, instruction context is marked as clean and is omitted.
Long story short, this is definitely not intentional. So we fix this behavior in this patch by teaching print_verifier_state() to clear scratch state only if it was used to print instruction state, not the parent/callback state. This is determined by print_all option, so if it's not set, we don't clear scratch state. This fixes missing instruction state for these cases.
As for the mismatched instruction index, we fix that by making sure we call print_insn_state() early inside check_cond_jmp_op() before we adjusted insn_idx based on jump branch taken logic. And with that we get desired correct information:
9: (16) if w4 == 0x1 goto pc+9
mark_precise: frame0: last_idx 9 first_idx 9 subseq_idx -1
mark_precise: frame0: parent state regs=r4 stack=: R2_w=1944 R4_rw=P1 R10=fp0
mark_precise: frame0: last_idx 8 first_idx 0 subseq_idx 9
mark_precise: frame0: regs=r4 stack= before 8: (66) if w4 s> 0x3 goto pc+5
mark_precise: frame0: regs=r4 stack= before 7: (b7) r4 = 1
9: R4=1
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/bpf/20231011223728.3188086-6-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Kumar Kartikeya Dwivedi
|
aa42a7cb92 |
bpf: Detect IP == ksym.end as part of BPF program
[ Upstream commit 66d9111f3517f85ef2af0337ece02683ce0faf21 ]
Now that bpf_throw kfunc is the first such call instruction that has noreturn semantics within the verifier, this also kicks in dead code elimination in unprecedented ways. For one, any instruction following a bpf_throw call will never be marked as seen. Moreover, if a callchain ends up throwing, any instructions after the call instruction to the eventually throwing subprog in callers will also never be marked as seen.
The tempting way to fix this would be to emit extra 'int3' instructions which bump the jited_len of a program, and ensure that during runtime when a program throws, we can discover its boundaries even if the call instruction to bpf_throw (or to subprogs that always throw) is emitted as the final instruction in the program.
An example of such a program would be this:
do_something():
    ...
    r0 = 0
    exit
foo():
    r1 = 0
    call bpf_throw
    r0 = 0
    exit
bar(cond):
    if r1 != 0 goto pc+2
    call do_something
    exit
    call foo
    r0 = 0 // Never seen by verifier
    exit //
main(ctx):
    r1 = ...
    call bar
    r0 = 0
    exit
Here, if we do end up throwing, the stacktrace would be the following:
bpf_throw
foo
bar
main
In bar, the final instruction emitted will be the call to foo, as such, the return address will be the subsequent instruction (which the JIT emits as int3 on x86). This will end up lying outside the jited_len of the program, thus, when unwinding, we will fail to discover the return address as belonging to any program and end up in a panic due to the unreliable stack unwinding of BPF programs that we never expect.
To remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as part of the BPF program, so that is_bpf_text_address returns true when such a case occurs, and we are able to unwind reliably when the final instruction ends up being a call instruction.
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20230912233214.1518551-12-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Greg Kroah-Hartman
|
2b3ea8bdef |
This is the 6.1.63 stable release
Merge 6.1.63 into android14-6.1-lts Changes in 6.1.63 hwmon: (nct6775) Fix incorrect variable reuse in fan_div calculation sched/fair: Fix cfs_rq_is_decayed() on !SMP iov_iter, x86: Be consistent about the __user tag on copy_mc_to_user() sched/uclamp: Set max_spare_cap_cpu even if max_spare_cap is 0 sched/uclamp: Ignore (util == 0) optimization in feec() when p_util_max = 0 objtool: Propagate early errors sched: Fix stop_one_cpu_nowait() vs hotplug vfs: fix readahead(2) on block devices writeback, cgroup: switch inodes with dirty timestamps to release dying cgwbs x86/srso: Fix SBPB enablement for (possible) future fixed HW futex: Don't include process MM in futex key on no-MMU x86/numa: Introduce numa_fill_memblks() ACPI/NUMA: Apply SRAT proximity domain to entire CFMWS window x86/sev-es: Allow copy_from_kernel_nofault() in earlier boot x86/boot: Fix incorrect startup_gdt_descr.size drivers/clocksource/timer-ti-dm: Don't call clk_get_rate() in stop function pstore/platform: Add check for kstrdup string: Adjust strtomem() logic to allow for smaller sources genirq/matrix: Exclude managed interrupts in irq_matrix_allocated() wifi: cfg80211: add flush
functions for wiphy work wifi: mac80211: move radar detect work to wiphy work wifi: mac80211: move scan work to wiphy work wifi: mac80211: move offchannel works to wiphy work wifi: mac80211: move sched-scan stop work to wiphy work wifi: mac80211: fix # of MSDU in A-MSDU calculation wifi: iwlwifi: honor the enable_ini value i40e: fix potential memory leaks in i40e_remove() iavf: Fix promiscuous mode configuration flow messages selftests/bpf: Correct map_fd to data_fd in tailcalls udp: add missing WRITE_ONCE() around up->encap_rcv tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed gve: Use size_add() in call to struct_size() mlxsw: Use size_mul() in call to struct_size() tls: Only use data field in crypto completion function tls: Use size_add() in call to struct_size() tipc: Use size_add() in calls to struct_size() net: spider_net: Use size_add() in call to struct_size() net: ethernet: mtk_wed: fix EXT_INT_STATUS_RX_FBUF definitions for MT7986 SoC wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file() wifi: ath11k: fix boot failure with one MSI vector wifi: mt76: mt7603: rework/fix rx pse hang check wifi: mt76: mt7603: improve watchdog reset reliablity wifi: mt76: mt7603: improve stuck beacon handling wifi: mt76: mt7915: fix beamforming availability check wifi: ath: dfs_pattern_detector: Fix a memory initialization issue tcp_metrics: add missing barriers on delete tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics() tcp_metrics: do not create an entry from tcp_init_metrics() wifi: rtlwifi: fix EDCA limit set by BT coexistence ACPI: property: Allow _DSD buffer data only for byte accessors ACPI: video: Add acpi_backlight=vendor quirk for Toshiba Portégé R100 wifi: ath11k: fix Tx power value during active CAC can: dev: can_restart(): don't crash kernel if carrier is OK can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on() can: dev: can_put_echo_skb(): don't crash kernel if 
can_priv::echo_skb is accessed out of bounds PM / devfreq: rockchip-dfi: Make pmu regmap mandatory wifi: wfx: fix case where rates are out of order netfilter: nf_tables: Drop pointless memset when dumping rules thermal: core: prevent potential string overflow r8169: use tp_to_dev instead of open code r8169: fix rare issue with broken rx after link-down on RTL8125 selftests: netfilter: test for sctp collision processing in nf_conntrack net: skb_find_text: Ignore patterns extending past 'to' chtls: fix tp->rcv_tstamp initialization tcp: fix cookie_init_timestamp() overflows wifi: iwlwifi: call napi_synchronize() before freeing rx/tx queues wifi: iwlwifi: pcie: synchronize IRQs before NAPI wifi: iwlwifi: empty overflow queue during flush Bluetooth: hci_sync: Fix Opcode prints in bt_dev_dbg/err bpf: Fix unnecessary -EBUSY from htab_lock_bucket ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias() ipv6: avoid atomic fragment on GSO packets net: add DEV_STATS_READ() helper ipvlan: properly track tx_errors regmap: debugfs: Fix a erroneous check after snprintf() spi: tegra: Fix missing IRQ check in tegra_slink_probe() clk: qcom: gcc-msm8996: Remove RPM bus clocks clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies clk: qcom: mmcc-msm8998: Don't check halt bit on some branch clks clk: qcom: mmcc-msm8998: Fix the SMMU GDSC clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src regulator: mt6358: Fail probe on unknown chip ID clk: imx: Select MXC_CLK for CLK_IMX8QXP clk: imx: imx8mq: correct error handling path clk: imx: imx8qxp: Fix elcdif_pll clock clk: renesas: rcar-gen3: Extend SDnH divider table clk: renesas: rzg2l: Wait for status bit of SD mux before continuing clk: renesas: rzg2l: Lock around writes to mux register clk: renesas: rzg2l: Trust value returned by hardware clk: renesas: rzg2l: Use FIELD_GET() for PLL register fields clk: renesas: rzg2l: Fix computation formula clk: linux/clk-provider.h: fix kernel-doc warnings and typos spi: 
nxp-fspi: use the correct ioremap function clk: keystone: pll: fix a couple NULL vs IS_ERR() checks clk: ti: change ti_clk_register[_omap_hw]() API clk: ti: fix double free in of_ti_divider_clk_setup() clk: npcm7xx: Fix incorrect kfree clk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data clk: qcom: config IPQ_APSS_6018 should depend on QCOM_SMEM platform/x86: wmi: Fix probe failure when failing to register WMI devices platform/x86: wmi: Fix opening of char device hwmon: (axi-fan-control) Fix possible NULL pointer dereference hwmon: (coretemp) Fix potentially truncated sysfs attribute name Revert "hwmon: (sch56xx-common) Add DMI override table" Revert "hwmon: (sch56xx-common) Add automatic module loading on supported devices" hwmon: (sch5627) Use bit macros when accessing the control register hwmon: (sch5627) Disallow write access if virtual registers are locked hte: tegra: Fix missing error code in tegra_hte_test_probe() drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs drm/rockchip: vop: Fix call to crtc reset helper drm/rockchip: vop2: Don't crash for invalid duplicate_state drm/rockchip: vop2: Add missing call to crtc reset helper drm/radeon: possible buffer overflow drm: bridge: it66121: Fix invalid connector dereference drm/bridge: lt8912b: Add hot plug detection drm/bridge: lt8912b: Fix bridge_detach drm/bridge: lt8912b: Fix crash on bridge detach drm/bridge: lt8912b: Manually disable HPD only if it was enabled drm/bridge: lt8912b: Add missing drm_bridge_attach call drm/bridge: tc358768: Fix use of uninitialized variable drm/bridge: tc358768: Fix bit updates drm/bridge: tc358768: remove unused variable drm/bridge: tc358768: Use struct 
videomode drm/bridge: tc358768: Print logical values, not raw register values drm/bridge: tc358768: Use dev for dbg prints, not priv->dev drm/bridge: tc358768: Rename dsibclk to hsbyteclk drm/bridge: tc358768: Clean up clock period code drm/bridge: tc358768: Fix tc358768_ns_to_cnt() drm/amdkfd: fix some race conditions in vram buffer alloc/free of svm code drm/amd/display: Check all enabled planes in dm_check_crtc_cursor drm/amd/display: Refactor dm_get_plane_scale helper drm/amd/display: Bail from dm_check_crtc_cursor if no relevant change io_uring/kbuf: Fix check of BID wrapping in provided buffers io_uring/kbuf: Allow the full buffer id space for provided buffers drm/mediatek: Fix iommu fault by swapping FBs after updating plane state drm/mediatek: Fix iommu fault during crtc enabling drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe() gpu: host1x: Correct allocated size for contexts drm/bridge: lt9611uxc: fix the race in the error path arm64/arm: xen: enlighten: Fix KPTI checks drm/rockchip: Fix type promotion bug in rockchip_gem_iommu_map() xenbus: fix error exit in xenbus_init() xen-pciback: Consider INTx disabled when MSI/MSI-X is enabled drm/msm/dsi: use msm_gem_kernel_put to free TX buffer drm/msm/dsi: free TX buffer in unbind clocksource/drivers/arm_arch_timer: limit XGene-1 workaround drm: mediatek: mtk_dsi: Fix NO_EOT_PACKET settings/handling drivers/perf: hisi: use cpuhp_state_remove_instance_nocalls() for hisi_hns3_pmu uninit process perf/arm-cmn: Revamp model detection perf/arm-cmn: Fix DTC domain detection drivers/perf: hisi_pcie: Check the type first in pmu::event_init() perf: hisi: Fix use-after-free when register pmu fails ARM: dts: renesas: blanche: Fix typo in GP_11_2 pin name arm64: dts: qcom: sdm845: cheza doesn't support LMh node arm64: dts: qcom: sc7280: link usb3_phy_wrapper_gcc_usb30_pipe_clk arm64: dts: qcom: msm8916: Fix iommu local address range arm64: dts: qcom: msm8992-libra: drop duplicated reserved memory arm64: 
dts: qcom: sc7280: Add missing LMH interrupts arm64: dts: qcom: sm8150: add ref clock to PCIe PHYs arm64: dts: qcom: sm8350: fix pinctrl for UART18 arm64: dts: qcom: sdm845-mtp: fix WiFi configuration ARM64: dts: marvell: cn9310: Use appropriate label for spi1 pins arm64: dts: qcom: apq8016-sbc: Add missing ADV7533 regulators ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator soc: qcom: llcc: Handle a second device without data corruption kunit: Fix missed memory release in kunit_free_suite_set() firmware: ti_sci: Mark driver as non removable arm64: dts: ti: k3-am62a7-sk: Drop i2c-1 to 100Khz firmware: arm_ffa: Assign the missing IDR allocation ID to the FFA device firmware: arm_ffa: Allow the FF-A drivers to use 32bit mode of messaging ARM: dts: am3517-evm: Fix LED3/4 pinmux clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped arm64: dts: imx8qm-ss-img: Fix jpegenc compatible entry arm64: dts: imx8mm: Add sound-dai-cells to micfil node arm64: dts: imx8mn: Add sound-dai-cells to micfil node arm64: tegra: Use correct interrupts for Tegra234 TKE selftests/pidfd: Fix ksft print formats selftests/resctrl: Ensure the benchmark commands fits to its array module/decompress: use vmalloc() for gzip decompression workspace ASoC: cs35l41: Verify PM runtime resume errors in IRQ handler ASoC: cs35l41: Undo runtime PM changes at driver exit time ALSA: hda: cs35l41: Fix unbalanced pm_runtime_get() ALSA: hda: cs35l41: Undo runtime PM changes at driver exit time KEYS: Include linux/errno.h in linux/verification.h crypto: hisilicon/hpre - Fix a erroneous check after snprintf() hwrng: bcm2835 - Fix hwrng throughput regression hwrng: geode - fix accessing registers RDMA/core: Use size_{add,sub,mul}() in calls to struct_size() crypto: qat - ignore subsequent state up commands crypto: qat - relocate bufferlist logic crypto: qat - rename bufferlist functions crypto: qat - change bufferlist logic interface crypto: qat - generalize crypto request buffers 
crypto: qat - extend buffer list interface crypto: qat - fix unregistration of crypto algorithms scsi: ibmvfc: Fix erroneous use of rtas_busy_delay with hcall return code libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value nd_btt: Make BTT lanes preemptible crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure crypto: caam/jr - fix Chacha20 + Poly1305 self test failure crypto: qat - increase size of buffers PCI: vmd: Correct PCI Header Type Register's multi-function check hid: cp2112: Fix duplicate workqueue initialization crypto: hisilicon/qm - delete redundant null assignment operations crypto: hisilicon/qm - modify the process of regs dfx crypto: hisilicon/qm - split a debugfs.c from qm crypto: hisilicon/qm - fix PF queue parameter issue ARM: 9321/1: memset: cast the constant byte to unsigned char ext4: move 'ix' sanity check to corrent position ASoC: fsl: mpc5200_dma.c: Fix warning of Function parameter or member not described IB/mlx5: Fix rdma counter binding for RAW QP RDMA/hns: Fix printing level of asynchronous events RDMA/hns: Fix uninitialized ucmd in hns_roce_create_qp_common() RDMA/hns: Fix signed-unsigned mixed comparisons RDMA/hns: Add check for SL RDMA/hns: The UD mode can only be configured with DCQCN ASoC: SOF: core: Ensure sof_ops_free() is still called when probe never ran. 
ASoC: fsl: Fix PM disable depth imbalance in fsl_easrc_probe scsi: ufs: core: Leave space for '\0' in utf8 desc string RDMA/hfi1: Workaround truncation compilation error HID: cp2112: Make irq_chip immutable hid: cp2112: Fix IRQ shutdown stopping polling for all IRQs on chip sh: bios: Revive earlyprintk support Revert "HID: logitech-hidpp: add a module parameter to keep firmware gestures" HID: logitech-hidpp: Remove HIDPP_QUIRK_NO_HIDINPUT quirk HID: logitech-hidpp: Don't restart IO, instead defer hid_connect() only HID: logitech-hidpp: Revert "Don't restart communication if not necessary" HID: logitech-hidpp: Move get_wireless_feature_index() check to hidpp_connect_event() ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails padata: Fix refcnt handling in padata_free_shell() crypto: qat - fix deadlock in backlog processing ASoC: ams-delta.c: use component after check IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF mfd: core: Un-constify mfd_cell.of_reg mfd: core: Ensure disabled devices are skipped without aborting mfd: dln2: Fix double put in dln2_probe dt-bindings: mfd: mt6397: Add binding for MT6357 dt-bindings: mfd: mt6397: Split out compatible for MediaTek MT6366 PMIC mfd: arizona-spi: Set pdata.hpdet_channel for ACPI enumerated devs leds: turris-omnia: Drop unnecessary mutex locking leds: turris-omnia: Do not use SMBUS calls leds: pwm: Don't disable the PWM when the LED should be off leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu' kunit: add macro to allow conditionally exposing static symbols to tests apparmor: test: make static symbols visible during kunit testing apparmor: fix invalid reference on profile->disconnected perf stat: Fix aggr mode initialization iio: frequency: adf4350: Use device managed functions and fix power down issue. 
perf kwork: Fix incorrect and missing free atom in work_push_atom() perf kwork: Add the supported subcommands to the document perf kwork: Set ordered_events to true in 'struct perf_tool' filemap: add filemap_get_folios_tag() f2fs: convert f2fs_write_cache_pages() to use filemap_get_folios_tag() f2fs: compress: fix deadloop in f2fs_write_cache_pages() f2fs: compress: fix to avoid use-after-free on dic f2fs: compress: fix to avoid redundant compress extension tty: tty_jobctrl: fix pid memleak in disassociate_ctty() livepatch: Fix missing newline character in klp_resolve_symbols() pinctrl: renesas: rzg2l: Make reverse order of enable() for disable() perf record: Fix BTF type checks in the off-cpu profiling dmaengine: idxd: Register dsa_bus_type before registering idxd sub-drivers usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency usb: chipidea: Fix DMA overwrite for Tegra usb: chipidea: Simplify Tegra DMA alignment code dmaengine: ti: edma: handle irq_of_parse_and_map() errors misc: st_core: Do not call kfree_skb() under spin_lock_irqsave() tools: iio: iio_generic_buffer ensure alignment USB: usbip: fix stub_dev hub disconnect dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc() f2fs: fix to initialize map.m_pblk in f2fs_precache_extents() interconnect: qcom: sc7180: Retire DEFINE_QBCM interconnect: qcom: sc7180: Set ACV enable_mask interconnect: qcom: sc7280: Set ACV enable_mask interconnect: qcom: sc8180x: Set ACV enable_mask interconnect: qcom: sc8280xp: Set ACV enable_mask interconnect: qcom: sdm845: Retire DEFINE_QBCM interconnect: qcom: sdm845: Set ACV enable_mask interconnect: qcom: sm6350: Retire DEFINE_QBCM interconnect: qcom: sm6350: Set ACV enable_mask interconnect: move ignore_list out of of_count_icc_providers() interconnect: qcom: sm8150: Drop IP0 interconnects interconnect: qcom: sm8150: Retire DEFINE_QBCM interconnect: qcom: sm8150: Set ACV enable_mask interconnect: qcom: sm8350: Retire DEFINE_QBCM 
interconnect: qcom: sm8350: Set ACV enable_mask powerpc: Only define __parse_fpscr() when required modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host modpost: fix ishtp MODULE_DEVICE_TABLE built on big-endian host powerpc/40x: Remove stale PTE_ATOMIC_UPDATES macro powerpc/xive: Fix endian conversion size powerpc/vas: Limit open window failure messages in log bufffer powerpc/imc-pmu: Use the correct spinlock initializer. powerpc/pseries: fix potential memory leak in init_cpu_associativity() xhci: Loosen RPM as default policy to cover for AMD xHC 1.1 usb: host: xhci-plat: fix possible kernel oops while resuming perf machine: Avoid out of bounds LBR memory read perf hist: Add missing puts to hist__account_cycles 9p/net: fix possible memory leak in p9_check_errors() i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs cxl/mem: Fix shutdown order crypto: ccp - Name -1 return value as SEV_RET_NO_FW_CALL x86/sev: Change snp_guest_issue_request()'s fw_err argument virt: sevguest: Fix passing a stack buffer as a scatterlist target rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call pcmcia: cs: fix possible hung task and memory leak pccardd() pcmcia: ds: fix refcount leak in pcmcia_device_add() pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() media: hantro: Check whether reset op is defined before use media: verisilicon: Do not enable G2 postproc downscale if source is narrower than destination media: ov5640: Drop dead code using frame_interval media: ov5640: fix vblank unchange issue when work at dvp mode media: i2c: max9286: Fix some redundant of_node_put() calls media: ov5640: Fix a memory leak when ov5640_probe fails media: bttv: fix use after free error due to btv->timeout timer media: amphion: handle firmware debug message media: mtk-jpegenc: Fix bug in JPEG encode quality selection media: s3c-camif: Avoid inappropriate kfree() media: vidtv: psi: Add check for kstrdup media: vidtv: mux: Add check and 
kfree for kstrdup media: cedrus: Fix clock/reset sequence media: cadence: csi2rx: Unregister v4l2 async notifier media: dvb-usb-v2: af9035: fix missing unlock media: cec: meson: always include meson sub-directory in Makefile regmap: prevent noinc writes from clobbering cache pwm: sti: Reduce number of allocations and drop usage of chip_data pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() watchdog: ixp4xx: Make sure restart always works llc: verify mac len before reading mac header hsr: Prevent use after free in prp_create_tagged_frame() tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING bpf: Check map->usercnt after timer->timer is assigned inet: shrink struct flowi_common octeontx2-pf: Fix error codes octeontx2-pf: Fix holes in error code net: page_pool: add missing free_percpu when page_pool_init fail dccp: Call security_inet_conn_request() after setting IPv4 addresses. dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 
net: r8169: Disable multicast filter for RTL8168H and RTL8107E Fix termination state for idr_for_each_entry_ul() net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs selftests: pmtu.sh: fix result checking octeontx2-pf: Rename tot_tx_queues to non_qos_queues octeontx2-pf: qos send queues management octeontx2-pf: Free pending and dropped SQEs net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT net/smc: allow cdc msg send rather than drop it with NULL sndbuf_desc net/smc: put sk reference if close work was canceled nvme: fix error-handling for io_uring nvme-passthrough tg3: power down device only on SYSTEM_POWER_OFF nbd: fix uaf in nbd_open blk-core: use pr_warn_ratelimited() in bio_check_ro() virtio/vsock: replace virtio_vsock_pkt with sk_buff vsock/virtio: remove socket from connected/bound list on shutdown r8169: respect userspace disabling IFF_MULTICAST i2c: iproc: handle invalid slave state netfilter: xt_recent: fix (increase) ipv6 literal buffer length netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate eval call-backs netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses RISC-V: Don't fail in riscv_of_parent_hartid() for disabled HARTs drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE ASoC: mediatek: mt8186_mt6366_rt1019_rt5682s: trivial: fix error messages ASoC: hdmi-codec: register hpd callback on component probe ASoC: dapm: fix clock get name spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies fbdev: imsttfb: Fix error path of imsttfb_probe() fbdev: imsttfb: fix a resource leak in probe fbdev: fsl-diu-fb: mark wr_reg_wa() static tracing/kprobes: Fix the order of argument descriptions io_uring/net: ensure socket is marked connected on connect retry x86/amd_nb: Use Family 19h Models 60h-7Fh Function 4 IDs Revert "mmc: core: Capture correct oemid-bits for eMMC cards" btrfs: use u64 for buffer sizes in the tree search ioctls wifi: cfg80211: fix kernel-doc for 
wiphy_delayed_work_flush() virtio/vsock: don't use skbuff state to account credit virtio/vsock: remove redundant 'skb_pull()' call virtio/vsock: don't drop skbuff on copy failure vsock/loopback: use only sk_buff_head.lock to protect the packet queue virtio/vsock: fix leaks due to missing skb owner virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt() virtio/vsock: fix header length on skb merging Linux 6.1.63 Change-Id: I87b7a539b11c90cfaf16edb07d613f74d54458a4 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Hou Tao
|
89d92e4fc5 |
bpf: Check map->usercnt after timer->timer is assigned
[ Upstream commit fd381ce60a2d79cc967506208085336d3d268ae0 ]
When there are concurrent uref release and bpf timer init operations,
the following sequence diagram is possible. It will break the guarantee
provided by bpf_timer: bpf_timer will still be alive after userspace
application releases or unpins the map. It also will lead to kmemleak
for old kernel version which doesn't release bpf_timer when map is
released.
bpf program X:
bpf_timer_init()
  lock timer->lock
    read timer->timer as NULL
    read map->usercnt != 0
                process Y:
                close(map_fd)
                  // put last uref
                  bpf_map_put_uref()
                    atomic_dec_and_test(map->usercnt)
                      array_map_free_timers()
                        bpf_timer_cancel_and_free()
                          // just return
                          read timer->timer is NULL
    t = bpf_map_kmalloc_node()
    timer->timer = t
  unlock timer->lock
Fix the problem by checking map->usercnt after timer->timer is assigned,
so when there are concurrent uref release and bpf timer init, either
bpf_timer_cancel_and_free() from uref release reads a no-NULL timer
or the newly-added atomic64_read() returns a zero usercnt.
Because atomic_dec_and_test(map->usercnt) and READ_ONCE(timer->timer)
in bpf_timer_cancel_and_free() are not protected by a lock, so add
a memory barrier to guarantee the order between map->usercnt and
timer->timer. Also use WRITE_ONCE(timer->timer, x) to match the lockless
read of timer->timer in bpf_timer_cancel_and_free().
Reported-by: Hsin-Wei Hung <hsinweih@uci.edu>
Closes: https://lore.kernel.org/bpf/CABcoxUaT2k9hWsS1tNgXyoU3E-=PuOgMn737qK984fbFmfYixQ@mail.gmail.com
Fixes:
|
||
Song Liu
|
1ca7bc1b08 |
bpf: Fix unnecessary -EBUSY from htab_lock_bucket
[ Upstream commit d35381aa73f7e1e8b25f3ed5283287a64d9ddff5 ]
htab_lock_bucket uses the following logic to avoid recursion:
1. preempt_disable();
2. check percpu counter htab->map_locked[hash] for recursion;
2.1. if map_lock[hash] is already taken, return -BUSY;
3. raw_spin_lock_irqsave();
However, if an IRQ hits between 2 and 3, BPF programs attached to the IRQ
logic will not be able to access the same hash of the hashtab and get -EBUSY.
This -EBUSY is not really necessary. Fix it by disabling IRQ before
checking map_locked:
1. preempt_disable();
2. local_irq_save();
3. check percpu counter htab->map_locked[hash] for recursion;
3.1. if map_lock[hash] is already taken, return -BUSY;
4. raw_spin_lock().
Similarly, use raw_spin_unlock() and local_irq_restore() in
htab_unlock_bucket().
Fixes:
|
||
Greg Kroah-Hartman
|
3858124ea0 |
This is the 6.1.59 stable release
Merge 6.1.59 into android14-6.1-lts Changes in 6.1.59 net: mana: Fix TX CQE error handling mptcp: fix delegated action races drm/i915: Don't set PIPE_CONTROL_FLUSH_L3 for aux inval RDMA/cxgb4: Check skb value for failure to allocate perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7 platform/x86: think-lmi: Fix reference leak platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent section mismatch warning scsi: Do not rescan devices with a suspended queue HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect quota: Fix slow quotaoff ASoC: amd: yc: Fix non-functional mic on Lenovo 82YM ata: libata-scsi: Disable scsi device manage_system_start_stop net: prevent address rewrite in kernel_bind() arm64: dts: qcom: sm8150: extend the size of the PDC resource dt-bindings: interrupt-controller: renesas,rzg2l-irqc: Update description for '#interrupt-cells' property irqchip: renesas-rzg2l: Fix logic to clear TINT interrupt source KEYS: trusted: Remove redundant static calls usage ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset ALSA: usb-audio: Fix microphone sound on Nexigo webcam.
ALSA: hda/realtek: Change model for Intel RVP board ASoC: SOF: amd: fix for firmware reload failure after playback ASoC: simple-card-utils: fixup simple_util_startup() error handling ASoC: Intel: soc-acpi: Add entry for HDMI_In capture support in MTL match table ASoC: Intel: sof_sdw: add support for SKU 0B14 ASoC: Intel: soc-acpi: Add entry for sof_es8336 in MTL match table. ASoC: Use of_property_read_bool() for boolean properties ASoC: fsl_sai: MCLK bind with TX/RX enable bit ASoC: fsl_sai: Don't disable bitclock for i.MX8MP ALSA: hda/realtek: Add quirk for HP Victus 16-d1xxx to enable mute LED ALSA: hda/realtek: Add quirk for mute LEDs on HP ENVY x360 15-eu0xxx ALSA: hda/realtek - ALC287 I2S speaker platform support ALSA: hda/realtek - ALC287 merge RTK codec with CS CS35L41 AMP pinctrl: nuvoton: wpcm450: fix out of bounds write drm/msm/dp: do not reinitialize phy unless retry during link training drm/msm/dsi: skip the wait for video mode done if not applicable drm/msm/dsi: fix irq_of_parse_and_map() error checking drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow drm/msm/dp: Add newlines to debug printks phy: lynx-28g: cancel the CDR check work item on the remove path phy: lynx-28g: lock PHY while performing CDR lock workaround phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers net: dsa: qca8k: fix potential MDIO bus conflict when accessing internal PHYs via management frames can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior can: sun4i_can: Only show Kconfig if ARCH_SUNXI is set arm64: dts: mediatek: mt8195: Set DSU PMU status to fail ravb: Fix up dma_free_coherent() call in ravb_remove() ravb: Fix use-after-free issue in ravb_tx_timeout_work() ieee802154: ca8210: Fix a potential UAF in ca8210_probe mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type xen-netback: use default TX queue size for vifs riscv, bpf: Factor out emit_call for kernel and bpf context riscv, bpf: Sign-extend return 
values drm/vmwgfx: fix typo of sizeof argument bpf: Fix verifier log for async callback return values net: refine debug info in skb_checksum_help() net: macsec: indicate next pn update when offloading net: phy: mscc: macsec: reject PN update requests net/mlx5e: macsec: use update_pn flag instead of PN comparation ixgbe: fix crash with empty VF macvlan list net/mlx5e: Again mutually exclude RX-FCS and RX-port-timestamp net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() net/smc: Fix pos miscalculation in statistics pinctrl: renesas: rzn1: Enable missing PINMUX nfc: nci: assert requested protocol is valid workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask() tcp: enforce receive buffer memory limits by allowing the tcp window to shrink dmaengine: stm32-mdma: abort resume if no ongoing transfer dmaengine: stm32-dma: fix stm32_dma_prep_slave_sg in case of MDMA chaining dmaengine: stm32-dma: fix residue in case of MDMA chaining dmaengine: stm32-mdma: use Link Address Register to compute residue dmaengine: stm32-mdma: set in_flight_bytes in case CRQA flag is set usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read usb: dwc3: Soft reset phy on probe for host usb: cdns3: Modify the return value of cdns_set_active () to void when CONFIG_PM_SLEEP is disabled usb: hub: Guard against accesses to uninitialized BOS descriptors usb: musb: Get the musb_qh poniter after musb_giveback usb: musb: Modify the "HWVers" register address iio: pressure: bmp280: Fix NULL pointer exception iio: imu: bno055: Fix missing Kconfig dependencies iio: adc: imx8qxp: Fix address for command buffer registers iio: dac: ad3552r: Correct device IDs iio: admv1013: add mixer_vgate corner cases iio: pressure: dps310: Adjust Timeout Settings iio: pressure: ms5611: ms5611_prom_is_valid false negative bug iio: addac: Kconfig: update ad74413r selections arm64: dts: mediatek: mt8195-demo: 
fix the memory size to 8GB arm64: dts: mediatek: mt8195-demo: update and reorder reserved memory regions drm/atomic-helper: relax unregistered connector check drm/amdgpu: add missing NULL check drm/amd/display: Don't set dpms_off for seamless boot ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA ACPI: EC: Add quirk for the HP Pavilion Gaming 15-dk1xxx ksmbd: not allow to open file if delelete on close bit is set perf/x86/lbr: Filter vsyscall addresses x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs mcb: remove is_added flag from mcb_device struct thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding thunderbolt: Restart XDomain discovery handshake after failure powerpc/47x: Fix 47x syscall return crash libceph: use kernel_connect() ceph: fix incorrect revoked caps assert in ceph_fill_file_size() ceph: fix type promotion bug on 32bit systems Input: powermate - fix use-after-free in powermate_config_complete Input: psmouse - fix fast_reconnect function for PS/2 mode Input: xpad - add PXN V900 support Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case tee: amdtee: fix use-after-free vulnerability in amdtee_close_session mctp: perform route lookups under a RCU read-side lock nfp: flower: avoid rmmod nfp crash issues usb: typec: ucsi: Use GET_CAPABILITY attributes data to set power supply scope cgroup: Remove duplicates in cgroup v1 tasks file dma-buf: add dma_fence_timestamp helper pinctrl: avoid unsafe code pattern in find_pinctrl() scsi: ufs: core: Correct clear TM error log counter: chrdev: fix getting array extensions counter: microchip-tcb-capture: Fix the use of internal GCLK logic usb: typec: altmodes/displayport: Signal hpd low when exiting mode usb: typec: ucsi: Clear EVENT_PENDING bit if ucsi_send_command fails usb: gadget: udc-xilinx: replace 
memcpy with memcpy_toio usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call usb: cdnsp: Fixes issue with dequeuing not queued requests x86/alternatives: Disable KASAN in apply_alternatives() dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq dmaengine: mediatek: Fix deadlock caused by synchronize_irq() powerpc/8xx: Fix pte_access_permitted() for PAGE_NONE powerpc/64e: Fix wrong test in __ptep_test_and_clear_young() ALSA: hda/realtek - Fixed two speaker platform Linux 6.1.59 Change-Id: Iaae6736993c003cc47f495f275591bbb924f986e Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
2950de8b2d |
Merge 6.1.56 into android14-6.1-lts
Changes in 6.1.56 NFS: Fix error handling for O_DIRECT write scheduling NFS: Fix O_DIRECT locking issues NFS: More O_DIRECT accounting fixes for error paths NFS: Use the correct commit info in nfs_join_page_group() NFS: More fixes for nfs_direct_write_reschedule_io() NFS/pNFS: Report EINVAL errors from connect() to the server SUNRPC: Mark the cred for revalidation if the server rejects it NFSv4.1: use EXCHGID4_FLAG_USE_PNFS_DS for DS server NFSv4.1: fix pnfs MDS=DS session trunking media: v4l: Use correct dependency for camera sensor drivers media: via: Use correct dependency for camera sensor drivers netfs: Only call folio_start_fscache() one time for each folio dm: fix a race condition in retrieve_deps btrfs: improve error message after failure to add delayed dir index item btrfs: remove BUG() after failure to insert delayed dir index item ext4: replace the traditional ternary conditional operator with with max()/min() ext4: move setting of trimmed bit into ext4_try_to_trim_range() ext4: do not let fstrim block system suspend netfilter: nf_tables: don't skip expired elements during walk netfilter: nf_tables: GC transaction API to avoid race with control plane netfilter: nf_tables: adapt set backend to use GC transaction API netfilter: nft_set_hash: mark set element as dead when deleting from packet path netfilter: nf_tables: remove busy mark and gc batch API netfilter: nf_tables: don't fail inserts if duplicate has expired netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path netfilter: nf_tables: GC transaction race with netns dismantle netfilter: nf_tables: GC transaction race with abort path netfilter: nf_tables: use correct lock to protect gc_list netfilter: nf_tables: defer gc run if previous batch is still pending netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in 
catchall GC netfilter: nft_set_pipapo: stop GC iteration if GC transaction allocation fails netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration netfilter: nf_tables: fix memleak when more than 255 elements expired ASoC: meson: spdifin: start hw on dai probe netfilter: nf_tables: disallow element removal on anonymous sets bpf: Avoid deadlock when using queue and stack maps from NMI ASoC: rt5640: Revert "Fix sleep in atomic context" ASoC: rt5640: Fix IRQ not being free-ed for HDA jack detect mode ALSA: hda/realtek: Splitting the UX3402 into two separate models netfilter: conntrack: fix extension size table selftests: tls: swap the TX and RX sockets in some tests net/core: Fix ETH_P_1588 flow dissector ASoC: hdaudio.c: Add missing check for devm_kstrdup ASoC: imx-audmix: Fix return error with devm_clk_get() octeon_ep: fix tx dma unmap len values in SG iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set ASoC: SOF: core: Only call sof_ops_free() on remove if the probe was successful iavf: add iavf_schedule_aq_request() helper iavf: schedule a request immediately after add/delete vlan i40e: Fix VF VLAN offloading when port VLAN is configured netfilter, bpf: Adjust timeouts of non-confirmed CTs in bpf_ct_insert_entry() ionic: fix 16bit math issue when PAGE_SIZE >= 64KB igc: Fix infinite initialization loop with early XDP redirect ipv4: fix null-deref in ipv4_link_failure scsi: iscsi_tcp: restrict to TCP sockets powerpc/perf/hv-24x7: Update domain value check dccp: fix dccp_v4_err()/dccp_v6_err() again x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer() net: hsr: Properly parse HSRv1 supervisor frames. 
platform/x86: intel_scu_ipc: Check status after timeout in busy_loop() platform/x86: intel_scu_ipc: Check status upon timeout in ipc_wait_for_interrupt() platform/x86: intel_scu_ipc: Don't override scu in intel_scu_ipc_dev_simple_command() platform/x86: intel_scu_ipc: Fail IPC send if still busy x86/srso: Fix srso_show_state() side effect x86/srso: Fix SBPB enablement for spec_rstack_overflow=off net: hns3: add cmdq check for vf periodic service task net: hns3: fix GRE checksum offload issue net: hns3: only enable unicast promisc when mac table full net: hns3: fix fail to delete tc flower rules during reset issue net: hns3: add 5ms delay before clear firmware reset irq source net: bridge: use DEV_STATS_INC() team: fix null-ptr-deref when team device type is changed net: rds: Fix possible NULL-pointer dereference netfilter: nf_tables: disable toggling dormant table state more than once netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP i915/pmu: Move execlist stats initialization to execlist specific setup locking/seqlock: Do the lockdep annotation before locking in do_write_seqcount_begin_nested() net: ena: Flush XDP packets on error. bnxt_en: Flush XDP for bnxt_poll_nitroa0()'s NAPI octeontx2-pf: Do xdp_do_flush() after redirects. 
igc: Expose tx-usecs coalesce setting to user proc: nommu: /proc/<pid>/maps: release mmap read lock proc: nommu: fix empty /proc/<pid>/maps cifs: Fix UAF in cifs_demultiplex_thread() gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() i2c: mux: gpio: Add missing fwnode_handle_put() i2c: xiic: Correct return value check for xiic_reinit() ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2 ARM: dts: samsung: exynos4210-i9100: Fix LCD screen's physical size ARM: dts: qcom: msm8974pro-castor: correct inverted X of touchscreen ARM: dts: qcom: msm8974pro-castor: correct touchscreen function names ARM: dts: qcom: msm8974pro-castor: correct touchscreen syna,nosleep-mode f2fs: optimize iteration over sparse directories f2fs: get out of a repeat loop when getting a locked data page s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_CLR2SECK2 IOCTL arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved wifi: ath11k: fix tx status reporting in encap offload mode wifi: ath11k: Cleanup mac80211 references on failure during tx_complete scsi: qla2xxx: Select qpair depending on which CPU post_cmd() gets called scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id() drm/amdkfd: Flush TLB after unmapping for GFX v9.4.3 drm/amdkfd: Insert missing TLB flush on GFX10 and later btrfs: reset destination buffer when read_extent_buffer() gets invalid range vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent() MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled spi: spi-gxp: BUG: Correct spi write return value drm/bridge: ti-sn65dsi83: Do not generate HFP/HBP/HSA and EOT packet bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset() bus: ti-sysc: Fix missing AM35xx SoC matching firmware: arm_scmi: Harden perf domain info access firmware: arm_scmi: Fixup perf power-cost/microwatt support power: supply: mt6370: Fix missing error 
code in mt6370_chg_toggle_cfo() clk: sprd: Fix thm_parents incorrect configuration clk: tegra: fix error return case for recalc_rate ARM: dts: omap: correct indentation ARM: dts: ti: omap: Fix bandgap thermal cells addressing for omap3/4 ARM: dts: Unify pwm-omap-dmtimer node names ARM: dts: Unify pinctrl-single pin group nodes for omap4 ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up power: supply: ucs1002: fix error code in ucs1002_get_property() firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels() xtensa: add default definition for XCHAL_HAVE_DIV32 xtensa: iss/network: make functions static xtensa: boot: don't add include-dirs xtensa: umulsidi3: fix conditional expression xtensa: boot/lib: fix function prototypes power: supply: rk817: Fix node refcount leak selftests/powerpc: Use CLEAN macro to fix make warning selftests/powerpc: Pass make context to children selftests/powerpc: Fix emit_tests to work with run_kselftest.sh soc: imx8m: Enable OCOTP clock for imx8mm before reading registers arm64: dts: imx: Add imx8mm-prt8mm.dtb to build firmware: arm_ffa: Don't set the memory region attributes for MEM_LEND gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip i2c: npcm7xx: Fix callback completion ordering x86/reboot: VMCLEAR active VMCSes before emergency reboot ceph: drop messages from MDS when unmounting dma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock bpf: Annotate bpf_long_memcpy with data_race spi: sun6i: reduce DMA RX transfer width to single byte spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() parisc: sba: Fix compile warning wrt list of SBA devices parisc: iosapic.c: Fix sparse warnings parisc: drivers: Fix sparse warning parisc: irq: Make irq_stack_union static to avoid sparse warning scsi: qedf: Add synchronization 
between I/O completions and abort scsi: ufs: core: Move __ufshcd_send_uic_cmd() outside host_lock scsi: ufs: core: Poll HCS.UCRDY before issuing a UIC command selftests/ftrace: Correctly enable event in instance-event.tc ring-buffer: Avoid softlockup in ring_buffer_resize() btrfs: assert delayed node locked when removing delayed item selftests: fix dependency checker script ring-buffer: Do not attempt to read past "commit" net/smc: bugfix for smcr v2 server connect success statistic ata: sata_mv: Fix incorrect string length computation in mv_dump_mem() platform/mellanox: mlxbf-bootctl: add NET dependency into Kconfig platform/x86: asus-wmi: Support 2023 ROG X16 tablet mode thermal/of: add missing of_node_put() drm/amd/display: Don't check registers, if using AUX BL control drm/amdgpu/soc21: don't remap HDP registers for SR-IOV drm/amdgpu/nbio4.3: set proper rmmio_remap.reg_offset for SR-IOV drm/amdgpu: Handle null atom context in VBIOS info ioctl riscv: errata: fix T-Head dcache.cva encoding scsi: pm80xx: Use phy-specific SAS address when sending PHY_START command scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command smb3: correct places where ENOTSUPP is used instead of preferred EOPNOTSUPP ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset() spi: nxp-fspi: reset the FLSHxCR1 registers spi: stm32: add a delay before SPI disable ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag spi: intel-pci: Add support for Granite Rapids SPI serial flash bpf: Clarify error expectations from bpf_clone_redirect ALSA: hda: intel-sdw-acpi: Use u8 type for link index ASoC: cs42l42: Ensure a reset pulse meets minimum pulse width. 
ASoC: cs42l42: Don't rely on GPIOD_OUT_LOW to set RESET initially low firmware: cirrus: cs_dsp: Only log list of algorithms in debug build memblock tests: fix warning: "__ALIGN_KERNEL" redefined memblock tests: fix warning ‘struct seq_file’ declared inside parameter list ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link media: vb2: frame_vector.c: replace WARN_ONCE with a comment NFSv4.1: fix zero value filehandle in post open getattr ASoC: SOF: Intel: MTL: Reduce the DSP init timeout powerpc/watchpoints: Disable preemption in thread_change_pc() powerpc/watchpoint: Disable pagefaults when getting user instruction powerpc/watchpoints: Annotate atomic context in more places ncsi: Propagate carrier gain/loss events to the NCSI controller net: hsr: Add __packed to struct hsr_sup_tlv. tsnep: Fix NAPI scheduling tsnep: Fix NAPI polling with budget 0 LoongArch: Set all reserved memblocks on Node#0 at initialization fbdev/sh7760fb: Depend on FB=y perf build: Define YYNOMEM as YYNOABORT for bison < 3.81 nvme-pci: factor the iod mempool creation into a helper nvme-pci: factor out a nvme_pci_alloc_dev helper nvme-pci: do not set the NUMA node of device if it has none wifi: ath11k: Don't drop tx_status when peer cannot be found scsi: qla2xxx: Fix NULL pointer dereference in target mode nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev smack: Record transmuting in smk_transmuted smack: Retrieve transmuting information in smack_inode_getsecurity() iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range x86/sgx: Resolves SECS reclaim vs. 
page fault for EAUG race x86/srso: Add SRSO mitigation for Hygon processors KVM: SVM: INTERCEPT_RDTSCP is never intercepted anyway KVM: SVM: Fix TSC_AUX virtualization setup KVM: x86/mmu: Open code leaf invalidation from mmu_notifier KVM: x86/mmu: Do not filter address spaces in for_each_tdp_mmu_root_yield_safe() mptcp: fix bogus receive window shrinkage with multiple subflows misc: rtsx: Fix some platforms can not boot and move the l1ss judgment to probe Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" serial: 8250_port: Check IRQ data before use nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() netfilter: nf_tables: disallow rule removal from chain binding ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q LoongArch: Define relocation types for ABI v2.10 LoongArch: numa: Fix high_memory calculation ata: libata-scsi: link ata port and scsi device ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES io_uring/fs: remove sqe->rw_flags checking from LINKAT i2c: i801: unregister tco_pdev in i801_probe() error path ASoC: amd: yc: Fix non-functional mic on Lenovo 82QF and 82UG kernel/sched: Modify initial boot task idle setup sched/rt: Fix live lock between select_fallback_rq() and RT push netfilter: nf_tables: fix kdoc warnings after gc rework Revert "SUNRPC dont update timeout value on connection reset" timers: Tag (hr)timer softirq as hotplug safe drm/tests: Fix incorrect argument in drm_test_mm_insert_range arm64: defconfig: remove CONFIG_COMMON_CLK_NPCM8XX=y mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions() mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy() mm: memcontrol: fix GFP_NOFS recursion in memory.high enforcement ring-buffer: Update "shortest_full" in polling btrfs: properly report 0 avail for very full file systems media: uvcvideo: Fix OOB read bpf: Add override check to kprobe multi link attach bpf: Fix BTF_ID symbol generation 
collision bpf: Fix BTF_ID symbol generation collision in tools/ net: thunderbolt: Fix TCPv6 GSO checksum calculation fs/smb/client: Reset password pointer to NULL ata: libata-core: Fix ata_port_request_pm() locking ata: libata-core: Fix port and device removal ata: libata-core: Do not register PM operations for SAS ports ata: libata-sata: increase PMP SRST timeout to 10s drm/i915/gt: Fix reservation address in ggtt_reserve_guc_top power: supply: rk817: Add missing module alias power: supply: ab8500: Set typing and props fs: binfmt_elf_efpic: fix personality for ELF-FDPIC drm/amdkfd: Use gpu_offset for user queue's wptr drm/meson: fix memory leak on ->hpd_notify callback memcg: drop kmem.limit_in_bytes mm, memcg: reconsider kmem.limit_in_bytes deprecation ASoC: amd: yc: Fix a non-functional mic on Lenovo 82TL Linux 6.1.56 Change-Id: Id110614d91d6d60fb6c7622c5af82f219a84a30f Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
David Vernet
|
30ca523f28 |
bpf: Fix verifier log for async callback return values
[ Upstream commit 829955981c557c7fc7416581c4cd68a8a0c28620 ]
The verifier, as part of check_return_code(), verifies that async
callbacks such as from e.g. timers, will return 0. It does this by
correctly checking that R0->var_off is in tnum_const(0), which
effectively checks that it's in a range of 0. If this condition fails,
however, it prints an error message which says that the value should
have been in (0x0; 0x1). This results in possibly confusing output such
as the following in which an async callback returns 1:
At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x1)
The fix is easy -- we should just pass the tnum_const(0) as the correct
range to verbose_invalid_scalar(), which will then print the following:
At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x0)
Fixes:
|
||
Greg Kroah-Hartman
|
4f94769349 |
This is the 6.1.54 stable release
Merge 6.1.54 into android14-6.1-lts Changes in 6.1.54 net/ipv6: SKB symmetric hash should incorporate transport ports mm: multi-gen LRU: rename lrugen->lists[] to lrugen->folios[] Multi-gen LRU: fix per-zone reclaim io_uring: always lock in io_apoll_task_func io_uring: revert "io_uring fix multishot accept ordering" io_uring/net: don't overflow multishot accept io_uring: break out of iowq iopoll on teardown io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used io_uring: Don't set affinity on a dying sqpoll thread drm/virtio: Conditionally allocate virtio_gpu_fence scsi: qla2xxx: Adjust IOCB resource on qpair create scsi: qla2xxx: Limit TMF to 8 per function scsi: qla2xxx: Fix deletion race condition scsi: qla2xxx: fix inconsistent TMF timeout scsi: qla2xxx: Fix command flush during TMF scsi: qla2xxx: Fix erroneous link up failure scsi: qla2xxx: Turn off noisy message log scsi: qla2xxx: Fix session hang in gnl scsi: qla2xxx: Fix TMF leak through scsi: qla2xxx: Remove unsupported ql2xenabledif option scsi: qla2xxx: Flush mailbox commands on chip reset scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() scsi: qla2xxx: Error code did 
not return to upper layer scsi: qla2xxx: Fix firmware resource tracking null_blk: fix poll request timeout handling fbdev/ep93xx-fb: Do not assign to struct fb_info.dev clk: qcom: camcc-sc7180: fix async resume during probe drm/ast: Fix DRAM init on AST2200 ASoC: tegra: Fix SFC conversion for few rates clk: qcom: turingcc-qcs404: fix missing resume during probe arm64: dts: renesas: rzg2l: Fix txdv-skew-psec typos send channel sequence number in SMB3 requests after reconnects memcg: drop kmem.limit_in_bytes mm: hugetlb_vmemmap: fix a race between vmemmap pmd split lib/test_meminit: allocate pages up to order MAX_ORDER parisc: led: Fix LAN receive and transmit LEDs parisc: led: Reduce CPU overhead for disk & lan LED computation cifs: update desired access while requesting for directory lease pinctrl: cherryview: fix address_space_handler() argument dt-bindings: clock: xlnx,versal-clk: drop select:false clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz clk: imx: pll14xx: align pdiv with reference manual clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock soc: qcom: qmi_encdec: Restrict string length in decode clk: qcom: dispcc-sm8450: fix runtime PM imbalance on probe errors clk: qcom: lpasscc-sc7280: fix missing resume during probe clk: qcom: q6sstop-qcs404: fix missing resume during probe clk: qcom: mss-sc7180: fix missing resume during probe NFS: Fix a potential data corruption NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info bus: mhi: host: Skip MHI reset if device is in RDDM net: add SKB_HEAD_ALIGN() helper net: remove osize variable in __alloc_skb() net: factorize code in kmalloc_reserve() net: deal with integer overflows in kmalloc_reserve() kbuild: rpm-pkg: define _arch conditionally kbuild: do not run depmod for 'make modules_sign' tpm_crb: Fix an error handling path in crb_acpi_add() gfs2: Switch to wait_event in gfs2_logd gfs2: low-memory forced flush fixes mailbox: qcom-ipcc: fix incorrect num_chans counting 
kconfig: fix possible buffer overflow Input: iqs7222 - configure power mode before triggering ATI perf trace: Use zfree() to reduce chances of use after free perf trace: Really free the evsel->priv area pwm: atmel-tcb: Convert to platform remove callback returning void pwm: atmel-tcb: Harmonize resource allocation order pwm: atmel-tcb: Fix resource freeing in error path and remove backlight: gpio_backlight: Drop output GPIO direction check for initial power state Input: tca6416-keypad - always expect proper IRQ number in i2c client Input: tca6416-keypad - fix interrupt enable disbalance perf annotate bpf: Don't enclose non-debug code with an assert() x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm() perf vendor events: Update the JSON/events descriptions for power10 platform perf vendor events: Drop some of the JSON/events for power10 platform perf vendor events: Drop STORES_PER_INST metric event for power10 platform perf top: Don't pass an ERR_PTR() directly to perf_session__delete() watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load pwm: lpc32xx: Remove handling of PWM channels perf test stat_bpf_counters_cgrp: Fix shellcheck issue about logical operators perf test stat_bpf_counters_cgrp: Enhance perf stat cgroup BPF counter test drm/i915: mark requests for GuC virtual engines to avoid use-after-free blk-throttle: use calculate_io/bytes_allowed() for throtl_trim_slice() blk-throttle: consider 'carryover_ios/bytes' in throtl_trim_slice() cifs: use fs_context for automounts smb: propagate error code of extract_sharename() net/sched: fq_pie: avoid stalls in fq_pie_timer() sctp: annotate data-races around sk->sk_wmem_queued ipv4: annotate data-races around fi->fib_dead net: read sk->sk_family once in sk_mc_loop() net: fib: avoid warn splat in flow dissector xsk: Fix xsk_diag use-after-free error during socket cleanup drm/i915/gvt: Verify pfn is "valid" before dereferencing "struct page" drm/i915/gvt: Put the page reference obtained 
by KVM's gfn_to_pfn() drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() net: use sk_forward_alloc_get() in sk_get_meminfo() net: annotate data-races around sk->sk_forward_alloc mptcp: annotate data-races around msk->rmem_fwd_alloc ipv4: ignore dst hint for multipath routes ipv6: ignore dst hint for multipath routes igb: disable virtualization features on 82580 gve: fix frag_list chaining veth: Fixing transmit return status for dropped packets net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr net: phy: micrel: Correct bit assignments for phy_device flags bpf, sockmap: Fix skb refcnt race after locking changes af_unix: Fix data-races around user->unix_inflight. af_unix: Fix data-race around unix_tot_inflight. af_unix: Fix data-races around sk->sk_shutdown. af_unix: Fix data race around sk->sk_err. net: sched: sch_qfq: Fix UAF in qfq_dequeue() kcm: Destroy mutex in kcm_exit_net() octeontx2-af: Fix truncation of smq in CN10K NIX AQ enqueue mbox handler igc: Change IGC_MIN to allow set rx/tx value between 64 and 80 igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 s390/zcrypt: don't leak memory if dev_set_name() fails idr: fix param name in idr_alloc_cyclic() doc ip_tunnels: use DEV_STATS_INC() net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software and offload net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too many times net: dsa: sja1105: complete tc-cbs offload support on SJA1110 bpf: Remove prog->active check for bpf_lsm and bpf_iter bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in kern_sys_bpf(). bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check. 
netfilter: nftables: exthdr: fix 4-byte stack OOB write netfilter: nfnetlink_osf: avoid OOB read net: hns3: fix tx timeout issue net: hns3: fix byte order conversion issue in hclge_dbg_fd_tcam_read() net: hns3: fix debugfs concurrency issue between kfree buffer and read net: hns3: fix invalid mutex between tc qdisc and dcb ets command issue net: hns3: fix the port information display when sfp is absent net: hns3: remove GSO partial feature bit sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory() Multi-gen LRU: avoid race in inc_min_seq() net/mlx5: Free IRQ rmap and notifier on kernel shutdown ARC: atomics: Add compiler barrier to atomic operations... clocksource/drivers/arm_arch_timer: Disable timer before programming CVAL dmaengine: sh: rz-dmac: Fix destination and source data size setting jbd2: fix checkpoint cleanup performance regression jbd2: check 'jh->b_transaction' before removing it from checkpoint jbd2: correct the end of the journal recovery scan range ext4: add correct group descriptors and reserved GDT blocks to system zone ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} f2fs: flush inode if atomic file is aborted f2fs: avoid false alarm of circular locking lib: test_scanf: Add explicit type cast to result initialization in test_number_prefix() hwspinlock: qcom: add missing regmap config for SFPB MMIO implementation ata: ahci: Add Elkhart Lake AHCI controller ata: pata_falcon: fix IO base selection for Q40 ata: sata_gemini: Add missing MODULE_DESCRIPTION ata: pata_ftide010: Add missing MODULE_DESCRIPTION fuse: nlookup missing decrement in fuse_direntplus_link btrfs: zoned: do not zone finish data relocation block group btrfs: fix start transaction qgroup rsv double free btrfs: free qgroup rsv on io failure btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART btrfs: set page extent mapped after read_folio in relocate_one_page btrfs: zoned: re-enable metadata over-commit for zoned mode btrfs: use the 
correct superblock to compare fsid in btrfs_validate_super drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable() mtd: rawnand: brcmnand: Fix crash during the panic_write mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write mtd: spi-nor: Correct flags for Winbond w25q128 mtd: rawnand: brcmnand: Fix potential false time out warning mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma drm/amd/display: prevent potential division by zero errors KVM: SVM: Take and hold ir_list_lock when updating vCPU's Physical ID entry KVM: SVM: Don't inject #UD if KVM attempts to skip SEV guest insn KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration KVM: nSVM: Check instead of asserting on nested TSC scaling support KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state KVM: SVM: Set target pCPU during IRTE update if target vCPU is running KVM: SVM: Skip VMSA init in sev_es_init_vmcb() if pointer is NULL MIPS: Fix CONFIG_CPU_DADDI_WORKAROUNDS `modules_install' regression perf hists browser: Fix hierarchy mode header perf test shell stat_bpf_counters: Fix test on Intel perf tools: Handle old data in PERF_RECORD_ATTR perf hists browser: Fix the number of entries for 'e' key drm/amd/display: always switch off ODM before committing more streams drm/amd/display: Remove wait while locked drm/amdgpu: register a dirty framebuffer callback for fbcon kunit: Fix wild-memory-access bug in kunit_free_suite_set() net: ipv4: fix one memleak in __inet_del_ifa() kselftest/runner.sh: Propagate SIGTERM to runner child selftests: Keep symlinks, when possible net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add net: stmmac: fix handling of zero coalescing tx-usecs net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc() net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in 
mtk_hwlro_get_fdir_all() hsr: Fix uninit-value access in fill_frame_info() net: ethernet: adi: adin1110: use eth_broadcast_addr() to assign broadcast address net:ethernet:adi:adin1110: Fix forwarding offload net: dsa: sja1105: hide all multicast addresses from "bridge fdb show" net: dsa: sja1105: propagate exact error code from sja1105_dynamic_config_poll_valid() net: dsa: sja1105: fix multicast forwarding working only for last added mdb entry net: dsa: sja1105: serialize sja1105_port_mcast_flood() with other FDB accesses net: dsa: sja1105: block FDB accesses that are concurrent with a switch reset r8152: check budget for r8152_poll() kcm: Fix memory leak in error path of kcm_sendmsg() platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors platform/mellanox: mlxbf-tmfifo: Drop jumbo frames platform/mellanox: mlxbf-pmc: Fix potential buffer overflows platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events platform/mellanox: NVSW_SN2201 should depend on ACPI net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() net: macb: Enable PTP unicast net: macb: fix sleep inside spinlock ipv6: fix ip6_sock_set_addr_preferences() typo ipv6: Remove in6addr_any alternatives. tcp: Factorise sk_family-independent comparison in inet_bind2_bucket_match(_addr_any). tcp: Fix bind() regression for v4-mapped-v6 wildcard address. tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address. ixgbe: fix timestamp configuration code kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). MIPS: Only fiddle with CHECKFLAGS if `need-compiler' drm/amd/display: Fix a bug when searching for insert_above_mpcc Linux 6.1.54 Change-Id: I42dc80e7b812eb2bdd28575280b7b88169eb6d58 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Toke Høiland-Jørgensen
|
e388671635 |
bpf: Avoid deadlock when using queue and stack maps from NMI
[ Upstream commit a34a9f1a19afe9c60ca0ea61dfeee63a1c2baac8 ]
Sysbot discovered that the queue and stack maps can deadlock if they are
being used from a BPF program that can be called from NMI context (such as
one that is attached to a perf HW counter event). To fix this, add an
in_nmi() check and use raw_spin_trylock() in NMI context, erroring out if
grabbing the lock fails.
Fixes:
|
||
Sebastian Andrzej Siewior
|
6cf0d1d5a5 |
bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check.
[ Upstream commit 6764e767f4af1e35f87f3497e1182d945de37f93 ]
__bpf_prog_enter_recur() assigns bpf_tramp_run_ctx::saved_run_ctx before
performing the recursion check which means in case of a recursion
__bpf_prog_exit_recur() uses the previously set bpf_tramp_run_ctx::saved_run_ctx
value.
__bpf_prog_enter_sleepable_recur() assigns bpf_tramp_run_ctx::saved_run_ctx
after the recursion check which means in case of a recursion
__bpf_prog_exit_sleepable_recur() uses an uninitialized value. This does not
look right. If I read the entry trampoline code right, then bpf_tramp_run_ctx
isn't initialized upfront.
Align __bpf_prog_enter_sleepable_recur() with __bpf_prog_enter_recur() and
set bpf_tramp_run_ctx::saved_run_ctx before the recursion check is made.
Remove the assignment of saved_run_ctx in kern_sys_bpf() since it happens
a few cycles later.
Fixes:
|
||
Sebastian Andrzej Siewior
|
04f92e67b3 |
bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in kern_sys_bpf().
[ Upstream commit 7645629f7dc88cd777f98970134bf1a54c8d77e3 ]
If __bpf_prog_enter_sleepable_recur() detects recursion then it returns
0 without undoing rcu_read_lock_trace(), migrate_disable() or
decrementing the recursion counter. This is fine in the JIT case because
the JIT code will jump in the 0 case to the end and invoke the matching
exit trampoline (__bpf_prog_exit_sleepable_recur()).
This is not the case in kern_sys_bpf() which returns directly to the
caller with an error code.
Add __bpf_prog_exit_sleepable_recur() as clean up in the recursion case.
Fixes:
|