lineage-22.1
11880 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Greg Kroah-Hartman
|
a7462d7032 |
ANDROID: ABI fixup for abi break in struct dst_ops
In commit 92f1655aa2b2 ("net: fix __dst_negative_advice() race") the struct dst_ops callback negative_advice changes function parameters. But as this pointer is part of a structure that is tracked in the ABI checker, the tool triggers when this is changed.
However, the callback pointer is internal to the networking stack, so changing the function type is safe, so needing to preserve this is not required. To do so, switch the function pointer type back to the old one so that the checking tools pass, AND then do a hard cast of the function pointer to the new type when assigning and calling the function.
[6.1.y backport note, work around --Werror=cast-function-type issue by abusing void * for function pointer types, despite its best effort, C still lets us shoot our foot off if we really want to!]
Bug: 343727534
Fixes: 92f1655aa2b2 ("net: fix __dst_negative_advice() race")
Change-Id: I48d4ab4bbd29f8edc8fbd7923828b7f78a23e12e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Eric Dumazet
|
bd2bcb81d4 |
BACKPORT: net: fix __dst_negative_advice() race
__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.
RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).
Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.
Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.
Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.
Many thanks to Clement Lecigne for tracking this issue.
This old bug became visible after the blamed commit, using UDP sockets.
Bug: 343727534
Fixes:
|
||
Greg Kroah-Hartman
|
0e5af42a0a |
Merge 6.1.78 into android14-6.1-lts
Changes in 6.1.78 ext4: regenerate buddy after block freeing failed if under fc replay dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools dmaengine: ti: k3-udma: Report short packet errors dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA phy: renesas: rcar-gen3-usb2: Fix returning wrong error code dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP cifs: failure to add channel on iface should bump up weight drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup net: stmmac: xgmac: fix handling of DPP safety error for DMA channels wifi: mac80211: fix waiting for beacons logic netdevsim: avoid potential loop in nsim_dev_trap_report_work() net: atlantic: Fix DMA mapping for PTP hwts ring selftests: net: cut more slack for gro fwd tests. selftests: net: avoid just another constant wait tunnels: fix out of bounds access when building IPv6 PMTU error atm: idt77252: fix a memleak in open_card_ubr0 octeontx2-pf: Fix a memleak otx2_sq_init hwmon: (aspeed-pwm-tacho) mutex for tach reading hwmon: (coretemp) Fix out-of-bounds memory access hwmon: (coretemp) Fix bogus core_id to attr name mapping inet: read sk->sk_family once in inet_recv_error() drm/i915/gvt: Fix uninitialized variable in handle_mmio() rxrpc: Fix response to PING RESPONSE ACKs to a dead call tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. 
ppp_async: limit MRU to 64K selftests: cmsg_ipv6: repeat the exact packet netfilter: nft_compat: narrow down revision to unsigned 8-bits netfilter: nft_compat: reject unused compat flag netfilter: nft_compat: restrict match/target protocol to u16 drm/amd/display: Implement bounds check for stream encoder creation in DCN301 netfilter: nft_ct: reject direction for ct id netfilter: nft_set_pipapo: store index in scratch maps netfilter: nft_set_pipapo: add helper to release pcpu scratch area netfilter: nft_set_pipapo: remove scratch_aligned pointer fs/ntfs3: Fix an NULL dereference bug scsi: core: Move scsi_host_busy() out of host lock if it is for per-command blk-iocost: Fix an UBSAN shift-out-of-bounds warning fs: dlm: don't put dlm_local_addrs on heap mtd: parsers: ofpart: add workaround for #size-cells 0 ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter ALSA: usb-audio: add quirk for RODE NT-USB+ USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e USB: serial: option: add Fibocom FM101-GL variant USB: serial: cp210x: add ID for IMST iM871A-USB usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK hrtimer: Report offline hrtimer enqueue Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers Revert "ASoC: amd: Add new dmi entries for acp5x platform" vhost: use kzalloc() instead of kmalloc() followed by memset() RDMA/irdma: Fix support for 64k pages f2fs: add helper to check compression level block: treat poll queue enter similarly to timeouts clocksource: Skip watchdog check for large watchdog intervals net: stmmac: xgmac: use #define for string constants ALSA: usb-audio: Sort quirk table entries net: stmmac: xgmac: fix a typo of register name in DPP safety handling 
netfilter: nft_set_rbtree: skip end interval element from gc Linux 6.1.78 Change-Id: Iba16875d4cb88deffea077cf69495f9fe447ea23 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
20b90d46a0 |
Merge 6.1.77 into android14-6.1-lts
Changes in 6.1.77 asm-generic: make sparse happy with odd-sized put_unaligned_*() powerpc/mm: Fix null-pointer dereference in pgtable_cache_add arm64: irq: set the correct node for VMAP stack drivers/perf: pmuv3: don't expose SW_INCR event in sysfs powerpc: Fix build error due to is_valid_bugaddr() powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() powerpc/64s: Fix CONFIG_NUMA=n build due to create_section_mapping() x86/boot: Ignore NMIs during very early boot powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE powerpc/lib: Validate size for vector operations x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file debugobjects: Stop accessing objects after releasing hash bucket lock regulator: core: Only increment use_count when enable_count changes audit: Send netlink ACK before setting connection in auditd_set ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop PNP: ACPI: fix fortify warning ACPI: extlog: fix NULL pointer dereference check ACPI: NUMA: Fix the logic of getting the fake_pxm value PM / devfreq: Synchronize devfreq_monitor_[start/stop] ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on synchronous events FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree UBSAN: array-index-out-of-bounds in dtSplitRoot jfs: fix slab-out-of-bounds Read in dtSearch jfs: fix array-index-out-of-bounds in dbAdjTree jfs: fix uaf in jfs_evict_inode pstore/ram: Fix crash when setting number of cpus to an odd number crypto: octeontx2 - Fix cptvf driver cleanup erofs: fix ztailpacking for subpage compressed blocks crypto: stm32/crc32 - fix parsing list of devices afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu() afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() jfs: fix array-index-out-of-bounds in 
diNewExt arch: consolidate arch_irq_work_raise prototypes s390/vfio-ap: fix sysfs status attribute for AP queue devices s390/ptrace: handle setting of fpc register correctly KVM: s390: fix setting of fpc register SUNRPC: Fix a suspicious RCU usage warning ecryptfs: Reject casefold directory inodes ext4: fix inconsistent between segment fstrim and full fstrim ext4: unify the type of flexbg_size to unsigned int ext4: remove unnecessary check from alloc_flex_gd() ext4: avoid online resizing failures due to oversized flex bg wifi: rt2x00: restart beacon queue when hardware reset selftests/bpf: satisfy compiler by having explicit return in btf test selftests/bpf: Fix pyperf180 compilation failure with clang18 wifi: rt2x00: correct wrong BBP register in RxDCOC calibration selftests/bpf: Fix issues in setup_classid_environment() soc: xilinx: Fix for call trace due to the usage of smp_processor_id() soc: xilinx: fix unhandled SGI warning message scsi: lpfc: Fix possible file string name overflow when updating firmware PCI: Add no PM reset quirk for NVIDIA Spectrum devices bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk net: usb: ax88179_178a: avoid two consecutive device resets scsi: mpi3mr: Add PCI checks where SAS5116 diverges from SAS4116 scsi: arcmsr: Support new PCI device IDs 1883 and 1886 ARM: dts: imx7d: Fix coresight funnel ports ARM: dts: imx7s: Fix lcdif compatible ARM: dts: imx7s: Fix nand-controller #size-cells wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() wifi: ath11k: fix race due to setting ATH11K_FLAG_EXT_IRQ_ENABLED too early bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers scsi: libfc: Don't schedule abort twice scsi: libfc: Fix up timeout error in fc_fcp_rec_error() bpf: Set uattr->batch.count as zero before batched update or deletion wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap() ARM: dts: rockchip: fix rk3036 hdmi ports node ARM: dts: imx25/27-eukrea: Fix RTC 
node name ARM: dts: imx: Use flash@0,0 pattern ARM: dts: imx27: Fix sram node ARM: dts: imx1: Fix sram node net: phy: at803x: fix passing the wrong reference for config_intr ionic: pass opcode to devcmd_wait ionic: bypass firmware cmds when stuck in reset block/rnbd-srv: Check for unlikely string overflow ARM: dts: imx25: Fix the iim compatible string ARM: dts: imx25/27: Pass timing0 ARM: dts: imx27-apf27dev: Fix LED name ARM: dts: imx23-sansa: Use preferred i2c-gpios properties ARM: dts: imx23/28: Fix the DMA controller node name scsi: hisi_sas: Set .phy_attached before notifing phyup event HISI_PHYE_PHY_UP_PM ice: fix ICE_AQ_VSI_Q_OPT_RSS_* register values net: atlantic: eliminate double free in error handling logic net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path block: prevent an integer overflow in bvec_try_merge_hw_page md: Whenassemble the array, consult the superblock of the freshest device arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property ice: fix pre-shifted bit usage arm64: dts: amlogic: fix format for s4 uart node wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() wifi: cfg80211: free beacon_ies when overridden from hidden BSS Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for QCA2066 Bluetooth: hci_sync: fix BR/EDR wakeup bug Bluetooth: L2CAP: Fix possible multiple reject send net/smc: disable SEID on non-s390 archs where virtual ISM may be used bridge: cfm: fix enum typo in br_cc_ccm_tx_parse i40e: Fix VF disable behavior to block all traffic octeontx2-af: Fix max NPC MCAM entry check while validating ref_entry net: dsa: qca8k: put MDIO bus OF node on qca8k_mdio_register() failure f2fs: fix to check return value of f2fs_reserve_new_block() ALSA: hda: Refer to correct stream index at loops ASoC: doc: Fix 
undefined SND_SOC_DAPM_NOPM argument fast_dput(): handle underflows gracefully RDMA/IPoIB: Fix error code return in ipoib_mcast_join drm/panel-edp: Add override_edid_mode quirk for generic edp drm/bridge: anx7625: Fix Set HPD irq detect window to 2ms drm/amd/display: Fix tiled display misalignment f2fs: fix write pointers on zoned device after roll forward ASoC: amd: Add new dmi entries for acp5x platform drm/drm_file: fix use of uninitialized variable drm/framebuffer: Fix use of uninitialized variable drm/mipi-dsi: Fix detach call without attach media: stk1160: Fixed high volume of stk1160_dbg messages media: rockchip: rga: fix swizzling for RGB formats PCI: add INTEL_HDA_ARL to pci_ids.h ALSA: hda: Intel: add HDA_ARL PCI ID support media: rkisp1: Drop IRQF_SHARED media: rkisp1: Fix IRQ handler return values media: rkisp1: Store IRQ lines media: rkisp1: Fix IRQ disable race issue hwmon: (nct6775) Fix fan speed set failure in automatic mode f2fs: fix to tag gcing flag on page during block migration drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time IB/ipoib: Fix mcast list locking media: amphion: remove mutext lock in condition of wait_event media: ddbridge: fix an error code problem in ddb_probe media: i2c: imx335: Fix hblank min/max values drm/amd/display: For prefetch mode > 0, extend prefetch if possible drm/msm/dpu: Ratelimit framedone timeout msgs drm/msm/dpu: fix writeback programming for YUV cases drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786 drm/amd/display: make flip_timestamp_in_us a 64-bit variable clk: imx: clk-imx8qxp: fix LVDS bypass, pixel and phy clocks drm/amdgpu: Fix ecc irq enable/disable unpaired drm/amdgpu: Let KFD sync with VM fences drm/amdgpu: Fix '*fw' from request_firmware() not released in 'amdgpu_ucode_request()' 
drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()' drm/amdkfd: Fix iterator used outside loop in 'kfd_add_peer_prop()' ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140 leds: trigger: panic: Don't register panic notifier if creating the trigger failed um: Fix naming clash between UML and scheduler um: Don't use vfprintf() for os_info() um: net: Fix return type of uml_net_start_xmit() um: time-travel: fix time corruption i3c: master: cdns: Update maximum prescaler value for i2c clock xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import mfd: ti_am335x_tscadc: Fix TI SoC dependencies mailbox: arm_mhuv2: Fix a bug for mhuv2_sender_interrupt PCI: Only override AMD USB controller if required PCI: switchtec: Fix stdev_release() crash after surprise hot remove perf cs-etm: Bump minimum OpenCSD version to ensure a bugfix is present usb: hub: Replace hardcoded quirk value with BIT() macro usb: hub: Add quirk to decrease IN-ep poll interval for Microchip USB491x hub selftests/sgx: Fix linker script asserts tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE fs/kernfs/dir: obey S_ISGID spmi: mediatek: Fix UAF on device remove PCI: Fix 64GT/s effective data rate calculation PCI/AER: Decode Requester ID when no error info found 9p: Fix initialisation of netfs_inode for 9p misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback libsubcmd: Fix memory leak in uniq() drm/amdkfd: Fix lock dependency warning drm/amdkfd: Fix lock dependency warning with srcu virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings blk-mq: fix IO hang from sbitmap wakeup race ceph: reinitialize mds feature bit even when session in open ceph: fix deadlock or deadcode of misusing dget() ceph: fix invalid pointer access if get_quota_realm return ERR_PTR drm/amd/powerplay: Fix kzalloc parameter 'ATOM_Tonga_PPM_Table' in 'get_platform_power_management_table()' drm/amdgpu: Fix with right return code '-EIO' in 
'amdgpu_gmc_vram_checking()' drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()' drm/amdkfd: Fix 'node' NULL check in 'svm_range_get_range_boundaries()' perf: Fix the nr_addr_filters fix wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update drm: using mul_u32_u32() requires linux/math64.h scsi: isci: Fix an error code problem in isci_io_request_build() regulator: ti-abb: don't use devm_platform_ioremap_resource_byname for shared interrupt register scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler HID: hidraw: fix a problem of memory leak in hidraw_release() selftests: net: give more time for GRO aggregation ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() ipv4: raw: add drop reasons ipmr: fix kernel panic when forwarding mcast packets net: lan966x: Fix port configuration when using SGMII interface tcp: add sanity checks to rx zerocopy ixgbe: Refactor returning internal error codes ixgbe: Refactor overtemp event handling ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550() net: dsa: qca8k: fix illegal usage of GPIO ipv6: Ensure natural alignment of const ipv6 loopback and router addresses llc: call sock_orphan() at release time bridge: mcast: fix disabled snooping after long uptime selftests: net: add missing config for GENEVE netfilter: conntrack: correct window scaling with retransmitted SYN netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations net: ipv4: fix a memleak in ip_setup_cork af_unix: fix lockdep positive in sk_diag_dump_icons() selftests: net: fix available tunnels detection net: sysfs: Fix /sys/class/net/<iface> path selftests: team: Add missing config options selftests: bonding: Check initial state arm64: irq: set the correct node for shadow call stack mm, kmsan: fix infinite recursion due to RCU critical 
section Revert "drm/amd/display: Disable PSR-SU on Parade 0803 TCON again" drm/msm/dsi: Enable runtime PM LoongArch/smp: Call rcutree_report_cpu_starting() at tlb_init() gve: Fix use-after-free vulnerability bonding: remove print in bond_verify_device_path ASoC: codecs: lpass-wsa-macro: fix compander volume hack ASoC: codecs: wsa883x: fix PA volume control drm/amdgpu: Fix missing error code in 'gmc_v6/7/8/9_0_hw_init()' Linux 6.1.77 Change-Id: I8d69fc7831db64d8a0fad88a318f03052f8bbf69 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
2dbddbe358 |
This is the 6.1.76 stable release
Merge 6.1.76 into android-6.1 Changes in 6.1.76 usb: dwc3: gadget: Refactor EP0 forced stall/restart into a separate API usb: dwc3: gadget: Queue PM runtime idle on disconnect event usb: dwc3: gadget: Handle EP0 request dequeuing properly Revert "nSVM: Check for reserved encodings of TLB_CONTROL in nested VMCB" iio: adc: ad7091r: Set alert bit in config register iio: adc: ad7091r: Allow users to configure device events ext4: allow for the last group to be marked as trimmed arm64: properly install vmlinuz.efi OPP: Pass rounded rate to _set_opp() btrfs: sysfs: validate scrub_speed_max value crypto: api - Disallow identical driver names PM: hibernate: Enforce ordering during image compression/decompression hwrng: core - Fix page fault dead lock on mmap-ed hwrng crypto: s390/aes - Fix buffer overread in CTR mode s390/vfio-ap: unpin pages on gisc registration failure PM / devfreq: Fix buffer overflow in trans_stat_show media: imx355: Enable runtime PM before registering async sub-device rpmsg: virtio: Free driver_override when rpmsg_remove() media: ov9734: Enable runtime PM before registering async sub-device s390/vfio-ap: always filter entire AP matrix 
s390/vfio-ap: loop over the shadow APCB when filtering guest's AP configuration s390/vfio-ap: let on_scan_complete() callback filter matrix and update guest's APCB mips: Fix max_mapnr being uninitialized on early stages bus: mhi: host: Add alignment check for event ring read pointer bus: mhi: host: Drop chan lock before queuing buffers bus: mhi: host: Add spinlock to protect WP access when queueing TREs parisc/firmware: Fix F-extend for PDC addresses parisc/power: Fix power soft-off button emulation on qemu async: Split async_schedule_node_domain() async: Introduce async_schedule_dev_nocall() iio: adc: ad7091r: Enable internal vref if external vref is not supplied dmaengine: fix NULL pointer in channel unregistration function scsi: ufs: core: Remove the ufshcd_hba_exit() call from ufshcd_async_scan() arm64: dts: qcom: sc7180: fix USB wakeup interrupt types arm64: dts: qcom: sdm845: fix USB wakeup interrupt types arm64: dts: qcom: sm8150: fix USB wakeup interrupt types arm64: dts: qcom: sc7280: fix usb_1 wakeup interrupt types arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts arm64: dts: qcom: sm8150: fix USB DP/DM HS PHY interrupts lsm: new security_file_ioctl_compat() hook docs: kernel_abi.py: fix command injection scripts/get_abi: fix source path leak media: videobuf2-dma-sg: fix vmap callback mmc: core: Use mrq.sbc in close-ended ffu mmc: mmc_spi: remove custom DMA mapped buffers media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run arm64: Rename ARM64_WORKAROUND_2966298 rtc: cmos: Use ACPI alarm for non-Intel x86 systems too rtc: Adjust failure return code for cmos_set_alarm() rtc: mc146818-lib: Adjust failure return code for mc146818_get_time() rtc: Add support for configuring the UIP timeout for RTC reads rtc: Extend timeout for waiting for UIP to clear to 1s nouveau/vmm: don't set addr on the fail path to avoid warning ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path mm/rmap: fix misplaced 
parenthesis of a likely() mm/sparsemem: fix race in accessing memory_section->usage rename(): fix the locking of subdirectories serial: sc16is7xx: improve regmap debugfs by using one regmap per port serial: sc16is7xx: remove wasteful static buffer in sc16is7xx_regmap_name() serial: sc16is7xx: remove global regmap from struct sc16is7xx_port serial: sc16is7xx: remove unused line structure member serial: sc16is7xx: change EFR lock to operate on each channels serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO serial: sc16is7xx: fix invalid sc16is7xx_lines bitfield in case of probe error serial: sc16is7xx: remove obsolete loop in sc16is7xx_port_irq() serial: sc16is7xx: improve do/while loop in sc16is7xx_irq() LoongArch/smp: Call rcutree_report_cpu_starting() earlier mm: page_alloc: unreserve highatomic page blocks before oom ksmbd: set v2 lease version on lease upgrade ksmbd: fix potential circular locking issue in smb2_set_ea() ksmbd: don't increment epoch if current state and request state are same ksmbd: send lease break notification on FILE_RENAME_INFORMATION ksmbd: Add missing set_freezable() for freezable kthread Revert "drm/amd: Enable PCIe PME from D3" drm/amd/display: pbn_div need be updated for hotplug event wifi: mac80211: fix potential sta-link leak net/smc: fix illegal rmb_desc access in SMC-D connection dump tcp: make sure init the accept_queue's spinlocks once bnxt_en: Wait for FLR to complete during probe vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING llc: make llc_ui_sendmsg() more robust against bonding changes llc: Drop support for ETH_P_TR_802_2. 
udp: fix busy polling net: fix removing a namespace with conflicting altnames tun: fix missing dropped counter in tun_xdp_act tun: add missing rx stats accounting in tun_xdp_act net: micrel: Fix PTP frame parsing for lan8814 net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv netfs, fscache: Prevent Oops in fscache_put_cache() tracing: Ensure visibility when inserting an element into tracing_map afs: Hide silly-rename files from userspace tcp: Add memory barrier to tcp_push() netlink: fix potential sleeping issue in mqueue_flush_file ipv6: init the accept_queue's spinlocks in inet6_create net/mlx5: DR, Use the right GVMI number for drop action net/mlx5: DR, Can't go to uplink vport on RX rule net/mlx5: Use mlx5 device constant for selecting CQ period mode for ASO net/mlx5e: Allow software parsing when IPsec crypto is enabled net/mlx5e: fix a double-free in arfs_create_groups net/mlx5e: fix a potential double-free in fs_any_create_groups rcu: Defer RCU kthreads wakeup when CPU is dying netfilter: nft_limit: reject configurations that cause integer overflow btrfs: fix infinite directory reads btrfs: set last dir index to the current last index when opening dir btrfs: refresh dir last index during a rewinddir(3) call btrfs: fix race between reading a directory and adding entries to it netfilter: nf_tables: restrict anonymous set and map names to 16 bytes netfilter: nf_tables: validate NFPROTO_* family net: stmmac: Wait a bit for the reset to take effect net: mvpp2: clear BM pool before initialization selftests: netdevsim: fix the udp_tunnel_nic test fjes: fix memleaks in fjes_hw_setup net: fec: fix the unhandled context fault from smmu nbd: always initialize struct msghdr completely btrfs: avoid copying BTRFS_ROOT_SUBVOL_DEAD flag to snapshot of subvolume being deleted btrfs: ref-verify: free ref cache before clearing mount opt btrfs: tree-checker: fix inline ref size in error messages btrfs: don't warn if discard range is not aligned to sector btrfs: 
defrag: reject unknown flags of btrfs_ioctl_defrag_range_args btrfs: don't abort filesystem when attempting to snapshot deleted subvolume rbd: don't move requests to the running list on errors exec: Fix error handling in begin_new_exec() wifi: iwlwifi: fix a memory corruption hv_netvsc: Calculate correct ring size when PAGE_SIZE is not 4 Kbytes netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain netfilter: nf_tables: reject QUEUE/DROP verdict parameters platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe ksmbd: fix global oob in ksmbd_nl_policy firmware: arm_scmi: Check mailbox/SMT channel for consistency xfs: read only mounts with fsopen mount API are busted gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 cpufreq: intel_pstate: Refine computation of P-state for given frequency drm: Don't unref the same fb many times by mistake due to deadlock handling drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking drm/tidss: Fix atomic_flush check drm/amd/display: Disable PSR-SU on Parade 0803 TCON again platform/x86: intel-uncore-freq: Fix types in sysfs callbacks drm/bridge: nxp-ptn3460: simplify some error checking drm/amd/display: Port DENTIST hang and TDR fixes to OTG disable W/A drm/amdgpu/pm: Fix the power source flag error erofs: get rid of the remaining kmap_atomic() erofs: fix lz4 inplace decompression media: ov13b10: Support device probe in non-zero ACPI D state media: ov13b10: Enable runtime PM before registering async sub-device bus: mhi: ep: Do not allocate event ring element on stack PM: core: Remove unnecessary (void *) conversions PM: sleep: Fix possible deadlocks in core system-wide PM code thermal: intel: hfi: Refactor enabling code into helper functions thermal: intel: hfi: Disable an HFI instance when all its CPUs go offline thermal: intel: hfi: Add syscore callbacks for system-wide PM fs/pipe: move check to pipe_has_watch_queue() pipe: wakeup wr_wait after setting max_usage ARM: dts: qcom: 
sdx55: fix USB wakeup interrupt types ARM: dts: samsung: exynos4210-i9100: Unconditionally enable LDO12 ARM: dts: qcom: sdx55: fix pdc '#interrupt-cells' ARM: dts: qcom: sdx55: fix USB DP/DM HS PHY interrupts ARM: dts: qcom: sdx55: fix USB SS wakeup dlm: use kernel_connect() and kernel_bind() serial: core: Provide port lock wrappers serial: sc16is7xx: Use port lock wrappers serial: sc16is7xx: fix unconditional activation of THRI interrupt btrfs: zoned: factor out prepare_allocation_zoned() btrfs: zoned: optimize hint byte for zoned allocator drm/panel-edp: drm/panel-edp: Fix AUO B116XAK01 name and timing Revert "powerpc/64s: Increase default stack size to 32KB" drm/bridge: parade-ps8640: Wait for HPD when doing an AUX transfer drm: panel-simple: add missing bus flags for Tianma tm070jvhg[30/33] drm/bridge: sii902x: Use devm_regulator_bulk_get_enable() drm/bridge: sii902x: Fix probing race issue drm/bridge: sii902x: Fix audio codec unregistration drm/bridge: parade-ps8640: Ensure bridge is suspended in .post_disable() drm/bridge: parade-ps8640: Make sure we drop the AUX mutex in the error case drm/exynos: fix accidental on-stack copy of exynos_drm_plane drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume gpio: eic-sprd: Clear interrupt after set the interrupt type block: Move checking GENHD_FL_NO_PART to bdev_add_partition() drm/bridge: anx7625: Ensure bridge is suspended in disable() spi: bcm-qspi: fix SFDP BFPT read by usig mspi read spi: fix finalize message on error return MIPS: lantiq: register smp_ops on non-smp platforms cxl/region:Fix overflow issue in alloc_hpa() mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan tick/sched: Preserve number of idle sleeps across CPU hotplug events x86/entry/ia32: Ensure s32 is sign extended to s64 serial: core: fix kernel-doc for uart_port_unlock_irqrestore() net/mlx5e: Handle hardware IPsec limits events Linux 6.1.76 Change-Id: I4725561e2ca5df042a1fe307af701e7d5e2d06c8 
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
3ca4271578 |
Reapply "Merge tag 'android14-6.1.75_r00' into android14-6.1"
This reverts commit
|
||
Todd Kjos
|
6bad1052c2 |
Revert "Merge tag 'android14-6.1.75_r00' into android14-6.1"
This reverts commit
|
||
Greg Kroah-Hartman
|
1dbafe61e3 |
Merge tag 'android14-6.1.75_r00' into android14-6.1
This merges up to the 6.1.75 LTS release into the android14-6.1 branch. Included in here are the following commits: * |
||
Yan Zhai
|
c38ea4a131 |
BACKPORT: gso: fix dodgy bit handling for GSO_UDP_L4
Commit 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 packets.") checks DODGY bit for UDP, but for packets that can be fed directly to the device after gso_segs reset, it actually falls through to fragmentation: https://lore.kernel.org/all/CAJPywTKDdjtwkLVUW6LRA2FU912qcDmQOQGt2WaDo28KzYDg+A@mail.gmail.com/ This change restores the expected behavior of GSO_UDP_L4 packets. Fixes: 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 packets.") Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com> Change-Id: Id7ff0fac79fb0b4fabb62b09a905f27a5e8cfea7 (cherry picked from commit 9840036786d90cea11a90d1f30b6dc003b34ee67) [lena: Resolved conflict in net/ipv6/udp_offload.c ] Signed-off-by: Yan Zhai <yan@cloudflare.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Acked-by: Jason Wang <jasowang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Greg Kroah-Hartman
|
c16bb76a0c |
This is the 6.1.75 stable release
Merge 6.1.75 into android14-6.1-lts Changes in 6.1.75 x86/lib: Fix overflow when counting digits x86/mce/inject: Clear test status value EDAC/thunderx: Fix possible out-of-bounds string access powerpc: remove checks for binutils older than 2.25 powerpc: add crtsavres.o to always-y instead of extra-y powerpc/44x: select I2C for CURRITUCK powerpc/pseries/memhp: Fix access beyond end of drmem array selftests/powerpc: Fix error handling in FPU/VMX preemption tests powerpc/powernv: Add a null pointer check to scom_debug_init_one() powerpc/powernv: Add a null pointer check in opal_event_init() powerpc/powernv: Add a null pointer check in opal_powercap_init() powerpc/imc-pmu: Add a null pointer check in update_events_in_group() spi: spi-zynqmp-gqspi: fix driver kconfig dependencies mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response ACPI: video: check for error while searching for backlight device parent ACPI: LPIT: Avoid u32 multiplication overflow KEYS: encrypted: Add check for strsep platform/x86/intel/vsec: Enhance and Export intel_vsec_add_aux() platform/x86/intel/vsec: Support private data platform/x86/intel/vsec: Use mutex for 
ida_alloc() and ida_free() platform/x86/intel/vsec: Fix xa_alloc memory leak of: Add of_property_present() helper cpufreq: Use of_property_present() for testing DT property presence cpufreq: scmi: process the result of devm_of_clk_add_hw_provider() calipso: fix memory leak in netlbl_calipso_add_pass() efivarfs: force RO when remounting if SetVariable is not supported efivarfs: Free s_fs_info on unmount spi: sh-msiof: Enforce fixed DTDL for R-Car H3 ACPI: LPSS: Fix the fractional clock divider flags ACPI: extlog: Clear Extended Error Log status when RAS_CEC handled the error kunit: debugfs: Fix unchecked dereference in debugfs_print_results() mtd: Fix gluebi NULL pointer dereference caused by ftl notifier selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket crypto: virtio - Handle dataq logic with tasklet crypto: sa2ul - Return crypto_aead_setkey to transfer the error crypto: ccp - fix memleak in ccp_init_dm_workarea crypto: af_alg - Disallow multiple in-flight AIO requests crypto: safexcel - Add error handling for dma_map_sg() calls crypto: sahara - remove FLAGS_NEW_KEY logic crypto: sahara - fix cbc selftest failure crypto: sahara - fix ahash selftest failure crypto: sahara - fix processing requests with cryptlen < sg->length crypto: sahara - fix error handling in sahara_hw_descriptor_create() crypto: hisilicon/qm - save capability registers in qm init process crypto: hisilicon/zip - add zip comp high perf mode configuration crypto: hisilicon/qm - add a function to set qm algs crypto: hisilicon/hpre - save capability registers in probe process crypto: hisilicon/sec2 - save capability registers in probe process crypto: hisilicon/zip - save capability registers in probe process pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() erofs: fix memory leak on short-lived bounced pages fs: indicate request originates from old mount API gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump crypto: virtio - Wait for tasklet to 
complete on device remove crypto: sahara - avoid skcipher fallback code duplication crypto: sahara - handle zero-length aes requests crypto: sahara - fix ahash reqsize crypto: sahara - fix wait_for_completion_timeout() error handling crypto: sahara - improve error handling in sahara_sha_process() crypto: sahara - fix processing hash requests with req->nbytes < sg->length crypto: sahara - do not resize req->src when doing hash operations crypto: scomp - fix req->dst buffer overflow csky: fix arch_jump_label_transform_static override blocklayoutdriver: Fix reference leak of pnfs_device_node NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT SUNRPC: fix _xprt_switch_find_current_entry logic pNFS: Fix the pnfs block driver's calculation of layoutget size wifi: plfxlc: check for allocation failure in plfxlc_usb_wreq_async() wifi: rtw88: fix RX filter in FIF_ALLMULTI flag bpf, lpm: Fix check prefixlen before walking trie bpf: Add crosstask check to __bpf_get_stack wifi: ath11k: Defer on rproc_get failure wifi: libertas: stop selecting wext ARM: dts: qcom: apq8064: correct XOADC register address net/ncsi: Fix netlink major/minor version numbers firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() firmware: meson_sm: populate platform devices from sm device tree data wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior arm64: dts: ti: k3-am62a-main: Fix GPIO pin count in DT nodes arm64: dts: ti: k3-am65-main: Fix DSS irq trigger type selftests/bpf: Fix erroneous bitmask operation md: synchronize flush io with array reconfiguration bpf: enforce precision of R0 on callback return ARM: dts: qcom: sdx65: correct SPMI node name arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered arm64: dts: qcom: sc7280: Mark some nodes as 'reserved' arm64: dts: qcom: sc7280: Make watchdog bark interrupt edge triggered arm64: dts: qcom: sdm845: Make watchdog bark interrupt edge triggered arm64: dts: qcom: sm8150: Make watchdog bark 
interrupt edge triggered arm64: dts: qcom: sm8250: Make watchdog bark interrupt edge triggered arm64: dts: qcom: sc8280xp: Make watchdog bark interrupt edge triggered arm64: dts: qcom: sm6350: Make watchdog bark interrupt edge triggered rcu-tasks: Provide rcu_trace_implies_rcu_gp() bpf: add percpu stats for bpf_map elements insertions/deletions bpf: Add map and need_defer parameters to .map_fd_put_ptr() bpf: Defer the free of inner map when necessary selftests/net: specify the interface when do arping bpf: fix check for attempt to corrupt spilled pointer scsi: fnic: Return error if vmalloc() failed arm64: dts: qcom: qrb5165-rb5: correct LED panic indicator arm64: dts: qcom: sdm845-db845c: correct LED panic indicator arm64: dts: qcom: sm8350: Fix DMA0 address arm64: dts: qcom: sc7280: Fix up GPU SIDs arm64: dts: qcom: sc7280: Mark Adreno SMMU as DMA coherent arm64: dts: qcom: sc7280: fix usb_2 wakeup interrupt types wifi: mt76: mt7921s: fix workqueue problem causes STA association fail bpf: Fix verification of indirect var-off stack access arm64: dts: hisilicon: hikey970-pmic: fix regulator cells properties dt-bindings: media: mediatek: mdp3: correct RDMA and WROT node with generic names arm64: dts: mediatek: mt8183: correct MDP3 DMA-related nodes wifi: mt76: mt7921: fix country count limitation for CLC selftests/bpf: Relax time_tai test for equal timestamps in tai_forward block: Set memalloc_noio to false on device_add_disk() error path arm64: dts: renesas: white-hawk-cpu: Fix missing serial console pin control arm64: dts: imx8mm: Reduce GPU to nominal speed scsi: hisi_sas: Replace with standard error code return value scsi: hisi_sas: Rollback some operations if FLR failed scsi: hisi_sas: Correct the number of global debugfs registers ARM: dts: stm32: don't mix SCMI and non-SCMI board compatibles selftests/net: fix grep checking for fib_nexthop_multiprefix ipmr: support IP_PKTINFO on cache report IGMP msg virtio/vsock: fix logic which reduces credit update messages 
dma-mapping: clear dev->dma_mem to NULL after freeing it soc: qcom: llcc: Fix dis_cap_alloc and retain_on_pc configuration arm64: dts: qcom: sm8150-hdk: fix SS USB regulators block: add check of 'minors' and 'first_minor' in device_add_disk() arm64: dts: qcom: sc7280: Mark SDHCI hosts as cache-coherent arm64: dts: qcom: ipq6018: fix clock rates for GCC_USB0_MOCK_UTMI_CLK arm64: dts: qcom: ipq6018: improve pcie phy pcs reg table arm64: dts: qcom: ipq6018: Use lowercase hex arm64: dts: qcom: ipq6018: Pad addresses to 8 hex digits arm64: dts: qcom: ipq6018: Fix up indentation wifi: rtlwifi: add calculate_bit_shift() wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() wifi: rtlwifi: rtl8192c: using calculate_bit_shift() wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() wifi: rtlwifi: rtl8192de: using calculate_bit_shift() wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() wifi: rtlwifi: rtl8192se: using calculate_bit_shift() wifi: iwlwifi: mvm: set siso/mimo chains to 1 in FW SMPS request wifi: iwlwifi: mvm: send TX path flush in rfkill netfilter: nf_tables: mark newset as dead on transaction abort Bluetooth: Fix bogus check for re-auth no supported with non-ssp Bluetooth: btmtkuart: fix recv_buf() return value block: make BLK_DEF_MAX_SECTORS unsigned null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS bpf: sockmap, fix proto update hook to avoid dup calls sctp: support MSG_ERRQUEUE flag in recvmsg() sctp: fix busy polling net/sched: act_ct: fix skb leak and crash on ooo frags mlxbf_gige: Fix intermittent no ip issue mlxbf_gige: Enable the GigE port in mlxbf_gige_open ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() ARM: davinci: always select CONFIG_CPU_ARM926T Revert "drm/tidss: Annotate dma-fence critical section in commit path" Revert "drm/omapdrm: Annotate dma-fence critical section in commit path" drm/panfrost: Really power off GPU cores in panfrost_gpu_power_off() 
RDMA/usnic: Silence uninitialized symbol smatch warnings RDMA/hns: Fix inappropriate err code for unsupported operations drm/panel-elida-kd35t133: hold panel in reset for unprepare drm/nouveau/fence:: fix warning directly dereferencing a rcu pointer drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function drm/tilcdc: Fix irq free on unload media: pvrusb2: fix use after free on context disconnection media: mtk-jpegdec: export jpeg decoder functions media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the crash of multi-core JPEG devices media: verisilicon: Hook the (TRY_)DECODER_CMD stateless ioctls media: rkvdec: Hook the (TRY_)DECODER_CMD stateless ioctls drm/bridge: Fix typo in post_disable() description f2fs: fix to avoid dirent corruption drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() drm/radeon: check return value of radeon_ring_lock() drm/tidss: Move reset to the end of dispc_init() drm/tidss: Return error value from from softreset drm/tidss: Check for K2G in in dispc_softreset() drm/tidss: Fix dss reset ASoC: cs35l33: Fix GPIO name and drop legacy include ASoC: cs35l34: Fix GPIO name and drop legacy include drm/msm/mdp4: flush vblank event on disable drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks drm/drv: propagate errors from drm_modeset_register_all() ASoC: Intel: glk_rt5682_max98357a: fix board id mismatch drm/panfrost: Ignore core_mask for poweroff and disable PWRTRANS irq drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() drm/radeon/dpm: fix a memleak in sumo_parse_power_table drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table drm/bridge: cdns-mhdp8546: Fix use of uninitialized variable drm/bridge: tc358767: Fix return value on error case media: cx231xx: fix a memleak in cx231xx_init_isoc RDMA/hns: Fix memory leak in free_mr_init() clk: qcom: gpucc-sm8150: Update the 
gpu_cc_pll1 config media: imx-mipi-csis: Fix clock handling in remove() media: dt-bindings: media: rkisp1: Fix the port description for the parallel interface media: rkisp1: Fix media device memory leak drm/panel: st7701: Fix AVCL calculation f2fs: fix to wait on block writeback for post_read case f2fs: fix to check compress file in f2fs_move_file_range() f2fs: fix to update iostat correctly in f2fs_filemap_fault() media: dvbdev: drop refcount on error path in dvb_device_open() media: dvb-frontends: m88ds3103: Fix a memory leak in an error handling path of m88ds3103_probe() clk: renesas: rzg2l-cpg: Reuse code in rzg2l_cpg_reset() clk: renesas: rzg2l: Check reset monitor registers drm/msm/dpu: Set input_sel bit for INTF drm/msm/dpu: Drop enable and frame_count parameters from dpu_hw_setup_misr() drm/mediatek: Return error if MDP RDMA failed to enable the clock drm/mediatek: Fix underrun in VDO1 when switches off the layer drm/amdgpu/debugfs: fix error code when smc register accessors are NULL drm/amd/pm: fix a double-free in si_dpm_init drivers/amd/pm: fix a use-after-free in kv_parse_power_table gpu/drm/radeon: fix two memleaks in radeon_vm_init drm/amd/pm: fix a double-free in amdgpu_parse_extended_power_table f2fs: fix to check return value of f2fs_recover_xattr_data dt-bindings: clock: Update the videocc resets for sm8150 clk: qcom: videocc-sm8150: Update the videocc resets clk: qcom: videocc-sm8150: Add missing PLL config property drivers: clk: zynqmp: calculate closest mux rate drivers: clk: zynqmp: update divider round rate logic watchdog: set cdev owner before adding watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling watchdog: rti_wdt: Drop runtime pm reference count when watchdog is unused clk: si5341: fix an error code problem in si5341_output_clk_set_rate drm/mediatek: dp: Add phy_mtk_dp module as pre-dependency accel/habanalabs: fix information leak in sec_attest_info() clk: fixed-rate: fix 
clk_hw_register_fixed_rate_with_accuracy_parent_hw pwm: stm32: Use regmap_clear_bits and regmap_set_bits where applicable pwm: stm32: Use hweight32 in stm32_pwm_detect_channels pwm: stm32: Fix enable count for clk in .probe() ASoC: rt5645: Drop double EF20 entry from dmi_platform_data[] ALSA: scarlett2: Add missing error check to scarlett2_config_save() ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config() ALSA: scarlett2: Allow passing any output to line_out_remap() ALSA: scarlett2: Add missing error checks to *_ctl_get() ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put() mmc: sdhci_am654: Fix TI SoC dependencies mmc: sdhci_omap: Fix TI SoC dependencies IB/iser: Prevent invalidating wrong MR drm/amdkfd: Confirm list is non-empty before utilizing list_first_entry in kfd_topology.c drm/amd/pm/smu7: fix a memleak in smu7_hwmgr_backend_init kselftest/alsa - mixer-test: fix the number of parameters to ksft_exit_fail_msg() kselftest/alsa - mixer-test: Fix the print format specifier warning ksmbd: validate the zero field of packet header of: Fix double free in of_parse_phandle_with_args_map fbdev: imxfb: fix left margin setting of: unittest: Fix of_count_phandle_with_args() expected value message selftests/bpf: Add assert for user stacks in test_task_stack keys, dns: Fix size check of V1 server-list header binder: fix async space check for 0-sized buffers binder: fix unused alloc->free_async_space mips/smp: Call rcutree_report_cpu_starting() earlier Input: atkbd - use ab83 as id when skipping the getid command xen-netback: don't produce zero-size SKB frags binder: fix race between mmput() and do_exit() clocksource/drivers/timer-ti-dm: Fix make W=n kerneldoc warnings powerpc/64s: Increase default stack size to 32KB tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host() usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart Revert "usb: dwc3: Soft reset phy 
on probe for host" Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only" usb: chipidea: wait controller resume finished for wakeup irq usb: cdns3: fix uvc failure work since sg support enabled usb: cdns3: fix iso transfer error when mult is not zero usb: cdns3: Fix uvc fail when DMA cross 4k boundery since sg enabled Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs" usb: typec: class: fix typec_altmode_put_partner to put plugs usb: mon: Fix atomicity violation in mon_bin_vma_fault serial: core: fix sanitizing check for RTS settings serial: core: make sure RS485 cannot be enabled when it is not supported serial: 8250_bcm2835aux: Restore clock error handling serial: core, imx: do not set RS485 enabled if it is not supported serial: imx: Ensure that imx_uart_rs485_config() is called with enabled clock serial: 8250_exar: Set missing rs485_supported flag serial: omap: do not override settings for RS485 support drm/vmwgfx: Fix possible invalid drm gem put calls drm/vmwgfx: Keep a gem reference to user bos in surfaces ALSA: oxygen: Fix right channel of capture volume mixer ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq2xxx ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on HP ZBook ALSA: hda/realtek: Enable headset mic on Lenovo M70 Gen5 ksmbd: validate mech token in session setup ksmbd: fix UAF issue in ksmbd_tcp_new_connection() ksmbd: only v2 leases handle the directory io_uring/rw: ensure io->bytes_done is always initialized fbdev: flush deferred work in fb_deferred_io_fsync() fbdev: flush deferred IO before closing scsi: ufs: core: Simplify power management during async scan scsi: target: core: add missing file_{start,end}_write() scsi: mpi3mr: Refresh sdev queue depth after controller reset scsi: mpi3mr: Block PEL Enable Command on Controller Reset and Unrecoverable State drm/amd: Enable PCIe PME from D3 block: add check that partition length needs to be aligned with block size block: Fix 
iterating over an empty bio with bio_for_each_folio_all netfilter: nf_tables: check if catch-all set element is active in next generation pwm: jz4740: Don't use dev_err_probe() in .request() pwm: Fix out-of-bounds access in of_pwm_single_xlate() md/raid1: Use blk_opf_t for read and write operations rootfs: Fix support for rootfstype= when root= is given Bluetooth: Fix atomicity violation in {min,max}_key_size_set bpf: Fix re-attachment branch in bpf_tracing_prog_attach LoongArch: Fix and simplify fcsr initialization on execve() iommu/arm-smmu-qcom: Add missing GMU entry to match table iommu/dma: Trace bounce buffer usage when mapping buffers wifi: mt76: fix broken precal loading from MTD for mt7915 wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors wifi: mwifiex: configure BSSID consistently when starting AP Revert "net: rtnetlink: Enslave device before bringing it up" cxl/port: Fix decoder initialization when nr_targets > interleave_ways PCI/P2PDMA: Remove reference to pci_p2pdma_map_sg() PCI: dwc: endpoint: Fix dw_pcie_ep_raise_msix_irq() alignment support PCI: mediatek: Clear interrupt status before dispatching handler x86/kvm: Do not try to disable kvmclock if it was not enabled KVM: arm64: vgic-v4: Restore pending state on host userspace write KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache iio: adc: ad7091r: Pass iio_dev to event handler HID: wacom: Correct behavior when processing some confidence == false touches serial: sc16is7xx: add check for unsupported SPI modes during probe serial: sc16is7xx: set safe default SPI clock frequency ARM: 9330/1: davinci: also select PINCTRL mfd: syscon: Fix null pointer dereference in of_syscon_register() leds: aw2013: Select missing dependency REGMAP_I2C mfd: intel-lpss: Fix the fractional clock divider flags mips: dmi: Fix early remap on MIPS32 mips: Fix incorrect max_low_pfn adjustment riscv: Check if the code to patch lies 
in the exit section riscv: Fix module_alloc() that did not reset the linear mapping permissions riscv: Fix set_memory_XX() and set_direct_map_XX() by splitting huge linear mappings riscv: Fix set_direct_map_default_noflush() to reset _PAGE_EXEC riscv: Fixed wrong register in XIP_FIXUP_FLASH_OFFSET macro MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup() MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup() power: supply: cw2015: correct time_to_empty units in sysfs power: supply: bq256xx: fix some problem in bq256xx_hw_init serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed libapi: Add missing linux/types.h header to get the __u64 type on io.h base/node.c: initialize the accessor list before registering acpi: property: Let args be NULL in __acpi_node_get_property_reference software node: Let args be NULL in software_node_get_reference_args serial: imx: fix tx statemachine deadlock selftests/sgx: Fix uninitialized pointer dereference in error path selftests/sgx: Fix uninitialized pointer dereferences in encl_get_entry selftests/sgx: Include memory clobber for inline asm in test enclave selftests/sgx: Skip non X86_64 platform iio: adc: ad9467: fix reset gpio handling iio: adc: ad9467: don't ignore error codes iio: adc: ad9467: fix scale setting perf header: Fix one memory leakage in perf_event__fprintf_event_update() perf hisi-ptt: Fix one memory leakage in hisi_ptt_process_auxtrace_event() perf genelf: Set ELF program header addresses properly tty: change tty_write_lock()'s ndelay parameter to bool tty: early return from send_break() on TTY_DRIVER_HARDWARE_BREAK tty: don't check for signal_pending() in send_break() tty: use 'if' in send_break() instead of 'goto' usb: cdc-acm: return correct error code on unsupported break spmi: mtk-pmif: Serialize PMIF status check and command submission vdpa: Fix an error handling path in eni_vdpa_probe() nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU 
length nvmet-tcp: fix a crash in nvmet_req_complete() perf env: Avoid recursively taking env->bpf_progs.lock cxl/region: fix x9 interleave typo apparmor: avoid crash when parsed profile name is empty usb: xhci-mtk: fix a short packet issue of gen1 isoc-in transfer serial: imx: Correct clock error message in function probe() nvmet: re-fix tracing strncpy() warning nvme: trace: avoid memcpy overflow warning nvmet-tcp: Fix the H2C expected PDU len calculation PCI: keystone: Fix race condition when initializing PHYs PCI: mediatek-gen3: Fix translation window size calculation ASoC: mediatek: sof-common: Add NULL check for normal_link string s390/pci: fix max size calculation in zpci_memcpy_toio() net: qualcomm: rmnet: fix global oob in rmnet_policy net: ethernet: ti: am65-cpsw: Fix max mtu to fit ethernet frames amt: do not use overwrapped cb area net: phy: micrel: populate .soft_reset for KSZ9131 mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN mptcp: strict validation before using mp_opt->hmac mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() mptcp: refine opt_mp_capable determination block: ensure we hold a queue reference when using queue limits udp: annotate data-races around up->pending net: ravb: Fix dma_addr_t truncation in error case dt-bindings: gpio: xilinx: Fix node address in gpio drm/amdkfd: Use resource_size() helper function drm/amdkfd: fixes for HMM mem allocation net: stmmac: ethtool: Fixed calltrace caused by unbalanced disable_irq_wake calls bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe LoongArch: BPF: Prevent out-of-bounds memory access mptcp: relax check on MPC passive fallback netfilter: nf_tables: reject invalid set policy netfilter: nft_limit: do not ignore unsupported flags netfilter: nfnetlink_log: use proper helper for fetching physinif netfilter: nf_queue: remove excess nf_bridge variable netfilter: 
propagate net to nf_bridge_get_physindev netfilter: bridge: replace physindev with physinif in nf_bridge_info netfilter: nf_tables: do not allow mismatch field size and set key length netfilter: nf_tables: skip dead set elements in netlink dump netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description ipvs: avoid stat macros calls from preemptible context kdb: Fix a potential buffer overflow in kdb_local() ethtool: netlink: Add missing ethnl_ops_begin/complete loop: fix the the direct I/O support check when used on top of block devices mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure selftests: mlxsw: qos_pfc: Adjust the test to support 8 lanes ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work i2c: s3c24xx: fix read transfers in polling mode i2c: s3c24xx: fix transferring more than one message in polling mode block: Remove special-casing of compound pages riscv: Fix wrong usage of lm_alias() when splitting a huge linear mapping Revert "KEYS: encrypted: Add check for strsep" arm64: dts: armada-3720-turris-mox: set irq type for RTC Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"" Linux 6.1.75 Change-Id: I60398ecc9a2e50206fd9d25c0d6c9ad6e1ca71a0 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Eric Dumazet
|
5453875221 |
inet: read sk->sk_family once in inet_recv_error()
[ Upstream commit eef00a82c568944f113f2de738156ac591bbd5cd ]
inet_recv_error() is called without holding the socket lock.
IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM
socket option and trigger a KCSAN warning.
Fixes:
|
||
Antoine Tenart
|
e37cde7a57 |
tunnels: fix out of bounds access when building IPv6 PMTU error
[ Upstream commit d75abeec401f8c86b470e7028a13fcdc87e5dd06 ]
If the ICMPv6 error is built from a non-linear skb we get the following
splat,
BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240
Read of size 4 at addr ffff88811d402c80 by task netperf/820
CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543
...
kasan_report+0xd8/0x110
do_csum+0x220/0x240
csum_partial+0xc/0x20
skb_tunnel_check_pmtu+0xeb9/0x3280
vxlan_xmit_one+0x14c2/0x4080
vxlan_xmit+0xf61/0x5c00
dev_hard_start_xmit+0xfb/0x510
__dev_queue_xmit+0x7cd/0x32a0
br_dev_queue_push_xmit+0x39d/0x6a0
Use skb_checksum instead of csum_partial, which cannot deal with non-linear
SKBs.
Fixes:
|
||
Zhipeng Lu
|
fde3d47efe |
net: ipv4: fix a memleak in ip_setup_cork
[ Upstream commit 5dee6d6923458e26966717f2a3eae7d09fc10bf6 ]
When inetdev_valid_mtu fails, cork->opt should be freed if it is
allocated in ip_setup_cork. Otherwise there could be a memleak.
Fixes:
|
||
Eric Dumazet
|
b383d4ea27 |
tcp: add sanity checks to rx zerocopy
[ Upstream commit 577e4432f3ac810049cb7e6b71f4d96ec7c6e894 ]
TCP rx zerocopy intent is to map pages initially allocated
from NIC drivers, not pages owned by a fs.
This patch adds to can_map_frag() these additional checks:
- Page must not be a compound one.
- page->mapping must be NULL.
This fixes the panic reported by ZhangPeng.
syzbot was able to loopback packets built with sendfile(),
mapping pages owned by an ext4 file to TCP rx zerocopy.
r3 = socket$inet_tcp(0x2, 0x1, 0x0)
mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
r4 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
0x181e42, 0x0)
fallocate(r5, 0x0, 0x0, 0x85b8)
sendfile(r4, r5, 0x0, 0x8ba0)
getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
&(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)
r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
0x181e42, 0x0)
Fixes:
|
||
Nicolas Dichtel
|
d2f1b7fe74 |
ipmr: fix kernel panic when forwarding mcast packets
[ Upstream commit e622502c310f1069fd9f41cd38210553115f610a ]
The stacktrace was:
[ 86.305548] BUG: kernel NULL pointer dereference, address: 0000000000000092
[ 86.306815] #PF: supervisor read access in kernel mode
[ 86.307717] #PF: error_code(0x0000) - not-present page
[ 86.308624] PGD 0 P4D 0
[ 86.309091] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 86.309883] CPU: 2 PID: 3139 Comm: pimd Tainted: G U 6.8.0-6wind-knet #1
[ 86.311027] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
[ 86.312728] RIP: 0010:ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)
[ 86.313399] Code: f9 1f 0f 87 85 03 00 00 48 8d 04 5b 48 8d 04 83 49 8d 44 c5 00 48 8b 40 70 48 39 c2 0f 84 d9 00 00 00 49 8b 46 58 48 83 e0 fe <80> b8 92 00 00 00 00 0f 84 55 ff ff ff 49 83 47 38 01 45 85 e4 0f
[ 86.316565] RSP: 0018:ffffad21c0583ae0 EFLAGS: 00010246
[ 86.317497] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 86.318596] RDX: ffff9559cb46c000 RSI: 0000000000000000 RDI: 0000000000000000
[ 86.319627] RBP: ffffad21c0583b30 R08: 0000000000000000 R09: 0000000000000000
[ 86.320650] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 86.321672] R13: ffff9559c093a000 R14: ffff9559cc00b800 R15: ffff9559c09c1d80
[ 86.322873] FS: 00007f85db661980(0000) GS:ffff955a79d00000(0000) knlGS:0000000000000000
[ 86.324291] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 86.325314] CR2: 0000000000000092 CR3: 000000002f13a000 CR4: 0000000000350ef0
[ 86.326589] Call Trace:
[ 86.327036] <TASK>
[ 86.327434] ? show_regs (/build/work/knet/arch/x86/kernel/dumpstack.c:479)
[ 86.328049] ? __die (/build/work/knet/arch/x86/kernel/dumpstack.c:421 /build/work/knet/arch/x86/kernel/dumpstack.c:434)
[ 86.328508] ? page_fault_oops (/build/work/knet/arch/x86/mm/fault.c:707)
[ 86.329107] ? do_user_addr_fault (/build/work/knet/arch/x86/mm/fault.c:1264)
[ 86.329756] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
[ 86.330350] ? __irq_work_queue_local (/build/work/knet/kernel/irq_work.c:111 (discriminator 1))
[ 86.331013] ? exc_page_fault (/build/work/knet/./arch/x86/include/asm/paravirt.h:693 /build/work/knet/arch/x86/mm/fault.c:1515 /build/work/knet/arch/x86/mm/fault.c:1563)
[ 86.331702] ? asm_exc_page_fault (/build/work/knet/./arch/x86/include/asm/idtentry.h:570)
[ 86.332468] ? ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)
[ 86.333183] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
[ 86.333920] ipmr_mfc_add (/build/work/knet/./include/linux/rcupdate.h:782 /build/work/knet/net/ipv4/ipmr.c:1009 /build/work/knet/net/ipv4/ipmr.c:1273)
[ 86.334583] ? __pfx_ipmr_hash_cmp (/build/work/knet/net/ipv4/ipmr.c:363)
[ 86.335357] ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)
[ 86.336135] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
[ 86.336854] ? ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)
[ 86.337679] do_ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:944)
[ 86.338408] ? __pfx_unix_stream_read_actor (/build/work/knet/net/unix/af_unix.c:2862)
[ 86.339232] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
[ 86.339809] ? aa_sk_perm (/build/work/knet/security/apparmor/include/cred.h:153 /build/work/knet/security/apparmor/net.c:181)
[ 86.340342] ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:1415)
[ 86.340859] raw_setsockopt (/build/work/knet/net/ipv4/raw.c:836)
[ 86.341408] ? security_socket_setsockopt (/build/work/knet/security/security.c:4561 (discriminator 13))
[ 86.342116] sock_common_setsockopt (/build/work/knet/net/core/sock.c:3716)
[ 86.342747] do_sock_setsockopt (/build/work/knet/net/socket.c:2313)
[ 86.343363] __sys_setsockopt (/build/work/knet/./include/linux/file.h:32 /build/work/knet/net/socket.c:2336)
[ 86.344020] __x64_sys_setsockopt (/build/work/knet/net/socket.c:2340)
[ 86.344766] do_syscall_64 (/build/work/knet/arch/x86/entry/common.c:52 /build/work/knet/arch/x86/entry/common.c:83)
[ 86.345433] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
[ 86.346161] ? syscall_exit_work (/build/work/knet/./include/linux/audit.h:357 /build/work/knet/kernel/entry/common.c:160)
[ 86.346938] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
[ 86.347657] ? syscall_exit_to_user_mode (/build/work/knet/kernel/entry/common.c:215)
[ 86.348538] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)
[ 86.349262] ? do_syscall_64 (/build/work/knet/./arch/x86/include/asm/cpufeature.h:171 /build/work/knet/arch/x86/entry/common.c:98)
[ 86.349971] entry_SYSCALL_64_after_hwframe (/build/work/knet/arch/x86/entry/entry_64.S:129)
The original packet in ipmr_cache_report() may be queued and then
forwarded with ip_mr_forward(). This last function has the assumption
that the skb dst is set. After the below commit, the skb dst is dropped
by ipv4_pktinfo_prepare(), which causes the oops.
Fixes: bb7403655b3c ("ipmr: support IP_PKTINFO on cache report IGMP msg")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240125141847.1931933-1-nicolas.dichtel@6wind.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric Dumazet
|
03dc5b73af |
ipv4: raw: add drop reasons
[ Upstream commit 42186e6c00352ce9df9e3f12b1ff82e61978d40b ]
Use existing helpers and drop reason codes for RAW input path.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: e622502c310f ("ipmr: fix kernel panic when forwarding mcast packets")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Salvatore Dipietro
|
90fba981ca |
tcp: Add memory barrier to tcp_push()
[ Upstream commit 7267e8dcad6b2f9fce05a6a06335d7040acbc2b6 ]
On CPUs with weak memory models, reads and updates performed by tcp_push
to the sk variables can get reordered leaving the socket throttled when
it should not. The tasklet running tcp_wfree() may also not observe the
memory updates in time and will skip flushing any packets throttled by
tcp_push(), delaying the sending. This can pathologically cause 40ms
extra latency due to bad interactions with delayed acks.
Adding a memory barrier in tcp_push removes the bug, similarly to the
previous commit |
||
Zhengchao Shao
|
b1e0a68a0c |
tcp: make sure init the accept_queue's spinlocks once
[ Upstream commit 198bc90e0e734e5f98c3d2833e8390cac3df61b2 ]
When I run syz's reproduction C program locally, it causes the following
issue:
pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!
WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)
Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908
RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900
RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff
R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000
R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000
FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0
Call Trace:
<IRQ>
_raw_spin_unlock (kernel/locking/spinlock.c:186)
inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)
inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)
tcp_check_req (net/ipv4/tcp_minisocks.c:868)
tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
ip_local_deliver_finish (net/ipv4/ip_input.c:234)
__netif_receive_skb_one_core (net/core/dev.c:5529)
process_backlog (./include/linux/rcupdate.h:779)
__napi_poll (net/core/dev.c:6533)
net_rx_action (net/core/dev.c:6604)
__do_softirq (./arch/x86/include/asm/jump_label.h:27)
do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)
</IRQ>
<TASK>
__local_bh_enable_ip (kernel/softirq.c:381)
__dev_queue_xmit (net/core/dev.c:4374)
ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)
__ip_queue_xmit (net/ipv4/ip_output.c:535)
__tcp_transmit_skb (net/ipv4/tcp_output.c:1462)
tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)
tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)
tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)
__release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)
release_sock (net/core/sock.c:3536)
inet_wait_for_connect (net/ipv4/af_inet.c:609)
__inet_stream_connect (net/ipv4/af_inet.c:702)
inet_stream_connect (net/ipv4/af_inet.c:748)
__sys_connect (./include/linux/file.h:45 net/socket.c:2064)
__x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)
do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
RIP: 0033:0x7fa10ff05a3d
Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48
RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d
RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640
R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20
</TASK>
The issue triggering process is analyzed as follows:
Thread A                                   Thread B
tcp_v4_rcv //receive ack TCP packet        inet_shutdown
  tcp_check_req                              tcp_disconnect //disconnect sock
  ...                                          tcp_set_state(sk, TCP_CLOSE)
    inet_csk_complete_hashdance            ...
      inet_csk_reqsk_queue_add             inet_listen //start listen
        spin_lock(&queue->rskq_lock)         inet_csk_listen_start
        ...                                    reqsk_queue_alloc
        ...                                      spin_lock_init
        spin_unlock(&queue->rskq_lock) //warning
When the socket receives the ACK packet during the three-way handshake,
it will hold spinlock. And then the user actively shutdowns the socket
and listens to the socket immediately, the spinlock will be initialized.
When the socket is going to release the spinlock, a warning is generated.
Also the same issue to fastopenq.lock.
Move init spinlock to inet_create and inet_accept to make sure init the
accept_queue's spinlocks once.
Fixes:
|
||
Pavel Tikhomirov
|
7ae19ee81c |
netfilter: bridge: replace physindev with physinif in nf_bridge_info
[ Upstream commit 9874808878d9eed407e3977fd11fee49de1e1d86 ]
An skb can be added to a neigh->arp_queue while waiting for an arp
reply. Where original skb's skb->dev can be different to neigh's
neigh->dev. For instance in case of bridging dnated skb from one veth to
another, the skb would be added to a neigh->arp_queue of the bridge.
As skb->dev can be reset back to nf_bridge->physindev and used, and as
there is no explicit mechanism that prevents this physindev from being
freed under us (for instance neigh_flush_dev doesn't clean up skbs from
different device's neigh queue) we can crash on e.g. this stack:
arp_process
neigh_update
skb = __skb_dequeue(&neigh->arp_queue)
neigh_resolve_output(..., skb)
...
br_nf_dev_xmit
br_nf_pre_routing_finish_bridge_slow
skb->dev = nf_bridge->physindev
br_handle_frame_finish
Let's use plain ifindex instead of net_device link. To peek into the
original net_device we will use dev_get_by_index_rcu(). Thus either we
get device and are safe to use it or we don't get it and drop skb.
Fixes:
|
||
Pavel Tikhomirov
|
754ca18ed3 |
netfilter: propagate net to nf_bridge_get_physindev
[ Upstream commit a54e72197037d2c9bfcd70dddaac8c8ccb5b41ba ] This is a preparation patch for replacing physindev with physinif on nf_bridge_info structure. We will use dev_get_by_index_rcu to resolve device, when needed, and it requires net to be available. Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Stable-dep-of: 9874808878d9 ("netfilter: bridge: replace physindev with physinif in nf_bridge_info") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric Dumazet
|
615501d41b |
udp: annotate data-races around up->pending
[ Upstream commit 482521d8e0c6520429478aa6866cd44128b33d5d ]
up->pending can be read without holding the socket lock,
as pointed out by syzbot [1]
Add READ_ONCE() in lockless contexts, and WRITE_ONCE()
on write side.
[1]
BUG: KCSAN: data-race in udpv6_sendmsg / udpv6_sendmsg
write to 0xffff88814e5eadf0 of 4 bytes by task 15547 on cpu 1:
udpv6_sendmsg+0x1405/0x1530 net/ipv6/udp.c:1596
inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:657
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x257/0x310 net/socket.c:2192
__do_sys_sendto net/socket.c:2204 [inline]
__se_sys_sendto net/socket.c:2200 [inline]
__x64_sys_sendto+0x78/0x90 net/socket.c:2200
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
read to 0xffff88814e5eadf0 of 4 bytes by task 15551 on cpu 0:
udpv6_sendmsg+0x22c/0x1530 net/ipv6/udp.c:1373
inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:657
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x37c/0x4d0 net/socket.c:2586
___sys_sendmsg net/socket.c:2640 [inline]
__sys_sendmmsg+0x269/0x500 net/socket.c:2726
__do_sys_sendmmsg net/socket.c:2755 [inline]
__se_sys_sendmmsg net/socket.c:2752 [inline]
__x64_sys_sendmmsg+0x57/0x60 net/socket.c:2752
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
value changed: 0x00000000 -> 0x0000000a
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 15551 Comm: syz-executor.1 Tainted: G W 6.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Fixes:
|
||
Eric Dumazet
|
9233a88f4b |
sctp: support MSG_ERRQUEUE flag in recvmsg()
[ Upstream commit 4746b36b1abe11ca32987b2d21e1e770deab17cc ] For some reason sctp_poll() generates EPOLLERR if sk->sk_error_queue is not empty but recvmsg() can not drain the error queue yet. This is needed to better support timestamping. I had to export inet_recv_error(), since sctp can be compiled as a module. Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Cc: Willem de Bruijn <willemb@google.com> Acked-by: Xin Long <lucien.xin@gmail.com> Link: https://lore.kernel.org/r/20231212145550.3872051-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: a562c0a2d651 ("sctp: fix busy polling") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Leone Fernando
|
f69365e3a7 |
ipmr: support IP_PKTINFO on cache report IGMP msg
[ Upstream commit bb7403655b3c3eb245d0ee330047cd3e20b3c4af ] In order to support IP_PKTINFO on those packets, we need to call ipv4_pktinfo_prepare. When sending mrouted/pimd daemons a cache report IGMP msg, it is unnecessary to set dst on the newly created skb. It used to be necessary on older versions until commit |
||
Greg Kroah-Hartman
|
a272a3f824 |
Revert "ipv4, ipv6: Use splice_eof() to flush"
This reverts commit
|
||
Greg Kroah-Hartman
|
f901cbd38f |
Revert "udp: introduce udp->udp_flags"
This reverts commit
|
||
Greg Kroah-Hartman
|
cef6c6be87 |
Revert "udp: move udp->no_check6_tx to udp->udp_flags"
This reverts commit
|
||
Greg Kroah-Hartman
|
8806a26646 |
Revert "udp: move udp->no_check6_rx to udp->udp_flags"
This reverts commit
|
||
Greg Kroah-Hartman
|
7b70acfd8e |
Revert "udp: move udp->gro_enabled to udp->udp_flags"
This reverts commit
|
||
Greg Kroah-Hartman
|
583a8f8204 |
Revert "udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags"
This reverts commit
|
||
Greg Kroah-Hartman
|
cdf5cfe6d1 |
Revert "udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO"
This reverts commit
|
||
Greg Kroah-Hartman
|
f9f95b82b2 |
Revert "udp: annotate data-races around udp->encap_type"
This reverts commit
|
||
Greg Kroah-Hartman
|
e1b12db2de |
Merge 6.1.72 into android14-6.1-lts
Changes in 6.1.72 keys, dns: Fix missing size check of V1 server-list header block: Don't invalidate pagecache for invalid falloc modes ALSA: hda/realtek: enable SND_PCI_QUIRK for hp pavilion 14-ec1xxx series ALSA: hda/realtek: fix mute/micmute LEDs for a HP ZBook ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP ProBook 440 G6 mptcp: prevent tcp diag from closing listener subflows Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()" drm/mgag200: Fix gamma lut not initialized for G200ER, G200EV, G200SE cifs: cifs_chan_is_iface_active should be called with chan_lock held cifs: do not depend on release_iface for maintaining iface_list KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL wifi: iwlwifi: pcie: don't synchronize IRQs from IRQ drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer netfilter: use skb_ip_totlen and iph_totlen netfilter: nf_tables: set transport offset from mac header for netdev/egress nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local octeontx2-af: Fix marking couple of structure as __packed drm/i915/dp: Fix passing the correct DPCD_REV for drm_dp_set_phy_test_pattern ice: Fix link_down_on_close message ice: Shut down VSI with "link-down-on-close" enabled i40e: Fix filter input checks to prevent config with invalid values igc: Report VLAN EtherType matching back to user igc: Check VLAN TCI mask igc: Check VLAN EtherType mask ASoC: fsl_rpmsg: Fix error handler with pm_runtime_enable ASoC: mediatek: mt8186: fix AUD_PAD_TOP register and offset mlxbf_gige: fix receive packet race condition net: sched: em_text: fix possible memory leak in em_text_destroy() r8169: Fix PCI error on system resume can: raw: add support for SO_MARK net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps net: annotate data-races around sk->sk_tsflags net: annotate data-races around sk->sk_bind_phc net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) selftests: bonding: do not set port down when 
adding to bond ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init sfc: fix a double-free bug in efx_probe_filters net: bcmgenet: Fix FCS generation for fragmented skbuffs netfilter: nft_immediate: drop chain reference counter on error net: Save and restore msg_namelen in sock_sendmsg i40e: fix use-after-free in i40e_aqc_add_filters() ASoC: meson: g12a-toacodec: Validate written enum values ASoC: meson: g12a-tohdmitx: Validate written enum values ASoC: meson: g12a-toacodec: Fix event generation ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux i40e: Restore VF MSI-X state during PCI reset igc: Fix hicredit calculation net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues net/smc: fix invalid link access in dumping SMC-R connections octeontx2-af: Always configure NIX TX link credits based on max frame size octeontx2-af: Re-enable MAC TX in otx2_stop processing asix: Add check for usbnet_get_endpoints net: ravb: Wait for operating mode to be applied bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters() net: Implement missing SO_TIMESTAMPING_NEW cmsg support selftests: secretmem: floor the memory size to the multiple of page_size cpu/SMT: Create topology_smt_thread_allowed() cpu/SMT: Make SMT control more robust against enumeration failures srcu: Fix callbacks acceleration mishandling bpf, x64: Fix tailcall infinite loop bpf, x86: Simplify the parsing logic of structure parameters bpf, x86: save/restore regs with BPF_DW size net: Declare MSG_SPLICE_PAGES internal sendmsg() flag udp: Convert udp_sendpage() to use MSG_SPLICE_PAGES splice, net: Add a splice_eof op to file-ops and socket-ops ipv4, ipv6: Use splice_eof() to flush udp: introduce udp->udp_flags udp: move udp->no_check6_tx to udp->udp_flags udp: move udp->no_check6_rx to udp->udp_flags udp: move udp->gro_enabled to udp->udp_flags udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO udp: annotate data-races around 
udp->encap_type wifi: iwlwifi: yoyo: swap cdb and jacket bits values arm64: dts: qcom: sdm845: align RPMh regulator nodes with bindings arm64: dts: qcom: sdm845: Fix PSCI power domain names fbdev: imsttfb: Release framebuffer and dealloc cmap on error path fbdev: imsttfb: fix double free in probe() bpf: decouple prune and jump points bpf: remove unnecessary prune and jump points bpf: Remove unused insn_cnt argument from visit_[func_call_]insn() bpf: clean up visit_insn()'s instruction processing bpf: Support new 32bit offset jmp instruction bpf: handle ldimm64 properly in check_cfg() bpf: fix precision backtracking instruction iteration blk-mq: make sure active queue usage is held for bio_integrity_prep() net/mlx5: Increase size of irq name buffer s390/mm: add missing arch_set_page_dat() call to vmem_crst_alloc() s390/cpumf: support user space events for counting f2fs: clean up i_compress_flag and i_compress_level usage f2fs: convert to use bitmap API f2fs: assign default compression level f2fs: set the default compress_level on ioctl selftests: mptcp: fix fastclose with csum failure selftests: mptcp: set FAILING_LINKS in run_tests media: camss: sm8250: Virtual channels for CSID media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater than 3 ext4: convert move_extent_per_page() to use folios khugepage: replace try_to_release_page() with filemap_release_folio() memory-failure: convert truncate_error_page() to use folio mm: merge folio_has_private()/filemap_release_folio() call pairs mm, netfs, fscache: stop read optimisation when folio removed from pagecache filemap: add a per-mapping stable writes flag block: update the stable_writes flag in bdev_add smb: client: fix missing mode bits for SMB symlinks net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats dpaa2-eth: recycle the RX buffer only after all processing done ethtool: don't propagate EOPNOTSUPP from dumps bpf, sockmap: af_unix stream sockets need to hold ref for pair sock firmware: 
arm_scmi: Fix frequency truncation by promoting multiplier type ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 genirq/affinity: Remove the 'firstvec' parameter from irq_build_affinity_masks genirq/affinity: Pass affinity managed mask array to irq_build_affinity_masks genirq/affinity: Don't pass irq_affinity_desc array to irq_build_affinity_masks genirq/affinity: Rename irq_build_affinity_masks as group_cpus_evenly genirq/affinity: Move group_cpus_evenly() into lib/ lib/group_cpus.c: avoid acquiring cpu hotplug lock in group_cpus_evenly mm/memory_hotplug: add missing mem_hotplug_lock mm/memory_hotplug: fix error handling in add_memory_resource() net: sched: call tcf_ct_params_free to free params in tcf_ct_init netfilter: flowtable: allow unidirectional rules netfilter: flowtable: cache info of last offload net/sched: act_ct: offload UDP NEW connections net/sched: act_ct: Fix promotion of offloaded unreplied tuple netfilter: flowtable: GC pushes back packets to classic path net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table octeontx2-af: Fix pause frame configuration octeontx2-af: Support variable number of lmacs btrfs: fix qgroup_free_reserved_data int overflow btrfs: mark the len field in struct btrfs_ordered_sum as unsigned ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg() firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards x86/kprobes: fix incorrect return address calculation in kprobe_emulate_call_indirect i2c: core: Fix atomic xfer check for non-preempt config mm: fix unmap_mapping_range high bits shift bug drm/amdgpu: skip gpu_info fw loading on navi12 drm/amd/display: add nv12 bounding box mmc: meson-mx-sdhc: Fix initialization frozen issue mmc: rpmb: fixes pause retune on all RPMB partitions. 
mmc: core: Cancel delayed work before releasing host mmc: sdhci-sprd: Fix eMMC init failure after hw reset genirq/affinity: Only build SMP-only helper functions on SMP kernels f2fs: compress: fix to assign compress_level for lz4 correctly net/sched: act_ct: additional checks for outdated flows net/sched: act_ct: Always fill offloading tuple iifidx bpf: Fix a verifier bug due to incorrect branch offset comparison with cpu=v4 bpf: syzkaller found null ptr deref in unix_bpf proto add media: qcom: camss: Comment CSID dt_id field smb3: Replace smb2pdu 1-element arrays with flex-arrays Revert "interconnect: qcom: sm8250: Enable sync_state" Linux 6.1.72 Change-Id: Id00eb2ae1159d4d5fa0ef914e672c5669cbf5b0a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
d3d46ac25c |
Merge 6.1.69 into android14-6.1-lts
Changes in 6.1.69 perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table r8152: add USB device driver for config selection r8152: add vendor/device ID pair for D-Link DUB-E250 r8152: add vendor/device ID pair for ASUS USB-C2500 powerpc/ftrace: Fix stack teardown in ftrace_no_trace ext4: fix warning in ext4_dio_write_end_io() ksmbd: fix memory leak in smb2_lock() afs: Fix refcount underflow from error handling race HID: lenovo: Restrict detection of patched firmware only to USB cptkbd net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX qca_debug: Prevent crash on TX ring changes qca_debug: Fix ethtool -G iface tx behavior qca_spi: Fix reset behavior bnxt_en: Clear resource reservation during resume bnxt_en: Save ring error counters across reset bnxt_en: Fix wrong return value check in bnxt_close_nic() bnxt_en: Fix HWTSTAMP_FILTER_ALL packet timestamp logic atm: solos-pci: Fix potential deadlock on &cli_queue_lock atm: solos-pci: Fix potential deadlock on &tx_queue_lock net: vlan: introduce skb_vlan_eth_hdr() net: fec: correct queue selection octeontx2-af: fix a use-after-free in rvu_nix_register_reporters octeontx2-pf: Fix promisc mcam entry action octeontx2-af: Update RSS algorithm index atm: Fix Use-After-Free in do_vcc_ioctl net/rose: Fix Use-After-Free in rose_ioctl iavf: Introduce new state machines for flow director iavf: Handle ntuple on/off based on new state machines for flow director qed: Fix a potential use-after-free in qed_cxt_tables_alloc net: Remove acked SYN flag from packet in the transmit queue correctly net: ena: Destroy correct number of xdp queues upon failure net: ena: Fix xdp drops handling due to multibuf packets net: ena: Fix XDP redirection error stmmac: dwmac-loongson: Make sure MDIO is initialized before use sign-file: Fix incorrect return values check vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() dpaa2-switch: 
fix size of the dma_unmap dpaa2-switch: do not ask for MDB, VLAN and FDB replay net: stmmac: Handle disabled MDIO busses from devicetree appletalk: Fix Use-After-Free in atalk_ioctl net: atlantic: fix double free in ring reinit logic cred: switch to using atomic_long_t fuse: dax: set fc->dax to NULL in fuse_dax_conn_free() ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants ALSA: hda/realtek: Apply mute LED quirk for HP15-db Revert "PCI: acpiphp: Reassign resources on bridge if necessary" PCI: loongson: Limit MRRS to 256 ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE drm/mediatek: Add spinlock for setting vblank event in atomic_begin x86/hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM usb: aqc111: check packet for fixup for true limit stmmac: dwmac-loongson: Add architecture dependency blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!" blk-cgroup: bypass blkcg_deactivate_policy after destroying bcache: avoid oversize memory allocation by small stripe_size bcache: remove redundant assignment to variable cur_idx bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() bcache: avoid NULL checking to c->root in run_cache_set() nbd: fold nbd config initialization into nbd_alloc_config() nvme-auth: set explanation code for failure2 msgs nvme: catch errors from nvme_configure_metadata() selftests/bpf: fix bpf_loop_bench for new callback verification scheme LoongArch: Add dependency between vmlinuz.efi and vmlinux.efi LoongArch: Implement constant timer shutdown interface platform/x86: intel_telemetry: Fix kernel doc descriptions HID: glorious: fix Glorious Model I HID report HID: add ALWAYS_POLL quirk for Apple kb nbd: pass nbd_sock to nbd_read_reply() instead of index HID: hid-asus: reset the backlight brightness level on resume HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad asm-generic: qspinlock: fix queued_spin_value_unlocked() 
implementation net: usb: qmi_wwan: claim interface 4 for ZTE MF290 arm64: add dependency between vmlinuz.efi and Image HID: hid-asus: add const to read-only outgoing usb buffer perf: Fix perf_event_validate_size() lockdep splat btrfs: do not allow non subvolume root targets for snapshot soundwire: stream: fix NULL pointer dereference for multi_link ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify team: Fix use-after-free when an option instance allocation fails drm/amdgpu/sdma5.2: add begin/end_use ring callbacks dmaengine: stm32-dma: avoid bitfield overflow assertion mm/mglru: fix underprotected page cache mm/shmem: fix race in shmem_undo_range w/THP btrfs: free qgroup reserve when ORDERED_IOERR is set btrfs: don't clear qgroup reserved bit in release_folio drm/amdgpu: fix tear down order in amdgpu_vm_pt_free drm/amd/display: Disable PSR-SU on Parade 0803 TCON again drm/i915: Fix remapped stride with CCS on ADL+ smb: client: fix OOB in receive_encrypted_standard() smb: client: fix NULL deref in asn1_ber_decoder() smb: client: fix OOB in smb2_query_reparse_point() ring-buffer: Fix memory leak of free page tracing: Update snapshot buffer on resize if it is allocated ring-buffer: Do not update before stamp when switching sub-buffers ring-buffer: Have saved event hold the entire event ring-buffer: Fix writing to the buffer with max_data_size ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs ring-buffer: Do not try to put back write_stamp ring-buffer: Have rb_time_cmpxchg() set the msb counter too net: tls, update curr on splice as well r8152: avoid to change cfg for all devices r8152: remove rtl_vendor_mode function r8152: fix the autosuspend doesn't work Linux 6.1.69 Change-Id: I695d1d50ca8c00ff505505918bdc59ce9d29d479 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Eric Dumazet
|
158b71f3a9 |
udp: annotate data-races around udp->encap_type
[ Upstream commit 70a36f571362a8de8b8c02d21ae524fc776287f2 ]
syzbot/KCSAN complained about UDP_ENCAP_L2TPINUDP setsockopt() racing.
Add READ_ONCE()/WRITE_ONCE() to document races on this lockless field.
syzbot report was:
BUG: KCSAN: data-race in udp_lib_setsockopt / udp_lib_setsockopt
read-write to 0xffff8881083603fa of 1 bytes by task 16557 on cpu 0:
udp_lib_setsockopt+0x682/0x6c0
udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2779
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
__do_sys_setsockopt net/socket.c:2274 [inline]
__se_sys_setsockopt net/socket.c:2271 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read-write to 0xffff8881083603fa of 1 bytes by task 16554 on cpu 1:
udp_lib_setsockopt+0x682/0x6c0
udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2779
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
__do_sys_setsockopt net/socket.c:2274 [inline]
__se_sys_setsockopt net/socket.c:2271 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x01 -> 0x05
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 16554 Comm: syz-executor.5 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0
Fixes:
|
||
Eric Dumazet
|
8d929b6c11 |
udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO
[ Upstream commit ac9a7f4ce5dda1472e8f44096f33066c6ec1a3b4 ] Move udp->encap_enabled to udp->udp_flags. Add udp_test_and_set_bit() helper to allow lockless udp_tunnel_encap_enable() implementation. Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com> Stable-dep-of: 70a36f571362 ("udp: annotate data-races around udp->encap_type") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric Dumazet
|
b680a907d1 |
udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags
[ Upstream commit f5f52f0884a595ff99ab1a608643fe4025fca2d5 ] These are read locklessly, move them to udp_flags to fix data-races. Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com> Stable-dep-of: 70a36f571362 ("udp: annotate data-races around udp->encap_type") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric Dumazet
|
753886c0b9 |
udp: move udp->gro_enabled to udp->udp_flags
[ Upstream commit e1dc0615c6b08ef36414f08c011965b8fb56198b ]
syzbot reported that udp->gro_enabled can be read locklessly.
Use one atomic bit from udp->udp_flags.
Fixes:
|
||
Eric Dumazet
|
a01cff15cc |
udp: move udp->no_check6_rx to udp->udp_flags
[ Upstream commit bcbc1b1de884647aa0318bf74eb7f293d72a1e40 ]
syzbot reported that udp->no_check6_rx can be read locklessly.
Use one atomic bit from udp->udp_flags.
Fixes:
|
||
Eric Dumazet
|
50e41aa9ea |
udp: move udp->no_check6_tx to udp->udp_flags
[ Upstream commit a0002127cd746fcaa182ad3386ef6931c37f3bda ]
syzbot reported that udp->no_check6_tx can be read locklessly.
Use one atomic bit from udp->udp_flags
Fixes:
|
||
Eric Dumazet
|
e2a4392b61 |
udp: introduce udp->udp_flags
[ Upstream commit 81b36803ac139827538ac5ce4028e750a3c53f53 ] According to syzbot, it is time to use proper atomic flags for various UDP flags. Add udp_flags field, and convert udp->corkflag to first bit in it. Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com> Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
David Howells
|
2489502fb1 |
ipv4, ipv6: Use splice_eof() to flush
[ Upstream commit 1d7e4538a5463faa0b0e26a7a7b6bd68c7dfdd78 ] Allow splice to undo the effects of MSG_MORE after prematurely ending a splice/sendfile due to getting an EOF condition (->splice_read() returned 0) after splice had called sendmsg() with MSG_MORE set when the user didn't set MSG_MORE. For UDP, a pending packet will not be emitted if the socket is closed before it is flushed; with this change, it will be flushed by ->splice_eof(). For TCP, it's not clear that MSG_MORE is actually effective. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Link: https://lore.kernel.org/r/CAHk-=wh=V579PDYvkpnTobCLGczbgxpMgGmmhqiTyE34Cpi5Gg@mail.gmail.com/ Signed-off-by: David Howells <dhowells@redhat.com> cc: Kuniyuki Iwashima <kuniyu@amazon.com> cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com> cc: David Ahern <dsahern@kernel.org> cc: Jens Axboe <axboe@kernel.dk> cc: Matthew Wilcox <willy@infradead.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
David Howells
|
ac8c69e448 |
udp: Convert udp_sendpage() to use MSG_SPLICE_PAGES
[ Upstream commit 7ac7c987850c3ec617c778f7bd871804dc1c648d ] Convert udp_sendpage() to use sendmsg() with MSG_SPLICE_PAGES rather than directly splicing in the pages itself. This allows ->sendpage() to be replaced by something that can handle multiple multipage folios in a single transaction. Signed-off-by: David Howells <dhowells@redhat.com> cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com> cc: David Ahern <dsahern@kernel.org> cc: Jens Axboe <axboe@kernel.dk> cc: Matthew Wilcox <willy@infradead.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric Dumazet
|
c48fcb4f49 |
net: annotate data-races around sk->sk_tsflags
[ Upstream commit e3390b30a5dfb112e8e802a59c0f68f947b638b2 ]
sk->sk_tsflags can be read locklessly, add corresponding annotations.
Fixes:
|
||
Vadim Fedorenko
|
5d586f7ca0 |
net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps
[ Upstream commit 8ca5a5790b9a1ce147484d2a2c4e66d2553f3d6c ] When the feature was added it was enabled for SW timestamps only but with current hardware the same out-of-order timestamps can be seen. Let's expand the area for the feature to all types of timestamps. Signed-off-by: Vadim Fedorenko <vadfed@meta.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Stable-dep-of: 7f6ca95d16b9 ("net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
c9b484c69d |
This is the 6.1.68 stable release
Merge 6.1.68 into android14-6.1-lts Changes in 6.1.68 vdpa/mlx5: preserve CVQ vringh index hrtimers: Push pending hrtimers away from outgoing CPU earlier i2c: designware: Fix corrupted memory seen in the ISR netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test zstd: Fix array-index-out-of-bounds UBSAN warning tg3: Move the [rt]x_dropped counters to tg3_napi tg3: Increment tx_dropped in tg3_tso_bug() kconfig: fix memory leak from range properties drm/amdgpu: correct chunk_ptr to a pointer to chunk. 
x86: Introduce ia32_enabled() x86/coco: Disable 32-bit emulation by default on TDX and SEV x86/entry: Convert INT 0x80 emulation to IDTENTRY x86/entry: Do not allow external 0x80 interrupts x86/tdx: Allow 32-bit emulation by default dt: dt-extract-compatibles: Handle cfile arguments in generator function dt: dt-extract-compatibles: Don't follow symlinks when walking tree platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi code of: dynamic: Fix of_reconfig_get_state_change() return value documentation platform/x86: wmi: Skip blocks with zero instances ipv6: fix potential NULL deref in fib6_add() octeontx2-pf: Add missing mutex lock in otx2_get_pauseparam octeontx2-af: Check return value of nix_get_nixlf before using nixlf hv_netvsc: rndis_filter needs to select NLS r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE r8152: Add RTL8152_INACCESSIBLE checks to more loops r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash() r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1() r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en() mlxbf-bootctl: correctly identify secure boot with development keys platform/mellanox: Add null pointer checks for devm_kasprintf() platform/mellanox: Check devm_hwmon_device_register_with_groups() return value arcnet: restoring support for multiple Sohard Arcnet cards octeontx2-pf: consider both Rx and Tx packet stats for adaptive interrupt coalescing net: stmmac: fix FPE events losing xsk: Skip polling event check for unbound socket octeontx2-af: fix a use-after-free in rvu_npa_register_reporters i40e: Fix unexpected MFS warning message iavf: validate tx_coalesce_usecs even if rx_coalesce_usecs is zero net: bnxt: fix a potential use-after-free in bnxt_init_tc tcp: fix mid stream window clamp. 
ionic: fix snprintf format length warning ionic: Fix dim work handling in split interrupt mode ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() net: atlantic: Fix NULL dereference of skb pointer in net: hns: fix wrong head when modify the tx feature when sending packets net: hns: fix fake link up on xge port octeontx2-af: Adjust Tx credits when MCS external bypass is disabled octeontx2-af: Fix mcs sa cam entries size octeontx2-af: Fix mcs stats register address octeontx2-af: Add missing mcs flr handler call octeontx2-af: Update Tx link register range dt-bindings: interrupt-controller: Allow #power-domain-cells netfilter: nft_exthdr: add boolean DCCP option matching netfilter: nf_tables: fix 'exist' matching on bigendian arches netfilter: nf_tables: bail out on mismatching dynset and set expressions netfilter: nf_tables: validate family when identifying table via handle netfilter: xt_owner: Fix for unsafe access of sk->sk_socket tcp: do not accept ACK of bytes we never sent bpf: sockmap, updating the sg structure should also update curr psample: Require 'CAP_NET_ADMIN' when joining "packets" group drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group mm/damon/sysfs: eliminate potential uninitialized variable warning tee: optee: Fix supplicant based device enumeration RDMA/hns: Fix unnecessary err return when using invalid congest control algorithm RDMA/irdma: Do not modify to SQD on error RDMA/irdma: Add wait for suspend on SQD arm64: dts: rockchip: Expand reg size of vdec node for RK3328 arm64: dts: rockchip: Expand reg size of vdec node for RK3399 ASoC: fsl_sai: Fix no frame sync clock issue on i.MX8MP RDMA/rtrs-srv: Do not unconditionally enable irq RDMA/rtrs-clt: Start hb after path_up RDMA/rtrs-srv: Check return values while processing info request RDMA/rtrs-srv: Free srv_mr iu only when always_invalidate is true RDMA/rtrs-srv: Destroy path files after making sure no IOs in-flight RDMA/rtrs-clt: Fix the max_send_wr setting RDMA/rtrs-clt: 
Remove the warnings for req in_use check RDMA/bnxt_re: Correct module description string RDMA/irdma: Refactor error handling in create CQP RDMA/irdma: Fix UAF in irdma_sc_ccq_get_cqe_info() hwmon: (acpi_power_meter) Fix 4.29 MW bug ASoC: codecs: lpass-tx-macro: set active_decimator correct default value hwmon: (nzxt-kraken2) Fix error handling path in kraken2_probe() ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz RDMA/irdma: Avoid free the non-cqp_request scratch drm/bridge: tc358768: select CONFIG_VIDEOMODE_HELPERS arm64: dts: imx8mq: drop usb3-resume-missing-cas from usb arm64: dts: imx8mp: imx8mq: Add parkmode-disable-ss-quirk on DWC3 ARM: dts: imx6ul-pico: Describe the Ethernet PHY clock tracing: Fix a warning when allocating buffered events fails scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle() ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt ARM: dts: imx28-xea: Pass the 'model' property riscv: fix misaligned access handling of C.SWSP and C.SDSP md: introduce md_ro_state md: don't leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly() iommu: Avoid more races around device probe rethook: Use __rcu pointer for rethook::handler kprobes: consistent rcu api usage for kretprobe holder ASoC: amd: yc: Fix non-functional mic on ASUS E1504FA io_uring/af_unix: disable sending io_uring over sockets nvme-pci: Add sleep quirk for Kingston drives io_uring: fix mutex_unlock with unreferenced ctx ALSA: usb-audio: Add Pioneer DJM-450 mixer controls ALSA: pcm: fix out-of-bounds in snd_pcm_state_names ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5 ALSA: hda/realtek: add new Framework laptop to quirks ALSA: hda/realtek: Add Framework laptop 16 to quirks ring-buffer: Test last update in 32bit version of __rb_time_read() nilfs2: fix missing error check for sb_set_blocksize call nilfs2: prevent WARNING in 
nilfs_sufile_set_segment_usage() cgroup_freezer: cgroup_freezing: Check if not frozen checkstack: fix printed address tracing: Always update snapshot buffer size tracing: Disable snapshot buffer when stopping instance tracers tracing: Fix incomplete locking when disabling buffered events tracing: Fix a possible race when disabling buffered events packet: Move reference count in packet_sock to atomic_long_t r8169: fix rtl8125b PAUSE frames blasting when suspended regmap: fix bogus error on regcache_sync success platform/surface: aggregator: fix recv_buf() return value hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write mm: fix oops when filemap_map_pmd() without prealloc_pte powercap: DTPM: Fix missing cpufreq_cpu_put() calls md/raid6: use valid sector values to determine if an I/O should wait on the reshape arm64: dts: mediatek: mt7622: fix memory node warning check arm64: dts: mediatek: mt8183-kukui-jacuzzi: fix dsi unnecessary cells properties arm64: dts: mediatek: cherry: Fix interrupt cells for MT6360 on I2C7 arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names arm64: dts: mediatek: mt8195: Fix PM suspend/resume with venc clocks arm64: dts: mediatek: mt8183: Fix unit address for scp reserved memory arm64: dts: mediatek: mt8183: Move thermal-zones to the root node arm64: dts: mediatek: mt8183-evb: Fix unit_address_vs_reg warning on ntc binder: fix memory leaks of spam and pending work coresight: etm4x: Make etm4_remove_dev() return void coresight: etm4x: Remove bogous __exit annotation for some functions hwtracing: hisi_ptt: Add dummy callback pmu::read() misc: mei: client.c: return negative error code in mei_cl_write misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write LoongArch: BPF: Don't sign extend memory load operand LoongArch: BPF: Don't sign extend function return value ring-buffer: Force absolute timestamp on discard of event tracing: Set actual size after ring buffer resize tracing: Stop current tracer when resizing 
buffer parisc: Reduce size of the bug_table on 64-bit kernel by half parisc: Fix asm operand number out of range build error in bug table arm64: dts: mediatek: add missing space before { arm64: dts: mt8183: kukui: Fix underscores in node names perf: Fix perf_event_validate_size() x86/sev: Fix kernel crash due to late update to read-only ghcb_version gpiolib: sysfs: Fix error handling on failed export drm/amdgpu: fix memory overflow in the IB test drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c drm/amdgpu: correct the amdgpu runtime dereference usage count drm/amdgpu: Update ras eeprom support for smu v13_0_0 and v13_0_10 drm/amdgpu: Add EEPROM I2C address support for ip discovery drm/amdgpu: Remove redundant I2C EEPROM address drm/amdgpu: Decouple RAS EEPROM addresses from chips drm/amdgpu: Add support for RAS table at 0x40000 drm/amdgpu: Remove second moot switch to set EEPROM I2C address drm/amdgpu: Return from switch early for EEPROM I2C address drm/amdgpu: simplify amdgpu_ras_eeprom.c drm/amdgpu: Add I2C EEPROM support on smu v13_0_6 drm/amdgpu: Update EEPROM I2C address for smu v13_0_0 usb: gadget: f_hid: fix report descriptor allocation serial: 8250_dw: Add ACPI ID for Granite Rapids-D UART parport: Add support for Brainboxes IX/UC/PX parallel cards cifs: Fix non-availability of dedup breaking generic/304 Revert "xhci: Loosen RPM as default policy to cover for AMD xHC 1.1" smb: client: fix potential NULL deref in parse_dfs_referrals() usb: typec: class: fix typec_altmode_put_partner to put plugs ARM: PL011: Fix DMA support serial: sc16is7xx: address RX timeout interrupt errata serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt serial: 8250_omap: Add earlycon support for the AM654 UART controller devcoredump: Send uevent once devcd is ready x86/CPU/AMD: Check vendor in the AMD microcode callback USB: gadget: core: adjust uevent timing on gadget unbind cifs: Fix flushing, invalidation 
and file size with copy_file_range() cifs: Fix flushing, invalidation and file size with FICLONE MIPS: kernel: Clear FPU states when setting up kernel threads KVM: s390/mm: Properly reset no-dat KVM: SVM: Update EFER software model on CR0 trap for SEV-ES MIPS: Loongson64: Reserve vgabios memory on boot MIPS: Loongson64: Handle more memory types passed from firmware MIPS: Loongson64: Enable DMA noncoherent support netfilter: nft_set_pipapo: skip inactive elements during set walk riscv: Kconfig: Add select ARM_AMBA to SOC_STARFIVE drm/i915/display: Drop check for doublescan mode in modevalid drm/i915/lvds: Use REG_BIT() & co. drm/i915/sdvo: stop caching has_hdmi_monitor in struct intel_sdvo drm/i915: Skip some timing checks on BXT/GLK DSI transcoders Linux 6.1.68 Change-Id: I0a824071a80b24dc4a2e0077f305b7cac42235b8 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Dong Chenchen
|
55a43bae08 |
net: Remove acked SYN flag from packet in the transmit queue correctly
[ Upstream commit f99cd56230f56c8b6b33713c5be4da5d6766be1f ]
syzkaller report:
kernel BUG at net/core/skbuff.c:3452!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc4-00009-gbee0e7762ad2-dirty #135
RIP: 0010:skb_copy_and_csum_bits (net/core/skbuff.c:3452)
Call Trace:
icmp_glue_bits (net/ipv4/icmp.c:357)
__ip_append_data.isra.0 (net/ipv4/ip_output.c:1165)
ip_append_data (net/ipv4/ip_output.c:1362 net/ipv4/ip_output.c:1341)
icmp_push_reply (net/ipv4/icmp.c:370)
__icmp_send (./include/net/route.h:252 net/ipv4/icmp.c:772)
ip_fragment.constprop.0 (./include/linux/skbuff.h:1234 net/ipv4/ip_output.c:592 net/ipv4/ip_output.c:577)
__ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:295)
ip_output (net/ipv4/ip_output.c:427)
__ip_queue_xmit (net/ipv4/ip_output.c:535)
__tcp_transmit_skb (net/ipv4/tcp_output.c:1462)
__tcp_retransmit_skb (net/ipv4/tcp_output.c:3387)
tcp_retransmit_skb (net/ipv4/tcp_output.c:3404)
tcp_retransmit_timer (net/ipv4/tcp_timer.c:604)
tcp_write_timer (./include/linux/spinlock.h:391 net/ipv4/tcp_timer.c:716)
The panic issue was triggered by tcp simultaneous initiation.
The initiation process is as follows:
TCP A TCP B
1. CLOSED CLOSED
2. SYN-SENT --> <SEQ=100><CTL=SYN> ...
3. SYN-RECEIVED <-- <SEQ=300><CTL=SYN> <-- SYN-SENT
4. ... <SEQ=100><CTL=SYN> --> SYN-RECEIVED
5. SYN-RECEIVED --> <SEQ=100><ACK=301><CTL=SYN,ACK> ...
// TCP B: not send challenge ack for ack limit or packet loss
// TCP A: close
tcp_close
tcp_send_fin
if (!tskb && tcp_under_memory_pressure(sk))
tskb = skb_rb_last(&sk->tcp_rtx_queue); //pick SYN_ACK packet
TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN; // set FIN flag
6. FIN_WAIT_1 --> <SEQ=100><ACK=301><END_SEQ=102><CTL=SYN,FIN,ACK> ...
// TCP B: send challenge ack to SYN_FIN_ACK
7. ... <SEQ=301><ACK=101><CTL=ACK> <-- SYN-RECEIVED //challenge ack
// TCP A: <SND.UNA=101>
8. FIN_WAIT_1 --> <SEQ=101><ACK=301><END_SEQ=102><CTL=SYN,FIN,ACK> ... // retransmit panic
__tcp_retransmit_skb //skb->len=0
tcp_trim_head
len = tp->snd_una - TCP_SKB_CB(skb)->seq // len=101-100
__pskb_trim_head
skb->data_len -= len // skb->len=-1, wrap around
... ...
ip_fragment
icmp_glue_bits //BUG_ON
If we use tcp_trim_head() to remove acked SYN from packet that contains data
or other flags, skb->len will be incorrectly decremented. We can remove SYN
flag that has been acked from rtx_queue earlier than tcp_trim_head(), which
can fix the problem mentioned above.
Fixes:
|
||
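The length accounting from the trace above, as an added C model that is not the kernel's code and not the upstream patch: `struct seg`, `trim_head` and the two `retransmit_len_*` functions are hypothetical names, and the "fixed" path simply applies what the message describes (drop the acked SYN flag before trimming). The segment values are taken from steps 6 to 8 of the trace; the second case with payload is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG_FIN 0x01u
#define FLAG_SYN 0x02u
#define FLAG_ACK 0x10u

/* Simplified stand-in for an skb sitting in the retransmit queue. */
struct seg {
    uint32_t seq;      /* first sequence number covered */
    uint32_t end_seq;  /* one past the last sequence number covered */
    uint8_t  flags;
    uint32_t len;      /* payload bytes only; SYN and FIN carry none */
};

/* Wrap-safe "a is before b" for 32-bit sequence numbers. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* Removes n units from the head, treating every unit as a payload byte. */
static void trim_head(struct seg *s, uint32_t n)
{
    s->len -= n;   /* unsigned: wraps if n exceeds the payload length */
    s->seq += n;
}

/* Behaviour in the trace: the acked SYN is trimmed as if it were data. */
static uint32_t retransmit_len_unfixed(struct seg s, uint32_t snd_una)
{
    if (seq_before(s.seq, snd_una))
        trim_head(&s, snd_una - s.seq);
    return s.len;
}

/* Behaviour described by the message: clear the acked SYN first, so only
 * real payload bytes are ever passed to the trim step. */
static uint32_t retransmit_len_fixed(struct seg s, uint32_t snd_una)
{
    if ((s.flags & FLAG_SYN) && seq_before(s.seq, snd_una)) {
        s.flags = (uint8_t)(s.flags & ~FLAG_SYN);
        s.seq++;   /* the SYN occupied one sequence number, zero bytes */
    }
    if (seq_before(s.seq, snd_una))
        trim_head(&s, snd_una - s.seq);
    return s.len;
}

/* Step 6 of the trace: SYN,FIN,ACK with SEQ=100, END_SEQ=102, no payload. */
static struct seg syn_fin_ack(void)
{
    struct seg s = { 100, 102, FLAG_SYN | FLAG_FIN | FLAG_ACK, 0 };
    return s;
}

/* Constructed: a SYN that also carries 10 payload bytes. */
static struct seg syn_with_data(void)
{
    struct seg s = { 100, 111, FLAG_SYN | FLAG_ACK, 10 };
    return s;
}

int main(void)
{
    /* SND.UNA=101 after the challenge ACK in step 7. */
    printf("SYN+FIN, una=101: unfixed len=%u fixed len=%u\n",
           (unsigned)retransmit_len_unfixed(syn_fin_ack(), 101),
           (unsigned)retransmit_len_fixed(syn_fin_ack(), 101));
    /* SYN plus 3 payload bytes acked: 7 bytes must remain. */
    printf("SYN+data, una=104: unfixed len=%u fixed len=%u\n",
           (unsigned)retransmit_len_unfixed(syn_with_data(), 104),
           (unsigned)retransmit_len_fixed(syn_with_data(), 104));
    return 0;
}
```

The second case shows the quieter variant of the same defect: no wrap occurs, but one payload byte too many is removed.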
Greg Kroah-Hartman
|
6b1e1d37f1 |
This is the 6.1.66 stable release
Merge 6.1.66 into android14-6.1-lts Changes in 6.1.66 cifs: Fix FALLOC_FL_ZERO_RANGE by setting i_size if EOF moved cifs: Fix FALLOC_FL_INSERT_RANGE by setting i_size after EOF moved smb: client: report correct st_size for SMB and NFS symlinks pinctrl: avoid reload of p state in list iteration firewire: core: fix possible memory leak in create_units() mmc: sdhci-pci-gli: Disable LPM during initialization mmc: cqhci: Increase recovery halt timeout mmc: cqhci: Warn of halt or task clear failure mmc: cqhci: Fix task clearing in CQE error recovery mmc: block: Retry commands in CQE error recovery mmc: block: Do not lose cache flush during CQE error recovery mmc: block: Be sure to wait while busy in CQE error recovery ALSA: hda: Disable power-save on KONTRON SinglePC ALSA: hda/realtek: Headset Mic VREF to 100% ALSA: hda/realtek: Add supported ALC257 for ChromeOS dm-verity: align struct dm_verity_fec_io properly scsi: Change SCSI device boolean fields to single bit flags scsi: sd: Fix system start for ATA devices drm/amd: Enable PCIe PME from D3 drm/amdgpu: Force order between a read and write to the same address drm/amd/display: Include udelay when 
waiting for INBOX0 ACK drm/amd/display: Remove min_dst_y_next_start check for Z8 drm/amd/display: Use DRAM speed from validation for dummy p-state drm/amd/display: Update min Z8 residency time to 2100 for DCN314 drm/amd/display: fix ABM disablement dm verity: initialize fec io before freeing it dm verity: don't perform FEC for failed readahead IO nvme: check for valid nvme_identify_ns() before using it powercap: DTPM: Fix unneeded conversions to micro-Watts cpufreq/amd-pstate: Fix the return value of amd_pstate_fast_switch() dma-buf: fix check in dma_resv_add_fence bcache: revert replacing IS_ERR_OR_NULL with IS_ERR iommu/vt-d: Add MTL to quirk list to skip TE disabling KVM: PPC: Book3S HV: Fix KVM_RUN clobbering FP/VEC user registers powerpc: Don't clobber f0/vs0 during fp|altivec register save parisc: Mark ex_table entries 32-bit aligned in assembly.h parisc: Mark ex_table entries 32-bit aligned in uaccess.h parisc: Use natural CPU alignment for bug_table parisc: Mark lock_aligned variables 16-byte aligned on SMP parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes parisc: Mark jump_table naturally aligned parisc: Ensure 32-bit alignment on parisc unwind section parisc: Mark altinstructions read-only and 32-bit aligned btrfs: add dmesg output for first mount and last unmount of a filesystem btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod() btrfs: fix off-by-one when checking chunk map includes logical address btrfs: send: ensure send_fd is writable btrfs: make error messages more clear when getting a chunk map btrfs: fix 64bit compat send ioctl arguments not initializing version member Input: xpad - add HyperX Clutch Gladiate Support auxdisplay: hd44780: move cursor home after clear display command serial: sc16is7xx: Put IOControl register into regmap_volatile serial: sc16is7xx: add missing support for rs485 devicetree properties wifi: cfg80211: fix CQM for non-range use USB: xhci-plat: fix legacy PHY double init USB: core: Change configuration 
warnings to notices usb: config: fix iteration issue in 'usb_get_bos_descriptor()' ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet dpaa2-eth: increase the needed headroom to account for alignment uapi: propagate __struct_group() attributes to the container union selftests/net: ipsec: fix constant out of range selftests/net: fix a char signedness issue selftests/net: unix: fix unused variable compiler warning selftests/net: mptcp: fix uninitialized variable warnings octeontx2-af: Fix possible buffer overflow net: stmmac: xgmac: Disable FPE MMC interrupts octeontx2-pf: Fix adding mbox work queue entry when num_vfs > 64 octeontx2-af: Install TC filter rules in hardware based on priority octeontx2-pf: Restore TC ingress police rules when interface is up r8169: prevent potential deadlock in rtl8169_close ravb: Fix races between ravb_tx_timeout_work() and net related ops net: ravb: Check return value of reset_control_deassert() net: ravb: Use pm_runtime_resume_and_get() net: ravb: Make write access to CXR35 first before accessing other EMAC registers net: ravb: Start TX queues after HW initialization succeeded net: ravb: Stop DMA in case of failures on ravb_open() net: ravb: Keep reverse order of operations in ravb_remove() KVM: x86: Fix lapic timer interrupt lost after loading a snapshot. 
PCI: Lengthen reset delay for VideoPropulsion Torrent QN16e card octeontx2-af: Initialize 'cntr_val' to fix uninitialized symbol error PCI: qcom-ep: Add dedicated callback for writing to DBI2 registers fbdev: stifb: Make the STI next font pointer a 32-bit signed offset spi: Fix null dereference on suspend drm/amd/display: Restore rptr/wptr for DMCUB as workaround drm/amd/display: Guard against invalid RPTR/WPTR being set cpufreq: imx6q: don't warn for disabling a non-existing frequency cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily iommu/vt-d: Omit devTLB invalidation requests when TES=0 iommu/vt-d: Allocate pasid table in device probe path iommu/vt-d: Add device_block_translation() helper iommu/vt-d: Disable PCI ATS in legacy passthrough mode iommu/vt-d: Make context clearing consistent with context mapping drm/amd/pm: fix a memleak in aldebaran_tables_init mmc: core: add helpers mmc_regulator_enable/disable_vqmmc mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled drm/amd/display: Expand kernel doc for DC drm/amd/display: clean code-style issues in dcn30_set_mpc_shaper_3dlut drm/amd/display: Fix the delta clamping for shaper LUT drm/amd/display: Fix MPCC 1DLUT programming r8169: disable ASPM in case of tx timeout r8169: fix deadlock on RTL8125 in jumbo mtu mode xen: Allow platform PCI interrupt to be shared xen: simplify evtchn_do_upcall() call maze x86/xen: fix percpu vcpu_info allocation x86/apic/msi: Fix misconfigured non-maskable MSI quirk iomap: update ki_pos a little later in iomap_dio_complete Linux 6.1.66 Note, this merge point merges out the following two scsi changes due to them needing to be reverted due to abi breakage and reliance on previous commits that we have already reverted: |
||
Greg Kroah-Hartman
|
157836a2ab |
This is the 6.1.65 stable release
Merge 6.1.65 into android14-6.1-lts Changes in 6.1.65 afs: Fix afs_server_list to be cleaned up with RCU afs: Make error on cell lookup failure consistent with OpenAFS drm/panel: boe-tv101wum-nl6: Fine tune the panel power sequence drm/panel: auo,b101uan08.3: Fine tune the panel power sequence drm/panel: simple: Fix Innolux G101ICE-L01 bus flags drm/panel: simple: Fix Innolux G101ICE-L01 timings wireguard: use DEV_STATS_INC() octeontx2-pf: Fix memory leak during interface down ata: pata_isapnp: Add missing error check for devm_ioport_map() drm/i915: do not clean GT table on error path drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full HID: fix HID device resource race between HID core and debugging support ipv4: Correct/silence an endian warning in __ip_do_redirect net: usb: ax88179_178a: fix failed operations during ax88179_reset net/smc: avoid data corruption caused by decline arm/xen: fix xen_vcpu_info allocation alignment octeontx2-pf: Fix ntuple rule creation to direct packet to VF with higher Rx queue than its PF amd-xgbe: handle corner-case during sfp hotplug amd-xgbe: handle the corner-case during tx completion amd-xgbe: 
propagate the correct speed and duplex status net: axienet: Fix check for partial TX checksum afs: Return ENOENT if no cell DNS record can be found afs: Fix file locking on R/O volumes to operate in local mode mm,kfence: decouple kfence from page granularity mapping judgement arm64: mm: Fix "rodata=on" when CONFIG_RODATA_FULL_DEFAULT_ENABLED=y i40e: use ERR_PTR error print in i40e messages i40e: Fix adding unsupported cloud filters nvmet: nul-terminate the NQNs passed in the connect command USB: dwc3: qcom: fix resource leaks on probe deferral USB: dwc3: qcom: fix ACPI platform device leak lockdep: Fix block chain corruption cifs: minor cleanup of some headers smb3: allow dumping session and tcon id to improve stats analysis and debugging cifs: print last update time for interface list cifs: distribute channels across interfaces based on speed cifs: account for primary channel in the interface list cifs: fix leak of iface for primary channel MIPS: KVM: Fix a build warning about variable set but not used media: camss: Split power domain management media: camss: Convert to platform remove callback returning void media: qcom: Initialise V4L2 async notifier later media: qcom: camss: Fix V4L2 async notifier error path media: qcom: camss: Fix genpd cleanup ext4: add a new helper to check if es must be kept ext4: factor out __es_alloc_extent() and __es_free_extent() ext4: use pre-allocated es in __es_insert_extent() ext4: use pre-allocated es in __es_remove_extent() ext4: using nofail preallocation in ext4_es_remove_extent() ext4: using nofail preallocation in ext4_es_insert_delayed_block() ext4: using nofail preallocation in ext4_es_insert_extent() ext4: fix slab-use-after-free in ext4_es_insert_extent() ext4: make sure allocate pending entry not fail NFSD: Fix "start of NFS reply" pointer passed to nfsd_cache_update() NFSD: Fix checksum mismatches in the duplicate reply cache arm64: dts: imx8mn-var-som: add 20ms delay to ethernet regulator enable ACPI: resource: Skip 
IRQ override on ASUS ExpertBook B1402CVA swiotlb-xen: provide the "max_mapping_size" method bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce() md: fix bi_status reporting in md_end_clone_io bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up race io_uring/fs: consider link->flags when getting path for LINKAT s390/dasd: protect device queue against concurrent access USB: serial: option: add Luat Air72*U series products hv_netvsc: fix race of netvsc and VF register_netdevice hv_netvsc: Fix race of register_netdevice_notifier and VF register hv_netvsc: Mark VF as slave before exposing it to user-mode dm-delay: fix a race between delay_presuspend and delay_bio bcache: check return value from btree_node_alloc_replacement() bcache: prevent potential division by zero error bcache: fixup init dirty data errors bcache: fixup lock c->root error usb: cdnsp: Fix deadlock issue during using NCM gadget USB: serial: option: add Fibocom L7xx modules USB: serial: option: fix FM101R-GL defines USB: serial: option: don't claim interface 4 for ZTE MF290 usb: typec: tcpm: Skip hard reset when in error recovery USB: dwc2: write HCINT with INTMASK applied usb: dwc3: Fix default mode initialization usb: dwc3: set the dma max_seg_size USB: dwc3: qcom: fix software node leak on probe errors USB: dwc3: qcom: fix wakeup after probe deferral io_uring: fix off-by one bvec index Linux 6.1.65 Change-Id: Iea9267bee56905028a77d03c7fad8def8969246e Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Eric Dumazet
|
008b807fe4 |
tcp: do not accept ACK of bytes we never sent
[ Upstream commit 3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27 ]
This patch is based on a detailed report and ideas from Yepeng Pan
and Christian Rossow.
ACK seq validation is currently following RFC 5961 5.2 guidelines:
The ACK value is considered acceptable only if
it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
SND.NXT). All incoming segments whose ACK value doesn't satisfy the
above condition MUST be discarded and an ACK sent back. It needs to
be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a
duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK
acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an
ACK, drop the segment, and return". The "ignored" above implies that
the processing of the incoming data segment continues, which means
the ACK value is treated as acceptable. This mitigation makes the
ACK check more stringent since any ACK < SND.UNA wouldn't be
accepted, instead only ACKs that are in the range ((SND.UNA -
MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.
This can be refined for new (and possibly spoofed) flows,
by not accepting ACK for bytes that were never sent.
This greatly improves TCP security at a little cost.
I added a Fixes: tag to make sure this patch will reach stable trees,
even if the 'blamed' patch was adhering to the RFC.
tp->bytes_acked was added in linux-4.2
Following packetdrill test (courtesy of Yepeng Pan) shows
the issue at hand:
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1024) = 0
// ---------------- Handshake ------------------- //
// when window scale is set to 14 the window size can be extended to
// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet
// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)
// ,though this ack number acknowledges some data never
// sent by the server.
+0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14>
+0 > S. 0:0(0) ack 1 <...>
+0 < . 1:1(0) ack 1 win 65535
+0 accept(3, ..., ...) = 4
// For the established connection, we send an ACK packet,
// the ack packet uses ack number 1 - 1073725300 + 2^32,
// where 2^32 is used to wrap around.
// Note: we used 1073725300 instead of 1073725440 to avoid possible
// edge cases.
// 1 - 1073725300 + 2^32 = 3221241997
// Oops, old kernels happily accept this packet.
+0 < . 1:1001(1000) ack 3221241997 win 65535
// After the kernel fix the following will be replaced by a challenge ACK,
// and prior malicious frame would be dropped.
+0 > . 1:1(0) ack 1001
Fixes:
|
||
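The RFC 5961 acceptance range quoted in the message above and the refinement it describes, as an added C model that is not the kernel's code: `struct conn`, `classify_ack` and the verdict names are hypothetical, and clamping the window to the number of bytes already acknowledged is an assumption about how "not accepting ACK for bytes that were never sent" is applied, suggested by the message's mention of `tp->bytes_acked`. The ACK number and window scale are the ones from the packetdrill test; the second connection is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum ack_verdict {
    ACK_ACCEPT,        /* SND.UNA <= SEG.ACK <= SND.NXT */
    ACK_OLD_TOLERATED, /* below SND.UNA but inside the allowed look-back window */
    ACK_REJECT         /* outside the acceptable range: discard, answer with an ACK */
};

/* Sender-side state needed for the check (simplified). */
struct conn {
    uint32_t snd_una;      /* oldest unacknowledged sequence number */
    uint32_t snd_nxt;      /* next sequence number to be sent */
    uint32_t max_snd_wnd;  /* MAX.SND.WND: largest window the peer ever offered */
    uint64_t bytes_acked;  /* bytes the peer has acknowledged so far */
};

/* Wrap-safe "a is before b" for 32-bit sequence numbers. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/*
 * refine == false: (SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT, as quoted.
 * refine == true : the look-back window is additionally limited to the bytes
 *                  that were really sent and acknowledged (assumed clamp).
 */
static enum ack_verdict classify_ack(const struct conn *c, uint32_t seg_ack,
                                     bool refine)
{
    uint32_t window = c->max_snd_wnd;

    if (refine && c->bytes_acked < window)
        window = (uint32_t)c->bytes_acked;

    if (seq_before(c->snd_nxt, seg_ack))          /* acks data not yet sent */
        return ACK_REJECT;
    if (!seq_before(seg_ack, c->snd_una))         /* normal, in-range ACK */
        return ACK_ACCEPT;
    if (seq_before(seg_ack, c->snd_una - window)) /* older than the window */
        return ACK_REJECT;
    return ACK_OLD_TOLERATED;
}

/* State right after the handshake in the test: relative ISN 0, wscale 14,
 * nothing sent by the server yet. */
static struct conn fresh_conn(void)
{
    struct conn c = { 1, 1, 65535u << 14, 0 };
    return c;
}

/* Constructed: a connection that has had 5000 bytes acknowledged and has
 * 1000 more in flight. */
static struct conn busy_conn(void)
{
    struct conn c = { 5001, 6001, 65535u << 14, 5000 };
    return c;
}

int main(void)
{
    struct conn f = fresh_conn();
    uint32_t spoofed = 3221241997u; /* 1 - 1073725300 + 2^32, from the test */

    printf("RFC 5961 range only: %d\n", classify_ack(&f, spoofed, false));
    printf("with refinement    : %d\n", classify_ack(&f, spoofed, true));
    return 0;
}
```

On the fresh connection the look-back window collapses to zero under the refinement, so only `SEG.ACK == 1` is acceptable, while a long-lived connection still tolerates genuinely old duplicate ACKs.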
Shigeru Yoshida
|
64c78c57e3 |
ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
[ Upstream commit 80d875cfc9d3711a029f234ef7d680db79e8fa4b ]
In ipgre_xmit(), skb_pull() may fail even if pskb_inet_may_pull() returns
true. For example, applications can use PF_PACKET to create a malformed
packet with no IP header. This type of packet causes a problem such as
uninit-value access.
This patch ensures that skb_pull() can pull the required size by checking
the skb with pskb_network_may_pull() before skb_pull().
Fixes:
|