lineage-22.1
73174 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Fedor Pchelkin
|
50ee63b800 |
ipvs: avoid stat macros calls from preemptible context
[ Upstream commit d6938c1c76c64f42363d0d1f051e1b4641c2ad40 ]
Inside decrement_ttl() upon discovering that the packet ttl has exceeded,
__IP_INC_STATS and __IP6_INC_STATS macros can be called from preemptible
context having the following backtrace:
check_preemption_disabled: 48 callbacks suppressed
BUG: using __this_cpu_add() in preemptible [00000000] code: curl/1177
caller is decrement_ttl+0x217/0x830
CPU: 5 PID: 1177 Comm: curl Not tainted 6.7.0+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xbd/0xe0
check_preemption_disabled+0xd1/0xe0
decrement_ttl+0x217/0x830
__ip_vs_get_out_rt+0x4e0/0x1ef0
ip_vs_nat_xmit+0x205/0xcd0
ip_vs_in_hook+0x9b1/0x26a0
nf_hook_slow+0xc2/0x210
nf_hook+0x1fb/0x770
__ip_local_out+0x33b/0x640
ip_local_out+0x2a/0x490
__ip_queue_xmit+0x990/0x1d10
__tcp_transmit_skb+0x288b/0x3d10
tcp_connect+0x3466/0x5180
tcp_v4_connect+0x1535/0x1bb0
__inet_stream_connect+0x40d/0x1040
inet_stream_connect+0x57/0xa0
__sys_connect_file+0x162/0x1a0
__sys_connect+0x137/0x160
__x64_sys_connect+0x72/0xb0
do_syscall_64+0x6f/0x140
entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7fe6dbbc34e0
Use the corresponding preemption-aware variants: IP_INC_STATS and
IP6_INC_STATS.
Found by Linux Verification Center (linuxtesting.org).
Fixes:
|
||
Pablo Neira Ayuso
|
4a45e7e7d2 |
netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description
[ Upstream commit 113661e07460a6604aacc8ae1b23695a89e7d4b3 ]
It is still possible to set on the NFT_SET_CONCAT flag by specifying a
set size and no field description, report EINVAL in such case.
Fixes:
|
||
Pablo Neira Ayuso
|
b56bce52f9 |
netfilter: nf_tables: skip dead set elements in netlink dump
[ Upstream commit 6b1ca88e4bb63673dc9f9c7f23c899f22c3cb17a ]
Delete from packet path relies on the garbage collector to purge
elements with NFT_SET_ELEM_DEAD_BIT on.
Skip these dead elements from nf_tables_dump_setelem() path, I very
rarely see tests/shell/testcases/maps/typeof_maps_add_delete reports
[DUMP FAILED] showing a mismatch in the expected output with an element
that should not be there.
If the netlink dump happens before GC worker run, it might show dead
elements in the ruleset listing.
nft_rhash_get() already skips dead elements in nft_rhash_cmp(),
therefore, it already does not show the element when getting a single
element via netlink control plane.
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Pablo Neira Ayuso
|
9cb084df01 |
netfilter: nf_tables: do not allow mismatch field size and set key length
[ Upstream commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 ]
The set description provides the size of each field in the set whose sum
should not mismatch the set key length, bail out otherwise.
I did not manage to crash nft_set_pipapo with mismatch fields and set key
length so far, but this is UB which must be disallowed.
Fixes:
|
||
Pavel Tikhomirov
|
7ae19ee81c |
netfilter: bridge: replace physindev with physinif in nf_bridge_info
[ Upstream commit 9874808878d9eed407e3977fd11fee49de1e1d86 ]
An skb can be added to a neigh->arp_queue while waiting for an arp
reply. Where original skb's skb->dev can be different to neigh's
neigh->dev. For instance in case of bridging dnated skb from one veth to
another, the skb would be added to a neigh->arp_queue of the bridge.
As skb->dev can be reset back to nf_bridge->physindev and used, and as
there is no explicit mechanism that prevents this physindev from being
freed under us (for instance neigh_flush_dev doesn't cleanup skbs from
different device's neigh queue) we can crash on e.g. this stack:
arp_process
neigh_update
skb = __skb_dequeue(&neigh->arp_queue)
neigh_resolve_output(..., skb)
...
br_nf_dev_xmit
br_nf_pre_routing_finish_bridge_slow
skb->dev = nf_bridge->physindev
br_handle_frame_finish
Let's use plain ifindex instead of net_device link. To peek into the
original net_device we will use dev_get_by_index_rcu(). Thus either we
get device and are safe to use it or we don't get it and drop skb.
Fixes:
|
||
Pavel Tikhomirov
|
754ca18ed3 |
netfilter: propagate net to nf_bridge_get_physindev
[ Upstream commit a54e72197037d2c9bfcd70dddaac8c8ccb5b41ba ]
This is a preparation patch for replacing physindev with physinif on
nf_bridge_info structure. We will use dev_get_by_index_rcu to resolve
device, when needed, and it requires net to be available.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 9874808878d9 ("netfilter: bridge: replace physindev with physinif in nf_bridge_info")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Pavel Tikhomirov
|
3f1f505277 |
netfilter: nf_queue: remove excess nf_bridge variable
[ Upstream commit aeaa44075f8e49e2e0ad4507d925e690b7950145 ]
We don't really need nf_bridge variable here. And nf_bridge_info_exists
is better replacement for nf_bridge_info_get in case we are only
checking for existence.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 9874808878d9 ("netfilter: bridge: replace physindev with physinif in nf_bridge_info")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Pavel Tikhomirov
|
52d01a40b7 |
netfilter: nfnetlink_log: use proper helper for fetching physinif
[ Upstream commit c3f9fd54cd87233f53bdf0e191a86b3a5e960e02 ]
We don't use physindev in __build_packet_message except for getting
physinif from it. So let's switch to nf_bridge_get_physinif to get what
we want directly.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 9874808878d9 ("netfilter: bridge: replace physindev with physinif in nf_bridge_info")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Pablo Neira Ayuso
|
dfa01315c3 |
netfilter: nft_limit: do not ignore unsupported flags
[ Upstream commit 91a139cee1202a4599a380810d93c69b5bac6197 ]
Bail out if userspace provides unsupported flags, otherwise future
extensions to the limit expression will be silently ignored by the
kernel.
Fixes:
|
||
Pablo Neira Ayuso
|
f00f11aae1 |
netfilter: nf_tables: reject invalid set policy
[ Upstream commit 0617c3de9b4026b87be12b0cb5c35f42c7c66fcb ]
Report -EINVAL in case userspace provides an unsupported set backend
policy.
Fixes:
|
||
Paolo Abeni
|
2f32d518a1 |
mptcp: relax check on MPC passive fallback
[ Upstream commit c0f5aec28edf98906d28f08daace6522adf9ee7a ]
While testing the blamed commit below, I was able to miss (!)
packetdrill failures in the fastopen test-cases.
On passive fastopen the child socket is created by incoming TCP MPC syn,
allow for both MPC_SYN and MPC_ACK header.
Fixes: 724b00c12957 ("mptcp: refine opt_mp_capable determination")
Reviewed-by: Matthieu Baerts <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Eric Dumazet
|
615501d41b |
udp: annotate data-races around up->pending
[ Upstream commit 482521d8e0c6520429478aa6866cd44128b33d5d ]
up->pending can be read without holding the socket lock,
as pointed out by syzbot [1]
Add READ_ONCE() in lockless contexts, and WRITE_ONCE()
on write side.
[1]
BUG: KCSAN: data-race in udpv6_sendmsg / udpv6_sendmsg
write to 0xffff88814e5eadf0 of 4 bytes by task 15547 on cpu 1:
udpv6_sendmsg+0x1405/0x1530 net/ipv6/udp.c:1596
inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:657
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x257/0x310 net/socket.c:2192
__do_sys_sendto net/socket.c:2204 [inline]
__se_sys_sendto net/socket.c:2200 [inline]
__x64_sys_sendto+0x78/0x90 net/socket.c:2200
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
read to 0xffff88814e5eadf0 of 4 bytes by task 15551 on cpu 0:
udpv6_sendmsg+0x22c/0x1530 net/ipv6/udp.c:1373
inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:657
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x37c/0x4d0 net/socket.c:2586
___sys_sendmsg net/socket.c:2640 [inline]
__sys_sendmmsg+0x269/0x500 net/socket.c:2726
__do_sys_sendmmsg net/socket.c:2755 [inline]
__se_sys_sendmmsg net/socket.c:2752 [inline]
__x64_sys_sendmmsg+0x57/0x60 net/socket.c:2752
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
value changed: 0x00000000 -> 0x0000000a
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 15551 Comm: syz-executor.1 Tainted: G W 6.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Fixes:
|
||
Eric Dumazet
|
fdf3df297f |
mptcp: refine opt_mp_capable determination
[ Upstream commit 724b00c12957973656d312dce2a110c75ae2c680 ]
OPTIONS_MPTCP_MPC is a combination of three flags.
It would be better to be strict about testing what
flag is expected, at least for code readability.
mptcp_parse_option() already makes the distinction.
- subflow_check_req() should use OPTION_MPTCP_MPC_SYN.
- mptcp_subflow_init_cookie_req() should use OPTION_MPTCP_MPC_ACK.
- subflow_finish_connect() should use OPTION_MPTCP_MPC_SYNACK
- subflow_syn_recv_sock should use OPTION_MPTCP_MPC_ACK
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Fixes:
|
||
Eric Dumazet
|
c0749c8770 |
mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req()
[ Upstream commit 66ff70df1a919a066942844bb095d6fcb748d78d ]
syzbot reported that subflow_check_req() was using uninitialized data in
subflow_check_req() [1]
This is because mp_opt.token is only set when OPTION_MPTCP_MPJ_SYN is also set.
While we are at it, fix mptcp_subflow_init_cookie_req()
to test for OPTION_MPTCP_MPJ_ACK.
[1]
BUG: KMSAN: uninit-value in subflow_token_join_request net/mptcp/subflow.c:91 [inline]
BUG: KMSAN: uninit-value in subflow_check_req+0x1028/0x15d0 net/mptcp/subflow.c:209
subflow_token_join_request net/mptcp/subflow.c:91 [inline]
subflow_check_req+0x1028/0x15d0 net/mptcp/subflow.c:209
subflow_v6_route_req+0x269/0x410 net/mptcp/subflow.c:367
tcp_conn_request+0x153a/0x4240 net/ipv4/tcp_input.c:7164
subflow_v6_conn_request+0x3ee/0x510
tcp_rcv_state_process+0x2e1/0x4ac0 net/ipv4/tcp_input.c:6659
tcp_v6_do_rcv+0x11bf/0x1fe0 net/ipv6/tcp_ipv6.c:1669
tcp_v6_rcv+0x480b/0x4fb0 net/ipv6/tcp_ipv6.c:1900
ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
dst_input include/net/dst.h:461 [inline]
ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:314 [inline]
ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5532 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646
netif_receive_skb_internal net/core/dev.c:5732 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5791
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2020 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x8ef/0x1490 fs/read_write.c:584
ksys_write+0x20f/0x4c0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Local variable mp_opt created at:
subflow_check_req+0x6d/0x15d0 net/mptcp/subflow.c:145
subflow_v6_route_req+0x269/0x410 net/mptcp/subflow.c:367
CPU: 1 PID: 5924 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Fixes:
|
||
Eric Dumazet
|
51e4cb032d |
mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()
[ Upstream commit be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb ]
subflow_finish_connect() uses four fields (backup, join_id, thmac, none)
that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set
in mptcp_parse_option()
Fixes:
|
||
Eric Dumazet
|
081273082d |
mptcp: strict validation before using mp_opt->hmac
[ Upstream commit c1665273bdc7c201766c65e561c06711f2e050dc ]
mp_opt->hmac contains uninitialized data unless OPTION_MPTCP_MPJ_ACK
was set in mptcp_parse_option().
We must refine the condition before we call subflow_hmac_valid().
Fixes:
|
||
Eric Dumazet
|
67feafe7a3 |
mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN
[ Upstream commit 89e23277f9c16df6f9f9c1a1a07f8f132339c15c ]
mptcp_parse_option() currently sets OPTIONS_MPTCP_MPJ, for the three
possible cases handled for MPTCPOPT_MP_JOIN option.
OPTIONS_MPTCP_MPJ is the combination of three flags:
- OPTION_MPTCP_MPJ_SYN
- OPTION_MPTCP_MPJ_SYNACK
- OPTION_MPTCP_MPJ_ACK
This is a problem, because backup, join_id, token, nonce and/or hmac fields
could be left uninitialized in some cases.
Distinguish the three cases, as following patches will need this step.
Fixes:
|
||
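The failure mode behind the four MP_JOIN commits above, as an added userspace model (not code from these commits): a parser that reports the combined `OPTIONS_MPTCP_MPJ` mask lets a consumer read `token` after a SYN/ACK-shaped option that never wrote it. Flag bit values, the struct layout, the `strict` switch and the helper names are assumptions; option lengths follow RFC 8684.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag names come from the commit messages; the bit values are illustrative. */
#define OPTION_MPTCP_MPJ_SYN    (1u << 0)
#define OPTION_MPTCP_MPJ_SYNACK (1u << 1)
#define OPTION_MPTCP_MPJ_ACK    (1u << 2)
#define OPTIONS_MPTCP_MPJ (OPTION_MPTCP_MPJ_SYN | OPTION_MPTCP_MPJ_SYNACK | \
                           OPTION_MPTCP_MPJ_ACK)

/* MP_JOIN option lengths (kind and length bytes included), RFC 8684. */
#define MPJ_SYN_LEN    12
#define MPJ_SYNACK_LEN 16
#define MPJ_ACK_LEN    24
#define HMAC_LEN       20

/* Simplified model of the parsed-options struct (layout is an assumption). */
struct mp_opts {
    uint16_t suboptions;
    uint8_t  backup, join_id;
    uint32_t token, nonce;
    uint64_t thmac;
    uint8_t  hmac[HMAC_LEN];
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static uint64_t be64(const uint8_t *p)
{
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* ptr points just past the kind/length bytes. strict=0 models the old
 * behaviour (combined mask for every case), strict=1 one flag per case. */
void parse_mp_join(struct mp_opts *o, const uint8_t *ptr, int opsize, int strict)
{
    switch (opsize) {
    case MPJ_SYN_LEN:            /* writes backup, join_id, token, nonce */
        o->suboptions |= strict ? OPTION_MPTCP_MPJ_SYN : OPTIONS_MPTCP_MPJ;
        o->backup = ptr[0] & 1;
        o->join_id = ptr[1];
        o->token = be32(ptr + 2);
        o->nonce = be32(ptr + 6);
        break;
    case MPJ_SYNACK_LEN:         /* writes backup, join_id, thmac, nonce */
        o->suboptions |= strict ? OPTION_MPTCP_MPJ_SYNACK : OPTIONS_MPTCP_MPJ;
        o->backup = ptr[0] & 1;
        o->join_id = ptr[1];
        o->thmac = be64(ptr + 2);
        o->nonce = be32(ptr + 10);
        break;
    case MPJ_ACK_LEN:            /* writes hmac only */
        o->suboptions |= strict ? OPTION_MPTCP_MPJ_ACK : OPTIONS_MPTCP_MPJ;
        memcpy(o->hmac, ptr + 2, HMAC_LEN);
        break;
    }
}

/* Consumer that wants the join token. Returns 1 and stores the token when
 * the flag test says it is valid, 0 otherwise. */
int join_token(const uint8_t *ptr, int opsize, int strict, uint32_t *token)
{
    struct mp_opts o;

    memset(&o, 0xAA, sizeof(o)); /* stands in for uninitialised stack */
    o.suboptions = 0;            /* only the flag word is cleared up front */
    parse_mp_join(&o, ptr, opsize, strict);
    if (!(o.suboptions & (strict ? OPTION_MPTCP_MPJ_SYN : OPTIONS_MPTCP_MPJ)))
        return 0;
    *token = o.token;
    return 1;
}

/* Constructed sample options (bytes after kind/length). */
static const uint8_t SYN_OPT[10] = {
    0x10, 0x02, 0x11, 0x22, 0x33, 0x44, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t SYNACK_OPT[14] = {
    0x11, 0x02, 1, 2, 3, 4, 5, 6, 7, 8, 0xca, 0xfe, 0xf0, 0x0d };

int main(void)
{
    uint32_t t = 0;

    if (join_token(SYNACK_OPT, MPJ_SYNACK_LEN, 0, &t))
        printf("combined mask: token=0x%08x (never written by parser)\n",
               (unsigned)t);
    printf("strict, SYN/ACK option: accepted=%d\n",
           join_token(SYNACK_OPT, MPJ_SYNACK_LEN, 1, &t));
    if (join_token(SYN_OPT, MPJ_SYN_LEN, 1, &t))
        printf("strict, SYN option: token=0x%08x\n", (unsigned)t);
    return 0;
}
```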
Nicolas Dichtel
|
23f9749108 |
Revert "net: rtnetlink: Enslave device before bringing it up"
commit ec4ffd100ffb396eca13ebe7d18938ea80f399c3 upstream. This reverts commit |
||
Gui-Dong Han
|
96860d9ad4 |
Bluetooth: Fix atomicity violation in {min,max}_key_size_set
commit da9065caa594d19b26e1a030fd0cc27bd365d685 upstream.
In min_key_size_set():
if (val > hdev->le_max_key_size || val < SMP_MIN_ENC_KEY_SIZE)
return -EINVAL;
hci_dev_lock(hdev);
hdev->le_min_key_size = val;
hci_dev_unlock(hdev);
In max_key_size_set():
if (val > SMP_MAX_ENC_KEY_SIZE || val < hdev->le_min_key_size)
return -EINVAL;
hci_dev_lock(hdev);
hdev->le_max_key_size = val;
hci_dev_unlock(hdev);
The atomicity violation occurs due to concurrent execution of set_min and
set_max funcs. Consider a scenario where setmin writes a new, valid 'min'
value, and concurrently, setmax writes a value that is greater than the
old 'min' but smaller than the new 'min'. In this case, setmax might check
against the old 'min' value (before acquiring the lock) but write its
value after the 'min' has been updated by setmin. This leads to a
situation where the 'max' value ends up being smaller than the 'min'
value, which is an inconsistency.
This possible bug is found by an experimental static analysis tool
developed by our team, BassCheck[1]. This tool analyzes the locking APIs
to extract function pairs that can be concurrently executed, and then
analyzes the instructions in the paired functions to identify possible
concurrency bugs including data races and atomicity violations. The above
possible bug is reported when our tool analyzes the source code of
Linux 5.17.
To resolve this issue, it is suggested to encompass the validity checks
within the locked sections in both set_min and set_max funcs. The
modification ensures that the validation of 'val' against the
current min/max values is atomic, thus maintaining the integrity of the
settings. With this patch applied, our tool no longer reports the bug,
with the kernel configuration allyesconfig for x86_64. Due to the lack of
associated hardware, we cannot test the patch in runtime testing, and just
verify it according to the code logic.
[1] https://sites.google.com/view/basscheck/
Fixes:
|
||
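The interleaving described in the commit above, replayed deterministically in a userspace model, next to the check-under-lock form the message proposes. This is an added example, not the kernel patch: `struct key_limits`, the helper names and the use of a pthread mutex in place of `hci_dev_lock()` are assumptions, as are the bound values 7 and 16.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

/* SMP key-size bounds; the values 7 and 16 are assumed for this model. */
#define SMP_MIN_ENC_KEY_SIZE 7
#define SMP_MAX_ENC_KEY_SIZE 16

/* Hypothetical stand-in for hdev: two limits plus the lock guarding them. */
struct key_limits {
    pthread_mutex_t lock;   /* models hci_dev_lock()/hci_dev_unlock() */
    unsigned int min, max;  /* model le_min_key_size / le_max_key_size */
};

static void limits_init(struct key_limits *l)
{
    pthread_mutex_init(&l->lock, NULL);
    l->min = SMP_MIN_ENC_KEY_SIZE;
    l->max = SMP_MAX_ENC_KEY_SIZE;
}

/* Pre-fix shape, split into "check" and "store" so the replay below can
 * place the other writer between the two halves. */
static int unlocked_min_check(const struct key_limits *l, unsigned int val)
{
    return (val > l->max || val < SMP_MIN_ENC_KEY_SIZE) ? -EINVAL : 0;
}

static int unlocked_max_check(const struct key_limits *l, unsigned int val)
{
    return (val > SMP_MAX_ENC_KEY_SIZE || val < l->min) ? -EINVAL : 0;
}

static void locked_store(struct key_limits *l, unsigned int *field,
                         unsigned int val)
{
    pthread_mutex_lock(&l->lock);
    *field = val;
    pthread_mutex_unlock(&l->lock);
}

/* Replays the schedule from the commit message. Returns 1 if the final
 * state has max < min, 0 if the invariant held, -1 if a check failed. */
int replay_racy_interleaving(void)
{
    struct key_limits l;

    limits_init(&l);
    if (unlocked_max_check(&l, 8))   /* setmax(8) validates against old min 7 */
        return -1;
    if (unlocked_min_check(&l, 12))  /* setmin(12) runs to completion */
        return -1;
    locked_store(&l, &l.min, 12);
    locked_store(&l, &l.max, 8);     /* setmax resumes with a stale check */
    return l.max < l.min;
}

/* Post-fix shape: validation and store form one critical section. */
int fixed_min_set(struct key_limits *l, unsigned int val)
{
    int ret = 0;

    pthread_mutex_lock(&l->lock);
    if (val > l->max || val < SMP_MIN_ENC_KEY_SIZE)
        ret = -EINVAL;
    else
        l->min = val;
    pthread_mutex_unlock(&l->lock);
    return ret;
}

int fixed_max_set(struct key_limits *l, unsigned int val)
{
    int ret = 0;

    pthread_mutex_lock(&l->lock);
    if (val > SMP_MAX_ENC_KEY_SIZE || val < l->min)
        ret = -EINVAL;
    else
        l->max = val;
    pthread_mutex_unlock(&l->lock);
    return ret;
}

int main(void)
{
    struct key_limits l;
    int r;

    printf("racy replay leaves max < min: %d\n", replay_racy_interleaving());
    limits_init(&l);
    fixed_min_set(&l, 12);           /* the lock serialises the two writers */
    r = fixed_max_set(&l, 8);        /* the later one sees the new min */
    printf("fixed: setmax(8) after setmin(12) -> %d, min=%u max=%u\n",
           r, l.min, l.max);
    return 0;
}
```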
Pablo Neira Ayuso
|
a372f1d01b |
netfilter: nf_tables: check if catch-all set element is active in next generation
commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7 upstream.
When deactivating the catch-all set element, check the state in the next
generation that represents this transaction.
This bug was uncovered after the recent removal of the element busy mark
a2dd0233cbc4 ("netfilter: nf_tables: remove busy mark and gc batch API").
Fixes:
|
||
David Howells
|
66b3578797 |
keys, dns: Fix size check of V1 server-list header
commit acc657692aed438e9931438f8c923b2b107aebf9 upstream.
Fix the size check added to dns_resolver_preparse() for the V1 server-list
header so that it doesn't give EINVAL if the size supplied is the same as
the size of the header struct (which should be valid).
This can be tested with:
echo -n -e '\0\0\01\xff\0\0' | keyctl padd dns_resolver desc @p
which will give "add_key: Invalid argument" without this fix.
Fixes: 1997b3cb4217 ("keys, dns: Fix missing size check of V1 server-list header")
Reported-by: Pengfei Xu <pengfei.xu@intel.com>
Link: https://lore.kernel.org/r/ZZ4fyY4r3rqgZL+4@xpf.sh.intel.com/
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Eric Dumazet
|
62a1fedeb1 |
ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
[ Upstream commit d375b98e0248980681e5e56b712026174d617198 ]
syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.
Reading frag_off can only be done if we pulled enough bytes
to skb->head. Currently we might access garbage.
[1]
BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline]
xmit_one net/core/dev.c:3548 [inline]
dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
dst_output include/net/dst.h:451 [inline]
ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
slab_alloc_node mm/slub.c:3478 [inline]
__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027
kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098
__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655
pskb_may_pull_reason include/linux/skbuff.h:2673 [inline]
pskb_may_pull include/linux/skbuff.h:2681 [inline]
ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408
ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline]
xmit_one net/core/dev.c:3548 [inline]
dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
dst_output include/net/dst.h:451 [inline]
ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
CPU: 0 PID: 7345 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00024-gac865f00af29 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Fixes:
|
||
Tao Liu
|
0b5b831122 |
net/sched: act_ct: fix skb leak and crash on ooo frags
[ Upstream commit 3f14b377d01d8357eba032b4cabc8c1149b458b6 ]
act_ct adds skb->users before defragmentation. If frags arrive in order,
the last frag's reference is reset in:
inet_frag_reasm_prepare
skb_morph
which is not straightforward.
However when frags arrive out of order, nobody unrefs the last frag, and
all frags are leaked. The situation is even worse, as initiating packet
capture can lead to a crash[0] when skb has been cloned and shared at the
same time.
Fix the issue by removing skb_get() before defragmentation. act_ct
returns TC_ACT_CONSUMED when defrag failed or in progress.
[0]:
[ 843.804823] ------------[ cut here ]------------
[ 843.809659] kernel BUG at net/core/skbuff.c:2091!
[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP
[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2
[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022
[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89
[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202
[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820
[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00
[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000
[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880
[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900
[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000
[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0
[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 843.894229] PKRU: 55555554
[ 843.898539] Call Trace:
[ 843.902772] <IRQ>
[ 843.906922] ? __die_body+0x1e/0x60
[ 843.911032] ? die+0x3c/0x60
[ 843.915037] ? do_trap+0xe2/0x110
[ 843.918911] ? pskb_expand_head+0x2ac/0x300
[ 843.922687] ? do_error_trap+0x65/0x80
[ 843.926342] ? pskb_expand_head+0x2ac/0x300
[ 843.929905] ? exc_invalid_op+0x50/0x60
[ 843.933398] ? pskb_expand_head+0x2ac/0x300
[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20
[ 843.940226] ? pskb_expand_head+0x2ac/0x300
[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240
[ 843.946904] ip_defrag+0x5d4/0x870
[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]
[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]
[ 843.959657] tcf_action_exec+0xa1/0x160
[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]
[ 843.966010] ? skb_clone+0x53/0xc0
[ 843.969173] tcf_classify+0x24d/0x420
[ 843.972333] tc_run+0x8f/0xf0
[ 843.975465] __netif_receive_skb_core+0x67a/0x1080
[ 843.978634] ? dev_gro_receive+0x249/0x730
[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260
[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0
[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]
[ 843.991170] napi_complete_done+0x72/0x1a0
[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]
[ 843.997501] __napi_poll+0x25/0x1b0
[ 844.000627] net_rx_action+0x256/0x330
[ 844.003705] __do_softirq+0xb3/0x29b
[ 844.006718] irq_exit_rcu+0x9e/0xc0
[ 844.009672] common_interrupt+0x86/0xa0
[ 844.012537] </IRQ>
[ 844.015285] <TASK>
[ 844.017937] asm_common_interrupt+0x26/0x40
[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20
[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb f4 <fa> c3 0f 1f 00 89 fa ec 48 8b 05 ee 88 ed 00 a9 00 00 00 80 75 11
[ 844.028900] RSP: 0018:ffffc90000533e70 EFLAGS: 00000246
[ 844.031725] RAX: 0000000000004000 RBX: 0000000000000001 RCX: 0000000000000000
[ 844.034553] RDX: ffff889ffffc0000 RSI: ffffffff828b7f20 RDI: ffff88a090f45c64
[ 844.037368] RBP: ffff88a0901a2800 R08: ffff88a090f45c00 R09: 00000000000317c0
[ 844.040155] R10: 00ec812281150475 R11: ffff889fffff0e04 R12: ffffffff828b7fa0
[ 844.042962] R13: ffffffff828b7f20 R14: 0000000000000001 R15: 0000000000000000
[ 844.045819] acpi_idle_enter+0x7b/0xc0
[ 844.048621] cpuidle_enter_state+0x7f/0x430
[ 844.051451] cpuidle_enter+0x2d/0x40
[ 844.054279] do_idle+0x1d4/0x240
[ 844.057096] cpu_startup_entry+0x2a/0x30
[ 844.059934] start_secondary+0x104/0x130
[ 844.062787] secondary_startup_64_no_verify+0x16b/0x16b
[ 844.065674] </TASK>
Fixes:
|
||
Eric Dumazet
|
b91d31de9a |
sctp: fix busy polling
[ Upstream commit a562c0a2d651e040681b0bfce9b4d229ac3b0b8c ]
Busy polling while holding the socket lock makes little sense,
because incoming packets won't reach our receive queue.
Fixes:
|
||
Eric Dumazet
|
9233a88f4b |
sctp: support MSG_ERRQUEUE flag in recvmsg()
[ Upstream commit 4746b36b1abe11ca32987b2d21e1e770deab17cc ]
For some reason sctp_poll() generates EPOLLERR if sk->sk_error_queue
is not empty but recvmsg() can not drain the error queue yet.
This is needed to better support timestamping.
I had to export inet_recv_error(), since sctp
can be compiled as a module.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Cc: Willem de Bruijn <willemb@google.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/20231212145550.3872051-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: a562c0a2d651 ("sctp: fix busy polling")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
John Fastabend
|
3c0bd2b066 |
bpf: sockmap, fix proto update hook to avoid dup calls
[ Upstream commit 16b2f264983dc264c1560cc0170e760dec1bf54f ]
When sockets are added to a sockmap or sockhash we allocate and init a
psock. Then update the proto ops with sock_map_init_proto the flow is
sock_hash_update_common
sock_map_link
psock = sock_map_psock_get_checked() <-returns existing psock
sock_map_init_proto(sk, psock) <- updates sk_proto
If the socket is already in a map this results in the sock_map_init_proto
being called multiple times on the same socket. We do this because when
a socket is added to multiple maps this might result in a new set of BPF
programs being attached to the socket requiring an updated ops struct.
This creates a rule where it must be safe to call psock_update_sk_prot
multiple times. When we added a fix for UAF through unix sockets in patch
4dd9a38a753fc we broke this rule by adding a sock_hold in that path
to ensure the sock is not released. The result is if a af_unix stream sock
is placed in multiple maps it results in a memory leak because we call
sock_hold multiple times with only a single sock_put on it.
Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock")
Reported-by: Xingwei Lee <xrivendell7@gmail.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/r/20231221232327.43678-2-john.fastabend@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Luiz Augusto von Dentz
|
81f3b6ea31 |
Bluetooth: Fix bogus check for re-auth no supported with non-ssp
[ Upstream commit d03376c185926098cb4d668d6458801eb785c0a5 ] This reverts |
||
Florian Westphal
|
55c88a7efb |
netfilter: nf_tables: mark newset as dead on transaction abort
[ Upstream commit 08e4c8c5919fd405a4d709b4ba43d836894a26eb ]
If a transaction is aborted, we should mark the to-be-released NEWSET dead,
just like commit path does for DEL and DESTROYSET commands.
In both cases all remaining elements will be released via
set->ops->destroy().
The existing abort code does NOT post the actual release to the work queue.
Also the entire __nf_tables_abort() function is wrapped in gc_seq
begin/end pair.
Therefore, async gc worker will never try to release the pending set
elements, as gc sequence is always stale.
It might be possible to speed up transaction aborts via work queue too,
this would result in a race and a possible use-after-free.
So fix this before it becomes an issue.
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Arseniy Krasnov
|
542da27eac |
virtio/vsock: fix logic which reduces credit update messages
[ Upstream commit 93b80887668226180ea5f5349cc728ca6dc700ab ]
Add one more condition for sending credit update during dequeue from
stream socket: when number of bytes in the rx queue is smaller than
SO_RCVLOWAT value of the socket. This is actual for non-default value
of SO_RCVLOWAT (e.g. not 1) - idea is to "kick" peer to continue data
transmission, because we need at least SO_RCVLOWAT bytes in our rx
queue to wake up user for reading data (in corner case it is also
possible to stuck both tx and rx sides, this is why 'Fixes' is used).
Fixes:
|
||
Leone Fernando
|
f69365e3a7 |
ipmr: support IP_PKTINFO on cache report IGMP msg
[ Upstream commit bb7403655b3c3eb245d0ee330047cd3e20b3c4af ]
In order to support IP_PKTINFO on those packets, we need to call
ipv4_pktinfo_prepare.
When sending mrouted/pimd daemons a cache report IGMP msg, it is
unnecessary to set dst on the newly created skb.
It used to be necessary on older versions until commit
|
||
Peter Delevoryas
|
ac7c503bd5 |
net/ncsi: Fix netlink major/minor version numbers
[ Upstream commit 3084b58bfd0b9e4b5e034f31f31b42977db35f12 ]
The netlink interface for major and minor version numbers doesn't actually
return the major and minor version numbers.
It reports a u32 that contains the (major, minor, update, alpha1)
components as the major version number, and then alpha2 as the minor
version number.
For whatever reason, the u32 byte order was reversed (ntohl): maybe it was
assumed that the encoded value was a single big-endian u32, and alpha2 was
the minor version.
The correct way to get the supported NC-SI version from the network
controller is to parse the Get Version ID response as described in 8.4.44
of the NC-SI spec[1].
Get Version ID Response Packet Format
Bits
+--------+--------+--------+--------+
Bytes | 31..24 | 23..16 | 15..8 | 7..0 |
+-------+--------+--------+--------+--------+
| 0..15 | NC-SI Header |
+-------+--------+--------+--------+--------+
| 16..19| Response code | Reason code |
+-------+--------+--------+--------+--------+
|20..23 | Major | Minor | Update | Alpha1 |
+-------+--------+--------+--------+--------+
|24..27 | reserved | Alpha2 |
+-------+--------+--------+--------+--------+
| .... other stuff .... |
The major, minor, and update fields are all binary-coded decimal (BCD)
encoded [2]. The spec provides examples below the Get Version ID response
format in section 8.4.44.1, but for practical purposes, this is an example
from a live network card:
root@bmc:~# ncsi-util 0x15
NC-SI Command Response:
cmd: GET_VERSION_ID(0x15)
Response: COMMAND_COMPLETED(0x0000) Reason: NO_ERROR(0x0000)
Payload length = 40
20: 0xf1 0xf1 0xf0 0x00 <<<<<<<<< (major, minor, update, alpha1)
24: 0x00 0x00 0x00 0x00 <<<<<<<<< (_, _, _, alpha2)
28: 0x6d 0x6c 0x78 0x30
32: 0x2e 0x31 0x00 0x00
36: 0x00 0x00 0x00 0x00
40: 0x16 0x1d 0x07 0xd2
44: 0x10 0x1d 0x15 0xb3
48: 0x00 0x17 0x15 0xb3
52: 0x00 0x00 0x81 0x19
This should be parsed as "1.1.0".
"f" in the upper-nibble means to ignore it, contributing zero.
If both nibbles are "f", I think the whole field is supposed to be ignored.
Major and minor are "required", meaning they're not supposed to be "ff",
but the update field is "optional" so I think it can be ff. I think the
simplest thing to do is just set the major and minor to zero instead of
juggling some conditional logic or something.
bcd2bin() from "include/linux/bcd.h" seems to assume both nibbles are 0-9,
so I've provided a custom BCD decoding function.
Alpha1 and alpha2 are ISO/IEC 8859-1 encoded, which just means ASCII
characters as far as I can tell, although the full encoding table for
non-alphabetic characters is slightly different (I think).
I imagine the alpha fields are just supposed to be alphabetic characters,
but I haven't seen any network cards actually report a non-zero value for
either.
If people wrote software against this netlink behavior, and were parsing
the major and minor versions themselves from the u32, then this would
definitely break their code.
[1] https://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.0.0.pdf
[2] https://en.wikipedia.org/wiki/Binary-coded_decimal
[2] https://en.wikipedia.org/wiki/ISO/IEC_8859-1
Signed-off-by: Peter Delevoryas <peter@pjd.dev>
Fixes:
|
||
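The Get Version ID decoding described in the NC-SI commit message above, as an added example that is not code from the commit or the kernel. The function and macro names are hypothetical, the 16 header bytes in the sample are a constructed zero-filled placeholder, and treating every non-decimal nibble (not only "f") as zero is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets taken from the packet-format table in the commit message. */
#define NCSI_OFF_RESP_CODE 16
#define NCSI_OFF_MAJOR     20
#define NCSI_OFF_MINOR     21
#define NCSI_OFF_UPDATE    22
#define NCSI_OFF_ALPHA1    23
#define NCSI_OFF_ALPHA2    27
#define NCSI_VER_MIN_LEN   28   /* bytes 0..27 must be present */

struct ncsi_version {
    uint8_t major, minor, update;
    uint8_t alpha1, alpha2;     /* ISO/IEC 8859-1 characters, 0 if unused */
};

/*
 * Decode one BCD byte. A nibble of 0xf means "ignore", contributing zero,
 * so 0xf1 -> 1 and 0xff -> 0. Assumption: nibbles 0xa..0xe are handled the
 * same way instead of being rejected.
 */
uint8_t ncsi_bcd_to_bin(uint8_t x)
{
    uint8_t hi = x >> 4;
    uint8_t lo = x & 0x0f;

    hi = (hi < 10) ? hi : 0;
    lo = (lo < 10) ? lo : 0;
    return (uint8_t)(hi * 10 + lo);
}

/*
 * Parse the version fields out of a raw Get Version ID response.
 * Returns 0 on success, -1 if the buffer is missing or too short to hold
 * bytes 0..27, -2 if the response code is not COMMAND_COMPLETED (0x0000).
 */
int ncsi_parse_version(const uint8_t *pkt, size_t len, struct ncsi_version *out)
{
    uint16_t resp;

    if (!pkt || !out || len < NCSI_VER_MIN_LEN)
        return -1;

    resp = (uint16_t)((pkt[NCSI_OFF_RESP_CODE] << 8) | pkt[NCSI_OFF_RESP_CODE + 1]);
    if (resp != 0x0000)
        return -2;

    /* Each field is read byte by byte, so host byte order never matters. */
    out->major  = ncsi_bcd_to_bin(pkt[NCSI_OFF_MAJOR]);
    out->minor  = ncsi_bcd_to_bin(pkt[NCSI_OFF_MINOR]);
    out->update = ncsi_bcd_to_bin(pkt[NCSI_OFF_UPDATE]);
    out->alpha1 = pkt[NCSI_OFF_ALPHA1];
    out->alpha2 = pkt[NCSI_OFF_ALPHA2];
    return 0;
}

/* Render "major.minor.update"; returns snprintf()'s result. */
int ncsi_format_version(const struct ncsi_version *v, char *buf, size_t n)
{
    return snprintf(buf, n, "%u.%u.%u",
                    (unsigned)v->major, (unsigned)v->minor, (unsigned)v->update);
}

/* Bytes 16..27 follow the ncsi-util dump in the commit message. */
static const uint8_t sample_rsp[NCSI_VER_MIN_LEN] = {
    /* 0..15: NC-SI header, constructed zero-filled placeholder */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x00, 0x00, 0x00,   /* response code, reason code */
    0xf1, 0xf1, 0xf0, 0x00,   /* major, minor, update, alpha1 */
    0x00, 0x00, 0x00, 0x00,   /* reserved x3, alpha2 */
};

int main(void)
{
    struct ncsi_version v;
    char text[16];
    int rc = ncsi_parse_version(sample_rsp, sizeof(sample_rsp), &v);

    if (rc != 0) {
        fprintf(stderr, "parse failed: %d\n", rc);
        return 1;
    }
    ncsi_format_version(&v, text, sizeof(text));
    printf("NC-SI version %s\n", text);
    return 0;
}
```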
Olga Kornievskaia
|
b10370b1ea |
SUNRPC: fix _xprt_switch_find_current_entry logic
[ Upstream commit 98b4e5137504a5bd9346562b1310cdc13486603b ]
Fix the logic for picking current transport entry.
Fixes:
|
||
Gavrilov Ilia
|
321b3a5592 |
calipso: fix memory leak in netlbl_calipso_add_pass()
[ Upstream commit ec4e9d630a64df500641892f4e259e8149594a99 ]
If IPv6 support is disabled at boot (ipv6.disable=1),
the calipso_init() -> netlbl_calipso_ops_register() function isn't called,
and the netlbl_calipso_ops_get() function always returns NULL.
In this case, the netlbl_calipso_add_pass() function allocates memory
for the doi_def variable but doesn't free it with the calipso_doi_free().
BUG: memory leak
unreferenced object 0xffff888011d68180 (size 64):
comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s)
hex dump (first 32 bytes):
00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<...>] kmalloc include/linux/slab.h:552 [inline]
[<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]
[<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111
[<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739
[<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
[<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800
[<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515
[<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811
[<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
[<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339
[<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934
[<...>] sock_sendmsg_nosec net/socket.c:651 [inline]
[<...>] sock_sendmsg+0x157/0x190 net/socket.c:671
[<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342
[<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396
[<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429
[<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
[<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller
Fixes:
|
||
Todd Kjos
|
f27fc6ba23 | Merge "Merge tag 'android14-6.1.68_r00' into branch 'android14-6.1'" into android14-6.1 | ||
Sarannya S
|
0ce688d88a |
net: qrtr: ns: Return 0 if server port is not present
[ Upstream commit 9bf2e9165f90dc9f416af53c902be7e33930f728 ] When a 'DEL_CLIENT' message is received from the remote, the corresponding server port gets deleted. A DEL_SERVER message is then announced for this server. As part of handling the subsequent DEL_SERVER message, the name- server attempts to delete the server port which results in a '-ENOENT' error. The return value from server_del() is then propagated back to qrtr_ns_worker, causing excessive error prints. To address this, return 0 from control_cmd_del_server() without checking the return value of server_del(), since the above scenario is not an error case and hence server_del() doesn't have any other error return value. Signed-off-by: Sarannya Sasikumar <quic_sarannya@quicinc.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Judy Hsiao
|
f379394a78 |
neighbour: Don't let neigh_forced_gc() disable preemption for long
[ Upstream commit e5dc5afff62f3e97e86c3643ec9fcad23de4f2d3 ] We are seeing cases where neigh_cleanup_and_release() is called by neigh_forced_gc() many times in a row with preemption turned off. When running on a low powered CPU at a low CPU frequency, this has been measured to keep preemption off for ~10 ms. That's not great on a system with HZ=1000 which expects tasks to be able to schedule in with ~1ms latency. Suggested-by: Douglas Anderson <dianders@chromium.org> Signed-off-by: Judy Hsiao <judyhsiao@chromium.org> Reviewed-by: David Ahern <dsahern@kernel.org> Reviewed-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Douglas Anderson <dianders@chromium.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Ben Greear
|
d1d138c043 |
wifi: mac80211: handle 320 MHz in ieee80211_ht_cap_ie_to_sta_ht_cap
[ Upstream commit 00f7d153f3358a7c7e35aef66fcd9ceb95d90430 ] The new 320 MHz channel width wasn't handled, so connecting a station to a 320 MHz AP would limit the station to 20 MHz (on HT) after a warning, handle 320 MHz to fix that. Signed-off-by: Ben Greear <greearb@candelatech.com> Link: https://lore.kernel.org/r/20231109182201.495381-1-greearb@candelatech.com [write a proper commit message] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Johannes Berg
|
dd9465b108 |
wifi: cfg80211: lock wiphy mutex for rfkill poll
[ Upstream commit 8e2f6f2366219b3304b227bdd2f04b64c92e3e12 ] We want to guarantee the mutex is held for pretty much all operations, so ensure that here as well. Reported-by: syzbot+7e59a5bfc7a897247e18@syzkaller.appspotmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Edward Adam Davis
|
91edb0cd1b |
mptcp: fix uninit-value in mptcp_incoming_options
[ Upstream commit 237ff253f2d4f6307b7b20434d7cbcc67693298b ] Added initialization use_ack to mptcp_parse_option(). Reported-by: syzbot+b834a6b2decad004cfa1@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> Acked-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Joel Fernandes (Google)
|
4316bd568b |
UPSTREAM: net: Use call_rcu_hurry() for dst_release()
In a networking test on ChromeOS, kernels built with the new CONFIG_RCU_LAZY=y Kconfig option fail a networking test in the teardown phase.
This failure may be reproduced as follows: ip netns del <name>
The CONFIG_RCU_LAZY=y Kconfig option was introduced by earlier commits in this series for the benefit of certain battery-powered systems. This Kconfig option causes call_rcu() to delay its callbacks in order to batch them. This means that a given RCU grace period covers more callbacks, thus reducing the number of grace periods, in turn reducing the amount of energy consumed, which increases battery lifetime which can be a very good thing. This is not a subtle effect: In some important use cases, the battery lifetime is increased by more than 10%.
This CONFIG_RCU_LAZY=y option is available only for CPUs that offload callbacks, for example, CPUs mentioned in the rcu_nocbs kernel boot parameter passed to kernels built with CONFIG_RCU_NOCB_CPU=y.
Delaying callbacks is normally not a problem because most callbacks do nothing but free memory. If the system is short on memory, a shrinker will kick all currently queued lazy callbacks out of their laziness, thus freeing their memory in short order. Similarly, the rcu_barrier() function, which blocks until all currently queued callbacks are invoked, will also kick lazy callbacks, thus enabling rcu_barrier() to complete in a timely manner.
However, there are some cases where laziness is not a good option. For example, synchronize_rcu() invokes call_rcu(), and blocks until the newly queued callback is invoked. It would not be good for synchronize_rcu() to block for ten seconds, even on an idle system. Therefore, synchronize_rcu() invokes call_rcu_hurry() instead of call_rcu(). The arrival of a non-lazy call_rcu_hurry() callback on a given CPU kicks any lazy callbacks that might be already queued on that CPU. After all, if there is going to be a grace period, all callbacks might as well get full benefit from it.
Yes, this could be done the other way around by creating a call_rcu_lazy(), but earlier experience with this approach and feedback at the 2022 Linux Plumbers Conference shifted the approach to call_rcu() being lazy with call_rcu_hurry() for the few places where laziness is inappropriate.
Returning to the test failure, use of ftrace showed that this failure was caused by the added delays due to this new lazy behavior of call_rcu() in kernels built with CONFIG_RCU_LAZY=y.
Therefore, make dst_release() use call_rcu_hurry() in order to revert to the old test-failure-free behavior.
[ paulmck: Apply s/call_rcu_flush/call_rcu_hurry/ feedback from Tejun Heo. ]
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: David Ahern <dsahern@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: <netdev@vger.kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
(cherry picked from commit 483c26ff63f42e8898ed43aca0b9953bc91f0cd4)
Bug: 258241771
Signed-off-by: Joel Fernandes <joelaf@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/4909041
Reviewed-by: Sean Paul <sean@poorly.run>
Reviewed-by: Ross Zwisler <zwisler@google.com>
Reviewed-by: Vineeth Pillai <vineethrp@google.com>
Signed-off-by: Qais Yousef <qyousef@google.com>
Change-Id: Ifd64083bd210a9dfe94c179152f27d310c179507 |
||
Pablo Neira Ayuso
|
899194d7e9 |
UPSTREAM: netfilter: nf_tables: bail out on mismatching dynset and set expressions
[ Upstream commit 3701cd390fd731ee7ae8b8006246c8db82c72bea ]
If dynset expressions provided by userspace is larger than the declared
set expressions, then bail out.
Bug: 316085841
Fixes:
|
||
Greg Kroah-Hartman
|
8284d64954 |
Revert "ipv6: remove max_size check inline with ipv4"
This reverts commit
|
||
Greg Kroah-Hartman
|
a856aee341 |
Merge 6.1.73 into android14-6.1-lts
Changes in 6.1.73 Revert "nfsd: call nfsd_last_thread() before final nfsd_put()" Revert "nfsd: separate nfsd_last_thread() from nfsd_put()" ipv6: remove max_size check inline with ipv4 cifs: fix flushing folio regression for 6.1 backport Linux 6.1.73 Change-Id: I063d18cb43bb5cb406fdfc6d9b69a90ef1c0d1f9 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
732ef8a408 |
Merge branch 'android14-6.1' into branch 'android14-6.1-lts'
This syncs up the -lts branch with the changes in the non-lts branch, specifically needed for the ABI symbol updates to allow the build servers to keep running properly. Included in here are commits: * |
||
Jon Maxwell
|
0f22c8a6ef |
ipv6: remove max_size check inline with ipv4
commit af6d10345ca76670c1b7c37799f0d5576ccef277 upstream.
In ip6_dst_gc() replace:
if (entries > gc_thresh)
With:
if (entries > ops->gc_thresh)
Sending Ipv6 packets in a loop via a raw socket triggers an issue where a route is cloned by ip6_rt_cache_alloc() for each packet sent. This quickly consumes the Ipv6 max_size threshold which defaults to 4096 resulting in these warnings:
[1] 99.187805] dst_alloc: 7728 callbacks suppressed
[2] Route cache is full: consider increasing sysctl net.ipv6.route.max_size.
.
.
[300] Route cache is full: consider increasing sysctl net.ipv6.route.max_size.
When this happens the packet is dropped and sendto() gets a network is unreachable error:
remaining pkt 200557 errno 101
remaining pkt 196462 errno 101
.
.
remaining pkt 126821 errno 101
Implement David Ahern's suggestion to remove max_size check seeing that Ipv6 has a GC to manage memory usage. Ipv4 already does not check max_size.
Here are some memory comparisons for Ipv4 vs Ipv6 with the patch:
Test by running 5 instances of a program that sends UDP packets to a raw socket 5000000 times. Compare Ipv4 and Ipv6 performance with a similar program.
Ipv4:
Before test:
MemFree: 29427108 kB
Slab: 237612 kB
ip6_dst_cache 1912 2528 256 32 2 : tunables 0 0 0
xfrm_dst_cache 0 0 320 25 2 : tunables 0 0 0
ip_dst_cache 2881 3990 192 42 2 : tunables 0 0 0
During test:
MemFree: 29417608 kB
Slab: 247712 kB
ip6_dst_cache 1912 2528 256 32 2 : tunables 0 0 0
xfrm_dst_cache 0 0 320 25 2 : tunables 0 0 0
ip_dst_cache 44394 44394 192 42 2 : tunables 0 0 0
After test:
MemFree: 29422308 kB
Slab: 238104 kB
ip6_dst_cache 1912 2528 256 32 2 : tunables 0 0 0
xfrm_dst_cache 0 0 320 25 2 : tunables 0 0 0
ip_dst_cache 3048 4116 192 42 2 : tunables 0 0 0
Ipv6 with patch:
Errno 101 errors are not observed anymore with the patch.
Before test:
MemFree: 29422308 kB
Slab: 238104 kB
ip6_dst_cache 1912 2528 256 32 2 : tunables 0 0 0
xfrm_dst_cache 0 0 320 25 2 : tunables 0 0 0
ip_dst_cache 3048 4116 192 42 2 : tunables 0 0 0
During Test:
MemFree: 29431516 kB
Slab: 240940 kB
ip6_dst_cache 11980 12064 256 32 2 : tunables 0 0 0
xfrm_dst_cache 0 0 320 25 2 : tunables 0 0 0
ip_dst_cache 3048 4116 192 42 2 : tunables 0 0 0
After Test:
MemFree: 29441816 kB
Slab: 238132 kB
ip6_dst_cache 1902 2432 256 32 2 : tunables 0 0 0
xfrm_dst_cache 0 0 320 25 2 : tunables 0 0 0
ip_dst_cache 3048 4116 192 42 2 : tunables 0 0 0
Tested-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20230112012532.311021-1-jmaxwell37@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Cc: "Jitindar Singh, Suraj" <surajjs@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Kroah-Hartman
|
7aa979acec |
Revert "splice, net: Add a splice_eof op to file-ops and socket-ops"
This reverts commit
|
||
Greg Kroah-Hartman
|
a272a3f824 |
Revert "ipv4, ipv6: Use splice_eof() to flush"
This reverts commit
|
||
Greg Kroah-Hartman
|
f901cbd38f |
Revert "udp: introduce udp->udp_flags"
This reverts commit
|
||
Greg Kroah-Hartman
|
cef6c6be87 |
Revert "udp: move udp->no_check6_tx to udp->udp_flags"
This reverts commit
|
||
Greg Kroah-Hartman
|
8806a26646 |
Revert "udp: move udp->no_check6_rx to udp->udp_flags"
This reverts commit
|
||
Greg Kroah-Hartman
|
7b70acfd8e |
Revert "udp: move udp->gro_enabled to udp->udp_flags"
This reverts commit
|
||
Greg Kroah-Hartman
|
583a8f8204 |
Revert "udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags"
This reverts commit
|
||
Greg Kroah-Hartman
|
cdf5cfe6d1 |
Revert "udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO"
This reverts commit
|
||
Greg Kroah-Hartman
|
f9f95b82b2 |
Revert "udp: annotate data-races around udp->encap_type"
This reverts commit
|
||
Greg Kroah-Hartman
|
acd1add3c8 |
Revert "bpf, sockmap: af_unix stream sockets need to hold ref for pair sock"
This reverts commit
|
||
Greg Kroah-Hartman
|
e1b12db2de |
Merge 6.1.72 into android14-6.1-lts
Changes in 6.1.72 keys, dns: Fix missing size check of V1 server-list header block: Don't invalidate pagecache for invalid falloc modes ALSA: hda/realtek: enable SND_PCI_QUIRK for hp pavilion 14-ec1xxx series ALSA: hda/realtek: fix mute/micmute LEDs for a HP ZBook ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP ProBook 440 G6 mptcp: prevent tcp diag from closing listener subflows Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()" drm/mgag200: Fix gamma lut not initialized for G200ER, G200EV, G200SE cifs: cifs_chan_is_iface_active should be called with chan_lock held cifs: do not depend on release_iface for maintaining iface_list KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL wifi: iwlwifi: pcie: don't synchronize IRQs from IRQ drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer netfilter: use skb_ip_totlen and iph_totlen netfilter: nf_tables: set transport offset from mac header for netdev/egress nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local octeontx2-af: Fix marking couple of structure as __packed drm/i915/dp: Fix passing the correct DPCD_REV for drm_dp_set_phy_test_pattern ice: Fix link_down_on_close message ice: Shut down VSI with "link-down-on-close" enabled i40e: Fix filter input checks to prevent config with invalid values igc: Report VLAN EtherType matching back to user igc: Check VLAN TCI mask igc: Check VLAN EtherType mask ASoC: fsl_rpmsg: Fix error handler with pm_runtime_enable ASoC: mediatek: mt8186: fix AUD_PAD_TOP register and offset mlxbf_gige: fix receive packet race condition net: sched: em_text: fix possible memory leak in em_text_destroy() r8169: Fix PCI error on system resume can: raw: add support for SO_MARK net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps net: annotate data-races around sk->sk_tsflags net: annotate data-races around sk->sk_bind_phc net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) selftests: bonding: do not set port down when 
adding to bond ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init sfc: fix a double-free bug in efx_probe_filters net: bcmgenet: Fix FCS generation for fragmented skbuffs netfilter: nft_immediate: drop chain reference counter on error net: Save and restore msg_namelen in sock_sendmsg i40e: fix use-after-free in i40e_aqc_add_filters() ASoC: meson: g12a-toacodec: Validate written enum values ASoC: meson: g12a-tohdmitx: Validate written enum values ASoC: meson: g12a-toacodec: Fix event generation ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux i40e: Restore VF MSI-X state during PCI reset igc: Fix hicredit calculation net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues net/smc: fix invalid link access in dumping SMC-R connections octeontx2-af: Always configure NIX TX link credits based on max frame size octeontx2-af: Re-enable MAC TX in otx2_stop processing asix: Add check for usbnet_get_endpoints net: ravb: Wait for operating mode to be applied bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters() net: Implement missing SO_TIMESTAMPING_NEW cmsg support selftests: secretmem: floor the memory size to the multiple of page_size cpu/SMT: Create topology_smt_thread_allowed() cpu/SMT: Make SMT control more robust against enumeration failures srcu: Fix callbacks acceleration mishandling bpf, x64: Fix tailcall infinite loop bpf, x86: Simplify the parsing logic of structure parameters bpf, x86: save/restore regs with BPF_DW size net: Declare MSG_SPLICE_PAGES internal sendmsg() flag udp: Convert udp_sendpage() to use MSG_SPLICE_PAGES splice, net: Add a splice_eof op to file-ops and socket-ops ipv4, ipv6: Use splice_eof() to flush udp: introduce udp->udp_flags udp: move udp->no_check6_tx to udp->udp_flags udp: move udp->no_check6_rx to udp->udp_flags udp: move udp->gro_enabled to udp->udp_flags udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO udp: annotate data-races around 
udp->encap_type wifi: iwlwifi: yoyo: swap cdb and jacket bits values arm64: dts: qcom: sdm845: align RPMh regulator nodes with bindings arm64: dts: qcom: sdm845: Fix PSCI power domain names fbdev: imsttfb: Release framebuffer and dealloc cmap on error path fbdev: imsttfb: fix double free in probe() bpf: decouple prune and jump points bpf: remove unnecessary prune and jump points bpf: Remove unused insn_cnt argument from visit_[func_call_]insn() bpf: clean up visit_insn()'s instruction processing bpf: Support new 32bit offset jmp instruction bpf: handle ldimm64 properly in check_cfg() bpf: fix precision backtracking instruction iteration blk-mq: make sure active queue usage is held for bio_integrity_prep() net/mlx5: Increase size of irq name buffer s390/mm: add missing arch_set_page_dat() call to vmem_crst_alloc() s390/cpumf: support user space events for counting f2fs: clean up i_compress_flag and i_compress_level usage f2fs: convert to use bitmap API f2fs: assign default compression level f2fs: set the default compress_level on ioctl selftests: mptcp: fix fastclose with csum failure selftests: mptcp: set FAILING_LINKS in run_tests media: camss: sm8250: Virtual channels for CSID media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater than 3 ext4: convert move_extent_per_page() to use folios khugepage: replace try_to_release_page() with filemap_release_folio() memory-failure: convert truncate_error_page() to use folio mm: merge folio_has_private()/filemap_release_folio() call pairs mm, netfs, fscache: stop read optimisation when folio removed from pagecache filemap: add a per-mapping stable writes flag block: update the stable_writes flag in bdev_add smb: client: fix missing mode bits for SMB symlinks net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats dpaa2-eth: recycle the RX buffer only after all processing done ethtool: don't propagate EOPNOTSUPP from dumps bpf, sockmap: af_unix stream sockets need to hold ref for pair sock firmware: 
arm_scmi: Fix frequency truncation by promoting multiplier type ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 genirq/affinity: Remove the 'firstvec' parameter from irq_build_affinity_masks genirq/affinity: Pass affinity managed mask array to irq_build_affinity_masks genirq/affinity: Don't pass irq_affinity_desc array to irq_build_affinity_masks genirq/affinity: Rename irq_build_affinity_masks as group_cpus_evenly genirq/affinity: Move group_cpus_evenly() into lib/ lib/group_cpus.c: avoid acquiring cpu hotplug lock in group_cpus_evenly mm/memory_hotplug: add missing mem_hotplug_lock mm/memory_hotplug: fix error handling in add_memory_resource() net: sched: call tcf_ct_params_free to free params in tcf_ct_init netfilter: flowtable: allow unidirectional rules netfilter: flowtable: cache info of last offload net/sched: act_ct: offload UDP NEW connections net/sched: act_ct: Fix promotion of offloaded unreplied tuple netfilter: flowtable: GC pushes back packets to classic path net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table octeontx2-af: Fix pause frame configuration octeontx2-af: Support variable number of lmacs btrfs: fix qgroup_free_reserved_data int overflow btrfs: mark the len field in struct btrfs_ordered_sum as unsigned ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg() firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards x86/kprobes: fix incorrect return address calculation in kprobe_emulate_call_indirect i2c: core: Fix atomic xfer check for non-preempt config mm: fix unmap_mapping_range high bits shift bug drm/amdgpu: skip gpu_info fw loading on navi12 drm/amd/display: add nv12 bounding box mmc: meson-mx-sdhc: Fix initialization frozen issue mmc: rpmb: fixes pause retune on all RPMB partitions. 
mmc: core: Cancel delayed work before releasing host mmc: sdhci-sprd: Fix eMMC init failure after hw reset genirq/affinity: Only build SMP-only helper functions on SMP kernels f2fs: compress: fix to assign compress_level for lz4 correctly net/sched: act_ct: additional checks for outdated flows net/sched: act_ct: Always fill offloading tuple iifidx bpf: Fix a verifier bug due to incorrect branch offset comparison with cpu=v4 bpf: syzkaller found null ptr deref in unix_bpf proto add media: qcom: camss: Comment CSID dt_id field smb3: Replace smb2pdu 1-element arrays with flex-arrays Revert "interconnect: qcom: sm8250: Enable sync_state" Linux 6.1.72 Change-Id: Id00eb2ae1159d4d5fa0ef914e672c5669cbf5b0a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
1e63881f5c |
This is the 6.1.70 stable release
Merge 6.1.70 into android14-6.1-lts Changes in 6.1.70 kasan: disable kasan_non_canonical_hook() for HW tags bpf: Fix prog_array_map_poke_run map poke update HID: i2c-hid: acpi: Unify ACPI ID tables format HID: i2c-hid: Add IDEA5002 to i2c_hid_acpi_blacklist[] drm/amd/display: fix hw rotated modes when PSR-SU is enabled ARM: dts: dra7: Fix DRA7 L3 NoC node register size ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init reset: Fix crash when freeing non-existent optional resets s390/vx: fix save/restore of fpu kernel context wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock wifi: mac80211: check if the existing link config remains unchanged wifi: mac80211: mesh: check element parsing succeeded wifi: mac80211: mesh_plink: fix matches_local logic Revert "net/mlx5e: fix double free of encap_header in update funcs" Revert "net/mlx5e: fix double free of encap_header" net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() net/mlx5: Introduce and use opcode getter in command interface net/mlx5: Prevent high-rate FW commands from populating all slots net/mlx5: Re-organize mlx5_cmd struct net/mlx5e:
Fix a race in command alloc flow net/mlx5e: fix a potential double-free in fs_udp_create_groups net/mlx5: Fix fw tracer first block check net/mlx5e: Correct snprintf truncation handling for fw_version buffer net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and above octeontx2-pf: Fix graceful exit during PFC configuration failure net: Return error from sk_stream_wait_connect() if sk_wait_event() fails net: sched: ife: fix potential use-after-free ethernet: atheros: fix a memleak in atl1e_setup_ring_resources net/rose: fix races in rose_kill_by_device() Bluetooth: Fix deadlock in vhci_send_frame Bluetooth: hci_event: shut up a false-positive warning net: mana: select PAGE_POOL net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() afs: Fix the dynamic root's d_delete to always delete unused dentries afs: Fix dynamic root lookup DNS check net: check dev->gso_max_size in gso_features_check() keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry afs: Fix overwriting of result of DNS query afs: Fix use-after-free due to get/remove race in volume tree ASoC: hdmi-codec: fix missing report for jack initial status ASoC: fsl_sai: Fix channel swap issue on i.MX8MP i2c: aspeed: Handle the coalesced stop conditions with the start conditions. 
x86/xen: add CPU dependencies for 32-bit build pinctrl: at91-pio4: use dedicated lock class for IRQ gpiolib: cdev: add gpio_device locking wrapper around gpio_ioctl() nvme-pci: fix sleeping function called from interrupt context drm/i915/mtl: limit second scaler vertical scaling in ver >= 14 drm/i915: Relocate intel_atomic_setup_scalers() drm/i915: Fix intel_atomic_setup_scalers() plane_state handling drm/i915/dpt: Only do the POT stride remap when using DPT drm/i915/mtl: Add MTL for remapping CCS FBs drm/i915: Fix ADL+ tiled plane stride when the POT stride is smaller than the original interconnect: Treat xlate() returning NULL node as an error iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw interconnect: qcom: sm8250: Enable sync_state Input: ipaq-micro-keys - add error handling for devm_kmemdup scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma() iio: triggered-buffer: prevent possible freeing of wrong buffer ALSA: usb-audio: Increase delay in MOTU M quirk usb-storage: Add quirk for incorrect WP on Kingston DT Ultimate 3.0 G3 wifi: cfg80211: Add my certificate wifi: cfg80211: fix certs build to not depend on file order USB: serial: ftdi_sio: update Actisense PIDs constant names USB: serial: option: add Quectel EG912Y module support USB: serial: option: add Foxconn T99W265 with new baseline USB: serial: option: add Quectel RM500Q R13 firmware support ALSA: hda/realtek: Add quirk for ASUS ROG GV302XA Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg Bluetooth: L2CAP: Send reject on command corrupted request Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE Bluetooth: Add more enc key size check net: usb: ax88179_178a: avoid failed operations when device is disconnected Input: soc_button_array - add 
mapping for airplane mode button net: 9p: avoid freeing uninit memory in p9pdu_vreadf net: rfkill: gpio: set GPIO direction net: ks8851: Fix TX stall caused by TX buffer overrun dt-bindings: nvmem: mxs-ocotp: Document fsl,ocotp smb: client: fix OOB in cifsd when receiving compounded resps smb: client: fix potential OOB in cifs_dump_detail() smb: client: fix OOB in SMB2_query_info_init() smb: client: fix OOB in smbCalcSize() drm/i915: Reject async flips with bigjoiner 9p: prevent read overrun in protocol dump tracepoint RISC-V: Fix do_notify_resume / do_work_pending prototype loop: do not enforce max_loop hard limit by (new) default dm thin metadata: Fix ABBA deadlock by resetting dm_bufio_client Revert "drm/amd/display: Do not set DRR on pipe commit" btrfs: zoned: no longer count fresh BG region as zone unusable ubifs: fix possible dereference after free ublk: move ublk_cancel_dev() out of ub->mutex selftests: mptcp: join: fix subflow_send_ack lookup Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity" scsi: core: Always send batch on reset or error handling command tracing / synthetic: Disable events after testing in synth_event_gen_test_init() dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata() pinctrl: starfive: jh7100: ignore disabled device tree nodes bus: ti-sysc: Flush posted write only after srst_udelay gpio: dwapb: mask/unmask IRQ when disable/enale it lib/vsprintf: Fix %pfwf when current node refcount == 0 thunderbolt: Fix memory leak in margining_port_remove() KVM: arm64: vgic: Simplify kvm_vgic_destroy() KVM: arm64: vgic: Add a non-locking primitive for kvm_vgic_vcpu_destroy() KVM: arm64: vgic: Force vcpu vgic teardown on vcpu destroy x86/alternatives: Sync core before enabling interrupts mm/damon/core: make damon_start() waits until kdamond_fn() starts fuse: share lookup state between submount and its parent wifi: cfg80211: fix CQM for non-range use wifi: nl80211: fix deadlock in nl80211_set_cqm_rssi (6.6.x) 
loop: deprecate autoloading callback loop_probe() Linux 6.1.70 Change-Id: I72bfbd39ae932d290b13d6fdde8e6684a84ec9e1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
d3d46ac25c |
Merge 6.1.69 into android14-6.1-lts
Changes in 6.1.69 perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table r8152: add USB device driver for config selection r8152: add vendor/device ID pair for D-Link DUB-E250 r8152: add vendor/device ID pair for ASUS USB-C2500 powerpc/ftrace: Fix stack teardown in ftrace_no_trace ext4: fix warning in ext4_dio_write_end_io() ksmbd: fix memory leak in smb2_lock() afs: Fix refcount underflow from error handling race HID: lenovo: Restrict detection of patched firmware only to USB cptkbd net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX qca_debug: Prevent crash on TX ring changes qca_debug: Fix ethtool -G iface tx behavior qca_spi: Fix reset behavior bnxt_en: Clear resource reservation during resume bnxt_en: Save ring error counters across reset bnxt_en: Fix wrong return value check in bnxt_close_nic() bnxt_en: Fix HWTSTAMP_FILTER_ALL packet timestamp logic atm: solos-pci: Fix potential deadlock on &cli_queue_lock atm: solos-pci: Fix potential deadlock on &tx_queue_lock net: vlan: introduce skb_vlan_eth_hdr() net: fec: correct queue selection octeontx2-af: fix a use-after-free in rvu_nix_register_reporters octeontx2-pf: Fix promisc mcam entry action octeontx2-af: Update RSS algorithm index atm: Fix Use-After-Free in do_vcc_ioctl net/rose: Fix Use-After-Free in rose_ioctl iavf: Introduce new state machines for flow director iavf: Handle ntuple on/off based on new state machines for flow director qed: Fix a potential use-after-free in qed_cxt_tables_alloc net: Remove acked SYN flag from packet in the transmit queue correctly net: ena: Destroy correct number of xdp queues upon failure net: ena: Fix xdp drops handling due to multibuf packets net: ena: Fix XDP redirection error stmmac: dwmac-loongson: Make sure MDIO is initialized before use sign-file: Fix incorrect return values check vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() dpaa2-switch: 
fix size of the dma_unmap dpaa2-switch: do not ask for MDB, VLAN and FDB replay net: stmmac: Handle disabled MDIO busses from devicetree appletalk: Fix Use-After-Free in atalk_ioctl net: atlantic: fix double free in ring reinit logic cred: switch to using atomic_long_t fuse: dax: set fc->dax to NULL in fuse_dax_conn_free() ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants ALSA: hda/realtek: Apply mute LED quirk for HP15-db Revert "PCI: acpiphp: Reassign resources on bridge if necessary" PCI: loongson: Limit MRRS to 256 ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE drm/mediatek: Add spinlock for setting vblank event in atomic_begin x86/hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM usb: aqc111: check packet for fixup for true limit stmmac: dwmac-loongson: Add architecture dependency blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!" blk-cgroup: bypass blkcg_deactivate_policy after destroying bcache: avoid oversize memory allocation by small stripe_size bcache: remove redundant assignment to variable cur_idx bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() bcache: avoid NULL checking to c->root in run_cache_set() nbd: fold nbd config initialization into nbd_alloc_config() nvme-auth: set explanation code for failure2 msgs nvme: catch errors from nvme_configure_metadata() selftests/bpf: fix bpf_loop_bench for new callback verification scheme LoongArch: Add dependency between vmlinuz.efi and vmlinux.efi LoongArch: Implement constant timer shutdown interface platform/x86: intel_telemetry: Fix kernel doc descriptions HID: glorious: fix Glorious Model I HID report HID: add ALWAYS_POLL quirk for Apple kb nbd: pass nbd_sock to nbd_read_reply() instead of index HID: hid-asus: reset the backlight brightness level on resume HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad asm-generic: qspinlock: fix queued_spin_value_unlocked() 
implementation net: usb: qmi_wwan: claim interface 4 for ZTE MF290 arm64: add dependency between vmlinuz.efi and Image HID: hid-asus: add const to read-only outgoing usb buffer perf: Fix perf_event_validate_size() lockdep splat btrfs: do not allow non subvolume root targets for snapshot soundwire: stream: fix NULL pointer dereference for multi_link ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify team: Fix use-after-free when an option instance allocation fails drm/amdgpu/sdma5.2: add begin/end_use ring callbacks dmaengine: stm32-dma: avoid bitfield overflow assertion mm/mglru: fix underprotected page cache mm/shmem: fix race in shmem_undo_range w/THP btrfs: free qgroup reserve when ORDERED_IOERR is set btrfs: don't clear qgroup reserved bit in release_folio drm/amdgpu: fix tear down order in amdgpu_vm_pt_free drm/amd/display: Disable PSR-SU on Parade 0803 TCON again drm/i915: Fix remapped stride with CCS on ADL+ smb: client: fix OOB in receive_encrypted_standard() smb: client: fix NULL deref in asn1_ber_decoder() smb: client: fix OOB in smb2_query_reparse_point() ring-buffer: Fix memory leak of free page tracing: Update snapshot buffer on resize if it is allocated ring-buffer: Do not update before stamp when switching sub-buffers ring-buffer: Have saved event hold the entire event ring-buffer: Fix writing to the buffer with max_data_size ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs ring-buffer: Do not try to put back write_stamp ring-buffer: Have rb_time_cmpxchg() set the msb counter too net: tls, update curr on splice as well r8152: avoid to change cfg for all devices r8152: remove rtl_vendor_mode function r8152: fix the autosuspend doesn't work Linux 6.1.69 Change-Id: I695d1d50ca8c00ff505505918bdc59ce9d29d479 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
bb47960a9d |
Merge branch 'android14-6.1' into branch 'android14-6.1-lts'
This merges all of the latest changes in 'android14-6.1' into 'android14-6.1-lts' to get it to pass TH again due to new symbols being added. Included in here are the following commits: * |
||
Vinayak Yadawad
|
800cac4b33 |
FROMGIT: wifi: nl80211: Extend del pmksa support for SAE and OWE security
Current handling of del pmksa with SSID is limited to FILS security. In the current change the del pmksa support is extended to SAE/OWE security offloads as well. For OWE/SAE offloads, the PMK is generated and cached at driver/FW, so user app needs the capability to request cache deletion based on SSID for drivers supporting SAE/OWE offload.
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
Link: https://msgid.link/ecdae726459e0944c377a6a6f6cb2c34d2e057d0.1701262123.git.vinayak.yadawad@broadcom.com
[drop whitespace-damaged rdev_ops pointer completely, enabling tracing]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Bug: 301410304
(cherry picked from commit aa0887c4f18e280f8c2aa6964af602bd16c37f54 https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main)
Change-Id: Ia665b9760279eb77347e79c97d177cba3beaa107
Signed-off-by: Paul Chen <chenpaul@google.com> |
||
John Fastabend
|
a5c3f2b4ce |
bpf: syzkaller found null ptr deref in unix_bpf proto add
commit 8d6650646ce49e9a5b8c5c23eb94f74b1749f70f upstream.
I added logic to track the sock pair for stream_unix sockets so that we ensure lifetime of the sock matches the time a sockmap could reference the sock (see fixes tag). I forgot though that we allow af_unix unconnected sockets into a sock{map|hash} map.
This is problematic because the previous fix expected sk_pair() to exist and did not NULL check it. Because unconnected sockets have a NULL sk_pair this resulted in the NULL ptr dereference found by syzkaller.
BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
Call Trace:
<TASK>
...
sock_hold include/net/sock.h:777 [inline]
unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
sock_map_init_proto net/core/sock_map.c:190 [inline]
sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
We considered just checking for the null ptr and skipping taking a ref on the NULL peer sock. But, if the socket is then connected() after being added to the sockmap we can cause the original issue again. So instead this patch blocks adding af_unix sockets that are not in the ESTABLISHED state.
Reported-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+e8030702aefd3444fb9e@syzkaller.appspotmail.com
Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock")
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/20231201180139.328529-2-john.fastabend@gmail.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Vlad Buslov
|
7cbdf36eab |
net/sched: act_ct: Always fill offloading tuple iifidx
commit 9bc64bd0cd765f696fcd40fc98909b1f7c73b2ba upstream.
Referenced commit doesn't always set iifidx when offloading the flow to
hardware. Fix the following cases:
- nf_conn_act_ct_ext_fill() is called before extension is created with
nf_conn_act_ct_ext_add() in tcf_ct_act(). This can cause rule offload with
unspecified iifidx when connection is offloaded after only single
original-direction packet has been processed by tc data path. Always fill
the new nf_conn_act_ct_ext instance after creating it in
nf_conn_act_ct_ext_add().
- Offloading of unidirectional UDP NEW connections is now supported, but ct
flow iifidx field is not updated when connection is promoted to
bidirectional which can result in reply-direction iifidx being zero when
refreshing the connection. Fill in the extension and update flow iifidx
before calling flow_offload_refresh().
Fixes:
|
||
Vlad Buslov
|
2be4e8ac2d |
net/sched: act_ct: additional checks for outdated flows
commit a63b6622120cd03a304796dbccb80655b3a21798 upstream.
Current nf_flow_is_outdated() implementation considers any flow table flow which state diverged from its underlying CT connection status for teardown which can be problematic in the following cases:
- Flow has never been offloaded to hardware in the first place either because flow table has hardware offload disabled (flag NF_FLOWTABLE_HW_OFFLOAD is not set) or because it is still pending on 'add' workqueue to be offloaded for the first time. The former is incorrect, the latter generates excessive deletions and additions of flows.
- Flow is already pending to be updated on the workqueue. Tearing down such flows will also generate excessive removals from the flow table, especially on highly loaded system where the latency to re-offload a flow via 'add' workqueue can be quite high.
When considering a flow for teardown as outdated verify that it is both offloaded to hardware and doesn't have any pending updates.
Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple")
Reviewed-by: Paul Blakey <paulb@nvidia.com>
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Vlad Buslov
|
a29b15cc68 |
net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table
[ Upstream commit 125f1c7f26ffcdbf96177abe75b70c1a6ceb17bc ]
The referenced change added custom cleanup code to act_ct to delete any
callbacks registered on the parent block when deleting the
tcf_ct_flow_table instance. However, the underlying issue is that the
drivers don't obtain the reference to the tcf_ct_flow_table instance when
registering callbacks which means that not only driver callbacks may still
be on the table when deleting it but also that the driver can still have
pointers to its internal nf_flowtable and can use it concurrently which
results in either a warning in netfilter[0] or a use-after-free.
Fix the issue by taking a reference to the underlying struct
tcf_ct_flow_table instance when registering the callback and release the
reference when unregistering. Expose new API required for such reference
counting by adding two new callbacks to nf_flowtable_type and implementing
them for act_ct flowtable_ct type. This fixes the issue by extending the
lifetime of nf_flowtable until all users have unregistered.
[0]:
[106170.938634] ------------[ cut here ]------------
[106170.939111] WARNING: CPU: 21 PID: 3688 at include/net/netfilter/nf_flow_table.h:262 mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.940108] Modules linked in: act_ct nf_flow_table act_mirred act_skbedit act_tunnel_key vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa bonding openvswitch nsh rpcrdma rdma_ucm
ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_regis
try overlay mlx5_core
[106170.943496] CPU: 21 PID: 3688 Comm: kworker/u48:0 Not tainted 6.6.0-rc7_for_upstream_min_debug_2023_11_01_13_02 #1
[106170.944361] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[106170.945292] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]
[106170.945846] RIP: 0010:mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.946413] Code: 89 ef 48 83 05 71 a4 14 00 01 e8 f4 06 04 e1 48 83 05 6c a4 14 00 01 48 83 c4 28 5b 5d 41 5c 41 5d c3 48 83 05 d1 8b 14 00 01 <0f> 0b 48 83 05 d7 8b 14 00 01 e9 96 fe ff ff 48 83 05 a2 90 14 00
[106170.947924] RSP: 0018:ffff88813ff0fcb8 EFLAGS: 00010202
[106170.948397] RAX: 0000000000000000 RBX: ffff88811eabac40 RCX: ffff88811eabad48
[106170.949040] RDX: ffff88811eab8000 RSI: ffffffffa02cd560 RDI: 0000000000000000
[106170.949679] RBP: ffff88811eab8000 R08: 0000000000000001 R09: ffffffffa0229700
[106170.950317] R10: ffff888103538fc0 R11: 0000000000000001 R12: ffff88811eabad58
[106170.950969] R13: ffff888110c01c00 R14: ffff888106b40000 R15: 0000000000000000
[106170.951616] FS: 0000000000000000(0000) GS:ffff88885fd40000(0000) knlGS:0000000000000000
[106170.952329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[106170.952834] CR2: 00007f1cefd28cb0 CR3: 000000012181b006 CR4: 0000000000370ea0
[106170.953482] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[106170.954121] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[106170.954766] Call Trace:
[106170.955057] <TASK>
[106170.955315] ? __warn+0x79/0x120
[106170.955648] ? mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.956172] ? report_bug+0x17c/0x190
[106170.956537] ? handle_bug+0x3c/0x60
[106170.956891] ? exc_invalid_op+0x14/0x70
[106170.957264] ? asm_exc_invalid_op+0x16/0x20
[106170.957666] ? mlx5_del_flow_rules+0x10/0x310 [mlx5_core]
[106170.958172] ? mlx5_tc_ct_block_flow_offload_add+0x1240/0x1240 [mlx5_core]
[106170.958788] ? mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.959339] ? mlx5_tc_ct_del_ft_cb+0xc6/0x2b0 [mlx5_core]
[106170.959854] ? mapping_remove+0x154/0x1d0 [mlx5_core]
[106170.960342] ? mlx5e_tc_action_miss_mapping_put+0x4f/0x80 [mlx5_core]
[106170.960927] mlx5_tc_ct_delete_flow+0x76/0xc0 [mlx5_core]
[106170.961441] mlx5_free_flow_attr_actions+0x13b/0x220 [mlx5_core]
[106170.962001] mlx5e_tc_del_fdb_flow+0x22c/0x3b0 [mlx5_core]
[106170.962524] mlx5e_tc_del_flow+0x95/0x3c0 [mlx5_core]
[106170.963034] mlx5e_flow_put+0x73/0xe0 [mlx5_core]
[106170.963506] mlx5e_put_flow_list+0x38/0x70 [mlx5_core]
[106170.964002] mlx5e_rep_update_flows+0xec/0x290 [mlx5_core]
[106170.964525] mlx5e_rep_neigh_update+0x1da/0x310 [mlx5_core]
[106170.965056] process_one_work+0x13a/0x2c0
[106170.965443] worker_thread+0x2e5/0x3f0
[106170.965808] ? rescuer_thread+0x410/0x410
[106170.966192] kthread+0xc6/0xf0
[106170.966515] ? kthread_complete_and_exit+0x20/0x20
[106170.966970] ret_from_fork+0x2d/0x50
[106170.967332] ? kthread_complete_and_exit+0x20/0x20
[106170.967774] ret_from_fork_asm+0x11/0x20
[106170.970466] </TASK>
[106170.970726] ---[ end trace 0000000000000000 ]---
Fixes:
|
||
Pablo Neira Ayuso
|
2bb4ecb334 |
netfilter: flowtable: GC pushes back packets to classic path
[ Upstream commit 735795f68b37e9bb49f642407a0d49b1631ea1c7 ]
Since 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple"), flowtable GC pushes back flows with IPS_SEEN_REPLY back to classic path in every run, ie. every second. This is because of a new check for NF_FLOW_HW_ESTABLISHED which is specific of sched/act_ct.
In Netfilter's flowtable case, NF_FLOW_HW_ESTABLISHED never gets set on and IPS_SEEN_REPLY is unreliable since users decide when to offload the flow before, such bit might be set on at a later stage.
Fix it by adding a custom .gc handler that sched/act_ct can use to deal with its NF_FLOW_HW_ESTABLISHED bit.
Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple")
Reported-by: Vladimir Smelhaus <vl.sm@email.cz>
Reviewed-by: Paul Blakey <paulb@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Paul Blakey
|
df01de08b4 |
net/sched: act_ct: Fix promotion of offloaded unreplied tuple
[ Upstream commit 41f2c7c342d3adb1c4dd5f2e3dd831adff16a669 ]
Currently UNREPLIED and UNASSURED connections are added to the nf flow table. This causes the following connection packets to be processed by the flow table which then skips conntrack_in(), and thus such the connections will remain UNREPLIED and UNASSURED even if reply traffic is then seen. Even still, the unoffloaded reply packets are the ones triggering hardware update from new to established state, and if there aren't any to trigger an update and/or previous update was missed, hardware can get out of sync with sw and still mark packets as new.
Fix the above by:
1) Not skipping conntrack_in() for UNASSURED packets, but still refresh for hardware, as before the cited patch.
2) Try and force a refresh by reply-direction packets that update the hardware rules from new to established state.
3) Remove any bidirectional flows that didn't failed to update in hardware for re-insertion as bidirectional once any new packet arrives.
Fixes: 6a9bad0069cf ("net/sched: act_ct: offload UDP NEW connections")
Co-developed-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Paul Blakey <paulb@nvidia.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/1686313379-117663-1-git-send-email-paulb@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Vlad Buslov
|
87466a3745 |
net/sched: act_ct: offload UDP NEW connections
[ Upstream commit 6a9bad0069cf306f3df6ac53cf02438d4e15f296 ]
Modify the offload algorithm of UDP connections to the following:
- Offload NEW connection as unidirectional.
- When connection state changes to ESTABLISHED also update the hardware flow. However, in order to prevent act_ct from spamming offload add wq for every packet coming in reply direction in this state verify whether connection has already been updated to ESTABLISHED in the drivers. If that is the case, then skip flow_table and let conntrack handle such packets which will also allow conntrack to potentially promote the connection to ASSURED.
- When connection state changes to ASSURED set the flow_table flow NF_FLOW_HW_BIDIRECTIONAL flag which will cause refresh mechanism to offload the reply direction.
All other protocols have their offload algorithm preserved and are always offloaded as bidirectional.
Note that this change tries to minimize the load on flow_table add workqueue. First, it tracks the last ctinfo that was offloaded by using new flow 'NF_FLOW_HW_ESTABLISHED' flag and doesn't schedule the refresh for reply direction packets when the offloads have already been updated with current ctinfo. Second, when 'add' task executes on workqueue it always update the offload with current flow state (by checking 'bidirectional' flow flag and obtaining actual ctinfo/cookie through meta action instead of caching any of these from the moment of scheduling the 'add' work) preventing the need from scheduling more updates if state changed concurrently while the 'add' work was pending on workqueue.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Vlad Buslov
|
8b160f2fba |
netfilter: flowtable: cache info of last offload
[ Upstream commit 1a441a9b8be8849957a01413a144f84932c324cb ]
Modify flow table offload to cache the last ct info status that was passed to the driver offload callbacks by extending enum nf_flow_flags with new "NF_FLOW_HW_ESTABLISHED" flag. Set the flag if ctinfo was 'established' during last act_ct meta actions fill call. This infrastructure change is necessary to optimize promoting of UDP connections from 'new' to 'established' in following patches in this series.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Vlad Buslov
|
c29a7656f8 |
netfilter: flowtable: allow unidirectional rules
[ Upstream commit 8f84780b84d645d6e35467f4a6f3236b20d7f4b2 ]
Modify flow table offload to support unidirectional connections by extending enum nf_flow_flags with new "NF_FLOW_HW_BIDIRECTIONAL" flag. Only offload reply direction when the flag is set. This infrastructure change is necessary to support offloading UDP NEW connections in original direction in following patches in series.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Xin Long
|
e681f711e9 |
net: sched: call tcf_ct_params_free to free params in tcf_ct_init
[ Upstream commit 1913894100ca53205f2d56091cb34b8eba1de217 ]
This patch is to make the err path simple by calling tcf_ct_params_free(), so that it won't cause problems when more members are added into param and need freeing on the err path.
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
John Fastabend
|
90d1f74c3c |
bpf, sockmap: af_unix stream sockets need to hold ref for pair sock
[ Upstream commit 8866730aed5100f06d3d965c22f1c61f74942541 ]
AF_UNIX stream sockets are a paired socket. So sending on one of the pairs
will lookup the paired socket as part of the send operation. It is possible
however to put just one of the pairs in a BPF map. This currently increments
the refcnt on the sock in the sockmap to ensure it is not free'd by the
stack before sockmap cleans up its state and stops any skbs being sent/recv'd
to that socket.
But we missed a case. If the peer socket is closed it will be free'd by the
stack. However, the paired socket can still be referenced from BPF sockmap
side because we hold a reference there. Then if we are sending traffic through
BPF sockmap to that socket it will try to dereference the free'd pair in its
send logic creating a use after free. And following splat:
[59.900375] BUG: KASAN: slab-use-after-free in sk_wake_async+0x31/0x1b0
[59.901211] Read of size 8 at addr ffff88811acbf060 by task kworker/1:2/954
[...]
[59.905468] Call Trace:
[59.905787] <TASK>
[59.906066] dump_stack_lvl+0x130/0x1d0
[59.908877] print_report+0x16f/0x740
[59.910629] kasan_report+0x118/0x160
[59.912576] sk_wake_async+0x31/0x1b0
[59.913554] sock_def_readable+0x156/0x2a0
[59.914060] unix_stream_sendmsg+0x3f9/0x12a0
[59.916398] sock_sendmsg+0x20e/0x250
[59.916854] skb_send_sock+0x236/0xac0
[59.920527] sk_psock_backlog+0x287/0xaa0
To fix let BPF sockmap hold a refcnt on both the socket in the sockmap and its
paired socket. It wasn't obvious how to contain the fix to bpf_unix logic. The
primary problem with keeping this logic in bpf_unix was: In the sock close()
we could handle the deref by having a close handler. But, when we are destroying
the psock through a map delete operation we wouldn't have gotten any signal
through the proto struct other than it being replaced. If we do the deref from
the proto replace it's too early because we need to deref the sk_pair after the
backlog worker has been stopped.
Given all this it seems best to just cache it at the end of the psock and eat 8B
for the af_unix and vsock users. Notice dgram sockets are OK because they handle
locking already.
Fixes:
|
||
Jakub Kicinski
|
5ff1682fec |
ethtool: don't propagate EOPNOTSUPP from dumps
[ Upstream commit cbeb989e41f4094f54bec2cecce993f26f547bea ]
The default dump handler needs to clear ret before returning.
Otherwise if the last interface returns an inconsequential
error this error will propagate to user space.
This may confuse user space (ethtool CLI seems to ignore it,
but YNL doesn't). It will also terminate the dump early
for multi-skb dump, because netlink core treats EOPNOTSUPP
as a real error.
Fixes:
|
||
Eric Dumazet
|
158b71f3a9 |
udp: annotate data-races around udp->encap_type
[ Upstream commit 70a36f571362a8de8b8c02d21ae524fc776287f2 ]
syzbot/KCSAN complained about UDP_ENCAP_L2TPINUDP setsockopt() racing.
Add READ_ONCE()/WRITE_ONCE() to document races on this lockless field.
syzbot report was:
BUG: KCSAN: data-race in udp_lib_setsockopt / udp_lib_setsockopt
read-write to 0xffff8881083603fa of 1 bytes by task 16557 on cpu 0:
udp_lib_setsockopt+0x682/0x6c0
udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2779
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
__do_sys_setsockopt net/socket.c:2274 [inline]
__se_sys_setsockopt net/socket.c:2271 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read-write to 0xffff8881083603fa of 1 bytes by task 16554 on cpu 1:
udp_lib_setsockopt+0x682/0x6c0
udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2779
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
__do_sys_setsockopt net/socket.c:2274 [inline]
__se_sys_setsockopt net/socket.c:2271 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x01 -> 0x05
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 16554 Comm: syz-executor.5 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0
Fixes:
|
||
Eric Dumazet
|
8d929b6c11 |
udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO
[ Upstream commit ac9a7f4ce5dda1472e8f44096f33066c6ec1a3b4 ]
Move udp->encap_enabled to udp->udp_flags.
Add udp_test_and_set_bit() helper to allow lockless udp_tunnel_encap_enable() implementation.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 70a36f571362 ("udp: annotate data-races around udp->encap_type")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric Dumazet
|
b680a907d1 |
udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags
[ Upstream commit f5f52f0884a595ff99ab1a608643fe4025fca2d5 ]
These are read locklessly, move them to udp_flags to fix data-races.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 70a36f571362 ("udp: annotate data-races around udp->encap_type")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric Dumazet
|
753886c0b9 |
udp: move udp->gro_enabled to udp->udp_flags
[ Upstream commit e1dc0615c6b08ef36414f08c011965b8fb56198b ]
syzbot reported that udp->gro_enabled can be read locklessly.
Use one atomic bit from udp->udp_flags.
Fixes:
|
||
Eric Dumazet
|
a01cff15cc |
udp: move udp->no_check6_rx to udp->udp_flags
[ Upstream commit bcbc1b1de884647aa0318bf74eb7f293d72a1e40 ]
syzbot reported that udp->no_check6_rx can be read locklessly.
Use one atomic bit from udp->udp_flags.
Fixes:
|
||
Eric Dumazet
|
50e41aa9ea |
udp: move udp->no_check6_tx to udp->udp_flags
[ Upstream commit a0002127cd746fcaa182ad3386ef6931c37f3bda ]
syzbot reported that udp->no_check6_tx can be read locklessly.
Use one atomic bit from udp->udp_flags
Fixes:
|
||
Eric Dumazet
|
e2a4392b61 |
udp: introduce udp->udp_flags
[ Upstream commit 81b36803ac139827538ac5ce4028e750a3c53f53 ]
According to syzbot, it is time to use proper atomic flags for various UDP flags.
Add udp_flags field, and convert udp->corkflag to first bit in it.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
David Howells
|
2489502fb1 |
ipv4, ipv6: Use splice_eof() to flush
[ Upstream commit 1d7e4538a5463faa0b0e26a7a7b6bd68c7dfdd78 ]
Allow splice to undo the effects of MSG_MORE after prematurely ending a splice/sendfile due to getting an EOF condition (->splice_read() returned 0) after splice had called sendmsg() with MSG_MORE set when the user didn't set MSG_MORE.
For UDP, a pending packet will not be emitted if the socket is closed before it is flushed; with this change, it will be flushed by ->splice_eof().
For TCP, it's not clear that MSG_MORE is actually effective.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/CAHk-=wh=V579PDYvkpnTobCLGczbgxpMgGmmhqiTyE34Cpi5Gg@mail.gmail.com/
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Kuniyuki Iwashima <kuniyu@amazon.com>
cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
cc: David Ahern <dsahern@kernel.org>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
David Howells
|
4713b7c756 |
splice, net: Add a splice_eof op to file-ops and socket-ops
[ Upstream commit 2bfc66850952b6921b2033b09729ec59eabbc81d ]
Add an optional method, ->splice_eof(), to allow splice to indicate the premature termination of a splice to struct file_operations and struct proto_ops.
This is called if sendfile() or splice() encounters all of the following conditions inside splice_direct_to_actor():
(1) the user did not set SPLICE_F_MORE (splice only), and
(2) an EOF condition occurred (->splice_read() returned 0), and
(3) we haven't read enough to fulfill the request (ie. len > 0 still), and
(4) we have already spliced at least one byte.
A further patch will modify the behaviour of SPLICE_F_MORE to always be passed to the actor if either the user set it or we haven't yet read sufficient data to fulfill the request.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/CAHk-=wh=V579PDYvkpnTobCLGczbgxpMgGmmhqiTyE34Cpi5Gg@mail.gmail.com/
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
cc: Jens Axboe <axboe@kernel.dk>
cc: Christoph Hellwig <hch@lst.de>
cc: Al Viro <viro@zeniv.linux.org.uk>
cc: Matthew Wilcox <willy@infradead.org>
cc: Jan Kara <jack@suse.cz>
cc: Jeff Layton <jlayton@kernel.org>
cc: David Hildenbrand <david@redhat.com>
cc: Christian Brauner <brauner@kernel.org>
cc: Chuck Lever <chuck.lever@oracle.com>
cc: Boris Pismenny <borisp@nvidia.com>
cc: John Fastabend <john.fastabend@gmail.com>
cc: linux-mm@kvack.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags")
Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
David Howells
|
ac8c69e448 |
udp: Convert udp_sendpage() to use MSG_SPLICE_PAGES
[ Upstream commit 7ac7c987850c3ec617c778f7bd871804dc1c648d ] Convert udp_sendpage() to use sendmsg() with MSG_SPLICE_PAGES rather than directly splicing in the pages itself. This allows ->sendpage() to be replaced by something that can handle multiple multipage folios in a single transaction. Signed-off-by: David Howells <dhowells@redhat.com> cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com> cc: David Ahern <dsahern@kernel.org> cc: Jens Axboe <axboe@kernel.dk> cc: Matthew Wilcox <willy@infradead.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
David Howells
|
6bcc79a4e7 |
net: Declare MSG_SPLICE_PAGES internal sendmsg() flag
[ Upstream commit b841b901c452d92610f739a36e54978453528876 ] Declare MSG_SPLICE_PAGES, an internal sendmsg() flag, that hints to a network protocol that it should splice pages from the source iterator rather than copying the data if it can. This flag is added to a list that is cleared by sendmsg syscalls on entry. This is intended as a replacement for the ->sendpage() op, allowing a way to splice in several multipage folios in one go. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Willem de Bruijn <willemb@google.com> cc: Jens Axboe <axboe@kernel.dk> cc: Matthew Wilcox <willy@infradead.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Thomas Lange
|
c38c5cfd3e |
net: Implement missing SO_TIMESTAMPING_NEW cmsg support
[ Upstream commit 382a32018b74f407008615e0e831d05ed28e81cd ] Commit |
||
Wen Gu
|
84c3833a93 |
net/smc: fix invalid link access in dumping SMC-R connections
[ Upstream commit 9dbe086c69b8902c85cece394760ac212e9e4ccc ]
A crash was found when dumping SMC-R connections. It can be reproduced
by following steps:
- environment: two RNICs on both sides.
- run SMC-R between two sides, now a SMC_LGR_SYMMETRIC type link group
will be created.
- set the first RNIC down on either side and link group will turn to
SMC_LGR_ASYMMETRIC_LOCAL then.
- run 'smcss -R' and the crash will be triggered.
BUG: kernel NULL pointer dereference, address: 0000000000000010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 8000000101fdd067 P4D 8000000101fdd067 PUD 10ce46067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 1810 Comm: smcss Kdump: loaded Tainted: G W E 6.7.0-rc6+ #51
RIP: 0010:__smc_diag_dump.constprop.0+0x36e/0x620 [smc_diag]
Call Trace:
<TASK>
? __die+0x24/0x70
? page_fault_oops+0x66/0x150
? exc_page_fault+0x69/0x140
? asm_exc_page_fault+0x26/0x30
? __smc_diag_dump.constprop.0+0x36e/0x620 [smc_diag]
smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
smc_diag_dump+0x26/0x60 [smc_diag]
netlink_dump+0x19f/0x320
__netlink_dump_start+0x1dc/0x300
smc_diag_handler_dump+0x6a/0x80 [smc_diag]
? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
sock_diag_rcv_msg+0x121/0x140
? __pfx_sock_diag_rcv_msg+0x10/0x10
netlink_rcv_skb+0x5a/0x110
sock_diag_rcv+0x28/0x40
netlink_unicast+0x22a/0x330
netlink_sendmsg+0x240/0x4a0
__sock_sendmsg+0xb0/0xc0
____sys_sendmsg+0x24e/0x300
? copy_msghdr_from_user+0x62/0x80
___sys_sendmsg+0x7c/0xd0
? __do_fault+0x34/0x1a0
? do_read_fault+0x5f/0x100
? do_fault+0xb0/0x110
__sys_sendmsg+0x4d/0x80
do_syscall_64+0x45/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
When the first RNIC is set down, the lgr->lnk[0] will be cleared and an
asymmetric link will be allocated in lgr->link[SMC_LINKS_PER_LGR_MAX - 1]
by smc_llc_alloc_alt_link(). Then when we try to dump SMC-R connections
in __smc_diag_dump(), the invalid lgr->lnk[0] will be accessed, resulting
in this issue. So fix it by accessing the right link.
Fixes:
|
||
Marc Dionne
|
72fa661778 |
net: Save and restore msg_namelen in sock_sendmsg
[ Upstream commit 01b2885d9415152bcb12ff1f7788f500a74ea0ed ] Commit 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()") made sock_sendmsg save the incoming msg_name pointer and restore it before returning, to insulate the caller against msg_name being changed by the called code. If the address length was also changed however, we may return with an inconsistent structure where the length doesn't match the address, and attempts to reuse it may lead to lost packets. For example, a kernel that doesn't have commit 1c5950fc6fe9 ("udp6: fix potential access to stale information") will replace a v4 mapped address with its ipv4 equivalent, and shorten namelen accordingly from 28 to 16. If the caller attempts to reuse the resulting msg structure, it will have the original ipv6 (v4 mapped) address but an incorrect v4 length. Fixes: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()") Signed-off-by: Marc Dionne <marc.dionne@auristor.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Pablo Neira Ayuso
|
81f8a995eb |
netfilter: nft_immediate: drop chain reference counter on error
[ Upstream commit b29be0ca8e816119ccdf95cc7d7c7be9bde005f1 ] In the init path, nft_data_init() bumps the chain reference counter, decrement it on error by following the error path which calls nft_data_release() to restore it. Fixes: 4bedf9eee016 ("netfilter: nf_tables: fix chain binding transaction logic") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Jörn-Thorben Hinz
|
3edd66bd4e |
net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)
[ Upstream commit 7f6ca95d16b96567ce4cf458a2790ff17fa620c3 ] Commit |
||
Eric Dumazet
|
ac5fde92b5 |
net: annotate data-races around sk->sk_bind_phc
[ Upstream commit 251cd405a9e6e70b92fe5afbdd17fd5caf9d3266 ]
sk->sk_bind_phc is read locklessly. Add corresponding annotations.
Fixes:
|
||
Eric Dumazet
|
c48fcb4f49 |
net: annotate data-races around sk->sk_tsflags
[ Upstream commit e3390b30a5dfb112e8e802a59c0f68f947b638b2 ]
sk->sk_tsflags can be read locklessly, add corresponding annotations.
Fixes:
|
||
Vadim Fedorenko
|
5d586f7ca0 |
net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps
[ Upstream commit 8ca5a5790b9a1ce147484d2a2c4e66d2553f3d6c ] When the feature was added it was enabled for SW timestamps only but with current hardware the same out-of-order timestamps can be seen. Let's expand the area for the feature to all types of timestamps. Signed-off-by: Vadim Fedorenko <vadfed@meta.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Stable-dep-of: 7f6ca95d16b9 ("net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Marc Kleine-Budde
|
b2130366a9 |
can: raw: add support for SO_MARK
[ Upstream commit 0826e82b8a32e646b7b32ba8b68ba30812028e47 ] Add support for SO_MARK to the CAN_RAW protocol. This makes it possible to add traffic control filters based on the fwmark. Link: https://lore.kernel.org/all/20221210113653.170346-1-mkl@pengutronix.de Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Stable-dep-of: 7f6ca95d16b9 ("net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Hangyu Hua
|
565460e180 |
net: sched: em_text: fix possible memory leak in em_text_destroy()
[ Upstream commit 8fcb0382af6f1ef50936f1be05b8149eb2f88496 ]
m->data needs to be freed when em_text_destroy is called.
Fixes:
|
||
Siddh Raman Pant
|
a4b0a9b80a |
nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local
[ Upstream commit c95f919567d6f1914f13350af61a1b044ac85014 ]
llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls
nfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for
getting the headroom and tailroom needed for skb allocation.
Parallelly the nfc_dev can be freed, as the refcount is decreased via
nfc_free_device(), leading to a UAF reported by Syzkaller, which can
be summarized as follows:
(1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()
-> nfc_alloc_send_skb() -> Dereference *nfc_dev
(2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()
-> put_device() -> nfc_release() -> Free *nfc_dev
When a reference to llcp_local is acquired, we do not acquire the same
for the nfc_dev. This leads to freeing even when the llcp_local is in
use, and this is the case with the UAF described above too.
Thus, when we acquire a reference to llcp_local, we should acquire a
reference to nfc_dev, and release the references appropriately later.
References for llcp_local are initialized in nfc_llcp_register_device()
(which is called by nfc_register_device()). Thus, we should acquire a
reference to nfc_dev there.
nfc_unregister_device() calls nfc_llcp_unregister_device() which in
turn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is
appropriately released later.
Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
Fixes:
|
||
Pablo Neira Ayuso
|
282e3fb612 |
netfilter: nf_tables: set transport offset from mac header for netdev/egress
[ Upstream commit 0ae8e4cca78781401b17721bfb72718fdf7b4912 ]
Before this patch, transport offset (pkt->thoff) provides an offset
relative to the network header. This is fine for the inet families
because skb->data points to the network header in such case. However,
from netdev/egress, skb->data points to the mac header (if available),
thus, pkt->thoff is missing the mac header length.
Add skb_network_offset() to the transport offset (pkt->thoff) for
netdev, so transport header mangling works as expected. Adjust payload
fast eval function to use skb->data now that pkt->thoff provides an
absolute offset. This explains why users report that matching on
egress/netdev works but payload mangling does not.
This patch implicitly fixes payload mangling for IPv4 packets in
netdev/egress given skb_store_bits() requires an offset from skb->data
to reach the transport header.
I suspect that nft_exthdr and the trace infra were also broken from
netdev/egress because they also take skb->data as start, and pkt->thoff
was not correct.
Note that IPv6 is fine because ipv6_find_hdr() already provides a
transport offset starting from skb->data, which includes
skb_network_offset().
The bridge family also uses nft_set_pktinfo_ipv4_validate(), but there
skb_network_offset() is zero, so the update in this patch does not alter
the existing behaviour.
Fixes:
|
||
Xin Long
|
9487cc4c90 |
netfilter: use skb_ip_totlen and iph_totlen
[ Upstream commit a13fbf5ed5b4fc9095f12e955ca3a59b5507ff01 ] There are also quite some places in netfilter that may process IPv4 TCP GSO packets, we need to replace them too. In length_mt(), we have to use u_int32_t/int to accept skb_ip_totlen() return value, otherwise it may overflow and mismatch. This change will also help us add selftest for IPv4 BIG TCP in the following patch. Note that we don't need to replace the one in tcpmss_tg4(), as it will return if there is data after tcphdr in tcpmss_mangle_packet(). The same in mangle_contents() in nf_nat_helper.c, it returns false when skb->len + extra > 65535 in enlarge_skb(). Signed-off-by: Xin Long <lucien.xin@gmail.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: 0ae8e4cca787 ("netfilter: nf_tables: set transport offset from mac header for netdev/egress") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Paolo Abeni
|
af9a530765 |
mptcp: prevent tcp diag from closing listener subflows
commit 4c0288299fd09ee7c6fbe2f57421f314d8c981db upstream. The MPTCP protocol does not expect that any other entity could change the first subflow status when such socket is listening. Unfortunately the TCP diag interface allows aborting any TCP socket, including MPTCP listeners subflows. As reported by syzbot, that triggers a WARN() and could lead to later bigger trouble. The MPTCP protocol needs to do some MPTCP-level cleanup actions to properly shutdown the listener. To keep the fix simple, prevent entirely the diag interface from stopping such listeners. We could refine the diag callback in a later, larger patch targeting net-next. Fixes: 57fc0f1ceaa4 ("mptcp: ensure listener is unhashed before updating the sk status") Cc: stable@vger.kernel.org Reported-by: <syzbot+5a01c3a666e726bc8752@syzkaller.appspotmail.com> Closes: https://lore.kernel.org/netdev/0000000000004f4579060c68431b@google.com/ Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Mat Martineau <martineau@kernel.org> Signed-off-by: Matthieu Baerts <matttbe@kernel.org> Link: https://lore.kernel.org/r/20231226-upstream-net-20231226-mptcp-prevent-warn-v1-2-1404dcc431ea@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Edward Adam Davis
|
079eefaecf |
keys, dns: Fix missing size check of V1 server-list header
commit 1997b3cb4217b09e49659b634c94da47f0340409 upstream.
The dns_resolver_preparse() function has a check on the size of the payload for the basic header of the binary-style payload, but is missing a check for the size of the V1 server-list payload header after determining that's what we've been given.
Fix this by getting rid of the pointer to the basic header and just assuming that we have a V1 server-list payload and moving the V1 server list pointer inside the if-statement. Dealing with other types and versions can be left for when such have been defined.
This can be tested by doing the following with KASAN enabled:
echo -n -e '\x0\x0\x1\x2' | keyctl padd dns_resolver foo @p
and produces an oops like the following:
BUG: KASAN: slab-out-of-bounds in dns_resolver_preparse+0xc9f/0xd60 net/dns_resolver/dns_key.c:127
Read of size 1 at addr ffff888028894084 by task syz-executor265/5069
...
Call Trace:
dns_resolver_preparse+0xc9f/0xd60 net/dns_resolver/dns_key.c:127
__key_create_or_update+0x453/0xdf0 security/keys/key.c:842
key_create_or_update+0x42/0x50 security/keys/key.c:1007
__do_sys_add_key+0x29c/0x450 security/keys/keyctl.c:134
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a
This patch was originally by Edward Adam Davis, but was modified by Linus.
Fixes: b946001d3bb1 ("keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry")
Reported-and-tested-by: syzbot+94bbb75204a05da3d89f@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/0000000000009b39bc060c73e209@google.com/
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: David Howells <dhowells@redhat.com>
Cc: Edward Adam Davis <eadavis@qq.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Jeffrey E Altman <jaltman@auristor.com>
Cc: Wang Lei <wang840925@gmail.com>
Cc: Jeff Layton <jlayton@redhat.com>
Cc: Steve French <sfrench@us.ibm.com>
Cc: Marc Dionne <marc.dionne@auristor.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jeffrey E Altman <jaltman@auristor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
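
The missing length check described in the commit above, as a user-space model added here (it is not the kernel's code or the patch itself). The struct layout, the type code, the function names and the sample byte strings are assumptions constructed for illustration; the 4-byte sample reuses the payload from the commit message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example: a 3-byte basic header that a V1
 * server-list header extends to 6 bytes. Every field is one byte, so
 * there is no padding and sizeof() equals the size on the wire. */
struct payload_header {
	uint8_t zero;       /* 0 marks a binary-style payload */
	uint8_t content;    /* payload type */
	uint8_t version;    /* payload version */
};

struct server_list_v1_header {
	struct payload_header hdr;
	uint8_t source;
	uint8_t status;
	uint8_t nr_servers;
};

enum { CONTENT_SERVER_LIST = 0 };   /* assumed type code */

/* Constructed inputs: the 4-byte payload from the commit message and a
 * complete 6-byte V1 header that announces one server. */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x00, 0x00, 0x01, 0x02 };
static const uint8_t SAMPLE_COMPLETE[]  = { 0x00, 0x00, 0x01, 0x02, 0x00, 0x01 };

/* Model of the flawed logic: the length is compared only against the
 * basic header. Returns how many bytes the parser would go on to read
 * once it has classified the payload as a V1 server list, or 0 if it
 * rejects the input. Nothing past 'len' is dereferenced here. */
static size_t bytes_needed_unchecked(const uint8_t *data, size_t len)
{
	if (len < sizeof(struct payload_header))
		return 0;
	if (data[0] != 0 || data[1] != CONTENT_SERVER_LIST || data[2] != 1)
		return 0;
	/* Classified as V1, but 'len' is never compared with the V1 size. */
	return sizeof(struct server_list_v1_header);
}

/* Hardened form: the length is checked against the full V1 header
 * before any field is read, and the header is copied out of the buffer
 * so later code cannot run past the caller's data. */
static int parse_v1_header(const uint8_t *data, size_t len,
			   struct server_list_v1_header *out)
{
	if (len < sizeof(*out))
		return -EINVAL;
	memcpy(out, data, sizeof(*out));
	if (out->hdr.zero != 0 ||
	    out->hdr.content != CONTENT_SERVER_LIST ||
	    out->hdr.version != 1)
		return -EINVAL;
	return 0;
}

/* Convenience wrapper: servers announced by the header, or -errno. */
static int announced_servers(const uint8_t *data, size_t len)
{
	struct server_list_v1_header h;
	int ret = parse_v1_header(data, len, &h);

	return ret ? ret : h.nr_servers;
}

int main(void)
{
	size_t need = bytes_needed_unchecked(SAMPLE_TRUNCATED,
					     sizeof(SAMPLE_TRUNCATED));

	printf("truncated payload: %zu bytes supplied, %zu would be read\n",
	       sizeof(SAMPLE_TRUNCATED), need);
	printf("hardened parser on truncated payload: %d\n",
	       announced_servers(SAMPLE_TRUNCATED, sizeof(SAMPLE_TRUNCATED)));
	printf("hardened parser on complete header: %d server(s)\n",
	       announced_servers(SAMPLE_COMPLETE, sizeof(SAMPLE_COMPLETE)));
	return 0;
}
```

The gap between the bytes supplied and the bytes the unchecked path would read is the out-of-bounds read KASAN reports in the trace.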
||
Norihiko Hama
|
bc4d82ee40 |
ANDROID: KMI workaround for CONFIG_NETFILTER_FAMILY_BRIDGE
Enabling CONFIG_NETFILTER_FAMILY_BRIDGE causes the new element, hooks_bridge[] to be added to netns_nf. Since the KMI is frozen this could not be added. The only instantiation of struct netns_nf is as an embedded field of struct net. So instead of adding the field to struct netns_nf, a new "struct ext_net" is added that contains struct net and the new hooks_bridge[] field. An accessor function, get_nf_hooks_bridge() is added to get a pointer to the new field. There is a global init_net of type struct net which must be special cased since it is not a member of a struct ext_net. All other instances of struct net are allocated via net_alloc() which now allocates a struct ext_net. Since CONFIG_NETFILTER_FAMILY_BRIDGE is a hidden config that is needed for vendor modules, it is enabled via init/Kconfig.gki. Bug: 316040984 Fixes: 0145780bfc78 ("fix KASAN-related kernel crash by KMI W/A for NETFILTER_FAMILY_BRIDGE") Change-Id: I2c7384e3df9b88f12464dc0138986fed12ca626a Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com> |
||
Greg Kroah-Hartman
|
0177cfb2a2 |
Merge tag 'android14-6.1.68_r00' into branch 'android14-6.1'
This merges the changes up to 6.1.68 LTS into the android14-6.1 branch. Included in here are the following commits: * |
||
Pablo Neira Ayuso
|
928b3b5dde |
UPSTREAM: netfilter: nf_tables: skip set commit for deleted/destroyed sets
commit 7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a upstream.
NFT_MSG_DELSET deactivates all elements in the set, skip
set->ops->commit() to avoid the unnecessary clone (for the pipapo case)
as well as the sync GC cycle, which could deactivate again expired
elements in such set.
Bug: 318548348
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Reported-by: Kevin Rich <kevinrich1337@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
Zhengchao Shao
|
5070b3b594 |
UPSTREAM: ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
[ Upstream commit e2b706c691905fe78468c361aaabc719d0a496f1 ]
When I perform the following test operations:
1.ip link add br0 type bridge
2.brctl addif br0 eth0
3.ip addr add 239.0.0.1/32 dev eth0
4.ip addr add 239.0.0.1/32 dev br0
5.ip addr add 224.0.0.1/32 dev br0
6.while ((1))
do
ifconfig br0 up
ifconfig br0 down
done
7.send IGMPv2 query packets to port eth0 continuously. For example,
./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00 1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"
The preceding tests may trigger the refcnt uaf issue of the mc list. The stack is as follows:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
FS: 0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
Call Trace:
<TASK>
igmp_heard_query (net/ipv4/igmp.c:1068)
igmp_rcv (net/ipv4/igmp.c:1132)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
ip_local_deliver_finish (net/ipv4/ip_input.c:234)
__netif_receive_skb_one_core (net/core/dev.c:5529)
netif_receive_skb_internal (net/core/dev.c:5729)
netif_receive_skb (net/core/dev.c:5788)
br_handle_frame_finish (net/bridge/br_input.c:216)
nf_hook_bridge_pre (net/bridge/br_input.c:294)
__netif_receive_skb_core (net/core/dev.c:5423)
__netif_receive_skb_list_core (net/core/dev.c:5606)
__netif_receive_skb_list (net/core/dev.c:5674)
netif_receive_skb_list_internal (net/core/dev.c:5764)
napi_gro_receive (net/core/gro.c:609)
e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
__napi_poll (net/core/dev.c:6533)
net_rx_action (net/core/dev.c:6735)
__do_softirq (kernel/softirq.c:554)
run_ksoftirqd (kernel/softirq.c:913)
smpboot_thread_fn (kernel/smpboot.c:164)
kthread (kernel/kthread.c:388)
ret_from_fork (arch/x86/kernel/process.c:153)
ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
</TASK>
The root causes are as follows:
Thread A                        Thread B
...                             netif_receive_skb
br_dev_stop                     ...
br_multicast_leave_snoopers     ...
__ip_mc_dec_group               ...
__igmp_group_dropped            igmp_rcv
igmp_stop_timer                 igmp_heard_query         //ref = 1
ip_ma_put                       igmp_mod_timer
refcount_dec_and_test           igmp_start_timer         //ref = 0
...                             refcount_inc             //ref increases from 0
When the device receives an IGMPv2 Query message, it starts the timer immediately, regardless of whether the device is running. If the device is down and has left the multicast group, it will cause the mc list refcount uaf issue.
Bug: 316932391
Fixes: |
||
Greg Kroah-Hartman
|
8968561242 |
ANDROID: fix crc error in put_cmsg caused in 6.1.68
In commit |
||
Pablo Neira Ayuso
|
0105571f80 |
netfilter: nf_tables: skip set commit for deleted/destroyed sets
commit 7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a upstream. NFT_MSG_DELSET deactivates all elements in the set, skip set->ops->commit() to avoid the unnecessary clone (for the pipapo case) as well as the sync GC cycle, which could deactivate again expired elements in such set. Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") Reported-by: Kevin Rich <kevinrich1337@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Kroah-Hartman
|
e0690152b8 |
Revert "drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group"
This reverts commit
|
||
Greg Kroah-Hartman
|
c9b484c69d |
This is the 6.1.68 stable release
Merge 6.1.68 into android14-6.1-lts Changes in 6.1.68 vdpa/mlx5: preserve CVQ vringh index hrtimers: Push pending hrtimers away from outgoing CPU earlier i2c: designware: Fix corrupted memory seen in the ISR netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test zstd: Fix array-index-out-of-bounds UBSAN warning tg3: Move the [rt]x_dropped counters to tg3_napi tg3: Increment tx_dropped in tg3_tso_bug() kconfig: fix memory leak from range properties drm/amdgpu: correct chunk_ptr to a pointer to chunk.
x86: Introduce ia32_enabled() x86/coco: Disable 32-bit emulation by default on TDX and SEV x86/entry: Convert INT 0x80 emulation to IDTENTRY x86/entry: Do not allow external 0x80 interrupts x86/tdx: Allow 32-bit emulation by default dt: dt-extract-compatibles: Handle cfile arguments in generator function dt: dt-extract-compatibles: Don't follow symlinks when walking tree platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi code of: dynamic: Fix of_reconfig_get_state_change() return value documentation platform/x86: wmi: Skip blocks with zero instances ipv6: fix potential NULL deref in fib6_add() octeontx2-pf: Add missing mutex lock in otx2_get_pauseparam octeontx2-af: Check return value of nix_get_nixlf before using nixlf hv_netvsc: rndis_filter needs to select NLS r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE r8152: Add RTL8152_INACCESSIBLE checks to more loops r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash() r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1() r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en() mlxbf-bootctl: correctly identify secure boot with development keys platform/mellanox: Add null pointer checks for devm_kasprintf() platform/mellanox: Check devm_hwmon_device_register_with_groups() return value arcnet: restoring support for multiple Sohard Arcnet cards octeontx2-pf: consider both Rx and Tx packet stats for adaptive interrupt coalescing net: stmmac: fix FPE events losing xsk: Skip polling event check for unbound socket octeontx2-af: fix a use-after-free in rvu_npa_register_reporters i40e: Fix unexpected MFS warning message iavf: validate tx_coalesce_usecs even if rx_coalesce_usecs is zero net: bnxt: fix a potential use-after-free in bnxt_init_tc tcp: fix mid stream window clamp. 
ionic: fix snprintf format length warning ionic: Fix dim work handling in split interrupt mode ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() net: atlantic: Fix NULL dereference of skb pointer in net: hns: fix wrong head when modify the tx feature when sending packets net: hns: fix fake link up on xge port octeontx2-af: Adjust Tx credits when MCS external bypass is disabled octeontx2-af: Fix mcs sa cam entries size octeontx2-af: Fix mcs stats register address octeontx2-af: Add missing mcs flr handler call octeontx2-af: Update Tx link register range dt-bindings: interrupt-controller: Allow #power-domain-cells netfilter: nft_exthdr: add boolean DCCP option matching netfilter: nf_tables: fix 'exist' matching on bigendian arches netfilter: nf_tables: bail out on mismatching dynset and set expressions netfilter: nf_tables: validate family when identifying table via handle netfilter: xt_owner: Fix for unsafe access of sk->sk_socket tcp: do not accept ACK of bytes we never sent bpf: sockmap, updating the sg structure should also update curr psample: Require 'CAP_NET_ADMIN' when joining "packets" group drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group mm/damon/sysfs: eliminate potential uninitialized variable warning tee: optee: Fix supplicant based device enumeration RDMA/hns: Fix unnecessary err return when using invalid congest control algorithm RDMA/irdma: Do not modify to SQD on error RDMA/irdma: Add wait for suspend on SQD arm64: dts: rockchip: Expand reg size of vdec node for RK3328 arm64: dts: rockchip: Expand reg size of vdec node for RK3399 ASoC: fsl_sai: Fix no frame sync clock issue on i.MX8MP RDMA/rtrs-srv: Do not unconditionally enable irq RDMA/rtrs-clt: Start hb after path_up RDMA/rtrs-srv: Check return values while processing info request RDMA/rtrs-srv: Free srv_mr iu only when always_invalidate is true RDMA/rtrs-srv: Destroy path files after making sure no IOs in-flight RDMA/rtrs-clt: Fix the max_send_wr setting RDMA/rtrs-clt: 
Remove the warnings for req in_use check RDMA/bnxt_re: Correct module description string RDMA/irdma: Refactor error handling in create CQP RDMA/irdma: Fix UAF in irdma_sc_ccq_get_cqe_info() hwmon: (acpi_power_meter) Fix 4.29 MW bug ASoC: codecs: lpass-tx-macro: set active_decimator correct default value hwmon: (nzxt-kraken2) Fix error handling path in kraken2_probe() ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz RDMA/irdma: Avoid free the non-cqp_request scratch drm/bridge: tc358768: select CONFIG_VIDEOMODE_HELPERS arm64: dts: imx8mq: drop usb3-resume-missing-cas from usb arm64: dts: imx8mp: imx8mq: Add parkmode-disable-ss-quirk on DWC3 ARM: dts: imx6ul-pico: Describe the Ethernet PHY clock tracing: Fix a warning when allocating buffered events fails scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle() ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt ARM: dts: imx28-xea: Pass the 'model' property riscv: fix misaligned access handling of C.SWSP and C.SDSP md: introduce md_ro_state md: don't leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly() iommu: Avoid more races around device probe rethook: Use __rcu pointer for rethook::handler kprobes: consistent rcu api usage for kretprobe holder ASoC: amd: yc: Fix non-functional mic on ASUS E1504FA io_uring/af_unix: disable sending io_uring over sockets nvme-pci: Add sleep quirk for Kingston drives io_uring: fix mutex_unlock with unreferenced ctx ALSA: usb-audio: Add Pioneer DJM-450 mixer controls ALSA: pcm: fix out-of-bounds in snd_pcm_state_names ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5 ALSA: hda/realtek: add new Framework laptop to quirks ALSA: hda/realtek: Add Framework laptop 16 to quirks ring-buffer: Test last update in 32bit version of __rb_time_read() nilfs2: fix missing error check for sb_set_blocksize call nilfs2: prevent WARNING in 
nilfs_sufile_set_segment_usage() cgroup_freezer: cgroup_freezing: Check if not frozen checkstack: fix printed address tracing: Always update snapshot buffer size tracing: Disable snapshot buffer when stopping instance tracers tracing: Fix incomplete locking when disabling buffered events tracing: Fix a possible race when disabling buffered events packet: Move reference count in packet_sock to atomic_long_t r8169: fix rtl8125b PAUSE frames blasting when suspended regmap: fix bogus error on regcache_sync success platform/surface: aggregator: fix recv_buf() return value hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write mm: fix oops when filemap_map_pmd() without prealloc_pte powercap: DTPM: Fix missing cpufreq_cpu_put() calls md/raid6: use valid sector values to determine if an I/O should wait on the reshape arm64: dts: mediatek: mt7622: fix memory node warning check arm64: dts: mediatek: mt8183-kukui-jacuzzi: fix dsi unnecessary cells properties arm64: dts: mediatek: cherry: Fix interrupt cells for MT6360 on I2C7 arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names arm64: dts: mediatek: mt8195: Fix PM suspend/resume with venc clocks arm64: dts: mediatek: mt8183: Fix unit address for scp reserved memory arm64: dts: mediatek: mt8183: Move thermal-zones to the root node arm64: dts: mediatek: mt8183-evb: Fix unit_address_vs_reg warning on ntc binder: fix memory leaks of spam and pending work coresight: etm4x: Make etm4_remove_dev() return void coresight: etm4x: Remove bogous __exit annotation for some functions hwtracing: hisi_ptt: Add dummy callback pmu::read() misc: mei: client.c: return negative error code in mei_cl_write misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write LoongArch: BPF: Don't sign extend memory load operand LoongArch: BPF: Don't sign extend function return value ring-buffer: Force absolute timestamp on discard of event tracing: Set actual size after ring buffer resize tracing: Stop current tracer when resizing 
buffer parisc: Reduce size of the bug_table on 64-bit kernel by half parisc: Fix asm operand number out of range build error in bug table arm64: dts: mediatek: add missing space before { arm64: dts: mt8183: kukui: Fix underscores in node names perf: Fix perf_event_validate_size() x86/sev: Fix kernel crash due to late update to read-only ghcb_version gpiolib: sysfs: Fix error handling on failed export drm/amdgpu: fix memory overflow in the IB test drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c drm/amdgpu: correct the amdgpu runtime dereference usage count drm/amdgpu: Update ras eeprom support for smu v13_0_0 and v13_0_10 drm/amdgpu: Add EEPROM I2C address support for ip discovery drm/amdgpu: Remove redundant I2C EEPROM address drm/amdgpu: Decouple RAS EEPROM addresses from chips drm/amdgpu: Add support for RAS table at 0x40000 drm/amdgpu: Remove second moot switch to set EEPROM I2C address drm/amdgpu: Return from switch early for EEPROM I2C address drm/amdgpu: simplify amdgpu_ras_eeprom.c drm/amdgpu: Add I2C EEPROM support on smu v13_0_6 drm/amdgpu: Update EEPROM I2C address for smu v13_0_0 usb: gadget: f_hid: fix report descriptor allocation serial: 8250_dw: Add ACPI ID for Granite Rapids-D UART parport: Add support for Brainboxes IX/UC/PX parallel cards cifs: Fix non-availability of dedup breaking generic/304 Revert "xhci: Loosen RPM as default policy to cover for AMD xHC 1.1" smb: client: fix potential NULL deref in parse_dfs_referrals() usb: typec: class: fix typec_altmode_put_partner to put plugs ARM: PL011: Fix DMA support serial: sc16is7xx: address RX timeout interrupt errata serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt serial: 8250_omap: Add earlycon support for the AM654 UART controller devcoredump: Send uevent once devcd is ready x86/CPU/AMD: Check vendor in the AMD microcode callback USB: gadget: core: adjust uevent timing on gadget unbind cifs: Fix flushing, invalidation 
and file size with copy_file_range() cifs: Fix flushing, invalidation and file size with FICLONE MIPS: kernel: Clear FPU states when setting up kernel threads KVM: s390/mm: Properly reset no-dat KVM: SVM: Update EFER software model on CR0 trap for SEV-ES MIPS: Loongson64: Reserve vgabios memory on boot MIPS: Loongson64: Handle more memory types passed from firmware MIPS: Loongson64: Enable DMA noncoherent support netfilter: nft_set_pipapo: skip inactive elements during set walk riscv: Kconfig: Add select ARM_AMBA to SOC_STARFIVE drm/i915/display: Drop check for doublescan mode in modevalid drm/i915/lvds: Use REG_BIT() & co. drm/i915/sdvo: stop caching has_hdmi_monitor in struct intel_sdvo drm/i915: Skip some timing checks on BXT/GLK DSI transcoders Linux 6.1.68 Change-Id: I0a824071a80b24dc4a2e0077f305b7cac42235b8 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
jianzhou
|
7c8fe0d3ae |
Merge keystone/android14-6.1-keystone-qcom-release.6.1.57 (97abf17) into qcom-6.1
* refs/heads/tmp-97abf17: ANDROID: GKI: Update symbol list for mtk ANDROID: Update the ABI symbol list ANDROID: GKI: Update symbol list for mtk ANDROID: mm: lru_cache_disable skips lru cache drainnig ANDROID: mm: cma: introduce __cma_alloc API ANDROID: Update the ABI representation BACKPORT: fscrypt: support crypto data unit size less than filesystem block size UPSTREAM: netfilter: nf_tables: remove catchall element in GC sync path ANDROID: GKI: Update oplus symbol list ANDROID: vendor_hooks: export tracepoint symbol trace_mm_vmscan_kswapd_wake BACKPORT: HID: input: map battery system charging ANDROID: fuse-bpf: Ignore readaheads unless they go to the daemon FROMGIT: freezer,sched: clean saved_state when restoring it during thaw FROMGIT: freezer,sched: do not restore saved_state of a thawed task FROMGIT: f2fs: skip adding a discard command if exists UPSTREAM: f2fs: clean up zones when not successfully unmounted UPSTREAM: f2fs: use finish zone command when closing a zone UPSTREAM: f2fs: check zone write pointer points to the end of zone UPSTREAM: f2fs: close unused open zones while mounting UPSTREAM: f2fs: maintain six open zones for zoned devices ANDROID: update symbol for unisoc whitelist ANDROID: vendor_hooks: mm: add hook to count the number pages allocated for each slab ANDROID: Update the ABI symbol list ANDROID: sched: Add trace_android_rvh_set_user_nice_locked UPSTREAM: ASoC: soc-compress: Fix deadlock in soc_compr_open_fe BACKPORT: ASoC: add snd_soc_card_mutex_lock/unlock() BACKPORT: ASoC: expand snd_soc_dpcm_mutex_lock/unlock() BACKPORT: ASoC: expand snd_soc_dapm_mutex_lock/unlock() ANDROID: GKI: Update symbol list for mtk ANDROID: Update the ABI symbol list ANDROID: sched: Add vendor hook for update_load_sum FROMGIT: freezer,sched: clean saved_state when restoring it during thaw FROMGIT: freezer,sched: do not restore saved_state of a thawed task ANDROID: GKI: add allowed list for Exynosauto SoC ANDROID: KVM: arm64: pkvm_module_ops documentation ANDROID: 
Update the ABI symbol list UPSTREAM: usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm() ANDROID: GKI: Update oplus symbol list UPSTREAM: drm/qxl: fix UAF on handle creation FROMGIT: usb:gadget:uvc Do not use worker thread to pump isoc usb requests FROMGIT: usb: gadget: uvc: Fix use-after-free for inflight usb_requests FROMGIT: usb: gadget: uvc: move video disable logic to its own function FROMGIT: usb: gadget: uvc: Allocate uvc_requests one at a time FROMGIT: usb: gadget: uvc: prevent use of disabled endpoint UPSTREAM: drm/fourcc: Add NV20 and NV30 YUV formats FROMLIST: virt: geniezone: Add memory relinquish support FROMGIT: Input: uinput - allow injecting event times UPSTREAM: PM: hibernate: Fix copying the zero bitmap to safe pages UPSTREAM: PM: hibernate: don't store zero pages in the image file UPSTREAM: PM: hibernate: Complain about memory map mismatches during resume FROMLIST: devcoredump: Send uevent once devcd is ready FROMLIST: iommu: Avoid more races around device probe ANDROID: Update the ABI symbol list FROMLIST: ufs: core: clear cmd if abort success in mcq mode BACKPORT: wifi: cfg80211: Allow AP/P2PGO to indicate port authorization to peer STA/P2PClient BACKPORT: wifi: cfg80211: OWE DH IE handling offload ANDROID: KVM: arm64: mount procfs for pKVM module loading ANDROID: GKI: Update symbol list for mtk ANDROID: fuse-bpf: Add NULL pointer check in fuse_release_in UPSTREAM: serial: 8250_port: Check IRQ data before use ANDROID: KVM: arm64: Fix error path in pkvm_mem_abort() ANDROID: abi_gki_aarch64_qcom: Update symbol list ANDROID: GKI: add allowed list for Exynosauto SoC ANDROID: Update the ABI symbol list ANDROID: sched: Add vendor hook for util_fits_cpu ANDROID: update symbol for unisoc vendor_hooks ANDROID: vendor_hooks: mm: add hook to count the number pages allocated for each slab UPSTREAM: usb: gadget: udc: Handle gadget_connect failure during bind operation ANDROID: Update the ABI symbol list ANDROID: softirq: Add EXPORT_SYMBOL_GPL 
for softirq and tasklet ANDROID: mm/mempolicy.c fix up conversion to queue_folios_pte_range Revert "net: add sysctl accept_ra_min_rtr_lft" Revert "net: change accept_ra_min_rtr_lft to affect all RA lifetimes" Revert "net: release reference to inet6_dev pointer" Revert "ata,scsi: do not issue START STOP UNIT on resume" Revert "scsi: sd: Differentiate system and runtime start/stop management" Revert "scsi: sd: Do not issue commands to suspended disks on shutdown" Revert "wifi: cfg80211: fix cqm_config access race" Revert "netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp" Revert "arm64: errata: Add Cortex-A520 speculative unprivileged load workaround" Revert "video/aperture: Only remove sysfb on the default vga pci device" Revert "drm/ast: Use drm_aperture_remove_conflicting_pci_framebuffers" Revert "fbdev/radeon: use pci aperture helpers" Revert "drm/gma500: Use drm_aperture_remove_conflicting_pci_framebuffers" Revert "drm/aperture: Remove primary argument" Revert "video/aperture: Only kick vgacon when the pdev is decoding vga" Revert "video/aperture: Move vga handling to pci function" Revert "fs/nls: make load_nls() take a const parameter" Revert "dm: fix a race condition in retrieve_deps" ANDROID: GKI: db845c: add new dma_buf symbols to list UPSTREAM: lib/test_meminit: fix off-by-one error in test_pages() ANDROID: GKI: add guards for an include file in net/ethtool/ioctl.c ANDROID: GKI: update .stg due to internal zswap and tracing changes ANDROID: GKI: db845c: add pcie_capability_clear_and_set_word to the symbol list ANDROID: GKI: sched: put back the cpu_capacity_inverted variable Revert "ipv4: fix data-races around inet->inet_id" Revert "usb: typec: bus: verify partner exists in typec_altmode_attention" Revert "scsi: core: Use 32-bit hostnum in scsi_host_lookup()" Revert "media: cec: core: add adap_nb_transmit_canceled() callback" Revert "media: cec: core: add adap_unconfigured() callback" Revert "tracing: Introduce pipe_cpumask to 
avoid race on trace_pipes" Revert "tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY" Revert "PCI: Allow drivers to request exclusive config regions" Revert "PCI: Add locking to RMW PCI Express Capability Register accessors" Revert "crypto: api - Use work queue in crypto_destroy_instance" Revert "media: uapi: HEVC: Add num_delta_pocs_of_ref_rps_idx field" Linux 6.1.57 xen/events: replace evtchn_rwlock with RCU ipv6: remove one read_lock()/read_unlock() pair in rt6_check_neigh() btrfs: file_remove_privs needs an exclusive lock in direct io write netlink: remove the flex array from struct nlmsghdr btrfs: fix fscrypt name leak after failure to join log transaction btrfs: fix an error handling path in btrfs_rename() vrf: Fix lockdep splat in output path ipv6: remove nexthop_fib6_nh_bh() parisc: Restore __ldcw_align for PA-RISC 2.0 processors ksmbd: fix uaf in smb20_oplock_break_ack ksmbd: fix race condition between session lookup and expire x86/sev: Use the GHCB protocol when available for SNP CPUID requests RDMA/mlx5: Fix NULL string error RDMA/mlx5: Fix mutex unlocking on error flow for steering anchor creation RDMA/siw: Fix connection failure handling RDMA/srp: Do not call scsi_done() from srp_abort() RDMA/uverbs: Fix typo of sizeof argument RDMA/cma: Fix truncation compilation warning in make_cma_ports RDMA/cma: Initialize ib_sa_multicast structure to 0 when join gpio: pxa: disable pinctrl calls for MMP_GPIO gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() IB/mlx4: Fix the size of a buffer in add_port_entries() of: dynamic: Fix potential memory leak in of_changeset_action() RDMA/core: Require admin capabilities to set system parameters dm zoned: free dmz->ddev array in dmz_put_zoned_devices parisc: Fix crash with nr_cpus=1 option smb: use kernel_connect() and kernel_bind() intel_idle: add Emerald Rapids Xeon support HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit HID: sony: remove duplicate NULL check before calling 
usb_free_urb() netlink: annotate data-races around sk->sk_err netlink: Fix potential skb memleak in netlink_ack netlink: split up copies in the ack construction sctp: update hb timer immediately after users change hb_interval sctp: update transport state when processing a dupcook packet tcp: fix delayed ACKs for MSS boundary condition tcp: fix quick-ack counting to count actual ACKs of new data tipc: fix a potential deadlock on &tx->lock net: stmmac: dwmac-stm32: fix resume on STM32 MCU ipv4: Set offload_failed flag in fibmatch results netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure netfilter: nf_tables: Deduplicate nft_register_obj audit logs selftests: netfilter: Extend nft_audit.sh selftests: netfilter: Test nf_tables audit logging netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp ibmveth: Remove condition to recompute TCP header checksum. net: ethernet: ti: am65-cpsw: Fix error code in am65_cpsw_nuss_init_tx_chns() net: nfc: llcp: Add lock when modifying device list net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent ptp: ocp: Fix error handling in ptp_ocp_device_init ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() neighbour: fix data-races around n->output neighbour: switch to standard rcu, instead of rcu_bh neighbour: annotate lockless accesses to n->nud_state bpf: Add BPF_FIB_LOOKUP_SKIP_NEIGH for bpf_fib_lookup net: fix possible store tearing in neigh_periodic_work() modpost: add missing else to the "of" check bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets bpf, sockmap: Do not inc copied_seq when PEEK flag set bpf: tcp_read_skb needs to pop skb regardless of seq NFSv4: Fix a nfs4_state_manager() race ima: rework CONFIG_IMA dependency block scsi: target: core: Fix deadlock due to recursive locking ima: Finish deprecation of 
IMA_TRUSTED_KEYRING Kconfig regulator/core: regulator_register: set device->class earlier iommu/mediatek: Fix share pgtable for iova over 4GB perf/x86/amd: Do not WARN() on every IRQ wifi: mac80211: fix potential key use-after-free regmap: rbtree: Fix wrong register marked as in-cache when creating new node perf/x86/amd/core: Fix overflow reset on hotplug wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close() Bluetooth: ISO: Fix handling of listen for unicast Bluetooth: Delete unused hci_req_prepare_suspend() declaration regulator: mt6358: split ops for buck and linear range LDO regulators regulator: mt6358: Use linear voltage helpers for single range regulators regulator: mt6358: Drop *_SSHUB regulators bpf: Fix tr dereferencing leds: Drop BUG_ON check for LED_COLOR_ID_MULTI wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet wifi: cfg80211: add missing kernel-doc for cqm_rssi_work wifi: cfg80211: fix cqm_config access race wifi: cfg80211: add a work abstraction with special semantics wifi: cfg80211: move wowlan disable under locks wifi: cfg80211: hold wiphy lock in auto-disconnect wifi: iwlwifi: mvm: Fix a memory corruption issue wifi: iwlwifi: dbg_ini: fix structure packing erofs: fix memory leak of LZMA global compressed deduplication ubi: Refuse attaching if mtd's erasesize is 0 HID: sony: Fix a potential memory leak in sony_probe() arm64: errata: Add Cortex-A520 speculative unprivileged load workaround arm64: Add Cortex-A520 CPU part definition drm/amd: Fix logic error in sienna_cichlid_update_pcie_parameters() drm/amd: Fix detection of _PR3 on the PCIe root port net: prevent rewrite of msg_name in sock_sendmsg() net: replace calls to sock->ops->connect() with kernel_connect() PCI: qcom: Fix IPQ8074 enumeration md/raid5: release batch_last before waiting for another stripe_head wifi: mwifiex: Fix tlv_buf_left calculation Bluetooth: hci_sync: Fix 
handling of HCI_QUIRK_STRICT_DUPLICATE_FILTER Bluetooth: hci_codec: Fix leaking content of local_codecs qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info mptcp: userspace pm allow creating id 0 subflow net: ethernet: mediatek: disable irq before schedule napi vringh: don't use vringh_kiov_advance() in vringh_iov_xfer() iommu/vt-d: Avoid memory allocation in iommu_suspend() scsi: zfcp: Fix a double put in zfcp_port_enqueue() i40e: fix the wrong PTP frequency calculation hwmon: (nzxt-smart2) add another USB ID hwmon: (nzxt-smart2) Add device id block: fix use-after-free of q->q_usage_counter rbd: take header_rwsem in rbd_dev_refresh() only when updating rbd: decouple parent info read-in from updating rbd_dev rbd: decouple header read-in from updating rbd_dev->header rbd: move rbd_dev_refresh() definition iommu/arm-smmu-v3: Avoid constructing invalid range commands iommu/arm-smmu-v3: Set TTL invalidation hint better drm/amd/display: Adjust the MST resume flow arm64: cpufeature: Fix CLRBHB and BC detection net: release reference to inet6_dev pointer net: change accept_ra_min_rtr_lft to affect all RA lifetimes net: add sysctl accept_ra_min_rtr_lft arm64: Avoid repeated AA64MMFR1_EL1 register read on pagefault path Revert "NFSv4: Retry LOCK on OLD_STATEID during delegation return" btrfs: use struct fscrypt_str instead of struct qstr btrfs: setup qstr from dentrys using fscrypt helper btrfs: use struct qstr instead of name and namelen pairs ring-buffer: Fix bytes info in per_cpu buffer stats ring-buffer: remove obsolete comment for free_buffer_page() mm: page_alloc: fix CMA and HIGHATOMIC landing on the wrong buddy list mm/page_alloc: leave IRQs enabled for per-cpu page allocations mm/page_alloc: always remove pages from temporary list mm: mempolicy: keep VMA walk if both MPOL_MF_STRICT and MPOL_MF_MOVE are specified mm/mempolicy: convert migrate_page_add() to migrate_folio_add() mm/mempolicy: convert queue_pages_pte_range() to queue_folios_pte_range() 
mm/mempolicy: convert queue_pages_pmd() to queue_folios_pmd() mm/memory: add vm_normal_folio() NFSv4: Fix a state manager thread deadlock regression NFS: rename nfs_client_kset to nfs_kset NFS: Cleanup unused rpc_clnt variable ata: libata-scsi: Fix delayed scsi_rescan_device() execution scsi: Do not attempt to rescan suspended devices scsi: core: Improve type safety of scsi_rescan_device() scsi: sd: Do not issue commands to suspended disks on shutdown scsi: sd: Differentiate system and runtime start/stop management ata,scsi: do not issue START STOP UNIT on resume mptcp: process pending subflow error on close mptcp: move __mptcp_error_report in protocol.c mptcp: annotate lockless accesses to sk->sk_err mptcp: fix dangling connection hang-up mptcp: rename timer related helper to less confusing names ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol spi: zynqmp-gqspi: fix clock imbalance on probe failure Linux 6.1.56 ASoC: amd: yc: Fix a non-functional mic on Lenovo 82TL mm, memcg: reconsider kmem.limit_in_bytes deprecation memcg: drop kmem.limit_in_bytes drm/meson: fix memory leak on ->hpd_notify callback drm/amdkfd: Use gpu_offset for user queue's wptr fs: binfmt_elf_efpic: fix personality for ELF-FDPIC power: supply: ab8500: Set typing and props power: supply: rk817: Add missing module alias drm/i915/gt: Fix reservation address in ggtt_reserve_guc_top ata: libata-sata: increase PMP SRST timeout to 10s ata: libata-core: Do not register PM operations for SAS ports ata: libata-core: Fix port and device removal ata: libata-core: Fix ata_port_request_pm() locking fs/smb/client: Reset password pointer to NULL net: thunderbolt: Fix TCPv6 GSO checksum calculation bpf: Fix BTF_ID symbol generation collision in tools/ bpf: Fix BTF_ID symbol generation collision bpf: Add override check to kprobe multi link attach media: uvcvideo: Fix OOB read btrfs: properly report 0 avail for very full file systems ring-buffer: Update 
"shortest_full" in polling mm: memcontrol: fix GFP_NOFS recursion in memory.high enforcement mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy() mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions() arm64: defconfig: remove CONFIG_COMMON_CLK_NPCM8XX=y drm/tests: Fix incorrect argument in drm_test_mm_insert_range timers: Tag (hr)timer softirq as hotplug safe Revert "SUNRPC dont update timeout value on connection reset" netfilter: nf_tables: fix kdoc warnings after gc rework sched/rt: Fix live lock between select_fallback_rq() and RT push kernel/sched: Modify initial boot task idle setup ASoC: amd: yc: Fix non-functional mic on Lenovo 82QF and 82UG i2c: i801: unregister tco_pdev in i801_probe() error path io_uring/fs: remove sqe->rw_flags checking from LINKAT ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES ata: libata-scsi: link ata port and scsi device LoongArch: numa: Fix high_memory calculation LoongArch: Define relocation types for ABI v2.10 ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q netfilter: nf_tables: disallow rule removal from chain binding nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() serial: 8250_port: Check IRQ data before use Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" misc: rtsx: Fix some platforms can not boot and move the l1ss judgment to probe mptcp: fix bogus receive window shrinkage with multiple subflows KVM: x86/mmu: Do not filter address spaces in for_each_tdp_mmu_root_yield_safe() KVM: x86/mmu: Open code leaf invalidation from mmu_notifier KVM: SVM: Fix TSC_AUX virtualization setup KVM: SVM: INTERCEPT_RDTSCP is never intercepted anyway x86/srso: Add SRSO mitigation for Hygon processors x86/sgx: Resolves SECS reclaim vs. 
page fault for EAUG race iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range smack: Retrieve transmuting information in smack_inode_getsecurity() smack: Record transmuting in smk_transmuted nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev scsi: qla2xxx: Fix NULL pointer dereference in target mode wifi: ath11k: Don't drop tx_status when peer cannot be found nvme-pci: do not set the NUMA node of device if it has none nvme-pci: factor out a nvme_pci_alloc_dev helper nvme-pci: factor the iod mempool creation into a helper perf build: Define YYNOMEM as YYNOABORT for bison < 3.81 fbdev/sh7760fb: Depend on FB=y LoongArch: Set all reserved memblocks on Node#0 at initialization tsnep: Fix NAPI polling with budget 0 tsnep: Fix NAPI scheduling net: hsr: Add __packed to struct hsr_sup_tlv. ncsi: Propagate carrier gain/loss events to the NCSI controller powerpc/watchpoints: Annotate atomic context in more places powerpc/watchpoint: Disable pagefaults when getting user instruction powerpc/watchpoints: Disable preemption in thread_change_pc() ASoC: SOF: Intel: MTL: Reduce the DSP init timeout NFSv4.1: fix zero value filehandle in post open getattr media: vb2: frame_vector.c: replace WARN_ONCE with a comment ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link memblock tests: fix warning ‘struct seq_file’ declared inside parameter list memblock tests: fix warning: "__ALIGN_KERNEL" redefined firmware: cirrus: cs_dsp: Only log list of algorithms in debug build ASoC: cs42l42: Don't rely on GPIOD_OUT_LOW to set RESET initially low ASoC: cs42l42: Ensure a reset pulse meets minimum pulse width. 
ALSA: hda: intel-sdw-acpi: Use u8 type for link index bpf: Clarify error expectations from bpf_clone_redirect spi: intel-pci: Add support for Granite Rapids SPI serial flash ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag spi: stm32: add a delay before SPI disable spi: nxp-fspi: reset the FLSHxCR1 registers ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset() smb3: correct places where ENOTSUPP is used instead of preferred EOPNOTSUPP scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command scsi: pm80xx: Use phy-specific SAS address when sending PHY_START command riscv: errata: fix T-Head dcache.cva encoding drm/amdgpu: Handle null atom context in VBIOS info ioctl drm/amdgpu/nbio4.3: set proper rmmio_remap.reg_offset for SR-IOV drm/amdgpu/soc21: don't remap HDP registers for SR-IOV drm/amd/display: Don't check registers, if using AUX BL control thermal/of: add missing of_node_put() platform/x86: asus-wmi: Support 2023 ROG X16 tablet mode platform/mellanox: mlxbf-bootctl: add NET dependency into Kconfig ata: sata_mv: Fix incorrect string length computation in mv_dump_mem() net/smc: bugfix for smcr v2 server connect success statistic ring-buffer: Do not attempt to read past "commit" selftests: fix dependency checker script btrfs: assert delayed node locked when removing delayed item ring-buffer: Avoid softlockup in ring_buffer_resize() selftests/ftrace: Correctly enable event in instance-event.tc scsi: ufs: core: Poll HCS.UCRDY before issuing a UIC command scsi: ufs: core: Move __ufshcd_send_uic_cmd() outside host_lock scsi: qedf: Add synchronization between I/O completions and abort parisc: irq: Make irq_stack_union static to avoid sparse warning parisc: drivers: Fix sparse warning parisc: iosapic.c: Fix sparse warnings parisc: sba: Fix compile warning wrt list of SBA devices nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain 
spi: sun6i: reduce DMA RX transfer width to single byte bpf: Annotate bpf_long_memcpy with data_race dma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock ceph: drop messages from MDS when unmounting x86/reboot: VMCLEAR active VMCSes before emergency reboot i2c: npcm7xx: Fix callback completion ordering gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip firmware: arm_ffa: Don't set the memory region attributes for MEM_LEND arm64: dts: imx: Add imx8mm-prt8mm.dtb to build soc: imx8m: Enable OCOTP clock for imx8mm before reading registers selftests/powerpc: Fix emit_tests to work with run_kselftest.sh selftests/powerpc: Pass make context to children selftests/powerpc: Use CLEAN macro to fix make warning power: supply: rk817: Fix node refcount leak xtensa: boot/lib: fix function prototypes xtensa: umulsidi3: fix conditional expression xtensa: boot: don't add include-dirs xtensa: iss/network: make functions static xtensa: add default definition for XCHAL_HAVE_DIV32 firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels() power: supply: ucs1002: fix error code in ucs1002_get_property() bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot ARM: dts: Unify pinctrl-single pin group nodes for omap4 ARM: dts: Unify pwm-omap-dmtimer node names ARM: dts: ti: omap: Fix bandgap thermal cells addressing for omap3/4 ARM: dts: omap: correct indentation clk: tegra: fix error return case for recalc_rate clk: sprd: Fix thm_parents incorrect configuration power: supply: mt6370: Fix missing error code in mt6370_chg_toggle_cfo() firmware: arm_scmi: Fixup perf power-cost/microwatt support firmware: arm_scmi: Harden perf domain info access bus: ti-sysc: Fix missing AM35xx SoC matching bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset() drm/bridge: ti-sn65dsi83: Do not generate HFP/HBP/HSA and EOT packet spi: spi-gxp: BUG: Correct spi write 
return value MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent() btrfs: reset destination buffer when read_extent_buffer() gets invalid range drm/amdkfd: Insert missing TLB flush on GFX10 and later drm/amdkfd: Flush TLB after unmapping for GFX v9.4.3 scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id() scsi: qla2xxx: Select qpair depending on which CPU post_cmd() gets called wifi: ath11k: Cleanup mac80211 references on failure during tx_complete wifi: ath11k: fix tx status reporting in encap offload mode arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_CLR2SECK2 IOCTL f2fs: get out of a repeat loop when getting a locked data page f2fs: optimize iteration over sparse directories ARM: dts: qcom: msm8974pro-castor: correct touchscreen syna,nosleep-mode ARM: dts: qcom: msm8974pro-castor: correct touchscreen function names ARM: dts: qcom: msm8974pro-castor: correct inverted X of touchscreen ARM: dts: samsung: exynos4210-i9100: Fix LCD screen's physical size ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2 i2c: xiic: Correct return value check for xiic_reinit() i2c: mux: gpio: Add missing fwnode_handle_put() i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() cifs: Fix UAF in cifs_demultiplex_thread() proc: nommu: fix empty /proc/<pid>/maps proc: nommu: /proc/<pid>/maps: release mmap read lock igc: Expose tx-usecs coalesce setting to user octeontx2-pf: Do xdp_do_flush() after redirects. bnxt_en: Flush XDP for bnxt_poll_nitroa0()'s NAPI net: ena: Flush XDP packets on error. 
locking/seqlock: Do the lockdep annotation before locking in do_write_seqcount_begin_nested() i915/pmu: Move execlist stats initialization to execlist specific setup netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP netfilter: nf_tables: disable toggling dormant table state more than once net: rds: Fix possible NULL-pointer dereference team: fix null-ptr-deref when team device type is changed net: bridge: use DEV_STATS_INC() net: hns3: add 5ms delay before clear firmware reset irq source net: hns3: fix fail to delete tc flower rules during reset issue net: hns3: only enable unicast promisc when mac table full net: hns3: fix GRE checksum offload issue net: hns3: add cmdq check for vf periodic service task x86/srso: Fix SBPB enablement for spec_rstack_overflow=off x86/srso: Fix srso_show_state() side effect platform/x86: intel_scu_ipc: Fail IPC send if still busy platform/x86: intel_scu_ipc: Don't override scu in intel_scu_ipc_dev_simple_command() platform/x86: intel_scu_ipc: Check status upon timeout in ipc_wait_for_interrupt() platform/x86: intel_scu_ipc: Check status after timeout in busy_loop() net: hsr: Properly parse HSRv1 supervisor frames. 
x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer() dccp: fix dccp_v4_err()/dccp_v6_err() again powerpc/perf/hv-24x7: Update domain value check scsi: iscsi_tcp: restrict to TCP sockets ipv4: fix null-deref in ipv4_link_failure igc: Fix infinite initialization loop with early XDP redirect ionic: fix 16bit math issue when PAGE_SIZE >= 64KB netfilter, bpf: Adjust timeouts of non-confirmed CTs in bpf_ct_insert_entry() i40e: Fix VF VLAN offloading when port VLAN is configured iavf: schedule a request immediately after add/delete vlan iavf: add iavf_schedule_aq_request() helper ASoC: SOF: core: Only call sof_ops_free() on remove if the probe was successful iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set octeon_ep: fix tx dma unmap len values in SG ASoC: imx-audmix: Fix return error with devm_clk_get() ASoC: hdaudio.c: Add missing check for devm_kstrdup net/core: Fix ETH_P_1588 flow dissector selftests: tls: swap the TX and RX sockets in some tests netfilter: conntrack: fix extension size table ALSA: hda/realtek: Splitting the UX3402 into two separate models ASoC: rt5640: Fix IRQ not being free-ed for HDA jack detect mode ASoC: rt5640: Revert "Fix sleep in atomic context" bpf: Avoid deadlock when using queue and stack maps from NMI netfilter: nf_tables: disallow element removal on anonymous sets ASoC: meson: spdifin: start hw on dai probe netfilter: nf_tables: fix memleak when more than 255 elements expired netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration netfilter: nft_set_pipapo: stop GC iteration if GC transaction allocation fails netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction netfilter: nf_tables: defer gc run if previous batch is still pending netfilter: nf_tables: use correct lock to protect gc_list netfilter: nf_tables: GC 
transaction race with abort path netfilter: nf_tables: GC transaction race with netns dismantle netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path netfilter: nf_tables: don't fail inserts if duplicate has expired netfilter: nf_tables: remove busy mark and gc batch API netfilter: nft_set_hash: mark set element as dead when deleting from packet path netfilter: nf_tables: adapt set backend to use GC transaction API netfilter: nf_tables: GC transaction API to avoid race with control plane netfilter: nf_tables: don't skip expired elements during walk ext4: do not let fstrim block system suspend ext4: move setting of trimmed bit into ext4_try_to_trim_range() ext4: replace the traditional ternary conditional operator with with max()/min() btrfs: remove BUG() after failure to insert delayed dir index item btrfs: improve error message after failure to add delayed dir index item dm: fix a race condition in retrieve_deps netfs: Only call folio_start_fscache() one time for each folio media: via: Use correct dependency for camera sensor drivers media: v4l: Use correct dependency for camera sensor drivers NFSv4.1: fix pnfs MDS=DS session trunking NFSv4.1: use EXCHGID4_FLAG_USE_PNFS_DS for DS server SUNRPC: Mark the cred for revalidation if the server rejects it NFS/pNFS: Report EINVAL errors from connect() to the server NFS: More fixes for nfs_direct_write_reschedule_io() NFS: Use the correct commit info in nfs_join_page_group() NFS: More O_DIRECT accounting fixes for error paths NFS: Fix O_DIRECT locking issues NFS: Fix error handling for O_DIRECT write scheduling ANDROID: GKI: Fix firmware: smccc build error ANDROID: Move microdroid and crashdump defconfigs to common Linux 6.1.55 interconnect: Teach lockdep about icc_bw_lock order net/sched: Retire rsvp classifier drm/amdgpu: fix amdgpu_cs_p1_user_fence Revert "memcg: drop kmem.limit_in_bytes" drm/amd/display: fix the white screen issue when >= 64GB DRAM ext4: fix rec_len verify error scsi: 
pm8001: Setup IRQs on resume scsi: megaraid_sas: Fix deadlock on firmware crashdump ata: libahci: clear pending interrupt status ata: libata: disallow dev-initiated LPM transitions to unsupported states i2c: aspeed: Reset the i2c controller when timeout occurs tracefs: Add missing lockdown check to tracefs_create_dir() nfsd: fix change_info in NFSv4 RENAME replies selinux: fix handling of empty opts in selinux_fs_context_submount() tracing: Have option files inc the trace array ref count tracing: Have current_trace inc the trace array ref count tracing: Increase trace array ref count on enable and filter files tracing: Have event inject files inc the trace array ref count tracing: Have tracing_max_latency inc the trace array ref count btrfs: check for BTRFS_FS_ERROR in pending ordered assert btrfs: release path before inode lookup during the ino lookup ioctl btrfs: fix a compilation error if DEBUG is defined in btree_dirty_folio btrfs: fix lockdep splat and potential deadlock after failure running delayed items dm: don't attempt to queue IO under RCU protection Revert "drm/amd: Disable S/G for APUs when 64GB or more host memory" md: Put the right device in md_seq_next nvme: avoid bogus CRTO values io_uring/net: fix iter retargeting for selected buf ovl: fix incorrect fdput() on aio completion ovl: fix failed copyup of fileattr on a symlink attr: block mode changes of symlinks Revert "SUNRPC: Fail faster on bad verifier" md/raid1: fix error: ISO C90 forbids mixed declarations samples/hw_breakpoint: fix building without module unloading x86/purgatory: Remove LTO flags x86/boot/compressed: Reserve more memory for page tables panic: Reenable preemption in WARN slowpath scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file() scsi: target: core: Fix target_cmd_counter leak riscv: kexec: Align the kexeced kernel entry x86/ibt: Suppress spurious ENDBR selftests: tracing: Fix to unmount tracefs for recovering environment scsi: qla2xxx: Fix NULL vs IS_ERR() bug 
for debugfs_create_dir() drm: gm12u320: Fix the timeout usage for usb_bulk_msg() nvmet-tcp: pass iov_len instead of sg->length to bvec_set_page() nvmet: use bvec_set_page to initialize bvecs block: factor out a bvec_set_page helper btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super btrfs: add a helper to read the superblock metadata_uuid MIPS: Use "grep -E" instead of "egrep" misc: fastrpc: Fix incorrect DMA mapping unmap request misc: fastrpc: Prepare to dynamic dma-buf locking specification dma-buf: Add unlocked variant of attachment-mapping functions printk: Consolidate console deferred printing printk: Keep non-panic-CPUs out of console lock interconnect: Fix locking for runpm vs reclaim kobject: Add sanity check for kset->kobj.ktype in kset_register() media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning usb: chipidea: add workaround for chipidea PEC bug usb: ehci: add workaround for chipidea PORTSC.PEC bug misc: open-dice: make OPEN_DICE depend on HAS_IOMEM serial: cpm_uart: Avoid suspicious locking scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() tools: iio: iio_generic_buffer: Fix some integer type and calculation usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc usb: cdns3: Put the cdns set active part outside the spin lock media: pci: cx23885: replace BUG with error return media: tuners: qt1010: replace BUG_ON with a regular error scsi: lpfc: Abort outstanding ELS cmds when mailbox timeout error is detected media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() media: anysee: fix null-ptr-deref in anysee_master_xfer media: af9005: Fix null-ptr-deref in af9005_i2c_xfer media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer media: mdp3: Fix resource leaks in of_find_device_by_node PCI: fu740: Set the number of MSI vectors PCI: vmd: Disable 
bridge window for domain reset powerpc/pseries: fix possible memory leak in ibmebus_bus_init() ARM: 9317/1: kexec: Make smp stop calls asynchronous PCI: dwc: Provide deinit callback for i.MX jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount() ext2: fix datatype of block number in ext2_xattr_set2() md: raid1: fix potential OOB in raid1_remove_disk() bus: ti-sysc: Configure uart quirks for k3 SoC drm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer() drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable() drm/amd/display: Blocking invalid 420 modes on HDMI TMDS for DCN314 drm/amd/display: Blocking invalid 420 modes on HDMI TMDS for DCN31 drm/amd/display: Use DTBCLK as refclk instead of DPREFCLK ALSA: hda: intel-dsp-cfg: add LunarLake support ASoC: Intel: sof_sdw: Update BT offload config for soundwire config ASoC: SOF: topology: simplify code to prevent static analysis warnings drm/amd/display: Fix underflow issue on 175hz timing samples/hw_breakpoint: Fix kernel BUG 'invalid opcode: 0000' arm64: dts: qcom: sm8250-edo: correct ramoops pmsg-size arm64: dts: qcom: sm8150-kumano: correct ramoops pmsg-size arm64: dts: qcom: sm6350: correct ramoops pmsg-size arm64: dts: qcom: sm6125-pdx201: correct ramoops pmsg-size drm/edid: Add quirk for OSVR HDK 2.0 drm/bridge: tc358762: Instruct DSI host to generate HSE packets libbpf: Free btf_vmlinux when closing bpf_object wifi: mac80211_hwsim: drop short frames wifi: mac80211: check for station first in client probe wifi: cfg80211: ocb: don't leave if not joined wifi: cfg80211: reject auth/assoc to AP with our address netfilter: ebtables: fix fortify warnings in size_entry_mwt() wifi: mac80211: check S1G action frame size alx: fix OOB-read compiler warning mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450 tpm_tis: Resend command to recover from data transfer errors netlink: convert nlk->flags 
to atomic flags Bluetooth: Fix hci_suspend_sync crash crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() net/ipv4: return the real errno instead of -EINVAL net: Use sockaddr_storage for getsockopt(SO_PEERNAME). can: sun4i_can: Add support for the Allwinner D1 can: sun4i_can: Add acceptance register quirk wifi: wil6210: fix fortify warnings mt76: mt7921: don't assume adequate headroom for SDIO headers wifi: mwifiex: fix fortify warning wifi: ath9k: fix printk specifier wifi: ath9k: fix fortify warnings ice: Don't tx before switchdev is fully configured crypto: lrw,xts - Replace strlcpy with strscpy devlink: remove reload failed checks in params get/set callbacks selftests/nolibc: fix up kernel parameters support ACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects hw_breakpoint: fix single-stepping when using bpf_overflow_handler perf/imx_ddr: speed up overflow frequency of cycle perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09 ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470 scftorture: Forgive memory-allocation failure if KASAN rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle() kernel/fork: beware of __put_task_struct() calling context ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock btrfs: output extra debug info if we failed to find an inline backref autofs: fix memory leak of waitqueues in autofs_catatonic_mode Linux 6.1.54 drm/amd/display: Fix a bug when searching for insert_above_mpcc MIPS: Only fiddle with CHECKFLAGS if `need-compiler' kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). ixgbe: fix timestamp configuration code tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address. tcp: Fix bind() regression for v4-mapped-v6 wildcard address. tcp: Factorise sk_family-independent comparison in inet_bind2_bucket_match(_addr_any). ipv6: Remove in6addr_any alternatives. 
ipv6: fix ip6_sock_set_addr_preferences() typo net: macb: fix sleep inside spinlock net: macb: Enable PTP unicast net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() platform/mellanox: NVSW_SN2201 should depend on ACPI platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events platform/mellanox: mlxbf-pmc: Fix potential buffer overflows platform/mellanox: mlxbf-tmfifo: Drop jumbo frames platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors kcm: Fix memory leak in error path of kcm_sendmsg() r8152: check budget for r8152_poll() net: dsa: sja1105: block FDB accesses that are concurrent with a switch reset net: dsa: sja1105: serialize sja1105_port_mcast_flood() with other FDB accesses net: dsa: sja1105: fix multicast forwarding working only for last added mdb entry net: dsa: sja1105: propagate exact error code from sja1105_dynamic_config_poll_valid() net: dsa: sja1105: hide all multicast addresses from "bridge fdb show" net:ethernet:adi:adin1110: Fix forwarding offload net: ethernet: adi: adin1110: use eth_broadcast_addr() to assign broadcast address hsr: Fix uninit-value access in fill_frame_info() net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc() net: stmmac: fix handling of zero coalescing tx-usecs net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add selftests: Keep symlinks, when possible kselftest/runner.sh: Propagate SIGTERM to runner child net: ipv4: fix one memleak in __inet_del_ifa() kunit: Fix wild-memory-access bug in kunit_free_suite_set() drm/amdgpu: register a dirty framebuffer callback for fbcon drm/amd/display: Remove wait while locked drm/amd/display: always switch off ODM before committing more streams perf hists browser: Fix the number of entries for 'e' key perf tools: Handle old data in PERF_RECORD_ATTR perf test shell stat_bpf_counters: Fix test 
on Intel perf hists browser: Fix hierarchy mode header MIPS: Fix CONFIG_CPU_DADDI_WORKAROUNDS `modules_install' regression KVM: SVM: Skip VMSA init in sev_es_init_vmcb() if pointer is NULL KVM: SVM: Set target pCPU during IRTE update if target vCPU is running KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state KVM: nSVM: Check instead of asserting on nested TSC scaling support KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration KVM: SVM: Don't inject #UD if KVM attempts to skip SEV guest insn KVM: SVM: Take and hold ir_list_lock when updating vCPU's Physical ID entry drm/amd/display: prevent potential division by zero errors drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller mtd: rawnand: brcmnand: Fix potential false time out warning mtd: spi-nor: Correct flags for Winbond w25q128 mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write mtd: rawnand: brcmnand: Fix crash during the panic_write drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable() btrfs: use the correct superblock to compare fsid in btrfs_validate_super btrfs: zoned: re-enable metadata over-commit for zoned mode btrfs: set page extent mapped after read_folio in relocate_one_page btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART btrfs: free qgroup rsv on io failure btrfs: fix start transaction qgroup rsv double free btrfs: zoned: do not zone finish data relocation block group fuse: nlookup missing decrement in fuse_direntplus_link ata: pata_ftide010: Add missing MODULE_DESCRIPTION ata: sata_gemini: Add missing MODULE_DESCRIPTION ata: pata_falcon: fix IO base selection for Q40 ata: ahci: Add Elkhart Lake AHCI controller hwspinlock: qcom: add missing regmap config for SFPB MMIO implementation lib: test_scanf: Add explicit type cast to result initialization in test_number_prefix() f2fs: avoid false alarm of circular locking f2fs: 
flush inode if atomic file is aborted ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} ext4: add correct group descriptors and reserved GDT blocks to system zone jbd2: correct the end of the journal recovery scan range jbd2: check 'jh->b_transaction' before removing it from checkpoint jbd2: fix checkpoint cleanup performance regression dmaengine: sh: rz-dmac: Fix destination and source data size setting clocksource/drivers/arm_arch_timer: Disable timer before programming CVAL ARC: atomics: Add compiler barrier to atomic operations... net/mlx5: Free IRQ rmap and notifier on kernel shutdown Multi-gen LRU: avoid race in inc_min_seq() sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory() net: hns3: remove GSO partial feature bit net: hns3: fix the port information display when sfp is absent net: hns3: fix invalid mutex between tc qdisc and dcb ets command issue net: hns3: fix debugfs concurrency issue between kfree buffer and read net: hns3: fix byte order conversion issue in hclge_dbg_fd_tcam_read() net: hns3: fix tx timeout issue netfilter: nfnetlink_osf: avoid OOB read netfilter: nftables: exthdr: fix 4-byte stack OOB write bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check. bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in kern_sys_bpf(). 
bpf: Remove prog->active check for bpf_lsm and bpf_iter net: dsa: sja1105: complete tc-cbs offload support on SJA1110 net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too many times net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software and offload ip_tunnels: use DEV_STATS_INC() idr: fix param name in idr_alloc_cyclic() doc s390/zcrypt: don't leak memory if dev_set_name() fails igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 igc: Change IGC_MIN to allow set rx/tx value between 64 and 80 octeontx2-af: Fix truncation of smq in CN10K NIX AQ enqueue mbox handler kcm: Destroy mutex in kcm_exit_net() net: sched: sch_qfq: Fix UAF in qfq_dequeue() af_unix: Fix data race around sk->sk_err. af_unix: Fix data-races around sk->sk_shutdown. af_unix: Fix data-race around unix_tot_inflight. af_unix: Fix data-races around user->unix_inflight. bpf, sockmap: Fix skb refcnt race after locking changes net: phy: micrel: Correct bit assignments for phy_device flags net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr veth: Fixing transmit return status for dropped packets gve: fix frag_list chaining igb: disable virtualization features on 82580 ipv6: ignore dst hint for multipath routes ipv4: ignore dst hint for multipath routes mptcp: annotate data-races around msk->rmem_fwd_alloc net: annotate data-races around sk->sk_forward_alloc net: use sk_forward_alloc_get() in sk_get_meminfo() drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() drm/i915/gvt: Put the page reference obtained by KVM's gfn_to_pfn() drm/i915/gvt: Verify pfn is "valid" before dereferencing "struct page" xsk: Fix xsk_diag use-after-free error during socket cleanup net: fib: avoid warn splat in flow dissector net: read sk->sk_family once in sk_mc_loop() ipv4: annotate data-races around fi->fib_dead sctp: annotate data-races around sk->sk_wmem_queued net/sched: fq_pie: avoid stalls in 
fq_pie_timer() smb: propagate error code of extract_sharename() cifs: use fs_context for automounts blk-throttle: consider 'carryover_ios/bytes' in throtl_trim_slice() blk-throttle: use calculate_io/bytes_allowed() for throtl_trim_slice() drm/i915: mark requests for GuC virtual engines to avoid use-after-free perf test stat_bpf_counters_cgrp: Enhance perf stat cgroup BPF counter test perf test stat_bpf_counters_cgrp: Fix shellcheck issue about logical operators pwm: lpc32xx: Remove handling of PWM channels watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load perf top: Don't pass an ERR_PTR() directly to perf_session__delete() perf vendor events: Drop STORES_PER_INST metric event for power10 platform perf vendor events: Drop some of the JSON/events for power10 platform perf vendor events: Update the JSON/events descriptions for power10 platform x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm() perf annotate bpf: Don't enclose non-debug code with an assert() Input: tca6416-keypad - fix interrupt enable disbalance Input: tca6416-keypad - always expect proper IRQ number in i2c client backlight: gpio_backlight: Drop output GPIO direction check for initial power state pwm: atmel-tcb: Fix resource freeing in error path and remove pwm: atmel-tcb: Harmonize resource allocation order pwm: atmel-tcb: Convert to platform remove callback returning void perf trace: Really free the evsel->priv area perf trace: Use zfree() to reduce chances of use after free Input: iqs7222 - configure power mode before triggering ATI kconfig: fix possible buffer overflow mailbox: qcom-ipcc: fix incorrect num_chans counting gfs2: low-memory forced flush fixes gfs2: Switch to wait_event in gfs2_logd tpm_crb: Fix an error handling path in crb_acpi_add() kbuild: do not run depmod for 'make modules_sign' kbuild: rpm-pkg: define _arch conditionally net: deal with integer overflows in kmalloc_reserve() net: factorize code in kmalloc_reserve() net: remove osize variable 
in __alloc_skb() net: add SKB_HEAD_ALIGN() helper bus: mhi: host: Skip MHI reset if device is in RDDM NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info NFS: Fix a potential data corruption clk: qcom: mss-sc7180: fix missing resume during probe clk: qcom: q6sstop-qcs404: fix missing resume during probe clk: qcom: lpasscc-sc7280: fix missing resume during probe clk: qcom: dispcc-sm8450: fix runtime PM imbalance on probe errors soc: qcom: qmi_encdec: Restrict string length in decode clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock clk: imx: pll14xx: align pdiv with reference manual clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz dt-bindings: clock: xlnx,versal-clk: drop select:false pinctrl: cherryview: fix address_space_handler() argument cifs: update desired access while requesting for directory lease parisc: led: Reduce CPU overhead for disk & lan LED computation parisc: led: Fix LAN receive and transmit LEDs lib/test_meminit: allocate pages up to order MAX_ORDER mm: hugetlb_vmemmap: fix a race between vmemmap pmd split memcg: drop kmem.limit_in_bytes send channel sequence number in SMB3 requests after reconnects arm64: dts: renesas: rzg2l: Fix txdv-skew-psec typos clk: qcom: turingcc-qcs404: fix missing resume during probe ASoC: tegra: Fix SFC conversion for few rates drm/ast: Fix DRAM init on AST2200 clk: qcom: camcc-sc7180: fix async resume during probe fbdev/ep93xx-fb: Do not assign to struct fb_info.dev null_blk: fix poll request timeout handling scsi: qla2xxx: Fix firmware resource tracking scsi: qla2xxx: Error code did not return to upper layer scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() scsi: qla2xxx: Flush mailbox commands on chip reset scsi: qla2xxx: Remove unsupported ql2xenabledif option scsi: qla2xxx: Fix TMF leak through scsi: qla2xxx: Fix session hang in gnl scsi: qla2xxx: Turn off noisy message log scsi: qla2xxx: Fix erroneous link up failure scsi: qla2xxx: Fix command flush during TMF 
scsi: qla2xxx: fix inconsistent TMF timeout scsi: qla2xxx: Fix deletion race condition scsi: qla2xxx: Limit TMF to 8 per function scsi: qla2xxx: Adjust IOCB resource on qpair create drm/virtio: Conditionally allocate virtio_gpu_fence io_uring: Don't set affinity on a dying sqpoll thread io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used io_uring: break out of iowq iopoll on teardown io_uring/net: don't overflow multishot accept io_uring: revert "io_uring fix multishot accept ordering" io_uring: always lock in io_apoll_task_func Multi-gen LRU: fix per-zone reclaim mm: multi-gen LRU: rename lrugen->lists[] to lrugen->folios[] net/ipv6: SKB symmetric hash should incorporate transport ports ANDROID: GKI: fix up merge issue in drivers/scsi/storvsc_drv.c Linux 6.1.53 udf: initialize newblock to 0 clk: Avoid invalid function names in CLK_OF_DECLARE() treewide: Fix probing of devices in DT overlays clk: Mark a fwnode as initialized when using CLK_OF_DECLARE() macro md: fix regression for null-ptr-deference in __md_stop() NFSv4.2: Rework scratch handling for READ_PLUS (again) NFSv4.2: Fix a potential double free with READ_PLUS md: Free resources in __md_stop Revert "drm/amd/display: Do not set drr on pipe commit" tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY serial: sc16is7xx: fix regression with GPIO configuration serial: sc16is7xx: remove obsolete out_thread label perf/x86/uncore: Correct the number of CHAs on EMR x86/sgx: Break up long non-preemptible delays in sgx_vepc_release() USB: core: Fix oversight in SuperSpeed initialization USB: core: Fix race by not overwriting udev->descriptor in hub_port_init() USB: core: Change usb_get_device_descriptor() API USB: core: Unite old scheme and new scheme descriptor reads usb: typec: bus: verify partner exists in typec_altmode_attention usb: typec: tcpm: set initial svdm version based on pd revision of: property: fw_devlink: Add a devlink for panel followers cpufreq: brcmstb-avs-cpufreq: Fix 
-Warray-bounds bug crypto: stm32 - fix loop iterating through scatterlist for DMA s390/dasd: fix string length handling s390/ipl: add missing secure/has_secure file to ipl type 'unknown' s390/dcssblk: fix kernel crash with list_add corruption arm64: sdei: abort running SDEI handlers during crash pstore/ram: Check start of empty przs during init mmc: renesas_sdhi: register irqs before registering controller platform/chrome: chromeos_acpi: print hex string for ACPI_TYPE_BUFFER x86/MCE: Always save CS register on AMD Zen IF Poison errors fsverity: skip PKCS#7 parser when keyring is empty net: handle ARPHRD_PPP in dev_is_mac_header_xmit() X.509: if signature is unsupported skip validation r8169: fix ASPM-related issues on a number of systems with NIC version from RTL8168h x86/sev: Make enc_dec_hypercall() accept a size instead of npages dccp: Fix out of bounds access in DCCP error handler dlm: fix plock lookup when using multiple lockspaces bpf: Fix issue in verifying allow_ptr_leaks drm/amd/display: Add smu write msg id fail retry process parisc: Fix /proc/cpuinfo output for lscpu procfs: block chmod on /proc/thread-self/comm block: don't add or resize partition on the disk with GENHD_FL_NO_PART Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset" ntb: Fix calculation ntb_transport_tx_free_entry() ntb: Clean up tx tail index on link down ntb: Drop packets when qp link is down PCI/PM: Only read PCI_PM_CTRL register when available PCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation PCI: Free released resource after coalescing scsi: mpt3sas: Perform additional retries if doorbell read returns 0 Revert "scsi: qla2xxx: Fix buffer overrun" media: venus: hfi_venus: Write to VIDC_CTRL_INIT after unmasking interrupts media: dvb: symbol fixup for dvb_attach() ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs. 
arm64: csum: Fix OoB access in IP checksum code for negative lengths i3c: master: svc: fix probe failure when no i3c device exist LoongArch: mm: Add p?d_leaf() definitions xtensa: PMU: fix base address for the newer hardware drm/amd/display: register edp_backlight_control() for DCN301 backlight/lv5207lp: Compare against struct fb_info.device backlight/bd6107: Compare against struct fb_info.device backlight/gpio_backlight: Compare against struct fb_info.device io_uring: break iopolling on signal XArray: Do not return sibling entries from xa_load() ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch() ipmi_si: fix a memleak in try_smi_init() PCI: rockchip: Use 64-bit mask on MSI 64-bit PCI address media: i2c: Add a camera sensor top level menu media: i2c: ccs: Check rules is non-NULL cpu/hotplug: Prevent self deadlock on CPU hot-unplug mm/vmalloc: add a safer version of find_vm_area() for debug scsi: core: Fix the scsi_set_resid() documentation printk: ringbuffer: Fix truncating buffer size min_t cast rcu: dump vmalloc memory info safely ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl PM / devfreq: Fix leak in devfreq_dev_release() igb: set max size RX buffer when store bad packet is enabled skbuff: skb_segment, Call zero copy functions before using skbuff frags netfilter: xt_sctp: validate the flag_info count netfilter: xt_u32: validate user space input netfilter: nft_exthdr: Fix non-linear header modification netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU virtio_ring: fix avail_wrap_counter in virtqueue_add_packed cpufreq: Fix the race condition while updating the transition_task of policy Drivers: hv: vmbus: Don't dereference ACPI root object handle dmaengine: ste_dma40: Add missing IRQ check in d40_probe um: Fix hostaudio build errors mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume() mtd: spi-nor: Check bus width while setting 
QE bit leds: trigger: tty: Do not use LED_ON/OFF constants, use led_blink_set_oneshot instead leds: Fix BUG_ON check for LED_COLOR_ID_MULTI that is always false leds: multicolor: Use rounded division when calculating color components leds: pwm: Fix error code in led_pwm_create_fwnode() rpmsg: glink: Add check for kstrdup phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328 dmaengine: idxd: Modify the dependence of attribute pasid_enabled mtd: rawnand: brcmnand: Fix mtd oobsize tracing: Fix race issue between cpu buffer write and swap tracing: Remove extra space at the end of hwlat_detector/mode x86/speculation: Mark all Skylake CPUs as vulnerable to GDS tick/rcu: Fix false positive "softirq work is pending" messages platform/x86/amd/pmf: Fix a missing cleanup path HID: multitouch: Correct devm device reference for hidinput input_dev name HID: uclogic: Correct devm device reference for hidinput input_dev name HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode() RDMA/efa: Fix wrong resources deallocation order RDMA/siw: Correct wrong debug message RDMA/siw: Balance the reference of cep->kref in the error path Revert "IB/isert: Fix incorrect release of isert connection" amba: bus: fix refcount leak serial: tegra: handle clk prepare error in tegra_uart_hw_init() interconnect: qcom: bcm-voter: Use enable_maks for keepalive voting interconnect: qcom: bcm-voter: Improve enable_mask handling interconnect: qcom: sm8450: Enable sync_state scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock scsi: core: Use 32-bit hostnum in scsi_host_lookup() RDMA/irdma: Prevent zero-length STAG registration coresight: trbe: Fix TRBE potential sleep in atomic context cgroup:namespace: Remove unused cgroup_namespaces_init() Revert "f2fs: fix to do sanity check on extent cache correctly" f2fs: Only lfs mode is allowed with 
zoned block device feature f2fs: judge whether discard_unit is section only when have CONFIG_BLK_DEV_ZONED f2fs: fix to avoid mmap vs set_compress_option case media: i2c: rdacm21: Fix uninitialized value media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors media: ov2680: Fix ov2680_set_fmt() which == V4L2_SUBDEV_FORMAT_TRY not working media: ov2680: Add ov2680_fill_format() helper function media: ov2680: Don't take the lock for try_fmt calls media: ov2680: Remove VIDEO_V4L2_SUBDEV_API ifdef-s media: ov2680: Fix vflip / hflip set functions media: ov2680: Fix ov2680_bayer_order() media: ov2680: Remove auto-gain and auto-exposure controls media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips media: ov5640: Fix initial RESETB state and annotate timings media: ov5640: Enable MIPI interface in ov5640_set_power_mipi() HID: input: Support devices sending Eraser without Invert drivers: base: Free devm resources when unregistering a device USB: gadget: f_mass_storage: Fix unused variable warning USB: gadget: core: Add missing kerneldoc for vbus_work docs: ABI: fix spelling/grammar in SBEFIFO timeout interface media: venus: hfi_venus: Only consider sys_idle_indicator on V1 media: go7007: Remove redundant if statement media: cec: core: add adap_unconfigured() callback media: cec: core: add adap_nb_transmit_canceled() callback platform/x86: dell-sysman: Fix reference leak iommu/vt-d: Fix to flush cache of PASID directory table iommu/qcom: Disable and reset context bank before programming fsi: aspeed: Reset master errors after CFAM reset IB/uverbs: Fix an potential error pointer dereference RDMA/hns: Fix CQ and QP cache affinity RDMA/hns: Fix inaccurate error label name in init instance RDMA/hns: Fix incorrect post-send with direct wqe of wr-list RDMA/hns: Fix port active speed iommu/sprd: Add missing force_aperture iommu/mediatek: Fix two IOMMU share pagetable issue iommu/mediatek: Remove unused "mapping" member from mtk_iommu_data extcon: 
cht_wc: add POWER_SUPPLY dependency kernfs: add stub helper for kernfs_generic_poll() driver core: Call dma_cleanup() on the test_remove path driver core: test_async: fix an error code dma-buf/sync_file: Fix docs syntax interconnect: qcom: qcm2290: Enable sync state coresight: tmc: Explicit type conversions to prevent integer overflow RDMA/irdma: Replace one-element array with flexible-array member scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly RDMA/rxe: Fix incomplete state save in rxe_requester RDMA/rxe: Split rxe_run_task() into two subroutines x86/APM: drop the duplicate APM_MINOR_DEV macro serial: sprd: Fix DMA buffer leak issue serial: sprd: Assign sprd_port after initialized to avoid wrong access iio: accel: adxl313: Fix adxl313_i2c_id[] table scsi: qla4xxx: Add length check when parsing nlattrs scsi: be2iscsi: Add length check when parsing nlattrs scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param() scsi: iscsi: Add length check for nlattr payload scsi: iscsi: Rename iscsi_set_param() to iscsi_if_set_param() scsi: RDMA/srp: Fix residual handling usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host() media: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init() media: mediatek: vcodec: fix potential double free media: mediatek: vcodec: Return NULL if no vdec_fb is found media: amphion: ensure the bitops don't cross boundaries media: amphion: fix UNUSED_VALUE issue reported by coverity media: amphion: fix UNINIT issues reported by coverity media: amphion: fix REVERSE_INULL issues reported by coverity media: amphion: fix CHECKED_RETURN issues reported by coverity media: rkvdec: increase max supported height for H.264 media: mtk-jpeg: Fix use after free bug due to uncanceled work media: amphion: add helper function to get id name media: 
amphion: reinit vpu if reqbufs output 0 dt-bindings: extcon: maxim,max77843: restrict connector properties scsi: hisi_sas: Fix normally completed I/O analysed as failed scsi: hisi_sas: Fix warnings detected by sparse RDMA/siw: Fabricate a GID on tun and loopback devices media: cx24120: Add retval check for cx24120_message_send() media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer() media: dib7000p: Fix potential division by zero drivers: usb: smsusb: fix error handling code in smsusb_init_device iommu: rockchip: Fix directory table address encoding iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link() media: i2c: tvp5150: check return value of devm_kasprintf() media: ad5820: Drop unsupported ad5823 from i2c_ and of_device_id tables media: ov5640: fix low resolution image abnormal issue RDMA/qedr: Remove a duplicate assignment in irdma_query_ah() cgroup/cpuset: Inherit parent's load balance state in v2 pNFS: Fix assignment of xprtdata.cred NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN NFSD: da_addr_body field missing in some GETDEVICEINFO replies fs: lockd: avoid possible wrong NULL parameter jfs: validate max amount of blocks before allocation. 
ext4: fix unttached inode after power cut with orphan file feature enabled powerpc/iommu: Fix notifiers being shared by PCI and VIO buses powerpc/mpc5xxx: Add missing fwnode_handle_put() powerpc/pseries: Fix hcall tracepoints with JUMP_LABEL=n nfs/blocklayout: Use the passed in gfp flags powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT powerpc: Don't include lppaca.h in paca.h NFSv4.2: Fix READ_PLUS size calculations NFSv4.2: Fix up READ_PLUS alignment NFSv4.2: Fix READ_PLUS smatch warnings NFSv4.2: Rework scratch handling for READ_PLUS wifi: ath10k: Use RMW accessors for changing LNKCTL wifi: ath11k: Use RMW accessors for changing LNKCTL net/mlx5: Use RMW accessors for changing LNKCTL drm/radeon: Use RMW accessors for changing LNKCTL drm/amdgpu: Use RMW accessors for changing LNKCTL powerpc/perf: Convert fsl_emb notifier to state machine callbacks powerpc/fadump: reset dump area size if fadump memory reserve fails nvdimm: Fix dereference after free in register_nvdimm_pmu() nvdimm: Fix memleak of pmu attr_groups in unregister_nvdimm_pmu() vfio/type1: fix cap_migration information leak powerpc/radix: Move some functions into #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE clk: imx: composite-8m: fix clock pauses when set_rate would be a no-op clk: imx8mp: fix sai4 clock clk: imx: imx8ulp: update SPLL2 type clk: imx: pllv4: Fix SPLL2 MULT range clk: qcom: gcc-sm8450: Use floor ops for SDCC RCGs PCI/ASPM: Use RMW accessors for changing LNKCTL PCI: pciehp: Use RMW accessors for changing LNKCTL PCI: Add locking to RMW PCI Express Capability Register accessors PCI: Allow drivers to request exclusive config regions pinctrl: mcp23s08: check return value of devm_kasprintf() PCI: Mark NVIDIA T4 GPUs to avoid bus reset PCI: microchip: Correct the DED and SEC interrupt bit offsets clk: qcom: gcc-sm6350: Fix gcc_sdcc2_apps_clk_src clk: qcom: reset: Use the correct type of sleep/delay based on length kvm/vfio: ensure kvg instance stays around in kvm_vfio_group_add() 
kvm/vfio: Prepare for accepting vfio device fd clk: qcom: gcc-sm8250: Fix gcc_sdcc2_apps_clk_src ext4: avoid potential data overflow in next_linear_group ext4: correct grp validation in ext4_mb_good_group EDAC/igen6: Fix the issue of no error events clk: qcom: gcc-sc7180: Fix up gcc_sdcc2_apps_clk_src clk: sunxi-ng: Modify mismatched function name PCI/DOE: Fix destroy_work_on_stack() race drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init() PCI: qcom-ep: Switch MHI bus master clock off during L1SS PCI: apple: Initialize pcie->nvecs before use clk: rockchip: rk3568: Fix PLL rate setting for 78.75MHz clk: qcom: gcc-sc8280xp: Add missing GDSCs dt-bindings: clock: qcom,gcc-sc8280xp: Add missing GDSCs clk: qcom: gcc-sc8280xp: Add missing GDSC flags clk: qcom: gcc-sc8280xp: Add EMAC GDSCs clk: qcom: gpucc-sm6350: Fix clock source names clk: qcom: gpucc-sm6350: Introduce index-based clk lookup ipmi:ssif: Fix a memory leak when scanning for an adapter ipmi:ssif: Add check for kstrdup ALSA: ac97: Fix possible error value of *rac97 of: unittest: Fix overlay type in apply/revert check of: overlay: Call of_changeset_init() early ASoC: SOF: amd: clear dsp to host interrupt status md: raid0: account for split bio in iostat accounting md/raid0: Fix performance regression for large sequential writes md/raid0: Factor out helper for mapping and submitting a bio md: add error_handlers for raid0 and linear firmware: cs_dsp: Fix new control name check md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid() md/raid5-cache: fix a deadlock in r5l_exit_log() bus: ti-sysc: Fix cast to enum warning arm64: dts: qcom: sc8280xp-x13s: Unreserve NC pins arm64: dts: qcom: msm8996: Fix dsi1 interrupts arm64: dts: qcom: msm8998: Add missing power domain to MMSS SMMU arm64: dts: qcom: msm8998: Drop bus clock reference from MMSS SMMU arm64: dts: qcom: apq8016-sbc: Fix ov5640 regulator supply names drm/mediatek: Fix potential memory leak if vmap() fail ARM: dts: qcom: ipq4019: 
correct SDHCI XO clock drm/mediatek: Remove freeing not dynamic allocated memory bus: ti-sysc: Fix build warning for 64-bit build drm/mediatek: dp: Add missing error checks in mtk_dp_parse_capabilities io_uring: fix drain stalls by invalid SQE block/mq-deadline: use correct way to throttling write requests audit: fix possible soft lockup in __audit_inode_child() drm/msm/a2xx: Call adreno_gpu_init() earlier drm/amd/pm: fix variable dereferenced issue in amdgpu_device_attr_create() smackfs: Prevent underflow in smk_set_cipso() drm/msm/dpu: fix the irq index in dpu_encoder_phys_wb_wait_for_commit_done firmware: meson_sm: fix to avoid potential NULL pointer dereference drm/msm/mdp5: Don't leak some plane state soc: qcom: smem: Fix incompatible types in comparison drm: xlnx: zynqmp_dpsub: Add missing check for dma_set_mask ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig drm/panel: simple: Add missing connector type and pixel format for AUO T215HVN01 drm/repaper: Reduce temporary buffer size in repaper_fb_dirty() drm/armada: Fix off-by-one error in armada_overlay_get_property() ARM: dts: BCM53573: Fix Tenda AC9 switch CPU port arm64: dts: qcom: sm8150: Fix the I2C7 interrupt of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name() drm/tegra: dpaux: Fix incorrect return value of platform_get_irq drm/msm: Update dev core dump to not print backwards md/md-bitmap: hold 'reconfig_mutex' in backlog_store() md/md-bitmap: remove unnecessary local variable in backlog_store() md/raid10: use dereference_rdev_and_rrdev() to get devices md/raid10: factor out dereference_rdev_and_rrdev() md: restore 'noio_flag' for the last mddev_resume() md: Change active_io to percpu md: Factor out is_md_suspended helper drm/amdgpu: Update min() to min_t() in 'amdgpu_info_ioctl' arm64: dts: qcom: msm8996-gemini: fix touchscreen VIO supply arm64: dts: qcom: sdm845: Fix the min frequency of "ice_core_clk" arm64: dts: qcom: sdm845: Add missing RPMh power domain to GCC ARM: 
dts: BCM53573: Fix Ethernet info for Luxul devices drm: adv7511: Fix low refresh rate register for ADV7533/5 ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split) ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210 ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split) drm/bridge: anx7625: Use common macros for HDCP capabilities drm/bridge: anx7625: Use common macros for DP power sequencing commands x86/mm: Fix PAT bit missing from page protection modify mask block: don't allow enabling a cache on devices that don't support it block: cleanup queue_wc_store drm/etnaviv: fix dumping of active MMU context arm64: tegra: Fix HSUART for Smaug arm64: dts: qcom: pmi8994: Add missing OVP interrupt arm64: dts: qcom: pm660l: Add missing short interrupt arm64: dts: qcom: pm6150l: Add missing short interrupt arm64: dts: qcom: sm8250-sony-xperia: correct GPIO keys wakeup again arm64: tegra: Fix HSUART for Jetson AGX Orin ARM: dts: BCM53573: Use updated "spi-gpio" binding properties ARM: dts: BCM53573: Add cells sizes to PCIe node ARM: dts: BCM53573: Drop nonexistent #usb-cells drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar() firmware: ti_sci: Use system_state to determine polling ARM: dts: stm32: Add missing detach mailbox for DHCOM SoM ARM: dts: stm32: Update to generic ADC channel binding on DHSOM systems ARM: dts: stm32: Add missing detach mailbox for Odyssey SoM ARM: dts: stm32: YAML validation fails for Odyssey Boards ARM: dts: stm32: Add missing detach mailbox for emtrion emSBC-Argon ARM: dts: stm32: adopt generic iio bindings for adc channels on emstamp-argon ARM: dts: stm32: YAML validation fails for Argon Boards ARM: dts: stm32: Rename mdio0 to mdio arm64: dts: qcom: sm8250: Mark PCIe hosts as DMA coherent arm64: dts: qcom: pmk8350: fix ADC-TM compatible string arm64: dts: qcom: pmr735b: fix thermal zone name arm64: dts: qcom: pm8350b: fix thermal zone name arm64: dts: qcom: pm8350: 
fix thermal zone name arm64: dts: qcom: sm8350: Use proper CPU compatibles arm64: dts: qcom: sm8350: Add missing LMH interrupts to cpufreq arm64: dts: qcom: sm8350: Fix CPU idle state residency times arm64: dts: qcom: sdm845-tama: Set serial indices and stdout-path arm64: dts: qcom: msm8996: Add missing interrupt to the USB2 controller arm64: dts: qcom: sc8280xp: Add missing SCM interconnect arm64: dts: qcom: sc8280xp-crd: Correct vreg_misc_3p3 GPIO arm64: dts: qcom: sm8250-edo: Rectify gpio-keys arm64: dts: qcom: sm8250-edo: Add GPIO line names for PMIC GPIOs arm64: dts: qcom: sm8250-edo: Add gpio line names for TLMM arm64: dts: qcom: msm8916-l8150: correct light sensor VDDIO supply arm64: dts: qcom: sm8250: correct dynamic power coefficients arm64: dts: qcom: sm6350: Fix ZAP region soc: qcom: ocmem: Fix NUM_PORTS & NUM_MACROS macros soc: qcom: ocmem: Add OCMEM hardware version print ASoC: stac9766: fix build errors with REGMAP_AC97 drm/hyperv: Fix a compilation issue because of not including screen_info.h drm/amd/display: Do not set drr on pipe commit quota: fix dqput() to follow the guarantees dquot_srcu should provide quota: add new helper dquot_active() quota: rename dquot_active() to inode_quota_active() quota: factor out dquot_write_dquot() ASoC: cs43130: Fix numerator/denominator mixup drm/bridge: tc358764: Fix debug print parameter order netrom: Deny concurrent connect(). 
net/sched: sch_hfsc: Ensure inner classes have fsc curve sfc: Check firmware supports Ethernet PTP filter cteonxt2-pf: Fix backpressure config for multiple PFC priorities to work simultaneously octeontx2-pf: Fix PFC TX scheduler free octeontx2-pf: Refactor schedular queue alloc/free calls hwmon: (tmp513) Fix the channel number in tmp51x_is_visible() mlxsw: core_hwmon: Adjust module label names based on MTCAP sensor counter mlxsw: i2c: Limit single transaction buffer size mlxsw: i2c: Fix chunk size setting in output mailbox buffer net: arcnet: Do not call kfree_skb() under local_irq_disable() ice: avoid executing commands on other ports when driving sync wifi: ath9k: use IS_ERR() with debugfs_create_dir() arm64: mm: use ptep_clear() instead of pte_clear() in clear_flush() Bluetooth: btusb: Do not call kfree_skb() under spin_lock_irqsave() wifi: mwifiex: avoid possible NULL skb pointer dereference mac80211: make ieee80211_tx_info padding explicit wifi: nl80211/cfg80211: add forgotten nla_policy for BSS color attribute wifi: ath9k: protect WMI command response buffer replacement with a lock wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx samples/bpf: fix broken map lookup probe samples/bpf: fix bio latency check with tracepoint ARM: dts: Add .dts files missing from the build wifi: mwifiex: Fix missed return in oob checks failed path wifi: mwifiex: fix memory leak in mwifiex_histogram_read() net: annotate data-races around sk->sk_lingertime fs: ocfs2: namei: check return value of ocfs2_add_entry() lwt: Check LWTUNNEL_XMIT_CONTINUE strictly lwt: Fix return values of BPF xmit ops hwrng: iproc-rng200 - Implement suspend and resume calls crypto: caam - fix unchecked return value error ice: ice_aq_check_events: fix off-by-one check when filling buffer net-memcg: Fix scope of sockmem pressure indicators selftests/bpf: Clean up fmod_ret in bench_rename test script selftests/bpf: Fix repeat option when kfunc_call verification fails net: tcp: fix unexcepted 
socket die when snd_wnd is 0 Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor() Bluetooth: hci_sync: Don't double print name in add/remove adv_monitor Bluetooth: Fix potential use-after-free when clear keys Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe() crypto: api - Use work queue in crypto_destroy_instance crypto: stm32 - Properly handle pm_runtime_get failing kbuild: rust_is_available: fix confusion when a version appears in the path kbuild: rust_is_available: add check for `bindgen` invocation kbuild: rust_is_available: fix version check when CC has multiple arguments kbuild: rust_is_available: remove -v option selftests/bpf: fix static assert compilation issue for test_cls_*.c wifi: mwifiex: fix error recovery in PCIE buffer descriptor management wifi: mwifiex: Fix OOB and integer underflow when rx packets wifi: mt76: mt7915: fix power-limits while chan_switch can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe() wifi: mt76: testmode: add nla_policy for MT76_TM_ATTR_TX_LENGTH bpf: reject unhashed sockets in bpf_sk_assign udp: re-score reuseport groups when connected sockets are present wifi: mt76: mt7921: fix non-PSC channel scan fail wifi: rtw89: debug: Fix error handling in rtw89_debug_priv_btc_manual_set() regmap: rbtree: Use alloc_flags for memory allocations hwrng: pic32 - use devm_clk_get_enabled hwrng: nomadik - keep clock enabled while hwrng is registered tcp: tcp_enter_quickack_mode() should be static crypto: qat - change value of default idle filter bpf: Fix an error in verifying a field in a union bpf: Clear the probe_addr for uprobe libbpf: Fix realloc API handling in zero-sized edge cases bpftool: Use a local bpf_perf_event_value to fix accessing its fields bpftool: Use a local copy of BPF_LINK_TYPE_PERF_EVENT in pid_iter.bpf.c bpftool: Define a local bpf_perf_link to fix 
accessing its fields bpftool: use a local copy of perf_event to fix accessing :: Bpf_cookie selftests/bpf: Fix bpf_nf failure upon test rerun cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit() x86/efistub: Fix PCI ROM preservation in mixed mode cpufreq: amd-pstate-ut: Fix kernel panic when loading the driver cpufreq: amd-pstate-ut: Remove module parameter access thermal/of: Fix potential uninitialized value access ACPI: x86: s2idle: Fix a logic error parsing AMD constraints table ACPI: x86: s2idle: Post-increment variables when getting constraints irqchip/loongson-eiointc: Fix return value checking of eiointc_index s390/paes: fix PKEY_TYPE_EP11_AES handling for secure keyblobs s390/pkey: fix PKEY_TYPE_EP11_AES handling for sysfs attributes s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_GENSECK2 IOCTL s390/pkey: fix/harmonize internal keyblob headers selftests/futex: Order calls to futex_lock_pi perf/imx_ddr: don't enable counter0 if none of 4 counters are used sched/rt: Fix sysctl_sched_rr_timeslice intial value arm64/fpsimd: Only provide the length to cpufeature for xCR registers arm64/sme: Don't use streaming mode to probe the maximum SME VL x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved sched/psi: Select KERNFS as needed arm64/ptrace: Clean up error handling path in sve_set_common() selftests/resctrl: Close perf value read fd on errors selftests/resctrl: Unmount resctrl FS if child fails to run benchmark selftests/resctrl: Don't leak buffer in fill_cache() selftests/resctrl: Add resctrl.h into build deps OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd() refscale: Fix uninitalized use of wait_queue_head_t ARM: ptrace: Restore syscall skipping for tracers ARM: ptrace: Restore syscall restart tracing vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing selftests/harness: Actually report SKIP for signal tests tmpfs: verify {g,u}id mount options correctly iomap: Remove large folio 
handling in iomap_invalidate_folio() fs: Fix error checking for d_hash_and_lookup() eventfd: prevent underflow for eventfd semaphores reiserfs: Check the return value from __getblk() tools/resolve_btfids: Fix setting HOSTCFLAGS tools/resolve_btfids: Pass HOSTCFLAGS as EXTRA_CFLAGS to prepare targets tools/resolve_btfids: Tidy HOST_OVERRIDES tools/resolve_btfids: Compile resolve_btfids as host program tools/resolve_btfids: Alter how HOSTCC is forced tools/resolve_btfids: Install subcmd headers tools/resolve_btfids: Use pkg-config to locate libelf tools lib subcmd: Add dependency test to install_headers tools lib subcmd: Make install_headers clearer tools lib subcmd: Add install target Revert "net: macsec: preserve ingress frame ordering" Revert "PCI: tegra194: Enable support for 256 Byte payload" Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN udf: Handle error when adding extent to a file udf: Check consistency of Space Bitmap Descriptor drm/amd/display: ensure async flips are only accepted for fast updates net: Avoid address overwrite in kernel_connect KVM: x86/mmu: Add "never" option to allow sticky disabling of nx_huge_pages KVM: x86/mmu: Use kstrtobool() instead of strtobool() tpm: Enable hwrng only for Pluton on AMD CPUs crypto: rsa-pkcs1pad - Use helper to set reqsize cpufreq: intel_pstate: set stale CPU frequency to minimum of: property: Simplify of_link_to_phandle() platform/mellanox: Fix mlxbf-tmfifo not handling all virtio CONSOLE notifications tracing: Introduce pipe_cpumask to avoid race on trace_pipes net: sfp: handle 100G/25G active optical cables in sfp_parse_support ALSA: seq: oss: Fix racy open/close of MIDI devices LoongArch: Fix the write_fcsr() macro LoongArch: Let pmd_present() return true when splitting pmd scsi: lpfc: Fix incorrect big endian type assignment in bsg loopback path scsi: storvsc: Always set no_report_opcodes scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity sctp: handle invalid error codes without 
calling BUG() cifs: fix max_credits implementation cifs: fix sockaddr comparison in iface_cmp bnx2x: fix page fault following EEH recovery netlabel: fix shift wrapping bug in netlbl_catmap_setlong() wifi: mac80211: Use active_links instead of valid_links in Tx wifi: cfg80211: remove links only on AP drm/amdgpu: Match against exact bootloader status net: hns3: restore user pause configure when disable autoneg scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock scsi: lpfc: Remove reftag check in DIF paths platform/x86/amd/pmf: Fix unsigned comparison with less than zero idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM powerpc/powermac: Use early_* IO variants in via_calibrate_decr() wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1() net: usb: qmi_wwan: add Quectel EM05GV2 net: annotate data-races around sk->sk_{rcv|snd}timeo net: dsa: microchip: KSZ9477 register regmap alignment to 32 bit boundaries Revert "wifi: ath6k: silence false positive -Wno-dangling-pointer warning on GCC 12" vmbus_testing: fix wrong python syntax for integer value comparison clk: fixed-mmio: make COMMON_CLK_FIXED_MMIO depend on HAS_IOMEM kprobes: Prohibit probing on CFI preamble symbol security: keys: perform capable check only on privileged operations staging: fbtft: ili9341: use macro FBTFT_REGISTER_SPI_DRIVER ALSA: usb-audio: Update for native DSD support quirks ata: pata_arasan_cf: Use dev_err_probe() instead dev_err() in data_xfer() ovl: Always reevaluate the file signature for IMA drm/amd/display: Exit idle optimizations before attempt to access PHY drm/amd/display: Guard DCN31 PHYD32CLK logic against chip family drm/amd/smu: use AverageGfxclkFrequency* to replace previous GFX Curr Clock platform/x86: huawei-wmi: Silence ambient light sensor platform/x86: asus-wmi: Fix setting RGB mode on some TUF laptops platform/x86: think-lmi: Use kfree_sensitive instead of kfree platform/x86/intel/hid: Add HP Dragonfly G2 to VGBS DMI quirks 
platform/x86: intel: hid: Always call BTNL ACPI method ALSA: usb-audio: Add quirk for Microsoft Modern Wireless Headset ASoC: atmel: Fix the 8K sample parameter in I2SC master ASoC: rt711-sdca: fix for JD event handling in ClockStop Mode0 ASoC: rt711: fix for JD event handling in ClockStop Mode0 ASoc: codecs: ES8316: Fix DMIC config ASoC: rt5682-sdw: fix for JD event handling in ClockStop Mode0 fs/nls: make load_nls() take a const parameter s390/dasd: fix hanging device after request requeue s390/dasd: use correct number of retries for ERP requests m68k: Fix invalid .section syntax ethernet: atheros: fix return value check in atl1c_tso_csum() ASoC: nau8821: Add DMI quirk mechanism for active-high jack-detect ASoC: da7219: Check for failure reading AAD IRQ events ASoC: da7219: Flush pending AAD IRQ when suspending ksmbd: fix out of bounds in init_smb2_rsp_hdr() ksmbd: no response from compound read ksmbd: validate session id and tree id in compound request ksmbd: fix out of bounds in smb3_decrypt_req() 9p: virtio: make sure 'offs' is initialized in zc_request 9p: virtio: fix unlikely null pointer deref in handle_rerror media: pci: cx23885: fix error handling for cx23885 ATSC boards media: pulse8-cec: handle possible ping error media: amphion: use dev_err_probe phy: qcom-snps-femto-v2: use qcom_snps_hsphy_suspend/resume error code Revert "MIPS: unhide PATA_PLATFORM" media: uapi: HEVC: Add num_delta_pocs_of_ref_rps_idx field powerpc/boot: Disable power10 features after BOOTAFLAGS assignment ALSA: hda/realtek: Enable 4 amplifiers instead of 2 on a HP platform ARM: dts: imx: Set default tuning step for imx7d usdhc Revert "Revert drm/amd/display: Enable Freesync Video Mode by default" scsi: ufs: Try harder to change the power mode Partially revert "drm/amd/display: Fix possible underflow for displays with large vblank" Revert "bridge: Add extack warning when enabling STP in netns." 
Linux 6.1.52 pinctrl: amd: Don't show `Invalid config param` errors usb: typec: tcpci: clear the fault status bit nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() dt-bindings: sc16is7xx: Add property to change GPIO function tcpm: Avoid soft reset when partner does not support get_status fsi: master-ast-cf: Add MODULE_FIRMWARE macro firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe serial: sc16is7xx: fix bug when first setting GPIO direction serial: sc16is7xx: fix broken port 0 uart init serial: qcom-geni: fix opp vote on shutdown wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU wifi: mt76: mt7921: do not support one stream on secondary antenna only Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition staging: rtl8712: fix race condition HID: wacom: remove the battery when the EKR is off usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0 usb: dwc3: meson-g12a: do post init to fix broken usb after resumption ALSA: usb-audio: Fix init call orders for UAC1 USB: serial: option: add FOXCONN T99W368/T99W373 product USB: serial: option: add Quectel EM05G variant (0x030e) modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index mmc: au1xmmc: force non-modular build and remove symbol_get usage ARM: pxa: remove use of symbol_get() ksmbd: reduce descriptor size if remaining bytes is less than request size ksmbd: replace one-element array with flex-array member in struct smb2_ea_info ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() ksmbd: fix wrong DataOffset validation of create context erofs: ensure that the post-EOF tails are all zeroed Linux 6.1.51 thunderbolt: Fix a backport error for display flickering issue kallsyms: Fix kallsyms_selftest failure io_uring/parisc: Adjust pgoff in 
io_uring mmap() for parisc parisc: sys_parisc: parisc_personality() is called from asm code parisc: Cleanup mmap implementation regarding color alignment lockdep: fix static memory detection even more ARM: module: Use module_init_layout_section() to spot init sections arm64: module: Use module_init_layout_section() to spot init sections arm64: module-plts: inline linux/moduleloader.h module: Expose module_init_layout_section() ACPI: thermal: Drop nocrt parameter Linux 6.1.50 ASoC: amd: vangogh: select CONFIG_SND_AMD_ACP_CONFIG maple_tree: disable mas_wr_append() when other readers are possible ASoC: amd: yc: Fix a non-functional mic on Lenovo 82SJ gpio: sim: pass the GPIO device's software node to irq domain gpio: sim: dispose of irq mappings before destroying the irq_sim domain dma-buf/sw_sync: Avoid recursive lock during fence signal pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function} pinctrl: renesas: rzv2m: Fix NULL pointer dereference in rzv2m_dt_subnode_to_map() pinctrl: renesas: rzg2l: Fix NULL pointer dereference in rzg2l_dt_subnode_to_map() clk: Fix undefined reference to `clk_rate_exclusive_{get,put}' scsi: core: raid_class: Remove raid_component_add() scsi: snic: Fix double free in snic_tgt_create() madvise:madvise_free_pte_range(): don't use mapcount() against large folio for sharing check can: raw: add missing refcount for memory leak fix ublk: remove check IO_URING_F_SQE128 in ublk_ch_uring_cmd thunderbolt: Fix Thunderbolt 3 display flickering issue on 2nd hot plug onwards cgroup/cpuset: Free DL BW in case can_attach() fails sched/deadline: Create DL BW alloc, free & check overflow interface cgroup/cpuset: Iterate only if DEADLINE tasks are present sched/cpuset: Keep track of SCHED_DEADLINE task in cpusets sched/cpuset: Bring back cpuset_mutex cgroup/cpuset: Rename functions dealing with DEADLINE accounting nfsd: use vfs setgid helper nfs: use vfs setgid helper selftests/net: mv bpf/nat6to4.c to net folder 
hwmon: (aquacomputer_d5next) Add selective 200ms delay after sending ctrl report x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4 x86/fpu: Invalidate FPU state correctly on exec() drm/display/dp: Fix the DP DSC Receiver cap size drm/i915/dgfx: Enable d3cold at s2idle drm/vmwgfx: Fix shader stage validation PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus media: vcodec: Fix potential array out-of-bounds in encoder queue_setup pinctrl: amd: Mask wake bits on probe again of: dynamic: Refactor action prints to not use "%pOF" inside devtree_lock of: unittest: Fix EXPECT for parse_phandle_with_args_map() test radix tree: remove unused variable riscv: Fix build errors using binutils2.37 toolchains riscv: Handle zicsr/zifencei issue between gcc and binutils lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels batman-adv: Hold rtnl lock during MTU update via netlink batman-adv: Fix batadv_v_ogm_aggr_send memory leak batman-adv: Fix TT global entry leak when client roamed back batman-adv: Do not get eth header before batadv_check_management_packet batman-adv: Don't increase MTU when set by user batman-adv: Trigger events for auto adjusted MTU selinux: set next pointer before attaching to list nfsd: Fix race to FREE_STATEID and cl_revoked NFS: Fix a use after free in nfs_direct_join_group() mm: memory-failure: fix unexpected return value in soft_offline_page() mm: add a call to flush_cache_vmap() in vmap_pfn() mm/gup: handle cont-PTE hugetlb pages correctly in gup_must_unshare() via GUP-fast ALSA: ymfpci: Fix the missing snd_card_free() call at probe error shmem: fix smaps BUG sleeping while atomic mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer clk: Fix slab-out-of-bounds error in devm_clk_release() NFSv4: Fix dropped lock for racing OPEN and delegation return platform/x86: ideapad-laptop: Add support for new hotkeys found on ThinkBook 14s Yoga ITL wifi: mac80211: limit reorder_buf_filtered 
to avoid UBSAN warning ibmveth: Use dcbf rather than dcbfl ASoC: cs35l41: Correct amp_gain_tlv values ASoC: amd: yc: Add VivoBook Pro 15 to quirks list for acp6x io_uring/msg_ring: fix missing lock on overflow for IOPOLL io_uring/msg_ring: move double lock/unlock helpers higher up io_uring: extract a io_msg_install_complete helper io_uring: get rid of double locking KVM: x86/mmu: Fix an sign-extension bug with mmu_seq that hangs vCPUs KVM: x86: Preserve TDP MMU roots until they are explicitly invalidated bonding: fix macvlan over alb bond support rtnetlink: Reject negative ifindexes in RTM_NEWLINK netfilter: nf_tables: fix out of memory error handling netfilter: nf_tables: flush pending destroy work before netlink notifier i40e: fix potential NULL pointer dereferencing of pf->vf i40e_sync_vsi_filters() net/sched: fix a qdisc modification with ambiguous command request igc: Fix the typo in the PTM Control macro igb: Avoid starting unnecessary workqueues can: isotp: fix support for transmission of SF without flow control selftests: bonding: do not set port down before adding to bond ice: Fix NULL pointer deref during VF reset Revert "ice: Fix ice VF reset during iavf initialization" ice: fix receive buffer size miscalculation ipv4: fix data-races around inet->inet_id net: validate veth and vxcan peer ifindexes net: bcmgenet: Fix return value check for fixed_phy_register() net: bgmac: Fix return value check for fixed_phy_register() net: dsa: mt7530: fix handling of 802.1X PAE frames selftests: mlxsw: Fix test failure on Spectrum-4 mlxsw: Fix the size of 'VIRT_ROUTER_MSB' mlxsw: reg: Fix SSPR register layout mlxsw: pci: Set time stamp fields also when its type is MIRROR_UTC ipvlan: Fix a reference count leak warning in ipvlan_ns_exit() dccp: annotate data-races in dccp_poll() sock: annotate data-races around prot->memory_pressure net: dsa: felix: fix oversize frame dropping for always closed tc-taprio gates devlink: add missing unregister linecard notification devlink: 
move code to a dedicated directory octeontx2-af: SDP: fix receive link config tracing: Fix memleak due to race between current_tracer and trace tracing: Fix cpu buffers unavailable due to 'record_disabled' missed drm/i915/gt: Support aux invalidation on all engines drm/i915/gt: Poll aux invalidation register bit on invalidation drm/i915/gt: Ensure memory quiesced before invalidation drm/i915: Add the gen12_needs_ccs_aux_inv helper s390/zcrypt: fix reply buffer calculations for CCA replies s390/zcrypt: remove unnecessary (void *) conversions can: raw: fix lockdep issue in raw_release() can: raw: fix receiver memory leak jbd2: fix a race when checking checkpoint buffer busy jbd2: remove journal_clean_one_cp_list() jbd2: remove t_checkpoint_io_list MIPS: cpu-features: Use boot_cpu_type for CPU type based features MIPS: cpu-features: Enable octeon_cache by cpu_type PCI: acpiphp: Reassign resources on bridge if necessary video/aperture: Move vga handling to pci function video/aperture: Only kick vgacon when the pdev is decoding vga drm/aperture: Remove primary argument drm/gma500: Use drm_aperture_remove_conflicting_pci_framebuffers fbdev/radeon: use pci aperture helpers drm/ast: Use drm_aperture_remove_conflicting_pci_framebuffers xprtrdma: Remap Receive buffers after a reconnect NFSv4: fix out path in __nfs4_get_acl_uncached NFSv4.2: fix error handling in nfs42_proc_getxattr Linux 6.1.49 Revert "f2fs: fix to do sanity check on direct node in truncate_dnode()" Revert "f2fs: fix to set flush_merge opt and show noflush_merge" Revert "f2fs: don't reset unchangable mount option in f2fs_remount()" objtool/x86: Fix SRSO mess Linux 6.1.48 x86/srso: Correct the mitigation status when SMT is disabled objtool/x86: Fixup frame-pointer vs rethunk x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG x86/srso: Disable the mitigation on unaffected configurations x86/CPU/AMD: Fix the DIV(0) initial fix attempt x86/retpoline: Don't clobber RFLAGS during 
srso_safe_ret() x86/static_call: Fix __static_call_fixup() x86/srso: Explain the untraining sequences a bit more x86/cpu: Cleanup the untrain mess x86/cpu: Rename srso_(.*)_alias to srso_alias_\1 x86/cpu: Rename original retbleed methods x86/cpu: Clean up SRSO return thunk mess x86/alternative: Make custom return thunk unconditional x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk() x86/cpu: Fix __x86_return_thunk symbol type Linux 6.1.47 mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create af_unix: Fix null-ptr-deref in unix_stream_sendpage(). drm/amdgpu: keep irq count in amdgpu_irq_disable_all drm/amd/pm: skip the RLC stop when S0i3 suspend for SMU v13.0.4/11 arm64/ptrace: Ensure that SME is set up for target when writing SSVE state netfilter: set default timeout to 3 secs for sctp shutdown send and recv state hugetlb: do not clear hugetlb dtor until allocating vmemmap drm/amd/display: Implement workaround for writing to OTG_PIXEL_RATE_DIV register sched/fair: Remove capacity inversion detection sched/fair: unlink misfit task from cpu overutilized zsmalloc: allow only one active pool compaction context drm/amd/display: disable RCO for DCN314 ASoC: amd: vangogh: select CONFIG_SND_AMD_ACP_CONFIG drm/amdgpu/pm: fix throttle_status for other than MP1 11.0.7 drm/amdgpu: skip fence GFX interrupts disable/enable for S0ix drm/amd: flush any delayed gfxoff on suspend entry drm/i915/sdvo: fix panel_type initialization drm/qxl: fix UAF on handle creation mmc: block: Fix in_flight[issue_type] value error mmc: wbsd: fix double mmc_free_host() in wbsd_init() blk-crypto: dynamically allocate fallback profile arm64: dts: rockchip: Fix Wifi/Bluetooth on ROCK Pi 4 boards virtio-net: Zero max_tx_vq field for VIRTIO_NET_CTRL_MQ_HASH_CONFIG case cifs: Release folio lock on fscache read hit. 
ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces. serial: 8250: Fix oops for port->pm on uart_change_pm() riscv: uaccess: Return the number of bytes effectively not copied ALSA: hda/realtek - Remodified 3k pull low procedure soc: aspeed: socinfo: Add kfree for kstrdup soc: aspeed: uart-routing: Use __sysfs_match_string ALSA: hda/realtek: Add quirks for HP G11 Laptops ASoC: meson: axg-tdm-formatter: fix channel slot allocation ASoC: rt5665: add missed regulator_bulk_disable arm64: dts: imx93: Fix anatop node size ARM: dts: imx: Set default tuning step for imx6sx usdhc arm64: dts: imx8mm: Drop CSI1 PHY reference clock configuration ARM: dts: imx6: phytec: fix RTC interrupt level ARM: dts: imx: align LED node names with dtschema arm64: dts: rockchip: Disable HS400 for eMMC on ROCK 4C+ arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4 arm64: dts: qcom: qrb5165-rb5: fix thermal zone conflict bus: ti-sysc: Flush posted write on enable before reset ice: Block switchdev mode when ADQ is active and vice versa qede: fix firmware halt over suspend and resume net: do not allow gso_size to be set to GSO_BY_FRAGS sock: Fix misuse of sk_under_memory_pressure() sfc: don't unregister flow_indr if it was never registered net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset i40e: fix misleading debug logs iavf: fix FDIR rule fields masks validation net: openvswitch: reject negative ifindex team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves net: phy: broadcom: stub c45 read/write for 54810 netfilter: nft_dynset: disallow object maps ipvs: fix racy memcpy in proc_do_sync_threshold netfilter: nf_tables: deactivate catchall elements in next generation netfilter: nf_tables: fix false-positive lockdep splat octeon_ep: cancel tx_timeout_task later in remove sequence net: macb: In ZynqMP resume always configure PS GTR for non-wakeup source drm/panel: simple: Fix AUO G121EAN01 panel timings according to the docs selftests: 
mirror_gre_changes: Tighten up the TTL test match net: phy: fix IRQ-based wake-on-lan over hibernate / power off net: pcs: Add missing put_device call in miic_create virtio-net: set queues after driver_ok virtio_net: notify MAC address change on device initialization xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH xfrm: add NULL check in xfrm_update_ae_params ip_vti: fix potential slab-use-after-free in decode_session6 ip6_vti: fix slab-use-after-free in decode_session6 xfrm: fix slab-use-after-free in decode_session6 net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure net: af_key: fix sadb_x_filter validation net: xfrm: Fix xfrm_address_filter OOB read i2c: designware: Handle invalid SMBus block data response length value i2c: designware: Correct length byte validation logic btrfs: fix BUG_ON condition in btrfs_cancel_balance btrfs: fix incorrect splitting in btrfs_drop_extent_map_range tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux vdpa: Enable strict validation for netlinks ops vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check vdpa: Add features attr to vdpa_nl_policy for nlattr length check powerpc/rtas_flash: allow user copy to flash block cache objects fbdev: mmp: fix value check in mmphw_probe() i2c: tegra: Fix i2c-tegra DMA config option processing i2c: hisi: Only handle the interrupt of the driver's transfer i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue cifs: fix potential oops in cifs_oplock_break vdpa/mlx5: Delete control vq iotlb in destroy_mr only when necessary vdpa/mlx5: Fix mr->initialized semantics vduse: Use proper spinlock for IRQ injection virtio-mmio: don't break lifecycle of vm_dev btrfs: fix use-after-free of new block group that became unused btrfs: convert btrfs_block_group::seq_zone to runtime flag btrfs: convert 
btrfs_block_group::needs_free_space to runtime flag btrfs: move out now unused BG from the reclaim list video/aperture: Only remove sysfb on the default vga pci device fbdev/hyperv-fb: Do not set struct fb_info.apertures ARM: dts: nxp/imx6sll: fix wrong property name in usbphy node KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption drm/amd/display: fix access hdcp_workqueue assert drm/amd/display: phase3 mst hdcp for multiple displays drm/amd/display: save restore hdcp state when display is unplugged from mst hub igc: read before write to SRRCTL register ring-buffer: Do not swap cpu_buffer during resize process Bluetooth: MGMT: Use correct address for memcpy() powerpc/kasan: Disable KCOV in KASAN code ALSA: hda/realtek: Add quirk for ASUS ROG GZ301V ALSA: hda/realtek: Add quirk for ASUS ROG GA402X ALSA: hda/realtek: Add quirk for ASUS ROG GX650P ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760 fs/ntfs3: Mark ntfs dirty when on-disk struct is corrupted fs: ntfs3: Fix possible null-pointer dereferences in mi_read() fs/ntfs3: Enhance sanity check while generating attr_list drm/amdgpu: Fix potential fence use-after-free v2 ceph: try to dump the msgs when decoding fails Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally Bluetooth: L2CAP: Fix use-after-free watchdog: sp5100_tco: support Hygon FCH/SCH (Server Controller Hub) firewire: net: fix use after free in fwnet_finish_incoming_packet() thunderbolt: Limit Intel Barlow Ridge USB3 bandwidth thunderbolt: Add Intel Barlow Ridge PCI ID pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() gfs2: Fix possible data races in gfs2_show_options() usb: chipidea: imx: add missing USB PHY DPDM wakeup setting usb: chipidea: imx: don't request QoS for imx8ulp thunderbolt: Read retimer NVM authentication status prior tb_retimer_set_inbound_sbtx() media: platform: mediatek: vpu: 
fix NULL ptr dereference usb: gadget: uvc: queue empty isoc requests if no video buffer is available usb: gadget: u_serial: Avoid spinlock recursion in __gs_console_push media: camss: set VFE bpl_alignment to 16 for sdm845 and sm8250 media: v4l2-mem2mem: add lock to protect parameter num_rdy led: qcom-lpg: Fix resource leaks in for_each_available_child_of_node() loops serial: stm32: Ignore return value of uart_remove_one_port() in .remove() cifs: fix session state check in reconnect to avoid use-after-free issue smb: client: fix warning in cifs_smb3_do_mount() ALSA: hda/realtek: Add quirks for ROG ALLY CS35l41 audio HID: intel-ish-hid: ipc: Add Arrow Lake PCI device ID ASoC: SOF: core: Free the firmware trace before calling snd_sof_shutdown() drm/amd/display: Enable dcn314 DPP RCO drm/amd/display: Skip DPP DTO update if root clock is gated RDMA/mlx5: Return the firmware result upon destroying QP/RQ drm/amd/display: Apply 60us prefetch for DCFCLK <= 300Mhz drm/amdgpu: install stub fence into potential unused fence pointers iommu/amd: Introduce Disable IRTE Caching Support HID: logitech-hidpp: Add USB and Bluetooth IDs for the Logitech G915 TKL Keyboard accel/habanalabs: add pci health check during heartbeat dma-remap: use kvmalloc_array/kvfree for larger dma memory remap ASoC: SOF: Intel: fix SoundWire/HDaudio mutual exclusion iopoll: Call cpu_relax() in busy loops ASoC: Intel: sof_sdw: Add support for Rex soundwire ASoC: Intel: sof_sdw_rt_sdca_jack_common: test SOF_JACK_JDSRC in _exit ARM: dts: imx6dl: prtrvt, prtvt7, prti6q, prtwd2: fix USB related warnings ASoC: amd: vangogh: Add check for acp config flags in vangogh platform drm: rcar-du: remove R-Car H3 ES1.* workarounds drm/stm: ltdc: fix late dereference check ASoC: SOF: amd: Add pci revision id check PCI: tegra194: Fix possible array out of bounds access ASoC: Intel: sof_sdw: add quirk for LNL RVP ASoC: Intel: sof_sdw: add quirk for MTL RVP drm/amdgpu: fix memory leak in mes self test drm/amdgpu: Fix integer 
overflow in amdgpu_cs_pass1 drm/amdgpu: fix calltrace warning in amddrm_buddy_fini net: phy: at803x: fix the wol setting functions net: phy: at803x: Use devm_regulator_get_enable_optional() net/smc: Fix setsockopt and sysctl to specify same buffer size again net/smc: replace mutex rmbs_lock and sndbufs_lock with rw_semaphore selftests: forwarding: tc_actions: Use ncat instead of nc selftests: forwarding: tc_actions: cleanup temporary files when test is aborted zsmalloc: fix races between modifications of fullness and isolated zsmalloc: consolidate zs_pool's migrate_lock and size_class's locks cpuidle: psci: Move enabling OSI mode after power domains creation cpuidle: psci: Extend information in log about OSI/PC mode mmc: sdhci-f-sdh30: Replace with sdhci_pltfm Linux 6.1.46 drm/amd/pm/smu7: move variables to where they are used sch_netem: fix issues in netem_change() vs get_dist_table() alpha: remove __init annotation from exported page_is_ram() ACPI: scan: Create platform device for CS35L56 platform/x86: serial-multi-instantiate: Auto detect IRQ resource for CSC3551 scsi: qedf: Fix firmware halt over suspend and resume scsi: qedi: Fix firmware halt over suspend and resume scsi: fnic: Replace return codes in fnic_clean_pending_aborts() scsi: core: Fix possible memory leak if device_add() fails scsi: snic: Fix possible memory leak if device_add() fails scsi: 53c700: Check that command slot is not NULL scsi: ufs: renesas: Fix private allocation scsi: storvsc: Fix handling of virtual Fibre Channel timeouts scsi: core: Fix legacy /proc parsing buffer overflow netfilter: nf_tables: report use refcount overflow nvme-rdma: fix potential unbalanced freeze & unfreeze nvme-tcp: fix potential unbalanced freeze & unfreeze btrfs: set cache_block_group_error if we find an error btrfs: reject invalid reloc tree root keys with stack dump btrfs: exit gracefully if reloc roots don't match btrfs: properly clear end of the unreserved range in cow_file_range btrfs: don't stop integrity 
writeback too early btrfs: wait for actual caching progress during allocation gpio: sim: mark the GPIO chip as a one that can sleep gpio: ws16c48: Fix off-by-one error in WS16C48 resource region extent ibmvnic: Ensure login failure recovery is safe from other resets ibmvnic: Do partial reset on login failure ibmvnic: Handle DMA unmapping of login buffs in release functions ibmvnic: Unmap DMA login rsp buffer on send login fail ibmvnic: Enforce stronger sanity checks on login response net/mlx5: Reload auxiliary devices in pci error handlers net/mlx5: Skip clock update work when device is in error state net/mlx5: LAG, Check correct bucket when modifying LAG net/mlx5: Allow 0 for total host VFs dmaengine: owl-dma: Modify mismatched function name dmaengine: mcf-edma: Fix a potential un-allocated memory access net: hns3: fix strscpy causing content truncation issue nexthop: Fix infinite nexthop bucket dump when using maximum nexthop ID nexthop: Make nexthop bucket dump more efficient nexthop: Fix infinite nexthop dump when using maximum nexthop ID net: hns3: fix deadlock issue when externel_lb and reset are executed together net: hns3: add wait until mac link down net: hns3: refactor hclge_mac_link_status_wait for interface reuse net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove net: phy: at803x: remove set/get wol callbacks for AR8032 net: marvell: prestera: fix handling IPv4 routes with nhid net: tls: avoid discarding data on record close RDMA/umem: Set iova in ODP flow wifi: cfg80211: fix sband iftype data lookup for AP_VLAN drm/rockchip: Don't spam logs in atomic check IB/hfi1: Fix possible panic during hotplug remove iavf: fix potential races for FDIR filters drivers: vxlan: vnifilter: free percpu vni stats on error path drivers: net: prevent tun_build_skb() to exceed the packet size limit dccp: fix data-race around dp->dccps_mss_cache bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves xsk: fix refcount 
underflow in error path tunnels: fix kasan splat when generating ipv4 pmtu error tcp: add missing family to tcp_set_ca_state() tracepoint net/smc: Use correct buffer sizes when switching between TCP and SMC net/packet: annotate data-races around tp->status mptcp: fix the incorrect judgment for msk->cb_flags macsec: use DEV_STATS_INC() mISDN: Update parameter type of dsp_cmx_send() bpf, sockmap: Fix bug that strp_done cannot be called bpf, sockmap: Fix map type error in sock_map_del_link net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() selftests: forwarding: tc_flower: Relax success criterion selftests: forwarding: Switch off timeout selftests: forwarding: Skip test when no interfaces are specified selftests: forwarding: hw_stats_l3_gre: Skip when using veth pairs selftests: forwarding: ethtool_extended_state: Skip when using veth pairs selftests: forwarding: ethtool: Skip when using veth pairs selftests: forwarding: Add a helper to skip test when using veth pairs selftests/rseq: Fix build with undefined __weak interconnect: qcom: sm8450: add enable_mask for bcm nodes interconnect: qcom: Add support for mask-based BCMs iio: core: Prevent invalid memory access when there is no parent drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes x86: Move gds_ucode_mitigated() declaration to header x86/speculation: Add cpu_show_gds() prototype x86/sev: Do not try to parse for the CC blob on non-AMD hardware x86/mm: Fix VDSO and VVAR placement on 5-level paging machines x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405 x86/srso: Fix build breakage with the LLVM linker usb: typec: altmodes/displayport: Signal hpd when configuring pin assignment usb: typec: tcpm: Fix response to vsafe0V event usb: common: usb-conn-gpio: Prevent bailing out if initial role is none USB: Gadget: core: Help prevent panic during UVC unconfigure usb: dwc3: Properly handle processing of pending events usb-storage: alauda: Fix uninit-value in 
alauda_check_media() misc: rtsx: judge ASPM Mode to set PETXCFG Reg binder: fix memory leak in binder_init() iio: adc: ina2xx: avoid NULL pointer dereference on OF device match iio: adc: ad7192: Fix ac excitation feature iio: frequency: admv1013: propagate errors from regulator_get_voltage() iio: cros_ec: Fix the allocation size for cros_ec_command io_uring: correct check for O_TMPFILE drm/amd/display: trigger timing sync only if TG is running drm/amd/display: fix the build when DRM_AMD_DC_DCN is not set drm/amd/display: Retain phantom plane/stream if validation fails drm/amd/display: Disable phantom OTG after enable for plane disable drm/amd/display: Use update plane and stream routine for DCN32x drm/amd/display: Avoid ABM when ODM combine is enabled for eDP drm/amd/display: Update OTG instance in the commit stream drm/amd/display: Handle seamless boot stream drm/amd/display: Add function for validate and update new stream drm/amd/display: Handle virtual hardware detect drm/amd/pm: avoid unintentional shutdown due to temperature momentary fluctuation drm/amd/pm: fulfill powerplay peak profiling mode shader/memory clock settings drm/amd/pm: expose swctf threshold setting for legacy powerplay drm/amd/pm: fulfill swsmu peak profiling mode shader/memory clock settings nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput radix tree test suite: fix incorrect allocation size for pthreads hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100 cpuidle: dt_idle_genpd: Add helper function to remove genpd topology drm/amd/display: limit DPIA link rate to HBR3 drm/amd: Disable S/G for APUs when 64GB or more host memory drm/amdgpu: add S/G display parameter drm/amd/display: check attr flag before set cursor degamma on DCN3+ drm/amdgpu: fix possible UAF in amdgpu_cs_pass1() drm/shmem-helper: Reset vma->vm_ops before calling dma_buf_mmap() drm/nouveau/nvkm/dp: Add workaround to fix DP 1.3+ DPCD issues drm/nouveau/gr: enable memory loads on helper 
invocation on all channels nvme-pci: add NVME_QUIRK_BOGUS_NID for Samsung PM9B1 256G and 512G riscv/kexec: handle R_RISCV_CALL_PLT relocation type riscv,mmio: Fix readX()-to-delay() ordering riscv/kexec: load initrd high in available memory net: mana: Fix MANA VF unload when hardware is unresponsive dmaengine: pl330: Return DMA_PAUSED when transaction is paused mptcp: fix disconnect vs accept race mptcp: avoid bogus reset on fallback close selftests: mptcp: join: fix 'implicit EP' test selftests: mptcp: join: fix 'delete and re-add' test ipv6: adjust ndisc_is_useropt() to also return true for PIO mmc: moxart: read scr register without changing byte order wireguard: allowedips: expand maximum node depth selftests: forwarding: Set default IPv6 traceroute utility wifi: rtw89: fix 8852AE disconnection caused by RX full flags wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems() KVM: SEV: only access GHCB fields once KVM: SEV: snapshot the GHCB before accessing it ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea() ksmbd: validate command request size tpm: Add a helper for checking hwrng enabled tpm: Disable RNG for all AMD fTPMs Revert "loongarch/cpu: Switch to arch_cpu_finalize_init()" gcc-plugins: Reorganize gimple includes for GCC 13 Linux 6.1.45 x86/CPU/AMD: Do not leak quotient data after a division by 0 Revert "drm/i915: Disable DC states for all commits" drm/amdgpu: Use apt name for FW reserved region drm/amdgpu: Remove unnecessary domain argument drm/amdgpu: add vram reservation based on vram_usagebyfirmware_v2_2 arm64/ptrace: Don't enable SVE when setting streaming SVE exfat: check if filename entries exceeds max filename length f2fs: don't reset unchangable mount option in f2fs_remount() f2fs: fix to set flush_merge opt and show noflush_merge selftests/rseq: Play nice with binaries statically linked against glibc 2.35+ drm/amd/display: skip CLEAR_PAYLOAD_ID_TABLE if device mst_en is 0 drm/amd/display: Ensure that planes are in 
the same order drm/imx/ipuv3: Fix front porch adjustment upon hactive aligning powerpc/mm/altmap: Fix altmap boundary check mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() mtd: rawnand: rockchip: Align hwecc vs. raw page helper layouts mtd: rawnand: rockchip: fix oobfree offset and description mtd: rawnand: omap_elm: Fix incorrect type in assignment io_uring: annotate offset timeout races f2fs: fix to do sanity check on direct node in truncate_dnode() btrfs: remove BUG_ON()'s in add_new_free_space() ext2: Drop fragment support fs: Protect reconfiguration of sb read-write from racing writes net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb debugobjects: Recheck debug_objects_enabled before reporting Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb fs/sysv: Null check to prevent null-ptr-deref bug fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_load_attr_list() mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required() file: reinstate f_pos locking optimization for regular files bpf, cpumap: Make sure kthread is running before map update returns clk: imx93: Propagate correct error in imx93_clocks_probe() drm/i915/gt: Cleanup aux invalidation registers drm/i915: Fix premature release of request's reusable memory drm/ttm: check null pointer before accessing when swapping open: make RESOLVE_CACHED correctly test for O_TMPFILE arm64/fpsimd: Sync FPSIMD state with SVE for SME only systems arm64/fpsimd: Clear SME state in the target task when setting the VL arm64/fpsimd: Sync and zero pad FPSIMD state for streaming SVE powerpc/ftrace: Create a dummy stackframe to fix stack unwind bpf: Disable preemption in bpf_event_output rbd: prevent busy loop when requesting exclusive lock x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction wifi: mt76: mt7615: do not advertise 5 GHz on first phy of MT7615D (DBDC) net: tap_open(): set sk_uid from current_fsuid() net: tun_chr_open(): set sk_uid from current_fsuid() arm64: dts: 
stratix10: fix incorrect I2C property for SCL signal bpf: Disable preemption in bpf_perf_event_output mtd: rawnand: meson: fix OOB available bytes for ECC mtd: spinand: toshiba: Fix ecc_get_status exfat: release s_lock before calling dir_emit() exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree firmware: arm_scmi: Drop OF node reference in the transport channel setup ceph: defer stopping mdsc delayed_work USB: zaurus: Add ID for A-300/B-500/C-700 libceph: fix potential hang in ceph_osdc_notify() scsi: storvsc: Limit max_sectors for virtual Fibre Channel devices scsi: zfcp: Defer fc_rport blocking until after ADISC response rust: allocator: Prevent mis-aligned allocation tcp_metrics: fix data-race in tcpm_suck_dst() vs fastopen tcp_metrics: annotate data-races around tm->tcpm_net tcp_metrics: annotate data-races around tm->tcpm_vals[] tcp_metrics: annotate data-races around tm->tcpm_lock tcp_metrics: annotate data-races around tm->tcpm_stamp tcp_metrics: fix addr_same() helper prestera: fix fallback to previous version on same major version net/mlx5: fs_core: Skip the FTs in the same FS_TYPE_PRIO_CHAINS fs_prio net/mlx5: fs_core: Make find_closest_ft more generic vxlan: Fix nexthop hash size ip6mr: Fix skb_under_panic in ip6mr_cache_report() s390/qeth: Don't call dev_close/dev_open (DOWN/UP) net: dcb: choose correct policy to parse DCB_ATTR_BCN bnxt_en: Fix max_mtu setting for multi-buf XDP bnxt_en: Fix page pool logic for page size >= 64K net: netsec: Ignore 'phy-mode' on SynQuacer in DT mode net: korina: handle clk prepare error in korina_probe() net: ll_temac: fix error checking of irq_of_parse_and_map() bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free bpf, cpumap: Handle skb as well when clean up 
ptr_ring ice: Fix RDMA VSI removal during queue rebuild net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX. net: annotate data-races around sk->sk_priority net: add missing data-race annotation for sk_ll_usec net: add missing data-race annotations around sk->sk_peek_off net: annotate data-races around sk->sk_mark net: add missing READ_ONCE(sk->sk_rcvbuf) annotation net: add missing READ_ONCE(sk->sk_sndbuf) annotation net: add missing READ_ONCE(sk->sk_rcvlowat) annotation net: annotate data-races around sk->sk_max_pacing_rate net: annotate data-race around sk->sk_txrehash net: annotate data-races around sk->sk_reserved_mem qed: Fix scheduling in a tasklet while getting stats mISDN: hfcpci: Fix potential deadlock on &hc->lock net: sched: cls_u32: Fix match key mis-addressing perf test uprobe_from_different_cu: Skip if there is no gcc net: dsa: fix value check in bcm_sf2_sw_probe() rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing net/mlx5e: Move representor neigh cleanup to profile cleanup_tx net/mlx5e: Fix crash moving to switchdev mode when ntuple offload is set net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer() net/mlx5: fix potential memory leak in mlx5e_init_rep_rx net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx net/mlx5e: fix double free in macsec_fs_tx_create_crypto_table_groups wifi: cfg80211: Fix return value in scan logic erofs: fix wrong primary bvec selection on deduplicated extents KVM: s390: fix sthyi error handling word-at-a-time: use the same return type for has_zero regardless of endianness firmware: arm_scmi: Fix chan_free cleanup on SMC lib/bitmap: workaround const_eval test build failure firmware: smccc: Fix use of uninitialised results structure arm64: dts: freescale: Fix VPU G2 clock arm64: dts: imx8mn-var-som: add missing pull-up for onboard PHY reset pinmux arm64: dts: phycore-imx8mm: Correction in gpio-line-names 
arm64: dts: phycore-imx8mm: Label typo-fix of VPU arm64: dts: imx8mm-venice-gw7904: disable disp_blk_ctrl arm64: dts: imx8mm-venice-gw7903: disable disp_blk_ctrl iommu/arm-smmu-v3: Document nesting-related errata iommu/arm-smmu-v3: Add explicit feature for nesting iommu/arm-smmu-v3: Document MMU-700 erratum 2812531 iommu/arm-smmu-v3: Work around MMU-600 erratum 1076982 net: ipa: only reset hashed tables when supported net/mlx5: Free irqs only on shutdown callback perf: Fix function pointer case io_uring: gate iowait schedule on having pending requests Linux 6.1.44 x86: fix backwards merge of GDS/SRSO bit xen/netback: Fix buffer overrun triggered by unusual packet x86/srso: Tie SBPB bit setting to microcode patch detection x86/srso: Add a forgotten NOENDBR annotation x86/srso: Fix return thunks in generated code x86/srso: Add IBPB on VMEXIT x86/srso: Add IBPB x86/srso: Add SRSO_NO support x86/srso: Add IBPB_BRTYPE support x86/srso: Add a Speculative RAS Overflow mitigation x86/cpu, kvm: Add support for CPUID_80000021_EAX x86/bugs: Increase the x86 bugs vector size to two u32s Documentation/x86: Fix backwards on/off logic about YMM support x86/mm: Initialize text poking earlier mm: Move mm_cachep initialization to mm_init() x86/mm: Use mm_alloc() in poking_init() x86/mm: fix poking_init() for Xen PV guests x86/xen: Fix secondary processors' FPU initialization x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build KVM: Add GDS_NO support to KVM x86/speculation: Add Kconfig option for GDS x86/speculation: Add force option to GDS mitigation x86/speculation: Add Gather Data Sampling mitigation x86/fpu: Move FPU initialization into arch_cpu_finalize_init() x86/fpu: Mark init functions __init x86/fpu: Remove cpuinfo argument from init functions x86/init: Initialize signal frame size late init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init() init: Invoke arch_cpu_finalize_init() earlier init: Remove check_bugs() leftovers um/cpu: Switch to arch_cpu_finalize_init() 
sparc/cpu: Switch to arch_cpu_finalize_init()
sh/cpu: Switch to arch_cpu_finalize_init()
mips/cpu: Switch to arch_cpu_finalize_init()
m68k/cpu: Switch to arch_cpu_finalize_init()
loongarch/cpu: Switch to arch_cpu_finalize_init()
ia64/cpu: Switch to arch_cpu_finalize_init()
ARM: cpu: Switch to arch_cpu_finalize_init()
x86/cpu: Switch to arch_cpu_finalize_init()
init: Provide arch_cpu_finalize_init()
Conflicts:
Documentation/devicetree/bindings
Documentation/devicetree/bindings/clock/xlnx,versal-clk.yaml
Documentation/devicetree/bindings/extcon/maxim,max77843.yaml
Documentation/devicetree/bindings/serial/nxp,sc16is7xx.txt
android/abi_gki_aarch64_qcom
drivers/bus/mhi/host/pm.c
drivers/clk/qcom/gcc-sm8250.c
drivers/interconnect/qcom/bcm-voter.c
drivers/interconnect/qcom/icc-rpmh.h
drivers/mailbox/qcom-ipcc.c
Change-Id: I98acc81783883752e19e8d433e3db6977a0ebf7f
Upstream-Build: ks_qcom-android14-6.1-keystone-qcom-release@11252216 UKQ2.231224.001
Signed-off-by: jianzhou <quic_jianzhou@quicinc.com> |
||
Léo Lam
|
75c27bdb21 |
wifi: nl80211: fix deadlock in nl80211_set_cqm_rssi (6.6.x)
Commit 008afb9f3d57 ("wifi: cfg80211: fix CQM for non-range use" backported to 6.6.x) causes nl80211_set_cqm_rssi not to release the wdev lock in some of the error paths.
Of course, the ensuing deadlock causes userland network managers to break pretty badly, and on typical systems this also causes lockups on suspend, poweroff and reboot. See [1], [2], [3] for example reports.
The upstream commit 7e7efdda6adb ("wifi: cfg80211: fix CQM for non-range use"), committed in November 2023, is completely fine because there was another commit in August 2023 that removed the wdev lock: see commit 076fc8775daf ("wifi: cfg80211: remove wdev mutex").
The reason things broke in 6.6.5 is that commit 4338058f6009 was applied without also applying 076fc8775daf.
Commit 076fc8775daf ("wifi: cfg80211: remove wdev mutex") is a rather large commit; adjusting the error handling (which is what this commit does) yields a much simpler patch and was tested to work properly.
Fix the deadlock by releasing the lock before returning.
[1] https://bugzilla.kernel.org/show_bug.cgi?id=218247
[2] https://bbs.archlinux.org/viewtopic.php?id=290976
[3] https://lore.kernel.org/all/87sf4belmm.fsf@turtle.gmx.de/
Link: https://lore.kernel.org/stable/e374bb16-5b13-44cc-b11a-2f4eefb1ecf5@manjaro.org/
Fixes: 008afb9f3d57 ("wifi: cfg80211: fix CQM for non-range use")
Tested-by: "Léo Lam" <leo@leolam.fr>
Tested-by: "Philip Müller" <philm@manjaro.org>
Cc: stable@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: "Léo Lam" <leo@leolam.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Johannes Berg
|
15577a98ef |
wifi: cfg80211: fix CQM for non-range use
commit 7e7efdda6adb385fbdfd6f819d76bc68c923c394 upstream.
[note: this is commit 4a7e92551618f3737b305f62451353ee05662f57 reapplied;
that commit had been reverted in 6.6.6 because it caused regressions, see
https://lore.kernel.org/stable/2023121450-habitual-transpose-68a1@gregkh/
for details]
My prior race fix here broke CQM when ranges aren't used, as
the reporting worker now requires the cqm_config to be set in
the wdev, but isn't set when there's no range configured.
Rather than continuing to special-case the range version, set
the cqm_config always and configure accordingly, also tracking
if range was used or not to be able to clear the configuration
appropriately with the same API, which was actually not right
if both were implemented by a driver for some reason, as is
the case with mac80211 (though there the implementations are
equivalent so it doesn't matter.)
Also, the original multiple-RSSI commit lost checking for the
callback, so might have potentially crashed if a driver had
neither implementation, and userspace tried to use it despite
not being advertised as supported.
Cc: stable@vger.kernel.org
Fixes:
|
||
Rouven Czerwinski
|
e9df9f0891 |
net: rfkill: gpio: set GPIO direction
commit 23484d817082c3005252d8edfc8292c8a1006b5b upstream.
Fix the undefined usage of the GPIO consumer API after retrieving the GPIO description with GPIO_ASIS. The API documentation mentions that GPIO_ASIS won't set a GPIO direction and requires the user to set a direction before using the GPIO.
This can be confirmed on i.MX6 hardware, where rfkill-gpio is no longer able to enable/disable a device, presumably because the GPIO controller was never configured for the output direction.
Fixes: b2f750c3a80b ("net: rfkill: gpio: prevent value glitch during probe")
Cc: stable@vger.kernel.org
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Link: https://msgid.link/20231207075835.3091694-1-r.czerwinski@pengutronix.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Fedor Pchelkin
|
805611157d |
net: 9p: avoid freeing uninit memory in p9pdu_vreadf
commit ff49bf1867578f23a5ffdd38f927f6e1e16796c4 upstream.
If some of the p9pdu_readf() calls inside case 'T' in p9pdu_vreadf() fail,
the error path is not handled properly. *wnames or members of *wnames
array may be left uninitialized and invalidly freed.
Initialize *wnames to NULL in beginning of case 'T'. Initialize the first
*wnames array element to NULL and nullify the failing *wnames element so
that the error path freeing loop stops on the first NULL element and
doesn't proceed further.
Found by Linux Verification Center (linuxtesting.org).
Fixes:
|
||
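The cleanup pattern described in the 9p commit message above, as an added userspace C model (not the kernel's p9pdu_vreadf() and not part of the commit). The names `reader`, `read_wnames`, `parse_count` and the sample buffers are assumptions constructed for illustration; the 0xAA fill stands in for uninitialized heap contents.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of a 9P-style field: nwname[2], then nwname strings, each
 * len[2] + bytes. All names are hypothetical; this is not kernel code. */
struct reader { const uint8_t *buf; size_t len, off; };

static int frees;   /* element frees performed by the error path */

static int read_u16(struct reader *r, uint16_t *out)
{
    if (r->len - r->off < 2)
        return -1;
    *out = (uint16_t)(r->buf[r->off] | (r->buf[r->off + 1] << 8));
    r->off += 2;
    return 0;
}

/* On failure *out is NOT written: the slot keeps whatever was there before. */
static int read_str(struct reader *r, char **out)
{
    uint16_t n;
    char *s;

    if (read_u16(r, &n) || r->len - r->off < n)
        return -1;
    s = malloc((size_t)n + 1);
    if (!s)
        return -1;
    memcpy(s, r->buf + r->off, n);
    s[n] = '\0';
    r->off += n;
    *out = s;
    return 0;
}

int read_wnames(struct reader *r, uint16_t *nwname, char ***wnames)
{
    int err;
    uint16_t i;

    *wnames = NULL;                     /* defined even if the count read fails */
    err = read_u16(r, nwname);
    if (!err) {
        size_t slots = *nwname ? *nwname : 1;   /* keep slot 0 writable */
        *wnames = malloc(slots * sizeof(char *));
        if (!*wnames) {
            err = -1;
        } else {
            /* Poison models uninitialized allocator contents deterministically. */
            memset(*wnames, 0xAA, slots * sizeof(char *));
            (*wnames)[0] = NULL;        /* sentinel: nothing read yet */
        }
    }
    for (i = 0; !err && i < *nwname; i++) {
        err = read_str(r, &(*wnames)[i]);
        if (err)
            (*wnames)[i] = NULL;        /* sentinel at the failing slot */
    }
    if (err && *wnames) {
        /* Stop at the first NULL so poisoned slots are never passed to free(). */
        for (i = 0; i < *nwname && (*wnames)[i]; i++) {
            free((*wnames)[i]);
            frees++;
        }
        free(*wnames);
        *wnames = NULL;
    }
    return err;
}

/* Constructed sample buffers (little-endian count and lengths). */
static const uint8_t GOOD[]        = {2,0, 3,0,'u','s','r', 3,0,'b','i','n'};
static const uint8_t TRUNC_THIRD[] = {3,0, 1,0,'a', 2,0,'b','c', 5,0,'x','y'};
static const uint8_t TRUNC_FIRST[] = {2,0, 9,0,'x'};

/* Returns the name count on success, -1 on a clean failure, and -2 if a
 * failure left a dangling array pointer behind. */
int parse_count(const uint8_t *buf, size_t len)
{
    struct reader r = { buf, len, 0 };
    uint16_t n = 0, i;
    char **names;

    frees = 0;
    if (read_wnames(&r, &n, &names))
        return names ? -2 : -1;
    for (i = 0; i < n; i++)
        free(names[i]);
    free(names);
    return n;
}

int last_frees(void) { return frees; }

int main(void)
{
    return !(parse_count(GOOD, sizeof GOOD) == 2 &&
             parse_count(TRUNC_THIRD, sizeof TRUNC_THIRD) == -1 &&
             last_frees() == 2);
}
```

Removing either sentinel assignment makes the cleanup loop hand a poisoned pointer to free() on the truncated inputs, which is the failure mode the commit message describes.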
Alex Lu
|
0f7bffd40a |
Bluetooth: Add more enc key size check
commit 04a342cc49a8522e99c9b3346371c329d841dcd2 upstream.
When we are in the slave role and receive an l2cap conn req when encryption has started, we should check the enc key size to avoid the KNOB attack or BLUFFS attack.
From SIG recommendation, implementations are advised to reject service-level connections on an encrypted baseband link with key strengths below 7 octets.
A simple and clear way to achieve this is to place the enc key size check in hci_cc_read_enc_key_size().
The btmon log below shows the case that lacks enc key size check.
> HCI Event: Connect Request (0x04) plen 10
  Address: BB:22:33:44:55:99 (OUI BB-22-33)
  Class: 0x480104
  Major class: Computer (desktop, notebook, PDA, organizers)
  Minor class: Desktop workstation
  Capturing (Scanner, Microphone)
  Telephony (Cordless telephony, Modem, Headset)
  Link type: ACL (0x01)
< HCI Command: Accept Connection Request (0x01|0x0009) plen 7
  Address: BB:22:33:44:55:99 (OUI BB-22-33)
  Role: Peripheral (0x01)
> HCI Event: Command Status (0x0f) plen 4
  Accept Connection Request (0x01|0x0009) ncmd 2
  Status: Success (0x00)
> HCI Event: Connect Complete (0x03) plen 11
  Status: Success (0x00)
  Handle: 1
  Address: BB:22:33:44:55:99 (OUI BB-22-33)
  Link type: ACL (0x01)
  Encryption: Disabled (0x00)
...
> HCI Event: Encryption Change (0x08) plen 4
  Status: Success (0x00)
  Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
  Encryption: Enabled with E0 (0x01)
< HCI Command: Read Encryption Key Size (0x05|0x0008) plen 2
  Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
> HCI Event: Command Complete (0x0e) plen 7
  Read Encryption Key Size (0x05|0x0008) ncmd 2
  Status: Success (0x00)
  Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
  Key size: 6
// We should check the enc key size
...
> ACL Data RX: Handle 1 flags 0x02 dlen 12
  L2CAP: Connection Request (0x02) ident 3 len 4
  PSM: 25 (0x0019)
  Source CID: 64
< ACL Data TX: Handle 1 flags 0x00 dlen 16
  L2CAP: Connection Response (0x03) ident 3 len 8
  Destination CID: 64
  Source CID: 64
  Result: Connection pending (0x0001)
  Status: Authorization pending (0x0002)
> HCI Event: Number of Completed Packets (0x13) plen 5
  Num handles: 1
  Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
  Count: 1
  #35: len 16 (25 Kb/s)
  Latency: 5 msec (2-7 msec ~4 msec)
< ACL Data TX: Handle 1 flags 0x00 dlen 16
  L2CAP: Connection Response (0x03) ident 3 len 8
  Destination CID: 64
  Source CID: 64
  Result: Connection successful (0x0000)
  Status: No further information available (0x0000)
Cc: stable@vger.kernel.org
Signed-off-by: Alex Lu <alex_lu@realsil.com.cn>
Signed-off-by: Max Chou <max.chou@realtek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Xiao Yao
|
39347d6450 |
Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE
commit 59b047bc98084f8af2c41483e4d68a5adf2fa7f7 upstream.
If two Bluetooth devices both support BR/EDR and BLE, and also
support Secure Connections, then they only need to pair once.
The LTK generated during the LE pairing process may be converted
into a BR/EDR link key for BR/EDR transport, and conversely, a
link key generated during the BR/EDR SSP pairing process can be
converted into an LTK for LE transport. Hence, the link type of
the link key and LTK is not fixed, they can be either an LE LINK
or an ACL LINK.
Currently, in the mgmt_new_irk/ltk/crsk/link_key functions, the
link type is fixed, which could lead to incorrect address types
being reported to the application layer. Therefore, it is necessary
to add link_type/addr_type to the smp_irk/ltk/crsk and link_key,
to ensure the generation of the correct address type.
SMP over BREDR:
Before Fix:
> ACL Data RX: Handle 11 flags 0x02 dlen 12
        BR/EDR SMP: Identity Address Information (0x09) len 7
        Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Identity Resolving Key (0x0018) plen 30
        Random address: 00:00:00:00:00:00 (Non-Resolvable)
        LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Long Term Key (0x000a) plen 37
        LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
        Key type: Authenticated key from P-256 (0x03)
After Fix:
> ACL Data RX: Handle 11 flags 0x02 dlen 12
        BR/EDR SMP: Identity Address Information (0x09) len 7
        Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Identity Resolving Key (0x0018) plen 30
        Random address: 00:00:00:00:00:00 (Non-Resolvable)
        BR/EDR Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Long Term Key (0x000a) plen 37
        BR/EDR Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
        Key type: Authenticated key from P-256 (0x03)
SMP over LE:
Before Fix:
@ MGMT Event: New Identity Resolving Key (0x0018) plen 30
        Random address: 5F:5C:07:37:47:D5 (Resolvable)
        LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Long Term Key (0x000a) plen 37
        LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
        Key type: Authenticated key from P-256 (0x03)
@ MGMT Event: New Link Key (0x0009) plen 26
        BR/EDR Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
        Key type: Authenticated Combination key from P-256 (0x08)
After Fix:
@ MGMT Event: New Identity Resolving Key (0x0018) plen 30
        Random address: 5E:03:1C:00:38:21 (Resolvable)
        LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Long Term Key (0x000a) plen 37
        LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
        Key type: Authenticated key from P-256 (0x03)
@ MGMT Event: New Link Key (0x0009) plen 26
        Store hint: Yes (0x01)
        LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
        Key type: Authenticated Combination key from P-256 (0x08)
Cc: stable@vger.kernel.org
Signed-off-by: Xiao Yao <xiaoyao@rock-chips.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Frédéric Danis
|
e14a7ebafe |
Bluetooth: L2CAP: Send reject on command corrupted request
commit 78b99eb1faa7371bf9c534690f26a71b6996622d upstream.
L2CAP/COS/CED/BI-02-C PTS test send a malformed L2CAP signaling packet
with 2 commands in it (a connection request and an unknown command) and
expect to get a connection response packet and a command reject packet.
The second is currently not sent.
Cc: stable@vger.kernel.org
Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Hyunwoo Kim
|
37f71e2c9f |
Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
commit 2e07e8348ea454615e268222ae3fc240421be768 upstream.
This can cause a race with bt_sock_ioctl() because
bt_sock_recvmsg() gets the skb from sk->sk_receive_queue
and then frees it without holding lock_sock.
A use-after-free for a skb occurs with the following flow.
```
bt_sock_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
bt_sock_ioctl() -> skb_peek()
```
Add lock_sock to bt_sock_recvmsg() to fix this issue.
Cc: stable@vger.kernel.org
Fixes:
|
||
Luiz Augusto von Dentz
|
470896ecbc |
Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent
commit 99e67d46e5ff3c7c901af6009edec72d3d363be8 upstream.
Before setting HCI_INQUIRY bit check if HCI_OP_INQUIRY was really sent
otherwise the controller may be generating invalid events or, more
likely, it is a result of fuzzing tools attempting to test the right
behavior of the stack when unexpected events are generated.
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218151
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Johannes Berg
|
db57ef0dd4 |
wifi: cfg80211: fix certs build to not depend on file order
commit 3c2a8ebe3fe66a5f77d4c164a0bea8e2ff37b455 upstream.
The file for the new certificate (Chen-Yu Tsai's) didn't
end with a comma, so depending on the file order in the
build rule, we'd end up with invalid C when concatenating
the (now two) certificates. Fix that.
Cc: stable@vger.kernel.org
Reported-by: Biju Das <biju.das.jz@bp.renesas.com>
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Fixes: fb768d3b13ff ("wifi: cfg80211: Add my certificate")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Chen-Yu Tsai
|
ec350809cd |
wifi: cfg80211: Add my certificate
commit fb768d3b13ffa325b7e84480d488ac799c9d2cd7 upstream.
As announced [1][2], I have taken over maintainership of the
wireless-regdb project.
Add my certificate so that newer releases are valid to the kernel.
Seth's certificate should be kept around for awhile, at least until
a few new releases by me happen.
This should also be applied to stable trees so that stable kernels
can utilize newly released database binaries.
[1] https://lore.kernel.org/linux-wireless/CAGb2v657baNMPKU3QADijx7hZa=GUcSv2LEDdn6N=QQaFX8r-g@mail.gmail.com/
[2] https://lore.kernel.org/linux-wireless/ZWmRR5ul7EDfxCan@wens.tw/
Cc: stable@vger.kernel.org
Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
Acked-by: Seth Forshee <sforshee@kernel.org>
Link: https://msgid.link/ZXHGsqs34qZyzZng@wens.tw
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
David Howells
|
791d5409cd |
keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
[ Upstream commit 39299bdd2546688d92ed9db4948f6219ca1b9542 ]
If a key has an expiration time, then when that time passes, the key is
left around for a certain amount of time before being collected (5 mins by
default) so that EKEYEXPIRED can be returned instead of ENOKEY. This is a
problem for DNS keys because we want to redo the DNS lookup immediately at
that point.
Fix this by allowing key types to be marked such that keys of that type
don't have this extra period, but are reclaimed as soon as they expire and
turn this on for dns_resolver-type keys. To make this easier to handle,
key->expiry is changed to be permanent if TIME64_MAX rather than 0.
Furthermore, give such new-style negative DNS results a 1s default expiry
if no other expiry time is set rather than allowing it to stick around
indefinitely. This shouldn't be zero as ls will follow a failing stat call
immediately with a second with AT_SYMLINK_NOFOLLOW added.
Fixes:
|
||
Eric Dumazet
|
3e617c7e39 |
net: check dev->gso_max_size in gso_features_check()
[ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ]
Some drivers might misbehave if TSO packets get too big.
GVE for instance uses a 16bit field in its TX descriptor,
and will do bad things if a packet is bigger than 2^16 bytes.
Linux TCP stack honors dev->gso_max_size, but there are
other ways for too big packets to reach an ndo_start_xmit()
handler : virtio_net, af_packet, GRO...
Add a generic check in gso_features_check() and fallback
to GSO when needed.
gso_max_size was added in the blamed commit.
Fixes:
|
||
Liu Jian
|
a70c2dd741 |
net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()
[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ]
I got the below warning trace:
WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify
CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0
Call Trace:
rtnl_dellink
rtnetlink_rcv_msg
netlink_rcv_skb
netlink_unicast
netlink_sendmsg
__sock_sendmsg
____sys_sendmsg
___sys_sendmsg
__sys_sendmsg
do_syscall_64
entry_SYSCALL_64_after_hwframe
It can be reproduced via:
ip netns add ns1
ip netns exec ns1 ip link add bond0 type bond mode 0
ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
ip netns exec ns1 ip link set bond_slave_1 master bond0
[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off
[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0
[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0
[4] ip netns exec ns1 ip link set bond_slave_1 nomaster
[5] ip netns exec ns1 ip link del veth2
ip netns del ns1
This is all caused by command [1] turning off the rx-vlan-filter function
of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix
incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands
[2] [3] add the same vid to slave and master respectively, causing
command [4] to empty slave->vlan_info. The following command [5] triggers
this problem.
To fix this problem, we should add VLAN_FILTER feature checks in
vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect
addition or deletion of vlan_vid information.
Fixes:
|
||
Arnd Bergmann
|
a1986c429c |
Bluetooth: hci_event: shut up a false-positive warning
[ Upstream commit a5812c68d849505ea657f653446512b85887f813 ]
Turning on -Wstringop-overflow globally exposed a misleading compiler
warning in bluetooth:
net/bluetooth/hci_event.c: In function 'hci_cc_read_class_of_dev':
net/bluetooth/hci_event.c:524:9: error: 'memcpy' writing 3 bytes into a
region of size 0 overflows the destination [-Werror=stringop-overflow=]
524 | memcpy(hdev->dev_class, rp->dev_class, 3);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The problem here is the check for hdev being NULL in bt_dev_dbg() that
leads the compiler to conclude that hdev->dev_class might be an invalid
pointer access.
Add another explicit check for the same condition to make sure gcc sees
this cannot happen.
Fixes:
|
||
Eric Dumazet
|
3e0d158579 |
net/rose: fix races in rose_kill_by_device()
[ Upstream commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be ]
syzbot found an interesting netdev refcounting issue in
net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1]
Problem is that rose_kill_by_device() can change rose->device
while other threads do not expect the pointer to be changed.
We have to first collect sockets in a temporary array,
then perform the changes while holding the socket
lock and rose_list_lock spinlock (in this order)
Change rose_release() to also acquire rose_list_lock
before releasing the netdev refcount.
[1]
[ 1185.055088][ T7889] ref_tracker: reference already released.
[ 1185.061476][ T7889] ref_tracker: allocated in:
[ 1185.066081][ T7889] rose_bind+0x4ab/0xd10
[ 1185.070446][ T7889] __sys_bind+0x1ec/0x220
[ 1185.074818][ T7889] __x64_sys_bind+0x72/0xb0
[ 1185.079356][ T7889] do_syscall_64+0x40/0x110
[ 1185.083897][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 1185.089835][ T7889] ref_tracker: freed in:
[ 1185.094088][ T7889] rose_release+0x2f5/0x570
[ 1185.098629][ T7889] __sock_release+0xae/0x260
[ 1185.103262][ T7889] sock_close+0x1c/0x20
[ 1185.107453][ T7889] __fput+0x270/0xbb0
[ 1185.111467][ T7889] task_work_run+0x14d/0x240
[ 1185.116085][ T7889] get_signal+0x106f/0x2790
[ 1185.120622][ T7889] arch_do_signal_or_restart+0x90/0x7f0
[ 1185.126205][ T7889] exit_to_user_mode_prepare+0x121/0x240
[ 1185.131846][ T7889] syscall_exit_to_user_mode+0x1e/0x60
[ 1185.137293][ T7889] do_syscall_64+0x4d/0x110
[ 1185.141783][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 1185.148085][ T7889] ------------[ cut here ]------------
WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
Modules linked in:
CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78917e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44
RSP: 0018:ffffc90004917850 EFLAGS: 00010202
RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000
RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001
RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6
R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c
R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff
FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netdev_tracker_free include/linux/netdevice.h:4127 [inline]
netdev_put include/linux/netdevice.h:4144 [inline]
netdev_put include/linux/netdevice.h:4140 [inline]
rose_kill_by_device net/rose/af_rose.c:195 [inline]
rose_device_event+0x25d/0x330 net/rose/af_rose.c:218
notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967
call_netdevice_notifiers_extack net/core/dev.c:2005 [inline]
call_netdevice_notifiers net/core/dev.c:2019 [inline]
__dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646
dev_change_flags+0x122/0x170 net/core/dev.c:8682
dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529
dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786
sock_do_ioctl+0x198/0x270 net/socket.c:1234
sock_ioctl+0x22e/0x6b0 net/socket.c:1339
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f0a7147cba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9
RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004
RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8
</TASK>
Fixes:
|
||
Eric Dumazet
|
6707baabe4 |
net: sched: ife: fix potential use-after-free
[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ]
ife_decode() calls pskb_may_pull() two times, we need to reload
ifehdr after the second one, or risk use-after-free as reported
by syzbot:
BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline]
BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323
CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
__ife_tlv_meta_valid net/ife/ife.c:108 [inline]
ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
tcf_ife_decode net/sched/act_ife.c:739 [inline]
tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879
tc_act include/net/tc_wrapper.h:221 [inline]
tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
tcf_exts_exec include/net/pkt_cls.h:344 [inline]
mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
tc_classify include/net/tc_wrapper.h:227 [inline]
__tcf_classify net/sched/cls_api.c:1703 [inline]
tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
__dev_xmit_skb net/core/dev.c:3828 [inline]
__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
dev_queue_xmit include/linux/netdevice.h:3165 [inline]
packet_xmit+0x237/0x350 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
__do_sys_sendto net/socket.c:2202 [inline]
__se_sys_sendto net/socket.c:2198 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fe9acc7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9
RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003
RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78
</TASK>
Allocated by task 22323:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027
kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1298 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
packet_alloc_skb net/packet/af_packet.c:2930 [inline]
packet_snd net/packet/af_packet.c:3024 [inline]
packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
__do_sys_sendto net/socket.c:2202 [inline]
__se_sys_sendto net/socket.c:2198 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Freed by task 22323:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xc0/0x180 mm/slub.c:3822
skb_kfree_head net/core/skbuff.c:950 [inline]
skb_free_head+0x110/0x1b0 net/core/skbuff.c:962
pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130
__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655
pskb_may_pull_reason include/linux/skbuff.h:2685 [inline]
pskb_may_pull include/linux/skbuff.h:2693 [inline]
ife_decode+0x394/0x4f0 net/ife/ife.c:82
tcf_ife_decode net/sched/act_ife.c:727 [inline]
tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879
tc_act include/net/tc_wrapper.h:221 [inline]
tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
tcf_exts_exec include/net/pkt_cls.h:344 [inline]
mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
tc_classify include/net/tc_wrapper.h:227 [inline]
__tcf_classify net/sched/cls_api.c:1703 [inline]
tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
__dev_xmit_skb net/core/dev.c:3828 [inline]
__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
dev_queue_xmit include/linux/netdevice.h:3165 [inline]
packet_xmit+0x237/0x350 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
__do_sys_sendto net/socket.c:2202 [inline]
__se_sys_sendto net/socket.c:2198 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
The buggy address belongs to the object at ffff88802d730000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 164 bytes inside of
freed 8192-byte region [ffff88802d730000, ffff88802d732000)
The buggy address belongs to the physical page:
page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730
head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544
prep_new_page mm/page_alloc.c:1551 [inline]
get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319
__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x283/0x3c0 mm/slub.c:2070
___slab_alloc+0x979/0x1500 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027
kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1298 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
packet_alloc_skb net/packet/af_packet.c:2930 [inline]
packet_snd net/packet/af_packet.c:3024 [inline]
packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1144 [inline]
free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494
__unfreeze_partials+0x226/0x240 mm/slub.c:2655
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509
alloc_inode_sb include/linux/fs.h:2937 [inline]
ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408
alloc_inode+0x5d/0x220 fs/inode.c:261
new_inode_pseudo fs/inode.c:1006 [inline]
new_inode+0x22/0x260 fs/inode.c:1032
__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958
ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398
vfs_symlink fs/namei.c:4464 [inline]
vfs_symlink+0x3e5/0x620 fs/namei.c:4448
do_symlinkat+0x25f/0x310 fs/namei.c:4490
__do_sys_symlinkat fs/namei.c:4506 [inline]
__se_sys_symlinkat fs/namei.c:4503 [inline]
__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
Fixes:
|
||
Shigeru Yoshida
|
31edab1222 |
net: Return error from sk_stream_wait_connect() if sk_wait_event() fails
[ Upstream commit cac23b7d7627915d967ce25436d7aae26e88ed06 ]
The following NULL pointer dereference issue occurred:
BUG: kernel NULL pointer dereference, address: 0000000000000000
<...>
RIP: 0010:ccid_hc_tx_send_packet net/dccp/ccid.h:166 [inline]
RIP: 0010:dccp_write_xmit+0x49/0x140 net/dccp/output.c:356
<...>
Call Trace:
<TASK>
dccp_sendmsg+0x642/0x7e0 net/dccp/proto.c:801
inet_sendmsg+0x63/0x90 net/ipv4/af_inet.c:846
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x83/0xe0 net/socket.c:745
____sys_sendmsg+0x443/0x510 net/socket.c:2558
___sys_sendmsg+0xe5/0x150 net/socket.c:2612
__sys_sendmsg+0xa6/0x120 net/socket.c:2641
__do_sys_sendmsg net/socket.c:2650 [inline]
__se_sys_sendmsg net/socket.c:2648 [inline]
__x64_sys_sendmsg+0x45/0x50 net/socket.c:2648
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x43/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
sk_wait_event() returns an error (-EPIPE) if disconnect() is called on the
socket waiting for the event. However, sk_stream_wait_connect() returns
success, i.e. zero, even if sk_wait_event() returns -EPIPE, so a function
that waits for a connection with sk_stream_wait_connect() may misbehave.
In the case of the above DCCP issue, dccp_sendmsg() is waiting for the
connection. If disconnect() is called concurrently, the above issue
occurs.
This patch fixes the issue by returning error from
sk_stream_wait_connect() if sk_wait_event() fails.
Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Johannes Berg
|
2f635af7d6 |
wifi: mac80211: mesh_plink: fix matches_local logic
[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ]
During refactoring the "else" here got lost, add it back.
Fixes:
|
||
Johannes Berg
|
7a07af00aa |
wifi: mac80211: mesh: check element parsing succeeded
[ Upstream commit 1fc4a3eec50d726f4663ad3c0bb0158354d6647a ]
ieee802_11_parse_elems() can return NULL, so we must
check for the return value.
Fixes:
|
||
Edward Adam Davis
|
40ba7f9ab8 |
wifi: mac80211: check if the existing link config remains unchanged
[ Upstream commit c1393c132b906fbdf91f6d1c9eb2ef7a00cce64e ]
[Syz report]
WARNING: CPU: 1 PID: 5067 at net/mac80211/rate.c:48 rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
Modules linked in:
CPU: 1 PID: 5067 Comm: syz-executor413 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
Code: 48 c7 c2 00 46 0c 8c be 08 03 00 00 48 c7 c7 c0 45 0c 8c c6 05 70 79 0b 05 01 e8 1b a0 6f f7 e9 e0 fd ff ff e8 61 b3 8f f7 90 <0f> 0b 90 e9 36 ff ff ff e8 53 b3 8f f7 e8 5e 0b 78 f7 31 ff 89 c3
RSP: 0018:ffffc90003c57248 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888016bc4000 RCX: ffffffff89f7d519
RDX: ffff888076d43b80 RSI: ffffffff89f7d6df RDI: 0000000000000005
RBP: ffff88801daaae20 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000001
R13: 0000000000000000 R14: ffff888020030e20 R15: ffff888078f08000
FS: 0000555556b94380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 0000000076d22000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sta_apply_auth_flags.constprop.0+0x4b7/0x510 net/mac80211/cfg.c:1674
sta_apply_parameters+0xaf1/0x16c0 net/mac80211/cfg.c:2002
ieee80211_add_station+0x3fa/0x6c0 net/mac80211/cfg.c:2068
rdev_add_station net/wireless/rdev-ops.h:201 [inline]
nl80211_new_station+0x13ba/0x1a70 net/wireless/nl80211.c:7603
genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
[Analysis]
It is inappropriate to make a link configuration change judgment on a
non-existent and non new link.
[Fix]
Quickly exit when there is an existent link and the link configuration has not
changed.
Fixes:
|
||
qctecmdr
|
77e7062745 |
Merge "net: qrtr: Add interruptible timeout in MHI tx path"
|
||
Florian Westphal
|
30bca9e278 |
UPSTREAM: netfilter: nft_set_pipapo: skip inactive elements during set walk
commit 317eb9685095678f2c9f5a8189de698c5354316a upstream.
Otherwise set elements can be deactivated twice which will cause a crash.
Bug: 316310313
Reported-by: Xingyuan Mo <hdthky0@gmail.com>
Fixes:
|
||
John Fastabend
|
9b3d3a7f3c |
net: tls, update curr on splice as well
commit c5a595000e2677e865a39f249c056bc05d6e55fd upstream.
The curr pointer must also be updated on the splice similar to how
we do this for other copy types.
Fixes:
|
||
Hyunwoo Kim
|
1646b2929d |
appletalk: Fix Use-After-Free in atalk_ioctl
[ Upstream commit 189ff16722ee36ced4d2a2469d4ab65a8fee4198 ]
Because atalk_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with atalk_recvmsg().
A use-after-free for skb occurs with the following flow.
```
atalk_ioctl() -> skb_peek()
atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
```
Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue.
Fixes:
|
||
Nikolay Kuratov
|
9a23be1e58 |
vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
[ Upstream commit 60316d7f10b17a7ebb1ead0642fee8710e1560e0 ]
We need to do signed arithmetic if we expect condition
`if (bytes < 0)` to be possible
Found by Linux Verification Center (linuxtesting.org) with SVACE
Fixes:
|
||
Dong Chenchen
|
55a43bae08 |
net: Remove acked SYN flag from packet in the transmit queue correctly
[ Upstream commit f99cd56230f56c8b6b33713c5be4da5d6766be1f ]
syzkaller report:
kernel BUG at net/core/skbuff.c:3452!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc4-00009-gbee0e7762ad2-dirty #135
RIP: 0010:skb_copy_and_csum_bits (net/core/skbuff.c:3452)
Call Trace:
icmp_glue_bits (net/ipv4/icmp.c:357)
__ip_append_data.isra.0 (net/ipv4/ip_output.c:1165)
ip_append_data (net/ipv4/ip_output.c:1362 net/ipv4/ip_output.c:1341)
icmp_push_reply (net/ipv4/icmp.c:370)
__icmp_send (./include/net/route.h:252 net/ipv4/icmp.c:772)
ip_fragment.constprop.0 (./include/linux/skbuff.h:1234 net/ipv4/ip_output.c:592 net/ipv4/ip_output.c:577)
__ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:295)
ip_output (net/ipv4/ip_output.c:427)
__ip_queue_xmit (net/ipv4/ip_output.c:535)
__tcp_transmit_skb (net/ipv4/tcp_output.c:1462)
__tcp_retransmit_skb (net/ipv4/tcp_output.c:3387)
tcp_retransmit_skb (net/ipv4/tcp_output.c:3404)
tcp_retransmit_timer (net/ipv4/tcp_timer.c:604)
tcp_write_timer (./include/linux/spinlock.h:391 net/ipv4/tcp_timer.c:716)
The panic issue was triggered by tcp simultaneous initiation.
The initiation process is as follows:
    TCP A                                       TCP B
  1.  CLOSED                                      CLOSED
  2.  SYN-SENT     --> <SEQ=100><CTL=SYN>              ...
  3.  SYN-RECEIVED <-- <SEQ=300><CTL=SYN>              <-- SYN-SENT
  4.               ... <SEQ=100><CTL=SYN>              --> SYN-RECEIVED
  5.  SYN-RECEIVED --> <SEQ=100><ACK=301><CTL=SYN,ACK> ...
  // TCP B: not send challenge ack for ack limit or packet loss
  // TCP A: close
      tcp_close
          tcp_send_fin
              if (!tskb && tcp_under_memory_pressure(sk))
                  tskb = skb_rb_last(&sk->tcp_rtx_queue); //pick SYN_ACK packet
              TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN; // set FIN flag
  6.  FIN_WAIT_1 --> <SEQ=100><ACK=301><END_SEQ=102><CTL=SYN,FIN,ACK> ...
  // TCP B: send challenge ack to SYN_FIN_ACK
  7.               ... <SEQ=301><ACK=101><CTL=ACK> <-- SYN-RECEIVED //challenge ack
  // TCP A: <SND.UNA=101>
  8.  FIN_WAIT_1 --> <SEQ=101><ACK=301><END_SEQ=102><CTL=SYN,FIN,ACK> ... // retransmit panic
      __tcp_retransmit_skb //skb->len=0
          tcp_trim_head
              len = tp->snd_una - TCP_SKB_CB(skb)->seq // len=101-100
              __pskb_trim_head
                  skb->data_len -= len // skb->len=-1, wrap around
          ... ...
          ip_fragment
              icmp_glue_bits //BUG_ON
If we use tcp_trim_head() to remove acked SYN from packet that contains data
or other flags, skb->len will be incorrectly decremented. We can remove SYN
flag that has been acked from rtx_queue earlier than tcp_trim_head(), which
can fix the problem mentioned above.
Fixes:
|
||
Hyunwoo Kim
|
01540ee236 |
net/rose: Fix Use-After-Free in rose_ioctl
[ Upstream commit 810c38a369a0a0ce625b5c12169abce1dd9ccd53 ]
Because rose_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with rose_accept().
A use-after-free for skb occurs with the following flow.
```
rose_ioctl() -> skb_peek()
rose_accept() -> skb_dequeue() -> kfree_skb()
```
Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.
Fixes:
|
||
Hyunwoo Kim
|
2de2a6cbe1 |
atm: Fix Use-After-Free in do_vcc_ioctl
[ Upstream commit 24e90b9e34f9e039f56b5f25f6e6eb92cdd8f4b3 ]
Because do_vcc_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with vcc_recvmsg().
A use-after-free for skb occurs with the following flow.
```
do_vcc_ioctl() -> skb_peek()
vcc_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
```
Add sk->sk_receive_queue.lock to do_vcc_ioctl() to fix this issue.
Fixes:
|
||
Vladimir Oltean
|
a00dbc6dec |
net: vlan: introduce skb_vlan_eth_hdr()
[ Upstream commit 1f5020acb33f926030f62563c86dffca35c7b701 ]
Similar to skb_eth_hdr() introduced in commit
|
||
Maciej Żenczykowski
|
0da41ddfb2 |
net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX
[ Upstream commit bd4a816752bab609dd6d65ae021387beb9e2ddbd ]
Lorenzo points out that we effectively clear all unknown
flags from PIO when copying them to userspace in the netlink
RTM_NEWPREFIX notification.
We could fix this one at a time as new flags are defined,
or in one fell swoop - I choose the latter.
We could either define 6 new reserved flags (reserved1..6) and handle
them individually (and rename them as new flags are defined), or we
could simply copy the entire unmodified byte over - I choose the latter.
This unfortunately requires some anonymous union/struct magic,
so we add a static assert on the struct size for a little extra safety.
Cc: David Ahern <dsahern@kernel.org>
Cc: Lorenzo Colitti <lorenzo@google.com>
Fixes:
|
||
Pranav Mahesh Phansalkar
|
4c8404c710 |
net: qrtr: Add interruptible timeout in MHI tx path
Add interruptible timeout in MHI tx path as current implementation
leads to deadlock while unregistering endpoint in probe and sending
the data at the same time.
Change-Id: If8558cf92a996cd111e7016e391bbabea5bdfa92
Signed-off-by: Pranav Mahesh Phansalkar <quic_pphansal@quicinc.com>
|
||
qctecmdr
|
6609224546 |
Merge "Merge keystone/android14-6.1-keystone-qcom-release.6.1.43 (ff4725c ) into qcom-6.1"
|
||
Greg Kroah-Hartman
|
6b1e1d37f1 |
This is the 6.1.66 stable release
Merge 6.1.66 into android14-6.1-lts Changes in 6.1.66 cifs: Fix FALLOC_FL_ZERO_RANGE by setting i_size if EOF moved cifs: Fix FALLOC_FL_INSERT_RANGE by setting i_size after EOF moved smb: client: report correct st_size for SMB and NFS symlinks pinctrl: avoid reload of p state in list iteration firewire: core: fix possible memory leak in create_units() mmc: sdhci-pci-gli: Disable LPM during initialization mmc: cqhci: Increase recovery halt timeout mmc: cqhci: Warn of halt or task clear failure mmc: cqhci: Fix task clearing in CQE error recovery mmc: block: Retry commands in CQE error recovery mmc: block: Do not lose cache flush during CQE error recovery mmc: block: Be sure to wait while busy in CQE error recovery ALSA: hda: Disable power-save on KONTRON SinglePC ALSA: hda/realtek: Headset Mic VREF to 100% ALSA: hda/realtek: Add supported ALC257 for ChromeOS dm-verity: align struct dm_verity_fec_io properly scsi: Change SCSI device boolean fields to single bit flags scsi: sd: Fix system start for ATA devices drm/amd: Enable PCIe PME from D3 drm/amdgpu: Force order between a read and write to the same address drm/amd/display: Include udelay when
waiting for INBOX0 ACK drm/amd/display: Remove min_dst_y_next_start check for Z8 drm/amd/display: Use DRAM speed from validation for dummy p-state drm/amd/display: Update min Z8 residency time to 2100 for DCN314 drm/amd/display: fix ABM disablement dm verity: initialize fec io before freeing it dm verity: don't perform FEC for failed readahead IO nvme: check for valid nvme_identify_ns() before using it powercap: DTPM: Fix unneeded conversions to micro-Watts cpufreq/amd-pstate: Fix the return value of amd_pstate_fast_switch() dma-buf: fix check in dma_resv_add_fence bcache: revert replacing IS_ERR_OR_NULL with IS_ERR iommu/vt-d: Add MTL to quirk list to skip TE disabling KVM: PPC: Book3S HV: Fix KVM_RUN clobbering FP/VEC user registers powerpc: Don't clobber f0/vs0 during fp|altivec register save parisc: Mark ex_table entries 32-bit aligned in assembly.h parisc: Mark ex_table entries 32-bit aligned in uaccess.h parisc: Use natural CPU alignment for bug_table parisc: Mark lock_aligned variables 16-byte aligned on SMP parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes parisc: Mark jump_table naturally aligned parisc: Ensure 32-bit alignment on parisc unwind section parisc: Mark altinstructions read-only and 32-bit aligned btrfs: add dmesg output for first mount and last unmount of a filesystem btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod() btrfs: fix off-by-one when checking chunk map includes logical address btrfs: send: ensure send_fd is writable btrfs: make error messages more clear when getting a chunk map btrfs: fix 64bit compat send ioctl arguments not initializing version member Input: xpad - add HyperX Clutch Gladiate Support auxdisplay: hd44780: move cursor home after clear display command serial: sc16is7xx: Put IOControl register into regmap_volatile serial: sc16is7xx: add missing support for rs485 devicetree properties wifi: cfg80211: fix CQM for non-range use USB: xhci-plat: fix legacy PHY double init USB: core: Change configuration 
warnings to notices usb: config: fix iteration issue in 'usb_get_bos_descriptor()' ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet dpaa2-eth: increase the needed headroom to account for alignment uapi: propagate __struct_group() attributes to the container union selftests/net: ipsec: fix constant out of range selftests/net: fix a char signedness issue selftests/net: unix: fix unused variable compiler warning selftests/net: mptcp: fix uninitialized variable warnings octeontx2-af: Fix possible buffer overflow net: stmmac: xgmac: Disable FPE MMC interrupts octeontx2-pf: Fix adding mbox work queue entry when num_vfs > 64 octeontx2-af: Install TC filter rules in hardware based on priority octeontx2-pf: Restore TC ingress police rules when interface is up r8169: prevent potential deadlock in rtl8169_close ravb: Fix races between ravb_tx_timeout_work() and net related ops net: ravb: Check return value of reset_control_deassert() net: ravb: Use pm_runtime_resume_and_get() net: ravb: Make write access to CXR35 first before accessing other EMAC registers net: ravb: Start TX queues after HW initialization succeeded net: ravb: Stop DMA in case of failures on ravb_open() net: ravb: Keep reverse order of operations in ravb_remove() KVM: x86: Fix lapic timer interrupt lost after loading a snapshot. 
PCI: Lengthen reset delay for VideoPropulsion Torrent QN16e card octeontx2-af: Initialize 'cntr_val' to fix uninitialized symbol error PCI: qcom-ep: Add dedicated callback for writing to DBI2 registers fbdev: stifb: Make the STI next font pointer a 32-bit signed offset spi: Fix null dereference on suspend drm/amd/display: Restore rptr/wptr for DMCUB as workaround drm/amd/display: Guard against invalid RPTR/WPTR being set cpufreq: imx6q: don't warn for disabling a non-existing frequency cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily iommu/vt-d: Omit devTLB invalidation requests when TES=0 iommu/vt-d: Allocate pasid table in device probe path iommu/vt-d: Add device_block_translation() helper iommu/vt-d: Disable PCI ATS in legacy passthrough mode iommu/vt-d: Make context clearing consistent with context mapping drm/amd/pm: fix a memleak in aldebaran_tables_init mmc: core: add helpers mmc_regulator_enable/disable_vqmmc mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled drm/amd/display: Expand kernel doc for DC drm/amd/display: clean code-style issues in dcn30_set_mpc_shaper_3dlut drm/amd/display: Fix the delta clamping for shaper LUT drm/amd/display: Fix MPCC 1DLUT programming r8169: disable ASPM in case of tx timeout r8169: fix deadlock on RTL8125 in jumbo mtu mode xen: Allow platform PCI interrupt to be shared xen: simplify evtchn_do_upcall() call maze x86/xen: fix percpu vcpu_info allocation x86/apic/msi: Fix misconfigured non-maskable MSI quirk iomap: update ki_pos a little later in iomap_dio_complete Linux 6.1.66 Note, this merge point merges out the following two scsi changes due to them needing to be reverted due to abi breakage and reliance on previous commits that we have already reverted: |
||
Greg Kroah-Hartman
|
157836a2ab |
This is the 6.1.65 stable release
Merge 6.1.65 into android14-6.1-lts Changes in 6.1.65 afs: Fix afs_server_list to be cleaned up with RCU afs: Make error on cell lookup failure consistent with OpenAFS drm/panel: boe-tv101wum-nl6: Fine tune the panel power sequence drm/panel: auo,b101uan08.3: Fine tune the panel power sequence drm/panel: simple: Fix Innolux G101ICE-L01 bus flags drm/panel: simple: Fix Innolux G101ICE-L01 timings wireguard: use DEV_STATS_INC() octeontx2-pf: Fix memory leak during interface down ata: pata_isapnp: Add missing error check for devm_ioport_map() drm/i915: do not clean GT table on error path drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full HID: fix HID device resource race between HID core and debugging support ipv4: Correct/silence an endian warning in __ip_do_redirect net: usb: ax88179_178a: fix failed operations during ax88179_reset net/smc: avoid data corruption caused by decline arm/xen: fix xen_vcpu_info allocation alignment octeontx2-pf: Fix ntuple rule creation to direct packet to VF with higher Rx queue than its PF amd-xgbe: handle corner-case during sfp hotplug amd-xgbe: handle the corner-case during tx completion amd-xgbe:
propagate the correct speed and duplex status net: axienet: Fix check for partial TX checksum afs: Return ENOENT if no cell DNS record can be found afs: Fix file locking on R/O volumes to operate in local mode mm,kfence: decouple kfence from page granularity mapping judgement arm64: mm: Fix "rodata=on" when CONFIG_RODATA_FULL_DEFAULT_ENABLED=y i40e: use ERR_PTR error print in i40e messages i40e: Fix adding unsupported cloud filters nvmet: nul-terminate the NQNs passed in the connect command USB: dwc3: qcom: fix resource leaks on probe deferral USB: dwc3: qcom: fix ACPI platform device leak lockdep: Fix block chain corruption cifs: minor cleanup of some headers smb3: allow dumping session and tcon id to improve stats analysis and debugging cifs: print last update time for interface list cifs: distribute channels across interfaces based on speed cifs: account for primary channel in the interface list cifs: fix leak of iface for primary channel MIPS: KVM: Fix a build warning about variable set but not used media: camss: Split power domain management media: camss: Convert to platform remove callback returning void media: qcom: Initialise V4L2 async notifier later media: qcom: camss: Fix V4L2 async notifier error path media: qcom: camss: Fix genpd cleanup ext4: add a new helper to check if es must be kept ext4: factor out __es_alloc_extent() and __es_free_extent() ext4: use pre-allocated es in __es_insert_extent() ext4: use pre-allocated es in __es_remove_extent() ext4: using nofail preallocation in ext4_es_remove_extent() ext4: using nofail preallocation in ext4_es_insert_delayed_block() ext4: using nofail preallocation in ext4_es_insert_extent() ext4: fix slab-use-after-free in ext4_es_insert_extent() ext4: make sure allocate pending entry not fail NFSD: Fix "start of NFS reply" pointer passed to nfsd_cache_update() NFSD: Fix checksum mismatches in the duplicate reply cache arm64: dts: imx8mn-var-som: add 20ms delay to ethernet regulator enable ACPI: resource: Skip 
IRQ override on ASUS ExpertBook B1402CVA swiotlb-xen: provide the "max_mapping_size" method bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce() md: fix bi_status reporting in md_end_clone_io bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up race io_uring/fs: consider link->flags when getting path for LINKAT s390/dasd: protect device queue against concurrent access USB: serial: option: add Luat Air72*U series products hv_netvsc: fix race of netvsc and VF register_netdevice hv_netvsc: Fix race of register_netdevice_notifier and VF register hv_netvsc: Mark VF as slave before exposing it to user-mode dm-delay: fix a race between delay_presuspend and delay_bio bcache: check return value from btree_node_alloc_replacement() bcache: prevent potential division by zero error bcache: fixup init dirty data errors bcache: fixup lock c->root error usb: cdnsp: Fix deadlock issue during using NCM gadget USB: serial: option: add Fibocom L7xx modules USB: serial: option: fix FM101R-GL defines USB: serial: option: don't claim interface 4 for ZTE MF290 usb: typec: tcpm: Skip hard reset when in error recovery USB: dwc2: write HCINT with INTMASK applied usb: dwc3: Fix default mode initialization usb: dwc3: set the dma max_seg_size USB: dwc3: qcom: fix software node leak on probe errors USB: dwc3: qcom: fix wakeup after probe deferral io_uring: fix off-by one bvec index Linux 6.1.65 Change-Id: Iea9267bee56905028a77d03c7fad8def8969246e Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Florian Westphal
|
189c2a8293 |
netfilter: nft_set_pipapo: skip inactive elements during set walk
commit 317eb9685095678f2c9f5a8189de698c5354316a upstream.
Otherwise set elements can be deactivated twice which will cause a crash.
Reported-by: Xingyuan Mo <hdthky0@gmail.com>
Fixes:
|
||
Daniel Borkmann
|
6a71d77856 |
packet: Move reference count in packet_sock to atomic_long_t
commit db3fadacaf0c817b222090290d06ca2a338422d0 upstream.
In some potential instances the reference count on struct packet_sock
could be saturated and cause overflows which gets the kernel a bit
confused. To prevent this, move to a 64-bit atomic reference count on
64-bit architectures to prevent the possibility of this type to overflow.
Because we can not handle saturation, using refcount_t is not possible
in this place. Maybe someday in the future if it changes it could be
used. Also, instead of using plain atomic64_t, use atomic_long_t instead.
32-bit machines tend to be memory-limited (i.e. anything that increases
a reference uses so much memory that you can't actually get to 2**32
references). 32-bit architectures also tend to have serious problems
with 64-bit atomics. Hence, atomic_long_t is the more natural solution.
Reported-by: "The UK's National Cyber Security Centre (NCSC)" <security@ncsc.gov.uk>
Co-developed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@kernel.org
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20231201131021.19999-1-daniel@iogearbox.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Pavel Begunkov
|
f2f57f51b5 |
io_uring/af_unix: disable sending io_uring over sockets
commit 705318a99a138c29a512a72c3e0043b3cd7f55f4 upstream.
File reference cycles have caused lots of problems for io_uring
in the past, and it still doesn't work exactly right and races with
unix_stream_read_generic(). The safest fix would be to completely
disallow sending io_uring files via sockets via SCM_RIGHT, so there
are no possible cycles involving registered files and thus rendering
SCM accounting on the io_uring side unnecessary.
Cc: <stable@vger.kernel.org>
Fixes:
|
||
Ido Schimmel
|
b5ca945612 |
drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
[ Upstream commit e03781879a0d524ce3126678d50a80484a513c4b ]
The "NET_DM" generic netlink family notifies drop locations over the
"events" multicast group. This is problematic since by default generic
netlink allows non-root users to listen to these notifications.
Fix by adding a new field to the generic netlink multicast group
structure that when set prevents non-root users or root without the
'CAP_SYS_ADMIN' capability (in the user namespace owning the network
namespace) from joining the group. Set this field for the "events"
group. Use 'CAP_SYS_ADMIN' rather than 'CAP_NET_ADMIN' because of the
nature of the information that is shared over this group.
Note that the capability check in this case will always be performed
against the initial user namespace since the family is not netns aware
and only operates in the initial network namespace.
A new field is added to the structure rather than using the "flags"
field because the existing field uses uAPI flags and it is inappropriate
to add a new uAPI flag for an internal kernel check. In net-next we can
rework the "flags" field to use internal flags and fold the new field
into it. But for now, in order to reduce the amount of changes, add a
new field.
Since the information can only be consumed by root, mark the control
plane operations that start and stop the tracing as root-only using the
'GENL_ADMIN_PERM' flag.
Tested using [1].
Before:
# capsh -- -c ./dm_repo
# capsh --drop=cap_sys_admin -- -c ./dm_repo
After:
# capsh -- -c ./dm_repo
# capsh --drop=cap_sys_admin -- -c ./dm_repo
Failed to join "events" multicast group
[1]
$ cat dm.c
#include <stdio.h>
#include <netlink/genl/ctrl.h>
#include <netlink/genl/genl.h>
#include <netlink/socket.h>

int main(int argc, char **argv)
{
	struct nl_sock *sk;
	int grp, err;

	sk = nl_socket_alloc();
	if (!sk) {
		fprintf(stderr, "Failed to allocate socket\n");
		return -1;
	}

	err = genl_connect(sk);
	if (err) {
		fprintf(stderr, "Failed to connect socket\n");
		return err;
	}

	grp = genl_ctrl_resolve_grp(sk, "NET_DM", "events");
	if (grp < 0) {
		fprintf(stderr,
			"Failed to resolve \"events\" multicast group\n");
		return grp;
	}

	err = nl_socket_add_memberships(sk, grp, NFNLGRP_NONE);
	if (err) {
		fprintf(stderr, "Failed to join \"events\" multicast group\n");
		return err;
	}

	return 0;
}
$ gcc -I/usr/include/libnl3 -lnl-3 -lnl-genl-3 -o dm_repo dm.c
Fixes:
|
||
Ido Schimmel
|
07c8229c02 |
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
[ Upstream commit 44ec98ea5ea9cfecd31a5c4cc124703cb5442832 ]
The "psample" generic netlink family notifies sampled packets over the
"packets" multicast group. This is problematic since by default generic
netlink allows non-root users to listen to these notifications.
Fix by marking the group with the 'GENL_UNS_ADMIN_PERM' flag. This will
prevent non-root users or root without the 'CAP_NET_ADMIN' capability
(in the user namespace owning the network namespace) from joining the
group.
Tested using [1].
Before:
# capsh -- -c ./psample_repo
# capsh --drop=cap_net_admin -- -c ./psample_repo
After:
# capsh -- -c ./psample_repo
# capsh --drop=cap_net_admin -- -c ./psample_repo
Failed to join "packets" multicast group
[1]
$ cat psample.c
#include <stdio.h>
#include <netlink/genl/ctrl.h>
#include <netlink/genl/genl.h>
#include <netlink/socket.h>

int join_grp(struct nl_sock *sk, const char *grp_name)
{
	int grp, err;

	grp = genl_ctrl_resolve_grp(sk, "psample", grp_name);
	if (grp < 0) {
		fprintf(stderr, "Failed to resolve \"%s\" multicast group\n",
			grp_name);
		return grp;
	}

	err = nl_socket_add_memberships(sk, grp, NFNLGRP_NONE);
	if (err) {
		fprintf(stderr, "Failed to join \"%s\" multicast group\n",
			grp_name);
		return err;
	}

	return 0;
}

int main(int argc, char **argv)
{
	struct nl_sock *sk;
	int err;

	sk = nl_socket_alloc();
	if (!sk) {
		fprintf(stderr, "Failed to allocate socket\n");
		return -1;
	}

	err = genl_connect(sk);
	if (err) {
		fprintf(stderr, "Failed to connect socket\n");
		return err;
	}

	err = join_grp(sk, "config");
	if (err)
		return err;

	err = join_grp(sk, "packets");
	if (err)
		return err;

	return 0;
}
$ gcc -I/usr/include/libnl3 -lnl-3 -lnl-genl-3 -o psample_repo psample.c
Fixes:
|
||
John Fastabend
|
af39b80173 |
bpf: sockmap, updating the sg structure should also update curr
[ Upstream commit bb9aefde5bbaf6c168c77ba635c155b4980c2287 ]
Curr pointer should be updated when the sg structure is shifted.
Fixes:
|
||
Eric Dumazet
|
008b807fe4 |
tcp: do not accept ACK of bytes we never sent
[ Upstream commit 3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27 ]
This patch is based on a detailed report and ideas from Yepeng Pan
and Christian Rossow.
ACK seq validation is currently following RFC 5961 5.2 guidelines:
The ACK value is considered acceptable only if
it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
SND.NXT). All incoming segments whose ACK value doesn't satisfy the
above condition MUST be discarded and an ACK sent back. It needs to
be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a
duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK
acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an
ACK, drop the segment, and return". The "ignored" above implies that
the processing of the incoming data segment continues, which means
the ACK value is treated as acceptable. This mitigation makes the
ACK check more stringent since any ACK < SND.UNA wouldn't be
accepted, instead only ACKs that are in the range ((SND.UNA -
MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.
This can be refined for new (and possibly spoofed) flows,
by not accepting ACK for bytes that were never sent.
This greatly improves TCP security at a little cost.
I added a Fixes: tag to make sure this patch will reach stable trees,
even if the 'blamed' patch was adhering to the RFC.
tp->bytes_acked was added in linux-4.2
Following packetdrill test (courtesy of Yepeng Pan) shows
the issue at hand:
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1024) = 0
// ---------------- Handshake ------------------- //
// when window scale is set to 14 the window size can be extended to
// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet
// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)
// ,though this ack number acknowledges some data never
// sent by the server.
+0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14>
+0 > S. 0:0(0) ack 1 <...>
+0 < . 1:1(0) ack 1 win 65535
+0 accept(3, ..., ...) = 4
// For the established connection, we send an ACK packet,
// the ack packet uses ack number 1 - 1073725300 + 2^32,
// where 2^32 is used to wrap around.
// Note: we used 1073725300 instead of 1073725440 to avoid possible
// edge cases.
// 1 - 1073725300 + 2^32 = 3221241997
// Oops, old kernels happily accept this packet.
+0 < . 1:1001(1000) ack 3221241997 win 65535
// After the kernel fix the following will be replaced by a challenge ACK,
// and prior malicious frame would be dropped.
+0 > . 1:1(0) ack 1001
Fixes:
|
||
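The ACK acceptability check described in the "tcp: do not accept ACK of bytes we never sent" message above, as an added user-space model (not code from the kernel or from the patch). It compares the RFC 5961 5.2 window test with a variant whose lookback is capped by the bytes acknowledged so far; the struct, function names, the way the cap is computed, and the sample values are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Wrap-safe comparison: true when a precedes b modulo 2^32. */
static int seq_before(uint32_t a, uint32_t b)
{
	return (int32_t)(a - b) < 0;
}

enum ack_verdict {
	ACK_OK,              /* SND.UNA <= SEG.ACK <= SND.NXT */
	ACK_OLD_ACCEPTED,    /* below SND.UNA but inside the lookback window */
	ACK_DISCARD_AND_ACK  /* outside the acceptable range */
};

/* Hypothetical per-connection state; field names are this sketch's own. */
struct conn {
	uint32_t snd_una;     /* oldest unacknowledged sequence number */
	uint32_t snd_nxt;     /* next sequence number to be sent */
	uint32_t max_window;  /* largest scaled window the peer advertised */
	uint64_t bytes_acked; /* bytes the peer has acknowledged so far */
};

static enum ack_verdict classify(const struct conn *c, uint32_t seg_ack,
				 uint32_t lookback)
{
	/* SEG.ACK > SND.NXT: acknowledges data that was not sent yet. */
	if (seq_before(c->snd_nxt, seg_ack))
		return ACK_DISCARD_AND_ACK;

	if (seq_before(seg_ack, c->snd_una)) {
		/* SEG.ACK < SND.UNA - lookback: too old to be plausible. */
		if (seq_before(seg_ack, c->snd_una - lookback))
			return ACK_DISCARD_AND_ACK;
		return ACK_OLD_ACCEPTED;
	}
	return ACK_OK;
}

/* RFC 5961 5.2: (SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT. */
enum ack_verdict check_ack_rfc5961(const struct conn *c, uint32_t seg_ack)
{
	return classify(c, seg_ack, c->max_window);
}

/*
 * Refinement (assumed form): never look back further than the number of
 * bytes that were actually sent and acknowledged on this connection.
 */
enum ack_verdict check_ack_bounded(const struct conn *c, uint32_t seg_ack)
{
	uint32_t lookback = c->max_window;

	if (c->bytes_acked < lookback)
		lookback = (uint32_t)c->bytes_acked;
	return classify(c, seg_ack, lookback);
}

int main(void)
{
	/*
	 * Constructed from the packetdrill test in the message: relative
	 * sequence numbers, window 65535 with wscale 14, no payload sent yet.
	 */
	struct conn fresh = { 1, 1, 65535u << 14, 0 };
	uint32_t stale_ack = 3221241997u; /* 1 - 1073725300 + 2^32 */

	printf("rfc5961: %d\n", check_ack_rfc5961(&fresh, stale_ack));
	printf("bounded: %d\n", check_ack_bounded(&fresh, stale_ack));
	return 0;
}
```
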
Phil Sutter
|
7a63521ed0 |
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
[ Upstream commit 7ae836a3d630e146b732fe8ef7d86b243748751f ]
A concurrently running sock_orphan() may NULL the sk_socket pointer in
between check and deref. Follow other users (like nft_meta.c for
instance) and acquire sk_callback_lock before dereferencing sk_socket.
Fixes:
|