lineage-22.1
73174 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Greg Kroah-Hartman
|
7b70acfd8e |
Revert "udp: move udp->gro_enabled to udp->udp_flags"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
583a8f8204 |
Revert "udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
cdf5cfe6d1 |
Revert "udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
f9f95b82b2 |
Revert "udp: annotate data-races around udp->encap_type"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
acd1add3c8 |
Revert "bpf, sockmap: af_unix stream sockets need to hold ref for pair sock"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
e1b12db2de |
Merge 6.1.72 into android14-6.1-lts
Changes in 6.1.72
keys, dns: Fix missing size check of V1 server-list header
block: Don't invalidate pagecache for invalid falloc modes
ALSA: hda/realtek: enable SND_PCI_QUIRK for hp pavilion 14-ec1xxx series
ALSA: hda/realtek: fix mute/micmute LEDs for a HP ZBook
ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP ProBook 440 G6
mptcp: prevent tcp diag from closing listener subflows
Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()"
drm/mgag200: Fix gamma lut not initialized for G200ER, G200EV, G200SE
cifs: cifs_chan_is_iface_active should be called with chan_lock held
cifs: do not depend on release_iface for maintaining iface_list
KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL
wifi: iwlwifi: pcie: don't synchronize IRQs from IRQ
drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer
netfilter: use skb_ip_totlen and iph_totlen
netfilter: nf_tables: set transport offset from mac header for netdev/egress
nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local
octeontx2-af: Fix marking couple of structure as __packed
drm/i915/dp: Fix passing the correct DPCD_REV for drm_dp_set_phy_test_pattern
ice: Fix link_down_on_close message
ice: Shut down VSI with "link-down-on-close" enabled
i40e: Fix filter input checks to prevent config with invalid values
igc: Report VLAN EtherType matching back to user
igc: Check VLAN TCI mask
igc: Check VLAN EtherType mask
ASoC: fsl_rpmsg: Fix error handler with pm_runtime_enable
ASoC: mediatek: mt8186: fix AUD_PAD_TOP register and offset
mlxbf_gige: fix receive packet race condition
net: sched: em_text: fix possible memory leak in em_text_destroy()
r8169: Fix PCI error on system resume
can: raw: add support for SO_MARK
net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps
net: annotate data-races around sk->sk_tsflags
net: annotate data-races around sk->sk_bind_phc
net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)
selftests: bonding: do not set port down when adding to bond
ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init
sfc: fix a double-free bug in efx_probe_filters
net: bcmgenet: Fix FCS generation for fragmented skbuffs
netfilter: nft_immediate: drop chain reference counter on error
net: Save and restore msg_namelen in sock_sendmsg
i40e: fix use-after-free in i40e_aqc_add_filters()
ASoC: meson: g12a-toacodec: Validate written enum values
ASoC: meson: g12a-tohdmitx: Validate written enum values
ASoC: meson: g12a-toacodec: Fix event generation
ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux
i40e: Restore VF MSI-X state during PCI reset
igc: Fix hicredit calculation
net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues
net/smc: fix invalid link access in dumping SMC-R connections
octeontx2-af: Always configure NIX TX link credits based on max frame size
octeontx2-af: Re-enable MAC TX in otx2_stop processing
asix: Add check for usbnet_get_endpoints
net: ravb: Wait for operating mode to be applied
bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters()
net: Implement missing SO_TIMESTAMPING_NEW cmsg support
selftests: secretmem: floor the memory size to the multiple of page_size
cpu/SMT: Create topology_smt_thread_allowed()
cpu/SMT: Make SMT control more robust against enumeration failures
srcu: Fix callbacks acceleration mishandling
bpf, x64: Fix tailcall infinite loop
bpf, x86: Simplify the parsing logic of structure parameters
bpf, x86: save/restore regs with BPF_DW size
net: Declare MSG_SPLICE_PAGES internal sendmsg() flag
udp: Convert udp_sendpage() to use MSG_SPLICE_PAGES
splice, net: Add a splice_eof op to file-ops and socket-ops
ipv4, ipv6: Use splice_eof() to flush
udp: introduce udp->udp_flags
udp: move udp->no_check6_tx to udp->udp_flags
udp: move udp->no_check6_rx to udp->udp_flags
udp: move udp->gro_enabled to udp->udp_flags
udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags
udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO
udp: annotate data-races around udp->encap_type
wifi: iwlwifi: yoyo: swap cdb and jacket bits values
arm64: dts: qcom: sdm845: align RPMh regulator nodes with bindings
arm64: dts: qcom: sdm845: Fix PSCI power domain names
fbdev: imsttfb: Release framebuffer and dealloc cmap on error path
fbdev: imsttfb: fix double free in probe()
bpf: decouple prune and jump points
bpf: remove unnecessary prune and jump points
bpf: Remove unused insn_cnt argument from visit_[func_call_]insn()
bpf: clean up visit_insn()'s instruction processing
bpf: Support new 32bit offset jmp instruction
bpf: handle ldimm64 properly in check_cfg()
bpf: fix precision backtracking instruction iteration
blk-mq: make sure active queue usage is held for bio_integrity_prep()
net/mlx5: Increase size of irq name buffer
s390/mm: add missing arch_set_page_dat() call to vmem_crst_alloc()
s390/cpumf: support user space events for counting
f2fs: clean up i_compress_flag and i_compress_level usage
f2fs: convert to use bitmap API
f2fs: assign default compression level
f2fs: set the default compress_level on ioctl
selftests: mptcp: fix fastclose with csum failure
selftests: mptcp: set FAILING_LINKS in run_tests
media: camss: sm8250: Virtual channels for CSID
media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater than 3
ext4: convert move_extent_per_page() to use folios
khugepage: replace try_to_release_page() with filemap_release_folio()
memory-failure: convert truncate_error_page() to use folio
mm: merge folio_has_private()/filemap_release_folio() call pairs
mm, netfs, fscache: stop read optimisation when folio removed from pagecache
filemap: add a per-mapping stable writes flag
block: update the stable_writes flag in bdev_add
smb: client: fix missing mode bits for SMB symlinks
net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats
dpaa2-eth: recycle the RX buffer only after all processing done
ethtool: don't propagate EOPNOTSUPP from dumps
bpf, sockmap: af_unix stream sockets need to hold ref for pair sock
firmware: arm_scmi: Fix frequency truncation by promoting multiplier type
ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7
genirq/affinity: Remove the 'firstvec' parameter from irq_build_affinity_masks
genirq/affinity: Pass affinity managed mask array to irq_build_affinity_masks
genirq/affinity: Don't pass irq_affinity_desc array to irq_build_affinity_masks
genirq/affinity: Rename irq_build_affinity_masks as group_cpus_evenly
genirq/affinity: Move group_cpus_evenly() into lib/
lib/group_cpus.c: avoid acquiring cpu hotplug lock in group_cpus_evenly
mm/memory_hotplug: add missing mem_hotplug_lock
mm/memory_hotplug: fix error handling in add_memory_resource()
net: sched: call tcf_ct_params_free to free params in tcf_ct_init
netfilter: flowtable: allow unidirectional rules
netfilter: flowtable: cache info of last offload
net/sched: act_ct: offload UDP NEW connections
net/sched: act_ct: Fix promotion of offloaded unreplied tuple
netfilter: flowtable: GC pushes back packets to classic path
net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table
octeontx2-af: Fix pause frame configuration
octeontx2-af: Support variable number of lmacs
btrfs: fix qgroup_free_reserved_data int overflow
btrfs: mark the len field in struct btrfs_ordered_sum as unsigned
ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg()
firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards
x86/kprobes: fix incorrect return address calculation in kprobe_emulate_call_indirect
i2c: core: Fix atomic xfer check for non-preempt config
mm: fix unmap_mapping_range high bits shift bug
drm/amdgpu: skip gpu_info fw loading on navi12
drm/amd/display: add nv12 bounding box
mmc: meson-mx-sdhc: Fix initialization frozen issue
mmc: rpmb: fixes pause retune on all RPMB partitions.
mmc: core: Cancel delayed work before releasing host
mmc: sdhci-sprd: Fix eMMC init failure after hw reset
genirq/affinity: Only build SMP-only helper functions on SMP kernels
f2fs: compress: fix to assign compress_level for lz4 correctly
net/sched: act_ct: additional checks for outdated flows
net/sched: act_ct: Always fill offloading tuple iifidx
bpf: Fix a verifier bug due to incorrect branch offset comparison with cpu=v4
bpf: syzkaller found null ptr deref in unix_bpf proto add
media: qcom: camss: Comment CSID dt_id field
smb3: Replace smb2pdu 1-element arrays with flex-arrays
Revert "interconnect: qcom: sm8250: Enable sync_state"
Linux 6.1.72
Change-Id: Id00eb2ae1159d4d5fa0ef914e672c5669cbf5b0a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
1e63881f5c |
This is the 6.1.70 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmWSsnYACgkQONu9yGCS aT7ZRw//bmrTWoNbFf/qdM11oPF9EHus9FUgSlP5yvNaa6jcPfwGx71NPXUkz+wU xKobh1VwK7TJxq4JHFQeMmupW/8++NeWNygwtYsllwnsMGzHL+mz2Txysrr/mhMx WUs6UVYXRxnuQJJDSqtTvMoyllpAJ1QQxJNuhKKOI1i+0DIu9YjQklD/4eW3cebv 8B9f3CeOyP/oL5Z0MqFTP8OnWx6X3jTbO4caor+qsyR+frgpXgBppTF76RHcd8lX MLVlx7aqr4wcml/uUMsolw8Zjbb719mX+KW3LHltl8wHftZeinYUsu1afnlb5dG1 rAaVgut0PmjTAQ/KwIp54CGO2MADwApMCUXIm0yyKSpNfw+HKR10bpz64HOFp9KQ 368YpjDJ3onkQdrLjV57w37YBRLyWxipeBya2+S4rdyPSfuvPkPCRNVkEDnHVAnH jxEhuoMZ2f/CIA8BT32y4DYDvEaIdfp7jVvEDFREDyIVXRMBhIneMhhyjU+Oe7Rw 1q/sfEJejXFa5VvC+Jl+K5LouP59M5MTq3RkCoYxZKz+bdfpOLEJ6AZJoZHcS02J QlM/pL213nC1ye3tuWFu3tNPzPS/G6LNQfGgSsBUzRn9IX2osn/epNFnCHBIFqlK apjrXObrmqKE6jNvy6ktHUDpnEXPZFpvirSXRN2Lk9SYh76bFP0= =d63o -----END PGP SIGNATURE----- Merge 6.1.70 into android14-6.1-lts Changes in 6.1.70 kasan: disable kasan_non_canonical_hook() for HW tags bpf: Fix prog_array_map_poke_run map poke update HID: i2c-hid: acpi: Unify ACPI ID tables format HID: i2c-hid: Add IDEA5002 to i2c_hid_acpi_blacklist[] drm/amd/display: fix hw rotated modes when PSR-SU is enabled ARM: dts: dra7: Fix DRA7 L3 NoC node register size ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init reset: Fix crash when freeing non-existent optional resets s390/vx: fix save/restore of fpu kernel context wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock wifi: mac80211: check if the existing link config remains unchanged wifi: mac80211: mesh: check element parsing succeeded wifi: mac80211: mesh_plink: fix matches_local logic Revert "net/mlx5e: fix double free of encap_header in update funcs" Revert "net/mlx5e: fix double free of encap_header" net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() net/mlx5: Introduce and use opcode getter in command interface net/mlx5: Prevent high-rate FW commands from populating all slots net/mlx5: Re-organize mlx5_cmd struct net/mlx5e: Fix a race in command alloc flow net/mlx5e: fix a potential double-free in fs_udp_create_groups net/mlx5: Fix fw tracer first block check net/mlx5e: Correct snprintf truncation handling for fw_version buffer net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and above octeontx2-pf: Fix graceful exit during PFC configuration failure net: Return error from sk_stream_wait_connect() if sk_wait_event() fails net: sched: ife: fix potential use-after-free ethernet: atheros: fix a memleak in atl1e_setup_ring_resources net/rose: fix races in rose_kill_by_device() Bluetooth: Fix deadlock in vhci_send_frame Bluetooth: hci_event: shut up a false-positive warning net: mana: select PAGE_POOL net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() afs: Fix the dynamic root's d_delete to always delete unused dentries afs: Fix dynamic root lookup DNS check net: check dev->gso_max_size in gso_features_check() keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry afs: Fix overwriting of result of DNS query afs: Fix use-after-free due to get/remove race in volume tree ASoC: hdmi-codec: fix missing report for jack initial status ASoC: fsl_sai: Fix channel swap issue on i.MX8MP i2c: aspeed: Handle the coalesced stop conditions with the start conditions. x86/xen: add CPU dependencies for 32-bit build pinctrl: at91-pio4: use dedicated lock class for IRQ gpiolib: cdev: add gpio_device locking wrapper around gpio_ioctl() nvme-pci: fix sleeping function called from interrupt context drm/i915/mtl: limit second scaler vertical scaling in ver >= 14 drm/i915: Relocate intel_atomic_setup_scalers() drm/i915: Fix intel_atomic_setup_scalers() plane_state handling drm/i915/dpt: Only do the POT stride remap when using DPT drm/i915/mtl: Add MTL for remapping CCS FBs drm/i915: Fix ADL+ tiled plane stride when the POT stride is smaller than the original interconnect: Treat xlate() returning NULL node as an error iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw interconnect: qcom: sm8250: Enable sync_state Input: ipaq-micro-keys - add error handling for devm_kmemdup scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma() iio: triggered-buffer: prevent possible freeing of wrong buffer ALSA: usb-audio: Increase delay in MOTU M quirk usb-storage: Add quirk for incorrect WP on Kingston DT Ultimate 3.0 G3 wifi: cfg80211: Add my certificate wifi: cfg80211: fix certs build to not depend on file order USB: serial: ftdi_sio: update Actisense PIDs constant names USB: serial: option: add Quectel EG912Y module support USB: serial: option: add Foxconn T99W265 with new baseline USB: serial: option: add Quectel RM500Q R13 firmware support ALSA: hda/realtek: Add quirk for ASUS ROG GV302XA Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg Bluetooth: L2CAP: Send reject on command corrupted request Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE Bluetooth: Add more enc key size check net: usb: ax88179_178a: avoid failed operations when device is disconnected Input: soc_button_array - add mapping for airplane mode button net: 9p: avoid freeing uninit memory in p9pdu_vreadf net: rfkill: gpio: set GPIO direction net: ks8851: Fix TX stall caused by TX buffer overrun dt-bindings: nvmem: mxs-ocotp: Document fsl,ocotp smb: client: fix OOB in cifsd when receiving compounded resps smb: client: fix potential OOB in cifs_dump_detail() smb: client: fix OOB in SMB2_query_info_init() smb: client: fix OOB in smbCalcSize() drm/i915: Reject async flips with bigjoiner 9p: prevent read overrun in protocol dump tracepoint RISC-V: Fix do_notify_resume / do_work_pending prototype loop: do not enforce max_loop hard limit by (new) default dm thin metadata: Fix ABBA deadlock by resetting dm_bufio_client Revert "drm/amd/display: Do not set DRR on pipe commit" btrfs: zoned: no longer count fresh BG region as zone unusable ubifs: fix possible dereference after free ublk: move ublk_cancel_dev() out of ub->mutex selftests: mptcp: join: fix subflow_send_ack lookup Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity" scsi: core: Always send batch on reset or error handling command tracing / synthetic: Disable events after testing in synth_event_gen_test_init() dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata() pinctrl: starfive: jh7100: ignore disabled device tree nodes bus: ti-sysc: Flush posted write only after srst_udelay gpio: dwapb: mask/unmask IRQ when disable/enale it lib/vsprintf: Fix %pfwf when current node refcount == 0 thunderbolt: Fix memory leak in margining_port_remove() KVM: arm64: vgic: Simplify kvm_vgic_destroy() KVM: arm64: vgic: Add a non-locking primitive for kvm_vgic_vcpu_destroy() KVM: arm64: vgic: Force vcpu vgic teardown on vcpu destroy x86/alternatives: Sync core before enabling interrupts mm/damon/core: make damon_start() waits until kdamond_fn() starts fuse: share lookup state between submount and its parent wifi: cfg80211: fix CQM for non-range use wifi: nl80211: fix deadlock in nl80211_set_cqm_rssi (6.6.x) loop: deprecate autoloading callback loop_probe() Linux 6.1.70 Change-Id: I72bfbd39ae932d290b13d6fdde8e6684a84ec9e1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
d3d46ac25c |
Merge 6.1.69 into android14-6.1-lts
Changes in 6.1.69 perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table r8152: add USB device driver for config selection r8152: add vendor/device ID pair for D-Link DUB-E250 r8152: add vendor/device ID pair for ASUS USB-C2500 powerpc/ftrace: Fix stack teardown in ftrace_no_trace ext4: fix warning in ext4_dio_write_end_io() ksmbd: fix memory leak in smb2_lock() afs: Fix refcount underflow from error handling race HID: lenovo: Restrict detection of patched firmware only to USB cptkbd net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX qca_debug: Prevent crash on TX ring changes qca_debug: Fix ethtool -G iface tx behavior qca_spi: Fix reset behavior bnxt_en: Clear resource reservation during resume bnxt_en: Save ring error counters across reset bnxt_en: Fix wrong return value check in bnxt_close_nic() bnxt_en: Fix HWTSTAMP_FILTER_ALL packet timestamp logic atm: solos-pci: Fix potential deadlock on &cli_queue_lock atm: solos-pci: Fix potential deadlock on &tx_queue_lock net: vlan: introduce skb_vlan_eth_hdr() net: fec: correct queue selection octeontx2-af: fix a use-after-free in rvu_nix_register_reporters octeontx2-pf: Fix promisc mcam entry action octeontx2-af: Update RSS algorithm index atm: Fix Use-After-Free in do_vcc_ioctl net/rose: Fix Use-After-Free in rose_ioctl iavf: Introduce new state machines for flow director iavf: Handle ntuple on/off based on new state machines for flow director qed: Fix a potential use-after-free in qed_cxt_tables_alloc net: Remove acked SYN flag from packet in the transmit queue correctly net: ena: Destroy correct number of xdp queues upon failure net: ena: Fix xdp drops handling due to multibuf packets net: ena: Fix XDP redirection error stmmac: dwmac-loongson: Make sure MDIO is initialized before use sign-file: Fix incorrect return values check vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() dpaa2-switch: fix size of the dma_unmap dpaa2-switch: do not ask for MDB, VLAN and FDB replay net: stmmac: Handle disabled MDIO busses from devicetree appletalk: Fix Use-After-Free in atalk_ioctl net: atlantic: fix double free in ring reinit logic cred: switch to using atomic_long_t fuse: dax: set fc->dax to NULL in fuse_dax_conn_free() ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants ALSA: hda/realtek: Apply mute LED quirk for HP15-db Revert "PCI: acpiphp: Reassign resources on bridge if necessary" PCI: loongson: Limit MRRS to 256 ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE drm/mediatek: Add spinlock for setting vblank event in atomic_begin x86/hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM usb: aqc111: check packet for fixup for true limit stmmac: dwmac-loongson: Add architecture dependency blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!" blk-cgroup: bypass blkcg_deactivate_policy after destroying bcache: avoid oversize memory allocation by small stripe_size bcache: remove redundant assignment to variable cur_idx bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() bcache: avoid NULL checking to c->root in run_cache_set() nbd: fold nbd config initialization into nbd_alloc_config() nvme-auth: set explanation code for failure2 msgs nvme: catch errors from nvme_configure_metadata() selftests/bpf: fix bpf_loop_bench for new callback verification scheme LoongArch: Add dependency between vmlinuz.efi and vmlinux.efi LoongArch: Implement constant timer shutdown interface platform/x86: intel_telemetry: Fix kernel doc descriptions HID: glorious: fix Glorious Model I HID report HID: add ALWAYS_POLL quirk for Apple kb nbd: pass nbd_sock to nbd_read_reply() instead of index HID: hid-asus: reset the backlight brightness level on resume HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation net: usb: qmi_wwan: claim interface 4 for ZTE MF290 arm64: add dependency between vmlinuz.efi and Image HID: hid-asus: add const to read-only outgoing usb buffer perf: Fix perf_event_validate_size() lockdep splat btrfs: do not allow non subvolume root targets for snapshot soundwire: stream: fix NULL pointer dereference for multi_link ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify team: Fix use-after-free when an option instance allocation fails drm/amdgpu/sdma5.2: add begin/end_use ring callbacks dmaengine: stm32-dma: avoid bitfield overflow assertion mm/mglru: fix underprotected page cache mm/shmem: fix race in shmem_undo_range w/THP btrfs: free qgroup reserve when ORDERED_IOERR is set btrfs: don't clear qgroup reserved bit in release_folio drm/amdgpu: fix tear down order in amdgpu_vm_pt_free drm/amd/display: Disable PSR-SU on Parade 0803 TCON again drm/i915: Fix remapped stride with CCS on ADL+ smb: client: fix OOB in receive_encrypted_standard() smb: client: fix NULL deref in asn1_ber_decoder() smb: client: fix OOB in smb2_query_reparse_point() ring-buffer: Fix memory leak of free page tracing: Update snapshot buffer on resize if it is allocated ring-buffer: Do not update before stamp when switching sub-buffers ring-buffer: Have saved event hold the entire event ring-buffer: Fix writing to the buffer with max_data_size ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs ring-buffer: Do not try to put back write_stamp ring-buffer: Have rb_time_cmpxchg() set the msb counter too net: tls, update curr on splice as well r8152: avoid to change cfg for all devices r8152: remove rtl_vendor_mode function r8152: fix the autosuspend doesn't work Linux 6.1.69 Change-Id: I695d1d50ca8c00ff505505918bdc59ce9d29d479 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
bb47960a9d |
Merge branch 'android14-6.1' into branch 'android14-6.1-lts'
This merges all of the latest changes in 'android14-6.1' into 'android14-6.1-lts' to get it to pass TH again due to new symbols being added. Included in here are the following commits: * |
||
Vinayak Yadawad
|
800cac4b33 |
FROMGIT: wifi: nl80211: Extend del pmksa support for SAE and OWE security
Current handling of del pmksa with SSID is limited to FILS security. In the current change the del pmksa support is extended to SAE/OWE security offloads as well. For OWE/SAE offloads, the PMK is generated and cached at driver/FW, so user app needs the capability to request cache deletion based on SSID for drivers supporting SAE/OWE offload. Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com> Link: https://msgid.link/ecdae726459e0944c377a6a6f6cb2c34d2e057d0.1701262123.git.vinayak.yadawad@broadcom.com [drop whitespace-damaged rdev_ops pointer completely, enabling tracing] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Bug: 301410304 (cherry picked from commit aa0887c4f18e280f8c2aa6964af602bd16c37f54 https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main) Change-Id: Ia665b9760279eb77347e79c97d177cba3beaa107 Signed-off-by: Paul Chen <chenpaul@google.com> |
||
John Fastabend
|
a5c3f2b4ce |
bpf: syzkaller found null ptr deref in unix_bpf proto add
commit 8d6650646ce49e9a5b8c5c23eb94f74b1749f70f upstream.
I added logic to track the sock pair for stream_unix sockets so that we
ensure lifetime of the sock matches the time a sockmap could reference
the sock (see fixes tag). I forgot though that we allow af_unix unconnected
sockets into a sock{map|hash} map.
This is problematic because previous fixed expected sk_pair() to exist
and did not NULL check it. Because unconnected sockets have a NULL
sk_pair this resulted in the NULL ptr dereference found by syzkaller.
BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
Call Trace:
<TASK>
...
sock_hold include/net/sock.h:777 [inline]
unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
sock_map_init_proto net/core/sock_map.c:190 [inline]
sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
We considered just checking for the null ptr and skipping taking a ref
on the NULL peer sock. But, if the socket is then connected() after
being added to the sockmap we can cause the original issue again. So
instead this patch blocks adding af_unix sockets that are not in the
ESTABLISHED state.
Reported-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+e8030702aefd3444fb9e@syzkaller.appspotmail.com
Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock")
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/20231201180139.328529-2-john.fastabend@gmail.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Vlad Buslov
|
7cbdf36eab |
net/sched: act_ct: Always fill offloading tuple iifidx
commit 9bc64bd0cd765f696fcd40fc98909b1f7c73b2ba upstream.
Referenced commit doesn't always set iifidx when offloading the flow to
hardware. Fix the following cases:
- nf_conn_act_ct_ext_fill() is called before extension is created with
nf_conn_act_ct_ext_add() in tcf_ct_act(). This can cause rule offload with
unspecified iifidx when connection is offloaded after only single
original-direction packet has been processed by tc data path. Always fill
the new nf_conn_act_ct_ext instance after creating it in
nf_conn_act_ct_ext_add().
- Offloading of unidirectional UDP NEW connections is now supported, but ct
flow iifidx field is not updated when connection is promoted to
bidirectional which can result reply-direction iifidx to be zero when
refreshing the connection. Fill in the extension and update flow iifidx
before calling flow_offload_refresh().
Fixes:
|
||
|
Vlad Buslov
|
2be4e8ac2d |
net/sched: act_ct: additional checks for outdated flows
commit a63b6622120cd03a304796dbccb80655b3a21798 upstream.
Current nf_flow_is_outdated() implementation considers any flow table flow
which state diverged from its underlying CT connection status for teardown
which can be problematic in the following cases:
- Flow has never been offloaded to hardware in the first place either
because flow table has hardware offload disabled (flag
NF_FLOWTABLE_HW_OFFLOAD is not set) or because it is still pending on 'add'
workqueue to be offloaded for the first time. The former is incorrect, the
later generates excessive deletions and additions of flows.
- Flow is already pending to be updated on the workqueue. Tearing down such
flows will also generate excessive removals from the flow table, especially
on highly loaded system where the latency to re-offload a flow via 'add'
workqueue can be quite high.
When considering a flow for teardown as outdated verify that it is both
offloaded to hardware and doesn't have any pending updates.
Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple")
Reviewed-by: Paul Blakey <paulb@nvidia.com>
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Vlad Buslov
|
a29b15cc68 |
net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table
[ Upstream commit 125f1c7f26ffcdbf96177abe75b70c1a6ceb17bc ]
The referenced change added custom cleanup code to act_ct to delete any
callbacks registered on the parent block when deleting the
tcf_ct_flow_table instance. However, the underlying issue is that the
drivers don't obtain the reference to the tcf_ct_flow_table instance when
registering callbacks which means that not only driver callbacks may still
be on the table when deleting it but also that the driver can still have
pointers to its internal nf_flowtable and can use it concurrently which
results either warning in netfilter[0] or use-after-free.
Fix the issue by taking a reference to the underlying struct
tcf_ct_flow_table instance when registering the callback and release the
reference when unregistering. Expose new API required for such reference
counting by adding two new callbacks to nf_flowtable_type and implementing
them for act_ct flowtable_ct type. This fixes the issue by extending the
lifetime of nf_flowtable until all users have unregistered.
[0]:
[106170.938634] ------------[ cut here ]------------
[106170.939111] WARNING: CPU: 21 PID: 3688 at include/net/netfilter/nf_flow_table.h:262 mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.940108] Modules linked in: act_ct nf_flow_table act_mirred act_skbedit act_tunnel_key vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa bonding openvswitch nsh rpcrdma rdma_ucm
ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_regis
try overlay mlx5_core
[106170.943496] CPU: 21 PID: 3688 Comm: kworker/u48:0 Not tainted 6.6.0-rc7_for_upstream_min_debug_2023_11_01_13_02 #1
[106170.944361] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[106170.945292] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]
[106170.945846] RIP: 0010:mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.946413] Code: 89 ef 48 83 05 71 a4 14 00 01 e8 f4 06 04 e1 48 83 05 6c a4 14 00 01 48 83 c4 28 5b 5d 41 5c 41 5d c3 48 83 05 d1 8b 14 00 01 <0f> 0b 48 83 05 d7 8b 14 00 01 e9 96 fe ff ff 48 83 05 a2 90 14 00
[106170.947924] RSP: 0018:ffff88813ff0fcb8 EFLAGS: 00010202
[106170.948397] RAX: 0000000000000000 RBX: ffff88811eabac40 RCX: ffff88811eabad48
[106170.949040] RDX: ffff88811eab8000 RSI: ffffffffa02cd560 RDI: 0000000000000000
[106170.949679] RBP: ffff88811eab8000 R08: 0000000000000001 R09: ffffffffa0229700
[106170.950317] R10: ffff888103538fc0 R11: 0000000000000001 R12: ffff88811eabad58
[106170.950969] R13: ffff888110c01c00 R14: ffff888106b40000 R15: 0000000000000000
[106170.951616] FS: 0000000000000000(0000) GS:ffff88885fd40000(0000) knlGS:0000000000000000
[106170.952329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[106170.952834] CR2: 00007f1cefd28cb0 CR3: 000000012181b006 CR4: 0000000000370ea0
[106170.953482] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[106170.954121] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[106170.954766] Call Trace:
[106170.955057] <TASK>
[106170.955315] ? __warn+0x79/0x120
[106170.955648] ? mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.956172] ? report_bug+0x17c/0x190
[106170.956537] ? handle_bug+0x3c/0x60
[106170.956891] ? exc_invalid_op+0x14/0x70
[106170.957264] ? asm_exc_invalid_op+0x16/0x20
[106170.957666] ? mlx5_del_flow_rules+0x10/0x310 [mlx5_core]
[106170.958172] ? mlx5_tc_ct_block_flow_offload_add+0x1240/0x1240 [mlx5_core]
[106170.958788] ? mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.959339] ? mlx5_tc_ct_del_ft_cb+0xc6/0x2b0 [mlx5_core]
[106170.959854] ? mapping_remove+0x154/0x1d0 [mlx5_core]
[106170.960342] ? mlx5e_tc_action_miss_mapping_put+0x4f/0x80 [mlx5_core]
[106170.960927] mlx5_tc_ct_delete_flow+0x76/0xc0 [mlx5_core]
[106170.961441] mlx5_free_flow_attr_actions+0x13b/0x220 [mlx5_core]
[106170.962001] mlx5e_tc_del_fdb_flow+0x22c/0x3b0 [mlx5_core]
[106170.962524] mlx5e_tc_del_flow+0x95/0x3c0 [mlx5_core]
[106170.963034] mlx5e_flow_put+0x73/0xe0 [mlx5_core]
[106170.963506] mlx5e_put_flow_list+0x38/0x70 [mlx5_core]
[106170.964002] mlx5e_rep_update_flows+0xec/0x290 [mlx5_core]
[106170.964525] mlx5e_rep_neigh_update+0x1da/0x310 [mlx5_core]
[106170.965056] process_one_work+0x13a/0x2c0
[106170.965443] worker_thread+0x2e5/0x3f0
[106170.965808] ? rescuer_thread+0x410/0x410
[106170.966192] kthread+0xc6/0xf0
[106170.966515] ? kthread_complete_and_exit+0x20/0x20
[106170.966970] ret_from_fork+0x2d/0x50
[106170.967332] ? kthread_complete_and_exit+0x20/0x20
[106170.967774] ret_from_fork_asm+0x11/0x20
[106170.970466] </TASK>
[106170.970726] ---[ end trace 0000000000000000 ]---
Fixes:
|
||
Pablo Neira Ayuso
|
2bb4ecb334 |
netfilter: flowtable: GC pushes back packets to classic path
[ Upstream commit 735795f68b37e9bb49f642407a0d49b1631ea1c7 ]
Since 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded
unreplied tuple"), flowtable GC pushes back flows with IPS_SEEN_REPLY
back to classic path in every run, ie. every second. This is because of
a new check for NF_FLOW_HW_ESTABLISHED which is specific of sched/act_ct.
In Netfilter's flowtable case, NF_FLOW_HW_ESTABLISHED never gets set on
and IPS_SEEN_REPLY is unreliable since users decide when to offload the
flow before, such bit might be set on at a later stage.
Fix it by adding a custom .gc handler that sched/act_ct can use to
deal with its NF_FLOW_HW_ESTABLISHED bit.
Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple")
Reported-by: Vladimir Smelhaus <vl.sm@email.cz>
Reviewed-by: Paul Blakey <paulb@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Paul Blakey
|
df01de08b4 |
net/sched: act_ct: Fix promotion of offloaded unreplied tuple
[ Upstream commit 41f2c7c342d3adb1c4dd5f2e3dd831adff16a669 ]
Currently UNREPLIED and UNASSURED connections are added to the nf flow
table. This causes the following connection packets to be processed
by the flow table which then skips conntrack_in(), and thus such the
connections will remain UNREPLIED and UNASSURED even if reply traffic
is then seen. Even still, the unoffloaded reply packets are the ones
triggering hardware update from new to established state, and if
there aren't any to triger an update and/or previous update was
missed, hardware can get out of sync with sw and still mark
packets as new.
Fix the above by:
1) Not skipping conntrack_in() for UNASSURED packets, but still
refresh for hardware, as before the cited patch.
2) Try and force a refresh by reply-direction packets that update
the hardware rules from new to established state.
3) Remove any bidirectional flows that didn't failed to update in
hardware for re-insertion as bidrectional once any new packet
arrives.
Fixes: 6a9bad0069cf ("net/sched: act_ct: offload UDP NEW connections")
Co-developed-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Paul Blakey <paulb@nvidia.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/1686313379-117663-1-git-send-email-paulb@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Vlad Buslov
|
87466a3745 |
net/sched: act_ct: offload UDP NEW connections
[ Upstream commit 6a9bad0069cf306f3df6ac53cf02438d4e15f296 ]
Modify the offload algorithm of UDP connections to the following:
- Offload NEW connection as unidirectional.
- When connection state changes to ESTABLISHED also update the hardware
flow. However, in order to prevent act_ct from spamming offload add wq for
every packet coming in reply direction in this state verify whether
connection has already been updated to ESTABLISHED in the drivers. If that
it the case, then skip flow_table and let conntrack handle such packets
which will also allow conntrack to potentially promote the connection to
ASSURED.
- When connection state changes to ASSURED set the flow_table flow
NF_FLOW_HW_BIDIRECTIONAL flag which will cause refresh mechanism to offload
the reply direction.
All other protocols have their offload algorithm preserved and are always
offloaded as bidirectional.
Note that this change tries to minimize the load on flow_table add
workqueue. First, it tracks the last ctinfo that was offloaded by using new
flow 'NF_FLOW_HW_ESTABLISHED' flag and doesn't schedule the refresh for
reply direction packets when the offloads have already been updated with
current ctinfo. Second, when 'add' task executes on workqueue it always
update the offload with current flow state (by checking 'bidirectional'
flow flag and obtaining actual ctinfo/cookie through meta action instead of
caching any of these from the moment of scheduling the 'add' work)
preventing the need from scheduling more updates if state changed
concurrently while the 'add' work was pending on workqueue.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Vlad Buslov
|
8b160f2fba |
netfilter: flowtable: cache info of last offload
[ Upstream commit 1a441a9b8be8849957a01413a144f84932c324cb ]
Modify flow table offload to cache the last ct info status that was passed
to the driver offload callbacks by extending enum nf_flow_flags with new
"NF_FLOW_HW_ESTABLISHED" flag. Set the flag if ctinfo was 'established'
during last act_ct meta actions fill call. This infrastructure change is
necessary to optimize promoting of UDP connections from 'new' to
'established' in following patches in this series.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Vlad Buslov
|
c29a7656f8 |
netfilter: flowtable: allow unidirectional rules
[ Upstream commit 8f84780b84d645d6e35467f4a6f3236b20d7f4b2 ]
Modify flow table offload to support unidirectional connections by
extending enum nf_flow_flags with new "NF_FLOW_HW_BIDIRECTIONAL" flag. Only
offload reply direction when the flag is set. This infrastructure change is
necessary to support offloading UDP NEW connections in original direction
in following patches in series.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Xin Long
|
e681f711e9 |
net: sched: call tcf_ct_params_free to free params in tcf_ct_init
[ Upstream commit 1913894100ca53205f2d56091cb34b8eba1de217 ]
This patch is to make the err path simple by calling tcf_ct_params_free(),
so that it won't cause problems when more members are added into param and
need freeing on the err path.
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 125f1c7f26ff ("net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
John Fastabend
|
90d1f74c3c |
bpf, sockmap: af_unix stream sockets need to hold ref for pair sock
[ Upstream commit 8866730aed5100f06d3d965c22f1c61f74942541 ]
AF_UNIX stream sockets are a paired socket. So sending on one of the pairs
will lookup the paired socket as part of the send operation. It is possible
however to put just one of the pairs in a BPF map. This currently increments
the refcnt on the sock in the sockmap to ensure it is not free'd by the
stack before sockmap cleans up its state and stops any skbs being sent/recv'd
to that socket.
But we missed a case. If the peer socket is closed it will be free'd by the
stack. However, the paired socket can still be referenced from BPF sockmap
side because we hold a reference there. Then if we are sending traffic through
BPF sockmap to that socket it will try to dereference the free'd pair in its
send logic creating a use after free. And following splat:
[59.900375] BUG: KASAN: slab-use-after-free in sk_wake_async+0x31/0x1b0
[59.901211] Read of size 8 at addr ffff88811acbf060 by task kworker/1:2/954
[...]
[59.905468] Call Trace:
[59.905787] <TASK>
[59.906066] dump_stack_lvl+0x130/0x1d0
[59.908877] print_report+0x16f/0x740
[59.910629] kasan_report+0x118/0x160
[59.912576] sk_wake_async+0x31/0x1b0
[59.913554] sock_def_readable+0x156/0x2a0
[59.914060] unix_stream_sendmsg+0x3f9/0x12a0
[59.916398] sock_sendmsg+0x20e/0x250
[59.916854] skb_send_sock+0x236/0xac0
[59.920527] sk_psock_backlog+0x287/0xaa0
To fix let BPF sockmap hold a refcnt on both the socket in the sockmap and its
paired socket. It wasn't obvious how to contain the fix to bpf_unix logic. The
primarily problem with keeping this logic in bpf_unix was: In the sock close()
we could handle the deref by having a close handler. But, when we are destroying
the psock through a map delete operation we wouldn't have gotten any signal
thorugh the proto struct other than it being replaced. If we do the deref from
the proto replace its too early because we need to deref the sk_pair after the
backlog worker has been stopped.
Given all this it seems best to just cache it at the end of the psock and eat 8B
for the af_unix and vsock users. Notice dgram sockets are OK because they handle
locking already.
Fixes:
|
||
Jakub Kicinski
|
5ff1682fec |
ethtool: don't propagate EOPNOTSUPP from dumps
[ Upstream commit cbeb989e41f4094f54bec2cecce993f26f547bea ]
The default dump handler needs to clear ret before returning.
Otherwise if the last interface returns an inconsequential
error this error will propagate to user space.
This may confuse user space (ethtool CLI seems to ignore it,
but YNL doesn't). It will also terminate the dump early
for mutli-skb dump, because netlink core treats EOPNOTSUPP
as a real error.
Fixes:
|
||
Eric Dumazet
|
158b71f3a9 |
udp: annotate data-races around udp->encap_type
[ Upstream commit 70a36f571362a8de8b8c02d21ae524fc776287f2 ]
syzbot/KCSAN complained about UDP_ENCAP_L2TPINUDP setsockopt() racing.
Add READ_ONCE()/WRITE_ONCE() to document races on this lockless field.
syzbot report was:
BUG: KCSAN: data-race in udp_lib_setsockopt / udp_lib_setsockopt
read-write to 0xffff8881083603fa of 1 bytes by task 16557 on cpu 0:
udp_lib_setsockopt+0x682/0x6c0
udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2779
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
__do_sys_setsockopt net/socket.c:2274 [inline]
__se_sys_setsockopt net/socket.c:2271 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read-write to 0xffff8881083603fa of 1 bytes by task 16554 on cpu 1:
udp_lib_setsockopt+0x682/0x6c0
udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2779
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
__do_sys_setsockopt net/socket.c:2274 [inline]
__se_sys_setsockopt net/socket.c:2271 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x01 -> 0x05
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 16554 Comm: syz-executor.5 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0
Fixes:
|
||
|
Eric Dumazet
|
8d929b6c11 |
udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO
[ Upstream commit ac9a7f4ce5dda1472e8f44096f33066c6ec1a3b4 ]
Move udp->encap_enabled to udp->udp_flags.
Add udp_test_and_set_bit() helper to allow lockless
udp_tunnel_encap_enable() implementation.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 70a36f571362 ("udp: annotate data-races around udp->encap_type")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Eric Dumazet
|
b680a907d1 |
udp: move udp->accept_udp_{l4|fraglist} to udp->udp_flags
[ Upstream commit f5f52f0884a595ff99ab1a608643fe4025fca2d5 ]
These are read locklessly, move them to udp_flags to fix data-races.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 70a36f571362 ("udp: annotate data-races around udp->encap_type")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Eric Dumazet
|
753886c0b9 |
udp: move udp->gro_enabled to udp->udp_flags
[ Upstream commit e1dc0615c6b08ef36414f08c011965b8fb56198b ]
syzbot reported that udp->gro_enabled can be read locklessly.
Use one atomic bit from udp->udp_flags.
Fixes:
|
||
|
Eric Dumazet
|
a01cff15cc |
udp: move udp->no_check6_rx to udp->udp_flags
[ Upstream commit bcbc1b1de884647aa0318bf74eb7f293d72a1e40 ]
syzbot reported that udp->no_check6_rx can be read locklessly.
Use one atomic bit from udp->udp_flags.
Fixes:
|
||
|
Eric Dumazet
|
50e41aa9ea |
udp: move udp->no_check6_tx to udp->udp_flags
[ Upstream commit a0002127cd746fcaa182ad3386ef6931c37f3bda ]
syzbot reported that udp->no_check6_tx can be read locklessly.
Use one atomic bit from udp->udp_flags
Fixes:
|
||
|
Eric Dumazet
|
e2a4392b61 |
udp: introduce udp->udp_flags
[ Upstream commit 81b36803ac139827538ac5ce4028e750a3c53f53 ]
According to syzbot, it is time to use proper atomic flags
for various UDP flags.
Add udp_flags field, and convert udp->corkflag to first
bit in it.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
David Howells
|
2489502fb1 |
ipv4, ipv6: Use splice_eof() to flush
[ Upstream commit 1d7e4538a5463faa0b0e26a7a7b6bd68c7dfdd78 ] Allow splice to undo the effects of MSG_MORE after prematurely ending a splice/sendfile due to getting an EOF condition (->splice_read() returned 0) after splice had called sendmsg() with MSG_MORE set when the user didn't set MSG_MORE. For UDP, a pending packet will not be emitted if the socket is closed before it is flushed; with this change, it be flushed by ->splice_eof(). For TCP, it's not clear that MSG_MORE is actually effective. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Link: https://lore.kernel.org/r/CAHk-=wh=V579PDYvkpnTobCLGczbgxpMgGmmhqiTyE34Cpi5Gg@mail.gmail.com/ Signed-off-by: David Howells <dhowells@redhat.com> cc: Kuniyuki Iwashima <kuniyu@amazon.com> cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com> cc: David Ahern <dsahern@kernel.org> cc: Jens Axboe <axboe@kernel.dk> cc: Matthew Wilcox <willy@infradead.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
David Howells
|
4713b7c756 |
splice, net: Add a splice_eof op to file-ops and socket-ops
[ Upstream commit 2bfc66850952b6921b2033b09729ec59eabbc81d ] Add an optional method, ->splice_eof(), to allow splice to indicate the premature termination of a splice to struct file_operations and struct proto_ops. This is called if sendfile() or splice() encounters all of the following conditions inside splice_direct_to_actor(): (1) the user did not set SPLICE_F_MORE (splice only), and (2) an EOF condition occurred (->splice_read() returned 0), and (3) we haven't read enough to fulfill the request (ie. len > 0 still), and (4) we have already spliced at least one byte. A further patch will modify the behaviour of SPLICE_F_MORE to always be passed to the actor if either the user set it or we haven't yet read sufficient data to fulfill the request. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Link: https://lore.kernel.org/r/CAHk-=wh=V579PDYvkpnTobCLGczbgxpMgGmmhqiTyE34Cpi5Gg@mail.gmail.com/ Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Jakub Kicinski <kuba@kernel.org> cc: Jens Axboe <axboe@kernel.dk> cc: Christoph Hellwig <hch@lst.de> cc: Al Viro <viro@zeniv.linux.org.uk> cc: Matthew Wilcox <willy@infradead.org> cc: Jan Kara <jack@suse.cz> cc: Jeff Layton <jlayton@kernel.org> cc: David Hildenbrand <david@redhat.com> cc: Christian Brauner <brauner@kernel.org> cc: Chuck Lever <chuck.lever@oracle.com> cc: Boris Pismenny <borisp@nvidia.com> cc: John Fastabend <john.fastabend@gmail.com> cc: linux-mm@kvack.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
David Howells
|
ac8c69e448 |
udp: Convert udp_sendpage() to use MSG_SPLICE_PAGES
[ Upstream commit 7ac7c987850c3ec617c778f7bd871804dc1c648d ]
Convert udp_sendpage() to use sendmsg() with MSG_SPLICE_PAGES rather than
directly splicing in the pages itself.
This allows ->sendpage() to be replaced by something that can handle
multiple multipage folios in a single transaction.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
cc: David Ahern <dsahern@kernel.org>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
David Howells
|
6bcc79a4e7 |
net: Declare MSG_SPLICE_PAGES internal sendmsg() flag
[ Upstream commit b841b901c452d92610f739a36e54978453528876 ]
Declare MSG_SPLICE_PAGES, an internal sendmsg() flag, that hints to a
network protocol that it should splice pages from the source iterator
rather than copying the data if it can. This flag is added to a list that
is cleared by sendmsg syscalls on entry.
This is intended as a replacement for the ->sendpage() op, allowing a way
to splice in several multipage folios in one go.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: a0002127cd74 ("udp: move udp->no_check6_tx to udp->udp_flags")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Thomas Lange
|
c38c5cfd3e |
net: Implement missing SO_TIMESTAMPING_NEW cmsg support
[ Upstream commit 382a32018b74f407008615e0e831d05ed28e81cd ] Commit |
||
Wen Gu
|
84c3833a93 |
net/smc: fix invalid link access in dumping SMC-R connections
[ Upstream commit 9dbe086c69b8902c85cece394760ac212e9e4ccc ]
A crash was found when dumping SMC-R connections. It can be reproduced
by following steps:
- environment: two RNICs on both sides.
- run SMC-R between two sides, now a SMC_LGR_SYMMETRIC type link group
will be created.
- set the first RNIC down on either side and link group will turn to
SMC_LGR_ASYMMETRIC_LOCAL then.
- run 'smcss -R' and the crash will be triggered.
BUG: kernel NULL pointer dereference, address: 0000000000000010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 8000000101fdd067 P4D 8000000101fdd067 PUD 10ce46067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 1810 Comm: smcss Kdump: loaded Tainted: G W E 6.7.0-rc6+ #51
RIP: 0010:__smc_diag_dump.constprop.0+0x36e/0x620 [smc_diag]
Call Trace:
<TASK>
? __die+0x24/0x70
? page_fault_oops+0x66/0x150
? exc_page_fault+0x69/0x140
? asm_exc_page_fault+0x26/0x30
? __smc_diag_dump.constprop.0+0x36e/0x620 [smc_diag]
smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
smc_diag_dump+0x26/0x60 [smc_diag]
netlink_dump+0x19f/0x320
__netlink_dump_start+0x1dc/0x300
smc_diag_handler_dump+0x6a/0x80 [smc_diag]
? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
sock_diag_rcv_msg+0x121/0x140
? __pfx_sock_diag_rcv_msg+0x10/0x10
netlink_rcv_skb+0x5a/0x110
sock_diag_rcv+0x28/0x40
netlink_unicast+0x22a/0x330
netlink_sendmsg+0x240/0x4a0
__sock_sendmsg+0xb0/0xc0
____sys_sendmsg+0x24e/0x300
? copy_msghdr_from_user+0x62/0x80
___sys_sendmsg+0x7c/0xd0
? __do_fault+0x34/0x1a0
? do_read_fault+0x5f/0x100
? do_fault+0xb0/0x110
__sys_sendmsg+0x4d/0x80
do_syscall_64+0x45/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
When the first RNIC is set down, the lgr->lnk[0] will be cleared and an
asymmetric link will be allocated in lgr->link[SMC_LINKS_PER_LGR_MAX - 1]
by smc_llc_alloc_alt_link(). Then when we try to dump SMC-R connections
in __smc_diag_dump(), the invalid lgr->lnk[0] will be accessed, resulting
in this issue. So fix it by accessing the right link.
Fixes:
|
||
Marc Dionne
|
72fa661778 |
net: Save and restore msg_namelen in sock_sendmsg
[ Upstream commit 01b2885d9415152bcb12ff1f7788f500a74ea0ed ]
Commit 86a7e0b69bd5 ("net: prevent rewrite of msg_name in
sock_sendmsg()") made sock_sendmsg save the incoming msg_name pointer
and restore it before returning, to insulate the caller against
msg_name being changed by the called code. If the address length
was also changed however, we may return with an inconsistent structure
where the length doesn't match the address, and attempts to reuse it may
lead to lost packets.
For example, a kernel that doesn't have commit 1c5950fc6fe9 ("udp6: fix
potential access to stale information") will replace a v4 mapped address
with its ipv4 equivalent, and shorten namelen accordingly from 28 to 16.
If the caller attempts to reuse the resulting msg structure, it will have
the original ipv6 (v4 mapped) address but an incorrect v4 length.
Fixes: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()")
Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Pablo Neira Ayuso
|
81f8a995eb |
netfilter: nft_immediate: drop chain reference counter on error
[ Upstream commit b29be0ca8e816119ccdf95cc7d7c7be9bde005f1 ]
In the init path, nft_data_init() bumps the chain reference counter,
decrement it on error by following the error path which calls
nft_data_release() to restore it.
Fixes: 4bedf9eee016 ("netfilter: nf_tables: fix chain binding transaction logic")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Jörn-Thorben Hinz
|
3edd66bd4e |
net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)
[ Upstream commit 7f6ca95d16b96567ce4cf458a2790ff17fa620c3 ] Commit |
||
|
Eric Dumazet
|
ac5fde92b5 |
net: annotate data-races around sk->sk_bind_phc
[ Upstream commit 251cd405a9e6e70b92fe5afbdd17fd5caf9d3266 ]
sk->sk_bind_phc is read locklessly. Add corresponding annotations.
Fixes:
|
||
|
Eric Dumazet
|
c48fcb4f49 |
net: annotate data-races around sk->sk_tsflags
[ Upstream commit e3390b30a5dfb112e8e802a59c0f68f947b638b2 ]
sk->sk_tsflags can be read locklessly, add corresponding annotations.
Fixes:
|
||
Vadim Fedorenko
|
5d586f7ca0 |
net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps
[ Upstream commit 8ca5a5790b9a1ce147484d2a2c4e66d2553f3d6c ]
When the feature was added it was enabled for SW timestamps only but
with current hardware the same out-of-order timestamps can be seen.
Let's expand the area for the feature to all types of timestamps.
Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 7f6ca95d16b9 ("net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Marc Kleine-Budde
|
b2130366a9 |
can: raw: add support for SO_MARK
[ Upstream commit 0826e82b8a32e646b7b32ba8b68ba30812028e47 ] Add support for SO_MARK to the CAN_RAW protocol. This makes it possible to add traffic control filters based on the fwmark. Link: https://lore.kernel.org/all/20221210113653.170346-1-mkl@pengutronix.de Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Stable-dep-of: 7f6ca95d16b9 ("net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Hangyu Hua
|
565460e180 |
net: sched: em_text: fix possible memory leak in em_text_destroy()
[ Upstream commit 8fcb0382af6f1ef50936f1be05b8149eb2f88496 ]
m->data needs to be freed when em_text_destroy is called.
Fixes:
|
||
Siddh Raman Pant
|
a4b0a9b80a |
nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local
[ Upstream commit c95f919567d6f1914f13350af61a1b044ac85014 ]
llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls
nfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for
getting the headroom and tailroom needed for skb allocation.
Parallelly the nfc_dev can be freed, as the refcount is decreased via
nfc_free_device(), leading to a UAF reported by Syzkaller, which can
be summarized as follows:
(1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()
-> nfc_alloc_send_skb() -> Dereference *nfc_dev
(2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()
-> put_device() -> nfc_release() -> Free *nfc_dev
When a reference to llcp_local is acquired, we do not acquire the same
for the nfc_dev. This leads to freeing even when the llcp_local is in
use, and this is the case with the UAF described above too.
Thus, when we acquire a reference to llcp_local, we should acquire a
reference to nfc_dev, and release the references appropriately later.
References for llcp_local is initialized in nfc_llcp_register_device()
(which is called by nfc_register_device()). Thus, we should acquire a
reference to nfc_dev there.
nfc_unregister_device() calls nfc_llcp_unregister_device() which in
turn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is
appropriately released later.
Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
Fixes:
|
||
|
Pablo Neira Ayuso
|
282e3fb612 |
netfilter: nf_tables: set transport offset from mac header for netdev/egress
[ Upstream commit 0ae8e4cca78781401b17721bfb72718fdf7b4912 ]
Before this patch, transport offset (pkt->thoff) provides an offset
relative to the network header. This is fine for the inet families
because skb->data points to the network header in such case. However,
from netdev/egress, skb->data points to the mac header (if available),
thus, pkt->thoff is missing the mac header length.
Add skb_network_offset() to the transport offset (pkt->thoff) for
netdev, so transport header mangling works as expected. Adjust payload
fast eval function to use skb->data now that pkt->thoff provides an
absolute offset. This explains why users report that matching on
egress/netdev works but payload mangling does not.
This patch implicitly fixes payload mangling for IPv4 packets in
netdev/egress given skb_store_bits() requires an offset from skb->data
to reach the transport header.
I suspect that nft_exthdr and the trace infra were also broken from
netdev/egress because they also take skb->data as start, and pkt->thoff
was not correct.
Note that IPv6 is fine because ipv6_find_hdr() already provides a
transport offset starting from skb->data, which includes
skb_network_offset().
The bridge family also uses nft_set_pktinfo_ipv4_validate(), but there
skb_network_offset() is zero, so the update in this patch does not alter
the existing behaviour.
Fixes:
|
||
|
Xin Long
|
9487cc4c90 |
netfilter: use skb_ip_totlen and iph_totlen
[ Upstream commit a13fbf5ed5b4fc9095f12e955ca3a59b5507ff01 ]
There are also quite some places in netfilter that may process IPv4 TCP
GSO packets, we need to replace them too.
In length_mt(), we have to use u_int32_t/int to accept skb_ip_totlen()
return value, otherwise it may overflow and mismatch. This change will
also help us add selftest for IPv4 BIG TCP in the following patch.
Note that we don't need to replace the one in tcpmss_tg4(), as it will
return if there is data after tcphdr in tcpmss_mangle_packet(). The
same in mangle_contents() in nf_nat_helper.c, it returns false when
skb->len + extra > 65535 in enlarge_skb().
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0ae8e4cca787 ("netfilter: nf_tables: set transport offset from mac header for netdev/egress")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Paolo Abeni
|
af9a530765 |
mptcp: prevent tcp diag from closing listener subflows
commit 4c0288299fd09ee7c6fbe2f57421f314d8c981db upstream.
The MPTCP protocol does not expect that any other entity could change
the first subflow status when such socket is listening.
Unfortunately the TCP diag interface allows aborting any TCP socket,
including MPTCP listeners subflows. As reported by syzbot, that trigger
a WARN() and could lead to later bigger trouble.
The MPTCP protocol needs to do some MPTCP-level cleanup actions to
properly shutdown the listener. To keep the fix simple, prevent
entirely the diag interface from stopping such listeners.
We could refine the diag callback in a later, larger patch targeting
net-next.
Fixes: 57fc0f1ceaa4 ("mptcp: ensure listener is unhashed before updating the sk status")
Cc: stable@vger.kernel.org
Reported-by: <syzbot+5a01c3a666e726bc8752@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/netdev/0000000000004f4579060c68431b@google.com/
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts <matttbe@kernel.org>
Link: https://lore.kernel.org/r/20231226-upstream-net-20231226-mptcp-prevent-warn-v1-2-1404dcc431ea@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Edward Adam Davis
|
079eefaecf |
keys, dns: Fix missing size check of V1 server-list header
commit 1997b3cb4217b09e49659b634c94da47f0340409 upstream.
The dns_resolver_preparse() function has a check on the size of the
payload for the basic header of the binary-style payload, but is missing
a check for the size of the V1 server-list payload header after
determining that's what we've been given.
Fix this by getting rid of the the pointer to the basic header and just
assuming that we have a V1 server-list payload and moving the V1 server
list pointer inside the if-statement. Dealing with other types and
versions can be left for when such have been defined.
This can be tested by doing the following with KASAN enabled:
echo -n -e '\x0\x0\x1\x2' | keyctl padd dns_resolver foo @p
and produces an oops like the following:
BUG: KASAN: slab-out-of-bounds in dns_resolver_preparse+0xc9f/0xd60 net/dns_resolver/dns_key.c:127
Read of size 1 at addr ffff888028894084 by task syz-executor265/5069
...
Call Trace:
dns_resolver_preparse+0xc9f/0xd60 net/dns_resolver/dns_key.c:127
__key_create_or_update+0x453/0xdf0 security/keys/key.c:842
key_create_or_update+0x42/0x50 security/keys/key.c:1007
__do_sys_add_key+0x29c/0x450 security/keys/keyctl.c:134
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a
This patch was originally by Edward Adam Davis, but was modified by
Linus.
Fixes: b946001d3bb1 ("keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry")
Reported-and-tested-by: syzbot+94bbb75204a05da3d89f@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/0000000000009b39bc060c73e209@google.com/
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: David Howells <dhowells@redhat.com>
Cc: Edward Adam Davis <eadavis@qq.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Jeffrey E Altman <jaltman@auristor.com>
Cc: Wang Lei <wang840925@gmail.com>
Cc: Jeff Layton <jlayton@redhat.com>
Cc: Steve French <sfrench@us.ibm.com>
Cc: Marc Dionne <marc.dionne@auristor.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jeffrey E Altman <jaltman@auristor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Norihiko Hama
|
bc4d82ee40 |
ANDROID: KMI workaround for CONFIG_NETFILTER_FAMILY_BRIDGE
Enabling CONFIG_NETFILTER_FAMILY_BRIDGE causes the new element,
hooks_bridge[] to be added to netns_nf. Since the KMI is frozen
this could not be added.
The only instantiation of struct netns_nf is as an embedded field
of struct net. So instead of adding the field to struct netns_nf,
a new "struct ext_net" is added that contains struct net and
the new hooks_bridge[] field. An accessor function,
get_nf_hooks_bridge() is added to get a pointer to the new
field.
There is a global init_net of type struct net which must be special
cased since it is not a member of a struct ext_net. All other
instances of struct net are allocated via net_alloc() which now
allocates a struct ext_net.
Since CONFIG_NETFILTER_FAMILY_BRIDGE is a hidden config that is
needed for vendor modules, it is enabled via init/Kconfig.gki.
Bug: 316040984
Fixes: 0145780bfc78 ("fix KASAN-related kernel crash by KMI W/A for NETFILTER_FAMILY_BRIDGE")
Change-Id: I2c7384e3df9b88f12464dc0138986fed12ca626a
Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
|
||
|
Greg Kroah-Hartman
|
0177cfb2a2 |
Merge tag 'android14-6.1.68_r00' into branch 'android14-6.1'
This merges the changes up to 6.1.68 LTS into the android14-6.1 branch. Included in here are the following commits: * |
||
|
Pablo Neira Ayuso
|
928b3b5dde |
UPSTREAM: netfilter: nf_tables: skip set commit for deleted/destroyed sets
commit 7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a upstream.
NFT_MSG_DELSET deactivates all elements in the set, skip
set->ops->commit() to avoid the unnecessary clone (for the pipapo case)
as well as the sync GC cycle, which could deactivate again expired
elements in such set.
Bug: 318548348
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Reported-by: Kevin Rich <kevinrich1337@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
Zhengchao Shao
|
5070b3b594 |
UPSTREAM: ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
[ Upstream commit e2b706c691905fe78468c361aaabc719d0a496f1 ]
When I perform the following test operations:
1.ip link add br0 type bridge
2.brctl addif br0 eth0
3.ip addr add 239.0.0.1/32 dev eth0
4.ip addr add 239.0.0.1/32 dev br0
5.ip addr add 224.0.0.1/32 dev br0
6.while ((1))
do
ifconfig br0 up
ifconfig br0 down
done
7.send IGMPv2 query packets to port eth0 continuously. For example,
./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00
1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"
The preceding tests may trigger the refcnt uaf issue of the mc list. The
stack is as follows:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
FS: 0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
Call Trace:
<TASK>
igmp_heard_query (net/ipv4/igmp.c:1068)
igmp_rcv (net/ipv4/igmp.c:1132)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
ip_local_deliver_finish (net/ipv4/ip_input.c:234)
__netif_receive_skb_one_core (net/core/dev.c:5529)
netif_receive_skb_internal (net/core/dev.c:5729)
netif_receive_skb (net/core/dev.c:5788)
br_handle_frame_finish (net/bridge/br_input.c:216)
nf_hook_bridge_pre (net/bridge/br_input.c:294)
__netif_receive_skb_core (net/core/dev.c:5423)
__netif_receive_skb_list_core (net/core/dev.c:5606)
__netif_receive_skb_list (net/core/dev.c:5674)
netif_receive_skb_list_internal (net/core/dev.c:5764)
napi_gro_receive (net/core/gro.c:609)
e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
__napi_poll (net/core/dev.c:6533)
net_rx_action (net/core/dev.c:6735)
__do_softirq (kernel/softirq.c:554)
run_ksoftirqd (kernel/softirq.c:913)
smpboot_thread_fn (kernel/smpboot.c:164)
kthread (kernel/kthread.c:388)
ret_from_fork (arch/x86/kernel/process.c:153)
ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
</TASK>
The root causes are as follows:
Thread A Thread B
... netif_receive_skb
br_dev_stop ...
br_multicast_leave_snoopers ...
__ip_mc_dec_group ...
__igmp_group_dropped igmp_rcv
igmp_stop_timer igmp_heard_query //ref = 1
ip_ma_put igmp_mod_timer
refcount_dec_and_test igmp_start_timer //ref = 0
... refcount_inc //ref increases from 0
When the device receives an IGMPv2 Query message, it starts the timer
immediately, regardless of whether the device is running. If the device is
down and has left the multicast group, it will cause the mc list refcount
uaf issue.
Bug: 316932391
Fixes:
|
||
|
Greg Kroah-Hartman
|
8968561242 |
ANDROID: fix crc error in put_cmsg caused in 6.1.68
In commit |
||
|
Pablo Neira Ayuso
|
0105571f80 |
netfilter: nf_tables: skip set commit for deleted/destroyed sets
commit 7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a upstream.
NFT_MSG_DELSET deactivates all elements in the set, skip
set->ops->commit() to avoid the unnecessary clone (for the pipapo case)
as well as the sync GC cycle, which could deactivate again expired
elements in such set.
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Reported-by: Kevin Rich <kevinrich1337@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
e0690152b8 |
Revert "drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
c9b484c69d |
This is the 6.1.68 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmV57F0ACgkQONu9yGCS
aT5Ihg//f5xvyjEEbZyE7tFaBBgx8ceQCtteRyi+Jw3Hy65/9neETij0t97IhG37
I89TIAddzNIl51ifl8UYZMWI780HbnW1YdbVLMElbngbmT5rHzIsGpAVCC+SDmMK
NPWXrqWIw6yTVSbTwqKIqOLlEiLxGjdWnPxjoMXBVyje+EcmANBe+fe9qkLq98XC
ZgzrRZyriS8QLMMscy/GmdxIyC32nxebdHDwwE6qgYM8GWNfqLLektX798VGFhra
ByR9bvsJ0PD5m9siCGcx37lVusJDLMjJp4FtMIFTrH63i0sMQm7HKiggJmbCm4lH
Sgbo4iwvSVa2xf1glPJagE9tiah5b0feLqgrQf/ONO2PdCjcERN47472IcQgRvQ+
SDYKScZBSp1/Jd063dHiK/u79uxEBFEdisAkPG2MstjCySEDuhvDrV5R0iKDpQBP
y2FXb4RArqZFrGwS4Zfxx/EQnj3MYJ11a4AE5I0yUGIj7vrFdddayBDBVdwhog84
QhHPH0F/eC/zSMATYSQSCZTTSZ2UoR8NODXyOryoH5tmXlgxXWKq1oFi5nUnysoP
SkGDT0dg+kbReQNA+eyj5qTS4lzincIyP2B4Ple9d75zpx1UENlqVm1xvWLccyFt
3eV/XNRg8dAapsbqvEtW+iev6izutWgcG6p1hToObnbg5uHy6fI=
=+iTJ
-----END PGP SIGNATURE-----
Merge 6.1.68 into android14-6.1-lts
Changes in 6.1.68
vdpa/mlx5: preserve CVQ vringh index
hrtimers: Push pending hrtimers away from outgoing CPU earlier
i2c: designware: Fix corrupted memory seen in the ISR
netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
zstd: Fix array-index-out-of-bounds UBSAN warning
tg3: Move the [rt]x_dropped counters to tg3_napi
tg3: Increment tx_dropped in tg3_tso_bug()
kconfig: fix memory leak from range properties
drm/amdgpu: correct chunk_ptr to a pointer to chunk.
x86: Introduce ia32_enabled()
x86/coco: Disable 32-bit emulation by default on TDX and SEV
x86/entry: Convert INT 0x80 emulation to IDTENTRY
x86/entry: Do not allow external 0x80 interrupts
x86/tdx: Allow 32-bit emulation by default
dt: dt-extract-compatibles: Handle cfile arguments in generator function
dt: dt-extract-compatibles: Don't follow symlinks when walking tree
platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi code
of: dynamic: Fix of_reconfig_get_state_change() return value documentation
platform/x86: wmi: Skip blocks with zero instances
ipv6: fix potential NULL deref in fib6_add()
octeontx2-pf: Add missing mutex lock in otx2_get_pauseparam
octeontx2-af: Check return value of nix_get_nixlf before using nixlf
hv_netvsc: rndis_filter needs to select NLS
r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE
r8152: Add RTL8152_INACCESSIBLE checks to more loops
r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash()
r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1()
r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en()
mlxbf-bootctl: correctly identify secure boot with development keys
platform/mellanox: Add null pointer checks for devm_kasprintf()
platform/mellanox: Check devm_hwmon_device_register_with_groups() return value
arcnet: restoring support for multiple Sohard Arcnet cards
octeontx2-pf: consider both Rx and Tx packet stats for adaptive interrupt coalescing
net: stmmac: fix FPE events losing
xsk: Skip polling event check for unbound socket
octeontx2-af: fix a use-after-free in rvu_npa_register_reporters
i40e: Fix unexpected MFS warning message
iavf: validate tx_coalesce_usecs even if rx_coalesce_usecs is zero
net: bnxt: fix a potential use-after-free in bnxt_init_tc
tcp: fix mid stream window clamp.
ionic: fix snprintf format length warning
ionic: Fix dim work handling in split interrupt mode
ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
net: atlantic: Fix NULL dereference of skb pointer in
net: hns: fix wrong head when modify the tx feature when sending packets
net: hns: fix fake link up on xge port
octeontx2-af: Adjust Tx credits when MCS external bypass is disabled
octeontx2-af: Fix mcs sa cam entries size
octeontx2-af: Fix mcs stats register address
octeontx2-af: Add missing mcs flr handler call
octeontx2-af: Update Tx link register range
dt-bindings: interrupt-controller: Allow #power-domain-cells
netfilter: nft_exthdr: add boolean DCCP option matching
netfilter: nf_tables: fix 'exist' matching on bigendian arches
netfilter: nf_tables: bail out on mismatching dynset and set expressions
netfilter: nf_tables: validate family when identifying table via handle
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
tcp: do not accept ACK of bytes we never sent
bpf: sockmap, updating the sg structure should also update curr
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
mm/damon/sysfs: eliminate potential uninitialized variable warning
tee: optee: Fix supplicant based device enumeration
RDMA/hns: Fix unnecessary err return when using invalid congest control algorithm
RDMA/irdma: Do not modify to SQD on error
RDMA/irdma: Add wait for suspend on SQD
arm64: dts: rockchip: Expand reg size of vdec node for RK3328
arm64: dts: rockchip: Expand reg size of vdec node for RK3399
ASoC: fsl_sai: Fix no frame sync clock issue on i.MX8MP
RDMA/rtrs-srv: Do not unconditionally enable irq
RDMA/rtrs-clt: Start hb after path_up
RDMA/rtrs-srv: Check return values while processing info request
RDMA/rtrs-srv: Free srv_mr iu only when always_invalidate is true
RDMA/rtrs-srv: Destroy path files after making sure no IOs in-flight
RDMA/rtrs-clt: Fix the max_send_wr setting
RDMA/rtrs-clt: Remove the warnings for req in_use check
RDMA/bnxt_re: Correct module description string
RDMA/irdma: Refactor error handling in create CQP
RDMA/irdma: Fix UAF in irdma_sc_ccq_get_cqe_info()
hwmon: (acpi_power_meter) Fix 4.29 MW bug
ASoC: codecs: lpass-tx-macro: set active_decimator correct default value
hwmon: (nzxt-kraken2) Fix error handling path in kraken2_probe()
ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz
RDMA/irdma: Avoid free the non-cqp_request scratch
drm/bridge: tc358768: select CONFIG_VIDEOMODE_HELPERS
arm64: dts: imx8mq: drop usb3-resume-missing-cas from usb
arm64: dts: imx8mp: imx8mq: Add parkmode-disable-ss-quirk on DWC3
ARM: dts: imx6ul-pico: Describe the Ethernet PHY clock
tracing: Fix a warning when allocating buffered events fails
scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt
ARM: dts: imx28-xea: Pass the 'model' property
riscv: fix misaligned access handling of C.SWSP and C.SDSP
md: introduce md_ro_state
md: don't leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly()
iommu: Avoid more races around device probe
rethook: Use __rcu pointer for rethook::handler
kprobes: consistent rcu api usage for kretprobe holder
ASoC: amd: yc: Fix non-functional mic on ASUS E1504FA
io_uring/af_unix: disable sending io_uring over sockets
nvme-pci: Add sleep quirk for Kingston drives
io_uring: fix mutex_unlock with unreferenced ctx
ALSA: usb-audio: Add Pioneer DJM-450 mixer controls
ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
ALSA: hda/realtek: add new Framework laptop to quirks
ALSA: hda/realtek: Add Framework laptop 16 to quirks
ring-buffer: Test last update in 32bit version of __rb_time_read()
nilfs2: fix missing error check for sb_set_blocksize call
nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
cgroup_freezer: cgroup_freezing: Check if not frozen
checkstack: fix printed address
tracing: Always update snapshot buffer size
tracing: Disable snapshot buffer when stopping instance tracers
tracing: Fix incomplete locking when disabling buffered events
tracing: Fix a possible race when disabling buffered events
packet: Move reference count in packet_sock to atomic_long_t
r8169: fix rtl8125b PAUSE frames blasting when suspended
regmap: fix bogus error on regcache_sync success
platform/surface: aggregator: fix recv_buf() return value
hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
mm: fix oops when filemap_map_pmd() without prealloc_pte
powercap: DTPM: Fix missing cpufreq_cpu_put() calls
md/raid6: use valid sector values to determine if an I/O should wait on the reshape
arm64: dts: mediatek: mt7622: fix memory node warning check
arm64: dts: mediatek: mt8183-kukui-jacuzzi: fix dsi unnecessary cells properties
arm64: dts: mediatek: cherry: Fix interrupt cells for MT6360 on I2C7
arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names
arm64: dts: mediatek: mt8195: Fix PM suspend/resume with venc clocks
arm64: dts: mediatek: mt8183: Fix unit address for scp reserved memory
arm64: dts: mediatek: mt8183: Move thermal-zones to the root node
arm64: dts: mediatek: mt8183-evb: Fix unit_address_vs_reg warning on ntc
binder: fix memory leaks of spam and pending work
coresight: etm4x: Make etm4_remove_dev() return void
coresight: etm4x: Remove bogous __exit annotation for some functions
hwtracing: hisi_ptt: Add dummy callback pmu::read()
misc: mei: client.c: return negative error code in mei_cl_write
misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write
LoongArch: BPF: Don't sign extend memory load operand
LoongArch: BPF: Don't sign extend function return value
ring-buffer: Force absolute timestamp on discard of event
tracing: Set actual size after ring buffer resize
tracing: Stop current tracer when resizing buffer
parisc: Reduce size of the bug_table on 64-bit kernel by half
parisc: Fix asm operand number out of range build error in bug table
arm64: dts: mediatek: add missing space before {
arm64: dts: mt8183: kukui: Fix underscores in node names
perf: Fix perf_event_validate_size()
x86/sev: Fix kernel crash due to late update to read-only ghcb_version
gpiolib: sysfs: Fix error handling on failed export
drm/amdgpu: fix memory overflow in the IB test
drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c
drm/amdgpu: correct the amdgpu runtime dereference usage count
drm/amdgpu: Update ras eeprom support for smu v13_0_0 and v13_0_10
drm/amdgpu: Add EEPROM I2C address support for ip discovery
drm/amdgpu: Remove redundant I2C EEPROM address
drm/amdgpu: Decouple RAS EEPROM addresses from chips
drm/amdgpu: Add support for RAS table at 0x40000
drm/amdgpu: Remove second moot switch to set EEPROM I2C address
drm/amdgpu: Return from switch early for EEPROM I2C address
drm/amdgpu: simplify amdgpu_ras_eeprom.c
drm/amdgpu: Add I2C EEPROM support on smu v13_0_6
drm/amdgpu: Update EEPROM I2C address for smu v13_0_0
usb: gadget: f_hid: fix report descriptor allocation
serial: 8250_dw: Add ACPI ID for Granite Rapids-D UART
parport: Add support for Brainboxes IX/UC/PX parallel cards
cifs: Fix non-availability of dedup breaking generic/304
Revert "xhci: Loosen RPM as default policy to cover for AMD xHC 1.1"
smb: client: fix potential NULL deref in parse_dfs_referrals()
usb: typec: class: fix typec_altmode_put_partner to put plugs
ARM: PL011: Fix DMA support
serial: sc16is7xx: address RX timeout interrupt errata
serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit
serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt
serial: 8250_omap: Add earlycon support for the AM654 UART controller
devcoredump: Send uevent once devcd is ready
x86/CPU/AMD: Check vendor in the AMD microcode callback
USB: gadget: core: adjust uevent timing on gadget unbind
cifs: Fix flushing, invalidation and file size with copy_file_range()
cifs: Fix flushing, invalidation and file size with FICLONE
MIPS: kernel: Clear FPU states when setting up kernel threads
KVM: s390/mm: Properly reset no-dat
KVM: SVM: Update EFER software model on CR0 trap for SEV-ES
MIPS: Loongson64: Reserve vgabios memory on boot
MIPS: Loongson64: Handle more memory types passed from firmware
MIPS: Loongson64: Enable DMA noncoherent support
netfilter: nft_set_pipapo: skip inactive elements during set walk
riscv: Kconfig: Add select ARM_AMBA to SOC_STARFIVE
drm/i915/display: Drop check for doublescan mode in modevalid
drm/i915/lvds: Use REG_BIT() & co.
drm/i915/sdvo: stop caching has_hdmi_monitor in struct intel_sdvo
drm/i915: Skip some timing checks on BXT/GLK DSI transcoders
Linux 6.1.68
Change-Id: I0a824071a80b24dc4a2e0077f305b7cac42235b8
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
jianzhou
|
7c8fe0d3ae |
Merge keystone/android14-6.1-keystone-qcom-release.6.1.57 (97abf17) into qcom-6.1
* refs/heads/tmp-97abf17:
ANDROID: GKI: Update symbol list for mtk
ANDROID: Update the ABI symbol list
ANDROID: GKI: Update symbol list for mtk
ANDROID: mm: lru_cache_disable skips lru cache drainnig
ANDROID: mm: cma: introduce __cma_alloc API
ANDROID: Update the ABI representation
BACKPORT: fscrypt: support crypto data unit size less than filesystem block size
UPSTREAM: netfilter: nf_tables: remove catchall element in GC sync path
ANDROID: GKI: Update oplus symbol list
ANDROID: vendor_hooks: export tracepoint symbol trace_mm_vmscan_kswapd_wake
BACKPORT: HID: input: map battery system charging
ANDROID: fuse-bpf: Ignore readaheads unless they go to the daemon
FROMGIT: freezer,sched: clean saved_state when restoring it during thaw
FROMGIT: freezer,sched: do not restore saved_state of a thawed task
FROMGIT: f2fs: skip adding a discard command if exists
UPSTREAM: f2fs: clean up zones when not successfully unmounted
UPSTREAM: f2fs: use finish zone command when closing a zone
UPSTREAM: f2fs: check zone write pointer points to the end of zone
UPSTREAM: f2fs: close unused open zones while mounting
UPSTREAM: f2fs: maintain six open zones for zoned devices
ANDROID: update symbol for unisoc whitelist
ANDROID: vendor_hooks: mm: add hook to count the number pages allocated for each slab
ANDROID: Update the ABI symbol list
ANDROID: sched: Add trace_android_rvh_set_user_nice_locked
UPSTREAM: ASoC: soc-compress: Fix deadlock in soc_compr_open_fe
BACKPORT: ASoC: add snd_soc_card_mutex_lock/unlock()
BACKPORT: ASoC: expand snd_soc_dpcm_mutex_lock/unlock()
BACKPORT: ASoC: expand snd_soc_dapm_mutex_lock/unlock()
ANDROID: GKI: Update symbol list for mtk
ANDROID: Update the ABI symbol list
ANDROID: sched: Add vendor hook for update_load_sum
FROMGIT: freezer,sched: clean saved_state when restoring it during thaw
FROMGIT: freezer,sched: do not restore saved_state of a thawed task
ANDROID: GKI: add allowed list for Exynosauto SoC
ANDROID: KVM: arm64: pkvm_module_ops documentation
ANDROID: Update the ABI symbol list
UPSTREAM: usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()
ANDROID: GKI: Update oplus symbol list
UPSTREAM: drm/qxl: fix UAF on handle creation
FROMGIT: usb:gadget:uvc Do not use worker thread to pump isoc usb requests
FROMGIT: usb: gadget: uvc: Fix use-after-free for inflight usb_requests
FROMGIT: usb: gadget: uvc: move video disable logic to its own function
FROMGIT: usb: gadget: uvc: Allocate uvc_requests one at a time
FROMGIT: usb: gadget: uvc: prevent use of disabled endpoint
UPSTREAM: drm/fourcc: Add NV20 and NV30 YUV formats
FROMLIST: virt: geniezone: Add memory relinquish support
FROMGIT: Input: uinput - allow injecting event times
UPSTREAM: PM: hibernate: Fix copying the zero bitmap to safe pages
UPSTREAM: PM: hibernate: don't store zero pages in the image file
UPSTREAM: PM: hibernate: Complain about memory map mismatches during resume
FROMLIST: devcoredump: Send uevent once devcd is ready
FROMLIST: iommu: Avoid more races around device probe
ANDROID: Update the ABI symbol list
FROMLIST: ufs: core: clear cmd if abort success in mcq mode
BACKPORT: wifi: cfg80211: Allow AP/P2PGO to indicate port authorization to peer STA/P2PClient
BACKPORT: wifi: cfg80211: OWE DH IE handling offload
ANDROID: KVM: arm64: mount procfs for pKVM module loading
ANDROID: GKI: Update symbol list for mtk
ANDROID: fuse-bpf: Add NULL pointer check in fuse_release_in
UPSTREAM: serial: 8250_port: Check IRQ data before use
ANDROID: KVM: arm64: Fix error path in pkvm_mem_abort()
ANDROID: abi_gki_aarch64_qcom: Update symbol list
ANDROID: GKI: add allowed list for Exynosauto SoC
ANDROID: Update the ABI symbol list
ANDROID: sched: Add vendor hook for util_fits_cpu
ANDROID: update symbol for unisoc vendor_hooks
ANDROID: vendor_hooks: mm: add hook to count the number pages allocated for each slab
UPSTREAM: usb: gadget: udc: Handle gadget_connect failure during bind operation
ANDROID: Update the ABI symbol list
ANDROID: softirq: Add EXPORT_SYMBOL_GPL for softirq and tasklet
ANDROID: mm/mempolicy.c fix up conversion to queue_folios_pte_range
Revert "net: add sysctl accept_ra_min_rtr_lft"
Revert "net: change accept_ra_min_rtr_lft to affect all RA lifetimes"
Revert "net: release reference to inet6_dev pointer"
Revert "ata,scsi: do not issue START STOP UNIT on resume"
Revert "scsi: sd: Differentiate system and runtime start/stop management"
Revert "scsi: sd: Do not issue commands to suspended disks on shutdown"
Revert "wifi: cfg80211: fix cqm_config access race"
Revert "netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp"
Revert "arm64: errata: Add Cortex-A520 speculative unprivileged load workaround"
Revert "video/aperture: Only remove sysfb on the default vga pci device"
Revert "drm/ast: Use drm_aperture_remove_conflicting_pci_framebuffers"
Revert "fbdev/radeon: use pci aperture helpers"
Revert "drm/gma500: Use drm_aperture_remove_conflicting_pci_framebuffers"
Revert "drm/aperture: Remove primary argument"
Revert "video/aperture: Only kick vgacon when the pdev is decoding vga"
Revert "video/aperture: Move vga handling to pci function"
Revert "fs/nls: make load_nls() take a const parameter"
Revert "dm: fix a race condition in retrieve_deps"
ANDROID: GKI: db845c: add new dma_buf symbols to list
UPSTREAM: lib/test_meminit: fix off-by-one error in test_pages()
ANDROID: GKI: add guards for an include file in net/ethtool/ioctl.c
ANDROID: GKI: update .stg due to internal zswap and tracing changes
ANDROID: GKI: db845c: add pcie_capability_clear_and_set_word to the symbol list
ANDROID: GKI: sched: put back the cpu_capacity_inverted variable
Revert "ipv4: fix data-races around inet->inet_id"
Revert "usb: typec: bus: verify partner exists in typec_altmode_attention"
Revert "scsi: core: Use 32-bit hostnum in scsi_host_lookup()"
Revert "media: cec: core: add adap_nb_transmit_canceled() callback"
Revert "media: cec: core: add adap_unconfigured() callback"
Revert "tracing: Introduce pipe_cpumask to avoid race on trace_pipes"
Revert "tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY"
Revert "PCI: Allow drivers to request exclusive config regions"
Revert "PCI: Add locking to RMW PCI Express Capability Register accessors"
Revert "crypto: api - Use work queue in crypto_destroy_instance"
Revert "media: uapi: HEVC: Add num_delta_pocs_of_ref_rps_idx field"
Linux 6.1.57
xen/events: replace evtchn_rwlock with RCU
ipv6: remove one read_lock()/read_unlock() pair in rt6_check_neigh()
btrfs: file_remove_privs needs an exclusive lock in direct io write
netlink: remove the flex array from struct nlmsghdr
btrfs: fix fscrypt name leak after failure to join log transaction
btrfs: fix an error handling path in btrfs_rename()
vrf: Fix lockdep splat in output path
ipv6: remove nexthop_fib6_nh_bh()
parisc: Restore __ldcw_align for PA-RISC 2.0 processors
ksmbd: fix uaf in smb20_oplock_break_ack
ksmbd: fix race condition between session lookup and expire
x86/sev: Use the GHCB protocol when available for SNP CPUID requests
RDMA/mlx5: Fix NULL string error
RDMA/mlx5: Fix mutex unlocking on error flow for steering anchor creation
RDMA/siw: Fix connection failure handling
RDMA/srp: Do not call scsi_done() from srp_abort()
RDMA/uverbs: Fix typo of sizeof argument
RDMA/cma: Fix truncation compilation warning in make_cma_ports
RDMA/cma: Initialize ib_sa_multicast structure to 0 when join
gpio: pxa: disable pinctrl calls for MMP_GPIO
gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
IB/mlx4: Fix the size of a buffer in add_port_entries()
of: dynamic: Fix potential memory leak in of_changeset_action()
RDMA/core: Require admin capabilities to set system parameters
dm zoned: free dmz->ddev array in dmz_put_zoned_devices
parisc: Fix crash with nr_cpus=1 option
smb: use kernel_connect() and kernel_bind()
intel_idle: add Emerald Rapids Xeon support
HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
HID: sony: remove duplicate NULL check before calling usb_free_urb()
netlink: annotate data-races around sk->sk_err
netlink: Fix potential skb memleak in netlink_ack
netlink: split up copies in the ack construction
sctp: update hb timer immediately after users change hb_interval
sctp: update transport state when processing a dupcook packet
tcp: fix delayed ACKs for MSS boundary condition
tcp: fix quick-ack counting to count actual ACKs of new data
tipc: fix a potential deadlock on &tx->lock
net: stmmac: dwmac-stm32: fix resume on STM32 MCU
ipv4: Set offload_failed flag in fibmatch results
netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure
netfilter: nf_tables: Deduplicate nft_register_obj audit logs
selftests: netfilter: Extend nft_audit.sh
selftests: netfilter: Test nf_tables audit logging
netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp
ibmveth: Remove condition to recompute TCP header checksum.
net: ethernet: ti: am65-cpsw: Fix error code in am65_cpsw_nuss_init_tx_chns()
net: nfc: llcp: Add lock when modifying device list
net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling
net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent
ptp: ocp: Fix error handling in ptp_ocp_device_init
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
neighbour: fix data-races around n->output
neighbour: switch to standard rcu, instead of rcu_bh
neighbour: annotate lockless accesses to n->nud_state
bpf: Add BPF_FIB_LOOKUP_SKIP_NEIGH for bpf_fib_lookup
net: fix possible store tearing in neigh_periodic_work()
modpost: add missing else to the "of" check
bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
bpf, sockmap: Do not inc copied_seq when PEEK flag set
bpf: tcp_read_skb needs to pop skb regardless of seq
NFSv4: Fix a nfs4_state_manager() race
ima: rework CONFIG_IMA dependency block
scsi: target: core: Fix deadlock due to recursive locking
ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig
regulator/core: regulator_register: set device->class earlier
iommu/mediatek: Fix share pgtable for iova over 4GB
perf/x86/amd: Do not WARN() on every IRQ
wifi: mac80211: fix potential key use-after-free
regmap: rbtree: Fix wrong register marked as in-cache when creating new node
perf/x86/amd/core: Fix overflow reset on hotplug
wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
Bluetooth: ISO: Fix handling of listen for unicast
Bluetooth: Delete unused hci_req_prepare_suspend() declaration
regulator: mt6358: split ops for buck and linear range LDO regulators
regulator: mt6358: Use linear voltage helpers for single range regulators
regulator: mt6358: Drop *_SSHUB regulators
bpf: Fix tr dereferencing
leds: Drop BUG_ON check for LED_COLOR_ID_MULTI
wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
wifi: cfg80211: add missing kernel-doc for cqm_rssi_work
wifi: cfg80211: fix cqm_config access race
wifi: cfg80211: add a work abstraction with special semantics
wifi: cfg80211: move wowlan disable under locks
wifi: cfg80211: hold wiphy lock in auto-disconnect
wifi: iwlwifi: mvm: Fix a memory corruption issue
wifi: iwlwifi: dbg_ini: fix structure packing
erofs: fix memory leak of LZMA global compressed deduplication
ubi: Refuse attaching if mtd's erasesize is 0
HID: sony: Fix a potential memory leak in sony_probe()
arm64: errata: Add Cortex-A520 speculative unprivileged load workaround
arm64: Add Cortex-A520 CPU part definition
drm/amd: Fix logic error in sienna_cichlid_update_pcie_parameters()
drm/amd: Fix detection of _PR3 on the PCIe root port
net: prevent rewrite of msg_name in sock_sendmsg()
net: replace calls to sock->ops->connect() with kernel_connect()
PCI: qcom: Fix IPQ8074 enumeration
md/raid5: release batch_last before waiting for another stripe_head
wifi: mwifiex: Fix tlv_buf_left calculation
Bluetooth: hci_sync: Fix handling of HCI_QUIRK_STRICT_DUPLICATE_FILTER
Bluetooth: hci_codec: Fix leaking content of local_codecs
qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
mptcp: userspace pm allow creating id 0 subflow
net: ethernet: mediatek: disable irq before schedule napi
vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
iommu/vt-d: Avoid memory allocation in iommu_suspend()
scsi: zfcp: Fix a double put in zfcp_port_enqueue()
i40e: fix the wrong PTP frequency calculation
hwmon: (nzxt-smart2) add another USB ID
hwmon: (nzxt-smart2) Add device id
block: fix use-after-free of q->q_usage_counter
rbd: take header_rwsem in rbd_dev_refresh() only when updating
rbd: decouple parent info read-in from updating rbd_dev
rbd: decouple header read-in from updating rbd_dev->header
rbd: move rbd_dev_refresh() definition
iommu/arm-smmu-v3: Avoid constructing invalid range commands
iommu/arm-smmu-v3: Set TTL invalidation hint better
drm/amd/display: Adjust the MST resume flow
arm64: cpufeature: Fix CLRBHB and BC detection
net: release reference to inet6_dev pointer
net: change accept_ra_min_rtr_lft to affect all RA lifetimes
net: add sysctl accept_ra_min_rtr_lft
arm64: Avoid repeated AA64MMFR1_EL1 register read on pagefault path
Revert "NFSv4: Retry LOCK on OLD_STATEID during delegation return"
btrfs: use struct fscrypt_str instead of struct qstr
btrfs: setup qstr from dentrys using fscrypt helper
btrfs: use struct qstr instead of name and namelen pairs
ring-buffer: Fix bytes info in per_cpu buffer stats
ring-buffer: remove obsolete comment for free_buffer_page()
mm: page_alloc: fix CMA and HIGHATOMIC landing on the wrong buddy list
mm/page_alloc: leave IRQs enabled for per-cpu page allocations
mm/page_alloc: always remove pages from temporary list
mm: mempolicy: keep VMA walk if both MPOL_MF_STRICT and MPOL_MF_MOVE are specified
mm/mempolicy: convert migrate_page_add() to migrate_folio_add()
mm/mempolicy: convert queue_pages_pte_range() to queue_folios_pte_range()
mm/mempolicy: convert queue_pages_pmd() to queue_folios_pmd()
mm/memory: add vm_normal_folio()
NFSv4: Fix a state manager thread deadlock regression
NFS: rename nfs_client_kset to nfs_kset
NFS: Cleanup unused rpc_clnt variable
ata: libata-scsi: Fix delayed scsi_rescan_device() execution
scsi: Do not attempt to rescan suspended devices
scsi: core: Improve type safety of scsi_rescan_device()
scsi: sd: Do not issue commands to suspended disks on shutdown
scsi: sd: Differentiate system and runtime start/stop management
ata,scsi: do not issue START STOP UNIT on resume
mptcp: process pending subflow error on close
mptcp: move __mptcp_error_report in protocol.c
mptcp: annotate lockless accesses to sk->sk_err
mptcp: fix dangling connection hang-up
mptcp: rename timer related helper to less confusing names
ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates
ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol
spi: zynqmp-gqspi: fix clock imbalance on probe failure
Linux 6.1.56
ASoC: amd: yc: Fix a non-functional mic on Lenovo 82TL
mm, memcg: reconsider kmem.limit_in_bytes deprecation
memcg: drop kmem.limit_in_bytes
drm/meson: fix memory leak on ->hpd_notify callback
drm/amdkfd: Use gpu_offset for user queue's wptr
fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
power: supply: ab8500: Set typing and props
power: supply: rk817: Add missing module alias
drm/i915/gt: Fix reservation address in ggtt_reserve_guc_top
ata: libata-sata: increase PMP SRST timeout to 10s
ata: libata-core: Do not register PM operations for SAS ports
ata: libata-core: Fix port and device removal
ata: libata-core: Fix ata_port_request_pm() locking
fs/smb/client: Reset password pointer to NULL
net: thunderbolt: Fix TCPv6 GSO checksum calculation
bpf: Fix BTF_ID symbol generation collision in tools/
bpf: Fix BTF_ID symbol generation collision
bpf: Add override check to kprobe multi link attach
media: uvcvideo: Fix OOB read
btrfs: properly report 0 avail for very full file systems
ring-buffer: Update "shortest_full" in polling
mm: memcontrol: fix GFP_NOFS recursion in memory.high enforcement
mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()
mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()
arm64: defconfig: remove CONFIG_COMMON_CLK_NPCM8XX=y
drm/tests: Fix incorrect argument in drm_test_mm_insert_range
timers: Tag (hr)timer softirq as hotplug safe
Revert "SUNRPC dont update timeout value on connection reset"
netfilter: nf_tables: fix kdoc warnings after gc rework
sched/rt: Fix live lock between select_fallback_rq() and RT push
kernel/sched: Modify initial boot task idle setup
ASoC: amd: yc: Fix non-functional mic on Lenovo 82QF and 82UG
i2c: i801: unregister tco_pdev in i801_probe() error path
io_uring/fs: remove sqe->rw_flags checking from LINKAT
ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES
ata: libata-scsi: link ata port and scsi device
LoongArch: numa: Fix high_memory calculation
LoongArch: Define relocation types for ABI v2.10
ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q
netfilter: nf_tables: disallow rule removal from chain binding
nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
serial: 8250_port: Check IRQ data before use
Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
misc: rtsx: Fix some platforms can not boot and move the l1ss judgment to probe
mptcp: fix bogus receive window shrinkage with multiple subflows
KVM: x86/mmu: Do not filter address spaces in for_each_tdp_mmu_root_yield_safe()
KVM: x86/mmu: Open code leaf invalidation from mmu_notifier
KVM: SVM: Fix TSC_AUX virtualization setup
KVM: SVM: INTERCEPT_RDTSCP is never intercepted anyway
x86/srso: Add SRSO mitigation for Hygon processors
x86/sgx: Resolves SECS reclaim vs. page fault for EAUG race
iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range
smack: Retrieve transmuting information in smack_inode_getsecurity()
smack: Record transmuting in smk_transmuted
nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev
scsi: qla2xxx: Fix NULL pointer dereference in target mode
wifi: ath11k: Don't drop tx_status when peer cannot be found
nvme-pci: do not set the NUMA node of device if it has none
nvme-pci: factor out a nvme_pci_alloc_dev helper
nvme-pci: factor the iod mempool creation into a helper
perf build: Define YYNOMEM as YYNOABORT for bison < 3.81
fbdev/sh7760fb: Depend on FB=y
LoongArch: Set all reserved memblocks on Node#0 at initialization
tsnep: Fix NAPI polling with budget 0
tsnep: Fix NAPI scheduling
net: hsr: Add __packed to struct hsr_sup_tlv.
ncsi: Propagate carrier gain/loss events to the NCSI controller
powerpc/watchpoints: Annotate atomic context in more places
powerpc/watchpoint: Disable pagefaults when getting user instruction
powerpc/watchpoints: Disable preemption in thread_change_pc()
ASoC: SOF: Intel: MTL: Reduce the DSP init timeout
NFSv4.1: fix zero value filehandle in post open getattr
media: vb2: frame_vector.c: replace WARN_ONCE with a comment
ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link
memblock tests: fix warning ‘struct seq_file’ declared inside parameter list
memblock tests: fix warning: "__ALIGN_KERNEL" redefined
firmware: cirrus: cs_dsp: Only log list of algorithms in debug build
ASoC: cs42l42: Don't rely on GPIOD_OUT_LOW to set RESET initially low
ASoC: cs42l42: Ensure a reset pulse meets minimum pulse width.
ALSA: hda: intel-sdw-acpi: Use u8 type for link index
bpf: Clarify error expectations from bpf_clone_redirect
spi: intel-pci: Add support for Granite Rapids SPI serial flash
ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag
spi: stm32: add a delay before SPI disable
spi: nxp-fspi: reset the FLSHxCR1 registers
ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset()
smb3: correct places where ENOTSUPP is used instead of preferred EOPNOTSUPP
scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command
scsi: pm80xx: Use phy-specific SAS address when sending PHY_START command
riscv: errata: fix T-Head dcache.cva encoding
drm/amdgpu: Handle null atom context in VBIOS info ioctl
drm/amdgpu/nbio4.3: set proper rmmio_remap.reg_offset for SR-IOV
drm/amdgpu/soc21: don't remap HDP registers for SR-IOV
drm/amd/display: Don't check registers, if using AUX BL control
thermal/of: add missing of_node_put()
platform/x86: asus-wmi: Support 2023 ROG X16 tablet mode
platform/mellanox: mlxbf-bootctl: add NET dependency into Kconfig
ata: sata_mv: Fix incorrect string length computation in mv_dump_mem()
net/smc: bugfix for smcr v2 server connect success statistic
ring-buffer: Do not attempt to read past "commit"
selftests: fix dependency checker script
btrfs: assert delayed node locked when removing delayed item
ring-buffer: Avoid softlockup in ring_buffer_resize()
selftests/ftrace: Correctly enable event in instance-event.tc
scsi: ufs: core: Poll HCS.UCRDY before issuing a UIC command
scsi: ufs: core: Move __ufshcd_send_uic_cmd() outside host_lock
scsi: qedf: Add synchronization between I/O completions and abort
parisc: irq: Make irq_stack_union static to avoid sparse warning
parisc: drivers: Fix sparse warning
parisc: iosapic.c: Fix sparse warnings
parisc: sba: Fix compile warning wrt list of SBA devices
nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()
spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain
spi: sun6i: reduce DMA RX transfer width to single byte
bpf: Annotate bpf_long_memcpy with data_race
dma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock
ceph: drop messages from MDS when unmounting
x86/reboot: VMCLEAR active VMCSes before emergency reboot
i2c: npcm7xx: Fix callback completion ordering
gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
firmware: arm_ffa: Don't set the memory region attributes for MEM_LEND
arm64: dts: imx: Add imx8mm-prt8mm.dtb to build
soc: imx8m: Enable OCOTP clock for imx8mm before reading registers
selftests/powerpc: Fix emit_tests to work with run_kselftest.sh
selftests/powerpc: Pass make context to children
selftests/powerpc: Use CLEAN macro to fix make warning
power: supply: rk817: Fix node refcount leak
xtensa: boot/lib: fix function prototypes
xtensa: umulsidi3: fix conditional expression
xtensa: boot: don't add include-dirs
xtensa: iss/network: make functions static
xtensa: add default definition for XCHAL_HAVE_DIV32
firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels()
power: supply: ucs1002: fix error code in ucs1002_get_property()
bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up
ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot
ARM: dts: Unify pinctrl-single pin group nodes for omap4
ARM: dts: Unify pwm-omap-dmtimer node names
ARM: dts: ti: omap: Fix bandgap thermal cells addressing for omap3/4
ARM: dts: omap: correct indentation
clk: tegra: fix error return case for recalc_rate
clk: sprd: Fix thm_parents incorrect configuration
power: supply: mt6370: Fix missing error code in mt6370_chg_toggle_cfo()
firmware: arm_scmi: Fixup perf power-cost/microwatt support
firmware: arm_scmi: Harden perf domain info access
bus: ti-sysc: Fix missing AM35xx SoC matching
bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset()
drm/bridge: ti-sn65dsi83: Do not generate HFP/HBP/HSA and EOT packet
spi: spi-gxp: BUG: Correct spi write return value
MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled
vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()
btrfs: reset destination buffer when read_extent_buffer() gets invalid range
drm/amdkfd: Insert missing TLB flush on GFX10 and later
drm/amdkfd: Flush TLB after unmapping for GFX v9.4.3
scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()
scsi: qla2xxx: Select qpair depending on which CPU post_cmd() gets called
wifi: ath11k: Cleanup mac80211 references on failure during tx_complete
wifi: ath11k: fix tx status reporting in encap offload mode
arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved
s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_CLR2SECK2 IOCTL
f2fs: get out of a repeat loop when getting a locked data page
f2fs: optimize iteration over sparse directories
ARM: dts: qcom: msm8974pro-castor: correct touchscreen syna,nosleep-mode
ARM: dts: qcom: msm8974pro-castor: correct touchscreen function names
ARM: dts: qcom: msm8974pro-castor: correct inverted X of touchscreen
ARM: dts: samsung: exynos4210-i9100: Fix LCD screen's physical size
ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2
i2c: xiic: Correct return value check for xiic_reinit()
i2c: mux: gpio: Add missing fwnode_handle_put()
i2c: mux: demux-pinctrl: check the return value of devm_kstrdup()
gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
cifs: Fix UAF in cifs_demultiplex_thread()
proc: nommu: fix empty /proc/<pid>/maps
proc: nommu: /proc/<pid>/maps: release mmap read lock
igc: Expose tx-usecs coalesce setting to user
octeontx2-pf: Do xdp_do_flush() after redirects.
bnxt_en: Flush XDP for bnxt_poll_nitroa0()'s NAPI
net: ena: Flush XDP packets on error.
locking/seqlock: Do the lockdep annotation before locking in do_write_seqcount_begin_nested()
i915/pmu: Move execlist stats initialization to execlist specific setup
netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP
netfilter: nf_tables: disable toggling dormant table state more than once
net: rds: Fix possible NULL-pointer dereference
team: fix null-ptr-deref when team device type is changed
net: bridge: use DEV_STATS_INC()
net: hns3: add 5ms delay before clear firmware reset irq source
net: hns3: fix fail to delete tc flower rules during reset issue
net: hns3: only enable unicast promisc when mac table full
net: hns3: fix GRE checksum offload issue
net: hns3: add cmdq check for vf periodic service task
x86/srso: Fix SBPB enablement for spec_rstack_overflow=off
x86/srso: Fix srso_show_state() side effect
platform/x86: intel_scu_ipc: Fail IPC send if still busy
platform/x86: intel_scu_ipc: Don't override scu in intel_scu_ipc_dev_simple_command()
platform/x86: intel_scu_ipc: Check status upon timeout in ipc_wait_for_interrupt()
platform/x86: intel_scu_ipc: Check status after timeout in busy_loop()
net: hsr: Properly parse HSRv1 supervisor frames.
x86/mm, kexec, ima: Use memblock_free_late() from ima_free_kexec_buffer()
dccp: fix dccp_v4_err()/dccp_v6_err() again
powerpc/perf/hv-24x7: Update domain value check
scsi: iscsi_tcp: restrict to TCP sockets
ipv4: fix null-deref in ipv4_link_failure
igc: Fix infinite initialization loop with early XDP redirect
ionic: fix 16bit math issue when PAGE_SIZE >= 64KB
netfilter, bpf: Adjust timeouts of non-confirmed CTs in bpf_ct_insert_entry()
i40e: Fix VF VLAN offloading when port VLAN is configured
iavf: schedule a request immediately after add/delete vlan
iavf: add iavf_schedule_aq_request() helper
ASoC: SOF: core: Only call sof_ops_free() on remove if the probe was successful
iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set
octeon_ep: fix tx dma unmap len values in SG
ASoC: imx-audmix: Fix return error with devm_clk_get()
ASoC: hdaudio.c: Add missing check for devm_kstrdup
net/core: Fix ETH_P_1588 flow dissector
selftests: tls: swap the TX and RX sockets in some tests
netfilter: conntrack: fix extension size table
ALSA: hda/realtek: Splitting the UX3402 into two separate models
ASoC: rt5640: Fix IRQ not being free-ed for HDA jack detect mode
ASoC: rt5640: Revert "Fix sleep in atomic context"
bpf: Avoid deadlock when using queue and stack maps from NMI
netfilter: nf_tables: disallow element removal on anonymous sets
ASoC: meson: spdifin: start hw on dai probe
netfilter: nf_tables: fix memleak when more than 255 elements expired
netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration
netfilter: nft_set_pipapo: stop GC iteration if GC transaction allocation fails
netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC
netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention
netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
netfilter: nf_tables: defer gc run if previous batch is still pending
netfilter: nf_tables: use correct lock to protect gc_list
netfilter: nf_tables: GC transaction race with abort path
netfilter: nf_tables: GC transaction race with netns dismantle
netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
netfilter: nf_tables: don't fail inserts if duplicate has expired
netfilter: nf_tables: remove busy mark and gc batch API
netfilter: nft_set_hash: mark set element as dead when deleting from packet path
netfilter: nf_tables: adapt set backend to use GC transaction API
netfilter: nf_tables: GC transaction API to avoid race with control plane
netfilter: nf_tables: don't skip expired elements during walk
ext4: do not let fstrim block system suspend
ext4: move setting of trimmed bit into ext4_try_to_trim_range()
ext4: replace the traditional ternary conditional operator with with max()/min()
btrfs: remove BUG() after failure to insert delayed dir index item
btrfs: improve error message after failure to add delayed dir index item
dm: fix a race condition in retrieve_deps
netfs: Only call folio_start_fscache() one time for each folio
media: via: Use correct dependency for camera sensor drivers
media: v4l: Use correct dependency for camera sensor drivers
NFSv4.1: fix pnfs MDS=DS session trunking
NFSv4.1: use EXCHGID4_FLAG_USE_PNFS_DS for DS server
SUNRPC: Mark the cred for revalidation if the server rejects it
NFS/pNFS: Report EINVAL errors from connect() to the server
NFS: More fixes for nfs_direct_write_reschedule_io()
NFS: Use the correct commit info in nfs_join_page_group()
NFS: More O_DIRECT accounting fixes for error paths
NFS: Fix O_DIRECT locking issues
NFS: Fix error handling for O_DIRECT write scheduling
ANDROID: GKI: Fix firmware: smccc build error
ANDROID: Move microdroid and crashdump defconfigs to common
Linux 6.1.55
interconnect: Teach lockdep about icc_bw_lock order
net/sched: Retire rsvp classifier
drm/amdgpu: fix amdgpu_cs_p1_user_fence
Revert "memcg: drop kmem.limit_in_bytes"
drm/amd/display: fix the white screen issue when >= 64GB DRAM
ext4: fix rec_len verify error
scsi: pm8001: Setup IRQs on resume
scsi: megaraid_sas: Fix deadlock on firmware crashdump
ata: libahci: clear pending interrupt status
ata: libata: disallow dev-initiated LPM transitions to unsupported states
i2c: aspeed: Reset the i2c controller when timeout occurs
tracefs: Add missing lockdown check to tracefs_create_dir()
nfsd: fix change_info in NFSv4 RENAME replies
selinux: fix handling of empty opts in selinux_fs_context_submount()
tracing: Have option files inc the trace array ref count
tracing: Have current_trace inc the trace array ref count
tracing: Increase trace array ref count on enable and filter files
tracing: Have event inject files inc the trace array ref count
tracing: Have tracing_max_latency inc the trace array ref count
btrfs: check for BTRFS_FS_ERROR in pending ordered assert
btrfs: release path before inode lookup during the ino lookup ioctl
btrfs: fix a compilation error if DEBUG is defined in btree_dirty_folio
btrfs: fix lockdep splat and potential deadlock after failure running delayed items
dm: don't attempt to queue IO under RCU protection
Revert "drm/amd: Disable S/G for APUs when 64GB or more host memory"
md: Put the right device in md_seq_next
nvme: avoid bogus CRTO values
io_uring/net: fix iter retargeting for selected buf
ovl: fix incorrect fdput() on aio completion
ovl: fix failed copyup of fileattr on a symlink
attr: block mode changes of symlinks
Revert "SUNRPC: Fail faster on bad verifier"
md/raid1: fix error: ISO C90 forbids mixed declarations
samples/hw_breakpoint: fix building without module unloading
x86/purgatory: Remove LTO flags
x86/boot/compressed: Reserve more memory for page tables
panic: Reenable preemption in WARN slowpath
scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
scsi: target: core: Fix target_cmd_counter leak
riscv: kexec: Align the kexeced kernel entry
x86/ibt: Suppress spurious ENDBR
selftests: tracing: Fix to unmount tracefs for recovering environment
scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir()
drm: gm12u320: Fix the timeout usage for usb_bulk_msg()
nvmet-tcp: pass iov_len instead of sg->length to bvec_set_page()
nvmet: use bvec_set_page to initialize bvecs
block: factor out a bvec_set_page helper
btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super
btrfs: add a helper to read the superblock metadata_uuid
MIPS: Use "grep -E" instead of "egrep"
misc: fastrpc: Fix incorrect DMA mapping unmap request
misc: fastrpc: Prepare to dynamic dma-buf locking specification
dma-buf: Add unlocked variant of attachment-mapping functions
printk: Consolidate console deferred printing
printk: Keep non-panic-CPUs out of console lock
interconnect: Fix locking for runpm vs reclaim
kobject: Add sanity check for kset->kobj.ktype in kset_register()
media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning
usb: chipidea: add workaround for chipidea PEC bug
usb: ehci: add workaround for chipidea PORTSC.PEC bug
misc: open-dice: make OPEN_DICE depend on HAS_IOMEM
serial: cpm_uart: Avoid suspicious locking
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
tools: iio: iio_generic_buffer: Fix some integer type and calculation
usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
usb: cdns3: Put the cdns set active part outside the spin lock
media: pci: cx23885: replace BUG with error return
media: tuners: qt1010: replace BUG_ON with a regular error
scsi: lpfc: Abort outstanding ELS cmds when mailbox timeout error is detected
media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer
media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
media: anysee: fix null-ptr-deref in anysee_master_xfer
media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer
media: mdp3: Fix resource leaks in of_find_device_by_node
PCI: fu740: Set the number of MSI vectors
PCI: vmd: Disable bridge window for domain reset
powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
ARM: 9317/1: kexec: Make smp stop calls asynchronous
PCI: dwc: Provide deinit callback for i.MX
jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
ext2: fix datatype of block number in ext2_xattr_set2()
md: raid1: fix potential OOB in raid1_remove_disk()
bus: ti-sysc: Configure uart quirks for k3 SoC
drm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer()
drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
drm/amd/display: Blocking invalid 420 modes on HDMI TMDS for DCN314
drm/amd/display: Blocking invalid 420 modes on HDMI TMDS for DCN31
drm/amd/display: Use DTBCLK as refclk instead of DPREFCLK
ALSA: hda: intel-dsp-cfg: add LunarLake support
ASoC: Intel: sof_sdw: Update BT offload config for soundwire config
ASoC: SOF: topology: simplify code to prevent static analysis warnings
drm/amd/display: Fix underflow issue on 175hz timing
samples/hw_breakpoint: Fix kernel BUG 'invalid opcode: 0000'
arm64: dts: qcom: sm8250-edo: correct ramoops pmsg-size
arm64: dts: qcom: sm8150-kumano: correct ramoops pmsg-size
arm64: dts: qcom: sm6350: correct ramoops pmsg-size
arm64: dts: qcom: sm6125-pdx201: correct ramoops pmsg-size
drm/edid: Add quirk for OSVR HDK 2.0
drm/bridge: tc358762: Instruct DSI host to generate HSE packets
libbpf: Free btf_vmlinux when closing bpf_object
wifi: mac80211_hwsim: drop short frames
wifi: mac80211: check for station first in client probe
wifi: cfg80211: ocb: don't leave if not joined
wifi: cfg80211: reject auth/assoc to AP with our address
netfilter: ebtables: fix fortify warnings in size_entry_mwt()
wifi: mac80211: check S1G action frame size
alx: fix OOB-read compiler warning
mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450
tpm_tis: Resend command to recover from data transfer errors
netlink: convert nlk->flags to atomic flags
Bluetooth: Fix hci_suspend_sync crash
crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
net/ipv4: return the real errno instead of -EINVAL
net: Use sockaddr_storage for getsockopt(SO_PEERNAME).
can: sun4i_can: Add support for the Allwinner D1
can: sun4i_can: Add acceptance register quirk
wifi: wil6210: fix fortify warnings
mt76: mt7921: don't assume adequate headroom for SDIO headers
wifi: mwifiex: fix fortify warning
wifi: ath9k: fix printk specifier
wifi: ath9k: fix fortify warnings
ice: Don't tx before switchdev is fully configured
crypto: lrw,xts - Replace strlcpy with strscpy
devlink: remove reload failed checks in params get/set callbacks
selftests/nolibc: fix up kernel parameters support
ACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects
hw_breakpoint: fix single-stepping when using bpf_overflow_handler
perf/imx_ddr: speed up overflow frequency of cycle
perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09
ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470
scftorture: Forgive memory-allocation failure if KASAN
rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle()
kernel/fork: beware of __put_task_struct() calling context
ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock
btrfs: output extra debug info if we failed to find an inline backref
autofs: fix memory leak of waitqueues in autofs_catatonic_mode
Linux 6.1.54
drm/amd/display: Fix a bug when searching for insert_above_mpcc
MIPS: Only fiddle with CHECKFLAGS if `need-compiler'
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
ixgbe: fix timestamp configuration code
tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address.
tcp: Fix bind() regression for v4-mapped-v6 wildcard address.
tcp: Factorise sk_family-independent comparison in inet_bind2_bucket_match(_addr_any).
ipv6: Remove in6addr_any alternatives.
ipv6: fix ip6_sock_set_addr_preferences() typo
net: macb: fix sleep inside spinlock
net: macb: Enable PTP unicast
net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
platform/mellanox: NVSW_SN2201 should depend on ACPI
platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
platform/mellanox: mlxbf-pmc: Fix potential buffer overflows
platform/mellanox: mlxbf-tmfifo: Drop jumbo frames
platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
kcm: Fix memory leak in error path of kcm_sendmsg()
r8152: check budget for r8152_poll()
net: dsa: sja1105: block FDB accesses that are concurrent with a switch reset
net: dsa: sja1105: serialize sja1105_port_mcast_flood() with other FDB accesses
net: dsa: sja1105: fix multicast forwarding working only for last added mdb entry
net: dsa: sja1105: propagate exact error code from sja1105_dynamic_config_poll_valid()
net: dsa: sja1105: hide all multicast addresses from "bridge fdb show"
net:ethernet:adi:adin1110: Fix forwarding offload
net: ethernet: adi: adin1110: use eth_broadcast_addr() to assign broadcast address
hsr: Fix uninit-value access in fill_frame_info()
net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()
net: stmmac: fix handling of zero coalescing tx-usecs
net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add
selftests: Keep symlinks, when possible
kselftest/runner.sh: Propagate SIGTERM to runner child
net: ipv4: fix one memleak in __inet_del_ifa()
kunit: Fix wild-memory-access bug in kunit_free_suite_set()
drm/amdgpu: register a dirty framebuffer callback for fbcon
drm/amd/display: Remove wait while locked
drm/amd/display: always switch off ODM before committing more streams
perf hists browser: Fix the number of entries for 'e' key
perf tools: Handle old data in PERF_RECORD_ATTR
perf test shell stat_bpf_counters: Fix test on Intel
perf hists browser: Fix hierarchy mode header
MIPS: Fix CONFIG_CPU_DADDI_WORKAROUNDS `modules_install' regression
KVM: SVM: Skip VMSA init in sev_es_init_vmcb() if pointer is NULL
KVM: SVM: Set target pCPU during IRTE update if target vCPU is running
KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state
KVM: nSVM: Check instead of asserting on nested TSC scaling support
KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration
KVM: SVM: Don't inject #UD if KVM attempts to skip SEV guest insn
KVM: SVM: Take and hold ir_list_lock when updating vCPU's Physical ID entry
drm/amd/display: prevent potential division by zero errors
drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma
mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller
mtd: rawnand: brcmnand: Fix potential false time out warning
mtd: spi-nor: Correct flags for Winbond w25q128
mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
mtd: rawnand: brcmnand: Fix crash during the panic_write
drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()
btrfs: use the correct superblock to compare fsid in btrfs_validate_super
btrfs: zoned: re-enable metadata over-commit for zoned mode
btrfs: set page extent mapped after read_folio in relocate_one_page
btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART
btrfs: free qgroup rsv on io failure
btrfs: fix start transaction qgroup rsv double free
btrfs: zoned: do not zone finish data relocation block group
fuse: nlookup missing decrement in fuse_direntplus_link
ata: pata_ftide010: Add missing MODULE_DESCRIPTION
ata: sata_gemini: Add missing MODULE_DESCRIPTION
ata: pata_falcon: fix IO base selection for Q40
ata: ahci: Add Elkhart Lake AHCI controller
hwspinlock: qcom: add missing regmap config for SFPB MMIO implementation
lib: test_scanf: Add explicit type cast to result initialization in test_number_prefix()
f2fs: avoid false alarm of circular locking
f2fs: flush inode if atomic file is aborted
ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
ext4: add correct group descriptors and reserved GDT blocks to system zone
jbd2: correct the end of the journal recovery scan range
jbd2: check 'jh->b_transaction' before removing it from checkpoint
jbd2: fix checkpoint cleanup performance regression
dmaengine: sh: rz-dmac: Fix destination and source data size setting
clocksource/drivers/arm_arch_timer: Disable timer before programming CVAL
ARC: atomics: Add compiler barrier to atomic operations...
net/mlx5: Free IRQ rmap and notifier on kernel shutdown
Multi-gen LRU: avoid race in inc_min_seq()
sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory()
net: hns3: remove GSO partial feature bit
net: hns3: fix the port information display when sfp is absent
net: hns3: fix invalid mutex between tc qdisc and dcb ets command issue
net: hns3: fix debugfs concurrency issue between kfree buffer and read
net: hns3: fix byte order conversion issue in hclge_dbg_fd_tcam_read()
net: hns3: fix tx timeout issue
netfilter: nfnetlink_osf: avoid OOB read
netfilter: nftables: exthdr: fix 4-byte stack OOB write
bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check.
bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in kern_sys_bpf().
bpf: Remove prog->active check for bpf_lsm and bpf_iter
net: dsa: sja1105: complete tc-cbs offload support on SJA1110
net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too many times
net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software and offload
ip_tunnels: use DEV_STATS_INC()
idr: fix param name in idr_alloc_cyclic() doc
s390/zcrypt: don't leak memory if dev_set_name() fails
igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
igc: Change IGC_MIN to allow set rx/tx value between 64 and 80
octeontx2-af: Fix truncation of smq in CN10K NIX AQ enqueue mbox handler
kcm: Destroy mutex in kcm_exit_net()
net: sched: sch_qfq: Fix UAF in qfq_dequeue()
af_unix: Fix data race around sk->sk_err.
af_unix: Fix data-races around sk->sk_shutdown.
af_unix: Fix data-race around unix_tot_inflight.
af_unix: Fix data-races around user->unix_inflight.
bpf, sockmap: Fix skb refcnt race after locking changes
net: phy: micrel: Correct bit assignments for phy_device flags
net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
veth: Fixing transmit return status for dropped packets
gve: fix frag_list chaining
igb: disable virtualization features on 82580
ipv6: ignore dst hint for multipath routes
ipv4: ignore dst hint for multipath routes
mptcp: annotate data-races around msk->rmem_fwd_alloc
net: annotate data-races around sk->sk_forward_alloc
net: use sk_forward_alloc_get() in sk_get_meminfo()
drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()
drm/i915/gvt: Put the page reference obtained by KVM's gfn_to_pfn()
drm/i915/gvt: Verify pfn is "valid" before dereferencing "struct page"
xsk: Fix xsk_diag use-after-free error during socket cleanup
net: fib: avoid warn splat in flow dissector
net: read sk->sk_family once in sk_mc_loop()
ipv4: annotate data-races around fi->fib_dead
sctp: annotate data-races around sk->sk_wmem_queued
net/sched: fq_pie: avoid stalls in fq_pie_timer()
smb: propagate error code of extract_sharename()
cifs: use fs_context for automounts
blk-throttle: consider 'carryover_ios/bytes' in throtl_trim_slice()
blk-throttle: use calculate_io/bytes_allowed() for throtl_trim_slice()
drm/i915: mark requests for GuC virtual engines to avoid use-after-free
perf test stat_bpf_counters_cgrp: Enhance perf stat cgroup BPF counter test
perf test stat_bpf_counters_cgrp: Fix shellcheck issue about logical operators
pwm: lpc32xx: Remove handling of PWM channels
watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
perf top: Don't pass an ERR_PTR() directly to perf_session__delete()
perf vendor events: Drop STORES_PER_INST metric event for power10 platform
perf vendor events: Drop some of the JSON/events for power10 platform
perf vendor events: Update the JSON/events descriptions for power10 platform
x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
perf annotate bpf: Don't enclose non-debug code with an assert()
Input: tca6416-keypad - fix interrupt enable disbalance
Input: tca6416-keypad - always expect proper IRQ number in i2c client
backlight: gpio_backlight: Drop output GPIO direction check for initial power state
pwm: atmel-tcb: Fix resource freeing in error path and remove
pwm: atmel-tcb: Harmonize resource allocation order
pwm: atmel-tcb: Convert to platform remove callback returning void
perf trace: Really free the evsel->priv area
perf trace: Use zfree() to reduce chances of use after free
Input: iqs7222 - configure power mode before triggering ATI
kconfig: fix possible buffer overflow
mailbox: qcom-ipcc: fix incorrect num_chans counting
gfs2: low-memory forced flush fixes
gfs2: Switch to wait_event in gfs2_logd
tpm_crb: Fix an error handling path in crb_acpi_add()
kbuild: do not run depmod for 'make modules_sign'
kbuild: rpm-pkg: define _arch conditionally
net: deal with integer overflows in kmalloc_reserve()
net: factorize code in kmalloc_reserve()
net: remove osize variable in __alloc_skb()
net: add SKB_HEAD_ALIGN() helper
bus: mhi: host: Skip MHI reset if device is in RDDM
NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
NFS: Fix a potential data corruption
clk: qcom: mss-sc7180: fix missing resume during probe
clk: qcom: q6sstop-qcs404: fix missing resume during probe
clk: qcom: lpasscc-sc7280: fix missing resume during probe
clk: qcom: dispcc-sm8450: fix runtime PM imbalance on probe errors
soc: qcom: qmi_encdec: Restrict string length in decode
clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
clk: imx: pll14xx: align pdiv with reference manual
clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz
dt-bindings: clock: xlnx,versal-clk: drop select:false
pinctrl: cherryview: fix address_space_handler() argument
cifs: update desired access while requesting for directory lease
parisc: led: Reduce CPU overhead for disk & lan LED computation
parisc: led: Fix LAN receive and transmit LEDs
lib/test_meminit: allocate pages up to order MAX_ORDER
mm: hugetlb_vmemmap: fix a race between vmemmap pmd split
memcg: drop kmem.limit_in_bytes
send channel sequence number in SMB3 requests after reconnects
arm64: dts: renesas: rzg2l: Fix txdv-skew-psec typos
clk: qcom: turingcc-qcs404: fix missing resume during probe
ASoC: tegra: Fix SFC conversion for few rates
drm/ast: Fix DRAM init on AST2200
clk: qcom: camcc-sc7180: fix async resume during probe
fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
null_blk: fix poll request timeout handling
scsi: qla2xxx: Fix firmware resource tracking
scsi: qla2xxx: Error code did not return to upper layer
scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit()
scsi: qla2xxx: Flush mailbox commands on chip reset
scsi: qla2xxx: Remove unsupported ql2xenabledif option
scsi: qla2xxx: Fix TMF leak through
scsi: qla2xxx: Fix session hang in gnl
scsi: qla2xxx: Turn off noisy message log
scsi: qla2xxx: Fix erroneous link up failure
scsi: qla2xxx: Fix command flush during TMF
scsi: qla2xxx: fix inconsistent TMF timeout
scsi: qla2xxx: Fix deletion race condition
scsi: qla2xxx: Limit TMF to 8 per function
scsi: qla2xxx: Adjust IOCB resource on qpair create
drm/virtio: Conditionally allocate virtio_gpu_fence
io_uring: Don't set affinity on a dying sqpoll thread
io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used
io_uring: break out of iowq iopoll on teardown
io_uring/net: don't overflow multishot accept
io_uring: revert "io_uring fix multishot accept ordering"
io_uring: always lock in io_apoll_task_func
Multi-gen LRU: fix per-zone reclaim
mm: multi-gen LRU: rename lrugen->lists[] to lrugen->folios[]
net/ipv6: SKB symmetric hash should incorporate transport ports
ANDROID: GKI: fix up merge issue in drivers/scsi/storvsc_drv.c
Linux 6.1.53
udf: initialize newblock to 0
clk: Avoid invalid function names in CLK_OF_DECLARE()
treewide: Fix probing of devices in DT overlays
clk: Mark a fwnode as initialized when using CLK_OF_DECLARE() macro
md: fix regression for null-ptr-deference in __md_stop()
NFSv4.2: Rework scratch handling for READ_PLUS (again)
NFSv4.2: Fix a potential double free with READ_PLUS
md: Free resources in __md_stop
Revert "drm/amd/display: Do not set drr on pipe commit"
tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY
serial: sc16is7xx: fix regression with GPIO configuration
serial: sc16is7xx: remove obsolete out_thread label
perf/x86/uncore: Correct the number of CHAs on EMR
x86/sgx: Break up long non-preemptible delays in sgx_vepc_release()
USB: core: Fix oversight in SuperSpeed initialization
USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
USB: core: Change usb_get_device_descriptor() API
USB: core: Unite old scheme and new scheme descriptor reads
usb: typec: bus: verify partner exists in typec_altmode_attention
usb: typec: tcpm: set initial svdm version based on pd revision
of: property: fw_devlink: Add a devlink for panel followers
cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug
crypto: stm32 - fix loop iterating through scatterlist for DMA
s390/dasd: fix string length handling
s390/ipl: add missing secure/has_secure file to ipl type 'unknown'
s390/dcssblk: fix kernel crash with list_add corruption
arm64: sdei: abort running SDEI handlers during crash
pstore/ram: Check start of empty przs during init
mmc: renesas_sdhi: register irqs before registering controller
platform/chrome: chromeos_acpi: print hex string for ACPI_TYPE_BUFFER
x86/MCE: Always save CS register on AMD Zen IF Poison errors
fsverity: skip PKCS#7 parser when keyring is empty
net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
X.509: if signature is unsupported skip validation
r8169: fix ASPM-related issues on a number of systems with NIC version from RTL8168h
x86/sev: Make enc_dec_hypercall() accept a size instead of npages
dccp: Fix out of bounds access in DCCP error handler
dlm: fix plock lookup when using multiple lockspaces
bpf: Fix issue in verifying allow_ptr_leaks
drm/amd/display: Add smu write msg id fail retry process
parisc: Fix /proc/cpuinfo output for lscpu
procfs: block chmod on /proc/thread-self/comm
block: don't add or resize partition on the disk with GENHD_FL_NO_PART
Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
ntb: Fix calculation ntb_transport_tx_free_entry()
ntb: Clean up tx tail index on link down
ntb: Drop packets when qp link is down
PCI/PM: Only read PCI_PM_CTRL register when available
PCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation
PCI: Free released resource after coalescing
scsi: mpt3sas: Perform additional retries if doorbell read returns 0
Revert "scsi: qla2xxx: Fix buffer overrun"
media: venus: hfi_venus: Write to VIDC_CTRL_INIT after unmasking interrupts
media: dvb: symbol fixup for dvb_attach()
ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs.
arm64: csum: Fix OoB access in IP checksum code for negative lengths
i3c: master: svc: fix probe failure when no i3c device exist
LoongArch: mm: Add p?d_leaf() definitions
xtensa: PMU: fix base address for the newer hardware
drm/amd/display: register edp_backlight_control() for DCN301
backlight/lv5207lp: Compare against struct fb_info.device
backlight/bd6107: Compare against struct fb_info.device
backlight/gpio_backlight: Compare against struct fb_info.device
io_uring: break iopolling on signal
XArray: Do not return sibling entries from xa_load()
ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
ipmi_si: fix a memleak in try_smi_init()
PCI: rockchip: Use 64-bit mask on MSI 64-bit PCI address
media: i2c: Add a camera sensor top level menu
media: i2c: ccs: Check rules is non-NULL
cpu/hotplug: Prevent self deadlock on CPU hot-unplug
mm/vmalloc: add a safer version of find_vm_area() for debug
scsi: core: Fix the scsi_set_resid() documentation
printk: ringbuffer: Fix truncating buffer size min_t cast
rcu: dump vmalloc memory info safely
ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
PM / devfreq: Fix leak in devfreq_dev_release()
igb: set max size RX buffer when store bad packet is enabled
skbuff: skb_segment, Call zero copy functions before using skbuff frags
netfilter: xt_sctp: validate the flag_info count
netfilter: xt_u32: validate user space input
netfilter: nft_exthdr: Fix non-linear header modification
netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
virtio_ring: fix avail_wrap_counter in virtqueue_add_packed
cpufreq: Fix the race condition while updating the transition_task of policy
Drivers: hv: vmbus: Don't dereference ACPI root object handle
dmaengine: ste_dma40: Add missing IRQ check in d40_probe
um: Fix hostaudio build errors
mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume()
mtd: spi-nor: Check bus width while setting QE bit
leds: trigger: tty: Do not use LED_ON/OFF constants, use led_blink_set_oneshot instead
leds: Fix BUG_ON check for LED_COLOR_ID_MULTI that is always false
leds: multicolor: Use rounded division when calculating color components
leds: pwm: Fix error code in led_pwm_create_fwnode()
rpmsg: glink: Add check for kstrdup
phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write
phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate
phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328
dmaengine: idxd: Modify the dependence of attribute pasid_enabled
mtd: rawnand: brcmnand: Fix mtd oobsize
tracing: Fix race issue between cpu buffer write and swap
tracing: Remove extra space at the end of hwlat_detector/mode
x86/speculation: Mark all Skylake CPUs as vulnerable to GDS
tick/rcu: Fix false positive "softirq work is pending" messages
platform/x86/amd/pmf: Fix a missing cleanup path
HID: multitouch: Correct devm device reference for hidinput input_dev name
HID: uclogic: Correct devm device reference for hidinput input_dev name
HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode()
RDMA/efa: Fix wrong resources deallocation order
RDMA/siw: Correct wrong debug message
RDMA/siw: Balance the reference of cep->kref in the error path
Revert "IB/isert: Fix incorrect release of isert connection"
amba: bus: fix refcount leak
serial: tegra: handle clk prepare error in tegra_uart_hw_init()
interconnect: qcom: bcm-voter: Use enable_maks for keepalive voting
interconnect: qcom: bcm-voter: Improve enable_mask handling
interconnect: qcom: sm8450: Enable sync_state
scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
scsi: core: Use 32-bit hostnum in scsi_host_lookup()
RDMA/irdma: Prevent zero-length STAG registration
coresight: trbe: Fix TRBE potential sleep in atomic context
cgroup:namespace: Remove unused cgroup_namespaces_init()
Revert "f2fs: fix to do sanity check on extent cache correctly"
f2fs: Only lfs mode is allowed with zoned block device feature
f2fs: judge whether discard_unit is section only when have CONFIG_BLK_DEV_ZONED
f2fs: fix to avoid mmap vs set_compress_option case
media: i2c: rdacm21: Fix uninitialized value
media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors
media: ov2680: Fix ov2680_set_fmt() which == V4L2_SUBDEV_FORMAT_TRY not working
media: ov2680: Add ov2680_fill_format() helper function
media: ov2680: Don't take the lock for try_fmt calls
media: ov2680: Remove VIDEO_V4L2_SUBDEV_API ifdef-s
media: ov2680: Fix vflip / hflip set functions
media: ov2680: Fix ov2680_bayer_order()
media: ov2680: Remove auto-gain and auto-exposure controls
media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips
media: ov5640: Fix initial RESETB state and annotate timings
media: ov5640: Enable MIPI interface in ov5640_set_power_mipi()
HID: input: Support devices sending Eraser without Invert
drivers: base: Free devm resources when unregistering a device
USB: gadget: f_mass_storage: Fix unused variable warning
USB: gadget: core: Add missing kerneldoc for vbus_work
docs: ABI: fix spelling/grammar in SBEFIFO timeout interface
media: venus: hfi_venus: Only consider sys_idle_indicator on V1
media: go7007: Remove redundant if statement
media: cec: core: add adap_unconfigured() callback
media: cec: core: add adap_nb_transmit_canceled() callback
platform/x86: dell-sysman: Fix reference leak
iommu/vt-d: Fix to flush cache of PASID directory table
iommu/qcom: Disable and reset context bank before programming
fsi: aspeed: Reset master errors after CFAM reset
IB/uverbs: Fix an potential error pointer dereference
RDMA/hns: Fix CQ and QP cache affinity
RDMA/hns: Fix inaccurate error label name in init instance
RDMA/hns: Fix incorrect post-send with direct wqe of wr-list
RDMA/hns: Fix port active speed
iommu/sprd: Add missing force_aperture
iommu/mediatek: Fix two IOMMU share pagetable issue
iommu/mediatek: Remove unused "mapping" member from mtk_iommu_data
extcon: cht_wc: add POWER_SUPPLY dependency
kernfs: add stub helper for kernfs_generic_poll()
driver core: Call dma_cleanup() on the test_remove path
driver core: test_async: fix an error code
dma-buf/sync_file: Fix docs syntax
interconnect: qcom: qcm2290: Enable sync state
coresight: tmc: Explicit type conversions to prevent integer overflow
RDMA/irdma: Replace one-element array with flexible-array member
scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly
scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
RDMA/rxe: Fix incomplete state save in rxe_requester
RDMA/rxe: Split rxe_run_task() into two subroutines
x86/APM: drop the duplicate APM_MINOR_DEV macro
serial: sprd: Fix DMA buffer leak issue
serial: sprd: Assign sprd_port after initialized to avoid wrong access
iio: accel: adxl313: Fix adxl313_i2c_id[] table
scsi: qla4xxx: Add length check when parsing nlattrs
scsi: be2iscsi: Add length check when parsing nlattrs
scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
scsi: iscsi: Add length check for nlattr payload
scsi: iscsi: Rename iscsi_set_param() to iscsi_if_set_param()
scsi: RDMA/srp: Fix residual handling
usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()
media: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init()
media: mediatek: vcodec: fix potential double free
media: mediatek: vcodec: Return NULL if no vdec_fb is found
media: amphion: ensure the bitops don't cross boundaries
media: amphion: fix UNUSED_VALUE issue reported by coverity
media: amphion: fix UNINIT issues reported by coverity
media: amphion: fix REVERSE_INULL issues reported by coverity
media: amphion: fix CHECKED_RETURN issues reported by coverity
media: rkvdec: increase max supported height for H.264
media: mtk-jpeg: Fix use after free bug due to uncanceled work
media: amphion: add helper function to get id name
media: amphion: reinit vpu if reqbufs output 0
dt-bindings: extcon: maxim,max77843: restrict connector properties
scsi: hisi_sas: Fix normally completed I/O analysed as failed
scsi: hisi_sas: Fix warnings detected by sparse
RDMA/siw: Fabricate a GID on tun and loopback devices
media: cx24120: Add retval check for cx24120_message_send()
media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
media: dib7000p: Fix potential division by zero
drivers: usb: smsusb: fix error handling code in smsusb_init_device
iommu: rockchip: Fix directory table address encoding
iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind
media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()
media: i2c: tvp5150: check return value of devm_kasprintf()
media: ad5820: Drop unsupported ad5823 from i2c_ and of_device_id tables
media: ov5640: fix low resolution image abnormal issue
RDMA/qedr: Remove a duplicate assignment in irdma_query_ah()
cgroup/cpuset: Inherit parent's load balance state in v2
pNFS: Fix assignment of xprtdata.cred
NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ
NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN
NFSD: da_addr_body field missing in some GETDEVICEINFO replies
fs: lockd: avoid possible wrong NULL parameter
jfs: validate max amount of blocks before allocation.
ext4: fix unttached inode after power cut with orphan file feature enabled
powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
powerpc/mpc5xxx: Add missing fwnode_handle_put()
powerpc/pseries: Fix hcall tracepoints with JUMP_LABEL=n
nfs/blocklayout: Use the passed in gfp flags
powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT
powerpc: Don't include lppaca.h in paca.h
NFSv4.2: Fix READ_PLUS size calculations
NFSv4.2: Fix up READ_PLUS alignment
NFSv4.2: Fix READ_PLUS smatch warnings
NFSv4.2: Rework scratch handling for READ_PLUS
wifi: ath10k: Use RMW accessors for changing LNKCTL
wifi: ath11k: Use RMW accessors for changing LNKCTL
net/mlx5: Use RMW accessors for changing LNKCTL
drm/radeon: Use RMW accessors for changing LNKCTL
drm/amdgpu: Use RMW accessors for changing LNKCTL
powerpc/perf: Convert fsl_emb notifier to state machine callbacks
powerpc/fadump: reset dump area size if fadump memory reserve fails
nvdimm: Fix dereference after free in register_nvdimm_pmu()
nvdimm: Fix memleak of pmu attr_groups in unregister_nvdimm_pmu()
vfio/type1: fix cap_migration information leak
powerpc/radix: Move some functions into #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
clk: imx: composite-8m: fix clock pauses when set_rate would be a no-op
clk: imx8mp: fix sai4 clock
clk: imx: imx8ulp: update SPLL2 type
clk: imx: pllv4: Fix SPLL2 MULT range
clk: qcom: gcc-sm8450: Use floor ops for SDCC RCGs
PCI/ASPM: Use RMW accessors for changing LNKCTL
PCI: pciehp: Use RMW accessors for changing LNKCTL
PCI: Add locking to RMW PCI Express Capability Register accessors
PCI: Allow drivers to request exclusive config regions
pinctrl: mcp23s08: check return value of devm_kasprintf()
PCI: Mark NVIDIA T4 GPUs to avoid bus reset
PCI: microchip: Correct the DED and SEC interrupt bit offsets
clk: qcom: gcc-sm6350: Fix gcc_sdcc2_apps_clk_src
clk: qcom: reset: Use the correct type of sleep/delay based on length
kvm/vfio: ensure kvg instance stays around in kvm_vfio_group_add()
kvm/vfio: Prepare for accepting vfio device fd
clk: qcom: gcc-sm8250: Fix gcc_sdcc2_apps_clk_src
ext4: avoid potential data overflow in next_linear_group
ext4: correct grp validation in ext4_mb_good_group
EDAC/igen6: Fix the issue of no error events
clk: qcom: gcc-sc7180: Fix up gcc_sdcc2_apps_clk_src
clk: sunxi-ng: Modify mismatched function name
PCI/DOE: Fix destroy_work_on_stack() race
drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init()
PCI: qcom-ep: Switch MHI bus master clock off during L1SS
PCI: apple: Initialize pcie->nvecs before use
clk: rockchip: rk3568: Fix PLL rate setting for 78.75MHz
clk: qcom: gcc-sc8280xp: Add missing GDSCs
dt-bindings: clock: qcom,gcc-sc8280xp: Add missing GDSCs
clk: qcom: gcc-sc8280xp: Add missing GDSC flags
clk: qcom: gcc-sc8280xp: Add EMAC GDSCs
clk: qcom: gpucc-sm6350: Fix clock source names
clk: qcom: gpucc-sm6350: Introduce index-based clk lookup
ipmi:ssif: Fix a memory leak when scanning for an adapter
ipmi:ssif: Add check for kstrdup
ALSA: ac97: Fix possible error value of *rac97
of: unittest: Fix overlay type in apply/revert check
of: overlay: Call of_changeset_init() early
ASoC: SOF: amd: clear dsp to host interrupt status
md: raid0: account for split bio in iostat accounting
md/raid0: Fix performance regression for large sequential writes
md/raid0: Factor out helper for mapping and submitting a bio
md: add error_handlers for raid0 and linear
firmware: cs_dsp: Fix new control name check
md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid()
md/raid5-cache: fix a deadlock in r5l_exit_log()
bus: ti-sysc: Fix cast to enum warning
arm64: dts: qcom: sc8280xp-x13s: Unreserve NC pins
arm64: dts: qcom: msm8996: Fix dsi1 interrupts
arm64: dts: qcom: msm8998: Add missing power domain to MMSS SMMU
arm64: dts: qcom: msm8998: Drop bus clock reference from MMSS SMMU
arm64: dts: qcom: apq8016-sbc: Fix ov5640 regulator supply names
drm/mediatek: Fix potential memory leak if vmap() fail
ARM: dts: qcom: ipq4019: correct SDHCI XO clock
drm/mediatek: Remove freeing not dynamic allocated memory
bus: ti-sysc: Fix build warning for 64-bit build
drm/mediatek: dp: Add missing error checks in mtk_dp_parse_capabilities
io_uring: fix drain stalls by invalid SQE
block/mq-deadline: use correct way to throttling write requests
audit: fix possible soft lockup in __audit_inode_child()
drm/msm/a2xx: Call adreno_gpu_init() earlier
drm/amd/pm: fix variable dereferenced issue in amdgpu_device_attr_create()
smackfs: Prevent underflow in smk_set_cipso()
drm/msm/dpu: fix the irq index in dpu_encoder_phys_wb_wait_for_commit_done
firmware: meson_sm: fix to avoid potential NULL pointer dereference
drm/msm/mdp5: Don't leak some plane state
soc: qcom: smem: Fix incompatible types in comparison
drm: xlnx: zynqmp_dpsub: Add missing check for dma_set_mask
ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig
drm/panel: simple: Add missing connector type and pixel format for AUO T215HVN01
drm/repaper: Reduce temporary buffer size in repaper_fb_dirty()
drm/armada: Fix off-by-one error in armada_overlay_get_property()
ARM: dts: BCM53573: Fix Tenda AC9 switch CPU port
arm64: dts: qcom: sm8150: Fix the I2C7 interrupt
of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()
drm/tegra: dpaux: Fix incorrect return value of platform_get_irq
drm/msm: Update dev core dump to not print backwards
md/md-bitmap: hold 'reconfig_mutex' in backlog_store()
md/md-bitmap: remove unnecessary local variable in backlog_store()
md/raid10: use dereference_rdev_and_rrdev() to get devices
md/raid10: factor out dereference_rdev_and_rrdev()
md: restore 'noio_flag' for the last mddev_resume()
md: Change active_io to percpu
md: Factor out is_md_suspended helper
drm/amdgpu: Update min() to min_t() in 'amdgpu_info_ioctl'
arm64: dts: qcom: msm8996-gemini: fix touchscreen VIO supply
arm64: dts: qcom: sdm845: Fix the min frequency of "ice_core_clk"
arm64: dts: qcom: sdm845: Add missing RPMh power domain to GCC
ARM: dts: BCM53573: Fix Ethernet info for Luxul devices
drm: adv7511: Fix low refresh rate register for ADV7533/5
ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)
ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210
ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split)
drm/bridge: anx7625: Use common macros for HDCP capabilities
drm/bridge: anx7625: Use common macros for DP power sequencing commands
x86/mm: Fix PAT bit missing from page protection modify mask
block: don't allow enabling a cache on devices that don't support it
block: cleanup queue_wc_store
drm/etnaviv: fix dumping of active MMU context
arm64: tegra: Fix HSUART for Smaug
arm64: dts: qcom: pmi8994: Add missing OVP interrupt
arm64: dts: qcom: pm660l: Add missing short interrupt
arm64: dts: qcom: pm6150l: Add missing short interrupt
arm64: dts: qcom: sm8250-sony-xperia: correct GPIO keys wakeup again
arm64: tegra: Fix HSUART for Jetson AGX Orin
ARM: dts: BCM53573: Use updated "spi-gpio" binding properties
ARM: dts: BCM53573: Add cells sizes to PCIe node
ARM: dts: BCM53573: Drop nonexistent #usb-cells
drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar()
firmware: ti_sci: Use system_state to determine polling
ARM: dts: stm32: Add missing detach mailbox for DHCOM SoM
ARM: dts: stm32: Update to generic ADC channel binding on DHSOM systems
ARM: dts: stm32: Add missing detach mailbox for Odyssey SoM
ARM: dts: stm32: YAML validation fails for Odyssey Boards
ARM: dts: stm32: Add missing detach mailbox for emtrion emSBC-Argon
ARM: dts: stm32: adopt generic iio bindings for adc channels on emstamp-argon
ARM: dts: stm32: YAML validation fails for Argon Boards
ARM: dts: stm32: Rename mdio0 to mdio
arm64: dts: qcom: sm8250: Mark PCIe hosts as DMA coherent
arm64: dts: qcom: pmk8350: fix ADC-TM compatible string
arm64: dts: qcom: pmr735b: fix thermal zone name
arm64: dts: qcom: pm8350b: fix thermal zone name
arm64: dts: qcom: pm8350: fix thermal zone name
arm64: dts: qcom: sm8350: Use proper CPU compatibles
arm64: dts: qcom: sm8350: Add missing LMH interrupts to cpufreq
arm64: dts: qcom: sm8350: Fix CPU idle state residency times
arm64: dts: qcom: sdm845-tama: Set serial indices and stdout-path
arm64: dts: qcom: msm8996: Add missing interrupt to the USB2 controller
arm64: dts: qcom: sc8280xp: Add missing SCM interconnect
arm64: dts: qcom: sc8280xp-crd: Correct vreg_misc_3p3 GPIO
arm64: dts: qcom: sm8250-edo: Rectify gpio-keys
arm64: dts: qcom: sm8250-edo: Add GPIO line names for PMIC GPIOs
arm64: dts: qcom: sm8250-edo: Add gpio line names for TLMM
arm64: dts: qcom: msm8916-l8150: correct light sensor VDDIO supply
arm64: dts: qcom: sm8250: correct dynamic power coefficients
arm64: dts: qcom: sm6350: Fix ZAP region
soc: qcom: ocmem: Fix NUM_PORTS & NUM_MACROS macros
soc: qcom: ocmem: Add OCMEM hardware version print
ASoC: stac9766: fix build errors with REGMAP_AC97
drm/hyperv: Fix a compilation issue because of not including screen_info.h
drm/amd/display: Do not set drr on pipe commit
quota: fix dqput() to follow the guarantees dquot_srcu should provide
quota: add new helper dquot_active()
quota: rename dquot_active() to inode_quota_active()
quota: factor out dquot_write_dquot()
ASoC: cs43130: Fix numerator/denominator mixup
drm/bridge: tc358764: Fix debug print parameter order
netrom: Deny concurrent connect().
net/sched: sch_hfsc: Ensure inner classes have fsc curve
sfc: Check firmware supports Ethernet PTP filter
cteonxt2-pf: Fix backpressure config for multiple PFC priorities to work simultaneously
octeontx2-pf: Fix PFC TX scheduler free
octeontx2-pf: Refactor schedular queue alloc/free calls
hwmon: (tmp513) Fix the channel number in tmp51x_is_visible()
mlxsw: core_hwmon: Adjust module label names based on MTCAP sensor counter
mlxsw: i2c: Limit single transaction buffer size
mlxsw: i2c: Fix chunk size setting in output mailbox buffer
net: arcnet: Do not call kfree_skb() under local_irq_disable()
ice: avoid executing commands on other ports when driving sync
wifi: ath9k: use IS_ERR() with debugfs_create_dir()
arm64: mm: use ptep_clear() instead of pte_clear() in clear_flush()
Bluetooth: btusb: Do not call kfree_skb() under spin_lock_irqsave()
wifi: mwifiex: avoid possible NULL skb pointer dereference
mac80211: make ieee80211_tx_info padding explicit
wifi: nl80211/cfg80211: add forgotten nla_policy for BSS color attribute
wifi: ath9k: protect WMI command response buffer replacement with a lock
wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx
samples/bpf: fix broken map lookup probe
samples/bpf: fix bio latency check with tracepoint
ARM: dts: Add .dts files missing from the build
wifi: mwifiex: Fix missed return in oob checks failed path
wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
net: annotate data-races around sk->sk_lingertime
fs: ocfs2: namei: check return value of ocfs2_add_entry()
lwt: Check LWTUNNEL_XMIT_CONTINUE strictly
lwt: Fix return values of BPF xmit ops
hwrng: iproc-rng200 - Implement suspend and resume calls
crypto: caam - fix unchecked return value error
ice: ice_aq_check_events: fix off-by-one check when filling buffer
net-memcg: Fix scope of sockmem pressure indicators
selftests/bpf: Clean up fmod_ret in bench_rename test script
selftests/bpf: Fix repeat option when kfunc_call verification fails
net: tcp: fix unexcepted socket die when snd_wnd is 0
Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()
Bluetooth: hci_sync: Don't double print name in add/remove adv_monitor
Bluetooth: Fix potential use-after-free when clear keys
Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe()
crypto: api - Use work queue in crypto_destroy_instance
crypto: stm32 - Properly handle pm_runtime_get failing
kbuild: rust_is_available: fix confusion when a version appears in the path
kbuild: rust_is_available: add check for `bindgen` invocation
kbuild: rust_is_available: fix version check when CC has multiple arguments
kbuild: rust_is_available: remove -v option
selftests/bpf: fix static assert compilation issue for test_cls_*.c
wifi: mwifiex: fix error recovery in PCIE buffer descriptor management
wifi: mwifiex: Fix OOB and integer underflow when rx packets
wifi: mt76: mt7915: fix power-limits while chan_switch
can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM
spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe()
wifi: mt76: testmode: add nla_policy for MT76_TM_ATTR_TX_LENGTH
bpf: reject unhashed sockets in bpf_sk_assign
udp: re-score reuseport groups when connected sockets are present
wifi: mt76: mt7921: fix non-PSC channel scan fail
wifi: rtw89: debug: Fix error handling in rtw89_debug_priv_btc_manual_set()
regmap: rbtree: Use alloc_flags for memory allocations
hwrng: pic32 - use devm_clk_get_enabled
hwrng: nomadik - keep clock enabled while hwrng is registered
tcp: tcp_enter_quickack_mode() should be static
crypto: qat - change value of default idle filter
bpf: Fix an error in verifying a field in a union
bpf: Clear the probe_addr for uprobe
libbpf: Fix realloc API handling in zero-sized edge cases
bpftool: Use a local bpf_perf_event_value to fix accessing its fields
bpftool: Use a local copy of BPF_LINK_TYPE_PERF_EVENT in pid_iter.bpf.c
bpftool: Define a local bpf_perf_link to fix accessing its fields
bpftool: use a local copy of perf_event to fix accessing :: Bpf_cookie
selftests/bpf: Fix bpf_nf failure upon test rerun
cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit()
x86/efistub: Fix PCI ROM preservation in mixed mode
cpufreq: amd-pstate-ut: Fix kernel panic when loading the driver
cpufreq: amd-pstate-ut: Remove module parameter access
thermal/of: Fix potential uninitialized value access
ACPI: x86: s2idle: Fix a logic error parsing AMD constraints table
ACPI: x86: s2idle: Post-increment variables when getting constraints
irqchip/loongson-eiointc: Fix return value checking of eiointc_index
s390/paes: fix PKEY_TYPE_EP11_AES handling for secure keyblobs
s390/pkey: fix PKEY_TYPE_EP11_AES handling for sysfs attributes
s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_GENSECK2 IOCTL
s390/pkey: fix/harmonize internal keyblob headers
selftests/futex: Order calls to futex_lock_pi
perf/imx_ddr: don't enable counter0 if none of 4 counters are used
sched/rt: Fix sysctl_sched_rr_timeslice intial value
arm64/fpsimd: Only provide the length to cpufeature for xCR registers
arm64/sme: Don't use streaming mode to probe the maximum SME VL
x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved
sched/psi: Select KERNFS as needed
arm64/ptrace: Clean up error handling path in sve_set_common()
selftests/resctrl: Close perf value read fd on errors
selftests/resctrl: Unmount resctrl FS if child fails to run benchmark
selftests/resctrl: Don't leak buffer in fill_cache()
selftests/resctrl: Add resctrl.h into build deps
OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd()
refscale: Fix uninitalized use of wait_queue_head_t
ARM: ptrace: Restore syscall skipping for tracers
ARM: ptrace: Restore syscall restart tracing
vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing
selftests/harness: Actually report SKIP for signal tests
tmpfs: verify {g,u}id mount options correctly
iomap: Remove large folio handling in iomap_invalidate_folio()
fs: Fix error checking for d_hash_and_lookup()
eventfd: prevent underflow for eventfd semaphores
reiserfs: Check the return value from __getblk()
tools/resolve_btfids: Fix setting HOSTCFLAGS
tools/resolve_btfids: Pass HOSTCFLAGS as EXTRA_CFLAGS to prepare targets
tools/resolve_btfids: Tidy HOST_OVERRIDES
tools/resolve_btfids: Compile resolve_btfids as host program
tools/resolve_btfids: Alter how HOSTCC is forced
tools/resolve_btfids: Install subcmd headers
tools/resolve_btfids: Use pkg-config to locate libelf
tools lib subcmd: Add dependency test to install_headers
tools lib subcmd: Make install_headers clearer
tools lib subcmd: Add install target
Revert "net: macsec: preserve ingress frame ordering"
Revert "PCI: tegra194: Enable support for 256 Byte payload"
Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN
udf: Handle error when adding extent to a file
udf: Check consistency of Space Bitmap Descriptor
drm/amd/display: ensure async flips are only accepted for fast updates
net: Avoid address overwrite in kernel_connect
KVM: x86/mmu: Add "never" option to allow sticky disabling of nx_huge_pages
KVM: x86/mmu: Use kstrtobool() instead of strtobool()
tpm: Enable hwrng only for Pluton on AMD CPUs
crypto: rsa-pkcs1pad - Use helper to set reqsize
cpufreq: intel_pstate: set stale CPU frequency to minimum
of: property: Simplify of_link_to_phandle()
platform/mellanox: Fix mlxbf-tmfifo not handling all virtio CONSOLE notifications
tracing: Introduce pipe_cpumask to avoid race on trace_pipes
net: sfp: handle 100G/25G active optical cables in sfp_parse_support
ALSA: seq: oss: Fix racy open/close of MIDI devices
LoongArch: Fix the write_fcsr() macro
LoongArch: Let pmd_present() return true when splitting pmd
scsi: lpfc: Fix incorrect big endian type assignment in bsg loopback path
scsi: storvsc: Always set no_report_opcodes
scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity
sctp: handle invalid error codes without calling BUG()
cifs: fix max_credits implementation
cifs: fix sockaddr comparison in iface_cmp
bnx2x: fix page fault following EEH recovery
netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
wifi: mac80211: Use active_links instead of valid_links in Tx
wifi: cfg80211: remove links only on AP
drm/amdgpu: Match against exact bootloader status
net: hns3: restore user pause configure when disable autoneg
scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock
scsi: lpfc: Remove reftag check in DIF paths
platform/x86/amd/pmf: Fix unsigned comparison with less than zero
idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM
powerpc/powermac: Use early_* IO variants in via_calibrate_decr()
wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1()
net: usb: qmi_wwan: add Quectel EM05GV2
net: annotate data-races around sk->sk_{rcv|snd}timeo
net: dsa: microchip: KSZ9477 register regmap alignment to 32 bit boundaries
Revert "wifi: ath6k: silence false positive -Wno-dangling-pointer warning on GCC 12"
vmbus_testing: fix wrong python syntax for integer value comparison
clk: fixed-mmio: make COMMON_CLK_FIXED_MMIO depend on HAS_IOMEM
kprobes: Prohibit probing on CFI preamble symbol
security: keys: perform capable check only on privileged operations
staging: fbtft: ili9341: use macro FBTFT_REGISTER_SPI_DRIVER
ALSA: usb-audio: Update for native DSD support quirks
ata: pata_arasan_cf: Use dev_err_probe() instead dev_err() in data_xfer()
ovl: Always reevaluate the file signature for IMA
drm/amd/display: Exit idle optimizations before attempt to access PHY
drm/amd/display: Guard DCN31 PHYD32CLK logic against chip family
drm/amd/smu: use AverageGfxclkFrequency* to replace previous GFX Curr Clock
platform/x86: huawei-wmi: Silence ambient light sensor
platform/x86: asus-wmi: Fix setting RGB mode on some TUF laptops
platform/x86: think-lmi: Use kfree_sensitive instead of kfree
platform/x86/intel/hid: Add HP Dragonfly G2 to VGBS DMI quirks
platform/x86: intel: hid: Always call BTNL ACPI method
ALSA: usb-audio: Add quirk for Microsoft Modern Wireless Headset
ASoC: atmel: Fix the 8K sample parameter in I2SC master
ASoC: rt711-sdca: fix for JD event handling in ClockStop Mode0
ASoC: rt711: fix for JD event handling in ClockStop Mode0
ASoc: codecs: ES8316: Fix DMIC config
ASoC: rt5682-sdw: fix for JD event handling in ClockStop Mode0
fs/nls: make load_nls() take a const parameter
s390/dasd: fix hanging device after request requeue
s390/dasd: use correct number of retries for ERP requests
m68k: Fix invalid .section syntax
ethernet: atheros: fix return value check in atl1c_tso_csum()
ASoC: nau8821: Add DMI quirk mechanism for active-high jack-detect
ASoC: da7219: Check for failure reading AAD IRQ events
ASoC: da7219: Flush pending AAD IRQ when suspending
ksmbd: fix out of bounds in init_smb2_rsp_hdr()
ksmbd: no response from compound read
ksmbd: validate session id and tree id in compound request
ksmbd: fix out of bounds in smb3_decrypt_req()
9p: virtio: make sure 'offs' is initialized in zc_request
9p: virtio: fix unlikely null pointer deref in handle_rerror
media: pci: cx23885: fix error handling for cx23885 ATSC boards
media: pulse8-cec: handle possible ping error
media: amphion: use dev_err_probe
phy: qcom-snps-femto-v2: use qcom_snps_hsphy_suspend/resume error code
Revert "MIPS: unhide PATA_PLATFORM"
media: uapi: HEVC: Add num_delta_pocs_of_ref_rps_idx field
powerpc/boot: Disable power10 features after BOOTAFLAGS assignment
ALSA: hda/realtek: Enable 4 amplifiers instead of 2 on a HP platform
ARM: dts: imx: Set default tuning step for imx7d usdhc
Revert "Revert drm/amd/display: Enable Freesync Video Mode by default"
scsi: ufs: Try harder to change the power mode
Partially revert "drm/amd/display: Fix possible underflow for displays with large vblank"
Revert "bridge: Add extack warning when enabling STP in netns."
Linux 6.1.52
pinctrl: amd: Don't show `Invalid config param` errors
usb: typec: tcpci: clear the fault status bit
nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
dt-bindings: sc16is7xx: Add property to change GPIO function
tcpm: Avoid soft reset when partner does not support get_status
fsi: master-ast-cf: Add MODULE_FIRMWARE macro
firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe
serial: sc16is7xx: fix bug when first setting GPIO direction
serial: sc16is7xx: fix broken port 0 uart init
serial: qcom-geni: fix opp vote on shutdown
wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU
wifi: mt76: mt7921: do not support one stream on secondary antenna only
Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
staging: rtl8712: fix race condition
HID: wacom: remove the battery when the EKR is off
usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0
usb: dwc3: meson-g12a: do post init to fix broken usb after resumption
ALSA: usb-audio: Fix init call orders for UAC1
USB: serial: option: add FOXCONN T99W368/T99W373 product
USB: serial: option: add Quectel EM05G variant (0x030e)
modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules
rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff
net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index
mmc: au1xmmc: force non-modular build and remove symbol_get usage
ARM: pxa: remove use of symbol_get()
ksmbd: reduce descriptor size if remaining bytes is less than request size
ksmbd: replace one-element array with flex-array member in struct smb2_ea_info
ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob()
ksmbd: fix wrong DataOffset validation of create context
erofs: ensure that the post-EOF tails are all zeroed
Linux 6.1.51
thunderbolt: Fix a backport error for display flickering issue
kallsyms: Fix kallsyms_selftest failure
io_uring/parisc: Adjust pgoff in io_uring mmap() for parisc
parisc: sys_parisc: parisc_personality() is called from asm code
parisc: Cleanup mmap implementation regarding color alignment
lockdep: fix static memory detection even more
ARM: module: Use module_init_layout_section() to spot init sections
arm64: module: Use module_init_layout_section() to spot init sections
arm64: module-plts: inline linux/moduleloader.h
module: Expose module_init_layout_section()
ACPI: thermal: Drop nocrt parameter
Linux 6.1.50
ASoC: amd: vangogh: select CONFIG_SND_AMD_ACP_CONFIG
maple_tree: disable mas_wr_append() when other readers are possible
ASoC: amd: yc: Fix a non-functional mic on Lenovo 82SJ
gpio: sim: pass the GPIO device's software node to irq domain
gpio: sim: dispose of irq mappings before destroying the irq_sim domain
dma-buf/sw_sync: Avoid recursive lock during fence signal
pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function}
pinctrl: renesas: rzv2m: Fix NULL pointer dereference in rzv2m_dt_subnode_to_map()
pinctrl: renesas: rzg2l: Fix NULL pointer dereference in rzg2l_dt_subnode_to_map()
clk: Fix undefined reference to `clk_rate_exclusive_{get,put}'
scsi: core: raid_class: Remove raid_component_add()
scsi: snic: Fix double free in snic_tgt_create()
madvise:madvise_free_pte_range(): don't use mapcount() against large folio for sharing check
can: raw: add missing refcount for memory leak fix
ublk: remove check IO_URING_F_SQE128 in ublk_ch_uring_cmd
thunderbolt: Fix Thunderbolt 3 display flickering issue on 2nd hot plug onwards
cgroup/cpuset: Free DL BW in case can_attach() fails
sched/deadline: Create DL BW alloc, free & check overflow interface
cgroup/cpuset: Iterate only if DEADLINE tasks are present
sched/cpuset: Keep track of SCHED_DEADLINE task in cpusets
sched/cpuset: Bring back cpuset_mutex
cgroup/cpuset: Rename functions dealing with DEADLINE accounting
nfsd: use vfs setgid helper
nfs: use vfs setgid helper
selftests/net: mv bpf/nat6to4.c to net folder
hwmon: (aquacomputer_d5next) Add selective 200ms delay after sending ctrl report
x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4
x86/fpu: Invalidate FPU state correctly on exec()
drm/display/dp: Fix the DP DSC Receiver cap size
drm/i915/dgfx: Enable d3cold at s2idle
drm/vmwgfx: Fix shader stage validation
PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus
media: vcodec: Fix potential array out-of-bounds in encoder queue_setup
pinctrl: amd: Mask wake bits on probe again
of: dynamic: Refactor action prints to not use "%pOF" inside devtree_lock
of: unittest: Fix EXPECT for parse_phandle_with_args_map() test
radix tree: remove unused variable
riscv: Fix build errors using binutils2.37 toolchains
riscv: Handle zicsr/zifencei issue between gcc and binutils
lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels
batman-adv: Hold rtnl lock during MTU update via netlink
batman-adv: Fix batadv_v_ogm_aggr_send memory leak
batman-adv: Fix TT global entry leak when client roamed back
batman-adv: Do not get eth header before batadv_check_management_packet
batman-adv: Don't increase MTU when set by user
batman-adv: Trigger events for auto adjusted MTU
selinux: set next pointer before attaching to list
nfsd: Fix race to FREE_STATEID and cl_revoked
NFS: Fix a use after free in nfs_direct_join_group()
mm: memory-failure: fix unexpected return value in soft_offline_page()
mm: add a call to flush_cache_vmap() in vmap_pfn()
mm/gup: handle cont-PTE hugetlb pages correctly in gup_must_unshare() via GUP-fast
ALSA: ymfpci: Fix the missing snd_card_free() call at probe error
shmem: fix smaps BUG sleeping while atomic
mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer
clk: Fix slab-out-of-bounds error in devm_clk_release()
NFSv4: Fix dropped lock for racing OPEN and delegation return
platform/x86: ideapad-laptop: Add support for new hotkeys found on ThinkBook 14s Yoga ITL
wifi: mac80211: limit reorder_buf_filtered to avoid UBSAN warning
ibmveth: Use dcbf rather than dcbfl
ASoC: cs35l41: Correct amp_gain_tlv values
ASoC: amd: yc: Add VivoBook Pro 15 to quirks list for acp6x
io_uring/msg_ring: fix missing lock on overflow for IOPOLL
io_uring/msg_ring: move double lock/unlock helpers higher up
io_uring: extract a io_msg_install_complete helper
io_uring: get rid of double locking
KVM: x86/mmu: Fix an sign-extension bug with mmu_seq that hangs vCPUs
KVM: x86: Preserve TDP MMU roots until they are explicitly invalidated
bonding: fix macvlan over alb bond support
rtnetlink: Reject negative ifindexes in RTM_NEWLINK
netfilter: nf_tables: fix out of memory error handling
netfilter: nf_tables: flush pending destroy work before netlink notifier
i40e: fix potential NULL pointer dereferencing of pf->vf i40e_sync_vsi_filters()
net/sched: fix a qdisc modification with ambiguous command request
igc: Fix the typo in the PTM Control macro
igb: Avoid starting unnecessary workqueues
can: isotp: fix support for transmission of SF without flow control
selftests: bonding: do not set port down before adding to bond
ice: Fix NULL pointer deref during VF reset
Revert "ice: Fix ice VF reset during iavf initialization"
ice: fix receive buffer size miscalculation
ipv4: fix data-races around inet->inet_id
net: validate veth and vxcan peer ifindexes
net: bcmgenet: Fix return value check for fixed_phy_register()
net: bgmac: Fix return value check for fixed_phy_register()
net: dsa: mt7530: fix handling of 802.1X PAE frames
selftests: mlxsw: Fix test failure on Spectrum-4
mlxsw: Fix the size of 'VIRT_ROUTER_MSB'
mlxsw: reg: Fix SSPR register layout
mlxsw: pci: Set time stamp fields also when its type is MIRROR_UTC
ipvlan: Fix a reference count leak warning in ipvlan_ns_exit()
dccp: annotate data-races in dccp_poll()
sock: annotate data-races around prot->memory_pressure
net: dsa: felix: fix oversize frame dropping for always closed tc-taprio gates
devlink: add missing unregister linecard notification
devlink: move code to a dedicated directory
octeontx2-af: SDP: fix receive link config
tracing: Fix memleak due to race between current_tracer and trace
tracing: Fix cpu buffers unavailable due to 'record_disabled' missed
drm/i915/gt: Support aux invalidation on all engines
drm/i915/gt: Poll aux invalidation register bit on invalidation
drm/i915/gt: Ensure memory quiesced before invalidation
drm/i915: Add the gen12_needs_ccs_aux_inv helper
s390/zcrypt: fix reply buffer calculations for CCA replies
s390/zcrypt: remove unnecessary (void *) conversions
can: raw: fix lockdep issue in raw_release()
can: raw: fix receiver memory leak
jbd2: fix a race when checking checkpoint buffer busy
jbd2: remove journal_clean_one_cp_list()
jbd2: remove t_checkpoint_io_list
MIPS: cpu-features: Use boot_cpu_type for CPU type based features
MIPS: cpu-features: Enable octeon_cache by cpu_type
PCI: acpiphp: Reassign resources on bridge if necessary
video/aperture: Move vga handling to pci function
video/aperture: Only kick vgacon when the pdev is decoding vga
drm/aperture: Remove primary argument
drm/gma500: Use drm_aperture_remove_conflicting_pci_framebuffers
fbdev/radeon: use pci aperture helpers
drm/ast: Use drm_aperture_remove_conflicting_pci_framebuffers
xprtrdma: Remap Receive buffers after a reconnect
NFSv4: fix out path in __nfs4_get_acl_uncached
NFSv4.2: fix error handling in nfs42_proc_getxattr
Linux 6.1.49
Revert "f2fs: fix to do sanity check on direct node in truncate_dnode()"
Revert "f2fs: fix to set flush_merge opt and show noflush_merge"
Revert "f2fs: don't reset unchangable mount option in f2fs_remount()"
objtool/x86: Fix SRSO mess
Linux 6.1.48
x86/srso: Correct the mitigation status when SMT is disabled
objtool/x86: Fixup frame-pointer vs rethunk
x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG
x86/srso: Disable the mitigation on unaffected configurations
x86/CPU/AMD: Fix the DIV(0) initial fix attempt
x86/retpoline: Don't clobber RFLAGS during srso_safe_ret()
x86/static_call: Fix __static_call_fixup()
x86/srso: Explain the untraining sequences a bit more
x86/cpu: Cleanup the untrain mess
x86/cpu: Rename srso_(.*)_alias to srso_alias_\1
x86/cpu: Rename original retbleed methods
x86/cpu: Clean up SRSO return thunk mess
x86/alternative: Make custom return thunk unconditional
x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
x86/cpu: Fix __x86_return_thunk symbol type
Linux 6.1.47
mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove
net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled
drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
af_unix: Fix null-ptr-deref in unix_stream_sendpage().
drm/amdgpu: keep irq count in amdgpu_irq_disable_all
drm/amd/pm: skip the RLC stop when S0i3 suspend for SMU v13.0.4/11
arm64/ptrace: Ensure that SME is set up for target when writing SSVE state
netfilter: set default timeout to 3 secs for sctp shutdown send and recv state
hugetlb: do not clear hugetlb dtor until allocating vmemmap
drm/amd/display: Implement workaround for writing to OTG_PIXEL_RATE_DIV register
sched/fair: Remove capacity inversion detection
sched/fair: unlink misfit task from cpu overutilized
zsmalloc: allow only one active pool compaction context
drm/amd/display: disable RCO for DCN314
ASoC: amd: vangogh: select CONFIG_SND_AMD_ACP_CONFIG
drm/amdgpu/pm: fix throttle_status for other than MP1 11.0.7
drm/amdgpu: skip fence GFX interrupts disable/enable for S0ix
drm/amd: flush any delayed gfxoff on suspend entry
drm/i915/sdvo: fix panel_type initialization
drm/qxl: fix UAF on handle creation
mmc: block: Fix in_flight[issue_type] value error
mmc: wbsd: fix double mmc_free_host() in wbsd_init()
blk-crypto: dynamically allocate fallback profile
arm64: dts: rockchip: Fix Wifi/Bluetooth on ROCK Pi 4 boards
virtio-net: Zero max_tx_vq field for VIRTIO_NET_CTRL_MQ_HASH_CONFIG case
cifs: Release folio lock on fscache read hit.
ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces.
serial: 8250: Fix oops for port->pm on uart_change_pm()
riscv: uaccess: Return the number of bytes effectively not copied
ALSA: hda/realtek - Remodified 3k pull low procedure
soc: aspeed: socinfo: Add kfree for kstrdup
soc: aspeed: uart-routing: Use __sysfs_match_string
ALSA: hda/realtek: Add quirks for HP G11 Laptops
ASoC: meson: axg-tdm-formatter: fix channel slot allocation
ASoC: rt5665: add missed regulator_bulk_disable
arm64: dts: imx93: Fix anatop node size
ARM: dts: imx: Set default tuning step for imx6sx usdhc
arm64: dts: imx8mm: Drop CSI1 PHY reference clock configuration
ARM: dts: imx6: phytec: fix RTC interrupt level
ARM: dts: imx: align LED node names with dtschema
arm64: dts: rockchip: Disable HS400 for eMMC on ROCK 4C+
arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4
arm64: dts: qcom: qrb5165-rb5: fix thermal zone conflict
bus: ti-sysc: Flush posted write on enable before reset
ice: Block switchdev mode when ADQ is active and vice versa
qede: fix firmware halt over suspend and resume
net: do not allow gso_size to be set to GSO_BY_FRAGS
sock: Fix misuse of sk_under_memory_pressure()
sfc: don't unregister flow_indr if it was never registered
net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset
i40e: fix misleading debug logs
iavf: fix FDIR rule fields masks validation
net: openvswitch: reject negative ifindex
team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
net: phy: broadcom: stub c45 read/write for 54810
netfilter: nft_dynset: disallow object maps
ipvs: fix racy memcpy in proc_do_sync_threshold
netfilter: nf_tables: deactivate catchall elements in next generation
netfilter: nf_tables: fix false-positive lockdep splat
octeon_ep: cancel tx_timeout_task later in remove sequence
net: macb: In ZynqMP resume always configure PS GTR for non-wakeup source
drm/panel: simple: Fix AUO G121EAN01 panel timings according to the docs
selftests: mirror_gre_changes: Tighten up the TTL test match
net: phy: fix IRQ-based wake-on-lan over hibernate / power off
net: pcs: Add missing put_device call in miic_create
virtio-net: set queues after driver_ok
virtio_net: notify MAC address change on device initialization
xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
xfrm: add NULL check in xfrm_update_ae_params
ip_vti: fix potential slab-use-after-free in decode_session6
ip6_vti: fix slab-use-after-free in decode_session6
xfrm: fix slab-use-after-free in decode_session6
net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure
net: af_key: fix sadb_x_filter validation
net: xfrm: Fix xfrm_address_filter OOB read
i2c: designware: Handle invalid SMBus block data response length value
i2c: designware: Correct length byte validation logic
btrfs: fix BUG_ON condition in btrfs_cancel_balance
btrfs: fix incorrect splitting in btrfs_drop_extent_map_range
tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms
tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
vdpa: Enable strict validation for netlinks ops
vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check
vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
vdpa: Add features attr to vdpa_nl_policy for nlattr length check
powerpc/rtas_flash: allow user copy to flash block cache objects
fbdev: mmp: fix value check in mmphw_probe()
i2c: tegra: Fix i2c-tegra DMA config option processing
i2c: hisi: Only handle the interrupt of the driver's transfer
i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue
cifs: fix potential oops in cifs_oplock_break
vdpa/mlx5: Delete control vq iotlb in destroy_mr only when necessary
vdpa/mlx5: Fix mr->initialized semantics
vduse: Use proper spinlock for IRQ injection
virtio-mmio: don't break lifecycle of vm_dev
btrfs: fix use-after-free of new block group that became unused
btrfs: convert btrfs_block_group::seq_zone to runtime flag
btrfs: convert btrfs_block_group::needs_free_space to runtime flag
btrfs: move out now unused BG from the reclaim list
video/aperture: Only remove sysfb on the default vga pci device
fbdev/hyperv-fb: Do not set struct fb_info.apertures
ARM: dts: nxp/imx6sll: fix wrong property name in usbphy node
KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption
drm/amd/display: fix access hdcp_workqueue assert
drm/amd/display: phase3 mst hdcp for multiple displays
drm/amd/display: save restore hdcp state when display is unplugged from mst hub
igc: read before write to SRRCTL register
ring-buffer: Do not swap cpu_buffer during resize process
Bluetooth: MGMT: Use correct address for memcpy()
powerpc/kasan: Disable KCOV in KASAN code
ALSA: hda/realtek: Add quirk for ASUS ROG GZ301V
ALSA: hda/realtek: Add quirk for ASUS ROG GA402X
ALSA: hda/realtek: Add quirk for ASUS ROG GX650P
ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync()
ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760
fs/ntfs3: Mark ntfs dirty when on-disk struct is corrupted
fs: ntfs3: Fix possible null-pointer dereferences in mi_read()
fs/ntfs3: Enhance sanity check while generating attr_list
drm/amdgpu: Fix potential fence use-after-free v2
ceph: try to dump the msgs when decoding fails
Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally
Bluetooth: L2CAP: Fix use-after-free
watchdog: sp5100_tco: support Hygon FCH/SCH (Server Controller Hub)
firewire: net: fix use after free in fwnet_finish_incoming_packet()
thunderbolt: Limit Intel Barlow Ridge USB3 bandwidth
thunderbolt: Add Intel Barlow Ridge PCI ID
pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db()
gfs2: Fix possible data races in gfs2_show_options()
usb: chipidea: imx: add missing USB PHY DPDM wakeup setting
usb: chipidea: imx: don't request QoS for imx8ulp
thunderbolt: Read retimer NVM authentication status prior tb_retimer_set_inbound_sbtx()
media: platform: mediatek: vpu: fix NULL ptr dereference
usb: gadget: uvc: queue empty isoc requests if no video buffer is available
usb: gadget: u_serial: Avoid spinlock recursion in __gs_console_push
media: camss: set VFE bpl_alignment to 16 for sdm845 and sm8250
media: v4l2-mem2mem: add lock to protect parameter num_rdy
led: qcom-lpg: Fix resource leaks in for_each_available_child_of_node() loops
serial: stm32: Ignore return value of uart_remove_one_port() in .remove()
cifs: fix session state check in reconnect to avoid use-after-free issue
smb: client: fix warning in cifs_smb3_do_mount()
ALSA: hda/realtek: Add quirks for ROG ALLY CS35l41 audio
HID: intel-ish-hid: ipc: Add Arrow Lake PCI device ID
ASoC: SOF: core: Free the firmware trace before calling snd_sof_shutdown()
drm/amd/display: Enable dcn314 DPP RCO
drm/amd/display: Skip DPP DTO update if root clock is gated
RDMA/mlx5: Return the firmware result upon destroying QP/RQ
drm/amd/display: Apply 60us prefetch for DCFCLK <= 300Mhz
drm/amdgpu: install stub fence into potential unused fence pointers
iommu/amd: Introduce Disable IRTE Caching Support
HID: logitech-hidpp: Add USB and Bluetooth IDs for the Logitech G915 TKL Keyboard
accel/habanalabs: add pci health check during heartbeat
dma-remap: use kvmalloc_array/kvfree for larger dma memory remap
ASoC: SOF: Intel: fix SoundWire/HDaudio mutual exclusion
iopoll: Call cpu_relax() in busy loops
ASoC: Intel: sof_sdw: Add support for Rex soundwire
ASoC: Intel: sof_sdw_rt_sdca_jack_common: test SOF_JACK_JDSRC in _exit
ARM: dts: imx6dl: prtrvt, prtvt7, prti6q, prtwd2: fix USB related warnings
ASoC: amd: vangogh: Add check for acp config flags in vangogh platform
drm: rcar-du: remove R-Car H3 ES1.* workarounds
drm/stm: ltdc: fix late dereference check
ASoC: SOF: amd: Add pci revision id check
PCI: tegra194: Fix possible array out of bounds access
ASoC: Intel: sof_sdw: add quirk for LNL RVP
ASoC: Intel: sof_sdw: add quirk for MTL RVP
drm/amdgpu: fix memory leak in mes self test
drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1
drm/amdgpu: fix calltrace warning in amddrm_buddy_fini
net: phy: at803x: fix the wol setting functions
net: phy: at803x: Use devm_regulator_get_enable_optional()
net/smc: Fix setsockopt and sysctl to specify same buffer size again
net/smc: replace mutex rmbs_lock and sndbufs_lock with rw_semaphore
selftests: forwarding: tc_actions: Use ncat instead of nc
selftests: forwarding: tc_actions: cleanup temporary files when test is aborted
zsmalloc: fix races between modifications of fullness and isolated
zsmalloc: consolidate zs_pool's migrate_lock and size_class's locks
cpuidle: psci: Move enabling OSI mode after power domains creation
cpuidle: psci: Extend information in log about OSI/PC mode
mmc: sdhci-f-sdh30: Replace with sdhci_pltfm
Linux 6.1.46
drm/amd/pm/smu7: move variables to where they are used
sch_netem: fix issues in netem_change() vs get_dist_table()
alpha: remove __init annotation from exported page_is_ram()
ACPI: scan: Create platform device for CS35L56
platform/x86: serial-multi-instantiate: Auto detect IRQ resource for CSC3551
scsi: qedf: Fix firmware halt over suspend and resume
scsi: qedi: Fix firmware halt over suspend and resume
scsi: fnic: Replace return codes in fnic_clean_pending_aborts()
scsi: core: Fix possible memory leak if device_add() fails
scsi: snic: Fix possible memory leak if device_add() fails
scsi: 53c700: Check that command slot is not NULL
scsi: ufs: renesas: Fix private allocation
scsi: storvsc: Fix handling of virtual Fibre Channel timeouts
scsi: core: Fix legacy /proc parsing buffer overflow
netfilter: nf_tables: report use refcount overflow
nvme-rdma: fix potential unbalanced freeze & unfreeze
nvme-tcp: fix potential unbalanced freeze & unfreeze
btrfs: set cache_block_group_error if we find an error
btrfs: reject invalid reloc tree root keys with stack dump
btrfs: exit gracefully if reloc roots don't match
btrfs: properly clear end of the unreserved range in cow_file_range
btrfs: don't stop integrity writeback too early
btrfs: wait for actual caching progress during allocation
gpio: sim: mark the GPIO chip as a one that can sleep
gpio: ws16c48: Fix off-by-one error in WS16C48 resource region extent
ibmvnic: Ensure login failure recovery is safe from other resets
ibmvnic: Do partial reset on login failure
ibmvnic: Handle DMA unmapping of login buffs in release functions
ibmvnic: Unmap DMA login rsp buffer on send login fail
ibmvnic: Enforce stronger sanity checks on login response
net/mlx5: Reload auxiliary devices in pci error handlers
net/mlx5: Skip clock update work when device is in error state
net/mlx5: LAG, Check correct bucket when modifying LAG
net/mlx5: Allow 0 for total host VFs
dmaengine: owl-dma: Modify mismatched function name
dmaengine: mcf-edma: Fix a potential un-allocated memory access
net: hns3: fix strscpy causing content truncation issue
nexthop: Fix infinite nexthop bucket dump when using maximum nexthop ID
nexthop: Make nexthop bucket dump more efficient
nexthop: Fix infinite nexthop dump when using maximum nexthop ID
net: hns3: fix deadlock issue when externel_lb and reset are executed together
net: hns3: add wait until mac link down
net: hns3: refactor hclge_mac_link_status_wait for interface reuse
net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove
net: phy: at803x: remove set/get wol callbacks for AR8032
net: marvell: prestera: fix handling IPv4 routes with nhid
net: tls: avoid discarding data on record close
RDMA/umem: Set iova in ODP flow
wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
drm/rockchip: Don't spam logs in atomic check
IB/hfi1: Fix possible panic during hotplug remove
iavf: fix potential races for FDIR filters
drivers: vxlan: vnifilter: free percpu vni stats on error path
drivers: net: prevent tun_build_skb() to exceed the packet size limit
dccp: fix data-race around dp->dccps_mss_cache
bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
xsk: fix refcount underflow in error path
tunnels: fix kasan splat when generating ipv4 pmtu error
tcp: add missing family to tcp_set_ca_state() tracepoint
net/smc: Use correct buffer sizes when switching between TCP and SMC
net/packet: annotate data-races around tp->status
mptcp: fix the incorrect judgment for msk->cb_flags
macsec: use DEV_STATS_INC()
mISDN: Update parameter type of dsp_cmx_send()
bpf, sockmap: Fix bug that strp_done cannot be called
bpf, sockmap: Fix map type error in sock_map_del_link
net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()
selftests: forwarding: tc_flower: Relax success criterion
selftests: forwarding: Switch off timeout
selftests: forwarding: Skip test when no interfaces are specified
selftests: forwarding: hw_stats_l3_gre: Skip when using veth pairs
selftests: forwarding: ethtool_extended_state: Skip when using veth pairs
selftests: forwarding: ethtool: Skip when using veth pairs
selftests: forwarding: Add a helper to skip test when using veth pairs
selftests/rseq: Fix build with undefined __weak
interconnect: qcom: sm8450: add enable_mask for bcm nodes
interconnect: qcom: Add support for mask-based BCMs
iio: core: Prevent invalid memory access when there is no parent
drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes
x86: Move gds_ucode_mitigated() declaration to header
x86/speculation: Add cpu_show_gds() prototype
x86/sev: Do not try to parse for the CC blob on non-AMD hardware
x86/mm: Fix VDSO and VVAR placement on 5-level paging machines
x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405
x86/srso: Fix build breakage with the LLVM linker
usb: typec: altmodes/displayport: Signal hpd when configuring pin assignment
usb: typec: tcpm: Fix response to vsafe0V event
usb: common: usb-conn-gpio: Prevent bailing out if initial role is none
USB: Gadget: core: Help prevent panic during UVC unconfigure
usb: dwc3: Properly handle processing of pending events
usb-storage: alauda: Fix uninit-value in alauda_check_media()
misc: rtsx: judge ASPM Mode to set PETXCFG Reg
binder: fix memory leak in binder_init()
iio: adc: ina2xx: avoid NULL pointer dereference on OF device match
iio: adc: ad7192: Fix ac excitation feature
iio: frequency: admv1013: propagate errors from regulator_get_voltage()
iio: cros_ec: Fix the allocation size for cros_ec_command
io_uring: correct check for O_TMPFILE
drm/amd/display: trigger timing sync only if TG is running
drm/amd/display: fix the build when DRM_AMD_DC_DCN is not set
drm/amd/display: Retain phantom plane/stream if validation fails
drm/amd/display: Disable phantom OTG after enable for plane disable
drm/amd/display: Use update plane and stream routine for DCN32x
drm/amd/display: Avoid ABM when ODM combine is enabled for eDP
drm/amd/display: Update OTG instance in the commit stream
drm/amd/display: Handle seamless boot stream
drm/amd/display: Add function for validate and update new stream
drm/amd/display: Handle virtual hardware detect
drm/amd/pm: avoid unintentional shutdown due to temperature momentary fluctuation
drm/amd/pm: fulfill powerplay peak profiling mode shader/memory clock settings
drm/amd/pm: expose swctf threshold setting for legacy powerplay
drm/amd/pm: fulfill swsmu peak profiling mode shader/memory clock settings
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
radix tree test suite: fix incorrect allocation size for pthreads
hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100
cpuidle: dt_idle_genpd: Add helper function to remove genpd topology
drm/amd/display: limit DPIA link rate to HBR3
drm/amd: Disable S/G for APUs when 64GB or more host memory
drm/amdgpu: add S/G display parameter
drm/amd/display: check attr flag before set cursor degamma on DCN3+
drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()
drm/shmem-helper: Reset vma->vm_ops before calling dma_buf_mmap()
drm/nouveau/nvkm/dp: Add workaround to fix DP 1.3+ DPCD issues
drm/nouveau/gr: enable memory loads on helper invocation on all channels
nvme-pci: add NVME_QUIRK_BOGUS_NID for Samsung PM9B1 256G and 512G
riscv/kexec: handle R_RISCV_CALL_PLT relocation type
riscv,mmio: Fix readX()-to-delay() ordering
riscv/kexec: load initrd high in available memory
net: mana: Fix MANA VF unload when hardware is unresponsive
dmaengine: pl330: Return DMA_PAUSED when transaction is paused
mptcp: fix disconnect vs accept race
mptcp: avoid bogus reset on fallback close
selftests: mptcp: join: fix 'implicit EP' test
selftests: mptcp: join: fix 'delete and re-add' test
ipv6: adjust ndisc_is_useropt() to also return true for PIO
mmc: moxart: read scr register without changing byte order
wireguard: allowedips: expand maximum node depth
selftests: forwarding: Set default IPv6 traceroute utility
wifi: rtw89: fix 8852AE disconnection caused by RX full flags
wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()
KVM: SEV: only access GHCB fields once
KVM: SEV: snapshot the GHCB before accessing it
ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()
ksmbd: validate command request size
tpm: Add a helper for checking hwrng enabled
tpm: Disable RNG for all AMD fTPMs
Revert "loongarch/cpu: Switch to arch_cpu_finalize_init()"
gcc-plugins: Reorganize gimple includes for GCC 13
Linux 6.1.45
x86/CPU/AMD: Do not leak quotient data after a division by 0
Revert "drm/i915: Disable DC states for all commits"
drm/amdgpu: Use apt name for FW reserved region
drm/amdgpu: Remove unnecessary domain argument
drm/amdgpu: add vram reservation based on vram_usagebyfirmware_v2_2
arm64/ptrace: Don't enable SVE when setting streaming SVE
exfat: check if filename entries exceeds max filename length
f2fs: don't reset unchangable mount option in f2fs_remount()
f2fs: fix to set flush_merge opt and show noflush_merge
selftests/rseq: Play nice with binaries statically linked against glibc 2.35+
drm/amd/display: skip CLEAR_PAYLOAD_ID_TABLE if device mst_en is 0
drm/amd/display: Ensure that planes are in the same order
drm/imx/ipuv3: Fix front porch adjustment upon hactive aligning
powerpc/mm/altmap: Fix altmap boundary check
mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op()
mtd: rawnand: rockchip: Align hwecc vs. raw page helper layouts
mtd: rawnand: rockchip: fix oobfree offset and description
mtd: rawnand: omap_elm: Fix incorrect type in assignment
io_uring: annotate offset timeout races
f2fs: fix to do sanity check on direct node in truncate_dnode()
btrfs: remove BUG_ON()'s in add_new_free_space()
ext2: Drop fragment support
fs: Protect reconfiguration of sb read-write from racing writes
net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
debugobjects: Recheck debug_objects_enabled before reporting
Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
fs/sysv: Null check to prevent null-ptr-deref bug
fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_load_attr_list()
mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()
file: reinstate f_pos locking optimization for regular files
bpf, cpumap: Make sure kthread is running before map update returns
clk: imx93: Propagate correct error in imx93_clocks_probe()
drm/i915/gt: Cleanup aux invalidation registers
drm/i915: Fix premature release of request's reusable memory
drm/ttm: check null pointer before accessing when swapping
open: make RESOLVE_CACHED correctly test for O_TMPFILE
arm64/fpsimd: Sync FPSIMD state with SVE for SME only systems
arm64/fpsimd: Clear SME state in the target task when setting the VL
arm64/fpsimd: Sync and zero pad FPSIMD state for streaming SVE
powerpc/ftrace: Create a dummy stackframe to fix stack unwind
bpf: Disable preemption in bpf_event_output
rbd: prevent busy loop when requesting exclusive lock
x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction
wifi: mt76: mt7615: do not advertise 5 GHz on first phy of MT7615D (DBDC)
net: tap_open(): set sk_uid from current_fsuid()
net: tun_chr_open(): set sk_uid from current_fsuid()
arm64: dts: stratix10: fix incorrect I2C property for SCL signal
bpf: Disable preemption in bpf_perf_event_output
mtd: rawnand: meson: fix OOB available bytes for ECC
mtd: spinand: toshiba: Fix ecc_get_status
exfat: release s_lock before calling dir_emit()
exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree
firmware: arm_scmi: Drop OF node reference in the transport channel setup
ceph: defer stopping mdsc delayed_work
USB: zaurus: Add ID for A-300/B-500/C-700
libceph: fix potential hang in ceph_osdc_notify()
scsi: storvsc: Limit max_sectors for virtual Fibre Channel devices
scsi: zfcp: Defer fc_rport blocking until after ADISC response
rust: allocator: Prevent mis-aligned allocation
tcp_metrics: fix data-race in tcpm_suck_dst() vs fastopen
tcp_metrics: annotate data-races around tm->tcpm_net
tcp_metrics: annotate data-races around tm->tcpm_vals[]
tcp_metrics: annotate data-races around tm->tcpm_lock
tcp_metrics: annotate data-races around tm->tcpm_stamp
tcp_metrics: fix addr_same() helper
prestera: fix fallback to previous version on same major version
net/mlx5: fs_core: Skip the FTs in the same FS_TYPE_PRIO_CHAINS fs_prio
net/mlx5: fs_core: Make find_closest_ft more generic
vxlan: Fix nexthop hash size
ip6mr: Fix skb_under_panic in ip6mr_cache_report()
s390/qeth: Don't call dev_close/dev_open (DOWN/UP)
net: dcb: choose correct policy to parse DCB_ATTR_BCN
bnxt_en: Fix max_mtu setting for multi-buf XDP
bnxt_en: Fix page pool logic for page size >= 64K
net: netsec: Ignore 'phy-mode' on SynQuacer in DT mode
net: korina: handle clk prepare error in korina_probe()
net: ll_temac: fix error checking of irq_of_parse_and_map()
bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire
net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free
net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free
bpf, cpumap: Handle skb as well when clean up ptr_ring
ice: Fix RDMA VSI removal during queue rebuild
net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.
net: annotate data-races around sk->sk_priority
net: add missing data-race annotation for sk_ll_usec
net: add missing data-race annotations around sk->sk_peek_off
net: annotate data-races around sk->sk_mark
net: add missing READ_ONCE(sk->sk_rcvbuf) annotation
net: add missing READ_ONCE(sk->sk_sndbuf) annotation
net: add missing READ_ONCE(sk->sk_rcvlowat) annotation
net: annotate data-races around sk->sk_max_pacing_rate
net: annotate data-race around sk->sk_txrehash
net: annotate data-races around sk->sk_reserved_mem
qed: Fix scheduling in a tasklet while getting stats
mISDN: hfcpci: Fix potential deadlock on &hc->lock
net: sched: cls_u32: Fix match key mis-addressing
perf test uprobe_from_different_cu: Skip if there is no gcc
net: dsa: fix value check in bcm_sf2_sw_probe()
rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length
bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing
net/mlx5e: Move representor neigh cleanup to profile cleanup_tx
net/mlx5e: Fix crash moving to switchdev mode when ntuple offload is set
net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer()
net/mlx5: fix potential memory leak in mlx5e_init_rep_rx
net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx
net/mlx5e: fix double free in macsec_fs_tx_create_crypto_table_groups
wifi: cfg80211: Fix return value in scan logic
erofs: fix wrong primary bvec selection on deduplicated extents
KVM: s390: fix sthyi error handling
word-at-a-time: use the same return type for has_zero regardless of endianness
firmware: arm_scmi: Fix chan_free cleanup on SMC
lib/bitmap: workaround const_eval test build failure
firmware: smccc: Fix use of uninitialised results structure
arm64: dts: freescale: Fix VPU G2 clock
arm64: dts: imx8mn-var-som: add missing pull-up for onboard PHY reset pinmux
arm64: dts: phycore-imx8mm: Correction in gpio-line-names
arm64: dts: phycore-imx8mm: Label typo-fix of VPU
arm64: dts: imx8mm-venice-gw7904: disable disp_blk_ctrl
arm64: dts: imx8mm-venice-gw7903: disable disp_blk_ctrl
iommu/arm-smmu-v3: Document nesting-related errata
iommu/arm-smmu-v3: Add explicit feature for nesting
iommu/arm-smmu-v3: Document MMU-700 erratum 2812531
iommu/arm-smmu-v3: Work around MMU-600 erratum 1076982
net: ipa: only reset hashed tables when supported
net/mlx5: Free irqs only on shutdown callback
perf: Fix function pointer case
io_uring: gate iowait schedule on having pending requests
Linux 6.1.44
x86: fix backwards merge of GDS/SRSO bit
xen/netback: Fix buffer overrun triggered by unusual packet
x86/srso: Tie SBPB bit setting to microcode patch detection
x86/srso: Add a forgotten NOENDBR annotation
x86/srso: Fix return thunks in generated code
x86/srso: Add IBPB on VMEXIT
x86/srso: Add IBPB
x86/srso: Add SRSO_NO support
x86/srso: Add IBPB_BRTYPE support
x86/srso: Add a Speculative RAS Overflow mitigation
x86/cpu, kvm: Add support for CPUID_80000021_EAX
x86/bugs: Increase the x86 bugs vector size to two u32s
Documentation/x86: Fix backwards on/off logic about YMM support
x86/mm: Initialize text poking earlier
mm: Move mm_cachep initialization to mm_init()
x86/mm: Use mm_alloc() in poking_init()
x86/mm: fix poking_init() for Xen PV guests
x86/xen: Fix secondary processors' FPU initialization
x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build
KVM: Add GDS_NO support to KVM
x86/speculation: Add Kconfig option for GDS
x86/speculation: Add force option to GDS mitigation
x86/speculation: Add Gather Data Sampling mitigation
x86/fpu: Move FPU initialization into arch_cpu_finalize_init()
x86/fpu: Mark init functions __init
x86/fpu: Remove cpuinfo argument from init functions
x86/init: Initialize signal frame size late
init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init()
init: Invoke arch_cpu_finalize_init() earlier
init: Remove check_bugs() leftovers
um/cpu: Switch to arch_cpu_finalize_init()
sparc/cpu: Switch to arch_cpu_finalize_init()
sh/cpu: Switch to arch_cpu_finalize_init()
mips/cpu: Switch to arch_cpu_finalize_init()
m68k/cpu: Switch to arch_cpu_finalize_init()
loongarch/cpu: Switch to arch_cpu_finalize_init()
ia64/cpu: Switch to arch_cpu_finalize_init()
ARM: cpu: Switch to arch_cpu_finalize_init()
x86/cpu: Switch to arch_cpu_finalize_init()
init: Provide arch_cpu_finalize_init()
Conflicts:
Documentation/devicetree/bindings
Documentation/devicetree/bindings/clock/xlnx,versal-clk.yaml
Documentation/devicetree/bindings/extcon/maxim,max77843.yaml
Documentation/devicetree/bindings/serial/nxp,sc16is7xx.txt
android/abi_gki_aarch64_qcom
drivers/bus/mhi/host/pm.c
drivers/clk/qcom/gcc-sm8250.c
drivers/interconnect/qcom/bcm-voter.c
drivers/interconnect/qcom/icc-rpmh.h
drivers/mailbox/qcom-ipcc.c
Change-Id: I98acc81783883752e19e8d433e3db6977a0ebf7f
Upstream-Build: ks_qcom-android14-6.1-keystone-qcom-release@11252216 UKQ2.231224.001
Signed-off-by: jianzhou <quic_jianzhou@quicinc.com>
|
||
Léo Lam
|
75c27bdb21 |
wifi: nl80211: fix deadlock in nl80211_set_cqm_rssi (6.6.x)
Commit 008afb9f3d57 ("wifi: cfg80211: fix CQM for non-range use"
backported to 6.6.x) causes nl80211_set_cqm_rssi not to release the
wdev lock in some of the error paths.
Of course, the ensuing deadlock causes userland network managers to
break pretty badly, and on typical systems this also causes lockups on
on suspend, poweroff and reboot. See [1], [2], [3] for example reports.
The upstream commit 7e7efdda6adb ("wifi: cfg80211: fix CQM for non-range
use"), committed in November 2023, is completely fine because there was
another commit in August 2023 that removed the wdev lock:
see commit 076fc8775daf ("wifi: cfg80211: remove wdev mutex").
The reason things broke in 6.6.5 is that commit 4338058f6009 was applied
without also applying 076fc8775daf.
Commit 076fc8775daf ("wifi: cfg80211: remove wdev mutex") is a rather
large commit; adjusting the error handling (which is what this commit does)
yields a much simpler patch and was tested to work properly.
Fix the deadlock by releasing the lock before returning.
[1] https://bugzilla.kernel.org/show_bug.cgi?id=218247
[2] https://bbs.archlinux.org/viewtopic.php?id=290976
[3] https://lore.kernel.org/all/87sf4belmm.fsf@turtle.gmx.de/
Link: https://lore.kernel.org/stable/e374bb16-5b13-44cc-b11a-2f4eefb1ecf5@manjaro.org/
Fixes: 008afb9f3d57 ("wifi: cfg80211: fix CQM for non-range use")
Tested-by: "Léo Lam" <leo@leolam.fr>
Tested-by: "Philip Müller" <philm@manjaro.org>
Cc: stable@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: "Léo Lam" <leo@leolam.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Johannes Berg
|
15577a98ef |
wifi: cfg80211: fix CQM for non-range use
commit 7e7efdda6adb385fbdfd6f819d76bc68c923c394 upstream.
[note: this is commit 4a7e92551618f3737b305f62451353ee05662f57 reapplied;
that commit had been reverted in 6.6.6 because it caused regressions, see
https://lore.kernel.org/stable/2023121450-habitual-transpose-68a1@gregkh/
for details]
My prior race fix here broke CQM when ranges aren't used, as
the reporting worker now requires the cqm_config to be set in
the wdev, but isn't set when there's no range configured.
Rather than continuing to special-case the range version, set
the cqm_config always and configure accordingly, also tracking
if range was used or not to be able to clear the configuration
appropriately with the same API, which was actually not right
if both were implemented by a driver for some reason, as is
the case with mac80211 (though there the implementations are
equivalent so it doesn't matter.)
Also, the original multiple-RSSI commit lost checking for the
callback, so might have potentially crashed if a driver had
neither implementation, and userspace tried to use it despite
not being advertised as supported.
Cc: stable@vger.kernel.org
Fixes:
|
||
Rouven Czerwinski
|
e9df9f0891 |
net: rfkill: gpio: set GPIO direction
commit 23484d817082c3005252d8edfc8292c8a1006b5b upstream.
Fix the undefined usage of the GPIO consumer API after retrieving the
GPIO description with GPIO_ASIS. The API documentation mentions that
GPIO_ASIS won't set a GPIO direction and requires the user to set a
direction before using the GPIO.
This can be confirmed on i.MX6 hardware, where rfkill-gpio is no longer
able to enabled/disable a device, presumably because the GPIO controller
was never configured for the output direction.
Fixes: b2f750c3a80b ("net: rfkill: gpio: prevent value glitch during probe")
Cc: stable@vger.kernel.org
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Link: https://msgid.link/20231207075835.3091694-1-r.czerwinski@pengutronix.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Fedor Pchelkin
|
805611157d |
net: 9p: avoid freeing uninit memory in p9pdu_vreadf
commit ff49bf1867578f23a5ffdd38f927f6e1e16796c4 upstream.
If some of p9pdu_readf() calls inside case 'T' in p9pdu_vreadf() fails,
the error path is not handled properly. *wnames or members of *wnames
array may be left uninitialized and invalidly freed.
Initialize *wnames to NULL in beginning of case 'T'. Initialize the first
*wnames array element to NULL and nullify the failing *wnames element so
that the error path freeing loop stops on the first NULL element and
doesn't proceed further.
Found by Linux Verification Center (linuxtesting.org).
Fixes:
|
||
Alex Lu
|
0f7bffd40a |
Bluetooth: Add more enc key size check
commit 04a342cc49a8522e99c9b3346371c329d841dcd2 upstream.
When we are slave role and receives l2cap conn req when encryption has
started, we should check the enc key size to avoid KNOB attack or BLUFFS
attack.
From SIG recommendation, implementations are advised to reject
service-level connections on an encrypted baseband link with key
strengths below 7 octets.
A simple and clear way to achieve this is to place the enc key size
check in hci_cc_read_enc_key_size()
The btmon log below shows the case that lacks enc key size check.
> HCI Event: Connect Request (0x04) plen 10
Address: BB:22:33:44:55:99 (OUI BB-22-33)
Class: 0x480104
Major class: Computer (desktop, notebook, PDA, organizers)
Minor class: Desktop workstation
Capturing (Scanner, Microphone)
Telephony (Cordless telephony, Modem, Headset)
Link type: ACL (0x01)
< HCI Command: Accept Connection Request (0x01|0x0009) plen 7
Address: BB:22:33:44:55:99 (OUI BB-22-33)
Role: Peripheral (0x01)
> HCI Event: Command Status (0x0f) plen 4
Accept Connection Request (0x01|0x0009) ncmd 2
Status: Success (0x00)
> HCI Event: Connect Complete (0x03) plen 11
Status: Success (0x00)
Handle: 1
Address: BB:22:33:44:55:99 (OUI BB-22-33)
Link type: ACL (0x01)
Encryption: Disabled (0x00)
...
> HCI Event: Encryption Change (0x08) plen 4
Status: Success (0x00)
Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
Encryption: Enabled with E0 (0x01)
< HCI Command: Read Encryption Key Size (0x05|0x0008) plen 2
Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
> HCI Event: Command Complete (0x0e) plen 7
Read Encryption Key Size (0x05|0x0008) ncmd 2
Status: Success (0x00)
Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
Key size: 6
// We should check the enc key size
...
> ACL Data RX: Handle 1 flags 0x02 dlen 12
L2CAP: Connection Request (0x02) ident 3 len 4
PSM: 25 (0x0019)
Source CID: 64
< ACL Data TX: Handle 1 flags 0x00 dlen 16
L2CAP: Connection Response (0x03) ident 3 len 8
Destination CID: 64
Source CID: 64
Result: Connection pending (0x0001)
Status: Authorization pending (0x0002)
> HCI Event: Number of Completed Packets (0x13) plen 5
Num handles: 1
Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
Count: 1
#35: len 16 (25 Kb/s)
Latency: 5 msec (2-7 msec ~4 msec)
< ACL Data TX: Handle 1 flags 0x00 dlen 16
L2CAP: Connection Response (0x03) ident 3 len 8
Destination CID: 64
Source CID: 64
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
Cc: stable@vger.kernel.org
Signed-off-by: Alex Lu <alex_lu@realsil.com.cn>
Signed-off-by: Max Chou <max.chou@realtek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Xiao Yao
|
39347d6450 |
Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE
commit 59b047bc98084f8af2c41483e4d68a5adf2fa7f7 upstream.
If two Bluetooth devices both support BR/EDR and BLE, and also
support Secure Connections, then they only need to pair once.
The LTK generated during the LE pairing process may be converted
into a BR/EDR link key for BR/EDR transport, and conversely, a
link key generated during the BR/EDR SSP pairing process can be
converted into an LTK for LE transport. Hence, the link type of
the link key and LTK is not fixed, they can be either an LE LINK
or an ACL LINK.
Currently, in the mgmt_new_irk/ltk/crsk/link_key functions, the
link type is fixed, which could lead to incorrect address types
being reported to the application layer. Therefore, it is necessary
to add link_type/addr_type to the smp_irk/ltk/crsk and link_key,
to ensure the generation of the correct address type.
SMP over BREDR:
Before Fix:
> ACL Data RX: Handle 11 flags 0x02 dlen 12
BR/EDR SMP: Identity Address Information (0x09) len 7
Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Identity Resolving Key (0x0018) plen 30
Random address: 00:00:00:00:00:00 (Non-Resolvable)
LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Long Term Key (0x000a) plen 37
LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
Key type: Authenticated key from P-256 (0x03)
After Fix:
> ACL Data RX: Handle 11 flags 0x02 dlen 12
BR/EDR SMP: Identity Address Information (0x09) len 7
Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Identity Resolving Key (0x0018) plen 30
Random address: 00:00:00:00:00:00 (Non-Resolvable)
BR/EDR Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Long Term Key (0x000a) plen 37
BR/EDR Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
Key type: Authenticated key from P-256 (0x03)
SMP over LE:
Before Fix:
@ MGMT Event: New Identity Resolving Key (0x0018) plen 30
Random address: 5F:5C:07:37:47:D5 (Resolvable)
LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Long Term Key (0x000a) plen 37
LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
Key type: Authenticated key from P-256 (0x03)
@ MGMT Event: New Link Key (0x0009) plen 26
BR/EDR Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
Key type: Authenticated Combination key from P-256 (0x08)
After Fix:
@ MGMT Event: New Identity Resolving Key (0x0018) plen 30
Random address: 5E:03:1C:00:38:21 (Resolvable)
LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
@ MGMT Event: New Long Term Key (0x000a) plen 37
LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
Key type: Authenticated key from P-256 (0x03)
@ MGMT Event: New Link Key (0x0009) plen 26
Store hint: Yes (0x01)
LE Address: F8:7D:76:F2:12:F3 (OUI F8-7D-76)
Key type: Authenticated Combination key from P-256 (0x08)
Cc: stable@vger.kernel.org
Signed-off-by: Xiao Yao <xiaoyao@rock-chips.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Frédéric Danis
|
e14a7ebafe |
Bluetooth: L2CAP: Send reject on command corrupted request
commit 78b99eb1faa7371bf9c534690f26a71b6996622d upstream. L2CAP/COS/CED/BI-02-C PTS test send a malformed L2CAP signaling packet with 2 commands in it (a connection request and an unknown command) and expect to get a connection response packet and a command reject packet. The second is currently not sent. Cc: stable@vger.kernel.org Signed-off-by: Frédéric Danis <frederic.danis@collabora.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Hyunwoo Kim
|
37f71e2c9f |
Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
commit 2e07e8348ea454615e268222ae3fc240421be768 upstream.
This can cause a race with bt_sock_ioctl() because
bt_sock_recvmsg() gets the skb from sk->sk_receive_queue
and then frees it without holding lock_sock.
A use-after-free for a skb occurs with the following flow.
```
bt_sock_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
bt_sock_ioctl() -> skb_peek()
```
Add lock_sock to bt_sock_recvmsg() to fix this issue.
Cc: stable@vger.kernel.org
Fixes:
|
||
Luiz Augusto von Dentz
|
470896ecbc |
Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent
commit 99e67d46e5ff3c7c901af6009edec72d3d363be8 upstream. Before setting HCI_INQUIRY bit check if HCI_OP_INQUIRY was really sent otherwise the controller maybe be generating invalid events or, more likely, it is a result of fuzzing tools attempting to test the right behavior of the stack when unexpected events are generated. Cc: stable@vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=218151 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Johannes Berg
|
db57ef0dd4 |
wifi: cfg80211: fix certs build to not depend on file order
commit 3c2a8ebe3fe66a5f77d4c164a0bea8e2ff37b455 upstream. The file for the new certificate (Chen-Yu Tsai's) didn't end with a comma, so depending on the file order in the build rule, we'd end up with invalid C when concatenating the (now two) certificates. Fix that. Cc: stable@vger.kernel.org Reported-by: Biju Das <biju.das.jz@bp.renesas.com> Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org> Fixes: fb768d3b13ff ("wifi: cfg80211: Add my certificate") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Chen-Yu Tsai
|
ec350809cd |
wifi: cfg80211: Add my certificate
commit fb768d3b13ffa325b7e84480d488ac799c9d2cd7 upstream. As announced [1][2], I have taken over maintainership of the wireless-regdb project. Add my certificate so that newer releases are valid to the kernel. Seth's certificate should be kept around for awhile, at least until a few new releases by me happen. This should also be applied to stable trees so that stable kernels can utilize newly released database binaries. [1] https://lore.kernel.org/linux-wireless/CAGb2v657baNMPKU3QADijx7hZa=GUcSv2LEDdn6N=QQaFX8r-g@mail.gmail.com/ [2] https://lore.kernel.org/linux-wireless/ZWmRR5ul7EDfxCan@wens.tw/ Cc: stable@vger.kernel.org Signed-off-by: Chen-Yu Tsai <wens@kernel.org> Acked-by: Seth Forshee <sforshee@kernel.org> Link: https://msgid.link/ZXHGsqs34qZyzZng@wens.tw Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
David Howells
|
791d5409cd |
keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
[ Upstream commit 39299bdd2546688d92ed9db4948f6219ca1b9542 ]
If a key has an expiration time, then when that time passes, the key is
left around for a certain amount of time before being collected (5 mins by
default) so that EKEYEXPIRED can be returned instead of ENOKEY. This is a
problem for DNS keys because we want to redo the DNS lookup immediately at
that point.
Fix this by allowing key types to be marked such that keys of that type
don't have this extra period, but are reclaimed as soon as they expire and
turn this on for dns_resolver-type keys. To make this easier to handle,
key->expiry is changed to be permanent if TIME64_MAX rather than 0.
Furthermore, give such new-style negative DNS results a 1s default expiry
if no other expiry time is set rather than allowing it to stick around
indefinitely. This shouldn't be zero as ls will follow a failing stat call
immediately with a second with AT_SYMLINK_NOFOLLOW added.
Fixes:
|
||
|
Eric Dumazet
|
3e617c7e39 |
net: check dev->gso_max_size in gso_features_check()
[ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ]
Some drivers might misbehave if TSO packets get too big.
GVE for instance uses a 16bit field in its TX descriptor,
and will do bad things if a packet is bigger than 2^16 bytes.
Linux TCP stack honors dev->gso_max_size, but there are
other ways for too big packets to reach an ndo_start_xmit()
handler : virtio_net, af_packet, GRO...
Add a generic check in gso_features_check() and fallback
to GSO when needed.
gso_max_size was added in the blamed commit.
Fixes:
|
||
Liu Jian
|
a70c2dd741 |
net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()
[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ]
I got the below warning trace:
WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify
CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0
Call Trace:
rtnl_dellink
rtnetlink_rcv_msg
netlink_rcv_skb
netlink_unicast
netlink_sendmsg
__sock_sendmsg
____sys_sendmsg
___sys_sendmsg
__sys_sendmsg
do_syscall_64
entry_SYSCALL_64_after_hwframe
It can be repoduced via:
ip netns add ns1
ip netns exec ns1 ip link add bond0 type bond mode 0
ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
ip netns exec ns1 ip link set bond_slave_1 master bond0
[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off
[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0
[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0
[4] ip netns exec ns1 ip link set bond_slave_1 nomaster
[5] ip netns exec ns1 ip link del veth2
ip netns del ns1
This is all caused by command [1] turning off the rx-vlan-filter function
of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix
incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands
[2] [3] add the same vid to slave and master respectively, causing
command [4] to empty slave->vlan_info. The following command [5] triggers
this problem.
To fix this problem, we should add VLAN_FILTER feature checks in
vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect
addition or deletion of vlan_vid information.
Fixes:
|
||
Arnd Bergmann
|
a1986c429c |
Bluetooth: hci_event: shut up a false-positive warning
[ Upstream commit a5812c68d849505ea657f653446512b85887f813 ]
Turning on -Wstringop-overflow globally exposed a misleading compiler
warning in bluetooth:
net/bluetooth/hci_event.c: In function 'hci_cc_read_class_of_dev':
net/bluetooth/hci_event.c:524:9: error: 'memcpy' writing 3 bytes into a
region of size 0 overflows the destination [-Werror=stringop-overflow=]
524 | memcpy(hdev->dev_class, rp->dev_class, 3);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The problem here is the check for hdev being NULL in bt_dev_dbg() that
leads the compiler to conclude that hdev->dev_class might be an invalid
pointer access.
Add another explicit check for the same condition to make sure gcc sees
this cannot happen.
Fixes:
|
||
|
Eric Dumazet
|
3e0d158579 |
net/rose: fix races in rose_kill_by_device()
[ Upstream commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be ]
syzbot found an interesting netdev refcounting issue in
net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1]
Problem is that rose_kill_by_device() can change rose->device
while other threads do not expect the pointer to be changed.
We have to first collect sockets in a temporary array,
then perform the changes while holding the socket
lock and rose_list_lock spinlock (in this order)
Change rose_release() to also acquire rose_list_lock
before releasing the netdev refcount.
[1]
[ 1185.055088][ T7889] ref_tracker: reference already released.
[ 1185.061476][ T7889] ref_tracker: allocated in:
[ 1185.066081][ T7889] rose_bind+0x4ab/0xd10
[ 1185.070446][ T7889] __sys_bind+0x1ec/0x220
[ 1185.074818][ T7889] __x64_sys_bind+0x72/0xb0
[ 1185.079356][ T7889] do_syscall_64+0x40/0x110
[ 1185.083897][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 1185.089835][ T7889] ref_tracker: freed in:
[ 1185.094088][ T7889] rose_release+0x2f5/0x570
[ 1185.098629][ T7889] __sock_release+0xae/0x260
[ 1185.103262][ T7889] sock_close+0x1c/0x20
[ 1185.107453][ T7889] __fput+0x270/0xbb0
[ 1185.111467][ T7889] task_work_run+0x14d/0x240
[ 1185.116085][ T7889] get_signal+0x106f/0x2790
[ 1185.120622][ T7889] arch_do_signal_or_restart+0x90/0x7f0
[ 1185.126205][ T7889] exit_to_user_mode_prepare+0x121/0x240
[ 1185.131846][ T7889] syscall_exit_to_user_mode+0x1e/0x60
[ 1185.137293][ T7889] do_syscall_64+0x4d/0x110
[ 1185.141783][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 1185.148085][ T7889] ------------[ cut here ]------------
WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
Modules linked in:
CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78917e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44
RSP: 0018:ffffc90004917850 EFLAGS: 00010202
RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000
RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001
RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6
R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c
R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff
FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netdev_tracker_free include/linux/netdevice.h:4127 [inline]
netdev_put include/linux/netdevice.h:4144 [inline]
netdev_put include/linux/netdevice.h:4140 [inline]
rose_kill_by_device net/rose/af_rose.c:195 [inline]
rose_device_event+0x25d/0x330 net/rose/af_rose.c:218
notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967
call_netdevice_notifiers_extack net/core/dev.c:2005 [inline]
call_netdevice_notifiers net/core/dev.c:2019 [inline]
__dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646
dev_change_flags+0x122/0x170 net/core/dev.c:8682
dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529
dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786
sock_do_ioctl+0x198/0x270 net/socket.c:1234
sock_ioctl+0x22e/0x6b0 net/socket.c:1339
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f0a7147cba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9
RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004
RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8
</TASK>
Fixes:
|
||
|
Eric Dumazet
|
6707baabe4 |
net: sched: ife: fix potential use-after-free
[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ]
ife_decode() calls pskb_may_pull() two times, we need to reload
ifehdr after the second one, or risk use-after-free as reported
by syzbot:
BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline]
BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323
CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
__ife_tlv_meta_valid net/ife/ife.c:108 [inline]
ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
tcf_ife_decode net/sched/act_ife.c:739 [inline]
tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879
tc_act include/net/tc_wrapper.h:221 [inline]
tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
tcf_exts_exec include/net/pkt_cls.h:344 [inline]
mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
tc_classify include/net/tc_wrapper.h:227 [inline]
__tcf_classify net/sched/cls_api.c:1703 [inline]
tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
__dev_xmit_skb net/core/dev.c:3828 [inline]
__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
dev_queue_xmit include/linux/netdevice.h:3165 [inline]
packet_xmit+0x237/0x350 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
__do_sys_sendto net/socket.c:2202 [inline]
__se_sys_sendto net/socket.c:2198 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fe9acc7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9
RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003
RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78
</TASK>
Allocated by task 22323:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027
kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1298 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
packet_alloc_skb net/packet/af_packet.c:2930 [inline]
packet_snd net/packet/af_packet.c:3024 [inline]
packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
__do_sys_sendto net/socket.c:2202 [inline]
__se_sys_sendto net/socket.c:2198 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Freed by task 22323:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xc0/0x180 mm/slub.c:3822
skb_kfree_head net/core/skbuff.c:950 [inline]
skb_free_head+0x110/0x1b0 net/core/skbuff.c:962
pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130
__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655
pskb_may_pull_reason include/linux/skbuff.h:2685 [inline]
pskb_may_pull include/linux/skbuff.h:2693 [inline]
ife_decode+0x394/0x4f0 net/ife/ife.c:82
tcf_ife_decode net/sched/act_ife.c:727 [inline]
tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879
tc_act include/net/tc_wrapper.h:221 [inline]
tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
tcf_exts_exec include/net/pkt_cls.h:344 [inline]
mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
tc_classify include/net/tc_wrapper.h:227 [inline]
__tcf_classify net/sched/cls_api.c:1703 [inline]
tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
__dev_xmit_skb net/core/dev.c:3828 [inline]
__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
dev_queue_xmit include/linux/netdevice.h:3165 [inline]
packet_xmit+0x237/0x350 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
__do_sys_sendto net/socket.c:2202 [inline]
__se_sys_sendto net/socket.c:2198 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
The buggy address belongs to the object at ffff88802d730000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 164 bytes inside of
freed 8192-byte region [ffff88802d730000, ffff88802d732000)
The buggy address belongs to the physical page:
page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730
head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544
prep_new_page mm/page_alloc.c:1551 [inline]
get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319
__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x283/0x3c0 mm/slub.c:2070
___slab_alloc+0x979/0x1500 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027
kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1298 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
packet_alloc_skb net/packet/af_packet.c:2930 [inline]
packet_snd net/packet/af_packet.c:3024 [inline]
packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1144 [inline]
free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494
__unfreeze_partials+0x226/0x240 mm/slub.c:2655
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509
alloc_inode_sb include/linux/fs.h:2937 [inline]
ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408
alloc_inode+0x5d/0x220 fs/inode.c:261
new_inode_pseudo fs/inode.c:1006 [inline]
new_inode+0x22/0x260 fs/inode.c:1032
__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958
ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398
vfs_symlink fs/namei.c:4464 [inline]
vfs_symlink+0x3e5/0x620 fs/namei.c:4448
do_symlinkat+0x25f/0x310 fs/namei.c:4490
__do_sys_symlinkat fs/namei.c:4506 [inline]
__se_sys_symlinkat fs/namei.c:4503 [inline]
__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
Fixes:
|
||
Shigeru Yoshida
|
31edab1222 |
net: Return error from sk_stream_wait_connect() if sk_wait_event() fails
[ Upstream commit cac23b7d7627915d967ce25436d7aae26e88ed06 ]
The following NULL pointer dereference issue occurred:
BUG: kernel NULL pointer dereference, address: 0000000000000000
<...>
RIP: 0010:ccid_hc_tx_send_packet net/dccp/ccid.h:166 [inline]
RIP: 0010:dccp_write_xmit+0x49/0x140 net/dccp/output.c:356
<...>
Call Trace:
<TASK>
dccp_sendmsg+0x642/0x7e0 net/dccp/proto.c:801
inet_sendmsg+0x63/0x90 net/ipv4/af_inet.c:846
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x83/0xe0 net/socket.c:745
____sys_sendmsg+0x443/0x510 net/socket.c:2558
___sys_sendmsg+0xe5/0x150 net/socket.c:2612
__sys_sendmsg+0xa6/0x120 net/socket.c:2641
__do_sys_sendmsg net/socket.c:2650 [inline]
__se_sys_sendmsg net/socket.c:2648 [inline]
__x64_sys_sendmsg+0x45/0x50 net/socket.c:2648
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x43/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
sk_wait_event() returns an error (-EPIPE) if disconnect() is called on the
socket waiting for the event. However, sk_stream_wait_connect() returns
success, i.e. zero, even if sk_wait_event() returns -EPIPE, so a function
that waits for a connection with sk_stream_wait_connect() may misbehave.
In the case of the above DCCP issue, dccp_sendmsg() is waiting for the
connection. If disconnect() is called in concurrently, the above issue
occurs.
This patch fixes the issue by returning error from sk_stream_wait_connect()
if sk_wait_event() fails.
Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Johannes Berg
|
2f635af7d6 |
wifi: mac80211: mesh_plink: fix matches_local logic
[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ]
During refactoring the "else" here got lost, add it back.
Fixes:
|
||
|
Johannes Berg
|
7a07af00aa |
wifi: mac80211: mesh: check element parsing succeeded
[ Upstream commit 1fc4a3eec50d726f4663ad3c0bb0158354d6647a ]
ieee802_11_parse_elems() can return NULL, so we must
check for the return value.
Fixes:
|
||
|
Edward Adam Davis
|
40ba7f9ab8 |
wifi: mac80211: check if the existing link config remains unchanged
[ Upstream commit c1393c132b906fbdf91f6d1c9eb2ef7a00cce64e ]
[Syz report]
WARNING: CPU: 1 PID: 5067 at net/mac80211/rate.c:48 rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
Modules linked in:
CPU: 1 PID: 5067 Comm: syz-executor413 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
Code: 48 c7 c2 00 46 0c 8c be 08 03 00 00 48 c7 c7 c0 45 0c 8c c6 05 70 79 0b 05 01 e8 1b a0 6f f7 e9 e0 fd ff ff e8 61 b3 8f f7 90 <0f> 0b 90 e9 36 ff ff ff e8 53 b3 8f f7 e8 5e 0b 78 f7 31 ff 89 c3
RSP: 0018:ffffc90003c57248 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888016bc4000 RCX: ffffffff89f7d519
RDX: ffff888076d43b80 RSI: ffffffff89f7d6df RDI: 0000000000000005
RBP: ffff88801daaae20 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000001
R13: 0000000000000000 R14: ffff888020030e20 R15: ffff888078f08000
FS: 0000555556b94380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 0000000076d22000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sta_apply_auth_flags.constprop.0+0x4b7/0x510 net/mac80211/cfg.c:1674
sta_apply_parameters+0xaf1/0x16c0 net/mac80211/cfg.c:2002
ieee80211_add_station+0x3fa/0x6c0 net/mac80211/cfg.c:2068
rdev_add_station net/wireless/rdev-ops.h:201 [inline]
nl80211_new_station+0x13ba/0x1a70 net/wireless/nl80211.c:7603
genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
[Analysis]
It is inappropriate to make a link configuration change judgment on an
non-existent and non new link.
[Fix]
Quickly exit when there is a existent link and the link configuration has not
changed.
Fixes:
|
||
qctecmdr
|
77e7062745 | Merge "net: qrtr: Add interruptible timeout in MHI tx path" | ||
Florian Westphal
|
30bca9e278 |
UPSTREAM: netfilter: nft_set_pipapo: skip inactive elements during set walk
commit 317eb9685095678f2c9f5a8189de698c5354316a upstream. Otherwise set elements can be deactivated twice which will cause a crash. Bug: 316310313 Reported-by: Xingyuan Mo <hdthky0@gmail.com> Fixes: |
||
|
John Fastabend
|
9b3d3a7f3c |
net: tls, update curr on splice as well
commit c5a595000e2677e865a39f249c056bc05d6e55fd upstream.
The curr pointer must also be updated on the splice similar to how
we do this for other copy types.
Fixes:
|
||
|
Hyunwoo Kim
|
1646b2929d |
appletalk: Fix Use-After-Free in atalk_ioctl
[ Upstream commit 189ff16722ee36ced4d2a2469d4ab65a8fee4198 ]
Because atalk_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with atalk_recvmsg().
A use-after-free for skb occurs with the following flow.
```
atalk_ioctl() -> skb_peek()
atalk_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
```
Add sk->sk_receive_queue.lock to atalk_ioctl() to fix this issue.
Fixes:
|
||
Nikolay Kuratov
|
9a23be1e58 |
vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
[ Upstream commit 60316d7f10b17a7ebb1ead0642fee8710e1560e0 ]
We need to do signed arithmetic if we expect condition
`if (bytes < 0)` to be possible
Found by Linux Verification Center (linuxtesting.org) with SVACE
Fixes:
|
||
Dong Chenchen
|
55a43bae08 |
net: Remove acked SYN flag from packet in the transmit queue correctly
[ Upstream commit f99cd56230f56c8b6b33713c5be4da5d6766be1f ]
syzkaller report:
kernel BUG at net/core/skbuff.c:3452!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc4-00009-gbee0e7762ad2-dirty #135
RIP: 0010:skb_copy_and_csum_bits (net/core/skbuff.c:3452)
Call Trace:
icmp_glue_bits (net/ipv4/icmp.c:357)
__ip_append_data.isra.0 (net/ipv4/ip_output.c:1165)
ip_append_data (net/ipv4/ip_output.c:1362 net/ipv4/ip_output.c:1341)
icmp_push_reply (net/ipv4/icmp.c:370)
__icmp_send (./include/net/route.h:252 net/ipv4/icmp.c:772)
ip_fragment.constprop.0 (./include/linux/skbuff.h:1234 net/ipv4/ip_output.c:592 net/ipv4/ip_output.c:577)
__ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:295)
ip_output (net/ipv4/ip_output.c:427)
__ip_queue_xmit (net/ipv4/ip_output.c:535)
__tcp_transmit_skb (net/ipv4/tcp_output.c:1462)
__tcp_retransmit_skb (net/ipv4/tcp_output.c:3387)
tcp_retransmit_skb (net/ipv4/tcp_output.c:3404)
tcp_retransmit_timer (net/ipv4/tcp_timer.c:604)
tcp_write_timer (./include/linux/spinlock.h:391 net/ipv4/tcp_timer.c:716)
The panic issue was trigered by tcp simultaneous initiation.
The initiation process is as follows:
TCP A TCP B
1. CLOSED CLOSED
2. SYN-SENT --> <SEQ=100><CTL=SYN> ...
3. SYN-RECEIVED <-- <SEQ=300><CTL=SYN> <-- SYN-SENT
4. ... <SEQ=100><CTL=SYN> --> SYN-RECEIVED
5. SYN-RECEIVED --> <SEQ=100><ACK=301><CTL=SYN,ACK> ...
// TCP B: not send challenge ack for ack limit or packet loss
// TCP A: close
tcp_close
tcp_send_fin
if (!tskb && tcp_under_memory_pressure(sk))
tskb = skb_rb_last(&sk->tcp_rtx_queue); //pick SYN_ACK packet
TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN; // set FIN flag
6. FIN_WAIT_1 --> <SEQ=100><ACK=301><END_SEQ=102><CTL=SYN,FIN,ACK> ...
// TCP B: send challenge ack to SYN_FIN_ACK
7. ... <SEQ=301><ACK=101><CTL=ACK> <-- SYN-RECEIVED //challenge ack
// TCP A: <SND.UNA=101>
8. FIN_WAIT_1 --> <SEQ=101><ACK=301><END_SEQ=102><CTL=SYN,FIN,ACK> ... // retransmit panic
__tcp_retransmit_skb //skb->len=0
tcp_trim_head
len = tp->snd_una - TCP_SKB_CB(skb)->seq // len=101-100
__pskb_trim_head
skb->data_len -= len // skb->len=-1, wrap around
... ...
ip_fragment
icmp_glue_bits //BUG_ON
If we use tcp_trim_head() to remove acked SYN from packet that contains data
or other flags, skb->len will be incorrectly decremented. We can remove SYN
flag that has been acked from rtx_queue earlier than tcp_trim_head(), which
can fix the problem mentioned above.
Fixes:
|
||
|
Hyunwoo Kim
|
01540ee236 |
net/rose: Fix Use-After-Free in rose_ioctl
[ Upstream commit 810c38a369a0a0ce625b5c12169abce1dd9ccd53 ]
Because rose_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with rose_accept().
A use-after-free for skb occurs with the following flow.
```
rose_ioctl() -> skb_peek()
rose_accept() -> skb_dequeue() -> kfree_skb()
```
Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.
Fixes:
|
||
|
Hyunwoo Kim
|
2de2a6cbe1 |
atm: Fix Use-After-Free in do_vcc_ioctl
[ Upstream commit 24e90b9e34f9e039f56b5f25f6e6eb92cdd8f4b3 ]
Because do_vcc_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with vcc_recvmsg().
A use-after-free for skb occurs with the following flow.
```
do_vcc_ioctl() -> skb_peek()
vcc_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
```
Add sk->sk_receive_queue.lock to do_vcc_ioctl() to fix this issue.
Fixes:
|
||
Vladimir Oltean
|
a00dbc6dec |
net: vlan: introduce skb_vlan_eth_hdr()
[ Upstream commit 1f5020acb33f926030f62563c86dffca35c7b701 ]
Similar to skb_eth_hdr() introduced in commit
|
||
Maciej Żenczykowski
|
0da41ddfb2 |
net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX
[ Upstream commit bd4a816752bab609dd6d65ae021387beb9e2ddbd ]
Lorenzo points out that we effectively clear all unknown
flags from PIO when copying them to userspace in the netlink
RTM_NEWPREFIX notification.
We could fix this one at a time as new flags are defined,
or in one fell swoop - I choose the latter.
We could either define 6 new reserved flags (reserved1..6) and handle
them individually (and rename them as new flags are defined), or we
could simply copy the entire unmodified byte over - I choose the latter.
This unfortunately requires some anonymous union/struct magic,
so we add a static assert on the struct size for a little extra safety.
Cc: David Ahern <dsahern@kernel.org>
Cc: Lorenzo Colitti <lorenzo@google.com>
Fixes:
|
||
Pranav Mahesh Phansalkar
|
4c8404c710 |
net: qrtr: Add interruptible timeout in MHI tx path
Add interruptible timeout in MHI tx path as current implementation leads to deadlock while unregistering endpoint in probe and sending the data at the same time. Change-Id: If8558cf92a996cd111e7016e391bbabea5bdfa92 Signed-off-by: Pranav Mahesh Phansalkar <quic_pphansal@quicinc.com> |
||
|
qctecmdr
|
6609224546 |
Merge "Merge keystone/android14-6.1-keystone-qcom-release.6.1.43 (ff4725c) into qcom-6.1"
|
||
|
Greg Kroah-Hartman
|
6b1e1d37f1 |
This is the 6.1.66 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVyywAACgkQONu9yGCS aT420Q//RK1ZeDdGWqAEH84PtuOzFA7gl5aXjmt1r9I1sDFr06ktk9rc67BNo87b Ugubto1UUpM/ZJfpezH1M4DMQ5f67thkRhCv5qvolh80v21duD7G7i1kX3rJsWk1 daJ76RcYXH63/Qv59uT+ADjSIIAH7yF/FGnUSShyznDRwDh/TqujEoh0e25X4YlV MhcCGBS0NE9Rcuwv2XPp84D4psXhPhmOuUVEPVnPLVnXg09XqOVjMV5uW+X4Sqft sc/bzveBmHoPOVtkz71qo1oxsVkKNMcdmD88+Xn9rSBgAkti5MpV/ZCAxRSVZbwF wyBh23gzRQzHXTn45Bf/1wS5zzQ+PIkadCo7hlPbQHguOMGXkdqTgNJf9EwB09I2 DEAWnCNH5orNk0Sltbfo/7Ja2oJtSHkiaUWk4nP1fZN9Vt9yt1xnRkpkaoBh0L7q NmXBFuvrylC44cfQNXIZSqAXduwCvMPyQDm1txSxYDZVrOy82/zVRWcOrytb0PnO zfqSuQKZPoF29ESq2Ti65Zk5e47EjSjYca91gzOlSVBNXx+xTuSoXCL0RXYclT7H umxK5/wmDSQX6wJzd+JNy7H86U753DuSIzA1112IC1GdWNlWWsjca5omEMgt+lqu Xc9q13vg3Ox+tv0MRv+P398b7NwzuMVcLbMoHE+1EzMH0JS636E= =p/en -----END PGP SIGNATURE----- Merge 6.1.66 into android14-6.1-lts Changes in 6.1.66 cifs: Fix FALLOC_FL_ZERO_RANGE by setting i_size if EOF moved cifs: Fix FALLOC_FL_INSERT_RANGE by setting i_size after EOF moved smb: client: report correct st_size for SMB and NFS symlinks pinctrl: avoid reload of p state in list iteration firewire: core: fix possible memory leak in create_units() mmc: sdhci-pci-gli: Disable LPM during initialization mmc: cqhci: Increase recovery halt timeout mmc: cqhci: Warn of halt or task clear failure mmc: cqhci: Fix task clearing in CQE error recovery mmc: block: Retry commands in CQE error recovery mmc: block: Do not lose cache flush during CQE error recovery mmc: block: Be sure to wait while busy in CQE error recovery ALSA: hda: Disable power-save on KONTRON SinglePC ALSA: hda/realtek: Headset Mic VREF to 100% ALSA: hda/realtek: Add supported ALC257 for ChromeOS dm-verity: align struct dm_verity_fec_io properly scsi: Change SCSI device boolean fields to single bit flags scsi: sd: Fix system start for ATA devices drm/amd: Enable PCIe PME from D3 drm/amdgpu: Force order between a read and write to the same address drm/amd/display: Include udelay when waiting for INBOX0 ACK drm/amd/display: Remove min_dst_y_next_start check for Z8 drm/amd/display: Use DRAM speed from validation for dummy p-state drm/amd/display: Update min Z8 residency time to 2100 for DCN314 drm/amd/display: fix ABM disablement dm verity: initialize fec io before freeing it dm verity: don't perform FEC for failed readahead IO nvme: check for valid nvme_identify_ns() before using it powercap: DTPM: Fix unneeded conversions to micro-Watts cpufreq/amd-pstate: Fix the return value of amd_pstate_fast_switch() dma-buf: fix check in dma_resv_add_fence bcache: revert replacing IS_ERR_OR_NULL with IS_ERR iommu/vt-d: Add MTL to quirk list to skip TE disabling KVM: PPC: Book3S HV: Fix KVM_RUN clobbering FP/VEC user registers powerpc: Don't clobber f0/vs0 during fp|altivec register save parisc: Mark ex_table entries 32-bit aligned in assembly.h parisc: Mark ex_table entries 32-bit aligned in uaccess.h parisc: Use natural CPU alignment for bug_table parisc: Mark lock_aligned variables 16-byte aligned on SMP parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes parisc: Mark jump_table naturally aligned parisc: Ensure 32-bit alignment on parisc unwind section parisc: Mark altinstructions read-only and 32-bit aligned btrfs: add dmesg output for first mount and last unmount of a filesystem btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod() btrfs: fix off-by-one when checking chunk map includes logical address btrfs: send: ensure send_fd is writable btrfs: make error messages more clear when getting a chunk map btrfs: fix 64bit compat send ioctl arguments not initializing version member Input: xpad - add HyperX Clutch Gladiate Support auxdisplay: hd44780: move cursor home after clear display command serial: sc16is7xx: Put IOControl register into regmap_volatile serial: sc16is7xx: add missing support for rs485 devicetree properties wifi: cfg80211: fix CQM for non-range use USB: xhci-plat: fix legacy PHY double init USB: core: Change configuration warnings to notices usb: config: fix iteration issue in 'usb_get_bos_descriptor()' ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet dpaa2-eth: increase the needed headroom to account for alignment uapi: propagate __struct_group() attributes to the container union selftests/net: ipsec: fix constant out of range selftests/net: fix a char signedness issue selftests/net: unix: fix unused variable compiler warning selftests/net: mptcp: fix uninitialized variable warnings octeontx2-af: Fix possible buffer overflow net: stmmac: xgmac: Disable FPE MMC interrupts octeontx2-pf: Fix adding mbox work queue entry when num_vfs > 64 octeontx2-af: Install TC filter rules in hardware based on priority octeontx2-pf: Restore TC ingress police rules when interface is up r8169: prevent potential deadlock in rtl8169_close ravb: Fix races between ravb_tx_timeout_work() and net related ops net: ravb: Check return value of reset_control_deassert() net: ravb: Use pm_runtime_resume_and_get() net: ravb: Make write access to CXR35 first before accessing other EMAC registers net: ravb: Start TX queues after HW initialization succeeded net: ravb: Stop DMA in case of failures on ravb_open() net: ravb: Keep reverse order of operations in ravb_remove() KVM: x86: Fix lapic timer interrupt lost after loading a snapshot. PCI: Lengthen reset delay for VideoPropulsion Torrent QN16e card octeontx2-af: Initialize 'cntr_val' to fix uninitialized symbol error PCI: qcom-ep: Add dedicated callback for writing to DBI2 registers fbdev: stifb: Make the STI next font pointer a 32-bit signed offset spi: Fix null dereference on suspend drm/amd/display: Restore rptr/wptr for DMCUB as workaround drm/amd/display: Guard against invalid RPTR/WPTR being set cpufreq: imx6q: don't warn for disabling a non-existing frequency cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily iommu/vt-d: Omit devTLB invalidation requests when TES=0 iommu/vt-d: Allocate pasid table in device probe path iommu/vt-d: Add device_block_translation() helper iommu/vt-d: Disable PCI ATS in legacy passthrough mode iommu/vt-d: Make context clearing consistent with context mapping drm/amd/pm: fix a memleak in aldebaran_tables_init mmc: core: add helpers mmc_regulator_enable/disable_vqmmc mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled drm/amd/display: Expand kernel doc for DC drm/amd/display: clean code-style issues in dcn30_set_mpc_shaper_3dlut drm/amd/display: Fix the delta clamping for shaper LUT drm/amd/display: Fix MPCC 1DLUT programming r8169: disable ASPM in case of tx timeout r8169: fix deadlock on RTL8125 in jumbo mtu mode xen: Allow platform PCI interrupt to be shared xen: simplify evtchn_do_upcall() call maze x86/xen: fix percpu vcpu_info allocation x86/apic/msi: Fix misconfigured non-maskable MSI quirk iomap: update ki_pos a little later in iomap_dio_complete Linux 6.1.66 Note, this merge point merges out the following two scsi changes due to them needing to be reverted due to abi breakage and reliance on previous commits that we have already reverted: |
||
|
Greg Kroah-Hartman
|
157836a2ab |
This is the 6.1.65 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVsIPcACgkQONu9yGCS aT7+WBAAzFMBvadFg+miHsQM+j94gOCSSq4F01gjjchdyeB3ybE/CBfIEa9abfmZ X1qaor8H7Khxh0aPr4KiRsmjKXBGJ6lR1RjdOKeLwffs/1iUk1zHqC3V4jGELhAM WumR5Lyc1UOMA5oCk/oxGoDZ0YNzXwBwB3hTrhpvuogCw8A3qMiyzo7J928PmNr9 sPo2TDi8HvQLlOZ8G9omVP9FTK20owJvfAj1u+gJyN/NGVXGqAQSvDpdhZ6BMYNG 0Z6DlMdCkOF/iSCdsZBCwPXH697Qt4pkPoeYpqNEi9H54B/LQaRDg6K5z7ON+w+7 jH9gwwSUXZLsohdpVkPWTnUThAQJDK4Wr5Pnf3GN1avePyxW4X7meathyeqP4jxD Oc8Igh464VraTunddwHJ03paoZ8/jXkheB0kxIsJ/jeKqUzxb/7gC6aYKZ3+DF3a 0WicxlLCNTeai2zJCYPiQsxejJmwQ37PU6dcZzLyZefXqIVPBmLJ72HJ8j2zocm0 zY6ezASdUjzzTQIM3CuzJfTOJ0VSeaUnyqUK64Ye7cKbiAKRbZMiSjaTfoNRo9MP 8KasX7pEzyEjpO0rtpHKc0hM7imltXsYjcdDfJYkKBXSUMWRTI/wPH9RFE4sJHqh NmEG/8bAE0v6HaQJK83lEMHZJFGFTvXWySsXowU4gXpcw82/F54= =OY6r -----END PGP SIGNATURE----- Merge 6.1.65 into android14-6.1-lts Changes in 6.1.65 afs: Fix afs_server_list to be cleaned up with RCU afs: Make error on cell lookup failure consistent with OpenAFS drm/panel: boe-tv101wum-nl6: Fine tune the panel power sequence drm/panel: auo,b101uan08.3: Fine tune the panel power sequence drm/panel: simple: Fix Innolux G101ICE-L01 bus flags drm/panel: simple: Fix Innolux G101ICE-L01 timings wireguard: use DEV_STATS_INC() octeontx2-pf: Fix memory leak during interface down ata: pata_isapnp: Add missing error check for devm_ioport_map() drm/i915: do not clean GT table on error path drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full HID: fix HID device resource race between HID core and debugging support ipv4: Correct/silence an endian warning in __ip_do_redirect net: usb: ax88179_178a: fix failed operations during ax88179_reset net/smc: avoid data corruption caused by decline arm/xen: fix xen_vcpu_info allocation alignment octeontx2-pf: Fix ntuple rule creation to direct packet to VF with higher Rx queue than its PF amd-xgbe: handle corner-case during sfp hotplug amd-xgbe: handle the corner-case during tx completion amd-xgbe: propagate the correct speed and duplex status net: axienet: Fix check for partial TX checksum afs: Return ENOENT if no cell DNS record can be found afs: Fix file locking on R/O volumes to operate in local mode mm,kfence: decouple kfence from page granularity mapping judgement arm64: mm: Fix "rodata=on" when CONFIG_RODATA_FULL_DEFAULT_ENABLED=y i40e: use ERR_PTR error print in i40e messages i40e: Fix adding unsupported cloud filters nvmet: nul-terminate the NQNs passed in the connect command USB: dwc3: qcom: fix resource leaks on probe deferral USB: dwc3: qcom: fix ACPI platform device leak lockdep: Fix block chain corruption cifs: minor cleanup of some headers smb3: allow dumping session and tcon id to improve stats analysis and debugging cifs: print last update time for interface list cifs: distribute channels across interfaces based on speed cifs: account for primary channel in the interface list cifs: fix leak of iface for primary channel MIPS: KVM: Fix a build warning about variable set but not used media: camss: Split power domain management media: camss: Convert to platform remove callback returning void media: qcom: Initialise V4L2 async notifier later media: qcom: camss: Fix V4L2 async notifier error path media: qcom: camss: Fix genpd cleanup ext4: add a new helper to check if es must be kept ext4: factor out __es_alloc_extent() and __es_free_extent() ext4: use pre-allocated es in __es_insert_extent() ext4: use pre-allocated es in __es_remove_extent() ext4: using nofail preallocation in ext4_es_remove_extent() ext4: using nofail preallocation in ext4_es_insert_delayed_block() ext4: using nofail preallocation in ext4_es_insert_extent() ext4: fix slab-use-after-free in ext4_es_insert_extent() ext4: make sure allocate pending entry not fail NFSD: Fix "start of NFS reply" pointer passed to nfsd_cache_update() NFSD: Fix checksum mismatches in the duplicate reply cache arm64: dts: imx8mn-var-som: add 20ms delay to ethernet regulator enable ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA swiotlb-xen: provide the "max_mapping_size" method bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce() md: fix bi_status reporting in md_end_clone_io bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up race io_uring/fs: consider link->flags when getting path for LINKAT s390/dasd: protect device queue against concurrent access USB: serial: option: add Luat Air72*U series products hv_netvsc: fix race of netvsc and VF register_netdevice hv_netvsc: Fix race of register_netdevice_notifier and VF register hv_netvsc: Mark VF as slave before exposing it to user-mode dm-delay: fix a race between delay_presuspend and delay_bio bcache: check return value from btree_node_alloc_replacement() bcache: prevent potential division by zero error bcache: fixup init dirty data errors bcache: fixup lock c->root error usb: cdnsp: Fix deadlock issue during using NCM gadget USB: serial: option: add Fibocom L7xx modules USB: serial: option: fix FM101R-GL defines USB: serial: option: don't claim interface 4 for ZTE MF290 usb: typec: tcpm: Skip hard reset when in error recovery USB: dwc2: write HCINT with INTMASK applied usb: dwc3: Fix default mode initialization usb: dwc3: set the dma max_seg_size USB: dwc3: qcom: fix software node leak on probe errors USB: dwc3: qcom: fix wakeup after probe deferral io_uring: fix off-by one bvec index Linux 6.1.65 Change-Id: Iea9267bee56905028a77d03c7fad8def8969246e Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Florian Westphal
|
189c2a8293 |
netfilter: nft_set_pipapo: skip inactive elements during set walk
commit 317eb9685095678f2c9f5a8189de698c5354316a upstream.
Otherwise set elements can be deactivated twice which will cause a crash.
Reported-by: Xingyuan Mo <hdthky0@gmail.com>
Fixes:
|
||
Daniel Borkmann
|
6a71d77856 |
packet: Move reference count in packet_sock to atomic_long_t
commit db3fadacaf0c817b222090290d06ca2a338422d0 upstream. In some potential instances the reference count on struct packet_sock could be saturated and cause overflows which gets the kernel a bit confused. To prevent this, move to a 64-bit atomic reference count on 64-bit architectures to prevent the possibility of this type to overflow. Because we can not handle saturation, using refcount_t is not possible in this place. Maybe someday in the future if it changes it could be used. Also, instead of using plain atomic64_t, use atomic_long_t instead. 32-bit machines tend to be memory-limited (i.e. anything that increases a reference uses so much memory that you can't actually get to 2**32 references). 32-bit architectures also tend to have serious problems with 64-bit atomics. Hence, atomic_long_t is the more natural solution. Reported-by: "The UK's National Cyber Security Centre (NCSC)" <security@ncsc.gov.uk> Co-developed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: stable@kernel.org Reviewed-by: Willem de Bruijn <willemb@google.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/r/20231201131021.19999-1-daniel@iogearbox.net Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Pavel Begunkov
|
f2f57f51b5 |
io_uring/af_unix: disable sending io_uring over sockets
commit 705318a99a138c29a512a72c3e0043b3cd7f55f4 upstream.
File reference cycles have caused lots of problems for io_uring
in the past, and it still doesn't work exactly right and races with
unix_stream_read_generic(). The safest fix would be to completely
disallow sending io_uring files via sockets via SCM_RIGHT, so there
are no possible cycles invloving registered files and thus rendering
SCM accounting on the io_uring side unnecessary.
Cc: <stable@vger.kernel.org>
Fixes:
|
||
Ido Schimmel
|
b5ca945612 |
drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
[ Upstream commit e03781879a0d524ce3126678d50a80484a513c4b ]
The "NET_DM" generic netlink family notifies drop locations over the
"events" multicast group. This is problematic since by default generic
netlink allows non-root users to listen to these notifications.
Fix by adding a new field to the generic netlink multicast group
structure that when set prevents non-root users or root without the
'CAP_SYS_ADMIN' capability (in the user namespace owning the network
namespace) from joining the group. Set this field for the "events"
group. Use 'CAP_SYS_ADMIN' rather than 'CAP_NET_ADMIN' because of the
nature of the information that is shared over this group.
Note that the capability check in this case will always be performed
against the initial user namespace since the family is not netns aware
and only operates in the initial network namespace.
A new field is added to the structure rather than using the "flags"
field because the existing field uses uAPI flags and it is inappropriate
to add a new uAPI flag for an internal kernel check. In net-next we can
rework the "flags" field to use internal flags and fold the new field
into it. But for now, in order to reduce the amount of changes, add a
new field.
Since the information can only be consumed by root, mark the control
plane operations that start and stop the tracing as root-only using the
'GENL_ADMIN_PERM' flag.
Tested using [1].
Before:
# capsh -- -c ./dm_repo
# capsh --drop=cap_sys_admin -- -c ./dm_repo
After:
# capsh -- -c ./dm_repo
# capsh --drop=cap_sys_admin -- -c ./dm_repo
Failed to join "events" multicast group
[1]
$ cat dm.c
#include <stdio.h>
#include <netlink/genl/ctrl.h>
#include <netlink/genl/genl.h>
#include <netlink/socket.h>
int main(int argc, char **argv)
{
struct nl_sock *sk;
int grp, err;
sk = nl_socket_alloc();
if (!sk) {
fprintf(stderr, "Failed to allocate socket\n");
return -1;
}
err = genl_connect(sk);
if (err) {
fprintf(stderr, "Failed to connect socket\n");
return err;
}
grp = genl_ctrl_resolve_grp(sk, "NET_DM", "events");
if (grp < 0) {
fprintf(stderr,
"Failed to resolve \"events\" multicast group\n");
return grp;
}
err = nl_socket_add_memberships(sk, grp, NFNLGRP_NONE);
if (err) {
fprintf(stderr, "Failed to join \"events\" multicast group\n");
return err;
}
return 0;
}
$ gcc -I/usr/include/libnl3 -lnl-3 -lnl-genl-3 -o dm_repo dm.c
Fixes:
|
||
|
Ido Schimmel
|
07c8229c02 |
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
[ Upstream commit 44ec98ea5ea9cfecd31a5c4cc124703cb5442832 ]
The "psample" generic netlink family notifies sampled packets over the
"packets" multicast group. This is problematic since by default generic
netlink allows non-root users to listen to these notifications.
Fix by marking the group with the 'GENL_UNS_ADMIN_PERM' flag. This will
prevent non-root users or root without the 'CAP_NET_ADMIN' capability
(in the user namespace owning the network namespace) from joining the
group.
Tested using [1].
Before:
# capsh -- -c ./psample_repo
# capsh --drop=cap_net_admin -- -c ./psample_repo
After:
# capsh -- -c ./psample_repo
# capsh --drop=cap_net_admin -- -c ./psample_repo
Failed to join "packets" multicast group
[1]
$ cat psample.c
#include <stdio.h>
#include <netlink/genl/ctrl.h>
#include <netlink/genl/genl.h>
#include <netlink/socket.h>
int join_grp(struct nl_sock *sk, const char *grp_name)
{
int grp, err;
grp = genl_ctrl_resolve_grp(sk, "psample", grp_name);
if (grp < 0) {
fprintf(stderr, "Failed to resolve \"%s\" multicast group\n",
grp_name);
return grp;
}
err = nl_socket_add_memberships(sk, grp, NFNLGRP_NONE);
if (err) {
fprintf(stderr, "Failed to join \"%s\" multicast group\n",
grp_name);
return err;
}
return 0;
}
int main(int argc, char **argv)
{
struct nl_sock *sk;
int err;
sk = nl_socket_alloc();
if (!sk) {
fprintf(stderr, "Failed to allocate socket\n");
return -1;
}
err = genl_connect(sk);
if (err) {
fprintf(stderr, "Failed to connect socket\n");
return err;
}
err = join_grp(sk, "config");
if (err)
return err;
err = join_grp(sk, "packets");
if (err)
return err;
return 0;
}
$ gcc -I/usr/include/libnl3 -lnl-3 -lnl-genl-3 -o psample_repo psample.c
Fixes:
|
||
|
John Fastabend
|
af39b80173 |
bpf: sockmap, updating the sg structure should also update curr
[ Upstream commit bb9aefde5bbaf6c168c77ba635c155b4980c2287 ]
Curr pointer should be updated when the sg structure is shifted.
Fixes:
|
||
|
Eric Dumazet
|
008b807fe4 |
tcp: do not accept ACK of bytes we never sent
[ Upstream commit 3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27 ]
This patch is based on a detailed report and ideas from Yepeng Pan
and Christian Rossow.
ACK seq validation is currently following RFC 5961 5.2 guidelines:
The ACK value is considered acceptable only if
it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
SND.NXT). All incoming segments whose ACK value doesn't satisfy the
above condition MUST be discarded and an ACK sent back. It needs to
be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a
duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK
acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an
ACK, drop the segment, and return". The "ignored" above implies that
the processing of the incoming data segment continues, which means
the ACK value is treated as acceptable. This mitigation makes the
ACK check more stringent since any ACK < SND.UNA wouldn't be
accepted, instead only ACKs that are in the range ((SND.UNA -
MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.
This can be refined for new (and possibly spoofed) flows,
by not accepting ACK for bytes that were never sent.
This greatly improves TCP security at a little cost.
I added a Fixes: tag to make sure this patch will reach stable trees,
even if the 'blamed' patch was adhering to the RFC.
tp->bytes_acked was added in linux-4.2
Following packetdrill test (courtesy of Yepeng Pan) shows
the issue at hand:
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1024) = 0
// ---------------- Handshake ------------------- //
// when window scale is set to 14 the window size can be extended to
// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet
// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)
// ,though this ack number acknowledges some data never
// sent by the server.
+0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14>
+0 > S. 0:0(0) ack 1 <...>
+0 < . 1:1(0) ack 1 win 65535
+0 accept(3, ..., ...) = 4
// For the established connection, we send an ACK packet,
// the ack packet uses ack number 1 - 1073725300 + 2^32,
// where 2^32 is used to wrap around.
// Note: we used 1073725300 instead of 1073725440 to avoid possible
// edge cases.
// 1 - 1073725300 + 2^32 = 3221241997
// Oops, old kernels happily accept this packet.
+0 < . 1:1001(1000) ack 3221241997 win 65535
// After the kernel fix the following will be replaced by a challenge ACK,
// and prior malicious frame would be dropped.
+0 > . 1:1(0) ack 1001
Fixes:
|
||
Phil Sutter
|
7a63521ed0 |
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
[ Upstream commit 7ae836a3d630e146b732fe8ef7d86b243748751f ]
A concurrently running sock_orphan() may NULL the sk_socket pointer in
between check and deref. Follow other users (like nft_meta.c for
instance) and acquire sk_callback_lock before dereferencing sk_socket.
Fixes:
|
||
|
Pablo Neira Ayuso
|
3176160c22 |
netfilter: nf_tables: validate family when identifying table via handle
[ Upstream commit f6e1532a2697b81da00bfb184e99d15e01e9d98c ]
Validate table family when looking up for it via NFTA_TABLE_HANDLE.
Fixes:
|
||
|
Pablo Neira Ayuso
|
96f8654b70 |
netfilter: nf_tables: bail out on mismatching dynset and set expressions
[ Upstream commit 3701cd390fd731ee7ae8b8006246c8db82c72bea ]
If dynset expressions provided by userspace is larger than the declared
set expressions, then bail out.
Fixes:
|
||
|
Florian Westphal
|
c9704c2619 |
netfilter: nf_tables: fix 'exist' matching on bigendian arches
[ Upstream commit 63331e37fb227e796894b31d713697612c8dee7f ] Maze reports "tcp option fastopen exists" fails to match on OpenWrt 22.03.5, r20134-5f15225c1e (5.10.176) router. "tcp option fastopen exists" translates to: inet [ exthdr load tcpopt 1b @ 34 + 0 present => reg 1 ] [ cmp eq reg 1 0x00000001 ] .. but existing nft userspace generates a 1-byte compare. On LSB (x86), "*reg32 = 1" is identical to nft_reg_store8(reg32, 1), but not on MSB, which will place the 1 last. IOW, on bigendian aches the cmp8 is awalys false. Make sure we store this in a consistent fashion, so existing userspace will also work on MSB (bigendian). Regardless of this patch we can also change nft userspace to generate 'reg32 == 0' and 'reg32 != 0' instead of u8 == 0 // u8 == 1 when adding 'option x missing/exists' expressions as well. Fixes: |
||
Jeremy Sowden
|
0bfbfd9423 |
netfilter: nft_exthdr: add boolean DCCP option matching
[ Upstream commit b9f9a485fb0eb80b0e2b90410b28cbb9b0e85687 ] The xt_dccp iptables module supports the matching of DCCP packets based on the presence or absence of DCCP options. Extend nft_exthdr to add this functionality to nftables. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=930 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de> Stable-dep-of: 63331e37fb22 ("netfilter: nf_tables: fix 'exist' matching on bigendian arches") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Shigeru Yoshida
|
64c78c57e3 |
ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
[ Upstream commit 80d875cfc9d3711a029f234ef7d680db79e8fa4b ]
In ipgre_xmit(), skb_pull() may fail even if pskb_inet_may_pull() returns
true. For example, applications can use PF_PACKET to create a malformed
packet with no IP header. This type of packet causes a problem such as
uninit-value access.
This patch ensures that skb_pull() can pull the required size by checking
the skb with pskb_network_may_pull() before skb_pull().
Fixes:
|
||
|
Paolo Abeni
|
c91685ac1b |
tcp: fix mid stream window clamp.
[ Upstream commit 58d3aade20cdddbac6c9707ac0f3f5f8c1278b74 ]
After the blamed commit below, if the user-space application performs
window clamping when tp->rcv_wnd is 0, the TCP socket will never be
able to announce a non 0 receive window, even after completely emptying
the receive buffer and re-setting the window clamp to higher values.
Refactor tcp_set_window_clamp() to address the issue: when the user
decreases the current clamp value, set rcv_ssthresh according to the
same logic used at buffer initialization, but ensuring reserved mem
provisioning.
To avoid code duplication factor-out the relevant bits from
tcp_adjust_rcv_ssthresh() in a new helper and reuse it in the above
scenario.
When increasing the clamp value, give the rcv_ssthresh a chance to grow
according to previously implemented heuristic.
Fixes:
|
||
Yewon Choi
|
2c0cbb97b1 |
xsk: Skip polling event check for unbound socket
[ Upstream commit e4d008d49a7135214e0ee70537405b6a069e3a3f ]
In xsk_poll(), checking available events and setting mask bits should
be executed only when a socket has been bound. Setting mask bits for
unbound socket is meaningless.
Currently, it checks events even when xsk_check_common() failed.
To prevent this, we move goto location (skip_tx) after that checking.
Fixes: 1596dae2f17e ("xsk: check IFF_UP earlier in Tx path")
Signed-off-by: Yewon Choi <woni9911@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
Link: https://lore.kernel.org/bpf/20231201061048.GA1510@libra05
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Eric Dumazet
|
a3f5de10b5 |
ipv6: fix potential NULL deref in fib6_add()
[ Upstream commit 75475bb51e78a3f54ad2f69380f2a1c985e85f2d ]
If fib6_find_prefix() returns NULL, we should silently fallback
using fib6_null_entry regardless of RT6_DEBUG value.
syzbot reported:
WARNING: CPU: 0 PID: 5477 at net/ipv6/ip6_fib.c:1516 fib6_add+0x310d/0x3fa0 net/ipv6/ip6_fib.c:1516
Modules linked in:
CPU: 0 PID: 5477 Comm: syz-executor.0 Not tainted 6.7.0-rc2-syzkaller-00029-g9b6de136b5f0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:fib6_add+0x310d/0x3fa0 net/ipv6/ip6_fib.c:1516
Code: 00 48 8b 54 24 68 e8 42 22 00 00 48 85 c0 74 14 49 89 c6 e8 d5 d3 c2 f7 eb 5d e8 ce d3 c2 f7 e9 ca 00 00 00 e8 c4 d3 c2 f7 90 <0f> 0b 90 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 38 80 3c 01 00
RSP: 0018:ffffc90005067740 EFLAGS: 00010293
RAX: ffffffff89cba5bc RBX: ffffc90005067ab0 RCX: ffff88801a2e9dc0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90005067980 R08: ffffffff89cbca85 R09: 1ffff110040d4b85
R10: dffffc0000000000 R11: ffffed10040d4b86 R12: 00000000ffffffff
R13: 1ffff110051c3904 R14: ffff8880206a5c00 R15: ffff888028e1c820
FS: 00007f763783c6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f763783bff8 CR3: 000000007f74d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__ip6_ins_rt net/ipv6/route.c:1303 [inline]
ip6_route_add+0x88/0x120 net/ipv6/route.c:3847
ipv6_route_ioctl+0x525/0x7b0 net/ipv6/route.c:4467
inet6_ioctl+0x21a/0x270 net/ipv6/af_inet6.c:575
sock_do_ioctl+0x152/0x460 net/socket.c:1220
sock_ioctl+0x615/0x8c0 net/socket.c:1339
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82
Fixes:
|
||
Jozsef Kadlecsik
|
875ee3a09e |
netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
[ Upstream commit 28628fa952fefc7f2072ce6e8016968cc452b1ba ]
Linkui Xiao reported that there's a race condition when ipset swap and destroy is
called, which can lead to crash in add/del/test element operations. Swap then
destroy are usual operations to replace a set with another one in a production
system. The issue can in some cases be reproduced with the script:
ipset create hash_ip1 hash:net family inet hashsize 1024 maxelem 1048576
ipset add hash_ip1 172.20.0.0/16
ipset add hash_ip1 192.168.0.0/16
iptables -A INPUT -m set --match-set hash_ip1 src -j ACCEPT
while [ 1 ]
do
# ... Ongoing traffic...
ipset create hash_ip2 hash:net family inet hashsize 1024 maxelem 1048576
ipset add hash_ip2 172.20.0.0/16
ipset swap hash_ip1 hash_ip2
ipset destroy hash_ip2
sleep 0.05
done
In the race case the possible order of the operations are
CPU0 CPU1
ip_set_test
ipset swap hash_ip1 hash_ip2
ipset destroy hash_ip2
hash_net_kadt
Swap replaces hash_ip1 with hash_ip2 and then destroy removes hash_ip2 which
is the original hash_ip1. ip_set_test was called on hash_ip1 and because destroy
removed it, hash_net_kadt crashes.
The fix is to force ip_set_swap() to wait for all readers to finish accessing the
old set pointers by calling synchronize_rcu().
The first version of the patch was written by Linkui Xiao <xiaolinkui@kylinos.cn>.
v2: synchronize_rcu() is moved into ip_set_swap() in order not to burden
ip_set_destroy() unnecessarily when all sets are destroyed.
v3: Florian Westphal pointed out that all netfilter hooks run with rcu_read_lock() held
and em_ipset.c wraps the entire ip_set_test() in rcu read lock/unlock pair.
So there's no need to extend the rcu read locked area in ipset itself.
Closes: https://lore.kernel.org/all/69e7963b-e7f8-3ad0-210-7b86eebf7f78@netfilter.org/
Reported by: Linkui Xiao <xiaolinkui@kylinos.cn>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
fc9e81c1a1 |
ANDROID: Fix up merge issues in 6.1.64 in net/netfilter/nf_tables_api.c
When merging 6.1.64 into the 'android14-6.1-lts' branch, which contained
a subset of the upstream changes in nf_tables_api.c, the merge got
confused and did it "backwards", backing out some of the needed fixes.
This happens when we cherry-pick a subset of the upstream fixes into the
'android14-6.1' branch and then merge the LTS changes.
Fixes:
|
||
|
jianzhou
|
29f0788ed7 |
Merge keystone/android14-6.1-keystone-qcom-release.6.1.43 (ff4725c) into qcom-6.1
* refs/heads/tmp-ff4725c:
UPSTREAM: usb: gadget: udc: Handle gadget_connect failure during bind operation
ANDROID: GKI: Update oplus symbol list
ANDROID: fs/passthrough: Fix compatibility with R/O file system
ANDROID: vendor_hooks: add hooks for adjust kvmalloc_node alloc_flags
FROMLIST: usb: typec: tcpm: Fix sink caps op current check
UPSTREAM: scsi: ufs: core: Add advanced RPMB support where UFSHCI 4.0 does not support EHS length in UTRD
ANDROID: ABI: Update symbol list for MediatTek
ANDROID: vendor_hooks: Add hook for mmc queue
Revert "proc: allow pid_revalidate() during LOOKUP_RCU"
UPSTREAM: scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5
ANDROID: GKI: Update symbols to symbol list
ANDROID: vendor_hook: Add hook to tune readaround size
ANDROID: add for tuning readahead size
ANDROID: vendor_hooks: Add hooks to avoid key threads stalled in memory allocations
ANDROID: GKI: Update oplus symbol list
ANDROID: vendor_hooks: add hooks for adjust kvmalloc_node alloc_flags
UPSTREAM: netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
ANDROID: GKI: Update oplus symbol list update oplus symbol list for Addding hooks for adjusting alloc_flags
ANDROID: vendor_hooks: Add hooks for adjusting alloc_flags
ANDROID: ABI: Update symbol list for imx
ANDROID: abi_gki_aarch64_qcom: Add __netif_rx
ANDROID: ABI: Update sony symbol list and stg
ANDROID: mmc: Add vendor hooks for sdcard failure diagnostics
ANDROID: Update symbol list for mtk
UPSTREAM: scsi: ufs: mcq: Fix the search/wrap around logic
UPSTREAM: scsi: ufs: core: Fix ufshcd_inc_sq_tail() function bug
FROMLIST: ufs: core: Expand MCQ queue slot to DeviceQueueDepth + 1
Revert "ANDROID: KVM: arm64: Don't allocate from handle_host_mem_abort"
BACKPORT: usb: typec: altmodes/displayport: Signal hpd when configuring pin assignment
UPSTREAM: mm: multi-gen LRU: don't spin during memcg release
UPSTREAM: vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
BACKPORT: usb: gadget: uvc: Add missing initialization of ssp config descriptor
BACKPORT: usb: gadget: unconditionally allocate hs/ss descriptor in bind operation
UPSTREAM: usb: gadget: f_uvc: change endpoint allocation in uvc_function_bind()
UPSTREAM: usb: gadget: function: Remove unused declarations
UPSTREAM: usb: gadget: uvc: clean up comments and styling in video_pump
UPSTREAM: mm/page_alloc: use write_seqlock_irqsave() instead write_seqlock() + local_irq_save().
UPSTREAM: cpuidle: teo: Update idle duration estimate when choosing shallower state
BACKPORT: Revert "PCI: dwc: Wait for link up only if link is started"
UPSTREAM: ravb: Fix use-after-free issue in ravb_tx_timeout_work()
UPSTREAM: ravb: Fix up dma_free_coherent() call in ravb_remove()
BACKPORT: usb: typec: altmodes/displayport: Signal hpd low when exiting mode
ANDROID: KVM: arm64: Fix KVM_HOST_S2_DEFAULT_MMIO_PTE encoding
ANDROID: Update the ABI symbol list
ANDROID: fs/proc: Perform priority inheritance around access_remote_vm()
UPSTREAM: serial: 8250_dw: fall back to poll if there's no interrupt
ANDROID: Update the ABI representation
ANDROID: power: Add vendor hook for suspend
ANDROID: Update the ABI symbol list
UPSTREAM: of: reserved-mem: print out reserved-mem details during boot
ANDROID: GKI: Update symbol list for xiaomi "abi_gki_aarch64_xiaomi"
ANDROID: Update symbols list and ABI for qcom
ANDROID: fuse-bpf: Add NULL pointer check in fuse_entry_revalidate
ANDROID: GKI: Update oplus symbol list update oplus symbol list for Addding hooks for adjusting alloc_flags
ANDROID: vendor_hooks: Add hooks for adjusting alloc_flags
UPSTREAM: libceph: harden msgr2.1 frame segment length checks
ANDROID: Update the ABI symbol list
ANDROID: mm: Add vendor hook in filemap_get_folio()
UPSTREAM: netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP
UPSTREAM: netfilter: ipset: Add schedule point in call_ad().
UPSTREAM: net: xfrm: Fix xfrm_address_filter OOB read
UPSTREAM: igb: set max size RX buffer when store bad packet is enabled
ANDROID: GKI: fix ABI breakage in struct hid_device
UPSTREAM: HID: input: map battery system charging
FROMGIT: maple_tree: add GFP_KERNEL to allocations in mas_expected_entries()
UPSTREAM: maple_tree: replace data before marking dead in split and spanning store
UPSTREAM: maple_tree: change mas_adopt_children() parent usage
UPSTREAM: maple_tree: introduce mas_tree_parent() definition
UPSTREAM: maple_tree: introduce mas_put_in_tree()
UPSTREAM: maple_tree: reorder replacement of nodes to avoid live lock
ANDROID: GKI: add allowed list for Exynosauto SoC
ANDROID: Update the ABI symbol list
ANDROID: Update the ABI symbol list
ANDROID: KVM: Update nVHE stack size to 8KB
ANDROID: Update the ABI symbol list
ANDROID: mm: Add vendor hook in rmqueue()
FROMLIST: virt: geniezone: Add memory pin/unpin support
FROMLIST: virt: geniezone: Add block-based demand paging support
FROMLIST: virt: geniezone: Add demand paging support
ANDROID: virt: geniezone: Refactoring memory region support
ANDROID: virt: geniezone: Refactor code comments from mainline v6 accordingly
ANDROID: virt: geniezone: Refactoring vgic to align with upstream v6
ANDROID: virt: geniezone: Refactoring vcpu to align with upstream v6
ANDROID: virt: geniezone: Refactoring vm capability to align with upstream v6
ANDROID: virt: geniezone: Refactoring irqfd to align with upstream v6
ANDROID: sched: Add EXPORT_SYMBOL_GPL for sched_wakeup
ANDROID: vendor_hooks: Export direct reclaim trace points
ANDROID: mm: freeing MIGRATE_ISOLATE page instantly
ANDROID: KVM: arm64: Allow setting device attr in stage-2 PTEs
ANDROID: KVM: arm64: Fix hyp tracing build dependencies
Revert "arm64: errata: Mitigate Ampere1 erratum AC03_CPU_38 at stage-2"
Revert "locking/rtmutex: Fix task->pi_waiters integrity"
Revert "ring-buffer: Fix wrong stat of cpu_buffer->read"
FROMLIST: Revert "fuse: Apply flags2 only when userspace set the FUSE_INIT_EXT"
Revert "sched/psi: Fix avgs_work re-arm in psi_avgs_work()"
Revert "sched/psi: Rearrange polling code in preparation"
Revert "sched/psi: Rename existing poll members in preparation"
Revert "sched/psi: Extract update_triggers side effect"
Revert "sched/psi: Allow unprivileged polling of N*2s period"
Revert "sched/psi: use kernfs polling functions for PSI trigger polling"
Revert "Revert "8250: add support for ASIX devices with a FIFO bug""
ANDROID: GKI: Fix block/genhd.c exports from having their CRC changed
Revert "blk-mq: fix potential io hang by wrong 'wake_batch'"
Revert "bpf: Remove bpf trampoline selector"
Revert "drm/bridge: Introduce pre_enable_prev_first to alter bridge init order"
Revert "drm/bridge: ti-sn65dsi83: Fix enable/disable flow to meet spec"
Linux 6.1.43
dma-buf: fix an error pointer vs NULL bug
dma-buf: keep the signaling time of merged fences v3
test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation
selftests: mptcp: sockopt: use 'iptables-legacy' if available
mptcp: ensure subflow is unhashed before cleaning the backlog
cpufreq: intel_pstate: Drop ACPI _PSS states table patching
ACPI: processor: perflib: Avoid updating frequency QoS unnecessarily
ACPI: processor: perflib: Use the "no limit" frequency QoS
drm/amd/display: Write to correct dirty_rect
drm/amd/display: perform a bounds check before filling dirty rectangles
tracing: Fix trace_event_raw_event_synth() if else statement
drm/amd/display: set per pipe dppclk to 0 when dpp is off
rbd: retrieve and check lock owner twice before blocklisting
rbd: harden get_lock_owner_info() a bit
rbd: make get_lock_owner_info() return a single locker or NULL
dm cache policy smq: ensure IO doesn't prevent cleaner policy progress
drm/i915/dpt: Use shmem for dpt objects
ceph: never send metrics if disable_send_metrics is set
PM: sleep: wakeirq: fix wake irq arming
arm64/sme: Set new vector length before reallocating
ASoC: wm8904: Fill the cache for WM8904_ADC_TEST_0 register
s390/dasd: print copy pair message only for the correct error
s390/dasd: fix hanging device after quiesce/resume
LoongArch: BPF: Enable bpf_probe_read{, str}() on LoongArch
LoongArch: BPF: Fix check condition to call lu32id in move_imm()
Revert "um: Use swap() to make code cleaner"
soundwire: fix enumeration completion
selftests: mptcp: join: only check for ip6tables if needed
net: dsa: qca8k: fix mdb add/del case with 0 VID
net: dsa: qca8k: fix broken search_and_del
net: dsa: qca8k: fix search_and_insert wrong handling of new rule
virtio-net: fix race between set queues and probe
xen: speed up grant-table reclaim
proc/vmcore: fix signedness bug in read_from_oldmem()
locking/rtmutex: Fix task->pi_waiters integrity
irqchip/gic-v4.1: Properly lock VPEs when doing a directLPI invalidation
irq-bcm6345-l1: Do not assume a fixed block to cpu mapping
tpm_tis: Explicitly check for error code
ACPI/IORT: Remove erroneous id_count check in iort_node_get_rmr_info()
nfsd: Remove incorrect check in nfsd4_validate_stateid
file: always lock position for FMODE_ATOMIC_POS
x86/MCE/AMD: Decrement threshold_bank refcount when removing threshold blocks
btrfs: check for commit error at btrfs_attach_transaction_barrier()
btrfs: check if the transaction was aborted at btrfs_wait_for_commit()
btrfs: account block group tree when calculating global reserve size
hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled
hwmon: (k10temp) Enable AMD3255 Proc to show negative temperature
ALSA: hda/relatek: Enable Mute LED on HP 250 G8
ALSA: hda/realtek: Support ASUS G713PV laptop
Revert "xhci: add quirk for host controllers that don't update endpoint DCS"
tty: n_gsm: fix UAF in gsm_cleanup_mux
staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
staging: r8712: Fix memory leak in _r8712_init_xmit_priv()
Documentation: security-bugs.rst: clarify CVE handling
Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group
Revert "usb: xhci: tegra: Fix error check"
usb: xhci-mtk: set the dma max_seg_size
usb: cdns3: fix incorrect calculation of ep_buf_size when more than one config
USB: quirks: add quirk for Focusrite Scarlett
usb: ohci-at91: Fix the unhandle interrupt when resume
usb: misc: ehset: fix wrong if condition
usb: dwc3: don't reset device side if dwc3 was configured as host-only
usb: dwc3: pci: skip BYT GPIO lookup table for hardwired phy
Revert "usb: dwc3: core: Enable AutoRetry feature in the controller"
usb: typec: Use sysfs_emit_at when concatenating the string
usb: typec: Iterate pds array when showing the pd list
usb: typec: Set port->pd before adding device for typec_port
can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED
USB: serial: simple: sort driver entries
USB: serial: simple: add Kaufmann RKS+CAN VCP
USB: serial: option: add Quectel EC200A module support
USB: serial: option: support Quectel EM060K_128
serial: sifive: Fix sifive_serial_console_setup() section
serial: 8250_dw: Preserve original value of DLF register
serial: qcom-geni: drop bogus runtime pm state update
KVM: x86: Disallow KVM_SET_SREGS{2} if incoming CR0 is invalid
KVM: VMX: Don't fudge CR0 and CR4 for restricted L2 guest
KVM: Grab a reference to KVM for VM and vCPU stats file descriptors
usb: gadget: core: remove unbalanced mutex_unlock in usb_gadget_activate
USB: gadget: Fix the memory leak in raw_gadget driver
usb: gadget: call usb_gadget_check_config() to verify UDC capability
Revert "usb: gadget: tegra-xudc: Fix error check in tegra_xudc_powerdomain_init()"
tracing: Fix warning in trace_buffered_event_disable()
ring-buffer: Fix wrong stat of cpu_buffer->read
ata: pata_ns87415: mark ns87560_tf_read static
ublk: fail to recover device if queue setup is interrupted
ublk: fail to start device if queue setup is interrupted
ublk_drv: move ublk_get_device_from_id into ublk_ctrl_uring_cmd
drm/msm: Disallow submit with fence id 0
drm/msm: Switch idr_lock to spinlock
RDMA/irdma: Report correct WC error
RDMA/irdma: Fix op_type reporting in CQEs
drm/amd/display: Unlock on error path in dm_handle_mst_sideband_msg_ready_event()
drm/amd: Fix an error handling mistake in psp_sw_init()
dm raid: protect md_stop() with 'reconfig_mutex'
dm raid: clean up four equivalent goto tags in raid_ctr()
dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths
xenbus: check xen_domain in xenbus_probe_initcall
drm/i915: Fix an error handling path in igt_write_huge()
smb3: do not set NTLMSSP_VERSION flag for negotiate not auth request
block: Fix a source code comment in include/uapi/linux/blkzoned.h
ASoC: fsl_spdif: Silence output on stop
cxl/acpi: Return 'rc' instead of '0' in cxl_parse_cfmws()
cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()
drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb()
RDMA/bnxt_re: Prevent handling any completions after qp destroy
RDMA/mthca: Fix crash when polling CQ for shared QPs
RDMA/irdma: Fix data race on CQP request done
RDMA/irdma: Fix data race on CQP completion stats
RDMA/irdma: Add missing read barriers
drm/msm/adreno: Fix snapshot BINDLESS_DATA size
drm/msm/dpu: drop enum dpu_core_perf_data_bus_id
RDMA/mlx4: Make check for invalid flags stricter
tipc: stop tipc crypto on failure in tipc_node_create
tipc: check return value of pskb_trim()
benet: fix return value check in be_lancer_xmit_workarounds()
net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64
net/sched: mqprio: add extack to mqprio_parse_nlattr()
net/sched: mqprio: refactor nlattr parsing to a separate function
mm: suppress mm fault logging if fatal signal already pending
netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
netfilter: nft_set_rbtree: fix overlap expiration walk
igc: Fix Kernel Panic during ndo_tx_timeout callback
x86/traps: Fix load_unaligned_zeropad() handling for shared TDX memory
platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100
net: stmmac: Apply redundant write work around on 4.xx too
octeontx2-af: Fix hash extraction enable configuration
octeontx2-af: Removed unnecessary debug messages.
team: reset team's flags when down link is P2P device
bonding: reset bond's flags when down link is P2P device
ice: Fix memory management in ice_ethtool_fdir.c
tcp: Reduce chance of collisions in inet6_hashfn().
ipv6 addrconf: fix bug where deleting a mngtmpaddr can create a new temporary address
ethernet: atheros: fix return value check in atl1e_tso_csum()
atheros: fix return value check in atl1_tso()
phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
vxlan: fix GRO with VXLAN-GPE
vxlan: generalize vxlan_parse_gpe_hdr and remove unused args
vxlan: calculate correct header length for GPE
net: hns3: fix wrong bw weight of disabled tc issue
net: hns3: fix wrong tc bandwidth weight data issue
net: hns3: fix the imp capability bit cannot exceed 32 bits issue
net: phy: marvell10g: fix 88x3310 power up
iavf: check for removal state before IAVF_FLAG_PF_COMMS_FAILED
iavf: fix potential deadlock on allocation failure
i40e: Fix an NULL vs IS_ERR() bug for debugfs_create_dir()
media: amphion: Fix firmware path to match linux-firmware
media: staging: atomisp: select V4L2_FWNODE
soundwire: qcom: update status correctly with mask
phy: qcom-snps-femto-v2: properly enable ref clock
phy: qcom-snps-femto-v2: keep cfg_ahb_clk enabled during runtime suspend
phy: qcom-snps: correct struct qcom_snps_hsphy kerneldoc
phy: phy-mtk-dp: Fix an error code in probe()
drm/amd/display: Prevent vtotal from being set to 0
drm/amd/display: Fix possible underflow for displays with large vblank
drm/amd/display: update extended blank for dcn314 onwards
drm/amd/display: Add FAMS validation before trying to use it
drm/amd/display: fix dc/core/dc.c kernel-doc
drm/amd/display: Rework comments on dc file
maple_tree: fix 32 bit mas_next testing
maple_tree: add __init and __exit to test module
test_maple_tree: test modifications while iterating
tracing/probes: Fix to record 0-length data_loc in fetch_store_string*() if fails
Revert "tracing: Add "(fault)" name injection to kernel probes"
tracing: Allow synthetic events to pass around stacktraces
tracing/probes: Fix to avoid double count of the string length on the array
tracing/probes: Add symstr type for dynamic events
mptcp: do not rely on implicit state check in mptcp_listen()
mptcp: introduce 'sk' to replace 'sock->sk' in mptcp_listen()
arm64: errata: Mitigate Ampere1 erratum AC03_CPU_38 at stage-2
KVM: arm64: Condition HW AF updates on config option
drm/ttm: never consider pinned BOs for eviction&swap
tty: fix hang on tty device with no_room set
n_tty: Rename tail to old_tail in n_tty_read()
drm/ttm: Don't leak a resource on eviction error
drm/ttm: Don't print error message if eviction was interrupted
drm/amd/display: Set minimum requirement for using PSR-SU on Phoenix
drm/amd/display: Set minimum requirement for using PSR-SU on Rembrandt
drm/amd/display: Update correct DCN314 register header
drm/amd/display: fix dcn315 single stream crb allocation
drm/amd/display: add pixel rate based CRB allocation support
drm/amd/display: fix unbounded requesting for high pixel rate modes on dcn315
drm/amd/display: use low clocks for no plane configs
drm/amd/display: add ODM case when looking for first split pipe
drm/amd/display: Use min transition for all SubVP plane add/remove
drm/amd/display: Include surface of unaffected streams
drm/amd/display: Copy DC context in the commit streams
drm/amd/display: Enable new commit sequence only for DCN32x
drm/amd/display: Rework context change check
drm/amd/display: Check if link state is valid
drm/amd/display: add FB_DAMAGE_CLIPS support
PCI: rockchip: Don't advertise MSI-X in PCIe capabilities
PCI: rockchip: Fix window mapping and address translation for endpoint
PCI: rockchip: Remove writes to unused registers
PCI/ASPM: Avoid link retraining race
PCI/ASPM: Factor out pcie_wait_for_retrain()
PCI/ASPM: Return 0 or -ETIMEDOUT from pcie_retrain_link()
MIPS: Loongson: Fix build error when make modules_install
MIPS: Loongson: Move arch cflags to MIPS top level Makefile
i2c: nomadik: Remove a useless call in the remove function
i2c: nomadik: Use devm_clk_get_enabled()
i2c: nomadik: Remove unnecessary goto label
i2c: Improve size determinations
i2c: Delete error messages for failed memory allocations
btrfs: fix race between quota disable and relocation
gpio: mvebu: fix irq domain leak
gpio: mvebu: Make use of devm_pwmchip_add
pwm: Add a stub for devm_pwmchip_add()
gpio: tps68470: Make tps68470_gpio_output() always set the initial value
io_uring: don't audit the capability check in io_uring_create()
KVM: s390: pv: fix index value of replaced ASCE
powerpc/pseries/vas: Hold mmap_mutex after mmap lock during window close
blk-mq: Fix stall due to recursive flush plug
jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint
drm/amd: Align SMU11 SMU_MSG_OverridePcieParameters implementation with SMU13
drm/amd: Move helper for dynamic speed switch check out of smu13
ovl: fix null pointer dereference in ovl_permission()
drm/amd/display: Keep PHY active for dp config
platform/x86/amd/pmf: reduce verbosity of apmf_get_system_params
platform/x86/amd/pmf: Notify OS power slider update
netfilter: nf_tables: fix underflow in chain reference counter
netfilter: nf_tables: fix underflow in object reference counter
ANDROID: ABI: Update STG ABI to format version 2
Linux 6.1.42
Revert "drm/amd/display: edp do not add non-edid timings"
drm/amd/display: Add polling method to handle MST reply packet
drm/amd/display: fix linux dp link lost handled only one time
drm/amd/display: Clean up errors & warnings in amdgpu_dm.c
drm/amd/display: force connector state when bpc changes during compliance
drm/dp_mst: Clear MSG_RDY flag before sending new message
drm/amd/display: fix some coding style issues
drm/amd/display: use max_dsc_bpp in amdgpu_dm
selftests/bpf: Fix sk_assign on s390x
selftests/bpf: Workaround verification failure for fexit_bpf2bpf/func_replace_return_code
selftests/bpf: make test_align selftest more robust
bpf: aggressively forget precise markings during state checkpointing
bpf: stop setting precise in current state
bpf: allow precision tracking for programs with subprogs
scripts/kallsyms: update the usage in the comment block
scripts/kallsyms.c Make the comment up-to-date with current implementation
kallsyms: add kallsyms_seqs_of_names to list of special symbols
spi: dw: Remove misleading comment for Mount Evans SoC
drm/ttm: fix bulk_move corruption when adding a entry
tracing/histograms: Return an error if we fail to add histogram to hist_vars list
jbd2: recheck chechpointing non-dirty buffer
net: phy: prevent stale pointer dereference in phy_init()
tcp: annotate data-races around fastopenq.max_qlen
tcp: annotate data-races around icsk->icsk_user_timeout
tcp: annotate data-races around tp->notsent_lowat
tcp: annotate data-races around rskq_defer_accept
tcp: annotate data-races around tp->linger2
tcp: annotate data-races around icsk->icsk_syn_retries
tcp: annotate data-races around tp->keepalive_probes
tcp: annotate data-races around tp->keepalive_intvl
tcp: annotate data-races around tp->keepalive_time
tcp: annotate data-races around tp->tsoffset
tcp: annotate data-races around tp->tcp_tx_delay
Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()
Bluetooth: ISO: fix iso_conn related locking and validity issues
Bluetooth: hci_event: call disconnect callback before deleting conn
Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync
netfilter: nf_tables: skip bound chain on rule flush
netfilter: nf_tables: skip bound chain in netns release path
netfilter: nft_set_pipapo: fix improper element removal
netfilter: nf_tables: can't schedule in nft_chain_validate
netfilter: nf_tables: fix spurious set element insertion failure
ALSA: hda/realtek: Fix generic fixup definition for cs35l41 amp
llc: Don't drop packet from non-root netns.
fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
Revert "tcp: avoid the lookup process failing to get sk in ehash table"
net:ipv6: check return value of pskb_trim()
net: ipv4: Use kfree_sensitive instead of kfree
tcp: annotate data-races around tcp_rsk(req)->ts_recent
tcp: annotate data-races around tcp_rsk(req)->txhash
net: ipv4: use consistent txhash in TIME_WAIT and SYN_RECV
igc: Prevent garbled TX queue with XDP ZEROCOPY
igc: Avoid transmit queue timeout for XDP
bpf, arm64: Fix BTI type used for freplace attached functions
bpf: Repeat check_max_stack_depth for async callbacks
bpf: Fix subprog idx logic in check_max_stack_depth
octeontx2-pf: Dont allocate BPIDs for LBK interfaces
security: keys: Modify mismatched function name
iavf: fix reset task race with iavf_remove()
iavf: fix a deadlock caused by rtnl and driver's lock circular dependencies
iavf: Wait for reset in callbacks which trigger it
iavf: make functions static where possible
iavf: send VLAN offloading caps once after VFR
iavf: Move netdev_update_features() into watchdog task
iavf: use internal state to free traffic IRQs
iavf: Fix out-of-bounds when setting channels on remove
iavf: Fix use-after-free in free_netdev
net: dsa: microchip: correct KSZ8795 static MAC table access
net: dsa: microchip: ksz8_r_sta_mac_table(): Avoid using error code for empty entries
net: dsa: microchip: ksz8: Make ksz8_r_sta_mac_table() static
net: dsa: microchip: ksz8: Separate static MAC table operations for code reuse
net: sched: cls_bpf: Undo tcf_bind_filter in case of an error
net: sched: cls_u32: Undo refcount decrement in case update failed
net: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode
net: sched: cls_matchall: Undo tcf_bind_filter in case of failure after mall_set_parms
ASoC: SOF: ipc3-dtrace: uninitialized data in dfsentry_trace_filter_write()
cifs: fix mid leak during reconnection after timeout threshold
net: ethernet: mtk_eth_soc: handle probe deferral
bridge: Add extack warning when enabling STP in netns.
net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field()
dsa: mv88e6xxx: Do a final check before timing out
kallsyms: strip LTO-only suffixes from promoted global functions
kallsyms: Correctly sequence symbols when CONFIG_LTO_CLANG=y
kallsyms: Improve the performance of kallsyms_lookup_name()
spi: s3c64xx: clear loopback bit after loopback test
btrfs: be a bit more careful when setting mirror_num_ret in btrfs_map_block
perf build: Fix library not found error when using CSLIBS
fbdev: imxfb: Removed unneeded release_mem_region
fbdev: imxfb: warn about invalid left/right margin
spi: bcm63xx: fix max prepend length
pinctrl: renesas: rzg2l: Handle non-unique subnode names
pinctrl: renesas: rzv2m: Handle non-unique subnode names
sched/psi: use kernfs polling functions for PSI trigger polling
sched/psi: Allow unprivileged polling of N*2s period
sched/psi: Extract update_triggers side effect
sched/psi: Rename existing poll members in preparation
sched/psi: Rearrange polling code in preparation
sched/psi: Fix avgs_work re-arm in psi_avgs_work()
sched/fair: Use recent_used_cpu to test p->cpus_ptr
ASoC: qcom: q6apm: do not close GPR port before closing graph
ASoC: codecs: wcd938x: fix dB range for HPHL and HPHR
ASoC: codecs: wcd938x: fix mbhc impedance loglevel
ASoC: amd: acp: fix for invalid dai id handling in acp_get_byte_count()
net: hns3: fix strncpy() not using dest-buf length as length issue
igb: Fix igb_down hung on surprise removal
wifi: iwlwifi: pcie: add device id 51F1 for killer 1675
wifi: iwlwifi: mvm: avoid baid size integer overflow
wifi: iwlwifi: Add support for new PCI Id
wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()
devlink: report devlink_port_type_warn source device
net: ethernet: litex: add support for 64 bit stats
wifi: ath11k: fix memory leak in WMI firmware stats
spi: dw: Add compatible for Intel Mount Evans SoC
wifi: mac80211_hwsim: Fix possible NULL dereference
wifi: ath11k: add support default regdb while searching board-2.bin for WCN6855
bpf: tcp: Avoid taking fast sock lock in iterator
bpf: Address KCSAN report on bpf_lru_list
bpf: Print a warning only if writing to unprivileged_bpf_disabled.
wifi: ath11k: fix registration of 6Ghz-only phy without the full channel range
sched/fair: Don't balance task to its current running CPU
rcu: Mark additional concurrent load from ->cpu_no_qs.b.exp
rcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic()
ACPI: video: Add backlight=native DMI quirk for Dell Studio 1569
FS: JFS: Check for read-only mounted filesystem in txBegin
FS: JFS: Fix null-ptr-deref Read in txBegin
MIPS: dec: prom: Address -Warray-bounds warning
fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev
udf: Fix uninitialized array access for some pathnames
ovl: check type and offset of struct vfsmount in ovl_entry
HID: add quirk for 03f0:464a HP Elite Presenter Mouse
quota: fix warning in dqgrab()
quota: Properly disable quotas when add_dquot_ref() fails
ALSA: emu10k1: roll up loops in DSP setup code for Audigy
drm/radeon: Fix integer overflow in radeon_cs_parser_init
ext4: correct inline offset when handling xattrs in inode body
ASoC: codecs: wcd938x: fix soundwire initialisation race
ASoC: codecs: wcd938x: fix codec initialisation race
ASoC: codecs: wcd934x: fix resource leaks on component remove
ASoC: codecs: wcd938x: fix missing mbhc init error handling
ASoC: codecs: wcd938x: fix resource leaks on component remove
ASoC: tegra: Fix AMX byte map
ASoC: qdsp6: audioreach: fix topology probe deferral
ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove
ASoC: codecs: wcd938x: fix missing clsh ctrl error handling
ASoC: cs42l51: fix driver to properly autoload with automatic module loading
ASoC: rt5640: Fix sleep in atomic context
ASoC: tegra: Fix ADX byte map
ASoC: fsl_sai: Revert "ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode"
ASoC: fsl_sai: Disable bit clock with transmitter
drm/amd/display: Keep PHY active for DP displays on DCN31
drm/amd/display: check TG is non-null before checking if enabled
drm/amd/display: Disable MPC split by default on special asic
drm/amd/display: only accept async flips for fast updates
drm/client: Fix memory leak in drm_client_modeset_probe
drm/client: Fix memory leak in drm_client_target_cloned
drm/amdgpu/pm: make mclk consistent for smu 13.0.7
drm/amdgpu/pm: make gfxclock consistent for sienna cichlid
drm/amdgpu/vkms: relax timer deactivation by hrtimer_try_to_cancel
dma-buf/dma-resv: Stop leaking on krealloc() failure
selftests: tc: add ConnTrack procfs kconfig
can: gs_usb: gs_can_open(): improve error handling
can: bcm: Fix UAF in bcm_proc_show()
can: mcp251xfd: __mcp251xfd_chip_set_mode(): increase poll timeout
arm64/fpsimd: Ensure SME storage is allocated after SVE VL changes
regmap: Account for register length in SMBus I/O limits
of: Preserve "of-display" device name for compatibility
regmap: Drop initial version of maximum transfer length fixes
selftests: tc: add 'ct' action kconfig dep
selftests: tc: set timeout to 15 minutes
btrfs: fix race between balance and cancel/pause
fuse: ioctl: translate ENOSYS in outarg
btrfs: zoned: fix memory leak after finding block group with super blocks
btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand
fuse: Apply flags2 only when userspace set the FUSE_INIT_EXT
fuse: revalidate: don't invalidate if interrupted
btrfs: fix warning when putting transaction with qgroups enabled after abort
perf probe: Add test for regression introduced by switch to die_get_decl_file()
keys: Fix linking a duplicate key to a keyring's assoc_array
maple_tree: fix node allocation testing on 32 bit
maple_tree: set the node limit when creating a new root node
ALSA: hda/realtek: Enable Mute LED on HP Laptop 15s-eq2xxx
ALSA: hda/realtek: Add quirk for Clevo NS70AU
ALSA: hda/realtek - remove 3k pull low procedure
io_uring: treat -EAGAIN for REQ_F_NOWAIT as final for io-wq
Linux 6.1.41
x86/cpu/amd: Add a Zenbleed fix
x86/cpu/amd: Move the errata checking functionality up
Linux 6.1.40
net/ncsi: change from ndo_set_mac_address to dev_set_mac_address
net/ncsi: make one oem_gma function for all mfr id
drm/atomic: Fix potential use-after-free in nonblocking commits
net/sched: sch_qfq: reintroduce lmax bound check for MTU
swiotlb: mark swiotlb_memblock_alloc() as __init
Revert "drm/amd: Disable PSR-SU on Parade 0803 TCON"
MIPS: kvm: Fix build error with KVM_MIPS_DEBUG_COP0_COUNTERS enabled
scsi: qla2xxx: Fix end of loop test
scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
scsi: qla2xxx: Pointer may be dereferenced
scsi: qla2xxx: Correct the index of array
scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
scsi: qla2xxx: Fix potential NULL pointer dereference
scsi: qla2xxx: Fix buffer overrun
scsi: qla2xxx: Avoid fcport pointer dereference
scsi: qla2xxx: Array index may go out of bound
scsi: qla2xxx: Fix mem access after free
scsi: qla2xxx: Wait for io return on terminate rport
scsi: qla2xxx: Fix hang in task management
scsi: qla2xxx: Fix task management cmd fail due to unavailable resource
scsi: qla2xxx: Fix task management cmd failure
scsi: qla2xxx: Multi-que support for TMF
tracing/user_events: Fix struct arg size match check
tracing/probes: Fix to update dynamic data counter if fetcharg uses it
tracing/probes: Fix not to count error code to total length
selftests: mptcp: pm_nl_ctl: fix 32-bit support
selftests: mptcp: depend on SYN_COOKIES
selftests: mptcp: userspace_pm: report errors with 'remove' tests
selftests: mptcp: userspace_pm: use correct server port
selftests: mptcp: sockopt: return error if wrong mark
selftests: mptcp: connect: fail if nft supposed to work
tracing: Fix null pointer dereference in tracing_err_log_open()
fprobe: Ensure running fprobe_exit_handler() finished before calling rethook_free()
fprobe: Release rethook after the ftrace_ops is unregistered
pwm: meson: fix handling of period/duty if greater than UINT_MAX
pwm: meson: modify and simplify calculation in meson_pwm_get_state
PM: QoS: Restore support for default value on frequency QoS
perf/x86: Fix lockdep warning in for_each_sibling_event() on SPR
xtensa: ISS: fix call to split_if_spec
cifs: if deferred close is disabled then close files immediately
drm/amd/pm: conditionally disable pcie lane/speed switching for SMU13
drm/amd/pm: share the code around SMU13 pcie parameters update
ftrace: Fix possible warning on checking all pages used in ftrace_process_locs()
ring-buffer: Fix deadloop issue on reading trace_pipe
net: ena: fix shift-out-of-bounds in exponential backoff
regmap-irq: Fix out-of-bounds access when allocating config buffers
perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start()
samples: ftrace: Save required argument registers in sample trampolines
nvme: don't reject probe due to duplicate IDs for single-ported PCIe devices
tracing: Fix memory leak of iter->temp when reading trace_pipe
tracing/histograms: Add histograms to hist_vars if they have referenced variables
dm: verity-loadpin: Add NULL pointer check for 'bdev' parameter
s390/decompressor: fix misaligned symbol build error
bus: ixp4xx: fix IXP4XX_EXP_T1_MASK
Revert "8250: add support for ASIX devices with a FIFO bug"
soundwire: qcom: fix storing port config out-of-bounds
opp: Fix use-after-free in lazy_opp_tables after probe deferral
meson saradc: fix clock divider mask length
xhci: Show ZHAOXIN xHCI root hub speed correctly
xhci: Fix TRB prefetch issue of ZHAOXIN hosts
xhci: Fix resume issue of some ZHAOXIN hosts
ceph: don't let check_caps skip sending responses for revoke msgs
ceph: fix blindly expanding the readahead windows
ceph: add a dedicated private data for netfs rreq
libceph: harden msgr2.1 frame segment length checks
firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool()
tty: serial: imx: fix rs485 rx after tx
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
serial: atmel: don't enable IRQs prematurely
drm/ttm: Don't leak a resource on swapout move error
drm/amdgpu: avoid restore process run into dead loop.
drm/amd/display: Add monitor specific edid quirk
drm/amd/display: Correct `DMUB_FW_VERSION` macro
drm/amd/display: add a NULL pointer check
drm/amd: Disable PSR-SU on Parade 0803 TCON
drm/amdgpu: fix clearing mappings for BOs that are always valid in VM
drm/amd/display: disable seamless boot if force_odm_combine is enabled
drm/amd/display: Remove Phantom Pipe Check When Calculating K1 and K2
drm/amd/display: edp do not add non-edid timings
drm/amd/display: fix seamless odm transitions
drm/rockchip: vop: Leave vblank enabled in self-refresh
drm/atomic: Allow vblank-enabled + self-refresh "disable"
scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused by lpfc_nlp_not_used()
fs: dlm: fix mismatch of plock results from userspace
fs: dlm: make F_SETLK use unkillable wait_event
fs: dlm: interrupt posix locks only when process is killed
fs: dlm: fix cleanup pending ops when interrupted
fs: dlm: return positive pid value for F_GETLK
dm init: add dm-mod.waitfor to wait for asynchronously probed block devices
md/raid0: add discard support for the 'original' layout
mfd: pm8008: Fix module autoloading
misc: pci_endpoint_test: Re-init completion for every test
misc: pci_endpoint_test: Free IRQs before removing the device
PCI: rockchip: Set address alignment for endpoint mode
PCI: rockchip: Use u32 variable to access 32-bit registers
PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core
PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked
PCI: rockchip: Write PCI Device ID to correct register
PCI: rockchip: Assert PCI Configuration Enable bit after probe
PCI: epf-test: Fix DMA transfer completion detection
PCI: epf-test: Fix DMA transfer completion initialization
PCI: qcom: Disable write access to read only registers for IP v2.3.3
PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
PCI: Release resource invalidated by coalescing
PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold
s390/zcrypt: do not retry administrative requests
scsi: mpi3mr: Propagate sense data for admin queue SCSI I/O
dm integrity: reduce vmalloc space footprint on 32-bit architectures
hwrng: imx-rngc - fix the timeout for init and self check
jfs: jfs_dmap: Validate db_l2nbperpage while mounting
ext2/dax: Fix ext2_setsize when len is page aligned
soc: qcom: mdt_loader: Fix unconditional call to scm_pas_mem_setup
fs: dlm: revert check required context while close
ext4: only update i_reserved_data_blocks on successful block allocation
ext4: turn quotas off if mount failed after enabling quotas
ext4: fix to check return value of freeze_bdev() in ext4_shutdown()
ext4: fix wrong unit use in ext4_mb_new_blocks
ext4: get block from bh in ext4_free_blocks for fast commit replay
ext4: fix wrong unit use in ext4_mb_clear_bb
ext4: Fix reusing stale buffer heads from last failed mounting
MIPS: KVM: Fix NULL pointer dereference
MIPS: Loongson: Fix cpu_probe_loongson() again
powerpc/64s: Fix native_hpte_remove() to be irq-safe
powerpc/security: Fix Speculation_Store_Bypass reporting on Power10
misc: fastrpc: Create fastrpc scalar with correct buffer count
powerpc: Fail build if using recordmcount with binutils v2.37
tracing/user_events: Fix incorrect return value for writing operation when events are disabled
kasan: add kasan_tag_mismatch prototype
net: phy: dp83td510: fix kernel stall during netboot in DP83TD510E PHY driver
net: bcmgenet: Ensure MDIO unregistration has clocks enabled
mtd: rawnand: meson: fix unaligned DMA buffers handling
tpm: return false from tpm_amd_is_rng_defective on non-x86 platforms
tpm: tis_i2c: Limit write bursts to I2C_SMBUS_BLOCK_MAX (32) bytes
tpm: tis_i2c: Limit read bursts to I2C_SMBUS_BLOCK_MAX (32) bytes
tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
tpm: Do not remap from ACPI resources again for Pluton TPM
pinctrl: amd: Unify debounce handling into amd_pinconf_set()
pinctrl: amd: Drop pull up select configuration
pinctrl: amd: Use amd_pinconf_set() for all config options
pinctrl: amd: Only use special debounce behavior for GPIO 0
pinctrl: amd: Revert "pinctrl: amd: disable and mask interrupts on probe"
pinctrl: amd: Detect and mask spurious interrupts
pinctrl: amd: Fix mistake in handling clearing pins at startup
pinctrl: amd: Detect internal GPIO0 debounce handling
pinctrl: amd: Add fields for interrupt status and wake status
pinctrl: amd: Adjust debugfs output
pinctrl: amd: Add Z-state wake control bits
f2fs: fix deadlock in i_xattr_sem and inode page lock
f2fs: fix the wrong condition to determine atomic context
drm/amd/pm: add abnormal fan detection for smu 13.0.0
drm/amdgpu: Fix minmax warning
drm/amdgpu: add the fan abnormal detection feature
drm/amd/pm: revise the ASPM settings for thunderbolt attached scenario
drm/amdgpu/sdma4: set align mask to 255
drm/client: Send hotplug event after registering a client
cifs: fix session state check in smb2_find_smb_ses
ovl: fix null pointer dereference in ovl_get_acl_rcu()
ovl: let helper ovl_i_path_real() return the realinode
fs/ntfs3: Check fields while reading
nvme-pci: fix DMA direction of unmapping integrity data
net/sched: sch_qfq: account for stab overhead in qfq_enqueue
net/sched: sch_qfq: refactor parsing of netlink parameters
wifi: rtw89: debug: fix error code in rtw89_debug_priv_send_h2c_set()
net/sched: make psched_mtu() RTNL-less safe
netdevsim: fix uninitialized data in nsim_dev_trap_fa_cookie_write()
riscv: mm: fix truncation warning on RV32
net/sched: flower: Ensure both minimum and maximum ports are specified
bpf: cpumap: Fix memory leak in cpu_map_update_elem
wifi: airo: avoid uninitialized warning in airo_get_rate()
erofs: fix fsdax unavailability for chunk-based regular files
erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF
erofs: avoid useless loops in z_erofs_pcluster_readmore() when reading beyond EOF
octeontx2-pf: Add additional check for MCAM rules
drm/i915: Fix one wrong caching mode enum usage
drm/i915: Don't preserve dpll_hw_state for slave crtc in Bigjoiner
riscv, bpf: Fix inconsistent JIT image generation
nvme: fix the NVME_ID_NS_NVM_STS_MASK definition
igc: Fix inserting of empty frame for launchtime
igc: Fix launchtime before start of cycle
kernel/trace: Fix cleanup logic of enable_trace_eprobe
platform/x86: wmi: Break possible infinite loop when parsing GUID
net: dsa: qca8k: Add check for skb_copy
ipv6/addrconf: fix a potential refcount underflow for idev
NTB: ntb_tool: Add check for devm_kcalloc
NTB: ntb_transport: fix possible memory leak while device_register() fails
ntb: intel: Fix error handling in intel_ntb_pci_driver_init()
NTB: amd: Fix error handling in amd_ntb_pci_driver_init()
ntb: idt: Fix error handling in idt_pci_driver_init()
udp6: fix udp6_ehashfn() typo
icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().
net: prevent skb corruption on frag list segmentation
net: bgmac: postpone turning IRQs off to avoid SoC hangs
ionic: remove WARN_ON to prevent panic_on_warn
octeontx2-af: Move validation of ptp pointer before its usage
octeontx2-af: Promisc enable/disable through mbox
gve: Set default duplex configuration to full
net/sched: cls_fw: Fix improper refcount update leads to use-after-free
net: mvneta: fix txq_map in case of txq_number==1
bpf: Fix max stack depth check for async callbacks
scsi: ufs: ufs-mediatek: Add dependency for RESET_CONTROLLER
scsi: qla2xxx: Fix error code in qla2x00_start_sp()
blk-crypto: use dynamic lock class for blk_crypto_profile::lock
igc: Handle PPS start time programming for past time values
igc: set TP bit in 'supported' and 'advertising' fields of ethtool_link_ksettings
net/mlx5e: Check for NOT_READY flag state after locking
net/mlx5e: fix memory leak in mlx5e_ptp_open
net/mlx5e: fix memory leak in mlx5e_fs_tt_redirect_any_create
net/mlx5e: fix double free in mlx5e_destroy_flow_table
igc: Remove delay during TX ring configuration
ice: Fix max_rate check while configuring TX rate limits
drm/panel: simple: Add Powertip PH800480T013 drm_display_mode flags
swiotlb: reduce the number of areas to match actual memory pool size
swiotlb: reduce the swiotlb buffer size on allocation failure
swiotlb: always set the number of areas before allocating the pool
drm/bridge: ti-sn65dsi86: Fix auxiliary bus lifetime
drm/panel: simple: Add connector_type for innolux_at043tn24
ksmbd: fix out of bounds read in smb2_sess_setup
ksmbd: add missing compound request handing in some commands
workqueue: clean up WORK_* constant types, clarify masking
net: lan743x: Don't sleep in atomic context
HID: amd_sfh: Fix for shift-out-of-bounds
HID: amd_sfh: Rename the float32 variable
Linux 6.1.39
io_uring: Use io_schedule* in cqring wait
sh: hd64461: Handle virq offset for offchip IRQ base and HD64461 IRQ
sh: mach-dreamcast: Handle virq offset in cascaded IRQ demux
sh: mach-highlander: Handle virq offset in cascaded IRL demux
sh: mach-r2d: Handle virq offset in cascaded IRL demux
block/partition: fix signedness issue for Amiga partitions
tty: serial: fsl_lpuart: add earlycon for imx8ulp platform
wireguard: netlink: send staged packets when setting initial private key
wireguard: queueing: use saner cpu selection wrapping
netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
netfilter: nf_tables: do not ignore genmask when looking up chain by id
netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
netfilter: nf_tables: unbind non-anonymous set if rule construction fails
mtd: parsers: refer to ARCH_BCMBCA instead of ARCH_BCM4908
drm/i915/tc: Fix system resume MST mode restore for DP-alt sinks
drm/i915/tc: Fix TC port link ref init for DP MST during HW readout
drm/i915: Fix TypeC mode initialization during system resume
mm/mmap: Fix extra maple tree write
xfs: fix xfs_inodegc_stop racing with mod_delayed_work
xfs: disable reaping in fscounters scrub
xfs: check that per-cpu inodegc workers actually run on that cpu
xfs: explicitly specify cpu when forcing inodegc delayed work to run immediately
fs: no need to check source
blktrace: use inline function for blk_trace_remove() while blktrace is disabled
leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename
ARM: orion5x: fix d2net gpio initialization
ARM: dts: qcom: ipq4019: fix broken NAND controller properties override
regulator: tps65219: Fix matching interrupts for their regulators
ASoC: mediatek: mt8173: Fix snd_soc_component_initialize error path
ASoC: mediatek: mt8173: Fix irq error path
btrfs: do not BUG_ON() on tree mod log failure at __btrfs_cow_block()
btrfs: fix extent buffer leak after tree mod log failure at split_node()
btrfs: fix race when deleting quota root from the dirty cow roots list
btrfs: reinsert BGs failed to reclaim
btrfs: add block-group tree to lockdep classes
btrfs: bail out reclaim process if filesystem is read-only
btrfs: delete unused BGs while reclaiming BGs
btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile
ipvs: increase ip_vs_conn_tab_bits range for 64BIT
usb: typec: ucsi: Mark dGPUs as DEVICE scope
i2c: nvidia-gpu: Remove ccgx,firmware-build property
i2c: nvidia-gpu: Add ACPI property to align with device-tree
fs: Lock moved directories
fs: Establish locking order for unrelated directories
Revert "f2fs: fix potential corruption when moving a directory"
ext4: Remove ext4 locking of moved directory
fs: avoid empty option when generating legacy mount string
jffs2: reduce stack usage in jffs2_build_xattr_subsystem()
shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs
mm/damon/ops-common: atomically test and clear young on ptes and pmds
autofs: use flexible array in ioctl structure
integrity: Fix possible multiple allocation in integrity_inode_get()
um: Use HOST_DIR for mrproper
watch_queue: prevent dangling pipe pointer
bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent
bcache: Remove unnecessary NULL point check in node allocations
bcache: fixup btree_cache_wait list damage
wifi: mt76: mt7921e: fix init command fail with enabled device
wifi: ath10k: Serialize wake_tx_queue ops
wifi: cfg80211: fix regulatory disconnect for non-MLO
mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used.
mmc: mmci: Set PROBE_PREFER_ASYNCHRONOUS
mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
mmc: core: disable TRIM on Kingston EMMC04G-M627
io_uring: wait interruptibly for request completions on exit
irqchip/loongson-pch-pic: Fix initialization of HT vector register
NFSD: add encoding of op_recall flag for write delegation
irqchip/loongson-pch-pic: Fix potential incorrect hwirq assignment
i2c: qup: Add missing unwind goto in qup_i2c_probe()
btrfs: do not BUG_ON() on tree mod log failure at balance_level()
extcon: usbc-tusb320: Unregister typec port on driver removal
extcon: usbc-tusb320: Convert to i2c's .probe_new()
dm ioctl: Avoid double-fetch of version
dm ioctl: have constant on the right side of the test
dm: avoid split of quoted strings where possible
dm: fix undue/missing spaces
i2c: xiic: Don't try to handle more interrupt events after error
apparmor: fix missing error check for rhashtable_insert_fast
sh: dma: Fix DMA channel offset calculation
s390/qeth: Fix vipa deletion
afs: Fix accidental truncation when storing data
octeontx-af: fix hardware timestamp configuration
net: dsa: sja1105: always enable the send_meta options
net: dsa: tag_sja1105: fix MAC DA patching from meta frames
pptp: Fix fib lookup calls.
riscv: move memblock_allow_resize() after linear mapping is ready
fanotify: disallow mount/sb marks on kernel internal pseudo fs
net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
xsk: Honor SO_BINDTODEVICE on bind
bpf, btf: Warn but return no error for NULL btf from __register_btf_kfunc_id_set()
tcp: annotate data races in __tcp_oow_rate_limited()
net: fix net_dev_start_xmit trace event vs skb_transport_offset()
net: dsa: tag_sja1105: fix source port decoding in vlan_filtering=0 bridge mode
net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode
powerpc: dts: turris1x.dts: Fix PCIe MEM size for pci2 node
powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()
octeontx2-af: Add validation before accessing cgx and lmac
octeontx2-af: Fix mapping for NIX block from CGX connection
f2fs: fix error path handling in truncate_dnode()
mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0
drm/amd: Don't try to enable secure display TA multiple times
drm/amdgpu: fix number of fence calculations
spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
mlxsw: minimal: fix potential memory leak in mlxsw_m_linecards_init
net: dsa: vsc73xx: fix MTU configuration
ibmvnic: Do not reset dql stats on NON_FATAL err
Bluetooth: MGMT: Fix marking SCAN_RSP as not connectable
Bluetooth: MGMT: Use BIT macro when defining bitfields
Bluetooth: MGMT: add CIS feature bits to controller information
Bluetooth: ISO: use hci_sync for setting CIG parameters
Bluetooth: fix invalid-bdaddr quirk for non-persistent setup
Add MODULE_FIRMWARE() for FIRMWARE_TG357766.
net: dsa: tag_sja1105: always prefer source port information from INCL_SRCPT
net: dsa: sja1105: always enable the INCL_SRCPT option
net: dsa: felix: don't drop PTP frames with tag_8021q when RX timestamping is disabled
net: mscc: ocelot: don't keep PTP configuration of all ports in single structure
net: mscc: ocelot: don't report that RX timestamping is enabled by default
spi: spi-geni-qcom: enable SPI_CONTROLLER_MUST_TX for GPI DMA mode
net/sched: act_ipt: add sanity checks on skb before calling target
net: add a couple of helpers for iph tot_len
net/sched: act_ipt: add sanity checks on table name and hook locations
sctp: fix potential deadlock on &net->sctp.addr_wq_lock
media: cec: i2c: ch7322: also select REGMAP
f2fs: check return value of freeze_super()
drm/i915/guc/slpc: Apply min softlimit correctly
drm/i915/psr: Use hw.adjusted mode when calculating io/fast wake times
rtc: st-lpc: Release some resources in st_rtc_probe() in case of error
md/raid10: fix the condition to call bio_end_io_acct()
pwm: mtk_disp: Fix the disable flow of disp_pwm
pwm: ab8500: Fix error code in probe()
pwm: sysfs: Do not apply state to already disabled PWMs
pwm: imx-tpm: force 'real_period' to be zero in suspend
lib/bitmap: drop optimization of bitmap_{from,to}_arr64
phy: tegra: xusb: check return value of devm_kzalloc()
mfd: stmpe: Only disable the regulators if they are enabled
hwtracing: hisi_ptt: Fix potential sleep in atomic context
clk: qcom: mmcc-msm8974: fix MDSS_GDSC power flags
misc: fastrpc: check return value of devm_kasprintf()
cpufreq: mediatek: correct voltages for MT7622 and MT7623
KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler
KVM: s390: vsie: fix the length of APCB bitmap
mfd: stmfx: Nullify stmfx->vdd in case of error
mfd: stmfx: Fix error path in stmfx_chip_init
bus: fsl-mc: don't assume child devices are all fsl-mc devices
nvmem: rmem: Use NVMEM_DEVID_AUTO
nvmem: sunplus-ocotp: release otp->clk before return
drivers: fwnode: fix fwnode_irq_get[_byname]()
device property: Clarify description of returned value in some functions
device property: Fix documentation for fwnode_get_next_parent()
serial: 8250_omap: Use force_suspend and resume for system suspend
Revert "usb: common: usb-conn-gpio: Set last role to unknown before initial detection"
mfd: intel-lpss: Add missing check for platform_get_resource
mfd: wcd934x: Fix an error handling path in wcd934x_slim_probe()
usb: dwc3-meson-g12a: Fix an error handling path in dwc3_meson_g12a_probe()
usb: common: usb-conn-gpio: Set last role to unknown before initial detection
usb: dwc3: qcom: Fix an error handling path in dwc3_qcom_probe()
usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove()
KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()
f2fs: fix potential deadlock due to unpaired node_write lock use
gfs2: Fix duplicate should_fault_in_pages() call
sh: Avoid using IRQ0 on SH3 and SH4
media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var()
media: venus: helpers: Fix ALIGN() of non power of two
mfd: rt5033: Drop rt5033-battery sub-device
coresight: Fix loss of connection info when a module is unloaded
i3c: master: svc: fix cpu schedule in spin lock
lkdtm: replace ll_rw_block with submit_bh
kernfs: fix missing kernfs_idr_lock to remove an ID from the IDR
serial: 8250: lock port for UART_IER access in omap8250_irq()
serial: core: lock port for start_rx() in uart_resume_port()
serial: 8250: lock port for stop_rx() in omap8250_irq()
serial: core: lock port for stop_rx() in uart_suspend_port()
usb: misc: eud: Fix eud sysfs path (use 'qcom_eud')
usb: hide unused usbfs_notify_suspend/resume functions
usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
extcon: Fix kernel doc of property capability fields to avoid warnings
extcon: Fix kernel doc of property fields to avoid warnings
usb: gadget: u_serial: Add null pointer check in gserial_suspend
usb: dwc3: qcom: Fix potential memory leak
staging: vchiq_arm: mark vchiq_platform_init() static
clk: qcom: mmcc-msm8974: use clk_rcg2_shared_ops for mdp_clk_src clock
clk: qcom: dispcc-qcm2290: Fix GPLL0_OUT_DIV handling
clk: qcom: dispcc-qcm2290: Fix BI_TCXO_AO handling
clk: qcom: ipq6018: fix networking resets
clk: qcom: reset: support resetting multiple bits
media: mediatek: vcodec: using decoder status instead of core work count
media: hi846: fix usage of pm_runtime_get_if_in_use()
media: i2c: Correct format propagation for st-mipid02
media: usb: siano: Fix warning due to null work_func_t function pointer
media: videodev2.h: Fix struct v4l2_input tuner index comment
media: amphion: initiate a drain of the capture queue in dynamic resolution change
media: amphion: drop repeated codec data for vc1g format
media: amphion: drop repeated codec data for vc1l format
media: usb: Check az6007_read() return value
clk: qcom: gcc-qcm2290: Mark RCGs shared where applicable
clk: qcom: gcc-ipq6018: Use floor ops for sdcc clocks
clk: qcom: camcc-sc7180: Add parent dependency to all camera GDSCs
clk: qcom: mmcc-msm8974: remove oxili_ocmemgx_clk
serial: 8250: omap: Fix freeing of resources on failed register
usb: dwc2: Fix some error handling paths
usb: dwc2: platform: Improve error reporting for problems during .remove()
sh: j2: Use ioremap() to translate device tree address into kernel memory
f2fs: do not allow to defragment files have FI_COMPRESS_RELEASED
dt-bindings: power: reset: qcom-pon: Only allow reboot-mode pre-pmk8350
w1: fix loop in w1_fini()
w1: w1_therm: fix locking behavior in convert_t
SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
btrfs: fix race when deleting free space root from the dirty cow roots list
block: increment diskseq on all media change events
block: change all __u32 annotations to __be32 in affs_hardblocks.h
block: add overflow checks for Amiga partition support
block: fix signed int overflow in Amiga partition support
ALSA: pcm: Fix potential data race at PCM memory allocation helpers
ALSA: jack: Fix mutex call in snd_jack_report()
ALSA: hda/realtek: Add quirk for Clevo NPx0SNx
ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook
mm/mmap: Fix VM_LOCKED check in do_vmi_align_munmap()
Revert "drm/amd/display: edp do not add non-edid timings"
iio: accel: fxls8962af: fixup buffer scan element type
iio: accel: fxls8962af: errata bug only applicable for FXLS8962AF
iio: adc: ad7192: Fix internal/external clock selection
iio: adc: ad7192: Fix null ad7192_state pointer access
phy: tegra: xusb: Clear the driver reference in usb-phy dev
usb: dwc3: gadget: Propagate core init errors to UDC during pullup
USB: serial: option: add LARA-R6 01B PIDs
md/raid1-10: fix casting from randomized structure in raid1_submit_write()
x86/efi: Make efi_set_virtual_address_map IBT safe
arm64: sme: Use STR P to clear FFR context field in streaming SVE mode
ksmbd: avoid field overflow warning
smb: client: fix broken file attrs with nodfs mounts
cifs: do all necessary checks for credits within or before locking
cifs: prevent use-after-free by freeing the cfile later
efi/libstub: Disable PCI DMA before grabbing the EFI memory map
kbuild: Disable GCOV for *.mod.o
hwrng: st - keep clock enabled while hwrng is registered
dax/kmem: Pass valid argument to memory_group_register_static
dax: Introduce alloc_dev_dax_id()
dax: Fix dax_mapping_release() use after free
SMB3: Do not send lease break acknowledgment if all file handles have been closed
NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION
NFSv4.2: fix wrong shrinker_id
crypto: qat - unmap buffers before free for RSA
crypto: qat - unmap buffer before free for DH
crypto: qat - Use helper to set reqsize
crypto: kpp - Add helper to set reqsize
ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard
modpost: fix off by one in is_executable_section()
crypto: jitter - correct health test during initialization
crypto: marvell/cesa - Fix type mismatch warning
modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
modpost: fix section mismatch message for R_ARM_ABS32
crypto: nx - fix build warnings when DEBUG_FS is not enabled
modpost: remove broken calculation of exception_table_entry size
hwrng: virtio - Fix race on data_avail and actual data
vfio/mdev: Move the compat_class initialization to module init
PCI: vmd: Fix uninitialized variable usage in vmd_enable_domain()
PCI: endpoint: functions/pci-epf-test: Fix dma_chan direction
PCI: endpoint: Fix a Kconfig prompt of vNTB driver
PCI: endpoint: Fix Kconfig indent style
powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-boundary
powerpc/book3s64/mm: Fix DirectMap stats in /proc/meminfo
riscv: uprobes: Restore thread.bad_cause
PCI: qcom: Disable write access to read only registers for IP v2.9.0
PCI: qcom: Use DWC helpers for modifying the read-only DBI registers
PCI: qcom: Use lower case for hex
PCI: qcom: Sort and group registers and bitfield definitions
PCI: qcom: Remove PCIE20_ prefix from register definitions
powerpc: update ppc_save_regs to save current r1 in pt_regs
powerpc: simplify ppc_save_regs
powerpc/powernv/sriov: perform null check on iov before dereferencing iov
pinctrl: at91-pio4: check return value of devm_kasprintf()
pinctrl: microchip-sgpio: check return value of devm_kasprintf()
powerpc/64s: Fix VAS mm use after free
perf tool x86: Fix perf_env memory leak
perf tool x86: Consolidate is_amd check into single function
platform/x86/dell/dell-rbtn: Fix resources leaking on error path
perf dwarf-aux: Fix off-by-one in die_get_varname()
platform/x86: thinkpad_acpi: Fix lkp-tests warnings for platform profiles
perf script: Fix allocation of evsel->priv related to per-event dump files
powerpc/signal32: Force inlining of __unsafe_save_user_regs() and save_tm_user_regs_unsafe()
powerpc/interrupt: Don't read MSR from interrupt_exit_kernel_prepare()
kcsan: Don't expect 64 bits atomic builtins from 32 bits architectures
pinctrl: npcm7xx: Add missing check for ioremap
pinctrl:sunplus: Add check for kmalloc
platform/x86: think-lmi: Correct NVME password handling
platform/x86: think-lmi: Correct System password interface
platform/x86: think-lmi: mutex protection around multiple WMI calls
pinctrl: cherryview: Return correct value if pin in push-pull mode
perf bench: Add missing setlocale() call to allow usage of %'d style formatting
scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state
PCI: Add pci_clear_master() stub for non-CONFIG_PCI
pinctrl: sunplus: Add check for kmalloc
PCI: ftpci100: Release the clock resources
PCI: pciehp: Cancel bringup sequence if card is not present
scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free
platform/x86: lenovo-yogabook: Set default keyboard backligh brightness on probe()
platform/x86: lenovo-yogabook: Reprobe devices on remove()
platform/x86: lenovo-yogabook: Fix work race on remove()
pinctrl: bcm2835: Handle gpiochip_add_pin_range() errors
scsi: qedf: Fix NULL dereference in error handling
PCI: vmd: Reset VMD config register between soft reboots
PCI: cadence: Fix Gen2 Link Retraining process
ASoC: amd: acp: clear pdm dma interrupt mask
ARM: dts: lan966x: kontron-d10: fix SPI CS
ARM: dts: lan966x: kontron-d10: fix board reset
clk: Fix memory leak in devm_clk_notifier_register()
ASoC: imx-audmix: check return value of devm_kasprintf()
ovl: update of dentry revalidate flags after copy up
drivers: meson: secure-pwrc: always enable DMA domain
clk: ti: clkctrl: check return value of kasprintf()
clk: keystone: sci-clk: check return value of kasprintf()
clk: si5341: free unused memory on probe failure
clk: si5341: check return value of {devm_}kasprintf()
clk: si5341: return error if one synth clock registration fails
clk: cdce925: check return value of kasprintf()
clk: vc5: check memory returned by kasprintf()
drm/msm/dpu: correct MERGE_3D length
drm/amdgpu: Fix usage of UMC fill record in RAS
drm/amdgpu: Fix memcpy() in sienna_cichlid_append_powerplay_table function.
arm64: dts: mediatek: mt8192: Fix CPUs capacity-dmips-mhz
arm64: dts: mediatek: Add cpufreq nodes for MT8192
drm/msm/dp: Free resources after unregistering them
drm/msm/dsi: Remove incorrect references to slice_count
drm/msm/dsi: Flip greater-than check for slice_count and slice_per_intf
drm/msm/dsi: Use DSC slice(s) packet size to compute word count
drm/msm/dpu: Fix slice_last_group_size calculation
drm/msm/dpu: do not enable color-management if DSPPs are not available
ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
clk: tegra: tegra124-emc: Fix potential memory leak
clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()
clk: bcm: rpi: Fix off by one in raspberrypi_discover_clocks()
arm64: dts: qcom: sm8250-edo: Panel framebuffer is 2.5k instead of 4k
arm64: dts: qcom: sdm845: Flush RSC sleep & wake votes
clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()
clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe
clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe
clk: imx: clk-imxrt1050: fix memory leak in imxrt1050_clocks_probe
RDMA/bnxt_re: Avoid calling wake_up threads from spin_lock context
RDMA/bnxt_re: wraparound mbox producer index
drm/msm/a5xx: really check for A510 in a5xx_gpu_init
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
RDMA/rxe: Fix access checks in rxe_check_bind_mw
RDMA/rxe: Replace pr_xxx by rxe_dbg_xxx in rxe_mw.c
RDMA/rxe: Add ibdev_dbg macros for rxe
HID: uclogic: Modular KUnit tests should not depend on KUNIT=y
drm/radeon: fix possible division-by-zero errors
drm/amd/display: Fix artifacting on eDP panels when engaging freesync video mode
soc: mediatek: SVS: Fix MT8192 GPU node name
drm/amdkfd: Fix potential deallocation of previously deallocated memory.
drm/amd/display: Fix a test dml32_rq_dlg_get_rq_reg()
drm/amd/display: Fix a test CalculatePrefetchSchedule()
clk: Export clk_hw_forward_rate_request()
ARM: dts: BCM5301X: fix duplex-full => full-duplex
hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on ADM1272
hwmon: (gsc-hwmon) fix fan pwm temperature scaling
ARM: dts: stm32: fix i2s endpoint format property for stm32mp15xx-dkx
ARM: dts: stm32: Fix audio routing on STM32MP15xx DHCOM PDK2
Input: pm8941-powerkey - fix debounce on gen2+ PMICs
arm64: dts: ti: k3-j7200: Fix physical address of pin
fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()
drm/msm/dpu: set DSC flush bit correctly at MDP CTL flush register
arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
ARM: dts: iwg20d-q7-common: Fix backlight pwm specifier
RDMA/hns: Fix hns_roce_table_get return value
IB/hfi1: Fix wrong mmu_node used for user SDMA packet after invalidate
RDMA/irdma: avoid fortify-string warning in irdma_clr_wqes
soc/fsl/qe: fix usb.c build errors
ARM: dts: meson8: correct uart_B and uart_C clock references
ASoC: es8316: Do not set rate constraints for unsupported MCLKs
ASoC: es8316: Increment max value for ALC Capture Target Volume control
ARM: dts: qcom: apq8074-dragonboard: Set DMA as remotely controlled
memory: brcmstb_dpfe: fix testing array offset after use
ARM: dts: stm32: Shorten the AV96 HDMI sound card name
arm64: dts: mediatek: mt8183: Add mediatek,broken-save-restore-fw to kukui
arm64: dts: qcom: apq8096: fix fixed regulator name property
arm64: dts: qcom: pm7250b: add missing spmi-vadc include
ARM: omap2: fix missing tick_broadcast() prototype
ARM: ep93xx: fix missing-prototype warnings
drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
drm/bridge: ti-sn65dsi83: Fix enable/disable flow to meet spec
drm/bridge: Introduce pre_enable_prev_first to alter bridge init order
arm64: dts: qcom: apq8016-sbc: Fix 1.8V power rail on LS expansion
arm64: dts: qcom: apq8016-sbc: Fix regulator constraints
arm64: dts: qcom: sdm845-polaris: add missing touchscreen child node reg
arm64: dts: qcom: sm8350: correct DMA controller unit address
arm64: dts: qcom: sm8350: Add GPI DMA compatible fallback
arm64: dts: qcom: sdm845: correct camss unit address
arm64: dts: qcom: sdm630: correct camss unit address
arm64: dts: qcom: msm8996: correct camss unit address
arm64: dts: qcom: msm8994: correct SPMI unit address
arm64: dts: qcom: msm8916: correct MMC unit address
arm64: dts: qcom: msm8916: correct camss unit address
ARM: dts: qcom: msm8974: do not use underscore in node name (again)
drm/bridge: anx7625: Prevent endless probe loop
drm/bridge: anx7625: Convert to i2c's .probe_new()
ARM: dts: gta04: Move model property out of pinctrl node
clk: renesas: rzg2l: Fix CPG_SIPLL5_CLK1 register write
iommu/virtio: Return size mapped for a detached domain
iommu/virtio: Detach domain on endpoint release
drm/msm/dpu: Set DPU_DATA_HCTL_EN for in INTF_SC7180_MASK
drm/msm/disp/dpu: get timing engine status from intf status register
drm/msm/dsi: don't allow enabling 14nm VCO with unprogrammed rate
RDMA/bnxt_re: Fix to remove an unnecessary log
RDMA/bnxt_re: Remove a redundant check inside bnxt_re_update_gid
RDMA/bnxt_re: Use unique names while registering interrupts
RDMA/bnxt_re: Fix to remove unnecessary return labels
RDMA/bnxt_re: Disable/kill tasklet only if it is enabled
hwmon: (f71882fg) prevent possible division by zero
clk: imx: scu: use _safe list iterator to avoid a use after free
drm/bridge: tc358767: Switch to devm MIPI-DSI helpers
arm64: dts: microchip: sparx5: do not use PSCI on reference boards
bus: ti-sysc: Fix dispc quirk masking bool variables
ARM: dts: stm32: Move ethernet MAC EEPROM from SoM to carrier boards
drm/vkms: Fix RGB565 pixel conversion
drm: Add fixed-point helper to get rounded integer values
drm/vkms: isolate pixel conversion functionality
ASoC: Intel: sof_sdw: remove SOF_SDW_TGL_HDMI for MeteorLake devices
driver: soc: xilinx: use _safe loop iterator to avoid a use after free
drm/panel: sharp-ls043t1le01: adjust mode settings
drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks`
Input: adxl34x - do not hardcode interrupt trigger type
clk: rs9: Fix .driver_data content in i2c_device_id
clk: vc7: Fix .driver_data content in i2c_device_id
clk: vc5: Fix .driver_data content in i2c_device_id
bootmem: remove the vmemmap pages from kmemleak in free_bootmem_page
clk: vc5: Use `clamp()` to restrict PLL range
mm: call arch_swap_restore() from do_swap_page()
ARM: dts: meson8b: correct uart_B and uart_C clock references
ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
drm/vram-helper: fix function names in vram helper doc
drm/bridge: tc358768: fix THS_TRAILCNT computation
drm/bridge: tc358768: fix TXTAGOCNT computation
drm/bridge: tc358768: fix THS_ZEROCNT computation
drm/bridge: tc358768: fix TCLK_TRAILCNT computation
drm/bridge: tc358768: Add atomic_get_input_bus_fmts() implementation
drm/bridge: tc358768: fix TCLK_ZEROCNT computation
drm/bridge: tc358768: fix PLL target frequency
drm/bridge: tc358768: fix PLL parameters computation
drm/bridge: tc358768: always enable HS video mode
drm/bridge: ti-sn65dsi83: Fix enable error path
Input: drv260x - sleep between polling GO bit
drm/bridge: it6505: Move a variable assignment behind a null pointer check in receive_timing_debugfs_show()
drm/amd/display: Explicitly specify update type per plane info change
radeon: avoid double free in ci_dpm_init()
drm/amd/display: Add logging for display MALL refresh setting
netlink: Add __sock_i_ino() for __netlink_diag_dump().
ipvlan: Fix return value of ipvlan_queue_xmit()
netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value.
netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one
lib/ts_bm: reset initial match offset for every block of text
net: nfc: Fix use-after-free caused by nfc_llcp_find_local
sfc: fix crash when reading stats while NIC is resetting
ocfs2: Fix use of slab data with sendpage
net: axienet: Move reset before 64-bit DMA detection
gtp: Fix use-after-free in __gtp_encap_destroy().
selftests: rtnetlink: remove netdevsim device after ipsec offload test
bonding: do not assume skb mac_header is set
netlink: do not hard code device address lenth in fdb dumps
netlink: fix potential deadlock in netlink_set_err()
net: stmmac: fix double serdes powerdown
can: kvaser_pciefd: Set hardware timestamp on transmitted packets
can: kvaser_pciefd: Add function to set skb hwtstamps
can: length: fix bitstuffing count
bpf: Fix bpf socket lookup from tc/xdp to respect socket VRF bindings
bpf: Call __bpf_sk_lookup()/__bpf_skc_lookup() directly via TC hookpoint
bpf: Factor out socket lookup functions for the TC hookpoint.
wifi: ath9k: convert msecs to jiffies where needed
wifi: iwlwifi: mvm: indicate HW decrypt for beacon protection
mmc: Add MMC_QUIRK_BROKEN_SD_CACHE for Kingston Canvas Go Plus from 11/2019
wifi: ieee80211: Fix the common size calculation for reconfiguration ML
wifi: cfg80211/mac80211: Fix ML element common size calculation
wifi: cfg80211: fix regulatory disconnect with OCB/NAN
wifi: cfg80211: drop incorrect nontransmitted BSS update code
wifi: cfg80211: rewrite merging of inherited elements
wifi: mac80211: Remove "Missing iftype sband data/EHT cap" spam
wifi: iwlwifi: pcie: fix NULL pointer dereference in iwl_pcie_irq_rx_msix_handler()
wifi: iwlwifi: pull from TXQs with softirqs disabled
wifi: ath11k: Add missing check for ioremap
rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO
wifi: mac80211: Fix permissions for valid_links debugfs entry
wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
memstick r592: make memstick_debug_get_tpc_name() static
mmc: mediatek: Avoid ugly error message when SDIO wakeup IRQ isn't used
kexec: fix a memory leak in crash_shrink_memory()
watchdog/perf: more properly prevent false positives with turbo modes
watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct config
selftests: cgroup: fix unexpected failure on test_memcg_low
ice: handle extts in the miscellaneous interrupt thread
wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown
wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled
selftests/bpf: Fix check_mtu using wrong variable type
wifi: mac80211: recalc min chandef for new STA links
wifi: ath10k: Trigger STA disconnect after reconfig complete on hardware restart
samples/bpf: xdp1 and xdp2 reduce XDPBUFSIZE to 60
wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
wifi: ray_cs: Fix an error handling path in ray_probe()
wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
wifi: atmel: Fix an error handling path in atmel_probe()
wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
regulator: core: Streamline debugfs operations
regulator: core: Fix more error checking for debugfs_create_dir()
selftests/bpf: Do not use sign-file as testcase
bpf: Fix memleak due to fentry attach failure
bpf: Remove bpf trampoline selector
bpftool: JIT limited misreported as negative value on aarch64
nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()
spi: dw: Round of n_bytes to power of 2
bpf: Don't EFAULT for {g,s}setsockopt with wrong optlen
libbpf: fix offsetof() and container_of() to work with CO-RE
sctp: add bpf_bypass_getsockopt proto callback
wifi: mwifiex: Fix the size of a memory allocation in mwifiex_ret_802_11_scan()
wifi: wilc1000: fix for absent RSN capabilities WFA testcase
spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG
samples/bpf: Fix buffer overflow in tcp_basertt
libbpf: btf_dump_type_data_check_overflow needs to consider BTF_MEMBER_BITFIELD_SIZE
wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation
igc: Enable and fix RX hash usage by netstack
pstore/ram: Add check for kstrdup
ima: Fix build warnings
evm: Fix build warnings
evm: Complete description of evm_inode_setattr()
locking/atomic: arm: fix sync ops
x86/mm: Fix __swp_entry_to_pte() for Xen PV guests
perf/ibs: Fix interface via core pmu events
kselftest: vDSO: Fix accumulation of uninitialized ret when CLOCK_REALTIME is undefined
rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale
rcu/rcuscale: Move rcu_scale_*() after kfree_scale_cleanup()
rcuscale: Move shutdown from wait_event() to wait_event_idle()
rcutorture: Correct name of use_softirq module parameter
rcu-tasks: Stop rcu_tasks_invoke_cbs() from using never-onlined CPUs
rcu: Make rcu_cpu_starting() rely on interrupts being disabled
thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe()
cpufreq: intel_pstate: Fix energy_performance_preference for passive
ARM: 9303/1: kprobes: avoid missing-declaration warnings
PM: domains: Move the verification of in-params from genpd_add_device()
powercap: RAPL: Fix CONFIG_IOSF_MBI dependency
drivers/perf: hisi: Don't migrate perf to the CPU going to teardown
x86/tdx: Fix race between set_memory_encrypted() and load_unaligned_zeropad()
x86/mm: Allow guest.enc_status_change_prepare() to fail
perf/arm-cmn: Fix DTC reset
PM: domains: fix integer overflow issues in genpd_parse_state()
clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode().
tick/rcu: Fix bogus ratelimit condition
posix-timers: Prevent RT livelock in itimer_delete()
erofs: fix compact 4B support for 16k block size
erofs: simplify iloc()
svcrdma: Prevent page release when nothing was received
irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
irqchip/stm32-exti: Fix warning on initialized field overwritten
block: fix blktrace debugfs entries leakage
md/raid1-10: submit write io directly if bitmap is not enabled
md/raid1-10: factor out a helper to submit normal write
md/raid1-10: factor out a helper to add bio to plug
md/raid10: fix io loss while replacement replace rdev
md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
md/raid10: fix wrong setting of max_corr_read_errors
md/raid10: fix overflow of md/safe_mode_delay
md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
nvme-core: fix dev_pm_qos memleak
nvme-core: add missing fault-injection cleanup
nvme-auth: don't ignore key generation failures when initializing ctrl keys
nvme-core: fix memory leak in dhchap_ctrl_secret
nvme-core: fix memory leak in dhchap_secret_store
nvme-auth: no need to reset chap contexts on re-authentication
nvme-auth: remove symbol export from nvme_auth_reset
nvme-auth: rename authentication work elements
nvme-auth: rename __nvme_auth_[reset|free] to nvme_auth[reset|free]_dhchap
lockd: drop inappropriate svc_get() from locked_get()
blk-mq: fix potential io hang by wrong 'wake_batch'
virt: sevguest: Add CONFIG_CRYPTO dependency
x86/sev: Fix calculation of end address based on number of pages
blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost
x86/resctrl: Only show tasks' pid in current pid namespace
erofs: kill hooked chains to avoid loops on deduplicated compressed images
erofs: move zdata.h into zdata.c
erofs: remove tagged pointer helpers
erofs: avoid tagged pointers to mark sync decompression
erofs: clean up cached I/O strategies
block: Fix the type of the second bdev_op_is_zoned_write() argument
fs: pipe: reveal missing function protoypes
drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2
Linux 6.1.38
drm/amd/display: Ensure vmin and vmax adjust for DCE
drm/amdgpu: Validate VM ioctl flags.
docs: Set minimal gtags / GNU GLOBAL version to 6.6.5
scripts/tags.sh: Resolve gtags empty index generation
perf symbols: Symbol lookup with kcore can fail if multiple segments match stext
nubus: Partially revert proc_create_single_data() conversion
execve: always mark stack as growing down during early stack setup
PCI/ACPI: Call _REG when transitioning D-states
PCI/ACPI: Validate acpi_pci_set_power_state() parameter
drm/amd/display: Do not update DRR while BW optimizations pending
drm/amd/display: Remove optimization for VRR updates
xtensa: fix lock_mm_and_find_vma in case VMA not found
Linux 6.1.37
xtensa: fix NOMMU build with lock_mm_and_find_vma() conversion
csky: fix up lock_mm_and_find_vma() conversion
parisc: fix expand_stack() conversion
sparc32: fix lock_mm_and_find_vma() conversion
Revert "thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak in mtk_thermal_probe"
HID: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651.
HID: wacom: Use ktime_t rather than int when dealing with timestamps
HID: hidraw: fix data race on device refcount
fbdev: fix potential OOB read in fast_imageblit()
mm: always expand the stack with the mmap write lock held
execve: expand new process stack manually ahead of time
mm: make find_extend_vma() fail if write lock not held
powerpc/mm: convert coprocessor fault to lock_mm_and_find_vma()
mm/fault: convert remaining simple cases to lock_mm_and_find_vma()
arm/mm: Convert to using lock_mm_and_find_vma()
riscv/mm: Convert to using lock_mm_and_find_vma()
mips/mm: Convert to using lock_mm_and_find_vma()
powerpc/mm: Convert to using lock_mm_and_find_vma()
arm64/mm: Convert to using lock_mm_and_find_vma()
mm: make the page fault mmap locking killable
mm: introduce new 'lock_mm_and_find_vma()' page fault helper
maple_tree: fix potential out-of-bounds access in mas_wr_end_piv()
can: isotp: isotp_sendmsg(): fix return error fix on TX path
x86/smp: Cure kexec() vs. mwait_play_dead() breakage
x86/smp: Use dedicated cache-line for mwait_play_dead()
x86/smp: Remove pointless wmb()s from native_stop_other_cpus()
x86/smp: Dont access non-existing CPUID leaf
x86/smp: Make stop_other_cpus() more robust
x86/microcode/AMD: Load late on both threads too
mm, hwpoison: when copy-on-write hits poison, take page offline
mm, hwpoison: try to recover from copy-on write faults
mptcp: ensure listener is unhashed before updating the sk status
mm/mmap: Fix error return in do_vmi_align_munmap()
mm/mmap: Fix error path in do_vmi_align_munmap()
Revert "gpiolib: Fix irq_domain resource tracking for gpiochip_irqchip_add_domain()"
Linux 6.1.36
smb: move client and server files to common directory fs/smb
i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle
x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys
KVM: arm64: Restore GICv2-on-GICv3 functionality
vhost_net: revert upend_idx only on retriable error
vhost_vdpa: tell vqs about the negotiated
drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
drm/exynos: vidi: fix a wrong error return
null_blk: Fix: memory release when memory_backed=1
ARM: dts: Fix erroneous ADS touchscreen polarities
i2c: mchp-pci1xxxx: Avoid cast to incompatible function type
ALSA: hda/realtek: Add "Intel Reference board" and "NUC 13" SSID in the ALC256
ASoC: fsl_sai: Enable BCI bit if SAI works on synchronous mode with BYP asserted
s390/purgatory: disable branch profiling
gfs2: Don't get stuck writing page onto itself under direct I/O
ASoC: amd: yc: Add Thinkpad Neo14 to quirks list for acp6x
ASoC: nau8824: Add quirk to active-high jack-detect
soundwire: qcom: add proper error paths in qcom_swrm_startup()
soundwire: dmi-quirks: add new mapping for HP Spectre x360
ASoC: simple-card: Add missing of_node_put() in case of error
ASoC: codecs: wcd938x-sdw: do not set can_multi_write flag
spi: lpspi: disable lpspi module irq in DMA mode
s390/cio: unregister device when the only path is gone
arm64: dts: qcom: sc7280-qcard: drop incorrect dai-cells from WCD938x SDW
arm64: dts: qcom: sc7280-idp: drop incorrect dai-cells from WCD938x SDW
Input: soc_button_array - add invalid acpi_index DMI quirk handling
nvme: improve handling of long keep alives
nvme: check IO start time when deciding to defer KA
nvme: double KA polling frequency to avoid KATO with TBKAS on
usb: gadget: udc: fix NULL dereference in remove()
btrfs: fix an uninitialized variable warning in btrfs_log_inode
nfcsim.c: Fix error checking for debugfs_create_dir
media: cec: core: don't set last_initiator if tx in progress
media: cec: core: disable adapter in cec_devnode_unregister
smb3: missing null check in SMB2_change_notify
arm64: Add missing Set/Way CMO encodings
HID: wacom: Add error check to wacom_parse_and_register()
scsi: target: iscsi: Prevent login threads from racing between each other
gpiolib: Fix irq_domain resource tracking for gpiochip_irqchip_add_domain()
gpio: sifive: add missing check for platform_get_irq
gpiolib: Fix GPIO chip IRQ initialization restriction
arm64: dts: rockchip: fix nEXTRST on SOQuartz
arm64: dts: rockchip: Enable GPU on SOQuartz CM4
revert "net: align SO_RCVMARK required privileges with SO_MARK"
sch_netem: acquire qdisc lock in netem_change()
platform/x86/amd/pmf: Register notify handler only if SPS is enabled
selftests: forwarding: Fix race condition in mirror installation
io_uring/net: use the correct msghdr union member in io_sendmsg_copy_hdr
bpf: Force kprobe multi expected_attach_type for kprobe_multi link
bpf/btf: Accept function names that contain dots
Revert "net: phy: dp83867: perform soft reset and retain established link"
netfilter: nfnetlink_osf: fix module autoload
netfilter: nf_tables: disallow updates of anonymous sets
netfilter: nf_tables: reject unbound chain set before commit phase
netfilter: nf_tables: reject unbound anonymous set before commit phase
netfilter: nf_tables: disallow element updates of bound anonymous sets
netfilter: nft_set_pipapo: .walk does not deal with generations
netfilter: nf_tables: drop map element references from preparation phase
netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain
netfilter: nf_tables: fix chain binding transaction logic
be2net: Extend xmit workaround to BE3 chip
net: dsa: mt7530: fix handling of LLDP frames
net: dsa: mt7530: fix handling of BPDUs on MT7530 switch
net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch
ipvs: align inner_mac_header for encapsulation
mmc: usdhi60rol0: fix deferred probing
mmc: sh_mmcif: fix deferred probing
mmc: sdhci-acpi: fix deferred probing
mmc: owl: fix deferred probing
mmc: omap_hsmmc: fix deferred probing
mmc: omap: fix deferred probing
mmc: mvsdio: fix deferred probing
mmc: mtk-sd: fix deferred probing
net: qca_spi: Avoid high load if QCA7000 is not available
sfc: use budget for TX completions
net/mlx5: DR, Fix wrong action data allocation in decap action
xfrm: Linearize the skb after offloading if needed.
selftests: net: fcnal-test: check if FIPS mode is enabled
selftests: net: vrf-xfrm-tests: change authentication and encryption algos
selftests: net: tls: check if FIPS mode is enabled
bpf: Fix a bpf_jit_dump issue for x86_64 with sysctl bpf_jit_enable.
xfrm: fix inbound ipv4/udp/esp packets to UDPv6 dualstack sockets
bpf: Fix verifier id tracking of scalars on spill
bpf: track immediate values written to stack by BPF_ST instruction
KVM: arm64: PMU: Restore the host's PMUSERENR_EL0
xfrm: Ensure policies always checked on XFRM-I input path
xfrm: interface: rename xfrm_interface.c to xfrm_interface_core.c
xfrm: Treat already-verified secpath entries as optional
ieee802154: hwsim: Fix possible memory leaks
mmc: meson-gx: fix deferred probing
memfd: check for non-NULL file_seals in memfd_create() syscall
x86/mm: Avoid using set_pgd() outside of real PGD pages
nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
io_uring/poll: serialize poll linked timer start with poll removal
arm64: dts: rockchip: Fix rk356x PCIe register and range mappings
regmap: spi-avmm: Fix regmap_bus max_raw_write
regulator: pca9450: Fix LDO3OUT and LDO4OUT MASK
spi: spi-geni-qcom: correctly handle -EPROBE_DEFER from dma_request_chan()
wifi: iwlwifi: pcie: Handle SO-F device for PCI id 0x7AF0
bpf: ensure main program has an extable
mmc: sunxi: fix deferred probing
mmc: bcm2835: fix deferred probing
mmc: sdhci-spear: fix deferred probing
mmc: mmci: stm32: fix max busy timeout calculation
mmc: meson-gx: remove redundant mmc_request_done() call from irq context
mmc: sdhci-msm: Disable broken 64-bit DMA on MSM8916
mmc: litex_mmc: set PROBE_PREFER_ASYNCHRONOUS
cgroup,freezer: hold cpu_hotplug_lock before freezer_mutex in freezer_css_{online,offline}()
cgroup: Do not corrupt task iteration when rebinding subsystem
mptcp: consolidate fallback and non fallback state machine
mptcp: fix possible list corruption on passive MPJ
mptcp: fix possible divide by zero in recvmsg()
mptcp: handle correctly disconnect() failures
io_uring/net: disable partial retries for recvmsg with cmsg
io_uring/net: clear msg_controllen on partial sendmsg retry
PCI: hv: Add a per-bus mutex state_lock
PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic
PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev
Revert "PCI: hv: Fix a timing issue which causes kdump to fail occasionally"
PCI: hv: Fix a race condition bug in hv_pci_query_relations()
Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs
Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails
KVM: Avoid illegal stage2 mapping on invalid memory slot
ACPI: sleep: Avoid breaking S3 wakeup due to might_sleep()
nilfs2: fix buffer corruption due to concurrent device reads
scripts: fix the gfp flags header path in gfp-translate
writeback: fix dereferencing NULL mapping->host on writeback_page_template
selftests: mptcp: join: fix "userspace pm add & remove address"
selftests: mptcp: join: skip fail tests if not supported
selftests: mptcp: join: skip userspace PM tests if not supported
selftests: mptcp: join: skip test if iptables/tc cmds fail
selftests: mptcp: sockopt: skip TCP_INQ checks if not supported
selftests: mptcp: diag: skip listen tests if not supported
selftests/mount_setattr: fix redefine struct mount_attr build error
selftests: mptcp: join: skip MPC backups tests if not supported
selftests: mptcp: join: skip fullmesh flag tests if not supported
selftests: mptcp: join: skip backup if set flag on ID not supported
selftests: mptcp: join: skip implicit tests if not supported
selftests: mptcp: join: support RM_ADDR for used endpoints or not
selftests: mptcp: join: skip Fastclose tests if not supported
selftests: mptcp: join: support local endpoint being tracked or not
selftests: mptcp: join: skip check if MIB counter not supported
selftests: mptcp: join: helpers to skip tests
selftests: mptcp: join: use 'iptables-legacy' if available
selftests: mptcp: lib: skip if not below kernel version
selftests: mptcp: userspace pm: skip if not supported
selftests: mptcp: userspace pm: skip if 'ip' tool is unavailable
selftests: mptcp: sockopt: skip getsockopt checks if not supported
selftests: mptcp: sockopt: relax expected returned size
selftests: mptcp: pm nl: skip fullmesh flag checks if not supported
selftests: mptcp: pm nl: remove hardcoded default limits
selftests: mptcp: connect: skip disconnect tests if not supported
selftests: mptcp: connect: skip transp tests if not supported
selftests: mptcp: lib: skip if missing symbol
selftests: mptcp: join: fix ShellCheck warnings
selftests: mptcp: remove duplicated entries in usage
tick/common: Align tick period during sched_timer setup
ksmbd: validate session id and tree id in the compound request
ksmbd: fix out-of-bound read in smb2_write
ksmbd: validate command payload size
tpm_crb: Add support for CRB devices based on Pluton
tpm, tpm_tis: Claim locality in interrupt handler
mm: Fix copy_from_user_nofault().
ata: libata-scsi: Avoid deadlock on rescan after device resume
tty: serial: fsl_lpuart: reduce RX watermark to 0 on LS1028A
tty: serial: fsl_lpuart: make rx_watermark configurable for different platforms
drm/amd/display: fix the system hang while disable PSR
drm/amd/display: Add wrapper to call planes and stream update
drm/amd/display: Use dc_update_planes_and_stream
ANDROID: GKI: irq-gic-v3: fix up breakage in 6.1.35 merge
Linux 6.1.35
kbuild: Update assembler calls to use proper flags and language target
MIPS: Prefer cc-option for additions to cflags
MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option
x86/boot/compressed: prefer cc-option for CFLAGS additions
scsi: target: core: Fix error path in target_setup_session()
neighbour: delete neigh_lookup_nodev as not used
net/sched: act_api: add specific EXT_WARN_MSG for tc action
Revert "net/sched: act_api: move TCA_EXT_WARN_MSG to the correct hierarchy"
net/sched: act_api: move TCA_EXT_WARN_MSG to the correct hierarchy
drm/amdgpu: Don't set struct drm_driver.output_poll_changed
rcu/kvfree: Avoid freeing new kfree_rcu() memory after old grace period
parisc: Delete redundant register definitions in <asm/assembly.h>
afs: Fix vlserver probe RTT handling
octeon_ep: Add missing check for ioremap
selftests/ptp: Fix timestamp printf format for PTP_SYS_OFFSET
net: tipc: resize nlattr array to correct size
dm: don't lock fs when the map is NULL during suspend or resume
sfc: fix XDP queues mode with legacy IRQ
net: macsec: fix double free of percpu stats
net: lapbether: only support ethernet devices
net: dsa: felix: fix taprio guard band overflow at 10Mbps with jumbo frames
net/sched: cls_api: Fix lockup on flushing explicitly created chain
ext4: drop the call to ext4_error() from ext4_get_group_info()
cifs: fix lease break oops in xfstest generic/098
selftests: forwarding: hw_stats_l3: Set addrgenmode in a separate step
net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting
net/sched: Refactor qdisc_graft() for ingress and clsact Qdiscs
sched: add new attr TCA_EXT_WARN_MSG to report tc extact message
selftests/tc-testing: Fix SFB db test
selftests/tc-testing: Fix Error: failed to find target LOG
selftests/tc-testing: Fix Error: Specified qdisc kind is unknown.
drm/nouveau: add nv_encoder pointer check for NULL
drm/nouveau/dp: check for NULL nv_connector->native_mode
drm/bridge: ti-sn65dsi86: Avoid possible buffer overflow
drm/nouveau: don't detect DSM for non-NVIDIA device
net: phylink: use a dedicated helper to parse usgmii control word
net: phylink: report correct max speed for QUSGMII
igb: fix nvm.ops.read() error handling
igc: Fix possible system crash when loading module
igc: Clean the TX buffer and TX descriptor ring
sctp: fix an error code in sctp_sf_eat_auth()
ipvlan: fix bound dev checking for IPv6 l3s mode
net: ethtool: correct MAX attribute value for stats
IB/isert: Fix incorrect release of isert connection
IB/isert: Fix possible list corruption in CMA handler
IB/isert: Fix dead lock in ib_isert
RDMA/mlx5: Fix affinity assignment
IB/uverbs: Fix to consider event queue closing also upon non-blocking mode
RDMA/cma: Always set static rate to 0 for RoCE
RDMA/mlx5: Create an indirect flow table for steering anchor
RDMA/mlx5: Initiate dropless RQ for RAW Ethernet functions
octeontx2-af: fix lbk link credits on cn10k
octeontx2-af: fixed resource availability check
iavf: remove mask from iavf_irq_enable_queues()
RDMA/rxe: Fix the use-before-initialization error of resp_pkts
RDMA/rxe: Removed unused name from rxe_task struct
wifi: mac80211: take lock before setting vif links
wifi: cfg80211: fix link del callback to call correct handler
wifi: mac80211: fix link activation settings order
net/sched: cls_u32: Fix reference counter leak leading to overflow
octeontx2-af: Fix promiscuous mode
net/sched: act_pedit: Parse L3 Header for L4 offset
net/sched: act_pedit: remove extra check for key type
net/sched: simplify tcf_pedit_act
igb: Fix extts capture value format for 82580/i354/i350
ping6: Fix send to link-local addresses with VRF.
net: enetc: correct the indexes of highest and 2nd highest TCs
netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
ice: Fix XDP memory leak when NIC is brought up and down
netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM
netfilter: nf_tables: integrate pipapo into commit protocol
spi: fsl-dspi: avoid SCK glitches with continuous transfers
spi: cadence-quadspi: Add missing check for dma_set_mask
RDMA/rxe: Fix ref count error in check_rkey()
RDMA/rxe: Fix packet length checks
RDMA/rtrs: Fix rxe_dealloc_pd warning
RDMA/rtrs: Fix the last iu->buf leak in err path
usb: dwc3: gadget: Reset num TRBs before giving back the request
USB: dwc3: fix use-after-free on core driver unbind
USB: dwc3: qcom: fix NULL-deref on suspend
usb: gadget: udc: core: Prevent soft_connect_store() race
usb: gadget: udc: core: Offload usb_udc_vbus_handler processing
usb: typec: Fix fast_role_swap_current show function
usb: typec: ucsi: Fix command cancellation
serial: lantiq: add missing interrupt ack
USB: serial: option: add Quectel EM061KGL series
clk: pxa: fix NULL pointer dereference in pxa3xx_clk_update_accr
thunderbolt: Mask ring interrupt on Intel hardware as well
thunderbolt: dma_test: Use correct value for absent rings when creating paths
thunderbolt: Do not touch CL state configuration during discovery
ALSA: hda/realtek: Add a quirk for Compaq N14JP6
drm/amdgpu: add missing radeon secondary PCI ID
drm/amd/pm: workaround for compute workload type on some skus
drm/amd: Tighten permissions on VBIOS flashing attributes
drm/amd: Make sure image is written to trigger VBIOS image update flow
drm/amd/display: edp do not add non-edid timings
net: usb: qmi_wwan: add support for Compal RXM-G1
drm/amdgpu: vcn_4_0 set instance 0 init sched score to 1
RDMA/uverbs: Restrict usage of privileged QKEYs
nouveau: fix client work fence deletion race
net: ethernet: stmicro: stmmac: fix possible memory leak in __stmmac_open
dm thin: fix issue_discard to pass GFP_NOIO to __blkdev_issue_discard
dm thin metadata: check fail_io before using data_sm
ALSA: usb-audio: Add quirk flag for HEM devices to enable native DSD playback
ALSA: usb-audio: Fix broken resume due to UAC3 power state
btrfs: can_nocow_file_extent should pass down args->strict from callers
btrfs: fix iomap_begin length for nocow writes
btrfs: do not ASSERT() on duplicated global roots
powerpc/purgatory: remove PGO flags
riscv/purgatory: remove PGO flags
x86/purgatory: remove PGO flags
kexec: support purgatories with .text.hot sections
io_uring/net: save msghdr->msg_control for retries
LoongArch: Fix perf event id calculation
nilfs2: reject devices with insufficient block count
nilfs2: fix possible out-of-bounds segment allocation in resize ioctl
nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key()
nios2: dts: Fix tse_mac "max-frame-size" property
zswap: do not shrink if cgroup may not zswap
ocfs2: check new file size on fallocate call
ocfs2: fix use-after-free when unmounting read-only filesystem
epoll: ep_autoremove_wake_function should use list_del_init_careful
wifi: cfg80211: fix double lock bug in reg_wdev_chan_valid()
wifi: cfg80211: fix locking in regulatory disconnect
irqchip/gic: Correctly validate OF quirk descriptors
NVMe: Add MAXIO 1602 to bogus nid list.
io_uring: unlock sqd->lock before sq thread release CPU
drm:amd:amdgpu: Fix missing buffer object unlock in failure path
xen/blkfront: Only check REQ_FUA for writes
ASoC: dwc: move DMA init to snd_soc_dai_driver probe()
ASoC: cs35l41: Fix default regmap values for some registers
mips: Move initrd_start check after initrd address sanitisation.
MIPS: Alchemy: fix dbdma2
MIPS: Restore Au1300 support
MIPS: unhide PATA_PLATFORM
parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory()
parisc: Improve cache flushing for PCXL in arch_sync_dma_for_cpu()
ASoC: Intel: avs: Add missing checks on FE startup
ASoC: Intel: avs: Account for UID of ACPI device
ASoC: soc-pcm: test if a BE can be prepared
btrfs: handle memory allocation failure in btrfs_csum_one_bio
btrfs: scrub: try harder to mark RAID56 block groups read-only
drm: panel-orientation-quirks: Change Air's quirk to support Air Plus
power: supply: Fix logic checking if system is running from battery
irqchip/meson-gpio: Mark OF related data as maybe unused
irqchip/gic-v3: Disable pseudo NMIs on Mediatek devices w/ firmware issues
regulator: Fix error checking for debugfs_create_dir
platform/x86: asus-wmi: Ignore WMI events with codes 0x7B, 0xC0
PCI/DPC: Quirk PIO log size for Intel Ice Lake Root Ports
power: supply: Ratelimit no data debug output
selftests: gpio: gpio-sim: Fix BUG: test FAILED due to recent change
tools: gpio: fix debounce_period_us output of lsgpio
ARM: dts: vexpress: add missing cache properties
power: supply: bq27xxx: Use mod_delayed_work() instead of cancel() + schedule()
power: supply: sc27xx: Fix external_power_changed race
power: supply: ab8500: Fix external_power_changed race
of: overlay: Fix missing of_node_put() in error case of init_overlay_changeset()
ksmbd: validate smb request protocol id
EDAC/qcom: Get rid of hardcoded register offsets
qcom: llcc/edac: Fix the base address used for accessing LLCC banks
cgroup: fix missing cpus_read_{lock,unlock}() in cgroup_transfer_tasks()
cgroup: always put cset in cgroup_css_set_put_fork
cgroup: bpf: use cgroup_lock()/cgroup_unlock() wrappers
test_firmware: prevent race conditions by a correct implementation of locking
test_firmware: Use kstrtobool() instead of strtobool()
x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed
Revert "Bluetooth: fix debugfs registration"
Revert "Bluetooth: hci_sync: add lock to protect HCI_UNREGISTER"
Revert "net/ipv6: fix bool/int mismatch for skip_notify_on_dev_down"
Revert "neighbour: fix unaligned access to pneigh_entry"
Revert "tcp: deny tcp_disconnect() when threads are waiting"
Revert "bpf, sockmap: Pass skb ownership through read_skb"
Revert "bpf, sockmap: Convert schedule_work into delayed_work"
Revert "bpf, sockmap: Reschedule is now done through backlog"
Revert "bpf, sockmap: Improved check for empty queue"
Revert "bpf, sockmap: Handle fin correctly"
Revert "bpf, sockmap: TCP data stall on recv before accept"
Revert "bpf, sockmap: Wake up polling after data copy"
Revert "bpf, sockmap: Incorrectly handling copied_seq"
Linux 6.1.34
Revert "staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE"
wifi: rtw88: correct PS calculation for SUPPORTS_DYNAMIC_PS
wifi: rtw89: correct PS calculation for SUPPORTS_DYNAMIC_PS
ext4: only check dquot_initialize_needed() when debugging
Revert "ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled"
ksmbd: check the validation of pdu_size in ksmbd_conn_handler_loop
ksmbd: fix out-of-bound read in parse_lease_state()
ksmbd: fix out-of-bound read in deassemble_neg_contexts()
vhost_vdpa: support PACKED when setting-getting vring_base
vhost: support PACKED when setting-getting vring_base
vduse: avoid empty string for dev name
riscv: fix kprobe __user string arg print fault issue
soundwire: stream: Add missing clear of alloc_slave_rt
eeprom: at24: also select REGMAP
riscv: mm: Ensure prot of VM_WRITE and VM_EXEC must be readable
i2c: sprd: Delete i2c adapter in .remove's error path
gpio: sim: fix memory corruption when adding named lines and unnamed hogs
firmware: arm_ffa: Set handle field to zero in memory descriptor
i2c: mv64xxx: Fix reading invalid status value in atomic mode
arm64: dts: imx8mn-beacon: Fix SPI CS pinmux
blk-mq: fix blk_mq_hw_ctx active request accounting
ASoC: simple-card-utils: fix PCM constraint error check
ASoC: mediatek: mt8195: fix use-after-free in driver remove path
ASoC: mediatek: mt8195-afe-pcm: Convert to platform remove callback returning void
arm64: dts: imx8-ss-dma: assign default clock rate for lpuarts
arm64: dts: imx8qm-mek: correct GPIOs for USDHC2 CD and WP signals
arm64: dts: qcom: sc7180-lite: Fix SDRAM freq for misidentified sc7180-lite boards
ASoC: codecs: wsa881x: do not set can_multi_write flag
ASoC: codecs: wsa883x: do not set can_multi_write flag
ARM: dts: at91: sama7g5ek: fix debounce delay property for shdwc
ARM: at91: pm: fix imbalanced reference counter for ethernet devices
arm64: dts: qcom: sc8280xp: Flush RSC sleep & wake votes
mm: page_table_check: Ensure user pages are not slab pages
mm: page_table_check: Make it dependent on EXCLUSIVE_SYSTEM_RAM
usb: usbfs: Use consistent mmap functions
usb: usbfs: Enforce page requirements for mmap
pinctrl: meson-axg: add missing GPIOA_18 gpio group
soc: qcom: icc-bwmon: fix incorrect error code passed to dev_err_probe()
virtio_net: use control_buf for coalesce params
rbd: get snapshot context after exclusive lock is ensured to be held
rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting
tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta'
Bluetooth: hci_qca: fix debugfs registration
Bluetooth: fix debugfs registration
Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
s390/dasd: Use correct lock while counting channel queue length
ceph: fix use-after-free bug for inodes when flushing capsnaps
selftests: mptcp: update userspace pm subflow tests
selftests: mptcp: update userspace pm addr tests
mptcp: update userspace pm infos
mptcp: add address into userspace pm list
mptcp: only send RM_ADDR in nl_cmd_remove
can: j1939: avoid possible use-after-free when j1939_can_rx_register fails
can: j1939: change j1939_netdev_lock type to mutex
can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in J1939 Socket
wifi: iwlwifi: mvm: Fix -Warray-bounds bug in iwl_mvm_wait_d3_notif()
drm/amd/display: Reduce sdp bw after urgent to 90%
drm/amd/pm: Fix power context allocation in SMU13
drm/amdgpu: change reserved vram info print
drm/amdgpu: fix xclk freq on CHIP_STONEY
drm/amd/pm: conditionally disable pcie lane switching for some sienna_cichlid SKUs
drm/i915/gt: Use the correct error value when kernel_context() fails
ALSA: hda/realtek: Add quirks for Asus ROG 2024 laptops using CS35L41
ALSA: hda/realtek: Add Lenovo P3 Tower platform
ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01
ALSA: ice1712,ice1724: fix the kcontrol->id initialization
ALSA: hda/realtek: Add quirk for Clevo NS50AU
ALSA: cmipci: Fix kctl->id initialization
ALSA: gus: Fix kctl->id initialization
ALSA: ymfpci: Fix kctl->id initialization
ALSA: hda: Fix kctl->id initialization
Input: fix open count when closing inhibited device
Input: psmouse - fix OOB access in Elantech protocol
Input: xpad - delete a Razer DeathAdder mouse VID/PID entry
batman-adv: Broken sync while rescheduling delayed work
bnxt_en: Implement .set_port / .unset_port UDP tunnel callbacks
bnxt_en: Prevent kernel panic when receiving unexpected PHC_UPDATE event
bnxt_en: Skip firmware fatal error recovery if chip is not accessible
bnxt_en: Query default VLAN before VNIC setup on a VF
bnxt_en: Don't issue AP reset during ethtool's reset operation
net: bcmgenet: Fix EEE implementation
lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release()
drm/amdgpu: fix Null pointer dereference error in amdgpu_device_recover_vram
bpf: Add extra path pointer check to d_path helper
net: sched: fix possible refcount leak in tc_chain_tmplt_add()
net: sched: act_police: fix sparse errors in tcf_police_dump()
net: sched: move rtm_tca_policy declaration to include file
drm/i915/selftests: Add some missing error propagation
drm/i915/selftests: Stop using kthread_stop()
net: sched: add rcu annotations around qdisc->qdisc_sleeping
rfs: annotate lockless accesses to RFS sock flow table
rfs: annotate lockless accesses to sk->sk_rxhash
tcp: gso: really support BIG TCP
ipv6: rpl: Fix Route of Death.
netfilter: nf_tables: out-of-bound check in chain blob
netfilter: ipset: Add schedule point in call_ad().
netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
netfilter: nft_bitwise: fix register tracking
selftests/bpf: Fix sockopt_sk selftest
selftests/bpf: Verify optval=NULL case
wifi: cfg80211: fix locking in sched scan stop work
qed/qede: Fix scheduling while atomic
wifi: mac80211: don't translate beacon/presp addrs
wifi: mac80211: mlme: fix non-inheritence element
wifi: cfg80211: reject bad AP MLD address
wifi: mac80211: use correct iftype HE cap
Bluetooth: L2CAP: Add missing checks for invalid DCID
Bluetooth: ISO: don't try to remove CIG if there are bound CIS left
Bluetooth: Fix l2cap_disconnect_req deadlock
Bluetooth: hci_sync: add lock to protect HCI_UNREGISTER
drm/i915: Use 18 fast wake AUX sync len
drm/i915: Explain the magic numbers for AUX SYNC/precharge length
net/sched: fq_pie: ensure reasonable TCA_FQ_PIE_QUANTUM values
net: enetc: correct rx_bytes statistics of XDP
net: enetc: correct the statistics of rx bytes
net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT
net/ipv6: fix bool/int mismatch for skip_notify_on_dev_down
bpf: Fix elem_size not being set for inner maps
bpf: Fix UAF in task local storage
net/ipv4: ping_group_range: allow GID from 2147483648 to 4294967294
net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods
neighbour: fix unaligned access to pneigh_entry
bpf, sockmap: Avoid potential NULL dereference in sk_psock_verdict_data_ready()
wifi: mt76: mt7615: fix possible race in mt7615_mac_sta_poll
afs: Fix setting of mtime when creating a file/dir/symlink
spi: qup: Request DMA before enabling clocks
platform/surface: aggregator_tabletsw: Add support for book mode in KIP subsystem
platform/surface: aggregator: Allow completion work-items to be executed in parallel
spi: mt65xx: make sure operations completed before unloading
net: sfp: fix state loss when updating state_hw_mask
scsi: megaraid_sas: Add flexible array member for SGLs
Revert "Revert "binder_alloc: add missing mmap_lock calls when using the VMA""
Revert "Revert "android: binder: stop saving a pointer to the VMA""
Revert "binder: add lockless binder_alloc_(set|get)_vma()"
Revert "binder: fix UAF caused by faulty buffer cleanup"
Revert "binder: fix UAF of alloc->vma in race with munmap()"
ANDROID: GKI: add skb_pull_data to android/abi_gki_aarch64_virtual_device
ANDROID: GKI: preserve CRC generation for some bluetooth symbols
Revert "Revert "usb: gadget: udc: core: Invoke usb_gadget_connect only when started""
Revert "tipc: add tipc_bearer_min_mtu to calculate min mtu"
Revert "tipc: do not update mtu if msg_max is too small in mtu negotiation"
Revert "tipc: check the bearer min mtu properly when setting it by netlink"
Revert "platform: Provide a remove callback that returns no value"
Revert "ASoC: fsl_micfil: Fix error handler with pm_runtime_enable"
Revert "firmware: arm_sdei: Fix sleep from invalid context BUG"
ANDROID: add memset32 to db835c list of exported symbols needed.
Revert "uapi/linux/const.h: prefer ISO-friendly __typeof__"
Revert "posix-cpu-timers: Implement the missing timer_wait_running callback"
Revert "KVM: arm64: Avoid vcpu->mutex v. kvm->lock inversion in CPU_ON"
Revert "KVM: arm64: Avoid lock inversion when setting the VM register width"
Revert "KVM: arm64: Use config_lock to protect data ordered against KVM_RUN"
Revert "KVM: arm64: Use config_lock to protect vgic state"
Revert "KVM: arm64: vgic: Don't acquire its_lock before config_lock"
ANDROID: add Android KABI build files to root .gitignore file
ANDROID: add more gki_module headers to .gitignore file
Linux 6.1.33
ext4: enable the lazy init thread when remounting read/write
selftests: mptcp: join: avoid using 'cmp --bytes'
selftests: mptcp: simult flows: skip if MPTCP is not supported
selftests: mptcp: diag: skip if MPTCP is not supported
arm64: efi: Use SMBIOS processor version to key off Ampere quirk
tls: rx: strp: don't use GFP_KERNEL in softirq context
xfs: verify buffer contents when we skip log replay
drm/amd/display: Have Payload Properly Created After Resume
iommu/amd/pgtbl_v2: Fix domain max address
tpm, tpm_tis: Request threaded interrupt handler
regmap: Account for register length when chunking
fs/ntfs3: Validate MFT flags before replaying logs
KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()
ksmbd: fix multiple out-of-bounds read during context decoding
ksmbd: fix slab-out-of-bounds read in smb2_handle_negotiate
ksmbd: fix incorrect AllocationSize set in smb2_get_info
ksmbd: fix UAF issue from opinfo->conn
ksmbd: fix credit count leakage
KVM: x86: Account fastpath-only VM-Exits in vCPU stats
KVM: arm64: Populate fault info for watchpoint
test_firmware: fix the memory leak of the allocated firmware buffer
test_firmware: fix a memory leak with reqs buffer
powerpc/xmon: Use KSYM_NAME_LEN in array size
serial: cpm_uart: Fix a COMPILE_TEST dependency
serial: 8250_tegra: Fix an error handling path in tegra_uart_probe()
fbcon: Fix null-ptr-deref in soft_cursor
ext4: add lockdep annotations for i_data_sem for ea_inode's
ext4: disallow ea_inodes with extended attributes
ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find()
ext4: add EA_INODE checking to ext4_iget()
mptcp: fix active subflow finalization
mptcp: fix connect timeout handling
selftests: mptcp: userspace pm: skip if MPTCP is not supported
selftests: mptcp: sockopt: skip if MPTCP is not supported
selftests: mptcp: join: skip if MPTCP is not supported
selftests: mptcp: pm nl: skip if MPTCP is not supported
selftests: mptcp: connect: skip if MPTCP is not supported
tracing/probe: trace_probe_primary_from_call(): checked list_first_entry
tracing/histograms: Allow variables to have some modifiers
tracing/timerlat: Always wakeup the timerlat thread
mtdchar: mark bits of ioctl handler noinline
selinux: don't use make's grouped targets feature yet
io_uring: undeprecate epoll_ctl support
riscv: perf: Fix callchain parse error with kernel tracepoint events
tpm, tpm_tis: correct tpm_tis_flags enumeration values
iommu/amd: Fix domain flush size when syncing iotlb
powerpc/iommu: Limit number of TCEs to 512 for H_STUFF_TCE hcall
block: fix revalidate performance regression
phy: qcom-qmp-pcie-msm8996: fix init-count imbalance
phy: qcom-qmp-combo: fix init-count imbalance
btrfs: fix csum_tree_block page iteration to avoid tripping on -Werror=array-bounds
tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK
mmc: pwrseq: sd8787: Fix WILC CHIP_EN and RESETN toggling order
mmc: vub300: fix invalid response handling
x86/mtrr: Revert 90b926e68f50 ("x86/pat: Fix pat_x_mtrr_type() for MTRR disabled case")
drm/amd/pm: reverse mclk and fclk clocks levels for renoir
drm/amd/pm: reverse mclk and fclk clocks levels for yellow carp
drm/amd/pm: reverse mclk clocks levels for SMU v13.0.5
drm/amd/pm: resolve reboot exception for si oland
drm/amd/pm: reverse mclk and fclk clocks levels for vangogh
drm/amd/pm: reverse mclk and fclk clocks levels for SMU v13.0.4
drm/amdgpu: enable tmz by default for GC 11.0.1
ata: libata-scsi: Use correct device no in ata_find_dev()
scsi: stex: Fix gcc 13 warnings
misc: fastrpc: reject new invocations during device removal
misc: fastrpc: return -EPIPE to invocations on device removal
md/raid5: fix miscalculation of 'end_sector' in raid5_read_one_chunk()
usb: gadget: f_fs: Add unbind event before functionfs_unbind
usb: cdns3: fix NCM gadget RX speed 20x slow than expection at iMX8QM
dt-bindings: usb: snps,dwc3: Fix "snps,hsphy_interface" type
net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
iio: dac: build ad5758 driver when AD5758 is selected
iio: adc: stm32-adc: skip adc-diff-channels setup if none is present
iio: adc: ad7192: Change "shorted" channels to differential
iio: addac: ad74413: fix resistance input processing
iio: dac: mcp4725: Fix i2c_master_send() return value handling
iio: adc: ad_sigma_delta: Fix IRQ issue by setting IRQ_DISABLE_UNLAZY flag
iio: adc: stm32-adc: skip adc-channels setup if none is present
iio: light: vcnl4035: fixed chip ID check
dt-bindings: iio: adc: renesas,rcar-gyroadc: Fix adi,ad7476 compatible value
iio: imu: inv_icm42600: fix timestamp reset
HID: wacom: avoid integer overflow in wacom_intuos_inout()
HID: google: add jewel USB id
iio: adc: mxs-lradc: fix the order of two cleanup operations
iio: accel: st_accel: Fix invalid mount_matrix on devices without ACPI _ONT method
media: uvcvideo: Don't expose unsupported formats to userspace
drivers: base: cacheinfo: Fix shared_cpu_map changes in event of CPU hotplug
mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
media: mediatek: vcodec: Only apply 4K frame sizes on decoder formats
KVM: arm64: vgic: Fix locking comment
KVM: arm64: vgic: Wrap vgic_its_create() with config_lock
KVM: arm64: vgic: Fix a circular locking issue
block: Deny writable memory mapping if block is read-only
nvme-pci: Add quirk for Teamgroup MP33 SSD
ublk: fix AB-BA lockdep warning
drm/amdgpu: skip disabling fence driver src_irqs when device is unplugged
ceph: silence smatch warning in reconnect_caps_cb()
atm: hide unused procfs functions
drm/msm: Be more shouty if per-process pgtables aren't working
ALSA: oss: avoid missing-prototype warnings
nvme: do not let the user delete a ctrl before a complete initialization
nvme-multipath: don't call blk_mark_disk_dead in nvme_mpath_remove_disk
netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT
net: wwan: t7xx: Ensure init is completed before system sleep
wifi: b43: fix incorrect __packed annotation
scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
wifi: iwlwifi: mvm: Add locking to the rate read flow
wifi: mac80211: recalc chanctx mindef before assigning
wifi: mac80211: consider reserved chanctx for mindef
wifi: mac80211: simplify chanctx allocation
arm64: vdso: Pass (void *) to virt_to_page()
arm64/mm: mark private VM_FAULT_X defines as vm_fault_t
ARM: dts: stm32: add pin map for CAN controller on stm32f7
wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value
ACPI: resource: Add IRQ override quirk for LG UltraPC 17U70P
s390/topology: honour nr_cpu_ids when adding CPUs
s390/pkey: zeroize key blobs
ASoC: SOF: pm: save io region state in case of errors in resume
ASoC: SOF: sof-client-probes: fix pm_runtime imbalance in error handling
ASoC: SOF: pcm: fix pm_runtime imbalance in error handling
ASoC: SOF: debug: conditionally bump runtime_pm counter on exceptions
media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221
media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
media: dvb-core: Fix use-after-free due to race at dvb_register_device()
media: dvb-core: Fix use-after-free due on race condition at dvb_net
media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table
media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
media: dvb_ca_en50221: fix a size write bug
media: netup_unidvb: fix irq init by register it at the end of probe
media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer()
media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
media: dvb_demux: fix a bug for the continuity counter
ASoC: ssm2602: Add workaround for playback distortions
ALSA: hda/realtek: Add quirks for ASUS GU604V and GU603V
ASoC: dt-bindings: Adjust #sound-dai-cells on TI's single-DAI codecs
xfrm: Check if_id in inbound policy/secpath match
um: harddog: fix modular build
ASoC: dwc: limit the number of overrun messages
ASoC: amd: yc: Add DMI entry to support System76 Pangolin 12
nvme-pci: add quirk for missing secondary temperature thresholds
nvme-pci: add NVME_QUIRK_BOGUS_NID for HS-SSD-FUTURE 2048G
block/rnbd: replace REQ_OP_FLUSH with REQ_OP_WRITE
nbd: Fix debugfs_create_dir error checking
fbdev: stifb: Fix info entry in sti_struct on error path
fbdev: modedb: Add 1920x1080 at 60 Hz video mode
fbdev: imsttfb: Fix use after free bug in imsttfb_probe
drm/amdgpu: set gfx9 onwards APU atomics support to be true
gfs2: Don't deref jdesc in evict
platform/mellanox: fix potential race in mlxbf-tmfifo driver
platform/x86: intel_scu_pcidrv: Add back PCI ID for Medfield
media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE
hwmon: (k10temp) Add PCI ID for family 19, model 78h
ARM: 9295/1: unwind:fix unwind abort for uleb128 case
btrfs: abort transaction when sibling keys check fails for leaves
drm/ast: Fix ARM compatibility
mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
drm/amdgpu: Use the default reset when loading or reloading the driver
ASoC: Intel: soc-acpi-cht: Add quirk for Nextbook Ares 8A tablet
ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs.
watchdog: menz069_wdt: fix watchdog initialisation
drm/amdgpu: release gpu full access after "amdgpu_device_ip_late_init"
mptcp: add annotations around sk->sk_shutdown accesses
mptcp: fix data race around msk->first access
mptcp: consolidate passive msk socket initialization
mptcp: simplify subflow_syn_recv_sock()
mptcp: avoid unneeded address copy
mptcp: add annotations around msk->subflow accesses
mptcp: avoid unneeded __mptcp_nmpc_socket() usage
rtnetlink: call validate_linkmsg in rtnl_create_link
mtd: rawnand: marvell: don't set the NAND frequency select
mtd: rawnand: marvell: ensure timing values are written
net: dsa: mv88e6xxx: Increase wait after reset deactivation
tcp: fix mishandling when the sack compression is deferred.
net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
iommu/mediatek: Flush IOTLB completely only if domain has been attached
net/mlx5: Read embedded cpu after init bit cleared
net/mlx5e: Fix error handling in mlx5e_refresh_tirs
nvme: fix the name of Zone Append for verbose logging
nfsd: fix double fget() bug in __write_ports_addfd()
udp6: Fix race condition in udp6_sendmsg & connect
net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report
net: sched: fix NULL pointer dereference in mq_attach
net/sched: Prohibit regrafting ingress or clsact Qdiscs
net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs
net/sched: sch_clsact: Only create under TC_H_CLSACT
net/sched: sch_ingress: Only create under TC_H_INGRESS
net/smc: Don't use RMBs not mapped to new link in SMCRv2 ADD LINK
net/smc: Scan from current RMB list when no position specified
tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set
tcp: deny tcp_disconnect() when threads are waiting
af_packet: do not use READ_ONCE() in packet_bind()
RDMA/irdma: Fix Local Invalidate fencing
RDMA/irdma: Prevent QP use after free
mtd: rawnand: ingenic: fix empty stub helper definitions
perf ftrace latency: Remove unnecessary "--" from --use-nsec option
amd-xgbe: fix the false linkup in xgbe_phy_status
tls: improve lockless access safety of tls_err_abort()
af_packet: Fix data-races of pkt_sk(sk)->num.
netrom: fix info-leak in nr_write_internal()
net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure
net/mlx5e: Don't attach netdev profile while handling internal error
net/mlx5: fw_tracer, Fix event handling
net/mlx5: SF, Drain health before removing device
net/mlx5: Drain health before unregistering devlink
riscv: Fix unused variable warning when BUILTIN_DTB is set
dmaengine: pl330: rename _start to prevent build error
nfsd: make a copy of struct iattr before calling notify_change
iommu/amd: Fix up merge conflict resolution
iommu/amd: Handle GALog overflows
iommu/amd: Don't block updates to GATag if guest mode is on
iommu/rockchip: Fix unwind goto issue
RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx
RDMA/bnxt_re: Fix a possible memory leak
dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved()
RDMA/hns: Modify the value of long message loopback slice
RDMA/hns: Fix base address table allocation
RDMA/hns: Fix timeout attr in query qp for HIP08
RDMA/efa: Fix unsupported page sizes in device
phy: amlogic: phy-meson-g12a-mipi-dphy-analog: fix CNTL2_DIF_TX_CTL0 value
RDMA/bnxt_re: Fix the page_size used during the MR creation
Linux 6.1.32
tools headers UAPI: Sync the linux/in.h with the kernel sources
netfilter: ctnetlink: Support offloaded conntrack entry deletion
cpufreq: amd-pstate: Add ->fast_switch() callback
cpufreq: amd-pstate: Update policy->cur in amd_pstate_adjust_perf()
block: fix bio-cache for passthru IO
Revert "thermal/drivers/mellanox: Use generic thermal_zone_get_trip() function"
bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
drm/amd: Don't allow s0ix on APUs older than Raven
octeontx2-af: Add validation for lmac type
RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task"
wifi: iwlwifi: mvm: fix potential memory leak
wifi: iwlwifi: mvm: support wowlan info notification version 2
wifi: rtw89: correct 5 MHz mask setting
net: phy: mscc: enable VSC8501/2 RGMII RX clock
page_pool: fix inconsistency for page_pool_ring_[un]lock()
net: page_pool: use in_softirq() instead
vfio/type1: check pfn valid before converting to struct page
blk-mq: fix race condition in active queue accounting
bpf, sockmap: Incorrectly handling copied_seq
bpf, sockmap: Wake up polling after data copy
bpf, sockmap: TCP data stall on recv before accept
bpf, sockmap: Handle fin correctly
bpf, sockmap: Improved check for empty queue
bpf, sockmap: Reschedule is now done through backlog
bpf, sockmap: Convert schedule_work into delayed_work
bpf, sockmap: Pass skb ownership through read_skb
gpio-f7188x: fix chip name and pin count on Nuvoton chip
net/mlx5: E-switch, Devcom, sync devcom events and devcom comp register
tls: rx: strp: preserve decryption status of skbs when needed
tls: rx: strp: factor out copying skb data
tls: rx: strp: force mixed decrypted records into copy mode
tls: rx: strp: fix determining record length in copy mode
tls: rx: strp: set the skb->len of detached / CoW'ed skbs
tls: rx: device: fix checking decryption status
platform/x86/amd/pmf: Fix CnQF and auto-mode after resume
selftests/bpf: Fix pkg-config call building sign-file
firmware: arm_ffa: Fix usage of partition info get count flag
ipv{4,6}/raw: fix output xfrm lookup wrt protocol
inet: Add IP_LOCAL_PORT_RANGE socket option
Linux 6.1.31
net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE
3c589_cs: Fix an error handling path in tc589_probe()
net/smc: Reset connection when trying to use SMCRv2 fails.
regulator: mt6359: add read check for PMIC MT6359
firmware: arm_ffa: Set reserved/MBZ fields to zero in the memory descriptors
arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay
net/mlx5: Devcom, serialize devcom registration
net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
net/mlx5: Collect command failures data only for known commands
net/mlx5: Fix error message when failing to allocate device memory
net/mlx5: DR, Check force-loopback RC QP capability independently from RoCE
net/mlx5: Handle pairing of E-switch via uplink un/load APIs
net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs
net/mlx5e: do as little as possible in napi poll when budget is 0
net/mlx5e: Use correct encap attribute during invalidation
net/mlx5e: Fix deadlock in tc route query code
net/mlx5e: Fix SQ wake logic in ptp napi_poll context
platform/mellanox: mlxbf-pmc: fix sscanf() error checking
forcedeth: Fix an error handling path in nv_probe()
sctp: fix an issue that plpmtu can never go to complete state
cxl: Wait Memory_Info_Valid before access memory related info
ASoC: Intel: avs: Access path components under lock
ASoC: Intel: avs: Fix declaration of enum avs_channel_config
ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg
x86/show_trace_log_lvl: Ensure stack pointer is aligned, again
xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
x86/pci/xen: populate MSI sysfs entries
ARM: dts: imx6qdl-mba6: Add missing pvcie-supply regulator
coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
platform/x86: ISST: Remove 8 socket limit
regulator: pca9450: Fix BUCK2 enable_mask
fs: fix undefined behavior in bit shift for SB_NOUSER
firmware: arm_ffa: Fix FFA device names for logical partitions
firmware: arm_ffa: Check if ffa_driver remove is present before executing
optee: fix uninited async notif value
power: supply: sbs-charger: Fix INHIBITED bit for Status reg
power: supply: bq24190: Call power_supply_changed() after updating input current
power: supply: bq25890: Call power_supply_changed() after updating input current or voltage
power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize
power: supply: bq27xxx: Ensure power_supply_changed() is called on current sign changes
power: supply: bq27xxx: Move bq27xxx_battery_update() down
power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status()
power: supply: bq27xxx: Fix poll_interval handling and races on remove
power: supply: bq27xxx: Fix I2C IRQ race on remove
power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
power: supply: mt6360: add a check of devm_work_autocancel in mt6360_charger_probe
power: supply: leds: Fix blink to LED on transition
cifs: mapchars mount option ignored
ipv6: Fix out-of-bounds access in ipv6_find_tlv()
lan966x: Fix unloading/loading of the driver
bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps
bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
octeontx2-pf: Fix TSOv6 offload
selftests: fib_tests: mute cleanup error message
drm: fix drmm_mutex_init()
net: fix skb leak in __skb_tstamp_tx()
ASoC: lpass: Fix for KASAN use_after_free out of bounds
media: radio-shark: Add endpoint checks
USB: sisusbvga: Add endpoint checks
USB: core: Add routines for endpoint checks in old drivers
udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
net: fix stack overflow when LRO is disabled for virtual interfaces
fbdev: udlfb: Fix endpoint check
debugobjects: Don't wake up kswapd from fill_pool()
irqchip/mips-gic: Use raw spinlock for gic_lock
irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable
x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms
perf/x86/uncore: Correct the number of CHAs on SPR
drm/amd/amdgpu: limit one queue per gang
selftests/memfd: Fix unknown type name build failure
binder: fix UAF of alloc->vma in race with munmap()
binder: fix UAF caused by faulty buffer cleanup
binder: add lockless binder_alloc_(set|get)_vma()
Revert "android: binder: stop saving a pointer to the VMA"
Revert "binder_alloc: add missing mmap_lock calls when using the VMA"
drm/amd/pm: Fix output of pp_od_clk_voltage
drm/amd/pm: add missing NotifyPowerSource message mapping for SMU13.0.7
drm/radeon: reintroduce radeon_dp_work_func content
drm/mgag200: Fix gamma lut not initialized.
dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type
btrfs: use nofs when cleaning up aborted transactions
gpio: mockup: Fix mode of debugfs files
parisc: Handle kprobes breakpoints only in kernel context
parisc: Enable LOCKDEP support
parisc: Allow to reboot machine after system halt
parisc: Fix flush_dcache_page() for usage from irq context
parisc: Handle kgdb breakpoints only in kernel context
parisc: Use num_present_cpus() in alternative patching code
xtensa: add __bswap{si,di}2 helpers
xtensa: fix signal delivery to FDPIC process
m68k: Move signal frame following exception on 68020/030
net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
ASoC: rt5682: Disable jack detection interrupt during suspend
power: supply: bq25890: Fix external_power_changed race
power: supply: axp288_fuel_gauge: Fix external_power_changed race
mmc: block: ensure error propagation for non-blk
mmc: sdhci-esdhc-imx: make "no-mmc-hs400" works
SUNRPC: Don't change task->tk_status after the call to rpc_exit_task
ALSA: hda/realtek: Enable headset onLenovo M70/M90
ALSA: hda: Fix unhandled register update during auto-suspend period
ALSA: hda/ca0132: add quirk for EVGA X299 DARK
platform/x86/intel/ifs: Annotate work queue on stack so object debug does not complain
x86/mm: Avoid incomplete Global INVLPG flushes
arm64: Also reset KASAN tag if page is not PG_mte_tagged
ocfs2: Switch to security_inode_init_security()
drm/amd/display: hpd rx irq not working with eDP interface
net: dsa: mv88e6xxx: Add RGMII delay to 88E6320
platform/x86: hp-wmi: Fix cast to smaller integer type warning
skbuff: Proactively round up to kmalloc bucket size
drm/amdgpu/mes11: enable reg active poll
drm/amd/amdgpu: update mes11 api def
watchdog: sp5100_tco: Immediately trigger upon starting.
tpm: Prevent hwrng from activating during resume
tpm: Re-enable TPM chip boostrapping non-tpm_tis TPM drivers
tpm, tpm_tis: startup chip before testing for interrupts
tpm_tis: Use tpm_chip_{start,stop} decoration inside tpm_tis_resume
tpm, tpm_tis: Only handle supported interrupts
tpm, tpm_tis: Avoid cache incoherency in test for interrupts
usb: dwc3: fix gadget mode suspend interrupt handler issue
Linux 6.1.30
drm/amdgpu: reserve the old gc_11_0_*_mes.bin
drm/amd/amdgpu: introduce gc_*_mes_2.bin v2
drm/amdgpu: declare firmware for new MES 11.0.4
crypto: testmgr - fix RNG performance in fuzz tests
remoteproc: imx_dsp_rproc: Fix kernel test robot sparse warning
rethook, fprobe: do not trace rethook related functions
rethook: use preempt_{disable, enable}_notrace in rethook_trampoline_handler
arm64: mte: Do not set PG_mte_tagged if tags were not initialized
s390/qdio: fix do_sqbs() inline assembly constraint
s390/crypto: use vector instructions only if available for ChaCha20
s390/dasd: fix command reject error on ESE devices
nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
powerpc/64s/radix: Fix soft dirty tracking
tpm/tpm_tis: Disable interrupts for more Lenovo devices
powerpc/iommu: Incorrect DDW Table is referenced for SR-IOV device
powerpc/iommu: DMA address offset is incorrectly calculated with 2MB TCEs
dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries
drm/amdgpu/gfx11: update gpu_clock_counter logic
drm/amdgpu: refine get gpu clock counter method
drm/amdgpu/gfx11: Adjust gfxoff before powergating on gfx11 as well
drm/amdgpu/gfx10: Disable gfxoff before disabling powergating.
drm/amdgpu/gmc11: implement get_vbios_fb_size()
drm/amd/pm: fix possible power mode mismatch between driver and PMFW
ceph: force updating the msg pointer in non-split case
vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
thunderbolt: Clear registers properly when auto clear isn't in use
serial: qcom-geni: fix enabling deactivated interrupt
serial: 8250_exar: Add support for USR298x PCI Modems
serial: Add support for Advantech PCI-1611U card
mm: fix zswap writeback race condition
maple_tree: make maple state reusable after mas_empty_area()
statfs: enforce statfs[64] structure initialization
KVM: Fix vcpu_array[0] races
ksmbd: fix global-out-of-bounds in smb2_find_context_vals
ksmbd: fix wrong UserName check in session_user
ksmbd: allocate one more byte for implied bcc[0]
ksmbd: smb2: Allow messages padded to 8byte boundary
SMB3: drop reference to cfile before sending oplock break
SMB3: Close all deferred handles of inode in case of handle lease break
wifi: rtw88: use work to update rate to avoid RCU warning
can: kvaser_pciefd: Disable interrupts in probe error path
can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
can: kvaser_pciefd: Empty SRB buffer in probe
can: kvaser_pciefd: Call request_irq() before enabling interrupts
can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag
can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
ALSA: hda/realtek: Fix mute and micmute LEDs for yet another HP laptop
ALSA: hda/realtek: Add quirk for HP EliteBook G10 laptops
ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
ALSA: hda/realtek: Add quirk for Clevo L140AU
ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
ALSA: hda: Fix Oops by 9.1 surround channel names
xhci: Fix incorrect tracking of free space on transfer rings
xhci-pci: Only run d3cold avoidance quirk for s2idle
Revert "usb: gadget: udc: core: Invoke usb_gadget_connect only when started"
Revert "usb: gadget: udc: core: Prevent redundant calls to pullup"
usb: typec: altmodes/displayport: fix pin_assignment_show
usb: gadget: u_ether: Fix host MAC address case
usb: dwc3: debugfs: Resume dwc3 before accessing registers
usb: dwc3: gadget: Improve dwc3_gadget_suspend() and dwc3_gadget_resume()
USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
usb-storage: fix deadlock when a scsi command timeouts more than once
USB: usbtmc: Fix direction for 0-length ioctl control messages
ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go
bridge: always declare tunnel functions
netfilter: nft_set_rbtree: fix null deref on element insertion
netfilter: nf_tables: fix nft_trans type confusion
net: selftests: Fix optstring
net: pcs: xpcs: fix C73 AN not getting enabled
net: wwan: iosm: fix NULL pointer dereference when removing device
vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
igb: fix bit_shift to be in [1..8] range
net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset
cassini: Fix a memory leak in the error handling path of cas_init_one()
tun: Fix memory leak for detached NAPI queue.
net: tun: rebuild error handling in tun_get_user
scsi: storvsc: Don't pass unused PFNs to Hyper-V host
wifi: iwlwifi: mvm: don't trust firmware n_channels
wifi: iwlwifi: mvm: fix OEM's name in the tas approved list
wifi: iwlwifi: fix OEM's name in the ppag approved list
wifi: iwlwifi: fw: fix DBGI dump
wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock
wifi: mac80211: Abort running color change when stopping the AP
wifi: mac80211: fix min center freq offset tracing
wifi: mac80211: fortify the spinlock against deadlock by interrupt
wifi: cfg80211: Drop entries with invalid BSSIDs in RNR
ice: Fix ice VF reset during iavf initialization
ice: introduce clear_reset_state operation
net: bcmgenet: Restore phy_stop() depending upon suspend/close
net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
can: dev: fix missing CAN XL support in can_put_echo_skb()
s390/cio: include subchannels without devices also for evaluation
tipc: check the bearer min mtu properly when setting it by netlink
tipc: do not update mtu if msg_max is too small in mtu negotiation
tipc: add tipc_bearer_min_mtu to calculate min mtu
virtio_net: Fix error unwinding of XDP initialization
virtio-net: Maintain reverse cleanup order
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
drm/exynos: fix g2d_open/close helper function definitions
ASoC: SOF: topology: Fix logic for copying tuples
ASoC: mediatek: mt8186: Fix use-after-free in driver remove path
SUNRPC: Fix trace_svc_register() call site
SUNRPC: always free ctxt when freeing deferred request
SUNRPC: double free xprt_ctxt while still in use
media: netup_unidvb: fix use-after-free at del_timer()
net: hns3: fix reset timeout when enable full VF
net: hns3: fix reset delay time to avoid configuration timeout
net: hns3: fix sending pfc frames after reset issue
net: hns3: fix output information incomplete for dumping tx queue info with debugfs
net: dsa: rzn1-a5psw: disable learning for standalone ports
net: dsa: rzn1-a5psw: fix STP states handling
net: dsa: rzn1-a5psw: enable management frames for CPU port
erspan: get the proto with the md version for collect_md
serial: 8250_bcm7271: fix leak in `brcmuart_probe`
serial: 8250_bcm7271: balance clk_enable calls
serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
tcp: fix possible sk_priority leak in tcp_v4_send_reset()
vsock: avoid to close connected socket after the timeout
sfc: disable RXFCS and RXALL features by default
ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15
wifi: mt76: connac: fix stats->tx_bytes calculation
ALSA: firewire-digi00x: prevent potential use after free
net: phy: dp83867: add w/a for packet errors seen with short cables
net: fec: Better handle pm_runtime_get() failing in .remove()
selftets: seg6: disable rp_filter by default in srv6_end_dt4_l3vpn_test
selftests: seg6: disable DAD on IPv6 router cfg for srv6_end_dt4_l3vpn_test
drm/msm: Fix submit error-path leaks
af_key: Reject optional tunnel/BEET mode templates in outbound policies
xfrm: Reject optional tunnel/BEET mode templates in outbound policies
cpupower: Make TSC read per CPU for Mperf monitor
ASoC: fsl_micfil: Fix error handler with pm_runtime_enable
platform: Provide a remove callback that returns no value
dt-bindings: display/msm: dsi-controller-main: Document qcom, master-dsi and qcom, sync-dual-dsi
drm/msm/dpu: Remove duplicate register defines from INTF
drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header
drm/msm/dpu: Assign missing writeback log_mask
drm/msm/dp: unregister audio driver during unbind
Revert "Fix XFRM-I support for nested ESP tunnels"
xfrm: don't check the default policy if the policy allows the packet
drm/amdgpu: drop gfx_v11_0_cp_ecc_error_irq_funcs
platform/x86: hp-wmi: add micmute to hp_wmi_keymap struct
platform/x86: Move existing HP drivers to a new hp subdir
parisc: Replace regular spinlock with spin_trylock on panic path
mfd: intel-lpss: Add Intel Meteor Lake PCH-S LPSS PCI IDs
mfd: dln2: Fix memory leak in dln2_probe()
mfd: intel_soc_pmic_chtwc: Add Lenovo Yoga Book X90F to intel_cht_wc_models
soundwire: bus: Fix unbalanced pm_runtime_put() causing usage count underflow
soundwire: qcom: gracefully handle too many ports in DT
phy: st: miphy28lp: use _poll_timeout functions for waits
soundwire: dmi-quirks: add remapping for Intel 'Rooks County' NUC M15
recordmcount: Fix memory leaks in the uwrite function
lkdtm/stackleak: Fix noinstr violation
sched: Fix KCSAN noinstr violation
mcb-pci: Reallocate memory region to avoid memory overlapping
serial: 8250: Reinit port->pm on port specific driver unbind
usb: typec: tcpm: fix multiple times discover svids error
HID: wacom: generic: Set battery quirk only when we see battery data
HID: Ignore battery for ELAN touchscreen on ROG Flow X13 GV301RA
HID: apple: Set the tilde quirk flag on the Geyser 3
ASoC: amd: yc: Add ThinkBook 14 G5+ ARP to quirks list for acp6x
ASoC: amd: Add Dell G15 5525 to quirks list
ALSA: hda: LNL: add HD Audio PCI ID
usb: typec: ucsi: acpi: add quirk for ASUS Zenbook UM325
spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3
HID: logitech-hidpp: Reconcile USB and Unifying serials
HID: logitech-hidpp: Don't use the USB serial for USB devices
ASoC: amd: yc: Add DMI entries to support HP OMEN 16-n0xxx (8A42)
staging: axis-fifo: initialize timeouts in init only
HID: apple: Set the tilde quirk flag on the Geyser 4 and later
staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE
Bluetooth: btrtl: Add the support for RTL8851B
Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
Bluetooth: Add new quirk for broken set random RPA timeout for ATS2851
Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set
Bluetooth: btintel: Add LE States quirk support
Bluetooth: btrtl: check for NULL in btrtl_set_quirks()
Bluetooth: Improve support for Actions Semi ATS2851 based devices
Bluetooth: btrtl: add support for the RTL8723CS
Bluetooth: Add new quirk for broken local ext features page 2
Bluetooth: btusb: Add new PID/VID 04ca:3801 for MT7663
ipvs: Update width of source for ip_vs_sync_conn_options
nbd: fix incomplete validation of ioctl arg
wifi: ath11k: Fix SKB corruption in REO destination ring
wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
null_blk: Always check queue mode setting from configfs
wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO
wifi: ath11k: Ignore frags from uninitialized peer in dp.
block, bfq: Fix division by zero error on zero wsum
wifi: iwlwifi: mvm: fix ptk_pn memory leak
wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
wifi: iwlwifi: add a new PCI device ID for BZ device
wifi: iwlwifi: pcie: fix possible NULL pointer dereference
md: fix soft lockup in status_resync
bpf: Add preempt_count_{sub,add} into btf id deny list
samples/bpf: Fix fout leak in hbm's run_bpf_prog
f2fs: fix to check readonly condition correctly
f2fs: fix to drop all dirty pages during umount() if cp_error is set
f2fs: Fix system crash due to lack of free space in LFS
crypto: jitter - permanent and intermittent health errors
ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
ext4: set goal start correctly in ext4_mb_normalize_request
scsi: ufs: ufs-pci: Add support for Intel Lunar Lake
gfs2: Fix inode height consistency check
scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
lib: cpu_rmap: Avoid use after free on rmap->obj array entries
scsi: target: iscsit: Free cmds before session free
netdev: Enforce index cap in netdev_get_tx_queue
net: Catch invalid index in XPS mapping
net: pasemi: Fix return type of pasemi_mac_start_tx()
bnxt: avoid overflow in bnxt_get_nvram_directory()
scsi: lpfc: Correct used_rpi count when devloss tmo fires with no recovery
scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
ext2: Check block size validity during mount
wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex
wifi: brcmfmac: pcie: Provide a buffer of random bytes to the device
bpf: Annotate data races in bpf_local_storage
wifi: ath: Silence memcpy run-time false positive warning
media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
media: Prefer designated initializers over memset for subdev pad ops
drm/amdgpu: Fix sdma v4 sw fini error
drm/amd: Fix an out of bounds error in BIOS parser
drm/amd/display: Correct DML calculation to follow HW SPEC
ACPI: video: Remove desktops without backlight DMI quirks
irqchip/gicv3: Workaround for NVIDIA erratum T241-FABRIC-4
arm64: dts: qcom: sdm845-polaris: Drop inexistent properties
ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
ACPICA: Avoid undefined behavior: applying zero offset to null pointer
drm/msm/dp: Clean up handling of DP AUX interrupts
drm/tegra: Avoid potential 32-bit integer overflow
remoteproc: stm32_rproc: Add mutex protection for workqueue
drm/amd/display: fixed dcn30+ underflow issue
ACPI: EC: Fix oops when removing custom query handlers
firmware: arm_sdei: Fix sleep from invalid context BUG
arm64: dts: imx8mq-librem5: Remove dis_u3_susphy_quirk from usb_dwc3_0
memstick: r592: Fix UAF bug in r592_remove due to race condition
drm/rockchip: dw_hdmi: cleanup drm encoder during unbind
ACPI: processor: Check for null return of devm_kzalloc() in fch_misc_setup()
media: pvrusb2: VIDEO_PVRUSB2 depends on DVB_CORE to use dvb_* symbols
media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish
media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish()
arm64: dts: qcom: msm8996: Add missing DWC3 quirks
remoteproc: imx_dsp_rproc: Add custom memory copy implementation for i.MX DSP Cores
regmap: cache: Return error in cache sync operations for REGCACHE_NONE
drm/amd/display: Use DC_LOG_DC in the trasform pixel function
drm/amd/display: Enable HostVM based on rIOMMU active
platform/x86: x86-android-tablets: Add Acer Iconia One 7 B1-750 data
drm/amd/display: Correct DML calculation to align HW formula
drm/amd/display: populate subvp cmd info only for the top pipe
drm/displayid: add displayid_get_header() and check bounds better
fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
open: return EINVAL for O_DIRECTORY | O_CREAT
rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access
selftests: cgroup: Add 'malloc' failures checks in test_memcontrol
refscale: Move shutdown from wait_event() to wait_event_idle()
ext4: allow ext4_get_group_info() to fail
ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled
ext4: reflect error codes from ext4_multi_mount_protect() to its callers
fbdev: arcfb: Fix error handling in arcfb_probe()
drm/i915: taint kernel when force probing unsupported devices
drm/i915: Expand force_probe to block probe of devices as well.
drm/i915/dp: prevent potential div-by-zero
drm/i915: Fix NULL ptr deref by checking new_crtc_state
drm/i915/guc: Don't capture Gen8 regs on Xe devices
af_unix: Fix data races around sk->sk_shutdown.
af_unix: Fix a data race of sk->sk_receive_queue->qlen.
net: datagram: fix data-races in datagram_poll()
net: mscc: ocelot: fix stat counter register values
ipvlan:Fix out-of-bounds caused by unclear skb->cb
gve: Remove the code of clearing PBA bit
tcp: add annotations around sk->sk_shutdown accesses
net: add vlan_get_protocol_and_depth() helper
net: deal with most data-races in sk_wait_event()
net: annotate sk->sk_err write from do_recvmmsg()
netlink: annotate accesses to nlk->cb_running
bonding: fix send_peer_notif overflow
netfilter: conntrack: fix possible bug_on with enable_hooks=1
netfilter: nf_tables: always release netdev hooks from notifier
net: phy: bcm7xx: Correct read from expansion register
net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().
net: stmmac: Initialize MAC_ONEUS_TIC_COUNTER register
linux/dim: Do nothing if no time delta between samples
tick/broadcast: Make broadcast device replacement work correctly
scsi: ufs: core: Fix I/O hang that occurs when BKOPS fails in W-LUN suspend
net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe()
net: skb_partial_csum_set() fix against transport header magic value
ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings
drm/mipi-dsi: Set the fwnode for mipi_dsi_device
drm/fbdev-generic: prohibit potential out-of-bounds access
Linux 6.1.29
drm/amd/display: Fix hang when skipping modeset
spi: fsl-cpm: Use 16 bit mode for large transfers with even size
spi: fsl-spi: Re-organise transfer bits_per_word adaptation
x86: fix clear_user_rep_good() exception handling annotation
x86/amd_nb: Add PCI ID for family 19h model 78h
f2fs: inode: fix to do sanity check on extent cache correctly
f2fs: fix to do sanity check on extent cache correctly
drm/dsc: fix DP_DSC_MAX_BPP_DELTA_* macro values
ext4: fix invalid free tracking in ext4_xattr_move_to_block()
ext4: remove a BUG_ON in ext4_mb_release_group_pa()
ext4: fix lockdep warning when enabling MMP
ext4: bail out of ext4_xattr_ibody_get() fails for any reason
ext4: add bounds checking in get_max_inline_xattr_value_size()
ext4: fix deadlock when converting an inline directory in nojournal mode
ext4: improve error handling from ext4_dirhash()
ext4: improve error recovery code paths in __ext4_remount()
ext4: check iomap type only if ext4_iomap_begin() does not fail
ext4: fix data races when using cached status extents
ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
ext4: fix WARNING in mb_find_extent
locking/rwsem: Add __always_inline annotation to __down_read_common() and inlined callers
drm/dsc: fix drm_edp_dsc_sink_output_bpp() DPCD high byte usage
drm: Add missing DP DSC extended capability definitions.
ksmbd: fix racy issue from smb2 close and logoff with multichannel
ksmbd: block asynchronous requests when making a delay on session setup
ksmbd: destroy expired sessions
ksmbd: fix racy issue from session setup and logoff
ksmbd: Implements sess->ksmbd_chann_list as xarray
drm/amd/display: Change default Z8 watermark values
drm/amd/display: Update Z8 SR exit/enter latencies
drm/amd/display: Update Z8 watermarks for DCN314
ASoC: codecs: wcd938x: fix accessing regmap on unattached devices
ASoC: codecs: constify static sdw_slave_ops struct
ASoC: rt1318: Add RT1318 SDCA vendor-specific driver
drm/amd/display: Lowering min Z8 residency time
drm/amd/display: Update minimum stutter residency for DCN314 Z8
drm/amd/display: Add minimum Z8 residency debug option
drm/amd/display: Fix Z8 support configurations
drm/amd/display: Add debug option to skip PSR CRTC disable
drm/amd/display: Add Z8 allow states to z-state support list
drm/amd/display: Refactor eDP PSR codes
drm/i915: Check pipe source size when using skl+ scalers
drm/i915/mtl: update scaler source and destination limits for MTL
wifi: rtw88: rtw8821c: Fix rfe_option field width
irqchip/loongson-eiointc: Fix registration of syscore_ops
irqchip/loongson-eiointc: Fix incorrect use of acpi_get_vec_parent
irqchip/loongarch: Adjust acpi_cascade_irqdomain_init() and sub-routines
drm/msm: fix missing wq allocation error handling
drm/msm: Hangcheck progress detection
drm/msm/adreno: Simplify read64/write64 helpers
f2fs: factor out victim_entry usage from general rb_tree use
f2fs: allocate the extent_cache by default
f2fs: refactor extent_cache to support for read and more
f2fs: remove unnecessary __init_extent_tree
f2fs: move internal functions into extent_cache.c
f2fs: specify extent cache for read explicitly
drm/msm/adreno: adreno_gpu: Use suspend() instead of idle() on load error
fs/ntfs3: Refactoring of various minor issues
HID: wacom: insert timestamp to packed Bluetooth (BT) events
HID: wacom: Set a default resolution for older tablets
drm/amd: Use `amdgpu_ucode_*` helpers for MES
drm/amd: Add a new helper for loading/validating microcode
drm/amd: Load MES microcode during early_init
drm/amdgpu: remove deprecated MES version vars
drm/amd/pm: avoid potential UBSAN issue on legacy asics
drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend
drm/amd/pm: parse pp_handle under appropriate conditions
drm/amd/display: Enforce 60us prefetch for 200Mhz DCFCLK modes
drm/amdgpu: Fix vram recover doesn't work after whole GPU reset (v2)
drm/amdgpu: change gfx 11.0.4 external_id range
drm/amdgpu/jpeg: Remove harvest checking for JPEG3
drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras
drm/amdgpu: fix amdgpu_irq_put call trace in gmc_v11_0_hw_fini
drm/amdgpu: fix an amdgpu_irq_put() issue in gmc_v9_0_hw_fini()
drm/amdgpu: fix amdgpu_irq_put call trace in gmc_v10_0_hw_fini
drm/amd/display: fix flickering caused by S/G mode
drm/amd/display: filter out invalid bits in pipe_fuses
drm/amd/display: Fix 4to1 MPC black screen with DPP RCO
drm/amd/display: Add NULL plane_state check for cursor disable logic
drm/panel: otm8009a: Set backlight parent to panel device
irqchip/loongson-eiointc: Fix returned value on parsing MADT
irqchip/loongson-pch-pic: Fix pch_pic_acpi_init calling
f2fs: fix potential corruption when moving a directory
f2fs: fix null pointer panic in tracepoint in __replace_atomic_write_block
drm/i915/dsi: Use unconditional msleep() instead of intel_dsi_msleep()
drm/msm: fix workqueue leak on bind errors
drm/msm: fix vram leak on bind errors
drm/msm: fix drm device leak on bind errors
drm/msm: fix NULL-deref on irq uninstall
drm/msm: fix NULL-deref on snapshot tear down
drm/i915/color: Fix typo for Plane CSC indexes
drm/bridge: lt8912b: Fix DSI Video Mode
drm/msm/adreno: fix runtime PM imbalance at gpu load
ARM: dts: aspeed: romed8hm3: Fix GPIO polarity of system-fault LED
ARM: dts: s5pv210: correct MIPI CSIS clock name
ARM: dts: exynos: fix WM8960 clock name in Itop Elite
ARM: dts: aspeed: asrock: Correct firmware flash SPI clocks
sysctl: clarify register_sysctl_init() base directory order
remoteproc: rcar_rproc: Call of_node_put() on iteration error
remoteproc: imx_rproc: Call of_node_put() on iteration error
remoteproc: imx_dsp_rproc: Call of_node_put() on iteration error
remoteproc: st: Call of_node_put() on iteration error
remoteproc: stm32: Call of_node_put() on iteration error
proc_sysctl: enhance documentation
proc_sysctl: update docs for __register_sysctl_table()
sh: nmi_debug: fix return value of __setup handler
sh: init: use OF_EARLY_FLATTREE for early init
sh: mcount.S: fix build error when PRINTK is not enabled
sh: math-emu: fix macro redefined warning
SMB3: force unmount was failing to close deferred close files
smb3: fix problem remounting a share after shutdown
inotify: Avoid reporting event with invalid wd
platform/x86: thinkpad_acpi: Add profile force ability
platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i
platform/x86: thinkpad_acpi: Fix platform profiles on T490
platform/x86: touchscreen_dmi: Add upside-down quirk for GDIX1002 ts on the Juno Tablet
platform/x86/intel-uncore-freq: Return error on write frequency
cifs: release leases for deferred close handles when freezing
cifs: fix pcchunk length type in smb2_copychunk_range
btrfs: zoned: fix full zone super block reading on ZNS
btrfs: zoned: zone finish data relocation BG with last IO
btrfs: fix space cache inconsistency after error loading it from disk
btrfs: print-tree: parent bytenr must be aligned to sector size
btrfs: make clear_cache mount option to rebuild FST without disabling it
btrfs: zero the buffer before marking it dirty in btrfs_redirty_list_add
btrfs: don't free qgroup space unless specified
btrfs: fix encoded write i_size corruption with no-holes
btrfs: fix assertion of exclop condition when starting balance
btrfs: properly reject clear_cache and v1 cache for block-group-tree
btrfs: zoned: fix wrong use of bitops API in btrfs_ensure_empty_zones
btrfs: fix btrfs_prev_leaf() to not return the same key twice
x86/retbleed: Fix return thunk alignment
RISC-V: fix taking the text_mutex twice during sifive errata patching
RISC-V: take text_mutex during alternative patching
perf stat: Separate bperf from bpf_profiler
perf tracepoint: Fix memory leak in is_valid_tracepoint()
perf symbols: Fix return incorrect build_id size in elf_read_build_id()
crypto: engine - fix crypto_queue backlog handling
crypto: engine - Use crypto_request_complete
crypto: api - Add scaffolding to change completion function signature
crypto: sun8i-ss - Fix a test in sun8i_ss_setup_ivs()
perf cs-etm: Fix timeless decode mode detection
perf map: Delete two variable initialisations before null pointer checks in sort__sym_from_cmp()
perf pmu: zfree() expects a pointer to a pointer to zero it after freeing its contents
perf vendor events power9: Remove UTF-8 characters from JSON files
perf ftrace: Make system wide the default target for latency subcommand
perf tests record_offcpu.sh: Fix redirection of stderr to stdin
perf vendor events s390: Remove UTF-8 characters from JSON file
perf scripts intel-pt-events.py: Fix IPC output for Python 2
perf record: Fix "read LOST count failed" msg with sample read
net: enetc: check the index of the SFI rather than the handle
virtio_net: suppress cpu stall when free_unused_bufs
ice: block LAN in case of VF to VF offload
net: dsa: mt7530: fix network connectivity with multiple CPU ports
net: dsa: mt7530: split-off common parts from mt7531_setup
net: dsa: mt7530: fix corrupt frames using trgmii on 40 MHz XTAL MT7621
KVM: s390: fix race in gmap_make_secure()
ALSA: caiaq: input: Add error handling for unsupported input methods in `snd_usb_caiaq_input_init`
drm/amdgpu: add a missing lock for AMDGPU_SCHED
af_packet: Don't send zero-byte data in packet_sendmsg_spkt().
ionic: catch failure from devlink_alloc
ethtool: Fix uninitialized number of lanes
ionic: remove noise from ethtool rxnfc error msg
octeontx2-vf: Detach LF resources on probe cleanup
octeontx2-pf: Disable packet I/O for graceful exit
octeontx2-af: Skip PFs if not enabled
octeontx2-af: Fix issues with NPC field hash extract
octeontx2-af: Update/Fix NPC field hash extract feature
octeontx2-pf: Add additional checks while configuring ucast/bcast/mcast rules
octeontx2-af: Allow mkex profile without DMAC and add L2M/L2B header extraction support
octeontx2-pf: Increase the size of dmac filter flows
octeontx2-af: Fix depth of cam and mem table.
octeontx2-af: Fix start and end bit for scan config
octeontx2-af: Secure APR table update with the lock
selftests: netfilter: fix libmnl pkg-config usage
drm/i915/mtl: Add the missing CPU transcoder mask in intel_device_info
riscv: compat_syscall_table: Fixup compile warning
rxrpc: Fix hard call timeout units
sfc: Fix module EEPROM reporting for QSFP modules
r8152: move setting r8153b_rx_agg_chg_indicate()
r8152: fix the poor throughput for 2.5G devices
r8152: fix flow control issue of RTL8156A
net/sched: act_mirred: Add carrier check
i2c: tegra: Fix PEC support for SMBUS block read
RISC-V: mm: Enable huge page support to kernel_page_present() function
watchdog: dw_wdt: Fix the error handling path of dw_wdt_drv_probe()
block: Skip destroyed blkg when restart in blkg_destroy_all()
writeback: fix call of incorrect macro
net: dsa: mv88e6xxx: add mv88e6321 rsvd2cpu
net: ipv6: fix skb hash for some RST packets
selftests: srv6: make srv6_end_dt46_l3vpn_test more robust
sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()
net/sched: cls_api: remove block_cb from driver_list before freeing
tcp: fix skb_copy_ubufs() vs BIG TCP
net/ncsi: clear Tx enable mode when handling a Config required AEN
octeontx2-pf: mcs: Do not reset PN while updating secy
octeontx2-pf: mcs: Fix shared counters logic
octeontx2-pf: mcs: Clear stats before freeing resource
octeontx2-pf: mcs: Match macsec ethertype along with DMAC
octeontx2-pf: mcs: Fix NULL pointer dereferences
octeontx2-af: mcs: Fix MCS block interrupt
octeontx2-af: mcs: Config parser to skip 8B header
octeontx2-af: mcs: Write TCAM_DATA and TCAM_MASK registers at once
octeonxt2-af: mcs: Fix per port bypass config
ixgbe: Fix panic during XDP_TX with > 64 CPUs
drm/amd/display: Update bounding box values for DCN321
drm/amd/display: Do not clear GPINT register when releasing DMUB from reset
drm/amd/display: Reset OUTBOX0 r/w pointer on DMUB reset
drm/amd/display: Fixes for dcn32_clk_mgr implementation
drm/amd/display: Return error code on DSC atomic check failure
drm/amd/display: Add missing WA and MCLK validation
drm/amd/display: Remove FPU guards from the DML folder
scsi: qedi: Fix use after free bug in qedi_remove()
ASoC: Intel: soc-acpi-byt: Fix "WM510205" match no longer working
KVM: x86/mmu: Refresh CR0.WP prior to checking for emulated permission faults
KVM: VMX: Make CR0.WP a guest owned bit
KVM: x86: Make use of kvm_read_cr*_bits() when testing bits
KVM: x86: Do not unload MMU roots when only toggling CR0.WP with TDP enabled
KVM: x86/mmu: Avoid indirect call for get_cr3
drm/amd/display: Ext displays with dock can't recognized after resume
fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()
mtd: spi-nor: spansion: Enable JFFS2 write buffer for Infineon s25hx SEMPER flash
mailbox: zynqmp: Fix counts of child nodes
mailbox: zynq: Switch to flexible array to simplify code
soc: qcom: llcc: Do not create EDAC platform device on SDM845
qcom: llcc/edac: Support polling mode for ECC handling
mtd: spi-nor: spansion: Enable JFFS2 write buffer for Infineon s28hx SEMPER flash
mtd: spi-nor: Add a RWW flag
mtd: spi-nor: add SFDP fixups for Quad Page Program
mtd: spi-nor: spansion: Remove NO_SFDP_FLAGS from s28hs512t info
KVM: x86/pmu: Disallow legacy LBRs if architectural LBRs are available
KVM: x86: Track supported PERF_CAPABILITIES in kvm_caps
perf/x86/core: Zero @lbr instead of returning -1 in x86_perf_get_lbr() stub
crypto: ccp - Clear PSP interrupt status register before calling handler
drm/vmwgfx: Fix Legacy Display Unit atomic drm support
drm/vmwgfx: Remove explicit and broken vblank handling
usb: dwc3: gadget: Execute gadget stop after halting the controller
USB: dwc3: gadget: drop dead hibernation code
Linux 6.1.28
netfilter: nf_tables: deactivate anonymous set from preparation phase
scsi: libsas: Grab the ATA port lock in sas_ata_device_link_abort()
debugobject: Ensure pool refill (again)
drm/amd/display (gcc13): fix enum mismatch
i40e: use int for i40e_status
i40e: Remove string printing for i40e_status
i40e: Remove unused i40e status codes
sfc (gcc13): synchronize ef100_enqueue_skb()'s return type
block/blk-iocost (gcc13): keep large values in a new enum
perf intel-pt: Fix CYC timestamps after standalone CBR
perf auxtrace: Fix address filter entire kernel size
wifi: ath11k: synchronize ath11k_mac_he_gi_to_nl80211_he_gi()'s return type
bonding (gcc13): synchronize bond_{a,t}lb_xmit() types
thunderbolt: Use correct type in tb_port_is_clx_enabled() prototype
cifs: protect session status check in smb2_reconnect()
cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname
blk-iocost: avoid 64-bit division in ioc_timer_fn
dm: don't lock fs when the map is NULL in process of resume
dm ioctl: fix nested locking in table_clear() to remove deadlock concern
dm flakey: fix a crash with invalid table line
dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path
dm clone: call kmem_cache_destroy() in dm_clone_init() error path
dm verity: fix error handling for check_at_most_once on FEC
vhost_vdpa: fix unmap process in no-batch mode
mm/mempolicy: correctly update prev when policy is equal on mbind
ia64: fix an addr to taddr in huge_pte_offset()
s390/dasd: fix hanging blockdevice after request requeue
btrfs: scrub: reject unsupported scrub flags
scripts/gdb: fix lx-timerlist for Python3
clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent
clk: microchip: fix potential UAF in auxdev release callback
wifi: rtw89: fix potential race condition between napi_init and napi_enable
wifi: rtl8xxxu: RTL8192EU always needs full init
mailbox: zynqmp: Fix typo in IPI documentation
kcsan: Avoid READ_ONCE() in read_instrumented_memory()
mailbox: zynqmp: Fix IPI isr handling
mtd: spi-nor: core: Update flash's current address mode when changing address mode
mtd: core: fix error path for nvmem provider
mtd: core: fix nvmem error reporting
mtd: core: provide unique name for nvmem device, take two
kasan: hw_tags: avoid invalid virt_to_page()
md/raid5: Improve performance for sequential IO
md/raid10: fix null-ptr-deref in raid10_sync_request
drbd: correctly submit flush bio on barrier
mm: do not reclaim private data from pinned page
nilfs2: fix infinite loop in nilfs_mdt_get_block()
nilfs2: do not write dirty data after degenerating to read-only
ALSA: hda/realtek: Fix mute and micmute LEDs for an HP laptop
ALSA: hda/realtek: support HP Pavilion Aero 13-be0xxx Mute LED
ALSA: hda/realtek: Add quirk for ASUS UM3402YAR using CS35L41
ALSA: hda/realtek: Add quirk for ThinkPad P1 Gen 6
ALSA: usb-audio: Add quirk for Pioneer DDJ-800
parisc: Ensure page alignment in flush functions
parisc: Fix argument pointer in real64_call_asm()
afs: Avoid endless loop if file is larger than expected
afs: Fix getattr to report server i_size on dirs, not local size
afs: Fix updating of i_size with dv jump from server
PM: hibernate: Do not get block device exclusively in test_resume mode
PM: hibernate: Turn snapshot_test into global variable
ACPI: PM: Do not turn of unused power resources on the Toshiba Click Mini
hte: tegra-194: Fix off by one in tegra_hte_map_to_line_id()
hte: tegra: fix 'struct of_device_id' build error
mfd: arizona-spi: Add missing MODULE_DEVICE_TABLE
mfd: ocelot-spi: Fix unsupported bulk read
mfd: tqmx86: Correct board names for TQMxE39x
mfd: tqmx86: Specify IO port register range more precisely
mfd: tqmx86: Do not access I2C_DETECT register through io_base
thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak in mtk_thermal_probe
pinctrl-bcm2835.c: fix race condition when setting gpio dir
dmaengine: at_xdmac: do not enable all cyclic channels
dmaengine: dw-edma: Fix to enable to issue dma request on DMA processing
dmaengine: dw-edma: Fix to change for continuous transfer
dma: gpi: remove spurious unlock in gpi_ch_init
phy: ti: j721e-wiz: Fix unreachable code in wiz_mode_select()
phy: tegra: xusb: Add missing tegra_xusb_port_unregister for usb2_port and ulpi_port
soundwire: intel: don't save hw_params for use in prepare
soundwire: cadence: rename sdw_cdns_dai_dma_data as sdw_cdns_dai_runtime
pwm: mtk-disp: Configure double buffering before reading in .get_state()
pwm: mtk-disp: Disable shadow registers before setting backlight values
leds: tca6507: Fix error handling of using fwnode_property_read_string
dmaengine: mv_xor_v2: Fix an error code.
pinctrl: ralink: reintroduce ralink,rt2880-pinmux compatible string
leds: TI_LMU_COMMON: select REGMAP instead of depending on it
pinctrl: renesas: r8a779g0: Fix ERROROUTC function names
pinctrl: renesas: r8a779g0: Fix Group 6/7 pin functions
pinctrl: renesas: r8a779g0: Fix Group 4/5 pin functions
pinctrl: renesas: r8a779f0: Fix tsn1_avtp_pps pin group
pinctrl: renesas: r8a779a0: Remove incorrect AVB[01] pinmux configuration
ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline
ext4: fix i_disksize exceeding i_size problem in paritally written case
SMB3: Close deferred file handles in case of handle lease break
SMB3: Add missing locks to protect deferred close file list
timekeeping: Fix references to nonexistent ktime_get_fast_ns()
openrisc: Properly store r31 to pt_regs on unhandled exceptions
clocksource/drivers/davinci: Fix memory leak in davinci_timer_register when init fails
RDMA/mlx5: Use correct device num_ports when modify DC
SUNRPC: remove the maximum number of retries in call_bind_status
RDMA/mlx5: Fix flow counter query via DEVX
RDMA/mlx5: Check pcie_relaxed_ordering_enabled() in UMR
swiotlb: fix debugfs reporting of reserved memory pools
swiotlb: relocate PageHighMem test away from rmem_swiotlb_setup
Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe
clk: qcom: dispcc-qcm2290: Remove inexistent DSI1PHY clk
clk: qcom: dispcc-qcm2290: get rid of test clock
clk: qcom: gcc-sm8350: fix PCIe PIPE clocks handling
clk: qcom: lpassaudiocc-sc7280: Add required gdsc power domain clks in lpass_cc_sc7280_desc
clk: qcom: lpasscc-sc7280: Skip qdsp6ss clock registration
iommu/amd: Set page size bitmap during V2 domain allocation
NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease
clk: imx: imx8ulp: Fix XBAR_DIVBUS and AD_SLOW clock parents
clk: imx: fracn-gppll: disable hardware select control
clk: imx: fracn-gppll: fix the rate table
IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests
IB/hfi1: Fix SDMA mmu_rb_node not being evicted in LRU order
RDMA/srpt: Add a check for valid 'mad_agent' pointer
RDMA/cm: Trace icm_send_rej event before the cm state is reset
power: supply: rk817: Fix low SOC bugs
clk: qcom: gcc-sm6115: Mark RCGs shared where applicable
RDMA/siw: Remove namespace check from siw_netdev_event()
clk: add missing of_node_put() in "assigned-clocks" property parsing
power: supply: generic-adc-battery: fix unit scaling
iommu/mediatek: Set dma_mask for PGTABLE_PA_35_EN
fs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de()
fs/ntfs3: Fix OOB read in indx_insert_into_buffer
fs/ntfs3: Add check for kmemdup
fs/ntfs3: Fix memory leak if ntfs_read_mft failed
RDMA/erdma: Use fixed hardware page size
rtc: k3: handle errors while enabling wake irq
rtc: meson-vrtc: Use ktime_get_real_ts64() to get the current time
RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()
rtc: omap: include header for omap_rtc_power_off_program prototype
workqueue: Fix hung time report of worker pools
clk: qcom: gcc-qcm2290: Fix up gcc_sdcc2_apps_clk_src
RDMA/rdmavt: Delete unnecessary NULL check
clk: mediatek: mt8135: Properly use CLK_IS_CRITICAL flag
clk: mediatek: mt7622: Properly use CLK_IS_CRITICAL flag
clk: mediatek: Consistently use GATE_MTK() macro
clk: mediatek: mt2712: Add error handling to clk_mt2712_apmixed_probe()
RDMA/siw: Fix potential page_array out of range access
IB/hifi1: add a null check of kzalloc_node in hfi1_ipoib_txreq_init
clk: at91: clk-sam9x60-pll: fix return value check
tracing/user_events: Ensure write index cannot be negative
sched/rt: Fix bad task migration for rt tasks
riscv: Fix ptdump when KASAN is enabled
Revert "objtool: Support addition to set CFA base"
perf/core: Fix hardlockup failure caused by perf throttle
sched/fair: Fix inaccurate tally of ttwu_move_affine
powerpc/rtas: use memmove for potentially overlapping buffer copy
macintosh: via-pmu-led: requires ATA to be set
powerpc/sysdev/tsi108: fix resource printk format warnings
powerpc/wii: fix resource printk format warnings
powerpc/mpc512x: fix resource printk format warning
powerpc/perf: Properly detect mpc7450 family
macintosh/windfarm_smu_sat: Add missing of_node_put()
selftests/powerpc/pmu: Fix sample field check in the mmcra_thresh_marked_sample_test
fbdev: mmp: Fix deferred clk handling in mmphw_probe()
virtio_ring: don't update event idx on get_buf
spmi: Add a check for remove callback when removing a SPMI driver
staging: rtl8192e: Fix W_DISABLE# does not work after stop/start
spi: cadence-quadspi: use macro DEFINE_SIMPLE_DEV_PM_OPS
serial: 8250: Add missing wakeup event reporting
tty: serial: fsl_lpuart: adjust buffer length to the intended size
firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe
usb: mtu3: fix kernel panic at qmu transfer done irq handler
usb: chipidea: fix missing goto in `ci_hdrc_probe`
usb: gadget: tegra-xudc: Fix crash in vbus_draw
sh: sq: Fix incorrect element size for allocating bitmap buffer
uapi/linux/const.h: prefer ISO-friendly __typeof__
scripts/gdb: raise error with reduced debugging information
i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path
i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path
spi: cadence-quadspi: fix suspend-resume implementations
drm/panel: novatek-nt35950: Only unregister DSI1 if it exists
PCI/PM: Extend D3hot delay for NVIDIA HDA controllers
ASoC: fsl_mqs: move of_node_put() to the correct location
drm/panel: novatek-nt35950: Improve error handling
coresight: etm_pmu: Set the module field
cacheinfo: Check sib_leaf in cache_leaves_are_shared()
HID: amd_sfh: Handle "no sensors" enabled for SFH1.1
HID: amd_sfh: Increase sensor command timeout for SFH1.1
HID: amd_sfh: Correct the stop all command
HID: amd_sfh: Add support for shutdown operation
HID: amd_sfh: Fix illuminance value
HID: amd_sfh: Correct the sensor enable and disable command
HID: amd_sfh: Correct the structure fields
scripts/gdb: bail early if there are no generic PD
scripts/gdb: bail early if there are no clocks
ia64: salinfo: placate defined-but-not-used warning
ia64: mm/contig: fix section mismatch warning/error
PCI/EDR: Clear Device Status after EDR error recovery
of: Fix modalias string generation
vmci_host: fix a race condition in vmci_host_poll() causing GPF
spi: fsl-spi: Fix CPM/QE mode Litte Endian
interconnect: qcom: rpm: drop bogus pm domain attach
spi: qup: Don't skip cleanup in remove's error path
linux/vt_buffer.h: allow either builtin or modular for macros
ASoC: es8316: Handle optional IRQ assignment
PCI: imx6: Install the fault handler only on compatible match
ASoC: soc-compress: Inherit atomicity from DAI link for Compress FE
usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
spi: imx: Don't skip cleanup in remove's error path
spi: atmel-quadspi: Free resources even if runtime resume failed in .remove()
spi: atmel-quadspi: Don't leak clk enable count in pm resume
serial: 8250_bcm7271: Fix arbitration handling
iio: light: max44009: add missing OF device matching
fpga: bridge: fix kernel-doc parameter description
serial: stm32: Re-assert RTS/DE GPIO in RS485 mode only if more data are transmitted
usb: dwc3: gadget: Change condition for processing suspend event
usb: host: xhci-rcar: remove leftover quirk handling
pstore: Revert pmsg_lock back to a normal mutex
drivers: staging: rtl8723bs: Fix locking in rtw_scan_timeout_handler()
drivers: staging: rtl8723bs: Fix locking in _rtw_join_timeout_handler()
ASoC: cs35l41: Only disable internal boost
ipmi: ASPEED_BT_IPMI_BMC: select REGMAP_MMIO instead of depending on it
tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.
net: amd: Fix link leak when verifying config failed
netlink: Use copy_to_user() for optval in netlink_getsockopt().
Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
ipv4: Fix potential uninit variable access bug in __ip_make_skb()
net/sched: sch_fq: fix integer overflow of "credit"
net: dpaa: Fix uninitialized variable in dpaa_stop()
netfilter: nf_tables: don't write table validation state without mutex
bpf: Don't EFAULT for getsockopt with optval=NULL
bpf: Fix race between btf_put and btf_idr walk.
net: stmmac:fix system hang when setting up tag_8021q VLAN for DSA ports
net/mlx5e: Nullify table pointer when failing to create
net/mlx5: Use recovery timeout on sync reset flow
Revert "net/mlx5: Remove "recovery" arg from mlx5_load_one() function"
net/mlx5: Suspend auxiliary devices only in case of PCI device suspend
net/mlx5: Remove "recovery" arg from mlx5_load_one() function
net/mlx5e: Fix error flow in representor failing to add vport rx rule
net/mlx5: E-switch, Don't destroy indirect table in split rule
net/mlx5: E-switch, Create per vport table based on devlink encap mode
net/mlx5e: Don't clone flow post action attributes second time
ixgbe: Enable setting RSS table to default values
ixgbe: Allow flow hash to be set via ethtool
wifi: iwlwifi: fw: fix memory leak in debugfs
netfilter: conntrack: fix wrong ct->timeout value
netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert()
wifi: iwlwifi: mvm: check firmware response size
wifi: mt76: connac: fix txd multicast rate setting
wifi: mt76: mt7921e: stop chip reset worker in unregister hook
wifi: mt76: mt7921e: improve reliability of dma reset
wifi: mt76: mt7921: fix missing unwind goto in `mt7921u_probe`
mt76: mt7921: fix kernel panic by accessing unallocated eeprom.data
wifi: mt76: fix 6GHz high channel not be scanned
wifi: mt76: mt7921e: fix probe timeout after reboot
wifi: mt76: add flexible polling wait-interval support
wifi: mt76: handle failure of vzalloc in mt7615_coredump_work
wifi: mt76: mt7915: expose device tree match table
wifi: iwlwifi: make the loop for card preparation effective
io_uring/rsrc: use nospec'ed indexes
jdb2: Don't refuse invalidation of already invalidated buffers
wifi: iwlwifi: fw: move memset before early return
wifi: iwlwifi: mvm: initialize seq variable
wifi: iwlwifi: yoyo: Fix possible division by zero
wifi: iwlwifi: yoyo: skip dump correctly on hw error
wifi: iwlwifi: mvm: don't drop unencrypted MCAST frames
md/raid10: don't call bio_start_io_acct twice for bio which experienced read error
md/raid10: fix memleak of md thread
md/raid10: fix memleak for 'conf->bio_split'
md/raid10: fix leak of 'r10bio->remaining' for recovery
md/raid10: fix task hung in raid10d
f2fs: fix to check return value of inc_valid_block_count()
f2fs: fix to check return value of f2fs_do_truncate_blocks()
bpf, sockmap: Revert buggy deadlock fix in the sockhash and sockmap
wifi: iwlwifi: mvm: don't set CHECKSUM_COMPLETE for unsupported protocols
wifi: iwlwifi: trans: don't trigger d3 interrupt twice
wifi: iwlwifi: debug: fix crash in __iwl_err()
blk-mq: don't plug for head insertions in blk_execute_rq_nowait
selftests/bpf: Fix leaked bpf_link in get_stackid_cannot_attach
selftests/bpf: Use read_perf_max_sample_freq() in perf_event_stackmap
nvme-fcloop: fix "inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage"
nvme: fix async event trace event
nvmet: fix I/O Command Set specific Identify Controller
nvmet: fix Identify Active Namespace ID list handling
nvmet: fix Identify Controller handling
nvmet: fix Identify Namespace handling
nvmet: fix error handling in nvmet_execute_identify_cns_cs_ns()
bpf, sockmap: fix deadlocks in the sockhash and sockmap
wifi: ath11k: fix writing to unintended memory region
net: ethernet: stmmac: dwmac-rk: fix optional phy regulator handling
net: ethernet: stmmac: dwmac-rk: rework optional clock handling
scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()
bpf/btf: Fix is_int_ptr()
wifi: iwlwifi: fix duplicate entry in iwl_dev_info_table
f2fs: fix to avoid use-after-free for cached IPU bio
xsk: Fix unaligned descriptor validation
crypto: drbg - Only fail when jent is unavailable in FIPS mode
bpftool: Fix bug for long instructions in program CFG dumps
selftests/bpf: Wait for receive in cg_storage_multi test
selftests: xsk: Deflakify STATS_RX_DROPPED test
selftests: xsk: Disable IPv6 on VETH1
selftests: xsk: Use correct UMEM size in testapp_invalid_desc
net: qrtr: correct types of trace event parameters
f2fs: fix iostat lock protection
wifi: rt2x00: Fix memory leak when handling surveys
scsi: hisi_sas: Handle NCQ error when IPTT is valid
scsi: libsas: Add sas_ata_device_link_abort()
wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_reg()
wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_rfreg()
crypto: sa2ul - Select CRYPTO_DES
crypto: caam - Clear some memory in instantiate_rng
f2fs: fix scheduling while atomic in decompression path
f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages()
f2fs: apply zone capacity to all zone type
f2fs: fix uninitialized skipped_gc_rwsem
f2fs: handle dqget error in f2fs_transfer_project_quota()
net: sunhme: Fix uninitialized return code
scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS
scsi: target: iscsit: Fix TAS handling during conn cleanup
scsi: target: Fix multiple LUN_RESET handling
scsi: target: iscsit: Stop/wait on cmds during conn close
scsi: target: iscsit: isert: Alloc per conn cmd counter
scsi: target: Pass in cmd counter to use during cmd setup
scsi: target: Move cmd counter allocation
scsi: target: Move sess cmd counter to new struct
scsi: target: core: Change the way target_xcopy_do_work() sets restiction on max I/O
bpf: Fix __reg_bound_offset 64->32 var_off subreg propagation
netfilter: keep conntrack reference until IPsecv6 policy checks are done
net: dsa: qca8k: remove assignment of an_enabled in pcs_get_state()
libbpf: Fix ld_imm64 copy logic for ksym in light skeleton.
net/packet: convert po->auxdata to an atomic flag
net/packet: convert po->origdev to an atomic flag
net/packet: annotate accesses to po->xmit
vlan: partially enable SIOCSHWTSTAMP in container
net: pcs: xpcs: remove double-read of link state when using AN
bpf: Remove misleading spec_v1 check on var-offset stack read
selftests/bpf: Fix a fd leak in an error path in network_helpers.c
wifi: ath11k: fix deinitialization of firmware resources
scm: fix MSG_CTRUNC setting condition for SO_PASSSEC
crypto: qat - fix concurrency issue when device state changes
bpf: fix precision propagation verbose logging
bpf: take into account liveness when propagating precision
wifi: rtw88: mac: Return the original error from rtw_mac_power_switch()
wifi: rtw88: mac: Return the original error from rtw_pwr_seq_parser()
tools: bpftool: Remove invalid \' json escape
wifi: ath6kl: reduce WARN to dev_dbg() in callback
wifi: brcmfmac: support CQM RSSI notification with older firmware
wifi: ath11k: fix SAC bug on peer addition with sta band migration
wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list()
wifi: ath5k: Use platform_get_irq() to get the interrupt
wifi: ath11k: Use platform_get_irq() to get the interrupt
wifi: ath9k: hif_usb: fix memory leak of remain_skbs
wifi: ath6kl: minor fix for allocation size
platform/chrome: cros_typec_switch: Add missing fwnode_handle_put()
hwmon: (pmbus/fsp-3y) Fix functionality bitmask in FSP-3Y YM-2151E
rpmsg: glink: Propagate TX failures in intentless mode as well
cpufreq: use correct unit when verify cur freq
ACPI: bus: Ensure that notify handlers are not running after removal
tick/common: Align tick period with the HZ tick.
drm/i915: Make intel_get_crtc_new_encoder() less oopsy
debugobject: Prevent init race with static objects
media: mediatek: vcodec: add remove function for decoder platform driver
media: mediatek: vcodec: fix decoder disable pm crash
perf/arm-cmn: Fix port detection for CMN-700
arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step
x86/ioapic: Don't return 0 from arch_dynirq_lower_bound()
regulator: stm32-pwr: fix of_iomap leak
media: venus: dec: Fix capture formats enumeration order
media: venus: dec: Fix handling of the start cmd
media: rc: gpio-ir-recv: Fix support for wake-up
drm/amd/display: Fix potential null dereference
media: hi846: Fix memleak in hi846_init_controls()
media: v4l: async: Return async sub-devices to subnotifier list
media: rcar_fdp1: Fix refcount leak in probe and remove function
media: platform: mtk-mdp3: fix potential frame size overflow in mdp_try_fmt_mplane()
media: saa7134: fix use after free bug in saa7134_finidev due to race condition
media: dm1105: Fix use after free bug in dm1105_remove due to race condition
platform/x86/amd: pmc: Move out of BIOS SMN pair for STB init
platform/x86/amd: pmc: Utilize SMN index 0 for driver probe
platform/x86/amd: pmc: Move idlemask check into `amd_pmc_idlemask_read`
platform/x86/amd: pmc: Don't dump data after resume from s0i3 on picasso
platform/x86/amd: pmc: Hide SMU version and program attributes for Picasso
platform/x86/amd: pmc: Don't try to read SMU version on Picasso
platform/x86/amd/pmf: Move out of BIOS SMN pair for driver probe
media: rkvdec: fix use after free bug in rkvdec_remove
media: cedrus: fix use after free bug in cedrus_remove due to race condition
media: mediatek: vcodec: change lat thread decode error condition
media: mediatek: vcodec: making sure queue_work successfully
media: mediatek: vcodec: remove unused lat_buf
media: mediatek: vcodec: add core decode done event
media: mediatek: vcodec: move lat_buf to the top of core list
media: mediatek: vcodec: using each instance lat_buf count replace core ready list
media: mediatek: vcodec: add params to record lat and core lat_buf count
media: mediatek: vcodec: Force capture queue format to MM21
media: mediatek: vcodec: Make MM21 the default capture format
media: mediatek: vcodec: Use 4K frame size when supported by stateful decoder
arm64: dts: sc7280: Rename qspi data12 as data23
arm64: dts: sc7180: Rename qspi data12 as data23
arm64: dts: qcom: msm8994-angler: removed clash with smem_region
arm64: dts: qcom: msm8994-angler: Fix cont_splash_mem mapping
x86/apic: Fix atomic update of offset in reserve_eilvt_offset()
regulator: core: Avoid lockdep reports when resolving supplies
regulator: core: Consistently set mutex_owner when using ww_mutex_lock_slow()
drm/ttm/pool: Fix ttm_pool_alloc error path
drm/ttm: optimize pool allocations a bit v2
arm64: dts: qcom: apq8096-db820c: drop unit address from PMI8994 regulator
arm64: dts: qcom: msm8994-msft-lumia-octagon: drop unit address from PMI8994 regulator
arm64: dts: qcom: msm8994-kitakami: drop unit address from PMI8994 regulator
arm64: dts: qcom: sc7180-trogdor-pazquel: correct trackpad supply
arm64: dts: qcom: sc7180-trogdor-lazor: correct trackpad supply
arm64: dts: qcom: sc7280-herobrine-villager: correct trackpad supply
gpu: host1x: Fix memory leak of device names
gpu: host1x: Fix potential double free if IOMMU is disabled
soc: renesas: renesas-soc: Release 'chipid' from ioremap()
soc: bcm: brcmstb: biuctrl: fix of_iomap leak
mailbox: mpfs: switch to txdone_poll
drm/mediatek: dp: Change the aux retries times when receiving AUX_DEFER
drm/lima/lima_drv: Add missing unwind goto in lima_pdev_probe()
ACPI: VIOT: Initialize the correct IOMMU fwspec
arm64: dts: mediatek: mt8192-asurada: Fix voltage constraint for Vgpu
cpufreq: qcom-cpufreq-hw: Revert adding cpufreq qos
cpufreq: mediatek: Raise proc and sram max voltage for MT7622/7623
cpufreq: mediatek: raise proc/sram max voltage for MT8516
cpufreq: mediatek: fix KP caused by handler usage after regulator_put/clk_put
cpufreq: mediatek: fix passing zero to 'PTR_ERR'
arm64: dts: apple: t8103: Disable unused PCIe ports
ARM: dts: stm32: fix spi1 pin assignment on stm32mp15
perf/arm-cmn: Move overlapping wp_combine field
firmware: arm_scmi: Fix xfers allocation on Rx channel
ARM: dts: gta04: fix excess dma channel usage
drm: rcar-du: Fix a NULL vs IS_ERR() bug
arm64: dts: qcom: sm8450: fix pcie1 gpios properties name
mmc: sdhci-of-esdhc: fix quirk to ignore command inhibit for data
ACPI: processor: Fix evaluating _PDC method when running as Xen dom0
drm/amd/display/dc/dce60/Makefile: Fix previous attempt to silence known override-init warnings
arm64: dts: qcom: sm8350-microsoft-surface: fix USB dual-role mode property
virt/coco/sev-guest: Double-buffer messages
drm: msm: adreno: Disable preemption on Adreno 510
drm/msm/adreno: drop bogus pm_runtime_set_active()
arm64: dts: ti: k3-am62a7: Correct L2 cache size to 512KB
arm64: dts: ti: k3-am625: Correct L2 cache size to 512KB
media: max9286: Free control handler
drm/bridge: adv7533: Fix adv7533_mode_valid for adv7533 and adv7535
firmware: qcom_scm: Clear download bit during reboot
media: av7110: prevent underflow in write_ts_to_decoder()
media: amphion: decoder implement display delay enable
media: platform: mtk-mdp3: Add missing check and free for ida_alloc
media: bdisp: Add missing check for create_workqueue
x86/MCE/AMD: Use an u64 for bank_map
ARM: dts: qcom: sdx55: Fix the unit address of PCIe EP node
ARM: dts: qcom: ipq8064: Fix the PCI I/O port range
ARM: dts: qcom: ipq4019: Fix the PCI I/O port range
arm64: dts: qcom: sm8450: Fix the PCI I/O port range
arm64: dts: qcom: sm8150: Fix the PCI I/O port range
arm64: dts: qcom: sm8250: Fix the PCI I/O port range
arm64: dts: qcom: msm8996: Fix the PCI I/O port range
arm64: dts: qcom: ipq6018: Fix the PCI I/O port range
arm64: dts: qcom: ipq8074: Fix the PCI I/O port range
arm64: dts: qcom: sc7280: Fix the PCI I/O port range
arm64: dts: qcom: msm8998: Fix the PCI I/O port range
arm64: dts: qcom: sdm845: Fix the PCI I/O port range
arm64: dts: qcom: sdm845: correct dynamic power coefficients
arm64: dts: qcom: sc7280: fix EUD port properties
arm64: dts: qcom: msm8998: Fix stm-stimulus-base reg name
arm64: dts: broadcom: bcmbca: bcm4908: fix procmon nodename
arm64: dts: broadcom: bcmbca: bcm4908: fix LED nodenames
arm64: dts: broadcom: bcmbca: bcm4908: fix NAND interrupt name
arm64: dts: ti: k3-j721e-main: Remove ti,strobe-sel property
arm64: dts: ti: k3-am62a7-sk: Fix DDR size to full 4GB
arm64: dts: ti: k3-am62-main: Fix GPIO numbers in DT
regulator: core: Shorten off-on-delay-us for always-on/boot-on by time since booted
ARM: dts: qcom-apq8064: Fix opp table child name
EDAC/skx: Fix overflows on the DRAM row address mapping arrays
drm/msm/disp/dpu: check for crtc enable rather than crtc active to release shared resources
drm/mediatek: dp: Only trigger DRM HPD events if bridge is attached
arm64: dts: renesas: r9a07g043: Update IRQ numbers for SSI channels
arm64: dts: renesas: r9a07g043: Introduce SOC_PERIPHERAL_IRQ() macro to specify interrupt property
arm64: dts: renesas: r9a07g054: Update IRQ numbers for SSI channels
arm64: dts: renesas: r9a07g044: Update IRQ numbers for SSI channels
arm64: dts: renesas: r8a774c0: Remove bogus voltages from OPP table
arm64: dts: renesas: r8a77990: Remove bogus voltages from OPP table
soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe
tools/x86/kcpuid: Fix avx512bw and avx512lvl fields in Fn00000007
drm/amdgpu: register a vga_switcheroo client for MacBooks with apple-gmux
drm/probe-helper: Cancel previous job before starting new one
drm/vgem: add missing mutex_destroy
drm/i915/dg2: Drop one PCI ID
drm/rockchip: Drop unbalanced obj unref
erofs: fix potential overflow calculating xattr_isize
erofs: initialize packed inode after root inode is assigned
erofs: stop parsing non-compact HEAD index if clusterofs is invalid
tpm, tpm_tis: Claim locality when interrupts are reenabled on resume
tpm, tpm: Implement usage counter for locality
tpm, tpm_tis: Claim locality before writing interrupt registers
tpm, tpm_tis: Disable interrupts if tpm_tis_probe_irq() failed
tpm, tpm_tis: Claim locality before writing TPM_INT_ENABLE register
tpm, tpm_tis: Do not skip reset of original interrupt vector
selinux: ensure av_permissions.h is built when needed
selinux: fix Makefile dependencies of flask.h
selftests/resctrl: Check for return value after write_schemata()
selftests/resctrl: Allow ->setup() to return errors
selftests/resctrl: Move ->setup() call outside of test specific branches
selftests/resctrl: Return NULL if malloc_and_init_memory() did not alloc mem
rcu: Fix missing TICK_DEP_MASK_RCU_EXP dependency check
kunit: fix bug in the order of lines in debugfs logs
kunit: improve KTAP compliance of KUnit test output
ASoC: dt-bindings: qcom,lpass-rx-macro: correct minItems for clocks
bus: mhi: host: Range check CHDBOFF and ERDBOFF
bus: mhi: host: Use mhi_tryset_pm_state() for setting fw error state
bus: mhi: host: Remove duplicate ee check for syserr
cxl/hdm: Fail upon detecting 0-sized decoders
xfs: don't consider future format versions valid
ceph: fix potential use-after-free bug when trimming caps
ubifs: Fix memory leak in do_rename
ubifs: Free memory for tmpfile name
ubi: Fix return value overwrite issue in try_write_vid_and_data()
ubifs: Fix memleak when insert_old_idx() failed
Revert "ubifs: dirty_cow_znode: Fix memleak in error handling path"
RISC-V: Align SBI probe implementation with spec
iommu/amd: Fix "Guest Virtual APIC Table Root Pointer" configuration in IRTE
drm/amd/pm: re-enable the gfx imu when smu resume
swsmu/amdgpu_smu: Fix the wrong if-condition
tracing: Fix permissions for the buffer_percent file
riscv: mm: remove redundant parameter of create_fdt_early_page_table
i2c: omap: Fix standard mode false ACK readings
ACPI: video: Remove acpi_backlight=video quirk for Lenovo ThinkPad W530
ksmbd: fix deadlock in ksmbd_find_crypto_ctx()
ksmbd: not allow guest user on multichannel
ksmbd: fix memleak in session setup
ksmbd: fix NULL pointer dereference in smb2_get_info_filesystem()
ksmbd: call rcu_barrier() in ksmbd_server_exit()
ksmbd: fix racy issue under cocurrent smb2 tree disconnect
KVM: RISC-V: Retry fault if vma_lookup() results become invalid
drm/amd/display: fix a divided-by-zero error
drm/amd/display: fix PSR-SU/DSC interoperability support
drm/amd/display: limit timing for single dimm memory
drm/amd/display: Remove stutter only configurations
relayfs: fix out-of-bounds access in relay_file_read
KVM: arm64: vgic: Don't acquire its_lock before config_lock
KVM: arm64: Use config_lock to protect vgic state
KVM: arm64: Use config_lock to protect data ordered against KVM_RUN
KVM: arm64: Avoid lock inversion when setting the VM register width
KVM: arm64: Avoid vcpu->mutex v. kvm->lock inversion in CPU_ON
KVM: nVMX: Emulate NOPs in L2, and PAUSE if it's not intercepted
reiserfs: Add security prefix to xattr name in reiserfs_security_write()
rcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed
crypto: ccp - Don't initialize CCP for PSP 0x1649
crypto: arm64/aes-neonbs - fix crash with CFI enabled
crypto: safexcel - Cleanup ring IRQ workqueues on load failure
crypto: api - Demote BUG_ON() in crypto_unregister_alg() to a WARN_ON()
ring-buffer: Sync IRQ works before buffer destruction
ring-buffer: Ensure proper resetting of atomic variables in ring_buffer_reset_online_cpus
pinctrl: qcom: lpass-lpi: set output value before enabling output
soundwire: qcom: correct setting ignore bit on v1.5.1
pwm: meson: Fix g12a ao clk81 name
pwm: meson: Fix axg ao mux parents
wifi: mt76: add missing locking to protect against concurrent rx/status calls
kheaders: Use array declaration instead of char
iio: addac: stx104: Fix race condition for stx104_write_raw()
iio: addac: stx104: Fix race condition when converting analog-to-digital
ipmi: fix SSIF not responding under certain cond.
ipmi:ssif: Add send_retries increment
MIPS: fw: Allow firmware to pass a empty env
fs: fix sysctls.c built
tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem
serial: max310x: fix IO data corruption in batched operations
serial: 8250: Fix serial8250_tx_empty() race with DMA Tx
serial: fix TIOCSRS485 locking
xhci: fix debugfs register accesses while suspended
tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH
staging: iio: resolver: ads1210: fix config mode
blk-crypto: make blk_crypto_evict_key() more robust
blk-crypto: make blk_crypto_evict_key() return void
blk-mq: release crypto keyslot before reporting I/O complete
blk-crypto: Add a missing include directive
blk-crypto: move internal only declarations to blk-crypto-internal.h
blk-crypto: add a blk_crypto_config_supported_natively helper
blk-crypto: don't use struct request_queue for public interfaces
blk-stat: fix QUEUE_FLAG_STATS clear
media: ov8856: Do not check for for module version
posix-cpu-timers: Implement the missing timer_wait_running callback
tpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site
hwmon: (adt7475) Use device_property APIs when configuring polarity
hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write
USB: dwc3: fix runtime pm imbalance on unbind
USB: dwc3: fix runtime pm imbalance on probe errors
usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive
usb: gadget: udc: core: Prevent redundant calls to pullup
usb: gadget: udc: core: Invoke usb_gadget_connect only when started
IMA: allow/fix UML builds
phy: qcom-qmp-pcie: sc8180x PCIe PHY has 2 lanes
PCI: qcom: Fix the incorrect register usage in v2.7.0 config
PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock
PCI: kirin: Select REGMAP_MMIO
powerpc/boot: Fix boot wrapper code generation with CONFIG_POWER10_CPU
arm64: Stash shadow stack pointer in the task struct on interrupt
arm64: Always load shadow stack pointer directly from the task struct
ASoC: amd: ps: update the acp clock source.
ASoC: amd: fix ACP version typo mistake
wifi: mt76: mt7921e: Set memory space enable in PCI_COMMAND if unset
wireguard: timers: cast enum limits members to int in prints
x86/cpu: Add model number for Intel Arrow Lake processor
asm-generic/io.h: suppress endianness warnings for readq() and writeq()
tracing: Error if a trace event has an array for a __field()
wifi: ath11k: reduce the MHI timeout to 20s
platform/x86: thinkpad_acpi: Add missing T14s Gen1 type to s2idle quirk list
net: sfp: add quirk enabling 2500Base-x for HG MXPD-483II
scsi: mpi3mr: Handle soft reset in progress fault code (0xF002)
selftests mount: Fix mount_setattr_test builds failed
net: wwan: t7xx: do not compile with -Werror
ASoC: da7213.c: add missing pm_runtime_disable()
ASoC: Intel: bytcr_rt5640: Add quirk for the Acer Iconia One 7 B1-750
iio: adc: palmas_gpadc: fix NULL dereference on rmmod
ASoC: amd: yc: Add DMI entries to support Victus by HP Laptop 16-e1xxx (8A22)
x86/hyperv: Block root partition functionality in a Confidential VM
ASoC: soc-pcm: fix hw->formats cleared by soc_pcm_hw_init() for dpcm
ASoC: Intel: soc-acpi: add table for Intel 'Rooks County' NUC M15
ASOC: Intel: sof_sdw: add quirk for Intel 'Rooks County' NUC M15
Linux 6.1.27
riscv: No need to relocate the dtb as it lies in the fixmap region
riscv: Do not set initial_boot_params to the linear address of the dtb
riscv: Move early dtb mapping into the fixmap region
driver core: Don't require dynamic_debug for initcall_debug probe timing
USB: serial: option: add UNISOC vendor and TOZED LT70C product
btrfs: fix uninitialized variable warnings
bluetooth: Perform careful capability checks in hci_sock_ioctl()
gpiolib: acpi: Add a ignore wakeup quirk for Clevo NL5xNU
drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
mptcp: fix accept vs worker race
mptcp: stops worker on unaccepted sockets at listener close
mm/mempolicy: fix use-after-free of VMA iterator
KVM: arm64: Retry fault if vma_lookup() results become invalid
phy: phy-brcm-usb: Utilize platform_get_irq_byname_optional()
um: Only disable SSE on clang to work around old GCC bugs
Linux 6.1.26
ASN.1: Fix check for strdup() success
ASoC: fsl_sai: Fix pins setting for i.MX8QM platform
ASoC: fsl_asrc_dma: fix potential null-ptr-deref
ASoC: SOF: pm: Tear down pipelines only if DSP was active
mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock
fpga: bridge: properly initialize bridge device before populating children
iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger()
Input: pegasus-notetaker - check pipe type when probing
gcc: disable '-Warray-bounds' for gcc-13 too
sctp: Call inet6_destroy_sock() via sk->sk_destruct().
dccp: Call inet6_destroy_sock() via sk->sk_destruct().
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
purgatory: fix disabling debug info
fuse: always revalidate rename target dentry
MIPS: Define RUNTIME_DISCARD_EXIT in LD script
KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
KVM: arm64: Make vcpu flag updates non-preemptible
sched/fair: Fixes for capacity inversion detection
sched/fair: Consider capacity inversion in util_fits_cpu()
sched/fair: Detect capacity inversion
mm/mmap: regression fix for unmapped_area{_topdown}
mm: page_alloc: skip regions with hugetlbfs pages when allocating 1G pages
mm: kmsan: handle alloc failures in kmsan_vmap_pages_range_noflush()
mm: kmsan: handle alloc failures in kmsan_ioremap_page_range()
mm/huge_memory.c: warn with pr_warn_ratelimited instead of VM_WARN_ON_ONCE_FOLIO
mm/khugepaged: check again on anon uffd-wp during isolation
mm/userfaultfd: fix uffd-wp handling for THP migration entries
Conflicts:
Documentation/devicetree/bindings
Documentation/devicetree/bindings/ata/ceva,ahci-1v84.yaml
Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml
Documentation/devicetree/bindings/iio/adc/renesas,rcar-gyroadc.yaml
Documentation/devicetree/bindings/power/reset/qcom,pon.yaml
Documentation/devicetree/bindings/sound/qcom,lpass-rx-macro.yaml
Documentation/devicetree/bindings/sound/tas2562.yaml
Documentation/devicetree/bindings/sound/tas2770.yaml
Documentation/devicetree/bindings/sound/tas27xx.yaml
Documentation/devicetree/bindings/usb/cdns,usb3.yaml
Documentation/devicetree/bindings/usb/snps,dwc3.yaml
drivers/bus/mhi/host/boot.c
drivers/cpufreq/qcom-cpufreq-hw.c
drivers/edac/qcom_edac.c
drivers/firmware/qcom_scm.c
drivers/gpu/drm/bridge/analogix/anx7625.c
drivers/interconnect/qcom/icc-rpm.c
drivers/interconnect/qcom/icc-rpm.h
drivers/soc/qcom/llcc-qcom.c
drivers/soc/qcom/mdt_loader.c
drivers/ufs/host/ufs-qcom.c
include/linux/soc/qcom/llcc-qcom.h
Change-Id: I8b5c01908c4448ee74e3c086747fd18ad1015f4b
Upstream-Build: ks_qcom-android14-6.1-keystone-qcom-release@11171449 UKQ2.231203.001
Signed-off-by: jianzhou <quic_jianzhou@quicinc.com>
Signed-off-by: Maria Yu <quic_aiquny@quicinc.com>
|
||
|
Pranav Mahesh Phansalkar
|
892c420281 |
net: qrtr: Add check to validate callback data
Add check to validate data in gunyah read callback. Change-Id: Ib8b61b274ac80a5377c12a968b89aeb5486cd38b Signed-off-by: Pranav Mahesh Phansalkar <quic_pphansal@quicinc.com> |
||
|
Greg Kroah-Hartman
|
31e1ff253d |
ANDROID: Fix up unneeded crc break in af_vsock.c
In commit |
||
|
Greg Kroah-Hartman
|
f1bc13cb9d |
This is the 6.1.64 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVmHpsACgkQONu9yGCS aT5uvw//SzcE0GImnHnfeN7iXtpFE9O0fhTxsjZCi8/HTXmGWPtQgWscd9y81bAd EHBVr456GXqd6KuIF+03g/r/FYinwWqK375meLfaybw1vSBP+fZttrEGqz6nTnYD yqOxw2bqgz8Xjp63UeNHD6mifpBvVtuAvzrfO1E2Ie/U1OU2uKdjRRv0iijKNeWN liOYTXaddIkVfZR0z6dVTl0hb5dPWsxNmF77kfVpKz4ALIHJcO13DlUuKtQz6Sb6 0ElmJpuonHuUxHzb8e9LLsFy3IvbBqomSscwcd0tngtdUTzhMYFIZLjg2+WQ9Ovq raMGqvS/bKsoyoTBNKL83QB2NyXQb3vkfL0NgLsq9IwDl+r96mP9ctANYGwSjhND o/4sa/fbMFzeInA8Rzh7i56RCNstOBKApJPhBzWuY0f/6b1BZpvZaONyX3fFksWO dMeYT16GgO4lhQXnG3O6mtDT8eoZ1fLf7ZdGEZ2NktcOzXYelNc4aXJke7qdlIop CVxM+Ur+juj+DJymo59a6baXjEgIROdHq83N3CZwetGviPHneGqgYc0K7ETtA33H sH/0KGYAT8SzzjMlnXB0lpjp68WViJfzzo9Wxdf2aDZbL3SdI14GPKMUeDqqeSyU 8bB2Hb4ItccRFW9RriiE3BPGnLGu7PDTkn5TgXDG/bDX54Cb5DQ= =YPzI -----END PGP SIGNATURE----- Merge 6.1.64 into android14-6.1-lts Changes in 6.1.64 locking/ww_mutex/test: Fix potential workqueue corruption lib/generic-radix-tree.c: Don't overflow in peek() perf/core: Bail out early if the request AUX area is out of bound srcu: Fix srcu_struct node grpmask overflow on 64-bit systems selftests/lkdtm: Disable CONFIG_UBSAN_TRAP in test config clocksource/drivers/timer-imx-gpt: Fix potential memory leak clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware smp,csd: Throw an error if a CSD lock is stuck for too long cpu/hotplug: Don't offline the last non-isolated CPU workqueue: Provide one lock class key per work_on_cpu() callsite x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size wifi: plfxlc: fix clang-specific fortify warning wifi: mac80211_hwsim: fix clang-specific fortify warning wifi: mac80211: don't return unset power in ieee80211_get_tx_power() atl1c: Work around the DMA RX overflow issue bpf: Detect IP == ksym.end as part of BPF program wifi: ath9k: fix clang-specific fortify warnings wifi: ath10k: fix clang-specific fortify warning net: annotate data-races around sk->sk_tx_queue_mapping net: annotate data-races around sk->sk_dst_pending_confirm wifi: ath10k: Don't touch the CE interrupt registers after power up vsock: read from socket's error queue bpf: Ensure proper register state printing for cond jumps Bluetooth: btusb: Add date->evt_skb is NULL check Bluetooth: Fix double free in hci_conn_cleanup ACPI: EC: Add quirk for HP 250 G7 Notebook PC tsnep: Fix tsnep_request_irq() format-overflow warning platform/chrome: kunit: initialize lock for fake ec_dev platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e drm/gma500: Fix call trace when psb_gem_mm_init() fails drm/komeda: drop all currently held locks if deadlock happens drm/amdgpu: not to save bo in the case of RAS err_event_athub drm/amdkfd: Fix a race condition of vram buffer unref in svm code drm/amd: Update `update_pcie_parameters` functions to use uint8_t arguments drm/amd/display: use full update for clip size increase of large plane source string.h: add array-wrappers for (v)memdup_user() kernel: kexec: copy user-array safely kernel: watch_queue: copy user-array safely drm_lease.c: copy user-array safely drm: vmwgfx_surface.c: copy user-array safely drm/msm/dp: skip validity check for DP CTS EDID checksum drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga drm/amdgpu: Fix potential null pointer derefernce drm/panel: fix a possible null pointer dereference drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference drm/radeon: fix a possible null pointer dereference drm/amdgpu/vkms: fix a possible null pointer dereference drm/panel: st7703: Pick different reset sequence drm/amdkfd: Fix shift out-of-bounds issue drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL arm64: dts: ls208xa: use a pseudo-bus to constrain usb dma size selftests/efivarfs: create-read: fix a resource leak ASoC: soc-card: Add storage for PCI SSID ASoC: SOF: Pass PCI SSID to machine driver crypto: pcrypt - Fix hungtask for PADATA_RESET ASoC: SOF: ipc4: handle EXCEPTION_CAUGHT notification from firmware RDMA/hfi1: Use FIELD_GET() to extract Link Width scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool fs/jfs: Add check for negative db_l2nbperpage fs/jfs: Add validity check for db_maxag and db_agpref jfs: fix array-index-out-of-bounds in dbFindLeaf jfs: fix array-index-out-of-bounds in diAlloc HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround ARM: 9320/1: fix stack depot IRQ stack filter ALSA: hda: Fix possible null-ptr-deref when assigning a stream PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields PCI: mvebu: Use FIELD_PREP() with Link Width atm: iphase: Do PCI error checks on own line PCI: Do error check on own line to split long "if" conditions scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() PCI: Use FIELD_GET() to extract Link Width PCI: Extract ATS disabling to a helper function PCI: Disable ATS for specific Intel IPU E2000 devices misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller PCI: Use FIELD_GET() in Sapphire RX 5600 XT Pulse quirk ASoC: Intel: soc-acpi-cht: Add Lenovo Yoga Tab 3 Pro YT3-X90 quirk crypto: hisilicon/qm - prevent soft lockup in receive loop HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W exfat: support handle zero-size directory mfd: intel-lpss: Add Intel Lunar Lake-M PCI IDs iio: adc: stm32-adc: harden against NULL pointer deref in stm32_adc_probe() thunderbolt: Apply USB 3.x bandwidth quirk only in software connection manager tty: vcc: Add check for kstrdup() in vcc_probe() usb: dwc3: core: configure TX/RX threshold for DWC3_IP soundwire: dmi-quirks: update HP Omen match f2fs: fix error handling of __get_node_page usb: gadget: f_ncm: Always set current gadget in ncm_bind() 9p/trans_fd: Annotate data-racy writes to file::f_flags 9p: v9fs_listxattr: fix %s null argument warning i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler i2c: fix memleak in i2c_new_client_device() i2c: sun6i-p2wi: Prevent potential division by zero virtio-blk: fix implicit overflow on virtio_max_dma_size i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data. media: gspca: cpia1: shift-out-of-bounds in set_flicker media: vivid: avoid integer overflow gfs2: ignore negated quota changes gfs2: fix an oops in gfs2_permission media: cobalt: Use FIELD_GET() to extract Link Width media: ccs: Fix driver quirk struct documentation media: imon: fix access to invalid resource for the second interface drm/amd/display: Avoid NULL dereference of timing generator kgdb: Flush console before entering kgdb on panic i2c: dev: copy userspace array safely ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings drm/qxl: prevent memory leak ALSA: hda/realtek: Add quirk for ASUS UX7602ZM drm/amdgpu: fix software pci_unplug on some chips pwm: Fix double shift bug mtd: rawnand: tegra: add missing check for platform_get_irq() wifi: iwlwifi: Use FW rate for non-data frames sched/core: Optimize in_task() and in_interrupt() a bit SUNRPC: ECONNRESET might require a rebind mtd: rawnand: intel: check return value of devm_kasprintf() mtd: rawnand: meson: check return value of devm_kasprintf() NFSv4.1: fix handling NFS4ERR_DELAY when testing for session trunking SUNRPC: Add an IS_ERR() check back to where it was NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO SUNRPC: Fix RPC client cleaned up the freed pipefs dentries gfs2: Silence "suspicious RCU usage in gfs2_permission" warning vhost-vdpa: fix use after free in vhost_vdpa_probe() net: set SOCK_RCU_FREE before inserting socket into hashtable ipvlan: add ipvlan_route_v6_outbound() helper tty: Fix uninit-value access in ppp_sync_receive() net: hns3: fix add VLAN fail issue net: hns3: add barrier in vf mailbox reply process net: hns3: fix incorrect capability bit display for copper port net: hns3: fix out-of-bounds access may occur when coalesce info is read via debugfs net: hns3: fix variable may not initialized problem in hns3_init_mac_addr() net: hns3: fix VF reset fail issue net: hns3: fix VF wrong speed and duplex issue tipc: Fix kernel-infoleak due to uninitialized TLV value net: mvneta: fix calls to page_pool_get_stats ppp: limit MRU to 64K xen/events: fix delayed eoi list handling ptp: annotate data-race around q->head and q->tail bonding: stop the device in bond_setup_by_slave() net: ethernet: cortina: Fix max RX frame define net: ethernet: cortina: Handle large frames net: ethernet: cortina: Fix MTU max setting af_unix: fix use-after-free in unix_stream_read_actor() netfilter: nf_conntrack_bridge: initialize err to 0 netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() net: stmmac: fix rx budget limit check net: stmmac: avoid rx queue overrun net/mlx5e: fix double free of encap_header net/mlx5e: fix double free of encap_header in update funcs net/mlx5e: Fix pedit endianness net/mlx5e: Reduce the size of icosq_str net/mlx5e: Check return value of snprintf writing to fw_version buffer net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors macvlan: Don't propagate promisc change to lower dev in passthru tools/power/turbostat: Fix a knl bug tools/power/turbostat: Enable the C-state Pre-wake printing cifs: spnego: add ';' in HOST_KEY_LEN cifs: fix check of rc in function generate_smb3signingkey i915/perf: Fix NULL deref bugs with drm_dbg() calls media: venus: hfi: add checks to perform sanity on queue pointers perf intel-pt: Fix async branch flags powerpc/perf: Fix disabling BHRB and instruction sampling randstruct: Fix gcc-plugin performance mode to stay in group bpf: Fix check_stack_write_fixed_off() to correctly spill imm bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END scsi: mpt3sas: Fix loop logic scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers scsi: qla2xxx: Fix system crash due to bad pointer access crypto: x86/sha - load modules based on CPU features x86/cpu/hygon: Fix the CPU topology evaluation for real KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space KVM: x86: Ignore MSR_AMD64_TW_CFG access KVM: x86: Clear bit12 of ICR after APIC-write VM-exit audit: don't take task_lock() in audit_exe_compare() code path audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare() proc: sysctl: prevent aliased sysctls from getting passed to init tty/sysrq: replace smp_processor_id() with get_cpu() tty: serial: meson: fix hard LOCKUP on crtscts mode hvc/xen: fix console unplug hvc/xen: fix error path in xen_hvc_init() to always register frontend driver hvc/xen: fix event channel handling for secondary consoles PCI/sysfs: Protect driver's D3cold preference from user space mm/damon/sysfs: remove requested targets when online-commit inputs mm/damon/sysfs: update monitoring target regions for online input commit watchdog: move softlockup_panic back to early_param mm/damon/lru_sort: avoid divide-by-zero in hot threshold calculation mm/damon/ops-common: avoid divide-by-zero during region hotness calculation mm/damon: implement a function for max nr_accesses safe calculation mm/damon/sysfs: check error from damon_sysfs_update_target() ACPI: resource: Do IRQ override on TongFang GMxXGxx regmap: Ensure range selector registers are updated after cache sync wifi: ath11k: fix temperature event locking wifi: ath11k: fix dfs radar event locking wifi: ath11k: fix htt pktlog locking wifi: ath11k: fix gtk offload status event locking mmc: meson-gx: Remove setting of CMD_CFG_ERROR genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware KEYS: trusted: tee: Refactor register SHM usage KEYS: trusted: Rollback init_trusted() consistently PCI: keystone: Don't discard .remove() callback PCI: keystone: Don't discard .probe() callback arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer parisc/pdc: Add width field to struct pdc_model parisc/power: Add power soft-off when running on qemu clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks ksmbd: handle malformed smb1 message ksmbd: fix slab out of bounds write in smb_inherit_dacl() mmc: vub300: fix an error code mmc: sdhci_am654: fix start loop index for TAP value parsing mmc: Add quirk MMC_QUIRK_BROKEN_CACHE_FLUSH for Micron eMMC Q2J54A PCI/ASPM: Fix L1 substate handling in aspm_attr_store_common() PCI: kirin: Don't discard .remove() callback PCI: exynos: Don't discard .remove() callback wifi: wilc1000: use vmm_table as array in wilc struct svcrdma: Drop connection after an RDMA Read error rcu/tree: Defer setting of jiffies during stall reset arm64: dts: qcom: ipq6018: Fix hwlock index for SMEM PM: hibernate: Use __get_safe_page() rather than touching the list PM: hibernate: Clean up sync_read handling in snapshot_write_next() rcu: kmemleak: Ignore kmemleak false positives when RCU-freeing objects btrfs: don't arbitrarily slow down delalloc if we're committing arm64: dts: qcom: ipq8074: Fix hwlock index for SMEM firmware: qcom_scm: use 64-bit calling convention only when client is 64-bit ACPI: FPDT: properly handle invalid FPDT subtables arm64: dts: qcom: ipq6018: Fix tcsr_mutex register size mfd: qcom-spmi-pmic: Fix reference leaks in revid helper mfd: qcom-spmi-pmic: Fix revid implementation ima: annotate iint mutex to avoid lockdep false positive warnings ima: detect changes to the backing overlay file netfilter: nf_tables: remove catchall element in GC sync path netfilter: nf_tables: split async and sync catchall in two functions selftests/resctrl: Remove duplicate feature check from CMT test selftests/resctrl: Move _GNU_SOURCE define into Makefile selftests/resctrl: Reduce failures due to outliers in MBA/MBM tests hid: lenovo: Resend all settings on reset_resume for compact keyboards ASoC: codecs: wsa-macro: fix uninitialized stack variables with name prefix jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev quota: explicitly forbid quota files from being encrypted kernel/reboot: emergency_restart: Set correct system_state i2c: core: Run atomic i2c xfer when !preemptible tracing: Have the user copy of synthetic event address use correct context driver core: Release all resources during unbind before updating device links mcb: fix error handling for different scenarios when parsing dmaengine: stm32-mdma: correct desc prep when channel running s390/cmma: fix detection of DAT pages mm/cma: use nth_page() in place of direct struct page manipulation mm/memory_hotplug: use pfn math in place of direct struct page manipulation mtd: cfi_cmdset_0001: Byte swap OTP info i3c: master: cdns: Fix reading status register i3c: master: svc: fix race condition in ibi work thread i3c: master: svc: fix wrong data return when IBI happen during start frame i3c: master: svc: fix ibi may not return mandatory data byte i3c: master: svc: fix check wrong status register in irq handler i3c: master: svc: fix SDA keep low when polling IBIWON timeout happen parisc: Prevent booting 64-bit kernels on PA1.x machines parisc/pgtable: Do not drop upper 5 address bits of physical address parisc/power: Fix power soft-off when running on qemu xhci: Enable RPM on controllers that support low-power states fs: add ctime accessors infrastructure smb3: fix creating FIFOs when mounting with "sfu" mount option smb3: fix touch -h of symlink smb3: fix caching of ctime on setxattr smb: client: fix use-after-free bug in cifs_debug_data_proc_show() smb: client: fix potential deadlock when releasing mids cifs: reconnect helper should set reconnect for the right channel cifs: force interface update before a fresh session setup cifs: do not reset chan_max if multichannel is not supported at mount xfs: recovery should not clear di_flushiter unconditionally btrfs: zoned: wait for data BG to be finished on direct IO allocation ALSA: info: Fix potential deadlock at disconnection ALSA: hda/realtek: Enable Mute LED on HP 255 G8 ALSA: hda/realtek - Add Dell ALC295 to pin fall back table ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC ALSA: hda/realtek: Enable Mute LED on HP 255 G10 ALSA: hda/realtek: Add quirks for HP Laptops pmdomain: bcm: bcm2835-power: check if the ASB register is equal to enable pmdomain: imx: Make imx pgc power domain also set the fwnode cpufreq: stats: Fix buffer overflow detection in trans_stats() clk: visconti: remove unused visconti_pll_provider::regmap clk: visconti: Fix undefined behavior bug in struct visconti_pll_provider Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559 bluetooth: Add device 0bda:887b to device tables bluetooth: Add device 13d3:3571 to device tables Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE drm/amd/display: enable dsc_clk even if dsc_pg disabled cxl/region: Validate region mode vs decoder mode cxl/region: Cleanup target list on attach error cxl/region: Move region-position validation to a helper cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails i3c: master: svc: add NACK check after start byte sent i3c: master: svc: fix random hot join failure since timeout error cxl: Unify debug messages when calling devm_cxl_add_port() cxl/mem: Move devm_cxl_add_endpoint() from cxl_core to cxl_mem tools/testing/cxl: Define a fixed volatile configuration to parse cxl/region: Fix x1 root-decoder granularity calculations Revert ncsi: Propagate carrier gain/loss events to the NCSI controller Revert "i2c: pxa: move to generic GPIO recovery" lsm: fix default return value for vm_enough_memory lsm: fix default return value for inode_getsecctx sbsa_gwdt: Calculate timeout with 64-bit math i2c: designware: Disable TX_EMPTY irq while waiting for block length byte s390/ap: fix AP bus crash on early config change callback invocation net: ethtool: Fix documentation of ethtool_sprintf() net: dsa: lan9303: consequently nested-lock physical MDIO net: phylink: initialize carrier state at creation i2c: i801: fix potential race in i801_block_transaction_byte_by_byte f2fs: do not return EFSCORRUPTED, but try to run online repair f2fs: avoid format-overflow warning media: lirc: drop trailing space from scancode transmit media: sharp: fix sharp encoding media: venus: hfi_parser: Add check to keep the number of codecs within range media: venus: hfi: fix the check to handle session buffer requirement media: venus: hfi: add checks to handle capabilities from firmware media: ccs: Correctly initialise try compose rectangle drm/mediatek/dp: fix memory leak on ->get_edid callback audio detection drm/mediatek/dp: fix memory leak on ->get_edid callback error path dm-verity: don't use blocking calls from tasklets nfsd: fix file memleak on client_opens_release LoongArch: Mark __percpu functions as always inline riscv: mm: Update the comment of CONFIG_PAGE_OFFSET riscv: correct pt_level name via pgtable_l5/4_enabled riscv: kprobes: allow writing to x0 mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2 mm: fix for negative counter: nr_file_hugepages mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors mptcp: deal with large GSO size mptcp: add validity check for sending RM_ADDR mptcp: fix setsockopt(IP_TOS) subflow locking r8169: fix network lost after resume on DASH systems r8169: add handling DASH when DASH is disabled mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of AER media: qcom: camss: Fix pm_domain_on sequence in probe media: qcom: camss: Fix vfe_get() error jump media: qcom: camss: Fix VFE-17x vfe_disable_output() media: qcom: camss: Fix VFE-480 vfe_disable_output() media: qcom: camss: Fix missing vfe_lite clocks check media: qcom: camss: Fix invalid clock enable bit disjunction media: qcom: camss: Fix csid-gen2 for test pattern generator Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E" ext4: apply umask if ACL support is disabled ext4: correct offset of gdb backup in non meta_bg group to update_backups ext4: mark buffer new if it is unwritten to avoid stale data exposure ext4: correct return value of ext4_convert_meta_bg ext4: correct the start block of counting reserved clusters ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks ext4: add missed brelse in update_backups ext4: properly sync file size update after O_SYNC direct IO drm/amd/pm: Handle non-terminated overdrive commands. drm/i915: Bump GLK CDCLK frequency when driving multiple pipes drm/i915: Fix potential spectre vulnerability drm/amd/pm: Fix error of MACO flag setting code drm/amdgpu/smu13: drop compute workload workaround drm/amdgpu: don't use pci_is_thunderbolt_attached() drm/amdgpu: don't use ATRM for external devices drm/amdgpu: fix error handling in amdgpu_bo_list_get() drm/amdgpu: lower CS errors to debug severity drm/amd/display: fix a NULL pointer dereference in amdgpu_dm_i2c_xfer() drm/amd/display: Enable fast plane updates on DCN3.2 and above drm/amd/display: Change the DMCUB mailbox memory location from FB to inbox powerpc/powernv: Fix fortify source warnings in opal-prd.c tracing: Have trace_event_file have ref counters Input: xpad - add VID for Turtle Beach controllers mmc: sdhci-pci-gli: GL9755: Mask the replay timer timeout of AER cxl/port: Fix NULL pointer access in devm_cxl_add_port() RISC-V: drop error print from riscv_hartid_to_cpuid() Linux 6.1.64 Change-Id: I9284282aeae5d0f9da957a58147efe0114f8e60a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
0c2e40b9a3 |
Merge branch 'android14-6.1' into branch 'android14-6.1-lts'
This catches the android14-6.1-lts branch up with the latest changes in the android14-6.1 branch, including a number of important symbols being added for tracking. This includes the following commits: * |
||
Greg Kroah-Hartman
|
db46c77f3d |
Revert "wifi: cfg80211: fix CQM for non-range use"
This reverts commit
|
||
Jong eon Park
|
ddf142e5a8 |
ANDROID: netlink: add netlink poll and hooks
In huge uevents generating system, especially for user apps who have small size of rcvbuf socket, it has been reported that netlink overrun happens quite frequently. Moreover, if there's no POLLERR (caused by this netlink overrun) handler in user apps, the system can almost be stucked by calling 'poll' repeatedly. Regarding this issue, I have sent a kernel netlink patch to linux maintainers and got replied that this is absolutely user app's problem, must not addressing kernel. Until Android team look into this issue and some modification comes out, we need kernel patch for temporary. To minimize the effect by this patch to the others who have never met this issue, I would like to just add netlink's dedicated poll and its hooks. Please refer to below v1/v2 patch links for history. v1: https://lore.kernel.org/netdev/20231110110002.7279f895@kernel.org/T/#t v2: https://lore.kernel.org/netdev/d599922fd89b3e61c7cf531a03ea8b81cbcb003e.camel@redhat.com/T/#t Bug: 300009377 Link: https://lore.kernel.org/netdev/d599922fd89b3e61c7cf531a03ea8b81cbcb003e.camel@redhat.com/T/#t Change-Id: I4f11399d61c10332ba05bac64cfa1e92bb111565 Signed-off-by: Jong eon Park <jongeon.park@samsung.com> |
||
|
Zhengchao Shao
|
94445d9583 |
ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
[ Upstream commit e2b706c691905fe78468c361aaabc719d0a496f1 ]
When I perform the following test operations:
1.ip link add br0 type bridge
2.brctl addif br0 eth0
3.ip addr add 239.0.0.1/32 dev eth0
4.ip addr add 239.0.0.1/32 dev br0
5.ip addr add 224.0.0.1/32 dev br0
6.while ((1))
do
ifconfig br0 up
ifconfig br0 down
done
7.send IGMPv2 query packets to port eth0 continuously. For example,
./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00
1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"
The preceding tests may trigger the refcnt uaf issue of the mc list. The
stack is as follows:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
FS: 0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
Call Trace:
<TASK>
igmp_heard_query (net/ipv4/igmp.c:1068)
igmp_rcv (net/ipv4/igmp.c:1132)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
ip_local_deliver_finish (net/ipv4/ip_input.c:234)
__netif_receive_skb_one_core (net/core/dev.c:5529)
netif_receive_skb_internal (net/core/dev.c:5729)
netif_receive_skb (net/core/dev.c:5788)
br_handle_frame_finish (net/bridge/br_input.c:216)
nf_hook_bridge_pre (net/bridge/br_input.c:294)
__netif_receive_skb_core (net/core/dev.c:5423)
__netif_receive_skb_list_core (net/core/dev.c:5606)
__netif_receive_skb_list (net/core/dev.c:5674)
netif_receive_skb_list_internal (net/core/dev.c:5764)
napi_gro_receive (net/core/gro.c:609)
e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
__napi_poll (net/core/dev.c:6533)
net_rx_action (net/core/dev.c:6735)
__do_softirq (kernel/softirq.c:554)
run_ksoftirqd (kernel/softirq.c:913)
smpboot_thread_fn (kernel/smpboot.c:164)
kthread (kernel/kthread.c:388)
ret_from_fork (arch/x86/kernel/process.c:153)
ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
</TASK>
The root causes are as follows:
Thread A Thread B
... netif_receive_skb
br_dev_stop ...
br_multicast_leave_snoopers ...
__ip_mc_dec_group ...
__igmp_group_dropped igmp_rcv
igmp_stop_timer igmp_heard_query //ref = 1
ip_ma_put igmp_mod_timer
refcount_dec_and_test igmp_start_timer //ref = 0
... refcount_inc //ref increases from 0
When the device receives an IGMPv2 Query message, it starts the timer
immediately, regardless of whether the device is running. If the device is
down and has left the multicast group, it will cause the mc list refcount
uaf issue.
Fixes:
|
||
|
Johannes Berg
|
307a6525c8 |
wifi: cfg80211: fix CQM for non-range use
commit 7e7efdda6adb385fbdfd6f819d76bc68c923c394 upstream.
My prior race fix here broke CQM when ranges aren't used, as
the reporting worker now requires the cqm_config to be set in
the wdev, but isn't set when there's no range configured.
Rather than continuing to special-case the range version, set
the cqm_config always and configure accordingly, also tracking
if range was used or not to be able to clear the configuration
appropriately with the same API, which was actually not right
if both were implemented by a driver for some reason, as is
the case with mac80211 (though there the implementations are
equivalent so it doesn't matter.)
Also, the original multiple-RSSI commit lost checking for the
callback, so might have potentially crashed if a driver had
neither implementation, and userspace tried to use it despite
not being advertised as supported.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Pablo Neira Ayuso
|
72bdb74622 |
UPSTREAM: netfilter: nf_tables: remove catchall element in GC sync path
[ Upstream commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630 ]
The expired catchall element is not deactivated and removed from GC sync
path. This path holds mutex so just call nft_setelem_data_deactivate()
and nft_setelem_catchall_remove() before queueing the GC work.
Bug: 310691882
Fixes: 4a9e12ea7e70 ("netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC")
Reported-by: lonial con <kongln9170@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit
|
||
D. Wythe
|
94a0ae698b |
net/smc: avoid data corruption caused by decline
[ Upstream commit e6d71b437abc2f249e3b6a1ae1a7228e09c6e563 ]
We found a data corruption issue during testing of SMC-R on Redis
applications.
The benchmark has a low probability of reporting a strange error as
shown below.
"Error: Protocol error, got "\xe2" as reply type byte"
Finally, we found that the retrieved error data was as follows:
0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C
0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2
It is quite obvious that this is a SMC DECLINE message, which means that
the applications received SMC protocol message.
We found that this was caused by the following situations:
client server
¦ clc proposal
------------->
¦ clc accept
<-------------
¦ clc confirm
------------->
wait llc confirm
send llc confirm
¦failed llc confirm
¦ x------
(after 2s)timeout
wait llc confirm rsp
wait decline
(after 1s) timeout
(after 2s) timeout
¦ decline
-------------->
¦ decline
<--------------
As a result, a decline message was sent in the implementation, and this
message was read from TCP by the already-fallback connection.
This patch double the client timeout as 2x of the server value,
With this simple change, the Decline messages should never cross or
collide (during Confirm link timeout).
This issue requires an immediate solution, since the protocol updates
involve a more long-term solution.
Fixes:
|
||
Kunwu Chan
|
e784313dd0 |
ipv4: Correct/silence an endian warning in __ip_do_redirect
[ Upstream commit c0e2926266af3b5acf28df0a8fc6e4d90effe0bb ]
net/ipv4/route.c:783:46: warning: incorrect type in argument 2 (different base types)
net/ipv4/route.c:783:46: expected unsigned int [usertype] key
net/ipv4/route.c:783:46: got restricted __be32 [usertype] new_gw
Fixes:
|
||
|
Greg Kroah-Hartman
|
55d4929d66 |
Revert "virtio/vsock: replace virtio_vsock_pkt with sk_buff"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
5418948a0a |
Revert "vsock/virtio: remove socket from connected/bound list on shutdown"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
98f663d79a |
Revert "virtio/vsock: don't use skbuff state to account credit"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
497503c6ec |
Revert "virtio/vsock: remove redundant 'skb_pull()' call"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
5b9223a56f |
Revert "virtio/vsock: don't drop skbuff on copy failure"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
ec573670da |
Revert "virtio/vsock: fix leaks due to missing skb owner"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
e8ad0104af |
Revert "virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
db612631b7 |
Revert "virtio/vsock: fix header length on skb merging"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
7ccdce2dc4 |
Revert "vsock/loopback: use only sk_buff_head.lock to protect the packet queue"
This reverts commit
|
||
|
Paolo Abeni
|
9e9e2107ae |
mptcp: fix setsockopt(IP_TOS) subflow locking
commit 7679d34f97b7a09fd565f5729f79fd61b7c55329 upstream.
The MPTCP implementation of the IP_TOS socket option uses the lockless
variant of the TOS manipulation helper and does not hold such lock at
the helper invocation time.
Add the required locking.
Fixes:
|
||
Geliang Tang
|
dba6f08cef |
mptcp: add validity check for sending RM_ADDR
commit 8df220b29282e8b450ea57be62e1eccd4996837c upstream.
This patch adds the validity check for sending RM_ADDRs for userspace PM
in mptcp_pm_remove_addrs(), only send a RM_ADDR when the address is in the
anno_list or conn_list.
Fixes: 8b1c94da1e48 ("mptcp: only send RM_ADDR in nl_cmd_remove")
Cc: stable@vger.kernel.org
Signed-off-by: Geliang Tang <geliang.tang@suse.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts <matttbe@kernel.org>
Link: https://lore.kernel.org/r/20231114-upstream-net-20231113-mptcp-misc-fixes-6-7-rc2-v1-3-7b9cd6a7b7f4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Paolo Abeni
|
70ff9b65a7 |
mptcp: deal with large GSO size
commit 9fce92f050f448a0d1ddd9083ef967d9930f1e52 upstream.
After the blamed commit below, the TCP sockets (and the MPTCP subflows)
can build egress packets larger than 64K. That exceeds the maximum DSS
data size, the length being misrepresent on the wire and the stream being
corrupted, as later observed on the receiver:
WARNING: CPU: 0 PID: 9696 at net/mptcp/protocol.c:705 __mptcp_move_skbs_from_subflow+0x2604/0x26e0
CPU: 0 PID: 9696 Comm: syz-executor.7 Not tainted 6.6.0-rc5-gcd8bdf563d46 #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
RIP: 0010:__mptcp_move_skbs_from_subflow+0x2604/0x26e0 net/mptcp/protocol.c:705
RSP: 0018:ffffc90000006e80 EFLAGS: 00010246
RAX: ffffffff83e9f674 RBX: ffff88802f45d870 RCX: ffff888102ad0000
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
RDX: 0000000080000303 RSI: 0000000000013908 RDI: 0000000000003908
RBP: ffffc90000007110 R08: ffffffff83e9e078 R09: 1ffff1100e548c8a
R10: dffffc0000000000 R11: ffffed100e548c8b R12: 0000000000013908
R13: dffffc0000000000 R14: 0000000000003908 R15: 000000000031cf29
FS: 00007f239c47e700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f239c45cd78 CR3: 000000006a66c006 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
<IRQ>
mptcp_data_ready+0x263/0xac0 net/mptcp/protocol.c:819
subflow_data_ready+0x268/0x6d0 net/mptcp/subflow.c:1409
tcp_data_queue+0x21a1/0x7a60 net/ipv4/tcp_input.c:5151
tcp_rcv_established+0x950/0x1d90 net/ipv4/tcp_input.c:6098
tcp_v6_do_rcv+0x554/0x12f0 net/ipv6/tcp_ipv6.c:1483
tcp_v6_rcv+0x2e26/0x3810 net/ipv6/tcp_ipv6.c:1749
ip6_protocol_deliver_rcu+0xd6b/0x1ae0 net/ipv6/ip6_input.c:438
ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:483
ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:304
__netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5532
process_backlog+0x353/0x660 net/core/dev.c:5974
__napi_poll+0xc6/0x5a0 net/core/dev.c:6536
net_rx_action+0x6a0/0xfd0 net/core/dev.c:6603
__do_softirq+0x184/0x524 kernel/softirq.c:553
do_softirq+0xdd/0x130 kernel/softirq.c:454
Address the issue explicitly bounding the maximum GSO size to what MPTCP
actually allows.
Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/450
Fixes:
|
||
Johnathan Mantey
|
677fc3780f |
Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
commit 9e2e7efbbbff69d8340abb56d375dd79d1f5770f upstream.
This reverts commit 3780bb29311eccb7a1c9641032a112eed237f7e3.
The cited commit introduced unwanted behavior.
The intent for the commit was to be able to detect carrier loss/gain
for just the NIC connected to the BMC. The unwanted effect is a
carrier loss for auxiliary paths also causes the BMC to lose
carrier. The BMC never regains carrier despite the secondary NIC
regaining a link.
This change, when merged, needs to be backported to stable kernels.
5.4-stable, 5.10-stable, 5.15-stable, 6.1-stable, 6.5-stable
Fixes: 3780bb29311e ("ncsi: Propagate carrier gain/loss events to the NCSI controller")
CC: stable@vger.kernel.org
Signed-off-by: Johnathan Mantey <johnathanx.mantey@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
3f100cc63a |
netfilter: nf_tables: split async and sync catchall in two functions
[ Upstream commit 8837ba3e58ea1e3d09ae36db80b1e80853aada95 ]
list_for_each_entry_safe() does not work for the async case which runs
under RCU, therefore, split GC logic for catchall in two functions
instead, one for each of the sync and async GC variants.
The catchall sync GC variant never sees a _DEAD bit set on ever, thus,
this handling is removed in such case, moreover, allocate GC sync batch
via GFP_KERNEL.
Fixes: 93995bf4af2c ("netfilter: nf_tables: remove catchall element in GC sync path")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Pablo Neira Ayuso
|
13e2d49647 |
netfilter: nf_tables: remove catchall element in GC sync path
[ Upstream commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630 ]
The expired catchall element is not deactivated and removed from GC sync
path. This path holds mutex so just call nft_setelem_data_deactivate()
and nft_setelem_catchall_remove() before queueing the GC work.
Fixes: 4a9e12ea7e70 ("netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC")
Reported-by: lonial con <kongln9170@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Chuck Lever
|
6aa3cab6be |
svcrdma: Drop connection after an RDMA Read error
commit 197115ebf358cb440c73e868b2a0a5ef728decc6 upstream. When an RPC Call message cannot be pulled from the client, that is a message loss, by definition. Close the connection to trigger the client to resend. Cc: <stable@vger.kernel.org> Reviewed-by: Tom Talpey <tom@talpey.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Dan Carpenter
|
18a169810c |
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
[ Upstream commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 ]
The problem is in nft_byteorder_eval() where we are iterating through a
loop and writing to dst[0], dst[1], dst[2] and so on... On each
iteration we are writing 8 bytes. But dst[] is an array of u32 so each
element only has space for 4 bytes. That means that every iteration
overwrites part of the previous element.
I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
issue. I think that the reason we have not detected this bug in testing
is that most of time we only write one element.
Fixes:
|
||
Linkui Xiao
|
6a15d97104 |
netfilter: nf_conntrack_bridge: initialize err to 0
[ Upstream commit a44af08e3d4d7566eeea98d7a29fe06e7b9de944 ]
K2CI reported a problem:
consume_skb(skb);
return err;
[nf_br_ip_fragment() error] uninitialized symbol 'err'.
err is not initialized, because returning 0 is expected, initialize err
to 0.
Fixes:
|
||
|
Eric Dumazet
|
d179189eec |
af_unix: fix use-after-free in unix_stream_read_actor()
[ Upstream commit 4b7b492615cf3017190f55444f7016812b66611d ]
syzbot reported the following crash [1]
After releasing unix socket lock, u->oob_skb can be changed
by another thread. We must temporarily increase skb refcount
to make sure this other thread will not free the skb under us.
[1]
BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297
CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]
unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666
unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1066
____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803
___sys_recvmsg+0x115/0x1a0 net/socket.c:2845
__sys_recvmsg+0x114/0x1e0 net/socket.c:2875
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fc67492c559
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559
RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340
R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388
</TASK>
Allocated by task 5295:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523
__alloc_skb+0x287/0x330 net/core/skbuff.c:641
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
sock_alloc_send_skb include/net/sock.h:1884 [inline]
queue_oob net/unix/af_unix.c:2147 [inline]
unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Freed by task 5295:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
kmem_cache_free+0xf8/0x340 mm/slub.c:3831
kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015
__kfree_skb net/core/skbuff.c:1073 [inline]
consume_skb net/core/skbuff.c:1288 [inline]
consume_skb+0xdf/0x170 net/core/skbuff.c:1282
queue_oob net/unix/af_unix.c:2178 [inline]
unix_stream_sendmsg+0xd49/0x10a0 net/unix/af_unix.c:2301
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
The buggy address belongs to the object at ffff88801f3b9c80
which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 68 bytes inside of
freed 240-byte region [ffff88801f3b9c80, ffff88801f3b9d70)
The buggy address belongs to the physical page:
page:ffffea00007cee40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f3b9
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888142a60640 dead000000000122 0000000000000000
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5299, tgid 5283 (syz-executor107), ts 103803840339, free_ts 103600093431
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0xa25/0x36c0 mm/page_alloc.c:3312
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4568
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab+0x251/0x380 mm/slub.c:2017
new_slab mm/slub.c:2070 [inline]
___slab_alloc+0x8c7/0x1580 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
kmem_cache_alloc_node+0x132/0x3c0 mm/slub.c:3523
__alloc_skb+0x287/0x330 net/core/skbuff.c:641
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
sock_alloc_send_skb include/net/sock.h:1884 [inline]
queue_oob net/unix/af_unix.c:2147 [inline]
unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1137 [inline]
free_unref_page_prepare+0x4f8/0xa90 mm/page_alloc.c:2347
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2487
__unfreeze_partials+0x21d/0x240 mm/slub.c:2655
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc+0x15d/0x380 mm/slub.c:3502
vm_area_dup+0x21/0x2f0 kernel/fork.c:500
__split_vma+0x17d/0x1070 mm/mmap.c:2365
split_vma mm/mmap.c:2437 [inline]
vma_modify+0x25d/0x450 mm/mmap.c:2472
vma_modify_flags include/linux/mm.h:3271 [inline]
mprotect_fixup+0x228/0xc80 mm/mprotect.c:635
do_mprotect_pkey+0x852/0xd60 mm/mprotect.c:809
__do_sys_mprotect mm/mprotect.c:830 [inline]
__se_sys_mprotect mm/mprotect.c:827 [inline]
__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:827
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Memory state around the buggy address:
ffff88801f3b9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801f3b9c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
>ffff88801f3b9c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801f3b9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
ffff88801f3b9d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
Fixes:
|
||
|
Shigeru Yoshida
|
1e83edbc42 |
tipc: Fix kernel-infoleak due to uninitialized TLV value
[ Upstream commit fb317eb23b5ee4c37b0656a9a52a3db58d9dd072 ]
KMSAN reported the following kernel-infoleak issue:
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:29 [inline]
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
_copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
copy_to_iter include/linux/uio.h:197 [inline]
simple_copy_to_iter net/core/datagram.c:532 [inline]
__skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420
skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546
skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg net/socket.c:1066 [inline]
__sys_recvfrom+0x476/0x860 net/socket.c:2246
__do_sys_recvfrom net/socket.c:2264 [inline]
__se_sys_recvfrom net/socket.c:2260 [inline]
__x64_sys_recvfrom+0x130/0x200 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523
kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560
__alloc_skb+0x2fd/0x770 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1286 [inline]
tipc_tlv_alloc net/tipc/netlink_compat.c:156 [inline]
tipc_get_err_tlv+0x90/0x5d0 net/tipc/netlink_compat.c:170
tipc_nl_compat_recv+0x1042/0x15d0 net/tipc/netlink_compat.c:1324
genl_family_rcv_msg_doit net/netlink/genetlink.c:972 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
genl_rcv_msg+0x1220/0x12c0 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x4a4/0x6a0 net/netlink/af_netlink.c:2545
genl_rcv+0x41/0x60 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0xf4b/0x1230 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x1242/0x1420 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x997/0xd60 net/socket.c:2588
___sys_sendmsg+0x271/0x3b0 net/socket.c:2642
__sys_sendmsg net/socket.c:2671 [inline]
__do_sys_sendmsg net/socket.c:2680 [inline]
__se_sys_sendmsg net/socket.c:2678 [inline]
__x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2678
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Bytes 34-35 of 36 are uninitialized
Memory access of size 36 starts at ffff88802d464a00
Data copied to user address 00007ff55033c0a0
CPU: 0 PID: 30322 Comm: syz-executor.0 Not tainted 6.6.0-14500-g1c41041124bd #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
=====================================================
tipc_add_tlv() puts TLV descriptor and value onto `skb`. This size is
calculated with TLV_SPACE() macro. It adds the size of struct tlv_desc and
the length of TLV value passed as an argument, and aligns the result to a
multiple of TLV_ALIGNTO, i.e., a multiple of 4 bytes.
If the size of struct tlv_desc plus the length of TLV value is not aligned,
the current implementation leaves the remaining bytes uninitialized. This
is the cause of the above kernel-infoleak issue.
This patch resolves this issue by clearing data up to an aligned size.
Fixes:
|
||
Stanislav Fomichev
|
12af02d24a |
net: set SOCK_RCU_FREE before inserting socket into hashtable
[ Upstream commit 871019b22d1bcc9fab2d1feba1b9a564acbb6e99 ]
We've started to see the following kernel traces:
WARNING: CPU: 83 PID: 0 at net/core/filter.c:6641 sk_lookup+0x1bd/0x1d0
Call Trace:
<IRQ>
__bpf_skc_lookup+0x10d/0x120
bpf_sk_lookup+0x48/0xd0
bpf_sk_lookup_tcp+0x19/0x20
bpf_prog_<redacted>+0x37c/0x16a3
cls_bpf_classify+0x205/0x2e0
tcf_classify+0x92/0x160
__netif_receive_skb_core+0xe52/0xf10
__netif_receive_skb_list_core+0x96/0x2b0
napi_complete_done+0x7b5/0xb70
<redacted>_poll+0x94/0xb0
net_rx_action+0x163/0x1d70
__do_softirq+0xdc/0x32e
asm_call_irq_on_stack+0x12/0x20
</IRQ>
do_softirq_own_stack+0x36/0x50
do_softirq+0x44/0x70
__inet_hash can race with lockless (rcu) readers on the other cpus:
__inet_hash
__sk_nulls_add_node_rcu
<- (bpf triggers here)
sock_set_flag(SOCK_RCU_FREE)
Let's move the SOCK_RCU_FREE part up a bit, before we are inserting
the socket into hashtables. Note, that the race is really harmless;
the bpf callers are handling this situation (where listener socket
doesn't have SOCK_RCU_FREE set) correctly, so the only
annoyance is a WARN_ONCE.
More details from Eric regarding SOCK_RCU_FREE timeline:
Commit
|
||
felix
|
7749fd2dbe |
SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
[ Upstream commit bfca5fb4e97c46503ddfc582335917b0cc228264 ]
RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()
workqueue,which takes care about pipefs superblock locking.
In some special scenarios, when kernel frees the pipefs sb of the
current client and immediately alloctes a new pipefs sb,
rpc_remove_pipedir function would misjudge the existence of pipefs
sb which is not the one it used to hold. As a result,
the rpc_remove_pipedir would clean the released freed pipefs dentries.
To fix this issue, rpc_remove_pipedir should check whether the
current pipefs sb is consistent with the original pipefs sb.
This error can be catched by KASAN:
=========================================================
[ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200
[ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503
[ 250.500549] Workqueue: events rpc_free_client_work
[ 250.501001] Call Trace:
[ 250.502880] kasan_report+0xb6/0xf0
[ 250.503209] ? dget_parent+0x195/0x200
[ 250.503561] dget_parent+0x195/0x200
[ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10
[ 250.504384] rpc_rmdir_depopulate+0x1b/0x90
[ 250.504781] rpc_remove_client_dir+0xf5/0x150
[ 250.505195] rpc_free_client_work+0xe4/0x230
[ 250.505598] process_one_work+0x8ee/0x13b0
...
[ 22.039056] Allocated by task 244:
[ 22.039390] kasan_save_stack+0x22/0x50
[ 22.039758] kasan_set_track+0x25/0x30
[ 22.040109] __kasan_slab_alloc+0x59/0x70
[ 22.040487] kmem_cache_alloc_lru+0xf0/0x240
[ 22.040889] __d_alloc+0x31/0x8e0
[ 22.041207] d_alloc+0x44/0x1f0
[ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140
[ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110
[ 22.042459] rpc_create_client_dir+0x34/0x150
[ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0
[ 22.043284] rpc_client_register+0x136/0x4e0
[ 22.043689] rpc_new_client+0x911/0x1020
[ 22.044057] rpc_create_xprt+0xcb/0x370
[ 22.044417] rpc_create+0x36b/0x6c0
...
[ 22.049524] Freed by task 0:
[ 22.049803] kasan_save_stack+0x22/0x50
[ 22.050165] kasan_set_track+0x25/0x30
[ 22.050520] kasan_save_free_info+0x2b/0x50
[ 22.050921] __kasan_slab_free+0x10e/0x1a0
[ 22.051306] kmem_cache_free+0xa5/0x390
[ 22.051667] rcu_core+0x62c/0x1930
[ 22.051995] __do_softirq+0x165/0x52a
[ 22.052347]
[ 22.052503] Last potentially related work creation:
[ 22.052952] kasan_save_stack+0x22/0x50
[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0
[ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0
[ 22.054209] dentry_free+0xb2/0x140
[ 22.054540] __dentry_kill+0x3be/0x540
[ 22.054900] shrink_dentry_list+0x199/0x510
[ 22.055293] shrink_dcache_parent+0x190/0x240
[ 22.055703] do_one_tree+0x11/0x40
[ 22.056028] shrink_dcache_for_umount+0x61/0x140
[ 22.056461] generic_shutdown_super+0x70/0x590
[ 22.056879] kill_anon_super+0x3a/0x60
[ 22.057234] rpc_kill_sb+0x121/0x200
Fixes:
|
||
|
Dan Carpenter
|
19d7dbf71e |
SUNRPC: Add an IS_ERR() check back to where it was
[ Upstream commit 4f3ed837186fc0d2722ba8d2457a594322e9c2ef ] This IS_ERR() check was deleted during in a cleanup because, at the time, the rpcb_call_async() function could not return an error pointer. That changed in commit |
||
Trond Myklebust
|
8d02b6fb3c |
SUNRPC: ECONNRESET might require a rebind
[ Upstream commit 4b09ca1508a60be30b2e3940264e93d7aeb5c97e ]
If connect() is returning ECONNRESET, it usually means that nothing is
listening on that port. If so, a rebind might be required in order to
obtain the new port on which the RPC service is listening.
Fixes:
|
||
Dominique Martinet
|
07c11a5249 |
9p: v9fs_listxattr: fix %s null argument warning
[ Upstream commit 9b5c6281838fc84683dd99b47302d81fce399918 ]
W=1 warns about null argument to kprintf:
In file included from fs/9p/xattr.c:12:
In function ‘v9fs_xattr_get’,
inlined from ‘v9fs_listxattr’ at fs/9p/xattr.c:142:9:
include/net/9p/9p.h:55:2: error: ‘%s’ directive argument is null
[-Werror=format-overflow=]
55 | _p9_debug(level, __func__, fmt, ##__VA_ARGS__)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use an empty string instead of :
- this is ok 9p-wise because p9pdu_vwritef serializes a null string
and an empty string the same way (one '0' word for length)
- since this degrades the print statements, add new single quotes for
xattr's name delimter (Old: "file = (null)", new: "file = ''")
Link: https://lore.kernel.org/r/20231008060138.517057-1-suhui@nfschina.com
Suggested-by: Su Hui <suhui@nfschina.com>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Acked-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Message-ID: <20231025103445.1248103-2-asmadeus@codewreck.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Marco Elver
|
3851d844d7 |
9p/trans_fd: Annotate data-racy writes to file::f_flags
[ Upstream commit 355f074609dbf3042900ea9d30fcd2b0c323a365 ] syzbot reported: | BUG: KCSAN: data-race in p9_fd_create / p9_fd_create | | read-write to 0xffff888130fb3d48 of 4 bytes by task 15599 on cpu 0: | p9_fd_open net/9p/trans_fd.c:842 [inline] | p9_fd_create+0x210/0x250 net/9p/trans_fd.c:1092 | p9_client_create+0x595/0xa70 net/9p/client.c:1010 | v9fs_session_init+0xf9/0xd90 fs/9p/v9fs.c:410 | v9fs_mount+0x69/0x630 fs/9p/vfs_super.c:123 | legacy_get_tree+0x74/0xd0 fs/fs_context.c:611 | vfs_get_tree+0x51/0x190 fs/super.c:1519 | do_new_mount+0x203/0x660 fs/namespace.c:3335 | path_mount+0x496/0xb30 fs/namespace.c:3662 | do_mount fs/namespace.c:3675 [inline] | __do_sys_mount fs/namespace.c:3884 [inline] | [...] | | read-write to 0xffff888130fb3d48 of 4 bytes by task 15563 on cpu 1: | p9_fd_open net/9p/trans_fd.c:842 [inline] | p9_fd_create+0x210/0x250 net/9p/trans_fd.c:1092 | p9_client_create+0x595/0xa70 net/9p/client.c:1010 | v9fs_session_init+0xf9/0xd90 fs/9p/v9fs.c:410 | v9fs_mount+0x69/0x630 fs/9p/vfs_super.c:123 | legacy_get_tree+0x74/0xd0 fs/fs_context.c:611 | vfs_get_tree+0x51/0x190 fs/super.c:1519 | do_new_mount+0x203/0x660 fs/namespace.c:3335 | path_mount+0x496/0xb30 fs/namespace.c:3662 | do_mount fs/namespace.c:3675 [inline] | __do_sys_mount fs/namespace.c:3884 [inline] | [...] | | value changed: 0x00008002 -> 0x00008802 Within p9_fd_open(), O_NONBLOCK is added to f_flags of the read and write files. This may happen concurrently if e.g. mounting process modifies the fd in another thread. Mark the plain read-modify-writes as intentional data-races, with the assumption that the result of executing the accesses concurrently will always result in the same result despite the accesses themselves not being atomic. Reported-by: syzbot+e441aeeb422763cc5511@syzkaller.appspotmail.com Signed-off-by: Marco Elver <elver@google.com> Link: https://lore.kernel.org/r/ZO38mqkS0TYUlpFp@elver.google.com Signed-off-by: Dominique Martinet <asmadeus@codewreck.org> Message-ID: <20231025103445.1248103-1-asmadeus@codewreck.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
ZhengHan Wang
|
87624b1f9b |
Bluetooth: Fix double free in hci_conn_cleanup
[ Upstream commit a85fb91e3d728bdfc80833167e8162cce8bc7004 ]
syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:
hci_conn_del_sysfs:
hci_dev_put
put_device
kobject_put
kref_put
kobject_release
kobject_cleanup
kfree_const
kfree(name)
hci_dev_put:
...
kfree(name)
hci_conn_put:
put_device
...
kfree(name)
This patch drop the hci_dev_put and hci_conn_put function
call in hci_conn_cleanup function, because the object is
freed in hci_conn_del_sysfs function.
This patch also fixes the refcounting in hci_conn_add_sysfs() and
hci_conn_del_sysfs() to take into account device_add() failures.
This fixes CVE-2023-28464.
Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Arseniy Krasnov
|
8093dd759e |
vsock: read from socket's error queue
[ Upstream commit 49dbe25adac42d3e06f65d1420946bec65896222 ] This adds handling of MSG_ERRQUEUE input flag in receive call. This flag is used to read socket's error queue instead of data queue. Possible scenario of error queue usage is receiving completions for transmission with MSG_ZEROCOPY flag. This patch also adds new defines: 'SOL_VSOCK' and 'VSOCK_RECVERR'. Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
1c6a6c926a |
net: annotate data-races around sk->sk_dst_pending_confirm
[ Upstream commit eb44ad4e635132754bfbcb18103f1dcb7058aedd ] This field can be read or written without socket lock being held. Add annotations to avoid load-store tearing. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Ping-Ke Shih
|
2be24c47ac |
wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
[ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang@realtek.com> Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
2b3ea8bdef |
This is the 6.1.63 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVbOmsACgkQONu9yGCS
aT5m1RAAx7hgbFDnLHCGh4YVBbNy8JngItsUBaJcI/67Mk5toNi0x8pqcS8mq7ED
GTwRnRcKaIR2bTyco5Ed2OZn4jMCyHC4oiyBZnHWg6AMuQjSCYzIgm7DzlTCVYZ7
2r8uRbt/uXADTILJ2kwR2mtVpGcwrXa+lsHrMqvt+MvNwRoSVHBHVVYCrAc+JXwR
GXCopzV/RFGS6w4SBsX0K+8pV7GO+bhpxJ1lPz1T/xeLYfT4C3EwSTWDbUXPbez7
IpJ+5yKJXXT9Xn9m/pekwZ/aOirLqtEbDxneEctsjvw140lCoQiEZn6ZRscgNEns
3H+J3Asgc2zXqPzfZFH02TebPj31B8HZ43Upu0okr0hr4A4/4JL9pjXEhm1bON/Z
x3jlTF4dyay4vOGGIEYOAuJSUbn6AqpZ318uBWCd3BSPocihEDMJz2aoazVHcb6k
83MVxfFfEL6s9utcoSXB8VjHa4FQmpMYsozegloUSJJCsizgdzmih0buJYhBB9sI
HbEohW+YAh3cACSn6arXUJIMH5F5xsfD89od2Pj+6UrapdlPz5gCaggA1RZplCho
bjGc1k61Rp2qSdfMEcx+h4ypgoOdhgqZI0YhYDCgBSRcWOXnGrDjFvnnumatcT+H
6vqyX6zlNt6U1NpE56Jtf7gt1Ds6PeoadD0L6B8vjXrkdeXOlUU=
=AZ9s
-----END PGP SIGNATURE-----
Merge 6.1.63 into android14-6.1-lts
Changes in 6.1.63
hwmon: (nct6775) Fix incorrect variable reuse in fan_div calculation
sched/fair: Fix cfs_rq_is_decayed() on !SMP
iov_iter, x86: Be consistent about the __user tag on copy_mc_to_user()
sched/uclamp: Set max_spare_cap_cpu even if max_spare_cap is 0
sched/uclamp: Ignore (util == 0) optimization in feec() when p_util_max = 0
objtool: Propagate early errors
sched: Fix stop_one_cpu_nowait() vs hotplug
vfs: fix readahead(2) on block devices
writeback, cgroup: switch inodes with dirty timestamps to release dying cgwbs
x86/srso: Fix SBPB enablement for (possible) future fixed HW
futex: Don't include process MM in futex key on no-MMU
x86/numa: Introduce numa_fill_memblks()
ACPI/NUMA: Apply SRAT proximity domain to entire CFMWS window
x86/sev-es: Allow copy_from_kernel_nofault() in earlier boot
x86/boot: Fix incorrect startup_gdt_descr.size
drivers/clocksource/timer-ti-dm: Don't call clk_get_rate() in stop function
pstore/platform: Add check for kstrdup
string: Adjust strtomem() logic to allow for smaller sources
genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
wifi: cfg80211: add flush functions for wiphy work
wifi: mac80211: move radar detect work to wiphy work
wifi: mac80211: move scan work to wiphy work
wifi: mac80211: move offchannel works to wiphy work
wifi: mac80211: move sched-scan stop work to wiphy work
wifi: mac80211: fix # of MSDU in A-MSDU calculation
wifi: iwlwifi: honor the enable_ini value
i40e: fix potential memory leaks in i40e_remove()
iavf: Fix promiscuous mode configuration flow messages
selftests/bpf: Correct map_fd to data_fd in tailcalls
udp: add missing WRITE_ONCE() around up->encap_rcv
tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed
gve: Use size_add() in call to struct_size()
mlxsw: Use size_mul() in call to struct_size()
tls: Only use data field in crypto completion function
tls: Use size_add() in call to struct_size()
tipc: Use size_add() in calls to struct_size()
net: spider_net: Use size_add() in call to struct_size()
net: ethernet: mtk_wed: fix EXT_INT_STATUS_RX_FBUF definitions for MT7986 SoC
wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
wifi: ath11k: fix boot failure with one MSI vector
wifi: mt76: mt7603: rework/fix rx pse hang check
wifi: mt76: mt7603: improve watchdog reset reliablity
wifi: mt76: mt7603: improve stuck beacon handling
wifi: mt76: mt7915: fix beamforming availability check
wifi: ath: dfs_pattern_detector: Fix a memory initialization issue
tcp_metrics: add missing barriers on delete
tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
tcp_metrics: do not create an entry from tcp_init_metrics()
wifi: rtlwifi: fix EDCA limit set by BT coexistence
ACPI: property: Allow _DSD buffer data only for byte accessors
ACPI: video: Add acpi_backlight=vendor quirk for Toshiba Portégé R100
wifi: ath11k: fix Tx power value during active CAC
can: dev: can_restart(): don't crash kernel if carrier is OK
can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on()
can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
PM / devfreq: rockchip-dfi: Make pmu regmap mandatory
wifi: wfx: fix case where rates are out of order
netfilter: nf_tables: Drop pointless memset when dumping rules
thermal: core: prevent potential string overflow
r8169: use tp_to_dev instead of open code
r8169: fix rare issue with broken rx after link-down on RTL8125
selftests: netfilter: test for sctp collision processing in nf_conntrack
net: skb_find_text: Ignore patterns extending past 'to'
chtls: fix tp->rcv_tstamp initialization
tcp: fix cookie_init_timestamp() overflows
wifi: iwlwifi: call napi_synchronize() before freeing rx/tx queues
wifi: iwlwifi: pcie: synchronize IRQs before NAPI
wifi: iwlwifi: empty overflow queue during flush
Bluetooth: hci_sync: Fix Opcode prints in bt_dev_dbg/err
bpf: Fix unnecessary -EBUSY from htab_lock_bucket
ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
ipv6: avoid atomic fragment on GSO packets
net: add DEV_STATS_READ() helper
ipvlan: properly track tx_errors
regmap: debugfs: Fix a erroneous check after snprintf()
spi: tegra: Fix missing IRQ check in tegra_slink_probe()
clk: qcom: gcc-msm8996: Remove RPM bus clocks
clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
clk: qcom: mmcc-msm8998: Don't check halt bit on some branch clks
clk: qcom: mmcc-msm8998: Fix the SMMU GDSC
clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src
regulator: mt6358: Fail probe on unknown chip ID
clk: imx: Select MXC_CLK for CLK_IMX8QXP
clk: imx: imx8mq: correct error handling path
clk: imx: imx8qxp: Fix elcdif_pll clock
clk: renesas: rcar-gen3: Extend SDnH divider table
clk: renesas: rzg2l: Wait for status bit of SD mux before continuing
clk: renesas: rzg2l: Lock around writes to mux register
clk: renesas: rzg2l: Trust value returned by hardware
clk: renesas: rzg2l: Use FIELD_GET() for PLL register fields
clk: renesas: rzg2l: Fix computation formula
clk: linux/clk-provider.h: fix kernel-doc warnings and typos
spi: nxp-fspi: use the correct ioremap function
clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
clk: ti: change ti_clk_register[_omap_hw]() API
clk: ti: fix double free in of_ti_divider_clk_setup()
clk: npcm7xx: Fix incorrect kfree
clk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
clk: qcom: config IPQ_APSS_6018 should depend on QCOM_SMEM
platform/x86: wmi: Fix probe failure when failing to register WMI devices
platform/x86: wmi: Fix opening of char device
hwmon: (axi-fan-control) Fix possible NULL pointer dereference
hwmon: (coretemp) Fix potentially truncated sysfs attribute name
Revert "hwmon: (sch56xx-common) Add DMI override table"
Revert "hwmon: (sch56xx-common) Add automatic module loading on supported devices"
hwmon: (sch5627) Use bit macros when accessing the control register
hwmon: (sch5627) Disallow write access if virtual registers are locked
hte: tegra: Fix missing error code in tegra_hte_test_probe()
drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
drm/rockchip: vop: Fix call to crtc reset helper
drm/rockchip: vop2: Don't crash for invalid duplicate_state
drm/rockchip: vop2: Add missing call to crtc reset helper
drm/radeon: possible buffer overflow
drm: bridge: it66121: Fix invalid connector dereference
drm/bridge: lt8912b: Add hot plug detection
drm/bridge: lt8912b: Fix bridge_detach
drm/bridge: lt8912b: Fix crash on bridge detach
drm/bridge: lt8912b: Manually disable HPD only if it was enabled
drm/bridge: lt8912b: Add missing drm_bridge_attach call
drm/bridge: tc358768: Fix use of uninitialized variable
drm/bridge: tc358768: Fix bit updates
drm/bridge: tc358768: remove unused variable
drm/bridge: tc358768: Use struct videomode
drm/bridge: tc358768: Print logical values, not raw register values
drm/bridge: tc358768: Use dev for dbg prints, not priv->dev
drm/bridge: tc358768: Rename dsibclk to hsbyteclk
drm/bridge: tc358768: Clean up clock period code
drm/bridge: tc358768: Fix tc358768_ns_to_cnt()
drm/amdkfd: fix some race conditions in vram buffer alloc/free of svm code
drm/amd/display: Check all enabled planes in dm_check_crtc_cursor
drm/amd/display: Refactor dm_get_plane_scale helper
drm/amd/display: Bail from dm_check_crtc_cursor if no relevant change
io_uring/kbuf: Fix check of BID wrapping in provided buffers
io_uring/kbuf: Allow the full buffer id space for provided buffers
drm/mediatek: Fix iommu fault by swapping FBs after updating plane state
drm/mediatek: Fix iommu fault during crtc enabling
drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
gpu: host1x: Correct allocated size for contexts
drm/bridge: lt9611uxc: fix the race in the error path
arm64/arm: xen: enlighten: Fix KPTI checks
drm/rockchip: Fix type promotion bug in rockchip_gem_iommu_map()
xenbus: fix error exit in xenbus_init()
xen-pciback: Consider INTx disabled when MSI/MSI-X is enabled
drm/msm/dsi: use msm_gem_kernel_put to free TX buffer
drm/msm/dsi: free TX buffer in unbind
clocksource/drivers/arm_arch_timer: limit XGene-1 workaround
drm: mediatek: mtk_dsi: Fix NO_EOT_PACKET settings/handling
drivers/perf: hisi: use cpuhp_state_remove_instance_nocalls() for hisi_hns3_pmu uninit process
perf/arm-cmn: Revamp model detection
perf/arm-cmn: Fix DTC domain detection
drivers/perf: hisi_pcie: Check the type first in pmu::event_init()
perf: hisi: Fix use-after-free when register pmu fails
ARM: dts: renesas: blanche: Fix typo in GP_11_2 pin name
arm64: dts: qcom: sdm845: cheza doesn't support LMh node
arm64: dts: qcom: sc7280: link usb3_phy_wrapper_gcc_usb30_pipe_clk
arm64: dts: qcom: msm8916: Fix iommu local address range
arm64: dts: qcom: msm8992-libra: drop duplicated reserved memory
arm64: dts: qcom: sc7280: Add missing LMH interrupts
arm64: dts: qcom: sm8150: add ref clock to PCIe PHYs
arm64: dts: qcom: sm8350: fix pinctrl for UART18
arm64: dts: qcom: sdm845-mtp: fix WiFi configuration
ARM64: dts: marvell: cn9310: Use appropriate label for spi1 pins
arm64: dts: qcom: apq8016-sbc: Add missing ADV7533 regulators
ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
soc: qcom: llcc: Handle a second device without data corruption
kunit: Fix missed memory release in kunit_free_suite_set()
firmware: ti_sci: Mark driver as non removable
arm64: dts: ti: k3-am62a7-sk: Drop i2c-1 to 100Khz
firmware: arm_ffa: Assign the missing IDR allocation ID to the FFA device
firmware: arm_ffa: Allow the FF-A drivers to use 32bit mode of messaging
ARM: dts: am3517-evm: Fix LED3/4 pinmux
clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped
arm64: dts: imx8qm-ss-img: Fix jpegenc compatible entry
arm64: dts: imx8mm: Add sound-dai-cells to micfil node
arm64: dts: imx8mn: Add sound-dai-cells to micfil node
arm64: tegra: Use correct interrupts for Tegra234 TKE
selftests/pidfd: Fix ksft print formats
selftests/resctrl: Ensure the benchmark commands fits to its array
module/decompress: use vmalloc() for gzip decompression workspace
ASoC: cs35l41: Verify PM runtime resume errors in IRQ handler
ASoC: cs35l41: Undo runtime PM changes at driver exit time
ALSA: hda: cs35l41: Fix unbalanced pm_runtime_get()
ALSA: hda: cs35l41: Undo runtime PM changes at driver exit time
KEYS: Include linux/errno.h in linux/verification.h
crypto: hisilicon/hpre - Fix a erroneous check after snprintf()
hwrng: bcm2835 - Fix hwrng throughput regression
hwrng: geode - fix accessing registers
RDMA/core: Use size_{add,sub,mul}() in calls to struct_size()
crypto: qat - ignore subsequent state up commands
crypto: qat - relocate bufferlist logic
crypto: qat - rename bufferlist functions
crypto: qat - change bufferlist logic interface
crypto: qat - generalize crypto request buffers
crypto: qat - extend buffer list interface
crypto: qat - fix unregistration of crypto algorithms
scsi: ibmvfc: Fix erroneous use of rtas_busy_delay with hcall return code
libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value
nd_btt: Make BTT lanes preemptible
crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure
crypto: caam/jr - fix Chacha20 + Poly1305 self test failure
crypto: qat - increase size of buffers
PCI: vmd: Correct PCI Header Type Register's multi-function check
hid: cp2112: Fix duplicate workqueue initialization
crypto: hisilicon/qm - delete redundant null assignment operations
crypto: hisilicon/qm - modify the process of regs dfx
crypto: hisilicon/qm - split a debugfs.c from qm
crypto: hisilicon/qm - fix PF queue parameter issue
ARM: 9321/1: memset: cast the constant byte to unsigned char
ext4: move 'ix' sanity check to corrent position
ASoC: fsl: mpc5200_dma.c: Fix warning of Function parameter or member not described
IB/mlx5: Fix rdma counter binding for RAW QP
RDMA/hns: Fix printing level of asynchronous events
RDMA/hns: Fix uninitialized ucmd in hns_roce_create_qp_common()
RDMA/hns: Fix signed-unsigned mixed comparisons
RDMA/hns: Add check for SL
RDMA/hns: The UD mode can only be configured with DCQCN
ASoC: SOF: core: Ensure sof_ops_free() is still called when probe never ran.
ASoC: fsl: Fix PM disable depth imbalance in fsl_easrc_probe
scsi: ufs: core: Leave space for '\0' in utf8 desc string
RDMA/hfi1: Workaround truncation compilation error
HID: cp2112: Make irq_chip immutable
hid: cp2112: Fix IRQ shutdown stopping polling for all IRQs on chip
sh: bios: Revive earlyprintk support
Revert "HID: logitech-hidpp: add a module parameter to keep firmware gestures"
HID: logitech-hidpp: Remove HIDPP_QUIRK_NO_HIDINPUT quirk
HID: logitech-hidpp: Don't restart IO, instead defer hid_connect() only
HID: logitech-hidpp: Revert "Don't restart communication if not necessary"
HID: logitech-hidpp: Move get_wireless_feature_index() check to hidpp_connect_event()
ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
padata: Fix refcnt handling in padata_free_shell()
crypto: qat - fix deadlock in backlog processing
ASoC: ams-delta.c: use component after check
IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF
mfd: core: Un-constify mfd_cell.of_reg
mfd: core: Ensure disabled devices are skipped without aborting
mfd: dln2: Fix double put in dln2_probe
dt-bindings: mfd: mt6397: Add binding for MT6357
dt-bindings: mfd: mt6397: Split out compatible for MediaTek MT6366 PMIC
mfd: arizona-spi: Set pdata.hpdet_channel for ACPI enumerated devs
leds: turris-omnia: Drop unnecessary mutex locking
leds: turris-omnia: Do not use SMBUS calls
leds: pwm: Don't disable the PWM when the LED should be off
leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
kunit: add macro to allow conditionally exposing static symbols to tests
apparmor: test: make static symbols visible during kunit testing
apparmor: fix invalid reference on profile->disconnected
perf stat: Fix aggr mode initialization
iio: frequency: adf4350: Use device managed functions and fix power down issue.
perf kwork: Fix incorrect and missing free atom in work_push_atom()
perf kwork: Add the supported subcommands to the document
perf kwork: Set ordered_events to true in 'struct perf_tool'
filemap: add filemap_get_folios_tag()
f2fs: convert f2fs_write_cache_pages() to use filemap_get_folios_tag()
f2fs: compress: fix deadloop in f2fs_write_cache_pages()
f2fs: compress: fix to avoid use-after-free on dic
f2fs: compress: fix to avoid redundant compress extension
tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
livepatch: Fix missing newline character in klp_resolve_symbols()
pinctrl: renesas: rzg2l: Make reverse order of enable() for disable()
perf record: Fix BTF type checks in the off-cpu profiling
dmaengine: idxd: Register dsa_bus_type before registering idxd sub-drivers
usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
usb: chipidea: Fix DMA overwrite for Tegra
usb: chipidea: Simplify Tegra DMA alignment code
dmaengine: ti: edma: handle irq_of_parse_and_map() errors
misc: st_core: Do not call kfree_skb() under spin_lock_irqsave()
tools: iio: iio_generic_buffer ensure alignment
USB: usbip: fix stub_dev hub disconnect
dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
interconnect: qcom: sc7180: Retire DEFINE_QBCM
interconnect: qcom: sc7180: Set ACV enable_mask
interconnect: qcom: sc7280: Set ACV enable_mask
interconnect: qcom: sc8180x: Set ACV enable_mask
interconnect: qcom: sc8280xp: Set ACV enable_mask
interconnect: qcom: sdm845: Retire DEFINE_QBCM
interconnect: qcom: sdm845: Set ACV enable_mask
interconnect: qcom: sm6350: Retire DEFINE_QBCM
interconnect: qcom: sm6350: Set ACV enable_mask
interconnect: move ignore_list out of of_count_icc_providers()
interconnect: qcom: sm8150: Drop IP0 interconnects
interconnect: qcom: sm8150: Retire DEFINE_QBCM
interconnect: qcom: sm8150: Set ACV enable_mask
interconnect: qcom: sm8350: Retire DEFINE_QBCM
interconnect: qcom: sm8350: Set ACV enable_mask
powerpc: Only define __parse_fpscr() when required
modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host
modpost: fix ishtp MODULE_DEVICE_TABLE built on big-endian host
powerpc/40x: Remove stale PTE_ATOMIC_UPDATES macro
powerpc/xive: Fix endian conversion size
powerpc/vas: Limit open window failure messages in log bufffer
powerpc/imc-pmu: Use the correct spinlock initializer.
powerpc/pseries: fix potential memory leak in init_cpu_associativity()
xhci: Loosen RPM as default policy to cover for AMD xHC 1.1
usb: host: xhci-plat: fix possible kernel oops while resuming
perf machine: Avoid out of bounds LBR memory read
perf hist: Add missing puts to hist__account_cycles
9p/net: fix possible memory leak in p9_check_errors()
i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs
cxl/mem: Fix shutdown order
crypto: ccp - Name -1 return value as SEV_RET_NO_FW_CALL
x86/sev: Change snp_guest_issue_request()'s fw_err argument
virt: sevguest: Fix passing a stack buffer as a scatterlist target
rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call
pcmcia: cs: fix possible hung task and memory leak pccardd()
pcmcia: ds: fix refcount leak in pcmcia_device_add()
pcmcia: ds: fix possible name leak in error path in pcmcia_device_add()
media: hantro: Check whether reset op is defined before use
media: verisilicon: Do not enable G2 postproc downscale if source is narrower than destination
media: ov5640: Drop dead code using frame_interval
media: ov5640: fix vblank unchange issue when work at dvp mode
media: i2c: max9286: Fix some redundant of_node_put() calls
media: ov5640: Fix a memory leak when ov5640_probe fails
media: bttv: fix use after free error due to btv->timeout timer
media: amphion: handle firmware debug message
media: mtk-jpegenc: Fix bug in JPEG encode quality selection
media: s3c-camif: Avoid inappropriate kfree()
media: vidtv: psi: Add check for kstrdup
media: vidtv: mux: Add check and kfree for kstrdup
media: cedrus: Fix clock/reset sequence
media: cadence: csi2rx: Unregister v4l2 async notifier
media: dvb-usb-v2: af9035: fix missing unlock
media: cec: meson: always include meson sub-directory in Makefile
regmap: prevent noinc writes from clobbering cache
pwm: sti: Reduce number of allocations and drop usage of chip_data
pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
watchdog: ixp4xx: Make sure restart always works
llc: verify mac len before reading mac header
hsr: Prevent use after free in prp_create_tagged_frame()
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
bpf: Check map->usercnt after timer->timer is assigned
inet: shrink struct flowi_common
octeontx2-pf: Fix error codes
octeontx2-pf: Fix holes in error code
net: page_pool: add missing free_percpu when page_pool_init fail
dccp: Call security_inet_conn_request() after setting IPv4 addresses.
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
net: r8169: Disable multicast filter for RTL8168H and RTL8107E
Fix termination state for idr_for_each_entry_ul()
net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs
selftests: pmtu.sh: fix result checking
octeontx2-pf: Rename tot_tx_queues to non_qos_queues
octeontx2-pf: qos send queues management
octeontx2-pf: Free pending and dropped SQEs
net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
net/smc: allow cdc msg send rather than drop it with NULL sndbuf_desc
net/smc: put sk reference if close work was canceled
nvme: fix error-handling for io_uring nvme-passthrough
tg3: power down device only on SYSTEM_POWER_OFF
nbd: fix uaf in nbd_open
blk-core: use pr_warn_ratelimited() in bio_check_ro()
virtio/vsock: replace virtio_vsock_pkt with sk_buff
vsock/virtio: remove socket from connected/bound list on shutdown
r8169: respect userspace disabling IFF_MULTICAST
i2c: iproc: handle invalid slave state
netfilter: xt_recent: fix (increase) ipv6 literal buffer length
netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate eval call-backs
netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
RISC-V: Don't fail in riscv_of_parent_hartid() for disabled HARTs
drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE
ASoC: mediatek: mt8186_mt6366_rt1019_rt5682s: trivial: fix error messages
ASoC: hdmi-codec: register hpd callback on component probe
ASoC: dapm: fix clock get name
spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies
fbdev: imsttfb: Fix error path of imsttfb_probe()
fbdev: imsttfb: fix a resource leak in probe
fbdev: fsl-diu-fb: mark wr_reg_wa() static
tracing/kprobes: Fix the order of argument descriptions
io_uring/net: ensure socket is marked connected on connect retry
x86/amd_nb: Use Family 19h Models 60h-7Fh Function 4 IDs
Revert "mmc: core: Capture correct oemid-bits for eMMC cards"
btrfs: use u64 for buffer sizes in the tree search ioctls
wifi: cfg80211: fix kernel-doc for wiphy_delayed_work_flush()
virtio/vsock: don't use skbuff state to account credit
virtio/vsock: remove redundant 'skb_pull()' call
virtio/vsock: don't drop skbuff on copy failure
vsock/loopback: use only sk_buff_head.lock to protect the packet queue
virtio/vsock: fix leaks due to missing skb owner
virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()
virtio/vsock: fix header length on skb merging
Linux 6.1.63
Change-Id: I87b7a539b11c90cfaf16edb07d613f74d54458a4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
bf9a785d04 |
Merge tag 'android14-6.1.57_r00' into branch 'android14-6.1'
This merges the upstream 6.1.y LTS releases up to 6.1.57 into the android14-6.1 branch. Included in here are the following commits: * |
||
|
Greg Kroah-Hartman
|
0d9fb52165 |
Merge 6.1.62 into android14-6.1-lts
Changes in 6.1.62
ASoC: simple-card: fixup asoc_simple_probe() error handling
coresight: tmc-etr: Disable warnings for allocation failures
ASoC: tlv320adc3xxx: BUG: Correct micbias setting
net: sched: cls_u32: Fix allocation size in u32_init()
irqchip/riscv-intc: Mark all INTC nodes as initialized
irqchip/stm32-exti: add missing DT IRQ flag translation
dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
powerpc/85xx: Fix math emulation exception
Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
fbdev: atyfb: only use ioremap_uc() on i386 and ia64
fs/ntfs3: Add ckeck in ni_update_parent()
fs/ntfs3: Write immediately updated ntfs state
fs/ntfs3: Use kvmalloc instead of kmalloc(... __GFP_NOWARN)
fs/ntfs3: Fix possible NULL-ptr-deref in ni_readpage_cmpr()
fs/ntfs3: Fix NULL pointer dereference on error in attr_allocate_frame()
fs/ntfs3: Fix directory element type detection
fs/ntfs3: Avoid possible memory leak
spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0
netfilter: nfnetlink_log: silence bogus compiler warning
efi: fix memory leak in krealloc failure handling
ASoC: rt5650: fix the wrong result of key button
ASoC: codecs: tas2780: Fix log of failed reset via I2C.
drm/ttm: Reorder sys manager cleanup step
fbdev: omapfb: fix some error codes
fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
scsi: mpt3sas: Fix in error path
drm/amdgpu: Unset context priority is now invalid
gpu/drm: Eliminate DRM_SCHED_PRIORITY_UNSET
LoongArch: Export symbol invalid_pud_table for modules building
LoongArch: Replace kmap_atomic() with kmap_local_page() in copy_user_highpage()
netfilter: nf_tables: audit log object reset once per table
platform/mellanox: mlxbf-tmfifo: Fix a warning message
drm/amdgpu: Reserve fences for VM update
net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
r8152: Check for unplug in rtl_phy_patch_request()
r8152: Check for unplug in r8153b_ups_en() / r8153c_ups_en()
powerpc/mm: Fix boot crash with FLATMEM
io_uring: kiocb_done() should *not* trust ->ki_pos if ->{read,write}_iter() failed
ceph_wait_on_conflict_unlink(): grab reference before dropping ->d_lock
power: supply: core: Use blocking_notifier_call_chain to avoid RCU complaint
perf evlist: Avoid frequency mode for the dummy event
x86: KVM: SVM: always update the x2avic msr interception
mm/mempolicy: fix set_mempolicy_home_node() previous VMA pointer
mmap: fix error paths with dup_anon_vma()
ALSA: usb-audio: add quirk flag to enable native DSD for McIntosh devices
PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility
usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()
usb: raw-gadget: properly handle interrupted requests
tty: n_gsm: fix race condition in status line change on dead connections
tty: 8250: Remove UC-257 and UC-431
tty: 8250: Add support for additional Brainboxes UC cards
tty: 8250: Add support for Brainboxes UP cards
tty: 8250: Add support for Intashield IS-100
tty: 8250: Fix port count of PX-257
tty: 8250: Fix up PX-803/PX-857
tty: 8250: Add support for additional Brainboxes PX cards
tty: 8250: Add support for Intashield IX cards
tty: 8250: Add Brainboxes Oxford Semiconductor-based quirks
misc: pci_endpoint_test: Add deviceID for J721S2 PCIe EP device support
ALSA: hda: intel-dsp-config: Fix JSL Chromebook quirk detection
ASoC: SOF: sof-pci-dev: Fix community key quirk detection
Linux 6.1.62
Change-Id: I2f696c88b48e82eb0d925a26ce6716693595d421
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
d3f3412122 |
Merge branch 'android14-6.1' into branch 'android14-6.1-lts'
This syncs up the android14-6.1-lts branch with many changes that have happened in the android14-6.1 branch. Included in here are the following commits: |
||
|
Vinayak Yadawad
|
8f46c34931 |
BACKPORT: wifi: cfg80211: Allow AP/P2PGO to indicate port authorization to peer STA/P2PClient
In 4way handshake offload, cfg80211_port_authorized enables driver to indicate successful 4way handshake to cfg80211 layer. Currently this path of port authorization is restricted to interface type NL80211_IFTYPE_STATION and NL80211_IFTYPE_P2P_CLIENT. This patch extends the support for NL80211_IFTYPE_AP and NL80211_IFTYPE_P2P_GO interfaces to authorize peer STA/P2P_CLIENT, whenever authentication is offloaded on the AP/P2P_GO interface. Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com> Link: https://lore.kernel.org/r/dee3b0a2b4f617e932c90bff4504a89389273632.1695721435.git.vinayak.yadawad@broadcom.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Bug: 301410304 (cherry picked from commit e4e7e3af73694380f0d9a742d13b80598a3393e9) [chenpaul: adjust the format by checkpatch] Signed-off-by: Paul Chen <chenpaul@google.com> Change-Id: Id9704d7b412396f45e888895e42ba161ecb0ab56 |
||
Arseniy Krasnov
|
830c11c9c0 |
virtio/vsock: fix header length on skb merging
commit f7154d967bc4ee25ea1572937550e711b2525474 upstream.
This fixes appending newly arrived skbuff to the last skbuff of the
socket's queue. Problem fires when we are trying to append data to skbuff
which was already processed in dequeue callback at least once. Dequeue
callback calls function 'skb_pull()' which changes 'skb->len'. In current
implementation 'skb->len' is used to update length in header of the last
skbuff after new data was copied to it. This is bug, because value in
header is used to calculate 'rx_bytes'/'fwd_cnt' and thus must be not
be changed during skbuff's lifetime.
Bug starts to fire since:
commit 077706165717
("virtio/vsock: don't use skbuff state to account credit")
It presents before, but didn't triggered due to a little bit buggy
implementation of credit calculation logic. So use Fixes tag for it.
Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit")
Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Shigeru Yoshida
|
cd12535b97 |
virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()
commit 34c4effacfc329aeca5635a69fd9e0f6c90b4101 upstream. KMSAN reported the following uninit-value access issue: ===================================================== BUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit was stored to memory at: virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline] virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit was created at: slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline] virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58 virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline] virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 CPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: vsock-loopback vsock_loopback_work ===================================================== The following simple reproducer can cause the issue described above: int main(void) { int sock; struct sockaddr_vm addr = { .svm_family = AF_VSOCK, .svm_cid = VMADDR_CID_ANY, .svm_port = 1234, }; sock = socket(AF_VSOCK, SOCK_STREAM, 0); connect(sock, (struct sockaddr *)&addr, sizeof(addr)); return 0; } This issue occurs because the `buf_alloc` and `fwd_cnt` fields of the `struct virtio_vsock_hdr` are not initialized when a new skb is allocated in `virtio_transport_init_hdr()`. This patch resolves the issue by initializing these fields during allocation. Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Reported-and-tested-by: syzbot+0c8ce1da0ac31abbadcd@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0c8ce1da0ac31abbadcd Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Link: https://lore.kernel.org/r/20231104150531.257952-1-syoshida@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Bobby Eshleman
|
a6650e78c4 |
virtio/vsock: fix leaks due to missing skb owner
commit f9d2b1e146e0f82f3d04629afd92698522058361 upstream.
This patch sets the skb owner in the recv and send path for virtio.
For the send path, this solves the leak caused when
virtio_transport_purge_skbs() finds skb->sk is always NULL and therefore
never matches it with the current socket. Setting the owner upon
allocation fixes this.
For the recv path, this ensures correctness of accounting and also
correct transfer of ownership in vsock_loopback (when skbs are sent from
one socket and received by another).
Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Signed-off-by: Bobby Eshleman <bobby.eshleman@bytedance.com>
Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://lore.kernel.org/all/ZCCbATwov4U+GBUv@pop-os.localdomain/
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Stefano Garzarella
|
bb1c9a5907 |
vsock/loopback: use only sk_buff_head.lock to protect the packet queue
commit b465518dc27da1ed74b8cbada4659708aac35adb upstream.
pkt_list_lock was used before commit 71dc9ec9ac7d ("virtio/vsock:
replace virtio_vsock_pkt with sk_buff") to protect the packet queue.
After that commit we switched to sk_buff and we are using
sk_buff_head.lock in almost every place to protect the packet queue
except in vsock_loopback_work() when we call skb_queue_splice_init().
As reported by syzbot, this caused unlocked concurrent access to the
packet queue between vsock_loopback_work() and
vsock_loopback_cancel_pkt() since it is not holding pkt_list_lock.
With the introduction of sk_buff_head, pkt_list_lock is redundant and
can cause confusion, so let's remove it and use sk_buff_head.lock
everywhere to protect the packet queue access.
Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Cc: bobby.eshleman@bytedance.com
Reported-and-tested-by: syzbot+befff0a9536049e7902e@syzkaller.appspotmail.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Bobby Eshleman <bobby.eshleman@bytedance.com>
Reviewed-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Arseniy Krasnov
|
1e5f00e9db |
virtio/vsock: don't drop skbuff on copy failure
commit 8daaf39f7f6ef53a11817f6a11ec104016c3545f upstream.
This returns behaviour of SOCK_STREAM read as before skbuff usage. When
copying to user fails current skbuff won't be dropped, but returned to
sockets's queue. Technically instead of 'skb_dequeue()', 'skb_peek()' is
called and when skbuff becomes empty, it is removed from queue by
'__skb_unlink()'.
Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Bobby Eshleman <bobby.eshleman@bytedance.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Arseniy Krasnov
|
883a3db221 |
virtio/vsock: remove redundant 'skb_pull()' call
commit 6825e6b4f8e53799d83bc39ca6ec5baed4e2adde upstream.
Since we now no longer use 'skb->len' to update credit, there is no sense
to update skbuff state, because it is used only once after dequeue to
copy data and then will be released.
Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Bobby Eshleman <bobby.eshleman@bytedance.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Arseniy Krasnov
|
5852a2b573 |
virtio/vsock: don't use skbuff state to account credit
commit 077706165717686a2a6a71405fef036cd5b37ae0 upstream.
'skb->len' can vary when we partially read the data, this complicates the
calculation of credit to be updated in 'virtio_transport_inc_rx_pkt()/
virtio_transport_dec_rx_pkt()'.
Also in 'virtio_transport_dec_rx_pkt()' we were miscalculating the
credit since 'skb->len' was redundant.
For these reasons, let's replace the use of skbuff state to calculate new
'rx_bytes'/'fwd_cnt' values with explicit value as input argument. This
makes code more simple, because it is not needed to change skbuff state
before each call to update 'rx_bytes'/'fwd_cnt'.
Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Bobby Eshleman <bobby.eshleman@bytedance.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Florian Westphal
|
587e6308d6 |
netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
[ Upstream commit 80abbe8a8263106fe45a4f293b92b5c74cc9cc8a ]
The ipv6 redirect target was derived from the ipv4 one, i.e. its
identical to a 'dnat' with the first (primary) address assigned to the
network interface. The code has been moved around to make it usable
from nf_tables too, but its still the same as it was back when this
was added in 2012.
IPv6, however, has different types of addresses, if the 'wrong' address
comes first the redirection does not work.
In Daniels case, the addresses are:
inet6 ::ffff:192 ...
inet6 2a01: ...
... so the function attempts to redirect to the mapped address.
Add more checks before the address is deemed correct:
1. If the packets' daddr is scoped, search for a scoped address too
2. skip tentative addresses
3. skip mapped addresses
Use the first address that appears to match our needs.
Reported-by: Daniel Huhardeaux <tech@tootai.net>
Closes: https://lore.kernel.org/netfilter/71be06b8-6aa0-4cf9-9e0b-e2839b01b22f@tootai.net/
Fixes:
|
||
|
Jeremy Sowden
|
8fa280d1a9 |
netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs
[ Upstream commit 6f56ad1b92328997e1b1792047099df6f8d7acb5 ]
`nf_nat_redirect_ipv4` takes a `struct nf_nat_ipv4_multi_range_compat`,
but converts it internally to a `struct nf_nat_range2`. Change the
function to take the latter, factor out the code now shared with
`nf_nat_redirect_ipv6`, move the conversion to the xt_REDIRECT module,
and update the ipv4 range initialization in the nft_redir module.
Replace a bare hex constant for 127.0.0.1 with a macro.
Remove `WARN_ON`. `nf_nat_setup_info` calls `nf_ct_is_confirmed`:
/* Can't setup nat info for confirmed ct. */
if (nf_ct_is_confirmed(ct))
return NF_ACCEPT;
This means that `ct` cannot be null or the kernel will crash, and
implies that `ctinfo` is `IP_CT_NEW` or `IP_CT_RELATED`.
nft_redir has separate ipv4 and ipv6 call-backs which share much of
their code, and an inet one switch containing a switch that calls one of
the others based on the family of the packet. Merge the ipv4 and ipv6
ones into the inet one in order to get rid of the duplicate code.
Const-qualify the `priv` pointer since we don't need to write through
it.
Assign `priv->flags` to the range instead of OR-ing it in.
Set the `NF_NAT_RANGE_PROTO_SPECIFIED` flag once during init, rather
than on every eval.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Stable-dep-of: 80abbe8a8263 ("netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Maciej Żenczykowski
|
d85670128f |
netfilter: xt_recent: fix (increase) ipv6 literal buffer length
[ Upstream commit 7b308feb4fd2d1c06919445c65c8fbf8e9fd1781 ]
in6_pton() supports 'low-32-bit dot-decimal representation'
(this is useful with DNS64/NAT64 networks for example):
# echo +aaaa:bbbb:cccc:dddd:eeee:ffff:1.2.3.4 > /proc/self/net/xt_recent/DEFAULT
# cat /proc/self/net/xt_recent/DEFAULT
src=aaaa:bbbb:cccc:dddd:eeee:ffff:0102:0304 ttl: 0 last_seen: 9733848829 oldest_pkt: 1 9733848829
but the provided buffer is too short:
# echo +aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255 > /proc/self/net/xt_recent/DEFAULT
-bash: echo: write error: Invalid argument
Fixes:
|
||
Filippo Storniolo
|
1fecefb092 |
vsock/virtio: remove socket from connected/bound list on shutdown
[ Upstream commit 3a5cc90a4d1756072619fe511d07621bdef7f120 ]
If the same remote peer, using the same port, tries to connect
to a server on a listening port more than once, the server will
reject the connection, causing a "connection reset by peer"
error on the remote peer. This is due to the presence of a
dangling socket from a previous connection in both the connected
and bound socket lists.
The inconsistency of the above lists only occurs when the remote
peer disconnects and the server remains active.
This bug does not occur when the server socket is closed:
virtio_transport_release() will eventually schedule a call to
virtio_transport_do_close() and the latter will remove the socket
from the bound and connected socket lists and clear the sk_buff.
However, virtio_transport_do_close() will only perform the above
actions if it has been scheduled, and this will not happen
if the server is processing the shutdown message from a remote peer.
To fix this, introduce a call to vsock_remove_sock()
when the server is handling a client disconnect.
This is to remove the socket from the bound and connected socket
lists without clearing the sk_buff.
Fixes:
|
||
|
Bobby Eshleman
|
baddcc2c71 |
virtio/vsock: replace virtio_vsock_pkt with sk_buff
[ Upstream commit 71dc9ec9ac7d3eee785cdc986c3daeb821381e20 ]
This commit changes virtio/vsock to use sk_buff instead of
virtio_vsock_pkt. Beyond better conforming to other net code, using
sk_buff allows vsock to use sk_buff-dependent features in the future
(such as sockmap) and improves throughput.
This patch introduces the following performance changes:
Tool: Uperf
Env: Phys Host + L1 Guest
Payload: 64k
Threads: 16
Test Runs: 10
Type: SOCK_STREAM
Before: commit b7bfaa761d760 ("Linux 6.2-rc3")
Before
------
g2h: 16.77Gb/s
h2g: 10.56Gb/s
After
-----
g2h: 21.04Gb/s
h2g: 10.76Gb/s
Signed-off-by: Bobby Eshleman <bobby.eshleman@bytedance.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 3a5cc90a4d17 ("vsock/virtio: remove socket from connected/bound list on shutdown")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
D. Wythe
|
f4277cb562 |
net/smc: put sk reference if close work was canceled
[ Upstream commit aa96fbd6d78d9770323b21e2c92bd38821be8852 ]
Note that we always hold a reference to sock when attempting
to submit close_work. Therefore, if we have successfully
canceled close_work from pending, we MUST release that reference
to avoid potential leaks.
Fixes:
|
||
|
D. Wythe
|
2d563aa752 |
net/smc: allow cdc msg send rather than drop it with NULL sndbuf_desc
[ Upstream commit c5bf605ba4f9d6fbbb120595ab95002f4716edcb ]
This patch re-fix the issues mentioned by commit 22a825c541d7
("net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()").
Blocking sending message do solve the issues though, but it also
prevents the peer to receive the final message. Besides, in logic,
whether the sndbuf_desc is NULL or not have no impact on the processing
of cdc message sending.
Hence that, this patch allows the cdc message sending but to check the
sndbuf_desc with care in smc_cdc_tx_handler().
Fixes: 22a825c541d7 ("net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()")
Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
D. Wythe
|
9d976cd3e3 |
net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
[ Upstream commit 5211c9729484c923f8d2e06bd29f9322cc42bb8f ]
Considering scenario:
smc_cdc_rx_handler
__smc_release
sock_set_flag
smc_close_active()
sock_set_flag
__set_bit(DEAD) __set_bit(DONE)
Dues to __set_bit is not atomic, the DEAD or DONE might be lost.
if the DEAD flag lost, the state SMC_CLOSED will be never be reached
in smc_close_passive_work:
if (sock_flag(sk, SOCK_DEAD) &&
smc_close_sent_any_close(conn)) {
sk->sk_state = SMC_CLOSED;
} else {
/* just shutdown, but not yet closed locally */
sk->sk_state = SMC_APPFINCLOSEWAIT;
}
Replace sock_set_flags or __set_bit to set_bit will fix this problem.
Since set_bit is atomic.
Fixes:
|
||
Kuniyuki Iwashima
|
db68ac51fe |
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
[ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ] Initially, commit |
||
|
Kuniyuki Iwashima
|
414d36c117 |
dccp: Call security_inet_conn_request() after setting IPv4 addresses.
[ Upstream commit fa2df45af13091f76b89adb84a28f13818d5d631 ] Initially, commit |
||
Jian Shen
|
e129327d80 |
net: page_pool: add missing free_percpu when page_pool_init fail
[ Upstream commit 8ffbd1669ed1d58939d6e878dffaa2f60bf961a4 ]
When ptr_ring_init() returns failure in page_pool_init(), free_percpu()
is not called to free pool->recycle_stats, which may cause memory
leak.
Fixes:
|
||
|
Shigeru Yoshida
|
4c731e98fe |
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
[ Upstream commit 19b3f72a41a8751e26bffc093bb7e1cef29ad579 ] syzbot reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 strlen lib/string.c:418 [inline] strstr+0xb8/0x2f0 lib/string.c:756 tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x318/0x740 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd TIPC bearer-related names including link names must be null-terminated strings. If a link name which is not null-terminated is passed through netlink, strstr() and similar functions can cause buffer overrun. This causes the above issue. This patch changes the nla_policy for bearer-related names from NLA_STRING to NLA_NUL_STRING. This resolves the issue by ensuring that only null-terminated strings are accepted as bearer-related names. syzbot reported similar uninit-value issue related to bearer names [2]. The root cause of this issue is that a non-null-terminated bearer name was passed. This patch also resolved this issue. Fixes: |
||
|
Dan Carpenter
|
6086258bd5 |
hsr: Prevent use after free in prp_create_tagged_frame()
[ Upstream commit 876f8ab52363f649bcc74072157dfd7adfbabc0d ]
The prp_fill_rct() function can fail. In that situation, it frees the
skb and returns NULL. Meanwhile on the success path, it returns the
original skb. So it's straight forward to fix bug by using the returned
value.
Fixes:
|
||
Willem de Bruijn
|
f980e9a57d |
llc: verify mac len before reading mac header
[ Upstream commit 7b3ba18703a63f6fd487183b9262b08e5632da1b ]
LLC reads the mac header with eth_hdr without verifying that the skb
has an Ethernet header.
Syzbot was able to enter llc_rcv on a tun device. Tun can insert
packets without mac len and with user configurable skb->protocol
(passing a tun_pi header when not configuring IFF_NO_PI).
BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218
__netif_receive_skb_one_core net/core/dev.c:5523 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
netif_receive_skb_internal net/core/dev.c:5723 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5782
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002
Add a mac_len test before all three eth_hdr(skb) calls under net/llc.
There are further uses in include/net/llc_pdu.h. All these are
protected by a test skb->protocol == ETH_P_802_2. Which does not
protect against this tun scenario.
But the mac_len test added in this patch in llc_fixup_skb will
indirectly protect those too. That is called from llc_rcv before any
other LLC code.
It is tempting to just add a blanket mac_len check in llc_rcv, but
not sure whether that could break valid LLC paths that do not assume
an Ethernet header. 802.2 LLC may be used on top of non-802.3
protocols in principle. The below referenced commit shows that used
to, on top of Token Ring.
At least one of the three eth_hdr uses goes back to before the start
of git history. But the one that syzbot exercises is introduced in
this commit. That commit is old enough (2008), that effectively all
stable kernels should receive this.
Fixes:
|
||
|
Hangyu Hua
|
b9793c9c03 |
9p/net: fix possible memory leak in p9_check_errors()
[ Upstream commit ce07087964208eee2ca2f9ee4a98f8b5d9027fe6 ]
When p9pdu_readf() is called with "s?d" attribute, it allocates a pointer
that will store a string. But when p9pdu_readf() fails while handling "d"
then this pointer will not be freed in p9_check_errors().
Fixes:
|
||
Yan Zhai
|
fae5cc598e |
ipv6: avoid atomic fragment on GSO packets
[ Upstream commit 03d6c848bfb406e9ef6d9846d759e97beaeea113 ]
When the ipv6 stack output a GSO packet, if its gso_size is larger than
dst MTU, then all segments would be fragmented. However, it is possible
for a GSO packet to have a trailing segment with smaller actual size
than both gso_size as well as the MTU, which leads to an "atomic
fragment". Atomic fragments are considered harmful in RFC-8021. An
Existing report from APNIC also shows that atomic fragments are more
likely to be dropped even it is equivalent to a no-op [1].
Add an extra check in the GSO slow output path. For each segment from
the original over-sized packet, if it fits with the path MTU, then avoid
generating an atomic fragment.
Link: https://www.potaroo.net/presentations/2022-03-01-ipv6-frag.pdf [1]
Fixes:
|
||
Marcel Ziswiler
|
4bb26ec7ed |
Bluetooth: hci_sync: Fix Opcode prints in bt_dev_dbg/err
[ Upstream commit 530886897c789cf77c9a0d4a7cc5549f0768b5f8 ] Printed Opcodes may be missing leading zeros: Bluetooth: hci0: Opcode 0x c03 failed: -110 Fix this by always printing leading zeros: Bluetooth: hci0: Opcode 0x0c03 failed: -110 Fixes: |
||
|
Eric Dumazet
|
6d88d4b1bb |
tcp: fix cookie_init_timestamp() overflows
[ Upstream commit 73ed8e03388d16c12fc577e5c700b58a29045a15 ]
cookie_init_timestamp() is supposed to return a 64bit timestamp
suitable for both TSval determination and setting of skb->tstamp.
Unfortunately it uses 32bit fields and overflows after
2^32 * 10^6 nsec (~49 days) of uptime.
Generated TSval are still correct, but skb->tstamp might be set
far away in the past, potentially confusing other layers.
tcp_ns_to_ts() is changed to return a full 64bit value,
ts and ts_now variables are changed to u64 type,
and TSMASK is removed in favor of shifts operations.
While we are at it, change this sequence:
ts >>= TSBITS;
ts--;
ts <<= TSBITS;
ts |= options;
to:
ts -= (1UL << TSBITS);
Fixes:
|
||
|
Phil Sutter
|
2acedc5372 |
net: skb_find_text: Ignore patterns extending past 'to'
[ Upstream commit c4eee56e14fe001e1cff54f0b438a5e2d0dd7454 ]
Assume that caller's 'to' offset really represents an upper boundary for
the pattern search, so patterns extending past this offset are to be
rejected.
The old behaviour also was kind of inconsistent when it comes to
fragmentation (or otherwise non-linear skbs): If the pattern started in
between 'to' and 'from' offsets but extended to the next fragment, it
was not found if 'to' offset was still within the current fragment.
Test the new behaviour in a kselftest using iptables' string match.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fixes:
|
||
|
Phil Sutter
|
9709c6d759 |
netfilter: nf_tables: Drop pointless memset when dumping rules
[ Upstream commit 30fa41a0f6df4c85790cc6499ddc4a926a113bfa ]
None of the dump callbacks uses netlink_callback::args beyond the first
element, no need to zero the data.
Fixes:
|
||
|
Eric Dumazet
|
14a7e73b28 |
tcp_metrics: do not create an entry from tcp_init_metrics()
[ Upstream commit a135798e6e200ecb2f864cecca6d257ba278370c ]
tcp_init_metrics() only wants to get metrics if they were
previously stored in the cache. Creating an entry is adding
useless costs, especially when tcp_no_metrics_save is set.
Fixes:
|
||
|
Eric Dumazet
|
52ec0669f4 |
tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
[ Upstream commit 081480014a64a69d901f8ef1ffdd56d6085cf87e ]
We need to set tp->snd_ssthresh to TCP_INFINITE_SSTHRESH
in the case tcp_get_metrics() fails for some reason.
Fixes:
|
||
|
Eric Dumazet
|
e850efcf2b |
tcp_metrics: add missing barriers on delete
[ Upstream commit cbc3a153222805d65f821e10f4f78b6afce06f86 ]
When removing an item from RCU protected list, we must prevent
store-tearing, using rcu_assign_pointer() or WRITE_ONCE().
Fixes:
|
||
Gustavo A. R. Silva
|
254187a64a |
tipc: Use size_add() in calls to struct_size()
[ Upstream commit 2506a91734754de690869824fb0d1ac592ec1266 ]
If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.
Fixes:
|
||
|
Gustavo A. R. Silva
|
065cb7ae3f |
tls: Use size_add() in call to struct_size()
[ Upstream commit a2713257ee2be22827d7bc248302d408c91bfb95 ]
If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.
Fixes:
|
||
Herbert Xu
|
8ae1873864 |
tls: Only use data field in crypto completion function
[ Upstream commit 8d338c76f7cfe0eb4bc46078b1c09c8c5fc75353 ]
The crypto_async_request passed to the completion is not guaranteed
to be the original request object. Only the data field can be relied
upon.
Fix this by storing the socket pointer with the AEAD request.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: a2713257ee2b ("tls: Use size_add() in call to struct_size()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Aananth V
|
5dd1344de3 |
tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed
[ Upstream commit e326578a21414738de45f77badd332fb00bd0f58 ]
For passive TCP Fast Open sockets that had SYN/ACK timeout and did not
send more data in SYN_RECV, upon receiving the final ACK in 3WHS, the
congestion state may awkwardly stay in CA_Loss mode unless the CA state
was undone due to TCP timestamp checks. However, if
tcp_rcv_synrecv_state_fastopen() decides not to undo, then we should
enter CA_Open, because at that point we have received an ACK covering
the retransmitted SYNACKs. Currently, the icsk_ca_state is only set to
CA_Open after we receive an ACK for a data-packet. This is because
tcp_ack does not call tcp_fastretrans_alert (and tcp_process_loss) if
!prior_packets
Note that tcp_process_loss() calls tcp_try_undo_recovery(), so having
tcp_rcv_synrecv_state_fastopen() decide that if we're in CA_Loss we
should call tcp_try_undo_recovery() is consistent with that, and
low risk.
Fixes:
|
||
|
Eric Dumazet
|
a08ff0544b |
udp: add missing WRITE_ONCE() around up->encap_rcv
[ Upstream commit 6d5a12eb91224d707f8691dccb40a5719fe5466d ]
UDP_ENCAP_ESPINUDP_NON_IKE setsockopt() writes over up->encap_rcv
while other cpus read it.
Fixes:
|
||
|
Johannes Berg
|
9c6269f5d1 |
wifi: mac80211: fix # of MSDU in A-MSDU calculation
[ Upstream commit 428e8976a15f849ad92b1c1e38dda2a684350ff7 ]
During my refactoring I wanted to get rid of the switch,
but replaced it with the wrong calculation. Fix that.
Fixes:
|
||
|
Johannes Berg
|
cee323e56c |
wifi: mac80211: move sched-scan stop work to wiphy work
[ Upstream commit eadfb54756aea5610d8d0a467f66305f777c85dd ]
This also has the wiphy locked here then. We need to use
the _locked version of cfg80211_sched_scan_stopped() now,
which also fixes an old deadlock there.
Fixes:
|
||
|
Johannes Berg
|
0568d1e889 |
wifi: mac80211: move offchannel works to wiphy work
[ Upstream commit 97c19e42b264e6b71a9ff9deea04c19f621805b9 ]
Make the offchannel works wiphy works to have the
wiphy locked for executing them.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: eadfb54756ae ("wifi: mac80211: move sched-scan stop work to wiphy work")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Johannes Berg
|
ef41361519 |
wifi: mac80211: move scan work to wiphy work
[ Upstream commit 201712512cbbda360f62c222a4bab260350462a0 ]
Move the scan work to wiphy work, which also simplifies
the way we handle the work vs. the scan configuration.
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: eadfb54756ae ("wifi: mac80211: move sched-scan stop work to wiphy work")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Johannes Berg
|
09915293c3 |
wifi: mac80211: move radar detect work to wiphy work
[ Upstream commit 228e4f931b0e630dacca8dd867ddd863aea53913 ]
Move the radar detect work to wiphy work in order
to lock the wiphy for it without doing it manually.
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: eadfb54756ae ("wifi: mac80211: move sched-scan stop work to wiphy work")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Johannes Berg
|
697fb94e3e |
wifi: cfg80211: add flush functions for wiphy work
[ Upstream commit 56cfb8ce1f7f6c4e5ca571a2ec0880e131cd0311 ]
There may be sometimes reasons to actually run the work
if it's pending, add flush functions for both regular and
delayed wiphy work that will do this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: eadfb54756ae ("wifi: mac80211: move sched-scan stop work to wiphy work")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
qctecmdr
|
400fcacf7f | Merge "net: qrtr: Fix race condition with MHI -EAGAIN" | ||
|
qctecmdr
|
1bab95f360 |
Merge "Merge keystone/android14-6.1-keystone-qcom-release.6.1.25 (2e792b4) into qcom-6.1"
|