[ Upstream commit b0e256f3dd2ba6532f37c5c22e07cb07a36031ee ]
Clone already always provides a current view of the lookup table, use it
to destroy the set, otherwise it is possible to destroy elements twice.
This fix requires:
212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol")
which came after:
9827a0e6e2 ("netfilter: nft_set_pipapo: release elements in clone from abort path").
Bug: 330876672
Fixes: 9827a0e6e2 ("netfilter: nft_set_pipapo: release elements in clone from abort path")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit ff90050771412b91e928093ccd8736ae680063c2)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I8c0811e69f82681c7fcfdca1111f1702e27bb80e
commit e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb upstream.
Similarly to previous commit, the submitting thread (recvmsg/sendmsg)
may exit as soon as the async crypto handler calls complete().
Reorder scheduling the work before calling complete().
This seems more logical in the first place, as it's
the inverse order of what the submitting thread will do.
Bug: 326214245
Reported-by: valis <sec@valis.email>
Fixes: a42055e8d2 ("net/tls: Add support for async encryption of records for performance")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[Lee: Fixed merge-conflict in Stable branches linux-6.1.y and older]
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 196f198ca6fce04ba6ce262f5a0e4d567d7d219d)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I3128347d1e45018db30b6f2336ece2a4a3a630db
(cherry picked from commit e78d26a9ec366b108c89099b148ae3cea6f1a8e9)
commit 01acb2e8666a6529697141a6017edbf206921913 upstream.
Remove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER
event is reported, otherwise a stale reference to netdevice remains in
the hook list.
Bug: 332803585
Fixes: 60a3815da7 ("netfilter: add inet ingress support")
Cc: stable@vger.kernel.org
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 70f17b48c86622217a58d5099d29242fc9adac58)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I28482dca416b61dcf2e722ba0aef62d2d41a8f23
[ Upstream commit aec7961916f3f9e88766e2688992da6980f11b8d ]
The submitting thread (one which called recvmsg/sendmsg)
may exit as soon as the async crypto handler calls complete()
so any code past that point risks touching already freed data.
Try to avoid the locking and extra flags altogether.
Have the main thread hold an extra reference, this way
we can depend solely on the atomic ref counter for
synchronization.
Don't futz with reiniting the completion, either, we are now
tightly controlling when completion fires.
Bug: 326214245
Reported-by: valis <sec@valis.email>
Fixes: 0cada33241 ("net/tls: fix race condition causing kernel panic")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 7a3ca06d04d589deec81f56229a9a9d62352ce01)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Idda32dd68ed26ae5c85c985305f52c3b2245e32c
[ Upstream commit c57ca512f3b68ddcd62bda9cc24a8f5584ab01b1 ]
Factor out waiting for async encrypt and decrypt to finish.
There are already multiple copies and a subsequent fix will
need more. No functional changes.
Note that crypto_wait_req() returns wait->err
Bug: 326214245
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: aec7961916f3 ("tls: fix race between async notify and socket close")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 2c6841c88201e13967583f0f8a9f9b54b9cde404)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I7355c32d284623e08650c4d2b2a7d3be40f0cc0c
commit 16603605b667b70da974bea8216c93e7db043bf1 upstream.
Anonymous sets are never used with timeout from userspace, reject this.
Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.
Bug: 329055463
Cc: stable@vger.kernel.org
Fixes: 761da2935d ("netfilter: nf_tables: add set timeout API support")
Reported-by: lonial con <kongln9170@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 72c1efe3f247a581667b7d368fff3bd9a03cd57a)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I8c1c818e3d155d5edefee0b741568104081efb38
This reverts commit 6bad1052c2, it is the
LTS merge that had to previously get reverted due to being merged too
early.
Cc: Todd Kjos <tkjos@google.com>
Change-Id: I31b7d660bd833cf022ac4870f6d01e723fda5182
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit e26d3009efda338f19016df4175f354a9bd0a4ab upstream.
Never used from userspace, disallow these parameters.
Bug: 329205828
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b7be6c737a179a76901c872f6b4c1d00552d9a1b)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I3d8358a6dee3246e3ac56697dbb2be8fdc5f716f
This reverts commit 1dbafe61e3.
Reason for revert: Too early. Needs to wait until 2024-03-27
Change-Id: I769b944bd089aa2278659ec87f7ba4ac4e74ee4a
Signed-off-by: Todd Kjos <tkjos@google.com>
[ Upstream commit 32b55c5ff9103b8508c1e04bfa5a08c64e7a925f ]
tls_decrypt_sg doesn't take a reference on the pages from clear_skb,
so the put_page() in tls_decrypt_done releases them, and we trigger
a use-after-free in process_rx_list when we try to read from the
partially-read skb.
Bug: 326214405
Fixes: fd31f3996a ("tls: rx: decrypt into a fresh skb")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d684763534b969cca1022e2a28645c7cc91f7fa5)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ifdd765d0af082523d1432436b6f6d2c094c48dca
Commit 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4
packets.") checks DODGY bit for UDP, but for packets that can be fed
directly to the device after gso_segs reset, it actually falls through
to fragmentation:
https://lore.kernel.org/all/CAJPywTKDdjtwkLVUW6LRA2FU912qcDmQOQGt2WaDo28KzYDg+A@mail.gmail.com/
This change restores the expected behavior of GSO_UDP_L4 packets.
Fixes: 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 packets.")
Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Change-Id: Id7ff0fac79fb0b4fabb62b09a905f27a5e8cfea7
(cherry picked from commit 9840036786d90cea11a90d1f30b6dc003b34ee67)
[lena: Resolved conflict in net/ipv6/udp_offload.c ]
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit 60c0c230c6f046da536d3df8b39a20b9a9fd6af0 upstream.
rbtree lazy gc on insert might collect an end interval element that has
been just added in this transactions, skip end interval elements that
are not yet active.
Bug: 325477234
Fixes: f718863aca46 ("netfilter: nft_set_rbtree: fix overlap expiration walk")
Cc: stable@vger.kernel.org
Reported-by: lonial con <kongln9170@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1296c110c5)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I42f7bca418d47948292b15ace9f371b81ccd7fe8
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmWy7o0ACgkQONu9yGCS
aT76JA/9Gh3VNSLG35LaLyq3xGd827N6DPsMzeFHi+MGSyPVg0auE77QkHD/gZl9
KynmBmz2+9DSoFxymWAS9oEPM8d/vw87AMuSTTct3GKkjEeUcj9lbeOEzgZydXX8
cJSXvcCeKE3FESU/YbQKxo0N+r7tUDmnCR0edss5/FpYni3jPdg7jdESzGhiCHXj
r5rjrTE6h7Z/d+2kaKqlheL4o4OkV0YwnFnU2gC3MOOvLmgvXdOVQQsyaZ+WgSAN
0JS0Q6Xk1xyYWx8iFaLGWIs1pUsQPKxIiRG3N/1KmXITopf2Pu68Yy7ST+YryDkO
nLcNrr3gsQxrM6MYnEhLzlxs3H1KuAVxJ4Y/dNqJnDxn0OJjcY3repwempz5Sxtk
0OLDOsCICAiMHeF8rYIGhm09WdowLz0EH+sqadIGqWKzW/BcXqD+r9mpF1lwk1ZL
FJLgLmtOaG4amI46lEUHQ6ujN7Oad3gLYzudq2zKLeqonSIjm1TuDoMRvHWFsspO
5i9I0x7Vlo3PqCl7kkKVL9PvVHx6BXJGFShABJqa9ao/oHxkOWuIt26pxUoLUN3P
7Wa5WnfdlDd9nR3VGHcVe2ncuRmEfuriYpXvItJ7/KJKyIPkGoPehAh+vbZMoEy0
DwhtD9PPsTlnUufbcZdHavYA1E4y/uXDMOIGB+ERpsTdXh9DwEo=
=2XHn
-----END PGP SIGNATURE-----
Merge 6.1.75 into android14-6.1-lts
Changes in 6.1.75
x86/lib: Fix overflow when counting digits
x86/mce/inject: Clear test status value
EDAC/thunderx: Fix possible out-of-bounds string access
powerpc: remove checks for binutils older than 2.25
powerpc: add crtsavres.o to always-y instead of extra-y
powerpc/44x: select I2C for CURRITUCK
powerpc/pseries/memhp: Fix access beyond end of drmem array
selftests/powerpc: Fix error handling in FPU/VMX preemption tests
powerpc/powernv: Add a null pointer check to scom_debug_init_one()
powerpc/powernv: Add a null pointer check in opal_event_init()
powerpc/powernv: Add a null pointer check in opal_powercap_init()
powerpc/imc-pmu: Add a null pointer check in update_events_in_group()
spi: spi-zynqmp-gqspi: fix driver kconfig dependencies
mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response
ACPI: video: check for error while searching for backlight device parent
ACPI: LPIT: Avoid u32 multiplication overflow
KEYS: encrypted: Add check for strsep
platform/x86/intel/vsec: Enhance and Export intel_vsec_add_aux()
platform/x86/intel/vsec: Support private data
platform/x86/intel/vsec: Use mutex for ida_alloc() and ida_free()
platform/x86/intel/vsec: Fix xa_alloc memory leak
of: Add of_property_present() helper
cpufreq: Use of_property_present() for testing DT property presence
cpufreq: scmi: process the result of devm_of_clk_add_hw_provider()
calipso: fix memory leak in netlbl_calipso_add_pass()
efivarfs: force RO when remounting if SetVariable is not supported
efivarfs: Free s_fs_info on unmount
spi: sh-msiof: Enforce fixed DTDL for R-Car H3
ACPI: LPSS: Fix the fractional clock divider flags
ACPI: extlog: Clear Extended Error Log status when RAS_CEC handled the error
kunit: debugfs: Fix unchecked dereference in debugfs_print_results()
mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket
crypto: virtio - Handle dataq logic with tasklet
crypto: sa2ul - Return crypto_aead_setkey to transfer the error
crypto: ccp - fix memleak in ccp_init_dm_workarea
crypto: af_alg - Disallow multiple in-flight AIO requests
crypto: safexcel - Add error handling for dma_map_sg() calls
crypto: sahara - remove FLAGS_NEW_KEY logic
crypto: sahara - fix cbc selftest failure
crypto: sahara - fix ahash selftest failure
crypto: sahara - fix processing requests with cryptlen < sg->length
crypto: sahara - fix error handling in sahara_hw_descriptor_create()
crypto: hisilicon/qm - save capability registers in qm init process
crypto: hisilicon/zip - add zip comp high perf mode configuration
crypto: hisilicon/qm - add a function to set qm algs
crypto: hisilicon/hpre - save capability registers in probe process
crypto: hisilicon/sec2 - save capability registers in probe process
crypto: hisilicon/zip - save capability registers in probe process
pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
erofs: fix memory leak on short-lived bounced pages
fs: indicate request originates from old mount API
gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
crypto: virtio - Wait for tasklet to complete on device remove
crypto: sahara - avoid skcipher fallback code duplication
crypto: sahara - handle zero-length aes requests
crypto: sahara - fix ahash reqsize
crypto: sahara - fix wait_for_completion_timeout() error handling
crypto: sahara - improve error handling in sahara_sha_process()
crypto: sahara - fix processing hash requests with req->nbytes < sg->length
crypto: sahara - do not resize req->src when doing hash operations
crypto: scomp - fix req->dst buffer overflow
csky: fix arch_jump_label_transform_static override
blocklayoutdriver: Fix reference leak of pnfs_device_node
NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT
SUNRPC: fix _xprt_switch_find_current_entry logic
pNFS: Fix the pnfs block driver's calculation of layoutget size
wifi: plfxlc: check for allocation failure in plfxlc_usb_wreq_async()
wifi: rtw88: fix RX filter in FIF_ALLMULTI flag
bpf, lpm: Fix check prefixlen before walking trie
bpf: Add crosstask check to __bpf_get_stack
wifi: ath11k: Defer on rproc_get failure
wifi: libertas: stop selecting wext
ARM: dts: qcom: apq8064: correct XOADC register address
net/ncsi: Fix netlink major/minor version numbers
firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create()
firmware: meson_sm: populate platform devices from sm device tree data
wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior
arm64: dts: ti: k3-am62a-main: Fix GPIO pin count in DT nodes
arm64: dts: ti: k3-am65-main: Fix DSS irq trigger type
selftests/bpf: Fix erroneous bitmask operation
md: synchronize flush io with array reconfiguration
bpf: enforce precision of R0 on callback return
ARM: dts: qcom: sdx65: correct SPMI node name
arm64: dts: qcom: sc7180: Make watchdog bark interrupt edge triggered
arm64: dts: qcom: sc7280: Mark some nodes as 'reserved'
arm64: dts: qcom: sc7280: Make watchdog bark interrupt edge triggered
arm64: dts: qcom: sdm845: Make watchdog bark interrupt edge triggered
arm64: dts: qcom: sm8150: Make watchdog bark interrupt edge triggered
arm64: dts: qcom: sm8250: Make watchdog bark interrupt edge triggered
arm64: dts: qcom: sc8280xp: Make watchdog bark interrupt edge triggered
arm64: dts: qcom: sm6350: Make watchdog bark interrupt edge triggered
rcu-tasks: Provide rcu_trace_implies_rcu_gp()
bpf: add percpu stats for bpf_map elements insertions/deletions
bpf: Add map and need_defer parameters to .map_fd_put_ptr()
bpf: Defer the free of inner map when necessary
selftests/net: specify the interface when do arping
bpf: fix check for attempt to corrupt spilled pointer
scsi: fnic: Return error if vmalloc() failed
arm64: dts: qcom: qrb5165-rb5: correct LED panic indicator
arm64: dts: qcom: sdm845-db845c: correct LED panic indicator
arm64: dts: qcom: sm8350: Fix DMA0 address
arm64: dts: qcom: sc7280: Fix up GPU SIDs
arm64: dts: qcom: sc7280: Mark Adreno SMMU as DMA coherent
arm64: dts: qcom: sc7280: fix usb_2 wakeup interrupt types
wifi: mt76: mt7921s: fix workqueue problem causes STA association fail
bpf: Fix verification of indirect var-off stack access
arm64: dts: hisilicon: hikey970-pmic: fix regulator cells properties
dt-bindings: media: mediatek: mdp3: correct RDMA and WROT node with generic names
arm64: dts: mediatek: mt8183: correct MDP3 DMA-related nodes
wifi: mt76: mt7921: fix country count limitation for CLC
selftests/bpf: Relax time_tai test for equal timestamps in tai_forward
block: Set memalloc_noio to false on device_add_disk() error path
arm64: dts: renesas: white-hawk-cpu: Fix missing serial console pin control
arm64: dts: imx8mm: Reduce GPU to nominal speed
scsi: hisi_sas: Replace with standard error code return value
scsi: hisi_sas: Rollback some operations if FLR failed
scsi: hisi_sas: Correct the number of global debugfs registers
ARM: dts: stm32: don't mix SCMI and non-SCMI board compatibles
selftests/net: fix grep checking for fib_nexthop_multiprefix
ipmr: support IP_PKTINFO on cache report IGMP msg
virtio/vsock: fix logic which reduces credit update messages
dma-mapping: clear dev->dma_mem to NULL after freeing it
soc: qcom: llcc: Fix dis_cap_alloc and retain_on_pc configuration
arm64: dts: qcom: sm8150-hdk: fix SS USB regulators
block: add check of 'minors' and 'first_minor' in device_add_disk()
arm64: dts: qcom: sc7280: Mark SDHCI hosts as cache-coherent
arm64: dts: qcom: ipq6018: fix clock rates for GCC_USB0_MOCK_UTMI_CLK
arm64: dts: qcom: ipq6018: improve pcie phy pcs reg table
arm64: dts: qcom: ipq6018: Use lowercase hex
arm64: dts: qcom: ipq6018: Pad addresses to 8 hex digits
arm64: dts: qcom: ipq6018: Fix up indentation
wifi: rtlwifi: add calculate_bit_shift()
wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift()
wifi: rtlwifi: rtl8192c: using calculate_bit_shift()
wifi: rtlwifi: rtl8192cu: using calculate_bit_shift()
wifi: rtlwifi: rtl8192ce: using calculate_bit_shift()
wifi: rtlwifi: rtl8192de: using calculate_bit_shift()
wifi: rtlwifi: rtl8192ee: using calculate_bit_shift()
wifi: rtlwifi: rtl8192se: using calculate_bit_shift()
wifi: iwlwifi: mvm: set siso/mimo chains to 1 in FW SMPS request
wifi: iwlwifi: mvm: send TX path flush in rfkill
netfilter: nf_tables: mark newset as dead on transaction abort
Bluetooth: Fix bogus check for re-auth no supported with non-ssp
Bluetooth: btmtkuart: fix recv_buf() return value
block: make BLK_DEF_MAX_SECTORS unsigned
null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS
bpf: sockmap, fix proto update hook to avoid dup calls
sctp: support MSG_ERRQUEUE flag in recvmsg()
sctp: fix busy polling
net/sched: act_ct: fix skb leak and crash on ooo frags
mlxbf_gige: Fix intermittent no ip issue
mlxbf_gige: Enable the GigE port in mlxbf_gige_open
ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
ARM: davinci: always select CONFIG_CPU_ARM926T
Revert "drm/tidss: Annotate dma-fence critical section in commit path"
Revert "drm/omapdrm: Annotate dma-fence critical section in commit path"
drm/panfrost: Really power off GPU cores in panfrost_gpu_power_off()
RDMA/usnic: Silence uninitialized symbol smatch warnings
RDMA/hns: Fix inappropriate err code for unsupported operations
drm/panel-elida-kd35t133: hold panel in reset for unprepare
drm/nouveau/fence:: fix warning directly dereferencing a rcu pointer
drm/bridge: tpd12s015: Drop buggy __exit annotation for remove function
drm/tilcdc: Fix irq free on unload
media: pvrusb2: fix use after free on context disconnection
media: mtk-jpegdec: export jpeg decoder functions
media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the crash of multi-core JPEG devices
media: verisilicon: Hook the (TRY_)DECODER_CMD stateless ioctls
media: rkvdec: Hook the (TRY_)DECODER_CMD stateless ioctls
drm/bridge: Fix typo in post_disable() description
f2fs: fix to avoid dirent corruption
drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg()
drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check()
drm/radeon: check return value of radeon_ring_lock()
drm/tidss: Move reset to the end of dispc_init()
drm/tidss: Return error value from from softreset
drm/tidss: Check for K2G in in dispc_softreset()
drm/tidss: Fix dss reset
ASoC: cs35l33: Fix GPIO name and drop legacy include
ASoC: cs35l34: Fix GPIO name and drop legacy include
drm/msm/mdp4: flush vblank event on disable
drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks
drm/drv: propagate errors from drm_modeset_register_all()
ASoC: Intel: glk_rt5682_max98357a: fix board id mismatch
drm/panfrost: Ignore core_mask for poweroff and disable PWRTRANS irq
drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()
drm/radeon/dpm: fix a memleak in sumo_parse_power_table
drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table
drm/bridge: cdns-mhdp8546: Fix use of uninitialized variable
drm/bridge: tc358767: Fix return value on error case
media: cx231xx: fix a memleak in cx231xx_init_isoc
RDMA/hns: Fix memory leak in free_mr_init()
clk: qcom: gpucc-sm8150: Update the gpu_cc_pll1 config
media: imx-mipi-csis: Fix clock handling in remove()
media: dt-bindings: media: rkisp1: Fix the port description for the parallel interface
media: rkisp1: Fix media device memory leak
drm/panel: st7701: Fix AVCL calculation
f2fs: fix to wait on block writeback for post_read case
f2fs: fix to check compress file in f2fs_move_file_range()
f2fs: fix to update iostat correctly in f2fs_filemap_fault()
media: dvbdev: drop refcount on error path in dvb_device_open()
media: dvb-frontends: m88ds3103: Fix a memory leak in an error handling path of m88ds3103_probe()
clk: renesas: rzg2l-cpg: Reuse code in rzg2l_cpg_reset()
clk: renesas: rzg2l: Check reset monitor registers
drm/msm/dpu: Set input_sel bit for INTF
drm/msm/dpu: Drop enable and frame_count parameters from dpu_hw_setup_misr()
drm/mediatek: Return error if MDP RDMA failed to enable the clock
drm/mediatek: Fix underrun in VDO1 when switches off the layer
drm/amdgpu/debugfs: fix error code when smc register accessors are NULL
drm/amd/pm: fix a double-free in si_dpm_init
drivers/amd/pm: fix a use-after-free in kv_parse_power_table
gpu/drm/radeon: fix two memleaks in radeon_vm_init
drm/amd/pm: fix a double-free in amdgpu_parse_extended_power_table
f2fs: fix to check return value of f2fs_recover_xattr_data
dt-bindings: clock: Update the videocc resets for sm8150
clk: qcom: videocc-sm8150: Update the videocc resets
clk: qcom: videocc-sm8150: Add missing PLL config property
drivers: clk: zynqmp: calculate closest mux rate
drivers: clk: zynqmp: update divider round rate logic
watchdog: set cdev owner before adding
watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO
watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling
watchdog: rti_wdt: Drop runtime pm reference count when watchdog is unused
clk: si5341: fix an error code problem in si5341_output_clk_set_rate
drm/mediatek: dp: Add phy_mtk_dp module as pre-dependency
accel/habanalabs: fix information leak in sec_attest_info()
clk: fixed-rate: fix clk_hw_register_fixed_rate_with_accuracy_parent_hw
pwm: stm32: Use regmap_clear_bits and regmap_set_bits where applicable
pwm: stm32: Use hweight32 in stm32_pwm_detect_channels
pwm: stm32: Fix enable count for clk in .probe()
ASoC: rt5645: Drop double EF20 entry from dmi_platform_data[]
ALSA: scarlett2: Add missing error check to scarlett2_config_save()
ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()
ALSA: scarlett2: Allow passing any output to line_out_remap()
ALSA: scarlett2: Add missing error checks to *_ctl_get()
ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()
mmc: sdhci_am654: Fix TI SoC dependencies
mmc: sdhci_omap: Fix TI SoC dependencies
IB/iser: Prevent invalidating wrong MR
drm/amdkfd: Confirm list is non-empty before utilizing list_first_entry in kfd_topology.c
drm/amd/pm/smu7: fix a memleak in smu7_hwmgr_backend_init
kselftest/alsa - mixer-test: fix the number of parameters to ksft_exit_fail_msg()
kselftest/alsa - mixer-test: Fix the print format specifier warning
ksmbd: validate the zero field of packet header
of: Fix double free in of_parse_phandle_with_args_map
fbdev: imxfb: fix left margin setting
of: unittest: Fix of_count_phandle_with_args() expected value message
selftests/bpf: Add assert for user stacks in test_task_stack
keys, dns: Fix size check of V1 server-list header
binder: fix async space check for 0-sized buffers
binder: fix unused alloc->free_async_space
mips/smp: Call rcutree_report_cpu_starting() earlier
Input: atkbd - use ab83 as id when skipping the getid command
xen-netback: don't produce zero-size SKB frags
binder: fix race between mmput() and do_exit()
clocksource/drivers/timer-ti-dm: Fix make W=n kerneldoc warnings
powerpc/64s: Increase default stack size to 32KB
tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug
usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host()
usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart
Revert "usb: dwc3: Soft reset phy on probe for host"
Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only"
usb: chipidea: wait controller resume finished for wakeup irq
usb: cdns3: fix uvc failure work since sg support enabled
usb: cdns3: fix iso transfer error when mult is not zero
usb: cdns3: Fix uvc fail when DMA cross 4k boundery since sg enabled
Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs"
usb: typec: class: fix typec_altmode_put_partner to put plugs
usb: mon: Fix atomicity violation in mon_bin_vma_fault
serial: core: fix sanitizing check for RTS settings
serial: core: make sure RS485 cannot be enabled when it is not supported
serial: 8250_bcm2835aux: Restore clock error handling
serial: core, imx: do not set RS485 enabled if it is not supported
serial: imx: Ensure that imx_uart_rs485_config() is called with enabled clock
serial: 8250_exar: Set missing rs485_supported flag
serial: omap: do not override settings for RS485 support
drm/vmwgfx: Fix possible invalid drm gem put calls
drm/vmwgfx: Keep a gem reference to user bos in surfaces
ALSA: oxygen: Fix right channel of capture volume mixer
ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq2xxx
ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on HP ZBook
ALSA: hda/realtek: Enable headset mic on Lenovo M70 Gen5
ksmbd: validate mech token in session setup
ksmbd: fix UAF issue in ksmbd_tcp_new_connection()
ksmbd: only v2 leases handle the directory
io_uring/rw: ensure io->bytes_done is always initialized
fbdev: flush deferred work in fb_deferred_io_fsync()
fbdev: flush deferred IO before closing
scsi: ufs: core: Simplify power management during async scan
scsi: target: core: add missing file_{start,end}_write()
scsi: mpi3mr: Refresh sdev queue depth after controller reset
scsi: mpi3mr: Block PEL Enable Command on Controller Reset and Unrecoverable State
drm/amd: Enable PCIe PME from D3
block: add check that partition length needs to be aligned with block size
block: Fix iterating over an empty bio with bio_for_each_folio_all
netfilter: nf_tables: check if catch-all set element is active in next generation
pwm: jz4740: Don't use dev_err_probe() in .request()
pwm: Fix out-of-bounds access in of_pwm_single_xlate()
md/raid1: Use blk_opf_t for read and write operations
rootfs: Fix support for rootfstype= when root= is given
Bluetooth: Fix atomicity violation in {min,max}_key_size_set
bpf: Fix re-attachment branch in bpf_tracing_prog_attach
LoongArch: Fix and simplify fcsr initialization on execve()
iommu/arm-smmu-qcom: Add missing GMU entry to match table
iommu/dma: Trace bounce buffer usage when mapping buffers
wifi: mt76: fix broken precal loading from MTD for mt7915
wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code
wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors
wifi: mwifiex: configure BSSID consistently when starting AP
Revert "net: rtnetlink: Enslave device before bringing it up"
cxl/port: Fix decoder initialization when nr_targets > interleave_ways
PCI/P2PDMA: Remove reference to pci_p2pdma_map_sg()
PCI: dwc: endpoint: Fix dw_pcie_ep_raise_msix_irq() alignment support
PCI: mediatek: Clear interrupt status before dispatching handler
x86/kvm: Do not try to disable kvmclock if it was not enabled
KVM: arm64: vgic-v4: Restore pending state on host userspace write
KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache
iio: adc: ad7091r: Pass iio_dev to event handler
HID: wacom: Correct behavior when processing some confidence == false touches
serial: sc16is7xx: add check for unsupported SPI modes during probe
serial: sc16is7xx: set safe default SPI clock frequency
ARM: 9330/1: davinci: also select PINCTRL
mfd: syscon: Fix null pointer dereference in of_syscon_register()
leds: aw2013: Select missing dependency REGMAP_I2C
mfd: intel-lpss: Fix the fractional clock divider flags
mips: dmi: Fix early remap on MIPS32
mips: Fix incorrect max_low_pfn adjustment
riscv: Check if the code to patch lies in the exit section
riscv: Fix module_alloc() that did not reset the linear mapping permissions
riscv: Fix set_memory_XX() and set_direct_map_XX() by splitting huge linear mappings
riscv: Fix set_direct_map_default_noflush() to reset _PAGE_EXEC
riscv: Fixed wrong register in XIP_FIXUP_FLASH_OFFSET macro
MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup()
MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup()
power: supply: cw2015: correct time_to_empty units in sysfs
power: supply: bq256xx: fix some problem in bq256xx_hw_init
serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed
libapi: Add missing linux/types.h header to get the __u64 type on io.h
base/node.c: initialize the accessor list before registering
acpi: property: Let args be NULL in __acpi_node_get_property_reference
software node: Let args be NULL in software_node_get_reference_args
serial: imx: fix tx statemachine deadlock
selftests/sgx: Fix uninitialized pointer dereference in error path
selftests/sgx: Fix uninitialized pointer dereferences in encl_get_entry
selftests/sgx: Include memory clobber for inline asm in test enclave
selftests/sgx: Skip non X86_64 platform
iio: adc: ad9467: fix reset gpio handling
iio: adc: ad9467: don't ignore error codes
iio: adc: ad9467: fix scale setting
perf header: Fix one memory leakage in perf_event__fprintf_event_update()
perf hisi-ptt: Fix one memory leakage in hisi_ptt_process_auxtrace_event()
perf genelf: Set ELF program header addresses properly
tty: change tty_write_lock()'s ndelay parameter to bool
tty: early return from send_break() on TTY_DRIVER_HARDWARE_BREAK
tty: don't check for signal_pending() in send_break()
tty: use 'if' in send_break() instead of 'goto'
usb: cdc-acm: return correct error code on unsupported break
spmi: mtk-pmif: Serialize PMIF status check and command submission
vdpa: Fix an error handling path in eni_vdpa_probe()
nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length
nvmet-tcp: fix a crash in nvmet_req_complete()
perf env: Avoid recursively taking env->bpf_progs.lock
cxl/region: fix x9 interleave typo
apparmor: avoid crash when parsed profile name is empty
usb: xhci-mtk: fix a short packet issue of gen1 isoc-in transfer
serial: imx: Correct clock error message in function probe()
nvmet: re-fix tracing strncpy() warning
nvme: trace: avoid memcpy overflow warning
nvmet-tcp: Fix the H2C expected PDU len calculation
PCI: keystone: Fix race condition when initializing PHYs
PCI: mediatek-gen3: Fix translation window size calculation
ASoC: mediatek: sof-common: Add NULL check for normal_link string
s390/pci: fix max size calculation in zpci_memcpy_toio()
net: qualcomm: rmnet: fix global oob in rmnet_policy
net: ethernet: ti: am65-cpsw: Fix max mtu to fit ethernet frames
amt: do not use overwrapped cb area
net: phy: micrel: populate .soft_reset for KSZ9131
mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN
mptcp: strict validation before using mp_opt->hmac
mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()
mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req()
mptcp: refine opt_mp_capable determination
block: ensure we hold a queue reference when using queue limits
udp: annotate data-races around up->pending
net: ravb: Fix dma_addr_t truncation in error case
dt-bindings: gpio: xilinx: Fix node address in gpio
drm/amdkfd: Use resource_size() helper function
drm/amdkfd: fixes for HMM mem allocation
net: stmmac: ethtool: Fixed calltrace caused by unbalanced disable_irq_wake calls
bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS
net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe
LoongArch: BPF: Prevent out-of-bounds memory access
mptcp: relax check on MPC passive fallback
netfilter: nf_tables: reject invalid set policy
netfilter: nft_limit: do not ignore unsupported flags
netfilter: nfnetlink_log: use proper helper for fetching physinif
netfilter: nf_queue: remove excess nf_bridge variable
netfilter: propagate net to nf_bridge_get_physindev
netfilter: bridge: replace physindev with physinif in nf_bridge_info
netfilter: nf_tables: do not allow mismatch field size and set key length
netfilter: nf_tables: skip dead set elements in netlink dump
netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description
ipvs: avoid stat macros calls from preemptible context
kdb: Fix a potential buffer overflow in kdb_local()
ethtool: netlink: Add missing ethnl_ops_begin/complete
loop: fix the the direct I/O support check when used on top of block devices
mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure
selftests: mlxsw: qos_pfc: Adjust the test to support 8 lanes
ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work
i2c: s3c24xx: fix read transfers in polling mode
i2c: s3c24xx: fix transferring more than one message in polling mode
block: Remove special-casing of compound pages
riscv: Fix wrong usage of lm_alias() when splitting a huge linear mapping
Revert "KEYS: encrypted: Add check for strsep"
arm64: dts: armada-3720-turris-mox: set irq type for RTC
Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d""
Linux 6.1.75
Change-Id: I60398ecc9a2e50206fd9d25c0d6c9ad6e1ca71a0
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
We need the updates in the normal branch due to the symbol changes
happening. This consists of the following changes:
* 92432f07d6 ANDROID: GKI: Update the ABI symbol list
* b86713e341 UPSTREAM: virtio: Add support for no-reset virtio PCI PM
* 7dc3b2e49e UPSTREAM: netfilter: nf_tables: check if catch-all set element is active in next generation
* 8d4d76a2bd UPSTREAM: net: tls, update curr on splice as well
* 9e2b775333 ANDROID: Update the ABI symbol list
* 5a1f8b6b46 ANDROID: Add pci_read_config_word to virtual device symbol list
* e356cae969 ANDROID: Export kthread_set_per_cpu
* 81c922621d ANDROID: GKI: fix ABI breakage in struct ipv6_devconf
* 20131b787f Reapply "net: release reference to inet6_dev pointer"
* c2c0273029 Reapply "net: change accept_ra_min_rtr_lft to affect all RA lifetimes"
* a8053aadca Reapply "net: add sysctl accept_ra_min_rtr_lft"
* fc6c1b3acb ANDROID: GKI: explicit include of stringify.h
* 8481b97df5 BACKPORT: erofs: fix infinite loop due to a race of filling compressed_bvecs
* 886c9d1fc2 ANDROID: arm64: virt: Invalidate tlb once the balloon before reporting/inflating
* 4aedc102c3 ANDROID: arm64: virt: Make the page_relinquish call generic
* d3f73f0452 UPSTREAM: drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks
* df2fe1add7 UPSTREAM: drm/msm/dsi: Enable runtime PM
* 6053d8ffd4 UPSTREAM: arm64: scs: Disable LTO for SCS patching code
* 696293ef72 ANDROID: GKI: Update symbol list for mtk
* 6338e41509 BACKPORT: f2fs: Restrict max filesize for 16K f2fs
* 8c8bcbdf0b BACKPORT: f2fs: Support Block Size == Page Size
* eb20497d6d ANDROID: abi_gki_aarch64_qcom: Update symbol list
* 1e6c1ca9a2 UPSTREAM: usb: typec: tcpm: fix the PD disabled case
* ba97ad7b91 UPSTREAM: netfilter: nf_tables: reject QUEUE/DROP verdict parameters
* 76f0396b57 ANDROID: ABI: Update oplus symbol list
* 016b640235 ANDROID: fuse: Fix the issue of fuse_dentry_canonical_path
* 5eb1cbb384 ANDROID: Update the ABI symbol list
* b53c3cb351 ANDROID: Export cpufreq_driver_test_flags()
* 9b476ebe99 ANDROID: Build null_blk and scsi_debug as kernel modules
* 01472f3af1 ANDROID: GKI: Update the pixel symbol list
* fbcd29ac45 ANDROID: usb: dwc3: export tracepoint for dwc3 read/write
* 0123832f68 ANDROID: scsi: ufs: add vendor hook to override key reprogramming
* 7ce117301e ANDROID: vendor_hooks: Add hook for binder_detect_low_async_space_locked
* 7b6a6228df ANDROID: Update the ABI symbol list
* db94de2a17 ANDROID: Update the ABI representation
* e08371bcf5 UPSTREAM: usb: typec: tcpm: Support multiple capabilities
* 4025820c61 UPSTREAM: usb: typec: tcpm: Parse Accessory Mode information
Change-Id: Ibe422d476544081f14095e025b2a77ab70c577df
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7 upstream.
When deactivating the catch-all set element, check the state in the next
generation that represents this transaction.
This bug uncovered after the recent removal of the element busy mark
a2dd0233cbc4 ("netfilter: nf_tables: remove busy mark and gc batch API").
Bug: 323034444
Fixes: aaa31047a6 ("netfilter: nftables: add catch-all set element support")
Cc: stable@vger.kernel.org
Reported-by: lonial con <kongln9170@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit a372f1d01b)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I40ac92a33db48a2709079d27d7d529946ba297c7
commit c5a595000e2677e865a39f249c056bc05d6e55fd upstream.
The curr pointer must also be updated on the splice similar to how
we do this for other copy types.
Bug: 322282717
Fixes: d829e9c411 ("tls: convert to generic sk_msg interface")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Reported-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20231206232706.374377-2-john.fastabend@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ba5efd8544fa62ae85daeb36077468bf2ce974ab)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: If942207e6338993096c9fbc8ce4c23a6bbecaf2e
commit f342de4e2f33e0e39165d8639387aa6c19dff660 upstream.
This reverts commit e0abdadcc6.
core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
or 0.
Due to the reverted commit, its possible to provide a positive
value, e.g. NF_ACCEPT (1), which results in use-after-free.
Its not clear to me why this commit was made.
NF_QUEUE is not used by nftables; "queue" rules in nftables
will result in use of "nft_queue" expression.
If we later need to allow specifiying errno values from userspace
(do not know why), this has to call NF_DROP_GETERR and check that
"err <= 0" holds true.
Bug: 323034288
Fixes: e0abdadcc6 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters")
Cc: stable@vger.kernel.org
Reported-by: Notselwyn <notselwyn@pwning.tech>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 8e34430e33)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ie6c699cea6f92cd4a7642f196d5f5cbffe268a6d
Backmerge the latest android14-6.1 changes into the lts branch to keep
up to date. Contains the following commits:
* 3578913b2e UPSTREAM: net/rose: Fix Use-After-Free in rose_ioctl
* 8fbed1ea00 UPSTREAM: ida: Fix crash in ida_free when the bitmap is empty
* 6ce5bb744e ANDROID: GKI: Update symbol list for mtk
* 7cbad58851 Reapply "perf: Disallow mis-matched inherited group reads"
* 067a03c44e ANDROID: GKI: Add Pasa symbol list
* b6be1a36f7 FROMGIT: mm: memcg: don't periodically flush stats when memcg is disabled
* d0e2d333f9 ANDROID: Update the ABI symbol list
* 10558542a1 ANDROID: sched: export update_misfit_status symbol
* a0b3b39898 ANDROID: GKI: Add ASR KMI symbol list
* 599710db0f FROMGIT: usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend
* 9265fa90c1 FROMLIST: usb: core: Prevent null pointer dereference in update_port_device_state
* 2730733d54 ANDROID: gki_defconfig: Enable CONFIG_NVME_MULTIPATH
* 4f668f5682 BACKPORT: irqchip/gic-v3: Work around affinity issues on ASR8601
* 473a871315 BACKPORT: irqchip/gic-v3: Improve affinity helper
* 6c32acf537 UPSTREAM: sched/fair: Limit sched slice duration
* 7088d250bf ANDROID: Update the ABI symbol list
* c249740414 ANDROID: idle_inject: Export function symbols
* 990d341477 ANDROID: Update the ABI symbol list
* be92a6a1b4 ANDROID: GKI: Remove CONFIG_MEDIA_CEC_RC
* fa9ac43f16 BACKPORT: usb: host: xhci: Avoid XHCI resume delay if SSUSB device is not present
* f27fc6ba23 Merge "Merge tag 'android14-6.1.68_r00' into branch 'android14-6.1'" into android14-6.1
|\
| * 0177cfb2a2 Merge tag 'android14-6.1.68_r00' into branch 'android14-6.1'
* c96cea1a3c ANDROID: Update the ABI symbol list
* c2fbc12180 ANDROID: uid_sys_stats: Drop CONFIG_UID_SYS_STATS_DEBUG logic
* 90bd30bdef ANDROID: Update the ABI symbol list
* 3280560843 ANDROID: Update the ABI symbol list
* 427210e440 UPSTREAM: usb: gadget: uvc: Remove nested locking
* 9267e267be ANDROID: uid_sys_stats: Fully initialize uid_entry_tmp value
* 2d3f0c9d41 ANDROID: Roll back some code to fix system_server registers psi trigger failed.
* bd77c97c76 UPSTREAM: usb: gadget: uvc: Fix use are free during STREAMOFF
* 21c71a7d0e ANDROID: GKI: Add symbol list for Nothing
* aba5a3fe09 ANDROID: Enable CONFIG_LAZY_RCU in x86 gki_defconfig
* 204160394a ANDROID: fuse-bpf: Fix the issue of abnormal lseek system calls
* 947708f1ff ANDROID: ABI: Update symbol list for imx
* 7eedea7abf BACKPORT: PM: sleep: Fix possible deadlocks in core system-wide PM code
* e1a20dd9ff UPSTREAM: async: Introduce async_schedule_dev_nocall()
* e4b0e14f83 UPSTREAM: async: Split async_schedule_node_domain()
* 6b4c816d17 FROMGIT: BACKPORT: mm: update mark_victim tracepoints fields
* d97ea65296 ANDROID: Enable CONFIG_LAZY_RCU in arm64 gki_defconfig
* 90d68cedd1 FROMLIST: rcu: Provide a boot time parameter to control lazy RCU
* a079cc5876 ANDROID: rcu: Add a minimum time for marking boot as completed
* ffe09c06a8 UPSTREAM: rcu: Disable laziness if lazy-tracking says so
* d07488d26e UPSTREAM: rcu: Track laziness during boot and suspend
* 4316bd568b UPSTREAM: net: Use call_rcu_hurry() for dst_release()
* b9427245f0 UPSTREAM: workqueue: Make queue_rcu_work() use call_rcu_hurry()
* 72fdf7f606 UPSTREAM: percpu-refcount: Use call_rcu_hurry() for atomic switch
* ced65a053b UPSTREAM: io_uring: use call_rcu_hurry if signaling an eventfd
* 84c8157d06 UPSTREAM: rcu: Update synchronize_rcu_mult() comment for call_rcu_hurry()
* 3751416eeb UPSTREAM: scsi/scsi_error: Use call_rcu_hurry() instead of call_rcu()
* 52193e9489 UPSTREAM: rcu/rcutorture: Use call_rcu_hurry() where needed
* 83f8ba569f UPSTREAM: rcu/rcuscale: Use call_rcu_hurry() for async reader test
* 9b625f4978 UPSTREAM: rcu/sync: Use call_rcu_hurry() instead of call_rcu
* c570c8fea3 BACKPORT: rcu: Shrinker for lazy rcu
* 4957579439 UPSTREAM: rcu: Refactor code a bit in rcu_nocb_do_flush_bypass()
* 66a832fe38 UPSTREAM: rcu: Make call_rcu() lazy to save power
* 4fb09fb4f7 UPSTREAM: rcu: Fix missing nocb gp wake on rcu_barrier()
* 64c59ad2c3 UPSTREAM: rcu: Fix late wakeup when flush of bypass cblist happens
* 0799ace265 ANDROID: Update the ABI symbol list
* 65db2f8ed3 ANDROID: GKI: add GKI symbol list for Exynosauto SoC
* cfe8cce4e8 UPSTREAM: coresight: tmc: Don't enable TMC when it's not ready.
* 899194d7e9 UPSTREAM: netfilter: nf_tables: bail out on mismatching dynset and set expressions
* e6712ed4f0 ANDROID: ABI: Update oplus symbol list
* 24bb8fc82e ANDROID: vendor_hooks: add hooks in driver/android/binder.c
* 55930b39ca ANDROID: GKI: Update honda symbol list for xt_LOG
* 3160b69e20 ANDROID: GKI: Update honda symbol list for ebt filter
* 4dc7f98815 ANDROID: GKI: Update honda symbol list for ebtables
* 39a0823340 ANDROID: GKI: Update honda symbol list for net scheduler
* dd0098bdb4 ANDROID: GKI: Update honda symbol list for led-trigger
* 66a20ed4b8 ANDROID: GKI: Add initial symbol list for honda
* 28dbe4d613 ANDROID: GKI: add symbols to ABI
* 97100e867e FROMGIT: usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart
* 36248a15a7 FROMGIT: usb: dwc3: set pm runtime active before resume common
Change-Id: I8d9586a94c3182cd365d1e3b651a7552c7c9949b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 810c38a369a0a0ce625b5c12169abce1dd9ccd53 ]
Because rose_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with rose_accept().
A use-after-free for skb occurs with the following flow.
```
rose_ioctl() -> skb_peek()
rose_accept() -> skb_dequeue() -> kfree_skb()
```
Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.
Bug: 321175740
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Link: https://lore.kernel.org/r/20231209100538.GA407321@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 3f1f6a94d8858706863fe90da35663f6e24be274)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I94d2aae6221fb95cb285e1a6d0c6fe39a70e35d2
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmWrpWwACgkQONu9yGCS
aT4NCxAAy3cItCclN2JVrdjKW8htc81fhEhUdB1oDwz8+U9SJJ0E7psR0H8p8KTM
2OTT9pVhfaZ2Usjml/PVjzBxR26o4jsUV3Ls/GMbrGnUBwPXFUXI4WAFhPKOvc4W
IKffdO9SVFMQVygsCR02mld/BJiRp6Yak+p9z0Kmre74G+Wv7uq+yeYkqxJdIRZo
owg6UwItEQ+gxhK+eRw0Cdp4pXr7NARY8l4POWuFxMylKwLPACdr/MxFsmG5a3u7
Gzw+Gygmm9OZoX5R/qtgY2WodAO2WsAwiEKPfY1nNqQ/8lcGpmb6LqXwfY2ea4Mn
UMGonnxYcN8Xca4Eq2OTsAfe9E7NmdvRbLrhVM0RNepVZWaiaGJO7BXKiyVV1OY0
T5JJjZZexAuAJ183Vj8FYzp0V6FJn2f/U1rVaLwO4Fk4kBN5qaXWgaB3UP0BBlhM
nI1yjPY0Ti0j9OcZpCxKGzwLIyNX9njbIINCt2rdkAw25aJyjuzG+h76IMyz1q5+
cDf3Oet+FTkDr8W8FuH7AKMgRKhuXHm49xWnKHy4+PCA5zBnidNT8+ipaDgeCSS7
2kMM+F1LSb031Oys0V7Xqf1diWvdhpAhmaTYSpzF1QNIbPv4dsQOgeuRP1rqZcMc
RsqxNNkbqVIsuu9PE2x5pWQyqzeF6mDx+yJA/fSWm6N8akPEEpc=
=AE28
-----END PGP SIGNATURE-----
Merge 6.1.74 into android14-6.1-lts
Changes in 6.1.74
f2fs: explicitly null-terminate the xattr list
pinctrl: lochnagar: Don't build on MIPS
ALSA: hda - Fix speaker and headset mic pin config for CHUWI CoreBook XPro
mptcp: fix uninit-value in mptcp_incoming_options
wifi: cfg80211: lock wiphy mutex for rfkill poll
wifi: avoid offset calculation on NULL pointer
wifi: mac80211: handle 320 MHz in ieee80211_ht_cap_ie_to_sta_ht_cap
debugfs: fix automount d_fsdata usage
ALSA: hda: intel-nhlt: Ignore vbps when looking for DMIC 32 bps format
nvme-core: fix a memory leak in nvme_ns_info_from_identify()
drm/amd/display: update dcn315 lpddr pstate latency
drm/amdgpu: Fix cat debugfs amdgpu_regs_didt causes kernel null pointer
smb: client, common: fix fortify warnings
blk-mq: don't count completed flush data request as inflight in case of quiesce
nvme-core: check for too small lba shift
hwtracing: hisi_ptt: Handle the interrupt in hardirq context
hwtracing: hisi_ptt: Don't try to attach a task
ASoC: wm8974: Correct boost mixer inputs
arm64: dts: rockchip: fix rk356x pcie msg interrupt name
ASoC: Intel: Skylake: Fix mem leak in few functions
ASoC: nau8822: Fix incorrect type in assignment and cast to restricted __be16
ASoC: Intel: Skylake: mem leak in skl register function
ASoC: cs43130: Fix the position of const qualifier
ASoC: cs43130: Fix incorrect frame delay configuration
ASoC: rt5650: add mutex to avoid the jack detection failure
ASoC: Intel: skl_hda_dsp_generic: Drop HDMI routes when HDMI is not available
nouveau/tu102: flush all pdbs on vmm flush
ASoC: amd: yc: Add DMI entry to support System76 Pangolin 13
ASoC: hdac_hda: Conditionally register dais for HDMI and Analog
net/tg3: fix race condition in tg3_reset_task()
ASoC: da7219: Support low DC impedance headset
ASoC: ops: add correct range check for limiting volume
nvme: introduce helper function to get ctrl state
nvme: prevent potential spectre v1 gadget
arm64: dts: rockchip: Fix PCI node addresses on rk3399-gru
drm/amdgpu: Add NULL checks for function pointers
drm/exynos: fix a potential error pointer dereference
drm/exynos: fix a wrong error checking
hwmon: (corsair-psu) Fix probe when built-in
LoongArch: Preserve syscall nr across execve()
clk: rockchip: rk3568: Add PLL rate for 292.5MHz
clk: rockchip: rk3128: Fix HCLK_OTG gate register
jbd2: correct the printing of write_flags in jbd2_write_superblock()
jbd2: increase the journal IO's priority
drm/crtc: Fix uninit-value bug in drm_mode_setcrtc
neighbour: Don't let neigh_forced_gc() disable preemption for long
platform/x86: intel-vbtn: Fix missing tablet-mode-switch events
jbd2: fix soft lockup in journal_finish_inode_data_buffers()
tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing
tracing: Add size check when printing trace_marker output
stmmac: dwmac-loongson: drop useless check for compatible fallback
MIPS: dts: loongson: drop incorrect dwmac fallback compatible
tracing: Fix uaf issue when open the hist or hist_debug file
ring-buffer: Do not record in NMI if the arch does not support cmpxchg in NMI
Input: psmouse - enable Synaptics InterTouch for ThinkPad L14 G1
reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning
Input: atkbd - skip ATKBD_CMD_GETID in translated mode
Input: i8042 - add nomux quirk for Acer P459-G2-M
s390/scm: fix virtual vs physical address confusion
ARC: fix spare error
wifi: iwlwifi: pcie: avoid a NULL pointer dereference
Input: xpad - add Razer Wolverine V2 support
kselftest: alsa: fixed a print formatting warning
HID: nintendo: fix initializer element is not constant error
platform/x86: thinkpad_acpi: fix for incorrect fan reporting on some ThinkPad systems
ASoC: Intel: bytcr_rt5640: Add quirk for the Medion Lifetab S10346
ASoC: Intel: bytcr_rt5640: Add new swapped-speakers quirk
ALSA: hda/realtek: Add quirks for ASUS Zenbook 2022 Models
dm audit: fix Kconfig so DM_AUDIT depends on BLK_DEV_DM
HID: nintendo: Prevent divide-by-zero on code
smb: client: fix potential OOB in smb2_dump_detail()
i2c: rk3x: fix potential spinlock recursion on poll
drm/amd/display: get dprefclk ss info from integration info table
pinctrl: cy8c95x0: Fix typo
pinctrl: cy8c95x0: Fix get_pincfg
ida: Fix crash in ida_free when the bitmap is empty
virtio_blk: fix snprintf truncation compiler warning
net: qrtr: ns: Return 0 if server port is not present
ARM: sun9i: smp: fix return code check of of_property_match_string
drm/crtc: fix uninitialized variable use
ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 13-ay0xxx
ACPI: resource: Add another DMI match for the TongFang GMxXGxx
ASoC: SOF: Intel: hda-codec: Delay the codec device registration
btf, scripts: Exclude Rust CUs with pahole
bpf: Add --skip_encoding_btf_inconsistent_proto, --btf_gen_optimized to pahole flags for v1.25
ksmbd: don't allow O_TRUNC open on read-only share
ksmbd: free ppace array on error in parse_dacl
Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
binder: use EPOLLERR from eventpoll.h
binder: fix use-after-free in shinker's callback
binder: fix trivial typo of binder_free_buf_locked()
binder: fix comment on binder_alloc_new_buf() return value
uio: Fix use-after-free in uio_open
parport: parport_serial: Add Brainboxes BAR details
parport: parport_serial: Add Brainboxes device IDs and geometry
leds: ledtrig-tty: Free allocated ttyname buffer on deactivate
PCI: Add ACS quirk for more Zhaoxin Root Ports
coresight: etm4x: Fix width of CCITMIN field
scripts/decode_stacktrace.sh: optionally use LLVM utilities
Linux 6.1.74
Change-Id: Icd69871d2272d5c26e253cfe54d2a8b637e616b5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 2e7ef287f07c74985f1bf2858bedc62bd9ebf155 ]
idev->mc_ifc_count can be written over without proper locking.
Originally found by syzbot [1], fix this issue by encapsulating calls
to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with
mutex_lock() and mutex_unlock() accordingly as these functions
should only be called with mc_lock per their declarations.
[1]
BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work
write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:
mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]
ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725
addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949
addrconf_notify+0x310/0x980
notifier_call_chain kernel/notifier.c:93 [inline]
raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
__dev_notify_flags+0x205/0x3d0
dev_change_flags+0xab/0xd0 net/core/dev.c:8685
do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916
rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]
__rtnl_newlink net/core/rtnetlink.c:3717 [inline]
rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754
rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558
netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910
...
write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:
mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
worker_thread+0x525/0x730 kernel/workqueue.c:2781
...
Fixes: 2d9a93b490 ("mld: convert from timer to delayed work")
Reported-by: syzbot+a9400cabb1d784e49abf@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/000000000000994e09060ebcdffb@google.com/
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Acked-by: Taehee Yoo <ap420073@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://lore.kernel.org/r/20240117172102.12001-1-n.zhandarovich@fintech.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f1172f3ee3a98754d95b968968920a7d03fdebcc ]
Accessing an ethernet device that is powered off or clock gated might
cause the CPU to hang. Add ethnl_ops_begin/complete in
ethnl_set_features() to protect against this.
Fixes: 0980bfcd69 ("ethtool: set netdev features with FEATURES_SET request")
Signed-off-by: Ludvig Pärsson <ludvig.parsson@axis.com>
Link: https://lore.kernel.org/r/20240117-etht2-v2-1-1a96b6e8c650@axis.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit d6938c1c76c64f42363d0d1f051e1b4641c2ad40 ]
Inside decrement_ttl() upon discovering that the packet ttl has exceeded,
__IP_INC_STATS and __IP6_INC_STATS macros can be called from preemptible
context having the following backtrace:
check_preemption_disabled: 48 callbacks suppressed
BUG: using __this_cpu_add() in preemptible [00000000] code: curl/1177
caller is decrement_ttl+0x217/0x830
CPU: 5 PID: 1177 Comm: curl Not tainted 6.7.0+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xbd/0xe0
check_preemption_disabled+0xd1/0xe0
decrement_ttl+0x217/0x830
__ip_vs_get_out_rt+0x4e0/0x1ef0
ip_vs_nat_xmit+0x205/0xcd0
ip_vs_in_hook+0x9b1/0x26a0
nf_hook_slow+0xc2/0x210
nf_hook+0x1fb/0x770
__ip_local_out+0x33b/0x640
ip_local_out+0x2a/0x490
__ip_queue_xmit+0x990/0x1d10
__tcp_transmit_skb+0x288b/0x3d10
tcp_connect+0x3466/0x5180
tcp_v4_connect+0x1535/0x1bb0
__inet_stream_connect+0x40d/0x1040
inet_stream_connect+0x57/0xa0
__sys_connect_file+0x162/0x1a0
__sys_connect+0x137/0x160
__x64_sys_connect+0x72/0xb0
do_syscall_64+0x6f/0x140
entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7fe6dbbc34e0
Use the corresponding preemption-aware variants: IP_INC_STATS and
IP6_INC_STATS.
Found by Linux Verification Center (linuxtesting.org).
Fixes: 8d8e20e2d7 ("ipvs: Decrement ttl")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Julian Anastasov <ja@ssi.bg>
Acked-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 113661e07460a6604aacc8ae1b23695a89e7d4b3 ]
It is still possible to set on the NFT_SET_CONCAT flag by specifying a
set size and no field description, report EINVAL in such case.
Fixes: 1b6345d416 ("netfilter: nf_tables: check NFT_SET_CONCAT flag if field_count is specified")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 6b1ca88e4bb63673dc9f9c7f23c899f22c3cb17a ]
Delete from packet path relies on the garbage collector to purge
elements with NFT_SET_ELEM_DEAD_BIT on.
Skip these dead elements from nf_tables_dump_setelem() path, I very
rarely see tests/shell/testcases/maps/typeof_maps_add_delete reports
[DUMP FAILED] showing a mismatch in the expected output with an element
that should not be there.
If the netlink dump happens before GC worker run, it might show dead
elements in the ruleset listing.
nft_rhash_get() already skips dead elements in nft_rhash_cmp(),
therefore, it already does not show the element when getting a single
element via netlink control plane.
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 ]
The set description provides the size of each field in the set whose sum
should not mismatch the set key length, bail out otherwise.
I did not manage to crash nft_set_pipapo with mismatch fields and set key
length so far, but this is UB which must be disallowed.
Fixes: f3a2181e16 ("netfilter: nf_tables: Support for sets with multiple ranged fields")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 9874808878d9eed407e3977fd11fee49de1e1d86 ]
An skb can be added to a neigh->arp_queue while waiting for an arp
reply. Where original skb's skb->dev can be different to neigh's
neigh->dev. For instance in case of bridging dnated skb from one veth to
another, the skb would be added to a neigh->arp_queue of the bridge.
As skb->dev can be reset back to nf_bridge->physindev and used, and as
there is no explicit mechanism that prevents this physindev from been
freed under us (for instance neigh_flush_dev doesn't cleanup skbs from
different device's neigh queue) we can crash on e.g. this stack:
arp_process
neigh_update
skb = __skb_dequeue(&neigh->arp_queue)
neigh_resolve_output(..., skb)
...
br_nf_dev_xmit
br_nf_pre_routing_finish_bridge_slow
skb->dev = nf_bridge->physindev
br_handle_frame_finish
Let's use plain ifindex instead of net_device link. To peek into the
original net_device we will use dev_get_by_index_rcu(). Thus either we
get device and are safe to use it or we don't get it and drop skb.
Fixes: c4e70a87d9 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit a54e72197037d2c9bfcd70dddaac8c8ccb5b41ba ]
This is a preparation patch for replacing physindev with physinif on
nf_bridge_info structure. We will use dev_get_by_index_rcu to resolve
device, when needed, and it requires net to be available.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 9874808878d9 ("netfilter: bridge: replace physindev with physinif in nf_bridge_info")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit aeaa44075f8e49e2e0ad4507d925e690b7950145 ]
We don't really need nf_bridge variable here. And nf_bridge_info_exists
is better replacement for nf_bridge_info_get in case we are only
checking for existence.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 9874808878d9 ("netfilter: bridge: replace physindev with physinif in nf_bridge_info")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit c3f9fd54cd87233f53bdf0e191a86b3a5e960e02 ]
We don't use physindev in __build_packet_message except for getting
physinif from it. So let's switch to nf_bridge_get_physinif to get what
we want directly.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 9874808878d9 ("netfilter: bridge: replace physindev with physinif in nf_bridge_info")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 91a139cee1202a4599a380810d93c69b5bac6197 ]
Bail out if userspace provides unsupported flags, otherwise future
extensions to the limit expression will be silently ignored by the
kernel.
Fixes: c7862a5f0d ("netfilter: nft_limit: allow to invert matching criteria")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit c0f5aec28edf98906d28f08daace6522adf9ee7a ]
While testing the blamed commit below, I was able to miss (!)
packetdrill failures in the fastopen test-cases.
On passive fastopen the child socket is created by incoming TCP MPC syn,
allow for both MPC_SYN and MPC_ACK header.
Fixes: 724b00c12957 ("mptcp: refine opt_mp_capable determination")
Reviewed-by: Matthieu Baerts <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 724b00c12957973656d312dce2a110c75ae2c680 ]
OPTIONS_MPTCP_MPC is a combination of three flags.
It would be better to be strict about testing what
flag is expected, at least for code readability.
mptcp_parse_option() already makes the distinction.
- subflow_check_req() should use OPTION_MPTCP_MPC_SYN.
- mptcp_subflow_init_cookie_req() should use OPTION_MPTCP_MPC_ACK.
- subflow_finish_connect() should use OPTION_MPTCP_MPC_SYNACK
- subflow_syn_recv_sock should use OPTION_MPTCP_MPC_ACK
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Fixes: 74c7dfbee3 ("mptcp: consolidate in_opt sub-options fields in a bitmask")
Link: https://lore.kernel.org/r/20240111194917.4044654-6-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit c1665273bdc7c201766c65e561c06711f2e050dc ]
mp_opt->hmac contains uninitialized data unless OPTION_MPTCP_MPJ_ACK
was set in mptcp_parse_option().
We must refine the condition before we call subflow_hmac_valid().
Fixes: f296234c98 ("mptcp: Add handling of incoming MP_JOIN requests")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Krystad <peter.krystad@linux.intel.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Mat Martineau <martineau@kernel.org>
Cc: Geliang Tang <geliang.tang@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20240111194917.4044654-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 89e23277f9c16df6f9f9c1a1a07f8f132339c15c ]
mptcp_parse_option() currently sets OPTIONS_MPTCP_MPJ, for the three
possible cases handled for MPTCPOPT_MP_JOIN option.
OPTIONS_MPTCP_MPJ is the combination of three flags:
- OPTION_MPTCP_MPJ_SYN
- OPTION_MPTCP_MPJ_SYNACK
- OPTION_MPTCP_MPJ_ACK
This is a problem, because backup, join_id, token, nonce and/or hmac fields
could be left uninitialized in some cases.
Distinguish the three cases, as following patches will need this step.
Fixes: f296234c98 ("mptcp: Add handling of incoming MP_JOIN requests")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Krystad <peter.krystad@linux.intel.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Mat Martineau <martineau@kernel.org>
Cc: Geliang Tang <geliang.tang@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20240111194917.4044654-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit ec4ffd100ffb396eca13ebe7d18938ea80f399c3 upstream.
This reverts commit a4abfa627c.
The patch broke:
> ip link set dummy0 up
> ip link set dummy0 master bond0 down
This last command is useful to be able to enslave an interface with only
one netlink message.
After discussion, there is no good reason to support:
> ip link set dummy0 down
> ip link set dummy0 master bond0 up
because the bond interface already set the slave up when it is up.
Cc: stable@vger.kernel.org
Fixes: a4abfa627c ("net: rtnetlink: Enslave device before bringing it up")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://lore.kernel.org/r/20240108094103.2001224-2-nicolas.dichtel@6wind.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit da9065caa594d19b26e1a030fd0cc27bd365d685 upstream.
In min_key_size_set():
if (val > hdev->le_max_key_size || val < SMP_MIN_ENC_KEY_SIZE)
return -EINVAL;
hci_dev_lock(hdev);
hdev->le_min_key_size = val;
hci_dev_unlock(hdev);
In max_key_size_set():
if (val > SMP_MAX_ENC_KEY_SIZE || val < hdev->le_min_key_size)
return -EINVAL;
hci_dev_lock(hdev);
hdev->le_max_key_size = val;
hci_dev_unlock(hdev);
The atomicity violation occurs due to concurrent execution of set_min and
set_max funcs.Consider a scenario where setmin writes a new, valid 'min'
value, and concurrently, setmax writes a value that is greater than the
old 'min' but smaller than the new 'min'. In this case, setmax might check
against the old 'min' value (before acquiring the lock) but write its
value after the 'min' has been updated by setmin. This leads to a
situation where the 'max' value ends up being smaller than the 'min'
value, which is an inconsistency.
This possible bug is found by an experimental static analysis tool
developed by our team, BassCheck[1]. This tool analyzes the locking APIs
to extract function pairs that can be concurrently executed, and then
analyzes the instructions in the paired functions to identify possible
concurrency bugs including data races and atomicity violations. The above
possible bug is reported when our tool analyzes the source code of
Linux 5.17.
To resolve this issue, it is suggested to encompass the validity checks
within the locked sections in both set_min and set_max funcs. The
modification ensures that the validation of 'val' against the
current min/max values is atomic, thus maintaining the integrity of the
settings. With this patch applied, our tool no longer reports the bug,
with the kernel configuration allyesconfig for x86_64. Due to the lack of
associated hardware, we cannot test the patch in runtime testing, and just
verify it according to the code logic.
[1] https://sites.google.com/view/basscheck/
Fixes: 18f81241b7 ("Bluetooth: Move {min,max}_key_size debugfs ...")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <2045gemini@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7 upstream.
When deactivating the catch-all set element, check the state in the next
generation that represents this transaction.
This bug uncovered after the recent removal of the element busy mark
a2dd0233cbc4 ("netfilter: nf_tables: remove busy mark and gc batch API").
Fixes: aaa31047a6 ("netfilter: nftables: add catch-all set element support")
Cc: stable@vger.kernel.org
Reported-by: lonial con <kongln9170@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit acc657692aed438e9931438f8c923b2b107aebf9 upstream.
Fix the size check added to dns_resolver_preparse() for the V1 server-list
header so that it doesn't give EINVAL if the size supplied is the same as
the size of the header struct (which should be valid).
This can be tested with:
echo -n -e '\0\0\01\xff\0\0' | keyctl padd dns_resolver desc @p
which will give "add_key: Invalid argument" without this fix.
Fixes: 1997b3cb4217 ("keys, dns: Fix missing size check of V1 server-list header")
Reported-by: Pengfei Xu <pengfei.xu@intel.com>
Link: https://lore.kernel.org/r/ZZ4fyY4r3rqgZL+4@xpf.sh.intel.com/
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pablo Neira Ayuso
Jakub Kicinski
Sabrina Dubroca
Greg Kroah-Hartman
Todd Kjos
Yan Zhai
John Fastabend
Carlos Llamas
Florian Westphal
Hyunwoo Kim
Nikita Zhandarovich
Ludvig Pärsson
Fedor Pchelkin
Pavel Tikhomirov
Paolo Abeni
Eric Dumazet
Nicolas Dichtel
Gui-Dong Han
David Howells
Tao Liu