a9ea3113d4
848 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Zhihao Cheng
|
c3ee18fefa |
BACKPORT: FROMLIST: ovl: get_acl: Fix null pointer dereference at realinode in rcu-walk mode
Following process:
P1 P2
path_openat
link_path_walk
may_lookup
inode_permission(rcu)
ovl_permission
acl_permission_check
check_acl
get_cached_acl_rcu
ovl_get_inode_acl
realinode = ovl_inode_real(ovl_inode)
drop_cache
__dentry_kill(ovl_dentry)
iput(ovl_inode)
ovl_destroy_inode(ovl_inode)
dput(oi->__upperdentry)
dentry_kill(upperdentry)
dentry_unlink_inode
upperdentry->d_inode = NULL
ovl_inode_upper
upperdentry = ovl_i_dentry_upper(ovl_inode)
d_inode(upperdentry) // returns NULL
IS_POSIXACL(realinode) // NULL pointer dereference
, will trigger an null pointer dereference at realinode:
[ 205.472797] BUG: kernel NULL pointer dereference, address:
0000000000000028
[ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted
6.3.0-12064-g2edfa098e750-dirty #1216
[ 205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300
[ 205.489584] Call Trace:
[ 205.489812] <TASK>
[ 205.490014] ovl_get_inode_acl+0x26/0x30
[ 205.490466] get_cached_acl_rcu+0x61/0xa0
[ 205.490908] generic_permission+0x1bf/0x4e0
[ 205.491447] ovl_permission+0x79/0x1b0
[ 205.491917] inode_permission+0x15e/0x2c0
[ 205.492425] link_path_walk+0x115/0x550
[ 205.493311] path_lookupat.isra.0+0xb2/0x200
[ 205.493803] filename_lookup+0xda/0x240
[ 205.495747] vfs_fstatat+0x7b/0xb0
Fetch a reproducer in [Link].
Use the helper ovl_i_path_realinode() to get realinode and then do
non-nullptr checking.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217404
Fixes:
|
||
|
Zhihao Cheng
|
8d59a7676c |
BACKPORT: FROMLIST: ovl: ovl_permission: Fix null pointer dereference at realinode in rcu-walk mode
Following process:
P1 P2
path_lookupat
link_path_walk
inode_permission
ovl_permission
ovl_i_path_real(inode, &realpath)
path->dentry = ovl_i_dentry_upper(inode)
drop_cache
__dentry_kill(ovl_dentry)
iput(ovl_inode)
ovl_destroy_inode(ovl_inode)
dput(oi->__upperdentry)
dentry_kill(upperdentry)
dentry_unlink_inode
upperdentry->d_inode = NULL
realinode = d_inode(realpath.dentry) // return NULL
inode_permission(realinode)
inode->i_sb // NULL pointer dereference
, will trigger an null pointer dereference at realinode:
[ 335.664979] BUG: kernel NULL pointer dereference,
address: 0000000000000002
[ 335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0
[ 335.669956] RIP: 0010:inode_permission+0x33/0x2c0
[ 335.678939] Call Trace:
[ 335.679165] <TASK>
[ 335.679371] ovl_permission+0xde/0x320
[ 335.679723] inode_permission+0x15e/0x2c0
[ 335.680090] link_path_walk+0x115/0x550
[ 335.680771] path_lookupat.isra.0+0xb2/0x200
[ 335.681170] filename_lookup+0xda/0x240
[ 335.681922] vfs_statx+0xa6/0x1f0
[ 335.682233] vfs_fstatat+0x7b/0xb0
Fetch a reproducer in [Link].
Use the helper ovl_i_path_realinode() to get realinode and then do
non-nullptr checking.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217405
Fixes:
|
||
|
Zhihao Cheng
|
2de1ee6dd8 |
BACKPORT: FROMLIST: ovl: Let helper ovl_i_path_real() return the realinode
Let helper ovl_i_path_real() return the realinode to prepare for checking non-null realinode in rcu walking path. Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Bug: 285105314 Link: https://lore.kernel.org/lkml/20230516-topografie-gejubelt-dba162b6e735@brauner/T/ Change-Id: I4fed6fe0874215eb381b6879565a98b855916931 Signed-off-by: Pradeep P V K <quic_pragalla@quicinc.com> |
||
Greg Kroah-Hartman
|
c747c01851 |
This is the 6.1.11 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPkywAACgkQONu9yGCS
aT42Kw/9FFrdwv29yND651dPIglYKgO0Oz27/LFNGqst1A/G1ITzfs/94NSRr+9j
uvwmBLbC+n/OXYavliBVWlPaYUCLqoFSfR+q953yz/UT0803E8BUvQ8NN8O7lsg7
hfbWJaASxt5puy2pBFypeWM+OXoVOvUBj3VhbgtUwwcYLPuYafj9rCAytdIIf5fr
RKWBLfx7As4OJ+Hb3KNkolTkFDTfV5+zqCAc9Ko474d1bpRnF15UdQN8Kkinr2+O
YNGTvDT8jR8eAk/9PiCNrG7DEMSKaczP8n/ap6PikD/KnK7ShtCLwZztLnmu65g1
vZG+cnEda8FuY3Ms03UrHhKqzMzBY/vslzBNMBTNmDsr+b7ilhffAYXPKS8s7xrg
bJjmfzfITFAjXrml25enVO0V9RtTxv6E07U7SnDrLsvE2KBFZfUR/3Xl70bVBb0S
db60kmEoq3XHHtoVySOHlfihVHSy02V9dlFcLOYMQsDHsGVsRXOR87g6d7+rJS3h
hYWz5YxMLJUr2qn2836DPBnX9Ix0VjDx+X2fB4bNYzKc1dMlgzbpYrhk9LEOUDsx
emJuqZskjkLby9Bw36N3eHW3fKPOFrwpYwPWYJHdWx1mmFSNdV6MdfEtZXpuEkFJ
iFyJPeeODGadoiznnXTaBFfhozRj+B6FXrY6pkF+WMoSt8ZlZpM=
=vu7j
-----END PGP SIGNATURE-----
Merge 6.1.11 into android14-6.1
Changes in 6.1.11
firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region
bus: sunxi-rsb: Fix error handling in sunxi_rsb_init()
arm64: dts: imx8m-venice: Remove incorrect 'uart-has-rtscts'
arm64: dts: freescale: imx8dxl: fix sc_pwrkey's property name linux,keycode
ASoC: amd: acp-es8336: Drop reference count of ACPI device after use
ASoC: Intel: bytcht_es8316: Drop reference count of ACPI device after use
ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after use
ASoC: Intel: bytcr_rt5640: Drop reference count of ACPI device after use
ASoC: Intel: bytcr_wm5102: Drop reference count of ACPI device after use
ASoC: Intel: sof_es8336: Drop reference count of ACPI device after use
ASoC: Intel: avs: Implement PCI shutdown
bpf: Fix off-by-one error in bpf_mem_cache_idx()
bpf: Fix a possible task gone issue with bpf_send_signal[_thread]() helpers
ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()
bpf: Fix to preserve reg parent/live fields when copying range info
selftests/filesystems: grant executable permission to run_fat_tests.sh
ASoC: SOF: ipc4-mtrace: prevent underflow in sof_ipc4_priority_mask_dfs_write()
bpf: Add missing btf_put to register_btf_id_dtor_kfuncs
media: v4l2-ctrls-api.c: move ctrl->is_new = 1 to the correct line
bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX
arm64: dts: imx8mm-verdin: Do not power down eth-phy
drm/vc4: hdmi: make CEC adapter name unique
drm/ssd130x: Init display before the SSD130X_DISPLAY_ON command
scsi: Revert "scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT"
bpf: Fix the kernel crash caused by bpf_setsockopt().
ALSA: memalloc: Workaround for Xen PV
vhost/net: Clear the pending messages when the backend is removed
copy_oldmem_kernel() - WRITE is "data source", not destination
WRITE is "data source", not destination...
READ is "data destination", not source...
zcore: WRITE is "data source", not destination...
memcpy_real(): WRITE is "data source", not destination...
fix iov_iter_bvec() "direction" argument
fix 'direction' argument of iov_iter_{init,bvec}()
fix "direction" argument of iov_iter_kvec()
use less confusing names for iov_iter direction initializers
vhost-scsi: unbreak any layout for response
ice: Prevent set_channel from changing queues while RDMA active
qede: execute xdp_do_flush() before napi_complete_done()
virtio-net: execute xdp_do_flush() before napi_complete_done()
dpaa_eth: execute xdp_do_flush() before napi_complete_done()
dpaa2-eth: execute xdp_do_flush() before napi_complete_done()
skb: Do mix page pool and page referenced frags in GRO
sfc: correctly advertise tunneled IPv6 segmentation
net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices
net: wwan: t7xx: Fix Runtime PM initialization
block, bfq: replace 0/1 with false/true in bic apis
block, bfq: fix uaf for bfqq in bic_set_bfqq()
netrom: Fix use-after-free caused by accept on already connected socket
fscache: Use wait_on_bit() to wait for the freeing of relinquished volume
platform/x86/amd/pmf: update to auto-mode limits only after AMT event
platform/x86/amd/pmf: Add helper routine to update SPS thermals
platform/x86/amd/pmf: Fix to update SPS default pprof thermals
platform/x86/amd/pmf: Add helper routine to check pprof is balanced
platform/x86/amd/pmf: Fix to update SPS thermals when power supply change
platform/x86/amd/pmf: Ensure mutexes are initialized before use
platform/x86: thinkpad_acpi: Fix thinklight LED brightness returning 255
drm/i915/guc: Fix locking when searching for a hung request
drm/i915: Fix request ref counting during error capture & debugfs dump
drm/i915: Fix up locking around dumping requests lists
drm/i915/adlp: Fix typo for reference clock
net/tls: tls_is_tx_ready() checked list_entry
ALSA: firewire-motu: fix unreleased lock warning in hwdep device
netfilter: br_netfilter: disable sabotage_in hook after first suppression
block: ublk: extending queue_size to fix overflow
kunit: fix kunit_test_init_section_suites(...)
squashfs: harden sanity check in squashfs_read_xattr_id_table
maple_tree: should get pivots boundary by type
sctp: do not check hb_timer.expires when resetting hb_timer
net: phy: meson-gxl: Add generic dummy stubs for MMD register access
drm/panel: boe-tv101wum-nl6: Ensure DSI writes succeed during disable
ip/ip6_gre: Fix changing addr gen mode not generating IPv6 link local address
ip/ip6_gre: Fix non-point-to-point tunnel not generating IPv6 link local address
riscv: kprobe: Fixup kernel panic when probing an illegal position
igc: return an error if the mac type is unknown in igc_ptp_systim_to_hwtstamp()
octeontx2-af: Fix devlink unregister
can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate
can: raw: fix CAN FD frame transmissions over CAN XL devices
can: mcp251xfd: mcp251xfd_ring_set_ringparam(): assign missing tx_obj_num_coalesce_irq
ata: libata: Fix sata_down_spd_limit() when no link speed is reported
selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler warning
selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are provided
selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs
selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking
virtio-net: Keep stop() to follow mirror sequence of open()
net: openvswitch: fix flow memory leak in ovs_flow_cmd_new
efi: fix potential NULL deref in efi_mem_reserve_persistent
rtc: sunplus: fix format string for printing resource
certs: Fix build error when PKCS#11 URI contains semicolon
kbuild: modinst: Fix build error when CONFIG_MODULE_SIG_KEY is a PKCS#11 URI
i2c: designware-pci: Add new PCI IDs for AMD NAVI GPU
i2c: mxs: suppress probe-deferral error message
scsi: target: core: Fix warning on RT kernels
x86/aperfmperf: Erase stale arch_freq_scale values when disabling frequency invariance readings
perf/x86/intel: Add Emerald Rapids
perf/x86/intel/cstate: Add Emerald Rapids
scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress
scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
i2c: rk3x: fix a bunch of kernel-doc warnings
Revert "gfs2: stop using generic_writepages in gfs2_ail1_start_one"
x86/build: Move '-mindirect-branch-cs-prefix' out of GCC-only block
platform/x86: dell-wmi: Add a keymap for KEY_MUTE in type 0x0010 table
platform/x86: hp-wmi: Handle Omen Key event
platform/x86: gigabyte-wmi: add support for B450M DS3H WIFI-CF
platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN
net/x25: Fix to not accept on connected socket
drm/amd/display: Fix timing not changning when freesync video is enabled
bcache: Silence memcpy() run-time false positive warnings
iio: adc: stm32-dfsdm: fill module aliases
usb: dwc3: qcom: enable vbus override when in OTG dr-mode
usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait
vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
fbcon: Check font dimension limits
cgroup/cpuset: Fix wrong check in update_parent_subparts_cpumask()
hv_netvsc: Fix missed pagebuf entries in netvsc_dma_map/unmap()
ARM: dts: imx7d-smegw01: Fix USB host over-current polarity
net: qrtr: free memory on error path in radix_tree_insert()
can: isotp: split tx timer into transmission and timeout
can: isotp: handle wait_event_interruptible() return values
watchdog: diag288_wdt: do not use stack buffers for hardware data
watchdog: diag288_wdt: fix __diag288() inline assembly
ALSA: hda/realtek: Add Acer Predator PH315-54
ALSA: hda/realtek: fix mute/micmute LEDs, speaker don't work for a HP platform
ASoC: codecs: wsa883x: correct playback min/max rates
ASoC: SOF: sof-audio: unprepare when swidget->use_count > 0
ASoC: SOF: sof-audio: skip prepare/unprepare if swidget is NULL
ASoC: SOF: keep prepare/unprepare widgets in sink path
efi: Accept version 2 of memory attributes table
rtc: efi: Enable SET/GET WAKEUP services as optional
iio: hid: fix the retval in accel_3d_capture_sample
iio: hid: fix the retval in gyro_3d_capture_sample
iio: adc: xilinx-ams: fix devm_krealloc() return value check
iio: adc: berlin2-adc: Add missing of_node_put() in error path
iio: imx8qxp-adc: fix irq flood when call imx8qxp_adc_read_raw()
iio:adc:twl6030: Enable measurements of VUSB, VBAT and others
iio: light: cm32181: Fix PM support on system with 2 I2C resources
iio: imu: fxos8700: fix ACCEL measurement range selection
iio: imu: fxos8700: fix incomplete ACCEL and MAGN channels readback
iio: imu: fxos8700: fix IMU data bits returned to user space
iio: imu: fxos8700: fix map label of channel type to MAGN sensor
iio: imu: fxos8700: fix swapped ACCEL and MAGN channels readback
iio: imu: fxos8700: fix incorrect ODR mode readback
iio: imu: fxos8700: fix failed initialization ODR mode assignment
iio: imu: fxos8700: remove definition FXOS8700_CTRL_ODR_MIN
iio: imu: fxos8700: fix MAGN sensor scale and unit
nvmem: brcm_nvram: Add check for kzalloc
nvmem: sunxi_sid: Always use 32-bit MMIO reads
nvmem: qcom-spmi-sdam: fix module autoloading
parisc: Fix return code of pdc_iodc_print()
parisc: Replace hardcoded value with PRIV_USER constant in ptrace.c
parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case
riscv: disable generation of unwind tables
Revert "mm: kmemleak: alloc gray object for reserved region with direct map"
mm: multi-gen LRU: fix crash during cgroup migration
mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps
mm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath()
usb: gadget: f_uac2: Fix incorrect increment of bNumEndpoints
usb: typec: ucsi: Don't attempt to resume the ports before they exist
usb: gadget: udc: do not clear gadget driver.bus
kernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup()
HV: hv_balloon: fix memory leak with using debugfs_lookup()
x86/debug: Fix stack recursion caused by wrongly ordered DR7 accesses
fpga: m10bmc-sec: Fix probe rollback
fpga: stratix10-soc: Fix return value check in s10_ops_write_init()
mm/uffd: fix pte marker when fork() without fork event
mm/swapfile: add cond_resched() in get_swap_pages()
mm/khugepaged: fix ->anon_vma race
mm, mremap: fix mremap() expanding for vma's with vm_ops->close()
mm/MADV_COLLAPSE: catch !none !huge !bad pmd lookups
highmem: round down the address passed to kunmap_flush_on_unmap()
ia64: fix build error due to switch case label appearing next to declaration
Squashfs: fix handling and sanity checking of xattr_ids count
maple_tree: fix mas_empty_area_rev() lower bound validation
migrate: hugetlb: check for hugetlb shared PMD in node migration
dma-buf: actually set signaling bit for private stub fences
serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler
drm/i915: Avoid potential vm use-after-free
drm/i915: Fix potential bit_17 double-free
drm/amd: Fix initialization for nbio 4.3.0
drm/amd/pm: drop unneeded dpm features disablement for SMU 13.0.4/11
drm/amdgpu: update wave data type to 3 for gfx11
nvmem: core: initialise nvmem->id early
nvmem: core: remove nvmem_config wp_gpio
nvmem: core: fix cleanup after dev_set_name()
nvmem: core: fix registration vs use race
nvmem: core: fix device node refcounting
nvmem: core: fix cell removal on error
nvmem: core: fix return value
phy: qcom-qmp-combo: fix runtime suspend
serial: 8250_dma: Fix DMA Rx completion race
serial: 8250_dma: Fix DMA Rx rearm race
platform/x86/amd: pmc: add CONFIG_SERIO dependency
ASoC: SOF: sof-audio: prepare_widgets: Check swidget for NULL on sink failure
iio:adc:twl6030: Enable measurement of VAC
powerpc/64s/radix: Fix crash with unaligned relocated kernel
powerpc/64s: Fix local irq disable when PMIs are disabled
powerpc/imc-pmu: Revert nest_init_lock to being a mutex
fs/ntfs3: Validate attribute data and valid sizes
ovl: Use "buf" flexible array for memcpy() destination
f2fs: initialize locks earlier in f2fs_fill_super()
fbdev: smscufx: fix error handling code in ufx_usb_probe
f2fs: fix to do sanity check on i_extra_isize in is_alive()
wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads
gfs2: Cosmetic gfs2_dinode_{in,out} cleanup
gfs2: Always check inode size of inline inodes
bpf: Skip invalid kfunc call in backtrack_insn
Linux 6.1.11
Change-Id: I69722bc9711b91f2fca18de59746ada373f64c5e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Kees Cook
|
07a96977b2 |
ovl: Use "buf" flexible array for memcpy() destination
commit cf8aa9bf97cadf85745506c6a3e244b22c268d63 upstream. The "buf" flexible array needs to be the memcpy() destination to avoid false positive run-time warning from the recent FORTIFY_SOURCE hardening: memcpy: detected field-spanning write (size 93) of single field "&fh->fb" at fs/overlayfs/export.c:799 (size 21) Reported-by: syzbot+9d14351a171d0d1c7955@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/000000000000763a6c05e95a5985@google.com/ Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
936f394ef7 |
This is the 6.1.9 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPaFzoACgkQONu9yGCS aT6Y7Q//bOQ+QfUsJ9oi0hCQpC4L4REaM/WpqyWFn+/75KB4KDZ7IGaHAZ8UZSPQ DwZ0aoIAapQyAL7Q5WUDnG51Q07Xi4NfWPHNlz1FqAKdJu2D8uAmYP9I6M0JpEbg nV5ki8UXETkIu7EnfS7+5MjHLt99DaA+W0Z1J+qqXONRoszELUNfMdTZMoqVX5Vx gqmSpHmySt2mhSr8k4Inx5OvhF6pZ9mQVq0baUEieAcyaRXSRBBLTtOgntcYyq+R aAoCV5E+lLDZVkjntc6wKtTECD6zegfXCBqZdxQ1RUt5SBTn7K2XnGqQt+V3UbeH 5kFwUngvnpGDQeS8VuzWo+yGBLu0cp6PShP329SbO5o0bY8qRxiWfr37sxfMq/yh F947AjG2wWouCK4xle68/O6GvZNLtKJI1Z0MihpFKmeLbvL0S88rkSnhwjPQ5qBe kK8RfUATLKkl6XoTyJT/v/o+/tlAuHj3txrH3zsB0MQWuuxBkZ1JAAnmDnBCcvIJ BAr6HFRFr6kTfcREnMKkWr2EXO98DGrk0Eg9FTedm1F4RSL8iGQenTXNmRMhSxFv /MtF0sRwkstI+v7EINmmK+wNJeye03WjmWDjJVxIqOwfmGC5EfCGhGV4CfmdnBsE N18DZMZ5oc9ft/zmH9Pi/vJUlwRHDS52uQ3r7K3TYXHHveT62FE= =8rzU -----END PGP SIGNATURE----- Merge 6.1.9 into android14-6.1 Changes in 6.1.9 memory: tegra: Remove clients SID override programming memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe() memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe() arm64: dts: qcom: sc8280xp: fix primary USB-DP PHY reset dmaengine: qcom: gpi: Set link_rx bit on GO TRE for rx operation dmaengine: ti: k3-udma: Do conditional decrement of UDMA_CHAN_RT_PEER_BCNT_REG soc: imx: imx8mp-blk-ctrl: enable global pixclk with HDMI_TX_PHY PD arm64: dts: imx8mp-phycore-som: Remove invalid PMIC property ARM: dts: imx6ul-pico-dwarf: Use 'clock-frequency' ARM: dts: imx7d-pico: Use 'clock-frequency' ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' arm64: dts: verdin-imx8mm: fix dahlia audio playback arm64: dts: imx8mm-beacon: Fix ecspi2 pinmux arm64: dts: verdin-imx8mm: fix dev board audio playback arm64: dts: imx93-11x11-evk: correct clock and strobe pad setting ARM: imx: add missing of_node_put() soc: imx: imx8mp-blk-ctrl: don't set power device name arm64: dts: imx8mp: Fix missing GPC Interrupt arm64: dts: imx8mp: Fix power-domain typo arm64: dts: imx8mp-evk: pcie0-refclk cosmetic cleanup HID: intel_ish-hid: Add check for ishtp_dma_tx_map arm64: dts: imx8mm-venice-gw7901: fix USB2 controller OC polarity soc: imx8m: Fix incorrect check for of_clk_get_by_name() reset: ti-sci: honor TI_SCI_PROTOCOL setting when not COMPILE_TEST reset: uniphier-glue: Fix possible null-ptr-deref EDAC/highbank: Fix memory leak in highbank_mc_probe() firmware: arm_scmi: Harden shared memory access in fetch_response firmware: arm_scmi: Harden shared memory access in fetch_notification firmware: arm_scmi: Fix virtio channels cleanup on shutdown interconnect: qcom: msm8996: Provide UFS clocks to A2NoC interconnect: qcom: msm8996: Fix regmap max_register values HID: amd_sfh: Fix warning unwind goto tomoyo: fix broken dependency on *.conf.default RDMA/rxe: Fix inaccurate constants in rxe_type_info RDMA/rxe: Prevent faulty rkey generation erofs: fix kvcalloc() misuse with __GFP_NOFAIL arm64: dts: marvell: AC5/AC5X: Fix address for UART1 RDMA/core: Fix ib block iterator counter overflow IB/hfi1: Reject a zero-length user expected buffer IB/hfi1: Reserve user expected TIDs IB/hfi1: Fix expected receive setup error exit issues IB/hfi1: Immediately remove invalid memory from hardware IB/hfi1: Remove user expected buffer invalidate race affs: initialize fsdata in affs_truncate() PM: AVS: qcom-cpr: Fix an error handling path in cpr_probe() arm64: dts: qcom: msm8992: Don't use sfpb mutex arm64: dts: qcom: msm8992-libra: Fix the memory map kbuild: export top-level LDFLAGS_vmlinux only to scripts/Makefile.vmlinux kbuild: fix 'make modules' error when CONFIG_DEBUG_INFO_BTF_MODULES=y phy: ti: fix Kconfig warning and operator precedence drm/msm/gpu: Fix potential double-free NFSD: fix use-after-free in nfsd4_ssc_setup_dul() ARM: dts: at91: sam9x60: fix the ddr clock for sam9x60 drm/vc4: bo: Fix drmm_mutex_init memory hog phy: usb: sunplus: Fix potential null-ptr-deref in sp_usb_phy_probe() bpf: hash map, avoid deadlock with suitable hash mask amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent amd-xgbe: Delay AN timeout during KR training bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation drm/vc4: bo: Fix unused variable warning phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() net: nfc: Fix use-after-free in local_cleanup() net: wan: Add checks for NULL for utdm in undo_uhdlc_init and unmap_si_regs net: enetc: avoid deadlock in enetc_tx_onestep_tstamp() net: lan966x: add missing fwnode_handle_put() for ports node sch_htb: Avoid grafting on htb_destroy_class_offload when destroying htb gpio: mxc: Protect GPIO irqchip RMW with bgpio spinlock gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid pinctrl: rockchip: fix reading pull type on rk3568 net: stmmac: Fix queue statistics reading net/sched: sch_taprio: fix possible use-after-free l2tp: convert l2tp_tunnel_list to idr l2tp: close all race conditions in l2tp_tunnel_register() net: usb: sr9700: Handle negative len net: mdio: validate parameter addr in mdiobus_get_phy() HID: check empty report_list in hid_validate_values() HID: check empty report_list in bigben_probe() net: stmmac: fix invalid call to mdiobus_get_phy() pinctrl: rockchip: fix mux route data for rk3568 ARM: dts: stm32: Fix qspi pinctrl phandle for stm32mp15xx-dhcor-som ARM: dts: stm32: Fix qspi pinctrl phandle for stm32mp15xx-dhcom-som ARM: dts: stm32: Fix qspi pinctrl phandle for stm32mp157c-emstamp-argon ARM: dts: stm32: Fix qspi pinctrl phandle for stm32mp151a-prtt1l HID: revert CHERRY_MOUSE_000C quirk block/rnbd-clt: fix wrong max ID in ida_alloc_max usb: ucsi: Ensure connector delayed work items are flushed usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait usb: gadget: f_fs: Ensure ep0req is dequeued before free_request netfilter: conntrack: handle tcp challenge acks during connection reuse Bluetooth: Fix a buffer overflow in mgmt_mesh_add() Bluetooth: hci_conn: Fix memory leaks Bluetooth: hci_sync: fix memory leak in hci_update_adv_data() Bluetooth: ISO: Avoid circular locking dependency Bluetooth: ISO: Fix possible circular locking dependency Bluetooth: hci_event: Fix Invalid wait context Bluetooth: Fix possible deadlock in rfcomm_sk_state_change net: ipa: disable ipa interrupt during suspend net/mlx5e: Avoid false lock dependency warning on tc_ht even more net/mlx5: E-switch, Fix setting of reserved fields on MODIFY_SCHEDULING_ELEMENT net/mlx5e: QoS, Fix wrongfully setting parent_element_id on MODIFY_SCHEDULING_ELEMENT net/mlx5e: Set decap action based on attr for sample net/mlx5: E-switch, Fix switchdev mode after devlink reload net: mlx5: eliminate anonymous module_init & module_exit drm/panfrost: fix GENERIC_ATOMIC64 dependency dmaengine: Fix double increment of client_count in dma_chan_get() net: macb: fix PTP TX timestamp failure due to packet padding virtio-net: correctly enable callback during start_xmit l2tp: prevent lockdep issue in l2tp_tunnel_register() HID: betop: check shape of output reports drm/i915/selftests: Unwind hugepages to drop wakeref on error cifs: fix potential deadlock in cache_refresh_path() dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node() dmaengine: tegra: Fix memory leak in terminate_all() phy: phy-can-transceiver: Skip warning if no "max-bitrate" drm/amd/display: fix issues with driver unload net: sched: gred: prevent races when adding offloads to stats nvme-pci: fix timeout request state check tcp: avoid the lookup process failing to get sk in ehash table usb: dwc3: fix extcon dependency ptdma: pt_core_execute_cmd() should use spinlock device property: fix of node refcount leak in fwnode_graph_get_next_endpoint() w1: fix deadloop in __w1_remove_master_device() w1: fix WARNING after calling w1_process() driver core: Fix test_async_probe_init saves device in wrong array selftests/net: toeplitz: fix race on tpacket_v3 block close net: dsa: microchip: ksz9477: port map correction in ALU table entry register thermal: Validate new state in cur_state_store() thermal/core: fix error code in __thermal_cooling_device_register() thermal: core: call put_device() only after device_register() fails net: stmmac: enable all safety features by default bnxt: Do not read past the end of test names tcp: fix rate_app_limited to default to 1 scsi: iscsi: Fix multiple iSCSI session unbind events sent to userspace ASoC: SOF: pm: Set target state earlier ASoC: SOF: pm: Always tear down pipelines before DSP suspend ASoC: SOF: Add FW state to debugfs ASoC: amd: yc: Add Razer Blade 14 2022 into DMI table spi: cadence: Fix busy cycles calculation cpufreq: CPPC: Add u64 casts to avoid overflowing cpufreq: Add Tegra234 to cpufreq-dt-platdev blocklist ASoC: mediatek: mt8186: support rt5682s_max98360 ASoC: mediatek: mt8186: Add machine support for max98357a ASoC: amd: yc: Add ASUS M5402RA into DMI table ASoC: support machine driver with max98360 kcsan: test: don't put the expect array on the stack cpufreq: Add SM6375 to cpufreq-dt-platdev blocklist ASoC: fsl_micfil: Correct the number of steps on SX controls drm/msm/a6xx: Avoid gx gbit halt during rpm suspend net: usb: cdc_ether: add support for Thales Cinterion PLS62-W modem drm: Add orientation quirk for Lenovo ideapad D330-10IGL s390/debug: add _ASM_S390_ prefix to header guard s390: expicitly align _edata and _end symbols on page boundary xen/pvcalls: free active map buffer on pvcalls_front_free_map perf/x86/cstate: Add Meteor Lake support perf/x86/msr: Add Meteor Lake support perf/x86/msr: Add Emerald Rapids perf/x86/intel/uncore: Add Emerald Rapids nolibc: fix fd_set type tools/nolibc: Fix S_ISxxx macros tools/nolibc: fix missing includes causing build issues at -O0 tools/nolibc: prevent gcc from making memset() loop over itself cpufreq: armada-37xx: stop using 0 as NULL pointer ASoC: fsl_ssi: Rename AC'97 streams to avoid collisions with AC'97 CODEC ASoC: fsl-asoc-card: Fix naming of AC'97 CODEC widgets ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA drm/amdkfd: Add sync after creating vram bo drm/amdkfd: Fix NULL pointer error for GC 11.0.1 on mGPU cifs: fix potential memory leaks in session setup spi: spidev: remove debug messages that access spidev->spi without locking KVM: s390: interrupt: use READ_ONCE() before cmpxchg() scsi: hisi_sas: Use abort task set to reset SAS disks when discovered scsi: hisi_sas: Set a port invalid only if there are no devices attached when refreshing port id r8152: add vendor/device ID pair for Microsoft Devkit platform/x86: touchscreen_dmi: Add info for the CSL Panther Tab HD platform/x86: asus-nb-wmi: Add alternate mapping for KEY_CAMERA platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK platform/x86: asus-wmi: Add quirk wmi_ignore_fan platform/x86: asus-wmi: Ignore fan on E410MA platform/x86: simatic-ipc: correct name of a model platform/x86: simatic-ipc: add another model lockref: stop doing cpu_relax in the cmpxchg loop ata: pata_cs5535: Don't build on UML firmware: coreboot: Check size of table entry and use flex-array btrfs: zoned: enable metadata over-commit for non-ZNS setup Revert "selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID" arm64: efi: Recover from synchronous exceptions occurring in firmware arm64: efi: Avoid workqueue to check whether EFI runtime is live arm64: efi: Account for the EFI runtime stack in stack unwinder Bluetooth: hci_sync: cancel cmd_timer if hci_open failed drm/i915: Allow panel fixed modes to have differing sync polarities drm/i915: Allow alternate fixed modes always for eDP drm/amdgpu: complete gfxoff allow signal during suspend without delay io_uring/msg_ring: fix remote queue to disabled ring wifi: mac80211: Proper mark iTXQs for resumption wifi: mac80211: Fix iTXQ AMPDU fragmentation handling sched/fair: Check if prev_cpu has highest spare cap in feec() sched/uclamp: Fix a uninitialized variable warnings vfio/type1: Respect IOMMU reserved regions in vfio_test_domain_fgsp() scsi: hpsa: Fix allocation size for scsi_host_alloc() kvm/vfio: Fix potential deadlock on vfio group_lock nfsd: don't free files unconditionally in __nfsd_file_cache_purge module: Don't wait for GOING modules ftrace: Export ftrace_free_filter() to modules tracing: Make sure trace_printk() can output as soon as it can be used trace_events_hist: add check for return value of 'create_hist_field' ftrace/scripts: Update the instructions for ftrace-bisect.sh cifs: Fix oops due to uncleared server->smbd_conn in reconnect ksmbd: add max connections parameter ksmbd: do not sign response to session request for guest login ksmbd: downgrade ndr version error message to debug ksmbd: limit pdu length size according to connection status ovl: fix tmpfile leak ovl: fail on invalid uid/gid mapping at copy up io_uring/net: cache provided buffer group value for multishot receives KVM: x86/vmx: Do not skip segment attributes if unusable bit is set KVM: arm64: GICv4.1: Fix race with doorbell on VPE activation/deactivation scsi: ufs: core: Fix devfreq deadlocks riscv: fix -Wundef warning for CONFIG_RISCV_BOOT_SPINWAIT thermal: intel: int340x: Protect trip temperature from concurrent updates regulator: dt-bindings: samsung,s2mps14: add lost samsung,ext-control-gpios ipv6: fix reachability confirmation with proxy_ndp ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment EDAC/device: Respect any driver-supplied workqueue polling value EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info platform/x86: thinkpad_acpi: Fix profile modes on Intel platforms drm/display/dp_mst: Correct the kref of port. drm/amd/pm: add missing AllowIHInterrupt message mapping for SMU13.0.0 drm/amdgpu: remove unconditional trap enable on add gfx11 queues drm/amdgpu/display/mst: Fix mst_state->pbn_div and slot count assignments drm/amdgpu/display/mst: limit payload to be updated one by one drm/amdgpu/display/mst: update mst_mgr relevant variable when long HPD io_uring: inline io_req_task_work_add() io_uring: inline __io_req_complete_post() io_uring: hold locks for io_req_complete_failed io_uring: use io_req_task_complete() in timeout io_uring: remove io_req_tw_post_queue io_uring: inline __io_req_complete_put() net: mana: Fix IRQ name - add PCI and queue number io_uring: always prep_async for drain requests i2c: designware: use casting of u64 in clock multiplication to avoid overflow i2c: designware: Fix unbalanced suspended flag drm/drm_vma_manager: Add drm_vma_node_allow_once() drm/i915: Fix a memory leak with reused mmap_offset iavf: fix temporary deadlock and failure to set MAC address iavf: schedule watchdog immediately when changing primary MAC netlink: prevent potential spectre v1 gadgets net: fix UaF in netns ops registration error path net: fec: Use page_pool_put_full_page when freeing rx buffers nvme: simplify transport specific device attribute handling nvme: consolidate setting the tagset flags nvme-fc: fix initialization order drm/i915/selftest: fix intel_selftest_modify_policy argument types ACPI: video: Add backlight=native DMI quirk for HP Pavilion g6-1d80nr ACPI: video: Add backlight=native DMI quirk for HP EliteBook 8460p ACPI: video: Add backlight=native DMI quirk for Asus U46E netfilter: nft_set_rbtree: Switch to node list walk for overlap detection netfilter: nft_set_rbtree: skip elements in transaction from garbage collection netlink: annotate data races around nlk->portid netlink: annotate data races around dst_portid and dst_group netlink: annotate data races around sk_state ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() ipv4: prevent potential spectre v1 gadget in fib_metrics_match() net: dsa: microchip: fix probe of I2C-connected KSZ8563 net: ethernet: adi: adin1110: Fix multicast offloading netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE netrom: Fix use-after-free of a listening socket. platform/x86: asus-wmi: Fix kbd_dock_devid tablet-switch reporting platform/x86: apple-gmux: Move port defines to apple-gmux.h platform/x86: apple-gmux: Add apple_gmux_detect() helper ACPI: video: Fix apple gmux detection tracing/osnoise: Use built-in RCU list checking net/sched: sch_taprio: do not schedule in taprio_reset() sctp: fail if no bound addresses can be used for a given scope riscv/kprobe: Fix instruction simulation of JALR nvme: fix passthrough csi check gpio: mxc: Unlock on error path in mxc_flip_edge() gpio: ep93xx: Fix port F hwirq numbers in handler net: ravb: Fix lack of register setting after system resumed for Gen3 net: ravb: Fix possible hang if RIS2_QFF1 happen net: mctp: add an explicit reference from a mctp_sk_key to sock net: mctp: move expiry timer delete to unhash net: mctp: hold key reference when looking up a general key net: mctp: mark socks as dead on unhash, prevent re-add thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() riscv: Move call to init_cpu_topology() to later initialization stage net/tg3: resolve deadlock in tg3_reset_task() during EEH tsnep: Fix TX queue stop/wake for multiple queues net: mdio-mux-meson-g12a: force internal PHY off on mux switch Partially revert "perf/arm-cmn: Optimise DTC counter accesses" block: ublk: move ublk_chr_class destroying after devices are removed treewide: fix up files incorrectly marked executable tools: gpio: fix -c option of gpio-event-mon Fix up more non-executable files marked executable Revert "mm/compaction: fix set skip in fast_find_migrateblock" Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode" Input: i8042 - add Clevo PCX0DX to i8042 quirk table x86/sev: Add SEV-SNP guest feature negotiation support acpi: Fix suspend with Xen PV dt-bindings: riscv: fix underscore requirement for multi-letter extensions dt-bindings: riscv: fix single letter canonical order x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL dt-bindings: i2c: renesas,rzv2m: Fix SoC specific string netfilter: conntrack: unify established states for SCTP paths perf/x86/amd: fix potential integer overflow on shift of a int amdgpu: fix build on non-DCN platforms. Linux 6.1.9 Change-Id: I750dee519337922880b87841f6732565961c6b0a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Miklos Szeredi
|
42fea1c352 |
ovl: fail on invalid uid/gid mapping at copy up
commit 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3 upstream.
If st_uid/st_gid doesn't have a mapping in the mounter's user_ns, then
copy-up should fail, just like it would fail if the mounter task was doing
the copy using "cp -a".
There's a corner case where the "cp -a" would succeed but copy up fail: if
there's a mapping of the invalid uid/gid (65534 by default) in the user
namespace. This is because stat(2) will return this value if the mapping
doesn't exist in the current user_ns and "cp -a" will in turn be able to
create a file with this uid/gid.
This behavior would be inconsistent with POSIX ACL's, which return -1 for
invalid uid/gid which result in a failed copy.
For consistency and simplicity fail the copy of the st_uid/st_gid are
invalid.
Fixes:
|
||
|
Miklos Szeredi
|
caa0ea9250 |
ovl: fix tmpfile leak
commit baabaa505563362b71f2637aedd7b807d270656c upstream.
Missed an error cleanup.
Reported-by: syzbot+fd749a7ea127a84e0ffd@syzkaller.appspotmail.com
Fixes:
|
||
|
Greg Kroah-Hartman
|
9a38b58eee |
This is the 6.1.3 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmO1VPMACgkQONu9yGCS aT43Og//RoOLMIYeZo3Hj6hJWv12bYOOwKDqORV1E7up5pA564nzgZ18z9ftxR36 gjjATO4vM+6CYnkmtAZxbw6DZMgmqz4aYqR0nsjMFibV2iLPAb/zK23Kp1afaLbs rQjD0LwOlCH2YdIoFfcOONCoLeimy51woOXATlngmDEz0+6du4OznvRvIROzBEpX lcJZh5XcAIgGZa4VKapkLHXc01kdBRrn5D3M8S2gHxgM8MAcOmt7nKDUxuviX1zP JquY6vSVMhK2dCYgLr+dMdwHAe4LGX5M+T0hbLIw8IFjo9R//Efq0+chZY+4vdnx HD/9U5Sg0E/XtbcwvdU1Uu0k0kXG1g4pA09fOL0ph7GJeZntSQPMNunPyL9S8XKF g7nsM1dd3j0Gak99TTCQPxCjqa2jS5BDMZyT7iOHvXURmhOpjgVHcL/nZx5m2irG uFzCbwqZYZrmyfMqz8r6fIWt5x3lKpjd6QvBxc0xlCX6WzItmpADZl8ZnHFHxjPd pgFKZKaWAK8aAOYSdsKpx1t0VFO7z/5T0y6IH9WTzdmnjOQeyVuJ511u9leuo6Oy tNo+WZx+pevXs7phr1IMQ6sM0O+BotQaN21RP2mwxNNut/Cx3T+PStPnx0u03Be3 0lE+OBcqv3bUYKHj4mB7HdY+RB5ECHKBe+IOeXAox5gA/SbSwzs= =FalZ -----END PGP SIGNATURE----- Merge 6.1.3 into android14-6.1 Changes in 6.1.3 eventpoll: add EPOLL_URING_WAKE poll wakeup flag eventfd: provide a eventfd_signal_mask() helper io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups nvme-pci: fix doorbell buffer value endianness nvme-pci: fix mempool alloc size nvme-pci: fix page size checks ACPI: resource: do IRQ override on XMG Core 15 ACPI: resource: do IRQ override on Lenovo 14ALC7 ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks ACPI: video: Fix Apple GMUX backlight detection block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq ata: ahci: Fix PCS quirk application for suspend nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition nvmet: don't defer passthrough commands with trivial effects to the workqueue fs/ntfs3: Validate BOOT record_size fs/ntfs3: Add overflow check for attribute size fs/ntfs3: Validate data run offset fs/ntfs3: Add null pointer check to attr_load_runs_vcn fs/ntfs3: Fix memory leak on ntfs_fill_super() error path fs/ntfs3: Add null pointer check for inode operations fs/ntfs3: Validate attribute name offset fs/ntfs3: Validate buffer length while parsing index fs/ntfs3: Validate resident attribute name fs/ntfs3: Fix slab-out-of-bounds read in run_unpack soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15 phy: sun4i-usb: Introduce port2 SIDDQ quirk phy: sun4i-usb: Add support for the H616 USB PHY fs/ntfs3: Validate index root when initialize NTFS security fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init() fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super() fs/ntfs3: Delete duplicate condition in ntfs_read_mft() fs/ntfs3: Fix slab-out-of-bounds in r_page objtool: Fix SEGFAULT iommu/mediatek: Fix crash on isr after kexec() powerpc/rtas: avoid device tree lookups in rtas_os_term() powerpc/rtas: avoid scheduling in rtas_os_term() rtc: msc313: Fix function prototype mismatch in msc313_rtc_probe() NFSD: fix use-after-free in __nfs42_ssc_open() kprobes: kretprobe events missing on 2-core KVM guest HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint HID: plantronics: Additional PIDs for double volume key presses quirk futex: Fix futex_waitv() hrtimer debug object leak on kcalloc error rtmutex: Add acquire semantics for rtmutex lock acquisition slow path mm, mremap: fix mremap() expanding vma with addr inside vma mm/mempolicy: fix memory leak in set_mempolicy_home_node system call kmsan: export kmsan_handle_urb kmsan: include linux/vmalloc.h pstore: Properly assign mem_type property pstore/zone: Use GFP_ATOMIC to allocate zone buffer hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount ACPI: x86: s2idle: Force AMD GUID/_REV 2 on HP Elitebook 865 ACPI: x86: s2idle: Stop using AMD specific codepath for Rembrandt+ binfmt: Fix error return code in load_elf_fdpic_binary() ovl: Use ovl mounter's fsuid and fsgid in ovl_link() ovl: update ->f_iocb_flags when ovl_change_flags() modifies ->f_flags ALSA: line6: correct midi status byte when receiving data from podxt ALSA: line6: fix stack overflow in line6_midi_transmit ALSA: hda/hdmi: Static PCM mapping again with AMD HDMI codecs pnode: terminate at peers of source mfd: mt6360: Add bounds checking in Regmap read/write call-backs md: fix a crash in mempool_free mm, compaction: fix fast_isolate_around() to stay within boundaries f2fs: should put a page when checking the summary info f2fs: allow to read node block after shutdown block: Do not reread partition table on exclusively open device mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING tpm: acpi: Call acpi_put_table() to fix memory leak tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails kcsan: Instrument memcpy/memset/memmove with newer Clang Linux 6.1.3 Change-Id: I3ac637177b476ff43ad964c687327a7cbb62d017 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
2712923303 |
This is the 6.1.2 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmOwLA8ACgkQONu9yGCS
aT6RYxAAhsnIlIBCtaca7Uio9TZdluV7Fzn3c9+QogVisrwVMTtP1iHX43ofFC89
BCmiQOS9fForddjNP0vkqjZlshMYYSCDPX0s0mK6R4UoNPVg8oehZ9vJfOiR3MMX
C3fApQQhYf5Bx/rC50i58ChdAw/Dqj0WNBZX/ZWod4B2JKUq7ORk7GjnorfuJxuP
xO2K6KdpajZufkxtTyKtwqK8FG3dkZP9YF6MqFIvTfQ8qkLnQsrL3moFGU9giSH5
swRCFH/QII+kumKS2bir87QHz0CmvtSa3Ob4DyKiJMkNN8tspE7nOMkds4usCov6
+yM84sWp03j2RKFyadctAMKwdH16IGU0kdgqlhb9OmzGNRvX6/l5q4+QzqzPJHHQ
F+v/PEJoKz3K6CK2ai8DPXoTUMgDDCaYDHg139Tv2Dj/ulDg9xzJ+CS6WBMQxMoU
xO1OWhpLMDKT8soPogGY13yOsSbhPY6ef3+//eRczxLf8bg3qzoKo362PjqHVxlq
IY01Ul+MB3M4NdFuFNMKM2/DBHn9qBeoZdQxnQ/vpxhBbpP2hIyEflyfsUQOmUYU
lWBcnxbSLxf87CmJ3f1VSsms6kbgnxYJyNBgkXiU3WHFfcRZqoU/R+SFu2THRMPt
ugor1zCHNxBBIdDEMRDWJvDTt34vRsT51Xbig+hH5BVdiKQzQ3k=
=MYDV
-----END PGP SIGNATURE-----
Merge 6.1.2 into android14-6.1
Changes in 6.1.2
MIPS: DTS: CI20: fix reset line polarity of the ethernet controller
usb: musb: remove extra check in musb_gadget_vbus_draw
arm64: dts: renesas: r8a779g0: Fix HSCIF0 "brg_int" clock
arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins
arm64: dts: qcom: sm8250-sony-xperia-edo: fix touchscreen bias-disable
arm64: dts: qcom: sdm845-xiaomi-polaris: fix codec pin conf name
arm64: dts: qcom: msm8996: Add MSM8996 Pro support
arm64: dts: qcom: msm8996: fix supported-hw in cpufreq OPP tables
arm64: dts: qcom: msm8996: fix GPU OPP table
ARM: dts: qcom: apq8064: fix coresight compatible
arm64: dts: qcom: sdm630: fix UART1 pin bias
arm64: dts: qcom: sdm845-cheza: fix AP suspend pin bias
arm64: dts: qcom: msm8916: Drop MSS fallback compatible
arm64: dts: fsd: fix drive strength macros as per FSD HW UM
arm64: dts: fsd: fix drive strength values as per FSD HW UM
memory: renesas-rpc-if: Clear HS bit during hardware initialization
objtool, kcsan: Add volatile read/write instrumentation to whitelist
ARM: dts: stm32: Drop stm32mp15xc.dtsi from Avenger96
ARM: dts: stm32: Fix AV96 WLAN regulator gpio property
drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
firmware: ti_sci: Fix polled mode during system suspend
riscv: dts: microchip: fix memory node unit address for icicle
arm64: dts: qcom: pm660: Use unique ADC5_VCOIN address in node name
arm64: dts: qcom: sm8250: correct LPASS pin pull down
arm64: dts: qcom: sc7180-trogdor-homestar: fully configure secondary I2S pins
soc: qcom: llcc: make irq truly optional
arm64: dts: qcom: sm8150: fix UFS PHY registers
arm64: dts: qcom: sm8250: fix UFS PHY registers
arm64: dts: qcom: sm8350: fix UFS PHY registers
arm64: dts: qcom: sm8450: fix UFS PHY registers
arm64: dts: qcom: msm8996: fix sound card reset line polarity
arm64: dts: qcom: sm8250-mtp: fix reset line polarity
arm64: dts: qcom: sc7280: fix codec reset line polarity for CRD 3.0/3.1
arm64: dts: qcom: sc7280: fix codec reset line polarity for CRD 1.0/2.0
arm64: dts: qcom: sm8250: drop bogus DP PHY clock
arm64: dts: qcom: sm6350: drop bogus DP PHY clock
soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index
arm64: dts: qcom: pm6350: Include header for KEY_POWER
arm64: dts: qcom: sm6125: fix SDHCI CQE reg names
arm64: dts: renesas: r8a779f0: Fix HSCIF "brg_int" clock
arm64: dts: renesas: r8a779f0: Fix SCIF "brg_int" clock
arm64: dts: renesas: r9a09g011: Fix unit address format error
arm64: dts: renesas: r9a09g011: Fix I2C SoC specific strings
dt-bindings: pwm: fix microchip corePWM's pwm-cells
soc: sifive: ccache: fix missing iounmap() in error path in sifive_ccache_init()
soc: sifive: ccache: fix missing free_irq() in error path in sifive_ccache_init()
soc: sifive: ccache: fix missing of_node_put() in sifive_ccache_init()
arm64: dts: mt7986: fix trng node name
soc/tegra: cbb: Use correct master_id mask for CBB NOC in Tegra194
soc/tegra: cbb: Update slave maps for Tegra234
soc/tegra: cbb: Add checks for potential out of bound errors
soc/tegra: cbb: Check firewall before enabling error reporting
arm64: dts: qcom: sc7280: Mark all Qualcomm reference boards as LTE
arm: dts: spear600: Fix clcd interrupt
riscv: dts: microchip: fix the icicle's #pwm-cells
soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe
soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
arm64: mm: kfence: only handle translation faults
perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init()
drivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init()
perf/arm_dmc620: Fix hotplug callback leak in dmc620_pmu_init()
perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()
arm64: dts: ti: k3-am65-main: Drop dma-coherent in crypto node
arm64: dts: ti: k3-j721e-main: Drop dma-coherent in crypto node
arm64: dts: ti: k3-j7200-mcu-wakeup: Drop dma-coherent in crypto node
arm64: dts: ti: k3-j721s2: Fix the interrupt ranges property for main & wkup gpio intr
riscv: dts: microchip: remove pcie node from the sev kit
ARM: dts: nuvoton: Remove bogus unit addresses from fixed-partition nodes
arm64: dts: mediatek: mt8195: Fix CPUs capacity-dmips-mhz
arm64: dts: mt7896a: Fix unit_address_vs_reg warning for oscillator
arm64: dts: mt6779: Fix devicetree build warnings
arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators
arm64: dts: mt2712e: Fix unit address for pinctrl node
arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names
arm64: dts: mt2712-evb: Fix usb vbus regulators unit names
arm64: dts: mediatek: pumpkin-common: Fix devicetree warnings
arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name
arm64: tegra: Fix Prefetchable aperture ranges of Tegra234 PCIe controllers
arm64: tegra: Fix non-prefetchable aperture of PCIe C3 controller
arm64: dts: mt7986: move wed_pcie node
ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
ARM: dts: turris-omnia: Add ethernet aliases
ARM: dts: turris-omnia: Add switch port 6 node
arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC
soc: apple: sart: Stop casting function pointer signatures
soc: apple: rtkit: Stop casting function pointer signatures
drivers/perf: hisi: Fix some event id for hisi-pcie-pmu
seccomp: Move copy_seccomp() to no failure path.
pstore/ram: Fix error return code in ramoops_probe()
ARM: mmp: fix timer_read delay
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
arch: arm64: apple: t8103: Use standard "iommu" node name
tpm: tis_i2c: Fix sanity check interrupt enable mask
tpm: Add flag to use default cancellation policy
tpm/tpm_ftpm_tee: Fix error handling in ftpm_mod_init()
tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
ovl: remove privs in ovl_copyfile()
ovl: remove privs in ovl_fallocate()
sched/uclamp: Fix relationship between uclamp and migration margin
sched/uclamp: Make task_fits_capacity() use util_fits_cpu()
sched/uclamp: Fix fits_capacity() check in feec()
sched/uclamp: Make select_idle_capacity() use util_fits_cpu()
sched/uclamp: Make asym_fits_capacity() use util_fits_cpu()
sched/uclamp: Make cpu_overutilized() use util_fits_cpu()
sched/uclamp: Cater for uclamp in find_energy_efficient_cpu()'s early exit condition
cpuidle: dt: Return the correct numbers of parsed idle states
alpha: fix TIF_NOTIFY_SIGNAL handling
alpha: fix syscall entry in !AUDUT_SYSCALL case
sched/psi: Fix possible missing or delayed pending event
x86/sgx: Reduce delay and interference of enclave release
PM: hibernate: Fix mistake in kerneldoc comment
fs: don't audit the capability check in simple_xattr_list()
cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()
x86/split_lock: Add sysctl to control the misery mode
ACPI: irq: Fix some kernel-doc issues
selftests/ftrace: event_triggers: wait longer for test_event_enable
perf: Fix possible memleak in pmu_dev_alloc()
lib/debugobjects: fix stat count and optimize debug_objects_mem_init
platform/x86: huawei-wmi: fix return value calculation
timerqueue: Use rb_entry_safe() in timerqueue_getnext()
proc: fixup uptime selftest
lib/fonts: fix undefined behavior in bit shift for get_default_font
ocfs2: fix memory leak in ocfs2_stack_glue_init()
selftests: cgroup: fix unsigned comparison with less than zero
cpufreq: qcom-hw: Fix the frequency returned by cpufreq_driver->get()
MIPS: vpe-mt: fix possible memory leak while module exiting
MIPS: vpe-cmp: fix possible memory leak while module exiting
selftests/efivarfs: Add checking of the test return value
PNP: fix name memory leak in pnp_alloc_dev()
mailbox: pcc: Reset pcc_chan_count to zero in case of PCC probe failure
ACPI: pfr_telemetry: use ACPI_FREE() to free acpi_object
ACPI: pfr_update: use ACPI_FREE() to free acpi_object
perf/x86/intel/uncore: Fix reference count leak in sad_cfg_iio_topology()
perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()
perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()
perf/x86/intel/uncore: Fix reference count leak in __uncore_imc_init_box()
platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()
thermal: core: fix some possible name leaks in error paths
irqchip/loongson-pch-pic: Fix translate callback for DT path
irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
irqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init()
irqchip/loongson-liointc: Fix improper error handling in liointc_init()
EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()
NFSD: Finish converting the NFSv2 GETACL result encoder
NFSD: Finish converting the NFSv3 GETACL result encoder
nfsd: don't call nfsd_file_put from client states seqfile display
genirq/irqdesc: Don't try to remove non-existing sysfs files
cpufreq: amd_freq_sensitivity: Add missing pci_dev_put()
libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
lib/notifier-error-inject: fix error when writing -errno to debugfs file
debugfs: fix error when writing negative value to atomic_t debugfs file
ocfs2: fix memory leak in ocfs2_mount_volume()
rapidio: fix possible name leaks when rio_add_device() fails
rapidio: rio: fix possible name leak in rio_register_mport()
clocksource/drivers/sh_cmt: Access registers according to spec
futex: Resend potentially swallowed owner death notification
cpu/hotplug: Make target_store() a nop when target == state
cpu/hotplug: Do not bail-out in DYING/STARTING sections
clocksource/drivers/timer-ti-dm: Fix warning for omap_timer_match
clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock()
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()
x86/xen: Fix memory leak in xen_init_lock_cpu()
xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
PM: runtime: Do not call __rpm_callback() from rpm_idle()
erofs: check the uniqueness of fsid in shared domain in advance
erofs: Fix pcluster memleak when its block address is zero
erofs: fix missing unmap if z_erofs_get_extent_compressedlen() fails
erofs: validate the extent length for uncompressed pclusters
platform/chrome: cros_ec_typec: zero out stale pointers
platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
platform/x86: intel_scu_ipc: fix possible name leak in __intel_scu_ipc_register()
MIPS: BCM63xx: Add check for NULL for clk in clk_enable
MIPS: OCTEON: warn only once if deprecated link status is being used
lockd: set other missing fields when unlocking files
nfsd: return error if nfs4_setacl fails
NFSD: pass range end to vfs_fsync_range() instead of count
fs: sysv: Fix sysv_nblocks() returns wrong value
rapidio: fix possible UAF when kfifo_alloc() fails
eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD
relay: fix type mismatch when allocating memory in relay_create_buf()
hfs: Fix OOB Write in hfs_asc2mac
rapidio: devices: fix missing put_device in mport_cdev_open
ipc: fix memory leak in init_mqueue_fs()
platform/mellanox: mlxbf-pmc: Fix event typo
selftests/bpf: Add missing bpf_iter_vma_offset__destroy call
wifi: fix multi-link element subelement iteration
wifi: mac80211: mlme: fix null-ptr deref on failed assoc
wifi: mac80211: check link ID in auth/assoc continuation
wifi: mac80211: fix ifdef symbol name
drm/atomic-helper: Don't allocate new plane state in CRTC check
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
wifi: rtl8xxxu: Fix reading the vendor of combo chips
wifi: ath11k: fix firmware assert during bandwidth change for peer sta
drm/bridge: adv7533: remove dynamic lane switching from adv7533 bridge
libbpf: Fix use-after-free in btf_dump_name_dups
libbpf: Fix memory leak in parse_usdt_arg()
selftests/bpf: Fix memory leak caused by not destroying skeleton
selftest/bpf: Fix memory leak in kprobe_multi_test
selftests/bpf: Fix error failure of case test_xdp_adjust_tail_grow
selftest/bpf: Fix error usage of ASSERT_OK in xdp_adjust_tail.c
libbpf: Use elf_getshdrnum() instead of e_shnum
libbpf: Deal with section with no data gracefully
libbpf: Fix null-pointer dereference in find_prog_by_sec_insn()
drm: lcdif: Switch to limited range for RGB to YUV conversion
ata: libata: fix NCQ autosense logic
pinctrl: ocelot: add missing destroy_workqueue() in error path in ocelot_pinctrl_probe()
ASoC: Intel: avs: Fix DMA mask assignment
ASoC: Intel: avs: Fix potential RX buffer overflow
ipmi: kcs: Poll OBF briefly to reduce OBE latency
drm/amdgpu: Revert "drm/amdgpu: getting fan speed pwm for vega10 properly"
drm/amdgpu/powerplay/psm: Fix memory leak in power state init
net: ethernet: adi: adin1110: Fix SPI transfers
samples/bpf: Fix map iteration in xdp1_user
samples/bpf: Fix MAC address swapping in xdp2_kern
selftests/bpf: fix missing BPF object files
drm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe
Input: iqs7222 - protect against undefined slider size
media: v4l2-ctrls: Fix off-by-one error in integer menu control check
media: coda: jpeg: Add check for kmalloc
media: amphion: reset instance if it's aborted before codec header parsed
media: adv748x: afe: Select input port when initializing AFE
media: v4l2-ioctl.c: Unify YCbCr/YUV terms in format descriptions
media: cedrus: hevc: Fix offset adjustments
media: mediatek: vcodec: fix h264 cavlc bitstream fail
drm/i915/guc: Limit scheduling properties to avoid overflow
drm/i915: Fix compute pre-emption w/a to apply to compute engines
media: i2c: hi846: Fix memory leak in hi846_parse_dt()
media: i2c: ad5820: Fix error path
venus: pm_helpers: Fix error check in vcodec_domains_get()
soreuseport: Fix socket selection for SO_INCOMING_CPU.
media: i2c: ov5648: Free V4L2 fwnode data on unbind
media: exynos4-is: don't rely on the v4l2_async_subdev internals
libbpf: Btf dedup identical struct test needs check for nested structs/arrays
can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device
can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event
can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT
can: kvaser_usb_leaf: Set Warning state even without bus errors
can: kvaser_usb_leaf: Fix improved state not being reported
can: kvaser_usb_leaf: Fix wrong CAN state after stopping
can: kvaser_usb_leaf: Fix bogus restart events
can: kvaser_usb: Add struct kvaser_usb_busparams
can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming
clk: renesas: r8a779f0: Fix SD0H clock name
clk: renesas: r8a779a0: Fix SD0H clock name
ASoC: dt-bindings: rt5682: Set sound-dai-cells to 1
drm/i915/guc: Add error-capture init warnings when needed
drm/i915/guc: Fix GuC error capture sizing estimation and reporting
dw9768: Enable low-power probe on ACPI
drm/amd/display: wait for vblank during pipe programming
drm/rockchip: lvds: fix PM usage counter unbalance in poweron
drm/i915: Handle all GTs on driver (un)load paths
drm/i915: Refactor ttm ghost obj detection
drm/i915: Encapsulate lmem rpm stuff in intel_runtime_pm
drm/i915/dgfx: Grab wakeref at i915_ttm_unmap_virtual
clk: renesas: r9a06g032: Repair grave increment error
drm: lcdif: change burst size to 256B
drm/panel/panel-sitronix-st7701: Fix RTNI calculation
spi: Update reference to struct spi_controller
drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure
drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED
drm/msm/mdp5: stop overriding drvdata
ima: Handle -ESTALE returned by ima_filter_rule_match()
drm/msm/hdmi: use devres helper for runtime PM management
bpf: Clobber stack slot when writing over spilled PTR_TO_BTF_ID
bpf: Fix slot type check in check_stack_write_var_off
drm/msm/dpu1: Account for DSC's bits_per_pixel having 4 fractional bits
drm/msm/dsi: Remove useless math in DSC calculations
drm/msm/dsi: Remove repeated calculation of slice_per_intf
drm/msm/dsi: Use DIV_ROUND_UP instead of conditional increment on modulo
drm/msm/dsi: Reuse earlier computed dsc->slice_chunk_size
drm/msm/dsi: Appropriately set dsc->mux_word_size based on bpc
drm/msm/dsi: Migrate to drm_dsc_compute_rc_parameters()
drm/msm/dsi: Account for DSC's bits_per_pixel having 4 fractional bits
drm/msm/dsi: Disallow 8 BPC DSC configuration for alternative BPC values
drm/msm/dsi: Prevent signed BPG offsets from bleeding into adjacent bits
media: platform: mtk-mdp3: fix error handling in mdp_cmdq_send()
media: platform: mtk-mdp3: fix error handling about components clock_on
media: platform: mtk-mdp3: fix error handling in mdp_probe()
media: rkvdec: Add required padding
media: vivid: fix compose size exceed boundary
media: platform: exynos4-is: fix return value check in fimc_md_probe()
bpf: propagate precision in ALU/ALU64 operations
bpf: propagate precision across all frames, not just the last one
clk: qcom: gcc-ipq806x: use parent_data for the last remaining entry
clk: qcom: dispcc-sm6350: Add CLK_OPS_PARENT_ENABLE to pixel&byte src
clk: qcom: gcc-sm8250: Use retention mode for USB GDSCs
mtd: Fix device name leak when register device failed in add_mtd_device()
mtd: core: fix possible resource leak in init_mtd()
Input: joystick - fix Kconfig warning for JOYSTICK_ADC
wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port
media: camss: Clean up received buffers on failed start of streaming
media: camss: Do not attach an already attached power domain on MSM8916 platform
clk: renesas: r8a779f0: Fix HSCIF parent clocks
clk: renesas: r8a779f0: Fix SCIF parent clocks
virt/sev-guest: Add a MODULE_ALIAS
net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write()
rxrpc: Fix ack.bufferSize to be 0 when generating an ack
drm: lcdif: Set and enable FIFO Panic threshold
wifi: rtw89: use u32_encode_bits() to fill MAC quota value
drm: rcar-du: Drop leftovers dependencies from Kconfig
regmap-irq: Use the new num_config_regs property in regmap_add_irq_chip_fwnode
drbd: use blk_queue_max_discard_sectors helper
bfq: fix waker_bfqq inconsistency crash
drm/radeon: Add the missed acpi_put_table() to fix memory leak
dt-bindings: pinctrl: update uart/mmc bindings for MT7986 SoC
pinctrl: mediatek: fix the pinconf register offset of some pins
wifi: iwlwifi: mei: make sure ownership confirmed message is sent
wifi: iwlwifi: mei: don't send SAP commands if AMT is disabled
wifi: iwlwifi: mei: fix tx DHCP packet for devices with new Tx API
wifi: iwlwifi: mei: avoid blocking sap messages handling due to rtnl lock
wifi: iwlwifi: mei: fix potential NULL-ptr deref after clone
module: Fix NULL vs IS_ERR checking for module_get_next_page
ASoC: codecs: wsa883x: Use proper shutdown GPIO polarity
ASoC: codecs: wsa883x: use correct header file
selftests/bpf: Fix xdp_synproxy compilation failure in 32-bit arch
selftests/bpf: Fix incorrect ASSERT in the tcp_hdr_options test
drm/mediatek: Modify dpi power on/off sequence.
ASoC: pxa: fix null-pointer dereference in filter()
nvmet: only allocate a single slab for bvecs
regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()
nvme: return err on nvme_init_non_mdts_limits fail
wifi: rtw89: Fix some error handling path in rtw89_core_sta_assoc()
regulator: qcom-rpmh: Fix PMR735a S3 regulator spec
drm/fourcc: Fix vsub/hsub for Q410 and Q401
ALSA: memalloc: Allocate more contiguous pages for fallback case
integrity: Fix memory leakage in keyring allocation error path
ima: Fix misuse of dereference of pointer in template_desc_init_fields()
block: clear ->slave_dir when dropping the main slave_dir reference
dm: cleanup open_table_device
dm: cleanup close_table_device
dm: make sure create and remove dm device won't race with open and close table
dm: track per-add_disk holder relations in DM
selftests/bpf: fix memory leak of lsm_cgroup
wifi: ath10k: Fix return value in ath10k_pci_init()
drm/msm/a6xx: Fix speed-bin detection vs probe-defer
mtd: lpddr2_nvm: Fix possible null-ptr-deref
Input: elants_i2c - properly handle the reset GPIO when power is off
ASoC: amd: acp: Fix possible UAF in acp_dma_open
net: ethernet: mtk_eth_soc: do not overwrite mtu configuration running reset routine
media: amphion: add lock around vdec_g_fmt
media: amphion: apply vb2_queue_error instead of setting manually
media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init()
media: solo6x10: fix possible memory leak in solo_sysfs_init()
media: platform: exynos4-is: Fix error handling in fimc_md_init()
media: amphion: Fix error handling in vpu_driver_init()
media: videobuf-dma-contig: use dma_mmap_coherent
net: ethernet: mtk_eth_soc: fix RSTCTRL_PPE{0,1} definitions
udp: Clean up some functions.
net: Return errno in sk->sk_prot->get_port().
mtd: spi-nor: hide jedec_id sysfs attribute if not present
mtd: spi-nor: Fix the number of bytes for the dummy cycles
clk: imx93: correct the flexspi1 clock setting
bpf: Pin the start cgroup in cgroup_iter_seq_init()
HID: i2c: let RMI devices decide what constitutes wakeup event
clk: imx93: unmap anatop base in error handling path
clk: imx93: correct enet clock
bpf: Move skb->len == 0 checks into __bpf_redirect
HID: hid-sensor-custom: set fixed size for custom attributes
clk: imx: imxrt1050: fix IMXRT1050_CLK_LCDIF_APB offsets
pinctrl: k210: call of_node_put()
wifi: rtw89: fix physts IE page check
ASoC: Intel: Skylake: Fix Kconfig dependency
ASoC: Intel: avs: Lock substream before snd_pcm_stop()
ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT
ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
regulator: core: use kfree_const() to free space conditionally
clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
drm/amdgpu: fix pci device refcount leak
drm/i915/guc: make default_lists const data
selftests/bpf: Make sure zero-len skbs aren't redirectable
selftests/bpf: Mount debugfs in setns_by_fd
bonding: fix link recovery in mode 2 when updelay is nonzero
clk: microchip: check for null return of devm_kzalloc()
mtd: core: Fix refcount error in del_mtd_device()
mtd: maps: pxa2xx-flash: fix memory leak in probe
drbd: remove call to memset before free device/resource/connection
drbd: destroy workqueue when drbd device was freed
ASoC: qcom: Add checks for devm_kcalloc
ASoC: qcom: cleanup and fix dependency of QCOM_COMMON
ASoC: mediatek: mt8186: Correct I2S shared clocks
media: vimc: Fix wrong function called when vimc_init() fails
media: imon: fix a race condition in send_packet()
media: imx: imx7-media-csi: Clear BIT_MIPI_DOUBLE_CMPNT for <16b formats
media: mt9p031: Drop bogus v4l2_subdev_get_try_crop() call from mt9p031_init_cfg()
clk: imx8mn: rename vpu_pll to m7_alt_pll
clk: imx: replace osc_hdmi with dummy
clk: imx: rename video_pll1 to video_pll
clk: imx8mn: fix imx8mn_sai2_sels clocks list
clk: imx8mn: fix imx8mn_enet_phy_sels clocks list
pinctrl: pinconf-generic: add missing of_node_put()
media: dvb-core: Fix ignored return value in dvb_register_frontend()
media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
x86/boot: Skip realmode init code when running as Xen PV guest
media: sun6i-mipi-csi2: Require both pads to be connected for streaming
media: sun8i-a83t-mipi-csi2: Require both pads to be connected for streaming
media: sun6i-mipi-csi2: Register async subdev with no sensor attached
media: sun8i-a83t-mipi-csi2: Register async subdev with no sensor attached
media: amphion: try to wakeup vpu core to avoid failure
media: amphion: cancel vpu before release instance
media: amphion: lock and check m2m_ctx in event handler
media: mediatek: vcodec: Fix getting NULL pointer for dst buffer
media: mediatek: vcodec: Fix h264 set lat buffer error
media: mediatek: vcodec: Setting lat buf to lat_list when lat decode error
media: mediatek: vcodec: Core thread depends on core_list
media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC
drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe()
ASoC: dt-bindings: wcd9335: fix reset line polarity in example
ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd
drm/msm/mdp5: fix reading hw revision on db410c platform
NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding
NFSv4.2: Always decode the security label
NFSv4.2: Fix a memory stomp in decode_attr_security_label
NFSv4.2: Fix initialisation of struct nfs4_label
NFSv4: Fix a credential leak in _nfs4_discover_trunking()
NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
NFS: Fix an Oops in nfs_d_automount()
ALSA: asihpi: fix missing pci_disable_device()
wifi: plfxlc: fix potential memory leak in __lf_x_usb_enable_rx()
wifi: rtl8xxxu: Fix use after rcu_read_unlock in rtl8xxxu_bss_info_changed
wifi: iwlwifi: mvm: fix double free on tx path.
ASoC: mediatek: mt8173: Enable IRQ when pdata is ready
clk: mediatek: fix dependency of MT7986 ADC clocks
drm/amd/pm/smu11: BACO is supported when it's in BACO state
amdgpu/nv.c: Corrected typo in the video capabilities resolution
drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
drm/amdkfd: Fix memory leakage
drm/i915/bios: fix a memory leak in generate_lfp_data_ptrs
ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
clk: visconti: Fix memory leak in visconti_register_pll()
netfilter: conntrack: set icmpv6 redirects as RELATED
Input: wistron_btns - disable on UML
bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
bpf, sockmap: Fix missing BPF_F_INGRESS flag when using apply_bytes
bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect
bonding: uninitialized variable in bond_miimon_inspect()
spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE
wifi: nl80211: Add checks for nla_nest_start() in nl80211_send_iface()
wifi: mac80211: fix memory leak in ieee80211_if_add()
wifi: mac80211: fix maybe-unused warning
wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails
wifi: mt76: mt7921: fix antenna signal are way off in monitor mode
wifi: mt76: mt7915: fix mt7915_mac_set_timing()
wifi: mt76: mt7915: fix reporting of TX AGGR histogram
wifi: mt76: mt7921: fix reporting of TX AGGR histogram
wifi: mt76: mt7915: rework eeprom tx paths and streams init
wifi: mt76: mt7915: Fix chainmask calculation on mt7915 DBDC
wifi: mt76: mt7921: fix wrong power after multiple SAR set
wifi: mt76: fix coverity overrun-call in mt76_get_txpower()
wifi: mt76: mt7921: Add missing __packed annotation of struct mt7921_clc
wifi: mt76: do not send firmware FW_FEATURE_NON_DL region
mt76: mt7915: Fix PCI device refcount leak in mt7915_pci_init_hif2()
regulator: core: fix module refcount leak in set_supply()
clk: qcom: lpass-sc7280: Fix pm_runtime usage
clk: qcom: lpass-sc7180: Fix pm_runtime usage
clk: qcom: clk-krait: fix wrong div2 functions
Revert "net: hsr: use hlist_head instead of list_head for mac addresses"
hsr: Add a rcu-read lock to hsr_forward_skb().
hsr: Avoid double remove of a node.
hsr: Disable netpoll.
hsr: Synchronize sending frames to have always incremented outgoing seq nr.
hsr: Synchronize sequence number updates.
configfs: fix possible memory leak in configfs_create_dir()
regulator: core: fix resource leak in regulator_register()
hwmon: (jc42) Convert register access and caching to regmap/regcache
hwmon: (jc42) Restore the min/max/critical temperatures on resume
bpf: Add dummy type reference to nf_conn___init to fix type deduplication
bpf, sockmap: fix race in sock_map_free()
ALSA: pcm: Set missing stop_operating flag at undoing trigger start
media: saa7164: fix missing pci_disable_device()
media: ov5640: set correct default link frequency
ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
pinctrl: thunderbay: fix possible memory leak in thunderbay_build_functions()
xprtrdma: Fix regbuf data not freed in rpcrdma_req_create()
SUNRPC: Fix missing release socket in rpc_sockname()
NFSv4.2: Set the correct size scratch buffer for decoding READ_PLUS
NFS: Allow very small rsize & wsize again
NFSv4.x: Fail client initialisation if state manager thread can't run
riscv, bpf: Emit fixed-length instructions for BPF_PSEUDO_FUNC
bpftool: Fix memory leak in do_build_table_cb
hwmon: (emc2305) fix unable to probe emc2301/2/3
hwmon: (emc2305) fix pwm never being able to set lower
mmc: alcor: fix return value check of mmc_add_host()
mmc: moxart: fix return value check of mmc_add_host()
mmc: mxcmmc: fix return value check of mmc_add_host()
mmc: pxamci: fix return value check of mmc_add_host()
mmc: rtsx_pci: fix return value check of mmc_add_host()
mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
mmc: toshsd: fix return value check of mmc_add_host()
mmc: vub300: fix return value check of mmc_add_host()
mmc: wmt-sdmmc: fix return value check of mmc_add_host()
mmc: litex_mmc: ensure `host->irq == 0` if polling
mmc: atmel-mci: fix return value check of mmc_add_host()
mmc: omap_hsmmc: fix return value check of mmc_add_host()
mmc: meson-gx: fix return value check of mmc_add_host()
mmc: via-sdmmc: fix return value check of mmc_add_host()
mmc: wbsd: fix return value check of mmc_add_host()
mmc: mmci: fix return value check of mmc_add_host()
mmc: renesas_sdhi: alway populate SCC pointer
memstick/ms_block: Add check for alloc_ordered_workqueue
mmc: core: Normalize the error handling branch in sd_read_ext_regs()
nvme: pass nr_maps explicitly to nvme_alloc_io_tag_set
regulator: qcom-labibb: Fix missing of_node_put() in qcom_labibb_regulator_probe()
media: c8sectpfe: Add of_node_put() when breaking out of loop
media: coda: Add check for dcoda_iram_alloc
media: coda: Add check for kmalloc
media: staging: stkwebcam: Restore MEDIA_{USB,CAMERA}_SUPPORT dependencies
clk: samsung: Fix memory leak in _samsung_clk_register_pll()
spi: spi-gpio: Don't set MOSI as an input if not 3WIRE mode
wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
wifi: rtl8xxxu: Fix the channel width reporting
wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
blktrace: Fix output non-blktrace event when blk_classic option enabled
bpf: Do not zero-extend kfunc return values
clk: socfpga: Fix memory leak in socfpga_gate_init()
net: vmw_vsock: vmci: Check memcpy_from_msg()
net: defxx: Fix missing err handling in dfx_init()
net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload()
net: stmmac: fix possible memory leak in stmmac_dvr_probe()
drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
ipvs: use u64_stats_t for the per-cpu counters
of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop()
ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
net: farsync: Fix kmemleak when rmmods farsync
net/tunnel: wait until all sk_user_data reader finish before releasing the sock
net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave()
net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave()
net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave()
net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave()
hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave()
net: setsockopt: fix IPV6_UNICAST_IF option for connected sockets
af_unix: call proto_unregister() in the error path in af_unix_init()
net: amd-xgbe: Fix logic around active and passive cables
net: amd-xgbe: Check only the minimum speed for active/passive cables
can: tcan4x5x: Remove invalid write in clear_interrupts
can: m_can: Call the RAM init directly from m_can_chip_config
can: tcan4x5x: Fix use of register error status mask
net: ethernet: ti: am65-cpsw: Fix PM runtime leakage in am65_cpsw_nuss_ndo_slave_open()
net: lan9303: Fix read error execution path
ntb_netdev: Use dev_kfree_skb_any() in interrupt context
sctp: sysctl: make extra pointers netns aware
Bluetooth: hci_core: fix error handling in hci_register_dev()
Bluetooth: MGMT: Fix error report for ADD_EXT_ADV_PARAMS
Bluetooth: Fix EALREADY and ELOOP cases in bt_status()
Bluetooth: hci_conn: Fix crash on hci_create_cis_sync
Bluetooth: btintel: Fix missing free skb in btintel_setup_combined()
Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
octeontx2-af: cn10k: mcs: Fix a resource leak in the probe and remove functions
stmmac: fix potential division by 0
i40e: Fix the inability to attach XDP program on downed interface
net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error path
apparmor: fix a memleak in multi_transaction_new()
apparmor: fix lockdep warning when removing a namespace
apparmor: Fix abi check to include v8 abi
apparmor: Fix regression in stacking due to label flags
crypto: hisilicon/qm - fix incorrect parameters usage
crypto: hisilicon/qm - re-enable communicate interrupt before notifying PF
crypto: sun8i-ss - use dma_addr instead u32
crypto: nitrox - avoid double free on error path in nitrox_sriov_init()
crypto: tcrypt - fix return value for multiple subtests
scsi: core: Fix a race between scsi_done() and scsi_timeout()
apparmor: Use pointer to struct aa_label for lbs_cred
PCI: dwc: Fix n_fts[] array overrun
RDMA/core: Fix order of nldev_exit call
PCI: pci-epf-test: Register notifier if only core_init_notifier is enabled
f2fs: Fix the race condition of resize flag between resizefs
crypto: rockchip - do not do custom power management
crypto: rockchip - do not store mode globally
crypto: rockchip - add fallback for cipher
crypto: rockchip - add fallback for ahash
crypto: rockchip - better handle cipher key
crypto: rockchip - remove non-aligned handling
crypto: rockchip - rework by using crypto_engine
apparmor: Fix memleak in alloc_ns()
fortify: Do not cast to "unsigned char"
f2fs: fix to invalidate dcc->f2fs_issue_discard in error path
f2fs: fix gc mode when gc_urgent_high_remaining is 1
f2fs: fix normal discard process
f2fs: allow to set compression for inlined file
f2fs: fix the assign logic of iocb
f2fs: fix to destroy sbi->post_read_wq in error path of f2fs_fill_super()
RDMA/irdma: Report the correct link speed
scsi: qla2xxx: Fix set-but-not-used variable warnings
RDMA/siw: Fix immediate work request flush to completion queue
IB/mad: Don't call to function that might sleep while in atomic context
PCI: vmd: Disable MSI remapping after suspend
PCI: imx6: Initialize PHY before deasserting core reset
f2fs: fix to avoid accessing uninitialized spinlock
RDMA/restrack: Release MR restrack when delete
RDMA/core: Make sure "ib_port" is valid when access sysfs node
RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port
RDMA/siw: Set defined status for work completion with undefined status
RDMA/irdma: Fix inline for multiple SGE's
RDMA/irdma: Fix RQ completion opcode
RDMA/irdma: Do not request 2-level PBLEs for CQ alloc
scsi: scsi_debug: Fix a warning in resp_write_scat()
crypto: ccree - Remove debugfs when platform_driver_register failed
crypto: cryptd - Use request context instead of stack for sub-request
crypto: hisilicon/qm - add missing pci_dev_put() in q_num_set()
RDMA/rxe: Fix mr->map double free
RDMA/hns: Fix ext_sge num error when post send
RDMA/hns: Fix incorrect sge nums calculation
PCI: Check for alloc failure in pci_request_irq()
RDMA/hfi: Decrease PCI device reference count in error path
crypto: ccree - Make cc_debugfs_global_fini() available for module init function
RDMA/irdma: Initialize net_type before checking it
RDMA/hns: fix memory leak in hns_roce_alloc_mr()
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
dt-bindings: imx6q-pcie: Fix clock names for imx6sx and imx8mq
dt-bindings: visconti-pcie: Fix interrupts array max constraints
PCI: endpoint: pci-epf-vntb: Fix call pci_epc_mem_free_addr() in error path
scsi: hpsa: Fix possible memory leak in hpsa_init_one()
crypto: tcrypt - Fix multibuffer skcipher speed test mem leak
padata: Always leave BHs disabled when running ->parallel()
padata: Fix list iterator in padata_do_serial()
crypto: x86/aegis128 - fix possible crash with CFI enabled
crypto: x86/aria - fix crash with CFI enabled
crypto: x86/sha1 - fix possible crash with CFI enabled
crypto: x86/sha256 - fix possible crash with CFI enabled
crypto: x86/sha512 - fix possible crash with CFI enabled
crypto: x86/sm3 - fix possible crash with CFI enabled
crypto: x86/sm4 - fix crash with CFI enabled
crypto: arm64/sm3 - add NEON assembly implementation
crypto: arm64/sm3 - fix possible crash with CFI enabled
crypto: hisilicon/qm - fix 'QM_XEQ_DEPTH_CAP' mask value
scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
scsi: hpsa: Fix error handling in hpsa_add_sas_host()
scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
scsi: efct: Fix possible memleak in efct_device_init()
scsi: scsi_debug: Fix a warning in resp_verify()
scsi: scsi_debug: Fix a warning in resp_report_zones()
scsi: fcoe: Fix possible name leak when device_register() fails
scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper()
scsi: ipr: Fix WARNING in ipr_init()
scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
scsi: snic: Fix possible UAF in snic_tgt_create()
scsi: ufs: core: Fix the polling implementation
RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps()
f2fs: set zstd compress level correctly
f2fs: fix to enable compress for newly created file if extension matches
f2fs: avoid victim selection from previous victim section
RDMA/nldev: Fix failure to send large messages
crypto: qat - fix error return code in adf_probe
crypto: amlogic - Remove kcalloc without check
crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe()
riscv/mm: add arch hook arch_clear_hugepage_flags
RDMA: Disable IB HW for UML
RDMA/hfi1: Fix error return code in parse_platform_config()
RDMA/srp: Fix error return code in srp_parse_options()
PCI: vmd: Fix secondary bus reset for Intel bridges
orangefs: Fix sysfs not cleanup when dev init failed
RDMA/hns: Fix the gid problem caused by free mr
RDMA/hns: Fix AH attr queried by query_qp
RDMA/hns: Fix PBL page MTR find
RDMA/hns: Fix page size cap from firmware
RDMA/hns: Fix error code of CMD
RDMA/hns: Fix XRC caps on HIP08
RISC-V: Fix unannoted hardirqs-on in return to userspace slow-path
RISC-V: Fix MEMREMAP_WB for systems with Svpbmt
riscv: Fix crash during early errata patching
crypto: img-hash - Fix variable dereferenced before check 'hdev->req'
hwrng: amd - Fix PCI device refcount leak
hwrng: geode - Fix PCI device refcount leak
IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
RISC-V: Align the shadow stack
f2fs: fix iostat parameter for discard
riscv: Fix P4D_SHIFT definition for 3-level page table mode
drivers: dio: fix possible memory leak in dio_init()
serial: tegra: Read DMA status before terminating
serial: 8250_bcm7271: Fix error handling in brcmuart_init()
drivers: staging: r8188eu: Fix sleep-in-atomic-context bug in rtw_join_timeout_handler
class: fix possible memory leak in __class_register()
vfio: platform: Do not pass return buffer to ACPI _RST method
vfio/iova_bitmap: Fix PAGE_SIZE unaligned bitmaps
uio: uio_dmem_genirq: Fix missing unlock in irq configuration
uio: uio_dmem_genirq: Fix deadlock between irq config and handling
usb: fotg210-udc: Fix ages old endianness issues
interconnect: qcom: sc7180: fix dropped const of qcom_icc_bcm
staging: vme_user: Fix possible UAF in tsi148_dma_list_add
usb: typec: Check for ops->exit instead of ops->enter in altmode_exit
usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()
usb: typec: tipd: Cleanup resources if devm_tps6598_psy_register fails
usb: typec: tipd: Fix spurious fwnode_handle_put in error path
usb: typec: tipd: Fix typec_unregister_port error paths
usb: musb: omap2430: Fix probe regression for missing resources
extcon: usbc-tusb320: Update state on probe even if no IRQ pending
USB: gadget: Fix use-after-free during usb config switch
serial: amba-pl011: avoid SBSA UART accessing DMACR register
serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle.
serial: stm32: move dma_request_chan() before clk_prepare_enable()
serial: pch: Fix PCI device refcount leak in pch_request_dma()
serial: altera_uart: fix locking in polling mode
serial: sunsab: Fix error handling in sunsab_init()
habanalabs: fix return value check in hl_fw_get_sec_attest_data()
test_firmware: fix memory leak in test_firmware_init()
misc: ocxl: fix possible name leak in ocxl_file_register_afu()
ocxl: fix pci device refcount leak when calling get_function_0()
misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()
cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
iio: temperature: ltc2983: make bulk write buffer DMA-safe
iio: adis: add '__adis_enable_irq()' implementation
counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update
coresight: trbe: remove cpuhp instance node before remove cpuhp state
coresight: cti: Fix null pointer error on CTI init before ETM
tracing/user_events: Fix call print_fmt leak
usb: roles: fix of node refcount leak in usb_role_switch_is_parent()
usb: core: hcd: Fix return value check in usb_hcd_setup_local_mem()
usb: gadget: f_hid: fix f_hidg lifetime vs cdev
usb: gadget: f_hid: fix refcount leak on error path
drivers: mcb: fix resource leak in mcb_probe()
mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
chardev: fix error handling in cdev_device_add()
vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries
i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe
staging: rtl8192u: Fix use after free in ieee80211_rx()
staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()
vme: Fix error not catched in fake_init()
gpiolib: cdev: fix NULL-pointer dereferences
gpiolib: protect the GPIO device against being dropped while in use by user-space
i2c: mux: reg: check return value after calling platform_get_resource()
i2c: ismt: Fix an out-of-bounds bug in ismt_access()
usb: storage: Add check for kcalloc
usb: typec: wusb3801: fix fwnode refcount leak in wusb3801_probe()
tracing/hist: Fix issue of losting command info in error_log
ksmbd: Fix resource leak in ksmbd_session_rpc_open()
samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe()
thermal/drivers/imx8mm_thermal: Validate temperature range
thermal/drivers/k3_j72xx_bandgap: Fix the debug print message
thermal/of: Fix memory leak on thermal_of_zone_register() failure
thermal/drivers/qcom/temp-alarm: Fix inaccurate warning for gen2
thermal/drivers/qcom/lmh: Fix irq handler return value
fbdev: ssd1307fb: Drop optional dependency
fbdev: pm2fb: fix missing pci_disable_device()
fbdev: via: Fix error in via_core_init()
fbdev: vermilion: decrease reference count in error path
fbdev: ep93xx-fb: Add missing clk_disable_unprepare in ep93xxfb_probe()
fbdev: geode: don't build on UML
fbdev: uvesafb: don't build on UML
fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
led: qcom-lpg: Fix sleeping in atomic
perf tools: Fix "kernel lock contention analysis" test by not printing warnings in quiet mode
perf stat: Use evsel__is_hybrid() more
perf stat: Move common code in print_metric_headers()
HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
power: supply: fix residue sysfs file in error handle route of __power_supply_register()
watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running
perf trace: Return error if a system call doesn't exist
perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number
perf trace: Handle failure when trace point folder is missed
perf symbol: correction while adjusting symbol
power: supply: z2_battery: Fix possible memleak in z2_batt_probe()
power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe()
HSI: omap_ssi_core: Fix error handling in ssi_init()
power: supply: ab8500: Fix error handling in ab8500_charger_init()
power: supply: Fix refcount leak in rk817_charger_probe
power: supply: bq25890: Factor out regulator registration code
power: supply: bq25890: Convert to i2c's .probe_new()
power: supply: bq25890: Ensure pump_express_work is cancelled on remove
perf branch: Fix interpretation of branch records
power: supply: fix null pointer dereferencing in power_supply_get_battery_info
gfs2: Partially revert gfs2_inode_lookup change
leds: is31fl319x: Fix setting current limit for is31fl319{0,1,3}
perf off_cpu: Fix a typo in BTF tracepoint name, it should be 'btf_trace_sched_switch'
ftrace: Allow WITH_ARGS flavour of graph tracer with shadow call stack
perf stat: Do not delay the workload with --delay
RDMA/siw: Fix pointer cast warning
fs/ntfs3: Avoid UBSAN error on true_sectors_per_clst()
fs/ntfs3: Harden against integer overflows
phy: marvell: phy-mvebu-a3700-comphy: Reset COMPHY registers before USB 3.0 power on
phy: qcom-qmp-pcie: drop bogus register update
dmaengine: idxd: Make max batch size attributes in sysfs invisible for Intel IAA
dmaengine: apple-admac: Allocate cache SRAM to channels
remoteproc: core: Auto select rproc-virtio device id
phy: qcom-qmp-pcie: drop power-down delay config
phy: qcom-qmp-pcie: replace power-down delay
phy: qcom-qmp-pcie: fix sc8180x initialisation
phy: qcom-qmp-pcie: fix ipq8074-gen3 initialisation
phy: qcom-qmp-pcie: fix ipq6018 initialisation
phy: qcom-qmp-usb: clean up power-down handling
phy: qcom-qmp-usb: drop sc8280xp power-down delay
phy: qcom-qmp-usb: drop power-down delay config
phy: qcom-qmp-usb: clean up status polling
phy: qcom-qmp-usb: drop start and pwrdn-ctrl abstraction
phy: qcom-qmp-usb: correct registers layout for IPQ8074 USB3 PHY
iommu/s390: Fix duplicate domain attachments
iommu/sun50i: Fix reset release
iommu/sun50i: Consider all fault sources for reset
iommu/sun50i: Fix R/W permission check
iommu/sun50i: Fix flush size
iommu/sun50i: Implement .iotlb_sync_map
iommu/rockchip: fix permission bits in page table entries v2
dmaengine: idxd: Make read buffer sysfs attributes invisible for Intel IAA
phy: qcom-qmp-usb: fix sc8280xp PCS_USB offset
phy: usb: s2 WoL wakeup_count not incremented for USB->Eth devices
phy: usb: Use slow clock for wake enabled suspend
phy: usb: Fix clock imbalance for suspend/resume
include/uapi/linux/swab: Fix potentially missing __always_inline
pwm: tegra: Improve required rate calculation
pwm: tegra: Ensure the clock rate is not less than needed
phy: qcom-qmp-pcie: split register tables into common and extra parts
phy: qcom-qmp-pcie: split pcs_misc init cfg for ipq8074 pcs table
phy: qcom-qmp-pcie: support separate tables for EP mode
phy: qcom-qmp-pcie: Support SM8450 PCIe1 PHY in EP mode
phy: qcom-qmp-pcie: Fix high latency with 4x2 PHY when ASPM is enabled
phy: qcom-qmp-pcie: Fix sm8450_qmp_gen4x2_pcie_pcs_tbl[] register names
fs/ntfs3: Fix slab-out-of-bounds read in ntfs_trim_fs
dmaengine: idxd: Fix crc_val field for completion record
rtc: rzn1: Check return value in rzn1_rtc_probe
rtc: class: Fix potential memleak in devm_rtc_allocate_device()
rtc: pcf2127: Convert to .probe_new()
rtc: cmos: Call cmos_wake_setup() from cmos_do_probe()
rtc: cmos: Call rtc_wake_setup() from cmos_do_probe()
rtc: cmos: Eliminate forward declarations of some functions
rtc: cmos: Rename ACPI-related functions
rtc: cmos: Disable ACPI RTC event on removal
rtc: snvs: Allow a time difference on clock register read
rtc: pcf85063: Fix reading alarm
iommu/mediatek: Check return value after calling platform_get_resource()
iommu: Avoid races around device probe
iommu/amd: Fix pci device refcount leak in ppr_notifier()
iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
macintosh: fix possible memory leak in macio_add_one_device()
macintosh/macio-adb: check the return value of ioremap()
powerpc/52xx: Fix a resource leak in an error handling path
cxl: Fix refcount leak in cxl_calc_capp_routing
powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds
powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data()
powerpc/pseries: fix the object owners enum value in plpks driver
powerpc/pseries: Fix the H_CALL error code in PLPKS driver
powerpc/pseries: Return -EIO instead of -EINTR for H_ABORTED error
powerpc/pseries: fix plpks_read_var() code for different consumers
kprobes: Fix check for probe enabled in kill_kprobe()
powerpc: dts: turris1x.dts: Add channel labels for temperature sensor
powerpc/perf: callchain validate kernel stack pointer bounds
powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe()
powerpc/hv-gpci: Fix hv_gpci event list
selftests/powerpc: Fix resource leaks
iommu/mediatek: Add platform_device_put for recovering the device refcnt
iommu/mediatek: Use component_match_add
iommu/mediatek: Add error path for loop of mm_dts_parse
iommu/mediatek: Validate number of phandles associated with "mediatek,larbs"
iommu/sun50i: Remove IOMMU_DOMAIN_IDENTITY
pwm: sifive: Call pwm_sifive_update_clock() while mutex is held
pwm: mtk-disp: Fix the parameters calculated by the enabled flag of disp_pwm
pwm: mediatek: always use bus clock for PWM on MT7622
RISC-V: KVM: Fix reg_val check in kvm_riscv_vcpu_set_reg_config()
remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()
remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()
remoteproc: qcom_q6v5_pas: disable wakeup on probe fail or remove
remoteproc: qcom_q6v5_pas: detach power domains on remove
remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in adsp_alloc_memory_region()
remoteproc: qcom: q6v5: Fix missing clk_disable_unprepare() in q6v5_wcss_qcs404_power_on()
powerpc/pseries/eeh: use correct API for error log size
dt-bindings: mfd: qcom,spmi-pmic: Drop PWM reg dependency
mfd: axp20x: Do not sleep in the power off handler
mfd: bd957x: Fix Kconfig dependency on REGMAP_IRQ
mfd: qcom_rpm: Fix an error handling path in qcom_rpm_probe()
mfd: pm8008: Fix return value check in pm8008_probe()
netfilter: flowtable: really fix NAT IPv6 offload
rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe()
rtc: pcf85063: fix pcf85063_clkout_control
iommu/mediatek: Fix forever loop in error handling
nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
net: macsec: fix net device access prior to holding a lock
bonding: add missed __rcu annotation for curr_active_slave
bonding: do failover when high prio link up
mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
block, bfq: fix possible uaf for 'bfqq->bic'
selftests/bpf: Select CONFIG_FUNCTION_ERROR_INJECTION
bpf: prevent leak of lsm program after failed attach
media: v4l2-ctrls-api.c: add back dropped ctrl->is_new = 1
net: enetc: avoid buffer leaks on xdp_do_redirect() failure
nfc: pn533: Clear nfc_target before being used
unix: Fix race in SOCK_SEQPACKET's unix_dgram_sendmsg()
r6040: Fix kmemleak in probe and remove
net: dsa: mv88e6xxx: avoid reg_lock deadlock in mv88e6xxx_setup_port()
igc: Enhance Qbv scheduling by using first flag bit
igc: Use strict cycles for Qbv scheduling
igc: Add checking for basetime less than zero
igc: allow BaseTime 0 enrollment for Qbv
igc: recalculate Qbv end_time by considering cycle time
igc: Set Qbv start_time and end_time to end_time if not being configured in GCL
rtc: mxc_v2: Add missing clk_disable_unprepare()
devlink: hold region lock when flushing snapshots
selftests: devlink: fix the fd redirect in dummy_reporter_test
openvswitch: Fix flow lookup to use unmasked key
soc: mediatek: pm-domains: Fix the power glitch issue
arm64: dts: mt8183: Fix Mali GPU clock
devlink: protect devlink dump by the instance lock
skbuff: Account for tail adjustment during pull operations
mailbox: mpfs: read the system controller's status
mailbox: arm_mhuv2: Fix return value check in mhuv2_probe()
mailbox: zynq-ipi: fix error handling while device_register() fails
net_sched: reject TCF_EM_SIMPLE case for complex ematch module
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
myri10ge: Fix an error handling path in myri10ge_probe()
net: stream: purge sk_error_queue in sk_stream_kill_queues()
mctp: serial: Fix starting value for frame check sequence
cifs: don't leak -ENOMEM in smb2_open_file()
net: dsa: microchip: remove IRQF_TRIGGER_FALLING in request_threaded_irq
mctp: Remove device type check at unregister
HID: amd_sfh: Add missing check for dma_alloc_coherent
net: fec: check the return value of build_skb()
rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state()
arm64: make is_ttbrX_addr() noinstr-safe
ARM: dts: aspeed: rainier,everest: Move reserved memory regions
video: hyperv_fb: Avoid taking busy spinlock on panic path
x86/hyperv: Remove unregister syscore call from Hyper-V cleanup
binfmt_misc: fix shift-out-of-bounds in check_special_flags
arm64: dts: qcom: sm8450: disable SDHCI SDR104/SDR50 on all boards
arm64: dts: qcom: sm6350: Add apps_smmu with streamID to SDHCI 1/2 nodes
fs: jfs: fix shift-out-of-bounds in dbAllocAG
udf: Avoid double brelse() in udf_rename()
jfs: Fix fortify moan in symlink
fs: jfs: fix shift-out-of-bounds in dbDiscardAG
ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value
ACPI: EC: Add quirk for the HP Pavilion Gaming 15-cx0041ur
ACPICA: Fix error code path in acpi_ds_call_control_method()
thermal/core: Ensure that thermal device is registered in thermal_zone_get_temp
ACPI: video: Change GIGABYTE GB-BXBT-2807 quirk to force_none
ACPI: video: Change Sony Vaio VPCEH3U1E quirk to force_native
ACPI: video: Add force_vendor quirk for Sony Vaio PCG-FRV35
ACPI: video: Add force_native quirk for Sony Vaio VPCY11S1E
nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
nilfs2: fix shift-out-of-bounds due to too large exponent of block size
acct: fix potential integer overflow in encode_comp_t()
x86/apic: Handle no CONFIG_X86_X2APIC on systems with x2APIC enabled by BIOS
ACPI: x86: Add skip i2c clients quirk for Lenovo Yoga Tab 3 Pro (YT3-X90F)
btrfs: do not panic if we can't allocate a prealloc extent state
ACPI: x86: Add skip i2c clients quirk for Medion Lifetab S10346
hfs: fix OOB Read in __hfs_brec_find
drm/etnaviv: add missing quirks for GC300
media: imx-jpeg: Disable useless interrupt to avoid kernel panic
brcmfmac: return error when getting invalid max_flowrings from dongle
wifi: ath9k: verify the expected usb_endpoints are present
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
ASoC: codecs: rt298: Add quirk for KBL-R RVP platform
ASoC: Intel: avs: Add quirk for KBL-R RVP platform
ipmi: fix memleak when unload ipmi driver
wifi: ath10k: Delay the unmapping of the buffer
openvswitch: Use kmalloc_size_roundup() to match ksize() usage
bnx2: Use kmalloc_size_roundup() to match ksize() usage
drm/amd/display: skip commit minimal transition state
drm/amd/display: prevent memory leak
drm/edid: add a quirk for two LG monitors to get them to work on 10bpc
Revert "drm/amd/display: Limit max DSC target bpp for specific monitors"
drm/rockchip: use pm_runtime_resume_and_get() instead of pm_runtime_get_sync()
blk-mq: avoid double ->queue_rq() because of early timeout
HID: apple: fix key translations where multiple quirks attempt to translate the same key
HID: apple: enable APPLE_ISO_TILDE_QUIRK for the keyboards of Macs with the T2 chip
wifi: ath11k: Fix qmi_msg_handler data structure initialization
qed (gcc13): use u16 for fid to be big enough
drm/meson: Fix return type of meson_encoder_cvbs_mode_valid()
bpf: make sure skb->len != 0 when redirecting to a tunneling device
net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
hamradio: baycom_epp: Fix return type of baycom_send_packet()
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
wifi: brcmfmac: Fix potential NULL pointer dereference in 'brcmf_c_preinit_dcmds()'
HID: input: do not query XP-PEN Deco LW battery
HID: uclogic: Add support for XP-PEN Deco LW
igb: Do not free q_vector unless new one was allocated
drm/amdgpu: Fix type of second parameter in trans_msg() callback
drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback
s390/ctcm: Fix return type of ctc{mp,}m_tx()
s390/netiucv: Fix return type of netiucv_tx()
s390/lcs: Fix return type of lcs_start_xmit()
drm/amd/display: Use min transition for SubVP into MPO
drm/amd/display: Disable DRR actions during state commit
drm/msm: Use drm_mode_copy()
drm/rockchip: Use drm_mode_copy()
drm/sti: Use drm_mode_copy()
drm/mediatek: Fix return type of mtk_hdmi_bridge_mode_valid()
drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()
md/raid0, raid10: Don't set discard sectors for request queue
md/raid1: stop mdx_raid1 thread when raid1 array run failed
drm/amd/display: Workaround to increase phantom pipe vactive in pipesplit
drm/amd/display: fix array index out of bound error in bios parser
nvme-auth: don't override ctrl keys before validation
net: add atomic_long_t to net_device_stats fields
ipv6/sit: use DEV_STATS_INC() to avoid data-races
mrp: introduce active flags to prevent UAF when applicant uninit
net: ethernet: mtk_eth_soc: drop packets to WDMA if the ring is full
bpf/verifier: Use kmalloc_size_roundup() to match ksize() usage
ppp: associate skb with a device at tx
drm/amd/display: Fix display corruption w/ VSR enable
bpf: Fix a BTF_ID_LIST bug with CONFIG_DEBUG_INFO_BTF not set
bpf: Prevent decl_tag from being referenced in func_proto arg
ethtool: avoiding integer overflow in ethtool_phys_id()
media: dvb-frontends: fix leak of memory fw
media: dvbdev: adopts refcnt to avoid UAF
media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
media: mediatek: vcodec: Can't set dst buffer to done when lat decode error
blk-mq: fix possible memleak when register 'hctx' failed
ALSA: usb-audio: Add quirk for Tascam Model 12
drm/amdgpu: Fix potential double free and null pointer dereference
drm/amd/display: Use the largest vready_offset in pipe group
drm/amd/display: Fix DTBCLK disable requests and SRC_SEL programming
ASoC: amd: yc: Add Xiaomi Redmi Book Pro 14 2022 into DMI table
libbpf: Avoid enum forward-declarations in public API in C++ mode
regulator: core: fix use_count leakage when handling boot-on
wifi: mt76: do not run mt76u_status_worker if the device is not running
hwmon: (nct6775) add ASUS CROSSHAIR VIII/TUF/ProArt B550M
selftests/bpf: Fix conflicts with built-in functions in bpf_iter_ksym
nfs: fix possible null-ptr-deref when parsing param
mmc: f-sdh30: Add quirks for broken timeout clock capability
mmc: renesas_sdhi: add quirk for broken register layout
mmc: renesas_sdhi: better reset from HS400 mode
mmc: sdhci-tegra: Issue CMD and DAT resets together
media: si470x: Fix use-after-free in si470x_int_in_callback()
clk: st: Fix memory leak in st_of_quadfs_setup()
regulator: core: Use different devices for resource allocation and DT lookup
ice: synchronize the misc IRQ when tearing down Tx tracker
Bluetooth: hci_bcm: Add CYW4373A0 support
Bluetooth: Add quirk to disable extended scanning
Bluetooth: Add quirk to disable MWS Transport Configuration
regulator: core: Fix resolve supply lookup issue
crypto: hisilicon/hpre - fix resource leak in remove process
scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs
scsi: ufs: Reduce the START STOP UNIT timeout
crypto: hisilicon/qm - increase the memory of local variables
Revert "PCI: Clear PCI_STATUS when setting up device"
scsi: elx: libefc: Fix second parameter type in state callbacks
hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
scsi: smartpqi: Add new controller PCI IDs
scsi: smartpqi: Correct device removal for multi-actuator devices
drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
scsi: target: iscsi: Fix a race condition between login_work and the login thread
orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
orangefs: Fix kmemleak in orangefs_sysfs_init()
orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()
hwmon: (jc42) Fix missing unlock on error in jc42_write()
ASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove()
ASoC: Intel: Skylake: Fix driver hang during shutdown
ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe()
ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link()
ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume()
ASoC: mediatek: mt8183: fix refcount leak in mt8183_mt6358_ts3a227_max98357_dev_probe()
ALSA: hda/hdmi: fix i915 silent stream programming flow
ALSA: hda/hdmi: set default audio parameters for KAE silent-stream
ALSA: hda/hdmi: fix stream-id config keep-alive for rt suspend
ASoC: wm8994: Fix potential deadlock
ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume()
ASoC: rt5670: Remove unbalanced pm_runtime_put()
drm/i915/display: Don't disable DDI/Transcoder when setting phy test pattern
LoadPin: Ignore the "contents" argument of the LSM hooks
lkdtm: cfi: Make PAC test work with GCC 7 and 8
pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion
drm/amd/pm: avoid large variable on kernel stack
perf debug: Set debug_peo_args and redirect_to_stderr variable to correct values in perf_quiet_option()
perf tools: Make quiet mode consistent between tools
perf probe: Check -v and -q options in the right place
MIPS: ralink: mt7621: avoid to init common ralink reset controller
perf test: Fix "all PMU test" to skip parametrized events
afs: Fix lost servers_outstanding count
cfi: Fix CFI failure with KASAN
pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES
ima: Simplify ima_lsm_copy_rule
Input: iqs7222 - drop unused device node references
Input: iqs7222 - report malformed properties
Input: iqs7222 - add support for IQS7222A v1.13+
dt-bindings: input: iqs7222: Reduce 'linux,code' to optional
dt-bindings: input: iqs7222: Correct minimum slider size
dt-bindings: input: iqs7222: Add support for IQS7222A v1.13+
ALSA: usb-audio: Workaround for XRUN at prepare
ALSA: usb-audio: add the quirk for KT0206 device
ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB
ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list
HID: logitech-hidpp: Guard FF init code against non-USB devices
usb: cdnsp: fix lack of ZLP for ep0
usb: xhci-mtk: fix leakage of shared hcd when fail to set wakeup irq
arm64: dts: qcom: sm6350: fix USB-DP PHY registers
arm64: dts: qcom: sm8250: fix USB-DP PHY registers
dt-bindings: clocks: imx8mp: Add ID for usb suspend clock
clk: imx: imx8mp: add shared clk gate for usb suspend clk
usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode
usb: dwc3: core: defer probe on ulpi_read_id timeout
usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init
xhci: Prevent infinite loop in transaction errors recovery for streams
HID: wacom: Ensure bootloader PID is usable in hidraw mode
HID: mcp2221: don't connect hidraw
loop: Fix the max_loop commandline argument treatment when it is set to 0
9p: set req refcount to zero to avoid uninitialized usage
security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6
reiserfs: Add missing calls to reiserfs_security_free()
iio: fix memory leak in iio_device_register_eventset()
iio: adc: ad_sigma_delta: do not use internal iio_dev lock
iio: adc128s052: add proper .data members in adc128_of_match table
iio: addac: ad74413r: fix integer promotion bug in ad74413_get_input_current_offset()
regulator: core: fix deadlock on regulator enable
spi: fsl_spi: Don't change speed while chipselect is active
floppy: Fix memory leak in do_floppy_init()
gcov: add support for checksum field
test_maple_tree: add test for mas_spanning_rebalance() on insufficient data
maple_tree: fix mas_spanning_rebalance() on insufficient data
fbdev: fbcon: release buffer when fbcon_do_set_font() failed
ovl: fix use inode directly in rcu-walk mode
btrfs: do not BUG_ON() on ENOMEM when dropping extent items for a range
mm/gup: disallow FOLL_FORCE|FOLL_WRITE on hugetlb mappings
scsi: qla2xxx: Fix crash when I/O abort times out
blk-iolatency: Fix memory leak on add_disk() failures
io_uring/net: introduce IORING_SEND_ZC_REPORT_USAGE flag
io_uring: add completion locking for iopoll
io_uring: dont remove file from msg_ring reqs
io_uring: improve io_double_lock_ctx fail handling
io_uring/net: ensure compat import handlers clear free_iov
io_uring/net: fix cleanup after recycle
io_uring: protect cq_timeouts with timeout_lock
io_uring: remove iopoll spinlock
net: stmmac: fix errno when create_singlethread_workqueue() fails
media: dvbdev: fix build warning due to comments
media: dvbdev: fix refcnt bug
drm/amd/display: revert Disable DRR actions during state commit
mfd: qcom_rpm: Use devm_of_platform_populate() to simplify code
pwm: tegra: Fix 32 bit build
Linux 6.1.2
Change-Id: I8f7c080f3b8288ed319fc0e25aaefb7ad5cd6b84
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Al Viro
|
bc2e0c5bb9 |
ovl: update ->f_iocb_flags when ovl_change_flags() modifies ->f_flags
commit 456b59e757b0c558df550764a4fd5ae6877e93f8 upstream. ovl_change_flags() is an open-coded variant of fs/fcntl.c:setfl() and it got missed by commit |
||
Zhang Tianci
|
d84a696c86 |
ovl: Use ovl mounter's fsuid and fsgid in ovl_link()
commit 5b0db51215e895a361bc63132caa7cca36a53d6a upstream.
There is a wrong case of link() on overlay:
$ mkdir /lower /fuse /merge
$ mount -t fuse /fuse
$ mkdir /fuse/upper /fuse/work
$ mount -t overlay /merge -o lowerdir=/lower,upperdir=/fuse/upper,\
workdir=work
$ touch /merge/file
$ chown bin.bin /merge/file // the file's caller becomes "bin"
$ ln /merge/file /merge/lnkfile
Then we will get an error(EACCES) because fuse daemon checks the link()'s
caller is "bin", it denied this request.
In the changing history of ovl_link(), there are two key commits:
The first is commit
|
||
Chen Zhongjin
|
ac551b1f50 |
ovl: fix use inode directly in rcu-walk mode
commit 672e4268b2863d7e4978dfed29552b31c2f9bd4e upstream.
ovl_dentry_revalidate_common() can be called in rcu-walk mode. As document
said, "in rcu-walk mode, d_parent and d_inode should not be used without
care".
Check inode here to protect access under rcu-walk mode.
Fixes:
|
||
Amir Goldstein
|
7e48315397 |
ovl: remove privs in ovl_fallocate()
[ Upstream commit 23a8ce16419a3066829ad4a8b7032a75817af65b ]
Underlying fs doesn't remove privs because fallocate is called with
privileged mounter credentials.
This fixes some failure in fstests generic/683..687.
Fixes:
|
||
|
Amir Goldstein
|
155428ea20 |
ovl: remove privs in ovl_copyfile()
[ Upstream commit b306e90ffabdaa7e3b3350dbcd19b7663e71ab17 ]
Underlying fs doesn't remove privs because copy_range/remap_range are
called with privileged mounter credentials.
This fixes some failures in fstest generic/673.
Fixes:
|
||
|
Greg Kroah-Hartman
|
71f335db47 |
Merge f721d24e5d ("Merge tag 'pull-tmpfile' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs") into android-mainline
Steps on the way to 6.1-rc1 Resolves merge conflicts in: include/uapi/linux/fuse.h Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I9c642d47e57e26958f55f8e9ef6920594631531b |
||
|
Greg Kroah-Hartman
|
9570608aa4 |
Merge 9f4b9beeb9 ("Merge tag '6.1-rc-ksmbd-fixes' of git://git.samba.org/ksmbd") into android-mainline
Steps on the way to 6.1-rc1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I11ca009eac59ec3a24300b9f3bb4c73b7006ec8d |
||
Linus Torvalds
|
f721d24e5d |
tmpfile API change
-----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQQqUNBr3gm4hGXdBJlZ7Krx/gZQ6wUCY0DP2AAKCRBZ7Krx/gZQ 6/+qAQCEGQWpcC5MB17zylaX7gqzhgAsDrwtpevlno3aIv/1pQD/YWr/E8tf7WTW ERXRXMRx1cAzBJhUhVgIY+3ANfU2Rg4= =cko4 -----END PGP SIGNATURE----- Merge tag 'pull-tmpfile' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs tmpfile updates from Al Viro: "Miklos' ->tmpfile() signature change; pass an unopened struct file to it, let it open the damn thing. Allows to add tmpfile support to FUSE" * tag 'pull-tmpfile' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: fuse: implement ->tmpfile() vfs: open inside ->tmpfile() vfs: move open right after ->tmpfile() vfs: make vfs_tmpfile() static ovl: use vfs_tmpfile_open() helper cachefiles: use vfs_tmpfile_open() helper cachefiles: only pass inode to *mark_inode_inuse() helpers cachefiles: tmpfile error handling cleanup hugetlbfs: cleanup mknod and tmpfile vfs: add vfs_tmpfile_open() helper |
||
|
Greg Kroah-Hartman
|
29afb146b9 |
Merge f4309528f3 ("Merge tag 'dlm-6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm") into android-mainline
Steps on the way to 6.1-rc1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I957ac825ed313be8ce0b1d27754ed20604f23659 |
||
|
Linus Torvalds
|
4c0ed7d8d6 |
whack-a-mole: constifying struct path *
-----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQQqUNBr3gm4hGXdBJlZ7Krx/gZQ6wUCYzxmRQAKCRBZ7Krx/gZQ 6+/kAQD2xyf+i4zOYVBr1NB3qBbhVS1zrni1NbC/kT3dJPgTvwEA7z7eqwnrN4zg scKFP8a3yPoaQBfs4do5PolhuSr2ngA= =NBI+ -----END PGP SIGNATURE----- Merge tag 'pull-path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs constification updates from Al Viro: "whack-a-mole: constifying struct path *" * tag 'pull-path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: ecryptfs: constify path spufs: constify path nd_jump_link(): constify path audit_init_parent(): constify path __io_setxattr(): constify path do_proc_readlink(): constify path overlayfs: constify path fs/notify: constify path may_linkat(): constify path do_sys_name_to_handle(): constify path ->getprocattr(): attribute name is const char *, TYVM... |
||
|
Linus Torvalds
|
7a3353c5c4 |
struct file-related stuff
-----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQQqUNBr3gm4hGXdBJlZ7Krx/gZQ6wUCYzxjIQAKCRBZ7Krx/gZQ 6/FPAQCNCZygQzd+54//vo4kTwv5T2Bv3hS8J51rASPJT87/BQD/TfCLS5urt/Gt 81A1dFOfnTXseofuBKyGSXwQm0dWpgA= =PLre -----END PGP SIGNATURE----- Merge tag 'pull-file' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs file updates from Al Viro: "struct file-related stuff" * tag 'pull-file' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: dma_buf_getfile(): don't bother with ->f_flags reassignments Change calling conventions for filldir_t locks: fix TOCTOU race when granting write lease |
||
|
Miklos Szeredi
|
2b1a77461f |
ovl: use vfs_tmpfile_open() helper
If tmpfile is used for copy up, then use this helper to create the tmpfile and open it at the same time. This will later allow filesystems such as fuse to do this operation atomically. Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> |
||
|
Al Viro
|
2d3430875a |
overlayfs: constify path
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
||
Christian Brauner
|
6344e66970
|
xattr: constify value argument in vfs_setxattr()
Now that we don't perform translations directly in vfs_setxattr() anymore we can constify the @value argument in vfs_setxattr(). This also allows us to remove the hack to cast from a const in ovl_do_setxattr(). Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> Reviewed-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org> |
||
|
Christian Brauner
|
7e1401acd9
|
ovl: use vfs_set_acl_prepare()
The posix_acl_from_xattr() helper should mainly be used in i_op->get_acl() handlers. It translates from the uapi struct into the kernel internal POSIX ACL representation and doesn't care about mount idmappings. Use the vfs_set_acl_prepare() helper to generate a kernel internal POSIX ACL representation in struct posix_acl format taking care to map from the mount idmapping into the filesystem's idmapping. The returned struct posix_acl is in the correct format to be cached by the VFS or passed to the filesystem's i_op->set_acl() method to write to the backing store. Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> Reviewed-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org> |
||
|
Greg Kroah-Hartman
|
feeb390843 |
Merge 072c92b1b1 ("Merge tag 'audit-pr-20220823' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit") into android-mainline
Steps on the way to 6.0-rc2 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I4762c2adc4fffbf57bf8f5db33a85649eb27fe41 |
||
|
Greg Kroah-Hartman
|
d57a19712b |
Merge c8a684e2e1 ("Merge tag 'leds-5.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/pavel/linux-leds") into android-mainline
Steps on the way to 6.0-rc1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I18b6eeecc97bf78be9dffc0e6c9cb190ac2e7fcb |
||
|
Al Viro
|
25885a35a7 |
Change calling conventions for filldir_t
filldir_t instances (directory iterators callbacks) used to return 0 for
"OK, keep going" or -E... for "stop". Note that it's *NOT* how the
error values are reported - the rules for those are callback-dependent
and ->iterate{,_shared}() instances only care about zero vs. non-zero
(look at emit_dir() and friends).
So let's just return bool ("should we keep going?") - it's less confusing
that way. The choice between "true means keep going" and "true means
stop" is bikesheddable; we have two groups of callbacks -
do something for everything in directory, until we run into problem
and
find an entry in directory and do something to it.
The former tended to use 0/-E... conventions - -E<something> on failure.
The latter tended to use 0/1, 1 being "stop, we are done".
The callers treated anything non-zero as "stop", ignoring which
non-zero value did they get.
"true means stop" would be more natural for the second group; "true
means keep going" - for the first one. I tried both variants and
the things like
if allocation failed
something = -ENOMEM;
return true;
just looked unnatural and asking for trouble.
[folded suggestion from Matthew Wilcox <willy@infradead.org>]
Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||
|
Christian Brauner
|
abfcf55d8b
|
acl: handle idmapped mounts for idmapped filesystems
Ensure that POSIX ACLs checking, getting, and setting works correctly
for filesystems mountable with a filesystem idmapping ("fs_idmapping")
that want to support idmapped mounts ("mnt_idmapping").
Note that no filesystems mountable with an fs_idmapping do yet support
idmapped mounts. This is required infrastructure work to unblock this.
As we explained in detail in [1] the fs_idmapping is irrelevant for
getxattr() and setxattr() when mapping the ACL_{GROUP,USER} {g,u}ids
stored in the uapi struct posix_acl_xattr_entry in
posix_acl_fix_xattr_{from,to}_user().
But for acl_permission_check() and posix_acl_{g,s}etxattr_idmapped_mnt()
the fs_idmapping matters.
acl_permission_check():
During lookup POSIX ACLs are retrieved directly via i_op->get_acl() and
are returned via the kernel internal struct posix_acl which contains
e_{g,u}id members of type k{g,u}id_t that already take the
fs_idmapping into acccount.
For example, a POSIX ACL stored with u4 on the backing store is mapped
to k10000004 in the fs_idmapping. The mnt_idmapping remaps the POSIX ACL
to k20000004. In order to do that the fs_idmapping needs to be taken
into account but that doesn't happen yet (Again, this is a
counterfactual currently as fuse doesn't support idmapped mounts
currently. It's just used as a convenient example.):
fs_idmapping: u0:k10000000:r65536
mnt_idmapping: u0:v20000000:r65536
ACL_USER: k10000004
acl_permission_check()
-> check_acl()
-> get_acl()
-> i_op->get_acl() == fuse_get_acl()
-> posix_acl_from_xattr(u0:k10000000:r65536 /* fs_idmapping */, ...)
{
k10000004 = make_kuid(u0:k10000000:r65536 /* fs_idmapping */,
u4 /* ACL_USER */);
}
-> posix_acl_permission()
{
-1 = make_vfsuid(u0:v20000000:r65536 /* mnt_idmapping */,
&init_user_ns,
k10000004);
vfsuid_eq_kuid(-1, k10000004 /* caller_fsuid */)
}
In order to correctly map from the fs_idmapping into mnt_idmapping we
require the relevant fs_idmaping to be passed:
acl_permission_check()
-> check_acl()
-> get_acl()
-> i_op->get_acl() == fuse_get_acl()
-> posix_acl_from_xattr(u0:k10000000:r65536 /* fs_idmapping */, ...)
{
k10000004 = make_kuid(u0:k10000000:r65536 /* fs_idmapping */,
u4 /* ACL_USER */);
}
-> posix_acl_permission()
{
v20000004 = make_vfsuid(u0:v20000000:r65536 /* mnt_idmapping */,
u0:k10000000:r65536 /* fs_idmapping */,
k10000004);
vfsuid_eq_kuid(v20000004, k10000004 /* caller_fsuid */)
}
The initial_idmapping is only correct for the current situation because
all filesystems that currently support idmapped mounts do not support
being mounted with an fs_idmapping.
Note that ovl_get_acl() is used to retrieve the POSIX ACLs from the
relevant lower layer and the lower layer's mnt_idmapping needs to be
taken into account and so does the fs_idmapping. See
|
||
|
Greg Kroah-Hartman
|
d555e47af6 |
Merge 526942b813 ("Merge tag 'ata-5.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata") into android-mainline
Steps on the way to 6.0-rc1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia5d8d07975a1d38e7cc872e45bd7c0e84d54cfa3 |
||
|
Linus Torvalds
|
65512eb0e9 |
overlayfs update for 6.0
-----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQSQHSd0lITzzeNWNm3h3BK/laaZPAUCYvDeCAAKCRDh3BK/laaZ PGjCAP9TVuId3X7Akroc9W+qswPzwlW3fwtE6+9F6ABeNJNPZAEAgU2bp95vqZRh OWP+ptnskceBcX/cRkfxkmgtiNE21wk= =sucY -----END PGP SIGNATURE----- Merge tag 'ovl-update-6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs Pull overlayfs update from Miklos Szeredi: "Just a small update" * tag 'ovl-update-6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: ovl: fix spelling mistakes ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh() ovl: improve ovl_get_acl() if POSIX ACL support is off ovl: fix some kernel-doc comments ovl: warn if trusted xattr creation fails |
||
|
Linus Torvalds
|
a782e86649 |
Saner handling of "lseek should fail with ESPIPE" - gets rid of
magical no_llseek thing and makes checks consistent. In particular, ad-hoc "can we do splice via internal pipe" checks got saner (and somewhat more permissive, which is what Jason had been after, AFAICT) Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQQqUNBr3gm4hGXdBJlZ7Krx/gZQ6wUCYug2xgAKCRBZ7Krx/gZQ 6wxWAQDqeg+xMq2FGPXmgjCa+Cp3PXH96Lp6f3hHzakIDx+t8gEAxvuiXAD22Mct 6S1SKuGj0iDIuM4L7hUiWTiY/bDXSAc= =3EC/ -----END PGP SIGNATURE----- Merge tag 'pull-work.lseek' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs lseek updates from Al Viro: "Jason's lseek series. Saner handling of 'lseek should fail with ESPIPE' - this gets rid of the magical no_llseek thing and makes checks consistent. In particular, the ad-hoc "can we do splice via internal pipe" checks got saner (and somewhat more permissive, which is what Jason had been after, AFAICT)" * tag 'pull-work.lseek' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: fs: remove no_llseek fs: check FMODE_LSEEK to control internal pipe splicing vfio: do not set FMODE_LSEEK flag dma-buf: remove useless FMODE_LSEEK flag fs: do not compare against ->llseek fs: clear or set FMODE_LSEEK based on llseek function |
||
|
Greg Kroah-Hartman
|
97e751d393 |
Merge 0fac198def ("Merge tag 'fs.idmapped.overlay.acl.v5.20' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux") into android-mainline
Steps on the way to 6.0-rc1 Resolves merge conflicts in: fs/overlayfs/inode.c Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I382394f56b40b1dd317004e1c42a51ebc11a09bb |
||
|
Greg Kroah-Hartman
|
b4286aafc3 |
Merge bdfae5ce38 ("Merge tag 'fs.idmapped.vfsuid.v5.20' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux") into android-mainline
Steps on the way to 6.0-rc1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I8086188e24a5e25b8b6b289353823365786d6fe2 |
||
William Dean
|
4f1196288d |
ovl: fix spelling mistakes
fix follow spelling misktakes: decendant ==> descendant indentify ==> identify underlaying ==> underlying Reported-by: Hacash Robot <hacashRobot@santino.com> Signed-off-by: William Dean <williamsukatube@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> |
||
|
Linus Torvalds
|
bdfae5ce38 |
fs.idmapped.vfsuid.v5.20
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCYufP6AAKCRCRxhvAZXjc
omzRAQCGJ11r7T0C7t1kTdQiFSs5XN9ksFa86Hfj3dHEBIj+LQEA+bZ2/LLpElDz
zPekgXkFQqdMr+FUL8sk94dzHT0GAgk=
=BcK/
-----END PGP SIGNATURE-----
Merge tag 'fs.idmapped.vfsuid.v5.20' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
Pull fs idmapping updates from Christian Brauner:
"This introduces the new vfs{g,u}id_t types we agreed on. Similar to
k{g,u}id_t the new types are just simple wrapper structs around
regular {g,u}id_t types.
They allow to establish a type safety boundary in the VFS for idmapped
mounts preventing confusion betwen {g,u}ids mapped into an idmapped
mount and {g,u}ids mapped into the caller's or the filesystem's
idmapping.
An initial set of helpers is introduced that allows to operate on
vfs{g,u}id_t types. We will remove all references to non-type safe
idmapped mounts helpers in the very near future. The patches do
already exist.
This converts the core attribute changing codepaths which become
significantly easier to reason about because of this change.
Just a few highlights here as the patches give detailed overviews of
what is happening in the commit messages:
- The kernel internal struct iattr contains type safe vfs{g,u}id_t
values clearly communicating that these values have to take a given
mount's idmapping into account.
- The ownership values placed in struct iattr to change ownership are
identical for idmapped and non-idmapped mounts going forward. This
also allows to simplify stacking filesystems such as overlayfs that
change attributes In other words, they always represent the values.
- Instead of open coding checks for whether ownership changes have
been requested and an actual update of the inode is required we now
have small static inline wrappers that abstract this logic away
removing a lot of code duplication from individual filesystems that
all open-coded the same checks"
* tag 'fs.idmapped.vfsuid.v5.20' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
mnt_idmapping: align kernel doc and parameter order
mnt_idmapping: use new helpers in mapped_fs{g,u}id()
fs: port HAS_UNMAPPED_ID() to vfs{g,u}id_t
mnt_idmapping: return false when comparing two invalid ids
attr: fix kernel doc
attr: port attribute changes to new types
security: pass down mount idmapping to setattr hook
quota: port quota helpers mount ids
fs: port to iattr ownership update helpers
fs: introduce tiny iattr ownership update helpers
fs: use mount types in iattr
fs: add two type safe mapping helpers
mnt_idmapping: add vfs{g,u}id_t
|
||
Jiachen Zhang
|
dd524b7f31 |
ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh()
Some code paths cannot guarantee the inode have any dentry alias. So
WARN_ON() all !dentry may flood the kernel logs.
For example, when an overlayfs inode is watched by inotifywait (1), and
someone is trying to read the /proc/$(pidof inotifywait)/fdinfo/INOTIFY_FD,
at that time if the dentry has been reclaimed by kernel (such as
echo 2 > /proc/sys/vm/drop_caches), there will be a WARN_ON(). The
printed call stack would be like:
? show_mark_fhandle+0xf0/0xf0
show_mark_fhandle+0x4a/0xf0
? show_mark_fhandle+0xf0/0xf0
? seq_vprintf+0x30/0x50
? seq_printf+0x53/0x70
? show_mark_fhandle+0xf0/0xf0
inotify_fdinfo+0x70/0x90
show_fdinfo.isra.4+0x53/0x70
seq_show+0x130/0x170
seq_read+0x153/0x440
vfs_read+0x94/0x150
ksys_read+0x5f/0xe0
do_syscall_64+0x59/0x1e0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
So let's drop WARN_ON() to avoid kernel log flooding.
Reported-by: Hongbo Yin <yinhongbo@bytedance.com>
Signed-off-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
Signed-off-by: Tianci Zhang <zhangtianci.1997@bytedance.com>
Fixes:
|
||
Yang Xu
|
ded536561a |
ovl: improve ovl_get_acl() if POSIX ACL support is off
Provide a proper stub for the !CONFIG_FS_POSIX_ACL case. Signed-off-by: Yang Xu <xuyang2018.jy@fujitsu.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> |
||
Yang Li
|
9c5dd8034e |
ovl: fix some kernel-doc comments
Remove warnings found by running scripts/kernel-doc, which is caused by using 'make W=1'. fs/overlayfs/super.c:311: warning: Function parameter or member 'dentry' not described in 'ovl_statfs' fs/overlayfs/super.c:311: warning: Excess function parameter 'sb' description in 'ovl_statfs' fs/overlayfs/super.c:357: warning: Function parameter or member 'm' not described in 'ovl_show_options' fs/overlayfs/super.c:357: warning: Function parameter or member 'dentry' not described in 'ovl_show_options' Reported-by: Abaci Robot <abaci@linux.alibaba.com> Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> |
||
|
Miklos Szeredi
|
b10b85fe51 |
ovl: warn if trusted xattr creation fails
When mounting overlayfs in an unprivileged user namespace, trusted xattr creation will fail. This will lead to failures in some file operations, e.g. in the following situation: mkdir lower upper work merged mkdir lower/directory mount -toverlay -olowerdir=lower,upperdir=upper,workdir=work none merged rmdir merged/directory mkdir merged/directory The last mkdir will fail: mkdir: cannot create directory 'merged/directory': Input/output error The cause for these failures is currently extremely non-obvious and hard to debug. Hence, warn the user and suggest using the userxattr mount option, if it is not already supplied and xattr creation fails during the self-check. Reported-by: Alois Wohlschlager <alois1@gmx-topmail.de> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> |
||
Jason A. Donenfeld
|
4e3299eadd |
fs: do not compare against ->llseek
Now vfs_llseek() can simply check for FMODE_LSEEK; if it's set, we know that ->llseek() won't be NULL and if it's not we should just fail with -ESPIPE. A couple of other places where we used to check for special values of ->llseek() (somewhat inconsistently) switched to checking FMODE_LSEEK. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
||
|
Christian Brauner
|
7c4d37c269
|
Revert "ovl: turn of SB_POSIXACL with idmapped layers temporarily"
This reverts commit
|
||
|
Christian Brauner
|
1aa5fef575
|
ovl: handle idmappings in ovl_get_acl()
During permission checking overlayfs will call
ovl_permission()
-> generic_permission()
-> acl_permission_check()
-> check_acl()
-> get_acl()
-> inode->i_op->get_acl() == ovl_get_acl()
-> get_acl() /* on the underlying filesystem */
-> inode->i_op->get_acl() == /*lower filesystem callback */
-> posix_acl_permission()
passing through the get_acl() request to the underlying filesystem.
Before returning these values to the VFS we need to take the idmapping of the
relevant layer into account and translate any ACL_{GROUP,USER} values according
to the idmapped mount.
We cannot alter the ACLs returned from the relevant layer directly as that
would alter the cached values filesystem wide for the lower filesystem. Instead
we can clone the ACLs and then apply the relevant idmapping of the layer.
This is obviously only relevant when idmapped layers are used.
Link: https://lore.kernel.org/r/20220708090134.385160-4-brauner@kernel.org
Cc: Seth Forshee <sforshee@digitalocean.com>
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Miklos Szeredi <mszeredi@redhat.com>
Cc: linux-unionfs@vger.kernel.org
Reviewed-by: Seth Forshee <sforshee@digitalocean.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
|
||
|
Christian Brauner
|
0c5fd887d2
|
acl: move idmapped mount fixup into vfs_{g,s}etxattr()
This cycle we added support for mounting overlayfs on top of idmapped mounts.
Recently I've started looking into potential corner cases when trying to add
additional tests and I noticed that reporting for POSIX ACLs is currently wrong
when using idmapped layers with overlayfs mounted on top of it.
I'm going to give a rather detailed explanation to both the origin of the
problem and the solution.
Let's assume the user creates the following directory layout and they have a
rootfs /var/lib/lxc/c1/rootfs. The files in this rootfs are owned as you would
expect files on your host system to be owned. For example, ~/.bashrc for your
regular user would be owned by 1000:1000 and /root/.bashrc would be owned by
0:0. IOW, this is just regular boring filesystem tree on an ext4 or xfs
filesystem.
The user chooses to set POSIX ACLs using the setfacl binary granting the user
with uid 4 read, write, and execute permissions for their .bashrc file:
setfacl -m u:4:rwx /var/lib/lxc/c2/rootfs/home/ubuntu/.bashrc
Now they to expose the whole rootfs to a container using an idmapped mount. So
they first create:
mkdir -pv /vol/contpool/{ctrover,merge,lowermap,overmap}
mkdir -pv /vol/contpool/ctrover/{over,work}
chown 10000000:10000000 /vol/contpool/ctrover/{over,work}
The user now creates an idmapped mount for the rootfs:
mount-idmapped/mount-idmapped --map-mount=b:0:10000000:65536 \
/var/lib/lxc/c2/rootfs \
/vol/contpool/lowermap
This for example makes it so that /var/lib/lxc/c2/rootfs/home/ubuntu/.bashrc
which is owned by uid and gid 1000 as being owned by uid and gid 10001000 at
/vol/contpool/lowermap/home/ubuntu/.bashrc.
Assume the user wants to expose these idmapped mounts through an overlayfs
mount to a container.
mount -t overlay overlay \
-o lowerdir=/vol/contpool/lowermap, \
upperdir=/vol/contpool/overmap/over, \
workdir=/vol/contpool/overmap/work \
/vol/contpool/merge
The user can do this in two ways:
(1) Mount overlayfs in the initial user namespace and expose it to the
container.
(2) Mount overlayfs on top of the idmapped mounts inside of the container's
user namespace.
Let's assume the user chooses the (1) option and mounts overlayfs on the host
and then changes into a container which uses the idmapping 0:10000000:65536
which is the same used for the two idmapped mounts.
Now the user tries to retrieve the POSIX ACLs using the getfacl command
getfacl -n /vol/contpool/lowermap/home/ubuntu/.bashrc
and to their surprise they see:
# file: vol/contpool/merge/home/ubuntu/.bashrc
# owner: 1000
# group: 1000
user::rw-
user:4294967295:rwx
group::r--
mask::rwx
other::r--
indicating the the uid wasn't correctly translated according to the idmapped
mount. The problem is how we currently translate POSIX ACLs. Let's inspect the
callchain in this example:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:0:4k /* initial idmapping */
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
|> vfs_getxattr()
| -> __vfs_getxattr()
| -> handler->get == ovl_posix_acl_xattr_get()
| -> ovl_xattr_get()
| -> vfs_getxattr()
| -> __vfs_getxattr()
| -> handler->get() /* lower filesystem callback */
|> posix_acl_fix_xattr_to_user()
{
4 = make_kuid(&init_user_ns, 4);
4 = mapped_kuid_fs(&init_user_ns /* no idmapped mount */, 4);
/* FAILURE */
-1 = from_kuid(0:10000000:65536 /* caller's idmapping */, 4);
}
If the user chooses to use option (2) and mounts overlayfs on top of idmapped
mounts inside the container things don't look that much better:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:10000000:65536
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
|> vfs_getxattr()
| -> __vfs_getxattr()
| -> handler->get == ovl_posix_acl_xattr_get()
| -> ovl_xattr_get()
| -> vfs_getxattr()
| -> __vfs_getxattr()
| -> handler->get() /* lower filesystem callback */
|> posix_acl_fix_xattr_to_user()
{
4 = make_kuid(&init_user_ns, 4);
4 = mapped_kuid_fs(&init_user_ns, 4);
/* FAILURE */
-1 = from_kuid(0:10000000:65536 /* caller's idmapping */, 4);
}
As is easily seen the problem arises because the idmapping of the lower mount
isn't taken into account as all of this happens in do_gexattr(). But
do_getxattr() is always called on an overlayfs mount and inode and thus cannot
possible take the idmapping of the lower layers into account.
This problem is similar for fscaps but there the translation happens as part of
vfs_getxattr() already. Let's walk through an fscaps overlayfs callchain:
setcap 'cap_net_raw+ep' /var/lib/lxc/c2/rootfs/home/ubuntu/.bashrc
The expected outcome here is that we'll receive the cap_net_raw capability as
we are able to map the uid associated with the fscap to 0 within our container.
IOW, we want to see 0 as the result of the idmapping translations.
If the user chooses option (1) we get the following callchain for fscaps:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:0:4k /* initial idmapping */
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
-> vfs_getxattr()
-> xattr_getsecurity()
-> security_inode_getsecurity() ________________________________
-> cap_inode_getsecurity() | |
{ V |
10000000 = make_kuid(0:0:4k /* overlayfs idmapping */, 10000000); |
10000000 = mapped_kuid_fs(0:0:4k /* no idmapped mount */, 10000000); |
/* Expected result is 0 and thus that we own the fscap. */ |
0 = from_kuid(0:10000000:65536 /* caller's idmapping */, 10000000); |
} |
-> vfs_getxattr_alloc() |
-> handler->get == ovl_other_xattr_get() |
-> vfs_getxattr() |
-> xattr_getsecurity() |
-> security_inode_getsecurity() |
-> cap_inode_getsecurity() |
{ |
0 = make_kuid(0:0:4k /* lower s_user_ns */, 0); |
10000000 = mapped_kuid_fs(0:10000000:65536 /* idmapped mount */, 0); |
10000000 = from_kuid(0:0:4k /* overlayfs idmapping */, 10000000); |
|____________________________________________________________________|
}
-> vfs_getxattr_alloc()
-> handler->get == /* lower filesystem callback */
And if the user chooses option (2) we get:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:10000000:65536
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
-> vfs_getxattr()
-> xattr_getsecurity()
-> security_inode_getsecurity() _______________________________
-> cap_inode_getsecurity() | |
{ V |
10000000 = make_kuid(0:10000000:65536 /* overlayfs idmapping */, 0); |
10000000 = mapped_kuid_fs(0:0:4k /* no idmapped mount */, 10000000); |
/* Expected result is 0 and thus that we own the fscap. */ |
0 = from_kuid(0:10000000:65536 /* caller's idmapping */, 10000000); |
} |
-> vfs_getxattr_alloc() |
-> handler->get == ovl_other_xattr_get() |
|-> vfs_getxattr() |
-> xattr_getsecurity() |
-> security_inode_getsecurity() |
-> cap_inode_getsecurity() |
{ |
0 = make_kuid(0:0:4k /* lower s_user_ns */, 0); |
10000000 = mapped_kuid_fs(0:10000000:65536 /* idmapped mount */, 0); |
0 = from_kuid(0:10000000:65536 /* overlayfs idmapping */, 10000000); |
|____________________________________________________________________|
}
-> vfs_getxattr_alloc()
-> handler->get == /* lower filesystem callback */
We can see how the translation happens correctly in those cases as the
conversion happens within the vfs_getxattr() helper.
For POSIX ACLs we need to do something similar. However, in contrast to fscaps
we cannot apply the fix directly to the kernel internal posix acl data
structure as this would alter the cached values and would also require a rework
of how we currently deal with POSIX ACLs in general which almost never take the
filesystem idmapping into account (the noteable exception being FUSE but even
there the implementation is special) and instead retrieve the raw values based
on the initial idmapping.
The correct values are then generated right before returning to userspace. The
fix for this is to move taking the mount's idmapping into account directly in
vfs_getxattr() instead of having it be part of posix_acl_fix_xattr_to_user().
To this end we split out two small and unexported helpers
posix_acl_getxattr_idmapped_mnt() and posix_acl_setxattr_idmapped_mnt(). The
former to be called in vfs_getxattr() and the latter to be called in
vfs_setxattr().
Let's go back to the original example. Assume the user chose option (1) and
mounted overlayfs on top of idmapped mounts on the host:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:0:4k /* initial idmapping */
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
|> vfs_getxattr()
| |> __vfs_getxattr()
| | -> handler->get == ovl_posix_acl_xattr_get()
| | -> ovl_xattr_get()
| | -> vfs_getxattr()
| | |> __vfs_getxattr()
| | | -> handler->get() /* lower filesystem callback */
| | |> posix_acl_getxattr_idmapped_mnt()
| | {
| | 4 = make_kuid(&init_user_ns, 4);
| | 10000004 = mapped_kuid_fs(0:10000000:65536 /* lower idmapped mount */, 4);
| | 10000004 = from_kuid(&init_user_ns, 10000004);
| | |_______________________
| | } |
| | |
| |> posix_acl_getxattr_idmapped_mnt() |
| { |
| V
| 10000004 = make_kuid(&init_user_ns, 10000004);
| 10000004 = mapped_kuid_fs(&init_user_ns /* no idmapped mount */, 10000004);
| 10000004 = from_kuid(&init_user_ns, 10000004);
| } |_________________________________________________
| |
| |
|> posix_acl_fix_xattr_to_user() |
{ V
10000004 = make_kuid(0:0:4k /* init_user_ns */, 10000004);
/* SUCCESS */
4 = from_kuid(0:10000000:65536 /* caller's idmapping */, 10000004);
}
And similarly if the user chooses option (1) and mounted overayfs on top of
idmapped mounts inside the container:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:10000000:65536
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
|> vfs_getxattr()
| |> __vfs_getxattr()
| | -> handler->get == ovl_posix_acl_xattr_get()
| | -> ovl_xattr_get()
| | -> vfs_getxattr()
| | |> __vfs_getxattr()
| | | -> handler->get() /* lower filesystem callback */
| | |> posix_acl_getxattr_idmapped_mnt()
| | {
| | 4 = make_kuid(&init_user_ns, 4);
| | 10000004 = mapped_kuid_fs(0:10000000:65536 /* lower idmapped mount */, 4);
| | 10000004 = from_kuid(&init_user_ns, 10000004);
| | |_______________________
| | } |
| | |
| |> posix_acl_getxattr_idmapped_mnt() |
| { V
| 10000004 = make_kuid(&init_user_ns, 10000004);
| 10000004 = mapped_kuid_fs(&init_user_ns /* no idmapped mount */, 10000004);
| 10000004 = from_kuid(0(&init_user_ns, 10000004);
| |_________________________________________________
| } |
| |
|> posix_acl_fix_xattr_to_user() |
{ V
10000004 = make_kuid(0:0:4k /* init_user_ns */, 10000004);
/* SUCCESS */
4 = from_kuid(0:10000000:65536 /* caller's idmappings */, 10000004);
}
The last remaining problem we need to fix here is ovl_get_acl(). During
ovl_permission() overlayfs will call:
ovl_permission()
-> generic_permission()
-> acl_permission_check()
-> check_acl()
-> get_acl()
-> inode->i_op->get_acl() == ovl_get_acl()
> get_acl() /* on the underlying filesystem)
->inode->i_op->get_acl() == /*lower filesystem callback */
-> posix_acl_permission()
passing through the get_acl request to the underlying filesystem. This will
retrieve the acls stored in the lower filesystem without taking the idmapping
of the underlying mount into account as this would mean altering the cached
values for the lower filesystem. So we block using ACLs for now until we
decided on a nice way to fix this. Note this limitation both in the
documentation and in the code.
The most straightforward solution would be to have ovl_get_acl() simply
duplicate the ACLs, update the values according to the idmapped mount and
return it to acl_permission_check() so it can be used in posix_acl_permission()
forgetting them afterwards. This is a bit heavy handed but fairly
straightforward otherwise.
Link: https://github.com/brauner/mount-idmapped/issues/9
Link: https://lore.kernel.org/r/20220708090134.385160-2-brauner@kernel.org
Cc: Seth Forshee <sforshee@digitalocean.com>
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Miklos Szeredi <mszeredi@redhat.com>
Cc: linux-unionfs@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Reviewed-by: Seth Forshee <sforshee@digitalocean.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
|
||
|
Christian Brauner
|
45598fd4e2 |
overlayfs fixes for 5.19-rc7
-----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQSQHSd0lITzzeNWNm3h3BK/laaZPAUCYs11GgAKCRDh3BK/laaZ PAD3APsHu08aHid5O/zPnD/90BNqAo3ruvu2WhI5wa8Dacd5SwEAgoSlH2Tx3iy9 4zWK4zZX98qAGyI+ij5aejc0TvONqAE= =4KjV -----END PGP SIGNATURE----- gpgsig -----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCYtHI7gAKCRCRxhvAZXjc om98AP4mv9E1tosKU0J/Img5rcBnjMtpEinHTqiuwXsslBGK3AEAokeq3w/MDAGI ML1w4hqe1GCS5gi1UaXSnAFOqsP3LQY= =W/4m -----END PGP SIGNATURE----- Merge tag 'ovl-fixes-5.19-rc7' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs into fs.idmapped.overlay.acl Bring in Miklos' tree which contains the temporary fix for POSIX ACLs with overlayfs on top of idmapped layers. We will add a proper fix on top of it and then revert the temporary fix. Cc: Seth Forshee <sforshee@digitalocean.com> Cc: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> |
||
David Anderson
|
ee4200d565 |
ANDROID: overlayfs: inode_owner_or_capable called during execv
Using old_creds as an indication that we are not overriding the credentials, bypass call to inode_owner_or_capable. This solves a problem with all execv calls being blocked when using the caller's credentials. Bug: 204981027 Link: https://lore.kernel.org/lkml/20201021151903.652827-5-salyzyn@android.com/ Signed-off-by: David Anderson <dvander@google.com> Signed-off-by: Mark Salyzyn <salyzyn@android.com> Change-Id: I6b196483f7a3fa431f4f174c6671c2118e0088dd |
||
|
David Anderson
|
ae23eedb3f |
ANDROID: overlayfs: override_creds=off option bypass creator_cred
By default, all access to the upper, lower and work directories is the recorded mounter's MAC and DAC credentials. The incoming accesses are checked against the caller's credentials. If the principles of least privilege are applied, the mounter's credentials might not overlap the credentials of the caller's when accessing the overlayfs filesystem. For example, a file that a lower DAC privileged caller can execute, is MAC denied to the generally higher DAC privileged mounter, to prevent an attack vector. We add the option to turn off override_creds in the mount options; all subsequent operations after mount on the filesystem will be only the caller's credentials. The module boolean parameter and mount option override_creds is also added as a presence check for this "feature", existence of /sys/module/overlay/parameters/override_creds. It was not always this way. Circa 4.6 there was no recorded mounter's credentials, instead privileged access to upper or work directories were temporarily increased to perform the operations. The MAC (selinux) policies were caller's in all cases. override_creds=off partially returns us to this older access model minus the insecure temporary credential increases. This is to permit use in a system with non-overlapping security models for each executable including the agent that mounts the overlayfs filesystem. In Android this is the case since init, which performs the mount operations, has a minimal MAC set of privileges to reduce any attack surface, and services that use the content have a different set of MAC privileges (eg: read, for vendor labelled configuration, execute for vendor libraries and modules). The caveats are not a problem in the Android usage model, however they should be fixed for completeness and for general use in time. Bug: 231996550 Link: https://lore.kernel.org/lkml/20211117015806.2192263-4-dvander@google.com Signed-off-by: David Anderson <dvander@google.com> Signed-off-by: Mark Salyzyn <salyzyn@android.com> Change-Id: I21516b3af483790fb0a7bfdeabf4770c486dbcbc |
||
|
Greg Kroah-Hartman
|
a9544c86e3 |
Merge 72a8e05d4f ("Merge tag 'ovl-fixes-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs") into android-mainline
Steps on the way to 5.19-rc7 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I60779599871b20103e656e440a395417de8ff44c |
||
|
Christian Brauner
|
4a47c6385b |
ovl: turn of SB_POSIXACL with idmapped layers temporarily
This cycle we added support for mounting overlayfs on top of idmapped
mounts. Recently I've started looking into potential corner cases when
trying to add additional tests and I noticed that reporting for POSIX ACLs
is currently wrong when using idmapped layers with overlayfs mounted on top
of it.
I have sent out an patch that fixes this and makes POSIX ACLs work
correctly but the patch is a bit bigger and we're already at -rc5 so I
recommend we simply don't raise SB_POSIXACL when idmapped layers are
used. Then we can fix the VFS part described below for the next merge
window so we can have good exposure in -next.
I'm going to give a rather detailed explanation to both the origin of the
problem and mention the solution so people know what's going on.
Let's assume the user creates the following directory layout and they have
a rootfs /var/lib/lxc/c1/rootfs. The files in this rootfs are owned as you
would expect files on your host system to be owned. For example, ~/.bashrc
for your regular user would be owned by 1000:1000 and /root/.bashrc would
be owned by 0:0. IOW, this is just regular boring filesystem tree on an
ext4 or xfs filesystem.
The user chooses to set POSIX ACLs using the setfacl binary granting the
user with uid 4 read, write, and execute permissions for their .bashrc
file:
setfacl -m u:4:rwx /var/lib/lxc/c2/rootfs/home/ubuntu/.bashrc
Now they to expose the whole rootfs to a container using an idmapped
mount. So they first create:
mkdir -pv /vol/contpool/{ctrover,merge,lowermap,overmap}
mkdir -pv /vol/contpool/ctrover/{over,work}
chown 10000000:10000000 /vol/contpool/ctrover/{over,work}
The user now creates an idmapped mount for the rootfs:
mount-idmapped/mount-idmapped --map-mount=b:0:10000000:65536 \
/var/lib/lxc/c2/rootfs \
/vol/contpool/lowermap
This for example makes it so that
/var/lib/lxc/c2/rootfs/home/ubuntu/.bashrc which is owned by uid and gid
1000 as being owned by uid and gid 10001000 at
/vol/contpool/lowermap/home/ubuntu/.bashrc.
Assume the user wants to expose these idmapped mounts through an overlayfs
mount to a container.
mount -t overlay overlay \
-o lowerdir=/vol/contpool/lowermap, \
upperdir=/vol/contpool/overmap/over, \
workdir=/vol/contpool/overmap/work \
/vol/contpool/merge
The user can do this in two ways:
(1) Mount overlayfs in the initial user namespace and expose it to the
container.
(2) Mount overlayfs on top of the idmapped mounts inside of the container's
user namespace.
Let's assume the user chooses the (1) option and mounts overlayfs on the
host and then changes into a container which uses the idmapping
0:10000000:65536 which is the same used for the two idmapped mounts.
Now the user tries to retrieve the POSIX ACLs using the getfacl command
getfacl -n /vol/contpool/lowermap/home/ubuntu/.bashrc
and to their surprise they see:
# file: vol/contpool/merge/home/ubuntu/.bashrc
# owner: 1000
# group: 1000
user::rw-
user:4294967295:rwx
group::r--
mask::rwx
other::r--
indicating the uid wasn't correctly translated according to the idmapped
mount. The problem is how we currently translate POSIX ACLs. Let's inspect
the callchain in this example:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:0:4k /* initial idmapping */
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
|> vfs_getxattr()
| -> __vfs_getxattr()
| -> handler->get == ovl_posix_acl_xattr_get()
| -> ovl_xattr_get()
| -> vfs_getxattr()
| -> __vfs_getxattr()
| -> handler->get() /* lower filesystem callback */
|> posix_acl_fix_xattr_to_user()
{
4 = make_kuid(&init_user_ns, 4);
4 = mapped_kuid_fs(&init_user_ns /* no idmapped mount */, 4);
/* FAILURE */
-1 = from_kuid(0:10000000:65536 /* caller's idmapping */, 4);
}
If the user chooses to use option (2) and mounts overlayfs on top of
idmapped mounts inside the container things don't look that much better:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:10000000:65536
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
|> vfs_getxattr()
| -> __vfs_getxattr()
| -> handler->get == ovl_posix_acl_xattr_get()
| -> ovl_xattr_get()
| -> vfs_getxattr()
| -> __vfs_getxattr()
| -> handler->get() /* lower filesystem callback */
|> posix_acl_fix_xattr_to_user()
{
4 = make_kuid(&init_user_ns, 4);
4 = mapped_kuid_fs(&init_user_ns, 4);
/* FAILURE */
-1 = from_kuid(0:10000000:65536 /* caller's idmapping */, 4);
}
As is easily seen the problem arises because the idmapping of the lower
mount isn't taken into account as all of this happens in do_gexattr(). But
do_getxattr() is always called on an overlayfs mount and inode and thus
cannot possible take the idmapping of the lower layers into account.
This problem is similar for fscaps but there the translation happens as
part of vfs_getxattr() already. Let's walk through an fscaps overlayfs
callchain:
setcap 'cap_net_raw+ep' /var/lib/lxc/c2/rootfs/home/ubuntu/.bashrc
The expected outcome here is that we'll receive the cap_net_raw capability
as we are able to map the uid associated with the fscap to 0 within our
container. IOW, we want to see 0 as the result of the idmapping
translations.
If the user chooses option (1) we get the following callchain for fscaps:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:0:4k /* initial idmapping */
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
-> vfs_getxattr()
-> xattr_getsecurity()
-> security_inode_getsecurity() ________________________________
-> cap_inode_getsecurity() | |
{ V |
10000000 = make_kuid(0:0:4k /* overlayfs idmapping */, 10000000); |
10000000 = mapped_kuid_fs(0:0:4k /* no idmapped mount */, 10000000); |
/* Expected result is 0 and thus that we own the fscap. */ |
0 = from_kuid(0:10000000:65536 /* caller's idmapping */, 10000000); |
} |
-> vfs_getxattr_alloc() |
-> handler->get == ovl_other_xattr_get() |
-> vfs_getxattr() |
-> xattr_getsecurity() |
-> security_inode_getsecurity() |
-> cap_inode_getsecurity() |
{ |
0 = make_kuid(0:0:4k /* lower s_user_ns */, 0); |
10000000 = mapped_kuid_fs(0:10000000:65536 /* idmapped mount */, 0); |
10000000 = from_kuid(0:0:4k /* overlayfs idmapping */, 10000000); |
|____________________________________________________________________|
}
-> vfs_getxattr_alloc()
-> handler->get == /* lower filesystem callback */
And if the user chooses option (2) we get:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:10000000:65536
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
-> vfs_getxattr()
-> xattr_getsecurity()
-> security_inode_getsecurity() _______________________________
-> cap_inode_getsecurity() | |
{ V |
10000000 = make_kuid(0:10000000:65536 /* overlayfs idmapping */, 0); |
10000000 = mapped_kuid_fs(0:0:4k /* no idmapped mount */, 10000000); |
/* Expected result is 0 and thus that we own the fscap. */ |
0 = from_kuid(0:10000000:65536 /* caller's idmapping */, 10000000); |
} |
-> vfs_getxattr_alloc() |
-> handler->get == ovl_other_xattr_get() |
|-> vfs_getxattr() |
-> xattr_getsecurity() |
-> security_inode_getsecurity() |
-> cap_inode_getsecurity() |
{ |
0 = make_kuid(0:0:4k /* lower s_user_ns */, 0); |
10000000 = mapped_kuid_fs(0:10000000:65536 /* idmapped mount */, 0); |
0 = from_kuid(0:10000000:65536 /* overlayfs idmapping */, 10000000); |
|____________________________________________________________________|
}
-> vfs_getxattr_alloc()
-> handler->get == /* lower filesystem callback */
We can see how the translation happens correctly in those cases as the
conversion happens within the vfs_getxattr() helper.
For POSIX ACLs we need to do something similar. However, in contrast to
fscaps we cannot apply the fix directly to the kernel internal posix acl
data structure as this would alter the cached values and would also require
a rework of how we currently deal with POSIX ACLs in general which almost
never take the filesystem idmapping into account (the noteable exception
being FUSE but even there the implementation is special) and instead
retrieve the raw values based on the initial idmapping.
The correct values are then generated right before returning to
userspace. The fix for this is to move taking the mount's idmapping into
account directly in vfs_getxattr() instead of having it be part of
posix_acl_fix_xattr_to_user().
To this end we simply move the idmapped mount translation into a separate
step performed in vfs_{g,s}etxattr() instead of in
posix_acl_fix_xattr_{from,to}_user().
To see how this fixes things let's go back to the original example. Assume
the user chose option (1) and mounted overlayfs on top of idmapped mounts
on the host:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:0:4k /* initial idmapping */
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
|> vfs_getxattr()
| |> __vfs_getxattr()
| | -> handler->get == ovl_posix_acl_xattr_get()
| | -> ovl_xattr_get()
| | -> vfs_getxattr()
| | |> __vfs_getxattr()
| | | -> handler->get() /* lower filesystem callback */
| | |> posix_acl_getxattr_idmapped_mnt()
| | {
| | 4 = make_kuid(&init_user_ns, 4);
| | 10000004 = mapped_kuid_fs(0:10000000:65536 /* lower idmapped mount */, 4);
| | 10000004 = from_kuid(&init_user_ns, 10000004);
| | |_______________________
| | } |
| | |
| |> posix_acl_getxattr_idmapped_mnt() |
| { |
| V
| 10000004 = make_kuid(&init_user_ns, 10000004);
| 10000004 = mapped_kuid_fs(&init_user_ns /* no idmapped mount */, 10000004);
| 10000004 = from_kuid(&init_user_ns, 10000004);
| } |_________________________________________________
| |
| |
|> posix_acl_fix_xattr_to_user() |
{ V
10000004 = make_kuid(0:0:4k /* init_user_ns */, 10000004);
/* SUCCESS */
4 = from_kuid(0:10000000:65536 /* caller's idmapping */, 10000004);
}
And similarly if the user chooses option (1) and mounted overayfs on top of
idmapped mounts inside the container:
idmapped mount /vol/contpool/merge: 0:10000000:65536
caller's idmapping: 0:10000000:65536
overlayfs idmapping (ofs->creator_cred): 0:10000000:65536
sys_getxattr()
-> path_getxattr()
-> getxattr()
-> do_getxattr()
|> vfs_getxattr()
| |> __vfs_getxattr()
| | -> handler->get == ovl_posix_acl_xattr_get()
| | -> ovl_xattr_get()
| | -> vfs_getxattr()
| | |> __vfs_getxattr()
| | | -> handler->get() /* lower filesystem callback */
| | |> posix_acl_getxattr_idmapped_mnt()
| | {
| | 4 = make_kuid(&init_user_ns, 4);
| | 10000004 = mapped_kuid_fs(0:10000000:65536 /* lower idmapped mount */, 4);
| | 10000004 = from_kuid(&init_user_ns, 10000004);
| | |_______________________
| | } |
| | |
| |> posix_acl_getxattr_idmapped_mnt() |
| { V
| 10000004 = make_kuid(&init_user_ns, 10000004);
| 10000004 = mapped_kuid_fs(&init_user_ns /* no idmapped mount */, 10000004);
| 10000004 = from_kuid(0(&init_user_ns, 10000004);
| |_________________________________________________
| } |
| |
|> posix_acl_fix_xattr_to_user() |
{ V
10000004 = make_kuid(0:0:4k /* init_user_ns */, 10000004);
/* SUCCESS */
4 = from_kuid(0:10000000:65536 /* caller's idmappings */, 10000004);
}
The last remaining problem we need to fix here is ovl_get_acl(). During
ovl_permission() overlayfs will call:
ovl_permission()
-> generic_permission()
-> acl_permission_check()
-> check_acl()
-> get_acl()
-> inode->i_op->get_acl() == ovl_get_acl()
> get_acl() /* on the underlying filesystem)
->inode->i_op->get_acl() == /*lower filesystem callback */
-> posix_acl_permission()
passing through the get_acl request to the underlying filesystem. This will
retrieve the acls stored in the lower filesystem without taking the
idmapping of the underlying mount into account as this would mean altering
the cached values for the lower filesystem. The simple solution is to have
ovl_get_acl() simply duplicate the ACLs, update the values according to the
idmapped mount and return it to acl_permission_check() so it can be used in
posix_acl_permission(). Since overlayfs doesn't cache ACLs they'll be
released right after.
Link: https://github.com/brauner/mount-idmapped/issues/9
Cc: Seth Forshee <sforshee@digitalocean.com>
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: linux-unionfs@vger.kernel.org
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Fixes:
|
||
|
Greg Kroah-Hartman
|
78dcf9434c |
Merge f8a52af9d0 ("Merge tag 'i2c-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux") into android-mainline
Steps on the way to 5.19-rc1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I7a6f4006a216fc4828361ba7ec74e6a8e3849877 |