lineage-22.0
827 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Greg Kroah-Hartman
|
012423e6bd |
Merge 5.10.228 into android12-5.10-lts
Changes in 5.10.228 ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 net: enetc: add missing static descriptor and inline keyword posix-clock: Fix missing timespec64 check in pc_clock_settime() arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 fat: fix uninitialized variable mm/swapfile: skip HugeTLB pages for unuse_vma wifi: mac80211: fix potential key use-after-free KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() io_uring/sqpoll: do not allow pinning outside of cpuset io_uring/sqpoll: retain test for whether the CPU is valid io_uring/sqpoll: do not put cpumask on stack s390/sclp_vt220: Convert newlines to CRLF instead of LFCR KVM: s390: Change virtual to physical address access in diag 0x258 handler x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET x86/cpufeatures: Add a IBPB_NO_RET BUG flag x86/entry: Have entry_ibpb() invalidate return predictions x86/bugs: Skip RSB fill at VMEXIT x86/bugs: Do not use UNTRAIN_RET with IBPB on entry blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race io_uring/sqpoll: close race on waiting for sqring entries drm/radeon: Fix encoder->possible_clones drm/vmwgfx: Handle surface check failure correctly iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() iio: light: veml6030: fix ALS sensor resolution iio: light: veml6030: fix IIO device retrieval from embedded device iio: light: opt3001: add missing full-scale range value iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Bluetooth: Remove debugfs directory on module init failure Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 xhci: Fix incorrect stream context type macro USB: serial: option: add support for Quectel EG916Q-GL USB: serial: option: add Telit FN920C04 MBIM compositions parport: Proper fix for array out-of-bounds access x86/resctrl: Annotate get_mem_config() functions as __init x86/apic: Always explicitly disarm TSC-deadline timer x86/entry_32: Do not clobber user EFLAGS.ZF x86/entry_32: Clear CPU buffers after register restore in NMI return irqchip/gic-v4: Don't allow a VMOVP on a dying VPE mptcp: track and update contiguous data status mptcp: handle consistently DSS corruption tcp: fix mptcp DSS corruption due to large pmtu xmit nilfs2: propagate directory read errors from nilfs_find_entry() powerpc/mm: Always update max/min_low_pfn in mem_topology_setup() ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Linux 5.10.228 Change-Id: I46a08618e1091915449af89690af27a230a28855 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
9e57ad4546 |
Merge 0ce9d89343 ("clk: ti: dra7-atl: Fix leak of of_nodes") into android12-5.10-lts
Steps on the way to 5.10.226 Resolves merge conflicts in: drivers/dma-buf/heaps/heap-helpers.c drivers/usb/dwc3/core.h fs/ext4/inline.c Change-Id: Id7ab496884e549fc85b6fff8254fb56d6785d78c Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Ryusuke Konishi
|
c1d0476885 |
nilfs2: propagate directory read errors from nilfs_find_entry()
commit 08cfa12adf888db98879dbd735bc741360a34168 upstream.
Syzbot reported that a task hang occurs in vcs_open() during a fuzzing
test for nilfs2.
The root cause of this problem is that in nilfs_find_entry(), which
searches for directory entries, ignores errors when loading a directory
page/folio via nilfs_get_folio() fails.
If the filesystem images is corrupted, and the i_size of the directory
inode is large, and the directory page/folio is successfully read but
fails the sanity check, for example when it is zero-filled,
nilfs_check_folio() may continue to spit out error messages in bursts.
Fix this issue by propagating the error to the callers when loading a
page/folio fails in nilfs_find_entry().
The current interface of nilfs_find_entry() and its callers is outdated
and cannot propagate error codes such as -EIO and -ENOMEM returned via
nilfs_find_entry(), so fix it together.
Link: https://lkml.kernel.org/r/20241004033640.6841-1-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Ryusuke Konishi
|
d20674f316 |
nilfs2: fix potential oob read in nilfs_btree_check_delete()
[ Upstream commit f9c96351aa6718b42a9f42eaf7adce0356bdb5e8 ]
The function nilfs_btree_check_delete(), which checks whether degeneration
to direct mapping occurs before deleting a b-tree entry, causes memory
access outside the block buffer when retrieving the maximum key if the
root node has no entries.
This does not usually happen because b-tree mappings with 0 child nodes
are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen
if the b-tree root node read from a device is configured that way, so fix
this potential issue by adding a check for that case.
Link: https://lkml.kernel.org/r/20240904081401.16682-4-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Ryusuke Konishi
|
e2290906bb |
nilfs2: determine empty node blocks as corrupted
[ Upstream commit 111b812d3662f3a1b831d19208f83aa711583fe6 ]
Due to the nature of b-trees, nilfs2 itself and admin tools such as
mkfs.nilfs2 will never create an intermediate b-tree node block with 0
child nodes, nor will they delete (key, pointer)-entries that would result
in such a state. However, it is possible that a b-tree node block is
corrupted on the backing device and is read with 0 child nodes.
Because operation is not guaranteed if the number of child nodes is 0 for
intermediate node blocks other than the root node, modify
nilfs_btree_node_broken(), which performs sanity checks when reading a
b-tree node block, so that such cases will be judged as metadata
corruption.
Link: https://lkml.kernel.org/r/20240904081401.16682-3-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Ryusuke Konishi
|
24bf40740a |
nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()
[ Upstream commit 9403001ad65ae4f4c5de368bdda3a0636b51d51a ]
Patch series "nilfs2: fix potential issues with empty b-tree nodes".
This series addresses three potential issues with empty b-tree nodes that
can occur with corrupted filesystem images, including one recently
discovered by syzbot.
This patch (of 3):
If a b-tree is broken on the device, and the b-tree height is greater than
2 (the level of the root node is greater than 1) even if the number of
child nodes of the b-tree root is 0, a NULL pointer dereference occurs in
nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().
This is because, when the number of child nodes of the b-tree root is 0,
nilfs_btree_do_lookup() does not set the block buffer head in any of
path[x].bp_bh, leaving it as the initial value of NULL, but if the level
of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(),
which accesses the buffer memory of path[x].bp_bh, is called.
Fix this issue by adding a check to nilfs_btree_root_broken(), which
performs sanity checks when reading the root node from the device, to
detect this inconsistency.
Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause
early on.
Link: https://lkml.kernel.org/r/20240904081401.16682-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20240902084101.138971-1-lizhi.xu@windriver.com
Link: https://lkml.kernel.org/r/20240904081401.16682-2-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Greg Kroah-Hartman
|
7d3ca1ed3f |
This is the 5.10.226 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmbiry8ACgkQONu9yGCS
aT6N3g//bWYo3l5q543ygloK7UBTkuyJFWb0ENBbu0J9qlnYaSeKDvqjmMUPBHKi
ZCAzL5nHmAfPMSbjRnltsl54Z7X69264BNLv62M86VnGVDrD7Y93Sn+Ts9jJoTYR
k97HrSojKsqrC2MZLaLuDnoeReoHpeAn4rwIs8mAaApxv48NfRh65KRkipkkRi0N
S7UXC82a8NyjF9wQaB2+Cdt2S0SD2706074X/0jXBAM3YR+5lF3NFgXylmUULTWi
kmCCauGhvfsR9vGIXBAYfX/thF3FSuffJjrWQ3i3/v75PyfoLZ4CruRGXIKM5UBN
TDEqx1Fx+fDXjgH07DYjFLBxQnv9wTgAtflXJj4qfaULO3NonBZHW3xIBe8foO2b
6858JdPcSA2LJ1wUxTc8BuYzgiwz5aCbGa0cLJCyJKYhJXGToweFyDM1nS2V66MD
TF43J/8zv9OAbj6TIT8WisfCgDMIIeMg/RsoaduGZViEN2Sg46XHN4ciZ7eakJOq
j3JFaAan+WPDlYpBLv1tCz+e6IDexugnbP43+E+eY8Xl6UDKUaXd3NiT728W84ll
0KULycqOteiFy7KN6NJx0oLA3YarQciatRm99zA8pnBBvqy0yJXYxWxmmaSQiGo+
VvNTrz6uc+ISP9TJfuPm8KH7NwQVhrjsndXaW2HWgoQ+fWgSZjU=
=abQi
-----END PGP SIGNATURE-----
Merge 5.10.226 into android12-5.10-lts
Changes in 5.10.226
drm: panel-orientation-quirks: Add quirk for OrangePi Neo
ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown
ALSA: hda/conexant: Mute speakers at suspend / shutdown
i2c: Fix conditional for substituting empty ACPI functions
dma-debug: avoid deadlock between dma debug vs printk and netconsole
net: usb: qmi_wwan: add MeiG Smart SRM825L
drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
drm/amdgpu: fix overflowed array index read warning
drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr
drm/amd/pm: fix warning using uninitialized value of max_vid_step
drm/amd/pm: fix the Out-of-bounds read warning
drm/amdgpu: fix uninitialized scalar variable warning
drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr
drm/amdgpu: avoid reading vf2pf info size from FB
drm/amd/display: Check gpio_id before used as array index
drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6
drm/amd/display: Add array index check for hdcp ddc access
drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]
drm/amd/display: Check msg_id before processing transcation
drm/amd/display: Fix Coverity INTEGER_OVERFLOW within dal_gpio_service_create
drm/amdgpu/pm: Fix uninitialized variable agc_btc_response
drm/amdgpu: Fix out-of-bounds write warning
drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
drm/amdgpu: fix ucode out-of-bounds read warning
drm/amdgpu: fix mc_data out-of-bounds read warning
drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device
apparmor: fix possible NULL pointer dereference
drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy SOCs
drm/amdgpu: the warning dereferencing obj for nbio_v7_4
drm/amd/pm: check negtive return for table entries
wifi: iwlwifi: remove fw_running op
PCI: al: Check IORESOURCE_BUS existence during probe
hwspinlock: Introduce hwspin_lock_bust()
ionic: fix potential irq name truncation
usbip: Don't submit special requests twice
usb: typec: ucsi: Fix null pointer dereference in trace
fsnotify: clear PARENT_WATCHED flags lazily
smack: tcp: ipv4, fix incorrect labeling
drm/meson: plane: Add error handling
wifi: cfg80211: make hash table duplicates more survivable
block: remove the blk_flush_integrity call in blk_integrity_unregister
drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
media: uvcvideo: Enforce alignment of frame and interval
block: initialize integrity buffer to zero before writing it to media
drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode
net: set SOCK_RCU_FREE before inserting socket into hashtable
virtio_net: Fix napi_skb_cache_put warning
rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow
udf: Limit file size to 4TB
ext4: handle redirtying in ext4_bio_write_page()
i2c: Use IS_REACHABLE() for substituting empty ACPI functions
bpf, cgroup: Assign cgroup in cgroup_sk_alloc when called from interrupt
sch/netem: fix use after free in netem_dequeue
ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices
ALSA: hda/realtek: add patch for internal mic in Lenovo V145
ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx
ata: libata: Fix memory leak for error path in ata_host_alloc()
irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE"
Bluetooth: MGMT: Ignore keys being loaded with invalid type
mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
mmc: sdhci-of-aspeed: fix module autoloading
fuse: update stats for pages in dropped aux writeback list
fuse: use unsigned type for getxattr/listxattr size truncation
clk: qcom: clk-alpha-pll: Fix the pll post div mask
clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API
can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open
tracing: Avoid possible softlockup in tracing_iter_reset()
ila: call nf_unregister_net_hooks() sooner
sched: sch_cake: fix bulk flow accounting logic for host fairness
nilfs2: fix missing cleanup on rollforward recovery error
nilfs2: fix state management in error path of log writing function
btrfs: fix use-after-free after failure to create a snapshot
mptcp: pr_debug: add missing \n at the end
mptcp: pm: avoid possible UaF when selecting endp
nfsd: move reply cache initialization into nfsd startup
nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net
NFSD: Refactor nfsd_reply_cache_free_locked()
NFSD: Rename nfsd_reply_cache_alloc()
NFSD: Replace nfsd_prune_bucket()
NFSD: Refactor the duplicate reply cache shrinker
NFSD: simplify error paths in nfsd_svc()
NFSD: Rewrite synopsis of nfsd_percpu_counters_init()
NFSD: Fix frame size warning in svc_export_parse()
sunrpc: don't change ->sv_stats if it doesn't exist
nfsd: stop setting ->pg_stats for unused stats
sunrpc: pass in the sv_stats struct through svc_create_pooled
sunrpc: remove ->pg_stats from svc_program
sunrpc: use the struct net as the svc proc private
nfsd: rename NFSD_NET_* to NFSD_STATS_*
nfsd: expose /proc/net/sunrpc/nfsd in net namespaces
nfsd: make all of the nfsd stats per-network namespace
nfsd: remove nfsd_stats, make th_cnt a global counter
nfsd: make svc_stat per-network namespace instead of global
ALSA: hda: Add input value sanity checks to HDMI channel map controls
smack: unix sockets: fix accept()ed socket label
irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
af_unix: Remove put_pid()/put_cred() in copy_peercred().
iommu: sun50i: clear bypass register
netfilter: nf_conncount: fix wrong variable type
udf: Avoid excessive partition lengths
media: vivid: fix wrong sizeimage value for mplane
leds: spi-byte: Call of_node_put() on error path
wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
usb: uas: set host status byte on data completion error
media: vivid: don't set HDMI TX controls if there are no HDMI outputs
PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)
media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
pcmcia: Use resource_size function on resource object
can: bcm: Remove proc entry when dev is unregistered.
igb: Fix not clearing TimeSync interrupts for 82580
svcrdma: Catch another Reply chunk overflow case
platform/x86: dell-smbios: Fix error path in dell_smbios_init()
tcp_bpf: fix return value of tcp_bpf_sendmsg()
igc: Unlock on error in igc_io_resume()
drivers/net/usb: Remove all strcpy() uses
net: usb: don't write directly to netdev->dev_addr
usbnet: modern method to get random MAC
bareudp: Fix device stats updates.
fou: remove sparse errors
gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers
gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers
fou: Fix null-ptr-deref in GRO.
net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
net: dsa: vsc73xx: fix possible subblocks range of CAPT block
ASoC: topology: Properly initialize soc_enum values
dm init: Handle minors larger than 255
iommu/vt-d: Handle volatile descriptor status read
cgroup: Protect css->cgroup write under css_set_lock
um: line: always fill *error_out in setup_one_line()
devres: Initialize an uninitialized struct member
pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
hwmon: (adc128d818) Fix underflows seen when writing limit attributes
hwmon: (lm95234) Fix underflows seen when writing limit attributes
hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
btrfs: replace BUG_ON with ASSERT in walk_down_proc()
btrfs: clean up our handling of refs == 0 in snapshot delete
PCI: Add missing bridge lock to pci_bus_lock()
net: dpaa: avoid on-stack arrays of NR_CPUS elements
kselftests: dmabuf-heaps: Ensure the driver name is null-terminated
btrfs: initialize location to fix -Wmaybe-uninitialized in btrfs_lookup_dentry()
s390/vmlinux.lds.S: Move ro_after_init section behind rodata section
HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
Input: uinput - reject requests with unreasonable number of slots
usbnet: ipheth: race between ipheth_close and error handling
Squashfs: sanity check symbolic link size
of/irq: Prevent device address out-of-bounds read in interrupt map walk
lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed
ata: pata_macio: Use WARN instead of BUG
NFSv4: Add missing rescheduling points in nfs_client_return_marked_delegations
staging: iio: frequency: ad9834: Validate frequency parameter value
iio: buffer-dmaengine: fix releasing dma channel on error
iio: fix scale application in iio_convert_raw_to_processed_unlocked
iio: adc: ad7124: fix chip ID mismatch
binder: fix UAF caused by offsets overwrite
nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX
clocksource/drivers/imx-tpm: Fix next event not taking effect sometime
clocksource/drivers/timer-of: Remove percpu irq related code
uprobes: Use kzalloc to allocate xol area
perf/aux: Fix AUX buffer serialization
nilfs2: replace snprintf in show functions with sysfs_emit
nilfs2: protect references to superblock parameters exposed in sysfs
ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add()
ACPI: processor: Fix memory leaks in error paths of processor_add()
arm64: acpi: Move get_cpu_for_acpi_id() to a header
arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
nvmet-tcp: fix kernel crash if commands allocation fails
drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused
drm/i915/fence: Mark debug_fence_free() with __maybe_unused
mmc: cqhci: Fix checking of CQHCI_HALT state
rtmutex: Drop rt_mutex::wait_lock before scheduling
x86/mm: Fix PTI for i386 some more
net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket
memcg: protect concurrent access to mem_cgroup_idr
Linux 5.10.226
Change-Id: I3c0afd32ba78775f67cde6d73b4dbf931bbc4770
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
b22678f8ef |
Merge ddee5b4b6a ("mptcp: pm: avoid possible UaF when selecting endp") into android12-5.10-lts
Steps on the way to 5.10.226 Change-Id: I4ee8b8e793b6ecb98c7078125d994b46b1165c2e Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Ryusuke Konishi
|
157c0d94b4 |
nilfs2: protect references to superblock parameters exposed in sysfs
[ Upstream commit 683408258917541bdb294cd717c210a04381931e ]
The superblock buffers of nilfs2 can not only be overwritten at runtime
for modifications/repairs, but they are also regularly swapped, replaced
during resizing, and even abandoned when degrading to one side due to
backing device issues. So, accessing them requires mutual exclusion using
the reader/writer semaphore "nilfs->ns_sem".
Some sysfs attribute show methods read this superblock buffer without the
necessary mutual exclusion, which can cause problems with pointer
dereferencing and memory access, so fix it.
Link: https://lkml.kernel.org/r/20240811100320.9913-1-konishi.ryusuke@gmail.com
Fixes:
|
||
Qing Wang
|
0630e3d435 |
nilfs2: replace snprintf in show functions with sysfs_emit
[ Upstream commit 3bcd6c5bd483287f4a09d3d59a012d47677b6edc ] Patch series "nilfs2 updates". This patch (of 2): coccicheck complains about the use of snprintf() in sysfs show functions. Fix the coccicheck warning: WARNING: use scnprintf or sprintf. Use sysfs_emit instead of scnprintf or sprintf makes more sense. Link: https://lkml.kernel.org/r/1635151862-11547-1-git-send-email-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/1634095759-4625-1-git-send-email-wangqing@vivo.com Link: https://lkml.kernel.org/r/1635151862-11547-2-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Qing Wang <wangqing@vivo.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Stable-dep-of: 683408258917 ("nilfs2: protect references to superblock parameters exposed in sysfs") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Ryusuke Konishi
|
efdde00d4a |
nilfs2: fix state management in error path of log writing function
commit 6576dd6695f2afca3f4954029ac4a64f82ba60ab upstream. After commit |
||
|
Ryusuke Konishi
|
07e4dc2fe0 |
nilfs2: fix missing cleanup on rollforward recovery error
commit 5787fcaab9eb5930f5378d6a1dd03d916d146622 upstream.
In an error injection test of a routine for mount-time recovery, KASAN
found a use-after-free bug.
It turned out that if data recovery was performed using partial logs
created by dsync writes, but an error occurred before starting the log
writer to create a recovered checkpoint, the inodes whose data had been
recovered were left in the ns_dirty_files list of the nilfs object and
were not freed.
Fix this issue by cleaning up inodes that have read the recovery data if
the recovery routine fails midway before the log writer starts.
Link: https://lkml.kernel.org/r/20240810065242.3701-1-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Greg Kroah-Hartman
|
b84ad15be5 |
This is the 5.10.224 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmbCv24ACgkQONu9yGCS
aT7lNRAAzP2lSCUHROaMTldoQdahqoWqwFSiMI9p32HYLTerpg1GHVsi1IUvD+pv
zhmUG9w+ACbSbZ9337G61FeEDCIBzgqaIXLCtbK2Be9nWMa9I1ZtMSFUKoSmVJBw
YbrI/UOscJmAf44G6DeMp+N+/S2o7INK463u51SYjufo/zhFF8KsYElm23p06kgn
lTkkUAoo9mSVvEr64zbjwLrWyBWTlcvYH/xrkWeJWXl+hBv0K5Ig9IBm0sc0DSQR
fErADzDLFkmD9pduZbMwbzUUzC8ST41KKjTgClaHQhSMeoLoWT8CJM5Swwds4XVE
JkoClkqnj3+stYFpLFm9UUgZ12wu/9slzgRCN6fTraSNT8gE9F9BRJXFGL+3S5OO
oHKZYEEPTZDsD3PihgufJ4Ft27+KpMUzAgQUmVH/y47wrVJ2pf4fCK8LKT0MbjBi
pjZaDRCxwo1aORL3+jYJBVRecrNqQ0DhacYOKznhb2KKeaHojIwLaE6k/W/0Q8U5
1uMYv+NJ3LWDNzGcNUTCfNtuDELOpkp24Xc8RN0MK2iMMMyfjMpgKssjSBZtz0QW
NH0UVpfiWKECKH+m03NeFnYdMuK8/VyM8vatkcemz0FfgJP2UazeiVwSujfS2r2S
0TtsCMPP3kgKa9mAnni7lQs4wkG+OTNDNZqbuDqFZ1rHUS2Usrg=
=8i2e
-----END PGP SIGNATURE-----
Merge 5.10.224 into android12-5.10-lts
Changes in 5.10.224
EDAC/skx_common: Add new ADXL components for 2-level memory
EDAC, i10nm: make skx_common.o a separate module
platform/chrome: cros_ec_debugfs: fix wrong EC message version
hfsplus: fix to avoid false alarm of circular locking
x86/of: Return consistent error type from x86_of_pci_irq_enable()
x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling
x86/pci/xen: Fix PCIBIOS_* return code handling
x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
hwmon: (adt7475) Fix default duty on fan is disabled
pwm: stm32: Always do lazy disabling
hwmon: (max6697) Fix underflow when writing limit attributes
hwmon: (max6697) Fix swapped temp{1,8} critical alarms
arm64: dts: qcom: sdm845: add power-domain to UFS PHY
soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data() callers
arm64: dts: qcom: msm8996: specify UFS core_clk frequencies
soc: qcom: pdr: protect locator_addr with the main mutex
soc: qcom: pdr: fix parsing of domains lists
arm64: dts: rockchip: Increase VOP clk rate on RK3328
ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node
ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset
ARM: dts: imx6qdl-kontron-samx6i: fix board reset
ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects
ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity
arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property
arm64: dts: mediatek: mt7622: fix "emmc" pinctrl mux
arm64: dts: amlogic: gx: correct hdmi clocks
m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages
x86/xen: Convert comma to semicolon
m68k: cmpxchg: Fix return value for default case in __arch_xchg()
ARM: pxa: spitz: use gpio descriptors for audio
ARM: spitz: fix GPIO assignment for backlight
firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout()
firmware: turris-mox-rwtm: Initialize completion before mailbox
wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
selftests/bpf: Fix prog numbers in test_sockmap
net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP
net/smc: Allow SMC-D 1MB DMB allocations
net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined
selftests/bpf: Check length of recv in test_sockmap
lib: objagg: Fix general protection fault
mlxsw: spectrum_acl_erp: Fix object nesting warning
mlxsw: spectrum_acl_bloom_filter: Make mlxsw_sp_acl_bf_key_encode() more flexible
mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors
ath11k: dp: stop rx pktlog before suspend
wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers
wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()
net: fec: Refactor: #define magic constants
net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
ipvs: Avoid unnecessary calls to skb_is_gso_sctp
netfilter: nf_tables: rise cap on SELinux secmark context
perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation
perf: Fix perf_aux_size() for greater-than 32-bit size
perf: Prevent passing zero nr_pages to rb_alloc_aux()
qed: Improve the stack space of filter_config()
wifi: virt_wifi: avoid reporting connection success with wrong SSID
gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey
wifi: virt_wifi: don't use strlen() in const context
selftests/bpf: Close fd in error path in drop_on_reuseport
bpf: annotate BTF show functions with __printf
bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o
selftests: forwarding: devlink_lib: Wait for udev events after reloading
xdp: fix invalid wait context of page_pool_destroy()
drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before regulators
drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()
media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()
media: imon: Fix race getting ictx->lock
saa7134: Unchecked i2c_transfer function result fixed
media: uvcvideo: Allow entity-defined get_info and get_cur
media: uvcvideo: Override default flags
media: renesas: vsp1: Fix _irqsave and _irq mix
media: renesas: vsp1: Store RPF partition configuration per RPF instance
leds: trigger: Unregister sysfs attributes before calling deactivate()
perf report: Fix condition in sort__sym_cmp()
drm/etnaviv: fix DMA direction handling for cached RW buffers
drm/qxl: Add check for drm_cvt_mode
Revert "leds: led-core: Fix refcount leak in of_led_get()"
ext4: fix infinite loop when replaying fast_commit
media: venus: flush all buffers in output plane streamoff
mfd: omap-usb-tll: Use struct_size to allocate tll
xprtrdma: Rename frwr_release_mr()
xprtrdma: Fix rpcrdma_reqs_reset()
SUNRPC: avoid soft lockup when transmitting UDP to reachable server.
ext4: avoid writing unitialized memory to disk in EA inodes
sparc64: Fix incorrect function signature and add prototype for prom_cif_init
SUNRPC: Fixup gss_status tracepoint error output
PCI: Fix resource double counting on remove & rescan
coresight: Fix ref leak when of_coresight_parse_endpoint() fails
Input: qt1050 - handle CHIP_ID reading error
RDMA/mlx4: Fix truncated output warning in mad.c
RDMA/mlx4: Fix truncated output warning in alias_GUID.c
RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
ASoC: max98088: Check for clk_prepare_enable() error
mtd: make mtd_test.c a separate module
RDMA/device: Return error earlier if port in not valid
Input: elan_i2c - do not leave interrupt disabled on suspend failure
MIPS: Octeron: remove source file executable bit
powerpc/xmon: Fix disassembly CPU feature checks
macintosh/therm_windtunnel: fix module unload.
RDMA/hns: Fix missing pagesize and alignment check in FRMR
bnxt_re: Fix imm_data endianness
netfilter: ctnetlink: use helper function to calculate expect ID
net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports
net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports
pinctrl: rockchip: update rk3308 iomux routes
pinctrl: core: fix possible memory leak when pinctrl_enable() fails
pinctrl: single: fix possible memory leak when pinctrl_enable() fails
pinctrl: ti: ti-iodelay: Drop if block with always false condition
pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails
pinctrl: freescale: mxs: Fix refcount of child
fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP
fs/nilfs2: remove some unused macros to tame gcc
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
rtc: interface: Add RTC offset to alarm after fix-up
dt-bindings: thermal: correct thermal zone node name limit
tick/broadcast: Make takeover of broadcast hrtimer reliable
net: netconsole: Disable target before netpoll cleanup
af_packet: Handle outgoing VLAN packets without hardware offloading
ipv6: take care of scope when choosing the src addr
sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE tasks
char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
media: venus: fix use after free in vdec_close
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
ext2: Verify bitmap and itable block numbers before using them
drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
scsi: qla2xxx: Fix optrom version displayed in FDMI
drm/amd/display: Check for NULL pointer
sched/fair: Use all little CPUs for CPU-bound workloads
apparmor: use kvfree_sensitive to free data->data
task_work: s/task_work_cancel()/task_work_cancel_func()/
task_work: Introduce task_work_cancel() again
udf: Avoid using corrupted block bitmap buffer
m68k: amiga: Turn off Warp1260 interrupts during boot
ext4: check dot and dotdot of dx_root before making dir indexed
ext4: make sure the first directory block is not a hole
wifi: mwifiex: Fix interface type change
leds: ss4200: Convert PCIBIOS_* return codes to errnos
jbd2: make jbd2_journal_get_max_txn_bufs() internal
KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()
tools/memory-model: Fix bug in lock.cat
hwrng: amd - Convert PCIBIOS_* return codes to errnos
PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
binder: fix hang of unregistered readers
dev/parport: fix the array out-of-bounds risk
scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
f2fs: fix to don't dirty inode for readonly filesystem
clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
ubi: eba: properly rollback inside self_check_eba
decompress_bunzip2: fix rare decompression failure
kbuild: Fix '-S -c' in x86 stack protector scripts
kobject_uevent: Fix OOB access within zap_modalias_env()
devres: Fix devm_krealloc() wasting memory
rtc: cmos: Fix return value of nvmem callbacks
scsi: qla2xxx: During vport delete send async logout explicitly
scsi: qla2xxx: Fix for possible memory corruption
scsi: qla2xxx: Fix flash read failure
scsi: qla2xxx: Complete command early within lock
scsi: qla2xxx: validate nvme_local_port correctly
perf/x86/intel/pt: Fix topa_entry base length
perf/x86/intel/pt: Fix a topa_entry base address calculation
rtc: isl1208: Fix return value of nvmem callbacks
watchdog/perf: properly initialize the turbo mode timestamp and rearm counter
platform: mips: cpu_hwmon: Disable driver on unsupported hardware
RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
selftests/sigaltstack: Fix ppc64 GCC build
rbd: don't assume rbd_is_lock_owner() for exclusive mappings
MIPS: ip30: ip30-console: Add missing include
MIPS: Loongson64: env: Hook up Loongsson-2K
drm/panfrost: Mark simple_ondemand governor as softdep
rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait
rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings
Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
nilfs2: handle inconsistent state in nilfs_btnode_create_block()
io_uring/io-wq: limit retrying worker initialisation
kernel: rerun task_work while freezing in get_signal()
kdb: address -Wformat-security warnings
kdb: Use the passed prompt in kdb_position_cursor()
jfs: Fix array-index-out-of-bounds in diFree
um: time-travel: fix time-travel-start option
f2fs: fix start segno of large section
libbpf: Fix no-args func prototype BTF dumping syntax
dma: fix call order in dmam_free_coherent
MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
ipv4: Fix incorrect source address in Record Route option
net: bonding: correctly annotate RCU in bond_should_notify_peers()
netfilter: nft_set_pipapo_avx2: disable softinterrupts
tipc: Return non-zero value from tipc_udp_addr2str() on error
net: stmmac: Correct byte order of perfect_match
net: nexthop: Initialize all fields in dumped nexthops
bpf: Fix a segment issue when downgrading gso_size
mISDN: Fix a use after free in hfcmulti_tx()
apparmor: Fix null pointer deref when receiving skb during sock creation
powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()
lirc: rc_dev_get_from_fd(): fix file leak
ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable
ceph: fix incorrect kmalloc size of pagevec mempool
nvme: split command copy into a helper
nvme-pci: add missing condition check for existence of mapped data
fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT
powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC
fuse: name fs_context consistently
fuse: verify {g,u}id mount options correctly
sysctl: always initialize i_uid/i_gid
ext4: factor out a common helper to query extent map
ext4: check the extent status again before inserting delalloc block
soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver
drivers: soc: xilinx: check return status of get_api_version()
driver core: Cast to (void *) with __force for __percpu pointer
devres: Fix memory leakage caused by driver API devm_free_percpu()
genirq: Allow the PM device to originate from irq domain
irqchip/imx-irqsteer: Constify irq_chip struct
irqchip/imx-irqsteer: Add runtime PM support
irqchip/imx-irqsteer: Handle runtime power management correctly
remoteproc: imx_rproc: ignore mapping vdev regions
remoteproc: imx_rproc: Fix ignoring mapping vdev regions
remoteproc: imx_rproc: Skip over memory region when node value is NULL
drm/nouveau: prime: fix refcount underflow
drm/vmwgfx: Fix overlay when using Screen Targets
sched: act_ct: take care of padding in struct zones_ht_key
net/iucv: fix use after free in iucv_sock_close()
net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
ipv6: fix ndisc_is_useropt() handling for PIO
riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()
platform/chrome: cros_ec_proto: Lock device when updating MKBP version
HID: wacom: Modify pen IDs
protect the fetch of ->fd[fd] in do_dup2() from mispredictions
ALSA: usb-audio: Correct surround channels in UAC1 channel map
ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G
net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY
mptcp: fix duplicate data handling
netfilter: ipset: Add list flush to cancel_gc
genirq: Allow irq_chip registration functions to take a const irq_chip
irqchip/mbigen: Fix mbigen node address layout
x86/mm: Fix pti_clone_pgtable() alignment assumption
x86/mm: Fix pti_clone_entry_text() for i386
sctp: move hlist_node and hashent out of sctp_ep_common
sctp: Fix null-ptr-deref in reuseport_add_sock().
net: usb: qmi_wwan: fix memory leak for not ip packets
net: linkwatch: use system_unbound_wq
Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
l2tp: fix lockdep splat
net: fec: Stop PPS on driver remove
rcutorture: Fix rcu_torture_fwd_cb_cr() data race
md: do not delete safemode_timer in mddev_suspend
md/raid5: avoid BUG_ON() while continue reshape after reassembling
clocksource/drivers/sh_cmt: Address race condition for clock events
ACPI: battery: create alarm sysfs attribute atomically
ACPI: SBS: manage alarm sysfs attribute through psy core
selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT
PCI: Add Edimax Vendor ID to pci_ids.h
udf: prevent integer overflow in udf_bitmap_free_blocks()
wifi: nl80211: don't give key data to userspace
btrfs: fix bitmap leak when loading free space cache on duplicate entry
drm/amdgpu: Fix the null pointer dereference to ras_manager
drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules
media: uvcvideo: Ignore empty TS packets
media: uvcvideo: Fix the bandwdith quirk on USB 3.x
jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
s390/sclp: Prevent release of buffer in I/O
SUNRPC: Fix a race to wake a sync task
sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime
ext4: fix wrong unit use in ext4_mb_find_by_goal
arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-space
arm64: Add Neoverse-V2 part
arm64: cputype: Add Cortex-X4 definitions
arm64: cputype: Add Neoverse-V3 definitions
arm64: errata: Add workaround for Arm errata 3194386 and 3312417
arm64: cputype: Add Cortex-X3 definitions
arm64: cputype: Add Cortex-A720 definitions
arm64: cputype: Add Cortex-X925 definitions
arm64: errata: Unify speculative SSBS errata logic
arm64: errata: Expand speculative SSBS workaround
arm64: cputype: Add Cortex-X1C definitions
arm64: cputype: Add Cortex-A725 definitions
arm64: errata: Expand speculative SSBS workaround (again)
i2c: smbus: Improve handling of stuck alerts
ASoC: codecs: wsa881x: Correct Soundwire ports mask
i2c: smbus: Send alert notifications to all devices if source not found
bpf: kprobe: remove unused declaring of bpf_kprobe_override
kprobes: Fix to check symbol prefixes correctly
spi: spi-fsl-lpspi: Fix scldiv calculation
ALSA: usb-audio: Re-add ScratchAmp quirk entries
drm/client: fix null pointer dereference in drm_client_modeset_probe
ALSA: line6: Fix racy access to midibuf
ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
usb: vhci-hcd: Do not drop references before new references are gained
USB: serial: debug: do not echo input by default
usb: gadget: core: Check for unset descriptor
usb: gadget: u_serial: Set start_delayed during suspend
scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
tick/broadcast: Move per CPU pointer access into the atomic section
ntp: Clamp maxerror and esterror to operating range
driver core: Fix uevent_show() vs driver detach race
ntp: Safeguard against time_constant overflow
scsi: mpt3sas: Remove scsi_dma_map() error messages
scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
irqchip/meson-gpio: support more than 8 channels gpio irq
irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to 'raw_spinlock_t'
serial: core: check uartclk for zero to avoid divide by zero
irqchip/xilinx: Fix shift out of bounds
genirq/irqdesc: Honor caller provided affinity in alloc_desc()
power: supply: axp288_charger: Fix constant_charge_voltage writes
power: supply: axp288_charger: Round constant_charge_voltage writes down
tracing: Fix overflow in get_free_elt()
padata: Fix possible divide-by-0 panic in padata_mt_helper()
x86/mtrr: Check if fixed MTRRs exist before saving them
drm/bridge: analogix_dp: properly handle zero sized AUX transactions
drm/mgag200: Set DDC timeout in milliseconds
mptcp: sched: check both directions for backup
mptcp: distinguish rcv vs sent backup flag in requests
mptcp: fix NL PM announced address accounting
mptcp: mib: count MPJ with backup flag
mptcp: export local_address
mptcp: pm: fix backup support in signal endpoints
samples: Add fs error monitoring example
samples: Make fs-monitor depend on libc and headers
Add gitignore file for samples/fanotify/ subdirectory
Fix gcc 4.9 build issue in 5.10.y
PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
netfilter: nf_tables: set element extended ACK reporting support
netfilter: nf_tables: use timestamp to check for set element timeout
netfilter: nf_tables: allow clone callbacks to sleep
netfilter: nf_tables: prefer nft_chain_validate
drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.
arm64: cpufeature: Fix the visibility of compat hwcaps
media: uvcvideo: Use entity get_cur in uvc_ctrl_set
exec: Fix ToCToU between perm check and set-uid/gid usage
nvme/pci: Add APST quirk for Lenovo N60z laptop
vdpa: Make use of PFN_PHYS/PFN_UP/PFN_DOWN helper macro
vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler
wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values
ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode
media: Revert "media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()"
Linux 5.10.224
Change-Id: I7cd19d506c4c86df918a280598946060a494a161
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Ryusuke Konishi
|
5f0a6800b8 |
nilfs2: handle inconsistent state in nilfs_btnode_create_block()
commit 4811f7af6090e8f5a398fbdd766f903ef6c0d787 upstream.
Syzbot reported that a buffer state inconsistency was detected in
nilfs_btnode_create_block(), triggering a kernel bug.
It is not appropriate to treat this inconsistency as a bug; it can occur
if the argument block address (the buffer index of the newly created
block) is a virtual block number and has been reallocated due to
corruption of the bitmap used to manage its allocation state.
So, modify nilfs_btnode_create_block() and its callers to treat it as a
possible filesystem error, rather than triggering a kernel bug.
Link: https://lkml.kernel.org/r/20240725052007.4562-1-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Ryusuke Konishi
|
84ffa27eb0 |
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
[ Upstream commit 0f3819e8c483771a59cf9d3190cd68a7a990083c ] According to the C standard 3.4.3p3, the result of signed integer overflow is undefined. The macro nilfs_cnt32_ge(), which compares two sequence numbers, uses signed integer subtraction that can overflow, and therefore the result of the calculation may differ from what is expected due to undefined behavior in different environments. Similar to an earlier change to the jiffies-related comparison macros in commit |
||
Alex Shi
|
9d6571b1c4 |
fs/nilfs2: remove some unused macros to tame gcc
[ Upstream commit e7920b3e9d9f5470d5ff7d883e72a47addc0a137 ] There some macros are unused and cause gcc warning. Remove them. fs/nilfs2/segment.c:137:0: warning: macro "nilfs_cnt32_gt" is not used [-Wunused-macros] fs/nilfs2/segment.c:144:0: warning: macro "nilfs_cnt32_le" is not used [-Wunused-macros] fs/nilfs2/segment.c:143:0: warning: macro "nilfs_cnt32_lt" is not used [-Wunused-macros] Link: https://lkml.kernel.org/r/1607552733-24292-1-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Alex Shi <alex.shi@linux.alibaba.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Stable-dep-of: 0f3819e8c483 ("nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
875057880e |
This is the 5.10.222 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmaY9zYACgkQONu9yGCS aT6v5g//WMifSZz85CUFaqgs65rwVfhTMpYtUeL5LiDuy+SMou6ViV3A93FpTkmj FJBvrr2y0bn8Y5Dp/fwYj10XUz+THZte/yEVnPh/NkV107FZD3fKa6GTnJY7H/XY 4SoOGfPB4yfx+MpN6ZpLsu4cAt6FW8P+QfKOxBEboGkJSGpjEbGYFMtyZAMjknia QE8cKQ3LnMrQzHIizil5dZVlYaiMgJtlKTtUeVI1ixmaGDb3rCsnCVvMRvZnW95V aSgyJNrNix7a5tRgYwZHZp4t3p9iT2lyIFM3/y7TKcglVCMPw4nbsDdLNNq11qrk RdTdScR+9eKyJsEGVYOhXZFUFzOgHW22xyx0CCZmDMeu08WPNl4vhGewnndQy3yd 6jdTRYDrU6SQNQ0AjRZXcdmfopIQxetHE7ZEKvbgBW6+u9oySYU8phPCNkma2JWr O2eY5AOF8zgPAdAzvF9Bt/qTlwLNjP0zczoIRX7HSvV03Nh9cQvgzKdSCfuPDU4a FX7mlokgweYa7WoWGPkzOlgMaJZksqstDnhbuwONoMPrNFTUjgm429K87iPdwzqC Yv4uDrpFXgkhfD4Aoks4wDpE2LgBKWz5Wnpo+WW4fjcrXtcIV2tTD9FkMjBv3ECv A8TTWsXxQtm3V54R4h7fAXg9KnZBuIYYDnB2u1317ZdaDkZRuPQ= =X2/A -----END PGP SIGNATURE----- Merge 5.10.222 into android12-5.10-lts Changes in 5.10.222 Compiler Attributes: Add __uninitialized macro drm/lima: fix shared irq handling on driver remove media: dvb: as102-fe: Fix as10x_register_addr packing media: dvb-usb: dib0700_devices: Add missing release_firmware() IB/core: Implement a limit on UMAD receive List scsi: qedf: Make qedf_execute_tmf() non-preemptible crypto: aead,cipher - zeroize key buffer after use drm/amdgpu: Initialize timestamp for some legacy SOCs drm/amd/display: Check index msg_id before read or write drm/amd/display: Check pipe offset before setting vblank drm/amd/display: Skip finding free audio for unknown engine_id media: dw2102: Don't translate i2c read into write sctp: prefer struct_size over open coded arithmetic firmware: dmi: Stop decoding on broken entry Input: ff-core - prefer struct_size over open coded arithmetic net: dsa: mv88e6xxx: Correct check for empty list media: dvb-frontends: tda18271c2dd: Remove casting during div media: s2255: Use refcount_t instead of atomic_t for num_channels media: dvb-frontends: tda10048: Fix integer overflow i2c: i801: Annotate apanel_addr as __ro_after_init powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n orangefs: fix out-of-bounds fsid access kunit: Fix timeout message powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD jffs2: Fix potential illegal address access in jffs2_free_inode s390/pkey: Wipe sensitive data on failure UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() tcp_metrics: validate source addr length wifi: wilc1000: fix ies_len type in connect path bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() selftests: fix OOM in msg_zerocopy selftest selftests: make order checking verbose in msg_zerocopy selftest inet_diag: Initialize pad field in struct inet_diag_req_v2 nilfs2: fix inode number range checks nilfs2: add missing check for inode numbers on directory entries mm: optimize the redundant loop of mm_update_owner_next() mm: avoid overflows in dirty throttling logic Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct fsnotify: Do not generate events for O_PATH file descriptors Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes drm/amdgpu/atomfirmware: silence UBSAN warning mtd: rawnand: Bypass a couple of sanity checks during NAND identification bnx2x: Fix multiple UBSAN array-index-out-of-bounds bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues ima: Avoid blocking in RCU read-side critical section media: dw2102: fix a potential buffer overflow i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897 nvme-multipath: find NUMA path only for online numa-node nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6" tablet platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro nvmet: fix a possible leak when destroy a ctrl during qp establishment kbuild: fix short log for AS in link-vmlinux.sh nilfs2: fix incorrect inode allocation from reserved inodes mm: prevent derefencing NULL ptr in pfn_section_valid() filelock: fix potential use-after-free in posix_lock_inode fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading vfs: don't mod negative dentry count when on shrinker list tcp: fix incorrect undo caused by DSACK of TLP retransmit octeontx2-af: Fix incorrect value output on error path in rvu_check_rsrc_availability() net: lantiq_etop: add blank line after declaration net: ethernet: lantiq_etop: fix double free in detach ppp: reject claimed-as-LCP but actually malformed packets ethtool: netlink: do not return SQI value if link is down udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). net/sched: Fix UAF when resolving a clash s390: Mark psw in __load_psw_mask() as __unitialized ARM: davinci: Convert comma to semicolon octeontx2-af: fix detection of IP layer tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() tcp: avoid too many retransmit packets net: ks8851: Fix potential TX stall after interface reopen USB: serial: option: add Telit generic core-dump composition USB: serial: option: add Telit FN912 rmnet compositions USB: serial: option: add Fibocom FM350-GL USB: serial: option: add support for Foxconn T99W651 USB: serial: option: add Netprisma LCUK54 series modules USB: serial: option: add Rolling RW350-GL variants USB: serial: mos7840: fix crash on resume USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor hpet: Support 32-bit userspace nvmem: meson-efuse: Fix return value of nvmem callbacks ALSA: hda/realtek: Enable Mute LED on HP 250 G7 ALSA: hda/realtek: Limit mic boost on VAIO PRO PX libceph: fix race between delayed_work() and ceph_monc_stop() wireguard: allowedips: avoid unaligned 64-bit memory accesses wireguard: queueing: annotate intentional data race in cpu round robin wireguard: send: annotate intentional data race in checking empty queue x86/retpoline: Move a NOENDBR annotation to the SRSO dummy return thunk efi: ia64: move IA64-only declarations to new asm/efi.h header ipv6: annotate data-races around cnf.disable_ipv6 ipv6: prevent NULL dereference in ip6_output() bpf: Allow reads from uninit stack nilfs2: fix kernel bug on rename operation of broken directory i2c: rcar: bring hardware to known state when probing i2c: mark HostNotify target address as used i2c: rcar: Add R-Car Gen4 support i2c: rcar: reset controller is mandatory for Gen3+ i2c: rcar: introduce Gen4 devices i2c: rcar: ensure Gen3+ reset does not disturb local targets i2c: rcar: clear NO_RXDMA flag after resetting i2c: rcar: fix error code in probe() Linux 5.10.222 Change-Id: I39dedaef039a49c1b8b53dd83b83d481593ffb95 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Ryusuke Konishi
|
a9a466a69b |
nilfs2: fix kernel bug on rename operation of broken directory
commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 upstream.
Syzbot reported that in rename directory operation on broken directory on
nilfs2, __block_write_begin_int() called to prepare block write may fail
BUG_ON check for access exceeding the folio/page size.
This is because nilfs_dotdot(), which gets parent directory reference
entry ("..") of the directory to be moved or renamed, does not check
consistency enough, and may return location exceeding folio/page size for
broken directories.
Fix this issue by checking required directory entries ("." and "..") in
the first chunk of the directory in nilfs_dotdot().
Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
Fixes:
|
||
|
Ryusuke Konishi
|
1e99ce37e9 |
nilfs2: fix incorrect inode allocation from reserved inodes
commit 93aef9eda1cea9e84ab2453fcceb8addad0e46f1 upstream.
If the bitmap block that manages the inode allocation status is corrupted,
nilfs_ifile_create_inode() may allocate a new inode from the reserved
inode area where it should not be allocated.
Previous fix commit d325dc6eb763 ("nilfs2: fix use-after-free bug of
struct nilfs_root"), fixed the problem that reserved inodes with inode
numbers less than NILFS_USER_INO (=11) were incorrectly reallocated due to
bitmap corruption, but since the start number of non-reserved inodes is
read from the super block and may change, in which case inode allocation
may occur from the extended reserved inode area.
If that happens, access to that inode will cause an IO error, causing the
file system to degrade to an error state.
Fix this potential issue by adding a wraparound option to the common
metadata object allocation routine and by modifying
nilfs_ifile_create_inode() to disable the option so that it only allocates
inodes with inode numbers greater than or equal to the inode number read
in "nilfs->ns_first_ino", regardless of the bitmap status of reserved
inodes.
Link: https://lkml.kernel.org/r/20240623051135.4180-4-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: Hillf Danton <hdanton@sina.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Ryusuke Konishi
|
2f2fa9cf7c |
nilfs2: add missing check for inode numbers on directory entries
commit bb76c6c274683c8570ad788f79d4b875bde0e458 upstream. Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis. Link: https://lkml.kernel.org/r/20240623051135.4180-3-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+d79afb004be235636ee8@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8 Reported-by: Jan Kara <jack@suse.cz> Closes: https://lkml.kernel.org/r/20240617075758.wewhukbrjod5fp5o@quack3 Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: Hillf Danton <hdanton@sina.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Ryusuke Konishi
|
731011ac6c |
nilfs2: fix inode number range checks
commit e2fec219a36e0993642844be0f345513507031f4 upstream. Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value. This patch (of 3): In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked. As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly. In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment. Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros. Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time. Link: https://lkml.kernel.org/r/20240623051135.4180-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240623051135.4180-2-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: Hillf Danton <hdanton@sina.com> Cc: Jan Kara <jack@suse.cz> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
2ebd481b31 |
Merge 5.10.221 into android12-5.10-lts
Changes in 5.10.221 tracing/selftests: Fix kprobe event name test for .isra. functions null_blk: Print correct max open zones limit in null_init_zoned_dev() wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() wifi: cfg80211: pmsr: use correct nla_get_uX functions wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef wifi: iwlwifi: mvm: check n_ssids before accessing the ssids wifi: iwlwifi: mvm: don't read past the mfuart notifcation wifi: mac80211: correctly parse Spatial Reuse Parameter Set element net/ncsi: add NCSI Intel OEM command to keep PHY up net/ncsi: Simplify Kconfig/dts control flow net/ncsi: Fix the multi thread manner of NCSI driver ipv6: sr: block BH in seg6_output_core() and seg6_input_core() net: sched: sch_multiq: fix possible OOB write in multiq_tune() vxlan: Fix regression when dropping packets due to invalid src addresses tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP ptp: Fix error message on failed pin verification af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). ipv6: fix possible race in __fib6_drop_pcpu_from() usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete drm/amd/display: Handle Y carry-over in VCP X.Y calculation serial: sc16is7xx: replace hardcoded divisor value with BIT() macro serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler mmc: davinci: Don't strip remove function when driver is builtin selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages selftests/mm: conform test to TAP format output selftests/mm: compaction_test: fix bogus test success on Aarch64 btrfs: fix leak of qgroup extent records after transaction abort nilfs2: Remove check for PageError nilfs2: return the mapped address from nilfs_get_page() nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages mei: me: release irq in mei_me_pci_resume error path jfs: xattr: fix buffer overflow for invalid xattr xhci: Set correct transferred length for cancelled bulk transfers xhci: Apply reset resume quirk to Etron EJ188 xHCI host xhci: Apply broken streams quirk to Etron EJ188 xHCI host scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory powerpc/uaccess: Fix build errors seen with GCC 13/14 Input: try trimming too long modalias strings SUNRPC: return proper error from gss_wrap_req_priv gpio: tqmx86: fix typo in Kconfig label HID: core: remove unnecessary WARN_ON() in implement() gpio: tqmx86: store IRQ trigger type and unmask status separately iommu/amd: Introduce pci segment structure iommu/amd: Fix sysfs leak in iommu init iommu: Return right value in iommu_sva_bind_device() HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() drm/vmwgfx: 3D disabled should not effect STDU memory limits net: sfp: Always call `sfp_sm_mod_remove()` on remove net: hns3: add cond_resched() to hns3 ring buffer init process liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet drm/komeda: check for error-valued pointer drm/bridge/panel: Fix runtime warning on panel bridge release tcp: fix race in tcp_v6_syn_recv_sock() net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters net/ipv6: Fix the RT cache flush via sysctl using a previous delay ionic: fix use after netif_napi_del() iio: adc: ad9467: fix scan type sign iio: dac: ad5592r: fix temperature channel scaling value iio: imu: inv_icm42600: delete unneeded update watermark call drivers: core: synchronize really_probe() and dev_uevent() drm/exynos/vidi: fix memory leak in .get_modes() drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found vmci: prevent speculation leaks by sanitizing event in event_deliver() fs/proc: fix softlockup in __read_vmcore ocfs2: use coarse time for new created files ocfs2: fix races between hole punching and AIO+DIO PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id dmaengine: axi-dmac: fix possible race in remove() remoteproc: k3-r5: Do not allow core1 to power up before core0 via sysfs intel_th: pci: Add Granite Rapids support intel_th: pci: Add Granite Rapids SOC support intel_th: pci: Add Sapphire Rapids SOC support intel_th: pci: Add Meteor Lake-S support intel_th: pci: Add Lunar Lake support nilfs2: fix potential kernel bug due to lack of writeback flag waiting tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device() serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level hugetlb_encode.h: fix undefined behaviour (34 << 26) mptcp: ensure snd_una is properly initialized on connect mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID mptcp: pm: update add_addr counters after connect remoteproc: k3-r5: Jump to error handling labels in start/stop errors greybus: Fix use-after-free bug in gb_interface_release due to race condition. usb-storage: alauda: Check whether the media is initialized i2c: at91: Fix the functionality flags of the slave-only interface i2c: designware: Fix the functionality flags of the slave-only interface zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING padata: Disable BH when taking works lock on MT path rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment rcutorture: Fix invalid context warning when enable srcu barrier testing block/ioctl: prefer different overflow check selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh selftests/bpf: Fix flaky test btf_map_in_map/lookup_update batman-adv: bypass empty buckets in batadv_purge_orig_ref() wifi: ath9k: work around memset overflow warning af_packet: avoid a false positive warning in packet_setsockopt() drop_monitor: replace spin_lock by raw_spin_lock scsi: qedi: Fix crash while reading debugfs attribute kselftest: arm64: Add a null pointer check netpoll: Fix race condition in netpoll_owner_active HID: Add quirk for Logitech Casa touchpad ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl drm/amd/display: Exit idle optimizations before HDCP execution ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 drm/lima: add mask irq callback to gp and pp drm/lima: mask irqs in timeout path before hard reset powerpc/pseries: Enforce hcall result buffer validity and size powerpc/io: Avoid clang null pointer arithmetic warnings power: supply: cros_usbpd: provide ID table for avoiding fallback match iommu/arm-smmu-v3: Free MSIs in case of ENOMEM f2fs: remove clear SB_INLINECRYPT flag in default_options usb: misc: uss720: check for incompatible versions of the Belkin F5U002 udf: udftime: prevent overflow in udf_disk_stamp_to_time() PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports MIPS: Octeon: Add PCIe link status check serial: exar: adding missing CTI and Exar PCI ids MIPS: Routerboard 532: Fix vendor retry check code mips: bmips: BCM6358: make sure CBR is correctly set tracing: Build event generation tests only as modules cipso: fix total option length computation netrom: Fix a memory leak in nr_heartbeat_expiry() ipv6: prevent possible NULL deref in fib6_nh_init() ipv6: prevent possible NULL dereference in rt6_probe() xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() netns: Make get_net_ns() handle zero refcount net qca_spi: Make interrupt remembering atomic net/sched: act_api: rely on rcu in tcf_idr_check_alloc net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() tipc: force a dst refcount before doing decryption net/sched: act_ct: set 'net' pointer when creating new nf_flow_table sched: act_ct: add netns into the key of tcf_ct_flow_table net: stmmac: No need to calculate speed divider when offload is disabled virtio_net: checksum offloading handling fix netfilter: ipset: Fix suspicious rcu_dereference_protected() net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings regulator: core: Fix modpost error "regulator_get_regmap" undefined dmaengine: ioat: switch from 'pci_' to 'dma_' API dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting() dmaengine: ioatdma: Fix leaking on version mismatch dmaengine: ioat: use PCI core macros for PCIe Capability dmaengine: ioatdma: Fix error path in ioat3_dma_probe() dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe() dmaengine: ioatdma: Fix missing kmem_cache_destroy() ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." RDMA/mlx5: Add check for srq max_sge attribute ALSA: hda/realtek: Limit mic boost on N14AP7 drm/radeon: fix UBSAN warning in kv_dpm.c gcov: add support for GCC 14 kcov: don't lose track of remote references during softirqs i2c: ocores: set IACK bit after core is enabled dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema drm/amd/display: revert Exit idle optimizations before HDCP execution ARM: dts: samsung: smdkv310: fix keypad no-autorepeat ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat ARM: dts: samsung: smdk4412: fix keypad no-autorepeat rtlwifi: rtl8192de: Style clean-ups wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power pmdomain: ti-sci: Fix duplicate PD referrals knfsd: LOOKUP can return an illegal error value spmi: hisi-spmi-controller: Do not override device identifier bcache: fix variable length array abuse in btree_iter tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test x86/cpu/vfm: Add new macros to work with (vendor/family/model) values x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL r8169: remove unneeded memory barrier in rtl_tx r8169: improve rtl_tx r8169: improve rtl8169_start_xmit r8169: remove nr_frags argument from rtl_tx_slots_avail r8169: remove not needed check in rtl8169_start_xmit r8169: Fix possible ring buffer corruption on fragmented Tx packets. Revert "kheaders: substituting --sort in archive creation" kheaders: explicitly define file modes for archived headers perf/core: Fix missing wakeup when waiting for context reference PCI: Add PCI_ERROR_RESPONSE and related definitions x86/amd_nb: Check for invalid SMN reads cifs: missed ref-counting smb session in find smb: client: fix deadlock in smb2_find_smb_tcon() ACPI: Add quirks for AMD Renoir/Lucienne CPUs to force the D3 hint ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1 for StorageD3Enable ACPI: x86: Add another system to quirk list for forcing StorageD3Enable ACPI: x86: utils: Add Cezanne to the list for forcing StorageD3Enable ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable ACPI: x86: Force StorageD3Enable on more products Input: ili210x - fix ili251x_read_touch_data() return value pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins pinctrl/rockchip: separate struct rockchip_pin_bank to a head file pinctrl: rockchip: use dedicated pinctrl type for RK3328 pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set drm/amdgpu: fix UBSAN warning in kv_dpm.c netfilter: nf_tables: validate family when identifying table via handle SUNRPC: Fix null pointer dereference in svc_rqst_free() SUNRPC: Fix a NULL pointer deref in trace_svc_stats_latency() SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation SUNRPC: Fix svcxdr_init_encode's buflen calculation nfsd: hold a lighter-weight client reference over CB_RECALL_ANY ASoC: fsl-asoc-card: set priv->pdev before using it net: dsa: microchip: fix initial port flush problem net: phy: micrel: add Microchip KSZ 9477 to the device table xdp: Move the rxq_info.mem clearing to unreg_mem_model() xdp: Allow registering memory model without rxq reference xdp: Remove WARN() from __xdp_reg_mem_model() sparc: fix old compat_sys_select() sparc: fix compat recv/recvfrom syscalls parisc: use correct compat recv/recvfrom syscalls netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep mtd: partitions: redboot: Added conversion of operands to a larger type bpf: Add a check for struct bpf_fib_lookup size net/iucv: Avoid explicit cpumask var allocation on stack net/dpaa2: Avoid explicit cpumask var allocation on stack ALSA: emux: improve patch ioctl data validation media: dvbdev: Initialize sbuf soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message drm/radeon/radeon_display: Decrease the size of allocated memory nvme: fixup comment for nvme RDMA Provider Type drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA gpio: davinci: Validate the obtained number of IRQs gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) x86: stop playing stack games in profile_pc() ocfs2: fix DIO failure due to insufficient transaction credits mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos mmc: sdhci: Do not invert write-protect twice mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() counter: ti-eqep: enable clock at probe iio: adc: ad7266: Fix variable checking bug iio: chemical: bme680: Fix pressure value output iio: chemical: bme680: Fix calibration data variable iio: chemical: bme680: Fix overflows in compensate() functions iio: chemical: bme680: Fix sensor data read operation net: usb: ax88179_178a: improve link status logs usb: gadget: printer: SS+ support usb: gadget: printer: fix races against disable usb: musb: da8xx: fix a resource leak in probe() usb: atm: cxacru: fix endpoint checking in cxacru_bind() serial: 8250_omap: Implementation of Errata i2310 tty: mcf: MCF54418 has 10 UARTS net: can: j1939: Initialize unused data in j1939_send_one() net: can: j1939: recover socket queue on CAN bus error during BAM transmission net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new kbuild: Install dtb files as 0644 in Makefile.dtbinst csky, hexagon: fix broken sys_sync_file_range hexagon: fix fadvise64_64 calling conventions drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes drm/i915/gt: Fix potential UAF by revoke of fence registers drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes batman-adv: Don't accept TT entries for out-of-spec VIDs ata: ahci: Clean up sysfs file on error ata: libata-core: Fix double free on error ftruncate: pass a signed offset syscalls: fix compat_sys_io_pgetevents_time64 usage mtd: spinand: macronix: Add support for serial NAND flash pwm: stm32: Refuse too small period requests nfs: Leave pages in the pagecache if readpage failed ipv6: annotate some data-races around sk->sk_prot ipv6: Fix data races around sk->sk_prot. tcp: Fix data races around icsk->icsk_af_ops. drivers: fix typo in firmware/efi/memmap.c efi: Correct comment on efi_memmap_alloc efi: memmap: Move manipulation routines into x86 arch tree efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures efi/x86: Free EFI memory map only when installing a new one. KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node arm64: dts: rockchip: Add sound-dai-cells for RK3368 xdp: xdp_mem_allocator can be NULL in trace_mem_connect(). serial: 8250_omap: Fix Errata i2310 with RX FIFO level check tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() Linux 5.10.221 Change-Id: Icac1c62fcbda5102be7ea031121f28d6fee36875 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
fedef46c69 |
This is the 5.10.219 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmZuzl4ACgkQONu9yGCS
aT7+ohAAyRkTis6xeME1FWIJthCJl8FzUq9nfN+OccK3TwCbXyZKXlZK8lVz0T5U
DvG1Tg+rR76+hIJghMIy2FEPRBA19WMq9a+Ms2ZyyggPrlgksFivO8N8YgnIxabb
EJPN7pAzO+GA+vd8YeGeK1ldq8QUISlN35s+hkur1jeBctWRcpHeOTjIej/Qytmj
ny1o7hCp179+SPygSEYEYtguACaQflhfBjOgAQ9DwWjP6vO2W9Vb16X4tiT0udHm
ExPjOwxbEMN/7m9gKrnl6WcIROSOy55FnfcYZP+NRY4jBlANUgXF1ca9hAhcIKSv
oOyeRN5S3FZAdxIHG9SFU9b6MPwJSeO5ETQyfiRGNFRkXOa2tKknNSsuACu8kSwx
SKJIpcuW1DkortwsYFbilXdl6TrK6oCcEczV5qtludcRoDznfUGejb5e81v3yYkO
no6ORvBJSBnEObY+gpexvxQp2Ae1+YkSLJaDzYWMC+JHBIgWTz2F2qJJkP6bRAUV
QduFTdTenDnL7zW3DseZGJKotU95cUoKNAwa7wfboZeygHc2+KaUOchKcqI0P9dZ
pS27RzcAJJ2uufujofyxOOhzFKw98WFurfNsMZTDBwHuqReoiRAS7pi0PeTMuqUv
GC8V1eIKgeWdI+pdTZLXylziiM41IylLjU/hxCrsykb+EwFa5NY=
=B1lK
-----END PGP SIGNATURE-----
Merge 5.10.219 into android12-5.10-lts
Changes in 5.10.219
x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
speakup: Fix sizeof() vs ARRAY_SIZE() bug
ring-buffer: Fix a race between readers and resize checks
net: smc91x: Fix m68k kernel compilation for ColdFire CPU
nilfs2: fix unexpected freezing of nilfs_segctor_sync()
nilfs2: fix potential hang in nilfs_detach_log_writer()
ALSA: core: Fix NULL module pointer assignment at card init
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
net: usb: qmi_wwan: add Telit FN920C04 compositions
drm/amd/display: Set color_mgmt_changed to true on unsuspend
ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
regulator: vqmmc-ipq4019: fix module autoloading
ASoC: rt715: add vendor clear control register
ASoC: da7219-aad: fix usage of device_get_named_child_node()
drm/amdkfd: Flush the process wq before creating a kfd_process
nvme: find numa distance only if controller has valid numa id
openpromfs: finish conversion to the new mount API
crypto: bcm - Fix pointer arithmetic
firmware: raspberrypi: Use correct device for DMA mappings
ecryptfs: Fix buffer size for tag 66 packet
nilfs2: fix out-of-range warning
parisc: add missing export of __cmpxchg_u8()
crypto: ccp - drop platform ifdef checks
crypto: x86/nh-avx2 - add missing vzeroupper
crypto: x86/sha256-avx2 - add missing vzeroupper
s390/cio: fix tracepoint subchannel type field
jffs2: prevent xattr node from overflowing the eraseblock
soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE
null_blk: Fix missing mutex_destroy() at module removal
md: fix resync softlockup when bitmap size is less than array size
wifi: ath10k: poll service ready message before failing
x86/boot: Ignore relocations in .notes sections in walk_relocs() too
qed: avoid truncating work queue length
scsi: ufs: qcom: Perform read back after writing reset bit
scsi: ufs-qcom: Fix ufs RST_n spec violation
scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US
scsi: ufs: ufs-qcom: Fix the Qcom register name for offset 0xD0
scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5
scsi: ufs: qcom: Perform read back after writing unipro mode
scsi: ufs: qcom: Perform read back after writing CGC enable
scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
scsi: ufs: core: Perform read back after disabling interrupts
scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
irqchip/alpine-msi: Fix off-by-one in allocation error path
irqchip/loongson-pch-msi: Fix off-by-one on allocation error path
ACPI: disable -Wstringop-truncation
gfs2: Fix "ignore unlock failures after withdraw"
selftests/bpf: Fix umount cgroup2 error in test_sockmap
cpufreq: Reorganize checks in cpufreq_offline()
cpufreq: Split cpufreq_offline()
cpufreq: Rearrange locking in cpufreq_remove_dev()
cpufreq: exit() callback is optional
net: export inet_lookup_reuseport and inet6_lookup_reuseport
net: remove duplicate reuseport_lookup functions
udp: Avoid call to compute_score on multiple sites
scsi: libsas: Fix the failure of adding phy with zero-address to port
scsi: hpsa: Fix allocation size for Scsi_Host private data
x86/purgatory: Switch to the position-independent small code model
wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()
wifi: ath10k: populate board data for WCN3990
tcp: avoid premature drops in tcp_add_backlog()
net: give more chances to rcu in netdev_wait_allrefs_any()
macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"
wifi: carl9170: add a proper sanity check for endpoints
wifi: ar5523: enable proper endpoint verification
sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
Revert "sh: Handle calling csum_partial with misaligned data"
selftests/binderfs: use the Makefile's rules, not Make's implicit rules
HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
scsi: bfa: Ensure the copied buf is NUL terminated
scsi: qedf: Ensure the copied buf is NUL terminated
wifi: mwl8k: initialize cmd->addr[] properly
usb: aqc111: stop lying about skb->truesize
net: usb: sr9700: stop lying about skb->truesize
m68k: Fix spinlock race in kernel thread creation
m68k: mac: Fix reboot hang on Mac IIci
net: ipv6: fix wrong start position when receive hop-by-hop fragment
eth: sungem: remove .ndo_poll_controller to avoid deadlocks
net: ethernet: cortina: Locking fixes
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
net: usb: smsc95xx: stop lying about skb->truesize
net: openvswitch: fix overwriting ct original tuple for ICMPv6
ipv6: sr: add missing seg6_local_exit
ipv6: sr: fix incorrect unregister order
ipv6: sr: fix invalid unregister error path
net/mlx5: Discard command completions in internal error
drm/amd/display: Fix potential index out of bounds in color transformation function
ASoC: soc-acpi: add helper to identify parent driver.
ASoC: Intel: Disable route checks for Skylake boards
mtd: rawnand: hynix: fixed typo
fbdev: shmobile: fix snprintf truncation
drm/meson: vclk: fix calculation of 59.94 fractional rates
drm/mediatek: Add 0 size check to mtk_drm_gem_obj
powerpc/fsl-soc: hide unused const variable
fbdev: sisfb: hide unused variables
media: ngene: Add dvb_ca_en50221_init return value check
media: radio-shark2: Avoid led_names truncations
drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference
fbdev: sh7760fb: allow modular build
media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries
drm/arm/malidp: fix a possible null pointer dereference
drm: vc4: Fix possible null pointer dereference
ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
drm/bridge: lt9611: Don't log an error when DSI host can't be found
drm/bridge: tc358775: Don't log an error when DSI host can't be found
drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
drm/mipi-dsi: use correct return type for the DSC functions
RDMA/hns: Refactor the hns_roce_buf allocation flow
RDMA/hns: Create QP with selected QPN for bank load balance
RDMA/hns: Fix incorrect symbol types
RDMA/hns: Fix return value in hns_roce_map_mr_sg
RDMA/hns: Use complete parentheses in macros
RDMA/hns: Modify the print level of CQE error
clk: qcom: mmcc-msm8998: fix venus clock issue
x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
ext4: avoid excessive credit estimate in ext4_tmpfile()
sunrpc: removed redundant procp check
ext4: simplify calculation of blkoff in ext4_mb_new_blocks_simple
ext4: fix unit mismatch in ext4_mb_new_blocks_simple
ext4: try all groups in ext4_mb_new_blocks_simple
ext4: remove unused parameter from ext4_mb_new_blocks_simple()
ext4: fix potential unnitialized variable
SUNRPC: Fix gss_free_in_token_pages()
selftests/kcmp: Make the test output consistent and clear
selftests/kcmp: remove unused open mode
RDMA/IPoIB: Fix format truncation compilation errors
net: qrtr: fix null-ptr-deref in qrtr_ns_remove
net: qrtr: ns: Fix module refcnt
netrom: fix possible dead-lock in nr_rt_ioctl()
af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
greybus: lights: check return of get_channel_from_mode
f2fs: fix to wait on page writeback in __clone_blkaddrs()
soundwire: cadence: fix invalid PDI offset
dmaengine: idma64: Add check for dma_set_max_seg_size
firmware: dmi-id: add a release callback function
serial: max3100: Lock port->lock when calling uart_handle_cts_change()
serial: max3100: Update uart_driver_registered on driver removal
serial: max3100: Fix bitwise types
greybus: arche-ctrl: move device table to its right location
serial: sc16is7xx: add proper sched.h include for sched_set_fifo()
f2fs: compress: support chksum
f2fs: add compress_mode mount option
f2fs: compress: clean up parameter of __f2fs_cluster_blocks()
f2fs: compress: remove unneeded preallocation
f2fs: introduce FI_COMPRESS_RELEASED instead of using IMMUTABLE bit
f2fs: compress: fix to relocate check condition in f2fs_{release,reserve}_compress_blocks()
f2fs: add cp_error check in f2fs_write_compressed_pages
f2fs: fix to force keeping write barrier for strict fsync mode
f2fs: do not allow partial truncation on pinned file
f2fs: fix typos in comments
f2fs: fix to relocate check condition in f2fs_fallocate()
f2fs: fix to check pinfile flag in f2fs_move_file_range()
iio: pressure: dps310: support negative temperature values
fpga: region: change FPGA indirect article to an
fpga: region: Rename dev to parent for parent device
docs: driver-api: fpga: avoid using UTF-8 chars
fpga: region: Use standard dev_release for class driver
fpga: region: add owner module and take its refcount
microblaze: Remove gcc flag for non existing early_printk.c file
microblaze: Remove early printk call from cpuinfo-static.c
usb: gadget: u_audio: Clear uac pointer when freed.
stm class: Fix a double free in stm_register_device()
ppdev: Remove usage of the deprecated ida_simple_xx() API
ppdev: Add an error check in register_device
extcon: max8997: select IRQ_DOMAIN instead of depending on it
PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3
PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3
f2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock
f2fs: fix to release node block count in error path of f2fs_new_node_page()
f2fs: compress: don't allow unaligned truncation on released compress inode
serial: sh-sci: protect invalidating RXDMA on shutdown
libsubcmd: Fix parse-options memory leak
s390/ipl: Fix incorrect initialization of len fields in nvme reipl block
s390/ipl: Fix incorrect initialization of nvme dump block
Input: ims-pcu - fix printf string overflow
Input: ioc3kbd - convert to platform remove callback returning void
Input: ioc3kbd - add device table
mmc: sdhci_am654: Add tuning algorithm for delay chain
mmc: sdhci_am654: Write ITAPDLY for DDR52 timing
mmc: sdhci_am654: Drop lookup for deprecated ti,otap-del-sel
mmc: sdhci_am654: Add OTAP/ITAP delay enable
mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock
mmc: sdhci_am654: Fix ITAPDLY for HS400 timing
Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
drm/msm/dpu: Always flush the slave INTF on the CTL
um: Fix return value in ubd_init()
um: Add winch to winch_handlers before registering winch IRQ
um: vector: fix bpfflash parameter evaluation
drm/bridge: tc358775: fix support for jeida-18 and jeida-24
media: stk1160: fix bounds checking in stk1160_copy_video()
scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()
media: flexcop-usb: clean up endpoint sanity checks
media: flexcop-usb: fix sanity check of bNumEndpoints
powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
um: Fix the -Wmissing-prototypes warning for __switch_mm
media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
media: cec: cec-api: add locking in cec_release()
media: core headers: fix kernel-doc warnings
media: cec: fix a deadlock situation
media: cec: call enable_adap on s_log_addrs
media: cec: abort if the current transmit was canceled
media: cec: correctly pass on reply results
media: cec: use call_op and check for !unregistered
media: cec-adap.c: drop activate_cnt, use state info instead
media: cec: core: avoid recursive cec_claim_log_addrs
media: cec: core: avoid confusing "transmit timed out" message
null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
regulator: bd71828: Don't overwrite runtime voltages
x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y
nfc: nci: Fix uninit-value in nci_rx_work
ASoC: tas2552: Add TX path for capturing AUDIO-OUT data
sunrpc: fix NFSACL RPC retry on soft mount
rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL
ipv6: sr: fix memleak in seg6_hmac_init_algo
params: lift param_set_uint_minmax to common code
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
openvswitch: Set the skbuff pkt_type for proper pmtud support.
arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
net: fec: avoid lock evasion when reading pps_enable
tls: fix missing memory barrier in tls_init
nfc: nci: Fix kcov check in nci_rx_work()
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
netfilter: nft_payload: restore vlan q-in-q match support
spi: Don't mark message DMA mapped when no transfer in it is
nvmet: fix ns enable/disable possible hang
net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion
dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
bpf: Fix potential integer overflow in resolve_btfids
enic: Validate length of nl attributes in enic_set_vf_port
net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
bpf: Allow delete from sockmap/sockhash only if update is allowed
net:fec: Add fec_enet_deinit()
netfilter: tproxy: bail out if IP has been disabled on the device
kconfig: fix comparison to constant symbols, 'm', 'n'
spi: stm32: Don't warn about spurious interrupts
ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
hwmon: (shtc1) Fix property misspelling
ALSA: timer: Set lower bound of start tick time
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
media: cec: core: add adap_nb_transmit_canceled() callback
SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
binder: fix max_thread type inconsistency
mmc: core: Do not force a retune before RPMB switch
io_uring: fail NOP if non-zero op flags is passed in
afs: Don't cross .backup mountpoint from backup volume
nilfs2: fix use-after-free of timer for log writer thread
vxlan: Fix regression when dropping packets due to invalid src addresses
x86/mm: Remove broken vsyscall emulation code from the page fault code
netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
media: lgdt3306a: Add a check against null-pointer-def
drm/amdgpu: add error handle to avoid out-of-bounds
ata: pata_legacy: make legacy_exit() work again
ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx
arm64: tegra: Correct Tegra132 I2C alias
arm64: dts: qcom: qcs404: fix bluetooth device address
md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING
wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU
wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE
wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path
arm64: dts: hi3798cv200: fix the size of GICR
media: mc: mark the media devnode as registered from the, start
media: mxl5xx: Move xpt structures off stack
media: v4l2-core: hold videodev_lock until dev reg, finishes
mmc: core: Add mmc_gpiod_set_cd_config() function
mmc: sdhci-acpi: Sort DMI quirks alphabetically
mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working
mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A
fbdev: savage: Handle err return when savagefb_check_var failed
KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
crypto: ecrdsa - Fix module auto-load on add_key
crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
net/ipv6: Fix route deleting failure when metric equals 0
net/9p: fix uninit-value in p9_client_rpc()
intel_th: pci: Add Meteor Lake-S CPU support
sparc64: Fix number of online CPUs
watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin
kdb: Fix buffer overflow during tab-complete
kdb: Use format-strings rather than '\0' injection in kdb_read()
kdb: Fix console handling when editing and tab-completing commands
kdb: Merge identical case statements in kdb_read()
kdb: Use format-specifiers rather than memset() for padding in kdb_read()
net: fix __dst_negative_advice() race
sparc: move struct termio to asm/termios.h
ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
s390/ap: Fix crash in AP internal function modify_bitmap()
nfs: fix undefined behavior in nfs_block_bits()
NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS
scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5
f2fs: compress: fix compression chksum
RDMA/hns: Use mutex instead of spinlock for ida allocation
RDMA/hns: Fix CQ and QP cache affinity
Linux 5.10.219
Change-Id: I0e21ff44d28df2a2802a9fb35f0959bb5ab528fc
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Ryusuke Konishi
|
0ecfe3a928 |
nilfs2: fix potential kernel bug due to lack of writeback flag waiting
commit a4ca369ca221bb7e06c725792ac107f0e48e82e7 upstream.
Destructive writes to a block device on which nilfs2 is mounted can cause
a kernel bug in the folio/page writeback start routine or writeback end
routine (__folio_start_writeback in the log below):
kernel BUG at mm/page-writeback.c:3070!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
...
RIP: 0010:__folio_start_writeback+0xbaa/0x10e0
Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff
e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>
0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00
...
Call Trace:
<TASK>
nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]
nilfs_segctor_construct+0x181/0x6b0 [nilfs2]
nilfs_segctor_thread+0x548/0x11c0 [nilfs2]
kthread+0x2f0/0x390
ret_from_fork+0x4b/0x80
ret_from_fork_asm+0x1a/0x30
</TASK>
This is because when the log writer starts a writeback for segment summary
blocks or a super root block that use the backing device's page cache, it
does not wait for the ongoing folio/page writeback, resulting in an
inconsistent writeback state.
Fix this issue by waiting for ongoing writebacks when putting
folios/pages on the backing device into writeback state.
Link: https://lkml.kernel.org/r/20240530141556.4411-1-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Ryusuke Konishi
|
c77ad608df |
nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
[ Upstream commit 7373a51e7998b508af7136530f3a997b286ce81c ]
The error handling in nilfs_empty_dir() when a directory folio/page read
fails is incorrect, as in the old ext2 implementation, and if the
folio/page cannot be read or nilfs_check_folio() fails, it will falsely
determine the directory as empty and corrupt the file system.
In addition, since nilfs_empty_dir() does not immediately return on a
failed folio/page read, but continues to loop, this can cause a long loop
with I/O if i_size of the directory's inode is also corrupted, causing the
log writer thread to wait and hang, as reported by syzbot.
Fix these issues by making nilfs_empty_dir() immediately return a false
value (0) if it fails to get a directory folio/page.
Link: https://lkml.kernel.org/r/20240604134255.7165-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+c8166c541d3971bf6c87@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c8166c541d3971bf6c87
Fixes:
|
||
Matthew Wilcox (Oracle)
|
adf1b931d5 |
nilfs2: return the mapped address from nilfs_get_page()
[ Upstream commit 09a46acb3697e50548bb265afa1d79163659dd85 ] In prepartion for switching from kmap() to kmap_local(), return the kmap address from nilfs_get_page() instead of having the caller look up page_address(). [konishi.ryusuke: fixed a missing blank line after declaration] Link: https://lkml.kernel.org/r/20231127143036.2425-7-konishi.ryusuke@gmail.com Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Matthew Wilcox (Oracle)
|
8b56df81b3 |
nilfs2: Remove check for PageError
[ Upstream commit 79ea65563ad8aaab309d61eeb4d5019dd6cf5fa0 ]
If read_mapping_page() encounters an error, it returns an errno, not a
page with PageError set, so this test is not needed.
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Ryusuke Konishi
|
67fa90d4a2 |
nilfs2: fix use-after-free of timer for log writer thread
commit f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 upstream.
Patch series "nilfs2: fix log writer related issues".
This bug fix series covers three nilfs2 log writer-related issues,
including a timer use-after-free issue and potential deadlock issue on
unmount, and a potential freeze issue in event synchronization found
during their analysis. Details are described in each commit log.
This patch (of 3):
A use-after-free issue has been reported regarding the timer sc_timer on
the nilfs_sc_info structure.
The problem is that even though it is used to wake up a sleeping log
writer thread, sc_timer is not shut down until the nilfs_sc_info structure
is about to be freed, and is used regardless of the thread's lifetime.
Fix this issue by limiting the use of sc_timer only while the log writer
thread is alive.
Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com
Fixes:
|
||
Arnd Bergmann
|
dae53e39cd |
nilfs2: fix out-of-range warning
[ Upstream commit c473bcdd80d4ab2ae79a7a509a6712818366e32a ]
clang-14 points out that v_size is always smaller than a 64KB
page size if that is configured by the CPU architecture:
fs/nilfs2/ioctl.c:63:19: error: result of comparison of constant 65536 with expression of type '__u16' (aka 'unsigned short') is always false [-Werror,-Wtautological-constant-out-of-range-compare]
if (argv->v_size > PAGE_SIZE)
~~~~~~~~~~~~ ^ ~~~~~~~~~
This is ok, so just shut up that warning with a cast.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20240328143051.1069575-7-arnd@kernel.org
Fixes:
|
||
|
Ryusuke Konishi
|
eff7cdf890 |
nilfs2: fix potential hang in nilfs_detach_log_writer()
commit eb85dace897c5986bc2f36b3c783c6abb8a4292e upstream.
Syzbot has reported a potential hang in nilfs_detach_log_writer() called
during nilfs2 unmount.
Analysis revealed that this is because nilfs_segctor_sync(), which
synchronizes with the log writer thread, can be called after
nilfs_segctor_destroy() terminates that thread, as shown in the call trace
below:
nilfs_detach_log_writer
nilfs_segctor_destroy
nilfs_segctor_kill_thread --> Shut down log writer thread
flush_work
nilfs_iput_work_func
nilfs_dispose_list
iput
nilfs_evict_inode
nilfs_transaction_commit
nilfs_construct_segment (if inode needs sync)
nilfs_segctor_sync --> Attempt to synchronize with
log writer thread
*** DEADLOCK ***
Fix this issue by changing nilfs_segctor_sync() so that the log writer
thread returns normally without synchronizing after it terminates, and by
forcing tasks that are already waiting to complete once after the thread
terminates.
The skipped inode metadata flushout will then be processed together in the
subsequent cleanup work in nilfs_segctor_destroy().
Link: https://lkml.kernel.org/r/20240520132621.4054-4-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+e3973c409251e136fdd0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e3973c409251e136fdd0
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Cc: "Bai, Shuangpeng" <sjb7183@psu.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Ryusuke Konishi
|
89e07418a6 |
nilfs2: fix unexpected freezing of nilfs_segctor_sync()
commit 936184eadd82906992ff1f5ab3aada70cce44cee upstream.
A potential and reproducible race issue has been identified where
nilfs_segctor_sync() would block even after the log writer thread writes a
checkpoint, unless there is an interrupt or other trigger to resume log
writing.
This turned out to be because, depending on the execution timing of the
log writer thread running in parallel, the log writer thread may skip
responding to nilfs_segctor_sync(), which causes a call to schedule()
waiting for completion within nilfs_segctor_sync() to lose the opportunity
to wake up.
The reason why waking up the task waiting in nilfs_segctor_sync() may be
skipped is that updating the request generation issued using a shared
sequence counter and adding an wait queue entry to the request wait queue
to the log writer, are not done atomically. There is a possibility that
log writing and request completion notification by nilfs_segctor_wakeup()
may occur between the two operations, and in that case, the wait queue
entry is not yet visible to nilfs_segctor_wakeup() and the wake-up of
nilfs_segctor_sync() will be carried over until the next request occurs.
Fix this issue by performing these two operations simultaneously within
the lock section of sc_state_lock. Also, following the memory barrier
guidelines for event waiting loops, move the call to set_current_state()
in the same location into the event waiting loop to ensure that a memory
barrier is inserted just before the event condition determination.
Link: https://lkml.kernel.org/r/20240520132621.4054-3-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Greg Kroah-Hartman
|
c15c1199d6 |
Merge 5.10.216 into android12-5.10-lts
Changes in 5.10.216
batman-adv: Avoid infinite loop trying to resize local TT
Bluetooth: Fix memory leak in hci_req_sync_complete()
media: cec: core: remove length check of Timer Status
nouveau: fix function cast warning
net: openvswitch: fix unwanted error log on timeout policy probing
u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
geneve: fix header validation in geneve[6]_xmit_skb
octeontx2-af: Fix NIX SQ mode and BP config
ipv6: fib: hide unused 'pn' variable
ipv4/route: avoid unused-but-set-variable warning
ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
Bluetooth: SCO: Fix not validating setsockopt user input
netfilter: complete validation of user input
net/mlx5: Properly link new fs rules into the tree
af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
af_unix: Fix garbage collector racing against connect()
net: ena: Fix potential sign extension issue
net: ena: Wrong missing IO completions check order
net: ena: Fix incorrect descriptor free behavior
iommu/vt-d: Allocate local memory for page request queue
mailbox: imx: fix suspend failue
btrfs: qgroup: correctly model root qgroup rsv in convert
drm/client: Fully protect modes[] with dev->mode_config.mutex
vhost: Add smp_rmb() in vhost_vq_avail_empty()
x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n
selftests: timers: Fix abs() warning in posix_timers test
x86/apic: Force native_apic_mem_read() to use the MOV instruction
irqflags: Explicitly ignore lockdep_hrtimer_exit() argument
btrfs: record delayed inode root in transaction
riscv: Enable per-task stack canaries
riscv: process: Fix kernel gp leakage
selftests/ftrace: Limit length in subsystem-enable tests
kprobes: Fix possible use-after-free issue on kprobe registration
Revert "tracing/trigger: Fix to return error if failed to alloc snapshot"
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
netfilter: nft_set_pipapo: do not free live element
tun: limit printing rate when illegal packet received by tun dev
RDMA/rxe: Fix the problem "mutex_destroy missing"
RDMA/cm: Print the old state when cm_destroy_id gets timeout
RDMA/mlx5: Fix port number for counter query in multi-port configuration
drm: nv04: Fix out of bounds access
drm/panel: visionox-rm69299: don't unregister DSI device
clk: Remove prepare_lock hold assertion in __clk_release()
clk: Mark 'all_lists' as const
clk: remove extra empty line
clk: Print an info line before disabling unused clocks
clk: Initialize struct clk_core kref earlier
clk: Get runtime PM before walking tree during disable_unused
x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ
binder: check offset alignment in binder_get_object()
thunderbolt: Avoid notify PM core about runtime PM resume
thunderbolt: Fix wake configurations after device unplug
comedi: vmk80xx: fix incomplete endpoint checking
serial/pmac_zilog: Remove flawed mitigation for rx irq flood
USB: serial: option: add Fibocom FM135-GL variants
USB: serial: option: add support for Fibocom FM650/FG650
USB: serial: option: add Lonsung U8300/U9300 product
USB: serial: option: support Quectel EM060K sub-models
USB: serial: option: add Rolling RW101-GL and RW135-GL support
USB: serial: option: add Telit FN920C04 rmnet compositions
Revert "usb: cdc-wdm: close race between read and workqueue"
usb: dwc2: host: Fix dereference issue in DDMA completion flow.
usb: Disable USB3 LPM at shutdown
mei: me: disable RPL-S on SPS and IGN firmwares
speakup: Avoid crash on very long word
fs: sysfs: Fix reference leak in sysfs_break_active_protection()
init/main.c: Fix potential static_command_line memory overflow
drm/amdgpu: validate the parameters of bo mapping operations more clearly
nouveau: fix instmem race condition around ptr stores
nilfs2: fix OOB in nilfs_set_de_type
arm64: dts: rockchip: fix alphabetical ordering RK3399 puma
arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma
arm64: dts: rockchip: Remove unsupported node from the Pinebook Pro dts
arm64: dts: mediatek: mt7622: add support for coherent DMA
arm64: dts: mediatek: mt7622: introduce nodes for Wireless Ethernet Dispatch
arm64: dts: mediatek: mt7622: fix clock controllers
arm64: dts: mediatek: mt7622: fix IR nodename
arm64: dts: mediatek: mt7622: fix ethernet controller "compatible"
arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block
arm64: dts: mediatek: mt2712: fix validation errors
ARC: [plat-hsdk]: Remove misplaced interrupt-cells property
wifi: iwlwifi: mvm: remove old PASN station when adding a new one
vxlan: drop packets from invalid src-address
mlxsw: core: Unregister EMAD trap using FORWARD action
NFC: trf7970a: disable all regulators on removal
ipv4: check for NULL idev in ip_route_use_hint()
net: usb: ax88179_178a: stop lying about skb->truesize
net: gtp: Fix Use-After-Free in gtp_dellink
ipvs: Fix checksumming on GSO of SCTP packets
net: openvswitch: Fix Use-After-Free in ovs_ct_exit
mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
mlxsw: spectrum_acl_tcam: Rate limit error message
mlxsw: spectrum_acl_tcam: Fix memory leak during rehash
mlxsw: spectrum_acl_tcam: Fix warning during rehash
mlxsw: spectrum_acl_tcam: Fix incorrect list API usage
mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work
netfilter: nf_tables: honor table dormant flag from netdev release event path
i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
i40e: Report MFS in decimal base instead of hex
iavf: Fix TC config comparison with existing adapter TC config
net: ethernet: ti: am65-cpts: Fix PTPv1 message type on TX packets
af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().
serial: core: Provide port lock wrappers
serial: mxs-auart: add spinlock around changing cts state
Revert "crypto: api - Disallow identical driver names"
net/mlx5e: Fix a race in command alloc flow
tracing: Show size of requested perf buffer
tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together
PM / devfreq: Fix buffer overflow in trans_stat_show
Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853
btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
cpu: Re-enable CPU mitigations by default for !X86 architectures
arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3
drm/amdgpu: Fix leak when GPU memory allocation fails
irqchip/gic-v3-its: Prevent double free on error
ethernet: Add helper for assigning packet type when dest address does not match device address
net: b44: set pause params only when interface is up
stackdepot: respect __GFP_NOLOCKDEP allocation flag
mtd: diskonchip: work around ubsan link failure
tcp: Clean up kernel listener's reqsk in inet_twsk_purge()
tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()
dmaengine: owl: fix register access functions
idma64: Don't try to serve interrupts when device is powered off
dma: xilinx_dpdma: Fix locking
riscv: fix VMALLOC_START definition
riscv: Fix TASK_SIZE on 64-bit NOMMU
i2c: smbus: fix NULL function pointer dereference
HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
udp: preserve the connected status if only UDP cmsg
serial: core: fix kernel-doc for uart_port_unlock_irqrestore()
riscv: Disable STACKPROTECTOR_PER_TASK if GCC_PLUGIN_RANDSTRUCT is enabled
Linux 5.10.216
Change-Id: Ia2bf3ba6ed3f36a56f71543442427eb770a2400b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
9100d24dfd |
This is the 5.10.215 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmYaZdgACgkQONu9yGCS
aT4oMxAA0pATFAq8RN5f9CmYlMg5HqHgzZ8lJv8P0/reOINhUa+F5sJb1n+x+Ch4
WQbmiFeZRzfsKZ2qKhIdNR0Lg+9JOr/DtYXdSBZ6InfSWrTAIrQ9fjl5Warkmcgg
O4WbgF5BVgU3vGFATgxLvnUZwhR1D7WK93oMDunzrT7+OqyncU3f1Uj53ZAu9030
z18UNqnTxDLYH/CMGwAeRkaZqBev9gZ1HdgQWA27SVLqWQwZq0al81Cmlo+ECVmk
5dF6V2pid4qfKGJjDDfx1NS0PVnoP68iK4By1SXyoFV9VBiSwp77nUUyDr7YsHsT
u8GpZHr9jZvSO5/xtKv20NPLejTPCRKc06CbkwpikDRtGOocBL8em0GuVqlf8hMs
KwDb6ZEzYhXZGPJHbJM+aRD1tq/KHw9X7TrldOszMQPr6lubBtscPbg1FCg3OlcC
HUrtub0i275x7TH0dJeRTD8TRE9jRmF+tl7KQytEJM3JRrquFjLyhDj+/VJnZkiB
lzj3FRf4zshzgz4+CAeqXO/8Lu8b3fGYmcW1acCmk7emjDcXUKojPj/Aig6T4l7P
oCWDY3+w1E6eiyE8BazxY1KUa/41ld0VJnlW5JWGRaDFTJwrk0h6/rvf9qImSckw
IGx24UezRyp6NS1op3Qm2iwHLr41pFRfKxNm9ppgH9iBPzOhe38=
=pkLL
-----END PGP SIGNATURE-----
Merge 5.10.215 into android12-5.10-lts
Changes in 5.10.215
amdkfd: use calloc instead of kzalloc to avoid integer overflow
Documentation/hw-vuln: Update spectre doc
x86/cpu: Support AMD Automatic IBRS
x86/bugs: Use sysfs_emit()
timers: Update kernel-doc for various functions
timers: Use del_timer_sync() even on UP
timers: Rename del_timer_sync() to timer_delete_sync()
wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
media: staging: ipu3-imgu: Set fields before media_entity_pads_init()
clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd
smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr()
smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity()
arm: dts: marvell: Fix maxium->maxim typo in brownstone dts
drm/vmwgfx: stop using ttm_bo_create v2
drm/vmwgfx: switch over to the new pin interface v2
drm/vmwgfx/vmwgfx_cmdbuf_res: Remove unused variable 'ret'
drm/vmwgfx: Fix some static checker warnings
drm/vmwgfx: Fix possible null pointer derefence with invalid contexts
serial: max310x: fix NULL pointer dereference in I2C instantiation
media: xc4000: Fix atomicity violation in xc4000_get_frequency
KVM: Always flush async #PF workqueue when vCPU is being destroyed
sparc64: NMI watchdog: fix return value of __setup handler
sparc: vDSO: fix return value of __setup handler
crypto: qat - fix double free during reset
crypto: qat - resolve race condition during AER recovery
selftests/mqueue: Set timeout to 180 seconds
ext4: correct best extent lstart adjustment logic
block: introduce zone_write_granularity limit
block: Clear zone limits for a non-zoned stacked queue
bounds: support non-power-of-two CONFIG_NR_CPUS
fat: fix uninitialized field in nostale filehandles
ubifs: Set page uptodate in the correct place
ubi: Check for too small LEB size in VTBL code
ubi: correct the calculation of fastmap size
mtd: rawnand: meson: fix scrambling mode value in command macro
parisc: Avoid clobbering the C/B bits in the PSW with tophys and tovirt macros
parisc: Fix ip_fast_csum
parisc: Fix csum_ipv6_magic on 32-bit systems
parisc: Fix csum_ipv6_magic on 64-bit systems
parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds
PM: suspend: Set mem_sleep_current during kernel command line setup
clk: qcom: gcc-ipq6018: fix terminating of frequency table arrays
clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays
clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays
clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays
powerpc/fsl: Fix mfpmr build errors with newer binutils
USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB
USB: serial: add device ID for VeriFone adapter
USB: serial: cp210x: add ID for MGP Instruments PDS100
USB: serial: option: add MeiG Smart SLM320 product
USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M
PM: sleep: wakeirq: fix wake irq warning in system suspend
mmc: tmio: avoid concurrent runs of mmc_request_done()
fuse: fix root lookup with nonzero generation
fuse: don't unhash root
usb: typec: ucsi: Clean up UCSI_CABLE_PROP macros
printk/console: Split out code that enables default console
serial: Lock console when calling into driver before registration
btrfs: fix off-by-one chunk length calculation at contains_pending_extent()
PCI: Drop pci_device_remove() test of pci_dev->driver
PCI/PM: Drain runtime-idle callbacks before driver removal
PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities()
PCI: Cache PCIe Device Capabilities register
PCI: Work around Intel I210 ROM BAR overlap defect
PCI/ASPM: Make Intel DG2 L1 acceptable latency unlimited
PCI/DPC: Quirk PIO log size for certain Intel Root Ports
PCI/DPC: Quirk PIO log size for Intel Raptor Lake Root Ports
Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d""
dm-raid: fix lockdep waring in "pers->hot_add_disk"
mac802154: fix llsec key resources release in mac802154_llsec_key_del
mm: swap: fix race between free_swap_and_cache() and swapoff()
mmc: core: Fix switch on gp3 partition
drm/etnaviv: Restore some id values
hwmon: (amc6821) add of_match table
ext4: fix corruption during on-line resize
nvmem: meson-efuse: fix function pointer type mismatch
slimbus: core: Remove usage of the deprecated ida_simple_xx() API
phy: tegra: xusb: Add API to retrieve the port number of phy
usb: gadget: tegra-xudc: Use dev_err_probe()
usb: gadget: tegra-xudc: Fix USB3 PHY retrieval logic
speakup: Fix 8bit characters from direct synth
PCI/ERR: Clear AER status only when we control AER
PCI/AER: Block runtime suspend when handling errors
nfs: fix UAF in direct writes
kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1
PCI: dwc: endpoint: Fix advertised resizable BAR size
vfio/platform: Disable virqfds on cleanup
ring-buffer: Fix waking up ring buffer readers
ring-buffer: Do not set shortest_full when full target is hit
ring-buffer: Fix resetting of shortest_full
ring-buffer: Fix full_waiters_pending in poll
soc: fsl: qbman: Always disable interrupts when taking cgr_lock
soc: fsl: qbman: Add helper for sanity checking cgr ops
soc: fsl: qbman: Add CGR update function
soc: fsl: qbman: Use raw spinlock for cgr_lock
s390/zcrypt: fix reference counting on zcrypt card objects
drm/panel: do not return negative error codes from drm_panel_get_modes()
drm/exynos: do not return negative values from .get_modes()
drm/imx/ipuv3: do not return negative values from .get_modes()
drm/vc4: hdmi: do not return negative values from .get_modes()
memtest: use {READ,WRITE}_ONCE in memory scanning
nilfs2: fix failure to detect DAT corruption in btree and direct mappings
nilfs2: prevent kernel bug at submit_bh_wbc()
cpufreq: dt: always allocate zeroed cpumask
x86/CPU/AMD: Update the Zenbleed microcode revisions
net: hns3: tracing: fix hclgevf trace event strings
wireguard: netlink: check for dangling peer via is_dead instead of empty list
wireguard: netlink: access device through ctx instead of peer
ahci: asm1064: correct count of reported ports
ahci: asm1064: asm1166: don't limit reported ports
drm/amd/display: Return the correct HDCP error code
drm/amd/display: Fix noise issue on HDMI AV mute
dm snapshot: fix lockup in dm_exception_table_exit
vxge: remove unnecessary cast in kfree()
x86/stackprotector/32: Make the canary into a regular percpu variable
x86/pm: Work around false positive kmemleak report in msr_build_context()
scripts: kernel-doc: Fix syntax error due to undeclared args variable
comedi: comedi_test: Prevent timers rescheduling during deletion
cpufreq: brcmstb-avs-cpufreq: fix up "add check for cpufreq_cpu_get's return value"
netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
netfilter: nf_tables: disallow anonymous set with timeout flag
netfilter: nf_tables: reject constant set with timeout
Drivers: hv: vmbus: Calculate ring buffer size for more efficient use of memory
xfrm: Avoid clang fortify warning in copy_to_user_tmpl()
KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()
ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform
USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command
usb: gadget: ncm: Fix handling of zero block length packets
usb: port: Don't try to peer unused USB ports based on location
tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled
mei: me: add arrow lake point S DID
mei: me: add arrow lake point H DID
vt: fix unicode buffer corruption when deleting characters
fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion
tee: optee: Fix kernel panic caused by incorrect error handling
xen/events: close evtchn after mapping cleanup
printk: Update @console_may_schedule in console_trylock_spinning()
btrfs: allocate btrfs_ioctl_defrag_range_args on stack
x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix
x86/bugs: Add asm helpers for executing VERW
x86/entry_64: Add VERW just before userspace transition
x86/entry_32: Add VERW just before userspace transition
x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key
KVM/VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH
KVM/VMX: Move VERW closer to VMentry for MDS mitigation
x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set
Documentation/hw-vuln: Add documentation for RFDS
x86/rfds: Mitigate Register File Data Sampling (RFDS)
KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests
perf/core: Fix reentry problem in perf_output_read_group()
efivarfs: Request at most 512 bytes for variable names
powerpc: xor_vmx: Add '-mhard-float' to CFLAGS
serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO
mm/memory-failure: fix an incorrect use of tail pages
mm/migrate: set swap entry values of THP tail pages properly.
init: open /initrd.image with O_LARGEFILE
wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
hexagon: vmlinux.lds.S: handle attributes section
mmc: core: Initialize mmc_blk_ioc_data
mmc: core: Avoid negative index with array access
net: ll_temac: platform_get_resource replaced by wrong function
usb: cdc-wdm: close race between read and workqueue
ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs
scsi: core: Fix unremoved procfs host directory regression
staging: vc04_services: changen strncpy() to strscpy_pad()
staging: vc04_services: fix information leak in create_component()
USB: core: Add hub_get() and hub_put() routines
usb: dwc2: host: Fix remote wakeup from hibernation
usb: dwc2: host: Fix hibernation flow
usb: dwc2: host: Fix ISOC flow in DDMA mode
usb: dwc2: gadget: LPM flow fix
usb: udc: remove warning when queue disabled ep
usb: typec: ucsi: Ack unsupported commands
usb: typec: ucsi: Clear UCSI_CCI_RESET_COMPLETE before reset
scsi: qla2xxx: Split FCE|EFT trace control
scsi: qla2xxx: Fix command flush on cable pull
scsi: qla2xxx: Delay I/O Abort on PCI error
x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled
PCI/DPC: Quirk PIO log size for Intel Ice Lake Root Ports
scsi: lpfc: Correct size for wqe for memset()
USB: core: Fix deadlock in usb_deauthorize_interface()
nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa()
tcp: properly terminate timers for kernel sockets
ACPICA: debugger: check status of acpi_evaluate_object() in acpi_db_walk_for_fields()
bpf: Protect against int overflow for stack access size
Octeontx2-af: fix pause frame configuration in GMP mode
dm integrity: fix out-of-range warning
r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d
x86/cpufeatures: Add new word for scattered features
Bluetooth: hci_event: set the conn encrypted before conn establishes
Bluetooth: Fix TOCTOU in HCI debugfs implementation
netfilter: nf_tables: disallow timeout for anonymous sets
net/rds: fix possible cp null dereference
vfio/pci: Disable auto-enable of exclusive INTx IRQ
vfio/pci: Lock external INTx masking ops
vfio: Introduce interface to flush virqfd inject workqueue
vfio/pci: Create persistent INTx handler
vfio/platform: Create persistent IRQ handlers
vfio/fsl-mc: Block calling interrupt handler without trigger
io_uring: ensure '0' is returned on file registration success
Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped."
mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations
x86/srso: Add SRSO mitigation for Hygon processors
block: add check that partition length needs to be aligned with block size
netfilter: nf_tables: reject new basechain after table flag update
netfilter: nf_tables: flush pending destroy work before exit_net release
netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
netfilter: validate user input for expected length
vboxsf: Avoid an spurious warning if load_nls_xxx() fails
bpf, sockmap: Prevent lock inversion deadlock in map delete elem
net/sched: act_skbmod: prevent kernel-infoleak
net: stmmac: fix rx queue priority assignment
erspan: make sure erspan_base_hdr is present in skb->head
selftests: reuseaddr_conflict: add missing new line at the end of the output
ipv6: Fix infinite recursion in fib6_dump_done().
udp: do not transition UDP GRO fraglist partial checksums to unnecessary
octeontx2-pf: check negative error code in otx2_open()
i40e: fix i40e_count_filters() to count only active/new filters
i40e: fix vf may be used uninitialized in this function warning
scsi: qla2xxx: Update manufacturer details
scsi: qla2xxx: Update manufacturer detail
Revert "usb: phy: generic: Get the vbus supply"
udp: do not accept non-tunnel GSO skbs landing in a tunnel
net: ravb: Always process TX descriptor ring
arm64: dts: qcom: sc7180: Remove clock for bluetooth on Trogdor
arm64: dts: qcom: sc7180-trogdor: mark bluetooth address as broken
ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw
ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit
scsi: mylex: Fix sysfs buffer lengths
ata: sata_mv: Fix PCI device ID table declaration compilation warning
ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone
driver core: Introduce device_link_wait_removal()
of: dynamic: Synchronize of_changeset_destroy() with the devlink removals
x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()
s390/entry: align system call table on 8 bytes
riscv: Fix spurious errors from __get/put_kernel_nofault
x86/bugs: Fix the SRSO mitigation on Zen3/4
x86/retpoline: Do the necessary fixup to the Zen3/4 srso return thunk for !SRSO
mptcp: don't account accept() of non-MPC client as fallback to TCP
x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word
objtool: Add asm version of STACK_FRAME_NON_STANDARD
wifi: ath9k: fix LNA selection in ath_ant_try_scan()
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
panic: Flush kernel log buffer at the end
arm64: dts: rockchip: fix rk3328 hdmi ports node
arm64: dts: rockchip: fix rk3399 hdmi ports node
ionic: set adminq irq affinity
pstore/zone: Add a null pointer check to the psz_kmsg_read
tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()
btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()
btrfs: export: handle invalid inode or root reference in btrfs_get_parent()
btrfs: send: handle path ref underflow in header iterate_inode_ref()
net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()
Bluetooth: btintel: Fix null ptr deref in btintel_read_version
Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails
pinctrl: renesas: checker: Limit cfg reg enum checks to provided IDs
sysv: don't call sb_bread() with pointers_lock held
scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
isofs: handle CDs with bad root inode but good Joliet root directory
media: sta2x11: fix irq handler cast
ext4: add a hint for block bitmap corrupt state in mb_groups
ext4: forbid commit inconsistent quota data when errors=remount-ro
drm/amd/display: Fix nanosec stat overflow
SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int
Revert "ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default"
libperf evlist: Avoid out-of-bounds access
block: prevent division by zero in blk_rq_stat_sum()
RDMA/cm: add timeout to cm_destroy_id wait
Input: allocate keycode for Display refresh rate toggle
platform/x86: touchscreen_dmi: Add an extra entry for a variant of the Chuwi Vi8 tablet
ktest: force $buildonly = 1 for 'make_warnings_file' test type
ring-buffer: use READ_ONCE() to read cpu_buffer->commit_page in concurrent environment
tools: iio: replace seekdir() in iio_generic_buffer
usb: typec: tcpci: add generic tcpci fallback compatible
usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined
fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2
drivers/nvme: Add quirks for device 126f:2262
fbmon: prevent division by zero in fb_videomode_from_videomode()
netfilter: nf_tables: release batch on table validation from abort path
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
netfilter: nf_tables: discard table flag update with pending basechain deletion
tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
virtio: reenable config if freezing device failed
x86/mm/pat: fix VM_PAT handling in COW mappings
drm/i915/gt: Reset queue_priority_hint on parking
Bluetooth: btintel: Fixe build regression
VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
kbuild: dummy-tools: adjust to stricter stackprotector check
scsi: sd: Fix wrong zone_write_granularity value during revalidate
x86/retpoline: Add NOENDBR annotation to the SRSO dummy return thunk
x86/head/64: Re-enable stack protection
Linux 5.10.215
Change-Id: I45a0a9c4a0683ff5ef97315690f1f884f666e1b5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Jeongjun Park
|
7061c7efbb |
nilfs2: fix OOB in nilfs_set_de_type
commit c4a7dc9523b59b3e73fd522c73e95e072f876b16 upstream.
The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is
defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function,
which uses this array, specifies the index to read from the array in the
same way as "(mode & S_IFMT) >> S_SHIFT".
static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode
*inode)
{
umode_t mode = inode->i_mode;
de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob
}
However, when the index is determined this way, an out-of-bounds (OOB)
error occurs by referring to an index that is 1 larger than the array size
when the condition "mode & S_IFMT == S_IFMT" is satisfied. Therefore, a
patch to resize the nilfs_type_by_mode array should be applied to prevent
OOB errors.
Link: https://lkml.kernel.org/r/20240415182048.7144-1-konishi.ryusuke@gmail.com
Reported-by: syzbot+2e22057de05b9f3b30d8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2e22057de05b9f3b30d8
Fixes:
|
||
|
Ryusuke Konishi
|
f0fe7ad5af |
nilfs2: prevent kernel bug at submit_bh_wbc()
[ Upstream commit 269cdf353b5bdd15f1a079671b0f889113865f20 ]
Fix a bug where nilfs_get_block() returns a successful status when
searching and inserting the specified block both fail inconsistently. If
this inconsistent behavior is not due to a previously fixed bug, then an
unexpected race is occurring, so return a temporary error -EAGAIN instead.
This prevents callers such as __block_write_begin_int() from requesting a
read into a buffer that is not mapped, which would cause the BUG_ON check
for the BH_Mapped flag in submit_bh_wbc() to fail.
Link: https://lkml.kernel.org/r/20240313105827.5296-3-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Ryusuke Konishi
|
c3b5c5c31e |
nilfs2: fix failure to detect DAT corruption in btree and direct mappings
[ Upstream commit f2f26b4a84a0ef41791bd2d70861c8eac748f4ba ]
Patch series "nilfs2: fix kernel bug at submit_bh_wbc()".
This resolves a kernel BUG reported by syzbot. Since there are two
flaws involved, I've made each one a separate patch.
The first patch alone resolves the syzbot-reported bug, but I think
both fixes should be sent to stable, so I've tagged them as such.
This patch (of 2):
Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data
to a nilfs2 file system whose metadata is corrupted.
There are two flaws involved in this issue.
The first flaw is that when nilfs_get_block() locates a data block using
btree or direct mapping, if the disk address translation routine
nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata
corruption, it can be passed back to nilfs_get_block(). This causes
nilfs_get_block() to misidentify an existing block as non-existent,
causing both data block lookup and insertion to fail inconsistently.
The second flaw is that nilfs_get_block() returns a successful status in
this inconsistent state. This causes the caller __block_write_begin_int()
or others to request a read even though the buffer is not mapped,
resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()
failing.
This fixes the first issue by changing the return value to code -EINVAL
when a conversion using DAT fails with code -ENOENT, avoiding the
conflicting condition that leads to the kernel bug described above. Here,
code -EINVAL indicates that metadata corruption was detected during the
block lookup, which will be properly handled as a file system error and
converted to -EIO when passing through the nilfs2 bmap layer.
Link: https://lkml.kernel.org/r/20240313105827.5296-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20240313105827.5296-2-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Greg Kroah-Hartman
|
66e91da883 |
This is the 5.10.210 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmXYTLkACgkQONu9yGCS
aT4+fhAAqqR/Cvx53ZKMQ8GZTCudAZnr/Dz6kWYwxhhhIbQjDpCaf9mgsrEDaQS2
ancSZjzYaOUIXq/IsthXxQIUhiZbuM3iuSEi7+odWgSYdkFyzuUt8MWLBGSaB5Er
ojn+APtq7vPXTSnp7uMwqMC3/BHCKkeYIjRVevhhHBKG5d3lzkV1xU8NcvMkLaly
CIRxpWXD3w2b7K0GEbb/zN1GQEHDCQcxjuaJoe/5FKGJkqd3T31eyiJTRumCCMcz
j8vkGkYmcMJpWf04iLgVA1p13I5/HGrXdEBI/GutN8IABIC3Cp42jW8phHYKW5ZM
a4R25LZG5buND1Ubpq+EDrYn3EaPek5XRki0w8ZAXfNa3rYc+N6mQjkzNSOzhJ/5
VNsn3EAE1Dwtar5Z3ASe9ugDbh+0bgx85PbfaADK88V+qWb3DVr1TBWmDNu2vfVP
rv4I0EKu9r3vOE8aNMEBuhAVkIK3mEQUxwab6RKNrMby/5Uwa+ugrrUtQd8V+T1S
j6r6v7u7aZ8mhYO7d6WSvAKL85lCWGbs3WRIKCJZmDRyqWrWW9tVWRN9wrZ2QnRr
iaCQKk8P474P7/j1zwnmih8l4wS1oszveNziWwd0fi1Nn/WQYM+JKYQvpuQijmQ+
J9jLyWo7a59zffIE6mzJdNwFy9hlw9X+VnJmExk/Q88Z7Bt5wPQ=
=laYd
-----END PGP SIGNATURE-----
Merge 5.10.210 into android12-5.10-lts
Changes in 5.10.210
usb: cdns3: Fixes for sparse warnings
usb: cdns3: fix uvc failure work since sg support enabled
usb: cdns3: fix incorrect calculation of ep_buf_size when more than one config
usb: cdns3: fix iso transfer error when mult is not zero
usb: cdns3: Fix uvc fail when DMA cross 4k boundery since sg enabled
PCI: mediatek: Clear interrupt status before dispatching handler
units: change from 'L' to 'UL'
units: add the HZ macros
serial: sc16is7xx: set safe default SPI clock frequency
spi: introduce SPI_MODE_X_MASK macro
serial: sc16is7xx: add check for unsupported SPI modes during probe
iio: adc: ad7091r: Set alert bit in config register
iio: adc: ad7091r: Allow users to configure device events
iio: adc: ad7091r: Enable internal vref if external vref is not supplied
dmaengine: fix NULL pointer in channel unregistration function
iio:adc:ad7091r: Move exports into IIO_AD7091R namespace.
ext4: allow for the last group to be marked as trimmed
crypto: api - Disallow identical driver names
PM: hibernate: Enforce ordering during image compression/decompression
hwrng: core - Fix page fault dead lock on mmap-ed hwrng
crypto: s390/aes - Fix buffer overread in CTR mode
rpmsg: virtio: Free driver_override when rpmsg_remove()
bus: mhi: host: Drop chan lock before queuing buffers
parisc/firmware: Fix F-extend for PDC addresses
async: Split async_schedule_node_domain()
async: Introduce async_schedule_dev_nocall()
arm64: dts: qcom: sdm845: fix USB wakeup interrupt types
arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts
lsm: new security_file_ioctl_compat() hook
scripts/get_abi: fix source path leak
mmc: core: Use mrq.sbc in close-ended ffu
mmc: mmc_spi: remove custom DMA mapped buffers
rtc: Adjust failure return code for cmos_set_alarm()
nouveau/vmm: don't set addr on the fail path to avoid warning
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
rename(): fix the locking of subdirectories
block: Remove special-casing of compound pages
stddef: Introduce DECLARE_FLEX_ARRAY() helper
smb3: Replace smb2pdu 1-element arrays with flex-arrays
mm: vmalloc: introduce array allocation functions
KVM: use __vcalloc for very large allocations
net/smc: fix illegal rmb_desc access in SMC-D connection dump
tcp: make sure init the accept_queue's spinlocks once
bnxt_en: Wait for FLR to complete during probe
vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING
llc: make llc_ui_sendmsg() more robust against bonding changes
llc: Drop support for ETH_P_TR_802_2.
net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
tracing: Ensure visibility when inserting an element into tracing_map
afs: Hide silly-rename files from userspace
tcp: Add memory barrier to tcp_push()
netlink: fix potential sleeping issue in mqueue_flush_file
ipv6: init the accept_queue's spinlocks in inet6_create
net/mlx5: DR, Use the right GVMI number for drop action
net/mlx5e: fix a double-free in arfs_create_groups
netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
netfilter: nf_tables: validate NFPROTO_* family
net: mvpp2: clear BM pool before initialization
selftests: netdevsim: fix the udp_tunnel_nic test
fjes: fix memleaks in fjes_hw_setup
net: fec: fix the unhandled context fault from smmu
btrfs: ref-verify: free ref cache before clearing mount opt
btrfs: tree-checker: fix inline ref size in error messages
btrfs: don't warn if discard range is not aligned to sector
btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args
btrfs: don't abort filesystem when attempting to snapshot deleted subvolume
rbd: don't move requests to the running list on errors
exec: Fix error handling in begin_new_exec()
wifi: iwlwifi: fix a memory corruption
netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
netfilter: nf_tables: reject QUEUE/DROP verdict parameters
gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04
drm: Don't unref the same fb many times by mistake due to deadlock handling
drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking
drm/tidss: Fix atomic_flush check
drm/bridge: nxp-ptn3460: simplify some error checking
PM: sleep: Use dev_printk() when possible
PM: sleep: Avoid calling put_device() under dpm_list_mtx
PM: core: Remove unnecessary (void *) conversions
PM: sleep: Fix possible deadlocks in core system-wide PM code
fs/pipe: move check to pipe_has_watch_queue()
pipe: wakeup wr_wait after setting max_usage
ARM: dts: samsung: exynos4210-i9100: Unconditionally enable LDO12
arm64: dts: qcom: sc7180: Use pdc interrupts for USB instead of GIC interrupts
arm64: dts: qcom: sc7180: fix USB wakeup interrupt types
media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run
mm: use __pfn_to_section() instead of open coding it
mm/sparsemem: fix race in accessing memory_section->usage
btrfs: remove err variable from btrfs_delete_subvolume
btrfs: avoid copying BTRFS_ROOT_SUBVOL_DEAD flag to snapshot of subvolume being deleted
drm: panel-simple: add missing bus flags for Tianma tm070jvhg[30/33]
drm/exynos: fix accidental on-stack copy of exynos_drm_plane
drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume
gpio: eic-sprd: Clear interrupt after set the interrupt type
spi: bcm-qspi: fix SFDP BFPT read by usig mspi read
mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan
tick/sched: Preserve number of idle sleeps across CPU hotplug events
x86/entry/ia32: Ensure s32 is sign extended to s64
powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
drivers/perf: pmuv3: don't expose SW_INCR event in sysfs
powerpc: Fix build error due to is_valid_bugaddr()
powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()
x86/boot: Ignore NMIs during very early boot
powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE
powerpc/lib: Validate size for vector operations
x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel
perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file
debugobjects: Stop accessing objects after releasing hash bucket lock
regulator: core: Only increment use_count when enable_count changes
audit: Send netlink ACK before setting connection in auditd_set
ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop
PNP: ACPI: fix fortify warning
ACPI: extlog: fix NULL pointer dereference check
PM / devfreq: Synchronize devfreq_monitor_[start/stop]
ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on synchronous events
FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
UBSAN: array-index-out-of-bounds in dtSplitRoot
jfs: fix slab-out-of-bounds Read in dtSearch
jfs: fix array-index-out-of-bounds in dbAdjTree
jfs: fix uaf in jfs_evict_inode
pstore/ram: Fix crash when setting number of cpus to an odd number
crypto: stm32/crc32 - fix parsing list of devices
afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu()
afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()
rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()
jfs: fix array-index-out-of-bounds in diNewExt
s390/ptrace: handle setting of fpc register correctly
KVM: s390: fix setting of fpc register
SUNRPC: Fix a suspicious RCU usage warning
ecryptfs: Reject casefold directory inodes
ext4: fix inconsistent between segment fstrim and full fstrim
ext4: unify the type of flexbg_size to unsigned int
ext4: remove unnecessary check from alloc_flex_gd()
ext4: avoid online resizing failures due to oversized flex bg
wifi: rt2x00: restart beacon queue when hardware reset
selftests/bpf: satisfy compiler by having explicit return in btf test
selftests/bpf: Fix pyperf180 compilation failure with clang18
scsi: lpfc: Fix possible file string name overflow when updating firmware
PCI: Add no PM reset quirk for NVIDIA Spectrum devices
bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk
scsi: arcmsr: Support new PCI device IDs 1883 and 1886
ARM: dts: imx7d: Fix coresight funnel ports
ARM: dts: imx7s: Fix lcdif compatible
ARM: dts: imx7s: Fix nand-controller #size-cells
wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
bpf: Add map and need_defer parameters to .map_fd_put_ptr()
scsi: libfc: Don't schedule abort twice
scsi: libfc: Fix up timeout error in fc_fcp_rec_error()
bpf: Set uattr->batch.count as zero before batched update or deletion
ARM: dts: rockchip: fix rk3036 hdmi ports node
ARM: dts: imx25/27-eukrea: Fix RTC node name
ARM: dts: imx: Use flash@0,0 pattern
ARM: dts: imx27: Fix sram node
ARM: dts: imx1: Fix sram node
ionic: pass opcode to devcmd_wait
block/rnbd-srv: Check for unlikely string overflow
ARM: dts: imx25: Fix the iim compatible string
ARM: dts: imx25/27: Pass timing0
ARM: dts: imx27-apf27dev: Fix LED name
ARM: dts: imx23-sansa: Use preferred i2c-gpios properties
ARM: dts: imx23/28: Fix the DMA controller node name
net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path
block: prevent an integer overflow in bvec_try_merge_hw_page
md: Whenassemble the array, consult the superblock of the freshest device
arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property
arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property
wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
wifi: cfg80211: free beacon_ies when overridden from hidden BSS
Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for QCA2066
Bluetooth: L2CAP: Fix possible multiple reject send
i40e: Fix VF disable behavior to block all traffic
f2fs: fix to check return value of f2fs_reserve_new_block()
ALSA: hda: Refer to correct stream index at loops
ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument
fast_dput(): handle underflows gracefully
RDMA/IPoIB: Fix error code return in ipoib_mcast_join
drm/amd/display: Fix tiled display misalignment
f2fs: fix write pointers on zoned device after roll forward
drm/drm_file: fix use of uninitialized variable
drm/framebuffer: Fix use of uninitialized variable
drm/mipi-dsi: Fix detach call without attach
media: stk1160: Fixed high volume of stk1160_dbg messages
media: rockchip: rga: fix swizzling for RGB formats
PCI: add INTEL_HDA_ARL to pci_ids.h
ALSA: hda: Intel: add HDA_ARL PCI ID support
ALSA: hda: intel-dspcfg: add filters for ARL-S and ARL
drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time
IB/ipoib: Fix mcast list locking
media: ddbridge: fix an error code problem in ddb_probe
drm/msm/dpu: Ratelimit framedone timeout msgs
clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()
clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()
watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786
drm/amdgpu: Let KFD sync with VM fences
drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'
leds: trigger: panic: Don't register panic notifier if creating the trigger failed
um: Fix naming clash between UML and scheduler
um: Don't use vfprintf() for os_info()
um: net: Fix return type of uml_net_start_xmit()
i3c: master: cdns: Update maximum prescaler value for i2c clock
xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import
mfd: ti_am335x_tscadc: Fix TI SoC dependencies
PCI: Only override AMD USB controller if required
PCI: switchtec: Fix stdev_release() crash after surprise hot remove
usb: hub: Replace hardcoded quirk value with BIT() macro
tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE
fs/kernfs/dir: obey S_ISGID
PCI/AER: Decode Requester ID when no error info found
libsubcmd: Fix memory leak in uniq()
virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings
blk-mq: fix IO hang from sbitmap wakeup race
ceph: fix deadlock or deadcode of misusing dget()
drm/amd/powerplay: Fix kzalloc parameter 'ATOM_Tonga_PPM_Table' in 'get_platform_power_management_table()'
drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()'
perf: Fix the nr_addr_filters fix
wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update
drm: using mul_u32_u32() requires linux/math64.h
scsi: isci: Fix an error code problem in isci_io_request_build()
scsi: core: Introduce enum scsi_disposition
scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler
ip6_tunnel: use dev_sw_netstats_rx_add()
ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
net-zerocopy: Refactor frag-is-remappable test.
tcp: add sanity checks to rx zerocopy
ixgbe: Remove non-inclusive language
ixgbe: Refactor returning internal error codes
ixgbe: Refactor overtemp event handling
ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()
ipv6: Ensure natural alignment of const ipv6 loopback and router addresses
llc: call sock_orphan() at release time
netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
net: ipv4: fix a memleak in ip_setup_cork
af_unix: fix lockdep positive in sk_diag_dump_icons()
net: sysfs: Fix /sys/class/net/<iface> path
HID: apple: Add support for the 2021 Magic Keyboard
HID: apple: Add 2021 magic keyboard FN key mapping
bonding: remove print in bond_verify_device_path
uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++
PM: sleep: Fix error handling in dpm_prepare()
dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools
dmaengine: ti: k3-udma: Report short packet errors
dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA
dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA
phy: renesas: rcar-gen3-usb2: Fix returning wrong error code
dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV
phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case
net: stmmac: xgmac: fix handling of DPP safety error for DMA channels
selftests: net: avoid just another constant wait
tunnels: fix out of bounds access when building IPv6 PMTU error
atm: idt77252: fix a memleak in open_card_ubr0
hwmon: (aspeed-pwm-tacho) mutex for tach reading
hwmon: (coretemp) Fix out-of-bounds memory access
hwmon: (coretemp) Fix bogus core_id to attr name mapping
inet: read sk->sk_family once in inet_recv_error()
rxrpc: Fix response to PING RESPONSE ACKs to a dead call
tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()
ppp_async: limit MRU to 64K
netfilter: nft_compat: reject unused compat flag
netfilter: nft_compat: restrict match/target protocol to u16
netfilter: nft_ct: reject direction for ct id
netfilter: nft_set_pipapo: store index in scratch maps
netfilter: nft_set_pipapo: add helper to release pcpu scratch area
netfilter: nft_set_pipapo: remove scratch_aligned pointer
scsi: core: Move scsi_host_busy() out of host lock if it is for per-command
blk-iocost: Fix an UBSAN shift-out-of-bounds warning
net/af_iucv: clean up a try_then_request_module()
USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e
USB: serial: option: add Fibocom FM101-GL variant
USB: serial: cp210x: add ID for IMST iM871A-USB
usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK
hrtimer: Report offline hrtimer enqueue
Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU
Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
vhost: use kzalloc() instead of kmalloc() followed by memset()
clocksource: Skip watchdog check for large watchdog intervals
net: stmmac: xgmac: use #define for string constants
net: stmmac: xgmac: fix a typo of register name in DPP safety handling
netfilter: nft_set_rbtree: skip end interval element from gc
btrfs: forbid creating subvol qgroups
btrfs: do not ASSERT() if the newly created subvolume already got read
btrfs: forbid deleting live subvol qgroup
btrfs: send: return EOPNOTSUPP on unknown flags
of: unittest: Fix compile in the non-dynamic case
net: openvswitch: limit the number of recursions from action sets
spi: ppc4xx: Drop write-only variable
ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
net: sysfs: Fix /sys/class/net/<iface> path for statistics
MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler
i40e: Fix waiting for queues of all VSIs to be disabled
tracing/trigger: Fix to return error if failed to alloc snapshot
mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
ALSA: hda/realtek: Fix the external mic not being recognised for Acer Swift 1 SF114-32
ALSA: hda/realtek: Enable Mute LED on HP Laptop 14-fq0xxx
HID: wacom: generic: Avoid reporting a serial of '0' to userspace
HID: wacom: Do not register input devices until after hid_hw_start
usb: ucsi_acpi: Fix command completion handling
USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT
usb: f_mass_storage: forbid async queue when shutdown happen
media: ir_toy: fix a memleak in irtoy_tx
powerpc/kasan: Fix addr error caused by page alignment
i2c: i801: Remove i801_set_block_buffer_mode
i2c: i801: Fix block process call transactions
modpost: trim leading spaces when processing source files list
scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock"
lsm: fix the logic in security_inode_getsecctx()
firewire: core: correct documentation of fw_csr_string() kernel API
kbuild: Fix changing ELF file type for output of gen_btf for big endian
nfc: nci: free rx_data_reassembly skb on NCI device cleanup
net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()
xen-netback: properly sync TX responses
ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL
binder: signal epoll threads of self-work
misc: fastrpc: Mark all sessions as invalid in cb_remove
ext4: fix double-free of blocks due to wrong extents moved_len
tracing: Fix wasted memory in saved_cmdlines logic
staging: iio: ad5933: fix type mismatch regression
iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC
iio: accel: bma400: Fix a compilation problem
media: rc: bpf attach/detach requires write permission
hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove
ring-buffer: Clean ring_buffer_poll_wait() error return
serial: max310x: set default value when reading clock ready bit
serial: max310x: improve crystal stable clock detection
x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
mmc: slot-gpio: Allow non-sleeping GPIO ro
ALSA: hda/conexant: Add quirk for SWS JS201D
nilfs2: fix data corruption in dsync block recovery for small block sizes
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked
nfp: use correct macro for LengthSelect in BAR config
nfp: flower: prevent re-adding mac index for bonded port
wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
irqchip/irq-brcmstb-l2: Add write memory barrier before exit
irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update
s390/qeth: Fix potential loss of L3-IP@ in case of network issues
ceph: prevent use-after-free in encode_cap_msg()
of: property: fix typo in io-channels
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
pmdomain: core: Move the unused cleanup to a _sync initcall
tracing: Inform kmemleak of saved_cmdlines allocation
Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
bus: moxtet: Add spi device table
PCI: dwc: endpoint: Fix dw_pcie_ep_raise_msix_irq() alignment support
mips: Fix max_mapnr being uninitialized on early stages
crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init
serial: Add rs485_supported to uart_port
serial: 8250_exar: Fill in rs485_supported
serial: 8250_exar: Set missing rs485_supported flag
scripts/decode_stacktrace.sh: silence stderr messages from addr2line/nm
scripts/decode_stacktrace.sh: support old bash version
scripts: decode_stacktrace: demangle Rust symbols
scripts/decode_stacktrace.sh: optionally use LLVM utilities
netfilter: ipset: fix performance regression in swap operation
netfilter: ipset: Missing gc cancellations fixed
hrtimer: Ignore slack time for RT tasks in schedule_hrtimeout_range()
Revert "arm64: Stash shadow stack pointer in the task struct on interrupt"
net: prevent mss overflow in skb_segment()
sched/membarrier: reduce the ability to hammer on sys_membarrier
nilfs2: fix potential bug in end_buffer_async_write
nilfs2: replace WARN_ONs for invalid DAT metadata block requests
dm: limit the number of targets and parameter size area
PM: runtime: add devm_pm_runtime_enable helper
PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend()
drm/msm/dsi: Enable runtime PM
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
net: bcmgenet: Fix EEE implementation
PCI: dwc: Fix a 64bit bug in dw_pcie_ep_raise_msix_irq()
Linux 5.10.210
Change-Id: I5e7327f58dd6abd26ac2b1e328a81c1010d1147c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Ryusuke Konishi
|
c90746c03b |
nilfs2: replace WARN_ONs for invalid DAT metadata block requests
commit 5124a0a549857c4b87173280e192eea24dea72ad upstream. If DAT metadata file block access fails due to corruption of the DAT file or abnormal virtual block numbers held by b-trees or inodes, a kernel warning is generated. This replaces the WARN_ONs by error output, so that a kernel, booted with panic_on_warn, does not panic. This patch also replaces the detected return code -ENOENT with another internal code -EINVAL to notify the bmap layer of metadata corruption. When the bmap layer sees -EINVAL, it handles the abnormal situation with nilfs_bmap_convert_error() and finally returns code -EIO as it should. Link: https://lkml.kernel.org/r/0000000000005cc3d205ea23ddcf@google.com Link: https://lkml.kernel.org/r/20230126164114.6911-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: <syzbot+5d5d25f90f195a3cfcb4@syzkaller.appspotmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Ryusuke Konishi
|
f3e4963566 |
nilfs2: fix potential bug in end_buffer_async_write
commit 5bc09b397cbf1221f8a8aacb1152650c9195b02b upstream. According to a syzbot report, end_buffer_async_write(), which handles the completion of block device writes, may detect abnormal condition of the buffer async_write flag and cause a BUG_ON failure when using nilfs2. Nilfs2 itself does not use end_buffer_async_write(). But, the async_write flag is now used as a marker by commit |
||
|
Ryusuke Konishi
|
98a4026b22 |
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
commit 38296afe3c6ee07319e01bb249aa4bb47c07b534 upstream.
Syzbot reported a hang issue in migrate_pages_batch() called by mbind()
and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.
While migrate_pages_batch() locks a folio and waits for the writeback to
complete, the log writer thread that should bring the writeback to
completion picks up the folio being written back in
nilfs_lookup_dirty_data_buffers() that it calls for subsequent log
creation and was trying to lock the folio. Thus causing a deadlock.
In the first place, it is unexpected that folios/pages in the middle of
writeback will be updated and become dirty. Nilfs2 adds a checksum to
verify the validity of the log being written and uses it for recovery at
mount, so data changes during writeback are suppressed. Since this is
broken, an unclean shutdown could potentially cause recovery to fail.
Investigation revealed that the root cause is that the wait for writeback
completion in nilfs_page_mkwrite() is conditional, and if the backing
device does not require stable writes, data may be modified without
waiting.
Fix these issues by making nilfs_page_mkwrite() wait for writeback to
finish regardless of the stable write requirement of the backing device.
Link: https://lkml.kernel.org/r/20240131145657.4209-1-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Ryusuke Konishi
|
364a66be2a |
nilfs2: fix data corruption in dsync block recovery for small block sizes
commit 67b8bcbaed4777871bb0dcc888fb02a614a98ab1 upstream. The helper function nilfs_recovery_copy_block() of nilfs_recovery_dsync_blocks(), which recovers data from logs created by data sync writes during a mount after an unclean shutdown, incorrectly calculates the on-page offset when copying repair data to the file's page cache. In environments where the block size is smaller than the page size, this flaw can cause data corruption and leak uninitialized memory bytes during the recovery process. Fix these issues by correcting this byte offset calculation on the page. Link: https://lkml.kernel.org/r/20240124121936.10575-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
001d2105f6 |
This is the 5.10.204 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmV56W4ACgkQONu9yGCS aT7epxAAz6RM0Id+xXS3pb8CcyYncjrWlVRwLJn2zdJit1oWBHePonCQURaOiwMA 2IvUUjqeTL/lr1h8L2gRled7EVDMrSv0z4IBDOl4BdF2Z0TfwLhRKiT04RmyHQrG k08SnS51IFsKmsUYUMf/SYBu1uvK5rXggjLjXvLsObRQJUOZbQwMdKIXge4+N1js zvoU5DNF+FhWoCQO7uExG7rFv9Hv5ftdCQz5u3Aon0+B7wJMFzDie38TCkPMzptU ydKILRFAlf3096OcHtS6JBEsPetViOoytyv2pgFzaWMfHJnbnI4d8kRoI9r1GZwA 6S9Yfli0ZKPur/1FVsMsYs8PHABiBwKw2tRmT15oOtE3+xg08F408jcUccL+vi/v qXOqhX6wpesw6+MTgOXTjJhSxRHBzKMey1iSBWB5E8g7wuB6DRm0KDl5FaUHbdTf GLXFtgpHZdbCPKyolcTTESjxnNBzc+wUY8YTekEdmppy4uWS7B9Vml44nP1ej0+Z P1Q2iNMkABYjoRW3hVXgSdfoHX/dJSu/+tmeNba1Ay8Tj0PWVqRZ99cagG+F53Sg iCNJhrfwK+uznwo9/4bcKXZXTKhUROtzoxcPNdRONyCiqlFSq1WtkjADzVBV75od 9EbLTJqh5GtfBoA4W6rzyt9tjNevZHHChOsT4e8uEnnCFZJeK7Q= =qOMN -----END PGP SIGNATURE----- Merge 5.10.204 into android12-5.10-lts Changes in 5.10.204 hrtimers: Push pending hrtimers away from outgoing CPU earlier i2c: designware: Fix corrupted memory seen in the ISR netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test tg3: Move the [rt]x_dropped counters to tg3_napi tg3: Increment tx_dropped in tg3_tso_bug() kconfig: fix memory leak from range properties drm/amdgpu: correct chunk_ptr to a pointer to chunk. platform/x86: asus-wmi: Add support for SW_TABLET_MODE on UX360 platform/x86: asus-nb-wmi: Allow configuring SW_TABLET_MODE method with a module option platform/x86: asus-nb-wmi: Add tablet_mode_sw=lid-flip quirk for the TP200s asus-wmi: Add dgpu disable method platform/x86: asus-wmi: Adjust tablet/lidflip handling to use enum platform/x86: asus-wmi: Add support for ROG X13 tablet mode platform/x86: asus-wmi: Simplify tablet-mode-switch probing platform/x86: asus-wmi: Simplify tablet-mode-switch handling platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi code of: base: Fix some formatting issues and provide missing descriptions of: Fix kerneldoc output formatting of: Add missing 'Return' section in kerneldoc comments of: dynamic: Fix of_reconfig_get_state_change() return value documentation ipv6: fix potential NULL deref in fib6_add() octeontx2-pf: Add missing mutex lock in otx2_get_pauseparam hv_netvsc: rndis_filter needs to select NLS mlxbf-bootctl: correctly identify secure boot with development keys net: arcnet: com20020 fix error handling arcnet: restoring support for multiple Sohard Arcnet cards i40e: Fix unexpected MFS warning message net: bnxt: fix a potential use-after-free in bnxt_init_tc ionic: fix snprintf format length warning ionic: Fix dim work handling in split interrupt mode ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() net: hns: fix fake link up on xge port netfilter: xt_owner: Fix for unsafe access of sk->sk_socket tcp: do not accept ACK of bytes we never sent bpf: sockmap, updating the sg structure should also update curr tee: optee: Fix supplicant based device enumeration arm64: dts: rockchip: Expand reg size of vdec node for RK3399 RDMA/rtrs-clt: Remove the warnings for req in_use check RDMA/bnxt_re: Correct module description string hwmon: (acpi_power_meter) Fix 4.29 MW bug ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate tracing: Fix a warning when allocating buffered events fails scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle() ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt riscv: fix misaligned access handling of C.SWSP and C.SDSP ALSA: pcm: fix out-of-bounds in snd_pcm_state_names ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5 nilfs2: fix missing error check for sb_set_blocksize call nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage() checkstack: fix printed address tracing: Always update snapshot buffer size tracing: Disable snapshot buffer when stopping instance tracers tracing: Fix incomplete locking when disabling buffered events tracing: Fix a possible race when disabling buffered events packet: Move reference count in packet_sock to atomic_long_t arm64: dts: mediatek: mt7622: fix memory node warning check arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names arm64: dts: mediatek: mt8183: Fix unit address for scp reserved memory misc: mei: client.c: return negative error code in mei_cl_write misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write ring-buffer: Force absolute timestamp on discard of event tracing: Set actual size after ring buffer resize tracing: Stop current tracer when resizing buffer perf/core: Add a new read format to get a number of lost samples perf: Fix perf_event_validate_size() gpiolib: sysfs: Fix error handling on failed export drm/amdgpu: correct the amdgpu runtime dereference usage count usb: gadget: f_hid: fix report descriptor allocation parport: Add support for Brainboxes IX/UC/PX parallel cards Revert "xhci: Loosen RPM as default policy to cover for AMD xHC 1.1" usb: typec: class: fix typec_altmode_put_partner to put plugs ARM: PL011: Fix DMA support serial: sc16is7xx: address RX timeout interrupt errata serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt serial: 8250_omap: Add earlycon support for the AM654 UART controller x86/CPU/AMD: Check vendor in the AMD microcode callback KVM: s390/mm: Properly reset no-dat MIPS: Loongson64: Reserve vgabios memory on boot MIPS: Loongson64: Enable DMA noncoherent support io_uring/af_unix: disable sending io_uring over sockets netlink: don't call ->netlink_bind with table lock held genetlink: add CAP_NET_ADMIN test for multicast bind psample: Require 'CAP_NET_ADMIN' when joining "packets" group drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group netfilter: nft_set_pipapo: skip inactive elements during set walk platform/x86: asus-wmi: Fix kbd_dock_devid tablet-switch reporting tools headers UAPI: Sync linux/perf_event.h with the kernel sources platform/x86: asus-wmi: Document the dgpu_disable sysfs attribute mmc: block: Be sure to wait while busy in CQE error recovery Revert "btrfs: add dmesg output for first mount and last unmount of a filesystem" cifs: Fix non-availability of dedup breaking generic/304 smb: client: fix potential NULL deref in parse_dfs_referrals() devcoredump : Serialize devcd_del work devcoredump: Send uevent once devcd is ready r8169: fix rtl8125b PAUSE frames blasting when suspended Linux 5.10.204 Change-Id: Ic65cbf2bdbf57c9cea815a17fcec35c0b72168a2 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Ryusuke Konishi
|
35a7f92507 |
nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
commit 675abf8df1353e0e3bde314993e0796c524cfbf0 upstream. If nilfs2 reads a disk image with corrupted segment usage metadata, and its segment usage information is marked as an error for the segment at the write location, nilfs_sufile_set_segment_usage() can trigger WARN_ONs during log writing. Segments newly allocated for writing with nilfs_sufile_alloc() will not have this error flag set, but this unexpected situation will occur if the segment indexed by either nilfs->ns_segnum or nilfs->ns_nextnum (active segment) was marked in error. Fix this issue by inserting a sanity check to treat it as a file system corruption. Since error returns are not allowed during the execution phase where nilfs_sufile_set_segment_usage() is used, this inserts the sanity check into nilfs_sufile_mark_dirty() which pre-reads the buffer containing the segment usage record to be updated and sets it up in a dirty state for writing. In addition, nilfs_sufile_set_segment_usage() is also called when canceling log writing and undoing segment usage update, so in order to avoid issuing the same kernel warning in that case, in case of cancellation, avoid checking the error flag in nilfs_sufile_set_segment_usage(). Link: https://lkml.kernel.org/r/20231205085947.4431-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+14e9f834f6ddecece094@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=14e9f834f6ddecece094 Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Ryusuke Konishi
|
8df769d92b |
nilfs2: fix missing error check for sb_set_blocksize call
commit d61d0ab573649789bf9eb909c89a1a193b2e3d10 upstream. When mounting a filesystem image with a block size larger than the page size, nilfs2 repeatedly outputs long error messages with stack traces to the kernel log, such as the following: getblk(): invalid block size 8192 requested logical block size: 512 ... Call Trace: dump_stack_lvl+0x92/0xd4 dump_stack+0xd/0x10 bdev_getblk+0x33a/0x354 __breadahead+0x11/0x80 nilfs_search_super_root+0xe2/0x704 [nilfs2] load_nilfs+0x72/0x504 [nilfs2] nilfs_mount+0x30f/0x518 [nilfs2] legacy_get_tree+0x1b/0x40 vfs_get_tree+0x18/0xc4 path_mount+0x786/0xa88 __ia32_sys_mount+0x147/0x1a8 __do_fast_syscall_32+0x56/0xc8 do_fast_syscall_32+0x29/0x58 do_SYSENTER_32+0x15/0x18 entry_SYSENTER_32+0x98/0xf1 ... This overloads the system logger. And to make matters worse, it sometimes crashes the kernel with a memory access violation. This is because the return value of the sb_set_blocksize() call, which should be checked for errors, is not checked. The latter issue is due to out-of-buffer memory being accessed based on a large block size that caused sb_set_blocksize() to fail for buffers read with the initial minimum block size that remained unupdated in the super_block structure. Since nilfs2 mkfs tool does not accept block sizes larger than the system page size, this has been overlooked. However, it is possible to create this situation by intentionally modifying the tool or by passing a filesystem image created on a system with a large page size to a system with a smaller page size and mounting it. Fix this issue by inserting the expected error handling for the call to sb_set_blocksize(). Link: https://lkml.kernel.org/r/20231129141547.4726-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
3e7bedcc0e |
This is the 5.10.198 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmUlq8kACgkQONu9yGCS
aT5GiA//fiURwpUcawIhvgYewMVp+ovJ+mpX5IT+bMbW9Ur0sBhtiiU+WDNYxMru
34xbSQ/+o2a6N2tmK1JF7o76e2sHw/aRgaoDHkN5oEG+lbRH7TdCv6O0QRFAthcd
sJL+SX/GclcKW0ZHDjJX9Wt5Lq3gqVYlqJlCsw6gI/1JrQTxStrSQh7yRbrYSqpY
wGWEq19IrE/ToZFTBuPEEvlBswszGrI88lVtjvRzIdczQVyFLAoEQ2GNPWl3XNBh
ygGnwiHjk3a+QhZ30evIv2LX+tlGmpLy7gdLDsdZF7RfEkNHQ92IgaHvFDs8JqDg
QnRE8KCrC2V45OIQRRnA5NVtD3LBYM0bUhbqqLiNvTMiSIBWge4efJwxyYcTTfkX
MTmbo9z/bIVFdpgCQtneRw3eUyfbRKQ1cUvtmkuXIVLzvZUQaVMpXVZ6pz864E54
3nJrl2HJtIdJsRX5M4unL+AXNLRoJUbfb4hbzAD0Tg8Wbdgrn7vL/z6JmIzA2ssQ
+R/52ghimOThGTUbCi2pJx/cpKhegkJEJ7+JwUhS9L9ybA93g/bD0n9zy6JXpd/H
Cct0JWbiukbDp1CTLQ6Qm9TK5HANW2fXMHoR3H5ltPojNZwN7/pgYqN6ppjtBKVe
gA3k8KYkZoXjbF6VS1B5Y83wJ+H+39Luk/DSmm1ZNvYPHxmz+q0=
=2MQy
-----END PGP SIGNATURE-----
Merge 5.10.198 into android12-5.10-lts
Changes in 5.10.198
NFS: Use the correct commit info in nfs_join_page_group()
NFS/pNFS: Report EINVAL errors from connect() to the server
SUNRPC: Mark the cred for revalidation if the server rejects it
tracing: Increase trace array ref count on enable and filter files
ata: ahci: Drop pointless VPRINTK() calls and convert the remaining ones
ata: libahci: clear pending interrupt status
ext4: remove the 'group' parameter of ext4_trim_extent
ext4: add new helper interface ext4_try_to_trim_range()
ext4: scope ret locally in ext4_try_to_trim_range()
ext4: change s_last_trim_minblks type to unsigned long
ext4: mark group as trimmed only if it was fully scanned
ext4: replace the traditional ternary conditional operator with with max()/min()
ext4: move setting of trimmed bit into ext4_try_to_trim_range()
ext4: do not let fstrim block system suspend
tracing: Have event inject files inc the trace array ref count
netfilter: nf_tables: integrate pipapo into commit protocol
netfilter: nf_tables: don't skip expired elements during walk
netfilter: nf_tables: GC transaction API to avoid race with control plane
netfilter: nf_tables: adapt set backend to use GC transaction API
netfilter: nft_set_hash: mark set element as dead when deleting from packet path
netfilter: nf_tables: remove busy mark and gc batch API
netfilter: nf_tables: don't fail inserts if duplicate has expired
netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
netfilter: nf_tables: GC transaction race with netns dismantle
netfilter: nf_tables: GC transaction race with abort path
netfilter: nf_tables: use correct lock to protect gc_list
netfilter: nf_tables: defer gc run if previous batch is still pending
netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention
netfilter: nft_set_pipapo: stop GC iteration if GC transaction allocation fails
netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration
netfilter: nf_tables: fix memleak when more than 255 elements expired
ASoC: meson: spdifin: start hw on dai probe
netfilter: nf_tables: disallow element removal on anonymous sets
bpf: Avoid deadlock when using queue and stack maps from NMI
selftests/tls: Add {} to avoid static checker warning
selftests: tls: swap the TX and RX sockets in some tests
ASoC: imx-audmix: Fix return error with devm_clk_get()
i40e: Fix VF VLAN offloading when port VLAN is configured
ipv4: fix null-deref in ipv4_link_failure
powerpc/perf/hv-24x7: Update domain value check
dccp: fix dccp_v4_err()/dccp_v6_err() again
platform/x86: intel_scu_ipc: Check status after timeout in busy_loop()
platform/x86: intel_scu_ipc: Check status upon timeout in ipc_wait_for_interrupt()
platform/x86: intel_scu_ipc: Don't override scu in intel_scu_ipc_dev_simple_command()
platform/x86: intel_scu_ipc: Fail IPC send if still busy
x86/srso: Fix srso_show_state() side effect
x86/srso: Fix SBPB enablement for spec_rstack_overflow=off
net: hns3: only enable unicast promisc when mac table full
net: hns3: add 5ms delay before clear firmware reset irq source
net: bridge: use DEV_STATS_INC()
team: fix null-ptr-deref when team device type is changed
netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP
seqlock: avoid -Wshadow warnings
seqlock: Rename __seqprop() users
seqlock: Prefix internal seqcount_t-only macros with a "do_"
locking/seqlock: Do the lockdep annotation before locking in do_write_seqcount_begin_nested()
bnxt_en: Flush XDP for bnxt_poll_nitroa0()'s NAPI
net: rds: Fix possible NULL-pointer dereference
gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
i2c: mux: demux-pinctrl: check the return value of devm_kstrdup()
netfilter: nf_tables: unregister flowtable hooks on netns exit
netfilter: nf_tables: double hook unregistration in netns path
Input: i8042 - rename i8042-x86ia64io.h to i8042-acpipnpio.h
Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN
mmc: renesas_sdhi: probe into TMIO after SCC parameters have been setup
mmc: renesas_sdhi: populate SCC pointer at the proper place
mmc: tmio: support custom irq masks
mmc: renesas_sdhi: register irqs before registering controller
media: venus: core: Add io base variables for each block
media: venus: hfi,pm,firmware: Convert to block relative addressing
media: venus: hfi: Define additional 6xx registers
media: venus: core: Add differentiator IS_V6(core)
media: venus: hfi: Add a 6xx boot logic
media: venus: hfi_venus: Write to VIDC_CTRL_INIT after unmasking interrupts
netfilter: use actual socket sk for REJECT action
netfilter: nft_exthdr: Support SCTP chunks
netfilter: nf_tables: add and use nft_sk helper
netfilter: nf_tables: add and use nft_thoff helper
netfilter: nft_exthdr: break evaluation if setting TCP option fails
netfilter: exthdr: add support for tcp option removal
netfilter: nft_exthdr: Fix non-linear header modification
ata: libata: Rename link flag ATA_LFLAG_NO_DB_DELAY
ata: ahci: Add support for AMD A85 FCH (Hudson D4)
ata: ahci: Rename board_ahci_mobile
ata: ahci: Add Elkhart Lake AHCI controller
btrfs: reset destination buffer when read_extent_buffer() gets invalid range
MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled
bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset()
bus: ti-sysc: Fix missing AM35xx SoC matching
clk: tegra: fix error return case for recalc_rate
ARM: dts: omap: correct indentation
ARM: dts: ti: omap: Fix bandgap thermal cells addressing for omap3/4
ARM: dts: motorola-mapphone: Configure lower temperature passive cooling
ARM: dts: motorola-mapphone: Add 1.2GHz OPP
ARM: dts: motorola-mapphone: Drop second ti,wlcore compatible value
ARM: dts: am335x: Guardian: Update beeper label
ARM: dts: Unify pwm-omap-dmtimer node names
ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot
bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up
power: supply: ucs1002: fix error code in ucs1002_get_property()
xtensa: add default definition for XCHAL_HAVE_DIV32
xtensa: iss/network: make functions static
xtensa: boot: don't add include-dirs
xtensa: boot/lib: fix function prototypes
gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
i2c: npcm7xx: Fix callback completion ordering
dma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock
parisc: sba: Fix compile warning wrt list of SBA devices
parisc: iosapic.c: Fix sparse warnings
parisc: drivers: Fix sparse warning
parisc: irq: Make irq_stack_union static to avoid sparse warning
scsi: qedf: Add synchronization between I/O completions and abort
selftests/ftrace: Correctly enable event in instance-event.tc
ring-buffer: Avoid softlockup in ring_buffer_resize()
selftests: fix dependency checker script
ring-buffer: Do not attempt to read past "commit"
platform/mellanox: mlxbf-bootctl: add NET dependency into Kconfig
scsi: pm80xx: Use phy-specific SAS address when sending PHY_START command
scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command
ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset()
spi: nxp-fspi: reset the FLSHxCR1 registers
bpf: Clarify error expectations from bpf_clone_redirect
media: vb2: frame_vector.c: replace WARN_ONCE with a comment
powerpc/watchpoints: Disable preemption in thread_change_pc()
ncsi: Propagate carrier gain/loss events to the NCSI controller
fbdev/sh7760fb: Depend on FB=y
perf build: Define YYNOMEM as YYNOABORT for bison < 3.81
sched/cpuacct: Fix user/system in shown cpuacct.usage*
sched/cpuacct: Fix charge percpu cpuusage
sched/cpuacct: Optimize away RCU read lock
cgroup: Fix suspicious rcu_dereference_check() usage warning
ACPI: Check StorageD3Enable _DSD property in ACPI code
nvme-pci: factor the iod mempool creation into a helper
nvme-pci: factor out a nvme_pci_alloc_dev helper
nvme-pci: do not set the NUMA node of device if it has none
watchdog: iTCO_wdt: No need to stop the timer in probe
watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running
netfilter: nft_exthdr: Search chunks in SCTP packets only
netfilter: nft_exthdr: Fix for unsafe packet data read
nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev
smack: Record transmuting in smk_transmuted
smack: Retrieve transmuting information in smack_inode_getsecurity()
Smack:- Use overlay inode label in smack_inode_copy_up()
Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
serial: 8250_port: Check IRQ data before use
nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
netfilter: nf_tables: disallow rule removal from chain binding
ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q
ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES
i2c: i801: unregister tco_pdev in i801_probe() error path
Revert "SUNRPC dont update timeout value on connection reset"
proc: nommu: /proc/<pid>/maps: release mmap read lock
ring-buffer: Update "shortest_full" in polling
btrfs: properly report 0 avail for very full file systems
bpf: Fix BTF_ID symbol generation collision
bpf: Fix BTF_ID symbol generation collision in tools/
net: thunderbolt: Fix TCPv6 GSO checksum calculation
ata: libata-core: Fix ata_port_request_pm() locking
ata: libata-core: Fix port and device removal
ata: libata-core: Do not register PM operations for SAS ports
ata: libata-sata: increase PMP SRST timeout to 10s
fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
spi: spi-zynqmp-gqspi: Fix runtime PM imbalance in zynqmp_qspi_probe
spi: zynqmp-gqspi: fix clock imbalance on probe failure
NFS: Cleanup unused rpc_clnt variable
NFS: rename nfs_client_kset to nfs_kset
NFSv4: Fix a state manager thread deadlock regression
ring-buffer: remove obsolete comment for free_buffer_page()
ring-buffer: Fix bytes info in per_cpu buffer stats
drm/mediatek: Fix backport issue in mtk_drm_gem_prime_vmap()
rbd: move rbd_dev_refresh() definition
rbd: decouple header read-in from updating rbd_dev->header
rbd: decouple parent info read-in from updating rbd_dev
rbd: take header_rwsem in rbd_dev_refresh() only when updating
block: fix use-after-free of q->q_usage_counter
Revert "clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz"
Revert "PCI: qcom: Disable write access to read only registers for IP v2.3.3"
scsi: zfcp: Fix a double put in zfcp_port_enqueue()
qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
wifi: mwifiex: Fix tlv_buf_left calculation
net: replace calls to sock->ops->connect() with kernel_connect()
net: prevent rewrite of msg_name in sock_sendmsg()
arm64: Add Cortex-A520 CPU part definition
ubi: Refuse attaching if mtd's erasesize is 0
wifi: iwlwifi: dbg_ini: fix structure packing
wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
bpf: Fix tr dereferencing
drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
regmap: rbtree: Fix wrong register marked as in-cache when creating new node
ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig
scsi: target: core: Fix deadlock due to recursive locking
ima: rework CONFIG_IMA dependency block
NFSv4: Fix a nfs4_state_manager() race
modpost: add missing else to the "of" check
net: fix possible store tearing in neigh_periodic_work()
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent
net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
net: nfc: llcp: Add lock when modifying device list
net: ethernet: ti: am65-cpsw: Fix error code in am65_cpsw_nuss_init_tx_chns()
netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp
netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure
net: stmmac: dwmac-stm32: fix resume on STM32 MCU
tipc: fix a potential deadlock on &tx->lock
tcp: fix quick-ack counting to count actual ACKs of new data
tcp: fix delayed ACKs for MSS boundary condition
sctp: update transport state when processing a dupcook packet
sctp: update hb timer immediately after users change hb_interval
cpupower: add Makefile dependencies for install targets
dm zoned: free dmz->ddev array in dmz_put_zoned_devices
RDMA/core: Require admin capabilities to set system parameters
of: dynamic: Fix potential memory leak in of_changeset_action()
IB/mlx4: Fix the size of a buffer in add_port_entries()
gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
gpio: pxa: disable pinctrl calls for MMP_GPIO
RDMA/cma: Initialize ib_sa_multicast structure to 0 when join
RDMA/cma: Fix truncation compilation warning in make_cma_ports
RDMA/uverbs: Fix typo of sizeof argument
RDMA/siw: Fix connection failure handling
RDMA/mlx5: Fix NULL string error
parisc: Restore __ldcw_align for PA-RISC 2.0 processors
netfilter: nf_tables: fix kdoc warnings after gc rework
netfilter: nftables: exthdr: fix 4-byte stack OOB write
mmc: renesas_sdhi: only reset SCC when its pointer is populated
xen/events: replace evtchn_rwlock with RCU
Linux 5.10.198
Change-Id: Iabfdf919ae63e41a565e523087d800ebc20e5448
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Pan Bian
|
7130a87ca3 |
nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
commit 7ee29facd8a9c5a26079148e36bcf07141b3a6bc upstream.
In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the
reference count of bh when the call to nilfs_dat_translate() fails. If
the reference count hits 0 and its owner page gets unlocked, bh may be
freed. However, bh->b_page is dereferenced to put the page after that,
which may result in a use-after-free bug. This patch moves the release
operation after unlocking and putting the page.
NOTE: The function in question is only called in GC, and in combination
with current userland tools, address translation using DAT does not occur
in that function, so the code path that causes this issue will not be
executed. However, it is possible to run that code path by intentionally
modifying the userland GC library or by calling the GC ioctl directly.
[konishi.ryusuke@gmail.com: NOTE added to the commit log]
Link: https://lkml.kernel.org/r/1543201709-53191-1-git-send-email-bianpan2016@163.com
Link: https://lkml.kernel.org/r/20230921141731.10073-1-konishi.ryusuke@gmail.com
Fixes:
|
||
|
Greg Kroah-Hartman
|
8026d5839b |
This is the 5.10.195 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmUJdfMACgkQONu9yGCS
aT7i/w//Wbvt3F9hF/9Rmg9A4J23OWl2o07Z8Fi0a4F4B0FJjuQGSPRvpSvKtIWv
+7taCzOw9+Qi52hTR7BK+QpLpEPgMbv1IdgyPu1gtjL4WHuKk1aOeafISYuQDgeZ
XSFoV1EGjxkg3wbMZkucnmQVitGxC/iV0ojvxKleiIE9UNzceQclGmmBL0FwmEYp
c91XKEACZ5K/spSyyxocP4Fw6mbk98ISiju+74op5EDFry9qnIYa2pU/au3gZvh/
TScOYOQsBojOFTy/wuEfpOiVBK9gLFq8du0J/gHS2aUqswkp/qFcpH7wbS5Po3+l
Ja9a76o2B4btMCz6UhyhwzB+0QTQ1Gdea35FHRbF3d4ssNJDqDtwBCHqd3zeMUYo
uTDhyTsSGV40Gm9A5Sojyzjgj4X12rQ0ffL+zcXfXe60flE8SNIxR8DiIXPlAsC+
pgNQ5l/HcdJE1abRoTkvpsptaT2sNXgwZZij+VOBI3Vp4wr61U69CfP/QWWPZZF5
ECEh8ZDK1roiEyBjn6njqXmt5vbmNasgI5umgnNPBgKEB2OLXqox6rn9XK0qMJ+X
/oiCaL9RveU/QL5qNvV6Z2beXPwT51Vdy8+bQBfb5bUFRGQcTVIWaBRG0ZIHeSGm
pG10/VAnCGtNrC6M/HVGd0Wyih+ur65Jz/rNKbkMX69cvJuxPWk=
=RAs8
-----END PGP SIGNATURE-----
Merge 5.10.195 into android12-5.10-lts
Changes in 5.10.195
erofs: ensure that the post-EOF tails are all zeroed
ARM: pxa: remove use of symbol_get()
mmc: au1xmmc: force non-modular build and remove symbol_get usage
net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index
rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff
modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules
USB: serial: option: add Quectel EM05G variant (0x030e)
USB: serial: option: add FOXCONN T99W368/T99W373 product
usb: dwc3: meson-g12a: do post init to fix broken usb after resumption
usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0
HID: wacom: remove the battery when the EKR is off
staging: rtl8712: fix race condition
Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
configfs: fix a race in configfs_lookup()
serial: qcom-geni: fix opp vote on shutdown
serial: sc16is7xx: fix broken port 0 uart init
serial: sc16is7xx: fix bug when first setting GPIO direction
firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe
fsi: master-ast-cf: Add MODULE_FIRMWARE macro
nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
pinctrl: amd: Don't show `Invalid config param` errors
ASoC: rt5682: Fix a problem with error handling in the io init function of the soundwire
ARM: dts: imx: update sdma node name format
ARM: dts: imx7s: Drop dma-apb interrupt-names
ARM: dts: imx: Adjust dma-apbh node name
ARM: dts: imx: Set default tuning step for imx7d usdhc
phy: qcom-snps-femto-v2: use qcom_snps_hsphy_suspend/resume error code
media: pulse8-cec: handle possible ping error
media: pci: cx23885: fix error handling for cx23885 ATSC boards
9p: virtio: make sure 'offs' is initialized in zc_request
ASoC: da7219: Flush pending AAD IRQ when suspending
ASoC: da7219: Check for failure reading AAD IRQ events
ethernet: atheros: fix return value check in atl1c_tso_csum()
vxlan: generalize vxlan_parse_gpe_hdr and remove unused args
m68k: Fix invalid .section syntax
s390/dasd: use correct number of retries for ERP requests
s390/dasd: fix hanging device after request requeue
fs/nls: make load_nls() take a const parameter
ASoc: codecs: ES8316: Fix DMIC config
ASoC: atmel: Fix the 8K sample parameter in I2SC master
platform/x86: intel: hid: Always call BTNL ACPI method
platform/x86: huawei-wmi: Silence ambient light sensor
drm/amd/display: Exit idle optimizations before attempt to access PHY
ovl: Always reevaluate the file signature for IMA
ata: pata_arasan_cf: Use dev_err_probe() instead dev_err() in data_xfer()
security: keys: perform capable check only on privileged operations
kprobes: Prohibit probing on CFI preamble symbol
clk: fixed-mmio: make COMMON_CLK_FIXED_MMIO depend on HAS_IOMEM
vmbus_testing: fix wrong python syntax for integer value comparison
net: usb: qmi_wwan: add Quectel EM05GV2
idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM
scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock
netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
bnx2x: fix page fault following EEH recovery
sctp: handle invalid error codes without calling BUG()
scsi: storvsc: Always set no_report_opcodes
ALSA: seq: oss: Fix racy open/close of MIDI devices
tracing: Introduce pipe_cpumask to avoid race on trace_pipes
platform/mellanox: Fix mlxbf-tmfifo not handling all virtio CONSOLE notifications
net: Avoid address overwrite in kernel_connect
udf: Check consistency of Space Bitmap Descriptor
udf: Handle error when adding extent to a file
Revert "net: macsec: preserve ingress frame ordering"
reiserfs: Check the return value from __getblk()
eventfd: Export eventfd_ctx_do_read()
eventfd: prevent underflow for eventfd semaphores
fs: Fix error checking for d_hash_and_lookup()
tmpfs: verify {g,u}id mount options correctly
selftests/harness: Actually report SKIP for signal tests
refscale: Fix uninitalized use of wait_queue_head_t
OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd()
selftests/resctrl: Don't leak buffer in fill_cache()
selftests/resctrl: Unmount resctrl FS if child fails to run benchmark
selftests/resctrl: Close perf value read fd on errors
x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved
perf/imx_ddr: don't enable counter0 if none of 4 counters are used
s390/pkey: fix/harmonize internal keyblob headers
s390/paes: fix PKEY_TYPE_EP11_AES handling for secure keyblobs
x86/efistub: Fix PCI ROM preservation in mixed mode
cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit()
bpftool: Use a local bpf_perf_event_value to fix accessing its fields
bpf: Clear the probe_addr for uprobe
tcp: tcp_enter_quickack_mode() should be static
hwrng: nomadik - keep clock enabled while hwrng is registered
regmap: rbtree: Use alloc_flags for memory allocations
udp: re-score reuseport groups when connected sockets are present
bpf: reject unhashed sockets in bpf_sk_assign
wifi: mt76: testmode: add nla_policy for MT76_TM_ATTR_TX_LENGTH
spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe()
can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM
wifi: mwifiex: Fix OOB and integer underflow when rx packets
wifi: mwifiex: fix error recovery in PCIE buffer descriptor management
selftests/bpf: fix static assert compilation issue for test_cls_*.c
crypto: stm32 - Properly handle pm_runtime_get failing
crypto: api - Use work queue in crypto_destroy_instance
Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe()
Bluetooth: Fix potential use-after-free when clear keys
net: tcp: fix unexcepted socket die when snd_wnd is 0
selftests/bpf: Clean up fmod_ret in bench_rename test script
ice: ice_aq_check_events: fix off-by-one check when filling buffer
crypto: caam - fix unchecked return value error
hwrng: iproc-rng200 - Implement suspend and resume calls
lwt: Fix return values of BPF xmit ops
lwt: Check LWTUNNEL_XMIT_CONTINUE strictly
fs: ocfs2: namei: check return value of ocfs2_add_entry()
wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
wifi: mwifiex: Fix missed return in oob checks failed path
samples/bpf: fix broken map lookup probe
wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx
wifi: ath9k: protect WMI command response buffer replacement with a lock
wifi: mwifiex: avoid possible NULL skb pointer dereference
Bluetooth: btusb: Do not call kfree_skb() under spin_lock_irqsave()
wifi: ath9k: use IS_ERR() with debugfs_create_dir()
net: arcnet: Do not call kfree_skb() under local_irq_disable()
mlxsw: i2c: Fix chunk size setting in output mailbox buffer
mlxsw: i2c: Limit single transaction buffer size
hwmon: (tmp513) Fix the channel number in tmp51x_is_visible()
net/sched: sch_hfsc: Ensure inner classes have fsc curve
netrom: Deny concurrent connect().
drm/bridge: tc358764: Fix debug print parameter order
quota: factor out dquot_write_dquot()
quota: rename dquot_active() to inode_quota_active()
quota: add new helper dquot_active()
quota: fix dqput() to follow the guarantees dquot_srcu should provide
ASoC: stac9766: fix build errors with REGMAP_AC97
soc: qcom: ocmem: Add OCMEM hardware version print
soc: qcom: ocmem: Fix NUM_PORTS & NUM_MACROS macros
arm64: dts: qcom: msm8996: Add missing interrupt to the USB2 controller
drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar()
ARM: dts: BCM5301X: Harmonize EHCI/OHCI DT nodes name
ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch
ARM: dts: BCM53573: Drop nonexistent #usb-cells
ARM: dts: BCM53573: Add cells sizes to PCIe node
ARM: dts: BCM53573: Use updated "spi-gpio" binding properties
drm/etnaviv: fix dumping of active MMU context
x86/mm: Fix PAT bit missing from page protection modify mask
ARM: dts: s3c64xx: align pinctrl with dtschema
ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split)
ARM: dts: s5pv210: adjust node names to DT spec
ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210
ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)
drm: adv7511: Fix low refresh rate register for ADV7533/5
ARM: dts: BCM53573: Fix Ethernet info for Luxul devices
arm64: dts: qcom: sdm845: Add missing RPMh power domain to GCC
arm64: dts: qcom: sdm845: Fix the min frequency of "ice_core_clk"
drm/amdgpu: Update min() to min_t() in 'amdgpu_info_ioctl'
md/bitmap: don't set max_write_behind if there is no write mostly device
md/md-bitmap: hold 'reconfig_mutex' in backlog_store()
drm/tegra: Remove superfluous error messages around platform_get_irq()
drm/tegra: dpaux: Fix incorrect return value of platform_get_irq
of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()
drm/armada: Fix off-by-one error in armada_overlay_get_property()
drm/panel: simple: Add missing connector type and pixel format for AUO T215HVN01
ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig
drm: xlnx: zynqmp_dpsub: Add missing check for dma_set_mask
drm/msm/mdp5: Don't leak some plane state
firmware: meson_sm: fix to avoid potential NULL pointer dereference
smackfs: Prevent underflow in smk_set_cipso()
drm/amd/pm: fix variable dereferenced issue in amdgpu_device_attr_create()
drm/msm/a2xx: Call adreno_gpu_init() earlier
audit: fix possible soft lockup in __audit_inode_child()
bus: ti-sysc: Fix build warning for 64-bit build
drm/mediatek: Fix potential memory leak if vmap() fail
bus: ti-sysc: Fix cast to enum warning
of: unittest: Fix overlay type in apply/revert check
ALSA: ac97: Fix possible error value of *rac97
ipmi:ssif: Add check for kstrdup
ipmi:ssif: Fix a memory leak when scanning for an adapter
drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init()
clk: sunxi-ng: Modify mismatched function name
clk: qcom: gcc-sc7180: use ARRAY_SIZE instead of specifying num_parents
clk: qcom: gcc-sc7180: Fix up gcc_sdcc2_apps_clk_src
ext4: correct grp validation in ext4_mb_good_group
clk: qcom: gcc-sm8250: use ARRAY_SIZE instead of specifying num_parents
clk: qcom: gcc-sm8250: Fix gcc_sdcc2_apps_clk_src
clk: qcom: reset: Use the correct type of sleep/delay based on length
PCI: Mark NVIDIA T4 GPUs to avoid bus reset
pinctrl: mcp23s08: check return value of devm_kasprintf()
PCI: pciehp: Use RMW accessors for changing LNKCTL
PCI/ASPM: Use RMW accessors for changing LNKCTL
clk: imx8mp: fix sai4 clock
clk: imx: composite-8m: fix clock pauses when set_rate would be a no-op
vfio/type1: fix cap_migration information leak
powerpc/fadump: reset dump area size if fadump memory reserve fails
powerpc/perf: Convert fsl_emb notifier to state machine callbacks
drm/amdgpu: Use RMW accessors for changing LNKCTL
drm/radeon: Use RMW accessors for changing LNKCTL
net/mlx5: Use RMW accessors for changing LNKCTL
wifi: ath10k: Use RMW accessors for changing LNKCTL
powerpc: Don't include lppaca.h in paca.h
powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT
nfs/blocklayout: Use the passed in gfp flags
powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
jfs: validate max amount of blocks before allocation.
fs: lockd: avoid possible wrong NULL parameter
NFSD: da_addr_body field missing in some GETDEVICEINFO replies
NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN
NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ
media: ad5820: Drop unsupported ad5823 from i2c_ and of_device_id tables
media: i2c: tvp5150: check return value of devm_kasprintf()
media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()
drivers: usb: smsusb: fix error handling code in smsusb_init_device
media: dib7000p: Fix potential division by zero
media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
media: cx24120: Add retval check for cx24120_message_send()
scsi: hisi_sas: Print SAS address for v3 hw erroneous completion print
scsi: libsas: Introduce more SAM status code aliases in enum exec_status
scsi: hisi_sas: Modify v3 HW SSP underflow error processing
scsi: hisi_sas: Modify v3 HW SATA completion error processing
scsi: hisi_sas: Fix warnings detected by sparse
scsi: hisi_sas: Fix normally completed I/O analysed as failed
media: rkvdec: increase max supported height for H.264
media: mediatek: vcodec: Return NULL if no vdec_fb is found
usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()
scsi: RDMA/srp: Fix residual handling
scsi: iscsi: Rename iscsi_set_param() to iscsi_if_set_param()
scsi: iscsi: Add length check for nlattr payload
scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
scsi: be2iscsi: Add length check when parsing nlattrs
scsi: qla4xxx: Add length check when parsing nlattrs
serial: sprd: Assign sprd_port after initialized to avoid wrong access
serial: sprd: Fix DMA buffer leak issue
x86/APM: drop the duplicate APM_MINOR_DEV macro
scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly
scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
coresight: tmc: Explicit type conversions to prevent integer overflow
dma-buf/sync_file: Fix docs syntax
driver core: test_async: fix an error code
IB/uverbs: Fix an potential error pointer dereference
fsi: aspeed: Reset master errors after CFAM reset
iommu/qcom: Disable and reset context bank before programming
iommu/vt-d: Fix to flush cache of PASID directory table
media: go7007: Remove redundant if statement
USB: gadget: f_mass_storage: Fix unused variable warning
media: ov5640: Enable MIPI interface in ov5640_set_power_mipi()
media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips
media: ov2680: Remove auto-gain and auto-exposure controls
media: ov2680: Fix ov2680_bayer_order()
media: ov2680: Fix vflip / hflip set functions
media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors
cgroup:namespace: Remove unused cgroup_namespaces_init()
scsi: core: Use 32-bit hostnum in scsi_host_lookup()
scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
serial: tegra: handle clk prepare error in tegra_uart_hw_init()
amba: bus: fix refcount leak
Revert "IB/isert: Fix incorrect release of isert connection"
RDMA/siw: Balance the reference of cep->kref in the error path
RDMA/siw: Correct wrong debug message
HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode()
HID: multitouch: Correct devm device reference for hidinput input_dev name
x86/speculation: Mark all Skylake CPUs as vulnerable to GDS
tracing: Fix race issue between cpu buffer write and swap
mtd: rawnand: brcmnand: Fix mtd oobsize
phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328
phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate
phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write
rpmsg: glink: Add check for kstrdup
mtd: spi-nor: Check bus width while setting QE bit
mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume()
um: Fix hostaudio build errors
dmaengine: ste_dma40: Add missing IRQ check in d40_probe
cpufreq: Fix the race condition while updating the transition_task of policy
virtio_ring: fix avail_wrap_counter in virtqueue_add_packed
igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
netfilter: xt_u32: validate user space input
netfilter: xt_sctp: validate the flag_info count
skbuff: skb_segment, Call zero copy functions before using skbuff frags
igb: set max size RX buffer when store bad packet is enabled
PM / devfreq: Fix leak in devfreq_dev_release()
ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
printk: ringbuffer: Fix truncating buffer size min_t cast
scsi: core: Fix the scsi_set_resid() documentation
ipmi_si: fix a memleak in try_smi_init()
ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
backlight/gpio_backlight: Compare against struct fb_info.device
backlight/bd6107: Compare against struct fb_info.device
backlight/lv5207lp: Compare against struct fb_info.device
xtensa: PMU: fix base address for the newer hardware
arm64: csum: Fix OoB access in IP checksum code for negative lengths
media: dvb: symbol fixup for dvb_attach()
Revert "scsi: qla2xxx: Fix buffer overrun"
scsi: mpt3sas: Perform additional retries if doorbell read returns 0
ntb: Drop packets when qp link is down
ntb: Clean up tx tail index on link down
ntb: Fix calculation ntb_transport_tx_free_entry()
Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
procfs: block chmod on /proc/thread-self/comm
parisc: Fix /proc/cpuinfo output for lscpu
dlm: fix plock lookup when using multiple lockspaces
dccp: Fix out of bounds access in DCCP error handler
X.509: if signature is unsupported skip validation
net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
fsverity: skip PKCS#7 parser when keyring is empty
pstore/ram: Check start of empty przs during init
s390/ipl: add missing secure/has_secure file to ipl type 'unknown'
crypto: stm32 - fix loop iterating through scatterlist for DMA
cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug
usb: typec: bus: verify partner exists in typec_altmode_attention
USB: core: Unite old scheme and new scheme descriptor reads
USB: core: Change usb_get_device_descriptor() API
USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
USB: core: Fix oversight in SuperSpeed initialization
usb: typec: tcpci: clear the fault status bit
tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY
md/md-bitmap: remove unnecessary local variable in backlog_store()
udf: initialize newblock to 0
net/ipv6: SKB symmetric hash should incorporate transport ports
io_uring: always lock in io_apoll_task_func
io_uring: break out of iowq iopoll on teardown
io_uring: break iopolling on signal
scsi: qla2xxx: Fix deletion race condition
scsi: qla2xxx: fix inconsistent TMF timeout
scsi: qla2xxx: Fix erroneous link up failure
scsi: qla2xxx: Turn off noisy message log
scsi: qla2xxx: Remove unsupported ql2xenabledif option
fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
drm/ast: Fix DRAM init on AST2200
lib/test_meminit: allocate pages up to order MAX_ORDER
parisc: led: Fix LAN receive and transmit LEDs
parisc: led: Reduce CPU overhead for disk & lan LED computation
pinctrl: cherryview: fix address_space_handler() argument
dt-bindings: clock: xlnx,versal-clk: drop select:false
clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz
clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
soc: qcom: qmi_encdec: Restrict string length in decode
NFS: Fix a potential data corruption
NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
kconfig: fix possible buffer overflow
backlight: gpio_backlight: Drop output GPIO direction check for initial power state
perf annotate bpf: Don't enclose non-debug code with an assert()
x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
perf top: Don't pass an ERR_PTR() directly to perf_session__delete()
watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
pwm: lpc32xx: Remove handling of PWM channels
net/sched: fq_pie: avoid stalls in fq_pie_timer()
sctp: annotate data-races around sk->sk_wmem_queued
ipv4: annotate data-races around fi->fib_dead
net: read sk->sk_family once in sk_mc_loop()
drm/i915/gvt: Save/restore HW status to support GVT suspend/resume
drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()
ipv4: ignore dst hint for multipath routes
igb: disable virtualization features on 82580
veth: Fixing transmit return status for dropped packets
net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
af_unix: Fix data-races around user->unix_inflight.
af_unix: Fix data-race around unix_tot_inflight.
af_unix: Fix data-races around sk->sk_shutdown.
af_unix: Fix data race around sk->sk_err.
net: sched: sch_qfq: Fix UAF in qfq_dequeue()
kcm: Destroy mutex in kcm_exit_net()
igc: Change IGC_MIN to allow set rx/tx value between 64 and 80
igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
s390/zcrypt: don't leak memory if dev_set_name() fails
idr: fix param name in idr_alloc_cyclic() doc
ip_tunnels: use DEV_STATS_INC()
net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software and offload
net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too many times
netfilter: nfnetlink_osf: avoid OOB read
net: hns3: fix the port information display when sfp is absent
sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory()
ext4: add correct group descriptors and reserved GDT blocks to system zone
ata: sata_gemini: Add missing MODULE_DESCRIPTION
ata: pata_ftide010: Add missing MODULE_DESCRIPTION
fuse: nlookup missing decrement in fuse_direntplus_link
btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART
btrfs: use the correct superblock to compare fsid in btrfs_validate_super
mtd: rawnand: brcmnand: Fix crash during the panic_write
mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
mtd: rawnand: brcmnand: Fix potential false time out warning
drm/amd/display: prevent potential division by zero errors
perf hists browser: Fix hierarchy mode header
perf tools: Handle old data in PERF_RECORD_ATTR
perf hists browser: Fix the number of entries for 'e' key
ACPI: APEI: explicit init of HEST and GHES in apci_init()
arm64: sdei: abort running SDEI handlers during crash
scsi: qla2xxx: If fcport is undergoing deletion complete I/O with retry
scsi: qla2xxx: Consolidate zio threshold setting for both FCP & NVMe
scsi: qla2xxx: Fix crash in PCIe error handling
scsi: qla2xxx: Flush mailbox commands on chip reset
ARM: dts: samsung: exynos4210-i9100: Fix LCD screen's physical size
ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2
bus: mhi: host: Skip MHI reset if device is in RDDM
net: ipv4: fix one memleak in __inet_del_ifa()
selftests/kselftest/runner/run_one(): allow running non-executable files
kselftest/runner.sh: Propagate SIGTERM to runner child
net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add
net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()
net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
hsr: Fix uninit-value access in fill_frame_info()
r8152: check budget for r8152_poll()
kcm: Fix memory leak in error path of kcm_sendmsg()
platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
platform/mellanox: mlxbf-tmfifo: Drop jumbo frames
net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
ipv6: fix ip6_sock_set_addr_preferences() typo
ixgbe: fix timestamp configuration code
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
drm/amd/display: Fix a bug when searching for insert_above_mpcc
parisc: Drop loops_per_jiffy from per_cpu struct
Linux 5.10.195
Change-Id: I4eef618f573b6d4201e05c9cf56088d77d712d97
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Ryusuke Konishi
|
f1d637b63d |
nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
commit cdaac8e7e5a059f9b5e816cda257f08d0abffacd upstream.
A syzbot stress test using a corrupted disk image reported that
mark_buffer_dirty() called from __nilfs_mark_inode_dirty() or
nilfs_palloc_commit_alloc_entry() may output a kernel warning, and can
panic if the kernel is booted with panic_on_warn.
This is because nilfs2 keeps buffer pointers in local structures for some
metadata and reuses them, but such buffers may be forcibly discarded by
nilfs_clear_dirty_page() in some critical situations.
This issue is reported to appear after commit 28a65b49eb53 ("nilfs2: do
not write dirty data after degenerating to read-only"), but the issue has
potentially existed before.
Fix this issue by checking the uptodate flag when attempting to reuse an
internally held buffer, and reloading the metadata instead of reusing the
buffer if the flag was lost.
Link: https://lkml.kernel.org/r/20230818131804.7758-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+cdfcae656bac88ba0e2d@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/0000000000003da75f05fdeffd12@google.com
Fixes:
|
||
|
Ryusuke Konishi
|
0e11bb5ad3 |
nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
commit f83913f8c5b882a312e72b7669762f8a5c9385e4 upstream. A syzbot stress test reported that create_empty_buffers() called from nilfs_lookup_dirty_data_buffers() can cause a general protection fault. Analysis using its reproducer revealed that the back reference "mapping" from a page/folio has been changed to NULL after dirty page/folio gang lookup in nilfs_lookup_dirty_data_buffers(). Fix this issue by excluding pages/folios from being collected if, after acquiring a lock on each page/folio, its back reference "mapping" differs from the pointer to the address space struct that held the page/folio. Link: https://lkml.kernel.org/r/20230805132038.6435-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+0ad741797f4565e7e2d2@syzkaller.appspotmail.com Closes: https://lkml.kernel.org/r/0000000000002930a705fc32b231@google.com Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
412095349f |
Merge 5.10.191 into android12-5.10-lts
Changes in 5.10.191
wireguard: allowedips: expand maximum node depth
mmc: moxart: read scr register without changing byte order
ipv6: adjust ndisc_is_useropt() to also return true for PIO
bpf: allow precision tracking for programs with subprogs
bpf: stop setting precise in current state
bpf: aggressively forget precise markings during state checkpointing
selftests/bpf: make test_align selftest more robust
selftests/bpf: Workaround verification failure for fexit_bpf2bpf/func_replace_return_code
selftests/bpf: Fix sk_assign on s390x
dmaengine: pl330: Return DMA_PAUSED when transaction is paused
riscv,mmio: Fix readX()-to-delay() ordering
drm/nouveau/gr: enable memory loads on helper invocation on all channels
drm/shmem-helper: Reset vma->vm_ops before calling dma_buf_mmap()
drm/amd/display: check attr flag before set cursor degamma on DCN3+
hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100
radix tree test suite: fix incorrect allocation size for pthreads
x86/pkeys: Revert
|