f4b76e8165
33138 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Michael Bestas
|
f4b76e8165
|
Merge tag 'ASB-2023-04-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2023-04-01 CVE-2022-4696 CVE-2023-20941 * tag 'ASB-2023-04-05_11-5.4' of https://android.googlesource.com/kernel/common: UPSTREAM: ext4: fix kernel BUG in 'ext4_write_inline_data_end()' UPSTREAM: hid: bigben_probe(): validate report count UPSTREAM: HID: bigben: use spinlock to safely schedule workers BACKPORT: of: base: Skip CPU nodes with "fail"/"fail-..." status UPSTREAM: HID: bigben_worker() remove unneeded check on report_field UPSTREAM: HID: bigben: use spinlock to protect concurrent accesses UPSTREAM: hwrng: virtio - add an internal buffer UPSTREAM: ext4: fix another off-by-one fsmap error on 1k block filesystems UPSTREAM: ext4: refuse to create ea block when umounted UPSTREAM: ext4: optimize ea_inode block expansion UPSTREAM: ext4: allocate extended attribute value in vmalloc area BACKPORT: FROMGIT: cgroup: Use separate src/dst nodes when preloading css_sets for migration Revert "iommu: Add gfp parameter to iommu_ops::map" Revert "iommu/amd: Pass gfp flags to iommu_map_page() in amd_iommu_map()" Revert "RDMA/usnic: use iommu_map_atomic() under spin_lock()" Linux 5.4.233 bpf: add missing header file include Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs" ext4: Fix function prototype mismatch for ext4_feat_ktype wifi: mwifiex: Add missing compatible string for SD8787 uaccess: Add speculation barrier to copy_from_user() mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh drm/i915/gvt: fix double free bug in split_2MB_gtt_entry alarmtimer: Prevent starvation by small intervals and SIG_IGN powerpc: dts: t208x: Disable 10G on MAC1 and MAC2 can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS KVM: x86: Fail emulation during EMULTYPE_SKIP on any exception random: always mix cycle counter in add_latent_entropy() powerpc: dts: t208x: Mark MAC1 and MAC2 as 10G wifi: rtl8xxxu: gen2: Turn on the rate control drm/etnaviv: don't truncate physical page address drm: etnaviv: fix common struct sg_table related issues scatterlist: add generic wrappers for iterating over sgtable objects dma-mapping: add generic helpers for mapping sgtable objects Linux 5.4.232 iommu/amd: Pass gfp flags to iommu_map_page() in amd_iommu_map() net: sched: sch: Fix off by one in htb_activate_prios() ASoC: SOF: Intel: hda-dai: fix possible stream_tag leak nilfs2: fix underflow in second superblock position calculations kvm: initialize all of the kvm_debugregs structure before sending it to userspace i40e: Add checking for null for nlmsg_find_attr() ipv6: Fix tcp socket connection with DSCP. ipv6: Fix datagram socket connection with DSCP. ixgbe: add double of VLAN header when computing the max MTU net: mpls: fix stale pointer if allocation fails during device rename net: stmmac: Restrict warning on disabling DMA store and fwd mode bnxt_en: Fix mqprio and XDP ring checking logic net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list net: bgmac: fix BCM5358 support by setting correct flags i40e: add double of VLAN header when computing the max MTU ixgbe: allow to increase MTU to 3K with XDP enabled revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" net: Fix unwanted sign extension in netdev_stats_to_stats64() Revert "mm: Always release pages to the buddy allocator in memblock_free_late()." hugetlb: check for undefined shift on 32 bit architectures sched/psi: Fix use-after-free in ep_remove_wait_queue() ALSA: hda/realtek - fixed wrong gpio assigned ALSA: hda/conexant: add a new hda codec SN6180 mmc: mmc_spi: fix error handling in mmc_spi_probe() mmc: sdio: fix possible resource leaks in some error paths ipv4: Fix incorrect route flushing when source address is deleted Revert "ipv4: Fix incorrect route flushing when source address is deleted" xfs: sync lazy sb accounting on quiesce of read-only mounts xfs: prevent UAF in xfs_log_item_in_current_chkpt xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks xfs: ensure inobt record walks always make forward progress xfs: fix missing CoW blocks writeback conversion retry xfs: only relog deferred intent items if free space in the log gets low xfs: expose the log push threshold xfs: periodically relog deferred intent items xfs: change the order in which child and parent defer ops are finished xfs: fix an incore inode UAF in xfs_bui_recover xfs: clean up xfs_bui_item_recover iget/trans_alloc/ilock ordering xfs: clean up bmap intent item recovery checking xfs: xfs_defer_capture should absorb remaining transaction reservation xfs: xfs_defer_capture should absorb remaining block reservations xfs: proper replay of deferred ops queued during log recovery xfs: fix finobt btree block recovery ordering xfs: log new intent items created as part of finishing recovered intent items xfs: refactor xfs_defer_finish_noroll xfs: turn dfp_intent into a xfs_log_item xfs: merge the ->diff_items defer op into ->create_intent xfs: merge the ->log_item defer op into ->create_intent xfs: factor out a xfs_defer_create_intent helper xfs: remove the xfs_inode_log_item_t typedef xfs: remove the xfs_efd_log_item_t typedef xfs: remove the xfs_efi_log_item_t typedef netfilter: nft_tproxy: restrict to prerouting hook btrfs: free device in btrfs_close_devices for a single device filesystem aio: fix mremap after fork null-deref nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association s390/decompressor: specify __decompress() buf len to avoid overflow net: sched: sch: Bounds check priority net: stmmac: do not stop RX_CLK in Rx LPI state for qcs404 SoC net/rose: Fix to not accept on connected socket tools/virtio: fix the vringh test for virtio ring changes ASoC: cs42l56: fix DT probe selftests/bpf: Verify copy_register_state() preserves parent/live fields migrate: hugetlb: check for hugetlb shared PMD in node migration bpf: Always return target ifindex in bpf_fib_lookup nvme-pci: Move enumeration by class to be last in the table arm64: dts: meson-axg: Make mmc host controller interrupts level-sensitive arm64: dts: meson-g12-common: Make mmc host controller interrupts level-sensitive arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte ceph: flush cap releases when the session is flushed usb: typec: altmodes/displayport: Fix probe pin assign check usb: core: add quirk for Alcor Link AK9563 smartcard reader net: USB: Fix wrong-direction WARNING in plusb.c pinctrl: intel: Restore the pins that used to be in Direct IRQ mode pinctrl: single: fix potential NULL dereference pinctrl: aspeed: Fix confusing types in return value ALSA: pci: lx6464es: fix a debug loop selftests: forwarding: lib: quote the sysctl values rds: rds_rm_zerocopy_callback() use list_first_entry() ice: Do not use WQ_MEM_RECLAIM flag for workqueue ionic: clean interrupt before enabling queue to avoid credit race net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal PHY bonding: fix error checking in bond_debug_reregister() xfrm: fix bug with DSCP copy to v6 from v4 tunnel RDMA/usnic: use iommu_map_atomic() under spin_lock() iommu: Add gfp parameter to iommu_ops::map IB/IPoIB: Fix legacy IPoIB due to wrong number of queues IB/hfi1: Restore allocated resources on failed copyout can: j1939: do not wait 250 ms if the same addr was already claimed tracing: Fix poll() and select() do not work on per_cpu trace_pipe and trace_pipe_raw ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() btrfs: zlib: zero-initialize zlib workspace btrfs: limit device extents to the device size iio:adc:twl6030: Enable measurement of VAC wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads f2fs: fix to do sanity check on i_extra_isize in is_alive() fbdev: smscufx: fix error handling code in ufx_usb_probe powerpc/imc-pmu: Revert nest_init_lock to being a mutex serial: 8250_dma: Fix DMA Rx rearm race serial: 8250_dma: Fix DMA Rx completion race xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() mm: swap: properly update readahead statistics in unuse_pte_range() nvmem: core: fix cell removal on error Squashfs: fix handling and sanity checking of xattr_ids count mm/swapfile: add cond_resched() in get_swap_pages() fpga: stratix10-soc: Fix return value check in s10_ops_write_init() mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps riscv: disable generation of unwind tables parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case parisc: Fix return code of pdc_iodc_print() iio:adc:twl6030: Enable measurements of VUSB, VBAT and others iio: adc: berlin2-adc: Add missing of_node_put() in error path iio: hid: fix the retval in accel_3d_capture_sample efi: Accept version 2 of memory attributes table watchdog: diag288_wdt: fix __diag288() inline assembly watchdog: diag288_wdt: do not use stack buffers for hardware data fbcon: Check font dimension limits Input: i8042 - add Clevo PCX0DX to i8042 quirk table Input: i8042 - add TUXEDO devices to i8042 quirk tables Input: i8042 - merge quirk tables Input: i8042 - move __initconst to fix code styling warning vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait usb: dwc3: qcom: enable vbus override when in OTG dr-mode usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API iio: adc: stm32-dfsdm: fill module aliases net/x25: Fix to not accept on connected socket i2c: rk3x: fix a bunch of kernel-doc warnings scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress scsi: target: core: Fix warning on RT kernels efi: fix potential NULL deref in efi_mem_reserve_persistent net: openvswitch: fix flow memory leak in ovs_flow_cmd_new virtio-net: Keep stop() to follow mirror sequence of open() selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are provided selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler warning ata: libata: Fix sata_down_spd_limit() when no link speed is reported can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate net: phy: meson-gxl: Add generic dummy stubs for MMD register access squashfs: harden sanity check in squashfs_read_xattr_id_table netfilter: br_netfilter: disable sabotage_in hook after first suppression netrom: Fix use-after-free caused by accept on already connected socket fix "direction" argument of iov_iter_kvec() fix iov_iter_bvec() "direction" argument WRITE is "data source", not destination... scsi: Revert "scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT" arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after use bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region Linux 5.4.231 Revert "xprtrdma: Fix regbuf data not freed in rpcrdma_req_create()" usb: host: xhci-plat: add wakeup entry at sysfs Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt ipv6: ensure sane device mtu in tunnels exit: Use READ_ONCE() for all oops/warn limit reads docs: Fix path paste-o for /sys/kernel/warn_count panic: Expose "warn_count" to sysfs panic: Introduce warn_limit panic: Consolidate open-coded panic_on_warn checks exit: Allow oops_limit to be disabled exit: Expose "oops_count" to sysfs exit: Put an upper limit on how often we can oops ia64: make IA64_MCA_RECOVERY bool instead of tristate csky: Fix function name in csky_alignment() and die() h8300: Fix build errors from do_exit() to make_task_dead() transition hexagon: Fix function name in die() objtool: Add a missing comma to avoid string concatenation exit: Add and use make_task_dead. mm: kasan: do not panic if both panic_on_warn and kasan_multishot set panic: unset panic_on_warn inside panic() sysctl: add a new register_sysctl_init() interface dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init blk-cgroup: fix missing pd_online_fn() while activating policy bpf: Skip task with pid=1 in send_signal_common() ARM: dts: imx: Fix pca9547 i2c-mux node name x86/asm: Fix an assembler warning with current binutils clk: Fix pointer casting to prevent oops in devm_clk_release() perf/x86/amd: fix potential integer overflow on shift of a int netfilter: conntrack: unify established states for SCTP paths x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL block: fix and cleanup bio_check_ro nfsd: Ensure knfsd shuts down when the "nfsd" pseudofs is unmounted Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode" net: mdio-mux-meson-g12a: force internal PHY off on mux switch net: xgene: Move shared header file into include/linux net/phy/mdio-i2c: Move header file to include/linux/mdio net/tg3: resolve deadlock in tg3_reset_task() during EEH thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() net: ravb: Fix possible hang if RIS2_QFF1 happen sctp: fail if no bound addresses can be used for a given scope net/sched: sch_taprio: do not schedule in taprio_reset() netrom: Fix use-after-free of a listening socket. netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE ipv4: prevent potential spectre v1 gadget in fib_metrics_match() ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() netlink: annotate data races around sk_state netlink: annotate data races around dst_portid and dst_group netlink: annotate data races around nlk->portid netfilter: nft_set_rbtree: skip elements in transaction from garbage collection net: fix UaF in netns ops registration error path netlink: prevent potential spectre v1 gadgets EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info EDAC/device: Respect any driver-supplied workqueue polling value ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment thermal: intel: int340x: Protect trip temperature from concurrent updates KVM: x86/vmx: Do not skip segment attributes if unusable bit is set cifs: Fix oops due to uncleared server->smbd_conn in reconnect ftrace/scripts: Update the instructions for ftrace-bisect.sh trace_events_hist: add check for return value of 'create_hist_field' tracing: Make sure trace_printk() can output as soon as it can be used module: Don't wait for GOING modules scsi: hpsa: Fix allocation size for scsi_host_alloc() Bluetooth: hci_sync: cancel cmd_timer if hci_open failed Revert "Revert "xhci: Set HCD flag to defer primary roothub registration"" fs: reiserfs: remove useless new_opts in reiserfs_remount netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state Revert "selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID" mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting mmc: sdhci-esdhc-imx: disable the CMD CRC check for standard tuning mmc: sdhci-esdhc-imx: clear pending interrupt and halt cqhci lockref: stop doing cpu_relax in the cmpxchg loop platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK platform/x86: touchscreen_dmi: Add info for the CSL Panther Tab HD scsi: hisi_sas: Set a port invalid only if there are no devices attached when refreshing port id KVM: s390: interrupt: use READ_ONCE() before cmpxchg() spi: spidev: remove debug messages that access spidev->spi without locking ASoC: fsl-asoc-card: Fix naming of AC'97 CODEC widgets ASoC: fsl_ssi: Rename AC'97 streams to avoid collisions with AC'97 CODEC cpufreq: armada-37xx: stop using 0 as NULL pointer s390/debug: add _ASM_S390_ prefix to header guard drm: Add orientation quirk for Lenovo ideapad D330-10IGL ASoC: fsl_micfil: Correct the number of steps on SX controls cpufreq: Add Tegra234 to cpufreq-dt-platdev blocklist tcp: fix rate_app_limited to default to 1 net: dsa: microchip: ksz9477: port map correction in ALU table entry register driver core: Fix test_async_probe_init saves device in wrong array w1: fix WARNING after calling w1_process() w1: fix deadloop in __w1_remove_master_device() tcp: avoid the lookup process failing to get sk in ehash table dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node() dmaengine: xilinx_dma: Fix devm_platform_ioremap_resource error handling dmaengine: xilinx_dma: use devm_platform_ioremap_resource() HID: betop: check shape of output reports net: macb: fix PTP TX timestamp failure due to packet padding dmaengine: Fix double increment of client_count in dma_chan_get() drm/panfrost: fix GENERIC_ATOMIC64 dependency net: mlx5: eliminate anonymous module_init & module_exit usb: gadget: f_fs: Ensure ep0req is dequeued before free_request usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait HID: revert CHERRY_MOUSE_000C quirk net: stmmac: fix invalid call to mdiobus_get_phy() HID: check empty report_list in bigben_probe() HID: check empty report_list in hid_validate_values() net: mdio: validate parameter addr in mdiobus_get_phy() net: usb: sr9700: Handle negative len l2tp: Don't sleep and disable BH under writer-side sk_callback_lock l2tp: Serialize access to sk_user_data with sk_callback_lock net: fix a concurrency bug in l2tp_tunnel_register() net/sched: sch_taprio: fix possible use-after-free wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode net: wan: Add checks for NULL for utdm in undo_uhdlc_init and unmap_si_regs net: nfc: Fix use-after-free in local_cleanup() phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation amd-xgbe: Delay AN timeout during KR training amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent affs: initialize fsdata in affs_truncate() IB/hfi1: Fix expected receive setup error exit issues IB/hfi1: Reserve user expected TIDs IB/hfi1: Reject a zero-length user expected buffer RDMA/core: Fix ib block iterator counter overflow tomoyo: fix broken dependency on *.conf.default EDAC/highbank: Fix memory leak in highbank_mc_probe() HID: intel_ish-hid: Add check for ishtp_dma_tx_map ARM: imx: add missing of_node_put() ARM: imx35: Retrieve the IIM base address from devicetree ARM: imx31: Retrieve the IIM base address from devicetree ARM: imx27: Retrieve the SYSCTRL base address from devicetree ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe() memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe() clk: Provide new devm_clk helpers for prepared and enabled clocks clk: generalize devm_clk_get() a bit Linux 5.4.230 mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix drm/amd/display: Fix set scaling doesn's work drm/i915: re-disable RC6p on Sandy Bridge gsmi: fix null-deref in gsmi_get_variable serial: atmel: fix incorrect baudrate setup dmaengine: tegra210-adma: fix global intr clear serial: pch_uart: Pass correct sg to dma_unmap_sg() dt-bindings: phy: g12a-usb3-pcie-phy: fix compatible string documentation usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() usb: gadget: g_webcam: Send color matching descriptor per frame usb: typec: altmodes/displayport: Fix pin assignment calculation usb: typec: altmodes/displayport: Add pin assignment helper usb: host: ehci-fsl: Fix module alias USB: serial: cp210x: add SCALANCE LPE-9000 device id USB: gadgetfs: Fix race between mounting and unmounting cifs: do not include page data when checking signature btrfs: fix race between quota rescan and disable leading to NULL pointer deref mmc: sunxi-mmc: Fix clock refcount imbalance during unbind comedi: adv_pci1760: Fix PWM instruction handling usb: core: hub: disable autosuspend for TI TUSB8041 misc: fastrpc: Fix use-after-free race condition for maps misc: fastrpc: Don't remove map on creater_process and device_release USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 USB: serial: option: add Quectel EM05CN modem USB: serial: option: add Quectel EM05CN (SG) modem USB: serial: option: add Quectel EC200U modem USB: serial: option: add Quectel EM05-G (RS) modem USB: serial: option: add Quectel EM05-G (CS) modem USB: serial: option: add Quectel EM05-G (GR) modem prlimit: do_prlimit needs to have a speculation check xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables usb: acpi: add helper to check port lpm capability using acpi _DSM xhci: Add a flag to disable USB3 lpm on a xhci root port level. xhci: Add update_hub_device override for PCI xHCI hosts xhci: Fix null pointer dereference when host dies usb: xhci: Check endpoint is valid before dereferencing it xhci-pci: set the dma max_seg_size ALSA: hda/realtek - Turn on power early drm/i915/gt: Reset twice efi: fix userspace infinite retry read efivars after EFI runtime services page fault nilfs2: fix general protection fault in nilfs_btree_insert() Add exception protection processing for vd in axi_chan_handle_err function wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices f2fs: let's avoid panic if extent_tree is not created RDMA/srp: Move large values to a new enum for gcc13 net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID pNFS/filelayout: Fix coalescing test for single DS Revert "net: add atomic_long_t to net_device_stats fields" Revert "PM/devfreq: governor: Add a private governor_data for governor" Linux 5.4.229 tipc: call tipc_lxc_xmit without holding node_read_lock ocfs2: fix freeing uninitialized resource on ocfs2_dlm_shutdown tipc: Add a missing case of TIPC_DIRECT_MSG type tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't started tipc: fix use-after-free in tipc_disc_rcv() Revert "usb: ulpi: defer ulpi_register on ulpi_read_id timeout" mm: Always release pages to the buddy allocator in memblock_free_late(). efi: fix NULL-deref in init error path arm64: cmpxchg_double*: hazard against entire exchange variable arm64: atomics: remove LL/SC trampolines arm64: atomics: format whitespace consistently drm/virtio: Fix GEM handle creation UAF x86/resctrl: Fix task CLOSID/RMID update race x86/resctrl: Use task_curr() instead of task_struct->on_cpu to prevent unnecessary IPI iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe() iommu/mediatek-v1: Add error handle for mtk_iommu_probe net/mlx5: Fix ptp max frequency adjustment range net/mlx5: Rename ptp clock info net/sched: act_mpls: Fix warning during failed attribute validation nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() hvc/xen: lock console list traversal tipc: fix unexpected link reset due to discovery messages tipc: eliminate checking netns if node established tipc: improve throughput between nodes in netns regulator: da9211: Use irq handler when ready EDAC/device: Fix period calculation in edac_device_reset_delay_period() x86/boot: Avoid using Intel mnemonics in AT&T syntax asm powerpc/imc-pmu: Fix use of mutex in IRQs disabled section netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. ext4: fix uninititialized value in 'ext4_evict_inode' ext4: fix use-after-free in ext4_orphan_cleanup ext4: lost matching-pair of trace in ext4_truncate ext4: fix bug_on in __es_tree_search caused by bad quota inode quota: Factor out setup of quota inode jbd2: use the correct print format usb: ulpi: defer ulpi_register on ulpi_read_id timeout wifi: wilc1000: sdio: fix module autoloading ipv6: raw: Deduct extension header length in rawv6_push_pending_frames ixgbe: fix pci device refcount leak platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe drm/msm/adreno: Make adreno quirks not overwrite each other cifs: Fix uninitialized memory read for smb311 posix symlink create ALSA: hda/hdmi: Add a HP device 0x8715 to force connect list ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF net/ulp: prevent ULP without clone op from entering the LISTEN status s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple() s390/kexec: fix ipl report address for kdump perf auxtrace: Fix address filter duplicate symbol selection docs: Fix the docs build with Sphinx 6.0 efi: tpm: Avoid READ_ONCE() for accessing the event log KVM: arm64: Fix S1PTW handling on RO memslots net: sched: disallow noqueue for qdisc classes driver core: Fix bus_type.match() error handling in __driver_attach() selftests: set the BUILD variable to absolute path selftests: Fix kselftest O=objdir build from cluttering top level objdir parisc: Align parisc MADV_XXX constants with all other architectures mbcache: Avoid nesting of cache->c_list_lock under bit locks hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling hfs/hfsplus: use WARN_ON for sanity check ext4: don't allow journal inode to have encrypt flag riscv: uaccess: fix type of 0 variable on error in get_user() nfsd: fix handling of readdir in v4root vs. mount upcall timeout x86/bugs: Flush IBP in ib_prctl_set() ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet udf: Fix extension of the last extent in the file caif: fix memory leak in cfctrl_linkup_request() drm/i915: unpin on error in intel_vgpu_shadow_mm_pin() usb: rndis_host: Secure rndis_query check against int overflow drivers/net/bonding/bond_3ad: return when there's no aggregator perf tools: Fix resources leak in perf_data__open_dir() net: sched: cbq: dont intepret cls results when asked to drop net: sched: atm: dont intepret cls results when asked to drop RDMA/mlx5: Fix validation of max_rd_atomic caps for DC RDMA/uverbs: Silence shiftTooManyBitsSigned warning net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe net: amd-xgbe: add missed tasklet_kill vhost: fix range used in translate_desc() nfc: Fix potential resource leaks qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure net: sched: fix memory leak in tcindex_set_parms net: hns3: add interrupts re-initialization while doing VF FLR nfsd: shut down the NFSv4 state objects before the filecache bpf: pull before calling skb_postpull_rcsum() SUNRPC: ensure the matching upcall is in-flight upon downcall ext4: fix deadlock due to mbcache entry corruption mbcache: automatically delete entries from cache on freeing ext4: fix race when reusing xattr blocks ext4: unindent codeblock in ext4_xattr_block_set() ext4: remove EA inode entry from mbcache on inode eviction mbcache: add functions to delete entry if unused mbcache: don't reclaim used entries ext4: use kmemdup() to replace kmalloc + memcpy fs: ext4: initialize fsdata in pagecache_write() ext4: use memcpy_to_page() in pagecache_write() mm/highmem: Lift memcpy_[to|from]_page to core ext4: correct inconsistent error msg in nojournal mode ext4: goto right label 'failed_mount3a' ravb: Fix "failed to switch device to config mode" message during unbind KVM: nVMX: Properly expose ENABLE_USR_WAIT_PAUSE control to L1 KVM: VMX: Fix the spelling of CPU_BASED_USE_TSC_OFFSETTING KVM: VMX: Rename NMI_PENDING to NMI_WINDOW KVM: VMX: Rename INTERRUPT_PENDING to INTERRUPT_WINDOW KVM: retpolines: x86: eliminate retpoline from vmx.c exit handlers KVM: x86: optimize more exit handlers in vmx.c perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor dm thin: resume even if in FAIL mode media: s5p-mfc: Fix in register read and write for H264 media: s5p-mfc: Clear workbit to handle error condition media: s5p-mfc: Fix to handle reference queue during finishing PM/devfreq: governor: Add a private governor_data for governor btrfs: replace strncpy() with strscpy() ext4: allocate extended attribute value in vmalloc area ext4: avoid unaccounted block allocation when expanding inode ext4: initialize quota before expanding inode in setproject ioctl ext4: fix inode leak in ext4_xattr_inode_create() on an error path ext4: avoid BUG_ON when creating xattrs ext4: fix error code return to user-space in ext4_get_branch() ext4: fix corruption when online resizing a 1K bigalloc fs ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline ext4: init quota for 'old.inode' in 'ext4_rename' ext4: fix bug_on in __es_tree_search caused by bad boot loader inode ext4: fix reserved cluster accounting in __es_remove_extent() ext4: add helper to check quota inums ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode ext4: fix undefined behavior in bit shift for ext4_check_flag_values ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop drm/vmwgfx: Validate the box size for the snooped cursor drm/connector: send hotplug uevent on connector cleanup device_cgroup: Roll back to original exceptions after copy failure parisc: led: Fix potential null-ptr-deref in start_task() iommu/amd: Fix ivrs_acpihid cmdline parsing code crypto: n2 - add missing hash statesize PCI/sysfs: Fix double free in error path PCI: Fix pci_device_is_present() for VFs by checking PF ipmi: fix use after free in _ipmi_destroy_user() ima: Fix a potential NULL pointer access in ima_restore_measurement_list mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type() ipmi: fix long wait in unload when IPMI disconnect efi: Add iMac Pro 2017 to uefi skip cert quirk md/bitmap: Fix bitmap chunk size overflow issues cifs: fix missing display of three mount options cifs: fix confusing debug message media: dvb-core: Fix UAF due to refcount races at releasing media: dvb-core: Fix double free in dvb_register_device() ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line tracing/hist: Fix wrong return value in parse_action_params() x86/microcode/intel: Do not retry microcode reloading on the APs tracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx' dm cache: set needs_check flag after aborting metadata dm cache: Fix UAF in destroy() dm clone: Fix UAF in clone_dtr() dm integrity: Fix UAF in dm_integrity_dtr() dm thin: Fix UAF in run_timer_softirq() dm thin: Use last transaction's pmd->root when commit failed dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort binfmt: Fix error return code in load_elf_fdpic_binary() binfmt: Move install_exec_creds after setup_new_exec to match binfmt_elf cpufreq: Init completion before kobject_init_and_add() selftests: Use optional USERCFLAGS and USERLDFLAGS arm64: dts: qcom: sdm850-lenovo-yoga-c630: correct I2C12 pins drive strength ARM: ux500: do not directly dereference __iomem btrfs: fix resolving backrefs for inline extent followed by prealloc mmc: sdhci-sprd: Disable CLK_AUTO when the clock is less than 400K ktest.pl minconfig: Unset configs instead of just removing them kest.pl: Fix grub2 menu handling for rebooting soc: qcom: Select REMAP_MMIO for LLCC driver media: stv0288: use explicitly signed char net/af_packet: make sure to pull mac header net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING f2fs: should put a page when checking the summary info mm, compaction: fix fast_isolate_around() to stay within boundaries md: fix a crash in mempool_free pnode: terminate at peers of source ALSA: line6: fix stack overflow in line6_midi_transmit ALSA: line6: correct midi status byte when receiving data from podxt ovl: Use ovl mounter's fsuid and fsgid in ovl_link() hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount HID: plantronics: Additional PIDs for double volume key presses quirk HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint powerpc/rtas: avoid scheduling in rtas_os_term() powerpc/rtas: avoid device tree lookups in rtas_os_term() objtool: Fix SEGFAULT nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition nvme: resync include/linux/nvme.h with nvmecli ata: ahci: Fix PCS quirk application for suspend nvme-pci: fix doorbell buffer value endianness cifs: fix oops during encryption media: dvbdev: fix refcnt bug media: dvbdev: fix build warning due to comments gcov: add support for checksum field regulator: core: fix deadlock on regulator enable iio: adc128s052: add proper .data members in adc128_of_match table iio: adc: ad_sigma_delta: do not use internal iio_dev lock reiserfs: Add missing calls to reiserfs_security_free() HID: wacom: Ensure bootloader PID is usable in hidraw mode usb: dwc3: core: defer probe on ulpi_read_id timeout ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion ASoC: rt5670: Remove unbalanced pm_runtime_put() ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume() ASoC: wm8994: Fix potential deadlock ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume() ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link() ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe() ASoC: Intel: Skylake: Fix driver hang during shutdown ALSA: hda: add snd_hdac_stop_streams() helper ALSA/ASoC: hda: move/rename snd_hdac_ext_stop_streams to hdac_stream.c orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init() orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() clk: st: Fix memory leak in st_of_quadfs_setup() media: si470x: Fix use-after-free in si470x_int_in_callback() mmc: f-sdh30: Add quirks for broken timeout clock capability regulator: core: fix use_count leakage when handling boot-on blk-mq: fix possible memleak when register 'hctx' failed media: dvb-usb: fix memory leak in dvb_usb_adapter_init() media: dvbdev: adopts refcnt to avoid UAF media: dvb-frontends: fix leak of memory fw bpf: Prevent decl_tag from being referenced in func_proto arg ppp: associate skb with a device at tx mrp: introduce active flags to prevent UAF when applicant uninit net: add atomic_long_t to net_device_stats fields md/raid1: stop mdx_raid1 thread when raid1 array run failed drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() drm/sti: Use drm_mode_copy() drm/rockchip: Use drm_mode_copy() s390/lcs: Fix return type of lcs_start_xmit() s390/netiucv: Fix return type of netiucv_tx() s390/ctcm: Fix return type of ctc{mp,}m_tx() igb: Do not free q_vector unless new one was allocated wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() hamradio: baycom_epp: Fix return type of baycom_send_packet() net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() bpf: make sure skb->len != 0 when redirecting to a tunneling device ipmi: fix memleak when unload ipmi driver ASoC: codecs: rt298: Add quirk for KBL-R RVP platform wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out wifi: ath9k: verify the expected usb_endpoints are present brcmfmac: return error when getting invalid max_flowrings from dongle drm/etnaviv: add missing quirks for GC300 hfs: fix OOB Read in __hfs_brec_find acct: fix potential integer overflow in encode_comp_t() nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() ACPICA: Fix error code path in acpi_ds_call_control_method() fs: jfs: fix shift-out-of-bounds in dbDiscardAG udf: Avoid double brelse() in udf_rename() fs: jfs: fix shift-out-of-bounds in dbAllocAG binfmt_misc: fix shift-out-of-bounds in check_special_flags rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state() net: stream: purge sk_error_queue in sk_stream_kill_queues() myri10ge: Fix an error handling path in myri10ge_probe() rxrpc: Fix missing unlock in rxrpc_do_sendmsg() net_sched: reject TCF_EM_SIMPLE case for complex ematch module mailbox: zynq-ipi: fix error handling while device_register() fails skbuff: Account for tail adjustment during pull operations openvswitch: Fix flow lookup to use unmasked key rtc: mxc_v2: Add missing clk_disable_unprepare() r6040: Fix kmemleak in probe and remove nfc: pn533: Clear nfc_target before being used mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure NFSD: Add tracepoints to NFSD's duplicate reply cache nfsd: Define the file access mode enum for tracing rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe() rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe() remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in adsp_alloc_memory_region() remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev() pwm: sifive: Call pwm_sifive_update_clock() while mutex is held selftests/powerpc: Fix resource leaks powerpc/hv-gpci: Fix hv_gpci event list powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe() powerpc/perf: callchain validate kernel stack pointer bounds powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data() cxl: Fix refcount leak in cxl_calc_capp_routing powerpc/52xx: Fix a resource leak in an error handling path macintosh/macio-adb: check the return value of ioremap() macintosh: fix possible memory leak in macio_add_one_device() iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe() iommu/amd: Fix pci device refcount leak in ppr_notifier() rtc: pcf85063: Fix reading alarm rtc: snvs: Allow a time difference on clock register read include/uapi/linux/swab: Fix potentially missing __always_inline RDMA/siw: Fix pointer cast warning power: supply: fix null pointer dereferencing in power_supply_get_battery_info HSI: omap_ssi_core: Fix error handling in ssi_init() perf symbol: correction while adjusting symbol perf trace: Handle failure when trace point folder is missed perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number perf trace: Add a strtoul() method to 'struct syscall_arg_fmt' perf trace: Allow associating scnprintf routines with well known arg names perf trace: Add the syscall_arg_fmt pointer to syscall_arg perf trace: Factor out the initialization of syscal_arg_fmt->scnprintf perf trace: Separate 'struct syscall_fmt' definition from syscall_fmts variable perf trace: Return error if a system call doesn't exist power: supply: fix residue sysfs file in error handle route of __power_supply_register() HSI: omap_ssi_core: fix possible memory leak in ssi_probe() HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() fbdev: vermilion: decrease reference count in error path fbdev: via: Fix error in via_core_init() fbdev: pm2fb: fix missing pci_disable_device() fbdev: ssd1307fb: Drop optional dependency samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe() tracing/hist: Fix issue of losting command info in error_log usb: storage: Add check for kcalloc i2c: ismt: Fix an out-of-bounds bug in ismt_access() vme: Fix error not catched in fake_init() staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor() staging: rtl8192u: Fix use after free in ieee80211_rx() i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe chardev: fix error handling in cdev_device_add() mcb: mcb-parse: fix error handing in chameleon_parse_gdd() drivers: mcb: fix resource leak in mcb_probe() usb: gadget: f_hid: fix refcount leak on error path usb: gadget: f_hid: fix f_hidg lifetime vs cdev usb: gadget: f_hid: optional SETUP/SET_REPORT mode usb: roles: fix of node refcount leak in usb_role_switch_is_parent() counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() misc: ocxl: fix possible name leak in ocxl_file_register_afu() test_firmware: fix memory leak in test_firmware_init() serial: sunsab: Fix error handling in sunsab_init() serial: altera_uart: fix locking in polling mode tty: serial: altera_uart_{r,t}x_chars() need only uart_port tty: serial: clean up stop-tx part in altera_uart_tx_chars() serial: pch: Fix PCI device refcount leak in pch_request_dma() serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle. serial: amba-pl011: avoid SBSA UART accessing DMACR register usb: typec: tcpci: fix of node refcount leak in tcpci_register_port() usb: typec: Check for ops->exit instead of ops->enter in altmode_exit staging: vme_user: Fix possible UAF in tsi148_dma_list_add usb: fotg210-udc: Fix ages old endianness issues uio: uio_dmem_genirq: Fix deadlock between irq config and handling uio: uio_dmem_genirq: Fix missing unlock in irq configuration vfio: platform: Do not pass return buffer to ACPI _RST method class: fix possible memory leak in __class_register() serial: tegra: Read DMA status before terminating tty: serial: tegra: Activate RX DMA transfer by request drivers: dio: fix possible memory leak in dio_init() IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces hwrng: geode - Fix PCI device refcount leak hwrng: amd - Fix PCI device refcount leak crypto: img-hash - Fix variable dereferenced before check 'hdev->req' orangefs: Fix sysfs not cleanup when dev init failed RDMA/hfi1: Fix error return code in parse_platform_config() crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe() f2fs: avoid victim selection from previous victim section RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps() scsi: snic: Fix possible UAF in snic_tgt_create() scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails scsi: ipr: Fix WARNING in ipr_init() scsi: fcoe: Fix possible name leak when device_register() fails scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() scsi: hpsa: Fix error handling in hpsa_add_sas_host() scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add() crypto: tcrypt - Fix multibuffer skcipher speed test mem leak scsi: hpsa: Fix possible memory leak in hpsa_init_one() RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed crypto: ccree - Make cc_debugfs_global_fini() available for module init function RDMA/hfi: Decrease PCI device reference count in error path PCI: Check for alloc failure in pci_request_irq() crypto: ccree - Remove debugfs when platform_driver_register failed crypto: ccree - swap SHA384 and SHA512 larval hashes at build time scsi: scsi_debug: Fix a warning in resp_write_scat() RDMA/siw: Set defined status for work completion with undefined status RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port RDMA/siw: Fix immediate work request flush to completion queue f2fs: fix normal discard process RDMA/core: Fix order of nldev_exit call apparmor: Use pointer to struct aa_label for lbs_cred apparmor: Fix abi check to include v8 abi apparmor: fix lockdep warning when removing a namespace apparmor: fix a memleak in multi_transaction_new() stmmac: fix potential division by 0 Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave() ntb_netdev: Use dev_kfree_skb_any() in interrupt context net: lan9303: Fix read error execution path can: tcan4x5x: Remove invalid write in clear_interrupts net: amd-xgbe: Check only the minimum speed for active/passive cables net: amd-xgbe: Fix logic around active and passive cables net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave() hamradio: don't call dev_kfree_skb() under spin_lock_irqsave() net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave() net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave() net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave() net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave() net/tunnel: wait until all sk_user_data reader finish before releasing the sock net: farsync: Fix kmemleak when rmmods farsync ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave() of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop() drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload() net: defxx: Fix missing err handling in dfx_init() net: vmw_vsock: vmci: Check memcpy_from_msg() clk: socfpga: Fix memory leak in socfpga_gate_init() clk: socfpga: use clk_hw_register for a5/c5 clk: socfpga: clk-pll: Remove unused variable 'rc' blktrace: Fix output non-blktrace event when blk_classic option enabled wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h spi: spi-gpio: Don't set MOSI as an input if not 3WIRE mode clk: samsung: Fix memory leak in _samsung_clk_register_pll() media: coda: Add check for kmalloc media: coda: Add check for dcoda_iram_alloc media: c8sectpfe: Add of_node_put() when breaking out of loop mmc: mmci: fix return value check of mmc_add_host() mmc: wbsd: fix return value check of mmc_add_host() mmc: via-sdmmc: fix return value check of mmc_add_host() mmc: meson-gx: fix return value check of mmc_add_host() mmc: omap_hsmmc: fix return value check of mmc_add_host() mmc: atmel-mci: fix return value check of mmc_add_host() mmc: wmt-sdmmc: fix return value check of mmc_add_host() mmc: vub300: fix return value check of mmc_add_host() mmc: toshsd: fix return value check of mmc_add_host() mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() mmc: pxamci: fix return value check of mmc_add_host() mmc: mxcmmc: fix return value check of mmc_add_host() mmc: moxart: fix return value check of mmc_add_host() mmc: alcor: fix return value check of mmc_add_host() NFSv4.x: Fail client initialisation if state manager thread can't run SUNRPC: Fix missing release socket in rpc_sockname() xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt media: saa7164: fix missing pci_disable_device() bpf, sockmap: fix race in sock_map_free() regulator: core: fix resource leak in regulator_register() configfs: fix possible memory leak in configfs_create_dir() hsr: Avoid double remove of a node. clk: qcom: clk-krait: fix wrong div2 functions regulator: core: fix module refcount leak in set_supply() wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE bonding: uninitialized variable in bond_miimon_inspect() bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data netfilter: conntrack: set icmpv6 redirects as RELATED ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() ASoC: mediatek: mt8173: Enable IRQ when pdata is ready wifi: iwlwifi: mvm: fix double free on tx path. ALSA: asihpi: fix missing pci_disable_device() NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn NFSv4.2: Fix initialisation of struct nfs4_label NFSv4.2: Fix a memory stomp in decode_attr_security_label NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd ASoC: dt-bindings: wcd9335: fix reset line polarity in example drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() media: dvb-core: Fix ignored return value in dvb_register_frontend() pinctrl: pinconf-generic: add missing of_node_put() clk: imx: replace osc_hdmi with dummy clk: imx8mn: correct the usb1_ctrl parent to be usb_bus media: imon: fix a race condition in send_packet() mtd: maps: pxa2xx-flash: fix memory leak in probe bonding: fix link recovery in mode 2 when updelay is nonzero bonding: Rename slave_arr to usable_slaves bonding: Export skip slave logic to function clk: rockchip: Fix memory leak in rockchip_clk_register_pll() regulator: core: use kfree_const() to free space conditionally ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT HID: hid-sensor-custom: set fixed size for custom attributes bpf: Move skb->len == 0 checks into __bpf_redirect media: videobuf-dma-contig: use dma_mmap_coherent media: platform: exynos4-is: Fix error handling in fimc_md_init() media: solo6x10: fix possible memory leak in solo_sysfs_init() Input: elants_i2c - properly handle the reset GPIO when power is off mtd: lpddr2_nvm: Fix possible null-ptr-deref wifi: ath10k: Fix return value in ath10k_pci_init() ima: Fix misuse of dereference of pointer in template_desc_init_fields() integrity: Fix memory leakage in keyring allocation error path amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table() regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() ASoC: pxa: fix null-pointer dereference in filter() drm/mediatek: Modify dpi power on/off sequence. drm/radeon: Add the missed acpi_put_table() to fix memory leak rxrpc: Fix ack.bufferSize to be 0 when generating an ack net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write() media: camss: Clean up received buffers on failed start of streaming wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port mtd: Fix device name leak when register device failed in add_mtd_device() bpf: propagate precision in ALU/ALU64 operations media: vivid: fix compose size exceed boundary ima: Handle -ESTALE returned by ima_filter_rule_match() ima: Fix fall-through warnings for Clang ima: Rename internal filter rule functions drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure spi: Update reference to struct spi_controller clk: renesas: r9a06g032: Repair grave increment error can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming can: kvaser_usb: Add struct kvaser_usb_busparams can: kvaser_usb_leaf: Fix bogus restart events can: kvaser_usb_leaf: Fix wrong CAN state after stopping can: kvaser_usb_leaf: Fix improved state not being reported can: kvaser_usb_leaf: Set Warning state even without bus errors can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device can: kvaser_usb: do not increase tx statistics when sending error message frames media: i2c: ad5820: Fix error path pata_ipx4xx_cf: Fix unsigned comparison with less than zero wifi: rtl8xxxu: Fix reading the vendor of combo chips wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() rapidio: devices: fix missing put_device in mport_cdev_open hfs: Fix OOB Write in hfs_asc2mac relay: fix type mismatch when allocating memory in relay_create_buf() eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD rapidio: fix possible UAF when kfifo_alloc() fails fs: sysv: Fix sysv_nblocks() returns wrong value MIPS: OCTEON: warn only once if deprecated link status is being used MIPS: BCM63xx: Add check for NULL for clk in clk_enable platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() PM: runtime: Do not call __rpm_callback() from rpm_idle() PM: runtime: Improve path in rpm_idle() when no callback xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() x86/xen: Fix memory leak in xen_init_lock_cpu() x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() xen/events: only register debug interrupt for 2-level events uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled rapidio: rio: fix possible name leak in rio_register_mport() rapidio: fix possible name leaks when rio_add_device() fails ocfs2: fix memory leak in ocfs2_mount_volume() ocfs2: rewrite error handling of ocfs2_fill_super ocfs2: ocfs2_mount_volume does cleanup job before return error debugfs: fix error when writing negative value to atomic_t debugfs file docs: fault-injection: fix non-working usage of negative values lib/notifier-error-inject: fix error when writing -errno to debugfs file libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() genirq/irqdesc: Don't try to remove non-existing sysfs files nfsd: don't call nfsd_file_put from client states seqfile display EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox() PNP: fix name memory leak in pnp_alloc_dev() selftests/efivarfs: Add checking of the test return value MIPS: vpe-cmp: fix possible memory leak while module exiting MIPS: vpe-mt: fix possible memory leak while module exiting ocfs2: fix memory leak in ocfs2_stack_glue_init() lib/fonts: fix undefined behavior in bit shift for get_default_font proc: fixup uptime selftest timerqueue: Use rb_entry_safe() in timerqueue_getnext() perf: Fix possible memleak in pmu_dev_alloc() selftests/ftrace: event_triggers: wait longer for test_event_enable fs: don't audit the capability check in simple_xattr_list() PM: hibernate: Fix mistake in kerneldoc comment alpha: fix syscall entry in !AUDUT_SYSCALL case cpuidle: dt: Return the correct numbers of parsed idle states tpm/tpm_crb: Fix error message in __crb_relinquish_locality() pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP ARM: mmp: fix timer_read delay pstore/ram: Fix error return code in ramoops_probe() arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC ARM: dts: turris-omnia: Add switch port 6 node ARM: dts: turris-omnia: Add ethernet aliases ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name arm64: dts: mt2712-evb: Fix usb vbus regulators unit names arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names arm64: dts: mt2712e: Fix unit address for pinctrl node arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init() perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init() soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe soc: ti: knav_qmss_queue: Use pm_runtime_resume_and_get instead of pm_runtime_get_sync arm: dts: spear600: Fix clcd interrupt drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static arm64: dts: qcom: sdm845-cheza: fix AP suspend pin bias ARM: dts: qcom: apq8064: fix coresight compatible usb: musb: remove extra check in musb_gadget_vbus_draw net: loopback: use NET_NAME_PREDICTABLE for name_assign_type Bluetooth: L2CAP: Fix u8 overflow HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10 HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch 10E HID: ite: Add support for Acer S1002 keyboard-dock xen-netback: move removal of "hotplug-status" to the right place igb: Initialize mailbox message for VF reset USB: serial: f81534: fix division by zero on line-speed change USB: serial: f81232: fix division by zero on line-speed change USB: serial: cp210x: add Kamstrup RF sniffer PIDs USB: serial: option: add Quectel EM05-G modem usb: gadget: uvc: Prevent buffer overflow in setup handler udf: Fix extending file within last block udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size udf: Fix preallocation discarding at indirect extent boundary udf: Discard preallocation before extending file with a hole tracing/ring-buffer: Only do full wait when cpu != RING_BUFFER_ALL_CPUS ANDROID: Add more hvc devices for virtio-console. Revert "can: af_can: fix NULL pointer dereference in can_rcv_filter" ANDROID: Revert "tracing/ring-buffer: Have polling block on watermark" Linux 5.4.228 ASoC: ops: Correct bounds check for second channel on SX controls can: mcba_usb: Fix termination command argument can: sja1000: fix size of OCR_MODE_MASK define pinctrl: meditatek: Startup with the IRQs disabled ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() nfp: fix use-after-free in area_cache_get() block: unhash blkdev part inode when the part is deleted mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page x86/smpboot: Move rcu_cpu_starting() earlier net: bpf: Allow TC programs to call BPF_FUNC_skb_change_head Linux 5.4.227 can: esd_usb: Allow REC and TEC to return to zero net: mvneta: Fix an out of bounds check ipv6: avoid use-after-free in ip6_fragment() net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() xen/netback: fix build warning ethernet: aeroflex: fix potential skb leak in greth_init_rings() ipv4: Fix incorrect route flushing when table ID 0 is used ipv4: Fix incorrect route flushing when source address is deleted tipc: Fix potential OOB in tipc_link_proto_rcv() net: hisilicon: Fix potential use-after-free in hix5hd2_rx() net: hisilicon: Fix potential use-after-free in hisi_femac_rx() net: thunderx: Fix missing destroy_workqueue of nicvf_rx_mode_wq net: stmmac: fix "snps,axi-config" node property parsing nvme initialize core quirks before calling nvme_init_subsystem NFC: nci: Bounds check struct nfc_target arrays i40e: Disallow ip4 and ip6 l4_4_bytes i40e: Fix for VF MAC address 0 i40e: Fix not setting default xps_cpus after reset net: mvneta: Prevent out of bounds read in mvneta_config_rss() xen-netfront: Fix NULL sring after live migration net: encx24j600: Fix invalid logic in reading of MISTAT register net: encx24j600: Add parentheses to fix precedence mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() selftests: rtnetlink: correct xfrm policy rule in kci_test_ipsec_offload net: dsa: ksz: Check return value Bluetooth: Fix not cleanup led when bt_init fails Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() af_unix: Get user_ns from in_skb in unix_diag_get_exact(). igb: Allocate MSI-X vector when testing e1000e: Fix TX dispatch condition gpio: amd8111: Fix PCI device reference count leak drm/bridge: ti-sn65dsi86: Fix output polarity setting bug ca8210: Fix crash by zero initializing data ieee802154: cc2520: Fix error return code in cc2520_hw_init() can: af_can: fix NULL pointer dereference in can_rcv_filter HID: core: fix shift-out-of-bounds in hid_report_raw_event HID: hid-lg4ff: Add check for empty lbuf HID: usbhid: Add ALWAYS_POLL quirk for some mice drm/shmem-helper: Remove errant put in error path KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field mm/gup: fix gup_pud_range() for dax memcg: fix possible use-after-free in memcg_write_event_control() media: v4l2-dv-timings.c: fix too strict blanking sanity checks Revert "net: dsa: b53: Fix valid setting for MDB entries" xen/netback: don't call kfree_skb() with interrupts disabled xen/netback: do some code cleanup xen/netback: Ensure protocol headers don't fall in the non-linear area mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths mm/khugepaged: fix GUP-fast interaction by sending IPI mm/khugepaged: take the right locks for page table retraction net: usb: qmi_wwan: add u-blox 0x1342 composition 9p/xen: check logical size for buffer size fbcon: Use kzalloc() in fbcon_prepare_logo() regulator: twl6030: fix get status of twl6032 regulators ASoC: soc-pcm: Add NULL check in BE reparenting btrfs: send: avoid unaligned encoded writes when attempting to clone range ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event regulator: slg51000: Wait after asserting CS pin 9p/fd: Use P9_HDRSZ for header size ARM: dts: rockchip: disable arm_global_timer on rk3066 and rk3188 ARM: 9266/1: mm: fix no-MMU ZERO_PAGE() implementation ARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernels ARM: dts: rockchip: rk3188: fix lcdc1-rgb24 node name ARM: dts: rockchip: fix ir-receiver node names arm: dts: rockchip: fix node name for hym8563 rtc arm64: dts: rockchip: keep I2S1 disabled for GPIO function on ROCK Pi 4 series Conflicts: Documentation/devicetree/bindings/phy/amlogic,meson-g12a-usb3-pcie-phy.yaml arch/arm64/boot/dts/vendor/bindings/phy/amlogic,g12a-usb3-pcie-phy.yaml arch/arm64/boot/dts/vendor/bindings/phy/amlogic,meson-g12a-usb3-pcie-phy.yaml arch/arm64/include/asm/atomic_ll_sc.h drivers/edac/qcom_edac.c drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c drivers/net/ethernet/stmicro/stmmac/stmmac_main.c drivers/usb/gadget/function/f_fs.c drivers/usb/host/xhci-plat.c sound/soc/soc-pcm.c Change-Id: I4e8cffcac6c78ecf1a16d24ee01551747552fdf2 |
||
Greg Kroah-Hartman
|
b86f2ce54f |
Merge tag 'android11-5.4.233_r00' into android11-5.4
This is the merge of the upstream LTS release of 5.4.233 into the android11-5.4 branch. It contains the following commits: |
||
Tejun Heo
|
7cfbc7501b |
BACKPORT: FROMGIT: cgroup: Use separate src/dst nodes when preloading css_sets for migration
Each cset (css_set) is pinned by its tasks. When we're moving tasks around
across csets for a migration, we need to hold the source and destination
csets to ensure that they don't go away while we're moving tasks about. This
is done by linking cset->mg_preload_node on either the
mgctx->preloaded_dst_csets or mgctx->preloaded_dst_csets list. Using the
same cset->mg_preload_node for both the src and dst lists was deemed okay as
a cset can't be both the source and destination at the same time.
Unfortunately, this overloading becomes problematic when multiple tasks are
involved in a migration and some of them are identity noop migrations while
others are actually moving across cgroups. For example, this can happen with
the following sequence on cgroup1:
#1> mkdir -p /sys/fs/cgroup/misc/a/b
#2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs
#3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS &
#4> PID=$!
#5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks
#6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs
the process including the group leader back into a. In this final migration,
non-leader threads would be doing identity migration while the group leader
is doing an actual one.
After #3, let's say the whole process was in cset A, and that after #4, the
leader moves to cset B. Then, during #6, the following happens:
1. cgroup_migrate_add_src() is called on B for the leader.
2. cgroup_migrate_add_src() is called on A for the other threads.
3. cgroup_migrate_prepare_dst() is called. It scans the src list.
3. It notices that B wants to migrate to A, so it tries to A to the dst
list but realizes that its ->mg_preload_node is already busy.
4. and then it notices A wants to migrate to A as it's an identity
migration, it culls it by list_del_init()'ing its ->mg_preload_node and
putting references accordingly.
5. The rest of migration takes place with B on the src list but nothing on
the dst list.
This means that A isn't held while migration is in progress. If all tasks
leave A before the migration finishes and the incoming task pins it, the
cset will be destroyed leading to use-after-free.
This is caused by overloading cset->mg_preload_node for both src and dst
preload lists. We wanted to exclude the cset from the src list but ended up
inadvertently excluding it from the dst list too.
This patch fixes the issue by separating out cset->mg_preload_node into
->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst
preloadings don't interfere with each other.
Bug: 236582926
Change-Id: Ieaf1c0c8fc23753570897fd6e48a54335ab939ce
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Mukesh Ojha <quic_mojha@quicinc.com>
Reported-by: shisiyuan <shisiyuan19870131@gmail.com>
Link: http://lkml.kernel.org/r/1654187688-27411-1-git-send-email-shisiyuan@xiaomi.com
Link: https://lore.kernel.org/lkml/Yh+RGIJ0f3nrqIiN@slm.duckdns.org/#t
Fixes:
|
||
|
Greg Kroah-Hartman
|
6bb176e034 |
Merge 5.4.233 into android11-5.4-lts
Changes in 5.4.233 dma-mapping: add generic helpers for mapping sgtable objects scatterlist: add generic wrappers for iterating over sgtable objects drm: etnaviv: fix common struct sg_table related issues drm/etnaviv: don't truncate physical page address wifi: rtl8xxxu: gen2: Turn on the rate control powerpc: dts: t208x: Mark MAC1 and MAC2 as 10G random: always mix cycle counter in add_latent_entropy() KVM: x86: Fail emulation during EMULTYPE_SKIP on any exception KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len powerpc: dts: t208x: Disable 10G on MAC1 and MAC2 alarmtimer: Prevent starvation by small intervals and SIG_IGN drm/i915/gvt: fix double free bug in split_2MB_gtt_entry mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh uaccess: Add speculation barrier to copy_from_user() wifi: mwifiex: Add missing compatible string for SD8787 ext4: Fix function prototype mismatch for ext4_feat_ktype Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs" bpf: add missing header file include Linux 5.4.233 Change-Id: I83441dec5bd3c2ad6af19017fe9b467f7ffa2ea5 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Linus Torvalds
|
c6cc0121d4 |
bpf: add missing header file include
commit f3dd0c53370e70c0f9b7e931bbec12916f3bb8cc upstream.
Commit 74e19ef0ff80 ("uaccess: Add speculation barrier to
copy_from_user()") built fine on x86-64 and arm64, and that's the extent
of my local build testing.
It turns out those got the <linux/nospec.h> include incidentally through
other header files (<linux/kvm_host.h> in particular), but that was not
true of other architectures, resulting in build errors
kernel/bpf/core.c: In function ‘___bpf_prog_run’:
kernel/bpf/core.c:1913:3: error: implicit declaration of function ‘barrier_nospec’
so just make sure to explicitly include the proper <linux/nospec.h>
header file to make everybody see it.
Fixes: 74e19ef0ff80 ("uaccess: Add speculation barrier to copy_from_user()")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Viresh Kumar <viresh.kumar@linaro.org>
Reported-by: Huacai Chen <chenhuacai@loongson.cn>
Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Dave Hansen
|
6c750ed036 |
uaccess: Add speculation barrier to copy_from_user()
commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 upstream. The results of "access_ok()" can be mis-speculated. The result is that you can end speculatively: if (access_ok(from, size)) // Right here even for bad from/size combinations. On first glance, it would be ideal to just add a speculation barrier to "access_ok()" so that its results can never be mis-speculated. But there are lots of system calls just doing access_ok() via "copy_to_user()" and friends (example: fstat() and friends). Those are generally not problematic because they do not _consume_ data from userspace other than the pointer. They are also very quick and common system calls that should not be needlessly slowed down. "copy_from_user()" on the other hand uses a user-controller pointer and is frequently followed up with code that might affect caches. Take something like this: if (!copy_from_user(&kernelvar, uptr, size)) do_something_with(kernelvar); If userspace passes in an evil 'uptr' that *actually* points to a kernel addresses, and then do_something_with() has cache (or other) side-effects, it could allow userspace to infer kernel data values. Add a barrier to the common copy_from_user() code to prevent mis-speculated values which happen after the copy. Also add a stub for architectures that do not define barrier_nospec(). This makes the macro usable in generic code. Since the barrier is now usable in generic code, the x86 #ifdef in the BPF code can also go away. Reported-by: Jordy Zomer <jordyzomer@google.com> Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Daniel Borkmann <daniel@iogearbox.net> # BPF bits Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Thomas Gleixner
|
100cf2af1b |
alarmtimer: Prevent starvation by small intervals and SIG_IGN
commit d125d1349abeb46945dc5e98f7824bf688266f13 upstream. syzbot reported a RCU stall which is caused by setting up an alarmtimer with a very small interval and ignoring the signal. The reproducer arms the alarm timer with a relative expiry of 8ns and an interval of 9ns. Not a problem per se, but that's an issue when the signal is ignored because then the timer is immediately rearmed because there is no way to delay that rearming to the signal delivery path. See posix_timer_fn() and commit |
||
|
Greg Kroah-Hartman
|
abc4ede193 |
This is the 5.4.232 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmP2AZoACgkQONu9yGCS aT4Kog//cMOCPvc+9yam5NCZj76k9jzIfteKMZzvSyxjV/ShPGynLIwcR26vE4j1 CtEB0aknuxgpqthfCahjjf51POhYLJD62H62UtTfxgIkWxnETd8F6y2xvuVXsds5 mC0LUzQ9md6slgTTIobQF9ilIGAt/yKPOg89fUXNYzNsO2us46XZCmZOXg5MVwlI hXYQuVBze1VhWt40J8TYDFckjoQLUgH6lBawWHC8/r2MBBydzX1cZEyL2TXhDfFS 7t9gWXKteAFE6GWfgAY6MrtqGx+X25Xe7qds4V8v6FgxR2MFeo94+k3DbhXRnjjY gA6czJBurGzhiXWo2E4laYlEMfsY0qkl17M49C/LwkJhZCSjF60b0Vo0dNfLLogZ cWsG6qcrfV8/js5h97kFSluWZ4VM7xTgcJQ/qtU/O8IprRQioCERjvm4Dl+/emXI ycFaiZOP3RvYdHxADIsItm46C7WzpzqZpjjs+9jHEaACrnOQfepGGFmgImMd9P8r kkU5KUtPQoAgSFfPz1tvJgyQiazONRAKtg1UprPOnLN0PsBQrE8ekCOk9lDoW60l t+G2lC0dJBYkcKC+4jHa9y18U7wz/eYdYE+K/u8kUENYFLSBfYxIqbXPxQZcq6aO TnyVr1n+Dd3HXtLX58+vDE2RUjosvCXctBGrE6Q56d8AKXh6FvM= =rk4j -----END PGP SIGNATURE----- Merge 5.4.232 into android11-5.4-lts Changes in 5.4.232 firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after use ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX scsi: Revert "scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT" WRITE is "data source", not destination... fix iov_iter_bvec() "direction" argument fix "direction" argument of iov_iter_kvec() netrom: Fix use-after-free caused by accept on already connected socket netfilter: br_netfilter: disable sabotage_in hook after first suppression squashfs: harden sanity check in squashfs_read_xattr_id_table net: phy: meson-gxl: Add generic dummy stubs for MMD register access can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate ata: libata: Fix sata_down_spd_limit() when no link speed is reported selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler warning selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are provided selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking virtio-net: Keep stop() to follow mirror sequence of open() net: openvswitch: fix flow memory leak in ovs_flow_cmd_new efi: fix potential NULL deref in efi_mem_reserve_persistent scsi: target: core: Fix warning on RT kernels scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress i2c: rk3x: fix a bunch of kernel-doc warnings net/x25: Fix to not accept on connected socket iio: adc: stm32-dfsdm: fill module aliases usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API usb: dwc3: qcom: enable vbus override when in OTG dr-mode usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF Input: i8042 - move __initconst to fix code styling warning Input: i8042 - merge quirk tables Input: i8042 - add TUXEDO devices to i8042 quirk tables Input: i8042 - add Clevo PCX0DX to i8042 quirk table fbcon: Check font dimension limits watchdog: diag288_wdt: do not use stack buffers for hardware data watchdog: diag288_wdt: fix __diag288() inline assembly efi: Accept version 2 of memory attributes table iio: hid: fix the retval in accel_3d_capture_sample iio: adc: berlin2-adc: Add missing of_node_put() in error path iio:adc:twl6030: Enable measurements of VUSB, VBAT and others parisc: Fix return code of pdc_iodc_print() parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case riscv: disable generation of unwind tables mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps fpga: stratix10-soc: Fix return value check in s10_ops_write_init() mm/swapfile: add cond_resched() in get_swap_pages() Squashfs: fix handling and sanity checking of xattr_ids count nvmem: core: fix cell removal on error mm: swap: properly update readahead statistics in unuse_pte_range() xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() serial: 8250_dma: Fix DMA Rx completion race serial: 8250_dma: Fix DMA Rx rearm race powerpc/imc-pmu: Revert nest_init_lock to being a mutex fbdev: smscufx: fix error handling code in ufx_usb_probe f2fs: fix to do sanity check on i_extra_isize in is_alive() wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads iio:adc:twl6030: Enable measurement of VAC btrfs: limit device extents to the device size btrfs: zlib: zero-initialize zlib workspace ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() tracing: Fix poll() and select() do not work on per_cpu trace_pipe and trace_pipe_raw can: j1939: do not wait 250 ms if the same addr was already claimed IB/hfi1: Restore allocated resources on failed copyout IB/IPoIB: Fix legacy IPoIB due to wrong number of queues iommu: Add gfp parameter to iommu_ops::map RDMA/usnic: use iommu_map_atomic() under spin_lock() xfrm: fix bug with DSCP copy to v6 from v4 tunnel bonding: fix error checking in bond_debug_reregister() net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal PHY ionic: clean interrupt before enabling queue to avoid credit race ice: Do not use WQ_MEM_RECLAIM flag for workqueue rds: rds_rm_zerocopy_callback() use list_first_entry() selftests: forwarding: lib: quote the sysctl values ALSA: pci: lx6464es: fix a debug loop pinctrl: aspeed: Fix confusing types in return value pinctrl: single: fix potential NULL dereference pinctrl: intel: Restore the pins that used to be in Direct IRQ mode net: USB: Fix wrong-direction WARNING in plusb.c usb: core: add quirk for Alcor Link AK9563 smartcard reader usb: typec: altmodes/displayport: Fix probe pin assign check ceph: flush cap releases when the session is flushed riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive arm64: dts: meson-g12-common: Make mmc host controller interrupts level-sensitive arm64: dts: meson-axg: Make mmc host controller interrupts level-sensitive nvme-pci: Move enumeration by class to be last in the table bpf: Always return target ifindex in bpf_fib_lookup migrate: hugetlb: check for hugetlb shared PMD in node migration selftests/bpf: Verify copy_register_state() preserves parent/live fields ASoC: cs42l56: fix DT probe tools/virtio: fix the vringh test for virtio ring changes net/rose: Fix to not accept on connected socket net: stmmac: do not stop RX_CLK in Rx LPI state for qcs404 SoC net: sched: sch: Bounds check priority s390/decompressor: specify __decompress() buf len to avoid overflow nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association aio: fix mremap after fork null-deref btrfs: free device in btrfs_close_devices for a single device filesystem netfilter: nft_tproxy: restrict to prerouting hook xfs: remove the xfs_efi_log_item_t typedef xfs: remove the xfs_efd_log_item_t typedef xfs: remove the xfs_inode_log_item_t typedef xfs: factor out a xfs_defer_create_intent helper xfs: merge the ->log_item defer op into ->create_intent xfs: merge the ->diff_items defer op into ->create_intent xfs: turn dfp_intent into a xfs_log_item xfs: refactor xfs_defer_finish_noroll xfs: log new intent items created as part of finishing recovered intent items xfs: fix finobt btree block recovery ordering xfs: proper replay of deferred ops queued during log recovery xfs: xfs_defer_capture should absorb remaining block reservations xfs: xfs_defer_capture should absorb remaining transaction reservation xfs: clean up bmap intent item recovery checking xfs: clean up xfs_bui_item_recover iget/trans_alloc/ilock ordering xfs: fix an incore inode UAF in xfs_bui_recover xfs: change the order in which child and parent defer ops are finished xfs: periodically relog deferred intent items xfs: expose the log push threshold xfs: only relog deferred intent items if free space in the log gets low xfs: fix missing CoW blocks writeback conversion retry xfs: ensure inobt record walks always make forward progress xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks xfs: prevent UAF in xfs_log_item_in_current_chkpt xfs: sync lazy sb accounting on quiesce of read-only mounts Revert "ipv4: Fix incorrect route flushing when source address is deleted" ipv4: Fix incorrect route flushing when source address is deleted mmc: sdio: fix possible resource leaks in some error paths mmc: mmc_spi: fix error handling in mmc_spi_probe() ALSA: hda/conexant: add a new hda codec SN6180 ALSA: hda/realtek - fixed wrong gpio assigned sched/psi: Fix use-after-free in ep_remove_wait_queue() hugetlb: check for undefined shift on 32 bit architectures Revert "mm: Always release pages to the buddy allocator in memblock_free_late()." net: Fix unwanted sign extension in netdev_stats_to_stats64() revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" ixgbe: allow to increase MTU to 3K with XDP enabled i40e: add double of VLAN header when computing the max MTU net: bgmac: fix BCM5358 support by setting correct flags sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence bnxt_en: Fix mqprio and XDP ring checking logic net: stmmac: Restrict warning on disabling DMA store and fwd mode net: mpls: fix stale pointer if allocation fails during device rename ixgbe: add double of VLAN header when computing the max MTU ipv6: Fix datagram socket connection with DSCP. ipv6: Fix tcp socket connection with DSCP. i40e: Add checking for null for nlmsg_find_attr() kvm: initialize all of the kvm_debugregs structure before sending it to userspace nilfs2: fix underflow in second superblock position calculations ASoC: SOF: Intel: hda-dai: fix possible stream_tag leak net: sched: sch: Fix off by one in htb_activate_prios() iommu/amd: Pass gfp flags to iommu_map_page() in amd_iommu_map() Linux 5.4.232 Change-Id: I607aaac0f8477eb9a0f059e0a9d2f5c037fb19fc Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Munehisa Kamata
|
7caeb5457b |
sched/psi: Fix use-after-free in ep_remove_wait_queue()
commit c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe upstream.
If a non-root cgroup gets removed when there is a thread that registered
trigger and is polling on a pressure file within the cgroup, the polling
waitqueue gets freed in the following path:
do_rmdir
cgroup_rmdir
kernfs_drain_open_files
cgroup_file_release
cgroup_pressure_release
psi_trigger_destroy
However, the polling thread still has a reference to the pressure file and
will access the freed waitqueue when the file is closed or upon exit:
fput
ep_eventpoll_release
ep_free
ep_remove_wait_queue
remove_wait_queue
This results in use-after-free as pasted below.
The fundamental problem here is that cgroup_file_release() (and
consequently waitqueue's lifetime) is not tied to the file's real lifetime.
Using wake_up_pollfree() here might be less than ideal, but it is in line
with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()")
since the waitqueue's lifetime is not tied to file's one and can be
considered as another special case. While this would be fixable by somehow
making cgroup_file_release() be tied to the fput(), it would require
sizable refactoring at cgroups or higher layer which might be more
justifiable if we identify more cases like this.
BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0
Write of size 4 at addr ffff88810e625328 by task a.out/4404
CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38
Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017
Call Trace:
<TASK>
dump_stack_lvl+0x73/0xa0
print_report+0x16c/0x4e0
kasan_report+0xc3/0xf0
kasan_check_range+0x2d2/0x310
_raw_spin_lock_irqsave+0x60/0xc0
remove_wait_queue+0x1a/0xa0
ep_free+0x12c/0x170
ep_eventpoll_release+0x26/0x30
__fput+0x202/0x400
task_work_run+0x11d/0x170
do_exit+0x495/0x1130
do_group_exit+0x100/0x100
get_signal+0xd67/0xde0
arch_do_signal_or_restart+0x2a/0x2b0
exit_to_user_mode_prepare+0x94/0x100
syscall_exit_to_user_mode+0x20/0x40
do_syscall_64+0x52/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
Allocated by task 4404:
kasan_set_track+0x3d/0x60
__kasan_kmalloc+0x85/0x90
psi_trigger_create+0x113/0x3e0
pressure_write+0x146/0x2e0
cgroup_file_write+0x11c/0x250
kernfs_fop_write_iter+0x186/0x220
vfs_write+0x3d8/0x5c0
ksys_write+0x90/0x110
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 4407:
kasan_set_track+0x3d/0x60
kasan_save_free_info+0x27/0x40
____kasan_slab_free+0x11d/0x170
slab_free_freelist_hook+0x87/0x150
__kmem_cache_free+0xcb/0x180
psi_trigger_destroy+0x2e8/0x310
cgroup_file_release+0x4f/0xb0
kernfs_drain_open_files+0x165/0x1f0
kernfs_drain+0x162/0x1a0
__kernfs_remove+0x1fb/0x310
kernfs_remove_by_name_ns+0x95/0xe0
cgroup_addrm_files+0x67f/0x700
cgroup_destroy_locked+0x283/0x3c0
cgroup_rmdir+0x29/0x100
kernfs_iop_rmdir+0xd1/0x140
vfs_rmdir+0xfe/0x240
do_rmdir+0x13d/0x280
__x64_sys_rmdir+0x2c/0x30
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fixes:
|
||
Shiju Jose
|
56ee31167c |
tracing: Fix poll() and select() do not work on per_cpu trace_pipe and trace_pipe_raw
commit 3e46d910d8acf94e5360126593b68bf4fee4c4a1 upstream.
poll() and select() on per_cpu trace_pipe and trace_pipe_raw do not work
since kernel 6.1-rc6. This issue is seen after the commit
42fb0a1e84ff525ebe560e2baf9451ab69127e2b ("tracing/ring-buffer: Have
polling block on watermark").
This issue is firstly detected and reported, when testing the CXL error
events in the rasdaemon and also erified using the test application for poll()
and select().
This issue occurs for the per_cpu case, when calling the ring_buffer_poll_wait(),
in kernel/trace/ring_buffer.c, with the buffer_percent > 0 and then wait until the
percentage of pages are available. The default value set for the buffer_percent is 50
in the kernel/trace/trace.c.
As a fix, allow userspace application could set buffer_percent as 0 through
the buffer_percent_fops, so that the task will wake up as soon as data is added
to any of the specific cpu buffer.
Link: https://lore.kernel.org/linux-trace-kernel/20230202182309.742-2-shiju.jose@huawei.com
Cc: <mhiramat@kernel.org>
Cc: <mchehab@kernel.org>
Cc: <linux-edac@vger.kernel.org>
Cc: stable@vger.kernel.org
Fixes: 42fb0a1e84ff5 ("tracing/ring-buffer: Have polling block on watermark")
Signed-off-by: Shiju Jose <shiju.jose@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Michael Bestas
|
c066ac93be
|
Merge tag 'ASB-2023-02-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2023-02-01 CVE-2022-39189 CVE-2022-39842 CVE-2022-41222 CVE-2023-20937 CVE-2023-20938 CVE-2022-0850 * tag 'ASB-2023-02-05_11-5.4' of https://android.googlesource.com/kernel/common: ANDROID: ABI: Cuttlefish Symbol update UPSTREAM: media: dvb-core: Fix UAF due to refcount races at releasing ANDROID: abi_gki_aarch64_qcom: Add hrtimer_sleeper_start_expires UPSTREAM: ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF ANDROID: Revert "tracing/ring-buffer: Have polling block on watermark" UPSTREAM: usb: gadget: f_hid: fix f_hidg lifetime vs cdev UPSTREAM: usb: gadget: f_hid: optional SETUP/SET_REPORT mode ANDROID: add TEST_MAPPING for net/, include/net UPSTREAM: nfp: fix use-after-free in area_cache_get() UPSTREAM: proc: avoid integer type confusion in get_proc_long UPSTREAM: proc: proc_skip_spaces() shouldn't think it is working on C strings ANDROID: usb: f_accessory: Check buffer size when initialised via composite BACKPORT: mm: don't be stuck to rmap lock on reclaim path ANDROID: Add more hvc devices for virtio-console. Revert "mmc: sdhci: Fix voltage switch delay" ANDROID: gki_defconfig: add CONFIG_FUNCTION_ERROR_INJECTION Linux 5.4.226 ipc/sem: Fix dangling sem_array access in semtimedop race v4l2: don't fall back to follow_pfn() if pin_user_pages_fast() fails proc: proc_skip_spaces() shouldn't think it is working on C strings proc: avoid integer type confusion in get_proc_long mmc: sdhci: Fix voltage switch delay mmc: sdhci: use FIELD_GET for preset value bit masks char: tpm: Protect tpm_pm_suspend with locks Revert "clocksource/drivers/riscv: Events are stopped during CPU suspend" x86/ioremap: Fix page aligned size calculation in __ioremap_caller() Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM x86/pm: Add enumeration check before spec MSRs save/restore setup x86/tsx: Add a feature bit for TSX control MSR support nvme: ensure subsystem reset is single threaded nvme: restrict management ioctls to admin epoll: check for events when removing a timed out thread from the wait queue epoll: call final ep_events_available() check under the lock tracing/ring-buffer: Have polling block on watermark ipv4: Fix route deletion when nexthop info is not specified ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference selftests: net: fix nexthop warning cleanup double ip typo selftests: net: add delete nexthop route warning test Kconfig.debug: provide a little extra FRAME_WARN leeway when KASAN is enabled parisc: Increase FRAME_WARN to 2048 bytes on parisc xtensa: increase size of gcc stack frame check parisc: Increase size of gcc stack frame check iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() pinctrl: single: Fix potential division by zero ASoC: ops: Fix bounds check for _sx controls mm: Fix '.data.once' orphan section warning arm64: errata: Fix KVM Spectre-v2 mitigation selection for Cortex-A57/A72 arm64: Fix panic() when Spectre-v2 causes Spectre-BHB to re-allocate KVM vectors tracing: Free buffers when a used dynamic event is removed mmc: sdhci-sprd: Fix no reset data and command after voltage switch mmc: sdhci-esdhc-imx: correct CQHCI exit halt state check mmc: core: Fix ambiguous TRIM and DISCARD arg mmc: mmc_test: Fix removal of debugfs file pinctrl: intel: Save and restore pins in "direct IRQ" mode x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3 nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() tools/vm/slabinfo-gnuplot: use "grep -E" instead of "egrep" error-injection: Add prompt for function error injection net/mlx5: DR, Fix uninitialized var warning hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() hwmon: (coretemp) Check for null before removing sysfs attrs net: ethernet: renesas: ravb: Fix promiscuous mode after system resumed sctp: fix memory leak in sctp_stream_outq_migrate() packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE net: tun: Fix use-after-free in tun_detach() afs: Fix fileserver probe RTT handling net: hsr: Fix potential use-after-free dsa: lan9303: Correct stat name net: ethernet: nixge: fix NULL dereference net/9p: Fix a potential socket leak in p9_socket_open net: net_netdev: Fix error handling in ntb_netdev_init_module() net: phy: fix null-ptr-deref while probe() failed wifi: cfg80211: fix buffer overflow in elem comparison qlcnic: fix sleep-in-atomic-context bugs caused by msleep can: cc770: cc770_isa_probe(): add missing free_cc770dev() can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev() net/mlx5e: Fix use-after-free when reverting termination table net/mlx5: Fix uninitialized variable bug in outlen_write() of: property: decrement node refcount in of_fwnode_get_reference_args() hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails hwmon: (i5500_temp) fix missing pci_disable_device() scripts/faddr2line: Fix regression in name resolution on ppc64le iio: light: rpr0521: add missing Kconfig dependencies iio: health: |
||
|
Greg Kroah-Hartman
|
e367c7b762 |
This is the 5.4.231 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPgo/YACgkQONu9yGCS aT4o0RAAlt2uWRXaiDW2cYi1dKAuqk8Iyf0tlonzDkSESy6Qy28rw62BIbBRHFNv ObPjlz4FgI9ZfSVBsolFjBACTXvzS/fPvvqBEVmWqLA0+cN0/RRsJ8AJYV+wxV4U j0h+asxtkaWxhPmsnr0FtVG6KnqMCZkYCJYzkEwMmGZqmhkvqZVtGO5Hxwa+pTuD A+EpvsRCeqK42GqM1nn14er7Cej2bX6eM+MX1vhA/rNGgf4OrHSs5CQaLWFioFUO VN1I2/aiC+iqpF8poPC4evDgko291s+QYvtIRqcfCGjJqpfwGDWA8xReZPXKD4+4 JeY0WXHxtbjg1B+FQKZR4ESYlZfBLejI94CN32VJ3uI6CV+VgIyJMBXQ1Vs09OeN IEighGiXTHezS5NvHQTL/Y3CSooWuCxIQMmJelSW6Kr7tLpZ4/GMr4V2RU0XO9tF l3SRR/Q+w8IRtPsNNbmTB9wWJxcuyTHavrl6mG2DUy86UbJhoxjyYj7XUpiVyzbc /UmbHLXdeg9QCayhiHtCvPfcJF8EWoqoYfKSTJrj3B2ysQo7aPVK3D2/cYGRQ80A EssOD3IzC+QiBb30TzGJzJ5xaIMcaDZb61Hs7afYkhYUjQyqoQEh6ZxS8x0SCHFE 8YsVkwNm47Iw9ySPhfIIZiTfxMcK8n2zN85rAlfonlWasblr9Ok= =uM6z -----END PGP SIGNATURE----- Merge 5.4.231 into android11-5.4-lts Changes in 5.4.231 clk: generalize devm_clk_get() a bit clk: Provide new devm_clk helpers for prepared and enabled clocks memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe() memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe() ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' ARM: imx27: Retrieve the SYSCTRL base address from devicetree ARM: imx31: Retrieve the IIM base address from devicetree ARM: imx35: Retrieve the IIM base address from devicetree ARM: imx: add missing of_node_put() HID: intel_ish-hid: Add check for ishtp_dma_tx_map EDAC/highbank: Fix memory leak in highbank_mc_probe() tomoyo: fix broken dependency on *.conf.default RDMA/core: Fix ib block iterator counter overflow IB/hfi1: Reject a zero-length user expected buffer IB/hfi1: Reserve user expected TIDs IB/hfi1: Fix expected receive setup error exit issues affs: initialize fsdata in affs_truncate() amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent amd-xgbe: Delay AN timeout during KR training bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() net: nfc: Fix use-after-free in local_cleanup() net: wan: Add checks for NULL for utdm in undo_uhdlc_init and unmap_si_regs gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid net/sched: sch_taprio: fix possible use-after-free net: fix a concurrency bug in l2tp_tunnel_register() l2tp: Serialize access to sk_user_data with sk_callback_lock l2tp: Don't sleep and disable BH under writer-side sk_callback_lock net: usb: sr9700: Handle negative len net: mdio: validate parameter addr in mdiobus_get_phy() HID: check empty report_list in hid_validate_values() HID: check empty report_list in bigben_probe() net: stmmac: fix invalid call to mdiobus_get_phy() HID: revert CHERRY_MOUSE_000C quirk usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait usb: gadget: f_fs: Ensure ep0req is dequeued before free_request net: mlx5: eliminate anonymous module_init & module_exit drm/panfrost: fix GENERIC_ATOMIC64 dependency dmaengine: Fix double increment of client_count in dma_chan_get() net: macb: fix PTP TX timestamp failure due to packet padding HID: betop: check shape of output reports dmaengine: xilinx_dma: use devm_platform_ioremap_resource() dmaengine: xilinx_dma: Fix devm_platform_ioremap_resource error handling dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node() tcp: avoid the lookup process failing to get sk in ehash table w1: fix deadloop in __w1_remove_master_device() w1: fix WARNING after calling w1_process() driver core: Fix test_async_probe_init saves device in wrong array net: dsa: microchip: ksz9477: port map correction in ALU table entry register tcp: fix rate_app_limited to default to 1 cpufreq: Add Tegra234 to cpufreq-dt-platdev blocklist ASoC: fsl_micfil: Correct the number of steps on SX controls drm: Add orientation quirk for Lenovo ideapad D330-10IGL s390/debug: add _ASM_S390_ prefix to header guard cpufreq: armada-37xx: stop using 0 as NULL pointer ASoC: fsl_ssi: Rename AC'97 streams to avoid collisions with AC'97 CODEC ASoC: fsl-asoc-card: Fix naming of AC'97 CODEC widgets spi: spidev: remove debug messages that access spidev->spi without locking KVM: s390: interrupt: use READ_ONCE() before cmpxchg() scsi: hisi_sas: Set a port invalid only if there are no devices attached when refreshing port id platform/x86: touchscreen_dmi: Add info for the CSL Panther Tab HD platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK lockref: stop doing cpu_relax in the cmpxchg loop mmc: sdhci-esdhc-imx: clear pending interrupt and halt cqhci mmc: sdhci-esdhc-imx: disable the CMD CRC check for standard tuning mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting Revert "selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID" netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state fs: reiserfs: remove useless new_opts in reiserfs_remount Revert "Revert "xhci: Set HCD flag to defer primary roothub registration"" Bluetooth: hci_sync: cancel cmd_timer if hci_open failed scsi: hpsa: Fix allocation size for scsi_host_alloc() module: Don't wait for GOING modules tracing: Make sure trace_printk() can output as soon as it can be used trace_events_hist: add check for return value of 'create_hist_field' ftrace/scripts: Update the instructions for ftrace-bisect.sh cifs: Fix oops due to uncleared server->smbd_conn in reconnect KVM: x86/vmx: Do not skip segment attributes if unusable bit is set thermal: intel: int340x: Protect trip temperature from concurrent updates ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment EDAC/device: Respect any driver-supplied workqueue polling value EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info netlink: prevent potential spectre v1 gadgets net: fix UaF in netns ops registration error path netfilter: nft_set_rbtree: skip elements in transaction from garbage collection netlink: annotate data races around nlk->portid netlink: annotate data races around dst_portid and dst_group netlink: annotate data races around sk_state ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() ipv4: prevent potential spectre v1 gadget in fib_metrics_match() netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE netrom: Fix use-after-free of a listening socket. net/sched: sch_taprio: do not schedule in taprio_reset() sctp: fail if no bound addresses can be used for a given scope net: ravb: Fix possible hang if RIS2_QFF1 happen thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() net/tg3: resolve deadlock in tg3_reset_task() during EEH net/phy/mdio-i2c: Move header file to include/linux/mdio net: xgene: Move shared header file into include/linux net: mdio-mux-meson-g12a: force internal PHY off on mux switch Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode" nfsd: Ensure knfsd shuts down when the "nfsd" pseudofs is unmounted block: fix and cleanup bio_check_ro x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL netfilter: conntrack: unify established states for SCTP paths perf/x86/amd: fix potential integer overflow on shift of a int clk: Fix pointer casting to prevent oops in devm_clk_release() x86/asm: Fix an assembler warning with current binutils ARM: dts: imx: Fix pca9547 i2c-mux node name bpf: Skip task with pid=1 in send_signal_common() blk-cgroup: fix missing pd_online_fn() while activating policy dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init sysctl: add a new register_sysctl_init() interface panic: unset panic_on_warn inside panic() mm: kasan: do not panic if both panic_on_warn and kasan_multishot set exit: Add and use make_task_dead. objtool: Add a missing comma to avoid string concatenation hexagon: Fix function name in die() h8300: Fix build errors from do_exit() to make_task_dead() transition csky: Fix function name in csky_alignment() and die() ia64: make IA64_MCA_RECOVERY bool instead of tristate exit: Put an upper limit on how often we can oops exit: Expose "oops_count" to sysfs exit: Allow oops_limit to be disabled panic: Consolidate open-coded panic_on_warn checks panic: Introduce warn_limit panic: Expose "warn_count" to sysfs docs: Fix path paste-o for /sys/kernel/warn_count exit: Use READ_ONCE() for all oops/warn limit reads ipv6: ensure sane device mtu in tunnels Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt usb: host: xhci-plat: add wakeup entry at sysfs Revert "xprtrdma: Fix regbuf data not freed in rpcrdma_req_create()" Linux 5.4.231 Change-Id: I0f670158dd88a589d5f56246d094d3392a1784f9 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Kees Cook
|
a7cc1b5d76 |
exit: Use READ_ONCE() for all oops/warn limit reads
commit 7535b832c6399b5ebfc5b53af5c51dd915ee2538 upstream. Use a temporary variable to take full advantage of READ_ONCE() behavior. Without this, the report (and even the test) might be out of sync with the initial test. Reported-by: Peter Zijlstra <peterz@infradead.org> Link: https://lore.kernel.org/lkml/Y5x7GXeluFmZ8E0E@hirez.programming.kicks-ass.net Fixes: 9fc9e278a5c0 ("panic: Introduce warn_limit") Fixes: d4ccd54d28d3 ("exit: Put an upper limit on how often we can oops") Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Jann Horn <jannh@google.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Petr Mladek <pmladek@suse.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Luis Chamberlain <mcgrof@kernel.org> Cc: Marco Elver <elver@google.com> Cc: tangmeng <tangmeng@uniontech.com> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Kees Cook
|
6f18d28c26 |
panic: Expose "warn_count" to sysfs
commit 8b05aa26336113c4cea25f1c333ee8cd4fc212a6 upstream. Since Warn count is now tracked and is a fairly interesting signal, add the entry /sys/kernel/warn_count to expose it to userspace. Cc: Petr Mladek <pmladek@suse.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: tangmeng <tangmeng@uniontech.com> Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: Tiezhu Yang <yangtiezhu@loongson.cn> Reviewed-by: Luis Chamberlain <mcgrof@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20221117234328.594699-6-keescook@chromium.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Kees Cook
|
7c1273646f |
panic: Introduce warn_limit
commit 9fc9e278a5c0b708eeffaf47d6eb0c82aa74ed78 upstream. Like oops_limit, add warn_limit for limiting the number of warnings when panic_on_warn is not set. Cc: Jonathan Corbet <corbet@lwn.net> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Baolin Wang <baolin.wang@linux.alibaba.com> Cc: "Jason A. Donenfeld" <Jason@zx2c4.com> Cc: Eric Biggers <ebiggers@google.com> Cc: Huang Ying <ying.huang@intel.com> Cc: Petr Mladek <pmladek@suse.com> Cc: tangmeng <tangmeng@uniontech.com> Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com> Cc: Tiezhu Yang <yangtiezhu@loongson.cn> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: linux-doc@vger.kernel.org Reviewed-by: Luis Chamberlain <mcgrof@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20221117234328.594699-5-keescook@chromium.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Kees Cook
|
51538bdde3 |
panic: Consolidate open-coded panic_on_warn checks
commit 79cc1ba7badf9e7a12af99695a557e9ce27ee967 upstream. Several run-time checkers (KASAN, UBSAN, KFENCE, KCSAN, sched) roll their own warnings, and each check "panic_on_warn". Consolidate this into a single function so that future instrumentation can be added in a single location. Cc: Marco Elver <elver@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Juri Lelli <juri.lelli@redhat.com> Cc: Vincent Guittot <vincent.guittot@linaro.org> Cc: Dietmar Eggemann <dietmar.eggemann@arm.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Ben Segall <bsegall@google.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Daniel Bristot de Oliveira <bristot@redhat.com> Cc: Valentin Schneider <vschneid@redhat.com> Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Konovalov <andreyknvl@gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino@arm.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: David Gow <davidgow@google.com> Cc: tangmeng <tangmeng@uniontech.com> Cc: Jann Horn <jannh@google.com> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: Petr Mladek <pmladek@suse.com> Cc: "Paul E. McKenney" <paulmck@kernel.org> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com> Cc: Tiezhu Yang <yangtiezhu@loongson.cn> Cc: kasan-dev@googlegroups.com Cc: linux-mm@kvack.org Reviewed-by: Luis Chamberlain <mcgrof@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Marco Elver <elver@google.com> Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com> Link: https://lore.kernel.org/r/20221117234328.594699-4-keescook@chromium.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Kees Cook
|
7020a9234e |
exit: Allow oops_limit to be disabled
commit de92f65719cd672f4b48397540b9f9eff67eca40 upstream. In preparation for keeping oops_limit logic in sync with warn_limit, have oops_limit == 0 disable checking the Oops counter. Cc: Jann Horn <jannh@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Baolin Wang <baolin.wang@linux.alibaba.com> Cc: "Jason A. Donenfeld" <Jason@zx2c4.com> Cc: Eric Biggers <ebiggers@google.com> Cc: Huang Ying <ying.huang@intel.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: linux-doc@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Kees Cook
|
5a3482f2c1 |
exit: Expose "oops_count" to sysfs
commit 9db89b41117024f80b38b15954017fb293133364 upstream. Since Oops count is now tracked and is a fairly interesting signal, add the entry /sys/kernel/oops_count to expose it to userspace. Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Jann Horn <jannh@google.com> Cc: Arnd Bergmann <arnd@arndb.de> Reviewed-by: Luis Chamberlain <mcgrof@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20221117234328.594699-3-keescook@chromium.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Jann Horn
|
28facdf7b0 |
exit: Put an upper limit on how often we can oops
commit d4ccd54d28d3c8598e2354acc13e28c060961dbb upstream. Many Linux systems are configured to not panic on oops; but allowing an attacker to oops the system **really** often can make even bugs that look completely unexploitable exploitable (like NULL dereferences and such) if each crash elevates a refcount by one or a lock is taken in read mode, and this causes a counter to eventually overflow. The most interesting counters for this are 32 bits wide (like open-coded refcounts that don't use refcount_t). (The ldsem reader count on 32-bit platforms is just 16 bits, but probably nobody cares about 32-bit platforms that much nowadays.) So let's panic the system if the kernel is constantly oopsing. The speed of oopsing 2^32 times probably depends on several factors, like how long the stack trace is and which unwinder you're using; an empirically important one is whether your console is showing a graphical environment or a text console that oopses will be printed to. In a quick single-threaded benchmark, it looks like oopsing in a vfork() child with a very short stack trace only takes ~510 microseconds per run when a graphical console is active; but switching to a text console that oopses are printed to slows it down around 87x, to ~45 milliseconds per run. (Adding more threads makes this faster, but the actual oops printing happens under &die_lock on x86, so you can maybe speed this up by a factor of around 2 and then any further improvement gets eaten up by lock contention.) It looks like it would take around 8-12 days to overflow a 32-bit counter with repeated oopsing on a multi-core X86 system running a graphical environment; both me (in an X86 VM) and Seth (with a distro kernel on normal hardware in a standard configuration) got numbers in that ballpark. 12 days aren't *that* short on a desktop system, and you'd likely need much longer on a typical server system (assuming that people don't run graphical desktop environments on their servers), and this is a *very* noisy and violent approach to exploiting the kernel; and it also seems to take orders of magnitude longer on some machines, probably because stuff like EFI pstore will slow it down a ton if that's active. Signed-off-by: Jann Horn <jannh@google.com> Link: https://lore.kernel.org/r/20221107201317.324457-1-jannh@google.com Reviewed-by: Luis Chamberlain <mcgrof@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20221117234328.594699-2-keescook@chromium.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric W. Biederman
|
9a18c9c833 |
exit: Add and use make_task_dead.
commit 0e25498f8cd43c1b5aa327f373dd094e9a006da7 upstream. There are two big uses of do_exit. The first is it's design use to be the guts of the exit(2) system call. The second use is to terminate a task after something catastrophic has happened like a NULL pointer in kernel code. Add a function make_task_dead that is initialy exactly the same as do_exit to cover the cases where do_exit is called to handle catastrophic failure. In time this can probably be reduced to just a light wrapper around do_task_dead. For now keep it exactly the same so that there will be no behavioral differences introducing this new concept. Replace all of the uses of do_exit that use it for catastraphic task cleanup with make_task_dead to make it clear what the code is doing. As part of this rename rewind_stack_do_exit rewind_stack_and_make_dead. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Tiezhu Yang
|
119f6bcef7 |
panic: unset panic_on_warn inside panic()
commit 1a2383e8b84c0451fd9b1eec3b9aab16f30b597c upstream. In the current code, the following three places need to unset panic_on_warn before calling panic() to avoid recursive panics: kernel/kcsan/report.c: print_report() kernel/sched/core.c: __schedule_bug() mm/kfence/report.c: kfence_report_error() In order to avoid copy-pasting "panic_on_warn = 0" all over the places, it is better to move it inside panic() and then remove it from the other places. Link: https://lkml.kernel.org/r/1644324666-15947-4-git-send-email-yangtiezhu@loongson.cn Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Reviewed-by: Marco Elver <elver@google.com> Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Baoquan He <bhe@redhat.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Xuefeng Li <lixuefeng@loongson.cn> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Hao Sun
|
4923160393 |
bpf: Skip task with pid=1 in send_signal_common()
[ Upstream commit a3d81bc1eaef48e34dd0b9b48eefed9e02a06451 ] The following kernel panic can be triggered when a task with pid=1 attaches a prog that attempts to send killing signal to itself, also see [1] for more details: Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b CPU: 3 PID: 1 Comm: systemd Not tainted 6.1.0-09652-g59fe41b5255f #148 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x100/0x178 lib/dump_stack.c:106 panic+0x2c4/0x60f kernel/panic.c:275 do_exit.cold+0x63/0xe4 kernel/exit.c:789 do_group_exit+0xd4/0x2a0 kernel/exit.c:950 get_signal+0x2460/0x2600 kernel/signal.c:2858 arch_do_signal_or_restart+0x78/0x5d0 arch/x86/kernel/signal.c:306 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd So skip task with pid=1 in bpf_send_signal_common() to avoid the panic. [1] https://lore.kernel.org/bpf/20221222043507.33037-1-sunhao.th@gmail.com Signed-off-by: Hao Sun <sunhao.th@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Stanislav Fomichev <sdf@google.com> Link: https://lore.kernel.org/bpf/20230106084838.12690-1-sunhao.th@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Natalia Petrova
|
31b2414abe |
trace_events_hist: add check for return value of 'create_hist_field'
commit 8b152e9150d07a885f95e1fd401fc81af202d9a4 upstream.
Function 'create_hist_field' is called recursively at
trace_events_hist.c:1954 and can return NULL-value that's why we have
to check it to avoid null pointer dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Link: https://lkml.kernel.org/r/20230111120409.4111-1-n.petrova@fintech.ru
Cc: stable@vger.kernel.org
Fixes:
|
||
Steven Rostedt (Google)
|
76b2390fdc |
tracing: Make sure trace_printk() can output as soon as it can be used
commit 3bb06eb6e9acf7c4a3e1b5bc87aed398ff8e2253 upstream.
Currently trace_printk() can be used as soon as early_trace_init() is
called from start_kernel(). But if a crash happens, and
"ftrace_dump_on_oops" is set on the kernel command line, all you get will
be:
[ 0.456075] <idle>-0 0dN.2. 347519us : Unknown type 6
[ 0.456075] <idle>-0 0dN.2. 353141us : Unknown type 6
[ 0.456075] <idle>-0 0dN.2. 358684us : Unknown type 6
This is because the trace_printk() event (type 6) hasn't been registered
yet. That gets done via an early_initcall(), which may be early, but not
early enough.
Instead of registering the trace_printk() event (and other ftrace events,
which are not trace events) via an early_initcall(), have them registered at
the same time that trace_printk() can be used. This way, if there is a
crash before early_initcall(), then the trace_printk()s will actually be
useful.
Link: https://lkml.kernel.org/r/20230104161412.019f6c55@gandalf.local.home
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Fixes:
|
||
Petr Pavlu
|
4a4a22dda0 |
module: Don't wait for GOING modules
commit 0254127ab977e70798707a7a2b757c9f3c971210 upstream. During a system boot, it can happen that the kernel receives a burst of requests to insert the same module but loading it eventually fails during its init call. For instance, udev can make a request to insert a frequency module for each individual CPU when another frequency module is already loaded which causes the init function of the new module to return an error. Since commit |
||
Luis Gerhorst
|
81b3374944 |
bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation
[ Upstream commit e4f4db47794c9f474b184ee1418f42e6a07412b6 ]
To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to
insufficient speculative store bypass mitigation") inserts lfence
instructions after 1) initializing a stack slot and 2) spilling a
pointer to the stack.
However, this does not cover cases where a stack slot is first
initialized with a pointer (subject to sanitization) but then
overwritten with a scalar (not subject to sanitization because
the slot was already initialized). In this case, the second write
may be subject to speculative store bypass (SSB) creating a
speculative pointer-as-scalar type confusion. This allows the
program to subsequently leak the numerical pointer value using,
for example, a branch-based cache side channel.
To fix this, also sanitize scalars if they write a stack slot
that previously contained a pointer. Assuming that pointer-spills
are only generated by LLVM on register-pressure, the performance
impact on most real-world BPF programs should be small.
The following unprivileged BPF bytecode drafts a minimal exploit
and the mitigation:
[...]
// r6 = 0 or 1 (skalar, unknown user input)
// r7 = accessible ptr for side channel
// r10 = frame pointer (fp), to be leaked
//
r9 = r10 # fp alias to encourage ssb
*(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked
// lfence added here because of pointer spill to stack.
//
// Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor
// for no r9-r10 dependency.
//
*(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr
// 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,
// store may be subject to SSB
//
// fix: also add an lfence when the slot contained a ptr
//
r8 = *(u64 *)(r9 - 8)
// r8 = architecturally a scalar, speculatively a ptr
//
// leak ptr using branch-based cache side channel:
r8 &= 1 // choose bit to leak
if r8 == 0 goto SLOW // no mispredict
// architecturally dead code if input r6 is 0,
// only executes speculatively iff ptr bit is 1
r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)
SLOW:
[...]
After running this, the program can time the access to *(r7 + 0) to
determine whether the chosen pointer bit was 0 or 1. Repeat this 64
times to recover the whole address on amd64.
In summary, sanitization can only be skipped if one scalar is
overwritten with another scalar. Scalar-confusion due to speculative
store bypass can not lead to invalid accesses because the pointer
bounds deducted during verification are enforced using branchless
logic. See
|
||
Lee Jones
|
d0f21836e3 |
ANDROID: Revert "tracing/ring-buffer: Have polling block on watermark"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
bc37d9c8b3 |
This is the 5.4.230 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPPeCUACgkQONu9yGCS aT7d6g/9G6IgNQKClKxhVaIvcumu4QJXxLE8VOKlMaaCu3Ehby3zEuIgwNkM02CO DXzPmhHC/0KsCw4i/eNANhUndEBtrfl8esPBkTJRYQQV7NvOCEXa+73t68xnGgOY mRrCGeWdwnpIezaoOWn0IbWSkeW/zAytiBywYbYlOiJ+8CwUFRozviZq/m45kFmg AYgTMi1XYX+kxBDyhkWnHNttHyUwq0/lUySpvvaSQB8pIP8QFWf28y8lvQZbwmBT w3CiM/WbG2iGIidf1YYDKN/yLJuWaqZe/SZhOWgH6odle7EgIUCRHTuEcpgENS1D mYvBHcjeMv0KM2WOJVpspRyUMcfpDe/5ALJyNwqEg1f/U4Egjj/7NYtTYOukak4J We4x67F0KiKta+CObF3gw/BhCbzI0WI7vuT+jgq+/MTTCeul1NacdCbiZQzHPucy 2f6OOTrORzgHWJ4yHmEqdOOaDI/3qYBV7bLwZLdTGmCz9KozA9yCfEXufF88XH4l wrpUsHty5kUMCcgVwEAdea0+xbVtXxQwR5vZ54dt/cIxpBgW60RsFJp4lS5+OC4C 438hOpon/uupn2miIlLBi91ImXo/dofAUT1BoK/3gK50TGgslCJwOM6NzCvu67he Ssy59p+VKxUhzRjLOQG+82Ec9mSMGew5Pq0wTNwbsti40F41pnk= =YlBJ -----END PGP SIGNATURE----- Merge 5.4.230 into android11-5.4-lts Changes in 5.4.230 pNFS/filelayout: Fix coalescing test for single DS selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats RDMA/srp: Move large values to a new enum for gcc13 f2fs: let's avoid panic if extent_tree is not created wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices Add exception protection processing for vd in axi_chan_handle_err function nilfs2: fix general protection fault in nilfs_btree_insert() efi: fix userspace infinite retry read efivars after EFI runtime services page fault drm/i915/gt: Reset twice ALSA: hda/realtek - Turn on power early xhci-pci: set the dma max_seg_size usb: xhci: Check endpoint is valid before dereferencing it xhci: Fix null pointer dereference when host dies xhci: Add update_hub_device override for PCI xHCI hosts xhci: Add a flag to disable USB3 lpm on a xhci root port level. usb: acpi: add helper to check port lpm capability using acpi _DSM xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables prlimit: do_prlimit needs to have a speculation check USB: serial: option: add Quectel EM05-G (GR) modem USB: serial: option: add Quectel EM05-G (CS) modem USB: serial: option: add Quectel EM05-G (RS) modem USB: serial: option: add Quectel EC200U modem USB: serial: option: add Quectel EM05CN (SG) modem USB: serial: option: add Quectel EM05CN modem USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 misc: fastrpc: Don't remove map on creater_process and device_release misc: fastrpc: Fix use-after-free race condition for maps usb: core: hub: disable autosuspend for TI TUSB8041 comedi: adv_pci1760: Fix PWM instruction handling mmc: sunxi-mmc: Fix clock refcount imbalance during unbind btrfs: fix race between quota rescan and disable leading to NULL pointer deref cifs: do not include page data when checking signature USB: gadgetfs: Fix race between mounting and unmounting USB: serial: cp210x: add SCALANCE LPE-9000 device id usb: host: ehci-fsl: Fix module alias usb: typec: altmodes/displayport: Add pin assignment helper usb: typec: altmodes/displayport: Fix pin assignment calculation usb: gadget: g_webcam: Send color matching descriptor per frame usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 dt-bindings: phy: g12a-usb3-pcie-phy: fix compatible string documentation serial: pch_uart: Pass correct sg to dma_unmap_sg() dmaengine: tegra210-adma: fix global intr clear serial: atmel: fix incorrect baudrate setup gsmi: fix null-deref in gsmi_get_variable drm/i915: re-disable RC6p on Sandy Bridge drm/amd/display: Fix set scaling doesn's work drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma Linux 5.4.230 Change-Id: I6ea8f9dd4f7fe6db9ffdf34f8b914498aa7e34c3 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Greg Kroah-Hartman
|
96b02125dd |
prlimit: do_prlimit needs to have a speculation check
commit 739790605705ddcf18f21782b9c99ad7d53a8c11 upstream. do_prlimit() adds the user-controlled resource value to a pointer that will subsequently be dereferenced. In order to help prevent this codepath from being used as a spectre "gadget" a barrier needs to be added after checking the range. Reported-by: Jordy Zomer <jordyzomer@google.com> Tested-by: Jordy Zomer <jordyzomer@google.com> Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
68fdd20442 |
This is the 5.4.229 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPHzUQACgkQONu9yGCS
aT7QohAAtxV33qGSKGUdKMZk1JzIYuc8tAa+CHZhTi6xjTsoy1a5MlQGrj8a9YQ7
/5VvwslGSn29h/ThO/ai04CfeOsWugMtnuo4mT4+198DgH0CNQMlfWq2c25cCvY6
dIrrMTA7B2YhpdbjM4vkX8QIAxBVCHOVkseSammhMnujP7d+k4LtC6rRV4uiF+lD
cKtsIJn8h+pezBeo5+pjvcTwndaAoApVOES4uOjJcf9pYOOoHxyi+8StpiO+j2Pv
sRvkbvvmpS+IWAH+DMa3SAFI3C3AihX2Fu0rIFzUZByAviB1NmyWluX5mU54wW3R
P80fl0rQFwuygEBU1UqTXe4hQ8YYwpJGAQzbLR22a11IT2MSO+vMRINdqG1un2BE
T9hHix5R0JMeIN9AP7nKGBLrEZ3V6DqxEBz6ZC1sOUIIVQv93twtiwb0rNM0e7pq
PpkIXpwXPIgqFDGXrd0y5ksRT08jJUKCRttuRVWkcGX8adotngWnrl0WBI5zqSuo
B+x8X9Dw7YblJ6yQ+8mAZGk0Mj3j+cb4uhuRaz/6rqHmFOrbHm+JDXvPzZY65xy3
k8Ebtq5CxINLDwahfb/o13MgbmzMPPNPPp0cz23zOhm88OmwVzB4hAoB/1CfHZvF
XhSbZMVBhhP9hYr2gYl902EQeZGE5yjk5xhFT5Wrh7QoZaPW2XM=
=as6n
-----END PGP SIGNATURE-----
Merge 5.4.229 into android11-5.4-lts
Changes in 5.4.229
tracing/ring-buffer: Only do full wait when cpu != RING_BUFFER_ALL_CPUS
udf: Discard preallocation before extending file with a hole
udf: Fix preallocation discarding at indirect extent boundary
udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size
udf: Fix extending file within last block
usb: gadget: uvc: Prevent buffer overflow in setup handler
USB: serial: option: add Quectel EM05-G modem
USB: serial: cp210x: add Kamstrup RF sniffer PIDs
USB: serial: f81232: fix division by zero on line-speed change
USB: serial: f81534: fix division by zero on line-speed change
igb: Initialize mailbox message for VF reset
xen-netback: move removal of "hotplug-status" to the right place
HID: ite: Add support for Acer S1002 keyboard-dock
HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch 10E
HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10
HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk
Bluetooth: L2CAP: Fix u8 overflow
net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
usb: musb: remove extra check in musb_gadget_vbus_draw
ARM: dts: qcom: apq8064: fix coresight compatible
arm64: dts: qcom: sdm845-cheza: fix AP suspend pin bias
drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
arm: dts: spear600: Fix clcd interrupt
soc: ti: knav_qmss_queue: Use pm_runtime_resume_and_get instead of pm_runtime_get_sync
soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe
soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init()
perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()
arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators
arm64: dts: mt2712e: Fix unit address for pinctrl node
arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names
arm64: dts: mt2712-evb: Fix usb vbus regulators unit names
arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name
ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
ARM: dts: turris-omnia: Add ethernet aliases
ARM: dts: turris-omnia: Add switch port 6 node
arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC
pstore/ram: Fix error return code in ramoops_probe()
ARM: mmp: fix timer_read delay
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
cpuidle: dt: Return the correct numbers of parsed idle states
alpha: fix syscall entry in !AUDUT_SYSCALL case
PM: hibernate: Fix mistake in kerneldoc comment
fs: don't audit the capability check in simple_xattr_list()
selftests/ftrace: event_triggers: wait longer for test_event_enable
perf: Fix possible memleak in pmu_dev_alloc()
timerqueue: Use rb_entry_safe() in timerqueue_getnext()
proc: fixup uptime selftest
lib/fonts: fix undefined behavior in bit shift for get_default_font
ocfs2: fix memory leak in ocfs2_stack_glue_init()
MIPS: vpe-mt: fix possible memory leak while module exiting
MIPS: vpe-cmp: fix possible memory leak while module exiting
selftests/efivarfs: Add checking of the test return value
PNP: fix name memory leak in pnp_alloc_dev()
perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()
irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()
nfsd: don't call nfsd_file_put from client states seqfile display
genirq/irqdesc: Don't try to remove non-existing sysfs files
cpufreq: amd_freq_sensitivity: Add missing pci_dev_put()
libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
lib/notifier-error-inject: fix error when writing -errno to debugfs file
docs: fault-injection: fix non-working usage of negative values
debugfs: fix error when writing negative value to atomic_t debugfs file
ocfs2: ocfs2_mount_volume does cleanup job before return error
ocfs2: rewrite error handling of ocfs2_fill_super
ocfs2: fix memory leak in ocfs2_mount_volume()
rapidio: fix possible name leaks when rio_add_device() fails
rapidio: rio: fix possible name leak in rio_register_mport()
clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
xen/events: only register debug interrupt for 2-level events
x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()
x86/xen: Fix memory leak in xen_init_lock_cpu()
xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
PM: runtime: Improve path in rpm_idle() when no callback
PM: runtime: Do not call __rpm_callback() from rpm_idle()
platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
MIPS: BCM63xx: Add check for NULL for clk in clk_enable
MIPS: OCTEON: warn only once if deprecated link status is being used
fs: sysv: Fix sysv_nblocks() returns wrong value
rapidio: fix possible UAF when kfifo_alloc() fails
eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD
relay: fix type mismatch when allocating memory in relay_create_buf()
hfs: Fix OOB Write in hfs_asc2mac
rapidio: devices: fix missing put_device in mport_cdev_open
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
wifi: rtl8xxxu: Fix reading the vendor of combo chips
pata_ipx4xx_cf: Fix unsigned comparison with less than zero
media: i2c: ad5820: Fix error path
can: kvaser_usb: do not increase tx statistics when sending error message frames
can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device
can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event
can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT
can: kvaser_usb_leaf: Set Warning state even without bus errors
can: kvaser_usb_leaf: Fix improved state not being reported
can: kvaser_usb_leaf: Fix wrong CAN state after stopping
can: kvaser_usb_leaf: Fix bogus restart events
can: kvaser_usb: Add struct kvaser_usb_busparams
can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming
clk: renesas: r9a06g032: Repair grave increment error
spi: Update reference to struct spi_controller
drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure
ima: Rename internal filter rule functions
ima: Fix fall-through warnings for Clang
ima: Handle -ESTALE returned by ima_filter_rule_match()
media: vivid: fix compose size exceed boundary
bpf: propagate precision in ALU/ALU64 operations
mtd: Fix device name leak when register device failed in add_mtd_device()
wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port
media: camss: Clean up received buffers on failed start of streaming
net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write()
rxrpc: Fix ack.bufferSize to be 0 when generating an ack
drm/radeon: Add the missed acpi_put_table() to fix memory leak
drm/mediatek: Modify dpi power on/off sequence.
ASoC: pxa: fix null-pointer dereference in filter()
regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()
integrity: Fix memory leakage in keyring allocation error path
ima: Fix misuse of dereference of pointer in template_desc_init_fields()
wifi: ath10k: Fix return value in ath10k_pci_init()
mtd: lpddr2_nvm: Fix possible null-ptr-deref
Input: elants_i2c - properly handle the reset GPIO when power is off
media: solo6x10: fix possible memory leak in solo_sysfs_init()
media: platform: exynos4-is: Fix error handling in fimc_md_init()
media: videobuf-dma-contig: use dma_mmap_coherent
bpf: Move skb->len == 0 checks into __bpf_redirect
HID: hid-sensor-custom: set fixed size for custom attributes
ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT
ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
regulator: core: use kfree_const() to free space conditionally
clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
bonding: Export skip slave logic to function
bonding: Rename slave_arr to usable_slaves
bonding: fix link recovery in mode 2 when updelay is nonzero
mtd: maps: pxa2xx-flash: fix memory leak in probe
media: imon: fix a race condition in send_packet()
clk: imx8mn: correct the usb1_ctrl parent to be usb_bus
clk: imx: replace osc_hdmi with dummy
pinctrl: pinconf-generic: add missing of_node_put()
media: dvb-core: Fix ignored return value in dvb_register_frontend()
media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC
drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe()
ASoC: dt-bindings: wcd9335: fix reset line polarity in example
ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd
NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding
NFSv4.2: Fix a memory stomp in decode_attr_security_label
NFSv4.2: Fix initialisation of struct nfs4_label
NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
ALSA: asihpi: fix missing pci_disable_device()
wifi: iwlwifi: mvm: fix double free on tx path.
ASoC: mediatek: mt8173: Enable IRQ when pdata is ready
drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
netfilter: conntrack: set icmpv6 redirects as RELATED
bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect
bonding: uninitialized variable in bond_miimon_inspect()
spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE
wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails
regulator: core: fix module refcount leak in set_supply()
clk: qcom: clk-krait: fix wrong div2 functions
hsr: Avoid double remove of a node.
configfs: fix possible memory leak in configfs_create_dir()
regulator: core: fix resource leak in regulator_register()
bpf, sockmap: fix race in sock_map_free()
media: saa7164: fix missing pci_disable_device()
ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
xprtrdma: Fix regbuf data not freed in rpcrdma_req_create()
SUNRPC: Fix missing release socket in rpc_sockname()
NFSv4.x: Fail client initialisation if state manager thread can't run
mmc: alcor: fix return value check of mmc_add_host()
mmc: moxart: fix return value check of mmc_add_host()
mmc: mxcmmc: fix return value check of mmc_add_host()
mmc: pxamci: fix return value check of mmc_add_host()
mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
mmc: toshsd: fix return value check of mmc_add_host()
mmc: vub300: fix return value check of mmc_add_host()
mmc: wmt-sdmmc: fix return value check of mmc_add_host()
mmc: atmel-mci: fix return value check of mmc_add_host()
mmc: omap_hsmmc: fix return value check of mmc_add_host()
mmc: meson-gx: fix return value check of mmc_add_host()
mmc: via-sdmmc: fix return value check of mmc_add_host()
mmc: wbsd: fix return value check of mmc_add_host()
mmc: mmci: fix return value check of mmc_add_host()
media: c8sectpfe: Add of_node_put() when breaking out of loop
media: coda: Add check for dcoda_iram_alloc
media: coda: Add check for kmalloc
clk: samsung: Fix memory leak in _samsung_clk_register_pll()
spi: spi-gpio: Don't set MOSI as an input if not 3WIRE mode
wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
blktrace: Fix output non-blktrace event when blk_classic option enabled
clk: socfpga: clk-pll: Remove unused variable 'rc'
clk: socfpga: use clk_hw_register for a5/c5
clk: socfpga: Fix memory leak in socfpga_gate_init()
net: vmw_vsock: vmci: Check memcpy_from_msg()
net: defxx: Fix missing err handling in dfx_init()
net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload()
drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop()
ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
net: farsync: Fix kmemleak when rmmods farsync
net/tunnel: wait until all sk_user_data reader finish before releasing the sock
net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave()
net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave()
net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave()
net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave()
hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave()
net: amd-xgbe: Fix logic around active and passive cables
net: amd-xgbe: Check only the minimum speed for active/passive cables
can: tcan4x5x: Remove invalid write in clear_interrupts
net: lan9303: Fix read error execution path
ntb_netdev: Use dev_kfree_skb_any() in interrupt context
Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
stmmac: fix potential division by 0
apparmor: fix a memleak in multi_transaction_new()
apparmor: fix lockdep warning when removing a namespace
apparmor: Fix abi check to include v8 abi
apparmor: Use pointer to struct aa_label for lbs_cred
RDMA/core: Fix order of nldev_exit call
f2fs: fix normal discard process
RDMA/siw: Fix immediate work request flush to completion queue
RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port
RDMA/siw: Set defined status for work completion with undefined status
scsi: scsi_debug: Fix a warning in resp_write_scat()
crypto: ccree - swap SHA384 and SHA512 larval hashes at build time
crypto: ccree - Remove debugfs when platform_driver_register failed
PCI: Check for alloc failure in pci_request_irq()
RDMA/hfi: Decrease PCI device reference count in error path
crypto: ccree - Make cc_debugfs_global_fini() available for module init function
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
scsi: hpsa: Fix possible memory leak in hpsa_init_one()
crypto: tcrypt - Fix multibuffer skcipher speed test mem leak
scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
scsi: hpsa: Fix error handling in hpsa_add_sas_host()
scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
scsi: fcoe: Fix possible name leak when device_register() fails
scsi: ipr: Fix WARNING in ipr_init()
scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
scsi: snic: Fix possible UAF in snic_tgt_create()
RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps()
f2fs: avoid victim selection from previous victim section
crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe()
RDMA/hfi1: Fix error return code in parse_platform_config()
orangefs: Fix sysfs not cleanup when dev init failed
crypto: img-hash - Fix variable dereferenced before check 'hdev->req'
hwrng: amd - Fix PCI device refcount leak
hwrng: geode - Fix PCI device refcount leak
IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
drivers: dio: fix possible memory leak in dio_init()
tty: serial: tegra: Activate RX DMA transfer by request
serial: tegra: Read DMA status before terminating
class: fix possible memory leak in __class_register()
vfio: platform: Do not pass return buffer to ACPI _RST method
uio: uio_dmem_genirq: Fix missing unlock in irq configuration
uio: uio_dmem_genirq: Fix deadlock between irq config and handling
usb: fotg210-udc: Fix ages old endianness issues
staging: vme_user: Fix possible UAF in tsi148_dma_list_add
usb: typec: Check for ops->exit instead of ops->enter in altmode_exit
usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()
serial: amba-pl011: avoid SBSA UART accessing DMACR register
serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle.
serial: pch: Fix PCI device refcount leak in pch_request_dma()
tty: serial: clean up stop-tx part in altera_uart_tx_chars()
tty: serial: altera_uart_{r,t}x_chars() need only uart_port
serial: altera_uart: fix locking in polling mode
serial: sunsab: Fix error handling in sunsab_init()
test_firmware: fix memory leak in test_firmware_init()
misc: ocxl: fix possible name leak in ocxl_file_register_afu()
misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update
usb: roles: fix of node refcount leak in usb_role_switch_is_parent()
usb: gadget: f_hid: optional SETUP/SET_REPORT mode
usb: gadget: f_hid: fix f_hidg lifetime vs cdev
usb: gadget: f_hid: fix refcount leak on error path
drivers: mcb: fix resource leak in mcb_probe()
mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
chardev: fix error handling in cdev_device_add()
i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe
staging: rtl8192u: Fix use after free in ieee80211_rx()
staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()
vme: Fix error not catched in fake_init()
i2c: ismt: Fix an out-of-bounds bug in ismt_access()
usb: storage: Add check for kcalloc
tracing/hist: Fix issue of losting command info in error_log
samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe()
fbdev: ssd1307fb: Drop optional dependency
fbdev: pm2fb: fix missing pci_disable_device()
fbdev: via: Fix error in via_core_init()
fbdev: vermilion: decrease reference count in error path
fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
power: supply: fix residue sysfs file in error handle route of __power_supply_register()
perf trace: Return error if a system call doesn't exist
perf trace: Separate 'struct syscall_fmt' definition from syscall_fmts variable
perf trace: Factor out the initialization of syscal_arg_fmt->scnprintf
perf trace: Add the syscall_arg_fmt pointer to syscall_arg
perf trace: Allow associating scnprintf routines with well known arg names
perf trace: Add a strtoul() method to 'struct syscall_arg_fmt'
perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number
perf trace: Handle failure when trace point folder is missed
perf symbol: correction while adjusting symbol
HSI: omap_ssi_core: Fix error handling in ssi_init()
power: supply: fix null pointer dereferencing in power_supply_get_battery_info
RDMA/siw: Fix pointer cast warning
include/uapi/linux/swab: Fix potentially missing __always_inline
rtc: snvs: Allow a time difference on clock register read
rtc: pcf85063: Fix reading alarm
iommu/amd: Fix pci device refcount leak in ppr_notifier()
iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
macintosh: fix possible memory leak in macio_add_one_device()
macintosh/macio-adb: check the return value of ioremap()
powerpc/52xx: Fix a resource leak in an error handling path
cxl: Fix refcount leak in cxl_calc_capp_routing
powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data()
powerpc/perf: callchain validate kernel stack pointer bounds
powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe()
powerpc/hv-gpci: Fix hv_gpci event list
selftests/powerpc: Fix resource leaks
pwm: sifive: Call pwm_sifive_update_clock() while mutex is held
remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()
remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in adsp_alloc_memory_region()
rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe()
nfsd: Define the file access mode enum for tracing
NFSD: Add tracepoints to NFSD's duplicate reply cache
nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
nfc: pn533: Clear nfc_target before being used
r6040: Fix kmemleak in probe and remove
rtc: mxc_v2: Add missing clk_disable_unprepare()
openvswitch: Fix flow lookup to use unmasked key
skbuff: Account for tail adjustment during pull operations
mailbox: zynq-ipi: fix error handling while device_register() fails
net_sched: reject TCF_EM_SIMPLE case for complex ematch module
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
myri10ge: Fix an error handling path in myri10ge_probe()
net: stream: purge sk_error_queue in sk_stream_kill_queues()
rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state()
binfmt_misc: fix shift-out-of-bounds in check_special_flags
fs: jfs: fix shift-out-of-bounds in dbAllocAG
udf: Avoid double brelse() in udf_rename()
fs: jfs: fix shift-out-of-bounds in dbDiscardAG
ACPICA: Fix error code path in acpi_ds_call_control_method()
nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
acct: fix potential integer overflow in encode_comp_t()
hfs: fix OOB Read in __hfs_brec_find
drm/etnaviv: add missing quirks for GC300
brcmfmac: return error when getting invalid max_flowrings from dongle
wifi: ath9k: verify the expected usb_endpoints are present
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
ASoC: codecs: rt298: Add quirk for KBL-R RVP platform
ipmi: fix memleak when unload ipmi driver
bpf: make sure skb->len != 0 when redirecting to a tunneling device
net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
hamradio: baycom_epp: Fix return type of baycom_send_packet()
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
igb: Do not free q_vector unless new one was allocated
s390/ctcm: Fix return type of ctc{mp,}m_tx()
s390/netiucv: Fix return type of netiucv_tx()
s390/lcs: Fix return type of lcs_start_xmit()
drm/rockchip: Use drm_mode_copy()
drm/sti: Use drm_mode_copy()
drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()
md/raid1: stop mdx_raid1 thread when raid1 array run failed
net: add atomic_long_t to net_device_stats fields
mrp: introduce active flags to prevent UAF when applicant uninit
ppp: associate skb with a device at tx
bpf: Prevent decl_tag from being referenced in func_proto arg
media: dvb-frontends: fix leak of memory fw
media: dvbdev: adopts refcnt to avoid UAF
media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
blk-mq: fix possible memleak when register 'hctx' failed
regulator: core: fix use_count leakage when handling boot-on
mmc: f-sdh30: Add quirks for broken timeout clock capability
media: si470x: Fix use-after-free in si470x_int_in_callback()
clk: st: Fix memory leak in st_of_quadfs_setup()
hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()
ALSA/ASoC: hda: move/rename snd_hdac_ext_stop_streams to hdac_stream.c
ALSA: hda: add snd_hdac_stop_streams() helper
ASoC: Intel: Skylake: Fix driver hang during shutdown
ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe()
ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link()
ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume()
ASoC: wm8994: Fix potential deadlock
ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume()
ASoC: rt5670: Remove unbalanced pm_runtime_put()
pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion
pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES
ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB
ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list
usb: dwc3: core: defer probe on ulpi_read_id timeout
HID: wacom: Ensure bootloader PID is usable in hidraw mode
reiserfs: Add missing calls to reiserfs_security_free()
iio: adc: ad_sigma_delta: do not use internal iio_dev lock
iio: adc128s052: add proper .data members in adc128_of_match table
regulator: core: fix deadlock on regulator enable
gcov: add support for checksum field
media: dvbdev: fix build warning due to comments
media: dvbdev: fix refcnt bug
cifs: fix oops during encryption
nvme-pci: fix doorbell buffer value endianness
ata: ahci: Fix PCS quirk application for suspend
nvme: resync include/linux/nvme.h with nvmecli
nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition
objtool: Fix SEGFAULT
powerpc/rtas: avoid device tree lookups in rtas_os_term()
powerpc/rtas: avoid scheduling in rtas_os_term()
HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint
HID: plantronics: Additional PIDs for double volume key presses quirk
hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount
ovl: Use ovl mounter's fsuid and fsgid in ovl_link()
ALSA: line6: correct midi status byte when receiving data from podxt
ALSA: line6: fix stack overflow in line6_midi_transmit
pnode: terminate at peers of source
md: fix a crash in mempool_free
mm, compaction: fix fast_isolate_around() to stay within boundaries
f2fs: should put a page when checking the summary info
mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak
tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak
SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO
net/af_packet: make sure to pull mac header
media: stv0288: use explicitly signed char
soc: qcom: Select REMAP_MMIO for LLCC driver
kest.pl: Fix grub2 menu handling for rebooting
ktest.pl minconfig: Unset configs instead of just removing them
mmc: sdhci-sprd: Disable CLK_AUTO when the clock is less than 400K
btrfs: fix resolving backrefs for inline extent followed by prealloc
ARM: ux500: do not directly dereference __iomem
arm64: dts: qcom: sdm850-lenovo-yoga-c630: correct I2C12 pins drive strength
selftests: Use optional USERCFLAGS and USERLDFLAGS
cpufreq: Init completion before kobject_init_and_add()
binfmt: Move install_exec_creds after setup_new_exec to match binfmt_elf
binfmt: Fix error return code in load_elf_fdpic_binary()
dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort
dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata
dm thin: Use last transaction's pmd->root when commit failed
dm thin: Fix UAF in run_timer_softirq()
dm integrity: Fix UAF in dm_integrity_dtr()
dm clone: Fix UAF in clone_dtr()
dm cache: Fix UAF in destroy()
dm cache: set needs_check flag after aborting metadata
tracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx'
x86/microcode/intel: Do not retry microcode reloading on the APs
tracing/hist: Fix wrong return value in parse_action_params()
tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line
ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod
media: dvb-core: Fix double free in dvb_register_device()
media: dvb-core: Fix UAF due to refcount races at releasing
cifs: fix confusing debug message
cifs: fix missing display of three mount options
md/bitmap: Fix bitmap chunk size overflow issues
efi: Add iMac Pro 2017 to uefi skip cert quirk
ipmi: fix long wait in unload when IPMI disconnect
mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type()
ima: Fix a potential NULL pointer access in ima_restore_measurement_list
ipmi: fix use after free in _ipmi_destroy_user()
PCI: Fix pci_device_is_present() for VFs by checking PF
PCI/sysfs: Fix double free in error path
crypto: n2 - add missing hash statesize
iommu/amd: Fix ivrs_acpihid cmdline parsing code
parisc: led: Fix potential null-ptr-deref in start_task()
device_cgroup: Roll back to original exceptions after copy failure
drm/connector: send hotplug uevent on connector cleanup
drm/vmwgfx: Validate the box size for the snooped cursor
ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop
ext4: fix undefined behavior in bit shift for ext4_check_flag_values
ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode
ext4: add helper to check quota inums
ext4: fix reserved cluster accounting in __es_remove_extent()
ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
ext4: init quota for 'old.inode' in 'ext4_rename'
ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline
ext4: fix corruption when online resizing a 1K bigalloc fs
ext4: fix error code return to user-space in ext4_get_branch()
ext4: avoid BUG_ON when creating xattrs
ext4: fix inode leak in ext4_xattr_inode_create() on an error path
ext4: initialize quota before expanding inode in setproject ioctl
ext4: avoid unaccounted block allocation when expanding inode
ext4: allocate extended attribute value in vmalloc area
btrfs: replace strncpy() with strscpy()
PM/devfreq: governor: Add a private governor_data for governor
media: s5p-mfc: Fix to handle reference queue during finishing
media: s5p-mfc: Clear workbit to handle error condition
media: s5p-mfc: Fix in register read and write for H264
dm thin: resume even if in FAIL mode
perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor
perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data
KVM: x86: optimize more exit handlers in vmx.c
KVM: retpolines: x86: eliminate retpoline from vmx.c exit handlers
KVM: VMX: Rename INTERRUPT_PENDING to INTERRUPT_WINDOW
KVM: VMX: Rename NMI_PENDING to NMI_WINDOW
KVM: VMX: Fix the spelling of CPU_BASED_USE_TSC_OFFSETTING
KVM: nVMX: Properly expose ENABLE_USR_WAIT_PAUSE control to L1
ravb: Fix "failed to switch device to config mode" message during unbind
ext4: goto right label 'failed_mount3a'
ext4: correct inconsistent error msg in nojournal mode
mm/highmem: Lift memcpy_[to|from]_page to core
ext4: use memcpy_to_page() in pagecache_write()
fs: ext4: initialize fsdata in pagecache_write()
ext4: use kmemdup() to replace kmalloc + memcpy
mbcache: don't reclaim used entries
mbcache: add functions to delete entry if unused
ext4: remove EA inode entry from mbcache on inode eviction
ext4: unindent codeblock in ext4_xattr_block_set()
ext4: fix race when reusing xattr blocks
mbcache: automatically delete entries from cache on freeing
ext4: fix deadlock due to mbcache entry corruption
SUNRPC: ensure the matching upcall is in-flight upon downcall
bpf: pull before calling skb_postpull_rcsum()
nfsd: shut down the NFSv4 state objects before the filecache
net: hns3: add interrupts re-initialization while doing VF FLR
net: sched: fix memory leak in tcindex_set_parms
qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure
nfc: Fix potential resource leaks
vhost: fix range used in translate_desc()
net: amd-xgbe: add missed tasklet_kill
net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe
RDMA/uverbs: Silence shiftTooManyBitsSigned warning
RDMA/mlx5: Fix validation of max_rd_atomic caps for DC
net: sched: atm: dont intepret cls results when asked to drop
net: sched: cbq: dont intepret cls results when asked to drop
perf tools: Fix resources leak in perf_data__open_dir()
drivers/net/bonding/bond_3ad: return when there's no aggregator
usb: rndis_host: Secure rndis_query check against int overflow
drm/i915: unpin on error in intel_vgpu_shadow_mm_pin()
caif: fix memory leak in cfctrl_linkup_request()
udf: Fix extension of the last extent in the file
ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet
x86/bugs: Flush IBP in ib_prctl_set()
nfsd: fix handling of readdir in v4root vs. mount upcall timeout
riscv: uaccess: fix type of 0 variable on error in get_user()
ext4: don't allow journal inode to have encrypt flag
hfs/hfsplus: use WARN_ON for sanity check
hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
mbcache: Avoid nesting of cache->c_list_lock under bit locks
parisc: Align parisc MADV_XXX constants with all other architectures
selftests: Fix kselftest O=objdir build from cluttering top level objdir
selftests: set the BUILD variable to absolute path
driver core: Fix bus_type.match() error handling in __driver_attach()
net: sched: disallow noqueue for qdisc classes
KVM: arm64: Fix S1PTW handling on RO memslots
efi: tpm: Avoid READ_ONCE() for accessing the event log
docs: Fix the docs build with Sphinx 6.0
perf auxtrace: Fix address filter duplicate symbol selection
s390/kexec: fix ipl report address for kdump
s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
net/ulp: prevent ULP without clone op from entering the LISTEN status
ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
ALSA: hda/hdmi: Add a HP device 0x8715 to force connect list
cifs: Fix uninitialized memory read for smb311 posix symlink create
drm/msm/adreno: Make adreno quirks not overwrite each other
platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe
ixgbe: fix pci device refcount leak
ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
wifi: wilc1000: sdio: fix module autoloading
usb: ulpi: defer ulpi_register on ulpi_read_id timeout
jbd2: use the correct print format
quota: Factor out setup of quota inode
ext4: fix bug_on in __es_tree_search caused by bad quota inode
ext4: lost matching-pair of trace in ext4_truncate
ext4: fix use-after-free in ext4_orphan_cleanup
ext4: fix uninititialized value in 'ext4_evict_inode'
netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
powerpc/imc-pmu: Fix use of mutex in IRQs disabled section
x86/boot: Avoid using Intel mnemonics in AT&T syntax asm
EDAC/device: Fix period calculation in edac_device_reset_delay_period()
regulator: da9211: Use irq handler when ready
tipc: improve throughput between nodes in netns
tipc: eliminate checking netns if node established
tipc: fix unexpected link reset due to discovery messages
hvc/xen: lock console list traversal
nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()
net/sched: act_mpls: Fix warning during failed attribute validation
net/mlx5: Rename ptp clock info
net/mlx5: Fix ptp max frequency adjustment range
iommu/mediatek-v1: Add error handle for mtk_iommu_probe
iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe()
x86/resctrl: Use task_curr() instead of task_struct->on_cpu to prevent unnecessary IPI
x86/resctrl: Fix task CLOSID/RMID update race
drm/virtio: Fix GEM handle creation UAF
arm64: atomics: format whitespace consistently
arm64: atomics: remove LL/SC trampolines
arm64: cmpxchg_double*: hazard against entire exchange variable
efi: fix NULL-deref in init error path
mm: Always release pages to the buddy allocator in memblock_free_late().
Revert "usb: ulpi: defer ulpi_register on ulpi_read_id timeout"
tipc: fix use-after-free in tipc_disc_rcv()
tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't started
tipc: Add a missing case of TIPC_DIRECT_MSG type
ocfs2: fix freeing uninitialized resource on ocfs2_dlm_shutdown
tipc: call tipc_lxc_xmit without holding node_read_lock
Linux 5.4.229
Change-Id: If8e35d5d3e707352766ae3e4b665fd2369d9382b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Yang Jihong
|
c42cb66a89 |
tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line
commit c1ac03af6ed45d05786c219d102f37eb44880f28 upstream.
print_trace_line may overflow seq_file buffer. If the event is not
consumed, the while loop keeps peeking this event, causing a infinite loop.
Link: https://lkml.kernel.org/r/20221129113009.182425-1-yangjihong1@huawei.com
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: stable@vger.kernel.org
Fixes:
|
||
Zheng Yejian
|
cb03fc217b |
tracing/hist: Fix wrong return value in parse_action_params()
commit 2cc6a528882d0e0ccbc1bca5f95b8c963cedac54 upstream.
When number of synth fields is more than SYNTH_FIELDS_MAX,
parse_action_params() should return -EINVAL.
Link: https://lore.kernel.org/linux-trace-kernel/20221207034635.2253990-1-zhengyejian1@huawei.com
Cc: <mhiramat@kernel.org>
Cc: <zanussi@kernel.org>
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Zheng Yejian
|
cf79d5410a |
tracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx'
commit 82470f7d9044842618c847a7166de2b7458157a7 upstream. When generate a synthetic event with many params and then create a trace action for it [1], kernel panic happened [2]. It is because that in trace_action_create() 'data->n_params' is up to SYNTH_FIELDS_MAX (current value is 64), and array 'data->var_ref_idx' keeps indices into array 'hist_data->var_refs' for each synthetic event param, but the length of 'data->var_ref_idx' is TRACING_MAP_VARS_MAX (current value is 16), so out-of-bound write happened when 'data->n_params' more than 16. In this case, 'data->match_data.event' is overwritten and eventually cause the panic. To solve the issue, adjust the length of 'data->var_ref_idx' to be SYNTH_FIELDS_MAX and add sanity checks to avoid out-of-bound write. [1] # cd /sys/kernel/tracing/ # echo "my_synth_event int v1; int v2; int v3; int v4; int v5; int v6;\ int v7; int v8; int v9; int v10; int v11; int v12; int v13; int v14;\ int v15; int v16; int v17; int v18; int v19; int v20; int v21; int v22;\ int v23; int v24; int v25; int v26; int v27; int v28; int v29; int v30;\ int v31; int v32; int v33; int v34; int v35; int v36; int v37; int v38;\ int v39; int v40; int v41; int v42; int v43; int v44; int v45; int v46;\ int v47; int v48; int v49; int v50; int v51; int v52; int v53; int v54;\ int v55; int v56; int v57; int v58; int v59; int v60; int v61; int v62;\ int v63" >> synthetic_events # echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm=="bash"' >> \ events/sched/sched_waking/trigger # echo "hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\ pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\ pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\ pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\ pid,pid,pid,pid,pid,pid,pid,pid,pid)" >> events/sched/sched_switch/trigger [2] BUG: unable to handle page fault for address: ffff91c900000000 PGD 61001067 P4D 61001067 PUD 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 2 PID: 322 Comm: bash Tainted: G W 6.1.0-rc8+ #229 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:strcmp+0xc/0x30 Code: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee c3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14 07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3 RSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000 RDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000 RBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000 R10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580 R13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538 FS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0 Call Trace: <TASK> __find_event_file+0x55/0x90 action_create+0x76c/0x1060 event_hist_trigger_parse+0x146d/0x2060 ? event_trigger_write+0x31/0xd0 trigger_process_regex+0xbb/0x110 event_trigger_write+0x6b/0xd0 vfs_write+0xc8/0x3e0 ? alloc_fd+0xc0/0x160 ? preempt_count_add+0x4d/0xa0 ? preempt_count_add+0x70/0xa0 ksys_write+0x5f/0xe0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f1d1d0cf077 Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 RSP: 002b:00007ffcebb0e568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000143 RCX: 00007f1d1d0cf077 RDX: 0000000000000143 RSI: 00005639265aa7e0 RDI: 0000000000000001 RBP: 00005639265aa7e0 R08: 000000000000000a R09: 0000000000000142 R10: 000056392639c017 R11: 0000000000000246 R12: 0000000000000143 R13: 00007f1d1d1ae6a0 R14: 00007f1d1d1aa4a0 R15: 00007f1d1d1a98a0 </TASK> Modules linked in: CR2: ffff91c900000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:strcmp+0xc/0x30 Code: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee c3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14 07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3 RSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000 RDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000 RBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000 R10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580 R13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538 FS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0 Link: https://lore.kernel.org/linux-trace-kernel/20221207035143.2278781-1-zhengyejian1@huawei.com Cc: <mhiramat@kernel.org> Cc: <zanussi@kernel.org> Cc: stable@vger.kernel.org Fixes: d380dcde9a07 ("tracing: Fix now invalid var_ref_vals assumption in trace action") Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Rickard x Andersson
|
2a0e42877d |
gcov: add support for checksum field
commit e96b95c2b7a63a454b6498e2df67aac14d046d13 upstream. In GCC version 12.1 a checksum field was added. This patch fixes a kernel crash occurring during boot when using gcov-kernel with GCC version 12.2. The crash occurred on a system running on i.MX6SX. Link: https://lkml.kernel.org/r/20221220102318.3418501-1-rickaran@axis.com Fixes: 977ef30a7d88 ("gcov: support GCC 12.1 and newer compilers") Signed-off-by: Rickard x Andersson <rickaran@axis.com> Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com> Tested-by: Peter Oberparleiter <oberpar@linux.ibm.com> Reviewed-by: Martin Liska <mliska@suse.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Stanislav Fomichev
|
89357aa97b |
bpf: Prevent decl_tag from being referenced in func_proto arg
[ Upstream commit f17472d4599697d701aa239b4c475a506bccfd19 ]
Syzkaller managed to hit another decl_tag issue:
btf_func_proto_check kernel/bpf/btf.c:4506 [inline]
btf_check_all_types kernel/bpf/btf.c:4734 [inline]
btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763
btf_parse kernel/bpf/btf.c:5042 [inline]
btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709
bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342
__sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034
__do_sys_bpf kernel/bpf/syscall.c:5093 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5091 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091
do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
This seems similar to commit ea68376c8bed ("bpf: prevent decl_tag from being
referenced in func_proto") but for the argument.
Reported-by: syzbot+8dd0551dda6020944c5d@syzkaller.appspotmail.com
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20221123035422.872531-2-sdf@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Zheng Yejian
|
a815a3e019 |
acct: fix potential integer overflow in encode_comp_t()
[ Upstream commit c5f31c655bcc01b6da53b836ac951c1556245305 ]
The integer overflow is descripted with following codes:
> 317 static comp_t encode_comp_t(u64 value)
> 318 {
> 319 int exp, rnd;
......
> 341 exp <<= MANTSIZE;
> 342 exp += value;
> 343 return exp;
> 344 }
Currently comp_t is defined as type of '__u16', but the variable 'exp' is
type of 'int', so overflow would happen when variable 'exp' in line 343 is
greater than 65535.
Link: https://lkml.kernel.org/r/20210515140631.369106-3-zhengyejian1@huawei.com
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Cc: Hanjun Guo <guohanjun@huawei.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Zhang Jinhao <zhangjinhao2@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Zqiang
|
3d92527a91 |
rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state()
[ Upstream commit ceb1c8c9b8aa9199da46a0f29d2d5f08d9b44c15 ] Running rcutorture with non-zero fqs_duration module parameter in a kernel built with CONFIG_PREEMPTION=y results in the following splat: BUG: using __this_cpu_read() in preemptible [00000000] code: rcu_torture_fqs/398 caller is __this_cpu_preempt_check+0x13/0x20 CPU: 3 PID: 398 Comm: rcu_torture_fqs Not tainted 6.0.0-rc1-yoctodev-standard+ Call Trace: <TASK> dump_stack_lvl+0x5b/0x86 dump_stack+0x10/0x16 check_preemption_disabled+0xe5/0xf0 __this_cpu_preempt_check+0x13/0x20 rcu_force_quiescent_state.part.0+0x1c/0x170 rcu_force_quiescent_state+0x1e/0x30 rcu_torture_fqs+0xca/0x160 ? rcu_torture_boost+0x430/0x430 kthread+0x192/0x1d0 ? kthread_complete_and_exit+0x30/0x30 ret_from_fork+0x22/0x30 </TASK> The problem is that rcu_force_quiescent_state() uses __this_cpu_read() in preemptible code instead of the proper raw_cpu_read(). This commit therefore changes __this_cpu_read() to raw_cpu_read(). Signed-off-by: Zqiang <qiang1.zhang@intel.com> Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org> Signed-off-by: Paul E. McKenney <paulmck@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Zheng Yejian
|
19b651db94 |
tracing/hist: Fix issue of losting command info in error_log
[ Upstream commit 608c6ed3337850c767ab0dd6c583477922233e29 ]
When input some constructed invalid 'trigger' command, command info
in 'error_log' are lost [1].
The root cause is that there is a path that event_hist_trigger_parse()
is recursely called once and 'last_cmd' which save origin command is
cleared, then later calling of hist_err() will no longer record origin
command info:
event_hist_trigger_parse() {
last_cmd_set() // <1> 'last_cmd' save origin command here at first
create_actions() {
onmatch_create() {
action_create() {
trace_action_create() {
trace_action_create_field_var() {
create_field_var_hist() {
event_hist_trigger_parse() { // <2> recursely called once
hist_err_clear() // <3> 'last_cmd' is cleared here
}
hist_err() // <4> No longer find origin command!!!
Since 'glob' is empty string while running into the recurse call, we
can trickly check it and bypass the call of hist_err_clear() to solve it.
[1]
# cd /sys/kernel/tracing
# echo "my_synth_event int v1; int v2; int v3;" >> synthetic_events
# echo 'hist:keys=pid' >> events/sched/sched_waking/trigger
# echo "hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\
pid,pid1)" >> events/sched/sched_switch/trigger
# cat error_log
[ 8.405018] hist:sched:sched_switch: error: Couldn't find synthetic event
Command:
hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1)
^
[ 8.816902] hist:sched:sched_switch: error: Couldn't find field
Command:
hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1)
^
[ 8.816902] hist:sched:sched_switch: error: Couldn't parse field variable
Command:
hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1)
^
[ 8.999880] : error: Couldn't find field
Command:
^
[ 8.999880] : error: Couldn't parse field variable
Command:
^
[ 8.999880] : error: Couldn't find field
Command:
^
[ 8.999880] : error: Couldn't create histogram for field
Command:
^
Link: https://lore.kernel.org/linux-trace-kernel/20221207135326.3483216-1-zhengyejian1@huawei.com
Cc: <mhiramat@kernel.org>
Cc: <zanussi@kernel.org>
Fixes:
|
||
|
Yang Jihong
|
fe783eeac4 |
blktrace: Fix output non-blktrace event when blk_classic option enabled
[ Upstream commit f596da3efaf4130ff61cd029558845808df9bf99 ]
When the blk_classic option is enabled, non-blktrace events must be
filtered out. Otherwise, events of other types are output in the blktrace
classic format, which is unexpected.
The problem can be triggered in the following ways:
# echo 1 > /sys/kernel/debug/tracing/options/blk_classic
# echo 1 > /sys/kernel/debug/tracing/events/enable
# echo blk > /sys/kernel/debug/tracing/current_tracer
# cat /sys/kernel/debug/tracing/trace_pipe
Fixes:
|
||
Andrii Nakryiko
|
d70fa0a6ce |
bpf: propagate precision in ALU/ALU64 operations
[ Upstream commit a3b666bfa9c9edc05bca62a87abafe0936bd7f97 ]
When processing ALU/ALU64 operations (apart from BPF_MOV, which is
handled correctly already; and BPF_NEG and BPF_END are special and don't
have source register), if destination register is already marked
precise, this causes problem with potentially missing precision tracking
for the source register. E.g., when we have r1 >>= r5 and r1 is marked
precise, but r5 isn't, this will lead to r5 staying as imprecise. This
is due to the precision backtracking logic stopping early when it sees
r1 is already marked precise. If r1 wasn't precise, we'd keep
backtracking and would add r5 to the set of registers that need to be
marked precise. So there is a discrepancy here which can lead to invalid
and incompatible states matched due to lack of precision marking on r5.
If r1 wasn't precise, precision backtracking would correctly mark both
r1 and r5 as precise.
This is simple to fix, though. During the forward instruction simulation
pass, for arithmetic operations of `scalar <op>= scalar` form (where
<op> is ALU or ALU64 operations), if destination register is already
precise, mark source register as precise. This applies only when both
involved registers are SCALARs. `ptr += scalar` and `scalar += ptr`
cases are already handled correctly.
This does have (negative) effect on some selftest programs and few
Cilium programs. ~/baseline-tmp-results.csv are veristat results with
this patch, while ~/baseline-results.csv is without it. See post
scriptum for instructions on how to make Cilium programs testable with
veristat. Correctness has a price.
$ ./veristat -C -e file,prog,insns,states ~/baseline-results.csv ~/baseline-tmp-results.csv | grep -v '+0'
File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF)
----------------------- -------------------- --------------- --------------- ------------------ ---------------- ---------------- -------------------
bpf_cubic.bpf.linked1.o bpf_cubic_cong_avoid 997 1700 +703 (+70.51%) 62 90 +28 (+45.16%)
test_l4lb.bpf.linked1.o balancer_ingress 4559 5469 +910 (+19.96%) 118 126 +8 (+6.78%)
----------------------- -------------------- --------------- --------------- ------------------ ---------------- ---------------- -------------------
$ ./veristat -C -e file,prog,verdict,insns,states ~/baseline-results-cilium.csv ~/baseline-tmp-results-cilium.csv | grep -v '+0'
File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF)
------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- -------------------
bpf_host.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%)
bpf_host.o tail_nodeport_nat_ipv6_egress 3396 3446 +50 (+1.47%) 201 203 +2 (+1.00%)
bpf_lxc.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%)
bpf_overlay.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%)
bpf_xdp.o tail_lb_ipv4 71736 73442 +1706 (+2.38%) 4295 4370 +75 (+1.75%)
------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- -------------------
P.S. To make Cilium ([0]) programs libbpf-compatible and thus
veristat-loadable, apply changes from topmost commit in [1], which does
minimal changes to Cilium source code, mostly around SEC() annotations
and BPF map definitions.
[0] https://github.com/cilium/cilium/
[1] https://github.com/anakryiko/cilium/commits/libbpf-friendliness
Fixes:
|
||
Gavrilov Ilia
|
657fea0a8d |
relay: fix type mismatch when allocating memory in relay_create_buf()
[ Upstream commit 4d8586e04602fe42f0a782d2005956f8b6302678 ]
The 'padding' field of the 'rchan_buf' structure is an array of 'size_t'
elements, but the memory is allocated for an array of 'size_t *' elements.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Link: https://lkml.kernel.org/r/20221129092002.3538384-1-Ilia.Gavrilov@infotecs.ru
Fixes:
|
||
Yang Yingliang
|
d25bf9af86 |
genirq/irqdesc: Don't try to remove non-existing sysfs files
[ Upstream commit 9049e1ca41983ab773d7ea244bee86d7835ec9f5 ]
Fault injection tests trigger warnings like this:
kernfs: can not remove 'chip_name', no directory
WARNING: CPU: 0 PID: 253 at fs/kernfs/dir.c:1616 kernfs_remove_by_name_ns+0xce/0xe0
RIP: 0010:kernfs_remove_by_name_ns+0xce/0xe0
Call Trace:
<TASK>
remove_files.isra.1+0x3f/0xb0
sysfs_remove_group+0x68/0xe0
sysfs_remove_groups+0x41/0x70
__kobject_del+0x45/0xc0
kobject_del+0x29/0x40
free_desc+0x42/0x70
irq_free_descs+0x5e/0x90
The reason is that the interrupt descriptor sysfs handling does not roll
back on a failing kobject_add() during allocation. If the descriptor is
freed later on, kobject_del() is invoked with a not added kobject resulting
in the above warnings.
A proper rollback in case of a kobject_add() failure would be the straight
forward solution. But this is not possible due to the way how interrupt
descriptor sysfs handling works.
Interrupt descriptors are allocated before sysfs becomes available. So the
sysfs files for the early allocated descriptors are added later in the boot
process. At this point there can be nothing useful done about a failing
kobject_add(). For consistency the interrupt descriptor allocation always
treats kobject_add() failures as non-critical and just emits a warning.
To solve this problem, keep track in the interrupt descriptor whether
kobject_add() was successful or not and make the invocation of
kobject_del() conditional on that.
[ tglx: Massage changelog, comments and use a state bit. ]
Fixes:
|
||
Chen Zhongjin
|
248fa44cde |
perf: Fix possible memleak in pmu_dev_alloc()
[ Upstream commit e8d7a90c08ce963c592fb49845f2ccc606a2ac21 ]
In pmu_dev_alloc(), when dev_set_name() failed, it will goto free_dev
and call put_device(pmu->dev) to release it.
However pmu->dev->release is assigned after this, which makes warning
and memleak.
Call dev_set_name() after pmu->dev->release = pmu_dev_release to fix it.
Device '(null)' does not have a release() function...
WARNING: CPU: 2 PID: 441 at drivers/base/core.c:2332 device_release+0x1b9/0x240
...
Call Trace:
<TASK>
kobject_put+0x17f/0x460
put_device+0x20/0x30
pmu_dev_alloc+0x152/0x400
perf_pmu_register+0x96b/0xee0
...
kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
unreferenced object 0xffff888014759000 (size 2048):
comm "modprobe", pid 441, jiffies 4294931444 (age 38.332s)
backtrace:
[<0000000005aed3b4>] kmalloc_trace+0x27/0x110
[<000000006b38f9b8>] pmu_dev_alloc+0x50/0x400
[<00000000735f17be>] perf_pmu_register+0x96b/0xee0
[<00000000e38477f1>] 0xffffffffc0ad8603
[<000000004e162216>] do_one_initcall+0xd0/0x4e0
...
Fixes:
|
||
xiongxin
|
c907c55dc7 |
PM: hibernate: Fix mistake in kerneldoc comment
[ Upstream commit 6e5d7300cbe7c3541bc31f16db3e9266e6027b4b ]
The actual maximum image size formula in hibernate_preallocate_memory()
is as follows:
max_size = (count - (size + PAGES_FOR_IO)) / 2
- 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE);
but the one in the kerneldoc comment of the function is different and
incorrect.
Fixes:
|
||
Pratyush Yadav
|
0758b50692 |
tracing/ring-buffer: Only do full wait when cpu != RING_BUFFER_ALL_CPUS
full_hit() directly uses cpu as an array index. Since
RING_BUFFER_ALL_CPUS == -1, calling full_hit() with cpu ==
RING_BUFFER_ALL_CPUS will cause an invalid memory access.
The upstream commit 42fb0a1e84ff ("tracing/ring-buffer: Have polling
block on watermark") already does this. This was missed when backporting
to v5.4.y.
This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.
Fixes:
|
||
|
Greg Kroah-Hartman
|
4ae923b7c6 |
Merge 5.4.227 into android11-5.4-lts
Changes in 5.4.227 arm64: dts: rockchip: keep I2S1 disabled for GPIO function on ROCK Pi 4 series arm: dts: rockchip: fix node name for hym8563 rtc ARM: dts: rockchip: fix ir-receiver node names ARM: dts: rockchip: rk3188: fix lcdc1-rgb24 node name ARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernels ARM: 9266/1: mm: fix no-MMU ZERO_PAGE() implementation ARM: dts: rockchip: disable arm_global_timer on rk3066 and rk3188 9p/fd: Use P9_HDRSZ for header size regulator: slg51000: Wait after asserting CS pin ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event btrfs: send: avoid unaligned encoded writes when attempting to clone range ASoC: soc-pcm: Add NULL check in BE reparenting regulator: twl6030: fix get status of twl6032 regulators fbcon: Use kzalloc() in fbcon_prepare_logo() 9p/xen: check logical size for buffer size net: usb: qmi_wwan: add u-blox 0x1342 composition mm/khugepaged: take the right locks for page table retraction mm/khugepaged: fix GUP-fast interaction by sending IPI mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths xen/netback: Ensure protocol headers don't fall in the non-linear area xen/netback: do some code cleanup xen/netback: don't call kfree_skb() with interrupts disabled Revert "net: dsa: b53: Fix valid setting for MDB entries" media: v4l2-dv-timings.c: fix too strict blanking sanity checks memcg: fix possible use-after-free in memcg_write_event_control() mm/gup: fix gup_pud_range() for dax KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field drm/shmem-helper: Remove errant put in error path HID: usbhid: Add ALWAYS_POLL quirk for some mice HID: hid-lg4ff: Add check for empty lbuf HID: core: fix shift-out-of-bounds in hid_report_raw_event can: af_can: fix NULL pointer dereference in can_rcv_filter ieee802154: cc2520: Fix error return code in cc2520_hw_init() ca8210: Fix crash by zero initializing data drm/bridge: ti-sn65dsi86: Fix output polarity setting bug gpio: amd8111: Fix PCI device reference count leak e1000e: Fix TX dispatch condition igb: Allocate MSI-X vector when testing af_unix: Get user_ns from in_skb in unix_diag_get_exact(). Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() Bluetooth: Fix not cleanup led when bt_init fails net: dsa: ksz: Check return value selftests: rtnetlink: correct xfrm policy rule in kci_test_ipsec_offload mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() net: encx24j600: Add parentheses to fix precedence net: encx24j600: Fix invalid logic in reading of MISTAT register xen-netfront: Fix NULL sring after live migration net: mvneta: Prevent out of bounds read in mvneta_config_rss() i40e: Fix not setting default xps_cpus after reset i40e: Fix for VF MAC address 0 i40e: Disallow ip4 and ip6 l4_4_bytes NFC: nci: Bounds check struct nfc_target arrays nvme initialize core quirks before calling nvme_init_subsystem net: stmmac: fix "snps,axi-config" node property parsing net: thunderx: Fix missing destroy_workqueue of nicvf_rx_mode_wq net: hisilicon: Fix potential use-after-free in hisi_femac_rx() net: hisilicon: Fix potential use-after-free in hix5hd2_rx() tipc: Fix potential OOB in tipc_link_proto_rcv() ipv4: Fix incorrect route flushing when source address is deleted ipv4: Fix incorrect route flushing when table ID 0 is used ethernet: aeroflex: fix potential skb leak in greth_init_rings() xen/netback: fix build warning net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() ipv6: avoid use-after-free in ip6_fragment() net: mvneta: Fix an out of bounds check can: esd_usb: Allow REC and TEC to return to zero Linux 5.4.227 Change-Id: Idd4fa0e113a2b94326764baa669ff6fb02797adb Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Lee Jones
|
57e53c3fa3 |
ANDROID: Revert "tracing/ring-buffer: Have polling block on watermark"
This reverts commit
|
||
|
Michael Bestas
|
7714527f2d
|
Merge tag 'LA.UM.9.14.r1-21000-LAHAINA.QSSI13.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.4 into android13-5.4-lahaina
"LA.UM.9.14.r1-21000-LAHAINA.QSSI13.0" * tag 'LA.UM.9.14.r1-21000-LAHAINA.QSSI13.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.4: net: rmnet: add ioctl support for IP route utility net: usbnet: Add mechanism to throttle usb0 RX traffic in USB SS core_ctl: Add check for available cpus before accessing per_cpus msm: kgsl: Remove protected GPUCC registers from snapshot msm: mhi_dev: Avoiding double free in MHI UCI layer msm: ipa3: add new ETH PDU QMI msm: ipa3: add new ETH PDU pipes and ETH PDU event msm: ipa3: rmnet: header file update for eth pdu msm: ipa3: add MPLS support to existing IPA GRE struct wifi: cfg80211: fix BSS refcounting bugs wifi: cfg80211: avoid nontransmitted BSS list corruption wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans() cnss2: Add support for handling AFC memory request from FW qcedev: check num_fds during unmap kernel-msm: ipa_eth: Dynamic IPA NTN3 ETH client moderation configuration msm: kgsl: Cleanup correctly when platform probe fails Revert "arm64: mm: Don't invalidate FROM_DEVICE buffers at start of DMA transfer" virt: haven: rm_core: Clean up sequence idr earlier virt: haven: rm_core: Re-use alloc'd message when sending requests virt: haven: rm_core: Guard against unexpected messages virt: haven: rm_core: Rename connection variables virt: haven: rm_core: Remove current_recv_buffer tracking virt: haven: rm_core: Always allocate a connection for notifications defconfig : Enable xt_multiport module for iptables icnss: Add debug fs entry to call PSF callback icnss2: Enable power supply framework for 5.4 kernel virt: haven: rm_core: Validate notifications using payload size only pci: msm: Disable BDF halt for sdxlemur ANDROID: ABI: Update allowed list for QCOM usb: gadget: cdev: Requeue the request outside spinlock Conflicts: arch/arm64/boot/dts/vendor/bindings/gpio/gpio-altera.txt arch/arm64/mm/cache.S drivers/net/usb/ax88179_178a.c net/wireless/scan.c Change-Id: I432c73b27169086d5a0431d2b049a8d98e0432fa |
||
|
Michael Bestas
|
635c74d37d
|
Merge tag 'ASB-2022-12-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2022-12-01 CVE-2022-23960 * tag 'ASB-2022-12-05_11-5.4' of https://android.googlesource.com/kernel/common: UPSTREAM: bpf: Ensure correct locking around vulnerable function find_vpid() UPSTREAM: HID: roccat: Fix use-after-free in roccat_read() ANDROID: arm64: mm: perform clean & invalidation in __dma_map_area UPSTREAM: mmc: hsq: Fix data stomping during mmc recovery UPSTREAM: pinctrl: sunxi: Fix name for A100 R_PIO BACKPORT: mmc: core: Fix UHS-I SD 1.8V workaround branch UPSTREAM: Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression UPSTREAM: wifi: mac80211_hwsim: set virtio device ready in probe() BACKPORT: f2fs: don't use casefolded comparison for "." and ".." UPSTREAM: Revert "mm/cma.c: remove redundant cma_mutex lock" UPSTREAM: usb: dwc3: Try usb-role-switch first in dwc3_drd_init BACKPORT: usb: typec: ucsi: Fix reuse of completion structure BACKPORT: tipc: fix incorrect order of state message data sanity check UPSTREAM: net: fix up skbs delta_truesize in UDP GRO frag_list UPSTREAM: cgroup-v1: Correct privileges check in release_agent writes UPSTREAM: mm: don't try to NUMA-migrate COW pages that have other uses UPSTREAM: usb: raw-gadget: fix handling of dual-direction-capable endpoints UPSTREAM: selinux: check return value of sel_make_avc_files UPSTREAM: usb: musb: select GENERIC_PHY instead of depending on it BACKPORT: driver core: Fix error return code in really_probe() UPSTREAM: fscrypt: fix derivation of SipHash keys on big endian CPUs BACKPORT: fscrypt: rename FS_KEY_DERIVATION_NONCE_SIZE UPSTREAM: socionext: account for napi_gro_receive never returning GRO_DROP UPSTREAM: net: socionext: netsec: fix xdp stats accounting BACKPORT: fs: align IOCB_* flags with RWF_* flags UPSTREAM: efi: capsule-loader: Fix use-after-free in efi_capsule_write BACKPORT: ARM: 9039/1: assembler: generalize byte swapping macro into rev_l BACKPORT: ARM: 9035/1: uncompress: Add be32tocpu macro UPSTREAM: drm/meson: Fix overflow implicit truncation warnings UPSTREAM: irqchip/tegra: Fix overflow implicit truncation warnings UPSTREAM: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write ANDROID: GKI: db845c: Update symbols list and ABI Linux 5.4.219 wifi: mac80211: fix MBSSID parsing use-after-free wifi: mac80211: don't parse mbssid in assoc response mac80211: mlme: find auth challenge directly Revert "fs: check FMODE_LSEEK to control internal pipe splicing" Linux 5.4.218 Input: xpad - fix wireless 360 controller breaking after suspend Input: xpad - add supported devices as contributed on github wifi: cfg80211: update hidden BSSes to avoid WARN_ON wifi: mac80211_hwsim: avoid mac80211 warning on bad rate wifi: cfg80211: avoid nontransmitted BSS list corruption wifi: cfg80211: fix BSS refcounting bugs wifi: cfg80211: ensure length byte is present before access wifi: cfg80211/mac80211: reject bad MBSSID elements wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans() random: use expired timer rather than wq for mixing fast pool random: avoid reading two cache lines on irq randomness random: restore O_NONBLOCK support USB: serial: qcserial: add new usb-id for Dell branded EM7455 scsi: stex: Properly zero out the passthrough command structure efi: Correct Macmini DMI match in uefi cert quirk ALSA: hda: Fix position reporting on Poulsbo random: clamp credited irq bits to maximum mixed ceph: don't truncate file in atomic_open nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure nilfs2: fix leak of nilfs_root in case of writer thread creation failure nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level() rpmsg: qcom: glink: replace strncpy() with strscpy_pad() mmc: core: Terminate infinite loop in SD-UHS voltage switch mmc: core: Replace with already defined values for readability USB: serial: ftdi_sio: fix 300 bps rate for SIO usb: mon: make mmapped memory read only arch: um: Mark the stack non-executable to fix a binutils warning um: Cleanup compiler warning in arch/x86/um/tls_32.c um: Cleanup syscall_handler_t cast in syscalls_32.h net/ieee802154: fix uninit value bug in dgram_sendmsg scsi: qedf: Fix a UAF bug in __qedf_probe() ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property firmware: arm_scmi: Add SCMI PM driver remove routine fs: fix UAF/GPF bug in nilfs_mdt_destroy perf tools: Fixup get_current_dir_name() compilation mm: pagewalk: Fix race between unmap and page walker Linux 5.4.217 docs: update mediator information in CoC docs Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 Revert "drm/amdgpu: use dirty framebuffer helper" xfs: remove unused variable 'done' xfs: fix uninitialized variable in xfs_attr3_leaf_inactive xfs: streamline xfs_attr3_leaf_inactive xfs: move incore structures out of xfs_da_format.h xfs: fix memory corruption during remote attr value buffer invalidation xfs: refactor remote attr value buffer invalidation xfs: fix IOCB_NOWAIT handling in xfs_file_dio_aio_read xfs: fix s_maxbytes computation on 32-bit kernels xfs: truncate should remove all blocks, not just to the end of the page cache xfs: introduce XFS_MAX_FILEOFF xfs: fix misuse of the XFS_ATTR_INCOMPLETE flag x86/speculation: Add RSB VM Exit protections x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS parts x86/speculation: Use DECLARE_PER_CPU for x86_spec_ctrl_current x86/speculation: Disable RRSBA behavior x86/bugs: Add Cannon lake to RETBleed affected CPU list x86/cpu/amd: Enumerate BTC_NO x86/common: Stamp out the stepping madness x86/speculation: Fill RSB on vmexit for IBRS KVM: VMX: Fix IBRS handling after vmexit KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS KVM: VMX: Convert launched argument to flags KVM: VMX: Flatten __vmx_vcpu_run() KVM/nVMX: Use __vmx_vcpu_run in nested_vmx_check_vmentry_hw KVM/VMX: Use TEST %REG,%REG instead of CMP $0,%REG in vmenter.S x86/speculation: Remove x86_spec_ctrl_mask x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit x86/speculation: Fix SPEC_CTRL write on SMT state change x86/speculation: Fix firmware entry SPEC_CTRL handling x86/speculation: Fix RSB filling with CONFIG_RETPOLINE=n x86/speculation: Change FILL_RETURN_BUFFER to work with objtool intel_idle: Disable IBRS during long idle x86/bugs: Report Intel retbleed vulnerability x86/bugs: Split spectre_v2_select_mitigation() and spectre_v2_user_select_mitigation() x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS x86/bugs: Optimize SPEC_CTRL MSR writes x86/entry: Add kernel IBRS implementation x86/entry: Remove skip_r11rcx x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value x86/bugs: Add AMD retbleed= boot parameter x86/bugs: Report AMD retbleed vulnerability x86/cpufeatures: Move RETPOLINE flags to word 11 x86/kvm/vmx: Make noinstr clean x86/cpu: Add a steppings field to struct x86_cpu_id x86/cpu: Add consistent CPU match macros x86/devicetable: Move x86 specific macro out of generic code Revert "x86/cpu: Add a steppings field to struct x86_cpu_id" Revert "x86/speculation: Add RSB VM Exit protections" Linux 5.4.216 clk: iproc: Do not rely on node name for correct PLL setup clk: imx: imx6sx: remove the SET_RATE_PARENT flag for QSPI clocks selftests: Fix the if conditions of in test_extra_filter() nvme: Fix IOC_PR_CLEAR and IOC_PR_RELEASE ioctls for nvme devices nvme: add new line after variable declatation usbnet: Fix memory leak in usbnet_disconnect() Input: melfas_mip4 - fix return value check in mip4_probe() Revert "drm: bridge: analogix/dp: add panel prepare/unprepare in suspend/resume time" soc: sunxi: sram: Fix debugfs info for A64 SRAM C soc: sunxi: sram: Fix probe function ordering issues soc: sunxi_sram: Make use of the helper function devm_platform_ioremap_resource() soc: sunxi: sram: Prevent the driver from being unbound soc: sunxi: sram: Actually claim SRAM regions ARM: dts: am33xx: Fix MMCHS0 dma properties ARM: dts: Move am33xx and am43xx mmc nodes to sdhci-omap driver media: dvb_vb2: fix possible out of bound access mm: fix madivse_pageout mishandling on non-LRU page mm/migrate_device.c: flush TLB while holding PTL mm: prevent page_frag_alloc() from corrupting the memory mm/page_alloc: fix race condition between build_all_zonelists and page allocation mmc: moxart: fix 4-bit bus width and remove 8-bit bus width libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205 Revert "net: mvpp2: debugfs: fix memory leak when using debugfs_lookup()" ntfs: fix BUG_ON in ntfs_lookup_inode_by_name() ARM: dts: integrator: Tag PCI host with device_type clk: ingenic-tcu: Properly enable registers before accessing timers net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455 uas: ignore UAS for Thinkplus chips usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS uas: add no-uas quirk for Hiksemi usb_disk Linux 5.4.215 ext4: make directory inode spreading reflect flexbg size xfs: fix use-after-free when aborting corrupt attr inactivation xfs: fix an ABBA deadlock in xfs_rename xfs: don't commit sunit/swidth updates to disk if that would cause repair failures xfs: split the sunit parameter update into two parts xfs: refactor agfl length computation function xfs: use bitops interface for buf log item AIL flag check xfs: stabilize insert range start boundary to avoid COW writeback race xfs: fix some memory leaks in log recovery xfs: always log corruption errors xfs: constify the buffer pointer arguments to error functions xfs: convert EIO to EFSCORRUPTED when log contents are invalid xfs: Fix deadlock between AGI and AGF when target_ip exists in xfs_rename() xfs: attach dquots and reserve quota blocks during unwritten conversion xfs: range check ri_cnt when recovering log items xfs: add missing assert in xfs_fsmap_owner_from_rmap xfs: slightly tweak an assert in xfs_fs_map_blocks xfs: replace -EIO with -EFSCORRUPTED for corrupt metadata ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0 workqueue: don't skip lockdep work dependency in cancel_work_sync() drm/rockchip: Fix return type of cdn_dp_connector_mode_valid drm/amd/display: Limit user regamma to a valid value drm/amdgpu: use dirty framebuffer helper Drivers: hv: Never allocate anything besides framebuffer from framebuffer memory region cifs: always initialize struct msghdr smb_msg completely usb: xhci-mtk: fix issue of out-of-bounds array access s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup serial: tegra-tcu: Use uart_xmit_advance(), fixes icount.tx accounting serial: tegra: Use uart_xmit_advance(), fixes icount.tx accounting serial: Create uart_xmit_advance() net: sched: fix possible refcount leak in tc_new_tfilter() net: sunhme: Fix packet reception for len < RX_COPY_THRESHOLD perf kcore_copy: Do not check /proc/modules is unchanged perf jit: Include program header in ELF files can: gs_usb: gs_can_open(): fix race dev->can.state condition netfilter: ebtables: fix memory leak when blob is malformed net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs net/sched: taprio: avoid disabling offload when it was never enabled of: mdio: Add of_node_put() when breaking out of for_each_xx i40e: Fix set max_tx_rate when it is lower than 1 Mbps i40e: Fix VF set max MTU size iavf: Fix set max MTU size with port VLAN and jumbo frames iavf: Fix bad page state MIPS: Loongson32: Fix PHY-mode being left unspecified MIPS: lantiq: export clk_get_io() for lantiq_wdt.ko net: team: Unsync device addresses on ndo_stop ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header iavf: Fix cached head and tail value for iavf_get_tx_pending netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find() netfilter: nf_conntrack_irc: Tighten matching on DCC message netfilter: nf_conntrack_sip: fix ct_sip_walk_headers arm64: dts: rockchip: Remove 'enable-active-low' from rk3399-puma arm64: dts: rockchip: Set RK3399-Gru PCLK_EDP to 24 MHz arm64: dts: rockchip: Pull up wlan wake# on Gru-Bob mm/slub: fix to return errno if kmalloc() fails efi: libstub: check Shim mode using MokSBStateRT ALSA: hda/realtek: Enable 4-speaker output Dell Precision 5530 laptop ALSA: hda/realtek: Add quirk for ASUS GA503R laptop ALSA: hda/realtek: Add pincfg for ASUS G533Z HP jack ALSA: hda/realtek: Add pincfg for ASUS G513 HP jack ALSA: hda/realtek: Re-arrange quirk table entries ALSA: hda/realtek: Add quirk for Huawei WRT-WX9 ALSA: hda: add Intel 5 Series / 3400 PCI DID ALSA: hda/tegra: set depop delay for tegra USB: serial: option: add Quectel RM520N USB: serial: option: add Quectel BG95 0x0203 composition USB: core: Fix RST error in hub.c Revert "usb: gadget: udc-xilinx: replace memcpy with memcpy_toio" Revert "usb: add quirks for Lenovo OneLink+ Dock" usb: cdns3: fix issue with rearming ISO OUT endpoint usb: gadget: udc-xilinx: replace memcpy with memcpy_toio usb: add quirks for Lenovo OneLink+ Dock tty: serial: atmel: Preserve previous USART mode if RS485 disabled serial: atmel: remove redundant assignment in rs485_config tty/serial: atmel: RS485 & ISO7816: wait for TXRDY before sending data wifi: mac80211: Fix UAF in ieee80211_scan_rx() usb: xhci-mtk: relax TT periodic bandwidth allocation usb: xhci-mtk: allow multiple Start-Split in a microframe usb: xhci-mtk: add some schedule error number usb: xhci-mtk: add a function to (un)load bandwidth info usb: xhci-mtk: use @sch_tt to check whether need do TT schedule usb: xhci-mtk: add only one extra CS for FS/LS INTR usb: xhci-mtk: get the microframe boundary for ESIT usb: dwc3: gadget: Avoid duplicate requests to enable Run/Stop usb: dwc3: gadget: Don't modify GEVNTCOUNT in pullup() usb: dwc3: gadget: Refactor pullup() usb: dwc3: gadget: Prevent repeat pullup() usb: dwc3: Issue core soft reset before enabling run/stop usb: dwc3: gadget: Avoid starting DWC3 gadget during UDC unbind ALSA: hda/sigmatel: Fix unused variable warning for beep power change cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write mksysmap: Fix the mismatch of 'L0' symbols in System.map MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping() afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked net: usb: qmi_wwan: add Quectel RM520N ALSA: hda/tegra: Align BDL entry to 4KB boundary ALSA: hda/sigmatel: Keep power up while beep is enabled rxrpc: Fix calc of resend age rxrpc: Fix local destruction being repeated regulator: pfuze100: Fix the global-out-of-bounds access in pfuze100_regulator_probe() ASoC: nau8824: Fix semaphore unbalance at error paths iomap: iomap that extends beyond EOF should be marked dirty MAINTAINERS: add Chandan as xfs maintainer for 5.4.y cifs: don't send down the destination address to sendmsg for a SOCK_STREAM cifs: revalidate mapping when doing direct writes tracing: hold caller_addr to hardirq_{enable,disable}_ip task_stack, x86/cea: Force-inline stack helpers ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() drm/meson: Fix OSD1 RGB to YCbCr coefficient drm/meson: Correct OSD1 global alpha value gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in mpc85xx NFSv4: Turn off open-by-filehandle and NFS re-export for NFSv4.0 of: fdt: fix off-by-one error in unflatten_dt_nodes() Revert "USB: core: Prevent nested device-reset calls" Revert "io_uring: disable polling pollfree files" Revert "netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y" Revert "sched/deadline: Fix priority inheritance with multiple scheduling classes" Revert "kernel/sched: Remove dl_boosted flag comment" Revert "mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse" Revert "fs: check FMODE_LSEEK to control internal pipe splicing" Linux 5.4.214 tracefs: Only clobber mode/uid/gid on remount if asked soc: fsl: select FSL_GUTS driver for DPIO net: dp83822: disable rx error interrupt mm: Fix TLB flush for not-first PFNMAP mappings in unmap_region() usb: storage: Add ASUS <0x0b05:0x1932> to IGNORE_UAS platform/x86: acer-wmi: Acer Aspire One AOD270/Packard Bell Dot keymap fixes perf/arm_pmu_platform: fix tests for platform_get_irq() failure nvmet-tcp: fix unhandled tcp states in nvmet_tcp_state_change() Input: iforce - add support for Boeder Force Feedback Wheel ieee802154: cc2520: add rc code in cc2520_tx() tg3: Disable tg3 device on system reboot to avoid triggering AER hid: intel-ish-hid: ishtp: Fix ishtp client sending disordered message HID: ishtp-hid-clientHID: ishtp-hid-client: Fix comment typo drm/msm/rd: Fix FIFO-full deadlock Linux 5.4.213 MIPS: loongson32: ls1c: Fix hang during startup x86/nospec: Fix i386 RSB stuffing sch_sfb: Also store skb len before calling child enqueue tcp: fix early ETIMEDOUT after spurious non-SACK RTO nvme-tcp: fix UAF when detecting digest errors RDMA/mlx5: Set local port to one when accessing counters ipv6: sr: fix out-of-bounds read when setting HMAC data. RDMA/siw: Pass a pointer to virt_to_page() i40e: Fix kernel crash during module removal tipc: fix shift wrapping bug in map_get() sch_sfb: Don't assume the skb is still around after enqueueing to child afs: Use the operation issue time instead of the reply time for callbacks rxrpc: Fix an insufficiently large sglist in rxkad_verify_packet_2() netfilter: nf_conntrack_irc: Fix forged IP logic netfilter: br_netfilter: Drop dst references before setting. RDMA/hns: Fix supported page size soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs RDMA/cma: Fix arguments order in net device validation regulator: core: Clean up on enable failure ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node smb3: missing inode locks in punch hole cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty subtree cgroup: Optimize single thread migration scsi: lpfc: Add missing destroy_workqueue() in error path scsi: mpt3sas: Fix use-after-free warning nvmet: fix a use-after-free debugfs: add debugfs_lookup_and_remove() kprobes: Prohibit probes in gate area ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() ALSA: aloop: Fix random zeros in capture data when using jiffies timer ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() drm/amdgpu: mmVM_L2_CNTL3 register not initialized correctly fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() drm/radeon: add a force flush to delay work when radeon drm/amdgpu: Check num_gfx_rings for gfx v9_0 rb setup. drm/gem: Fix GEM handle release errors scsi: megaraid_sas: Fix double kfree() USB: serial: ch341: fix disabled rx timer on older devices USB: serial: ch341: fix lost character on LCR updates usb: dwc3: disable USB core PHY management usb: dwc3: fix PHY disable sequence btrfs: harden identification of a stale device drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk ALSA: seq: Fix data-race at module auto-loading ALSA: seq: oss: Fix data-race for max_midi_devs access net: mac802154: Fix a condition in the receive path ip: fix triggering of 'icmp redirect' wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected driver core: Don't probe devices after bus_type.match() probe deferral usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS USB: core: Prevent nested device-reset calls s390: fix nospec table alignments s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages usb-storage: Add ignore-residue quirk for NXP PN7462AU USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) usb: dwc2: fix wrong order of phy_power_on and phy_init usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode USB: serial: option: add Quectel EM060K modem USB: serial: option: add support for OPPO R11 diag port USB: serial: cp210x: add Decagon UCA device id xhci: Add grace period after xHC start to prevent premature runtime suspend. thunderbolt: Use the actual buffer in tb_async_error() gpio: pca953x: Add mutex_lock for regcache sync in PM hwmon: (gpio-fan) Fix array out of bounds access clk: bcm: rpi: Fix error handling of raspberrypi_fw_get_rate Input: rk805-pwrkey - fix module autoloading clk: core: Fix runtime PM sequence in clk_core_unprepare() Revert "clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops" clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported" usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup binder: fix UAF of ref->proc caused by race condition USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id misc: fastrpc: fix memory corruption on open misc: fastrpc: fix memory corruption on probe iio: adc: mcp3911: use correct formula for AD conversion Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete vt: Clear selection before changing the font powerpc: align syscall table for ppc32 staging: rtl8712: fix use after free bugs serial: fsl_lpuart: RS485 RTS polariy is inverse net/smc: Remove redundant refcount increase Revert "sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb" tcp: annotate data-race around challenge_timestamp sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb kcm: fix strp_init() order and cleanup ethernet: rocker: fix sleep in atomic context bug in neigh_timer_handler net: sched: tbf: don't call qdisc_put() while holding tree lock Revert "xhci: turn off port power in shutdown" wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() ieee802154/adf7242: defer destroy_workqueue call iio: adc: mcp3911: make use of the sign bit platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask drm/msm/dsi: Fix number of regulators for msm8996_dsi_cfg drm/msm/dsi: fix the inconsistent indenting net: dp83822: disable false carrier interrupt Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()" fs: only do a memory barrier for the first set_buffer_uptodate() net: mvpp2: debugfs: fix memory leak when using debugfs_lookup() wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965_rs_fill_link_cmd() efi: capsule-loader: Fix use-after-free in efi_capsule_write Linux 5.4.212 net: neigh: don't call kfree_skb() under spin_lock_irqsave() net/af_packet: check len when min_header_len equals to 0 io_uring: disable polling pollfree files kprobes: don't call disarm_kprobe() for disabled kprobes lib/vdso: Mark do_hres() and do_coarse() as __always_inline lib/vdso: Let do_coarse() return 0 to simplify the callsite btrfs: tree-checker: check for overlapping extent items netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y drm/amd/display: Fix pixel clock programming s390/hypfs: avoid error message under KVM neigh: fix possible DoS due to net iface start/stop loop drm/amd/display: clear optc underflow before turn off odm clock drm/amd/display: Avoid MPC infinite loop btrfs: unify lookup return value when dir entry is missing btrfs: do not pin logs too early during renames btrfs: introduce btrfs_lookup_match_dir mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse bpf: Don't redirect packets with invalid pkt_len ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead fbdev: fb_pm2fb: Avoid potential divide by zero error HID: hidraw: fix memory leak in hidraw_release() media: pvrusb2: fix memory leak in pvr_probe udmabuf: Set the DMA mask for the udmabuf device (v2) HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report Bluetooth: L2CAP: Fix build errors in some archs kbuild: Fix include path in scripts/Makefile.modpost x86/bugs: Add "unknown" reporting for MMIO Stale Data s390/mm: do not trigger write fault when vma does not allow VM_WRITE mm: Force TLB flush for PFNMAP mappings before unlink_file_vma() scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq perf/x86/intel/uncore: Fix broken read_counter() for SNB IMC PMU md: call __md_stop_writes in md_stop mm/hugetlb: fix hugetlb not supporting softdirty tracking ACPI: processor: Remove freq Qos request for all CPUs s390: fix double free of GS and RI CBs on fork() failure asm-generic: sections: refactor memory_intersects loop: Check for overflow while configuring loop x86/unwind/orc: Unwind ftrace trampolines with correct ORC entry btrfs: check if root is readonly while setting security xattr btrfs: add info when mount fails due to stale replace target btrfs: replace: drop assert for suspended replace btrfs: fix silent failure when deleting root reference ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter net: Fix a data-race around sysctl_somaxconn. net: Fix a data-race around netdev_budget_usecs. net: Fix a data-race around netdev_budget. net: Fix a data-race around sysctl_net_busy_read. net: Fix a data-race around sysctl_net_busy_poll. net: Fix a data-race around sysctl_tstamp_allow_data. ratelimit: Fix data-races in ___ratelimit(). net: Fix data-races around netdev_tstamp_prequeue. net: Fix data-races around weight_p and dev_weight_[rt]x_bias. netfilter: nft_tunnel: restrict it to netdev family netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families netfilter: nft_payload: do not truncate csum_offset and csum_type netfilter: nft_payload: report ERANGE for too long offset and length bnxt_en: fix NQ resource accounting during vf creation on 57500 chips netfilter: ebtables: reject blobs that don't provide all entry points net: ipvtap - add __init/__exit annotations to module init/exit funcs bonding: 802.3ad: fix no transmission of LACPDUs net: moxa: get rid of asymmetry in DMA mapping/unmapping net/mlx5e: Properly disable vlan strip on non-UL reps rose: check NULL rose_loopback_neigh->loopback SUNRPC: RPC level errors should set task->tk_rpc_status af_key: Do not call xfrm_probe_algs in parallel xfrm: fix refcount leak in __xfrm_policy_check() kernel/sched: Remove dl_boosted flag comment sched/deadline: Fix priority inheritance with multiple scheduling classes sched/deadline: Fix stale throttling on de-/boosted tasks sched/deadline: Unthrottle PI boosted threads while enqueuing pinctrl: amd: Don't save/restore interrupt status and wake status bits Revert "selftests/bpf: Fix test_align verifier log patterns" Revert "selftests/bpf: Fix "dubious pointer arithmetic" test" usb: cdns3: Fix issue for clear halt endpoint kernel/sys_ni: add compat entry for fadvise64_64 parisc: Fix exception handler for fldw and fstw instructions audit: fix potential double free on error path from fsnotify_add_inode_mark Revert "USB: HCD: Fix URB giveback issue in tasklet function" Linux 5.4.211 btrfs: raid56: don't trust any cached sector in __raid56_parity_recover() btrfs: only write the sectors in the vertical stripe which has data stripes can: j1939: j1939_session_destroy(): fix memory leak of skbs can: j1939: j1939_sk_queue_activate_next_locked(): replace WARN_ON_ONCE with netdev_warn_once() tracing/probes: Have kprobes and uprobes use $COMM too MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0 video: fbdev: i740fb: Check the argument of i740_calc_vclk() powerpc/64: Init jump labels before parse_early_param() smb3: check xattr value length earlier f2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page() ALSA: timer: Use deferred fasync helper ALSA: core: Add async signal helpers powerpc/32: Don't always pass -mcpu=powerpc to the compiler watchdog: export lockup_detector_reconfigure RISC-V: Add fast call path of crash_kexec() riscv: mmap with PROT_WRITE but no PROT_READ is invalid mips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start vfio: Clear the caps->buf to NULL after free tty: serial: Fix refcount leak bug in ucc_uart.c lib/list_debug.c: Detect uninitialized lists ext4: avoid resizing to a partial cluster size ext4: avoid remove directory when directory is corrupted drivers:md:fix a potential use-after-free bug nvmet-tcp: fix lockdep complaint on nvmet_tcp_wq flush during queue teardown dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() failed selftests/kprobe: Do not test for GRP/ without event failures um: add "noreboot" command line option for PANIC_TIMEOUT=-1 setups PCI/ACPI: Guard ARM64-specific mcfg_quirks cxl: Fix a memory leak in an error handling path gadgetfs: ep_io - wait until IRQ finishes scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input clk: qcom: ipq8074: dont disable gcc_sleep_clk_src vboxguest: Do not use devm for irq usb: renesas: Fix refcount leak bug usb: host: ohci-ppc-of: Fix refcount leak bug drm/meson: Fix overflow implicit truncation warnings irqchip/tegra: Fix overflow implicit truncation warnings usb: gadget: uvc: call uvc uvcg_warn on completed status instead of uvcg_info usb: cdns3 fix use-after-free at workaround 2 PCI: Add ACS quirk for Broadcom BCM5750x NICs drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors() locking/atomic: Make test_and_*_bit() ordered on failure gcc-plugins: Undefine LATENT_ENTROPY_PLUGIN when plugin disabled for a file igb: Add lock to avoid data race fec: Fix timer capture timing in `fec_ptp_enable_pps()` i40e: Fix to stop tx_timeout recovery if GLOBR fails ice: Ignore EEXIST when setting promisc mode net: dsa: microchip: ksz9477: fix fdb_dump last invalid entry net: moxa: pass pdev instead of ndev to DMA functions net: dsa: mv88e6060: prevent crash on an unused port powerpc/pci: Fix get_phb_number() locking netfilter: nf_tables: really skip inactive sets when allocating name clk: rockchip: add sclk_mac_lbtest to rk3188_critical_clocks iavf: Fix adminq error handling nios2: add force_successful_syscall_return() nios2: restarts apply only to the first sigframe we build... nios2: fix syscall restart checks nios2: traced syscall does need to check the syscall number nios2: don't leave NULLs in sys_call_table[] nios2: page fault et.al. are *not* restartable syscalls... tee: add overflow check in register_shm_helper() dpaa2-eth: trace the allocated address instead of page struct atm: idt77252: fix use-after-free bugs caused by tst_timer xen/xenbus: fix return type in xenbus_file_read() nfp: ethtool: fix the display error of `ethtool -m DEVNAME` NTB: ntb_tool: uninitialized heap data in tool_fn_write() tools build: Switch to new openssl API for test-libcrypto tools/vm/slabinfo: use alphabetic order when two values are equal dt-bindings: arm: qcom: fix MSM8916 MTP compatibles vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout() vsock: Fix memory leak in vsock_connect() plip: avoid rcu debug splat geneve: do not use RT_TOS for IPv6 flowlabel ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool pinctrl: sunxi: Add I/O bias setting for H6 R-PIO pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map net: bgmac: Fix a BUG triggered by wrong bytes_compl devlink: Fix use-after-free after a failed reload SUNRPC: Reinitialise the backchannel request buffers before reuse sunrpc: fix expiry of auth creds can: mcp251x: Fix race condition on receive interrupt NFSv4/pnfs: Fix a use-after-free bug in open NFSv4.1: RECLAIM_COMPLETE must handle EACCES NFSv4: Fix races in the legacy idmapper upcall NFSv4.1: Handle NFS4ERR_DELAY replies to OP_SEQUENCE correctly NFSv4.1: Don't decrease the value of seq_nr_highest_sent Documentation: ACPI: EINJ: Fix obsolete example apparmor: Fix memleak in aa_simple_write_to_buffer() apparmor: fix reference count leak in aa_pivotroot() apparmor: fix overlapping attachment computation apparmor: fix aa_label_asxprint return check apparmor: Fix failed mount permission check error message apparmor: fix absroot causing audited secids to begin with = apparmor: fix quiet_denied for file rules can: ems_usb: fix clang's -Wunaligned-access warning tracing: Have filter accept "common_cpu" to be consistent btrfs: fix lost error handling when looking up extended ref on log replay mmc: pxamci: Fix an error handling path in pxamci_probe() mmc: pxamci: Fix another error handling path in pxamci_probe() ata: libata-eh: Add missing command name rds: add missing barrier to release_refill ALSA: info: Fix llseek return value when using callback net_sched: cls_route: disallow handle of 0 net/9p: Initialize the iounit field during fid creation Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP" scsi: sg: Allow waiting for commands to complete on removed device tcp: fix over estimation in sk_forced_mem_schedule() KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast() KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq KVM: Add infrastructure and macro to mark VM as bugged btrfs: reject log replay if there is unsupported RO compat flag net_sched: cls_route: remove from list when handle is 0 iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails timekeeping: contribute wall clock to rng on time change ACPI: CPPC: Do not prevent CPPC from working in the future dm writecache: set a default MAX_WRITEBACK_JOBS dm thin: fix use-after-free crash in dm_sm_register_threshold_callback dm raid: fix address sanitizer warning in raid_status dm raid: fix address sanitizer warning in raid_resume intel_th: pci: Add Meteor Lake-P support intel_th: pci: Add Raptor Lake-S PCH support intel_th: pci: Add Raptor Lake-S CPU support ext4: correct the misjudgment in ext4_iget_extra_inode ext4: correct max_inline_xattr_value_size computing ext4: fix extent status tree race in writeback error recovery path ext4: update s_overhead_clusters in the superblock during an on-line resize ext4: fix use-after-free in ext4_xattr_set_entry ext4: make sure ext4_append() always allocates new block ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h btrfs: reset block group chunk force if we have to wait tpm: eventlog: Fix section mismatch for DEBUG_SECTION_MISMATCH kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification spmi: trace: fix stack-out-of-bound access in SPMI tracing functions x86/olpc: fix 'logical not is only applied to the left hand side' scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error injection scsi: qla2xxx: Turn off multi-queue for 8G adapters scsi: qla2xxx: Fix discovery issues in FC-AL topology scsi: zfcp: Fix missing auto port scan and thus missing target ports video: fbdev: s3fb: Check the size of screen before memset_io() video: fbdev: arkfb: Check the size of screen before memset_io() video: fbdev: vt8623fb: Check the size of screen before memset_io() tools/thermal: Fix possible path truncations video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock() x86/numa: Use cpumask_available instead of hardcoded NULL check scripts/faddr2line: Fix vmlinux detection on arm64 genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined HAVE_LIBCRYPTO powerpc/pci: Fix PHB numbering when using opal-phbid kprobes: Forbid probing on trampoline and BPF code areas perf symbol: Fail to read phdr workaround powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address powerpc/xive: Fix refcount leak in xive_get_max_prio powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias powerpc/32: Do not allow selection of e5500 or e6500 CPUs on PPC32 video: fbdev: sis: fix typos in SiS_GetModeID() video: fbdev: amba-clcd: Fix refcount leak bugs watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() ASoC: audio-graph-card: Add of_node_put() in fail path fuse: Remove the control interface for virtio-fs ASoC: qcom: q6dsp: Fix an off-by-one in q6adm_alloc_copp() s390/zcore: fix race when reading from hardware system area iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of loop mfd: max77620: Fix refcount leak in max77620_initialise_fps mfd: t7l66xb: Drop platform disable callback kfifo: fix kfifo_to_user() return type rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge iommu/exynos: Handle failed IOMMU device registration properly tty: n_gsm: fix missing corner cases in gsmld_poll() tty: n_gsm: fix DM command tty: n_gsm: fix wrong T1 retry count handling vfio/ccw: Do not change FSM state in subchannel event remoteproc: qcom: wcnss: Fix handling of IRQs tty: n_gsm: fix race condition in gsmld_write() tty: n_gsm: fix packet re-transmission without open control channel tty: n_gsm: fix non flow control frames during mux flow off profiling: fix shift too large makes kernel panic ASoC: codecs: wcd9335: move gains from SX_TLV to S8_TLV ASoC: codecs: msm8916-wcd-digital: move gains from SX_TLV to S8_TLV serial: 8250_dw: Store LSR into lsr_saved_flags in dw8250_tx_wait_empty() ASoC: mediatek: mt8173-rt5650: Fix refcount leak in mt8173_rt5650_dev_probe ASoC: codecs: da7210: add check for i2c_add_driver ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe ASoC: mediatek: mt8173: Fix refcount leak in mt8173_rt5650_rt5676_dev_probe opp: Fix error check in dev_pm_opp_attach_genpd() jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted ext4: recover csum seed of tmp_inode after migrating to extents jbd2: fix outstanding credits assert in jbd2_journal_commit_transaction() null_blk: fix ida error handling in null_add_dev() RDMA/rxe: Fix error unwind in rxe_create_qp() mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region platform/olpc: Fix uninitialized data in debugfs write USB: serial: fix tty-port initialized comments PCI: tegra194: Fix link up retry sequence PCI: tegra194: Fix Root Port interrupt handling HID: alps: Declare U1_UNICORN_LEGACY support mmc: cavium-thunderx: Add of_node_put() when breaking out of loop mmc: cavium-octeon: Add of_node_put() when breaking out of loop gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() RDMA/hfi1: fix potential memory leak in setup_base_ctxt() RDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event RDMA/hns: Fix incorrect clearing of interrupt status register usb: gadget: udc: amd5536 depends on HAS_DMA scsi: smartpqi: Fix DMA direction for RAID requests mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R memstick/ms_block: Fix a memory leak memstick/ms_block: Fix some incorrect memory allocation mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch staging: rtl8192u: Fix sleep in atomic context bug in dm_fsync_timer_callback intel_th: msu: Fix vmalloced buffers intel_th: msu-sink: Potential dereference of null pointer intel_th: Fix a resource leak in an error handling path soundwire: bus_type: fix remove and shutdown support clk: qcom: camcc-sdm845: Fix topology around titan_top power domain clk: qcom: ipq8074: set BRANCH_HALT_DELAY flag for UBI clocks clk: qcom: ipq8074: fix NSS port frequency tables usb: host: xhci: use snprintf() in xhci_decode_trb() clk: qcom: clk-krait: unlock spin after mux completion driver core: fix potential deadlock in __driver_attach misc: rtsx: Fix an error handling path in rtsx_pci_probe() clk: mediatek: reset: Fix written reset bit offset usb: xhci: tegra: Fix error check usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe fpga: altera-pr-ip: fix unsigned comparison with less than zero mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error path mtd: partitions: Fix refcount leak in parse_redboot_of mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release HID: cp2112: prevent a buffer overflow in cp2112_xfer() mtd: rawnand: meson: Fix a potential double free issue mtd: maps: Fix refcount leak in ap_flash_init mtd: maps: Fix refcount leak in of_flash_probe_versatile clk: renesas: r9a06g032: Fix UART clkgrp bitsel dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock net: rose: fix netdev reference changes netdevsim: Avoid allocation warnings triggered from user space iavf: Fix max_rate limiting crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS wifi: libertas: Fix possible refcount leak in if_usb_probe() wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue wifi: wil6210: debugfs: fix uninitialized variable use in `wil_write_file_wmi()` i2c: mux-gpmux: Add of_node_put() when breaking out of loop i2c: cadence: Support PEC for SMBus block read Bluetooth: hci_intel: Add check for platform_driver_register can: pch_can: pch_can_error(): initialize errc before using it can: error: specify the values of data[5..7] of CAN error frames can: usb_8dev: do not report txerr and rxerr during bus-off can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off can: sun4i_can: do not report txerr and rxerr during bus-off can: hi311x: do not report txerr and rxerr during bus-off can: sja1000: do not report txerr and rxerr during bus-off can: rcar_can: do not report txerr and rxerr during bus-off can: pch_can: do not report txerr and rxerr during bus-off selftests/bpf: fix a test for snprintf() overflow wifi: p54: add missing parentheses in p54_flush() wifi: p54: Fix an error handling path in p54spi_probe() wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi() fs: check FMODE_LSEEK to control internal pipe splicing selftests: timers: clocksource-switch: fix passing errors from child selftests: timers: valid-adjtimex: build fix for newer toolchains libbpf: Fix the name of a reused map tcp: make retransmitted SKB fit into the send window drm/exynos/exynos7_drm_decon: free resources when clk_set_parent() failed. mediatek: mt76: mac80211: Fix missing of_node_put() in mt76_led_init() media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment crypto: hisilicon - Kunpeng916 crypto driver don't sleep when in softirq drm/msm/mdp5: Fix global state lock backoff drm: bridge: sii8620: fix possible off-by-one drm/mediatek: dpi: Only enable dpi after the bridge is enabled drm/mediatek: dpi: Remove output format of YUV drm/rockchip: Fix an error handling path rockchip_dp_probe() drm/rockchip: vop: Don't crash for invalid duplicate_state() crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE drm/vc4: dsi: Correct DSI divider calculations drm/vc4: plane: Fix margin calculations for the right/bottom edges drm/vc4: plane: Remove subpixel positioning check media: hdpvr: fix error value returns in hdpvr_read drm/mcde: Fix refcount leak in mcde_dsi_bind drm: bridge: adv7511: Add check for mipi_dsi_driver_register wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd() ath9k: fix use-after-free in ath9k_hif_usb_rx_cb media: tw686x: Register the irq at the end of probe i2c: Fix a potential use after free drm: adv7511: override i2c address of cec before accessing it drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff function drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers() drm/mipi-dbi: align max_chunk to 2 in spi_transfer wifi: rtlwifi: fix error codes in rtl_debugfs_set_write_h2c() ath10k: do not enforce interrupt trigger type dm: return early from dm_pr_call() if DM device is suspended thermal/tools/tmon: Include pthread and time headers in tmon.h nohz/full, sched/rt: Fix missed tick-reenabling bug in dequeue_task_rt() regulator: of: Fix refcount leak bug in of_get_regulation_constraints() blk-mq: don't create hctx debugfs dir until q->debugfs_dir is created erofs: avoid consecutive detection for Highmem memory arm64: dts: mt7622: fix BPI-R64 WPS button bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() ARM: dts: qcom: pm8841: add required thermal-sensor-cells soc: qcom: aoss: Fix refcount leak in qmp_cooling_devices_register cpufreq: zynq: Fix refcount leak in zynq_get_revision ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init ARM: OMAP2+: Fix refcount leak in omapdss_init_of ARM: dts: qcom: mdm9615: add missing PMIC GPIO reg soc: fsl: guts: machine variable might be unset ARM: dts: ast2600-evb: fix board compatible ARM: dts: ast2500-evb: fix board compatible x86/pmem: Fix platform-device leak in error path ARM: bcm: Fix refcount leak in bcm_kona_smc_init meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init ARM: findbit: fix overflowing offset spi: spi-rspi: Fix PIO fallback on RZ platforms selinux: Add boundary check in put_entry() PM: hibernate: defer device probing when resuming from hibernation ARM: shmobile: rcar-gen2: Increase refcount for new reference arm64: dts: allwinner: a64: orangepi-win: Fix LED node name arm64: dts: qcom: ipq8074: fix NAND node name ACPI: LPSS: Fix missing check in register_device_clock() ACPI: PM: save NVS memory for Lenovo G40-45 ACPI: EC: Remove duplicate ThinkPad X1 Carbon 6th entry from DMI quirks ARM: OMAP2+: display: Fix refcount leak bug spi: synquacer: Add missing clk_disable_unprepare() ARM: dts: imx6ul: fix qspi node compatible ARM: dts: imx6ul: fix lcdif node compatible ARM: dts: imx6ul: fix csi node compatible ARM: dts: imx6ul: change operating-points to uint32-matrix ARM: dts: imx6ul: add missing properties for sram wait: Fix __wait_event_hrtimeout for RT/DL tasks genirq: Don't return error on missing optional irq_request_resources() ext2: Add more validity checks for inode counts arm64: fix oops in concurrently setting insn_emulation sysctls arm64: Do not forget syscall when starting a new thread. x86: Handle idle=nomwait cmdline properly for x86_idle epoll: autoremove wakers even more aggressively netfilter: nf_tables: fix null deref due to zeroed list head netfilter: nf_tables: do not allow RULE_ID to refer to another chain netfilter: nf_tables: do not allow SET_ID to refer to another table arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC USB: HCD: Fix URB giveback issue in tasklet function coresight: Clear the connection field properly MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK powerpc/powernv: Avoid crashing if rng is NULL powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E powerpc/fsl-pci: Fix Class Code of PCIe Root Port PCI: Add defines for normal and subtractive PCI bridges ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() md-raid10: fix KASAN warning serial: mvebu-uart: uart2 error bits clearing fuse: limit nsec iio: light: isl29028: Fix the warning in isl29028_remove() drm/amdgpu: Check BO's requested pinning domains against its preferred_domains drm/nouveau: fix another off-by-one in nvbios_addr drm/gem: Properly annotate WW context on drm_gem_lock_reservations() error parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode parisc: Fix device names in /proc/iomem ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh() usbnet: Fix linkwatch use-after-free on disconnect fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters thermal: sysfs: Fix cooling_device_stats_setup() error code path fs: Add missing umask strip in vfs_tmpfile vfs: Check the truncate maximum size in inode_newsize_ok() tty: vt: initialize unicode screen buffer ALSA: hda/realtek: Add quirk for another Asus K42JZ model ALSA: hda/cirrus - support for iMac 12,1 model ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model mm/mremap: hold the rmap lock in write mode when moving page table entries. KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case HID: wacom: Don't register pad_input for touch switch HID: wacom: Only report rotation for art pen add barriers to buffer_uptodate and set_buffer_uptodate wifi: mac80211_hwsim: use 32-bit skb cookie wifi: mac80211_hwsim: add back erroneously removed cast wifi: mac80211_hwsim: fix race condition in pending packet igc: Remove _I_PHY_ID checking ALSA: bcd2000: Fix a UAF bug on the error path of probing scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover" x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments Makefile: link with -z noexecstack --no-warn-rwx-segments Conflicts: Documentation/devicetree/bindings/arm/qcom.yaml Documentation/devicetree/bindings~HEAD arch/x86/boot/compressed/Makefile drivers/mmc/core/sd.c drivers/rpmsg/qcom_glink_native.c drivers/usb/dwc3/core.c drivers/usb/dwc3/gadget.c drivers/usb/typec/ucsi/ucsi.c net/core/dev.c net/netfilter/nf_conntrack_irc.c Change-Id: I796398110bc61fa6a8bb94f7ef41b9209683dbf7 |
||
|
Tejun Heo
|
35963b3182 |
memcg: fix possible use-after-free in memcg_write_event_control()
commit 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 upstream. memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to |