This reverts commit 30cc13fe89.
It does not have a direct commit relation in upstream, and was lovingly
hand-crafted just for the 4.19.y kernel tree with the hope that it would
be useful to someone.
Unfortunately for us, it breaks the Android kernel abi and so, if it is
really needed in the future, must be brought back in an abi-safe way
then.
Bug: 161946584
Change-Id: I12a953b74673556a3b94a0b8bbdc453f3c08db04
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 855a2b559d which is
commit e03781879a0d524ce3126678d50a80484a513c4b upstream.
Well, it reverts portions of it, the main portion was already removed in
the merge of 4.19.302 due to other changes happening in the
net/netlink/genetlink.c file. The main, abi breakage, was removed here
as well. If all of this is needed in the Android 4.19 tree, it can be
brought back in an abi-safe way by applying the original patch, NOT by
reverting this revert, as that will not work properly.
Bug: 161946584
Change-Id: I4a2384672c0258853ffbc26416b426b3aafd809f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit ece0857258 which is
commit 119a784c81270eb88e573174ed2209225d646656 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I9f973774a99437a3dcfecf32eff8e7ddcfd418ed
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit f5d6ab0167 which is
commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I7db90bfbe74a408b807480c811382e38731f0c53
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 9a2fc41acb which is
commit 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: Ifdc5474de6e7488eb24959df1697b61b2e3e7880
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Nothing fancy here. Keeping full history is not required.
`git checkout mainline/master -- scripts/checkpatch.pl`
This may need to be done periodically.
Bug: 316492624
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I4c90b50197ca7277c59e96bf332ecf795c4f3d12
* sm8250/lineage-20:
msm: vidc: fix error during debugfs init
Squashed revert of recent blk-mq changes
fixup! qcacld-3.0: Use freq hint in scan for ssid
Revert "macsec: use DEV_STATS_INC()"
Revert "net: add DEV_STATS_READ() helper"
Linux 4.19.300
net: sched: fix race condition in qdisc_graft()
iomap: Set all uptodate bits for an Uptodate page
scsi: virtio_scsi: limit number of hw queues by nr_cpu_ids
drm/amdgpu: fix error handling in amdgpu_bo_list_get()
ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
ext4: correct return value of ext4_convert_meta_bg
ext4: correct offset of gdb backup in non meta_bg group to update_backups
ext4: apply umask if ACL support is disabled
Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E"
media: venus: hfi: add checks to handle capabilities from firmware
media: venus: hfi: fix the check to handle session buffer requirement
media: venus: hfi_parser: Add check to keep the number of codecs within range
media: sharp: fix sharp encoding
media: lirc: drop trailing space from scancode transmit
i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
net: dsa: lan9303: consequently nested-lock physical MDIO
tty: serial: meson: fix hard LOCKUP on crtscts mode
serial: meson: Use platform_get_irq() to get the interrupt
tty: serial: meson: retrieve port FIFO size from DT
serial: meson: remove redundant initialization of variable id
tty: serial: meson: if no alias specified use an available id
ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC
ALSA: info: Fix potential deadlock at disconnection
parisc/pgtable: Do not drop upper 5 address bits of physical address
parisc: Prevent booting 64-bit kernels on PA1.x machines
dmaengine: stm32-mdma: correct desc prep when channel running
mcb: fix error handling for different scenarios when parsing
quota: explicitly forbid quota files from being encrypted
jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev
PM: hibernate: Clean up sync_read handling in snapshot_write_next()
PM: hibernate: Use __get_safe_page() rather than touching the list
mmc: vub300: fix an error code
clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks
parisc/pdc: Add width field to struct pdc_model
PCI: keystone: Don't discard .probe() callback
PCI: keystone: Don't discard .remove() callback
genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
mmc: meson-gx: Remove setting of CMD_CFG_ERROR
PCI/sysfs: Protect driver's D3cold preference from user space
hvc/xen: fix error path in xen_hvc_init() to always register frontend driver
audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
audit: don't take task_lock() in audit_exe_compare() code path
KVM: x86: Ignore MSR_AMD64_TW_CFG access
randstruct: Fix gcc-plugin performance mode to stay in group
media: venus: hfi: add checks to perform sanity on queue pointers
cifs: spnego: add ';' in HOST_KEY_LEN
macvlan: Don't propagate promisc change to lower dev in passthru
net: ethernet: cortina: Fix MTU max setting
net: ethernet: cortina: Handle large frames
net: ethernet: cortina: Fix max RX frame define
ptp: annotate data-race around q->head and q->tail
xen/events: fix delayed eoi list handling
ppp: limit MRU to 64K
tipc: Fix kernel-infoleak due to uninitialized TLV value
tty: Fix uninit-value access in ppp_sync_receive()
ipvlan: add ipvlan_route_v6_outbound() helper
NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
pwm: Fix double shift bug
drm/amd/display: Avoid NULL dereference of timing generator
gfs2: ignore negated quota changes
media: vivid: avoid integer overflow
media: gspca: cpia1: shift-out-of-bounds in set_flicker
i2c: sun6i-p2wi: Prevent potential division by zero
usb: gadget: f_ncm: Always set current gadget in ncm_bind()
tty: vcc: Add check for kstrdup() in vcc_probe()
HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()
atm: iphase: Do PCI error checks on own line
ALSA: hda: Fix possible null-ptr-deref when assigning a stream
ARM: 9320/1: fix stack depot IRQ stack filter
jfs: fix array-index-out-of-bounds in diAlloc
jfs: fix array-index-out-of-bounds in dbFindLeaf
fs/jfs: Add validity check for db_maxag and db_agpref
fs/jfs: Add check for negative db_l2nbperpage
RDMA/hfi1: Use FIELD_GET() to extract Link Width
crypto: pcrypt - Fix hungtask for PADATA_RESET
selftests/efivarfs: create-read: fix a resource leak
drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
Bluetooth: Fix double free in hci_conn_cleanup
net: annotate data-races around sk->sk_dst_pending_confirm
net: annotate data-races around sk->sk_tx_queue_mapping
wifi: ath10k: fix clang-specific fortify warning
wifi: ath9k: fix clang-specific fortify warnings
wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
clocksource/drivers/timer-imx-gpt: Fix potential memory leak
perf/core: Bail out early if the request AUX area is out of bound
locking/ww_mutex/test: Fix potential workqueue corruption
Revert "ipvlan: properly track tx_errors"
ANDROID: fix up platform_device ABI break
Linux 4.19.299
btrfs: use u64 for buffer sizes in the tree search ioctls
Revert "mmc: core: Capture correct oemid-bits for eMMC cards"
fbdev: fsl-diu-fb: mark wr_reg_wa() static
fbdev: imsttfb: fix a resource leak in probe
fbdev: imsttfb: Fix error path of imsttfb_probe()
netfilter: xt_recent: fix (increase) ipv6 literal buffer length
r8169: respect userspace disabling IFF_MULTICAST
tg3: power down device only on SYSTEM_POWER_OFF
net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
net/smc: wait for pending work before clcsock release_sock
net/smc: postpone release of clcsock
net: r8169: Disable multicast filter for RTL8168H and RTL8107E
r8169: improve rtl_set_rx_mode
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
dccp: Call security_inet_conn_request() after setting IPv4 addresses.
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
llc: verify mac len before reading mac header
Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
pwm: sti: Reduce number of allocations and drop usage of chip_data
pwm: sti: Avoid conditional gotos
media: dvb-usb-v2: af9035: fix missing unlock
media: s3c-camif: Avoid inappropriate kfree()
media: bttv: fix use after free error due to btv->timeout timer
pcmcia: ds: fix possible name leak in error path in pcmcia_device_add()
pcmcia: ds: fix refcount leak in pcmcia_device_add()
pcmcia: cs: fix possible hung task and memory leak pccardd()
f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
USB: usbip: fix stub_dev hub disconnect
tools: iio: iio_generic_buffer ensure alignment
tools: iio: iio_generic_buffer: Fix some integer type and calculation
tools: iio: privatize globals and functions in iio_generic_buffer.c file
misc: st_core: Do not call kfree_skb() under spin_lock_irqsave()
dmaengine: ti: edma: handle irq_of_parse_and_map() errors
usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
ledtrig-cpu: Limit to 8 CPUs
leds: pwm: Don't disable the PWM when the LED should be off
leds: pwm: convert to atomic PWM API
leds: pwm: simplify if condition
mfd: dln2: Fix double put in dln2_probe
ASoC: ams-delta.c: use component after check
ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
sh: bios: Revive earlyprintk support
RDMA/hfi1: Workaround truncation compilation error
ext4: move 'ix' sanity check to corrent position
ARM: 9321/1: memset: cast the constant byte to unsigned char
hid: cp2112: Fix duplicate workqueue initialization
HID: cp2112: Use irqchip template
nd_btt: Make BTT lanes preemptible
sched/rt: Provide migrate_disable/enable() inlines
hwrng: geode - fix accessing registers
clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped
firmware: ti_sci: Mark driver as non removable
ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
drm/radeon: possible buffer overflow
drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
hwmon: (coretemp) Fix potentially truncated sysfs attribute name
platform/x86: wmi: Fix opening of char device
platform/x86: wmi: remove unnecessary initializations
platform/x86: wmi: Fix probe failure when failing to register WMI devices
clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
clk: npcm7xx: Fix incorrect kfree
clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
regmap: debugfs: Fix a erroneous check after snprintf()
ipvlan: properly track tx_errors
net: add DEV_STATS_READ() helper
macsec: use DEV_STATS_INC()
macsec: Fix traffic counters/statistics
ipv6: avoid atomic fragment on GSO packets
ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
chtls: fix tp->rcv_tstamp initialization
thermal: core: prevent potential string overflow
can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on()
can: dev: can_restart(): don't crash kernel if carrier is OK
can: dev: move driver related infrastructure into separate subdir
wifi: rtlwifi: fix EDCA limit set by BT coexistence
tcp_metrics: do not create an entry from tcp_init_metrics()
tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
tcp_metrics: add missing barriers on delete
i40e: fix potential memory leaks in i40e_remove()
genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
vfs: fix readahead(2) on block devices
Linux 4.19.298
tty: 8250: Add support for Intashield IS-100
tty: 8250: Add support for Brainboxes UP cards
tty: 8250: Add support for additional Brainboxes UC cards
tty: 8250: Remove UC-257 and UC-431
usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility
PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
remove the sx8 block driver
ata: ahci: fix enum constants for gcc-13
net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
scsi: mpt3sas: Fix in error path
fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
ASoC: rt5650: fix the wrong result of key button
netfilter: nfnetlink_log: silence bogus compiler warning
fbdev: atyfb: only use ioremap_uc() on i386 and ia64
Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
irqchip/stm32-exti: add missing DT IRQ flag translation
Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table
ASoC: simple-card: fixup asoc_simple_probe() error handling
MAINTAINERS: r8169: Update path to the driver
x86: Fix .brk attribute in linker script
rpmsg: Fix possible refcount leak in rpmsg_register_device_override()
rpmsg: glink: Release driver_override
rpmsg: Fix calling device_lock() on non-initialized device
rpmsg: Fix kfree() of static memory on setting driver_override
rpmsg: Constify local variable in field store macro
driver: platform: Add helper for safer setting of driver_override
x86/mm: Fix RESERVE_BRK() for older binutils
x86/mm: Simplify RESERVE_BRK()
nfsd: lock_rename() needs both directories to live on the same fs
f2fs: fix to do sanity check on inode type during garbage collection
smbdirect: missing rc checks while waiting for rdma events
kobject: Fix slab-out-of-bounds in fill_kobj_path()
arm64: fix a concurrency issue in emulation_proc_handler()
drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
ARM: 8933/1: replace Sun/Solaris style flag on section directive
NFS: Don't call generic_error_remove_page() while holding locks
x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility
iio: exynos-adc: request second interupt only when touchscreen mode is used
perf/core: Fix potential NULL deref
nvmem: imx: correct nregs for i.MX6UL
nvmem: imx: correct nregs for i.MX6SLL
i2c: stm32f7: Fix PEC handling in case of SMBUS transfers
i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()
i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()
i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()
i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
gtp: fix fragmentation needed check with gso
igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
treewide: Spelling fix in comment
r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1
r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1
r8169: rename r8169.c to r8169_main.c
virtio-mmio: fix memory leak of vm_dev
virtio_balloon: Fix endless deflation and inflation on arm64
mcb-lpc: Reallocate memory region to avoid memory overlapping
mcb: Return actual parsed size when reading chameleon table
selftests/ftrace: Add new test case which checks non unique symbol
mmc: core: sdio: hold retuning if sdio in 1-bit mode
mmc: sdio: Don't re-initialize powered-on removable SDIO cards at resume
BACKPORT: blk-mq: fix is_flush_rq
BACKPORT: blk-mq: clear stale request in tags->rq[] before freeing one request pool
BACKPORT: blk-mq: clearing flush request reference in tags->rqs[]
BACKPORT: blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter
Change-Id: I77108c833458ca6e870e9a884b91af20b22b0928
When CONFIG_DEBUG_FS is disabled, the call to
debugfs_create_dir will result in an error.
Add a check of the config to avoid the error.
Change-Id: I7a79dbc5c4c5e1e3192a11d55ad9b7994788f30f
Signed-off-by: ziqic <quic_ziqic_01@quicinc.com>
"LA.UM.9.12.r1-17600.04-SMxx50.QSSI14.0"
* tag 'LA.UM.9.12.r1-17600.04-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.19:
BACKPORT: blk-mq: fix is_flush_rq
BACKPORT: blk-mq: clear stale request in tags->rq[] before freeing one request pool
BACKPORT: blk-mq: clearing flush request reference in tags->rqs[]
BACKPORT: blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter
Conflicts:
block/blk-mq-tag.c
block/blk-mq-tag.h
block/blk-mq.c
Change-Id: I7d9036406b384ced9b64346fc4107b23f8893f34
https://source.android.com/docs/security/bulletin/2023-12-01
* tag 'ASB-2023-12-05_4.19-stable' of https://android.googlesource.com/kernel/common:
Revert "macsec: use DEV_STATS_INC()"
Revert "net: add DEV_STATS_READ() helper"
Linux 4.19.300
net: sched: fix race condition in qdisc_graft()
iomap: Set all uptodate bits for an Uptodate page
scsi: virtio_scsi: limit number of hw queues by nr_cpu_ids
drm/amdgpu: fix error handling in amdgpu_bo_list_get()
ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
ext4: correct return value of ext4_convert_meta_bg
ext4: correct offset of gdb backup in non meta_bg group to update_backups
ext4: apply umask if ACL support is disabled
Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E"
media: venus: hfi: add checks to handle capabilities from firmware
media: venus: hfi: fix the check to handle session buffer requirement
media: venus: hfi_parser: Add check to keep the number of codecs within range
media: sharp: fix sharp encoding
media: lirc: drop trailing space from scancode transmit
i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
net: dsa: lan9303: consequently nested-lock physical MDIO
tty: serial: meson: fix hard LOCKUP on crtscts mode
serial: meson: Use platform_get_irq() to get the interrupt
tty: serial: meson: retrieve port FIFO size from DT
serial: meson: remove redundant initialization of variable id
tty: serial: meson: if no alias specified use an available id
ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC
ALSA: info: Fix potential deadlock at disconnection
parisc/pgtable: Do not drop upper 5 address bits of physical address
parisc: Prevent booting 64-bit kernels on PA1.x machines
dmaengine: stm32-mdma: correct desc prep when channel running
mcb: fix error handling for different scenarios when parsing
quota: explicitly forbid quota files from being encrypted
jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev
PM: hibernate: Clean up sync_read handling in snapshot_write_next()
PM: hibernate: Use __get_safe_page() rather than touching the list
mmc: vub300: fix an error code
clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks
parisc/pdc: Add width field to struct pdc_model
PCI: keystone: Don't discard .probe() callback
PCI: keystone: Don't discard .remove() callback
genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
mmc: meson-gx: Remove setting of CMD_CFG_ERROR
PCI/sysfs: Protect driver's D3cold preference from user space
hvc/xen: fix error path in xen_hvc_init() to always register frontend driver
audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
audit: don't take task_lock() in audit_exe_compare() code path
KVM: x86: Ignore MSR_AMD64_TW_CFG access
randstruct: Fix gcc-plugin performance mode to stay in group
media: venus: hfi: add checks to perform sanity on queue pointers
cifs: spnego: add ';' in HOST_KEY_LEN
macvlan: Don't propagate promisc change to lower dev in passthru
net: ethernet: cortina: Fix MTU max setting
net: ethernet: cortina: Handle large frames
net: ethernet: cortina: Fix max RX frame define
ptp: annotate data-race around q->head and q->tail
xen/events: fix delayed eoi list handling
ppp: limit MRU to 64K
tipc: Fix kernel-infoleak due to uninitialized TLV value
tty: Fix uninit-value access in ppp_sync_receive()
ipvlan: add ipvlan_route_v6_outbound() helper
NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
pwm: Fix double shift bug
drm/amd/display: Avoid NULL dereference of timing generator
gfs2: ignore negated quota changes
media: vivid: avoid integer overflow
media: gspca: cpia1: shift-out-of-bounds in set_flicker
i2c: sun6i-p2wi: Prevent potential division by zero
usb: gadget: f_ncm: Always set current gadget in ncm_bind()
tty: vcc: Add check for kstrdup() in vcc_probe()
HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()
atm: iphase: Do PCI error checks on own line
ALSA: hda: Fix possible null-ptr-deref when assigning a stream
ARM: 9320/1: fix stack depot IRQ stack filter
jfs: fix array-index-out-of-bounds in diAlloc
jfs: fix array-index-out-of-bounds in dbFindLeaf
fs/jfs: Add validity check for db_maxag and db_agpref
fs/jfs: Add check for negative db_l2nbperpage
RDMA/hfi1: Use FIELD_GET() to extract Link Width
crypto: pcrypt - Fix hungtask for PADATA_RESET
selftests/efivarfs: create-read: fix a resource leak
drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
Bluetooth: Fix double free in hci_conn_cleanup
net: annotate data-races around sk->sk_dst_pending_confirm
net: annotate data-races around sk->sk_tx_queue_mapping
wifi: ath10k: fix clang-specific fortify warning
wifi: ath9k: fix clang-specific fortify warnings
wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
clocksource/drivers/timer-imx-gpt: Fix potential memory leak
perf/core: Bail out early if the request AUX area is out of bound
locking/ww_mutex/test: Fix potential workqueue corruption
Revert "ipvlan: properly track tx_errors"
ANDROID: fix up platform_device ABI break
Linux 4.19.299
btrfs: use u64 for buffer sizes in the tree search ioctls
Revert "mmc: core: Capture correct oemid-bits for eMMC cards"
fbdev: fsl-diu-fb: mark wr_reg_wa() static
fbdev: imsttfb: fix a resource leak in probe
fbdev: imsttfb: Fix error path of imsttfb_probe()
netfilter: xt_recent: fix (increase) ipv6 literal buffer length
r8169: respect userspace disabling IFF_MULTICAST
tg3: power down device only on SYSTEM_POWER_OFF
net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
net/smc: wait for pending work before clcsock release_sock
net/smc: postpone release of clcsock
net: r8169: Disable multicast filter for RTL8168H and RTL8107E
r8169: improve rtl_set_rx_mode
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
dccp: Call security_inet_conn_request() after setting IPv4 addresses.
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
llc: verify mac len before reading mac header
Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
pwm: sti: Reduce number of allocations and drop usage of chip_data
pwm: sti: Avoid conditional gotos
media: dvb-usb-v2: af9035: fix missing unlock
media: s3c-camif: Avoid inappropriate kfree()
media: bttv: fix use after free error due to btv->timeout timer
pcmcia: ds: fix possible name leak in error path in pcmcia_device_add()
pcmcia: ds: fix refcount leak in pcmcia_device_add()
pcmcia: cs: fix possible hung task and memory leak pccardd()
f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
USB: usbip: fix stub_dev hub disconnect
tools: iio: iio_generic_buffer ensure alignment
tools: iio: iio_generic_buffer: Fix some integer type and calculation
tools: iio: privatize globals and functions in iio_generic_buffer.c file
misc: st_core: Do not call kfree_skb() under spin_lock_irqsave()
dmaengine: ti: edma: handle irq_of_parse_and_map() errors
usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
ledtrig-cpu: Limit to 8 CPUs
leds: pwm: Don't disable the PWM when the LED should be off
leds: pwm: convert to atomic PWM API
leds: pwm: simplify if condition
mfd: dln2: Fix double put in dln2_probe
ASoC: ams-delta.c: use component after check
ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
sh: bios: Revive earlyprintk support
RDMA/hfi1: Workaround truncation compilation error
ext4: move 'ix' sanity check to corrent position
ARM: 9321/1: memset: cast the constant byte to unsigned char
hid: cp2112: Fix duplicate workqueue initialization
HID: cp2112: Use irqchip template
nd_btt: Make BTT lanes preemptible
sched/rt: Provide migrate_disable/enable() inlines
hwrng: geode - fix accessing registers
clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped
firmware: ti_sci: Mark driver as non removable
ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
drm/radeon: possible buffer overflow
drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
hwmon: (coretemp) Fix potentially truncated sysfs attribute name
platform/x86: wmi: Fix opening of char device
platform/x86: wmi: remove unnecessary initializations
platform/x86: wmi: Fix probe failure when failing to register WMI devices
clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
clk: npcm7xx: Fix incorrect kfree
clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
regmap: debugfs: Fix a erroneous check after snprintf()
ipvlan: properly track tx_errors
net: add DEV_STATS_READ() helper
macsec: use DEV_STATS_INC()
macsec: Fix traffic counters/statistics
ipv6: avoid atomic fragment on GSO packets
ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
chtls: fix tp->rcv_tstamp initialization
thermal: core: prevent potential string overflow
can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on()
can: dev: can_restart(): don't crash kernel if carrier is OK
can: dev: move driver related infrastructure into separate subdir
wifi: rtlwifi: fix EDCA limit set by BT coexistence
tcp_metrics: do not create an entry from tcp_init_metrics()
tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
tcp_metrics: add missing barriers on delete
i40e: fix potential memory leaks in i40e_remove()
genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
vfs: fix readahead(2) on block devices
Linux 4.19.298
tty: 8250: Add support for Intashield IS-100
tty: 8250: Add support for Brainboxes UP cards
tty: 8250: Add support for additional Brainboxes UC cards
tty: 8250: Remove UC-257 and UC-431
usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility
PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
remove the sx8 block driver
ata: ahci: fix enum constants for gcc-13
net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
scsi: mpt3sas: Fix in error path
fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
ASoC: rt5650: fix the wrong result of key button
netfilter: nfnetlink_log: silence bogus compiler warning
fbdev: atyfb: only use ioremap_uc() on i386 and ia64
Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
irqchip/stm32-exti: add missing DT IRQ flag translation
Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table
ASoC: simple-card: fixup asoc_simple_probe() error handling
MAINTAINERS: r8169: Update path to the driver
x86: Fix .brk attribute in linker script
rpmsg: Fix possible refcount leak in rpmsg_register_device_override()
rpmsg: glink: Release driver_override
rpmsg: Fix calling device_lock() on non-initialized device
rpmsg: Fix kfree() of static memory on setting driver_override
rpmsg: Constify local variable in field store macro
driver: platform: Add helper for safer setting of driver_override
x86/mm: Fix RESERVE_BRK() for older binutils
x86/mm: Simplify RESERVE_BRK()
nfsd: lock_rename() needs both directories to live on the same fs
f2fs: fix to do sanity check on inode type during garbage collection
smbdirect: missing rc checks while waiting for rdma events
kobject: Fix slab-out-of-bounds in fill_kobj_path()
arm64: fix a concurrency issue in emulation_proc_handler()
drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
ARM: 8933/1: replace Sun/Solaris style flag on section directive
NFS: Don't call generic_error_remove_page() while holding locks
x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility
iio: exynos-adc: request second interupt only when touchscreen mode is used
perf/core: Fix potential NULL deref
nvmem: imx: correct nregs for i.MX6UL
nvmem: imx: correct nregs for i.MX6SLL
i2c: stm32f7: Fix PEC handling in case of SMBUS transfers
i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()
i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()
i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()
i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
gtp: fix fragmentation needed check with gso
igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
treewide: Spelling fix in comment
r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1
r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1
r8169: rename r8169.c to r8169_main.c
virtio-mmio: fix memory leak of vm_dev
virtio_balloon: Fix endless deflation and inflation on arm64
mcb-lpc: Reallocate memory region to avoid memory overlapping
mcb: Return actual parsed size when reading chameleon table
selftests/ftrace: Add new test case which checks non unique symbol
mmc: core: sdio: hold retuning if sdio in 1-bit mode
mmc: sdio: Don't re-initialize powered-on removable SDIO cards at resume
Conflicts:
drivers/clk/qcom/clk-rcg2.c
drivers/leds/leds-pwm.c
drivers/mmc/core/sdio.c
drivers/rpmsg/qcom_glink_native.c
drivers/thermal/thermal_core.c
drivers/usb/gadget/function/f_ncm.c
Change-Id: I230a2c820e39dd863a874bfc0c7a411896b0ba9c
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmV53vEACgkQONu9yGCS
aT4wng/9ECVr1tNbX+0oo5p4GFnY2wR3I39TslGkS048Yo1UiW/m7WX2nDJPhJXO
YLLiSsm0xOKZEn1xDh99L5kIWZHeHywajMdrIDZwRhOtBj8RHX0NyWQQzxg2ftxs
7IrgXyt/38b6kcQ2or8rqPqINGeZWAErukMfGMQZIMkp48D68cyfPDk0xfFwryAL
mfn1tQOe6OgPFSbNR7MiV1mWzC6f06J6ZOx3kUvS6tqu0ZF61yhE8QkB/U2dQb/z
S7VTM4BQ5NuW9BiGfLF39OAppEZ7jB/JZjCzh5h2ZUWpKhxl09u5FFqT81fOqtBN
b/rhPnNnG1gFarGChrRbdvU4YnomBce7f7knpe0/vUiZW+UBxIW5yagUoXz7Eo0X
Lyowuj5bXhDAJ1T/G/AV8Fv0eIunBRUyXcdeF6qeHWV2NzDmcYbswY6gh5eWDZL3
ST83NvEq+p5uGzZHEbjbP3AX0P5wHDPAkhLXKLCwTsylHKrfL12e1+FWY2Jv40PA
Ze+8SNCZrdHIYXZWSczrGZJM+GJh1KCkOQt/wSkGzPPAmoqcOTyMqD7Tj7o8qUER
lQGDYzEO7+ZGMQ3QtSqQ//3Mlaeh4JYjzEYgpuXA7bFeepn/9FVDUurKZW39A/o5
0TTWsgwRlt2j92Jfi8ajbT5aAVJ0+o6KFqElUhc2onMMEWngUXs=
=Ryx9
-----END PGP SIGNATURE-----
Merge 4.19.302 into android-4.19-stable
Changes in 4.19.302
spi: imx: add a device specific prepare_message callback
spi: imx: move wml setting to later than setup_transfer
spi: imx: correct wml as the last sg length
spi: imx: mx51-ecspi: Move some initialisation to prepare_message hook.
media: davinci: vpif_capture: fix potential double free
hrtimers: Push pending hrtimers away from outgoing CPU earlier
netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
tg3: Move the [rt]x_dropped counters to tg3_napi
tg3: Increment tx_dropped in tg3_tso_bug()
kconfig: fix memory leak from range properties
drm/amdgpu: correct chunk_ptr to a pointer to chunk.
ipv6: fix potential NULL deref in fib6_add()
hv_netvsc: rndis_filter needs to select NLS
net: arcnet: Fix RESET flag handling
net: arcnet: com20020 fix error handling
arcnet: restoring support for multiple Sohard Arcnet cards
ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
net: hns: fix fake link up on xge port
netfilter: xt_owner: Add supplementary groups option
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
tcp: do not accept ACK of bytes we never sent
RDMA/bnxt_re: Correct module description string
hwmon: (acpi_power_meter) Fix 4.29 MW bug
tracing: Fix a warning when allocating buffered events fails
scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
ARM: dts: imx: make gpt node name generic
ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt
ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
packet: Move reference count in packet_sock to atomic_long_t
nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
tracing: Always update snapshot buffer size
tracing: Fix incomplete locking when disabling buffered events
tracing: Fix a possible race when disabling buffered events
perf/core: Add a new read format to get a number of lost samples
perf: Fix perf_event_validate_size()
gpiolib: sysfs: Fix error handling on failed export
usb: gadget: f_hid: fix report descriptor allocation
parport: Add support for Brainboxes IX/UC/PX parallel cards
usb: typec: class: fix typec_altmode_put_partner to put plugs
serial: sc16is7xx: address RX timeout interrupt errata
serial: 8250_omap: Add earlycon support for the AM654 UART controller
x86/CPU/AMD: Check vendor in the AMD microcode callback
KVM: s390/mm: Properly reset no-dat
nilfs2: fix missing error check for sb_set_blocksize call
netlink: don't call ->netlink_bind with table lock held
genetlink: add CAP_NET_ADMIN test for multicast bind
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
tools headers UAPI: Sync linux/perf_event.h with the kernel sources
IB/isert: Fix unaligned immediate-data handling
devcoredump : Serialize devcd_del work
devcoredump: Send uevent once devcd is ready
Linux 4.19.302
Change-Id: If04a1c5d3950ac7c1cbe4b71df951dcf3e8e8ed1
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit af54d778a03853801d681c98c0c2a6c316ef9ca7 ]
dev_coredumpm() creates a devcoredump device and adds it
to the core kernel framework which eventually end up
sending uevent to the user space and later creates a
symbolic link to the failed device. An application
running in userspace may be interested in this symbolic
link to get the name of the failed device.
In a issue scenario, once uevent sent to the user space
it start reading '/sys/class/devcoredump/devcdX/failing_device'
to get the actual name of the device which might not been
created and it is in its path of creation.
To fix this, suppress sending uevent till the failing device
symbolic link gets created and send uevent once symbolic
link is created successfully.
Fixes: 833c95456a ("device coredump: add new device coredump class")
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1700232572-25823-1-git-send-email-quic_mojha@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 01daccf748323dfc61112f474cf2ba81015446b0 ]
In following scenario(diagram), when one thread X running dev_coredumpm()
adds devcd device to the framework which sends uevent notification to
userspace and another thread Y reads this uevent and call to
devcd_data_write() which eventually try to delete the queued timer that
is not initialized/queued yet.
So, debug object reports some warning and in the meantime, timer is
initialized and queued from X path. and from Y path, it gets reinitialized
again and timer->entry.pprev=NULL and try_to_grab_pending() stucks.
To fix this, introduce mutex and a boolean flag to serialize the behaviour.
cpu0(X) cpu1(Y)
dev_coredump() uevent sent to user space
device_add() ======================> user space process Y reads the
uevents writes to devcd fd
which results into writes to
devcd_data_write()
mod_delayed_work()
try_to_grab_pending()
del_timer()
debug_assert_init()
INIT_DELAYED_WORK()
schedule_delayed_work()
debug_object_fixup()
timer_fixup_assert_init()
timer_setup()
do_init_timer()
/*
Above call reinitializes
the timer to
timer->entry.pprev=NULL
and this will be checked
later in timer_pending() call.
*/
timer_pending()
!hlist_unhashed_lockless(&timer->entry)
!h->pprev
/*
del_timer() checks h->pprev and finds
it to be NULL due to which
try_to_grab_pending() stucks.
*/
Link: https://lore.kernel.org/lkml/2e1f81e2-428c-f11f-ce92-eb11048cb271@quicinc.com/
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
Link: https://lore.kernel.org/r/1663073424-13663-1-git-send-email-quic_mojha@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: af54d778a038 ("devcoredump: Send uevent once devcd is ready")
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 0b089c1ef7047652b13b4cdfdb1e0e7dbdb8c9ab upstream.
Currently we allocate rx buffers in a single contiguous buffers for
headers (iser and iscsi) and data trailer. This means that most likely the
data starting offset is aligned to 76 bytes (size of both headers).
This worked fine for years, but at some point this broke, resulting in
data corruptions in isert when a command comes with immediate data and the
underlying backend device assumes 512 bytes buffer alignment.
We assume a hard-requirement for all direct I/O buffers to be 512 bytes
aligned. To fix this, we should avoid passing unaligned buffers for I/O.
Instead, we allocate our recv buffers with some extra space such that we
can have the data portion align to 512 byte boundary. This also means that
we cannot reference headers or data using structure but rather
accessors (as they may move based on alignment). Also, get rid of the
wrong __packed annotation from iser_rx_desc as this has only harmful
effects (not aligned to anything).
This affects the rx descriptors for iscsi login and data plane.
Fixes: 3d75ca0adef4 ("block: introduce multi-page bvec helpers")
Link: https://lore.kernel.org/r/20200904195039.31687-1-sagi@grimberg.me
Reported-by: Stephen Rust <srust@blockbridge.com>
Tested-by: Doug Dumitru <doug@dumitru.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 65ba872a6971c11ceb342c3330f059289c0e6bdb upstream.
To pick the trivial change in:
119a784c81270eb8 ("perf/core: Add a new read format to get a number of lost samples")
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20220819003644.508916-2-namhyung@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e03781879a0d524ce3126678d50a80484a513c4b upstream.
The "NET_DM" generic netlink family notifies drop locations over the
"events" multicast group. This is problematic since by default generic
netlink allows non-root users to listen to these notifications.
Fix by adding a new field to the generic netlink multicast group
structure that when set prevents non-root users or root without the
'CAP_SYS_ADMIN' capability (in the user namespace owning the network
namespace) from joining the group. Set this field for the "events"
group. Use 'CAP_SYS_ADMIN' rather than 'CAP_NET_ADMIN' because of the
nature of the information that is shared over this group.
Note that the capability check in this case will always be performed
against the initial user namespace since the family is not netns aware
and only operates in the initial network namespace.
A new field is added to the structure rather than using the "flags"
field because the existing field uses uAPI flags and it is inappropriate
to add a new uAPI flag for an internal kernel check. In net-next we can
rework the "flags" field to use internal flags and fold the new field
into it. But for now, in order to reduce the amount of changes, add a
new field.
Since the information can only be consumed by root, mark the control
plane operations that start and stop the tracing as root-only using the
'GENL_ADMIN_PERM' flag.
Tested using [1].
Before:
# capsh -- -c ./dm_repo
# capsh --drop=cap_sys_admin -- -c ./dm_repo
After:
# capsh -- -c ./dm_repo
# capsh --drop=cap_sys_admin -- -c ./dm_repo
Failed to join "events" multicast group
[1]
$ cat dm.c
#include <stdio.h>
#include <netlink/genl/ctrl.h>
#include <netlink/genl/genl.h>
#include <netlink/socket.h>
int main(int argc, char **argv)
{
struct nl_sock *sk;
int grp, err;
sk = nl_socket_alloc();
if (!sk) {
fprintf(stderr, "Failed to allocate socket\n");
return -1;
}
err = genl_connect(sk);
if (err) {
fprintf(stderr, "Failed to connect socket\n");
return err;
}
grp = genl_ctrl_resolve_grp(sk, "NET_DM", "events");
if (grp < 0) {
fprintf(stderr,
"Failed to resolve \"events\" multicast group\n");
return grp;
}
err = nl_socket_add_memberships(sk, grp, NFNLGRP_NONE);
if (err) {
fprintf(stderr, "Failed to join \"events\" multicast group\n");
return err;
}
return 0;
}
$ gcc -I/usr/include/libnl3 -lnl-3 -lnl-genl-3 -o dm_repo dm.c
Fixes: 9a8afc8d39 ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol")
Reported-by: "The UK's National Cyber Security Centre (NCSC)" <security@ncsc.gov.uk>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://lore.kernel.org/r/20231206213102.1824398-3-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is a partial backport of upstream commit 4d54cc32112d ("mptcp:
avoid lock_fast usage in accept path"). It is only a partial backport
because the patch in the link below was erroneously squash-merged into
upstream commit 4d54cc32112d ("mptcp: avoid lock_fast usage in accept
path"). Below is the original patch description from Florian Westphal:
"
genetlink sets NL_CFG_F_NONROOT_RECV for its netlink socket so anyone can
subscribe to multicast messages.
rtnetlink doesn't allow this unconditionally, rtnetlink_bind() restricts
bind requests to CAP_NET_ADMIN for a few groups.
This allows to set GENL_UNS_ADMIN_PERM flag on genl mcast groups to
mandate CAP_NET_ADMIN.
This will be used by the upcoming mptcp netlink event facility which
exposes the token (mptcp connection identifier) to userspace.
"
Link: https://lore.kernel.org/mptcp/20210213000001.379332-8-mathew.j.martineau@linux.intel.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
From: Florian Westphal <fw@strlen.de>
commit f2764bd4f6a8dffaec3e220728385d9756b3c2cb upstream.
When I added support to allow generic netlink multicast groups to be
restricted to subscribers with CAP_NET_ADMIN I was unaware that a
genl_bind implementation already existed in the past.
It was reverted due to ABBA deadlock:
1. ->netlink_bind gets called with the table lock held.
2. genetlink bind callback is invoked, it grabs the genl lock.
But when a new genl subsystem is (un)registered, these two locks are
taken in reverse order.
One solution would be to revert again and add a comment in genl
referring 1e82a62fec613, "genetlink: remove genl_bind").
This would need a second change in mptcp to not expose the raw token
value anymore, e.g. by hashing the token with a secret key so userspace
can still associate subflow events with the correct mptcp connection.
However, Paolo Abeni reminded me to double-check why the netlink table is
locked in the first place.
I can't find one. netlink_bind() is already called without this lock
when userspace joins a group via NETLINK_ADD_MEMBERSHIP setsockopt.
Same holds for the netlink_unbind operation.
Digging through the history, commit f773608026
("netlink: access nlk groups safely in netlink bind and getname")
expanded the lock scope.
commit 3a20773beeeeade ("net: netlink: cap max groups which will be considered in netlink_bind()")
... removed the nlk->ngroups access that the lock scope
extension was all about.
Reduce the lock scope again and always call ->netlink_bind without
the table lock.
The Fixes tag should be vs. the patch mentioned in the link below,
but that one got squash-merged into the patch that came earlier in the
series.
Fixes: 4d54cc32112d8d ("mptcp: avoid lock_fast usage in accept path")
Link: https://lore.kernel.org/mptcp/20210213000001.379332-8-mathew.j.martineau@linux.intel.com/T/#u
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Xin Long <lucien.xin@gmail.com>
Cc: Johannes Berg <johannes.berg@intel.com>
Cc: Sean Tranchetti <stranche@codeaurora.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d61d0ab573649789bf9eb909c89a1a193b2e3d10 upstream.
When mounting a filesystem image with a block size larger than the page
size, nilfs2 repeatedly outputs long error messages with stack traces to
the kernel log, such as the following:
getblk(): invalid block size 8192 requested
logical block size: 512
...
Call Trace:
dump_stack_lvl+0x92/0xd4
dump_stack+0xd/0x10
bdev_getblk+0x33a/0x354
__breadahead+0x11/0x80
nilfs_search_super_root+0xe2/0x704 [nilfs2]
load_nilfs+0x72/0x504 [nilfs2]
nilfs_mount+0x30f/0x518 [nilfs2]
legacy_get_tree+0x1b/0x40
vfs_get_tree+0x18/0xc4
path_mount+0x786/0xa88
__ia32_sys_mount+0x147/0x1a8
__do_fast_syscall_32+0x56/0xc8
do_fast_syscall_32+0x29/0x58
do_SYSENTER_32+0x15/0x18
entry_SYSENTER_32+0x98/0xf1
...
This overloads the system logger. And to make matters worse, it sometimes
crashes the kernel with a memory access violation.
This is because the return value of the sb_set_blocksize() call, which
should be checked for errors, is not checked.
The latter issue is due to out-of-buffer memory being accessed based on a
large block size that caused sb_set_blocksize() to fail for buffers read
with the initial minimum block size that remained unupdated in the
super_block structure.
Since nilfs2 mkfs tool does not accept block sizes larger than the system
page size, this has been overlooked. However, it is possible to create
this situation by intentionally modifying the tool or by passing a
filesystem image created on a system with a large page size to a system
with a smaller page size and mounting it.
Fix this issue by inserting the expected error handling for the call to
sb_set_blocksize().
Link: https://lkml.kernel.org/r/20231129141547.4726-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 27072b8e18a73ffeffb1c140939023915a35134b upstream.
When the CMMA state needs to be reset, the no-dat bit also needs to be
reset. Failure to do so could cause issues in the guest, since the
guest expects the bit to be cleared after a reset.
Cc: <stable@vger.kernel.org>
Reviewed-by: Nico Boehr <nrb@linux.ibm.com>
Message-ID: <20231109123624.37314-1-imbrenda@linux.ibm.com>
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9b8493dc43044376716d789d07699f17d538a7c4 upstream.
Commit in Fixes added an AMD-specific microcode callback. However, it
didn't check the CPU vendor the kernel runs on explicitly.
The only reason the Zenbleed check in it didn't run on other x86 vendors
hardware was pure coincidental luck:
if (!cpu_has_amd_erratum(c, amd_zenbleed))
return;
gives true on other vendors because they don't have those families and
models.
However, with the removal of the cpu_has_amd_erratum() in
05f5f73936fa ("x86/CPU/AMD: Drop now unused CPU erratum checking function")
that coincidental condition is gone, leading to the zenbleed check
getting executed on other vendors too.
Add the explicit vendor check for the whole callback as it should've
been done in the first place.
Fixes: 522b1d69219d ("x86/cpu/amd: Add a Zenbleed fix")
Cc: <stable@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20231201184226.16749-1-bp@alien8.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8e42c301ce64e0dcca547626eb486877d502d336 upstream.
Currently there is no support for earlycon on the AM654 UART
controller. This commit adds it.
Signed-off-by: Ronald Wahl <ronald.wahl@raritan.com>
Reviewed-by: Vignesh Raghavendra <vigneshr@ti.com>
Link: https://lore.kernel.org/r/20231031131242.15516-1-rwahl@gmx.de
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 08ce9a1b72e38cf44c300a44ac5858533eb3c860 upstream.
This device has a silicon bug that makes it report a timeout interrupt
but no data in the FIFO.
The datasheet states the following in the errata section 18.1.4:
"If the host reads the receive FIFO at the same time as a
time-out interrupt condition happens, the host might read 0xCC
(time-out) in the Interrupt Indication Register (IIR), but bit 0
of the Line Status Register (LSR) is not set (means there is no
data in the receive FIFO)."
The errata description seems to indicate it concerns only polled mode of
operation when reading bit 0 of the LSR register. However, tests have
shown and NXP has confirmed that the RXLVL register also yields 0 when
the bug is triggered, and hence the IRQ driven implementation in this
driver is equally affected.
This bug has hit us on production units and when it does, sc16is7xx_irq()
would spin forever because sc16is7xx_port_irq() keeps seeing an
interrupt in the IIR register that is not cleared because the driver
does not call into sc16is7xx_handle_rx() unless the RXLVL register
reports at least one byte in the FIFO.
Fix this by always reading one byte from the FIFO when this condition
is detected in order to clear the interrupt. This approach was
confirmed to be correct by NXP through their support channels.
Tested by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Signed-off-by: Daniel Mack <daniel@zonque.org>
Co-Developed-by: Maxim Popov <maxim.snafu@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20231123072818.1394539-1-daniel@zonque.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b17b7fe6dd5c6ff74b38b0758ca799cdbb79e26e upstream.
When typec_altmode_put_partner is called by a plug altmode upon release,
the port altmode the plug belongs to will not remove its reference to the
plug. The check to see if the altmode being released evaluates against the
released altmode's partner instead of the calling altmode itself, so change
adev in typec_altmode_put_partner to properly refer to the altmode being
released.
typec_altmode_set_partner is not run for port altmodes, so also add a check
in typec_altmode_release to prevent typec_altmode_put_partner() calls on
port altmode release.
Fixes: 8a37d87d72 ("usb: typec: Bus type for alternate modes")
Cc: stable@vger.kernel.org
Signed-off-by: RD Babiera <rdbabiera@google.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20231129192349.1773623-2-rdbabiera@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 61890dc28f7d9e9aac8a9471302613824c22fae4 upstream.
The commit 89ff3dfac604 ("usb: gadget: f_hid: fix f_hidg lifetime vs
cdev") has introduced a bug that leads to hid device corruption after
the replug operation.
Reverse device managed memory allocation for the report descriptor
to fix the issue.
Tested:
This change was tested on the AMD EthanolX CRB server with the BMC
based on the OpenBMC distribution. The BMC provides KVM functionality
via the USB gadget device:
- before: KVM page refresh results in a broken USB device,
- after: KVM page refresh works without any issues.
Fixes: 89ff3dfac604 ("usb: gadget: f_hid: fix f_hidg lifetime vs cdev")
Cc: stable@vger.kernel.org
Signed-off-by: Konstantin Aladyshev <aladyshev22@gmail.com>
Link: https://lore.kernel.org/r/20231206080744.253-2-aladyshev22@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 95dd1e34ff5bbee93a28ff3947eceaf6de811b1a ]
If gpio_set_transitory() fails, we should free the GPIO again. Most
notably, the flag FLAG_REQUESTED has previously been set in
gpiod_request_commit(), and should be reset on failure.
To my knowledge, this does not affect any current users, since the
gpio_set_transitory() mainly returns 0 and -ENOTSUPP, which is converted
to 0. However the gpio_set_transitory() function calles the .set_config()
function of the corresponding GPIO chip and there are some GPIO drivers in
which some (unlikely) branches return other values like -EPROBE_DEFER,
and -EINVAL. In these cases, the above mentioned FLAG_REQUESTED would not
be reset, which results in the pin being blocked until the next reboot.
Fixes: e10f72bf4b ("gpio: gpiolib: Generalise state persistence beyond sleep")
Signed-off-by: Boerge Struempfel <boerge.struempfel@gmail.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b ]
Budimir noted that perf_event_validate_size() only checks the size of
the newly added event, even though the sizes of all existing events
can also change due to not all events having the same read_format.
When we attach the new event, perf_group_attach(), we do re-compute
the size for all events.
Fixes: a723968c0e ("perf: Fix u16 overflows")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 119a784c81270eb88e573174ed2209225d646656 ]
Sometimes we want to know an accurate number of samples even if it's
lost. Currenlty PERF_RECORD_LOST is generated for a ring-buffer which
might be shared with other events. So it's hard to know per-event
lost count.
Add event->lost_samples field and PERF_FORMAT_LOST to retrieve it from
userspace.
Original-patch-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20220616180623.1358843-1-namhyung@kernel.org
Stable-dep-of: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit c0591b1cccf708a47bc465c62436d669a4213323 upstream.
Function trace_buffered_event_disable() is responsible for freeing pages
backing buffered events and this process can run concurrently with
trace_event_buffer_lock_reserve().
The following race is currently possible:
* Function trace_buffered_event_disable() is called on CPU 0. It
increments trace_buffered_event_cnt on each CPU and waits via
synchronize_rcu() for each user of trace_buffered_event to complete.
* After synchronize_rcu() is finished, function
trace_buffered_event_disable() has the exclusive access to
trace_buffered_event. All counters trace_buffered_event_cnt are at 1
and all pointers trace_buffered_event are still valid.
* At this point, on a different CPU 1, the execution reaches
trace_event_buffer_lock_reserve(). The function calls
preempt_disable_notrace() and only now enters an RCU read-side
critical section. The function proceeds and reads a still valid
pointer from trace_buffered_event[CPU1] into the local variable
"entry". However, it doesn't yet read trace_buffered_event_cnt[CPU1]
which happens later.
* Function trace_buffered_event_disable() continues. It frees
trace_buffered_event[CPU1] and decrements
trace_buffered_event_cnt[CPU1] back to 0.
* Function trace_event_buffer_lock_reserve() continues. It reads and
increments trace_buffered_event_cnt[CPU1] from 0 to 1. This makes it
believe that it can use the "entry" that it already obtained but the
pointer is now invalid and any access results in a use-after-free.
Fix the problem by making a second synchronize_rcu() call after all
trace_buffered_event values are set to NULL. This waits on all potential
users in trace_event_buffer_lock_reserve() that still read a previous
pointer from trace_buffered_event.
Link: https://lore.kernel.org/all/20231127151248.7232-2-petr.pavlu@suse.com/
Link: https://lkml.kernel.org/r/20231205161736.19663-4-petr.pavlu@suse.com
Cc: stable@vger.kernel.org
Fixes: 0fc1b09ff1 ("tracing: Use temp buffer when filtering events")
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7fed14f7ac9cf5e38c693836fe4a874720141845 upstream.
The following warning appears when using buffered events:
[ 203.556451] WARNING: CPU: 53 PID: 10220 at kernel/trace/ring_buffer.c:3912 ring_buffer_discard_commit+0x2eb/0x420
[...]
[ 203.670690] CPU: 53 PID: 10220 Comm: stress-ng-sysin Tainted: G E 6.7.0-rc2-default #4 56e6d0fcf5581e6e51eaaecbdaec2a2338c80f3a
[ 203.670704] Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017
[ 203.670709] RIP: 0010:ring_buffer_discard_commit+0x2eb/0x420
[ 203.735721] Code: 4c 8b 4a 50 48 8b 42 48 49 39 c1 0f 84 b3 00 00 00 49 83 e8 01 75 b1 48 8b 42 10 f0 ff 40 08 0f 0b e9 fc fe ff ff f0 ff 47 08 <0f> 0b e9 77 fd ff ff 48 8b 42 10 f0 ff 40 08 0f 0b e9 f5 fe ff ff
[ 203.735734] RSP: 0018:ffffb4ae4f7b7d80 EFLAGS: 00010202
[ 203.735745] RAX: 0000000000000000 RBX: ffffb4ae4f7b7de0 RCX: ffff8ac10662c000
[ 203.735754] RDX: ffff8ac0c750be00 RSI: ffff8ac10662c000 RDI: ffff8ac0c004d400
[ 203.781832] RBP: ffff8ac0c039cea0 R08: 0000000000000000 R09: 0000000000000000
[ 203.781839] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 203.781842] R13: ffff8ac10662c000 R14: ffff8ac0c004d400 R15: ffff8ac10662c008
[ 203.781846] FS: 00007f4cd8a67740(0000) GS:ffff8ad798880000(0000) knlGS:0000000000000000
[ 203.781851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 203.781855] CR2: 0000559766a74028 CR3: 00000001804c4000 CR4: 00000000001506f0
[ 203.781862] Call Trace:
[ 203.781870] <TASK>
[ 203.851949] trace_event_buffer_commit+0x1ea/0x250
[ 203.851967] trace_event_raw_event_sys_enter+0x83/0xe0
[ 203.851983] syscall_trace_enter.isra.0+0x182/0x1a0
[ 203.851990] do_syscall_64+0x3a/0xe0
[ 203.852075] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 203.852090] RIP: 0033:0x7f4cd870fa77
[ 203.982920] Code: 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 b8 89 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 43 0e 00 f7 d8 64 89 01 48
[ 203.982932] RSP: 002b:00007fff99717dd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000089
[ 203.982942] RAX: ffffffffffffffda RBX: 0000558ea1d7b6f0 RCX: 00007f4cd870fa77
[ 203.982948] RDX: 0000000000000000 RSI: 00007fff99717de0 RDI: 0000558ea1d7b6f0
[ 203.982957] RBP: 00007fff99717de0 R08: 00007fff997180e0 R09: 00007fff997180e0
[ 203.982962] R10: 00007fff997180e0 R11: 0000000000000246 R12: 00007fff99717f40
[ 204.049239] R13: 00007fff99718590 R14: 0000558e9f2127a8 R15: 00007fff997180b0
[ 204.049256] </TASK>
For instance, it can be triggered by running these two commands in
parallel:
$ while true; do
echo hist:key=id.syscall:val=hitcount > \
/sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger;
done
$ stress-ng --sysinfo $(nproc)
The warning indicates that the current ring_buffer_per_cpu is not in the
committing state. It happens because the active ring_buffer_event
doesn't actually come from the ring_buffer_per_cpu but is allocated from
trace_buffered_event.
The bug is in function trace_buffered_event_disable() where the
following normally happens:
* The code invokes disable_trace_buffered_event() via
smp_call_function_many() and follows it by synchronize_rcu(). This
increments the per-CPU variable trace_buffered_event_cnt on each
target CPU and grants trace_buffered_event_disable() the exclusive
access to the per-CPU variable trace_buffered_event.
* Maintenance is performed on trace_buffered_event, all per-CPU event
buffers get freed.
* The code invokes enable_trace_buffered_event() via
smp_call_function_many(). This decrements trace_buffered_event_cnt and
releases the access to trace_buffered_event.
A problem is that smp_call_function_many() runs a given function on all
target CPUs except on the current one. The following can then occur:
* Task X executing trace_buffered_event_disable() runs on CPU 0.
* The control reaches synchronize_rcu() and the task gets rescheduled on
another CPU 1.
* The RCU synchronization finishes. At this point,
trace_buffered_event_disable() has the exclusive access to all
trace_buffered_event variables except trace_buffered_event[CPU0]
because trace_buffered_event_cnt[CPU0] is never incremented and if the
buffer is currently unused, remains set to 0.
* A different task Y is scheduled on CPU 0 and hits a trace event. The
code in trace_event_buffer_lock_reserve() sees that
trace_buffered_event_cnt[CPU0] is set to 0 and decides the use the
buffer provided by trace_buffered_event[CPU0].
* Task X continues its execution in trace_buffered_event_disable(). The
code incorrectly frees the event buffer pointed by
trace_buffered_event[CPU0] and resets the variable to NULL.
* Task Y writes event data to the now freed buffer and later detects the
created inconsistency.
The issue is observable since commit dea499781a11 ("tracing: Fix warning
in trace_buffered_event_disable()") which moved the call of
trace_buffered_event_disable() in __ftrace_event_enable_disable()
earlier, prior to invoking call->class->reg(.. TRACE_REG_UNREGISTER ..).
The underlying problem in trace_buffered_event_disable() is however
present since the original implementation in commit 0fc1b09ff1
("tracing: Use temp buffer when filtering events").
Fix the problem by replacing the two smp_call_function_many() calls with
on_each_cpu_mask() which invokes a given callback on all CPUs.
Link: https://lore.kernel.org/all/20231127151248.7232-2-petr.pavlu@suse.com/
Link: https://lkml.kernel.org/r/20231205161736.19663-2-petr.pavlu@suse.com
Cc: stable@vger.kernel.org
Fixes: 0fc1b09ff1 ("tracing: Use temp buffer when filtering events")
Fixes: dea499781a11 ("tracing: Fix warning in trace_buffered_event_disable()")
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7be76461f302ec05cbd62b90b2a05c64299ca01f upstream.
It use to be that only the top level instance had a snapshot buffer (for
latency tracers like wakeup and irqsoff). The update of the ring buffer
size would check if the instance was the top level and if so, it would
also update the snapshot buffer as it needs to be the same as the main
buffer.
Now that lower level instances also has a snapshot buffer, they too need
to update their snapshot buffer sizes when the main buffer is changed,
otherwise the following can be triggered:
# cd /sys/kernel/tracing
# echo 1500 > buffer_size_kb
# mkdir instances/foo
# echo irqsoff > instances/foo/current_tracer
# echo 1000 > instances/foo/buffer_size_kb
Produces:
WARNING: CPU: 2 PID: 856 at kernel/trace/trace.c:1938 update_max_tr_single.part.0+0x27d/0x320
Which is:
ret = ring_buffer_swap_cpu(tr->max_buffer.buffer, tr->array_buffer.buffer, cpu);
if (ret == -EBUSY) {
[..]
}
WARN_ON_ONCE(ret && ret != -EAGAIN && ret != -EBUSY); <== here
That's because ring_buffer_swap_cpu() has:
int ret = -EINVAL;
[..]
/* At least make sure the two buffers are somewhat the same */
if (cpu_buffer_a->nr_pages != cpu_buffer_b->nr_pages)
goto out;
[..]
out:
return ret;
}
Instead, update all instances' snapshot buffer sizes when their main
buffer size is updated.
Link: https://lkml.kernel.org/r/20231205220010.454662151@goodmis.org
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Fixes: 6d9b3fa5e7 ("tracing: Move tracing_max_latency into trace_array")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 675abf8df1353e0e3bde314993e0796c524cfbf0 upstream.
If nilfs2 reads a disk image with corrupted segment usage metadata, and
its segment usage information is marked as an error for the segment at the
write location, nilfs_sufile_set_segment_usage() can trigger WARN_ONs
during log writing.
Segments newly allocated for writing with nilfs_sufile_alloc() will not
have this error flag set, but this unexpected situation will occur if the
segment indexed by either nilfs->ns_segnum or nilfs->ns_nextnum (active
segment) was marked in error.
Fix this issue by inserting a sanity check to treat it as a file system
corruption.
Since error returns are not allowed during the execution phase where
nilfs_sufile_set_segment_usage() is used, this inserts the sanity check
into nilfs_sufile_mark_dirty() which pre-reads the buffer containing the
segment usage record to be updated and sets it up in a dirty state for
writing.
In addition, nilfs_sufile_set_segment_usage() is also called when
canceling log writing and undoing segment usage update, so in order to
avoid issuing the same kernel warning in that case, in case of
cancellation, avoid checking the error flag in
nilfs_sufile_set_segment_usage().
Link: https://lkml.kernel.org/r/20231205085947.4431-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+14e9f834f6ddecece094@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=14e9f834f6ddecece094
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit db3fadacaf0c817b222090290d06ca2a338422d0 upstream.
In some potential instances the reference count on struct packet_sock
could be saturated and cause overflows which gets the kernel a bit
confused. To prevent this, move to a 64-bit atomic reference count on
64-bit architectures to prevent the possibility of this type to overflow.
Because we can not handle saturation, using refcount_t is not possible
in this place. Maybe someday in the future if it changes it could be
used. Also, instead of using plain atomic64_t, use atomic_long_t instead.
32-bit machines tend to be memory-limited (i.e. anything that increases
a reference uses so much memory that you can't actually get to 2**32
references). 32-bit architectures also tend to have serious problems
with 64-bit atomics. Hence, atomic_long_t is the more natural solution.
Reported-by: "The UK's National Cyber Security Centre (NCSC)" <security@ncsc.gov.uk>
Co-developed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@kernel.org
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20231201131021.19999-1-daniel@iogearbox.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1c2b1049af3f86545fcc5fae0fc725fb64b3a09e ]
devm_kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure. Ensure the allocation was successful
by checking the pointer validity.
Release the id allocated in 'mmdc_pmu_init' when 'devm_kasprintf'
return NULL
Suggested-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Fixes: e76bdfd740 ("ARM: imx: Added perf functionality to mmdc driver")
Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 235f2b548d7f4ac5931d834f05d3f7f5166a2e72 ]
When an error occurs in the for loop of beiscsi_init_wrb_handle(), we
should free phwi_ctxt->be_wrbq before returning an error code to prevent
potential memleak.
Fixes: a7909b396b ("[SCSI] be2iscsi: Fix dynamic CID allocation Mechanism in driver")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Link: https://lore.kernel.org/r/20231123081941.24854-1-dinghao.liu@zju.edu.cn
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 34209fe83ef8404353f91ab4ea4035dbc9922d04 ]
Function trace_buffered_event_disable() produces an unexpected warning
when the previous call to trace_buffered_event_enable() fails to
allocate pages for buffered events.
The situation can occur as follows:
* The counter trace_buffered_event_ref is at 0.
* The soft mode gets enabled for some event and
trace_buffered_event_enable() is called. The function increments
trace_buffered_event_ref to 1 and starts allocating event pages.
* The allocation fails for some page and trace_buffered_event_disable()
is called for cleanup.
* Function trace_buffered_event_disable() decrements
trace_buffered_event_ref back to 0, recognizes that it was the last
use of buffered events and frees all allocated pages.
* The control goes back to trace_buffered_event_enable() which returns.
The caller of trace_buffered_event_enable() has no information that
the function actually failed.
* Some time later, the soft mode is disabled for the same event.
Function trace_buffered_event_disable() is called. It warns on
"WARN_ON_ONCE(!trace_buffered_event_ref)" and returns.
Buffered events are just an optimization and can handle failures. Make
trace_buffered_event_enable() exit on the first failure and left any
cleanup later to when trace_buffered_event_disable() is called.
Link: https://lore.kernel.org/all/20231127151248.7232-2-petr.pavlu@suse.com/
Link: https://lkml.kernel.org/r/20231205161736.19663-3-petr.pavlu@suse.com
Fixes: 0fc1b09ff1 ("tracing: Use temp buffer when filtering events")
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 1fefca6c57fb928d2131ff365270cbf863d89c88 ]
The ACPI specification says:
"If an error occurs while obtaining the meter reading or if the value
is not available then an Integer with all bits set is returned"
Since the "integer" is 32 bits in case of the ACPI power meter,
userspace will get a power reading of 2^32 * 1000 miliwatts (~4.29 MW)
in case of such an error. This was discovered due to a lm_sensors
bugreport (https://github.com/lm-sensors/lm-sensors/issues/460).
Fix this by returning -ENODATA instead.
Tested-by: <urbinek@gmail.com>
Fixes: de584afa5e ("hwmon driver for ACPI 4.0 power meters")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://lore.kernel.org/r/20231124182747.13956-1-W_Armin@gmx.de
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 422b19f7f006e813ee0865aadce6a62b3c263c42 ]
The word "Driver" is repeated twice in the "modinfo bnxt_re"
output description. Fix it.
Fixes: 1ac5a40479 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Link: https://lore.kernel.org/r/1700555387-6277-1-git-send-email-selvin.xavier@broadcom.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27 ]
This patch is based on a detailed report and ideas from Yepeng Pan
and Christian Rossow.
ACK seq validation is currently following RFC 5961 5.2 guidelines:
The ACK value is considered acceptable only if
it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
SND.NXT). All incoming segments whose ACK value doesn't satisfy the
above condition MUST be discarded and an ACK sent back. It needs to
be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a
duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK
acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an
ACK, drop the segment, and return". The "ignored" above implies that
the processing of the incoming data segment continues, which means
the ACK value is treated as acceptable. This mitigation makes the
ACK check more stringent since any ACK < SND.UNA wouldn't be
accepted, instead only ACKs that are in the range ((SND.UNA -
MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.
This can be refined for new (and possibly spoofed) flows,
by not accepting ACK for bytes that were never sent.
This greatly improves TCP security at a little cost.
I added a Fixes: tag to make sure this patch will reach stable trees,
even if the 'blamed' patch was adhering to the RFC.
tp->bytes_acked was added in linux-4.2
Following packetdrill test (courtesy of Yepeng Pan) shows
the issue at hand:
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1024) = 0
// ---------------- Handshake ------------------- //
// when window scale is set to 14 the window size can be extended to
// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet
// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)
// ,though this ack number acknowledges some data never
// sent by the server.
+0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14>
+0 > S. 0:0(0) ack 1 <...>
+0 < . 1:1(0) ack 1 win 65535
+0 accept(3, ..., ...) = 4
// For the established connection, we send an ACK packet,
// the ack packet uses ack number 1 - 1073725300 + 2^32,
// where 2^32 is used to wrap around.
// Note: we used 1073725300 instead of 1073725440 to avoid possible
// edge cases.
// 1 - 1073725300 + 2^32 = 3221241997
// Oops, old kernels happily accept this packet.
+0 < . 1:1001(1000) ack 3221241997 win 65535
// After the kernel fix the following will be replaced by a challenge ACK,
// and prior malicious frame would be dropped.
+0 > . 1:1(0) ack 1001
Fixes: 354e4aa391 ("tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Yepeng Pan <yepeng.pan@cispa.de>
Reported-by: Christian Rossow <rossow@cispa.de>
Acked-by: Neal Cardwell <ncardwell@google.com>
Link: https://lore.kernel.org/r/20231205161841.2702925-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 7ae836a3d630e146b732fe8ef7d86b243748751f ]
A concurrently running sock_orphan() may NULL the sk_socket pointer in
between check and deref. Follow other users (like nft_meta.c for
instance) and acquire sk_callback_lock before dereferencing sk_socket.
Fixes: 0265ab44ba ("[NETFILTER]: merge ipt_owner/ip6t_owner in xt_owner")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit ea6cc2fd8a2b89ab6dcd096ba6dbc1ecbdf26564 ]
The XT_OWNER_SUPPL_GROUPS flag causes GIDs specified with XT_OWNER_GID
to be also checked in the supplementary groups of a process.
f_cred->group_info cannot be modified during its lifetime and f_cred
holds a reference to it so it's safe to use.
Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 7ae836a3d630 ("netfilter: xt_owner: Fix for unsafe access of sk->sk_socket")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f708aba40f9c1eeb9c7e93ed4863b5f85b09b288 ]
If a xge port just connect with an optical module and no fiber,
it may have a fake link up because there may be interference on
the hardware. This patch adds an anti-shake to avoid the problem.
And the time of anti-shake is base on tests.
Fixes: b917078c1c ("net: hns: Add ACPI support to check SFP present")
Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Greg Kroah-Hartman
Treehugger Robot
Lee Jones
Michael Bestas
ziqic
Greg Kroah-Hartman
Mukesh Ojha
Sagi Grimberg
Namhyung Kim
Ido Schimmel
Ryusuke Konishi
Claudio Imbrenda
Borislav Petkov (AMD)
Ronald Wahl
Daniel Mack
RD Babiera
Cameron Williams
Konstantin Aladyshev
Boerge Struempfel
Peter Zijlstra
Petr Pavlu
Steven Rostedt (Google)
Daniel Borkmann
Jason Zhang
Philipp Zabel
Anson Huang
Kunwu Chan
Dinghao Liu
Armin Wolf
Kalesh AP
Eric Dumazet
Phil Sutter
Lukasz Pawelczyk
Yonglong Liu