mirror of
https://github.com/hardkernel/linux.git
synced 2026-06-10 04:48:04 +09:00
3b2e004494de3fa54fffaf220eeb1512cc49dada
1165241 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
bd403f3989 |
wifi: mac80211: correctly parse Spatial Reuse Parameter Set element
[ Upstream commit a26d8dc5227f449a54518a8b40733a54c6600a8b ]
Currently, the way of parsing Spatial Reuse Parameter Set element is
incorrect and some members of struct ieee80211_he_obss_pd are not assigned.
To address this issue, it must be parsed in the order of the elements of
Spatial Reuse Parameter Set defined in the IEEE Std 802.11ax specification.
The diagram of the Spatial Reuse Parameter Set element (IEEE Std 802.11ax-2021-9.4.2.252).
-------------------------------------------------------------------------
|       |      |         |       |Non-SRG|  SRG  |  SRG  | SRG  |  SRG  |
|Element|Length| Element |  SR   |OBSS PD|OBSS PD|OBSS PD| BSS  |Partial|
|  ID   |      |   ID    |Control|  Max  |  Min  |  Max  |Color | BSSID |
|       |      |Extension|       |Offset |Offset |Offset |Bitmap|Bitmap |
-------------------------------------------------------------------------
Fixes:
|
||
|
|
a8bc8276af |
wifi: iwlwifi: mvm: don't read past the mfuart notifcation
[ Upstream commit 4bb95f4535489ed830cf9b34b0a891e384d1aee4 ]
In case the firmware sends a notification that claims it has more data
than it has, we will read past what was allocated for the notification.
Remove the print of the buffer, we won't see it by default. If needed,
we can see the content with tracing.
This was reported by KFENCE.
Fixes:
|
||
|
|
9e719ae3ab |
wifi: iwlwifi: mvm: check n_ssids before accessing the ssids
[ Upstream commit 60d62757df30b74bf397a2847a6db7385c6ee281 ]
In some versions of cfg80211, the ssids pointer might be a valid one even
though n_ssids is 0. Accessing the pointer in this case will cause an
out-of-bound access. Fix this by checking n_ssids first.
Fixes:
|
||
|
|
ca4c230788 |
wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef
[ Upstream commit 87821b67dea87addbc4ab093ba752753b002176a ]
The driver should call iwl_dbg_tlv_free even if debugfs is not defined
since ini mode does not depend on debugfs ifdef.
Fixes:
|
||
|
|
8014a7dbbf |
wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
[ Upstream commit 4a7aace2899711592327463c1a29ffee44fcc66e ]
We don't actually support >64 even for HE devices, so revert
back to 64. This fixes an issue where the session is refused
because the queue is configured differently from the actual
session later.
Fixes:
|
||
|
|
a5c20830fb |
wifi: cfg80211: pmsr: use correct nla_get_uX functions
[ Upstream commit ab904521f4de52fef4f179d2dfc1877645ef5f5c ] The commit |
||
|
|
6d540b0317 |
wifi: cfg80211: Lock wiphy in cfg80211_get_station
[ Upstream commit 642f89daa34567d02f312d03e41523a894906dae ]
Wiphy should be locked before calling rdev_get_station() (see lockdep
assert in ieee80211_get_station()).
This fixes the following kernel NULL dereference:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000
[0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] SMP
Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath
CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705
Hardware name: RPT (r1) (DT)
Workqueue: bat_events batadv_v_elp_throughput_metric_update
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
lr : sta_set_sinfo+0xcc/0xbd4
sp : ffff000007b43ad0
x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98
x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000
x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc
x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000
x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d
x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e
x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000
x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000
x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90
x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000
Call trace:
ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
sta_set_sinfo+0xcc/0xbd4
ieee80211_get_station+0x2c/0x44
cfg80211_get_station+0x80/0x154
batadv_v_elp_get_throughput+0x138/0x1fc
batadv_v_elp_throughput_metric_update+0x1c/0xa4
process_one_work+0x1ec/0x414
worker_thread+0x70/0x46c
kthread+0xdc/0xe0
ret_from_fork+0x10/0x20
Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)
This happens because STA has time to disconnect and reconnect before
batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In
this situation, ath10k_sta_state() can be in the middle of resetting
arsta data when the work queue gets a chance to be scheduled and ends up
accessing it. Locking wiphy prevents that.
Fixes:
|
||
|
|
96c950d6b0 |
wifi: cfg80211: fully move wiphy work to unbound workqueue
[ Upstream commit e296c95eac655008d5a709b8cf54d0018da1c916 ]
Previously I had moved the wiphy work to the unbound
system workqueue, but missed that when it restarts and
during resume it was still using the normal system
workqueue. Fix that.
Fixes:
|
||
|
|
9c49b58b9a |
wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
[ Upstream commit 44c06bbde6443de206b30f513100b5670b23fc5e ]
The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
synchronize with ieee80211_tx_h_unicast_ps_buf() which is called from
softirq context. However using only spin_lock() to get sta->ps_lock in
ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
take this same lock ending in deadlock. Below is an example of rcu stall
that arises in such situation.
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)
CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742
Hardware name: RPT (r1) (DT)
pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : queued_spin_lock_slowpath+0x58/0x2d0
lr : invoke_tx_handlers_early+0x5b4/0x5c0
sp : ffff00001ef64660
x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
Call trace:
queued_spin_lock_slowpath+0x58/0x2d0
ieee80211_tx+0x80/0x12c
ieee80211_tx_pending+0x110/0x278
tasklet_action_common.constprop.0+0x10c/0x144
tasklet_action+0x20/0x28
_stext+0x11c/0x284
____do_softirq+0xc/0x14
call_on_irq_stack+0x24/0x34
do_softirq_own_stack+0x18/0x20
do_softirq+0x74/0x7c
__local_bh_enable_ip+0xa0/0xa4
_ieee80211_wake_txqs+0x3b0/0x4b8
__ieee80211_wake_queue+0x12c/0x168
ieee80211_add_pending_skbs+0xec/0x138
ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
ieee80211_mps_sta_status_update+0x18/0x24
sta_apply_parameters+0x3bc/0x4c0
ieee80211_change_station+0x1b8/0x2dc
nl80211_set_station+0x444/0x49c
genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
genl_rcv_msg+0x1b0/0x244
netlink_rcv_skb+0x38/0x10c
genl_rcv+0x34/0x48
netlink_unicast+0x254/0x2bc
netlink_sendmsg+0x190/0x3b4
____sys_sendmsg+0x1e8/0x218
___sys_sendmsg+0x68/0x8c
__sys_sendmsg+0x44/0x84
__arm64_sys_sendmsg+0x20/0x28
do_el0_svc+0x6c/0xe8
el0_svc+0x14/0x48
el0t_64_sync_handler+0xb0/0xb4
el0t_64_sync+0x14c/0x150
Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
on the same CPU that is holding the lock.
Fixes:
|
||
|
|
617dadbfb2 |
wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
[ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ]
The hwmp code uses objects of type mesh_preq_queue, added to a list in
ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath
gets deleted, e.g. the mesh interface is removed, the entries in that list will
never get cleaned. Fix this by flushing all corresponding items of the
preq_queue in mesh_path_flush_pending().
This should take care of KASAN reports like this:
unreferenced object 0xffff00000668d800 (size 128):
comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s)
hex dump (first 32 bytes):
00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....
8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........
backtrace:
[<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
[<00000000049bd418>] kmalloc_trace+0x34/0x80
[<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
[<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
[<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
[<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
[<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
[<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
[<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
[<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
[<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
[<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
[<00000000b36425d1>] worker_thread+0x9c/0x634
[<0000000005852dd5>] kthread+0x1bc/0x1c4
[<000000005fccd770>] ret_from_fork+0x10/0x20
unreferenced object 0xffff000009051f00 (size 128):
comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s)
hex dump (first 32 bytes):
90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....
36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....
backtrace:
[<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
[<00000000049bd418>] kmalloc_trace+0x34/0x80
[<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
[<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
[<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
[<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
[<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
[<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
[<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
[<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
[<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
[<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
[<00000000b36425d1>] worker_thread+0x9c/0x634
[<0000000005852dd5>] kthread+0x1bc/0x1c4
[<000000005fccd770>] ret_from_fork+0x10/0x20
Fixes:
|
||
|
|
c034535679 |
Revert "macsec: Enable devices to advertise whether they update sk_buff md_dst during offloads"
This reverts commit
|
||
|
|
35df421fc4 |
Revert "macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst"
This reverts commit
|
||
|
|
f17db53dd9 |
Revert "net/mlx5e: Advertise mlx5 ethernet driver updates sk_buff md_dst for MACsec"
This reverts commit
|
||
|
|
62184d7812 |
Merge 6.1.90 into android14-6.1-lts
Changes in 6.1.90
smb: client: fix rename(2) regression against samba
cifs: reinstate original behavior again for forceuid/forcegid
HID: intel-ish-hid: ipc: Fix dev_err usage with uninitialized dev->devc
HID: logitech-dj: allow mice to use all types of reports
arm64: dts: rockchip: set PHY address of MT7531 switch to 0x1f
arm64: dts: rockchip: enable internal pull-up on Q7_USB_ID for RK3399 Puma
arm64: dts: rockchip: fix alphabetical ordering RK3399 puma
arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma
arm64: dts: rockchip: Remove unsupported node from the Pinebook Pro dts
arm64: dts: mediatek: mt8183: Add power-domains properity to mfgcfg
arm64: dts: mediatek: mt8192: Add missing gce-client-reg to mutex
arm64: dts: mediatek: mt8195: Add missing gce-client-reg to vpp/vdosys
arm64: dts: mediatek: mt8195: Add missing gce-client-reg to mutex
arm64: dts: mediatek: mt8192-asurada: Update min voltage constraint for MT6315
arm64: dts: mediatek: mt8195-cherry: Update min voltage constraint for MT6315
arm64: dts: mediatek: mt7622: fix clock controllers
arm64: dts: mediatek: mt7622: fix IR nodename
arm64: dts: mediatek: mt7622: fix ethernet controller "compatible"
arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block
arm64: dts: mediatek: mt2712: fix validation errors
arm64: dts: rockchip: regulator for sd needs to be always on for BPI-R2Pro
ARC: [plat-hsdk]: Remove misplaced interrupt-cells property
wifi: iwlwifi: mvm: remove old PASN station when adding a new one
wifi: iwlwifi: mvm: return uid from iwl_mvm_build_scan_cmd
vxlan: drop packets from invalid src-address
mlxsw: core: Unregister EMAD trap using FORWARD action
ARM: dts: microchip: at91-sama7g5ek: Replace regulator-suspend-voltage with the valid property
icmp: prevent possible NULL dereferences from icmp_build_probe()
bridge/br_netlink.c: no need to return void function
bnxt_en: refactor reset close code
bnxt_en: Fix the PCI-AER routines
NFC: trf7970a: disable all regulators on removal
ax25: Fix netdev refcount issue
net: make SK_MEMORY_PCPU_RESERV tunable
net: fix sk_memory_allocated_{add|sub} vs softirqs
ipv4: check for NULL idev in ip_route_use_hint()
net: usb: ax88179_178a: stop lying about skb->truesize
net: gtp: Fix Use-After-Free in gtp_dellink
Bluetooth: MGMT: Fix failing to MGMT_OP_ADD_UUID/MGMT_OP_REMOVE_UUID
Bluetooth: hci_sync: Using hci_cmd_sync_submit when removing Adv Monitor
Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional()
ipvs: Fix checksumming on GSO of SCTP packets
net: openvswitch: Fix Use-After-Free in ovs_ct_exit
mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
mlxsw: spectrum_acl_tcam: Rate limit error message
mlxsw: spectrum_acl_tcam: Fix memory leak during rehash
mlxsw: spectrum_acl_tcam: Fix warning during rehash
mlxsw: spectrum_acl_tcam: Fix incorrect list API usage
mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work
eth: bnxt: fix counting packets discarded due to OOM and netpoll
netfilter: nf_tables: honor table dormant flag from netdev release event path
i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
i40e: Report MFS in decimal base instead of hex
iavf: Fix TC config comparison with existing adapter TC config
net: ethernet: ti: am65-cpts: Fix PTPv1 message type on TX packets
af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().
cifs: Replace remaining 1-element arrays
Revert "crypto: api - Disallow identical driver names"
virtio_net: Do not send RSS key if it is not supported
fork: defer linking file vma until vma is fully initialized
x86/cpu: Fix check for RDPKRU in __show_regs()
rust: don't select CONSTRUCTORS
rust: make mutually exclusive with CFI_CLANG
Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853
Bluetooth: qca: fix NULL-deref on non-serdev suspend
mmc: sdhci-msm: pervent access to suspended controller
smb: client: Fix struct_group() usage in __packed structs
smb3: fix lock ordering potential deadlock in cifs_sync_mid_result
HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
cpu: Re-enable CPU mitigations by default for !X86 architectures
LoongArch: Fix callchain parse error with kernel tracepoint events
LoongArch: Fix access error when read fault on a write-only VMA
arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3
drm/amdgpu: Fix leak when GPU memory allocation fails
irqchip/gic-v3-its: Prevent double free on error
ACPI: CPPC: Use access_width over bit_width for system memory accesses
ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro
ACPI: CPPC: Fix access width used for PCC registers
ethernet: Add helper for assigning packet type when dest address does not match device address
net: b44: set pause params only when interface is up
stackdepot: respect __GFP_NOLOCKDEP allocation flag
fbdev: fix incorrect address computation in deferred IO
udp: preserve the connected status if only UDP cmsg
mtd: diskonchip: work around ubsan link failure
rust: remove `params` from `module` macro example
x86/tdx: Preserve shared bit on mprotect()
dmaengine: owl: fix register access functions
dmaengine: tegra186: Fix residual calculation
idma64: Don't try to serve interrupts when device is powered off
phy: marvell: a3700-comphy: Fix out of bounds read
phy: marvell: a3700-comphy: Fix hardcoded array size
phy: freescale: imx8m-pcie: Refine i.MX8MM PCIe PHY driver
phy: freescale: imx8m-pcie: fix pcie link-up instability
phy: rockchip-snps-pcie3: fix bifurcation on rk3588
phy: rockchip-snps-pcie3: fix clearing PHP_GRF_PCIESEL_CON bits
dma: xilinx_dpdma: Fix locking
dmaengine: idxd: Fix oops during rmmod on single-CPU platforms
riscv: fix VMALLOC_START definition
riscv: Fix TASK_SIZE on 64-bit NOMMU
phy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered
i2c: smbus: fix NULL function pointer dereference
bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
macsec: Enable devices to advertise whether they update sk_buff md_dst during offloads
macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
net/mlx5e: Advertise mlx5 ethernet driver updates sk_buff md_dst for MACsec
Linux 6.1.90
Change-Id: I219f777f40437540b268e077abe7b78b69e31cf5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
|
beb491c1c2 |
Merge 6.1.89 into android14-6.1-lts
Changes in 6.1.89
Revert "ASoC: ti: Convert Pandora ASoC to GPIO descriptors"
Linux 6.1.89
Change-Id: I63d6feedaca8c7f9263ee59a551e9ef158a43f26
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
|
3b75c4ca77 |
ANDROID: update .stg for change to struct clk_core
In commit |
||
|
|
077eb0a09d |
Revert "usb: xhci: Add timeout argument in address_device USB HCD callback"
This reverts commit
|
||
|
|
1a72e2f692 |
ANDROID: GKI: update symbol list file for xiaomi
1 function symbol(s) added
'struct folio* __filemap_get_folio(struct address_space*, unsigned long, int, gfp_t)'
Bug: 348207246
Change-Id: Ic2e06000526b4274496c3a4c931f18397c7cc682
Signed-off-by: sunshijie <sunshijie@xiaomi.corp-partner.google.com>
|
||
|
|
cd89d4fa07 |
ANDROID: GKI: Update symbol list for vivo
update vivo symbol list for adding hooks for fuse request
2 function symbol(s) added
'int __traceiter_android_vh_fuse_request_end(void*, struct task_struct*)'
'int __traceiter_android_vh_queue_request_and_unlock(void*, struct wait_queue_head*, bool)'
2 variable symbol(s) added
'struct tracepoint __tracepoint_android_vh_fuse_request_end'
'struct tracepoint __tracepoint_android_vh_queue_request_and_unlock'
Bug: 348109269
Change-Id: I8d2b08b7afbca85f4b766bbe658005aa740b6285
Signed-off-by: liliangliang <liliangliang@vivo.com>
|
||
|
|
40f3c9d658 |
ANDROID: vendor_hooks: add vendor hooks for fuse request
Add hooks to fuse queue request and request end so we can do boost to
those background tasks which block the UX related task.
Bug: 333220630
Change-Id: I9be59ed88675c5102c57ba9cbd26cf4df3d2fd7f
Signed-off-by: liliangliang <liliangliang@vivo.com>
(cherry picked from commit e520c2932df0d1bbf83ae45c82ac01fd41655d77)
|
||
|
|
f9840ee562 |
ANDROID: Update the ABI symbol list
Adding the following symbols:
- dev_pm_opp_remove_all_dynamic
- devm_devfreq_add_device
- devm_devfreq_remove_device
Bug: 347848156
Change-Id: I917b23e4a3d84e7779e4443aa7ee450d44cf4585
Signed-off-by: nischaljain <nischaljain@google.com>
|
||
|
|
992f4a2013 |
Merge 6.1.88 into android14-6.1-lts
Changes in 6.1.88
drm/vmwgfx: Enable DMA mappings with SEV
drm/amdgpu: fix incorrect active rb bitmap for gfx11
drm/amdgpu: fix incorrect number of active RBs for gfx11
drm/amd/display: Do not recursively call manual trigger programming
io_uring: Fix io_cqring_wait() not restoring sigmask on get_timespec64() failure
SUNRPC: Fix rpcgss_context trace event acceptor field
selftests/ftrace: Limit length in subsystem-enable tests
random: handle creditable entropy from atomic process context
net: usb: ax88179_178a: avoid writing the mac address before first reading
drm/i915/vma: Fix UAF on destroy against retire race
x86/efi: Drop EFI stub .bss from .data section
x86/efi: Disregard setup header of loaded image
x86/efistub: Reinstate soft limit for initrd loading
x86/efi: Drop alignment flags from PE section headers
x86/boot: Remove the 'bugger off' message
x86/boot: Omit compression buffer from PE/COFF image memory footprint
x86/boot: Drop redundant code setting the root device
x86/boot: Drop references to startup_64
x86/boot: Grab kernel_info offset from zoffset header directly
x86/boot: Set EFI handover offset directly in header asm
x86/boot: Define setup size in linker script
x86/boot: Derive file size from _edata symbol
x86/boot: Construct PE/COFF .text section from assembler
x86/boot: Drop PE/COFF .reloc section
x86/boot: Split off PE/COFF .data section
x86/boot: Increase section and file alignment to 4k/512
x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section
x86/mm: Remove P*D_PAGE_MASK and P*D_PAGE_SIZE macros
x86/head/64: Add missing __head annotation to startup_64_load_idt()
x86/head/64: Move the __head definition to <asm/init.h>
x86/sme: Move early SME kernel encryption handling into .head.text
x86/sev: Move early startup code into .head.text section
x86/efistub: Remap kernel text read-only before dropping NX attribute
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
netfilter: br_netfilter: skip conntrack input hook for promisc packets
netfilter: nft_set_pipapo: do not free live element
netfilter: flowtable: validate pppoe header
netfilter: flowtable: incorrect pppoe tuple
af_unix: Call manage_oob() for every skb in unix_stream_read_generic().
af_unix: Don't peek OOB data without MSG_OOB.
net/mlx5: Lag, restore buckets number to default after hash LAG deactivation
net/mlx5e: Prevent deadlock while disabling aRFS
ice: tc: allow zero flags in parsing tc flower
tun: limit printing rate when illegal packet received by tun dev
net: dsa: mt7530: fix mirroring frames received on local port
net: ethernet: ti: am65-cpsw-nuss: cleanup DMA Channels before using them
RDMA/rxe: Fix the problem "mutex_destroy missing"
RDMA/cm: Print the old state when cm_destroy_id gets timeout
RDMA/mlx5: Fix port number for counter query in multi-port configuration
s390/qdio: handle deferred cc1
s390/cio: fix race condition during online processing
drm: nv04: Fix out of bounds access
drm/panel: visionox-rm69299: don't unregister DSI device
ARM: omap2: n8x0: stop instantiating codec platform data
PCI: Avoid FLR for SolidRun SNET DPU rev 1
HID: kye: Sort kye devices
usb: pci-quirks: Reduce the length of a spinlock section in usb_amd_find_chipset_info()
PCI: Delay after FLR of Solidigm P44 Pro NVMe
x86/quirks: Include linux/pnp.h for arch_pnpbios_disabled()
thunderbolt: Log function name of the called quirk
thunderbolt: Add debug log for link controller power quirk
PCI: Execute quirk_enable_clear_retrain_link() earlier
PCI: switchtec: Use normal comment style
PCI: switchtec: Add support for PCIe Gen5 devices
ALSA: scarlett2: Move USB IDs out from device_info struct
ALSA: scarlett2: Add support for Clarett 8Pre USB
ASoC: ti: Convert Pandora ASoC to GPIO descriptors
ALSA: scarlett2: Default mixer driver to enabled
ALSA: scarlett2: Add correct product series name to messages
ALSA: scarlett2: Add Focusrite Clarett+ 2Pre and 4Pre support
ALSA: scarlett2: Add Focusrite Clarett 2Pre and 4Pre USB support
PCI/DPC: Use FIELD_GET()
PCI: Simplify pcie_capability_clear_and_set_word() to ..._clear_word()
ALSA: scarlett2: Rename scarlett_gen2 to scarlett2
drm: panel-orientation-quirks: Add quirk for Lenovo Legion Go
usb: xhci: Add timeout argument in address_device USB HCD callback
usb: new quirk to reduce the SET_ADDRESS request timeout
clk: Remove prepare_lock hold assertion in __clk_release()
clk: Print an info line before disabling unused clocks
clk: Initialize struct clk_core kref earlier
clk: Get runtime PM before walking tree during disable_unused
clk: remove unnecessary (void*) conversions
clk: Show active consumers of clocks in debugfs
clk: Get runtime PM before walking tree for clk_summary
clk: mediatek: mt8192: Correctly unregister and free clocks on failure
clk: mediatek: mt8192: Propagate struct device for gate clocks
clk: mediatek: clk-gate: Propagate struct device with mtk_clk_register_gates()
clk: mediatek: clk-mtk: Propagate struct device for composites
clk: mediatek: clk-mux: Propagate struct device for mtk-mux
clk: mediatek: clk-mtk: Extend mtk_clk_simple_probe()
clk: mediatek: Do a runtime PM get on controllers during probe
x86/bugs: Fix BHI retpoline check
x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ
ALSA: hda/realtek - Enable audio jacks of Haier Boyue G42 with ALC269VC
binder: check offset alignment in binder_get_object()
thunderbolt: Avoid notify PM core about runtime PM resume
thunderbolt: Fix wake configurations after device unplug
comedi: vmk80xx: fix incomplete endpoint checking
serial: mxs-auart: add spinlock around changing cts state
serial/pmac_zilog: Remove flawed mitigation for rx irq flood
serial: stm32: Return IRQ_NONE in the ISR if no handling happend
serial: stm32: Reset .throttled state in .startup()
USB: serial: option: add Fibocom FM135-GL variants
USB: serial: option: add support for Fibocom FM650/FG650
USB: serial: option: add Lonsung U8300/U9300 product
USB: serial: option: support Quectel EM060K sub-models
USB: serial: option: add Rolling RW101-GL and RW135-GL support
USB: serial: option: add Telit FN920C04 rmnet compositions
Revert "usb: cdc-wdm: close race between read and workqueue"
usb: dwc2: host: Fix dereference issue in DDMA completion flow.
usb: Disable USB3 LPM at shutdown
usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
mei: me: disable RPL-S on SPS and IGN firmwares
speakup: Avoid crash on very long word
fs: sysfs: Fix reference leak in sysfs_break_active_protection()
KVM: x86: Snapshot if a vCPU's vendor model is AMD vs. Intel compatible
KVM: x86/pmu: Disable support for adaptive PEBS
KVM: x86/pmu: Do not mask LVTPC when handling a PMI on AMD platforms
arm64: hibernate: Fix level3 translation fault in swsusp_save()
init/main.c: Fix potential static_command_line memory overflow
mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled
drm/amdgpu: validate the parameters of bo mapping operations more clearly
drm/vmwgfx: Sort primary plane formats by order of preference
drm/vmwgfx: Fix crtc's atomic check conditional
nouveau: fix instmem race condition around ptr stores
bootconfig: use memblock_free_late to free xbc memory to buddy
nilfs2: fix OOB in nilfs_set_de_type
net: dsa: mt7530: set all CPU ports in MT7531_CPU_PMAP
net: dsa: introduce preferred_default_local_cpu_port and use on MT7530
net: dsa: mt7530: fix improper frames on all 25MHz and 40MHz XTAL MT7530
net: dsa: mt7530: fix enabling EEE on MT7531 switch on all boards
ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf
ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
ksmbd: clear RENAME_NOREPLACE before calling vfs_rename
ksmbd: common: use struct_group_attr instead of struct_group for network_open_info
PCI/ASPM: Fix deadlock when enabling ASPM
Linux 6.1.88
Change-Id: If2755c815fcd2d20cb858a547d2698b8dffe9016
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
|
af0a15ff84 |
Merge 6.1.87 into android14-6.1-lts
Changes in 6.1.87
smb3: fix Open files on server counter going negative
ata: libata-scsi: Fix ata_scsi_dev_rescan() error path
batman-adv: Avoid infinite loop trying to resize local TT
ring-buffer: Only update pages_touched when a new page is touched
Bluetooth: Fix memory leak in hci_req_sync_complete()
drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11
PM: s2idle: Make sure CPUs will wakeup directly on resume
media: cec: core: remove length check of Timer Status
arm64: dts: imx8-ss-conn: fix usdhc wrong lpcg clock order
Revert "drm/qxl: simplify qxl_fence_wait"
nouveau: fix function cast warning
scsi: hisi_sas: Modify the deadline for ata_wait_after_reset()
scsi: qla2xxx: Fix off by one in qla_edif_app_getstats()
net: openvswitch: fix unwanted error log on timeout policy probing
u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
geneve: fix header validation in geneve[6]_xmit_skb
bnxt_en: Reset PTP tx_avail after possible firmware reset
net: ks8851: Inline ks8851_rx_skb()
net: ks8851: Handle softirqs at the end of IRQ thread to fix hang
af_unix: Clear stale u->oob_skb.
octeontx2-af: Fix NIX SQ mode and BP config
ipv6: fib: hide unused 'pn' variable
ipv4/route: avoid unused-but-set-variable warning
ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
Bluetooth: SCO: Fix not validating setsockopt user input
Bluetooth: L2CAP: Fix not validating setsockopt user input
netfilter: complete validation of user input
net/mlx5: Properly link new fs rules into the tree
net/mlx5e: Fix mlx5e_priv_init() cleanup flow
net/mlx5e: HTB, Fix inconsistencies with QoS SQs number
net: sparx5: fix wrong config being used when reconfiguring PCS
net: dsa: mt7530: trap link-local frames regardless of ST Port State
af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
af_unix: Fix garbage collector racing against connect()
net: ena: Fix potential sign extension issue
net: ena: Wrong missing IO completions check order
net: ena: Fix incorrect descriptor free behavior
tracing: hide unused ftrace_event_id_fops
iommu/vt-d: Allocate local memory for page request queue
btrfs: qgroup: correctly model root qgroup rsv in convert
btrfs: record delayed inode root in transaction
btrfs: qgroup: convert PREALLOC to PERTRANS after record_root_in_trans
io_uring/net: restore msg_control on sendzc retry
kprobes: Fix possible use-after-free issue on kprobe registration
drm/i915/vrr: Disable VRR when using bigjoiner
drm/amdkfd: Reset GPU on queue preemption failure
drm/ast: Fix soft lockup
drm/client: Fully protect modes[] with dev->mode_config.mutex
vhost: Add smp_rmb() in vhost_vq_avail_empty()
vhost: Add smp_rmb() in vhost_enable_notify()
perf/x86: Fix out of range data
x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n
selftests: timers: Fix abs() warning in posix_timers test
x86/apic: Force native_apic_mem_read() to use the MOV instruction
irqflags: Explicitly ignore lockdep_hrtimer_exit() argument
x86/bugs: Fix return type of spectre_bhi_state()
x86/bugs: Fix BHI documentation
x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES
x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr'
x86/bugs: Fix BHI handling of RRSBA
x86/bugs: Clarify that syscall hardening isn't a BHI mitigation
x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto
x86/bugs: Replace CONFIG_SPECTRE_BHI_{ON,OFF} with CONFIG_MITIGATION_SPECTRE_BHI
drm/i915/cdclk: Fix CDCLK programming order when pipes are active
drm/i915: Disable port sync when bigjoiner is used
drm/amdgpu: Reset dGPU if suspend got aborted
drm/amdgpu: always force full reset for SOC21
drm/amd/display: fix disable otg wa logic in DCN316
Linux 6.1.87
Change-Id: I58ee851cc95f3b34e037dbfc46490730abcabb84
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
|
37db5a6cac |
Reapply "scsi: core: Add struct for args to execution functions"
This reverts commit |
||
|
|
faf34a67eb |
Merge 6.1.86 into android14-6.1-lts
Changes in 6.1.86
amdkfd: use calloc instead of kzalloc to avoid integer overflow
wifi: ath9k: fix LNA selection in ath_ant_try_scan()
bnx2x: Fix firmware version string character counts
wifi: rtw89: pci: enlarge RX DMA buffer to consider size of RX descriptor
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
wifi: iwlwifi: pcie: Add the PCI device id for new hardware
panic: Flush kernel log buffer at the end
cpuidle: Avoid potential overflow in integer multiplication
arm64: dts: rockchip: fix rk3328 hdmi ports node
arm64: dts: rockchip: fix rk3399 hdmi ports node
ionic: set adminq irq affinity
net: skbuff: add overflow debug check to pull/push helpers
firmware: tegra: bpmp: Return directly after a failed kzalloc() in get_filename()
wifi: brcmfmac: Add DMI nvram filename quirk for ACEPC W5 Pro
pstore/zone: Add a null pointer check to the psz_kmsg_read
tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()
net: pcs: xpcs: Return EINVAL in the internal methods
dma-direct: Leak pages on dma_set_decrypted() failure
wifi: ath11k: decrease MHI channel buffer length to 8KB
cpufreq: Don't unregister cpufreq cooling on CPU hotplug
btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()
btrfs: export: handle invalid inode or root reference in btrfs_get_parent()
btrfs: send: handle path ref underflow in header iterate_inode_ref()
ice: use relative VSI index for VFs instead of PF VSI number
net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()
Bluetooth: btintel: Fix null ptr deref in btintel_read_version
Bluetooth: btmtk: Add MODULE_FIRMWARE() for MT7922
drm/vc4: don't check if plane->state->fb == state->fb
Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails
drm: panel-orientation-quirks: Add quirk for GPD Win Mini
pinctrl: renesas: checker: Limit cfg reg enum checks to provided IDs
sysv: don't call sb_bread() with pointers_lock held
scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
isofs: handle CDs with bad root inode but good Joliet root directory
ASoC: Intel: common: DMI remap for rebranded Intel NUC M15 (LAPRC710) laptops
rcu-tasks: Repair RCU Tasks Trace quiescence check
Julia Lawall reported this null pointer dereference, this should fix it.
media: sta2x11: fix irq handler cast
ALSA: firewire-lib: handle quirk to calculate payload quadlets as data block counter
ext4: add a hint for block bitmap corrupt state in mb_groups
ext4: forbid commit inconsistent quota data when errors=remount-ro
drm/amd/display: Fix nanosec stat overflow
drm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()
SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int
Revert "ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default"
libperf evlist: Avoid out-of-bounds access
input/touchscreen: imagis: Correct the maximum touch area value
block: prevent division by zero in blk_rq_stat_sum()
RDMA/cm: add timeout to cm_destroy_id wait
Input: imagis - use FIELD_GET where applicable
Input: allocate keycode for Display refresh rate toggle
platform/x86: touchscreen_dmi: Add an extra entry for a variant of the Chuwi Vi8 tablet
perf/x86/amd/lbr: Discard erroneous branch entries
ktest: force $buildonly = 1 for 'make_warnings_file' test type
ring-buffer: use READ_ONCE() to read cpu_buffer->commit_page in concurrent environment
tools: iio: replace seekdir() in iio_generic_buffer
bus: mhi: host: Add MHI_PM_SYS_ERR_FAIL state
usb: gadget: uvc: mark incomplete frames with UVC_STREAM_ERR
thunderbolt: Keep the domain powered when USB4 port is in redrive mode
usb: typec: tcpci: add generic tcpci fallback compatible
usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined
thermal/of: Assume polling-delay(-passive) 0 when absent
ASoC: soc-core.c: Skip dummy codec when adding platforms
fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2
io_uring: clear opcode specific data for an early failure
drivers/nvme: Add quirks for device 126f:2262
fbmon: prevent division by zero in fb_videomode_from_videomode()
netfilter: nf_tables: release batch on table validation from abort path
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
netfilter: nf_tables: discard table flag update with pending basechain deletion
tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
gcc-plugins/stackleak: Avoid .head.text section
Revert "scsi: sd: usb_storage: uas: Access media prior to querying device properties"
Revert "scsi: core: Add struct for args to execution functions"
scsi: sd: usb_storage: uas: Access media prior to querying device properties
virtio: reenable config if freezing device failed
randomize_kstack: Improve entropy diffusion
platform/x86: intel-vbtn: Update tablet mode switch at end of probe
Bluetooth: btintel: Fixe build regression
net: mpls: error out if inner headers are not set
VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
Revert "drm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()"
Linux 6.1.86
Change-Id: I385fd199fb709d2f63ac02f9f9d1c3061fbbf93f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
|
a28d27f66e |
ANDROID: fix crc issue in net/ipv4/inet_fragment.c
In commit |
||
|
|
da08c217d8 |
ANDROID: preserve CRC values in struct sk_buff due to ip_defrag_offset removal
In commit |
||
|
|
12709c5c1e |
ANDROID: GKI: add symbol list for meizu
INFO: 4 function symbol(s) added
'int clk_set_duty_cycle(struct clk*, unsigned int, unsigned int)'
'void console_verbose()'
'int gpiod_get_direction(struct gpio_desc*)'
'int register_sysrq_key(int, const struct sysrq_key_op*)'
Bug: 347789958
Change-Id: I4d05058f0be53b26fece99bbb843a9aa1a438294
Signed-off-by: luoyongjie <luoyongjie1@meizu.com>
|
||
|
|
bda57805ab |
UPSTREAM: objtool: Fix HOSTCC flag usage
HOSTCC is always wanted when building objtool. Setting CC to HOSTCC
happens after tools/scripts/Makefile.include is included, meaning
flags (like CFLAGS) are set assuming say CC is gcc, but then it can be
later set to HOSTCC which may be clang. tools/scripts/Makefile.include
is needed for host set up and common macros in objtool's
Makefile. Rather than override the CC variable to HOSTCC, just pass CC
as HOSTCC to the sub-makes of Makefile.build, the libsubcmd builds and
also to the linkage step.
Signed-off-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20230126190606.40739-4-irogers@google.com
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Bug: 336872347
Bug: 335829879
Test: build x86_64 kernel with glibc 2.38
Change-Id: I1d672d0bb64f72d3fc571537de5f75d4068e79cc
(cherry picked from commit
|
||
|
|
b5164fdc98 |
UPSTREAM: objtool: Properly support make V=1
The Q variable was being used but never correctly set up. Add the
setting up and use in place of @.
Signed-off-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20230126190606.40739-3-irogers@google.com
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Bug: 336872347
Bug: 335829879
Test: build x86_64 kernel with glibc 2.38
Change-Id: I2ac9a1d0c3a56c6109375e92b3d46e08fd5a71cd
(cherry picked from commit
|
||
|
|
fd5c2e1399 |
UPSTREAM: objtool: Install libsubcmd in build
Including from tools/lib can create inadvertent dependencies. Install
libsubcmd in the objtool build and then include the headers from
there.
Signed-off-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20230126190606.40739-2-irogers@google.com
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Bug: 336872347
Bug: 335829879
Test: build x86_64 kernel with glibc 2.38
Change-Id: Id09c5b222519073214dbc01e151e59b18afb1ea8
(cherry picked from commit
|
||
|
|
de6fb073c6 |
UPSTREAM: af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.
[ Upstream commit 9841991a446c87f90f66f4b9fee6fe934c1336a2 ]
Billy Jheng Bing-Jhong reported a race between __unix_gc() and queue_oob().
__unix_gc() tries to garbage-collect close()d inflight sockets, and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC will drop the reference and set NULL to it locklessly.
However, the peer socket still can send MSG_OOB message and queue_oob() can update unix_sk(sk)->oob_skb concurrently, leading NULL pointer dereference. [0]
To fix the issue, let's update unix_sk(sk)->oob_skb under the sk_receive_queue's lock and take it everywhere we touch oob_skb.
Note that we defer kfree_skb() in manage_oob() to silence lockdep false-positive (See [1]).
[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000008
PF: supervisor write access in kernel mode
PF: error_code(0x0002) - not-present page
PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events delayed_fput
RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)
Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc
RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002
RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9
RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00
RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00
R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80
FS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<TASK>
unix_release_sock (net/unix/af_unix.c:654)
unix_release (net/unix/af_unix.c:1050)
__sock_release (net/socket.c:660)
sock_close (net/socket.c:1423)
__fput (fs/file_table.c:423)
delayed_fput (fs/file_table.c:444 (discriminator 3))
process_one_work (kernel/workqueue.c:3259)
worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
kthread (kernel/kthread.c:388)
ret_from_fork (arch/x86/kernel/process.c:153)
ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
</TASK>
Modules linked in:
CR2: 0000000000000008
Bug: 342490466
Link: https://lore.kernel.org/netdev/a00d3993-c461-43f2-be6d-07259c98509a@rbox.co/ [1]
Fixes: 1279f9d9dec2 ("af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.")
Reported-by: Billy Jheng Bing-Jhong <billy@starlabs.sg>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240516134835.8332-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 518a994aa0b87d96f1bc6678a7035df5d1fcd7a1)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ibf78b113496b5388a63207e7e582f77ddda8dec5
|
||
|
|
0e9ee9221f |
UPSTREAM: af_unix: Don't peek OOB data without MSG_OOB.
[ Upstream commit 22dd70eb2c3d754862964377a75abafd3167346b ]
Currently, we can read OOB data without MSG_OOB by using MSG_PEEK
when OOB data is sitting on the front row, which is apparently
wrong.
>>> from socket import *
>>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
>>> c1.send(b'a', MSG_OOB)
1
>>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
b'a'
If manage_oob() is called when no data has been copied, we only
check if the socket enables SO_OOBINLINE or MSG_PEEK is not used.
Otherwise, the skb is returned as is.
However, here we should return NULL if MSG_PEEK is set and no data
has been copied.
Also, in such a case, we should not jump to the redo label because
we will be caught in the loop and hog the CPU until normal data
comes in.
Then, we need to handle skb == NULL case with the if-clause below
the manage_oob() block.
With this patch:
>>> from socket import *
>>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
>>> c1.send(b'a', MSG_OOB)
1
>>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
BlockingIOError: [Errno 11] Resource temporarily unavailable
Bug: 342490466
Fixes:
|
||
|
|
30d168eb06 |
UPSTREAM: af_unix: Clear stale u->oob_skb.
[ Upstream commit b46f4eaa4f0ec38909fb0072eea3aeddb32f954e ]
syzkaller started to report deadlock of unix_gc_lock after commit
4090fa373f0e ("af_unix: Replace garbage collection algorithm."), but
it just uncovers the bug that has been there since commit
|
||
|
|
c0618d182a |
Revert "f2fs: fix to tag gcing flag on page during block migration"
This reverts commit
|
||
|
|
eb44d83053 |
Linux 6.1.94
Link: https://lore.kernel.org/r/20240613113214.134806994@linuxfoundation.org
Tested-by: SeongJae Park <sj@kernel.org>
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Tested-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
6d6fe13cca |
smp: Provide 'setup_max_cpus' definition on UP too
commit 3c2f8859ae1ce53f2a89c8e4ca4092101afbff67 upstream.
This was already defined locally by init/main.c, but let's make it generic, as arch/x86/kernel/cpu/topology.c is going to make use of it to have more uniform code.
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
b09b556e48 |
smb: client: fix deadlock in smb2_find_smb_tcon()
commit 02c418774f76a0a36a6195c9dbf8971eb4130a15 upstream.
Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such deadlock.
Cc: stable@vger.kernel.org
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
3174d8b7c9 |
powerpc/bpf: enforce full ordering for ATOMIC operations with BPF_FETCH
commit b1e7cee96127468c2483cf10c2899c9b5cf79bf8 upstream.
The Linux Kernel Memory Model [1][2] requires RMW operations that have a
return value to be fully ordered.
BPF atomic operations with BPF_FETCH (including BPF_XCHG and
BPF_CMPXCHG) return a value back so they need to be JITed to fully
ordered operations. POWERPC currently emits relaxed operations for
these.
We can show this by running the following litmus-test:
PPC SB+atomic_add+fetch
{
0:r0=x; (* dst reg assuming offset is 0 *)
0:r1=2; (* src reg *)
0:r2=1;
0:r4=y; (* P0 writes to this, P1 reads this *)
0:r5=z; (* P1 writes to this, P0 reads this *)
0:r6=0;
1:r2=1;
1:r4=y;
1:r5=z;
}
P0 | P1 ;
stw r2, 0(r4) | stw r2,0(r5) ;
| ;
loop:lwarx r3, r6, r0 | ;
mr r8, r3 | ;
add r3, r3, r1 | sync ;
stwcx. r3, r6, r0 | ;
bne loop | ;
mr r1, r8 | ;
| ;
lwa r7, 0(r5) | lwa r7,0(r4) ;
~exists(0:r7=0 /\ 1:r7=0)
Witnesses
Positive: 9 Negative: 3
Condition ~exists (0:r7=0 /\ 1:r7=0)
Observation SB+atomic_add+fetch Sometimes 3 9
This test shows that the older store in P0 is reordered with a newer
load to a different address. Although there is a RMW operation with
fetch between them. Adding a sync before and after RMW fixes the issue:
Witnesses
Positive: 9 Negative: 0
Condition ~exists (0:r7=0 /\ 1:r7=0)
Observation SB+atomic_add+fetch Never 0 9
[1] https://www.kernel.org/doc/Documentation/memory-barriers.txt
[2] https://www.kernel.org/doc/Documentation/atomic_t.txt
Fixes:
|
||
|
|
1ff2bd566f |
btrfs: fix crash on racing fsync and size-extending write into prealloc
commit 9d274c19a71b3a276949933859610721a453946b upstream.
We have been seeing crashes on duplicate keys in btrfs_set_item_key_safe():
  BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)
  ------------[ cut here ]------------
  kernel BUG at fs/btrfs/ctree.c:2620!
  invalid opcode: 0000 [#1] PREEMPT SMP PTI
  CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
  RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]
With the following stack trace:
  #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)
  #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)
  #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)
  #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)
  #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)
  #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)
  #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)
  #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)
  #8 vfs_fsync_range (fs/sync.c:188:9)
  #9 vfs_fsync (fs/sync.c:202:9)
  #10 do_fsync (fs/sync.c:212:9)
  #11 __do_sys_fdatasync (fs/sync.c:225:9)
  #12 __se_sys_fdatasync (fs/sync.c:223:1)
  #13 __x64_sys_fdatasync (fs/sync.c:223:1)
  #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)
  #15 do_syscall_64 (arch/x86/entry/common.c:83:7)
  #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)
So we're logging a changed extent from fsync, which is splitting an extent in the log tree. But this split part already exists in the tree, triggering the BUG().
This is the state of the log tree at the time of the crash, dumped with drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py) to get more details than btrfs_print_leaf() gives us:
  >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"])
  leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610
  leaf 33439744 flags 0x100000000000000
  fs uuid e5bd3946-400c-4223-8923-190ef1f18677
  chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da
          item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160
                  generation 7 transid 9 size 8192 nbytes 8473563889606862198
                  block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
                  sequence 204 flags 0x10(PREALLOC)
                  atime 1716417703.220000000 (2024-05-22 15:41:43)
                  ctime 1716417704.983333333 (2024-05-22 15:41:44)
                  mtime 1716417704.983333333 (2024-05-22 15:41:44)
                  otime 17592186044416.000000000 (559444-03-08 01:40:16)
          item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13
                  index 195 namelen 3 name: 193
          item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37
                  location key (0 UNKNOWN.0 0) type XATTR
                  transid 7 data_len 1 name_len 6
                  name: user.a
                  data a
          item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53
                  generation 9 type 1 (regular)
                  extent data disk byte 303144960 nr 12288
                  extent data offset 0 nr 4096 ram 12288
                  extent compression 0 (none)
          item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53
                  generation 9 type 2 (prealloc)
                  prealloc data disk byte 303144960 nr 12288
                  prealloc data offset 4096 nr 8192
          item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53
                  generation 9 type 2 (prealloc)
                  prealloc data disk byte 303144960 nr 12288
                  prealloc data offset 8192 nr 4096
  ...
So the real problem happened earlier: notice that items 4 (4k-12k) and 5 (8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and item 5 starts at i_size.
Here is the state of the filesystem tree at the time of the crash:
  >>> root = prog.crashed_thread().stack_trace()[2]["inode"].root
  >>> ret, nodes, slots = btrfs_search_slot(root, BtrfsKey(450, 0, 0))
  >>> print_extent_buffer(nodes[0])
  leaf 30425088 level 0 items 184 generation 9 owner 5
  leaf 30425088 flags 0x100000000000000
  fs uuid e5bd3946-400c-4223-8923-190ef1f18677
  chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da
          ...
          item 179 key (450 INODE_ITEM 0) itemoff 4907 itemsize 160
                  generation 7 transid 7 size 4096 nbytes 12288
                  block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
                  sequence 6 flags 0x10(PREALLOC)
                  atime 1716417703.220000000 (2024-05-22 15:41:43)
                  ctime 1716417703.220000000 (2024-05-22 15:41:43)
                  mtime 1716417703.220000000 (2024-05-22 15:41:43)
                  otime 1716417703.220000000 (2024-05-22 15:41:43)
          item 180 key (450 INODE_REF 256) itemoff 4894 itemsize 13
                  index 195 namelen 3 name: 193
          item 181 key (450 XATTR_ITEM 1640047104) itemoff 4857 itemsize 37
                  location key (0 UNKNOWN.0 0) type XATTR
                  transid 7 data_len 1 name_len 6
                  name: user.a
                  data a
          item 182 key (450 EXTENT_DATA 0) itemoff 4804 itemsize 53
                  generation 9 type 1 (regular)
                  extent data disk byte 303144960 nr 12288
                  extent data offset 0 nr 8192 ram 12288
                  extent compression 0 (none)
          item 183 key (450 EXTENT_DATA 8192) itemoff 4751 itemsize 53
                  generation 9 type 2 (prealloc)
                  prealloc data disk byte 303144960 nr 12288
                  prealloc data offset 8192 nr 4096
Item 5 in the log tree corresponds to item 183 in the filesystem tree, but nothing matches item 4. Furthermore, item 183 is the last item in the leaf.
btrfs_log_prealloc_extents() is responsible for logging prealloc extents beyond i_size. It first truncates any previously logged prealloc extents that start beyond i_size. Then, it walks the filesystem tree and copies the prealloc extent items to the log tree.
If it hits the end of a leaf, then it calls btrfs_next_leaf(), which unlocks the tree and does another search. However, while the filesystem tree is unlocked, an ordered extent completion may modify the tree. In particular, it may insert an extent item that overlaps with an extent item that was already copied to the log tree.
This may manifest in several ways depending on the exact scenario, including an EEXIST error that is silently translated to a full sync, overlapping items in the log tree, or this crash. This particular crash is triggered by the following sequence of events:
- Initially, the file has i_size=4k, a regular extent from 0-4k, and a prealloc extent beyond i_size from 4k-12k. The prealloc extent item is the last item in its B-tree leaf.
- The file is fsync'd, which copies its inode item and both extent items to the log tree.
- An xattr is set on the file, which sets the BTRFS_INODE_COPY_EVERYTHING flag.
- The range 4k-8k in the file is written using direct I/O. i_size is extended to 8k, but the ordered extent is still in flight.
- The file is fsync'd. Since BTRFS_INODE_COPY_EVERYTHING is set, this calls copy_inode_items_to_log(), which calls btrfs_log_prealloc_extents().
- btrfs_log_prealloc_extents() finds the 4k-12k prealloc extent in the filesystem tree. Since it starts before i_size, it skips it. Since it is the last item in its B-tree leaf, it calls btrfs_next_leaf().
- btrfs_next_leaf() unlocks the path.
- The ordered extent completion runs, which converts the 4k-8k part of the prealloc extent to written and inserts the remaining prealloc part from 8k-12k.
- btrfs_next_leaf() does a search and finds the new prealloc extent 8k-12k.
- btrfs_log_prealloc_extents() copies the 8k-12k prealloc extent into the log tree. Note that it overlaps with the 4k-12k prealloc extent that was copied to the log tree by the first fsync.
- fsync calls btrfs_log_changed_extents(), which tries to log the 4k-8k extent that was written.
- This tries to drop the range 4k-8k in the log tree, which requires adjusting the start of the 4k-12k prealloc extent in the log tree to 8k.
- btrfs_set_item_key_safe() sees that there is already an extent starting at 8k in the log tree and calls BUG().
Fix this by detecting when we're about to insert an overlapping file extent item in the log tree and truncating the part that would overlap.
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
e601937b5b |
NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS
commit f06d1b10cb016d5aaecdb1804fefca025387bd10 upstream.
Olga showed me a case where the client was sending multiple READ_PLUS
calls to the server in parallel, and the server replied
NFS4ERR_OPNOTSUPP to each. The client would fall back to READ for the
first reply, but fail to retry the other calls.
I fix this by removing the test for NFS_CAP_READ_PLUS in
nfs4_read_plus_not_supported(). This allows us to reschedule any
READ_PLUS call that has a NFS4ERR_OPNOTSUPP return value, even after the
capability has been cleared.
Reported-by: Olga Kornievskaia <kolga@netapp.com>
Fixes:
|
||
|
|
a54419e60e |
nfs: fix undefined behavior in nfs_block_bits()
commit 3c0a2e0b0ae661457c8505fecc7be5501aa7a715 upstream.
Shifting *signed int* typed constant 1 left by 31 bits causes undefined behavior. Specify the correct *unsigned long* type by using 1UL instead.
Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.
Cc: stable@vger.kernel.org
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
728b663f5e |
EDAC/igen6: Convert PCIBIOS_* return codes to errnos
commit f8367a74aebf88dc8b58a0db6a6c90b4cb8fc9d3 upstream.
errcmd_enable_error_reporting() uses pci_{read,write}_config_word()
that return PCIBIOS_* codes. The return code is then returned all the
way into the probe function igen6_probe() that returns it as is. The
probe functions, however, should return normal errnos.
Convert PCIBIOS_* returns code using pcibios_err_to_errno() into normal
errno before returning it from errcmd_enable_error_reporting().
Fixes:
|
||
|
|
4e060b308d |
i3c: master: svc: fix invalidate IBI type and miss call client IBI handler
commit 38baed9b8600008e5d7bc8cb9ceccc1af3dd54b7 upstream.
In an In-Band Interrupt (IBI) handle, the code logic is as follows:
1: writel(SVC_I3C_MCTRL_REQUEST_AUTO_IBI | SVC_I3C_MCTRL_IBIRESP_AUTO,
master->regs + SVC_I3C_MCTRL);
2: ret = readl_relaxed_poll_timeout(master->regs + SVC_I3C_MSTATUS, val,
SVC_I3C_MSTATUS_IBIWON(val), 0, 1000);
...
3: ibitype = SVC_I3C_MSTATUS_IBITYPE(status);
ibiaddr = SVC_I3C_MSTATUS_IBIADDR(status);
SVC_I3C_MSTATUS_IBIWON may be set before step 1. Thus, step 2 will return
immediately, and the I3C controller has not sent out the 9th SCL yet.
Consequently, ibitype and ibiaddr are 0, resulting in an unknown IBI type
occurrence and missing call I3C client driver's IBI handler.
A typical case is that SVC_I3C_MSTATUS_IBIWON is set when an IBI occurs
during the controller send start frame in svc_i3c_master_xfer().
Clear SVC_I3C_MSTATUS_IBIWON before issue SVC_I3C_MCTRL_REQUEST_AUTO_IBI
to fix this issue.
Cc: stable@vger.kernel.org
Fixes: 5e5e3c92e748 ("i3c: master: svc: fix wrong data return when IBI happen during start frame")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/r/20240506164009.21375-3-Frank.Li@nxp.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
07c8050f8c |
s390/cpacf: Make use of invalid opcode produce a link error
commit 32e8bd6423fc127d2b37bdcf804fd76af3bbec79 upstream.
Instead of calling BUG() at runtime introduce and use a prototype for a non-existing function to produce a link error during compile when a not supported opcode is used with the __cpacf_query() or __cpacf_check_opcode() inline functions.
Suggested-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Juergen Christ <jchrist@linux.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
1d39dcff47 |
s390/cpacf: Split and rework cpacf query functions
commit 830999bd7e72f4128b9dfa37090d9fa8120ce323 upstream.
Rework the cpacf query functions to use the correct RRE
or RRF instruction formats and set register fields within
instructions correctly.
Fixes:
|
||
|
|
8c5f5911c1 |
s390/ap: Fix crash in AP internal function modify_bitmap()
commit d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9 upstream.
A system crash like this
  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403
  Fault in home space mode while using kernel ASCE.
  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d
  Oops: 0038 ilc:3 [#1] PREEMPT SMP
  Modules linked in: mlx5_ib ...
  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8
  Hardware name: IBM 3931 A01 704 (LPAR)
  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)
             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3
             000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0
             000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff
             000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8
  Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a
             0000014b75e7b600: 18b2 lr %r11,%r2
            #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616
            >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)
             0000014b75e7b60c: a7680001 lhi %r6,1
             0000014b75e7b610: 187b lr %r7,%r11
             0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654
             0000014b75e7b616: 18e9 lr %r14,%r9
  Call Trace:
   [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8
  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)
   [<0000014b75e7b758>] apmask_store+0x68/0x140
   [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8
   [<0000014b75598524>] vfs_write+0x1b4/0x448
   [<0000014b7559894c>] ksys_write+0x74/0x100
   [<0000014b7618a440>] __do_syscall+0x268/0x328
   [<0000014b761a3558>] system_call+0x70/0x98
  INFO: lockdep is turned off.
  Last Breaking-Event-Address:
   [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8
  Kernel panic - not syncing: Fatal exception: panic_on_oops
occurred when /sys/bus/ap/a[pq]mask was updated with a relative mask value (like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.
The fix is simple: use unsigned long values for the internal variables. The correct checks are already in place in the function but a simple int for the internal variables was used with the possibility to overflow.
Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Tested-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
ff19ea00a5 |
parisc: Define sigset_t in parisc uapi header
commit 487fa28fa8b60417642ac58e8beda6e2509d18f9 upstream.
The util-linux debian package fails to build on parisc, because sigset_t isn't defined in asm/signal.h when included from userspace. Move the sigset_t type from internal header to the uapi header to fix the build.
Link: https://buildd.debian.org/status/fetch.php?pkg=util-linux&arch=hppa&ver=2.40-7&stamp=1714163443&raw=0
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v6.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
bca17801fb |
parisc: Define HAVE_ARCH_HUGETLB_UNMAPPED_AREA
commit d4a599910193b85f76c100e30d8551c8794f8c2a upstream.
Define the HAVE_ARCH_HUGETLB_UNMAPPED_AREA macro like other platforms do in their page.h files to avoid this compile warning:
arch/parisc/mm/hugetlbpage.c:25:1: warning: no previous prototype for 'hugetlb_get_unmapped_area' [-Wmissing-prototypes]
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # 6.0+
Reported-by: John David Anglin <dave.anglin@bell.net>
Tested-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
e941b712e7 |
ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
commit 0c0b4a49d3e7f49690a6827a41faeffad5df7e21 upstream.
Syzbot reports a warning as follows:
============================================
WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290
Modules linked in:
CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7
RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419
Call Trace:
<TASK>
ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375
generic_shutdown_super+0x136/0x2d0 fs/super.c:641
kill_block_super+0x44/0x90 fs/super.c:1675
ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327
[...]
============================================
This is because when finding an entry in ext4_xattr_block_cache_find(), if
ext4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown
in the __entry_find(), won't be put away, and eventually trigger the above
issue in mb_cache_destroy() due to reference count leakage.
So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.
Reported-by: syzbot+dd43bd0f7474512edc47@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=dd43bd0f7474512edc47
Fixes:
|