mirror of
https://github.com/hardkernel/linux.git
synced 2026-06-11 13:27:06 +09:00
3b2e004494de3fa54fffaf220eeb1512cc49dada
1165241 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Kuniyuki Iwashima
|
84a352b7eb |
af_unix: Clear stale u->oob_skb.
[ Upstream commit b46f4eaa4f0ec38909fb0072eea3aeddb32f954e ]
syzkaller started to report deadlock of unix_gc_lock after commit
4090fa373f0e ("af_unix: Replace garbage collection algorithm."), but
it just uncovers the bug that has been there since commit
|
||
|
Marek Vasut
|
492337a4fb |
net: ks8851: Handle softirqs at the end of IRQ thread to fix hang
[ Upstream commit be0384bf599cf1eb8d337517feeb732d71f75a6f ]
The ks8851_irq() thread may call ks8851_rx_pkts() in case there are
any packets in the MAC FIFO, which calls netif_rx(). This netif_rx()
implementation is guarded by local_bh_disable() and local_bh_enable().
The local_bh_enable() may call do_softirq() to run softirqs in case
any are pending. One of the softirqs is net_rx_action, which ultimately
reaches the driver .start_xmit callback. If that happens, the system
hangs. The entire call chain is below:
ks8851_start_xmit_par from netdev_start_xmit
netdev_start_xmit from dev_hard_start_xmit
dev_hard_start_xmit from sch_direct_xmit
sch_direct_xmit from __dev_queue_xmit
__dev_queue_xmit from __neigh_update
__neigh_update from neigh_update
neigh_update from arp_process.constprop.0
arp_process.constprop.0 from __netif_receive_skb_one_core
__netif_receive_skb_one_core from process_backlog
process_backlog from __napi_poll.constprop.0
__napi_poll.constprop.0 from net_rx_action
net_rx_action from __do_softirq
__do_softirq from call_with_stack
call_with_stack from do_softirq
do_softirq from __local_bh_enable_ip
__local_bh_enable_ip from netif_rx
netif_rx from ks8851_irq
ks8851_irq from irq_thread_fn
irq_thread_fn from irq_thread
irq_thread from kthread
kthread from ret_from_fork
The hang happens because ks8851_irq() first locks a spinlock in
ks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)
and with that spinlock locked, calls netif_rx(). Once the execution
reaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again
which attempts to claim the already locked spinlock again, and the
hang happens.
Move the do_softirq() call outside of the spinlock protected section
of ks8851_irq() by disabling BHs around the entire spinlock protected
section of ks8851_irq() handler. Place local_bh_enable() outside of
the spinlock protected section, so that it can trigger do_softirq()
without the ks8851_par.c ks8851_lock_par() spinlock being held, and
safely call ks8851_start_xmit_par() without attempting to lock the
already locked spinlock.
Since ks8851_irq() is protected by local_bh_disable()/local_bh_enable()
now, replace netif_rx() with __netif_rx() which is not duplicating the
local_bh_disable()/local_bh_enable() calls.
Fixes:
|
||
|
Marek Vasut
|
be03315452 |
net: ks8851: Inline ks8851_rx_skb()
[ Upstream commit f96f700449b6d190e06272f1cf732ae8e45b73df ] Both ks8851_rx_skb_par() and ks8851_rx_skb_spi() call netif_rx(skb), inline the netif_rx(skb) call directly into ks8851_common.c and drop the .rx_skb callback and ks8851_rx_skb() wrapper. This removes one indirect call from the driver, no functional change otherwise. Signed-off-by: Marek Vasut <marex@denx.de> Link: https://lore.kernel.org/r/20240405203204.82062-1-marex@denx.de Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: be0384bf599c ("net: ks8851: Handle softirqs at the end of IRQ thread to fix hang") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Pavan Chebbi
|
ecedcd7e39 |
bnxt_en: Reset PTP tx_avail after possible firmware reset
[ Upstream commit faa12ca245585379d612736a4b5e98e88481ea59 ]
It is possible that during error recovery and firmware reset,
there is a pending TX PTP packet waiting for the timestamp.
We need to reset this condition so that after recovery, the
tx_avail count for PTP is reset back to the initial value.
Otherwise, we may not accept any PTP TX timestamps after
recovery.
Fixes:
|
||
|
Eric Dumazet
|
4a1b65d1e5 |
geneve: fix header validation in geneve[6]_xmit_skb
[ Upstream commit d8a6213d70accb403b82924a1c229e733433a5ef ]
syzbot is able to trigger an uninit-value in geneve_xmit() [1]
Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())
uses skb_protocol(skb, true), pskb_inet_may_pull() is only using
skb->protocol.
If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,
pskb_inet_may_pull() does nothing at all.
If a vlan tag was provided by the caller (af_packet in the syzbot case),
the network header might not point to the correct location, and skb
linear part could be smaller than expected.
Add skb_vlan_inet_prepare() to perform a complete mac validation.
Use this in geneve for the moment, I suspect we need to adopt this
more broadly.
v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest
- Only call __vlan_get_protocol() for vlan types.
Link: https://lore.kernel.org/netdev/20240404100035.3270a7d5@kernel.org/
v2,v3 - Addressed Sabrina comments on v1 and v2
Link: https://lore.kernel.org/netdev/Zg1l9L2BNoZWZDZG@hog/
[1]
BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]
BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
geneve_xmit_skb drivers/net/geneve.c:910 [inline]
geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030
__netdev_start_xmit include/linux/netdevice.h:4903 [inline]
netdev_start_xmit include/linux/netdevice.h:4917 [inline]
xmit_one net/core/dev.c:3531 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
__dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335
dev_queue_xmit include/linux/netdevice.h:3091 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:745
__sys_sendto+0x685/0x830 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
packet_alloc_skb net/packet/af_packet.c:2930 [inline]
packet_snd net/packet/af_packet.c:3024 [inline]
packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:745
__sys_sendto+0x685/0x830 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x125/0x1d0 net/socket.c:2199
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Fixes:
|
||
|
Eric Dumazet
|
2a523f14a3 |
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
[ Upstream commit 237f3cf13b20db183d3706d997eedc3c49eacd44 ]
syzbot reported an illegal copy in xsk_setsockopt() [1]
Make sure to validate setsockopt() @optlen parameter.
[1]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420
Read of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549
CPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
copy_from_sockptr include/linux/sockptr.h:55 [inline]
xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420
do_sock_setsockopt+0x3af/0x720 net/socket.c:2311
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fb40587de69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69
RDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006
RBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000
R10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08
</TASK>
Allocated by task 7549:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x233/0x4a0 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
__cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869
do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
The buggy address belongs to the object at ffff888028c6cde0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 1 bytes to the right of
allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)
The buggy address belongs to the physical page:
page:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c
anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001
raw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311
__alloc_pages+0x256/0x680 mm/page_alloc.c:4569
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page+0x5f/0x160 mm/slub.c:2175
allocate_slab mm/slub.c:2338 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2391
___slab_alloc+0xc73/0x1260 mm/slub.c:3525
__slab_alloc mm/slub.c:3610 [inline]
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc_node+0x2db/0x4e0 mm/slub.c:3973
kmalloc_node include/linux/slab.h:648 [inline]
__vmalloc_area_node mm/vmalloc.c:3197 [inline]
__vmalloc_node_range+0x5f9/0x14a0 mm/vmalloc.c:3392
__vmalloc_node mm/vmalloc.c:3457 [inline]
vzalloc+0x79/0x90 mm/vmalloc.c:3530
bpf_check+0x260/0x19010 kernel/bpf/verifier.c:21162
bpf_prog_load+0x1667/0x20f0 kernel/bpf/syscall.c:2895
__sys_bpf+0x4ee/0x810 kernel/bpf/syscall.c:5631
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
page last free pid 6650 tgid 6647 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x95d/0xa80 mm/page_alloc.c:2346
free_unref_page_list+0x5a3/0x850 mm/page_alloc.c:2532
release_pages+0x2117/0x2400 mm/swap.c:1042
tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
tlb_flush_mmu+0x34d/0x4e0 mm/mmu_gather.c:300
tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:392
exit_mmap+0x4b6/0xd40 mm/mmap.c:3300
__mmput+0x115/0x3c0 kernel/fork.c:1345
exit_mm+0x220/0x310 kernel/exit.c:569
do_exit+0x99e/0x27e0 kernel/exit.c:865
do_group_exit+0x207/0x2c0 kernel/exit.c:1027
get_signal+0x176e/0x1850 kernel/signal.c:2907
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:212
do_syscall_64+0x10a/0x240 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Memory state around the buggy address:
ffff888028c6cc80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
ffff888028c6cd00: fa fc fc fc fa fc fc fc 00 fc fc fc 06 fc fc fc
>ffff888028c6cd80: fa fc fc fc fa fc fc fc fa fc fc fc 02 fc fc fc
^
ffff888028c6ce00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
ffff888028c6ce80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
Fixes:
|
||
|
Petr Tesarik
|
ac1c10b4eb |
u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file
[ Upstream commit 38a15d0a50e0a43778561a5861403851f0b0194c ]
Fix bogus lockdep warnings if multiple u64_stats_sync variables are
initialized in the same file.
With CONFIG_LOCKDEP, seqcount_init() is a macro which declares:
static struct lock_class_key __key;
Since u64_stats_init() is a function (albeit an inline one), all calls
within the same file end up using the same instance, effectively treating
them all as a single lock-class.
Fixes:
|
||
|
Ilya Maximets
|
0b44500559 |
net: openvswitch: fix unwanted error log on timeout policy probing
[ Upstream commit 4539f91f2a801c0c028c252bffae56030cfb2cae ]
On startup, ovs-vswitchd probes different datapath features including
support for timeout policies. While probing, it tries to execute
certain operations with OVS_PACKET_ATTR_PROBE or OVS_FLOW_ATTR_PROBE
attributes set. These attributes tell the openvswitch module to not
log any errors when they occur as it is expected that some of the
probes will fail.
For some reason, setting the timeout policy ignores the PROBE attribute
and logs a failure anyway. This is causing the following kernel log
on each re-start of ovs-vswitchd:
kernel: Failed to associated timeout policy `ovs_test_tp'
Fix that by using the same logging macro that all other messages are
using. The message will still be printed at info level when needed
and will be rate limited, but with a net rate limiter instead of
generic printk one.
The nf_ct_set_timeout() itself will still print some info messages,
but at least this change makes logging in openvswitch module more
consistent.
Fixes:
|
||
|
Dan Carpenter
|
9fc74e367b |
scsi: qla2xxx: Fix off by one in qla_edif_app_getstats()
[ Upstream commit 4406e4176f47177f5e51b4cc7e6a7a2ff3dbfbbd ]
The app_reply->elem[] array is allocated earlier in this function and it
has app_req.num_ports elements. Thus this > comparison needs to be >= to
prevent memory corruption.
Fixes:
|
||
|
Xiang Chen
|
438b9a71b2 |
scsi: hisi_sas: Modify the deadline for ata_wait_after_reset()
[ Upstream commit 0098c55e0881f0b32591f2110410d5c8b7f9bd5a ]
We found that the second parameter of function ata_wait_after_reset() is
incorrectly used. We call smp_ata_check_ready_type() to poll the device
type until the 30s timeout, so the correct deadline should be (jiffies +
30000).
Fixes:
|
||
|
Arnd Bergmann
|
b7dc2e6b87 |
nouveau: fix function cast warning
[ Upstream commit 185fdb4697cc9684a02f2fab0530ecdd0c2f15d4 ]
Calling a function through an incompatible pointer type causes breaks
kcfi, so clang warns about the assignment:
drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowof.c:73:10: error: cast from 'void (*)(const void *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
73 | .fini = (void(*)(void *))kfree,
Avoid this with a trivial wrapper.
Fixes:
|
||
|
Alex Constantino
|
84fb600635 |
Revert "drm/qxl: simplify qxl_fence_wait"
[ Upstream commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea ] This reverts commit |
||
|
Frank Li
|
24c0c5867a |
arm64: dts: imx8-ss-conn: fix usdhc wrong lpcg clock order
[ Upstream commit c6ddd6e7b166532a0816825442ff60f70aed9647 ]
The actual clock show wrong frequency:
echo on >/sys/devices/platform/bus\@5b000000/5b010000.mmc/power/control
cat /sys/kernel/debug/mmc0/ios
clock: 200000000 Hz
actual clock: 166000000 Hz
^^^^^^^^^
.....
According to
sdhc0_lpcg: clock-controller@5b200000 {
compatible = "fsl,imx8qxp-lpcg";
reg = <0x5b200000 0x10000>;
#clock-cells = <1>;
clocks = <&clk IMX_SC_R_SDHC_0 IMX_SC_PM_CLK_PER>,
<&conn_ipg_clk>, <&conn_axi_clk>;
clock-indices = <IMX_LPCG_CLK_0>, <IMX_LPCG_CLK_4>,
<IMX_LPCG_CLK_5>;
clock-output-names = "sdhc0_lpcg_per_clk",
"sdhc0_lpcg_ipg_clk",
"sdhc0_lpcg_ahb_clk";
power-domains = <&pd IMX_SC_R_SDHC_0>;
}
"per_clk" should be IMX_LPCG_CLK_0 instead of IMX_LPCG_CLK_5.
After correct clocks order:
echo on >/sys/devices/platform/bus\@5b000000/5b010000.mmc/power/control
cat /sys/kernel/debug/mmc0/ios
clock: 200000000 Hz
actual clock: 198000000 Hz
^^^^^^^^
...
Fixes:
|
||
|
Nini Song
|
49054b3ed2 |
media: cec: core: remove length check of Timer Status
commit ce5d241c3ad4568c12842168288993234345c0eb upstream. The valid_la is used to check the length requirements, including special cases of Timer Status. If the length is shorter than 5, that means no Duration Available is returned, the message will be forced to be invalid. However, the description of Duration Available in the spec is that this parameter may be returned when these cases, or that it can be optionally return when these cases. The key words in the spec description are flexible choices. Remove the special length check of Timer Status to fit the spec which is not compulsory about that. Signed-off-by: Nini Song <nini.song@mediatek.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Anna-Maria Behnsen
|
bccc8d1550 |
PM: s2idle: Make sure CPUs will wakeup directly on resume
commit 3c89a068bfd0698a5478f4cf39493595ef757d5e upstream.
s2idle works like a regular suspend with freezing processes and freezing
devices. All CPUs except the control CPU go into idle. Once this is
completed the control CPU kicks all other CPUs out of idle, so that they
reenter the idle loop and then enter s2idle state. The control CPU then
issues an swait() on the suspend state and therefore enters the idle loop
as well.
Due to being kicked out of idle, the other CPUs leave their NOHZ states,
which means the tick is active and the corresponding hrtimer is programmed
to the next jiffie.
On entering s2idle the CPUs shut down their local clockevent device to
prevent wakeups. The last CPU which enters s2idle shuts down its local
clockevent and freezes timekeeping.
On resume, one of the CPUs receives the wakeup interrupt, unfreezes
timekeeping and its local clockevent and starts the resume process. At that
point all other CPUs are still in s2idle with their clockevents switched
off. They only resume when they are kicked by another CPU or after resuming
devices and then receiving a device interrupt.
That means there is no guarantee that all CPUs will wakeup directly on
resume. As a consequence there is no guarantee that timers which are queued
on those CPUs and should expire directly after resume, are handled. Also
timer list timers which are remotely queued to one of those CPUs after
resume will not result in a reprogramming IPI as the tick is
active. Queueing a hrtimer will also not result in a reprogramming IPI
because the first hrtimer event is already in the past.
The recent introduction of the timer pull model (7ee988770326 ("timers:
Implement the hierarchical pull model")) amplifies this problem, if the
current migrator is one of the non woken up CPUs. When a non pinned timer
list timer is queued and the queuing CPU goes idle, it relies on the still
suspended migrator CPU to expire the timer which will happen by chance.
The problem exists since commit
|
||
|
Tim Huang
|
bd9b94055c |
drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11
commit 31729e8c21ecfd671458e02b6511eb68c2225113 upstream. While doing multiple S4 stress tests, GC/RLC/PMFW get into an invalid state resulting into hard hangs. Adding a GFX reset as workaround just before sending the MP1_UNLOAD message avoids this failure. Signed-off-by: Tim Huang <Tim.Huang@amd.com> Acked-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: Mario Limonciello <superm1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Dmitry Antipov
|
66fab1e120 |
Bluetooth: Fix memory leak in hci_req_sync_complete()
commit 45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810 upstream.
In 'hci_req_sync_complete()', always free the previous sync
request state before assigning reference to a new one.
Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=39ec16ff6cc18b1d066d
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Steven Rostedt (Google)
|
2d5f12de4c |
ring-buffer: Only update pages_touched when a new page is touched
commit ffe3986fece696cf65e0ef99e74c75f848be8e30 upstream.
The "buffer_percent" logic that is used by the ring buffer splice code to
only wake up the tasks when there's no data after the buffer is filled to
the percentage of the "buffer_percent" file is dependent on three
variables that determine the amount of data that is in the ring buffer:
1) pages_read - incremented whenever a new sub-buffer is consumed
2) pages_lost - incremented every time a writer overwrites a sub-buffer
3) pages_touched - incremented when a write goes to a new sub-buffer
The percentage is the calculation of:
(pages_touched - (pages_lost + pages_read)) / nr_pages
Basically, the amount of data is the total number of sub-bufs that have been
touched, minus the number of sub-bufs lost and sub-bufs consumed. This is
divided by the total count to give the buffer percentage. When the
percentage is greater than the value in the "buffer_percent" file, it
wakes up splice readers waiting for that amount.
It was observed that over time, the amount read from the splice was
constantly decreasing the longer the trace was running. That is, if one
asked for 60%, it would read over 60% when it first starts tracing, but
then it would be woken up at under 60% and would slowly decrease the
amount of data read after being woken up, where the amount becomes much
less than the buffer percent.
This was due to an accounting of the pages_touched incrementation. This
value is incremented whenever a writer transfers to a new sub-buffer. But
the place where it was incremented was incorrect. If a writer overflowed
the current sub-buffer it would go to the next one. If it gets preempted
by an interrupt at that time, and the interrupt performs a trace, it too
will end up going to the next sub-buffer. But only one should increment
the counter. Unfortunately, that was not the case.
Change the cmpxchg() that does the real switch of the tail-page into a
try_cmpxchg(), and on success, perform the increment of pages_touched. This
will only increment the counter once for when the writer moves to a new
sub-buffer, and not when there's a race and is incremented for when a
writer and its preempting writer both move to the same new sub-buffer.
Link: https://lore.kernel.org/linux-trace-kernel/20240409151309.0d0e5056@gandalf.local.home
Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes:
|
||
|
Sven Eckelmann
|
3fe79b2c83 |
batman-adv: Avoid infinite loop trying to resize local TT
commit b1f532a3b1e6d2e5559c7ace49322922637a28aa upstream.
If the MTU of one of an attached interface becomes too small to transmit
the local translation table then it must be resized to fit inside all
fragments (when enabled) or a single packet.
But if the MTU becomes too low to transmit even the header + the VLAN
specific part then the resizing of the local TT will never succeed. This
can for example happen when the usable space is 110 bytes and 11 VLANs are
on top of batman-adv. In this case, at least 116 byte would be needed.
There will just be an endless spam of
batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)
in the log but the function will never finish. Problem here is that the
timeout will be halved all the time and will then stagnate at 0 and
therefore never be able to reduce the table even more.
There are other scenarios possible with a similar result. The number of
BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too
high to fit inside a packet. Such a scenario can therefore happen also with
only a single VLAN + 7 non-purgable addresses - requiring at least 120
bytes.
While this should be handled proactively when:
* interface with too low MTU is added
* VLAN is added
* non-purgeable local mac is added
* MTU of an attached interface is reduced
* fragmentation setting gets disabled (which most likely requires dropping
attached interfaces)
not all of these scenarios can be prevented because batman-adv is only
consuming events without the the possibility to prevent these actions
(non-purgable MAC address added, MTU of an attached interface is reduced).
It is therefore necessary to also make sure that the code is able to handle
also the situations when there were already incompatible system
configuration are present.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Damien Le Moal
|
0559b2d759 |
ata: libata-scsi: Fix ata_scsi_dev_rescan() error path
commit 79336504781e7fee5ddaf046dcc186c8dfdf60b1 upstream.
Commit 0c76106cb975 ("scsi: sd: Fix TCG OPAL unlock on system resume")
incorrectly handles failures of scsi_resume_device() in
ata_scsi_dev_rescan(), leading to a double call to
spin_unlock_irqrestore() to unlock a device port. Fix this by redefining
the goto labels used in case of errors and only unlock the port
scsi_scan_mutex when scsi_resume_device() fails.
Bug found with the Smatch static checker warning:
drivers/ata/libata-scsi.c:4774 ata_scsi_dev_rescan()
error: double unlocked 'ap->lock' (orig line 4757)
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Fixes: 0c76106cb975 ("scsi: sd: Fix TCG OPAL unlock on system resume")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Steve French
|
ca5962bdc5 |
smb3: fix Open files on server counter going negative
commit 28e0947651ce6a2200b9a7eceb93282e97d7e51a upstream.
We were decrementing the count of open files on server twice
for the case where we were closing cached directories.
Fixes:
|
||
|
Greg Kroah-Hartman
|
20b90d46a0 |
Merge 6.1.77 into android14-6.1-lts
Changes in 6.1.77
asm-generic: make sparse happy with odd-sized put_unaligned_*()
powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
arm64: irq: set the correct node for VMAP stack
drivers/perf: pmuv3: don't expose SW_INCR event in sysfs
powerpc: Fix build error due to is_valid_bugaddr()
powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()
powerpc/64s: Fix CONFIG_NUMA=n build due to create_section_mapping()
x86/boot: Ignore NMIs during very early boot
powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE
powerpc/lib: Validate size for vector operations
x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel
perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file
debugobjects: Stop accessing objects after releasing hash bucket lock
regulator: core: Only increment use_count when enable_count changes
audit: Send netlink ACK before setting connection in auditd_set
ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop
PNP: ACPI: fix fortify warning
ACPI: extlog: fix NULL pointer dereference check
ACPI: NUMA: Fix the logic of getting the fake_pxm value
PM / devfreq: Synchronize devfreq_monitor_[start/stop]
ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on synchronous events
FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
UBSAN: array-index-out-of-bounds in dtSplitRoot
jfs: fix slab-out-of-bounds Read in dtSearch
jfs: fix array-index-out-of-bounds in dbAdjTree
jfs: fix uaf in jfs_evict_inode
pstore/ram: Fix crash when setting number of cpus to an odd number
crypto: octeontx2 - Fix cptvf driver cleanup
erofs: fix ztailpacking for subpage compressed blocks
crypto: stm32/crc32 - fix parsing list of devices
afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu()
afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()
rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()
jfs: fix array-index-out-of-bounds in diNewExt
arch: consolidate arch_irq_work_raise prototypes
s390/vfio-ap: fix sysfs status attribute for AP queue devices
s390/ptrace: handle setting of fpc register correctly
KVM: s390: fix setting of fpc register
SUNRPC: Fix a suspicious RCU usage warning
ecryptfs: Reject casefold directory inodes
ext4: fix inconsistent between segment fstrim and full fstrim
ext4: unify the type of flexbg_size to unsigned int
ext4: remove unnecessary check from alloc_flex_gd()
ext4: avoid online resizing failures due to oversized flex bg
wifi: rt2x00: restart beacon queue when hardware reset
selftests/bpf: satisfy compiler by having explicit return in btf test
selftests/bpf: Fix pyperf180 compilation failure with clang18
wifi: rt2x00: correct wrong BBP register in RxDCOC calibration
selftests/bpf: Fix issues in setup_classid_environment()
soc: xilinx: Fix for call trace due to the usage of smp_processor_id()
soc: xilinx: fix unhandled SGI warning message
scsi: lpfc: Fix possible file string name overflow when updating firmware
PCI: Add no PM reset quirk for NVIDIA Spectrum devices
bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk
net: usb: ax88179_178a: avoid two consecutive device resets
scsi: mpi3mr: Add PCI checks where SAS5116 diverges from SAS4116
scsi: arcmsr: Support new PCI device IDs 1883 and 1886
ARM: dts: imx7d: Fix coresight funnel ports
ARM: dts: imx7s: Fix lcdif compatible
ARM: dts: imx7s: Fix nand-controller #size-cells
wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
wifi: ath11k: fix race due to setting ATH11K_FLAG_EXT_IRQ_ENABLED too early
bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers
scsi: libfc: Don't schedule abort twice
scsi: libfc: Fix up timeout error in fc_fcp_rec_error()
bpf: Set uattr->batch.count as zero before batched update or deletion
wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()
ARM: dts: rockchip: fix rk3036 hdmi ports node
ARM: dts: imx25/27-eukrea: Fix RTC node name
ARM: dts: imx: Use flash@0,0 pattern
ARM: dts: imx27: Fix sram node
ARM: dts: imx1: Fix sram node
net: phy: at803x: fix passing the wrong reference for config_intr
ionic: pass opcode to devcmd_wait
ionic: bypass firmware cmds when stuck in reset
block/rnbd-srv: Check for unlikely string overflow
ARM: dts: imx25: Fix the iim compatible string
ARM: dts: imx25/27: Pass timing0
ARM: dts: imx27-apf27dev: Fix LED name
ARM: dts: imx23-sansa: Use preferred i2c-gpios properties
ARM: dts: imx23/28: Fix the DMA controller node name
scsi: hisi_sas: Set .phy_attached before notifing phyup event HISI_PHYE_PHY_UP_PM
ice: fix ICE_AQ_VSI_Q_OPT_RSS_* register values
net: atlantic: eliminate double free in error handling logic
net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path
block: prevent an integer overflow in bvec_try_merge_hw_page
md: Whenassemble the array, consult the superblock of the freshest device
arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property
arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property
ice: fix pre-shifted bit usage
arm64: dts: amlogic: fix format for s4 uart node
wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos
wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
wifi: cfg80211: free beacon_ies when overridden from hidden BSS
Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for QCA2066
Bluetooth: hci_sync: fix BR/EDR wakeup bug
Bluetooth: L2CAP: Fix possible multiple reject send
net/smc: disable SEID on non-s390 archs where virtual ISM may be used
bridge: cfm: fix enum typo in br_cc_ccm_tx_parse
i40e: Fix VF disable behavior to block all traffic
octeontx2-af: Fix max NPC MCAM entry check while validating ref_entry
net: dsa: qca8k: put MDIO bus OF node on qca8k_mdio_register() failure
f2fs: fix to check return value of f2fs_reserve_new_block()
ALSA: hda: Refer to correct stream index at loops
ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument
fast_dput(): handle underflows gracefully
RDMA/IPoIB: Fix error code return in ipoib_mcast_join
drm/panel-edp: Add override_edid_mode quirk for generic edp
drm/bridge: anx7625: Fix Set HPD irq detect window to 2ms
drm/amd/display: Fix tiled display misalignment
f2fs: fix write pointers on zoned device after roll forward
ASoC: amd: Add new dmi entries for acp5x platform
drm/drm_file: fix use of uninitialized variable
drm/framebuffer: Fix use of uninitialized variable
drm/mipi-dsi: Fix detach call without attach
media: stk1160: Fixed high volume of stk1160_dbg messages
media: rockchip: rga: fix swizzling for RGB formats
PCI: add INTEL_HDA_ARL to pci_ids.h
ALSA: hda: Intel: add HDA_ARL PCI ID support
media: rkisp1: Drop IRQF_SHARED
media: rkisp1: Fix IRQ handler return values
media: rkisp1: Store IRQ lines
media: rkisp1: Fix IRQ disable race issue
hwmon: (nct6775) Fix fan speed set failure in automatic mode
f2fs: fix to tag gcing flag on page during block migration
drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time
IB/ipoib: Fix mcast list locking
media: amphion: remove mutext lock in condition of wait_event
media: ddbridge: fix an error code problem in ddb_probe
media: i2c: imx335: Fix hblank min/max values
drm/amd/display: For prefetch mode > 0, extend prefetch if possible
drm/msm/dpu: Ratelimit framedone timeout msgs
drm/msm/dpu: fix writeback programming for YUV cases
drm/amdgpu: fix ftrace event amdgpu_bo_move always move on same heap
clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()
clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()
watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786
drm/amd/display: make flip_timestamp_in_us a 64-bit variable
clk: imx: clk-imx8qxp: fix LVDS bypass, pixel and phy clocks
drm/amdgpu: Fix ecc irq enable/disable unpaired
drm/amdgpu: Let KFD sync with VM fences
drm/amdgpu: Fix '*fw' from request_firmware() not released in 'amdgpu_ucode_request()'
drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'
drm/amdkfd: Fix iterator used outside loop in 'kfd_add_peer_prop()'
ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140
leds: trigger: panic: Don't register panic notifier if creating the trigger failed
um: Fix naming clash between UML and scheduler
um: Don't use vfprintf() for os_info()
um: net: Fix return type of uml_net_start_xmit()
um: time-travel: fix time corruption
i3c: master: cdns: Update maximum prescaler value for i2c clock
xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import
mfd: ti_am335x_tscadc: Fix TI SoC dependencies
mailbox: arm_mhuv2: Fix a bug for mhuv2_sender_interrupt
PCI: Only override AMD USB controller if required
PCI: switchtec: Fix stdev_release() crash after surprise hot remove
perf cs-etm: Bump minimum OpenCSD version to ensure a bugfix is present
usb: hub: Replace hardcoded quirk value with BIT() macro
usb: hub: Add quirk to decrease IN-ep poll interval for Microchip USB491x hub
selftests/sgx: Fix linker script asserts
tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE
fs/kernfs/dir: obey S_ISGID
spmi: mediatek: Fix UAF on device remove
PCI: Fix 64GT/s effective data rate calculation
PCI/AER: Decode Requester ID when no error info found
9p: Fix initialisation of netfs_inode for 9p
misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback
libsubcmd: Fix memory leak in uniq()
drm/amdkfd: Fix lock dependency warning
drm/amdkfd: Fix lock dependency warning with srcu
virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings
blk-mq: fix IO hang from sbitmap wakeup race
ceph: reinitialize mds feature bit even when session in open
ceph: fix deadlock or deadcode of misusing dget()
ceph: fix invalid pointer access if get_quota_realm return ERR_PTR
drm/amd/powerplay: Fix kzalloc parameter 'ATOM_Tonga_PPM_Table' in 'get_platform_power_management_table()'
drm/amdgpu: Fix with right return code '-EIO' in 'amdgpu_gmc_vram_checking()'
drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()'
drm/amdkfd: Fix 'node' NULL check in 'svm_range_get_range_boundaries()'
perf: Fix the nr_addr_filters fix
wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update
drm: using mul_u32_u32() requires linux/math64.h
scsi: isci: Fix an error code problem in isci_io_request_build()
regulator: ti-abb: don't use devm_platform_ioremap_resource_byname for shared interrupt register
scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler
HID: hidraw: fix a problem of memory leak in hidraw_release()
selftests: net: give more time for GRO aggregation
ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
ipv4: raw: add drop reasons
ipmr: fix kernel panic when forwarding mcast packets
net: lan966x: Fix port configuration when using SGMII interface
tcp: add sanity checks to rx zerocopy
ixgbe: Refactor returning internal error codes
ixgbe: Refactor overtemp event handling
ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()
net: dsa: qca8k: fix illegal usage of GPIO
ipv6: Ensure natural alignment of const ipv6 loopback and router addresses
llc: call sock_orphan() at release time
bridge: mcast: fix disabled snooping after long uptime
selftests: net: add missing config for GENEVE
netfilter: conntrack: correct window scaling with retransmitted SYN
netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
net: ipv4: fix a memleak in ip_setup_cork
af_unix: fix lockdep positive in sk_diag_dump_icons()
selftests: net: fix available tunnels detection
net: sysfs: Fix /sys/class/net/<iface> path
selftests: team: Add missing config options
selftests: bonding: Check initial state
arm64: irq: set the correct node for shadow call stack
mm, kmsan: fix infinite recursion due to RCU critical section
Revert "drm/amd/display: Disable PSR-SU on Parade 0803 TCON again"
drm/msm/dsi: Enable runtime PM
LoongArch/smp: Call rcutree_report_cpu_starting() at tlb_init()
gve: Fix use-after-free vulnerability
bonding: remove print in bond_verify_device_path
ASoC: codecs: lpass-wsa-macro: fix compander volume hack
ASoC: codecs: wsa883x: fix PA volume control
drm/amdgpu: Fix missing error code in 'gmc_v6/7/8/9_0_hw_init()'
Linux 6.1.77
Change-Id: I8d69fc7831db64d8a0fad88a318f03052f8bbf69
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
f28d3f0d96 |
Merge branch 'android14-6.1' into branch 'android14-6.1-lts'
We need the abi updates to be merged to the -lts branch so we can
properly track the new symbols. This includes the following commit:
|
||
|
John Scheible
|
8672a5ee4d |
ANDROID: Update the ABI symbol list
Adding the following symbols: - devm_pm_runtime_enable Bug: 335356311 Change-Id: Iecd45183cead8807974bb2a065c48aab86e47e89 Signed-off-by: John Scheible <johnscheible@google.com> |
||
|
Will McVicker
|
089d1b8f6d |
ANDROID: Add known structs used by modules to KMI
This adds `struct dwc3` and `struct kernel_all_info` to the KMI via fake GKI symbols as we know some partners are using these in their out-of-tree drivers. This ensures that future changes to these structs will not break partner builds. Bug: 332277393 Bug: 236036821 Change-Id: Ifa1ac6b71d58415339a63f16a79c1f713dda789f Signed-off-by: Will McVicker <willmcvicker@google.com> |
||
|
Greg Kroah-Hartman
|
7a8376be74 |
ANDROID: use reserved cpucaps for new capability
In commit |
||
|
Greg Kroah-Hartman
|
c801066eca |
Revert "mm/sparsemem: fix race in accessing memory_section->usage"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
2dbddbe358 |
Merge 6.1.76 into android-6.1
Changes in 6.1.76 usb: dwc3: gadget: Refactor EP0 forced stall/restart into a separate API usb: dwc3: gadget: Queue PM runtime idle on disconnect event usb: dwc3: gadget: Handle EP0 request dequeuing properly Revert "nSVM: Check for reserved encodings of TLB_CONTROL in nested VMCB" iio: adc: ad7091r: Set alert bit in config register iio: adc: ad7091r: Allow users to configure device events ext4: allow for the last group to be marked as trimmed arm64: properly install vmlinuz.efi OPP: Pass rounded rate to _set_opp() btrfs: sysfs: validate scrub_speed_max value crypto: api - Disallow identical driver names PM: hibernate: Enforce ordering during image compression/decompression hwrng: core - Fix page fault dead lock on mmap-ed hwrng crypto: s390/aes - Fix buffer overread in CTR mode s390/vfio-ap: unpin pages on gisc registration failure PM / devfreq: Fix buffer overflow in trans_stat_show media: imx355: Enable runtime PM before registering async sub-device rpmsg: virtio: Free driver_override when rpmsg_remove() media: ov9734: Enable runtime PM before registering async sub-device s390/vfio-ap: always filter entire AP matrix s390/vfio-ap: loop over the shadow APCB when filtering guest's AP configuration s390/vfio-ap: let on_scan_complete() callback filter matrix and update guest's APCB mips: Fix max_mapnr being uninitialized on early stages bus: mhi: host: Add alignment check for event ring read pointer bus: mhi: host: Drop chan lock before queuing buffers bus: mhi: host: Add spinlock to protect WP access when queueing TREs parisc/firmware: Fix F-extend for PDC addresses parisc/power: Fix power soft-off button emulation on qemu async: Split async_schedule_node_domain() async: Introduce async_schedule_dev_nocall() iio: adc: ad7091r: Enable internal vref if external vref is not supplied dmaengine: fix NULL pointer in channel unregistration function scsi: ufs: core: Remove the ufshcd_hba_exit() call from ufshcd_async_scan() arm64: dts: qcom: sc7180: fix USB wakeup interrupt types arm64: dts: qcom: sdm845: fix USB wakeup interrupt types arm64: dts: qcom: sm8150: fix USB wakeup interrupt types arm64: dts: qcom: sc7280: fix usb_1 wakeup interrupt types arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts arm64: dts: qcom: sm8150: fix USB DP/DM HS PHY interrupts lsm: new security_file_ioctl_compat() hook docs: kernel_abi.py: fix command injection scripts/get_abi: fix source path leak media: videobuf2-dma-sg: fix vmap callback mmc: core: Use mrq.sbc in close-ended ffu mmc: mmc_spi: remove custom DMA mapped buffers media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run arm64: Rename ARM64_WORKAROUND_2966298 rtc: cmos: Use ACPI alarm for non-Intel x86 systems too rtc: Adjust failure return code for cmos_set_alarm() rtc: mc146818-lib: Adjust failure return code for mc146818_get_time() rtc: Add support for configuring the UIP timeout for RTC reads rtc: Extend timeout for waiting for UIP to clear to 1s nouveau/vmm: don't set addr on the fail path to avoid warning ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path mm/rmap: fix misplaced parenthesis of a likely() mm/sparsemem: fix race in accessing memory_section->usage rename(): fix the locking of subdirectories serial: sc16is7xx: improve regmap debugfs by using one regmap per port serial: sc16is7xx: remove wasteful static buffer in sc16is7xx_regmap_name() serial: sc16is7xx: remove global regmap from struct sc16is7xx_port serial: sc16is7xx: remove unused line structure member serial: sc16is7xx: change EFR lock to operate on each channels serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO serial: sc16is7xx: fix invalid sc16is7xx_lines bitfield in case of probe error serial: sc16is7xx: remove obsolete loop in sc16is7xx_port_irq() serial: sc16is7xx: improve do/while loop in sc16is7xx_irq() LoongArch/smp: Call rcutree_report_cpu_starting() earlier mm: page_alloc: unreserve highatomic page blocks before oom ksmbd: set v2 lease version on lease upgrade ksmbd: fix potential circular locking issue in smb2_set_ea() ksmbd: don't increment epoch if current state and request state are same ksmbd: send lease break notification on FILE_RENAME_INFORMATION ksmbd: Add missing set_freezable() for freezable kthread Revert "drm/amd: Enable PCIe PME from D3" drm/amd/display: pbn_div need be updated for hotplug event wifi: mac80211: fix potential sta-link leak net/smc: fix illegal rmb_desc access in SMC-D connection dump tcp: make sure init the accept_queue's spinlocks once bnxt_en: Wait for FLR to complete during probe vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING llc: make llc_ui_sendmsg() more robust against bonding changes llc: Drop support for ETH_P_TR_802_2. udp: fix busy polling net: fix removing a namespace with conflicting altnames tun: fix missing dropped counter in tun_xdp_act tun: add missing rx stats accounting in tun_xdp_act net: micrel: Fix PTP frame parsing for lan8814 net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv netfs, fscache: Prevent Oops in fscache_put_cache() tracing: Ensure visibility when inserting an element into tracing_map afs: Hide silly-rename files from userspace tcp: Add memory barrier to tcp_push() netlink: fix potential sleeping issue in mqueue_flush_file ipv6: init the accept_queue's spinlocks in inet6_create net/mlx5: DR, Use the right GVMI number for drop action net/mlx5: DR, Can't go to uplink vport on RX rule net/mlx5: Use mlx5 device constant for selecting CQ period mode for ASO net/mlx5e: Allow software parsing when IPsec crypto is enabled net/mlx5e: fix a double-free in arfs_create_groups net/mlx5e: fix a potential double-free in fs_any_create_groups rcu: Defer RCU kthreads wakeup when CPU is dying netfilter: nft_limit: reject configurations that cause integer overflow btrfs: fix infinite directory reads btrfs: set last dir index to the current last index when opening dir btrfs: refresh dir last index during a rewinddir(3) call btrfs: fix race between reading a directory and adding entries to it netfilter: nf_tables: restrict anonymous set and map names to 16 bytes netfilter: nf_tables: validate NFPROTO_* family net: stmmac: Wait a bit for the reset to take effect net: mvpp2: clear BM pool before initialization selftests: netdevsim: fix the udp_tunnel_nic test fjes: fix memleaks in fjes_hw_setup net: fec: fix the unhandled context fault from smmu nbd: always initialize struct msghdr completely btrfs: avoid copying BTRFS_ROOT_SUBVOL_DEAD flag to snapshot of subvolume being deleted btrfs: ref-verify: free ref cache before clearing mount opt btrfs: tree-checker: fix inline ref size in error messages btrfs: don't warn if discard range is not aligned to sector btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args btrfs: don't abort filesystem when attempting to snapshot deleted subvolume rbd: don't move requests to the running list on errors exec: Fix error handling in begin_new_exec() wifi: iwlwifi: fix a memory corruption hv_netvsc: Calculate correct ring size when PAGE_SIZE is not 4 Kbytes netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain netfilter: nf_tables: reject QUEUE/DROP verdict parameters platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe ksmbd: fix global oob in ksmbd_nl_policy firmware: arm_scmi: Check mailbox/SMT channel for consistency xfs: read only mounts with fsopen mount API are busted gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 cpufreq: intel_pstate: Refine computation of P-state for given frequency drm: Don't unref the same fb many times by mistake due to deadlock handling drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking drm/tidss: Fix atomic_flush check drm/amd/display: Disable PSR-SU on Parade 0803 TCON again platform/x86: intel-uncore-freq: Fix types in sysfs callbacks drm/bridge: nxp-ptn3460: simplify some error checking drm/amd/display: Port DENTIST hang and TDR fixes to OTG disable W/A drm/amdgpu/pm: Fix the power source flag error erofs: get rid of the remaining kmap_atomic() erofs: fix lz4 inplace decompression media: ov13b10: Support device probe in non-zero ACPI D state media: ov13b10: Enable runtime PM before registering async sub-device bus: mhi: ep: Do not allocate event ring element on stack PM: core: Remove unnecessary (void *) conversions PM: sleep: Fix possible deadlocks in core system-wide PM code thermal: intel: hfi: Refactor enabling code into helper functions thermal: intel: hfi: Disable an HFI instance when all its CPUs go offline thermal: intel: hfi: Add syscore callbacks for system-wide PM fs/pipe: move check to pipe_has_watch_queue() pipe: wakeup wr_wait after setting max_usage ARM: dts: qcom: sdx55: fix USB wakeup interrupt types ARM: dts: samsung: exynos4210-i9100: Unconditionally enable LDO12 ARM: dts: qcom: sdx55: fix pdc '#interrupt-cells' ARM: dts: qcom: sdx55: fix USB DP/DM HS PHY interrupts ARM: dts: qcom: sdx55: fix USB SS wakeup dlm: use kernel_connect() and kernel_bind() serial: core: Provide port lock wrappers serial: sc16is7xx: Use port lock wrappers serial: sc16is7xx: fix unconditional activation of THRI interrupt btrfs: zoned: factor out prepare_allocation_zoned() btrfs: zoned: optimize hint byte for zoned allocator drm/panel-edp: drm/panel-edp: Fix AUO B116XAK01 name and timing Revert "powerpc/64s: Increase default stack size to 32KB" drm/bridge: parade-ps8640: Wait for HPD when doing an AUX transfer drm: panel-simple: add missing bus flags for Tianma tm070jvhg[30/33] drm/bridge: sii902x: Use devm_regulator_bulk_get_enable() drm/bridge: sii902x: Fix probing race issue drm/bridge: sii902x: Fix audio codec unregistration drm/bridge: parade-ps8640: Ensure bridge is suspended in .post_disable() drm/bridge: parade-ps8640: Make sure we drop the AUX mutex in the error case drm/exynos: fix accidental on-stack copy of exynos_drm_plane drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume gpio: eic-sprd: Clear interrupt after set the interrupt type block: Move checking GENHD_FL_NO_PART to bdev_add_partition() drm/bridge: anx7625: Ensure bridge is suspended in disable() spi: bcm-qspi: fix SFDP BFPT read by usig mspi read spi: fix finalize message on error return MIPS: lantiq: register smp_ops on non-smp platforms cxl/region:Fix overflow issue in alloc_hpa() mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan tick/sched: Preserve number of idle sleeps across CPU hotplug events x86/entry/ia32: Ensure s32 is sign extended to s64 serial: core: fix kernel-doc for uart_port_unlock_irqrestore() net/mlx5e: Handle hardware IPsec limits events Linux 6.1.76 Change-Id: I4725561e2ca5df042a1fe307af701e7d5e2d06c8 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
0eac7b614d |
Merge branch 'android14-6.1' into branch 'android14-6.1-lts'
Catch up on some ABI updates from the non-lts branch. This includes the following commits: * |
||
|
Pablo Neira Ayuso
|
77fec6cefe |
UPSTREAM: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
commit 0d459e2ffb541841714839e8228b845458ed3b27 upstream. The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called. Bug: 332996726 Cc: stable@vger.kernel.org Fixes: |
||
|
Pablo Neira Ayuso
|
e27468009d |
UPSTREAM: netfilter: nf_tables: release batch on table validation from abort path
commit a45e6889575c2067d3c0212b6bc1022891e65b91 upstream. Unlike early commit path stage which triggers a call to abort, an explicit release of the batch is required on abort, otherwise mutex is released and commit_list remains in place. Add WARN_ON_ONCE to ensure commit_list is empty from the abort path before releasing the mutex. After this patch, commit_list is always assumed to be empty before grabbing the mutex, therefore |
||
|
Pablo Neira Ayuso
|
26f2c9be9e |
UPSTREAM: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
commit 552705a3650bbf46a22b1adedc1b04181490fc36 upstream.
While the rhashtable set gc runs asynchronously, a race allows it to
collect elements from anonymous sets with timeouts while it is being
released from the commit path.
Mingi Cho originally reported this issue in a different path in 6.1.x
with a pipapo set with low timeouts which is not possible upstream since
7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set
element timeout").
Fix this by setting on the dead flag for anonymous sets to skip async gc
in this case.
According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on
transaction abort"), Florian plans to accelerate abort path by releasing
objects via workqueue, therefore, this sets on the dead flag for abort
path too.
Bug: 329205787
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Pablo Neira Ayuso
|
99aea323a3 |
UPSTREAM: netfilter: nft_set_pipapo: release elements in clone only from destroy path
[ Upstream commit b0e256f3dd2ba6532f37c5c22e07cb07a36031ee ] Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: |
||
|
Dylan Chang
|
b76ed11859 |
ANDROID: GKI: Add symbol list for Nothing
2 function symbol(s) added 'char* dentry_path_raw(const struct dentry*, char*, int)' 'int fscrypt_file_open(struct inode*, struct file*)' Bug: 334026503 Change-Id: I20b224d5336753a1fa8783178be60dbaae35b3ba Signed-off-by: Dylan Chang <dylan.chang@nothing.tech> |
||
|
Greg Kroah-Hartman
|
cd5d98c055 |
Linux 6.1.86
Link: https://lore.kernel.org/r/20240411095412.671665933@linuxfoundation.org Tested-by: Pavel Machek (CIP) <pavel@denx.de> Tested-by: SeongJae Park <sj@kernel.org> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Shuah Khan <skhan@linuxfoundation.org> Tested-by: kernelci.org bot <bot@kernelci.org> Tested-by: Ron Economos <re@w6rz.net> Tested-by: Jon Hunter <jonathanh@nvidia.com> Tested-by: Linux Kernel Functional Testing <lkft@linaro.org> Tested-by: Mateusz Jończyk <mat.jonczyk@o2.pl> Tested-by: Kelsey Steele <kelseysteele@linux.microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Ma Jun
|
c5f9fe2c1e |
Revert "drm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()"
commit 03c6284df179de3a4a6e0684764b1c71d2a405e2 upstream. This patch causes the following iounmap erorr and calltrace iounmap: bad address 00000000d0b3631f The original patch was unjustified because amdgpu_device_fini_sw() will always cleanup the rmmio mapping. This reverts commit eb4f139888f636614dab3bcce97ff61cefc4b3a7. Signed-off-by: Ma Jun <Jun.Ma2@amd.com> Suggested-by: Christian König <christian.koenig@amd.com> Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Vasiliy Kovalev
|
eea65ed738 |
VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
commit e606e4b71798cc1df20e987dde2468e9527bd376 upstream.
The changes are similar to those given in the commit 19b070fefd0d
("VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()").
Fix filling of the msg and msg_payload in dg_info struct, which prevents a
possible "detected field-spanning write" of memcpy warning that is issued
by the tracking mechanism __fortify_memcpy_chk.
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Link: https://lore.kernel.org/r/20240219105315.76955-1-kovalev@altlinux.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Florian Westphal
|
cea93dae3e |
net: mpls: error out if inner headers are not set
commit 025f8ad20f2e3264d11683aa9cbbf0083eefbdcd upstream.
mpls_gso_segment() assumes skb_inner_network_header() returns
a valid result:
mpls_hlen = skb_inner_network_header(skb) - skb_network_header(skb);
if (unlikely(!mpls_hlen || mpls_hlen % MPLS_HLEN))
goto out;
if (unlikely(!pskb_may_pull(skb, mpls_hlen)))
With syzbot reproducer, skb_inner_network_header() yields 0,
skb_network_header() returns 108, so this will
"pskb_may_pull(skb, -108)))" which triggers a newly added
DEBUG_NET_WARN_ON_ONCE() check:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5068 at include/linux/skbuff.h:2723 pskb_may_pull_reason include/linux/skbuff.h:2723 [inline]
WARNING: CPU: 0 PID: 5068 at include/linux/skbuff.h:2723 pskb_may_pull include/linux/skbuff.h:2739 [inline]
WARNING: CPU: 0 PID: 5068 at include/linux/skbuff.h:2723 mpls_gso_segment+0x773/0xaa0 net/mpls/mpls_gso.c:34
[..]
skb_mac_gso_segment+0x383/0x740 net/core/gso.c:53
nsh_gso_segment+0x40a/0xad0 net/nsh/nsh.c:108
skb_mac_gso_segment+0x383/0x740 net/core/gso.c:53
__skb_gso_segment+0x324/0x4c0 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
[..]
sch_direct_xmit+0x11a/0x5f0 net/sched/sch_generic.c:327
[..]
packet_sendmsg+0x46a9/0x6130 net/packet/af_packet.c:3113
[..]
First iteration of this patch made mpls_hlen signed and changed
test to error out to "mpls_hlen <= 0 || ..".
Eric Dumazet said:
> I was thinking about adding a debug check in skb_inner_network_header()
> if inner_network_header is zero (that would mean it is not 'set' yet),
> but this would trigger even after your patch.
So add new skb_inner_network_header_was_set() helper and use that.
The syzbot reproducer injects data via packet socket. The skb that gets
allocated and passed down the stack has ->protocol set to NSH (0x894f)
and gso_type set to SKB_GSO_UDP | SKB_GSO_DODGY.
This gets passed to skb_mac_gso_segment(), which sees NSH as ptype to
find a callback for. nsh_gso_segment() retrieves next type:
proto = tun_p_to_eth_p(nsh_hdr(skb)->np);
... which is MPLS (TUN_P_MPLS_UC). It updates skb->protocol and then
calls mpls_gso_segment(). Inner offsets are all 0, so mpls_gso_segment()
ends up with a negative header size.
In case more callers rely on silent handling of such large may_pull values
we could also 'legalize' this behaviour, either replacing the debug check
with (len > INT_MAX) test or removing it and instead adding a comment
before existing
if (unlikely(len > skb->len))
return SKB_DROP_REASON_PKT_TOO_SMALL;
test in pskb_may_pull_reason(), saying that this check also implicitly
takes care of callers that miscompute header sizes.
Cc: Simon Horman <horms@kernel.org>
Fixes: 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push helpers")
Reported-by: syzbot+99d15fcdb0132a1e1a82@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/00000000000043b1310611e388aa@google.com/raw
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240222140321.14080-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Luiz Augusto von Dentz
|
21f5cfed1e |
Bluetooth: btintel: Fixe build regression
commit 6e62ebfb49eb65bdcbfc5797db55e0ce7f79c3dd upstream.
This fixes the following build regression:
drivers-bluetooth-btintel.c-btintel_read_version()-warn:
passing-zero-to-PTR_ERR
Fixes: b79e04091010 ("Bluetooth: btintel: Fix null ptr deref in btintel_read_version")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Gwendal Grignou
|
00e34ff1ce |
platform/x86: intel-vbtn: Update tablet mode switch at end of probe
[ Upstream commit 434e5781d8cd2d0ed512d920c6cdeba4b33a2e81 ]
ACER Vivobook Flip (TP401NAS) virtual intel switch is implemented as
follow:
Device (VGBI)
{
Name (_HID, EisaId ("INT33D6") ...
Name (VBDS, Zero)
Method (_STA, 0, Serialized) // _STA: Status ...
Method (VBDL, 0, Serialized)
{
PB1E |= 0x20
VBDS |= 0x40
}
Method (VGBS, 0, Serialized)
{
Return (VBDS) /* \_SB_.PCI0.SBRG.EC0_.VGBI.VBDS */
}
...
}
By default VBDS is set to 0. At boot it is set to clamshell (bit 6 set)
only after method VBDL is executed.
Since VBDL is now evaluated in the probe routine later, after the device
is registered, the retrieved value of VBDS was still 0 ("tablet mode")
when setting up the virtual switch.
Make sure to evaluate VGBS after VBDL, to ensure the
convertible boots in clamshell mode, the expected default.
Fixes:
|
||
|
Kees Cook
|
e80b4980af |
randomize_kstack: Improve entropy diffusion
[ Upstream commit 9c573cd313433f6c1f7236fe64b9b743500c1628 ]
The kstack_offset variable was really only ever using the low bits for
kernel stack offset entropy. Add a ror32() to increase bit diffusion.
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Fixes:
|
||
|
David Hildenbrand
|
649e564636 |
virtio: reenable config if freezing device failed
commit 310227f42882c52356b523e2f4e11690eebcd2ab upstream.
Currently, we don't reenable the config if freezing the device failed.
For example, virtio-mem currently doesn't support suspend+resume, and
trying to freeze the device will always fail. Afterwards, the device
will no longer respond to resize requests, because it won't get notified
about config changes.
Let's fix this by re-enabling the config if freezing fails.
Fixes:
|
||
|
Martin K. Petersen
|
3a9c459091 |
scsi: sd: usb_storage: uas: Access media prior to querying device properties
[ Upstream commit 321da3dc1f3c92a12e3c5da934090d2992a8814c ] It has been observed that some USB/UAS devices return generic properties hardcoded in firmware for mode pages for a period of time after a device has been discovered. The reported properties are either garbage or they do not accurately reflect the characteristics of the physical storage device attached in the case of a bridge. Prior to commit |
||
|
Greg Kroah-Hartman
|
345b6b8319 |
Revert "scsi: core: Add struct for args to execution functions"
This reverts commit |
||
|
Greg Kroah-Hartman
|
f1465ff4c8 |
Revert "scsi: sd: usb_storage: uas: Access media prior to querying device properties"
This reverts commit
|
||
|
Ard Biesheuvel
|
cf0650adb6 |
gcc-plugins/stackleak: Avoid .head.text section
commit e7d24c0aa8e678f41457d1304e2091cac6fd1a2e upstream.
The .head.text section carries the startup code that runs with the MMU
off or with a translation of memory that deviates from the ordinary one.
So avoid instrumentation with the stackleak plugin, which already avoids
.init.text and .noinstr.text entirely.
Fixes: 48204aba801f1b51 ("x86/sme: Move early SME kernel encryption handling into .head.text")
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202403221630.2692c998-oliver.sang@intel.com
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20240328064256.2358634-2-ardb+git@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Thadeu Lima de Souza Cascardo
|
2b85977977 |
tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
commit
|
||
|
Pablo Neira Ayuso
|
2aeb805a1b |
netfilter: nf_tables: discard table flag update with pending basechain deletion
commit 1bc83a019bbe268be3526406245ec28c2458a518 upstream.
Hook unregistration is deferred to the commit phase, same occurs with
hook updates triggered by the table dormant flag. When both commands are
combined, this results in deleting a basechain while leaving its hook
still registered in the core.
Fixes:
|
||
|
Pablo Neira Ayuso
|
8d3a58af50 |
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
commit 0d459e2ffb541841714839e8228b845458ed3b27 upstream.
The commit mutex should not be released during the critical section
between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
worker could collect expired objects and get the released commit lock
within the same GC sequence.
nf_tables_module_autoload() temporarily releases the mutex to load
module dependencies, then it goes back to replay the transaction again.
Move it at the end of the abort phase after nft_gc_seq_end() is called.
Cc: stable@vger.kernel.org
Fixes:
|
||
|
Pablo Neira Ayuso
|
fcd1993a29 |
netfilter: nf_tables: release batch on table validation from abort path
commit a45e6889575c2067d3c0212b6bc1022891e65b91 upstream. Unlike early commit path stage which triggers a call to abort, an explicit release of the batch is required on abort, otherwise mutex is released and commit_list remains in place. Add WARN_ON_ONCE to ensure commit_list is empty from the abort path before releasing the mutex. After this patch, commit_list is always assumed to be empty before grabbing the mutex, therefore |