Commit Graph

1169512 Commits

Author SHA1 Message Date
Greg Kroah-Hartman
5a2ca52ae4 Revert "of: property: Increase NR_FWNODE_REFERENCE_ARGS"
This reverts commit 062de5f4e4 which is
commit eb50844d728f11e87491f7c7af15a4a737f1159d upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I2833326c84fb62df39111b13d7875eb71459781e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 13:11:01 +00:00
Greg Kroah-Hartman
f6e3f07621 Revert "can: statistics: use atomic access in hot path"
This reverts commit 4b07ce83e9 which is
commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I5458aa41226201953c4c9be42e4c3993293c8b7b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 13:11:01 +00:00
Greg Kroah-Hartman
522ff9a1db Merge 6.1.134 into android14-6.1-lts
Changes in 6.1.134
	watch_queue: fix pipe accounting mismatch
	x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
	cpufreq: scpi: compare kHz instead of Hz
	smack: dont compile ipv6 code unless ipv6 is configured
	cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
	x86/fpu: Fix guest FPU state buffer allocation size
	x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct()
	x86/platform: Only allow CONFIG_EISA for 32-bit
	x86/sev: Add missing RIP_REL_REF() invocations during sme_enable()
	lockdep/mm: Fix might_fault() lockdep check of current->mm->mmap_lock
	PM: sleep: Adjust check before setting power.must_resume
	selinux: Chain up tool resolving errors in install_policy.sh
	EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
	EDAC/ie31200: Fix the DIMM size mask for several SoCs
	EDAC/ie31200: Fix the error path order of ie31200_init()
	thermal: int340x: Add NULL check for adev
	PM: sleep: Fix handling devices with direct_complete set on errors
	lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*()
	perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
	x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures
	media: verisilicon: HEVC: Initialize start_bit field
	media: platform: allgro-dvt: unregister v4l2_device on the error path
	ASoC: cs35l41: check the return value from spi_setup()
	HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
	ALSA: hda/realtek: Always honor no_shutup_pins
	ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible
	drm/bridge: ti-sn65dsi86: Fix multiple instances
	drm/dp_mst: Fix drm RAD print
	drm/bridge: it6505: fix HDCP V match check is not performed correctly
	drm: xlnx: zynqmp: Fix max dma segment size
	drm/vkms: Fix use after free and double free on init error
	PCI: Use downstream bridges for distributing resources
	drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
	drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
	PCI/ASPM: Fix link state exit during switch upstream function removal
	drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host
	PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload
	PCI: brcmstb: Use internal register to change link capability
	PCI: brcmstb: Fix error path after a call to regulator_bulk_get()
	PCI: brcmstb: Fix potential premature regulator disabling
	PCI/portdrv: Only disable pciehp interrupts early when needed
	PCI: Avoid reset when disabled via sysfs
	drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters()
	PCI: Remove stray put_device() in pci_register_host_bridge()
	PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe
	drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()
	drm/amd/display: avoid NPD when ASIC does not support DMUB
	PCI: pciehp: Don't enable HPIE when resuming in poll mode
	fbdev: au1100fb: Move a variable assignment behind a null pointer check
	mdacon: rework dependency list
	fbdev: sm501fb: Add some geometry checks.
	clk: amlogic: gxbb: drop incorrect flag on 32k clock
	crypto: hisilicon/sec2 - fix for aead authsize alignment
	remoteproc: core: Clear table_sz when rproc_shutdown
	of: property: Increase NR_FWNODE_REFERENCE_ARGS
	remoteproc: qcom_q6v5_pas: Make single-PD handling more robust
	libbpf: Fix hypothetical STT_SECTION extern NULL deref case
	selftests/bpf: Fix string read in strncmp benchmark
	clk: samsung: Fix UBSAN panic in samsung_clk_init()
	clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock
	bpf: Use preempt_count() directly in bpf_send_signal_common()
	lib: 842: Improve error handling in sw842_compress()
	pinctrl: renesas: rza2: Fix missing of_node_put() call
	pinctrl: renesas: rzg2l: Fix missing of_node_put() call
	clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent
	RDMA/core: Don't expose hw_counters outside of init net namespace
	RDMA/mlx5: Fix calculation of total invalidated pages
	RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()
	remoteproc: qcom_q6v5_mss: Handle platforms with one power domain
	IB/mad: Check available slots before posting receive WRs
	pinctrl: tegra: Set SFIO mode to Mux Register
	clk: amlogic: g12b: fix cluster A parent data
	clk: amlogic: gxbb: drop non existing 32k clock parent
	selftests/bpf: Select NUMA_NO_NODE to create map
	clk: amlogic: g12a: fix mmc A peripheral clock
	x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1
	power: supply: max77693: Fix wrong conversion of charge input threshold value
	crypto: nx - Fix uninitialised hv_nxc on error
	RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
	pinctrl: renesas: rzv2m: Fix missing of_node_put() call
	mfd: sm501: Switch to BIT() to mitigate integer overflows
	x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment
	crypto: hisilicon/sec2 - fix for aead auth key length
	clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock
	isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
	soundwire: slave: fix an OF node reference leak in soundwire slave device
	coresight: catu: Fix number of pages while using 64k pages
	coresight-etm4x: add isb() before reading the TRCSTATR
	iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio
	iio: accel: msa311: Fix failure to release runtime pm if direct mode claim fails.
	usb: xhci: correct debug message page size calculation
	fs/ntfs3: Fix a couple integer overflows on 32bit systems
	iio: adc: ad7124: Fix comparison of channel configs
	perf evlist: Add success path to evlist__create_syswide_maps
	perf units: Fix insufficient array space
	kexec: initialize ELF lowest address to ULONG_MAX
	ocfs2: validate l_tree_depth to avoid out-of-bounds access
	arch/powerpc: drop GENERIC_PTDUMP from mpc885_ads_defconfig
	NFSv4: Don't trigger uneccessary scans for return-on-close delegations
	fuse: fix dax truncate/punch_hole fault path
	um: remove copy_from_kernel_nofault_allowed
	i3c: master: svc: Fix missing the IBI rules
	perf python: Fixup description of sample.id event member
	perf python: Decrement the refcount of just created event on failure
	perf python: Don't keep a raw_data pointer to consumed ring buffer space
	perf python: Check if there is space to copy all the event
	staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES
	fs/procfs: fix the comment above proc_pid_wchan()
	perf tools: annotate asm_pure_loop.S
	objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
	exfat: fix the infinite loop in exfat_find_last_cluster()
	rtnetlink: Allocate vfinfo size for VF GUIDs when supported
	rndis_host: Flag RNDIS modems as WWAN devices
	ksmbd: use aead_request_free to match aead_request_alloc
	ksmbd: fix multichannel connection failure
	net/mlx5e: SHAMPO, Make reserved size independent of page size
	ring-buffer: Fix bytes_dropped calculation issue
	LoongArch: Fix help text of CMDLINE_EXTEND in Kconfig
	ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid
	octeontx2-af: Fix mbox INTR handler when num VFs > 64
	octeontx2-af: Free NIX_AF_INT_VEC_GEN irq
	sched/smt: Always inline sched_smt_active()
	context_tracking: Always inline ct_{nmi,irq}_{enter,exit}()
	rcu-tasks: Always inline rcu_irq_work_resched()
	wifi: iwlwifi: fw: allocate chained SG tables for dump
	wifi: iwlwifi: mvm: use the right version of the rate API
	nvme-tcp: fix possible UAF in nvme_tcp_poll
	nvme-pci: clean up CMBMSC when registering CMB fails
	nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
	wifi: brcmfmac: keep power during suspend if board requires it
	affs: generate OFS sequence numbers starting at 1
	affs: don't write overlarge OFS data block size fields
	ALSA: hda/realtek: Fix Asus Z13 2025 audio
	ALSA: hda: Fix speakers on ASUS EXPERTBOOK P5405CSA 1.0
	platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet
	HID: i2c-hid: improve i2c_hid_get_report error message
	ALSA: hda/realtek: Add support for ASUS ROG Strix G614 Laptops using CS35L41 HDA
	ALSA: hda/realtek: Add support for ASUS Zenbook UM3406KA Laptops using CS35L41 HDA
	sched/deadline: Use online cpus for validating runtime
	locking/semaphore: Use wake_q to wake up processes outside lock critical section
	x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled
	drm/amd: Keep display off while going into S4
	ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx
	can: statistics: use atomic access in hot path
	memory: omap-gpmc: drop no compatible check
	hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
	spufs: fix a leak on spufs_new_file() failure
	spufs: fix gang directory lifetimes
	spufs: fix a leak in spufs_create_context()
	riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and make_call_ra
	ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
	ntb: intel: Fix using link status DB's
	ASoC: imx-card: Add NULL check in imx_card_probe()
	netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only
	netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
	net_sched: skbprio: Remove overly strict queue assertions
	net: mvpp2: Prevent parser TCAM memory corruption
	udp: Fix memory accounting leak.
	vsock: avoid timeout during connect() if the socket is closing
	tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().
	netfilter: nft_tunnel: fix geneve_opt type confusion addition
	ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS
	net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on destroy
	net: fix geneve_opt length integer overflow
	ipv6: Start path selection from the first nexthop
	ipv6: Do not consider link down nexthops in path selection
	arcnet: Add NULL check in com20020pci_probe()
	io_uring/filetable: ensure node switch is always done, if needed
	drm/amdgpu/gfx11: fix num_mec
	tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform
	tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers
	usbnet:fix NPE during rx_complete
	LoongArch: Increase ARCH_DMA_MINALIGN up to 16
	LoongArch: BPF: Fix off-by-one error in build_prologue()
	LoongArch: BPF: Use move_addr() for BPF_PSEUDO_FUNC
	platform/x86: ISST: Correct command storage data length
	ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk()
	perf/x86/intel: Apply static call for drain_pebs
	perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read
	kunit/overflow: Fix UB in overflow_allocation_test
	btrfs: handle errors from btrfs_dec_ref() properly
	x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
	x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
	acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
	ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
	mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
	mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD
	ksmbd: add bounds check for create lease context
	ksmbd: fix use-after-free in ksmbd_sessions_deregister()
	ksmbd: fix session use-after-free in multichannel connection
	ksmbd: validate zero num_subauth before sub_auth is accessed
	tracing: Fix use-after-free in print_graph_function_flags during tracer switching
	tracing: Ensure module defining synth event cannot be unloaded while tracing
	tracing: Fix synth event printk format for str fields
	tracing/osnoise: Fix possible recursive locking for cpus_read_lock()
	arm64: Don't call NULL in do_compat_alignment_fixup()
	ext4: don't over-report free space or inodes in statvfs
	ext4: fix OOB read when checking dotdot dir
	jfs: fix slab-out-of-bounds read in ea_get()
	jfs: add index corruption check to DT_GETPAGE()
	media: streamzap: fix race between device disconnection and urb callback
	nfsd: put dl_stid if fail to queue dl_recall
	NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
	tracing: Do not use PERF enums when perf is not defined
	Linux 6.1.134

Change-Id: I839a629271fb53021a249cc4f69a668d78f723e3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 13:05:15 +00:00
Greg Kroah-Hartman
4878fe79fa Merge 6.1.133 into android14-6.1-lts
Changes in 6.1.133
	ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names
	HID: hid-plantronics: Add mic mute mapping and generalize quirks
	atm: Fix NULL pointer dereference
	ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()
	ARM: 9351/1: fault: Add "cut here" line for prefetch aborts
	ARM: Remove address checking for MMUless devices
	drm/amd/display: Check denominator crb_pipes before used
	netfilter: socket: Lookup orig tuple for IPv6 SNAT
	ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx
	counter: stm32-lptimer-cnt: fix error handling when enabling
	counter: microchip-tcb-capture: Fix undefined counter channel state on probe
	tty: serial: 8250: Add some more device IDs
	tty: serial: 8250: Add Brainboxes XC devices
	net: usb: qmi_wwan: add Telit Cinterion FN990B composition
	net: usb: qmi_wwan: add Telit Cinterion FE990B composition
	net: usb: usbnet: restore usb%d name exception for local mac addresses
	memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
	serial: 8250_dma: terminate correct DMA in tx_dma_flush()
	usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c
	usb: typec: ucsi: Fix NULL pointer access
	media: i2c: et8ek8: Don't strip remove function when driver is builtin
	ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6
	Linux 6.1.133

Change-Id: I77eaef12f435acdaa92e4c97431104044fc736f5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 13:04:02 +00:00
Greg Kroah-Hartman
e3b905a701 Merge 6.1.132 into android14-6.1-lts
Changes in 6.1.132
	clockevents/drivers/i8253: Fix stop sequence for timer 0
	sched/isolation: Prevent boot crash when the boot CPU is nohz_full
	hrtimer: Use and report correct timerslack values for realtime tasks
	fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super
	fbdev: hyperv_fb: iounmap() the correct memory when removing a device
	pinctrl: bcm281xx: Fix incorrect regmap max_registers value
	netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template.
	ice: fix memory leak in aRFS after reset
	netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around
	sched: address a potential NULL pointer dereference in the GRED scheduler.
	wifi: cfg80211: cancel wiphy_work before freeing wiphy
	Bluetooth: hci_event: Fix enabling passive scanning
	Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context"
	net: dsa: mv88e6xxx: Verify after ATU Load ops
	net: mctp i2c: Copy headers if cloned
	netpoll: hold rcu read lock in __netpoll_send_skb()
	drm/hyperv: Fix address space leak when Hyper-V DRM device is removed
	Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()
	net/mlx5: handle errors in mlx5_chains_create_table()
	eth: bnxt: do not update checksum in bnxt_xdp_build_skb()
	net: switchdev: Convert blocking notification chain to a raw one
	bonding: fix incorrect MAC address setting to receive NS messages
	netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
	ipvs: prevent integer overflow in do_ip_vs_get_ctl()
	net_sched: Prevent creation of classes with TC_H_ROOT
	netfilter: nft_exthdr: fix offset with ipv4_find_option()
	gre: Fix IPv6 link-local address generation.
	net: openvswitch: remove misbehaving actions length check
	net/mlx5: Bridge, fix the crash caused by LAG state check
	net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices
	nvme-fc: go straight to connecting state when initializing
	hrtimers: Mark is_migration_base() with __always_inline
	powercap: call put_device() on an error path in powercap_register_control_type()
	iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
	scsi: core: Use GFP_NOIO to avoid circular locking dependency
	scsi: qla1280: Fix kernel oops when debug level > 2
	ACPI: resource: IRQ override for Eluktronics MECH-17
	smb: client: fix noisy when tree connecting to DFS interlink targets
	alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support
	vboxsf: fix building with GCC 15
	HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell
	HID: intel-ish-hid: Send clock sync message immediately after reset
	HID: ignore non-functional sensor in HP 5MP Camera
	HID: hid-apple: Apple Magic Keyboard a3203 USB-C support
	HID: apple: fix up the F6 key on the Omoton KB066 keyboard
	sched: Clarify wake_up_q()'s write to task->wake_q.next
	platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e
	platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles
	s390/cio: Fix CHPID "configure" attribute caching
	thermal/cpufreq_cooling: Remove structure member documentation
	Xen/swiotlb: mark xen_swiotlb_fixup() __init
	ALSA: hda/realtek: Limit mic boost on Positivo ARN50
	ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime()
	ASoC: rsnd: adjust convert rate limitation
	ASoC: arizona/madera: use fsleep() in up/down DAPM event delays.
	ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module
	net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors
	nvme-pci: quirk Acer FA100 for non-uniqueue identifiers
	nvme-tcp: add basic support for the C2HTermReq PDU
	nvmet-rdma: recheck queue state is LIVE in state lock in recv done
	sctp: Fix undefined behavior in left shift operation
	nvme: only allow entering LIVE from CONNECTING state
	ASoC: tas2770: Fix volume scale
	ASoC: tas2764: Fix power control mask
	ASoC: tas2764: Set the SDOUT polarity correctly
	fuse: don't truncate cached, mutated symlink
	perf/x86/intel: Use better start period for frequency mode
	x86/irq: Define trace events conditionally
	mptcp: safety check before fallback
	drm/nouveau: Do not override forced connector status
	block: fix 'kmem_cache of name 'bio-108' already exists'
	io_uring: return error pointer from io_mem_alloc()
	io_uring: add ring freeing helper
	mm: add nommu variant of vm_insert_pages()
	io_uring: get rid of remap_pfn_range() for mapping rings/sqes
	io_uring: don't attempt to mmap larger than what the user asks for
	io_uring: fix corner case forgetting to vunmap
	xfs: pass refcount intent directly through the log intent code
	xfs: pass xfs_extent_free_item directly through the log intent code
	xfs: fix confusing xfs_extent_item variable names
	xfs: pass the xfs_bmbt_irec directly through the log intent code
	xfs: pass per-ag references to xfs_free_extent
	xfs: validate block number being freed before adding to xefi
	xfs: fix bounds check in xfs_defer_agfl_block()
	xfs: use deferred frees for btree block freeing
	xfs: reserve less log space when recovering log intent items
	xfs: move the xfs_rtbitmap.c declarations to xfs_rtbitmap.h
	xfs: convert rt bitmap extent lengths to xfs_rtbxlen_t
	xfs: consider minlen sized extents in xfs_rtallocate_extent_block
	xfs: don't leak recovered attri intent items
	xfs: make rextslog computation consistent with mkfs
	xfs: fix 32-bit truncation in xfs_compute_rextslog
	xfs: don't allow overly small or large realtime volumes
	xfs: remove unused fields from struct xbtree_ifakeroot
	xfs: recompute growfsrtfree transaction reservation while growing rt volume
	xfs: force all buffers to be written during btree bulk load
	xfs: initialise di_crc in xfs_log_dinode
	xfs: add lock protection when remove perag from radix tree
	xfs: fix perag leak when growfs fails
	xfs: ensure logflagsp is initialized in xfs_bmap_del_extent_real
	xfs: update dir3 leaf block metadata after swap
	xfs: reset XFS_ATTR_INCOMPLETE filter on node removal
	xfs: remove conditional building of rt geometry validator functions
	Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ
	Input: i8042 - add required quirks for missing old boardnames
	Input: i8042 - swap old quirk combination with new quirk for several devices
	Input: i8042 - swap old quirk combination with new quirk for more devices
	USB: serial: ftdi_sio: add support for Altera USB Blaster 3
	USB: serial: option: add Telit Cinterion FE990B compositions
	USB: serial: option: fix Telit Cinterion FE990A name
	USB: serial: option: match on interface class for Telit FN990B
	x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
	drm/atomic: Filter out redundant DPMS calls
	drm/dp_mst: Fix locking when skipping CSN before topology probing
	drm/amd/display: Restore correct backlight brightness after a GPU reset
	drm/amd/display: Assign normalized_pix_clk when color depth = 14
	drm/amd/display: Fix slab-use-after-free on hdcp_work
	clk: samsung: update PLL locktime for PLL142XX used on FSD platform
	ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model
	qlcnic: fix memory leak issues in qlcnic_sriov_common.c
	rust: Disallow BTF generation with Rust + LTO
	lib/buildid: Handle memfd_secret() files in build_id_parse()
	tcp: fix races in tcp_abort()
	tcp: fix forever orphan socket caused by tcp_abort
	leds: mlxreg: Use devm_mutex_init() for mutex initialization
	ASoC: ops: Consistently treat platform_max as control value
	drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()
	ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()
	scripts: generate_rust_analyzer: Handle sub-modules with no Makefile
	scripts: `make rust-analyzer` for out-of-tree modules
	scripts: generate_rust_analyzer: provide `cfg`s for `core` and `alloc`
	scripts: generate_rust_analyzer: add missing macros deps
	cifs: Fix integer overflow while processing acregmax mount option
	cifs: Fix integer overflow while processing acdirmax mount option
	cifs: Fix integer overflow while processing actimeo mount option
	cifs: Fix integer overflow while processing closetimeo mount option
	i2c: ali1535: Fix an error handling path in ali1535_probe()
	i2c: ali15x3: Fix an error handling path in ali15x3_probe()
	i2c: sis630: Fix an error handling path in sis630_probe()
	arm64: mm: Populate vmemmap at the page level if not section aligned
	smb3: add support for IAKerb
	smb: client: Fix match_session bug preventing session reuse
	HID: apple: disable Fn key handling on the Omoton KB066
	nvme-tcp: Fix a C2HTermReq error message
	smb: client: fix potential UAF in cifs_dump_full_key()
	firmware: imx-scu: fix OF node leak in .probe()
	arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply
	xfrm_output: Force software GSO only in tunnel mode
	soc: imx8m: Remove global soc_uid
	soc: imx8m: Use devm_* to simplify probe failure handling
	soc: imx8m: Unregister cpufreq and soc dev in cleanup path
	ARM: dts: bcm2711: PL011 UARTs are actually r1p5
	RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx
	ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP
	ARM: dts: bcm2711: Don't mark timer regs unconfigured
	RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path
	RDMA/hns: Fix soft lockup during bt pages loop
	RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db()
	RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common()
	RDMA/hns: Fix wrong value of max_sge_rd
	Bluetooth: Fix error code in chan_alloc_skb_cb()
	ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
	ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create().
	net: atm: fix use after free in lec_send()
	net: lwtunnel: fix recursion loops
	net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES
	Revert "gre: Fix IPv6 link-local address generation."
	i2c: omap: fix IRQ storms
	can: rcar_canfd: Fix page entries in the AFL list
	can: flexcan: only change CAN state when link up in system PM
	can: flexcan: disable transceiver during system PM
	drm/v3d: Don't run jobs that have errors flagged in its fence
	regulator: check that dummy regulator has been probed before using it
	arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card
	mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops
	mmc: atmel-mci: Add missing clk_disable_unprepare()
	proc: fix UAF in proc_get_inode()
	ARM: shmobile: smp: Enforce shmobile_smp_* alignment
	efi/libstub: Avoid physical address 0x0 when doing random allocation
	xsk: fix an integer overflow in xp_create_and_assign_umem()
	batman-adv: Ignore own maximum aggregation size during RX
	soc: qcom: pdr: Fix the potential deadlock
	drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
	drm/amdgpu: Fix JPEG video caps max size for navi1x and raven
	ksmbd: fix incorrect validation for num_aces field of smb_acl
	drm/amd/display: Use HW lock mgr for PSR1 when only one eDP
	mptcp: Fix data stream corruption in the address announcement
	netfilter: nft_counter: Use u64_stats_t for statistic.
	drm/mediatek: Fix coverity issue with unintentional integer overflow
	media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning
	arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S
	drm/amdgpu: fix use-after-free bug
	fs/ntfs3: Change new sparse cluster processing
	wifi: iwlwifi: mvm: ensure offloading TID queue exists
	mm/migrate: fix shmem xarray update during migration
	block, bfq: fix re-introduced UAF in bic_set_bfqq()
	xfs: give xfs_extfree_intent its own perag reference
	Linux 6.1.132

Change-Id: If8f5c0975337904552609e4542f88d5516d3d64d
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 13:02:29 +00:00
Greg Kroah-Hartman
919facc02c Merge 99ddc1491b ("ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()") into android14-6.1-lts
Steps on the way to 6.1.132

Change-Id: If8184688e643a49c75fddc490c23dd0673a393d5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 09:56:35 +00:00
Greg Kroah-Hartman
6151e5151b Revert "tcp: fix races in tcp_abort()"
This reverts commit cae9d2b162 which is
commit 5ce4645c23cf5f048eb8e9ce49e514bababdee85 upstream.

It breaks Android testing and can be brought back in the future
in a safe way if it is really needed.

Bug: 411037744
Change-Id: I02ba2e4b3c519bad7686ddec5fa8a8ff7036768b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 09:50:28 +00:00
Greg Kroah-Hartman
0f8bbe98f1 Revert "tcp: fix forever orphan socket caused by tcp_abort"
This reverts commit b753821e06 which is
commit bac76cf89816bff06c4ec2f3df97dc34e150a1c4 upstream.

It breaks Android testing and can be brought back in the future
in a safe way if it is really needed.

Bug: 411037744
Change-Id: I8a0f8b55aa851ea12f13f76ee45d705b1433cd42
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 09:50:07 +00:00
Greg Kroah-Hartman
c5f96457ad Merge b753821e06 ("tcp: fix forever orphan socket caused by tcp_abort") into android14-6.1-lts
Steps on the way to 6.1.132

Change-Id: Ifc65292ebb54b517fddc9c4ece3a8513d1259bb3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 07:45:41 +00:00
Greg Kroah-Hartman
1231f555d1 Merge cae9d2b162 ("tcp: fix races in tcp_abort()") into android14-6.1-lts
Steps on the way to 6.1.132

Change-Id: I08d48009db654a028a94cbe2285c1ea5de1ef8c5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 07:45:18 +00:00
Greg Kroah-Hartman
e6079359f7 Merge f9d0a13727 ("lib/buildid: Handle memfd_secret() files in build_id_parse()") into android14-6.1-lts
Steps on the way to 6.1.132

Change-Id: Ic857f63a2883154a4c5f69c6c58820922d9ccf0e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 07:43:23 +00:00
Greg Kroah-Hartman
b2b62f9ec8 Merge 4964dbc419 ("drm/amd/display: Fix slab-use-after-free on hdcp_work") into android14-6.1-lts
Steps on the way to 6.1.132

Change-Id: Ib1da8d5bb95a224059c16e97e7f83f09b9468388
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-16 07:38:35 +00:00
Greg Kroah-Hartman
39fddf40eb Merge 870e3066fe ("Input: i8042 - swap old quirk combination with new quirk for more devices") into android14-6.1-lts
Steps on the way to 6.1.132

Change-Id: Ia2d3d402dafb292ae1ce15725f8a8372a9fb845a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-15 17:15:29 +00:00
Greg Kroah-Hartman
01ad57e248 Merge 9135df0218 ("io_uring: fix corner case forgetting to vunmap") into android14-6.1-lts
Steps on the way to 6.1.132

Change-Id: I855f7a2603de64f149c734218c9d7e2bc26c2a15
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-15 17:15:09 +00:00
Greg Kroah-Hartman
abd5ee4e51 ANDROID: GKI: Update .stg file based on io_ring_ctx internal change
In commit 9aeb68337a ("io_uring: get rid of remap_pfn_range() for
mapping rings/sqes") struct io_ring_ctx had some new fields added to fix
some security issues.  This is an internal-to-the-io_uring-core
structure, but happens to have a pointer to this structure in other
structures that we track for ABI compliance.  Because this is not an
"anonymous" pointer, it breaks the ABI checking.  But as this is an
internal structure it is safe to change as no external module ever
accesses this structure at all.

The .stg update is:

type 'struct io_ring_ctx' changed
  byte size changed from 1344 to 1408
  member 'unsigned short n_ring_pages' was added
  member 'unsigned short n_sqe_pages' was added
  member 'struct page** ring_pages' was added
  member 'struct page** sqe_pages' was added

Change-Id: I8029a8028271d85a19770702c024a4bac0746851
Fixes: 9aeb68337a ("io_uring: get rid of remap_pfn_range() for mapping rings/sqes")
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-11 05:10:04 -07:00
Greg Kroah-Hartman
4076744180 ANDROID: GKI: fix build breakage in io_uring during 6.1.132 merge
In commit 9aeb68337a ("io_uring: get rid of remap_pfn_range() for
mapping rings/sqes"), direct access to vm_flags was attempted, but
that's not allowed anymore in the Android 6.1 branch due to other
upstream changes merged into here.  Fix this up by calling the proper
vm_flags_set() function instead.

Fixes: 9aeb68337a ("io_uring: get rid of remap_pfn_range() for mapping rings/sqes")
Change-Id: I05bdf96a2f6760e9388237d71d2471c373e29c0c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-04-11 08:30:38 +00:00
Greg Kroah-Hartman
4201028358 Linux 6.1.134
Link: https://lore.kernel.org/r/20250408104820.266892317@linuxfoundation.org
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: SeongJae Park <sj@kernel.org>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Link: https://lore.kernel.org/r/20250409115832.610030955@linuxfoundation.org
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:44 +02:00
Steven Rostedt
1a84c0be74 tracing: Do not use PERF enums when perf is not defined
commit 8eb1518642738c6892bd629b46043513a3bf1a6a upstream.

An update was made to up the module ref count when a synthetic event is
registered for both trace and perf events. But if perf is not configured
in, the perf enums used will cause the kernel to fail to build.

Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Douglas Raillard <douglas.raillard@arm.com>
Link: https://lore.kernel.org/20250323152151.528b5ced@batman.local.home
Fixes: 21581dd4e7ff ("tracing: Ensure module defining synth event cannot be unloaded while tracing")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202503232230.TeREVy8R-lkp@intel.com/
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Chuck Lever
14a6b65c83 NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
commit 8a388c1fabeb6606e16467b23242416c0dbeffad upstream.

NFSD sends CB_RECALL_ANY to clients when the server is low on
memory or that client has a large number of delegations outstanding.

We've seen cases where NFSD attempts to send CB_RECALL_ANY requests
to disconnected clients, and gets confused. These calls never go
anywhere if a backchannel transport to the target client isn't
available. Before the server can send any backchannel operation, the
client has to connect first and then do a BIND_CONN_TO_SESSION.

This patch doesn't address the root cause of the confusion, but
there's no need to queue up these optional operations if they can't
go anywhere.

Fixes: 44df6f439a ("NFSD: add delegation reaper to react to low memory condition")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Li Lingfeng
d96587cc93 nfsd: put dl_stid if fail to queue dl_recall
commit 230ca758453c63bd38e4d9f4a21db698f7abada8 upstream.

Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we
increment the reference count of dl_stid.
We expect that after the corresponding work_struct is processed, the
reference count of dl_stid will be decremented through the callback
function nfsd4_cb_recall_release.
However, if the call to nfsd4_run_cb fails, the incremented reference
count of dl_stid will not be decremented correspondingly, leading to the
following nfs4_stid leak:
unreferenced object 0xffff88812067b578 (size 344):
  comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
  hex dump (first 32 bytes):
    01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........
    00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..
  backtrace:
    kmem_cache_alloc+0x4b9/0x700
    nfsd4_process_open1+0x34/0x300
    nfsd4_open+0x2d1/0x9d0
    nfsd4_proc_compound+0x7a2/0xe30
    nfsd_dispatch+0x241/0x3e0
    svc_process_common+0x5d3/0xcc0
    svc_process+0x2a3/0x320
    nfsd+0x180/0x2e0
    kthread+0x199/0x1d0
    ret_from_fork+0x30/0x50
    ret_from_fork_asm+0x1b/0x30
unreferenced object 0xffff8881499f4d28 (size 368):
  comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....
    30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......
  backtrace:
    kmem_cache_alloc+0x4b9/0x700
    nfs4_alloc_stid+0x29/0x210
    alloc_init_deleg+0x92/0x2e0
    nfs4_set_delegation+0x284/0xc00
    nfs4_open_delegation+0x216/0x3f0
    nfsd4_process_open2+0x2b3/0xee0
    nfsd4_open+0x770/0x9d0
    nfsd4_proc_compound+0x7a2/0xe30
    nfsd_dispatch+0x241/0x3e0
    svc_process_common+0x5d3/0xcc0
    svc_process+0x2a3/0x320
    nfsd+0x180/0x2e0
    kthread+0x199/0x1d0
    ret_from_fork+0x30/0x50
    ret_from_fork_asm+0x1b/0x30
Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if
fail to queue dl_recall.

Cc: stable@vger.kernel.org
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Murad Masimov
30ef7cfee7 media: streamzap: fix race between device disconnection and urb callback
commit f656cfbc7a293a039d6a0c7100e1c846845148c1 upstream.

Syzkaller has reported a general protection fault at function
ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer
dereference of dev->raw pointer, even though it is checked for NULL in
the same function, which means there is a race condition. It occurs due
to the incorrect order of actions in the streamzap_disconnect() function:
rc_unregister_device() is called before usb_kill_urb(). The dev->raw
pointer is freed and set to NULL in rc_unregister_device(), and only
after that usb_kill_urb() waits for in-progress requests to finish.

If rc_unregister_device() is called while streamzap_callback() handler is
not finished, this can lead to accessing freed resources. Thus
rc_unregister_device() should be called after usb_kill_urb().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 8e9e606400 ("V4L/DVB: staging/lirc: port lirc_streamzap to ir-core")
Cc: stable@vger.kernel.org
Reported-by: syzbot+34008406ee9a31b13c73@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=34008406ee9a31b13c73
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Roman Smirnov
78f06805cf jfs: add index corruption check to DT_GETPAGE()
commit a8dfb2168906944ea61acfc87846b816eeab882d upstream.

If the file system is corrupted, the header.stblindex variable
may become greater than 127. Because of this, an array access out
of bounds may occur:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:3096:10
index 237 is out of range for type 'struct dtslot[128]'
CPU: 0 UID: 0 PID: 5822 Comm: syz-executor740 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
 dtReadFirst+0x622/0xc50 fs/jfs/jfs_dtree.c:3096
 dtReadNext fs/jfs/jfs_dtree.c:3147 [inline]
 jfs_readdir+0x9aa/0x3c50 fs/jfs/jfs_dtree.c:2862
 wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65
 iterate_dir+0x571/0x800 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:403 [inline]
 __se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>
---[ end trace ]---

Add a stblindex check for corruption.

Reported-by: syzbot <syzbot+9120834fc227768625ba@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=9120834fc227768625ba
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Qasim Ijaz
46e2c031aa jfs: fix slab-out-of-bounds read in ea_get()
commit fdf480da5837c23b146c4743c18de97202fcab37 upstream.

During the "size_check" label in ea_get(), the code checks if the extended
attribute list (xattr) size matches ea_size. If not, it logs
"ea_get: invalid extended attribute" and calls print_hex_dump().

Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds
INT_MAX (2,147,483,647). Then ea_size is clamped:

	int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));

Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper
limit is treated as an int, causing an overflow above 2^31 - 1. This leads
"size" to wrap around and become negative (-184549328).

The "size" is then passed to print_hex_dump() (called "len" in
print_hex_dump()), it is passed as type size_t (an unsigned
type), this is then stored inside a variable called
"int remaining", which is then assigned to "int linelen" which
is then passed to hex_dump_to_buffer(). In print_hex_dump()
the for loop, iterates through 0 to len-1, where len is
18446744073525002176, calling hex_dump_to_buffer()
on each iteration:

	for (i = 0; i < len; i += rowsize) {
		linelen = min(remaining, rowsize);
		remaining -= rowsize;

		hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
				   linebuf, sizeof(linebuf), ascii);

		...
	}

The expected stopping condition (i < len) is effectively broken
since len is corrupted and very large. This eventually leads to
the "ptr+i" being passed to hex_dump_to_buffer() to get closer
to the end of the actual bounds of "ptr", eventually an out of
bounds access is done in hex_dump_to_buffer() in the following
for loop:

	for (j = 0; j < len; j++) {
			if (linebuflen < lx + 2)
				goto overflow2;
			ch = ptr[j];
		...
	}

To fix this we should validate "EALIST_SIZE(ea_buf->xattr)"
before it is utilised.

Reported-by: syzbot <syzbot+4e6e7e4279d046613bc5@syzkaller.appspotmail.com>
Tested-by: syzbot <syzbot+4e6e7e4279d046613bc5@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=4e6e7e4279d046613bc5
Fixes: d9f9d96136cb ("jfs: xattr: check invalid xattr size more strictly")
Cc: stable@vger.kernel.org
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
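The integer wrap described in the ea_get() commit above, reproduced in user space as an added example (not code from the commit or from JFS). `clamp_int()` stands in for the kernel's `clamp_t(int, ...)`; the signed `ea_size`, its sample value 4096, the helper names and the `INT_MAX` rejection rule are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for clamp_t(int, val, lo, hi): all operands are already int. */
static int clamp_int(int val, int lo, int hi)
{
	if (val < lo)
		return lo;
	return val > hi ? hi : val;
}

/*
 * Unchecked path, mirroring
 *   int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
 * ealist_size models the 32-bit list size read from a (possibly corrupted)
 * image. Converting a value above INT_MAX to int wraps on gcc and clang
 * (the conversion is implementation-defined in C).
 */
static int dump_len_unchecked(int ea_size, uint32_t ealist_size)
{
	return clamp_int(ea_size, 0, (int)ealist_size);
}

/* print_hex_dump() takes its length as size_t, so a negative int explodes. */
static size_t as_hex_dump_len(int size)
{
	return (size_t)size;
}

/*
 * Checked path (assumed rule): refuse a list size that cannot be represented
 * as int before it is used as a clamp bound.
 * Returns 0 and stores the dump length in *size, or -1 when rejected.
 */
static int dump_len_checked(int ea_size, uint32_t ealist_size, int *size)
{
	if (ealist_size > (uint32_t)INT_MAX)
		return -1;
	*size = clamp_int(ea_size, 0, (int)ealist_size);
	return 0;
}

int main(void)
{
	/* Constructed input: the list size quoted in the commit message. */
	uint32_t corrupted = 4110417968u;
	int ea_size = 4096;	/* constructed sample value */
	int size = dump_len_unchecked(ea_size, corrupted);
	int safe = 0;

	printf("unchecked size as int:    %d\n", size);
	printf("unchecked size as size_t: %zu\n", as_hex_dump_len(size));

	if (dump_len_checked(ea_size, corrupted, &safe) < 0)
		printf("checked: list size %u rejected\n", (unsigned)corrupted);
	if (dump_len_checked(ea_size, 128, &safe) == 0)
		printf("checked: dump length %d\n", safe);
	return 0;
}
```
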
Acs, Jakub
89503e5eae ext4: fix OOB read when checking dotdot dir
commit d5e206778e96e8667d3bde695ad372c296dc9353 upstream.

Mounting a corrupted filesystem with directory which contains '.' dir
entry with rec_len == block size results in out-of-bounds read (later
on, when the corrupted directory is removed).

ext4_empty_dir() assumes every ext4 directory contains at least '.'
and '..' as directory entries in the first data block. It first loads
the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()
and then uses its rec_len member to compute the location of '..' dir
entry (in ext4_next_entry). It assumes the '..' dir entry fits into the
same data block.

If the rec_len of '.' is precisely one block (4KB), it slips through the
sanity checks (it is considered the last directory entry in the data
block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the
memory slot allocated to the data block. The following call to
ext4_check_dir_entry() on new value of de then dereferences this pointer
which results in out-of-bounds mem access.

Fix this by extending __ext4_check_dir_entry() to check for '.' dir
entries that reach the end of data block. Make sure to ignore the phony
dir entries for checksum (by checking name_len for non-zero).

Note: This is reported by KASAN as use-after-free in case another
structure was recently freed from the slot past the bound, but it is
really an OOB read.

This issue was found by syzkaller tool.

Call Trace:
[   38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710
[   38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375
[   38.595158]
[   38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1
[   38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[   38.595304] Call Trace:
[   38.595308]  <TASK>
[   38.595311]  dump_stack_lvl+0xa7/0xd0
[   38.595325]  print_address_description.constprop.0+0x2c/0x3f0
[   38.595339]  ? __ext4_check_dir_entry+0x67e/0x710
[   38.595349]  print_report+0xaa/0x250
[   38.595359]  ? __ext4_check_dir_entry+0x67e/0x710
[   38.595368]  ? kasan_addr_to_slab+0x9/0x90
[   38.595378]  kasan_report+0xab/0xe0
[   38.595389]  ? __ext4_check_dir_entry+0x67e/0x710
[   38.595400]  __ext4_check_dir_entry+0x67e/0x710
[   38.595410]  ext4_empty_dir+0x465/0x990
[   38.595421]  ? __pfx_ext4_empty_dir+0x10/0x10
[   38.595432]  ext4_rmdir.part.0+0x29a/0xd10
[   38.595441]  ? __dquot_initialize+0x2a7/0xbf0
[   38.595455]  ? __pfx_ext4_rmdir.part.0+0x10/0x10
[   38.595464]  ? __pfx___dquot_initialize+0x10/0x10
[   38.595478]  ? down_write+0xdb/0x140
[   38.595487]  ? __pfx_down_write+0x10/0x10
[   38.595497]  ext4_rmdir+0xee/0x140
[   38.595506]  vfs_rmdir+0x209/0x670
[   38.595517]  ? lookup_one_qstr_excl+0x3b/0x190
[   38.595529]  do_rmdir+0x363/0x3c0
[   38.595537]  ? __pfx_do_rmdir+0x10/0x10
[   38.595544]  ? strncpy_from_user+0x1ff/0x2e0
[   38.595561]  __x64_sys_unlinkat+0xf0/0x130
[   38.595570]  do_syscall_64+0x5b/0x180
[   38.595583]  entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fixes: ac27a0ec11 ("[PATCH] ext4: initial copy of files from ext3")
Signed-off-by: Jakub Acs <acsjakub@amazon.de>
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Andreas Dilger <adilger.kernel@dilger.ca>
Cc: linux-ext4@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Mahmoud Adam <mngyadam@amazon.com>
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Link: https://patch.msgid.link/b3ae36a6794c4a01944c7d70b403db5b@amazon.de
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Theodore Ts'o
c07ec83be7 ext4: don't over-report free space or inodes in statvfs
commit f87d3af7419307ae26e705a2b2db36140db367a2 upstream.

This fixes an analogous bug that was fixed in xfs in commit
4b8d867ca6e2 ("xfs: don't over-report free space or inodes in
statvfs") where statfs can report misleading / incorrect information
where project quota is enabled, and the free space is less than the
remaining quota.

This commit will resolve a test failure in generic/762 which tests for
this bug.

Cc: stable@kernel.org
Fixes: 689c958cbe ("ext4: add project quota support")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Angelos Oikonomopoulos
cf18760105 arm64: Don't call NULL in do_compat_alignment_fixup()
commit c28f31deeacda307acfee2f18c0ad904e5123aac upstream.

do_alignment_t32_to_handler() only fixes up alignment faults for
specific instructions; it returns NULL otherwise (e.g. LDREX). When
that's the case, signal to the caller that it needs to proceed with the
regular alignment fault handling (i.e. SIGBUS). Without this patch, the
kernel panics:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
  Mem abort info:
    ESR = 0x0000000086000006
    EC = 0x21: IABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x06: level 2 translation fault
  user pgtable: 4k pages, 48-bit VAs, pgdp=00000800164aa000
  [0000000000000000] pgd=0800081fdbd22003, p4d=0800081fdbd22003, pud=08000815d51c6003, pmd=0000000000000000
  Internal error: Oops: 0000000086000006 [#1] SMP
  Modules linked in: cfg80211 rfkill xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter veth nvme_fa>
   libcrc32c crc32c_generic raid0 multipath linear dm_mod dax raid1 md_mod xhci_pci nvme xhci_hcd nvme_core t10_pi usbcore igb crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_ce crct10dif_common usb_common i2c_algo_bit i2c>
  CPU: 2 PID: 3932954 Comm: WPEWebProcess Not tainted 6.1.0-31-arm64 #1  Debian 6.1.128-1
  Hardware name: GIGABYTE MP32-AR1-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021
  pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : 0x0
  lr : do_compat_alignment_fixup+0xd8/0x3dc
  sp : ffff80000f973dd0
  x29: ffff80000f973dd0 x28: ffff081b42526180 x27: 0000000000000000
  x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
  x23: 0000000000000004 x22: 0000000000000000 x21: 0000000000000001
  x20: 00000000e8551f00 x19: ffff80000f973eb0 x18: 0000000000000000
  x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
  x11: 0000000000000000 x10: 0000000000000000 x9 : ffffaebc949bc488
  x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
  x5 : 0000000000400000 x4 : 0000fffffffffffe x3 : 0000000000000000
  x2 : ffff80000f973eb0 x1 : 00000000e8551f00 x0 : 0000000000000001
  Call trace:
   0x0
   do_alignment_fault+0x40/0x50
   do_mem_abort+0x4c/0xa0
   el0_da+0x48/0xf0
   el0t_32_sync_handler+0x110/0x140
   el0t_32_sync+0x190/0x194
  Code: bad PC value
  ---[ end trace 0000000000000000 ]---

Signed-off-by: Angelos Oikonomopoulos <angelos@igalia.com>
Fixes: 3fc24ef32d ("arm64: compat: Implement misalignment fixups for multiword loads")
Cc: <stable@vger.kernel.org> # 6.1.x
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Link: https://lore.kernel.org/r/20250401085150.148313-1-angelos@igalia.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Ran Xiaokai
8f4d099504 tracing/osnoise: Fix possible recursive locking for cpus_read_lock()
commit 7e6b3fcc9c5294aeafed0dbe1a09a1bc899bd0f2 upstream.

Lockdep reports this deadlock log:

osnoise: could not start sampling thread
============================================
WARNING: possible recursive locking detected
--------------------------------------------
       CPU0
       ----
  lock(cpu_hotplug_lock);
  lock(cpu_hotplug_lock);

 Call Trace:
  <TASK>
  print_deadlock_bug+0x282/0x3c0
  __lock_acquire+0x1610/0x29a0
  lock_acquire+0xcb/0x2d0
  cpus_read_lock+0x49/0x120
  stop_per_cpu_kthreads+0x7/0x60
  start_kthread+0x103/0x120
  osnoise_hotplug_workfn+0x5e/0x90
  process_one_work+0x44f/0xb30
  worker_thread+0x33e/0x5e0
  kthread+0x206/0x3b0
  ret_from_fork+0x31/0x50
  ret_from_fork_asm+0x11/0x20
  </TASK>

This is the deadlock scenario:
osnoise_hotplug_workfn()
  guard(cpus_read_lock)();      // first lock call
  start_kthread(cpu)
    if (IS_ERR(kthread)) {
      stop_per_cpu_kthreads(); {
        cpus_read_lock();      // second lock call. Cause the AA deadlock
      }
    }

It is not necessary to call stop_per_cpu_kthreads() which stops osnoise
kthread for every other CPUs in the system if a failure occurs during
hotplug of a certain CPU.
For start_per_cpu_kthreads(), if the start_kthread() call fails,
this function calls stop_per_cpu_kthreads() to handle the error.
Therefore, similarly, there is no need to call stop_per_cpu_kthreads()
again within start_kthread().
So just remove stop_per_cpu_kthreads() from start_kthread to solve this issue.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20250321095249.2739397-1-ranxiaokai627@163.com
Fixes: c8895e271f ("trace/osnoise: Support hotplug operations")
Signed-off-by: Ran Xiaokai <ran.xiaokai@zte.com.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Douglas Raillard
e9564aa7b8 tracing: Fix synth event printk format for str fields
commit 4d38328eb442dc06aec4350fd9594ffa6488af02 upstream.

The printk format for synth event uses "%.*s" to print string fields,
but then only passes the pointer part as var arg.

Replace %.*s with %s as the C string is guaranteed to be null-terminated.

The output in print fmt should never have been updated as __get_str()
handles the string limit because it can access the length of the string in
the string meta data that is saved in the ring buffer.

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: 8db4d6bfbb ("tracing: Change synthetic event string format to limit printed length")
Link: https://lore.kernel.org/20250325165202.541088-1-douglas.raillard@arm.com
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Douglas Raillard
bb9616ba5b tracing: Ensure module defining synth event cannot be unloaded while tracing
commit 21581dd4e7ff6c07d0ab577e3c32b13a74b31522 upstream.

Currently, using synth_event_delete() will fail if the event is being
used (tracing in progress), but that is normally done in the module exit
function. At that stage, failing is problematic as returning a non-zero
status means the module will become locked (impossible to unload or
reload again).

Instead, ensure the module exit function does not get called in the
first place by increasing the module refcnt when the event is enabled.

Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: 35ca5207c2 ("tracing: Add synthetic event command generation functions")
Link: https://lore.kernel.org/20250318180906.226841-1-douglas.raillard@arm.com
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Tengda Wu
a2cce54c17 tracing: Fix use-after-free in print_graph_function_flags during tracer switching
commit 7f81f27b1093e4895e87b74143c59c055c3b1906 upstream.

Kairui reported a UAF issue in print_graph_function_flags() during
ftrace stress testing [1]. This issue can be reproduced if putting a
'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(),
and executing the following script:

  $ echo function_graph > current_tracer
  $ cat trace > /dev/null &
  $ sleep 5  # Ensure the 'cat' reaches the 'mdelay(10)' point
  $ echo timerlat > current_tracer

The root cause lies in the two calls to print_graph_function_flags
within print_trace_line during each s_show():

  * One through 'iter->trace->print_line()';
  * Another through 'event->funcs->trace()', which is hidden in
    print_trace_fmt() before print_trace_line returns.

Tracer switching only updates the former, while the latter continues
to use the print_line function of the old tracer, which in the script
above is print_graph_function_flags.

Moreover, when switching from the 'function_graph' tracer to the
'timerlat' tracer, s_start only calls graph_trace_close of the
'function_graph' tracer to free 'iter->private', but does not set
it to NULL. This provides an opportunity for 'event->funcs->trace()'
to use an invalid 'iter->private'.

To fix this issue, set 'iter->private' to NULL immediately after
freeing it in graph_trace_close(), ensuring that an invalid pointer
is not passed to other tracers. Additionally, clean up the unnecessary
'iter->private = NULL' during each 'cat trace' when using wakeup and
irqsoff tracers.

 [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Zheng Yejian <zhengyejian1@huawei.com>
Link: https://lore.kernel.org/20250320122137.23635-1-wutengda@huaweicloud.com
Fixes: eecb91b9f9 ("tracing: Fix memleak due to race between current_tracer and trace")
Closes: https://lore.kernel.org/all/CAMgjq7BW79KDSCyp+tZHjShSzHsScSiJxn5ffskp-QzVM06fxw@mail.gmail.com/
Reported-by: Kairui Song <kasong@tencent.com>
Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Norbert Szetei
3ac65de111 ksmbd: validate zero num_subauth before sub_auth is accessed
commit bf21e29d78cd2c2371023953d9c82dfef82ebb36 upstream.

Access psid->sub_auth[psid->num_subauth - 1] without checking
if num_subauth is non-zero leads to an out-of-bounds read.
This patch adds a validation step to ensure num_subauth != 0
before sub_auth is accessed.

Cc: stable@vger.kernel.org
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Namjae Jeon
596407adb9 ksmbd: fix session use-after-free in multichannel connection
commit fa4cdb8cbca7d6cb6aa13e4d8d83d1103f6345db upstream.

There is a race condition between session setup and
ksmbd_sessions_deregister. The session can be freed before the connection
is added to channel list of session.
This patch checks the reference count of the session before freeing it.

Cc: stable@vger.kernel.org
Reported-by: Sean Heelan <seanheelan@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
Namjae Jeon
f0eb3f5751 ksmbd: fix use-after-free in ksmbd_sessions_deregister()
commit 15a9605f8d69dc85005b1a00c31a050b8625e1aa upstream.

In multichannel mode, UAF issue can occur in session_deregister
when the second channel sets up a session through the connection of
the first channel. session that is freed through the global session
table can be accessed again through ->sessions of connection.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Norbert Szetei
629dd37acc ksmbd: add bounds check for create lease context
commit bab703ed8472aa9d109c5f8c1863921533363dae upstream.

Add missing bounds check for create lease context.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Ulf Hansson
8857a956f7 mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD
commit 49d162635151d0dd04935070d7cf67137ab863aa upstream.

We have received reports about cards can become corrupt related to the
aggressive PM support. Let's make a partial revert of the change that
enabled the feature.

Reported-by: David Owens <daowens01@gmail.com>
Reported-by: Romain Naour <romain.naour@smile.fr>
Reported-by: Robert Nelson <robertcnelson@gmail.com>
Tested-by: Robert Nelson <robertcnelson@gmail.com>
Fixes: 3edf588e7f ("mmc: sdhci-omap: Allow SDIO card power off and enable aggressive PM")
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Tony Lindgren <tony@atomide.com>
Link: https://lore.kernel.org/r/20250312121712.1168007-1-ulf.hansson@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Karel Balej
91f33558db mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
commit a41fcca4b342811b473bbaa4b44f1d34d87fcce6 upstream.

Set the MMC_CAP_NEED_RSP_BUSY capability for the sdhci-pxav3 host to
prevent conversion of R1B responses to R1. Without this, the eMMC card
in the samsung,coreprimevelte smartphone using the Marvell PXA1908 SoC
with this mmc host doesn't probe with the ETIMEDOUT error originating in
__mmc_poll_for_busy.

Note that the other issues reported for this phone and host, namely
floods of "Tuning failed, falling back to fixed sampling clock" dmesg
messages for the eMMC and unstable SDIO are not mitigated by this
change.

Link: https://lore.kernel.org/r/20200310153340.5593-1-ulf.hansson@linaro.org/
Link: https://lore.kernel.org/r/D7204PWIGQGI.1FRFQPPIEE2P9@matfyz.cz/
Link: https://lore.kernel.org/r/20250115-pxa1908-lkml-v14-0-847d24f3665a@skole.hr/
Cc: stable@vger.kernel.org
Signed-off-by: Karel Balej <balejk@matfyz.cz>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Duje Mihanović <duje.mihanovic@skole.hr>
Link: https://lore.kernel.org/r/20250310140707.23459-1-balejk@matfyz.cz
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Paul Menzel
0bb9c96faf ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
commit 2da31ea2a085cd189857f2db0f7b78d0162db87a upstream.

Like the ASUS Vivobook X1504VAP and Vivobook X1704VAP, the ASUS Vivobook 14
X1404VAP has its keyboard IRQ (1) described as ActiveLow in the DSDT, which
the kernel overrides to EdgeHigh breaking the keyboard.

    $ sudo dmidecode
    […]
    System Information
            Manufacturer: ASUSTeK COMPUTER INC.
            Product Name: ASUS Vivobook 14 X1404VAP_X1404VA
    […]
    $ grep -A 30 PS2K dsdt.dsl | grep IRQ -A 1
                 IRQ (Level, ActiveLow, Exclusive, )
                     {1}

Add the X1404VAP to the irq1_level_low_skip_override[] quirk table to fix
this.

Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219224
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Anton Shyndin <mrcold.il@gmail.com>
Link: https://patch.msgid.link/20250318160903.77107-1-pmenzel@molgen.mpg.de
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Murad Masimov
bae5b55e0f acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
commit 2ff0e408db36c21ed3fa5e3c1e0e687c82cf132f upstream.

Syzkaller has reported a warning in to_nfit_bus_uuid(): "only secondary
bus families can be translated". This warning is emitted if the argument
is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first
verifies that a user-provided value call_pkg->nd_family of type u64 is
not equal to 0. Then the value is converted to int, and only after that
is compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid
argument to acpi_nfit_ctl(), if call_pkg->nd_family is non-zero, while
the lower 32 bits are zero.

Furthermore, it is best to return EINVAL immediately upon seeing the
invalid user input.  The WARNING is insufficient to prevent further
undefined behavior based on other invalid user input.

All checks of the input value should be applied to the original variable
call_pkg->nd_family.

[iweiny: update commit message]

Fixes: 6450ddbd5d ("ACPI: NFIT: Define runtime firmware activation commands")
Cc: stable@vger.kernel.org
Reported-by: syzbot+c80d8dc0d9fa81a3cd8c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c80d8dc0d9fa81a3cd8c
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Link: https://patch.msgid.link/20250123163945.251-1-m.masimov@mt-integration.ru
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
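The check ordering described in the acpi_nfit_ctl() commit above, modelled in user space as an added example (not the kernel's code). `NVDIMM_BUS_FAMILY_NFIT == 0` comes from the commit message; `FAMILY_MAX`, the function names and the return convention are assumptions, and the kernel's additional family-mask test is left out.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NVDIMM_BUS_FAMILY_NFIT 0	/* value stated in the commit message */
#define FAMILY_MAX 1			/* assumed upper bound, for illustration */

/*
 * Return convention used by both functions (assumed):
 *   0        request stays on the primary (NFIT) path
 *   1        secondary-family translation would be called with *family
 *   -EINVAL  request rejected
 */

/* Broken order: zero test on the u64, range test on the narrowed int. */
static int route_narrowed(uint64_t nd_family, int *family)
{
	*family = NVDIMM_BUS_FAMILY_NFIT;
	if (nd_family == 0)
		return 0;
	*family = (int)nd_family;	/* keeps only the low 32 bits */
	if (*family > FAMILY_MAX)
		return -EINVAL;
	return 1;			/* may carry family 0 or a negative value */
}

/* Fixed order: every check is applied to the original 64-bit value. */
static int route_checked(uint64_t nd_family, int *family)
{
	*family = NVDIMM_BUS_FAMILY_NFIT;
	if (nd_family == 0)
		return 0;
	if (nd_family > FAMILY_MAX)
		return -EINVAL;
	*family = (int)nd_family;	/* now known to fit */
	return 1;
}

int main(void)
{
	/* Constructed inputs: non-zero values whose low 32 bits mislead. */
	const uint64_t samples[] = {
		0x0000000100000000ULL,	/* low 32 bits zero  -> family 0 */
		0x0000000080000000ULL,	/* bit 31 set        -> negative int */
		0xffffffff00000001ULL,	/* low 32 bits are 1 -> looks valid */
		0x0000000000000001ULL,	/* genuinely valid secondary family */
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int fa = 0, fb = 0;
		int a = route_narrowed(samples[i], &fa);
		int b = route_checked(samples[i], &fb);

		printf("nd_family=0x%016llx narrowed: rc=%d family=%d | checked: rc=%d\n",
		       (unsigned long long)samples[i], a, fa, b);
	}
	return 0;
}
```
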
Jann Horn
0708fd6bd8 x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
commit 3ef938c3503563bfc2ac15083557f880d29c2e64 upstream.

On the following path, flush_tlb_range() can be used for zapping normal
PMD entries (PMD entries that point to page tables) together with the PTE
entries in the pointed-to page table:

    collapse_pte_mapped_thp
      pmdp_collapse_flush
        flush_tlb_range

The arm64 version of flush_tlb_range() has a comment describing that it can
be used for page table removal, and does not use any last-level
invalidation optimizations. Fix the X86 version by making it behave the
same way.

Currently, X86 only uses this information for the following two purposes,
which I think means the issue doesn't have much impact:

 - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be
   IPI'd to avoid issues with speculative page table walks.
 - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.

The patch "x86/mm: only invalidate final translations with INVLPGB" which
is currently under review (see
<https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>)
would probably be making the impact of this a lot worse.

Fixes: 016c4d92cd ("x86/mm/tlb: Add freed_tables argument to flush_tlb_mm_range")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20250103-x86-collapse-flush-fix-v1-1-3c521856cfa6@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Guilherme G. Piccoli
39e32fe65e x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
commit d90c9de9de2f1712df56de6e4f7d6982d358cabe upstream.

TSC could be reset in deep ACPI sleep states, even with invariant TSC.

That's the reason we have sched_clock() save/restore functions, to deal
with this situation. But what happens is that such functions are guarded
with a check for the stability of sched_clock - if not considered stable,
the save/restore routines aren't executed.

On top of that, we have a clear comment in native_sched_clock() saying
that *even* with TSC unstable, we continue using TSC for sched_clock due
to its speed.

In other words, if we have a situation of TSC getting detected as unstable,
it marks the sched_clock as unstable as well, so subsequent S3 sleep cycles
could bring bogus sched_clock values due to the lack of the save/restore
mechanism, causing warnings like this:

  [22.954918] ------------[ cut here ]------------
  [22.954923] Delta way too big! 18446743750843854390 ts=18446744072977390405 before=322133536015 after=322133536015 write stamp=18446744072977390405
  [22.954923] If you just came from a suspend/resume,
  [22.954923] please switch to the trace global clock:
  [22.954923]   echo global > /sys/kernel/tracing/trace_clock
  [22.954923] or add trace_clock=global to the kernel command line
  [22.954937] WARNING: CPU: 2 PID: 5728 at kernel/trace/ring_buffer.c:2890 rb_add_timestamp+0x193/0x1c0

Notice that the above was reproduced even with "trace_clock=global".

The fix for that is to _always_ save/restore the sched_clock on suspend
cycle _if TSC is used_ as sched_clock - only if we fallback to jiffies
the sched_clock_stable() check becomes relevant to save/restore the
sched_clock.

Debugged-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: stable@vger.kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/20250215210314.351480-1-gpiccoli@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Josef Bacik
9c8237021b btrfs: handle errors from btrfs_dec_ref() properly
commit 5eb178f373b4f16f3b42d55ff88fc94dd95b93b1 upstream.

In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref().  This is
incorrect, we have proper error handling here, return the error.

Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Ivan Orlov
cacce7faa7 kunit/overflow: Fix UB in overflow_allocation_test
commit 92e9bac18124682c4b99ede9ee3bcdd68f121e92 upstream.

The 'device_name' array doesn't exist out of the
'overflow_allocation_test' function scope. However, it is being used as
a driver name when calling 'kunit_driver_create' from
'kunit_device_register'. It produces the kernel panic with KASAN
enabled.

Since this variable is used in one place only, remove it and pass the
device name into kunit_device_register directly as an ascii string.

Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
Reviewed-by: David Gow <davidgow@google.com>
Link: https://lore.kernel.org/r/20240815000431.401869-1-ivan.orlov0322@gmail.com
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Kan Liang
781b2db0eb perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read
commit f9bdf1f953392c9edd69a7f884f78c0390127029 upstream.

The WARN_ON(this_cpu_read(cpu_hw_events.enabled)) in the
intel_pmu_save_and_restart_reload() is triggered, when sampling read
topdown events.

In a NMI handler, the cpu_hw_events.enabled is set and used to indicate
the status of core PMU. The generic pmu->pmu_disable_count, updated in
the perf_pmu_disable/enable pair, is not touched.
However, the perf_pmu_disable/enable pair is invoked when sampling read
in a NMI handler. The cpuc->enabled is mistakenly set by the
perf_pmu_enable().

Avoid disabling PMU if the core PMU is already disabled.
Merge the logic together.

Fixes: 7b2c05a15d ("perf/x86/intel: Generic support for hardware TopDown metrics")
Suggested-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20250121152303.3128733-2-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Peter Zijlstra (Intel)
0a416b4c53 perf/x86/intel: Apply static call for drain_pebs
commit 314dfe10576912e1d786b13c5d4eee8c51b63caa upstream.

The x86_pmu_drain_pebs static call was introduced in commit 7c9903c9bf
("x86/perf, static_call: Optimize x86_pmu methods"), but it's not really
used to replace the old method.

Apply the static call for drain_pebs.

Fixes: 7c9903c9bf ("x86/perf, static_call: Optimize x86_pmu methods")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20250121152303.3128733-1-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Markus Elfring
5b36f9e8fa ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk()
commit 4279e72cab31dd3eb8c89591eb9d2affa90ab6aa upstream.

The function call “dmaengine_unmap_put(unmap)” was used in an if branch.
The same call was immediately triggered by a subsequent goto statement.
Thus avoid such a call repetition.

This issue was detected by using the Coccinelle software.

Fixes: 5648e56d03 ("NTB: ntb_perf: Add full multi-port NTB API support")
Cc: stable@vger.kernel.org
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Srinivas Pandruvada
16d6b2527f platform/x86: ISST: Correct command storage data length
commit 9462e74c5c983cce34019bfb27f734552bebe59f upstream.

After resume/online turbo limit ratio (TRL) is restored partially if
the admin explicitly changed TRL from user space.

A hash table is used to store SST mail box and MSR settings when modified
to restore those settings after resume or online. This uses a struct
isst_cmd field "data" to store these settings. This is a 64 bit field.
But isst_store_new_cmd() is only assigning as u32. This results in
truncation of 32 bits.

Change the argument to u64 from u32.

Fixes: f607874f35 ("platform/x86: ISST: Restore state on resume")
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250328224749.2691272-1-srinivas.pandruvada@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:42 +02:00
Hengqi Chen
c498c117c4 LoongArch: BPF: Use move_addr() for BPF_PSEUDO_FUNC
commit 52266f1015a8b5aabec7d127f83d105f702b388e upstream.

Vincent reported that running XDP synproxy program on LoongArch results
in the following error:

    JIT doesn't support bpf-to-bpf calls

With dmesg:

    multi-func JIT bug 1391 != 1390

The root cause is that verifier will refill the imm with the correct
addresses of bpf_calls for BPF_PSEUDO_FUNC instructions and then run
the last pass of JIT. So we generate different JIT code for the same
instruction in two passes (one for placeholder and the other for the
real address). Let's use move_addr() instead.

See commit 64f50f6575 ("LoongArch, bpf: Use 4 instructions for
function address in JIT") for a similar fix.

Cc: stable@vger.kernel.org
Fixes: 69c087ba62 ("bpf: Add bpf_for_each_map_elem() helper")
Fixes: bb035ef0cc ("LoongArch: BPF: Support mixing bpf2bpf and tailcalls")
Reported-by: Vincent Li <vincent.mc.li@gmail.com>
Tested-by: Vincent Li <vincent.mc.li@gmail.com>
Closes: https://lore.kernel.org/loongarch/CAK3+h2yfM9FTNiXvEQBkvtuoJrvzmN4c_NZsFXqEk4Cj1tsBNA@mail.gmail.com/T/#u
Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:41 +02:00
Hengqi Chen
e9ccb262b3 LoongArch: BPF: Fix off-by-one error in build_prologue()
commit 7e2586991e36663c9bc48c828b83eab180ad30a9 upstream.

Vincent reported that running BPF progs with tailcalls on LoongArch
causes kernel hard lockup. Debugging the issues shows that the JITed
image is missing a jirl instruction at the end of the epilogue.

There are two passes in JIT compiling, the first pass sets the flags and
the second pass generates JIT code based on those flags. With BPF progs
mixing bpf2bpf and tailcalls, build_prologue() generates N insns in the
first pass and then generates N+1 insns in the second pass. This makes
epilogue_offset off by one and we will jump to some unexpected insn and
cause lockup. Fix this by inserting a nop insn.

Cc: stable@vger.kernel.org
Fixes: 5dc615520c ("LoongArch: Add BPF JIT support")
Fixes: bb035ef0cc ("LoongArch: BPF: Support mixing bpf2bpf and tailcalls")
Reported-by: Vincent Li <vincent.mc.li@gmail.com>
Tested-by: Vincent Li <vincent.mc.li@gmail.com>
Closes: https://lore.kernel.org/loongarch/CAK3+h2w6WESdBN3UCr3WKHByD7D6Q_Ve1EDAjotVrnx6Or_c8g@mail.gmail.com/
Closes: https://lore.kernel.org/bpf/CAK3+h2woEjG_N=-XzqEGaAeCmgu2eTCUc7p6bP4u8Q+DFHm-7g@mail.gmail.com/
Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:41 +02:00
Huacai Chen
f39af67f03 LoongArch: Increase ARCH_DMA_MINALIGN up to 16
commit 4103cfe9dcb88010ae4911d3ff417457d1b6a720 upstream.

ARCH_DMA_MINALIGN is 1 by default, but some LoongArch-specific devices
(such as APBDMA) require 16 bytes alignment. When the data buffer length
is too small, the hardware may make an error writing cacheline. Thus, it
is dangerous to allocate a small memory buffer for DMA. It's always safe
to define ARCH_DMA_MINALIGN as L1_CACHE_BYTES but unnecessary (kmalloc()
needs small memory objects). Therefore, just increase it to 16.

Cc: stable@vger.kernel.org
Tested-by: Binbin Zhou <zhoubinbin@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:41 +02:00
Ying Lu
0f10f83acf usbnet:fix NPE during rx_complete
commit 51de3600093429e3b712e5f091d767babc5dd6df upstream.

Missing usbnet_going_away Check in Critical Path.
The usb_submit_urb function lacks a usbnet_going_away
validation, whereas __usbnet_queue_skb includes this check.

This inconsistency creates a race condition where:
A URB request may succeed, but the corresponding SKB data
fails to be queued.

Subsequent processes:
(e.g., rx_complete → defer_bh → __skb_unlink(skb, list))
attempt to access skb->next, triggering a NULL pointer
dereference (Kernel Panic).

Fixes: 04e906839a05 ("usbnet: fix cyclical race on disconnect with work queue")
Cc: stable@vger.kernel.org
Signed-off-by: Ying Lu <luying1@xiaomi.com>
Link: https://patch.msgid.link/4c9ef2efaa07eb7f9a5042b74348a67e5a3a7aea.1743584159.git.luying1@xiaomi.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:41 +02:00