Commit Graph

1166503 Commits

Author SHA1 Message Date
Greg Kroah-Hartman
bb58b1f9bf Merge 6.1.117 into android14-6.1-lts
Changes in 6.1.117
	arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-eaidk-610
	arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator
	arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328
	arm64: dts: rockchip: Fix wakeup prop names on PineNote BT node
	arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards
	arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion
	arm64: dts: rockchip: Fix LED triggers on rk3308-roc-cc
	arm64: dts: imx8qm: Fix VPU core alias name
	arm64: dts: imx8qxp: Add VPU subsystem file
	arm64: dts: imx8-ss-vpu: Fix imx8qm VPU IRQs
	arm64: dts: imx8mp: correct sdhc ipg clk
	ARM: dts: rockchip: fix rk3036 acodec node
	ARM: dts: rockchip: drop grf reference from rk3036 hdmi
	ARM: dts: rockchip: Fix the spi controller on rk3036
	ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
	HID: core: zero-initialize the report buffer
	platform/x86/amd/pmc: Detect when STB is not available
	sunrpc: handle -ENOTCONN in xs_tcp_setup_socket()
	NFSv3: only use NFS timeout for MOUNT when protocols are compatible
	NFSv3: handle out-of-order write replies.
	nfs: avoid i_lock contention in nfs_clear_invalid_mapping
	security/keys: fix slab-out-of-bounds in key_task_permission
	net: enetc: set MAC address to the VF net_device
	sctp: properly validate chunk size in sctp_sf_ootb()
	can: c_can: fix {rx,tx}_errors statistics
	ice: change q_index variable type to s16 to store -1 value
	i40e: fix race condition by adding filter's intermediate sync state
	net: hns3: fix kernel crash when uninstalling driver
	net: phy: ti: add PHY_RST_AFTER_CLK_EN flag
	net: stmmac: Fix unbalanced IRQ wake disable warning on single irq case
	virtio_net: Add hash_key_length check
	net: arc: fix the device for dma_map_single/dma_unmap_single
	net: arc: rockchip: fix emac mdio node support
	Revert "ALSA: hda/conexant: Mute speakers at suspend / shutdown"
	media: stb0899_algo: initialize cfr before using it
	media: dvbdev: prevent the risk of out of memory access
	media: dvb_frontend: don't play tricks with underflow values
	media: adv7604: prevent underflow condition when reporting colorspace
	scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer
	ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()
	tools/lib/thermal: Fix sampling handler context ptr
	thermal/of: support thermal zones w/o trips subnode
	ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove
	media: ar0521: don't overflow when checking PLL values
	media: s5p-jpeg: prevent buffer overflows
	media: cx24116: prevent overflows on SNR calculus
	media: pulse8-cec: fix data timestamp at pulse8_setup()
	media: v4l2-tpg: prevent the risk of a division by zero
	media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
	can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation
	can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes
	ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
	ksmbd: Fix the missing xa_store error check
	ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp
	pwm: imx-tpm: Use correct MODULO value for EPWM mode
	drm/amdgpu: Adjust debugfs eviction and IB access permissions
	drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
	drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
	thermal/drivers/qcom/lmh: Remove false lockdep backtrace
	dm cache: correct the number of origin blocks to match the target length
	dm cache: fix flushing uninitialized delayed_work on cache_ctr error
	dm cache: fix out-of-bounds access to the dirty bitset when resizing
	dm cache: optimize dirty bit checking with find_next_bit when resizing
	dm cache: fix potential out-of-bounds access on the first resume
	dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow
	ALSA: usb-audio: Add quirk for HP 320 FHD Webcam
	ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3
	posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone
	nfs: Fix KMSAN warning in decode_getfattr_attrs()
	net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc()
	net: vertexcom: mse102x: Fix possible double free of TX skb
	mptcp: use sock_kfree_s instead of kfree
	arm64: Kconfig: Make SME depend on BROKEN for now
	btrfs: reinitialize delayed ref list after deleting it from the list
	riscv/purgatory: align riscv_kernel_entry
	bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
	Revert "wifi: mac80211: fix RCU list iterations"
	net: do not delay dst_entries_add() in dst_release()
	kselftest/arm64: Initialise current at build time in signal tests
	media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
	filemap: Fix bounds checking in filemap_read()
	fs/proc: fix compile warning about variable 'vmcore_mmap_ops'
	signal: restore the override_rlimit logic
	usb: musb: sunxi: Fix accessing an released usb phy
	usb: dwc3: fix fault at system suspend if device was already runtime suspended
	usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()
	USB: serial: io_edgeport: fix use after free in debug printk
	USB: serial: qcserial: add support for Sierra Wireless EM86xx
	USB: serial: option: add Fibocom FG132 0x0112 composition
	USB: serial: option: add Quectel RG650V
	irqchip/gic-v3: Force propagation of the active state with a read-back
	ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
	ucounts: fix counter leak in inc_rlimit_get_ucounts()
	ASoC: amd: yc: fix internal mic on Xiaomi Book Pro 14 2022
	net: sched: use RCU read-side critical section in taprio_dump()
	hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
	vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
	media: amphion: Fix VPU core alias name
	Linux 6.1.117

Change-Id: Ib8a7f11f5567a9ab25f77bdf672338f1ac116853
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-29 11:30:33 +00:00
Greg Kroah-Hartman
98a32bd6ec Merge 6.1.116 into android14-6.1-lts
Changes in 6.1.116
	cpufreq: Generalize of_perf_domain_get_sharing_cpumask phandle format
	cpufreq: Avoid a bad reference count on CPU node
	selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test
	mm: remove kern_addr_valid() completely
	fs/proc/kcore: avoid bounce buffer for ktext data
	fs/proc/kcore: convert read_kcore() to read_kcore_iter()
	fs/proc/kcore: reinstate bounce buffer for KCORE_TEXT regions
	fs/proc/kcore.c: allow translation of physical memory addresses
	cgroup: Fix potential overflow issue when checking max_depth
	wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd()
	mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING
	wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys
	wifi: ath11k: Fix invalid ring usage in full monitor mode
	wifi: brcm80211: BRCM_TRACING should depend on TRACING
	RDMA/cxgb4: Dump vendor specific QP details
	RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down
	RDMA/bnxt_re: synchronize the qp-handle table array
	wifi: iwlwifi: mvm: disconnect station vifs if recovery failed
	wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()
	ASoC: cs42l51: Fix some error handling paths in cs42l51_probe()
	macsec: Fix use-after-free while sending the offloading packet
	net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data
	ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow()
	gtp: allow -1 to be specified as file description from userspace
	net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
	netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()
	bpf: Fix out-of-bounds write in trie_get_next_key()
	netfilter: Fix use-after-free in get_info()
	netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
	Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
	net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension
	mlxsw: spectrum_ptp: Add missing verification before pushing Tx header
	mlxsw: spectrum_router: Add support for double entry RIFs
	mlxsw: spectrum_ipip: Rename Spectrum-2 ip6gre operations
	mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
	netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
	iomap: convert iomap_unshare_iter to use large folios
	iomap: improve shared block detection in iomap_unshare_iter
	iomap: don't bother unsharing delalloc extents
	iomap: share iomap_unshare_iter predicate code with fsdax
	fsdax: remove zeroing code from dax_unshare_iter
	fsdax: dax_unshare_iter needs to copy entire blocks
	iomap: turn iomap_want_unshare_iter into an inline function
	compiler-gcc: be consistent with underscores use for `no_sanitize`
	compiler-gcc: remove attribute support check for `__no_sanitize_address__`
	kasan: Fix Software Tag-Based KASAN with GCC
	firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state()
	afs: Automatically generate trace tag enums
	afs: Fix missing subdir edit when renamed between parent dirs
	ACPI: CPPC: Make rmw_lock a raw_spin_lock
	fs/ntfs3: Check if more than chunk-size bytes are written
	fs/ntfs3: Fix warning possible deadlock in ntfs_set_state
	fs/ntfs3: Stale inode instead of bad
	fs/ntfs3: Fix possible deadlock in mi_read
	fs/ntfs3: Additional check in ni_clear()
	scsi: scsi_transport_fc: Allow setting rport state to current state
	net: amd: mvme147: Fix probe banner message
	NFS: remove revoked delegation from server's delegation list
	misc: sgi-gru: Don't disable preemption in GRU driver
	usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler
	usb: gadget: dummy_hcd: Set transfer interval to 1 microframe
	usb: gadget: dummy_hcd: execute hrtimer callback in softirq context
	USB: gadget: dummy-hcd: Fix "task hung" problem
	ALSA: usb-audio: Add quirks for Dell WD19 dock
	usbip: tools: Fix detach_port() invalid port error path
	usb: phy: Fix API devm_usb_put_phy() can not release the phy
	usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes()
	xhci: Fix Link TRB DMA in command ring stopped completion event
	xhci: Use pm_runtime_get to prevent RPM on unsupported systems
	Revert "driver core: Fix uevent_show() vs driver detach race"
	wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower
	wifi: ath10k: Fix memory leak in management tx
	wifi: cfg80211: clear wdev->cqm_config pointer on free
	wifi: iwlegacy: Clear stale interrupts before resuming device
	staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()
	iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr()
	iio: light: veml6030: fix microlux value calculation
	nilfs2: fix potential deadlock with newly created symlinks
	block: fix sanity checks in blk_rq_map_user_bvec
	cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction
	riscv: vdso: Prevent the compiler from inserting calls to memset()
	ALSA: hda/realtek: Limit internal Mic boost on Dell platform
	riscv: efi: Set NX compat flag in PE/COFF header
	riscv: Use '%u' to format the output of 'cpu'
	riscv: Remove unused GENERATING_ASM_OFFSETS
	riscv: Remove duplicated GET_RM
	cxl/acpi: Move rescan to the workqueue
	cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices()
	mm/page_alloc: rename ALLOC_HIGH to ALLOC_MIN_RESERVE
	mm/page_alloc: treat RT tasks similar to __GFP_HIGH
	mm/page_alloc: explicitly record high-order atomic allocations in alloc_flags
	mm/page_alloc: explicitly define what alloc flags deplete min reserves
	mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves
	mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves
	ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow
	mctp i2c: handle NULL header address
	ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1
	nvmet-auth: assign dh_key to NULL after kfree_sensitive
	kasan: remove vmalloc_percpu test
	io_uring: rename kiocb_end_write() local helper
	fs: create kiocb_{start,end}_write() helpers
	io_uring: use kiocb_{start,end}_write() helpers
	io_uring/rw: fix missing NOWAIT check for O_DIRECT start write
	mm: migrate: try again if THP split is failed due to page refcnt
	migrate: convert unmap_and_move() to use folios
	migrate: convert migrate_pages() to use folios
	mm/migrate.c: stop using 0 as NULL pointer
	migrate_pages: organize stats with struct migrate_pages_stats
	migrate_pages: separate hugetlb folios migration
	migrate_pages: restrict number of pages to migrate in batch
	migrate_pages: split unmap_and_move() to _unmap() and _move()
	vmscan,migrate: fix page count imbalance on node stats when demoting pages
	io_uring: always lock __io_cqring_overflow_flush
	x86/bugs: Use code segment selector for VERW operand
	wifi: mac80211: fix NULL dereference at band check in starting tx ba session
	nilfs2: fix kernel bug due to missing clearing of checked flag
	wifi: iwlwifi: mvm: fix 6 GHz scan construction
	mm: shmem: fix data-race in shmem_getattr()
	LoongArch: Fix build errors due to backported TIMENS
	mtd: spi-nor: winbond: fix w25q128 regression
	drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing
	drm/amd/display: Skip on writeback when it's not applicable
	vt: prevent kernel-infoleak in con_font_get()
	mm: avoid gcc complaint about pointer casting
	migrate_pages_batch: fix statistics for longterm pin retry
	Linux 6.1.116

Change-Id: Iaffbf84fc3f7e545b5a8d2956b3c57df84abdab4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-28 18:38:58 +00:00
Greg Kroah-Hartman
64e5459c98 Merge 7468bd2c6e ("mm/page_alloc: explicitly record high-order atomic allocations in alloc_flags") into android14-6.1-lts
Steps on the way to 6.1.116

Resolves merge conflicts in:
	mm/page_alloc.c

Change-Id: Ia976acbcca01bc21d497c9c1a9a5ba791a39c593
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-28 18:36:55 +00:00
Greg Kroah-Hartman
47a8b5f3ed Merge 0d968ced73 ("mm/page_alloc: treat RT tasks similar to __GFP_HIGH") into android14-6.1-lts
Steps on the way to 6.1.116

Change-Id: I6502f70497285f1569aecf03c33c126b96d3001b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-17 12:22:19 +00:00
Greg Kroah-Hartman
500bbbbd01 Merge 241398329a ("mm/page_alloc: rename ALLOC_HIGH to ALLOC_MIN_RESERVE") into android14-6.1-lts
Steps on the way to 6.1.116

Change-Id: Ib7c11329d114065714cd5d11ef69e65ab4d0bd51
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-17 12:20:06 +00:00
Greg Kroah-Hartman
ad46e48e1b Merge b5dc5b7de7 ("cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices()") into android14-6.1-lts
Steps on the way to 6.1.116

Resolves merge conflicts in:
	net/wireless/core.c

Change-Id: Ia10a58f63842e7bbc9440d960071985de9a399b8
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-17 12:16:30 +00:00
Greg Kroah-Hartman
0df5dc7d73 Merge bdbc96c231 ("fsdax: dax_unshare_iter needs to copy entire blocks") into android14-6.1-lts
Steps on the way to 6.1.116

Resolves merge conflicts in:
	fs/iomap/buffered-io.c

Change-Id: Ibe7e7f5a94bee171200931351878cf40e37b8bbc
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 18:13:00 +00:00
Greg Kroah-Hartman
a566b71fed Merge d321732352 ("netfilter: nft_payload: sanitize offset and length before calling skb_checksum()") into android14-6.1-lts
Steps on the way to 6.1.116

Change-Id: If62fadaf5fbd6d9663368509dd05b285a930f6d5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 18:04:20 +00:00
Greg Kroah-Hartman
bb558c55a5 Revert "genetlink: hold RCU in genlmsg_mcast()"
This reverts commit ae53d09f11 which is
commit 56440d7ec28d60f8da3bfa09062b3368ff9b16db upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I62229b26a4fd7dd4141a0342e3b7298ed3ee7942
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 16:30:41 +00:00
Greg Kroah-Hartman
c5efbe731b Revert "tty/serial: Make ->dcd_change()+uart_handle_dcd_change() status bool active"
This reverts commit 376d15bad7 which is
commit 0388a152fc upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I831a3ddef1d1e76795c45d163806299017f1ba51
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 14:07:15 +00:00
Greg Kroah-Hartman
3aee75909f Revert "serial: Make uart_handle_cts_change() status param bool active"
This reverts commit 04de065652 which is
commit 968d64578e upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I47ee264f550533f670ef559661d69b923e2ca6c4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 14:07:04 +00:00
Greg Kroah-Hartman
d82cacc625 Revert "serial: imx: Update mctrl old_status on RTSD interrupt"
This reverts commit e1e87568a2 which is
commit 40d7903386df4d18f04d90510ba90eedee260085 upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I37284d886dabab9e9b153c7aba3eaa8e14b3523f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 14:06:33 +00:00
Greg Kroah-Hartman
ca7ef58ce4 Revert "arm64:uprobe fix the uprobe SWBP_INSN in big-endian"
This reverts commit 63f9dae763 which is
commit 60f07e22a7 upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I6e8012e954f8af96fad62aa49672c678eb50af86
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 10:14:23 +00:00
Greg Kroah-Hartman
bfff915c97 Revert "arm64: probes: Fix uprobes for big-endian kernels"
This reverts commit 14841bb7a5 which is
commit 13f8f1e05f1dc36dbba6cba0ae03354c0dafcde7 upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I3e6141d5184c37814b1ea62f3e2966e97e3e3932
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 10:14:18 +00:00
Greg Kroah-Hartman
535085db57 Revert "arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning"
This reverts commit 354b3847ea which is
commit ef08c0fadd upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: Icaca1349a9483085afa6a282dd303efb138f64ba
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 10:14:14 +00:00
Greg Kroah-Hartman
983df5e9ef Revert "usb: gadget: Add function wakeup support"
This reverts commit e36d975b04 which is
commit f0db885fb0 upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I56b3a1daccf44443aa4142534777b97bb3a70d14
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 10:11:27 +00:00
Greg Kroah-Hartman
56f28f2269 Revert "XHCI: Separate PORT and CAPs macros into dedicated file"
This reverts commit e0deb60b16 which is
commit c35ba0ac48355df1d11fcce85945f76c42d250ac upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: Ia59eb26941a34ef70e635dc012b3daaf58ac6d8c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 10:10:40 +00:00
Greg Kroah-Hartman
fae9c0cd1a Revert "usb: dwc3: core: Fix system suspend on TI AM62 platforms"
This reverts commit 85ca88f931 which is
commit 705e3ce37bccdf2ed6f848356ff355f480d51a91 upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I996ae30bcbeab414995da2ba4608d703122710c9
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-16 10:10:35 +00:00
Greg Kroah-Hartman
45a7ce8a2b ANDROID: GKI: fix up build break where timer_delete_sync() was used
We reverted the commit that renamed del_timer_sync() to
timer_delete_sync() a long while back, but that broke the build when
commit 5071beb59e ("tcp/dccp: Don't use timer_pending() in
reqsk_queue_unlink().") was applied.  So fix it up to use the old
function name instead, allowing the build to work properly.

Fixes: 5071beb59e ("tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().")
Change-Id: I88112c8da97506f5c0028119f318ae8f730105fa
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-15 17:56:59 +00:00
Greg Kroah-Hartman
a332a3d23d Merge 6.1.115 into android14-6.1-lts
Changes in 6.1.115
	bpf: Use raw_spinlock_t in ringbuf
	iio: accel: bma400: Fix uninitialized variable field_value in tap event handling.
	bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
	bpf: devmap: provide rxq after redirect
	bpf: Fix memory leak in bpf_core_apply
	RDMA/bnxt_re: Fix incorrect AVID type in WQE structure
	RDMA/bnxt_re: Add a check for memory allocation
	x86/resctrl: Avoid overflow in MB settings in bw_validate()
	ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin
	s390/pci: Handle PCI error codes other than 0x3a
	bpf: fix kfunc btf caching for modules
	iio: frequency: {admv4420,adrf6780}: format Kconfig entries
	iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig
	drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check
	selftests/bpf: Fix cross-compiling urandom_read
	ALSA: hda/cs8409: Fix possible NULL dereference
	RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP
	RDMA/irdma: Fix misspelling of "accept*"
	RDMA/srpt: Make slab cache names unique
	ipv4: give an IPv4 dev to blackhole_netdev
	RDMA/bnxt_re: Return more meaningful error
	RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages
	drm/msm/dpu: make sure phys resources are properly initialized
	drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation
	drm/msm: Avoid NULL dereference in msm_disp_state_print_regs()
	drm/msm: Allocate memory for disp snapshot with kvzalloc()
	net: usb: usbnet: fix race in probe failure
	octeontx2-af: Fix potential integer overflows on integer shifts
	drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring
	macsec: don't increment counters for an unrelated SA
	netdevsim: use cond_resched() in nsim_dev_trap_report_work()
	net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit()
	net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid
	net: xilinx: axienet: fix potential memory leak in axienet_start_xmit()
	net: systemport: fix potential memory leak in bcm_sysport_xmit()
	irqchip/renesas-rzg2l: Align struct member names to tabs
	irqchip/renesas-rzg2l: Document structure members
	irqchip/renesas-rzg2l: Add support for suspend to RAM
	irqchip/renesas-rzg2l: Fix missing put_device
	drm/msm/dpu: Wire up DSC mask for active CTL configuration
	drm/msm/dpu: don't always program merge_3d block
	tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().
	genetlink: hold RCU in genlmsg_mcast()
	ravb: Remove setting of RX software timestamp
	net: ravb: Only advertise Rx/Tx timestamps if hardware supports it
	scsi: target: core: Fix null-ptr-deref in target_alloc_device()
	smb: client: fix OOBs when building SMB2_IOCTL request
	usb: typec: altmode should keep reference to parent
	s390: Initialize psw mask in perf_arch_fetch_caller_regs()
	Bluetooth: bnep: fix wild-memory-access in proto_unregister
	net/mlx5: Remove redundant cmdif revision check
	net/mlx5: split mlx5_cmd_init() to probe and reload routines
	net/mlx5: Fix command bitmask initialization
	net/mlx5: Unregister notifier on eswitch init failure
	riscv, bpf: Make BPF_CMPXCHG fully ordered
	bpf: Fix iter/task tid filtering
	arm64:uprobe fix the uprobe SWBP_INSN in big-endian
	arm64: probes: Fix uprobes for big-endian kernels
	xhci: dbgtty: remove kfifo_out() wrapper
	xhci: dbgtty: use kfifo from tty_port struct
	xhci: dbc: honor usb transfer size boundaries.
	usb: gadget: f_uac2: Replace snprintf() with the safer scnprintf() variant
	usb: gadget: f_uac2: fix non-newline-terminated function name
	usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store
	usb: gadget: Add function wakeup support
	XHCI: Separate PORT and CAPs macros into dedicated file
	usb: dwc3: core: Fix system suspend on TI AM62 platforms
	tty/serial: Make ->dcd_change()+uart_handle_dcd_change() status bool active
	serial: Make uart_handle_cts_change() status param bool active
	serial: imx: Update mctrl old_status on RTSD interrupt
	block, bfq: fix procress reference leakage for bfqq in merge chain
	exec: don't WARN for racy path_noexec check
	fs/ntfs3: Add more attributes checks in mi_enum_attr()
	drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA
	ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values
	ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit
	arm64: Force position-independent veneers
	udf: refactor udf_current_aext() to handle error
	udf: fix uninit-value use in udf_get_fileshortad
	ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string
	platform/x86: dell-sysman: add support for alienware products
	LoongArch: Add support to clone a time namespace
	LoongArch: Don't crash in stack_top() for tasks without vDSO
	jfs: Fix sanity check in dbMount
	tracing: Consider the NULL character when validating the event length
	xfrm: extract dst lookup parameters into a struct
	xfrm: respect ip protocols rules criteria when performing dst lookups
	net/sun3_82586: fix potential memory leak in sun3_82586_send_packet()
	be2net: fix potential memory leak in be_xmit()
	net: plip: fix break; causing plip to never transmit
	octeon_ep: Implement helper for iterating packets in Rx queue
	octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx()
	net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x
	netfilter: xtables: fix typo causing some targets not to load on IPv6
	net: wwan: fix global oob in wwan_rtnl_policy
	docs: net: reformat driver.rst from a list to sections
	net: provide macros for commonly copied lockless queue stop/wake code
	net/sched: adjust device watchdog timer to detect stopped queue at right time
	net: fix races in netdev_tx_sent_queue()/dev_watchdog()
	net: usb: usbnet: fix name regression
	net/sched: act_api: deny mismatched skip_sw/skip_hw flags for actions created by classifiers
	net: sched: fix use-after-free in taprio_change()
	r8169: avoid unsolicited interrupts
	posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()
	Bluetooth: SCO: Fix UAF on sco_sock_timeout
	Bluetooth: ISO: Fix UAF on iso_sock_timeout
	bpf,perf: Fix perf_event_detach_bpf_prog error handling
	ASoC: dt-bindings: davinci-mcasp: Fix interrupts property
	ASoC: dt-bindings: davinci-mcasp: Fix interrupt properties
	ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()
	powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request()
	ALSA: hda/realtek: Update default depop procedure
	cpufreq/cppc: Move and rename cppc_cpufreq_{perf_to_khz|khz_to_perf}()
	cpufreq: CPPC: fix perf_to_khz/khz_to_perf conversion exception
	btrfs: fix passing 0 to ERR_PTR in btrfs_search_dir_index_item()
	btrfs: zoned: fix zone unusable accounting for freed reserved extent
	drm/amd: Guard against bad data for ATIF ACPI method
	ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[]
	ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context
	ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue
	nilfs2: fix kernel bug due to missing clearing of buffer delay flag
	openat2: explicitly return -E2BIG for (usize > PAGE_SIZE)
	KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory
	KVM: arm64: Don't eagerly teardown the vgic on init error
	ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593
	LoongArch: Get correct cores_per_package for SMT systems
	xfrm: fix one more kernel-infoleak in algo dumping
	hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event
	drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too
	selinux: improve error checking in sel_write_load()
	serial: protect uart_port_dtr_rts() in uart_shutdown() too
	net: phy: dp83822: Fix reset pin definitions
	ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()
	platform/x86: dell-wmi: Ignore suspend notifications
	ACPI: PRM: Clean up guid type in struct prm_handler_info
	arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning
	xfrm: validate new SA's prefixlen using SA family when sel.family is unset
	Linux 6.1.115

Change-Id: I3348b13afe931340f904062b8a22d8d6c4a46d5c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-11-15 16:07:11 +00:00
Greg Kroah-Hartman
59d7b1a710 Linux 6.1.117
Link: https://lore.kernel.org/r/20241112101844.263449965@linuxfoundation.org
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Hardik Garg <hargar@linux.microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:20 +01:00
Alexander Stein
178379985e media: amphion: Fix VPU core alias name
commit f033c87fda47e272bb4f75dc7b03677261d91158 upstream.

Starting with commit f6038de293 ("arm64: dts: imx8qm: Fix VPU core
alias name") the alias for VPU cores uses dashes instead of underscores.
Adjust the alias stem accordingly. Fixes the errors:
amphion-vpu-core 2d040000.vpu-core: can't get vpu core id
amphion-vpu-core 2d050000.vpu-core: can't get vpu core id

Fixes: f6038de293 ("arm64: dts: imx8qm: Fix VPU core alias name")
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Reviewed-by: Ming Qian <ming.qian@nxp.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:19 +01:00
Hyunwoo Kim
44d29897ea vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
commit 6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f upstream.

During loopback communication, a dangling pointer can be created in
vsk->trans, potentially leading to a Use-After-Free condition.  This
issue is resolved by initializing vsk->trans to NULL.

Cc: stable <stable@kernel.org>
Fixes: 06a8fc7836 ("VSOCK: Introduce virtio_vsock_common.ko")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Signed-off-by: Wongi Lee <qwerty@theori.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Message-Id: <2024102245-strive-crib-c8d3@gregkh>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:19 +01:00
Hyunwoo Kim
98d8dde923 hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
commit e629295bd60abf4da1db85b82819ca6a4f6c1e79 upstream.

When hvs is released, there is a possibility that vsk->trans may not
be initialized to NULL, which could lead to a dangling pointer.
This issue is resolved by initializing vsk->trans to NULL.

Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/Zys4hCj61V+mQfX2@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:19 +01:00
Dmitry Antipov
b911fa9e92 net: sched: use RCU read-side critical section in taprio_dump()
commit b22db8b8befe90b61c98626ca1a2fbb0505e9fe3 upstream.

Fix possible use-after-free in 'taprio_dump()' by adding RCU
read-side critical section there. Never seen on x86 but
found on a KASAN-enabled arm64 system when investigating
https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:

[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0
[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862
[T15862]
[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2
[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024
[T15862] Call trace:
[T15862]  dump_backtrace+0x20c/0x220
[T15862]  show_stack+0x2c/0x40
[T15862]  dump_stack_lvl+0xf8/0x174
[T15862]  print_report+0x170/0x4d8
[T15862]  kasan_report+0xb8/0x1d4
[T15862]  __asan_report_load4_noabort+0x20/0x2c
[T15862]  taprio_dump+0xa0c/0xbb0
[T15862]  tc_fill_qdisc+0x540/0x1020
[T15862]  qdisc_notify.isra.0+0x330/0x3a0
[T15862]  tc_modify_qdisc+0x7b8/0x1838
[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20
[T15862]  netlink_rcv_skb+0x1f8/0x3d4
[T15862]  rtnetlink_rcv+0x28/0x40
[T15862]  netlink_unicast+0x51c/0x790
[T15862]  netlink_sendmsg+0x79c/0xc20
[T15862]  __sock_sendmsg+0xe0/0x1a0
[T15862]  ____sys_sendmsg+0x6c0/0x840
[T15862]  ___sys_sendmsg+0x1ac/0x1f0
[T15862]  __sys_sendmsg+0x110/0x1d0
[T15862]  __arm64_sys_sendmsg+0x74/0xb0
[T15862]  invoke_syscall+0x88/0x2e0
[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0
[T15862]  do_el0_svc+0x44/0x60
[T15862]  el0_svc+0x50/0x184
[T15862]  el0t_64_sync_handler+0x120/0x12c
[T15862]  el0t_64_sync+0x190/0x194
[T15862]
[T15862] Allocated by task 15857:
[T15862]  kasan_save_stack+0x3c/0x70
[T15862]  kasan_save_track+0x20/0x3c
[T15862]  kasan_save_alloc_info+0x40/0x60
[T15862]  __kasan_kmalloc+0xd4/0xe0
[T15862]  __kmalloc_cache_noprof+0x194/0x334
[T15862]  taprio_change+0x45c/0x2fe0
[T15862]  tc_modify_qdisc+0x6a8/0x1838
[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20
[T15862]  netlink_rcv_skb+0x1f8/0x3d4
[T15862]  rtnetlink_rcv+0x28/0x40
[T15862]  netlink_unicast+0x51c/0x790
[T15862]  netlink_sendmsg+0x79c/0xc20
[T15862]  __sock_sendmsg+0xe0/0x1a0
[T15862]  ____sys_sendmsg+0x6c0/0x840
[T15862]  ___sys_sendmsg+0x1ac/0x1f0
[T15862]  __sys_sendmsg+0x110/0x1d0
[T15862]  __arm64_sys_sendmsg+0x74/0xb0
[T15862]  invoke_syscall+0x88/0x2e0
[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0
[T15862]  do_el0_svc+0x44/0x60
[T15862]  el0_svc+0x50/0x184
[T15862]  el0t_64_sync_handler+0x120/0x12c
[T15862]  el0t_64_sync+0x190/0x194
[T15862]
[T15862] Freed by task 6192:
[T15862]  kasan_save_stack+0x3c/0x70
[T15862]  kasan_save_track+0x20/0x3c
[T15862]  kasan_save_free_info+0x4c/0x80
[T15862]  poison_slab_object+0x110/0x160
[T15862]  __kasan_slab_free+0x3c/0x74
[T15862]  kfree+0x134/0x3c0
[T15862]  taprio_free_sched_cb+0x18c/0x220
[T15862]  rcu_core+0x920/0x1b7c
[T15862]  rcu_core_si+0x10/0x1c
[T15862]  handle_softirqs+0x2e8/0xd64
[T15862]  __do_softirq+0x14/0x20

Fixes: 18cdd2f099 ("net/sched: taprio: taprio_dump and taprio_change are protected by rtnl_mutex")
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Link: https://patch.msgid.link/20241018051339.418890-2-dmantipov@yandex.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[Lee: Backported from linux-6.6.y to linux-6.1.y and fixed conflicts]
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:19 +01:00
Mingcong Bai
7f6c3c7f8d ASoC: amd: yc: fix internal mic on Xiaomi Book Pro 14 2022
commit de156f3cf70e17dc6ff4c3c364bb97a6db961ffd upstream.

Xiaomi Book Pro 14 2022 (MIA2210-AD) requires a quirk entry for its
internal microphone to be enabled.

This is likely due to similar reasons as seen previously on Redmi Book
14/15 Pro 2022 models (since they likely came with similar firmware):

- commit dcff8b7ca9 ("ASoC: amd: yc: Add Xiaomi Redmi Book Pro 15 2022
  into DMI table")
- commit c1dd6bf619 ("ASoC: amd: yc: Add Xiaomi Redmi Book Pro 14 2022
  into DMI table")

A quirk would likely be needed for Xiaomi Book Pro 15 2022 models, too.
However, I do not have such a device on hand so I will leave it for now.

Signed-off-by: Mingcong Bai <jeffbai@aosc.io>
Link: https://patch.msgid.link/20241106024052.15748-1-jeffbai@aosc.io
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:19 +01:00
Andrei Vagin
7bce2c7ac8 ucounts: fix counter leak in inc_rlimit_get_ucounts()
commit 432dc0654c612457285a5dcf9bb13968ac6f0804 upstream.

The inc_rlimit_get_ucounts() increments the specified rlimit counter and
then checks its limit.  If the value exceeds the limit, the function
returns an error without decrementing the counter.

Link: https://lkml.kernel.org/r/20241101191940.3211128-1-roman.gushchin@linux.dev
Fixes: 15bc01effe ("ucounts: Fix signal ucount refcounting")
Signed-off-by: Andrei Vagin <avagin@google.com>
Co-developed-by: Roman Gushchin <roman.gushchin@linux.dev>
Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
Tested-by: Roman Gushchin <roman.gushchin@linux.dev>
Acked-by: Alexey Gladkov <legion@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Andrei Vagin <avagin@google.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexey Gladkov <legion@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:19 +01:00
Andrew Kanner
86dd0e8d42 ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
commit 0b63c0e01fba40e3992bc627272ec7b618ccaef7 upstream.

Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove():

[   57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12
[   57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper.  Leaking 1 clusters and removing the entry
[   57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004
[...]
[   57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
[...]
[   57.331328] Call Trace:
[   57.331477]  <TASK>
[...]
[   57.333511]  ? do_user_addr_fault+0x3e5/0x740
[   57.333778]  ? exc_page_fault+0x70/0x170
[   57.334016]  ? asm_exc_page_fault+0x2b/0x30
[   57.334263]  ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10
[   57.334596]  ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
[   57.334913]  ocfs2_xa_remove_entry+0x23/0xc0
[   57.335164]  ocfs2_xa_set+0x704/0xcf0
[   57.335381]  ? _raw_spin_unlock+0x1a/0x40
[   57.335620]  ? ocfs2_inode_cache_unlock+0x16/0x20
[   57.335915]  ? trace_preempt_on+0x1e/0x70
[   57.336153]  ? start_this_handle+0x16c/0x500
[   57.336410]  ? preempt_count_sub+0x50/0x80
[   57.336656]  ? _raw_read_unlock+0x20/0x40
[   57.336906]  ? start_this_handle+0x16c/0x500
[   57.337162]  ocfs2_xattr_block_set+0xa6/0x1e0
[   57.337424]  __ocfs2_xattr_set_handle+0x1fd/0x5d0
[   57.337706]  ? ocfs2_start_trans+0x13d/0x290
[   57.337971]  ocfs2_xattr_set+0xb13/0xfb0
[   57.338207]  ? dput+0x46/0x1c0
[   57.338393]  ocfs2_xattr_trusted_set+0x28/0x30
[   57.338665]  ? ocfs2_xattr_trusted_set+0x28/0x30
[   57.338948]  __vfs_removexattr+0x92/0xc0
[   57.339182]  __vfs_removexattr_locked+0xd5/0x190
[   57.339456]  ? preempt_count_sub+0x50/0x80
[   57.339705]  vfs_removexattr+0x5f/0x100
[...]

Reproducer uses faultinject facility to fail ocfs2_xa_remove() ->
ocfs2_xa_value_truncate() with -ENOMEM.

In this case the comment mentions that we can return 0 if
ocfs2_xa_cleanup_value_truncate() is going to wipe the entry
anyway. But the following 'rc' check is wrong and the execution flow does
'ocfs2_xa_remove_entry(loc);' twice:
* 1st: in ocfs2_xa_cleanup_value_truncate();
* 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'.

Fix this by skipping the 2nd removal of the same entry and making
syzkaller repro happy.

Link: https://lkml.kernel.org/r/20241103193845.2940988-1-andrew.kanner@gmail.com
Fixes: 399ff3a748 ("ocfs2: Handle errors while setting external xattr values.")
Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
Reported-by: syzbot+386ce9e60fa1b18aac5b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/671e13ab.050a0220.2b8c0f.01d0.GAE@google.com/T/
Tested-by: syzbot+386ce9e60fa1b18aac5b@syzkaller.appspotmail.com
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:19 +01:00
Marc Zyngier
8525160ea2 irqchip/gic-v3: Force propagation of the active state with a read-back
commit 464cb98f1c07298c4c10e714ae0c36338d18d316 upstream.

Christoffer reports that on some implementations, writing to
GICR_ISACTIVER0 (and similar GICD registers) can race badly with a guest
issuing a deactivation of that interrupt via the system register interface.

There are multiple reasons for this:

 - this uses an early write-acknowledgement memory type (nGnRE), meaning
   that the write may only have made it as far as some interconnect
   by the time the store is considered "done"

 - the GIC itself is allowed to buffer the write until it decides to
   take it into account (as long as it is in finite time)

The effects are that the activation may not have taken effect by the time
the kernel enters the guest, forcing an immediate exit, or that a guest
deactivation occurs before the interrupt is active, doing nothing.

In order to guarantee that the write to the ISACTIVER register has taken
effect, read back from it, forcing the interconnect to propagate the write,
and the GIC to process the write before returning the read.

Reported-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Christoffer Dall <christoffer.dall@arm.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20241106084418.3794612-1-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:19 +01:00
Benoît Monin
ded5200f83 USB: serial: option: add Quectel RG650V
commit 3b05949ba39f305b585452d0e177470607842165 upstream.

Add support for Quectel RG650V which is based on Qualcomm SDX65 chip.
The composition is DIAG / NMEA / AT / AT / QMI.

T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=5000 MxCh= 0
D:  Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
P:  Vendor=2c7c ProdID=0122 Rev=05.15
S:  Manufacturer=Quectel
S:  Product=RG650V-EU
S:  SerialNumber=xxxxxxx
C:  #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=896mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=9ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E:  Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=9ms
I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
E:  Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E:  Ad=88(I) Atr=03(Int.) MxPS=   8 Ivl=9ms

Signed-off-by: Benoît Monin <benoit.monin@gmx.fr>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:18 +01:00
Reinhard Speyerer
9b298c819a USB: serial: option: add Fibocom FG132 0x0112 composition
commit 393c74ccbd847bacf18865a01b422586fc7341cf upstream.

Add Fibocom FG132 0x0112 composition:

T:  Bus=03 Lev=02 Prnt=06 Port=01 Cnt=02 Dev#= 10 Spd=12   MxCh= 0
D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2cb7 ProdID=0112 Rev= 5.15
S:  Manufacturer=Fibocom Wireless Inc.
S:  Product=Fibocom Module
S:  SerialNumber=xxxxxxxx
C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=86(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms

Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:18 +01:00
Jack Wu
5a4a73a6e6 USB: serial: qcserial: add support for Sierra Wireless EM86xx
commit 25eb47eed52979c2f5eee3f37e6c67714e02c49c upstream.

Add support for Sierra Wireless EM86xx with USB-id 0x1199:0x90e5 and
0x1199:0x90e4.

0x1199:0x90e5
T:  Bus=03 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 14 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=1199 ProdID=90e5 Rev= 5.15
S:  Manufacturer=Sierra Wireless, Incorporated
S:  Product=Semtech EM8695 Mobile Broadband Adapter
S:  SerialNumber=004403161882339
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=qcserial
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=qcserial
E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

0x1199:0x90e4
T:  Bus=03 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 16 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1199 ProdID=90e4 Rev= 0.00
S:  Manufacturer=Sierra Wireless, Incorporated
S:  SerialNumber=004403161882339
C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=  2mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=qcserial
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Jack Wu <wojackbb@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:18 +01:00
Dan Carpenter
275258c30b USB: serial: io_edgeport: fix use after free in debug printk
commit 37bb5628379295c1254c113a407cab03a0f4d0b4 upstream.

The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb)
is a use after free of the "urb" pointer.  Store the "dev" pointer at the
start of the function to avoid this issue.

Fixes: 984f686832 ("USB: serial: io_edgeport.c: remove dbg() usage")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:18 +01:00
Dan Carpenter
604314ecd6 usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()
commit 7dd08a0b4193087976db6b3ee7807de7e8316f96 upstream.

The "*cmd" variable can be controlled by the user via debugfs.  That means
"new_cam" can be as high as 255 while the size of the uc->updated[] array
is UCSI_MAX_ALTMODES (30).

The call tree is:
ucsi_cmd() // val comes from simple_attr_write_xsigned()
-> ucsi_send_command()
   -> ucsi_send_command_common()
      -> ucsi_run_command() // calls ucsi->ops->sync_control()
         -> ucsi_ccg_sync_control()

Fixes: 170a6726d0 ("usb: typec: ucsi: add support for separate DP altmode devices")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/325102b3-eaa8-4918-a947-22aca1146586@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:18 +01:00
Roger Quadros
562804b156 usb: dwc3: fix fault at system suspend if device was already runtime suspended
commit 9cfb31e4c89d200d8ab7cb1e0bb9e6e8d621ca0b upstream.

If the device was already runtime suspended then during system suspend
we cannot access the device registers else it will crash.

Also we cannot access any registers after dwc3_core_exit() on some
platforms so move the dwc3_enable_susphy() call to the top.

Cc: stable@vger.kernel.org # v5.15+
Reported-by: William McVicker <willmcvicker@google.com>
Closes: https://lore.kernel.org/all/ZyVfcUuPq56R2m1Y@google.com
Fixes: 705e3ce37bcc ("usb: dwc3: core: Fix system suspend on TI AM62 platforms")
Signed-off-by: Roger Quadros <rogerq@kernel.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Tested-by: Will McVicker <willmcvicker@google.com>
Link: https://lore.kernel.org/r/20241104-am62-lpm-usb-fix-v1-1-e93df73a4f0d@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:18 +01:00
Zijun Hu
ccd811c304 usb: musb: sunxi: Fix accessing an released usb phy
commit 498dbd9aea205db9da674994b74c7bf8e18448bd upstream.

Commit 6ed05c68cb ("usb: musb: sunxi: Explicitly release USB PHY on
exit") will cause the usb phy @glue->xceiv to be accessed after being released.

1) register platform driver @sunxi_musb_driver
// get the usb phy @glue->xceiv
sunxi_musb_probe() -> devm_usb_get_phy().

2) register and unregister platform driver @musb_driver
musb_probe() -> sunxi_musb_init()
use the phy here
//the phy is released here
musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy()

3) register @musb_driver again
musb_probe() -> sunxi_musb_init()
use the phy here but the phy has been released at 2).
...

Fixed by reverting the commit, namely, removing devm_usb_put_phy()
from sunxi_musb_exit().

Fixes: 6ed05c68cb ("usb: musb: sunxi: Explicitly release USB PHY on exit")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20241029-sunxi_fix-v1-1-9431ed2ab826@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:18 +01:00
Roman Gushchin
012f4d5d25 signal: restore the override_rlimit logic
commit 9e05e5c7ee8758141d2db7e8fea2cab34500c6ed upstream.

Prior to commit d646969055 ("Reimplement RLIMIT_SIGPENDING on top of
ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of
signals.  However now it's enforced unconditionally, even if
override_rlimit is set.  This behavior change caused production issues.

For example, if the limit is reached and a process receives a SIGSEGV
signal, sigqueue_alloc fails to allocate the necessary resources for the
signal delivery, preventing the signal from being delivered with siginfo.
This prevents the process from correctly identifying the fault address and
handling the error.  From the user-space perspective, applications are
unaware that the limit has been reached and that the siginfo is
effectively 'corrupted'.  This can lead to unpredictable behavior and
crashes, as we observed with java applications.

Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip
the comparison to max there if override_rlimit is set.  This effectively
restores the old behavior.

Link: https://lkml.kernel.org/r/20241104195419.3962584-1-roman.gushchin@linux.dev
Fixes: d646969055 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
Co-developed-by: Andrei Vagin <avagin@google.com>
Signed-off-by: Andrei Vagin <avagin@google.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Alexey Gladkov <legion@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:18 +01:00
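Added example, not code from the kernel or from either commit: a user-space C model of the increment-then-check accounting that 7bce2c7ac8 ("ucounts: fix counter leak in inc_rlimit_get_ucounts()") and 012f4d5d25 ("signal: restore the override_rlimit logic") describe. The `struct level` chain, the per-level `max` and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of one accounting level; parent is NULL at the root. */
struct level {
    long count;
    long max;
    struct level *parent;
};

/* Undo one increment on every level from 'from' up to, but excluding, 'stop'. */
static void unwind(struct level *from, struct level *stop)
{
    for (struct level *it = from; it != stop; it = it->parent)
        it->count--;
}

/* Leaky behaviour: increment, then check; on failure the levels below the
 * failing one are restored, but the failing level keeps its increment. */
static long inc_leaky(struct level *leaf)
{
    long ret = 0;
    for (struct level *it = leaf; it; it = it->parent) {
        long new = ++it->count;
        if (new > it->max) {
            unwind(leaf, it);
            return 0;               /* error: it->count stays too high */
        }
        if (it == leaf)
            ret = new;
    }
    return ret;
}

/* Fixed behaviour: the failing level is decremented as well, and the
 * comparison against max is skipped when override_rlimit is set. */
static long inc_fixed(struct level *leaf, bool override_rlimit)
{
    long ret = 0;
    for (struct level *it = leaf; it; it = it->parent) {
        long new = ++it->count;
        if (!override_rlimit && new > it->max) {
            it->count--;
            unwind(leaf, it);
            return 0;
        }
        if (it == leaf)
            ret = new;
    }
    return ret;
}

/* Two holders take a slot, 'denials' further requests are refused, then both
 * holders release. Returns what is left on the root counter (0 is correct). */
static long residue_after_denials(bool fixed, int denials)
{
    struct level root = { 0, 2, NULL };
    struct level leaf = { 0, 100, &root };

    for (int i = 0; i < 2 + denials; i++) {
        if (fixed)
            (void)inc_fixed(&leaf, false);
        else
            (void)inc_leaky(&leaf);
    }
    unwind(&leaf, NULL);            /* first holder releases */
    unwind(&leaf, NULL);            /* second holder releases */
    return root.count;
}

/* One slot is already taken and the limit is 1. Returns the result of a
 * second request: 0 when refused, the new leaf count when granted. */
static long request_at_limit(bool override_rlimit)
{
    struct level root = { 0, 1, NULL };
    struct level leaf = { 0, 1, &root };

    (void)inc_fixed(&leaf, false);
    return inc_fixed(&leaf, override_rlimit);
}

int main(void)
{
    printf("leaky residue after 3 denials: %ld\n", residue_after_denials(false, 3));
    printf("fixed residue after 3 denials: %ld\n", residue_after_denials(true, 3));
    printf("at limit, no override: %ld\n", request_at_limit(false));
    printf("at limit, override:    %ld\n", request_at_limit(true));
    return 0;
}
```

In the leaky variant every refused request raises the root counter permanently, so the limit stays exceeded even after all holders have released.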
Qi Xi
190911cebd fs/proc: fix compile warning about variable 'vmcore_mmap_ops'
commit b8ee299855f08539e04d6c1a6acb3dc9e5423c00 upstream.

When building with !CONFIG_MMU, the variable 'vmcore_mmap_ops'
is defined but not used:

>> fs/proc/vmcore.c:458:42: warning: unused variable 'vmcore_mmap_ops'
     458 | static const struct vm_operations_struct vmcore_mmap_ops = {

Fix this by only defining it when CONFIG_MMU is enabled.

Link: https://lkml.kernel.org/r/20241101034803.9298-1-xiqi2@huawei.com
Fixes: 9cb218131d ("vmcore: introduce remap_oldmem_pfn_range()")
Signed-off-by: Qi Xi <xiqi2@huawei.com>
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/lkml/202410301936.GcE8yUos-lkp@intel.com/
Cc: Baoquan He <bhe@redhat.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Wang ShaoBo <bobo.shaobowang@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:18 +01:00
Trond Myklebust
26530b757c filemap: Fix bounds checking in filemap_read()
commit ace149e0830c380ddfce7e466fe860ca502fe4ee upstream.

If the caller supplies an iocb->ki_pos value that is close to the
filesystem upper limit, and an iterator with a count that causes us to
overflow that limit, then filemap_read() enters an infinite loop.

This behaviour was discovered when testing xfstests generic/525 with the
"localio" optimisation for loopback NFS mounts.

Reported-by: Mike Snitzer <snitzer@kernel.org>
Fixes: c2a9737f45 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
Tested-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:17 +01:00
Benoit Sevens
beced2cb09 media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.

This can lead to out of bounds writes since frames of this type were not
taken into account when calculating the size of the frames buffer in
uvc_parse_streaming.

Fixes: c0efd23292 ("V4L/DVB (8145a): USB Video Class driver")
Signed-off-by: Benoit Sevens <bsevens@google.com>
Cc: stable@vger.kernel.org
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:17 +01:00
Mark Brown
c8ec4e437a kselftest/arm64: Initialise current at build time in signal tests
commit 6e4b4f0eca upstream.

When building with clang the toolchain refuses to link the signals
testcases since the assembly code has a reference to current which has
no initialiser so is placed in the BSS:

  /tmp/signals-af2042.o: in function `fake_sigreturn':
  <unknown>:51:(.text+0x40): relocation truncated to fit: R_AARCH64_LD_PREL_LO19 against symbol `current' defined in .bss section in /tmp/test_signals-ec1160.o

Since the first statement in main() initialises current we may as well
fix this by moving the initialisation to build time so the variable
doesn't end up in the BSS.

Signed-off-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Link: https://lore.kernel.org/r/20230111-arm64-kselftest-clang-v1-4-89c69d377727@kernel.org
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:17 +01:00
Eric Dumazet
a60db84f77 net: do not delay dst_entries_add() in dst_release()
commit ac888d58869bb99753e7652be19a151df9ecb35d upstream.

dst_entries_add() uses per-cpu data that might be freed at netns
dismantle from ip6_route_net_exit() calling dst_entries_destroy()

Before ip6_route_net_exit() can be called, we release all
the dsts associated with this netns, via calls to dst_release(),
which waits an rcu grace period before calling dst_destroy()

dst_entries_add() use in dst_destroy() is racy, because
dst_entries_destroy() could have been called already.

Decrementing the number of dsts must happen sooner.

Notes:

1) in CONFIG_XFRM case, dst_destroy() can call
   dst_release_immediate(child), this might also cause UAF
   if the child does not have DST_NOCOUNT set.
   IPSEC maintainers might take a look and see how to address this.

2) There is also discussion about removing this count of dst,
   which might happen in future kernels.

Fixes: f886497212 ("ipv4: fix dst race in sk_dst_get()")
Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL=w@mail.gmail.com/T/
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Xin Long <lucien.xin@gmail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ resolved conflict due to bc9d3a9f2a ("net: dst: Switch to rcuref_t
  reference counting") is not in the tree ]
Signed-off-by: Abdelkareem Abdelsaamad <kareemem@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:17 +01:00
Greg Kroah-Hartman
5cf45281a6 Revert "wifi: mac80211: fix RCU list iterations"
This reverts commit b0b2dc1eaa which is
commit ac35180032fbc5d80b29af00ba4881815ceefcb6 upstream.

It should not have been backported here due to lack of other rcu
changes in the stable branches.

Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:17 +01:00
Michal Schmidt
84d2f29152 bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.

Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
roundup_pow_of_two is documented as undefined for 0.

Fix it in the one caller that had this combination.

The undefined behavior was detected by UBSAN:
  UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
  shift exponent 64 is too large for 64-bit type 'long unsigned int'
  CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
  Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
  Call Trace:
   <TASK>
   dump_stack_lvl+0x5d/0x80
   ubsan_epilogue+0x5/0x30
   __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
   __roundup_pow_of_two+0x25/0x35 [bnxt_re]
   bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
   bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
   bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? __kmalloc+0x1b6/0x4f0
   ? create_qp.part.0+0x128/0x1c0 [ib_core]
   ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
   create_qp.part.0+0x128/0x1c0 [ib_core]
   ib_create_qp_kernel+0x50/0xd0 [ib_core]
   create_mad_qp+0x8e/0xe0 [ib_core]
   ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
   ib_mad_init_device+0x2be/0x680 [ib_core]
   add_client_context+0x10d/0x1a0 [ib_core]
   enable_device_and_get+0xe0/0x1d0 [ib_core]
   ib_register_device+0x53c/0x630 [ib_core]
   ? srso_alias_return_thunk+0x5/0xfbef5
   bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
   ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
   auxiliary_bus_probe+0x49/0x80
   ? driver_sysfs_add+0x57/0xc0
   really_probe+0xde/0x340
   ? pm_runtime_barrier+0x54/0x90
   ? __pfx___driver_attach+0x10/0x10
   __driver_probe_device+0x78/0x110
   driver_probe_device+0x1f/0xa0
   __driver_attach+0xba/0x1c0
   bus_for_each_dev+0x8f/0xe0
   bus_add_driver+0x146/0x220
   driver_register+0x72/0xd0
   __auxiliary_driver_register+0x6e/0xd0
   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
   bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
   do_one_initcall+0x5b/0x310
   do_init_module+0x90/0x250
   init_module_from_file+0x86/0xc0
   idempotent_init_module+0x121/0x2b0
   __x64_sys_finit_module+0x5e/0xb0
   do_syscall_64+0x82/0x160
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? syscall_exit_to_user_mode_prepare+0x149/0x170
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? syscall_exit_to_user_mode+0x75/0x230
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? do_syscall_64+0x8e/0x160
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? __count_memcg_events+0x69/0x100
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? count_memcg_events.constprop.0+0x1a/0x30
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? handle_mm_fault+0x1f0/0x300
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? do_user_addr_fault+0x34e/0x640
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? srso_alias_return_thunk+0x5/0xfbef5
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
  RIP: 0033:0x7f4e5132821d
  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
  RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
  RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
  RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
  RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
  R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
  R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
   </TASK>
  ---[ end trace ]---

Fixes: 0c4dcd6028 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:17 +01:00
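Added example, not code from the commit or the driver: a user-space C model of why rounding 0 up to a power of two produces the "shift exponent 64" report above, assuming the helper has the shape `1UL << fls_long(n - 1)`. It also covers inputs above the largest representable power of two, which goes beyond the case in the commit message. `fls_long_model`, `roundup_pow_of_two_checked` and `aux_stride_rounded` are hypothetical names.

```c
#include <limits.h>
#include <stdio.h>

#define ULONG_BITS ((unsigned)(sizeof(unsigned long) * CHAR_BIT))

/* 1-based position of the highest set bit, 0 when no bit is set. */
static unsigned fls_long_model(unsigned long x)
{
    unsigned pos = 0;

    while (x) {
        pos++;
        x >>= 1;
    }
    return pos;
}

/* Exponent that "1UL << fls_long(n - 1)" would shift by. For n == 0 the
 * unsigned subtraction wraps to ULONG_MAX, so every bit is set. */
static unsigned roundup_shift_exponent(unsigned long n)
{
    return fls_long_model(n - 1);
}

/* Checked variant: returns 0 (never a valid power of two) when the shift
 * would be undefined, i.e. for n == 0 and for n above the top power of two. */
static unsigned long roundup_pow_of_two_checked(unsigned long n)
{
    unsigned exp;

    if (n == 0)
        return 0;
    exp = roundup_shift_exponent(n);
    if (exp >= ULONG_BITS)
        return 0;
    return 1UL << exp;
}

/* Caller-side guard for the combination named in the commit message:
 * a non-zero depth with a zero stride. Returns -1 for that combination,
 * 0 when there is no auxiliary queue, otherwise the rounded stride. */
static long aux_stride_rounded(unsigned long depth, unsigned long stride)
{
    unsigned long rounded;

    if (depth == 0)
        return 0;
    rounded = roundup_pow_of_two_checked(stride);
    if (rounded == 0 || rounded > (unsigned long)LONG_MAX)
        return -1;
    return (long)rounded;
}

int main(void)
{
    printf("exponent for n=0: %u (type width %u)\n",
           roundup_shift_exponent(0), ULONG_BITS);
    printf("checked(5) = %lu, checked(0) = %lu\n",
           roundup_pow_of_two_checked(5), roundup_pow_of_two_checked(0));
    printf("depth 16, stride 0 -> %ld\n", aux_stride_rounded(16, 0));
    return 0;
}
```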
Daniel Maslowski
10ffafb456 riscv/purgatory: align riscv_kernel_entry
commit fb197c5d2fd24b9af3d4697d0cf778645846d6d5 upstream.

When alignment handling is delegated to the kernel, everything must be
word-aligned in purgatory, since the trap handler is then set to the
kexec one. Without the alignment, hitting the exception would
ultimately crash. On other occasions, the kernel's handler would take
care of exceptions.
This has been tested on a JH7110 SoC with oreboot and its SBI delegating
unaligned access exceptions and the kernel configured to handle them.

Fixes: 736e30af58 ("RISC-V: Add purgatory")
Signed-off-by: Daniel Maslowski <cyrevolt@gmail.com>
Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Link: https://lore.kernel.org/r/20240719170437.247457-1-cyrevolt@gmail.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:17 +01:00
Filipe Manana
2cb1a73d1d btrfs: reinitialize delayed ref list after deleting it from the list
commit c9a75ec45f1111ef530ab186c2a7684d0a0c9245 upstream.

At insert_delayed_ref() if we need to update the action of an existing
ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's
ref_add_list using list_del(), which leaves the ref's add_list member
not reinitialized, as list_del() sets the next and prev members of the
list to LIST_POISON1 and LIST_POISON2, respectively.

If later we end up calling drop_delayed_ref() against the ref, which can
happen during merging or when destroying delayed refs due to a transaction
abort, we can trigger a crash since at drop_delayed_ref() we call
list_empty() against the ref's add_list, which returns false since
the list was not reinitialized after the list_del() and as a consequence
we call list_del() again at drop_delayed_ref(). This results in an
invalid list access since the next and prev members are set to poison
pointers, resulting in a splat if CONFIG_LIST_HARDENED and
CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences
otherwise.

So fix this by deleting from the list with list_del_init() instead.

Fixes: 1d57ee9416 ("btrfs: improve delayed refs iterations")
CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:17 +01:00
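The list_del() versus list_del_init() behaviour described in the btrfs commit above, as an added userspace example that is not part of the commit or of the kernel source. The list helpers are a minimal model of the kernel's `struct list_head` API, the poison values are constructed stand-ins, and `drop_ref_model()` and `scenario()` are hypothetical names for the drop_delayed_ref() step the message describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the kernel's doubly linked list; not kernel code. */
struct list_head { struct list_head *next, *prev; };
/* Constructed stand-ins for LIST_POISON1 / LIST_POISON2. */
#define POISON1 ((struct list_head *)0x100)
#define POISON2 ((struct list_head *)0x122)

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void unlink_entry(struct list_head *e)
{
    e->next->prev = e->prev; e->prev->next = e->next;
}
/* list_del(): unlink, then poison the entry's own pointers. */
static void list_del(struct list_head *e) { unlink_entry(e); e->next = POISON1; e->prev = POISON2; }
/* list_del_init(): unlink, then make the entry an empty list again. */
static void list_del_init(struct list_head *e) { unlink_entry(e); init_list_head(e); }

enum drop_result { DROP_NOT_LISTED, DROP_UNLINKED, DROP_POISON_HIT };

/* Hypothetical model of the drop step: unlink from the add list only if
 * list_empty() says the ref is still on it. */
static enum drop_result drop_ref_model(struct list_head *add_list)
{
    if (list_empty(add_list))
        return DROP_NOT_LISTED;
    /* Same idea as a debug list check: refuse poisoned pointers
     * instead of dereferencing them in a second list_del(). */
    if (add_list->next == POISON1 || add_list->prev == POISON2)
        return DROP_POISON_HIT;
    list_del(add_list);
    return DROP_UNLINKED;
}

/* First removal happens in the insert path, then the drop path runs. */
enum drop_result scenario(bool use_list_del_init)
{
    struct list_head ref_add_list, ref; /* head's list and the ref's add_list */
    init_list_head(&ref_add_list);
    init_list_head(&ref);
    list_add(&ref, &ref_add_list);
    if (use_list_del_init) list_del_init(&ref); else list_del(&ref);
    return drop_ref_model(&ref);
}

int main(void)
{
    printf("list_del: %d, list_del_init: %d\n", scenario(false), scenario(true));
    return 0;
}
```

With list_del() the later list_empty() test returns false and the drop path reaches the poisoned pointers; with list_del_init() the entry reads as empty and the second removal is skipped.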
Mark Rutland
ba884534f1 arm64: Kconfig: Make SME depend on BROKEN for now
commit 81235ae0c846e1fb46a2c6fe9283fe2b2b24f7dc upstream.

Although support for SME was merged in v5.19, we've since uncovered a
number of issues with the implementation, including issues which might
corrupt the FPSIMD/SVE/SME state of arbitrary tasks. While there are
patches to address some of these issues, ongoing review has highlighted
additional functional problems, and more time is necessary to analyse
and fix these.

For now, mark SME as BROKEN in the hope that we can fix things properly
in the near future. As SME is an OPTIONAL part of ARMv9.2+, and there is
very little extant hardware, this should not adversely affect the vast
majority of users.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Cc: stable@vger.kernel.org # 5.19
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20241106164220.2789279-1-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:17 +01:00
Geliang Tang
aa3e68bd45 mptcp: use sock_kfree_s instead of kfree
commit 99635c91fb8b860a6404b9bc8b769df7bdaa2ae3 upstream.

The local address entries on userspace_pm_local_addr_list are allocated
by sock_kmalloc().

It's then required to use sock_kfree_s() instead of kfree() to free
these entries in order to adjust the allocated size on the sk side.

Fixes: 24430f8bf5 ("mptcp: add address into userspace pm list")
Cc: stable@vger.kernel.org
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20241104-net-mptcp-misc-6-12-v1-2-c13f2ff1656f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:16 +01:00
Stefan Wahren
2cf0e77f5a net: vertexcom: mse102x: Fix possible double free of TX skb
commit 1f26339b2ed63d1e8e18a18674fb73a392f3660e upstream.

The scope of the TX skb is wider than just mse102x_tx_frame_spi(),
so in case the TX skb room needs to be expanded, we should free
the temporary skb instead of the original skb. Otherwise the original
TX skb pointer would be freed again in mse102x_tx_work(), which leads
to crashes:

  Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP
  CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G      D            6.6.23
  Hardware name: chargebyte Charge SOM DC-ONE (DT)
  Workqueue: events mse102x_tx_work [mse102x]
  pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : skb_release_data+0xb8/0x1d8
  lr : skb_release_data+0x1ac/0x1d8
  sp : ffff8000819a3cc0
  x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0
  x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff
  x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50
  x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc
  x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000
  x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000
  x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8
  x8 : fffffc00001bc008
  x7 : 0000000000000000 x6 : 0000000000000008
  x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009
  x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000
  Call trace:
   skb_release_data+0xb8/0x1d8
   kfree_skb_reason+0x48/0xb0
   mse102x_tx_work+0x164/0x35c [mse102x]
   process_one_work+0x138/0x260
   worker_thread+0x32c/0x438
   kthread+0x118/0x11c
   ret_from_fork+0x10/0x20
  Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)

Cc: stable@vger.kernel.org
Fixes: 2f207cbf0d ("net: vertexcom: Add MSE102x SPI support")
Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Link: https://patch.msgid.link/20241105163101.33216-1-wahrenst@gmx.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:16 +01:00
Jinjie Ruan
424c4acb33 net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc()
commit 3b557be89fc688dbd9ccf704a70f7600a094f13a upstream.

The error path in t7xx_dpmaif_rx_buf_alloc() frees and unmaps the already
allocated and mapped skb in a loop, but the loop condition terminates when
the index reaches zero, which fails to free the first allocated skb at
index zero.

Check with i-- so that skb at index 0 is freed as well.

Cc: stable@vger.kernel.org
Fixes: d642b012df ("net: wwan: t7xx: Add data path interface")
Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://patch.msgid.link/20241101025316.3234023-1-ruanjinjie@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-14 13:15:16 +01:00
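The error-path unwind described in the t7xx commit above, as an added userspace example that is not the driver's code. The slot table, `fill_then_unwind()` and the forced failure index are constructed, and the `while (--i > 0)` form of the pre-fix loop is an assumption based on the commit text; only the `i--` check is taken from the message.

```c
#include <stdbool.h>
#include <stdio.h>

#define BUF_CNT 8                    /* constructed ring size */
static bool mapped[BUF_CNT];         /* true = skb allocated and mapped (modelled) */

static int count_mapped(void)
{
    int n = 0;
    for (int i = 0; i < BUF_CNT; i++)
        n += mapped[i];
    return n;
}

/* Fill slots in order; the allocation for slot fail_at fails (constructed
 * fault). Returns how many slots are still mapped when the function returns. */
int fill_then_unwind(int fail_at, bool fixed)
{
    int i;

    for (i = 0; i < BUF_CNT; i++)
        mapped[i] = false;
    for (i = 0; i < BUF_CNT; i++) {
        if (i == fail_at)
            goto err_unwind;
        mapped[i] = true;
    }
    return count_mapped();           /* success: all BUF_CNT slots in use */

err_unwind:
    if (fixed) {
        while (i--)                  /* visits i-1 ... 0 */
            mapped[i] = false;
    } else {
        while (--i > 0)              /* assumed pre-fix shape: visits i-1 ... 1 */
            mapped[i] = false;
    }
    return count_mapped();           /* anything left here is leaked */
}

int main(void)
{
    printf("leaked before fix: %d, after fix: %d\n",
           fill_then_unwind(5, false), fill_then_unwind(5, true));
    return 0;
}
```

Any failure after the first successful allocation leaves exactly one slot, index 0, behind in the pre-fix shape; a failure at index 0 leaks nothing in either variant.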