forked from aosp-mirror/kernel_common
Android14 5.15 #1
Draft
tbalden wants to merge 10,000 commits into tbalden:cleanslate-shusky-u from aosp-mirror:android14-5.15
tbalden pushed a commit that referenced this pull request on Nov 7, 2023

Thread #1:
[122554.641906][ T92] f2fs_getxattr+0xd4/0x5fc
   -> waiting for f2fs_down_read(&F2FS_I(inode)->i_xattr_sem);
[122554.641927][ T92] __f2fs_get_acl+0x50/0x284
[122554.641948][ T92] f2fs_init_acl+0x84/0x54c
[122554.641969][ T92] f2fs_init_inode_metadata+0x460/0x5f0
[122554.641990][ T92] f2fs_add_inline_entry+0x11c/0x350
   -> Locked dir->inode_page by f2fs_get_node_page()
[122554.642009][ T92] f2fs_do_add_link+0x100/0x1e4
[122554.642025][ T92] f2fs_create+0xf4/0x22c
[122554.642047][ T92] vfs_create+0x130/0x1f4

Thread #2:
[123996.386358][ T92] __get_node_page+0x8c/0x504
   -> waiting for dir->inode_page lock
[123996.386383][ T92] read_all_xattrs+0x11c/0x1f4
[123996.386405][ T92] __f2fs_setxattr+0xcc/0x528
[123996.386424][ T92] f2fs_setxattr+0x158/0x1f4
   -> f2fs_down_write(&F2FS_I(inode)->i_xattr_sem);
[123996.386443][ T92] __f2fs_set_acl+0x328/0x430
[123996.386618][ T92] f2fs_set_acl+0x38/0x50
[123996.386642][ T92] posix_acl_chmod+0xc8/0x1c8
[123996.386669][ T92] f2fs_setattr+0x5e0/0x6bc
[123996.386689][ T92] notify_change+0x4d8/0x580
[123996.386717][ T92] chmod_common+0xd8/0x184
[123996.386748][ T92] do_fchmodat+0x60/0x124
[123996.386766][ T92] __arm64_sys_fchmodat+0x28/0x3c

Bug: 305658663
Bug: 280545073
Fixes: 27161f1 "f2fs: avoid race in between read xattr & write xattr"
Cc: <stable@vger.kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 82d8a4f)
Change-Id: Iec383216e1887e11c69374d28e4ecdedda133919
(cherry picked from commit 0765cda)
tbalden pushed a commit that referenced this pull request on Dec 13, 2023

…cheduler"

See also commit 9102217.

Revert the code that sends requests back to the I/O scheduler if dispatching fails because it is suspected to have introduced the following BFQ crash:

==================================================================
BUG: KASAN: invalid-access in bfq_get_queue+0x500/0x560
Write at addr faffff8056fd8b30 by task Thread-11/27396
Pointer tag: [fa], memory tag: [fe]

CPU: 5 PID: 27396 Comm: Thread-11 Tainted: G S W OE 5.15.110-android14-7-00150-gf82b53108826-ab10234611 #1
Call trace:
 dump_backtrace+0xf8/0x1e8
 dump_stack_lvl+0x74/0xa4
 print_report+0x344/0x958
 kasan_report+0x90/0xe4
 __do_kernel_fault+0xc4/0x2ac
 do_bad_area+0x3c/0x154
 do_tag_check_fault+0x18/0x24
 do_mem_abort+0x60/0x134
 el1_abort+0x38/0x54
 el1h_64_sync_handler+0x54/0x88
 el1h_64_sync+0x78/0x7c
 bfq_get_queue+0x500/0x560
 bfq_insert_requests+0x98c/0x1474
 blk_mq_sched_insert_requests+0xec/0x334
 blk_mq_flush_plug_list+0x138/0x234
 blk_flush_plug_list+0x118/0x164
 read_pages+0x38c/0x408
 page_cache_ra_unbounded+0x22c/0x2f4
 do_sync_mmap_readahead+0x1a4/0x208
 filemap_fault+0x27c/0x8f4
 f2fs_filemap_fault+0x28/0xfc
 __do_fault+0xc0/0x204
 handle_pte_fault+0x28c/0xdf8
 do_handle_mm_fault+0x504/0x7b8
 do_page_fault+0x5dc/0x798
 do_translation_fault+0x40/0x54
 do_mem_abort+0x60/0x134
 el0_ia+0x74/0x158
 el0t_64_sync_handler+0xac/0xe4
 el0t_64_sync+0x1b0/0x1b4

The buggy address belongs to the object at ffffff8056fd8a50
 which belongs to the cache bfq_io_cq of size 232
The buggy address is located 224 bytes inside of
 232-byte region [ffffff8056fd8a50, ffffff8056fd8b38)

The buggy address belongs to the physical page:
page:00000000a0db99e0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xfaffff8056fd8a50 pfn:0xd6fd8
head:00000000a0db99e0 order:1 compound_mapcount:0
flags: 0x4000000000010200(slab|head|zone=1|kasantag=0x0)
raw: 4000000000010200 fffffffe2306b300 0000000400000004 f2ffff800a71f700
raw: faffff8056fd8a50 000000008022001d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffff8056fd8900: fe fe fe fe fe fe fd fd fd fd fd fd fd fd fd fd
 ffffff8056fd8a00: fd fd fd fd fd fe fe fe fe fe fe fe fe fe fe fe
>ffffff8056fd8b00: fe fe fe fe fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffffff8056fd8c00: fb fb fb f4 f4 f4 f4 f4 f4 f4 f4 f4 f4 f4 f4 f4
 ffffff8056fd8d00: f4 f4 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==================================================================

Bug: 285769645
Signed-off-by: Bart Van Assche <bvanassche@google.com>
(cherry picked from https://partner-android-review.googlesource.com/q/commit:9c9a32d53ed33cf623ea114c3ebc3bb45cafebe5)
Merged-In: Ia870feee81988ae47a2be0e1b145d18165588f8a
Change-Id: Ia870feee81988ae47a2be0e1b145d18165588f8a
tbalden pushed a commit that referenced this pull request on Dec 13, 2023

…inal issue

This reverts commit 27161f1 "f2fs: avoid race in between read xattr & write xattr".

That introduced a deadlock case:

Thread #1:
[122554.641906][ T92] f2fs_getxattr+0xd4/0x5fc
   -> waiting for f2fs_down_read(&F2FS_I(inode)->i_xattr_sem);
[122554.641927][ T92] __f2fs_get_acl+0x50/0x284
[122554.641948][ T92] f2fs_init_acl+0x84/0x54c
[122554.641969][ T92] f2fs_init_inode_metadata+0x460/0x5f0
[122554.641990][ T92] f2fs_add_inline_entry+0x11c/0x350
   -> Locked dir->inode_page by f2fs_get_node_page()
[122554.642009][ T92] f2fs_do_add_link+0x100/0x1e4
[122554.642025][ T92] f2fs_create+0xf4/0x22c
[122554.642047][ T92] vfs_create+0x130/0x1f4

Thread #2:
[123996.386358][ T92] __get_node_page+0x8c/0x504
   -> waiting for dir->inode_page lock
[123996.386383][ T92] read_all_xattrs+0x11c/0x1f4
[123996.386405][ T92] __f2fs_setxattr+0xcc/0x528
[123996.386424][ T92] f2fs_setxattr+0x158/0x1f4
   -> f2fs_down_write(&F2FS_I(inode)->i_xattr_sem);
[123996.386443][ T92] __f2fs_set_acl+0x328/0x430
[123996.386618][ T92] f2fs_set_acl+0x38/0x50
[123996.386642][ T92] posix_acl_chmod+0xc8/0x1c8
[123996.386669][ T92] f2fs_setattr+0x5e0/0x6bc
[123996.386689][ T92] notify_change+0x4d8/0x580
[123996.386717][ T92] chmod_common+0xd8/0x184
[123996.386748][ T92] do_fchmodat+0x60/0x124
[123996.386766][ T92] __arm64_sys_fchmodat+0x28/0x3c

Let's take a look at the original issue back.

Thread A:                                 Thread B:
-f2fs_getxattr
   -lookup_all_xattrs
      -xnid = F2FS_I(inode)->i_xattr_nid;
                                          -f2fs_setxattr
                                           -__f2fs_setxattr
                                             -write_all_xattrs
                                               -truncate_xattr_node
                                               ...  ...
                                          -write_checkpoint
                                               ...  ...
                                          -alloc_nid   <- nid reuse
      -get_node_page
         -f2fs_bug_on  <- nid != node_footer->nid

I think we don't need to truncate xattr pages eagerly which introduces lots of data races without big benefits.

Bug: 280545073
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/linux-f2fs-devel/20230613233940.3643362-1-jaegeuk@kernel.org/T/#u
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from https://android-review.googlesource.com/q/commit:674d8f63c2c4c47c91ce17d6f03f15551c3a92e5)
(cherry picked from https://partner-android-review.googlesource.com/q/commit:4267131147965dd25945d64c2f8678ffc1e32004)
Merged-In: Ifdbaf7defa50b479d82d2c945aa9d48e2e2317ed
Change-Id: Ifdbaf7defa50b479d82d2c945aa9d48e2e2317ed
tbalden pushed a commit that referenced this pull request on Dec 13, 2023

…inal issue

This reverts commit 27161f1 "f2fs: avoid race in between read xattr & write xattr".

That introduced a deadlock case:

Thread #1:
[122554.641906][ T92] f2fs_getxattr+0xd4/0x5fc
   -> waiting for f2fs_down_read(&F2FS_I(inode)->i_xattr_sem);
[122554.641927][ T92] __f2fs_get_acl+0x50/0x284
[122554.641948][ T92] f2fs_init_acl+0x84/0x54c
[122554.641969][ T92] f2fs_init_inode_metadata+0x460/0x5f0
[122554.641990][ T92] f2fs_add_inline_entry+0x11c/0x350
   -> Locked dir->inode_page by f2fs_get_node_page()
[122554.642009][ T92] f2fs_do_add_link+0x100/0x1e4
[122554.642025][ T92] f2fs_create+0xf4/0x22c
[122554.642047][ T92] vfs_create+0x130/0x1f4

Thread #2:
[123996.386358][ T92] __get_node_page+0x8c/0x504
   -> waiting for dir->inode_page lock
[123996.386383][ T92] read_all_xattrs+0x11c/0x1f4
[123996.386405][ T92] __f2fs_setxattr+0xcc/0x528
[123996.386424][ T92] f2fs_setxattr+0x158/0x1f4
   -> f2fs_down_write(&F2FS_I(inode)->i_xattr_sem);
[123996.386443][ T92] __f2fs_set_acl+0x328/0x430
[123996.386618][ T92] f2fs_set_acl+0x38/0x50
[123996.386642][ T92] posix_acl_chmod+0xc8/0x1c8
[123996.386669][ T92] f2fs_setattr+0x5e0/0x6bc
[123996.386689][ T92] notify_change+0x4d8/0x580
[123996.386717][ T92] chmod_common+0xd8/0x184
[123996.386748][ T92] do_fchmodat+0x60/0x124
[123996.386766][ T92] __arm64_sys_fchmodat+0x28/0x3c

Let's take a look at the original issue back.

Thread A:                                 Thread B:
-f2fs_getxattr
   -lookup_all_xattrs
      -xnid = F2FS_I(inode)->i_xattr_nid;
                                          -f2fs_setxattr
                                           -__f2fs_setxattr
                                             -write_all_xattrs
                                               -truncate_xattr_node
                                               ...  ...
                                          -write_checkpoint
                                               ...  ...
                                          -alloc_nid   <- nid reuse
      -get_node_page
         -f2fs_bug_on  <- nid != node_footer->nid

I think we don't need to truncate xattr pages eagerly which introduces lots of data races without big benefits.

Bug: 280545073
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/linux-f2fs-devel/20230613233940.3643362-1-jaegeuk@kernel.org/T/#u
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Change-Id: Ifdbaf7defa50b479d82d2c945aa9d48e2e2317ed
tbalden pushed a commit that referenced this pull request on Dec 13, 2023

[ Upstream commit 90cbed5 ]

If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which is actually skb->cb, and IPCB(skb_in)->opt will be used in __ip_options_echo. It is possible that memcpy is out of bounds and lead to stack overflow.
We should clear skb->cb before ip_local_out or ip6_local_out.

v2:
1. clean the stack info
2. use IPCB/IP6CB instead of skb->cb

crash on stable-5.10(reproduce in kasan kernel).
Stack info:
[ 2203.651571] BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x589/0x800
[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task swapper/3/0
[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted 5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
[ 2203.655475] Call Trace:
[ 2203.655481] <IRQ>
[ 2203.655501] dump_stack+0x9c/0xd3
[ 2203.655514] print_address_description.constprop.0+0x19/0x170
[ 2203.655530] __kasan_report.cold+0x6c/0x84
[ 2203.655586] kasan_report+0x3a/0x50
[ 2203.655594] check_memory_region+0xfd/0x1f0
[ 2203.655601] memcpy+0x39/0x60
[ 2203.655608] __ip_options_echo+0x589/0x800
[ 2203.655654] __icmp_send+0x59a/0x960
[ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
[ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT]
[ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables]
[ 2203.655821] nf_hook_slow+0x69/0x100
[ 2203.655828] __ip_local_out+0x21e/0x2b0
[ 2203.655857] ip_local_out+0x28/0x90
[ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
[ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
[ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
[ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
[ 2203.655984] xmit_one.constprop.0+0xe1/0x280
[ 2203.655992] dev_hard_start_xmit+0x62/0x100
[ 2203.656000] sch_direct_xmit+0x215/0x640
[ 2203.656028] __qdisc_run+0x153/0x1f0
[ 2203.656069] __dev_queue_xmit+0x77f/0x1030
[ 2203.656173] ip_finish_output2+0x59b/0xc20
[ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0
[ 2203.656312] ip_finish_output+0x168/0x190
[ 2203.656320] ip_output+0x12d/0x220
[ 2203.656357] __ip_queue_xmit+0x392/0x880
[ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0
[ 2203.656436] __tcp_retransmit_skb+0x475/0xa30
[ 2203.656505] tcp_retransmit_skb+0x2d/0x190
[ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0
[ 2203.656519] tcp_write_timer_handler+0x3ba/0x510
[ 2203.656529] tcp_write_timer+0x55/0x180
[ 2203.656542] call_timer_fn+0x3f/0x1d0
[ 2203.656555] expire_timers+0x160/0x200
[ 2203.656562] run_timer_softirq+0x1f4/0x480
[ 2203.656606] __do_softirq+0xfd/0x402
[ 2203.656613] asm_call_irq_on_stack+0x12/0x20
[ 2203.656617] </IRQ>
[ 2203.656623] do_softirq_own_stack+0x37/0x50
[ 2203.656631] irq_exit_rcu+0x134/0x1a0
[ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80
[ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 2203.656654] RIP: 0010:default_idle+0x13/0x20
[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX: ffffffffaf290191
[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI: ffff88811a3c4f60
[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88811a3c4f63
[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12: 0000000000000003
[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15: 0000000000000000
[ 2203.656729] default_idle_call+0x5a/0x150
[ 2203.656735] cpuidle_idle_call+0x1c6/0x220
[ 2203.656780] do_idle+0xab/0x100
[ 2203.656786] cpu_startup_entry+0x19/0x20
[ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb
[ 2203.657409] The buggy address belongs to the page:
[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a388
[ 2203.658665] flags: 0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208 0000000000000000
[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 2203.658686] page dumped because: kasan: bad access detected

To reproduce(ipvlan with IPVLAN_MODE_L3):
Env setting:
=======================================================
modprobe ipvlan ipvlan_default_mode=1
sysctl net.ipv4.conf.eth0.forwarding=1
iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j MASQUERADE
ip link add gw link eth0 type ipvlan
ip -4 addr add 20.0.0.254/24 dev gw
ip netns add net1
ip link add ipv1 link eth0 type ipvlan
ip link set ipv1 netns net1
ip netns exec net1 ip link set ipv1 up
ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
ip netns exec net1 route add default gw 20.0.0.254
ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
ifconfig gw up
iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with icmp-port-unreachable
=======================================================
And then execute the shell(curl any address of eth0 can reach):

for((i=1;i<=100000;i++))
do
        ip netns exec net1 curl x.x.x.x:8888
done
=======================================================

Bug: 289225588
Fixes: 2ad7bf3 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: "t.feng" <fengtao40@huawei.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 610a433)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I08a12f6e3b1614210867cd23e9071918dc380faf
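
A user-space model of the skb->cb reuse described in the commit message above, added here as an illustration; it is not code from the kernel or from the patch. The struct layouts, the offset of the qdisc's private data and all byte values are simplified assumptions constructed for the example.

```c
/* Added example: user-space model of stale skb->cb data being reinterpreted
 * by the IP layer. Layouts are simplified assumptions, not kernel structs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CB_SIZE        48  /* skb->cb[] scratch area shared by all layers */
#define QDISC_PRIV_OFF 8   /* assumed offset of the qdisc's private data */
#define MAX_IPOPTLEN   40  /* space reserved for echoed IP options */

struct model_skb {
    unsigned char cb[CB_SIZE];
    unsigned char nh[64];      /* network header and payload bytes */
};

/* Simplified stand-in for what IPCB(skb) exposes. */
struct ip_cb_view {
    int32_t  iif;
    uint32_t faddr, nexthop;
    uint8_t  optlen, srr, rr, ts;
};

/* Qdisc layer: stores its send time in cb, as fq_skb_cb(skb)->time_to_send. */
static void qdisc_enqueue(struct model_skb *skb, uint64_t time_to_send)
{
    memcpy(skb->cb + QDISC_PRIV_OFF, &time_to_send, sizeof(time_to_send));
}

/* IP layer: reads the same bytes back as option-parsing state. */
static struct ip_cb_view ipcb(const struct model_skb *skb)
{
    struct ip_cb_view v;

    memcpy(&v, skb->cb, sizeof(v));
    return v;
}

/*
 * Models the record-route step of an options echo: the option's offset comes
 * from cb and its length from the packet. Returns the number of bytes that
 * would be copied into a MAX_IPOPTLEN buffer, or -1 when the copy would run
 * past it. No copy is performed.
 */
static int echo_copy_len(const struct model_skb *skb)
{
    struct ip_cb_view v = ipcb(skb);
    size_t idx;

    if (v.optlen == 0)
        return 0;                    /* clean cb: nothing to echo */
    if (v.rr == 0)
        return 0;
    idx = (size_t)v.rr + 1;          /* length byte of the "option" */
    if (idx >= sizeof(skb->nh) || skb->nh[idx] > MAX_IPOPTLEN)
        return -1;
    return skb->nh[idx];
}

/* ipvlan handing the skb to ip_local_out(); clear_cb = 1 models the fix. */
static int local_out(struct model_skb *skb, int clear_cb)
{
    if (clear_cb)
        memset(skb->cb, 0, sizeof(struct ip_cb_view));
    return echo_copy_len(skb);
}

/* One packet's journey: qdisc enqueue, then back into the IP output path. */
static int run_case(int clear_cb)
{
    struct model_skb skb;

    memset(&skb, 0, sizeof(skb));
    memset(skb.nh, 0xC8, sizeof(skb.nh));        /* constructed packet bytes */
    qdisc_enqueue(&skb, 0x2a2a2a2a2a2a2a2aULL);  /* constructed timestamp */
    return local_out(&skb, clear_cb);
}

int main(void)
{
    printf("without clearing cb: %d\n", run_case(0));
    printf("with cb cleared:     %d\n", run_case(1));
    return 0;
}
```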
tbalden pushed a commit that referenced this pull request on Dec 13, 2023

Lockdep reports a circular lock dependency between the srcu and the config_lock:

[ 262.179917] -> #1 (&kvm->srcu){.+.+}-{0:0}:
[ 262.182010] __synchronize_srcu+0xb0/0x224
[ 262.183422] synchronize_srcu_expedited+0x24/0x34
[ 262.184554] kvm_io_bus_register_dev+0x324/0x50c
[ 262.185650] vgic_register_redist_iodev+0x254/0x398
[ 262.186740] vgic_v3_set_redist_base+0x3b0/0x724
[ 262.188087] kvm_vgic_addr+0x364/0x600
[ 262.189189] vgic_set_common_attr+0x90/0x544
[ 262.190278] vgic_v3_set_attr+0x74/0x9c
[ 262.191432] kvm_device_ioctl+0x2a0/0x4e4
[ 262.192515] __arm64_sys_ioctl+0x7ac/0x1ba8
[ 262.193612] invoke_syscall.constprop.0+0x70/0x1e0
[ 262.195006] do_el0_svc+0xe4/0x2d4
[ 262.195929] el0_svc+0x44/0x8c
[ 262.196917] el0t_64_sync_handler+0xf4/0x120
[ 262.198238] el0t_64_sync+0x190/0x194
[ 262.199224]
[ 262.199224] -> #0 (&kvm->arch.config_lock){+.+.}-{3:3}:
[ 262.201094] __lock_acquire+0x2b70/0x626c
[ 262.202245] lock_acquire+0x454/0x778
[ 262.203132] __mutex_lock+0x190/0x8b4
[ 262.204023] mutex_lock_nested+0x24/0x30
[ 262.205100] vgic_mmio_write_v3_misc+0x5c/0x2a0
[ 262.206178] dispatch_mmio_write+0xd8/0x258
[ 262.207498] __kvm_io_bus_write+0x1e0/0x350
[ 262.208582] kvm_io_bus_write+0xe0/0x1cc
[ 262.209653] io_mem_abort+0x2ac/0x6d8
[ 262.210569] kvm_handle_guest_abort+0x9b8/0x1f88
[ 262.211937] handle_exit+0xc4/0x39c
[ 262.212971] kvm_arch_vcpu_ioctl_run+0x90c/0x1c04
[ 262.214154] kvm_vcpu_ioctl+0x450/0x12f8
[ 262.215233] __arm64_sys_ioctl+0x7ac/0x1ba8
[ 262.216402] invoke_syscall.constprop.0+0x70/0x1e0
[ 262.217774] do_el0_svc+0xe4/0x2d4
[ 262.218758] el0_svc+0x44/0x8c
[ 262.219941] el0t_64_sync_handler+0xf4/0x120
[ 262.221110] el0t_64_sync+0x190/0x194

Note that the current report, which can be triggered by the vgic_irq kselftest, is a triple chain that includes slots_lock, but after inverting the slots_lock/config_lock dependency, the actual problem reported above remains.

In several places, the vgic code calls kvm_io_bus_register_dev(), which synchronizes the srcu, while holding config_lock (#1). And the MMIO handler takes the config_lock while holding the srcu read lock (#0).

Break dependency #1, by registering the distributor and redistributors without holding config_lock. The ITS also uses kvm_io_bus_register_dev() but already relies on slots_lock to serialize calls.

The distributor iodev is created on the first KVM_RUN call. Multiple threads will race for vgic initialization, and only the first one will see !vgic_ready() under the lock. To serialize those threads, rely on slots_lock rather than config_lock.

Redistributors are created earlier, through KVM_DEV_ARM_VGIC_GRP_ADDR ioctls and vCPU creation. Similarly, serialize the iodev creation with slots_lock, and the rest with config_lock.

Fixes: f003277 ("KVM: arm64: Use config_lock to protect vgic state")
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20230518100914.2837292-2-jean-philippe@linaro.org
(cherry picked from commit 59112e9)
Signed-off-by: Will Deacon <willdeacon@google.com>
Bug: 278750073
Change-Id: Ib3b4846646f148af95746d786fc55b589b3217b6
tbalden pushed a commit that referenced this pull request on Dec 13, 2023

syzbot found arm64 builds would crash in sock_recv_mark() when CONFIG_HARDENED_USERCOPY=y

x86 and powerpc are not detecting the issue because they define user_access_begin. This will be handled in a different patch, because a check_object_size() is missing.

Only data from skb->cb[] can be copied directly to/from user space, as explained in commit 79a8a64 ("net: Whitelist the skbuff_head_cache "cb" field")

syzbot report was:
usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102 !
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usercopy_abort+0x90/0x94 mm/usercopy.c:90
lr : usercopy_abort+0x90/0x94 mm/usercopy.c:90
sp : ffff80000fb9b9a0
x29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00
x26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000
x23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8
x20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000
x17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118
x14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400
x11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00
x8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c
Call trace:
 usercopy_abort+0x90/0x94 mm/usercopy.c:90
 __check_heap_object+0xa8/0x100 mm/slub.c:4761
 check_heap_object mm/usercopy.c:196 [inline]
 __check_object_size+0x208/0x6b8 mm/usercopy.c:251
 check_object_size include/linux/thread_info.h:199 [inline]
 __copy_to_user include/linux/uaccess.h:115 [inline]
 put_cmsg+0x408/0x464 net/core/scm.c:238
 sock_recv_mark net/socket.c:975 [inline]
 __sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984
 sock_recv_cmsgs include/net/sock.h:2728 [inline]
 packet_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482
 ____sys_recvmsg+0x110/0x3a0
 ___sys_recvmsg net/socket.c:2737 [inline]
 __sys_recvmsg+0x194/0x210 net/socket.c:2767
 __do_sys_recvmsg net/socket.c:2777 [inline]
 __se_sys_recvmsg net/socket.c:2774 [inline]
 __arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193
 el0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000)

Bug: 254441685
Fixes: 6fd1d51 ("net: SO_RCVMARK socket option for SO_MARK with recvmsg()")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Erin MacNeil <lnx.erin@gmail.com>
Reviewed-by: Alexander Lobakin <alexandr.lobakin@intel.com>
Link: https://lore.kernel.org/r/20230213160059.3829741-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 2558b80)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I5efc36c872cc640429a8ef538eb5ce043fc8dbb2
tbalden pushed a commit that referenced this pull request on Dec 13, 2023

When ufshcd_err_handler() is executed, CQ event interrupt can enter waiting for the same lock. This can happen in ufshcd_handle_mcq_cq_events() and also in ufs_mtk_mcq_intr(). The following warning message will be generated when &hwq->cq_lock is used in IRQ context with IRQ enabled. Use ufshcd_mcq_poll_cqe_lock() with spin_lock_irqsave instead of spin_lock to resolve the deadlock issue.

[name:lockdep&]WARNING: inconsistent lock state
[name:lockdep&]--------------------------------
[name:lockdep&]inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
[name:lockdep&]kworker/u16:4/260 [HC0[0]:SC0[0]:HE1:SE1] takes:
  ffffff8028444600 (&hwq->cq_lock){?.-.}-{2:2}, at: ufshcd_mcq_poll_cqe_lock+0x30/0xe0
[name:lockdep&]{IN-HARDIRQ-W} state was registered at:
  lock_acquire+0x17c/0x33c
  _raw_spin_lock+0x5c/0x7c
  ufshcd_mcq_poll_cqe_lock+0x30/0xe0
  ufs_mtk_mcq_intr+0x60/0x1bc [ufs_mediatek_mod]
  __handle_irq_event_percpu+0x140/0x3ec
  handle_irq_event+0x50/0xd8
  handle_fasteoi_irq+0x148/0x2b0
  generic_handle_domain_irq+0x4c/0x6c
  gic_handle_irq+0x58/0x134
  call_on_irq_stack+0x40/0x74
  do_interrupt_handler+0x84/0xe4
  el1_interrupt+0x3c/0x78
<snip>

Possible unsafe locking scenario:
       CPU0
       ----
  lock(&hwq->cq_lock);
  <Interrupt>
    lock(&hwq->cq_lock);
  *** DEADLOCK ***
2 locks held by kworker/u16:4/260:

[name:lockdep&]
 stack backtrace:
CPU: 7 PID: 260 Comm: kworker/u16:4 Tainted: G S W OE 6.1.17-mainline-android14-2-g277223301adb #1
Workqueue: ufs_eh_wq_0 ufshcd_err_handler
Call trace:
 dump_backtrace+0x10c/0x160
 show_stack+0x20/0x30
 dump_stack_lvl+0x98/0xd8
 dump_stack+0x20/0x60
 print_usage_bug+0x584/0x76c
 mark_lock_irq+0x488/0x510
 mark_lock+0x1ec/0x25c
 __lock_acquire+0x4d8/0xffc
 lock_acquire+0x17c/0x33c
 _raw_spin_lock+0x5c/0x7c
 ufshcd_mcq_poll_cqe_lock+0x30/0xe0
 ufshcd_poll+0x68/0x1b0
 ufshcd_transfer_req_compl+0x9c/0xc8
 ufshcd_err_handler+0x3bc/0xea0
 process_one_work+0x2f4/0x7e8
 worker_thread+0x234/0x450
 kthread+0x110/0x134
 ret_from_fork+0x10/0x20

Bug: 254441685
Fixes: ed97506 ("scsi: ufs: core: mcq: Add completion support in poll")
Reviewed-by: Can Guo <quic_cang@quicinc.com>
Reviewed-by: Stanley Chu <stanley.chu@mediatek.com>
Signed-off-by: Alice Chao <alice.chao@mediatek.com>
Link: https://lore.kernel.org/r/20230424080400.8955-1-alice.chao@mediatek.com
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 948afc6)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: If4af26c78561e0fd3f92bd039976380617cc3550
tbalden pushed a commit that referenced this pull request on Dec 13, 2023

When booting with 'kasan.vmalloc=off', a kernel configured with support for KASAN_HW_TAGS will explode at boot time due to bogus use of virt_to_page() on a vmalloc address. With CONFIG_DEBUG_VIRTUAL selected this will be reported explicitly, and with or without CONFIG_DEBUG_VIRTUAL the kernel will dereference a bogus address:

| ------------[ cut here ]------------
| virt_to_phys used for non-linear address: (____ptrval____) (0xffff800008000000)
| WARNING: CPU: 0 PID: 0 at arch/arm64/mm/physaddr.c:15 __virt_to_phys+0x78/0x80
| Modules linked in:
| CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.3.0-rc3-00073-g83865133300d-dirty aosp-mirror#4
| Hardware name: linux,dummy-virt (DT)
| pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : __virt_to_phys+0x78/0x80
| lr : __virt_to_phys+0x78/0x80
| sp : ffffcd076afd3c80
| x29: ffffcd076afd3c80 x28: 0068000000000f07 x27: ffff800008000000
| x26: fffffbfff0000000 x25: fffffbffff000000 x24: ff00000000000000
| x23: ffffcd076ad3c000 x22: fffffc0000000000 x21: ffff800008000000
| x20: ffff800008004000 x19: ffff800008000000 x18: ffff800008004000
| x17: 666678302820295f x16: ffffffffffffffff x15: 0000000000000004
| x14: ffffcd076b009e88 x13: 0000000000000fff x12: 0000000000000003
| x11: 00000000ffffefff x10: c0000000ffffefff x9 : 0000000000000000
| x8 : 0000000000000000 x7 : 205d303030303030 x6 : 302e30202020205b
| x5 : ffffcd076b41d63f x4 : ffffcd076afd3827 x3 : 0000000000000000
| x2 : 0000000000000000 x1 : ffffcd076afd3a30 x0 : 000000000000004f
| Call trace:
|  __virt_to_phys+0x78/0x80
|  __kasan_unpoison_vmalloc+0xd4/0x478
|  __vmalloc_node_range+0x77c/0x7b8
|  __vmalloc_node+0x54/0x64
|  init_IRQ+0x94/0xc8
|  start_kernel+0x194/0x420
|  __primary_switched+0xbc/0xc4
| ---[ end trace 0000000000000000 ]---
| Unable to handle kernel paging request at virtual address 03fffacbe27b8000
| Mem abort info:
|   ESR = 0x0000000096000004
|   EC = 0x25: DABT (current EL), IL = 32 bits
|   SET = 0, FnV = 0
|   EA = 0, S1PTW = 0
|   FSC = 0x04: level 0 translation fault
| Data abort info:
|   ISV = 0, ISS = 0x00000004
|   CM = 0, WnR = 0
| swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041bc5000
| [03fffacbe27b8000] pgd=0000000000000000, p4d=0000000000000000
| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
| Modules linked in:
| CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.3.0-rc3-00073-g83865133300d-dirty aosp-mirror#4
| Hardware name: linux,dummy-virt (DT)
| pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : __kasan_unpoison_vmalloc+0xe4/0x478
| lr : __kasan_unpoison_vmalloc+0xd4/0x478
| sp : ffffcd076afd3ca0
| x29: ffffcd076afd3ca0 x28: 0068000000000f07 x27: ffff800008000000
| x26: 0000000000000000 x25: 03fffacbe27b8000 x24: ff00000000000000
| x23: ffffcd076ad3c000 x22: fffffc0000000000 x21: ffff800008000000
| x20: ffff800008004000 x19: ffff800008000000 x18: ffff800008004000
| x17: 666678302820295f x16: ffffffffffffffff x15: 0000000000000004
| x14: ffffcd076b009e88 x13: 0000000000000fff x12: 0000000000000001
| x11: 0000800008000000 x10: ffff800008000000 x9 : ffffb2f8dee00000
| x8 : 000ffffb2f8dee00 x7 : 205d303030303030 x6 : 302e30202020205b
| x5 : ffffcd076b41d63f x4 : ffffcd076afd3827 x3 : 0000000000000000
| x2 : 0000000000000000 x1 : ffffcd076afd3a30 x0 : ffffb2f8dee00000
| Call trace:
|  __kasan_unpoison_vmalloc+0xe4/0x478
|  __vmalloc_node_range+0x77c/0x7b8
|  __vmalloc_node+0x54/0x64
|  init_IRQ+0x94/0xc8
|  start_kernel+0x194/0x420
|  __primary_switched+0xbc/0xc4
| Code: d34cfc08 aa1f03fa 8b081b39 d503201f (f9400328)
| ---[ end trace 0000000000000000 ]---
| Kernel panic - not syncing: Attempted to kill the idle task!

This is because init_vmalloc_pages() erroneously calls virt_to_page() on a vmalloc address, while virt_to_page() is only valid for addresses in the linear/direct map. Since init_vmalloc_pages() expects virtual addresses in the vmalloc range, it must use vmalloc_to_page() rather than virt_to_page().

We call init_vmalloc_pages() from __kasan_unpoison_vmalloc(), where we check !is_vmalloc_or_module_addr(), suggesting that we might encounter a non-vmalloc address. Luckily, this never happens. By design, we only call __kasan_unpoison_vmalloc() on pointers in the vmalloc area, and I have verified that we don't violate that expectation. Given that, is_vmalloc_or_module_addr() must always be true for any legitimate argument to __kasan_unpoison_vmalloc().

Correct init_vmalloc_pages() to use vmalloc_to_page(), and remove the redundant and misleading use of is_vmalloc_or_module_addr() in __kasan_unpoison_vmalloc().

Bug: 254441685
Link: https://lkml.kernel.org/r/20230418164212.1775741-1-mark.rutland@arm.com
Fixes: 6c2f761 ("kasan: fix zeroing vmalloc memory with HW_TAGS")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Marco Elver <elver@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 29083fd)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I64bebeea4b1625e8f648ef6f99b99cc1dd4e6faa
tbalden pushed a commit that referenced this pull request on Dec 13, 2023

Thread #1:
[122554.641906][ T92] f2fs_getxattr+0xd4/0x5fc
   -> waiting for f2fs_down_read(&F2FS_I(inode)->i_xattr_sem);
[122554.641927][ T92] __f2fs_get_acl+0x50/0x284
[122554.641948][ T92] f2fs_init_acl+0x84/0x54c
[122554.641969][ T92] f2fs_init_inode_metadata+0x460/0x5f0
[122554.641990][ T92] f2fs_add_inline_entry+0x11c/0x350
   -> Locked dir->inode_page by f2fs_get_node_page()
[122554.642009][ T92] f2fs_do_add_link+0x100/0x1e4
[122554.642025][ T92] f2fs_create+0xf4/0x22c
[122554.642047][ T92] vfs_create+0x130/0x1f4

Thread #2:
[123996.386358][ T92] __get_node_page+0x8c/0x504
   -> waiting for dir->inode_page lock
[123996.386383][ T92] read_all_xattrs+0x11c/0x1f4
[123996.386405][ T92] __f2fs_setxattr+0xcc/0x528
[123996.386424][ T92] f2fs_setxattr+0x158/0x1f4
   -> f2fs_down_write(&F2FS_I(inode)->i_xattr_sem);
[123996.386443][ T92] __f2fs_set_acl+0x328/0x430
[123996.386618][ T92] f2fs_set_acl+0x38/0x50
[123996.386642][ T92] posix_acl_chmod+0xc8/0x1c8
[123996.386669][ T92] f2fs_setattr+0x5e0/0x6bc
[123996.386689][ T92] notify_change+0x4d8/0x580
[123996.386717][ T92] chmod_common+0xd8/0x184
[123996.386748][ T92] do_fchmodat+0x60/0x124
[123996.386766][ T92] __arm64_sys_fchmodat+0x28/0x3c

Bug: 280545073
Fixes: 27161f1 "f2fs: avoid race in between read xattr & write xattr"
Cc: <stable@vger.kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 82d8a4f)
Change-Id: Iec383216e1887e11c69374d28e4ecdedda133919
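
The deadlock in the two f2fs traces above and the srcu/config_lock report in the KVM commit earlier on this page are both lock-ordering cycles. The following C program is an added illustration, not code from the kernel, lockdep or either patch: it replays the acquisition orders shown in those traces through a small order-graph checker. The lock ids, the `f2fs_replay`/`kvm_replay` helpers and the treatment of synchronize_srcu() as an acquisition are assumptions made for the example.

```c
/* Added example: minimal lock-order (ABBA) checker replaying the lock
 * sequences from the traces on this page. Not kernel or lockdep code. */
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8

/* Lock classes named after the traces; the numeric ids are arbitrary. */
enum { INODE_PAGE, XATTR_SEM, KVM_SRCU, CONFIG_LOCK, SLOTS_LOCK };

/* dep[a][b] != 0 means: some task acquired b while already holding a. */
static unsigned char dep[MAX_LOCKS][MAX_LOCKS];

struct task {
    int held[MAX_LOCKS];
    int n;
};

/* Depth-first search: is there a recorded ordering path from -> ... -> to? */
static int reachable(int from, int to, unsigned seen)
{
    if (from == to)
        return 1;
    seen |= 1u << from;
    for (int i = 0; i < MAX_LOCKS; i++)
        if (dep[from][i] && !(seen & (1u << i)) && reachable(i, to, seen))
            return 1;
    return 0;
}

/* Record the acquisition; return 1 if it closes a cycle in the order graph.
 * The inversion is flagged even if this particular run would not hang. */
static int lock_acquire(struct task *t, int lock)
{
    int inversion = 0;

    for (int i = 0; i < t->n; i++) {
        if (reachable(lock, t->held[i], 0))
            inversion = 1;           /* reverse order was seen before */
        dep[t->held[i]][lock] = 1;
    }
    if (t->n < MAX_LOCKS)
        t->held[t->n++] = lock;
    return inversion;
}

/* The two f2fs threads from the trace. Returns 1 when a cycle is found. */
static int f2fs_replay(void)
{
    struct task t1 = {0}, t2 = {0};
    int bad = 0;

    memset(dep, 0, sizeof(dep));
    /* Thread #1 (create): dir->inode_page locked, then i_xattr_sem wanted. */
    bad |= lock_acquire(&t1, INODE_PAGE);
    bad |= lock_acquire(&t1, XATTR_SEM);
    /* Thread #2 (chmod): i_xattr_sem held, then dir->inode_page wanted. */
    bad |= lock_acquire(&t2, XATTR_SEM);
    bad |= lock_acquire(&t2, INODE_PAGE);
    return bad;
}

/* The KVM report; fixed = 1 registers the iodev under slots_lock instead. */
static int kvm_replay(int fixed)
{
    struct task setup = {0}, vcpu = {0};
    int bad = 0;

    memset(dep, 0, sizeof(dep));
    /* #1: registration synchronizes the srcu while holding a mutex. */
    bad |= lock_acquire(&setup, fixed ? SLOTS_LOCK : CONFIG_LOCK);
    bad |= lock_acquire(&setup, KVM_SRCU);
    /* #0: MMIO handler takes config_lock inside the srcu read section. */
    bad |= lock_acquire(&vcpu, KVM_SRCU);
    bad |= lock_acquire(&vcpu, CONFIG_LOCK);
    return bad;
}

int main(void)
{
    printf("f2fs inode_page/i_xattr_sem cycle: %d\n", f2fs_replay());
    printf("kvm srcu/config_lock cycle:        %d\n", kvm_replay(0));
    printf("kvm with slots_lock registration:  %d\n", kvm_replay(1));
    return 0;
}
```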
tbalden pushed a commit that referenced this pull request Dec 13, 2023

[ Upstream commit 6eaf41e ]

Skip bound chain when flushing table rules, the rule that owns this chain releases these objects.

Otherwise, the following warning is triggered:

  WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
  CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1
  RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]

Bug: 294357305
Fixes: d0e2c7d ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Reported-by: Kevin Rich <kevinrich1337@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit e18922c)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I48f43d0ce3410efec2513479a1f4c7708a097b01
tbalden pushed a commit that referenced this pull request Sep 21, 2024

… lock.

[ Upstream commit 9841991 ]

Billy Jheng Bing-Jhong reported a race between __unix_gc() and queue_oob().

__unix_gc() tries to garbage-collect close()d inflight sockets, and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC will drop the reference and set NULL to it locklessly.

However, the peer socket still can send MSG_OOB message and queue_oob() can update unix_sk(sk)->oob_skb concurrently, leading NULL pointer dereference. [0]

To fix the issue, let's update unix_sk(sk)->oob_skb under the sk_receive_queue's lock and take it everywhere we touch oob_skb.

Note that we defer kfree_skb() in manage_oob() to silence lockdep false-positive (See [1]).

[0]:
  BUG: kernel NULL pointer dereference, address: 0000000000000008
  PF: supervisor write access in kernel mode
  PF: error_code(0x0002) - not-present page
  PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0
  Oops: 0002 [#1] PREEMPT SMP PTI
  CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
  Workqueue: events delayed_fput
  RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)
  Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc
  RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002
  RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9
  RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00
  RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001
  R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00
  R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80
  FS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0
  PKRU: 55555554
  Call Trace:
   <TASK>
   unix_release_sock (net/unix/af_unix.c:654)
   unix_release (net/unix/af_unix.c:1050)
   __sock_release (net/socket.c:660)
   sock_close (net/socket.c:1423)
   __fput (fs/file_table.c:423)
   delayed_fput (fs/file_table.c:444 (discriminator 3))
   process_one_work (kernel/workqueue.c:3259)
   worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
   kthread (kernel/kthread.c:388)
   ret_from_fork (arch/x86/kernel/process.c:153)
   ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
   </TASK>
  Modules linked in:
  CR2: 0000000000000008

Bug: 342490466
Bug: 351700379
Link: https://lore.kernel.org/netdev/a00d3993-c461-43f2-be6d-07259c98509a@rbox.co/ [1]
Fixes: 1279f9d ("af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.")
Reported-by: Billy Jheng Bing-Jhong <billy@starlabs.sg>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240516134835.8332-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 518a994)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ibf78b113496b5388a63207e7e582f77ddda8dec5
(cherry picked from commit 685a016)
Signed-off-by: Pindar Yang <pindaryang@google.com>
tbalden pushed a commit that referenced this pull request Oct 28, 2024

[ Upstream commit 3d887d5 ]

As drm_dp_get_mst_branch_device_by_guid() is called from drm_dp_get_mst_branch_device_by_guid(), mstb parameter has to be checked, otherwise NULL dereference may occur in the call to the memcpy() and cause following:

  [12579.365869] BUG: kernel NULL pointer dereference, address: 0000000000000049
  [12579.365878] #PF: supervisor read access in kernel mode
  [12579.365880] #PF: error_code(0x0000) - not-present page
  [12579.365882] PGD 0 P4D 0
  [12579.365887] Oops: 0000 [#1] PREEMPT SMP NOPTI
  ...
  [12579.365895] Workqueue: events_long drm_dp_mst_up_req_work
  [12579.365899] RIP: 0010:memcmp+0xb/0x29
  [12579.365921] Call Trace:
  [12579.365927] get_mst_branch_device_by_guid_helper+0x22/0x64
  [12579.365930] drm_dp_mst_up_req_work+0x137/0x416
  [12579.365933] process_one_work+0x1d0/0x419
  [12579.365935] worker_thread+0x11a/0x289
  [12579.365938] kthread+0x13e/0x14f
  [12579.365941] ? process_one_work+0x419/0x419
  [12579.365943] ? kthread_blkcg+0x31/0x31
  [12579.365946] ret_from_fork+0x1f/0x30

As get_mst_branch_device_by_guid_helper() is recursive, moving condition to the first line allow to remove a similar one for step over of NULL elements inside a loop.

Fixes: 5e93b82 ("drm/dp/mst: move GUID storage from mgr, port to only mst branch")
Cc: <stable@vger.kernel.org> # 4.14+
Signed-off-by: Lukasz Majczak <lma@semihalf.com>
Reviewed-by: Radoslaw Biernacki <rad@chromium.org>
Signed-off-by: Manasi Navare <navaremanasi@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20230922063410.23626-1-lma@semihalf.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024

commit babddbf upstream.

when the checked address is illegal, the corresponding shadow address from kasan_mem_to_shadow may have no mapping in mmu table. Access such shadow address causes kernel oops. Here is a sample about oops on arm64(VA 39bit) with KASAN_SW_TAGS and KASAN_OUTLINE on:

  [ffffffb80aaaaaaa] pgd=000000005d3ce003, p4d=000000005d3ce003, pud=000000005d3ce003, pmd=0000000000000000
  Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
  Modules linked in:
  CPU: 3 PID: 100 Comm: sh Not tainted 6.6.0-rc1-dirty #43
  Hardware name: linux,dummy-virt (DT)
  pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : __hwasan_load8_noabort+0x5c/0x90
  lr : do_ib_ob+0xf4/0x110

ffffffb80aaaaaaa is the shadow address for efffff80aaaaaaaa. The problem is reading invalid shadow in kasan_check_range.

The generic kasan also has similar oops.

It only reports the shadow address which causes oops but not the original address.

Commit 2f004ee ("x86/kasan: Print original address on #GP") introduce to kasan_non_canonical_hook but limit it to KASAN_INLINE.

This patch extends it to KASAN_OUTLINE mode.

Link: https://lkml.kernel.org/r/20231009073748.159228-1-haibo.li@mediatek.com
Fixes: 2f004ee ("x86/kasan: Print original address on #GP")
Signed-off-by: Haibo Li <haibo.li@mediatek.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Haibo Li <haibo.li@mediatek.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024

commit bc056e7 upstream.

When we calculate the end position of ext4_free_extent, this position may be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not the first case of adjusting the best extent, that is, new_bex_end > 0, the following BUG_ON will be triggered:

  =========================================================
  kernel BUG at fs/ext4/mballoc.c:5116!
  invalid opcode: 0000 [#1] PREEMPT SMP PTI
  CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279
  RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430
  Call Trace:
   <TASK>
   ext4_mb_use_best_found+0x203/0x2f0
   ext4_mb_try_best_found+0x163/0x240
   ext4_mb_regular_allocator+0x158/0x1550
   ext4_mb_new_blocks+0x86a/0xe10
   ext4_ext_map_blocks+0xb0c/0x13a0
   ext4_map_blocks+0x2cd/0x8f0
   ext4_iomap_begin+0x27b/0x400
   iomap_iter+0x222/0x3d0
   __iomap_dio_rw+0x243/0xcb0
   iomap_dio_rw+0x16/0x80
  =========================================================

A simple reproducer demonstrating the problem:

  mkfs.ext4 -F /dev/sda -b 4096 100M
  mount /dev/sda /tmp/test
  fallocate -l1M /tmp/test/tmp
  fallocate -l10M /tmp/test/file
  fallocate -i -o 1M -l16777203M /tmp/test/file
  fsstress -d /tmp/test -l 0 -n 100000 -p 8 &
  sleep 10 && killall -9 fsstress
  rm -f /tmp/test/tmp
  xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192"

We simply refactor the logic for adjusting the best extent by adding a temporary ext4_free_extent ex and use extent_logical_end() to avoid overflow, which also simplifies the code.

Cc: stable@kernel.org # 6.4
Fixes: 93cdf49 ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20230724121059.11834-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
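The wraparound described in the ext4 commit message above, as an added example that is not part of the commit or of the kernel source. `lblk_t`, `struct extent` and the four helper functions are hypothetical stand-ins; computing the end in 64 bits is an assumption about how an overflow-safe helper avoids the wrap, and the containment check generalizes the commit's single case to any range comparison made on a wrapped end.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for ext4_lblk_t, which the commit message describes as "uint". */
typedef uint32_t lblk_t;

/* Simplified stand-in for an extent: first logical block and length in blocks. */
struct extent {
    lblk_t logical;
    lblk_t len;
};

/* End computed in the 32-bit block type: wraps to a small value at 2^32. */
static lblk_t end_narrow(const struct extent *ex)
{
    return (lblk_t)(ex->logical + ex->len);
}

/* End computed in 64 bits (assumed shape of an overflow-safe helper). */
static uint64_t end_wide(const struct extent *ex)
{
    return (uint64_t)ex->logical + ex->len;
}

/* "inner lies inside outer", decided on wrapped 32-bit ends. */
static bool contains_narrow(const struct extent *outer, const struct extent *inner)
{
    return inner->logical >= outer->logical &&
           end_narrow(inner) <= end_narrow(outer);
}

/* The same check on 64-bit ends, which cannot wrap for 32-bit inputs. */
static bool contains_wide(const struct extent *outer, const struct extent *inner)
{
    return inner->logical >= outer->logical &&
           end_wide(inner) <= end_wide(outer);
}

/* Values from the commit message: start 4294965248, length 2048. */
static const struct extent GOAL = { 4294965248u, 2048u };
/* Constructed sample: an extent that really is inside GOAL. */
static const struct extent BEST = { 4294965760u, 1024u };
/* Constructed control pair far from the 2^32 boundary. */
static const struct extent LOW_GOAL = { 1000u, 2048u };
static const struct extent LOW_BEST = { 1512u, 1024u };

int main(void)
{
    printf("goal end, 32-bit: %" PRIu32 "\n", end_narrow(&GOAL));
    printf("goal end, 64-bit: 0x%" PRIx64 "\n", end_wide(&GOAL));
    printf("best inside goal (32-bit ends): %s\n",
           contains_narrow(&GOAL, &BEST) ? "yes" : "no");
    printf("best inside goal (64-bit ends): %s\n",
           contains_wide(&GOAL, &BEST) ? "yes" : "no");
    printf("control pair agrees: %s\n",
           contains_narrow(&LOW_GOAL, &LOW_BEST) ==
           contains_wide(&LOW_GOAL, &LOW_BEST) ? "yes" : "no");
    return 0;
}
```

A sanity check that holds for every valid extent pair with 64-bit ends fails on the 32-bit ends only when the outer range touches the top of the block number space, which is why the assertion fires on some allocations and not others.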
tbalden pushed a commit that referenced this pull request Oct 28, 2024

commit 6c2f421 upstream.

Several core drivers and buses expect that driver_override is a dynamically allocated memory thus later they can kfree() it.

However such assumption is not documented, there were in the past and there are already users setting it to a string literal. This leads to kfree() of static memory during device release (e.g. in error paths or during unbind):

  kernel BUG at ../mm/slub.c:3960!
  Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
  ...
  (kfree) from [<c058da50>] (platform_device_release+0x88/0xb4)
  (platform_device_release) from [<c0585be0>] (device_release+0x2c/0x90)
  (device_release) from [<c0a69050>] (kobject_put+0xec/0x20c)
  (kobject_put) from [<c0f2f120>] (exynos5_clk_probe+0x154/0x18c)
  (exynos5_clk_probe) from [<c058de70>] (platform_drv_probe+0x6c/0xa4)
  (platform_drv_probe) from [<c058b7ac>] (really_probe+0x280/0x414)
  (really_probe) from [<c058baf4>] (driver_probe_device+0x78/0x1c4)
  (driver_probe_device) from [<c0589854>] (bus_for_each_drv+0x74/0xb8)
  (bus_for_each_drv) from [<c058b48c>] (__device_attach+0xd4/0x16c)
  (__device_attach) from [<c058a638>] (bus_probe_device+0x88/0x90)
  (bus_probe_device) from [<c05871fc>] (device_add+0x3dc/0x62c)
  (device_add) from [<c075ff10>] (of_platform_device_create_pdata+0x94/0xbc)
  (of_platform_device_create_pdata) from [<c07600ec>] (of_platform_bus_create+0x1a8/0x4fc)
  (of_platform_bus_create) from [<c0760150>] (of_platform_bus_create+0x20c/0x4fc)
  (of_platform_bus_create) from [<c07605f0>] (of_platform_populate+0x84/0x118)
  (of_platform_populate) from [<c0f3c964>] (of_platform_default_populate_init+0xa0/0xb8)
  (of_platform_default_populate_init) from [<c01031f8>] (do_one_initcall+0x8c/0x404)

Provide a helper which clearly documents the usage of driver_override. This will allow later to reuse the helper and reduce the amount of duplicated code.

Convert the platform driver to use a new helper and make the driver_override field const char (it is not modified by the core).

Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20220419113435.246203-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024

[ Upstream commit daa9ada ]

Erhard reported that his G5 was crashing with v6.6-rc kernels:

  mpic: Setting up HT PICs workarounds for U3/U4
  BUG: Unable to handle kernel data access at 0xfeffbb62ffec65fe
  Faulting instruction address: 0xc00000000005dc40
  Oops: Kernel access of bad area, sig: 11 [#1]
  BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac
  Modules linked in:
  CPU: 0 PID: 0 Comm: swapper/0 Tainted: G T 6.6.0-rc3-PMacGS #1
  Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac
  NIP: c00000000005dc40 LR: c000000000066660 CTR: c000000000007730
  REGS: c0000000022bf510 TRAP: 0380 Tainted: G T (6.6.0-rc3-PMacGS)
  MSR: 9000000000001032 <SF,HV,ME,IR,DR,RI> CR: 44004242 XER: 00000000
  IRQMASK: 3
  GPR00: 0000000000000000 c0000000022bf7b0 c0000000010c0b00 00000000000001ac
  GPR04: 0000000003c80000 0000000000000300 c0000000f20001ae 0000000000000300
  GPR08: 0000000000000006 feffbb62ffec65ff 0000000000000001 0000000000000000
  GPR12: 9000000000001032 c000000002362000 c000000000f76b80 000000000349ecd8
  GPR16: 0000000002367ba8 0000000002367f08 0000000000000006 0000000000000000
  GPR20: 00000000000001ac c000000000f6f920 c0000000022cd985 000000000000000c
  GPR24: 0000000000000300 00000003b0a3691d c0003e008030000e 0000000000000000
  GPR28: c00000000000000c c0000000f20001ee feffbb62ffec65fe 00000000000001ac
  NIP hash_page_do_lazy_icache+0x50/0x100
  LR __hash_page_4K+0x420/0x590
  Call Trace:
    hash_page_mm+0x364/0x6f0
    do_hash_fault+0x114/0x2b0
    data_access_common_virt+0x198/0x1f0
  --- interrupt: 300 at mpic_init+0x4bc/0x10c4
  NIP: c000000002020a5c LR: c000000002020a04 CTR: 0000000000000000
  REGS: c0000000022bf9f0 TRAP: 0300 Tainted: G T (6.6.0-rc3-PMacGS)
  MSR: 9000000000001032 <SF,HV,ME,IR,DR,RI> CR: 24004248 XER: 00000000
  DAR: c0003e008030000e DSISR: 40000000 IRQMASK: 1
  ...
  NIP mpic_init+0x4bc/0x10c4
  LR mpic_init+0x464/0x10c4
  --- interrupt: 300
    pmac_setup_one_mpic+0x258/0x2dc
    pmac_pic_init+0x28c/0x3d8
    init_IRQ+0x90/0x140
    start_kernel+0x57c/0x78c
    start_here_common+0x1c/0x20

A bisect pointed to the breakage beginning with commit 9fee28b ("powerpc: implement the new page table range API").

Analysis of the oops pointed to a struct page with a corrupted compound_head being loaded via page_folio() -> _compound_head() in hash_page_do_lazy_icache().

The access by the mpic code is to an MMIO address, so the expectation is that the struct page for that address would be initialised by init_unavailable_range(), as pointed out by Aneesh.

Instrumentation showed that was not the case, which eventually led to the realisation that pfn_valid() was returning false for that address, causing the struct page to not be initialised.

Because the system is using FLATMEM, the version of pfn_valid() in memory_model.h is used:

  static inline int pfn_valid(unsigned long pfn)
  {
    ...
    return pfn >= pfn_offset && (pfn - pfn_offset) < max_mapnr;
  }

Which relies on max_mapnr being initialised. Early in boot max_mapnr is zero meaning no PFNs are valid.

max_mapnr is initialised in mem_init() called via:

  start_kernel()
    mm_core_init()  # init/main.c:928
      mem_init()

But that is too late for the usage in init_unavailable_range() called via:

  start_kernel()
    setup_arch()    # init/main.c:893
      paging_init()
        free_area_init()
          init_unavailable_range()

Although max_mapnr is currently set in mem_init(), the value is actually already available much earlier, as soon as mem_topology_setup() has completed, which is also before paging_init() is called. So move the initialisation there, which causes paging_init() to correctly initialise the struct page and fixes the bug.

This bug seems to have been lurking for years, but went unnoticed because the pre-folio code was inspecting the uninitialised page->flags but not dereferencing it.

Thanks to Erhard and Aneesh for help debugging.

Reported-by: Erhard Furtner <erhard_f@mailbox.org>
Closes: https://lore.kernel.org/all/20230929132750.3cd98452@yea/
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231023112500.1550208-1-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024

[ Upstream commit 4428399 ]

The lt8912b driver, in its bridge detach function, calls drm_connector_unregister() and drm_connector_cleanup().

drm_connector_unregister() should be called only for connectors explicitly registered with drm_connector_register(), which is not the case in lt8912b.

The driver's drm_connector_funcs.destroy hook is set to drm_connector_cleanup().

Thus the driver should not call either drm_connector_unregister() nor drm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a crash on bridge detach:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
  Mem abort info:
    ESR = 0x0000000096000006
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x06: level 2 translation fault
  Data abort info:
    ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
    CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
  user pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000
  [0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000
  Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
  Modules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks
  CPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2
  Hardware name: Toradex Verdin AM62 on Verdin Development Board (DT)
  pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : drm_connector_cleanup+0x78/0x2d4 [drm]
  lr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]
  sp : ffff800082ed3a90
  x29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000
  x26: 0000000000000000 x25: dead000000000122 x24: dead000000000122
  x23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000
  x20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8
  x17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038
  x14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e
  x11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48
  x8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0
  x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008
  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
  Call trace:
   drm_connector_cleanup+0x78/0x2d4 [drm]
   lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]
   drm_bridge_detach+0x44/0x84 [drm]
   drm_encoder_cleanup+0x40/0xb8 [drm]
   drmm_encoder_alloc_release+0x1c/0x30 [drm]
   drm_managed_release+0xac/0x148 [drm]
   drm_dev_put.part.0+0x88/0xb8 [drm]
   devm_drm_dev_init_release+0x14/0x24 [drm]
   devm_action_release+0x14/0x20
   release_nodes+0x5c/0x90
   devres_release_all+0x8c/0xe0
   device_unbind_cleanup+0x18/0x68
   device_release_driver_internal+0x208/0x23c
   driver_detach+0x4c/0x94
   bus_remove_driver+0x70/0xf4
   driver_unregister+0x30/0x60
   platform_driver_unregister+0x14/0x20
   tidss_platform_driver_exit+0x18/0xb2c [tidss]
   __arm64_sys_delete_module+0x1a0/0x2b4
   invoke_syscall+0x48/0x110
   el0_svc_common.constprop.0+0x60/0x10c
   do_el0_svc_compat+0x1c/0x40
   el0_svc_compat+0x40/0xac
   el0t_32_sync_handler+0xb0/0x138
   el0t_32_sync+0x194/0x198
  Code: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)

Fixes: 30e2ae9 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge")
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Reviewed-by: Robert Foss <rfoss@kernel.org>
Signed-off-by: Robert Foss <rfoss@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20230804-lt8912b-v1-2-c542692c6a2f@ideasonboard.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024

[ Upstream commit 265f3ed ]

All callers of work_on_cpu() share the same lock class key for all the functions queued. As a result the workqueue related locking scenario for a function A may be spuriously accounted as an inversion against the locking scenario of function B such as in the following model:

  long A(void *arg)
  {
    mutex_lock(&mutex);
    mutex_unlock(&mutex);
  }

  long B(void *arg)
  {
  }

  void launchA(void)
  {
    work_on_cpu(0, A, NULL);
  }

  void launchB(void)
  {
    mutex_lock(&mutex);
    work_on_cpu(1, B, NULL);
    mutex_unlock(&mutex);
  }

launchA and launchB running concurrently have no chance to deadlock. However the above can be reported by lockdep as a possible locking inversion because the works containing A() and B() are treated as belonging to the same locking class.

The following shows an existing example of such a spurious lockdep splat:

  ======================================================
  WARNING: possible circular locking dependency detected
  6.6.0-rc1-00065-g934ebd6e5359 #35409 Not tainted
  ------------------------------------------------------
  kworker/0:1/9 is trying to acquire lock:
  ffffffff9bc72f30 (cpu_hotplug_lock){++++}-{0:0}, at: _cpu_down+0x57/0x2b0

  but task is already holding lock:
  ffff9e3bc0057e60 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: process_scheduled_works+0x216/0x500

  which lock already depends on the new lock.

  the existing dependency chain (in reverse order) is:

  -> #2 ((work_completion)(&wfc.work)){+.+.}-{0:0}:
    __flush_work+0x83/0x4e0
    work_on_cpu+0x97/0xc0
    rcu_nocb_cpu_offload+0x62/0xb0
    rcu_nocb_toggle+0xd0/0x1d0
    kthread+0xe6/0x120
    ret_from_fork+0x2f/0x40
    ret_from_fork_asm+0x1b/0x30

  -> #1 (rcu_state.barrier_mutex){+.+.}-{3:3}:
    __mutex_lock+0x81/0xc80
    rcu_nocb_cpu_deoffload+0x38/0xb0
    rcu_nocb_toggle+0x144/0x1d0
    kthread+0xe6/0x120
    ret_from_fork+0x2f/0x40
    ret_from_fork_asm+0x1b/0x30

  -> #0 (cpu_hotplug_lock){++++}-{0:0}:
    __lock_acquire+0x1538/0x2500
    lock_acquire+0xbf/0x2a0
    percpu_down_write+0x31/0x200
    _cpu_down+0x57/0x2b0
    __cpu_down_maps_locked+0x10/0x20
    work_for_cpu_fn+0x15/0x20
    process_scheduled_works+0x2a7/0x500
    worker_thread+0x173/0x330
    kthread+0xe6/0x120
    ret_from_fork+0x2f/0x40
    ret_from_fork_asm+0x1b/0x30

  other info that might help us debug this:

  Chain exists of:
    cpu_hotplug_lock --> rcu_state.barrier_mutex --> (work_completion)(&wfc.work)

  Possible unsafe locking scenario:

         CPU0                    CPU1
         ----                    ----
    lock((work_completion)(&wfc.work));
                                 lock(rcu_state.barrier_mutex);
                                 lock((work_completion)(&wfc.work));
    lock(cpu_hotplug_lock);

  *** DEADLOCK ***

  2 locks held by kworker/0:1/9:
  #0: ffff900481068b38 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x212/0x500
  #1: ffff9e3bc0057e60 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: process_scheduled_works+0x216/0x500

  stack backtrace:
  CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.0-rc1-00065-g934ebd6e5359 #35409
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
  Workqueue: events work_for_cpu_fn
  Call Trace:
  rcu-torture: rcu_torture_read_exit: Start of episode
  <TASK>
  dump_stack_lvl+0x4a/0x80
  check_noncircular+0x132/0x150
  __lock_acquire+0x1538/0x2500
  lock_acquire+0xbf/0x2a0
  ? _cpu_down+0x57/0x2b0
  percpu_down_write+0x31/0x200
  ? _cpu_down+0x57/0x2b0
  _cpu_down+0x57/0x2b0
  __cpu_down_maps_locked+0x10/0x20
  work_for_cpu_fn+0x15/0x20
  process_scheduled_works+0x2a7/0x500
  worker_thread+0x173/0x330
  ? __pfx_worker_thread+0x10/0x10
  kthread+0xe6/0x120
  ? __pfx_kthread+0x10/0x10
  ret_from_fork+0x2f/0x40
  ? __pfx_kthread+0x10/0x10
  ret_from_fork_asm+0x1b/0x30
  </TASK

Fix this with providing one lock class key per work_on_cpu() caller.

Reported-and-tested-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024

[ Upstream commit 170c75d ]

As talked about in commit d66d24a ("ath10k: Keep track of which interrupts fired, don't poll them"), if we access the copy engine register at a bad time then ath10k can go boom. However, it's not necessarily easy to know when it's safe to access them.

The ChromeOS test labs saw a crash that looked like this at shutdown/reboot time (on a chromeos-5.15 kernel, but likely the problem could also reproduce upstream):

  Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP
  ...
  CPU: 4 PID: 6168 Comm: reboot Not tainted 5.15.111-lockdep-19350-g1d624fe6758f #1 010b9b233ab055c27c6dc88efb0be2f4e9e86f51
  Hardware name: Google Kingoftown (DT)
  ...
  pc : ath10k_snoc_read32+0x50/0x74 [ath10k_snoc]
  lr : ath10k_snoc_read32+0x24/0x74 [ath10k_snoc]
  ...
  Call trace:
   ath10k_snoc_read32+0x50/0x74 [ath10k_snoc ...]
   ath10k_ce_disable_interrupt+0x190/0x65c [ath10k_core ...]
   ath10k_ce_disable_interrupts+0x8c/0x120 [ath10k_core ...]
   ath10k_snoc_hif_stop+0x78/0x660 [ath10k_snoc ...]
   ath10k_core_stop+0x13c/0x1ec [ath10k_core ...]
   ath10k_halt+0x398/0x5b0 [ath10k_core ...]
   ath10k_stop+0xfc/0x1a8 [ath10k_core ...]
   drv_stop+0x148/0x6b4 [mac80211 ...]
   ieee80211_stop_device+0x70/0x80 [mac80211 ...]
   ieee80211_do_stop+0x10d8/0x15b0 [mac80211 ...]
   ieee80211_stop+0x144/0x1a0 [mac80211 ...]
   __dev_close_many+0x1e8/0x2c0
   dev_close_many+0x198/0x33c
   dev_close+0x140/0x210
   cfg80211_shutdown_all_interfaces+0xc8/0x1e0 [cfg80211 ...]
   ieee80211_remove_interfaces+0x118/0x5c4 [mac80211 ...]
   ieee80211_unregister_hw+0x64/0x1f4 [mac80211 ...]
   ath10k_mac_unregister+0x4c/0xf0 [ath10k_core ...]
   ath10k_core_unregister+0x80/0xb0 [ath10k_core ...]
   ath10k_snoc_free_resources+0xb8/0x1ec [ath10k_snoc ...]
   ath10k_snoc_shutdown+0x98/0xd0 [ath10k_snoc ...]
   platform_shutdown+0x7c/0xa0
   device_shutdown+0x3e0/0x58c
   kernel_restart_prepare+0x68/0xa0
   kernel_restart+0x28/0x7c

Though there's no known way to reproduce the problem, it makes sense that it would be the same issue where we're trying to access copy engine registers when it's not allowed.

Let's fix this by changing how we "disable" the interrupts. Instead of tweaking the copy engine registers we'll just use disable_irq() and enable_irq(). Then we'll configure the interrupts once at power up time.

Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.2.c10-00754-QCAHLSWMTPL-1
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230630151842.1.If764ede23c4e09a43a842771c2ddf99608f25f8e@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024

[ Upstream commit 624820f ]

fix crash because of null pointers

  [ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8
  [ 6104.969667] #PF: supervisor read access in kernel mode
  [ 6104.969668] #PF: error_code(0x0000) - not-present page
  [ 6104.969670] PGD 0 P4D 0
  [ 6104.969673] Oops: 0000 [#1] SMP NOPTI
  [ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]
  [ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246
  [ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006
  [ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000
  [ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001
  [ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0
  [ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90
  [ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000
  [ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0
  [ 6104.969701] PKRU: 55555554
  [ 6104.969702] Call Trace:
  [ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb]
  [ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth]
  [ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth]
  [ 6104.969753] rfkill_set_block+0x92/0x160
  [ 6104.969755] rfkill_fop_write+0x136/0x1e0
  [ 6104.969759] __vfs_write+0x18/0x40
  [ 6104.969761] vfs_write+0xdf/0x1c0
  [ 6104.969763] ksys_write+0xb1/0xe0
  [ 6104.969765] __x64_sys_write+0x1a/0x20
  [ 6104.969769] do_syscall_64+0x51/0x180
  [ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9
  [ 6104.969773] RIP: 0033:0x7f5a21f18fef
  [ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
  [ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef
  [ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012
  [ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017
  [ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002
  [ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0

Signed-off-by: youwan Wang <wangyouwan@126.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
tbalden
pushed a commit
that referenced
this pull request
Oct 28, 2024
[ Upstream commit 5104fdf ]

In certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:

1. Navigate to the directory: /sys/kernel/debug/dri/0
2. Execute command: cat amdgpu_regs_smc
3. Exception Log::

[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000
[4005007.702562] #PF: supervisor instruction fetch in kernel mode
[4005007.702567] #PF: error_code(0x0010) - not-present page
[4005007.702570] PGD 0 P4D 0
[4005007.702576] Oops: 0010 [#1] SMP NOPTI
[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u
[4005007.702590] RIP: 0010:0x0
[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206
[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68
[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000
[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980
[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000
[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000
[4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000
[4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0
[4005007.702633] Call Trace:
[4005007.702636] <TASK>
[4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]
[4005007.703002] full_proxy_read+0x5c/0x80
[4005007.703011] vfs_read+0x9f/0x1a0
[4005007.703019] ksys_read+0x67/0xe0
[4005007.703023] __x64_sys_read+0x19/0x20
[4005007.703028] do_syscall_64+0x5c/0xc0
[4005007.703034] ? do_user_addr_fault+0x1e3/0x670
[4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0
[4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20
[4005007.703052] ? irqentry_exit+0x19/0x30
[4005007.703057] ? exc_page_fault+0x89/0x160
[4005007.703062] ? asm_exc_page_fault+0x8/0x30
[4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae
[4005007.703075] RIP: 0033:0x7f5e07672992
[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24
[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992
[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003
[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010
[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000
[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[4005007.703105] </TASK>
[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca
[4005007.703184] CR2: 0000000000000000
[4005007.703188] ---[ end trace ac65a538d240da39 ]---
[4005007.800865] RIP: 0010:0x0
[4005007.800871] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[4005007.800874] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206
[4005007.800878] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68
[4005007.800881] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000
[4005007.800883] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980
[4005007.800886] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000
[4005007.800888] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000
[4005007.800891] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000
[4005007.800895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[4005007.800898] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0

Signed-off-by: Qu Huang <qu.huang@linux.dev>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
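A userspace model of the failure the commit message above describes, added here as an example and not taken from the amdgpu driver: a debugfs-style read handler that calls an optional register accessor and refuses the read when none is installed. The names (`model_dev`, `model_regs_smc_read`, `demo_read`), the register values and the choice of `-EOPNOTSUPP` are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_NREGS 8

/* Hypothetical device model: the SMC register accessor is optional and
 * stays NULL on chip families that never install one. */
struct model_dev {
    uint32_t (*smc_rreg)(struct model_dev *dev, uint32_t reg);
    uint32_t regs[MODEL_NREGS];
};

static uint32_t model_smc_rreg(struct model_dev *dev, uint32_t reg)
{
    return dev->regs[reg / 4];
}

/* Read handler in the shape of a debugfs ->read(): copies 32-bit register
 * values into buf starting at byte offset *pos.
 * Returns the number of bytes copied or a negative errno. */
long model_regs_smc_read(struct model_dev *dev, uint8_t *buf, size_t size, long *pos)
{
    long done = 0;

    /* Without this check the call below jumps to address 0, which the
     * kernel reports as "supervisor instruction fetch" with RIP 0x0. */
    if (!dev->smc_rreg)
        return -EOPNOTSUPP;   /* errno chosen for this example */

    /* The register file is word-addressed; reject unaligned requests. */
    if (*pos < 0 || (size & 0x3) || (*pos & 0x3))
        return -EINVAL;

    /* Stop at the end of the register window (reads past it return 0). */
    while (size && (size_t)*pos < sizeof(dev->regs)) {
        uint32_t value = dev->smc_rreg(dev, (uint32_t)*pos);

        memcpy(buf + done, &value, sizeof(value));
        done += 4;
        *pos += 4;
        size -= 4;
    }
    return done;
}

/* Runs one read against a constructed device. Returns the handler's result
 * and, if first_word is non-NULL, stores the first register value copied. */
long demo_read(int install_accessor, long start, size_t size, uint32_t *first_word)
{
    struct model_dev dev = {
        .smc_rreg = install_accessor ? model_smc_rreg : NULL,
        .regs = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 }, /* constructed */
    };
    uint8_t buf[64];
    long pos = start;
    long n;

    if (size > sizeof(buf))
        size = sizeof(buf);
    n = model_regs_smc_read(&dev, buf, size, &pos);
    if (n >= 4 && first_word)
        memcpy(first_word, buf, sizeof(*first_word));
    return n;
}

uint32_t demo_first_word(long start)
{
    uint32_t word = 0;

    demo_read(1, start, 4, &word);
    return word;
}

int main(void)
{
    printf("no accessor installed: %ld\n", demo_read(0, 0, 16, NULL));
    printf("accessor installed:    %ld bytes, first word 0x%x\n",
           demo_read(1, 4, 8, NULL), (unsigned)demo_first_word(4));
    printf("unaligned size:        %ld\n", demo_read(1, 0, 6, NULL));
    printf("offset past window:    %ld\n", demo_read(1, 32, 8, NULL));
    return 0;
}
```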
tbalden pushed a commit that referenced this pull request Oct 28, 2024
[ Upstream commit 87c3a58 ]

Except on x86, preempt_count is always accessed with READ_ONCE(). Repeated invocations in macros like irq_count() produce repeated loads. These redundant instructions appear in various fast paths. In the one shown below, for example, irq_count() is evaluated during kernel entry if !tick_nohz_full_cpu(smp_processor_id()).

0001ed0a <irq_enter_rcu>:
   1ed0a: 4e56 0000 linkw %fp,#0
   1ed0e: 200f movel %sp,%d0
   1ed10: 0280 ffff e000 andil #-8192,%d0
   1ed16: 2040 moveal %d0,%a0
   1ed18: 2028 0008 movel %a0@(8),%d0
   1ed1c: 0680 0001 0000 addil #65536,%d0
   1ed22: 2140 0008 movel %d0,%a0@(8)
   1ed26: 082a 0001 000f btst #1,%a2@(15)
   1ed2c: 670c beqs 1ed3a <irq_enter_rcu+0x30>
   1ed2e: 2028 0008 movel %a0@(8),%d0
   1ed32: 2028 0008 movel %a0@(8),%d0
   1ed36: 2028 0008 movel %a0@(8),%d0
   1ed3a: 4e5e unlk %fp
   1ed3c: 4e75 rts

This patch doesn't prevent the pointless btst and beqs instructions above, but it does eliminate 2 of the 3 pointless move instructions here and elsewhere.

On x86, preempt_count is per-cpu data and the problem does not arise presumably because the compiler is free to optimize more effectively.

This patch was tested on m68k and x86. I was expecting no changes to object code for x86 and mostly that's what I saw. However, there were a few places where code generation was perturbed for some reason.

The performance issue addressed here is minor on uniprocessor m68k. I got a 0.01% improvement from this patch for a simple "find /sys -false" benchmark. For architectures and workloads susceptible to cache line bounce the improvement is expected to be larger. The only SMP architecture I have is x86, and as x86 is unaffected I have not done any further measurements.

Fixes: 1511583 ("preempt: Cleanup the macro maze a bit")
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/0a403120a682a525e6db2d81d1a3ffcc137c3742.1694756831.git.fthain@linux-m68k.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024
[ Upstream commit 18f0394 ]

Inspired by syzbot reports using a stack of multiple ipvlan devices.

Reduce stack size needed in ipvlan_process_v6_outbound() by moving the flowi6 struct used for the route lookup in a non-inlined helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack, immediately reclaimed.

Also make sure ipvlan_process_v4_outbound() is not inlined.

We might also have to lower MAX_NEST_DEV, because only syzbot uses setups with more than four stacked devices.

BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000) stack guard page: 0000 [#1] SMP KASAN CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188 Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89 RSP: 0018:ffffc9000e804000 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568 RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000 FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <#DF> </#DF> <TASK> [<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31 [<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline] [<ffffffff817e5bf2>] _test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] [<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline] [<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline] [<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline] [<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632 [<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306 [<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline] [<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221 [<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606 [<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline] [<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116 [<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638 [<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651 [<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline] [<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline] [<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] 
[<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] 
ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] 
xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff84d4a65e>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff84d4a65e>] neigh_resolve_output+0x64e/0x750 net/core/neighbour.c:1560 [<ffffffff855ce503>] neigh_output include/net/neighbour.h:545 [inline] [<ffffffff855ce503>] ip6_finish_output2+0x1643/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output 
net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff855b9ce4>] dst_output include/net/dst.h:444 [inline] [<ffffffff855b9ce4>] NF_HOOK include/linux/netfilter.h:309 [inline] [<ffffffff855b9ce4>] ip6_xmit+0x11a4/0x1b20 net/ipv6/ip6_output.c:352 [<ffffffff8597984e>] sctp_v6_xmit+0x9ae/0x1230 net/sctp/ipv6.c:250 [<ffffffff8594623e>] sctp_packet_transmit+0x25de/0x2bc0 net/sctp/output.c:653 [<ffffffff858f5142>] sctp_packet_singleton+0x202/0x310 net/sctp/outqueue.c:783 [<ffffffff858ea411>] sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] [<ffffffff858ea411>] sctp_outq_flush+0x661/0x3d40 net/sctp/outqueue.c:1212 [<ffffffff858f02f9>] sctp_outq_uncork+0x79/0xb0 net/sctp/outqueue.c:764 [<ffffffff8589f060>] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] [<ffffffff8589f060>] sctp_do_sm+0x55c0/0x5c30 net/sctp/sm_sideeffect.c:1170 [<ffffffff85941567>] sctp_primitive_ASSOCIATE+0x97/0xc0 net/sctp/primitive.c:73 [<ffffffff859408b2>] sctp_sendmsg_to_asoc+0xf62/0x17b0 net/sctp/socket.c:1839 [<ffffffff85910b5e>] sctp_sendmsg+0x212e/0x33b0 net/sctp/socket.c:2029 [<ffffffff8544d559>] inet_sendmsg+0x149/0x310 net/ipv4/af_inet.c:849 [<ffffffff84c6c4d2>] sock_sendmsg_nosec net/socket.c:716 [inline] [<ffffffff84c6c4d2>] sock_sendmsg net/socket.c:736 [inline] [<ffffffff84c6c4d2>] ____sys_sendmsg+0x572/0x8c0 net/socket.c:2504 [<ffffffff84c6ca91>] ___sys_sendmsg net/socket.c:2558 [inline] [<ffffffff84c6ca91>] __sys_sendmsg+0x271/0x360 net/socket.c:2587 [<ffffffff84c6cbff>] __do_sys_sendmsg net/socket.c:2596 [inline] [<ffffffff84c6cbff>] __se_sys_sendmsg net/socket.c:2594 [inline] [<ffffffff84c6cbff>] __x64_sys_sendmsg+0x7f/0x90 net/socket.c:2594 [<ffffffff85b32553>] do_syscall_x64 arch/x86/entry/common.c:51 [inline] [<ffffffff85b32553>] do_syscall_64+0x53/0x80 
arch/x86/entry/common.c:84 [<ffffffff85c00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: 2ad7bf3 ("ipvlan: Initial check-in of the IPVLAN driver.")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Mahesh Bandewar <maheshb@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024
[ Upstream commit 3cffa2d ]

Commit 9eed321 ("net: lapbether: only support ethernet devices") has been able to keep syzbot away from net/lapb, until today.

In the following splat [1], the issue is that a lapbether device has been created on a bonding device without members. Then adding a non ARPHRD_ETHER member forced the bonding master to change its type.

The fix is to make sure we call dev_close() in bond_setup_by_slave() so that the potential linked lapbether devices (or any other devices having assumptions on the physical device) are removed.

A similar bug has been addressed in commit 40baec2 ("bonding: fix panic on non-ARPHRD_ETHER enslave failure")

[1]
skbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0
kernel BUG at net/core/skbuff.c:192 !
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_panic net/core/skbuff.c:188 [inline]
pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
lr : skb_panic net/core/skbuff.c:188 [inline]
lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
sp : ffff800096a06aa0
x29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000
x26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea
x23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140
x20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100
x17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001
x14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00
x8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c
x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086
Call trace:
 skb_panic net/core/skbuff.c:188 [inline]
 skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
 skb_push+0xf0/0x108 net/core/skbuff.c:2446
 ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384
 dev_hard_header include/linux/netdevice.h:3136 [inline]
 lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257
 lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447
 lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149
 lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251
 __lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326
 lapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492
 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
 call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
 call_netdevice_notifiers net/core/dev.c:2022 [inline]
 __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508
 dev_close_many+0x1e0/0x470 net/core/dev.c:1559
 dev_close+0x174/0x250 net/core/dev.c:1585
 lapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466
 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
 call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
 call_netdevice_notifiers net/core/dev.c:2022 [inline]
 __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508
 dev_close_many+0x1e0/0x470 net/core/dev.c:1559
 dev_close+0x174/0x250 net/core/dev.c:1585
 bond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332
 bond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539
 dev_ifsioc+0x754/0x9ac
 dev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786
 sock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217
 sock_ioctl+0x4e8/0x834 net/socket.c:1322
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl fs/ioctl.c:857 [inline]
 __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:857
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: aa1803e6 aa1903e7 a90023f5 94785b8b (d4210000)

Fixes: 872254d ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://lore.kernel.org/r/20231109180102.4085183-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024
[ Upstream commit 95ff036 ]

The kernel build robot reported a UAF error while running xfs/433 (edited somewhat for brevity):

BUG: KASAN: use-after-free in xfs_attr3_node_inactive (fs/xfs/xfs_attr_inactive.c:214) xfs
Read of size 4 at addr ffff88820ac2bd44 by task kworker/0:2/139

CPU: 0 PID: 139 Comm: kworker/0:2 Tainted: G S 5.19.0-rc2-00004-g7cf2b0f9611b #1
Hardware name: Hewlett-Packard p6-1451cx/2ADA, BIOS 8.15 02/05/2013
Workqueue: xfs-inodegc/sdb4 xfs_inodegc_worker [xfs]
Call Trace:
<TASK>
 dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
 print_address_description+0x1f/0x200
 print_report.cold (mm/kasan/report.c:430)
 kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
 xfs_attr3_node_inactive (fs/xfs/xfs_attr_inactive.c:214) xfs
 xfs_attr3_root_inactive (fs/xfs/xfs_attr_inactive.c:296) xfs
 xfs_attr_inactive (fs/xfs/xfs_attr_inactive.c:371) xfs
 xfs_inactive (fs/xfs/xfs_inode.c:1781) xfs
 xfs_inodegc_worker (fs/xfs/xfs_icache.c:1837 fs/xfs/xfs_icache.c:1860) xfs
 process_one_work
 worker_thread
 kthread
 ret_from_fork
</TASK>

Allocated by task 139:
 kasan_save_stack (mm/kasan/common.c:39)
 __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
 kmem_cache_alloc (mm/slab.h:750 mm/slub.c:3214 mm/slub.c:3222 mm/slub.c:3229 mm/slub.c:3239)
 _xfs_buf_alloc (include/linux/instrumented.h:86 include/linux/atomic/atomic-instrumented.h:41 fs/xfs/xfs_buf.c:232) xfs
 xfs_buf_get_map (fs/xfs/xfs_buf.c:660) xfs
 xfs_buf_read_map (fs/xfs/xfs_buf.c:777) xfs
 xfs_trans_read_buf_map (fs/xfs/xfs_trans_buf.c:289) xfs
 xfs_da_read_buf (fs/xfs/libxfs/xfs_da_btree.c:2652) xfs
 xfs_da3_node_read (fs/xfs/libxfs/xfs_da_btree.c:392) xfs
 xfs_attr3_root_inactive (fs/xfs/xfs_attr_inactive.c:272) xfs
 xfs_attr_inactive (fs/xfs/xfs_attr_inactive.c:371) xfs
 xfs_inactive (fs/xfs/xfs_inode.c:1781) xfs
 xfs_inodegc_worker (fs/xfs/xfs_icache.c:1837 fs/xfs/xfs_icache.c:1860) xfs
 process_one_work
 worker_thread
 kthread
 ret_from_fork

Freed by task 139:
 kasan_save_stack (mm/kasan/common.c:39)
 kasan_set_track (mm/kasan/common.c:45)
 kasan_set_free_info (mm/kasan/generic.c:372)
 __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
 kmem_cache_free (mm/slub.c:1753 mm/slub.c:3507 mm/slub.c:3524)
 xfs_buf_rele (fs/xfs/xfs_buf.c:1040) xfs
 xfs_attr3_node_inactive (fs/xfs/xfs_attr_inactive.c:210) xfs
 xfs_attr3_root_inactive (fs/xfs/xfs_attr_inactive.c:296) xfs
 xfs_attr_inactive (fs/xfs/xfs_attr_inactive.c:371) xfs
 xfs_inactive (fs/xfs/xfs_inode.c:1781) xfs
 xfs_inodegc_worker (fs/xfs/xfs_icache.c:1837 fs/xfs/xfs_icache.c:1860) xfs
 process_one_work
 worker_thread
 kthread
 ret_from_fork

I reproduced this for my own satisfaction, and got the same report, along with an extra morsel:

The buggy address belongs to the object at ffff88802103a800 which belongs to the cache xfs_buf of size 432
The buggy address is located 396 bytes inside of 432-byte region [ffff88802103a800, ffff88802103a9b0)

I tracked this code down to:

	error = xfs_trans_get_buf(*trans, mp->m_ddev_targp,
			child_blkno,
			XFS_FSB_TO_BB(mp, mp->m_attr_geo->fsbcount), 0,
			&child_bp);
	if (error)
		return error;
	error = bp->b_error;

That doesn't look right -- I think this should be dereferencing child_bp, not bp. Looking through the codebase history, I think this was added by commit 2911edb ("xfs: remove the mappedbno argument to xfs_da_get_buf"), which replaced a call to xfs_da_get_buf with the current call to xfs_trans_get_buf. Not sure why we trans_brelse'd @bp earlier in the function, but I'm guessing it's to avoid pinning too many buffers in memory while we inactivate the bottom of the attr tree. Hence we now have to get the buffer back.

I /think/ this was supposed to check child_bp->b_error and fail the rest of the invalidation if child_bp had experienced any kind of IO or corruption error. I bet the xfs_da3_node_read earlier in the loop will catch most cases of incoming on-disk corruption which makes this check mostly moot unless someone corrupts the buffer and the AIL pushes it out to disk while the buffer's unlocked.

In the first case we'll never get to the bad check, and in the second case the AIL will shut down the log, at which point there's no reason to check b_error. Remove the check, and null out @bp to avoid this problem in the future.

Cc: hch@lst.de
Reported-by: kernel test robot <oliver.sang@intel.com>
Fixes: 2911edb ("xfs: remove the mappedbno argument to xfs_da_get_buf")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024
commit 146a15b upstream.

Prior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly byte-swap NOP when compiling for big-endian, and the resulting series of bytes happened to match the encoding of FNMADD S21, S30, S0, S0.

This went unnoticed until commit:

34f66c4 ("arm64: Use a positive cpucap for FP/SIMD")

Prior to that commit, the kernel would always enable the use of FPSIMD early in boot when __cpu_setup() initialized CPACR_EL1, and so usage of FNMADD within the kernel was not detected, but could result in the corruption of user or kernel FPSIMD state.

After that commit, the instructions happen to trap during boot prior to FPSIMD being detected and enabled, e.g.

| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD
| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1
| Hardware name: linux,dummy-virt (DT)
| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : __pi_strcmp+0x1c/0x150
| lr : populate_properties+0xe4/0x254
| sp : ffffd014173d3ad0
| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000
| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008
| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044
| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005
| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000
| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000
| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000
| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000
| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a
| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8
| Kernel panic - not syncing: Unhandled exception
| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1
| Hardware name: linux,dummy-virt (DT)
| Call trace:
| dump_backtrace+0xec/0x108
| show_stack+0x18/0x2c
| dump_stack_lvl+0x50/0x68
| dump_stack+0x18/0x24
| panic+0x13c/0x340
| el1t_64_irq_handler+0x0/0x1c
| el1_abort+0x0/0x5c
| el1h_64_sync+0x64/0x68
| __pi_strcmp+0x1c/0x150
| unflatten_dt_nodes+0x1e8/0x2d8
| __unflatten_device_tree+0x5c/0x15c
| unflatten_device_tree+0x38/0x50
| setup_arch+0x164/0x1e0
| start_kernel+0x64/0x38c
| __primary_switched+0xbc/0xc4

Restrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is either GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked commit.

Closes: ClangBuiltLinux/linux#1948
Link: llvm/llvm-project@1379b15
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Cc: stable@vger.kernel.org
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20231025-disable-arm64-be-ias-b4-llvm-15-v1-1-b25263ed8b23@kernel.org
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024
commit e14aec2 upstream.

Fix kernel crash in AP bus code caused by very early invocation of the config change callback function via SCLP.

After a fresh IML of the machine the crypto cards are still offline and will get switched online only with activation of any LPAR which has the card in its configuration. A crypto card coming online is reported to the LPAR via SCLP and the AP bus offers a callback function to get this kind of information. However, it may happen that the callback is invoked before the AP bus init function is complete. As the callback triggers a synchronous AP bus scan, the scan may already run but some internal states are not initialized by the AP bus init function resulting in a crash like this:

[ 11.635859] Unable to handle kernel pointer dereference in virtual kernel address space
[ 11.635861] Failing address: 0000000000000000 TEID: 0000000000000887
[ 11.635862] Fault in home space mode while using kernel ASCE.
[ 11.635864] AS:00000000894c4007 R3:00000001fece8007 S:00000001fece7800 P:000000000000013d
[ 11.635879] Oops: 0004 ilc:1 [#1] SMP
[ 11.635882] Modules linked in:
[ 11.635884] CPU: 5 PID: 42 Comm: kworker/5:0 Not tainted 6.6.0-rc3-00003-g4dbf7cdc6b42 #12
[ 11.635886] Hardware name: IBM 3931 A01 751 (LPAR)
[ 11.635887] Workqueue: events_long ap_scan_bus
[ 11.635891] Krnl PSW : 0704c00180000000 0000000000000000 (0x0)
[ 11.635895] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
[ 11.635897] Krnl GPRS: 0000000001000a00 0000000000000000 0000000000000006 0000000089591940
[ 11.635899] 0000000080000000 0000000000000a00 0000000000000000 0000000000000000
[ 11.635901] 0000000081870c00 0000000089591000 000000008834e4e2 0000000002625a00
[ 11.635903] 0000000081734200 0000038000913c18 000000008834c6d6 0000038000913ac8
[ 11.635906] Krnl Code:>0000000000000000: 0000 illegal
[ 11.635906] 0000000000000002: 0000 illegal
[ 11.635906] 0000000000000004: 0000 illegal
[ 11.635906] 0000000000000006: 0000 illegal
[ 11.635906] 0000000000000008: 0000 illegal
[ 11.635906] 000000000000000a: 0000 illegal
[ 11.635906] 000000000000000c: 0000 illegal
[ 11.635906] 000000000000000e: 0000 illegal
[ 11.635915] Call Trace:
[ 11.635916] [<0000000000000000>] 0x0
[ 11.635918] [<000000008834e4e2>] ap_queue_init_state+0x82/0xb8
[ 11.635921] [<000000008834ba1c>] ap_scan_domains+0x6fc/0x740
[ 11.635923] [<000000008834c092>] ap_scan_adapter+0x632/0x8b0
[ 11.635925] [<000000008834c3e4>] ap_scan_bus+0xd4/0x288
[ 11.635927] [<00000000879a33ba>] process_one_work+0x19a/0x410
[ 11.635930] Discipline DIAG cannot be used without z/VM
[ 11.635930] [<00000000879a3a2c>] worker_thread+0x3fc/0x560
[ 11.635933] [<00000000879aea60>] kthread+0x120/0x128
[ 11.635936] [<000000008792afa4>] __ret_from_fork+0x3c/0x58
[ 11.635938] [<00000000885ebe62>] ret_from_fork+0xa/0x30
[ 11.635942] Last Breaking-Event-Address:
[ 11.635942] [<000000008834c6d4>] ap_wait+0xcc/0x148

This patch improves the ap_bus_force_rescan() function which is invoked by the config change callback by checking if a first initial AP bus scan has been done. If not, the force rescan request is simply ignored. Anyhow it does not make sense to trigger AP bus re-scans even before the very first bus scan is complete.

Cc: stable@vger.kernel.org
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024
commit 5a22fbc upstream.

When LAN9303 is MDIO-connected two callchains exist into mdio->bus->write():

1. switch ports 1&2 ("physical" PHYs):

virtual (switch-internal) MDIO bus (lan9303_switch_ops->phy_{read|write})->
  lan9303_mdio_phy_{read|write} -> mdiobus_{read|write}_nested

2. LAN9303 virtual PHY:

virtual MDIO bus (lan9303_phy_{read|write}) ->
  lan9303_virt_phy_reg_{read|write} -> regmap -> lan9303_mdio_{read|write}

If the latter functions just take mutex_lock(&sw_dev->device->bus->mdio_lock) it triggers a LOCKDEP false-positive splat. It's false-positive because the first mdio_lock in the second callchain above belongs to virtual MDIO bus, the second mdio_lock belongs to physical MDIO bus.

Consequent annotation in lan9303_mdio_{read|write} as nested lock (similar to lan9303_mdio_phy_{read|write}, it's the same physical MDIO bus) prevents the following splat:

WARNING: possible circular locking dependency detected
5.15.71 #1 Not tainted
------------------------------------------------------
kworker/u4:3/609 is trying to acquire lock:
ffff000011531c68 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}, at: regmap_lock_mutex
but task is already holding lock:
ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&bus->mdio_lock){+.+.}-{3:3}:
       lock_acquire
       __mutex_lock
       mutex_lock_nested
       lan9303_mdio_read
       _regmap_read
       regmap_read
       lan9303_probe
       lan9303_mdio_probe
       mdio_probe
       really_probe
       __driver_probe_device
       driver_probe_device
       __device_attach_driver
       bus_for_each_drv
       __device_attach
       device_initial_probe
       bus_probe_device
       deferred_probe_work_func
       process_one_work
       worker_thread
       kthread
       ret_from_fork
-> #0 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}:
       __lock_acquire
       lock_acquire.part.0
       lock_acquire
       __mutex_lock
       mutex_lock_nested
       regmap_lock_mutex
       regmap_read
       lan9303_phy_read
       dsa_slave_phy_read
       __mdiobus_read
       mdiobus_read
       get_phy_device
       mdiobus_scan
       __mdiobus_register
       dsa_register_switch
       lan9303_probe
       lan9303_mdio_probe
       mdio_probe
       really_probe
       __driver_probe_device
       driver_probe_device
       __device_attach_driver
       bus_for_each_drv
       __device_attach
       device_initial_probe
       bus_probe_device
       deferred_probe_work_func
       process_one_work
       worker_thread
       kthread
       ret_from_fork
other info that might help us debug this:
 Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&bus->mdio_lock);
                               lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock);
                               lock(&bus->mdio_lock);
  lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock);
 *** DEADLOCK ***
5 locks held by kworker/u4:3/609:
 #0: ffff000002842938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work
 #1: ffff80000bacbd60 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work
 #2: ffff000007645178 (&dev->mutex){....}-{3:3}, at: __device_attach
 #3: ffff8000096e6e78 (dsa2_mutex){+.+.}-{3:3}, at: dsa_register_switch
 #4: ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read
stack backtrace:
CPU: 1 PID: 609 Comm: kworker/u4:3 Not tainted 5.15.71 #1
Workqueue: events_unbound deferred_probe_work_func
Call trace:
 dump_backtrace
 show_stack
 dump_stack_lvl
 dump_stack
 print_circular_bug
 check_noncircular
 __lock_acquire
 lock_acquire.part.0
 lock_acquire
 __mutex_lock
 mutex_lock_nested
 regmap_lock_mutex
 regmap_read
 lan9303_phy_read
 dsa_slave_phy_read
 __mdiobus_read
 mdiobus_read
 get_phy_device
 mdiobus_scan
 __mdiobus_register
 dsa_register_switch
 lan9303_probe
 lan9303_mdio_probe
...

Cc: stable@vger.kernel.org
Fixes: dc70058 ("net: dsa: LAN9303: add MDIO managed mode support")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/20231027065741.534971-1-alexander.sverdlin@siemens.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tbalden pushed a commit that referenced this pull request Oct 28, 2024
commit bb32500 upstream.

The following can crash the kernel:

 # cd /sys/kernel/tracing
 # echo 'p:sched schedule' > kprobe_events
 # exec 5>>events/kprobes/sched/enable
 # > kprobe_events
 # exec 5>&-

The above commands:

 1. Change directory to the tracefs directory
 2. Create a kprobe event (doesn't matter what one)
 3. Open bash file descriptor 5 on the enable file of the kprobe event
 4. Delete the kprobe event (removes the files too)
 5. Close the bash file descriptor 5

The above causes a crash!

 BUG: kernel NULL pointer dereference, address: 0000000000000028
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
 RIP: 0010:tracing_release_file_tr+0xc/0x50

What happens here is that the kprobe event creates a trace_event_file "file" descriptor that represents the file in tracefs to the event. It maintains state of the event (is it enabled for the given instance?). Opening the "enable" file gets a reference to the event "file" descriptor via the open file descriptor. When the kprobe event is deleted, the file is also deleted from the tracefs system which also frees the event "file" descriptor.

But as the tracefs file is still opened by user space, it will not be totally removed until the final dput() is called on it. But this is not true with the event "file" descriptor that is already freed. If the user does a write to or simply closes the file descriptor it will reference the event "file" descriptor that was just freed, causing a use-after-free bug.

To solve this, add a ref count to the event "file" descriptor as well as a new flag called "FREED". The "file" will not be freed until the last reference is released. But the FREE flag will be set when the event is removed to prevent any more modifications to that event from happening, even if there's still a reference to the event "file" descriptor.

Link: https://lore.kernel.org/linux-trace-kernel/20231031000031.1e705592@gandalf.local.home/
Link: https://lore.kernel.org/linux-trace-kernel/20231031122453.7a48b923@gandalf.local.home
Cc: stable@vger.kernel.org
Cc: Mark Rutland <mark.rutland@arm.com>
Fixes: f5ca233 ("tracing: Increase trace array ref count on enable and filter files")
Reported-by: Beau Belgrave <beaub@linux.microsoft.com>
Tested-by: Beau Belgrave <beaub@linux.microsoft.com>
Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
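The lifetime rule described in the commit message above (a reference count on the event "file" descriptor plus a FREED flag), modelled in user-space C as an added example. It is not the kernel patch; the struct, flag and function names are assumptions chosen for this sketch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: every name here is an assumption for illustration. */
#define EVENT_FILE_FL_ENABLED (1u << 0)
#define EVENT_FILE_FL_FREED   (1u << 1)  /* event removed; object may still be referenced */

struct event_file {
    unsigned int flags;
    int ref;                 /* a kernel implementation would use an atomic counter */
};

static int live_objects;     /* allocated minus freed, to make the lifetime observable */

static struct event_file *event_file_create(void)
{
    struct event_file *f = calloc(1, sizeof(*f));
    if (!f)
        return NULL;
    f->ref = 1;              /* reference owned by the event itself */
    live_objects++;
    return f;
}

/* Drop one reference; the memory goes away only with the last one. */
static void event_file_put(struct event_file *f)
{
    if (--f->ref == 0) {
        free(f);
        live_objects--;
    }
}

/* open() of the "enable" file: pin the descriptor for the open fd. */
static struct event_file *enable_open(struct event_file *f)
{
    if (f->flags & EVENT_FILE_FL_FREED)
        return NULL;         /* event already removed, nothing to open */
    f->ref++;
    return f;
}

/* write() through an open fd: refuse to modify a removed event. */
static int enable_write(struct event_file *f, bool on)
{
    if (f->flags & EVENT_FILE_FL_FREED)
        return -ENODEV;
    if (on)
        f->flags |= EVENT_FILE_FL_ENABLED;
    else
        f->flags &= ~EVENT_FILE_FL_ENABLED;
    return 0;
}

/* close() of the fd: drop the reference taken in enable_open(). */
static void enable_release(struct event_file *f)
{
    event_file_put(f);
}

/* Event deletion: mark the descriptor dead, then drop the event's own reference. */
static void event_remove(struct event_file *f)
{
    f->flags |= EVENT_FILE_FL_FREED;
    f->flags &= ~EVENT_FILE_FL_ENABLED;
    event_file_put(f);
}

int main(void)
{
    struct event_file *ev = event_file_create();
    if (!ev)
        return 1;

    struct event_file *fd5 = enable_open(ev);   /* step 3 of the sequence above */
    event_remove(ev);                           /* step 4: event deleted */
    printf("objects alive after remove: %d\n", live_objects);

    int rc = enable_write(fd5, true);           /* late write is rejected */
    printf("write after remove: %d\n", rc);

    enable_release(fd5);                        /* step 5: last reference frees it */
    printf("objects alive after close: %d\n", live_objects);
    return 0;
}
```

Without the reference taken in `enable_open()`, `event_remove()` would free the object while the descriptor still points at it, which is the use-after-free the commit message describes.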
This reverts commit 15b453d. Fix missing struct hrtimer_cpu_base initialize in CPU hotplug Online process when the device is awakened from a deep state by reverting hrtimer referenced modifies in android13-5.15-2025-03_r1. Bug:407861080 Change-Id: I8eebcdc59c1ae2a61a5032e07da98326a9484189 Signed-off-by: Max Wang <max.wang@unisoc.com>
…) into android14-5.15-lts Steps on the way to 5.15.179 Resolves merge conflicts in: drivers/pci/quirks.c Change-Id: I7a7489e117a308d1f6bd6c63cdb961839f363d9b Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
…to android14-5.15-lts Steps on the way to 5.15.179 Change-Id: I243966d44792f528928f47a5acc2875a712ae7a7 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
…text patching area as VM_ALLOC") into android14-5.15-lts Steps on the way to 5.15.179 Resolves merge conflicts in: fs/f2fs/file.c mm/oom_kill.c Change-Id: Id4ed2302ea8f138a62ffb2ee12ecc31203421d08 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
…into android14-5.15-lts Steps on the way to 5.15.179 resolves merge conflicts in: drivers/net/gtp.c Change-Id: I73a3f3e22d7b9c92b631eea599bfd2cc8961aabb Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
In commit 668ef6c ("scsi: core: Don't memset() the entire scsi_cmnd in scsi_init_command()"), the cmd->submitter field is accessed, but due to previous Android-ABI breaking commits being reverted, this is not a valid field in the scsi command structure. So remove the line, fixing the build properly. Fixes: 668ef6c ("scsi: core: Don't memset() the entire scsi_cmnd in scsi_init_command()") Change-Id: I4523d86c142a25acae0b28d249e5e6f6a0189d72 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
…_hid_remove()") into android14-5.15-lts Steps on the way to 5.15.179 Change-Id: Id4fa2bebee797b95bd3da3fbc42d165e33a27d9a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 5.15.179 afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY afs: Fix directory format encoding struct hung_task: move hung_task sysctl interface to hung_task.c sysctl: use const for typically used max/min proc sysctls sysctl: share unsigned long const values fs: move inode sysctls to its own file fs: move fs stat sysctls to file_table.c fs: fix proc_handler for sysctl_nr_open block: deprecate autoloading based on dev_t block: retry call probe after request_module in blk_request_module nbd: don't allow reconnect after disconnect pstore/blk: trivial typo fixes nvme: Add error check for xa_store in nvme_get_effects_log partitions: ldm: remove the initial kernel-doc notation select: Fix unbalanced user_access_end() afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call sched/psi: Use task->psi_flags to clear in CPU migration sched/fair: Fix value reported by hot tasks pulled in /proc/schedstat drm/etnaviv: Fix page property being used for non writecombine buffers HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table genirq: Make handle_enforce_irqctx() unconditionally available ipmi: ipmb: Add check devm_kasprintf() returned value wifi: rtlwifi: do not complete firmware loading needlessly wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step wifi: rtlwifi: wait for firmware loading before releasing memory wifi: rtlwifi: fix init_sw_vars leak when probe fails wifi: rtlwifi: usb: fix workqueue leak when probe fails spi: zynq-qspi: Add check for clk_enable() dt-bindings: mmc: controller: clarify the address-cells description spi: dt-bindings: add schema listing peripheral-specific properties dt-bindings: Another pass removing cases of 'allOf' containing a '$ref' dt-bindings: leds: Add Qualcomm Light Pulse Generator binding dt-bindings: leds: Optional multi-led unit address dt-bindings: leds: Add 
multicolor PWM LED bindings dt-bindings: leds: class-multicolor: reference class directly in multi-led node dt-bindings: leds: class-multicolor: Fix path to color definitions rtlwifi: replace usage of found with dedicated list iterator variable wifi: rtlwifi: remove unused timer and related code wifi: rtlwifi: remove unused dualmac control leftovers wifi: rtlwifi: remove unused check_buddy_priv wifi: rtlwifi: destroy workqueue at rtl_deinit_core wifi: rtlwifi: fix memory leaks and invalid access at probe error path wifi: rtlwifi: pci: wait for firmware loading before releasing memory HID: multitouch: Add support for lenovo Y9000P Touchpad Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad" HID: multitouch: fix support for Goodix PID 0x01e9 regulator: dt-bindings: mt6315: Drop regulator-compatible property ACPI: fan: cleanup resources in the error path of .probe() cpupower: fix TSC MHz calculation dt-bindings: mfd: bd71815: Fix rsense and typos leds: netxbig: Fix an OF node reference leak in netxbig_leds_get_of_pdata() cpufreq: schedutil: Fix superfluous updates caused by need_freq_update clk: imx8mp: Fix clkout1/2 support team: prevent adding a device which is already a team device lower regulator: of: Implement the unwind path of of_regulator_match() samples/landlock: Fix possible NULL dereference in parse_path() wifi: wlcore: fix unbalanced pm_runtime calls net/smc: fix data error when recvmsg with MSG_PEEK flag landlock: Move filesystem helpers and add a new one landlock: Handle weird files wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO cpufreq: ACPI: Fix max-frequency computation selftests: harness: fix printing of mismatch values in __EXPECT() wifi: cfg80211: Handle specific BSSID in 6GHz scanning wifi: cfg80211: adjust allocation of colocated AP data clk: analogbits: Fix incorrect calculation of vco rate delta selftests/landlock: Fix error message net: let net.core.dev_weight always be non-zero net/mlxfw: Drop hard 
coded max FW flash image size net: avoid race between device unregistration and ethnl ops net: sched: Disallow replacing of child qdisc from one parent to another netfilter: nft_flow_offload: update tcp state flags under lock net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() tcp_cubic: fix incorrect HyStart round start detection net/rose: prevent integer overflows in rose_setsockopt() tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind libbpf: Fix segfault due to libelf functions not setting errno ASoC: sun4i-spdif: Add clock multiplier settings perf header: Fix one memory leakage in process_bpf_btf() perf header: Fix one memory leakage in process_bpf_prog_info() perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info() ASoC: renesas: rz-ssi: Use only the proper amount of dividers ktest.pl: Remove unused declarations in run_bisect_test function crypto: hisilicon/sec - add some comments for soft fallback crypto: hisilicon/sec - delete redundant blank lines crypto: hisilicon/sec2 - optimize the error return process crypto: hisilicon/sec2 - fix for aead icv error crypto: hisilicon/sec2 - fix for aead invalid authsize crypto: ixp4xx - fix OF node reference leaks in init_ixp_crypto() padata: fix sysfs store callback check perf top: Don't complain about lack of vmlinux when not resolving some kernel samples perf report: Fix misleading help message about --demangle bpf: Send signals asynchronously if !preemptible padata: fix UAF in padata_reorder padata: add pd get/put refcnt helper padata: avoid UAF for reorder_work ARM: at91: pm: change BU Power Switch to automatic mode arm64: dts: mt8183: set DMIC one-wire mode on Damu arm64: dts: mediatek: mt8516: fix GICv2 range arm64: dts: mediatek: mt8516: fix wdt irq type arm64: dts: mediatek: mt8516: remove 2 invalid i2c clocks arm64: dts: mediatek: mt8516: add i2c clock-div property arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A RDMA/mlx4: Avoid 
false error about access to uninitialized gids array rdma/cxgb4: Prevent potential integer overflow on 32bit arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property arm64: dts: mediatek: mt8173-elm: Drop regulator-compatible property arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names arm64: dts: mediatek: mt8183: kenzo: Support second source touchscreen arm64: dts: mediatek: mt8183: willow: Support second source touchscreen memory: Add LPDDR2-info helpers memory: tegra20-emc: Support matching timings by LPDDR2 configuration memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code() arm64: dts: mediatek: mt8183-kukui-jacuzzi: Drop pp3300_panel voltage settings arm64: dts: qcom: msm8996: Fix up USB3 interrupts arm64: dts: qcom: msm8994: Describe USB interrupts arm64: dts: qcom: msm8916: correct sleep clock frequency arm64: dts: qcom: msm8994: correct sleep clock frequency arm64: dts: qcom: sc7280: correct sleep clock frequency arm64: dts: qcom: sm6125: correct sleep clock frequency arm64: dts: qcom: sm8250: correct sleep clock frequency arm64: dts: qcom: sm8350: correct sleep clock frequency arm64: dts: qcom: sm8150-microsoft-surface-duo: fix typos in da7280 properties arm64: dts: qcom: sdm845: Fix interrupt types of camss interrupts ARM: dts: mediatek: mt7623: fix IR nodename fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device() RDMA/mlx5: Remove iova from struct mlx5_core_mkey RDMA/mlx5: Enforce umem boundaries for explicit ODP page faults RDMA/mlx5: Fix indirect mkey ODP page count xen/x86: free_p2m_page: use memblock_free_ptr() to free a virtual pointer memblock: drop memblock_free_early_nid() and memblock_free_early() of: reserved-memory: Do not make kmemleak ignore freed address efi: sysfb_efi: fix W=1 warnings when EFI is not set media: rc: iguanair: handle timeouts media: lmedm04: Handle errors for lme2510_int_read PCI: 
endpoint: Destroy the EPC device in devm_pci_epc_destroy() media: marvell: Add check for clk_enable() media: i2c: imx412: Add missing newline to prints media: i2c: ov9282: Correct the exposure offset media: mipi-csis: Add check for clk_enable() media: camif-core: Add check for clk_enable() media: uvcvideo: Propagate buf->error to userspace mtd: hyperbus: Make hyperbus_unregister_device() return void mtd: hyperbus: hbmc-am654: Convert to platform remove callback returning void mtd: hyperbus: hbmc-am654: fix an OF node reference leak staging: media: imx: fix OF node leak in imx_media_add_of_subdevs() PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1 scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails ocfs2: mark dquot as inactive if failed to start trans while releasing dquot module: Extend the preempt disabled section in dereference_symbol_descriptor(). NFSv4.2: fix COPY_NOTIFY xdr buf size calculation NFSv4.2: mark OFFLOAD_CANCEL MOVEABLE tools/bootconfig: Fix the wrong format specifier xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO dmaengine: ti: edma: fix OF node reference leaks in edma_driver rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read ubifs: skip dumping tnc tree when zroot is null net: hns3: fix oops when unload drivers paralleling gpio: mxc: remove dead code after switch to DT-only net: fec: implement TSO descriptor cleanup ipmr: do not call mr_mfc_uses_dev() for unres entries PM: hibernate: Add error handling for syscore_suspend() net: rose: fix timer races against user threads net: netdevsim: try to close UDP port harness races net: davicom: fix UAF in dm9000_drv_remove ptp: Properly handle compat ioctls perf trace: Fix runtime error of index out of bounds vsock: Allow retrying on connect() failure bgmac: reduce max frame size to support just MTU 1500 net: sh_eth: Fix missing rtnl lock in suspend/resume path net: hsr: fix 
fill_frame_info() regression vs VLAN packets genksyms: fix memory leak when the same symbol is added from source genksyms: fix memory leak when the same symbol is read from *.symref file kconfig: fix file name in warnings when loading KCONFIG_DEFCONFIG_LIST kconfig: add warn-unknown-symbols sanity check kconfig: require a space after '#' for valid input kconfig: remove unused code for S_DEF_AUTO in conf_read_simple() kconfig: deduplicate code in conf_read_simple() kconfig: WERROR unmet symbol dependency kconfig: fix memory leak in sym_warn_unmet_dep() hexagon: fix using plain integer as NULL pointer warning in cmpxchg hexagon: Fix unbalanced spinlock in die() f2fs: Introduce linear search for dentries NFSD: Reset cb_seq_status after NFS4ERR_DELAY netfilter: nf_tables: reject mismatching sum of field_len with set key length ktest.pl: Check kernelrelease return in get_version ALSA: usb-audio: Add delay quirk for iBasso DC07 Pro net: usb: rtl8150: enable basic endpoint checking drivers/card_reader/rtsx_usb: Restore interrupt based detection usb: gadget: f_tcm: Fix Get/SetInterface return value usb: dwc3: core: Defer the probe until USB power supply ready usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE usb: typec: tcpci: Prevent Sink disconnection before vPpsShutdown in SPR PPS mptcp: consolidate suboption status media: uvcvideo: Fix double free in error path usb: gadget: f_tcm: Don't free command immediately btrfs: output the reason for open_ctree() failure btrfs: fix use-after-free when attempting to join an aborted transaction btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling sched: Don't try to catch up excess steal time. 
lockdep: Fix upper limit for LOCKDEP_*_BITS configs x86/amd_nb: Restrict init function to AMD-based systems printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX safesetid: check size of policy writes tun: fix group permission check mmc: core: Respect quirk_max_rate for non-UHS SDIO card wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() tomoyo: don't emit warning in tomoyo_write_control() mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id HID: Wacom: Add PCI Wacom device support net/mlx5: use do_aux_work for PHC overflow checks wifi: iwlwifi: avoid memory leak i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz APEI: GHES: Have GHES honor the panic= setting net: wwan: iosm: Fix hibernation by re-binding the driver around it mmc: sdhci-msm: Correctly set the load for the regulator tipc: re-order conditions in tipc_crypto_key_rcv() selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() Input: allocate keycode for phone linking platform/x86: acer-wmi: Ignore AC events x86/mm: Don't disable PCID when INVLPG has been fixed by microcode usb: chipidea: ci_hdrc_imx: use dev_err_probe() usb: chipidea/ci_hdrc_imx: Convert to platform remove callback returning void usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe() net/ncsi: Add NC-SI 1.2 Get MC MAC Address command net/ncsi: fix locking in Get MAC Address handling gpio: xilinx: Convert gpio_lock to raw spinlock xfs: report realtime block quota limits on realtime directories xfs: don't over-report free space or inodes in statvfs usb: xhci: Add timeout argument in address_device USB HCD callback usb: xhci: Fix NULL pointer dereference on certain command aborts nvme: handle connectivity loss in nvme_set_queue_count firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry gpu: drm_dp_cec: fix broken CEC adapter properties check tg3: Disable tg3 PCIe AER on system reboot udp: gso: do not drop small packets when PMTU reduces 
gpio: pca953x: Improve interrupt support net: atlantic: fix warning during hot unplug net: rose: lock the socket in rose_bind() x86/xen: fix xen_hypercall_hvm() to not clobber %rbx x86/xen: add FRAME_END to xen_hypercall_hvm() netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() tun: revert fix group permission check cpufreq: s3c64xx: Fix compilation warning leds: lp8860: Write full EEPROM, not only half of it drm/modeset: Handle tiled displays in pan_display_atomic. s390/futex: Fix FUTEX_OP_ANDN implementation m68k: vga: Fix I/O defines binfmt_flat: Fix integer overflow bug on 32 bit systems arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() KVM: s390: vsie: fix some corner-cases when grabbing vsie pages drm/amd/pm: Mark MM activity as unsupported drm/komeda: Add check for komeda_get_layer_fourcc_list() drm/i915: Drop 64bpp YUV formats from ICL+ SDR planes Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection clk: sunxi-ng: a100: enable MMC clock reparenting clk: qcom: clk-alpha-pll: fix alpha mode configuration clk: qcom: gcc-sm6350: Add missing parent_map for two clocks clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate blk-cgroup: Fix class @block_class's subsystem refcount leakage efi: libstub: Use '-std=gnu11' to fix build with GCC 15 perf bench: Fix undefined behavior in cmpworker() of: Correct child specifier used as input of the 2nd nexus node of: Fix of_find_node_opts_by_path() handling of alias+path+options of: reserved-memory: Fix using wrong number of cells to get property 'alignment' HID: hid-sensor-hub: don't use stale platform-data on remove wifi: rtlwifi: rtl8821ae: Fix media status report wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() usb: gadget: f_tcm: Translate error to sense usb: gadget: 
f_tcm: Decrement command ref count on cleanup usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint usb: gadget: f_tcm: Don't prepare BOT write request twice soc: qcom: socinfo: Avoid out of bounds read of serial number serial: sh-sci: Drop __initdata macro for port_cfg serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use MIPS: Loongson64: remove ROM Size unit in boardinfo powerpc/pseries/eeh: Fix get PE state translation dm-crypt: don't update io->sector after kcryptd_crypt_write_io_submit() dm-crypt: track tag_offset in convert_context mips/math-emu: fix emulation of the prefx instruction Revert "media: uvcvideo: Require entities to have a non-zero unique ID" ALSA: hda/realtek: Enable headset mic on Positivo C6400 PCI: endpoint: Finish virtual EP removal in pci_epf_remove_vepf() nvme-pci: Add TUXEDO InfinityFlex to Samsung sleep quirk nvme-pci: Add TUXEDO IBP Gen9 to Samsung sleep quirk scsi: qla2xxx: Move FCE Trace buffer allocation to user control scsi: storvsc: Set correct data length for sending SCSI command without payload kbuild: Move -Wenum-enum-conversion to W=2 x86/boot: Use '-std=gnu11' to fix build with GCC 15 arm64: dts: qcom: sm8350: Fix MPSS memory length crypto: qce - fix priority to be less than ARMv8 CE xfs: Add error handling for xfs_reflink_cancel_cow_range media: ccs: Clean up parsed CCS static data on parse failure iio: light: as73211: fix channel handling in only-color triggered buffer soc: qcom: smem_state: fix missing of_node_put in error path media: mc: fix endpoint iteration media: ov5640: fix get_light_freq on auto media: ccs: Fix CCS static data parsing for large block sizes media: ccs: Fix cleanup order in ccs_probe() media: uvcvideo: Fix event flags in uvc_ctrl_send_events media: uvcvideo: Remove redundant NULL assignment crypto: qce - fix goto jump in error path crypto: qce - unregister previously registered algos in error path nvmem: qcom-spmi-sdam: Set size in struct nvmem_config nvmem: core: 
improve range check for nvmem_cell_write() vfio/platform: check the bounds of read/write syscalls pnfs/flexfiles: retry getting layout segment for reads ocfs2: fix incorrect CPU endianness conversion causing mount failure ocfs2: handle a symlink read error correctly nilfs2: fix possible int overflows in nilfs_fiemap() NFC: nci: Add bounds checking in nci_hci_create_pipe() mtd: onenand: Fix uninitialized retlen in do_otp_read() misc: fastrpc: Fix registered buffer page address net/ncsi: wait for the last response to Deselect Package before configuring channel net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset ptp: Ensure info->enable callback is always set MIPS: ftrace: Declare ftrace_get_parent_ra_addr() as static net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling gpio: xilinx: remove excess kernel doc memory: tegra20-emc: Correct memory device mask ocfs2: check dir i_size in ocfs2_find_entry mptcp: prevent excessive coalescing on receive tty: xilinx_uartps: split sysrq handling nfsd: clear acl_access/acl_default after releasing them NFSD: fix hang in nfsd4_shutdown_callback HID: multitouch: Add NULL check in mt_input_configured ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() vrf: use RCU protection in l3mdev_l3_out() team: better TEAM_OPTION_TYPE_STRING validation arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array drm/i915/selftests: avoid using uninitialized context gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ gpio: bcm-kona: Add missing newline to dev_err format string xen: remove a confusing comment on auto-translated guest I/O x86/xen: allow larger contiguous memory regions in PV guests media: cxd2841er: fix 64-bit division on gcc-9 media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P vfio/pci: Enable iowrite64 and ioread64 for vfio pci Grab mm lock before 
grabbing pt lock x86/mm/tlb: Only trim the mm_cpumask once a second orangefs: fix a oob in orangefs_debug_write ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V batman-adv: fix panic during interface removal batman-adv: Ignore neighbor throughput metrics in error case KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel perf/x86/intel: Ensure LBRs are disabled when a CPU is starting usb: roles: set switch registered flag early on usb: gadget: udc: renesas_usb3: Fix compiler warning usb: dwc2: gadget: remove of_node reference upon udc_stop USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI usb: core: fix pipe creation for get_bMaxPacketSize0 USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone usb: gadget: f_midi: fix MIDI Streaming descriptor lengths USB: hub: Ignore non-compliant devices with too many configs or interfaces USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk usb: cdc-acm: Check control transfer buffer size before access usb: cdc-acm: Fix handling of oversized fragments USB: serial: option: add MeiG Smart SLM828 USB: serial: option: add Telit Cinterion FN990B compositions USB: serial: option: fix Telit Cinterion FN990A name USB: serial: option: drop MeiG Smart defines can: c_can: fix unbalanced runtime PM disable in error path can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero alpha: make stack 16-byte aligned (most cases) efi: Avoid cold plugged memory for placing the kernel cgroup: fix race between fork and cgroup.kill serial: 8250: Fix fifo underflow on flush alpha: align stack for page fault and user unaligned trap handlers gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock partitions: mac: fix handling of bogus partition table regmap-irq: Add missing kfree() arm64: Handle .ARM.attributes section in linker scripts mlxsw: Add return value check for 
mlxsw_sp_port_get_stats_raw() btrfs: fix hole expansion when writing at an offset beyond EOF clocksource: Replace cpumask_weight() with cpumask_empty() clocksource: Use pr_info() for "Checking clocksource synchronization" message clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context ipv4: add RCU protection to ip4_dst_hoplimit() net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu() net: add dev_net_rcu() helper ipv4: use RCU protection in rt_is_expired() ipv4: use RCU protection in inet_select_addr() Namespaceify min_pmtu sysctl Namespaceify mtu_expires sysctl selftest: net: Test IPv4 PMTU exceptions with DSCP and ECN net: ipv4: Cache pmtu for all packet paths if multipath enabled ipv4: use RCU protection in __ip_rt_update_pmtu() ipv6: use RCU protection in ip6_default_advmss() ndisc: use RCU protection in ndisc_alloc_skb() neighbour: delete redundant judgment statements neighbour: use RCU protection in __neigh_notify() arp: use RCU protection in arp_xmit() openvswitch: use RCU protection in ovs_vport_cmd_fill_info() ndisc: extend RCU protection in ndisc_send_skb() ipv6: mcast: add RCU protection to mld_newpack() drm/tidss: Fix issue in irq handling causing irq-flood issue drm/tidss: Clear the interrupt status for interrupts being disabled drm/v3d: Stop active perfmon if it is being destroyed kdb: Do not assume write() callback available x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 alpha: replace hardcoded stack offsets with autogenerated ones nilfs2: do not output warnings when clearing dirty buffers nilfs2: do not force clear folio if buffer is referenced nilfs2: protect access to buffers with no active references can: ems_pci: move ASIX AX99100 ids to pci_ids.h serial: 8250_pci: add support for ASIX AX99100 parport_pc: add support for ASIX AX99100 netdevsim: print human readable IP address selftests: rtnetlink: update netdevsim ipsec output format ARM: dts: dra7: Add 
bus_dma_limit for l4 cfg bus f2fs: fix to wait dio completion x86/i8253: Disable PIT timer 0 when not in use Revert "btrfs: avoid monopolizing a core when activating a swap file" btrfs: avoid monopolizing a core when activating a swap file pps: Fix a use-after-free arm64: mte: Do not allow PROT_MTE on MAP_HUGETLB user mappings crypto: testmgr - fix wrong key length for pkcs1pad crypto: testmgr - Fix wrong test case of RSA crypto: testmgr - fix version number of RSA tests crypto: testmgr - populate RSA CRT parameters in RSA test vectors crypto: testmgr - some more fixes to RSA test vectors media: imx-jpeg: Fix potential error pointer dereference in detach_pm() mm: update mark_victim tracepoints fields memcg: fix soft lockup in the OOM process ksmbd: fix integer overflows on 32 bit systems drm/probe-helper: Create a HPD IRQ event helper for a single connector drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event() ASoC: renesas: rz-ssi: Add a check for negative sample_space arm64: dts: mediatek: mt8183: Disable DSI display output by default tpm: Use managed allocation for bios event log tpm: Change to kvalloc() in eventlog/acpi.c kfence: allow use of a deferrable timer kfence: enable check kfence canary on panic via boot param kfence: skip __GFP_THISNODE allocations on NUMA systems soc: mediatek: mtk-devapc: Switch to devm_clk_get_enabled() soc: mediatek: mtk-devapc: Fix leaking IO map on error paths soc/mediatek: mtk-devapc: Convert to platform remove callback returning void soc: mediatek: mtk-devapc: Fix leaking IO map on driver remove media: uvcvideo: Set error_idx during ctrl_commit errors media: uvcvideo: Refactor iterators media: uvcvideo: Only save async fh if success batman-adv: Drop initialization of flexible ethtool_link_ksettings batman-adv: Drop unmanaged ELP metric worker usb: dwc3: Increase DWC3 controller halt timeout usb: dwc3: Fix timeout issue during controller enter/exit from halt state USB: gadget: f_midi: f_midi_complete to call queue_work 
powerpc/64s/mm: Move __real_pte stubs into hash-4k.h powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline ALSA: hda/realtek: Fixup ALC225 depop procedure powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC geneve: Fix use-after-free in geneve_find_dev(). gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). geneve: Suppress list corruption splat in geneve_destroy_tunnels(). net: extract port range fields from fl_flow_key flow_dissector: Fix handling of mixed port and port-range keys flow_dissector: Fix port range key handling in BPF conversion net: Add non-RCU dev_getbyhwaddr() helper arp: switch to dev_getbyhwaddr() in arp_req_set_public() power: supply: da9150-fg: fix potential overflow nvme/ioctl: add missing space in err message bpf: skip non exist keys in generic_map_lookup_batch tee: optee: Fix supplicant wait loop drop_monitor: fix incorrect initialization order nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED acct: perform last write from workqueue acct: block access to kernel internal filesystems mtd: rawnand: cadence: fix error code in cadence_nand_init() mtd: rawnand: cadence: use dma_map_resource for sdma address mtd: rawnand: cadence: fix incorrect device in dma_unmap_single x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit IB/mlx5: Set and get correct qp_num for a DCT QP ovl: use wrappers to all vfs_*xattr() calls ovl: pass ofs to creation operations ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up scsi: core: Don't memset() the entire scsi_cmnd in scsi_init_command() scsi: core: Clear driver private data when retrying request RDMA/mlx5: Fix bind QP error cleanup flow sunrpc: suppress warnings for unused procfs functions ALSA: usb-audio: Avoid dropping MIDI events at closing multiple ports Bluetooth: L2CAP: Fix L2CAP_ECRED_CONN_RSP response afs: remove variable nr_servers afs: Make it possible to find 
the volumes that are using a server afs: Fix the server_list to unuse a displaced server rather than putting it net: loopback: Avoid sending IP packets without an Ethernet header net: cadence: macb: Synchronize stats calculations ASoC: es8328: fix route from DAC to output ipvs: Always clear ipvs_property flag in skb_scrub_packet() tcp: Defer ts_recent changes until req is owned net: mvpp2: cls: Fixed Non IP flow, with vlan tag flow defination. net/mlx5: IRQ, Fix null string in debug print seg6: add support for SRv6 H.Encaps.Red behavior seg6: add support for SRv6 H.L2Encaps.Red behavior include: net: add static inline dst_dev_overhead() to dst.h net: ipv6: seg6_iptunnel: mitigate 2-realloc issue net: ipv6: fix dst ref loop on input in seg6 lwt net: ipv6: rpl_iptunnel: mitigate 2-realloc issue net: ipv6: fix dst ref loop on input in rpl lwt x86/CPU: Fix warm boot hang regression on AMD SC1100 SoC systems ftrace: Avoid potential division by zero in function_stat_show() ALSA: usb-audio: Re-add sample rate quirk for Pioneer DJM-900NXS2 perf/core: Fix low freq setting via IOC_PERIOD drm/amd/display: Fix HPD after gpu reset i2c: npcm: disable interrupt enable bit before devm_request_irq usbnet: gl620a: fix endpoint checking in genelink_bind() net: enetc: fix the off-by-one issue in enetc_map_tx_buffs() net: enetc: update UDP checksum when updating originTimestamp field net: enetc: correct the xdp_tx statistics phy: tegra: xusb: reset VBUS & ID OVERRIDE phy: exynos5-usbdrd: fix MPLL_MULTIPLIER and SSC_REFCLKSEL masks in refclk mptcp: always handle address removal under msk socket lock vmlinux.lds: Ensure that const vars with relocations are mapped R/O sched/core: Prevent rescheduling when interrupts are disabled intel_idle: Handle older CPUs, which stop the TSC in deeper C states, correctly pfifo_tail_enqueue: Drop new packet when sch->limit == 0 smb: client: Add check for next_buffer in receive_encrypted_standard() drm/amdgpu: Check extended configuration space register 
when system uses large bar drm/amdgpu: disable BAR resize on Dell G5 SE Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'" HID: appleir: Fix potential NULL dereference at raw event handle gpio: rcar: Use raw_spinlock to protect register access gpio: aggregator: protect driver attr handlers against module unload ALSA: hda: intel: Add Dell ALC3271 to power_save denylist ALSA: hda/realtek: update ALC222 depop optimize drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e x86/cacheinfo: Validate CPUID leaf 0x2 EDX output x86/cpu: Validate CPUID leaf 0x2 EDX output x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63 wifi: cfg80211: regulatory: improve invalid hints checking wifi: nl80211: reject cooked mode if it is set along with other flags rapidio: add check for rio_add_net() in rio_scan_alloc_net() rapidio: fix an API misues when rio_add_net() fails s390/traps: Fix test_monitor_call() inline assembly block: fix conversion of GPT partition name to 7-bit mm/page_alloc: fix uninitialized variable mm: don't skip arch_sync_kernel_mappings() in error paths wifi: iwlwifi: limit printed string from FW file HID: google: fix unused variable warning under !CONFIG_ACPI HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch net: gso: fix ownership in __udp_gso_segment caif_virtio: fix wrong pointer check in cfv_probe() hwmon: (pmbus) Initialise page count in pmbus_identify() hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table hwmon: (ad7314) Validate leading zero bits and return error ALSA: usx2y: validate nrpacks module parameter on probe llc: do not use skb_get() before dev_queue_xmit() hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe() drm/sched: Fix preprocessor guard be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink net: hns3: make 
sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error ppp: Fix KMSAN uninit-value warning with bpf vlan: enforce underlying device type x86/sgx: Support loading enclave page without VMA permissions check x86/sgx: Move PTE zap code to new sgx_zap_enclave_ptes() x86/sgx: Export sgx_encl_{grow,shrink}() x86/sgx: Support VA page allocation without reclaiming x86/sgx: Fix size overflows in sgx_encl_create() exfat: fix soft lockup in exfat_clear_bitmap net-timestamp: support TCP GSO case for a few missing flags sched/fair: Fix potential memory corruption in child_cfs_rq_on_list net: ipv6: fix dst ref loop in ila lwtunnel net: ipv6: fix missing dst ref drop in ila lwtunnel gpio: rcar: Fix missing of_node_put() call Revert "drivers/card_reader/rtsx_usb: Restore interrupt based detection" usb: renesas_usbhs: Call clk_put() usb: renesas_usbhs: Use devm_usb_get_phy() usb: hub: lack of clearing xHC resources usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader usb: renesas_usbhs: Flush the notify_hotplug_work usb: atm: cxacru: fix a flaw in existing endpoint checks usb: dwc3: Set SUSPENDENABLE soon after phy init usb: dwc3: gadget: Prevent irq storm when TH re-executes usb: typec: ucsi: increase timeout for PPM reset operations usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality usb: gadget: Set self-powered based on MaxPower and bmAttributes usb: gadget: Fix setting self-powered state on suspend usb: gadget: Check bmAttributes only if configuration is valid xhci: pci: Fix indentation in the PCI device ID definitions usb: xhci: Enable the TRB overfetch quirk on VIA VL805 Squashfs: check the inode number is not the invalid value of zero mei: me: add panther lake P DID intel_th: pci: Add Arrow Lake support intel_th: pci: Add Panther Lake-H support intel_th: pci: Add Panther Lake-P/U support slimbus: messaging: Free transaction ID in delayed interrupt scenario bus: mhi: host: pci_generic: Use 
pci_try_reset_function() to avoid deadlock eeprom: digsy_mtc: Make GPIO lookup table match the device drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl media: uvcvideo: Avoid invalid memory access media: uvcvideo: Avoid returning invalid controls md: select BLOCK_LEGACY_AUTOLOAD mtd: rawnand: cadence: fix unchecked dereference spi-mxs: Fix chipselect glitch nilfs2: move page release outside of nilfs_delete_entry and nilfs_set_link nilfs2: eliminate staggered calls to kunmap in nilfs_rename nilfs2: handle errors that nilfs_prepare_chunk() may return media: uvcvideo: Fix crash during unbind if gpio unit is in use media: uvcvideo: Remove dangling pointers bpf, vsock: Invoke proto::close on close() vsock: Keep the binding until socket destruction vsock: Orphan socket after transport release sched: sch_cake: add bounds checks to host bulk flow fairness counts kbuild: userprogs: use correct lld when linking through clang net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels Linux 5.15.179 Change-Id: I70dce3131dc3d03aa50dd416eeb64dbc97d1b9d8 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 5.15.180 vlan: fix memory leak in vlan_newlink() clockevents/drivers/i8253: Fix stop sequence for timer 0 sched/isolation: Prevent boot crash when the boot CPU is nohz_full ipv6: Fix signed integer overflow in __ip6_append_data fbdev: hyperv_fb: iounmap() the correct memory when removing a device pinctrl: bcm281xx: Fix incorrect regmap max_registers value netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. ice: fix memory leak in aRFS after reset net: dsa: mv88e6xxx: Verify after ATU Load ops netpoll: hold rcu read lock in __netpoll_send_skb() Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() net/mlx5: handle errors in mlx5_chains_create_table() netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() ipvs: prevent integer overflow in do_ip_vs_get_ctl() net_sched: Prevent creation of classes with TC_H_ROOT netfilter: nft_exthdr: fix offset with ipv4_find_option() gre: Fix IPv6 link-local address generation. 
slab: clean up function prototypes slab: Introduce kmalloc_size_roundup() openvswitch: Use kmalloc_size_roundup() to match ksize() usage net: openvswitch: remove misbehaving actions length check net/mlx5: Bridge, fix the crash caused by LAG state check net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices nvme-fc: go straight to connecting state when initializing hrtimers: Mark is_migration_base() with __always_inline powercap: call put_device() on an error path in powercap_register_control_type() iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() scsi: core: Use GFP_NOIO to avoid circular locking dependency scsi: qla1280: Fix kernel oops when debug level > 2 ACPI: resource: IRQ override for Eluktronics MECH-17 alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support vboxsf: fix building with GCC 15 HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell HID: ignore non-functional sensor in HP 5MP Camera sched: Clarify wake_up_q()'s write to task->wake_q.next s390/cio: Fix CHPID "configure" attribute caching thermal/cpufreq_cooling: Remove structure member documentation ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. 
ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors nvmet-rdma: recheck queue state is LIVE in state lock in recv done sctp: Fix undefined behavior in left shift operation nvme: only allow entering LIVE from CONNECTING state ASoC: tas2770: Fix volume scale ASoC: tas2764: Fix power control mask ASoC: tas2764: Set the SDOUT polarity correctly fuse: don't truncate cached, mutated symlink x86/irq: Define trace events conditionally mptcp: safety check before fallback drm/nouveau: Do not override forced connector status block: fix 'kmem_cache of name 'bio-108' already exists' USB: serial: ftdi_sio: add support for Altera USB Blaster 3 USB: serial: option: add Telit Cinterion FE990B compositions USB: serial: option: fix Telit Cinterion FE990A name USB: serial: option: match on interface class for Telit FN990B x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes drm/atomic: Filter out redundant DPMS calls drm/amd/display: Restore correct backlight brightness after a GPU reset drm/amd/display: Assign normalized_pix_clk when color depth = 14 drm/amd/display: Fix slab-use-after-free on hdcp_work qlcnic: fix memory leak issues in qlcnic_sriov_common.c lib/buildid: Handle memfd_secret() files in build_id_parse() tcp: fix races in tcp_abort() ASoC: ops: Consistently treat platform_max as control value drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() cifs: Fix integer overflow while processing acregmax mount option cifs: Fix integer overflow while processing acdirmax mount option cifs: Fix integer overflow while processing actimeo mount option cifs: Fix integer overflow while processing closetimeo mount option i2c: ali1535: Fix an error handling path in ali1535_probe() i2c: ali15x3: Fix an error handling path in ali15x3_probe() i2c: sis630: Fix an error handling path in sis630_probe() 
drm/amd/display: Check for invalid input params when building scaling params drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params smb: client: Fix match_session bug preventing session reuse smb: client: fix potential UAF in cifs_debug_files_proc_show() firmware: imx-scu: fix OF node leak in .probe() xfrm_output: Force software GSO only in tunnel mode ARM: dts: bcm2711: PL011 UARTs are actually r1p5 RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx ARM: dts: bcm2711: Don't mark timer regs unconfigured RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path RDMA/hns: Remove redundant 'phy_addr' in hns_roce_hem_list_find_mtt() RDMA/hns: Fix soft lockup during bt pages loop RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() RDMA/hns: Fix wrong value of max_sge_rd Bluetooth: Fix error code in chan_alloc_skb_cb() ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). net: atm: fix use after free in lec_send() net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Revert "gre: Fix IPv6 link-local address generation." 
i2c: omap: fix IRQ storms drm/v3d: Don't run jobs that have errors flagged in its fence regulator: check that dummy regulator has been probed before using it mmc: atmel-mci: Add missing clk_disable_unprepare() proc: fix UAF in proc_get_inode() ARM: shmobile: smp: Enforce shmobile_smp_* alignment batman-adv: Ignore own maximum aggregation size during RX soc: qcom: pdr: Fix the potential deadlock drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() drm/amdgpu: Fix JPEG video caps max size for navi1x and raven mptcp: Fix data stream corruption in the address announcement arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE bpf, sockmap: Fix race between element replace and close() ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names HID: hid-plantronics: Add mic mute mapping and generalize quirks atm: Fix NULL pointer dereference ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed() ARM: 9351/1: fault: Add "cut here" line for prefetch aborts ARM: Remove address checking for MMUless devices netfilter: socket: Lookup orig tuple for IPv6 SNAT ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx counter: stm32-lptimer-cnt: fix error handling when enabling counter: microchip-tcb-capture: Fix undefined counter channel state on probe tty: serial: 8250: Add some more device IDs tty: serial: 8250: Add Brainboxes XC devices net: usb: qmi_wwan: add Telit Cinterion FN990B composition net: usb: qmi_wwan: add Telit Cinterion FE990B composition net: usb: usbnet: restore usb%d name exception for local mac addresses memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove serial: 8250_dma: terminate correct DMA in tx_dma_flush() media: i2c: et8ek8: Don't strip remove function when driver is builtin watch_queue: fix pipe accounting mismatch x86/mm/pat: cpa-test: fix length for CPA_ARRAY test cpufreq: scpi: compare kHz instead of Hz cpufreq: governor: 
Fix negative 'idle_time' handling in dbs_update() x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct() x86/platform: Only allow CONFIG_EISA for 32-bit PM: sleep: Adjust check before setting power.must_resume selinux: Chain up tool resolving errors in install_policy.sh EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer EDAC/ie31200: Fix the DIMM size mask for several SoCs EDAC/ie31200: Fix the error path order of ie31200_init() thermal: int340x: Add NULL check for adev PM: sleep: Fix handling devices with direct_complete set on errors lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*() perf/ring_buffer: Allow the EPOLLRDNORM flag for poll media: platform: allgro-dvt: unregister v4l2_device on the error path HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER ALSA: hda/realtek: Always honor no_shutup_pins ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible drm/bridge: ti-sn65dsi86: Fix multiple instances drm/dp_mst: Fix drm RAD print drm: xlnx: zynqmp: Fix max dma segment size drm/vkms: Fix use after free and double free on init error drm/mediatek: mtk_hdmi: Unregister audio platform device on failure drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member PCI/ASPM: Fix link state exit during switch upstream function removal PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload PCI: brcmstb: Use internal register to change link capability PCI/portdrv: Only disable pciehp interrupts early when needed PCI: Avoid reset when disabled via sysfs drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters() PCI: Remove stray put_device() in pci_register_host_bridge() PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer() PCI: pciehp: Don't enable HPIE when resuming in poll mode fbdev: au1100fb: Move a variable assignment behind a null pointer 
check mdacon: rework dependency list fbdev: sm501fb: Add some geometry checks. clk: amlogic: gxbb: drop incorrect flag on 32k clock crypto: hisilicon/sec2 - fix for aead authsize alignment remoteproc: core: Clear table_sz when rproc_shutdown of: property: Increase NR_FWNODE_REFERENCE_ARGS remoteproc: qcom_q6v5_pas: Make single-PD handling more robust libbpf: Fix hypothetical STT_SECTION extern NULL deref case clk: samsung: Fix UBSAN panic in samsung_clk_init() clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock bpf: Use preempt_count() directly in bpf_send_signal_common() lib: 842: Improve error handling in sw842_compress() pinctrl: renesas: rza2: Fix missing of_node_put() call pinctrl: renesas: rzg2l: Fix missing of_node_put() call clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent RDMA/core: Don't expose hw_counters outside of init net namespace remoteproc: qcom_q6v5_mss: Handle platforms with one power domain IB/mad: Check available slots before posting receive WRs pinctrl: tegra: Set SFIO mode to Mux Register clk: amlogic: g12b: fix cluster A parent data clk: amlogic: gxbb: drop non existing 32k clock parent clk: amlogic: g12a: fix mmc A peripheral clock x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 power: supply: max77693: Fix wrong conversion of charge input threshold value crypto: nx - Fix uninitialised hv_nxc on error RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow mfd: sm501: Switch to BIT() to mitigate integer overflows x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment crypto: hisilicon/sec2 - fix for aead auth key length clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock isofs: fix KMSAN uninit-value bug in do_isofs_readdir() soundwire: slave: fix an OF node reference leak in soundwire slave device coresight: catu: Fix number of pages while using 64k pages iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio fs/ntfs3: Fix a couple integer overflows on 32bit 
systems iio: adc: ad7124: Fix comparison of channel configs perf units: Fix insufficient array space kexec: initialize ELF lowest address to ULONG_MAX ocfs2: validate l_tree_depth to avoid out-of-bounds access NFSv4: Don't trigger uneccessary scans for return-on-close delegations fuse: fix dax truncate/punch_hole fault path i3c: master: svc: Fix missing the IBI rules perf python: Fixup description of sample.id event member perf python: Decrement the refcount of just created event on failure perf python: Don't keep a raw_data pointer to consumed ring buffer space perf python: Check if there is space to copy all the event fs/procfs: fix the comment above proc_pid_wchan() objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() exfat: fix the infinite loop in exfat_find_last_cluster() rtnetlink: Allocate vfinfo size for VF GUIDs when supported ksmbd: use aead_request_free to match aead_request_alloc ksmbd: fix multichannel connection failure ring-buffer: Fix bytes_dropped calculation issue ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid octeontx2-af: Fix mbox INTR handler when num VFs > 64 octeontx2-af: Free NIX_AF_INT_VEC_GEN irq sched/smt: Always inline sched_smt_active() wifi: iwlwifi: fw: allocate chained SG tables for dump nvme-tcp: fix possible UAF in nvme_tcp_poll nvme-pci: clean up CMBMSC when registering CMB fails nvme-pci: skip CMB blocks incompatible with PCI P2P DMA affs: generate OFS sequence numbers starting at 1 affs: don't write overlarge OFS data block size fields ksmbd: fix incorrect validation for num_aces field of smb_acl sched/deadline: Use online cpus for validating runtime locking/semaphore: Use wake_q to wake up processes outside lock critical section x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled drm/amd: Keep display off while going into S4 ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx can: statistics: use atomic access in hot path hwmon: (nct6775-core) Fix 
out of bounds access for NCT679{8,9} spufs: fix a leak on spufs_new_file() failure spufs: fix a leak in spufs_create_context() riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and make_call_ra ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans ntb: intel: Fix using link status DB's ASoC: imx-card: Add NULL check in imx_card_probe() netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets net_sched: skbprio: Remove overly strict queue assertions net: mvpp2: Prevent parser TCAM memory corruption vsock: avoid timeout during connect() if the socket is closing tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu(). netfilter: nft_tunnel: fix geneve_opt type confusion addition ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS net: fix geneve_opt length integer overflow arcnet: Add NULL check in com20020pci_probe() can: flexcan: only change CAN state when link up in system PM can: flexcan: disable transceiver during system PM mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0 mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers drm/amd/pm: Fix negative array index read drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration usbnet:fix NPE during rx_complete platform/x86: ISST: Correct command storage data length ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() btrfs: handle errors from btrfs_dec_ref() properly x86/tsc: Always save/restore TSC sched_clock() on suspend/resume x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs acpi: nfit: fix narrowing conversion in acpi_nfit_ctl ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP mmc: sdhci-pxav3: set NEED_RSP_BUSY 
capability tracing: Fix use-after-free in print_graph_function_flags during tracer switching tracing: Ensure module defining synth event cannot be unloaded while tracing tracing: Fix synth event printk format for str fields tracing/osnoise: Fix possible recursive locking for cpus_read_lock() ext4: don't over-report free space or inodes in statvfs ext4: fix OOB read when checking dotdot dir jfs: fix slab-out-of-bounds read in ea_get() jfs: add index corruption check to DT_GETPAGE() nfsd: put dl_stid if fail to queue dl_recall NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up mmc: sdhci-brcmstb: use clk_get_rate(base_clk) in PM resume mm, slab: remove duplicate kernel-doc comment for ksize() tracing: Do not use PERF enums when perf is not defined mmc: sdhci-brcmstb: Initialize base_clk to NULL in sdhci_brcmstb_probe() Linux 5.15.180 Change-Id: I68dd89447505df1932831ef89c38bef45cc8b7ff Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Android has mounted the v1 cpuset controller using filesystem type "cpuset" (not "cgroup") since 2015 [1], and depends on the resulting behavior where the controller name is not added as a prefix for cgroupfs files. [2]

Later, a problem was discovered where cpu hotplug onlining did not affect the cpuset/cpus files, which Android carried an out-of-tree patch to address for a while. An attempt was made to upstream this patch, but the recommendation was to use the "cpuset_v2_mode" mount option instead. [3]

An effort was made to do so, but this fails with "cgroup: Unknown parameter 'cpuset_v2_mode'" because commit e1cba4b ("cgroup: Add mount flag to enable cpuset to use v2 behavior in v1 cgroup") did not update the special cased cpuset_mount(), and only the cgroup (v1) filesystem type was updated.

Add parameter parsing to the cpuset filesystem type so that cpuset_v2_mode works like the cgroup filesystem type:

    $ mkdir /dev/cpuset
    $ mount -t cpuset -ocpuset_v2_mode none /dev/cpuset
    $ mount|grep cpuset
    none on /dev/cpuset type cgroup (rw,relatime,cpuset,noprefix,cpuset_v2_mode,release_agent=/sbin/cpuset_release_agent)

[1] https://cs.android.com/android/_/android/platform/system/core/+/b769c8d24fd7be96f8968aa4c80b669525b930d3
[2] https://cs.android.com/android/platform/superproject/main/+/main:system/core/libprocessgroup/setup/cgroup_map_write.cpp;drc=2dac5d89a0f024a2d0cc46a80ba4ee13472f1681;l=192
[3] https://lore.kernel.org/lkml/f795f8be-a184-408a-0b5a-553d26061385@redhat.com/T/

Fixes: e1cba4b ("cgroup: Add mount flag to enable cpuset to use v2 behavior in v1 cgroup")
Signed-off-by: T.J. Mercier <tjmercier@google.com>
Acked-by: Waiman Long <longman@redhat.com>
Reviewed-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Acked-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
(cherry picked from commit 1bf67c8 https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git for-6.15-fixes)
Bug: 409240872
Change-Id: I24726766d247e2638c719b56bd7d2d536085f6e4
Signed-off-by: T.J. Mercier <tjmercier@google.com>
[ Upstream commit 0c3057a ]

The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho.

Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal.

Bug: 403920173
Reported-by: Mingi Cho <mincho@theori.io>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: 066a3b5 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop")
Link: https://patch.msgid.link/20250306232355.93864-2-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 78533c4)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ieac912ddc0bc44e999fe0d29ddf3a3842abdfa14
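
An added illustration, not part of the commit or of the kernel source: a simplified user-space C model of the upward backlog walk and of the classid check described in the commit message above. The struct, the function names and the sample classid are hypothetical; only TC_H_ROOT (0xFFFFFFFF) is taken from the message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define TC_H_ROOT 0xFFFFFFFFU /* value quoted in the commit message */

/* Hypothetical stand-in for a qdisc: only the fields the walk needs. */
struct model_qdisc {
    uint32_t parent;         /* classid this qdisc hangs under; TC_H_ROOT marks the root */
    struct model_qdisc *up;  /* qdisc that owns the parent class, NULL for the root */
    unsigned int qlen;       /* packets queued at or below this qdisc */
};

struct model_result {
    int err;                 /* 0, or -EINVAL when class creation is refused */
    unsigned int leaf_qlen;
    unsigned int root_qlen;
};

/* Class creation; with guard set, classid TC_H_ROOT is refused (the behaviour the commit asks for). */
static int model_class_create(uint32_t classid, int guard)
{
    if (guard && classid == TC_H_ROOT)
        return -EINVAL;
    return 0;
}

/* Walk towards the root and subtract n from every ancestor's qlen.
 * TC_H_ROOT is the stop condition, as the commit message describes.
 * Returns the number of ancestors that were updated. */
static int model_reduce_backlog(struct model_qdisc *sch, unsigned int n)
{
    int updated = 0;

    while (sch->parent != TC_H_ROOT && sch->up != NULL) {
        sch = sch->up;
        sch->qlen -= n;
        updated++;
    }
    return updated;
}

/* Constructed scenario: a leaf qdisc sits under class `classid` of the root,
 * 5 packets are queued in the leaf (and counted by the root), then the leaf
 * drops 2 of them and reports the drop upwards. */
static struct model_result model_drop_scenario(uint32_t classid, int guard)
{
    struct model_qdisc root = { .parent = TC_H_ROOT, .up = NULL, .qlen = 5 };
    struct model_qdisc leaf = { .parent = classid, .up = &root, .qlen = 5 };
    struct model_result res = { 0, leaf.qlen, root.qlen };

    res.err = model_class_create(classid, guard);
    if (res.err)
        return res;          /* class never exists, nothing is attached */

    leaf.qlen -= 2;
    model_reduce_backlog(&leaf, 2);
    res.leaf_qlen = leaf.qlen;
    res.root_qlen = root.qlen;
    return res;
}

int main(void)
{
    struct model_result ok = model_drop_scenario(0x00010001U, 0);
    struct model_result stale = model_drop_scenario(TC_H_ROOT, 0);
    struct model_result refused = model_drop_scenario(TC_H_ROOT, 1);

    printf("ordinary classid:      leaf=%u root=%u\n", ok.leaf_qlen, ok.root_qlen);
    printf("TC_H_ROOT, no check:   leaf=%u root=%u (root counter is stale)\n",
           stale.leaf_qlen, stale.root_qlen);
    printf("TC_H_ROOT, with check: err=%d\n", refused.err);
    return 0;
}
```

In the unguarded TC_H_ROOT case the leaf reports 3 queued packets while the root still reports 5, which is the accounting mismatch the commit message refers to.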
30 function symbol(s) added
  'int __devm_reset_control_bulk_get(struct device*, int, struct reset_control_bulk_data*, bool, bool, bool)'
  'bool cancel_work(struct work_struct*)'
  'void drm_connector_set_link_status_property(struct drm_connector*, uint64_t)'
  'int drm_dp_read_desc(struct drm_dp_aux*, struct drm_dp_desc*, bool)'
  'int drm_dp_read_downstream_info(struct drm_dp_aux*, const u8*, u8*)'
  'int drm_dp_read_dpcd_caps(struct drm_dp_aux*, u8*)'
  'bool drm_dp_read_sink_count_cap(struct drm_connector*, const u8*, const struct drm_dp_desc*)'
  'bool drm_dp_send_real_edid_checksum(struct drm_dp_aux*, u8)'
  'struct typec_mux* fwnode_typec_mux_get(struct fwnode_handle*, const struct typec_altmode_desc*)'
  'struct typec_switch* fwnode_typec_switch_get(struct fwnode_handle*)'
  'struct i2c_client* i2c_new_smbus_alert_device(struct i2c_adapter*, struct i2c_smbus_alert_setup*)'
  's32 i2c_smbus_write_block_data(const struct i2c_client*, u8, u8, const u8*)'
  'int of_i2c_get_board_info(struct device*, struct device_node*, struct i2c_board_info*)'
  'bool pci_dev_run_wake(struct pci_dev*)'
  'void pci_disable_msix(struct pci_dev*)'
  'int pci_enable_msix_range(struct pci_dev*, struct msix_entry*, int, int)'
  'int pci_prepare_to_sleep(struct pci_dev*)'
  'int pci_status_get_and_clear_errors(struct pci_dev*)'
  'int pcie_set_readrq(struct pci_dev*, int)'
  'int pcim_set_mwi(struct pci_dev*)'
  'int phy_start_aneg(struct phy_device*)'
  'int regulator_register_supply_alias(struct device*, const char*, struct device*, const char*)'
  'void regulator_unregister_supply_alias(struct device*, const char*)'
  'int reset_control_bulk_acquire(int, struct reset_control_bulk_data*)'
  'int reset_control_bulk_deassert(int, struct reset_control_bulk_data*)'
  'void reset_control_bulk_release(int, struct reset_control_bulk_data*)'
  'int rproc_of_parse_firmware(struct device*, int, const char**)'
  'void typec_mux_put(struct typec_mux*)'
  'void typec_switch_put(struct typec_switch*)'
  'int typec_switch_set(struct typec_switch*, enum typec_orientation)'

Bug: 412942114
Change-Id: I1842bc089179d3c24d03e37d6bca0f57dbade837
Signed-off-by: James Tai <james.tai@realtek.com>
7 function symbol(s) added
  'int spi_mem_exec_op(struct spi_mem *mem, const struct spi_mem_op *op)'
  'ssize_t spi_mem_dirmap_read(struct spi_mem_dirmap_desc *desc, u64 offs, size_t len, void *buf)'
  'ssize_t spi_mem_dirmap_write(struct spi_mem_dirmap_desc *desc, u64 offs, size_t len, const void *buf)'
  'int spi_mem_driver_register_with_owner(struct spi_mem_driver *memdrv, struct module *owner)'
  'const char *spi_mem_get_name(struct spi_mem *mem)'
  'struct spi_mem_dirmap_desc * devm_spi_mem_dirmap_create(struct device *dev, struct spi_mem *mem, const struct spi_mem_dirmap_info *info)'
  'void spi_mem_driver_unregister(struct spi_mem_driver *memdrv)'

Bug: 410966005
Change-Id: I4f3e0275d7678757102d75ab32b6680f32e1e3a5
Signed-off-by: Zhipeng Wei <zhipeng5.wei@tcl.corp-partner.google.com>
This patch repurposes an ANDROID_KABI_RESERVE slot used for LTS backports for feature backports. Slot 4 is repurposed as parts of slot 1 are already used for accept_ra_min_lft on some branches.

Bug: 315069348
Signed-off-by: Patrick Rohr <prohr@google.com>
Change-Id: I19b9dfc16d891fb6fe48ec4379c6fa3dcb6adf89
This merges the android14-5.15.180_r00 tag into the android14-5.15 branch, catching it up with the latest LTS releases.

It contains the following commits:

* c46ef9e6bc99 Revert "of: property: Increase NR_FWNODE_REFERENCE_ARGS"
* 13c8555e7f26 Revert "can: statistics: use atomic access in hot path"
* 90a66c1e3f48 Merge 5.15.180 into android14-5.15-lts
|\
| * f7347f400572 Linux 5.15.180
| * 0d709c0ccceb mmc: sdhci-brcmstb: Initialize base_clk to NULL in sdhci_brcmstb_probe()
| * 35254cb9d115 tracing: Do not use PERF enums when perf is not defined
| * 3e47f3a703c6 mm, slab: remove duplicate kernel-doc comment for ksize()
| * c1030da07a24 mmc: sdhci-brcmstb: use clk_get_rate(base_clk) in PM resume
| * 58bc361822db NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
| * cdb796137c57 nfsd: put dl_stid if fail to queue dl_recall
| * b0274ddac570 jfs: add index corruption check to DT_GETPAGE()
| * 78c9cbde8880 jfs: fix slab-out-of-bounds read in ea_get()
| * b7531a4f99c3 ext4: fix OOB read when checking dotdot dir
| * 1b77a8c7f8b7 ext4: don't over-report free space or inodes in statvfs
| * 37e8719b1791 tracing/osnoise: Fix possible recursive locking for cpus_read_lock()
| * 585464695f63 tracing: Fix synth event printk format for str fields
| * caefd40151f7 tracing: Ensure module defining synth event cannot be unloaded while tracing
| * 81a85b12132c tracing: Fix use-after-free in print_graph_function_flags during tracer switching
| * 801bc749fe66 mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
| * 7fbfe8d99b2f ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
| * 92ba06aef655 acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
| * 0a8f806ea6b5 x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
| * 5ac5f2a3a8ff x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
| * 2c4fe45351e5 btrfs: handle errors from btrfs_dec_ref() properly
| * 7b02f69bfb19 ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk()
| * 1df48e8773cf platform/x86: ISST: Correct command storage data length
| * 95789c2f94fd usbnet:fix NPE during rx_complete
| * 4331ae2788e7 drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration
| * e549cd6da1f2 drm/amd/pm: Fix negative array index read
| * 91264238e941 tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers
| * 557f6adcd07d tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform
| * f8100551939b mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops
| * 6991fabddd6f mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0
| * 4c671d0377b8 can: flexcan: disable transceiver during system PM
| * c79d1fba305d can: flexcan: only change CAN state when link up in system PM
| * ef8b29398ea6 arcnet: Add NULL check in com20020pci_probe()
| * b4513ad0f391 net: fix geneve_opt length integer overflow
| * 0baa3f0369a9 ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS
| * ca2adfc03cd6 netfilter: nft_tunnel: fix geneve_opt type confusion addition
| * e7479a2549cb tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().
| * 0162cb87b3cd vsock: avoid timeout during connect() if the socket is closing
| * e3711163d14d net: mvpp2: Prevent parser TCAM memory corruption
| * 32ee79682315 net_sched: skbprio: Remove overly strict queue assertions
| * a7e89541d05b netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
| * b87f19c495cb netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only
| * 018e6cf2503e ASoC: imx-card: Add NULL check in imx_card_probe()
| * 03fd0444e719 ntb: intel: Fix using link status DB's
| * 2429bdf26a0f ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
| * de237129b9fd riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and make_call_ra
| * c4e72a0d7544 spufs: fix a leak in spufs_create_context()
| * 53b189651c33 spufs: fix a leak on spufs_new_file() failure
| * 90c4a3eaa7d5 hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
| * 051be169fb7c can: statistics: use atomic access in hot path
| * fe2ffc3442bf ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx
| * c3021a955e77 drm/amd: Keep display off while going into S4
| * 3c9a43eef01d x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled
| * 46c66d975a58 locking/semaphore: Use wake_q to wake up processes outside lock critical section
| * 26d4d84aa6cf sched/deadline: Use online cpus for validating runtime
| * c3a3484d9d31 ksmbd: fix incorrect validation for num_aces field of smb_acl
| * 397e6aa03f9a affs: don't write overlarge OFS data block size fields
| * 4441c2658337 affs: generate OFS sequence numbers starting at 1
| * 35d7887ab2d1 nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
| * 7b860d9a4d56 nvme-pci: clean up CMBMSC when registering CMB fails
| * 8dad8a6b4f61 nvme-tcp: fix possible UAF in nvme_tcp_poll
| * 2be5bed3e089 wifi: iwlwifi: fw: allocate chained SG tables for dump
| * 7929187c67a3 sched/smt: Always inline sched_smt_active()
| * cb615d3fdaae octeontx2-af: Free NIX_AF_INT_VEC_GEN irq
| * f1e97333d34a octeontx2-af: Fix mbox INTR handler when num VFs > 64
| * 190d766abe6f ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid
| * 1db23504775a ring-buffer: Fix bytes_dropped calculation issue
| * 55cf766eba06 ksmbd: fix multichannel connection failure
| * 571b342d4688 ksmbd: use aead_request_free to match aead_request_alloc
| * bb7bdf636cef rtnetlink: Allocate vfinfo size for VF GUIDs when supported
| * 52a6316af117 exfat: fix the infinite loop in exfat_find_last_cluster()
| * 9b76b198cf20 objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
| * b20a4ca247a5 fs/procfs: fix the comment above proc_pid_wchan()
| * ccf40f82638d perf python: Check if there is space to copy all the event
| * 69abc7554403 perf python: Don't keep a raw_data pointer to consumed ring buffer space
| * cdf417656af5 perf python: Decrement the refcount of just created event on failure
| * be0f2d515164 perf python: Fixup description of sample.id event member
| * 1c0bd3d322ae i3c: master: svc: Fix missing the IBI rules
| * c5d2d17aecb4 fuse: fix dax truncate/punch_hole fault path
| * 257fd2aa2893 NFSv4: Don't trigger uneccessary scans for return-on-close delegations
| * 17c99ab3db2b ocfs2: validate l_tree_depth to avoid out-of-bounds access
| * d2421351549c kexec: initialize ELF lowest address to ULONG_MAX
| * adb0ac53b73e perf units: Fix insufficient array space
| * 201e7d7c0e32 iio: adc: ad7124: Fix comparison of channel configs
| * 0922d86a7a60 fs/ntfs3: Fix a couple integer overflows on 32bit systems
| * 7041fafd0dc6 iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio
| * 473362787faf coresight: catu: Fix number of pages while using 64k pages
| * abb8f3369f44 soundwire: slave: fix an OF node reference leak in soundwire slave device
| * ae44c01f3fbb isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
| * b9d693b3bc25 clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock
| * f19a85216aa8 crypto: hisilicon/sec2 - fix for aead auth key length
| * 1c644d8ab3f6 x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment
| * ab776df91d67 mfd: sm501: Switch to BIT() to mitigate integer overflows
| * f0447ceb8a31 RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
| * 6d662e7666f2 crypto: nx - Fix uninitialised hv_nxc on error
| * a2d672786704 power: supply: max77693: Fix wrong conversion of charge input threshold value
| * 9b35d55bfc9f x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1
| * 93c6fb0d18ad clk: amlogic: g12a: fix mmc A peripheral clock
| * f95e0f36e592 clk: amlogic: gxbb: drop non existing 32k clock parent
| * cc2817165e5e clk: amlogic: g12b: fix cluster A parent data
| * 8c9652d29438 pinctrl: tegra: Set SFIO mode to Mux Register
| * b26ed1d80c48 IB/mad: Check available slots before posting receive WRs
| * 79103371b574 remoteproc: qcom_q6v5_mss: Handle platforms with one power domain
| * 9a5b7f8842a9 RDMA/core: Don't expose hw_counters outside of init net namespace
| * d82fd0fb9750 clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent
| * f6adccd0a887 pinctrl: renesas: rzg2l: Fix missing of_node_put() call
| * 93a0760d371e pinctrl: renesas: rza2: Fix missing of_node_put() call
| * 3b619f280328 lib: 842: Improve error handling in sw842_compress()
| * eba7778cf9b9 bpf: Use preempt_count() directly in bpf_send_signal_common()
| * 948b7898a81a clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock
| * d974e177369c clk: samsung: Fix UBSAN panic in samsung_clk_init()
| * b28c6712afb6 libbpf: Fix hypothetical STT_SECTION extern NULL deref case
| * be6a831b44fe remoteproc: qcom_q6v5_pas: Make single-PD handling more robust
| * 791de7357bdd of: property: Increase NR_FWNODE_REFERENCE_ARGS
| * 6e66bca8cd51 remoteproc: core: Clear table_sz when rproc_shutdown
| * cca86355466f crypto: hisilicon/sec2 - fix for aead authsize alignment
| * d512627292bc clk: amlogic: gxbb: drop incorrect flag on 32k clock
| * 8a16be14db76 fbdev: sm501fb: Add some geometry checks.
| * 7dc76ac3eb84 mdacon: rework dependency list
| * dbac029069f8 fbdev: au1100fb: Move a variable assignment behind a null pointer check
| * 272a425d77ca PCI: pciehp: Don't enable HPIE when resuming in poll mode
| * 9ac06e063209 drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()
| * ce7ebca5488f PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe
| * 8916ca26d4e6 PCI: Remove stray put_device() in pci_register_host_bridge()
| * bb4a1eb2c6a1 drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters()
| * 9a376697fcac PCI: Avoid reset when disabled via sysfs
| * 8656d24467a9 PCI/portdrv: Only disable pciehp interrupts early when needed
| * df97eb2fd468 PCI: brcmstb: Use internal register to change link capability
| * fa2fcc7706fe PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload
| * e5cd58f61e9d PCI/ASPM: Fix link state exit during switch upstream function removal
| * 01be87ebbf44 drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
| * 67ccd3e9fdc7 drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
| * 49a69f67f535 drm/vkms: Fix use after free and double free on init error
| * 9842973b93c4 drm: xlnx: zynqmp: Fix max dma segment size
| * 1b990d384b28 drm/dp_mst: Fix drm RAD print
| * 271755cd8ff0 drm/bridge: ti-sn65dsi86: Fix multiple instances
| * b02c23f38fe2 ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible
| * 1cfb0ed41174 ALSA: hda/realtek: Always honor no_shutup_pins
| * c877ac2c888d HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
| * 2453d54d6700 media: platform: allgro-dvt: unregister v4l2_device on the error path
| * f343b4420263 perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
| * 3a96b835f82e lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*()
| * 4eb3afae45cd PM: sleep: Fix handling devices with direct_complete set on errors
| * 3155d5261b51 thermal: int340x: Add NULL check for adev
| * c5e1a3d67651 EDAC/ie31200: Fix the error path order of ie31200_init()
| * 1f64ad3034dc EDAC/ie31200: Fix the DIMM size mask for several SoCs
| * 537a5a3de19b EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
| * ed68a544b931 selinux: Chain up tool resolving errors in install_policy.sh
| * 24045932e7e0 PM: sleep: Adjust check before setting power.must_resume
| * 3914a222d673 x86/platform: Only allow CONFIG_EISA for 32-bit
| * 3047aba14253 x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct()
| * dc6e7db76a35 cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
| * 74e918950ba9 cpufreq: scpi: compare kHz instead of Hz
| * 990d17f5d35d x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
| * 471c89b7d4f5 watch_queue: fix pipe accounting mismatch
| * ece3fc1c1019 media: i2c: et8ek8: Don't strip remove function when driver is builtin
| * 03c4c633a022 serial: 8250_dma: terminate correct DMA in tx_dma_flush()
| * 31f0eaed6914 memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
| * df594b4bf294 net: usb: usbnet: restore usb%d name exception for local mac addresses
| * f9f2b4139ac5 net: usb: qmi_wwan: add Telit Cinterion FE990B composition
| * 7a8e62c90f27 net: usb: qmi_wwan: add Telit Cinterion FN990B composition
| * 7802030f86e4 tty: serial: 8250: Add Brainboxes XC devices
| * 463e16de8ab4 tty: serial: 8250: Add some more device IDs
| * 1e82f28f2958 counter: microchip-tcb-capture: Fix undefined counter channel state on probe
| * 889c71c613c0 counter: stm32-lptimer-cnt: fix error handling when enabling
| * ce37a881271a ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx
| * 1ca2169cc19d netfilter: socket: Lookup orig tuple for IPv6 SNAT
| * 523b9c2ed5dc ARM: Remove address checking for MMUless devices
| * 7da1f403ad80 ARM: 9351/1: fault: Add "cut here" line for prefetch aborts
| * db8e5866d1aa ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()
| * d7f1e4a53a51 atm: Fix NULL pointer dereference
| * 2498a3a95c80 HID: hid-plantronics: Add mic mute mapping and generalize quirks
| * 6e8093be53ed ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names
| * fdb2cd8957ac bpf, sockmap: Fix race between element replace and close()
| * 22b49d6e4f39 Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
| * f50efd386116 arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S
| * 590327b49706 mptcp: Fix data stream corruption in the address announcement
| * 037e753561ec drm/amdgpu: Fix JPEG video caps max size for navi1x and raven
| * 9b2da9c673a0 drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
| * daba84612236 soc: qcom: pdr: Fix the potential deadlock
| * a35b68e55089 batman-adv: Ignore own maximum aggregation size during RX
| * 4a7d4f01f440 ARM: shmobile: smp: Enforce shmobile_smp_* alignment
| * 4b0b8445b6fd proc: fix UAF in proc_get_inode()
| * 4667e64b3916 mmc: atmel-mci: Add missing clk_disable_unprepare()
| * 8e500180904a regulator: check that dummy regulator has been probed before using it
| * f45a322c9994 drm/v3d: Don't run jobs that have errors flagged in its fence
| * 0ffefd3117fb i2c: omap: fix IRQ storms
| * 4d9c2a0d8a27 Revert "gre: Fix IPv6 link-local address generation."
| * fc0f223ea342 net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES
| * 82d9084a9789 net: atm: fix use after free in lec_send()
| * d2ae4cc39c1a ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create().
| * 596a883c4ce2 ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
| * 76304cba8cba Bluetooth: Fix error code in chan_alloc_skb_cb()
| * 33a839830dcc RDMA/hns: Fix wrong value of max_sge_rd
| * 1d9e126a5db7 RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common()
| * bd3774c05c8f RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db()
| * efe544462fc0 RDMA/hns: Fix soft lockup during bt pages loop
| * e6f5739f13f0 RDMA/hns: Remove redundant 'phy_addr' in hns_roce_hem_list_find_mtt()
| * 48dc65b3dd0c RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path
| * 0eb62974d6fa ARM: dts: bcm2711: Don't mark timer regs unconfigured
| * 4296c2f111d6 RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx
| * 5608b9b07a39 ARM: dts: bcm2711: PL011 UARTs are actually r1p5
| * 7a64c8ebf73e xfrm_output: Force software GSO only in tunnel mode
| * 7631e903a1d0 firmware: imx-scu: fix OF node leak in .probe()
| * a140224bcf87 smb: client: fix potential UAF in cifs_debug_files_proc_show()
| * 9b7cabd24812 smb: client: Fix match_session bug preventing session reuse
| * f435192e00bc drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params
| * 53ce3ffe7b09 drm/amd/display: Check for invalid input params when building scaling params
| * b4d89d5cb794 i2c: sis630: Fix an error handling path in sis630_probe()
| * 449aaab1338b i2c: ali15x3: Fix an error handling path in ali15x3_probe()
| * 35092c242e10 i2c: ali1535: Fix an error handling path in ali1535_probe()
| * 513f6cf2e906 cifs: Fix integer overflow while processing closetimeo mount option
| * ea8e5dd4e4cd cifs: Fix integer overflow while processing actimeo mount option
| * 0c26edf477e0 cifs: Fix integer overflow while processing acdirmax mount option
| * a13351624a6a cifs: Fix integer overflow while processing acregmax mount option
| * 2fc361f0d32c ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()
| * b14482befdb6 drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()
| * c402f184a053 ASoC: ops: Consistently treat platform_max as control value
| * 5defdaddd53a tcp: fix races in tcp_abort()
| * 105c66116a8b lib/buildid: Handle memfd_secret() files in build_id_parse()
| * 68ae5ef2dc98 qlcnic: fix memory leak issues in qlcnic_sriov_common.c
| * 1397715b011b drm/amd/display: Fix slab-use-after-free on hdcp_work
| * 0c0016712e5d drm/amd/display: Assign normalized_pix_clk when color depth = 14
| * 9e8637d974f7 drm/amd/display: Restore correct backlight brightness after a GPU reset
| * 70b8c6f7b061 drm/atomic: Filter out redundant DPMS calls
| * 18b5d857c649 x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
| * 479258418366 USB: serial: option: match on interface class for Telit FN990B
| * 8d57aa9f5207 USB: serial: option: fix Telit Cinterion FE990A name
| * 9ce2056eaada USB: serial: option: add Telit Cinterion FE990B compositions
| * cdc013ff804b USB: serial: ftdi_sio: add support for Altera USB Blaster 3
| * a755c6d1dfe7 block: fix 'kmem_cache of name 'bio-108' already exists'
| * e51d136d3369 drm/nouveau: Do not override forced connector status
| * d42130a5a228 mptcp: safety check before fallback
| * 4d63301ae35c x86/irq: Define trace events conditionally
| * c21d1fa13902 fuse: don't truncate cached, mutated symlink
| * 0cae84544670 ASoC: tas2764: Set the SDOUT polarity correctly
| * 631bc990daea ASoC: tas2764: Fix power control mask
| * 2a0177da8a81 ASoC: tas2770: Fix volume scale
| * fb97ca69cc21 nvme: only allow entering LIVE from CONNECTING state
| * f7580f081edd sctp: Fix undefined behavior in left shift operation
| * f25a991ea177 nvmet-rdma: recheck queue state is LIVE in state lock in recv done
| * 75308c6bb93e net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors
| * eed857c0d173 ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module
| * e1b6ee40153b ASoC: arizona/madera: use fsleep() in up/down DAPM event delays.
| * 92d029655812 ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime()
| * 5664d28540ae thermal/cpufreq_cooling: Remove structure member documentation
| * 9f5921f38f46 s390/cio: Fix CHPID "configure" attribute caching
| * 64577690e49c sched: Clarify wake_up_q()'s write to task->wake_q.next
| * 007a849126ef HID: ignore non-functional sensor in HP 5MP Camera
| * 6e0397d0a4ec HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell
| * 3ad860fd4be1 vboxsf: fix building with GCC 15
| * 01f5839123d6 alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support
| * e8ed82ff391b ACPI: resource: IRQ override for Eluktronics MECH-17
| * c737e2a5fb7f scsi: qla1280: Fix kernel oops when debug level > 2
| * 67aad09faab8 scsi: core: Use GFP_NOIO to avoid circular locking dependency
| * b388e185bfad iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
| * 4a2ea3dd4eb9 powercap: call put_device() on an error path in powercap_register_control_type()
| * 54595d6e8b6f hrtimers: Mark is_migration_base() with __always_inline
| * c26d65527f31 nvme-fc: go straight to connecting state when initializing
| * e4cb0dd364af net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices
| * f90c4d657248 net/mlx5: Bridge, fix the crash caused by LAG state check
| * 057dbc5b72e9 net: openvswitch: remove misbehaving actions length check
| * 23721bbf1481 openvswitch: Use kmalloc_size_roundup() to match ksize() usage
| * b6be0f687841 slab: Introduce kmalloc_size_roundup()
| * 4207e812e49f slab: clean up function prototypes
| * cb4407c921e1 gre: Fix IPv6 link-local address generation.
| * 46ea2a7a8c27 netfilter: nft_exthdr: fix offset with ipv4_find_option()
| * 003d92c91cdb net_sched: Prevent creation of classes with TC_H_ROOT
| * 65b0a61ca237 ipvs: prevent integer overflow in do_ip_vs_get_ctl()
| * e8544a5a97be netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
| * 29c419c64e9b net/mlx5: handle errors in mlx5_chains_create_table()
| * 77d9b2d60b57 Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()
| * b018706f5fdb netpoll: hold rcu read lock in __netpoll_send_skb()
| * 7274119e8128 net: dsa: mv88e6xxx: Verify after ATU Load ops
| * e6902101f34f ice: fix memory leak in aRFS after reset
| * 595e855a0f38 netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template.
| * 10e33014552c pinctrl: bcm281xx: Fix incorrect regmap max_registers value
| * 179cf97ee278 fbdev: hyperv_fb: iounmap() the correct memory when removing a device
| * 70549c80fe80 ipv6: Fix signed integer overflow in __ip6_append_data
| * 21c0225b66b8 sched/isolation: Prevent boot crash when the boot CPU is nohz_full
| * cfd5ee5a6684 clockevents/drivers/i8253: Fix stop sequence for timer 0
| * f5dc10b910bd vlan: fix memory leak in vlan_newlink()
* | 34dddb469b06 Merge 5.15.179 into android14-5.15-lts
|\|
| * 0c935c049b5c Linux 5.15.179
| * bf500b0d0cfe net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels
| * 02e43735932d kbuild: userprogs: use correct lld when linking through clang
| * bb0245fa72b7 sched: sch_cake: add bounds checks to host bulk flow fairness counts
| * bab61f41c942 vsock: Orphan socket after transport release
| * e48fcb403c2d vsock: Keep the binding until socket destruction
| * 857428f4acc1 bpf, vsock: Invoke proto::close on close()
| * 117f7a2975ba media: uvcvideo: Remove dangling pointers
| * 0fdd7cc59338 media: uvcvideo: Fix crash during unbind if gpio unit is in use
| * 607dc724b162 nilfs2: handle errors that nilfs_prepare_chunk() may return
| * e5606b783307 nilfs2: eliminate staggered calls to kunmap in nilfs_rename
| * 1fa500f494f1 nilfs2: move page release outside of nilfs_delete_entry and nilfs_set_link
| * 1cd7fd082c78 spi-mxs: Fix chipselect glitch
| * cd0938805875 mtd: rawnand: cadence: fix unchecked dereference
| * 3e9899c12d5a md: select BLOCK_LEGACY_AUTOLOAD
| * 1a7c8039d2ee media: uvcvideo: Avoid returning invalid controls
| * 69b06b05ff94 media: uvcvideo: Avoid invalid memory access
| * 4e15cf870d2c drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl
| * ade9362dec18 eeprom: digsy_mtc: Make GPIO lookup table match the device
| * 7746f3bb8917 bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock
| * 09d34c4cbc38 slimbus: messaging: Free transaction ID in delayed interrupt scenario
| * 1437d13ca83e intel_th: pci: Add Panther Lake-P/U support
| * cebbd798ff25 intel_th: pci: Add Panther Lake-H support
| * 8875af55b825 intel_th: pci: Add Arrow Lake support
| * e1651332291e mei: me: add panther lake P DID
| * cf46f88b92cf Squashfs: check the inode number is not the invalid value of zero
| * ac9a7d4c9007 usb: xhci: Enable the TRB overfetch quirk on VIA VL805
| * 41eae5d6e308 xhci: pci: Fix indentation in the PCI device ID definitions
| * c3a772540220 usb: gadget: Check bmAttributes only if configuration is valid
| * 7e6b36d92dce usb: gadget: Fix setting self-powered state on suspend
| * 2b229d7b8a59 usb: gadget: Set self-powered based on MaxPower and bmAttributes
| * a0dc4a3bdede usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality
| * 3d8b87be73e9 usb: typec: ucsi: increase timeout for PPM reset operations
| * 00ac1ea9c0cd usb: dwc3: gadget: Prevent irq storm when TH re-executes
| * 78669d6f45a5 usb: dwc3: Set SUSPENDENABLE soon after phy init
| * bf4409f84023 usb: atm: cxacru: fix a flaw in existing endpoint checks
| * 3248c1f833f9 usb: renesas_usbhs: Flush the notify_hotplug_work
| * a1ad97347a45 usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader
| * 894b4c75eadf usb: hub: lack of clearing xHC resources
| * ec4b6f492ea1 usb: renesas_usbhs: Use devm_usb_get_phy()
| * 50b9010da101 usb: renesas_usbhs: Call clk_put()
| * 30e37db26120 Revert "drivers/card_reader/rtsx_usb: Restore interrupt based detection"
| * 329393a0325b gpio: rcar: Fix missing of_node_put() call
| * f185b6d0aeea net: ipv6: fix missing dst ref drop in ila lwtunnel
| * 82043c99801e net: ipv6: fix dst ref loop in ila lwtunnel
| * 5cb300dcdd27 sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
| * 49bf31477184 net-timestamp: support TCP GSO case for a few missing flags
| * 413e908f13ce exfat: fix soft lockup in exfat_clear_bitmap
| * 6d099f3f7b27 x86/sgx: Fix size overflows in sgx_encl_create()
| * a2d112a3b408 x86/sgx: Support VA page allocation without reclaiming
| * 51e5bc6d39d1 x86/sgx: Export sgx_encl_{grow,shrink}()
| * 48fa260f15b6 x86/sgx: Move PTE zap code to new sgx_zap_enclave_ptes()
| * 110a40c51415 x86/sgx: Support loading enclave page without VMA permissions check
| * 0fb7aa04c19e vlan: enforce underlying device type
| * 4e2191b0fd0c ppp: Fix KMSAN uninit-value warning with bpf
| * b7d8d4529984 net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error
| * 671aaa17bd31 be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink
| * 3f9e7298053c drm/sched: Fix preprocessor guard
| * e9813e0887fe hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe()
| * 9b6f083db141 llc: do not use skb_get() before dev_queue_xmit()
| * e2eebbb52d15 ALSA: usx2y: validate nrpacks module parameter on probe
| * afa9cd90e765 hwmon: (ad7314) Validate leading zero bits and return error
| * 996340f3db89 hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table
| * 13de3056e38c hwmon: (pmbus) Initialise page count in pmbus_identify()
| * 8e4e08ca4cc6 caif_virtio: fix wrong pointer check in cfv_probe()
| * 455217ac9db0 net: gso: fix ownership in __udp_gso_segment
| * 17451b795002 nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch
* | 5c6a566ac577 Merge 01b18a330cda ("HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()") into android14-5.15-lts
|\|
| * 01b18a330cda HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
| * 4283afde4f8d HID: google: fix unused variable warning under !CONFIG_ACPI
| * 47616b82f2d4 wifi: iwlwifi: limit printed string from FW file
| * b4739de37538 mm: don't skip arch_sync_kernel_mappings() in error paths
| * 955c5a1ddd6e mm/page_alloc: fix uninitialized variable
| * 51e0101ab9e9 block: fix conversion of GPT partition name to 7-bit
| * 03f075d56063 s390/traps: Fix test_monitor_call() inline assembly
| * cdd9f58f7fe4 rapidio: fix an API misues when rio_add_net() fails
| * 181d4daaefb3 rapidio: add check for rio_add_net() in rio_scan_alloc_net()
| * cd1bdcb77fdc wifi: nl80211: reject cooked mode if it is set along with other flags
| * 6a5e3b23054c wifi: cfg80211: regulatory: improve invalid hints checking
| * d8786dfa9f45 x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63
| * 61104ea20840 x86/cpu: Validate CPUID leaf 0x2 EDX output
| * dafc649de271 x86/cacheinfo: Validate CPUID leaf 0x2 EDX output
| * 421c91ba9099 platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e
| * 63c2c523f5ca drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M
| * ffcc3f070263 ALSA: hda/realtek: update ALC222 depop optimize
| * 6ea0f0a47640 ALSA: hda: intel: Add Dell ALC3271 to power_save denylist
| * 807789018186 gpio: aggregator: protect driver attr handlers against module unload
| * 7c1f36f9c9ac gpio: rcar: Use raw_spinlock to protect register access
| * b1d95d733cd6 HID: appleir: Fix potential NULL dereference at raw event handle
| * a3325fdbee9b Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'"
| * 6486abfcf891 drm/amdgpu: disable BAR resize on Dell G5 SE
| * 4be891399cdc drm/amdgpu: Check extended configuration space register when system uses large bar
| * f618aeb6cad2 smb: client: Add check for next_buffer in receive_encrypted_standard()
| * a56a6e8589a9 pfifo_tail_enqueue: Drop new packet when sch->limit == 0
| * e38f9d761b34 intel_idle: Handle older CPUs, which stop the TSC in deeper C states, correctly
| * 288fdb8dcb71 sched/core: Prevent rescheduling when interrupts are disabled
| * 3d67976d304e vmlinux.lds: Ensure that const vars with relocations are mapped R/O
| * 7cca31035c05 mptcp: always handle address removal under msk socket lock
| * b66eb3f54ac3 phy: exynos5-usbdrd: fix MPLL_MULTIPLIER and SSC_REFCLKSEL masks in refclk
| * f07c325f54c4 phy: tegra: xusb: reset VBUS & ID OVERRIDE
| * d20b23a5412c net: enetc: correct the xdp_tx statistics
| * ccce797d9052 net: enetc: update UDP checksum when updating originTimestamp field
| * b68d88b79975 net: enetc: fix the off-by-one issue in enetc_map_tx_buffs()
| * 9bcb8cbc3e5d usbnet: gl620a: fix endpoint checking in genelink_bind()
| * e3aea1dba97d i2c: npcm: disable interrupt enable bit before devm_request_irq
| * c327a355a4ff drm/amd/display: Fix HPD after gpu reset
| * 922e18d67bc0 perf/core: Fix low freq setting via IOC_PERIOD
| * fca3b89abc92 ALSA: usb-audio: Re-add sample rate quirk for Pioneer DJM-900NXS2
| * 3d738b53ed6c ftrace: Avoid potential division by zero in function_stat_show()
| * 7163da88c07b x86/CPU: Fix warm boot hang regression on AMD SC1100 SoC systems
| * 2daabaa55c7c net: ipv6: fix dst ref loop on input in rpl lwt
| * c0b11dc50590 net: ipv6: rpl_iptunnel: mitigate 2-realloc issue
| * dbd4f89a4a58 net: ipv6: fix dst ref loop on input in seg6 lwt
* | c29cf44a0aa0 ANDROID: GKI: fix build in scsi_lib.c
* | def997cf2675 Merge 634710a372ba ("net: ipv6: seg6_iptunnel: mitigate 2-realloc issue") into android14-5.15-lts
|\|
| * 634710a372ba net: ipv6: seg6_iptunnel: mitigate 2-realloc issue
| * 8513e56e31fc include: net: add static inline dst_dev_overhead() to dst.h
| * 3e97606c954f seg6: add support for SRv6 H.L2Encaps.Red behavior
| * 86df97f030be seg6: add support for SRv6 H.Encaps.Red behavior
| * bf5801cc24cc net/mlx5: IRQ, Fix null string in debug print
| * b8e0dd7ff319 net: mvpp2: cls: Fixed Non IP flow, with vlan tag flow defination.
| * 0e70cec1839f tcp: Defer ts_recent changes until req is owned
| * a3c25f8374c2 ipvs: Always clear ipvs_property flag in skb_scrub_packet()
| * eba344580acb ASoC: es8328: fix route from DAC to output
| * 39a26120ad99 net: cadence: macb: Synchronize stats calculations
| * 718725496191 net: loopback: Avoid sending IP packets without an Ethernet header
| * 806fcc99e4c0 afs: Fix the server_list to unuse a displaced server rather than putting it
| * 9055fb0bb4f4 afs: Make it possible to find the volumes that are using a server
| * ba335b157a6a afs: remove variable nr_servers
| * 1154e50e53e4 Bluetooth: L2CAP: Fix L2CAP_ECRED_CONN_RSP response
| * a340768d7311 ALSA: usb-audio: Avoid dropping MIDI events at closing multiple ports
| * a8f4ceb21f65 sunrpc: suppress warnings for unused procfs functions
| * f36cf97e4978 RDMA/mlx5: Fix bind QP error cleanup flow
| * 66fee638e4dd scsi: core: Clear driver private data when retrying request
| * 668ef6c54ca7 scsi: core: Don't memset() the entire scsi_cmnd in scsi_init_command()
| * 4b49d939b5a7 ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
| * 802d342bf8bc ovl: pass ofs to creation operations
| * be2343e08165 ovl: use wrappers to all vfs_*xattr() calls
| * 1cd7f84c88ae IB/mlx5: Set and get correct qp_num for a DCT QP
| * 9a7fc5641c6f x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit
| * b0c7cda8d636 mtd: rawnand: cadence: fix incorrect device in dma_unmap_single
| * 099a31651850 mtd: rawnand: cadence: use dma_map_resource for sdma address
| * 0301f9b44877 mtd: rawnand: cadence: fix error code in cadence_nand_init()
| * 29853440da38 acct: block access to kernel internal filesystems
| * 5d5b936cfa4b acct: perform last write from workqueue
| * d97d560f7d36 ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED
| * 924b239f9704 nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()
| * 872c7c7e57a7 drop_monitor: fix incorrect initialization order
| * c0a9a9481591 tee: optee: Fix supplicant wait loop
| * a3feeb1b4cb2 bpf: skip non exist keys in generic_map_lookup_batch
| * 3bb2204ec30f nvme/ioctl: add missing space in err message
| * 9f3891867e8e power: supply: da9150-fg: fix potential overflow
| * ef305447885e arp: switch to dev_getbyhwaddr() in arp_req_set_public()
| * e860d5103591 net: Add non-RCU dev_getbyhwaddr() helper
| * 2af45b1f2962 flow_dissector: Fix port range key handling in BPF conversion
| * fbb727e4934a flow_dissector: Fix handling of mixed port and port-range keys
| * 65196ee66ec2 net: extract port range fields from fl_flow_key
| * a94e59db1d89 geneve: Suppress list corruption splat in geneve_destroy_tunnels().
| * cb15bb1bde0b gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().
| * f74f65601467 geneve: Fix use-after-free in geneve_find_dev().
* | defdae7722cc Revert "pps: Fix a use-after-free" * | 89ebfe271bf6 Merge 6847b3e40bb9 ("powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC") into android14-5.15-lts |\| | * 6847b3e40bb9 powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC | * 718d0480ca3a ALSA: hda/realtek: Fixup ALC225 depop procedure | * 71f427413d2d powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline | * 61a45806db46 powerpc/64s/mm: Move __real_pte stubs into hash-4k.h | * b09957657d77 USB: gadget: f_midi: f_midi_complete to call queue_work | * 006a4e9069a1 usb: dwc3: Fix timeout issue during controller enter/exit from halt state | * 47cc53c3ebe3 usb: dwc3: Increase DWC3 controller halt timeout | * 3c0e0aecb78c batman-adv: Drop unmanaged ELP metric worker | * 6ad063461332 batman-adv: Drop initialization of flexible ethtool_link_ksettings | * d775f9e9e663 media: uvcvideo: Only save async fh if success | * e0360e009904 media: uvcvideo: Refactor iterators | * 972f412da53b media: uvcvideo: Set error_idx during ctrl_commit errors | * c113bccf1f87 soc: mediatek: mtk-devapc: Fix leaking IO map on driver remove | * c3fa28e6cac8 soc/mediatek: mtk-devapc: Convert to platform remove callback returning void | * 4dd78251db13 soc: mediatek: mtk-devapc: Fix leaking IO map on error paths | * 10185d020c8f soc: mediatek: mtk-devapc: Switch to devm_clk_get_enabled() | * f03ad378249f kfence: skip __GFP_THISNODE allocations on NUMA systems | * 8e19db074ab3 kfence: enable check kfence canary on panic via boot param | * b7792fe79fbe kfence: allow use of a deferrable timer | * 0621d2599d6e tpm: Change to kvalloc() in eventlog/acpi.c | * 906ac470b16c tpm: Use managed allocation for bios event log | * 5e8bee0e4914 arm64: dts: mediatek: mt8183: Disable DSI display output by default | * 4a06ed6b962b ASoC: renesas: rz-ssi: Add a check for negative sample_space | * 8c4b9b0c3950 drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event() 
| * 5211d75e2cb7 drm/probe-helper: Create a HPD IRQ event helper for a single connector | * f3b9fb276459 ksmbd: fix integer overflows on 32 bit systems | * a9042dbc1ed4 memcg: fix soft lockup in the OOM process | * 4edae3ff6d4e mm: update mark_victim tracepoints fields | * a32ba399a030 media: imx-jpeg: Fix potential error pointer dereference in detach_pm() | * e290d1fe37f7 crypto: testmgr - some more fixes to RSA test vectors | * add54f963938 crypto: testmgr - populate RSA CRT parameters in RSA test vectors | * 40689219a28b crypto: testmgr - fix version number of RSA tests | * bd258be9a8be crypto: testmgr - Fix wrong test case of RSA | * 8fbf27a746c3 crypto: testmgr - fix wrong key length for pkcs1pad | * 4969dcc05bc3 arm64: mte: Do not allow PROT_MTE on MAP_HUGETLB user mappings | * c4041b6b0a7a pps: Fix a use-after-free | * 26f2fdc47fea btrfs: avoid monopolizing a core when activating a swap file | * dc550af962b7 Revert "btrfs: avoid monopolizing a core when activating a swap file" | * caae54426402 x86/i8253: Disable PIT timer 0 when not in use | * 3aa5254d8096 f2fs: fix to wait dio completion | * 234549fb3db3 ARM: dts: dra7: Add bus_dma_limit for l4 cfg bus | * c97306464928 selftests: rtnetlink: update netdevsim ipsec output format | * 28435f5d9d08 netdevsim: print human readable IP address | * 810109436b28 parport_pc: add support for ASIX AX99100 | * 79cf08014ef3 serial: 8250_pci: add support for ASIX AX99100 * | 703fbc6d3080 Revert "cgroup: fix race between fork and cgroup.kill" * | 92c01285ddc5 Revert "Namespaceify min_pmtu sysctl" * | d444bbf290bf Revert "Namespaceify mtu_expires sysctl" * | 694b49de0c39 Revert "selftest: net: Test IPv4 PMTU exceptions with DSCP and ECN" * | b58c38c1cb6c Revert "net: ipv4: Cache pmtu for all packet paths if multipath enabled" * | e011cc010345 Revert "ipv4: use RCU protection in __ip_rt_update_pmtu()" * | f75cc9b727d1 Merge 1840fb92baf4 ("can: ems_pci: move ASIX AX99100 ids to pci_ids.h") into android14-5.15-lts |\| | * 
1840fb92baf4 can: ems_pci: move ASIX AX99100 ids to pci_ids.h | * d8ff250e085a nilfs2: protect access to buffers with no active references | * f51ff43c4c5a nilfs2: do not force clear folio if buffer is referenced | * 1bf43414ccff nilfs2: do not output warnings when clearing dirty buffers | * c6ddb3848599 alpha: replace hardcoded stack offsets with autogenerated ones | * 5fb8cda2fcea x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0 | * 9c0a3aab4b8d kdb: Do not assume write() callback available | * 22e19c8c5f6b drm/v3d: Stop active perfmon if it is being destroyed | * 37054243cf5d drm/tidss: Clear the interrupt status for interrupts being disabled | * 2b7db8abf84f drm/tidss: Fix issue in irq handling causing irq-flood issue | * 29fa42197f26 ipv6: mcast: add RCU protection to mld_newpack() | * e24d225e4cb8 ndisc: extend RCU protection in ndisc_send_skb() | * a884f57600e4 openvswitch: use RCU protection in ovs_vport_cmd_fill_info() | * d9366ac2f956 arp: use RCU protection in arp_xmit() | * 40d8f2f2a373 neighbour: use RCU protection in __neigh_notify() | * 44e359552378 neighbour: delete redundant judgment statements | * b870256dd2a5 ndisc: use RCU protection in ndisc_alloc_skb() | * 28de355b63ad ipv6: use RCU protection in ip6_default_advmss() | * ce3c6165fce0 ipv4: use RCU protection in __ip_rt_update_pmtu() | * fc07a232326a net: ipv4: Cache pmtu for all packet paths if multipath enabled | * a7246d3949c2 selftest: net: Test IPv4 PMTU exceptions with DSCP and ECN | * 7385291def47 Namespaceify mtu_expires sysctl | * 686792179f20 Namespaceify min_pmtu sysctl | * 4561343d2b6c ipv4: use RCU protection in inet_select_addr() | * 50d356db0542 ipv4: use RCU protection in rt_is_expired() | * 6e0d21491686 net: add dev_net_rcu() helper | * c22b8d77816e net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu() | * 0e5ea98edc3b ipv4: add RCU protection to ip4_dst_hoplimit() | * 60f54f0d4ea5 clocksource: Use migrate_disable() to avoid 
calling get_random_u32() in atomic context | * a02540d4401f clocksource: Use pr_info() for "Checking clocksource synchronization" message | * 4ae5e361537d clocksource: Replace cpumask_weight() with cpumask_empty() | * acfebfb2abf3 btrfs: fix hole expansion when writing at an offset beyond EOF | * e4291f26c501 mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw() | * 9abfb2c8693d arm64: Handle .ARM.attributes section in linker scripts | * 78be8f779b20 regmap-irq: Add missing kfree() | * 40a35d14f3c0 partitions: mac: fix handling of bogus partition table | * 4647cb4e0013 gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock | * ede3fa7b0cb6 alpha: align stack for page fault and user unaligned trap handlers | * bf3f395b9c37 serial: 8250: Fix fifo underflow on flush | * 19f3e16bc9f7 cgroup: fix race between fork and cgroup.kill | * 4d832459170d efi: Avoid cold plugged memory for placing the kernel | * b737d6439113 alpha: make stack 16-byte aligned (most cases) | * f1767d255807 can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero | * f7a43d1563ac can: c_can: fix unbalanced runtime PM disable in error path | * 9fccb6b65510 USB: serial: option: drop MeiG Smart defines * | 382f86c1aec2 Revert "usb: roles: set switch registered flag early on" * | ab556cfd243f Merge 412458d7e92b ("USB: serial: option: fix Telit Cinterion FN990A name") into android14-5.15-lts |\| | * 412458d7e92b USB: serial: option: fix Telit Cinterion FN990A name | * 60f0765d673b USB: serial: option: add Telit Cinterion FN990B compositions | * 95fcacb5b9a9 USB: serial: option: add MeiG Smart SLM828 | * 6878c61a3880 usb: cdc-acm: Fix handling of oversized fragments | * 871619c2b78f usb: cdc-acm: Check control transfer buffer size before access | * 9ee5bb1938f3 USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk | * d3a67adb365c USB: hub: Ignore non-compliant devices with too many configs or interfaces | * d8e86700c8a8 usb: gadget: 
f_midi: fix MIDI Streaming descriptor lengths | * aeda961736f3 USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone | * 6afdad04f6c1 USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist | * b605fd13b832 usb: core: fix pipe creation for get_bMaxPacketSize0 | * 1af4043ec5bc USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI | * ef5e915db375 usb: dwc2: gadget: remove of_node reference upon udc_stop | * 626ab15ddc4b usb: gadget: udc: renesas_usb3: Fix compiler warning | * 6a902573f2ca usb: roles: set switch registered flag early on * | 223b84ceae5a Revert "NFSD: fix hang in nfsd4_shutdown_callback" * | 1bd94dcfe373 Merge f4ca0cf536b1 ("perf/x86/intel: Ensure LBRs are disabled when a CPU is starting") into android14-5.15-lts |\| | * f4ca0cf536b1 perf/x86/intel: Ensure LBRs are disabled when a CPU is starting | * 45fa526b0f5a KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel | * 2e8f0f0e0097 batman-adv: Ignore neighbor throughput metrics in error case | * f0a16c6c7976 batman-adv: fix panic during interface removal | * 6b7d69806c42 ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V | * 8725882b0f69 orangefs: fix a oob in orangefs_debug_write | * 848b58151775 x86/mm/tlb: Only trim the mm_cpumask once a second | * cd8de1f521d5 Grab mm lock before grabbing pt lock | * 69b812149b8b vfio/pci: Enable iowrite64 and ioread64 for vfio pci | * 20b7d9675437 PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P | * 59a707ad952e media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread | * d485a8b22794 media: cxd2841er: fix 64-bit division on gcc-9 | * ba842a609ff8 x86/xen: allow larger contiguous memory regions in PV guests | * 5b750e76dfd5 xen: remove a confusing comment on auto-translated guest I/O | * d340047cf29b gpio: bcm-kona: Add missing newline to dev_err format string | * f66a5da15f14 gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ | * 54b0de7b6abe gpio: bcm-kona: Fix GPIO 
lock/unlock for banks above bank 0 | * 092dc83b9a3c drm/i915/selftests: avoid using uninitialized context | * 88a3e6afaf00 arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array | * f443687ad20c team: better TEAM_OPTION_TYPE_STRING validation | * 5bb4228c3226 vrf: use RCU protection in l3mdev_l3_out() | * 80f70686857e ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() | * 2052b44cd0a6 HID: multitouch: Add NULL check in mt_input_configured | * efa8a261c575 NFSD: fix hang in nfsd4_shutdown_callback | * 6f7cfee1a316 nfsd: clear acl_access/acl_default after releasing them | * e22a97700901 tty: xilinx_uartps: split sysrq handling | * 59cf03ddf127 mptcp: prevent excessive coalescing on receive | * 03b605ac1e5b ocfs2: check dir i_size in ocfs2_find_entry | * ad73b43e6908 memory: tegra20-emc: Correct memory device mask | * 12a1cf9db178 gpio: xilinx: remove excess kernel doc * | e2004dd1a721 Merge 9772e2e15482 ("net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling") into android14-5.15-lts |\| | * 9772e2e15482 net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling | * 3fec5d194fc9 MIPS: ftrace: Declare ftrace_get_parent_ra_addr() as static | * 1334c64a5d1d ptp: Ensure info->enable callback is always set | * 0eda6b12a108 net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset | * 83db3d545d39 net/ncsi: wait for the last response to Deselect Package before configuring channel | * 2ed6d46f8037 misc: fastrpc: Fix registered buffer page address | * 820603335006 mtd: onenand: Fix uninitialized retlen in do_otp_read() | * 10b3f947b609 NFC: nci: Add bounds checking in nci_hci_create_pipe() | * 8f41df5fd4c1 nilfs2: fix possible int overflows in nilfs_fiemap() | * 8aee4184c5b7 ocfs2: handle a symlink read error correctly | * 5a1c86066f1b ocfs2: fix incorrect CPU endianness conversion causing mount failure | * c00e53672d7d pnfs/flexfiles: retry getting layout segment for reads | * f65ce06387f8 vfio/platform: check the 
bounds of read/write syscalls | * 66325de71801 nvmem: core: improve range check for nvmem_cell_write() | * c897de3d1f4d nvmem: qcom-spmi-sdam: Set size in struct nvmem_config | * f52f00efd8c0 crypto: qce - unregister previously registered algos in error path | * efae52c61150 crypto: qce - fix goto jump in error path | * 14810fb99091 media: uvcvideo: Remove redundant NULL assignment | * 74512c021525 media: uvcvideo: Fix event flags in uvc_ctrl_send_events | * 1662c5812b84 media: ccs: Fix cleanup order in ccs_probe() | * 66a2c461703e media: ccs: Fix CCS static data parsing for large block sizes | * d6fae50f5eb7 media: ov5640: fix get_light_freq on auto | * 9a6c627f3fe4 media: mc: fix endpoint iteration | * 9e6cd5f99496 soc: qcom: smem_state: fix missing of_node_put in error path | * 1880c45ebe14 iio: light: as73211: fix channel handling in only-color triggered buffer | * 22d1dcd0b053 media: ccs: Clean up parsed CCS static data on parse failure | * 6bdbb75ffc6c xfs: Add error handling for xfs_reflink_cancel_cow_range | * 4e9af1ddbc98 crypto: qce - fix priority to be less than ARMv8 CE | * 231dfd6bb61e arm64: dts: qcom: sm8350: Fix MPSS memory length | * e7e06872144e x86/boot: Use '-std=gnu11' to fix build with GCC 15 | * 81a3a0c1a68f kbuild: Move -Wenum-enum-conversion to W=2 | * 2bce0a6a4433 scsi: storvsc: Set correct data length for sending SCSI command without payload | * 73d3d3c66f10 scsi: qla2xxx: Move FCE Trace buffer allocation to user control | * ad88fd9ee93a nvme-pci: Add TUXEDO IBP Gen9 to Samsung sleep quirk | * 662964484f8a nvme-pci: Add TUXEDO InfinityFlex to Samsung sleep quirk | * d88422ccb97f PCI: endpoint: Finish virtual EP removal in pci_epf_remove_vepf() | * abe03cd5d5b7 ALSA: hda/realtek: Enable headset mic on Positivo C6400 | * 94e418935e1d Revert "media: uvcvideo: Require entities to have a non-zero unique ID" | * d24476777e8b mips/math-emu: fix emulation of the prefx instruction | * 63b759c9680e dm-crypt: track tag_offset in convert_context | * 
84d6db1a7327 dm-crypt: don't update io->sector after kcryptd_crypt_write_io_submit() | * 453a0a22ceb8 powerpc/pseries/eeh: Fix get PE state translation | * a3d92e7af72a MIPS: Loongson64: remove ROM Size unit in boardinfo | * 48a6a4dfa5c8 serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use | * 6b7947990681 serial: sh-sci: Drop __initdata macro for port_cfg * | 6d39fe38156c Merge 2d09d3c9afa2 ("soc: qcom: socinfo: Avoid out of bounds read of serial number") into android14-5.15-lts |\| | * 2d09d3c9afa2 soc: qcom: socinfo: Avoid out of bounds read of serial number | * 5fa25ae6484b usb: gadget: f_tcm: Don't prepare BOT write request twice | * d5e48551866e usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint | * 45956a34f9a8 usb: gadget: f_tcm: Decrement command ref count on cleanup | * 93facdc47dc6 usb: gadget: f_tcm: Translate error to sense | * 61541d9b5a23 wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() | * 7f44aa9d3960 wifi: rtlwifi: rtl8821ae: Fix media status report | * e27d77db198a HID: hid-sensor-hub: don't use stale platform-data on remove | * c0a158e7634a of: reserved-memory: Fix using wrong number of cells to get property 'alignment' | * 4f7c0deea1b3 of: Fix of_find_node_opts_by_path() handling of alias+path+options | * 87141db6d148 of: Correct child specifier used as input of the 2nd nexus node | * a0d751d2d8ec perf bench: Fix undefined behavior in cmpworker() | * be042a185cc5 efi: libstub: Use '-std=gnu11' to fix build with GCC 15 | * 38287f779b34 blk-cgroup: Fix class @block_class's subsystem refcount leakage | * 44bd016cbaa3 clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate | * 4e2996526679 clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg | * 175af15551ed clk: qcom: gcc-sm6350: Add missing parent_map for two clocks | * 4d8d1f443a6c clk: qcom: clk-alpha-pll: fix alpha mode configuration | * 45d563356db6 clk: sunxi-ng: a100: enable MMC clock reparenting | * f26831839566 
Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection | * cf601a24120c Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc | * 250164081da0 drm/i915: Drop 64bpp YUV formats from ICL+ SDR planes | * 5098970ecc1d drm/komeda: Add check for komeda_get_layer_fourcc_list() | * e89f74ef6bee drm/amd/pm: Mark MM activity as unsupported | * 224fa21f00fc KVM: s390: vsie: fix some corner-cases when grabbing vsie pages | * 7c4899239d0f KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() | * b0e8b635a331 arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma | * bc8ca18b8ef4 binfmt_flat: Fix integer overflow bug on 32 bit systems | * 20ecbadad51a m68k: vga: Fix I/O defines | * 592ffb238132 s390/futex: Fix FUTEX_OP_ANDN implementation | * 61b4e072b7e8 drm/modeset: Handle tiled displays in pan_display_atomic. | * 4e2de62318b9 leds: lp8860: Write full EEPROM, not only half of it | * fc7da1095247 cpufreq: s3c64xx: Fix compilation warning | * 4defa9ebef14 tun: revert fix group permission check | * 98a2c685293a netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() | * d85d721f3225 x86/xen: add FRAME_END to xen_hypercall_hvm() | * aaa15fc4291b x86/xen: fix xen_hypercall_hvm() to not clobber %rbx | * d308661a0f4e net: rose: lock the socket in rose_bind() | * 5bb48702e946 net: atlantic: fix warning during hot unplug | * a6f3981d04d1 gpio: pca953x: Improve interrupt support | * 61e7e18fa64c udp: gso: do not drop small packets when PMTU reduces | * 540ffff7925b tg3: Disable tg3 PCIe AER on system reboot | * 712e6ed39e5c gpu: drm_dp_cec: fix broken CEC adapter properties check | * 256768b17e62 firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry | * 51df156e04e5 nvme: handle connectivity loss in nvme_set_queue_count * | e86162fd0d12 Merge cf30300a216a ("usb: xhci: Fix NULL pointer dereference on certain command aborts") into android14-5.15-lts |\| | * cf30300a216a usb: xhci: Fix NULL pointer dereference on certain command aborts * | 
9a52b107004a Revert "usb: xhci: Add timeout argument in address_device USB HCD callback" * | 74fcc27b2f09 Merge b27f10764d80 ("usb: xhci: Add timeout argument in address_device USB HCD callback") into android14-5.15 |\| | * b27f10764d80 usb: xhci: Add timeout argument in address_device USB HCD callback * | f423b207ebb9 Revert "sched/psi: Use task->psi_flags to clear in CPU migration" * | 8d695ff82c3b Revert "sched/fair: Fix value reported by hot tasks pulled in /proc/schedstat" * | 8c4d09d1cbcf Revert "usb: typec: tcpci: Prevent Sink disconnection before vPpsShutdown in SPR PPS" * | 009eb89df4af Merge d31d3dc92775 ("xfs: don't over-report free space or inodes in statvfs") into android14-5.15-lts |\| | * d31d3dc92775 xfs: don't over-report free space or inodes in statvfs | * bd015e2e7f26 xfs: report realtime block quota limits on realtime directories | * d25041d4a3b2 gpio: xilinx: Convert gpio_lock to raw spinlock | * 4489cce8e4e7 net/ncsi: fix locking in Get MAC Address handling | * 8930834d1525 net/ncsi: Add NC-SI 1.2 Get MC MAC Address command | * 3f46fefab962 usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe() | * 998b1fa6c218 usb: chipidea/ci_hdrc_imx: Convert to platform remove callback returning void | * 9794ea40979b usb: chipidea: ci_hdrc_imx: use dev_err_probe() | * af431197516a x86/mm: Don't disable PCID when INVLPG has been fixed by microcode | * c56ea30db33d platform/x86: acer-wmi: Ignore AC events | * 78a88a1690bc Input: allocate keycode for phone linking | * b191b2b3b5ad selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() | * f213bb330fc6 tipc: re-order conditions in tipc_crypto_key_rcv() | * c9b80829b001 mmc: sdhci-msm: Correctly set the load for the regulator | * 4dddb00d0397 net: wwan: iosm: Fix hibernation by re-binding the driver around it | * 5c60cdcff102 APEI: GHES: Have GHES honor the panic= setting | * 3fa04850ddac i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz | * 
0bae6625cabc wifi: iwlwifi: avoid memory leak | * 578845229c4e net/mlx5: use do_aux_work for PHC overflow checks | * 463f5f6402b9 HID: Wacom: Add PCI Wacom device support | * c16b96035c48 mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id | * b2bd5857a0d6 tomoyo: don't emit warning in tomoyo_write_control() | * d280a12e9b87 wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() | * bafaee99fc23 mmc: core: Respect quirk_max_rate for non-UHS SDIO card | * 9b560350aa7b tun: fix group permission check | * ecf6a4a55809 safesetid: check size of policy writes | * bb8ff054e19f printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX | * 99795e62e7a5 x86/amd_nb: Restrict init function to AMD-based systems | * 23434fcf90b9 lockdep: Fix upper limit for LOCKDEP_*_BITS configs | * 56135262c1f9 sched: Don't try to catch up excess steal time. | * 13dae4fa17be btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling | * 367b72fa18b0 btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() | * 7e954b6bb95d btrfs: fix use-after-free when attempting to join an aborted transaction | * 51bcf530c6dc btrfs: output the reason for open_ctree() failure | * bbb7f49839b5 usb: gadget: f_tcm: Don't free command immediately | * 3ba8884a56a3 media: uvcvideo: Fix double free in error path | * 3a7fda57b0f9 mptcp: consolidate suboption status | * 83a3a5aeb1b1 usb: typec: tcpci: Prevent Sink disconnection before vPpsShutdown in SPR PPS | * bb52bce4c91c usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE | * 16d5669ff07f usb: dwc3: core: Defer the probe until USB power supply ready | * 2cfbf53baeaf usb: gadget: f_tcm: Fix Get/SetInterface return value | * 3c1f8dfa01b3 drivers/card_reader/rtsx_usb: Restore interrupt based detection | * d42168f109f9 net: usb: rtl8150: enable basic endpoint checking | * 10eff770fd16 ALSA: usb-audio: Add delay quirk for iBasso DC07 Pro | * deec230cb835 ktest.pl: Check 
kernelrelease return in get_version | * 5083a7ae4500 netfilter: nf_tables: reject mismatching sum of field_len with set key length | * d712ca4807ce NFSD: Reset cb_seq_status after NFS4ERR_DELAY | * b0938ffd39ae f2fs: Introduce linear search for dentries | * 679bb865c881 hexagon: Fix unbalanced spinlock in die() | * 8e83dbe9ff32 hexagon: fix using plain integer as NULL pointer warning in cmpxchg | * 4bd72d9fe11d kconfig: fix memory leak in sym_warn_unmet_dep() | * 5f45a419bdd1 kconfig: WERROR unmet symbol dependency | * ccc1287a02ea kconfig: deduplicate code in conf_read_simple() | * 3e31777acf2d kconfig: remove unused code for S_DEF_AUTO in conf_read_simple() | * 131f1604fa6b kconfig: require a space after '#' for valid input | * 6bdf078908c3 kconfig: add warn-unknown-symbols sanity check | * 4780a614f013 kconfig: fix file name in warnings when loading KCONFIG_DEFCONFIG_LIST | * c48b8fc7f0a8 genksyms: fix memory leak when the same symbol is read from *.symref file | * bb28d02726ab genksyms: fix memory leak when the same symbol is added from source | * 13310513f549 net: hsr: fix fill_frame_info() regression vs VLAN packets | * df3398504b97 net: sh_eth: Fix missing rtnl lock in suspend/resume path | * 3ce32a9fb1d2 bgmac: reduce max frame size to support just MTU 1500 | * ab2df791b1d4 vsock: Allow retrying on connect() failure | * a48ebcd853a4 perf trace: Fix runtime error of index out of bounds | * 0dd6c67f6cfe ptp: Properly handle compat ioctls | * 7d7d201eb3b7 net: davicom: fix UAF in dm9000_drv_remove | * cfb17f637562 net: netdevsim: try to close UDP port harness races | * 1409b45d4690 net: rose: fix timer races against user threads | * c499bd77ca2a PM: hibernate: Add error handling for syscore_suspend() | * 547ef7e8cbb9 ipmr: do not call mr_mfc_uses_dev() for unres entries | * 6468f3a9842f net: fec: implement TSO descriptor cleanup | * 5934bfaeaffe gpio: mxc: remove dead code after switch to DT-only | * 8c640dd3d900 net: hns3: fix oops when unload drivers 
paralleling | * 1787cd67bb94 ubifs: skip dumping tnc tree when zroot is null | * e5536677da80 rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read | * 2943af7d72d7 dmaengine: ti: edma: fix OF node reference leaks in edma_driver | * c9cc70bca158 xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO | * 6be3ea508111 tools/bootconfig: Fix the wrong format specifier | * 26e5c3c8d780 NFSv4.2: mark OFFLOAD_CANCEL MOVEABLE | * edcaf4156ced NFSv4.2: fix COPY_NOTIFY xdr buf size calculation | * f6bae8cc42ab module: Extend the preempt disabled section in dereference_symbol_descriptor(). | * 2e2bb52b8e58 ocfs2: mark dquot as inactive if failed to start trans while releasing dquot | * fe761befd845 scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails | * 13186db840b9 scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1 | * 6987e021b64c PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() | * 68ee578e6e31 staging: media: imx: fix OF node leak in imx_media_add_of_subdevs() | * 6f3c167de057 mtd: hyperbus: hbmc-am654: fix an OF node reference leak | * 784a7f4a9efb mtd: hyperbus: hbmc-am654: Convert to platform remove callback returning void | * c1aea4faa984 mtd: hyperbus: Make hyperbus_unregister_device() return void | * 3b86841430a6 media: uvcvideo: Propagate buf->error to userspace | * 235ab2be3572 media: camif-core: Add check for clk_enable() | * cc0d04ae127d media: mipi-csis: Add check for clk_enable() | * 5bdd8b64153d media: i2c: ov9282: Correct the exposure offset | * 8ab5c3af1406 media: i2c: imx412: Add missing newline to prints | * 333f8f9b6667 media: marvell: Add check for clk_enable() | * a61cd3df84b3 PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy() | * 55c326068f6b media: lmedm04: Handle errors for lme2510_int_read | * 8bea20f4d630 media: rc: iguanair: handle timeouts | * 0486d65804cc efi: sysfb_efi: fix W=1 warnings when EFI is not set | * 8049a0845bfc of: reserved-memory: Do not make kmemleak ignore 
freed address | * ca36f0848eb8 memblock: drop memblock_free_early_nid() and memblock_free_early() | * d26e179d2cac xen/x86: free_p2m_page: use memblock_free_ptr() to free a virtual pointer | * 708ce479ff3c RDMA/mlx5: Fix indirect mkey ODP page count | * 95b4474c93a0 RDMA/mlx5: Enforce umem boundaries for explicit ODP page faults | * fe090e183d26 RDMA/mlx5: Remove iova from struct mlx5_core_mkey | * b9c5f50926e3 fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device() | * 96cd8661f225 ARM: dts: mediatek: mt7623: fix IR nodename | * 311afb2be167 arm64: dts: qcom: sdm845: Fix interrupt types of camss interrupts | * eb3e76baaf1b arm64: dts: qcom: sm8150-microsoft-surface-duo: fix typos in da7280 properties | * 312e11fc5060 arm64: dts: qcom: sm8350: correct sleep clock frequency | * 8fbb052b3bd3 arm64: dts: qcom: sm8250: correct sleep clock frequency | * c990f5e0b2cb arm64: dts: qcom: sm6125: correct sleep clock frequency | * 88c84e743d4c arm64: dts: qcom: sc7280: correct sleep clock frequency | * afc66a233ad9 arm64: dts: qcom: msm8994: correct sleep clock frequency | * 9cc46ab94b61 arm64: dts: qcom: msm8916: correct sleep clock frequency | * 09153a482e90 arm64: dts: qcom: msm8994: Describe USB interrupts | * 31952ff5833c arm64: dts: qcom: msm8996: Fix up USB3 interrupts | * ea7232a05e10 arm64: dts: mediatek: mt8183-kukui-jacuzzi: Drop pp3300_panel voltage settings | * c3def10c610a memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code() | * d9f36f957bb2 memory: tegra20-emc: Support matching timings by LPDDR2 configuration | * 0f3c0d94c815 memory: Add LPDDR2-info helpers | * 4274acb5b996 arm64: dts: mediatek: mt8183: willow: Support second source touchscreen | * cba8c5daa9d8 arm64: dts: mediatek: mt8183: kenzo: Support second source touchscreen | * d098183961e0 arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names | * b9a5544dbad5 arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names | * 032c92e01aaa 
arm64: dts: mediatek: mt8173-elm: Drop regulator-compatible property | * 2a28a21a925f arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property | * e53ca458f543 rdma/cxgb4: Prevent potential integer overflow on 32bit | * 160450e4908b RDMA/mlx4: Avoid false error about access to uninitialized gids array | * f92f10cdb7fa arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A | * 52a976a83dda arm64: dts: mediatek: mt8516: add i2c clock-div property | * 6047c27de667 arm64: dts: mediatek: mt8516: remove 2 invalid i2c clocks | * bcc6c817e2ad arm64: dts: mediatek: mt8516: fix wdt irq type | * 3ad0e4e15581 arm64: dts: mediatek: mt8516: fix GICv2 range | * 9792f0c9880a arm64: dts: mt8183: set DMIC one-wire mode on Damu | * abbb15f54a35 ARM: at91: pm: change BU Power Switch to automatic mode | * 4c6209efea22 padata: avoid UAF for reorder_work | * 035ed9577b48 padata: add pd get/put refcnt helper | * f3e0b9f790f8 padata: fix UAF in padata_reorder | * e306eaaa3d78 bpf: Send signals asynchronously if !preemptible | * d6becd34dc65 perf report: Fix misleading help message about --demangle | * 54b587874a7c perf top: Don't complain about lack of vmlinux when not resolving some kernel samples | * ca0b62b2dc9a padata: fix sysfs store callback check | * b467ed29b586 crypto: ixp4xx - fix OF node reference leaks in init_ixp_crypto() | * 778a73f8d38d crypto: hisilicon/sec2 - fix for aead invalid authsize | * 37e032978e55 crypto: hisilicon/sec2 - fix for aead icv error | * 017b2680816b crypto: hisilicon/sec2 - optimize the error return process | * 8f268c476c83 crypto: hisilicon/sec - delete redundant blank lines | * 0db426905cb4 crypto: hisilicon/sec - add some comments for soft fallback | * 4086792b8883 ktest.pl: Remove unused declarations in run_bisect_test function | * 4c45f82e101a ASoC: renesas: rz-ssi: Use only the proper amount of dividers | * 49c5d851a2bf perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info() | * ac026a0ba486 perf header:
Fix one memory leakage in process_bpf_prog_info()
| * 11491bb26fd9 perf header: Fix one memory leakage in process_bpf_btf()
| * d79fc69eda73 ASoC: sun4i-spdif: Add clock multiplier settings
| * 6a5d02ae6ff8 libbpf: Fix segfault due to libelf functions not setting errno
| * 3c99e59404f3 tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind
| * b8583b54455c net/rose: prevent integer overflows in rose_setsockopt()
| * 3cfabbb18810 tcp_cubic: fix incorrect HyStart round start detection
| * ed8c0300f302 net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()
| * 920f736e6c64 netfilter: nft_flow_offload: update tcp state flags under lock
| * 38646749d6e1 net: sched: Disallow replacing of child qdisc from one parent to another
| * 26bc6076798a net: avoid race between device unregistration and ethnl ops
| * f023bf675814 net/mlxfw: Drop hard coded max FW flash image size
| * 0e2f1d93d287 net: let net.core.dev_weight always be non-zero
| * 0cc8fc34df84 selftests/landlock: Fix error message
| * 78eadb30f5ce clk: analogbits: Fix incorrect calculation of vco rate delta
| * 7d07de96990e wifi: cfg80211: adjust allocation of colocated AP data
| * 7427e4afbd16 wifi: cfg80211: Handle specific BSSID in 6GHz scanning
| * 23b54d193a90 selftests: harness: fix printing of mismatch values in __EXPECT()
| * 28063f72460d cpufreq: ACPI: Fix max-frequency computation
| * 965e41a93fce wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO
| * a1fccf6b72b5 landlock: Handle weird files
| * b32a42383c26 landlock: Move filesystem helpers and add a new one
| * ba079f94cb0a net/smc: fix data error when recvmsg with MSG_PEEK flag
| * 9394c1163c20 wifi: wlcore: fix unbalanced pm_runtime calls
| * a7e98a85990a samples/landlock: Fix possible NULL dereference in parse_path()
| * 332ee5fc52e1 regulator: of: Implement the unwind path of of_regulator_match()
| * bd099a2fa9be team: prevent adding a device which is already a team device lower
| * f5072f5c806f clk: imx8mp: Fix clkout1/2 support
| * 68fb4aafe3bb cpufreq: schedutil: Fix superfluous updates caused by need_freq_update
| * 0e833dc042b9 leds: netxbig: Fix an OF node reference leak in netxbig_leds_get_of_pdata()
| * 4efb30e564f2 dt-bindings: mfd…
Certain applications treat any shared memory buffer that they obtain as an ashmem buffer, meaning that they will attempt to invoke ashmem ioctl commands on that buffer. Android is transitioning to replacing ashmem with memfd, and memfd currently does not support ashmem ioctl commands. So, when an application attempts to invoke an ashmem ioctl command on a memfd, the invocation will fail and report an error back to the app.

In order to preserve compatibility between these apps and memfds, add a shim layer which will handle ashmem ioctl commands for memfds.

This also folds in the following commits from the android14-6.1 branch:

1. ANDROID: mm/memfd-ashmem-shim: Fix variable length array usage
2. ANDROID: mm/memfd-ashmem-shim: Simplify buffer name retrieval

Bug: 111903542
Bug: 415769373
Change-Id: I268a29ee2805739550d79fd2c21d3cfb5a852642
[isaacmanjarres: resolved trivial merge conflicts in mm/Kconfig and folded in fixes/simplifications that were merged into the android14-6.1 branch after the initial commit landed.]
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>

Allow the memfd-ashmem-shim ioctl handler to run for any shmem file, so that memfds can handle ashmem ioctl commands.

While this allows ashmem ioctl commands to be invoked on more than just memfds, this should be fine, since the ioctl commands don't expose any additional functionality than what is already achievable via other system calls.

Bug: 111903542
Change-Id: I0bf57ac5a90dba66e5c2c32beff70bcf9d26db6b
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>

Enable memfd-ashmem compatibility support.

Bug: 111903542
Change-Id: Ia4685272b2f64db737697a3e3c1640d110060111
[isaacmanjarres: resolved trivial merge conflicts in config files.]
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>

Commit 9474be3 ("binder: add failed transaction logging info") dereferences target_{proc,thread} after they have been potentially freed by binder_proc_dec_tmpref() and binder_thread_dec_tmpref().

This patch delays the release of the two references after their last usage. Fixes the following two errors reported by smatch:

drivers/android/binder.c:3562 binder_transaction() error: dereferencing freed memory 'target_proc'
drivers/android/binder.c:3563 binder_transaction() error: dereferencing freed memory 'target_thread'

Fixes: 9474be3 ("binder: add failed transaction logging info")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20220517185817.598872-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit dafa5e9)
Change-Id: I1557b4fcc6eece76dc49247c01baa8b089dec54e
Signed-off-by: xiaomei.li <xiaomei.li@unisoc.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
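The ordering problem described in the binder commit message above, as an added user-space model (not code from the binder driver or from this pull request). `struct target`, `target_dec_tmpref()` and `fail_path()` are hypothetical names, and the model returns -1 at the point where the driver's log statement would have read freed memory, which also shows why the fault only appears when the dropped reference was the last one.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for binder_proc / binder_thread: the object is
 * freed when its last temporary reference is dropped. */
struct target {
    int id;
    int tmp_ref;
};

static struct target *target_new(int id, int refs)
{
    struct target *t = malloc(sizeof(*t));
    if (!t)
        abort();
    t->id = id;
    t->tmp_ref = refs;
    return t;
}

/* Models the *_dec_tmpref() helpers: returns 1 if this call freed t. */
static int target_dec_tmpref(struct target *t)
{
    if (--t->tmp_ref > 0)
        return 0;
    free(t);
    return 1;
}

/* Error path of a failed transaction. Returns the id that reaches the
 * failure log, or -1 where the log would read freed memory (the model
 * checks; the flagged driver code dereferenced unconditionally). */
static int fail_path(int other_refs, int release_before_log)
{
    struct target *proc = target_new(1234, 1 + other_refs);
    int freed = 0, logged;

    if (release_before_log)
        freed = target_dec_tmpref(proc);   /* ordering flagged by smatch */
    logged = freed ? -1 : proc->id;        /* the failure log statement */
    if (!release_before_log)
        freed = target_dec_tmpref(proc);   /* fixed: release after last use */
    while (!freed)
        freed = target_dec_tmpref(proc);   /* other holders let go later */
    return logged;
}

int main(void)
{
    printf("release first, last ref:   %d\n", fail_path(0, 1));
    printf("release first, other refs: %d\n", fail_path(1, 1));
    printf("log first, last ref:       %d\n", fail_path(0, 0));
    return 0;
}
```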