forked from aosp-mirror/kernel_common
Android14 5.15 #1
Draft: tbalden wants to merge 10,000 commits into tbalden:cleanslate-shusky-u from aosp-mirror:android14-5.15
commit eac0442 upstream.

The ITR index (itr_idx) is only 2 bits wide. When constructing the register value for QINT_RQCTL, all fields are ORed together. Without masking, higher bits from itr_idx may overwrite adjacent fields in the register.

Apply I40E_QINT_RQCTL_ITR_INDX_MASK to ensure only the intended bits are set.

Fixes: 5c3c48a ("i40e: implement virtual device interface")
Cc: stable@vger.kernel.org
Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 456c32e upstream.

Since dynamic_events interface on tracefs is compatible with kprobe_events and uprobe_events, it should also check the lockdown status and reject if it is set.

Link: https://lore.kernel.org/all/175824455687.45175.3734166065458520748.stgit@devnote2/
Fixes: 17911ff ("tracing: Add locked_down checks to the open calls of files created for tracefs")
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1a194e6 upstream.

Fix integer overflow vulnerabilities in fbcon_do_set_font() where font size calculations could overflow when handling user-controlled font parameters.

The vulnerabilities occur when:

1. CALC_FONTSZ(h, pitch, charcount) performs h * pitch * charcount multiplication with user-controlled values that can overflow.
2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow.
3. This results in smaller allocations than expected, leading to buffer overflows during font data copying.

Add explicit overflow checking using check_mul_overflow() and check_add_overflow() kernel helpers to safely validate all size calculations before allocation.

Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 39b3cff ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
Cc: George Kennedy <george.kennedy@oracle.com>
Cc: stable <stable@vger.kernel.org>
Cc: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Helge Deller <deller@gmx.de>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Qianqiang Liu <qianqiang.liu@163.com>
Cc: Shixiong Ou <oushixiong@kylinos.cn>
Cc: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org> # v5.9+
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20250912170023.3931881-1-samasth.norway.ananda@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9b2f5ef upstream.

Commit 1a194e6 ("fbcon: fix integer overflow in fbcon_do_set_font") introduced an out-of-bounds access by storing data and allocation sizes in the same variable. Restore the old size calculation and use the new variable 'alloc_size' for the allocation.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 1a194e6 ("fbcon: fix integer overflow in fbcon_do_set_font")
Reported-by: Jani Nikula <jani.nikula@linux.intel.com>
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201
Cc: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: George Kennedy <george.kennedy@oracle.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Helge Deller <deller@gmx.de>
Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Qianqiang Liu <qianqiang.liu@163.com>
Cc: Shixiong Ou <oushixiong@kylinos.cn>
Cc: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org> # v5.9+
Cc: Zsolt Kajtar <soci@c64.rulez.org>
Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
Reviewed-by: Qianqiang Liu <qianqiang.liu@163.com>
Link: https://lore.kernel.org/r/20250922134619.257684-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

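The size handling described by the two fbcon commits above, as an added userspace example (not the kernel's fbcon code): the GCC/Clang `__builtin_*_overflow` builtins stand in for `check_mul_overflow()` and `check_add_overflow()`, and the `FONT_EXTRA_WORDS` value, the function names and the sample font are assumptions. The data size and the allocation size are kept in separate variables, which is the point of the follow-up fix.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative header size; the value is an assumption, not taken from the page. */
#define FONT_EXTRA_WORDS 4
#define FONT_HDR_BYTES   (FONT_EXTRA_WORDS * sizeof(int))

/* Unchecked 32-bit arithmetic: the product can wrap and yield a tiny allocation. */
uint32_t font_alloc_size_wrapping(uint32_t h, uint32_t pitch, uint32_t charcount)
{
    uint32_t size = h * pitch * charcount;

    return (uint32_t)FONT_HDR_BYTES + size;
}

/* Glyph data bytes (h * pitch * charcount), or -1 if the product does not fit in int. */
int font_data_size(unsigned h, unsigned pitch, unsigned charcount)
{
    int size;

    if (__builtin_mul_overflow(h, pitch, &size) ||
        __builtin_mul_overflow(size, charcount, &size))
        return -1;
    return size;
}

/* Header plus glyph data, or -1 if either step overflows int. */
int font_alloc_size(unsigned h, unsigned pitch, unsigned charcount)
{
    int data = font_data_size(h, pitch, charcount);
    int alloc;

    if (data < 0 || __builtin_add_overflow(FONT_HDR_BYTES, data, &alloc))
        return -1;
    return alloc;
}

/*
 * Allocate with alloc_size, copy with data_size. Reusing one variable for
 * both would make the copy run FONT_HDR_BYTES past the source glyph data.
 */
uint8_t *build_font(const uint8_t *glyphs, unsigned h, unsigned pitch,
                    unsigned charcount)
{
    int data_size = font_data_size(h, pitch, charcount);
    int alloc_size = font_alloc_size(h, pitch, charcount);
    uint8_t *buf;

    if (data_size < 0 || alloc_size < 0)
        return NULL;                    /* kernel code would return an error */
    buf = malloc((size_t)alloc_size);
    if (!buf)
        return NULL;
    memset(buf, 0, FONT_HDR_BYTES);
    memcpy(buf + FONT_HDR_BYTES, glyphs, (size_t)data_size);
    return buf;
}

/* Constructed 8x16 font with 256 glyphs; returns 1 if the copy is exact. */
int demo_roundtrip(void)
{
    enum { H = 16, PITCH = 1, COUNT = 256 };
    static uint8_t glyphs[H * PITCH * COUNT];
    uint8_t *font;
    int ok;

    for (size_t i = 0; i < sizeof(glyphs); i++)
        glyphs[i] = (uint8_t)(i * 7);
    font = build_font(glyphs, H, PITCH, COUNT);
    if (!font)
        return 0;
    ok = memcmp(font + FONT_HDR_BYTES, glyphs, sizeof(glyphs)) == 0;
    free(font);
    return ok;
}

int main(void)
{
    printf("8x16, 256 glyphs: data=%d alloc=%d\n",
           font_data_size(16, 1, 256), font_alloc_size(16, 1, 256));
    printf("0x10000 * 0x10000 * 1: wrapping alloc=%u, checked alloc=%d\n",
           (unsigned)font_alloc_size_wrapping(0x10000u, 0x10000u, 1),
           font_alloc_size(0x10000u, 0x10000u, 1));
    printf("INT_MAX glyph bytes: checked alloc=%d\n",
           font_alloc_size(1, 1, INT_MAX));
    printf("round trip ok: %d\n", demo_roundtrip());
    return 0;
}
```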
commit 32ca245 upstream.

Jann Horn reported a use-after-free in unix_stream_read_generic().

The following sequences reproduce the issue:

  $ python3
  from socket import *
  s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)
  s1.send(b'x', MSG_OOB)
  s2.recv(1, MSG_OOB)     # leave a consumed OOB skb
  s1.send(b'y', MSG_OOB)
  s2.recv(1, MSG_OOB)     # leave a consumed OOB skb
  s1.send(b'z', MSG_OOB)
  s2.recv(1)              # recv 'z' illegally
  s2.recv(1, MSG_OOB)     # access 'z' skb (use-after-free)

Even though a user reads OOB data, the skb holding the data stays on the recv queue to mark the OOB boundary and break the next recv().

After the last send() in the scenario above, the sk2's recv queue has 2 leading consumed OOB skbs and 1 real OOB skb.

Then, the following happens during the next recv() without MSG_OOB

  1. unix_stream_read_generic() peeks the first consumed OOB skb
  2. manage_oob() returns the next consumed OOB skb
  3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb
  4. unix_stream_read_generic() reads and frees the OOB skb

, and the last recv(MSG_OOB) triggers KASAN splat.

The 3. above occurs because of the SO_PEEK_OFF code, which does not expect unix_skb_len(skb) to be 0, but this is true for such consumed OOB skbs.

  while (skip >= unix_skb_len(skb)) {
    skip -= unix_skb_len(skb);
    skb = skb_peek_next(skb, &sk->sk_receive_queue);
    ...
  }

In addition to this use-after-free, there is another issue that ioctl(SIOCATMARK) does not function properly with consecutive consumed OOB skbs.

So, nothing good comes out of such a situation.

Instead of complicating manage_oob(), ioctl() handling, and the next ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs, let's not leave such consecutive OOB unnecessarily.

Now, while receiving an OOB skb in unix_stream_recv_urg(), if its previous skb is a consumed OOB skb, it is freed.

Fixes: 314001f ("af_unix: Add OOB support")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20250619041457.1132791-2-kuni1840@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[Lee: Shifted hunk inside the if() statement and surrounded the else with {}'s)
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

…ce_finalize()

commit 41cddf8 upstream.

If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0.

Similarly, if migration failed, memcg_data of the dst folio is left unset.

If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests:

Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step.

The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst.

Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com
Fixes: 8763cb4 ("mm/migrate: new memory migration helper for use with device memory")
Signed-off-by: David Hildenbrand <david@redhat.com>
Cc: Jérôme Glisse <jglisse@redhat.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
--
 mm/migrate.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

[ Upstream commit 7b73876 ]

Migration may be raced with fallocating hole. remove_inode_single_folio will unmap the folio if the folio is still mapped. However, it's called without folio lock. If the folio is migrated and the mapped pte has been converted to migration entry, folio_mapped() returns false, and won't unmap it. Due to extra refcount held by remove_inode_single_folio, migration fails, restores migration entry to normal pte, and the folio is mapped again. As a result, we triggered BUG in filemap_unaccount_folio.

The log is as follows:

Hold folio lock before checking if the folio is mapped to avoid race with migration.

Link: https://lkml.kernel.org/r/20250912074139.3575005-1-tujinjiang@huawei.com
Fixes: 4aae8d1 ("mm/hugetlbfs: unmap pages if page fault raced with hole punch")
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ folio -> page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 877b7e6 ]

VF state I40E_VF_STATE_ACTIVE is not the only state in which VF is actually active so it should not be used to determine if a VF is allowed to obtain resources.

Use I40E_VF_STATE_RESOURCES_LOADED that is set only in i40e_vc_get_vf_resources_msg() and cleared during reset.

Fixes: 61125b8 ("i40e: Fix failed opcode appearing if handling messages from VF")
Cc: stable@vger.kernel.org
Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit f1ad24c ]

Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_vc_config_queues_msg().

Fixes: c27eac4 ("i40e: Enable ADq and create queue channel/s on VF")
Cc: stable@vger.kernel.org
Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Kamakshi Nellore <nellorex.kamakshi@intel.com> (A Contingent Worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit aa6908c ]

In Tables 8-12 and 8-22 in the X710/XXV710/XL710 datasheet, the QLEN description states that the maximum size of the descriptor queue is 8k minus 32, or 8160.

Signed-off-by: Justin Bronder <jsbronder@cold-front.org>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://lore.kernel.org/r/20231113231047.548659-2-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 55d2256 ("i40e: add validation for ring_len param")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 55d2256 ]

The `ring_len` parameter provided by the virtual function (VF) is assigned directly to the hardware memory context (HMC) without any validation.

To address this, introduce an upper boundary check for both Tx and Rx queue lengths. The maximum number of descriptors supported by the hardware is 8k-32. Additionally, enforce alignment constraints: Tx rings must be a multiple of 8, and Rx rings must be a multiple of 32.

Fixes: 5c3c48a ("i40e: implement virtual device interface")
Cc: stable@vger.kernel.org
Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

…ameters

commit 6f71507 upstream.

The scale() function detects invalid parameters, but continues its calculations anyway. This causes bad results if negative values are used for unsigned operations. Worst case, a division by 0 error will be seen if source_min == source_max.

On top of that, after v6.13, the sequence of WARN_ON() followed by clamp() may result in a build error with gcc 13.x.

  drivers/gpu/drm/i915/display/intel_backlight.c: In function 'scale':
  include/linux/compiler_types.h:542:45: error: call to '__compiletime_assert_415' declared with attribute error: clamp() low limit source_min greater than high limit source_max

This happens if the compiler decides to rearrange the code as follows.

  if (source_min > source_max) {
    WARN(..);
    /* Do the clamp() knowing that source_min > source_max */
    source_val = clamp(source_val, source_min, source_max);
  } else {
    /* Do the clamp knowing that source_min <= source_max */
    source_val = clamp(source_val, source_min, source_max);
  }

Fix the problem by evaluating the return values from WARN_ON and returning immediately after a warning. While at it, fix divide by zero error seen if source_min == source_max.

Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: David Laight <david.laight.linux@gmail.com>
Cc: David Laight <david.laight.linux@gmail.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250121145203.2851237-1-linux@roeck-us.net
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

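A userspace sketch of the validate-then-return pattern the scale() commit message above describes, added here as an example and not taken from the i915 source. The warning counter stands in for WARN_ON(), and returning target_min for a rejected range is an assumption of this example; `unchecked_span()` shows the divisor the unvalidated path would have used.

```c
#include <stdint.h>
#include <stdio.h>

/* Counts rejected calls; a stand-in for WARN_ON() in this example. */
static unsigned int scale_warnings;

unsigned int scale_warning_count(void)
{
    return scale_warnings;
}

/* Divisor computed without validation: 0 when min == max, wrapped when min > max. */
uint32_t unchecked_span(uint32_t source_min, uint32_t source_max)
{
    return source_max - source_min;
}

/*
 * Map source_val from [source_min, source_max] onto [target_min, target_max].
 * Invalid ranges are reported and rejected before any arithmetic runs, so the
 * unsigned subtractions never wrap and the divisor is never zero.
 * Returning target_min on rejection is a choice made for this example.
 */
uint32_t scale(uint32_t source_val, uint32_t source_min, uint32_t source_max,
               uint32_t target_min, uint32_t target_max)
{
    uint64_t target_val;
    uint32_t span;

    if (source_min >= source_max || target_min > target_max) {
        scale_warnings++;
        return target_min;
    }

    /* Clamp only after the range is known to be ordered. */
    if (source_val < source_min)
        source_val = source_min;
    if (source_val > source_max)
        source_val = source_max;

    span = source_max - source_min;
    target_val = (uint64_t)(source_val - source_min) * (target_max - target_min);
    target_val = (target_val + span / 2) / span;    /* round to nearest */
    return target_min + (uint32_t)target_val;
}

int main(void)
{
    printf("scale(50, 0..100 -> 0..255)   = %u\n", (unsigned)scale(50, 0, 100, 0, 255));
    printf("scale(200, 0..100 -> 0..255)  = %u\n", (unsigned)scale(200, 0, 100, 0, 255));
    printf("scale(5, 10..10 -> 0..255)    = %u (rejected)\n", (unsigned)scale(5, 10, 10, 0, 255));
    printf("scale(50, 100..0 -> 10..20)   = %u (rejected)\n", (unsigned)scale(50, 100, 0, 10, 20));
    printf("unchecked divisor for 100..0  = %u\n", (unsigned)unchecked_span(100, 0));
    printf("warnings: %u\n", scale_warning_count());
    return 0;
}
```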
Link: https://lore.kernel.org/r/20250930143827.587035735@linuxfoundation.org
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
Tested-by: Vijayendra Suman <vijayendra.suman@oracle.com>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

…) into android14-5.15-lts

Steps on the way to 5.15.194

Resolves merge conflicts in:
	include/net/sock.h
	net/core/sock.c

Change-Id: I015c206c8f63af2960228ccd7529aaf408a5f421
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

…r offline timer migration") into android14-5.15-lts
Steps on the way to 5.15.194
Resolves merge conflicts with:
kernel/time/hrtimer.c
by merging away the following commits due to abi issues:
24a65b4 hrtimers: Unconditionally update target CPU base after offline timer migration
e90b685 hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active()
95b76eb hrtimer: Remove unused function
Change-Id: Ie6696cb08f78a73c18a4fdee49050442939eec78
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 5.15.194
Revert "fbdev: Disable sysfb device registration when removing conflicting FBs"
xfs: short circuit xfs_growfs_data_private() if delta is zero
kunit: kasan_test: disable fortify string checker on kasan_strings() test
mm: introduce and use {pgd,p4d}_populate_kernel()
media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning
media: i2c: imx214: Fix link frequency validation
net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
tracing: Do not add length to print format in synthetic events
mm/rmap: reject hugetlb folios in folio_make_device_exclusive()
flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read
NFSv4: Don't clear capabilities that won't be reset
NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set
NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server
tracing: Fix tracing_marker may trigger page fault during preempt_disable
NFSv4/flexfiles: Fix layout merge mirror check.
tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.
KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code
KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func()
KVM: SVM: Set synthesized TSA CPUID flags
EDAC/altera: Delete an inappropriate dma_free_coherent() call
compiler-clang.h: define __SANITIZE_*__ macros only when undefined
mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN
ocfs2: fix recursive semaphore deadlock in fiemap call
mtd: rawnand: stm32_fmc2: fix ECC overwrite
fuse: check if copy_file_range() returns larger than requested size
fuse: prevent overflow in copy_file_range return value
libceph: fix invalid accesses to ceph_connection_v1_info
mm/khugepaged: fix the address passed to notifier on testing young
mtd: nand: raw: atmel: Fix comment in timings preparation
mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing
mtd: rawnand: stm32_fmc2: Fix dma_map_sg error check
mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table
tty: hvc_console: Call hvc_kick in hvc_write unconditionally
dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks
USB: serial: option: add Telit Cinterion FN990A w/audio compositions
USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions
net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
tunnels: reset the GSO metadata before reusing the skb
igb: fix link test skipping when interface is admin down
genirq: Provide new interfaces for affinity hints
i40e: Use irq_update_affinity_hint()
i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed
can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails
can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
net: hsr: Disable promiscuous mode in offload mode
net: hsr: Add support for MC filtering at the slave device
net: hsr: Add VLAN CTAG filter support
hsr: use rtnl lock when iterating over ports
hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr
dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
regulator: sy7636a: fix lifecycle of power good gpio
hrtimer: Remove unused function
hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active()
hrtimers: Unconditionally update target CPU base after offline timer migration
dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
phy: tegra: xusb: fix device and OF node leak at probe
phy: ti-pipe3: fix device leak at unbind
soc: qcom: mdt_loader: Deal with zero e_shentsize
drm/amdgpu: fix a memory leak in fence cleanup when unloading
drm/i915/power: fix size for for_each_set_bit() in abox iteration
mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
net: hsr: hsr_slave: Fix the promiscuous mode in offload mode
ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported
wifi: mac80211: fix incorrect type for ret
pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch
cgroup: split cgroup_destroy_wq into 3 workqueues
um: virtio_uml: Fix use-after-free after put_device in probe
dpaa2-switch: fix buffer pool seeding for control traffic
qed: Don't collect too many protection override GRC elements
net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure
i40e: remove redundant memory barrier when cleaning Tx descs
tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set"
net: liquidio: fix overflow in octeon_init_instr_queue()
cnic: Fix use-after-free bugs in cnic_delete_task
nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/*
power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery
power: supply: bq27xxx: restrict no-battery detection to bq27000
btrfs: tree-checker: fix the incorrect inode ref size check
mmc: mvsdio: Fix dma_unmap_sg() nents value
KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active
rds: ib: Increment i_fastreg_wrs before bailing out
ASoC: wm8940: Correct typo in control name
ASoC: wm8974: Correct PLL rate rounding
ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message
drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ
drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path
serial: sc16is7xx: fix bug in flow control levels init
xhci: dbc: decouple endpoint allocation from initialization
xhci: dbc: Fix full DbC transfer ring after several reconnects
usb: gadget: dummy_hcd: remove usage of list iterator past the loop body
USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels
phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning
phy: Use device_get_match_data()
phy: ti: omap-usb2: fix device leak at unbind
mptcp: set remote_deny_join_id0 on SYN recv
ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer
mptcp: propagate shutdown to subflows when possible
net: rfkill: gpio: add DT support
net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer
ALSA: usb-audio: Fix block comments in mixer_quirks
ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks
ALSA: usb-audio: Avoid multiple assignments in mixer_quirks
ALSA: usb-audio: Simplify NULL comparison in mixer_quirks
ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks
ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5
ALSA: usb-audio: Convert comma to semicolon
ALSA: usb-audio: Fix build with CONFIG_INPUT=n
usb: core: Add 0x prefix to quirks debug output
IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions
arm64: dts: imx8mp: Correct thermal sensor index
cpufreq: Initialize cpufreq-based invariance before subsys
can: rcar_can: rcar_can_resume(): fix s2ram with PSCI
bpf: Reject bpf_timer for PREEMPT_RT
can: bittiming: allow TDC{V,O} to be zero and add can_tdc_const::tdc{v,o,f}_min
can: bittiming: replace CAN units with the generic ones from linux/units.h
can: dev: add generic function can_ethtool_op_get_ts_info_hwts()
can: dev: add generic function can_eth_ioctl_hwts()
can: etas_es58x: advertise timestamping capabilities and add ioctl support
can: etas_es58x: sort the includes by alphabetic order
can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
can: peak_usb: fix shift-out-of-bounds issue
ethernet: rvu-af: Remove slash from the driver name
bnxt_en: correct offset handling for IPv6 destination address
nexthop: Forbid FDB status change while nexthop is in a group
selftests: fib_nexthops: Fix creation of non-FDB nexthops
net: dsa: lantiq_gswip: do also enable or disable cpu port
net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to port_setup()
net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries added to the CPU port
drm/gma500: Fix null dereference in hdmi teardown
crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
crypto: af_alg - Fix incorrect boolean values in af_alg_ctx
i40e: fix idx validation in i40e_validate_queue_map
i40e: fix input validation logic for action_meta
i40e: add max boundary check for VF filters
i40e: add mask to apply valid bits for itr_idx
tracing: dynevent: Add a missing lockdown check on dynevent
fbcon: fix integer overflow in fbcon_do_set_font
fbcon: Fix OOB access in font allocation
af_unix: Don't leave consecutive consumed OOB skbs.
mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
mm/hugetlb: fix folio is still mapped when deleted
i40e: fix validation of VF state in get resources
i40e: fix idx validation in config queues msg
i40e: increase max descriptors for XL710
i40e: add validation for ring_len param
drm/i915/backlight: Return immediately when scale() finds invalid parameters
Linux 5.15.194
Change-Id: I2e85d339391accb8fba8c8f59f503e265cc0c341
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
In commit b9a0e6f ("can: dev: add generic function can_ethtool_op_get_ts_info_hwts()"), a new .h file is added, which messes with the CRC values for some can functions due to structures now being fully defined when they previously were not. Fix this up by only including that when the crc generator is not running.
Fixes: b9a0e6f ("can: dev: add generic function can_ethtool_op_get_ts_info_hwts()")
Bug: 161946584
Change-Id: I17aa471f14a1aaa176d9d644f2b6f29a0eca8f78
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 25daf9a upstream.
Firmware that doesn't provide section headers leaves both e_shentsize and e_shnum 0, which obviously isn't compatible with the newly introduced stricter checks. Make the section-related checks conditional on either of these values being non-zero.
Fixes: 9f9967f ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header")
Reported-by: Val Packett <val@packett.cool>
Closes: https://lore.kernel.org/all/ece307c3-7d65-440f-babd-88cf9705b908@packett.cool/
Reported-by: Neil Armstrong <neil.armstrong@linaro.org>
Closes: https://lore.kernel.org/all/aec9cd03-6fc2-4dc8-b937-8b7cf7bf4128@linaro.org/
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Fixes: 9f35ab0 ("soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()")
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-QRD
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250730-mdt-loader-shentsize-zero-v1-1-04f43186229c@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Cc: Yongqin Liu <yongqin.liu@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 146449535
Change-Id: Iacfaffd1094a328aa884e08b99d42b45fe7e8c3f
(cherry picked from commit 91b2c8e)
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
INFO: 3 function symbol(s) added
'int drm_of_encoder_active_endpoint(struct device_node*, struct drm_encoder*, struct of_endpoint*)'
'int drm_of_lvds_get_dual_link_pixel_order(const struct device_node*, const struct device_node*)'
'struct device_node* of_graph_get_port_by_id(struct device_node*, u32)'
Bug: 451891594
Change-Id: I444d83c5370c0774674e8ed2a7b888307642fd27
Signed-off-by: James Tai <james.tai@realtek.com>
commit 1b34cbb upstream.
Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state.
Disallow this by adding a new ctx->write field that indicates exclusive ownership for writing.
Bug: 446278751
Fixes: 8ff5909 ("crypto: algif_skcipher - User-space interface for skcipher operations")
Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9aee87d)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ie4b99c532ab77a6e25483ece1f42ed4c4744e70f
5 function symbol(s) added
'int divider_ro_determine_rate(struct clk_hw*, struct clk_rate_request*, const struct clk_div_table*, u8, unsigned long, unsigned int)'
'int kstrtos16(const char*, unsigned int, s16*)'
'int snd_card_free_when_closed(struct snd_card*)'
'void snd_pcm_stream_lock(struct snd_pcm_substream*)'
'void snd_pcm_stream_unlock(struct snd_pcm_substream*)'
Bug: 454228076
Change-Id: I34a6710d3e0a7c3dc4c5aa3dda07fd0d220806a1
Signed-off-by: Qinglin Li <qinglin.li@amlogic.com>
A recent security patch in af_alg converted bool members of
af_alg_ctx into bitfields. Update assignment to the bitfield to prevent
the following kernelci error:
crypto/af_alg.c: In function ‘af_alg_sendpage’:
crypto/af_alg.c:1033:21: error: overflow in conversion from ‘int’ to ‘unsigned char:1’ changes value from ‘flags & 32768’ to ‘0’ [-Werror=overflow]
1033 | ctx->more = flags & MSG_MORE;
| ^~~~~
This line is no longer present in upstream as of commit dc97391
("sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES)"),
which was introduced after 6.1.
Bug: 454240277
Fixes: 3522ea7 ("UPSTREAM: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg")
Change-Id: I5f1a944aeb44eb7a9b181924ef8b82fe79771353
Signed-off-by: Tiffany Yang <ynaffit@google.com>
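The truncation behind the build error in the commit message above, as an added example that is not part of the commit or the kernel source. Only the `ctx->more = flags & MSG_MORE` assignment, the `unsigned char:1` type and the value 32768 come from the log; the struct layouts, helper names and the `!!` normalisation are assumptions for illustration. The mask is passed as a parameter so the compiler cannot prove the truncation at build time the way it did in the log.

```c
#include <stdbool.h>
#include <stdio.h>

/* Value of MSG_MORE as printed in the error text (flags & 32768). */
#define DEMO_MSG_MORE 0x8000

/* Hypothetical stand-ins for the flag member before and after the
 * bool-to-bitfield change; the real af_alg_ctx has more members. */
struct ctx_bool     { bool more; };
struct ctx_bitfield { unsigned char more:1; }; /* type from the error text */

/* Old layout: conversion to bool maps every non-zero value to 1. */
static int store_bool(int flags, int mask)
{
    struct ctx_bool ctx = { 0 };
    ctx.more = flags & mask;
    return ctx.more;
}

/* New layout, assignment left unchanged: a 1-bit field keeps only bit 0
 * of the value, so a flag that lives in bit 15 is stored as 0. */
static int store_bitfield_raw(int flags, int mask)
{
    struct ctx_bitfield ctx = { 0 };
    ctx.more = flags & mask;
    return ctx.more;
}

/* New layout, assignment normalised to 0/1 before the store
 * (one possible fix, assumed here; the commit's own diff is not shown). */
static int store_bitfield_normalised(int flags, int mask)
{
    struct ctx_bitfield ctx = { 0 };
    ctx.more = !!(flags & mask);
    return ctx.more;
}

/* Count the single-bit flags (bits 0..15) that the bool layout records
 * as set but the raw bitfield store silently drops. */
static int count_lost_flags(void)
{
    int lost = 0;
    for (int bit = 0; bit < 16; bit++) {
        int flag = 1 << bit;
        if (store_bool(flag, flag) == 1 && store_bitfield_raw(flag, flag) == 0)
            lost++;
    }
    return lost;
}

int main(void)
{
    int flags = DEMO_MSG_MORE; /* constructed input: only MSG_MORE set */

    printf("bool member:          %d\n", store_bool(flags, DEMO_MSG_MORE));
    printf("bitfield, raw store:  %d\n", store_bitfield_raw(flags, DEMO_MSG_MORE));
    printf("bitfield, normalised: %d\n", store_bitfield_normalised(flags, DEMO_MSG_MORE));
    printf("single-bit flags lost by the raw store: %d of 16\n", count_lost_flags());
    return 0;
}
```

When reviewing a bool-to-bitfield conversion, every assignment that stores a masked flag rather than a 0/1 value needs the same check, because the compiler only reports the cases it can prove at build time.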
This merges the android14-5.15.194_r00 tag into the android14-5.15 branch, catching it up with the latest LTS releases.
It contains the following commits:
* 4e13bdf ANDROID: GKI: fix crc issue with include/linux/can/dev.h
* baebcc4 Merge 5.15.194 into android14-5.15-lts
|\
| * 29e53a5 Linux 5.15.194
| * 1c532dd drm/i915/backlight: Return immediately when scale() finds invalid parameters
| * 45a7527 i40e: add validation for ring_len param
| * 8043ca4 i40e: increase max descriptors for XL710
| * 1fa0aad i40e: fix idx validation in config queues msg
| * 8e35c80 i40e: fix validation of VF state in get resources
| * 3e85144 mm/hugetlb: fix folio is still mapped when deleted
| * 4f52f7c mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
| * 523edfe af_unix: Don't leave consecutive consumed OOB skbs.
| * ecbfd9e fbcon: Fix OOB access in font allocation
| * b8a6e85 fbcon: fix integer overflow in fbcon_do_set_font
| * 0d41604 tracing: dynevent: Add a missing lockdown check on dynevent
| * 1b1c3bd i40e: add mask to apply valid bits for itr_idx
| * 77a35be i40e: add max boundary check for VF filters
| * f8c8e11 i40e: fix input validation logic for action_meta
| * 34dfac0 i40e: fix idx validation in i40e_validate_queue_map
| * d382d6d crypto: af_alg - Fix incorrect boolean values in af_alg_ctx
| * e4c1ec1 crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
| * e15de80 drm/gma500: Fix null dereference in hdmi teardown
| * 37821b8 net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries added to the CPU port
| * e8687ab net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to port_setup()
| * b9010db net: dsa: lantiq_gswip: do also enable or disable cpu port
| * cf2d597 selftests: fib_nexthops: Fix creation of non-FDB nexthops
| * 0e7bfe7 nexthop: Forbid FDB status change while nexthop is in a group
| * 5d4856a bnxt_en: correct offset handling for IPv6 destination address
| * d646358 ethernet: rvu-af: Remove slash from the driver name
| * 48822a5 can: peak_usb: fix shift-out-of-bounds issue
| * 6eec67b can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
| * 60463a1 can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
| * 7ab8576 can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
| * 72de0fa can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
| * 256b64f can: etas_es58x: sort the includes by alphabetic order
| * f44124f can: etas_es58x: advertise timestamping capabilities and add ioctl support
| * 0a6e1bd can: dev: add generic function can_eth_ioctl_hwts()
| * b9a0e6f can: dev: add generic function can_ethtool_op_get_ts_info_hwts()
| * 533e322 can: bittiming: replace CAN units with the generic ones from linux/units.h
| * 33b83a9 can: bittiming: allow TDC{V,O} to be zero and add can_tdc_const::tdc{v,o,f}_min
| * d51c6b5 bpf: Reject bpf_timer for PREEMPT_RT
| * 9ebf862 can: rcar_can: rcar_can_resume(): fix s2ram with PSCI
| * b32c64d cpufreq: Initialize cpufreq-based invariance before subsys
| * db28f97 arm64: dts: imx8mp: Correct thermal sensor index
| * bb3eeb3 IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions
| * 825c17c usb: core: Add 0x prefix to quirks debug output
| * 9ba349a ALSA: usb-audio: Fix build with CONFIG_INPUT=n
| * 1746e7a ALSA: usb-audio: Convert comma to semicolon
| * b4b94f0 ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5
| * 4f92946 ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks
| * 790b167 ALSA: usb-audio: Simplify NULL comparison in mixer_quirks
| * e4f6ae9 ALSA: usb-audio: Avoid multiple assignments in mixer_quirks
| * a4bb77c ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks
| * 2f56442 ALSA: usb-audio: Fix block comments in mixer_quirks
| * ada2282 net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer
| * 98c2894 net: rfkill: gpio: add DT support
| * 2f58e6d mptcp: propagate shutdown to subflows when possible
| * 773fddf ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer
| * dde28a5 mptcp: set remote_deny_join_id0 on SYN recv
| * ca9e4e6 phy: ti: omap-usb2: fix device leak at unbind
| * f564852 phy: Use device_get_match_data()
| * 0df0f4b phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning
| * 662b75f USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels
| * 94fac89 usb: gadget: dummy_hcd: remove usage of list iterator past the loop body
| * dbf216a xhci: dbc: Fix full DbC transfer ring after several reconnects
| * 503ba50 xhci: dbc: decouple endpoint allocation from initialization
| * 84870a6 serial: sc16is7xx: fix bug in flow control levels init
| * dfca6fa drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path
| * 51a501e drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ
| * 79a06d9 ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message
| * e07847f ASoC: wm8974: Correct PLL rate rounding
| * 0235a57 ASoC: wm8940: Correct typo in control name
| * 2e94bc6 rds: ib: Increment i_fastreg_wrs before bailing out
| * 9697890 KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active
| * 8a29726 mmc: mvsdio: Fix dma_unmap_sg() nents value
| * 4f935a1 btrfs: tree-checker: fix the incorrect inode ref size check
| * 29d9125 power: supply: bq27xxx: restrict no-battery detection to bq27000
| * fe0f602 power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery
| * 40fb833 nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/*
| * 0405055 cnic: Fix use-after-free bugs in cnic_delete_task
| * 428c1dd net: liquidio: fix overflow in octeon_init_instr_queue()
| * 3cae948 Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set"
| * 33a4fdf tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
| * 17cb9b4 i40e: remove redundant memory barrier when cleaning Tx descs
| * 95235d2 net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure
| * e0e2457 qed: Don't collect too many protection override GRC elements
| * e4343d4 dpaa2-switch: fix buffer pool seeding for control traffic
| * 5e94e44 um: virtio_uml: Fix use-after-free after put_device in probe
| * f2795d1 cgroup: split cgroup_destroy_wq into 3 workqueues
| * f2ede1f pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch
| * 0f9cf94 wifi: mac80211: fix incorrect type for ret
| * d258797 ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported
| * 5f2f50a net: hsr: hsr_slave: Fix the promiscuous mode in offload mode
| * 99f7048 mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
| * a8b0032 drm/i915/power: fix size for for_each_set_bit() in abox iteration
| * f1b3497 drm/amdgpu: fix a memory leak in fence cleanup when unloading
| * 91b2c8e soc: qcom: mdt_loader: Deal with zero e_shentsize
| * e3d490f phy: ti-pipe3: fix device leak at unbind
| * 4de4344 phy: tegra: xusb: fix device and OF node leak at probe
| * 6ac1599 dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
* | dba79e6 Merge 24a65b4 ("hrtimers: Unconditionally update target CPU base after offline timer migration") into android14-5.15-lts
|\|
| * 24a65b4 hrtimers: Unconditionally update target CPU base after offline timer migration
| * e90b685 hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active()
| * 95b76eb hrtimer: Remove unused function
* | 7e493b0 Revert "genirq: Provide new interfaces for affinity hints"
* | a4d0167 Revert "i40e: Use irq_update_affinity_hint()"
* | 560d085 Revert "i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path"
* | 9e0b469 Merge 5d5385f ("regulator: sy7636a: fix lifecycle of power good gpio") into android14-5.15-lts
|\|
| * 5d5385f regulator: sy7636a: fix lifecycle of power good gpio
| * 301a96c dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
| * 810167f hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr
| * cedfcd0 hsr: use rtnl lock when iterating over ports
| * 1100242 net: hsr: Add VLAN CTAG filter support
| * 7e0ef98 net: hsr: Add support for MC filtering at the slave device
| * d981b96 net: hsr: Disable promiscuous mode in offload mode
| * e202ffd can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
| * 5cf37a6 can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails
| * 3245eb9 can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed
| * b9721a0 i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
| * 7d9bd1c i40e: Use irq_update_affinity_hint()
| * e7ddb59 genirq: Provide new interfaces for affinity hints
| * 582f5ce igb: fix link test skipping when interface is admin down
| * f39a126 tunnels: reset the GSO metadata before reusing the skb
| * 93a699d net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
| * e818c35 USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions
| * 93e4404 USB: serial: option: add Telit Cinterion FN990A w/audio compositions
| * 28d20ff dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks
| * d91604c tty: hvc_console: Call hvc_kick in hvc_write unconditionally
| * 9cf2429 Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table
| * e32a2ea mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
| * 6e2859c mtd: rawnand: stm32_fmc2: Fix dma_map_sg error check
| * e0bca4d mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing
| * c3f1ea8 mtd: nand: raw: atmel: Fix comment in timings preparation
| * 123e31a mm/khugepaged: fix the address passed to notifier on testing young
| * ea12ab6 libceph: fix invalid accesses to ceph_connection_v1_info
| * 1e1bcbc fuse: prevent overflow in copy_file_range return value
| * 5d41589 fuse: check if copy_file_range() returns larger than requested size
| * b8af2e7 mtd: rawnand: stm32_fmc2: fix ECC overwrite
| * ef30404 ocfs2: fix recursive semaphore deadlock in fiemap call
| * 23092f6 mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN
| * 5d7267a compiler-clang.h: define __SANITIZE_*__ macros only when undefined
| * 8178ccf EDAC/altera: Delete an inappropriate dma_free_coherent() call
| * 34b87ac KVM: SVM: Set synthesized TSA CPUID flags
| * 54270c1 KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func()
| * 2fab1e2 KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code
| * 7429b8b tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.
| * 5f756d1 NFSv4/flexfiles: Fix layout merge mirror check.
| * 9a38cd9 tracing: Fix tracing_marker may trigger page fault during preempt_disable
| * c10744f NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server
| * 89f4050 NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set
| * 9190260 NFSv4: Don't clear capabilities that won't be reset
| * 929de8c flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read
| * 76b1a7c mm/rmap: reject hugetlb folios in folio_make_device_exclusive()
| * 1cdb41d tracing: Do not add length to print format in synthetic events
| * d51e47e net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
| * 85d1c5d media: i2c: imx214: Fix link frequency validation
| * 6e31585 media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning
| * 10d8884 mm: introduce and use {pgd,p4d}_populate_kernel()
| * adb2f26 kunit: kasan_test: disable fortify string checker on kasan_strings() test
| * 69944b3 xfs: short circuit xfs_growfs_data_private() if delta is zero
| * c0950ee Revert "fbdev: Disable sysfb device registration when removing conflicting FBs"
* | 025cfd8 Merge android14-5.15 into android14-5.15-lts
* | 0795636 Merge 5.15.193 into android14-5.15-lts
|/
* 43bb852 Linux 5.15.193
* 70de678 x86/vmscape: Add old Intel CPUs to affected list
* 79ec330 x86/vmscape: Warn when STIBP is disabled with SMT
* 1cd71b0 x86/bugs: Move cpu_bugs_smt_update() down
* 2f4f2f8 x86/vmscape: Enable the mitigation
* d5490df x86/vmscape: Add conditional IBPB mitigation
* f2ed886 x86/vmscape: Enumerate VMSCAPE bug
* a4fff4e Documentation/hw-vuln: Add VMSCAPE documentation
Change-Id: I3ac72f56904eb3e26744a7421f78815d2c4c29a1
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
chenyuwen reports a f2fs bug as below:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000011
fscrypt_set_bio_crypt_ctx+0x78/0x1e8
f2fs_grab_read_bio+0x78/0x208
f2fs_submit_page_read+0x44/0x154
f2fs_get_read_data_page+0x288/0x5f4
f2fs_get_lock_data_page+0x60/0x190
truncate_partial_data_page+0x108/0x4fc
f2fs_do_truncate_blocks+0x344/0x5f0
f2fs_truncate_blocks+0x6c/0x134
f2fs_truncate+0xd8/0x200
f2fs_iget+0x20c/0x5ac
do_garbage_collect+0x5d0/0xf6c
f2fs_gc+0x22c/0x6a4
f2fs_disable_checkpoint+0xc8/0x310
f2fs_fill_super+0x14bc/0x1764
mount_bdev+0x1b4/0x21c
f2fs_mount+0x20/0x30
legacy_get_tree+0x50/0xbc
vfs_get_tree+0x5c/0x1b0
do_new_mount+0x298/0x4cc
path_mount+0x33c/0x5fc
__arm64_sys_mount+0xcc/0x15c
invoke_syscall+0x60/0x150
el0_svc_common+0xb8/0xf8
do_el0_svc+0x28/0xa0
el0_svc+0x24/0x84
el0t_64_sync_handler+0x88/0xec
It is because inode.i_crypt_info is not initialized during below path:
- mount
- f2fs_fill_super
- f2fs_disable_checkpoint
- f2fs_gc
- f2fs_iget
- f2fs_truncate
So, let's relocate truncation of preallocated blocks to f2fs_file_open(),
after fscrypt_file_open().
Bug: 455892000
Fixes: d4dd19e ("f2fs: do not expose unwritten blocks to user by DIO")
Reported-by: chenyuwen <yuwen.chen@xjmz.com>
Closes: https://lore.kernel.org/linux-kernel/20240517085327.1188515-1-yuwen.chen@xjmz.com
Change-Id: I0ea53cf13eb9b96b943977cca512fe684ef45001
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 298b1e4)
Signed-off-by: Sandeep Dhavale <dhavale@google.com>
commit 960013e upstream.
After a recent change [1] in clang's randstruct implementation to randomize structures that only contain function pointers, there is an error because qede_ll_ops gets randomized but does not use a designated initializer for the first member:
drivers/net/ethernet/qlogic/qede/qede_main.c:206:2: error: a randomized struct can only be initialized with a designated initializer
206 | {
| ^
Explicitly initialize the common member using a designated initializer to fix the build.
Cc: stable@vger.kernel.org
Fixes: 035f7f8 ("randstruct: Enable Clang support")
Link: llvm/llvm-project@04364fb [1]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Link: https://patch.msgid.link/20250507-qede-fix-clang-randstruct-v1-1-5ccc15626fba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 6b3ab7f)
Bug: 457892834
Change-Id: If0827c47b0b7c388be3509d7872eac8755c723f8
Signed-off-by: Tiffany Yang <ynaffit@google.com>
INFO: 2 function symbol(s) added
'int devm_clk_notifier_register(struct device*, struct clk*, struct notifier_block*)'
'ssize_t iio_write_channel_ext_info(struct iio_channel*, const char*, const char*, size_t)'
Bug: 460308489
Change-Id: Id48e91516f45f7970f53e6ba877a95664b814cb7
Signed-off-by: James Tai <james.tai@realtek.com>
10 function symbol(s) added
'int __traceiter_android_vh_watchdog_timer_softlockup(void*, int, struct pt_regs*, bool)'
'int __traceiter_android_vh_wq_lockup_pool(void*, int, unsigned long)'
'struct config_item* config_group_find_item(struct config_group*, const char*)'
'void config_item_init_type_name(struct config_item*, const char*, const struct config_item_type*)'
'void trace_dump_stack(int)'
'int usb_function_activate(struct usb_function*)'
'int usb_function_deactivate(struct usb_function*)'
'int usb_gadget_frame_number(struct usb_gadget*)'
'int v4l2_fill_pixfmt(struct v4l2_pix_format*, u32, u32, u32)'
'void v4l2_simplify_fraction(u32*, u32*, unsigned int, unsigned int)'
2 variable symbol(s) added
'struct tracepoint __tracepoint_android_vh_watchdog_timer_softlockup'
'struct tracepoint __tracepoint_android_vh_wq_lockup_pool'
Bug: 461408887
Change-Id: I62d37f544dbe60711c0228be5cb8504f5c68f046
Signed-off-by: Qinglin Li <qinglin.li@amlogic.com>
No description provided.