94de3b405c8dee0ffc8de5c06b32fbf00fc4e8f9
2197 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Greg Kroah-Hartman
|
7622c50ba6 |
Merge 5.15.91 into android13-5.15-lts
Changes in 5.15.91 memory: tegra: Remove clients SID override programming memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe() memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe() dmaengine: ti: k3-udma: Do conditional decrement of UDMA_CHAN_RT_PEER_BCNT_REG arm64: dts: imx8mp-phycore-som: Remove invalid PMIC property ARM: dts: imx6ul-pico-dwarf: Use 'clock-frequency' ARM: dts: imx7d-pico: Use 'clock-frequency' ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' arm64: dts: imx8mm-beacon: Fix ecspi2 pinmux ARM: imx: add missing of_node_put() HID: intel_ish-hid: Add check for ishtp_dma_tx_map arm64: dts: imx8mm-venice-gw7901: fix USB2 controller OC polarity soc: imx8m: Fix incorrect check for of_clk_get_by_name() reset: uniphier-glue: Use reset_control_bulk API reset: uniphier-glue: Fix possible null-ptr-deref EDAC/highbank: Fix memory leak in highbank_mc_probe() firmware: arm_scmi: Harden shared memory access in fetch_response firmware: arm_scmi: Harden shared memory access in fetch_notification tomoyo: fix broken dependency on *.conf.default RDMA/core: Fix ib block iterator counter overflow IB/hfi1: Reject a zero-length user expected buffer IB/hfi1: Reserve user expected TIDs IB/hfi1: Fix expected receive setup error exit issues IB/hfi1: Immediately remove invalid memory from hardware IB/hfi1: Remove user expected buffer invalidate race affs: initialize fsdata in affs_truncate() PM: AVS: qcom-cpr: Fix an error handling path in cpr_probe() arm64: dts: qcom: msm8992: Don't use sfpb mutex arm64: dts: qcom: msm8992-libra: Add CPU regulators arm64: dts: qcom: msm8992-libra: Fix the memory map phy: ti: fix Kconfig warning and operator precedence NFSD: fix use-after-free in nfsd4_ssc_setup_dul() ARM: dts: at91: sam9x60: fix the ddr clock for sam9x60 amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent amd-xgbe: Delay AN timeout during KR training bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() net: nfc: Fix use-after-free in local_cleanup() net: wan: Add checks for NULL for utdm in undo_uhdlc_init and unmap_si_regs net: enetc: avoid deadlock in enetc_tx_onestep_tstamp() sch_htb: Avoid grafting on htb_destroy_class_offload when destroying htb gpio: use raw spinlock for gpio chip shadowed data gpio: mxc: Protect GPIO irqchip RMW with bgpio spinlock gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid pinctrl/rockchip: Use temporary variable for struct device pinctrl/rockchip: add error handling for pull/drive register getters pinctrl: rockchip: fix reading pull type on rk3568 net: stmmac: Fix queue statistics reading net/sched: sch_taprio: fix possible use-after-free l2tp: Serialize access to sk_user_data with sk_callback_lock l2tp: Don't sleep and disable BH under writer-side sk_callback_lock l2tp: convert l2tp_tunnel_list to idr l2tp: close all race conditions in l2tp_tunnel_register() octeontx2-pf: Avoid use of GFP_KERNEL in atomic context net: usb: sr9700: Handle negative len net: mdio: validate parameter addr in mdiobus_get_phy() HID: check empty report_list in hid_validate_values() HID: check empty report_list in bigben_probe() net: stmmac: fix invalid call to mdiobus_get_phy() pinctrl: rockchip: fix mux route data for rk3568 HID: revert CHERRY_MOUSE_000C quirk usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait usb: gadget: f_fs: Ensure ep0req is dequeued before free_request Bluetooth: Fix possible deadlock in rfcomm_sk_state_change net: ipa: disable ipa interrupt during suspend net/mlx5: E-switch, Fix setting of reserved fields on MODIFY_SCHEDULING_ELEMENT net: mlx5: eliminate anonymous module_init & module_exit drm/panfrost: fix GENERIC_ATOMIC64 dependency dmaengine: Fix double increment of client_count in dma_chan_get() net: macb: fix PTP TX timestamp failure due to packet padding virtio-net: correctly enable callback during start_xmit l2tp: prevent lockdep issue in l2tp_tunnel_register() HID: betop: check shape of output reports cifs: fix potential deadlock in cache_refresh_path() dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node() phy: phy-can-transceiver: Skip warning if no "max-bitrate" drm/amd/display: fix issues with driver unload nvme-pci: fix timeout request state check tcp: avoid the lookup process failing to get sk in ehash table octeontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt ptdma: pt_core_execute_cmd() should use spinlock device property: fix of node refcount leak in fwnode_graph_get_next_endpoint() w1: fix deadloop in __w1_remove_master_device() w1: fix WARNING after calling w1_process() driver core: Fix test_async_probe_init saves device in wrong array selftests/net: toeplitz: fix race on tpacket_v3 block close net: dsa: microchip: ksz9477: port map correction in ALU table entry register thermal/core: Remove duplicate information when an error occurs thermal/core: Rename 'trips' to 'num_trips' thermal: Validate new state in cur_state_store() thermal/core: fix error code in __thermal_cooling_device_register() thermal: core: call put_device() only after device_register() fails net: stmmac: enable all safety features by default tcp: fix rate_app_limited to default to 1 scsi: iscsi: Fix multiple iSCSI session unbind events sent to userspace cpufreq: Add Tegra234 to cpufreq-dt-platdev blocklist kcsan: test: don't put the expect array on the stack cpufreq: Add SM6375 to cpufreq-dt-platdev blocklist ASoC: fsl_micfil: Correct the number of steps on SX controls net: usb: cdc_ether: add support for Thales Cinterion PLS62-W modem drm: Add orientation quirk for Lenovo ideapad D330-10IGL s390/debug: add _ASM_S390_ prefix to header guard s390: expicitly align _edata and _end symbols on page boundary perf/x86/msr: Add Emerald Rapids perf/x86/intel/uncore: Add Emerald Rapids cpufreq: armada-37xx: stop using 0 as NULL pointer ASoC: fsl_ssi: Rename AC'97 streams to avoid collisions with AC'97 CODEC ASoC: fsl-asoc-card: Fix naming of AC'97 CODEC widgets spi: spidev: remove debug messages that access spidev->spi without locking KVM: s390: interrupt: use READ_ONCE() before cmpxchg() scsi: hisi_sas: Set a port invalid only if there are no devices attached when refreshing port id r8152: add vendor/device ID pair for Microsoft Devkit platform/x86: touchscreen_dmi: Add info for the CSL Panther Tab HD platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK lockref: stop doing cpu_relax in the cmpxchg loop firmware: coreboot: Check size of table entry and use flex-array drm/i915: Allow switching away via vga-switcheroo if uninitialized Revert "selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID" drm/i915: Remove unused variable x86: ACPI: cstate: Optimize C3 entry on AMD CPUs fs: reiserfs: remove useless new_opts in reiserfs_remount sysctl: add a new register_sysctl_init() interface kernel/panic: move panic sysctls to its own file panic: unset panic_on_warn inside panic() ubsan: no need to unset panic_on_warn in ubsan_epilogue() kasan: no need to unset panic_on_warn in end_report() exit: Add and use make_task_dead. objtool: Add a missing comma to avoid string concatenation hexagon: Fix function name in die() h8300: Fix build errors from do_exit() to make_task_dead() transition csky: Fix function name in csky_alignment() and die() ia64: make IA64_MCA_RECOVERY bool instead of tristate panic: Separate sysctl logic from CONFIG_SMP exit: Put an upper limit on how often we can oops exit: Expose "oops_count" to sysfs exit: Allow oops_limit to be disabled panic: Consolidate open-coded panic_on_warn checks panic: Introduce warn_limit panic: Expose "warn_count" to sysfs docs: Fix path paste-o for /sys/kernel/warn_count exit: Use READ_ONCE() for all oops/warn limit reads Bluetooth: hci_sync: cancel cmd_timer if hci_open failed drm/amdgpu: complete gfxoff allow signal during suspend without delay scsi: hpsa: Fix allocation size for scsi_host_alloc() KVM: SVM: fix tsc scaling cache logic module: Don't wait for GOING modules tracing: Make sure trace_printk() can output as soon as it can be used trace_events_hist: add check for return value of 'create_hist_field' ftrace/scripts: Update the instructions for ftrace-bisect.sh cifs: Fix oops due to uncleared server->smbd_conn in reconnect i2c: mv64xxx: Remove shutdown method from driver i2c: mv64xxx: Add atomic_xfer method to driver ksmbd: add smbd max io size parameter ksmbd: add max connections parameter ksmbd: do not sign response to session request for guest login ksmbd: downgrade ndr version error message to debug ksmbd: limit pdu length size according to connection status ovl: fail on invalid uid/gid mapping at copy up KVM: x86/vmx: Do not skip segment attributes if unusable bit is set KVM: arm64: GICv4.1: Fix race with doorbell on VPE activation/deactivation thermal: intel: int340x: Protect trip temperature from concurrent updates ipv6: fix reachability confirmation with proxy_ndp ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment EDAC/device: Respect any driver-supplied workqueue polling value EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info net: mana: Fix IRQ name - add PCI and queue number scsi: ufs: core: Fix devfreq deadlocks i2c: designware: use casting of u64 in clock multiplication to avoid overflow netlink: prevent potential spectre v1 gadgets net: fix UaF in netns ops registration error path drm/i915/selftest: fix intel_selftest_modify_policy argument types netfilter: nft_set_rbtree: Switch to node list walk for overlap detection netfilter: nft_set_rbtree: skip elements in transaction from garbage collection netlink: annotate data races around nlk->portid netlink: annotate data races around dst_portid and dst_group netlink: annotate data races around sk_state ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() ipv4: prevent potential spectre v1 gadget in fib_metrics_match() netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE netrom: Fix use-after-free of a listening socket. net/sched: sch_taprio: do not schedule in taprio_reset() sctp: fail if no bound addresses can be used for a given scope riscv/kprobe: Fix instruction simulation of JALR nvme: fix passthrough csi check gpio: mxc: Unlock on error path in mxc_flip_edge() ravb: Rename "no_ptp_cfg_active" and "ptp_cfg_active" variables net: ravb: Fix lack of register setting after system resumed for Gen3 net: ravb: Fix possible hang if RIS2_QFF1 happen net: mctp: mark socks as dead on unhash, prevent re-add thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() net/tg3: resolve deadlock in tg3_reset_task() during EEH net: mdio-mux-meson-g12a: force internal PHY off on mux switch treewide: fix up files incorrectly marked executable tools: gpio: fix -c option of gpio-event-mon Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode" cpufreq: Move to_gov_attr_set() to cpufreq.h cpufreq: governor: Use kobject release() method to free dbs_data kbuild: Allow kernel installation packaging to override pkg-config block: fix and cleanup bio_check_ro x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL netfilter: conntrack: unify established states for SCTP paths perf/x86/amd: fix potential integer overflow on shift of a int Linux 5.15.91 Change-Id: I1a0a227ff3f034e4a07501ebbd97458fb1fec818 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Marcelo Ricardo Leitner
|
3391bd4235 |
sctp: fail if no bound addresses can be used for a given scope
[ Upstream commit 458e279f861d3f61796894cd158b780765a1569f ]
Currently, if you bind the socket to something like:
servaddr.sin6_family = AF_INET6;
servaddr.sin6_port = htons(0);
servaddr.sin6_scope_id = 0;
inet_pton(AF_INET6, "::1", &servaddr.sin6_addr);
And then request a connect to:
connaddr.sin6_family = AF_INET6;
connaddr.sin6_port = htons(20000);
connaddr.sin6_scope_id = if_nametoindex("lo");
inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr);
What the stack does is:
- bind the socket
- create a new asoc
- to handle the connect
- copy the addresses that can be used for the given scope
- try to connect
But the copy returns 0 addresses, and the effect is that it ends up
trying to connect as if the socket wasn't bound, which is not the
desired behavior. This unexpected behavior also allows KASLR leaks
through SCTP diag interface.
The fix here then is, if when trying to copy the addresses that can
be used for the scope used in connect() it returns 0 addresses, bail
out. This is what TCP does with a similar reproducer.
Reported-by: Pietro Borrello <borrello@diag.uniroma1.it>
Fixes:
|
||
|
Greg Kroah-Hartman
|
20ec745823 |
Merge 5.15.86 into android13-5.15-lts
Changes in 5.15.86
drm/amd/display: Manually adjust strobe for DCN303
usb: musb: remove extra check in musb_gadget_vbus_draw
arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins
arm64: dts: qcom: sm8250-sony-xperia-edo: fix touchscreen bias-disable
arm64: dts: qcom: msm8996: Add MSM8996 Pro support
arm64: dts: qcom: msm8996: fix supported-hw in cpufreq OPP tables
arm64: dts: qcom: msm8996: fix GPU OPP table
ARM: dts: qcom: apq8064: fix coresight compatible
arm64: dts: qcom: sdm630: fix UART1 pin bias
arm64: dts: qcom: sdm845-cheza: fix AP suspend pin bias
arm64: dts: qcom: msm8916: Drop MSS fallback compatible
objtool, kcsan: Add volatile read/write instrumentation to whitelist
ARM: dts: stm32: Drop stm32mp15xc.dtsi from Avenger96
ARM: dts: stm32: Fix AV96 WLAN regulator gpio property
drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
arm64: dts: qcom: pm660: Use unique ADC5_VCOIN address in node name
arm64: dts: qcom: sm8250: correct LPASS pin pull down
soc: qcom: llcc: make irq truly optional
arm64: dts: qcom: Correct QMP PHY child node name
arm64: dts: qcom: sm8150: fix UFS PHY registers
arm64: dts: qcom: sm8250: fix UFS PHY registers
arm64: dts: qcom: sm8350: fix UFS PHY registers
arm64: dts: qcom: sm8250: drop bogus DP PHY clock
soc: qcom: apr: make code more reuseable
soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index
arm64: dts: qcom: sm6125: fix SDHCI CQE reg names
arm: dts: spear600: Fix clcd interrupt
soc: ti: knav_qmss_queue: Use pm_runtime_resume_and_get instead of pm_runtime_get_sync
soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe
soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
arm64: Treat ESR_ELx as a 64-bit register
arm64: mm: kfence: only handle translation faults
perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init()
perf/arm_dmc620: Fix hotplug callback leak in dmc620_pmu_init()
perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()
arm64: dts: ti: k3-am65-main: Drop dma-coherent in crypto node
arm64: dts: ti: k3-j721e-main: Drop dma-coherent in crypto node
ARM: dts: nuvoton: Remove bogus unit addresses from fixed-partition nodes
arm64: dts: mt6779: Fix devicetree build warnings
arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators
arm64: dts: mt2712e: Fix unit address for pinctrl node
arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names
arm64: dts: mt2712-evb: Fix usb vbus regulators unit names
arm64: dts: mediatek: pumpkin-common: Fix devicetree warnings
arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name
ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
ARM: dts: turris-omnia: Add ethernet aliases
ARM: dts: turris-omnia: Add switch port 6 node
arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC
seccomp: Move copy_seccomp() to no failure path.
pstore/ram: Fix error return code in ramoops_probe()
ARM: mmp: fix timer_read delay
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
tpm/tpm_ftpm_tee: Fix error handling in ftpm_mod_init()
tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
ovl: store lower path in ovl_inode
ovl: use ovl_copy_{real,upper}attr() wrappers
ovl: remove privs in ovl_copyfile()
ovl: remove privs in ovl_fallocate()
sched/fair: Cleanup task_util and capacity type
sched/uclamp: Fix relationship between uclamp and migration margin
sched/uclamp: Make task_fits_capacity() use util_fits_cpu()
sched/uclamp: Make select_idle_capacity() use util_fits_cpu()
sched/fair: Removed useless update of p->recent_used_cpu
sched/core: Introduce sched_asym_cpucap_active()
sched/uclamp: Make asym_fits_capacity() use util_fits_cpu()
cpuidle: dt: Return the correct numbers of parsed idle states
alpha: fix TIF_NOTIFY_SIGNAL handling
alpha: fix syscall entry in !AUDUT_SYSCALL case
x86/sgx: Reduce delay and interference of enclave release
PM: hibernate: Fix mistake in kerneldoc comment
fs: don't audit the capability check in simple_xattr_list()
cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()
selftests/ftrace: event_triggers: wait longer for test_event_enable
perf: Fix possible memleak in pmu_dev_alloc()
lib/debugobjects: fix stat count and optimize debug_objects_mem_init
platform/x86: huawei-wmi: fix return value calculation
timerqueue: Use rb_entry_safe() in timerqueue_getnext()
proc: fixup uptime selftest
lib/fonts: fix undefined behavior in bit shift for get_default_font
ocfs2: fix memory leak in ocfs2_stack_glue_init()
MIPS: vpe-mt: fix possible memory leak while module exiting
MIPS: vpe-cmp: fix possible memory leak while module exiting
selftests/efivarfs: Add checking of the test return value
PNP: fix name memory leak in pnp_alloc_dev()
perf/x86/intel/uncore: Fix reference count leak in sad_cfg_iio_topology()
perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()
perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()
perf/x86/intel/uncore: Fix reference count leak in __uncore_imc_init_box()
platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()
thermal: core: fix some possible name leaks in error paths
irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
irqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init()
EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()
SUNRPC: Return true/false (not 1/0) from bool functions
NFSD: Finish converting the NFSv2 GETACL result encoder
nfsd: don't call nfsd_file_put from client states seqfile display
genirq/irqdesc: Don't try to remove non-existing sysfs files
cpufreq: amd_freq_sensitivity: Add missing pci_dev_put()
libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
lib/notifier-error-inject: fix error when writing -errno to debugfs file
debugfs: fix error when writing negative value to atomic_t debugfs file
rapidio: fix possible name leaks when rio_add_device() fails
rapidio: rio: fix possible name leak in rio_register_mport()
clocksource/drivers/sh_cmt: Access registers according to spec
mips: ralink: mt7621: define MT7621_SYSC_BASE with __iomem
mips: ralink: mt7621: soc queries and tests as functions
mips: ralink: mt7621: do not use kzalloc too early
futex: Move to kernel/futex/
futex: Resend potentially swallowed owner death notification
cpu/hotplug: Make target_store() a nop when target == state
cpu/hotplug: Do not bail-out in DYING/STARTING sections
clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock()
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()
x86/xen: Fix memory leak in xen_init_lock_cpu()
xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
PM: runtime: Do not call __rpm_callback() from rpm_idle()
platform/chrome: cros_ec_typec: Cleanup switch handle return paths
platform/chrome: cros_ec_typec: zero out stale pointers
platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
platform/x86: intel_scu_ipc: fix possible name leak in __intel_scu_ipc_register()
MIPS: BCM63xx: Add check for NULL for clk in clk_enable
MIPS: OCTEON: warn only once if deprecated link status is being used
lockd: set other missing fields when unlocking files
fs: sysv: Fix sysv_nblocks() returns wrong value
rapidio: fix possible UAF when kfifo_alloc() fails
eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD
relay: fix type mismatch when allocating memory in relay_create_buf()
hfs: Fix OOB Write in hfs_asc2mac
rapidio: devices: fix missing put_device in mport_cdev_open
platform/mellanox: mlxbf-pmc: Fix event typo
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
wifi: rtl8xxxu: Fix reading the vendor of combo chips
drm/bridge: adv7533: remove dynamic lane switching from adv7533 bridge
libbpf: Fix use-after-free in btf_dump_name_dups
libbpf: Fix null-pointer dereference in find_prog_by_sec_insn()
ata: libata: move ata_{port,link,dev}_dbg to standard pr_XXX() macros
ata: add/use ata_taskfile::{error|status} fields
ata: libata: fix NCQ autosense logic
ipmi: kcs: Poll OBF briefly to reduce OBE latency
drm/amdgpu/powerplay/psm: Fix memory leak in power state init
media: v4l2-ctrls: Fix off-by-one error in integer menu control check
media: coda: jpeg: Add check for kmalloc
media: adv748x: afe: Select input port when initializing AFE
media: i2c: ad5820: Fix error path
venus: pm_helpers: Fix error check in vcodec_domains_get()
soreuseport: Fix socket selection for SO_INCOMING_CPU.
media: exynos4-is: don't rely on the v4l2_async_subdev internals
libbpf: Btf dedup identical struct test needs check for nested structs/arrays
can: kvaser_usb: do not increase tx statistics when sending error message frames
can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device
can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event
can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT
can: kvaser_usb_leaf: Set Warning state even without bus errors
can: kvaser_usb: make use of units.h in assignment of frequency
can: kvaser_usb_leaf: Fix improved state not being reported
can: kvaser_usb_leaf: Fix wrong CAN state after stopping
can: kvaser_usb_leaf: Fix bogus restart events
can: kvaser_usb: Add struct kvaser_usb_busparams
can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming
drm/rockchip: lvds: fix PM usage counter unbalance in poweron
clk: renesas: r9a06g032: Repair grave increment error
spi: Update reference to struct spi_controller
drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure
ima: Handle -ESTALE returned by ima_filter_rule_match()
drm/msm/hdmi: drop unused GPIO support
drm/msm/hdmi: use devres helper for runtime PM management
bpf: Fix slot type check in check_stack_write_var_off
media: vivid: fix compose size exceed boundary
media: platform: exynos4-is: fix return value check in fimc_md_probe()
bpf: propagate precision in ALU/ALU64 operations
bpf: Check the other end of slot_type for STACK_SPILL
bpf: propagate precision across all frames, not just the last one
clk: qcom: gcc-sm8250: Use retention mode for USB GDSCs
mtd: Fix device name leak when register device failed in add_mtd_device()
Input: joystick - fix Kconfig warning for JOYSTICK_ADC
wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port
media: camss: Clean up received buffers on failed start of streaming
net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write()
rxrpc: Fix ack.bufferSize to be 0 when generating an ack
bfq: fix waker_bfqq inconsistency crash
drm/radeon: Add the missed acpi_put_table() to fix memory leak
drm/mediatek: Modify dpi power on/off sequence.
ASoC: pxa: fix null-pointer dereference in filter()
libbpf: Fix uninitialized warning in btf_dump_dump_type_data
nvmet: only allocate a single slab for bvecs
regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()
nvme: return err on nvme_init_non_mdts_limits fail
regulator: qcom-rpmh: Fix PMR735a S3 regulator spec
drm/fourcc: Add packed 10bit YUV 4:2:0 format
drm/fourcc: Fix vsub/hsub for Q410 and Q401
integrity: Fix memory leakage in keyring allocation error path
ima: Fix misuse of dereference of pointer in template_desc_init_fields()
block: clear ->slave_dir when dropping the main slave_dir reference
wifi: ath10k: Fix return value in ath10k_pci_init()
drm/msm/a6xx: Fix speed-bin detection vs probe-defer
mtd: lpddr2_nvm: Fix possible null-ptr-deref
Input: elants_i2c - properly handle the reset GPIO when power is off
media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init()
media: solo6x10: fix possible memory leak in solo_sysfs_init()
media: platform: exynos4-is: Fix error handling in fimc_md_init()
media: videobuf-dma-contig: use dma_mmap_coherent
inet: add READ_ONCE(sk->sk_bound_dev_if) in inet_csk_bind_conflict()
mtd: spi-nor: hide jedec_id sysfs attribute if not present
mtd: spi-nor: Fix the number of bytes for the dummy cycles
bpf: Move skb->len == 0 checks into __bpf_redirect
HID: hid-sensor-custom: set fixed size for custom attributes
pinctrl: k210: call of_node_put()
ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT
ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
regulator: core: use kfree_const() to free space conditionally
clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
drm/amdgpu: fix pci device refcount leak
bonding: fix link recovery in mode 2 when updelay is nonzero
mtd: maps: pxa2xx-flash: fix memory leak in probe
drbd: remove call to memset before free device/resource/connection
drbd: destroy workqueue when drbd device was freed
ASoC: qcom: Add checks for devm_kcalloc
media: vimc: Fix wrong function called when vimc_init() fails
media: imon: fix a race condition in send_packet()
clk: imx8mn: rename vpu_pll to m7_alt_pll
clk: imx: replace osc_hdmi with dummy
clk: imx8mn: fix imx8mn_sai2_sels clocks list
clk: imx8mn: fix imx8mn_enet_phy_sels clocks list
pinctrl: pinconf-generic: add missing of_node_put()
media: dvb-core: Fix ignored return value in dvb_register_frontend()
media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC
drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe()
ASoC: dt-bindings: wcd9335: fix reset line polarity in example
ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd
NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding
NFSv4.2: Fix a memory stomp in decode_attr_security_label
NFSv4.2: Fix initialisation of struct nfs4_label
NFSv4: Fix a credential leak in _nfs4_discover_trunking()
NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
NFS: Fix an Oops in nfs_d_automount()
ALSA: asihpi: fix missing pci_disable_device()
wifi: iwlwifi: mvm: fix double free on tx path.
ASoC: mediatek: mt8173: Fix debugfs registration for components
ASoC: mediatek: mt8173: Enable IRQ when pdata is ready
drm/amd/pm/smu11: BACO is supported when it's in BACO state
drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
drm/amdkfd: Fix memory leakage
ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
netfilter: conntrack: set icmpv6 redirects as RELATED
Input: wistron_btns - disable on UML
bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
bpf, sockmap: Fix missing BPF_F_INGRESS flag when using apply_bytes
bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect
bonding: uninitialized variable in bond_miimon_inspect()
spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE
wifi: mac80211: fix memory leak in ieee80211_if_add()
wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails
mt76: stop the radar detector after leaving dfs channel
wifi: mt76: mt7921: fix reporting of TX AGGR histogram
wifi: mt76: fix coverity overrun-call in mt76_get_txpower()
regulator: core: fix module refcount leak in set_supply()
clk: qcom: lpass-sc7180: Fix pm_runtime usage
clk: qcom: clk-krait: fix wrong div2 functions
hsr: Add a rcu-read lock to hsr_forward_skb().
hsr: Avoid double remove of a node.
hsr: Disable netpoll.
hsr: Synchronize sending frames to have always incremented outgoing seq nr.
hsr: Synchronize sequence number updates.
configfs: fix possible memory leak in configfs_create_dir()
regulator: core: fix resource leak in regulator_register()
hwmon: (jc42) Convert register access and caching to regmap/regcache
hwmon: (jc42) Restore the min/max/critical temperatures on resume
bpf, sockmap: fix race in sock_map_free()
ALSA: pcm: Set missing stop_operating flag at undoing trigger start
media: saa7164: fix missing pci_disable_device()
ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
xprtrdma: Fix regbuf data not freed in rpcrdma_req_create()
SUNRPC: Fix missing release socket in rpc_sockname()
NFSv4.x: Fail client initialisation if state manager thread can't run
riscv, bpf: Emit fixed-length instructions for BPF_PSEUDO_FUNC
mmc: alcor: fix return value check of mmc_add_host()
mmc: moxart: fix return value check of mmc_add_host()
mmc: mxcmmc: fix return value check of mmc_add_host()
mmc: pxamci: fix return value check of mmc_add_host()
mmc: rtsx_pci: fix return value check of mmc_add_host()
mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
mmc: toshsd: fix return value check of mmc_add_host()
mmc: vub300: fix return value check of mmc_add_host()
mmc: wmt-sdmmc: fix return value check of mmc_add_host()
mmc: atmel-mci: fix return value check of mmc_add_host()
mmc: omap_hsmmc: fix return value check of mmc_add_host()
mmc: meson-gx: fix return value check of mmc_add_host()
mmc: via-sdmmc: fix return value check of mmc_add_host()
mmc: wbsd: fix return value check of mmc_add_host()
mmc: mmci: fix return value check of mmc_add_host()
mmc: renesas_sdhi: alway populate SCC pointer
memstick: ms_block: Add error handling support for add_disk()
memstick/ms_block: Add check for alloc_ordered_workqueue
mmc: core: Normalize the error handling branch in sd_read_ext_regs()
regulator: qcom-labibb: Fix missing of_node_put() in qcom_labibb_regulator_probe()
media: c8sectpfe: Add of_node_put() when breaking out of loop
media: coda: Add check for dcoda_iram_alloc
media: coda: Add check for kmalloc
clk: samsung: Fix memory leak in _samsung_clk_register_pll()
spi: spi-gpio: Don't set MOSI as an input if not 3WIRE mode
wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
wifi: rtl8xxxu: Fix the channel width reporting
wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
blktrace: Fix output non-blktrace event when blk_classic option enabled
bpf: Do not zero-extend kfunc return values
clk: socfpga: Fix memory leak in socfpga_gate_init()
net: vmw_vsock: vmci: Check memcpy_from_msg()
net: defxx: Fix missing err handling in dfx_init()
net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload()
net: stmmac: fix possible memory leak in stmmac_dvr_probe()
drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop()
ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
net: farsync: Fix kmemleak when rmmods farsync
net/tunnel: wait until all sk_user_data reader finish before releasing the sock
net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave()
net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave()
net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave()
net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave()
hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave()
af_unix: call proto_unregister() in the error path in af_unix_init()
net: amd-xgbe: Fix logic around active and passive cables
net: amd-xgbe: Check only the minimum speed for active/passive cables
can: tcan4x5x: Remove invalid write in clear_interrupts
can: m_can: Call the RAM init directly from m_can_chip_config
can: tcan4x5x: Fix use of register error status mask
net: lan9303: Fix read error execution path
ntb_netdev: Use dev_kfree_skb_any() in interrupt context
sctp: sysctl: make extra pointers netns aware
Bluetooth: MGMT: Fix error report for ADD_EXT_ADV_PARAMS
Bluetooth: btintel: Fix missing free skb in btintel_setup_combined()
Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
stmmac: fix potential division by 0
i40e: Fix the inability to attach XDP program on downed interface
net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error path
apparmor: fix a memleak in multi_transaction_new()
apparmor: fix lockdep warning when removing a namespace
apparmor: Fix abi check to include v8 abi
crypto: hisilicon/qm - fix missing destroy qp_idr
crypto: sun8i-ss - use dma_addr instead u32
crypto: nitrox - avoid double free on error path in nitrox_sriov_init()
scsi: core: Fix a race between scsi_done() and scsi_timeout()
apparmor: Use pointer to struct aa_label for lbs_cred
PCI: dwc: Fix n_fts[] array overrun
RDMA/core: Fix order of nldev_exit call
PCI: pci-epf-test: Register notifier if only core_init_notifier is enabled
f2fs: Fix the race condition of resize flag between resizefs
crypto: rockchip - do not do custom power management
crypto: rockchip - do not store mode globally
crypto: rockchip - add fallback for cipher
crypto: rockchip - add fallback for ahash
crypto: rockchip - better handle cipher key
crypto: rockchip - remove non-aligned handling
crypto: rockchip - rework by using crypto_engine
apparmor: Fix memleak in alloc_ns()
f2fs: fix to invalidate dcc->f2fs_issue_discard in error path
f2fs: fix normal discard process
f2fs: fix to destroy sbi->post_read_wq in error path of f2fs_fill_super()
RDMA/irdma: Report the correct link speed
scsi: qla2xxx: Fix set-but-not-used variable warnings
RDMA/siw: Fix immediate work request flush to completion queue
IB/mad: Don't call to function that might sleep while in atomic context
PCI: vmd: Disable MSI remapping after suspend
RDMA/restrack: Release MR restrack when delete
RDMA/core: Make sure "ib_port" is valid when access sysfs node
RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port
RDMA/siw: Set defined status for work completion with undefined status
scsi: scsi_debug: Fix a warning in resp_write_scat()
crypto: ccree - Remove debugfs when platform_driver_register failed
crypto: cryptd - Use request context instead of stack for sub-request
crypto: hisilicon/qm - add missing pci_dev_put() in q_num_set()
RDMA/hns: Repacing 'dseg_len' by macros in fill_ext_sge_inl_data()
RDMA/hns: Fix ext_sge num error when post send
PCI: Check for alloc failure in pci_request_irq()
RDMA/hfi: Decrease PCI device reference count in error path
crypto: ccree - Make cc_debugfs_global_fini() available for module init function
RDMA/hns: fix memory leak in hns_roce_alloc_mr()
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
dt-bindings: imx6q-pcie: Fix clock names for imx6sx and imx8mq
dt-bindings: visconti-pcie: Fix interrupts array max constraints
scsi: hpsa: Fix possible memory leak in hpsa_init_one()
crypto: tcrypt - Fix multibuffer skcipher speed test mem leak
padata: Always leave BHs disabled when running ->parallel()
padata: Fix list iterator in padata_do_serial()
scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
scsi: hpsa: Fix error handling in hpsa_add_sas_host()
scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
scsi: efct: Fix possible memleak in efct_device_init()
scsi: scsi_debug: Fix a warning in resp_verify()
scsi: scsi_debug: Fix a warning in resp_report_zones()
scsi: fcoe: Fix possible name leak when device_register() fails
scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper()
scsi: ipr: Fix WARNING in ipr_init()
scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
scsi: snic: Fix possible UAF in snic_tgt_create()
RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps()
f2fs: avoid victim selection from previous victim section
RDMA/nldev: Fix failure to send large messages
crypto: amlogic - Remove kcalloc without check
crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe()
riscv/mm: add arch hook arch_clear_hugepage_flags
RDMA/hfi1: Fix error return code in parse_platform_config()
RDMA/srp: Fix error return code in srp_parse_options()
PCI: mt7621: Rename mt7621_pci_ to mt7621_pcie_
PCI: mt7621: Add sentinel to quirks table
orangefs: Fix sysfs not cleanup when dev init failed
RDMA/hns: Fix AH attr queried by query_qp
RDMA/hns: Fix PBL page MTR find
RDMA/hns: Fix page size cap from firmware
RDMA/hns: Fix error code of CMD
crypto: img-hash - Fix variable dereferenced before check 'hdev->req'
hwrng: amd - Fix PCI device refcount leak
hwrng: geode - Fix PCI device refcount leak
IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
RISC-V: Align the shadow stack
drivers: dio: fix possible memory leak in dio_init()
serial: tegra: Read DMA status before terminating
serial: 8250_bcm7271: Fix error handling in brcmuart_init()
class: fix possible memory leak in __class_register()
vfio: platform: Do not pass return buffer to ACPI _RST method
uio: uio_dmem_genirq: Fix missing unlock in irq configuration
uio: uio_dmem_genirq: Fix deadlock between irq config and handling
usb: fotg210-udc: Fix ages old endianness issues
staging: vme_user: Fix possible UAF in tsi148_dma_list_add
usb: typec: Check for ops->exit instead of ops->enter in altmode_exit
usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()
usb: typec: tipd: Cleanup resources if devm_tps6598_psy_register fails
usb: typec: tipd: Fix spurious fwnode_handle_put in error path
extcon: usbc-tusb320: Add support for mode setting and reset
extcon: usbc-tusb320: Add support for TUSB320L
usb: typec: Factor out non-PD fwnode properties
extcon: usbc-tusb320: Factor out extcon into dedicated functions
extcon: usbc-tusb320: Add USB TYPE-C support
extcon: usbc-tusb320: Update state on probe even if no IRQ pending
serial: amba-pl011: avoid SBSA UART accessing DMACR register
serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle.
serial: stm32: move dma_request_chan() before clk_prepare_enable()
serial: pch: Fix PCI device refcount leak in pch_request_dma()
tty: serial: clean up stop-tx part in altera_uart_tx_chars()
tty: serial: altera_uart_{r,t}x_chars() need only uart_port
serial: altera_uart: fix locking in polling mode
serial: sunsab: Fix error handling in sunsab_init()
test_firmware: fix memory leak in test_firmware_init()
misc: ocxl: fix possible name leak in ocxl_file_register_afu()
ocxl: fix pci device refcount leak when calling get_function_0()
misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()
cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
iio: temperature: ltc2983: make bulk write buffer DMA-safe
iio: adis: handle devices that cannot unmask the drdy pin
iio: adis: stylistic changes
iio:imu:adis: Move exports into IIO_ADISLIB namespace
iio: adis: add '__adis_enable_irq()' implementation
counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update
coresight: trbe: remove cpuhp instance node before remove cpuhp state
usb: roles: fix of node refcount leak in usb_role_switch_is_parent()
usb: gadget: f_hid: fix f_hidg lifetime vs cdev
usb: gadget: f_hid: fix refcount leak on error path
drivers: mcb: fix resource leak in mcb_probe()
mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
chardev: fix error handling in cdev_device_add()
i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe
staging: rtl8192u: Fix use after free in ieee80211_rx()
staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()
vme: Fix error not catched in fake_init()
gpiolib: Get rid of redundant 'else'
gpiolib: cdev: fix NULL-pointer dereferences
gpiolib: make struct comments into real kernel docs
gpiolib: protect the GPIO device against being dropped while in use by user-space
i2c: mux: reg: check return value after calling platform_get_resource()
i2c: ismt: Fix an out-of-bounds bug in ismt_access()
usb: storage: Add check for kcalloc
tracing/hist: Fix issue of losting command info in error_log
ksmbd: Fix resource leak in ksmbd_session_rpc_open()
samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe()
thermal/drivers/imx8mm_thermal: Validate temperature range
thermal/drivers/qcom/temp-alarm: Fix inaccurate warning for gen2
thermal/drivers/qcom/lmh: Fix irq handler return value
fbdev: ssd1307fb: Drop optional dependency
fbdev: pm2fb: fix missing pci_disable_device()
fbdev: via: Fix error in via_core_init()
fbdev: vermilion: decrease reference count in error path
fbdev: ep93xx-fb: Add missing clk_disable_unprepare in ep93xxfb_probe()
fbdev: geode: don't build on UML
fbdev: uvesafb: don't build on UML
fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
power: supply: fix residue sysfs file in error handle route of __power_supply_register()
perf trace: Return error if a system call doesn't exist
perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number
perf trace: Handle failure when trace point folder is missed
perf symbol: correction while adjusting symbol
power: supply: z2_battery: Fix possible memleak in z2_batt_probe()
HSI: omap_ssi_core: Fix error handling in ssi_init()
power: supply: ab8500: Fix error handling in ab8500_charger_init()
power: supply: fix null pointer dereferencing in power_supply_get_battery_info
perf stat: Refactor __run_perf_stat() common code
perf stat: Do not delay the workload with --delay
RDMA/siw: Fix pointer cast warning
fs/ntfs3: Avoid UBSAN error on true_sectors_per_clst()
overflow: Implement size_t saturating arithmetic helpers
fs/ntfs3: Harden against integer overflows
iommu/sun50i: Fix reset release
iommu/sun50i: Consider all fault sources for reset
iommu/sun50i: Fix R/W permission check
iommu/sun50i: Fix flush size
iommu/rockchip: fix permission bits in page table entries v2
phy: usb: s2 WoL wakeup_count not incremented for USB->Eth devices
include/uapi/linux/swab: Fix potentially missing __always_inline
pwm: tegra: Improve required rate calculation
fs/ntfs3: Fix slab-out-of-bounds read in ntfs_trim_fs
dmaengine: idxd: Fix crc_val field for completion record
rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0
rtc: cmos: Fix event handler registration ordering issue
rtc: cmos: Fix wake alarm breakage
rtc: cmos: fix build on non-ACPI platforms
rtc: cmos: Call cmos_wake_setup() from cmos_do_probe()
rtc: cmos: Call rtc_wake_setup() from cmos_do_probe()
rtc: cmos: Eliminate forward declarations of some functions
rtc: cmos: Rename ACPI-related functions
rtc: cmos: Disable ACPI RTC event on removal
rtc: snvs: Allow a time difference on clock register read
rtc: pcf85063: Fix reading alarm
iommu/amd: Fix pci device refcount leak in ppr_notifier()
iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
macintosh: fix possible memory leak in macio_add_one_device()
macintosh/macio-adb: check the return value of ioremap()
powerpc/52xx: Fix a resource leak in an error handling path
cxl: Fix refcount leak in cxl_calc_capp_routing
powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds
powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data()
powerpc/perf: callchain validate kernel stack pointer bounds
powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe()
powerpc/hv-gpci: Fix hv_gpci event list
selftests/powerpc: Fix resource leaks
iommu/sun50i: Remove IOMMU_DOMAIN_IDENTITY
pwm: sifive: Call pwm_sifive_update_clock() while mutex is held
pwm: mtk-disp: Fix the parameters calculated by the enabled flag of disp_pwm
pwm: mediatek: always use bus clock for PWM on MT7622
remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()
remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()
remoteproc: qcom_q6v5_pas: disable wakeup on probe fail or remove
remoteproc: qcom_q6v5_pas: detach power domains on remove
remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in adsp_alloc_memory_region()
remoteproc: qcom: q6v5: Fix missing clk_disable_unprepare() in q6v5_wcss_qcs404_power_on()
powerpc/eeh: Drop redundant spinlock initialization
powerpc/pseries/eeh: use correct API for error log size
mfd: bd957x: Fix Kconfig dependency on REGMAP_IRQ
mfd: qcom_rpm: Fix an error handling path in qcom_rpm_probe()
mfd: pm8008: Remove driver data structure pm8008_data
mfd: pm8008: Fix return value check in pm8008_probe()
netfilter: flowtable: really fix NAT IPv6 offload
rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe()
rtc: pcf85063: fix pcf85063_clkout_control
nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
net: macsec: fix net device access prior to holding a lock
mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
block, bfq: fix possible uaf for 'bfqq->bic'
selftests/bpf: Add test for unstable CT lookup API
net: enetc: avoid buffer leaks on xdp_do_redirect() failure
nfc: pn533: Clear nfc_target before being used
unix: Fix race in SOCK_SEQPACKET's unix_dgram_sendmsg()
r6040: Fix kmemleak in probe and remove
igc: Enhance Qbv scheduling by using first flag bit
igc: Use strict cycles for Qbv scheduling
igc: Add checking for basetime less than zero
igc: allow BaseTime 0 enrollment for Qbv
igc: recalculate Qbv end_time by considering cycle time
igc: Lift TAPRIO schedule restriction
igc: Set Qbv start_time and end_time to end_time if not being configured in GCL
rtc: mxc_v2: Add missing clk_disable_unprepare()
selftests: devlink: fix the fd redirect in dummy_reporter_test
openvswitch: Fix flow lookup to use unmasked key
soc: mediatek: pm-domains: Fix the power glitch issue
arm64: dts: mt8183: Fix Mali GPU clock
skbuff: Account for tail adjustment during pull operations
mailbox: mpfs: read the system controller's status
mailbox: arm_mhuv2: Fix return value check in mhuv2_probe()
mailbox: zynq-ipi: fix error handling while device_register() fails
net_sched: reject TCF_EM_SIMPLE case for complex ematch module
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
myri10ge: Fix an error handling path in myri10ge_probe()
net: stream: purge sk_error_queue in sk_stream_kill_queues()
HID: amd_sfh: Add missing check for dma_alloc_coherent
rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state()
arm64: make is_ttbrX_addr() noinstr-safe
video: hyperv_fb: Avoid taking busy spinlock on panic path
x86/hyperv: Remove unregister syscore call from Hyper-V cleanup
binfmt_misc: fix shift-out-of-bounds in check_special_flags
fs: jfs: fix shift-out-of-bounds in dbAllocAG
udf: Avoid double brelse() in udf_rename()
jfs: Fix fortify moan in symlink
fs: jfs: fix shift-out-of-bounds in dbDiscardAG
ACPICA: Fix error code path in acpi_ds_call_control_method()
nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
nilfs2: fix shift-out-of-bounds due to too large exponent of block size
acct: fix potential integer overflow in encode_comp_t()
hfs: fix OOB Read in __hfs_brec_find
drm/etnaviv: add missing quirks for GC300
media: imx-jpeg: Disable useless interrupt to avoid kernel panic
brcmfmac: return error when getting invalid max_flowrings from dongle
wifi: ath9k: verify the expected usb_endpoints are present
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
ASoC: codecs: rt298: Add quirk for KBL-R RVP platform
ipmi: fix memleak when unload ipmi driver
drm/amd/display: prevent memory leak
Revert "drm/amd/display: Limit max DSC target bpp for specific monitors"
qed (gcc13): use u16 for fid to be big enough
bpf: make sure skb->len != 0 when redirecting to a tunneling device
net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
hamradio: baycom_epp: Fix return type of baycom_send_packet()
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
igb: Do not free q_vector unless new one was allocated
drm/amdgpu: Fix type of second parameter in trans_msg() callback
drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback
s390/ctcm: Fix return type of ctc{mp,}m_tx()
s390/netiucv: Fix return type of netiucv_tx()
s390/lcs: Fix return type of lcs_start_xmit()
drm/msm: Use drm_mode_copy()
drm/rockchip: Use drm_mode_copy()
drm/sti: Use drm_mode_copy()
drm/mediatek: Fix return type of mtk_hdmi_bridge_mode_valid()
drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()
md/raid1: stop mdx_raid1 thread when raid1 array run failed
drm/amd/display: fix array index out of bound error in bios parser
net: add atomic_long_t to net_device_stats fields
ipv6/sit: use DEV_STATS_INC() to avoid data-races
mrp: introduce active flags to prevent UAF when applicant uninit
ppp: associate skb with a device at tx
bpf: Prevent decl_tag from being referenced in func_proto arg
ethtool: avoiding integer overflow in ethtool_phys_id()
media: dvb-frontends: fix leak of memory fw
media: dvbdev: adopts refcnt to avoid UAF
media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
blk-mq: fix possible memleak when register 'hctx' failed
drm/amd/display: Use the largest vready_offset in pipe group
libbpf: Avoid enum forward-declarations in public API in C++ mode
regulator: core: fix use_count leakage when handling boot-on
wifi: mt76: do not run mt76u_status_worker if the device is not running
mmc: f-sdh30: Add quirks for broken timeout clock capability
mmc: renesas_sdhi: better reset from HS400 mode
media: si470x: Fix use-after-free in si470x_int_in_callback()
clk: st: Fix memory leak in st_of_quadfs_setup()
crypto: hisilicon/hpre - fix resource leak in remove process
scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs
scsi: ufs: Reduce the START STOP UNIT timeout
scsi: elx: libefc: Fix second parameter type in state callbacks
hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()
tools/include: Add _RET_IP_ and math definitions to kernel.h
KVM: selftests: Fix build regression by using accessor function
hwmon: (jc42) Fix missing unlock on error in jc42_write()
ALSA/ASoC: hda: move/rename snd_hdac_ext_stop_streams to hdac_stream.c
ALSA: hda: add snd_hdac_stop_streams() helper
ASoC: Intel: Skylake: Fix driver hang during shutdown
ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe()
ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link()
ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume()
ASoC: mediatek: mt8183: fix refcount leak in mt8183_mt6358_ts3a227_max98357_dev_probe()
ASoC: wm8994: Fix potential deadlock
ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume()
ASoC: rt5670: Remove unbalanced pm_runtime_put()
drm/i915/display: Don't disable DDI/Transcoder when setting phy test pattern
LoadPin: Ignore the "contents" argument of the LSM hooks
pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion
perf debug: Set debug_peo_args and redirect_to_stderr variable to correct values in perf_quiet_option()
afs: Fix lost servers_outstanding count
pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES
ima: Simplify ima_lsm_copy_rule
ALSA: usb-audio: add the quirk for KT0206 device
ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB
ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list
usb: cdnsp: fix lack of ZLP for ep0
usb: xhci-mtk: fix leakage of shared hcd when fail to set wakeup irq
arm64: dts: qcom: sm8250: fix USB-DP PHY registers
usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode
usb: dwc3: core: defer probe on ulpi_read_id timeout
xhci: Prevent infinite loop in transaction errors recovery for streams
HID: wacom: Ensure bootloader PID is usable in hidraw mode
HID: mcp2221: don't connect hidraw
loop: Fix the max_loop commandline argument treatment when it is set to 0
9p: set req refcount to zero to avoid uninitialized usage
security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6
reiserfs: Add missing calls to reiserfs_security_free()
iio: fix memory leak in iio_device_register_eventset()
iio: adc: ad_sigma_delta: do not use internal iio_dev lock
iio: adc128s052: add proper .data members in adc128_of_match table
regulator: core: fix deadlock on regulator enable
floppy: Fix memory leak in do_floppy_init()
gcov: add support for checksum field
fbdev: fbcon: release buffer when fbcon_do_set_font() failed
ovl: fix use inode directly in rcu-walk mode
btrfs: do not BUG_ON() on ENOMEM when dropping extent items for a range
scsi: qla2xxx: Fix crash when I/O abort times out
net: stmmac: fix errno when create_singlethread_workqueue() fails
media: dvbdev: fix build warning due to comments
media: dvbdev: fix refcnt bug
extcon: usbc-tusb320: Call the Type-C IRQ handler only if a port is registered
mfd: qcom_rpm: Use devm_of_platform_populate() to simplify code
pwm: tegra: Fix 32 bit build
Linux 5.15.86
Change-Id: I4ec30b690e8dbd554044495e26360a86cc042069
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Greg Kroah-Hartman
|
112ff45bb5 |
Merge 5.15.82 into android13-5.15-lts
Changes in 5.15.82
arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored
drm/i915: Create a dummy object for gen6 ppgtt
drm/i915/gt: Use i915_vm_put on ppgtt_create error paths
erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
btrfs: sink iterator parameter to btrfs_ioctl_logical_to_ino
btrfs: free btrfs_path before copying inodes to userspace
spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input clock
btrfs: move QUOTA_ENABLED check to rescan_should_stop from btrfs_qgroup_rescan_worker
btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
drm/display/dp_mst: Fix drm_dp_mst_add_affected_dsc_crtcs() return code
drm/amdgpu: update drm_display_info correctly when the edid is read
drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info correctly when the edid is read"
iio: health: afe4403: Fix oob read in afe4403_read_raw
iio: health:
|
||
|
Greg Kroah-Hartman
|
a924bb92c6 |
Merge 5.15.81 into android13-5.15-lts
Changes in 5.15.81 ASoC: fsl_sai: use local device pointer ASoC: fsl_asrc fsl_esai fsl_sai: allow CONFIG_PM=N serial: Add rs485_supported to uart_port serial: fsl_lpuart: Fill in rs485_supported tty: serial: fsl_lpuart: don't break the on-going transfer when global reset sctp: remove the unnecessary sinfo_stream check in sctp_prsctp_prune_unsent sctp: clear out_curr if all frag chunks of current msg are pruned cifs: introduce new helper for cifs_reconnect() cifs: split out dfs code from cifs_reconnect() cifs: support nested dfs links over reconnect cifs: Fix connections leak when tlink setup failed ata: libata-scsi: simplify __ata_scsi_queuecmd() ata: libata-core: do not issue non-internal commands once EH is pending drm/display: Don't assume dual mode adaptors support i2c sub-addressing nvme: add a bogus subsystem NQN quirk for Micron MTFDKBA2T0TFH nvme-pci: add NVME_QUIRK_BOGUS_NID for Micron Nitro nvme-pci: disable namespace identifiers for the MAXIO MAP1001 nvme-pci: disable write zeroes on various Kingston SSD nvme-pci: add NVME_QUIRK_BOGUS_NID for Netac NV7000 iio: ms5611: Simplify IO callback parameters iio: pressure: ms5611: fixed value compensation bug ceph: do not update snapshot context when there is no new snapshot ceph: avoid putting the realm twice when decoding snaps fails x86/sgx: Create utility to validate user provided offset and length x86/sgx: Add overflow check in sgx_validate_offset_length() binder: validate alloc->mm in ->mmap() handler ceph: Use kcalloc for allocating multiple elements ceph: fix NULL pointer dereference for req->r_session wifi: mac80211: fix memory free error when registering wiphy fail wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support riscv: dts: sifive unleashed: Add PWM controlled LEDs audit: fix undefined behavior in bit shift for AUDIT_BIT wifi: airo: do not assign -1 to unsigned char wifi: mac80211: Fix ack frame idr leak when mesh has no route wifi: ath11k: Fix QCN9074 firmware boot on x86 spi: stm32: fix stm32_spi_prepare_mbr() that halves spi clk for every run selftests/bpf: Add verifier test for release_reference() Revert "net: macsec: report real_dev features when HW offloading is enabled" platform/x86: ideapad-laptop: Disable touchpad_switch platform/x86: touchscreen_dmi: Add info for the RCA Cambio W101 v2 2-in-1 platform/x86/intel/pmt: Sapphire Rapids PMT errata fix platform/x86/intel/hid: Add some ACPI device IDs scsi: ibmvfc: Avoid path failures during live migration scsi: scsi_debug: Make the READ CAPACITY response compliant with ZBC drm: panel-orientation-quirks: Add quirk for Acer Switch V 10 (SW5-017) block, bfq: fix null pointer dereference in bfq_bio_bfqg() arm64/syscall: Include asm/ptrace.h in syscall_wrapper header. nvmet: fix memory leak in nvmet_subsys_attr_model_store_locked Revert "drm/amdgpu: Revert "drm/amdgpu: getting fan speed pwm for vega10 properly"" ALSA: usb-audio: add quirk to fix Hamedal C20 disconnect issue RISC-V: vdso: Do not add missing symbols to version section in linker script MIPS: pic32: treat port as signed integer xfrm: fix "disable_policy" on ipv4 early demux xfrm: replay: Fix ESN wrap around for GSO af_key: Fix send_acquire race with pfkey_register ARM: dts: am335x-pcm-953: Define fixed regulators in root node ASoC: hdac_hda: fix hda pcm buffer overflow issue ASoC: sgtl5000: Reset the CHIP_CLK_CTRL reg on remove ASoC: soc-pcm: Don't zero TDM masks in __soc_pcm_open() x86/hyperv: Restore VP assist page after cpu offlining/onlining scsi: storvsc: Fix handling of srb_status and capacity change events ASoC: max98373: Add checks for devm_kcalloc regulator: core: fix kobject release warning and memory leak in regulator_register() spi: dw-dma: decrease reference count in dw_spi_dma_init_mfld() regulator: core: fix UAF in destroy_regulator() bus: sunxi-rsb: Remove the shutdown callback bus: sunxi-rsb: Support atomic transfers tee: optee: fix possible memory leak in optee_register_device() ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl selftests: mptcp: more stable simult_flows tests selftests: mptcp: fix mibit vs mbit mix up net: liquidio: simplify if expression rxrpc: Allow list of in-use local UDP endpoints to be viewed in /proc rxrpc: Use refcount_t rather than atomic_t rxrpc: Fix race between conn bundle lookup and bundle removal [ZDI-CAN-15975] net: dsa: sja1105: disallow C45 transactions on the BASE-TX MDIO bus nfc/nci: fix race with opening and closing net: pch_gbe: fix potential memleak in pch_gbe_tx_queue() 9p/fd: fix issue of list_del corruption in p9_fd_cancel() netfilter: conntrack: Fix data-races around ct mark netfilter: nf_tables: do not set up extensions for end interval iavf: Fix a crash during reset task iavf: Do not restart Tx queues after reset task failure iavf: Fix race condition between iavf_shutdown and iavf_remove ARM: mxs: fix memory leak in mxs_machine_init() ARM: dts: imx6q-prti6q: Fix ref/tcxo-clock-frequency properties net: ethernet: mtk_eth_soc: fix error handling in mtk_open() net/mlx4: Check retval of mlx4_bitmap_init net: mvpp2: fix possible invalid pointer dereference net/qla3xxx: fix potential memleak in ql3xxx_send() octeontx2-af: debugsfs: fix pci device refcount leak net: pch_gbe: fix pci device refcount leak while module exiting nfp: fill splittable of devlink_port_attrs correctly nfp: add port from netdev validation for EEPROM access macsec: Fix invalid error code set Drivers: hv: vmbus: fix double free in the error path of vmbus_add_channel_work() Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register() netfilter: ipset: regression in ip_set_hash_ip.c net/mlx5: Do not query pci info while pci disabled net/mlx5: Fix FW tracer timestamp calculation net/mlx5: Fix handling of entry refcount when command is not issued to FW tipc: set con sock in tipc_conn_alloc tipc: add an extra conn_get in tipc_conn_alloc tipc: check skb_linearize() return value in tipc_disc_rcv() xfrm: Fix oops in __xfrm_state_delete() xfrm: Fix ignored return value in xfrm6_init() net: wwan: iosm: use ACPI_FREE() but not kfree() in ipc_pcie_read_bios_cfg() sfc: fix potential memleak in __ef100_hard_start_xmit() net: sparx5: fix error handling in sparx5_port_open() net: sched: allow act_ct to be built without NF_NAT NFC: nci: fix memory leak in nci_rx_data_packet() regulator: twl6030: re-add TWL6032_SUBCLASS bnx2x: fix pci device refcount leak in bnx2x_vf_is_pcie_pending() dma-buf: fix racing conflict of dma_heap_add() netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface netfilter: flowtable_offload: add missing locking fs: do not update freeing inode i_io_list dccp/tcp: Reset saddr on failure after inet6?_hash_connect(). ipv4: Fix error return code in fib_table_insert() arcnet: fix potential memory leak in com20020_probe() s390/dasd: fix no record found for raw_track_access nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION nfc: st-nci: fix memory leaks in EVT_TRANSACTION nfc: st-nci: fix incorrect sizing calculations in EVT_TRANSACTION net: enetc: manage ENETC_F_QBV in priv->active_offloads only when enabled net: enetc: cache accesses to &priv->si->hw net: enetc: preserve TX ring priority across reconfiguration octeontx2-pf: Add check for devm_kcalloc octeontx2-af: Fix reference count issue in rvu_sdp_init() net: thunderx: Fix the ACPI memory leak s390/crashdump: fix TOD programmable field size lib/vdso: use "grep -E" instead of "egrep" init/Kconfig: fix CC_HAS_ASM_GOTO_TIED_OUTPUT test with dash nios2: add FORCE for vmlinuz.gz mmc: sdhci-brcmstb: Re-organize flags mmc: sdhci-brcmstb: Enable Clock Gating to save power mmc: sdhci-brcmstb: Fix SDHCI_RESET_ALL for CQHCI KVM: arm64: pkvm: Fixup boot mode to reflect that the kernel resumes from EL1 usb: dwc3: exynos: Fix remove() function usb: cdnsp: Fix issue with Clear Feature Halt Endpoint usb: cdnsp: fix issue with ZLP - added TD_SIZE = 1 ext4: fix use-after-free in ext4_ext_shift_extents arm64: dts: rockchip: lower rk3399-puma-haikou SD controller clock frequency iio: light: apds9960: fix wrong register for gesture gain iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails bus: ixp4xx: Don't touch bit 7 on IXP42x usb: dwc3: gadget: conditionally remove requests usb: dwc3: gadget: Return -ESHUTDOWN on ep disable usb: dwc3: gadget: Clear ep descriptor last nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty gcov: clang: fix the buffer overflow issue mm: vmscan: fix extreme overreclaim and swap floods KVM: x86: nSVM: leave nested mode on vCPU free KVM: x86: forcibly leave nested mode on vCPU reset KVM: x86: nSVM: harden svm_free_nested against freeing vmcb02 while still in use KVM: x86: add kvm_leave_nested KVM: x86: remove exit_int_info warning in svm_handle_exit x86/tsx: Add a feature bit for TSX control MSR support x86/pm: Add enumeration check before spec MSRs save/restore setup x86/ioremap: Fix page aligned size calculation in __ioremap_caller() Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode ASoC: Intel: bytcht_es8316: Add quirk for the Nanote UMPC-01 tools: iio: iio_generic_buffer: Fix read size serial: 8250: 8250_omap: Avoid RS485 RTS glitch on ->set_termios() Input: goodix - try resetting the controller when no config is set Input: soc_button_array - add use_low_level_irq module parameter Input: soc_button_array - add Acer Switch V 10 to dmi_use_low_level_irq[] Input: i8042 - apply probe defer to more ASUS ZenBook models ASoC: stm32: dfsdm: manage cb buffers cleanup xen-pciback: Allow setting PCI_MSIX_FLAGS_MASKALL too xen/platform-pci: add missing free_irq() in error path platform/x86: asus-wmi: add missing pci_dev_put() in asus_wmi_set_xusb2pr() platform/x86: acer-wmi: Enable SW_TABLET_MODE on Switch V 10 (SW5-017) drm/amdgpu: disable BACO support on more cards zonefs: fix zone report size in __zonefs_io_error() platform/x86: hp-wmi: Ignore Smart Experience App event platform/x86: ideapad-laptop: Fix interrupt storm on fn-lock toggle on some Yoga laptops tcp: configurable source port perturb table size net: usb: qmi_wwan: add Telit 0x103a composition scsi: iscsi: Fix possible memory leak when device_register() failed gpu: host1x: Avoid trying to use GART on Tegra20 dm integrity: flush the journal on suspend dm integrity: clear the journal on suspend fuse: lock inode unconditionally in fuse_fallocate() wifi: wilc1000: validate pairwise and authentication suite offsets wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute wifi: wilc1000: validate number of channels genirq/msi: Shutdown managed interrupts with unsatifiable affinities genirq: Always limit the affinity to online CPUs irqchip/gic-v3: Always trust the managed affinity provided by the core code genirq: Take the proposed affinity at face value if force==true btrfs: free btrfs_path before copying root refs to userspace btrfs: free btrfs_path before copying fspath to userspace btrfs: free btrfs_path before copying subvol info to userspace btrfs: zoned: fix missing endianness conversion in sb_write_pointer btrfs: use kvcalloc in btrfs_get_dev_zone_info btrfs: sysfs: normalize the error handling branch in btrfs_init_sysfs() drm/amd/dc/dce120: Fix audio register mapping, stop triggering KASAN drm/amd/display: No display after resume from WB/CB drm/amdgpu: Enable Aldebaran devices to report CU Occupancy drm/amdgpu: always register an MMU notifier for userptr drm/i915: fix TLB invalidation for Gen12 video and compute engines cifs: fix missed refcounting of ipc tcon Linux 5.15.81 Change-Id: I8add86e459b7e7f0877dbbc9e479a8b208b6bc87 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Firo Yang
|
2addf3cb63 |
sctp: sysctl: make extra pointers netns aware
[ Upstream commit da05cecc4939c0410d56c29e252998b192756318 ] Recently, a customer reported that from their container whose net namespace is different to the host's init_net, they can't set the container's net.sctp.rto_max to any value smaller than init_net.sctp.rto_min. For instance, Host: sudo sysctl net.sctp.rto_min net.sctp.rto_min = 1000 Container: echo 100 > /mnt/proc-net/sctp/rto_min echo 400 > /mnt/proc-net/sctp/rto_max echo: write error: Invalid argument This is caused by the check made from this'commit |
||
|
Zhengchao Shao
|
0dfb9a5663 |
sctp: fix memory leak in sctp_stream_outq_migrate()
[ Upstream commit 9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9 ]
When sctp_stream_outq_migrate() is called to release stream out resources,
the memory pointed to by prio_head in stream out is not released.
The memory leak information is as follows:
unreferenced object 0xffff88801fe79f80 (size 64):
comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s)
hex dump (first 32 bytes):
80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................
90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................
backtrace:
[<ffffffff81b215c6>] kmalloc_trace+0x26/0x60
[<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770
[<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0
[<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30
[<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0
[<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0
[<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120
[<ffffffff8755446a>] __sys_sendto+0x23a/0x340
[<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0
[<ffffffff89978b49>] do_syscall_64+0x39/0xb0
[<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0
Fixes:
|
||
|
Xin Long
|
2ea600b598 |
sctp: clear out_curr if all frag chunks of current msg are pruned
[ Upstream commit 2f201ae14ae0f91dbf1cffea7bb1e29e81d4d108 ]
A crash was reported by Zhen Chen:
list_del corruption, ffffa035ddf01c18->next is NULL
WARNING: CPU: 1 PID: 250682 at lib/list_debug.c:49 __list_del_entry_valid+0x59/0xe0
RIP: 0010:__list_del_entry_valid+0x59/0xe0
Call Trace:
sctp_sched_dequeue_common+0x17/0x70 [sctp]
sctp_sched_fcfs_dequeue+0x37/0x50 [sctp]
sctp_outq_flush_data+0x85/0x360 [sctp]
sctp_outq_uncork+0x77/0xa0 [sctp]
sctp_cmd_interpreter.constprop.0+0x164/0x1450 [sctp]
sctp_side_effects+0x37/0xe0 [sctp]
sctp_do_sm+0xd0/0x230 [sctp]
sctp_primitive_SEND+0x2f/0x40 [sctp]
sctp_sendmsg_to_asoc+0x3fa/0x5c0 [sctp]
sctp_sendmsg+0x3d5/0x440 [sctp]
sock_sendmsg+0x5b/0x70
and in sctp_sched_fcfs_dequeue() it dequeued a chunk from stream
out_curr outq while this outq was empty.
Normally stream->out_curr must be set to NULL once all frag chunks of
current msg are dequeued, as we can see in sctp_sched_dequeue_done().
However, in sctp_prsctp_prune_unsent() as it is not a proper dequeue,
sctp_sched_dequeue_done() is not called to do this.
This patch is to fix it by simply setting out_curr to NULL when the
last frag chunk of current msg is dequeued from out_curr stream in
sctp_prsctp_prune_unsent().
Fixes:
|
||
|
Xin Long
|
1f9f346fbb |
sctp: remove the unnecessary sinfo_stream check in sctp_prsctp_prune_unsent
[ Upstream commit 9f0b773210c27a8f5d98ddb2fc4ba60a42a3285f ]
Since commit
|
||
|
Greg Kroah-Hartman
|
b049ff121c |
Merge 5.15.75 into android13-5.15-lts
Changes in 5.15.75
Revert "fs: check FMODE_LSEEK to control internal pipe splicing"
ALSA: oss: Fix potential deadlock at unregistration
ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free()
ALSA: usb-audio: Fix potential memory leaks
ALSA: usb-audio: Fix NULL dererence at error path
ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530
ALSA: hda/realtek: Correct pin configs for ASUS G533Z
ALSA: hda/realtek: Add quirk for ASUS GV601R laptop
ALSA: hda/realtek: Add Intel Reference SSID to support headset keys
mtd: rawnand: atmel: Unmap streaming DMA mappings
io_uring/net: don't update msg_name if not provided
hv_netvsc: Fix race between VF offering and VF association message from host
cifs: destage dirty pages before re-reading them for cache=none
cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
iio: dac: ad5593r: Fix i2c read protocol requirements
iio: ltc2497: Fix reading conversion results
iio: adc: ad7923: fix channel readings for some variants
iio: pressure: dps310: Refactor startup procedure
iio: pressure: dps310: Reset chip after timeout
xhci: dbc: Fix memory leak in xhci_alloc_dbc()
usb: add quirks for Lenovo OneLink+ Dock
can: kvaser_usb: Fix use of uninitialized completion
can: kvaser_usb_leaf: Fix overread with an invalid command
can: kvaser_usb_leaf: Fix TX queue out of sync after restart
can: kvaser_usb_leaf: Fix CAN state after restart
mmc: sdhci-sprd: Fix minimum clock limit
i2c: designware: Fix handling of real but unexpected device interrupts
fs: dlm: fix race between test_bit() and queue_work()
fs: dlm: handle -EBUSY first in lock arg validation
HID: multitouch: Add memory barriers
quota: Check next/prev free block number after reading from quota file
platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure
ASoC: wcd9335: fix order of Slimbus unprepare/disable
ASoC: wcd934x: fix order of Slimbus unprepare/disable
hwmon: (gsc-hwmon) Call of_node_get() before of_find_xxx API
net: thunderbolt: Enable DMA paths only after rings are enabled
regulator: qcom_rpm: Fix circular deferral regression
arm64: topology: move store_cpu_topology() to shared code
riscv: topology: fix default topology reporting
RISC-V: Make port I/O string accessors actually work
parisc: fbdev/stifb: Align graphics memory size to 4MB
riscv: Allow PROT_WRITE-only mmap()
riscv: Make VM_WRITE imply VM_READ
riscv: always honor the CONFIG_CMDLINE_FORCE when parsing dtb
riscv: Pass -mno-relax only on lld < 15.0.0
UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
nvmem: core: Fix memleak in nvmem_register()
nvme-multipath: fix possible hang in live ns resize with ANA access
nvme-pci: set min_align_mask before calculating max_hw_sectors
Revert "drm/amdgpu: use dirty framebuffer helper"
dmaengine: mxs: use platform_driver_register
drm/virtio: Check whether transferred 2D BO is shmem
drm/virtio: Unlock reservations on virtio_gpu_object_shmem_init() error
drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb()
drm/udl: Restore display mode on resume
arm64: errata: Add Cortex-A55 to the repeat tlbi list
mm/damon: validate if the pmd entry is present before accessing
mm/mmap: undo ->mmap() when arch_validate_flags() fails
xen/gntdev: Prevent leaking grants
xen/gntdev: Accommodate VMA splitting
PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge
serial: 8250: Let drivers request full 16550A feature probing
serial: 8250: Request full 16550A feature probing for OxSemi PCIe devices
NFSD: Protect against send buffer overflow in NFSv3 READDIR
NFSD: Protect against send buffer overflow in NFSv2 READ
NFSD: Protect against send buffer overflow in NFSv3 READ
powercap: intel_rapl: Use standard Energy Unit for SPR Dram RAPL domain
powerpc/boot: Explicitly disable usage of SPE instructions
slimbus: qcom-ngd: use correct error in message of pdr_add_lookup() failure
slimbus: qcom-ngd: cleanup in probe error path
scsi: qedf: Populate sysfs attributes for vport
gpio: rockchip: request GPIO mux to pinctrl when setting direction
pinctrl: rockchip: add pinmux_ops.gpio_set_direction callback
fbdev: smscufx: Fix use-after-free in ufx_ops_open()
ksmbd: fix endless loop when encryption for response fails
ksmbd: Fix wrong return value and message length check in smb2_ioctl()
ksmbd: Fix user namespace mapping
fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
btrfs: fix race between quota enable and quota rescan ioctl
btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer
f2fs: complete checkpoints during remount
f2fs: flush pending checkpoints when freezing super
f2fs: increase the limit for reserve_root
f2fs: fix to do sanity check on destination blkaddr during recovery
f2fs: fix to do sanity check on summary info
hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO
hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero
jbd2: wake up journal waiters in FIFO order, not LIFO
jbd2: fix potential buffer head reference count leak
jbd2: fix potential use-after-free in jbd2_fc_wait_bufs
jbd2: add miss release buffer head in fc_do_one_pass()
ext4: avoid crash when inline data creation follows DIO write
ext4: fix null-ptr-deref in ext4_write_info
ext4: make ext4_lazyinit_thread freezable
ext4: fix check for block being out of directory size
ext4: don't increase iversion counter for ea_inodes
ext4: ext4_read_bh_lock() should submit IO if the buffer isn't uptodate
ext4: place buffer head allocation before handle start
ext4: fix dir corruption when ext4_dx_add_entry() fails
ext4: fix miss release buffer head in ext4_fc_write_inode
ext4: fix potential memory leak in ext4_fc_record_modified_inode()
ext4: fix potential memory leak in ext4_fc_record_regions()
ext4: update 'state->fc_regions_size' after successful memory allocation
livepatch: fix race between fork and KLP transition
ftrace: Properly unset FTRACE_HASH_FL_MOD
ring-buffer: Allow splice to read previous partially read pages
ring-buffer: Have the shortest_full queue be the shortest not longest
ring-buffer: Check pending waiters when doing wake ups as well
ring-buffer: Add ring_buffer_wake_waiters()
ring-buffer: Fix race between reset page and reading page
tracing: Disable interrupt or preemption before acquiring arch_spinlock_t
tracing: Wake up ring buffer waiters on closing of the file
tracing: Wake up waiters when tracing is disabled
tracing: Add ioctl() to force ring buffer waiters to wake up
tracing: Move duplicate code of trace_kprobe/eprobe.c into header
tracing: Add "(fault)" name injection to kernel probes
tracing: Fix reading strings from synthetic events
thunderbolt: Explicitly enable lane adapter hotplug events at startup
efi: libstub: drop pointless get_memory_map() call
media: cedrus: Set the platform driver data earlier
media: cedrus: Fix endless loop in cedrus_h265_skip_bits()
blk-wbt: call rq_qos_add() after wb_normal is initialized
KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility
KVM: nVMX: Unconditionally purge queued/injected events on nested "exit"
KVM: nVMX: Don't propagate vmcs12's PERF_GLOBAL_CTRL settings to vmcs02
KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS
staging: greybus: audio_helper: remove unused and wrong debugfs usage
drm/nouveau/kms/nv140-: Disable interlacing
drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()
drm/i915: Fix watermark calculations for gen12+ RC CCS modifier
drm/i915: Fix watermark calculations for gen12+ MC CCS modifier
drm/i915: Fix watermark calculations for gen12+ CCS+CC modifier
drm/amd/display: Fix vblank refcount in vrr transition
smb3: must initialize two ACL struct fields to zero
selinux: use "grep -E" instead of "egrep"
ima: fix blocking of security.ima xattrs of unsupported algorithms
userfaultfd: open userfaultfds with O_RDONLY
ntfs3: rework xattr handlers and switch to POSIX ACL VFS helpers
thermal: cpufreq_cooling: Check the policy first in cpufreq_cooling_register()
sh: machvec: Use char[] for section boundaries
MIPS: SGI-IP27: Free some unused memory
MIPS: SGI-IP27: Fix platform-device leak in bridge_platform_create()
ARM: 9244/1: dump: Fix wrong pg_level in walk_pmd()
ARM: 9247/1: mm: set readonly for MT_MEMORY_RO with ARM_LPAE
objtool: Preserve special st_shndx indexes in elf_update_symbol
nfsd: Fix a memory leak in an error handling path
SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
SUNRPC: Fix svcxdr_init_encode's buflen calculation
NFSD: Protect against send buffer overflow in NFSv2 READDIR
NFSD: Fix handling of oversized NFSv4 COMPOUND requests
wifi: rtlwifi: 8192de: correct checking of IQK reload
wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()
leds: lm3601x: Don't use mutex after it was destroyed
bpf: Fix reference state management for synchronous callbacks
wifi: mac80211: allow bw change during channel switch in mesh
bpftool: Fix a wrong type cast in btf_dumper_int
spi: mt7621: Fix an error message in mt7621_spi_probe()
x86/resctrl: Fix to restore to original value when re-enabling hardware prefetch register
xsk: Fix backpressure mechanism on Tx
bpf: Disable preemption when increasing per-cpu map_locked
bpf: Propagate error from htab_lock_bucket() to userspace
bpf: Use this_cpu_{inc|dec|inc_return} for bpf_task_storage_busy
Bluetooth: btusb: mediatek: fix WMT failure during runtime suspend
wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
wifi: rtw88: add missing destroy_workqueue() on error path in rtw_core_init()
selftests/xsk: Avoid use-after-free on ctx
spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume()
spi: qup: add missing clk_disable_unprepare on error in spi_qup_pm_resume_runtime()
wifi: rtl8xxxu: Fix skb misuse in TX queue selection
spi: meson-spicc: do not rely on busy flag in pow2 clk ops
bpf: btf: fix truncated last_member_type_id in btf_struct_resolve
wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration
wifi: rtl8xxxu: Remove copy-paste leftover in gen2_update_rate_mask
wifi: mt76: sdio: fix transmitting packet hangs
wifi: mt76: mt7615: add mt7615_mutex_acquire/release in mt7615_sta_set_decap_offload
wifi: mt76: mt7915: do not check state before configuring implicit beamform
Bluetooth: RFCOMM: Fix possible deadlock on socket shutdown/release
net: fs_enet: Fix wrong check in do_pd_setup
bpf: Ensure correct locking around vulnerable function find_vpid()
Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure
netfilter: conntrack: fix the gc rescheduling delay
netfilter: conntrack: revisit the gc initial rescheduling bias
wifi: ath11k: fix number of VHT beamformee spatial streams
x86/microcode/AMD: Track patch allocation size explicitly
x86/cpu: Include the header of init_ia32_feat_ctl()'s prototype
spi: dw: Fix PM disable depth imbalance in dw_spi_bt1_probe
spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe
skmsg: Schedule psock work if the cached skb exists on the psock
i2c: mlxbf: support lock mechanism
Bluetooth: hci_core: Fix not handling link timeouts propertly
xfrm: Reinject transport-mode packets through workqueue
netfilter: nft_fib: Fix for rpath check with VRF devices
spi: s3c64xx: Fix large transfers with DMA
wifi: rtl8xxxu: Fix AIFS written to REG_EDCA_*_PARAM
vhost/vsock: Use kvmalloc/kvfree for larger packets.
eth: alx: take rtnl_lock on resume
mISDN: fix use-after-free bugs in l1oip timer handlers
sctp: handle the error returned from sctp_auth_asoc_init_active_key
tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited
spi: Ensure that sg_table won't be used after being freed
hwmon: (pmbus/mp2888) Fix sensors readouts for MPS Multi-phase mp2888 controller
net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
bnx2x: fix potential memory leak in bnx2x_tpa_stop()
net: wwan: iosm: Call mutex_init before locking it
net/ieee802154: reject zero-sized raw_sendmsg()
once: add DO_ONCE_SLOW() for sleepable contexts
net: mvpp2: fix mvpp2 debugfs leak
drm: bridge: adv7511: fix CEC power down control register offset
drm: bridge: adv7511: unregister cec i2c device after cec adapter
drm/bridge: Avoid uninitialized variable warning
drm/mipi-dsi: Detach devices when removing the host
drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling
drm/bridge: parade-ps8640: Fix regulator supply order
drm/dp_mst: fix drm_dp_dpcd_read return value checks
drm:pl111: Add of_node_put() when breaking out of for_each_available_child_of_node()
ASoC: mt6359: fix tests for platform_get_irq() failure
platform/chrome: fix double-free in chromeos_laptop_prepare()
platform/chrome: fix memory corruption in ioctl
ASoC: tas2764: Allow mono streams
ASoC: tas2764: Drop conflicting set_bias_level power setting
ASoC: tas2764: Fix mute/unmute
platform/x86: msi-laptop: Fix old-ec check for backlight registering
platform/x86: msi-laptop: Fix resource cleanup
platform/chrome: cros_ec_typec: Correct alt mode index
drm/amdgpu: add missing pci_disable_device() in amdgpu_pmops_runtime_resume()
drm/bridge: megachips: Fix a null pointer dereference bug
ASoC: rsnd: Add check for rsnd_mod_power_on
ALSA: hda: beep: Simplify keep-power-at-enable behavior
drm/bochs: fix blanking
drm/omap: dss: Fix refcount leak bugs
drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()
mmc: au1xmmc: Fix an error handling path in au1xmmc_probe()
ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API
drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx
drm/msm/dp: correct 1.62G link rate at dp_catalog_ctrl_config_msa()
drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()
ASoC: codecs: tx-macro: fix kcontrol put
ASoC: da7219: Fix an error handling path in da7219_register_dai_clks()
ALSA: dmaengine: increment buffer pointer atomically
mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe()
ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe
ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe
ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe
ASoC: mt6660: Fix PM disable depth imbalance in mt6660_i2c_probe
ALSA: hda/hdmi: Don't skip notification handling during PM operation
memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()
memory: of: Fix refcount leak bug in of_get_ddr_timings()
memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings()
locks: fix TOCTOU race when granting write lease
soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
soc: qcom: smem_state: Add refcounting for the 'state->of_node'
ARM: dts: imx6qdl-kontron-samx6i: hook up DDC i2c bus
ARM: dts: turris-omnia: Fix mpp26 pin name and comment
ARM: dts: kirkwood: lsxl: fix serial line
ARM: dts: kirkwood: lsxl: remove first ethernet port
ia64: export memory_add_physaddr_to_nid to fix cxl build error
soc/tegra: fuse: Drop Kconfig dependency on TEGRA20_APB_DMA
arm64: dts: ti: k3-j7200: fix main pinmux range
ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family
ARM: Drop CMDLINE_* dependency on ATAGS
ext4: don't run ext4lazyinit for read-only filesystems
arm64: ftrace: fix module PLTs with mcount
ARM: dts: exynos: fix polarity of VBUS GPIO of Origen
iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX
iio: adc: at91-sama5d2_adc: check return status for pressure and touch
iio: adc: at91-sama5d2_adc: lock around oversampling and sample freq
iio: adc: at91-sama5d2_adc: disable/prepare buffer on suspend/resume
iio: inkern: only release the device node when done with it
iio: inkern: fix return value in devm_of_iio_channel_get_by_name()
iio: ABI: Fix wrong format of differential capacitance channel ABI.
iio: magnetometer: yas530: Change data type of hard_offsets to signed
RDMA/mlx5: Don't compare mkey tags in DEVX indirect mkey
usb: common: debug: Check non-standard control requests
clk: meson: Hold reference returned by of_get_parent()
clk: oxnas: Hold reference returned by of_get_parent()
clk: qoriq: Hold reference returned by of_get_parent()
clk: berlin: Add of_node_put() for of_get_parent()
clk: sprd: Hold reference returned by of_get_parent()
clk: tegra: Fix refcount leak in tegra210_clock_init
clk: tegra: Fix refcount leak in tegra114_clock_init
clk: tegra20: Fix refcount leak in tegra20_clock_init
HSI: omap_ssi: Fix refcount leak in ssi_probe
HSI: omap_ssi_port: Fix dma_map_sg error check
media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop
tty: xilinx_uartps: Fix the ignore_status
media: meson: vdec: add missing clk_disable_unprepare on error in vdec_hevc_start()
media: uvcvideo: Fix memory leak in uvc_gpio_parse
media: uvcvideo: Use entity get_cur in uvc_ctrl_set
media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init
RDMA/rxe: Fix "kernel NULL pointer dereference" error
RDMA/rxe: Fix the error caused by qp->sk
misc: ocxl: fix possible refcount leak in afu_ioctl()
fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()
dmaengine: hisilicon: Disable channels when unregister hisi_dma
dmaengine: hisilicon: Fix CQ head update
dmaengine: hisilicon: Add multi-thread support for a DMA channel
dyndbg: fix static_branch manipulation
dyndbg: fix module.dyndbg handling
dyndbg: let query-modname override actual module name
dyndbg: drop EXPORTed dynamic_debug_exec_queries
clk: qcom: sm6115: Select QCOM_GDSC
mtd: devices: docg3: check the return value of devm_ioremap() in the probe
phy: amlogic: phy-meson-axg-mipi-pcie-analog: Hold reference returned by of_get_parent()
phy: phy-mtk-tphy: fix the phy type setting issue
mtd: rawnand: intel: Read the chip-select line from the correct OF node
mtd: rawnand: intel: Remove undocumented compatible string
mtd: rawnand: fsl_elbc: Fix none ECC mode
RDMA/irdma: Align AE id codes to correct flush code and event
RDMA/srp: Fix srp_abort()
RDMA/siw: Always consume all skbuf data in sk_data_ready() upcall.
RDMA/siw: Fix QP destroy to wait for all references dropped.
ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting()
ata: fix ata_id_has_devslp()
ata: fix ata_id_has_ncq_autosense()
ata: fix ata_id_has_dipm()
mtd: rawnand: meson: fix bit map use in meson_nfc_ecc_correct()
md: Replace snprintf with scnprintf
md/raid5: Ensure stripe_fill happens on non-read IO with journal
md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()
RDMA/cm: Use SLID in the work completion as the DLID in responder side
IB: Set IOVA/LENGTH on IB_MR in core/uverbs layers
xhci: Don't show warning for reinit on known broken suspend
usb: gadget: function: fix dangling pnp_string in f_printer.c
drivers: serial: jsm: fix some leaks in probe
serial: 8250: Toggle IER bits on only after irq has been set up
tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown
phy: qualcomm: call clk_disable_unprepare in the error handling
staging: vt6655: fix some erroneous memory clean-up loops
slimbus: qcom-ngd-ctrl: allow compile testing without QCOM_RPROC_COMMON
firmware: google: Test spinlock on panic path to avoid lockups
serial: 8250: Fix restoring termios speed after suspend
scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
scsi: iscsi: Rename iscsi_conn_queue_work()
scsi: iscsi: Add recv workqueue helpers
scsi: iscsi: Run recv path from workqueue
scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()
clk: qcom: apss-ipq6018: mark apcs_alias0_core_clk as critical
clk: qcom: gcc-sm6115: Override default Alpha PLL regs
RDMA/rxe: Fix resize_finish() in rxe_queue.c
fsi: core: Check error number after calling ida_simple_get
mfd: intel_soc_pmic: Fix an error handling path in intel_soc_pmic_i2c_probe()
mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq()
mfd: lp8788: Fix an error handling path in lp8788_probe()
mfd: lp8788: Fix an error handling path in lp8788_irq_init() and lp8788_irq_init()
mfd: fsl-imx25: Fix check for platform_get_irq() errors
mfd: sm501: Add check for platform_driver_register()
clk: mediatek: mt8183: mfgcfg: Propagate rate changes to parent
dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup()
usb: mtu3: fix failed runtime suspend in host only mode
spmi: pmic-arb: correct duplicate APID to PPID mapping logic
clk: vc5: Fix 5P49V6901 outputs disabling when enabling FOD
clk: baikal-t1: Fix invalid xGMAC PTP clock divider
clk: baikal-t1: Add shared xGMAC ref/ptp clocks internal parent
clk: baikal-t1: Add SATA internal ref clock buffer
clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration
clk: imx: scu: fix memleak on platform_device_add() fails
clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
clk: ast2600: BCLK comes from EPLL
mailbox: mpfs: fix handling of the reg property
mailbox: mpfs: account for mbox offsets while sending
mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg
powerpc/configs: Properly enable PAPR_SCM in pseries_defconfig
powerpc/math_emu/efp: Include module.h
powerpc/sysdev/fsl_msi: Add missing of_node_put()
powerpc/pci_dn: Add missing of_node_put()
powerpc/powernv: add missing of_node_put() in opal_export_attrs()
powerpc: Fix fallocate and fadvise64_64 compat parameter combination
x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition
powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5
powerpc: Fix SPE Power ISA properties for e500v1 platforms
powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()
powerpc/pseries/vas: Pass hw_cpu_id to node associativity HCALL
crypto: sahara - don't sleep when in softirq
crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr
hwrng: arm-smccc-trng - fix NO_ENTROPY handling
cgroup: Honor caller's cgroup NS when resolving path
hwrng: imx-rngc - Moving IRQ handler registering after imx_rngc_irq_mask_clear()
crypto: qat - fix default value of WDT timer
crypto: hisilicon/qm - fix missing put dfx access
cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset
iommu/omap: Fix buffer overflow in debugfs
crypto: akcipher - default implementation for setting a private key
crypto: ccp - Release dma channels before dmaengine unrgister
crypto: inside-secure - Change swab to swab32
crypto: qat - fix DMA transfer direction
cifs: return correct error in ->calc_signature()
iommu/iova: Fix module config properly
tracing: kprobe: Fix kprobe event gen test module on exit
tracing: kprobe: Make gen test module work in arm and riscv
tracing/osnoise: Fix possible recursive locking in stop_per_cpu_kthreads
kbuild: remove the target in signal traps when interrupted
kbuild: rpm-pkg: fix breakage when V=1 is used
crypto: marvell/octeontx - prevent integer overflows
crypto: cavium - prevent integer overflow loading firmware
thermal/drivers/qcom/tsens-v0_1: Fix MSM8939 fourth sensor hw_id
ACPI: APEI: do not add task_work to kernel thread to avoid memory leak
f2fs: fix race condition on setting FI_NO_EXTENT flag
f2fs: fix to account FS_CP_DATA_IO correctly
selftest: tpm2: Add Client.__del__() to close /dev/tpm* handle
fs: dlm: fix race in lowcomms
rcu: Avoid triggering strict-GP irq-work when RCU is idle
rcu: Back off upon fill_page_cache_func() allocation failure
rcu-tasks: Convert RCU_LOCKDEP_WARN() to WARN_ONCE()
ACPI: video: Add Toshiba Satellite/Portege Z830 quirk
ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address
cpufreq: intel_pstate: Add Tigerlake support in no-HWP mode
MIPS: BCM47XX: Cast memcmp() of function to (void *)
powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue
thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
ARM: decompressor: Include .data.rel.ro.local
ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1 for StorageD3Enable
x86/entry: Work around Clang __bdos() bug
NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data
NFSD: fix use-after-free on source server when doing inter-server copy
wifi: brcmfmac: fix invalid address access when enabling SCAN log level
bpftool: Clear errno after libcap's checks
ice: set tx_tstamps when creating new Tx rings via ethtool
net: ethernet: ti: davinci_mdio: Add workaround for errata i2329
openvswitch: Fix double reporting of drops in dropwatch
openvswitch: Fix overreporting of drops in dropwatch
tcp: annotate data-race around tcp_md5sig_pool_populated
x86/mce: Retrieve poison range from hardware
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
thunderbolt: Add back Intel Falcon Ridge end-to-end flow control workaround
xfrm: Update ipcomp_scratches with NULL when freed
iavf: Fix race between iavf_close and iavf_reset_task
wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
Bluetooth: btintel: Mark Intel controller to support LE_STATES quirk
regulator: core: Prevent integer underflow
wifi: mt76: mt7921: reset msta->airtime_ac while clearing up hw value
Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times
can: bcm: check the result of can_send() in bcm_can_tx()
wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620
wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620
wifi: rt2x00: set VGC gain for both chains of MT7620
wifi: rt2x00: set SoC wmac clock register
wifi: rt2x00: correctly set BBP register 86 for MT7620
hwmon: (sht4x) do not overflow clamping operation on 32-bit platforms
net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
Bluetooth: L2CAP: Fix user-after-free
r8152: Rate limit overflow messages
drm/nouveau/nouveau_bo: fix potential memory leak in nouveau_bo_alloc()
drm: Use size_t type for len variable in drm_copy_field()
drm: Prevent drm_copy_field() to attempt copying a NULL pointer
drm/komeda: Fix handling of atomic commits in the atomic_commit_tail hook
gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init()
drm/amd/display: fix overflow on MIN_I64 definition
udmabuf: Set ubuf->sg = NULL if the creation of sg table fails
drm: bridge: dw_hdmi: only trigger hotplug event on link change
ALSA: usb-audio: Register card at the last interface
drm/vc4: vec: Fix timings for VEC modes
drm: panel-orientation-quirks: Add quirk for Anbernic Win600
platform/chrome: cros_ec: Notify the PM of wake events during resume
platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading
ASoC: SOF: pci: Change DMI match info to support all Chrome platforms
drm/amdgpu: fix initial connector audio value
drm/meson: reorder driver deinit sequence to fix use-after-free bug
drm/meson: explicitly remove aggregate driver at module unload time
mmc: sdhci-msm: add compatible string check for sdm670
drm/dp: Don't rewrite link config when setting phy test pattern
drm/amd/display: Remove interface for periodic interrupt 1
ARM: dts: imx7d-sdb: config the max pressure for tsc2046
ARM: dts: imx6q: add missing properties for sram
ARM: dts: imx6dl: add missing properties for sram
ARM: dts: imx6qp: add missing properties for sram
ARM: dts: imx6sl: add missing properties for sram
ARM: dts: imx6sll: add missing properties for sram
ARM: dts: imx6sx: add missing properties for sram
kselftest/arm64: Fix validatation termination record after EXTRA_CONTEXT
arm64: dts: imx8mq-librem5: Add bq25895 as max17055's power supply
btrfs: dump extra info if one free space cache has more bitmaps than it should
btrfs: scrub: try to fix super block errors
btrfs: don't print information about space cache or tree every remount
ARM: 9242/1: kasan: Only map modules if CONFIG_KASAN_VMALLOC=n
clk: zynqmp: Fix stack-out-of-bounds in strncpy`
media: cx88: Fix a null-ptr-deref bug in buffer_prepare()
media: platform: fix some double free in meson-ge2d and mtk-jpeg and s5p-mfc
clk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_rate
usb: host: xhci-plat: suspend and resume clocks
usb: host: xhci-plat: suspend/resume clks for brcm
dmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow
scsi: 3w-9xxx: Avoid disabling device if failing to enable it
nbd: Fix hung when signal interrupts nbd_start_device_ioctl()
iommu/arm-smmu-v3: Make default domain type of HiSilicon PTT device to identity
power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()
staging: vt6655: fix potential memory leak
blk-throttle: prevent overflow while calculating wait time
ata: libahci_platform: Sanity check the DT child nodes number
bcache: fix set_at_max_writeback_rate() for multiple attached devices
soundwire: cadence: Don't overwrite msg->buf during write commands
soundwire: intel: fix error handling on dai registration issues
HID: roccat: Fix use-after-free in roccat_read()
eventfd: guard wake_up in eventfd fs calls as well
md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d
usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()
usb: musb: Fix musb_gadget.c rxstate overflow bug
arm64: dts: imx8mp: Add snps,gfladj-refclk-lpm-sel quirk to USB nodes
usb: dwc3: core: Enable GUCTL1 bit 10 for fixing termination error after resume bug
Revert "usb: storage: Add quirk for Samsung Fit flash"
staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()
staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()
scsi: tracing: Fix compile error in trace_array calls when TRACING is disabled
ext2: Use kvmalloc() for group descriptor array
nvme: copy firmware_rev on each init
nvmet-tcp: add bounds check on Transfer Tag
usb: idmouse: fix an uninit-value in idmouse_open
clk: bcm2835: Make peripheral PLLC critical
clk: bcm2835: Round UART input clock up
perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc
io_uring/af_unix: defer registered files gc to io_uring release
io_uring: correct pinned_vm accounting
io_uring/rw: fix short rw error handling
io_uring/rw: fix error'ed retry return values
io_uring/rw: fix unexpected link breakage
mm: hugetlb: fix UAF in hugetlb_handle_userfault
net: ieee802154: return -EINVAL for unknown addr type
ALSA: usb-audio: Fix last interface check for registration
blk-wbt: fix that 'rwb->wc' is always set to 1 in wbt_init()
net: ethernet: ti: davinci_mdio: fix build for mdio bitbang uses
Revert "net/ieee802154: reject zero-sized raw_sendmsg()"
net/ieee802154: don't warn zero-sized raw_sendmsg()
drm/amd/display: Fix build breakage with CONFIG_DEBUG_FS=n
Kconfig.debug: simplify the dependency of DEBUG_INFO_DWARF4/5
Kconfig.debug: add toolchain checks for DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
lib/Kconfig.debug: Add check for non-constant .{s,u}leb128 support to DWARF5
ext4: continue to expand file system when the target size doesn't reach
thermal: intel_powerclamp: Use first online CPU as control_cpu
gcov: support GCC 12.1 and newer compilers
io-wq: Fix memory leak in worker creation
Linux 5.15.75
Change-Id: I5a3ef9688fb31003940d7e1828f863b9d50f1da9
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Xin Long
|
19d636b663 |
sctp: handle the error returned from sctp_auth_asoc_init_active_key
[ Upstream commit 022152aaebe116a25c39818a07e175a8cd3c1e11 ]
When it returns an error from sctp_auth_asoc_init_active_key(), the
active_key is actually not updated. The old sh_key will be freeed
while it's still used as active key in asoc. Then an use-after-free
will be triggered when sending patckets, as found by syzbot:
sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
sctp_set_owner_w net/sctp/socket.c:132 [inline]
sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863
sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
This patch is to fix it by not replacing the sh_key when it returns
errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key().
For sctp_auth_set_active_key(), old active_key_id will be set back
to asoc->active_key_id when the same thing happens.
Fixes:
|
||
|
Greg Kroah-Hartman
|
ace7d3bc60 |
Merge 5.15.59 into android13-5.15-lts
Changes in 5.15.59
Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
Revert "ocfs2: mount shared volume without ha stack"
ntfs: fix use-after-free in ntfs_ucsncmp()
fs: sendfile handles O_NONBLOCK of out_fd
secretmem: fix unhandled fault in truncate
mm: fix page leak with multiple threads mapping the same page
hugetlb: fix memoryleak in hugetlb_mcopy_atomic_pte
asm-generic: remove a broken and needless ifdef conditional
s390/archrandom: prevent CPACF trng invocations in interrupt context
nouveau/svm: Fix to migrate all requested pages
drm/simpledrm: Fix return type of simpledrm_simple_display_pipe_mode_valid()
watch_queue: Fix missing rcu annotation
watch_queue: Fix missing locking in add_watch_to_object()
tcp: Fix data-races around sysctl_tcp_dsack.
tcp: Fix a data-race around sysctl_tcp_app_win.
tcp: Fix a data-race around sysctl_tcp_adv_win_scale.
tcp: Fix a data-race around sysctl_tcp_frto.
tcp: Fix a data-race around sysctl_tcp_nometrics_save.
tcp: Fix data-races around sysctl_tcp_no_ssthresh_metrics_save.
ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS)
ice: do not setup vlan for loopback VSI
scsi: ufs: host: Hold reference returned by of_parse_phandle()
Revert "tcp: change pingpong threshold to 3"
octeontx2-pf: Fix UDP/TCP src and dst port tc filters
tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf.
tcp: Fix a data-race around sysctl_tcp_limit_output_bytes.
tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
scsi: core: Fix warning in scsi_alloc_sgtables()
scsi: mpt3sas: Stop fw fault watchdog work item during system shutdown
net: ping6: Fix memleak in ipv6_renew_options().
ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
net/tls: Remove the context from the list in tls_device_down
igmp: Fix data-races around sysctl_igmp_qrv.
net: pcs: xpcs: propagate xpcs_read error to xpcs_get_state_c37_sgmii
net: sungem_phy: Add of_node_put() for reference returned by of_get_parent()
tcp: Fix a data-race around sysctl_tcp_min_tso_segs.
tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen.
tcp: Fix a data-race around sysctl_tcp_autocorking.
tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit.
Documentation: fix sctp_wmem in ip-sysctl.rst
macsec: fix NULL deref in macsec_add_rxsa
macsec: fix error message in macsec_add_rxsa and _txsa
macsec: limit replay window size with XPN
macsec: always read MACSEC_SA_ATTR_PN as a u64
net: macsec: fix potential resource leak in macsec_add_rxsa() and macsec_add_txsa()
net: mld: fix reference count leak in mld_{query | report}_work()
tcp: Fix data-races around sk_pacing_rate.
net: Fix data-races around sysctl_[rw]mem(_offset)?.
tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns.
tcp: Fix a data-race around sysctl_tcp_comp_sack_slack_ns.
tcp: Fix a data-race around sysctl_tcp_comp_sack_nr.
tcp: Fix data-races around sysctl_tcp_reflect_tos.
ipv4: Fix data-races around sysctl_fib_notify_on_flag_change.
i40e: Fix interface init with MSI interrupts (no MSI-X)
sctp: fix sleep in atomic context bug in timer handlers
octeontx2-pf: cn10k: Fix egress ratelimit configuration
netfilter: nf_queue: do not allow packet truncation below transport header offset
virtio-net: fix the race between refill work and close
perf symbol: Correct address for bss symbols
sfc: disable softirqs for ptp TX
sctp: leave the err path free in sctp_stream_init to sctp_stream_free
ARM: crypto: comment out gcc warning that breaks clang builds
mm/hmm: fault non-owner device private entries
page_alloc: fix invalid watermark check on a negative value
ARM: 9216/1: Fix MAX_DMA_ADDRESS overflow
EDAC/ghes: Set the DIMM label unconditionally
docs/kernel-parameters: Update descriptions for "mitigations=" param with retbleed
locking/rwsem: Allow slowpath writer to ignore handoff bit if not set by first waiter
x86/bugs: Do not enable IBPB at firmware entry when IBPB is not available
Linux 5.15.59
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I00a5e80067e6edfcce68cc0dd54d9bf54c9dbfab
|
||
|
Greg Kroah-Hartman
|
91021ef477 |
Merge 5.15.58 into android-5.15
Changes in 5.15.58 pinctrl: stm32: fix optional IRQ support to gpios riscv: add as-options for modules with assembly compontents mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication lockdown: Fix kexec lockdown bypass with ima policy drm/ttm: fix locking in vmap/vunmap TTM GEM helpers bus: mhi: host: pci_generic: add Telit FN980 v1 hardware revision bus: mhi: host: pci_generic: add Telit FN990 Revert "selftest/vm: verify remap destination address in mremap_test" Revert "selftest/vm: verify mmap addr in mremap_test" PCI: hv: Fix multi-MSI to allow more than one MSI vector PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() PCI: hv: Fix interrupt mapping for multi-MSI serial: mvebu-uart: correctly report configured baudrate value batman-adv: Use netif_rx_any_context() any. Revert "mt76: mt7921: Fix the error handling path of mt7921_pci_probe()" Revert "mt76: mt7921e: fix possible probe failure after reboot" mt76: mt7921: use physical addr to unify register access mt76: mt7921e: fix possible probe failure after reboot mt76: mt7921: Fix the error handling path of mt7921_pci_probe() xfs: fix maxlevels comparisons in the btree staging code xfs: fold perag loop iteration logic into helper function xfs: rename the next_agno perag iteration variable xfs: terminate perag iteration reliably on agcount xfs: fix perag reference leak on iteration race with growfs xfs: prevent a WARN_ONCE() in xfs_ioc_attr_list() r8152: fix a WOL issue ip: Fix data-races around sysctl_ip_default_ttl. xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe RDMA/irdma: Do not advertise 1GB page size for x722 RDMA/irdma: Fix sleep from invalid context BUG pinctrl: ralink: rename MT7628(an) functions to MT76X8 pinctrl: ralink: rename pinctrl-rt2880 to pinctrl-ralink pinctrl: ralink: Check for null return of devm_kcalloc perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() ipv4/tcp: do not use per netns ctl sockets net: tun: split run_ebpf_filter() and pskb_trim() into different "if statement" mm/pagealloc: sysctl: change watermark_scale_factor max limit to 30% sysctl: move some boundary constants from sysctl.c to sysctl_vals tcp: Fix data-races around sysctl_tcp_ecn. drm/amd/display: Support for DMUB HPD interrupt handling drm/amd/display: Add option to defer works of hpd_rx_irq drm/amd/display: Fork thread to offload work of hpd_rx_irq drm/amdgpu/display: add quirk handling for stutter mode drm/amd/display: Ignore First MST Sideband Message Return Error scsi: megaraid: Clear READ queue map's nr_queues scsi: ufs: core: Drop loglevel of WriteBoost message nvme: check for duplicate identifiers earlier nvme: fix block device naming collision e1000e: Enable GPT clock before sending message to CSME Revert "e1000e: Fix possible HW unit hang after an s0ix exit" igc: Reinstate IGC_REMOVED logic and implement it properly ip: Fix data-races around sysctl_ip_no_pmtu_disc. ip: Fix data-races around sysctl_ip_fwd_use_pmtu. ip: Fix data-races around sysctl_ip_fwd_update_priority. ip: Fix data-races around sysctl_ip_nonlocal_bind. ip: Fix a data-race around sysctl_ip_autobind_reuse. ip: Fix a data-race around sysctl_fwmark_reflect. tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. tcp: sk->sk_bound_dev_if once in inet_request_bound_dev_if() tcp: Fix data-races around sysctl_tcp_l3mdev_accept. tcp: Fix data-races around sysctl_tcp_mtu_probing. tcp: Fix data-races around sysctl_tcp_base_mss. tcp: Fix data-races around sysctl_tcp_min_snd_mss. tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor. tcp: Fix a data-race around sysctl_tcp_probe_threshold. tcp: Fix a data-race around sysctl_tcp_probe_interval. net: stmmac: fix pm runtime issue in stmmac_dvr_remove() net: stmmac: fix unbalanced ptp clock issue in suspend/resume flow mtd: rawnand: gpmi: validate controller clock rate mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times net: dsa: microchip: ksz_common: Fix refcount leak bug net: skb: introduce kfree_skb_reason() net: skb: use kfree_skb_reason() in tcp_v4_rcv() net: skb: use kfree_skb_reason() in __udp4_lib_rcv() net: socket: rename SKB_DROP_REASON_SOCKET_FILTER net: skb_drop_reason: add document for drop reasons net: netfilter: use kfree_drop_reason() for NF_DROP net: ipv4: use kfree_skb_reason() in ip_rcv_core() net: ipv4: use kfree_skb_reason() in ip_rcv_finish_core() i2c: mlxcpld: Fix register setting for 400KHz frequency i2c: cadence: Change large transfer count reset logic to be unconditional perf tests: Fix Convert perf time to TSC test for hybrid net: stmmac: fix dma queue left shift overflow issue net/tls: Fix race in TLS device down flow igmp: Fix data-races around sysctl_igmp_llm_reports. igmp: Fix a data-race around sysctl_igmp_max_memberships. igmp: Fix data-races around sysctl_igmp_max_msf. tcp: Fix data-races around keepalive sysctl knobs. tcp: Fix data-races around sysctl_tcp_syn(ack)?_retries. tcp: Fix data-races around sysctl_tcp_syncookies. tcp: Fix data-races around sysctl_tcp_migrate_req. tcp: Fix data-races around sysctl_tcp_reordering. tcp: Fix data-races around some timeout sysctl knobs. tcp: Fix a data-race around sysctl_tcp_notsent_lowat. tcp: Fix a data-race around sysctl_tcp_tw_reuse. tcp: Fix data-races around sysctl_max_syn_backlog. tcp: Fix data-races around sysctl_tcp_fastopen. tcp: Fix data-races around sysctl_tcp_fastopen_blackhole_timeout. iavf: Fix handling of dummy receive descriptors pinctrl: armada-37xx: Use temporary variable for struct device pinctrl: armada-37xx: Make use of the devm_platform_ioremap_resource() pinctrl: armada-37xx: Convert to use dev_err_probe() pinctrl: armada-37xx: use raw spinlocks for regmap to avoid invalid wait context i40e: Fix erroneous adapter reinitialization during recovery process ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero net: stmmac: remove redunctant disable xPCS EEE call gpio: pca953x: only use single read/write for No AI mode gpio: pca953x: use the correct range when do regmap sync gpio: pca953x: use the correct register address when regcache sync during init be2net: Fix buffer overflow in be_get_module_eeprom net: dsa: sja1105: silent spi_device_id warnings net: dsa: vitesse-vsc73xx: silent spi_device_id warnings drm/imx/dcss: Add missing of_node_put() in fail path ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh. ipv4: Fix data-races around sysctl_fib_multipath_hash_policy. ipv4: Fix data-races around sysctl_fib_multipath_hash_fields. ip: Fix data-races around sysctl_ip_prot_sock. udp: Fix a data-race around sysctl_udp_l3mdev_accept. tcp: Fix data-races around sysctl knobs related to SYN option. tcp: Fix a data-race around sysctl_tcp_early_retrans. tcp: Fix data-races around sysctl_tcp_recovery. tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. tcp: Fix a data-race around sysctl_tcp_retrans_collapse. tcp: Fix a data-race around sysctl_tcp_stdurg. tcp: Fix a data-race around sysctl_tcp_rfc1337. tcp: Fix a data-race around sysctl_tcp_abort_on_overflow. tcp: Fix data-races around sysctl_tcp_max_reordering. gpio: gpio-xilinx: Fix integer overflow KVM: selftests: Fix target thread to be migrated in rseq_test spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers KVM: Don't null dereference ops->destroy mm/mempolicy: fix uninit-value in mpol_rebind_policy() bpf: Make sure mac_header was set before using it sched/deadline: Fix BUG_ON condition for deboosted tasks x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS parts dlm: fix pending remove if msg allocation fails x86/uaccess: Implement macros for CMPXCHG on user addresses x86/extable: Tidy up redundant handler functions x86/extable: Get rid of redundant macros x86/mce: Deduplicate exception handling x86/extable: Rework the exception table mechanics x86/extable: Provide EX_TYPE_DEFAULT_MCE_SAFE and EX_TYPE_FAULT_MCE_SAFE bitfield.h: Fix "type of reg too small for mask" test x86/entry_32: Remove .fixup usage x86/extable: Extend extable functionality x86/msr: Remove .fixup usage x86/futex: Remove .fixup usage KVM: x86: Use __try_cmpxchg_user() to emulate atomic accesses xhci: dbc: refactor xhci_dbc_init() xhci: dbc: create and remove dbc structure in dbgtty driver. xhci: dbc: Rename xhci_dbc_init and xhci_dbc_exit xhci: Set HCD flag to defer primary roothub registration mt76: fix use-after-free by removing a non-RCU wcid pointer iwlwifi: fw: uefi: add missing include guards crypto: qat - set to zero DH parameters before free crypto: qat - use pre-allocated buffers in datapath crypto: qat - refactor submission logic crypto: qat - add backlog mechanism crypto: qat - fix memory leak in RSA crypto: qat - remove dma_free_coherent() for RSA crypto: qat - remove dma_free_coherent() for DH crypto: qat - add param check for RSA crypto: qat - add param check for DH crypto: qat - re-enable registration of algorithms exfat: fix referencing wrong parent directory information after renaming tracing: Have event format check not flag %p* on __get_dynamic_array() tracing: Place trace_pid_list logic into abstract functions tracing: Fix return value of trace_pid_write() um: virtio_uml: Allow probing from devicetree um: virtio_uml: Fix broken device handling in time-travel Bluetooth: Add bt_skb_sendmsg helper Bluetooth: Add bt_skb_sendmmsg helper Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg Bluetooth: Fix passing NULL to PTR_ERR Bluetooth: SCO: Fix sco_send_frame returning skb->len Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks exfat: use updated exfat_chain directly during renaming drm/amd/display: Reset DMCUB before HW init drm/amd/display: Optimize bandwidth on following fast update drm/amd/display: Fix surface optimization regression on Carrizo x86/amd: Use IBPB for firmware calls x86/alternative: Report missing return thunk details watchqueue: make sure to serialize 'wqueue->defunct' properly tty: drivers/tty/, stop using tty_schedule_flip() tty: the rest, stop using tty_schedule_flip() tty: drop tty_schedule_flip() tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() net: usb: ax88179_178a needs FLAG_SEND_ZLP watch-queue: remove spurious double semicolon drm/amd/display: Don't lock connection_mutex for DMUB HPD drm/amd/display: invalid parameter check in dmub_hpd_callback x86/extable: Prefer local labels in .set directives KVM: x86: fix typo in __try_cmpxchg_user causing non-atomicness x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm() drm/amdgpu: Off by one in dm_dmub_outbox1_low_irq() x86/entry_32: Fix segment exceptions drm/amd/display: Fix wrong format specifier in amdgpu_dm.c Linux 5.15.58 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Id5d721199f6acc2bdaf37ef7d133904993d9160f |
||
|
Greg Kroah-Hartman
|
a9422ed2f1 |
Merge 5.15.46 into android13-5.15-lts
Changes in 5.15.46
binfmt_flat: do not stop relocating GOT entries prematurely on riscv
parisc/stifb: Implement fb_is_primary_device()
parisc/stifb: Keep track of hardware path of graphics card
RISC-V: Mark IORESOURCE_EXCLUSIVE for reserved mem instead of IORESOURCE_BUSY
riscv: Initialize thread pointer before calling C functions
riscv: Fix irq_work when SMP is disabled
riscv: Wire up memfd_secret in UAPI header
riscv: Move alternative length validation into subsection
ALSA: hda/realtek - Add new type for ALC245
ALSA: hda/realtek: Enable 4-speaker output for Dell XPS 15 9520 laptop
ALSA: hda/realtek - Fix microphone noise on ASUS TUF B550M-PLUS
ALSA: usb-audio: Cancel pending work at closing a MIDI substream
USB: serial: pl2303: fix type detection for odd device
USB: serial: option: add Quectel BG95 modem
USB: new quirk for Dell Gen 2 devices
usb: isp1760: Fix out-of-bounds array access
usb: dwc3: gadget: Move null pinter check to proper place
usb: core: hcd: Add support for deferring roothub registration
fs/ntfs3: Update valid size if -EIOCBQUEUED
fs/ntfs3: Fix fiemap + fix shrink file size (to remove preallocated space)
fs/ntfs3: Keep preallocated only if option prealloc enabled
fs/ntfs3: Check new size for limits
fs/ntfs3: In function ntfs_set_acl_ex do not change inode->i_mode if called from function ntfs_init_acl
fs/ntfs3: Fix some memory leaks in an error handling path of 'log_replay()'
fs/ntfs3: Update i_ctime when xattr is added
fs/ntfs3: Restore ntfs_xattr_get_acl and ntfs_xattr_set_acl functions
cifs: fix potential double free during failed mount
cifs: when extending a file with falloc we should make files not-sparse
xhci: Allow host runtime PM as default for Intel Alder Lake N xHCI
platform/x86: intel-hid: fix _DSM function index handling
x86/MCE/AMD: Fix memory leak when threshold_create_bank() fails
perf/x86/intel: Fix event constraints for ICL
x86/kexec: fix memory leak of elf header buffer
x86/sgx: Set active memcg prior to shmem allocation
ptrace/um: Replace PT_DTRACE with TIF_SINGLESTEP
ptrace/xtensa: Replace PT_SINGLESTEP with TIF_SINGLESTEP
ptrace: Reimplement PTRACE_KILL by always sending SIGKILL
btrfs: add "0x" prefix for unsupported optional features
btrfs: return correct error number for __extent_writepage_io()
btrfs: repair super block num_devices automatically
btrfs: fix the error handling for submit_extent_page() for btrfs_do_readpage()
iommu/vt-d: Add RPLS to quirk list to skip TE disabling
drm/vmwgfx: validate the screen formats
drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes
selftests/bpf: Fix vfs_link kprobe definition
selftests/bpf: Fix parsing of prog types in UAPI hdr for bpftool sync
mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue
b43legacy: Fix assigning negative value to unsigned variable
b43: Fix assigning negative value to unsigned variable
ipw2x00: Fix potential NULL dereference in libipw_xmit()
ipv6: fix locking issues with loops over idev->addr_list
fbcon: Consistently protect deferred_takeover with console_lock()
x86/platform/uv: Update TSC sync state for UV5
ACPICA: Avoid cache flush inside virtual machines
mac80211: minstrel_ht: fix where rate stats are stored (fixes debugfs output)
drm/komeda: return early if drm_universal_plane_init() fails.
drm/amd/display: Disabling Z10 on DCN31
rcu-tasks: Fix race in schedule and flush work
rcu: Make TASKS_RUDE_RCU select IRQ_WORK
sfc: ef10: Fix assigning negative value to unsigned variable
ALSA: jack: Access input_dev under mutex
rtw88: 8821c: fix debugfs rssi value
spi: spi-rspi: Remove setting {src,dst}_{addr,addr_width} based on DMA direction
tools/power turbostat: fix ICX DRAM power numbers
scsi: lpfc: Move cfg_log_verbose check before calling lpfc_dmp_dbg()
scsi: lpfc: Fix SCSI I/O completion and abort handler deadlock
scsi: lpfc: Fix call trace observed during I/O with CMF enabled
cpuidle: PSCI: Improve support for suspend-to-RAM for PSCI OSI mode
drm/amd/pm: fix double free in si_parse_power_table()
ASoC: rsnd: care default case on rsnd_ssiu_busif_err_status_clear()
ASoC: rsnd: care return value from rsnd_node_fixed_index()
ath9k: fix QCA9561 PA bias level
media: venus: hfi: avoid null dereference in deinit
media: pci: cx23885: Fix the error handling in cx23885_initdev()
media: cx25821: Fix the warning when removing the module
md/bitmap: don't set sb values if can't pass sanity check
mmc: jz4740: Apply DMA engine limits to maximum segment size
drivers: mmc: sdhci_am654: Add the quirk to set TESTCD bit
scsi: megaraid: Fix error check return value of register_chrdev()
drm/amdgpu/sdma: Fix incorrect calculations of the wptr of the doorbells
scsi: ufs: Use pm_runtime_resume_and_get() instead of pm_runtime_get_sync()
scsi: lpfc: Fix resource leak in lpfc_sli4_send_seq_to_ulp()
ath11k: disable spectral scan during spectral deinit
ASoC: Intel: bytcr_rt5640: Add quirk for the HP Pro Tablet 408
drm/plane: Move range check for format_count earlier
drm/amd/pm: fix the compile warning
ath10k: skip ath10k_halt during suspend for driver state RESTARTING
arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall
drm: msm: fix error check return value of irq_of_parse_and_map()
scsi: target: tcmu: Fix possible data corruption
ipv6: Don't send rs packets to the interface of ARPHRD_TUNNEL
net/mlx5: fs, delete the FTE when there are no rules attached to it
ASoC: dapm: Don't fold register value changes into notifications
mlxsw: spectrum_dcb: Do not warn about priority changes
mlxsw: Treat LLDP packets as control
drm/amdgpu/psp: move PSP memory alloc from hw_init to sw_init
drm/amdgpu/ucode: Remove firmware load type check in amdgpu_ucode_free_bo
regulator: mt6315: Enforce regulator-compatible, not name
HID: bigben: fix slab-out-of-bounds Write in bigben_probe
of: Support more than one crash kernel regions for kexec -s
ASoC: tscs454: Add endianness flag in snd_soc_component_driver
scsi: lpfc: Alter FPIN stat accounting logic
net: remove two BUG() from skb_checksum_help()
s390/preempt: disable __preempt_count_add() optimization for PROFILE_ALL_BRANCHES
perf/amd/ibs: Cascade pmu init functions' return value
sched/core: Avoid obvious double update_rq_clock warning
spi: stm32-qspi: Fix wait_cmd timeout in APM mode
dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC
ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default
ipmi:ssif: Check for NULL msg when handling events and messages
ipmi: Fix pr_fmt to avoid compilation issues
rtlwifi: Use pr_warn instead of WARN_ONCE
mt76: mt7921: accept rx frames with non-standard VHT MCS10-11
mt76: fix encap offload ethernet type check
media: rga: fix possible memory leak in rga_probe
media: coda: limit frame interval enumeration to supported encoder frame sizes
media: hantro: HEVC: unconditionnaly set pps_{cb/cr}_qp_offset values
media: ccs-core.c: fix failure to call clk_disable_unprepare
media: imon: reorganize serialization
media: cec-adap.c: fix is_configuring state
usbnet: Run unregister_netdev() before unbind() again
openrisc: start CPU timer early in boot
nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags
ASoC: rt5645: Fix errorenous cleanup order
nbd: Fix hung on disconnect request if socket is closed before
drm/amd/pm: update smartshift powerboost calc for smu12
drm/amd/pm: update smartshift powerboost calc for smu13
net: phy: micrel: Allow probing without .driver_data
media: exynos4-is: Fix compile warning
media: hantro: Stop using H.264 parameter pic_num
ASoC: max98357a: remove dependency on GPIOLIB
ASoC: rt1015p: remove dependency on GPIOLIB
ACPI: CPPC: Assume no transition latency if no PCCT
nvme: set non-mdts limits in nvme_scan_work
can: mcp251xfd: silence clang's -Wunaligned-access warning
x86/microcode: Add explicit CPU vendor dependency
net: ipa: ignore endianness if there is no header
m68k: atari: Make Atari ROM port I/O write macros return void
rxrpc: Return an error to sendmsg if call failed
rxrpc, afs: Fix selection of abort codes
afs: Adjust ACK interpretation to try and cope with NAT
eth: tg3: silence the GCC 12 array-bounds warning
char: tpm: cr50_i2c: Suppress duplicated error message in .remove()
selftests/bpf: fix btf_dump/btf_dump due to recent clang change
gfs2: use i_lock spin_lock for inode qadata
scsi: target: tcmu: Avoid holding XArray lock when calling lock_page
IB/rdmavt: add missing locks in rvt_ruc_loopback
ARM: dts: ox820: align interrupt controller node name with dtschema
ARM: dts: socfpga: align interrupt controller node name with dtschema
ARM: dts: s5pv210: align DMA channels with dtschema
arm64: dts: qcom: msm8994: Fix the cont_splash_mem address
arm64: dts: qcom: msm8994: Fix BLSP[12]_DMA channels count
PM / devfreq: rk3399_dmc: Disable edev on remove()
crypto: ccree - use fine grained DMA mapping dir
soc: ti: ti_sci_pm_domains: Check for null return of devm_kcalloc
fs: jfs: fix possible NULL pointer dereference in dbFree()
arm64: dts: qcom: sdm845-xiaomi-beryllium: fix typo in panel's vddio-supply property
ALSA: usb-audio: Add quirk bits for enabling/disabling generic implicit fb
ALSA: usb-audio: Move generic implicit fb quirk entries into quirks.c
ARM: OMAP1: clock: Fix UART rate reporting algorithm
powerpc/fadump: Fix fadump to work with a different endian capture kernel
fat: add ratelimit to fat*_ent_bread()
pinctrl: renesas: rzn1: Fix possible null-ptr-deref in sh_pfc_map_resources()
ARM: versatile: Add missing of_node_put in dcscb_init
ARM: dts: exynos: add atmel,24c128 fallback to Samsung EEPROM
ARM: hisi: Add missing of_node_put after of_find_compatible_node
cpufreq: Avoid unnecessary frequency updates due to mismatch
powerpc/rtas: Keep MSR[RI] set when calling RTAS
PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()
KVM: PPC: Book3S HV Nested: L2 LPCR should inherit L1 LPES setting
alpha: fix alloc_zeroed_user_highpage_movable()
tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate
powerpc/powernv/vas: Assign real address to rx_fifo in vas_rx_win_attr
powerpc/xics: fix refcount leak in icp_opal_init()
powerpc/powernv: fix missing of_node_put in uv_init()
macintosh/via-pmu: Fix build failure when CONFIG_INPUT is disabled
powerpc/iommu: Add missing of_node_put in iommu_init_early_dart
smb3: check for null tcon
RDMA/hfi1: Prevent panic when SDMA is disabled
Input: gpio-keys - cancel delayed work only in case of GPIO
drm: fix EDID struct for old ARM OABI format
drm/bridge_connector: enable HPD by default if supported
dt-bindings: display: sitronix, st7735r: Fix backlight in example
drm/vmwgfx: Fix an invalid read
ath11k: acquire ab->base_lock in unassign when finding the peer by addr
drm: bridge: it66121: Fix the register page length
ath9k: fix ar9003_get_eepmisc
drm/edid: fix invalid EDID extension block filtering
drm/bridge: adv7511: clean up CEC adapter when probe fails
drm: bridge: icn6211: Fix register layout
drm: bridge: icn6211: Fix HFP_HSW_HBP_HI and HFP_MIN handling
mtd: spinand: gigadevice: fix Quad IO for GD5F1GQ5UExxG
spi: qcom-qspi: Add minItems to interconnect-names
ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe
ASoC: mediatek: Fix missing of_node_put in mt2701_wm8960_machine_probe
x86/delay: Fix the wrong asm constraint in delay_loop()
drm/vc4: hvs: Fix frame count register readout
drm/mediatek: Fix mtk_cec_mask()
drm/vc4: hvs: Reset muxes at probe time
drm/vc4: txp: Don't set TXP_VSTART_AT_EOF
drm/vc4: txp: Force alpha to be 0xff if it's disabled
libbpf: Don't error out on CO-RE relos for overriden weak subprogs
x86/PCI: Fix ALi M1487 (IBC) PIRQ router link value interpretation
mptcp: reset the packet scheduler on PRIO change
nl80211: show SSID for P2P_GO interfaces
drm/komeda: Fix an undefined behavior bug in komeda_plane_add()
drm: mali-dp: potential dereference of null pointer
spi: spi-ti-qspi: Fix return value handling of wait_for_completion_timeout
scftorture: Fix distribution of short handler delays
net: dsa: mt7530: 1G can also support 1000BASE-X link mode
ixp4xx_eth: fix error check return value of platform_get_irq()
NFC: NULL out the dev->rfkill to prevent UAF
efi: Add missing prototype for efi_capsule_setup_info
device property: Check fwnode->secondary when finding properties
device property: Allow error pointer to be passed to fwnode APIs
target: remove an incorrect unmap zeroes data deduction
drbd: fix duplicate array initializer
EDAC/dmc520: Don't print an error for each unconfigured interrupt line
mtd: rawnand: denali: Use managed device resources
HID: hid-led: fix maximum brightness for Dream Cheeky
HID: elan: Fix potential double free in elan_input_configured
drm/bridge: Fix error handling in analogix_dp_probe
regulator: da9121: Fix uninit-value in da9121_assign_chip_model()
drm/mediatek: dpi: Use mt8183 output formats for mt8192
signal: Deliver SIGTRAP on perf event asynchronously if blocked
sched/fair: Fix cfs_rq_clock_pelt() for throttled cfs_rq
sched/psi: report zeroes for CPU full at the system level
spi: img-spfi: Fix pm_runtime_get_sync() error checking
cpufreq: Fix possible race in cpufreq online error path
printk: use atomic updates for klogd work
printk: add missing memory barrier to wake_up_klogd()
printk: wake waiters for safe and NMI contexts
ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix
media: i2c: max9286: Use dev_err_probe() helper
media: i2c: max9286: Use "maxim,gpio-poc" property
media: i2c: max9286: fix kernel oops when removing module
media: hantro: Empty encoder capture buffers by default
drm/panel: simple: Add missing bus flags for Innolux G070Y2-L01
ALSA: pcm: Check for null pointer of pointer substream before dereferencing it
mtdblock: warn if opened on NAND
inotify: show inotify mask flags in proc fdinfo
fsnotify: fix wrong lockdep annotations
spi: rockchip: Stop spi slave dma receiver when cs inactive
spi: rockchip: Preset cs-high and clk polarity in setup progress
spi: rockchip: fix missing error on unsupported SPI_CS_HIGH
of: overlay: do not break notify on NOTIFY_{OK|STOP}
selftests/damon: add damon to selftests root Makefile
drm/msm/dp: Modify prototype of encoder based API
drm/msm/hdmi: switch to drm_bridge_connector
drm/msm/dpu: adjust display_v_end for eDP and DP
scsi: iscsi: Fix harmless double shift bug
scsi: ufs: qcom: Fix ufs_qcom_resume()
scsi: ufs: core: Exclude UECxx from SFR dump list
drm/v3d: Fix null pointer dereference of pointer perfmon
selftests/resctrl: Fix null pointer dereference on open failed
libbpf: Fix logic for finding matching program for CO-RE relocation
mtd: spi-nor: core: Check written SR value in spi_nor_write_16bit_sr_and_check()
x86/pm: Fix false positive kmemleak report in msr_build_context()
mtd: rawnand: cadence: fix possible null-ptr-deref in cadence_nand_dt_probe()
mtd: rawnand: intel: fix possible null-ptr-deref in ebu_nand_probe()
x86/speculation: Add missing prototype for unpriv_ebpf_notify()
ASoC: rk3328: fix disabling mclk on pclk probe failure
perf tools: Add missing headers needed by util/data.h
drm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm runtime resume
drm/msm/dp: stop event kernel thread when DP unbind
drm/msm/dp: fix error check return value of irq_of_parse_and_map()
drm/msm/dp: reset DP controller before transmit phy test pattern
drm/msm/dp: do not stop transmitting phy test pattern during DP phy compliance test
drm/msm/dsi: fix error checks and return values for DSI xmit functions
drm/msm/hdmi: check return value after calling platform_get_resource_byname()
drm/msm/hdmi: fix error check return value of irq_of_parse_and_map()
drm/msm: add missing include to msm_drv.c
drm/panel: panel-simple: Fix proper bpc for AM-1280800N3TZQW-T00H
kunit: fix debugfs code to use enum kunit_status, not bool
drm/rockchip: vop: fix possible null-ptr-deref in vop_bind()
spi: cadence-quadspi: fix Direct Access Mode disable for SoCFPGA
perf tools: Use Python devtools for version autodetection rather than runtime
virtio_blk: fix the discard_granularity and discard_alignment queue limits
nl80211: don't hold RTNL in color change request
x86: Fix return value of __setup handlers
irqchip/exiu: Fix acknowledgment of edge triggered interrupts
irqchip/aspeed-i2c-ic: Fix irq_of_parse_and_map() return value
irqchip/aspeed-scu-ic: Fix irq_of_parse_and_map() return value
x86/mm: Cleanup the control_va_addr_alignment() __setup handler
arm64: fix types in copy_highpage()
regulator: core: Fix enable_count imbalance with EXCLUSIVE_GET
drm/msm/dsi: fix address for second DSI PHY on SDM660
drm/msm/dp: fix event thread stuck in wait_event after kthread_stop()
drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected
drm/msm/mdp5: Return error code in mdp5_mixer_release when deadlock is detected
drm/msm: return an error pointer in msm_gem_prime_get_sg_table()
media: uvcvideo: Fix missing check to determine if element is found in list
arm64: stackleak: fix current_top_of_stack()
iomap: iomap_write_failed fix
spi: spi-fsl-qspi: check return value after calling platform_get_resource_byname()
Revert "cpufreq: Fix possible race in cpufreq online error path"
regulator: qcom_smd: Fix up PM8950 regulator configuration
samples: bpf: Don't fail for a missing VMLINUX_BTF when VMLINUX_H is provided
perf/amd/ibs: Use interrupt regs ip for stack unwinding
ath11k: Don't check arvif->is_started before sending management frames
wilc1000: fix crash observed in AP mode with cfg80211_register_netdevice()
HID: amd_sfh: Modify the bus name
HID: amd_sfh: Modify the hid name
ASoC: fsl: Use dev_err_probe() helper
ASoC: fsl: Fix refcount leak in imx_sgtl5000_probe
ASoC: imx-hdmi: Fix refcount leak in imx_hdmi_probe
ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe
regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt
dma-direct: factor out a helper for DMA_ATTR_NO_KERNEL_MAPPING allocations
dma-direct: don't fail on highmem CMA pages in dma_direct_alloc_pages
ASoC: samsung: Use dev_err_probe() helper
ASoC: samsung: Fix refcount leak in aries_audio_probe
block: Fix the bio.bi_opf comment
kselftest/cgroup: fix test_stress.sh to use OUTPUT dir
scripts/faddr2line: Fix overlapping text section failures
media: aspeed: Fix an error handling path in aspeed_video_probe()
media: exynos4-is: Fix PM disable depth imbalance in fimc_is_probe
mt76: mt7921: Fix the error handling path of mt7921_pci_probe()
mt76: do not attempt to reorder received 802.3 packets without agg session
media: st-delta: Fix PM disable depth imbalance in delta_probe
media: atmel: atmel-isc: Fix PM disable depth imbalance in atmel_isc_probe
media: i2c: rdacm2x: properly set subdev entity function
media: exynos4-is: Change clk_disable to clk_disable_unprepare
media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init
media: vsp1: Fix offset calculation for plane cropping
media: atmel: atmel-sama5d2-isc: fix wrong mask in YUYV format check
media: hantro: HEVC: Fix tile info buffer value computation
Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout
Bluetooth: use hdev lock in activate_scan for hci_is_adv_monitoring
Bluetooth: use hdev lock for accept_list and reject_list in conn req
nvme: set dma alignment to dword
m68k: math-emu: Fix dependencies of math emulation support
sctp: read sk->sk_bound_dev_if once in sctp_rcv()
net: hinic: add missing destroy_workqueue in hinic_pf_to_mgmt_init
ASoC: ti: j721e-evm: Fix refcount leak in j721e_soc_probe_*
kselftest/arm64: bti: force static linking
media: ov7670: remove ov7670_power_off from ov7670_remove
media: i2c: ov5648: fix wrong pointer passed to IS_ERR() and PTR_ERR()
media: staging: media: rkvdec: Make use of the helper function devm_platform_ioremap_resource()
media: rkvdec: h264: Fix dpb_valid implementation
media: rkvdec: h264: Fix bit depth wrap in pps packet
regulator: scmi: Fix refcount leak in scmi_regulator_probe
ext4: reject the 'commit' option on ext2 filesystems
drm/msm/a6xx: Fix refcount leak in a6xx_gpu_init
drm: msm: fix possible memory leak in mdp5_crtc_cursor_set()
x86/sev: Annotate stack change in the #VC handler
drm/msm: don't free the IRQ if it was not requested
selftests/bpf: Add missed ima_setup.sh in Makefile
drm/msm/dpu: handle pm_runtime_get_sync() errors in bind path
drm/i915: Fix CFI violation with show_dynamic_id()
thermal/drivers/bcm2711: Don't clamp temperature at zero
thermal/drivers/broadcom: Fix potential NULL dereference in sr_thermal_probe
thermal/core: Fix memory leak in __thermal_cooling_device_register()
thermal/drivers/imx_sc_thermal: Fix refcount leak in imx_sc_thermal_probe
bfq: Relax waker detection for shared queues
bfq: Allow current waker to defend against a tentative one
ASoC: wm2000: fix missing clk_disable_unprepare() on error in wm2000_anc_transition()
PM: domains: Fix initialization of genpd's next_wakeup
net: macb: Fix PTP one step sync support
NFC: hci: fix sleep in atomic context bugs in nfc_hci_hcp_message_tx
ASoC: max98090: Move check for invalid values before casting in max98090_put_enab_tlv()
net: stmmac: selftests: Use kcalloc() instead of kzalloc()
net: stmmac: fix out-of-bounds access in a selftest
hv_netvsc: Fix potential dereference of NULL pointer
hwmon: (pmbus) Check PEC support before reading other registers
rxrpc: Fix listen() setting the bar too high for the prealloc rings
rxrpc: Don't try to resend the request if we're receiving the reply
rxrpc: Fix overlapping ACK accounting
rxrpc: Don't let ack.previousPacket regress
rxrpc: Fix decision on when to generate an IDLE ACK
net: huawei: hinic: Use devm_kcalloc() instead of devm_kzalloc()
hinic: Avoid some over memory allocation
net: dsa: restrict SMSC_LAN9303_I2C kconfig
net/smc: postpone sk_refcnt increment in connect()
dma-direct: factor out dma_set_{de,en}crypted helpers
dma-direct: don't call dma_set_decrypted for remapped allocations
dma-direct: always leak memory that can't be re-encrypted
dma-direct: don't over-decrypt memory
arm64: dts: rockchip: Move drive-impedance-ohm to emmc phy on rk3399
arm64: dts: mt8192: Fix nor_flash status disable typo
PCI/ACPI: Allow D3 only if Root Port can signal and wake from D3
memory: samsung: exynos5422-dmc: Avoid some over memory allocation
ARM: dts: BCM5301X: update CRU block description
ARM: dts: BCM5301X: Update pin controller node name
ARM: dts: suniv: F1C100: fix watchdog compatible
soc: qcom: smp2p: Fix missing of_node_put() in smp2p_parse_ipc
soc: qcom: smsm: Fix missing of_node_put() in smsm_parse_ipc
PCI: cadence: Fix find_first_zero_bit() limit
PCI: rockchip: Fix find_first_zero_bit() limit
PCI: mediatek: Fix refcount leak in mtk_pcie_subsys_powerup()
PCI: dwc: Fix setting error return on MSI DMA mapping failure
ARM: dts: ci4x10: Adapt to changes in imx6qdl.dtsi regarding fec clocks
soc: qcom: llcc: Add MODULE_DEVICE_TABLE()
KVM: nVMX: Leave most VM-Exit info fields unmodified on failed VM-Entry
KVM: nVMX: Clear IDT vectoring on nested VM-Exit for double/triple fault
crypto: qat - set CIPHER capability for QAT GEN2
crypto: qat - set COMPRESSION capability for QAT GEN2
crypto: qat - set CIPHER capability for DH895XCC
crypto: qat - set COMPRESSION capability for DH895XCC
platform/chrome: cros_ec: fix error handling in cros_ec_register()
ARM: dts: imx6dl-colibri: Fix I2C pinmuxing
platform/chrome: Re-introduce cros_ec_cmd_xfer and use it for ioctls
can: xilinx_can: mark bit timing constants as const
ARM: dts: stm32: Fix PHY post-reset delay on Avenger96
ARM: dts: bcm2835-rpi-zero-w: Fix GPIO line name for Wifi/BT
ARM: dts: bcm2837-rpi-cm3-io3: Fix GPIO line names for SMPS I2C
ARM: dts: bcm2837-rpi-3-b-plus: Fix GPIO line name of power LED
ARM: dts: bcm2835-rpi-b: Fix GPIO line names
misc: ocxl: fix possible double free in ocxl_file_register_afu
crypto: marvell/cesa - ECB does not IV
gpiolib: of: Introduce hook for missing gpio-ranges
pinctrl: bcm2835: implement hook for missing gpio-ranges
arm: mediatek: select arch timer for mt7629
pinctrl/rockchip: support deferring other gpio params
pinctrl: mediatek: mt8195: enable driver on mtk platforms
arm64: dts: qcom: qrb5165-rb5: Fix can-clock node name
Drivers: hv: vmbus: Fix handling of messages with transaction ID of zero
powerpc/fadump: fix PT_LOAD segment for boot memory area
mfd: ipaq-micro: Fix error check return value of platform_get_irq()
scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac()
soc: bcm: Check for NULL return of devm_kzalloc()
arm64: dts: ti: k3-am64-mcu: remove incorrect UART base clock rates
ASoC: sh: rz-ssi: Check return value of pm_runtime_resume_and_get()
ASoC: sh: rz-ssi: Propagate error codes returned from platform_get_irq_byname()
ASoC: sh: rz-ssi: Release the DMA channels in rz_ssi_probe() error path
firmware: arm_scmi: Fix list protocols enumeration in the base protocol
nvdimm: Fix firmware activation deadlock scenarios
nvdimm: Allow overwrite in the presence of disabled dimms
pinctrl: mvebu: Fix irq_of_parse_and_map() return value
drivers/base/node.c: fix compaction sysfs file leak
dax: fix cache flush on PMD-mapped pages
drivers/base/memory: fix an unlikely reference counting issue in __add_memory_block()
firmware: arm_ffa: Fix uuid parameter to ffa_partition_probe
firmware: arm_ffa: Remove incorrect assignment of driver_data
list: introduce list_is_head() helper and re-use it in list.h
list: fix a data-race around ep->rdllist
drm/msm/dpu: fix error check return value of irq_of_parse_and_map()
powerpc/8xx: export 'cpm_setbrg' for modules
pinctrl: renesas: r8a779a0: Fix GPIO function on I2C-capable pins
pinctrl: renesas: core: Fix possible null-ptr-deref in sh_pfc_map_resources()
powerpc/idle: Fix return value of __setup() handler
powerpc/4xx/cpm: Fix return value of __setup() handler
RDMA/hns: Add the detection for CMDQ status in the device initialization process
arm64: dts: marvell: espressobin-ultra: fix SPI-NOR config
arm64: dts: marvell: espressobin-ultra: enable front USB3 port
ASoC: atmel-pdmic: Remove endianness flag on pdmic component
ASoC: atmel-classd: Remove endianness flag on class d component
proc: fix dentry/inode overinstantiating under /proc/${pid}/net
ipc/mqueue: use get_tree_nodev() in mqueue_get_tree()
PCI: imx6: Fix PERST# start-up sequence
tty: fix deadlock caused by calling printk() under tty_port->lock
crypto: sun8i-ss - rework handling of IV
crypto: sun8i-ss - handle zero sized sg
crypto: cryptd - Protect per-CPU resource by disabling BH.
ARM: dts: at91: sama7g5: remove interrupt-parent from gic node
hugetlbfs: fix hugetlbfs_statfs() locking
Input: sparcspkr - fix refcount leak in bbc_beep_probe
PCI/AER: Clear MULTI_ERR_COR/UNCOR_RCV bits
PCI: microchip: Fix potential race in interrupt handling
hwrng: omap3-rom - fix using wrong clk_disable() in omap_rom_rng_runtime_resume()
powerpc/64: Only WARN if __pa()/__va() called with bad addresses
powerpc/perf: Fix the threshold compare group constraint for power10
powerpc/perf: Fix the threshold compare group constraint for power9
macintosh: via-pmu and via-cuda need RTC_LIB
powerpc/xive: Add some error handling code to 'xive_spapr_init()'
powerpc/xive: Fix refcount leak in xive_spapr_init
powerpc/fsl_rio: Fix refcount leak in fsl_rio_setup
mfd: davinci_voicecodec: Fix possible null-ptr-deref davinci_vc_probe()
nfsd: destroy percpu stats counters after reply cache shutdown
mailbox: forward the hrtimer if not queued and under a lock
RDMA/hfi1: Prevent use of lock before it is initialized
KVM: LAPIC: Drop pending LAPIC timer injection when canceling the timer
Input: stmfts - do not leave device disabled in stmfts_input_open
OPP: call of_node_put() on error path in _bandwidth_supported()
f2fs: support fault injection for dquot_initialize()
f2fs: fix to do sanity check on inline_dots inode
f2fs: fix dereference of stale list iterator after loop body
iommu/amd: Enable swiotlb in all cases
iommu/mediatek: Fix 2 HW sharing pgtable issue
iommu/mediatek: Add list_del in mtk_iommu_remove
iommu/mediatek: Remove clk_disable in mtk_iommu_remove
iommu/mediatek: Add mutex for m4u_group and m4u_dom in data
i2c: at91: use dma safe buffers
cpufreq: mediatek: Use module_init and add module_exit
cpufreq: mediatek: Unregister platform device on exit
iommu/arm-smmu-v3-sva: Fix mm use-after-free
MIPS: Loongson: Use hwmon_device_register_with_groups() to register hwmon
iommu/mediatek: Fix NULL pointer dereference when printing dev_name
i2c: at91: Initialize dma_buf in at91_twi_xfer()
dmaengine: idxd: Fix the error handling path in idxd_cdev_register()
NFS: Do not report EINTR/ERESTARTSYS as mapping errors
NFS: fsync() should report filesystem errors over EINTR/ERESTARTSYS
NFS: Don't report ENOSPC write errors twice
NFS: Do not report flush errors in nfs_write_end()
NFS: Don't report errors from nfs_pageio_complete() more than once
NFSv4/pNFS: Do not fail I/O when we fail to allocate the pNFS layout
NFS: Further fixes to the writeback error handling
video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup
dmaengine: stm32-mdma: remove GISR1 register
dmaengine: stm32-mdma: fix chan initialization in stm32_mdma_irq_handler()
iommu/amd: Increase timeout waiting for GA log enablement
i2c: npcm: Fix timeout calculation
i2c: npcm: Correct register access width
i2c: npcm: Handle spurious interrupts
i2c: rcar: fix PM ref counts in probe error paths
perf build: Fix btf__load_from_kernel_by_id() feature check
perf c2c: Use stdio interface if slang is not supported
perf jevents: Fix event syntax error caused by ExtSel
video: fbdev: vesafb: Fix a use-after-free due early fb_info cleanup
NFS: Always initialise fattr->label in nfs_fattr_alloc()
NFS: Create a new nfs_alloc_fattr_with_label() function
NFS: Convert GFP_NOFS to GFP_KERNEL
NFSv4.1 mark qualified async operations as MOVEABLE tasks
f2fs: fix to avoid f2fs_bug_on() in dec_valid_node_count()
f2fs: fix to do sanity check on block address in f2fs_do_zero_range()
f2fs: fix to clear dirty inode in f2fs_evict_inode()
f2fs: fix deadloop in foreground GC
f2fs: don't need inode lock for system hidden quota
f2fs: fix to do sanity check on total_data_blocks
f2fs: don't use casefolded comparison for "." and ".."
f2fs: fix fallocate to use file_modified to update permissions consistently
f2fs: fix to do sanity check for inline inode
objtool: Fix objtool regression on x32 systems
objtool: Fix symbol creation
wifi: mac80211: fix use-after-free in chanctx code
iwlwifi: mvm: fix assert 1F04 upon reconfig
fs-writeback: writeback_sb_inodes:Recalculate 'wrote' according skipped pages
efi: Do not import certificates from UEFI Secure Boot for T2 Macs
bfq: Avoid false marking of bic as stably merged
bfq: Avoid merging queues with different parents
bfq: Split shared queues on move between cgroups
bfq: Update cgroup information before merging bio
bfq: Drop pointless unlock-lock pair
bfq: Remove pointless bfq_init_rq() calls
bfq: Track whether bfq_group is still online
bfq: Get rid of __bio_blkcg() usage
bfq: Make sure bfqg for which we are queueing requests is online
ext4: mark group as trimmed only if it was fully scanned
ext4: fix use-after-free in ext4_rename_dir_prepare
ext4: fix race condition between ext4_write and ext4_convert_inline_data
ext4: fix warning in ext4_handle_inode_extension
ext4: fix bug_on in ext4_writepages
ext4: filter out EXT4_FC_REPLAY from on-disk superblock field s_state
ext4: fix bug_on in __es_tree_search
ext4: verify dir block before splitting it
ext4: avoid cycles in directory h-tree
ACPI: property: Release subnode properties with data nodes
tty: goldfish: Introduce gf_ioread32()/gf_iowrite32()
tracing: Fix potential double free in create_var_ref()
tracing: Initialize integer variable to prevent garbage return value
drm/amdgpu: add beige goby PCI ID
PCI/PM: Fix bridge_d3_blacklist[] Elo i2 overwrite of Gigabyte X299
PCI: qcom: Fix runtime PM imbalance on probe errors
PCI: qcom: Fix unbalanced PHY init on probe errors
staging: r8188eu: prevent ->Ssid overflow in rtw_wx_set_scan()
mm, compaction: fast_find_migrateblock() should return pfn in the target zone
s390/perf: obtain sie_block from the right address
s390/stp: clock_delta should be signed
dlm: fix plock invalid read
dlm: uninitialized variable on error in dlm_listen_for_all()
dlm: fix missing lkb refcount handling
ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock
scsi: dc395x: Fix a missing check on list iterator
scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled
landlock: Add clang-format exceptions
landlock: Format with clang-format
selftests/landlock: Add clang-format exceptions
selftests/landlock: Normalize array assignment
selftests/landlock: Format with clang-format
samples/landlock: Add clang-format exceptions
samples/landlock: Format with clang-format
landlock: Fix landlock_add_rule(2) documentation
selftests/landlock: Make tests build with old libc
selftests/landlock: Extend tests for minimal valid attribute size
selftests/landlock: Add tests for unknown access rights
selftests/landlock: Extend access right tests to directories
selftests/landlock: Fully test file rename with "remove" access
selftests/landlock: Add tests for O_PATH
landlock: Change landlock_add_rule(2) argument check ordering
landlock: Change landlock_restrict_self(2) check ordering
selftests/landlock: Test landlock_create_ruleset(2) argument check ordering
landlock: Define access_mask_t to enforce a consistent access mask size
landlock: Reduce the maximum number of layers to 16
landlock: Create find_rule() from unmask_layers()
landlock: Fix same-layer rule unions
drm/amdgpu/cs: make commands with 0 chunks illegal behaviour.
drm/nouveau/subdev/bus: Ratelimit logging for fault errors
drm/etnaviv: check for reaped mapping in etnaviv_iommu_unmap_gem
drm/nouveau/clk: Fix an incorrect NULL check on list iterator
drm/nouveau/kms/nv50-: atom: fix an incorrect NULL check on list iterator
drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX
drm/i915/dsi: fix VBT send packet port selection for ICL+
md: fix an incorrect NULL check in does_sb_need_changing
md: fix an incorrect NULL check in md_reload_sb
mtd: cfi_cmdset_0002: Move and rename chip_check/chip_ready/chip_good_for_write
mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N
media: coda: Fix reported H264 profile
media: coda: Add more H264 levels for CODA960
ima: remove the IMA_TEMPLATE Kconfig option
Kconfig: Add option for asm goto w/ tied outputs to workaround clang-13 bug
RDMA/hfi1: Fix potential integer multiplication overflow errors
mmc: core: Allows to override the timeout value for ioctl() path
csky: patch_text: Fixup last cpu should be master
irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x
irqchip: irq-xtensa-mx: fix initial IRQ affinity
thermal: devfreq_cooling: use local ops instead of global ops
cfg80211: declare MODULE_FIRMWARE for regulatory.db
mac80211: upgrade passive scan to active scan on DFS channels after beacon rx
um: Use asm-generic/dma-mapping.h
um: chan_user: Fix winch_tramp() return value
um: Fix out-of-bounds read in LDT setup
kexec_file: drop weak attribute from arch_kexec_apply_relocations[_add]
ftrace: Clean up hash direct_functions on register failures
ksmbd: fix outstanding credits related bugs
iommu/msm: Fix an incorrect NULL check on list iterator
iommu/dma: Fix iova map result check bug
Revert "mm/cma.c: remove redundant cma_mutex lock"
mm/page_alloc: always attempt to allocate at least one page during bulk allocation
nodemask.h: fix compilation error with GCC12
hugetlb: fix huge_pmd_unshare address update
mm/memremap: fix missing call to untrack_pfn() in pagemap_range()
xtensa/simdisk: fix proc_read_simdisk()
rtl818x: Prevent using not initialized queues
ASoC: rt5514: Fix event generation for "DSP Voice Wake Up" control
carl9170: tx: fix an incorrect use of list iterator
stm: ltdc: fix two incorrect NULL checks on list iterator
bcache: improve multithreaded bch_btree_check()
bcache: improve multithreaded bch_sectors_dirty_init()
bcache: remove incremental dirty sector counting for bch_sectors_dirty_init()
bcache: avoid journal no-space deadlock by reserving 1 journal bucket
serial: pch: don't overwrite xmit->buf[0] by x_char
tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator
gma500: fix an incorrect NULL check on list iterator
arm64: dts: qcom: ipq8074: fix the sleep clock frequency
arm64: tegra: Add missing DFLL reset on Tegra210
clk: tegra: Add missing reset deassertion
phy: qcom-qmp: fix struct clk leak on probe errors
ARM: dts: s5pv210: Remove spi-cs-high on panel in Aries
ARM: pxa: maybe fix gpio lookup tables
SMB3: EBADF/EIO errors in rename/open caused by race condition in smb2_compound_op
docs/conf.py: Cope with removal of language=None in Sphinx 5.0.0
dt-bindings: gpio: altera: correct interrupt-cells
vdpasim: allow to enable a vq repeatedly
blk-iolatency: Fix inflight count imbalances and IO hangs on offline
coresight: core: Fix coresight device probe failure issue
phy: qcom-qmp: fix reset-controller leak on probe errors
net: ipa: fix page free in ipa_endpoint_trans_release()
net: ipa: fix page free in ipa_endpoint_replenish_one()
kseltest/cgroup: Make test_stress.sh work if run interactively
list: test: Add a test for list_is_head()
Revert "random: use static branch for crng_ready()"
staging: r8188eu: delete rtw_wx_read/write32()
RDMA/hns: Remove the num_cqc_timer variable
RDMA/rxe: Generate a completion for unsupported/invalid opcode
MIPS: IP27: Remove incorrect `cpu_has_fpu' override
MIPS: IP30: Remove incorrect `cpu_has_fpu' override
ext4: only allow test_dummy_encryption when supported
interconnect: qcom: sc7180: Drop IP0 interconnects
interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate
fs: add two trivial lookup helpers
exportfs: support idmapped mounts
fs/ntfs3: Fix invalid free in log_replay
md: Don't set mddev private to NULL in raid0 pers->free
md: fix double free of io_acct_set bioset
md: bcache: check the return value of kzalloc() in detached_dev_do_request()
pinctrl/rockchip: support setting input-enable param
block: fix bio_clone_blkg_association() to associate with proper blkcg_gq
Linux 5.15.46
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id50a95d816e662c0cba3d09dbfd561f386d7a52e
|
||
|
Xin Long
|
e796e1fe20 |
sctp: leave the err path free in sctp_stream_init to sctp_stream_free
[ Upstream commit 181d8d2066c000ba0a0e6940a7ad80f1a0e68e9d ]
A NULL pointer dereference was reported by Wei Chen:
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:__list_del_entry_valid+0x26/0x80
Call Trace:
<TASK>
sctp_sched_dequeue_common+0x1c/0x90
sctp_sched_prio_dequeue+0x67/0x80
__sctp_outq_teardown+0x299/0x380
sctp_outq_free+0x15/0x20
sctp_association_free+0xc3/0x440
sctp_do_sm+0x1ca7/0x2210
sctp_assoc_bh_rcv+0x1f6/0x340
This happens when calling sctp_sendmsg without connecting to server first.
In this case, a data chunk already queues up in send queue of client side
when processing the INIT_ACK from server in sctp_process_init() where it
calls sctp_stream_init() to alloc stream_in. If it fails to alloc stream_in
all stream_out will be freed in sctp_stream_init's err path. Then in the
asoc freeing it will crash when dequeuing this data chunk as stream_out
is missing.
As we can't free stream out before dequeuing all data from send queue, and
this patch is to fix it by moving the err path stream_out/in freeing in
sctp_stream_init() to sctp_stream_free() which is eventually called when
freeing the asoc in sctp_association_free(). This fix also makes the code
in sctp_process_init() more clear.
Note that in sctp_association_init() when it fails in sctp_stream_init(),
sctp_association_free() will not be called, and in that case it should
go to 'stream_free' err path to free stream instead of 'fail_init'.
Fixes:
|
||
|
Duoming Zhou
|
3688939cd3 |
sctp: fix sleep in atomic context bug in timer handlers
[ Upstream commit b89fc26f741d9f9efb51cba3e9b241cf1380ec5a ]
There are sleep in atomic context bugs in timer handlers of sctp
such as sctp_generate_t3_rtx_event(), sctp_generate_probe_event(),
sctp_generate_t1_init_event(), sctp_generate_timeout_event(),
sctp_generate_t3_rtx_event() and so on.
The root cause is sctp_sched_prio_init_sid() with GFP_KERNEL parameter
that may sleep could be called by different timer handlers which is in
interrupt context.
One of the call paths that could trigger bug is shown below:
(interrupt context)
sctp_generate_probe_event
sctp_do_sm
sctp_side_effects
sctp_cmd_interpreter
sctp_outq_teardown
sctp_outq_init
sctp_sched_set_sched
n->init_sid(..,GFP_KERNEL)
sctp_sched_prio_init_sid //may sleep
This patch changes gfp_t parameter of init_sid in sctp_sched_set_sched()
from GFP_KERNEL to GFP_ATOMIC in order to prevent sleep in atomic
context bugs.
Fixes:
|
||
|
Kuniyuki Iwashima
|
4fdf9bdb28 |
ip: Fix data-races around sysctl_ip_nonlocal_bind.
[ Upstream commit 289d3b21fb0bfc94c4e98f10635bba1824e5f83c ]
While reading sysctl_ip_nonlocal_bind, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its readers.
Fixes:
|
||
|
Eric Dumazet
|
9b01252e6c |
sctp: read sk->sk_bound_dev_if once in sctp_rcv()
[ Upstream commit a20ea298071f46effa3aaf965bf9bb34c901db3f ]
sctp_rcv() reads sk->sk_bound_dev_if twice while the socket
is not locked. Another cpu could change this field under us.
Fixes:
|
||
|
Greg Kroah-Hartman
|
4154968fe8 |
Merge 5.15.38 into android13-5.15
Changes in 5.15.38
usb: mtu3: fix USB 3.0 dual-role-switch from device to host
USB: quirks: add a Realtek card reader
USB: quirks: add STRING quirk for VCOM device
USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS
USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader
USB: serial: option: add support for Cinterion MV32-WA/MV32-WB
USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions
usb: xhci: tegra:Fix PM usage reference leak of tegra_xusb_unpowergate_partitions
xhci: Enable runtime PM on second Alderlake controller
xhci: stop polling roothubs after shutdown
xhci: increase usb U3 -> U0 link resume timeout from 100ms to 500ms
iio: dac: ad5592r: Fix the missing return value.
iio: dac: ad5446: Fix read_raw not returning set value
iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on()
iio: imu: inv_icm42600: Fix I2C init possible nack
usb: misc: fix improper handling of refcount in uss720_probe()
usb: core: Don't hold the device lock while sleeping in do_proc_control()
usb: typec: ucsi: Fix reuse of completion structure
usb: typec: ucsi: Fix role swapping
usb: gadget: uvc: Fix crash when encoding data for usb request
usb: gadget: configfs: clear deactivation flag in configfs_composite_unbind()
usb: dwc3: Try usb-role-switch first in dwc3_drd_init
usb: dwc3: core: Fix tx/rx threshold settings
usb: dwc3: core: Only handle soft-reset in DCTL
usb: dwc3: gadget: Return proper request status
usb: dwc3: pci: add support for the Intel Meteor Lake-P
usb: cdns3: Fix issue for clear halt endpoint
usb: phy: generic: Get the vbus supply
serial: imx: fix overrun interrupts in DMA mode
serial: amba-pl011: do not time out prematurely when draining tx fifo
serial: 8250: Also set sticky MCR bits in console restoration
serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device
arch_topology: Do not set llc_sibling if llc_id is invalid
ceph: fix possible NULL pointer dereference for req->r_session
bus: mhi: host: pci_generic: Add missing poweroff() PM callback
bus: mhi: host: pci_generic: Flush recovery worker during freeze
arm64: dts: imx8mm-venice: fix spi2 pin configuration
pinctrl: samsung: fix missing GPIOLIB on ARM64 Exynos config
hex2bin: make the function hex_to_bin constant-time
hex2bin: fix access beyond string end
riscv: patch_text: Fixup last cpu should be master
x86/pci/xen: Disable PCI/MSI[-X] masking for XEN_HVM guests
iocost: don't reset the inuse weight of under-weighted debtors
virtio_net: fix wrong buf address calculation when using xdp
cpufreq: qcom-hw: fix the race between LMH worker and cpuhp
cpufreq: qcom-cpufreq-hw: Fix throttle frequency value on EPSS platforms
video: fbdev: udlfb: properly check endpoint type
arm64: dts: meson: remove CPU opps below 1GHz for G12B boards
arm64: dts: meson: remove CPU opps below 1GHz for SM1 boards
iio:imu:bmi160: disable regulator in error path
mtd: rawnand: fix ecc parameters for mt7622
xsk: Fix l2fwd for copy mode + busy poll combo
arm64: dts: imx8qm: Correct SCU clock controller's compatible property
USB: Fix xhci event ring dequeue pointer ERDP update issue
ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue
arm64: dts: imx8mn: Fix SAI nodes
arm64: dts: meson-sm1-bananapi-m5: fix wrong GPIO pin labeling for CON1
phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe
phy: samsung: exynos5250-sata: fix missing device put in probe error paths
ARM: OMAP2+: Fix refcount leak in omap_gic_of_init
bus: ti-sysc: Make omap3 gpt12 quirk handling SoC specific
ARM: dts: dra7: Fix suspend warning for vpe powerdomain
phy: ti: omap-usb2: Fix error handling in omap_usb2_enable_clocks
ARM: dts: at91: Map MCLK for wm8731 on at91sam9g20ek
ARM: dts: at91: sama5d4_xplained: fix pinctrl phandle name
ARM: dts: at91: fix pinctrl phandles
phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe
phy: ti: Add missing pm_runtime_disable() in serdes_am654_probe
interconnect: qcom: sdx55: Drop IP0 interconnects
ARM: dts: Fix mmc order for omap3-gta04
ARM: dts: am3517-evm: Fix misc pinmuxing
ARM: dts: logicpd-som-lv: Fix wrong pinmuxing on OMAP35
ipvs: correctly print the memory size of ip_vs_conn_tab
phy: amlogic: fix error path in phy_g12a_usb3_pcie_probe()
pinctrl: mediatek: moore: Fix build error
mtd: rawnand: Fix return value check of wait_for_completion_timeout
mtd: fix 'part' field data corruption in mtd_info
pinctrl: stm32: Do not call stm32_gpio_get() for edge triggered IRQs in EOI
memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode
net: dsa: Add missing of_node_put() in dsa_port_link_register_of
netfilter: nft_set_rbtree: overlap detection with element re-addition after deletion
bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook
pinctrl: rockchip: fix RK3308 pinmux bits
tcp: md5: incorrect tcp_header_len for incoming connections
pinctrl: stm32: Keep pinctrl block clock enabled when LEVEL IRQ requested
tcp: ensure to use the most recently sent skb when filling the rate sample
wireguard: device: check for metadata_dst with skb_valid_dst()
sctp: check asoc strreset_chunk in sctp_generate_reconf_event
ARM: dts: imx6ull-colibri: fix vqmmc regulator
arm64: dts: imx8mn-ddr4-evk: Describe the 32.768 kHz PMIC clock
pinctrl: pistachio: fix use of irq_of_parse_and_map()
cpufreq: fix memory leak in sun50i_cpufreq_nvmem_probe
net: hns3: clear inited state and stop client after failed to register netdev
net: hns3: modify the return code of hclge_get_ring_chain_from_mbx
net: hns3: add validity check for message data length
net: hns3: add return value for mailbox handling in PF
net/smc: sync err code when tcp connection was refused
ip_gre: Make o_seqno start from 0 in native mode
ip6_gre: Make o_seqno start from 0 in native mode
ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode
tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT
tcp: make sure treq->af_specific is initialized
bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create()
clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource()
cpufreq: qcom-cpufreq-hw: Clear dcvs interrupts
net: bcmgenet: hide status block before TX timestamping
net: phy: marvell10g: fix return value on error
net: dsa: mv88e6xxx: Fix port_hidden_wait to account for port_base_addr
drm/sun4i: Remove obsolete references to PHYS_OFFSET
net: dsa: lantiq_gswip: Don't set GSWIP_MII_CFG_RMII_CLK
io_uring: check reserved fields for send/sendmsg
io_uring: check reserved fields for recv/recvmsg
netfilter: conntrack: fix udp offload timeout sysctl
drm/amdkfd: Fix GWS queue count
drm/amd/display: Fix memory leak in dcn21_clock_source_create
tls: Skip tls_append_frag on zero copy size
bnx2x: fix napi API usage sequence
net: fec: add missing of_node_put() in fec_enet_init_stop_mode()
gfs2: Prevent endless loops in gfs2_file_buffered_write
gfs2: Minor retry logic cleanup
gfs2: Make sure not to return short direct writes
gfs2: No short reads or writes upon glock contention
perf arm-spe: Fix addresses of synthesized SPE events
ixgbe: ensure IPsec VF<->PF compatibility
Revert "ibmvnic: Add ethtool private flag for driver-defined queue limits"
tcp: fix F-RTO may not work correctly when receiving DSACK
ASoC: Intel: soc-acpi: correct device endpoints for max98373
ASoC: wm8731: Disable the regulator when probing fails
ext4: fix bug_on in start_this_handle during umount filesystem
arch: xtensa: platforms: Fix deadlock in rs_close()
ksmbd: increment reference count of parent fp
ksmbd: set fixed sector size to FS_SECTOR_SIZE_INFORMATION
bonding: do not discard lowest hash bit for non layer3+4 hashing
x86: __memcpy_flushcache: fix wrong alignment if size > 2^32
cifs: destage any unwritten data to the server before calling copychunk_write
drivers: net: hippi: Fix deadlock in rr_close()
powerpc/perf: Fix 32bit compile
selftest/vm: verify mmap addr in mremap_test
selftest/vm: verify remap destination address in mremap_test
Revert "ACPI: processor: idle: fix lockup regression on 32-bit ThinkPad T40"
zonefs: Fix management of open zones
zonefs: Clear inode information flags on inode creation
kasan: prevent cpu_quarantine corruption when CPU offline and cache shrink occur at same time
mtd: rawnand: qcom: fix memory corruption that causes panic
netfilter: Update ip6_route_me_harder to consider L3 domain
drm/i915: Check EDID for HDR static metadata when choosing blc
drm/i915: Fix SEL_FETCH_PLANE_*(PIPE_B+) register addresses
net: ethernet: stmmac: fix write to sgmii_adapter_base
ACPI: processor: idle: Avoid falling back to C3 type C-states
thermal: int340x: Fix attr.show callback prototype
btrfs: fix leaked plug after failure syncing log on zoned filesystems
ARM: dts: at91: sama7g5ek: enable pull-up on flexcom3 console lines
ARM: dts: imx8mm-venice-gw{71xx,72xx,73xx}: fix OTG controller OC mode
x86/cpu: Load microcode during restore_processor_state()
perf symbol: Pass is_kallsyms to symbols__fixup_end()
perf symbol: Update symbols__fixup_end()
tty: n_gsm: fix restart handling via CLD command
tty: n_gsm: fix decoupled mux resource
tty: n_gsm: fix mux cleanup after unregister tty device
tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2
tty: n_gsm: fix malformed counter for out of frame data
netfilter: nft_socket: only do sk lookups when indev is available
tty: n_gsm: fix insufficient txframe size
tty: n_gsm: fix wrong DLCI release order
tty: n_gsm: fix missing explicit ldisc flush
tty: n_gsm: fix wrong command retry handling
tty: n_gsm: fix wrong command frame length field encoding
tty: n_gsm: fix wrong signal octets encoding in MSC
tty: n_gsm: fix missing tty wakeup in convergence layer type 2
tty: n_gsm: fix reset fifo race condition
tty: n_gsm: fix incorrect UA handling
tty: n_gsm: fix software flow control handling
perf symbol: Remove arch__symbols__fixup_end()
eeprom: at25: Use DMA safe buffers
objtool: Fix code relocs vs weak symbols
objtool: Fix type of reloc::addend
powerpc/64: Add UADDR64 relocation support
Linux 5.15.38
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic5e398d47dd6240ecde38f635b3085fae7c3c0ab
|
||
|
Xin Long
|
5a4da2e233 |
sctp: check asoc strreset_chunk in sctp_generate_reconf_event
[ Upstream commit 165e3e17fe8fe6a8aab319bc6e631a2e23b9a857 ]
A null pointer reference issue can be triggered when the response of a
stream reconf request arrives after the timer is triggered, such as:
send Incoming SSN Reset Request --->
CPU0:
reconf timer is triggered,
go to the handler code before hold sk lock
<--- reply with Outgoing SSN Reset Request
CPU1:
process Outgoing SSN Reset Request,
and set asoc->strreset_chunk to NULL
CPU0:
continue the handler code, hold sk lock,
and try to hold asoc->strreset_chunk, crash!
In Ying Xu's testing, the call trace is:
[ ] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ ] RIP: 0010:sctp_chunk_hold+0xe/0x40 [sctp]
[ ] Call Trace:
[ ] <IRQ>
[ ] sctp_sf_send_reconf+0x2c/0x100 [sctp]
[ ] sctp_do_sm+0xa4/0x220 [sctp]
[ ] sctp_generate_reconf_event+0xbd/0xe0 [sctp]
[ ] call_timer_fn+0x26/0x130
This patch is to fix it by returning from the timer handler if asoc
strreset_chunk is already set to NULL.
Fixes:
|
||
|
Maciej Żenczykowski
|
23a0beaf3c |
ANDROID: net: introduce ip_local_unbindable_ports sysctl
and associated inet_is_local_unbindable_port() helper function:
use it to make explicitly binding to an unbindable port return
-EPERM 'Operation not permitted'.
Autobind doesn't honour this new sysctl since:
(a) you can simply set both if that's the behaviour you desire
(b) there could be a use for preventing explicit while allowing auto
(c) it's faster in the relatively critical path of doing port selection
during connect() to only check one bitmap instead of both
Various ports may have special use cases which are not suitable for
use by general userspace applications. Currently, ports specified in
ip_local_reserved_ports sysctl will not be returned only in case of
automatic port assignment, but nothing prevents you from explicitly
binding to them - even from an entirely unprivileged process.
In certain cases it is desirable to prevent the host from assigning the
ports even in case of explicit binds, even from superuser processes.
Example use cases might be:
- a port being stolen by the nic for remote serial console, remote
power management or some other sort of debugging functionality
(crash collection, gdb, direct access to some other microcontroller
on the nic or motherboard, remote management of the nic itself).
- a transparent proxy where packets are being redirected: in case
a socket matches this connection, packets from this application
would be incorrectly sent to one of the endpoints.
Initially I wanted to solve this problem via the simple one line:
static inline bool inet_port_requires_bind_service(struct net *net, unsigned short port) {
- return port < net->ipv4.sysctl_ip_prot_sock;
+ return port < net->ipv4.sysctl_ip_prot_sock || inet_is_local_reserved_port(net, port);
}
However, this doesn't work for two reasons:
(a) it changes userspace visible behaviour of the existing local
reserved ports sysctl, and there appears to be enough documentation
on the internet talking about setting it to make this a bad idea
(b) it doesn't prevent privileged apps from using these ports,
CAP_BIND_SERVICE is relatively likely to be available to, for example,
a recursive DNS server so it can listed on port 53, which also needs
to do src port randomization for outgoing queries due to security
reasons (and it thus does manual port binding).
If we *know* that certain ports are simply unusable, then it's better
nothing even gets the opportunity to try to use them. This way we at
least get a quick failure, instead of some sort of timeout (or possibly
even corruption of the data stream of the non-kernel based use case).
Test:
vm:~# cat /proc/sys/net/ipv4/ip_local_unbindable_ports
vm:~# python -c 'import socket; s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0); s.bind(("::", 3967))'
vm:~# python -c 'import socket; s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, 0); s.bind(("::", 3967))'
vm:~# echo 3967 > /proc/sys/net/ipv4/ip_local_unbindable_ports
vm:~# cat /proc/sys/net/ipv4/ip_local_unbindable_ports
3967
vm:~# python -c 'import socket; s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0); s.bind(("::", 3967))'
socket.error: (1, 'Operation not permitted')
vm:~# python -c 'import socket; s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, 0); s.bind(("::", 3967))'
socket.error: (1, 'Operation not permitted')
Cc: Sean Tranchetti <stranche@codeaurora.org>
Cc: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Linux SCTP <linux-sctp@vger.kernel.org>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Bug: 140404597
Change-Id: Ie96207bea90ae1345adf7b45724d0caf4d6e52c2
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
(cherry picked from commit 8a4b8ea595a515e6360dfccdb99cec2a1fed08c0)
|
||
|
Petr Malat
|
90c153ca45 |
sctp: Initialize daddr on peeled off socket
[ Upstream commit 8467dda0c26583547731e7f3ea73fc3856bae3bf ]
Function sctp_do_peeloff() wrongly initializes daddr of the original
socket instead of the peeled off socket, which makes getpeername()
return zeroes instead of the primary address. Initialize the new socket
instead.
Fixes:
|
||
|
Jamie Bainbridge
|
2cb2b3fb20 |
sctp: count singleton chunks in assoc user stats
[ Upstream commit e3d37210df5c41c51147a2d5d465de1a4d77be7a ]
Singleton chunks (INIT, HEARTBEAT PMTU probes, and SHUTDOWN-
COMPLETE) are not counted in SCTP_GET_ASOC_STATS "sas_octrlchunks"
counter available to the assoc owner.
These are all control chunks so they should be counted as such.
Add counting of singleton chunks so they are properly accounted for.
Fixes:
|
||
|
Eric Dumazet
|
1502f15b9f |
sctp: fix kernel-infoleak for SCTP sockets
[ Upstream commit 633593a808980f82d251d0ca89730d8bb8b0220c ]
syzbot reported a kernel infoleak [1] of 4 bytes.
After analysis, it turned out r->idiag_expires is not initialized
if inet_sctp_diag_fill() calls inet_diag_msg_common_fill()
Make sure to clear idiag_timer/idiag_retrans/idiag_expires
and let inet_diag_msg_sctpasoc_fill() fill them again if needed.
[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
instrument_copy_to_user include/linux/instrumented.h:121 [inline]
copyout lib/iov_iter.c:154 [inline]
_copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
copy_to_iter include/linux/uio.h:162 [inline]
simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
__skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
sock_recvmsg_nosec net/socket.c:948 [inline]
sock_recvmsg net/socket.c:966 [inline]
__sys_recvfrom+0x795/0xa10 net/socket.c:2097
__do_sys_recvfrom net/socket.c:2115 [inline]
__se_sys_recvfrom net/socket.c:2111 [inline]
__x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
Uninit was created at:
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3247 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1158 [inline]
netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
__netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
netlink_dump_start include/linux/netlink.h:254 [inline]
inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
sock_diag_rcv_msg+0x24a/0x620
netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:705 [inline]
sock_sendmsg net/socket.c:725 [inline]
sock_write_iter+0x594/0x690 net/socket.c:1061
do_iter_readv_writev+0xa7f/0xc70
do_iter_write+0x52c/0x1500 fs/read_write.c:851
vfs_writev fs/read_write.c:924 [inline]
do_writev+0x645/0xe00 fs/read_write.c:967
__do_sys_writev fs/read_write.c:1040 [inline]
__se_sys_writev fs/read_write.c:1037 [inline]
__x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
Bytes 68-71 of 2508 are uninitialized
Memory access of size 2508 starts at ffff888114f9b000
Data copied to user address 00007f7fe09ff2e0
CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes:
|
||
|
Xin Long
|
9f00a2a0c1 |
sctp: hold endpoint before calling cb in sctp_transport_lookup_process
commit f9d31c4cf4c11ff10317f038b9c6f7c3bda6cdd4 upstream.
The same fix in commit 5ec7d18d1813 ("sctp: use call_rcu to free endpoint")
is also needed for dumping one asoc and sock after the lookup.
Fixes:
|
||
|
Xin Long
|
75799e71df |
sctp: use call_rcu to free endpoint
[ Upstream commit 5ec7d18d1813a5bead0b495045606c93873aecbb ]
This patch is to delay the endpoint free by calling call_rcu() to fix
another use-after-free issue in sctp_sock_dump():
BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20
Call Trace:
__lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218
lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
spin_lock_bh include/linux/spinlock.h:334 [inline]
__lock_sock+0x203/0x350 net/core/sock.c:2253
lock_sock_nested+0xfe/0x120 net/core/sock.c:2774
lock_sock include/net/sock.h:1492 [inline]
sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324
sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091
sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527
__inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049
inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065
netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244
__netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352
netlink_dump_start include/linux/netlink.h:216 [inline]
inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170
__sock_diag_cmd net/core/sock_diag.c:232 [inline]
sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263
netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477
sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274
This issue occurs when asoc is peeled off and the old sk is freed after
getting it by asoc->base.sk and before calling lock_sock(sk).
To prevent the sk free, as a holder of the sk, ep should be alive when
calling lock_sock(). This patch uses call_rcu() and moves sock_put and
ep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to
hold the ep under rcu_read_lock in sctp_transport_traverse_process().
If sctp_endpoint_hold() returns true, it means this ep is still alive
and we have held it and can continue to dump it; If it returns false,
it means this ep is dead and can be freed after rcu_read_unlock, and
we should skip it.
In sctp_sock_dump(), after locking the sk, if this ep is different from
tsp->asoc->ep, it means during this dumping, this asoc was peeled off
before calling lock_sock(), and the sk should be skipped; If this ep is
the same with tsp->asoc->ep, it means no peeloff happens on this asoc,
and due to lock_sock, no peeloff will happen either until release_sock.
Note that delaying endpoint free won't delay the port release, as the
port release happens in sctp_endpoint_destroy() before calling call_rcu().
Also, freeing endpoint by call_rcu() makes it safe to access the sk by
asoc->base.sk in sctp_assocs_seq_show() and sctp_rcv().
Thanks Jones to bring this issue up.
v1->v2:
- improve the changelog.
- add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed.
Reported-by: syzbot+9276d76e83e3bcde6c99@syzkaller.appspotmail.com
Reported-by: Lee Jones <lee.jones@linaro.org>
Fixes:
|
||
|
Xin Long
|
a1fafee96a |
sctp: return true only for pathmtu update in sctp_transport_pl_toobig
[ Upstream commit 75cf662c64dd8543f56c329c69eba18141c8fd9f ]
sctp_transport_pl_toobig() supposes to return true only if there's
pathmtu update, so that in sctp_icmp_frag_needed() it would call
sctp_assoc_sync_pmtu() and sctp_retransmit(). This patch is to fix
these return places in sctp_transport_pl_toobig().
Fixes:
|
||
|
Xin Long
|
8cebfaefcc |
sctp: allow IP fragmentation when PLPMTUD enters Error state
[ Upstream commit 40171248bb8934537fec8fbaf718e57c8add187c ]
Currently when PLPMTUD enters Error state, transport pathmtu will be set
to MIN_PLPMTU(512) while probe is continuing with BASE_PLPMTU(1200). It
will cause pathmtu to stay in a very small value, even if the real pmtu
is some value like 1000.
RFC8899 doesn't clearly say how to set the value in Error state. But one
possibility could be keep using BASE_PLPMTU for the real pmtu, but allow
to do IP fragmentation when it's in Error state.
As it says in rfc8899#section-5.4:
Some paths could be unable to sustain packets of the BASE_PLPMTU
size. The Error State could be implemented to provide robustness to
such paths. This allows fallback to a smaller than desired PLPMTU
rather than suffer connectivity failure. This could utilize methods
such as endpoint IP fragmentation to enable the PL sender to
communicate using packets smaller than the BASE_PLPMTU.
This patch is to set pmtu to BASE_PLPMTU instead of MIN_PLPMTU for Error
state in sctp_transport_pl_send/toobig(), and set packet ipfragok for
non-probe packets when it's in Error state.
Fixes:
|
||
|
Xin Long
|
9d02831e51 |
sctp: add vtag check in sctp_sf_ootb
sctp_sf_ootb() is called when processing DATA chunk in closed state,
and many other places are also using it.
The vtag in the chunk's sctphdr should be verified, otherwise, as
later in chunk length check, it may send abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.
When fails to verify the vtag from the chunk, this patch sets asoc
to NULL, so that the abort will be made with the vtag from the
received chunk later.
Fixes:
|
||
|
Xin Long
|
ef16b1734f |
sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
sctp_sf_do_8_5_1_E_sa() is called when processing SHUTDOWN_ACK chunk
in cookie_wait and cookie_echoed state.
The vtag in the chunk's sctphdr should be verified, otherwise, as
later in chunk length check, it may send abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.
Note that when fails to verify the vtag from SHUTDOWN-ACK chunk,
SHUTDOWN COMPLETE message will still be sent back to peer, but
with the vtag from SHUTDOWN-ACK chunk, as said in 5) of
rfc4960#section-8.4.
While at it, also remove the unnecessary chunk length check from
sctp_sf_shut_8_4_5(), as it's already done in both places where
it calls sctp_sf_shut_8_4_5().
Fixes:
|
||
|
Xin Long
|
aa0f697e45 |
sctp: add vtag check in sctp_sf_violation
sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk
in cookie_wait state, and some other places are also using it.
The vtag in the chunk's sctphdr should be verified, otherwise, as
later in chunk length check, it may send abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.
Fixes:
|
||
|
Xin Long
|
a64b341b86 |
sctp: fix the processing for COOKIE_ECHO chunk
1. In closed state: in sctp_sf_do_5_1D_ce():
When asoc is NULL, making packet for abort will use chunk's vtag
in sctp_ootb_pkt_new(). But when asoc exists, vtag from the chunk
should be verified before using peer.i.init_tag to make packet
for abort in sctp_ootb_pkt_new(), and just discard it if vtag is
not correct.
2. In the other states: in sctp_sf_do_5_2_4_dupcook():
asoc always exists, but duplicate cookie_echo's vtag will be
handled by sctp_tietags_compare() and then take actions, so before
that we only verify the vtag for the abort sent for invalid chunk
length.
Fixes:
|
||
|
Xin Long
|
438b95a7c9 |
sctp: fix the processing for INIT_ACK chunk
Currently INIT_ACK chunk in non-cookie_echoed state is processed in
sctp_sf_discard_chunk() to send an abort with the existent asoc's
vtag if the chunk length is not valid. But the vtag in the chunk's
sctphdr is not verified, which may be exploited by one to cook a
malicious chunk to terminal a SCTP asoc.
sctp_sf_discard_chunk() also is called in many other places to send
an abort, and most of those have this problem. This patch is to fix
it by sending abort with the existent asoc's vtag only if the vtag
from the chunk's sctphdr is verified in sctp_sf_discard_chunk().
Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(),
the chunk length has been verified before sctp_sf_discard_chunk(),
so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and
sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of
sctp_sf_discard_chunk(), then replace it with sctp_sf_discard().
Fixes:
|
||
|
Xin Long
|
eae5783908 |
sctp: fix the processing for INIT chunk
This patch fixes the problems below:
1. In non-shutdown_ack_sent states: in sctp_sf_do_5_1B_init() and
sctp_sf_do_5_2_2_dupinit():
chunk length check should be done before any checks that may cause
to send abort, as making packet for abort will access the init_tag
from init_hdr in sctp_ootb_pkt_new().
2. In shutdown_ack_sent state: in sctp_sf_do_9_2_reshutack():
The same checks as does in sctp_sf_do_5_2_2_dupinit() is needed
for sctp_sf_do_9_2_reshutack().
Fixes:
|
||
|
Xin Long
|
4f7019c7eb |
sctp: use init_tag from inithdr for ABORT chunk
Currently Linux SCTP uses the verification tag of the existing SCTP
asoc when failing to process and sending the packet with the ABORT
chunk. This will result in the peer accepting the ABORT chunk and
removing the SCTP asoc. One could exploit this to terminate a SCTP
asoc.
This patch is to fix it by always using the initiate tag of the
received INIT chunk for the ABORT chunk to be sent.
Fixes:
|
||
|
Eiichi Tsukata
|
a2d859e3fc |
sctp: account stream padding length for reconf chunk
sctp_make_strreset_req() makes repeated calls to sctp_addto_chunk()
which will automatically account for padding on each call. inreq and
outreq are already 4 bytes aligned, but the payload is not and doing
SCTP_PAD4(a + b) (which _sctp_make_chunk() did implicitly here) is
different from SCTP_PAD4(a) + SCTP_PAD4(b) and not enough. It led to
possible attempt to use more buffer than it was allocated and triggered
a BUG_ON.
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Fixes:
|
||
|
Xin Long
|
f7e745f8e9 |
sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
We should always check if skb_header_pointer's return is NULL before
using it, otherwise it may cause null-ptr-deref, as syzbot reported:
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196
Call Trace:
<IRQ>
sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109
ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422
ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472
dst_input include/net/dst.h:460 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297
Fixes:
|
||
|
Xin Long
|
ae954bbc45 |
sctp: move the active_key update after sh_keys is added
In commit |
||
|
Marcelo Ricardo Leitner
|
557fb5862c |
sctp: fix return value check in __sctp_rcv_asconf_lookup
As Ben Hutchings noticed, this check should have been inverted: the call
returns true in case of success.
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Fixes:
|
||
|
Chen Shen
|
2ebda02714 |
sctp: delete addr based on sin6_scope_id
sctp_inet6addr_event deletes 'addr' from 'local_addr_list' when setting netdev down, but it is possible to delete the incorrect entry (match the first one with the same ipaddr, but the different 'ifindex'), if there are some netdevs with the same 'local-link' ipaddr added already. It should delete the entry depending on 'sin6_addr' and 'sin6_scope_id' both. otherwise, the endpoint will call 'sctp_sf_ootb' if it can't find the according association when receives 'heartbeat', and finally will reply 'abort'. For example: 1.when linux startup the entries in local_addr_list: ifindex:35 addr:fe80::40:43ff:fe80:0 (eths0.201) ifindex:36 addr:fe80::40:43ff:fe80:0 (eths0.209) ifindex:37 addr:fe80::40:43ff:fe80:0 (eths0.210) the route table: local fe80::40:43ff:fe80:0 dev eths0.201 local fe80::40:43ff:fe80:0 dev eths0.209 local fe80::40:43ff:fe80:0 dev eths0.210 2.after 'ifconfig eths0.209 down' the entries in local_addr_list: ifindex:36 addr:fe80::40:43ff:fe80:0 (eths0.209) ifindex:37 addr:fe80::40:43ff:fe80:0 (eths0.210) the route table: local fe80::40:43ff:fe80:0 dev eths0.201 local fe80::40:43ff:fe80:0 dev eths0.210 3.asoc not found for src:[fe80::40:43ff:fe80:0]:37381 dst:[:1]:53335 ::1->fe80::40:43ff:fe80:0 HEARTBEAT fe80::40:43ff:fe80:0->::1 ABORT Signed-off-by: Chen Shen <peterchenshen@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Xin Long
|
eacf078cf4 |
sctp: send pmtu probe only if packet loss in Search Complete state
This patch is to introduce last_rtx_chunks into sctp_transport to detect
if there's any packet retransmission/loss happened by checking against
asoc's rtx_data_chunks in sctp_transport_pl_send().
If there is, namely, transport->last_rtx_chunks != asoc->rtx_data_chunks,
the pmtu probe will be sent out. Otherwise, increment the pl.raise_count
and return when it's in Search Complete state.
With this patch, if in Search Complete state, which is a long period, it
doesn't need to keep probing the current pmtu unless there's data packet
loss. This will save quite some traffic.
v1->v2:
- add the missing Fixes tag.
Fixes:
|
||
|
Xin Long
|
058e6e0ed0 |
sctp: improve the code for pmtu probe send and recv update
This patch does 3 things:
- make sctp_transport_pl_send() and sctp_transport_pl_recv()
return bool type to decide if more probe is needed to send.
- pr_debug() only when probe is really needed to send.
- count pl.raise_count in sctp_transport_pl_send() instead of
sctp_transport_pl_recv(), and it's only incremented for the
1st probe for the same size.
These are preparations for the next patch to make probes happen
only when there's packet loss in Search Complete state.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||
|
Xin Long
|
02dc2ee7c7 |
sctp: do not update transport pathmtu if SPP_PMTUD_ENABLE is not set
Currently, in sctp_packet_config(), sctp_transport_pmtu_check() is
called to update transport pathmtu with dst's mtu when dst's mtu
has been changed by non sctp stack like xfrm.
However, this should only happen when SPP_PMTUD_ENABLE is set, no
matter where dst's mtu changed. This patch is to fix by checking
SPP_PMTUD_ENABLE flag before calling sctp_transport_pmtu_check().
Thanks Jacek for reporting and looking into this issue.
v1->v2:
- add the missing "{" to fix the build error.
Fixes:
|
||
|
Xin Long
|
58acd10092 |
sctp: update active_key for asoc when old key is being replaced
syzbot reported a call trace:
BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
Call Trace:
sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
sctp_set_owner_w net/sctp/socket.c:131 [inline]
sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865
sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
sock_sendmsg_nosec net/socket.c:703 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:723
This is an use-after-free issue caused by not updating asoc->shkey after
it was replaced in the key list asoc->endpoint_shared_keys, and the old
key was freed.
This patch is to fix by also updating active_key for asoc when old key is
being replaced with a new one. Note that this issue doesn't exist in
sctp_auth_del_key_id(), as it's not allowed to delete the active_key
from the asoc.
Fixes:
|
||
|
Xin Long
|
2f3fdd8d48 |
sctp: trim optlen when it's a huge value in sctp_setsockopt
After commit |
||
|
Yajun Deng
|
01757f536a |
net: Use nlmsg_unicast() instead of netlink_unicast()
It has 'if (err >0 )' statement in nlmsg_unicast(), so use nlmsg_unicast() instead of netlink_unicast(), this looks more concise. v2: remove the change in netfilter. Signed-off-by: Yajun Deng <yajun.deng@linux.dev> Reviewed-by: David Ahern <dsahern@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Xin Long
|
1d11fa231c |
sctp: move 198 addresses from unusable to private scope
The doc draft-stewart-tsvwg-sctp-ipv4-00 that restricts 198 addresses was never published. These addresses as private addresses should be allowed to use in SCTP. As Michael Tuexen suggested, this patch is to move 198 addresses from unusable to private scope. Reported-by: Sérgio <surkamp@gmail.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Xin Long
|
650b2a846d |
sctp: check pl.raise_count separately from its increment
As Marcelo's suggestion this will make code more clear to read. Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Dan Carpenter
|
a34dcbfa14 |
sctp: prevent info leak in sctp_make_heartbeat()
The "hbinfo" struct has a 4 byte hole at the end so we have to zero it
out to prevent stack information from being disclosed.
Fixes:
|
||
|
Linus Torvalds
|
dbe69e4337 |
Merge tag 'net-next-5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
Pull networking updates from Jakub Kicinski:
"Core:
- BPF:
- add syscall program type and libbpf support for generating
instructions and bindings for in-kernel BPF loaders (BPF loaders
for BPF), this is a stepping stone for signed BPF programs
- infrastructure to migrate TCP child sockets from one listener to
another in the same reuseport group/map to improve flexibility
of service hand-off/restart
- add broadcast support to XDP redirect
- allow bypass of the lockless qdisc to improving performance (for
pktgen: +23% with one thread, +44% with 2 threads)
- add a simpler version of "DO_ONCE()" which does not require jump
labels, intended for slow-path usage
- virtio/vsock: introduce SOCK_SEQPACKET support
- add getsocketopt to retrieve netns cookie
- ip: treat lowest address of a IPv4 subnet as ordinary unicast
address allowing reclaiming of precious IPv4 addresses
- ipv6: use prandom_u32() for ID generation
- ip: add support for more flexible field selection for hashing
across multi-path routes (w/ offload to mlxsw)
- icmp: add support for extended RFC 8335 PROBE (ping)
- seg6: add support for SRv6 End.DT46 behavior
- mptcp:
- DSS checksum support (RFC 8684) to detect middlebox meddling
- support Connection-time 'C' flag
- time stamping support
- sctp: packetization Layer Path MTU Discovery (RFC 8899)
- xfrm: speed up state addition with seq set
- WiFi:
- hidden AP discovery on 6 GHz and other HE 6 GHz improvements
- aggregation handling improvements for some drivers
- minstrel improvements for no-ack frames
- deferred rate control for TXQs to improve reaction times
- switch from round robin to virtual time-based airtime scheduler
- add trace points:
- tcp checksum errors
- openvswitch - action execution, upcalls
- socket errors via sk_error_report
Device APIs:
- devlink: add rate API for hierarchical control of max egress rate
of virtual devices (VFs, SFs etc.)
- don't require RCU read lock to be held around BPF hooks in NAPI
context
- page_pool: generic buffer recycling
New hardware/drivers:
- mobile:
- iosm: PCIe Driver for Intel M.2 Modem
- support for Qualcomm MSM8998 (ipa)
- WiFi: Qualcomm QCN9074 and WCN6855 PCI devices
- sparx5: Microchip SparX-5 family of Enterprise Ethernet switches
- Mellanox BlueField Gigabit Ethernet (control NIC of the DPU)
- NXP SJA1110 Automotive Ethernet 10-port switch
- Qualcomm QCA8327 switch support (qca8k)
- Mikrotik 10/25G NIC (atl1c)
Driver changes:
- ACPI support for some MDIO, MAC and PHY devices from Marvell and
NXP (our first foray into MAC/PHY description via ACPI)
- HW timestamping (PTP) support: bnxt_en, ice, sja1105, hns3, tja11xx
- Mellanox/Nvidia NIC (mlx5)
- NIC VF offload of L2 bridging
- support IRQ distribution to Sub-functions
- Marvell (prestera):
- add flower and match all
- devlink trap
- link aggregation
- Netronome (nfp): connection tracking offload
- Intel 1GE (igc): add AF_XDP support
- Marvell DPU (octeontx2): ingress ratelimit offload
- Google vNIC (gve): new ring/descriptor format support
- Qualcomm mobile (rmnet & ipa): inline checksum offload support
- MediaTek WiFi (mt76)
- mt7915 MSI support
- mt7915 Tx status reporting
- mt7915 thermal sensors support
- mt7921 decapsulation offload
- mt7921 enable runtime pm and deep sleep
- Realtek WiFi (rtw88)
- beacon filter support
- Tx antenna path diversity support
- firmware crash information via devcoredump
- Qualcomm WiFi (wcn36xx)
- Wake-on-WLAN support with magic packets and GTK rekeying
- Micrel PHY (ksz886x/ksz8081): add cable test support"
* tag 'net-next-5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (2168 commits)
tcp: change ICSK_CA_PRIV_SIZE definition
tcp_yeah: check struct yeah size at compile time
gve: DQO: Fix off by one in gve_rx_dqo()
stmmac: intel: set PCI_D3hot in suspend
stmmac: intel: Enable PHY WOL option in EHL
net: stmmac: option to enable PHY WOL with PMT enabled
net: say "local" instead of "static" addresses in ndo_dflt_fdb_{add,del}
net: use netdev_info in ndo_dflt_fdb_{add,del}
ptp: Set lookup cookie when creating a PTP PPS source.
net: sock: add trace for socket errors
net: sock: introduce sk_error_report
net: dsa: replay the local bridge FDB entries pointing to the bridge dev too
net: dsa: ensure during dsa_fdb_offload_notify that dev_hold and dev_put are on the same dev
net: dsa: include fdb entries pointing to bridge in the host fdb list
net: dsa: include bridge addresses which are local in the host fdb list
net: dsa: sync static FDB entries on foreign interfaces to hardware
net: dsa: install the host MDB and FDB entries in the master's RX filter
net: dsa: reference count the FDB addresses at the cross-chip notifier level
net: dsa: introduce a separate cross-chip notifier type for host FDBs
net: dsa: reference count the MDB entries at the cross-chip notifier level
...
|