Commit Graph

457 Commits

Author SHA1 Message Date
Greg Kroah-Hartman
18bea82acf This is the 6.6.51 stable release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmbisF0ACgkQONu9yGCS
 aT5Y8xAAqS/rmrC+/qlFvbtAqK+KXLq9BIGvDHW2QHfCyMpSZ6isehVhh64apHE/
 /XvJ6a+2iPVp5o52iDTUKzbcDr3Jx/QwhS8Xa/HyQQy1rXIPpJNJb8Vuvkn/B2Cq
 cPCfTtfPZUUQTd09uAdBhy5NT8hsT2kSVpmSXDnahn9ih8k0tR40udw5Qf7xpWcf
 HqljbfonLP86mF/SB9m+VhDGF9fekujyb+0iS0OPE+TdvSjKB9ySoeL4PIeTSxrz
 goZdp9ygAYy8Bks825ztbfQszqIwceHU/xZRaUrGfOOk4A5kwTmbdUQu7ooMc+5F
 kbpifbewmY1UGn2KTxgj59xCjQ7HLQe+sqacy0/gALzRSajUNyjLn0n4w3UqaJWb
 pf+gwqHBLgDRfvWctggEdY2ApKgOlM9D7TTpWWB9uv1oR/g3PGfgehZgrMMPgPUw
 EZ8JiwnITfRaRFiH/vSR3aJKRj6qjb4mX3/U8HgGcACtyFfHgtuI7jzhnX36fRNO
 FG38bxSUMrJnlohghfBl6zyaruZBMHVaoQzs6MYZ7qrVvCbt3CHivJdaQ85nw0h7
 YHa2zYFfT0ztyaSMzWq6JatgI7BZfd8PjobhbRZADBBD39KC8aL8XLoDPnpzWMUY
 UDlK8n96gOKo0t8ILDWcIisCVGNogcHJlGppC8Fu7ZyKzYsMhN4=
 =OEL/
 -----END PGP SIGNATURE-----

Merge 6.6.51 into android15-6.6-lts

Changes in 6.6.51
	sch/netem: fix use after free in netem_dequeue
	net: microchip: vcap: Fix use-after-free error in kunit test
	ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
	KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS
	KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE
	KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing
	ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices
	ALSA: hda/realtek: add patch for internal mic in Lenovo V145
	ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx
	powerpc/qspinlock: Fix deadlock in MCS queue
	smb: client: fix double put of @cfile in smb2_set_path_size()
	ksmbd: unset the binding mark of a reused connection
	ksmbd: Unlock on in ksmbd_tcp_set_interfaces()
	ata: libata: Fix memory leak for error path in ata_host_alloc()
	x86/tdx: Fix data leak in mmio_read()
	perf/x86/intel: Limit the period on Haswell
	irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
	x86/kaslr: Expose and use the end of the physical memory address space
	rtmutex: Drop rt_mutex::wait_lock before scheduling
	nvme-pci: Add sleep quirk for Samsung 990 Evo
	rust: types: Make Opaque::get const
	rust: macros: provide correct provenance when constructing THIS_MODULE
	Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE"
	Bluetooth: MGMT: Ignore keys being loaded with invalid type
	mmc: core: apply SD quirks earlier during probe
	mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
	mmc: sdhci-of-aspeed: fix module autoloading
	mmc: cqhci: Fix checking of CQHCI_HALT state
	fuse: update stats for pages in dropped aux writeback list
	fuse: use unsigned type for getxattr/listxattr size truncation
	fuse: fix memory leak in fuse_create_open
	clk: starfive: jh7110-sys: Add notifier for PLL0 clock
	clk: qcom: clk-alpha-pll: Fix the pll post div mask
	clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API
	can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open
	kexec_file: fix elfcorehdr digest exclusion when CONFIG_CRASH_HOTPLUG=y
	mm: vmalloc: ensure vmap_block is initialised before adding to queue
	spi: rockchip: Resolve unbalanced runtime PM / system PM handling
	tracing/osnoise: Use a cpumask to know what threads are kthreads
	tracing/timerlat: Only clear timer if a kthread exists
	tracing: Avoid possible softlockup in tracing_iter_reset()
	tracing/timerlat: Add interface_lock around clearing of kthread in stop_kthread()
	userfaultfd: don't BUG_ON() if khugepaged yanks our page table
	userfaultfd: fix checks for huge PMDs
	fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF
	eventfs: Use list_del_rcu() for SRCU protected list variable
	net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
	net: mctp-serial: Fix missing escapes on transmit
	x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported
	x86/apic: Make x2apic_disable() work correctly
	Revert "drm/amdgpu: align pp_power_profile_mode with kernel docs"
	tcp_bpf: fix return value of tcp_bpf_sendmsg()
	ila: call nf_unregister_net_hooks() sooner
	sched: sch_cake: fix bulk flow accounting logic for host fairness
	nilfs2: fix missing cleanup on rollforward recovery error
	nilfs2: protect references to superblock parameters exposed in sysfs
	nilfs2: fix state management in error path of log writing function
	drm/i915: Do not attempt to load the GSC multiple times
	ALSA: control: Apply sanity check of input values for user elements
	ALSA: hda: Add input value sanity checks to HDMI channel map controls
	wifi: ath12k: fix uninitialize symbol error on ath12k_peer_assoc_h_he()
	wifi: ath12k: fix firmware crash due to invalid peer nss
	smack: unix sockets: fix accept()ed socket label
	bpf, verifier: Correct tail_call_reachable for bpf prog
	ELF: fix kernel.randomize_va_space double read
	accel/habanalabs/gaudi2: unsecure edma max outstanding register
	irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
	af_unix: Remove put_pid()/put_cred() in copy_peercred().
	x86/kmsan: Fix hook for unaligned accesses
	iommu: sun50i: clear bypass register
	netfilter: nf_conncount: fix wrong variable type
	wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check
	udf: Avoid excessive partition lengths
	fs/ntfs3: One more reason to mark inode bad
	riscv: kprobes: Use patch_text_nosync() for insn slots
	media: vivid: fix wrong sizeimage value for mplane
	leds: spi-byte: Call of_node_put() on error path
	wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
	usb: uas: set host status byte on data completion error
	usb: gadget: aspeed_udc: validate endpoint index for ast udc
	drm/amd/display: Run DC_LOG_DC after checking link->link_enc
	drm/amd/display: Check HDCP returned status
	drm/amdgpu: Fix smatch static checker warning
	drm/amdgpu: clear RB_OVERFLOW bit when enabling interrupts
	media: vivid: don't set HDMI TX controls if there are no HDMI outputs
	vfio/spapr: Always clear TCEs before unsetting the window
	ice: Check all ice_vsi_rebuild() errors in function
	PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)
	Input: ili210x - use kvmalloc() to allocate buffer for firmware update
	media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
	pcmcia: Use resource_size function on resource object
	drm/amd/display: Check denominator pbn_div before used
	drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6
	can: bcm: Remove proc entry when dev is unregistered.
	can: m_can: Release irq on error in m_can_open
	can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD mode
	rust: Use awk instead of recent xargs
	rust: kbuild: fix export of bss symbols
	cifs: Fix FALLOC_FL_ZERO_RANGE to preflush buffered part of target region
	igb: Fix not clearing TimeSync interrupts for 82580
	ice: Add netif_device_attach/detach into PF reset flow
	platform/x86: dell-smbios: Fix error path in dell_smbios_init()
	regulator: core: Stub devm_regulator_bulk_get_const() if !CONFIG_REGULATOR
	can: kvaser_pciefd: Skip redundant NULL pointer check in ISR
	can: kvaser_pciefd: Remove unnecessary comment
	can: kvaser_pciefd: Rename board_irq to pci_irq
	can: kvaser_pciefd: Move reset of DMA RX buffers to the end of the ISR
	can: kvaser_pciefd: Use a single write when releasing RX buffers
	Bluetooth: qca: If memdump doesn't work, re-enable IBS
	Bluetooth: hci_event: Use HCI error defines instead of magic values
	Bluetooth: hci_conn: Only do ACL connections sequentially
	Bluetooth: Remove pending ACL connection attempts
	Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync
	Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue
	Bluetooth: hci_sync: Attempt to dequeue connection attempt
	Bluetooth: hci_sync: Introduce hci_cmd_sync_run/hci_cmd_sync_run_once
	Bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT
	igc: Unlock on error in igc_io_resume()
	hwmon: (hp-wmi-sensors) Check if WMI event data exists
	net: phy: Fix missing of_node_put() for leds
	ice: protect XDP configuration with a mutex
	ice: do not bring the VSI up, if it was down before the XDP setup
	usbnet: modern method to get random MAC
	bpf: Add sockptr support for getsockopt
	bpf: Add sockptr support for setsockopt
	net/socket: Break down __sys_setsockopt
	net/socket: Break down __sys_getsockopt
	bpf, net: Fix a potential race in do_sock_getsockopt()
	bareudp: Fix device stats updates.
	fou: Fix null-ptr-deref in GRO.
	r8152: fix the firmware doesn't work
	net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
	net: dsa: vsc73xx: fix possible subblocks range of CAPT block
	selftests: net: enable bind tests
	xen: privcmd: Fix possible access to a freed kirqfd instance
	firmware: cs_dsp: Don't allow writes to read-only controls
	phy: zynqmp: Take the phy mutex in xlate
	ASoC: topology: Properly initialize soc_enum values
	dm init: Handle minors larger than 255
	iommu/vt-d: Handle volatile descriptor status read
	cgroup: Protect css->cgroup write under css_set_lock
	um: line: always fill *error_out in setup_one_line()
	devres: Initialize an uninitialized struct member
	pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
	virtio_ring: fix KMSAN error for premapped mode
	wifi: rtw88: usb: schedule rx work after everything is set up
	scsi: ufs: core: Remove SCSI host only if added
	scsi: pm80xx: Set phy->enable_completion only when we wait for it
	crypto: qat - fix unintentional re-enabling of error interrupts
	hwmon: (adc128d818) Fix underflows seen when writing limit attributes
	hwmon: (lm95234) Fix underflows seen when writing limit attributes
	hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
	hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
	ASoc: TAS2781: replace beXX_to_cpup with get_unaligned_beXX for potentially broken alignment
	libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
	drm/amdgpu: Set no_hw_access when VF request full GPU fails
	ext4: fix possible tid_t sequence overflows
	jbd2: avoid mount failed when commit block is partial submitted
	dma-mapping: benchmark: Don't starve others when doing the test
	wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
	drm/amdgpu: reject gang submit on reserved VMIDs
	smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
	fs/ntfs3: Check more cases when directory is corrupted
	btrfs: replace BUG_ON with ASSERT in walk_down_proc()
	btrfs: clean up our handling of refs == 0 in snapshot delete
	btrfs: replace BUG_ON() with error handling at update_ref_for_cow()
	cxl/region: Verify target positions using the ordered target list
	riscv: set trap vector earlier
	PCI: Add missing bridge lock to pci_bus_lock()
	tcp: Don't drop SYN+ACK for simultaneous connect().
	Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush()
	net: dpaa: avoid on-stack arrays of NR_CPUS elements
	LoongArch: Use correct API to map cmdline in relocate_kernel()
	regmap: maple: work around gcc-14.1 false-positive warning
	vfs: Fix potential circular locking through setxattr() and removexattr()
	i3c: master: svc: resend target address when get NACK
	i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup
	kselftests: dmabuf-heaps: Ensure the driver name is null-terminated
	spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware
	btrfs: initialize location to fix -Wmaybe-uninitialized in btrfs_lookup_dentry()
	s390/vmlinux.lds.S: Move ro_after_init section behind rodata section
	HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
	HID: amd_sfh: free driver_data after destroying hid device
	Input: uinput - reject requests with unreasonable number of slots
	usbnet: ipheth: race between ipheth_close and error handling
	Squashfs: sanity check symbolic link size
	of/irq: Prevent device address out-of-bounds read in interrupt map walk
	lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
	MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed
	spi: spi-fsl-lpspi: limit PRESCALE bit in TCR register
	ata: pata_macio: Use WARN instead of BUG
	smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()
	NFSv4: Add missing rescheduling points in nfs_client_return_marked_delegations
	riscv: Use WRITE_ONCE() when setting page table entries
	mm: Introduce pudp/p4dp/pgdp_get() functions
	riscv: mm: Only compile pgtable.c if MMU
	riscv: Use accessors to page table entries instead of direct dereference
	ACPI: CPPC: Add helper to get the highest performance value
	cpufreq: amd-pstate: Enable amd-pstate preferred core support
	cpufreq: amd-pstate: fix the highest frequency issue which limits performance
	tcp: process the 3rd ACK with sk_socket for TFO/MPTCP
	intel: legacy: Partial revert of field get conversion
	staging: iio: frequency: ad9834: Validate frequency parameter value
	iio: buffer-dmaengine: fix releasing dma channel on error
	iio: fix scale application in iio_convert_raw_to_processed_unlocked
	iio: adc: ad7124: fix config comparison
	iio: adc: ad7606: remove frstdata check for serial mode
	iio: adc: ad7124: fix chip ID mismatch
	usb: dwc3: core: update LC timer as per USB Spec V3.2
	usb: cdns2: Fix controller reset issue
	usb: dwc3: Avoid waking up gadget during startxfer
	misc: fastrpc: Fix double free of 'buf' in error path
	binder: fix UAF caused by offsets overwrite
	nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
	uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
	Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
	VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
	clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX
	clocksource/drivers/imx-tpm: Fix next event not taking effect sometime
	clocksource/drivers/timer-of: Remove percpu irq related code
	uprobes: Use kzalloc to allocate xol area
	perf/aux: Fix AUX buffer serialization
	mm/vmscan: use folio_migratetype() instead of get_pageblock_migratetype()
	Revert "mm: skip CMA pages when they are not available"
	workqueue: wq_watchdog_touch is always called with valid CPU
	workqueue: Improve scalability of workqueue watchdog touch
	ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add()
	ACPI: processor: Fix memory leaks in error paths of processor_add()
	arm64: acpi: Move get_cpu_for_acpi_id() to a header
	arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
	can: mcp251xfd: mcp251xfd_handle_rxif_ring_uinc(): factor out in separate function
	can: mcp251xfd: rx: prepare to workaround broken RX FIFO head index erratum
	can: mcp251xfd: clarify the meaning of timestamp
	can: mcp251xfd: rx: add workaround for erratum DS80000789E 6 of mcp2518fd
	drm/amd: Add gfx12 swizzle mode defs
	drm/amdgpu: handle gfx12 in amdgpu_display_verify_sizes
	ata: libata-scsi: Remove redundant sense_buffer memsets
	ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf
	crypto: starfive - Align rsa input data to 32-bit
	crypto: starfive - Fix nent assignment in rsa dec
	clk: qcom: ipq9574: Update the alpha PLL type for GPLLs
	powerpc/64e: remove unused IBM HTW code
	powerpc/64e: split out nohash Book3E 64-bit code
	powerpc/64e: Define mmu_pte_psize static
	powerpc/vdso: Don't discard rela sections
	ASoC: tegra: Fix CBB error during probe()
	nvmet-tcp: fix kernel crash if commands allocation fails
	nvme-pci: allocate tagset on reset if necessary
	ASoc: SOF: topology: Clear SOF link platform name upon unload
	ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode
	clk: qcom: gcc-sm8550: Don't use parking clk_ops for QUPs
	clk: qcom: gcc-sm8550: Don't park the USB RCG at registration time
	drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused
	drm/i915/fence: Mark debug_fence_free() with __maybe_unused
	gpio: rockchip: fix OF node leak in probe()
	gpio: modepin: Enable module autoloading
	smb: client: fix double put of @cfile in smb2_rename_path()
	riscv: Fix toolchain vector detection
	riscv: Do not restrict memory size because of linear mapping on nommu
	ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()
	membarrier: riscv: Add full memory barrier in switch_mm()
	x86/mm: Fix PTI for i386 some more
	btrfs: fix race between direct IO write and fsync when using same fd
	spi: spi-fsl-lpspi: Fix off-by-one in prescale max
	Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync
	Bluetooth: hci_sync: Fix UAF on create_le_conn_complete
	Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
	Linux 6.6.51

Change-Id: I4d9ef7a63380e5875e611ee548b4cc87ccea2936
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-09-12 10:50:00 +00:00
Kuniyuki Iwashima
9c2450cf5d af_unix: Remove put_pid()/put_cred() in copy_peercred().
[ Upstream commit e4bd881d98 ]

When an (AF_UNIX, SOCK_STREAM) socket connect()s to a listening socket,
the listener's sk_peer_pid/sk_peer_cred are copied to the client in
copy_peercred().

Then, the client's sk_peer_pid and sk_peer_cred are always NULL, so
we need not call put_pid() and put_cred() there.

Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-09-12 11:11:29 +02:00
Greg Kroah-Hartman
5f0341154e Merge 6.6.46 into android15-6.6-lts
Changes in 6.6.46
	irqchip/mbigen: Fix mbigen node address layout
	platform/x86/intel/ifs: Store IFS generation number
	platform/x86/intel/ifs: Gen2 Scan test support
	platform/x86/intel/ifs: Initialize union ifs_status to zero
	jump_label: Fix the fix, brown paper bags galore
	x86/mm: Fix pti_clone_pgtable() alignment assumption
	x86/mm: Fix pti_clone_entry_text() for i386
	smb: client: handle lack of FSCTL_GET_REPARSE_POINT support
	wifi: ath12k: rename the sc naming convention to ab
	wifi: ath12k: add CE and ext IRQ flag to indicate irq_handler
	wifi: ath12k: fix soft lockup on suspend
	sctp: Fix null-ptr-deref in reuseport_add_sock().
	net: usb: qmi_wwan: fix memory leak for not ip packets
	net: bridge: mcast: wait for previous gc cycles when removing port
	net: linkwatch: use system_unbound_wq
	ice: Fix reset handler
	Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
	Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor
	net/smc: add the max value of fallback reason count
	net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
	l2tp: fix lockdep splat
	net: bcmgenet: Properly overlay PHY and MAC Wake-on-LAN capabilities
	net: fec: Stop PPS on driver remove
	gpio: prevent potential speculation leaks in gpio_device_get_desc()
	hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu
	rcutorture: Fix rcu_torture_fwd_cb_cr() data race
	md: do not delete safemode_timer in mddev_suspend
	md/raid5: avoid BUG_ON() while continue reshape after reassembling
	block: change rq_integrity_vec to respect the iterator
	rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation
	clocksource/drivers/sh_cmt: Address race condition for clock events
	ACPI: battery: create alarm sysfs attribute atomically
	ACPI: SBS: manage alarm sysfs attribute through psy core
	xen: privcmd: Switch from mutex to spinlock for irqfds
	wifi: nl80211: disallow setting special AP channel widths
	wifi: ath12k: fix memory leak in ath12k_dp_rx_peer_frag_setup()
	net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink
	selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT
	af_unix: Don't retry after unix_state_lock_nested() in unix_stream_connect().
	PCI: Add Edimax Vendor ID to pci_ids.h
	udf: prevent integer overflow in udf_bitmap_free_blocks()
	wifi: nl80211: don't give key data to userspace
	can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum
	can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd
	net: stmmac: qcom-ethqos: enable SGMII loopback during DMA reset on sa8775p-ride-r3
	btrfs: do not clear page dirty inside extent_write_locked_range()
	btrfs: fix bitmap leak when loading free space cache on duplicate entry
	Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading
	drm/amd/display: Add delay to improve LTTPR UHBR interop
	drm/amdgpu: fix potential resource leak warning
	drm/amdgpu/pm: Fix the param type of set_power_profile_mode
	drm/amdgpu/pm: Fix the null pointer dereference for smu7
	drm/amdgpu: Fix the null pointer dereference to ras_manager
	drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules
	drm/admgpu: fix dereferencing null pointer context
	drm/amdgpu: Add lock around VF RLCG interface
	drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
	media: amphion: Remove lock in s_ctrl callback
	drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update
	drm/amd/display: Add null checker before passing variables
	media: uvcvideo: Ignore empty TS packets
	media: uvcvideo: Fix the bandwdith quirk on USB 3.x
	media: xc2028: avoid use-after-free in load_firmware_cb()
	ext4: fix uninitialized variable in ext4_inlinedir_to_tree
	jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
	s390/sclp: Prevent release of buffer in I/O
	SUNRPC: Fix a race to wake a sync task
	profiling: remove profile=sleep support
	scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
	irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to 'raw_spinlock_t'
	irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq()
	sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime
	net: drop bad gso csum_start and offset in virtio_net_hdr
	arm64: Add Neoverse-V2 part
	arm64: barrier: Restore spec_bar() macro
	arm64: cputype: Add Cortex-X4 definitions
	arm64: cputype: Add Neoverse-V3 definitions
	arm64: errata: Add workaround for Arm errata 3194386 and 3312417
	arm64: cputype: Add Cortex-X3 definitions
	arm64: cputype: Add Cortex-A720 definitions
	arm64: cputype: Add Cortex-X925 definitions
	arm64: errata: Unify speculative SSBS errata logic
	arm64: errata: Expand speculative SSBS workaround
	arm64: cputype: Add Cortex-X1C definitions
	arm64: cputype: Add Cortex-A725 definitions
	arm64: errata: Expand speculative SSBS workaround (again)
	i2c: smbus: Improve handling of stuck alerts
	ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask
	ASoC: codecs: wsa881x: Correct Soundwire ports mask
	ASoC: codecs: wsa883x: parse port-mapping information
	ASoC: codecs: wsa883x: Correct Soundwire ports mask
	ASoC: codecs: wsa884x: parse port-mapping information
	ASoC: codecs: wsa884x: Correct Soundwire ports mask
	ASoC: sti: add missing probe entry for player and reader
	spi: spidev: Add missing spi_device_id for bh2228fv
	ASoC: SOF: Remove libraries from topology lookups
	i2c: smbus: Send alert notifications to all devices if source not found
	bpf: kprobe: remove unused declaring of bpf_kprobe_override
	kprobes: Fix to check symbol prefixes correctly
	i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume
	i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume
	spi: spi-fsl-lpspi: Fix scldiv calculation
	ALSA: usb-audio: Re-add ScratchAmp quirk entries
	ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT
	cifs: cifs_inval_name_dfs_link_error: correct the check for fullpath
	module: warn about excessively long module waits
	module: make waiting for a concurrent module loader interruptible
	drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
	drm/amd/display: Skip Recompute DSC Params if no Stream on Link
	drm/amdgpu: Forward soft recovery errors to userspace
	drm/i915/gem: Adjust vma offset for framebuffer mmap offset
	drm/client: fix null pointer dereference in drm_client_modeset_probe
	ALSA: line6: Fix racy access to midibuf
	ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
	ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks
	ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
	usb: vhci-hcd: Do not drop references before new references are gained
	USB: serial: debug: do not echo input by default
	usb: gadget: core: Check for unset descriptor
	usb: gadget: midi2: Fix the response for FB info with block 0xff
	usb: gadget: u_serial: Set start_delayed during suspend
	usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed.
	scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES
	scsi: ufs: core: Do not set link to OFF state while waking up from hibernation
	scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
	tick/broadcast: Move per CPU pointer access into the atomic section
	vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler
	ntp: Clamp maxerror and esterror to operating range
	clocksource: Scale the watchdog read retries automatically
	clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()
	driver core: Fix uevent_show() vs driver detach race
	tracefs: Fix inode allocation
	tracefs: Use generic inode RCU for synchronizing freeing
	ntp: Safeguard against time_constant overflow
	timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()
	serial: core: check uartclk for zero to avoid divide by zero
	memcg: protect concurrent access to mem_cgroup_idr
	parisc: fix unaligned accesses in BPF
	parisc: fix a possible DMA corruption
	ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx
	kcov: properly check for softirq context
	irqchip/xilinx: Fix shift out of bounds
	genirq/irqdesc: Honor caller provided affinity in alloc_desc()
	LoongArch: Enable general EFI poweroff method
	power: supply: qcom_battmgr: return EAGAIN when firmware service is not up
	power: supply: axp288_charger: Fix constant_charge_voltage writes
	power: supply: axp288_charger: Round constant_charge_voltage writes down
	tracing: Fix overflow in get_free_elt()
	padata: Fix possible divide-by-0 panic in padata_mt_helper()
	smb3: fix setting SecurityFlags when encryption is required
	eventfs: Don't return NULL in eventfs_create_dir()
	eventfs: Use SRCU for freeing eventfs_inodes
	selftests: mm: add s390 to ARCH check
	btrfs: avoid using fixed char array size for tree names
	x86/paravirt: Fix incorrect virt spinlock setting on bare metal
	x86/mtrr: Check if fixed MTRRs exist before saving them
	sched/smt: Introduce sched_smt_present_inc/dec() helper
	sched/smt: Fix unbalance sched_smt_present dec/inc
	sched/core: Introduce sched_set_rq_on/offline() helper
	sched/core: Fix unbalance set_rq_online/offline() in sched_cpu_deactivate()
	drm/bridge: analogix_dp: properly handle zero sized AUX transactions
	drm/dp_mst: Skip CSN if topology probing is not done yet
	drm/lima: Mark simple_ondemand governor as softdep
	drm/mgag200: Set DDC timeout in milliseconds
	drm/mgag200: Bind I2C lifetime to DRM device
	drm/radeon: Remove __counted_by from StateArray.states[]
	mptcp: fully established after ADD_ADDR echo on MPJ
	mptcp: pm: fix backup support in signal endpoints
	selftests: mptcp: fix error path
	mptcp: pm: deny endp with signal + subflow + port
	block: use the right type for stub rq_integrity_vec()
	Revert "drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update"
	mm: huge_memory: don't force huge page alignment on 32 bit
	mm: huge_memory: use !CONFIG_64BIT to relax huge page alignment on 32 bit machines
	btrfs: fix corruption after buffer fault in during direct IO append write
	netfilter: nf_tables: prefer nft_chain_validate
	ipv6: fix source address selection with route leak
	tools headers arm64: Sync arm64's cputype.h with the kernel sources
	mm/hugetlb: fix potential race in __update_and_free_hugetlb_folio()
	nouveau: set placement to original placement on uvmm validate.
	xfs: fix log recovery buffer allocation for the legacy h_size fixup
	mptcp: pm: reduce indentation blocks
	mptcp: pm: don't try to create sf if alloc failed
	mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set
	selftests: mptcp: join: ability to invert ADD_ADDR check
	selftests: mptcp: join: test both signal & subflow
	Revert "selftests: mptcp: simult flows: mark 'unbalanced' tests as flaky"
	btrfs: fix double inode unlock for direct IO sync writes
	Linux 6.6.46

Change-Id: Idc45a66598944f07c7f40c58c18270873b016c5c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-08-17 07:23:13 +00:00
Greg Kroah-Hartman
734ce10f8a This is the 6.6.44 stable release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmat1HIACgkQONu9yGCS
 aT7VAxAAtIFXk1NcasgWtNVGeC9Mi08sndFKq//LweSVxbCsZvixslGoFcJojMv2
 NLNXaA6nulFfRgaCez38U6wL+UcM+q2CGX7CZcwMJ4mAJvxPLfzq4YPOFed8JGuA
 OHQWxKITpD7jl+ySMLlNgx+0K6ieSdpaxDKm9witVINFn5ntiyEkM2oXcI2AVVNu
 gT8O2tFo/91CJMvk2jlKaxRdcYOFc2xs/Y/T0/hWeSIeVlCeHeGeeRqPWyiklcr2
 xJr3pDokrxeoZaF4t2TxUdx96UBT1VmEQGQiFdIZOVwSkwNIgtA04oIJLm3RVBVg
 13lIPKDZgUs2iGkML3jfsBJtfvRYJVugcGbkgG9eP9kiJ5FPpOce731WGOvZsUmJ
 kvBLKt8d9f1PNLgZs2RW+NdCUhzyaA5sZyTKTMbNiIvHRK9YS2YcyIucdEZnyvBt
 KWSLOCOU/9mI8/i+bM6KKBrXteFXL2URRhvKfz2ci3yyK/1dOnh8yvQkdv/X2WFY
 l/tLKrl948148tJmJdWPM1oKlZgysDElP+W0J+2ZxMQZKV5LOtWgXsVtNPVFGFEp
 rmdLsfbk2N5Q22QsHqhW2PjrdPOhqHCwwujLbLFT63LcunRghlAw+IkKWGxIaWVN
 qwg+vTPCGVFX1vfI/dhV9MRjckzK6OKrOMZbRBbUHqyPTHh22Uw=
 =x29I
 -----END PGP SIGNATURE-----

Merge 6.6.44 into android15-6.6-lts

Changes in 6.6.44
	powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC
	spi: spi-microchip-core: Fix the number of chip selects supported
	spi: atmel-quadspi: Add missing check for clk_prepare
	EDAC, i10nm: make skx_common.o a separate module
	rcu/tasks: Fix stale task snaphot for Tasks Trace
	md: fix deadlock between mddev_suspend and flush bio
	platform/chrome: cros_ec_debugfs: fix wrong EC message version
	ubd: refactor the interrupt handler
	ubd: untagle discard vs write zeroes not support handling
	block: initialize integrity buffer to zero before writing it to media
	x86/kconfig: Add as-instr64 macro to properly evaluate AS_WRUSS
	hfsplus: fix to avoid false alarm of circular locking
	x86/of: Return consistent error type from x86_of_pci_irq_enable()
	x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling
	x86/pci/xen: Fix PCIBIOS_* return code handling
	x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
	kernfs: Convert kernfs_path_from_node_locked() from strlcpy() to strscpy()
	cgroup/cpuset: Prevent UAF in proc_cpuset_show()
	hwmon: (adt7475) Fix default duty on fan is disabled
	block: Call .limit_depth() after .hctx has been set
	block/mq-deadline: Fix the tag reservation code
	md: Don't wait for MD_RECOVERY_NEEDED for HOT_REMOVE_DISK ioctl
	pwm: stm32: Always do lazy disabling
	nvmet-auth: fix nvmet_auth hash error handling
	drm/meson: fix canvas release in bind function
	pwm: atmel-tcb: Fix race condition and convert to guards
	hwmon: (max6697) Fix underflow when writing limit attributes
	hwmon: (max6697) Fix swapped temp{1,8} critical alarms
	arm64: dts: qcom: sc8180x: Correct PCIe slave ports
	arm64: dts: qcom: sc8180x: switch UFS QMP PHY to new style of bindings
	arm64: dts: qcom: sc8180x: add power-domain to UFS PHY
	arm64: dts: qcom: sdm845: add power-domain to UFS PHY
	arm64: dts: qcom: sm6115: add power-domain to UFS PHY
	arm64: dts: qcom: sm6350: add power-domain to UFS PHY
	arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of bindings
	arm64: dts: qcom: sm8250: add power-domain to UFS PHY
	arm64: dts: qcom: sm8350: add power-domain to UFS PHY
	arm64: dts: qcom: sm8450: add power-domain to UFS PHY
	arm64: dts: qcom: msm8996-xiaomi-common: drop excton from the USB PHY
	arm64: dts: qcom: sdm850-lenovo-yoga-c630: fix IPA firmware path
	arm64: dts: qcom: msm8998: enable adreno_smmu by default
	soc: qcom: pmic_glink: Handle the return value of pmic_glink_init
	soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data() callers
	arm64: dts: rockchip: Add sdmmc related properties on rk3308-rock-pi-s
	arm64: dts: rockchip: Add pinctrl for UART0 to rk3308-rock-pi-s
	arm64: dts: rockchip: Add mdio and ethernet-phy nodes to rk3308-rock-pi-s
	arm64: dts: rockchip: Update WIFi/BT related nodes on rk3308-rock-pi-s
	arm64: dts: qcom: msm8996: specify UFS core_clk frequencies
	arm64: dts: qcom: sa8775p: mark ethernet devices as DMA-coherent
	soc: xilinx: rename cpu_number1 to dummy_cpu_number
	ARM: dts: sunxi: remove duplicated entries in makefile
	ARM: dts: stm32: Add arm,no-tick-in-suspend to STM32MP15xx STGEN timer
	arm64: dts: qcom: qrb4210-rb2: make L9A always-on
	cpufreq: ti-cpufreq: Handle deferred probe with dev_err_probe()
	OPP: ti: Fix ti_opp_supply_probe wrong return values
	memory: fsl_ifc: Make FSL_IFC config visible and selectable
	arm64: dts: ti: k3-am62x: Drop McASP AFIFOs
	arm64: dts: ti: k3-am625-beagleplay: Drop McASP AFIFOs
	arm64: dts: ti: k3-am62-verdin: Drop McASP AFIFOs
	arm64: dts: qcom: qdu1000-idp: drop unused LLCC multi-ch-bit-off
	arm64: dts: qcom: qdu1000: Add secure qfprom node
	soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove
	soc: qcom: pdr: protect locator_addr with the main mutex
	soc: qcom: pdr: fix parsing of domains lists
	arm64: dts: rockchip: Increase VOP clk rate on RK3328
	arm64: dts: amlogic: sm1: fix spdif compatibles
	ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode
	ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset
	ARM: dts: imx6qdl-kontron-samx6i: fix board reset
	ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects
	ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity
	arm64: dts: mediatek: mt8195: Fix GPU thermal zone name for SVS
	arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property
	arm64: dts: mediatek: mt8192-asurada: Add off-on-delay-us for pp3300_mipibrdg
	arm64: dts: mediatek: mt7622: fix "emmc" pinctrl mux
	arm64: dts: mediatek: mt8183-kukui: Fix the value of `dlg,jack-det-rate` mismatch
	arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625
	arm64: dts: amlogic: gx: correct hdmi clocks
	arm64: dts: amlogic: add power domain to hdmitx
	arm64: dts: amlogic: setup hdmi system clock
	arm64: dts: rockchip: Drop invalid mic-in-differential on rk3568-rock-3a
	arm64: dts: rockchip: Fix mic-in-differential usage on rk3566-roc-pc
	arm64: dts: rockchip: Fix mic-in-differential usage on rk3568-evb1-v10
	arm64: dts: renesas: r8a779a0: Add missing hypervisor virtual timer IRQ
	arm64: dts: renesas: r8a779f0: Add missing hypervisor virtual timer IRQ
	arm64: dts: renesas: r8a779g0: Add missing hypervisor virtual timer IRQ
	arm64: dts: renesas: r9a07g043u: Add missing hypervisor virtual timer IRQ
	arm64: dts: renesas: r9a07g044: Add missing hypervisor virtual timer IRQ
	arm64: dts: renesas: r9a07g054: Add missing hypervisor virtual timer IRQ
	m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages
	arm64: dts: imx8mp: Add NPU Node
	arm64: dts: imx8mp: Fix pgc_mlmix location
	arm64: dts: imx8mp: add HDMI power-domains
	arm64: dts: imx8mp: Fix pgc vpu locations
	x86/xen: Convert comma to semicolon
	arm64: dts: rockchip: Add missing power-domains for rk356x vop_mmu
	arm64: dts: rockchip: fix regulator name for Lunzn Fastrhino R6xS
	arm64: dts: rockchip: fix usb regulator for Lunzn Fastrhino R6xS
	arm64: dts: rockchip: fix pmu_io supply for Lunzn Fastrhino R6xS
	arm64: dts: rockchip: remove unused usb2 nodes for Lunzn Fastrhino R6xS
	arm64: dts: rockchip: disable display subsystem for Lunzn Fastrhino R6xS
	arm64: dts: rockchip: fixes PHY reset for Lunzn Fastrhino R68S
	arm64: dts: qcom: sm6350: Add missing qcom,non-secure-domain property
	cpufreq/amd-pstate: Fix the scaling_max_freq setting on shared memory CPPC systems
	m68k: cmpxchg: Fix return value for default case in __arch_xchg()
	ARM: spitz: fix GPIO assignment for backlight
	vmlinux.lds.h: catch .bss..L* sections into BSS")
	firmware: turris-mox-rwtm: Do not complete if there are no waiters
	firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout()
	firmware: turris-mox-rwtm: Initialize completion before mailbox
	wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
	wifi: ath12k: Correct 6 GHz frequency value in rx status
	wifi: ath12k: Fix tx completion ring (WBM2SW) setup failure
	bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer
	selftests/bpf: Fix prog numbers in test_sockmap
	net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP
	wifi: ath12k: change DMA direction while mapping reinjected packets
	wifi: ath12k: fix invalid memory access while processing fragmented packets
	wifi: ath12k: fix firmware crash during reo reinject
	wifi: ath11k: Update Qualcomm Innovation Center, Inc. copyrights
	wifi: ath11k: fix wrong definition of CE ring's base address
	wifi: ath12k: fix wrong definition of CE ring's base address
	tcp: add tcp_done_with_error() helper
	tcp: fix race in tcp_write_err()
	tcp: fix races in tcp_v[46]_err()
	net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined
	selftests/bpf: Check length of recv in test_sockmap
	udf: Fix lock ordering in udf_evict_inode()
	lib: objagg: Fix general protection fault
	mlxsw: spectrum_acl_erp: Fix object nesting warning
	mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors
	perf/x86: Serialize set_attr_rdpmc()
	jump_label: Fix concurrency issues in static_key_slow_dec()
	wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers
	wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
	wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()
	udf: Fix bogus checksum computation in udf_rename()
	net: fec: Refactor: #define magic constants
	net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
	libbpf: Checking the btf_type kind when fixing variable offsets
	xfrm: Fix unregister netdevice hang on hardware offload.
	ipvs: Avoid unnecessary calls to skb_is_gso_sctp
	netfilter: nf_tables: rise cap on SELinux secmark context
	wifi: rtw89: 8852b: fix definition of KIP register number
	wifi: rtl8xxxu: 8188f: Limit TX power index
	xfrm: Export symbol xfrm_dev_state_delete.
	bpftool: Mount bpffs when pinmaps path not under the bpffs
	perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation
	perf: Fix perf_aux_size() for greater-than 32-bit size
	perf: Prevent passing zero nr_pages to rb_alloc_aux()
	perf: Fix default aux_watermark calculation
	perf/x86/intel/cstate: Fix Alderlake/Raptorlake/Meteorlake
	wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()
	xfrm: fix netdev reference count imbalance
	xfrm: call xfrm_dev_policy_delete when kill policy
	wifi: virt_wifi: avoid reporting connection success with wrong SSID
	gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey
	wifi: virt_wifi: don't use strlen() in const context
	locking/rwsem: Add __always_inline annotation to __down_write_common() and inlined callers
	selftests/bpf: Close fd in error path in drop_on_reuseport
	selftests/bpf: Null checks for links in bpf_tcp_ca
	selftests/bpf: Close obj in error path in xdp_adjust_tail
	selftests/resctrl: Move run_benchmark() to a more fitting file
	selftests/resctrl: Convert perror() to ksft_perror() or ksft_print_msg()
	selftests/resctrl: Fix closing IMC fds on error and open-code R+W instead of loops
	bpf: annotate BTF show functions with __printf
	bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
	bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o
	bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT
	selftests: forwarding: devlink_lib: Wait for udev events after reloading
	Bluetooth: hci_bcm4377: Use correct unit for timeouts
	Bluetooth: btintel: Refactor btintel_set_ppag()
	Bluetooth: btnxpuart: Add handling for boot-signature timeout errors
	xdp: fix invalid wait context of page_pool_destroy()
	net: bridge: mst: Check vlan state for egress decision
	drm/rockchip: vop2: Fix the port mux of VP2
	drm/arm/komeda: Fix komeda probe failing if there are no links in the secondary pipeline
	drm/amdkfd: Fix CU Masking for GFX 9.4.3
	drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_dcs_write_seq()
	drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_generic_write_seq()
	drm/amd/pm: Fix aldebaran pcie speed reporting
	drm/amdgpu: Fix memory range calculation
	drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit
	drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1
	drm/panel: himax-hx8394: Handle errors from mipi_dsi_dcs_set_display_on() better
	drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before regulators
	drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()
	drm/bridge: Fixed a DP link training bug
	drm/bridge: it6505: fix hibernate to resume no display issue
	media: pci: ivtv: Add check for DMA map result
	media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()
	media: imon: Fix race getting ictx->lock
	media: i2c: Fix imx412 exposure control
	media: v4l: async: Fix NULL pointer dereference in adding ancillary links
	s390/mm: Convert make_page_secure to use a folio
	s390/mm: Convert gmap_make_secure to use a folio
	s390/uv: Don't call folio_wait_writeback() without a folio reference
	media: mediatek: vcodec: Handle invalid decoder vsi
	x86/shstk: Make return uprobe work with shadow stack
	ipmi: ssif_bmc: prevent integer overflow on 32bit systems
	saa7134: Unchecked i2c_transfer function result fixed
	media: i2c: imx219: fix msr access command sequence
	media: uvcvideo: Disable autosuspend for Insta360 Link
	media: uvcvideo: Quirk for invalid dev_sof in Logitech C922
	media: uvcvideo: Add quirk for invalid dev_sof in Logitech C920
	media: uvcvideo: Override default flags
	drm: zynqmp_dpsub: Fix an error handling path in zynqmp_dpsub_probe()
	drm: zynqmp_kms: Fix AUX bus not getting unregistered
	media: rcar-vin: Fix YUYV8_1X16 handling for CSI-2
	media: rcar-csi2: Disable runtime_pm in probe error
	media: rcar-csi2: Cleanup subdevice in remove()
	media: renesas: vsp1: Fix _irqsave and _irq mix
	media: renesas: vsp1: Store RPF partition configuration per RPF instance
	drm/mediatek: Add missing plane settings when async update
	drm/mediatek: Use 8-bit alpha in ETHDR
	drm/mediatek: Fix XRGB setting error in OVL
	drm/mediatek: Fix XRGB setting error in Mixer
	drm/mediatek: Fix destination alpha error in OVL
	drm/mediatek: Turn off the layers with zero width or height
	drm/mediatek: Add OVL compatible name for MT8195
	media: imx-jpeg: Drop initial source change event if capture has been setup
	leds: trigger: Unregister sysfs attributes before calling deactivate()
	drm/msm/dsi: set VIDEO_COMPRESSION_MODE_CTRL_WC
	drm/msm/dpu: drop validity checks for clear_pending_flush() ctl op
	perf test: Make test_arm_callgraph_fp.sh more robust
	perf pmus: Fixes always false when compare duplicates aliases
	perf report: Fix condition in sort__sym_cmp()
	drm/etnaviv: fix DMA direction handling for cached RW buffers
	drm/qxl: Add check for drm_cvt_mode
	Revert "leds: led-core: Fix refcount leak in of_led_get()"
	drm/mediatek: Remove less-than-zero comparison of an unsigned value
	ext4: fix infinite loop when replaying fast_commit
	drm/mediatek/dp: switch to ->edid_read callback
	drm/mediatek/dp: Fix spurious kfree()
	media: venus: flush all buffers in output plane streamoff
	perf intel-pt: Fix aux_watermark calculation for 64-bit size
	perf intel-pt: Fix exclude_guest setting
	mfd: rsmu: Split core code into separate module
	mfd: omap-usb-tll: Use struct_size to allocate tll
	xprtrdma: Fix rpcrdma_reqs_reset()
	SUNRPC: avoid soft lockup when transmitting UDP to reachable server.
	NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server
	ext4: don't track ranges in fast_commit if inode has inlined data
	ext4: avoid writing unitialized memory to disk in EA inodes
	leds: flash: leds-qcom-flash: Test the correct variable in init
	sparc64: Fix incorrect function signature and add prototype for prom_cif_init
	SUNRPC: Fixup gss_status tracepoint error output
	iio: Fix the sorting functionality in iio_gts_build_avail_time_table
	PCI: Fix resource double counting on remove & rescan
	PCI: keystone: Relocate ks_pcie_set/clear_dbi_mode()
	PCI: keystone: Don't enable BAR 0 for AM654x
	PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()
	PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()
	scsi: ufs: mcq: Fix missing argument 'hba' in MCQ_OPR_OFFSET_n
	clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock
	clk: qcom: camcc-sc7280: Add parent dependency to all camera GDSCs
	iio: frequency: adrf6780: rm clk provider include
	KVM: PPC: Book3S HV: Fix the set_one_reg for MMCR3
	KVM: PPC: Book3S HV: Fix the get_one_reg of SDAR
	coresight: Fix ref leak when of_coresight_parse_endpoint() fails
	RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE
	ASoc: tas2781: Enable RCA-based playback without DSP firmware download
	ASoC: cs35l56: Accept values greater than 0 as IRQ numbers
	usb: typec-mux: nb7vpq904m: unregister typec switch on probe error and remove
	RDMA/cache: Release GID table even if leak is detected
	clk: qcom: gpucc-sm8350: Park RCG's clk source at XO during disable
	clk: qcom: gcc-sa8775p: Update the GDSC wait_val fields and flags
	clk: qcom: gpucc-sa8775p: Remove the CLK_IS_CRITICAL and ALWAYS_ON flags
	clk: qcom: gpucc-sa8775p: Park RCG's clk source at XO during disable
	clk: qcom: gpucc-sa8775p: Update wait_val fields for GPU GDSC's
	interconnect: qcom: qcm2290: Fix mas_snoc_bimc RPM master ID
	Input: qt1050 - handle CHIP_ID reading error
	RDMA/mlx4: Fix truncated output warning in mad.c
	RDMA/mlx4: Fix truncated output warning in alias_GUID.c
	RDMA/mlx5: Use sq timestamp as QP timestamp when RoCE is disabled
	RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
	ASoC: qcom: Adjust issues in case of DT error in asoc_qcom_lpass_cpu_platform_probe()
	scsi: lpfc: Fix a possible null pointer dereference
	hwrng: core - Fix wrong quality calculation at hw rng registration
	powerpc/prom: Add CPU info to hardware description string later
	ASoC: max98088: Check for clk_prepare_enable() error
	mtd: make mtd_test.c a separate module
	RDMA/device: Return error earlier if port in not valid
	Input: elan_i2c - do not leave interrupt disabled on suspend failure
	ASoC: amd: Adjust error handling in case of absent codec device
	PCI: endpoint: Clean up error handling in vpci_scan_bus()
	PCI: endpoint: Fix error handling in epf_ntb_epc_cleanup()
	vhost/vsock: always initialize seqpacket_allow
	net: missing check virtio
	nvmem: rockchip-otp: set add_legacy_fixed_of_cells config option
	crypto: qat - extend scope of lock in adf_cfg_add_key_value_param()
	clk: qcom: kpss-xcc: Return of_clk_add_hw_provider to transfer the error
	clk: qcom: Park shared RCGs upon registration
	clk: en7523: fix rate divider for slic and spi clocks
	MIPS: Octeron: remove source file executable bit
	PCI: qcom-ep: Disable resources unconditionally during PERST# assert
	PCI: dwc: Fix index 0 incorrectly being interpreted as a free ATU slot
	powerpc/xmon: Fix disassembly CPU feature checks
	macintosh/therm_windtunnel: fix module unload.
	RDMA/hns: Check atomic wr length
	RDMA/hns: Fix unmatch exception handling when init eq table fails
	RDMA/hns: Fix missing pagesize and alignment check in FRMR
	RDMA/hns: Fix shift-out-bounds when max_inline_data is 0
	RDMA/hns: Fix undifined behavior caused by invalid max_sge
	RDMA/hns: Fix insufficient extend DB for VFs.
	iommu/vt-d: Fix identity map bounds in si_domain_init()
	RDMA/core: Remove NULL check before dev_{put, hold}
	RDMA: Fix netdev tracker in ib_device_set_netdev
	bnxt_re: Fix imm_data endianness
	netfilter: ctnetlink: use helper function to calculate expect ID
	netfilter: nft_set_pipapo: constify lookup fn args where possible
	netfilter: nf_set_pipapo: fix initial map fill
	ipvs: properly dereference pe in ip_vs_add_service
	gve: Fix XDP TX completion handling when counters overflow
	net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE
	ipv4: Fix incorrect TOS in route get reply
	ipv4: Fix incorrect TOS in fibmatch route get reply
	net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports
	net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports
	fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT
	fs/ntfs3: Fix transform resident to nonresident for compressed files
	fs/ntfs3: Deny getting attr data block in compressed frame
	fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting
	fs/ntfs3: Fix getting file type
	fs/ntfs3: Add missing .dirty_folio in address_space_operations
	pinctrl: rockchip: update rk3308 iomux routes
	pinctrl: core: fix possible memory leak when pinctrl_enable() fails
	pinctrl: single: fix possible memory leak when pinctrl_enable() fails
	pinctrl: ti: ti-iodelay: Drop if block with always false condition
	pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails
	pinctrl: freescale: mxs: Fix refcount of child
	fs/ntfs3: Replace inode_trylock with inode_lock
	fs/ntfs3: Correct undo if ntfs_create_inode failed
	fs/ntfs3: Drop stray '\' (backslash) in formatting string
	fs/ntfs3: Fix field-spanning write in INDEX_HDR
	pinctrl: renesas: r8a779g0: Fix CANFD5 suffix
	pinctrl: renesas: r8a779g0: Fix FXR_TXEN[AB] suffixes
	pinctrl: renesas: r8a779g0: Fix (H)SCIF1 suffixes
	pinctrl: renesas: r8a779g0: Fix (H)SCIF3 suffixes
	pinctrl: renesas: r8a779g0: Fix IRQ suffixes
	pinctrl: renesas: r8a779g0: FIX PWM suffixes
	pinctrl: renesas: r8a779g0: Fix TCLK suffixes
	pinctrl: renesas: r8a779g0: Fix TPU suffixes
	fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP
	fs/proc/task_mmu.c: add_to_pagemap: remove useless parameter addr
	fs/proc/task_mmu: don't indicate PM_MMAP_EXCLUSIVE without PM_PRESENT
	fs/proc/task_mmu: properly detect PM_MMAP_EXCLUSIVE per page of PMD-mapped THPs
	nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
	rtc: interface: Add RTC offset to alarm after fix-up
	fs/ntfs3: Fix the format of the "nocase" mount option
	fs/ntfs3: Missed error return
	fs/ntfs3: Keep runs for $MFT::$ATTR_DATA and $MFT::$ATTR_BITMAP
	powerpc/8xx: fix size given to set_huge_pte_at()
	s390/dasd: fix error checks in dasd_copy_pair_store()
	sbitmap: use READ_ONCE to access map->word
	sbitmap: fix io hung due to race on sbitmap_word::cleared
	LoongArch: Check TIF_LOAD_WATCH to enable user space watchpoint
	landlock: Don't lose track of restrictions on cred_transfer
	hugetlb: force allocating surplus hugepages on mempolicy allowed nodes
	mm/hugetlb: fix possible recursive locking detected warning
	mm/mglru: fix div-by-zero in vmpressure_calc_level()
	mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer
	mm/mglru: fix overshooting shrinker memory
	x86/efistub: Avoid returning EFI_SUCCESS on error
	x86/efistub: Revert to heap allocated boot_params for PE entrypoint
	exfat: fix potential deadlock on __exfat_get_dentry_set
	dt-bindings: thermal: correct thermal zone node name limit
	tick/broadcast: Make takeover of broadcast hrtimer reliable
	net: netconsole: Disable target before netpoll cleanup
	af_packet: Handle outgoing VLAN packets without hardware offloading
	btrfs: fix extent map use-after-free when adding pages to compressed bio
	kernel: rerun task_work while freezing in get_signal()
	ipv4: fix source address selection with route leak
	ipv6: take care of scope when choosing the src addr
	NFSD: Support write delegations in LAYOUTGET
	sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE tasks
	fuse: verify {g,u}id mount options correctly
	ata: libata-scsi: Fix offsets for the fixed format sense data
	char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
	media: venus: fix use after free in vdec_close
	ata: libata-scsi: Do not overwrite valid sense data when CK_COND=1
	ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error
	hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
	ext2: Verify bitmap and itable block numbers before using them
	io_uring/io-wq: limit retrying worker initialisation
	drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
	drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
	scsi: qla2xxx: Fix optrom version displayed in FDMI
	drm/amd/display: Check for NULL pointer
	apparmor: use kvfree_sensitive to free data->data
	cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path
	cifs: fix reconnect with SMB1 UNIX Extensions
	cifs: mount with "unix" mount option for SMB1 incorrectly handled
	task_work: s/task_work_cancel()/task_work_cancel_func()/
	task_work: Introduce task_work_cancel() again
	udf: Avoid using corrupted block bitmap buffer
	m68k: amiga: Turn off Warp1260 interrupts during boot
	ext4: check dot and dotdot of dx_root before making dir indexed
	ext4: make sure the first directory block is not a hole
	io_uring: tighten task exit cancellations
	trace/pid_list: Change gfp flags in pid_list_fill_irq()
	selftests/landlock: Add cred_transfer test
	wifi: mwifiex: Fix interface type change
	wifi: rtw88: usb: Fix disconnection after beacon loss
	drivers: soc: xilinx: check return status of get_api_version()
	leds: ss4200: Convert PCIBIOS_* return codes to errnos
	md/md-bitmap: fix writing non bitmap pages
	leds: mt6360: Fix memory leak in mt6360_init_isnk_properties()
	media: ivsc: csi: add separate lock for v4l2 control handler
	media: imx-pxp: Fix ERR_PTR dereference in pxp_probe()
	jbd2: make jbd2_journal_get_max_txn_bufs() internal
	jbd2: precompute number of transaction descriptor blocks
	jbd2: avoid infinite transaction commit loop
	media: uvcvideo: Fix integer overflow calculating timestamp
	media: ivsc: csi: don't count privacy on as error
	KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()
	KVM: nVMX: Request immediate exit iff pending nested event needs injection
	ALSA: ump: Don't update FB name for static blocks
	ALSA: ump: Force 1 Group for MIDI1 FBs
	ALSA: usb-audio: Fix microphone sound on HD webcam.
	ALSA: usb-audio: Move HD Webcam quirk to the right place
	ALSA: usb-audio: Add a quirk for Sonix HD USB Camera
	tools/memory-model: Fix bug in lock.cat
	hwrng: amd - Convert PCIBIOS_* return codes to errnos
	parisc: Fix warning at drivers/pci/msi/msi.h:121
	PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
	PCI: dw-rockchip: Fix initial PERST# GPIO value
	PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
	PCI: loongson: Enable MSI in LS7A Root Complex
	binder: fix hang of unregistered readers
	dev/parport: fix the array out-of-bounds risk
	hostfs: fix dev_t handling
	efi/libstub: Zero initialize heap allocated struct screen_info
	fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed
	scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
	ASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value
	f2fs: fix to force buffered IO on inline_data inode
	f2fs: fix to don't dirty inode for readonly filesystem
	f2fs: fix return value of f2fs_convert_inline_inode()
	f2fs: use meta inode for GC of atomic file
	f2fs: use meta inode for GC of COW file
	clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
	ubi: eba: properly rollback inside self_check_eba
	block: fix deadlock between sd_remove & sd_release
	mm: fix old/young bit handling in the faulting path
	decompress_bunzip2: fix rare decompression failure
	kbuild: Fix '-S -c' in x86 stack protector scripts
	ASoC: SOF: ipc4-topology: Preserve the DMA Link ID for ChainDMA on unprepare
	ASoC: amd: yc: Support mic on Lenovo Thinkpad E16 Gen 2
	kobject_uevent: Fix OOB access within zap_modalias_env()
	gve: Fix an edge case for TSO skb validity check
	ice: Add a per-VF limit on number of FDIR filters
	devres: Fix devm_krealloc() wasting memory
	devres: Fix memory leakage caused by driver API devm_free_percpu()
	irqdomain: Fixed unbalanced fwnode get and put
	irqchip/imx-irqsteer: Handle runtime power management correctly
	mm/numa_balancing: teach mpol_to_str about the balancing mode
	rtc: cmos: Fix return value of nvmem callbacks
	scsi: lpfc: Allow DEVICE_RECOVERY mode after RSCN receipt if in PRLI_ISSUE state
	scsi: qla2xxx: During vport delete send async logout explicitly
	scsi: qla2xxx: Unable to act on RSCN for port online
	scsi: qla2xxx: Fix for possible memory corruption
	scsi: qla2xxx: Use QP lock to search for bsg
	scsi: qla2xxx: Reduce fabric scan duplicate code
	scsi: qla2xxx: Fix flash read failure
	scsi: qla2xxx: Complete command early within lock
	scsi: qla2xxx: validate nvme_local_port correctly
	perf: Fix event leak upon exit
	perf: Fix event leak upon exec and file release
	perf stat: Fix the hard-coded metrics calculation on the hybrid
	perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR
	perf/x86/intel/ds: Fix non 0 retire latency on Raptorlake
	perf/x86/intel/pt: Fix topa_entry base length
	perf/x86/intel/pt: Fix a topa_entry base address calculation
	drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8
	drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell
	drm/udl: Remove DRM_CONNECTOR_POLL_HPD
	drm/dp_mst: Fix all mstb marked as not probed after suspend/resume
	drm/amdgpu: reset vm state machine after gpu reset(vram lost)
	drm/amd/amdgpu: Fix uninitialized variable warnings
	drm/i915/dp: Reset intel_dp->link_trained before retraining the link
	drm/i915/dp: Don't switch the LTTPR mode on an active link
	rtc: isl1208: Fix return value of nvmem callbacks
	rtc: abx80x: Fix return value of nvmem callback on read
	watchdog/perf: properly initialize the turbo mode timestamp and rearm counter
	platform: mips: cpu_hwmon: Disable driver on unsupported hardware
	RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
	selftests/sigaltstack: Fix ppc64 GCC build
	dm-verity: fix dm_is_verity_target() when dm-verity is builtin
	rbd: don't assume rbd_is_lock_owner() for exclusive mappings
	remoteproc: stm32_rproc: Fix mailbox interrupts queuing
	remoteproc: imx_rproc: Skip over memory region when node value is NULL
	remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init
	MIPS: dts: loongson: Add ISA node
	MIPS: ip30: ip30-console: Add missing include
	MIPS: dts: loongson: Fix GMAC phy node
	MIPS: Loongson64: env: Hook up Loongsson-2K
	MIPS: Loongson64: Remove memory node for builtin-dtb
	MIPS: Loongson64: reset: Prioritise firmware service
	MIPS: Loongson64: Test register availability before use
	drm/etnaviv: don't block scheduler when GPU is still active
	drm/panfrost: Mark simple_ondemand governor as softdep
	rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait
	rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings
	lib/build_OID_registry: don't mention the full path of the script in output
	video: logo: Drop full path of the input filename in generated file
	Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
	Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
	minmax: scsi: fix mis-use of 'clamp()' in sr.c
	nilfs2: handle inconsistent state in nilfs_btnode_create_block()
	mm/mglru: fix ineffective protection calculation
	wifi: mac80211: track capability/opmode NSS separately
	PCI: Introduce cleanup helpers for device reference counts and locks
	PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
	s390/mm: Fix VM_FAULT_HWPOISON handling in do_exception()
	f2fs: fix to truncate preallocated blocks in f2fs_file_open()
	kdb: address -Wformat-security warnings
	kdb: Use the passed prompt in kdb_position_cursor()
	jfs: Fix array-index-out-of-bounds in diFree
	dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels
	phy: cadence-torrent: Check return value on register read
	phy: zynqmp: Enable reference clock correctly
	um: time-travel: fix time-travel-start option
	um: time-travel: fix signal blocking race/hang
	f2fs: fix start segno of large section
	watchdog: rzg2l_wdt: Use pm_runtime_resume_and_get()
	watchdog: rzg2l_wdt: Check return status of pm_runtime_put()
	f2fs: fix to update user block counts in block_operations()
	kbuild: avoid build error when single DTB is turned into composite DTB
	selftests/bpf: fexit_sleep: Fix stack allocation for arm64
	libbpf: Fix no-args func prototype BTF dumping syntax
	af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash
	dma: fix call order in dmam_free_coherent
	bpf, events: Use prog to emit ksymbol event for main program
	tools/resolve_btfids: Fix comparison of distinct pointer types warning in resolve_btfids
	MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
	ipv4: Fix incorrect source address in Record Route option
	net: bonding: correctly annotate RCU in bond_should_notify_peers()
	ice: Fix recipe read procedure
	netfilter: nft_set_pipapo_avx2: disable softinterrupts
	tipc: Return non-zero value from tipc_udp_addr2str() on error
	net: stmmac: Correct byte order of perfect_match
	net: nexthop: Initialize all fields in dumped nexthops
	bpf: Fix a segment issue when downgrading gso_size
	mISDN: Fix a use after free in hfcmulti_tx()
	apparmor: Fix null pointer deref when receiving skb during sock creation
	powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()
	lirc: rc_dev_get_from_fd(): fix file leak
	auxdisplay: ht16k33: Drop reference after LED registration
	ASoC: SOF: imx8m: Fix DSP control regmap retrieval
	spi: microchip-core: fix the issues in the isr
	spi: microchip-core: defer asserting chip select until just before write to TX FIFO
	spi: microchip-core: only disable SPI controller when register value change requires it
	spi: microchip-core: switch to use modern name
	spi: microchip-core: fix init function not setting the master and motorola modes
	spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer
	nvme-pci: Fix the instructions for disabling power management
	ASoC: sof: amd: fix for firmware reload failure in Vangogh platform
	spi: spidev: add correct compatible for Rohm BH2228FV
	ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable
	ASoC: TAS2781: Fix tasdev_load_calibrated_data()
	ceph: fix incorrect kmalloc size of pagevec mempool
	s390/pci: Refactor arch_setup_msi_irqs()
	s390/pci: Allow allocation of more than 1 MSI interrupt
	s390/cpum_cf: Fix endless loop in CF_DIAG event stop
	iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en
	io_uring: fix io_match_task must_hold
	nvme-pci: add missing condition check for existence of mapped data
	fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT
	Linux 6.6.44

Change-Id: I84820a334b31726836b88b97417ba6f972a34a35
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-08-15 13:57:47 +00:00
Kuniyuki Iwashima
412f97f360 af_unix: Don't retry after unix_state_lock_nested() in unix_stream_connect().
[ Upstream commit 1ca27e0c8c ]

When a SOCK_(STREAM|SEQPACKET) socket connect()s to another one, we need
to lock the two sockets to check their states in unix_stream_connect().

We use unix_state_lock() for the server and unix_state_lock_nested() for
the client with a tricky sk->sk_state check to avoid deadlock.

The possible deadlock scenarios are the following:

  1) Self connect()
  2) Simultaneous connect()

The former is simple, an attempt to grab the same lock, and the latter is
an AB-BA deadlock.

After the server's unix_state_lock(), we check the server socket's state,
and if it's not TCP_LISTEN, connect() fails with -EINVAL.

Then, we avoid the former deadlock by checking the client's state before
unix_state_lock_nested().  If its state is not TCP_LISTEN, we can make
sure that the client and the server are not identical based on the state.

Also, the latter deadlock can be avoided in the same way.  Due to the
server sk->sk_state requirement, AB-BA deadlock could happen only with
TCP_LISTEN sockets.  So, if the client's state is TCP_LISTEN, we can
give up the second lock to avoid the deadlock.

  CPU 1                 CPU 2                  CPU 3
  connect(A -> B)       connect(B -> A)        listen(A)
  ---                   ---                    ---
  unix_state_lock(B)
  B->sk_state == TCP_LISTEN
  READ_ONCE(A->sk_state) == TCP_CLOSE
                            ^^^^^^^^^
                            ok, will lock A    unix_state_lock(A)
             .--------------'                  WRITE_ONCE(A->sk_state, TCP_LISTEN)
             |                                 unix_state_unlock(A)
             |
             |          unix_state_lock(A)
             |          A->sk_state == TCP_LISTEN
             |          READ_ONCE(B->sk_state) == TCP_LISTEN
             v                                    ^^^^^^^^^^
  unix_state_lock_nested(A)                       Don't lock B !!

Currently, while checking the client's state, we also check if it's
TCP_ESTABLISHED, but this is unlikely and can be checked after we know
the state is not TCP_CLOSE.

Moreover, if it happens after the second lock, we now jump to the restart
label, but it's unlikely that the server is not found during the retry,
so the jump is mostly to revisit the client state check.

Let's remove the retry logic and check the state against TCP_CLOSE first.

Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-08-14 13:58:43 +02:00
Michal Luczaj
772f9c31bf af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash
[ Upstream commit 638f326043 ]

AF_UNIX socket tracks the most recent OOB packet (in its receive queue)
with an `oob_skb` pointer. BPF redirecting does not account for that: when
an OOB packet is moved between sockets, `oob_skb` is left outdated. This
results in a single skb that may be accessed from two different sockets.

Take the easy way out: silently drop MSG_OOB data targeting any socket that
is in a sockmap or a sockhash. Note that such silent drop is akin to the
fate of redirected skb's scm_fp_list (SCM_RIGHTS, SCM_CREDENTIALS).

For symmetry, forbid MSG_OOB in unix_bpf_recvmsg().

Fixes: 314001f0bf ("af_unix: Add OOB support")
Suggested-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20240713200218.2140950-2-mhal@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-08-03 08:54:36 +02:00
Greg Kroah-Hartman
4683195a6f This is the 6.6.35 stable release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmZ1dGEACgkQONu9yGCS
 aT57UQ//Z/SSHM2y0LWUuvlsU8cRuZonNxr3297UQU8g/FABK5MDo3tkEAJX2WHs
 9aXLu6Tq7hEOB/60QVESCFHbiFKzBrWym91bFfdPHTyZDjEBCPEoaPuWF4060CbD
 vMpeEclaPh1ezYozU21l4c9oBOwf2SsDnkyPl78/cCQL0LXFMuzhOtlRDjqTvHAa
 0ev9gBoDyA0q7aAO2Mn52y6X1Oc4+3Wah0ZZB+xPhfzkdoaFI5l1qF5uYugOg/Am
 BCaHTeJxmslU+QBemgxNQjJ/aJg401xGjug7iVazLMLgHQgzu3iJ6M809sWKVetq
 Vl6pduKusG1ENWy1cnAF1RgZLNnFg8pWB90apoRNmzr1j61HRQGFitevlGRQNtUp
 7BC1tHKwdk70tpYYeT6gcWfSm9TfQimVX7oDVeiHiAdj4kMuk0AYKYy+hytAbkBl
 vdHKl5idYzvMKswacAxbpHpfr0uJ2O/9+MvO3fyva/pHWVPRrnRuRLTx9MALOwyz
 ftPcAKJLasrWKTnuJp2EZDufXVHRpFRSZ+znAjWibgb0X9eZAaNSkwZ5WoP4VcFN
 +t0eUZLtW0pJV6Oh0DjpfTJ3mfZODAZTfn3RA+X2wQ6qvbMB35F+Hdp9mf3pQ0rX
 TJb8llX3Xj63KBUYMRGOwQKr2/P9cL5opJ4p73jqCF7xUu5M9I8=
 =H63O
 -----END PGP SIGNATURE-----

Merge 6.6.35 into android15-6.6-lts

Changes in 6.6.35
	wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
	wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
	wifi: cfg80211: fully move wiphy work to unbound workqueue
	wifi: cfg80211: Lock wiphy in cfg80211_get_station
	wifi: cfg80211: pmsr: use correct nla_get_uX functions
	wifi: iwlwifi: mvm: don't initialize csa_work twice
	wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
	wifi: iwlwifi: mvm: set properly mac header
	wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef
	wifi: iwlwifi: mvm: check n_ssids before accessing the ssids
	wifi: iwlwifi: mvm: don't read past the mfuart notifcation
	wifi: mac80211: correctly parse Spatial Reuse Parameter Set element
	scsi: ufs: mcq: Fix error output and clean up ufshcd_mcq_abort()
	RISC-V: KVM: No need to use mask when hart-index-bit is 0
	RISC-V: KVM: Fix incorrect reg_subtype labels in kvm_riscv_vcpu_set_reg_isa_ext function
	ax25: Fix refcount imbalance on inbound connections
	ax25: Replace kfree() in ax25_dev_free() with ax25_dev_put()
	net/ncsi: Simplify Kconfig/dts control flow
	net/ncsi: Fix the multi thread manner of NCSI driver
	net: phy: micrel: fix KSZ9477 PHY issues after suspend/resume
	bpf: Store ref_ctr_offsets values in bpf_uprobe array
	bpf: Optimize the free of inner map
	bpf: Fix a potential use-after-free in bpf_link_free()
	KVM: SEV-ES: Disallow SEV-ES guests when X86_FEATURE_LBRV is absent
	KVM: SEV: Do not intercept accesses to MSR_IA32_XSS for SEV-ES guests
	KVM: SEV-ES: Delegate LBR virtualization to the processor
	vmxnet3: disable rx data ring on dma allocation failure
	ipv6: ioam: block BH from ioam6_output()
	ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
	net: tls: fix marking packets as decrypted
	bpf: Set run context for rawtp test_run callback
	octeontx2-af: Always allocate PF entries from low prioriy zone
	net/smc: avoid overwriting when adjusting sock bufsizes
	net: phy: Micrel KSZ8061: fix errata solution not taking effect problem
	net: sched: sch_multiq: fix possible OOB write in multiq_tune()
	vxlan: Fix regression when dropping packets due to invalid src addresses
	tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
	mptcp: count CLOSE-WAIT sockets for MPTCP_MIB_CURRESTAB
	net/mlx5: Stop waiting for PCI if pci channel is offline
	net/mlx5: Always stop health timer during driver removal
	net/mlx5: Fix tainted pointer delete is case of flow rules creation fail
	net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
	ptp: Fix error message on failed pin verification
	ice: fix iteration of TLVs in Preserved Fields Area
	ice: remove af_xdp_zc_qps bitmap
	ice: add flag to distinguish reset from .ndo_bpf in XDP rings config
	net: wwan: iosm: Fix tainted pointer delete is case of region creation fail
	af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer.
	af_unix: Annodate data-races around sk->sk_state for writers.
	af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
	af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll().
	af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().
	af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().
	af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb().
	af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
	af_unix: Annotate data-races around sk->sk_sndbuf.
	af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
	af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
	af_unix: Use skb_queue_empty_lockless() in unix_release_sock().
	af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
	af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
	ipv6: fix possible race in __fib6_drop_pcpu_from()
	net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool()
	ksmbd: use rwsem instead of rwlock for lease break
	firmware: qcom_scm: disable clocks if qcom_scm_bw_enable() fails
	memory-failure: use a folio in me_huge_page()
	mm/memory-failure: fix handling of dissolved but not taken off from buddy pages
	selftests/mm: conform test to TAP format output
	selftests/mm: log a consistent test name for check_compaction
	selftests/mm: compaction_test: fix bogus test success on Aarch64
	irqchip/riscv-intc: Allow large non-standard interrupt number
	irqchip/riscv-intc: Introduce Andes hart-level interrupt controller
	irqchip/riscv-intc: Prevent memory leak when riscv_intc_init_common() fails
	eventfs: Update all the eventfs_inodes from the events descriptor
	bpf: fix multi-uprobe PID filtering logic
	nilfs2: return the mapped address from nilfs_get_page()
	nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
	io_uring/rsrc: don't lock while !TASK_RUNNING
	io_uring: check for non-NULL file pointer in io_file_can_poll()
	USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
	USB: xen-hcd: Traverse host/ when CONFIG_USB_XEN_HCD is selected
	usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps
	usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state
	mei: me: release irq in mei_me_pci_resume error path
	tty: n_tty: Fix buffer offsets when lookahead is used
	serial: port: Don't block system suspend even if bytes are left to xmit
	landlock: Fix d_parent walk
	jfs: xattr: fix buffer overflow for invalid xattr
	xhci: Set correct transferred length for cancelled bulk transfers
	xhci: Apply reset resume quirk to Etron EJ188 xHCI host
	xhci: Handle TD clearing for multiple streams case
	xhci: Apply broken streams quirk to Etron EJ188 xHCI host
	thunderbolt: debugfs: Fix margin debugfs node creation condition
	scsi: core: Disable CDL by default
	scsi: mpi3mr: Fix ATA NCQ priority support
	scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
	scsi: sd: Use READ(16) when reading block zero on large capacity disks
	gve: Clear napi->skb before dev_kfree_skb_any()
	powerpc/uaccess: Fix build errors seen with GCC 13/14
	HID: nvidia-shield: Add missing check for input_ff_create_memless
	cxl/test: Add missing vmalloc.h for tools/testing/cxl/test/mem.c
	cxl/region: Fix memregion leaks in devm_cxl_add_region()
	cachefiles: add output string to cachefiles_obj_[get|put]_ondemand_fd
	cachefiles: remove requests from xarray during flushing requests
	cachefiles: introduce object ondemand state
	cachefiles: extract ondemand info field from cachefiles_object
	cachefiles: resend an open request if the read request's object is closed
	cachefiles: add spin_lock for cachefiles_ondemand_info
	cachefiles: add restore command to recover inflight ondemand read requests
	cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()
	cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()
	cachefiles: remove err_put_fd label in cachefiles_ondemand_daemon_read()
	cachefiles: never get a new anonymous fd if ondemand_id is valid
	cachefiles: defer exposing anon_fd until after copy_to_user() succeeds
	cachefiles: flush all requests after setting CACHEFILES_DEAD
	selftests/ftrace: Fix to check required event file
	clk: sifive: Do not register clkdevs for PRCI clocks
	NFSv4.1 enforce rootpath check in fs_location query
	SUNRPC: return proper error from gss_wrap_req_priv
	NFS: add barriers when testing for NFS_FSDATA_BLOCKED
	selftests/tracing: Fix event filter test to retry up to 10 times
	nvme: fix nvme_pr_* status code parsing
	drm/panel: sitronix-st7789v: Add check for of_drm_get_panel_orientation
	platform/x86: dell-smbios: Fix wrong token data in sysfs
	gpio: tqmx86: fix typo in Kconfig label
	gpio: tqmx86: introduce shadow register for GPIO output value
	gpio: tqmx86: store IRQ trigger type and unmask status separately
	gpio: tqmx86: fix broken IRQ_TYPE_EDGE_BOTH interrupt type
	HID: core: remove unnecessary WARN_ON() in implement()
	iommu/amd: Fix sysfs leak in iommu init
	iommu: Return right value in iommu_sva_bind_device()
	io_uring/io-wq: Use set_bit() and test_bit() at worker->flags
	io_uring/io-wq: avoid garbage value of 'match' in io_wq_enqueue()
	HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()
	drm/vmwgfx: Refactor drm connector probing for display modes
	drm/vmwgfx: Filter modes which exceed graphics memory
	drm/vmwgfx: 3D disabled should not effect STDU memory limits
	drm/vmwgfx: Remove STDU logic from generic mode_valid function
	drm/vmwgfx: Don't memcmp equivalent pointers
	af_unix: Annotate data-race of sk->sk_state in unix_accept().
	modpost: do not warn about missing MODULE_DESCRIPTION() for vmlinux.o
	net: sfp: Always call `sfp_sm_mod_remove()` on remove
	net: hns3: fix kernel crash problem in concurrent scenario
	net: hns3: add cond_resched() to hns3 ring buffer init process
	liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
	net: stmmac: dwmac-qcom-ethqos: Configure host DMA width
	drm/komeda: check for error-valued pointer
	drm/bridge/panel: Fix runtime warning on panel bridge release
	tcp: fix race in tcp_v6_syn_recv_sock()
	net dsa: qca8k: fix usages of device_get_named_child_node()
	geneve: Fix incorrect inner network header offset when innerprotoinherit is set
	net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets
	Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
	Bluetooth: fix connection setup in l2cap_connect
	netfilter: nft_inner: validate mandatory meta and payload
	netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
	x86/asm: Use %c/%n instead of %P operand modifier in asm templates
	x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking
	scsi: ufs: core: Quiesce request queues before checking pending cmds
	net: pse-pd: Use EOPNOTSUPP error code instead of ENOTSUPP
	gve: ignore nonrelevant GSO type bits when processing TSO headers
	net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters
	block: sed-opal: avoid possible wrong address reference in read_sed_opal_key()
	block: fix request.queuelist usage in flush
	nvmet-passthru: propagate status from id override functions
	net/ipv6: Fix the RT cache flush via sysctl using a previous delay
	net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state
	net: bridge: mst: fix suspicious rcu usage in br_mst_set_state
	ionic: fix use after netif_napi_del()
	af_unix: Read with MSG_PEEK loops if the first unread byte is OOB
	bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()
	misc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe()
	ksmbd: move leading slash check to smb2_get_name()
	ksmbd: fix missing use of get_write in in smb2_set_ea()
	x86/boot: Don't add the EFI stub to targets, again
	iio: adc: ad9467: fix scan type sign
	iio: dac: ad5592r: fix temperature channel scaling value
	iio: invensense: fix odr switching to same value
	iio: imu: inv_icm42600: delete unneeded update watermark call
	drivers: core: synchronize really_probe() and dev_uevent()
	parisc: Try to fix random segmentation faults in package builds
	ACPI: x86: Force StorageD3Enable on more products
	drm/exynos/vidi: fix memory leak in .get_modes()
	drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found
	mptcp: ensure snd_una is properly initialized on connect
	mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID
	mptcp: pm: update add_addr counters after connect
	clkdev: Update clkdev id usage to allow for longer names
	irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update()
	x86/kexec: Fix bug with call depth tracking
	x86/amd_nb: Check for invalid SMN reads
	perf/core: Fix missing wakeup when waiting for context reference
	perf auxtrace: Fix multiple use of --itrace option
	riscv: fix overlap of allocated page and PTR_ERR
	tracing/selftests: Fix kprobe event name test for .isra. functions
	kheaders: explicitly define file modes for archived headers
	null_blk: Print correct max open zones limit in null_init_zoned_dev()
	sock_map: avoid race between sock_map_close and sk_psock_put
	dma-buf: handle testing kthreads creation failure
	vmci: prevent speculation leaks by sanitizing event in event_deliver()
	spmi: hisi-spmi-controller: Do not override device identifier
	knfsd: LOOKUP can return an illegal error value
	fs/proc: fix softlockup in __read_vmcore
	ocfs2: use coarse time for new created files
	ocfs2: fix races between hole punching and AIO+DIO
	PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id
	dmaengine: axi-dmac: fix possible race in remove()
	remoteproc: k3-r5: Wait for core0 power-up before powering up core1
	remoteproc: k3-r5: Do not allow core1 to power up before core0 via sysfs
	iio: adc: axi-adc: make sure AXI clock is enabled
	iio: invensense: fix interrupt timestamp alignment
	riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context
	rtla/timerlat: Simplify "no value" printing on top
	rtla/auto-analysis: Replace \t with spaces
	drm/i915/gt: Disarm breadcrumbs if engines are already idle
	drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)
	drm/i915/dpt: Make DPT object unshrinkable
	drm/i915: Fix audio component initialization
	intel_th: pci: Add Granite Rapids support
	intel_th: pci: Add Granite Rapids SOC support
	intel_th: pci: Add Sapphire Rapids SOC support
	intel_th: pci: Add Meteor Lake-S support
	intel_th: pci: Add Lunar Lake support
	pmdomain: ti-sci: Fix duplicate PD referrals
	btrfs: zoned: introduce a zone_info struct in btrfs_load_block_group_zone_info
	btrfs: zoned: factor out per-zone logic from btrfs_load_block_group_zone_info
	btrfs: zoned: factor out single bg handling from btrfs_load_block_group_zone_info
	btrfs: zoned: factor out DUP bg handling from btrfs_load_block_group_zone_info
	btrfs: zoned: fix use-after-free due to race with dev replace
	xfs: fix imprecise logic in xchk_btree_check_block_owner
	xfs: fix scrub stats file permissions
	xfs: fix SEEK_HOLE/DATA for regions with active COW extents
	xfs: shrink failure needs to hold AGI buffer
	xfs: ensure submit buffers on LSN boundaries in error handlers
	xfs: allow sunit mount option to repair bad primary sb stripe values
	xfs: don't use current->journal_info
	xfs: allow cross-linking special files without project quota
	swiotlb: Enforce page alignment in swiotlb_alloc()
	swiotlb: Reinstate page-alignment for mappings >= PAGE_SIZE
	swiotlb: extend buffer pre-padding to alloc_align_mask if necessary
	nilfs2: fix potential kernel bug due to lack of writeback flag waiting
	tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device()
	mm/huge_memory: don't unpoison huge_zero_folio
	serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level
	Revert "fork: defer linking file vma until vma is fully initialized"
	selftests/net: add lib.sh
	selftests/net: add variable NS_LIST for lib.sh
	selftests: forwarding: Avoid failures to source net/lib.sh
	remoteproc: k3-r5: Jump to error handling labels in start/stop errors
	cachefiles, erofs: Fix NULL deref in when cachefiles is not doing ondemand-mode
	selftests/net/lib: update busywait timeout value
	selftests/net/lib: no need to record ns name if it already exist
	selftests: net: lib: support errexit with busywait
	selftests: net: lib: avoid error removing empty netns name
	greybus: Fix use-after-free bug in gb_interface_release due to race condition.
	ima: Fix use-after-free on a dentry's dname.name
	device property: Implement device_is_big_endian()
	serial: core: Add UPIO_UNKNOWN constant for unknown port type
	serial: port: Introduce a common helper to read properties
	serial: 8250_dw: Switch to use uart_read_port_properties()
	serial: 8250_dw: Replace ACPI device check by a quirk
	serial: 8250_dw: Don't use struct dw8250_data outside of 8250_dw
	usb-storage: alauda: Check whether the media is initialized
	misc: microchip: pci1xxxx: Fix a memory leak in the error handling of gp_aux_bus_probe()
	i2c: at91: Fix the functionality flags of the slave-only interface
	i2c: designware: Fix the functionality flags of the slave-only interface
	zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING
	Linux 6.6.35

Change-Id: Iba6b5aace575848a178d28c72f6b54b76b6994b8
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-06-21 13:59:55 +00:00
Rao Shoaib
185c72f6b9 af_unix: Read with MSG_PEEK loops if the first unread byte is OOB
[ Upstream commit a6736a0add ]

Read with the MSG_PEEK flag loops if the first byte to read is an OOB byte.
Commit 22dd70eb2c ("af_unix: Don't peek OOB data without MSG_OOB.")
addresses the loop issue but does not address the issue that no data
beyond the OOB byte can be read.

>>> from socket import *
>>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
>>> c1.send(b'a', MSG_OOB)
1
>>> c1.send(b'b')
1
>>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
b'b'

>>> from socket import *
>>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
>>> c2.setsockopt(SOL_SOCKET, SO_OOBINLINE, 1)
>>> c1.send(b'a', MSG_OOB)
1
>>> c1.send(b'b')
1
>>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
b'a'
>>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
b'a'
>>> c2.recv(1, MSG_DONTWAIT)
b'a'
>>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
b'b'
>>>

Fixes: 314001f0bf ("af_unix: Add OOB support")
Signed-off-by: Rao Shoaib <Rao.Shoaib@oracle.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240611084639.2248934-1-Rao.Shoaib@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:36 +02:00
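The two interactive sessions in the commit message, replayed as a script that classifies what the running kernel does. This is an added example, not code from the commit or the kernel tree: the EXPECTED_* values come from the sessions above, while the helper names, the verdict strings and the "unsupported" handling are this example's own.

```python
"""Replay the MSG_PEEK/MSG_OOB sessions from the commit message as a
regression probe for the running kernel (added example, not kernel code).

Every recv() uses MSG_DONTWAIT, so a kernel that refuses to hand out the
bytes behind the OOB byte shows up as a BlockingIOError (reported here as
None) rather than as a blocked process.  A kernel that still has the peek
loop fixed by 22dd70eb2c spins inside recv() regardless of flags; the probe
cannot guard against that, so run it on a test box, not a production host.
"""
import socket

# Results the commit message documents for a kernel carrying the fix.
EXPECTED_PLAIN = b"b"                       # scenario 1: peek skips the OOB byte
EXPECTED_INLINE = [b"a", b"a", b"a", b"b"]  # scenario 2: peek, peek, read, peek


def _recv(sock, flags=0, n=1):
    """recv() wrapper: None stands for EAGAIN (nothing readable right now)."""
    try:
        return sock.recv(n, flags | socket.MSG_DONTWAIT)
    except BlockingIOError:
        return None


def _send_oob_then_inline(c1):
    """Queue OOB 'a' followed by normal 'b'; return the two send() counts."""
    return [c1.send(b"a", socket.MSG_OOB), c1.send(b"b")]


def probe_plain():
    """Scenario 1: receiver without SO_OOBINLINE peeks one byte."""
    c1, c2 = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sent = _send_oob_then_inline(c1)
        return {"sent": sent, "peek": _recv(c2, socket.MSG_PEEK)}
    finally:
        c1.close()
        c2.close()


def probe_inline():
    """Scenario 2: SO_OOBINLINE receiver does peek, peek, read, peek."""
    c1, c2 = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        c2.setsockopt(socket.SOL_SOCKET, socket.SO_OOBINLINE, 1)
        sent = _send_oob_then_inline(c1)
        steps = [
            _recv(c2, socket.MSG_PEEK),
            _recv(c2, socket.MSG_PEEK),
            _recv(c2),
            _recv(c2, socket.MSG_PEEK),
        ]
        return {"sent": sent, "steps": steps}
    finally:
        c1.close()
        c2.close()


def classify(plain, inline):
    """Map observed results onto the behaviours the commit message describes."""
    if plain["peek"] == EXPECTED_PLAIN and inline["steps"] == EXPECTED_INLINE:
        return "fixed"
    # Loop gone, but the byte behind the OOB byte is unreachable: the final
    # peek yields nothing (EAGAIN) instead of b'b'.
    if inline["steps"][:3] == EXPECTED_INLINE[:3] and inline["steps"][3] is None:
        return "stuck-after-oob"
    return "unexpected"


def run_probe():
    """Run both scenarios; 'unsupported' if MSG_OOB on AF_UNIX is rejected."""
    try:
        plain = probe_plain()
        inline = probe_inline()
    except (OSError, AttributeError) as exc:  # e.g. EOPNOTSUPP, or no AF_UNIX
        return {"verdict": "unsupported", "error": str(exc)}
    return {"verdict": classify(plain, inline), "plain": plain, "inline": inline}


if __name__ == "__main__":
    print(run_probe())
```

A verdict of "fixed" means the kernel matches the sessions above; "stuck-after-oob" is the intermediate state the commit message describes, where the loop is gone but nothing past the OOB byte is returned.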
Kuniyuki Iwashima
6fdc1152af af_unix: Annotate data-race of sk->sk_state in unix_accept().
[ Upstream commit 1b536948e8 ]

Once sk->sk_state is changed to TCP_LISTEN, it never changes.

unix_accept() takes advantage of this and reads sk->sk_state without
holding unix_state_lock().

Let's use READ_ONCE() there.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:31 +02:00
Kuniyuki Iwashima
471ec7b77a af_unix: Use skb_queue_empty_lockless() in unix_release_sock().
[ Upstream commit 83690b82d2 ]

If the socket type is SOCK_STREAM or SOCK_SEQPACKET, unix_release_sock()
checks the length of the peer socket's recvq under unix_state_lock().

However, unix_stream_read_generic() calls skb_unlink() after releasing
the lock.  Also, for SOCK_SEQPACKET, __skb_try_recv_datagram() unlinks
skb without unix_state_lock().

Thus, unix_state_lock() does not protect qlen.

Let's use skb_queue_empty_lockless() in unix_release_sock().

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:20 +02:00
Kuniyuki Iwashima
f1683d07eb af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
[ Upstream commit 45d872f0e6 ]

Once sk->sk_state is changed to TCP_LISTEN, it never changes.

unix_accept() takes advantage of this characteristic; it does not
hold the listener's unix_state_lock() and only acquires the recvq lock
to pop one skb.

It means unix_state_lock() does not prevent the queue length from
changing in unix_stream_connect().

Thus, we need to use unix_recvq_full_lockless() to avoid a data-race.

Now we remove unix_recvq_full() as no one uses it.

Note that we can remove READ_ONCE() for sk->sk_max_ack_backlog in
unix_recvq_full_lockless() for the following reasons:

  (1) For SOCK_DGRAM, it is a written-once field in unix_create1()

  (2) For SOCK_STREAM and SOCK_SEQPACKET, it is changed under the
      listener's unix_state_lock() in unix_listen(), and we hold
      the lock in unix_stream_connect()

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:20 +02:00
Kuniyuki Iwashima
29fce603b1 af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
[ Upstream commit bd9f2d0573 ]

net->unx.sysctl_max_dgram_qlen is exposed as a sysctl knob and can be
changed concurrently.

Let's use READ_ONCE() in unix_create1().

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:20 +02:00
Kuniyuki Iwashima
996ec22ff5 af_unix: Annotate data-races around sk->sk_sndbuf.
[ Upstream commit b0632e53e0 ]

sk_setsockopt() changes sk->sk_sndbuf under lock_sock(), but it's
not used in af_unix.c.

Let's use READ_ONCE() to read sk->sk_sndbuf in unix_writable(),
unix_dgram_sendmsg(), and unix_stream_sendmsg().

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:19 +02:00
Kuniyuki Iwashima
0ede400c32 af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb().
[ Upstream commit af4c733b6b ]

unix_stream_read_skb() is called from sk->sk_data_ready() context
where unix_state_lock() is not held.

Let's use READ_ONCE() there.

Fixes: 77462de14a ("af_unix: Add read_sock for stream socket types")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:19 +02:00
Kuniyuki Iwashima
776fcc45e3 af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().
[ Upstream commit 8a34d4e8d9 ]

The following functions read sk->sk_state locklessly and proceed only if
the state is TCP_ESTABLISHED.

  * unix_stream_sendmsg
  * unix_stream_read_generic
  * unix_seqpacket_sendmsg
  * unix_seqpacket_recvmsg

Let's use READ_ONCE() there.

Fixes: a05d2ad1c1 ("af_unix: Only allow recv on connected seqpacket sockets.")
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:19 +02:00
Kuniyuki Iwashima
3d25de6486 af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().
[ Upstream commit a9bf9c7dc6 ]

As a small optimisation, unix_stream_connect() prefetches the client's
sk->sk_state without unix_state_lock() and checks if it's TCP_CLOSE.

Later, sk->sk_state is checked again under unix_state_lock().

Let's use READ_ONCE() for the first check and TCP_CLOSE directly for
the second check.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:19 +02:00
Kuniyuki Iwashima
484e036e1a af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll().
[ Upstream commit eb0718fb3e ]

unix_poll() and unix_dgram_poll() read sk->sk_state locklessly and
call unix_writable(), which also reads sk->sk_state without holding
unix_state_lock().

Let's use READ_ONCE() in unix_poll() and unix_dgram_poll() and pass
it to unix_writable().

While at it, we remove the TCP_SYN_SENT check in unix_dgram_poll() as
that state has not existed for AF_UNIX sockets since the code was added.

Fixes: 1586a5877d ("af_unix: do not report POLLOUT on listeners")
Fixes: 3c73419c09 ("af_unix: fix 'poll for write'/ connected DGRAM sockets")
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:19 +02:00
Kuniyuki Iwashima
4e38d6c049 af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
[ Upstream commit 3a0f38eb28 ]

ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first
and returns -EINVAL if it's TCP_LISTEN.

Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of
bytes in recvq.

However, unix_inq_len() does not hold unix_state_lock(), and the
concurrent listen() might change the state after checking sk->sk_state.

If the race occurs, 0 is returned for the listener, instead of -EINVAL,
because the length of skb with embryo is 0.

We could hold unix_state_lock() in unix_inq_len(), but it's overkill
given the result is true for pre-listen() TCP_CLOSE state.

So, let's use READ_ONCE() for sk->sk_state in unix_inq_len().

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:19 +02:00
Kuniyuki Iwashima
45733e981e af_unix: Annodate data-races around sk->sk_state for writers.
[ Upstream commit 942238f973 ]

sk->sk_state is changed under unix_state_lock(), but it's read locklessly
in many places.

This patch adds WRITE_ONCE() on the writer side.

We will add READ_ONCE() to the lockless readers in the following patches.

Fixes: 83301b5367 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too")
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:18 +02:00
Kuniyuki Iwashima
8003545ca1 af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer.
[ Upstream commit 26bfb8b570 ]

When a SOCK_DGRAM socket connect()s to another socket, both sockets'
sk->sk_state are changed to TCP_ESTABLISHED so that we can register them
to BPF SOCKMAP.

When the socket disconnects from the peer by connect(AF_UNSPEC), the state
is set back to TCP_CLOSE.

Then, the peer's state is also set to TCP_CLOSE, but the update is done
locklessly and unconditionally.

Let's say socket A connect()ed to B, B connect()ed to C, and A disconnects
from B.

After the first two connect()s, all three sockets' sk->sk_state are
TCP_ESTABLISHED:

  $ ss -xa
  Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:PortProcess
  u_dgr ESTAB  0      0       @A 641              * 642
  u_dgr ESTAB  0      0       @B 642              * 643
  u_dgr ESTAB  0      0       @C 643              * 0

And after the disconnect, B's state is TCP_CLOSE even though it's still
connected to C and C's state is TCP_ESTABLISHED.

  $ ss -xa
  Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:PortProcess
  u_dgr UNCONN 0      0       @A 641              * 0
  u_dgr UNCONN 0      0       @B 642              * 643
  u_dgr ESTAB  0      0       @C 643              * 0

In this case, we cannot register B to SOCKMAP.

So, when a socket disconnects from the peer, we should not set TCP_CLOSE on
the peer if the peer is connected to yet another socket, and this must be
done under unix_state_lock().

Note that we use WRITE_ONCE() for sk->sk_state as there are many lockless
readers.  These data-races will be fixed in the following patches.

Fixes: 83301b5367 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:38:18 +02:00
Greg Kroah-Hartman
40c3aca0d2 This is the 6.6.33 stable release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmZpZrAACgkQONu9yGCS
 aT7O8A//ROBbQ/DqaLBiHwQ7Dtw2WUKmGeQ5VIv3oP3uHSUt/dnqUlZRui/7zJI5
 Rgs5iUsWcaz+hNrp8ESIApseoyYxDJlACg7NRqhGwir0+5EGT3TUZ8m6aEueItx/
 UruoQfZBWziI0wopUd8LKUCqnLvm5cpPsM6B6AtRxqPIttTLCOOitnmDsMyaPSnx
 idEdPJL9gTorQsw9Sds2oRMK2VwS2+lPb73++hZbl1HvgfQnTZqt0+wEWScbZlxA
 +wpr7z1TaPovRM5rXStTYZNyDUFn4TJ4s+GU6QIoebaJk/yN4fur+dSumb0TZdkt
 kRYw3onYc+gXmYtRHexCHJTxx6guO4jmCZUdm005oEwKsjFeam8Yx2p3w1DTqDvJ
 PudGFBQnvfyEXmIMfK4MXcVcO2oHBnXt+JCCp2iAcN+3/0SNtPE8QdlgYRwU7KJu
 Oin4lCHtIp3ns2HdBJDWgPxo8eFcASOE/CPVRhc/ilhjHtaeNViA6gmoi4IeKv5x
 huHfSlZmZZkhPTOMSG32mIcB1VZ7kax9DQ6GdhM/n8ZO0MQqs5uk+0PFndy0hRkj
 HLdZscJFx5v+TofnZwGRX8XmOQwpYTSe+Ynsf5pYBYU0NMwPQHxSd8neaMNgdcWz
 LNAp3uDvtMOe33qVI1FvspS1W8GF25TyrsXkc3CAw7XGh/zUl7Q=
 =GyJ2
 -----END PGP SIGNATURE-----

Merge 6.6.33 into android15-6.6-lts

Changes in 6.6.33
	x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
	selftests/ftrace: Fix BTFARG testcase to check fprobe is enabled correctly
	ftrace: Fix possible use-after-free issue in ftrace_location()
	tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
	tty: n_gsm: fix missing receive state reset after mode switch
	speakup: Fix sizeof() vs ARRAY_SIZE() bug
	serial: 8250_bcm7271: use default_mux_rate if possible
	serial: 8520_mtk: Set RTS on shutdown for Rx in-band wakeup
	Input: try trimming too long modalias strings
	io_uring: fail NOP if non-zero op flags is passed in
	Revert "r8169: don't try to disable interrupts if NAPI is, scheduled already"
	r8169: Fix possible ring buffer corruption on fragmented Tx packets.
	ring-buffer: Fix a race between readers and resize checks
	net: mana: Fix the extra HZ in mana_hwc_send_request
	tools/latency-collector: Fix -Wformat-security compile warns
	tools/nolibc/stdlib: fix memory error in realloc()
	net: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe()
	net: lan966x: remove debugfs directory in probe() error path
	net: smc91x: Fix m68k kernel compilation for ColdFire CPU
	nilfs2: fix use-after-free of timer for log writer thread
	nilfs2: fix unexpected freezing of nilfs_segctor_sync()
	nilfs2: fix potential hang in nilfs_detach_log_writer()
	fs/ntfs3: Remove max link count info display during driver init
	fs/ntfs3: Taking DOS names into account during link counting
	fs/ntfs3: Fix case when index is reused during tree transformation
	fs/ntfs3: Break dir enumeration if directory contents error
	ksmbd: avoid to send duplicate oplock break notifications
	ksmbd: ignore trailing slashes in share paths
	ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 440/460 G11.
	ALSA: core: Fix NULL module pointer assignment at card init
	ALSA: Fix deadlocks with kctl removals at disconnection
	KEYS: asymmetric: Add missing dependency on CRYPTO_SIG
	KEYS: asymmetric: Add missing dependencies of FIPS_SIGNATURE_SELFTEST
	wifi: mac80211: don't use rate mask for scanning
	wifi: mac80211: ensure beacon is non-S1G prior to extracting the beacon timestamp field
	wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
	dt-bindings: rockchip: grf: Add missing type to 'pcie-phy' node
	HID: mcp-2221: cancel delayed_work only when CONFIG_IIO is enabled
	net: usb: qmi_wwan: add Telit FN920C04 compositions
	drm/amd/display: Set color_mgmt_changed to true on unsuspend
	drm/amdgpu: Update BO eviction priorities
	drm/amd/pm: Restore config space after reset
	drm/amdkfd: Add VRAM accounting for SVM migration
	drm/amdgpu: Fix the ring buffer size for queue VM flush
	drm/amdgpu/mes: fix use-after-free issue
	Revert "net: txgbe: fix i2c dev name cannot match clkdev"
	Revert "net: txgbe: fix clk_name exceed MAX_DEV_ID limits"
	cpu: Ignore "mitigations" kernel parameter if CPU_MITIGATIONS=n
	LoongArch: Lately init pmu after smp is online
	drm/etnaviv: fix tx clock gating on some GC7000 variants
	selftests: sud_test: return correct emulated syscall value on RISC-V
	sched/isolation: Fix boot crash when maxcpus < first housekeeping CPU
	ASoC: Intel: bytcr_rt5640: Apply Asus T100TA quirk to Asus T100TAM too
	regulator: irq_helpers: duplicate IRQ name
	ALSA: hda: cs35l56: Exit cache-only after cs35l56_wait_for_firmware_boot()
	ASoC: SOF: pcm: Restrict DSP D0i3 during S0ix to IPC3
	ASoC: acp: Support microphone from device Acer 315-24p
	ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
	ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
	ASoC: rt722-sdca: modify channel number to support 4 channels
	ASoC: rt722-sdca: add headset microphone vrefo setting
	regulator: qcom-refgen: fix module autoloading
	regulator: vqmmc-ipq4019: fix module autoloading
	ASoC: cs35l41: Update DSP1RX5/6 Sources for DSP config
	ASoC: rt715: add vendor clear control register
	ASoC: rt715-sdca: volume step modification
	KVM: selftests: Add test for uaccesses to non-existent vgic-v2 CPUIF
	Input: xpad - add support for ASUS ROG RAIKIRI
	fpga: dfl-pci: add PCI subdevice ID for Intel D5005 card
	bpf, x86: Fix PROBE_MEM runtime load check
	ALSA: emu10k1: make E-MU FPGA writes potentially more reliable
	softirq: Fix suspicious RCU usage in __do_softirq()
	platform/x86: ISST: Add Grand Ridge to HPM CPU list
	ASoC: da7219-aad: fix usage of device_get_named_child_node()
	ALSA: hda: intel-dsp-config: harden I2C/I2S codec detection
	drm/amdgpu: Fix VRAM memory accounting
	drm/amd/display: Add dtbclk access to dcn315
	drm/amd/display: Allocate zero bw after bw alloc enable
	drm/amd/display: Add VCO speed parameter for DCN31 FPU
	drm/amd/display: Fix DC mode screen flickering on DCN321
	drm/amd/display: Disable seamless boot on 128b/132b encoding
	drm/amdkfd: Flush the process wq before creating a kfd_process
	x86/mm: Remove broken vsyscall emulation code from the page fault code
	nvme: find numa distance only if controller has valid numa id
	nvmet-auth: return the error code to the nvmet_auth_host_hash() callers
	nvmet-auth: replace pr_debug() with pr_err() to report an error.
	nvme: cancel pending I/O if nvme controller is in terminal state
	nvmet-tcp: fix possible memory leak when tearing down a controller
	nvmet: fix nvme status code when namespace is disabled
	epoll: be better about file lifetimes
	ksmbd: fix uninitialized symbol 'share' in smb2_tree_connect()
	nvmet: prevent sprintf() overflow in nvmet_subsys_nsid_exists()
	openpromfs: finish conversion to the new mount API
	crypto: bcm - Fix pointer arithmetic
	mm/slub, kunit: Use inverted data to corrupt kmem cache
	firmware: raspberrypi: Use correct device for DMA mappings
	ecryptfs: Fix buffer size for tag 66 packet
	nilfs2: fix out-of-range warning
	parisc: add missing export of __cmpxchg_u8()
	crypto: ccp - drop platform ifdef checks
	crypto: x86/nh-avx2 - add missing vzeroupper
	crypto: x86/sha256-avx2 - add missing vzeroupper
	crypto: x86/sha512-avx2 - add missing vzeroupper
	s390/cio: fix tracepoint subchannel type field
	io_uring: use the right type for work_llist empty check
	rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow
	rcu: Fix buffer overflow in print_cpu_stall_info()
	ARM: configs: sunxi: Enable DRM_DW_HDMI
	jffs2: prevent xattr node from overflowing the eraseblock
	io-wq: write next_work before dropping acct_lock
	mm/userfaultfd: Do not place zeropages when zeropages are disallowed
	s390/mm: Re-enable the shared zeropage for !PV and !skeys KVM guests
	soc: qcom: pmic_glink: don't traverse clients list without a lock
	soc: qcom: pmic_glink: notify clients about the current state
	firmware: qcom: scm: Fix __scm and waitq completion variable initialization
	soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE
	null_blk: Fix missing mutex_destroy() at module removal
	kunit/fortify: Fix mismatched kvalloc()/vfree() usage
	soc: qcom: pmic_glink: Make client-lock non-sleeping
	lkdtm: Disable CFI checking for perms functions
	md: fix resync softlockup when bitmap size is less than array size
	crypto: qat - specify firmware files for 402xx
	block: refine the EOF check in blkdev_iomap_begin
	block: fix and simplify blkdevparts= cmdline parsing
	block: support to account io_ticks precisely
	wifi: ath10k: poll service ready message before failing
	wifi: brcmfmac: pcie: handle randbuf allocation failure
	wifi: ath11k: don't force enable power save on non-running vdevs
	bpftool: Fix missing pids during link show
	wifi: ath12k: use correct flag field for 320 MHz channels
	wifi: mt76: mt7915: workaround too long expansion sparse warnings
	x86/boot: Ignore relocations in .notes sections in walk_relocs() too
	wifi: ieee80211: fix ieee80211_mle_basic_sta_prof_size_ok()
	wifi: iwlwifi: mvm: allocate STA links only for active links
	wifi: iwlwifi: mvm: select STA mask only for active links
	wifi: iwlwifi: reconfigure TLC during HW restart
	wifi: iwlwifi: mvm: fix check in iwl_mvm_sta_fw_id_mask
	sched/fair: Add EAS checks before updating root_domain::overutilized
	ACPI: Fix Generic Initiator Affinity _OSC bit
	enetc: avoid truncating error message
	qed: avoid truncating work queue length
	mlx5: avoid truncating error message
	mlx5: stop warning for 64KB pages
	bitops: add missing prototype check
	dlm: fix user space lock decision to copy lvb
	wifi: carl9170: re-fix fortified-memset warning
	bpftool: Mount bpffs on provided dir instead of parent dir
	bpf: Pack struct bpf_fib_lookup
	bpf: prevent r10 register from being marked as precise
	scsi: ufs: qcom: Perform read back after writing reset bit
	scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US
	scsi: ufs: qcom: Perform read back after writing unipro mode
	scsi: ufs: qcom: Perform read back after writing CGC enable
	scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
	scsi: ufs: core: Perform read back after writing UTP_TASK_REQ_LIST_BASE_H
	scsi: ufs: core: Perform read back after disabling interrupts
	scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
	ACPI: LPSS: Advertise number of chip selects via property
	locking/atomic/x86: Correct the definition of __arch_try_cmpxchg128()
	irqchip/alpine-msi: Fix off-by-one in allocation error path
	irqchip/loongson-pch-msi: Fix off-by-one on allocation error path
	ACPI: disable -Wstringop-truncation
	gfs2: Don't forget to complete delayed withdraw
	gfs2: Fix "ignore unlock failures after withdraw"
	x86/boot/64: Clear most of CR4 in startup_64(), except PAE, MCE and LA57
	selftests/bpf: Fix umount cgroup2 error in test_sockmap
	tcp: define initial scaling factor value as a macro
	tcp: increase the default TCP scaling ratio
	cpufreq: exit() callback is optional
	x86/pat: Introduce lookup_address_in_pgd_attr()
	x86/pat: Restructure _lookup_address_cpa()
	x86/pat: Fix W^X violation false-positives when running as Xen PV guest
	udp: Avoid call to compute_score on multiple sites
	openrisc: traps: Don't send signals to kernel mode threads
	cppc_cpufreq: Fix possible null pointer dereference
	wifi: iwlwifi: mvm: init vif works only once
	scsi: libsas: Fix the failure of adding phy with zero-address to port
	scsi: hpsa: Fix allocation size for Scsi_Host private data
	x86/purgatory: Switch to the position-independent small code model
	wifi: ath12k: fix out-of-bound access of qmi_invoke_handler()
	thermal/drivers/tsens: Fix null pointer dereference
	dt-bindings: thermal: loongson,ls2k-thermal: Fix binding check issues
	dt-bindings: thermal: loongson,ls2k-thermal: Add Loongson-2K0500 compatible
	dt-bindings: thermal: loongson,ls2k-thermal: Fix incorrect compatible definition
	wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()
	gfs2: Get rid of gfs2_alloc_blocks generation parameter
	gfs2: Convert gfs2_internal_read to folios
	gfs2: Rename gfs2_lookup_{ simple => meta }
	gfs2: No longer use 'extern' in function declarations
	gfs2: Remove ill-placed consistency check
	gfs2: Fix potential glock use-after-free on unmount
	gfs2: Mark withdraws as unlikely
	gfs2: Rename gfs2_withdrawn to gfs2_withdrawing_or_withdrawn
	gfs2: finish_xmote cleanup
	gfs2: do_xmote fixes
	selftests/bpf: Fix a fd leak in error paths in open_netns
	scsi: ufs: core: mcq: Fix ufshcd_mcq_sqe_search()
	cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations
	wifi: ath10k: populate board data for WCN3990
	net: dsa: mv88e6xxx: Add support for model-specific pre- and post-reset handlers
	net: dsa: mv88e6xxx: Avoid EEPROM timeout without EEPROM on 88E6250-family switches
	tcp: avoid premature drops in tcp_add_backlog()
	pwm: sti: Prepare removing pwm_chip from driver data
	pwm: sti: Simplify probe function using devm functions
	drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group
	drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group
	drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()
	net: give more chances to rcu in netdev_wait_allrefs_any()
	macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"
	wifi: carl9170: add a proper sanity check for endpoints
	bpf: Fix verifier assumptions about socket->sk
	wifi: ar5523: enable proper endpoint verification
	bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE
	sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
	Revert "sh: Handle calling csum_partial with misaligned data"
	wifi: mt76: mt7603: fix tx queue of loopback packets
	wifi: mt76: mt7603: add wpdma tx eof flag for PSE client reset
	libbpf: Fix error message in attach_kprobe_multi
	wifi: nl80211: Avoid address calculations via out of bounds array indexing
	selftests/binderfs: use the Makefile's rules, not Make's implicit rules
	selftests/resctrl: fix clang build failure: use LOCAL_HDRS
	selftests: default to host arch for LLVM builds
	kunit: Fix kthread reference
	selftests/bpf: Fix pointer arithmetic in test_xdp_do_redirect
	HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
	scsi: bfa: Ensure the copied buf is NUL terminated
	scsi: qedf: Ensure the copied buf is NUL terminated
	scsi: qla2xxx: Fix debugfs output for fw_resource_count
	kernel/numa.c: Move logging out of numa.h
	x86/numa: Fix SRAT lookup of CFMWS ranges with numa_fill_memblks()
	wifi: mwl8k: initialize cmd->addr[] properly
	HID: amd_sfh: Handle "no sensors" in PM operations
	usb: aqc111: stop lying about skb->truesize
	net: usb: sr9700: stop lying about skb->truesize
	m68k: Fix spinlock race in kernel thread creation
	m68k: mac: Fix reboot hang on Mac IIci
	net: ipv6: fix wrong start position when receive hop-by-hop fragment
	eth: sungem: remove .ndo_poll_controller to avoid deadlocks
	selftests: net: add more missing kernel config
	selftests: net: add missing config for amt.sh
	selftests: net: move amt to socat for better compatibility
	net: ethernet: cortina: Locking fixes
	af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
	net: usb: smsc95xx: stop lying about skb->truesize
	net: openvswitch: fix overwriting ct original tuple for ICMPv6
	ipv6: sr: add missing seg6_local_exit
	ipv6: sr: fix incorrect unregister order
	ipv6: sr: fix invalid unregister error path
	net/mlx5: Enable 4 ports multiport E-switch
	net/mlx5: Reload only IB representors upon lag disable/enable
	net/mlx5: Add a timeout to acquire the command queue semaphore
	net/mlx5: Discard command completions in internal error
	s390/bpf: Emit a barrier for BPF_FETCH instructions
	riscv, bpf: make some atomic operations fully ordered
	ax25: Use kernel universal linked list to implement ax25_dev_list
	ax25: Fix reference count leak issues of ax25_dev
	ax25: Fix reference count leak issue of net_device
	net: fec: remove .ndo_poll_controller to avoid deadlocks
	mptcp: SO_KEEPALIVE: fix getsockopt support
	net: micrel: Fix receiving the timestamp in the frame for lan8841
	Bluetooth: compute LE flow credits based on recvbuf space
	Bluetooth: qca: Fix error code in qca_read_fw_build_info()
	Bluetooth: ISO: Fix BIS cleanup
	Bluetooth: Remove usage of the deprecated ida_simple_xx() API
	Bluetooth: hci_event: Remove code to removed CONFIG_BT_HS
	Bluetooth: HCI: Remove HCI_AMP support
	drm/bridge: Fix improper bridge init order with pre_enable_prev_first
	drm/ci: uprev mesa version: fix container build & crosvm
	drm/ci: add subset-1-gfx to LAVA_TAGS and adjust shards
	drm/ci: update device type for volteer devices
	drm/omapdrm: Fix console by implementing fb_dirty
	fbdev: Provide I/O-memory helpers as module
	drm/omapdrm: Fix console with deferred ops
	printk: Let no_printk() use _printk()
	dev_printk: Add and use dev_no_printk()
	drm/lcdif: Do not disable clocks on already suspended hardware
	drm/dp: Don't attempt AUX transfers when eDP panels are not powered
	drm/panel: atna33xc20: Fix unbalanced regulator in the case HPD doesn't assert
	drm/amd/display: Fix potential index out of bounds in color transformation function
	ASoC: Intel: Disable route checks for Skylake boards
	ASoC: Intel: avs: ssm4567: Do not ignore route checks
	mtd: core: Report error if first mtd_otp_size() call fails in mtd_otp_nvmem_add()
	mtd: rawnand: hynix: fixed typo
	ASoC: mediatek: Assign dummy when codec not specified for a DAI link
	fbdev: shmobile: fix snprintf truncation
	ASoC: kirkwood: Fix potential NULL dereference
	drm/meson: vclk: fix calculation of 59.94 fractional rates
	drm/mediatek: Add 0 size check to mtk_drm_gem_obj
	powerpc/fsl-soc: hide unused const variable
	ASoC: Intel: common: add ACPI matching tables for Arrow Lake
	ASoC: SOF: Intel: pci-mtl: use ARL specific firmware definitions
	ASoC: SOF: Intel: pci-mtl: fix ARL-S definitions
	ASoC: SOF: Intel: mtl: Correct rom_status_reg
	ASoC: SOF: Intel: lnl: Correct rom_status_reg
	ASoC: SOF: Intel: mtl: call dsp dump when boot retry fails
	ASoC: SOF: Intel: mtl: Disable interrupts when firmware boot failed
	ASoC: SOF: Intel: mtl: Implement firmware boot state check
	fbdev: sisfb: hide unused variables
	selftests: cgroup: skip test_cgcore_lesser_ns_open when cgroup2 mounted without nsdelegate
	ASoC: Intel: avs: Fix ASRC module initialization
	ASoC: Intel: avs: Fix potential integer overflow
	ASoC: Intel: avs: Test result of avs_get_module_entry()
	media: ngene: Add dvb_ca_en50221_init return value check
	media: rcar-vin: work around -Wenum-compare-conditional warning
	media: radio-shark2: Avoid led_names truncations
	drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference
	drm/msm/dp: allow voltage swing / pre emphasis of 3
	drm/msm/dp: Avoid a long timeout for AUX transfer if nothing connected
	media: ipu3-cio2: Request IRQ earlier
	media: dt-bindings: ovti,ov2680: Fix the power supply names
	media: i2c: et8ek8: Don't strip remove function when driver is builtin
	media: v4l2-subdev: Fix stream handling for crop API
	fbdev: sh7760fb: allow modular build
	media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries
	drm/arm/malidp: fix a possible null pointer dereference
	drm: vc4: Fix possible null pointer dereference
	ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
	drm/bridge: anx7625: Don't log an error when DSI host can't be found
	drm/bridge: icn6211: Don't log an error when DSI host can't be found
	drm/bridge: lt8912b: Don't log an error when DSI host can't be found
	drm/bridge: lt9611: Don't log an error when DSI host can't be found
	drm/bridge: lt9611uxc: Don't log an error when DSI host can't be found
	drm/bridge: tc358775: Don't log an error when DSI host can't be found
	drm/bridge: dpc3433: Don't log an error when DSI host can't be found
	drm/panel: novatek-nt35950: Don't log an error when DSI host can't be found
	drm/bridge: anx7625: Update audio status while detecting
	drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
	drm/mipi-dsi: use correct return type for the DSC functions
	media: uvcvideo: Add quirk for Logitech Rally Bar
	drm/rockchip: vop2: Do not divide height twice for YUV
	drm/edid: Parse topology block for all DispID structure v1.x
	media: cadence: csi2rx: configure DPHY before starting source stream
	clk: samsung: exynosautov9: fix wrong pll clock id value
	RDMA/mlx5: Uncacheable mkey has neither rb_key or cache_ent
	RDMA/mlx5: Adding remote atomic access flag to updatable flags
	clk: mediatek: pllfh: Don't log error for missing fhctl node
	iommu: Undo pasid attachment only for the devices that have succeeded
	RDMA/hns: Fix return value in hns_roce_map_mr_sg
	RDMA/hns: Fix deadlock on SRQ async events.
	RDMA/hns: Fix UAF for cq async event
	RDMA/hns: Fix GMV table pagesize
	RDMA/hns: Use complete parentheses in macros
	RDMA/hns: Modify the print level of CQE error
	clk: mediatek: mt8365-mm: fix DPI0 parent
	clk: rs9: fix wrong default value for clock amplitude
	clk: qcom: clk-alpha-pll: remove invalid Stromer register offset
	RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt
	RDMA/rxe: Allow good work requests to be executed
	RDMA/rxe: Fix incorrect rxe_put in error path
	IB/mlx5: Use __iowrite64_copy() for write combining stores
	clk: renesas: r8a779a0: Fix CANFD parent clock
	clk: renesas: r9a07g043: Add clock and reset entry for PLIC
	lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure
	clk: qcom: dispcc-sm8450: fix DisplayPort clocks
	clk: qcom: dispcc-sm6350: fix DisplayPort clocks
	clk: qcom: dispcc-sm8550: fix DisplayPort clocks
	clk: qcom: mmcc-msm8998: fix venus clock issue
	x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
	x86/insn: Add VEX versions of VPDPBUSD, VPDPBUSDS, VPDPWSSD and VPDPWSSDS
	ext4: avoid excessive credit estimate in ext4_tmpfile()
	virt: acrn: stop using follow_pfn
	drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()
	sunrpc: removed redundant procp check
	ext4: fix potential unnitialized variable
	ext4: remove the redundant folio_wait_stable()
	of: module: add buffer overflow check in of_modalias()
	RDMA/bnxt_re: Refactor the queue index update
	RDMA/bnxt_re: Remove roundup_pow_of_two depth for all hardware queue resources
	RDMA/bnxt_re: Update the HW interface definitions
	RDMA/bnxt_re: Adds MSN table capability for Gen P7 adapters
	bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
	SUNRPC: Fix gss_free_in_token_pages()
	selftests/kcmp: remove unused open mode
	RDMA/IPoIB: Fix format truncation compilation errors
	RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw
	tracing/user_events: Allow events to persist for perfmon_capable users
	tracing/user_events: Prepare find/delete for same name events
	tracing/user_events: Fix non-spaced field matching
	modules: Drop the .export_symbol section from the final modules
	net: bridge: xmit: make sure we have at least eth header len bytes
	selftests: net: bridge: increase IGMP/MLD exclude timeout membership interval
	net: bridge: mst: fix vlan use-after-free
	net: qrtr: ns: Fix module refcnt
	netrom: fix possible dead-lock in nr_rt_ioctl()
	af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
	sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
	sched/core: Fix incorrect initialization of the 'burst' parameter in cpu_max_write()
	net: wangxun: fix to change Rx features
	perf record: Delete session after stopping sideband thread
	perf probe: Add missing libgen.h header needed for using basename()
	iio: core: Leave private pointer NULL when no private data supplied
	greybus: lights: check return of get_channel_from_mode
	phy: qcom: qmp-combo: fix duplicate return in qmp_v4_configure_dp_phy
	f2fs: multidev: fix to recognize valid zero block address
	f2fs: fix to wait on page writeback in __clone_blkaddrs()
	fpga: manager: add owner module and take its refcount
	fpga: bridge: add owner module and take its refcount
	counter: linux/counter.h: fix Excess kernel-doc description warning
	perf annotate: Get rid of duplicate --group option item
	usb: typec: ucsi: always register a link to USB PD device
	usb: typec: ucsi: simplify partner's PD caps registration
	perf stat: Do not fail on metrics on s390 z/VM systems
	soundwire: cadence: fix invalid PDI offset
	dmaengine: idma64: Add check for dma_set_max_seg_size
	firmware: dmi-id: add a release callback function
	perf record: Lazy load kernel symbols
	perf machine thread: Remove exited threads by default
	perf annotate: Split branch stack cycles information out of 'struct annotation_line'
	perf annotate: Introduce global annotation_options
	perf report: Convert to the global annotation_options
	perf top: Convert to the global annotation_options
	perf annotate: Use global annotation_options
	perf annotate: Fix annotation_calc_lines() to pass correct address to get_srcline()
	serial: max3100: Lock port->lock when calling uart_handle_cts_change()
	serial: max3100: Update uart_driver_registered on driver removal
	serial: max3100: Fix bitwise types
	greybus: arche-ctrl: move device table to its right location
	PCI: tegra194: Fix probe path for Endpoint mode
	serial: sc16is7xx: add proper sched.h include for sched_set_fifo()
	module: don't ignore sysfs_create_link() failures
	interconnect: qcom: qcm2290: Fix mas_snoc_bimc QoS port assignment
	arm64: dts: meson: fix S4 power-controller node
	perf tests: Make "test data symbol" more robust on Neoverse N1
	perf tests: Apply attributes to all events in object code reading test
	perf evlist: Add evlist__findnew_tracking_event() helper
	perf record: Move setting tracking events before record__init_thread_masks()
	perf record: Fix debug message placement for test consumption
	dt-bindings: PCI: rcar-pci-host: Add optional regulators
	dt-bindings: PCI: rcar-pci-host: Add missing IOMMU properties
	perf bench uprobe: Remove lib64 from libc.so.6 binary path
	f2fs: compress: fix to relocate check condition in f2fs_{release,reserve}_compress_blocks()
	f2fs: compress: fix to relocate check condition in f2fs_ioc_{,de}compress_file()
	f2fs: fix to relocate check condition in f2fs_fallocate()
	f2fs: fix to check pinfile flag in f2fs_move_file_range()
	iio: adc: stm32: Fixing err code to not indicate success
	riscv: dts: starfive: visionfive 2: Remove non-existing TDM hardware
	coresight: etm4x: Fix unbalanced pm_runtime_enable()
	perf docs: Document bpf event modifier
	perf test shell arm_coresight: Increase buffer size for Coresight basic tests
	iio: pressure: dps310: support negative temperature values
	iio: adc: ad9467: use spi_get_device_match_data()
	iio: adc: ad9467: use chip_info variables instead of array
	iio: adc: adi-axi-adc: convert to regmap
	iio: buffer-dmaengine: export buffer alloc and free functions
	iio: add the IIO backend framework
	iio: adc: ad9467: convert to backend framework
	iio: adc: adi-axi-adc: move to backend framework
	iio: adc: adi-axi-adc: only error out in major version mismatch
	coresight: etm4x: Do not hardcode IOMEM access for register restore
	coresight: etm4x: Do not save/restore Data trace control registers
	coresight: etm4x: Safe access for TRCQCLTR
	coresight: etm4x: Fix access to resource selector registers
	i915: make inject_virtual_interrupt() void
	vfio/pci: fix potential memory leak in vfio_intx_enable()
	fpga: region: add owner module and take its refcount
	udf: Remove GFP_NOFS allocation in udf_expand_file_adinicb()
	udf: Convert udf_expand_file_adinicb() to use a folio
	microblaze: Remove gcc flag for non existing early_printk.c file
	microblaze: Remove early printk call from cpuinfo-static.c
	PCI: Wait for Link Training==0 before starting Link retrain
	perf intel-pt: Fix unassigned instruction op (discovered by MemorySanitizer)
	pwm: Rename pwm_apply_state() to pwm_apply_might_sleep()
	leds: pwm: Disable PWM when going to suspend
	ovl: remove upper umask handling from ovl_create_upper()
	PCI: of_property: Return error for int_map allocation failure
	VMCI: Fix an error handling path in vmci_guest_probe_device()
	dt-bindings: pinctrl: mediatek: mt7622: fix array properties
	pinctrl: qcom: pinctrl-sm7150: Fix sdc1 and ufs special pins regs
	watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger
	watchdog: bd9576: Drop "always-running" property
	watchdog: sa1100: Fix PTR_ERR_OR_ZERO() vs NULL check in sa1100dog_probe()
	dt-bindings: phy: qcom,sc8280xp-qmp-ufs-phy: fix msm899[68] power-domains
	dt-bindings: phy: qcom,usb-snps-femto-v2: use correct fallback for sc8180x
	dmaengine: idxd: Avoid unnecessary destruction of file_ida
	usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.
	usb: gadget: u_audio: Clear uac pointer when freed.
	stm class: Fix a double free in stm_register_device()
	ppdev: Remove usage of the deprecated ida_simple_xx() API
	ppdev: Add an error check in register_device
	i2c: cadence: Avoid fifo clear after start
	i2c: synquacer: Fix an error handling path in synquacer_i2c_probe()
	perf bench internals inject-build-id: Fix trap divide when collecting just one DSO
	perf ui browser: Don't save pointer to stack memory
	extcon: max8997: select IRQ_DOMAIN instead of depending on it
	dt-bindings: spmi: hisilicon,hisi-spmi-controller: fix binding references
	PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3
	PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3
	f2fs: Clean up errors in segment.h
	f2fs: support printk_ratelimited() in f2fs_printk()
	f2fs: use BLKS_PER_SEG, BLKS_PER_SEC, and SEGS_PER_SEC
	f2fs: separate f2fs_gc_range() to use GC for a range
	f2fs: kill heap-based allocation
	f2fs: support file pinning for zoned devices
	f2fs: fix block migration when section is not aligned to pow2
	perf ui browser: Avoid SEGV on title
	perf report: Avoid SEGV in report__setup_sample_type()
	perf thread: Fixes to thread__new() related to initializing comm
	perf maps: Move symbol maps functions to maps.c
	perf symbols: Fix ownership of string in dso__load_vmlinux()
	f2fs: compress: fix to update i_compr_blocks correctly
	f2fs: deprecate io_bits
	f2fs: introduce get_available_block_count() for cleanup
	f2fs: compress: fix error path of inc_valid_block_count()
	f2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock
	f2fs: fix to release node block count in error path of f2fs_new_node_page()
	f2fs: compress: don't allow unaligned truncation on released compress inode
	serial: sh-sci: protect invalidating RXDMA on shutdown
	libsubcmd: Fix parse-options memory leak
	perf daemon: Fix file leak in daemon_session__control
	f2fs: fix to add missing iput() in gc_data_segment()
	usb: fotg210: Add missing kernel doc description
	perf stat: Don't display metric header for non-leader uncore events
	perf test: Add a test for strcmp_cpuid_str() expression
	perf pmu: Move pmu__find_core_pmu() to pmus.c
	perf pmu: "Compat" supports regular expression matching identifiers
	perf tools: Use pmus to describe type from attribute
	perf tools: Add/use PMU reverse lookup from config to name
	perf pmu: Assume sysfs events are always the same case
	perf pmu: Count sys and cpuid JSON events separately
	LoongArch: Fix callchain parse error with kernel tracepoint events again
	s390/vdso64: filter out munaligned-symbols flag for vdso
	s390/vdso: Generate unwind information for C modules
	kbuild: unify vdso_install rules
	kbuild: fix build ID symlinks to installed debug VDSO files
	s390/vdso: Create .build-id links for unstripped vdso files
	s390/vdso: Use standard stack frame layout
	s390/ipl: Fix incorrect initialization of len fields in nvme reipl block
	s390/ipl: Fix incorrect initialization of nvme dump block
	s390/boot: Remove alt_stfle_fac_list from decompressor
	dt-bindings: PCI: rockchip,rk3399-pcie: Add missing maxItems to ep-gpios
	gpiolib: acpi: Fix failed in acpi_gpiochip_find() by adding parent node match
	drm/amd/display: Remove pixle rate limit for subvp
	drm/amd/display: Revert Remove pixle rate limit for subvp
	eventfs: Do not differentiate the toplevel events directory
	iio: accel: mxc4005: allow module autoloading via OF compatible
	iio: accel: mxc4005: Reset chip on probe() and resume()
	misc/pvpanic: deduplicate common code
	misc/pvpanic-pci: register attributes via pci_driver
	serial: sc16is7xx: replace hardcoded divisor value with BIT() macro
	serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler
	eventfs: Create eventfs_root_inode to store dentry
	eventfs/tracing: Add callback for release of an eventfs_inode
	eventfs: Free all of the eventfs_inode after RCU
	eventfs: Have "events" directory get permissions from its parent
	dt-bindings: adc: axi-adc: update bindings for backend framework
	dt-bindings: adc: axi-adc: add clocks property
	Input: ims-pcu - fix printf string overflow
	mmc: sdhci_am654: Add tuning algorithm for delay chain
	mmc: sdhci_am654: Write ITAPDLY for DDR52 timing
	mmc: sdhci_am654: Drop lookup for deprecated ti,otap-del-sel
	mmc: sdhci_am654: Add OTAP/ITAP delay enable
	mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock
	mmc: sdhci_am654: Fix ITAPDLY for HS400 timing
	Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
	media: v4l2-subdev: Document and enforce .s_stream() requirements
	media: v4l: Don't turn on privacy LED if streamon fails
	media: ov2680: Clear the 'ret' variable on success
	media: ov2680: Allow probing if link-frequencies is absent
	media: ov2680: Do not fail if data-lanes property is absent
	drm/msm/dsi: Print dual-DSI-adjusted pclk instead of original mode pclk
	drm/msm/dpu: Always flush the slave INTF on the CTL
	drm/mediatek: dp: Fix mtk_dp_aux_transfer return value
	drm/meson: gate px_clk when setting rate
	um: Fix return value in ubd_init()
	um: Add winch to winch_handlers before registering winch IRQ
	um: vector: fix bpfflash parameter evaluation
	fs/ntfs3: Check 'folio' pointer for NULL
	fs/ntfs3: Use 64 bit variable to avoid 32 bit overflow
	fs/ntfs3: Use variable length array instead of fixed size
	drm/msm/dpu: remove irq_idx argument from IRQ callbacks
	drm/msm/dpu: extract dpu_core_irq_is_valid() helper
	drm/msm/dpu: add helper to get IRQ-related data
	drm/msm/dpu: make the irq table size static
	drm/msm/dpu: stop using raw IRQ indices in the kernel output
	drm/msm/dpu: Add callback function pointer check before its call
	drm/bridge: tc358775: fix support for jeida-18 and jeida-24
	media: stk1160: fix bounds checking in stk1160_copy_video()
	Input: cyapa - add missing input core locking to suspend/resume functions
	drm/amdgpu: init microcode chip name from ip versions
	drm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode()
	media: mediatek: vcodec: add encoder power management helper functions
	media: mediatek: vcodec: fix possible unbalanced PM counter
	tools/arch/x86/intel_sdsi: Fix maximum meter bundle length
	tools/arch/x86/intel_sdsi: Fix meter_show display
	tools/arch/x86/intel_sdsi: Fix meter_certificate decoding
	platform/x86: thinkpad_acpi: Take hotkey_mutex during hotkey_exit()
	media: flexcop-usb: fix sanity check of bNumEndpoints
	powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
	um: Fix the -Wmissing-prototypes warning for __switch_mm
	um: Fix the -Wmissing-prototypes warning for get_thread_reg
	um: Fix the declaration of kasan_map_memory
	cxl/trace: Correct DPA field masks for general_media & dram events
	cxl/region: Fix cxlr_pmem leaks
	media: sunxi: a83-mips-csi2: also select GENERIC_PHY
	media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
	media: cec: cec-api: add locking in cec_release()
	media: cec: core: avoid recursive cec_claim_log_addrs
	media: cec: core: avoid confusing "transmit timed out" message
	Revert "drm/bridge: ti-sn65dsi83: Fix enable error path"
	drm: zynqmp_dpsub: Always register bridge
	selftests/powerpc/dexcr: Add -no-pie to hashchk tests
	drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails
	ASoC: tas2781: Fix a warning reported by robot kernel test
	null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
	ALSA: hda/cs_dsp_ctl: Use private_free for control cleanup
	ASoC: cs35l56: Fix to ensure ASP1 registers match cache
	ALSA: hda: cs35l56: Initialize all ASP1 registers
	ALSA: hda: cs35l56: Fix lifetime of cs_dsp instance
	ASoC: mediatek: mt8192: fix register configuration for tdm
	nouveau: add an ioctl to return vram bar size.
	nouveau: add an ioctl to report vram usage
	drm/nouveau: use tile_mode and pte_kind for VM_BIND bo allocations
	blk-cgroup: fix list corruption from resetting io stat
	blk-cgroup: fix list corruption from reorder of WRITE ->lqueued
	blk-cgroup: Properly propagate the iostat update up the hierarchy
	regulator: bd71828: Don't overwrite runtime voltages
	xen/x86: add extra pages to unpopulated-alloc if available
	perf/arm-dmc620: Fix lockdep assert in ->event_init()
	x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y
	net: Always descend into dsa/ folder with CONFIG_NET_DSA enabled
	ipv6: sr: fix missing sk_buff release in seg6_input_core
	selftests: net: kill smcrouted in the cleanup logic in amt.sh
	nfc: nci: Fix uninit-value in nci_rx_work
	ASoC: tas2552: Add TX path for capturing AUDIO-OUT data
	ASoC: tas2781: Fix wrong loading calibrated data sequence
	NFSv4: Fixup smatch warning for ambiguous return
	nfs: keep server info for remounts
	sunrpc: fix NFSACL RPC retry on soft mount
	rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL
	regulator: pickable ranges: don't always cache vsel
	regulator: tps6287x: Force writing VSEL bit
	af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.
	ipv6: sr: fix memleak in seg6_hmac_init_algo
	regulator: tps6594-regulator: Correct multi-phase configuration
	tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
	pNFS/filelayout: fixup pNfs allocation modes
	openvswitch: Set the skbuff pkt_type for proper pmtud support.
	arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
	rv: Update rv_en(dis)able_monitor doc to match kernel-doc
	net: lan966x: Remove ptp traps in case the ptp is not enabled.
	virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
	i3c: add actual_len in i3c_priv_xfer
	i3c: master: svc: rename read_len as actual_len
	i3c: master: svc: return actual transfer data len
	i3c: master: svc: change ENXIO to EAGAIN when IBI occurs during start frame
	Revert "ixgbe: Manual AN-37 for troublesome link partners for X550 SFI"
	net: fec: avoid lock evasion when reading pps_enable
	tls: fix missing memory barrier in tls_init
	net: relax socket state check at accept time.
	nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
	drivers/xen: Improve the late XenStore init protocol
	ice: Interpret .set_channels() input differently
	kasan, fortify: properly rename memintrinsics
	tracing/probes: fix error check in parse_btf_field()
	tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer
	netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
	netfilter: ipset: Add list flush to cancel_gc
	netfilter: nft_payload: restore vlan q-in-q match support
	spi: Don't mark message DMA mapped when no transfer in it is
	kthread: add kthread_stop_put
	dma-mapping: benchmark: fix up kthread-related error handling
	dma-mapping: benchmark: fix node id validation
	dma-mapping: benchmark: handle NUMA_NO_NODE correctly
	nvme-tcp: add definitions for TLS cipher suites
	nvme-multipath: fix io accounting on failover
	nvmet: fix ns enable/disable possible hang
	drm/amd/display: Enable colorspace property for MST connectors
	net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ8061
	net/mlx5: Lag, do bond only if slaves agree on roce state
	net/mlx5: Fix MTMP register capability offset in MCAM register
	net/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules
	net/mlx5e: Fix IPsec tunnel mode offload feature check
	net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion
	net/mlx5e: Fix UDP GSO for encapsulated packets
	dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
	bpf: Fix potential integer overflow in resolve_btfids
	ALSA: jack: Use guard() for locking
	ALSA: core: Remove debugfs at disconnection
	ALSA: hda/realtek: Adjust G814JZR to use SPI init for amp
	enic: Validate length of nl attributes in enic_set_vf_port
	af_unix: Annotate data-race around unix_sk(sk)->addr.
	af_unix: Read sk->sk_hash under bindlock during bind().
	Octeontx2-pf: Free send queue buffers incase of leaf to inner
	net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
	ASoC: cs42l43: Only restrict 44.1kHz for the ASP
	bpf: Allow delete from sockmap/sockhash only if update is allowed
	net:fec: Add fec_enet_deinit()
	net: micrel: Fix lan8841_config_intr after getting out of sleep mode
	ice: fix accounting if a VLAN already exists
	selftests: mptcp: simult flows: mark 'unbalanced' tests as flaky
	selftests: mptcp: add ms units for tc-netem delay
	selftests: mptcp: join: mark 'fail' tests as flaky
	ALSA: seq: Fix missing bank setup between MIDI1/MIDI2 UMP conversion
	ALSA: seq: Don't clear bank selection at event -> UMP MIDI2 conversion
	net: ti: icssg-prueth: Fix start counter for ft1 filter
	netfilter: nft_payload: skbuff vlan metadata mangle support
	netfilter: tproxy: bail out if IP has been disabled on the device
	netfilter: nft_fib: allow from forward/input without iif selector
	net/sched: taprio: make q->picos_per_byte available to fill_sched_entry()
	net/sched: taprio: extend minimum interval restriction to entire cycle too
	kconfig: fix comparison to constant symbols, 'm', 'n'
	drm/i915/guc: avoid FIELD_PREP warning
	drm/i915/gt: Fix CCS id's calculation for CCS mode setting
	kheaders: use `command -v` to test for existence of `cpio`
	spi: stm32: Don't warn about spurious interrupts
	net: dsa: microchip: fix RGMII error in KSZ DSA driver
	net: ena: Reduce lines with longer column width boundary
	net: ena: Fix redundant device NUMA node override
	ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
	ALSA: seq: Fix yet another spot for system message conversion
	powerpc/pseries/lparcfg: drop error message from guest name lookup
	drm/panel: sitronix-st7789v: fix timing for jt240mhqs_hwt_ek_e3 panel
	drm/panel: sitronix-st7789v: tweak timing for jt240mhqs_hwt_ek_e3 panel
	drm/panel: sitronix-st7789v: fix display size for jt240mhqs_hwt_ek_e3 panel
	hwmon: (intel-m10-bmc-hwmon) Fix multiplier for N6000 board power sensor
	hwmon: (shtc1) Fix property misspelling
	ALSA: seq: ump: Fix swapped song position pointer data
	ALSA: timer: Set lower bound of start tick time
	x86/efistub: Omit physical KASLR when memory reservations exist
	efi: libstub: only free priv.runtime_map when allocated
	x86/pci: Skip early E820 check for ECAM region
	KVM: x86: Don't advertise guest.MAXPHYADDR as host.MAXPHYADDR in CPUID
	genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
	platform/x86/intel/tpmi: Handle error from tpmi_process_info()
	platform/x86/intel-uncore-freq: Don't present root domain on error
	perf util: Add a function for replacing characters in a string
	perf evlist: Add perf_evlist__go_system_wide() helper
	RDMA/bnxt_re: Fix the sparse warnings
	nouveau: report byte usage in VRAM usage.
	media: vsp1: Remove unbalanced .s_stream(0) calls
	drm/msm/dpu: make error messages at dpu_core_irq_register_callback() more sensible
	perf sched timehist: Fix -g/--call-graph option failure
	f2fs: write missing last sum blk of file pinning section
	f2fs: use f2fs_{err,info}_ratelimited() for cleanup
	SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
	riscv: prevent pt_regs corruption for secondary idle threads
	riscv: stacktrace: fixed walk_stackframe()
	Linux 6.6.33

Change-Id: I8f20a358603595403bffddcb05709cd2af54a621
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-06-13 16:02:20 +00:00
Kuniyuki Iwashima
ac325c7f89 af_unix: Read sk->sk_hash under bindlock during bind().
[ Upstream commit 51d1b25a72 ]

syzkaller reported data-race of sk->sk_hash in unix_autobind() [0],
and the same ones exist in unix_bind_bsd() and unix_bind_abstract().

The three bind() functions prefetch sk->sk_hash locklessly and
use it later after validating that unix_sk(sk)->addr is NULL under
unix_sk(sk)->bindlock.

The prefetched sk->sk_hash is the hash value of unbound socket set
in unix_create1() and does not change until bind() completes.

There could be a chance that sk->sk_hash changes after the lockless
read.  However, in such a case, non-NULL unix_sk(sk)->addr is visible
under unix_sk(sk)->bindlock, and bind() returns -EINVAL without using
the prefetched value.

The KCSAN splat is false-positive, but let's silence it by reading
sk->sk_hash under unix_sk(sk)->bindlock.

[0]:
BUG: KCSAN: data-race in unix_autobind / unix_autobind

write to 0xffff888034a9fb88 of 4 bytes by task 4468 on cpu 0:
 __unix_set_addr_hash net/unix/af_unix.c:331 [inline]
 unix_autobind+0x47a/0x7d0 net/unix/af_unix.c:1185
 unix_dgram_connect+0x7e3/0x890 net/unix/af_unix.c:1373
 __sys_connect_file+0xd7/0xe0 net/socket.c:2048
 __sys_connect+0x114/0x140 net/socket.c:2065
 __do_sys_connect net/socket.c:2075 [inline]
 __se_sys_connect net/socket.c:2072 [inline]
 __x64_sys_connect+0x40/0x50 net/socket.c:2072
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x46/0x4e

read to 0xffff888034a9fb88 of 4 bytes by task 4465 on cpu 1:
 unix_autobind+0x28/0x7d0 net/unix/af_unix.c:1134
 unix_dgram_connect+0x7e3/0x890 net/unix/af_unix.c:1373
 __sys_connect_file+0xd7/0xe0 net/socket.c:2048
 __sys_connect+0x114/0x140 net/socket.c:2065
 __do_sys_connect net/socket.c:2075 [inline]
 __se_sys_connect net/socket.c:2072 [inline]
 __x64_sys_connect+0x40/0x50 net/socket.c:2072
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x46/0x4e

value changed: 0x000000e4 -> 0x000001e3

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 4465 Comm: syz-executor.0 Not tainted 6.8.0-12822-gcd51db110a7e #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Fixes: afd20b9290 ("af_unix: Replace the big lock with small locks.")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240522154218.78088-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-12 11:12:55 +02:00
Kuniyuki Iwashima
302fe8dd14 af_unix: Annotate data-race around unix_sk(sk)->addr.
[ Upstream commit 97e1db06c7 ]

Once unix_sk(sk)->addr is assigned under net->unx.table.locks and
unix_sk(sk)->bindlock, *(unix_sk(sk)->addr) and unix_sk(sk)->path are
fully set up, and unix_sk(sk)->addr is never changed.

unix_getname() and unix_copy_addr() access the two fields locklessly,
and commit ae3b564179 ("missing barriers in some of unix_sock ->addr
and ->path accesses") added smp_store_release() and smp_load_acquire()
pairs.

In other functions, we still read unix_sk(sk)->addr locklessly to check
if the socket is bound, and KCSAN complains about it.  [0]

Given these functions have no dependency for *(unix_sk(sk)->addr) and
unix_sk(sk)->path, READ_ONCE() is enough to annotate the data-race.

Note that it is safe to access unix_sk(sk)->addr locklessly if the socket
is found in the hash table.  For example, the lockless read of otheru->addr
in unix_stream_connect() is safe.

Note also that newu->addr there is of the child socket that is still not
accessible from userspace, and smp_store_release() publishes the address
in case the socket is accept()ed and unix_getname() / unix_copy_addr()
is called.

[0]:
BUG: KCSAN: data-race in unix_bind / unix_listen

write (marked) to 0xffff88805f8d1840 of 8 bytes by task 13723 on cpu 0:
 __unix_set_addr_hash net/unix/af_unix.c:329 [inline]
 unix_bind_bsd net/unix/af_unix.c:1241 [inline]
 unix_bind+0x881/0x1000 net/unix/af_unix.c:1319
 __sys_bind+0x194/0x1e0 net/socket.c:1847
 __do_sys_bind net/socket.c:1858 [inline]
 __se_sys_bind net/socket.c:1856 [inline]
 __x64_sys_bind+0x40/0x50 net/socket.c:1856
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x46/0x4e

read to 0xffff88805f8d1840 of 8 bytes by task 13724 on cpu 1:
 unix_listen+0x72/0x180 net/unix/af_unix.c:734
 __sys_listen+0xdc/0x160 net/socket.c:1881
 __do_sys_listen net/socket.c:1890 [inline]
 __se_sys_listen net/socket.c:1888 [inline]
 __x64_sys_listen+0x2e/0x40 net/socket.c:1888
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x46/0x4e

value changed: 0x0000000000000000 -> 0xffff88807b5b1b40

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 13724 Comm: syz-executor.4 Not tainted 6.8.0-12822-gcd51db110a7e #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240522154002.77857-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-12 11:12:55 +02:00
Kuniyuki Iwashima
d59ae9314b af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.
[ Upstream commit 9841991a44 ]

Billy Jheng Bing-Jhong reported a race between __unix_gc() and
queue_oob().

__unix_gc() tries to garbage-collect close()d inflight sockets,
and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC
will drop the reference and set NULL to it locklessly.

However, the peer socket still can send MSG_OOB message and
queue_oob() can update unix_sk(sk)->oob_skb concurrently, leading
to a NULL pointer dereference. [0]

To fix the issue, let's update unix_sk(sk)->oob_skb under the
sk_receive_queue's lock and take it everywhere we touch oob_skb.

Note that we defer kfree_skb() in manage_oob() to silence lockdep
false-positive (See [1]).

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000008
 PF: supervisor write access in kernel mode
 PF: error_code(0x0002) - not-present page
PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events delayed_fput
RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)
Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc
RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002
RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9
RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00
RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00
R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80
FS:  0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
 <TASK>
 unix_release_sock (net/unix/af_unix.c:654)
 unix_release (net/unix/af_unix.c:1050)
 __sock_release (net/socket.c:660)
 sock_close (net/socket.c:1423)
 __fput (fs/file_table.c:423)
 delayed_fput (fs/file_table.c:444 (discriminator 3))
 process_one_work (kernel/workqueue.c:3259)
 worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
 kthread (kernel/kthread.c:388)
 ret_from_fork (arch/x86/kernel/process.c:153)
 ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
 </TASK>
Modules linked in:
CR2: 0000000000000008

Link: https://lore.kernel.org/netdev/a00d3993-c461-43f2-be6d-07259c98509a@rbox.co/ [1]
Fixes: 1279f9d9de ("af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.")
Reported-by: Billy Jheng Bing-Jhong <billy@starlabs.sg>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240516134835.8332-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-12 11:12:48 +02:00
Breno Leitao
0688d4e499 af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
[ Upstream commit 540bf24fba ]

A data-race condition has been identified in af_unix. In one data path,
the write function unix_release_sock() atomically writes to
sk->sk_shutdown using WRITE_ONCE. However, on the reader side,
unix_stream_sendmsg() does not read it atomically. Consequently, this
issue is causing the following KCSAN splat to occur:

	BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg

	write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:
	unix_release_sock (net/unix/af_unix.c:640)
	unix_release (net/unix/af_unix.c:1050)
	sock_close (net/socket.c:659 net/socket.c:1421)
	__fput (fs/file_table.c:422)
	__fput_sync (fs/file_table.c:508)
	__se_sys_close (fs/open.c:1559 fs/open.c:1541)
	__x64_sys_close (fs/open.c:1541)
	x64_sys_call (arch/x86/entry/syscall_64.c:33)
	do_syscall_64 (arch/x86/entry/common.c:?)
	entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

	read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:
	unix_stream_sendmsg (net/unix/af_unix.c:2273)
	__sock_sendmsg (net/socket.c:730 net/socket.c:745)
	____sys_sendmsg (net/socket.c:2584)
	__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)
	__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)
	x64_sys_call (arch/x86/entry/syscall_64.c:33)
	do_syscall_64 (arch/x86/entry/common.c:?)
	entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

	value changed: 0x01 -> 0x03

The line numbers are related to commit dd5a440a31 ("Linux 6.9-rc7").

Commit e1d09c2c2f ("af_unix: Fix data races around sk->sk_shutdown.")
addressed a comparable issue in the past regarding sk->sk_shutdown.
However, it overlooked resolving this particular data path.
This patch only fixes the offending unix_stream_sendmsg() function, since the
other reads seem to be protected by unix_state_lock() as discussed in
Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240509081459.2807828-1-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-12 11:11:52 +02:00
Greg Kroah-Hartman
a38b207d4f ANDROID: GKI: set vfs-only exports into their own namespace
We have namespaces, so use them for all vfs-exported namespaces so that
filesystems can use them, but not anything else.

Some in-kernel drivers that do direct filesystem accesses (because they
serve up files) are also allowed access to these symbols to keep 'make
allmodconfig' builds working properly, but it is not needed for Android
kernel images.

Bug: 157965270
Bug: 210074446
Cc: Matthias Maennich <maennich@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iaf6140baf3a18a516ab2d5c3966235c42f3f70de
2024-06-05 16:59:27 +00:00
Kuniyuki Iwashima
022d81a709 af_unix: Don't peek OOB data without MSG_OOB.
[ Upstream commit 22dd70eb2c ]

Currently, we can read OOB data without MSG_OOB by using MSG_PEEK
when OOB data is sitting on the front row, which is apparently
wrong.

  >>> from socket import *
  >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
  >>> c1.send(b'a', MSG_OOB)
  1
  >>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
  b'a'

If manage_oob() is called when no data has been copied, we only
check if the socket enables SO_OOBINLINE or MSG_PEEK is not used.
Otherwise, the skb is returned as is.

However, here we should return NULL if MSG_PEEK is set and no data
has been copied.

Also, in such a case, we should not jump to the redo label because
we will be caught in the loop and hog the CPU until normal data
comes in.

Then, we need to handle skb == NULL case with the if-clause below
the manage_oob() block.

With this patch:

  >>> from socket import *
  >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
  >>> c1.send(b'a', MSG_OOB)
  1
  >>> c2.recv(1, MSG_PEEK | MSG_DONTWAIT)
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
  BlockingIOError: [Errno 11] Resource temporarily unavailable

Fixes: 314001f0bf ("af_unix: Add OOB support")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240410171016.7621-3-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-04-27 17:11:32 +02:00
Kuniyuki Iwashima
aea3cb8cfb af_unix: Call manage_oob() for every skb in unix_stream_read_generic().
[ Upstream commit 283454c8a1 ]

When we call recv() for AF_UNIX socket, we first peek one skb and
calls manage_oob() to check if the skb is sent with MSG_OOB.

However, when we fetch the next (and the following) skb, manage_oob()
is not called now, leading to a wrong behaviour.

Let's say a socket send()s "hello" with MSG_OOB and the peer tries
to recv() 5 bytes with MSG_PEEK.  Here, we should get only "hell"
without 'o', but actually not:

  >>> from socket import *
  >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
  >>> c1.send(b'hello', MSG_OOB)
  5
  >>> c2.recv(5, MSG_PEEK)
  b'hello'

The first skb fills 4 bytes, and the next skb is peeked but not
properly checked by manage_oob().

Let's move up the again label to call manage_oob() for every skb.

With this patch:

  >>> from socket import *
  >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
  >>> c1.send(b'hello', MSG_OOB)
  5
  >>> c2.recv(5, MSG_PEEK)
  b'hell'

Fixes: 314001f0bf ("af_unix: Add OOB support")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240410171016.7621-2-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-04-27 17:11:32 +02:00
Kuniyuki Iwashima
301fdbaa0b af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
[ Upstream commit 97af84a6bb ]

When touching unix_sk(sk)->inflight, we are always under
spin_lock(&unix_gc_lock).

Let's convert unix_sk(sk)->inflight to the normal unsigned long.

Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240123170856.41348-3-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 47d8ac011f ("af_unix: Fix garbage collector racing against connect()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-04-17 11:19:32 +02:00
Kuniyuki Iwashima
601a89ea24 af_unix: Clear stale u->oob_skb.
[ Upstream commit b46f4eaa4f ]

syzkaller started to report deadlock of unix_gc_lock after commit
4090fa373f ("af_unix: Replace garbage collection algorithm."), but
it just uncovers the bug that has been there since commit 314001f0bf
("af_unix: Add OOB support").

The repro basically does the following.

  from socket import *
  from array import array

  c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
  c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array("i", [c2.fileno()]))], MSG_OOB)
  c2.recv(1)  # blocked as no normal data in recv queue

  c2.close()  # done async and unblock recv()
  c1.close()  # done async and trigger GC

A socket sends its file descriptor to itself as OOB data and tries to
receive normal data, but finally recv() fails due to async close().

The problem here is wrong handling of OOB skb in manage_oob().  When
recvmsg() is called without MSG_OOB, manage_oob() is called to check
if the peeked skb is OOB skb.  In such a case, manage_oob() pops it
out of the receive queue but does not clear unix_sock(sk)->oob_skb.
This is wrong in terms of uAPI.

Let's say we send "hello" with MSG_OOB, and "world" without MSG_OOB.
The 'o' is handled as OOB data.  When recv() is called twice without
MSG_OOB, the OOB data should be lost.

  >>> from socket import *
  >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)
  >>> c1.send(b'hello', MSG_OOB)  # 'o' is OOB data
  5
  >>> c1.send(b'world')
  5
  >>> c2.recv(5)  # OOB data is not received
  b'hell'
  >>> c2.recv(5)  # OOB data is skipped
  b'world'
  >>> c2.recv(5, MSG_OOB)  # This should return an error
  b'o'

In the same situation, TCP actually returns -EINVAL for the last
recv().

Also, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always sets
EPOLLPRI even though the data has passed through by previous recv().

To avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing
it from recv queue.

The reason why the old GC did not trigger the deadlock is because the
old GC relied on the receive queue to detect the loop.

When it is triggered, the socket with OOB data is marked as GC candidate
because file refcount == inflight count (1).  However, after traversing
all inflight sockets, the socket still has a positive inflight count (1),
thus the socket is excluded from candidates.  Then, the old GC loses the
chance to garbage-collect the socket.

With the old GC, the repro continues to create true garbage that will
never be freed nor detected by kmemleak as it's linked to the global
inflight list.  That's why we couldn't even notice the issue.

Fixes: 314001f0bf ("af_unix: Add OOB support")
Reported-by: syzbot+7f7f201cc2668a8fd169@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7f7f201cc2668a8fd169
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240405221057.2406-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-04-17 11:19:29 +02:00
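The three interactive sessions quoted in the af_unix OOB commits above (22dd70eb2c "Don't peek OOB data without MSG_OOB", 283454c8a1 "Call manage_oob() for every skb" and b46f4eaa4f "Clear stale u->oob_skb") can be replayed as a regression probe, so an operator can confirm that the kernel a fleet is running carries these fixes rather than reading version strings. The following is an added example, not code from the kernel tree or from the commit authors. It assumes Linux with MSG_OOB usable on AF_UNIX stream sockets; the function names (probe_kernel and the three checks) are hypothetical. It only exercises the benign send/recv sequences from the commit messages and never the fd-passing garbage-collector repro.

```python
"""Regression probe for the AF_UNIX MSG_OOB fixes discussed in the commits above.

Added example, not code from the kernel tree or from the commit authors.
Each check replays one of the interactive sessions quoted in the commit
messages on non-blocking sockets and reports:
  True  - the behaviour the fix establishes,
  False - the pre-fix behaviour the commit message describes,
  None  - MSG_OOB on AF_UNIX is unusable here, or the sequence did not reproduce.
All function names are hypothetical.  Results describe the running kernel.
"""
import errno
import socket
from contextlib import contextmanager
from typing import Callable, Optional


@contextmanager
def _pair():
    """A connected AF_UNIX stream pair; non-blocking so a probe can never hang."""
    c1, c2 = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    c1.setblocking(False)
    c2.setblocking(False)
    try:
        yield c1, c2
    finally:
        c1.close()
        c2.close()


def _probe(check: Callable[[socket.socket, socket.socket], Optional[bool]]) -> Optional[bool]:
    """Run one check; a platform-level failure (no AF_UNIX, MSG_OOB rejected by
    send(), a sandbox refusing socketpair) is reported as None, not raised."""
    try:
        with _pair() as (c1, c2):
            return check(c1, c2)
    except (OSError, AttributeError):
        return None


def peek_hides_oob_byte() -> Optional[bool]:
    """Commit 22dd70eb2c: MSG_PEEK without MSG_OOB must not expose the OOB
    byte at the head of the queue; a fixed kernel answers EAGAIN instead."""
    def check(c1, c2):
        c1.send(b"a", socket.MSG_OOB)
        try:
            data = c2.recv(1, socket.MSG_PEEK)
        except BlockingIOError:
            return True            # EAGAIN: the OOB byte was not peeked
        return data != b"a"        # pre-fix kernels hand back b'a'
    return _probe(check)


def peek_stops_before_oob_byte() -> Optional[bool]:
    """Commit 283454c8a1: manage_oob() must run for every skb, so peeking five
    bytes of b'hello' sent with MSG_OOB yields b'hell', not b'hello'."""
    def check(c1, c2):
        c1.send(b"hello", socket.MSG_OOB)   # 'o' is queued as a separate OOB skb
        return c2.recv(5, socket.MSG_PEEK) == b"hell"
    return _probe(check)


def stale_oob_is_cleared() -> Optional[bool]:
    """Commit b46f4eaa4f: once normal recv() calls have skipped past the OOB
    byte, a later recv(MSG_OOB) must fail with EINVAL instead of returning it."""
    def check(c1, c2):
        c1.send(b"hello", socket.MSG_OOB)
        c1.send(b"world")
        if (c2.recv(5), c2.recv(5)) != (b"hell", b"world"):
            return None                     # the commit's sequence did not reproduce
        try:
            leftover = c2.recv(5, socket.MSG_OOB)
        except OSError as exc:
            return exc.errno == errno.EINVAL
        return leftover != b"o"             # pre-fix kernels still return the stale byte
    return _probe(check)


def probe_kernel() -> dict:
    """Run all three checks; a fleet baseline can require every value to be True."""
    return {
        "peek_hides_oob_byte": peek_hides_oob_byte(),
        "peek_stops_before_oob_byte": peek_stops_before_oob_byte(),
        "stale_oob_is_cleared": stale_oob_is_cleared(),
    }


if __name__ == "__main__":
    labels = {True: "fixed", False: "pre-fix behaviour", None: "not testable here"}
    for name, verdict in probe_kernel().items():
        print(f"{name}: {labels[verdict]}")
```

The sockets are switched to non-blocking rather than given a timeout because Python retries EAGAIN internally on a socket with a timeout, which would turn the "fixed" outcome of the first check into a half-second busy wait; with non-blocking sockets every outcome in the commit messages is decided by a single syscall.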
Eric Dumazet
5e7f3e0381 af_unix: fix lockdep positive in sk_diag_dump_icons()
[ Upstream commit 4d322dce82 ]

syzbot reported a lockdep splat [1].

Blamed commit hinted about the possible lockdep
violation, and code used unix_state_lock_nested()
in an attempt to silence lockdep.

It is not sufficient, because unix_state_lock_nested()
is already used from unix_state_double_lock().

We need to use a separate subclass.

This patch adds a distinct enumeration to make things
more explicit.

Also use swap() in unix_state_double_lock() as a clean up.

v2: add a missing inline keyword to unix_state_lock_nested()

[1]
WARNING: possible circular locking dependency detected
6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0 Not tainted

syz-executor.1/2542 is trying to acquire lock:
 ffff88808b5df9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863

but task is already holding lock:
 ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&u->lock/1){+.+.}-{2:2}:
        lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
        _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
        sk_diag_dump_icons net/unix/diag.c:87 [inline]
        sk_diag_fill+0x6ea/0xfe0 net/unix/diag.c:157
        sk_diag_dump net/unix/diag.c:196 [inline]
        unix_diag_dump+0x3e9/0x630 net/unix/diag.c:220
        netlink_dump+0x5c1/0xcd0 net/netlink/af_netlink.c:2264
        __netlink_dump_start+0x5d7/0x780 net/netlink/af_netlink.c:2370
        netlink_dump_start include/linux/netlink.h:338 [inline]
        unix_diag_handler_dump+0x1c3/0x8f0 net/unix/diag.c:319
       sock_diag_rcv_msg+0xe3/0x400
        netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2543
        sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
        netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
        netlink_unicast+0x7e6/0x980 net/netlink/af_netlink.c:1367
        netlink_sendmsg+0xa37/0xd70 net/netlink/af_netlink.c:1908
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg net/socket.c:745 [inline]
        sock_write_iter+0x39a/0x520 net/socket.c:1160
        call_write_iter include/linux/fs.h:2085 [inline]
        new_sync_write fs/read_write.c:497 [inline]
        vfs_write+0xa74/0xca0 fs/read_write.c:590
        ksys_write+0x1a0/0x2c0 fs/read_write.c:643
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b

-> #0 (rlock-AF_UNIX){+.+.}-{2:2}:
        check_prev_add kernel/locking/lockdep.c:3134 [inline]
        check_prevs_add kernel/locking/lockdep.c:3253 [inline]
        validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
        __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
        lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
        __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
        _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
        skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
        unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112
        sock_sendmsg_nosec net/socket.c:730 [inline]
        __sock_sendmsg net/socket.c:745 [inline]
        ____sys_sendmsg+0x592/0x890 net/socket.c:2584
        ___sys_sendmsg net/socket.c:2638 [inline]
        __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
        __do_sys_sendmmsg net/socket.c:2753 [inline]
        __se_sys_sendmmsg net/socket.c:2750 [inline]
        __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x63/0x6b

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&u->lock/1);
                               lock(rlock-AF_UNIX);
                               lock(&u->lock/1);
  lock(rlock-AF_UNIX);

 *** DEADLOCK ***

1 lock held by syz-executor.1/2542:
  #0: ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089

stack backtrace:
CPU: 1 PID: 2542 Comm: syz-executor.1 Not tainted 6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
  check_noncircular+0x366/0x490 kernel/locking/lockdep.c:2187
  check_prev_add kernel/locking/lockdep.c:3134 [inline]
  check_prevs_add kernel/locking/lockdep.c:3253 [inline]
  validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
  __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
  lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
  _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
  skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
  unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  ____sys_sendmsg+0x592/0x890 net/socket.c:2584
  ___sys_sendmsg net/socket.c:2638 [inline]
  __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
  __do_sys_sendmmsg net/socket.c:2753 [inline]
  __se_sys_sendmmsg net/socket.c:2750 [inline]
  __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f26d887cda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f26d95a60c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f26d89abf80 RCX: 00007f26d887cda9
RDX: 000000000000003e RSI: 00000000200bd000 RDI: 0000000000000004
RBP: 00007f26d88c947a R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000008c0 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f26d89abf80 R15: 00007ffcfe081a68

Fixes: 2aac7a2cb0 ("unix_diag: Pending connections IDs NLA")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240130184235.1620738-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-02-05 20:14:37 +00:00
John Fastabend
484a2f50cc bpf, sockmap: af_unix stream sockets need to hold ref for pair sock
[ Upstream commit 8866730aed ]

AF_UNIX stream sockets are paired sockets. So sending on one of the pairs
will look up the paired socket as part of the send operation. It is possible
however to put just one of the pairs in a BPF map. This currently increments
the refcnt on the sock in the sockmap to ensure it is not free'd by the
stack before sockmap cleans up its state and stops any skbs being sent/recv'd
to that socket.

But we missed a case. If the peer socket is closed it will be free'd by the
stack. However, the paired socket can still be referenced from BPF sockmap
side because we hold a reference there. Then, if we are sending traffic through
BPF sockmap to that socket, it will try to dereference the free'd pair in its
send logic, creating a use after free, and the following splat:

   [59.900375] BUG: KASAN: slab-use-after-free in sk_wake_async+0x31/0x1b0
   [59.901211] Read of size 8 at addr ffff88811acbf060 by task kworker/1:2/954
   [...]
   [59.905468] Call Trace:
   [59.905787]  <TASK>
   [59.906066]  dump_stack_lvl+0x130/0x1d0
   [59.908877]  print_report+0x16f/0x740
   [59.910629]  kasan_report+0x118/0x160
   [59.912576]  sk_wake_async+0x31/0x1b0
   [59.913554]  sock_def_readable+0x156/0x2a0
   [59.914060]  unix_stream_sendmsg+0x3f9/0x12a0
   [59.916398]  sock_sendmsg+0x20e/0x250
   [59.916854]  skb_send_sock+0x236/0xac0
   [59.920527]  sk_psock_backlog+0x287/0xaa0

To fix let BPF sockmap hold a refcnt on both the socket in the sockmap and its
paired socket. It wasn't obvious how to contain the fix to bpf_unix logic. The
primary problem with keeping this logic in bpf_unix was: In the sock close()
we could handle the deref by having a close handler. But, when we are destroying
the psock through a map delete operation we wouldn't have gotten any signal
through the proto struct other than it being replaced. If we do the deref from
the proto replace it's too early because we need to deref the sk_pair after the
backlog worker has been stopped.

Given all this it seems best to just cache it at the end of the psock and eat 8B
for the af_unix and vsock users. Notice dgram sockets are OK because they handle
locking already.

Fixes: 94531cfcbe ("af_unix: Add unix_stream_proto for sockmap")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20231129012557.95371-2-john.fastabend@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-12-08 08:52:23 +01:00
Eric Dumazet
069a3ec329 af_unix: fix use-after-free in unix_stream_read_actor()
[ Upstream commit 4b7b492615 ]

syzbot reported the following crash [1]

After releasing unix socket lock, u->oob_skb can be changed
by another thread. We must temporarily increase skb refcount
to make sure this other thread will not free the skb under us.

[1]

BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297

CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]
unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666
unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1066
____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803
___sys_recvmsg+0x115/0x1a0 net/socket.c:2845
__sys_recvmsg+0x114/0x1e0 net/socket.c:2875
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fc67492c559
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559
RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340
R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388
</TASK>

Allocated by task 5295:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523
__alloc_skb+0x287/0x330 net/core/skbuff.c:641
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
sock_alloc_send_skb include/net/sock.h:1884 [inline]
queue_oob net/unix/af_unix.c:2147 [inline]
unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Freed by task 5295:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
kmem_cache_free+0xf8/0x340 mm/slub.c:3831
kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015
__kfree_skb net/core/skbuff.c:1073 [inline]
consume_skb net/core/skbuff.c:1288 [inline]
consume_skb+0xdf/0x170 net/core/skbuff.c:1282
queue_oob net/unix/af_unix.c:2178 [inline]
unix_stream_sendmsg+0xd49/0x10a0 net/unix/af_unix.c:2301
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

The buggy address belongs to the object at ffff88801f3b9c80
which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 68 bytes inside of
freed 240-byte region [ffff88801f3b9c80, ffff88801f3b9d70)

The buggy address belongs to the physical page:
page:ffffea00007cee40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f3b9
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888142a60640 dead000000000122 0000000000000000
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5299, tgid 5283 (syz-executor107), ts 103803840339, free_ts 103600093431
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0xa25/0x36c0 mm/page_alloc.c:3312
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4568
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab+0x251/0x380 mm/slub.c:2017
new_slab mm/slub.c:2070 [inline]
___slab_alloc+0x8c7/0x1580 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
kmem_cache_alloc_node+0x132/0x3c0 mm/slub.c:3523
__alloc_skb+0x287/0x330 net/core/skbuff.c:641
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
sock_alloc_send_skb include/net/sock.h:1884 [inline]
queue_oob net/unix/af_unix.c:2147 [inline]
unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1137 [inline]
free_unref_page_prepare+0x4f8/0xa90 mm/page_alloc.c:2347
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2487
__unfreeze_partials+0x21d/0x240 mm/slub.c:2655
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc+0x15d/0x380 mm/slub.c:3502
vm_area_dup+0x21/0x2f0 kernel/fork.c:500
__split_vma+0x17d/0x1070 mm/mmap.c:2365
split_vma mm/mmap.c:2437 [inline]
vma_modify+0x25d/0x450 mm/mmap.c:2472
vma_modify_flags include/linux/mm.h:3271 [inline]
mprotect_fixup+0x228/0xc80 mm/mprotect.c:635
do_mprotect_pkey+0x852/0xd60 mm/mprotect.c:809
__do_sys_mprotect mm/mprotect.c:830 [inline]
__se_sys_mprotect mm/mprotect.c:827 [inline]
__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:827
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Memory state around the buggy address:
ffff88801f3b9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801f3b9c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
>ffff88801f3b9c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801f3b9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
ffff88801f3b9d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb

Fixes: 876c14ad01 ("af_unix: fix holding spinlock in oob handling")
Reported-and-tested-by: syzbot+7a2d546fa43e49315ed3@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Rao Shoaib <rao.shoaib@oracle.com>
Reviewed-by: Rao shoaib <rao.shoaib@oracle.com>
Link: https://lore.kernel.org/r/20231113134938.168151-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-11-28 17:19:52 +00:00
Kuniyuki Iwashima
ade32bd8a7 af_unix: Fix data-race around unix_tot_inflight.
unix_tot_inflight is changed under spin_lock(unix_gc_lock), but
unix_release_sock() reads it locklessly.

Let's use READ_ONCE() for unix_tot_inflight.

Note that the writer side was marked by commit 9d6d7f1cb6 ("af_unix:
annote lockless accesses to unix_tot_inflight & gc_in_progress")

BUG: KCSAN: data-race in unix_inflight / unix_release_sock

write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:
 unix_inflight+0x130/0x180 net/unix/scm.c:64
 unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123
 unix_scm_to_skb net/unix/af_unix.c:1832 [inline]
 unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg+0x148/0x160 net/socket.c:747
 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493
 ___sys_sendmsg+0xc6/0x140 net/socket.c:2547
 __sys_sendmsg+0x94/0x140 net/socket.c:2576
 __do_sys_sendmsg net/socket.c:2585 [inline]
 __se_sys_sendmsg net/socket.c:2583 [inline]
 __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:
 unix_release_sock+0x608/0x910 net/unix/af_unix.c:671
 unix_release+0x59/0x80 net/unix/af_unix.c:1058
 __sock_release+0x7d/0x170 net/socket.c:653
 sock_close+0x19/0x30 net/socket.c:1385
 __fput+0x179/0x5e0 fs/file_table.c:321
 ____fput+0x15/0x20 fs/file_table.c:349
 task_work_run+0x116/0x1a0 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

value changed: 0x00000000 -> 0x00000001

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Fixes: 9305cfa444 ("[AF_UNIX]: Make unix_tot_inflight counter non-atomic")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-09-04 11:06:16 +01:00
Eric Dumazet
11695c6e96 net: add missing data-race annotations around sk->sk_peek_off
sk_getsockopt() runs locklessly, thus we need to annotate the read
of sk->sk_peek_off.

While we are at it, add corresponding annotations to sk_set_peek_off()
and unix_set_peek_off().

Fixes: b9bb53f383 ("sock: convert sk_peek_offset functions to WRITE_ONCE")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-07-29 18:13:41 +01:00
Kuniyuki Iwashima
ecb4534b6a af_unix: Terminate sun_path when bind()ing pathname socket.
kernel test robot reported slab-out-of-bounds access in strlen(). [0]

Commit 06d4c8a808 ("af_unix: Fix fortify_panic() in unix_bind_bsd().")
removed unix_mkname_bsd() call in unix_bind_bsd().

If sunaddr->sun_path is not terminated by the user and we don't enable
CONFIG_INIT_STACK_ALL_ZERO=y, strlen() will do the out-of-bounds access
during file creation.

Let's go back to strlen()-with-sockaddr_storage way and pack all 108
trickiness into unix_mkname_bsd() with bold comments.

[0]:
BUG: KASAN: slab-out-of-bounds in strlen (lib/string.c:?)
Read of size 1 at addr ffff000015492777 by task fortify_strlen_/168

CPU: 0 PID: 168 Comm: fortify_strlen_ Not tainted 6.5.0-rc1-00333-g3329b603ebba #16
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace (arch/arm64/kernel/stacktrace.c:235)
 show_stack (arch/arm64/kernel/stacktrace.c:242)
 dump_stack_lvl (lib/dump_stack.c:107)
 print_report (mm/kasan/report.c:365 mm/kasan/report.c:475)
 kasan_report (mm/kasan/report.c:590)
 __asan_report_load1_noabort (mm/kasan/report_generic.c:378)
 strlen (lib/string.c:?)
 getname_kernel (./include/linux/fortify-string.h:? fs/namei.c:226)
 kern_path_create (fs/namei.c:3926)
 unix_bind (net/unix/af_unix.c:1221 net/unix/af_unix.c:1324)
 __sys_bind (net/socket.c:1792)
 __arm64_sys_bind (net/socket.c:1801)
 invoke_syscall (arch/arm64/kernel/syscall.c:? arch/arm64/kernel/syscall.c:52)
 el0_svc_common (./include/linux/thread_info.h:127 arch/arm64/kernel/syscall.c:147)
 do_el0_svc (arch/arm64/kernel/syscall.c:189)
 el0_svc (./arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:144 arch/arm64/kernel/entry-common.c:648)
 el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:?)
 el0t_64_sync (arch/arm64/kernel/entry.S:591)

Allocated by task 168:
 kasan_set_track (mm/kasan/common.c:45 mm/kasan/common.c:52)
 kasan_save_alloc_info (mm/kasan/generic.c:512)
 __kasan_kmalloc (mm/kasan/common.c:383)
 __kmalloc (mm/slab_common.c:? mm/slab_common.c:998)
 unix_bind (net/unix/af_unix.c:257 net/unix/af_unix.c:1213 net/unix/af_unix.c:1324)
 __sys_bind (net/socket.c:1792)
 __arm64_sys_bind (net/socket.c:1801)
 invoke_syscall (arch/arm64/kernel/syscall.c:? arch/arm64/kernel/syscall.c:52)
 el0_svc_common (./include/linux/thread_info.h:127 arch/arm64/kernel/syscall.c:147)
 do_el0_svc (arch/arm64/kernel/syscall.c:189)
 el0_svc (./arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:144 arch/arm64/kernel/entry-common.c:648)
 el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:?)
 el0t_64_sync (arch/arm64/kernel/entry.S:591)

The buggy address belongs to the object at ffff000015492700
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes to the right of
 allocated 119-byte region [ffff000015492700, ffff000015492777)

The buggy address belongs to the physical page:
page:00000000aeab52ba refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x55492
anon flags: 0x3fffc0000000200(slab|node=0|zone=0|lastcpupid=0xffff)
page_type: 0xffffffff()
raw: 03fffc0000000200 ffff0000084018c0 fffffc00003d0e00 0000000000000005
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000015492600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff000015492680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff000015492700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 fc
                                                             ^
 ffff000015492780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff000015492800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 06d4c8a808 ("af_unix: Fix fortify_panic() in unix_bind_bsd().")
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/netdev/202307262110.659e5e8-oliver.sang@intel.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230726190828.47874-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2023-07-27 11:36:55 +02:00
Kuniyuki Iwashima
06d4c8a808 af_unix: Fix fortify_panic() in unix_bind_bsd().
syzkaller found a bug in unix_bind_bsd() [0].  We can reproduce it
by bind()ing a socket on a path with length 108.

108 is the size of sun_addr of struct sockaddr_un and is the maximum
valid length for the pathname socket.  When calling bind(), we use
struct sockaddr_storage as the actual buffer size, so terminating
sun_addr[108] with null is legitimate as done in unix_mkname_bsd().

However, strlen(sunaddr) for such a case causes fortify_panic() if
CONFIG_FORTIFY_SOURCE=y.  __fortify_strlen() has no idea about the
actual buffer size and sees the string as unterminated.

Let's use strnlen() to allow sun_addr to be unterminated at 107.

[0]:
detected buffer overflow in __fortify_strlen
kernel BUG at lib/string_helpers.c:1031!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 255 Comm: syz-executor296 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #4
Hardware name: linux,dummy-virt (DT)
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : fortify_panic+0x1c/0x20 lib/string_helpers.c:1030
lr : fortify_panic+0x1c/0x20 lib/string_helpers.c:1030
sp : ffff800089817af0
x29: ffff800089817af0 x28: ffff800089817b40 x27: 1ffff00011302f68
x26: 000000000000006e x25: 0000000000000012 x24: ffff800087e60140
x23: dfff800000000000 x22: ffff800089817c20 x21: ffff800089817c8e
x20: 000000000000006c x19: ffff00000c323900 x18: ffff800086ab1630
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000001
x14: 1ffff00011302eb8 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 64a26b65474d2a00
x8 : 64a26b65474d2a00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800089817438 x4 : ffff800086ac99e0 x3 : ffff800080f19e8c
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000002c
Call trace:
 fortify_panic+0x1c/0x20 lib/string_helpers.c:1030
 _Z16__fortify_strlenPKcU25pass_dynamic_object_size1 include/linux/fortify-string.h:217 [inline]
 unix_bind_bsd net/unix/af_unix.c:1212 [inline]
 unix_bind+0xba8/0xc58 net/unix/af_unix.c:1326
 __sys_bind+0x1ac/0x248 net/socket.c:1792
 __do_sys_bind net/socket.c:1803 [inline]
 __se_sys_bind net/socket.c:1801 [inline]
 __arm64_sys_bind+0x7c/0x94 net/socket.c:1801
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x134/0x240 arch/arm64/kernel/syscall.c:139
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:188
 el0_svc+0x2c/0x7c arch/arm64/kernel/entry-common.c:647
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: aa0003e1 d0000e80 91030000 97ffc91a (d4210000)

Fixes: df8fc4e934 ("kbuild: Enable -fstrict-flex-arrays=3")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Suggested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230724213425.22920-2-kuniyu@amazon.com
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-07-25 20:10:05 -07:00
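
Added here as a worked example, not kernel code: a userspace re-creation of the sun_path handling that the two unix_bind_bsd() commits above (06d4c8a808 and ecb4534b6a) settle on, so the 108-byte "trickiness" can be stepped through outside the kernel. It assumes Linux's struct layout (sun_path is 108 bytes at offset 2, sockaddr_un is 110 bytes, sockaddr_storage is 128); the function and helper names are this example's own.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Linux layout assumed: offsetof(sun_path) == 2, sizeof(sockaddr_un) == 110,
 * sizeof(sockaddr_storage) == 128. */
#define SUN_PATH_OFFSET ((int)offsetof(struct sockaddr_un, sun_path))
#define SUN_PATH_MAX    ((int)sizeof(((struct sockaddr_un *)0)->sun_path)) /* 108 */

/*
 * Hypothetical userspace mirror of the kernel's unix_mkname_bsd() logic after
 * the two fixes; not the kernel's own code.
 *
 * 'storage' holds the address the way the bind() syscall path holds it: the
 * user's bytes copied into a struct sockaddr_storage (128 bytes), so the byte
 * at index addr_len always exists even when the caller supplied all 108
 * sun_path bytes with no NUL terminator.
 *
 * Returns the normalised length offsetof(sun_path) + strlen(path) + 1, which
 * reaches 111 for a maximal path, or -1 when addr_len is out of range.
 */
int unix_mkname_bsd_user(struct sockaddr_storage *storage, int addr_len)
{
    char *buf = (char *)storage;

    /* Bounds check: this example insists on at least one path byte and never
     * more than a whole struct sockaddr_un (the kernel's range check). */
    if (addr_len < SUN_PATH_OFFSET + 1 || addr_len > (int)sizeof(struct sockaddr_un))
        return -1;

    /* Terminate explicitly at addr_len. Relying on the copy being
     * zero-initialised is what let the strlen() out-of-bounds read back in
     * whenever CONFIG_INIT_STACK_ALL_ZERO was not set. */
    buf[addr_len] = '\0';

    /* Measure from the 128-byte storage object, not from sun_path: sun_path
     * is a 108-byte array, so a fortified strlen() on it must refuse to look
     * at a 109th byte (the fortify_panic() in the splat). Bounding the scan
     * by the storage size keeps the read inside memory this code owns. */
    return (int)strnlen(buf + SUN_PATH_OFFSET, sizeof(*storage) - SUN_PATH_OFFSET)
           + SUN_PATH_OFFSET + 1;
}

/*
 * Build a pathname address the way a careless caller might: path_len copies
 * of 'c' and no terminator, with everything else poisoned with 0xff so no NUL
 * is found by accident. Returns the addr_len such a caller would pass.
 * (Constructed test input; not a real address.)
 */
int make_unix_addr(struct sockaddr_storage *storage, char c, int path_len)
{
    struct sockaddr_un *sun = (struct sockaddr_un *)storage;

    if (path_len < 0 || path_len > SUN_PATH_MAX)
        return -1;
    memset(storage, 0xff, sizeof(*storage));
    sun->sun_family = AF_UNIX;
    memset(sun->sun_path, c, (size_t)path_len);
    return SUN_PATH_OFFSET + path_len;
}

/* Normalised length for an unterminated path of path_len bytes, passed with
 * the given addr_len (or the natural offset + path_len when addr_len < 0). */
int normalised_len(int path_len, int addr_len)
{
    struct sockaddr_storage storage;
    int natural = make_unix_addr(&storage, 'a', path_len);

    if (natural < 0)
        return -1;
    return unix_mkname_bsd_user(&storage, addr_len < 0 ? natural : addr_len);
}

int main(void)
{
    int lens[] = { 5, 107, 108 };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("path of %3d unterminated bytes -> normalised addr_len %d\n",
               lens[i], normalised_len(lens[i], -1));

    /* addr_len shorter than the path truncates it at addr_len; out-of-range
     * lengths are rejected outright. */
    printf("108-byte path, addr_len 50  -> %d\n", normalised_len(108, 50));
    printf("108-byte path, addr_len 111 -> %d\n", normalised_len(108, 111));
    printf("108-byte path, addr_len 2   -> %d\n", normalised_len(108, 2));
    return 0;
}
```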
Alexander Mikhalitsyn
a9c49cc2f5 net: scm: introduce and use scm_recv_unix helper
Recently, our friends from the bluetooth subsystem reported [1] that after
commit 5e2ff6704a ("scm: add SO_PASSPIDFD and SCM_PIDFD") the scm_recv()
helper became unusable in kernel modules (because it uses the unexported
pidfd_prepare() API).

We were aware of this issue and worked around it in a hard way
by commit 97154bcf4d ("af_unix: Kconfig: make CONFIG_UNIX bool").

But recently new functionality was added in the scope of commit
817efd3cad74 ("Bluetooth: hci_sock: Forward credentials to monitor")
and after that bluetooth can't be compiled as a kernel module.

After some discussion in [1] we decided to split scm_recv() into
two helpers, one won't support SCM_PIDFD (used for unix sockets),
and another one will be completely the same as it was before commit
5e2ff6704a ("scm: add SO_PASSPIDFD and SCM_PIDFD").

Link: https://lore.kernel.org/lkml/CAJqdLrpFcga4n7wxBhsFqPQiN8PKFVr6U10fKcJ9W7AcZn+o6Q@mail.gmail.com/ [1]
Fixes: 5e2ff6704a ("scm: add SO_PASSPIDFD and SCM_PIDFD")
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230627174314.67688-3-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-27 10:50:22 -07:00
Kuniyuki Iwashima
9d797ee2dc Revert "af_unix: Call scm_recv() only after scm_set_cred()."
This reverts commit 3f5f118bb6.

Konrad reported that the desktop environment below cannot be reached after
commit 3f5f118bb6 ("af_unix: Call scm_recv() only after scm_set_cred().")

  - postmarketOS (Alpine Linux w/ musl 1.2.4)
  - busybox 1.36.1
  - GNOME 44.1
  - networkmanager 1.42.6
  - openrc 0.47

Regarding the warning of SO_PASSPIDFD, I'll post another patch to
suppress it by skipping SCM_PIDFD if scm->pid == NULL in scm_pidfd_recv().

Reported-by: Konrad Dybcio <konradybcio@kernel.org>
Link: https://lore.kernel.org/netdev/8c7f9abd-4f84-7296-2788-1e130d6304a0@kernel.org/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Tested-by: Gal Pressman <gal@nvidia.com>
Link: https://lore.kernel.org/r/20230626205837.82086-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-27 09:35:53 -07:00
David Howells
dc97391e66 sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES)
Remove ->sendpage() and ->sendpage_locked().  sendmsg() with
MSG_SPLICE_PAGES should be used instead.  This allows multiple pages and
multipage folios to be passed through.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> # for net/can
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: linux-afs@lists.infradead.org
cc: mptcp@lists.linux.dev
cc: rds-devel@oss.oracle.com
cc: tipc-discussion@lists.sourceforge.net
cc: virtualization@lists.linux-foundation.org
Link: https://lore.kernel.org/r/20230623225513.2732256-16-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-24 15:50:13 -07:00
Kuniyuki Iwashima
3f5f118bb6 af_unix: Call scm_recv() only after scm_set_cred().
syzkaller hit a WARN_ON_ONCE(!scm->pid) in scm_pidfd_recv().

In unix_stream_read_generic(), if there is no skb in the queue, we could
bail out of the do-while loop without calling scm_set_cred():

  1. No skb in the queue
  2. sk is non-blocking
       or
     shutdown(sk, RCV_SHUTDOWN) is called concurrently
       or
     peer calls close()

If the socket is configured with SO_PASSCRED or SO_PASSPIDFD, scm_recv()
would populate cmsg with garbage.

Let's not call scm_recv() unless there is an skb to receive.

WARNING: CPU: 1 PID: 3245 at include/net/scm.h:138 scm_pidfd_recv include/net/scm.h:138 [inline]
WARNING: CPU: 1 PID: 3245 at include/net/scm.h:138 scm_recv.constprop.0+0x754/0x850 include/net/scm.h:177
Modules linked in:
CPU: 1 PID: 3245 Comm: syz-executor.1 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:scm_pidfd_recv include/net/scm.h:138 [inline]
RIP: 0010:scm_recv.constprop.0+0x754/0x850 include/net/scm.h:177
Code: 67 fd e9 55 fd ff ff e8 4a 70 67 fd e9 7f fd ff ff e8 40 70 67 fd e9 3e fb ff ff e8 36 70 67 fd e9 02 fd ff ff e8 8c 3a 20 fd <0f> 0b e9 fe fb ff ff e8 50 70 67 fd e9 2e f9 ff ff e8 46 70 67 fd
RSP: 0018:ffffc90009af7660 EFLAGS: 00010216
RAX: 00000000000000a1 RBX: ffff888041e58a80 RCX: ffffc90003852000
RDX: 0000000000040000 RSI: ffffffff842675b4 RDI: 0000000000000007
RBP: ffffc90009af7810 R08: 0000000000000007 R09: 0000000000000013
R10: 00000000000000f8 R11: 0000000000000001 R12: ffffc90009af7db0
R13: 0000000000000000 R14: ffff888041e58a88 R15: 1ffff9200135eecc
FS:  00007f6b7113f640(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6b7111de38 CR3: 0000000012a6e002 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
 <TASK>
 unix_stream_read_generic+0x5fe/0x1f50 net/unix/af_unix.c:2830
 unix_stream_recvmsg+0x194/0x1c0 net/unix/af_unix.c:2880
 sock_recvmsg_nosec net/socket.c:1019 [inline]
 sock_recvmsg+0x188/0x1d0 net/socket.c:1040
 ____sys_recvmsg+0x210/0x610 net/socket.c:2712
 ___sys_recvmsg+0xff/0x190 net/socket.c:2754
 do_recvmmsg+0x25d/0x6c0 net/socket.c:2848
 __sys_recvmmsg net/socket.c:2927 [inline]
 __do_sys_recvmmsg net/socket.c:2950 [inline]
 __se_sys_recvmmsg net/socket.c:2943 [inline]
 __x64_sys_recvmmsg+0x224/0x290 net/socket.c:2943
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f6b71da2e5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007f6b7113ecc8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007f6b71da2e5d
RDX: 0000000000000007 RSI: 0000000020006600 RDI: 000000000000000b
RBP: 00000000004bc050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000120 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f6b71e03530 R15: 0000000000000000
 </TASK>

Fixes: 5e2ff6704a ("scm: add SO_PASSPIDFD and SCM_PIDFD")
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Alexander Mikhalitsyn <alexander@mihalicyn.com>
Link: https://lore.kernel.org/r/20230622184351.91544-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-24 15:15:01 -07:00
Alexander Mikhalitsyn
7b26952a91 net: core: add getsockopt SO_PEERPIDFD
Add SO_PEERPIDFD, which allows getting the pidfd of the peer socket holder.
This is a direct analog of SO_PEERCRED, which allows getting the plain PID.

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: David Ahern <dsahern@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: Lennart Poettering <mzxreary@0pointer.de>
Cc: Luca Boccassi <bluca@debian.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Stanislav Fomichev <sdf@google.com>
Cc: bpf@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-arch@vger.kernel.org
Reviewed-by: Christian Brauner <brauner@kernel.org>
Acked-by: Stanislav Fomichev <sdf@google.com>
Tested-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-06-12 10:45:50 +01:00
Alexander Mikhalitsyn
5e2ff6704a scm: add SO_PASSPIDFD and SCM_PIDFD
Implement SCM_PIDFD, a new CMSG type analogous to SCM_CREDENTIALS, but
it contains a pidfd instead of a plain PID, which allows programmers not
to care about the PID reuse problem.

We mask the SO_PASSPIDFD feature if CONFIG_UNIX is not built in because
it depends on the pidfd_prepare() API, which is not exported to kernel
modules.

The idea comes from the UAPI kernel group:
https://uapi-group.org/kernel-features/

Big thanks to Christian Brauner and Lennart Poettering for productive
discussions about this.

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: David Ahern <dsahern@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: Lennart Poettering <mzxreary@0pointer.de>
Cc: Luca Boccassi <bluca@debian.org>
Cc: linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-arch@vger.kernel.org
Tested-by: Luca Boccassi <bluca@debian.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-06-12 10:45:49 +01:00
Jakub Kicinski
d4031ec844 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Cross-merge networking fixes after downstream PR.

Conflicts:

net/ipv4/raw.c
  3632679d9e ("ipv{4,6}/raw: fix output xfrm lookup wrt protocol")
  c85be08fc4 ("raw: Stop using RTO_ONLINK.")
https://lore.kernel.org/all/20230525110037.2b532b83@canb.auug.org.au/

Adjacent changes:

drivers/net/ethernet/freescale/fec_main.c
  9025944fdd ("net: fec: add dma_wmb to ensure correct descriptor values")
  144470c88c ("net: fec: using the standard return codes when xdp xmit errors")

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-05-25 19:57:39 -07:00
David Howells
57d44a354a unix: Convert unix_stream_sendpage() to use MSG_SPLICE_PAGES
Convert unix_stream_sendpage() to use sendmsg() with MSG_SPLICE_PAGES
rather than directly splicing in the pages itself.

This allows ->sendpage() to be replaced by something that can handle
multiple multipage folios in a single transaction.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: Kuniyuki Iwashima <kuniyu@amazon.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-05-23 20:48:28 -07:00
David Howells
a0dbf5f818 af_unix: Support MSG_SPLICE_PAGES
Make AF_UNIX sendmsg() support MSG_SPLICE_PAGES, splicing in pages from the
source iterator if possible and copying the data in otherwise.

This allows ->sendpage() to be replaced by something that can handle
multiple multipage folios in a single transaction.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: Kuniyuki Iwashima <kuniyu@amazon.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-05-23 20:48:27 -07:00
David Howells
96449f9024 net: Pass max frags into skb_append_pagefrags()
Pass the maximum number of fragments into skb_append_pagefrags() rather
than using MAX_SKB_FRAGS so that it can be used from code that wants to
specify sysctl_max_skb_frags.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: David Ahern <dsahern@kernel.org>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-05-23 20:48:27 -07:00
John Fastabend
78fa0d61d9 bpf, sockmap: Pass skb ownership through read_skb
The read_skb hook calls consume_skb() now, but this means that if the
recv_actor program wants to use the skb it needs to inc the ref cnt
so that the consume_skb() doesn't kfree the sk_buff.

This is problematic because in some error cases under memory pressure
we may need to linearize the sk_buff from sk_psock_skb_ingress_enqueue().
Then we get this,

 skb_linearize()
   __pskb_pull_tail()
     pskb_expand_head()
       BUG_ON(skb_shared(skb))

Because we incremented the users refcnt from sk_psock_verdict_recv(), we
hit the BUG_ON with refcnt > 1 and trip it.

To fix this, let's simply pass ownership of the sk_buff through the read_skb
call. Then we can drop the consume from the read_skb handlers and assume
the verdict recv does any required kfree.

Bug found while testing in our CI which runs in VMs that hit memory
constraints rather regularly. William tested TCP read_skb handlers.

[  106.536188] ------------[ cut here ]------------
[  106.536197] kernel BUG at net/core/skbuff.c:1693!
[  106.536479] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[  106.536726] CPU: 3 PID: 1495 Comm: curl Not tainted 5.19.0-rc5 #1
[  106.537023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.16.0-1 04/01/2014
[  106.537467] RIP: 0010:pskb_expand_head+0x269/0x330
[  106.538585] RSP: 0018:ffffc90000138b68 EFLAGS: 00010202
[  106.538839] RAX: 000000000000003f RBX: ffff8881048940e8 RCX: 0000000000000a20
[  106.539186] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff8881048940e8
[  106.539529] RBP: ffffc90000138be8 R08: 00000000e161fd1a R09: 0000000000000000
[  106.539877] R10: 0000000000000018 R11: 0000000000000000 R12: ffff8881048940e8
[  106.540222] R13: 0000000000000003 R14: 0000000000000000 R15: ffff8881048940e8
[  106.540568] FS:  00007f277dde9f00(0000) GS:ffff88813bd80000(0000) knlGS:0000000000000000
[  106.540954] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  106.541227] CR2: 00007f277eeede64 CR3: 000000000ad3e000 CR4: 00000000000006e0
[  106.541569] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  106.541915] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  106.542255] Call Trace:
[  106.542383]  <IRQ>
[  106.542487]  __pskb_pull_tail+0x4b/0x3e0
[  106.542681]  skb_ensure_writable+0x85/0xa0
[  106.542882]  sk_skb_pull_data+0x18/0x20
[  106.543084]  bpf_prog_b517a65a242018b0_bpf_skskb_http_verdict+0x3a9/0x4aa9
[  106.543536]  ? migrate_disable+0x66/0x80
[  106.543871]  sk_psock_verdict_recv+0xe2/0x310
[  106.544258]  ? sk_psock_write_space+0x1f0/0x1f0
[  106.544561]  tcp_read_skb+0x7b/0x120
[  106.544740]  tcp_data_queue+0x904/0xee0
[  106.544931]  tcp_rcv_established+0x212/0x7c0
[  106.545142]  tcp_v4_do_rcv+0x174/0x2a0
[  106.545326]  tcp_v4_rcv+0xe70/0xf60
[  106.545500]  ip_protocol_deliver_rcu+0x48/0x290
[  106.545744]  ip_local_deliver_finish+0xa7/0x150

Fixes: 04919bed94 ("tcp: Introduce tcp_read_skb()")
Reported-by: William Findlay <will@isovalent.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: William Findlay <will@isovalent.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20230523025618.113937-2-john.fastabend@gmail.com
2023-05-23 16:09:47 +02:00
Kuniyuki Iwashima
e1d09c2c2f af_unix: Fix data races around sk->sk_shutdown.
KCSAN found a data race around sk->sk_shutdown where unix_release_sock()
and unix_shutdown() update it under unix_state_lock(), OTOH unix_poll()
and unix_dgram_poll() read it locklessly.

We need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE().

BUG: KCSAN: data-race in unix_poll / unix_release_sock

write to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0:
 unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631
 unix_release+0x59/0x80 net/unix/af_unix.c:1042
 __sock_release+0x7d/0x170 net/socket.c:653
 sock_close+0x19/0x30 net/socket.c:1397
 __fput+0x179/0x5e0 fs/file_table.c:321
 ____fput+0x15/0x20 fs/file_table.c:349
 task_work_run+0x116/0x1a0 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

read to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1:
 unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170
 sock_poll+0xcf/0x2b0 net/socket.c:1385
 vfs_poll include/linux/poll.h:88 [inline]
 ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855
 ep_send_events fs/eventpoll.c:1694 [inline]
 ep_poll fs/eventpoll.c:1823 [inline]
 do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258
 __do_sys_epoll_wait fs/eventpoll.c:2270 [inline]
 __se_sys_epoll_wait fs/eventpoll.c:2265 [inline]
 __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

value changed: 0x00 -> 0x03

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Fixes: 3c73419c09 ("af_unix: fix 'poll for write'/ connected DGRAM sockets")
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-05-10 19:06:53 -07:00
Kuniyuki Iwashima
679ed006d4 af_unix: Fix a data race of sk->sk_receive_queue->qlen.
KCSAN found a data race of sk->sk_receive_queue->qlen where recvmsg()
updates qlen under the queue lock and sendmsg() checks qlen under
unix_state_sock(), not the queue lock, so the reader side needs
READ_ONCE().

BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_wait_for_peer

write (marked) to 0xffff888019fe7c68 of 4 bytes by task 49792 on cpu 0:
 __skb_unlink include/linux/skbuff.h:2347 [inline]
 __skb_try_recv_from_queue+0x3de/0x470 net/core/datagram.c:197
 __skb_try_recv_datagram+0xf7/0x390 net/core/datagram.c:263
 __unix_dgram_recvmsg+0x109/0x8a0 net/unix/af_unix.c:2452
 unix_dgram_recvmsg+0x94/0xa0 net/unix/af_unix.c:2549
 sock_recvmsg_nosec net/socket.c:1019 [inline]
 ____sys_recvmsg+0x3a3/0x3b0 net/socket.c:2720
 ___sys_recvmsg+0xc8/0x150 net/socket.c:2764
 do_recvmmsg+0x182/0x560 net/socket.c:2858
 __sys_recvmmsg net/socket.c:2937 [inline]
 __do_sys_recvmmsg net/socket.c:2960 [inline]
 __se_sys_recvmmsg net/socket.c:2953 [inline]
 __x64_sys_recvmmsg+0x153/0x170 net/socket.c:2953
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

read to 0xffff888019fe7c68 of 4 bytes by task 49793 on cpu 1:
 skb_queue_len include/linux/skbuff.h:2127 [inline]
 unix_recvq_full net/unix/af_unix.c:229 [inline]
 unix_wait_for_peer+0x154/0x1a0 net/unix/af_unix.c:1445
 unix_dgram_sendmsg+0x13bc/0x14b0 net/unix/af_unix.c:2048
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg+0x148/0x160 net/socket.c:747
 ____sys_sendmsg+0x20e/0x620 net/socket.c:2503
 ___sys_sendmsg+0xc6/0x140 net/socket.c:2557
 __sys_sendmmsg+0x11d/0x370 net/socket.c:2643
 __do_sys_sendmmsg net/socket.c:2672 [inline]
 __se_sys_sendmmsg net/socket.c:2669 [inline]
 __x64_sys_sendmmsg+0x58/0x70 net/socket.c:2669
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

value changed: 0x0000000b -> 0x00000001

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 49793 Comm: syz-executor.0 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-05-10 19:06:53 -07:00