-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmOZpiwACgkQONu9yGCS
aT6whRAArWRCd5yEvuYtdCIPQh70Yz3vhHKkeqKU3AzAOYxYB+UbmRf8i6Cgv5S7
b0Mmla4vV1w+tRZcwdPHXoNrwxQ+r6b89mywResfp+FLAti/Ak1wMNR1l0FGQTeM
z2dIeuhNtVIatvpBw7E1KKGXpSRYfJuzbkT3npKRmWqv1hmcwcqkQ9uZSkFCf3dO
YETpGjOk6Z8/Ml4z6gEWy54+W3nLf3X8G0i1CfDwxkxcCf4fqIgNCaGaT26Q+Yv1
GDKtAzmF/FfxwwIdwxx+Y/Iq3+ccEf2WTRQEDWb8K62TBbNjR+q1+Y3IJCfrBj+H
6sVfnyQm9fTQd7gKLy3gipJxphS4sAZ+OcwY+gMfRQBBHSmccHOC9MhQFgd+wN39
vBnCG0g6x+9J/DESPOXwrTDnWuGW1Grv7avYlJo2L4WTUFsAuDrtGdCRJ+Bwd9PH
VVD6eSmXQdrFe9ttf8CQUERlWmNkAmFvT135Hf+qclNsvp7PbtCX2rjgo27NxVbo
mdOkLLNXBwMNcHjhWhN7MDzoEw7gUqvWWC6vdRgQicrLJphrcV82+C0QIW3A/Uft
tp/HEsHhGCX6mTXN0x9faz9WMXrfI+j6rUs0UoSVBfP+rwtCqweX5qgz5eUj2jjJ
v+edcnh/2t4dVwK2dbsniw8y19tI/VHfyfMJiGSY18LsLlMrHiw=
=QY26
-----END PGP SIGNATURE-----
Merge 5.10.159 into android12-5.10-lts
Changes in 5.10.159
arm64: dts: rockchip: keep I2S1 disabled for GPIO function on ROCK Pi 4 series
arm: dts: rockchip: fix node name for hym8563 rtc
ARM: dts: rockchip: fix ir-receiver node names
arm64: dts: rockchip: fix ir-receiver node names
ARM: dts: rockchip: rk3188: fix lcdc1-rgb24 node name
ARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernels
ARM: 9266/1: mm: fix no-MMU ZERO_PAGE() implementation
ASoC: wm8962: Wait for updated value of WM8962_CLOCKING1 register
ARM: dts: rockchip: disable arm_global_timer on rk3066 and rk3188
9p/fd: Use P9_HDRSZ for header size
regulator: slg51000: Wait after asserting CS pin
ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event
btrfs: send: avoid unaligned encoded writes when attempting to clone range
ASoC: soc-pcm: Add NULL check in BE reparenting
regulator: twl6030: fix get status of twl6032 regulators
fbcon: Use kzalloc() in fbcon_prepare_logo()
usb: dwc3: gadget: Disable GUSB2PHYCFG.SUSPHY for End Transfer
9p/xen: check logical size for buffer size
net: usb: qmi_wwan: add u-blox 0x1342 composition
mm/khugepaged: take the right locks for page table retraction
mm/khugepaged: fix GUP-fast interaction by sending IPI
mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
rtc: mc146818: Prevent reading garbage
rtc: mc146818: Detect and handle broken RTCs
rtc: mc146818: Dont test for bit 0-5 in Register D
rtc: cmos: remove stale REVISIT comments
rtc: mc146818-lib: change return values of mc146818_get_time()
rtc: Check return value from mc146818_get_time()
rtc: mc146818-lib: fix RTC presence check
rtc: mc146818-lib: extract mc146818_avoid_UIP
rtc: cmos: avoid UIP when writing alarm time
rtc: cmos: avoid UIP when reading alarm time
rtc: cmos: Replace spin_lock_irqsave with spin_lock in hard IRQ
rtc: mc146818: Reduce spinlock section in mc146818_set_time()
xen/netback: Ensure protocol headers don't fall in the non-linear area
xen/netback: do some code cleanup
xen/netback: don't call kfree_skb() with interrupts disabled
media: videobuf2-core: take mmap_lock in vb2_get_unmapped_area()
Revert "ARM: dts: imx7: Fix NAND controller size-cells"
media: v4l2-dv-timings.c: fix too strict blanking sanity checks
memcg: fix possible use-after-free in memcg_write_event_control()
mm/gup: fix gup_pud_range() for dax
Bluetooth: btusb: Add debug message for CSR controllers
Bluetooth: Fix crash when replugging CSR fake controllers
KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field
drm/vmwgfx: Don't use screen objects when SEV is active
drm/shmem-helper: Remove errant put in error path
drm/shmem-helper: Avoid vm_open error paths
HID: usbhid: Add ALWAYS_POLL quirk for some mice
HID: hid-lg4ff: Add check for empty lbuf
HID: core: fix shift-out-of-bounds in hid_report_raw_event
can: af_can: fix NULL pointer dereference in can_rcv_filter
mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page
rtc: cmos: Disable irq around direct invocation of cmos_interrupt()
rtc: mc146818-lib: fix locking in mc146818_set_time
rtc: mc146818-lib: fix signedness bug in mc146818_get_time()
netfilter: nft_set_pipapo: Actually validate intervals in fields after the first one
ieee802154: cc2520: Fix error return code in cc2520_hw_init()
ca8210: Fix crash by zero initializing data
netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark
drm/bridge: ti-sn65dsi86: Fix output polarity setting bug
gpio: amd8111: Fix PCI device reference count leak
e1000e: Fix TX dispatch condition
igb: Allocate MSI-X vector when testing
drm: bridge: dw_hdmi: fix preference of RGB modes over YUV420
af_unix: Get user_ns from in_skb in unix_diag_get_exact().
vmxnet3: correctly report encapsulated LRO packet
Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn()
Bluetooth: Fix not cleanup led when bt_init fails
net: dsa: ksz: Check return value
selftests: rtnetlink: correct xfrm policy rule in kci_test_ipsec_offload
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
net: encx24j600: Add parentheses to fix precedence
net: encx24j600: Fix invalid logic in reading of MISTAT register
xen-netfront: Fix NULL sring after live migration
net: mvneta: Prevent out of bounds read in mvneta_config_rss()
i40e: Fix not setting default xps_cpus after reset
i40e: Fix for VF MAC address 0
i40e: Disallow ip4 and ip6 l4_4_bytes
NFC: nci: Bounds check struct nfc_target arrays
nvme initialize core quirks before calling nvme_init_subsystem
net: stmmac: fix "snps,axi-config" node property parsing
ip_gre: do not report erspan version on GRE interface
net: thunderx: Fix missing destroy_workqueue of nicvf_rx_mode_wq
net: hisilicon: Fix potential use-after-free in hisi_femac_rx()
net: hisilicon: Fix potential use-after-free in hix5hd2_rx()
tipc: Fix potential OOB in tipc_link_proto_rcv()
ipv4: Fix incorrect route flushing when source address is deleted
ipv4: Fix incorrect route flushing when table ID 0 is used
net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()
tipc: call tipc_lxc_xmit without holding node_read_lock
ethernet: aeroflex: fix potential skb leak in greth_init_rings()
xen/netback: fix build warning
net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()
ipv6: avoid use-after-free in ip6_fragment()
net: mvneta: Fix an out of bounds check
macsec: add missing attribute validation for offload
can: esd_usb: Allow REC and TEC to return to zero
Linux 5.10.159
Change-Id: I3ec26473c358ffda0ea8a8dd91ee265f58739029
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 88956177db179e4eba7cd590971961857d1565b8 ]
When sending packets between nodes in netns, it calls tipc_lxc_xmit() for
peer node to receive the packets where tipc_sk_mcast_rcv()/tipc_sk_rcv()
might be called, and it's pretty much like in tipc_rcv().
Currently the local 'node rw lock' is held during calling tipc_lxc_xmit()
to protect the peer_net not being freed by another thread. However, when
receiving these packets, tipc_node_add_conn() might be called where the
peer 'node rw lock' is acquired. Then a dead lock warning is triggered by
lockdep detector, although it is not a real dead lock:
WARNING: possible recursive locking detected
--------------------------------------------
conn_server/1086 is trying to acquire lock:
ffff8880065cb020 (&n->lock#2){++--}-{2:2}, \
at: tipc_node_add_conn.cold.76+0xaa/0x211 [tipc]
but task is already holding lock:
ffff8880065cd020 (&n->lock#2){++--}-{2:2}, \
at: tipc_node_xmit+0x285/0xb30 [tipc]
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&n->lock#2);
lock(&n->lock#2);
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by conn_server/1086:
#0: ffff8880036d1e40 (sk_lock-AF_TIPC){+.+.}-{0:0}, \
at: tipc_accept+0x9c0/0x10b0 [tipc]
#1: ffff8880036d5f80 (sk_lock-AF_TIPC/1){+.+.}-{0:0}, \
at: tipc_accept+0x363/0x10b0 [tipc]
#2: ffff8880065cd020 (&n->lock#2){++--}-{2:2}, \
at: tipc_node_xmit+0x285/0xb30 [tipc]
#3: ffff888012e13370 (slock-AF_TIPC){+...}-{2:2}, \
at: tipc_sk_rcv+0x2da/0x1b40 [tipc]
Call Trace:
<TASK>
dump_stack_lvl+0x44/0x5b
__lock_acquire.cold.77+0x1f2/0x3d7
lock_acquire+0x1d2/0x610
_raw_write_lock_bh+0x38/0x80
tipc_node_add_conn.cold.76+0xaa/0x211 [tipc]
tipc_sk_finish_conn+0x21e/0x640 [tipc]
tipc_sk_filter_rcv+0x147b/0x3030 [tipc]
tipc_sk_rcv+0xbb4/0x1b40 [tipc]
tipc_lxc_xmit+0x225/0x26b [tipc]
tipc_node_xmit.cold.82+0x4a/0x102 [tipc]
__tipc_sendstream+0x879/0xff0 [tipc]
tipc_accept+0x966/0x10b0 [tipc]
do_accept+0x37d/0x590
This patch avoids this warning by not holding the 'node rw lock' before
calling tipc_lxc_xmit(). As to protect the 'peer_net', rcu_read_lock()
should be enough, as in cleanup_net() when freeing the netns, it calls
synchronize_rcu() before the free is continued.
Also since tipc_lxc_xmit() is like the RX path in tipc_rcv(), it makes
sense to call it under rcu_read_lock(). Note that the right lock order
must be:
rcu_read_lock();
tipc_node_read_lock(n);
tipc_node_read_unlock(n);
tipc_lxc_xmit();
rcu_read_unlock();
instead of:
tipc_node_read_lock(n);
rcu_read_lock();
tipc_node_read_unlock(n);
tipc_lxc_xmit();
rcu_read_unlock();
and we have to call tipc_node_read_lock/unlock() twice in
tipc_node_xmit().
Fixes: f73b12812a ("tipc: improve throughput between nodes in netns")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/5bdd1f8fee9db695cfff4528a48c9b9d0523fb00.1670110641.git.lucien.xin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmORvAIACgkQONu9yGCS
aT6OMhAAkxn/BD0mYER+XMJK+z5KIgusOh2TbHJGIkHUmj1u6Fse8VfR1xAjTk5q
y3J0uX5Bung1FIsA8iVF7no1D4ungqsyXUt6cclO8X3dVQAV8ikNDRTu2FFLiywY
4QxJ/h1Nhl+6lb1lqHT+iSEuMAjlUr6DtAq4hb9Xxgbn9hOghTMzg4dZYjXI3cr4
Bxk/tunrp8Rc5ad/I9Gwba0ar23cFDLYNxT6VKn+FBJ2jcj/74ULjwPvT3SyAm2U
hONKAQQZNtGPmGsUXkjdjhz7VaceNlLp0bA92AqCvNEmbnJzjb21qAklfdNAvEGH
yP4GOdxDvmwzPxkxpZfa0I3OYpfxAwT2bG6mVSl7+Ok8LNIiKvvD+TlL0p+nqoe1
LogxV309xqpN+D3EgUnX03lLkJDfWfrZyhEIPgEuRdW7OjixqYOs0hWLmkF0QCi6
vLYRSPnsoxragShq8HrdC/QlLmLCckMy8i7bcCiwpSwcsL/1vVUnb05O6iaFoIc4
56nTifRT5p3nJlnjQhCyPVbxmF8CRlhsRwbOsA+0pklkTQx5qHaYMFLuXsd7nSFG
+le0Kuc+xTMdP/ABgs2s3UdZFh3Zevovt4gaOnYjC6EDbmoeG6DNTTzIbNEwa1vw
D6+Zrw3HePytwJcUNRHthXuTUN2V68YvsXu7zVhKU8mlyj+UXpE=
=Zr7b
-----END PGP SIGNATURE-----
Merge 5.10.158 into android12-5.10-lts
Changes in 5.10.158
btrfs: sink iterator parameter to btrfs_ioctl_logical_to_ino
btrfs: free btrfs_path before copying inodes to userspace
spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input clock
btrfs: move QUOTA_ENABLED check to rescan_should_stop from btrfs_qgroup_rescan_worker
drm/display/dp_mst: Fix drm_dp_mst_add_affected_dsc_crtcs() return code
drm/amdgpu: update drm_display_info correctly when the edid is read
drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info correctly when the edid is read"
btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
iio: health: afe4403: Fix oob read in afe4403_read_raw
iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw
iio: light: rpr0521: add missing Kconfig dependencies
bpf, perf: Use subprog name when reporting subprog ksymbol
scripts/faddr2line: Fix regression in name resolution on ppc64le
ARM: at91: rm9200: fix usb device clock id
libbpf: Handle size overflow for ringbuf mmap
hwmon: (ltc2947) fix temperature scaling
hwmon: (ina3221) Fix shunt sum critical calculation
hwmon: (i5500_temp) fix missing pci_disable_device()
hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
bpf: Do not copy spin lock field from user in bpf_selem_alloc
of: property: decrement node refcount in of_fwnode_get_reference_args()
ixgbevf: Fix resource leak in ixgbevf_init_module()
i40e: Fix error handling in i40e_init_module()
fm10k: Fix error handling in fm10k_init_module()
iavf: remove redundant ret variable
iavf: Fix error handling in iavf_init_module()
e100: switch from 'pci_' to 'dma_' API
e100: Fix possible use after free in e100_xmit_prepare
net/mlx5: Fix uninitialized variable bug in outlen_write()
net/mlx5e: Fix use-after-free when reverting termination table
can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev()
can: cc770: cc770_isa_probe(): add missing free_cc770dev()
qlcnic: fix sleep-in-atomic-context bugs caused by msleep
aquantia: Do not purge addresses when setting the number of rings
wifi: cfg80211: fix buffer overflow in elem comparison
wifi: cfg80211: don't allow multi-BSSID in S1G
wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration
net: phy: fix null-ptr-deref while probe() failed
net: net_netdev: Fix error handling in ntb_netdev_init_module()
net/9p: Fix a potential socket leak in p9_socket_open
net: ethernet: nixge: fix NULL dereference
dsa: lan9303: Correct stat name
tipc: re-fetch skb cb after tipc_msg_validate
net: hsr: Fix potential use-after-free
afs: Fix fileserver probe RTT handling
net: tun: Fix use-after-free in tun_detach()
packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE
sctp: fix memory leak in sctp_stream_outq_migrate()
net: ethernet: renesas: ravb: Fix promiscuous mode after system resumed
hwmon: (coretemp) Check for null before removing sysfs attrs
hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()
net/mlx5: DR, Fix uninitialized var warning
riscv: vdso: fix section overlapping under some conditions
error-injection: Add prompt for function error injection
tools/vm/slabinfo-gnuplot: use "grep -E" instead of "egrep"
nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()
x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3
pinctrl: intel: Save and restore pins in "direct IRQ" mode
net: stmmac: Set MAC's flow control register to reflect current settings
mmc: mmc_test: Fix removal of debugfs file
mmc: core: Fix ambiguous TRIM and DISCARD arg
mmc: sdhci-esdhc-imx: correct CQHCI exit halt state check
mmc: sdhci-sprd: Fix no reset data and command after voltage switch
mmc: sdhci: Fix voltage switch delay
drm/amdgpu: temporarily disable broken Clang builds due to blown stack-frame
drm/i915: Never return 0 if not all requests retired
tracing: Free buffers when a used dynamic event is removed
io_uring: don't hold uring_lock when calling io_run_task_work*
ASoC: ops: Fix bounds check for _sx controls
pinctrl: single: Fix potential division by zero
iommu/vt-d: Fix PCI device refcount leak in has_external_pci()
iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()
parisc: Increase size of gcc stack frame check
xtensa: increase size of gcc stack frame check
parisc: Increase FRAME_WARN to 2048 bytes on parisc
Kconfig.debug: provide a little extra FRAME_WARN leeway when KASAN is enabled
selftests: net: add delete nexthop route warning test
selftests: net: fix nexthop warning cleanup double ip typo
ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference
ipv4: Fix route deletion when nexthop info is not specified
Revert "tty: n_gsm: avoid call of sleeping functions from atomic context"
x86/tsx: Add a feature bit for TSX control MSR support
x86/pm: Add enumeration check before spec MSRs save/restore setup
i2c: npcm7xx: Fix error handling in npcm_i2c_init()
i2c: imx: Only DMA messages with I2C_M_DMA_SAFE flag set
ACPI: HMAT: remove unnecessary variable initialization
ACPI: HMAT: Fix initiator registration for single-initiator systems
Revert "clocksource/drivers/riscv: Events are stopped during CPU suspend"
char: tpm: Protect tpm_pm_suspend with locks
Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send()
block: unhash blkdev part inode when the part is deleted
proc: avoid integer type confusion in get_proc_long
proc: proc_skip_spaces() shouldn't think it is working on C strings
v4l2: don't fall back to follow_pfn() if pin_user_pages_fast() fails
ipc/sem: Fix dangling sem_array access in semtimedop race
Linux 5.10.158
Change-Id: I8db196fa535e260ed31965b52ed53ef0b6bd526b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 3067bc61fcfe3081bf4807ce65560f499e895e77 ]
As the call trace shows, the original skb was freed in tipc_msg_validate(),
and dereferencing the old skb cb would cause an use-after-free crash.
BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
Call Trace:
<IRQ>
tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
tipc_rcv+0x744/0x1150 [tipc]
...
Allocated by task 47078:
kmem_cache_alloc_node+0x158/0x4d0
__alloc_skb+0x1c1/0x270
tipc_buf_acquire+0x1e/0xe0 [tipc]
tipc_msg_create+0x33/0x1c0 [tipc]
tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
tipc_link_timeout+0x8b8/0xef0 [tipc]
tipc_node_timeout+0x2a1/0x960 [tipc]
call_timer_fn+0x2d/0x1c0
...
Freed by task 47078:
tipc_msg_validate+0x7b/0x440 [tipc]
tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
tipc_rcv+0x744/0x1150 [tipc]
This patch fixes it by re-fetching the skb cb from the new allocated skb
after calling tipc_msg_validate().
Fixes: fc1b6d6de2 ("tipc: introduce TIPC encryption & authentication")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/1b1cdba762915325bd8ef9a98d0276eb673df2a5.1669398403.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmOKKmsACgkQONu9yGCS
aT73ixAAwyEk1kuY9T0i4JfjPViD9Kg+v64lGLnM88CuGjkxcT4kv2Lg/hURDD+K
pObBEaOWduKVxqH/4GqpeEpqrw3bxxQJUchw1F5C2ZsLjB5mA4u9U0dqExTPIeY2
GSLdkBY/3yWBgDlpWsEHRjhzqx16ZuvHyvMGegHLG5+hNbfmfiFBhVpn8knTFaqv
fXRyC9MAt072thjjuPG6QcWpWAFFTG0PWsEkNWGLw0U07FF+V7O9sWLontHi93sn
seIEUPbjgGEFND2NqLfiLOLZ9m2fBB3P32L66b9rrZNZ2DPmyrNCD0WSLhlzb1OV
8yXiVEkDUozkI6W8fzVtUUjH3gYvB9e37zCYPO6WnAl5cwGhCJz1cpQfN7g7hk9H
iKpetcKf7XFBRmUq2Ftnaq7KPc81dVrQ5mYfrtsT9IYDnWMdF7AcOctN+dKkCS15
QoiJklSeE28b4PZtdt7Uv7OF2qW6w+tMKSD3PJyiBHB46rcQjuuOy7ifa8VqaXHI
ZO+mWUjMMUdo3q0lXoy2i5PMNrul41QMsdnrGaZxXU+LfaCVIubpHghSBHFhnFTY
3r2Fko3ZOsuAOQXX5iCTCstCEev5LH0v74bou355Y0uteueCqpnc/GSEZ8KhP+M0
kqpcyf3e6KAL7TA7eqQdptpFyDW732IgcbU4bQKUMd038Hb5I4o=
=1JWA
-----END PGP SIGNATURE-----
Merge 5.10.157 into android12-5.10-lts
Changes in 5.10.157
scsi: scsi_transport_sas: Fix error handling in sas_phy_add()
ata: libata-scsi: simplify __ata_scsi_queuecmd()
ata: libata-core: do not issue non-internal commands once EH is pending
bridge: switchdev: Notify about VLAN protocol changes
bridge: switchdev: Fix memory leaks when changing VLAN protocol
drm/display: Don't assume dual mode adaptors support i2c sub-addressing
nvme: add a bogus subsystem NQN quirk for Micron MTFDKBA2T0TFH
nvme-pci: add NVME_QUIRK_BOGUS_NID for Micron Nitro
iio: ms5611: Simplify IO callback parameters
iio: pressure: ms5611: fixed value compensation bug
ceph: do not update snapshot context when there is no new snapshot
ceph: avoid putting the realm twice when decoding snaps fails
wifi: mac80211: fix memory free error when registering wiphy fail
wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support
riscv: dts: sifive unleashed: Add PWM controlled LEDs
audit: fix undefined behavior in bit shift for AUDIT_BIT
wifi: airo: do not assign -1 to unsigned char
wifi: mac80211: Fix ack frame idr leak when mesh has no route
spi: stm32: fix stm32_spi_prepare_mbr() that halves spi clk for every run
selftests/bpf: Add verifier test for release_reference()
Revert "net: macsec: report real_dev features when HW offloading is enabled"
platform/x86: touchscreen_dmi: Add info for the RCA Cambio W101 v2 2-in-1
scsi: ibmvfc: Avoid path failures during live migration
scsi: scsi_debug: Make the READ CAPACITY response compliant with ZBC
drm: panel-orientation-quirks: Add quirk for Acer Switch V 10 (SW5-017)
block, bfq: fix null pointer dereference in bfq_bio_bfqg()
arm64/syscall: Include asm/ptrace.h in syscall_wrapper header.
RISC-V: vdso: Do not add missing symbols to version section in linker script
MIPS: pic32: treat port as signed integer
xfrm: fix "disable_policy" on ipv4 early demux
xfrm: replay: Fix ESN wrap around for GSO
af_key: Fix send_acquire race with pfkey_register
ARM: dts: am335x-pcm-953: Define fixed regulators in root node
ASoC: hdac_hda: fix hda pcm buffer overflow issue
ASoC: sgtl5000: Reset the CHIP_CLK_CTRL reg on remove
ASoC: soc-pcm: Don't zero TDM masks in __soc_pcm_open()
scsi: storvsc: Fix handling of srb_status and capacity change events
regulator: core: fix kobject release warning and memory leak in regulator_register()
spi: dw-dma: decrease reference count in dw_spi_dma_init_mfld()
regulator: core: fix UAF in destroy_regulator()
bus: sunxi-rsb: Support atomic transfers
tee: optee: fix possible memory leak in optee_register_device()
ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl
net: liquidio: simplify if expression
rxrpc: Allow list of in-use local UDP endpoints to be viewed in /proc
rxrpc: Use refcount_t rather than atomic_t
rxrpc: Fix race between conn bundle lookup and bundle removal [ZDI-CAN-15975]
nfc/nci: fix race with opening and closing
net: pch_gbe: fix potential memleak in pch_gbe_tx_queue()
9p/fd: fix issue of list_del corruption in p9_fd_cancel()
netfilter: conntrack: Fix data-races around ct mark
ARM: mxs: fix memory leak in mxs_machine_init()
ARM: dts: imx6q-prti6q: Fix ref/tcxo-clock-frequency properties
net: ethernet: mtk_eth_soc: fix error handling in mtk_open()
net/mlx4: Check retval of mlx4_bitmap_init
net/qla3xxx: fix potential memleak in ql3xxx_send()
net: pch_gbe: fix pci device refcount leak while module exiting
nfp: fill splittable of devlink_port_attrs correctly
nfp: add port from netdev validation for EEPROM access
macsec: Fix invalid error code set
Drivers: hv: vmbus: fix double free in the error path of vmbus_add_channel_work()
Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register()
netfilter: ipset: Limit the maximal range of consecutive elements to add/delete
netfilter: ipset: regression in ip_set_hash_ip.c
net/mlx5: Fix FW tracer timestamp calculation
net/mlx5: Fix handling of entry refcount when command is not issued to FW
tipc: set con sock in tipc_conn_alloc
tipc: add an extra conn_get in tipc_conn_alloc
tipc: check skb_linearize() return value in tipc_disc_rcv()
xfrm: Fix ignored return value in xfrm6_init()
sfc: fix potential memleak in __ef100_hard_start_xmit()
net: sched: allow act_ct to be built without NF_NAT
NFC: nci: fix memory leak in nci_rx_data_packet()
regulator: twl6030: re-add TWL6032_SUBCLASS
bnx2x: fix pci device refcount leak in bnx2x_vf_is_pcie_pending()
dma-buf: fix racing conflict of dma_heap_add()
netfilter: flowtable_offload: add missing locking
dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
ipv4: Fix error return code in fib_table_insert()
s390/dasd: fix no record found for raw_track_access
net: arcnet: Fix RESET flag handling
arcnet: fix potential memory leak in com20020_probe()
nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION
nfc: st-nci: fix memory leaks in EVT_TRANSACTION
net: thunderx: Fix the ACPI memory leak
s390/crashdump: fix TOD programmable field size
net: enetc: manage ENETC_F_QBV in priv->active_offloads only when enabled
net: enetc: cache accesses to &priv->si->hw
net: enetc: preserve TX ring priority across reconfiguration
lib/vdso: use "grep -E" instead of "egrep"
usb: dwc3: exynos: Fix remove() function
ext4: fix use-after-free in ext4_ext_shift_extents
arm64: dts: rockchip: lower rk3399-puma-haikou SD controller clock frequency
iio: light: apds9960: fix wrong register for gesture gain
iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails
init/Kconfig: fix CC_HAS_ASM_GOTO_TIED_OUTPUT test with dash
nios2: add FORCE for vmlinuz.gz
mmc: sdhci-brcmstb: Re-organize flags
mmc: sdhci-brcmstb: Enable Clock Gating to save power
mmc: sdhci-brcmstb: Fix SDHCI_RESET_ALL for CQHCI
usb: cdns3: Add support for DRD CDNSP
ceph: make ceph_create_session_msg a global symbol
ceph: make iterate_sessions a global symbol
ceph: flush mdlog before umounting
ceph: flush the mdlog before waiting on unsafe reqs
ceph: fix off by one bugs in unsafe_request_wait()
ceph: put the requests/sessions when it fails to alloc memory
ceph: fix possible NULL pointer dereference for req->r_session
ceph: Use kcalloc for allocating multiple elements
ceph: fix NULL pointer dereference for req->r_session
usb: dwc3: gadget: conditionally remove requests
usb: dwc3: gadget: Return -ESHUTDOWN on ep disable
usb: dwc3: gadget: Clear ep descriptor last
nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty
gcov: clang: fix the buffer overflow issue
mm: vmscan: fix extreme overreclaim and swap floods
KVM: x86: nSVM: leave nested mode on vCPU free
KVM: x86: remove exit_int_info warning in svm_handle_exit
x86/ioremap: Fix page aligned size calculation in __ioremap_caller()
binder: avoid potential data leakage when copying txn
binder: read pre-translated fds from sender buffer
binder: defer copies of pre-patched txn data
binder: fix pointer cast warning
binder: Address corner cases in deferred copy and fixup
binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0
Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode
ASoC: Intel: bytcht_es8316: Add quirk for the Nanote UMPC-01
serial: 8250: 8250_omap: Avoid RS485 RTS glitch on ->set_termios()
Input: goodix - try resetting the controller when no config is set
Input: soc_button_array - add use_low_level_irq module parameter
Input: soc_button_array - add Acer Switch V 10 to dmi_use_low_level_irq[]
xen-pciback: Allow setting PCI_MSIX_FLAGS_MASKALL too
xen/platform-pci: add missing free_irq() in error path
platform/x86: asus-wmi: add missing pci_dev_put() in asus_wmi_set_xusb2pr()
platform/x86: acer-wmi: Enable SW_TABLET_MODE on Switch V 10 (SW5-017)
zonefs: fix zone report size in __zonefs_io_error()
platform/x86: hp-wmi: Ignore Smart Experience App event
tcp: configurable source port perturb table size
net: usb: qmi_wwan: add Telit 0x103a composition
gpu: host1x: Avoid trying to use GART on Tegra20
dm integrity: flush the journal on suspend
dm integrity: clear the journal on suspend
wifi: wilc1000: validate pairwise and authentication suite offsets
wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute
wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute
wifi: wilc1000: validate number of channels
genirq/msi: Shutdown managed interrupts with unsatifiable affinities
genirq: Always limit the affinity to online CPUs
irqchip/gic-v3: Always trust the managed affinity provided by the core code
genirq: Take the proposed affinity at face value if force==true
btrfs: free btrfs_path before copying root refs to userspace
btrfs: free btrfs_path before copying fspath to userspace
btrfs: free btrfs_path before copying subvol info to userspace
btrfs: sysfs: normalize the error handling branch in btrfs_init_sysfs()
drm/amd/dc/dce120: Fix audio register mapping, stop triggering KASAN
drm/amdgpu: always register an MMU notifier for userptr
drm/i915: fix TLB invalidation for Gen12 video and compute engines
fuse: lock inode unconditionally in fuse_fallocate()
Linux 5.10.157
Change-Id: Ie53a7379c392879de240237eb8258857b59564a6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit cd0f6421162201e4b22ce757a1966729323185eb ]
If skb_linearize() fails in tipc_disc_rcv(), we need to free the skb instead of
handle it.
Fixes: 25b0b9c4e8 ("tipc: handle collisions of 32-bit node address hash values")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Link: https://lore.kernel.org/r/20221119072832.7896-1-yuehaibing@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit a7b42969d63f47320853a802efd879fbdc4e010e ]
One extra conn_get() is needed in tipc_conn_alloc(), as after
tipc_conn_alloc() is called, tipc_conn_close() may free this
con before deferencing it in tipc_topsrv_accept():
tipc_conn_alloc();
newsk = newsock->sk;
<---- tipc_conn_close();
write_lock_bh(&sk->sk_callback_lock);
newsk->sk_data_ready = tipc_conn_data_ready;
Then an uaf issue can be triggered:
BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc]
Call Trace:
<TASK>
dump_stack_lvl+0x33/0x46
print_report+0x178/0x4b0
kasan_report+0x8c/0x100
kasan_check_range+0x179/0x1e0
tipc_topsrv_accept+0x1e7/0x370 [tipc]
process_one_work+0x6a3/0x1030
worker_thread+0x8a/0xdf0
This patch fixes it by holding it in tipc_conn_alloc(), then after
all accessing in tipc_topsrv_accept() releasing it. Note when does
this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub() returns
0 or -1 only, we don't need to check for "> 0".
Fixes: c5fa7b3cf3 ("tipc: introduce new TIPC server infrastructure")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4 ]
A crash was reported by Wei Chen:
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:tipc_conn_close+0x12/0x100
Call Trace:
tipc_topsrv_exit_net+0x139/0x320
ops_exit_list.isra.9+0x49/0x80
cleanup_net+0x31a/0x540
process_one_work+0x3fa/0x9f0
worker_thread+0x42/0x5c0
It was caused by !con->sock in tipc_conn_close(). In tipc_topsrv_accept(),
con is allocated in conn_idr then its sock is set:
con = tipc_conn_alloc();
... <----[1]
con->sock = newsock;
If tipc_conn_close() is called in anytime of [1], the null-pointer-def
is triggered by con->sock->sk due to con->sock is not yet set.
This patch fixes it by moving the con->sock setting to tipc_conn_alloc()
under s->idr_lock. So that con->sock can never be NULL when getting the
con from s->conn_idr. It will be also safer to move con->server and flag
CF_CONNECTED setting under s->idr_lock, as they should all be set before
tipc_conn_alloc() is called.
Fixes: c5fa7b3cf3 ("tipc: introduce new TIPC server infrastructure")
Reported-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Changes in 5.10.155
fuse: fix readdir cache race
hwspinlock: qcom: correct MMIO max register for newer SoCs
phy: stm32: fix an error code in probe
wifi: cfg80211: silence a sparse RCU warning
wifi: cfg80211: fix memory leak in query_regdb_file()
bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues
bpftool: Fix NULL pointer dereference when pin {PROG, MAP, LINK} without FILE
HID: hyperv: fix possible memory leak in mousevsc_probe()
bpf: Support for pointers beyond pkt_end.
bpf: Add helper macro bpf_for_each_reg_in_vstate
bpf: Fix wrong reg type conversion in release_reference()
net: gso: fix panic on frag_list with mixed head alloc types
macsec: delete new rxsc when offload fails
macsec: fix secy->n_rx_sc accounting
macsec: fix detection of RXSCs when toggling offloading
macsec: clear encryption keys from the stack after setting up offload
net: tun: Fix memory leaks of napi_get_frags
bnxt_en: Fix possible crash in bnxt_hwrm_set_coal()
bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer
net: fman: Unregister ethernet device on removal
capabilities: fix undefined behavior in bit shift for CAP_TO_MASK
KVM: s390x: fix SCK locking
KVM: s390: pv: don't allow userspace to set the clock under PV
net: lapbether: fix issue of dev reference count leakage in lapbeth_device_event()
hamradio: fix issue of dev reference count leakage in bpq_device_event()
drm/vc4: Fix missing platform_unregister_drivers() call in vc4_drm_register()
tcp: prohibit TCP_REPAIR_OPTIONS if data was already sent
ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network
can: af_can: fix NULL pointer dereference in can_rx_register()
net: stmmac: dwmac-meson8b: fix meson8b_devm_clk_prepare_enable()
net: broadcom: Fix BCMGENET Kconfig
tipc: fix the msg->req tlv len check in tipc_nl_compat_name_table_dump_header
dmaengine: pxa_dma: use platform_get_irq_optional
dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove()
drivers: net: xgene: disable napi when register irq failed in xgene_enet_open()
perf stat: Fix printing os->prefix in CSV metrics output
net: marvell: prestera: fix memory leak in prestera_rxtx_switch_init()
net: nixge: disable napi when enable interrupts failed in nixge_open()
net/mlx5: Allow async trigger completion execution on single CPU systems
net/mlx5e: E-Switch, Fix comparing termination table instance
net: cpsw: disable napi in cpsw_ndo_open()
net: cxgb3_main: disable napi when bind qsets failed in cxgb_up()
cxgb4vf: shut down the adapter when t4vf_update_port_info() failed in cxgb4vf_open()
net: phy: mscc: macsec: clear encryption keys when freeing a flow
net: atlantic: macsec: clear encryption keys from the stack
ethernet: s2io: disable napi when start nic failed in s2io_card_up()
net: mv643xx_eth: disable napi when init rxq or txq failed in mv643xx_eth_open()
ethernet: tundra: free irq when alloc ring failed in tsi108_open()
net: macvlan: fix memory leaks of macvlan_common_newlink
riscv: process: fix kernel info leakage
riscv: vdso: fix build with llvm
riscv: Enable CMA support
riscv: Separate memory init from paging init
riscv: fix reserved memory setup
arm64: efi: Fix handling of misaligned runtime regions and drop warning
MIPS: jump_label: Fix compat branch range check
mmc: cqhci: Provide helper for resetting both SDHCI and CQHCI
mmc: sdhci-of-arasan: Fix SDHCI_RESET_ALL for CQHCI
mmc: sdhci_am654: Fix SDHCI_RESET_ALL for CQHCI
mmc: sdhci-tegra: Fix SDHCI_RESET_ALL for CQHCI
ALSA: hda/hdmi - enable runtime pm for more AMD display audio
ALSA: hda/ca0132: add quirk for EVGA Z390 DARK
ALSA: hda: fix potential memleak in 'add_widget_node'
ALSA: hda/realtek: Add Positivo C6300 model quirk
ALSA: usb-audio: Add quirk entry for M-Audio Micro
ALSA: usb-audio: Add DSD support for Accuphase DAC-60
vmlinux.lds.h: Fix placement of '.data..decrypted' section
ata: libata-scsi: fix SYNCHRONIZE CACHE (16) command failure
nilfs2: fix deadlock in nilfs_count_free_blocks()
nilfs2: fix use-after-free bug of ns_writer on remount
drm/i915/dmabuf: fix sg_table handling in map_dma_buf
platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi
btrfs: selftests: fix wrong error check in btrfs_free_dummy_root()
mms: sdhci-esdhc-imx: Fix SDHCI_RESET_ALL for CQHCI
udf: Fix a slab-out-of-bounds write bug in udf_find_entry()
mm/memremap.c: map FS_DAX device memory as decrypted
can: j1939: j1939_send_one(): fix missing CAN header initialization
cert host tools: Stop complaining about deprecated OpenSSL functions
dmaengine: at_hdmac: Fix at_lli struct definition
dmaengine: at_hdmac: Don't start transactions at tx_submit level
dmaengine: at_hdmac: Start transfer for cyclic channels in issue_pending
dmaengine: at_hdmac: Fix premature completion of desc in issue_pending
dmaengine: at_hdmac: Do not call the complete callback on device_terminate_all
dmaengine: at_hdmac: Protect atchan->status with the channel lock
dmaengine: at_hdmac: Fix concurrency problems by removing atc_complete_all()
dmaengine: at_hdmac: Fix concurrency over descriptor
dmaengine: at_hdmac: Free the memset buf without holding the chan lock
dmaengine: at_hdmac: Fix concurrency over the active list
dmaengine: at_hdmac: Fix descriptor handling when issuing it to hardware
dmaengine: at_hdmac: Fix completion of unissued descriptor in case of errors
dmaengine: at_hdmac: Don't allow CPU to reorder channel enable
dmaengine: at_hdmac: Fix impossible condition
dmaengine: at_hdmac: Check return code of dma_async_device_register
net: tun: call napi_schedule_prep() to ensure we own a napi
mmc: sdhci-esdhc-imx: Convert the driver to DT-only
x86/cpu: Restore AMD's DE_CFG MSR after resume
io_uring: kill goto error handling in io_sqpoll_wait_sq()
Linux 5.10.155
Change-Id: Id7d803ed2db044ef465aab7e80fca8b4b07df258
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmNj1woACgkQONu9yGCS
aT5mQw/+IG2zLoH79zTzQDZF+DYZ+J5WRGVLfx+5mM2j1fGgXWmxADdlzMZTSSAc
XP1hDxHBYQSnQi/kRPuJOKJbV9TysdOV2SSvwzblq6UE4B7tw3q4YE9calfYPaiF
AhvMMAEaXGVHAVSgliRqcgnlq5Yj6nrxjr73O3kuyCWvfv6XToCd6LKFJyHdVniw
kJ7gbkgiOVH/caKyzJxW3uSZ11t4uZ10nu4q+rd3JOLDecPLcPLM28pDTL/znqS0
ECiPypmIrd10UL+V4aiHsBR9wHEJdZULb/SLLwy85EuUeEhmx4i1ylu5JosY77cQ
2CkxHIt8nCKxJ3BziMUbutY40VBs/MP74t1kB5Th/3JK8gsw2+JdUJ7b9RXzb60k
vbFjc3lJugmNsAXqOnibAu/PdoWYi4IC7A2D/gJcWzsEKgVWQptZizJpn5Se3F3+
OCWdqgOiTZiegK55W3w2xbNqSLkuvAfbx18UEWltHhzS1UT7cqGVxx7qcsFhWGfV
rG1yzzF1Skx2BcnBf+6yTczOUcOyLrMyyek3tRD00EWn8o1ik9lKARNKd+b7IUW4
57NUvaGsBp/BRrJobrdx5r7AkTg5AfEWQAM69+vbDUxjKRM02FQlfEycGxcTT2GD
nUUzJMgobd0GW4HU/2rpmMk67QCnJ9guJxRCpcp7ocGkX0x2WYs=
=n9Bi
-----END PGP SIGNATURE-----
Merge 5.10.153 into android12-5.10-lts
Changes in 5.10.153
can: j1939: transport: j1939_session_skb_drop_old(): spin_unlock_irqrestore() before kfree_skb()
can: kvaser_usb: Fix possible completions during init_completion
ALSA: Use del_timer_sync() before freeing timer
ALSA: au88x0: use explicitly signed char
ALSA: rme9652: use explicitly signed char
USB: add RESET_RESUME quirk for NVIDIA Jetson devices in RCM
usb: dwc3: gadget: Stop processing more requests on IMI
usb: dwc3: gadget: Don't set IMI for no_interrupt
usb: bdc: change state when port disconnected
usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being a V0.96 controller
mtd: rawnand: marvell: Use correct logic for nand-keep-config
xhci: Add quirk to reset host back to default state at shutdown
xhci: Remove device endpoints from bandwidth list when freeing the device
tools: iio: iio_utils: fix digit calculation
iio: light: tsl2583: Fix module unloading
iio: temperature: ltc2983: allocate iio channels once
fbdev: smscufx: Fix several use-after-free bugs
fs/binfmt_elf: Fix memory leak in load_elf_binary()
exec: Copy oldsighand->action under spin-lock
mac802154: Fix LQI recording
scsi: qla2xxx: Use transport-defined speed mask for supported_speeds
drm/msm/dsi: fix memory corruption with too many bridges
drm/msm/hdmi: fix memory corruption with too many bridges
drm/msm/dp: fix IRQ lifetime
mmc: sdhci_am654: 'select', not 'depends' REGMAP_MMIO
mmc: core: Fix kernel panic when remove non-standard SDIO card
counter: microchip-tcb-capture: Handle Signal1 read and Synapse
kernfs: fix use-after-free in __kernfs_remove
perf auxtrace: Fix address filter symbol name match for modules
s390/futex: add missing EX_TABLE entry to __futex_atomic_op()
s390/pci: add missing EX_TABLE entries to __pcistg_mio_inuser()/__pcilg_mio_inuser()
Xen/gntdev: don't ignore kernel unmapping error
xen/gntdev: Prevent leaking grants
mm/memory: add non-anonymous page check in the copy_present_page()
mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages
net: ieee802154: fix error return code in dgram_bind()
media: v4l2: Fix v4l2_i2c_subdev_set_name function documentation
drm/msm: Fix return type of mdp4_lvds_connector_mode_valid
ASoC: qcom: lpass-cpu: mark HDMI TX registers as volatile
arc: iounmap() arg is volatile
ASoC: qcom: lpass-cpu: Mark HDMI TX parity register as volatile
ALSA: ac97: fix possible memory leak in snd_ac97_dev_register()
perf/x86/intel/lbr: Use setup_clear_cpu_cap() instead of clear_cpu_cap()
tipc: fix a null-ptr-deref in tipc_topsrv_accept
net: netsec: fix error handling in netsec_register_mdio()
net: hinic: fix incorrect assignment issue in hinic_set_interrupt_cfg()
net: hinic: fix memory leak when reading function table
net: hinic: fix the issue of CMDQ memory leaks
net: hinic: fix the issue of double release MBOX callback of VF
x86/unwind/orc: Fix unreliable stack dump with gcov
amd-xgbe: fix the SFP compliance codes check for DAC cables
amd-xgbe: add the bit rate quirk for Molex cables
atlantic: fix deadlock at aq_nic_stop
kcm: annotate data-races around kcm->rx_psock
kcm: annotate data-races around kcm->rx_wait
net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed
net: lantiq_etop: don't free skb when returning NETDEV_TX_BUSY
tcp: minor optimization in tcp_add_backlog()
tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
tcp: fix indefinite deferral of RTO with SACK reneging
can: mscan: mpc5xxx: mpc5xxx_can_probe(): add missing put_clock() in error path
can: mcp251x: mcp251x_can_probe(): add missing unregister_candev() in error path
PM: hibernate: Allow hybrid sleep to work with s2idle
media: vivid: s_fbuf: add more sanity checks
media: vivid: dev->bitmap_cap wasn't freed in all cases
media: v4l2-dv-timings: add sanity checks for blanking values
media: videodev2.h: V4L2_DV_BT_BLANKING_HEIGHT should check 'interlaced'
media: vivid: set num_in/outputs to 0 if not supported
ipv6: ensure sane device mtu in tunnels
i40e: Fix ethtool rx-flow-hash setting for X722
i40e: Fix VF hang when reset is triggered on another VF
i40e: Fix flow-type by setting GL_HASH_INSET registers
net: ksz884x: fix missing pci_disable_device() on error in pcidev_init()
PM: domains: Fix handling of unavailable/disabled idle states
net: fec: limit register access on i.MX6UL
ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()
ALSA: aoa: Fix I2S device accounting
openvswitch: switch from WARN to pr_warn
net: ehea: fix possible memory leak in ehea_register_port()
nh: fix scope used to find saddr when adding non gw nh
net/mlx5e: Do not increment ESN when updating IPsec ESN state
net/mlx5: Fix possible use-after-free in async command interface
net/mlx5: Fix crash during sync firmware reset
net: enetc: survive memory pressure without crashing
arm64: Add AMPERE1 to the Spectre-BHB affected list
scsi: sd: Revert "scsi: sd: Remove a local variable"
arm64/mm: Fix __enable_mmu() for new TGRAN range values
arm64/kexec: Test page size support with new TGRAN range values
can: rcar_canfd: rcar_canfd_handle_global_receive(): fix IRQ storm on global FIFO receive
serial: core: move RS485 configuration tasks from drivers into core
serial: Deassert Transmit Enable on probe in driver-specific way
Linux 5.10.153
Change-Id: I1cbca2c5cbaaab34ccd6e055f13c35d900d4ce25
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmNeOLQACgkQONu9yGCS
aT5iwg/9H+n2ReIVRksj51PM2scTLYY/BqBJorvOPDyJx7pmq8X7wOK2wBxdkoeN
11+SnTEanx8pO0tLx6W+ekl1vf/iOAuHRsroBzNoJxhfMrTwyvh/Nq/vaGtiLr/e
PXr0d0SAR/XW0aKz8l3NMHDEmhXJv42ryOuEdGkOcKaOGp50gnPFLHpnbhZWVuWx
QlA/ise0uwdUf9aK8VGnoqmvGmFYrspoEmrGdbAPXebzBDEpMM6SZO4FByy7N1+w
ZyhkL1I12kXYHa1Apyqp+MTu0bYzXO1Lx0W4Hsnhwad/mA8f9A/hOYRh4h0TEudz
Pla9O4qXmmx00UNyWm7nOl9T6y0Q2UbbHBzi1anv9PDeVQLtUgGIjqeaZiQ7usC5
QYbz1pSlfRxLKbKtTGito0+QHVi/u363v+WrlaOA5v2qYKGsR9JCvF24gtMEEuYI
jxh13PccgIiT5C1jGiqbKDjBIxY55mBsD/NjC3Bb8lw/3cXhePU2SNECDsJk/X/8
P4OZxAMdgvGUewqB9Qd3WFMrQVIeOxJpIpZlYLVNB8V7CjHPouOh+dZQApqRd6bE
alddAVmrI5UCJOTTsNiQgm5caBuhBcLIGe6ihMNCq3UOvOxxbVdYfhA+4kYgsqtV
H//XSUOKEA6lRiOov6brui9BL6/hj+UszCxIHxERl1iKX+biGag=
=cy7p
-----END PGP SIGNATURE-----
Merge 5.10.152 into android12-5.10-lts
Changes in 5.10.152
ocfs2: clear dinode links count in case of error
ocfs2: fix BUG when iput after ocfs2_mknod fails
selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
cpufreq: qcom: fix writes in read-only memory region
i2c: qcom-cci: Fix ordering of pm_runtime_xx and i2c_add_adapter
x86/microcode/AMD: Apply the patch early on every logical thread
hwmon/coretemp: Handle large core ID value
ata: ahci-imx: Fix MODULE_ALIAS
ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS
cpufreq: qcom: fix memory leak in error path
kvm: Add support for arch compat vm ioctls
KVM: arm64: vgic: Fix exit condition in scan_its_table()
media: mceusb: set timeout to at least timeout provided
media: venus: dec: Handle the case where find_format fails
block: wbt: Remove unnecessary invoking of wbt_update_limits in wbt_init
blk-wbt: call rq_qos_add() after wb_normal is initialized
arm64: errata: Remove AES hwcap for COMPAT tasks
r8152: add PID for the Lenovo OneLink+ Dock
btrfs: fix processing of delayed data refs during backref walking
btrfs: fix processing of delayed tree block refs during backref walking
ACPI: extlog: Handle multiple records
tipc: Fix recognition of trial period
tipc: fix an information leak in tipc_topsrv_kern_subscr
i40e: Fix DMA mappings leak
HID: magicmouse: Do not set BTN_MOUSE on double report
sfc: Change VF mac via PF as first preference if available.
net/atm: fix proc_mpc_write incorrect return value
net: phy: dp83867: Extend RX strap quirk for SGMII mode
cifs: Fix xid leak in cifs_copy_file_range()
cifs: Fix xid leak in cifs_flock()
cifs: Fix xid leak in cifs_ses_add_channel()
net: hsr: avoid possible NULL deref in skb_clone()
ionic: catch NULL pointer issue on reconfig
nvme-hwmon: rework to avoid devm allocation
nvme-hwmon: Return error code when registration fails
nvme-hwmon: consistently ignore errors from nvme_hwmon_init
nvme-hwmon: kmalloc the NVME SMART log buffer
net: sched: cake: fix null pointer access issue when cake_init() fails
net: sched: delete duplicate cleanup of backlog and qlen
net: sched: sfb: fix null pointer access issue when sfb_init() fails
sfc: include vport_id in filter spec hash and equal()
net: hns: fix possible memory leak in hnae_ae_register()
net: sched: fix race condition in qdisc_graft()
net: phy: dp83822: disable MDI crossover status change interrupt
iommu/vt-d: Allow NVS regions in arch_rmrr_sanity_check()
iommu/vt-d: Clean up si_domain in the init_dmars() error path
drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb()
dmaengine: mxs-dma: Remove the unused .id_table
dmaengine: mxs: use platform_driver_register
tracing: Simplify conditional compilation code in tracing_set_tracer()
tracing: Do not free snapshot if tracer is on cmdline
xen: assume XENFEAT_gnttab_map_avail_bits being set for pv guests
xen/gntdev: Accommodate VMA splitting
mmc: sdhci-tegra: Use actual clock rate for SW tuning correction
riscv: Add machine name to kernel boot log and stack dump output
riscv: always honor the CONFIG_CMDLINE_FORCE when parsing dtb
perf pmu: Validate raw event with sysfs exported format bits
perf: Skip and warn on unknown format 'configN' attrs
fcntl: make F_GETOWN(EX) return 0 on dead owner task
fcntl: fix potential deadlocks for &fown_struct.lock
arm64: dts: qcom: sc7180-trogdor: Fixup modem memory region
arm64: topology: move store_cpu_topology() to shared code
riscv: topology: fix default topology reporting
perf/x86/intel/pt: Relax address filter validation
hv_netvsc: Fix race between VF offering and VF association message from host
ACPI: video: Force backlight native for more TongFang devices
x86/Kconfig: Drop check for -mabi=ms for CONFIG_EFI_STUB
Makefile.debug: re-enable debug info for .S files
mmc: core: Add SD card quirk for broken discard
blk-wbt: fix that 'rwb->wc' is always set to 1 in wbt_init()
mm: /proc/pid/smaps_rollup: fix no vma's null-deref
udp: Update reuse->has_conns under reuseport_lock.
Linux 5.10.152
Change-Id: I2c75b6fd3ae205968bcc3133ebf71b82ff2a19b6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 1c075b192fe41030457cd4a5f7dea730412bca40 ]
This is a follow-up for commit 974cb0e3e7 ("tipc: fix uninit-value
in tipc_nl_compat_name_table_dump") where it should have type casted
sizeof(..) to int to work when TLV_GET_DATA_LEN() returns a negative
value.
syzbot reported a call trace because of it:
BUG: KMSAN: uninit-value in ...
tipc_nl_compat_name_table_dump+0x841/0xea0 net/tipc/netlink_compat.c:934
__tipc_nl_compat_dumpit+0xab2/0x1320 net/tipc/netlink_compat.c:238
tipc_nl_compat_dumpit+0x991/0xb50 net/tipc/netlink_compat.c:321
tipc_nl_compat_recv+0xb6e/0x1640 net/tipc/netlink_compat.c:1324
genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
genl_rcv_msg+0x103f/0x1260 net/netlink/genetlink.c:792
netlink_rcv_skb+0x3a5/0x6c0 net/netlink/af_netlink.c:2501
genl_rcv+0x3c/0x50 net/netlink/genetlink.c:803
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
Reported-by: syzbot+e5dbaaa238680ce206ea@syzkaller.appspotmail.com
Fixes: 974cb0e3e7 ("tipc: fix uninit-value in tipc_nl_compat_name_table_dump")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/ccd6a7ea801b15aec092c3b532a883b4c5708695.1667594933.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 82cb4e4612c633a9ce320e1773114875604a3cce ]
syzbot found a crash in tipc_topsrv_accept:
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Workqueue: tipc_rcv tipc_topsrv_accept
RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487
Call Trace:
<TASK>
tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460
process_one_work+0x991/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
It was caused by srv->listener that might be set to null by
tipc_topsrv_stop() in net .exit whereas it's still used in
tipc_topsrv_accept() worker.
srv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add
a check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to
avoid the null-ptr-deref. To ensure the lsock is not released during the
tipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop()
where it's waiting until the tipc_topsrv_accept worker to be done.
Note that sk_callback_lock is used to protect sk->sk_user_data instead of
srv->listener, and it should check srv in tipc_topsrv_listener_data_ready()
instead. This also ensures that no more tipc_topsrv_accept worker will be
started after tipc_conn_close() is called in tipc_topsrv_stop() where it
sets sk->sk_user_data to null.
Fixes: 0ef897be12 ("tipc: separate topology server listener socket from subcsriber sockets")
Reported-by: syzbot+c5ce866a8d30f4be0651@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Link: https://lore.kernel.org/r/4eee264380c409c61c6451af1059b7fb271a7e7b.1666120790.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 28be7ca4fcfd69a2d52aaa331adbf9dbe91f9e6e ]
The trial period exists until jiffies is after addr_trial_end. But as
jiffies will eventually overflow, just using time_after will eventually
give incorrect results. As the node address is set once the trial period
ends, this can be used to know that we are not in the trial period.
Fixes: e415577f57 ("tipc: correct discovery message handling during address trial period")
Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmMi8SIACgkQONu9yGCS
aT5fNRAAzsIlb9OehdslBs5PcJjQztWRSapzpR+umubzCvVht3HKoPN4EBane+t+
w3y6BUKJEWrTuomO+KpizGzDG82B9kNYkS88TCrZHTu37knH4nl2mze09KGUjz0l
A8OgmwfA7DFaZucNQWxmO5m80USMUJoARxT87bQ1edW9L4phquNHpCXnlDbbX15/
La4d6tQWrEHx7LgxhfxCN4UGJCKzp4xDVnedPsicMALYjEZ6kc9STz95DR+0lQZK
e7FyR6uLit/TtnuVpJYJcHRs9k+MHe5grtQ/VA5PAxB6uMU2Y0G8dzzUrQKZ/L4N
ty/qqKS7zaqqD2ywh8JEPuFJMbAFRerXHEuQ9HI7d3guCYsKICE9eNd5eRLrN/rn
MckBm41/of7vksZvofpx/U4uZdIlNSzF0ybADv/UGMPDyCfEEKOKlok3KFM9UWLK
MWzufJHaX9MF/J5vfrixO7QPol5MKTdUypZ7BhXeXb9b7F2Y/JrYsHgIIzpE+TH1
p1wkfmT3YfHA+6Wl5VnjxvZS6QhcZFTY97hOmVPJ4ge1orAGDK9Jj9FpL6EM4XDb
oaKJU8WB0Ry+YYxjEa0QQY+VWHAEns/lauECM4kJoxDKLo2b5A8qvvpaDGyXz/M4
2/66ZmV2KKOlEiWAC5oVhxPiWxpVbryO0FhEdR2e9WuidmQ27Mc=
=XF1H
-----END PGP SIGNATURE-----
Merge 5.10.143 into android12-5.10-lts
Changes in 5.10.143
NFSD: Fix verifier returned in stable WRITEs
xen-blkfront: Cache feature_persistent value before advertisement
tty: n_gsm: initialize more members at gsm_alloc_mux()
tty: n_gsm: avoid call of sleeping functions from atomic context
efi: libstub: Disable struct randomization
efi: capsule-loader: Fix use-after-free in efi_capsule_write
wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965_rs_fill_link_cmd()
fs: only do a memory barrier for the first set_buffer_uptodate()
Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()"
scsi: qla2xxx: Disable ATIO interrupt coalesce for quad port ISP27XX
scsi: megaraid_sas: Fix double kfree()
drm/gem: Fix GEM handle release errors
drm/amdgpu: Move psp_xgmi_terminate call from amdgpu_xgmi_remove_device to psp_hw_fini
drm/amdgpu: Check num_gfx_rings for gfx v9_0 rb setup.
drm/radeon: add a force flush to delay work when radeon
parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()
parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines
arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level
net/core/skbuff: Check the return value of skb_copy_bits()
fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init()
drm/amdgpu: mmVM_L2_CNTL3 register not initialized correctly
ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()
ALSA: aloop: Fix random zeros in capture data when using jiffies timer
ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()
kprobes: Prohibit probes in gate area
debugfs: add debugfs_lookup_and_remove()
nvmet: fix a use-after-free
drm/i915: Implement WaEdpLinkRateDataReload
scsi: mpt3sas: Fix use-after-free warning
scsi: lpfc: Add missing destroy_workqueue() in error path
cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty subtree
cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock
cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl()
smb3: missing inode locks in punch hole
ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node
regulator: core: Clean up on enable failure
tee: fix compiler warning in tee_shm_register()
RDMA/cma: Fix arguments order in net device validation
soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs
RDMA/hns: Fix supported page size
RDMA/hns: Fix wrong fixed value of qp->rq.wqe_shift
ARM: dts: at91: sama5d27_wlsom1: specify proper regulator output ranges
ARM: dts: at91: sama5d2_icp: specify proper regulator output ranges
ARM: dts: at91: sama5d27_wlsom1: don't keep ldo2 enabled all the time
ARM: dts: at91: sama5d2_icp: don't keep vdd_other enabled all the time
netfilter: br_netfilter: Drop dst references before setting.
netfilter: nf_tables: clean up hook list when offload flags check fails
netfilter: nf_conntrack_irc: Fix forged IP logic
ALSA: usb-audio: Inform the delayed registration more properly
ALSA: usb-audio: Register card again for iface over delayed_register option
rxrpc: Fix an insufficiently large sglist in rxkad_verify_packet_2()
afs: Use the operation issue time instead of the reply time for callbacks
sch_sfb: Don't assume the skb is still around after enqueueing to child
tipc: fix shift wrapping bug in map_get()
ice: use bitmap_free instead of devm_kfree
i40e: Fix kernel crash during module removal
xen-netback: only remove 'hotplug-status' when the vif is actually destroyed
RDMA/siw: Pass a pointer to virt_to_page()
ipv6: sr: fix out-of-bounds read when setting HMAC data.
IB/core: Fix a nested dead lock as part of ODP flow
RDMA/mlx5: Set local port to one when accessing counters
nvme-tcp: fix UAF when detecting digest errors
nvme-tcp: fix regression that causes sporadic requests to time out
tcp: fix early ETIMEDOUT after spurious non-SACK RTO
sch_sfb: Also store skb len before calling child enqueue
ASoC: mchp-spdiftx: remove references to mchp_i2s_caps
ASoC: mchp-spdiftx: Fix clang -Wbitfield-constant-conversion
MIPS: loongson32: ls1c: Fix hang during startup
swiotlb: avoid potential left shift overflow
iommu/amd: use full 64-bit value in build_completion_wait()
hwmon: (mr75203) fix VM sensor allocation when "intel,vm-map" not defined
hwmon: (mr75203) update pvt->v_num and vm_num to the actual number of used sensors
hwmon: (mr75203) fix voltage equation for negative source input
hwmon: (mr75203) fix multi-channel voltage reading
hwmon: (mr75203) enable polling for all VM channels
arm64: errata: add detection for AMEVCNTR01 incrementing incorrectly
Linux 5.10.143
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ia1bc1b76bcad0e2cb3b27d1a37278b1d24c6b90d
[ Upstream commit e2b224abd9bf45dcb55750479fc35970725a430b ]
There is a shift wrapping bug in this code so anything thing above
31 will return false.
Fixes: 35c55c9877 ("tipc: add neighbor monitoring framework")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmMPexEACgkQONu9yGCS
aT7SIg//QPmoJq2ho7oqDXzdxW67Eay3QZEPDoBol34RxEXoAUpxFB1nQlC3u1aI
OyPNXqQSPkObkXRMAVYStTZWgN3iUngorbsDOM+svGpAxt9zC/6d7JGNdhstaQLG
p/OoWaV7qwnNUsvndhohdmwU9TqjwpbvQwSa570uWQ47nIoxMyIz0iR80GjBSNGf
a2QiJg4OsaVxqxoySB6I6qAceRMbLOZVxW6p963IYC9Fj4j1NmhsPDIy95aidEN5
RG+Ng9GnuYRo0ktlhSje9YKyE5bYhUNCi6GWsCyArAFo0db/2GzRFweZRy5w7MC/
IaFQf93pDZinIBfDJliXfFMBx4YLdI3IHdtILPJvF7d1U5n6pG44knrPkPHzNouf
Ife8SckAPLzZeffobIcOXgoZqM3Xj/5mpHWffPQ2wIpL0ylf4bshPiC8mIRoyblh
ufrzUV6r7uBesp18c6nhjwAKgNVaw4w9+CpDk0qLlDELKNfENJ9wMRAJpcifYJKL
jJVWJh2wXG4kBWbp/2SetMkNNEeqn/PQUVY843uRE2iE76J2lzly5/+gI4DsSN6+
z2ZQL5tzguZvLw0s+si+doU+orbpzXluJncNdJyw8+1A7J2kxSn/Xfks9X3BKDyi
69pxUx627rMJZi4Pwsc1tyoeTVj32EAmUqronHD9tsQKsujIX0M=
=DO69
-----END PGP SIGNATURE-----
Merge 5.10.140 into android12-5.10-lts
Changes in 5.10.140
audit: fix potential double free on error path from fsnotify_add_inode_mark
parisc: Fix exception handler for fldw and fstw instructions
kernel/sys_ni: add compat entry for fadvise64_64
pinctrl: amd: Don't save/restore interrupt status and wake status bits
xfs: prevent a WARN_ONCE() in xfs_ioc_attr_list()
xfs: reject crazy array sizes being fed to XFS_IOC_GETBMAP*
fs: remove __sync_filesystem
vfs: make sync_filesystem return errors from ->sync_fs
xfs: return errors in xfs_fs_sync_fs
xfs: only bother with sync_filesystem during readonly remount
kernel/sched: Remove dl_boosted flag comment
xfrm: fix refcount leak in __xfrm_policy_check()
xfrm: clone missing x->lastused in xfrm_do_migrate
af_key: Do not call xfrm_probe_algs in parallel
xfrm: policy: fix metadata dst->dev xmit null pointer dereference
NFS: Don't allocate nfs_fattr on the stack in __nfs42_ssc_open()
NFSv4.2 fix problems with __nfs42_ssc_open
SUNRPC: RPC level errors should set task->tk_rpc_status
mm/huge_memory.c: use helper function migration_entry_to_page()
mm/smaps: don't access young/dirty bit if pte unpresent
rose: check NULL rose_loopback_neigh->loopback
nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
ice: xsk: Force rings to be sized to power of 2
ice: xsk: prohibit usage of non-balanced queue id
net/mlx5e: Properly disable vlan strip on non-UL reps
net: ipa: don't assume SMEM is page-aligned
net: moxa: get rid of asymmetry in DMA mapping/unmapping
bonding: 802.3ad: fix no transmission of LACPDUs
net: ipvtap - add __init/__exit annotations to module init/exit funcs
netfilter: ebtables: reject blobs that don't provide all entry points
bnxt_en: fix NQ resource accounting during vf creation on 57500 chips
netfilter: nft_payload: report ERANGE for too long offset and length
netfilter: nft_payload: do not truncate csum_offset and csum_type
netfilter: nf_tables: do not leave chain stats enabled on error
netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families
netfilter: nft_tunnel: restrict it to netdev family
netfilter: nftables: remove redundant assignment of variable err
netfilter: nf_tables: consolidate rule verdict trace call
netfilter: nft_cmp: optimize comparison for 16-bytes
netfilter: bitwise: improve error goto labels
netfilter: nf_tables: upfront validation of data via nft_data_init()
netfilter: nf_tables: disallow jump to implicit chain from set element
netfilter: nf_tables: disallow binding to already bound chain
tcp: tweak len/truesize ratio for coalesce candidates
net: Fix data-races around sysctl_[rw]mem(_offset)?.
net: Fix data-races around sysctl_[rw]mem_(max|default).
net: Fix data-races around weight_p and dev_weight_[rt]x_bias.
net: Fix data-races around netdev_max_backlog.
net: Fix data-races around netdev_tstamp_prequeue.
ratelimit: Fix data-races in ___ratelimit().
bpf: Folding omem_charge() into sk_storage_charge()
net: Fix data-races around sysctl_optmem_max.
net: Fix a data-race around sysctl_tstamp_allow_data.
net: Fix a data-race around sysctl_net_busy_poll.
net: Fix a data-race around sysctl_net_busy_read.
net: Fix a data-race around netdev_budget.
net: Fix a data-race around netdev_budget_usecs.
net: Fix data-races around sysctl_fb_tunnels_only_for_init_net.
net: Fix data-races around sysctl_devconf_inherit_init_net.
net: Fix a data-race around sysctl_somaxconn.
ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter
rxrpc: Fix locking in rxrpc's sendmsg
ionic: fix up issues with handling EAGAIN on FW cmds
btrfs: fix silent failure when deleting root reference
btrfs: replace: drop assert for suspended replace
btrfs: add info when mount fails due to stale replace target
btrfs: check if root is readonly while setting security xattr
perf/x86/lbr: Enable the branch type for the Arch LBR by default
x86/unwind/orc: Unwind ftrace trampolines with correct ORC entry
x86/bugs: Add "unknown" reporting for MMIO Stale Data
loop: Check for overflow while configuring loop
asm-generic: sections: refactor memory_intersects
s390: fix double free of GS and RI CBs on fork() failure
ACPI: processor: Remove freq Qos request for all CPUs
xen/privcmd: fix error exit of privcmd_ioctl_dm_op()
mm/hugetlb: fix hugetlb not supporting softdirty tracking
Revert "md-raid: destroy the bitmap after destroying the thread"
md: call __md_stop_writes in md_stop
arm64: Fix match_list for erratum 1286807 on Arm Cortex-A76
Documentation/ABI: Mention retbleed vulnerability info file for sysfs
blk-mq: fix io hung due to missing commit_rqs
perf python: Fix build when PYTHON_CONFIG is user supplied
perf/x86/intel/uncore: Fix broken read_counter() for SNB IMC PMU
scsi: ufs: core: Enable link lost interrupt
scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq
bpf: Don't use tnum_range on array range checking for poke descriptors
Linux 5.10.140
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I29f4b4af2a584dc2f2789aac613583603002464a
[ Upstream commit 02739545951ad4c1215160db7fbf9b7a918d3c0b ]
While reading these sysctl variables, they can be changed concurrently.
Thus, we need to add READ_ONCE() to their readers.
- .sysctl_rmem
- .sysctl_rwmem
- .sysctl_rmem_offset
- .sysctl_wmem_offset
- sysctl_tcp_rmem[1, 2]
- sysctl_tcp_wmem[1, 2]
- sysctl_decnet_rmem[1]
- sysctl_decnet_wmem[1]
- sysctl_tipc_rmem[1]
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmLZpvwACgkQONu9yGCS
aT43nBAAhxJzkIcRI/641//eBLQrmbeNsS4TerYlpPIJAXwfXlF6KX6Ixl0rYcp/
GUid3QlXyDG4TTUB519M1FpaknDGq5vUCzNik82AogzMFLf/KWP6urx4FSeZCt1D
xAdYQHHWKFiyNUlqjT22dPM3/QR1D0BtUKE6QLUdWWhyc1W+gvYx1m10GG6O1z55
eljZScRYvaacvVZ4LiN0ClU9J0n16SqfTg8/jEASr+3yqe4ZKdzFdngGlJrWUCZa
SrR5ijscqoIQ5yTSA5DUZ/N4aAeTgSSXcMfXeZh1CoD4Ak87e2kwBHZAUWQWJrEe
0nfILwU0okZmEOKtwCtYz0iwfFEfB/wKwrZjJ0jV03dL3Ncm7ddj2bQDk0+fLDYZ
AEjflhLZfusQEprM+jr0Qx9UlJo1TA4KssRn1A+cfocKvhfTrVneWO5LcR1Jf6Gq
9z7lgh8iRs4ncEfqh2cCRcSpIJLlPOmACmtA4eD2tk7heGRhfBpL9Hv2KBCHss5o
iMaqRsvVXFZn2KCxZFOR4l0cQvkKkxHWBjiVxrYTV5SrELJ4d2DBc7r93a5vM7W/
tKKGi0IG+0V7fgHvKrRDVZnYWV05NEbit0xd0lgY5YZsOuJIVy024YayuWDFxT5S
xulwcoSzAQiWnhqtrsD9eqWotA1E8i9wCuWHEAPMRmnzTBdENTA=
=cxaP
-----END PGP SIGNATURE-----
Merge 5.10.132 into android12-5.10-lts
Changes in 5.10.132
ALSA: hda - Add fixup for Dell Latitidue E5430
ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model
ALSA: hda/realtek: Fix headset mic for Acer SF313-51
ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671
ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221
ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue
fix race between exit_itimers() and /proc/pid/timers
mm: split huge PUD on wp_huge_pud fallback
tracing/histograms: Fix memory leak problem
net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer
ip: fix dflt addr selection for connected nexthop
ARM: 9213/1: Print message about disabled Spectre workarounds only once
ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction
wifi: mac80211: fix queue selection for mesh/OCB interfaces
cgroup: Use separate src/dst nodes when preloading css_sets for migration
btrfs: return -EAGAIN for NOWAIT dio reads/writes on compressed and inline extents
drm/panfrost: Put mapping instead of shmem obj on panfrost_mmu_map_fault_addr() error
drm/panfrost: Fix shrinker list corruption by madvise IOCTL
fs/remap: constrain dedupe of EOF blocks
nilfs2: fix incorrect masking of permission flags for symlinks
sh: convert nommu io{re,un}map() to static inline functions
Revert "evm: Fix memleak in init_desc"
ext4: fix race condition between ext4_write and ext4_convert_inline_data
ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count
spi: amd: Limit max transfer and message size
ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle
ARM: 9210/1: Mark the FDT_FIXED sections as shareable
net/mlx5e: kTLS, Fix build time constant test in TX
net/mlx5e: kTLS, Fix build time constant test in RX
net/mlx5e: Fix capability check for updating vnic env counters
drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()
ima: Fix a potential integer overflow in ima_appraise_measurement
ASoC: sgtl5000: Fix noise on shutdown/remove
ASoC: tas2764: Add post reset delays
ASoC: tas2764: Fix and extend FSYNC polarity handling
ASoC: tas2764: Correct playback volume range
ASoC: tas2764: Fix amp gain register offset & default
ASoC: Intel: Skylake: Correct the ssp rate discovery in skl_get_ssp_clks()
ASoC: Intel: Skylake: Correct the handling of fmt_config flexible array
net: stmmac: dwc-qos: Disable split header for Tegra194
sysctl: Fix data races in proc_dointvec().
sysctl: Fix data races in proc_douintvec().
sysctl: Fix data races in proc_dointvec_minmax().
sysctl: Fix data races in proc_douintvec_minmax().
sysctl: Fix data races in proc_doulongvec_minmax().
sysctl: Fix data races in proc_dointvec_jiffies().
tcp: Fix a data-race around sysctl_tcp_max_orphans.
inetpeer: Fix data-races around sysctl.
net: Fix data-races around sysctl_mem.
cipso: Fix data-races around sysctl.
icmp: Fix data-races around sysctl.
ipv4: Fix a data-race around sysctl_fib_sync_mem.
ARM: dts: at91: sama5d2: Fix typo in i2s1 node
ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero
drm/i915/selftests: fix a couple IS_ERR() vs NULL tests
drm/i915/gt: Serialize TLB invalidates with GT resets
sysctl: Fix data-races in proc_dointvec_ms_jiffies().
icmp: Fix a data-race around sysctl_icmp_ratelimit.
icmp: Fix a data-race around sysctl_icmp_ratemask.
raw: Fix a data-race around sysctl_raw_l3mdev_accept.
ipv4: Fix data-races around sysctl_ip_dynaddr.
nexthop: Fix data-races around nexthop_compat_mode.
net: ftgmac100: Hold reference returned by of_get_child_by_name()
ima: force signature verification when CONFIG_KEXEC_SIG is configured
ima: Fix potential memory leak in ima_init_crypto()
sfc: fix use after free when disabling sriov
seg6: fix skb checksum evaluation in SRH encapsulation/insertion
seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors
seg6: bpf: fix skb checksum in bpf_push_seg6_encap()
sfc: fix kernel panic when creating VF
net: atlantic: remove deep parameter on suspend/resume functions
net: atlantic: remove aq_nic_deinit() when resume
KVM: x86: Fully initialize 'struct kvm_lapic_irq' in kvm_pv_kick_cpu_op()
net/tls: Check for errors in tls_device_init
mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE
virtio_mmio: Add missing PM calls to freeze/restore
virtio_mmio: Restore guest page size on resume
netfilter: br_netfilter: do not skip all hooks with 0 priority
scsi: hisi_sas: Limit max hw sectors for v3 HW
cpufreq: pmac32-cpufreq: Fix refcount leak bug
platform/x86: hp-wmi: Ignore Sanitization Mode event
net: tipc: fix possible refcount leak in tipc_sk_create()
NFC: nxp-nci: don't print header length mismatch on i2c error
nvme-tcp: always fail a request when sending it failed
nvme: fix regression when disconnect a recovering ctrl
net: sfp: fix memory leak in sfp_probe()
ASoC: ops: Fix off by one in range control validation
pinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux()
ASoC: SOF: Intel: hda-loader: Clarify the cl_dsp_init() flow
ASoC: wm5110: Fix DRE control
ASoC: dapm: Initialise kcontrol data for mux/demux controls
ASoC: cs47l15: Fix event generation for low power mux control
ASoC: madera: Fix event generation for OUT1 demux
ASoC: madera: Fix event generation for rate controls
irqchip: or1k-pic: Undefine mask_ack for level triggered hardware
x86: Clear .brk area at early boot
soc: ixp4xx/npe: Fix unused match warning
ARM: dts: stm32: use the correct clock source for CEC on stm32mp151
Revert "can: xilinx_can: Limit CANFD brp to 2"
nvme-pci: phison e16 has bogus namespace ids
signal handling: don't use BUG_ON() for debugging
USB: serial: ftdi_sio: add Belimo device ids
usb: typec: add missing uevent when partner support PD
usb: dwc3: gadget: Fix event pending check
tty: serial: samsung_tty: set dma burst_size to 1
vt: fix memory overlapping when deleting chars in the buffer
serial: 8250: fix return error code in serial8250_request_std_resource()
serial: stm32: Clear prev values before setting RTS delays
serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle
serial: 8250: Fix PM usage_count for console handover
x86/pat: Fix x86_has_pat_wp()
Linux 5.10.132
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I450f357105f90b1b9549dea5de62dc9a160d4ba9
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmLHATwACgkQONu9yGCS
aT7moA//Wzi2KRr1EJxAFYHGJDNX2D4CP1Awcd9MIOUx6PKe4f5cu4MqlLl1Feev
N9dd+M1H1Q+Hobiptr7e40PdtQ+cAAMDYNgjsmJgIA0yrb5bZu4MoOVaKIxHywDG
UtEUxhk1ccdJ6hNsUKFXpjIu51fuUPdiUl6ddV3FzTfFPMbDmnBoUBnWO/4xX2QS
BaX4rlTorK5zFXYvUEoB34Sq5dp4nldiNH8qG0N8UCj0ZQEVKi/Km7aXkMj6saBw
+95BR7b9/rAVR2JNXRLE5Mem1jz19ob/eLZNK22aO+sbipK1vG0oZmXaPKnD7QIU
l+HGCPfokdwGmK49nvugQYiZK0ngDQ1UNEkfz6AYgFBcKWT0H4dLx5C1jAVOef83
PRNenPxeUsLcacIScUOkIgXds6/LoC/3Q683V5sXN4SGOZlImpeKr1zwUfr2mpx6
x314iHDBLihalJnXYPMR/2WShKKCtR0ANmyVXh4LtXuSowpvtj1wJaArXul1oSEP
EkIwTpPbn1jl3AXEWCm/ezKA2c5Qd7j9EYbWd35D4aVx5BB6IeXx3ghDrlQLWgUh
T/VXACa2vYUeKrqmisU/9+U0ARvoCD+uIgRPtnittdYf/1ona5tNhu6MU1s8Sl7G
7j6ReyaDkCTvNPSF9G8pRYNQSZJ+cMBncwNSmHJ+VWODmItXlTE=
=4TFQ
-----END PGP SIGNATURE-----
Merge 5.10.129 into android12-5.10-lts
Changes in 5.10.129
drm/amdgpu: To flush tlb for MMHUB of RAVEN series
ipv6: take care of disable_policy when restoring routes
nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA XPG SX6000LNP (AKA SPECTRIX S40G)
nvdimm: Fix badblocks clear off-by-one error
powerpc/prom_init: Fix kernel config grep
powerpc/book3e: Fix PUD allocation size in map_kernel_page()
powerpc/bpf: Fix use of user_pt_regs in uapi
dm raid: fix accesses beyond end of raid member array
dm raid: fix KASAN warning in raid5_add_disks
s390/archrandom: simplify back to earlier design and initialize earlier
SUNRPC: Fix READ_PLUS crasher
net: rose: fix UAF bugs caused by timer handler
net: usb: ax88179_178a: Fix packet receiving
virtio-net: fix race between ndo_open() and virtio_device_ready()
selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test
net: dsa: bcm_sf2: force pause link settings
net: tun: unlink NAPI from device on destruction
net: tun: stop NAPI when detaching queues
net: dp83822: disable false carrier interrupt
net: dp83822: disable rx error interrupt
RDMA/qedr: Fix reporting QP timeout attribute
RDMA/cm: Fix memory leak in ib_cm_insert_listen
linux/dim: Fix divide by 0 in RDMA DIM
usbnet: fix memory allocation in helpers
net: ipv6: unexport __init-annotated seg6_hmac_net_init()
NFSD: restore EINVAL error translation in nfsd_commit()
caif_virtio: fix race between virtio_device_ready() and ndo_open()
PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events
s390: remove unneeded 'select BUILD_BIN2C'
netfilter: nft_dynset: restore set element counter when failing to update
net/sched: act_api: Notify user space if any actions were flushed before error
net: bonding: fix possible NULL deref in rlb code
net: bonding: fix use-after-free after 802.3ad slave unbind
nfc: nfcmrvl: Fix irq_of_parse_and_map() return value
NFC: nxp-nci: Don't issue a zero length i2c_master_read()
tipc: move bc link creation back to tipc_node_create
epic100: fix use after free on rmmod
io_uring: ensure that send/sendmsg and recv/recvmsg check sqe->ioprio
tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()
net: tun: avoid disabling NAPI twice
xfs: use current->journal_info for detecting transaction recursion
xfs: rename variable mp to parsing_mp
xfs: Skip repetitive warnings about mount options
xfs: ensure xfs_errortag_random_default matches XFS_ERRTAG_MAX
xfs: fix xfs_trans slab cache name
xfs: update superblock counters correctly for !lazysbcount
xfs: fix xfs_reflink_unshare usage of filemap_write_and_wait_range
tcp: add a missing nf_reset_ct() in 3WHS handling
xen/gntdev: Avoid blocking in unmap_grant_pages()
drivers: cpufreq: Add missing of_node_put() in qoriq-cpufreq.c
sit: use min
ipv6/sit: fix ipip6_tunnel_get_prl return value
hwmon: (ibmaem) don't call platform_device_del() if platform_device_add() fails
selftests/rseq: remove ARRAY_SIZE define from individual tests
selftests/rseq: introduce own copy of rseq uapi header
selftests/rseq: Remove useless assignment to cpu variable
selftests/rseq: Remove volatile from __rseq_abi
selftests/rseq: Introduce rseq_get_abi() helper
selftests/rseq: Introduce thread pointer getters
selftests/rseq: Uplift rseq selftests for compatibility with glibc-2.35
selftests/rseq: Fix ppc32: wrong rseq_cs 32-bit field pointer on big endian
selftests/rseq: Fix ppc32 missing instruction selection "u" and "x" for load/store
selftests/rseq: Fix ppc32 offsets by using long rather than off_t
selftests/rseq: Fix warnings about #if checks of undefined tokens
selftests/rseq: Remove arm/mips asm goto compiler work-around
selftests/rseq: Fix: work-around asm goto compiler bugs
selftests/rseq: x86-64: use %fs segment selector for accessing rseq thread area
selftests/rseq: x86-32: use %gs segment selector for accessing rseq thread area
selftests/rseq: Change type of rseq_offset to ptrdiff_t
xen/blkfront: fix leaking data in shared pages
xen/netfront: fix leaking data in shared pages
xen/netfront: force data bouncing when backend is untrusted
xen/blkfront: force data bouncing when backend is untrusted
xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()
xen/arm: Fix race in RB-tree based P2M accounting
net: usb: qmi_wwan: add Telit 0x1060 composition
net: usb: qmi_wwan: add Telit 0x1070 composition
clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup()
Linux 5.10.129
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I7a2bdb1fd13c78604c728f4cbfb6f659d7a348e3
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmK7+HgACgkQONu9yGCS
aT4Z1w/9G9TGz0bE1QufgINkznpPIgClmX4yRB4iN/9esvlkUhM0RKeCM9tLFfQ0
KtrR3BjyNvfxJk8qbpiAawJSvBbtviAe+/Dm5i6nGqUXt2FnEFg4VYKJIAPt4UAl
ecK5qKJMRxmLWmjE7pQurLYHsxA+s6KHbG/JW7r+l+UBJwQAQwQmD3SYwzGwvcKt
d0FMMwgkaUpIjnI0lENeFVAIGh3G2P7uAFEJibz/40jkY6QKg7n4l7Dy2MvaBTfO
cWiXWYZaN9aQMa2Kt0/50AWDOVNwTSp5k7xsu0S0cnmy90RuUuMSTfkLR30Nwkoc
R/V7XU1PoBUxqsRC0smIwhavZLv58t8IUNAFQzr+jyVnfSBK4dWtCpnQVchoTqIC
I0Q4UutKVAuODYIwXNDZbUzfBYYGrJEI5Mnfva4uDLKoS0lhsMoP142I2jZwnyy/
DzqeEAe0k09HDgKIT55yrIQY6oPIcA8ugiQzUCD44Vw4xs08wqa21iFxakniHTTj
1cKLQeo1lst7Q6+1Uv64zcurzKnaoMlueiDMoo5EJjr0plGUq/6rTDa3+HNlz26n
WSloADqnIlR4SwV9Dmd9XTQktKGqBK7KdH44Kr0DkiDA2pw72RlHhhd6biUyqbxM
K3PF9fSB1eDP+6dwWg7C/ARy8zaNoF+gDcOxBCOqDmK2sEmgrBs=
=Iw+T
-----END PGP SIGNATURE-----
Merge 5.10.127 into android12-5.10-lts
Changes in 5.10.127
vt: drop old FONT ioctls
random: schedule mix_interrupt_randomness() less often
random: quiet urandom warning ratelimit suppression message
ALSA: hda/via: Fix missing beep setup
ALSA: hda/conexant: Fix missing beep setup
ALSA: hda/realtek: Add mute LED quirk for HP Omen laptop
ALSA: hda/realtek - ALC897 headset MIC no sound
ALSA: hda/realtek: Apply fixup for Lenovo Yoga Duet 7 properly
ALSA: hda/realtek: Add quirk for Clevo PD70PNT
ALSA: hda/realtek: Add quirk for Clevo NS50PU
net: openvswitch: fix parsing of nw_proto for IPv6 fragments
btrfs: add error messages to all unrecognized mount options
mmc: sdhci-pci-o2micro: Fix card detect by dealing with debouncing
mtd: rawnand: gpmi: Fix setting busy timeout setting
ata: libata: add qc->flags in ata_qc_complete_template tracepoint
dm era: commit metadata in postsuspend after worker stops
dm mirror log: clear log bits up to BITS_PER_LONG boundary
USB: serial: option: add Telit LE910Cx 0x1250 composition
USB: serial: option: add Quectel EM05-G modem
USB: serial: option: add Quectel RM500K module support
drm/msm: Fix double pm_runtime_disable() call
netfilter: nftables: add nft_parse_register_load() and use it
netfilter: nftables: add nft_parse_register_store() and use it
netfilter: use get_random_u32 instead of prandom
scsi: scsi_debug: Fix zone transition to full condition
drm/msm: use for_each_sgtable_sg to iterate over scatterlist
bpf: Fix request_sock leak in sk lookup helpers
drm/sun4i: Fix crash during suspend after component bind failure
bpf, x86: Fix tail call count offset calculation on bpf2bpf call
phy: aquantia: Fix AN when higher speeds than 1G are not advertised
tipc: simplify the finalize work queue
tipc: fix use-after-free Read in tipc_named_reinit
igb: fix a use-after-free issue in igb_clean_tx_ring
bonding: ARP monitor spams NETDEV_NOTIFY_PEERS notifiers
net/sched: sch_netem: Fix arithmetic in netem_dump() for 32-bit platforms
drm/msm/mdp4: Fix refcount leak in mdp4_modeset_init_intf
drm/msm/dp: check core_initialized before disable interrupts at dp_display_unbind()
drm/msm/dp: fixes wrong connection state caused by failure of link train
drm/msm/dp: deinitialize mainlink if link training failed
drm/msm/dp: promote irq_hpd handle to handle link training correctly
drm/msm/dp: fix connect/disconnect handled at irq_hpd
erspan: do not assume transport header is always set
net/tls: fix tls_sk_proto_close executed repeatedly
udmabuf: add back sanity check
selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in nft_concat_range.sh
x86/xen: Remove undefined behavior in setup_features()
MIPS: Remove repetitive increase irq_err_count
afs: Fix dynamic root getattr
ice: ethtool: advertise 1000M speeds properly
regmap-irq: Fix a bug in regmap_irq_enable() for type_in_mask chips
igb: Make DMA faster when CPU is active on the PCIe link
virtio_net: fix xdp_rxq_info bug after suspend/resume
Revert "net/tls: fix tls_sk_proto_close executed repeatedly"
nvme: centralize setting the timeout in nvme_alloc_request
nvme: split nvme_alloc_request()
nvme: mark nvme_setup_passsthru() inline
nvme: don't check nvme_req flags for new req
nvme-pci: allocate nvme_command within driver pdu
nvme-pci: add NO APST quirk for Kioxia device
nvme: move the Samsung X5 quirk entry to the core quirks
gpio: winbond: Fix error code in winbond_gpio_get()
s390/cpumf: Handle events cycles and instructions identical
iio: mma8452: fix probe fail when device tree compatible is used.
iio: adc: vf610: fix conversion mode sysfs node name
usb: typec: wcove: Drop wrong dependency to INTEL_SOC_PMIC
xhci: turn off port power in shutdown
xhci-pci: Allow host runtime PM as default for Intel Raptor Lake xHCI
xhci-pci: Allow host runtime PM as default for Intel Meteor Lake xHCI
usb: gadget: Fix non-unique driver names in raw-gadget driver
USB: gadget: Fix double-free bug in raw_gadget driver
usb: chipidea: udc: check request status before setting device address
f2fs: attach inline_data after setting compression
iio:chemical:ccs811: rearrange iio trigger get and register
iio:accel:bma180: rearrange iio trigger get and register
iio:accel:mxc4005: rearrange iio trigger get and register
iio: accel: mma8452: ignore the return value of reset operation
iio: gyro: mpu3050: Fix the error handling in mpu3050_power_up()
iio: trigger: sysfs: fix use-after-free on remove
iio: adc: stm32: fix maximum clock rate for stm32mp15x
iio: imu: inv_icm42600: Fix broken icm42600 (chip id 0 value)
iio: adc: stm32: Fix ADCs iteration in irq handler
iio: adc: stm32: Fix IRQs on STM32F4 by removing custom spurious IRQs message
iio: adc: axp288: Override TS pin bias current for some models
iio: adc: adi-axi-adc: Fix refcount leak in adi_axi_adc_attach_client
xtensa: xtfpga: Fix refcount leak bug in setup
xtensa: Fix refcount leak bug in time.c
parisc/stifb: Fix fb_is_primary_device() only available with CONFIG_FB_STI
parisc: Enable ARCH_HAS_STRICT_MODULE_RWX
powerpc: Enable execve syscall exit tracepoint
powerpc/rtas: Allow ibm,platform-dump RTAS call with null buffer address
powerpc/powernv: wire up rng during setup_arch
ARM: dts: imx7: Move hsic_phy power domain to HSIC PHY node
ARM: dts: imx6qdl: correct PU regulator ramp delay
ARM: exynos: Fix refcount leak in exynos_map_pmu
soc: bcm: brcmstb: pm: pm-arm: Fix refcount leak in brcmstb_pm_probe
ARM: Fix refcount leak in axxia_boot_secondary
memory: samsung: exynos5422-dmc: Fix refcount leak in of_get_dram_timings
ARM: cns3xxx: Fix refcount leak in cns3xxx_init
modpost: fix section mismatch check for exported init/exit sections
random: update comment from copy_to_user() -> copy_to_iter()
kbuild: link vmlinux only once for CONFIG_TRIM_UNUSED_KSYMS (2nd attempt)
powerpc/pseries: wire up rng during setup_arch()
Linux 5.10.127
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I1a36d81c8c44a8bf1c20cf9e1060394e4927eedb
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmKouFYACgkQONu9yGCS
aT4ZOQ/+LjJruqYS4VVYb/MkIySB4MUdox8aXzu1zX8mlCc7h4DJnWaGjt6nrr62
ZaUTi3gTslajn2PCGzejDVppAdC7K/JRcvHUWWu8otHEZy1itauiwCEKWuUSxOl/
yYdN6AXwBLF1xUZWstDxJOAelAFsQs9IdtsBLc8eTq4VXjnAJYSLWbUjZYwbA+q6
5qAWbdNnnpKML69T8EXdts4rZdtinhVHxZGxu+V+SFJoyi1UxOHgCTwGsJB5Pa0P
EpJ69VCQQfpoju6dWtinFZh0EFW1ycCGZJT0jQ4MuvZO4mDKjaFM0kY70xsDLA6I
ZVSxAMTD80aoCljHY0aJZZGCcOO7o8C3k7uUgeYcW1YqRfG2xz3hNs8TtEVUl+q+
Pnxbn9rPW0gERVMs7jRvkGgXS7Xgs81rCD2NrHVJQz32qDYkTKOeBRo/veWtVPBP
eqt6v0314SiKZuMOwNg4NIPvGykJ+/HrER8fEBVzfHAM16JHkqPBBopG4KESPR2T
b2+xfGQRGu/ZJPcrU0M9efP034OmXEJ/wDY8ExRXULSFlIW3HaYK1sWhOUYoolwn
0Eew8Ej/wq9UzhuWs3QOvJK7XVQch9VLSZiZwbZBfRHTQ1pFGyKyDh4Ab/uWns61
AYyM++VCIOGv4UgHBH6dhT4ff4x33t2CC6+Yr5/yX5t9fu+V5J4=
=7sqT
-----END PGP SIGNATURE-----
Merge 5.10.122 into android12-5.10-lts
Changes in 5.10.122
pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
staging: greybus: codecs: fix type confusion of list iterator variable
iio: adc: ad7124: Remove shift from scan_type
lkdtm/bugs: Check for the NULL pointer after calling kmalloc
tty: goldfish: Use tty_port_destroy() to destroy port
tty: serial: owl: Fix missing clk_disable_unprepare() in owl_uart_probe
tty: n_tty: Restore EOF push handling behavior
tty: serial: fsl_lpuart: fix potential bug when using both of_alias_get_id and ida_simple_get
usb: usbip: fix a refcount leak in stub_probe()
usb: usbip: add missing device lock on tweak configuration cmd
USB: storage: karma: fix rio_karma_init return
usb: musb: Fix missing of_node_put() in omap2430_probe
staging: fieldbus: Fix the error handling path in anybuss_host_common_probe()
pwm: lp3943: Fix duty calculation in case period was clamped
rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value
usb: dwc3: pci: Fix pm_runtime_get_sync() error checking
misc: fastrpc: fix an incorrect NULL check on list iterator
firmware: stratix10-svc: fix a missing check on list iterator
usb: typec: mux: Check dev_set_name() return value
iio: adc: stmpe-adc: Fix wait_for_completion_timeout return value check
iio: proximity: vl53l0x: Fix return value check of wait_for_completion_timeout
iio: adc: sc27xx: fix read big scale voltage not right
iio: adc: sc27xx: Fine tune the scale calibration values
rpmsg: qcom_smd: Fix returning 0 if irq_of_parse_and_map() fails
phy: qcom-qmp: fix pipe-clock imbalance on power-on failure
serial: sifive: Report actual baud base rather than fixed 115200
coresight: cpu-debug: Replace mutex with mutex_trylock on panic notifier
extcon: ptn5150: Add queue work sync before driver release
soc: rockchip: Fix refcount leak in rockchip_grf_init
clocksource/drivers/riscv: Events are stopped during CPU suspend
rtc: mt6397: check return value after calling platform_get_resource()
serial: meson: acquire port->lock in startup()
serial: 8250_fintek: Check SER_RS485_RTS_* only with RS485
serial: digicolor-usart: Don't allow CS5-6
serial: rda-uart: Don't allow CS5-6
serial: txx9: Don't allow CS5-6
serial: sh-sci: Don't allow CS5-6
serial: sifive: Sanitize CSIZE and c_iflag
serial: st-asc: Sanitize CSIZE and correct PARENB for CS7
serial: stm32-usart: Correct CSIZE, bits, and parity
firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
bus: ti-sysc: Fix warnings for unbind for serial
driver: base: fix UAF when driver_attach failed
driver core: fix deadlock in __device_attach
watchdog: rti-wdt: Fix pm_runtime_get_sync() error checking
watchdog: ts4800_wdt: Fix refcount leak in ts4800_wdt_probe
ASoC: fsl_sai: Fix FSL_SAI_xDR/xFR definition
clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value
s390/crypto: fix scatterwalk_unmap() callers in AES-GCM
net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog
net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()
net: ethernet: ti: am65-cpsw-nuss: Fix some refcount leaks
net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register
modpost: fix removing numeric suffixes
jffs2: fix memory leak in jffs2_do_fill_super
ubi: fastmap: Fix high cpu usage of ubi_bgt by making sure wl_pool not empty
ubi: ubi_create_volume: Fix use-after-free when volume creation failed
bpf: Fix probe read error in ___bpf_prog_run()
riscv: read-only pages should not be writable
net/smc: fixes for converting from "struct smc_cdc_tx_pend **" to "struct smc_wr_tx_pend_priv *"
nfp: only report pause frame configuration for physical device
sfc: fix considering that all channels have TX queues
sfc: fix wrong tx channel offset with efx_separate_tx_channels
net/mlx5: Don't use already freed action pointer
net/mlx5: correct ECE offset in query qp output
net/mlx5e: Update netdev features after changing XDP state
net: sched: add barrier to fix packet stuck problem for lockless qdisc
tcp: tcp_rtx_synack() can be called from process context
gpio: pca953x: use the correct register address to do regcache sync
afs: Fix infinite loop found by xfstest generic/676
scsi: sd: Fix potential NULL pointer dereference
tipc: check attribute length for bearer name
driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction
perf c2c: Fix sorting in percent_rmt_hitm_cmp()
dmaengine: idxd: set DMA_INTERRUPT cap bit
mips: cpc: Fix refcount leak in mips_cpc_default_phys_base
bootconfig: Make the bootconfig.o as a normal object file
tracing: Fix sleeping function called from invalid context on RT kernel
tracing: Avoid adding tracer option before update_tracer_options
iommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()
iommu/arm-smmu-v3: check return value after calling platform_get_resource()
f2fs: remove WARN_ON in f2fs_is_valid_blkaddr
i2c: cadence: Increase timeout per message if necessary
m68knommu: set ZERO_PAGE() to the allocated zeroed page
m68knommu: fix undefined reference to `_init_sp'
dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type
NFSv4: Don't hold the layoutget locks across multiple RPC calls
video: fbdev: hyperv_fb: Allow resolutions with size > 64 MB for Gen1
video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()
xprtrdma: treat all calls not a bcall when bc_serv is NULL
netfilter: nat: really support inet nat without l3 address
netfilter: nf_tables: delete flowtable hooks via transaction list
powerpc/kasan: Force thread size increase with KASAN
netfilter: nf_tables: always initialize flowtable hook list in transaction
ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe
netfilter: nf_tables: release new hooks on unsupported flowtable flags
netfilter: nf_tables: memleak flow rule from commit path
netfilter: nf_tables: bail out early if hardware offload is not supported
xen: unexport __init-annotated xen_xlate_map_ballooned_pages()
af_unix: Fix a data-race in unix_dgram_peer_wake_me().
bpf, arm64: Clear prog->jited_len along prog->jited
net: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list
net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure
SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()
net: mdio: unexport __init-annotated mdio_bus_init()
net: xfrm: unexport __init-annotated xfrm4_protocol_init()
net: ipv6: unexport __init-annotated seg6_hmac_init()
net/mlx5: Rearm the FW tracer after each tracer event
net/mlx5: fs, fail conflicting actions
ip_gre: test csum_start instead of transport header
net: altera: Fix refcount leak in altera_tse_mdio_create
drm: imx: fix compiler warning with gcc-12
iio: dummy: iio_simple_dummy: check the return value of kstrdup()
staging: rtl8712: fix a potential memory leak in r871xu_drv_init()
iio: st_sensors: Add a local lock for protecting odr
lkdtm/usercopy: Expand size of "out of frame" object
tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()
tty: Fix a possible resource leak in icom_probe
drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop()
drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()
USB: host: isp116x: check return value after calling platform_get_resource()
drivers: tty: serial: Fix deadlock in sa1100_set_termios()
drivers: usb: host: Fix deadlock in oxu_bus_suspend()
USB: hcd-pci: Fully suspend across freeze/thaw cycle
sysrq: do not omit current cpu when showing backtrace of all active CPUs
usb: dwc2: gadget: don't reset gadget's driver->bus
misc: rtsx: set NULL intfdata when probe fails
extcon: Modify extcon device to be created after driver data is set
clocksource/drivers/sp804: Avoid error on multiple instances
staging: rtl8712: fix uninit-value in usb_read8() and friends
staging: rtl8712: fix uninit-value in r871xu_drv_init()
serial: msm_serial: disable interrupts in __msm_console_write()
kernfs: Separate kernfs_pr_cont_buf and rename_lock.
watchdog: wdat_wdt: Stop watchdog when rebooting the system
md: protect md_unregister_thread from reentrancy
scsi: myrb: Fix up null pointer access on myrb_cleanup()
Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"
ceph: allow ceph.dir.rctime xattr to be updatable
drm/radeon: fix a possible null pointer dereference
modpost: fix undefined behavior of is_arm_mapping_symbol()
x86/cpu: Elide KCSAN for cpu_has() and friends
jump_label,noinstr: Avoid instrumentation for JUMP_LABEL=n builds
nbd: call genl_unregister_family() first in nbd_cleanup()
nbd: fix race between nbd_alloc_config() and module removal
nbd: fix io hung while disconnecting device
s390/gmap: voluntarily schedule during key setting
cifs: version operations for smb20 unneeded when legacy support disabled
nodemask: Fix return values to be unsigned
vringh: Fix loop descriptors check in the indirect cases
scripts/gdb: change kernel config dumping method
ALSA: hda/conexant - Fix loopback issue with CX20632
ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo Yoga DuetITL 2021
cifs: return errors during session setup during reconnects
cifs: fix reconnect on smb3 mount types
ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files
mmc: block: Fix CQE recovery reset success
net: phy: dp83867: retrigger SGMII AN when link change
nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION
nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION
ixgbe: fix bcast packets Rx on VF after promisc removal
ixgbe: fix unexpected VLAN Rx in promisc mode on VF
Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
drm/bridge: analogix_dp: Support PSR-exit to disable transition
drm/atomic: Force bridge self-refresh-exit on CRTC switch
powerpc/32: Fix overread/overwrite of thread_struct via ptrace
powerpc/mm: Switch obsolete dssall to .long
interconnect: qcom: sc7180: Drop IP0 interconnects
interconnect: Restore sync state by ignoring ipa-virt in provider count
md/raid0: Ignore RAID0 layout if the second zone has only one device
PCI: qcom: Fix pipe clock imbalance
zonefs: fix handling of explicit_open option on mount
dmaengine: idxd: add missing callback function to support DMA_INTERRUPT
tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd
Linux 5.10.122
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8b96565fbcb635b2faaf2adcf287c963180c0b92
[ Upstream commit 00aff3590fc0a73bddd3b743863c14e76fd35c0c ]
Free sk in case tipc_sk_insert() fails.
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit cb8092d70a6f5f01ec1490fce4d35efed3ed996c upstream.
Shuang Li reported a NULL pointer dereference crash:
[] BUG: kernel NULL pointer dereference, address: 0000000000000068
[] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc]
[] Call Trace:
[] <IRQ>
[] tipc_bcast_rcv+0xa2/0x190 [tipc]
[] tipc_node_bc_rcv+0x8b/0x200 [tipc]
[] tipc_rcv+0x3af/0x5b0 [tipc]
[] tipc_udp_recv+0xc7/0x1e0 [tipc]
It was caused by the 'l' passed into tipc_bcast_rcv() is NULL. When it
creates a node in tipc_node_check_dest(), after inserting the new node
into hashtable in tipc_node_create(), it creates the bc link. However,
there is a gap between this insert and bc link creation, a bc packet
may come in and get the node from the hashtable then try to dereference
its bc link, which is NULL.
This patch is to fix it by moving the bc link creation before inserting
into the hashtable.
Note that for a preliminary node becoming "real", the bc link creation
should also be called before it's rehashed, as we don't create it for
preliminary nodes.
Fixes: 4cbf8ac2fe ("tipc: enable creating a "preliminary" node")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 911600bf5a5e84bfda4d33ee32acc75ecf6159f0 ]
syzbot found the following issue on:
==================================================================
BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0
net/tipc/name_distr.c:413
Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764
CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted
5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0
Hardware name: Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x495
mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413
tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
[...]
==================================================================
In the commit
d966ddcc38 ("tipc: fix a deadlock when flushing scheduled work"),
the cancel_work_sync() function just to make sure ONLY the work
tipc_net_finalize_work() is executing/pending on any CPU completed before
tipc namespace is destroyed through tipc_exit_net(). But this function
is not guaranteed the work is the last queued. So, the destroyed instance
may be accessed in the work which will try to enqueue later.
In order to completely fix, we re-order the calling of cancel_work_sync()
to make sure the work tipc_net_finalize_work() was last queued and it
must be completed by calling cancel_work_sync().
Reported-by: syzbot+47af19f3307fc9c5c82e@syzkaller.appspotmail.com
Fixes: d966ddcc38 ("tipc: fix a deadlock when flushing scheduled work")
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit be07f056396d6bb40963c45a02951c566ddeef8e ]
This patch is to use "struct work_struct" for the finalize work queue
instead of "struct tipc_net_work", as it can get the "net" and "addr"
from tipc_net's other members and there is no need to add extra net
and addr in tipc_net by defining "struct tipc_net_work".
Note that it's safe to get net from tn->bcl as bcl is always released
after the finalize work queue is done.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmJQLWwACgkQONu9yGCS
aT4R2BAAr/cGnf2/BQ6+zNPW+LlfGn75803yd+oWNL8WzjNiQGrTsQavE1jL0LXP
45iPxvY6eOlP9oEoJGYyNYhzQfUM92Unysa/KemB/xUBsb2If0ZdWk1WB9Lnw0xq
m65kACXovbcg4LsZGpgCv7ln1ykogo+bNMES9P6CLxwKR/DMKUeJxbRNKE/AkD5l
DxF7IJEP+YRbKAtoLM2Xj4KdjVSfRIfs+Pf0A1t43GqAw6tt3beqmzeCwDzuzz5a
DHpXS6PeJjTZOjz4LkuBSbyK5cKGFv1C6o7JVjWSZhDyI5E4OLdNDpNKqcjsXAN+
wMqS1eh4gYUBXmPE44BGwkkugPyaR0/KHUebfkFZG2/H/8DfvrGqlbvsGSFNXxsV
jH2/AV/rOxAFeM/U0c1I4Ve42MU18kdf1MRBo0Dq5xSoN9HFQhNp+HE5jpppgsvi
FYpMqZoQzH31GIjOq7g0zLdj4NTBrkO9dh7kbpH0Xay1yBmigvD2PA4qpsL1+VMI
v73Iq/RJVGUJFAeiYFjn9IGs9EsiKNG08v9uoKS+1m1VLrpVdgwtzo+RjJ/E51Mt
Nk4WK94MyoivkRFKulDasv9yBWdcZCfljc91271UCKCERlyO/bmsTqhffeATGGRh
N/7oxa71BHvxp0VYqvKD6xFUs+jFt9DQmIX7Pl1/yLpaz+sN0no=
=31mv
-----END PGP SIGNATURE-----
Merge 5.10.110 into android12-5.10-lts
Changes in 5.10.110
swiotlb: fix info leak with DMA_FROM_DEVICE
USB: serial: pl2303: add IBM device IDs
USB: serial: simple: add Nokia phone driver
hv: utils: add PTP_1588_CLOCK to Kconfig to fix build
netdevice: add the case if dev is NULL
HID: logitech-dj: add new lightspeed receiver id
xfrm: fix tunnel model fragmentation behavior
ARM: mstar: Select HAVE_ARM_ARCH_TIMER
virtio_console: break out of buf poll on remove
vdpa/mlx5: should verify CTRL_VQ feature exists for MQ
tools/virtio: fix virtio_test execution
ethernet: sun: Free the coherent when failing in probing
gpio: Revert regression in sysfs-gpio (gpiolib.c)
spi: Fix invalid sgs value
net:mcf8390: Use platform_get_irq() to get the interrupt
Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)"
spi: Fix erroneous sgs value with min_t()
Input: zinitix - do not report shadow fingers
af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
net: dsa: microchip: add spi_device_id tables
locking/lockdep: Avoid potential access of invalid memory in lock_class
iommu/iova: Improve 32-bit free space estimate
tpm: fix reference counting for struct tpm_chip
virtio-blk: Use blk_validate_block_size() to validate block size
USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
xhci: fix garbage USBSTS being logged in some cases
xhci: fix runtime PM imbalance in USB2 resume
xhci: make xhci_handshake timeout for xhci_reset() adjustable
xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx()
mei: me: add Alder Lake N device id.
mei: avoid iterator usage outside of list_for_each_entry
coresight: Fix TRCCONFIGR.QE sysfs interface
iio: afe: rescale: use s64 for temporary scale calculations
iio: inkern: apply consumer scale on IIO_VAL_INT cases
iio: inkern: apply consumer scale when no channel scale is available
iio: inkern: make a best effort on offset calculation
greybus: svc: fix an error handling bug in gb_svc_hello()
clk: uniphier: Fix fixed-rate initialization
ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
KEYS: fix length validation in keyctl_pkey_params_get_2()
Documentation: add link to stable release candidate tree
Documentation: update stable tree link
firmware: stratix10-svc: add missing callback parameter on RSU
HID: intel-ish-hid: Use dma_alloc_coherent for firmware update
SUNRPC: avoid race between mod_timer() and del_timer_sync()
NFSD: prevent underflow in nfssvc_decode_writeargs()
NFSD: prevent integer overflow on 32 bit systems
f2fs: fix to unlock page correctly in error path of is_alive()
f2fs: quota: fix loop condition at f2fs_quota_sync()
f2fs: fix to do sanity check on .cp_pack_total_block_count
remoteproc: Fix count check in rproc_coredump_write()
pinctrl: samsung: drop pin banks references on error paths
spi: mxic: Fix the transmit path
mtd: rawnand: protect access to rawnand devices while in suspend
can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path
jffs2: fix use-after-free in jffs2_clear_xattr_subsystem
jffs2: fix memory leak in jffs2_do_mount_fs
jffs2: fix memory leak in jffs2_scan_medium
mm/pages_alloc.c: don't create ZONE_MOVABLE beyond the end of a node
mm: invalidate hwpoison page cache page in fault path
mempolicy: mbind_range() set_policy() after vma_merge()
scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
qed: display VF trust config
qed: validate and restrict untrusted VFs vlan promisc mode
riscv: Fix fill_callchain return value
riscv: Increase stack size under KASAN
Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"
cifs: prevent bad output lengths in smb2_ioctl_query_info()
cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
ALSA: cs4236: fix an incorrect NULL check on list iterator
ALSA: hda: Avoid unsol event during RPM suspending
ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020
mm: madvise: skip unmapped vma holes passed to process_madvise
mm: madvise: return correct bytes advised with process_madvise
Revert "mm: madvise: skip unmapped vma holes passed to process_madvise"
mm,hwpoison: unmap poisoned page before invalidation
mm/kmemleak: reset tag when compare object pointer
dm integrity: set journal entry unused when shrinking device
drbd: fix potential silent data corruption
can: isotp: sanitize CAN ID checks in isotp_bind()
powerpc/kvm: Fix kvm_use_magic_page
udp: call udp_encap_enable for v6 sockets when enabling encap
arm64: signal: nofpsimd: Do not allocate fp/simd context when not available
arm64: dts: ti: k3-am65: Fix gic-v3 compatible regs
arm64: dts: ti: k3-j721e: Fix gic-v3 compatible regs
arm64: dts: ti: k3-j7200: Fix gic-v3 compatible regs
ACPI: properties: Consistently return -ENOENT if there are no more references
coredump: Also dump first pages of non-executable ELF libraries
ext4: fix ext4_fc_stats trace point
ext4: fix fs corruption when tring to remove a non-empty directory with IO error
drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()
mailbox: tegra-hsp: Flush whole channel
block: limit request dispatch loop duration
block: don't merge across cgroup boundaries if blkcg is enabled
drm/edid: check basic audio support on CEA extension block
video: fbdev: sm712fb: Fix crash in smtcfb_read()
video: fbdev: atari: Atari 2 bpp (STe) palette bugfix
ARM: dts: at91: sama5d2: Fix PMERRLOC resource size
ARM: dts: exynos: fix UART3 pins configuration in Exynos5250
ARM: dts: exynos: add missing HDMI supplies on SMDK5250
ARM: dts: exynos: add missing HDMI supplies on SMDK5420
mgag200 fix memmapsl configuration in GCTL6 register
carl9170: fix missing bit-wise or operator for tx_params
pstore: Don't use semaphores in always-atomic-context code
thermal: int340x: Increase bitmap size
lib/raid6/test: fix multiple definition linking error
exec: Force single empty string when argv is empty
crypto: rsa-pkcs1pad - only allow with rsa
crypto: rsa-pkcs1pad - correctly get hash from source scatterlist
crypto: rsa-pkcs1pad - restore signature length check
crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete()
bcache: fixup multiple threads crash
DEC: Limit PMAX memory probing to R3k systems
media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC
media: davinci: vpif: fix unbalanced runtime PM get
media: davinci: vpif: fix unbalanced runtime PM enable
xtensa: fix stop_machine_cpuslocked call in patch_text
xtensa: fix xtensa_wsr always writing 0
brcmfmac: firmware: Allocate space for default boardrev in nvram
brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path
brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio
brcmfmac: pcie: Fix crashes due to early IRQs
drm/i915/opregion: check port number bounds for SWSCI display power state
drm/i915/gem: add missing boundary check in vm_access
PCI: pciehp: Clear cmd_busy bit in polling mode
PCI: xgene: Revert "PCI: xgene: Fix IB window setup"
regulator: qcom_smd: fix for_each_child.cocci warnings
selinux: check return value of sel_make_avc_files
hwrng: cavium - Check health status while reading random data
hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER
crypto: sun8i-ss - really disable hash on A80
crypto: authenc - Fix sleep in atomic context in decrypt_tail
crypto: mxs-dcp - Fix scatterlist processing
thermal: int340x: Check for NULL after calling kmemdup()
spi: tegra114: Add missing IRQ check in tegra_spi_probe
arm64/mm: avoid fixmap race condition when create pud mapping
selftests/x86: Add validity check and allow field splitting
crypto: rockchip - ECB does not need IV
audit: log AUDIT_TIME_* records only from rules
EVM: fix the evm= __setup handler return value
crypto: ccree - don't attempt 0 len DMA mappings
spi: pxa2xx-pci: Balance reference count for PCI DMA device
hwmon: (pmbus) Add mutex to regulator ops
hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING
nvme: cleanup __nvme_check_ids
block: don't delete queue kobject before its children
PM: hibernate: fix __setup handler error handling
PM: suspend: fix return value of __setup handler
spi: spi-zynqmp-gqspi: Handle error for dma_set_mask
hwrng: atmel - disable trng on failure path
crypto: sun8i-ss - call finalize with bh disabled
crypto: sun8i-ce - call finalize with bh disabled
crypto: amlogic - call finalize with bh disabled
crypto: vmx - add missing dependencies
clocksource/drivers/timer-ti-dm: Fix regression from errata i940 fix
clocksource/drivers/exynos_mct: Refactor resources allocation
clocksource/drivers/exynos_mct: Handle DTS with higher number of interrupts
clocksource/drivers/timer-microchip-pit64b: Use notrace
clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init()
ACPI: APEI: fix return value of __setup handlers
crypto: ccp - ccp_dmaengine_unregister release dma channels
crypto: ccree - Fix use after free in cc_cipher_exit()
vfio: platform: simplify device removal
amba: Make the remove callback return void
hwrng: nomadik - Change clk_disable to clk_disable_unprepare
hwmon: (pmbus) Add Vin unit off handling
clocksource: acpi_pm: fix return value of __setup handler
io_uring: terminate manual loop iterator loop correctly for non-vecs
watch_queue: Fix NULL dereference in error cleanup
watch_queue: Actually free the watch
f2fs: fix to enable ATGC correctly via gc_idle sysfs interface
sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa
sched/core: Export pelt_thermal_tp
rseq: Optimise rseq_get_rseq_cs() and clear_rseq_cs()
rseq: Remove broken uapi field layout on 32-bit little endian
perf/core: Fix address filter parser for multiple filters
perf/x86/intel/pt: Fix address filter config for 32-bit kernel
f2fs: fix missing free nid in f2fs_handle_failed_inode
nfsd: more robust allocation failure handling in nfsd_file_cache_init
f2fs: fix to avoid potential deadlock
btrfs: fix unexpected error path when reflinking an inline extent
f2fs: compress: remove unneeded read when rewrite whole cluster
f2fs: fix compressed file start atomic write may cause data corruption
selftests, x86: fix how check_cc.sh is being invoked
kunit: make kunit_test_timeout compatible with comment
media: staging: media: zoran: fix usage of vb2_dma_contig_set_max_seg_size
media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls
media: mtk-vcodec: potential dereference of null pointer
media: bttv: fix WARNING regression on tunerless devices
ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting
ASoC: generic: simple-card-utils: remove useless assignment
media: coda: Fix missing put_device() call in coda_get_vdoa_data
media: meson: vdec: potential dereference of null pointer
media: hantro: Fix overfill bottom register field name
media: aspeed: Correct value for h-total-pixels
video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen
video: fbdev: controlfb: Fix set but not used warnings
video: fbdev: controlfb: Fix COMPILE_TEST build
video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe()
video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name()
firmware: qcom: scm: Remove reassignment to desc following initializer
ARM: dts: qcom: ipq4019: fix sleep clock
soc: qcom: rpmpd: Check for null return of devm_kcalloc
soc: qcom: ocmem: Fix missing put_device() call in of_get_ocmem
soc: qcom: aoss: remove spurious IRQF_ONESHOT flags
arm64: dts: qcom: sdm845: fix microphone bias properties and values
arm64: dts: qcom: sm8150: Correct TCS configuration for apps rsc
firmware: ti_sci: Fix compilation failure when CONFIG_TI_SCI_PROTOCOL is not defined
soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe
ARM: dts: sun8i: v3s: Move the csi1 block to follow address order
ARM: dts: imx: Add missing LVDS decoder on M53Menlo
media: video/hdmi: handle short reads of hdmi info frame.
media: em28xx: initialize refcount before kref_get
media: usb: go7007: s2250-board: fix leak in probe()
media: cedrus: H265: Fix neighbour info buffer size
media: cedrus: h264: Fix neighbour info buffer size
ASoC: codecs: wcd934x: fix return value of wcd934x_rx_hph_mode_put
uaccess: fix nios2 and microblaze get_user_8()
ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp()
ASoC: ti: davinci-i2s: Add check for clk_enable()
ALSA: spi: Add check for clk_enable()
arm64: dts: ns2: Fix spi-cpol and spi-cpha property
arm64: dts: broadcom: Fix sata nodename
printk: fix return value of printk.devkmsg __setup handler
ASoC: mxs-saif: Handle errors for clk_enable
ASoC: atmel_ssc_dai: Handle errors for clk_enable
ASoC: dwc-i2s: Handle errors for clk_enable
ASoC: soc-compress: prevent the potentially use of null pointer
memory: emif: Add check for setup_interrupts
memory: emif: check the pointer temp in get_device_details()
ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
arm64: dts: rockchip: Fix SDIO regulator supply properties on rk3399-firefly
m68k: coldfire/device.c: only build for MCF_EDMA when h/w macros are defined
media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED
media: vidtv: Check for null return of vzalloc
ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe
ASoC: wm8350: Handle error for wm8350_register_irq
ASoC: fsi: Add check for clk_enable
video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of
media: saa7134: convert list_for_each to entry variant
media: saa7134: fix incorrect use to determine if list is empty
ivtv: fix incorrect device_caps for ivtvfb
ASoC: rockchip: i2s: Use devm_platform_get_and_ioremap_resource()
ASoC: rockchip: i2s: Fix missing clk_disable_unprepare() in rockchip_i2s_probe
ASoC: SOF: Add missing of_node_put() in imx8m_probe
ASoC: dmaengine: do not use a NULL prepare_slave_config() callback
ASoC: mxs: Fix error handling in mxs_sgtl5000_probe
ASoC: fsl_spdif: Disable TX clock when stop
ASoC: imx-es8328: Fix error return code in imx_es8328_probe()
ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe
mmc: davinci_mmc: Handle error for clk_enable
ASoC: atmel: sam9x5_wm8731: use devm_snd_soc_register_card()
ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe
ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe
ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data
ARM: configs: multi_v5_defconfig: re-enable CONFIG_V4L_PLATFORM_DRIVERS
drm/meson: osd_afbcd: Add an exit callback to struct meson_afbcd_ops
drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev
drm/bridge: Add missing pm_runtime_disable() in __dw_mipi_dsi_probe
drm/bridge: nwl-dsi: Fix PM disable depth imbalance in nwl_dsi_probe
drm: bridge: adv7511: Fix ADV7535 HPD enablement
ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern
drm/panfrost: Check for error num after setting mask
libbpf: Fix possible NULL pointer dereference when destroying skeleton
udmabuf: validate ubuf->pagecount
Bluetooth: hci_serdev: call init_rwsem() before p->open()
mtd: onenand: Check for error irq
mtd: rawnand: gpmi: fix controller timings setting
drm/edid: Don't clear formats if using deep color
ionic: fix type complaint in ionic_dev_cmd_clean()
drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl()
drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()
drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function
ath9k_htc: fix uninit value bugs
RDMA/core: Set MR type in ib_reg_user_mr
KVM: PPC: Fix vmx/vsx mixup in mmio emulation
i40e: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb
i40e: respect metadata on XSK Rx to skb
power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe
ray_cs: Check ioremap return value
powerpc: dts: t1040rdb: fix ports names for Seville Ethernet switch
KVM: PPC: Book3S HV: Check return value of kvmppc_radix_init
powerpc/perf: Don't use perf_hw_context for trace IMC PMU
mt76: mt7915: use proper aid value in mt7915_mcu_wtbl_generic_tlv in sta mode
mt76: mt7915: use proper aid value in mt7915_mcu_sta_basic_tlv
mt76: mt7603: check sta_rates pointer in mt7603_sta_rate_tbl_update
mt76: mt7615: check sta_rates pointer in mt7615_sta_rate_tbl_update
net: dsa: mv88e6xxx: Enable port policy support on 6097
scripts/dtc: Call pkg-config POSIXly correct
livepatch: Fix build failure on 32 bits processors
PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge
drm/bridge: dw-hdmi: use safe format when first in bridge chain
power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init
HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports
iommu/ipmmu-vmsa: Check for error num after setting mask
drm/amd/pm: enable pm sysfs write for one VF mode
drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug
IB/cma: Allow XRC INI QPs to set their local ACK timeout
dax: make sure inodes are flushed before destroy cache
iwlwifi: Fix -EIO error code that is never returned
iwlwifi: mvm: Fix an error code in iwl_mvm_up()
drm/msm/dp: populate connector of struct dp_panel
drm/msm/dpu: add DSPP blocks teardown
drm/msm/dpu: fix dp audio condition
dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS
scsi: pm8001: Fix command initialization in pm80XX_send_read_log()
scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req()
scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config()
scsi: pm8001: Fix le32 values handling in pm80xx_set_sas_protocol_timer_config()
scsi: pm8001: Fix payload initialization in pm80xx_encrypt_update()
scsi: pm8001: Fix le32 values handling in pm80xx_chip_ssp_io_req()
scsi: pm8001: Fix le32 values handling in pm80xx_chip_sata_req()
scsi: pm8001: Fix NCQ NON DATA command task initialization
scsi: pm8001: Fix NCQ NON DATA command completion handling
scsi: pm8001: Fix abort all task initialization
RDMA/mlx5: Fix the flow of a miss in the allocation of a cache ODP MR
drm/amd/display: Remove vupdate_int_entry definition
TOMOYO: fix __setup handlers return values
ext2: correct max file size computing
drm/tegra: Fix reference leak in tegra_dsi_ganged_probe
power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return
scsi: hisi_sas: Change permission of parameter prot_mask
drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt
bpf, arm64: Call build_prologue() first in first JIT pass
bpf, arm64: Feed byte-offset into bpf line info
gpu: host1x: Fix a memory leak in 'host1x_remove()'
libbpf: Skip forward declaration when counting duplicated type names
powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties()
powerpc/Makefile: Don't pass -mcpu=powerpc64 when building 32-bit
KVM: x86: Fix emulation in writing cr8
KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor()
hv_balloon: rate-limit "Unhandled message" warning
i2c: xiic: Make bus names unique
power: supply: wm8350-power: Handle error for wm8350_register_irq
power: supply: wm8350-power: Add missing free in free_charger_irq
IB/hfi1: Allow larger MTU without AIP
PCI: Reduce warnings on possible RW1C corruption
net: axienet: fix RX ring refill allocation failure handling
mips: DEC: honor CONFIG_MIPS_FP_SUPPORT=n
powerpc/sysdev: fix incorrect use to determine if list is empty
mfd: mc13xxx: Add check for mc13xxx_irq_request
libbpf: Unmap rings when umem deleted
selftests/bpf: Make test_lwt_ip_encap more stable and faster
platform/x86: huawei-wmi: check the return value of device_create_file()
powerpc: 8xx: fix a return value error in mpc8xx_pic_init
vxcan: enable local echo for sent CAN frames
ath10k: Fix error handling in ath10k_setup_msa_resources
mips: cdmm: Fix refcount leak in mips_cdmm_phys_base
MIPS: RB532: fix return value of __setup handler
MIPS: pgalloc: fix memory leak caused by pgd_free()
mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init
RDMA/mlx5: Fix memory leak in error flow for subscribe event routine
bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full
bpf, sockmap: Fix more uncharged while msg has more_data
bpf, sockmap: Fix double uncharge the mem of sk_msg
samples/bpf, xdpsock: Fix race when running for fix duration of time
USB: storage: ums-realtek: fix error code in rts51x_read_mem()
can: isotp: return -EADDRNOTAVAIL when reading from unbound socket
can: isotp: support MSG_TRUNC flag when reading from socket
bareudp: use ipv6_mod_enabled to check if IPv6 enabled
selftests/bpf: Fix error reporting from sock_fields programs
Bluetooth: call hci_le_conn_failed with hdev lock in hci_le_conn_failed
Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt
ipv4: Fix route lookups when handling ICMP redirects and PMTU updates
af_netlink: Fix shift out of bounds in group mask calculation
i2c: meson: Fix wrong speed use from probe
i2c: mux: demux-pinctrl: do not deactivate a master that is not active
selftests/bpf/test_lirc_mode2.sh: Exit with proper code
PCI: Avoid broken MSI on SB600 USB devices
net: bcmgenet: Use stronger register read/writes to assure ordering
tcp: ensure PMTU updates are processed during fastopen
openvswitch: always update flow key after nat
tipc: fix the timer expires after interval 100ms
mfd: asic3: Add missing iounmap() on error asic3_mfd_probe
mxser: fix xmit_buf leak in activate when LSR == 0xff
pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add()
fsi: aspeed: convert to devm_platform_ioremap_resource
fsi: Aspeed: Fix a potential double free
misc: alcor_pci: Fix an error handling path
cpufreq: qcom-cpufreq-nvmem: fix reading of PVS Valid fuse
soundwire: intel: fix wrong register name in intel_shim_wake
clk: qcom: ipq8074: fix PCI-E clock oops
iio: mma8452: Fix probe failing when an i2c_device_id is used
staging:iio:adc:ad7280a: Fix handing of device address bit reversing.
pinctrl: renesas: r8a77470: Reduce size for narrow VIN1 channel
pinctrl: renesas: checker: Fix miscalculation of number of states
clk: qcom: ipq8074: Use floor ops for SDCC1 clock
phy: dphy: Correct lpx parameter and its derivatives(ta_{get,go,sure})
serial: 8250_mid: Balance reference count for PCI DMA device
serial: 8250_lpss: Balance reference count for PCI DMA device
NFS: Use of mapping_set_error() results in spurious errors
serial: 8250: Fix race condition in RTS-after-send handling
iio: adc: Add check for devm_request_threaded_irq
habanalabs: Add check for pci_enable_device
NFS: Return valid errors from nfs2/3_decode_dirent()
dma-debug: fix return value of __setup handlers
clk: imx7d: Remove audio_mclk_root_clk
clk: at91: sama7g5: fix parents of PDMCs' GCLK
clk: qcom: clk-rcg2: Update logic to calculate D value for RCG
clk: qcom: clk-rcg2: Update the frac table for pixel clock
dmaengine: hisi_dma: fix MSI allocate fail when reload hisi_dma
remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region
remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region
remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region
nvdimm/region: Fix default alignment for small regions
clk: actions: Terminate clk_div_table with sentinel element
clk: loongson1: Terminate clk_div_table with sentinel element
clk: clps711x: Terminate clk_div_table with sentinel element
clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver
NFS: remove unneeded check in decode_devicenotify_args()
staging: mt7621-dts: fix LEDs and pinctrl on GB-PC1 devicetree
staging: mt7621-dts: fix formatting
staging: mt7621-dts: fix pinctrl properties for ethernet
staging: mt7621-dts: fix GB-PC2 devicetree
pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init
pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback
pinctrl: mediatek: paris: Fix "argument" argument type for mtk_pinconf_get()
pinctrl: mediatek: paris: Fix pingroup pin config state readback
pinctrl: mediatek: paris: Skip custom extra pin config dump for virtual GPIOs
pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe
pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe
tty: hvc: fix return value of __setup handler
kgdboc: fix return value of __setup handler
serial: 8250: fix XOFF/XON sending when DMA is used
kgdbts: fix return value of __setup handler
firmware: google: Properly state IOMEM dependency
driver core: dd: fix return value of __setup handler
jfs: fix divide error in dbNextAG
netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options
NFSv4.1: don't retry BIND_CONN_TO_SESSION on session error
kdb: Fix the putarea helper function
clk: qcom: gcc-msm8994: Fix gpll4 width
clk: Initialize orphan req_rate
xen: fix is_xen_pmu()
net: enetc: report software timestamping via SO_TIMESTAMPING
net: hns3: fix bug when PF set the duplicate MAC address for VFs
net: phy: broadcom: Fix brcm_fet_config_init()
selftests: test_vxlan_under_vrf: Fix broken test case
qlcnic: dcb: default to returning -EOPNOTSUPP
net/x25: Fix null-ptr-deref caused by x25_disconnect
NFSv4/pNFS: Fix another issue with a list iterator pointing to the head
net: dsa: bcm_sf2_cfp: fix an incorrect NULL check on list iterator
fs: fd tables have to be multiples of BITS_PER_LONG
lib/test: use after free in register_test_dev_kmod()
fs: fix fd table size alignment properly
LSM: general protection fault in legacy_parse_param
regulator: rpi-panel: Handle I2C errors/timing to the Atmel
gcc-plugins/stackleak: Exactly match strings instead of prefixes
pinctrl: npcm: Fix broken references to chip->parent_device
block, bfq: don't move oom_bfqq
selinux: use correct type for context length
selinux: allow FIOCLEX and FIONCLEX with policy capability
loop: use sysfs_emit() in the sysfs xxx show()
Fix incorrect type in assignment of ipv6 port for audit
irqchip/qcom-pdc: Fix broken locking
irqchip/nvic: Release nvic_base upon failure
fs/binfmt_elf: Fix AT_PHDR for unusual ELF files
bfq: fix use-after-free in bfq_dispatch_request
ACPICA: Avoid walking the ACPI Namespace if it is not there
lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3
Revert "Revert "block, bfq: honor already-setup queue merges""
ACPI/APEI: Limit printable size of BERT table data
PM: core: keep irq flags in device_pm_check_callbacks()
parisc: Fix handling off probe non-access faults
nvme-tcp: lockdep: annotate in-kernel sockets
spi: tegra20: Use of_device_get_match_data()
locking/lockdep: Iterate lock_classes directly when reading lockdep files
ext4: correct cluster len and clusters changed accounting in ext4_mb_mark_bb
ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit
ext4: don't BUG if someone dirty pages without asking ext4 first
f2fs: fix to do sanity check on curseg->alloc_type
NFSD: Fix nfsd_breaker_owns_lease() return values
f2fs: compress: fix to print raw data size in error path of lz4 decompression
ntfs: add sanity check on allocation size
media: staging: media: zoran: move videodev alloc
media: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com
media: staging: media: zoran: fix various V4L2 compliance errors
media: ir_toy: free before error exiting
video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
video: fbdev: w100fb: Reset global state
video: fbdev: cirrusfb: check pixclock to avoid divide by zero
video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit
ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960
ARM: dts: bcm2837: Add the missing L1/L2 cache information
ASoC: madera: Add dependencies on MFD
media: atomisp_gmin_platform: Add DMI quirk to not turn AXP ELDO2 regulator off on some boards
media: atomisp: fix dummy_ptr check to avoid duplicate active_bo
ARM: ftrace: avoid redundant loads or clobbering IP
ARM: dts: imx7: Use audio_mclk_post_div instead audio_mclk_root_clk
arm64: defconfig: build imx-sdma as a module
video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()
video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()
video: fbdev: udlfb: replace snprintf in show functions with sysfs_emit
ARM: dts: bcm2711: Add the missing L1/L2 cache information
ASoC: soc-core: skip zero num_dai component in searching dai name
media: cx88-mpeg: clear interrupt status register before streaming video
uaccess: fix type mismatch warnings from access_ok()
lib/test_lockup: fix kernel pointer check for separate address spaces
ARM: tegra: tamonten: Fix I2C3 pad setting
ARM: mmp: Fix failure to remove sram device
video: fbdev: sm712fb: Fix crash in smtcfb_write()
media: Revert "media: em28xx: add missing em28xx_close_extension"
media: hdpvr: initialize dev->worker at hdpvr_register_videodev
mmc: host: Return an error when ->enable_sdio_irq() ops is missing
media: atomisp: fix bad usage at error handling logic
ALSA: hda/realtek: Add alc256-samsung-headphone fixup
KVM: x86/mmu: Check for present SPTE when clearing dirty bit in TDP MMU
powerpc/kasan: Fix early region not updated correctly
powerpc/lib/sstep: Fix 'sthcx' instruction
powerpc/lib/sstep: Fix build errors with newer binutils
powerpc: Fix build errors with newer binutils
scsi: qla2xxx: Fix stuck session in gpdb
scsi: qla2xxx: Fix scheduling while atomic
scsi: qla2xxx: Fix wrong FDMI data for 64G adapter
scsi: qla2xxx: Fix warning for missing error code
scsi: qla2xxx: Fix device reconnect in loop topology
scsi: qla2xxx: Add devids and conditionals for 28xx
scsi: qla2xxx: Check for firmware dump already collected
scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()
scsi: qla2xxx: Fix disk failure to rediscover
scsi: qla2xxx: Fix incorrect reporting of task management failure
scsi: qla2xxx: Fix hang due to session stuck
scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests
scsi: qla2xxx: Fix N2N inconsistent PLOGI
scsi: qla2xxx: Reduce false trigger to login
scsi: qla2xxx: Use correct feature type field during RFF_ID processing
platform: chrome: Split trace include file
KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated
KVM: Prevent module exit until all VMs are freed
KVM: x86: fix sending PV IPI
KVM: SVM: fix panic on out-of-bounds guest IRQ
ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM
ubifs: rename_whiteout: Fix double free for whiteout_ui->data
ubifs: Fix deadlock in concurrent rename whiteout and inode writeback
ubifs: Add missing iput if do_tmpfile() failed in rename whiteout
ubifs: setflags: Make dirtied_ino_d 8 bytes aligned
ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()
ubifs: Fix to add refcount once page is set private
ubifs: rename_whiteout: correct old_dir size computing
wireguard: queueing: use CFI-safe ptr_ring cleanup function
wireguard: socket: free skb in send6 when ipv6 is disabled
wireguard: socket: ignore v6 endpoints when ipv6 is disabled
XArray: Fix xas_create_range() when multi-order entry present
can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path
can: mcba_usb: properly check endpoint type
can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix return of error value
XArray: Update the LRU list in xas_split()
rtc: check if __rtc_read_time was successful
gfs2: Make sure FITRIM minlen is rounded up to fs block size
net: hns3: fix software vlan talbe of vlan 0 inconsistent with hardware
rxrpc: Fix call timer start racing with call destruction
mailbox: imx: fix wakeup failure from freeze mode
crypto: arm/aes-neonbs-cbc - Select generic cbc and aes
watch_queue: Free the page array when watch_queue is dismantled
pinctrl: pinconf-generic: Print arguments for bias-pull-*
watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function
pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR()
pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE()
ASoC: mediatek: mt6358: add missing EXPORT_SYMBOLs
ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
ARM: iop32x: offset IRQ numbers by 1
io_uring: fix memory leak of uid in files registration
riscv module: remove (NOLOAD)
ACPI: CPPC: Avoid out of bounds access when parsing _CPC data
platform/chrome: cros_ec_typec: Check for EC device
can: isotp: restore accidentally removed MSG_PEEK feature
proc: bootconfig: Add null pointer check
staging: mt7621-dts: fix pinctrl-0 items to be size-1 items on ethernet
ASoC: soc-compress: Change the check for codec_dai
batman-adv: Check ptr for NULL before reducing its refcnt
mm/mmap: return 1 from stack_guard_gap __setup() handler
ARM: 9187/1: JIVE: fix return value of __setup handler
mm/memcontrol: return 1 from cgroup.memory __setup() handler
mm/usercopy: return 1 from hardened_usercopy __setup() handler
bpf: Adjust BPF stack helper functions to accommodate skip > 0
bpf: Fix comment for helper bpf_current_task_under_cgroup()
dt-bindings: mtd: nand-controller: Fix the reg property description
dt-bindings: mtd: nand-controller: Fix a comment in the examples
dt-bindings: spi: mxic: The interrupt property is not mandatory
ubi: fastmap: Return error code if memory allocation fails in add_aeb()
ASoC: topology: Allow TLV control to be either read or write
ARM: dts: spear1340: Update serial node properties
ARM: dts: spear13xx: Update SPI dma properties
um: Fix uml_mconsole stop/go
docs: sysctl/kernel: add missing bit to panic_print
openvswitch: Fixed nd target mask field in the flow dump.
KVM: x86/mmu: do compare-and-exchange of gPTE via the user address
can: m_can: m_can_tx_handler(): fix use after free of skb
can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path
coredump: Snapshot the vmas in do_coredump
coredump: Remove the WARN_ON in dump_vma_snapshot
coredump/elf: Pass coredump_params into fill_note_info
coredump: Use the vma snapshot in fill_files_note
arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones
PCI: xgene: Revert "PCI: xgene: Use inbound resources for setup"
Linux 5.10.110
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I12fbe227793dd40c0582588e1700cf88cafd0ac6
[ Upstream commit 6a7d8cff4a3301087dd139293e9bddcf63827282 ]
In the timer callback function tipc_sk_timeout(), we're trying to
reschedule another timeout to retransmit a setup request if destination
link is congested. But we use the incorrect timeout value
(msecs_to_jiffies(100)) instead of (jiffies + msecs_to_jiffies(100)),
so that the timer expires immediately, it's irrelevant for original
description.
In this commit we correct the timeout value in sk_reset_timer()
Fixes: 6787927475 ("tipc: buffer overflow handling in listener socket")
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Link: https://lore.kernel.org/r/20220321042229.314288-1-hoang.h.le@dektech.com.au
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmIx4yUACgkQONu9yGCS
aT5q2A/+OlbFfkWLW5T0p54BIaXQGduXCtKyG81gZeJJPjQH0Meh6rtzea3n9/2/
ESgOBWmoGCX1I9dq8oWgE+krdg4Bu1pSsyWELlVBD5YeovsrdMJokfbZ5AW7wioO
ca/sZpaysp0TiluGSwkU2eYLOeaUNvSUrLPoAK/BjZ4W/INXKQyY3gaG9SqhSEiY
ag13I9BLvltepYWQbgq2MJzI5vKq3DHiQSC4/wDA1J02rfa8+C3pTSYZVKES6+6/
NVend811EpI/XQeQhsTP4wVtOYODJyVrXFIcV2n4MIsw80MhlomJjI/3BYiIYTf4
aYqwdGn0CZTQDCAC/HkNJbttcSw5wyJHGDG3e/QQArQ4L0Tu2ah9pXygIkMs9RXj
ClUlR2sE0HQBtWrMxz9qT5Yo0F33ghU40VaDGUpX9QNs0Tat5hqGpj3KNVutxrk5
D5U5ueXA8DysmjWv8+oawUoRCuYa4NfPPHA9LExkn+oatu/GdCT6j3Ih5pxOOorw
uWijcyvElOvSRvOzBbrLcHmbqV9WIM3cO2ob5I+HbV/agCoytnZS487KY4wp/ZRQ
hd/gc03hIJiyJxIWAFosDAHJYsSnyVHTMDqDNF2EQ/Myto0Tf4idAjThCAl8pE1K
WmcmqArZei0PfFfa68jOtd5CTE/dBQHwamSaQx0Rf9UkxN7sOko=
=PEUE
-----END PGP SIGNATURE-----
Merge 5.10.106 into android12-5.10-lts
Changes in 5.10.106
ARM: boot: dts: bcm2711: Fix HVS register range
clk: qcom: gdsc: Add support to update GDSC transition delay
HID: vivaldi: fix sysfs attributes leak
arm64: dts: armada-3720-turris-mox: Add missing ethernet0 alias
tipc: fix kernel panic when enabling bearer
mISDN: Remove obsolete PIPELINE_DEBUG debugging information
mISDN: Fix memory leak in dsp_pipeline_build()
virtio-blk: Don't use MAX_DISCARD_SEGMENTS if max_discard_seg is zero
isdn: hfcpci: check the return value of dma_set_mask() in setup_hw()
net: qlogic: check the return value of dma_alloc_coherent() in qed_vf_hw_prepare()
esp: Fix BEET mode inter address family tunneling on GSO
qed: return status of qed_iov_get_link
drm/sun4i: mixer: Fix P010 and P210 format numbers
net: dsa: mt7530: fix incorrect test in mt753x_phylink_validate()
ARM: dts: aspeed: Fix AST2600 quad spi group
i40e: stop disabling VFs due to PF error responses
ice: stop disabling VFs due to PF error responses
ice: Align macro names to the specification
ice: Remove unnecessary checker loop
ice: Rename a couple of variables
ice: Fix curr_link_speed advertised speed
ethernet: Fix error handling in xemaclite_of_probe
tipc: fix incorrect order of state message data sanity check
net: ethernet: ti: cpts: Handle error for clk_enable
net: ethernet: lpc_eth: Handle error for clk_enable
ax25: Fix NULL pointer dereference in ax25_kill_by_device
net/mlx5: Fix size field in bufferx_reg struct
net/mlx5: Fix a race on command flush flow
net/mlx5e: Lag, Only handle events from highest priority multipath entry
NFC: port100: fix use-after-free in port100_send_complete
selftests: pmtu.sh: Kill tcpdump processes launched by subshell.
gpio: ts4900: Do not set DAT and OE together
gianfar: ethtool: Fix refcount leak in gfar_get_ts_info
net: phy: DP83822: clear MISR2 register to disable interrupts
sctp: fix kernel-infoleak for SCTP sockets
net: bcmgenet: Don't claim WOL when its not available
selftests/bpf: Add test for bpf_timer overwriting crash
spi: rockchip: Fix error in getting num-cs property
spi: rockchip: terminate dma transmission when slave abort
net-sysfs: add check for netdevice being present to speed_show
hwmon: (pmbus) Clear pmbus fault/warning bits after read
gpio: Return EPROBE_DEFER if gc->to_irq is NULL
Revert "xen-netback: remove 'hotplug-status' once it has served its purpose"
Revert "xen-netback: Check for hotplug-status existence before watching"
ipv6: prevent a possible race condition with lifetimes
tracing: Ensure trace buffer is at least 4096 bytes large
selftest/vm: fix map_fixed_noreplace test failure
selftests/memfd: clean up mapping in mfd_fail_write
ARM: Spectre-BHB: provide empty stub for non-config
fuse: fix pipe buffer lifetime for direct_io
staging: rtl8723bs: Fix access-point mode deadlock
staging: gdm724x: fix use after free in gdm_lte_rx()
net: macb: Fix lost RX packet wakeup race in NAPI receive
mmc: meson: Fix usage of meson_mmc_post_req()
riscv: Fix auipc+jalr relocation range checks
arm64: dts: marvell: armada-37xx: Remap IO space to bus address 0x0
virtio: unexport virtio_finalize_features
virtio: acknowledge all features before access
watch_queue, pipe: Free watchqueue state after clearing pipe ring
watch_queue: Fix to release page in ->release()
watch_queue: Fix to always request a pow-of-2 pipe ring size
watch_queue: Fix the alloc bitmap size to reflect notes allocated
watch_queue: Free the alloc bitmap when the watch_queue is torn down
watch_queue: Fix lack of barrier/sync/lock between post and read
watch_queue: Make comment about setting ->defunct more accurate
x86/boot: Fix memremap of setup_indirect structures
x86/boot: Add setup_indirect support in early_memremap_is_setup_data()
x86/traps: Mark do_int3() NOKPROBE_SYMBOL
ext4: add check to prevent attempting to resize an fs with sparse_super2
ARM: fix Thumb2 regression with Spectre BHB
watch_queue: Fix filter limit check
Linux 5.10.106
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic7943bdf8c771bff4a95fcf0585ec9c24057cb5b
[ Upstream commit c79fcc27be90b308b3fa90811aefafdd4078668c ]
When receiving a state message, function tipc_link_validate_msg()
is called to validate its header portion. Then, its data portion
is validated before it can be accessed correctly. However, current
data sanity check is done after the message header is accessed to
update some link variables.
This commit fixes this issue by moving the data sanity check to
the beginning of state message handling and right after the header
sanity check.
Fixes: 9aa422ad3266 ("tipc: improve size validations for received domain records")
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Link: https://lore.kernel.org/r/20220308021200.9245-1-tung.q.nguyen@dektech.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmInm+kACgkQONu9yGCS
aT4/lw/6AoFz3oHbzlft4tCUn4UXQIut8gIiJfrXBnIqw6pa5YQPA1E7hgQBxTnG
v9llnwDRFR7qouXq1qhoXU01vETiRqZ2ClkT/MnvLfRMQcHgtS9B61VgwnpNuNBg
qStZORcqFi6rQHXySUgs2ObF6NZQ3BRyHY2LYqZPj0YkuHIdQo48WtQ9cy0XWZLV
WT49LIVxkTZ6D0fs/k10qRv+M4lmeOzCqEZf4591F0sjoVuTFj3F1xMsSbu8W3xZ
xXxE0hPbN0If3JFhnb3DqdQ20kRNSmrrV1CzYaN09jyP7KHpdIDVT8R1hSau3TFP
3zd2fBWmOP0FPzOVkNnqetMuKspKH8p3kKW2rkTyHYcGtUFzh54Hm0QRpA3CVB3L
JZje9HCkxWiBSl1mwypmBGp88kWOe+n3NRUOhX3yqPoT3R2n45coBV+sfSOakkxv
K8mUw1FFbJTPjgJtMCs57zzxybInnMrAF5/7XA2MgHCr3SVvYQA7+joSPn3CO+0K
zKO4kTdEmD9jTT+3vMDL4Z3VSmOJMVcxCHBTUrac/OBIiBz+7y9WQSc7a6aRbfdu
k3wy7HJ98pmjYB6g73MJcXOtTwXuoTqur4QWU5MCgTw6+qglgRQHr5ILSs35ZeAV
LO1zvAsklOWFMc/3fD8heLmKGBZ0GHcn+0Y7ZqfFKLmqOTnx7tA=
=W+lo
-----END PGP SIGNATURE-----
Merge 5.10.104 into android12-5.10-lts
Changes in 5.10.104
mac80211_hwsim: report NOACK frames in tx_status
mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work
i2c: bcm2835: Avoid clock stretching timeouts
ASoC: rt5668: do not block workqueue if card is unbound
ASoC: rt5682: do not block workqueue if card is unbound
regulator: core: fix false positive in regulator_late_cleanup()
Input: clear BTN_RIGHT/MIDDLE on buttonpads
KVM: arm64: vgic: Read HW interrupt pending state from the HW
tipc: fix a bit overflow in tipc_crypto_key_rcv()
cifs: fix double free race when mount fails in cifs_get_root()
selftests/seccomp: Fix seccomp failure by adding missing headers
dmaengine: shdma: Fix runtime PM imbalance on error
i2c: cadence: allow COMPILE_TEST
i2c: qup: allow COMPILE_TEST
net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990
usb: gadget: don't release an existing dev->buf
usb: gadget: clear related members when goto fail
exfat: reuse exfat_inode_info variable instead of calling EXFAT_I()
exfat: fix i_blocks for files truncated over 4 GiB
tracing: Add test for user space strings when filtering on string pointers
serial: stm32: prevent TDR register overwrite when sending x_char
ata: pata_hpt37x: fix PCI clock detection
drm/amdgpu: check vm ready by amdgpu_vm->evicting flag
tracing: Add ustring operation to filtering string pointers
ALSA: intel_hdmi: Fix reference to PCM buffer address
riscv/efi_stub: Fix get_boot_hartid_from_fdt() return value
riscv: Fix config KASAN && SPARSEMEM && !SPARSE_VMEMMAP
riscv: Fix config KASAN && DEBUG_VIRTUAL
ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min
iommu/amd: Recover from event log overflow
drm/i915: s/JSP2/ICP2/ PCH
xen/netfront: destroy queues before real_num_tx_queues is zeroed
thermal: core: Fix TZ_GET_TRIP NULL pointer dereference
ntb: intel: fix port config status offset for SPR
mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls
xfrm: fix MTU regression
netfilter: fix use-after-free in __nf_register_net_hook()
bpf, sockmap: Do not ignore orig_len parameter
xfrm: fix the if_id check in changelink
xfrm: enforce validity of offload input flags
e1000e: Correct NVM checksum verification flow
net: fix up skbs delta_truesize in UDP GRO frag_list
netfilter: nf_queue: don't assume sk is full socket
netfilter: nf_queue: fix possible use-after-free
netfilter: nf_queue: handle socket prefetch
batman-adv: Request iflink once in batadv-on-batadv check
batman-adv: Request iflink once in batadv_get_real_netdevice
batman-adv: Don't expect inter-netns unique iflink indices
net: ipv6: ensure we call ipv6_mc_down() at most once
net: dcb: flush lingering app table entries for unregistered devices
net/smc: fix connection leak
net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error generated by client
net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error cause by server
rcu/nocb: Fix missed nocb_timer requeue
ice: Fix race conditions between virtchnl handling and VF ndo ops
ice: fix concurrent reset and removal of VFs
sched/topology: Make sched_init_numa() use a set for the deduplicating sort
sched/topology: Fix sched_domain_topology_level alloc in sched_init_numa()
ia64: ensure proper NUMA distance and possible map initialization
mac80211: fix forwarded mesh frames AC & queue selection
net: stmmac: fix return value of __setup handler
mac80211: treat some SAE auth steps as final
iavf: Fix missing check for running netdev
net: sxgbe: fix return value of __setup handler
ibmvnic: register netdev after init of adapter
net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()
ixgbe: xsk: change !netif_carrier_ok() handling in ixgbe_xmit_zc()
efivars: Respect "block" flag in efivar_entry_set_safe()
firmware: arm_scmi: Remove space in MODULE_ALIAS name
ASoC: cs4265: Fix the duplicated control name
can: gs_usb: change active_channels's type from atomic_t to u8
arm64: dts: rockchip: Switch RK3399-Gru DP to SPDIF output
igc: igc_read_phy_reg_gpy: drop premature return
ARM: Fix kgdb breakpoint for Thumb2
ARM: 9182/1: mmu: fix returns from early_param() and __setup() functions
selftests: mlxsw: tc_police_scale: Make test more robust
pinctrl: sunxi: Use unique lockdep classes for IRQs
igc: igc_write_phy_reg_gpy: drop premature return
ibmvnic: free reset-work-item when flushing
memfd: fix F_SEAL_WRITE after shmem huge page allocated
s390/extable: fix exception table sorting
ARM: dts: switch timer config to common devkit8000 devicetree
ARM: dts: Use 32KiHz oscillator on devkit8000
soc: fsl: guts: Revert commit 3c0d64e867
soc: fsl: guts: Add a missing memory allocation failure check
soc: fsl: qe: Check of ioremap return value
ARM: tegra: Move panels to AUX bus
ibmvnic: complete init_done on transport events
net: chelsio: cxgb3: check the return value of pci_find_capability()
iavf: Refactor iavf state machine tracking
nl80211: Handle nla_memdup failures in handle_nan_filter
drm/amdgpu: fix suspend/resume hang regression
net: dcb: disable softirqs in dcbnl_flush_dev()
Input: elan_i2c - move regulator_[en|dis]able() out of elan_[en|dis]able_power()
Input: elan_i2c - fix regulator enable count imbalance after suspend/resume
Input: samsung-keypad - properly state IOMEM dependency
HID: add mapping for KEY_DICTATE
HID: add mapping for KEY_ALL_APPLICATIONS
tracing/histogram: Fix sorting on old "cpu" value
tracing: Fix return value of __setup handlers
btrfs: fix lost prealloc extents beyond eof after full fsync
btrfs: qgroup: fix deadlock between rescan worker and remove qgroup
btrfs: add missing run of delayed items after unlink during log replay
Revert "xfrm: xfrm_state_mtu should return at least 1280 for ipv6"
hamradio: fix macro redefine warning
Linux 5.10.104
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I24dabeba483a0b0123a4e8c10d1a568b11dfb9c8
[ Upstream commit 143de8d97d79316590475dc2a84513c63c863ddf ]
msg_data_sz return a 32bit value, but size is 16bit. This may lead to a
bit overflow.
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmIfSjYACgkQONu9yGCS
aT5uuQ/9GcUx5ur2RT/8hqUmkDZU3PV2KvPbLY9BYfn5i/An/WS7KNlcXMatEd7n
E8G+Sh3hLlb8h+3B9EGYvumssERJSxAaecxhha6NU8dSsUdpKzLvjwfy/5L+giJP
rR6q4yhQaWqt0k7lSdohosIbTuDrr78Q9ifGPRpa2SIDEUDO4R+O/l9XqsCXXDMA
qa5MIC3vZwU6jbwcfkS1cc/kdB5aLT1DRCXW7Ca7YYMFTba3eV8FWr5pC82cjgsS
uIZ34yhMLQm70IDNqZRsMtj7JvpwHGAWsOTDd4HoI+4MdyyrgadSPDRRPzcytStZ
TEllgey/6U+i6Et1wPIpTb/FOOQ3S7uvVBeSdPnDpuv7/BOD75fFg7lOoE9OGcLo
14bmQGUc0FqOUxmtqYu/LmTOc4o/l0S1DCMhn4JquGjqCQa8R7aWVzYjHlG9wF6v
ZI04pB+5hec8vElICFUAdaJe6cR5ttkFq4UEkmkXLeSs1RKtAlE5VZkEU9dTykNn
IY9KYbXNwe492xVCaIZUO2pHpu07tuJ2YLqZypktQt7ndPIjRTeHt3QnFQIVMcug
MyAtDtZaqHQ459xF9caMHnThxsei7t6YWoPGK8/04ngpZS61ORuNIxigKmK/B62H
hmoJolC007zXYeisDgSkhFk4TaDbVpxne9cruVd50mLOZlvDUZY=
=8KvB
-----END PGP SIGNATURE-----
Merge 5.10.103 into android12-5.10-lts
Changes in 5.10.103
cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug
btrfs: tree-checker: check item_size for inode_item
btrfs: tree-checker: check item_size for dev_item
clk: jz4725b: fix mmc0 clock gating
vhost/vsock: don't check owner in vhost_vsock_stop() while releasing
parisc/unaligned: Fix fldd and fstd unaligned handlers on 32-bit kernel
parisc/unaligned: Fix ldw() and stw() unalignment handlers
KVM: x86/mmu: make apf token non-zero to fix bug
drm/amdgpu: disable MMHUB PG for Picasso
drm/i915: Correctly populate use_sagv_wm for all pipes
sr9700: sanity check for packet length
USB: zaurus: support another broken Zaurus
CDC-NCM: avoid overflow in sanity checking
netfilter: nf_tables_offload: incorrect flow offload action array size
x86/fpu: Correct pkru/xstate inconsistency
tee: export teedev_open() and teedev_close_context()
optee: use driver internal tee_context for some rpc
ping: remove pr_err from ping_lookup
perf data: Fix double free in perf_session__delete()
bnx2x: fix driver load from initrd
bnxt_en: Fix active FEC reporting to ethtool
hwmon: Handle failure to register sensor with thermal zone correctly
bpf: Do not try bpf_msg_push_data with len 0
selftests: bpf: Check bpf_msg_push_data return value
bpf: Add schedule points in batch ops
io_uring: add a schedule point in io_add_buffers()
net: __pskb_pull_tail() & pskb_carve_frag_list() drop_monitor friends
tipc: Fix end of loop tests for list_for_each_entry()
gso: do not skip outer ip header in case of ipip and net_failover
openvswitch: Fix setting ipv6 fields causing hw csum failure
drm/edid: Always set RGB444
net/mlx5e: Fix wrong return value on ioctl EEPROM query failure
net/sched: act_ct: Fix flow table lookup after ct clear or switching zones
net: ll_temac: check the return value of devm_kmalloc()
net: Force inlining of checksum functions in net/checksum.h
nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac()
netfilter: nf_tables: fix memory leak during stateful obj update
net/smc: Use a mutex for locking "struct smc_pnettable"
surface: surface3_power: Fix battery readings on batteries without a serial number
udp_tunnel: Fix end of loop test in udp_tunnel_nic_unregister()
net/mlx5: Fix possible deadlock on rule deletion
net/mlx5: Fix wrong limitation of metadata match on ecpf
net/mlx5e: kTLS, Use CHECKSUM_UNNECESSARY for device-offloaded packets
spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op()
regmap-irq: Update interrupt clear register for proper reset
RDMA/rtrs-clt: Fix possible double free in error case
RDMA/rtrs-clt: Kill wait_for_inflight_permits
RDMA/rtrs-clt: Move free_permit from free_clt to rtrs_clt_close
configfs: fix a race in configfs_{,un}register_subsystem()
RDMA/ib_srp: Fix a deadlock
tracing: Have traceon and traceoff trigger honor the instance
iio: adc: men_z188_adc: Fix a resource leak in an error handling path
iio: adc: ad7124: fix mask used for setting AIN_BUFP & AIN_BUFM bits
iio: imu: st_lsm6dsx: wait for settling time in st_lsm6dsx_read_oneshot
iio: Fix error handling for PM
sc16is7xx: Fix for incorrect data being transmitted
ata: pata_hpt37x: disable primary channel on HPT371
Revert "USB: serial: ch341: add new Product ID for CH341A"
usb: gadget: rndis: add spinlock for rndis response list
USB: gadget: validate endpoint index for xilinx udc
tracefs: Set the group ownership in apply_options() not parse_options()
USB: serial: option: add support for DW5829e
USB: serial: option: add Telit LE910R1 compositions
usb: dwc2: drd: fix soft connect when gadget is unconfigured
usb: dwc3: pci: Fix Bay Trail phy GPIO mappings
usb: dwc3: gadget: Let the interrupt handler disable bottom halves.
xhci: re-initialize the HC during resume if HCE was set
xhci: Prevent futile URB re-submissions due to incorrect return value.
driver core: Free DMA range map when device is released
RDMA/cma: Do not change route.addr.src_addr outside state checks
thermal: int340x: fix memory leak in int3400_notify()
riscv: fix oops caused by irqsoff latency tracer
tty: n_gsm: fix encoding of control signal octet bit DV
tty: n_gsm: fix proper link termination after failed open
tty: n_gsm: fix NULL pointer access due to DLCI release
tty: n_gsm: fix wrong tty control line for flow control
tty: n_gsm: fix deadlock in gsmtty_open()
gpio: tegra186: Fix chip_data type confusion
memblock: use kfree() to release kmalloced memblock regions
Linux 5.10.103
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I6b1b827ba2740b36680033a44f04d62b4e5565ab
commit a1f8fec4dac8bc7b172b2bdbd881e015261a6322 upstream.
These tests are supposed to check if the loop exited via a break or not.
However the tests are wrong because if we did not exit via a break then
"p" is not a valid pointer. In that case, it's the equivalent of
"if (*(u32 *)sr == *last_key) {". That's going to work most of the time,
but there is a potential for those to be equal.
Fixes: 1593123a6a ("tipc: add name table dump to new netlink api")
Fixes: 1a1a143daf ("tipc: add publication dump to new netlink api")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmIM5gYACgkQONu9yGCS
aT7LRw//VcpMVitixVf+dgNjlBe7mNb/h2FEWVJzWvOYNQAxPSEYpRLlU3IWSdli
vqqwaps+7kWVIgYQt0ccR5rRp+eg98+QpfYgZO5xfKL0YEspf0+fYDcF99K5Sjrp
aFXX9nONAgCUyW0qb4CUdnL9G61UunR70iyF7Gb77vakI0qB8emYVjvlvbH3MI5M
9AqWt+lBNmRiNw2/1Nz3gvmtHhe2fYtKmJBMcX8gVAN9Ysl2jvnhtOovJzIjldZx
y39PIWDwWq9O7BsaQm8RpYl/LguSS/xwseMMEbcJn0woBqnNg3qOJceaG782/OdD
FTvuTDvyD89tSX9T0jeVlVO+VwhoKTHlMJ1n5dpcJEFgbz0m+VtI3B9PuggWBwz5
0AgBzJKVXahgVrQnMpjw4k73scgyC7VcaAxYH69E+2IThRqxtBbHqETYEiVURUpH
fS+WjDvIOp47z9ARhQD+H8zzSFbx1DnOpbYd9zfdvnzIu2wq4Uerj8m/jk/hwh4/
zo18zVS/50vFL2/YqeKu9YdcuPPa7qlaz/zhnFM6QY65t10a01Q281Z7gFKBPevz
4IaTv9Yky//0XLQTo+/JN/O1W0FUitsei0Jl2g2dmfZoCW48MPFzezVErs37NX5s
1EsEN1jZ+yHIxu2dQwGBKpqvABNAp2rv64yCfsAcevJ52MHlef8=
=qatY
-----END PGP SIGNATURE-----
Merge 5.10.101 into android12-5.10-lts
Changes in 5.10.101
integrity: check the return value of audit_log_start()
ima: Remove ima_policy file before directory
ima: Allow template selection with ima_template[_fmt]= after ima_hash=
ima: Do not print policy rule with inactive LSM labels
mmc: sdhci-of-esdhc: Check for error num after setting mask
can: isotp: fix potential CAN frame reception race in isotp_rcv()
net: phy: marvell: Fix RGMII Tx/Rx delays setting in 88e1121-compatible PHYs
net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs
NFS: Fix initialisation of nfs_client cl_flags field
NFSD: Clamp WRITE offsets
NFSD: Fix offset type in I/O trace points
drm/amdgpu: Set a suitable dev_info.gart_page_size
tracing: Propagate is_signed to expression
NFS: change nfs_access_get_cached to only report the mask
NFSv4 only print the label when its queried
nfs: nfs4clinet: check the return value of kstrdup()
NFSv4.1: Fix uninitialised variable in devicenotify
NFSv4 remove zero number of fs_locations entries error check
NFSv4 expose nfs_parse_server_name function
NFSv4 handle port presence in fs_location server string
x86/perf: Avoid warning for Arch LBR without XSAVE
drm: panel-orientation-quirks: Add quirk for the 1Netbook OneXPlayer
net: sched: Clarify error message when qdisc kind is unknown
powerpc/fixmap: Fix VM debug warning on unmap
scsi: target: iscsi: Make sure the np under each tpg is unique
scsi: ufs: ufshcd-pltfrm: Check the return value of devm_kstrdup()
scsi: qedf: Add stag_work to all the vports
scsi: qedf: Fix refcount issue when LOGO is received during TMF
scsi: pm8001: Fix bogus FW crash for maxcpus=1
scsi: ufs: Treat link loss as fatal error
scsi: myrs: Fix crash in error case
PM: hibernate: Remove register_nosave_region_late()
usb: dwc2: gadget: don't try to disable ep0 in dwc2_hsotg_suspend
perf: Always wake the parent event
nvme-pci: add the IGNORE_DEV_SUBNQN quirk for Intel P4500/P4600 SSDs
net: stmmac: dwmac-sun8i: use return val of readl_poll_timeout()
KVM: eventfd: Fix false positive RCU usage warning
KVM: nVMX: eVMCS: Filter out VM_EXIT_SAVE_VMX_PREEMPTION_TIMER
KVM: nVMX: Also filter MSR_IA32_VMX_TRUE_PINBASED_CTLS when eVMCS
KVM: SVM: Don't kill SEV guest if SMAP erratum triggers in usermode
KVM: VMX: Set vmcs.PENDING_DBG.BS on #DB in STI/MOVSS blocking shadow
riscv: fix build with binutils 2.38
ARM: dts: imx23-evk: Remove MX23_PAD_SSP1_DETECT from hog group
ARM: dts: Fix boot regression on Skomer
ARM: socfpga: fix missing RESET_CONTROLLER
nvme-tcp: fix bogus request completion when failing to send AER
ACPI/IORT: Check node revision for PMCG resources
PM: s2idle: ACPI: Fix wakeup interrupts handling
drm/rockchip: vop: Correct RK3399 VOP register fields
ARM: dts: Fix timer regression for beagleboard revision c
ARM: dts: meson: Fix the UART compatible strings
ARM: dts: meson8: Fix the UART device-tree schema validation
ARM: dts: meson8b: Fix the UART device-tree schema validation
staging: fbtft: Fix error path in fbtft_driver_module_init()
ARM: dts: imx6qdl-udoo: Properly describe the SD card detect
phy: xilinx: zynqmp: Fix bus width setting for SGMII
ARM: dts: imx7ulp: Fix 'assigned-clocks-parents' typo
usb: f_fs: Fix use-after-free for epfile
gpio: aggregator: Fix calling into sleeping GPIO controllers
drm/vc4: hdmi: Allow DBLCLK modes even if horz timing is odd.
misc: fastrpc: avoid double fput() on failed usercopy
netfilter: ctnetlink: disable helper autoassign
arm64: dts: meson-g12b-odroid-n2: fix typo 'dio2133'
ixgbevf: Require large buffers for build_skb on 82599VF
drm/panel: simple: Assign data from panel_dpi_probe() correctly
ACPI: PM: s2idle: Cancel wakeup before dispatching EC GPE
gpio: sifive: use the correct register to read output values
bonding: pair enable_port with slave_arr_updates
net: dsa: mv88e6xxx: don't use devres for mdiobus
net: dsa: ar9331: register the mdiobus under devres
net: dsa: bcm_sf2: don't use devres for mdiobus
net: dsa: felix: don't use devres for mdiobus
net: dsa: lantiq_gswip: don't use devres for mdiobus
ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path
nfp: flower: fix ida_idx not being released
net: do not keep the dst cache when uncloning an skb dst and its metadata
net: fix a memleak when uncloning an skb dst and its metadata
veth: fix races around rq->rx_notify_masked
net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE
tipc: rate limit warning for received illegal binding update
net: amd-xgbe: disable interrupts during pci removal
dpaa2-eth: unregister the netdev before disconnecting from the PHY
ice: fix an error code in ice_cfg_phy_fec()
ice: fix IPIP and SIT TSO offload
net: mscc: ocelot: fix mutex lock error during ethtool stats read
net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister
vt_ioctl: fix array_index_nospec in vt_setactivate
vt_ioctl: add array_index_nospec to VT_ACTIVATE
n_tty: wake up poll(POLLRDNORM) on receiving data
eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX
usb: dwc2: drd: fix soft connect when gadget is unconfigured
Revert "usb: dwc2: drd: fix soft connect when gadget is unconfigured"
net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
usb: ulpi: Move of_node_put to ulpi_dev_release
usb: ulpi: Call of_node_put correctly
usb: dwc3: gadget: Prevent core from processing stale TRBs
usb: gadget: udc: renesas_usb3: Fix host to USB_ROLE_NONE transition
USB: gadget: validate interface OS descriptor requests
usb: gadget: rndis: check size of RNDIS_MSG_SET command
usb: gadget: f_uac2: Define specific wTerminalType
usb: raw-gadget: fix handling of dual-direction-capable endpoints
USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320
USB: serial: option: add ZTE MF286D modem
USB: serial: ch341: add support for GW Instek USB2.0-Serial devices
USB: serial: cp210x: add NCR Retail IO box id
USB: serial: cp210x: add CPI Bulk Coin Recycler id
speakup-dectlk: Restore pitch setting
phy: ti: Fix missing sentinel for clk_div_table
hwmon: (dell-smm) Speed up setting of fan speed
Makefile.extrawarn: Move -Wunaligned-access to W=1
can: isotp: fix error path in isotp_sendmsg() to unlock wait queue
scsi: lpfc: Remove NVMe support if kernel has NVME_FC disabled
scsi: lpfc: Reduce log messages seen after firmware download
arm64: dts: imx8mq: fix lcdif port node
perf: Fix list corruption in perf_cgroup_switch()
iommu: Fix potential use-after-free during probe
Linux 5.10.101
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic9c80389b155cf05bc1c6a64d0ca92837c83fbb1
[ Upstream commit c7223d687758462826a20e9735305d55bb874c70 ]
It would be easy to craft a message containing an illegal binding table
update operation. This is handled correctly by the code, but the
corresponding warning printout is not rate limited as is should be.
We fix this now.
Fixes: b97bf3fd8f ("[TIPC] Initial merge")
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 9aa422ad326634b76309e8ff342c246800621216 upstream.
The function tipc_mon_rcv() allows a node to receive and process
domain_record structs from peer nodes to track their views of the
network topology.
This patch verifies that the number of members in a received domain
record does not exceed the limit defined by MAX_MON_DOMAIN, something
that may otherwise lead to a stack overflow.
tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where
we are reading a 32 bit message data length field into a uint16. To
avert any risk of bit overflow, we add an extra sanity check for this in
that function. We cannot see that happen with the current code, but
future designers being unaware of this risk, may introduce it by
allowing delivery of very large (> 64k) sk buffers from the bearer
layer. This potential problem was identified by Eric Dumazet.
This fixes CVE-2022-0435
Reported-by: Samuel Page <samuel.page@appgate.com>
Reported-by: Eric Dumazet <edumazet@google.com>
Fixes: 35c55c9877 ("tipc: add neighbor monitoring framework")
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Samuel Page <samuel.page@appgate.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmGgq10ACgkQONu9yGCS
aT6KDA/+N9ysKF4cH2zdUMhDAkjCKB3YqTEsJxSfGBkJu2wuncAEEtrKy9jxC+lv
fz6BE1tduit/IQIhGTCXJlfe9NIxwU87f2v5JlHnYeXg4dz72c+Ei236l7ZvkSNE
ii8/ikHGvbbhKv+BTgcRg7jVUMMy6eEpS6iJwMNLB/sHROjZXPogFoiYjbO+Jzc5
0jTciMZv6r4yNhrdHBjhWHe6ZhB94H//Jy8MVYk37NGc5EbJmrMN83GM5ceSmhOZ
PgxxyrVTv+SdGm0XViyK+94HXWGQHLXQF+Nsu3YEZfnNI+HNSPQKTqBLPM1hV7Ak
h+IYW6VHPmcBmQzEdSA67uMKJayKtEwpkqO6aLRcj/NIThRiZoznbrtZOoGSXaU1
0MzQRPum76GA5/SVGgtB8FrE6kcFm74eq82mXvUD+rgCp0HTbIpYQK9ZKSmbFOkv
fYjcpWHZ8PEmffMbtIlVKSffVxcUILoNuQwnr21NGiRUrd54DhNPgVahmCKnvUTb
847bGU/wQJPIF/2SO1rdpaA9MrPqZ/9sMEX3nSdx7xS8D+h2wfJqAJkLq0KBYt7R
sbsXbfqbri893VHBo2YUqby3+7x3uNr118SjyiA8zpHHJpTBrVVImxSnW1z626HT
KNJU4MSulLs+settJKAw1PHGRIGuW5TGSGF94p5LcsZDM2uIabU=
=Wg4d
-----END PGP SIGNATURE-----
Merge 5.10.82 into android12-5.10-lts
Changes in 5.10.82
arm64: zynqmp: Do not duplicate flash partition label property
arm64: zynqmp: Fix serial compatible string
ARM: dts: sunxi: Fix OPPs node name
arm64: dts: allwinner: h5: Fix GPU thermal zone node name
arm64: dts: allwinner: a100: Fix thermal zone node name
staging: wfx: ensure IRQ is ready before enabling it
ARM: dts: NSP: Fix mpcore, mmc node names
scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()
arm64: dts: rockchip: Disable CDN DP on Pinebook Pro
arm64: dts: hisilicon: fix arm,sp805 compatible string
RDMA/bnxt_re: Check if the vlan is valid before reporting
bus: ti-sysc: Add quirk handling for reinit on context lost
bus: ti-sysc: Use context lost quirk for otg
usb: musb: tusb6010: check return value after calling platform_get_resource()
usb: typec: tipd: Remove WARN_ON in tps6598x_block_read
ARM: dts: ux500: Skomer regulator fixes
staging: rtl8723bs: remove possible deadlock when disconnect (v2)
ARM: BCM53016: Specify switch ports for Meraki MR32
arm64: dts: qcom: msm8998: Fix CPU/L2 idle state latency and residency
arm64: dts: qcom: ipq6018: Fix qcom,controlled-remotely property
arm64: dts: freescale: fix arm,sp805 compatible string
ASoC: SOF: Intel: hda-dai: fix potential locking issue
clk: imx: imx6ul: Move csi_sel mux to correct base register
ASoC: nau8824: Add DMI quirk mechanism for active-high jack-detect
scsi: advansys: Fix kernel pointer leak
ALSA: intel-dsp-config: add quirk for APL/GLK/TGL devices based on ES8336 codec
firmware_loader: fix pre-allocated buf built-in firmware use
ARM: dts: omap: fix gpmc,mux-add-data type
usb: host: ohci-tmio: check return value after calling platform_get_resource()
ARM: dts: ls1021a: move thermal-zones node out of soc/
ARM: dts: ls1021a-tsn: use generic "jedec,spi-nor" compatible for flash
ALSA: ISA: not for M68K
tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc
MIPS: sni: Fix the build
scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()
scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()
scsi: target: Fix ordered tag handling
scsi: target: Fix alua_tg_pt_gps_count tracking
iio: imu: st_lsm6dsx: Avoid potential array overflow in st_lsm6dsx_set_odr()
powerpc/5200: dts: fix memory node unit name
ARM: dts: qcom: fix memory and mdio nodes naming for RB3011
ALSA: gus: fix null pointer dereference on pointer block
powerpc/dcr: Use cmplwi instead of 3-argument cmpli
powerpc/8xx: Fix Oops with STRICT_KERNEL_RWX without DEBUG_RODATA_TEST
sh: check return code of request_irq
maple: fix wrong return value of maple_bus_init().
f2fs: fix up f2fs_lookup tracepoints
f2fs: fix to use WHINT_MODE
sh: fix kconfig unmet dependency warning for FRAME_POINTER
sh: math-emu: drop unused functions
sh: define __BIG_ENDIAN for math-emu
f2fs: compress: disallow disabling compress on non-empty compressed file
f2fs: fix incorrect return value in f2fs_sanity_check_ckpt()
clk: ingenic: Fix bugs with divided dividers
clk/ast2600: Fix soc revision for AHB
clk: qcom: gcc-msm8996: Drop (again) gcc_aggre1_pnoc_ahb_clk
mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set
sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain()
perf/x86/vlbr: Add c->flags to vlbr event constraints
blkcg: Remove extra blkcg_bio_issue_init
tracing/histogram: Do not copy the fixed-size char array field over the field size
perf bpf: Avoid memory leak from perf_env__insert_btf()
perf bench futex: Fix memory leak of perf_cpu_map__new()
perf tests: Remove bash construct from record+zstd_comp_decomp.sh
drm/nouveau: hdmigv100.c: fix corrupted HDMI Vendor InfoFrame
net-zerocopy: Copy straggler unaligned data for TCP Rx. zerocopy.
net-zerocopy: Refactor skb frag fast-forward op.
tcp: Fix uninitialized access in skb frags array for Rx 0cp.
tracing: Add length protection to histogram string copies
net: ipa: disable HOLB drop when updating timer
net: bnx2x: fix variable dereferenced before check
bnxt_en: reject indirect blk offload when hw-tc-offload is off
tipc: only accept encrypted MSG_CRYPTO msgs
net: reduce indentation level in sk_clone_lock()
sock: fix /proc/net/sockstat underflow in sk_clone_lock()
net/smc: Make sure the link_id is unique
iavf: Fix return of set the new channel count
iavf: check for null in iavf_fix_features
iavf: free q_vectors before queues in iavf_disable_vf
iavf: Fix failure to exit out from last all-multicast mode
iavf: prevent accidental free of filter structure
iavf: validate pointers
iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset
iavf: Fix for setting queues to 0
MIPS: generic/yamon-dt: fix uninitialized variable error
mips: bcm63xx: add support for clk_get_parent()
mips: lantiq: add support for clk_get_parent()
platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()'
net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()
net/mlx5: Lag, update tracker when state change event received
net/mlx5: E-Switch, Change mode lock from mutex to rw semaphore
net/mlx5: E-Switch, return error if encap isn't supported
scsi: core: sysfs: Fix hang when device state is set via sysfs
net: sched: act_mirred: drop dst for the direction from egress to ingress
net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove
net: virtio_net_hdr_to_skb: count transport header in UFO
i40e: Fix correct max_pkt_size on VF RX queue
i40e: Fix NULL ptr dereference on VSI filter sync
i40e: Fix changing previously set num_queue_pairs for PFs
i40e: Fix ping is lost after configuring ADq on VF
i40e: Fix warning message and call stack during rmmod i40e driver
i40e: Fix creation of first queue by omitting it if is not power of two
i40e: Fix display error code in dmesg
NFC: reorganize the functions in nci_request
NFC: reorder the logic in nfc_{un,}register_device
net: nfc: nci: Change the NCI close sequence
NFC: add NCI_UNREG flag to eliminate the race
e100: fix device suspend/resume
KVM: PPC: Book3S HV: Use GLOBAL_TOC for kvmppc_h_set_dabr/xdabr()
pinctrl: qcom: sdm845: Enable dual edge errata
perf/x86/intel/uncore: Fix filter_tid mask for CHA events on Skylake Server
perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server
s390/kexec: fix return code handling
net: stmmac: dwmac-rk: Fix ethernet on rk3399 based devices
arm64: vdso32: suppress error message for 'make mrproper'
tun: fix bonding active backup with arp monitoring
hexagon: export raw I/O routines for modules
hexagon: clean up timer-regs.h
tipc: check for null after calling kmemdup
ipc: WARN if trying to remove ipc object which is absent
mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag
x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails
powerpc/8xx: Fix pinned TLBs with CONFIG_STRICT_KERNEL_RWX
scsi: qla2xxx: Fix mailbox direction flags in qla2xxx_get_adapter_id()
s390/kexec: fix memory leak of ipl report buffer
block: Check ADMIN before NICE for IOPRIO_CLASS_RT
KVM: nVMX: don't use vcpu->arch.efer when checking host state on nested state load
udf: Fix crash after seekdir
net: stmmac: socfpga: add runtime suspend/resume callback for stratix10 platform
btrfs: fix memory ordering between normal and ordered work functions
parisc/sticon: fix reverse colors
cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
drm/amd/display: Update swizzle mode enums
drm/udl: fix control-message timeout
drm/nouveau: Add a dedicated mutex for the clients list
drm/nouveau: use drm_dev_unplug() during device removal
drm/nouveau: clean up all clients on device removal
drm/i915/dp: Ensure sink rate values are always valid
drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors
scsi: ufs: core: Fix task management completion
scsi: ufs: core: Fix task management completion timeout race
hugetlbfs: flush TLBs correctly after huge_pmd_unshare
RDMA/netlink: Add __maybe_unused to static inline in C file
selinux: fix NULL-pointer dereference when hashtab allocation fails
ASoC: DAPM: Cover regression by kctl change notification fix
usb: max-3421: Use driver data instead of maintaining a list of bound devices
ice: Delete always true check of PF pointer
fs: export an inode_update_time helper
btrfs: update device path inode time instead of bd_inode
x86/Kconfig: Fix an unused variable error in dell-smm-hwmon
ALSA: hda: hdac_ext_stream: fix potential locking issues
ALSA: hda: hdac_stream: fix potential locking issue in snd_hdac_stream_assign()
Revert "perf: Rework perf_event_exit_event()"
Linux 5.10.82
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I56e067875dafc27c2e86fc3b8c47abb3296c6a18
[ Upstream commit 271351d255b09e39c7f6437738cba595f9b235be ]
The MSG_CRYPTO msgs are always encrypted and sent to other nodes
for keys' deployment. But when receiving in peers, if those nodes
do not validate it and make sure it's encrypted, one could craft
a malicious MSG_CRYPTO msg to deploy its key with no need to know
other nodes' keys.
This patch is to do that by checking TIPC_SKB_CB(skb)->decrypted
and discard it if this packet never got decrypted.
Note that this is also a supplementary fix to CVE-2021-43267 that
can be triggered by an unencrypted malicious MSG_CRYPTO msg.
Fixes: 1ef6f7c939 ("tipc: add automatic session key exchange")
Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmGBh/8ACgkQONu9yGCS
aT4Eqw/+KclqUpaZ3Jb6e7CBIWYg5+XmVdTmnnvOZC82XbHDoRK9ZWfGqhFB6ODv
1KAp5kEBXh0hEmXi94ZQtzhiqr29R0H+rTBRpcpEVg/7PtLyrOQ+MAp8pszaJChO
3zhtN4NkEYV8hfl1T8fo0etcplZvnlK4HDEewFgQ0/WgZciN2J7Cqc47snx9tFia
wnUiSOqM8yalsnLjoFnqQYZF2YouH8pqb5UblWSTUGcjdNBRpRqzdW0Ybokzzj5L
SsZPV3EqNMZg28yBsFB/XMVriJ/jYpHES8m0wJPxE4SJlrI5wcwm/QhufMZbRorJ
hQeTkvQTggk0d2O/RNA2vLFIYhBkHd6w4+PkFpsC+kbwQmArW8x5cNM83KsBL6N0
sc3pF9vVxTroObczgVa6nh9Ux2AhfdtmYGSqXZCX4wHb35QYTyNv4if89WnOLZDm
hri3MfnVs7meLSFXUNH6RTdxz/nqp+TRd3hzLtNmp7EJ3U0CMeqB9G1nzbMi6vhD
1VYSJIuhGiuh3md9U5+xvimqVlckzbRztZBcnKhpV2ZS3Zq++Emf7cNKmRTpnXwC
SDX6ngYdYGvVuyW6UubPINEcGPzGnN/PSVNAEzTw0YsIpZGnjYVsKIlDj3LXDKdo
cSX60b6aEKoCT+LJHHDEMB6MaOVdH+FtDmyNz3fn7BFg9N/711s=
=bsKj
-----END PGP SIGNATURE-----
Merge 5.10.77 into android12-5.10-lts
Changes in 5.10.77
ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images
ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned
ARM: 9134/1: remove duplicate memcpy() definition
ARM: 9138/1: fix link warning with XIP + frame-pointer
ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype
ARM: 9141/1: only warn about XIP address when not compile testing
io_uring: don't take uring_lock during iowq cancel
powerpc/bpf: Fix BPF_MOD when imm == 1
arm64: Avoid premature usercopy failure
ext4: fix possible UAF when remounting r/o a mmp-protected file system
usbnet: sanity check for maxpacket
usbnet: fix error return code in usbnet_probe()
Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
pinctrl: amd: disable and mask interrupts on probe
ata: sata_mv: Fix the error handling of mv_chip_id()
tipc: fix size validations for the MSG_CRYPTO type
nfc: port100: fix using -ERRNO as command type mask
Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
net/tls: Fix flipped sign in tls_err_abort() calls
mmc: vub300: fix control-message timeouts
mmc: cqhci: clear HALT state after CQE enable
mmc: mediatek: Move cqhci init behind ungate clock
mmc: dw_mmc: exynos: fix the finding clock sample value
mmc: sdhci: Map more voltage level to SDHCI_POWER_330
mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit
ocfs2: fix race between searching chunks and release journal_head from buffer_head
nvme-tcp: fix H2CData PDU send accounting (again)
cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()
cfg80211: fix management registrations locking
net: lan78xx: fix division by zero in send path
mm, thp: bail out early in collapse_file for writeback page
drm/ttm: fix memleak in ttm_transfered_destroy
drm/amdgpu: fix out of bounds write
cgroup: Fix memory leak caused by missing cgroup_bpf_offline
riscv, bpf: Fix potential NULL dereference
tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function
bpf: Fix potential race in tail call compatibility check
bpf: Fix error usage of map_fd and fdget() in generic_map_update_batch()
IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
IB/hfi1: Fix abba locking issue with sc_disable()
nvmet-tcp: fix data digest pointer calculation
nvme-tcp: fix data digest pointer calculation
nvme-tcp: fix possible req->offset corruption
octeontx2-af: Display all enabled PF VF rsrc_alloc entries.
RDMA/mlx5: Set user priority for DCT
arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node
reset: brcmstb-rescal: fix incorrect polarity of status bit
regmap: Fix possible double-free in regcache_rbtree_exit()
net: batman-adv: fix error handling
net-sysfs: initialize uid and gid before calling net_ns_get_ownership
cfg80211: correct bridge/4addr mode check
net: Prevent infinite while loop in skb_tx_hash()
RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string
gpio: xgs-iproc: fix parsing of ngpios property
nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
mlxsw: pci: Recycle received packet upon allocation failure
net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails
net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent
net: nxp: lpc_eth.c: avoid hang when bringing interface down
net/tls: Fix flipped sign in async_wait.err assignment
phy: phy_ethtool_ksettings_get: Lock the phy for consistency
phy: phy_ethtool_ksettings_set: Move after phy_start_aneg
phy: phy_start_aneg: Add an unlocked version
phy: phy_ethtool_ksettings_set: Lock the PHY while changing settings
sctp: use init_tag from inithdr for ABORT chunk
sctp: fix the processing for INIT_ACK chunk
sctp: fix the processing for COOKIE_ECHO chunk
sctp: add vtag check in sctp_sf_violation
sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
sctp: add vtag check in sctp_sf_ootb
lan743x: fix endianness when accessing descriptors
KVM: s390: clear kicked_mask before sleeping again
KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu
scsi: ufs: ufs-exynos: Correct timeout value setting registers
riscv: fix misalgned trap vector base address
riscv: Fix asan-stack clang build
perf script: Check session->header.env.arch before using it
Linux 5.10.77
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I4cd89af4d20b7a8a1a6d9906233d1aaf026659a8
commit fa40d9734a57bcbfa79a280189799f76c88f7bb0 upstream.
The function tipc_crypto_key_rcv is used to parse MSG_CRYPTO messages
to receive keys from other nodes in the cluster in order to decrypt any
further messages from them.
This patch verifies that any supplied sizes in the message body are
valid for the received message.
Fixes: 1ef6f7c939 ("tipc: add automatic session key exchange")
Signed-off-by: Max VA <maxv@sentinelone.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit 55e6f8b3c0 which is
commit 4f0f586bf0c898233d8f316f471a21db2abd522d upstream.
This commit is already in this branch, but in a different fashion, as
CFI is included here. By having this version, there is a crc error that
is due to the use of typedefs. Reverting this commit changes nothing
and fixes the CRC issue.
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I97849a104acbc88599481f6c5c9d024570ec5c87
[ Upstream commit 4f0f586bf0c898233d8f316f471a21db2abd522d ]
list_sort() internally casts the comparison function passed to it
to a different type with constant struct list_head pointers, and
uses this pointer to call the functions, which trips indirect call
Control-Flow Integrity (CFI) checking.
Instead of removing the consts, this change defines the
list_cmp_func_t type and changes the comparison function types of
all list_sort() callers to use const pointers, thus avoiding type
mismatches.
Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210408182843.1754385-10-samitolvanen@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit f4bb62e64c88c93060c051195d3bbba804e56945 upstream.
In tipc_sk_enqueue() we use hardcoded 2 jiffies to extract
socket buffer from generic queue to particular socket.
The 2 jiffies is too short in case there are other high priority
tasks get CPU cycles for multiple jiffies update. As result, no
buffer could be enqueued to particular socket.
To solve this, we switch to use constant timeout 20msecs.
Then, the function will be expired between 2 jiffies (CONFIG_100HZ)
and 20 jiffies (CONFIG_1000HZ).
Fixes: c637c10355 ("tipc: resolve race problem at unicast message reception")
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman