Commit Graph

876412 Commits

Author SHA1 Message Date
Michael Bestas
3f03cf0c5e Merge branch 'for-kernel-version-from-4.1.0' of https://github.com/namjaejeon/linux-exfat-oot into android13-4.19-kona
* 'for-kernel-version-from-4.1.0' of https://github.com/namjaejeon/linux-exfat-oot:
  exfat: github action: run build and tests on for-kernel-version-from-4.1.0 branch
  exfat: fix ALIGN_DOWN undefined error
  exfat: using ffs instead of internal logic
  exfat: using hweight instead of internal logic
  exfat: fix ctime is not updated
  exfat: fix setting uninitialized time to ctime/atime
  exfat: convert to new timestamp accessors
  exfat: convert to ctime accessor functions
  exfat: fs: pass the request_mask to generic_fillattr
  exfat: convert to simple_rename_timestamp
  exfat: ensure that ctime is updated whenever the mtime is
  exfat: fs: add CONFIG_BUFFER_HEAD
  exfat: use fat ioctls definitions from include/uapi/linux/msdos_fs.h
  exfat: github action: remove linux-4.1 source to get more disk space
  exfat: support create zero-size directory
  exfat: support handle zero-size directory
  exfat: add ioctls for accessing attributes
  exfat: vfs: get rid of old '->iterate' directory operation

Change-Id: I8ffaa02252b1b11804a7c4c0583ebf5430bcfb49
2024-04-15 00:23:14 +03:00
Manoj Prabhu B
30cc8bc23a BACKPORT: memshare: Prevent possible integer overflow
Prevent possible integer overflow by sanitizing the alloc request
size coming from the client against allottable amount of memory.

Change-Id: I74cb0f7b0808f20299586969fd5c810d44c3e576
Signed-off-by: Manoj Prabhu B <quic_bmanoj@quicinc.com>
Signed-off-by: Michael Bestas <mkbestas@lineageos.org>
2024-03-23 01:17:07 +02:00
Michael Bestas
7b3f40eb03 Merge tag 'LA.UM.9.15.2.r1-09500-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel into android13-4.19-kona
"LA.UM.9.15.2.r1-09500-KAMORTA.QSSI14.0"

* tag 'LA.UM.9.15.2.r1-09500-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel:
  msm: camera: sensor: Proper handling of race condition in util api

Change-Id: Ic4e59c08cd32cc5a1083a5f8073cc48509ca9edc
2024-03-23 01:13:20 +02:00
Michael Bestas
b106341455 Merge tag 'LA.UM.9.12.r1-18200-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel into android13-4.19-kona
"LA.UM.9.12.r1-18200-SMxx50.QSSI14.0"

* tag 'LA.UM.9.12.r1-18200-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel:
  msm: camera: sensor: Proper handling of race condition in util api

Change-Id: I4559d7bbab1e2ad7fd5a5ddaad0165273b6927a6
2024-03-23 01:12:11 +02:00
Michael Bestas
c1da63f0cd Merge tag 'LA.UM.9.12.r1-18200-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn into android13-4.19-kona
"LA.UM.9.12.r1-18200-SMxx50.QSSI14.0"

* tag 'LA.UM.9.12.r1-18200-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn:
  qcacmn: Fix out of bound read issue in ESP ie parse

Change-Id: I3a6260d641417d3580f29f570246df0faa538606
2024-03-23 01:09:21 +02:00
Michael Bestas
e061c2504f Merge tag 'LA.UM.9.12.r1-18200-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/fw-api into android13-4.19-kona
"LA.UM.9.12.r1-18200-SMxx50.QSSI14.0"

* tag 'LA.UM.9.12.r1-18200-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/fw-api:
  fw-api: CL 25873460 - update fw common interface files
  fw-api: CL 25869885 - update fw common interface files
  fw-api: CL 25866433 - update fw common interface files
  fw-api: CL 25840790 - update fw common interface files
  fw-api: CL 25839627 - update fw common interface files
  fw-api: Fix compilation warnings
  fw-api: peach: v2: Fix compilation errors
  fw-api: CL 25798927 - update fw common interface files
  fw-api: CL 25795907 - update fw common interface files
  fw-api: CL 25779296 - update fw common interface files
  fw-api: CL 25777035 - update fw common interface files
  fw-api: CL 25775134 - update fw common interface files
  fw-api: CL 25746138 - update fw common interface files
  fw-api: CL 25739385 - update fw common interface files
  fw-api: CL 25734378 - update fw common interface files
  fw-api: CL 25734374 - update fw common interface files
  fw-api: CL 25722609 - update fw common interface files
  fw-api: CL 25706940 - update fw common interface files
  fw-api: CL 25706687 - update fw common interface files
  fw-api: CL 25682638 - update fw common interface files
  fw-api: CL 25672910 - update fw common interface files
  fw-api: CL 25663374 - update fw common interface files
  fw-api: CL 25652231 - update fw common interface files
  fw-api: Get V2 HW header files for peach

Change-Id: Idbc16a8aea0ed9a50c2375e035e2a4002fb40f54
2024-03-23 01:08:33 +02:00
Michael Bestas
6992fbf0e4 Merge tag 'LA.UM.9.12.r1-18200-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.19 into android13-4.19-kona
"LA.UM.9.12.r1-18200-SMxx50.QSSI14.0"

* tag 'LA.UM.9.12.r1-18200-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.19:
  soc: qcom: smem: Add boundary checks for partitions
  msm: kgsl: Do not release dma and anon buffers if unmap fails
  msm: kgsl: Keep the timeline fence valid for logging
  msm: npu: Fix OOB issue in IPC between driver and firmware

Change-Id: I09bfbd4349777d469c5114dd0ae21479a531571f
2024-03-23 01:07:10 +02:00
Gao Xiang
1a9efb0ce2 erofs: fix lz4 inplace decompression
commit 3c12466b6b7bf1e56f9b32c366a3d83d87afb4de upstream.

Currently EROFS can map another compressed buffer for inplace
decompression, that was used to handle the cases that some pages of
compressed data are actually not in-place I/O.

However, like most simple LZ77 algorithms, LZ4 expects the compressed
data is arranged at the end of the decompressed buffer and it
explicitly uses memmove() to handle overlapping:
  __________________________________________________________
 |_ direction of decompression --> ____ |_ compressed data _|

Although EROFS arranges compressed data like this, it typically maps two
individual virtual buffers so the relative order is uncertain.
Previously, it was hardly observed since LZ4 only uses memmove() for
short overlapped literals and x86/arm64 memmove implementations seem to
completely cover it up and they don't have this issue.  Juhyung reported
that EROFS data corruption can be found on a new Intel x86 processor.
After some analysis, it seems that recent x86 processors with the new
FSRM feature expose this issue with "rep movsb".

Let's strictly use the decompressed buffer for lz4 inplace
decompression for now.  Later, as a useful improvement, we could try
to tie up these two buffers together in the correct order.

Reported-and-tested-by: Juhyung Park <qkrwngud825@gmail.com>
Closes: https://lore.kernel.org/r/CAD14+f2AVKf8Fa2OO1aAUdDNTDsVzzR6ctU_oJSmTyd6zSYR2Q@mail.gmail.com
Fixes: 0ffd71bcc3a0 ("staging: erofs: introduce LZ4 decompression inplace")
Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend")
Cc: stable <stable@vger.kernel.org> # 5.4+
Tested-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20231206045534.3920847-1-hsiangkao@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I2a2b773421bbbaef7ec97ec75e0e93bf8a78255e
2024-03-18 23:39:15 +01:00
Sebastiano Barezzi
950e1e4a2d Revert "erofs: support decompress big pcluster for lz4 backend"
This reverts commit 3337f63708.

Reason: Conflicts with next change and doesn't exist upstream

Change-Id: I65fdef31d221f6536254a3dffa3f0b1e871e28ff
2024-03-18 23:39:15 +01:00
Gao Xiang
0a6b1078f5 erofs: ensure that the post-EOF tails are all zeroed
commit e4c1cf523d820730a86cae2c6d55924833b6f7ac upstream.

This was accidentally fixed up in commit e4c1cf523d82 but we can't
take the full change due to other dependency issues, so here is just
the actual bugfix that is needed.

[Background]

keltargw reported an issue [1] that with mmaped I/Os, sometimes the
tail of the last page (after file ends) is not filled with zeroes.

The root cause is that such tail page could be wrongly selected for
inplace I/Os so the zeroed part will then be filled with compressed
data instead of zeroes.

A simple fix is to avoid doing inplace I/Os for such tail parts,
actually that was already fixed upstream in commit e4c1cf523d82
("erofs: tidy up z_erofs_do_read_page()") by accident.

[1] https://lore.kernel.org/r/3ad8b469-25db-a297-21f9-75db2d6ad224@linux.alibaba.com

Reported-by: keltargw <keltar.gw@gmail.com>
Fixes: 3883a79abd ("staging: erofs: introduce VLE decompression support")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I7936777249ed01775984c200d405d101fd74d881
2024-03-17 02:26:54 +01:00
Gao Xiang
91041fcd82 erofs: fix compact 4B support for 16k block size
commit 001b8ccd0650727e54ec16ef72bf1b8eeab7168e upstream.

In compact 4B, two adjacent lclusters are packed together as a unit to
form on-disk indexes for effective random access, as below:

(amortized = 4, vcnt = 2)
       _____________________________________________
      |___@_____ encoded bits __________|_ blkaddr _|
      0        .                                    amortized * vcnt = 8
      .             .
      .                  .              amortized * vcnt - 4 = 4
      .                        .
      .____________________________.
      |_type (2 bits)_|_clusterofs_|

Therefore, encoded bits for each pack are 32 bits (4 bytes). IOWs,
since each lcluster can get 16 bits for its type and clusterofs, the
maximum supported lclustersize for compact 4B format is 16k (14 bits).

Fix this to enable compact 4B format for 16k lclusters (blocks), which
is tested on an arm64 server with 16k page size.

Fixes: 152a333a5895 ("staging: erofs: add compacted compression indexes support")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20230601112341.56960-1-hsiangkao@linux.alibaba.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: If1c45681c60f6897bb9d83662e379951084b7a32
2024-03-17 02:26:54 +01:00
Chunhai Guo
786f883cc9 erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF
[ Upstream commit 8191213a5835b0317c5e4d0d337ae1ae00c75253 ]

z_erofs_do_read_page() may loop infinitely due to the inappropriate
truncation in the below statement. Since the offset is 64 bits and min_t()
truncates the result to 32 bits. The solution is to replace unsigned int
with a 64-bit type, such as erofs_off_t.
    cur = end - min_t(unsigned int, offset + end - map->m_la, end);

    - For example:
        - offset = 0x400160000
        - end = 0x370
        - map->m_la = 0x160370
        - offset + end - map->m_la = 0x400000000
        - offset + end - map->m_la = 0x00000000 (truncated as unsigned int)
    - Expected result:
        - cur = 0
    - Actual result:
        - cur = 0x370

Signed-off-by: Chunhai Guo <guochunhai@vivo.com>
Fixes: 3883a79abd ("staging: erofs: introduce VLE decompression support")
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/r/20230710093410.44071-1-guochunhai@vivo.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Change-Id: Ibbabe41c5a338a2def37b9d29cd8c229a44450f9
2024-03-17 02:26:54 +01:00
Jingbo Xu
b597945e2b erofs: fix potential overflow calculating xattr_isize
[ Upstream commit 1b3567a1969b26f709d82a874498c0754ea841c3 ]

Given on-disk i_xattr_icount is 16 bits and xattr_isize is calculated
from i_xattr_icount multiplying 4, xattr_isize has a theoretical maximum
of 256K (64K * 4).

Thus declare xattr_isize as unsigned int to avoid the potential overflow.

Fixes: bfb8674dc0 ("staging: erofs: add erofs in-memory stuffs")
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/r/20230414061810.6479-1-jefflexu@linux.alibaba.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Change-Id: I7c981e8ad55a019534a2e3f8abeb3897df5706e5
2024-03-17 02:26:53 +01:00
Gao Xiang
978a1729a7 erofs: stop parsing non-compact HEAD index if clusterofs is invalid
[ Upstream commit cc4efd3dd2ac9f89143e5d881609747ecff04164 ]

Syzbot generated a crafted image [1] with a non-compact HEAD index of
clusterofs 33024 while valid numbers should be 0 ~ lclustersize-1,
which causes the following unexpected behavior as below:

 BUG: unable to handle page fault for address: fffff52101a3fff9
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 23ffed067 P4D 23ffed067 PUD 0
 Oops: 0000 [#1] PREEMPT SMP KASAN
 CPU: 1 PID: 4398 Comm: kworker/u5:1 Not tainted 6.3.0-rc6-syzkaller-g09a9639e56c0 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
 Workqueue: erofs_worker z_erofs_decompressqueue_work
 RIP: 0010:z_erofs_decompress_queue+0xb7e/0x2b40
 ...
 Call Trace:
  <TASK>
  z_erofs_decompressqueue_work+0x99/0xe0
  process_one_work+0x8f6/0x1170
  worker_thread+0xa63/0x1210
  kthread+0x270/0x300
  ret_from_fork+0x1f/0x30

Note that normal images or images using compact indexes are not
impacted.  Let's fix this now.

[1] https://lore.kernel.org/r/000000000000ec75b005ee97fbaa@google.com

Reported-and-tested-by: syzbot+aafb3f37cfeb6534c4ac@syzkaller.appspotmail.com
Fixes: 02827e1796 ("staging: erofs: add erofs_map_blocks_iter")
Fixes: 152a333a5895 ("staging: erofs: add compacted compression indexes support")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/r/20230410173714.104604-1-hsiangkao@linux.alibaba.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Change-Id: I1725f5d72ccab455da9e1fc30aa969383ff97e7e
2024-03-17 02:26:53 +01:00
Gao Xiang
66391f6445 erofs: avoid consecutive detection for Highmem memory
[ Upstream commit 448b5a1548d87c246c3d0c3df8480d3c6eb6c11a ]

Currently, vmap()s are avoided if physical addresses are
consecutive for decompressed buffers.

I observed that is very common for 4KiB pclusters since the
numbers of decompressed pages are almost 2 or 3.

However, such detection doesn't work for Highmem pages on
32-bit machines, let's fix it now.

Reported-by: Liu Jinbao <liujinbao1@xiaomi.com>
Fixes: 7fc45dbc938a ("staging: erofs: introduce generic decompression backend")
Link: https://lore.kernel.org/r/20220708101001.21242-1-hsiangkao@linux.alibaba.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Change-Id: I5a05bb5e4feae764e820565e4a7f2cbeed8a7a3e
2024-03-17 02:26:52 +01:00
Linux Build Service Account
0e5291cd5e Merge 3b3f786414 on remote branch
Change-Id: I79aaaf94f64868f25ad4b30f77ae14eba19a8bed
2024-02-28 22:37:34 -08:00
Krupali Dhanvijay
50240b4951 qcacmn: Fix out of bound read issue in ESP ie parse
While parsing ESP IE from beacon/probe response frame,
the condition in loop to copy ESP_INFO from the ESP IE is
incorrect which will iterate for 5 times rather than 4 times,
this may cause OOB access.

data < ((uint8_t *)esp_ie + esp_ie->esp_len + 3)
Here adding 3 for esp_ie->esp_len, actually esp_len itself is
1 byte extra (esp_len = ESP_ID_EXTN + ESP_INFO * 4),
but by adding 3 again will loop for one more iteration
this will cause OOB access.

Remove 3 in loop condition to avoid one more extra iteration
and ignore ESP_ID_EXTN element for total elements, in function
util_scan_update_esp_data.

Change-Id: Ia9226e483672369af36c6914e3ac914fe9de45e5
CRs-Fixed: 3710081
2024-02-23 01:57:43 -08:00
Sarannya S
aad4cd6b05 soc: qcom: smem: Add boundary checks for partitions
Add condition check to make sure that the end address
of private entry does not go out of partition.

Change-Id: I88b3c69d86d90905b214c13a8c632b134b487a49
Signed-off-by: Sarannya S <quic_sarannya@quicinc.com>
Signed-off-by: Pranav Mahesh Phansalkar <quic_pphansal@quicinc.com>
(cherry picked from commit e9c3b19682)
2024-02-20 23:35:08 -08:00
Sebastiano Barezzi
b257c0a9a7 Merge branch 'linux-4.19.y' of https://github.com/erofs/erofs-backports into qcom/sm8250
Change-Id: I50298bcd30f6fc282ea5b92597f28fa63ed9e082
2024-02-19 18:49:53 +01:00
Linux Build Service Account
194f2bc780 Merge 78d5c31a25 on remote branch
Change-Id: I97e0979cc172ff92f0cdc023d6544f1b1ec5f5ca
2024-02-19 08:07:53 -08:00
Linux Build Service Account
c07866c956 Merge 8e71e53483 on remote branch
Change-Id: I220e60d296c8749cc064d1ac73bcedfb1d1f9254
2024-02-19 08:02:17 -08:00
Linux Build Service Account
a30e85ba93 Merge 65652c2a6d on remote branch
Change-Id: I61582124e932ed533c646bd20655f9552cfc0d59
2024-02-19 07:59:53 -08:00
Shivi Mangal
3b3f786414 msm: camera: sensor: Proper handling of race condition in util api
Power count is coming from user space which can be modified due to
access to shared memory. This change scopes the data locally so
as to avoid vulnerability of count being modified by external
means while executing due to being in shared memory.

CRs-Fixed: 3691744.

Change-Id: I57d13435453195f8aab0c9aad4414d290274ff81
Signed-off-by: Shivi Mangal <quic_smangal@quicinc.com>
2024-02-11 09:16:44 -08:00
Michael Bestas
7883946a13 Merge tag 'LA.UM.9.15.2.r1-09400-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel into android13-4.19-kona
"LA.UM.9.15.2.r1-09400-KAMORTA.QSSI14.0"

* tag 'LA.UM.9.15.2.r1-09400-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/audio-kernel:
  Audio legacy: Integer overflow in msm_lsm_ioctl_compat during audio playback usecase. size = sizeof(p_info_32) + p_info_32.param_size; This overflow issue may result in heap overflow during copying the data: memcpy(param_info_rsp, &p_info_32, sizeof(p_info_32));

Change-Id: I8869b37a4cc5223d37ec0169efb6eb2965916dd6
2024-02-10 19:51:37 +02:00
Michael Bestas
cc0094191a Merge tag 'LA.UM.9.12.r1-18100-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0 into android13-4.19-kona
"LA.UM.9.12.r1-18100-SMxx50.QSSI14.0"

* tag 'LA.UM.9.12.r1-18100-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0:
  Release 5.2.022.12B
  qcacld-3.0: Ignore CSA request for invalid channel

Change-Id: Ia539f51197bcb3922ef6ed15f3f77798afdb54b5
2024-02-10 19:49:52 +02:00
Michael Bestas
8fcb2e2841 Merge tag 'LA.UM.9.12.r1-18100-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn into android13-4.19-kona
"LA.UM.9.12.r1-18100-SMxx50.QSSI14.0"

* tag 'LA.UM.9.12.r1-18100-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn:
  qcacmn: Add sanity check to fix OOB issue
  qcacmn: Fix OOB issue

Change-Id: Icb222e07b683cc068034cf2022c9aade80fb55b3
2024-02-10 19:49:04 +02:00
Michael Bestas
f2e1c4c767 Merge tag 'LA.UM.9.12.r1-18100-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/fw-api into android13-4.19-kona
"LA.UM.9.12.r1-18100-SMxx50.QSSI14.0"

* tag 'LA.UM.9.12.r1-18100-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/fw-api:
  fw-api: CL 25639871 - update fw common interface files
  fw-api: CL 25638846 - update fw common interface files
  fw-api: CL 25637760 - update fw common interface files
  fw-api: CL 25636238 - update fw common interface files
  fw-api: CL 25618622 - update fw common interface files
  fw-api: CL 25612024 - update fw common interface files
  fw-api: CL 25601210 - update fw common interface files
  fw-api: CL 25598308 - update fw common interface files
  fw-api: CL 25585821 - update fw common interface files
  fw-api: CL 25582070 - update fw common interface files
  fw-api: CL 25582068 - update fw common interface files
  fw-api: CL 25560130 - update fw common interface files
  fw-api: CL 25538998 - update fw common interface files
  fw-api: CL 25538692 - update fw common interface files
  fw-api: CL 25526295 - update fw common interface files
  fw-api: CL 25522189 - update fw common interface files
  fw-api: CL 25493022 - update fw common interface files
  fw-api: CL 25473754 - update fw common interface files
  fw-api: CL 25397057 - update fw common interface files
  fw-api: CL 25394812 - update fw common interface files
  fw-api: CL 25328958 - update fw common interface files
  fw-api: CL 25314900 - update fw common interface files
  fw-api: CL 25308727 - update fw common interface files
  fw-api: CL 25273382 - update fw common interface files
  fw-api: CL 25272219 - update fw common interface files
  fw-api: CL 25266026 - update fw common interface files
  fw-api: CL 25234042 - update fw common interface files
  fw-api: CL 25234039 - update fw common interface files
  fw-api: CL 25210870 - update fw common interface files
  fw-api: CL 25171661 - update fw common interface files
  fw-api: CL 25170657 - update fw common interface files
  fw-api: CL 25166743 - update fw common interface files
  fw-api: CL 25134675 - update fw common interface files
  fw-api: CL 25104555 - update fw common interface files
  fw-api: CL 25104553 - update fw common interface files
  fw-api: CL 25045621 - update fw common interface files
  fw-api: CL 25043321 - update fw common interface files
  fw-api: CL 25039727 - update fw common interface files
  fw-api: CL 25039724 - update fw common interface files
  fw-api: CL 25036225 - update fw common interface files
  fw-api: CL 25027860 - update fw common interface files
  fw-api: CL 25012076 - update fw common interface files
  fw-api: CL 25001184 - update fw common interface files
  fw-api: CL 24972727 - update fw common interface files
  fw-api: CL 24952424 - update fw common interface files
  fw-api: CL 24942753 - update fw common interface files
  fw-api: CL 24927565 - update fw common interface files
  fw-api: CL 24914490 - update fw common interface files
  fw-api: CL 24886188 - update fw common interface files
  fw-api: CL 24865228 - update fw common interface files
  fw-api: CL 24822236 - update fw common interface files
  fw-api: CL 24815200 - update fw common interface files
  fw-api: CL 24803979 - update fw common interface files
  fw-api: CL 24760251 - update fw common interface files
  fw-api: CL 24704966 - update fw common interface files

Change-Id: Id6cc0f13f2d7ef9e396e3c21a0bf40334305cd86
2024-02-10 19:45:57 +02:00
Michael Bestas
5419dea4e7 Merge tag 'LA.UM.9.12.r1-18100-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.19 into android13-4.19-kona
"LA.UM.9.12.r1-18100-SMxx50.QSSI14.0"

* tag 'LA.UM.9.12.r1-18100-SMxx50.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.19:
  msm: kgsl: Do not release dma and anon buffers if unmap fails
  mmc: sdhci-msm: Reset GCC_SDCC_BCR register for SDHC
  usb: phy: Enable clock before accessing EUD register space
  loop: Select I/O scheduler 'none' from inside add_disk()
  BACKPORT: loop: Fix missing discard support when using LOOP_CONFIGURE
  UPSTREAM: loop: unset GENHD_FL_NO_PART_SCAN on LOOP_CONFIGURE
  loop: Check for overflow while configuring loop
  BACKPORT: loop: Set correct device size when using LOOP_CONFIGURE
  cnss2: Add support for configuring calibration duration
  block: delete part_round_stats and switch to less precise counting
  BACKPORT: media: venus: hfi_parser: Add check for number of codecs
  BACKPORT: media: venus: hfi: add checks in capabilities from firmware
  BACKPORT: media: venus: hfi: fix the check in session buffer requirement
  BACKPORT: media: venus: hfi: add checks to perform sanity on queue pointers
  vidc_3x: venc: Add missing level in h263
  msm: kgsl: Do not free sharedmem if it cannot be unmapped
  vidc_3x: Return EBUSY if mbpf check fails
  soc: qcom: qmi_encdec: out of bound check for input buffer

 Conflicts:
	drivers/media/platform/qcom/venus/hfi_parser.c
	drivers/media/platform/qcom/venus/hfi_venus.c

Change-Id: I79781403e7d2e6417196eda9f67015c998d1e8d4
2024-02-10 19:44:46 +02:00
qctecmdr
65652c2a6d Merge "msm: npu: Fix OOB issue in IPC between driver and firmware"
2024-02-06 13:06:07 -08:00
Michael Bestas
2ad5dc817b Merge tag 'ASB-2024-02-05_4.19-stable' of https://android.googlesource.com/kernel/common into android13-4.19-kona
https://source.android.com/docs/security/bulletin/2024-02-01

* tag 'ASB-2024-02-05_4.19-stable' of https://android.googlesource.com/kernel/common:
  Reapply "perf: Fix perf_event_validate_size()"
  UPSTREAM: usb: raw-gadget: properly handle interrupted requests
  UPSTREAM: mm/cma: use nth_page() in place of direct struct page manipulation
  UPSTREAM: wireguard: allowedips: expand maximum node depth
  UPSTREAM: coresight: tmc: Explicit type conversions to prevent integer overflow
  UPSTREAM: wireguard: netlink: send staged packets when setting initial private key
  UPSTREAM: wireguard: queueing: use saner cpu selection wrapping
  UPSTREAM: kheaders: Use array declaration instead of char
  UPSTREAM: arm64: efi: Make efi_rt_lock a raw_spinlock
  UPSTREAM: sched/psi: Fix use-after-free in ep_remove_wait_queue()
  UPSTREAM: usb: musb: mediatek: don't unregister something that wasn't registered
  UPSTREAM: xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()
  UPSTREAM: xfrm: compat: change expression for switch in xfrm_xlate64
  UPSTREAM: perf/core: Call LSM hook after copying perf_event_attr
  Linux 4.19.306
  crypto: scompress - initialize per-CPU variables on each CPU
  Revert "NFSD: Fix possible sleep during nfsd4_release_lockowner()"
  i2c: s3c24xx: fix transferring more than one message in polling mode
  i2c: s3c24xx: fix read transfers in polling mode
  kdb: Fix a potential buffer overflow in kdb_local()
  kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ
  ipvs: avoid stat macros calls from preemptible context
  net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe
  net: ravb: Fix dma_addr_t truncation in error case
  net: qualcomm: rmnet: fix global oob in rmnet_policy
  serial: imx: Correct clock error message in function probe()
  apparmor: avoid crash when parsed profile name is empty
  perf genelf: Set ELF program header addresses properly
  acpi: property: Let args be NULL in __acpi_node_get_property_reference
  MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup()
  MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup()
  HID: wacom: Correct behavior when processing some confidence == false touches
  wifi: mwifiex: configure BSSID consistently when starting AP
  wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors
  wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code
  fbdev: flush deferred work in fb_deferred_io_fsync()
  ALSA: oxygen: Fix right channel of capture volume mixer
  usb: mon: Fix atomicity violation in mon_bin_vma_fault
  usb: typec: class: fix typec_altmode_put_partner to put plugs
  Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs"
  usb: chipidea: wait controller resume finished for wakeup irq
  Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only"
  Revert "usb: dwc3: Soft reset phy on probe for host"
  usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart
  usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host()
  tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug
  binder: fix unused alloc->free_async_space
  binder: fix race between mmput() and do_exit()
  xen-netback: don't produce zero-size SKB frags
  Revert "ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek"
  Input: atkbd - use ab83 as id when skipping the getid command
  binder: fix async space check for 0-sized buffers
  of: unittest: Fix of_count_phandle_with_args() expected value message
  of: Fix double free in of_parse_phandle_with_args_map
  mmc: sdhci_omap: Fix TI SoC dependencies
  watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling
  watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO
  watchdog: set cdev owner before adding
  gpu/drm/radeon: fix two memleaks in radeon_vm_init
  drivers/amd/pm: fix a use-after-free in kv_parse_power_table
  drm/amd/pm: fix a double-free in si_dpm_init
  drm/amdgpu/debugfs: fix error code when smc register accessors are NULL
  media: dvbdev: drop refcount on error path in dvb_device_open()
  media: cx231xx: fix a memleak in cx231xx_init_isoc
  drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table
  drm/radeon/dpm: fix a memleak in sumo_parse_power_table
  drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()
  drm/drv: propagate errors from drm_modeset_register_all()
  drm/msm/mdp4: flush vblank event on disable
  ASoC: cs35l34: Fix GPIO name and drop legacy include
  ASoC: cs35l33: Fix GPIO name and drop legacy include
  drm/radeon: check return value of radeon_ring_lock()
  drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check()
  drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg()
  f2fs: fix to avoid dirent corruption
  drm/bridge: Fix typo in post_disable() description
  media: pvrusb2: fix use after free on context disconnection
  RDMA/usnic: Silence uninitialized symbol smatch warnings
  ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
  Bluetooth: btmtkuart: fix recv_buf() return value
  Bluetooth: Fix bogus check for re-auth no supported with non-ssp
  wifi: rtlwifi: rtl8192se: using calculate_bit_shift()
  wifi: rtlwifi: rtl8192ee: using calculate_bit_shift()
  wifi: rtlwifi: rtl8192de: using calculate_bit_shift()
  rtlwifi: rtl8192de: make arrays static const, makes object smaller
  wifi: rtlwifi: rtl8192ce: using calculate_bit_shift()
  wifi: rtlwifi: rtl8192cu: using calculate_bit_shift()
  wifi: rtlwifi: rtl8192c: using calculate_bit_shift()
  wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift()
  wifi: rtlwifi: add calculate_bit_shift()
  dma-mapping: clear dev->dma_mem to NULL after freeing it
  scsi: hisi_sas: Replace with standard error code return value
  wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior
  rtlwifi: Use ffs in <foo>_phy_calculate_bit_shift
  firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create()
  net/ncsi: Fix netlink major/minor version numbers
  ncsi: internal.h: Fix a spello
  ARM: dts: qcom: apq8064: correct XOADC register address
  wifi: libertas: stop selecting wext
  bpf, lpm: Fix check prefixlen before walking trie
  NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT
  blocklayoutdriver: Fix reference leak of pnfs_device_node
  crypto: scomp - fix req->dst buffer overflow
  crypto: scompress - Use per-CPU struct instead multiple variables
  crypto: scompress - return proper error code for allocation failure
  crypto: sahara - do not resize req->src when doing hash operations
  crypto: sahara - fix processing hash requests with req->nbytes < sg->length
  crypto: sahara - improve error handling in sahara_sha_process()
  crypto: sahara - fix wait_for_completion_timeout() error handling
  crypto: sahara - fix ahash reqsize
  crypto: virtio - Wait for tasklet to complete on device remove
  pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
  crypto: sahara - fix error handling in sahara_hw_descriptor_create()
  crypto: sahara - fix processing requests with cryptlen < sg->length
  crypto: sahara - fix ahash selftest failure
  crypto: sahara - remove FLAGS_NEW_KEY logic
  crypto: af_alg - Disallow multiple in-flight AIO requests
  crypto: ccp - fix memleak in ccp_init_dm_workarea
  crypto: virtio - Handle dataq logic with tasklet
  selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket
  mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
  calipso: fix memory leak in netlbl_calipso_add_pass()
  netlabel: remove unused parameter in netlbl_netlink_auditinfo()
  net: netlabel: Fix kerneldoc warnings
  ACPI: LPIT: Avoid u32 multiplication overflow
  ACPI: video: check for error while searching for backlight device parent
  mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response
  powerpc/imc-pmu: Add a null pointer check in update_events_in_group()
  powerpc/powernv: Add a null pointer check in opal_event_init()
  selftests/powerpc: Fix error handling in FPU/VMX preemption tests
  powerpc/pseries/memhp: Fix access beyond end of drmem array
  powerpc/pseries/memhotplug: Quieten some DLPAR operations
  powerpc/44x: select I2C for CURRITUCK
  powerpc: remove redundant 'default n' from Kconfig-s
  powerpc: add crtsavres.o to always-y instead of extra-y
  EDAC/thunderx: Fix possible out-of-bounds string access
  x86/lib: Fix overflow when counting digits
  coresight: etm4x: Fix width of CCITMIN field
  uio: Fix use-after-free in uio_open
  binder: fix comment on binder_alloc_new_buf() return value
  binder: use EPOLLERR from eventpoll.h
  drm/crtc: fix uninitialized variable use
  ARM: sun9i: smp: fix return code check of of_property_match_string
  Input: xpad - add Razer Wolverine V2 support
  ARC: fix spare error
  s390/scm: fix virtual vs physical address confusion
  Input: i8042 - add nomux quirk for Acer P459-G2-M
  Input: atkbd - skip ATKBD_CMD_GETID in translated mode
  reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning
  ring-buffer: Do not record in NMI if the arch does not support cmpxchg in NMI
  tracing: Add size check when printing trace_marker output
  tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing
  drm/crtc: Fix uninit-value bug in drm_mode_setcrtc
  jbd2: correct the printing of write_flags in jbd2_write_superblock()
  clk: rockchip: rk3128: Fix HCLK_OTG gate register
  drm/exynos: fix a potential error pointer dereference
  ASoC: da7219: Support low DC impedance headset
  net/tg3: fix race condition in tg3_reset_task()
  ASoC: rt5650: add mutex to avoid the jack detection failure
  ASoC: cs43130: Fix incorrect frame delay configuration
  ASoC: cs43130: Fix the position of const qualifier
  ASoC: Intel: Skylake: mem leak in skl register function
  f2fs: explicitly null-terminate the xattr list
  UPSTREAM: wifi: cfg80211: fix buffer overflow in elem comparison
  UPSTREAM: gcov: clang: fix the buffer overflow issue
  BACKPORT: selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
  UPSTREAM: wifi: cfg80211: avoid nontransmitted BSS list corruption
  UPSTREAM: wifi: cfg80211: fix BSS refcounting bugs
  UPSTREAM: wifi: cfg80211: ensure length byte is present before access
  UPSTREAM: wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
  UPSTREAM: wireguard: netlink: avoid variable-sized memcpy on sockaddr
  UPSTREAM: wireguard: ratelimiter: disable timings test by default
  UPSTREAM: crypto: lib - remove unneeded selection of XOR_BLOCKS
  UPSTREAM: wireguard: allowedips: don't corrupt stack when detecting overflow
  UPSTREAM: wireguard: ratelimiter: use hrtimer in selftest
  UPSTREAM: crypto: arm64/poly1305 - fix a read out-of-bound
  UPSTREAM: wifi: mac80211_hwsim: set virtio device ready in probe()
  UPSTREAM: crypto: memneq - move into lib/
  UPSTREAM: dma-buf: fix use of DMA_BUF_SET_NAME_{A,B} in userspace
  BACKPORT: usb: typec: mux: Check dev_set_name() return value
  UPSTREAM: wireguard: device: check for metadata_dst with skb_valid_dst()
  UPSTREAM: sched/fair: Fix cfs_rq_clock_pelt() for throttled cfs_rq
  UPSTREAM: cfg80211: hold bss_lock while updating nontrans_list
  UPSTREAM: wireguard: socket: ignore v6 endpoints when ipv6 is disabled
  UPSTREAM: wireguard: socket: free skb in send6 when ipv6 is disabled
  UPSTREAM: wireguard: queueing: use CFI-safe ptr_ring cleanup function
  UPSTREAM: mm: don't try to NUMA-migrate COW pages that have other uses
  UPSTREAM: copy_process(): Move fd_install() out of sighand->siglock critical section
  UPSTREAM: usb: raw-gadget: fix handling of dual-direction-capable endpoints
  UPSTREAM: psi: Fix "no previous prototype" warnings when CONFIG_CGROUPS=n
  UPSTREAM: sched/uclamp: Fix rq->uclamp_max not set on first enqueue
  UPSTREAM: wireguard: selftests: increase default dmesg log size
  UPSTREAM: wireguard: allowedips: add missing __rcu annotation to satisfy sparse
  UPSTREAM: sched/uclamp: Fix uclamp_tg_restrict()
  UPSTREAM: coresight: etm4x: Fix etm4_count race by moving cpuhp callbacks to init
  UPSTREAM: sched/uclamp: Fix a deadlock when enabling uclamp static key
  UPSTREAM: mac80211_hwsim: use GFP_ATOMIC under spin lock
  UPSTREAM: usercopy: Avoid soft lockups in test_check_nonzero_user()
  UPSTREAM: lib: test_user_copy: style cleanup
  UPSTREAM: fork: return proper negative error code
  Revert "ipv6: make ip6_rt_gc_expire an atomic_t"
  Revert "ipv6: remove max_size check inline with ipv4"
  Linux 4.19.305
  ipv6: remove max_size check inline with ipv4
  ipv6: make ip6_rt_gc_expire an atomic_t
  net/dst: use a smaller percpu_counter batch for dst entries accounting
  net: add a route cache full diagnostic message
  PCI: Disable ATS for specific Intel IPU E2000 devices
  PCI: Extract ATS disabling to a helper function
  netfilter: nf_tables: Reject tables of unsupported family
  fuse: nlookup missing decrement in fuse_direntplus_link
  mmc: core: Cancel delayed work before releasing host
  mmc: rpmb: fixes pause retune on all RPMB partitions.
  mm: fix unmap_mapping_range high bits shift bug
  firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards
  mm/memory-failure: check the mapcount of the precise page
  bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters()
  asix: Add check for usbnet_get_endpoints
  net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues
  net/qla3xxx: switch from 'pci_' to 'dma_' API
  i40e: Restore VF MSI-X state during PCI reset
  i40e: fix use-after-free in i40e_aqc_add_filters()
  net: Save and restore msg_namelen in sock_sendmsg
  net: bcmgenet: Fix FCS generation for fragmented skbuffs
  ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init
  net: sched: em_text: fix possible memory leak in em_text_destroy()
  i40e: Fix filter input checks to prevent config with invalid values
  nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local
  UPSTREAM: fsverity: skip PKCS#7 parser when keyring is empty

 Conflicts:
	drivers/hwtracing/coresight/coresight-etm4x.c
	drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
	include/linux/psi.h
	mm/memory-failure.c
	net/wireless/scan.c

Change-Id: I49b769cb8387e5d5f28730d13cbdf4ffd335dc70
2024-02-06 16:07:32 +02:00
Lynus Vaz
b209a01620 msm: kgsl: Do not release dma and anon buffers if unmap fails
If iommu unmap fails and leaves dma or anon buffers still mapped in the
iommu, do not free them.

Change-Id: Ice0e1a59c1ac0ee7a9d62d8899966b84fa63d5ca
Signed-off-by: Lynus Vaz <quic_lvaz@quicinc.com>
(cherry picked from commit ab27a52cf1)
2024-02-04 17:43:28 -08:00
qctecmdr
17bda50f8a Merge "msm: kgsl: Do not release dma and anon buffers if unmap fails" 2024-02-04 08:59:25 -08:00
Greg Kroah-Hartman
01a4672abf Reapply "perf: Fix perf_event_validate_size()"
This reverts commit aa6c8427d1 which is
commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b upstream.

Bug: 316932704
Change-Id: I69bfbf5180f57592ce285ea14f6f7b7c1b2b0f8f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2024-02-02 03:33:45 +00:00
Andrey Konovalov
5a194b81e4 UPSTREAM: usb: raw-gadget: properly handle interrupted requests
Currently, if a USB request that was queued by Raw Gadget is interrupted
(via a signal), wait_for_completion_interruptible returns -ERESTARTSYS.
Raw Gadget then attempts to propagate this value to userspace as a return
value from its ioctls. However, when -ERESTARTSYS is returned by a syscall
handler, the kernel internally restarts the syscall.

This doesn't allow userspace applications to interrupt requests queued by
Raw Gadget (which is required when the emulated device is asked to switch
altsettings). It also violates the implied interface of Raw Gadget that a
single ioctl must only queue a single USB request.

Instead, make Raw Gadget do what GadgetFS does: check whether the request
was interrupted (dequeued with status == -ECONNRESET) and report -EINTR to
userspace.

Bug: 254441685
Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface")
Cc: stable <stable@kernel.org>
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
Link: https://lore.kernel.org/r/0db45b1d7cc466e3d4d1ab353f61d63c977fbbc5.1698350424.git.andreyknvl@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e8033bde451eddfb9b1bbd6e2d848c1b5c277222)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I7c684cc6079d2ec31986633c29e5a41954b80c84
2024-01-31 14:53:21 +00:00
Zi Yan
84d20fbb33 UPSTREAM: mm/cma: use nth_page() in place of direct struct page manipulation
Patch series "Use nth_page() in place of direct struct page manipulation",
v3.

On SPARSEMEM without VMEMMAP, struct page is not guaranteed to be
contiguous, since each memory section's memmap might be allocated
independently.  hugetlb pages can go beyond a memory section size, thus
direct struct page manipulation on hugetlb pages/subpages might give wrong
struct page.  Kernel provides nth_page() to do the manipulation properly.
Use that whenever code can see hugetlb pages.

This patch (of 5):

When dealing with hugetlb pages, manipulating struct page pointers
directly can get to wrong struct page, since struct page is not guaranteed
to be contiguous on SPARSEMEM without VMEMMAP.  Use nth_page() to handle
it properly.

Without the fix, page_kasan_tag_reset() could reset wrong page tags,
causing a wrong kasan result.  No related bug is reported.  The fix
comes from code inspection.

Bug: 254441685
Link: https://lkml.kernel.org/r/20230913201248.452081-1-zi.yan@sent.com
Link: https://lkml.kernel.org/r/20230913201248.452081-2-zi.yan@sent.com
Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc")
Signed-off-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: Muchun Song <songmuchun@bytedance.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 2e7cfe5cd5b6b0b98abf57a3074885979e187c1c)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ib62455867ec73728b47f7f93e809bd6d0131208a
2024-01-31 14:53:21 +00:00
Lynus Vaz
ab27a52cf1 msm: kgsl: Do not release dma and anon buffers if unmap fails
If iommu unmap fails and leaves dma or anon buffers still mapped in the
iommu, do not free them.

Change-Id: Ice0e1a59c1ac0ee7a9d62d8899966b84fa63d5ca
Signed-off-by: Lynus Vaz <quic_lvaz@quicinc.com>
2024-01-31 11:44:37 +05:30
Lynus Vaz
69df853d40 msm: kgsl: Keep the timeline fence valid for logging
The timeline fence needs to remain valid for logging purposes. Take an
extra refcount on the timeline dma_fence to make sure it doesn't go
away till we're done with it.

Change-Id: I6670ef7add099a72684c1fe20ed009dff85d1f27
Signed-off-by: Lynus Vaz <quic_lvaz@quicinc.com>
2024-01-31 11:35:01 +05:30
Linux Build Service Account
cf193fc836 Merge b32bf002db on remote branch
Change-Id: I878b7eaac48c16f3cc1e15aca72df1011705c682
2024-01-30 21:22:38 -08:00
Linux Build Service Account
4d9cb96bfb Merge 1e664b6f58 on remote branch
Change-Id: Ie44273adaf40fe8e369bba9d3b46a9509fc13c03
2024-01-30 20:24:00 -08:00
Shivi Mangal
78d5c31a25 msm: camera: sensor: Proper handling of race condition in util api
Power count is coming from user space which can be modified due to
access to shared memory. This change scopes the data locally so
as to avoid vulnerability of count being modified by external
means while executing due to being in shared memory.

CRs-Fixed: 3691744.

Change-Id: I57d13435453195f8aab0c9aad4414d290274ff81
Signed-off-by: Shivi Mangal <quic_smangal@quicinc.com>
2024-01-30 03:21:18 -08:00
Linux Build Service Account
724bbe814d Merge 3d5955a210 on remote branch
Change-Id: I58bd1c7ceece50921c0e72fdfa15a9baff06ea81
2024-01-30 00:30:06 -08:00
Jason A. Donenfeld
441c7703c2 UPSTREAM: wireguard: allowedips: expand maximum node depth
In the allowedips self-test, nodes are inserted into the tree, but it
generated an even amount of nodes, but for checking maximum node depth,
there is of course the root node, which makes the total number
necessarily odd. With too few nodes added, it never triggered the
maximum depth check like it should have. So, add 129 nodes instead of
128 nodes, and do so with a more straightforward scheme, starting with
all the bits set, and shifting over one each time. Then increase the
maximum depth to 129, and choose a better name for that variable to
make it clear that it represents depth as opposed to bits.

Bug: 254441685
Cc: stable@vger.kernel.org
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://lore.kernel.org/r/20230807132146.2191597-2-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 46622219aae2b67813fe31a7b8cb7da5baff5c8a)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ib18397ecea77df6e10802bd625a06c4dacb2cafd
2024-01-29 15:48:16 +00:00
Ruidong Tian
a777b7b963 UPSTREAM: coresight: tmc: Explicit type conversions to prevent integer overflow
Perf cs_etm session executed unexpectedly when AUX buffer > 1G.

  perf record -C 0 -m ,2G -e cs_etm// -- <workload>
  [ perf record: Captured and wrote 2.615 MB perf.data ]

Perf only collect about 2M perf data rather than 2G. This is because
the operation, "nr_pages << PAGE_SHIFT", in coresight tmc driver, will
overflow when nr_pages >= 0x80000(correspond to 1G AUX buffer). The
overflow cause buffer allocation to fail, and TMC driver will alloc
minimal buffer size(1M). You can just get about 2M perf data(1M AUX
buffer + perf data header) at least.

Explicit convert nr_pages to 64 bit to avoid overflow.

Bug: 254441685
Fixes: 22f429f19c41 ("coresight: etm-perf: Add support for ETR backend")
Fixes: 99443ea19e ("coresight: Add generic TMC sg table framework")
Fixes: 2e499bbc1a ("coresight: tmc: implementing TMC-ETF AUX space API")
Signed-off-by: Ruidong Tian <tianruidong@linux.alibaba.com>
Reviewed-by: James Clark <james.clark@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20230804081514.120171-2-tianruidong@linux.alibaba.com
(cherry picked from commit fd380097cdb305582b7a1f9476391330299d2c59)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I0ebd4afabf2b6bef525712416135ffb34d1f7cd3
2024-01-29 15:47:58 +00:00
Jason A. Donenfeld
4f6171eb77 UPSTREAM: wireguard: netlink: send staged packets when setting initial private key
Packets bound for peers can queue up prior to the device private key
being set. For example, if persistent keepalive is set, a packet is
queued up to be sent as soon as the device comes up. However, if the
private key hasn't been set yet, the handshake message never sends, and
no timer is armed to retry, since that would be pointless.

But, if a user later sets a private key, the expectation is that those
queued packets, such as a persistent keepalive, are actually sent. So
adjust the configuration logic to account for this edge case, and add a
test case to make sure this works.

Maxim noticed this with a wg-quick(8) config to the tune of:

    [Interface]
    PostUp = wg set %i private-key somefile

    [Peer]
    PublicKey = ...
    Endpoint = ...
    PersistentKeepalive = 25

Here, the private key gets set after the device comes up using a PostUp
script, triggering the bug.

Bug: 254441685
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Cc: stable@vger.kernel.org
Reported-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Tested-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@gmail.com/
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit f58d0a9b4c6a7a5199c3af967e43cc8b654604d4)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ibd4ca40b44ec6c2e0e75b026b2f63dfda37b4b34
2024-01-29 15:46:49 +00:00
Jason A. Donenfeld
186142d8b2 UPSTREAM: wireguard: queueing: use saner cpu selection wrapping
Using `% nr_cpumask_bits` is slow and complicated, and not totally
robust toward dynamic changes to CPU topologies. Rather than storing the
next CPU in the round-robin, just store the last one, and also return
that value. This simplifies the loop drastically into a much more common
pattern.

Bug: 254441685
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Cc: stable@vger.kernel.org
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Manuel Leiner <manuel.leiner@gmx.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 7387943fa35516f6f8017a3b0e9ce48a3bef9faa)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: If8ee62e0fd2aa01333b63c905734059ac2bf3c6f
2024-01-29 15:46:43 +00:00
Kees Cook
2ed479d689 UPSTREAM: kheaders: Use array declaration instead of char
Under CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination
and source buffers. Defining kernel_headers_data as "char" would trip
this check. Since these addresses are treated as byte arrays, define
them as arrays (as done everywhere else).

This was seen with:

  $ cat /sys/kernel/kheaders.tar.xz >> /dev/null

  detected buffer overflow in memcpy
  kernel BUG at lib/string_helpers.c:1027!
  ...
  RIP: 0010:fortify_panic+0xf/0x20
  [...]
  Call Trace:
   <TASK>
   ikheaders_read+0x45/0x50 [kheaders]
   kernfs_fop_read_iter+0x1a4/0x2f0
  ...

Bug: 254441685
Reported-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/bpf/20230302112130.6e402a98@kernel.org/
Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Tested-by: Jakub Kicinski <kuba@kernel.org>
Fixes: 43d8ce9d65a5 ("Provide in-kernel headers to make extending kernel easier")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230302224946.never.243-kees@kernel.org
(cherry picked from commit b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I73c7530b9c558c1c8dac5f8962dbc31c553c0be7
2024-01-29 15:46:25 +00:00
Pierre Gondois
ad6d64c238 UPSTREAM: arm64: efi: Make efi_rt_lock a raw_spinlock
Running a rt-kernel based on 6.2.0-rc3-rt1 on an Ampere Altra outputs
the following:
  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 9, name: kworker/u320:0
  preempt_count: 2, expected: 0
  RCU nest depth: 0, expected: 0
  3 locks held by kworker/u320:0/9:
  #0: ffff3fff8c27d128 ((wq_completion)efi_rts_wq){+.+.}-{0:0}, at: process_one_work (./include/linux/atomic/atomic-long.h:41)
  #1: ffff80000861bdd0 ((work_completion)(&efi_rts_work.work)){+.+.}-{0:0}, at: process_one_work (./include/linux/atomic/atomic-long.h:41)
  #2: ffffdf7e1ed3e460 (efi_rt_lock){+.+.}-{3:3}, at: efi_call_rts (drivers/firmware/efi/runtime-wrappers.c:101)
  Preemption disabled at:
  efi_virtmap_load (./arch/arm64/include/asm/mmu_context.h:248)
  CPU: 0 PID: 9 Comm: kworker/u320:0 Tainted: G        W          6.2.0-rc3-rt1
  Hardware name: WIWYNN Mt.Jade Server System B81.03001.0005/Mt.Jade Motherboard, BIOS 1.08.20220218 (SCP: 1.08.20220218) 2022/02/18
  Workqueue: efi_rts_wq efi_call_rts
  Call trace:
  dump_backtrace (arch/arm64/kernel/stacktrace.c:158)
  show_stack (arch/arm64/kernel/stacktrace.c:165)
  dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
  dump_stack (lib/dump_stack.c:114)
  __might_resched (kernel/sched/core.c:10134)
  rt_spin_lock (kernel/locking/rtmutex.c:1769 (discriminator 4))
  efi_call_rts (drivers/firmware/efi/runtime-wrappers.c:101)
  [...]

This seems to come from commit ff7a167961d1 ("arm64: efi: Execute
runtime services from a dedicated stack") which adds a spinlock. This
spinlock is taken through:
efi_call_rts()
\-efi_call_virt()
  \-efi_call_virt_pointer()
    \-arch_efi_call_virt_setup()

Make 'efi_rt_lock' a raw_spinlock to avoid being preempted.

[ardb: The EFI runtime services are called with a different set of
       translation tables, and are permitted to use the SIMD registers.
       The context switch code preserves/restores neither, and so EFI
       calls must be made with preemption disabled, rather than only
       disabling migration.]

Bug: 254441685
Fixes: ff7a167961d1 ("arm64: efi: Execute runtime services from a dedicated stack")
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Cc: <stable@vger.kernel.org> # v6.1+
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
(cherry picked from commit 0e68b5517d3767562889f1d83fdb828c26adb24f)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ica7d8304ae5f4df7486821ee618f8e1455429128
2024-01-29 15:46:06 +00:00
Munehisa Kamata
853e029bb2 UPSTREAM: sched/psi: Fix use-after-free in ep_remove_wait_queue()
If a non-root cgroup gets removed when there is a thread that registered
trigger and is polling on a pressure file within the cgroup, the polling
waitqueue gets freed in the following path:

 do_rmdir
   cgroup_rmdir
     kernfs_drain_open_files
       cgroup_file_release
         cgroup_pressure_release
           psi_trigger_destroy

However, the polling thread still has a reference to the pressure file and
will access the freed waitqueue when the file is closed or upon exit:

 fput
   ep_eventpoll_release
     ep_free
       ep_remove_wait_queue
         remove_wait_queue

This results in use-after-free as pasted below.

The fundamental problem here is that cgroup_file_release() (and
consequently waitqueue's lifetime) is not tied to the file's real lifetime.
Using wake_up_pollfree() here might be less than ideal, but it is in line
with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()")
since the waitqueue's lifetime is not tied to file's one and can be
considered as another special case. While this would be fixable by somehow
making cgroup_file_release() be tied to the fput(), it would require
sizable refactoring at cgroups or higher layer which might be more
justifiable if we identify more cases like this.

  BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0
  Write of size 4 at addr ffff88810e625328 by task a.out/4404

	CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38
	Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017
	Call Trace:
	<TASK>
	dump_stack_lvl+0x73/0xa0
	print_report+0x16c/0x4e0
	kasan_report+0xc3/0xf0
	kasan_check_range+0x2d2/0x310
	_raw_spin_lock_irqsave+0x60/0xc0
	remove_wait_queue+0x1a/0xa0
	ep_free+0x12c/0x170
	ep_eventpoll_release+0x26/0x30
	__fput+0x202/0x400
	task_work_run+0x11d/0x170
	do_exit+0x495/0x1130
	do_group_exit+0x100/0x100
	get_signal+0xd67/0xde0
	arch_do_signal_or_restart+0x2a/0x2b0
	exit_to_user_mode_prepare+0x94/0x100
	syscall_exit_to_user_mode+0x20/0x40
	do_syscall_64+0x52/0x90
	entry_SYSCALL_64_after_hwframe+0x63/0xcd
	</TASK>

 Allocated by task 4404:

	kasan_set_track+0x3d/0x60
	__kasan_kmalloc+0x85/0x90
	psi_trigger_create+0x113/0x3e0
	pressure_write+0x146/0x2e0
	cgroup_file_write+0x11c/0x250
	kernfs_fop_write_iter+0x186/0x220
	vfs_write+0x3d8/0x5c0
	ksys_write+0x90/0x110
	do_syscall_64+0x43/0x90
	entry_SYSCALL_64_after_hwframe+0x63/0xcd

 Freed by task 4407:

	kasan_set_track+0x3d/0x60
	kasan_save_free_info+0x27/0x40
	____kasan_slab_free+0x11d/0x170
	slab_free_freelist_hook+0x87/0x150
	__kmem_cache_free+0xcb/0x180
	psi_trigger_destroy+0x2e8/0x310
	cgroup_file_release+0x4f/0xb0
	kernfs_drain_open_files+0x165/0x1f0
	kernfs_drain+0x162/0x1a0
	__kernfs_remove+0x1fb/0x310
	kernfs_remove_by_name_ns+0x95/0xe0
	cgroup_addrm_files+0x67f/0x700
	cgroup_destroy_locked+0x283/0x3c0
	cgroup_rmdir+0x29/0x100
	kernfs_iop_rmdir+0xd1/0x140
	vfs_rmdir+0xfe/0x240
	do_rmdir+0x13d/0x280
	__x64_sys_rmdir+0x2c/0x30
	do_syscall_64+0x43/0x90
	entry_SYSCALL_64_after_hwframe+0x63/0xcd

Bug: 254441685
Fixes: 0e94682b73bf ("psi: introduce psi monitor")
Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
Signed-off-by: Mengchi Cheng <mengcc@amazon.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Suren Baghdasaryan <surenb@google.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/lkml/20230106224859.4123476-1-kamatam@amazon.com/
Link: https://lore.kernel.org/r/20230214212705.4058045-1-kamatam@amazon.com
(cherry picked from commit c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I9677499b2885149a1070f508931113ad8a02277a
2024-01-29 15:45:52 +00:00
Dan Carpenter
42222dcf68 UPSTREAM: usb: musb: mediatek: don't unregister something that wasn't registered
This function only calls mtk_otg_switch_init() when the ->port_mode
is MUSB_OTG so the clean up code should only call mtk_otg_switch_exit()
for that mode.

Bug: 254441685
Fixes: 0990366bab3c ("usb: musb: Add support for MediaTek musb controller")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/Y8/3TqpqiSr0RxFH@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ba883de971d1ad018f3083d9195b8abe54d87407)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I71fbbad4e139bae46b9101942098295e6e1246b4
2024-01-29 15:44:15 +00:00
Eric Dumazet
de9f37db04 UPSTREAM: xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()
  int type = nla_type(nla);

  if (type > XFRMA_MAX) {
            return -EOPNOTSUPP;
  }

@type is then used as an array index and can be used
as a Spectre v1 gadget.

  if (nla_len(nla) < compat_policy[type].len) {

array_index_nospec() can be used to prevent leaking
content of kernel memory to malicious users.

Bug: 254441685
Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Dmitry Safonov <dima@arista.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit b6ee896385380aa621102e8ea402ba12db1cabff)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Iac8d61100685ad513e04d2623fe0b79ba331167a
2024-01-29 15:44:09 +00:00