author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-20 14:14:32 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-20 14:14:32 +0100 |
commit | 6b66a360f4becab547b4e885d47ba97e82e84f6a (patch) | |
tree | b12015641fdae0e7a9c66a71e1caaf307a1dee63 | |
parent | 4a91b9de3cabddfd11a0112d62cb0737cb61c9b3 (diff) | |
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | cve/review/mbox.6.7.1 | 42 | ||||
-rw-r--r-- | cve/review/mbox.6.7.1.cve | 42 | ||||
-rw-r--r-- | cve/review/mbox.6.7.2 | 538 | ||||
-rw-r--r-- | cve/review/mbox.6.7.2.cve | 451 |
4 files changed, 585 insertions, 488 deletions
diff --git a/cve/review/mbox.6.7.1 b/cve/review/mbox.6.7.1 index 000b1705..535e7191 100644 --- a/cve/review/mbox.6.7.1 +++ b/cve/review/mbox.6.7.1 @@ -2394,3 +2394,45 @@ index c6f549f6a4ae..186da2386a06 100644 -- 2.43.2 +From f6c30bfe5a49bc38cae985083a11016800708fea Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Mon, 6 Nov 2023 20:44:34 -0800 +Subject: [PATCH 01/29] f2fs: explicitly null-terminate the xattr list +Status: RO +Content-Length: 1091 +Lines: 33 + +commit e26b6d39270f5eab0087453d9b544189a38c8564 upstream. + +When setting an xattr, explicitly null-terminate the xattr list. This +eliminates the fragile assumption that the unused xattr space is always +zeroed. + +Signed-off-by: Eric Biggers <ebiggers@google.com> +Reviewed-by: Chao Yu <chao@kernel.org> +Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/f2fs/xattr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c +index 47e88b4d4e7d..a8fc2cac6879 100644 +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -754,6 +754,12 @@ static int __f2fs_setxattr(struct inode *inode, int index, + memcpy(pval, value, size); + last->e_value_size = cpu_to_le16(size); + new_hsize += newsize; ++ /* ++ * Explicitly add the null terminator. The unused xattr space ++ * is supposed to always be zeroed, which would make this ++ * unnecessary, but don't depend on that. ++ */ ++ *(u32 *)((u8 *)last + newsize) = 0; + } + + error = write_all_xattrs(inode, new_hsize, base_addr, ipage); +-- +2.43.2 + diff --git a/cve/review/mbox.6.7.1.cve b/cve/review/mbox.6.7.1.cve index dd942f83..4777e1ee 100644 --- a/cve/review/mbox.6.7.1.cve +++ b/cve/review/mbox.6.7.1.cve 
@@ -1,45 +1,3 @@ -From f6c30bfe5a49bc38cae985083a11016800708fea Mon Sep 17 00:00:00 2001 -From: Eric Biggers <ebiggers@google.com> -Date: Mon, 6 Nov 2023 20:44:34 -0800 -Subject: [PATCH 01/29] f2fs: explicitly null-terminate the xattr list -Status: RO -Content-Length: 1091 -Lines: 33 - -commit e26b6d39270f5eab0087453d9b544189a38c8564 upstream. - -When setting an xattr, explicitly null-terminate the xattr list. This -eliminates the fragile assumption that the unused xattr space is always -zeroed. - -Signed-off-by: Eric Biggers <ebiggers@google.com> -Reviewed-by: Chao Yu <chao@kernel.org> -Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - fs/f2fs/xattr.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c -index 47e88b4d4e7d..a8fc2cac6879 100644 ---- a/fs/f2fs/xattr.c -+++ b/fs/f2fs/xattr.c -@@ -754,6 +754,12 @@ static int __f2fs_setxattr(struct inode *inode, int index, - memcpy(pval, value, size); - last->e_value_size = cpu_to_le16(size); - new_hsize += newsize; -+ /* -+ * Explicitly add the null terminator. The unused xattr space -+ * is supposed to always be zeroed, which would make this -+ * unnecessary, but don't depend on that. -+ */ -+ *(u32 *)((u8 *)last + newsize) = 0; - } - - error = write_all_xattrs(inode, new_hsize, base_addr, ipage); --- -2.43.2 - From 4f6638562db5f9568dbfbe3a2a6ac80c4832f19e Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon@kernel.org> Date: Sun, 7 Jan 2024 21:24:07 +0900 diff --git a/cve/review/mbox.6.7.2 b/cve/review/mbox.6.7.2 index 93970333..69a577d7 100644 --- a/cve/review/mbox.6.7.2 +++ b/cve/review/mbox.6.7.2 @@ -7003,6 +7003,7 @@ From c299ca356594f485e28e160378899d00cac486fc Mon Sep 17 00:00:00 2001 From: Hangbin Liu <liuhangbin@gmail.com> Date: Sat, 2 Dec 2023 10:00:59 +0800 Subject: [PATCH 133/641] selftests/net: specify the interface when do arping +Status: RO Content-Length: 1976 Lines: 40 
@@ -7094,6 +7095,7 @@ From 1db951f27736d43bc4bb3807ed4bd96e255494e8 Mon Sep 17 00:00:00 2001 From: Artem Chernyshev <artem.chernyshev@red-soft.ru> Date: Tue, 28 Nov 2023 14:10:08 +0300 Subject: [PATCH 135/641] scsi: fnic: Return error if vmalloc() failed +Status: RO Content-Length: 1209 Lines: 36 @@ -7608,6 +7610,7 @@ From: Yi-Chia Hsieh <yi-chia.hsieh@mediatek.com> Date: Thu, 12 Oct 2023 15:00:26 -0700 Subject: [PATCH 146/641] wifi: mt76: mt7996: fix uninitialized variable in parsing txfree +Status: RO Content-Length: 1077 Lines: 27 @@ -7644,6 +7647,7 @@ From: Christian Marangi <ansuelsmth@gmail.com> Date: Wed, 18 Oct 2023 15:09:38 +0200 Subject: [PATCH 147/641] wifi: mt76: fix typo in mt76_get_of_eeprom_from_nvmem function +Status: RO Content-Length: 1374 Lines: 37 @@ -7690,6 +7694,7 @@ From: Lorenzo Bianconi <lorenzo@kernel.org> Date: Fri, 20 Oct 2023 12:45:19 +0200 Subject: [PATCH 148/641] wifi: mt76: mt7915: fallback to non-wed mode if platform_get_resource fails in mt7915_mmio_wed_init() +Status: RO Content-Length: 1152 Lines: 30 @@ -7729,6 +7734,7 @@ From: Sujuan Chen <sujuan.chen@mediatek.com> Date: Mon, 23 Oct 2023 23:38:49 +0800 Subject: [PATCH 149/641] wifi: mt76: mt7996: fix the size of struct bss_rate_tlv +Status: RO Content-Length: 963 Lines: 28 @@ -7766,6 +7772,7 @@ From: MeiChia Chiu <meichia.chiu@mediatek.com> Date: Mon, 23 Oct 2023 23:38:54 +0800 Subject: [PATCH 150/641] wifi: mt76: mt7996: fix rate usage of inband discovery frames +Status: RO Content-Length: 1444 Lines: 34 @@ -7808,6 +7815,7 @@ From 1c69fade102d2bcb37da4892eacc4b06bf7237d6 Mon Sep 17 00:00:00 2001 From: StanleyYP Wang <StanleyYP.Wang@mediatek.com> Date: Thu, 2 Nov 2023 18:02:59 +0800 Subject: [PATCH 151/641] wifi: mt76: mt7996: fix alignment of sta info event +Status: RO Content-Length: 946 Lines: 28 @@ -7845,6 +7853,7 @@ 
From: StanleyYP Wang <StanleyYP.Wang@mediatek.com> Date: Mon, 6 Nov 2023 22:38:53 +0000 Subject: [PATCH 152/641] wifi: mt76: mt7915: fix EEPROM offset of TSSI flag on MT7981 +Status: RO Content-Length: 1175 Lines: 30 @@ -7884,6 +7893,7 @@ From: StanleyYP Wang <StanleyYP.Wang@mediatek.com> Date: Mon, 6 Nov 2023 22:39:31 +0000 Subject: [PATCH 153/641] wifi: mt76: mt7915: also MT7981 is 3T3R but nss2 on 5 GHz band +Status: RO Content-Length: 1464 Lines: 33 @@ -7926,6 +7936,7 @@ From: Arnd Bergmann <arnd@arndb.de> Date: Fri, 10 Nov 2023 15:29:30 +0100 Subject: [PATCH 154/641] wifi: mt76: mt7996: fix mt7996_mcu_all_sta_info_event struct packing +Status: RO Content-Length: 1712 Lines: 44 @@ -7979,6 +7990,7 @@ From: Wang Zhao <wang.zhao@mediatek.com> Date: Fri, 17 Nov 2023 20:54:49 +0800 Subject: [PATCH 155/641] wifi: mt76: mt7921s: fix workqueue problem causes STA association fail +Status: RO Content-Length: 6938 Lines: 171 @@ -8317,6 +8329,7 @@ From: Moudy Ho <moudy.ho@mediatek.com> Date: Tue, 31 Oct 2023 16:33:42 +0800 Subject: [PATCH 161/641] dt-bindings: media: mediatek: mdp3: correct RDMA and WROT node with generic names +Status: RO Content-Length: 4383 Lines: 116 @@ -8732,6 +8745,7 @@ From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com> Date: Wed, 22 Nov 2023 11:06:44 +0800 Subject: [PATCH 166/641] wifi: mt76: mt7921: fix country count limitation for CLC +Status: RO Content-Length: 1969 Lines: 57 @@ -8798,6 +8812,7 @@ From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com> Date: Wed, 22 Nov 2023 11:06:45 +0800 Subject: [PATCH 167/641] wifi: mt76: mt7921: fix CLC command timeout when suspend/resume +Status: RO Content-Length: 3816 Lines: 96 @@ -8902,6 +8917,7 @@ From 05534fc3de5461dec973fcdfbd0002f9ce346056 Mon Sep 17 00:00:00 2001 From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com> Date: Wed, 22 Nov 2023 11:06:46 +0800 Subject: [PATCH 168/641] wifi: mt76: mt7921: fix wrong 6Ghz power type +Status: RO Content-Length: 2845 Lines: 94 @@ -9005,6 +9021,7 @@ 
From: Miri Korenblit <miriam.rachel.korenblit@intel.com> Date: Thu, 7 Dec 2023 04:50:08 +0200 Subject: [PATCH 169/641] wifi: iwlwifi: don't support triggered EHT CQI feedback +Status: RO Content-Length: 1540 Lines: 31 @@ -9099,6 +9116,7 @@ From: Li Nan <linan122@huawei.com> Date: Mon, 11 Dec 2023 15:53:56 +0800 Subject: [PATCH 171/641] block: Set memalloc_noio to false on device_add_disk() error path +Status: RO Content-Length: 1176 Lines: 31 @@ -9281,6 +9299,7 @@ From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Date: Fri, 8 Dec 2023 12:28:47 +0530 Subject: [PATCH 175/641] scsi: ufs: qcom: Fix the return value of ufs_qcom_ice_program_key() +Status: RO Content-Length: 1304 Lines: 32 @@ -9322,6 +9341,7 @@ From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Date: Fri, 8 Dec 2023 12:28:48 +0530 Subject: [PATCH 176/641] scsi: ufs: qcom: Fix the return value when platform_get_resource_byname() fails +Status: RO Content-Length: 1215 Lines: 31 @@ -9362,6 +9382,7 @@ From: Yihang Li <liyihang9@huawei.com> Date: Thu, 14 Dec 2023 11:45:13 +0800 Subject: [PATCH 177/641] scsi: hisi_sas: Replace with standard error code return value +Status: RO Content-Length: 2054 Lines: 55 @@ -9425,6 +9446,7 @@ From 0cae77c61752c2ddb83f7baf4e0b886b71d50bec Mon Sep 17 00:00:00 2001 From: Yihang Li <liyihang9@huawei.com> Date: Thu, 14 Dec 2023 11:45:14 +0800 Subject: [PATCH 178/641] scsi: hisi_sas: Check before using pointer variables +Status: RO Content-Length: 1717 Lines: 43 @@ -9477,6 +9499,7 @@ From: Yihang Li <liyihang9@huawei.com> Date: Thu, 14 Dec 2023 11:45:15 +0800 Subject: [PATCH 179/641] scsi: hisi_sas: Rollback some operations if FLR failed +Status: RO Content-Length: 1852 Lines: 47 @@ -9533,6 +9556,7 @@ From: Yihang Li <liyihang9@huawei.com> Date: Thu, 14 Dec 2023 11:45:16 +0800 Subject: [PATCH 180/641] scsi: hisi_sas: Correct the number of global debugfs registers +Status: RO Content-Length: 1397 Lines: 34 @@ -9575,6 +9599,7 @@ 
From 1b71a3be3b7b25ce3c188d3fd09fbc867970fb13 Mon Sep 17 00:00:00 2001 From: Tushar Vyavahare <tushar.vyavahare@intel.com> Date: Thu, 14 Dec 2023 13:00:07 +0000 Subject: [PATCH 181/641] selftests/xsk: Fix for SEND_RECEIVE_UNALIGNED test +Status: RO Content-Length: 3221 Lines: 85 @@ -9757,6 +9782,7 @@ From: Hangbin Liu <liuhangbin@gmail.com> Date: Wed, 13 Dec 2023 14:08:49 +0800 Subject: [PATCH 184/641] selftests/net: fix grep checking for fib_nexthop_multiprefix +Status: RO Content-Length: 2419 Lines: 60 @@ -9825,6 +9851,7 @@ From 7d97858e21fbc472acda7d908357c5fe54a8e439 Mon Sep 17 00:00:00 2001 From: Leone Fernando <leone4fernando@gmail.com> Date: Wed, 13 Dec 2023 17:19:35 +0100 Subject: [PATCH 185/641] ipmr: support IP_PKTINFO on cache report IGMP msg +Status: RO Content-Length: 2108 Lines: 64 @@ -9898,6 +9925,7 @@ From: Arseniy Krasnov <avkrasnov@salutedevices.com> Date: Thu, 14 Dec 2023 15:52:28 +0300 Subject: [PATCH 186/641] virtio/vsock: fix logic which reduces credit update messages +Status: RO Content-Length: 2501 Lines: 61 @@ -9968,6 +9996,7 @@ From: Arseniy Krasnov <avkrasnov@salutedevices.com> Date: Thu, 14 Dec 2023 15:52:29 +0300 Subject: [PATCH 187/641] virtio/vsock: send credit update during setting SO_RCVLOWAT +Status: RO Content-Length: 7285 Lines: 181 @@ -10158,6 +10187,7 @@ From: Joakim Zhang <joakim.zhang@cixtech.com> Date: Thu, 14 Dec 2023 16:25:26 +0800 Subject: [PATCH 188/641] dma-mapping: clear dev->dma_mem to NULL after freeing it +Status: RO Content-Length: 1184 Lines: 36 @@ -10269,6 +10299,7 @@ From: Atul Dhudase <quic_adhudase@quicinc.com> Date: Wed, 6 Dec 2023 21:02:51 +0530 Subject: [PATCH 192/641] soc: qcom: llcc: Fix dis_cap_alloc and retain_on_pc configuration +Status: RO Content-Length: 2810 Lines: 62 @@ -10612,6 +10643,7 @@ 
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Date: Mon, 27 Nov 2023 15:15:48 +0100 Subject: [PATCH 197/641] firmware: qcom: qseecom: fix memory leaks in error paths +Status: RO Content-Length: 2912 Lines: 74 @@ -10694,6 +10726,7 @@ From 62d546526c4a07aff8bcc27157f5e84a33a60ab1 Mon Sep 17 00:00:00 2001 From: Abel Vesa <abel.vesa@linaro.org> Date: Thu, 12 Oct 2023 19:05:09 +0300 Subject: [PATCH 198/641] soc: qcom: llcc: Fix LLCC_TRP_ATTR2_CFGn offset +Status: RO Content-Length: 1296 Lines: 31 @@ -10734,6 +10767,7 @@ From: Li Nan <linan122@huawei.com> Date: Tue, 19 Dec 2023 15:59:42 +0800 Subject: [PATCH 199/641] block: add check of 'minors' and 'first_minor' in device_add_disk() +Status: RO Content-Length: 1422 Lines: 37 @@ -12297,6 +12331,7 @@ From: Florian Westphal <fw@strlen.de> Date: Mon, 27 Nov 2023 11:00:37 +0100 Subject: [PATCH 221/641] netfilter: nf_tables: mark newset as dead on transaction abort +Status: RO Content-Length: 1510 Lines: 42 @@ -12348,6 +12383,7 @@ From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Thu, 14 Dec 2023 22:43:22 +0100 Subject: [PATCH 222/641] netfilter: nf_tables: validate chain type update if available +Status: RO Content-Length: 1198 Lines: 39 @@ -12396,6 +12432,7 @@ From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Date: Thu, 30 Nov 2023 14:58:03 +0100 Subject: [PATCH 223/641] Bluetooth: Fix bogus check for re-auth no supported with non-ssp +Status: RO Content-Length: 3029 Lines: 80 
@@ -12480,148 +12517,12 @@ index ebf17b51072f..ef8c3bed7361 100644 -- 2.43.2 -From 9efc70cf2554e7a8d5a996a44252f39e5bc4e510 Mon Sep 17 00:00:00 2001 -From: Francesco Dolcini <francesco.dolcini@toradex.com> -Date: Mon, 11 Dec 2023 17:40:18 +0100 -Subject: [PATCH 224/641] Bluetooth: btnxpuart: fix recv_buf() return value -Content-Length: 2609 -Lines: 61 - -[ Upstream commit 94d05394254401e503867c16aff561d3e687dfdc ] - -Serdev recv_buf() callback is supposed to return the amount of bytes -consumed, therefore an int in between 0 and count. - -Do not return a negative number in case of issue, just print an error -and return count. Before this change, in case of error, the returned -negative number was internally converted to 0 in ttyport_receive_buf, -now when the receive buffer is corrupted we return the size of the whole -received data (`count`). This should allow for better recovery in case -receiver/transmitter get out of sync if some data is lost. - -This fixes a WARN in ttyport_receive_buf(). - - Bluetooth: hci0: Frame reassembly failed (-84) - ------------[ cut here ]------------ - serial serial0: receive_buf returns -84 (count = 6) - WARNING: CPU: 0 PID: 37 at drivers/tty/serdev/serdev-ttyport.c:37 ttyport_receive_buf+0xd8/0xf8 - Modules linked in: mwifiex_sdio(+) ... - CPU: 0 PID: 37 Comm: kworker/u4:2 Not tainted 6.7.0-rc2-00147-gf1a09972a45a #1 - Hardware name: Toradex Verdin AM62 WB on Verdin Development Board (DT) - Workqueue: events_unbound flush_to_ldisc - pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) - pc : ttyport_receive_buf+0xd8/0xf8 - lr : ttyport_receive_buf+0xd8/0xf8 -... 
- Call trace: - ttyport_receive_buf+0xd8/0xf8 - flush_to_ldisc+0xbc/0x1a4 - process_scheduled_works+0x16c/0x28c - -Closes: https://lore.kernel.org/all/ZWEIhcUXfutb5SY6@francesco-nb.int.toradex.com/ -Fixes: 689ca16e5232 ("Bluetooth: NXP: Add protocol support for NXP Bluetooth chipsets") -Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com> -Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - drivers/bluetooth/btnxpuart.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c -index b7e66b7ac570..951fe3014a3f 100644 ---- a/drivers/bluetooth/btnxpuart.c -+++ b/drivers/bluetooth/btnxpuart.c -@@ -1276,11 +1276,10 @@ static int btnxpuart_receive_buf(struct serdev_device *serdev, const u8 *data, - if (IS_ERR(nxpdev->rx_skb)) { - int err = PTR_ERR(nxpdev->rx_skb); - /* Safe to ignore out-of-sync bootloader signatures */ -- if (is_fw_downloading(nxpdev)) -- return count; -- bt_dev_err(nxpdev->hdev, "Frame reassembly failed (%d)", err); -+ if (!is_fw_downloading(nxpdev)) -+ bt_dev_err(nxpdev->hdev, "Frame reassembly failed (%d)", err); - nxpdev->rx_skb = NULL; -- return err; -+ return count; - } - if (!is_fw_downloading(nxpdev)) - nxpdev->hdev->stat.byte_rx += count; --- -2.43.2 - -From 3e2680bd68fab7ba145393e4eb069d6c4d8a30fa Mon Sep 17 00:00:00 2001 -From: Francesco Dolcini <francesco.dolcini@toradex.com> -Date: Mon, 11 Dec 2023 17:40:19 +0100 -Subject: [PATCH 225/641] Bluetooth: btmtkuart: fix recv_buf() return value -Content-Length: 1991 -Lines: 60 - -[ Upstream commit 64057f051f20c2a2184b9db7f8037d928d68a4f4 ] - -Serdev recv_buf() callback is supposed to return the amount of bytes -consumed, therefore an int in between 0 and count. - -Do not return negative number in case of issue, just print an error and -return count. This fixes a WARN in ttyport_receive_buf(). 
- -Link: https://lore.kernel.org/all/087be419-ec6b-47ad-851a-5e1e3ea5cfcc@kernel.org/ -Fixes: 7237c4c9ec92 ("Bluetooth: mediatek: Add protocol support for MediaTek serial devices") -Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com> -Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - drivers/bluetooth/btmtkuart.c | 11 +++-------- - 1 file changed, 3 insertions(+), 8 deletions(-) - -diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c -index 935feab815d9..203a000a84e3 100644 ---- a/drivers/bluetooth/btmtkuart.c -+++ b/drivers/bluetooth/btmtkuart.c -@@ -336,7 +336,7 @@ mtk_stp_split(struct btmtkuart_dev *bdev, const unsigned char *data, int count, - return data; - } - --static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) -+static void btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) - { - struct btmtkuart_dev *bdev = hci_get_drvdata(hdev); - const unsigned char *p_left = data, *p_h4; -@@ -375,25 +375,20 @@ static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) - bt_dev_err(bdev->hdev, - "Frame reassembly failed (%d)", err); - bdev->rx_skb = NULL; -- return err; -+ return; - } - - sz_left -= sz_h4; - p_left += sz_h4; - } -- -- return 0; - } - - static int btmtkuart_receive_buf(struct serdev_device *serdev, const u8 *data, - size_t count) - { - struct btmtkuart_dev *bdev = serdev_device_get_drvdata(serdev); -- int err; - -- err = btmtkuart_recv(bdev->hdev, data, count); -- if (err < 0) -- return err; -+ btmtkuart_recv(bdev->hdev, data, count); - - bdev->hdev->stat.byte_rx += count; - --- -2.43.2 - From 2600dfaac57813ab7813ea571417bcbd503c65fc Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch@lst.de> Date: Wed, 27 Dec 2023 09:23:02 +0000 Subject: [PATCH 226/641] null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS +Status: RO Content-Length: 2020 Lines: 51 @@ -12721,6 +12622,7 @@ 
From: Kunwu Chan <chentao@kylinos.cn> Date: Tue, 12 Dec 2023 10:40:15 +0800 Subject: [PATCH 228/641] ice: Fix some null pointer dereference issues in ice_ptp.c +Status: RO Content-Length: 1722 Lines: 42 @@ -12771,6 +12673,7 @@ From 38344519bee6b5d3c21b57683bc2c01f8802c358 Mon Sep 17 00:00:00 2001 From: Benjamin Berg <benjamin.berg@intel.com> Date: Tue, 2 Jan 2024 21:35:30 +0200 Subject: [PATCH 229/641] wifi: cfg80211: correct comment about MLD ID +Status: RO Content-Length: 1626 Lines: 38 @@ -12818,6 +12721,7 @@ From: Benjamin Berg <benjamin.berg@intel.com> Date: Tue, 2 Jan 2024 21:35:31 +0200 Subject: [PATCH 230/641] wifi: cfg80211: parse all ML elements in an ML probe response +Status: RO Content-Length: 3021 Lines: 90 @@ -12999,6 +12903,7 @@ From 596e695a3041e6028918bf7ca848c5be1eeb33fc Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet@google.com> Date: Tue, 12 Dec 2023 14:55:50 +0000 Subject: [PATCH 232/641] sctp: support MSG_ERRQUEUE flag in recvmsg() +Status: RO Content-Length: 1733 Lines: 51 @@ -13058,6 +12963,7 @@ From 63b48d3554fc4bbb915decabd9ec10190cd26525 Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet@google.com> Date: Tue, 19 Dec 2023 17:00:17 +0000 Subject: [PATCH 233/641] sctp: fix busy polling +Status: RO Content-Length: 1548 Lines: 46 @@ -13152,6 +13058,7 @@ From 77fcddb6be7ca0c8d2e36b78442e993cdbbf6608 Mon Sep 17 00:00:00 2001 From: Ming Lei <ming.lei@redhat.com> Date: Tue, 19 Dec 2023 09:28:33 +0800 Subject: [PATCH 235/641] blk-cgroup: fix rcu lockdep warning in blkg_lookup() +Status: RO Content-Length: 1385 Lines: 38 
@@ -13194,160 +13101,11 @@ index fd482439afbc..b927a4a0ad03 100644 -- 2.43.2 -From f5346df0591d10bc948761ca854b1fae6d2ef441 Mon Sep 17 00:00:00 2001 -From: Tao Liu <taoliu828@163.com> -Date: Thu, 28 Dec 2023 16:14:57 +0800 -Subject: [PATCH 236/641] net/sched: act_ct: fix skb leak and crash on ooo - frags -Content-Length: 6310 -Lines: 141 - -[ Upstream commit 3f14b377d01d8357eba032b4cabc8c1149b458b6 ] - -act_ct adds skb->users before defragmentation. If frags arrive in order, -the last frag's reference is reset in: - - inet_frag_reasm_prepare - skb_morph - -which is not straightforward. - -However when frags arrive out of order, nobody unref the last frag, and -all frags are leaked. The situation is even worse, as initiating packet -capture can lead to a crash[0] when skb has been cloned and shared at the -same time. - -Fix the issue by removing skb_get() before defragmentation. act_ct -returns TC_ACT_CONSUMED when defrag failed or in progress. - -[0]: -[ 843.804823] ------------[ cut here ]------------ -[ 843.809659] kernel BUG at net/core/skbuff.c:2091! 
-[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP -[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2 -[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022 -[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300 -[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89 -[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202 -[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820 -[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00 -[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000 -[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880 -[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900 -[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000 -[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0 -[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[ 843.894229] PKRU: 55555554 -[ 843.898539] Call Trace: -[ 843.902772] <IRQ> -[ 843.906922] ? __die_body+0x1e/0x60 -[ 843.911032] ? die+0x3c/0x60 -[ 843.915037] ? do_trap+0xe2/0x110 -[ 843.918911] ? pskb_expand_head+0x2ac/0x300 -[ 843.922687] ? do_error_trap+0x65/0x80 -[ 843.926342] ? pskb_expand_head+0x2ac/0x300 -[ 843.929905] ? exc_invalid_op+0x50/0x60 -[ 843.933398] ? pskb_expand_head+0x2ac/0x300 -[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20 -[ 843.940226] ? 
pskb_expand_head+0x2ac/0x300 -[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240 -[ 843.946904] ip_defrag+0x5d4/0x870 -[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack] -[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct] -[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred] -[ 843.959657] tcf_action_exec+0xa1/0x160 -[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower] -[ 843.966010] ? skb_clone+0x53/0xc0 -[ 843.969173] tcf_classify+0x24d/0x420 -[ 843.972333] tc_run+0x8f/0xf0 -[ 843.975465] __netif_receive_skb_core+0x67a/0x1080 -[ 843.978634] ? dev_gro_receive+0x249/0x730 -[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260 -[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0 -[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core] -[ 843.991170] napi_complete_done+0x72/0x1a0 -[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core] -[ 843.997501] __napi_poll+0x25/0x1b0 -[ 844.000627] net_rx_action+0x256/0x330 -[ 844.003705] __do_softirq+0xb3/0x29b -[ 844.006718] irq_exit_rcu+0x9e/0xc0 -[ 844.009672] common_interrupt+0x86/0xa0 -[ 844.012537] </IRQ> -[ 844.015285] <TASK> -[ 844.017937] asm_common_interrupt+0x26/0x40 -[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20 -[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb f4 <fa> c3 0f 1f 00 89 fa ec 48 8b 05 ee 88 ed 00 a9 00 00 00 80 75 11 -[ 844.028900] RSP: 0018:ffffc90000533e70 EFLAGS: 00000246 -[ 844.031725] RAX: 0000000000004000 RBX: 0000000000000001 RCX: 0000000000000000 -[ 844.034553] RDX: ffff889ffffc0000 RSI: ffffffff828b7f20 RDI: ffff88a090f45c64 -[ 844.037368] RBP: ffff88a0901a2800 R08: ffff88a090f45c00 R09: 00000000000317c0 -[ 844.040155] R10: 00ec812281150475 R11: ffff889fffff0e04 R12: ffffffff828b7fa0 -[ 844.042962] R13: ffffffff828b7f20 R14: 0000000000000001 R15: 0000000000000000 -[ 844.045819] acpi_idle_enter+0x7b/0xc0 -[ 844.048621] cpuidle_enter_state+0x7f/0x430 -[ 844.051451] 
cpuidle_enter+0x2d/0x40 -[ 844.054279] do_idle+0x1d4/0x240 -[ 844.057096] cpu_startup_entry+0x2a/0x30 -[ 844.059934] start_secondary+0x104/0x130 -[ 844.062787] secondary_startup_64_no_verify+0x16b/0x16b -[ 844.065674] </TASK> - -Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct") -Signed-off-by: Tao Liu <taoliu828@163.com> -Link: https://lore.kernel.org/r/20231228081457.936732-1-taoliu828@163.com -Signed-off-by: Jakub Kicinski <kuba@kernel.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/sched/act_ct.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c -index f69c47945175..3d50215985d5 100644 ---- a/net/sched/act_ct.c -+++ b/net/sched/act_ct.c -@@ -850,7 +850,6 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb, - if (err || !frag) - return err; - -- skb_get(skb); - err = nf_ct_handle_fragments(net, skb, zone, family, &proto, &mru); - if (err) - return err; -@@ -999,12 +998,8 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a, - nh_ofs = skb_network_offset(skb); - skb_pull_rcsum(skb, nh_ofs); - err = tcf_ct_handle_fragments(net, skb, family, p->zone, &defrag); -- if (err == -EINPROGRESS) { -- retval = TC_ACT_STOLEN; -- goto out_clear; -- } - if (err) -- goto drop; -+ goto out_frag; - - err = nf_ct_skb_network_trim(skb, family); - if (err) -@@ -1091,6 +1086,11 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a, - qdisc_skb_cb(skb)->pkt_len = skb->len; - return retval; - -+out_frag: -+ if (err != -EINPROGRESS) -+ tcf_action_inc_drop_qstats(&c->common); -+ return TC_ACT_CONSUMED; -+ - drop: - tcf_action_inc_drop_qstats(&c->common); - return TC_ACT_SHOT; --- -2.43.2 - From eb774a523b3bff499261572aa47451c19afabd96 Mon Sep 17 00:00:00 2001 
From: Asmaa Mnebhi <asmaa@nvidia.com> Date: Fri, 5 Jan 2024 10:59:46 -0500 Subject: [PATCH 237/641] mlxbf_gige: Fix intermittent no ip issue +Status: RO Content-Length: 3009 Lines: 85 @@ -17825,6 +17583,7 @@ Subject: [PATCH 300/641] ASoC: SOF: Intel: pci-mtl: fix ARL-S definitions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 4656 Lines: 118 @@ -19468,6 +19227,7 @@ From: Arnd Bergmann <arnd@arndb.de> Date: Wed, 13 Dec 2023 12:23:07 +0100 Subject: [PATCH 323/641] media: i2c: mt9m114: use fsleep() in place of udelay() +Status: RO Content-Length: 1695 Lines: 45 @@ -20923,6 +20683,7 @@ From: Xingyuan Mo <hdthky0@gmail.com> Date: Fri, 8 Dec 2023 21:00:59 +0800 Subject: [PATCH 346/641] accel/habanalabs: fix information leak in sec_attest_info() +Status: RO Content-Length: 1311 Lines: 31 @@ -21063,6 +20824,7 @@ From af73be8a06d28dd691061c8bc5b7d9db11052cfb Mon Sep 17 00:00:00 2001 From: Konrad Dybcio <konrad.dybcio@linaro.org> Date: Mon, 18 Dec 2023 17:02:05 +0100 Subject: [PATCH 348/641] clk: qcom: gcc-sm8550: Mark the PCIe GDSCs votable +Status: RO Content-Length: 1942 Lines: 59 @@ -21131,6 +20893,7 @@ From: Konrad Dybcio <konrad.dybcio@linaro.org> Date: Mon, 18 Dec 2023 17:02:06 +0100 Subject: [PATCH 349/641] clk: qcom: gcc-sm8550: use collapse-voting for PCIe GDSCs +Status: RO Content-Length: 1911 Lines: 62 @@ -23023,6 +22786,7 @@ Subject: [PATCH 370/641] kselftest/alsa - mixer-test: fix the number of MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 1987 Lines: 46 @@ -23081,6 +22845,7 @@ Subject: [PATCH 371/641] kselftest/alsa - mixer-test: Fix the print format MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 2565 Lines: 53 
@@ -23146,6 +22911,7 @@ Subject: [PATCH 372/641] kselftest/alsa - conf: Stringify the printed errno in MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 1999 Lines: 48 @@ -23603,6 +23369,7 @@ From: Geert Uytterhoeven <geert+renesas@glider.be> Date: Thu, 11 Jan 2024 09:50:25 +0100 Subject: [PATCH 376/641] of: unittest: Fix of_count_phandle_with_args() expected value message +Status: RO Content-Length: 1155 Lines: 30 @@ -28267,6 +28034,7 @@ From 05f7a3475af0faa8bf77f8637c4a40349db4f78f Mon Sep 17 00:00:00 2001 From: Mario Limonciello <mario.limonciello@amd.com> Date: Fri, 24 Nov 2023 09:56:32 -0600 Subject: [PATCH 439/641] drm/amd: Enable PCIe PME from D3 +Status: RO Content-Length: 1133 Lines: 33 @@ -28516,6 +28284,7 @@ From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Fri, 12 Jan 2024 23:28:45 +0100 Subject: [PATCH 443/641] netfilter: nf_tables: check if catch-all set element is active in next generation +Status: RO Content-Length: 1189 Lines: 32 @@ -28815,6 +28584,7 @@ From: Gui-Dong Han <2045gemini@gmail.com> Date: Fri, 22 Dec 2023 23:12:41 +0800 Subject: [PATCH 448/641] Bluetooth: Fix atomicity violation in {min,max}_key_size_set +Status: RO Content-Length: 3357 Lines: 91 @@ -29332,6 +29102,7 @@ Subject: [PATCH 455/641] wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 2826 Lines: 73 @@ -30312,6 +30083,7 @@ From 7035255bb722593441a9d81535741bd817518ddc Mon Sep 17 00:00:00 2001 From: Tadeusz Struk <tstruk@gigaio.com> Date: Mon, 13 Nov 2023 19:03:25 +0100 Subject: [PATCH 465/641] PCI/P2PDMA: Remove reference to pci_p2pdma_map_sg() +Status: RO Content-Length: 1998 Lines: 45 @@ -30366,6 +30138,7 @@ 
From: Bjorn Helgaas <bhelgaas@google.com> Date: Tue, 21 Nov 2023 12:36:35 -0600 Subject: [PATCH 466/641] x86/pci: Reserve ECAM if BIOS didn't include it in PNP0C02 _CRS +Status: RO Content-Length: 3828 Lines: 85 @@ -30463,6 +30236,7 @@ Subject: [PATCH 467/641] PCI: dwc: endpoint: Fix dw_pcie_ep_raise_msix_irq() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 1809 Lines: 42 @@ -30517,6 +30291,7 @@ Subject: [PATCH 468/641] PCI: mediatek: Clear interrupt status before MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 2204 Lines: 52 @@ -32056,6 +31831,7 @@ From fd8af4edef36103c317b3fa89ffde670a9b3e814 Mon Sep 17 00:00:00 2001 From: Dang Huynh <danct12@riseup.net> Date: Fri, 3 Nov 2023 18:42:03 +0700 Subject: [PATCH 485/641] leds: aw2013: Select missing dependency REGMAP_I2C +Status: RO Content-Length: 1086 Lines: 33 @@ -32435,6 +32211,7 @@ From 5072b4c519397a77ac45715455385957d568f54e Mon Sep 17 00:00:00 2001 From: Vincent Whitchurch <vincent.whitchurch@axis.com> Date: Fri, 1 Sep 2023 15:35:43 +0200 Subject: [PATCH 492/641] um: virt-pci: fix platform map offset +Status: RO Content-Length: 944 Lines: 28 @@ -32977,6 +32754,7 @@ From: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Date: Mon, 30 Oct 2023 13:42:18 +0200 Subject: [PATCH 503/641] PCI: Avoid potential out-of-bounds read in pci_dev_for_each_resource() +Status: RO Content-Length: 2239 Lines: 52 @@ -33133,6 +32911,7 @@ From: Nick Forrington <nick.forrington@arm.com> Date: Thu, 2 Nov 2023 16:22:24 +0000 Subject: [PATCH 506/641] perf test: Remove atomics from test_loop to avoid test failures +Status: RO Content-Length: 1778 Lines: 50 @@ -33317,6 +33096,7 @@ 
From: Umang Jain <umang.jain@ideasonboard.com> Date: Wed, 29 Nov 2023 01:48:45 +0530 Subject: [PATCH 509/641] staging: vc04_services: vchiq_core: Log through struct vchiq_instance +Status: RO Content-Length: 2105 Lines: 50 @@ -33376,6 +33156,7 @@ From: Umang Jain <umang.jain@ideasonboard.com> Date: Wed, 29 Nov 2023 01:49:22 +0530 Subject: [PATCH 510/641] staging: vc04_services: Do not pass NULL to vchiq_log_error() +Status: RO Content-Length: 2749 Lines: 61 @@ -33445,6 +33226,7 @@ From 1b886bd484b631033a373df47f418f2148bb6ce2 Mon Sep 17 00:00:00 2001 From: Veronika Molnarova <vmolnaro@redhat.com> Date: Fri, 1 Dec 2023 20:46:17 +0100 Subject: [PATCH 511/641] perf test record user-regs: Fix mask for vg register +Status: RO Content-Length: 2616 Lines: 60 @@ -34162,6 +33944,7 @@ From: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be> Date: Thu, 5 Oct 2023 17:38:42 +0200 Subject: [PATCH 521/641] selftests/sgx: Fix uninitialized pointer dereference in error path +Status: RO Content-Length: 1505 Lines: 44 @@ -34215,6 +33998,7 @@ From: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be> Date: Thu, 5 Oct 2023 17:38:43 +0200 Subject: [PATCH 522/641] selftests/sgx: Fix uninitialized pointer dereferences in encl_get_entry +Status: RO Content-Length: 1589 Lines: 49 @@ -34273,6 +34057,7 @@ From: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be> Date: Thu, 5 Oct 2023 17:38:44 +0200 Subject: [PATCH 523/641] selftests/sgx: Include memory clobber for inline asm in test enclave +Status: RO Content-Length: 1676 Lines: 48 @@ -34329,6 +34114,7 @@ From b68be58c31b5cb172fd1c7c690a200fbbc19aedf Mon Sep 17 00:00:00 2001 From: Zhao Mengmeng <zhaomengmeng@kylinos.cn> Date: Tue, 5 Dec 2023 21:56:05 -0500 Subject: [PATCH 524/641] selftests/sgx: Skip non X86_64 platform +Status: RO Content-Length: 1681 Lines: 41 
@@ -35960,6 +35746,7 @@ Subject: [PATCH 537/641] PCI: epf-mhi: Fix the DMA data direction of MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 1249 Lines: 30 @@ -38596,6 +38383,7 @@ Subject: [PATCH 569/641] PCI: xilinx-xdma: Fix uninitialized symbols in MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 2135 Lines: 48 @@ -38656,6 +38444,7 @@ Subject: [PATCH 570/641] PCI: xilinx-xdma: Fix error code in MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 1568 Lines: 36 @@ -38759,6 +38548,7 @@ Subject: [PATCH 572/641] PCI: keystone: Fix race condition when initializing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 2161 Lines: 53 @@ -38887,6 +38677,7 @@ Subject: [PATCH 574/641] PCI: mediatek-gen3: Fix translation window size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Status: RO Content-Length: 5240 Lines: 148 @@ -39090,6 +38881,7 @@ From: Niklas Schnelle <schnelle@linux.ibm.com> Date: Tue, 28 Nov 2023 16:22:49 +0100 Subject: [PATCH 576/641] s390/pci: fix max size calculation in zpci_memcpy_toio() +Status: RO Content-Length: 4920 Lines: 137 @@ -41306,6 +41098,7 @@ From 2b973b5ba8792110dc047ad8ed22d87597df9797 Mon Sep 17 00:00:00 2001 From: Benjamin Poirier <bpoirier@nvidia.com> Date: Wed, 10 Jan 2024 09:14:35 -0500 Subject: [PATCH 608/641] selftests: bonding: Change script interpreter +Status: RO Content-Length: 1883 Lines: 42 @@ -41620,6 +41413,7 @@ From 7d2d03936a97903ecb7d9554971982947cd86f86 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Wed, 3 Jan 2024 23:34:58 +0100 Subject: [PATCH 615/641] netfilter: nf_tables: reject invalid set policy +Status: RO Content-Length: 1142 Lines: 36 @@ -41664,6 +41458,7 @@ 
From ae6c0543ff13b892ad4092b97ff9813d9fb3ad8a Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Wed, 10 Jan 2024 00:42:37 +0100 Subject: [PATCH 616/641] netfilter: nft_limit: do not ignore unsupported flags +Status: RO Content-Length: 1703 Lines: 58 @@ -41731,6 +41526,7 @@ From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Date: Thu, 11 Jan 2024 23:06:37 +0800 Subject: [PATCH 617/641] netfilter: nfnetlink_log: use proper helper for fetching physinif +Status: RO Content-Length: 1571 Lines: 44 @@ -41783,6 +41579,7 @@ From 108494937a67ecbd4678326761106bd3e5d2012e Mon Sep 17 00:00:00 2001 From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Date: Thu, 11 Jan 2024 23:06:38 +0800 Subject: [PATCH 618/641] netfilter: nf_queue: remove excess nf_bridge variable +Status: RO Content-Length: 1219 Lines: 33 @@ -41824,6 +41621,7 @@ From eb4170437f45b91eef518dcb017197b115b52852 Mon Sep 17 00:00:00 2001 From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Date: Thu, 11 Jan 2024 23:06:39 +0800 Subject: [PATCH 619/641] netfilter: propagate net to nf_bridge_get_physindev +Status: RO Content-Length: 7360 Lines: 181 @@ -42014,6 +41812,7 @@ From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Date: Thu, 11 Jan 2024 23:06:40 +0800 Subject: [PATCH 620/641] netfilter: bridge: replace physindev with physinif in nf_bridge_info +Status: RO Content-Length: 10776 Lines: 298 
@@ -42316,62 +42115,12 @@ index 27b2164f4c43..196dd4ecb5e2 100644 -- 2.43.2 -From ff67e3e488090908dc015ba04d7407d8bd467f7e Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso <pablo@netfilter.org> -Date: Sun, 14 Jan 2024 23:53:39 +0100 -Subject: [PATCH 621/641] netfilter: nf_tables: do not allow mismatch field - size and set key length -Content-Length: 1490 -Lines: 42 - -[ Upstream commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 ] - -The set description provides the size of each field in the set whose sum -should not mismatch the set key length, bail out otherwise. - -I did not manage to crash nft_set_pipapo with mismatch fields and set key -length so far, but this is UB which must be disallowed. - -Fixes: f3a2181e16f1 ("netfilter: nf_tables: Support for sets with multiple ranged fields") -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/netfilter/nf_tables_api.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 3912a133324c..7775bf5224ac 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -4811,8 +4811,8 @@ static int nft_set_desc_concat_parse(const struct nlattr *attr, - static int nft_set_desc_concat(struct nft_set_desc *desc, - const struct nlattr *nla) - { -+ u32 num_regs = 0, key_num_regs = 0; - struct nlattr *attr; -- u32 num_regs = 0; - int rem, err, i; - - nla_for_each_nested(attr, nla, rem) { -@@ -4827,6 +4827,10 @@ static int nft_set_desc_concat(struct nft_set_desc *desc, - for (i = 0; i < desc->field_count; i++) - num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32)); - -+ key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32)); -+ if (key_num_regs != num_regs) -+ return -EINVAL; -+ - if (num_regs > NFT_REG32_COUNT) - return -E2BIG; - --- -2.43.2 - From 9f0254479da4180d194fce950cee1dc975416177 Mon Sep 17 00:00:00 2001 
From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Mon, 15 Jan 2024 00:14:38 +0100 Subject: [PATCH 622/641] netfilter: nf_tables: skip dead set elements in netlink dump +Status: RO Content-Length: 1523 Lines: 39 @@ -42420,6 +42169,7 @@ From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Mon, 15 Jan 2024 12:50:29 +0100 Subject: [PATCH 623/641] netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description +Status: RO Content-Length: 1100 Lines: 32 @@ -42461,6 +42211,7 @@ From: Fedor Pchelkin <pchelkin@ispras.ru> Date: Mon, 15 Jan 2024 17:39:22 +0300 Subject: [PATCH 624/641] ipvs: avoid stat macros calls from preemptible context +Status: RO Content-Length: 2567 Lines: 75 
@@ -42752,114 +42503,6 @@ index a79af8c25a07..b6cb101d7f19 100644 -- 2.43.2 -From df4bb78489b85dea545c57f3d8568022dea57f2a Mon Sep 17 00:00:00 2001 -From: Christoph Hellwig <hch@lst.de> -Date: Wed, 17 Jan 2024 18:59:01 +0100 -Subject: [PATCH 629/641] loop: fix the the direct I/O support check when used - on top of block devices -Content-Length: 3560 -Lines: 99 - -[ Upstream commit baa7d536077dcdfe2b70c476a8873d1745d3de0f ] - -__loop_update_dio only checks the alignment requirement for block backed -file systems, but misses them for the case where the loop device is -created directly on top of another block device. Due to this creating -a loop device with default option plus the direct I/O flag on a > 512 byte -sector size file system will lead to incorrect I/O being submitted to the -lower block device and a lot of error from the lock layer. This can -be seen with xfstests generic/563. - -Fix the code in __loop_update_dio by factoring the alignment check into -a helper, and calling that also for the struct block_device of a block -device inode. - -Also remove the TODO comment talking about dynamically switching between -buffered and direct I/O, which is a would be a recipe for horrible -performance and occasional data loss. 
- -Fixes: 2e5ab5f379f9 ("block: loop: prepare for supporing direct IO") -Signed-off-by: Christoph Hellwig <hch@lst.de> -Reviewed-by: Ming Lei <ming.lei@redhat.com> -Link: https://lore.kernel.org/r/20240117175901.871796-1-hch@lst.de -Signed-off-by: Jens Axboe <axboe@kernel.dk> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - drivers/block/loop.c | 52 +++++++++++++++++++++----------------------- - 1 file changed, 25 insertions(+), 27 deletions(-) - -diff --git a/drivers/block/loop.c b/drivers/block/loop.c -index 9f2d412fc560..552f56a84a7e 100644 ---- a/drivers/block/loop.c -+++ b/drivers/block/loop.c -@@ -165,39 +165,37 @@ static loff_t get_loop_size(struct loop_device *lo, struct file *file) - return get_size(lo->lo_offset, lo->lo_sizelimit, file); - } - -+/* -+ * We support direct I/O only if lo_offset is aligned with the logical I/O size -+ * of backing device, and the logical block size of loop is bigger than that of -+ * the backing device. -+ */ -+static bool lo_bdev_can_use_dio(struct loop_device *lo, -+ struct block_device *backing_bdev) -+{ -+ unsigned short sb_bsize = bdev_logical_block_size(backing_bdev); -+ -+ if (queue_logical_block_size(lo->lo_queue) < sb_bsize) -+ return false; -+ if (lo->lo_offset & (sb_bsize - 1)) -+ return false; -+ return true; -+} -+ - static void __loop_update_dio(struct loop_device *lo, bool dio) - { - struct file *file = lo->lo_backing_file; -- struct address_space *mapping = file->f_mapping; -- struct inode *inode = mapping->host; -- unsigned short sb_bsize = 0; -- unsigned dio_align = 0; -+ struct inode *inode = file->f_mapping->host; -+ struct block_device *backing_bdev = NULL; - bool use_dio; - -- if (inode->i_sb->s_bdev) { -- sb_bsize = bdev_logical_block_size(inode->i_sb->s_bdev); -- dio_align = sb_bsize - 1; -- } -+ if (S_ISBLK(inode->i_mode)) -+ backing_bdev = I_BDEV(inode); -+ else if (inode->i_sb->s_bdev) -+ backing_bdev = inode->i_sb->s_bdev; - -- /* -- * We support direct I/O only if lo_offset is aligned with 
the -- * logical I/O size of backing device, and the logical block -- * size of loop is bigger than the backing device's. -- * -- * TODO: the above condition may be loosed in the future, and -- * direct I/O may be switched runtime at that time because most -- * of requests in sane applications should be PAGE_SIZE aligned -- */ -- if (dio) { -- if (queue_logical_block_size(lo->lo_queue) >= sb_bsize && -- !(lo->lo_offset & dio_align) && -- (file->f_mode & FMODE_CAN_ODIRECT)) -- use_dio = true; -- else -- use_dio = false; -- } else { -- use_dio = false; -- } -+ use_dio = dio && (file->f_mode & FMODE_CAN_ODIRECT) && -+ (!backing_bdev || lo_bdev_can_use_dio(lo, backing_bdev)); - - if (lo->use_dio == use_dio) - return; --- -2.43.2 - From 1a720f3ec16e510ff1e0d384119475bc0bdc4e26 Mon Sep 17 00:00:00 2001 From: Amit Cohen <amcohen@nvidia.com> Date: Wed, 17 Jan 2024 16:04:16 +0100 @@ -43404,6 +43047,7 @@ From: Amit Cohen <amcohen@nvidia.com> Date: Wed, 17 Jan 2024 16:04:21 +0100 Subject: [PATCH 634/641] selftests: mlxsw: qos_pfc: Adjust the test to support 8 lanes +Status: RO Content-Length: 3124 Lines: 80 @@ -43574,6 +43218,7 @@ From a4f8ee0fbe9a089ff95e1333fa18d2062cee1bdc Mon Sep 17 00:00:00 2001 From: Marek Szyprowski <m.szyprowski@samsung.com> Date: Wed, 8 Nov 2023 17:43:52 +0100 Subject: [PATCH 636/641] i2c: s3c24xx: fix read transfers in polling mode +Status: RO Content-Length: 1470 Lines: 42 @@ -43625,6 +43270,7 @@ From: Marek Szyprowski <m.szyprowski@samsung.com> Date: Wed, 8 Nov 2023 17:43:53 +0100 Subject: [PATCH 637/641] i2c: s3c24xx: fix transferring more than one message in polling mode +Status: RO Content-Length: 2696 Lines: 80 diff --git a/cve/review/mbox.6.7.2.cve b/cve/review/mbox.6.7.2.cve index fc481797..0e50d3d4 100644 --- a/cve/review/mbox.6.7.2.cve +++ b/cve/review/mbox.6.7.2.cve 
@@ -4024,3 +4024,454 @@ index 6e7e57360b81..58e34ff81197 100644 -- 2.43.2 +From 9efc70cf2554e7a8d5a996a44252f39e5bc4e510 Mon Sep 17 00:00:00 2001 +From: Francesco Dolcini <francesco.dolcini@toradex.com> +Date: Mon, 11 Dec 2023 17:40:18 +0100 +Subject: [PATCH 224/641] Bluetooth: btnxpuart: fix recv_buf() return value +Status: RO +Content-Length: 2609 +Lines: 61 + +[ Upstream commit 94d05394254401e503867c16aff561d3e687dfdc ] + +Serdev recv_buf() callback is supposed to return the amount of bytes +consumed, therefore an int in between 0 and count. + +Do not return a negative number in case of issue, just print an error +and return count. Before this change, in case of error, the returned +negative number was internally converted to 0 in ttyport_receive_buf, +now when the receive buffer is corrupted we return the size of the whole +received data (`count`). This should allow for better recovery in case +receiver/transmitter get out of sync if some data is lost. + +This fixes a WARN in ttyport_receive_buf(). + + Bluetooth: hci0: Frame reassembly failed (-84) + ------------[ cut here ]------------ + serial serial0: receive_buf returns -84 (count = 6) + WARNING: CPU: 0 PID: 37 at drivers/tty/serdev/serdev-ttyport.c:37 ttyport_receive_buf+0xd8/0xf8 + Modules linked in: mwifiex_sdio(+) ... + CPU: 0 PID: 37 Comm: kworker/u4:2 Not tainted 6.7.0-rc2-00147-gf1a09972a45a #1 + Hardware name: Toradex Verdin AM62 WB on Verdin Development Board (DT) + Workqueue: events_unbound flush_to_ldisc + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : ttyport_receive_buf+0xd8/0xf8 + lr : ttyport_receive_buf+0xd8/0xf8 +... 
+ Call trace: + ttyport_receive_buf+0xd8/0xf8 + flush_to_ldisc+0xbc/0x1a4 + process_scheduled_works+0x16c/0x28c + +Closes: https://lore.kernel.org/all/ZWEIhcUXfutb5SY6@francesco-nb.int.toradex.com/ +Fixes: 689ca16e5232 ("Bluetooth: NXP: Add protocol support for NXP Bluetooth chipsets") +Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com> +Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/bluetooth/btnxpuart.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c +index b7e66b7ac570..951fe3014a3f 100644 +--- a/drivers/bluetooth/btnxpuart.c ++++ b/drivers/bluetooth/btnxpuart.c +@@ -1276,11 +1276,10 @@ static int btnxpuart_receive_buf(struct serdev_device *serdev, const u8 *data, + if (IS_ERR(nxpdev->rx_skb)) { + int err = PTR_ERR(nxpdev->rx_skb); + /* Safe to ignore out-of-sync bootloader signatures */ +- if (is_fw_downloading(nxpdev)) +- return count; +- bt_dev_err(nxpdev->hdev, "Frame reassembly failed (%d)", err); ++ if (!is_fw_downloading(nxpdev)) ++ bt_dev_err(nxpdev->hdev, "Frame reassembly failed (%d)", err); + nxpdev->rx_skb = NULL; +- return err; ++ return count; + } + if (!is_fw_downloading(nxpdev)) + nxpdev->hdev->stat.byte_rx += count; +-- +2.43.2 + +From 3e2680bd68fab7ba145393e4eb069d6c4d8a30fa Mon Sep 17 00:00:00 2001 +From: Francesco Dolcini <francesco.dolcini@toradex.com> +Date: Mon, 11 Dec 2023 17:40:19 +0100 +Subject: [PATCH 225/641] Bluetooth: btmtkuart: fix recv_buf() return value +Status: RO +Content-Length: 1991 +Lines: 60 + +[ Upstream commit 64057f051f20c2a2184b9db7f8037d928d68a4f4 ] + +Serdev recv_buf() callback is supposed to return the amount of bytes +consumed, therefore an int in between 0 and count. + +Do not return negative number in case of issue, just print an error and +return count. This fixes a WARN in ttyport_receive_buf(). 
+ +Link: https://lore.kernel.org/all/087be419-ec6b-47ad-851a-5e1e3ea5cfcc@kernel.org/ +Fixes: 7237c4c9ec92 ("Bluetooth: mediatek: Add protocol support for MediaTek serial devices") +Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com> +Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/bluetooth/btmtkuart.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c +index 935feab815d9..203a000a84e3 100644 +--- a/drivers/bluetooth/btmtkuart.c ++++ b/drivers/bluetooth/btmtkuart.c +@@ -336,7 +336,7 @@ mtk_stp_split(struct btmtkuart_dev *bdev, const unsigned char *data, int count, + return data; + } + +-static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) ++static void btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) + { + struct btmtkuart_dev *bdev = hci_get_drvdata(hdev); + const unsigned char *p_left = data, *p_h4; +@@ -375,25 +375,20 @@ static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) + bt_dev_err(bdev->hdev, + "Frame reassembly failed (%d)", err); + bdev->rx_skb = NULL; +- return err; ++ return; + } + + sz_left -= sz_h4; + p_left += sz_h4; + } +- +- return 0; + } + + static int btmtkuart_receive_buf(struct serdev_device *serdev, const u8 *data, + size_t count) + { + struct btmtkuart_dev *bdev = serdev_device_get_drvdata(serdev); +- int err; + +- err = btmtkuart_recv(bdev->hdev, data, count); +- if (err < 0) +- return err; ++ btmtkuart_recv(bdev->hdev, data, count); + + bdev->hdev->stat.byte_rx += count; + +-- +2.43.2 + +From f5346df0591d10bc948761ca854b1fae6d2ef441 Mon Sep 17 00:00:00 2001 +From: Tao Liu <taoliu828@163.com> +Date: Thu, 28 Dec 2023 16:14:57 +0800 +Subject: [PATCH 236/641] net/sched: act_ct: fix skb leak and crash on ooo + frags +Status: RO +Content-Length: 6310 +Lines: 141 + +[ Upstream commit 
3f14b377d01d8357eba032b4cabc8c1149b458b6 ] + +act_ct adds skb->users before defragmentation. If frags arrive in order, +the last frag's reference is reset in: + + inet_frag_reasm_prepare + skb_morph + +which is not straightforward. + +However when frags arrive out of order, nobody unref the last frag, and +all frags are leaked. The situation is even worse, as initiating packet +capture can lead to a crash[0] when skb has been cloned and shared at the +same time. + +Fix the issue by removing skb_get() before defragmentation. act_ct +returns TC_ACT_CONSUMED when defrag failed or in progress. + +[0]: +[ 843.804823] ------------[ cut here ]------------ +[ 843.809659] kernel BUG at net/core/skbuff.c:2091! +[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP +[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2 +[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022 +[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300 +[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89 +[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202 +[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820 +[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00 +[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000 +[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880 +[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900 +[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000 +[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0 +[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 843.889809] DR3: 
0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 843.894229] PKRU: 55555554 +[ 843.898539] Call Trace: +[ 843.902772] <IRQ> +[ 843.906922] ? __die_body+0x1e/0x60 +[ 843.911032] ? die+0x3c/0x60 +[ 843.915037] ? do_trap+0xe2/0x110 +[ 843.918911] ? pskb_expand_head+0x2ac/0x300 +[ 843.922687] ? do_error_trap+0x65/0x80 +[ 843.926342] ? pskb_expand_head+0x2ac/0x300 +[ 843.929905] ? exc_invalid_op+0x50/0x60 +[ 843.933398] ? pskb_expand_head+0x2ac/0x300 +[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20 +[ 843.940226] ? pskb_expand_head+0x2ac/0x300 +[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240 +[ 843.946904] ip_defrag+0x5d4/0x870 +[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack] +[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct] +[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred] +[ 843.959657] tcf_action_exec+0xa1/0x160 +[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower] +[ 843.966010] ? skb_clone+0x53/0xc0 +[ 843.969173] tcf_classify+0x24d/0x420 +[ 843.972333] tc_run+0x8f/0xf0 +[ 843.975465] __netif_receive_skb_core+0x67a/0x1080 +[ 843.978634] ? dev_gro_receive+0x249/0x730 +[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260 +[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0 +[ 843.987957] ? 
mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core] +[ 843.991170] napi_complete_done+0x72/0x1a0 +[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core] +[ 843.997501] __napi_poll+0x25/0x1b0 +[ 844.000627] net_rx_action+0x256/0x330 +[ 844.003705] __do_softirq+0xb3/0x29b +[ 844.006718] irq_exit_rcu+0x9e/0xc0 +[ 844.009672] common_interrupt+0x86/0xa0 +[ 844.012537] </IRQ> +[ 844.015285] <TASK> +[ 844.017937] asm_common_interrupt+0x26/0x40 +[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20 +[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb f4 <fa> c3 0f 1f 00 89 fa ec 48 8b 05 ee 88 ed 00 a9 00 00 00 80 75 11 +[ 844.028900] RSP: 0018:ffffc90000533e70 EFLAGS: 00000246 +[ 844.031725] RAX: 0000000000004000 RBX: 0000000000000001 RCX: 0000000000000000 +[ 844.034553] RDX: ffff889ffffc0000 RSI: ffffffff828b7f20 RDI: ffff88a090f45c64 +[ 844.037368] RBP: ffff88a0901a2800 R08: ffff88a090f45c00 R09: 00000000000317c0 +[ 844.040155] R10: 00ec812281150475 R11: ffff889fffff0e04 R12: ffffffff828b7fa0 +[ 844.042962] R13: ffffffff828b7f20 R14: 0000000000000001 R15: 0000000000000000 +[ 844.045819] acpi_idle_enter+0x7b/0xc0 +[ 844.048621] cpuidle_enter_state+0x7f/0x430 +[ 844.051451] cpuidle_enter+0x2d/0x40 +[ 844.054279] do_idle+0x1d4/0x240 +[ 844.057096] cpu_startup_entry+0x2a/0x30 +[ 844.059934] start_secondary+0x104/0x130 +[ 844.062787] secondary_startup_64_no_verify+0x16b/0x16b +[ 844.065674] </TASK> + +Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct") +Signed-off-by: Tao Liu <taoliu828@163.com> +Link: https://lore.kernel.org/r/20231228081457.936732-1-taoliu828@163.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/sched/act_ct.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index f69c47945175..3d50215985d5 100644 +--- a/net/sched/act_ct.c ++++ 
b/net/sched/act_ct.c +@@ -850,7 +850,6 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb, + if (err || !frag) + return err; + +- skb_get(skb); + err = nf_ct_handle_fragments(net, skb, zone, family, &proto, &mru); + if (err) + return err; +@@ -999,12 +998,8 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a, + nh_ofs = skb_network_offset(skb); + skb_pull_rcsum(skb, nh_ofs); + err = tcf_ct_handle_fragments(net, skb, family, p->zone, &defrag); +- if (err == -EINPROGRESS) { +- retval = TC_ACT_STOLEN; +- goto out_clear; +- } + if (err) +- goto drop; ++ goto out_frag; + + err = nf_ct_skb_network_trim(skb, family); + if (err) +@@ -1091,6 +1086,11 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a, + qdisc_skb_cb(skb)->pkt_len = skb->len; + return retval; + ++out_frag: ++ if (err != -EINPROGRESS) ++ tcf_action_inc_drop_qstats(&c->common); ++ return TC_ACT_CONSUMED; ++ + drop: + tcf_action_inc_drop_qstats(&c->common); + return TC_ACT_SHOT; +-- +2.43.2 + +From df4bb78489b85dea545c57f3d8568022dea57f2a Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig <hch@lst.de> +Date: Wed, 17 Jan 2024 18:59:01 +0100 +Subject: [PATCH 629/641] loop: fix the the direct I/O support check when used + on top of block devices +Status: RO +Content-Length: 3560 +Lines: 99 + +[ Upstream commit baa7d536077dcdfe2b70c476a8873d1745d3de0f ] + +__loop_update_dio only checks the alignment requirement for block backed +file systems, but misses them for the case where the loop device is +created directly on top of another block device. Due to this creating +a loop device with default option plus the direct I/O flag on a > 512 byte +sector size file system will lead to incorrect I/O being submitted to the +lower block device and a lot of error from the lock layer. This can +be seen with xfstests generic/563. 
+ +Fix the code in __loop_update_dio by factoring the alignment check into +a helper, and calling that also for the struct block_device of a block +device inode. + +Also remove the TODO comment talking about dynamically switching between +buffered and direct I/O, which is a would be a recipe for horrible +performance and occasional data loss. + +Fixes: 2e5ab5f379f9 ("block: loop: prepare for supporing direct IO") +Signed-off-by: Christoph Hellwig <hch@lst.de> +Reviewed-by: Ming Lei <ming.lei@redhat.com> +Link: https://lore.kernel.org/r/20240117175901.871796-1-hch@lst.de +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/block/loop.c | 52 +++++++++++++++++++++----------------------- + 1 file changed, 25 insertions(+), 27 deletions(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 9f2d412fc560..552f56a84a7e 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -165,39 +165,37 @@ static loff_t get_loop_size(struct loop_device *lo, struct file *file) + return get_size(lo->lo_offset, lo->lo_sizelimit, file); + } + ++/* ++ * We support direct I/O only if lo_offset is aligned with the logical I/O size ++ * of backing device, and the logical block size of loop is bigger than that of ++ * the backing device. 
++ */ ++static bool lo_bdev_can_use_dio(struct loop_device *lo, ++ struct block_device *backing_bdev) ++{ ++ unsigned short sb_bsize = bdev_logical_block_size(backing_bdev); ++ ++ if (queue_logical_block_size(lo->lo_queue) < sb_bsize) ++ return false; ++ if (lo->lo_offset & (sb_bsize - 1)) ++ return false; ++ return true; ++} ++ + static void __loop_update_dio(struct loop_device *lo, bool dio) + { + struct file *file = lo->lo_backing_file; +- struct address_space *mapping = file->f_mapping; +- struct inode *inode = mapping->host; +- unsigned short sb_bsize = 0; +- unsigned dio_align = 0; ++ struct inode *inode = file->f_mapping->host; ++ struct block_device *backing_bdev = NULL; + bool use_dio; + +- if (inode->i_sb->s_bdev) { +- sb_bsize = bdev_logical_block_size(inode->i_sb->s_bdev); +- dio_align = sb_bsize - 1; +- } ++ if (S_ISBLK(inode->i_mode)) ++ backing_bdev = I_BDEV(inode); ++ else if (inode->i_sb->s_bdev) ++ backing_bdev = inode->i_sb->s_bdev; + +- /* +- * We support direct I/O only if lo_offset is aligned with the +- * logical I/O size of backing device, and the logical block +- * size of loop is bigger than the backing device's. 
+- * +- * TODO: the above condition may be loosed in the future, and +- * direct I/O may be switched runtime at that time because most +- * of requests in sane applications should be PAGE_SIZE aligned +- */ +- if (dio) { +- if (queue_logical_block_size(lo->lo_queue) >= sb_bsize && +- !(lo->lo_offset & dio_align) && +- (file->f_mode & FMODE_CAN_ODIRECT)) +- use_dio = true; +- else +- use_dio = false; +- } else { +- use_dio = false; +- } ++ use_dio = dio && (file->f_mode & FMODE_CAN_ODIRECT) && ++ (!backing_bdev || lo_bdev_can_use_dio(lo, backing_bdev)); + + if (lo->use_dio == use_dio) + return; +-- +2.43.2 + +From ff67e3e488090908dc015ba04d7407d8bd467f7e Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Sun, 14 Jan 2024 23:53:39 +0100 +Subject: [PATCH 621/641] netfilter: nf_tables: do not allow mismatch field + size and set key length +Status: RO +Content-Length: 1490 +Lines: 42 + +[ Upstream commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 ] + +The set description provides the size of each field in the set whose sum +should not mismatch the set key length, bail out otherwise. + +I did not manage to crash nft_set_pipapo with mismatch fields and set key +length so far, but this is UB which must be disallowed. 
+ +Fixes: f3a2181e16f1 ("netfilter: nf_tables: Support for sets with multiple ranged fields") +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/netfilter/nf_tables_api.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 3912a133324c..7775bf5224ac 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4811,8 +4811,8 @@ static int nft_set_desc_concat_parse(const struct nlattr *attr, + static int nft_set_desc_concat(struct nft_set_desc *desc, + const struct nlattr *nla) + { ++ u32 num_regs = 0, key_num_regs = 0; + struct nlattr *attr; +- u32 num_regs = 0; + int rem, err, i; + + nla_for_each_nested(attr, nla, rem) { +@@ -4827,6 +4827,10 @@ static int nft_set_desc_concat(struct nft_set_desc *desc, + for (i = 0; i < desc->field_count; i++) + num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32)); + ++ key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32)); ++ if (key_num_regs != num_regs) ++ return -EINVAL; ++ + if (num_regs > NFT_REG32_COUNT) + return -E2BIG; + +-- +2.43.2 + |
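Review bot: The entries for patches 629/641 and 621/641 added near the end of this hunk are not byte-identical to the copies removed from cve/review/mbox.6.7.2 in the same commit. Each added entry carries a new `Status: RO` header after its `Subject:` line, while the removed copies go straight from `Subject:` to `Content-Length:`. That header looks like mail-client state rather than part of the patch, and it means a move from the review file to the .cve file cannot be verified by comparing the removed and added text directly. If it is not meant to record review state, I would drop the `Status: RO` line from the added entries here and from the hunks in mbox.6.7.2 that only add it, so the diff shows just the entries that changed list.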