[ Upstream commit 810c38a3 ]

Because rose_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with rose_accept().
A use-after-free for skb occurs with the following flow.
```
rose_ioctl() -> skb_peek()
rose_accept() -> skb_dequeue() -> kfree_skb()
```
Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.

Bug: 321175740
Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Link: https://lore.kernel.org/r/20231209100538.GA407321@v4bel-B760M-AORUS-ELITE-AX


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 3f1f6a94)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I94d2aae6221fb95cb285e1a6d0c6fe39a70e35d2

commit f1082dd3 upstream.

An nftables family is merely a hollow container, its family just a
number and such not reliant on compile-time options other than nftables
support itself. Add an artificial check so attempts at using a family
the kernel can't support fail as early as possible. This helps user
space detect kernels which lack e.g. NFPROTO_INET.

Bug: 321815738
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ab3a3aad)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I7123795885791a62089d5f7d1e5ff5a3f90e4abd

This merges the commits up to 5.15.144 LTS into the android13-5.15
branch.  Included in here are the following commits:

* 819bb2da ANDROID: GKI: fix crc issue in include/net/addrconf.h
* bd51aa17 Revert "cred: switch to using atomic_long_t"
* 75f40a04 ANDROID: GKI: fix build error with mm/memory_hotplug.c and v5.15.144
*   cfad9337 Merge 5.15.144 into android13-5.15-lts
|\
| * 1d146b18 Linux 5.15.144
| * 4c117984 r8152: fix the autosuspend doesn't work
| * aa3cc80e r8152: remove rtl_vendor_mode function
| * 07ba2162 r8152: avoid to change cfg for all devices
| * fa5f992d powerpc/ftrace: Fix stack teardown in ftrace_no_trace
| * 4624f5f2 powerpc/ftrace: Create a dummy stackframe to fix stack unwind
| * 410c05b6 RDMA/irdma: Prevent zero-length STAG registration
| * 93e76552 USB: gadget: core: adjust uevent timing on gadget unbind
| * 529f020f ring-buffer: Do not try to put back write_stamp
| * b8d59ea2 ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs
| * fb63b1f9 ring-buffer: Fix writing to the buffer with max_data_size
| * e9587314 ring-buffer: Have saved event hold the entire event
| * 8ed7d280 ring-buffer: Do not update before stamp when switching sub-buffers
| * 54793745 tracing: Update snapshot buffer on resize if it is allocated
| * 97e70d66 ring-buffer: Fix memory leak of free page
| * f9494288 drm/amdgpu/sdma5.2: add begin/end_use ring callbacks
| * 8175dad2 team: Fix use-after-free when an option instance allocation fails
| * c2134ed5 arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify
| * 1bc91916 ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
| * 1a4da77e soundwire: stream: fix NULL pointer dereference for multi_link
| * 5a954998 btrfs: do not allow non subvolume root targets for snapshot
| * 7b427d8c perf: Fix perf_event_validate_size() lockdep splat
| * 27714a22 HID: hid-asus: add const to read-only outgoing usb buffer
| * 11c17f42 net: usb: qmi_wwan: claim interface 4 for ZTE MF290
| * ca15561c asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation
| * 0a3f27d9 HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
| * 41759fab HID: hid-asus: reset the backlight brightness level on resume
| * 9f093e15 HID: add ALWAYS_POLL quirk for Apple kb
| * 61fc877f HID: glorious: fix Glorious Model I HID report
| * 23b08531 platform/x86: intel_telemetry: Fix kernel doc descriptions
| * 7020385e bcache: avoid NULL checking to c->root in run_cache_set()
| * f891bbf1 bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc()
| * 8758b053 bcache: remove redundant assignment to variable cur_idx
| * d38288af bcache: avoid oversize memory allocation by small stripe_size
| * 252c2a47 blk-cgroup: bypass blkcg_deactivate_policy after destroying
| * 8146f7a8 blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!"
| * b7d82e5d stmmac: dwmac-loongson: Add architecture dependency
| * 46412b2f usb: aqc111: check packet for fixup for true limit
| * fe13b6a6 drm/mediatek: Add spinlock for setting vblank event in atomic_begin
| * 6f709907 PCI: loongson: Limit MRRS to 256
| * 4f4a9fc6 Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
| * 2d099b27 ALSA: hda/realtek: Apply mute LED quirk for HP15-db
| * 0239375e ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
| * d6df72b2 ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB
| * 45f53ca3 fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
| * f21b7610 cred: switch to using atomic_long_t
| * 3a142864 net: atlantic: fix double free in ring reinit logic
| * 5b87ac25 appletalk: Fix Use-After-Free in atalk_ioctl
| * de73f41f net: stmmac: Handle disabled MDIO busses from devicetree
| * 6f3b49a4 net: stmmac: use dev_err_probe() for reporting mdio bus registration failure
| * 90715e0a dpaa2-switch: fix size of the dma_unmap
| * 444339f3 vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
| * a5ab70a9 sign-file: Fix incorrect return values check
| * 8eec2dcc stmmac: dwmac-loongson: Make sure MDIO is initialized before use
| * abb40550 net: ena: Fix XDP redirection error
| * 5d452257 net: ena: Fix xdp drops handling due to multibuf packets
| * 39082715 net: ena: Destroy correct number of xdp queues upon failure
| * e2b48f94 net: Remove acked SYN flag from packet in the transmit queue correctly
| * d3b174db qed: Fix a potential use-after-free in qed_cxt_tables_alloc
| * 3f1f6a94 net/rose: Fix Use-After-Free in rose_ioctl
| * 3bb41dc3 atm: Fix Use-After-Free in do_vcc_ioctl
| * db400b1f octeontx2-af: Update RSS algorithm index
| * e0676d37 octeontx2-pf: Fix promisc mcam entry action
| * 86f50bb2 octeontx2-af: fix a use-after-free in rvu_nix_register_reporters
| * af7a7721 net: fec: correct queue selection
| * 3c4dcfbf net: vlan: introduce skb_vlan_eth_hdr()
| * fe779dbb atm: solos-pci: Fix potential deadlock on &tx_queue_lock
| * e16f961f atm: solos-pci: Fix potential deadlock on &cli_queue_lock
| * d525bbd9 qca_spi: Fix reset behavior
| * 4ec0e0e6 qca_debug: Fix ethtool -G iface tx behavior
| * 173fc321 qca_debug: Prevent crash on TX ring changes
| * 9846d8c8 net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX
| * 77443956 HID: lenovo: Restrict detection of patched firmware only to USB cptkbd
| * d37f44be afs: Fix refcount underflow from error handling race
| * a69d8ee0 ksmbd: fix memory leak in smb2_lock()
| * fd0d9b16 MIPS: Loongson64: Handle more memory types passed from firmware
| * d9a9d8ef memblock: allow to specify flags with memblock_add_node()
| * 49e0fcb5 mm/memory_hotplug: handle memblock_add_node() failures in add_memory_resource()
| * 5b77f41f netfilter: nf_tables: fix 'exist' matching on bigendian arches
| * 3d4ad03b r8152: add vendor/device ID pair for ASUS USB-C2500
| * 404ce6ee r8152: add vendor/device ID pair for D-Link DUB-E250
| * ca75274b r8152: add USB device driver for config selection
| * f5494d96 perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table
* | 92ec34b6 Revert "drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group"
* | 1cf10b14 Revert "perf/core: Add a new read format to get a number of lost samples"
* | 83e91680 Revert "perf: Fix perf_event_validate_size()"
* | 9a93c59e Revert "hrtimers: Push pending hrtimers away from outgoing CPU earlier"
* | a212ebcf Merge 5.15.143 into android13-5.15-lts
|\|
| * d0fc081c Linux 5.15.143
| * 2eba64dc devcoredump: Send uevent once devcd is ready
| * 97a9a7cf devcoredump : Serialize devcd_del work
| * e5071ae7 smb: client: fix potential NULL deref in parse_dfs_referrals()
| * d2bafe84 cifs: Fix non-availability of dedup breaking generic/304
| * c7a0a265 Revert "btrfs: add dmesg output for first mount and last unmount of a filesystem"
| * 1ed694fe MIPS: Loongson64: Enable DMA noncoherent support
| * a71b6a61 MIPS: Loongson64: Reserve vgabios memory on boot
| * 72bdf344 KVM: SVM: Update EFER software model on CR0 trap for SEV-ES
| * 15a80887 KVM: s390/mm: Properly reset no-dat
| * 19e10526 x86/CPU/AMD: Check vendor in the AMD microcode callback
| * e5731380 serial: 8250_omap: Add earlycon support for the AM654 UART controller
| * 17c2ed9a serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt
| * 8718c0ab serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit
| * 9bf8bc45 serial: sc16is7xx: address RX timeout interrupt errata
| * 87ac2704 ARM: PL011: Fix DMA support
| * 9402252d usb: typec: class: fix typec_altmode_put_partner to put plugs
| * e24f2b21 Revert "xhci: Loosen RPM as default policy to cover for AMD xHC 1.1"
| * 742ecc1b parport: Add support for Brainboxes IX/UC/PX parallel cards
| * 86240d91 usb: gadget: f_hid: fix report descriptor allocation
| * f7a0cab5 drm/amdgpu: correct the amdgpu runtime dereference usage count
| * 091c77c2 drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c
| * 324df6ec gpiolib: sysfs: Fix error handling on failed export
| * ebc7597c perf: Fix perf_event_validate_size()
| * 00f8c6dc perf/core: Add a new read format to get a number of lost samples
| * 4aed5240 arm64: dts: mt8183: kukui: Fix underscores in node names
| * 1e64d6dd arm64: dts: mediatek: add missing space before {
| * 6276d125 arm64: dts: mediatek: mt8183: Move thermal-zones to the root node
| * a6b7222b arm64: dts: mediatek: align thermal zone node names with dtschema
| * ab9ac2cb tools headers UAPI: Sync linux/perf_event.h with the kernel sources
| * dc52117c docs/process/howto: Replace C89 with C11
| * 7aed5086 platform/x86: asus-wmi: Fix kbd_dock_devid tablet-switch reporting
| * e6512861 netfilter: nft_set_pipapo: skip inactive elements during set walk
| * bcedd497 io_uring/af_unix: disable sending io_uring over sockets
| * c5a09d16 mm: fix oops when filemap_map_pmd() without prealloc_pte
| * c755e7cd r8169: fix rtl8125b PAUSE frames blasting when suspended
| * 9234835f tracing: Stop current tracer when resizing buffer
| * 5a9cbf82 tracing: Set actual size after ring buffer resize
| * 40a36f08 ring-buffer: Force absolute timestamp on discard of event
| * 0ccca12b misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write
| * 271b5630 misc: mei: client.c: return negative error code in mei_cl_write
| * 4511b365 coresight: etm4x: Remove bogous __exit annotation for some functions
| * 192352bd coresight: etm4x: Make etm4_remove_dev() return void
| * 318a2066 kallsyms: Make kallsyms_on_each_symbol generally available
| * 61b68b60 binder: fix memory leaks of spam and pending work
| * 1665a875 arm64: dts: mediatek: mt8183: Fix unit address for scp reserved memory
| * dca1bfdb arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names
| * d052b5ad arm64: dts: mediatek: mt8183-kukui-jacuzzi: fix dsi unnecessary cells properties
| * e37aa926 arm64: dts: mediatek: mt7622: fix memory node warning check
| * d849cf64 platform/surface: aggregator: fix recv_buf() return value
| * d91fb1b7 regmap: fix bogus error on regcache_sync success
| * d08a96e5 packet: Move reference count in packet_sock to atomic_long_t
| * c86b7689 tracing: Fix a possible race when disabling buffered events
| * e733a6f8 tracing: Fix incomplete locking when disabling buffered events
| * fb0219bf tracing: Disable snapshot buffer when stopping instance tracers
| * 9e41d92e tracing: Always update snapshot buffer size
| * ac3ccec3 checkstack: fix printed address
| * 762b0d52 nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
| * fd85766c nilfs2: fix missing error check for sb_set_blocksize call
| * 4bbf011b ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
| * e5571507 ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
| * f82e39f7 ALSA: usb-audio: Add Pioneer DJM-450 mixer controls
| * ea3291cb io_uring: fix mutex_unlock with unreferenced ctx
| * 09f9d1fb nvme-pci: Add sleep quirk for Kingston drives
| * 7e765ec2 kprobes: consistent rcu api usage for kretprobe holder
| * f5311389 md: don't leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly()
| * 4a52acc9 md: introduce md_ro_state
| * 940a7bcd riscv: fix misaligned access handling of C.SWSP and C.SDSP
| * 6e2f7118 ARM: dts: imx28-xea: Pass the 'model' property
| * 976eb173 ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt
| * cb2034c0 ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
| * 800aabe1 scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
| * 48987eef tracing: Fix a warning when allocating buffered events fails
| * 6daed371 ARM: dts: imx6ul-pico: Describe the Ethernet PHY clock
| * 2ea7438a arm64: dts: imx8mp: imx8mq: Add parkmode-disable-ss-quirk on DWC3
| * 8a21980d arm64: dts: imx8mq: drop usb3-resume-missing-cas from usb
| * 0511a9c5 RDMA/irdma: Avoid free the non-cqp_request scratch
| * b7b24a7f RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz
| * 9d2854cc ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
| * 1d31ea4d hwmon: (nzxt-kraken2) Fix error handling path in kraken2_probe()
| * 9deab0c3 hwmon: (acpi_power_meter) Fix 4.29 MW bug
| * 8ef49679 RDMA/bnxt_re: Correct module description string
| * 0b21a39b RDMA/rtrs-clt: Remove the warnings for req in_use check
| * 6cef8ca1 RDMA/rtrs-clt: Fix the max_send_wr setting
| * 855b4334 RDMA/rtrs-srv: Destroy path files after making sure no IOs in-flight
| * 7df9d0d0 RDMA/rtrs-srv: Free srv_mr iu only when always_invalidate is true
| * 00e54da5 RDMA/rtrs-srv: Check return values while processing info request
| * 59cab0ae RDMA/rtrs-clt: Start hb after path_up
| * 7f0460db RDMA/rtrs-srv: Do not unconditionally enable irq
| * 18556be8 arm64: dts: rockchip: Expand reg size of vdec node for RK3399
| * 583dec14 RDMA/irdma: Add wait for suspend on SQD
| * f78b8b7f RDMA/irdma: Do not modify to SQD on error
| * 75479772 RDMA/hns: Fix unnecessary err return when using invalid congest control algorithm
| * 01c13d8a tee: optee: Fix supplicant based device enumeration
| * d3d254e6 drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
| * 30d4881a net: add missing kdoc for struct genl_multicast_group::flags
| * 5299bca8 psample: Require 'CAP_NET_ADMIN' when joining "packets" group
| * 81b0c3d2 bpf: sockmap, updating the sg structure should also update curr
| * 0d4e0afd tcp: do not accept ACK of bytes we never sent
| * 38bae9cd netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
| * 9de311e5 netfilter: nf_tables: validate family when identifying table via handle
| * cf5f113c netfilter: nf_tables: bail out on mismatching dynset and set expressions
| * 219c6b55 octeontx2-af: Update Tx link register range
| * 4fe599a7 net: hns: fix fake link up on xge port
| * a5c2f9f7 ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
| * c8aca57e ionic: Fix dim work handling in split interrupt mode
| * 04022c18 ionic: fix snprintf format length warning
| * 246bc719 net: bnxt: fix a potential use-after-free in bnxt_init_tc
| * b14d6d40 i40e: Fix unexpected MFS warning message
| * 6113cba2 octeontx2-af: fix a use-after-free in rvu_npa_register_reporters
| * e047a1fc net: stmmac: fix FPE events losing
| * 75c53a4c arcnet: restoring support for multiple Sohard Arcnet cards
| * 789fed57 platform/mellanox: Check devm_hwmon_device_register_with_groups() return value
| * a2407144 platform/mellanox: Add null pointer checks for devm_kasprintf()
| * 45171e5e mlxbf-bootctl: correctly identify secure boot with development keys
| * 401d9bab r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en()
| * 5b9bf02f r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1()
| * 0a53ed0b r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash()
| * a6378013 r8152: Add RTL8152_INACCESSIBLE checks to more loops
| * 00beca90 r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE
| * 89c619b1 hv_netvsc: rndis_filter needs to select NLS
| * f258a0be octeontx2-af: Check return value of nix_get_nixlf before using nixlf
| * 51e7868e octeontx2-pf: Add missing mutex lock in otx2_get_pauseparam
| * a239affd ipv6: fix potential NULL deref in fib6_add()
| * 9008af83 platform/x86: wmi: Skip blocks with zero instances
| * 29783a17 platform/x86: wmi: Allow duplicate GUIDs for drivers that use struct wmi_driver
| * 0f06d9bd of: dynamic: Fix of_reconfig_get_state_change() return value documentation
| * 5dd9a481 platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi code
| * 450f8c95 platform/x86: asus-wmi: Simplify tablet-mode-switch handling
| * f277c14b platform/x86: asus-wmi: Simplify tablet-mode-switch probing
| * 36ede147 platform/x86: asus-wmi: Add support for ROG X13 tablet mode
| * e8aed513 platform/x86: asus-wmi: Adjust tablet/lidflip handling to use enum
| * bfac5cc5 drm/amdgpu: correct chunk_ptr to a pointer to chunk.
| * 94e5ed16 kconfig: fix memory leak from range properties
| * c5ab980a tg3: Increment tx_dropped in tg3_tso_bug()
| * d188dcb9 tg3: Move the [rt]x_dropped counters to tg3_napi
| * 8bb930c3 netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
| * 89a05781 i2c: designware: Fix corrupted memory seen in the ISR
| * 6fcbcc6c hrtimers: Push pending hrtimers away from outgoing CPU earlier
| * ef93d885 vdpa/mlx5: preserve CVQ vringh index
* | 1370e896 Revert "mmc: core: add helpers mmc_regulator_enable/disable_vqmmc"
* | 5aa8856e Revert "mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled"
* | a90e9988 Merge 5.15.142 into android13-5.15-lts
|\|
| * 8a1d809b Linux 5.15.142
| * 4d9bd1b1 iomap: update ki_pos a little later in iomap_dio_complete
| * 6ed02493 r8169: fix deadlock on RTL8125 in jumbo mtu mode
| * 0249024a r8169: disable ASPM in case of tx timeout
| * 8912dbdd mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled
| * 68156ce2 mmc: core: add helpers mmc_regulator_enable/disable_vqmmc
| * 9807860f iommu/vt-d: Make context clearing consistent with context mapping
| * 7960f2cf iommu/vt-d: Omit devTLB invalidation requests when TES=0
| * cfd842b7 cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily
| * f0b68806 cpufreq: imx6q: don't warn for disabling a non-existing frequency
| * bb08df40 smb3: fix caching of ctime on setxattr
| * 15b4158c fs: add ctime accessors infrastructure
| * db78835b fbdev: stifb: Make the STI next font pointer a 32-bit signed offset
| * 711ee151 ASoC: SOF: sof-pci-dev: Fix community key quirk detection
| * 81952f82 ASoC: SOF: sof-pci-dev: don't use the community key on APL Chromebooks
| * fa0a570d ASoC: SOF: sof-pci-dev: add parameter to override topology filename
| * 0d38d659 ASoC: SOF: sof-pci-dev: use community key on all Up boards
| * f3db01e4 ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header
| * b4329a3a smb3: fix touch -h of symlink
| * b60187f6 selftests/resctrl: Move _GNU_SOURCE define into Makefile
| * 072c17d4 selftests/resctrl: Add missing SPDX license to Makefile
| * 1e9973ae perf intel-pt: Fix async branch flags
| * 0a6b5321 net: ravb: Stop DMA in case of failures on ravb_open()
| * a4515a2f net: ravb: Start TX queues after HW initialization succeeded
| * 2ba0a833 net: ravb: Use pm_runtime_resume_and_get()
| * 5823191f net: ravb: Check return value of reset_control_deassert()
| * 24681e92 ravb: Fix races between ravb_tx_timeout_work() and net related ops
| * 97509417 r8169: prevent potential deadlock in rtl8169_close
| * 66625069 Revert "workqueue: remove unused cancel_work()"
| * 2587d8fe octeontx2-pf: Fix adding mbox work queue entry when num_vfs > 64
| * 54260f14 net: stmmac: xgmac: Disable FPE MMC interrupts
| * 9af4884b octeontx2-af: Fix possible buffer overflow
| * f4499f0f selftests/net: ipsec: fix constant out of range
| * 8454f0e0 uapi: propagate __struct_group() attributes to the container union
| * 0bf95654 dpaa2-eth: increase the needed headroom to account for alignment
| * c4a00c47 ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
| * 64c27b7b usb: config: fix iteration issue in 'usb_get_bos_descriptor()'
| * e704db8e USB: core: Change configuration warnings to notices
| * bec3ae29 hv_netvsc: fix race of netvsc and VF register_netdevice
| * 69732d21 rcu: Avoid tracing a few functions executed in stop machine
| * 02caa78c vlan: move dev_put into vlan_dev_uninit
| * 84280118 vlan: introduce vlan_dev_free_egress_priority
| * a8604a90 Input: xpad - add HyperX Clutch Gladiate Support
| * 875eeda4 btrfs: make error messages more clear when getting a chunk map
| * 47693835 btrfs: send: ensure send_fd is writable
| * 36b98806 btrfs: fix off-by-one when checking chunk map includes logical address
| * 0ffd9d35 btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod()
| * a480eb26 btrfs: add dmesg output for first mount and last unmount of a filesystem
| * 2e931b33 parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes
| * f0d05222 powerpc: Don't clobber f0/vs0 during fp|altivec register save
| * d48f9008 iommu/vt-d: Add MTL to quirk list to skip TE disabling
| * 0c7fa41e bcache: revert replacing IS_ERR_OR_NULL with IS_ERR
| * c986cb72 dm verity: don't perform FEC for failed readahead IO
| * 9a2590b4 dm-verity: align struct dm_verity_fec_io properly
| * 61a982f9 ALSA: hda/realtek: Add supported ALC257 for ChromeOS
| * 5fe4d965 ALSA: hda/realtek: Headset Mic VREF to 100%
| * 4ed5ad05 ALSA: hda: Disable power-save on KONTRON SinglePC
| * a7579368 mmc: block: Be sure to wait while busy in CQE error recovery
| * 8dfdd603 mmc: block: Do not lose cache flush during CQE error recovery
| * 129984dc mmc: block: Retry commands in CQE error recovery
| * 85afaefa mmc: cqhci: Fix task clearing in CQE error recovery
| * ceec8231 mmc: cqhci: Warn of halt or task clear failure
| * 9edc0635 mmc: cqhci: Increase recovery halt timeout
| * 44382938 firewire: core: fix possible memory leak in create_units()
| * b20f71c8 pinctrl: avoid reload of p state in list iteration
* | 28e3f585 Revert "HID: core: store the unique system identifier in hid_device"
* | e953bdbd Revert "HID: fix HID device resource race between HID core and debugging support"
* | 3d768e6e Revert "wireguard: use DEV_STATS_INC()"
* | e81f5f3c Merge 5.15.141 into android13-5.15-lts
|\|
| * 9b91d36b Linux 5.15.141
| * 313a34d1 io_uring: fix off-by one bvec index
| * 49ae2e4e USB: dwc3: qcom: fix wakeup after probe deferral
| * eb17fb4b USB: dwc3: qcom: fix software node leak on probe errors
| * 98f0e9b6 usb: dwc3: set the dma max_seg_size
| * 1a3dcb1d usb: dwc3: Fix default mode initialization
| * a22702a8 USB: dwc2: write HCINT with INTMASK applied
| * 1134fde9 usb: typec: tcpm: Skip hard reset when in error recovery
| * 64830d04 USB: serial: option: don't claim interface 4 for ZTE MF290
| * 9611cbc6 USB: serial: option: fix FM101R-GL defines
| * a8d80b1f USB: serial: option: add Fibocom L7xx modules
| * de8c6fce usb: cdnsp: Fix deadlock issue during using NCM gadget
| * dd0cc4b6 bcache: fixup lock c->root error
| * a912742d bcache: fixup init dirty data errors
| * 137660f8 bcache: prevent potential division by zero error
| * f7077ce8 bcache: check return value from btree_node_alloc_replacement()
| * 1eed0109 dm-delay: fix a race between delay_presuspend and delay_bio
| * d181a7a1 hv_netvsc: Mark VF as slave before exposing it to user-mode
| * 97683466 hv_netvsc: Fix race of register_netdevice_notifier and VF register
| * 38419210 USB: serial: option: add Luat Air72*U series products
| * 6062c527 s390/dasd: protect device queue against concurrent access
| * 35b5d86e io_uring/fs: consider link->flags when getting path for LINKAT
| * 2bb75a2c bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up race
| * 6f09318f md: fix bi_status reporting in md_end_clone_io
| * 72ecb975 bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce()
| * e09ba90f swiotlb-xen: provide the "max_mapping_size" method
| * 0f05021e ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA
| * f95e9f7a proc: sysctl: prevent aliased sysctls from getting passed to init
| * 3f3880fc ext4: make sure allocate pending entry not fail
| * e33eb499 ext4: fix slab-use-after-free in ext4_es_insert_extent()
| * 859893f6 ext4: using nofail preallocation in ext4_es_insert_extent()
| * 048e7f38 ext4: using nofail preallocation in ext4_es_insert_delayed_block()
| * 580b9dd6 ext4: using nofail preallocation in ext4_es_remove_extent()
| * 66bc78a2 ext4: use pre-allocated es in __es_remove_extent()
| * b1995ba6 ext4: use pre-allocated es in __es_insert_extent()
| * edec1271 ext4: factor out __es_alloc_extent() and __es_free_extent()
| * e82d05cf ext4: add a new helper to check if es must be kept
| * 612edd48 media: qcom: camss: Fix csid-gen2 for test pattern generator
| * ceb5276d media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater than 3
| * f001e6f6 media: camss: sm8250: Virtual channels for CSID
| * 9fb81ca7 media: camss: Replace hard coded value with parameter
| * 8ef9b32f MIPS: KVM: Fix a build warning about variable set but not used
| * 6ddaca6b lockdep: Fix block chain corruption
| * 61747778 USB: dwc3: qcom: fix ACPI platform device leak
| * 02747288 USB: dwc3: qcom: fix resource leaks on probe deferral
| * e26c6feb nvmet: nul-terminate the NQNs passed in the connect command
| * b5d50c6a afs: Fix file locking on R/O volumes to operate in local mode
| * 84ebfbed afs: Return ENOENT if no cell DNS record can be found
| * 6aeac88a net: axienet: Fix check for partial TX checksum
| * 293acba8 amd-xgbe: propagate the correct speed and duplex status
| * b3874cc2 amd-xgbe: handle the corner-case during tx completion
| * e949dbc2 amd-xgbe: handle corner-case during sfp hotplug
| * 01a8b947 octeontx2-pf: Fix ntuple rule creation to direct packet to VF with higher Rx queue than its PF
| * fcc4a03a arm/xen: fix xen_vcpu_info allocation alignment
| * 90072af9 net/smc: avoid data corruption caused by decline
| * 66c02346 net: usb: ax88179_178a: fix failed operations during ax88179_reset
| * ba81c522 ipv4: Correct/silence an endian warning in __ip_do_redirect
| * 364406d4 HID: fix HID device resource race between HID core and debugging support
| * 52badc06 HID: core: store the unique system identifier in hid_device
| * 221be624 drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full
| * b0c835fd ata: pata_isapnp: Add missing error check for devm_ioport_map()
| * 9754a498 octeontx2-pf: Fix memory leak during interface down
| * be41c0c4 wireguard: use DEV_STATS_INC()
| * f163a6d1 drm/panel: simple: Fix Innolux G101ICE-L01 timings
| * 608de3a5 drm/panel: simple: Fix Innolux G101ICE-L01 bus flags
| * 18bd108a drm/panel: auo,b101uan08.3: Fine tune the panel power sequence
| * 9fe5718d drm/panel: boe-tv101wum-nl6: Fine tune the panel power sequence
| * c8a49336 afs: Make error on cell lookup failure consistent with OpenAFS
| * ac239fcc afs: Fix afs_server_list to be cleaned up with RCU
* | 37769036 Revert "ASoC: soc-card: Add storage for PCI SSID"
* | 7c554dc3 Revert "net: inet: Remove count from inet_listen_hashbucket"
* | a2d3874c Revert "net: inet: Open code inet_hash2 and inet_unhash2"
* | c249a76a Revert "net: inet: Retire port only listening_hash"
* | 2071d76a Revert "net: set SOCK_RCU_FREE before inserting socket into hashtable"
* | d7540ec6 Revert "tracing: Have trace_event_file have ref counters"
* | aa34356b Revert "workqueue: Provide one lock class key per work_on_cpu() callsite"
* | b5d865c3 Merge 5.15.140 into android13-5.15-lts
|\|
| * a78d278e Linux 5.15.140
| * 947c9e12 driver core: Release all resources during unbind before updating device links
| * 5a434d5c Input: xpad - add VID for Turtle Beach controllers
| * cbc7c29d tracing: Have trace_event_file have ref counters
| * 1dcf90c9 powerpc/powernv: Fix fortify source warnings in opal-prd.c
| * 3d791271 io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid
| * 595b051c drm/amd/display: Change the DMCUB mailbox memory location from FB to inbox
| * a2a6e97c drm/amdgpu: fix error handling in amdgpu_bo_list_get()
| * e380992c drm/amdgpu: don't use ATRM for external devices
| * 4ff985b8 drm/i915: Fix potential spectre vulnerability
| * ea0c4d5e drm/amd/pm: Handle non-terminated overdrive commands.
| * 9ce842d7 ext4: add missed brelse in update_backups
| * ce19c200 ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
| * ac45d8e3 ext4: correct the start block of counting reserved clusters
| * 8f9842c4 ext4: correct return value of ext4_convert_meta_bg
| * 8798d3b2 ext4: correct offset of gdb backup in non meta_bg group to update_backups
| * 8a3bb38b ext4: apply umask if ACL support is disabled
| * d5c38014 Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E"
| * 6ad3d859 media: qcom: camss: Fix missing vfe_lite clocks check
| * e0376cf0 media: qcom: camss: Fix VFE-17x vfe_disable_output()
| * 8f733387 media: qcom: camss: Fix vfe_get() error jump
| * 841fc648 media: qcom: camss: Fix pm_domain_on sequence in probe
| * 4c9c43f7 mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of AER
| * 72bf271c r8169: fix network lost after resume on DASH systems
| * 468e3ebf mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors
| * 0387978f mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2
| * 070b3ccb riscv: kprobes: allow writing to x0
| * cd0e9f47 nfsd: fix file memleak on client_opens_release
| * 114c9d73 media: ccs: Correctly initialise try compose rectangle
| * 6c8aeeb2 media: venus: hfi: add checks to handle capabilities from firmware
| * cdeb0a4c media: venus: hfi: fix the check to handle session buffer requirement
| * 7d62570f media: venus: hfi_parser: Add check to keep the number of codecs within range
| * d0d831e7 media: sharp: fix sharp encoding
| * 6003733c media: lirc: drop trailing space from scancode transmit
| * e4088d7d f2fs: avoid format-overflow warning
| * 12055238 i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
| * 336e6db5 net: phylink: initialize carrier state at creation
| * d8cb287d net: dsa: lan9303: consequently nested-lock physical MDIO
| * 656262cb net: ethtool: Fix documentation of ethtool_sprintf()
| * acca20cc s390/ap: fix AP bus crash on early config change callback invocation
| * 019b7d42 i2c: designware: Disable TX_EMPTY irq while waiting for block length byte
| * c6e89348 sbsa_gwdt: Calculate timeout with 64-bit math
| * 132670ae lsm: fix default return value for inode_getsecctx
| * 223196b5 lsm: fix default return value for vm_enough_memory
| * 06d320ca Revert "i2c: pxa: move to generic GPIO recovery"
| * ddec3d04 Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
| * ad0b74d0 powerpc/pseries/ddw: simplify enable_ddw()
| * b3e993de arm64: dts: qcom: ipq6018: Fix tcsr_mutex register size
| * b99ac206 arm64: dts: qcom: ipq6018: switch TCSR mutex to MMIO
| * aaf0a07d ksmbd: fix slab out of bounds write in smb_inherit_dacl()
| * 1c701423 Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE
| * 36a573b3 Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables
| * c4976160 bluetooth: Add device 13d3:3571 to device tables
| * 603e77e9 bluetooth: Add device 0bda:887b to device tables
| * e9bb966c Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559
| * cf642ee6 cpufreq: stats: Fix buffer overflow detection in trans_stats()
| * 63e09cdf regmap: Ensure range selector registers are updated after cache sync
| * 0c49e74e tty: serial: meson: fix hard LOCKUP on crtscts mode
| * 6f26b6a6 serial: meson: Use platform_get_irq() to get the interrupt
| * 450fa8bf ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC
| * cc549ba5 ALSA: hda/realtek - Add Dell ALC295 to pin fall back table
| * 767c9887 ALSA: info: Fix potential deadlock at disconnection
| * 09022ae6 xhci: Enable RPM on controllers that support low-power states
| * 68574fe2 parisc/pgtable: Do not drop upper 5 address bits of physical address
| * ea7593c1 parisc: Prevent booting 64-bit kernels on PA1.x machines
| * 2c9092e8 i3c: master: svc: fix SDA keep low when polling IBIWON timeout happen
| * da754f92 i3c: master: svc: fix check wrong status register in irq handler
| * 5ba77b6b i3c: master: svc: fix ibi may not return mandatory data byte
| * e0a70ed4 i3c: master: svc: fix wrong data return when IBI happen during start frame
| * 7383675a i3c: master: svc: fix race condition in ibi work thread
| * cc7efd10 i3c: master: cdns: Fix reading status register
| * d3c6a08c mtd: cfi_cmdset_0001: Byte swap OTP info
| * a4668088 mm/memory_hotplug: use pfn math in place of direct struct page manipulation
| * 792a7960 mm/cma: use nth_page() in place of direct struct page manipulation
| * 9b59fc31 s390/cmma: fix detection of DAT pages
| * 45bb94aa dmaengine: stm32-mdma: correct desc prep when channel running
| * 91659b77 mcb: fix error handling for different scenarios when parsing
| * 534790fd tracing: Have the user copy of synthetic event address use correct context
| * f6237afa i2c: core: Run atomic i2c xfer when !preemptible
| * 931aa715 kernel/reboot: emergency_restart: Set correct system_state
| * 7a3424c3 quota: explicitly forbid quota files from being encrypted
| * 47f50983 jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev
| * f13e1ea4 ASoC: codecs: wsa-macro: fix uninitialized stack variables with name prefix
| * 28436d80 selftests/resctrl: Reduce failures due to outliers in MBA/MBM tests
| * 6ce63598 selftests/resctrl: Remove duplicate feature check from CMT test
| * e90efe17 netfilter: nf_tables: split async and sync catchall in two functions
| * 0d9506c7 netfilter: nf_tables: remove catchall element in GC sync path
| * 96fc7a50 PCI: keystone: Don't discard .probe() callback
| * e0d394df PCI: keystone: Don't discard .remove() callback
| * f4f12667 KEYS: trusted: Rollback init_trusted() consistently
| * c407ff72 genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
| * bc8a14e3 mmc: meson-gx: Remove setting of CMD_CFG_ERROR
| * 3a51e6b4 wifi: ath11k: fix htt pktlog locking
| * 426e718c wifi: ath11k: fix dfs radar event locking
| * e9d84413 wifi: ath11k: fix temperature event locking
| * 5ff84994 ima: detect changes to the backing overlay file
| * 4584a421 ima: annotate iint mutex to avoid lockdep false positive warnings
| * 4049576c ACPI: FPDT: properly handle invalid FPDT subtables
| * 628e76e6 firmware: qcom_scm: use 64-bit calling convention only when client is 64-bit
| * 6eb8c191 btrfs: don't arbitrarily slow down delalloc if we're committing
| * 0b99626b rcu: kmemleak: Ignore kmemleak false positives when RCU-freeing objects
| * 71f5344f PM: hibernate: Clean up sync_read handling in snapshot_write_next()
| * 57dbc0eb PM: hibernate: Use __get_safe_page() rather than touching the list
| * 87a30633 arm64: dts: qcom: ipq6018: Fix hwlock index for SMEM
| * ebaee06a rcu/tree: Defer setting of jiffies during stall reset
| * 057d1034 svcrdma: Drop connection after an RDMA Read error
| * 541b3757 wifi: wilc1000: use vmm_table as array in wilc struct
| * b156f62f PCI: exynos: Don't discard .remove() callback
| * f8879672 PCI/ASPM: Fix L1 substate handling in aspm_attr_store_common()
| * 467864d5 mmc: sdhci_am654: fix start loop index for TAP value parsing
| * ef34a97b mmc: vub300: fix an error code
| * 36adb620 clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks
| * 090b167b clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks
| * 18640a18 clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data
| * 4d17b54c parisc/pdc: Add width field to struct pdc_model
| * 936c9c10 arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer
| * 8b24bb54 ACPI: resource: Do IRQ override on TongFang GMxXGxx
| * 5619c34d watchdog: move softlockup_panic back to early_param
| * a6c3a1fe PCI/sysfs: Protect driver's D3cold preference from user space
| * 01975bee hvc/xen: fix event channel handling for secondary consoles
| * cfd543c1 hvc/xen: fix error path in xen_hvc_init() to always register frontend driver
| * 730e08cb hvc/xen: fix console unplug
| * fa0b93a3 tty/sysrq: replace smp_processor_id() with get_cpu()
| * 92e6c0f0 audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
| * e29c095f audit: don't take task_lock() in audit_exe_compare() code path
| * 5eb6519f KVM: x86: Ignore MSR_AMD64_TW_CFG access
| * 1c49ef70 KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space
| * fe6b461c x86/cpu/hygon: Fix the CPU topology evaluation for real
| * 3a2adf48 crypto: x86/sha - load modules based on CPU features
| * be079aa7 scsi: qla2xxx: Fix system crash due to bad pointer access
| * 6ba3569f scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers
| * 6a33b581 scsi: mpt3sas: Fix loop logic
| * 3c5aede4 bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
| * 40347043 bpf: Fix check_stack_write_fixed_off() to correctly spill imm
| * ba115f6c randstruct: Fix gcc-plugin performance mode to stay in group
| * 2771fac4 powerpc/perf: Fix disabling BHRB and instruction sampling
| * 7e450cc9 media: venus: hfi: add checks to perform sanity on queue pointers
| * 1566e8be i915/perf: Fix NULL deref bugs with drm_dbg() calls
| * 35c17257 xfs: Fix unreferenced object reported by kmemleak in xfs_sysfs_init()
| * 5db14632 xfs: fix memory leak in xfs_errortag_init
| * c540284d xfs: fix exception caused by unexpected illegal bestcount in leaf dir
| * 5212d586 xfs: avoid a UAF when log intent item recovery fails
| * ba179cc1 xfs: fix inode reservation space for removing transaction
| * b7847653 xfs: Fix false ENOSPC when performing direct write on a delalloc extent in cow fork
| * 92d38b87 xfs: add missing cmap->br_state = XFS_EXT_NORM update
| * 8d0baec7 xfs: fix intermittent hang during quotacheck
| * 76545c0e xfs: don't leak memory when attr fork loading fails
| * eb888caf xfs: fix use-after-free in xattr node block inactivation
| * 4cb38429 xfs: flush inode gc workqueue before clearing agi bucket
| * 188594c6 xfs: prevent a UAF when log IO errors race with unmount
| * 921c9621 xfs: use invalidate_lock to check the state of mmap_lock
| * efd19480 xfs: convert buf_cancel_table allocation to kmalloc_array
| * 074fee18 xfs: don't leak xfs_buf_cancel structures when recovery fails
| * b8effd31 xfs: refactor buffer cancellation table allocation
| * 4968c2aa cifs: fix check of rc in function generate_smb3signingkey
| * 8d725bf0 cifs: spnego: add ';' in HOST_KEY_LEN
| * 21accf14 tools/power/turbostat: Enable the C-state Pre-wake printing
| * 0045c1ff tools/power/turbostat: Fix a knl bug
| * 5bcce23f macvlan: Don't propagate promisc change to lower dev in passthru
| * 7574b5e6 net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors
| * 55553c5b net/mlx5e: Reduce the size of icosq_str
| * 51655fd3 net/mlx5e: Fix pedit endianness
| * a990dd74 net/mlx5e: Refactor mod header management API
| * 39f95b1d net/mlx5e: Move mod hdr allocation to a single place
| * c0f37a37 net/mlx5e: Remove incorrect addition of action fwd flag
| * 6974fd92 net/mlx5e: fix double free of encap_header in update funcs
| * f3c4a704 net/mlx5e: fix double free of encap_header
| * 931e9e8e net: stmmac: fix rx budget limit check
| * b8b514b2 netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
| * 25da0f58 netfilter: nf_tables: add and use BE register load-store helpers
| * a48f6be5 netfilter: nf_tables: use the correct get/put helpers
| * 7d3901bf netfilter: nf_conntrack_bridge: initialize err to 0
| * 75bcfc18 af_unix: fix use-after-free in unix_stream_read_actor()
| * 0b480c65 net: ethernet: cortina: Fix MTU max setting
| * 097588e2 net: ethernet: cortina: Handle large frames
| * f9269b27 net: ethernet: cortina: Fix max RX frame define
| * 53064e82 bonding: stop the device in bond_setup_by_slave()
| * cda210a4 ptp: annotate data-race around q->head and q->tail
| * b67d16b2 xen/events: fix delayed eoi list handling
| * 8531a419 ppp: limit MRU to 64K
| * 9ae82308 tipc: Fix kernel-infoleak due to uninitialized TLV value
| * 359c65da net: hns3: fix VF wrong speed and duplex issue
| * 406be003 net: hns3: fix VF reset fail issue
| * cfc131b0 net: hns3: fix variable may not initialized problem in hns3_init_mac_addr()
| * 07058182 net: hns3: fix incorrect capability bit display for copper port
| * a3c65cf7 net: hns3: add barrier in vf mailbox reply process
| * e671d820 net: hns3: add byte order conversion for PF to VF mailbox message
| * bb0f1425 net: hns3: refine the definition for struct hclge_pf_to_vf_msg
| * 1d8f66d4 net: hns3: fix add VLAN fail issue
| * 4b3b2541 tty: Fix uninit-value access in ppp_sync_receive()
| * 1f64cad3 ipvlan: add ipvlan_route_v6_outbound() helper
| * 6c71b9b1 net: set SOCK_RCU_FREE before inserting socket into hashtable
| * 42716542 net: inet: Retire port only listening_hash
| * be1ceb8b net: inet: Open code inet_hash2 and inet_unhash2
| * bb9bcf47 net: inet: Remove count from inet_listen_hashbucket
| * de634368 mptcp: listen diag dump support
| * 870f438a mptcp: diag: switch to context structure
| * be020f65 gfs2: Silence "suspicious RCU usage in gfs2_permission" warning
| * 194454af SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
| * 319ed0cb NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
| * 809684f5 SUNRPC: Add an IS_ERR() check back to where it was
| * 46d6b768 SUNRPC: ECONNRESET might require a rebind
| * a7032d4d media: cec: meson: always include meson sub-directory in Makefile
| * 16e78f28 media: cadence: csi2rx: Unregister v4l2 async notifier
| * 20c2ca9a sched/core: Optimize in_task() and in_interrupt() a bit
| * 9894c58c tracing/perf: Add interrupt_context_level() helper
| * 48fef664 tracing: Reuse logic from perf's get_recursion_context()
| * 670b3e90 wifi: iwlwifi: Use FW rate for non-data frames
| * a7ee519e pwm: Fix double shift bug
| * 7054366c drm/amdgpu: fix software pci_unplug on some chips
| * e48a5e78 drm/qxl: prevent memory leak
| * 0835e7f2 ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings
| * 38ada2f3 i2c: dev: copy userspace array safely
| * 61024498 kgdb: Flush console before entering kgdb on panic
| * 4e497f1a drm/amd/display: Avoid NULL dereference of timing generator
| * 5e0b788f media: imon: fix access to invalid resource for the second interface
| * ae6bcafe media: ccs: Fix driver quirk struct documentation
| * d01b0ad7 media: cobalt: Use FIELD_GET() to extract Link Width
| * 03ce0655 gfs2: fix an oops in gfs2_permission
| * 5bfda356 gfs2: ignore negated quota changes
| * 16631907 media: vivid: avoid integer overflow
| * 09cd8b56 media: gspca: cpia1: shift-out-of-bounds in set_flicker
| * 39c71357 i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.
| * 72775cad virtio-blk: fix implicit overflow on virtio_max_dma_size
| * f7f3bdb2 i2c: sun6i-p2wi: Prevent potential division by zero
| * d23ad76f i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler
| * e6fbad3c 9p: v9fs_listxattr: fix %s null argument warning
| * a18be976 9p/trans_fd: Annotate data-racy writes to file::f_flags
| * 2cc5e191 usb: gadget: f_ncm: Always set current gadget in ncm_bind()
| * 6c80f489 tty: vcc: Add check for kstrdup() in vcc_probe()
| * 2ff61106 exfat: support handle zero-size directory
| * c86a3007 HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
| * 3453f945 PCI: Use FIELD_GET() in Sapphire RX 5600 XT Pulse quirk
| * 0a93a0f9 misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller
| * 03dbd6a9 PCI: Disable ATS for specific Intel IPU E2000 devices
| * a9a0b344 PCI: Extract ATS disabling to a helper function
| * fe511d24 PCI: Use FIELD_GET() to extract Link Width
| * 56d78b54 scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()
| * 37a51e7f atm: iphase: Do PCI error checks on own line
| * f05ae001 PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields
| * 631a96e9 ALSA: hda: Fix possible null-ptr-deref when assigning a stream
| * 1c805b9c ARM: 9320/1: fix stack depot IRQ stack filter
| * 8d25ec69 HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround
| * 64f062ba jfs: fix array-index-out-of-bounds in diAlloc
| * da3da5e1 jfs: fix array-index-out-of-bounds in dbFindLeaf
| * 1f74d336 fs/jfs: Add validity check for db_maxag and db_agpref
| * 5f148b16 fs/jfs: Add check for negative db_l2nbperpage
| * e1d1f79b scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool
| * f0bfc8a5 scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs
| * 5904dee7 RDMA/hfi1: Use FIELD_GET() to extract Link Width
| * 546c1796 crypto: pcrypt - Fix hungtask for PADATA_RESET
| * bc443a19 ASoC: soc-card: Add storage for PCI SSID
| * 9f208206 selftests/efivarfs: create-read: fix a resource leak
| * 428cad17 arm64: dts: ls208xa: use a pseudo-bus to constrain usb dma size
| * 174f62a0 drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
| * 3f7a400d drm/amdkfd: Fix shift out-of-bounds issue
| * 300589d5 drm/panel: st7703: Pick different reset sequence
| * eaa03ea3 drm/amdgpu/vkms: fix a possible null pointer dereference
| * 84c923d8 drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference
| * 2381f6b6 drm/panel: fix a possible null pointer dereference
| * c11cf5e1 drm/amdgpu: Fix potential null pointer derefernce
| * a237675a drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
| * acdb6830 drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
| * 829ce8e9 drm/msm/dp: skip validity check for DP CTS EDID checksum
| * 689b33b9 drm: vmwgfx_surface.c: copy user-array safely
| * 22260dab kernel: watch_queue: copy user-array safely
| * d4f2c09d kernel: kexec: copy user-array safely
| * 24b17d53 string.h: add array-wrappers for (v)memdup_user()
| * 3a3a6dc9 drm/amd/display: use full update for clip size increase of large plane source
| * 7d43cdd2 drm/amdkfd: Fix a race condition of vram buffer unref in svm code
| * eea81424 drm/komeda: drop all currently held locks if deadlock happens
| * 81288686 platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
| * ba708876 Bluetooth: Fix double free in hci_conn_cleanup
| * f9de14bd Bluetooth: btusb: Add date->evt_skb is NULL check
| * a43cf6ac wifi: ath10k: Don't touch the CE interrupt registers after power up
| * 6f42bd24 net: annotate data-races around sk->sk_dst_pending_confirm
| * 19ab5fd2 net: annotate data-races around sk->sk_tx_queue_mapping
| * f3be63f7 wifi: ath10k: fix clang-specific fortify warning
| * 02a0547b wifi: ath9k: fix clang-specific fortify warnings
| * cf353904 bpf: Detect IP == ksym.end as part of BPF program
| * c29a89b2 atl1c: Work around the DMA RX overflow issue
| * 21a0f310 wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
| * 3073e380 wifi: mac80211_hwsim: fix clang-specific fortify warning
| * e8e55fa4 x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
| * f9d3ba62 workqueue: Provide one lock class key per work_on_cpu() callsite
| * 0a5b512d clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
| * 465b88c0 clocksource/drivers/timer-imx-gpt: Fix potential memory leak
| * fd0df3f8 perf/core: Bail out early if the request AUX area is out of bound
| * e89d0ed4 locking/ww_mutex/test: Fix potential workqueue corruption
* | 05ef4ccb Revert "ipvlan: properly track tx_errors"
* | 716f17fa Revert "mfd: core: Un-constify mfd_cell.of_reg"
* | 6c57c70e Revert "inet: shrink struct flowi_common"
* | 11c2b46b Revert "arm64/arm: xen: enlighten: Fix KPTI checks"
* |   6f432499 Merge "Merge 5.15.139 into android13-5.15-lts" into android13-5.15-lts
|\ \
| * | 66a4ba38 Merge 5.15.139 into android13-5.15-lts
| |\|
| | * 2a910f4a Linux 5.15.139
| | * 3443337a btrfs: use u64 for buffer sizes in the tree search ioctls
| | * f9f5e8ce Revert "mmc: core: Capture correct oemid-bits for eMMC cards"
| | * 824829c2 tracing/kprobes: Fix the order of argument descriptions
| | * 560680f7 fbdev: fsl-diu-fb: mark wr_reg_wa() static
| | * 8e4b510f fbdev: imsttfb: fix a resource leak in probe
| | * 36485821 fbdev: imsttfb: Fix error path of imsttfb_probe()
| | * 30959f9f spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies
| | * 9cf044cc ASoC: hdmi-codec: register hpd callback on component probe
| | * 705e5a28 drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE
| | * 0ca05fae netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
| | * 1652f57f netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate eval call-backs
| | * d28c17ab netfilter: xt_recent: fix (increase) ipv6 literal buffer length
| | * f30567fc i2c: iproc: handle invalid slave state
| | * 38f5ac54 r8169: respect userspace disabling IFF_MULTICAST
| | * fd01115b blk-core: use pr_warn_ratelimited() in bio_check_ro()
| | * b8014871 block: remove unneeded return value of bio_check_ro()
| | * d8d94d6b tg3: power down device only on SYSTEM_POWER_OFF
| | * 5ea06a23 net/smc: put sk reference if close work was canceled
| | * 884606f8 net/smc: allow cdc msg send rather than drop it with NULL sndbuf_desc
| | * a62af714 net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
| | * 86660682 selftests: pmtu.sh: fix result checking
| | * 2d117ac1 net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs
| | * 95a99ac1 Fix termination state for idr_for_each_entry_ul()
| | * 70ef755f net: r8169: Disable multicast filter for RTL8168H and RTL8107E
| | * 0dad0e75 dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
| | * c340713b dccp: Call security_inet_conn_request() after setting IPv4 addresses.
| | * d1b7e656 octeontx2-pf: Fix holes in error code
| | * f60297ef octeontx2-pf: Fix error codes
| | * 794d360b inet: shrink struct flowi_common
| | * 8943083b bpf: Check map->usercnt after timer->timer is assigned
| | * 3907b89c tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
| | * a1a485e4 hsr: Prevent use after free in prp_create_tagged_frame()
| | * 352887b3 llc: verify mac len before reading mac header
| | * 303766bb Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
| | * 741e4c15 pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
| | * 895ac9a2 pwm: sti: Reduce number of allocations and drop usage of chip_data
| | * db64dddd regmap: prevent noinc writes from clobbering cache
| | * 004d4002 media: dvb-usb-v2: af9035: fix missing unlock
| | * a0beda18 media: cedrus: Fix clock/reset sequence
| | * 980be4c3 media: vidtv: mux: Add check and kfree for kstrdup
| | * d17269fb media: vidtv: psi: Add check for kstrdup
| | * db89f551 media: s3c-camif: Avoid inappropriate kfree()
| | * 51c94256 media: bttv: fix use after free error due to btv->timeout timer
| | * d3937f9e media: i2c: max9286: Fix some redundant of_node_put() calls
| | * 9d060f2f pcmcia: ds: fix possible name leak in error path in pcmcia_device_add()
| | * 24e9df58 pcmcia: ds: fix refcount leak in pcmcia_device_add()
| | * 24e73ab5 pcmcia: cs: fix possible hung task and memory leak pccardd()
| | * b3eaa0d4 rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call
| | * 20bd0198 cxl/mem: Fix shutdown order
| | * d48fe8d9 i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs
| | * 855d6fb2 9p/net: fix possible memory leak in p9_check_errors()
| | * 0d456eba perf hist: Add missing puts to hist__account_cycles
| | * 924e8d0b perf machine: Avoid out of bounds LBR memory read
| | * 76b0eab9 usb: host: xhci-plat: fix possible kernel oops while resuming
| | * c9c4dab0 xhci: Loosen RPM as default policy to cover for AMD xHC 1.1
| | * 92c9ef15 powerpc/pseries: fix potential memory leak in init_cpu_associativity()
| | * 516235e7 powerpc/imc-pmu: Use the correct spinlock initializer.
| | * 945dc61d powerpc/xive: Fix endian conversion size
| | * bce31a2b powerpc/40x: Remove stale PTE_ATOMIC_UPDATES macro
| | * 1308e55e modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host
| | * 863a9c3f powerpc: Only define __parse_fpscr() when required
| | * 01f62c6b f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
| | * dfebea71 dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
| | * 72f8fa6c USB: usbip: fix stub_dev hub disconnect
| | * 168697f1 tools: iio: iio_generic_buffer ensure alignment
| | * a61c3c64 misc: st_core: Do not call kfree_skb() under spin_lock_irqsave()
| | * 732aa0cb dmaengine: ti: edma: handle irq_of_parse_and_map() errors
| | * 2941a29f usb: chipidea: Simplify Tegra DMA alignment code
| | * 58e8316b usb: chipidea: Fix DMA overwrite for Tegra
| | * fcaafb57 usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
| | * c956be56 dmaengine: idxd: Register dsa_bus_type before registering idxd sub-drivers
| | * ca46d7ce livepatch: Fix missing newline character in klp_resolve_symbols()
| | * b77f7c02 tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
| | * e9f598a5 f2fs: compress: fix to avoid redundant compress extension
| | * 8c4504cc f2fs: compress: fix to avoid use-after-free on dic
| | * ca0aae38 leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
| | * 206a9725 leds: pwm: Don't disable the PWM when the LED should be off
| | * 893eedf5 leds: turris-omnia: Do not use SMBUS calls
| | * aec37069 leds: turris-omnia: Drop unnecessary mutex locking
| | * c9a4f13c mfd: arizona-spi: Set pdata.hpdet_channel for ACPI enumerated devs
| | * 63a99d7b mfd: dln2: Fix double put in dln2_probe
| | * 2742c860 mfd: core: Ensure disabled devices are skipped without aborting
| | * 94eb5423 mfd: core: Un-constify mfd_cell.of_reg
| | * 8890d4d5 ASoC: ams-delta.c: use component after check
| | * a2ae48bd crypto: qat - fix deadlock in backlog processing
| | * 0dd34a7a padata: Fix refcnt handling in padata_free_shell()
| | * 93e4aa85 ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
| | * cd1c2df6 HID: logitech-hidpp: Move get_wireless_feature_index() check to hidpp_connect_event()
| | * 99893b7c HID: logitech-hidpp: Revert "Don't restart communication if not necessary"
| | * 5f2f3860 HID: logitech-hidpp: Don't restart IO, instead defer hid_connect() only
| | * 1f80041c HID: logitech-hidpp: Remove HIDPP_QUIRK_NO_HIDINPUT quirk
| | * d3b196a1 Revert "HID: logitech-hidpp: add a module parameter to keep firmware gestures"
| | * 6885e5ff sh: bios: Revive earlyprintk support
| | * b0c25e95 hid: cp2112: Fix IRQ shutdown stopping polling for all IRQs on chip
| | * d06dc0f9 RDMA/hfi1: Workaround truncation compilation error
| | * 086cd442 scsi: ufs: core: Leave space for '\0' in utf8 desc string
| | * a0f19990 ASoC: fsl: Fix PM disable depth imbalance in fsl_easrc_probe
| | * 904fc010 RDMA/hns: The UD mode can only be configured with DCQCN
| | * 9f8db02d RDMA/hns: Fix signed-unsigned mixed comparisons
| | * 2de683e2 RDMA/hns: Fix uninitialized ucmd in hns_roce_create_qp_common()
| | * 611260e3 IB/mlx5: Fix rdma counter binding for RAW QP
| | * 922b2693 ASoC: fsl: mpc5200_dma.c: Fix warning of Function parameter or member not described
| | * 001f90cd ext4: move 'ix' sanity check to corrent position
| | * c24a3c9e ARM: 9321/1: memset: cast the constant byte to unsigned char
| | * 012d0c66 hid: cp2112: Fix duplicate workqueue initialization
| | * 1ce09238 crypto: qat - increase size of buffers
| | * 62df66b7 crypto: caam/jr - fix Chacha20 + Poly1305 self test failure
| | * 61f25d46 crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure
| | * 66eb7b7f nd_btt: Make BTT lanes preemptible
| | * 6563e0f7 libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value
| | * d4ad0c1a scsi: ibmvfc: Fix erroneous use of rtas_busy_delay with hcall return code
| | * b79c7d68 RDMA/core: Use size_{add,sub,mul}() in calls to struct_size()
| | * a5c83c80 hwrng: geode - fix accessing registers
| | * a8607725 crypto: hisilicon/hpre - Fix a erroneous check after snprintf()
| | * b01b9dc5 selftests/resctrl: Ensure the benchmark commands fits to its array
| | * 2d2300fc selftests/pidfd: Fix ksft print formats
| | * 8bc9c944 arm64: dts: imx8mn: Add sound-dai-cells to micfil node
| | * 1abd6584 arm64: dts: imx8mm: Add sound-dai-cells to micfil node
| | * cf7abb54 arm64: dts: imx8qm-ss-img: Fix jpegenc compatible entry
| | * 8704bf18 clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped
| | * bdb0428a firmware: arm_ffa: Assign the missing IDR allocation ID to the FFA device
| | * b0ffdc16 firmware: ti_sci: Mark driver as non removable
| | * 995ee1e8 soc: qcom: llcc: Handle a second device without data corruption
| | * 19b8098f ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
| | * a8ab88f8 arm64: dts: qcom: apq8016-sbc: Add missing ADV7533 regulators
| | * ddc0df81 ARM64: dts: marvell: cn9310: Use appropriate label for spi1 pins
| | * 12d9de01 arm64: dts: qcom: sdm845-mtp: fix WiFi configuration
| | * 690b8925 arm64: dts: qcom: sc7280: Add missing LMH interrupts
| | * 2a4cce41 arm64: dts: qcom: msm8992-libra: drop duplicated reserved memory
| | * eb9daf47 arm64: dts: qcom: msm8916: Fix iommu local address range
| | * 541640dc ARM: dts: renesas: blanche: Fix typo in GP_11_2 pin name
| | * 0e1e88bb perf: hisi: Fix use-after-free when register pmu fails
| | * 4067d39f drm: mediatek: mtk_dsi: Fix NO_EOT_PACKET settings/handling
| | * a6a6f70a drm/msm/dsi: use msm_gem_kernel_put to free TX buffer
| | * aea6f32a xen-pciback: Consider INTx disabled when MSI/MSI-X is enabled
| | * e588ca45 drm/rockchip: Fix type promotion bug in rockchip_gem_iommu_map()
| | * a00a293d arm64/arm: xen: enlighten: Fix KPTI checks
| | * d0d01bb4 drm/bridge: lt9611uxc: fix the race in the error path
| | * 29aba28e drm/bridge: lt9611uxc: Register and attach our DSI device at probe
| | * f53a0457 drm/bridge: lt9611uxc: Switch to devm MIPI-DSI helpers
| | * 517a5137 drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
| | * 865ccd4c drm/mediatek: Fix iommu fault during crtc enabling
| | * 8e3c8253 drm/mediatek: Fix iommu fault by swapping FBs after updating plane state
| | * e11e339f drm/amdkfd: fix some race conditions in vram buffer alloc/free of svm code
| | * 30cb99e0 drm/bridge: tc358768: Fix bit updates
| | * 1cd4ae68 drm/bridge: tc358768: Disable non-continuous clock mode
| | * c13591b8 drm/bridge: tc358768: Fix use of uninitialized variable
| | * d78bddd9 drm/bridge: lt8912b: Add missing drm_bridge_attach call
| | * 5cc2bc51 drm/bridge: lt8912b: Manually disable HPD only if it was enabled
| | * 42071fea drm/bridge: lt8912b: Fix crash on bridge detach
| | * d9217286 drm/bridge: lt8912b: Fix bridge_detach
| | * cc305795 drm/bridge: lt8912b: Add hot plug detection
| | * ef4a4095 drm/bridge: lt8912b: Register and attach our DSI device at probe
| | * 3580b8a0 drm/bridge: lt8912b: Switch to devm MIPI-DSI helpers
| | * 52541851 drm/mipi-dsi: Create devm device attachment
| | * a20d6ecd drm/mipi-dsi: Create devm device registration
| | * 347f025a drm/radeon: possible buffer overflow
| | * b163b371 drm/rockchip: vop: Fix call to crtc reset helper
| | * 9a96bed1 drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
| | * 1b0bc99c hwmon: (coretemp) Fix potentially truncated sysfs attribute name
| | * b3e7eb23 hwmon: (axi-fan-control) Fix possible NULL pointer dereference
| | * e0bf076b platform/x86: wmi: Fix opening of char device
| | * c57e81d5 platform/x86: wmi: remove unnecessary initializations
| | * 2ca4e461 platform/x86: wmi: Fix probe failure when failing to register WMI devices
| | * f75e11f5 clk: qcom: config IPQ_APSS_6018 should depend on QCOM_SMEM
| | * d1175cf4 clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
| | * e964d21d clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data
| | * c4070ada clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data
| | * 3aefc6fc clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
| | * ca6d565a clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data
| | * 533ca515 clk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data
| | * e531e4e7 clk: npcm7xx: Fix incorrect kfree
| | * 761c2a69 clk: ti: fix double free in of_ti_divider_clk_setup()
| | * 1c37faca clk: ti: change ti_clk_register[_omap_hw]() API
| | * 28b72fba clk: ti: Update component clocks to use ti_dt_clk_name()
| | * c4bffed2 clk: ti: Update pll and clockdomain clocks to use ti_dt_clk_name()
| | * 9b5e9d8b clk: ti: Add ti_dt_clk_name() helper to use clock-output-names
| | * f45fff80 clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
| | * 7ff8ca9b spi: nxp-fspi: use the correct ioremap function
| | * 26206c85 clk: renesas: rzg2l: Fix computation formula
| | * 1966bf2a clk: renesas: rzg2l: Use FIELD_GET() for PLL register fields
| | * 7ece2efa clk: renesas: rzg2l: Simplify multiplication/shift logic
| | * e2239f71 clk: imx: imx8qxp: Fix elcdif_pll clock
| | * 7d416973 clk: imx: imx8mq: correct error handling path
| | * 608ebb09 clk: imx: Select MXC_CLK for CLK_IMX8QXP
| | * 8861b292 clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src
| | * 76e8f00f clk: qcom: mmcc-msm8998: Fix the SMMU GDSC
| | * 56c4bb46 clk: qcom: mmcc-msm8998: Don't check halt bit on some branch clks
| | * 0881d24c clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
| | * b64683f5 spi: tegra: Fix missing IRQ check in tegra_slink_probe()
| | * b13e8b38 regmap: debugfs: Fix a erroneous check after snprintf()
| | * 8fafac40 ipvlan: properly track tx_errors
| | * 3eedc19a net: add DEV_STATS_READ() helper
| | * 359bce81 ipv6: avoid atomic fragment on GSO packets
| | * 6b413d52 ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
| | * 32aaa3b9 wifi: iwlwifi: empty overflow queue during flush
| | * 0e3ad00b wifi: iwlwifi: pcie: synchronize IRQs before NAPI
| | * a8ebe549 wifi: iwlwifi: call napi_synchronize() before freeing rx/tx queues
| | * 627a3b3f iwlwifi: pcie: adjust to Bz completion descriptor
| | * 0d91506a tcp: fix cookie_init_timestamp() overflows
| | * 4f6e904e chtls: fix tp->rcv_tstamp initialization
| | * 5d7bec7a r8169: fix rare issue with broken rx after link-down on RTL8125
| | * e143a3c8 r8169: use tp_to_dev instead of open code
| | * 3a8f4e58 thermal: core: prevent potential string overflow
| | * bfd4ed49 netfilter: nf_tables: Drop pointless memset when dumping rules
| | * 80986257 PM / devfreq: rockchip-dfi: Make pmu regmap mandatory
| | * 826120c9 can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
| | * 28e9e015 can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on()
| | * ada4dc47 can: dev: can_restart(): don't crash kernel if carrier is OK
| | * d4eb4182 wifi: rtlwifi: fix EDCA limit set by BT coexistence
| | * 2027e741 tcp_metrics: do not create an entry from tcp_init_metrics()
| | * 3f7cb7c4 tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
| | * ca7b6fa9 tcp_metrics: add missing barriers on delete
| | * 227709a0 wifi: mt76: mt7603: improve stuck beacon handling
| | * eab5b0aa mt76: pass original queue id from __mt76_tx_queue_skb to the driver
| | * 75336a76 mt76: add support for overriding the device used for DMA mapping
| | * 77b2ab5c mt76: dma: use kzalloc instead of devm_kzalloc for txwi
| | * 064b32f1 wifi: mt76: mt7603: rework/fix rx pse hang check
| | * 1afbb9ec wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
| | * ebcbf5f5 net: spider_net: Use size_add() in call to struct_size()
| | * 56e7424c tipc: Use size_add() in calls to struct_size()
| | * 3e51efcb mlxsw: Use size_mul() in call to struct_size()
| | * dc3fef31 gve: Use size_add() in call to struct_size()
| | * 70f032db tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed
| | * a2d540c7 udp: add missing WRITE_ONCE() around up->encap_rcv
| | * 8f7eef3a selftests/bpf: Correct map_fd to data_fd in tailcalls
| | * 3eefb2fb selftests/bpf: Test tail call counting with bpf2bpf and data on stack
| | * ab91992e i40e: fix potential memory leaks in i40e_remove()
| | * 70274237 genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
| | * 379b120e pstore/platform: Add check for kstrdup
| | * 81b8638e x86/boot: Fix incorrect startup_gdt_descr.size
| | * c7e8c745 x86/sev-es: Allow copy_from_kernel_nofault() in earlier boot
| | * 0b5da8ce x86: Share definition of __is_canonical_address()
| | * 90b263db futex: Don't include process MM in futex key on no-MMU
| | * f0d6e584 x86/srso: Fix SBPB enablement for (possible) future fixed HW
| | * 565f9337 writeback, cgroup: switch inodes with dirty timestamps to release dying cgwbs
| | * 2bb46b20 vfs: fix readahead(2) on block devices
| | * 20195f87 sched: Fix stop_one_cpu_nowait() vs hotplug
| | * 13cde955 sched/uclamp: Ignore (util == 0) optimization in feec() when p_util_max = 0
| | * cc6198ff iov_iter, x86: Be consistent about the __user tag on copy_mc_to_user()
* | | b1355f16 ANDROID: sort Bazel load statements
* | | 0e7c7966 ANDROID: GKI: db845c: Update symbols list and ABI on rpmsg_register_device_override
|/ /
* | eb99a642 Merge branch 'android13-5.15' into branch 'android13-5.15-lts'
* | 30b8daf0 ANDROID: fix up rpmsg_device ABI break
* | 858ee7de ANDROID: fix up platform_device ABI break
* | 4ba2bb27 Revert "kasan: print the original fault addr when access invalid shadow"
* | 60f7a6c4 Merge 5.15.138 into android13-5.15-lts
|/
* 80529b49 Linux 5.15.138
* 3d8344a7 ALSA: hda: intel-dsp-config: Fix JSL Chromebook quirk detection
* f049c0c0 misc: pci_endpoint_test: Add deviceID for J721S2 PCIe EP device support
* 28b8ad8c tty: 8250: Add Brainboxes Oxford Semiconductor-based quirks
* 44c4dfac tty: 8250: Add support for Intashield IX cards
* d541ccb3 tty: 8250: Add support for additional Brainboxes PX cards
* 60debc01 tty: 8250: Fix up PX-803/PX-857
* 1f5649ae tty: 8250: Fix port count of PX-257
* 3fe3cc63 tty: 8250: Add support for Intashield IS-100
* a5b6390f tty: 8250: Add support for Brainboxes UP cards
* 738fe41b tty: 8250: Add support for additional Brainboxes UC cards
* ff6059c3 tty: 8250: Remove UC-257 and UC-431
* 81a4dd5e tty: n_gsm: fix race condition in status line change on dead connections
* e2519774 usb: raw-gadget: properly handle interrupted requests
* e5f53a68 usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()
* 7c4855b2 usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility
* c48aae53 PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
* 6628c362 drm/amd: Disable ASPM for VI w/ all Intel systems
* b6c3c778 drm/amd: Move helper for dynamic speed switch check out of smu13
* 9015169f can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior
* d72ff647 can: isotp: isotp_bind(): do not validate unused address information
* e163ad6a can: isotp: add local echo tx processing and tx without FC
* b4e78ea2 can: isotp: handle wait_event_interruptible() return values
* 2fc6f337 can: isotp: check CAN address family in isotp_bind()
* f8c3bd21 can: isotp: isotp_bind(): return -EINVAL on incorrect CAN ID formatting
* 615c4dd6 can: isotp: set max PDU size to 64 kByte
* 6627b968 powerpc/mm: Fix boot crash with FLATMEM
* f0f99864 r8152: Check for unplug in r8153b_ups_en() / r8153c_ups_en()
* 78c939a8 r8152: Check for unplug in rtl_phy_patch_request()
* 51cc28ce net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
* bbc92619 platform/mellanox: mlxbf-tmfifo: Fix a warning message
* db4416ea scsi: mpt3sas: Fix in error path
* d48b2e81 fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
* e39440c3 drm/ttm: Reorder sys manager cleanup step
* aade33d3 ASoC: rt5650: fix the wrong result of key button
* fa32e21c netfilter: nfnetlink_log: silence bogus compiler warning
* dfcbb983 spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0
* 64ae128b fs/ntfs3: Avoid possible memory leak
* 27a0bed1 fs/ntfs3: Fix directory element type detection
* 94524980 fs/ntfs3: Fix NULL pointer dereference on error in attr_allocate_frame()
* 2de32839 fs/ntfs3: Fix possible NULL-ptr-deref in ni_readpage_cmpr()
* 962a3d3d fs/ntfs3: Use kvmalloc instead of kmalloc(... __GFP_NOWARN)
* 393966e7 fs/ntfs3: Write immediately updated ntfs state
* 59e629fc fs/ntfs3: Add ckeck in ni_update_parent()
* 738a3adc fbdev: atyfb: only use ioremap_uc() on i386 and ia64
* afef8af9 Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
* abc62fc0 powerpc/85xx: Fix math emulation exception
* 4bdde4dc dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
* 39d2c103 irqchip/stm32-exti: add missing DT IRQ flag translation
* c57aef90 irqchip/riscv-intc: Mark all INTC nodes as initialized
* eb99b6e2 net: sched: cls_u32: Fix allocation size in u32_init()
* 5e78ebe7 ASoC: simple-card: fixup asoc_simple_probe() error handling
* 65fd21aa x86: Fix .brk attribute in linker script
* d4c8bf56 rpmsg: Fix possible refcount leak in rpmsg_register_device_override()
* a82e0fda rpmsg: glink: Release driver_override
* bfd4a664 rpmsg: Fix calling device_lock() on non-initialized device
* 2e76b4f6 rpmsg: Fix kfree() of static memory on setting driver_override
* 5c0da718 rpmsg: Constify local variable in field store macro
* 389190b2 driver: platform: Add helper for safer setting of driver_override
* 37ffa428 objtool/x86: add missing embedded_insn check
* f031e15d ext4: avoid overlapping preallocations due to overflow
* f2c3a3aa ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
* 7a992726 ext4: add two helper functions extent_logical_end() and pa_logical_end()
* 9e78e770 x86/mm: Fix RESERVE_BRK() for older binutils
* d3201c71 x86/mm: Simplify RESERVE_BRK()
* 897b56ac x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility
* 77db87c4 gve: Fix GFP flags when allocing pages
* 8b424bdf iio: afe: rescale: Accept only offset channels
* c1eeb494 iio: afe: rescale: add offset support
* 7c76b7db iio: afe: rescale: expose scale processing function
* c6067150 iio: afe: rescale: reorder includes
* 27dd09f5 clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name
* c27ca4ae sparc32: fix a braino in fault handling in csum_and_copy_..._user()
* 21b07a2e perf/core: Fix potential NULL deref
* 6efd4980 nvmem: imx: correct nregs for i.MX6UL
* 0c294811 nvmem: imx: correct nregs for i.MX6SLL
* 6e22bf6f00d5 nvmem: imx: correct nregs for i.MX6ULL
* e0f95b831b4a misc: fastrpc: Clean buffers on remote invocation failures
* c4957f00f9e2 tracing/kprobes: Fix the description of variable length arguments
* cdc57093b470 i2c: aspeed: Fix i2c bus hang in slave read
* e97d374a2506 i2c: stm32f7: Fix PEC handling in case of SMBUS transfers
* 2766a872103b i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()
* 48b58f7469e5 i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()
* cb65e692765b i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()
* eace761f35a1 iio: adc: xilinx-xadc: Correct temperature offset/scale for UltraScale
* 70322a446ef2 iio: adc: xilinx-xadc: Don't clobber preset voltage/temperature thresholds
* 3c1312b5d49a iio: exynos-adc: request second interupt only when touchscreen mode is used
* 4e14f2d5885f kasan: print the original fault addr when access invalid shadow
* bdfa4fa7588d i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
* d5c175f4cea6 gtp: fix fragmentation needed check with gso
* c0dad0c0924c gtp: uapi: fix GTPA_MAX
* 852fb4ce426d tcp: fix wrong RTO timeout when received SACK reneging
* 83cfa3b51a78 r8152: Release firmware if we have an error in probe
* e0f9231ccd6c r8152: Cancel hw_phy_work if we have an error in probe
* ff42b0a55659 r8152: Run the unload routine if we have errors during probe
* 6fa3b9f9478e r8152: Increase USB control msg timeout to 5000ms as per spec
* 76873f2eadc0 net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg
* 6afd112c3f95 net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show()
* 46cd35e4e774 igc: Fix ambiguity in the ethtool advertising
* 49529413eaed neighbour: fix various data-races
* 667554946360 igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
* 263421905346 treewide: Spelling fix in comment
* bc0c4bc119d2 i40e: Fix I40E_FLAG_VF_VLAN_PRUNING value
* c532c5df01ad r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1
* 6afb294c88c6 r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1
* 9d7b3838428c r8169: fix the KCSAN reported data-race in rtl_tx() while reading tp->cur_tx
* 04dbfa4122e0 firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels()
* 0d587b86cd0d drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
* 8860f0175e51 vsock/virtio: initialize the_virtio_vsock before using VQs
* 762c251c7f5c vsock/virtio: add support for device suspend/resume
* 1e02df6f6907 vsock/virtio: factor our the code to initialize and delete VQs
* 15a8cac3c250 drm/i915/pmu: Check if pmu is closed before stopping event
* 43bd431a5dd9 nfsd: lock_rename() needs both directories to live on the same fs
* 556b68d9b95f mm/migrate: fix do_pages_move for compat pointers
* c4071c6114de mm/page_alloc: correct start page when guard page debug is enabled
* 3a6cee2bfb53 vhost: Allow null msg.size on VHOST_IOTLB_INVALIDATE
* fbc9a8718f31 virtio-mmio: fix memory leak of vm_dev
* 862a356bc986 virtio_balloon: Fix endless deflation and inflation on arm64
* 41bb770e42bc mcb-lpc: Reallocate memory region to avoid memory overlapping
* f2ac8b2643dd mcb: Return actual parsed size when reading chameleon table
* 90918ef995b5 mptcp: more conservative check for zero probes
* fd2b2dab6f5b tcp: cleanup tcp_remove_empty_skb() use
* 68342755b9b2 tcp: remove dead code from tcp_sendmsg_locked()
* 0f482ad7b1a5 pinctrl: qcom: lpass-lpi: fix concurrent register updates
* 51b054f6fe01 ASoC: codecs: wcd938x: fix runtime PM imbalance on remove
* cb34f4e79e54 ASoC: codecs: wcd938x: fix resource leaks on bind errors

Update the .xml for the abi preservation changes:

type 'struct prefix_info' changed
  member 'union { __u8 flags; struct { __u8 reserved; __u8 autoconf; __u8 onlink; }; }' was added
  member '__u8 reserved' was removed
  member '__u8 autoconf' was removed
  member '__u8 onlink' was removed

Change-Id: I94dee98bf0510ffa8f43169badcbf425f16846bd
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

Adding kernfs_rwsem in kernfs_root breaks the ABI unfortunately
since it changes the size of kernfs_root structure.
To fix the issue, this patch introduces new data structure
kernfs_root_ext which includes kernfs_root with kernfs_rwsem to
avoid increasing kernfs_root'size. It also introduces kernfs_rwsem
wrapper function to reach kernfs_rwsem from kernfs_root to minimize
change.

Bug: 320903885
Bug: 219424218
Bug: 206126556
Signed-off-by: Minchan Kim <minchan@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Iabaad9623e9a101210073db3106c93f06847a8b3

kernfs_remove supported NULL kernfs_node param to bail out but revent
per-fs lock change introduced regression that dereferencing the
param without NULL check so kernel goes crash.

This patch checks the NULL kernfs_node in kernfs_remove and if so,
just return.

Quote from bug report by Jirka

```
The bug is triggered by running NAS Parallel benchmark suite on
SuperMicro servers with 2x Xeon(R) Gold 6126 CPU. Here is the error
log:

[  247.035564] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  247.036009] #PF: supervisor read access in kernel mode
[  247.036009] #PF: error_code(0x0000) - not-present page
[  247.036009] PGD 0 P4D 0
[  247.036009] Oops: 0000 [#1] PREEMPT SMP PTI
[  247.058060] CPU: 1 PID: 6546 Comm: umount Not tainted
5.16.0393c3714081a53795bbff0e985d24146def6f57f+ #16
[  247.058060] Hardware name: Supermicro Super Server/X11DDW-L, BIOS
2.0b 03/07/2018
[  247.058060] RIP: 0010:kernfs_remove+0x8/0x50
[  247.058060] Code: 4c 89 e0 5b 5d 41 5c 41 5d 41 5e c3 49 c7 c4 f4
ff ff ff eb b2 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 1f 44 00 00
41 54 55 <48> 8b 47 08 48 89 fd 48 85 c0 48 0f 44 c7 4c 8b 60 50 49 83
c4 60
[  247.058060] RSP: 0018:ffffbbfa48a27e48 EFLAGS: 00010246
[  247.058060] RAX: 0000000000000001 RBX: ffffffff89e31f98 RCX: 0000000080200018
[  247.058060] RDX: 0000000080200019 RSI: fffff6760786c900 RDI: 0000000000000000
[  247.058060] RBP: ffffffff89e31f98 R08: ffff926b61b24d00 R09: 0000000080200018
[  247.122048] R10: ffff926b61b24d00 R11: ffff926a8040c000 R12: ffff927bd09a2000
[  247.122048] R13: ffffffff89e31fa0 R14: dead000000000122 R15: dead000000000100
[  247.122048] FS:  00007f01be0a8c40(0000) GS:ffff926fa8e40000(0000)
knlGS:0000000000000000
[  247.122048] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  247.122048] CR2: 0000000000000008 CR3: 00000001145c6003 CR4: 00000000007706e0
[  247.122048] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  247.122048] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  247.122048] PKRU: 55555554
[  247.122048] Call Trace:
[  247.122048]  <TASK>
[  247.122048]  rdt_kill_sb+0x29d/0x350
[  247.122048]  deactivate_locked_super+0x36/0xa0
[  247.122048]  cleanup_mnt+0x131/0x190
[  247.122048]  task_work_run+0x5c/0x90
[  247.122048]  exit_to_user_mode_prepare+0x229/0x230
[  247.122048]  syscall_exit_to_user_mode+0x18/0x40
[  247.122048]  do_syscall_64+0x48/0x90
[  247.122048]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  247.122048] RIP: 0033:0x7f01be2d735b
```

Link: https://bugzilla.kernel.org/show_bug.cgi?id=215696
Link: https://lore.kernel.org/lkml/CAE4VaGDZr_4wzRn2___eDYRtmdPaGGJdzu_LCSkJYuY9BEO3cw@mail.gmail.com/


Fixes: 393c3714 (kernfs: switch global kernfs_rwsem lock to per-fs lock)
Cc: stable@vger.kernel.org
Reported-by: Jirka Hladky <jhladky@redhat.com>
Tested-by: Jirka Hladky <jhladky@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Link: https://lore.kernel.org/r/20220427172152.3505364-1-minchan@kernel.org


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

(cherry picked from commit ad8d8693)

Bug: 320903885
Bug: 219424218
Bug: 206126556
Change-Id: I5b0a491231ee8913b7f522f22349c22ba0e07d88
Signed-off-by: Suren Baghdasaryan <surenb@google.com>

Marek reported the warning below.

  =========================
  WARNING: held lock freed!
  5.16.0-rc2+ #10984 Not tainted
  -------------------------
  kworker/1:0/18 is freeing memory ffff00004034e200-ffff00004034e3ff,
with a lock still held there!
  ffff00004034e348 (&root->kernfs_rwsem){++++}-{3:3}, at:
__kernfs_remove+0x310/0x37c
  3 locks held by kworker/1:0/18:
   #0: ffff000040107938 ((wq_completion)cgroup_destroy){+.+.}-{0:0}, at:
process_one_work+0x1f0/0x6f0
   #1: ffff80000b55bdc0
((work_completion)(&(&css->destroy_rwork)->work)){+.+.}-{0:0}, at:
process_one_work+0x1f0/0x6f0
   #2: ffff00004034e348 (&root->kernfs_rwsem){++++}-{3:3}, at:
__kernfs_remove+0x310/0x37c

  stack backtrace:
  CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 5.16.0-rc2+ #10984
  Hardware name: Raspberry Pi 4 Model B (DT)
  Workqueue: cgroup_destroy css_free_rwork_fn
  Call trace:
   dump_backtrace+0x0/0x1ac
   show_stack+0x18/0x24
   dump_stack_lvl+0x8c/0xb8
   dump_stack+0x18/0x34
   debug_check_no_locks_freed+0x124/0x140
   kfree+0xf0/0x3a4
   kernfs_put+0x1f8/0x224
   __kernfs_remove+0x1b8/0x37c
   kernfs_destroy_root+0x38/0x50
   css_free_rwork_fn+0x288/0x3d4
   process_one_work+0x288/0x6f0
   worker_thread+0x74/0x470
   kthread+0x188/0x194
   ret_from_fork+0x10/0x20

Since kernfs moves the kernfs_rwsem lock into root, it couldn't hold
the lock when the root node is tearing down. Thus, get the refcount
of root node.

Fixes: 393c3714 ("kernfs: switch global kernfs_rwsem lock to per-fs lock")
Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Link: https://lore.kernel.org/r/20211201231648.1027165-1-minchan@kernel.org


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

(cherry picked from commit 555a0ce4)

Bug: 320903885
Change-Id: If96f85b88b662e88430c9c8d1efb436e9a80ddcf
Signed-off-by: Suren Baghdasaryan <surenb@google.com>

The kernfs implementation has big lock granularity(kernfs_rwsem) so
every kernfs-based(e.g., sysfs, cgroup) fs are able to compete the
lock. It makes trouble for some cases to wait the global lock
for a long time even though they are totally independent contexts
each other.

A general example is process A goes under direct reclaim with holding
the lock when it accessed the file in sysfs and process B is waiting
the lock with exclusive mode and then process C is waiting the lock
until process B could finish the job after it gets the lock from
process A.

This patch switches the global kernfs_rwsem to per-fs lock, which
put the rwsem into kernfs_root.

Suggested-by: Tejun Heo <tj@kernel.org>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Link: https://lore.kernel.org/r/20211118230008.2679780-1-minchan@kernel.org


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

(cherry picked from commit 393c3714)

Bug: 320903885
Bug: 219424218
Bug: 206126556
Change-Id: I5f942f7a4a18b3c2198496fea789b381ba955d19
Signed-off-by: Suren Baghdasaryan <surenb@google.com>

This reverts commit 96e78d17.

Keeps the ABI stable by taking advantage of a hole in the structure!

Bug: 307236803
Change-Id: Ic5f7ebeb3a9b13afdb3bfff7e54c4a93b863dab6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

In current scenario if Plug-out and Plug-In performed continuously
there could be a chance while checking for dwc->gadget_driver in
dwc3_gadget_suspend, a NULL pointer dereference may occur.

Call Stack:

	CPU1:                           CPU2:
	gadget_unbind_driver            dwc3_suspend_common
	dwc3_gadget_stop                dwc3_gadget_suspend
                                        dwc3_disconnect_gadget

CPU1 basically clears the variable and CPU2 checks the variable.
Consider CPU1 is running and right before gadget_driver is cleared
and in parallel CPU2 executes dwc3_gadget_suspend where it finds
dwc->gadget_driver which is not NULL and resumes execution and then
CPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where
it checks dwc->gadget_driver is already NULL because of which the
NULL pointer deference occur.

Cc: <stable@vger.kernel.org>
Fixes: 9772b47a ("usb: dwc3: gadget: Fix suspend/resume during device mode")
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Uttkarsh Aggarwal <quic_uaggarwa@quicinc.com>

(cherry picked from commit 61a34885 )

Bug: 322899161
Link: https://lore.kernel.org/all/20240119094825.26530-1-quic_uaggarwa@quicinc.com/


Change-Id: I2f1663f19ebdd6c6b5b1874a66c81fd3f75b0e9a
Signed-off-by: Rajashekar kuruva <quic_kuruva@quicinc.com>
Signed-off-by: Manish Nagar <quic_mnagar@quicinc.com>

Add EXTCON_DISP_CVBS for Composite Video Broadcast Signal.
Add EXTCON_DISP_EDP for Embedded Display Port

[1] https://en.wikipedia.org/wiki/Composite_video
[2] https://en.wikipedia.org/wiki/DisplayPort#eDP



Signed-off-by: Michael Wu <michael@allwinnertech.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>

Bug: 322749762
(cherry picked from commit 3a06ed80)
Signed-off-by: Aran Dalton <arda@allwinnertech.com>
Change-Id: I8ad34b830ad2013c90d729c20050f5cbd8aa661a

Upstream commit bac1ec55 ("usb: xhci: Set quirk for
XHCI_SG_TRB_CACHE_SIZE_QUIRK") introduced a new quirk in XHCI
which fixes XHC timeout, which was seen on synopsys XHCs while
using SG buffers. But the support for this quirk isn't present
in the DWC3 layer.

We will encounter this XHCI timeout/hung issue if we run iperf
loopback tests using RTL8156 ethernet adaptor on DWC3 targets
with scatter-gather enabled. This gets resolved after enabling
the XHCI_SG_TRB_CACHE_SIZE_QUIRK. This patch enables it using
the xhci device property since its needed for DWC3 controller.

In Synopsys DWC3 databook,
Table 9-3: xHCI Debug Capability Limitations
Chained TRBs greater than TRB cache size: The debug capability
driver must not create a multi-TRB TD that describes smaller
than a 1K packet that spreads across 8 or more TRBs on either
the IN TR or the OUT TR.

Cc: stable@vger.kernel.org #5.11
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20240116055816.1169821-2-quic_prashk@quicinc.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 322910830
(cherry picked from commit 817349b6
https: //git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/ usb-linus)
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
Change-Id: I9a5bf2c4d43551406d452927084576387656953d

Upstream commit bac1ec55 ("usb: xhci: Set quirk for
XHCI_SG_TRB_CACHE_SIZE_QUIRK") introduced a new quirk in XHCI
which fixes XHC timeout, which was seen on synopsys XHCs while
using SG buffers. Currently this quirk can only be set using
xhci private data. But there are some drivers like dwc3/host.c
which adds adds quirks using software node for xhci device.
Hence set this xhci quirk by iterating over device properties.

Cc: stable@vger.kernel.org # 5.11
Fixes: bac1ec55 ("usb: xhci: Set quirk for XHCI_SG_TRB_CACHE_SIZE_QUIRK")
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
Link: https://lore.kernel.org/r/20240116055816.1169821-3-quic_prashk@quicinc.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 322910830
(cherry picked from commit 520b391e
https: //git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/ usb-linus)
Signed-off-by: Prashanth K <quic_prashk@quicinc.com>
Change-Id: I7cc21f5975cd82997f8eca38472f9c467df21dd6

Since the cmpxchg() to unlock the VMA (reset ref count from -1), is
enclosed in VM_BUG_ON_VMA() it gets compiled out in non-debug builds
(CONFIG_DEBUG_VM=n). This means that any VMA that underwent a fast-remap
will have it's refcount stuck at -1, making it not be eligible for
future speculative faults, and preventing freeing of the VMA.

Bug: 322411509
Change-Id: If5bf61c7d94268700f2c4f096d946201b68abdb8
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>

Add symbols used by SCMI based IIO sensor driver (scmi_iio.ko) and Marvell
88Q5152 Ethernet driver.

2 Added functions:
  [A] 'function void netdev_reset_tc(net_device*)'
  [A] 'function int pci_prepare_to_sleep(pci_dev*)'

Bug: 320707943
Signed-off-by: Wojciech Lewandowski <wojciech.lewandowski@ext.us.panasonic.com>
Change-Id: I96d9f4c84de9b78da69e34947710d8940806eaf5

CONFIG_ARM_SCMI_TRANSPORT_VIRTIO is required by SCMI based IIO sensor
driver (CONFIG_IIO_SCMI) to enable VirtIO SCMI support.

Bug: 320707943
Signed-off-by: Wojciech Lewandowski <wojciech.lewandowski@ext.us.panasonic.com>
Change-Id: I9ceff4a2f49f9b84e521ae45ad7a5013f8625ea2

The workqueue watchdog reports a lockup when there was not any progress
in the worker pool for a long time. The progress means that a pending
work item starts being proceed.

The progress is guaranteed by using idle workers or creating new workers
for pending work items.

There are several reasons why a new worker could not be created:

   + there is not enough memory

   + there is no free pool ID (IDR API)

   + the system reached PID limit

   + the process creating the new worker was interrupted

   + the last idle worker (manager) has not been scheduled for a long
     time. It was not able to even start creating the kthread.

None of these failures is reported at the moment. The only clue is that
show_one_worker_pool() prints that there is a manager. It is the last
idle worker that is responsible for creating a new one. But it is not
clear if create_worker() is failing and why.

Make the debugging easier by printing errors in create_worker().

The error code is important, especially from kthread_create_on_node().
It helps to distinguish the various reasons. For example, reaching
memory limit (-ENOMEM), other system limits (-EAGAIN), or process
interrupted (-EINTR).

Use pr_once() to avoid repeating the same error every CREATE_COOLDOWN
for each stuck worker pool.

Ratelimited printk() might be better. It would help to know if the problem
remains. It would be more clear if the create_worker() errors and workqueue
stalls are related. Also old messages might get lost when the internal log
buffer is full. The problem is that printk() might touch the watchdog.
For example, see touch_nmi_watchdog() in serial8250_console_write().
It would require synchronization of the begin and length of the ratelimit
interval with the workqueue watchdog. Otherwise, the error messages
might break the watchdog. This does not look worth the complexity.

Bug: 320570308

Change-Id: I306be476cd34e4b7f19ecb503144cb26b75ad24b
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
(cherry picked from commit 3f0ea0b8)
Signed-off-by: Yi Sun <yi.sun@unisoc.com>

It was pointed out that since commit b6115e14 ("ANDROID:
uid_sys_stat: split the global lock uid_lock to the fine-grained locks
for each hlist in hash_table") taking a spin_lock in uid_lock()
causes a scheduling while atomic error if CONFIG_UID_SYS_STATS_DEBUG
is enabled, as get_full_task_comm() takes the mmap_write_lock()
which is a semaphore, breaking the proper ordering.

In the GKI CONFIG_UID_SYS_STATS_DEBUG is disabled, so this went
unnoticed.

The uid_sys_stats logic isn't ever going to go upstream (it depends
on reverting upstream logic) and will hopefully be replaced eventually.
So there's not much reason to drag around this debug logic that is
unused.

So drop it. Less code to schlep forward.

Bug: 320184870
Change-Id: I2cfce79d5a25a3eba11a5509444c07b4642ef2de
Signed-off-by: John Stultz <jstultz@google.com>

Amit Pundir at Linaro reported seeing crashes in uid_sys_stats
driver when building with GCC.

Looking into it, it seems the uid_entry_tmp value is used
while only partially initialized, causing potential out of bound
access on the uid_entry io arrays.

This likely has gone unnoticed with clang as I believe we're
using the zero initialization for stack variables security
feature.

So change the logic to fully initialize the uid_entry_tmp
value.

Fixes: f68d4f3c ("ANDROID: uid_sys_stat: instead update_io_stats_uid_locked to update_io_stats_uid")
Reported-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: John Stultz <jstultz@google.com>
Change-Id: I78de245e80ef60aabec78a615c7ba582ab5a2242

When handling error status from uvcg_video_usb_req_queue,
uvc_video_complete currently calls uvcg_queue_cancel with
video->req_lock held. uvcg_queue_cancel internally locks
queue->irqlock, which nests queue->irqlock inside
video->req_lock. This isn't a functional bug at the
moment, but does open up possibilities for ABBA
deadlocks in the future.

This patch fixes the accidental nesting by dropping
video->req_lock before calling uvcg_queue_cancel.

Fixes: 6acba034 ("usb:gadget:uvc Do not use worker thread to pump isoc usb requests")
Signed-off-by: Avichal Rakesh <arakesh@google.com>
Link: https://lore.kernel.org/r/20240104215009.2252452-2-arakesh@google.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 314338409
(cherry picked from commit 9866dc43)
Change-Id: Ic50069f8584e0d236463a084b12cabcc845d3b6a
Signed-off-by: Avichal Rakesh <arakesh@google.com>

There is a path that may lead to freed memory being referenced,
causing kernel panics.

The kernel panic has the following stack trace:

Workqueue: uvcgadget uvcg_video_pump.c51fb85fece46625450f86adbf92c56c.cfi_jt
pstate: 60c00085 (nZCv daIf +PAN +UAO -TCO BTYPE=--)
pc : __list_del_entry_valid+0xc0/0xd4
lr : __list_del_entry_valid+0xc0/0xd4
Call trace:
  __list_del_entry_valid+0xc0/0xd4
  uvc_video_free_request+0x60/0x98
  uvcg_video_pump+0x1cc/0x204
  process_one_work+0x21c/0x4b8
  worker_thread+0x29c/0x574
  kthread+0x158/0x1b0
  ret_from_fork+0x10/0x30

The root cause is that uvcg_video_usb_req_queue frees the uvc_request
if is_enabled is false and returns an error status. video_pump also
frees the associated request if uvcg_video_usb_req_queue returns an
error status, leading to double free and accessing garbage memory.

To fix the issue, this patch removes freeing logic from
uvcg_video_usb_req_queue, and lets the callers to the function handle
queueing errors as they see fit.

Fixes: 6acba034 ("usb:gadget:uvc Do not use worker thread to pump isoc usb requests")
Tested-by: Avichal Rakesh <arakesh@google.com>
Signed-off-by: Avichal Rakesh <arakesh@google.com>
Link: https://lore.kernel.org/r/20240104215009.2252452-1-arakesh@google.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 314338409
(cherry picked from commit fe814b5b)
Change-Id: I833c33e038ea5b34d5c580dfc612752ab1fa88a6
Signed-off-by: Avichal Rakesh <arakesh@google.com>

fuse_lseek_backing was returning the offset as an int, which would then
be treated as an ERR if in the range 4G-4096 and 4G.

Although the call would appear to work correctly, the file position
would be incorrect according to a subsequent fseek with SEEK_CUR.

Based on a change by chenyuwen <chenyuwen1@meizu.com> who found and
fixed this issue.

Bug: 319219307
Change-Id: I3aef5fb22751a72ce2bd7674ee081956a89fc752
Signed-off-by: chenyuwen <chenyuwen1@meizu.com>
Signed-off-by: Paul Lawrence <paullawrence@google.com>

Update symbols to symbol list externed by oppo memory group.

ABI DIFFERENCES HAVE BEEN DETECTED!

1 function symbol(s) added
  'bool is_transparent_hugepage(struct page *)'

Bug: 321196175

Change-Id: I6a7e58f51903fbdc3c4c7deb9e1d3accc2559027
Signed-off-by: huzhanyuan <huzhanyuan@oppo.com>

Current implementation blocks the running operations when Plug-out and
Plug-In is performed continuously, process gets stuck in
dwc3_thread_interrupt().

Code Flow:

	CPU1

	->Gadget_start
	->dwc3_interrupt
	->dwc3_thread_interrupt
	->dwc3_process_event_buf
	->dwc3_process_event_entry
	->dwc3_endpoint_interrupt
	->dwc3_ep0_interrupt
	->dwc3_ep0_inspect_setup
	->dwc3_ep0_stall_and_restart

By this time if pending_list is not empty, it will get the next request
on the given list and calls dwc3_gadget_giveback which will unmap request
and call its complete() callback to notify upper layers that it has
completed. Currently dwc3_gadget_giveback status is set to -ECONNRESET,
whereas it should be -ESHUTDOWN based on condition if not dwc->connected
is true.

Cc:  <stable@vger.kernel.org>
Fixes: d742220b ("usb: dwc3: ep0: giveback requests on stall_and_restart")
Signed-off-by: Uttkarsh Aggarwal <quic_uaggarwa@quicinc.com>
Link: https://lore.kernel.org/r/20231222094704.20276-1-quic_uaggarwa@quicinc.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 320608609
(cherry picked from commit e9d40b21
https: //git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/ usb-next)

Change-Id: Ie1cb993fc9e24e6c2f6d6120bca409a6f2664c18
Signed-off-by: Uttkarsh Aggarwal <quic_uaggarwa@quicinc.com>

The current implementation of the mark_victim tracepoint provides only the
process ID (pid) of the victim process.  This limitation poses challenges
for userspace tools that need additional information about the OOM victim.
The association between pid and the additional data may be lost after the
kill, making it difficult for userspace to correlate the OOM event with
the specific process.

In order to mitigate this limitation, add the following fields:

- UID
   In Android each installed application has a unique UID. Including
   the `uid` assists in correlating OOM events with specific apps.

- Process Name (comm)
   Enables identification of the affected process.

- OOM Score
   Allows userspace to get additional insights of the relative kill
   priority of the OOM victim.

Link: https://lkml.kernel.org/r/20240111210539.636607-1-carlosgalo@google.com


Change-Id: Icc3ed013a9dfff9bb09f1d7588757e6028c17069
Signed-off-by: Carlos Galo <carlosgalo@google.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 649ffb4cbb90a7f60f17dd74e57d814e762ea01d mm-unstable)
[ carlosgalo: Manually added struct cred change in mark_oom_victim function ]

Bug: 315560026
Change-Id: I81fb6f3447f432100ad4cd25e22db23768003388
Signed-off-by: Carlos Galo <carlosgalo@google.com>

A recent change to add a vendor hook inadvertently affected the CRC of
two existing exported symbols, due to an additional header inclusion.

This change hides the inclusion from genksyms, reverting the CRCs.

function symbol 'char * __get_task_comm(char *, size_t, struct task_struct *)' changed
  CRC changed from 0x84461de to 0x4428fb5e

function symbol 'int __traceiter_task_rename(void *, struct task_struct *, const char *)' changed
  CRC changed from 0x6012942d to 0x199d26ce

Bug: 317949078
Bug: 320644132
Fixes: 7348d925 ("ANDROID: vendor_hooks: Add a hook for set_task_comm")
Change-Id: Id065ae6244dbd337ed1dcbf3687c2ef3711d4415
Signed-off-by: Giuliano Procida <gprocida@google.com>

Currently for dwc3_usb31 controller, if maximum_speed is limited to
super-speed in DT, then device mode is limited to SS, but host mode
still works in SSP.

The documentation for max-speed property is as follows:

"Tells USB controllers we want to work up to a certain speed.
Incase  this isn't passed via DT, USB controllers should default to
their maximum HW capability."

It doesn't specify that the property is only for device mode.
There are cases where we need to limit the host's maximum speed to
SuperSpeed only. Use this property for host mode to contrain host's
speed to SuperSpeed.

Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20231219041559.15789-1-quic_kriskura@quicinc.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 320619105
(cherry picked from commit 91736d06 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git

 usb-next)
Change-Id: I458fa5cd44c1510a797f824e263eb3ea27bbb287
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>

Starting with FUSE 7.36, all the fields for the 32-bit FUSE init flags
have been allocated, so commit 53db2893 ("fuse: extend init flags")
introduces the new 32-bit flags2 field in fuse_init_in and
fuse_init_out. That change also adds the FUSE_INIT_RESERVED flag that
doesn't have any specific purpose yet, is just reserved and should not
be used, and (un)fortunately collides with FUSE_PASSTHROUGH.

This change fixes the conflict by simply setting the FUSE_PASSTHROUGH
value to the next, latest unused fuse2 bit.
Although this is not the best design choice, userspace will know what
FUSE_PASSTHROUGH bit to choose based on the FUSE major and minor version
for FUSE version:
- < 7.36:    FUSE_PASSTHROUGH is the 31st bit of flags;
- otherwise: FUSE_PASSTHROUGH is the 31st bit of flags2.

Test: launch_cvd (both android-mainline and android13-5.10) \
  `logcat FuseDaemon:V \*:S` shows no FUSE passthrough errors
Bug: 215310351
Signed-off-by: Alexandre Marciano Gimenez <raging@google.com>
Change-Id: I85d7582008b8c093b3172b3f41c6cdf09863dd45
(cherry picked from commit cffa61e7)

[ Upstream commit 3701cd39 ]

If dynset expressions provided by userspace is larger than the declared
set expressions, then bail out.

Bug: 316085841
Fixes: 48b0ae04 ("netfilter: nftables: netlink support for several set element expressions")
Reported-by: Xingyuan Mo <hdthky0@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit cf5f113c)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I4bd3f7e9148d4bc12bbc67ecdd605c2957eb8010

Update whitelist for the symbols used by the unisoc device and
update the ABI representation accordingly.

1 function symbol(s) added
  'int __traceiter_android_vh_rwsem_downgrade_wake_finish(void *, struct rw_semaphore *)'

1 variable symbol(s) added
  'struct tracepoint __tracepoint_android_vh_rwsem_downgrade_wake_finish'

Bug: 319178409
Change-Id: Ife1520ea7d9d6c39607d2f750a37a78d8d642486
Signed-off-by: Jing Xia <jing.xia@unisoc.com>

The commit d4528a28 ("ANDROID: vendor_hooks: Add hooks for
rwsem and mutex") adds the android_vh_rwsem_wake_finish hook to
rwsem_wake().It can get the point when a [write/read]_owner
releases the rwsem and wakes up other waiters of the rwsem.
However, it cannot cover a scenario that a task acquires the
write-lock first, then downgrades to the read-lock and wakes up
other waiters in list.

In order to avoid breaking other partner handlers that don't
expect to be called from rwsem_downgrade_wake,this patch adds
a new vendor hook named android_vh_rwsem_downgrade_wake_finish
to rwsem_downgrade_wake() as Todd Kjos suggested.

Bug: 319178409
Change-Id: I73f677d2aa813777f21f13fafc17b1f912f6ef7e
Signed-off-by: Jing Xia <jing.xia@unisoc.com>

Under certain circumstances a SoC can reach a critical temperaturelimit
and is unable to stabilize the temperature around a temperaturecontrol.
The system may ask for a specific power budget butbecause of the OPP
density, we can only choose an OPP with a powerbudget lower than the
requested one and under-utilize the CPU, thuslosing performance. In
other words, one OPP under-utilizes the CPUwith a power less than the
requested power budget and the next OPPexceeds the power budget. The
cpu idle cooling can solve this problem.

Bug: 299411923
Signed-off-by: Aran Dalton <arda@allwinnertech.com>
Change-Id: I1c17b340617e88be075097dc47f30ce94be2a4d7

commit 7315dc1e upstream.

NFT_MSG_DELSET deactivates all elements in the set, skip
set->ops->commit() to avoid the unnecessary clone (for the pipapo case)
as well as the sync GC cycle, which could deactivate again expired
elements in such set.

Bug: 318548348
Fixes: 5f68718b ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Reported-by: Kevin Rich <kevinrich1337@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0105571f)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ie733688e27d9568d797fc1bc477261883b7dc8c1

[ Upstream commit e2b706c6 ]

When I perform the following test operations:
1.ip link add br0 type bridge
2.brctl addif br0 eth0
3.ip addr add 239.0.0.1/32 dev eth0
4.ip addr add 239.0.0.1/32 dev br0
5.ip addr add 224.0.0.1/32 dev br0
6.while ((1))
    do
        ifconfig br0 up
        ifconfig br0 down
    done
7.send IGMPv2 query packets to port eth0 continuously. For example,
./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00
1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"

The preceding tests may trigger the refcnt uaf issue of the mc list. The
stack is as follows:
	refcount_t: addition on 0; use-after-free.
	WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
	CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
	Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
	RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
	RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
	RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
	RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
	RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
	R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
	R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
	FS:  0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
	Call Trace:
	<TASK>
	igmp_heard_query (net/ipv4/igmp.c:1068)
	igmp_rcv (net/ipv4/igmp.c:1132)
	ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
	ip_local_deliver_finish (net/ipv4/ip_input.c:234)
	__netif_receive_skb_one_core (net/core/dev.c:5529)
	netif_receive_skb_internal (net/core/dev.c:5729)
	netif_receive_skb (net/core/dev.c:5788)
	br_handle_frame_finish (net/bridge/br_input.c:216)
	nf_hook_bridge_pre (net/bridge/br_input.c:294)
	__netif_receive_skb_core (net/core/dev.c:5423)
	__netif_receive_skb_list_core (net/core/dev.c:5606)
	__netif_receive_skb_list (net/core/dev.c:5674)
	netif_receive_skb_list_internal (net/core/dev.c:5764)
	napi_gro_receive (net/core/gro.c:609)
	e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
	e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
	__napi_poll (net/core/dev.c:6533)
	net_rx_action (net/core/dev.c:6735)
	__do_softirq (kernel/softirq.c:554)
	run_ksoftirqd (kernel/softirq.c:913)
	smpboot_thread_fn (kernel/smpboot.c:164)
	kthread (kernel/kthread.c:388)
	ret_from_fork (arch/x86/kernel/process.c:153)
	ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
	</TASK>

The root causes are as follows:
Thread A					Thread B
...						netif_receive_skb
br_dev_stop					...
    br_multicast_leave_snoopers			...
        __ip_mc_dec_group			...
            __igmp_group_dropped		igmp_rcv
                igmp_stop_timer			    igmp_heard_query         //ref = 1
                ip_ma_put			        igmp_mod_timer
                    refcount_dec_and_test	            igmp_start_timer //ref = 0
			...                                     refcount_inc //ref increases from 0
When the device receives an IGMPv2 Query message, it starts the timer
immediately, regardless of whether the device is running. If the device is
down and has left the multicast group, it will cause the mc list refcount
uaf issue.

Bug: 316932391
Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 94445d95)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I277be2304e564994e05b981ccd6cd8cbb9dc85be

2 function symbol(s) added
  'struct drm_private_state* drm_atomic_get_new_private_obj_state(struct drm_atomic_state*, struct drm_private_obj*)'
  'uint64_t drm_format_info_min_pitch(const struct drm_format_info*, int, unsigned int)'

Bug: 319070243
Change-Id: I54d8e1c1ff2ecbddd54d61724577ddad1cbfde08
Signed-off-by: Qinglin Li <qinglin.li@amlogic.com>

commit 4b7de801 upstream.

Lee pointed out issue found by syscaller [0] hitting BUG in prog array
map poke update in prog_array_map_poke_run function due to error value
returned from bpf_arch_text_poke function.

There's race window where bpf_arch_text_poke can fail due to missing
bpf program kallsym symbols, which is accounted for with check for
-EINVAL in that BUG_ON call.

The problem is that in such case we won't update the tail call jump
and cause imbalance for the next tail call update check which will
fail with -EBUSY in bpf_arch_text_poke.

I'm hitting following race during the program load:

  CPU 0                             CPU 1

  bpf_prog_load
    bpf_check
      do_misc_fixups
        prog_array_map_poke_track

                                    map_update_elem
                                      bpf_fd_array_map_update_elem
                                        prog_array_map_poke_run

                                          bpf_arch_text_poke returns -EINVAL

    bpf_prog_kallsyms_add

After bpf_arch_text_poke (CPU 1) fails to update the tail call jump, the next
poke update fails on expected jump instruction check in bpf_arch_text_poke
with -EBUSY and triggers the BUG_ON in prog_array_map_poke_run.

Similar race exists on the program unload.

Fixing this by moving the update to bpf_arch_poke_desc_update function which
makes sure we call __bpf_arch_text_poke that skips the bpf address check.

Each architecture has slightly different approach wrt looking up bpf address
in bpf_arch_text_poke, so instead of splitting the function or adding new
'checkip' argument in previous version, it seems best to move the whole
map_poke_run update as arch specific code.

  [0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810



Bug: 309551558
Fixes: ebf7d1f5 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
Reported-by:  <syzbot+97a4fe20470e9bc30810@syzkaller.appspotmail.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Cc: Lee Jones <lee@kernel.org>
Cc: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://lore.kernel.org/bpf/20231206083041.1306660-2-jolsa@kernel.org


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 13578b4e)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I1291f0589e84f627ee44d07acb24196fab166c29

In commit 9846d8c8 ("net: ipv6: support reporting otherwise unknown
prefix flags in RTM_NEWPREFIX") a union is added to fix some issues, but
that messes with the crc of a number of networking symbols for obvious
reasons.  As this does not actually change the abi at all, use some
GENKSYMS magic #define logic to preserve the crc so that all is well.

Update the .xml file for the following structure change that is abi-safe:
type 'struct prefix_info' changed
  member 'union { __u8 flags; struct { __u8 reserved; __u8 autoconf; __u8 onlink; }; }' was added
  member '__u8 reserved' was removed
  member '__u8 autoconf' was removed
  member '__u8 onlink' was removed

Bug: 161946584
Fixes: 9846d8c8 ("net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX")
Cc: Maciej Żenczykowski <maze@google.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Change-Id: I9d2df74e8f3ae60425534f1b33d50b2bc444f7f5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

9 function symbol(s) added
  'int nf_log_buf_add(struct nf_log_buf *, const char *, ...)'
  'void nf_log_buf_close(struct nf_log_buf *)'
  'struct nf_log_buf * nf_log_buf_open()'
  'int nf_log_register(u_int8_t, struct nf_logger *)'
  'int nf_log_set(struct net *, u_int8_t, const struct nf_logger *)'
  'void nf_log_unregister(struct nf_logger *)'
  'void nf_log_unset(struct net *, const struct nf_logger *)'
  'int nf_logger_find_get(int, enum nf_log_type)'
  'void nf_logger_put(int, enum nf_log_type)'

Bug: 316040982

Change-Id: Icd40e3750160b579b1eea3710ac6c855585b2b4c
Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>

2 function symbol(s) added
  'void arp_send(int, int, __be32, struct net_device *, __be32, const unsigned char *, const unsigned char *, const unsigned char *)'
  'void nf_log_packet(struct net *, u_int8_t, unsigned int, const struct sk_buff *, const struct net_device *, const struct net_device *, const struct nf_loginfo *, const char *, ...)'

1 variable symbol(s) added
  'int sysctl_nf_log_all_netns'

Bug: 316040982

Change-Id: Ie421b63df849c8ae5cafd18c890cc6e641a70fa3
Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>

18 function symbol(s) added
  'void __audit_log_nfcfg(const char *, u8, unsigned int, enum audit_nfcfgop, gfp_t)'
  'int nf_register_sockopt(struct nf_sockopt_ops *)'
  'void nf_unregister_sockopt(struct nf_sockopt_ops *)'
  'void * vmalloc_node(unsigned long int, int)'
  'int xt_check_match(struct xt_mtchk_param *, unsigned int, u16, bool)'
  'int xt_check_target(struct xt_tgchk_param *, unsigned int, u16, bool)'
  'int xt_compat_add_offset(u_int8_t, unsigned int, int)'
  'int xt_compat_calc_jump(u_int8_t, unsigned int)'
  'void xt_compat_flush_offsets(u_int8_t)'
  'int xt_compat_init_offsets(u8, unsigned int)'
  'void xt_compat_lock(u_int8_t)'
  'int xt_compat_match_offset(const struct xt_match *)'
  'int xt_compat_target_offset(const struct xt_target *)'
  'void xt_compat_unlock(u_int8_t)'
  'int xt_data_to_user(void *, void *, int, int, int)'
  'struct xt_match * xt_find_match(u8, const char *, u8)'
  'struct xt_match * xt_request_find_match(uint8_t, const char *, uint8_t)'
  'struct xt_target * xt_request_find_target(u8, const char *, u8)'

1 variable symbol(s) added
  'u32 audit_enabled'

Bug: 316040982

Change-Id: I5d3bb3ad453ac4c231f7c23531d84a96673b1487
Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>