This is the 6.1.115 stable release
* tag 'v6.1.115': (2780 commits)
Linux 6.1.115
xfrm: validate new SA's prefixlen using SA family when sel.family is unset
arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning
ACPI: PRM: Clean up guid type in struct prm_handler_info
platform/x86: dell-wmi: Ignore suspend notifications
ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()
net: phy: dp83822: Fix reset pin definitions
serial: protect uart_port_dtr_rts() in uart_shutdown() too
selinux: improve error checking in sel_write_load()
drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too
hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event
xfrm: fix one more kernel-infoleak in algo dumping
LoongArch: Get correct cores_per_package for SMT systems
ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593
KVM: arm64: Don't eagerly teardown the vgic on init error
KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory
openat2: explicitly return -E2BIG for (usize > PAGE_SIZE)
nilfs2: fix kernel bug due to missing clearing of buffer delay flag
ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue
ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context
...
Change-Id: Iee600c49a5c914b79141c62cda38e787e429a167
Conflicts:
arch/arm64/boot/dts/rockchip/rk356x.dtsi
drivers/gpio/gpio-rockchip.c
drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c
drivers/gpu/drm/rockchip/rockchip_drm_vop.c
drivers/gpu/drm/rockchip/rockchip_drm_vop.h
drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
drivers/gpu/drm/rockchip/rockchip_vop_reg.c
drivers/media/i2c/imx335.c
drivers/pci/controller/dwc/pcie-dw-rockchip.c
drivers/spi/spi-rockchip.c
drivers/spi/spidev.c
drivers/usb/dwc3/gadget.c
drivers/usb/host/xhci.h
Merge from kernel-5.10
media: rockchip: isp: fix isp33 unite error for fastboot
media: rockchip: isp: fix unite mode for fast
media: rockchip: isp: output stream burst 16 for isp33
media: rockchip: isp: write burst adjust to 8 for isp33
media: rockchip: isp: fix free bay3d buf fd to get again fail
media: rockchip: isp: wait aiq params for isp33 fast
media: rockchip: isp: fix multi switch to online no work for fast
media: rockchip: isp: isp33 change input to 4 align
media: rockchip: isp: fix isp33 multi online resume
media: rockchip: isp: drop 2 frame if rockit switch resolution
media: rockchip: isp: disable isp33 dma write gather
media: rockchip: isp: fix isp33 multi sensor resume
media: rockchip: isp: isp33 add api to get params
media: rockchip: isp: fix isp33 unite switch online for fast
media: rockchip: isp: w3a overflow check for isp33
media: rockchip: isp: fix isp33 params sram config
media: rockchip: isp: fix memory leak
media: rockchip: isp: add sync for multi online mode
media: rockchip: isp: limit bp crop and scl for isp33
media: rockchip: isp: fix hold at register irq if mcu still running
media: rockchip: isp: enable bay3d FST_FRAME if change bypass
media: rockchip: isp: fix 4k unite effect
media: rockchip: isp: add api for raw buf cnt and hdr wrap
media: rockchip: isp: fix resume for multi online mode
media: rockchip: isp: frame start irq to send dvbm event
media: rockchip: isp: fix hist for isp33 unite mode
media: rockchip: isp: fix buf update for multi online mode
media: rockchip: isp: resume early for isp33
media: rockchip: isp: fix rd_mode for vicap to send buf
media: rockchip: isp: fix fast stop no to clean flag
media: rockchip: isp: fix isp2enc wrap for isp33 fast
media: rockchip: isp: support online hdr wrap for isp33
media: rockchip: isp: support unite online for isp33
media: rockchip: isp: support two sensor online for isp33
media: rockchip: isp: support mirror for wrap mode
media: rockchip: isp: more mode for vicap to isp
media: rockchip: isp: add isp2enc frame count to rockit
media: rockchip: isp: add rv1103b config
media: rockchip: isp: add isp33
media: rockchip: isp: fix rockit switch resolution
media: rockchip: isp: fix params buffersize for tb case
media: rockchip: isp: fix isp32 bp no output if suspend
media: rockchip: isp: rockit buf add offset
Change-Id: I7d3720165e9fb045e88be34c2f58fe83c0f700bc
Signed-off-by: Cai YiWei <cyw@rock-chips.com>
[ Upstream commit 09d88791c7cd888d5195c84733caf9183dcfbd16 ]
The bpf_redirect_info is shared between the SKB and XDP redirect paths,
and the two paths use the same numeric flag values in the ri->flags
field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
subsequently, an XDP redirect is performed using the same
bpf_redirect_info struct, the XDP path will get confused and end up
crashing, which syzbot managed to trigger.
With the stack-allocated bpf_redirect_info, the structure is no longer
shared between the SKB and XDP paths, so the crash doesn't happen
anymore. However, different code paths using identically-numbered flag
values in the same struct field still seems like a bit of a mess, so
this patch cleans that up by moving the flag definitions together and
redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
sure the overlap is not re-introduced by mistake.
Fixes: e624d4ed4a ("xdp: Extend xdp_redirect_map with broadcast support")
Reported-by: syzbot+cca39e6e84a367a7e6f6@syzkaller.appspotmail.com
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Closes: https://syzkaller.appspot.com/bug?extid=cca39e6e84a367a7e6f6
Link: https://lore.kernel.org/bpf/20240920125625.59465-1-toke@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
This is the 6.1.99 stable release
* tag 'v6.1.99': (1975 commits)
Linux 6.1.99
Revert "usb: xhci: prevent potential failure in handle_tx_event() for Transfer events without TRB"
Linux 6.1.98
nilfs2: fix incorrect inode allocation from reserved inodes
null_blk: Do not allow runt zone with zone capacity smaller then zone size
spi: cadence: Ensure data lines set to low during dummy-cycle period
nfc/nci: Add the inconsistency check between the input data length and count
kbuild: fix short log for AS in link-vmlinux.sh
nvmet: fix a possible leak when destroy a ctrl during qp establishment
platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro
platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6" tablet
regmap-i2c: Subtract reg size from max_write
nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset
dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails
nvme-multipath: find NUMA path only for online numa-node
ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897
fs/ntfs3: Mark volume as dirty if xattr is broken
i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr
clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg
clk: mediatek: clk-mtk: Register MFG notifier in mtk_clk_simple_probe()
...
Change-Id: Ibf9c2caa3bbffb7a960e82ec6c2b0b497753778c
Conflicts:
arch/arm64/boot/dts/rockchip/rk3328.dtsi
drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
drivers/phy/rockchip/phy-rockchip-snps-pcie3.c
drivers/pinctrl/pinctrl-rockchip.c
drivers/usb/gadget/function/u_audio.c
include/linux/usb/quirks.h
mm/cma.c
sound/soc/rockchip/rockchip_i2s_tdm.c
commit 599f6899051cb70c4e0aa9fd591b9ee220cb6f14 upstream.
The cec_msg_set_reply_to() helper function never zeroed the
struct cec_msg flags field, this can cause unexpected behavior
if flags was uninitialized to begin with.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: 0dbacebede ("[media] cec: move the CEC framework out of staging and to media")
Cc: <stable@vger.kernel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d0941130c9 upstream.
There are multiple ICMP rate limiting mechanisms:
* Global limits: net.ipv4.icmp_msgs_burst/icmp_msgs_per_sec
* v4 per-host limits: net.ipv4.icmp_ratelimit/ratemask
* v6 per-host limits: net.ipv6.icmp_ratelimit/ratemask
However, when ICMP output is limited, there is no way to tell
which limit has been hit or even if the limits are responsible
for the lack of ICMP output.
Add counters for each of the cases above. As we are within
local_bh_disable(), use the __INC stats variant.
Example output:
  # nstat -sz "*RateLimit*"
  IcmpOutRateLimitGlobal          134                0.0
  IcmpOutRateLimitHost            770                0.0
  Icmp6OutRateLimitHost           84                 0.0
Signed-off-by: Jamie Bainbridge <jamie.bainbridge@gmail.com>
Suggested-by: Abhishek Rawal <rawal.abhishek92@gmail.com>
Link: https://lore.kernel.org/r/273b32241e6b7fdc5c609e6f5ebc68caf3994342.1674605770.git.jamie.bainbridge@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5cadfbd5a1 upstream.
Add an init flag indicating whether the FUSE_EXPIRE_ONLY flag of
FUSE_NOTIFY_INVAL_ENTRY is effective.
This is needed for backports of this feature, otherwise the server could
just check the protocol version.
Fixes: 4f8d37020e ("fuse: add "expire only" mode to FUSE_NOTIFY_INVAL_ENTRY")
Cc: <stable@vger.kernel.org> # v6.2
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 15d937d7ca ]
Will need to add supplementary groups to create messages, so add the
general concept of a request extension. A request extension is appended to
the end of the main request. It has a header indicating the size and type
of the extension.
The create security context (fuse_secctx_*) is similar to the generic
request extension, so include that as well in a backward compatible manner.
Add the total extension length to the request header. The offset of the
extension block within the request can be calculated by:
  inh->len - inh->total_extlen * 8
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Stable-dep-of: 3002240d1649 ("fuse: fix memory leak in fuse_create_open")
Signed-off-by: Sasha Levin <sashal@kernel.org>
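Added example, not part of the commit above or of the kernel or libfuse sources: one way a FUSE server could locate an extension with the offset formula from the message while checking every length field before trusting it. The struct layouts are reproduced for illustration, the 8-byte record padding is an assumption, and fuse_ext_find(), demo_request() and the type value 32 are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layouts reproduced from memory of include/uapi/linux/fuse.h (assumption). */
struct fuse_in_header {
	uint32_t len, opcode;
	uint64_t unique, nodeid;
	uint32_t uid, gid, pid;
	uint16_t total_extlen;	/* extension block length in 8-byte units */
	uint16_t padding;
};
struct fuse_ext_header {
	uint32_t size;		/* whole extension, this header included */
	uint32_t type;
};

enum { EXT_OK = 0, EXT_NOT_FOUND = -1, EXT_MALFORMED = -2 };

/* Find the first extension of `type` in a request held in req[0..buflen).
 * Every length field is peer-controlled, so each is checked before use. */
int fuse_ext_find(const uint8_t *req, size_t buflen, uint32_t type,
		  const uint8_t **payload, size_t *payload_len)
{
	struct fuse_in_header inh;
	struct fuse_ext_header xh;
	size_t extlen, off;

	if (buflen < sizeof(inh))
		return EXT_MALFORMED;
	memcpy(&inh, req, sizeof(inh));
	if (inh.len < sizeof(inh) || inh.len > buflen)
		return EXT_MALFORMED;
	extlen = (size_t)inh.total_extlen * 8;
	if (extlen > inh.len - sizeof(inh))	/* block would overlap the header */
		return EXT_MALFORMED;

	off = inh.len - extlen;		/* formula from the commit message */
	while (off < inh.len) {
		size_t left = inh.len - off;	/* stays a multiple of 8 */

		if (left < sizeof(xh))
			return EXT_MALFORMED;
		memcpy(&xh, req + off, sizeof(xh));
		if (xh.size < sizeof(xh) || xh.size > left)
			return EXT_MALFORMED;
		if (xh.type == type) {
			*payload = req + off + sizeof(xh);
			*payload_len = xh.size - sizeof(xh);
			return EXT_OK;
		}
		/* Assumed: records are padded to 8 bytes; cannot exceed `left`. */
		off += ((size_t)xh.size + 7) & ~(size_t)7;
	}
	return EXT_NOT_FOUND;
}

/* Constructed sample: 64-byte request = 40-byte header, 8 bytes of opcode
 * arguments, then one extension of made-up type 32 starting at offset 48. */
size_t demo_request(uint8_t buf[64], uint32_t ext_size, uint16_t extlen_units)
{
	struct fuse_in_header inh = { .len = 64, .total_extlen = extlen_units };
	struct fuse_ext_header xh = { .size = ext_size, .type = 32 };

	memset(buf, 0xAA, 64);
	memcpy(buf, &inh, sizeof(inh));
	memcpy(buf + 48, &xh, sizeof(xh));
	return 64;
}
```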
[ Upstream commit 153524053b ]
In general, as of now, in FUSE, direct writes on the same file are
serialized over inode lock i.e. we hold inode lock for the full duration of
the write request. I could not find in fuse code and git history a comment
which clearly explains why this exclusive lock is taken for direct writes.
Following might be the reasons for acquiring an exclusive lock but not be
limited to
1) Our guess is some USER space fuse implementations might be relying on
this lock for serialization.
2) The lock protects against file read/write size races.
3) Ruling out any issues arising from partial write failures.
This patch relaxes the exclusive lock for direct non-extending writes only.
File size extending writes might not need the lock either, but we are not
entirely sure if there is a risk to introduce any kind of regression.
Furthermore, benchmarking with fio does not show a difference between patch
versions that take on file size extension a) an exclusive lock and b) a
shared lock.
A possible example of an issue with i_size extending writes are write error
cases. Some writes might succeed and others might fail for file system
internal reasons - for example ENOSPACE. With parallel file size extending
writes it _might_ be difficult to revert the action of the failing write,
especially to restore the right i_size.
With these changes, we allow non-extending parallel direct writes on the
same file with the help of a flag called FOPEN_PARALLEL_DIRECT_WRITES. If
this flag is set on the file (flag is passed from libfuse to fuse kernel as
part of file open/create), we do not take exclusive lock anymore, but
instead use a shared lock that allows non-extending writes to run in
parallel. FUSE implementations which rely on this inode lock for
serialization can continue to do so and serialized direct writes are still
the default. Implementations that do not do write serialization need to be
updated and need to set the FOPEN_PARALLEL_DIRECT_WRITES flag in their file
open/create reply.
On patch review there were concerns that network file systems (or vfs
multiple mounts of the same file system) might have issues with parallel
writes. We believe this is not the case, as this is just a local lock,
which network file systems could not rely on anyway. I.e. this lock is
just for local consistency.
Signed-off-by: Dharmendra Singh <dsingh@ddn.com>
Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Stable-dep-of: 3002240d1649 ("fuse: fix memory leak in fuse_create_open")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 4f8d37020e ]
Add a flag to entry expiration that lets the filesystem expire a dentry
without kicking it out from the cache immediately.
This makes a difference for overmounted dentries, where plain invalidation
would detach all submounts before dropping the dentry from the cache. If
only expiry is set on the dentry, then any overmounts are left alone
until ->d_revalidate() is called.
Note: ->d_revalidate() is not called for the case of following a submount,
so invalidation will only be triggered for the non-overmounted case. The
dentry could also be mounted in a different mount instance, in which case
any submounts will still be detached.
Suggested-by: Jakob Blomer <jblomer@cern.ch>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Stable-dep-of: 3002240d1649 ("fuse: fix memory leak in fuse_create_open")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 896880ff30866f386ebed14ab81ce1ad3710cfc4 ]
Replace deprecated 0-length array in struct bpf_lpm_trie_key with
flexible array. Found with GCC 13:
../kernel/bpf/lpm_trie.c:207:51: warning: array subscript i is outside array bounds of 'const __u8[0]' {aka 'const unsigned char[]'} [-Warray-bounds=]
  207 | *(__be16 *)&key->data[i]);
      | ^~~~~~~~~~~~~
../include/uapi/linux/swab.h:102:54: note: in definition of macro '__swab16'
  102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
      | ^
../include/linux/byteorder/generic.h:97:21: note: in expansion of macro '__be16_to_cpu'
   97 | #define be16_to_cpu __be16_to_cpu
      | ^~~~~~~~~~~~~
../kernel/bpf/lpm_trie.c:206:28: note: in expansion of macro 'be16_to_cpu'
  206 | u16 diff = be16_to_cpu(*(__be16 *)&node->data[i]
^
      | ^~~~~~~~~~~
In file included from ../include/linux/bpf.h:7:
../include/uapi/linux/bpf.h:82:17: note: while referencing 'data'
   82 | __u8 data[0]; /* Arbitrary size */
      | ^~~~
And found at run-time under CONFIG_FORTIFY_SOURCE:
  UBSAN: array-index-out-of-bounds in kernel/bpf/lpm_trie.c:218:49
  index 0 is out of range for type '__u8 [*]'
Changing struct bpf_lpm_trie_key is difficult since it has been used by
userspace. For example, in Cilium:
	struct egress_gw_policy_key {
		struct bpf_lpm_trie_key lpm_key;
		__u32 saddr;
		__u32 daddr;
	};
While direct references to the "data" member haven't been found, there
are static initializers that include the final member. For example,
the "{}" here:
	struct egress_gw_policy_key in_key = {
		.lpm_key = { 32 + 24, {} },
		.saddr = CLIENT_IP,
		.daddr = EXTERNAL_SVC_IP & 0Xffffff,
	};
To avoid the build time and run time warnings seen with a 0-sized
trailing array for struct bpf_lpm_trie_key, introduce a new struct
that correctly uses a flexible array for the trailing bytes,
struct bpf_lpm_trie_key_u8. As part of this, include the "header"
portion (which is just the "prefixlen" member), so it can be used
by anything building a bpf_lpm_trie_key that has trailing members that
aren't a u8 flexible array (like the self-test[1]), which is named
struct bpf_lpm_trie_key_hdr.
Unfortunately, C++ refuses to parse the __struct_group() helper, so
it is not possible to define struct bpf_lpm_trie_key_hdr directly in
struct bpf_lpm_trie_key_u8, so we must open-code the union directly.
Adjust the kernel code to use struct bpf_lpm_trie_key_u8 through-out,
and for the selftest to use struct bpf_lpm_trie_key_hdr. Add a comment
to the UAPI header directing folks to the two new options.
Reported-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Closes: https://paste.debian.net/hidden/ca500597/
Link: https://lore.kernel.org/all/202206281009.4332AA33@keescook/ [1]
Link: https://lore.kernel.org/bpf/20240222155612.it.533-kees@kernel.org
Stable-dep-of: 59f2f841179a ("bpf: Avoid kfree_rcu() under lock in bpf_lpm_trie.")
Signed-off-by: Sasha Levin <sashal@kernel.org>
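Added example, not part of the commit above or of the kernel sources: the two key types the message describes, written with <stdint.h> names so they build in user space, together with a caller-defined key that embeds only the header and a bounded prefix comparison over data[]. struct demo_policy_key, key_u8_new() and key_match_bits() are hypothetical, and the comparison is a simplified bit-by-bit loop, not the kernel's trie code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The two types the commit message describes, with <stdint.h> names in
 * place of the kernel's __u32/__u8. */
struct bpf_lpm_trie_key_hdr {
	uint32_t prefixlen;
};
struct bpf_lpm_trie_key_u8 {
	union {				/* open-coded instead of __struct_group() */
		struct bpf_lpm_trie_key_hdr hdr;
		uint32_t prefixlen;
	};
	uint8_t data[];			/* flexible array instead of data[0] */
};

/* Hypothetical caller-defined key with fixed trailing members: it embeds
 * only the header, so no array member is buried mid-struct. */
struct demo_policy_key {
	struct bpf_lpm_trie_key_hdr lpm_key;
	uint8_t saddr[4];
	uint8_t daddr[4];
};

/* Allocate a byte-array key. The allocation size is the only thing that
 * bounds data[], so it is derived from data_len in one place. */
struct bpf_lpm_trie_key_u8 *key_u8_new(uint32_t prefixlen,
				       const uint8_t *data, size_t data_len)
{
	struct bpf_lpm_trie_key_u8 *k = malloc(sizeof(*k) + data_len);

	if (!k)
		return NULL;
	k->prefixlen = prefixlen;
	memcpy(k->data, data, data_len);
	return k;
}

/* Number of leading bits two keys share, capped by the shorter prefixlen
 * and by data_len, so data[i] is never read past the allocation. */
uint32_t key_match_bits(const struct bpf_lpm_trie_key_u8 *a,
			const struct bpf_lpm_trie_key_u8 *b, size_t data_len)
{
	uint32_t limit = a->prefixlen < b->prefixlen ? a->prefixlen : b->prefixlen;
	uint32_t bits = 0;

	if (limit > data_len * 8)
		limit = (uint32_t)(data_len * 8);
	for (size_t i = 0; i < data_len && bits < limit; i++) {
		uint8_t diff = a->data[i] ^ b->data[i];

		for (int bit = 7; bit >= 0 && bits < limit; bit--, bits++)
			if (diff & (1u << bit))
				return bits;
	}
	return bits;
}
```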
This is the 6.1.84 stable release
* tag 'v6.1.84': (1865 commits)
Linux 6.1.84
tools/resolve_btfids: fix build with musl libc
USB: core: Fix deadlock in usb_deauthorize_interface()
x86/sev: Skip ROM range scans and validation for SEV-SNP guests
scsi: libsas: Fix disk not being scanned in after being removed
scsi: libsas: Add a helper sas_get_sas_addr_and_dev_type()
scsi: lpfc: Correct size for wqe for memset()
scsi: lpfc: Correct size for cmdwqe/rspwqe for memset()
tls: fix use-after-free on failed backlog decryption
x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled
scsi: qla2xxx: Delay I/O Abort on PCI error
scsi: qla2xxx: Change debug message during driver unload
scsi: qla2xxx: Fix double free of fcport
scsi: qla2xxx: Fix command flush on cable pull
scsi: qla2xxx: NVME|FCP prefer flag not being honored
scsi: qla2xxx: Update manufacturer detail
scsi: qla2xxx: Split FCE|EFT trace control
scsi: qla2xxx: Fix N2N stuck connection
scsi: qla2xxx: Prevent command send on chip reset
usb: typec: ucsi: Clear UCSI_CCI_RESET_COMPLETE before reset
...
Change-Id: If6edd552c88012d97f5eefc5e1d97a4f1683f171
Conflicts:
drivers/gpu/drm/bridge/sii902x.c
drivers/gpu/drm/rockchip/rockchip_lvds.c
drivers/media/i2c/imx335.c
drivers/usb/dwc3/gadget.c
drivers/usb/host/xhci-plat.c
sound/soc/rockchip/rockchip_i2s_tdm.c
[ Upstream commit f91717007217d975aa975ddabd91ae1a107b9bff ]
The struct bpf_fib_lookup is supposed to be of size 64. A recent commit
59b418c7063d ("bpf: Add a check for struct bpf_fib_lookup size") added
a static assertion to check this property so that future changes to the
structure will not accidentally break this assumption.
As it immediately turned out, on some 32-bit arm systems, when AEABI=n,
the total size of the structure was equal to 68, see [1]. This happened
because the bpf_fib_lookup structure contains a union of two 16-bit
fields:
	union {
		__u16 tot_len;
		__u16 mtu_result;
	};
which was supposed to compile to a 16-bit-aligned 16-bit field. On the
aforementioned setups it was instead both aligned and padded to 32-bits.
Declare this inner union as __attribute__((packed, aligned(2))) such
that it always is of size 2 and is aligned to 16 bits.
[1] https://lore.kernel.org/all/CA+G9fYtsoP51f-oP_Sp5MOq-Ffv8La2RztNpwvE6+R1VtFiLrw@mail.gmail.com/#t
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Fixes: e1850ea9bd ("bpf: bpf_fib_lookup return MTU value as output when looked up")
Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240403123303.1452184-1-aspsk@isovalent.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
This is the 6.1.75 stable release
* tag 'v6.1.75': (2623 commits)
Linux 6.1.75
Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d""
arm64: dts: armada-3720-turris-mox: set irq type for RTC
Revert "KEYS: encrypted: Add check for strsep"
riscv: Fix wrong usage of lm_alias() when splitting a huge linear mapping
block: Remove special-casing of compound pages
i2c: s3c24xx: fix transferring more than one message in polling mode
i2c: s3c24xx: fix read transfers in polling mode
ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work
selftests: mlxsw: qos_pfc: Adjust the test to support 8 lanes
mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure
loop: fix the the direct I/O support check when used on top of block devices
ethtool: netlink: Add missing ethnl_ops_begin/complete
kdb: Fix a potential buffer overflow in kdb_local()
ipvs: avoid stat macros calls from preemptible context
netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description
netfilter: nf_tables: skip dead set elements in netlink dump
netfilter: nf_tables: do not allow mismatch field size and set key length
netfilter: bridge: replace physindev with physinif in nf_bridge_info
netfilter: propagate net to nf_bridge_get_physindev
...
Conflicts:
drivers/clk/rockchip/clk-rk3568.c
drivers/devfreq/event/rockchip-dfi.c
drivers/gpu/drm/rockchip/rockchip_drm_vop.c
drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
drivers/i2c/busses/i2c-rk3x.c
drivers/i2c/i2c-core-base.c
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
drivers/nvme/host/nvme.h
Change-Id: I9649ece83925659bca59cced0be24f0bd165822a
Signed-off-by: Sandy Huang <hjc@rock-chips.com>
Signed-off-by: Tao Huang <huangtao@rock-chips.com>
1. support set output range by user
2. fix csc process color space and range config
3. add adobe YUV/RGB and 2020 YUV/RGB support
Signed-off-by: Jianwei Fan <jianwei.fan@rock-chips.com>
Change-Id: I02ce6ae17c94f51b44d5b6096e1185e1fbb3e3e9