Merge 5.15.78 into android14-5.15

Changes in 5.15.78 scsi: lpfc: Adjust bytes received vales during cmf timer interval scsi: lpfc: Adjust CMF total bytes and rxmonitor scsi: lpfc: Rework MIB Rx Monitor debug info logic serial: ar933x: Deassert Transmit Enable on ->rs485_config() KVM: x86: Trace re-injected exceptions KVM: x86: Treat #DBs from the emulator as fault-like (code and DR7.GD=1) drm/amd/display: explicitly disable psr_feature_enable appropriately mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page HID: playstation: add initial DualSense Edge controller support KVM: x86: Protect the unused bits in MSR exiting flags KVM: x86: Copy filter arg outside kvm_vm_ioctl_set_msr_filter() KVM: x86: Add compat handler for KVM_X86_SET_MSR_FILTER RDMA/cma: Use output interface for net_dev check IB/hfi1: Correctly move list in sc_disable() RDMA/hns: Remove magic number RDMA/hns: Use hr_reg_xxx() instead of remaining roce_set_xxx() RDMA/hns: Disable local invalidate operation NFSv4: Fix a potential state reclaim deadlock NFSv4.1: Handle RECLAIM_COMPLETE trunking errors NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot SUNRPC: Fix null-ptr-deref when xps sysfs alloc failed NFSv4.2: Fixup CLONE dest file size for zero-length count nfs4: Fix kmemleak when allocate slot failed net: dsa: Fix possible memory leaks in dsa_loop_init() RDMA/core: Fix null-ptr-deref in ib_core_cleanup() RDMA/qedr: clean up work queue on failure in qedr_alloc_resources() net: dsa: fall back to default tagger if we can't load the one from DT nfc: fdp: Fix potential memory leak in fdp_nci_send() nfc: nxp-nci: Fix potential memory leak in nxp_nci_send() nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() net: fec: fix improper use of NETDEV_TX_BUSY ata: pata_legacy: fix pdc20230_set_piomode() net: sched: Fix use after free in red_enqueue() net: tun: fix bugs for oversize packet when napi frags enabled netfilter: nf_tables: netlink notifier might race to release objects netfilter: nf_tables: release flow rule object from commit path ipvs: use explicitly signed chars ipvs: fix WARNING in __ip_vs_cleanup_batch() ipvs: fix WARNING in ip_vs_app_net_cleanup() rose: Fix NULL pointer dereference in rose_send_frame() mISDN: fix possible memory leak in mISDN_register_device() isdn: mISDN: netjet: fix wrong check of device registration btrfs: fix inode list leak during backref walking at resolve_indirect_refs() btrfs: fix inode list leak during backref walking at find_parent_nodes() btrfs: fix ulist leaks in error paths of qgroup self tests netfilter: ipset: enforce documented limit to prevent allocating huge memory Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu Bluetooth: virtio_bt: Use skb_put to set length Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() Bluetooth: L2CAP: Fix memory leak in vhci_write net: mdio: fix undefined behavior in bit shift for __mdiobus_register ibmvnic: Free rwi on reset success stmmac: dwmac-loongson: fix invalid mdio_node net/smc: Fix possible leaked pernet namespace in smc_init() net, neigh: Fix null-ptr-deref in neigh_table_clear() ipv6: fix WARNING in ip6_route_net_exit_late() vsock: fix possible infinite sleep in vsock_connectible_wait_data() drm/msm/hdmi: Remove spurious IRQF_ONESHOT flag drm/msm/hdmi: fix IRQ lifetime video/fbdev/stifb: Implement the stifb_fillrect() function fbdev: stifb: Fall back to cfb_fillrect() on 32-bit HCRX cards mtd: parsers: bcm47xxpart: print correct offset on read error mtd: parsers: bcm47xxpart: Fix halfblock reads s390/uaccess: add missing EX_TABLE entries to __clear_user() s390/boot: add secure boot trailer s390/cio: derive cdev information only for IO-subchannels s390/cio: fix out-of-bounds access on cio_ignore free media: rkisp1: Don't pass the quantization to rkisp1_csm_config() media: rkisp1: Initialize color space on resizer sink and source pads media: rkisp1: Use correct macro for gradient registers media: rkisp1: Zero v4l2_subdev_format fields in when validating links media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE media: cros-ec-cec: limit msg.len to CEC_MAX_MSG_SIZE media: dvb-frontends/drxk: initialize err to 0 media: meson: vdec: fix possible refcount leak in vdec_probe() media: v4l: subdev: Fail graciously when getting try data for NULL state ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init() scsi: core: Restrict legal sdev_state transitions via sysfs HID: saitek: add madcatz variant of MMO7 mouse device ID drm/amdgpu: set vm_update_mode=0 as default for Sienna Cichlid in SRIOV case i2c: xiic: Add platform module alias efi/tpm: Pass correct address to memblock_reserve clk: qcom: Update the force mem core bit for GPU clocks ARM: dts: imx6qdl-gw59{10,13}: fix user pushbutton GPIO offset arm64: dts: imx8: correct clock order arm64: dts: lx2160a: specify clock frequencies for the MDIO controllers arm64: dts: ls1088a: specify clock frequencies for the MDIO controllers arm64: dts: ls208xa: specify clock frequencies for the MDIO controllers block: Fix possible memory leak for rq_wb on add_disk failure firmware: arm_scmi: Suppress the driver's bind attributes firmware: arm_scmi: Make Rx chan_setup fail on memory errors firmware: arm_scmi: Fix devres allocation device in virtio transport arm64: dts: juno: Add thermal critical trip points i2c: piix4: Fix adapter not be removed in piix4_remove() Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM Bluetooth: L2CAP: Fix attempting to access uninitialized memory block, bfq: protect 'bfqd->queued' by 'bfqd->lock' af_unix: Fix memory leaks of the whole sk due to OOB skb. fscrypt: stop using keyrings subsystem for fscrypt_master_key fscrypt: fix keyring memory leak on mount failure btrfs: fix lost file sync on direct IO write with nowait and dsync iocb btrfs: fix tree mod log mishandling of reallocated nodes btrfs: fix type of parameter generation in btrfs_get_dentry ftrace: Fix use-after-free for dynamic ftrace_ops tcp/udp: Make early_demux back namespacified. tracing: kprobe: Fix memory leak in test_gen_kprobe/kretprobe_cmd() kprobe: reverse kp->flags when arm_kprobe failed ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters() tools/nolibc/string: Fix memcmp() implementation tracing/histogram: Update document for KEYS_MAX size capabilities: fix potential memleak on error path from vfs_getxattr_alloc() fuse: add file_modified() to fallocate efi: random: reduce seed size to 32 bytes efi: random: Use 'ACPI reclaim' memory for random seed arm64: entry: avoid kprobe recursion perf/x86/intel: Fix pebs event constraints for ICL perf/x86/intel: Add Cooper Lake stepping to isolation_ucodes[] perf/x86/intel: Fix pebs event constraints for SPR parisc: Make 8250_gsc driver dependend on CONFIG_PARISC parisc: Export iosapic_serial_irq() symbol for serial port driver parisc: Avoid printing the hardware path twice ext4: fix warning in 'ext4_da_release_space' ext4: fix BUG_ON() when directory entry has invalid rec_len x86/syscall: Include asm/ptrace.h in syscall_wrapper header KVM: x86: Mask off reserved bits in CPUID.80000006H KVM: x86: Mask off reserved bits in CPUID.8000001AH KVM: x86: Mask off reserved bits in CPUID.80000008H KVM: x86: Mask off reserved bits in CPUID.80000001H KVM: x86: Mask off reserved bits in CPUID.8000001FH KVM: VMX: fully disable SGX if SECONDARY_EXEC_ENCLS_EXITING unavailable KVM: arm64: Fix bad dereference on MTE-enabled systems KVM: x86: emulator: em_sysexit should update ctxt->mode KVM: x86: emulator: introduce emulator_recalc_and_set_mode KVM: x86: emulator: update the emulation mode after rsm KVM: x86: emulator: update the emulation mode after CR0 write tee: Fix tee_shm_register() for kernel TEE drivers ext4,f2fs: fix readahead of verity data cifs: fix regression in very old smb1 mounts drm/rockchip: dsi: Clean up 'usage_mode' when failing to attach drm/rockchip: dsi: Force synchronous probe drm/i915/sdvo: Filter out invalid outputs more sensibly drm/i915/sdvo: Setup DDC fully before output init wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() Linux 5.15.78 Change-Id: I807682f70b9d2817cef65b5ccb76567b20ca6ccd Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2022-11-15 16:38:36 +00:00
parent cd3481dba1 509a32764e
commit 54e0a862f9
143 changed files with 1413 additions and 934 deletions
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -42,31 +42,8 @@
 #define AHASH_MAX_SIZE			(6 * AHASH_INIT_SIZE)
 /* Max muber of elements in the array block when tuned */
 #define AHASH_MAX_TUNED			64
-
 #define AHASH_MAX(h)			((h)->bucketsize)

-/* Max number of elements can be tuned */
-#ifdef IP_SET_HASH_WITH_MULTI
-static u8
-tune_bucketsize(u8 curr, u32 multi)
-{
-	u32 n;
-
-	if (multi < curr)
-		return curr;
-
-	n = curr + AHASH_INIT_SIZE;
-	/* Currently, at listing one hash bucket must fit into a message.
-	 * Therefore we have a hard limit here.
-	 */
-	return n > curr && n <= AHASH_MAX_TUNED ? n : curr;
-}
-#define TUNE_BUCKETSIZE(h, multi)	\
-	((h)->bucketsize = tune_bucketsize((h)->bucketsize, multi))
-#else
-#define TUNE_BUCKETSIZE(h, multi)
-#endif
-
 /* A hash bucket */
 struct hbucket {
 	struct rcu_head rcu;	/* for call_rcu */
@@ -936,7 +913,12 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
 		goto set_full;
 	/* Create a new slot */
 	if (n->pos >= n->size) {
-		TUNE_BUCKETSIZE(h, multi);
+#ifdef IP_SET_HASH_WITH_MULTI
+		if (h->bucketsize >= AHASH_MAX_TUNED)
+			goto set_full;
+		else if (h->bucketsize < multi)
+			h->bucketsize += AHASH_INIT_SIZE;
+#endif
 		if (n->size >= AHASH_MAX(h)) {
 			/* Trigger rehashing */
 			mtype_data_next(&h->next, d);
--- a/net/netfilter/ipvs/ip_vs_app.c
+++ b/net/netfilter/ipvs/ip_vs_app.c
@@ -599,13 +599,19 @@ static const struct seq_operations ip_vs_app_seq_ops = {
 int __net_init ip_vs_app_net_init(struct netns_ipvs *ipvs)
 {
 	INIT_LIST_HEAD(&ipvs->app_list);
-	proc_create_net("ip_vs_app", 0, ipvs->net->proc_net, &ip_vs_app_seq_ops,
-			sizeof(struct seq_net_private));
+#ifdef CONFIG_PROC_FS
+	if (!proc_create_net("ip_vs_app", 0, ipvs->net->proc_net,
+			     &ip_vs_app_seq_ops,
+			     sizeof(struct seq_net_private)))
+		return -ENOMEM;
+#endif
 	return 0;
 }

 void __net_exit ip_vs_app_net_cleanup(struct netns_ipvs *ipvs)
 {
 	unregister_ip_vs_app(ipvs, NULL /* all */);
+#ifdef CONFIG_PROC_FS
 	remove_proc_entry("ip_vs_app", ipvs->net->proc_net);
+#endif
 }
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -1265,8 +1265,8 @@ static inline int todrop_entry(struct ip_vs_conn *cp)
 	 * The drop rate array needs tuning for real environments.
 	 * Called from timer bh only => no locking
 	 */
-	static const char todrop_rate[9] = {0, 1, 2, 3, 4, 5, 6, 7, 8};
-	static char todrop_counter[9] = {0};
+	static const signed char todrop_rate[9] = {0, 1, 2, 3, 4, 5, 6, 7, 8};
+	static signed char todrop_counter[9] = {0};
 	int i;

 	/* if the conn entry hasn't lasted for 60 seconds, don't drop it.
@@ -1447,20 +1447,36 @@ int __net_init ip_vs_conn_net_init(struct netns_ipvs *ipvs)
 {
 	atomic_set(&ipvs->conn_count, 0);

-	proc_create_net("ip_vs_conn", 0, ipvs->net->proc_net,
-			&ip_vs_conn_seq_ops, sizeof(struct ip_vs_iter_state));
-	proc_create_net("ip_vs_conn_sync", 0, ipvs->net->proc_net,
-			&ip_vs_conn_sync_seq_ops,
-			sizeof(struct ip_vs_iter_state));
+#ifdef CONFIG_PROC_FS
+	if (!proc_create_net("ip_vs_conn", 0, ipvs->net->proc_net,
+			     &ip_vs_conn_seq_ops,
+			     sizeof(struct ip_vs_iter_state)))
+		goto err_conn;
+
+	if (!proc_create_net("ip_vs_conn_sync", 0, ipvs->net->proc_net,
+			     &ip_vs_conn_sync_seq_ops,
+			     sizeof(struct ip_vs_iter_state)))
+		goto err_conn_sync;
+#endif
+
 	return 0;
+
+#ifdef CONFIG_PROC_FS
+err_conn_sync:
+	remove_proc_entry("ip_vs_conn", ipvs->net->proc_net);
+err_conn:
+	return -ENOMEM;
+#endif
 }

 void __net_exit ip_vs_conn_net_cleanup(struct netns_ipvs *ipvs)
 {
 	/* flush all the connection entries first */
 	ip_vs_conn_flush(ipvs);
+#ifdef CONFIG_PROC_FS
 	remove_proc_entry("ip_vs_conn", ipvs->net->proc_net);
 	remove_proc_entry("ip_vs_conn_sync", ipvs->net->proc_net);
+#endif
 }

 int __init ip_vs_conn_init(void)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8308,9 +8308,6 @@ static void nft_commit_release(struct nft_trans *trans)
 		nf_tables_chain_destroy(&trans->ctx);
 		break;
 	case NFT_MSG_DELRULE:
-		if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
-			nft_flow_rule_destroy(nft_trans_flow_rule(trans));
-
 		nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
 		break;
 	case NFT_MSG_DELSET:
@@ -8767,6 +8764,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 			nft_rule_expr_deactivate(&trans->ctx,
 						 nft_trans_rule(trans),
 						 NFT_TRANS_COMMIT);
+
+			if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
+				nft_flow_rule_destroy(nft_trans_flow_rule(trans));
 			break;
 		case NFT_MSG_NEWSET:
 			nft_clear(net, nft_trans_set(trans));
@@ -9824,6 +9824,8 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
 	nft_net = nft_pernet(net);
 	deleted = 0;
 	mutex_lock(&nft_net->commit_mutex);
+	if (!list_empty(&nf_tables_destroy_list))
+		rcu_barrier();
 again:
 	list_for_each_entry(table, &nft_net->tables, list) {
 		if (nft_table_has_owner(table) &&