~ubuntu-mainline/ubuntu-mainline/+git/linux-upstream:linux-4.19.y

Last commit made on 2024-06-16
Get this branch:
git clone -b linux-4.19.y https://git.launchpad.net/~ubuntu-mainline/ubuntu-mainline/+git/linux-upstream

Recent commits

b37477f... by Greg Kroah-Hartman <email address hidden>

Linux 4.19.316

Link: https://<email address hidden>
Tested-by: Pavel Machek (CIP) <email address hidden>
Tested-by: Jon Hunter <email address hidden>
Tested-by: Harshit Mogalapalli <email address hidden>
Tested-by: Shuah Khan <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>

74ea538... by Sergey Shtylyov <email address hidden>

nfs: fix undefined behavior in nfs_block_bits()

commit 3c0a2e0b0ae661457c8505fecc7be5501aa7a715 upstream.

Shifting *signed int* typed constant 1 left by 31 bits causes undefined
behavior. Specify the correct *unsigned long* type by using 1UL instead.

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Cc: <email address hidden>
Signed-off-by: Sergey Shtylyov <email address hidden>
Reviewed-by: Benjamin Coddington <email address hidden>
Signed-off-by: Trond Myklebust <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
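The scan described in this commit, as an added example that is not the kernel's nfs_block_bits() nor part of this page: it walks from bit 31 downwards looking for the highest set bit of a block size. The shift constant must be `1UL`; with a plain `1` (a 32-bit `int`) the iteration at bit 31 overflows the signed type, which is undefined behaviour even though the loop otherwise looks harmless. The function names and the sample sizes are constructed for the demonstration.

```c
#include <stdio.h>

/*
 * Added example (not the NFS client's code): find the index of the highest
 * set bit of a block size, scanning from bit 31 downwards the way the
 * commit's loop does.  (1UL << nrbits) is well defined for every value of
 * nrbits in 0..31; (1 << 31) on a 32-bit int is signed overflow, i.e.
 * undefined behaviour, which is exactly what the commit removes.
 */
unsigned char highest_block_bit(unsigned long bsize)
{
    unsigned char nrbits;

    for (nrbits = 31; nrbits && !(bsize & (1UL << nrbits)); nrbits--)
        ;
    return nrbits;
}

/* Round a block size down to a power of two using the same safe shift. */
unsigned long round_block_size(unsigned long bsize)
{
    return 1UL << highest_block_bit(bsize);
}

int main(void)
{
    /* constructed sample sizes; 0x80000000 is the case that hits bit 31 */
    unsigned long sizes[] = { 4096, 4097, 0x80000000UL, 1 };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%lu -> bit %u, rounded %lu\n", sizes[i],
               highest_block_bit(sizes[i]), round_block_size(sizes[i]));
    return 0;
}
```

Compiling the same loop with `-fsanitize=undefined` and a plain `1` in the shift reports the overflow on the 0x80000000 input; with `1UL` it is silent, which is a quick way to confirm this class of fix on a backport.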

2062e3f... by Harald Freudenberger <email address hidden>

s390/ap: Fix crash in AP internal function modify_bitmap()

commit d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9 upstream.

A system crash like this

  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403
  Fault in home space mode while using kernel ASCE.
  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d
  Oops: 0038 ilc:3 [#1] PREEMPT SMP
  Modules linked in: mlx5_ib ...
  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8
  Hardware name: IBM 3931 A01 704 (LPAR)
  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)
  R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3
  000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0
  000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff
  000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8
  Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a
  0000014b75e7b600: 18b2 lr %r11,%r2
  #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616
  >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)
  0000014b75e7b60c: a7680001 lhi %r6,1
  0000014b75e7b610: 187b lr %r7,%r11
  0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654
  0000014b75e7b616: 18e9 lr %r14,%r9
  Call Trace:
  [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8
  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)
  [<0000014b75e7b758>] apmask_store+0x68/0x140
  [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8
  [<0000014b75598524>] vfs_write+0x1b4/0x448
  [<0000014b7559894c>] ksys_write+0x74/0x100
  [<0000014b7618a440>] __do_syscall+0x268/0x328
  [<0000014b761a3558>] system_call+0x70/0x98
  INFO: lockdep is turned off.
  Last Breaking-Event-Address:
  [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8
  Kernel panic - not syncing: Fatal exception: panic_on_oops

occurred when /sys/bus/ap/a[pq]mask was updated with a relative mask value
(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.

The fix is simple: use unsigned long values for the internal variables. The
correct checks are already in place in the function but a simple int for
the internal variables was used with the possibility to overflow.

Reported-by: Marc Hartmayer <email address hidden>
Signed-off-by: Harald Freudenberger <email address hidden>
Tested-by: Marc Hartmayer <email address hidden>
Reviewed-by: Holger Dengler <email address hidden>
Cc: <email address hidden>
Signed-off-by: Heiko Carstens <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
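A parser for the relative mask syntax the commit describes (`+0x10-0x12,+60,-90`), written as an added example; it is not the s390 ap driver's ap_parse_bitmap_str() and is not part of this page. It keeps every parsed number in an `unsigned long`, rejects anything `strtoul` cannot represent or that is outside the bitmap, and applies the update to a copy so that a rejected string leaves the live bitmap untouched. The bitmap size, function names and test strings are constructed for the demonstration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a 256-bit map stored in unsigned long words. */
#define BITS      256UL
#define WORD_BITS (CHAR_BIT * sizeof(unsigned long))
#define WORDS     ((BITS + WORD_BITS - 1) / WORD_BITS)

static void set_range(unsigned long *map, unsigned long from,
                      unsigned long to, int on)
{
    for (unsigned long b = from; b <= to; b++) {
        unsigned long m = 1UL << (b % WORD_BITS);
        if (on)
            map[b / WORD_BITS] |= m;
        else
            map[b / WORD_BITS] &= ~m;
    }
}

int test_bit(const unsigned long *map, unsigned long b)
{
    return (map[b / WORD_BITS] >> (b % WORD_BITS)) & 1UL;
}

/*
 * Parse one number (decimal, 0x hex or 0 octal) into an unsigned long.
 * Values that overflow strtoul or do not fit in the map are rejected here,
 * so nothing downstream can index past the end of the bitmap.
 */
static int parse_num(const char *s, char **end, unsigned long *out)
{
    unsigned long v;

    errno = 0;
    v = strtoul(s, end, 0);
    if (*end == s || errno == ERANGE || v >= BITS)
        return -1;
    *out = v;
    return 0;
}

/* Apply "+a-b,-c,+d" style updates; returns 0, or -1 with map unchanged. */
int parse_relative_mask(const char *str, unsigned long *map)
{
    unsigned long tmp[WORDS];
    const char *p = str;

    memcpy(tmp, map, sizeof tmp);
    while (*p && *p != '\n') {
        unsigned long from, to;
        char *end;
        int on;

        if (*p == '+')
            on = 1;
        else if (*p == '-')
            on = 0;
        else
            return -1;
        p++;
        if (parse_num(p, &end, &from))
            return -1;
        to = from;
        if (*end == '-') {
            if (parse_num(end + 1, &end, &to) || to < from)
                return -1;
        }
        set_range(tmp, from, to, on);
        if (*end == ',')
            end++;
        else if (*end != '\0' && *end != '\n')
            return -1;
        p = end;
    }
    memcpy(map, tmp, sizeof tmp);
    return 0;
}

/* Apply spec to an all-zero map and report bit b; -1 means the spec was rejected. */
int apply_to_empty(const char *spec, unsigned long b)
{
    unsigned long map[WORDS] = { 0 };

    if (parse_relative_mask(spec, map))
        return -1;
    return test_bit(map, b);
}

int main(void)
{
    printf("bit 17 after '+0x10-0x12,+60,-90': %d\n",
           apply_to_empty("+0x10-0x12,+60,-90", 17));
    printf("'+4294967296' accepted? %d\n", apply_to_empty("+4294967296", 0));
    return 0;
}
```

The value that crashed the driver, a number above INT_MAX, is simply refused by `parse_num` before it can be used as an index; the same check also covers values that overflow `unsigned long` itself, which `strtoul` signals with `ERANGE`.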

9ad75e7... by Baokun Li <email address hidden>

ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()

commit 0c0b4a49d3e7f49690a6827a41faeffad5df7e21 upstream.

Syzbot reports a warning as follows:

============================================
WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290
Modules linked in:
CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7
RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419
Call Trace:
 <TASK>
 ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375
 generic_shutdown_super+0x136/0x2d0 fs/super.c:641
 kill_block_super+0x44/0x90 fs/super.c:1675
 ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327
[...]
============================================

This is because when finding an entry in ext4_xattr_block_cache_find(), if
ext4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown
in the __entry_find(), won't be put away, and eventually trigger the above
issue in mb_cache_destroy() due to reference count leakage.

So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.

Reported-by: <email address hidden>
Closes: https://syzkaller.appspot.com/bug?extid=dd43bd0f7474512edc47
Fixes: fb265c9cb49e ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases")
Cc: <email address hidden>
Signed-off-by: Baokun Li <email address hidden>
Reviewed-by: Jan Kara <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Theodore Ts'o <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
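The reference-count pattern behind this fix, as an added example that is not fs/mbcache.c or fs/ext4/xattr.c and is not part of this page: a lookup hands out a reference that the caller must drop on every exit path, including the error branch. The leaky and fixed variants are placed side by side, and a stand-in for the cache-destroy check reports whether a reference was left behind. All names, the simulated read failure and the sample entry are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for a cache entry; refcnt 1 means only the cache owns it. */
struct cache_entry {
    unsigned int e_refcnt;
    unsigned long key;
};

/* Lookup returns the entry with an extra reference the caller must put. */
static struct cache_entry *entry_find(struct cache_entry *e)
{
    e->e_refcnt++;
    return e;
}

static void entry_put(struct cache_entry *e)
{
    e->e_refcnt--;
}

/* Stand-in for the block read; NULL models the -ENOMEM case from the commit. */
static void *read_block(int fail_with_enomem)
{
    return fail_with_enomem ? NULL : (void *)1;
}

/* Leaky variant: the error branch returns before dropping ce's reference. */
int lookup_leaky(struct cache_entry *e, int fail_read)
{
    struct cache_entry *ce = entry_find(e);

    if (!read_block(fail_read))
        return -ENOMEM;          /* reference taken in entry_find() is lost */
    entry_put(ce);
    return 0;
}

/* Fixed variant: the error branch puts the entry before returning. */
int lookup_fixed(struct cache_entry *e, int fail_read)
{
    struct cache_entry *ce = entry_find(e);

    if (!read_block(fail_read)) {
        entry_put(ce);
        return -ENOMEM;
    }
    entry_put(ce);
    return 0;
}

/* Mirrors the check a cache teardown makes: anything above 1 is a leaked reference. */
int cache_destroy_leaked(const struct cache_entry *e)
{
    return e->e_refcnt != 1;
}

/* Run one lookup against a fresh entry and report whether a reference leaked. */
int leaks_after(int (*lookup)(struct cache_entry *, int), int fail_read)
{
    struct cache_entry e = { .e_refcnt = 1, .key = 42 };

    lookup(&e, fail_read);
    return cache_destroy_leaked(&e);
}

int main(void)
{
    printf("leaky lookup, read fails:  leak=%d\n", leaks_after(lookup_leaky, 1));
    printf("fixed lookup, read fails:  leak=%d\n", leaks_after(lookup_fixed, 1));
    return 0;
}
```

The leak only shows up on the failure path, which is why it surfaced through syzbot's fault injection rather than ordinary testing; a teardown-time assertion on the count, as modelled by `cache_destroy_leaked`, is what turned it into the reported warning.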

980a1cd... by Mike Gilbert

sparc: move struct termio to asm/termios.h

commit c32d18e7942d7589b62e301eb426b32623366565 upstream.

Every other arch declares struct termio in asm/termios.h, so make sparc
match them.

Resolves a build failure in the PPP software package, which includes
both bits/ioctl-types.h via sys/ioctl.h (glibc) and asm/termbits.h.

Closes: https://bugs.gentoo.org/918992
Signed-off-by: Mike Gilbert <email address hidden>
Cc: <email address hidden>
Reviewed-by: Andreas Larsson <email address hidden>
Tested-by: Andreas Larsson <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Andreas Larsson <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>

051c0bd... by Eric Dumazet <email address hidden>

net: fix __dst_negative_advice() race

commit 92f1655aa2b2294d0b49925f3b875a634bd3b59e upstream.

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

Fixes: a87cb3e48ee8 ("net: Facility to report route quality of connected sockets")
Reported-by: Clement Lecigne <email address hidden>
Diagnosed-by: Clement Lecigne <email address hidden>
Signed-off-by: Eric Dumazet <email address hidden>
Cc: Tom Herbert <email address hidden>
Reviewed-by: David Ahern <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Jakub Kicinski <email address hidden>
[Lee: Stable backport]
Signed-off-by: Lee Jones <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>

2467f3f... by Daniel Thompson

kdb: Use format-specifiers rather than memset() for padding in kdb_read()

commit c9b51ddb66b1d96e4d364c088da0f1dfb004c574 upstream.

Currently when the current line should be removed from the display
kdb_read() uses memset() to fill a temporary buffer with spaces.
The problem is not that this could be trivially implemented using a
format string rather than open coding it. The real problem is that
it is possible, on systems with a long kdb_prompt_str, to write past
the end of the tmpbuffer.

Happily, as mentioned above, this can be trivially implemented using a
format string. Make it so!

Cc: <email address hidden>
Reviewed-by: Douglas Anderson <email address hidden>
Tested-by: Justin Stitt <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Daniel Thompson <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>

4a89182... by Daniel Thompson

kdb: Merge identical case statements in kdb_read()

commit 6244917f377bf64719551b58592a02a0336a7439 upstream.

The code that handles case 14 (down) and case 16 (up) has been copy and
pasted despite being byte-for-byte identical. Combine them.

Cc: <email address hidden> # Not a bug fix but it is needed for later bug fixes
Reviewed-by: Douglas Anderson <email address hidden>
Tested-by: Justin Stitt <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Daniel Thompson <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>

21c068c... by Daniel Thompson

kdb: Fix console handling when editing and tab-completing commands

commit db2f9c7dc29114f531df4a425d0867d01e1f1e28 upstream.

Currently, if the cursor position is not at the end of the command buffer
and the user uses the Tab-complete functions, then the console does not
leave the cursor in the correct position.

For example consider the following buffer with the cursor positioned
at the ^:

md kdb_pro 10
          ^

Pressing tab should result in:

md kdb_prompt_str 10
                 ^

However this does not happen. Instead the cursor is placed at the end
(after the 10) and further cursor movement redraws incorrectly. The
same problem exists when we double-Tab but in a different part of the
code.

Fix this by sending a carriage return and then redisplaying the text to
the left of the cursor.

Cc: <email address hidden>
Reviewed-by: Douglas Anderson <email address hidden>
Tested-by: Justin Stitt <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Daniel Thompson <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>

4edfbba... by Daniel Thompson

kdb: Use format-strings rather than '\0' injection in kdb_read()

commit 09b35989421dfd5573f0b4683c7700a7483c71f9 upstream.

Currently when kdb_read() needs to reposition the cursor it uses copy and
paste code that works by injecting an '\0' at the cursor position before
delivering a carriage-return and reprinting the line (which stops at the
'\0').

Tidy up the code by hoisting the copy and paste code into an appropriately
named function. Additionally let's replace the '\0' injection with a
proper field width parameter so that the string will be abridged during
formatting instead.

Cc: <email address hidden> # Not a bug fix but it is needed for later bug fixes
Tested-by: Justin Stitt <email address hidden>
Reviewed-by: Douglas Anderson <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Daniel Thompson <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
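The two format-string techniques these kdb commits switch to, padding a line with `%*s` instead of a `memset()` of spaces (the earlier "Use format-specifiers rather than memset()" commit) and abridging a line with a `%.*s` field width instead of injecting a `'\0'` (this commit), as one added example that is not kdb_read() and is not part of this page. A deliberately small output buffer makes the bound visible: `snprintf` truncates at the buffer size where the open-coded `memset()` would have written past it. The buffer size, helper names and the sample line are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed small buffer so the length bound is easy to see. */
#define TMPBUF 32

/*
 * Blank `width` columns. "%*s" with an empty string emits exactly `width`
 * spaces, and snprintf never writes more than outsz bytes, unlike a
 * memset(tmp, ' ', width) whose size is unchecked against the buffer.
 */
int blank_line(char *out, size_t outsz, size_t width)
{
    return snprintf(out, outsz, "%*s", (int)width, "");
}

/*
 * Reprint only the text left of the cursor after a carriage return.
 * "%.*s" stops after `cursor` characters during formatting, so the
 * line buffer itself is never modified.
 */
int reprint_left_of_cursor(char *out, size_t outsz, const char *line,
                           size_t cursor)
{
    return snprintf(out, outsz, "\r%.*s", (int)cursor, line);
}

/* Characters actually stored when blanking `width` columns into TMPBUF bytes. */
size_t blank_written(size_t width)
{
    char buf[TMPBUF];

    blank_line(buf, sizeof buf, width);
    return strlen(buf);
}

/* 1 if the reprinted prefix (after the '\r') equals `expect`. */
int left_matches(const char *line, size_t cursor, const char *expect)
{
    char buf[TMPBUF];

    reprint_left_of_cursor(buf, sizeof buf, line, cursor);
    return strcmp(buf + 1, expect) == 0;
}

int main(void)
{
    /* constructed line from the commit's tab-completion example */
    const char *line = "md kdb_prompt_str 10";

    printf("blank 10 cols -> %zu chars, blank 100 cols -> %zu chars\n",
           blank_written(10), blank_written(100));
    printf("prefix ok: %d\n", left_matches(line, 17, "md kdb_prompt_str"));
    return 0;
}
```

The return value of `snprintf` still reports the full requested width (100 for the second call), so a caller that wants to detect truncation rather than silently clip can compare it against the buffer size.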