~vicamo/+git/ubuntu-kernel:bug-2031412/intel-ipu-iommu-passthrough-for-mtl/mantic
Get this branch:
git clone -b bug-2031412/intel-ipu-iommu-passthrough-for-mtl/mantic https://git.launchpad.net/~vicamo/+git/ubuntu-kernel
Recent commits
- c680277... by Hao Yao

UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO function

BugLink: https://bugs.launchpad.net/bugs/2031412

Handshake pin is used for Lattice MIPI aggregator to enable the
camera sensor. After pulled up, recommend to wait ~250ms to get
everything ready.

Signed-off-by: Hao Yao <email address hidden>
Reviewed-by: Andy Shevchenko <email address hidden>
(cherry-picked from https://<email address hidden>)
Signed-off-by: You-Sheng Yang <email address hidden>

- d85b80e... by You-Sheng Yang

UBUNTU: SAUCE: iommu: intel-ipu: use IOMMU passthrough mode for Intel IPUs on Meteor Lake

BugLink: https://bugs.launchpad.net/bugs/2031412

Signed-off-by: You-Sheng Yang <email address hidden>

- 8ef5689... by Tim Gardner

UBUNTU: [Config] CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

BugLink: https://bugs.launchpad.net/bugs/2019040

Signed-off-by: Tim Gardner <email address hidden>
Acked-by: Andrei Gherzan <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

- 39123de... by Kai-Heng Feng

power: supply: core: Use blocking_notifier_call_chain to avoid RCU complaint

BugLink: https://bugs.launchpad.net/bugs/2036377

AMD PMF driver can cause the following warning:
[ 196.159546] ------------[ cut here ]------------
[ 196.159556] Voluntary context switch within RCU read-side critical section!
[ 196.159571] WARNING: CPU: 0 PID: 9 at kernel/rcu/tree_plugin.h:320 rcu_note_context_switch+0x43d/0x560
[ 196.160382] CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.0-rc1 #4
[ 196.160397] Hardware name: HP HP EliteBook 845 14 inch G10 Notebook PC/8B6E, BIOS V82 Ver. 01.02.00 08/24/2023
[ 196.160405] Workqueue: events power_supply_changed_work
[ 196.160426] RIP: 0010:rcu_note_context_switch+0x43d/0x560
[ 196.160526] Call Trace:
[ 196.160532] <TASK>
[ 196.160548] ? show_regs+0x72/0x90
[ 196.160570] ? rcu_note_context_switch+0x43d/0x560
[ 196.160580] ? __warn+0x8d/0x160
[ 196.160600] ? rcu_note_context_switch+0x43d/0x560
[ 196.160613] ? report_bug+0x1bb/0x1d0
[ 196.160637] ? handle_bug+0x46/0x90
[ 196.160658] ? exc_invalid_op+0x19/0x80
[ 196.160675] ? asm_exc_invalid_op+0x1b/0x20
[ 196.160709] ? rcu_note_context_switch+0x43d/0x560
[ 196.160727] __schedule+0xb9/0x15f0
[ 196.160746] ? srso_alias_return_thunk+0x5/0x7f
[ 196.160765] ? srso_alias_return_thunk+0x5/0x7f
[ 196.160778] ? acpi_ns_search_one_scope+0xbe/0x270
[ 196.160806] schedule+0x68/0x110
[ 196.160820] schedule_timeout+0x151/0x160
[ 196.160829] ? srso_alias_return_thunk+0x5/0x7f
[ 196.160842] ? srso_alias_return_thunk+0x5/0x7f
[ 196.160855] ? acpi_ns_lookup+0x3c5/0xa90
[ 196.160878] __down_common+0xff/0x220
[ 196.160905] __down_timeout+0x16/0x30
[ 196.160920] down_timeout+0x64/0x70
[ 196.160938] acpi_os_wait_semaphore+0x85/0x200
[ 196.160959] acpi_ut_acquire_mutex+0x9e/0x280
[ 196.160979] acpi_ex_enter_interpreter+0x2d/0xb0
[ 196.160992] acpi_ns_evaluate+0x2f0/0x5f0
[ 196.161005] acpi_evaluate_object+0x172/0x490
[ 196.161018] ? acpi_os_signal_semaphore+0x8a/0xd0
[ 196.161038] acpi_evaluate_integer+0x52/0xe0
[ 196.161055] ? kfree+0x79/0x120
[ 196.161071] ? srso_alias_return_thunk+0x5/0x7f
[ 196.161089] acpi_ac_get_state.part.0+0x27/0x80
[ 196.161110] get_ac_property+0x5c/0x70
[ 196.161127] ? __pfx___power_supply_is_system_supplied+0x10/0x10
[ 196.161146] __power_supply_is_system_supplied+0x44/0xb0
[ 196.161166] class_for_each_device+0x124/0x160
[ 196.161184] ? acpi_ac_get_state.part.0+0x27/0x80
[ 196.161203] ? srso_alias_return_thunk+0x5/0x7f
[ 196.161223] power_supply_is_system_supplied+0x3c/0x70
[ 196.161243] amd_pmf_get_power_source+0xe/0x20 [amd_pmf]
[ 196.161276] amd_pmf_power_slider_update_event+0x49/0x90 [amd_pmf]
[ 196.161310] amd_pmf_pwr_src_notify_call+0xe7/0x100 [amd_pmf]
[ 196.161340] notifier_call_chain+0x5f/0xe0
[ 196.161362] atomic_notifier_call_chain+0x33/0x60
[ 196.161378] power_supply_changed_work+0x84/0x110
[ 196.161394] process_one_work+0x178/0x360
[ 196.161412] ? __pfx_worker_thread+0x10/0x10
[ 196.161424] worker_thread+0x307/0x430
[ 196.161440] ? __pfx_worker_thread+0x10/0x10
[ 196.161451] kthread+0xf4/0x130
[ 196.161467] ? __pfx_kthread+0x10/0x10
[ 196.161486] ret_from_fork+0x43/0x70
[ 196.161502] ? __pfx_kthread+0x10/0x10
[ 196.161518] ret_from_fork_asm+0x1b/0x30
[ 196.161558] </TASK>
[ 196.161562] ---[ end trace 0000000000000000 ]---

Since there's no guarantee that all the callbacks can work in atomic
context, switch to use blocking_notifier_call_chain to relax the
constraint.

Signed-off-by: Kai-Heng Feng <email address hidden>
Reported-by: Allen Zhong <email address hidden>
Fixes: 4c71ae414474 ("platform/x86/amd/pmf: Add support SPS PMF feature")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217571
Reviewed-by: Mario Limonciello <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Sebastian Reichel <email address hidden>
(cherry picked from commit bbaa6ffa5b6c9609d3b3c431c389b407eea5441f linux-next)
Signed-off-by: Kai-Heng Feng <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

- 8b71952... by Matteo Rizzo <email address hidden>

io_uring: add a sysctl to disable io_uring system-wide

BugLink: https://bugs.launchpad.net/bugs/2035116

Introduce a new sysctl (io_uring_disabled) which can be either 0, 1, or
2. When 0 (the default), all processes are allowed to create io_uring
instances, which is the current behavior. When 1, io_uring creation is
disabled (io_uring_setup() will fail with -EPERM) for unprivileged
processes not in the kernel.io_uring_group group. When 2, calls to
io_uring_setup() fail with -EPERM regardless of privilege.

Signed-off-by: Matteo Rizzo <email address hidden>
[JEM: modified to add io_uring_group]
Signed-off-by: Jeff Moyer <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Jens Axboe <email address hidden>
(backported from commit 76d3ccecfa186af3120e206d62f03db1a94a535f)
[cascardo: conflict due to missing b97f96e22f051d59d07a527dbd7d90408b661ca8]
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Cengiz Can <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

- 6542ed6... by Kailiang Yang

ALSA: hda/realtek - ALC287 I2S speaker platform support

BugLink: https://bugs.launchpad.net/bugs/2037077

0x17 was only speaker pin, DAC assigned will be 0x03. Headphone
assigned to 0x02.
Playback via headphone will get EQ filter processing. So, it needs to
swap DAC.

Tested-by: Mark Pearson <email address hidden>
Signed-off-by: Kailang Yang <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Takashi Iwai <email address hidden>
(backported from commit e43252db7e207a2e194e6a4883a43a31a776a968)
[ AaronMa: Adjusted for minor context ]
Signed-off-by: Aaron Ma <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

- 9c6c455... by Stefan Bader

UBUNTU: Ubuntu-6.5.0-10.10

Signed-off-by: Stefan Bader <email address hidden>

- 7bc06ca... by Stefan Bader

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/2039204
Properties: no-test-build
Signed-off-by: Stefan Bader <email address hidden>

- c81e7f9... by valis <email address hidden>

net: sched: sch_qfq: Fix UAF in qfq_dequeue()

When the plug qdisc is used as a class of the qfq qdisc it could trigger a
UAF. This issue can be reproduced with following commands:

  tc qdisc add dev lo root handle 1: qfq
  tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
  tc qdisc add dev lo parent 1:1 handle 2: plug
  tc filter add dev lo parent 1: basic classid 1:1
  ping -c1 127.0.0.1

and boom:

[ 285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0
[ 285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144
[ 285.355903]
[ 285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ #4
[ 285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
[ 285.358376] Call Trace:
[ 285.358773] <IRQ>
[ 285.359109] dump_stack_lvl+0x44/0x60
[ 285.359708] print_address_description.constprop.0+0x2c/0x3c0
[ 285.360611] kasan_report+0x10c/0x120
[ 285.361195] ? qfq_dequeue+0xa7/0x7f0
[ 285.361780] qfq_dequeue+0xa7/0x7f0
[ 285.362342] __qdisc_run+0xf1/0x970
[ 285.362903] net_tx_action+0x28e/0x460
[ 285.363502] __do_softirq+0x11b/0x3de
[ 285.364097] do_softirq.part.0+0x72/0x90
[ 285.364721] </IRQ>
[ 285.365072] <TASK>
[ 285.365422] __local_bh_enable_ip+0x77/0x90
[ 285.366079] __dev_queue_xmit+0x95f/0x1550
[ 285.366732] ? __pfx_csum_and_copy_from_iter+0x10/0x10
[ 285.367526] ? __pfx___dev_queue_xmit+0x10/0x10
[ 285.368259] ? __build_skb_around+0x129/0x190
[ 285.368960] ? ip_generic_getfrag+0x12c/0x170
[ 285.369653] ? __pfx_ip_generic_getfrag+0x10/0x10
[ 285.370390] ? csum_partial+0x8/0x20
[ 285.370961] ? raw_getfrag+0xe5/0x140
[ 285.371559] ip_finish_output2+0x539/0xa40
[ 285.372222] ? __pfx_ip_finish_output2+0x10/0x10
[ 285.372954] ip_output+0x113/0x1e0
[ 285.373512] ? __pfx_ip_output+0x10/0x10
[ 285.374130] ? icmp_out_count+0x49/0x60
[ 285.374739] ? __pfx_ip_finish_output+0x10/0x10
[ 285.375457] ip_push_pending_frames+0xf3/0x100
[ 285.376173] raw_sendmsg+0xef5/0x12d0
[ 285.376760] ? do_syscall_64+0x40/0x90
[ 285.377359] ? __static_call_text_end+0x136578/0x136578
[ 285.378173] ? do_syscall_64+0x40/0x90
[ 285.378772] ? kasan_enable_current+0x11/0x20
[ 285.379469] ? __pfx_raw_sendmsg+0x10/0x10
[ 285.380137] ? __sock_create+0x13e/0x270
[ 285.380673] ? __sys_socket+0xf3/0x180
[ 285.381174] ? __x64_sys_socket+0x3d/0x50
[ 285.381725] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 285.382425] ? __rcu_read_unlock+0x48/0x70
[ 285.382975] ? ip4_datagram_release_cb+0xd8/0x380
[ 285.383608] ? __pfx_ip4_datagram_release_cb+0x10/0x10
[ 285.384295] ? preempt_count_sub+0x14/0xc0
[ 285.384844] ? __list_del_entry_valid+0x76/0x140
[ 285.385467] ? _raw_spin_lock_bh+0x87/0xe0
[ 285.386014] ? __pfx__raw_spin_lock_bh+0x10/0x10
[ 285.386645] ? release_sock+0xa0/0xd0
[ 285.387148] ? preempt_count_sub+0x14/0xc0
[ 285.387712] ? freeze_secondary_cpus+0x348/0x3c0
[ 285.388341] ? aa_sk_perm+0x177/0x390
[ 285.388856] ? __pfx_aa_sk_perm+0x10/0x10
[ 285.389441] ? check_stack_object+0x22/0x70
[ 285.390032] ? inet_send_prepare+0x2f/0x120
[ 285.390603] ? __pfx_inet_sendmsg+0x10/0x10
[ 285.391172] sock_sendmsg+0xcc/0xe0
[ 285.391667] __sys_sendto+0x190/0x230
[ 285.392168] ? __pfx___sys_sendto+0x10/0x10
[ 285.392727] ? kvm_clock_get_cycles+0x14/0x30
[ 285.393328] ? set_normalized_timespec64+0x57/0x70
[ 285.393980] ? _raw_spin_unlock_irq+0x1b/0x40
[ 285.394578] ? __x64_sys_clock_gettime+0x11c/0x160
[ 285.395225] ? __pfx___x64_sys_clock_gettime+0x10/0x10
[ 285.395908] ? _copy_to_user+0x3e/0x60
[ 285.396432] ? exit_to_user_mode_prepare+0x1a/0x120
[ 285.397086] ? syscall_exit_to_user_mode+0x22/0x50
[ 285.397734] ? do_syscall_64+0x71/0x90
[ 285.398258] __x64_sys_sendto+0x74/0x90
[ 285.398786] do_syscall_64+0x64/0x90
[ 285.399273] ? exit_to_user_mode_prepare+0x1a/0x120
[ 285.399949] ? syscall_exit_to_user_mode+0x22/0x50
[ 285.400605] ? do_syscall_64+0x71/0x90
[ 285.401124] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 285.410403] </TASK>
[ 285.410704]
[ 285.410929] Allocated by task 144:
[ 285.411402] kasan_save_stack+0x1e/0x40
[ 285.411926] kasan_set_track+0x21/0x30
[ 285.412442] __kasan_slab_alloc+0x55/0x70
[ 285.412973] kmem_cache_alloc_node+0x187/0x3d0
[ 285.413567] __alloc_skb+0x1b4/0x230
[ 285.414060] __ip_append_data+0x17f7/0x1b60
[ 285.414633] ip_append_data+0x97/0xf0
[ 285.415144] raw_sendmsg+0x5a8/0x12d0
[ 285.415640] sock_sendmsg+0xcc/0xe0
[ 285.416117] __sys_sendto+0x190/0x230
[ 285.416626] __x64_sys_sendto+0x74/0x90
[ 285.417145] do_syscall_64+0x64/0x90
[ 285.417624] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 285.418306]
[ 285.418531] Freed by task 144:
[ 285.418960] kasan_save_stack+0x1e/0x40
[ 285.419469] kasan_set_track+0x21/0x30
[ 285.419988] kasan_save_free_info+0x27/0x40
[ 285.420556] ____kasan_slab_free+0x109/0x1a0
[ 285.421146] kmem_cache_free+0x1c2/0x450
[ 285.421680] __netif_receive_skb_core+0x2ce/0x1870
[ 285.422333] __netif_receive_skb_one_core+0x97/0x140
[ 285.423003] process_backlog+0x100/0x2f0
[ 285.423537] __napi_poll+0x5c/0x2d0
[ 285.424023] net_rx_action+0x2be/0x560
[ 285.424510] __do_softirq+0x11b/0x3de
[ 285.425034]
[ 285.425254] The buggy address belongs to the object at ffff8880bad31280
[ 285.425254] which belongs to the cache skbuff_head_cache of size 224
[ 285.426993] The buggy address is located 40 bytes inside of
[ 285.426993] freed 224-byte region [ffff8880bad31280, ffff8880bad31360)
[ 285.428572]
[ 285.438662] Disabling lock debugging due to kernel taint

Fix this by:
1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a
function compatible with non-work-conserving qdiscs
2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq.

Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
Reported-by: valis <email address hidden>
Signed-off-by: valis <email address hidden>
Signed-off-by: Jamal Hadi Salim <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Paolo Abeni <email address hidden>
CVE-2023-4921
(cherry picked from commit 8fc134fee27f2263988ae38920bc03da416b03d8)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

- 12428e5... by Jozsef Kadlecsik <email address hidden>

netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP

Kyle Zeng reported that there is a race between IPSET_CMD_ADD and IPSET_CMD_SWAP
in netfilter/ip_set, which can lead to the invocation of `__ip_set_put` on a
wrong `set`, triggering the `BUG_ON(set->ref == 0);` check in it.

The race is caused by using the wrong reference counter, i.e. the ref counter instead
of ref_netlink.

Fixes: 24e227896bbf ("netfilter: ipset: Add schedule point in call_ad().")
Reported-by: Kyle Zeng <email address hidden>
Closes: https://lore.kernel.org/netfilter-devel/ZPZqetxOmH+w%2Fmyc@westworld/#r
Tested-by: Kyle Zeng <email address hidden>
Signed-off-by: Jozsef Kadlecsik <email address hidden>
Signed-off-by: Florian Westphal <email address hidden>
(cherry picked from commit 7433b6d2afd512d04398c73aa984d1e285be125b)
CVE-2023-42756
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>