Changelog in Linux kernel 4.19.325

 
9p/xen: fix init sequence [+ + +]
Author: Alex Zenla <[email protected]>
Date:   Tue Nov 19 21:16:33 2024 +0000

    9p/xen: fix init sequence
    
    [ Upstream commit 7ef3ae82a6ebbf4750967d1ce43bcdb7e44ff74b ]
    
    Large amount of mount hangs observed during hotplugging of 9pfs devices. The
    9pfs Xen driver attempts to initialize itself more than once, causing the
    frontend and backend to disagree: the backend listens on a channel that the
    frontend does not send on, resulting in stalled processing.
    
    Only allow initialization of 9p frontend once.
    
    Fixes: c15fe55d14b3b ("9p/xen: fix connection sequence")
    Signed-off-by: Alex Zenla <[email protected]>
    Signed-off-by: Alexander Merritt <[email protected]>
    Signed-off-by: Ariadne Conill <[email protected]>
    Reviewed-by: Juergen Gross <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Dominique Martinet <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

9p/xen: fix release of IRQ [+ + +]
Author: Alex Zenla <[email protected]>
Date:   Thu Nov 21 22:51:00 2024 +0000

    9p/xen: fix release of IRQ
    
    [ Upstream commit e43c608f40c065b30964f0a806348062991b802d ]
    
    Kernel logs indicate an IRQ was double-freed.
    
    Pass correct device ID during IRQ release.
    
    Fixes: 71ebd71921e45 ("xen/9pfs: connect to the backend")
    Signed-off-by: Alex Zenla <[email protected]>
    Signed-off-by: Alexander Merritt <[email protected]>
    Signed-off-by: Ariadne Conill <[email protected]>
    Reviewed-by: Juergen Gross <[email protected]>
    Message-ID: <[email protected]>
    [Dominique: remove confusing variable reset to 0]
    Signed-off-by: Dominique Martinet <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block() [+ + +]
Author: Aleksandr Mishin <[email protected]>
Date:   Tue Aug 27 13:12:39 2024 +0300

    acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block()
    
    [ Upstream commit 1a9de2f6fda69d5f105dd8af776856a66abdaa64 ]
    
    In case of error in gtdt_parse_timer_block() invalid 'gtdt_frame'
    will be used in 'do {} while (i-- >= 0 && gtdt_frame--);' statement block
    because do{} block will be executed even if 'i == 0'.
    
    Adjust error handling procedure by replacing 'i-- >= 0' with 'i-- > 0'.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: a712c3ed9b8a ("acpi/arm64: Add memory-mapped timer support in GTDT driver")
    Signed-off-by: Aleksandr Mishin <[email protected]>
    Acked-by: Hanjun Guo <[email protected]>
    Acked-by: Sudeep Holla <[email protected]>
    Acked-by: Aleksandr Mishin <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Catalin Marinas <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ALSA: 6fire: Release resources at card release [+ + +]
Author: Takashi Iwai <[email protected]>
Date:   Wed Nov 13 12:10:39 2024 +0100

    ALSA: 6fire: Release resources at card release
    
    [ Upstream commit a0810c3d6dd2d29a9b92604d682eacd2902ce947 ]
    
    The current 6fire code tries to release the resources right after the
    call of usb6fire_chip_abort().  But at this moment, the card object
    might be still in use (as we're calling snd_card_free_when_closed()).
    
    For avoid potential UAFs, move the release of resources to the card's
    private_free instead of the manual call of usb6fire_chip_destroy() at
    the USB disconnect callback.
    
    Fixes: c6d43ba816d1 ("ALSA: usb/6fire - Driver for TerraTec DMX 6Fire USB")
    Signed-off-by: Takashi Iwai <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

ALSA: caiaq: Use snd_card_free_when_closed() at disconnection [+ + +]
Author: Takashi Iwai <[email protected]>
Date:   Wed Nov 13 12:10:38 2024 +0100

    ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
    
    [ Upstream commit b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c ]
    
    The USB disconnect callback is supposed to be short and not too-long
    waiting.  OTOH, the current code uses snd_card_free() at
    disconnection, but this waits for the close of all used fds, hence it
    can take long.  It eventually blocks the upper layer USB ioctls, which
    may trigger a soft lockup.
    
    An easy workaround is to replace snd_card_free() with
    snd_card_free_when_closed().  This variant returns immediately while
    the release of resources is done asynchronously by the card device
    release at the last close.
    
    This patch also splits the code to the disconnect and the free phases;
    the former is called immediately at the USB disconnect callback while
    the latter is called from the card destructor.
    
    Fixes: 523f1dce3743 ("[ALSA] Add Native Instrument usb audio device support")
    Signed-off-by: Takashi Iwai <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

ALSA: us122l: Use snd_card_free_when_closed() at disconnection [+ + +]
Author: Takashi Iwai <[email protected]>
Date:   Wed Nov 13 12:10:36 2024 +0100

    ALSA: us122l: Use snd_card_free_when_closed() at disconnection
    
    [ Upstream commit b7df09bb348016943f56b09dcaafe221e3f73947 ]
    
    The USB disconnect callback is supposed to be short and not too-long
    waiting.  OTOH, the current code uses snd_card_free() at
    disconnection, but this waits for the close of all used fds, hence it
    can take long.  It eventually blocks the upper layer USB ioctls, which
    may trigger a soft lockup.
    
    An easy workaround is to replace snd_card_free() with
    snd_card_free_when_closed().  This variant returns immediately while
    the release of resources is done asynchronously by the card device
    release at the last close.
    
    The loop of us122l->mmap_count check is dropped as well.  The check is
    useless for the asynchronous operation with *_when_closed().
    
    Fixes: 030a07e44129 ("ALSA: Add USB US122L driver")
    Signed-off-by: Takashi Iwai <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices [+ + +]
Author: Benoît Sevens <[email protected]>
Date:   Wed Nov 20 12:41:44 2024 +0000

    ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices
    
    commit b909df18ce2a998afef81d58bbd1a05dc0788c40 upstream.
    
    A bogus device can provide a bNumConfigurations value that exceeds the
    initial value used in usb_get_configuration for allocating dev->config.
    
    This can lead to out-of-bounds accesses later, e.g. in
    usb_destroy_configuration.
    
    Signed-off-by: Benoît Sevens <[email protected]>
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: [email protected]
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
apparmor: fix 'Do simple duplicate message elimination' [+ + +]
Author: chao liu <[email protected]>
Date:   Tue Jun 27 10:03:16 2023 +0800

    apparmor: fix 'Do simple duplicate message elimination'
    
    [ Upstream commit 9b897132424fe76bf6c61f22f9cf12af7f1d1e6a ]
    
    Multiple profiles shared 'ent->caps', so some logs missed.
    
    Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects")
    Signed-off-by: chao liu <[email protected]>
    Signed-off-by: John Johansen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled [+ + +]
Author: Will Deacon <[email protected]>
Date:   Thu Nov 14 09:53:32 2024 +0000

    arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled
    
    commit 67ab51cbdfee02ef07fb9d7d14cc0bf6cb5a5e5c upstream.
    
    Commit 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of
    tpidrro_el0 for native tasks") tried to optimise the context switching
    of tpidrro_el0 by eliding the clearing of the register when switching
    to a native task with kpti enabled, on the erroneous assumption that
    the kpti trampoline entry code would already have taken care of the
    write.
    
    Although the kpti trampoline does zero the register on entry from a
    native task, the check in tls_thread_switch() is on the *next* task and
    so we can end up leaving a stale, non-zero value in the register if the
    previous task was 32-bit.
    
    Drop the broken optimisation and zero tpidrro_el0 unconditionally when
    switching to a native 64-bit task.
    
    Cc: Mark Rutland <[email protected]>
    Cc: [email protected]
    Fixes: 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks")
    Signed-off-by: Will Deacon <[email protected]>
    Acked-by: Mark Rutland <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Catalin Marinas <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ARM: dts: cubieboard4: Fix DCDC5 regulator constraints [+ + +]
Author: Andre Przywara <[email protected]>
Date:   Mon Oct 7 23:29:16 2024 +0100

    ARM: dts: cubieboard4: Fix DCDC5 regulator constraints
    
    [ Upstream commit dd36ad71ad65968f97630808bc8d605c929b128e ]
    
    The DCDC5 voltage rail in the X-Powers AXP809 PMIC has a resolution of
    50mV, so the currently enforced limits of 1.475 and 1.525 volts cannot
    be set, when the existing regulator value is beyond this range.
    
    This will lead to the whole regulator driver to give up and fail
    probing, which in turn will hang the system, as essential devices depend
    on the PMIC.
    In this case a bug in U-Boot set the voltage to 1.75V (meant for DCDC4),
    and the AXP driver's attempt to correct this lead to this error:
    ==================
    [    4.447653] axp20x-rsb sunxi-rsb-3a3: AXP20X driver loaded
    [    4.450066] vcc-dram: Bringing 1750000uV into 1575000-1575000uV
    [    4.460272] vcc-dram: failed to apply 1575000-1575000uV constraint: -EINVAL
    [    4.474788] axp20x-regulator axp20x-regulator.0: Failed to register dcdc5
    [    4.482276] axp20x-regulator axp20x-regulator.0: probe with driver axp20x-regulator failed with error -22
    ==================
    
    Set the limits to values that can be programmed, so any correction will
    be successful.
    
    Signed-off-by: Andre Przywara <[email protected]>
    Fixes: 1e1dea72651b ("ARM: dts: sun9i: cubieboard4: Add AXP809 PMIC device node and regulators")
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Chen-Yu Tsai <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata() [+ + +]
Author: Qiu-ji Chen <[email protected]>
Date:   Mon Sep 30 18:12:16 2024 +0800

    ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata()
    
    commit 1157733344651ca505e259d6554591ff156922fa upstream.
    
    An atomicity violation occurs when the validity of the variables
    da7219->clk_src and da7219->mclk_rate is being assessed. Since the entire
    assessment is not protected by a lock, the da7219 variable might still be
    in flux during the assessment, rendering this check invalid.
    
    To fix this issue, we recommend adding a lock before the block
    if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) so that
    the legitimacy check for da7219->clk_src and da7219->mclk_rate is
    protected by the lock, ensuring the validity of the check.
    
    This possible bug is found by an experimental static analysis tool
    developed by our team. This tool analyzes the locking APIs
    to extract function pairs that can be concurrently executed, and then
    analyzes the instructions in the paired functions to identify possible
    concurrency bugs including data races and atomicity violations.
    
    Fixes: 6d817c0e9fd7 ("ASoC: codecs: Add da7219 codec driver")
    Cc: [email protected]
    Signed-off-by: Qiu-ji Chen <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet [+ + +]
Author: Hans de Goede <[email protected]>
Date:   Thu Oct 24 23:16:15 2024 +0200

    ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet
    
    [ Upstream commit 0107f28f135231da22a9ad5756bb16bd5cada4d5 ]
    
    The Vexia Edu Atla 10 tablet mostly uses the BYTCR tablet defaults,
    but as happens on more models it is using IN1 instead of IN3 for
    its internal mic and JD_SRC_JD2_IN4N instead of JD_SRC_JD1_IN4P
    for jack-detection.
    
    Add a DMI quirk for this to fix the internal-mic and jack-detection.
    
    Signed-off-by: Hans de Goede <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
block: fix ordering between checking BLK_MQ_S_STOPPED request adding [+ + +]
Author: Muchun Song <[email protected]>
Date:   Mon Oct 14 17:29:34 2024 +0800

    block: fix ordering between checking BLK_MQ_S_STOPPED request adding
    
    commit 96a9fe64bfd486ebeeacf1e6011801ffe89dae18 upstream.
    
    Supposing first scenario with a virtio_blk driver.
    
    CPU0                        CPU1
    
    blk_mq_try_issue_directly()
      __blk_mq_issue_directly()
        q->mq_ops->queue_rq()
          virtio_queue_rq()
            blk_mq_stop_hw_queue()
                                virtblk_done()
      blk_mq_request_bypass_insert()  1) store
                                  blk_mq_start_stopped_hw_queue()
                                    clear_bit(BLK_MQ_S_STOPPED)       3) store
                                    blk_mq_run_hw_queue()
                                      if (!blk_mq_hctx_has_pending()) 4) load
                                        return
                                      blk_mq_sched_dispatch_requests()
      blk_mq_run_hw_queue()
        if (!blk_mq_hctx_has_pending())
          return
        blk_mq_sched_dispatch_requests()
          if (blk_mq_hctx_stopped())  2) load
            return
          __blk_mq_sched_dispatch_requests()
    
    Supposing another scenario.
    
    CPU0                        CPU1
    
    blk_mq_requeue_work()
      blk_mq_insert_request() 1) store
                                virtblk_done()
                                  blk_mq_start_stopped_hw_queue()
      blk_mq_run_hw_queues()        clear_bit(BLK_MQ_S_STOPPED)       3) store
                                    blk_mq_run_hw_queue()
                                      if (!blk_mq_hctx_has_pending()) 4) load
                                        return
                                      blk_mq_sched_dispatch_requests()
        if (blk_mq_hctx_stopped())  2) load
          continue
        blk_mq_run_hw_queue()
    
    Both scenarios are similar, the full memory barrier should be inserted
    between 1) and 2), as well as between 3) and 4) to make sure that either
    CPU0 sees BLK_MQ_S_STOPPED is cleared or CPU1 sees dispatch list.
    Otherwise, either CPU will not rerun the hardware queue causing
    starvation of the request.
    
    The easy way to fix it is to add the essential full memory barrier into
    helper of blk_mq_hctx_stopped(). In order to not affect the fast path
    (hardware queue is not stopped most of the time), we only insert the
    barrier into the slow path. Actually, only slow path needs to care about
    missing of dispatching the request to the low-level device driver.
    
    Fixes: 320ae51feed5 ("blk-mq: new multi-queue block IO queueing mechanism")
    Cc: [email protected]
    Cc: Muchun Song <[email protected]>
    Signed-off-by: Muchun Song <[email protected]>
    Reviewed-by: Ming Lei <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

block: return unsigned int from bdev_io_min [+ + +]
Author: Christoph Hellwig <[email protected]>
Date:   Tue Nov 19 08:26:02 2024 +0100

    block: return unsigned int from bdev_io_min
    
    [ Upstream commit 46fd48ab3ea3eb3bb215684bd66ea3d260b091a9 ]
    
    The underlying limit is defined as an unsigned int, so return that from
    bdev_io_min as well.
    
    Fixes: ac481c20ef8f ("block: Topology ioctls")
    Signed-off-by: Christoph Hellwig <[email protected]>
    Reviewed-by: Martin K. Petersen <[email protected]>
    Reviewed-by: John Garry <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}() [+ + +]
Author: Andrej Shadura <[email protected]>
Date:   Wed Oct 9 14:14:24 2024 +0200

    Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}()
    
    commit 5fe6caa62b07fd39cd6a28acc8f92ba2955e11a6 upstream.
    
    Commit 9bf4e919ccad worked around an issue introduced after an innocuous
    optimisation change in LLVM main:
    
    > len is defined as an 'int' because it is assigned from
    > '__user int *optlen'. However, it is clamped against the result of
    > sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit
    > platforms). This is done with min_t() because min() requires compatible
    > types, which results in both len and the result of sizeof() being casted
    > to 'unsigned int', meaning len changes signs and the result of sizeof()
    > is truncated. From there, len is passed to copy_to_user(), which has a
    > third parameter type of 'unsigned long', so it is widened and changes
    > signs again. This excessive casting in combination with the KCSAN
    > instrumentation causes LLVM to fail to eliminate the __bad_copy_from()
    > call, failing the build.
    
    The same issue occurs in rfcomm in functions rfcomm_sock_getsockopt and
    rfcomm_sock_getsockopt_old.
    
    Change the type of len to size_t in both rfcomm_sock_getsockopt and
    rfcomm_sock_getsockopt_old and replace min_t() with min().
    
    Cc: [email protected]
    Co-authored-by: Aleksei Vetrov <[email protected]>
    Improves: 9bf4e919ccad ("Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()")
    Link: https://github.com/ClangBuiltLinux/linux/issues/2007
    Link: https://github.com/llvm/llvm-project/issues/85647
    Signed-off-by: Andrej Shadura <[email protected]>
    Reviewed-by: Nathan Chancellor <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
bpf: Fix the xdp_adjust_tail sample prog issue [+ + +]
Author: Yuan Chen <[email protected]>
Date:   Mon Sep 30 10:41:15 2024 +0800

    bpf: Fix the xdp_adjust_tail sample prog issue
    
    [ Upstream commit 4236f114a3ffbbfd217436c08852e94cae372f57 ]
    
    During the xdp_adjust_tail test, probabilistic failure occurs and SKB package
    is discarded by the kernel. After checking the issues by tracking SKB package,
    it is identified that they were caused by checksum errors. Refer to checksum
    of the arch/arm64/include/asm/checksum.h for fixing.
    
    v2: Based on Alexei Starovoitov's suggestions, it is necessary to keep the code
     implementation consistent.
    
    Fixes: c6ffd1ff7856 (bpf: add bpf_xdp_adjust_tail sample prog)
    Signed-off-by: Yuan Chen <[email protected]>
    Signed-off-by: Andrii Nakryiko <[email protected]>
    Link: https://lore.kernel.org/bpf/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
clk: axi-clkgen: use devm_platform_ioremap_resource() short-hand [+ + +]
Author: Alexandru Ardelean <[email protected]>
Date:   Mon Feb 1 17:12:45 2021 +0200

    clk: axi-clkgen: use devm_platform_ioremap_resource() short-hand
    
    [ Upstream commit 6ba7ea7630fb03c1ce01508bdf89f5bb39b38e54 ]
    
    No major functional change. Noticed while checking the driver code that
    this could be used.
    Saves two lines.
    
    Signed-off-by: Alexandru Ardelean <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Stephen Boyd <[email protected]>
    Stable-dep-of: c64ef7e4851d ("clk: clk-axi-clkgen: make sure to enable the AXI bus clock")
    Signed-off-by: Sasha Levin <[email protected]>

clk: clk-axi-clkgen: make sure to enable the AXI bus clock [+ + +]
Author: Nuno Sa <[email protected]>
Date:   Tue Oct 29 14:59:42 2024 +0100

    clk: clk-axi-clkgen: make sure to enable the AXI bus clock
    
    [ Upstream commit c64ef7e4851d1a9abbb7f7833e4936973ac5ba79 ]
    
    In order to access the registers of the HW, we need to make sure that
    the AXI bus clock is enabled. Hence let's increase the number of clocks
    by one.
    
    In order to keep backward compatibility and make sure old DTs still work
    we check if clock-names is available or not. If it is, then we can
    disambiguate between really having the AXI clock or a parent clock and
    so we can enable the bus clock. If not, we fallback to what was done
    before and don't explicitly enable the AXI bus clock.
    
    Note that if clock-names is given, the axi clock must be the last one in
    the phandle array (also enforced in the DT bindings) so that we can reuse
    as much code as possible.
    
    Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver")
    Signed-off-by: Nuno Sa <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Stephen Boyd <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
cpufreq: loongson2: Unregister platform_driver on failure [+ + +]
Author: Yuan Can <[email protected]>
Date:   Wed Oct 16 17:06:15 2024 +0800

    cpufreq: loongson2: Unregister platform_driver on failure
    
    [ Upstream commit 5f856d71ccdf89b4bac0ff70ebb0bb582e7f7f18 ]
    
    When cpufreq_register_driver() returns error, the cpufreq_init() returns
    without unregister platform_driver, fix by add missing
    platform_driver_unregister() when cpufreq_register_driver() failed.
    
    Fixes: f8ede0f700f5 ("MIPS: Loongson 2F: Add CPU frequency scaling support")
    Signed-off-by: Yuan Can <[email protected]>
    Signed-off-by: Viresh Kumar <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
crypto: bcm - add error check in the ahash_hmac_init function [+ + +]
Author: Chen Ridong <[email protected]>
Date:   Mon Nov 4 12:17:45 2024 +0000

    crypto: bcm - add error check in the ahash_hmac_init function
    
    [ Upstream commit 19630cf57233e845b6ac57c9c969a4888925467b ]
    
    The ahash_init functions may return fails. The ahash_hmac_init should
    not return ok when ahash_init returns error. For an example, ahash_init
    will return -ENOMEM when allocation memory is error.
    
    Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
    Signed-off-by: Chen Ridong <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() [+ + +]
Author: Christophe JAILLET <[email protected]>
Date:   Fri Nov 8 18:22:27 2024 +0100

    crypto: cavium - Fix an error handling path in cpt_ucode_load_fw()
    
    [ Upstream commit 572b7cf08403b6c67dfe0dc3e0f2efb42443254f ]
    
    If do_cpt_init() fails, a previous dma_alloc_coherent() call needs to be
    undone.
    
    Add the needed dma_free_coherent() before returning.
    
    Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
    Signed-off-by: Christophe JAILLET <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

crypto: cavium - Fix the if condition to exit loop after timeout [+ + +]
Author: Everest K.C <[email protected]>
Date:   Fri Oct 18 10:23:10 2024 -0600

    crypto: cavium - Fix the if condition to exit loop after timeout
    
    [ Upstream commit 53d91ca76b6c426c546542a44c78507b42008c9e ]
    
    The while loop breaks in the first run because of incorrect
    if condition. It also causes the statements after the if to
    appear dead.
    Fix this by changing the condition from if(timeout--) to
    if(!timeout--).
    
    This bug was reported by Coverity Scan.
    Report:
    CID 1600859: (#1 of 1): Logically dead code (DEADCODE)
    dead_error_line: Execution cannot reach this statement: udelay(30UL);
    
    Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
    Signed-off-by: Everest K.C. <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY [+ + +]
Author: Yi Yang <[email protected]>
Date:   Tue Oct 15 02:09:35 2024 +0000

    crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY
    
    [ Upstream commit 662f2f13e66d3883b9238b0b96b17886179e60e2 ]
    
    Since commit 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for
    PADATA_RESET"), the pcrypt encryption and decryption operations return
    -EAGAIN when the CPU goes online or offline. In alg_test(), a WARN is
    generated when pcrypt_aead_decrypt() or pcrypt_aead_encrypt() returns
    -EAGAIN, the unnecessary panic will occur when panic_on_warn set 1.
    Fix this issue by calling crypto layer directly without parallelization
    in that case.
    
    Fixes: 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for PADATA_RESET")
    Signed-off-by: Yi Yang <[email protected]>
    Signed-off-by: Herbert Xu <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/etnaviv: consolidate hardware fence handling in etnaviv_gpu [+ + +]
Author: Lucas Stach <[email protected]>
Date:   Mon Nov 5 18:12:39 2018 +0100

    drm/etnaviv: consolidate hardware fence handling in etnaviv_gpu
    
    [ Upstream commit 3283ee771c88bdf28d427b7ff0831a13213a812c ]
    
    This is the only place in the driver that should have to deal with
    the raw hardware fences. To avoid any further confusion, consolidate
    the fence handling in this file and remove any traces of this from
    the header files.
    
    Signed-off-by: Lucas Stach <[email protected]>
    Reviewed-by: Philipp Zabel <[email protected]>
    Stable-dep-of: 37dc4737447a ("drm/etnaviv: hold GPU lock across perfmon sampling")
    Signed-off-by: Sasha Levin <[email protected]>

drm/etnaviv: dump: fix sparse warnings [+ + +]
Author: Marc Kleine-Budde <[email protected]>
Date:   Wed Dec 23 20:51:10 2020 +0100

    drm/etnaviv: dump: fix sparse warnings
    
    [ Upstream commit 03a2753936e85beb8239fd20ae3fb2ce90209212 ]
    
    This patch fixes the following sparse warnings, by adding the missing endianess
    conversion functions.
    
    | etnaviv/etnaviv_dump.c:78:26: warning: restricted __le32 degrades to integer
    | etnaviv/etnaviv_dump.c:88:26: warning: incorrect type in assignment (different base types)
    | etnaviv/etnaviv_dump.c:88:26:    expected restricted __le32 [usertype] reg
    | etnaviv/etnaviv_dump.c:88:26:    got unsigned short const
    | etnaviv/etnaviv_dump.c:89:28: warning: incorrect type in assignment (different base types)
    | etnaviv/etnaviv_dump.c:89:28:    expected restricted __le32 [usertype] value
    | etnaviv/etnaviv_dump.c:89:28:    got unsigned int
    | etnaviv/etnaviv_dump.c:210:43: warning: incorrect type in assignment (different base types)
    | etnaviv/etnaviv_dump.c:210:43:    expected restricted __le32
    | etnaviv/etnaviv_dump.c:210:43:    got long
    
    Signed-off-by: Marc Kleine-Budde <[email protected]>
    Signed-off-by: Lucas Stach <[email protected]>
    Stable-dep-of: 37dc4737447a ("drm/etnaviv: hold GPU lock across perfmon sampling")
    Signed-off-by: Sasha Levin <[email protected]>

drm/etnaviv: fix power register offset on GC300 [+ + +]
Author: Doug Brown <[email protected]>
Date:   Sat Sep 10 13:29:39 2022 -0700

    drm/etnaviv: fix power register offset on GC300
    
    [ Upstream commit 61a6920bb604df3a0e389a2a9479e1e233e4461d ]
    
    Older GC300 revisions have their power registers at an offset of 0x200
    rather than 0x100. Add new gpu_read_power and gpu_write_power functions
    to encapsulate accesses to the power addresses and fix the addresses.
    
    Signed-off-by: Doug Brown <[email protected]>
    Signed-off-by: Lucas Stach <[email protected]>
    Stable-dep-of: 37dc4737447a ("drm/etnaviv: hold GPU lock across perfmon sampling")
    Signed-off-by: Sasha Levin <[email protected]>

drm/etnaviv: hold GPU lock across perfmon sampling [+ + +]
Author: Lucas Stach <[email protected]>
Date:   Fri Jul 5 22:00:09 2024 +0200

    drm/etnaviv: hold GPU lock across perfmon sampling
    
    [ Upstream commit 37dc4737447a7667f8e9ec790dac251da057eb27 ]
    
    The perfmon sampling mutates shared GPU state (e.g. VIVS_HI_CLOCK_CONTROL
    to select the pipe for the perf counter reads). To avoid clashing with
    other functions mutating the same state (e.g. etnaviv_gpu_update_clock)
    the perfmon sampling needs to hold the GPU lock.
    
    Fixes: 68dc0b295dcb ("drm/etnaviv: use 'sync points' for performance monitor requests")
    Reviewed-by: Christian Gmeiner <[email protected]>
    Signed-off-by: Lucas Stach <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused [+ + +]
Author: Andy Shevchenko <[email protected]>
Date:   Thu Aug 29 18:46:40 2024 +0300

    drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused
    
    [ Upstream commit 53bd7c1c0077db533472ae32799157758302ef48 ]
    
    The INTERVAL_TREE_DEFINE() uncoditionally provides a bunch of helper
    functions which in some cases may be not used. This, in particular,
    prevents kernel builds with clang, `make W=1` and CONFIG_WERROR=y:
    
    .../drm/drm_mm.c:152:1: error: unused function 'drm_mm_interval_tree_insert' [-Werror,-Wunused-function]
      152 | INTERVAL_TREE_DEFINE(struct drm_mm_node, rb,
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      153 |                      u64, __subtree_last,
          |                      ~~~~~~~~~~~~~~~~~~~~
      154 |                      START, LAST, static inline, drm_mm_interval_tree)
          |                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Fix this by marking drm_mm_interval_tree*() functions with __maybe_unused.
    
    See also commit 6863f5643dd7 ("kbuild: allow Clang to find unused static
    inline functions for W=1 build").
    
    Fixes: 202b52b7fbf7 ("drm: Track drm_mm nodes with an interval tree")
    Signed-off-by: Andy Shevchenko <[email protected]>
    Reviewed-by: Jani Nikula <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Jani Nikula <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/omap: Fix locking in omap_gem_new_dmabuf() [+ + +]
Author: Tomi Valkeinen <[email protected]>
Date:   Tue Aug 6 16:50:29 2024 +0300

    drm/omap: Fix locking in omap_gem_new_dmabuf()
    
    [ Upstream commit e6a1c4037227539373c8cf484ace83833e2ad6a2 ]
    
    omap_gem_new_dmabuf() creates the new gem object, and then takes and
    holds the omap_obj->lock for the rest of the function. This has two
    issues:
    
    - omap_gem_free_object(), which is called in the error paths, also takes
      the same lock, leading to deadlock
    - Even if the above wouldn't happen, in the error cases
      omap_gem_new_dmabuf() still unlocks omap_obj->lock, even after the
      omap_obj has already been freed.
    
    Furthermore, I don't think there's any reason to take the lock at all,
    as the object was just created and not yet shared with anyone else.
    
    To fix all this, drop taking the lock.
    
    Fixes: 3cbd0c587b12 ("drm/omap: gem: Replace struct_mutex usage with omap_obj private lock")
    Reported-by: Dan Carpenter <[email protected]>
    Closes: https://lore.kernel.org/all/[email protected]/
    Reviewed-by: Sebastian Reichel <[email protected]>
    Signed-off-by: Tomi Valkeinen <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
dt-bindings: clock: adi,axi-clkgen: convert old binding to yaml format [+ + +]
Author: Alexandru Ardelean <[email protected]>
Date:   Tue Oct 13 17:34:20 2020 +0300

    dt-bindings: clock: adi,axi-clkgen: convert old binding to yaml format
    
    [ Upstream commit bd91abb218e0ac4a7402d6c25d383e2a706bb511 ]
    
    This change converts the old binding for the AXI clkgen driver to a yaml
    format.
    
    As maintainers, added:
     - Lars-Peter Clausen <[email protected]> - as original author of driver &
       binding
     - Michael Hennerich <[email protected]> - as supporter of
       Analog Devices drivers
    
    Acked-by: Michael Hennerich <[email protected]>
    Acked-by: Lars-Peter Clausen <[email protected]>
    Signed-off-by: Alexandru Ardelean <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Rob Herring <[email protected]>
    Signed-off-by: Stephen Boyd <[email protected]>
    Stable-dep-of: 47f3f5a82a31 ("dt-bindings: clock: axi-clkgen: include AXI clk")
    Signed-off-by: Sasha Levin <[email protected]>

dt-bindings: clock: axi-clkgen: include AXI clk [+ + +]
Author: Nuno Sa <[email protected]>
Date:   Tue Oct 29 14:59:41 2024 +0100

    dt-bindings: clock: axi-clkgen: include AXI clk
    
    [ Upstream commit 47f3f5a82a31527e027929c5cec3dd1ef5ef30f5 ]
    
    In order to access the registers of the HW, we need to make sure that
    the AXI bus clock is enabled. Hence let's increase the number of clocks
    by one and add clock-names to differentiate between parent clocks and
    the bus clock.
    
    Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver")
    Signed-off-by: Nuno Sa <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Conor Dooley <[email protected]>
    Signed-off-by: Stephen Boyd <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
EDAC/fsl_ddr: Fix bad bit shift operations [+ + +]
Author: Priyanka Singh <[email protected]>
Date:   Wed Oct 16 16:31:11 2024 -0400

    EDAC/fsl_ddr: Fix bad bit shift operations
    
    [ Upstream commit 9ec22ac4fe766c6abba845290d5139a3fbe0153b ]
    
    Fix undefined behavior caused by left-shifting a negative value in the
    expression:
    
        cap_high ^ (1 << (bad_data_bit - 32))
    
    The variable bad_data_bit ranges from 0 to 63. When it is less than 32,
    bad_data_bit - 32 becomes negative, and left-shifting by a negative
    value in C is undefined behavior.
    
    Fix this by combining cap_high and cap_low into a 64-bit variable.
    
      [ bp: Massage commit message, simplify error bits handling. ]
    
    Fixes: ea2eb9a8b620 ("EDAC, fsl-ddr: Separate FSL DDR driver from MPC85xx")
    Signed-off-by: Priyanka Singh <[email protected]>
    Signed-off-by: Li Yang <[email protected]>
    Signed-off-by: Frank Li <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
ext4: fix FS_IOC_GETFSMAP handling [+ + +]
Author: Theodore Ts'o <[email protected]>
Date:   Wed Oct 23 00:25:37 2024 -0400

    ext4: fix FS_IOC_GETFSMAP handling
    
    commit 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 upstream.
    
    The original implementation ext4's FS_IOC_GETFSMAP handling only
    worked when the range of queried blocks included at least one free
    (unallocated) block range.  This is because how the metadata blocks
    were emitted was as a side effect of ext4_mballoc_query_range()
    calling ext4_getfsmap_datadev_helper(), and that function was only
    called when a free block range was identified.  As a result, this
    caused generic/365 to fail.
    
    Fix this by creating a new function ext4_getfsmap_meta_helper() which
    gets called so that blocks before the first free block range in a
    block group can get properly reported.
    
    Signed-off-by: Theodore Ts'o <[email protected]>
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ext4: supress data-race warnings in ext4_free_inodes_{count,set}() [+ + +]
Author: Jeongjun Park <[email protected]>
Date:   Thu Oct 3 21:53:37 2024 +0900

    ext4: supress data-race warnings in ext4_free_inodes_{count,set}()
    
    commit 902cc179c931a033cd7f4242353aa2733bf8524c upstream.
    
    find_group_other() and find_group_orlov() read *_lo, *_hi with
    ext4_free_inodes_count without additional locking. This can cause
    data-race warning, but since the lock is held for most writes and free
    inodes value is generally not a problem even if it is incorrect, it is
    more appropriate to use READ_ONCE()/WRITE_ONCE() than to add locking.
    
    ==================================================================
    BUG: KCSAN: data-race in ext4_free_inodes_count / ext4_free_inodes_set
    
    write to 0xffff88810404300e of 2 bytes by task 6254 on cpu 1:
     ext4_free_inodes_set+0x1f/0x80 fs/ext4/super.c:405
     __ext4_new_inode+0x15ca/0x2200 fs/ext4/ialloc.c:1216
     ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391
     vfs_symlink+0xca/0x1d0 fs/namei.c:4615
     do_symlinkat+0xe3/0x340 fs/namei.c:4641
     __do_sys_symlinkat fs/namei.c:4657 [inline]
     __se_sys_symlinkat fs/namei.c:4654 [inline]
     __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654
     x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    read to 0xffff88810404300e of 2 bytes by task 6257 on cpu 0:
     ext4_free_inodes_count+0x1c/0x80 fs/ext4/super.c:349
     find_group_other fs/ext4/ialloc.c:594 [inline]
     __ext4_new_inode+0x6ec/0x2200 fs/ext4/ialloc.c:1017
     ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391
     vfs_symlink+0xca/0x1d0 fs/namei.c:4615
     do_symlinkat+0xe3/0x340 fs/namei.c:4641
     __do_sys_symlinkat fs/namei.c:4657 [inline]
     __se_sys_symlinkat fs/namei.c:4654 [inline]
     __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654
     x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    Cc: [email protected]
    Signed-off-by: Jeongjun Park <[email protected]>
    Reviewed-by: Andreas Dilger <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Theodore Ts'o <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
fbdev/sh7760fb: Alloc DMA memory from hardware device [+ + +]
Author: Thomas Zimmermann <[email protected]>
Date:   Tue Jun 13 13:07:02 2023 +0200

    fbdev/sh7760fb: Alloc DMA memory from hardware device
    
    [ Upstream commit 8404e56f4bc1d1a65bfc98450ba3dae5e653dda1 ]
    
    Pass the hardware device to the DMA helpers dma_alloc_coherent() and
    dma_free_coherent(). The fbdev device that is currently being used is
    a software device and does not provide DMA memory. Also update the
    related dev_*() output statements similarly.
    
    Signed-off-by: Thomas Zimmermann <[email protected]>
    Reviewed-by: Javier Martinez Canillas <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Stable-dep-of: f89d17ae2ac4 ("fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()")
    Signed-off-by: Sasha Levin <[email protected]>

 
fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() [+ + +]
Author: Zhen Lei <[email protected]>
Date:   Sat Oct 26 11:56:34 2024 +0800

    fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()
    
    [ Upstream commit f89d17ae2ac42931be2a0153fecbf8533280c927 ]
    
    When information such as info->screen_base is not ready, calling
    sh7760fb_free_mem() does not release memory correctly. Call
    dma_free_coherent() instead.
    
    Fixes: 4a25e41831ee ("video: sh7760fb: SH7760/SH7763 LCDC framebuffer driver")
    Signed-off-by: Zhen Lei <[email protected]>
    Reviewed-by: Dmitry Baryshkov <[email protected]>
    Signed-off-by: Helge Deller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
firmware: arm_scpi: Check the DVFS OPP count returned by the firmware [+ + +]
Author: Luo Qiu <[email protected]>
Date:   Fri Nov 1 11:21:15 2024 +0800

    firmware: arm_scpi: Check the DVFS OPP count returned by the firmware
    
    [ Upstream commit 109aa654f85c5141e813b2cd1bd36d90be678407 ]
    
    Fix a kernel crash with the below call trace when the SCPI firmware
    returns OPP count of zero.
    
    dvfs_info.opp_count may be zero on some platforms during the reboot
    test, and the kernel will crash after dereferencing the pointer to
    kcalloc(info->count, sizeof(*opp), GFP_KERNEL).
    
      |  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
      |  Mem abort info:
      |    ESR = 0x96000004
      |    Exception class = DABT (current EL), IL = 32 bits
      |    SET = 0, FnV = 0
      |    EA = 0, S1PTW = 0
      |  Data abort info:
      |    ISV = 0, ISS = 0x00000004
      |    CM = 0, WnR = 0
      |  user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000faefa08c
      |  [0000000000000028] pgd=0000000000000000
      |  Internal error: Oops: 96000004 [#1] SMP
      |  scpi-hwmon: probe of PHYT000D:00 failed with error -110
      |  Process systemd-udevd (pid: 1701, stack limit = 0x00000000aaede86c)
      |  CPU: 2 PID: 1701 Comm: systemd-udevd Not tainted 4.19.90+ #1
      |  Hardware name: PHYTIUM LTD Phytium FT2000/4/Phytium FT2000/4, BIOS
      |  pstate: 60000005 (nZCv daif -PAN -UAO)
      |  pc : scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi]
      |  lr : clk_register+0x438/0x720
      |  Call trace:
      |   scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi]
      |   devm_clk_hw_register+0x50/0xa0
      |   scpi_clk_ops_init.isra.2+0xa0/0x138 [clk_scpi]
      |   scpi_clocks_probe+0x528/0x70c [clk_scpi]
      |   platform_drv_probe+0x58/0xa8
      |   really_probe+0x260/0x3d0
      |   driver_probe_device+0x12c/0x148
      |   device_driver_attach+0x74/0x98
      |   __driver_attach+0xb4/0xe8
      |   bus_for_each_dev+0x88/0xe0
      |   driver_attach+0x30/0x40
      |   bus_add_driver+0x178/0x2b0
      |   driver_register+0x64/0x118
      |   __platform_driver_register+0x54/0x60
      |   scpi_clocks_driver_init+0x24/0x1000 [clk_scpi]
      |   do_one_initcall+0x54/0x220
      |   do_init_module+0x54/0x1c8
      |   load_module+0x14a4/0x1668
      |   __se_sys_finit_module+0xf8/0x110
      |   __arm64_sys_finit_module+0x24/0x30
      |   el0_svc_common+0x78/0x170
      |   el0_svc_handler+0x38/0x78
      |   el0_svc+0x8/0x340
      |  Code: 937d7c00 a94153f3 a8c27bfd f9400421 (b8606820)
      |  ---[ end trace 06feb22469d89fa8 ]---
      |  Kernel panic - not syncing: Fatal exception
      |  SMP: stopping secondary CPUs
      |  Kernel Offset: disabled
      |  CPU features: 0x10,a0002008
      |  Memory Limit: none
    
    Fixes: 8cb7cf56c9fe ("firmware: add support for ARM System Control and Power Interface(SCPI) protocol")
    Signed-off-by: Luo Qiu <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Sudeep Holla <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
hfsplus: don't query the device logical block size multiple times [+ + +]
Author: Thadeu Lima de Souza Cascardo <[email protected]>
Date:   Thu Nov 7 08:41:09 2024 -0300

    hfsplus: don't query the device logical block size multiple times
    
    [ Upstream commit 1c82587cb57687de3f18ab4b98a8850c789bedcf ]
    
    Devices block sizes may change. One of these cases is a loop device by
    using ioctl LOOP_SET_BLOCK_SIZE.
    
    While this may cause other issues like IO being rejected, in the case of
    hfsplus, it will allocate a block by using that size and potentially write
    out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the
    latter function reads a different io_size.
    
    Using a new min_io_size initally set to sb_min_blocksize works for the
    purposes of the original fix, since it will be set to the max between
    HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the
    max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not
    initialized.
    
    Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024
    and 4096.
    
    The produced KASAN report before the fix looks like this:
    
    [  419.944641] ==================================================================
    [  419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a
    [  419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678
    [  419.947612]
    [  419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84
    [  419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
    [  419.950035] Call Trace:
    [  419.950384]  <TASK>
    [  419.950676]  dump_stack_lvl+0x57/0x78
    [  419.951212]  ? hfsplus_read_wrapper+0x659/0xa0a
    [  419.951830]  print_report+0x14c/0x49e
    [  419.952361]  ? __virt_addr_valid+0x267/0x278
    [  419.952979]  ? kmem_cache_debug_flags+0xc/0x1d
    [  419.953561]  ? hfsplus_read_wrapper+0x659/0xa0a
    [  419.954231]  kasan_report+0x89/0xb0
    [  419.954748]  ? hfsplus_read_wrapper+0x659/0xa0a
    [  419.955367]  hfsplus_read_wrapper+0x659/0xa0a
    [  419.955948]  ? __pfx_hfsplus_read_wrapper+0x10/0x10
    [  419.956618]  ? do_raw_spin_unlock+0x59/0x1a9
    [  419.957214]  ? _raw_spin_unlock+0x1a/0x2e
    [  419.957772]  hfsplus_fill_super+0x348/0x1590
    [  419.958355]  ? hlock_class+0x4c/0x109
    [  419.958867]  ? __pfx_hfsplus_fill_super+0x10/0x10
    [  419.959499]  ? __pfx_string+0x10/0x10
    [  419.960006]  ? lock_acquire+0x3e2/0x454
    [  419.960532]  ? bdev_name.constprop.0+0xce/0x243
    [  419.961129]  ? __pfx_bdev_name.constprop.0+0x10/0x10
    [  419.961799]  ? pointer+0x3f0/0x62f
    [  419.962277]  ? __pfx_pointer+0x10/0x10
    [  419.962761]  ? vsnprintf+0x6c4/0xfba
    [  419.963178]  ? __pfx_vsnprintf+0x10/0x10
    [  419.963621]  ? setup_bdev_super+0x376/0x3b3
    [  419.964029]  ? snprintf+0x9d/0xd2
    [  419.964344]  ? __pfx_snprintf+0x10/0x10
    [  419.964675]  ? lock_acquired+0x45c/0x5e9
    [  419.965016]  ? set_blocksize+0x139/0x1c1
    [  419.965381]  ? sb_set_blocksize+0x6d/0xae
    [  419.965742]  ? __pfx_hfsplus_fill_super+0x10/0x10
    [  419.966179]  mount_bdev+0x12f/0x1bf
    [  419.966512]  ? __pfx_mount_bdev+0x10/0x10
    [  419.966886]  ? vfs_parse_fs_string+0xce/0x111
    [  419.967293]  ? __pfx_vfs_parse_fs_string+0x10/0x10
    [  419.967702]  ? __pfx_hfsplus_mount+0x10/0x10
    [  419.968073]  legacy_get_tree+0x104/0x178
    [  419.968414]  vfs_get_tree+0x86/0x296
    [  419.968751]  path_mount+0xba3/0xd0b
    [  419.969157]  ? __pfx_path_mount+0x10/0x10
    [  419.969594]  ? kmem_cache_free+0x1e2/0x260
    [  419.970311]  do_mount+0x99/0xe0
    [  419.970630]  ? __pfx_do_mount+0x10/0x10
    [  419.971008]  __do_sys_mount+0x199/0x1c9
    [  419.971397]  do_syscall_64+0xd0/0x135
    [  419.971761]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
    [  419.972233] RIP: 0033:0x7c3cb812972e
    [  419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48
    [  419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
    [  419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e
    [  419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: 00007ffe306325d0
    [  419.976363] RBP: 00007ffe30632720 R08: 00007ffe30632610 R09: 0000000000000000
    [  419.977034] R10: 0000000000200008 R11: 0000000000000286 R12: 0000000000000000
    [  419.977713] R13: 00007ffe306328e8 R14: 00005a0eb298bc68 R15: 00007c3cb8356000
    [  419.978375]  </TASK>
    [  419.978589]
    
    Fixes: 6596528e391a ("hfsplus: ensure bio requests are not smaller than the hardware sectors")
    Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Christian Brauner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
HID: wacom: Interpret tilt data from Intuos Pro BT as signed values [+ + +]
Author: Jason Gerecke <[email protected]>
Date:   Mon Oct 28 10:39:14 2024 -0700

    HID: wacom: Interpret tilt data from Intuos Pro BT as signed values
    
    commit 49a397ad24ee5e2c53a59dada2780d7e71bd3f77 upstream.
    
    The tilt data contained in the Bluetooth packets of an Intuos Pro are
    supposed to be interpreted as signed values. Simply casting the values
    to type `char` is not guaranteed to work since it is implementation-
    defined whether it is signed or unsigned. At least one user has noticed
    the data being reported incorrectly on their system. To ensure that the
    data is interpreted properly, we specifically cast to `signed char`
    instead.
    
    Link: https://github.com/linuxwacom/input-wacom/issues/445
    Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
    CC: [email protected] # 4.11+
    Signed-off-by: Jason Gerecke <[email protected]>
    Signed-off-by: Jiri Kosina <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
initramfs: avoid filename buffer overrun [+ + +]
Author: David Disseldorp <[email protected]>
Date:   Wed Oct 30 03:55:10 2024 +0000

    initramfs: avoid filename buffer overrun
    
    [ Upstream commit e017671f534dd3f568db9e47b0583e853d2da9b5 ]
    
    The initramfs filename field is defined in
    Documentation/driver-api/early-userspace/buffer-format.rst as:
    
     37 cpio_file := ALGN(4) + cpio_header + filename + "\0" + ALGN(4) + data
    ...
     55 ============= ================== =========================
     56 Field name    Field size         Meaning
     57 ============= ================== =========================
    ...
     70 c_namesize    8 bytes            Length of filename, including final \0
    
    When extracting an initramfs cpio archive, the kernel's do_name() path
    handler assumes a zero-terminated path at @collected, passing it
    directly to filp_open() / init_mkdir() / init_mknod().
    
    If a specially crafted cpio entry carries a non-zero-terminated filename
    and is followed by uninitialized memory, then a file may be created with
    trailing characters that represent the uninitialized memory. The ability
    to create an initramfs entry would imply already having full control of
    the system, so the buffer overrun shouldn't be considered a security
    vulnerability.
    
    Append the output of the following bash script to an existing initramfs
    and observe any created /initramfs_test_fname_overrunAA* path. E.g.
      ./reproducer.sh | gzip >> /myinitramfs
    
    It's easiest to observe non-zero uninitialized memory when the output is
    gzipped, as it'll overflow the heap allocated @out_buf in __gunzip(),
    rather than the initrd_start+initrd_size block.
    
    ---- reproducer.sh ----
    nilchar="A"     # change to "\0" to properly zero terminate / pad
    magic="070701"
    ino=1
    mode=$(( 0100777 ))
    uid=0
    gid=0
    nlink=1
    mtime=1
    filesize=0
    devmajor=0
    devminor=1
    rdevmajor=0
    rdevminor=0
    csum=0
    fname="initramfs_test_fname_overrun"
    namelen=$(( ${#fname} + 1 ))    # plus one to account for terminator
    
    printf "%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s" \
            $magic $ino $mode $uid $gid $nlink $mtime $filesize \
            $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname
    
    termpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) ))
    printf "%.s${nilchar}" $(seq 1 $termpadlen)
    ---- reproducer.sh ----
    
    Symlink filename fields handled in do_symlink() won't overrun past the
    data segment, due to the explicit zero-termination of the symlink
    target.
    
    Fix filename buffer overrun by aborting the initramfs FSM if any cpio
    entry doesn't carry a zero-terminator at the expected (name_len - 1)
    offset.
    
    Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
    Signed-off-by: David Disseldorp <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Christian Brauner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
jffs2: fix use of uninitialized variable [+ + +]
Author: Qingfang Deng <[email protected]>
Date:   Mon Jul 1 12:52:05 2024 +0800

    jffs2: fix use of uninitialized variable
    
    [ Upstream commit 3ba44ee966bc3c41dd8a944f963466c8fcc60dc8 ]
    
    When building the kernel with -Wmaybe-uninitialized, the compiler
    reports this warning:
    
    In function 'jffs2_mark_erased_block',
        inlined from 'jffs2_erase_pending_blocks' at fs/jffs2/erase.c:116:4:
    fs/jffs2/erase.c:474:9: warning: 'bad_offset' may be used uninitialized [-Wmaybe-uninitialized]
      474 |         jffs2_erase_failed(c, jeb, bad_offset);
          |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    fs/jffs2/erase.c: In function 'jffs2_erase_pending_blocks':
    fs/jffs2/erase.c:402:18: note: 'bad_offset' was declared here
      402 |         uint32_t bad_offset;
          |                  ^~~~~~~~~~
    
    When mtd->point() is used, jffs2_erase_pending_blocks can return -EIO
    without initializing bad_offset, which is later used at the filebad
    label in jffs2_mark_erased_block.
    Fix it by initializing this variable.
    
    Fixes: 8a0f572397ca ("[JFFS2] Return values of jffs2_block_check_erase error paths")
    Signed-off-by: Qingfang Deng <[email protected]>
    Reviewed-by: Zhihao Cheng <[email protected]>
    Signed-off-by: Richard Weinberger <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
jfs: xattr: check invalid xattr size more strictly [+ + +]
Author: Artem Sadovnikov <[email protected]>
Date:   Sat Oct 5 10:06:57 2024 +0000

    jfs: xattr: check invalid xattr size more strictly
    
    commit d9f9d96136cba8fedd647d2c024342ce090133c2 upstream.
    
    Commit 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr")
    also addresses this issue but it only fixes it for positive values, while
    ea_size is an integer type and can take negative values, e.g. in case of
    a corrupted filesystem. This still breaks validation and would overflow
    because of implicit conversion from int to size_t in print_hex_dump().
    
    Fix this issue by clamping the ea_size value instead.
    
    Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
    
    Cc: [email protected]
    Signed-off-by: Artem Sadovnikov <[email protected]>
    Signed-off-by: Dave Kleikamp <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
kbuild: Use uname for LINUX_COMPILE_HOST detection [+ + +]
Author: Chris Down <[email protected]>
Date:   Tue Oct 20 10:34:59 2020 +0100

    kbuild: Use uname for LINUX_COMPILE_HOST detection
    
    commit 1e66d50ad3a1dbf0169b14d502be59a4b1213149 upstream.
    
    `hostname` may not be present on some systems as it's not mandated by
    POSIX/SUSv4. This isn't just a theoretical problem: on Arch Linux,
    `hostname` is provided by `inetutils`, which isn't part of the base
    distribution.
    
        ./scripts/mkcompile_h: line 38: hostname: command not found
    
    Use `uname -n` instead, which is more likely to be available (and
    mandated by standards).
    
    Signed-off-by: Chris Down <[email protected]>
    Signed-off-by: Masahiro Yamada <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
lib: string_helpers: silence snprintf() output truncation warning [+ + +]
Author: Bartosz Golaszewski <[email protected]>
Date:   Fri Nov 1 21:54:53 2024 +0100

    lib: string_helpers: silence snprintf() output truncation warning
    
    commit a508ef4b1dcc82227edc594ffae583874dd425d7 upstream.
    
    The output of ".%03u" with the unsigned int in range [0, 4294966295] may
    get truncated if the target buffer is not 12 bytes. This can't really
    happen here as the 'remainder' variable cannot exceed 999 but the
    compiler doesn't know it. To make it happy just increase the buffer to
    where the warning goes away.
    
    Fixes: 3c9f3681d0b4 ("[SCSI] lib: add generic helper to print sizes rounded to the correct SI range")
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Cc: James E.J. Bottomley <[email protected]>
    Cc: Kees Cook <[email protected]>
    Cc: [email protected]
    Signed-off-by: Andrew Morton <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Kees Cook <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Linux: Linux 4.19.325 [+ + +]
Author: Greg Kroah-Hartman <[email protected]>
Date:   Thu Dec 5 10:59:42 2024 +0100

    Linux 4.19.325
    
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Harshit Mogalapalli <[email protected]>
    Tested-by: Shuah Khan <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
m68k: coldfire/device.c: only build FEC when HW macros are defined [+ + +]
Author: Antonio Quartulli <[email protected]>
Date:   Tue Oct 29 22:43:15 2024 +0100

    m68k: coldfire/device.c: only build FEC when HW macros are defined
    
    [ Upstream commit 63a24cf8cc330e5a68ebd2e20ae200096974c475 ]
    
    When CONFIG_FEC is set (due to COMPILE_TEST) along with
    CONFIG_M54xx, coldfire/device.c has compile errors due to
    missing MCFEC_* and MCF_IRQ_FEC_* symbols.
    
    Make the whole FEC blocks dependent on having the HW macros
    defined, rather than on CONFIG_FEC itself.
    
    This fix is very similar to commit e6e1e7b19fa1 ("m68k: coldfire/device.c: only build for MCF_EDMA when h/w macros are defined")
    
    Fixes: b7ce7f0d0efc ("m68knommu: merge common ColdFire FEC platform setup code")
    To: Greg Ungerer <[email protected]>
    To: Geert Uytterhoeven <[email protected]>
    Cc: [email protected]
    Cc: [email protected]
    Signed-off-by: Antonio Quartulli <[email protected]>
    Signed-off-by: Greg Ungerer <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x [+ + +]
Author: Jean-Michel Hautbois <[email protected]>
Date:   Wed Oct 16 09:24:35 2024 +0200

    m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x
    
    [ Upstream commit f212140962c93cd5da43283a18e31681540fc23d ]
    
    Fix a typo in the CONFIG_M5441x preprocessor condition, where the GPIO
    register offset was incorrectly set to 8 instead of 0. This prevented
    proper GPIO configuration for m5441x targets.
    
    Fixes: bea8bcb12da0 ("m68knommu: Add support for the Coldfire m5441x.")
    Signed-off-by: Jean-Michel Hautbois <[email protected]>
    Signed-off-by: Greg Ungerer <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

m68k: mvme147: Fix SCSI controller IRQ numbers [+ + +]
Author: Daniel Palmer <[email protected]>
Date:   Thu Oct 3 13:29:47 2024 +1000

    m68k: mvme147: Fix SCSI controller IRQ numbers
    
    [ Upstream commit 47bc874427382018fa2e3e982480e156271eee70 ]
    
    Sometime long ago the m68k IRQ code was refactored and the interrupt
    numbers for SCSI controller on this board ended up wrong, and it hasn't
    worked since.
    
    The PCC adds 0x40 to the vector for its interrupts so they end up in
    the user interrupt range. Hence, the kernel number should be the kernel
    offset for user interrupt range + the PCC interrupt number.
    
    Fixes: 200a3d352cd5 ("[PATCH] m68k: convert VME irq code")
    Signed-off-by: Daniel Palmer <[email protected]>
    Reviewed-by: Finn Thain <[email protected]>
    Reviewed-by: Geert Uytterhoeven <[email protected]>
    Link: https://lore.kernel.org/0e7636a21a0274eea35bfd5d874459d5078e97cc.1727926187.git.fthain@linux-m68k.org
    Signed-off-by: Geert Uytterhoeven <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

m68k: mvme147: Reinstate early console [+ + +]
Author: Daniel Palmer <[email protected]>
Date:   Wed Nov 6 10:51:24 2024 +1100

    m68k: mvme147: Reinstate early console
    
    [ Upstream commit 077b33b9e2833ff25050d986178a2c4c4036cbac ]
    
    Commit a38eaa07a0ce ("m68k/mvme147: config.c - Remove unused
    functions"), removed the console functionality for the mvme147 instead
    of wiring it up to an early console.  Put the console write function
    back and wire it up like mvme16x does so it's possible to see Linux boot
    on this fine hardware once more.
    
    Fixes: a38eaa07a0ce ("m68k/mvme147: config.c - Remove unused functions")
    Signed-off-by: Daniel Palmer <[email protected]>
    Co-developed-by: Finn Thain <[email protected]>
    Signed-off-by: Finn Thain <[email protected]>
    Reviewed-by: Geert Uytterhoeven <[email protected]>
    Link: https://lore.kernel.org/a82e8f0068a8722996a0ccfe666abb5e0a5c120d.1730850684.git.fthain@linux-m68k.org
    Signed-off-by: Geert Uytterhoeven <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

m68k: mvme16x: Add and use "mvme16x.h" [+ + +]
Author: Geert Uytterhoeven <[email protected]>
Date:   Wed Sep 13 16:08:25 2023 +0200

    m68k: mvme16x: Add and use "mvme16x.h"
    
    [ Upstream commit dcec33c1fc4ab63983d93ffb0d82b68fc5775b88 ]
    
    When building with W=1:
    
        arch/m68k/mvme16x/config.c:208:6: warning: no previous prototype for ‘mvme16x_cons_write’ [-Wmissing-prototypes]
          208 | void mvme16x_cons_write(struct console *co, const char *str, unsigned count)
              |      ^~~~~~~~~~~~~~~~~~
    
    Fix this by introducing a new header file "mvme16x.h" for holding the
    prototypes of functions implemented in arch/m68k/mvme16x/.
    
    Signed-off-by: Geert Uytterhoeven <[email protected]>
    Acked-by: Arnd Bergmann <[email protected]>
    Link: https://lore.kernel.org/r/6200cc3b26fad215c4524748af04692e38c5ecd2.1694613528.git.geert@linux-m68k.org
    Stable-dep-of: 077b33b9e283 ("m68k: mvme147: Reinstate early console")
    Signed-off-by: Sasha Levin <[email protected]>

 
mac80211: fix user-power when emulating chanctx [+ + +]
Author: Ben Greear <[email protected]>
Date:   Thu Oct 10 13:39:54 2024 -0700

    mac80211: fix user-power when emulating chanctx
    
    [ Upstream commit 9b15c6cf8d2e82c8427cd06f535d8de93b5b995c ]
    
    ieee80211_calc_hw_conf_chan was ignoring the configured
    user_txpower.  If it is set, use it to potentially decrease
    txpower as requested.
    
    Signed-off-by: Ben Greear <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
marvell: pxa168_eth: fix call balance of pep->clk handling routines [+ + +]
Author: Vitalii Mordan <[email protected]>
Date:   Thu Nov 21 23:06:58 2024 +0300

    marvell: pxa168_eth: fix call balance of pep->clk handling routines
    
    [ Upstream commit b032ae57d4fe2b2445e3bc190db6fcaa8c102f68 ]
    
    If the clock pep->clk was not enabled in pxa168_eth_probe,
    it should not be disabled in any path.
    
    Conversely, if it was enabled in pxa168_eth_probe, it must be disabled
    in all error paths to ensure proper cleanup.
    
    Use the devm_clk_get_enabled helper function to ensure proper call balance
    for pep->clk.
    
    Found by Linux Verification Center (linuxtesting.org) with Klever.
    
    Fixes: a49f37eed22b ("net: add Fast Ethernet driver for PXA168.")
    Signed-off-by: Vitalii Mordan <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set [+ + +]
Author: Mauro Carvalho Chehab <[email protected]>
Date:   Wed Nov 6 21:50:55 2024 +0100

    media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set
    
    commit a4aebaf6e6efff548b01a3dc49b4b9074751c15b upstream.
    
    When CONFIG_DVB_DYNAMIC_MINORS, ret is not initialized, and a
    semaphore is left at the wrong state, in case of errors.
    
    Make the code simpler and avoid mistakes by having just one error
    check logic used weather DVB_DYNAMIC_MINORS is used or not.
    
    Reported-by: kernel test robot <[email protected]>
    Reported-by: Dan Carpenter <[email protected]>
    Closes: https://lore.kernel.org/r/[email protected]/
    Signed-off-by: Mauro Carvalho Chehab <[email protected]>
    Link: https://lore.kernel.org/r/9e067488d8935b8cf00959764a1fa5de85d65725.1730926254.git.mchehab+huawei@kernel.org
    Cc: Nathan Chancellor <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

media: wl128x: Fix atomicity violation in fmc_send_cmd() [+ + +]
Author: Qiu-ji Chen <[email protected]>
Date:   Fri Sep 27 16:39:02 2024 +0800

    media: wl128x: Fix atomicity violation in fmc_send_cmd()
    
    commit ca59f9956d4519ab18ab2270be47c6b8c6ced091 upstream.
    
    Atomicity violation occurs when the fmc_send_cmd() function is executed
    simultaneously with the modification of the fmdev->resp_skb value.
    Consider a scenario where, after passing the validity check within the
    function, a non-null fmdev->resp_skb variable is assigned a null value.
    This results in an invalid fmdev->resp_skb variable passing the validity
    check. As seen in the later part of the function, skb = fmdev->resp_skb;
    when the invalid fmdev->resp_skb passes the check, a null pointer
    dereference error may occur at line 478, evt_hdr = (void *)skb->data;
    
    To address this issue, it is recommended to include the validity check of
    fmdev->resp_skb within the locked section of the function. This
    modification ensures that the value of fmdev->resp_skb does not change
    during the validation process, thereby maintaining its validity.
    
    This possible bug is found by an experimental static analysis tool
    developed by our team. This tool analyzes the locking APIs
    to extract function pairs that can be concurrently executed, and then
    analyzes the instructions in the paired functions to identify possible
    concurrency bugs including data races and atomicity violations.
    
    Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
    Cc: [email protected]
    Signed-off-by: Qiu-ji Chen <[email protected]>
    Signed-off-by: Hans Verkuil <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mfd: da9052-spi: Change read-mask to write-mask [+ + +]
Author: Marcus Folkesson <[email protected]>
Date:   Wed Sep 25 12:19:53 2024 +0200

    mfd: da9052-spi: Change read-mask to write-mask
    
    [ Upstream commit 2e3378f6c79a1b3f7855ded1ef306ea4406352ed ]
    
    Driver has mixed up the R/W bit.
    The LSB bit is set on write rather than read.
    Change it to avoid nasty things to happen.
    
    Fixes: e9e9d3973594 ("mfd: da9052: Avoid setting read_flag_mask for da9052-i2c driver")
    Signed-off-by: Marcus Folkesson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Lee Jones <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

mfd: rt5033: Fix missing regmap_del_irq_chip() [+ + +]
Author: Zhang Changzhong <[email protected]>
Date:   Wed Oct 30 23:41:06 2024 +0800

    mfd: rt5033: Fix missing regmap_del_irq_chip()
    
    [ Upstream commit d256d612f47529ed0b332298e2d5ea981a4dd5b8 ]
    
    Fix missing call to regmap_del_irq_chip() in error handling path by
    using devm_regmap_add_irq_chip().
    
    Fixes: 0b271258544b ("mfd: rt5033: Add Richtek RT5033 driver core.")
    Signed-off-by: Zhang Changzhong <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Lee Jones <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
misc: apds990x: Fix missing pm_runtime_disable() [+ + +]
Author: Jinjie Ruan <[email protected]>
Date:   Mon Sep 23 11:55:56 2024 +0800

    misc: apds990x: Fix missing pm_runtime_disable()
    
    [ Upstream commit 3c5d8b819d27012264edd17e6ae7fffda382fe44 ]
    
    The pm_runtime_disable() is missing in probe error path,
    so add it to fix it.
    
    Fixes: 92b1f84d46b2 ("drivers/misc: driver for APDS990X ALS and proximity sensors")
    Signed-off-by: Jinjie Ruan <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
mm: revert "mm: shmem: fix data-race in shmem_getattr()" [+ + +]
Author: Andrew Morton <[email protected]>
Date:   Fri Nov 15 16:57:24 2024 -0800

    mm: revert "mm: shmem: fix data-race in shmem_getattr()"
    
    commit d1aa0c04294e29883d65eac6c2f72fe95cc7c049 upstream.
    
    Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") as
    suggested by Chuck [1].  It is causing deadlocks when accessing tmpfs over
    NFS.
    
    As Hugh commented, "added just to silence a syzbot sanitizer splat: added
    where there has never been any practical problem".
    
    Link: https://lkml.kernel.org/r/[email protected] [1]
    Fixes: d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()")
    Acked-by: Hugh Dickins <[email protected]>
    Cc: Chuck Lever <[email protected]>
    Cc: Jeongjun Park <[email protected]>
    Cc: Yu Zhao <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Hugh Dickins <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mmc: mmc_spi: drop buggy snprintf() [+ + +]
Author: Bartosz Golaszewski <[email protected]>
Date:   Tue Oct 8 18:01:34 2024 +0200

    mmc: mmc_spi: drop buggy snprintf()
    
    [ Upstream commit 328bda09cc91b3d93bc64f4a4dadc44313dd8140 ]
    
    GCC 13 complains about the truncated output of snprintf():
    
    drivers/mmc/host/mmc_spi.c: In function ‘mmc_spi_response_get’:
    drivers/mmc/host/mmc_spi.c:227:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
      227 |         snprintf(tag, sizeof(tag), "  ... CMD%d response SPI_%s",
          |                                                                ^
    drivers/mmc/host/mmc_spi.c:227:9: note: ‘snprintf’ output between 26 and 43 bytes into a destination of size 32
      227 |         snprintf(tag, sizeof(tag), "  ... CMD%d response SPI_%s",
          |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      228 |                 cmd->opcode, maptype(cmd));
    
    Drop it and fold the string it generates into the only place where it's
    emitted - the dev_dbg() call at the end of the function.
    
    Fixes: 15a0580ced08 ("mmc_spi host driver")
    Suggested-by: Christophe JAILLET <[email protected]>
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
modpost: remove incorrect code in do_eisa_entry() [+ + +]
Author: Masahiro Yamada <[email protected]>
Date:   Wed Nov 20 08:56:39 2024 +0900

    modpost: remove incorrect code in do_eisa_entry()
    
    [ Upstream commit 0c3e091319e4748cb36ac9a50848903dc6f54054 ]
    
    This function contains multiple bugs after the following commits:
    
     - ac551828993e ("modpost: i2c aliases need no trailing wildcard")
     - 6543becf26ff ("mod/file2alias: make modalias generation safe for cross compiling")
    
    Commit ac551828993e inserted the following code to do_eisa_entry():
    
        else
                strcat(alias, "*");
    
    This is incorrect because 'alias' is uninitialized. If it is not
    NULL-terminated, strcat() could cause a buffer overrun.
    
    Even if 'alias' happens to be zero-filled, it would output:
    
        MODULE_ALIAS("*");
    
    This would match anything. As a result, the module could be loaded by
    any unrelated uevent from an unrelated subsystem.
    
    Commit ac551828993e introduced another bug.            
    
    Prior to that commit, the conditional check was:
    
        if (eisa->sig[0])
    
    This checked if the first character of eisa_device_id::sig was not '\0'.
    
    However, commit ac551828993e changed it as follows:
    
        if (sig[0])
    
    sig[0] is NOT the first character of the eisa_device_id::sig. The
    type of 'sig' is 'char (*)[8]', meaning that the type of 'sig[0]' is
    'char [8]' instead of 'char'. 'sig[0]' and 'symval' refer to the same
    address, which never becomes NULL.
    
    The correct conversion would have been:
    
        if ((*sig)[0])
    
    However, this if-conditional was meaningless because the earlier change
    in commit ac551828993e was incorrect.
    
    This commit removes the entire incorrect code, which should never have
    been executed.
    
    Fixes: ac551828993e ("modpost: i2c aliases need no trailing wildcard")
    Fixes: 6543becf26ff ("mod/file2alias: make modalias generation safe for cross compiling")
    Signed-off-by: Masahiro Yamada <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
mtd: rawnand: atmel: Fix possible memory leak [+ + +]
Author: Miquel Raynal <[email protected]>
Date:   Tue Oct 1 22:31:49 2024 +0200

    mtd: rawnand: atmel: Fix possible memory leak
    
    [ Upstream commit 6d734f1bfc336aaea91313a5632f2f197608fadd ]
    
    The pmecc "user" structure is allocated in atmel_pmecc_create_user() and
    was supposed to be freed with atmel_pmecc_destroy_user(), but this other
    helper is never called. One solution would be to find the proper
    location to call the destructor, but the trend today is to switch to
    device managed allocations, which in this case fits pretty well.
    
    Replace kzalloc() by devm_kzalloc() and drop the destructor entirely.
    
    Reported-by: "Dr. David Alan Gilbert" <[email protected]>
    Closes: https://lore.kernel.org/all/ZvmIvRJCf6VhHvpo@gallifrey/
    Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
    Signed-off-by: Miquel Raynal <[email protected]>
    Link: https://lore.kernel.org/linux-mtd/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
net: rfkill: gpio: Add check for clk_enable() [+ + +]
Author: Mingwei Zheng <[email protected]>
Date:   Fri Nov 8 14:53:41 2024 -0500

    net: rfkill: gpio: Add check for clk_enable()
    
    [ Upstream commit 8251e7621b25ccdb689f1dd9553b8789e3745ea1 ]
    
    Add check for the return value of clk_enable() to catch the potential
    error.
    
    Fixes: 7176ba23f8b5 ("net: rfkill: add generic gpio rfkill driver")
    Signed-off-by: Mingwei Zheng <[email protected]>
    Signed-off-by: Jiasheng Jiang <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken [+ + +]
Author: Maxime Chevallier <[email protected]>
Date:   Fri Nov 22 15:12:55 2024 +0100

    net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken
    
    [ Upstream commit 407618d66dba55e7db1278872e8be106808bbe91 ]
    
    On DWMAC3 and later, there's a RX Watchdog interrupt that's used for
    interrupt coalescing. It's known to be buggy on some platforms, and
    dwmac-socfpga appears to be one of them. Changing the interrupt
    coalescing from ethtool doesn't appear to have any effect here.
    
    Without disabling RIWT (Received Interrupt Watchdog Timer, I
    believe...), we observe latencies while receiving traffic that amount to
    around ~0.4ms. This was discovered with NTP but can be easily reproduced
    with a simple ping. Without this patch :
    
    64 bytes from 192.168.5.2: icmp_seq=1 ttl=64 time=0.657 ms
    
    With this patch :
    
    64 bytes from 192.168.5.2: icmp_seq=1 ttl=64 time=0.254 ms
    
    Fixes: 801d233b7302 ("net: stmmac: Add SOCFPGA glue driver")
    Signed-off-by: Maxime Chevallier <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device [+ + +]
Author: Oleksij Rempel <[email protected]>
Date:   Sat Nov 16 14:05:58 2024 +0100

    net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device
    
    [ Upstream commit ae7370e61c5d8f5bcefc2d4fca724bd4e9bbf789 ]
    
    Add calls to `phy_device_free` after `fixed_phy_unregister` to fix a
    memory leak that occurs when the device is unplugged. This ensures
    proper cleanup of pseudo fixed-link PHYs.
    
    Fixes: 89b36fb5e532 ("lan78xx: Lan7801 Support for Fixed PHY")
    Cc: Raghuram Chary J <[email protected]>
    Signed-off-by: Oleksij Rempel <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration [+ + +]
Author: Oleksij Rempel <[email protected]>
Date:   Mon Nov 18 15:03:51 2024 +0100

    net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration
    
    [ Upstream commit e863ff806f72098bccaf8fa89c80d9ad6187c3b0 ]
    
    Validate Wake-on-LAN (WoL) options in `lan78xx_set_wol` before calling
    `usb_autopm_get_interface`. This prevents USB autopm refcounting issues
    and ensures the adapter can properly enter autosuspend when invalid WoL
    options are provided.
    
    Fixes: eb9ad088f966 ("lan78xx: Check for supported Wake-on-LAN modes")
    Signed-off-by: Oleksij Rempel <[email protected]>
    Acked-by: Florian Fainelli <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: usb: qmi_wwan: add Quectel RG650V [+ + +]
Author: Benoît Monin <[email protected]>
Date:   Thu Oct 24 17:11:13 2024 +0200

    net: usb: qmi_wwan: add Quectel RG650V
    
    [ Upstream commit 6b3f18a76be6bbd237c7594cf0bf2912b68084fe ]
    
    Add support for Quectel RG650V which is based on Qualcomm SDX65 chip.
    The composition is DIAG / NMEA / AT / AT / QMI.
    
    T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=5000 MxCh= 0
    D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
    P: Vendor=2c7c ProdID=0122 Rev=05.15
    S: Manufacturer=Quectel
    S: Product=RG650V-EU
    S: SerialNumber=xxxxxxx
    C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=896mA
    I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E: Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=9ms
    I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E: Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=9ms
    I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
    E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E: Ad=87(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E: Ad=88(I) Atr=03(Int.) MxPS=   8 Ivl=9ms
    
    Signed-off-by: Benoît Monin <[email protected]>
    Reviewed-by: Simon Horman <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
netfilter: ipset: add missing range check in bitmap_ip_uadt [+ + +]
Author: Jeongjun Park <[email protected]>
Date:   Wed Nov 13 22:02:09 2024 +0900

    netfilter: ipset: add missing range check in bitmap_ip_uadt
    
    commit 35f56c554eb1b56b77b3cf197a6b00922d49033d upstream.
    
    When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
    the values of ip and ip_to are slightly swapped. Therefore, the range check
    for ip should be done later, but this part is missing and it seems that the
    vulnerability occurs.
    
    So we should add missing range checks and remove unnecessary range checks.
    
    Cc: <[email protected]>
    Reported-by: [email protected]
    Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
    Signed-off-by: Jeongjun Park <[email protected]>
    Acked-by: Jozsef Kadlecsik <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
netlink: terminate outstanding dump on socket close [+ + +]
Author: Jakub Kicinski <[email protected]>
Date:   Tue Nov 5 17:52:34 2024 -0800

    netlink: terminate outstanding dump on socket close
    
    [ Upstream commit 1904fb9ebf911441f90a68e96b22aa73e4410505 ]
    
    Netlink supports iterative dumping of data. It provides the families
    the following ops:
     - start - (optional) kicks off the dumping process
     - dump  - actual dump helper, keeps getting called until it returns 0
     - done  - (optional) pairs with .start, can be used for cleanup
    The whole process is asynchronous and the repeated calls to .dump
    don't actually happen in a tight loop, but rather are triggered
    in response to recvmsg() on the socket.
    
    This gives the user full control over the dump, but also means that
    the user can close the socket without getting to the end of the dump.
    To make sure .start is always paired with .done we check if there
    is an ongoing dump before freeing the socket, and if so call .done.
    
    The complication is that sockets can get freed from BH and .done
    is allowed to sleep. So we use a workqueue to defer the call, when
    needed.
    
    Unfortunately this does not work correctly. What we defer is not
    the cleanup but rather releasing a reference on the socket.
    We have no guarantee that we own the last reference, if someone
    else holds the socket they may release it in BH and we're back
    to square one.
    
    The whole dance, however, appears to be unnecessary. Only the user
    can interact with dumps, so we can clean up when socket is closed.
    And close always happens in process context. Some async code may
    still access the socket after close, queue notification skbs to it etc.
    but no dumps can start, end or otherwise make progress.
    
    Delete the workqueue and flush the dump state directly from the release
    handler. Note that further cleanup is possible in -next, for instance
    we now always call .done before releasing the main module reference,
    so dump doesn't have to take a reference of its own.
    
    Reported-by: syzkaller <[email protected]>
    Fixes: ed5d7788a934 ("netlink: Do not schedule work from sk_destruct")
    Reviewed-by: Kuniyuki Iwashima <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
 
netpoll: Use rcu_access_pointer() in netpoll_poll_lock [+ + +]
Author: Breno Leitao <[email protected]>
Date:   Mon Nov 18 03:15:18 2024 -0800

    netpoll: Use rcu_access_pointer() in netpoll_poll_lock
    
    [ Upstream commit a57d5a72f8dec7db8a79d0016fb0a3bdecc82b56 ]
    
    The ndev->npinfo pointer in netpoll_poll_lock() is RCU-protected but is
    being accessed directly for a NULL check. While no RCU read lock is held
    in this context, we should still use proper RCU primitives for
    consistency and correctness.
    
    Replace the direct NULL check with rcu_access_pointer(), which is the
    appropriate primitive when only checking for NULL without dereferencing
    the pointer. This function provides the necessary ordering guarantees
    without requiring RCU read-side protection.
    
    Fixes: bea3348eef27 ("[NET]: Make NAPI polling independent of struct net_device objects.")
    Signed-off-by: Breno Leitao <[email protected]>
    Reviewed-by: Michal Kubiak <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir() [+ + +]
Author: Chuck Lever <[email protected]>
Date:   Thu Oct 17 11:03:56 2024 -0400

    NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir()
    
    [ Upstream commit f64ea4af43161bb86ffc77e6aeb5bcf5c3229df0 ]
    
    It's only current caller already length-checks the string, but let's
    be safe.
    
    Fixes: 0964a3d3f1aa ("[PATCH] knfsd: nfsd4 reboot dirname fix")
    Reviewed-by: Jeff Layton <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

NFSD: Prevent a potential integer overflow [+ + +]
Author: Chuck Lever <[email protected]>
Date:   Tue Sep 17 12:15:23 2024 -0400

    NFSD: Prevent a potential integer overflow
    
    commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream.
    
    If the tag length is >= U32_MAX - 3 then the "length + 4" addition
    can result in an integer overflow. Address this by splitting the
    decoding into several steps so that decode_cb_compound4res() does
    not have to perform arithmetic on the unsafe length value.
    
    Reported-by: Dan Carpenter <[email protected]>
    Cc: [email protected]
    Reviewed-by: Jeff Layton <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

NFSD: Prevent NULL dereference in nfsd4_process_cb_update() [+ + +]
Author: Chuck Lever <[email protected]>
Date:   Thu Oct 17 11:03:53 2024 -0400

    NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
    
    [ Upstream commit 1e02c641c3a43c88cecc08402000418e15578d38 ]
    
    @ses is initialized to NULL. If __nfsd4_find_backchannel() finds no
    available backchannel session, setup_callback_client() will try to
    dereference @ses and segfault.
    
    Fixes: dcbeaa68dbbd ("nfsd4: allow backchannel recovery")
    Reviewed-by: Jeff Layton <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
NFSv4.0: Fix a use-after-free problem in the asynchronous open() [+ + +]
Author: Trond Myklebust <[email protected]>
Date:   Fri Nov 8 12:13:31 2024 -0500

    NFSv4.0: Fix a use-after-free problem in the asynchronous open()
    
    [ Upstream commit 2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889 ]
    
    Yang Erkun reports that when two threads are opening files at the same
    time, and are forced to abort before a reply is seen, then the call to
    nfs_release_seqid() in nfs4_opendata_free() can result in a
    use-after-free of the pointer to the defunct rpc task of the other
    thread.
    The fix is to ensure that if the RPC call is aborted before the call to
    nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid()
    in nfs4_open_release() before the rpc_task is freed.
    
    Reported-by: Yang Erkun <[email protected]>
    Fixes: 24ac23ab88df ("NFSv4: Convert open() into an asynchronous RPC call")
    Reviewed-by: Yang Erkun <[email protected]>
    Signed-off-by: Trond Myklebust <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint [+ + +]
Author: Ryusuke Konishi <[email protected]>
Date:   Thu Nov 7 01:07:33 2024 +0900

    nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
    
    commit 2026559a6c4ce34db117d2db8f710fe2a9420d5a upstream.
    
    When using the "block:block_dirty_buffer" tracepoint, mark_buffer_dirty()
    may cause a NULL pointer dereference, or a general protection fault when
    KASAN is enabled.
    
    This happens because, since the tracepoint was added in
    mark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev
    regardless of whether the buffer head has a pointer to a block_device
    structure.
    
    In the current implementation, nilfs_grab_buffer(), which grabs a buffer
    to read (or create) a block of metadata, including b-tree node blocks,
    does not set the block device, but instead does so only if the buffer is
    not in the "uptodate" state for each of its caller block reading
    functions.  However, if the uptodate flag is set on a folio/page, and the
    buffer heads are detached from it by try_to_free_buffers(), and new buffer
    heads are then attached by create_empty_buffers(), the uptodate flag may
    be restored to each buffer without the block device being set to
    bh->b_bdev, and mark_buffer_dirty() may be called later in that state,
    resulting in the bug mentioned above.
    
    Fix this issue by making nilfs_grab_buffer() always set the block device
    of the super block structure to the buffer head, regardless of the state
    of the buffer's uptodate flag.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 5305cb830834 ("block: add block_{touch|dirty}_buffer tracepoint")
    Signed-off-by: Ryusuke Konishi <[email protected]>
    Cc: Tejun Heo <[email protected]>
    Cc: Ubisectech Sirius <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint [+ + +]
Author: Ryusuke Konishi <[email protected]>
Date:   Thu Nov 7 01:07:32 2024 +0900

    nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint
    
    commit cd45e963e44b0f10d90b9e6c0e8b4f47f3c92471 upstream.
    
    Patch series "nilfs2: fix null-ptr-deref bugs on block tracepoints".
    
    This series fixes null pointer dereference bugs that occur when using
    nilfs2 and two block-related tracepoints.
    
    
    This patch (of 2):
    
    It has been reported that when using "block:block_touch_buffer"
    tracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a
    NULL pointer dereference, or a general protection fault when KASAN is
    enabled.
    
    This happens because since the tracepoint was added in touch_buffer(), it
    references the dev_t member bh->b_bdev->bd_dev regardless of whether the
    buffer head has a pointer to a block_device structure.  In the current
    implementation, the block_device structure is set after the function
    returns to the caller.
    
    Here, touch_buffer() is used to mark the folio/page that owns the buffer
    head as accessed, but the common search helper for folio/page used by the
    caller function was optimized to mark the folio/page as accessed when it
    was reimplemented a long time ago, eliminating the need to call
    touch_buffer() here in the first place.
    
    So this solves the issue by eliminating the touch_buffer() call itself.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 5305cb830834 ("block: add block_{touch|dirty}_buffer tracepoint")
    Signed-off-by: Ryusuke Konishi <[email protected]>
    Reported-by: Ubisectech Sirius <[email protected]>
    Closes: https://lkml.kernel.org/r/[email protected]
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=9982fb8d18eba905abe2
    Tested-by: [email protected]
    Cc: Tejun Heo <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nvme: fix metadata handling in nvme-passthrough [+ + +]
Author: Puranjay Mohan <[email protected]>
Date:   Mon Nov 25 14:29:53 2024 +0000

    nvme: fix metadata handling in nvme-passthrough
    
    [ Upstream commit 7c2fd76048e95dd267055b5f5e0a48e6e7c81fd9 ]
    
    On an NVMe namespace that does not support metadata, it is possible to
    send an IO command with metadata through io-passthru. This allows issues
    like [1] to trigger in the completion code path.
    nvme_map_user_request() doesn't check if the namespace supports metadata
    before sending it forward. It also allows admin commands with metadata to
    be processed as it ignores metadata when bdev == NULL and may report
    success.
    
    Reject an IO command with metadata when the NVMe namespace doesn't
    support it and reject an admin command if it has metadata.
    
    [1] https://lore.kernel.org/all/[email protected]/
    
    Suggested-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Puranjay Mohan <[email protected]>
    Reviewed-by: Christoph Hellwig <[email protected]>
    Reviewed-by: Sagi Grimberg <[email protected]>
    Reviewed-by: Anuj Gupta <[email protected]>
    Signed-off-by: Keith Busch <[email protected]>
    [ Move the changes from nvme_map_user_request() to nvme_submit_user_cmd()
      to make it work on 4.19 ]
    Signed-off-by: Hagar Hemdan <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ocfs2: fix UBSAN warning in ocfs2_verify_volume() [+ + +]
Author: Dmitry Antipov <[email protected]>
Date:   Wed Nov 6 12:21:00 2024 +0300

    ocfs2: fix UBSAN warning in ocfs2_verify_volume()
    
    commit 23aab037106d46e6168ce1214a958ce9bf317f2e upstream.
    
    Syzbot has reported the following splat triggered by UBSAN:
    
    UBSAN: shift-out-of-bounds in fs/ocfs2/super.c:2336:10
    shift exponent 32768 is too large for 32-bit type 'int'
    CPU: 2 UID: 0 PID: 5255 Comm: repro Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
    Call Trace:
     <TASK>
     dump_stack_lvl+0x241/0x360
     ? __pfx_dump_stack_lvl+0x10/0x10
     ? __pfx__printk+0x10/0x10
     ? __asan_memset+0x23/0x50
     ? lockdep_init_map_type+0xa1/0x910
     __ubsan_handle_shift_out_of_bounds+0x3c8/0x420
     ocfs2_fill_super+0xf9c/0x5750
     ? __pfx_ocfs2_fill_super+0x10/0x10
     ? __pfx_validate_chain+0x10/0x10
     ? __pfx_validate_chain+0x10/0x10
     ? validate_chain+0x11e/0x5920
     ? __lock_acquire+0x1384/0x2050
     ? __pfx_validate_chain+0x10/0x10
     ? string+0x26a/0x2b0
     ? widen_string+0x3a/0x310
     ? string+0x26a/0x2b0
     ? bdev_name+0x2b1/0x3c0
     ? pointer+0x703/0x1210
     ? __pfx_pointer+0x10/0x10
     ? __pfx_format_decode+0x10/0x10
     ? __lock_acquire+0x1384/0x2050
     ? vsnprintf+0x1ccd/0x1da0
     ? snprintf+0xda/0x120
     ? __pfx_lock_release+0x10/0x10
     ? do_raw_spin_lock+0x14f/0x370
     ? __pfx_snprintf+0x10/0x10
     ? set_blocksize+0x1f9/0x360
     ? sb_set_blocksize+0x98/0xf0
     ? setup_bdev_super+0x4e6/0x5d0
     mount_bdev+0x20c/0x2d0
     ? __pfx_ocfs2_fill_super+0x10/0x10
     ? __pfx_mount_bdev+0x10/0x10
     ? vfs_parse_fs_string+0x190/0x230
     ? __pfx_vfs_parse_fs_string+0x10/0x10
     legacy_get_tree+0xf0/0x190
     ? __pfx_ocfs2_mount+0x10/0x10
     vfs_get_tree+0x92/0x2b0
     do_new_mount+0x2be/0xb40
     ? __pfx_do_new_mount+0x10/0x10
     __se_sys_mount+0x2d6/0x3c0
     ? __pfx___se_sys_mount+0x10/0x10
     ? do_syscall_64+0x100/0x230
     ? __x64_sys_mount+0x20/0xc0
     do_syscall_64+0xf3/0x230
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f37cae96fda
    Code: 48 8b 0d 51 ce 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1e ce 0c 00 f7 d8 64 89 01 48
    RSP: 002b:00007fff6c1aa228 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
    RAX: ffffffffffffffda RBX: 00007fff6c1aa240 RCX: 00007f37cae96fda
    RDX: 00000000200002c0 RSI: 0000000020000040 RDI: 00007fff6c1aa240
    RBP: 0000000000000004 R08: 00007fff6c1aa280 R09: 0000000000000000
    R10: 00000000000008c0 R11: 0000000000000206 R12: 00000000000008c0
    R13: 00007fff6c1aa280 R14: 0000000000000003 R15: 0000000001000000
     </TASK>
    
    For a really damaged superblock, the value of 'i_super.s_blocksize_bits'
    may exceed the maximum possible shift for an underlying 'int'.  So add an
    extra check whether the aforementioned field represents the valid block
    size, which is 512 bytes, 1K, 2K, or 4K.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
    Signed-off-by: Dmitry Antipov <[email protected]>
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=56f7cd1abe4b8e475180
    Reviewed-by: Joseph Qi <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Junxiao Bi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Jun Piao <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ocfs2: fix uninitialized value in ocfs2_file_read_iter() [+ + +]
Author: Dmitry Antipov <[email protected]>
Date:   Tue Oct 29 12:17:36 2024 +0300

    ocfs2: fix uninitialized value in ocfs2_file_read_iter()
    
    [ Upstream commit adc77b19f62d7e80f98400b2fca9d700d2afdd6f ]
    
    Syzbot has reported the following KMSAN splat:
    
    BUG: KMSAN: uninit-value in ocfs2_file_read_iter+0x9a4/0xf80
     ocfs2_file_read_iter+0x9a4/0xf80
     __io_read+0x8d4/0x20f0
     io_read+0x3e/0xf0
     io_issue_sqe+0x42b/0x22c0
     io_wq_submit_work+0xaf9/0xdc0
     io_worker_handle_work+0xd13/0x2110
     io_wq_worker+0x447/0x1410
     ret_from_fork+0x6f/0x90
     ret_from_fork_asm+0x1a/0x30
    
    Uninit was created at:
     __alloc_pages_noprof+0x9a7/0xe00
     alloc_pages_mpol_noprof+0x299/0x990
     alloc_pages_noprof+0x1bf/0x1e0
     allocate_slab+0x33a/0x1250
     ___slab_alloc+0x12ef/0x35e0
     kmem_cache_alloc_bulk_noprof+0x486/0x1330
     __io_alloc_req_refill+0x84/0x560
     io_submit_sqes+0x172f/0x2f30
     __se_sys_io_uring_enter+0x406/0x41c0
     __x64_sys_io_uring_enter+0x11f/0x1a0
     x64_sys_call+0x2b54/0x3ba0
     do_syscall_64+0xcd/0x1e0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Since an instance of 'struct kiocb' may be passed from the block layer
    with 'private' field uninitialized, introduce 'ocfs2_iocb_init_rw_locked()'
    and use it from where 'ocfs2_dio_end_io()' might take care, i.e. in
    'ocfs2_file_read_iter()' and 'ocfs2_file_write_iter()'.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 7cdfc3a1c397 ("ocfs2: Remember rw lock level during direct io")
    Signed-off-by: Dmitry Antipov <[email protected]>
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=a73e253cca4f0230a5a5
    Cc: Mark Fasheh <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Junxiao Bi <[email protected]>
    Cc: Joseph Qi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Jun Piao <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ocfs2: uncache inode which has failed entering the group [+ + +]
Author: Dmitry Antipov <[email protected]>
Date:   Thu Nov 14 07:38:44 2024 +0300

    ocfs2: uncache inode which has failed entering the group
    
    commit 737f34137844d6572ab7d473c998c7f977ff30eb upstream.
    
    Syzbot has reported the following BUG:
    
    kernel BUG at fs/ocfs2/uptodate.c:509!
    ...
    Call Trace:
     <TASK>
     ? __die_body+0x5f/0xb0
     ? die+0x9e/0xc0
     ? do_trap+0x15a/0x3a0
     ? ocfs2_set_new_buffer_uptodate+0x145/0x160
     ? do_error_trap+0x1dc/0x2c0
     ? ocfs2_set_new_buffer_uptodate+0x145/0x160
     ? __pfx_do_error_trap+0x10/0x10
     ? handle_invalid_op+0x34/0x40
     ? ocfs2_set_new_buffer_uptodate+0x145/0x160
     ? exc_invalid_op+0x38/0x50
     ? asm_exc_invalid_op+0x1a/0x20
     ? ocfs2_set_new_buffer_uptodate+0x2e/0x160
     ? ocfs2_set_new_buffer_uptodate+0x144/0x160
     ? ocfs2_set_new_buffer_uptodate+0x145/0x160
     ocfs2_group_add+0x39f/0x15a0
     ? __pfx_ocfs2_group_add+0x10/0x10
     ? __pfx_lock_acquire+0x10/0x10
     ? mnt_get_write_access+0x68/0x2b0
     ? __pfx_lock_release+0x10/0x10
     ? rcu_read_lock_any_held+0xb7/0x160
     ? __pfx_rcu_read_lock_any_held+0x10/0x10
     ? smack_log+0x123/0x540
     ? mnt_get_write_access+0x68/0x2b0
     ? mnt_get_write_access+0x68/0x2b0
     ? mnt_get_write_access+0x226/0x2b0
     ocfs2_ioctl+0x65e/0x7d0
     ? __pfx_ocfs2_ioctl+0x10/0x10
     ? smack_file_ioctl+0x29e/0x3a0
     ? __pfx_smack_file_ioctl+0x10/0x10
     ? lockdep_hardirqs_on_prepare+0x43d/0x780
     ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
     ? __pfx_ocfs2_ioctl+0x10/0x10
     __se_sys_ioctl+0xfb/0x170
     do_syscall_64+0xf3/0x230
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    ...
     </TASK>
    
    When 'ioctl(OCFS2_IOC_GROUP_ADD, ...)' has failed for the particular
    inode in 'ocfs2_verify_group_and_input()', corresponding buffer head
    remains cached and subsequent call to the same 'ioctl()' for the same
    inode issues the BUG() in 'ocfs2_set_new_buffer_uptodate()' (trying
    to cache the same buffer head of that inode). Fix this by uncaching
    the buffer head with 'ocfs2_remove_from_cache()' on error path in
    'ocfs2_group_add()'.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 7909f2bf8353 ("[PATCH 2/2] ocfs2: Implement group add for online resize")
    Signed-off-by: Dmitry Antipov <[email protected]>
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=453873f1588c2d75b447
    Reviewed-by: Joseph Qi <[email protected]>
    Cc: Dmitry Antipov <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: Junxiao Bi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Jun Piao <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
PCI: cpqphp: Fix PCIBIOS_* return value confusion [+ + +]
Author: Ilpo Järvinen <[email protected]>
Date:   Tue Oct 22 12:11:37 2024 +0300

    PCI: cpqphp: Fix PCIBIOS_* return value confusion
    
    [ Upstream commit e2226dbc4a4919d9c8bd9293299b532090bdf020 ]
    
    Code in and related to PCI_RefinedAccessConfig() has three types of return
    type confusion:
    
     - PCI_RefinedAccessConfig() tests pci_bus_read_config_dword() return value
       against -1.
    
     - PCI_RefinedAccessConfig() returns both -1 and PCIBIOS_* return codes.
    
     - Callers of PCI_RefinedAccessConfig() only test for -1.
    
    Make PCI_RefinedAccessConfig() return PCIBIOS_* codes consistently and
    adapt callers accordingly.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Ilpo Järvinen <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads [+ + +]
Author: weiyufeng <[email protected]>
Date:   Tue Aug 6 14:50:50 2024 +0800

    PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads
    
    [ Upstream commit a18a025c2fb5fbf2d1d0606ea0d7441ac90e9c39 ]
    
    When config pci_ops.read() can detect failed PCI transactions, the data
    returned to the CPU is PCI_ERROR_RESPONSE (~0 or 0xffffffff).
    
    Obviously a successful PCI config read may *also* return that data if a
    config register happens to contain ~0, so it doesn't definitively indicate
    an error unless we know the register cannot contain ~0.
    
    Use PCI_POSSIBLE_ERROR() to check the response we get when we read data
    from hardware.  This unifies PCI error response checking and makes error
    checks consistent and easier to find.
    
    Link: https://lore.kernel.org/r/b12005c0d57bb9d4c8b486724d078b7bd92f8321.1637243717.git.naveennaidu479@gmail.com
    Signed-off-by: Naveen Naidu <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Stable-dep-of: e2226dbc4a49 ("PCI: cpqphp: Fix PCIBIOS_* return value confusion")
    Signed-off-by: Sasha Levin <[email protected]>

PCI: Fix use-after-free of slot->bus on hot remove [+ + +]
Author: Lukas Wunner <[email protected]>
Date:   Thu Oct 10 19:10:34 2024 +0200

    PCI: Fix use-after-free of slot->bus on hot remove
    
    commit c7acef99642b763ba585f4a43af999fcdbcc3dc4 upstream.
    
    Dennis reports a boot crash on recent Lenovo laptops with a USB4 dock.
    
    Since commit 0fc70886569c ("thunderbolt: Reset USB4 v2 host router") and
    commit 59a54c5f3dbd ("thunderbolt: Reset topology created by the boot
    firmware"), USB4 v2 and v1 Host Routers are reset on probe of the
    thunderbolt driver.
    
    The reset clears the Presence Detect State and Data Link Layer Link Active
    bits at the USB4 Host Router's Root Port and thus causes hot removal of the
    dock.
    
    The crash occurs when pciehp is unbound from one of the dock's Downstream
    Ports:  pciehp creates a pci_slot on bind and destroys it on unbind.  The
    pci_slot contains a pointer to the pci_bus below the Downstream Port, but
    a reference on that pci_bus is never acquired.  The pci_bus is destroyed
    before the pci_slot, so a use-after-free ensues when pci_slot_release()
    accesses slot->bus.
    
    In principle this should not happen because pci_stop_bus_device() unbinds
    pciehp (and therefore destroys the pci_slot) before the pci_bus is
    destroyed by pci_remove_bus_device().
    
    However the stacktrace provided by Dennis shows that pciehp is unbound from
    pci_remove_bus_device() instead of pci_stop_bus_device().  To understand
    the significance of this, one needs to know that the PCI core uses a two
    step process to remove a portion of the hierarchy:  It first unbinds all
    drivers in the sub-hierarchy in pci_stop_bus_device() and then actually
    removes the devices in pci_remove_bus_device().  There is no precaution to
    prevent driver binding in-between pci_stop_bus_device() and
    pci_remove_bus_device().
    
    In Dennis' case, it seems removal of the hierarchy by pciehp races with
    driver binding by pci_bus_add_devices().  pciehp is bound to the
    Downstream Port after pci_stop_bus_device() has run, so it is unbound by
    pci_remove_bus_device() instead of pci_stop_bus_device().  Because the
    pci_bus has already been destroyed at that point, accesses to it result in
    a use-after-free.
    
    One might conclude that driver binding needs to be prevented after
    pci_stop_bus_device() has run.  However it seems risky that pci_slot points
    to pci_bus without holding a reference.  Solely relying on correct ordering
    of driver unbind versus pci_bus destruction is certainly not defensive
    programming.
    
    If pci_slot has a need to access data in pci_bus, it ought to acquire a
    reference.  Amend pci_create_slot() accordingly.  Dennis reports that the
    crash is not reproducible with this change.
    
    Abridged stacktrace:
    
      pcieport 0000:00:07.0: PME: Signaling with IRQ 156
      pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+
      pci_bus 0000:20: dev 00, created physical slot 12
      pcieport 0000:00:07.0: pciehp: Slot(12): Card not present
      ...
      pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0
      Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI
      CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1
      RIP: 0010:dev_driver_string+0x12/0x40
      pci_destroy_slot
      pciehp_remove
      pcie_port_remove_service
      device_release_driver_internal
      bus_remove_device
      device_del
      device_unregister
      remove_iter
      device_for_each_child
      pcie_portdrv_remove
      pci_device_remove
      device_release_driver_internal
      bus_remove_device
      device_del
      pci_remove_bus_device (recursive invocation)
      pci_remove_bus_device
      pciehp_unconfigure_device
      pciehp_disable_slot
      pciehp_handle_presence_or_link_change
      pciehp_ist
    
    Link: https://lore.kernel.org/r/4bfd4c0e976c1776cd08e76603903b338cf25729.1728579288.git.lukas@wunner.de
    Reported-by: Dennis Wassenberg <[email protected]>
    Closes: https://lore.kernel.org/r/[email protected]/
    Tested-by: Dennis Wassenberg <[email protected]>
    Signed-off-by: Lukas Wunner <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Reviewed-by: Mika Westerberg <[email protected]>
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
perf probe: Correct demangled symbols in C++ program [+ + +]
Author: Leo Yan <[email protected]>
Date:   Sat Oct 12 15:14:32 2024 +0100

    perf probe: Correct demangled symbols in C++ program
    
    [ Upstream commit 314909f13cc12d47c468602c37dace512d225eeb ]
    
    An issue can be observed when probe C++ demangled symbol with steps:
    
      # nm test_cpp_mangle | grep print_data
        0000000000000c94 t _GLOBAL__sub_I__Z10print_datai
        0000000000000afc T _Z10print_datai
        0000000000000b38 T _Z10print_dataR5Point
    
      # perf probe -x /home/niayan01/test_cpp_mangle -F --demangle
        ...
        print_data(Point&)
        print_data(int)
        ...
    
      # perf --debug verbose=3 probe -x test_cpp_mangle --add "test=print_data(int)"
        probe-definition(0): test=print_data(int)
        symbol:print_data(int) file:(null) line:0 offset:0 return:0 lazy:(null)
        0 arguments
        Open Debuginfo file: /home/niayan01/test_cpp_mangle
        Try to find probe point from debuginfo.
        Symbol print_data(int) address found : afc
        Matched function: print_data [2ccf]
        Probe point found: print_data+0
        Found 1 probe_trace_events.
        Opening /sys/kernel/tracing//uprobe_events write=1
        Opening /sys/kernel/tracing//README write=0
        Writing event: p:probe_test_cpp_mangle/test /home/niayan01/test_cpp_mangle:0xb38
        ...
    
    When tried to probe symbol "print_data(int)", the log shows:
    
        Symbol print_data(int) address found : afc
    
    The found address is 0xafc - which is right with verifying the output
    result from nm. Afterwards when write event, the command uses offset
    0xb38 in the last log, which is a wrong address.
    
    The dwarf_diename() gets a common function name, in above case, it
    returns string "print_data". As a result, the tool parses the offset
    based on the common name. This leads to probe at the wrong symbol
    "print_data(Point&)".
    
    To fix the issue, use the die_get_linkage_name() function to retrieve
    the distinct linkage name - this is the mangled name for the C++ case.
    Based on this unique name, the tool can get a correct offset for
    probing. Based on DWARF doc, it is possible the linkage name is missed
    in the DIE, it rolls back to use dwarf_diename().
    
    After:
    
      # perf --debug verbose=3 probe -x test_cpp_mangle --add "test=print_data(int)"
        probe-definition(0): test=print_data(int)
        symbol:print_data(int) file:(null) line:0 offset:0 return:0 lazy:(null)
        0 arguments
        Open Debuginfo file: /home/niayan01/test_cpp_mangle
        Try to find probe point from debuginfo.
        Symbol print_data(int) address found : afc
        Matched function: print_data [2d06]
        Probe point found: print_data+0
        Found 1 probe_trace_events.
        Opening /sys/kernel/tracing//uprobe_events write=1
        Opening /sys/kernel/tracing//README write=0
        Writing event: p:probe_test_cpp_mangle/test /home/niayan01/test_cpp_mangle:0xafc
        Added new event:
          probe_test_cpp_mangle:test (on print_data(int) in /home/niayan01/test_cpp_mangle)
    
        You can now use it in all perf tools, such as:
    
                perf record -e probe_test_cpp_mangle:test -aR sleep 1
    
      # perf --debug verbose=3 probe -x test_cpp_mangle --add "test2=print_data(Point&)"
        probe-definition(0): test2=print_data(Point&)
        symbol:print_data(Point&) file:(null) line:0 offset:0 return:0 lazy:(null)
        0 arguments
        Open Debuginfo file: /home/niayan01/test_cpp_mangle
        Try to find probe point from debuginfo.
        Symbol print_data(Point&) address found : b38
        Matched function: print_data [2ccf]
        Probe point found: print_data+0
        Found 1 probe_trace_events.
        Opening /sys/kernel/tracing//uprobe_events write=1
        Parsing probe_events: p:probe_test_cpp_mangle/test /home/niayan01/test_cpp_mangle:0x0000000000000afc
        Group:probe_test_cpp_mangle Event:test probe:p
        Opening /sys/kernel/tracing//README write=0
        Writing event: p:probe_test_cpp_mangle/test2 /home/niayan01/test_cpp_mangle:0xb38
        Added new event:
          probe_test_cpp_mangle:test2 (on print_data(Point&) in /home/niayan01/test_cpp_mangle)
    
        You can now use it in all perf tools, such as:
    
                perf record -e probe_test_cpp_mangle:test2 -aR sleep 1
    
    Fixes: fb1587d869a3 ("perf probe: List probes with line number and file name")
    Signed-off-by: Leo Yan <[email protected]>
    Acked-by: Masami Hiramatsu (Google) <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Namhyung Kim <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
power: supply: core: Remove might_sleep() from power_supply_put() [+ + +]
Author: Bart Van Assche <[email protected]>
Date:   Tue Sep 17 12:39:14 2024 -0700

    power: supply: core: Remove might_sleep() from power_supply_put()
    
    [ Upstream commit f6da4553ff24a5d1c959c9627c965323adc3d307 ]
    
    The put_device() call in power_supply_put() may call
    power_supply_dev_release(). The latter function does not sleep so
    power_supply_put() doesn't sleep either. Hence, remove the might_sleep()
    call from power_supply_put(). This patch suppresses false positive
    complaints about calling a sleeping function from atomic context if
    power_supply_put() is called from atomic context.
    
    Cc: Kyle Tso <[email protected]>
    Cc: Krzysztof Kozlowski <[email protected]>
    Fixes: 1a352462b537 ("power_supply: Add power_supply_put for decrementing device reference counter")
    Signed-off-by: Bart Van Assche <[email protected]>
    Reviewed-by: Krzysztof Kozlowski <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Sebastian Reichel <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static [+ + +]
Author: Michal Suchanek <[email protected]>
Date:   Tue Oct 1 15:03:49 2024 +0200

    powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static
    
    [ Upstream commit a26c4dbb3d9c1821cb0fc11cb2dbc32d5bf3463b ]
    
    These functions are not used outside of sstep.c
    
    Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code")
    Signed-off-by: Michal Suchanek <[email protected]>
    Signed-off-by: Michael Ellerman <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
powerpc/vdso: Flag VDSO64 entry points as functions [+ + +]
Author: Christophe Leroy <[email protected]>
Date:   Thu Oct 10 00:17:57 2024 +0200

    powerpc/vdso: Flag VDSO64 entry points as functions
    
    [ Upstream commit 0161bd38c24312853ed5ae9a425a1c41c4ac674a ]
    
    On powerpc64 as shown below by readelf, vDSO functions symbols have
    type NOTYPE.
    
    $ powerpc64-linux-gnu-readelf -a arch/powerpc/kernel/vdso/vdso64.so.dbg
    ELF Header:
      Magic:   7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00
      Class:                             ELF64
      Data:                              2's complement, big endian
      Version:                           1 (current)
      OS/ABI:                            UNIX - System V
      ABI Version:                       0
      Type:                              DYN (Shared object file)
      Machine:                           PowerPC64
      Version:                           0x1
    ...
    
    Symbol table '.dynsym' contains 12 entries:
       Num:    Value          Size Type    Bind   Vis      Ndx Name
    ...
         1: 0000000000000524    84 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
    ...
         4: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  ABS LINUX_2.6.15
         5: 00000000000006c0    48 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
    
    Symbol table '.symtab' contains 56 entries:
       Num:    Value          Size Type    Bind   Vis      Ndx Name
    ...
        45: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  ABS LINUX_2.6.15
        46: 00000000000006c0    48 NOTYPE  GLOBAL DEFAULT    8 __kernel_getcpu
        47: 0000000000000524    84 NOTYPE  GLOBAL DEFAULT    8 __kernel_clock_getres
    
    To overcome that, commit ba83b3239e65 ("selftests: vDSO: fix vDSO
    symbols lookup for powerpc64") was applied to have selftests also
    look for NOTYPE symbols, but the correct fix should be to flag VDSO
    entry points as functions.
    
    The original commit that brought VDSO support into powerpc/64 has the
    following explanation:
    
        Note that the symbols exposed by the vDSO aren't "normal" function symbols, apps
        can't be expected to link against them directly, the vDSO's are both seen
        as if they were linked at 0 and the symbols just contain offsets to the
        various functions.  This is done on purpose to avoid a relocation step
        (ppc64 functions normally have descriptors with abs addresses in them).
        When glibc uses those functions, it's expected to use it's own trampolines
        that know how to reach them.
    
    The descriptors it's talking about are the OPD function descriptors
    used on ABI v1 (big endian). But it would be more correct for a text
    symbol to have type function, even if there's no function descriptor
    for it.
    
    glibc has a special case already for handling the VDSO symbols which
    creates a fake opd pointing at the kernel symbol. So changing the VDSO
    symbol type to function shouldn't affect that.
    
    For ABI v2, there is no function descriptors and VDSO functions can
    safely have function type.
    
    So lets flag VDSO entry points as functions and revert the
    selftest change.
    
    Link: https://github.com/mpe/linux-fullhistory/commit/5f2dd691b62da9d9cc54b938f8b29c22c93cb805
    Fixes: ba83b3239e65 ("selftests: vDSO: fix vDSO symbols lookup for powerpc64")
    Signed-off-by: Christophe Leroy <[email protected]>
    Reviewed-By: Segher Boessenkool <[email protected]>
    Signed-off-by: Michael Ellerman <[email protected]>
    Link: https://patch.msgid.link/b6ad2f1ee9887af3ca5ecade2a56f4acda517a85.1728512263.git.christophe.leroy@csgroup.eu
    Signed-off-by: Sasha Levin <[email protected]>

 
proc/softirqs: replace seq_printf with seq_put_decimal_ull_width [+ + +]
Author: David Wang <[email protected]>
Date:   Wed Nov 6 10:12:28 2024 +0800

    proc/softirqs: replace seq_printf with seq_put_decimal_ull_width
    
    [ Upstream commit 84b9749a3a704dcc824a88aa8267247c801d51e4 ]
    
    seq_printf is costy, on a system with n CPUs, reading /proc/softirqs
    would yield 10*n decimal values, and the extra cost parsing format string
    grows linearly with number of cpus. Replace seq_printf with
    seq_put_decimal_ull_width have significant performance improvement.
    On an 8CPUs system, reading /proc/softirqs show ~40% performance
    gain with this patch.
    
    Signed-off-by: David Wang <[email protected]>
    Signed-off-by: Linus Torvalds <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey [+ + +]
Author: Kashyap Desai <[email protected]>
Date:   Mon Oct 28 03:06:54 2024 -0700

    RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey
    
    [ Upstream commit 808ca6de989c598bc5af1ae0ad971a66077efac0 ]
    
    Invalidate rkey is cpu endian and immediate data is in big endian format.
    Both immediate data and invalidate the remote key returned by
    HW is in little endian format.
    
    While handling the commit in fixes tag, the difference between
    immediate data and invalidate rkey endianness was not considered.
    
    Without changes of this patch, Kernel ULP was failing while processing
    inv_rkey.
    
    dmesg log snippet -
    nvme nvme0: Bogus remote invalidation for rkey 0x2000019Fix in this patch
    
    Do endianness conversion based on completion queue entry flag.
    Also, the HW completions are already converted to host endianness in
    bnxt_qplib_cq_process_res_rc and bnxt_qplib_cq_process_res_ud and there
    is no need to convert it again in bnxt_re_poll_cq. Modified the union to
    hold the correct data type.
    
    Fixes: 95b087f87b78 ("bnxt_re: Fix imm_data endianness")
    Signed-off-by: Kashyap Desai <[email protected]>
    Signed-off-by: Selvin Xavier <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Leon Romanovsky <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
regmap: irq: Set lockdep class for hierarchical IRQ domains [+ + +]
Author: Andy Shevchenko <[email protected]>
Date:   Fri Nov 1 18:55:53 2024 +0200

    regmap: irq: Set lockdep class for hierarchical IRQ domains
    
    [ Upstream commit 953e549471cabc9d4980f1da2e9fa79f4c23da06 ]
    
    Lockdep gives a false positive splat as it can't distinguish the lock
    which is taken by different IRQ descriptors from different IRQ chips
    that are organized in a way of a hierarchy:
    
       ======================================================
       WARNING: possible circular locking dependency detected
       6.12.0-rc5-next-20241101-00148-g9fabf8160b53 #562 Tainted: G        W
       ------------------------------------------------------
       modprobe/141 is trying to acquire lock:
       ffff899446947868 (intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock){+.+.}-{4:4}, at: regmap_update_bits_base+0x33/0x90
    
       but task is already holding lock:
       ffff899446947c68 (&d->lock){+.+.}-{4:4}, at: __setup_irq+0x682/0x790
    
       which lock already depends on the new lock.
    
       -> #3 (&d->lock){+.+.}-{4:4}:
       -> #2 (&desc->request_mutex){+.+.}-{4:4}:
       -> #1 (ipclock){+.+.}-{4:4}:
       -> #0 (intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock){+.+.}-{4:4}:
    
       Chain exists of:
         intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock --> &desc->request_mutex --> &d->lock
    
        Possible unsafe locking scenario:
    
              CPU0                    CPU1
              ----                    ----
         lock(&d->lock);
                                      lock(&desc->request_mutex);
                                      lock(&d->lock);
         lock(intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock);
    
        *** DEADLOCK ***
    
       3 locks held by modprobe/141:
        #0: ffff8994419368f8 (&dev->mutex){....}-{4:4}, at: __driver_attach+0xf6/0x250
        #1: ffff89944690b250 (&desc->request_mutex){+.+.}-{4:4}, at: __setup_irq+0x1a2/0x790
        #2: ffff899446947c68 (&d->lock){+.+.}-{4:4}, at: __setup_irq+0x682/0x790
    
    Set a lockdep class when we map the IRQ so that it doesn't warn about
    a lockdep bug that doesn't exist.
    
    Fixes: 4af8be67fd99 ("regmap: Convert regmap_irq to use irq_domain")
    Signed-off-by: Andy Shevchenko <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" [+ + +]
Author: Aurelien Jarno <[email protected]>
Date:   Sun Nov 10 12:46:36 2024 +0100

    Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"
    
    commit 1635e407a4a64d08a8517ac59ca14ad4fc785e75 upstream.
    
    The commit 8396c793ffdf ("mmc: dw_mmc: Fix IDMAC operation with pages
    bigger than 4K") increased the max_req_size, even for 4K pages, causing
    various issues:
    - Panic booting the kernel/rootfs from an SD card on Rockchip RK3566
    - Panic booting the kernel/rootfs from an SD card on StarFive JH7100
    - "swiotlb buffer is full" and data corruption on StarFive JH7110
    
    At this stage no fix have been found, so it's probably better to just
    revert the change.
    
    This reverts commit 8396c793ffdf28bb8aee7cfe0891080f8cab7890.
    
    Cc: [email protected]
    Cc: Sam Protsenko <[email protected]>
    Fixes: 8396c793ffdf ("mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K")
    Closes: https://lore.kernel.org/linux-mmc/[email protected]/
    Closes: https://lore.kernel.org/linux-mmc/CAC8uq=Ppnmv98mpa1CrWLawWoPnu5abtU69v-=G-P7ysATQ2Pw@mail.gmail.com/
    Signed-off-by: Aurelien Jarno <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit" [+ + +]
Author: Greg Kroah-Hartman <[email protected]>
Date:   Sat Nov 30 16:55:56 2024 +0100

    Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit"
    
    commit 718632467d88e98816fa01ab12681ef1c2aa56f8 upstream.
    
    This reverts commit 3791ea69a4858b81e0277f695ca40f5aae40f312.
    
    It was reported to cause boot-time issues, so revert it for now.
    
    Reported-by: Geert Uytterhoeven <[email protected]>
    Fixes: 3791ea69a485 ("serial: sh-sci: Clean sci_ports[0] after at earlycon exit")
    Cc: stable <[email protected]>
    Cc: Claudiu Beznea <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Revert "usb: gadget: composite: fix OS descriptors w_value logic" [+ + +]
Author: Michal Vrastil <[email protected]>
Date:   Wed Nov 13 15:54:33 2024 -0800

    Revert "usb: gadget: composite: fix OS descriptors w_value logic"
    
    commit 51cdd69d6a857f527d6d0697a2e1f0fa8bca1005 upstream.
    
    This reverts commit ec6ce7075ef879b91a8710829016005dc8170f17.
    
    Fix installation of WinUSB driver using OS descriptors. Without the
    fix the drivers are not installed correctly and the property
    'DeviceInterfaceGUID' is missing on host side.
    
    The original change was based on the assumption that the interface
    number is in the high byte of wValue but it is in the low byte,
    instead. Unfortunately, the fix is based on MS documentation which is
    also wrong.
    
    The actual USB request for OS descriptors (using USB analyzer) looks
    like:
    
    Offset  0   1   2   3   4   5   6   7
    0x000   C1  A1  02  00  05  00  0A  00
    
    C1: bmRequestType (device to host, vendor, interface)
    A1: nas magic number
    0002: wValue (2: nas interface)
    0005: wIndex (5: get extended property i.e. nas interface GUID)
    008E: wLength (142)
    
    The fix was tested on Windows 10 and Windows 11.
    
    Cc: [email protected]
    Fixes: ec6ce7075ef8 ("usb: gadget: composite: fix OS descriptors w_value logic")
    Signed-off-by: Michal Vrastil <[email protected]>
    Signed-off-by: Elson Roy Serrao <[email protected]>
    Acked-by: Peter korsgaard <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
rpmsg: glink: Add TX_DATA_CONT command while sending [+ + +]
Author: Arun Kumar Neelakantam <[email protected]>
Date:   Thu Jul 30 10:48:13 2020 +0530

    rpmsg: glink: Add TX_DATA_CONT command while sending
    
    [ Upstream commit 8956927faed366b60b0355f4a4317a10e281ced7 ]
    
    With current design the transport can send packets of size upto
    FIFO_SIZE which is 16k and return failure for all packets above 16k.
    
    Add TX_DATA_CONT command to send packets greater than 16k by splitting
    into 8K chunks.
    
    Signed-off-by: Arun Kumar Neelakantam <[email protected]>
    Signed-off-by: Deepak Kumar Singh <[email protected]>
    Signed-off-by: Bjorn Andersson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Stable-dep-of: 06c59d97f63c ("rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length")
    Signed-off-by: Sasha Levin <[email protected]>

rpmsg: glink: Fix GLINK command prefix [+ + +]
Author: Bjorn Andersson <[email protected]>
Date:   Tue Feb 14 14:59:33 2023 -0800

    rpmsg: glink: Fix GLINK command prefix
    
    [ Upstream commit 4e816d0318fdfe8932da80dbf04ba318b13e4b3a ]
    
    The upstream GLINK driver was first introduced to communicate with the
    RPM on MSM8996, presumably as an artifact from that era the command
    defines was prefixed RPM_CMD, while they actually are GLINK_CMDs.
    
    Let's rename these, to keep things tidy. No functional change.
    
    Signed-off-by: Bjorn Andersson <[email protected]>
    Reviewed-by: Chris Lew <[email protected]>
    Signed-off-by: Bjorn Andersson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Stable-dep-of: 06c59d97f63c ("rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length")
    Signed-off-by: Sasha Levin <[email protected]>

rpmsg: glink: Propagate TX failures in intentless mode as well [+ + +]
Author: Bjorn Andersson <[email protected]>
Date:   Tue Apr 18 09:30:17 2023 -0700

    rpmsg: glink: Propagate TX failures in intentless mode as well
    
    commit 7a68f9fa97357a0f2073c9c31ed4101da4fce93e upstream.
    
    As support for splitting transmission over several messages using
    TX_DATA_CONT was introduced it does not immediately return the return
    value of qcom_glink_tx().
    
    The result is that in the intentless case (i.e. intent == NULL), the
    code will continue to send all additional chunks. This is wasteful, and
    it's possible that the send operation could incorrectly indicate
    success, if the last chunk fits in the TX fifo.
    
    Fix the condition.
    
    Fixes: 8956927faed3 ("rpmsg: glink: Add TX_DATA_CONT command while sending")
    Reviewed-by: Chris Lew <[email protected]>
    Signed-off-by: Bjorn Andersson <[email protected]>
    Signed-off-by: Bjorn Andersson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

rpmsg: glink: Send READ_NOTIFY command in FIFO full case [+ + +]
Author: Arun Kumar Neelakantam <[email protected]>
Date:   Thu Jul 30 10:48:16 2020 +0530

    rpmsg: glink: Send READ_NOTIFY command in FIFO full case
    
    [ Upstream commit b16a37e1846c9573a847a56fa2f31ba833dae45a ]
    
    The current design sleeps unconditionally in TX FIFO full case and
    wakeup only after sleep timer expires which adds random delays in
    clients TX path.
    
    Avoid sleep and use READ_NOTIFY command so that writer can be woken up
    when remote notifies about read completion by sending IRQ.
    
    Signed-off-by: Deepak Kumar Singh <[email protected]>
    Signed-off-by: Arun Kumar Neelakantam <[email protected]>
    Signed-off-by: Bjorn Andersson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Stable-dep-of: 06c59d97f63c ("rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length")
    Signed-off-by: Sasha Levin <[email protected]>

rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length [+ + +]
Author: Jonathan Marek <[email protected]>
Date:   Mon Oct 7 19:59:35 2024 -0400

    rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length
    
    [ Upstream commit 06c59d97f63c1b8af521fa5aef8a716fb988b285 ]
    
    The name len field of the CMD_OPEN packet is only 16-bits and the upper
    16-bits of "param2" are a different "prio" field, which can be nonzero in
    certain situations, and CMD_OPEN packets can be unexpectedly dropped
    because of this.
    
    Fix this by masking out the upper 16 bits of param2.
    
    Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
    Signed-off-by: Jonathan Marek <[email protected]>
    Reviewed-by: Dmitry Baryshkov <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Bjorn Andersson <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
rtc: check if __rtc_read_time was successful in rtc_timer_do_work() [+ + +]
Author: Yongliang Gao <[email protected]>
Date:   Fri Oct 11 12:31:53 2024 +0800

    rtc: check if __rtc_read_time was successful in rtc_timer_do_work()
    
    [ Upstream commit e8ba8a2bc4f60a1065f23d6a0e7cbea945a0f40d ]
    
    If the __rtc_read_time call fails,, the struct rtc_time tm; may contain
    uninitialized data, or an illegal date/time read from the RTC hardware.
    
    When calling rtc_tm_to_ktime later, the result may be a very large value
    (possibly KTIME_MAX). If there are periodic timers in rtc->timerqueue,
    they will continually expire, may causing kernel softlockup.
    
    Fixes: 6610e0893b8b ("RTC: Rework RTC code to use timerqueue for events")
    Signed-off-by: Yongliang Gao <[email protected]>
    Acked-by: Jingqun Li <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Alexandre Belloni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
s390/syscalls: Avoid creation of arch/arch/ directory [+ + +]
Author: Masahiro Yamada <[email protected]>
Date:   Mon Nov 11 22:45:52 2024 +0900

    s390/syscalls: Avoid creation of arch/arch/ directory
    
    [ Upstream commit 0708967e2d56e370231fd07defa0d69f9ad125e8 ]
    
    Building the kernel with ARCH=s390 creates a weird arch/arch/ directory.
    
      $ find arch/arch
      arch/arch
      arch/arch/s390
      arch/arch/s390/include
      arch/arch/s390/include/generated
      arch/arch/s390/include/generated/asm
      arch/arch/s390/include/generated/uapi
      arch/arch/s390/include/generated/uapi/asm
    
    The root cause is 'targets' in arch/s390/kernel/syscalls/Makefile,
    where the relative path is incorrect.
    
    Strictly speaking, 'targets' was not necessary in the first place
    because this Makefile uses 'filechk' instead of 'if_changed'.
    
    However, this commit keeps it, as it will be useful when converting
    'filechk' to 'if_changed' later.
    
    Fixes: 5c75824d915e ("s390/syscalls: add Makefile to generate system call header files")
    Signed-off-by: Masahiro Yamada <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Heiko Carstens <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
scsi: bfa: Fix use-after-free in bfad_im_module_exit() [+ + +]
Author: Ye Bin <[email protected]>
Date:   Wed Oct 23 09:18:09 2024 +0800

    scsi: bfa: Fix use-after-free in bfad_im_module_exit()
    
    [ Upstream commit 178b8f38932d635e90f5f0e9af1986c6f4a89271 ]
    
    BUG: KASAN: slab-use-after-free in __lock_acquire+0x2aca/0x3a20
    Read of size 8 at addr ffff8881082d80c8 by task modprobe/25303
    
    Call Trace:
     <TASK>
     dump_stack_lvl+0x95/0xe0
     print_report+0xcb/0x620
     kasan_report+0xbd/0xf0
     __lock_acquire+0x2aca/0x3a20
     lock_acquire+0x19b/0x520
     _raw_spin_lock+0x2b/0x40
     attribute_container_unregister+0x30/0x160
     fc_release_transport+0x19/0x90 [scsi_transport_fc]
     bfad_im_module_exit+0x23/0x60 [bfa]
     bfad_init+0xdb/0xff0 [bfa]
     do_one_initcall+0xdc/0x550
     do_init_module+0x22d/0x6b0
     load_module+0x4e96/0x5ff0
     init_module_from_file+0xcd/0x130
     idempotent_init_module+0x330/0x620
     __x64_sys_finit_module+0xb3/0x110
     do_syscall_64+0xc1/0x1d0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
     </TASK>
    
    Allocated by task 25303:
     kasan_save_stack+0x24/0x50
     kasan_save_track+0x14/0x30
     __kasan_kmalloc+0x7f/0x90
     fc_attach_transport+0x4f/0x4740 [scsi_transport_fc]
     bfad_im_module_init+0x17/0x80 [bfa]
     bfad_init+0x23/0xff0 [bfa]
     do_one_initcall+0xdc/0x550
     do_init_module+0x22d/0x6b0
     load_module+0x4e96/0x5ff0
     init_module_from_file+0xcd/0x130
     idempotent_init_module+0x330/0x620
     __x64_sys_finit_module+0xb3/0x110
     do_syscall_64+0xc1/0x1d0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Freed by task 25303:
     kasan_save_stack+0x24/0x50
     kasan_save_track+0x14/0x30
     kasan_save_free_info+0x3b/0x60
     __kasan_slab_free+0x38/0x50
     kfree+0x212/0x480
     bfad_im_module_init+0x7e/0x80 [bfa]
     bfad_init+0x23/0xff0 [bfa]
     do_one_initcall+0xdc/0x550
     do_init_module+0x22d/0x6b0
     load_module+0x4e96/0x5ff0
     init_module_from_file+0xcd/0x130
     idempotent_init_module+0x330/0x620
     __x64_sys_finit_module+0xb3/0x110
     do_syscall_64+0xc1/0x1d0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Above issue happens as follows:
    
    bfad_init
      error = bfad_im_module_init()
        fc_release_transport(bfad_im_scsi_transport_template);
      if (error)
        goto ext;
    
    ext:
      bfad_im_module_exit();
        fc_release_transport(bfad_im_scsi_transport_template);
        --> Trigger double release
    
    Don't call bfad_im_module_exit() if bfad_im_module_init() failed.
    
    Fixes: 7725ccfda597 ("[SCSI] bfa: Brocade BFA FC SCSI driver")
    Signed-off-by: Ye Bin <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Martin K. Petersen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

scsi: fusion: Remove unused variable 'rc' [+ + +]
Author: Zeng Heng <[email protected]>
Date:   Thu Oct 24 16:44:17 2024 +0800

    scsi: fusion: Remove unused variable 'rc'
    
    [ Upstream commit bd65694223f7ad11c790ab63ad1af87a771192ee ]
    
    The return value of scsi_device_reprobe() is currently ignored in
    _scsih_reprobe_lun(). Fixing the calling code to deal with the potential
    error is non-trivial, so for now just WARN_ON().
    
    The handling of scsi_device_reprobe()'s return value refers to
    _scsih_reprobe_lun() and the following link:
    
    https://lore.kernel.org/all/094fdbf57487af4f395238c0525b2a560c8f68f0.1469766027.git.calvinowens@fb.com/
    
    Fixes: f99be43b3024 ("[SCSI] fusion: power pc and miscellaneous bug fixs")
    Signed-off-by: Zeng Heng <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Martin K. Petersen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb() [+ + +]
Author: Zhen Lei <[email protected]>
Date:   Sat Oct 26 20:57:11 2024 +0800

    scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()
    
    [ Upstream commit 95bbdca4999bc59a72ebab01663d421d6ce5775d ]
    
    Hook "qedi_ops->common->sb_init = qed_sb_init" does not release the DMA
    memory sb_virt when it fails. Add dma_free_coherent() to free it. This
    is the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb().
    
    Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
    Signed-off-by: Zhen Lei <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Martin K. Petersen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
selftests/watchdog-test: Fix system accidentally reset after watchdog-test [+ + +]
Author: Li Zhijian <[email protected]>
Date:   Tue Oct 29 11:13:24 2024 +0800

    selftests/watchdog-test: Fix system accidentally reset after watchdog-test
    
    [ Upstream commit dc1308bee1ed03b4d698d77c8bd670d399dcd04d ]
    
    When running watchdog-test with 'make run_tests', the watchdog-test will
    be terminated by a timeout signal(SIGTERM) due to the test timemout.
    
    And then, a system reboot would happen due to watchdog not stop. see
    the dmesg as below:
    ```
    [ 1367.185172] watchdog: watchdog0: watchdog did not stop!
    ```
    
    Fix it by registering more signals(including SIGTERM) in watchdog-test,
    where its signal handler will stop the watchdog.
    
    After that
     # timeout 1 ./watchdog-test
     Watchdog Ticking Away!
     .
     Stopping watchdog ticks...
    
    Link: https://lore.kernel.org/all/[email protected]/
    Signed-off-by: Li Zhijian <[email protected]>
    Reviewed-by: Shuah Khan <[email protected]>
    Signed-off-by: Shuah Khan <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
serial: 8250: omap: Move pm_runtime_get_sync [+ + +]
Author: Bin Liu <[email protected]>
Date:   Thu Oct 31 12:23:15 2024 -0500

    serial: 8250: omap: Move pm_runtime_get_sync
    
    commit bcc7ba668818dcadd2f1db66b39ed860a63ecf97 upstream.
    
    Currently in omap_8250_shutdown, the dma->rx_running flag is
    set to zero in omap_8250_rx_dma_flush. Next pm_runtime_get_sync
    is called, which is a runtime resume call stack which can
    re-set the flag. When the call omap_8250_shutdown returns, the
    flag is expected to be UN-SET, but this is not the case. This
    is causing issues the next time UART is re-opened and
    omap_8250_rx_dma is called. Fix by moving pm_runtime_get_sync
    before the omap_8250_rx_dma_flush.
    
    cc: [email protected]
    Fixes: 0e31c8d173ab ("tty: serial: 8250_omap: add custom DMA-RX callback")
    Signed-off-by: Bin Liu <[email protected]>
    [Judith: Add commit message]
    Signed-off-by: Judith Mendez <[email protected]>
    Reviewed-by: Kevin Hilman <[email protected]>
    Tested-by: Kevin Hilman <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

serial: sh-sci: Clean sci_ports[0] after at earlycon exit [+ + +]
Author: Claudiu Beznea <[email protected]>
Date:   Wed Nov 6 14:01:12 2024 +0200

    serial: sh-sci: Clean sci_ports[0] after at earlycon exit
    
    commit 3791ea69a4858b81e0277f695ca40f5aae40f312 upstream.
    
    The early_console_setup() function initializes the sci_ports[0].port with
    an object of type struct uart_port obtained from the object of type
    struct earlycon_device received as argument by the early_console_setup().
    
    It may happen that later, when the rest of the serial ports are probed,
    the serial port that was used as earlycon (e.g., port A) to be mapped to a
    different position in sci_ports[] and the slot 0 to be used by a different
    serial port (e.g., port B), as follows:
    
    sci_ports[0] = port A
    sci_ports[X] = port B
    
    In this case, the new port mapped at index zero will have associated data
    that was used for earlycon.
    
    In case this happens, after Linux boot, any access to the serial port that
    maps on sci_ports[0] (port A) will block the serial port that was used as
    earlycon (port B).
    
    To fix this, add early_console_exit() that clean the sci_ports[0] at
    earlycon exit time.
    
    Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
    Cc: [email protected]
    Signed-off-by: Claudiu Beznea <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK [+ + +]
Author: Huacai Chen <[email protected]>
Date:   Thu Jul 14 16:41:36 2022 +0800

    sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
    
    commit 3c891f7c6a4e90bb1199497552f24b26e46383bc upstream.
    
    When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected,
    cpu_max_bits_warn() generates a runtime warning similar as below when
    showing /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)
    instead of NR_CPUS to iterate CPUs.
    
    [    3.052463] ------------[ cut here ]------------
    [    3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0
    [    3.070072] Modules linked in: efivarfs autofs4
    [    3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052
    [    3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000
    [    3.109127]         9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430
    [    3.118774]         90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff
    [    3.128412]         0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890
    [    3.138056]         0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa
    [    3.147711]         ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000
    [    3.157364]         900000000101c998 0000000000000004 9000000000ef7430 0000000000000000
    [    3.167012]         0000000000000009 000000000000006c 0000000000000000 0000000000000000
    [    3.176641]         9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286
    [    3.186260]         00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c
    [    3.195868]         ...
    [    3.199917] Call Trace:
    [    3.203941] [<90000000002086d8>] show_stack+0x38/0x14c
    [    3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88
    [    3.217625] [<900000000023d268>] __warn+0xd0/0x100
    [    3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc
    [    3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0
    [    3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4
    [    3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4
    [    3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0
    [    3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100
    [    3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94
    [    3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160
    [    3.281824] ---[ end trace 8b484262b4b8c24c ]---
    
    Cc: [email protected]
    Signed-off-by: Huacai Chen <[email protected]>
    Reviewed-by: John Paul Adrian Glaubitz <[email protected]>
    Tested-by: John Paul Adrian Glaubitz <[email protected]>
    Signed-off-by: John Paul Adrian Glaubitz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

sh: intc: Fix use-after-free bug in register_intc_controller() [+ + +]
Author: Dan Carpenter <[email protected]>
Date:   Wed Oct 23 11:41:59 2024 +0300

    sh: intc: Fix use-after-free bug in register_intc_controller()
    
    [ Upstream commit 63e72e551942642c48456a4134975136cdcb9b3c ]
    
    In the error handling for this function, d is freed without ever
    removing it from intc_list which would lead to a use after free.
    To fix this, let's only add it to the list after everything has
    succeeded.
    
    Fixes: 2dcec7a988a1 ("sh: intc: set_irq_wake() support")
    Signed-off-by: Dan Carpenter <[email protected]>
    Reviewed-by: John Paul Adrian Glaubitz <[email protected]>
    Signed-off-by: John Paul Adrian Glaubitz <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get() [+ + +]
Author: Dan Carpenter <[email protected]>
Date:   Mon Sep 30 10:51:31 2024 +0300

    soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()
    
    [ Upstream commit 78261cb08f06c93d362cab5c5034bf5899bc7552 ]
    
    This loop is supposed to break if the frequency returned from
    clk_round_rate() is the same as on the previous iteration.  However,
    that check doesn't make sense on the first iteration through the loop.
    It leads to reading before the start of these->clk_perf_tbl[] array.
    
    Fixes: eddac5af0654 ("soc: qcom: Add GENI based QUP Wrapper driver")
    Signed-off-by: Dan Carpenter <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Bjorn Andersson <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
spi: Fix acpi deferred irq probe [+ + +]
Author: Stanislaw Gruszka <[email protected]>
Date:   Fri Nov 22 10:42:24 2024 +0100

    spi: Fix acpi deferred irq probe
    
    commit d24cfee7f63d6b44d45a67c5662bd1cc48e8b3ca upstream.
    
    When probing spi device take care of deferred probe of ACPI irq gpio
    similar like for OF/DT case.
    
    >From practical standpoint this fixes issue with vsc-tp driver on
    Dell XP 9340 laptop, which try to request interrupt with spi->irq
    equal to -EPROBE_DEFER and fail to probe with the following error:
    
    vsc-tp spi-INTC10D0:00: probe with driver vsc-tp failed with error -22
    
    Suggested-by: Hans de Goede <[email protected]>
    Fixes: 33ada67da352 ("ACPI / spi: attach GPIO IRQ from ACPI description to SPI device")
    Cc: [email protected]
    Signed-off-by: Stanislaw Gruszka <[email protected]>
    Reviewed-by: Hans de Goede <[email protected]>
    Tested-by: Alexis Lothoré <[email protected]> # Dell XPS9320, ov01a10
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets [+ + +]
Author: Pavan Chebbi <[email protected]>
Date:   Mon Nov 18 21:57:41 2024 -0800

    tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets
    
    [ Upstream commit 614f4d166eeeb9bd709b0ad29552f691c0f45776 ]
    
    The hardware on Broadcom 1G chipsets have a known limitation
    where they cannot handle DMA addresses that cross over 4GB.
    When such an address is encountered, the hardware sets the
    address overflow error bit in the DMA status register and
    triggers a reset.
    
    However, BCM57766 hardware is setting the overflow bit and
    triggering a reset in some cases when there is no actual
    underlying address overflow. The hardware team analyzed the
    issue and concluded that it is happening when the status
    block update has an address with higher (b16 to b31) bits
    as 0xffff following a previous update that had lowest bits
    as 0xffff.
    
    To work around this bug in the BCM57766 hardware, set the
    coherent dma mask from the current 64b to 31b. This will
    ensure that upper bits of the status block DMA address are
    always at most 0x7fff, thus avoiding the improper overflow
    check described above. This work around is intended for only
    status block and ring memories and has no effect on TX and
    RX buffers as they do not require coherent memory.
    
    Fixes: 72f2afb8a685 ("[TG3]: Add DMA address workaround")
    Reported-by: Salam Noureddine <[email protected]>
    Reviewed-by: Kalesh AP <[email protected]>
    Reviewed-by: Somnath Kotur <[email protected]>
    Signed-off-by: Pavan Chebbi <[email protected]>
    Reviewed-by: Michal Kubiak <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
time: Fix references to _msecs_to_jiffies() handling of values [+ + +]
Author: Miguel Ojeda <[email protected]>
Date:   Fri Oct 25 13:01:41 2024 +0200

    time: Fix references to _msecs_to_jiffies() handling of values
    
    [ Upstream commit 92b043fd995a63a57aae29ff85a39b6f30cd440c ]
    
    The details about the handling of the "normal" values were moved
    to the _msecs_to_jiffies() helpers in commit ca42aaf0c861 ("time:
    Refactor msecs_to_jiffies"). However, the same commit still mentioned
    __msecs_to_jiffies() in the added documentation.
    
    Thus point to _msecs_to_jiffies() instead.
    
    Fixes: ca42aaf0c861 ("time: Refactor msecs_to_jiffies")
    Signed-off-by: Miguel Ojeda <[email protected]>
    Signed-off-by: Thomas Gleixner <[email protected]>
    Link: https://lore.kernel.org/all/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
trace/trace_event_perf: remove duplicate samples on the first tracepoint event [+ + +]
Author: Levi Yun <[email protected]>
Date:   Fri Sep 13 03:13:47 2024 +0100

    trace/trace_event_perf: remove duplicate samples on the first tracepoint event
    
    [ Upstream commit afe5960dc208fe069ddaaeb0994d857b24ac19d1 ]
    
    When a tracepoint event is created with attr.freq = 1,
    'hwc->period_left' is not initialized correctly. As a result,
    in the perf_swevent_overflow() function, when the first time the event occurs,
    it calculates the event overflow and the perf_swevent_set_period() returns 3,
    this leads to the event are recorded for three duplicate times.
    
    Step to reproduce:
        1. Enable the tracepoint event & starting tracing
             $ echo 1 > /sys/kernel/tracing/events/module/module_free
             $ echo 1 > /sys/kernel/tracing/tracing_on
    
        2. Record with perf
             $ perf record -a --strict-freq -F 1 -e "module:module_free"
    
        3. Trigger module_free event.
             $ modprobe -i sunrpc
             $ modprobe -r sunrpc
    
    Result:
         - Trace pipe result:
             $ cat trace_pipe
             modprobe-174509  [003] .....  6504.868896: module_free: sunrpc
    
         - perf sample:
             modprobe  174509 [003]  6504.868980: module:module_free: sunrpc
             modprobe  174509 [003]  6504.868980: module:module_free: sunrpc
             modprobe  174509 [003]  6504.868980: module:module_free: sunrpc
    
    By setting period_left via perf_swevent_set_period() as other sw_event did,
    This problem could be solved.
    
    After patch:
         - Trace pipe result:
             $ cat trace_pipe
             modprobe 1153096 [068] 613468.867774: module:module_free: xfs
    
         - perf sample
             modprobe 1153096 [068] 613468.867794: module:module_free: xfs
    
    Link: https://lore.kernel.org/[email protected]
    Fixes: bd2b5b12849a ("perf_counter: More aggressive frequency adjustment")
    Signed-off-by: Levi Yun <[email protected]>
    Acked-by: Namhyung Kim <[email protected]>
    Signed-off-by: Steven Rostedt (Google) <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler [+ + +]
Author: Nicolas Bouchinet <[email protected]>
Date:   Tue Nov 12 14:13:31 2024 +0100

    tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler
    
    commit 635a9fca54f4f4148be1ae1c7c6bd37af80f5773 upstream.
    
    Commit 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of
    ldiscs") introduces the tty_ldisc_autoload sysctl with the wrong
    proc_handler. .extra1 and .extra2 parameters are set to avoid other values
    thant SYSCTL_ZERO or SYSCTL_ONE to be set but proc_dointvec do not uses
    them.
    
    This commit fixes this by using proc_dointvec_minmax instead of
    proc_dointvec.
    
    Fixes: 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of ldiscs")
    Cc: stable <[email protected]>
    Signed-off-by: Nicolas Bouchinet <[email protected]>
    Reviewed-by: Lin Feng <[email protected]>
    Reviewed-by: Jiri Slaby <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ubi: fastmap: Fix duplicate slab cache names while attaching [+ + +]
Author: Zhihao Cheng <[email protected]>
Date:   Fri Oct 11 12:50:02 2024 +0800

    ubi: fastmap: Fix duplicate slab cache names while attaching
    
    [ Upstream commit bcddf52b7a17adcebc768d26f4e27cf79adb424c ]
    
    Since commit 4c39529663b9 ("slab: Warn on duplicate cache names when
    DEBUG_VM=y"), the duplicate slab cache names can be detected and a
    kernel WARNING is thrown out.
    In UBI fast attaching process, alloc_ai() could be invoked twice
    with the same slab cache name 'ubi_aeb_slab_cache', which will trigger
    following warning messages:
     kmem_cache of name 'ubi_aeb_slab_cache' already exists
     WARNING: CPU: 0 PID: 7519 at mm/slab_common.c:107
              __kmem_cache_create_args+0x100/0x5f0
     Modules linked in: ubi(+) nandsim [last unloaded: nandsim]
     CPU: 0 UID: 0 PID: 7519 Comm: modprobe Tainted: G 6.12.0-rc2
     RIP: 0010:__kmem_cache_create_args+0x100/0x5f0
     Call Trace:
       __kmem_cache_create_args+0x100/0x5f0
       alloc_ai+0x295/0x3f0 [ubi]
       ubi_attach+0x3c3/0xcc0 [ubi]
       ubi_attach_mtd_dev+0x17cf/0x3fa0 [ubi]
       ubi_init+0x3fb/0x800 [ubi]
       do_init_module+0x265/0x7d0
       __x64_sys_finit_module+0x7a/0xc0
    
    The problem could be easily reproduced by loading UBI device by fastmap
    with CONFIG_DEBUG_VM=y.
    Fix it by using different slab names for alloc_ai() callers.
    
    Fixes: d2158f69a7d4 ("UBI: Remove alloc_ai() slab name from parameter list")
    Fixes: fdf10ed710c0 ("ubi: Rework Fastmap attach base code")
    Signed-off-by: Zhihao Cheng <[email protected]>
    Signed-off-by: Richard Weinberger <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ubi: wl: Put source PEB into correct list if trying locking LEB failed [+ + +]
Author: Zhihao Cheng <[email protected]>
Date:   Mon Aug 19 11:26:21 2024 +0800

    ubi: wl: Put source PEB into correct list if trying locking LEB failed
    
    commit d610020f030bec819f42de327c2bd5437d2766b3 upstream.
    
    During wear-leveing work, the source PEB will be moved into scrub list
    when source LEB cannot be locked in ubi_eba_copy_leb(), which is wrong
    for non-scrub type source PEB. The problem could bring extra and
    ineffective wear-leveing jobs, which makes more or less negative effects
    for the life time of flash. Specifically, the process is divided 2 steps:
    1. wear_leveling_worker // generate false scrub type PEB
         ubi_eba_copy_leb // MOVE_RETRY is returned
           leb_write_trylock // trylock failed
         scrubbing = 1;
         e1 is put into ubi->scrub
    2. wear_leveling_worker // schedule false scrub type PEB for wl
         scrubbing = 1
         e1 = rb_entry(rb_first(&ubi->scrub))
    
    The problem can be reproduced easily by running fsstress on a small
    UBIFS partition(<64M, simulated by nandsim) for 5~10mins
    (CONFIG_MTD_UBI_FASTMAP=y,CONFIG_MTD_UBI_WL_THRESHOLD=50). Following
    message is shown:
     ubi0: scrubbed PEB 66 (LEB 0:10), data moved to PEB 165
    
    Since scrub type source PEB has set variable scrubbing as '1', and
    variable scrubbing is checked before variable keep, so the problem can
    be fixed by setting keep variable as 1 directly if the source LEB cannot
    be locked.
    
    Fixes: e801e128b220 ("UBI: fix missing scrub when there is a bit-flip")
    CC: [email protected]
    Signed-off-by: Zhihao Cheng <[email protected]>
    Signed-off-by: Richard Weinberger <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ubifs: Correct the total block count by deducting journal reservation [+ + +]
Author: Zhihao Cheng <[email protected]>
Date:   Thu Sep 5 09:09:09 2024 +0800

    ubifs: Correct the total block count by deducting journal reservation
    
    [ Upstream commit 84a2bee9c49769310efa19601157ef50a1df1267 ]
    
    Since commit e874dcde1cbf ("ubifs: Reserve one leb for each journal
    head while doing budget"), available space is calulated by deducting
    reservation for all journal heads. However, the total block count (
    which is only used by statfs) is not updated yet, which will cause
    the wrong displaying for used space(total - available).
    Fix it by deducting reservation for all journal heads from total
    block count.
    
    Fixes: e874dcde1cbf ("ubifs: Reserve one leb for each journal head while doing budget")
    Signed-off-by: Zhihao Cheng <[email protected]>
    Signed-off-by: Richard Weinberger <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
um: Fix the return value of elf_core_copy_task_fpregs [+ + +]
Author: Tiwei Bie <[email protected]>
Date:   Fri Sep 13 10:33:02 2024 +0800

    um: Fix the return value of elf_core_copy_task_fpregs
    
    [ Upstream commit 865e3845eeaa21e9a62abc1361644e67124f1ec0 ]
    
    This function is expected to return a boolean value, which should be
    true on success and false on failure.
    
    Fixes: d1254b12c93e ("uml: fix x86_64 core dump crash")
    Signed-off-by: Tiwei Bie <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

um: net: Do not use drvdata in release [+ + +]
Author: Tiwei Bie <[email protected]>
Date:   Tue Nov 5 00:32:02 2024 +0800

    um: net: Do not use drvdata in release
    
    commit d1db692a9be3b4bd3473b64fcae996afaffe8438 upstream.
    
    The drvdata is not available in release. Let's just use container_of()
    to get the uml_net instance. Otherwise, removing a network device will
    result in a crash:
    
    RIP: 0033:net_device_release+0x10/0x6f
    RSP: 00000000e20c7c40  EFLAGS: 00010206
    RAX: 000000006002e4e7 RBX: 00000000600f1baf RCX: 00000000624074e0
    RDX: 0000000062778000 RSI: 0000000060551c80 RDI: 00000000627af028
    RBP: 00000000e20c7c50 R08: 00000000603ad594 R09: 00000000e20c7b70
    R10: 000000000000135a R11: 00000000603ad422 R12: 0000000000000000
    R13: 0000000062c7af00 R14: 0000000062406d60 R15: 00000000627700b6
    Kernel panic - not syncing: Segfault with no mm
    CPU: 0 UID: 0 PID: 29 Comm: kworker/0:2 Not tainted 6.12.0-rc6-g59b723cd2adb #1
    Workqueue: events mc_work_proc
    Stack:
     627af028 62c7af00 e20c7c80 60276fcd
     62778000 603f5820 627af028 00000000
     e20c7cb0 603a2bcd 627af000 62770010
    Call Trace:
     [<60276fcd>] device_release+0x70/0xba
     [<603a2bcd>] kobject_put+0xba/0xe7
     [<60277265>] put_device+0x19/0x1c
     [<60281266>] platform_device_put+0x26/0x29
     [<60281e5f>] platform_device_unregister+0x2c/0x2e
     [<6002ec9c>] net_remove+0x63/0x69
     [<60031316>] ? mconsole_reply+0x0/0x50
     [<600310c8>] mconsole_remove+0x160/0x1cc
     [<60087d40>] ? __remove_hrtimer+0x38/0x74
     [<60087ff8>] ? hrtimer_try_to_cancel+0x8c/0x98
     [<6006b3cf>] ? dl_server_stop+0x3f/0x48
     [<6006b390>] ? dl_server_stop+0x0/0x48
     [<600672e8>] ? dequeue_entities+0x327/0x390
     [<60038fa6>] ? um_set_signals+0x0/0x43
     [<6003070c>] mc_work_proc+0x77/0x91
     [<60057664>] process_scheduled_works+0x1b3/0x2dd
     [<60055f32>] ? assign_work+0x0/0x58
     [<60057f0a>] worker_thread+0x1e9/0x293
     [<6005406f>] ? set_pf_worker+0x0/0x64
     [<6005d65d>] ? arch_local_irq_save+0x0/0x2d
     [<6005d748>] ? kthread_exit+0x0/0x3a
     [<60057d21>] ? worker_thread+0x0/0x293
     [<6005dbf1>] kthread+0x126/0x12b
     [<600219c5>] new_thread_handler+0x85/0xb6
    
    Cc: [email protected]
    Signed-off-by: Tiwei Bie <[email protected]>
    Acked-By: Anton Ivanov <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

um: ubd: Do not use drvdata in release [+ + +]
Author: Tiwei Bie <[email protected]>
Date:   Tue Nov 5 00:32:01 2024 +0800

    um: ubd: Do not use drvdata in release
    
    commit 5bee35e5389f450a7eea7318deb9073e9414d3b1 upstream.
    
    The drvdata is not available in release. Let's just use container_of()
    to get the ubd instance. Otherwise, removing a ubd device will result
    in a crash:
    
    RIP: 0033:blk_mq_free_tag_set+0x1f/0xba
    RSP: 00000000e2083bf0  EFLAGS: 00010246
    RAX: 000000006021463a RBX: 0000000000000348 RCX: 0000000062604d00
    RDX: 0000000004208060 RSI: 00000000605241a0 RDI: 0000000000000348
    RBP: 00000000e2083c10 R08: 0000000062414010 R09: 00000000601603f7
    R10: 000000000000133a R11: 000000006038c4bd R12: 0000000000000000
    R13: 0000000060213a5c R14: 0000000062405d20 R15: 00000000604f7aa0
    Kernel panic - not syncing: Segfault with no mm
    CPU: 0 PID: 17 Comm: kworker/0:1 Not tainted 6.8.0-rc3-00107-gba3f67c11638 #1
    Workqueue: events mc_work_proc
    Stack:
     00000000 604f7ef0 62c5d000 62405d20
     e2083c30 6002c776 6002c755 600e47ff
     e2083c60 6025ffe3 04208060 603d36e0
    Call Trace:
     [<6002c776>] ubd_device_release+0x21/0x55
     [<6002c755>] ? ubd_device_release+0x0/0x55
     [<600e47ff>] ? kfree+0x0/0x100
     [<6025ffe3>] device_release+0x70/0xba
     [<60381d6a>] kobject_put+0xb5/0xe2
     [<6026027b>] put_device+0x19/0x1c
     [<6026a036>] platform_device_put+0x26/0x29
     [<6026ac5a>] platform_device_unregister+0x2c/0x2e
     [<6002c52e>] ubd_remove+0xb8/0xd6
     [<6002bb74>] ? mconsole_reply+0x0/0x50
     [<6002b926>] mconsole_remove+0x160/0x1cc
     [<6002bbbc>] ? mconsole_reply+0x48/0x50
     [<6003379c>] ? um_set_signals+0x3b/0x43
     [<60061c55>] ? update_min_vruntime+0x14/0x70
     [<6006251f>] ? dequeue_task_fair+0x164/0x235
     [<600620aa>] ? update_cfs_group+0x0/0x40
     [<603a0e77>] ? __schedule+0x0/0x3ed
     [<60033761>] ? um_set_signals+0x0/0x43
     [<6002af6a>] mc_work_proc+0x77/0x91
     [<600520b4>] process_scheduled_works+0x1af/0x2c3
     [<6004ede3>] ? assign_work+0x0/0x58
     [<600527a1>] worker_thread+0x2f7/0x37a
     [<6004ee3b>] ? set_pf_worker+0x0/0x64
     [<6005765d>] ? arch_local_irq_save+0x0/0x2d
     [<60058e07>] ? kthread_exit+0x0/0x3a
     [<600524aa>] ? worker_thread+0x0/0x37a
     [<60058f9f>] kthread+0x130/0x135
     [<6002068e>] new_thread_handler+0x85/0xb6
    
    Cc: [email protected]
    Signed-off-by: Tiwei Bie <[email protected]>
    Acked-By: Anton Ivanov <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

um: vector: Do not use drvdata in release [+ + +]
Author: Tiwei Bie <[email protected]>
Date:   Tue Nov 5 00:32:03 2024 +0800

    um: vector: Do not use drvdata in release
    
    commit 51b39d741970742a5c41136241a9c48ac607cf82 upstream.
    
    The drvdata is not available in release. Let's just use container_of()
    to get the vector_device instance. Otherwise, removing a vector device
    will result in a crash:
    
    RIP: 0033:vector_device_release+0xf/0x50
    RSP: 00000000e187bc40  EFLAGS: 00010202
    RAX: 0000000060028f61 RBX: 00000000600f1baf RCX: 00000000620074e0
    RDX: 000000006220b9c0 RSI: 0000000060551c80 RDI: 0000000000000000
    RBP: 00000000e187bc50 R08: 00000000603ad594 R09: 00000000e187bb70
    R10: 000000000000135a R11: 00000000603ad422 R12: 00000000623ae028
    R13: 000000006287a200 R14: 0000000062006d30 R15: 00000000623700b6
    Kernel panic - not syncing: Segfault with no mm
    CPU: 0 UID: 0 PID: 16 Comm: kworker/0:1 Not tainted 6.12.0-rc6-g59b723cd2adb #1
    Workqueue: events mc_work_proc
    Stack:
     60028f61 623ae028 e187bc80 60276fcd
     6220b9c0 603f5820 623ae028 00000000
     e187bcb0 603a2bcd 623ae000 62370010
    Call Trace:
     [<60028f61>] ? vector_device_release+0x0/0x50
     [<60276fcd>] device_release+0x70/0xba
     [<603a2bcd>] kobject_put+0xba/0xe7
     [<60277265>] put_device+0x19/0x1c
     [<60281266>] platform_device_put+0x26/0x29
     [<60281e5f>] platform_device_unregister+0x2c/0x2e
     [<60029422>] vector_remove+0x52/0x58
     [<60031316>] ? mconsole_reply+0x0/0x50
     [<600310c8>] mconsole_remove+0x160/0x1cc
     [<603b19f4>] ? strlen+0x0/0x15
     [<60066611>] ? __dequeue_entity+0x1a9/0x206
     [<600666a7>] ? set_next_entity+0x39/0x63
     [<6006666e>] ? set_next_entity+0x0/0x63
     [<60038fa6>] ? um_set_signals+0x0/0x43
     [<6003070c>] mc_work_proc+0x77/0x91
     [<60057664>] process_scheduled_works+0x1b3/0x2dd
     [<60055f32>] ? assign_work+0x0/0x58
     [<60057f0a>] worker_thread+0x1e9/0x293
     [<6005406f>] ? set_pf_worker+0x0/0x64
     [<6005d65d>] ? arch_local_irq_save+0x0/0x2d
     [<6005d748>] ? kthread_exit+0x0/0x3a
     [<60057d21>] ? worker_thread+0x0/0x293
     [<6005dbf1>] kthread+0x126/0x12b
     [<600219c5>] new_thread_handler+0x85/0xb6
    
    Cc: [email protected]
    Signed-off-by: Tiwei Bie <[email protected]>
    Acked-By: Anton Ivanov <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
USB: chaoskey: fail open after removal [+ + +]
Author: Oliver Neukum <[email protected]>
Date:   Wed Oct 2 15:21:41 2024 +0200

    USB: chaoskey: fail open after removal
    
    [ Upstream commit 422dc0a4d12d0b80dd3aab3fe5943f665ba8f041 ]
    
    chaoskey_open() takes the lock only to increase the
    counter of openings. That means that the mutual exclusion
    with chaoskey_disconnect() cannot prevent an increase
    of the counter and chaoskey_open() returning a success.
    
    If that race is hit, chaoskey_disconnect() will happily
    free all resources associated with the device after
    it has dropped the lock, as it has read the counter
    as zero.
    
    To prevent this race chaoskey_open() has to check
    the presence of the device under the lock.
    However, the current per device lock cannot be used,
    because it is a part of the data structure to be
    freed. Hence an additional global mutex is needed.
    The issue is as old as the driver.
    
    Signed-off-by: Oliver Neukum <[email protected]>
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=422188bce66e76020e55
    Fixes: 66e3e591891da ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
    Rule: add
    Link: https://lore.kernel.org/stable/20241002132201.552578-1-oneukum%40suse.com
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

USB: chaoskey: Fix possible deadlock chaoskey_list_lock [+ + +]
Author: Edward Adam Davis <[email protected]>
Date:   Wed Oct 9 22:52:07 2024 +0800

    USB: chaoskey: Fix possible deadlock chaoskey_list_lock
    
    [ Upstream commit d73dc7b182be4238b75278bfae16afb4c5564a58 ]
    
    [Syzbot reported two possible deadlocks]
    The first possible deadlock is:
    WARNING: possible recursive locking detected
    6.12.0-rc1-syzkaller-00027-g4a9fe2a8ac53 #0 Not tainted
    --------------------------------------------
    syz-executor363/2651 is trying to acquire lock:
    ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_release+0x15d/0x2c0 drivers/usb/misc/chaoskey.c:322
    
    but task is already holding lock:
    ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_release+0x7f/0x2c0 drivers/usb/misc/chaoskey.c:299
    
    other info that might help us debug this:
     Possible unsafe locking scenario:
    
           CPU0
           ----
      lock(chaoskey_list_lock);
      lock(chaoskey_list_lock);
    
     *** DEADLOCK ***
    
    The second possible deadlock is:
    WARNING: possible circular locking dependency detected
    6.12.0-rc1-syzkaller-00027-g4a9fe2a8ac53 #0 Not tainted
    ------------------------------------------------------
    kworker/0:2/804 is trying to acquire lock:
    ffffffff899dadb0 (minor_rwsem){++++}-{3:3}, at: usb_deregister_dev+0x7c/0x1e0 drivers/usb/core/file.c:186
    
    but task is already holding lock:
    ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_disconnect+0xa8/0x2a0 drivers/usb/misc/chaoskey.c:235
    
    which lock already depends on the new lock.
    
    the existing dependency chain (in reverse order) is:
    
    -> #1 (chaoskey_list_lock){+.+.}-{3:3}:
           __mutex_lock_common kernel/locking/mutex.c:608 [inline]
           __mutex_lock+0x175/0x9c0 kernel/locking/mutex.c:752
           chaoskey_open+0xdd/0x220 drivers/usb/misc/chaoskey.c:274
           usb_open+0x186/0x220 drivers/usb/core/file.c:47
           chrdev_open+0x237/0x6a0 fs/char_dev.c:414
           do_dentry_open+0x6cb/0x1390 fs/open.c:958
           vfs_open+0x82/0x3f0 fs/open.c:1088
           do_open fs/namei.c:3774 [inline]
           path_openat+0x1e6a/0x2d60 fs/namei.c:3933
           do_filp_open+0x1dc/0x430 fs/namei.c:3960
           do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
           do_sys_open fs/open.c:1430 [inline]
           __do_sys_openat fs/open.c:1446 [inline]
           __se_sys_openat fs/open.c:1441 [inline]
           __x64_sys_openat+0x175/0x210 fs/open.c:1441
           do_syscall_x64 arch/x86/entry/common.c:52 [inline]
           do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
           entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    -> #0 (minor_rwsem){++++}-{3:3}:
           check_prev_add kernel/locking/lockdep.c:3161 [inline]
           check_prevs_add kernel/locking/lockdep.c:3280 [inline]
           validate_chain kernel/locking/lockdep.c:3904 [inline]
           __lock_acquire+0x250b/0x3ce0 kernel/locking/lockdep.c:5202
           lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825
           down_write+0x93/0x200 kernel/locking/rwsem.c:1577
           usb_deregister_dev+0x7c/0x1e0 drivers/usb/core/file.c:186
           chaoskey_disconnect+0xb7/0x2a0 drivers/usb/misc/chaoskey.c:236
           usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
           device_remove drivers/base/dd.c:569 [inline]
           device_remove+0x122/0x170 drivers/base/dd.c:561
           __device_release_driver drivers/base/dd.c:1273 [inline]
           device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
           bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
           device_del+0x396/0x9f0 drivers/base/core.c:3864
           usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
           usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
           hub_port_connect drivers/usb/core/hub.c:5361 [inline]
           hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
           port_event drivers/usb/core/hub.c:5821 [inline]
           hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5903
           process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
           process_scheduled_works kernel/workqueue.c:3310 [inline]
           worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
           kthread+0x2c1/0x3a0 kernel/kthread.c:389
           ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
           ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
    
    other info that might help us debug this:
    
     Possible unsafe locking scenario:
    
           CPU0                    CPU1
           ----                    ----
      lock(chaoskey_list_lock);
                                   lock(minor_rwsem);
                                   lock(chaoskey_list_lock);
      lock(minor_rwsem);
    
     *** DEADLOCK ***
    [Analysis]
    The first is AA lock, it because wrong logic, it need a unlock.
    The second is AB lock, it needs to rearrange the order of lock usage.
    
    Fixes: 422dc0a4d12d ("USB: chaoskey: fail open after removal")
    Reported-by: [email protected]
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=685e14d04fe35692d3bc
    Signed-off-by: Edward Adam Davis <[email protected]>
    Tested-by: [email protected]
    Reported-by: [email protected]
    Tested-by: [email protected]
    Tested-by: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Cc: Oliver Neukum <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
usb: dwc3: gadget: Fix checking for number of TRBs left [+ + +]
Author: Thinh Nguyen <[email protected]>
Date:   Thu Nov 14 01:02:12 2024 +0000

    usb: dwc3: gadget: Fix checking for number of TRBs left
    
    commit 02a6982b0ccfcdc39e20016f5fc9a1b7826a6ee7 upstream.
    
    The check whether the TRB ring is full or empty in dwc3_calc_trbs_left()
    is insufficient. It assumes there are active TRBs if there's any request
    in the started_list. However, that's not the case for requests with a
    large SG list.
    
    That is, if we have a single usb request that requires more TRBs than
    the total TRBs in the TRB ring, the queued TRBs will be available when
    all the TRBs in the ring are completed. But the request is only
    partially completed and remains in the started_list. With the current
    logic, the TRB ring is empty, but dwc3_calc_trbs_left() returns 0.
    
    Fix this by additionally checking for the request->num_trbs for active
    TRB count.
    
    Cc: [email protected]
    Fixes: 51f1954ad853 ("usb: dwc3: gadget: Fix dwc3_calc_trbs_left()")
    Signed-off-by: Thinh Nguyen <[email protected]>
    Link: https://lore.kernel.org/r/708dc62b56b77da1f704cc2ae9b6ddb1f2dbef1f.1731545781.git.Thinh.Nguyen@synopsys.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: ehci-spear: fix call balance of sehci clk handling routines [+ + +]
Author: Vitalii Mordan <[email protected]>
Date:   Fri Nov 15 02:03:10 2024 +0300

    usb: ehci-spear: fix call balance of sehci clk handling routines
    
    commit 40c974826734836402abfd44efbf04f63a2cc1c1 upstream.
    
    If the clock sehci->clk was not enabled in spear_ehci_hcd_drv_probe,
    it should not be disabled in any path.
    
    Conversely, if it was enabled in spear_ehci_hcd_drv_probe, it must be disabled
    in all error paths to ensure proper cleanup.
    
    Found by Linux Verification Center (linuxtesting.org) with Klever.
    
    Fixes: 7675d6ba436f ("USB: EHCI: make ehci-spear a separate driver")
    Cc: [email protected]
    Signed-off-by: Vitalii Mordan <[email protected]>
    Acked-by: Alan Stern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read() [+ + +]
Author: Jeongjun Park <[email protected]>
Date:   Thu Sep 19 19:34:03 2024 +0900

    usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read()
    
    [ Upstream commit 44feafbaa66ec86232b123bb8437a6a262442025 ]
    
    iowarrior_read() uses the iowarrior dev structure, but does not use any
    lock on the structure. This can cause various bugs including data-races,
    so it is more appropriate to use a mutex lock to safely protect the
    iowarrior dev structure. When using a mutex lock, you should split the
    branch to prevent blocking when the O_NONBLOCK flag is set.
    
    In addition, it is unnecessary to check for NULL on the iowarrior dev
    structure obtained by reading file->private_data. Therefore, it is
    better to remove the check.
    
    Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
    Signed-off-by: Jeongjun Park <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
vfio/pci: Properly hide first-in-list PCIe extended capability [+ + +]
Author: Avihai Horon <[email protected]>
Date:   Sun Nov 24 16:27:39 2024 +0200

    vfio/pci: Properly hide first-in-list PCIe extended capability
    
    [ Upstream commit fe4bf8d0b6716a423b16495d55b35d3fe515905d ]
    
    There are cases where a PCIe extended capability should be hidden from
    the user. For example, an unknown capability (i.e., capability with ID
    greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally
    chosen to be hidden from the user.
    
    Hiding a capability is done by virtualizing and modifying the 'Next
    Capability Offset' field of the previous capability so it points to the
    capability after the one that should be hidden.
    
    The special case where the first capability in the list should be hidden
    is handled differently because there is no previous capability that can
    be modified. In this case, the capability ID and version are zeroed
    while leaving the next pointer intact. This hides the capability and
    leaves an anchor for the rest of the capability list.
    
    However, today, hiding the first capability in the list is not done
    properly if the capability is unknown, as struct
    vfio_pci_core_device->pci_config_map is set to the capability ID during
    initialization but the capability ID is not properly checked later when
    used in vfio_config_do_rw(). This leads to the following warning [1] and
    to an out-of-bounds access to ecap_perms array.
    
    Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater
    than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct
    read only access instead of the ecap_perms array.
    
    Note that this is safe since the above is the only case where cap_id can
    exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which
    are already checked before).
    
    [1]
    
    WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
    CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1
    (snip)
    Call Trace:
     <TASK>
     ? show_regs+0x69/0x80
     ? __warn+0x8d/0x140
     ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
     ? report_bug+0x18f/0x1a0
     ? handle_bug+0x63/0xa0
     ? exc_invalid_op+0x19/0x70
     ? asm_exc_invalid_op+0x1b/0x20
     ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
     ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]
     vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]
     vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]
     vfio_device_fops_read+0x27/0x40 [vfio]
     vfs_read+0xbd/0x340
     ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]
     ? __rseq_handle_notify_resume+0xa4/0x4b0
     __x64_sys_pread64+0x96/0xc0
     x64_sys_call+0x1c3d/0x20d0
     do_syscall_64+0x4d/0x120
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver")
    Signed-off-by: Avihai Horon <[email protected]>
    Reviewed-by: Yi Liu <[email protected]>
    Tested-by: Yi Liu <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Alex Williamson <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() [+ + +]
Author: Jeongjun Park <[email protected]>
Date:   Sat Sep 14 12:06:03 2024 +0300

    wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
    
    [ Upstream commit 8619593634cbdf5abf43f5714df49b04e4ef09ab ]
    
    I found the following bug in my fuzzer:
    
      UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
      index 255 is out of range for type 'htc_endpoint [22]'
      CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
      Workqueue: events request_firmware_work_func
      Call Trace:
       <TASK>
       dump_stack_lvl+0x180/0x1b0
       __ubsan_handle_out_of_bounds+0xd4/0x130
       htc_issue_send.constprop.0+0x20c/0x230
       ? _raw_spin_unlock_irqrestore+0x3c/0x70
       ath9k_wmi_cmd+0x41d/0x610
       ? mark_held_locks+0x9f/0xe0
       ...
    
    Since this bug has been confirmed to be caused by insufficient verification
    of conn_rsp_epid, I think it would be appropriate to add a range check for
    conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
    
    Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
    Signed-off-by: Jeongjun Park <[email protected]>
    Acked-by: Toke Høiland-Jørgensen <[email protected]>
    Signed-off-by: Kalle Valo <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() [+ + +]
Author: Alper Nebi Yasak <[email protected]>
Date:   Tue Oct 8 01:20:54 2024 +0300

    wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()
    
    [ Upstream commit d241a139c2e9f8a479f25c75ebd5391e6a448500 ]
    
    Replace one-element array with a flexible-array member in `struct
    mwifiex_ie_types_wildcard_ssid_params` to fix the following warning
    on a MT8173 Chromebook (mt8173-elm-hana):
    
    [  356.775250] ------------[ cut here ]------------
    [  356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1)
    [  356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex]
    
    The "(size 6)" above is exactly the length of the SSID of the network
    this device was connected to. The source of the warning looks like:
    
        ssid_len = user_scan_in->ssid_list[i].ssid_len;
        [...]
        memcpy(wildcard_ssid_tlv->ssid,
               user_scan_in->ssid_list[i].ssid, ssid_len);
    
    There is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this
    struct, but it already didn't account for the size of the one-element
    array, so it doesn't need to be changed.
    
    Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
    Signed-off-by: Alper Nebi Yasak <[email protected]>
    Acked-by: Brian Norris <[email protected]>
    Signed-off-by: Kalle Valo <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB [+ + +]
Author: Arnd Bergmann <[email protected]>
Date:   Tue Oct 29 09:23:20 2024 +0000

    x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB
    
    [ Upstream commit fce9642c765a18abd1db0339a7d832c29b68456a ]
    
    node_to_amd_nb() is defined to NULL in non-AMD configs:
    
      drivers/platform/x86/amd/hsmp/plat.c: In function 'init_platform_device':
      drivers/platform/x86/amd/hsmp/plat.c:165:68: error: dereferencing 'void *' pointer [-Werror]
        165 |                 sock->root                      = node_to_amd_nb(i)->root;
            |                                                                    ^~
      drivers/platform/x86/amd/hsmp/plat.c:165:68: error: request for member 'root' in something not a structure or union
    
    Users of the interface who also allow COMPILE_TEST will cause the above build
    error so provide an inline stub to fix that.
    
      [ bp: Massage commit message. ]
    
    Signed-off-by: Arnd Bergmann <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Reviewed-by: Ilpo Järvinen <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>