Changelog in Linux kernel 5.15.177

 
ACPI: resource: acpi_dev_irq_override(): Check DMI match last [+ + +]
Author: Hans de Goede <[email protected]>
Date:   Sat Dec 28 17:52:53 2024 +0100

    ACPI: resource: acpi_dev_irq_override(): Check DMI match last
    
    [ Upstream commit cd4a7b2e6a2437a5502910c08128ea3bad55a80b ]
    
    acpi_dev_irq_override() gets called approx. 30 times during boot (15 legacy
    IRQs * 2 override_table entries). Of these 30 calls at max 1 will match
    the non DMI checks done by acpi_dev_irq_override(). The dmi_check_system()
    check is by far the most expensive check done by acpi_dev_irq_override(),
    make this call the last check done by acpi_dev_irq_override() so that it
    will be called at max 1 time instead of 30 times.
    
    Signed-off-by: Hans de Goede <[email protected]>
    Reviewed-by: Mario Limonciello <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    [ rjw: Subject edit ]
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] [+ + +]
Author: Hans de Goede <[email protected]>
Date:   Fri Dec 20 19:13:52 2024 +0100

    ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
    
    commit 66d337fede44dcbab4107d37684af8fcab3d648e upstream.
    
    Like the Vivobook X1704VAP the X1504VAP has its keyboard IRQ (1) described
    as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh which
    breaks the keyboard.
    
    Add the X1504VAP to the irq1_level_low_skip_override[] quirk table to fix
    this.
    
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219224
    Cc: All applicable <[email protected]>
    Signed-off-by: Hans de Goede <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] [+ + +]
Author: Hans de Goede <[email protected]>
Date:   Sat Dec 28 17:48:45 2024 +0100

    ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
    
    commit 7ed4e4a659d99499dc6968c61970d41b64feeac0 upstream.
    
    The TongFang GM5HG0A is a TongFang barebone design which is sold under
    various brand names.
    
    The ACPI IRQ override for the keyboard IRQ must be used on these AMD Zen
    laptops in order for the IRQ to work.
    
    At least on the SKIKK Vanaheim variant the DMI product- and board-name
    strings have been replaced by the OEM with "Vanaheim" so checking that
    board-name contains "GM5HG0A" as is usually done for TongFang barebones
    quirks does not work.
    
    The DMI OEM strings do contain "GM5HG0A". I have looked at the dmidecode
    for a few other TongFang devices and the TongFang code-name string being
    in the OEM strings seems to be something which is consistently true.
    
    Add a quirk checking one of the DMI_OEM_STRING(s) is "GM5HG0A" in the hope
    that this will work for other OEM versions of the "GM5HG0A" too.
    
    Link: https://www.skikk.eu/en/laptops/vanaheim-15-rtx-4060
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219614
    Cc: All applicable <[email protected]>
    Signed-off-by: Hans de Goede <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
afs: Fix the maximum cell name length [+ + +]
Author: David Howells <[email protected]>
Date:   Mon Jan 6 16:21:00 2025 +0000

    afs: Fix the maximum cell name length
    
    [ Upstream commit 8fd56ad6e7c90ac2bddb0741c6b248c8c5d56ac8 ]
    
    The kafs filesystem limits the maximum length of a cell to 256 bytes, but a
    problem occurs if someone actually does that: kafs tries to create a
    directory under /proc/net/afs/ with the name of the cell, but that fails
    with a warning:
    
            WARNING: CPU: 0 PID: 9 at fs/proc/generic.c:405
    
    because procfs limits the maximum filename length to 255.
    
    However, the DNS limits the maximum lookup length and, by extension, the
    maximum cell name, to 255 less two (length count and trailing NUL).
    
    Fix this by limiting the maximum acceptable cellname length to 253.  This
    also allows us to be sure we can create the "/afs/.<cell>/" mountpoint too.
    
    Further, split the YFS VL record cell name maximum to be the 256 allowed by
    the protocol and ignore the record retrieved by YFSVL.GetCellName if it
    exceeds 253.
    
    Fixes: c3e9f888263b ("afs: Implement client support for the YFSVL.GetCellName RPC op")
    Reported-by: [email protected]
    Closes: https://lore.kernel.org/r/[email protected]/
    Signed-off-by: David Howells <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: [email protected]
    cc: Marc Dionne <[email protected]>
    cc: [email protected]
    Signed-off-by: Christian Brauner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
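Why the limit lands on 253 rather than 255: a worked example, added here and not part of the afs change itself, that encodes a cell name the way a DNS lookup would and applies the acceptance check the fix describes. The constants, the helper names (dns_wire_len, afs_cell_name_ok, make_name, wire_len_for, cell_ok_for) and the constructed test names are assumptions for this illustration; the kernel's own code is structured differently.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits quoted in the commit message, as plain constants for this model. */
#define DNS_MAX_WIRE_NAME	255	/* bytes of a name in DNS wire format */
#define AFS_MAX_CELL_NAME	253	/* what the fix accepts: 255 less two */
#define DNS_MAX_LABEL		63

/*
 * Length of NAME once encoded for a DNS lookup: every label is preceded by a
 * one-byte length count and the name ends with a zero-length root label (the
 * "length count and trailing NUL" the commit message refers to).
 * Returns 0 for a name that cannot be encoded (empty label, label > 63).
 */
size_t dns_wire_len(const char *name)
{
	size_t total = 1;		/* the terminating root label */
	const char *p = name;

	if (!*p)
		return 0;
	while (*p) {
		const char *dot = strchr(p, '.');
		size_t label = dot ? (size_t)(dot - p) : strlen(p);

		if (label == 0 || label > DNS_MAX_LABEL)
			return 0;
		total += 1 + label;	/* length byte plus label bytes */
		if (!dot)
			break;
		p = dot + 1;		/* a single trailing dot is tolerated */
	}
	return total;
}

/*
 * The check the afs fix amounts to: the cell name must fit in 253 bytes,
 * which guarantees it is a legal DNS lookup and that "/proc/net/afs/<cell>"
 * and "/afs/.<cell>" can be created. NAME is NAMELEN bytes and need not be
 * NUL-terminated. Returns 1 if acceptable, 0 otherwise.
 */
int afs_cell_name_ok(const char *name, size_t namelen)
{
	char buf[AFS_MAX_CELL_NAME + 1];
	size_t wire;

	if (namelen == 0 || namelen > AFS_MAX_CELL_NAME)
		return 0;
	memcpy(buf, name, namelen);
	buf[namelen] = '\0';
	wire = dns_wire_len(buf);
	return wire != 0 && wire <= DNS_MAX_WIRE_NAME;
}

/* Construct a valid name of exactly LEN bytes: runs of up to 63 'a's
 * separated by dots. BUF must hold LEN + 1 bytes. (Constructed input.) */
void make_name(char *buf, size_t len)
{
	size_t i, run = 0;

	for (i = 0; i < len; i++) {
		if (run == DNS_MAX_LABEL) {
			buf[i] = '.';
			run = 0;
		} else {
			buf[i] = 'a';
			run++;
		}
	}
	buf[len] = '\0';
}

/* Wire length of a constructed name whose presentation form is LEN bytes. */
size_t wire_len_for(size_t len)
{
	char buf[512];

	if (len >= sizeof(buf))
		return 0;
	make_name(buf, len);
	return dns_wire_len(buf);
}

/* Whether a constructed name of LEN bytes passes afs_cell_name_ok(). */
int cell_ok_for(size_t len)
{
	char buf[512];

	if (len >= sizeof(buf))
		return 0;
	make_name(buf, len);
	return afs_cell_name_ok(buf, len);
}

int main(void)
{
	size_t len;

	for (len = 252; len <= 256; len++)
		printf("cell name of %zu bytes: wire %zu bytes, accepted=%d\n",
		       len, wire_len_for(len), cell_ok_for(len));
	return 0;
}
```

A 253-byte name encodes to exactly 255 wire bytes; one byte more and the encoded form no longer fits, which is the boundary the fix enforces before procfs or the mountpoint ever see the name.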

 
arm64: dts: rockchip: add hevc power domain clock to rk3328 [+ + +]
Author: Peter Geis <[email protected]>
Date:   Sat Dec 14 22:43:39 2024 +0000

    arm64: dts: rockchip: add hevc power domain clock to rk3328
    
    [ Upstream commit 3699f2c43ea9984e00d70463f8c29baaf260ea97 ]
    
    There is a race condition at startup between disabling power domains not
    used and disabling clocks not used on the rk3328. When the clocks are
    disabled first, the hevc power domain fails to shut off leading to a
    splat of failures. Add the hevc core clock to the rk3328 power domain
    node to prevent this condition.
    
    rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 3-.... }
    1087 jiffies s: 89 root: 0x8/.
    rcu: blocking rcu_node structures (internal RCU debug):
    Sending NMI from CPU 0 to CPUs 3:
    NMI backtrace for cpu 3
    CPU: 3 UID: 0 PID: 86 Comm: kworker/3:3 Not tainted 6.12.0-rc5+ #53
    Hardware name: Firefly ROC-RK3328-CC (DT)
    Workqueue: pm genpd_power_off_work_fn
    pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : regmap_unlock_spinlock+0x18/0x30
    lr : regmap_read+0x60/0x88
    sp : ffff800081123c00
    x29: ffff800081123c00 x28: ffff2fa4c62cad80 x27: 0000000000000000
    x26: ffffd74e6e660eb8 x25: ffff2fa4c62cae00 x24: 0000000000000040
    x23: ffffd74e6d2f3ab8 x22: 0000000000000001 x21: ffff800081123c74
    x20: 0000000000000000 x19: ffff2fa4c0412000 x18: 0000000000000000
    x17: 77202c31203d2065 x16: 6c6469203a72656c x15: 6c6f72746e6f632d
    x14: 7265776f703a6e6f x13: 2063766568206e69 x12: 616d6f64202c3431
    x11: 347830206f742030 x10: 3430303034783020 x9 : ffffd74e6c7369e0
    x8 : 3030316666206e69 x7 : 205d383738353733 x6 : 332e31202020205b
    x5 : ffffd74e6c73fc88 x4 : ffffd74e6c73fcd4 x3 : ffffd74e6c740b40
    x2 : ffff800080015484 x1 : 0000000000000000 x0 : ffff2fa4c0412000
    Call trace:
    regmap_unlock_spinlock+0x18/0x30
    rockchip_pmu_set_idle_request+0xac/0x2c0
    rockchip_pd_power+0x144/0x5f8
    rockchip_pd_power_off+0x1c/0x30
    _genpd_power_off+0x9c/0x180
    genpd_power_off.part.0.isra.0+0x130/0x2a8
    genpd_power_off_work_fn+0x6c/0x98
    process_one_work+0x170/0x3f0
    worker_thread+0x290/0x4a8
    kthread+0xec/0xf8
    ret_from_fork+0x10/0x20
    rockchip-pm-domain ff100000.syscon:power-controller: failed to get ack on domain 'hevc', val=0x88220
    
    Fixes: 52e02d377a72 ("arm64: dts: rockchip: add core dtsi file for RK3328 SoCs")
    Signed-off-by: Peter Geis <[email protected]>
    Reviewed-by: Dragan Simic <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Heiko Stuebner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ASoC: mediatek: disable buffer pre-allocation [+ + +]
Author: Chen-Yu Tsai <[email protected]>
Date:   Thu Dec 19 18:53:02 2024 +0800

    ASoC: mediatek: disable buffer pre-allocation
    
    [ Upstream commit 32c9c06adb5b157ef259233775a063a43746d699 ]
    
    On Chromebooks based on Mediatek MT8195 or MT8188, the audio frontend
    (AFE) is limited to accessing a very small window (1 MiB) of memory,
    which is described as a reserved memory region in the device tree.
    
    On these two platforms, the maximum buffer size is given as 512 KiB.
    The MediaTek common code uses the same value for preallocations. This
    means that only the first two PCM substreams get preallocations, and
    then the whole space is exhausted, barring any other substreams from
    working. Since the substreams used are not always the first two, this
    means audio won't work correctly.
    
    This is observed on the MT8188 Geralt Chromebooks, on which the
    "mediatek,dai-link" property was dropped when it was upstreamed. That
    property causes the driver to only register the PCM substreams listed
    in the property, and in the order given.
    
    Instead of trying to compute an optimal value and figuring out which
    streams are used, simply disable preallocation. The PCM buffers are
    managed by the core and are allocated and released on the fly. There
    should be no impact to any of the other MediaTek platforms.
    
    Signed-off-by: Chen-Yu Tsai <[email protected]>
    Reviewed-by: AngeloGioacchino Del Regno <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
blk-cgroup: Fix UAF in blkcg_unpin_online() [+ + +]
Author: Tejun Heo <[email protected]>
Date:   Fri Dec 6 07:59:51 2024 -1000

    blk-cgroup: Fix UAF in blkcg_unpin_online()
    
    commit 86e6ca55b83c575ab0f2e105cf08f98e58d3d7af upstream.
    
    blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To
    walk up, it uses blkcg_parent(blkcg) but it was calling that after
    blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the
    following UAF:
    
      ==================================================================
      BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270
      Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117
    
      CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022
      Workqueue: cgwb_release cgwb_release_workfn
      Call Trace:
       <TASK>
       dump_stack_lvl+0x27/0x80
       print_report+0x151/0x710
       kasan_report+0xc0/0x100
       blkcg_unpin_online+0x15a/0x270
       cgwb_release_workfn+0x194/0x480
       process_scheduled_works+0x71b/0xe20
       worker_thread+0x82a/0xbd0
       kthread+0x242/0x2c0
       ret_from_fork+0x33/0x70
       ret_from_fork_asm+0x1a/0x30
       </TASK>
      ...
      Freed by task 1944:
       kasan_save_track+0x2b/0x70
       kasan_save_free_info+0x3c/0x50
       __kasan_slab_free+0x33/0x50
       kfree+0x10c/0x330
       css_free_rwork_fn+0xe6/0xb30
       process_scheduled_works+0x71b/0xe20
       worker_thread+0x82a/0xbd0
       kthread+0x242/0x2c0
       ret_from_fork+0x33/0x70
       ret_from_fork_asm+0x1a/0x30
    
    Note that the UAF is not easy to trigger as the free path is indirected
    behind a couple RCU grace periods and a work item execution. I could only
    trigger it with artificial msleep() injected in blkcg_unpin_online().
    
    Fix it by reading the parent pointer before destroying the blkcg's blkg's.
    
    Signed-off-by: Tejun Heo <[email protected]>
    Reported-by: Abagail ren <[email protected]>
    Suggested-by: Linus Torvalds <[email protected]>
    Fixes: 4308a434e5e0 ("blkcg: don't offline parent blkcg first")
    Cc: [email protected] # v5.7+
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
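The ordering bug in plain form, as an added example that is not the kernel's blkcg code: a three-level cgroup chain where tearing down a level drops its last reference, walked first in the pre-fix order (destroy, then read the parent) and then in the fixed order (read the parent, then destroy). The struct and function names are assumed for the model. The free here is synchronous and merely flags the object so the stale read can be counted; in the kernel it sits behind RCU grace periods and a work item, which is why the real bug is hard to trigger.

```c
#include <stdio.h>

/* Model of a blkcg: parent link, reference count, online-pin count. */
struct cg {
	struct cg *parent;
	int refcnt;
	int online_pin;
	int freed;	/* set instead of calling free(), so reads can be counted */
};

static int uaf_hits;

/* blkcg_parent(): reading ->parent after the object was freed is the UAF. */
static struct cg *cg_parent(struct cg *cg)
{
	if (cg->freed)
		uaf_hits++;
	return cg->parent;
}

/* Stands in for css_put() -> css_free_rwork_fn() -> kfree(). */
static void cg_put(struct cg *cg)
{
	if (--cg->refcnt == 0)
		cg->freed = 1;
}

/* blkcg_destroy_blkgs(): tearing down the blkgs may drop the last ref. */
static void destroy_blkgs(struct cg *cg)
{
	cg_put(cg);
}

/* Pre-fix ordering: destroy first, then read the parent pointer. */
void unpin_online_buggy(struct cg *cg)
{
	do {
		if (--cg->online_pin)
			break;
		destroy_blkgs(cg);
		cg = cg_parent(cg);	/* may read freed memory */
	} while (cg);
}

/* The fix: read the parent pointer before destroying the blkcg's blkgs. */
void unpin_online_fixed(struct cg *cg)
{
	do {
		struct cg *parent;

		if (--cg->online_pin)
			break;
		parent = cg_parent(cg);
		destroy_blkgs(cg);
		cg = parent;
	} while (cg);
}

/* Build root <- mid <- leaf (constructed input), each holding one reference
 * and one online pin, run WALK on the leaf, report freed count via *FREED
 * and return the number of reads of already-freed objects. */
static int run_walk(void (*walk)(struct cg *), int *freed)
{
	struct cg root = { NULL, 1, 1, 0 };
	struct cg mid = { &root, 1, 1, 0 };
	struct cg leaf = { &mid, 1, 1, 0 };

	uaf_hits = 0;
	walk(&leaf);
	*freed = root.freed + mid.freed + leaf.freed;
	return uaf_hits;
}

/* Freed-object reads made by WALK on the three-level chain. */
int uaf_count(void (*walk)(struct cg *))
{
	int freed;

	return run_walk(walk, &freed);
}

/* Cgroups WALK actually tore down on the three-level chain. */
int freed_count(void (*walk)(struct cg *))
{
	int freed;

	run_walk(walk, &freed);
	return freed;
}

int main(void)
{
	printf("buggy: %d freed, %d use-after-free reads\n",
	       freed_count(unpin_online_buggy), uaf_count(unpin_online_buggy));
	printf("fixed: %d freed, %d use-after-free reads\n",
	       freed_count(unpin_online_fixed), uaf_count(unpin_online_fixed));
	return 0;
}
```

Both walks tear down all three levels; only the pre-fix order reads the parent pointer out of an object it has already released, once per level.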

 
block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() [+ + +]
Author: Yu Kuai <[email protected]>
Date:   Wed Jan 8 16:41:48 2025 +0800

    block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
    
    [ Upstream commit fcede1f0a043ccefe9bc6ad57f12718e42f63f1d ]
    
    Our syzkaller reported the following UAF for v6.6:
    
    BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
    Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726
    
    CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
     print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
     print_report+0x3e/0x70 mm/kasan/report.c:475
     kasan_report+0xb8/0xf0 mm/kasan/report.c:588
     hlist_add_head include/linux/list.h:1023 [inline]
     bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
     bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
     bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
     blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
     blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
     __submit_bio+0xa0/0x6b0 block/blk-core.c:639
     __submit_bio_noacct_mq block/blk-core.c:718 [inline]
     submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
     submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
     __ext4_read_bh fs/ext4/super.c:205 [inline]
     ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
     __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
     ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
     ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
     ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
     ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
     iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
     iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
     ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
     ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
     do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
     __do_sys_ioctl fs/ioctl.c:869 [inline]
     __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
     entry_SYSCALL_64_after_hwframe+0x78/0xe2
    
    Allocated by task 232719:
     kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
     kasan_slab_alloc include/linux/kasan.h:188 [inline]
     slab_post_alloc_hook mm/slab.h:768 [inline]
     slab_alloc_node mm/slub.c:3492 [inline]
     kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537
     bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869
     bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776
     bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938
     bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
     bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
     blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
     blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
     __submit_bio+0xa0/0x6b0 block/blk-core.c:639
     __submit_bio_noacct_mq block/blk-core.c:718 [inline]
     submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
     submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
     __ext4_read_bh fs/ext4/super.c:205 [inline]
     ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217
     ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242
     ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958
     __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671
     ext4_lookup_entry fs/ext4/namei.c:1774 [inline]
     ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842
     ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839
     __lookup_slow+0x257/0x480 fs/namei.c:1696
     lookup_slow fs/namei.c:1713 [inline]
     walk_component+0x454/0x5c0 fs/namei.c:2004
     link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331
     link_path_walk fs/namei.c:3826 [inline]
     path_openat+0x1b9/0x520 fs/namei.c:3826
     do_filp_open+0x1b7/0x400 fs/namei.c:3857
     do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428
     do_sys_open fs/open.c:1443 [inline]
     __do_sys_openat fs/open.c:1459 [inline]
     __se_sys_openat fs/open.c:1454 [inline]
     __x64_sys_openat+0x148/0x200 fs/open.c:1454
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
     entry_SYSCALL_64_after_hwframe+0x78/0xe2
    
    Freed by task 232726:
     kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
     ____kasan_slab_free mm/kasan/common.c:236 [inline]
     __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244
     kasan_slab_free include/linux/kasan.h:164 [inline]
     slab_free_hook mm/slub.c:1827 [inline]
     slab_free_freelist_hook mm/slub.c:1853 [inline]
     slab_free mm/slub.c:3820 [inline]
     kmem_cache_free+0x110/0x760 mm/slub.c:3842
     bfq_put_queue+0x6a7/0xfb0 block/bfq-iosched.c:5428
     bfq_forget_entity block/bfq-wf2q.c:634 [inline]
     bfq_put_idle_entity+0x142/0x240 block/bfq-wf2q.c:645
     bfq_forget_idle+0x189/0x1e0 block/bfq-wf2q.c:671
     bfq_update_vtime block/bfq-wf2q.c:1280 [inline]
     __bfq_lookup_next_entity block/bfq-wf2q.c:1374 [inline]
     bfq_lookup_next_entity+0x350/0x480 block/bfq-wf2q.c:1433
     bfq_update_next_in_service+0x1c0/0x4f0 block/bfq-wf2q.c:128
     bfq_deactivate_entity+0x10a/0x240 block/bfq-wf2q.c:1188
     bfq_deactivate_bfqq block/bfq-wf2q.c:1592 [inline]
     bfq_del_bfqq_busy+0x2e8/0xad0 block/bfq-wf2q.c:1659
     bfq_release_process_ref+0x1cc/0x220 block/bfq-iosched.c:3139
     bfq_split_bfqq+0x481/0xdf0 block/bfq-iosched.c:6754
     bfq_init_rq+0xf29/0x17a0 block/bfq-iosched.c:6934
     bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
     bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
     blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
     blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
     __submit_bio+0xa0/0x6b0 block/blk-core.c:639
     __submit_bio_noacct_mq block/blk-core.c:718 [inline]
     submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
     submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
     __ext4_read_bh fs/ext4/super.c:205 [inline]
     ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
     __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
     ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
     ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
     ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
     ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
     iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
     iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
     ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
     ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
     do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
     __do_sys_ioctl fs/ioctl.c:869 [inline]
     __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
     entry_SYSCALL_64_after_hwframe+0x78/0xe2
    
    commit 1ba0403ac644 ("block, bfq: fix uaf for accessing waker_bfqq after
    splitting") fixed the problem that if waker_bfqq is in the merge chain,
    and current is the only process, waker_bfqq can be freed from
    bfq_split_bfqq(). However, the case that waker_bfqq is not in the merge
    chain is missed, and if the process reference of waker_bfqq is 0,
    waker_bfqq can be freed as well.
    
    Fix the problem by checking the process reference if waker_bfqq is not in
    the merge_chain.
    
    Fixes: 1ba0403ac644 ("block, bfq: fix uaf for accessing waker_bfqq after splitting")
    Signed-off-by: Hou Tao <[email protected]>
    Signed-off-by: Yu Kuai <[email protected]>
    Reviewed-by: Jan Kara <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
bnxt_en: Fix possible memory leak when hwrm_req_replace fails [+ + +]
Author: Kalesh AP <[email protected]>
Date:   Fri Jan 3 20:38:47 2025 -0800

    bnxt_en: Fix possible memory leak when hwrm_req_replace fails
    
    [ Upstream commit c8dafb0e4398dacc362832098a04b97da3b0395b ]
    
    When hwrm_req_replace() fails, the driver is not invoking bnxt_req_drop()
    which could cause a memory leak.
    
    Fixes: bbf33d1d9805 ("bnxt_en: update all firmware calls to use the new APIs")
    Reviewed-by: Pavan Chebbi <[email protected]>
    Signed-off-by: Kalesh AP <[email protected]>
    Signed-off-by: Michael Chan <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
bpf: Fix bpf_sk_select_reuseport() memory leak [+ + +]
Author: Michal Luczaj <[email protected]>
Date:   Fri Jan 10 14:21:55 2025 +0100

    bpf: Fix bpf_sk_select_reuseport() memory leak
    
    [ Upstream commit b3af60928ab9129befa65e6df0310d27300942bf ]
    
    As pointed out in the original comment, lookup in sockmap can return a TCP
    ESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF
    set before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb
    does not imply a non-refcounted socket.
    
    Drop sk's reference in both error paths.
    
    unreferenced object 0xffff888101911800 (size 2048):
      comm "test_progs", pid 44109, jiffies 4297131437
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace (crc 9336483b):
        __kmalloc_noprof+0x3bf/0x560
        __reuseport_alloc+0x1d/0x40
        reuseport_alloc+0xca/0x150
        reuseport_attach_prog+0x87/0x140
        sk_reuseport_attach_bpf+0xc8/0x100
        sk_setsockopt+0x1181/0x1990
        do_sock_setsockopt+0x12b/0x160
        __sys_setsockopt+0x7b/0xc0
        __x64_sys_setsockopt+0x1b/0x30
        do_syscall_64+0x93/0x180
        entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    Fixes: 64d85290d79c ("bpf: Allow bpf_map_lookup_elem for SOCKMAP and SOCKHASH")
    Signed-off-by: Michal Luczaj <[email protected]>
    Reviewed-by: Martin KaFai Lau <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ceph: give up on paths longer than PATH_MAX [+ + +]
Author: Max Kellermann <[email protected]>
Date:   Mon Nov 18 23:28:28 2024 +0100

    ceph: give up on paths longer than PATH_MAX
    
    commit 550f7ca98ee028a606aa75705a7e77b1bd11720f upstream.
    
    If the full path to be built by ceph_mdsc_build_path() happens to be
    longer than PATH_MAX, then this function will enter an endless (retry)
    loop, effectively blocking the whole task.  Most of the machine
    becomes unusable, making this a very simple and effective DoS
    vulnerability.
    
    I cannot imagine why this retry was ever implemented, but it seems
    rather useless and harmful to me.  Let's remove it and fail with
    ENAMETOOLONG instead.
    
    Cc: [email protected]
    Reported-by: Dario Weißer <[email protected]>
    Signed-off-by: Max Kellermann <[email protected]>
    Reviewed-by: Alex Markuze <[email protected]>
    Signed-off-by: Ilya Dryomov <[email protected]>
    [[email protected]: backport to 6.1: pr_warn() is still in use]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
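A bounded reverse path builder illustrating what the fix does, added here and not taken from fs/ceph: it walks a parent chain into a fixed buffer from the end backwards and, when the path cannot fit, returns -ENAMETOOLONG to the caller instead of retrying. The dentry model, MODEL_PATH_MAX and the helper names (build_path, example_abc, try_depth) are assumptions; try_depth() builds a constructed chain of 64-byte components so the boundary between fitting and failing is visible.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PATH_MAX	4096	/* stands in for PATH_MAX */
#define MAX_DEPTH	256

/* Minimal stand-in for a dentry: a name and a parent (NULL at the root). */
struct dentry {
	const char *name;
	const struct dentry *parent;
};

/*
 * Build the absolute path of D into BUF (BUFLEN bytes), filling from the end
 * backwards while walking the parent chain, as kernel path builders do.
 * On success returns the start of the NUL-terminated path inside BUF with
 * *ERR = 0. If the path does not fit, returns NULL with *ERR = -ENAMETOOLONG:
 * the caller gets an error, there is no retry loop to get stuck in.
 */
const char *build_path(const struct dentry *d, char *buf, size_t buflen, int *err)
{
	size_t pos;

	if (buflen < 2)
		goto too_long;
	pos = buflen - 1;
	buf[pos] = '\0';

	if (!d->parent) {		/* the root itself is "/" */
		buf[--pos] = '/';
		goto done;
	}
	for (; d->parent; d = d->parent) {
		size_t len = strlen(d->name);

		if (pos < len + 1)	/* need the name plus its '/' */
			goto too_long;
		pos -= len;
		memcpy(buf + pos, d->name, len);
		buf[--pos] = '/';
	}
done:
	*err = 0;
	return buf + pos;
too_long:
	*err = -ENAMETOOLONG;
	return NULL;
}

/* Path of a constructed chain root/a/b/c, built into a static buffer. */
const char *example_abc(void)
{
	static char buf[64];
	static const struct dentry root = { "", NULL };
	static const struct dentry a = { "a", &root };
	static const struct dentry b = { "b", &a };
	static const struct dentry c = { "c", &b };
	int err;

	return build_path(&c, buf, sizeof(buf), &err);
}

/*
 * Construct a chain DEPTH levels deep whose components are all 64 bytes and
 * try to build its path into a MODEL_PATH_MAX buffer. Returns what
 * build_path() reports: 0 while the path fits, -ENAMETOOLONG once it does not.
 */
int try_depth(unsigned int depth)
{
	static struct dentry chain[MAX_DEPTH + 1];
	static const char comp[] = "0123456789abcdef0123456789abcdef"
				   "0123456789abcdef0123456789abcdef";
	char buf[MODEL_PATH_MAX];
	unsigned int i;
	int err;

	if (depth > MAX_DEPTH)
		return -EINVAL;
	chain[0].name = "";
	chain[0].parent = NULL;
	for (i = 1; i <= depth; i++) {
		chain[i].name = comp;
		chain[i].parent = &chain[i - 1];
	}
	build_path(&chain[depth], buf, sizeof(buf), &err);
	return err;
}

int main(void)
{
	printf("%s\n", example_abc());
	printf("depth 63: err=%d, depth 64: err=%d\n", try_depth(63), try_depth(64));
	return 0;
}
```

With 64-byte components each level costs 65 bytes, so 63 levels fill the 4096-byte buffer exactly and the 64th is the first to be refused; an attacker-controlled directory depth turns into an error return, not a task that spins forever.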

 
cxgb4: Avoid removal of uninserted tid [+ + +]
Author: Anumula Murali Mohan Reddy <[email protected]>
Date:   Fri Jan 3 14:53:27 2025 +0530

    cxgb4: Avoid removal of uninserted tid
    
    [ Upstream commit 4c1224501e9d6c5fd12d83752f1c1b444e0e3418 ]
    
    During ARP failure, tid is not inserted but _c4iw_free_ep()
    attempts to remove tid which results in error.
    This patch fixes the issue by avoiding removal of uninserted tid.
    
    Fixes: 59437d78f088 ("cxgb4/chtls: fix ULD connection failures due to wrong TID base")
    Signed-off-by: Anumula Murali Mohan Reddy <[email protected]>
    Signed-off-by: Potnuri Bharat Teja <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
dm array: fix cursor index when skipping across block boundaries [+ + +]
Author: Ming-Hung Tsai <[email protected]>
Date:   Thu Dec 5 19:41:53 2024 +0800

    dm array: fix cursor index when skipping across block boundaries
    
    [ Upstream commit 0bb1968da2737ba68fd63857d1af2b301a18d3bf ]
    
    dm_array_cursor_skip() seeks to the target position by loading array
    blocks iteratively until the specified number of entries to skip is
    reached. When seeking across block boundaries, it uses
    dm_array_cursor_next() to step into the next block.
    dm_array_cursor_skip() must first move the cursor index to the end
    of the current block; otherwise, the cursor position could incorrectly
    remain in the same block, causing the actual number of skipped entries
    to be much smaller than expected.
    
    This bug affects cache resizing in v2 metadata and could lead to data
    loss if the fast device is shrunk during the first-time resume. For
    example:
    
    1. create cache metadata consisting of 32768 blocks, with a dirty block
       assigned to the second bitmap block. cache_restore v1.0 is required.
    
    cat <<EOF >> cmeta.xml
    <superblock uuid="" block_size="64" nr_cache_blocks="32768" \
    policy="smq" hint_width="4">
      <mappings>
        <mapping cache_block="32767" origin_block="0" dirty="true"/>
      </mappings>
    </superblock>
    EOF
    dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
    cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2
    
    2. bring up the cache while attempting to discard all the blocks belonging
       to the second bitmap block (block# 32576 to 32767). The last command
       is expected to fail, but it actually succeeds.
    
    dmsetup create cdata --table "0 2084864 linear /dev/sdc 8192"
    dmsetup create corig --table "0 65536 linear /dev/sdc 2105344"
    dmsetup create cache --table "0 65536 cache /dev/mapper/cmeta \
    /dev/mapper/cdata /dev/mapper/corig 64 2 metadata2 writeback smq \
    2 migration_threshold 0"
    
    In addition to the reproducer described above, this fix can be
    verified using the "array_cursor/skip" tests in dm-unit:
      dm-unit run /pdata/array_cursor/skip/ --kernel-dir <KERNEL_DIR>
    
    Signed-off-by: Ming-Hung Tsai <[email protected]>
    Fixes: 9b696229aa7d ("dm persistent data: add cursor skip functions to the cursor APIs")
    Reviewed-by: Joe Thornber <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
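The skip logic and its fix in a self-contained model, added here and not the dm-persistent-data code: blocks hold a fixed number of entries, cursor_next() only loads the next block once the index runs off the end of the current one, and the two skip variants differ only in whether the index is moved to the end of the block before stepping. Block size, block count and the function names are assumptions for the illustration. pos_after_skip() reports where a skip from the start of the array lands, so the "much smaller than expected" outcome is measurable.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NR_BLOCKS		8
#define ENTRIES_PER_BLOCK	64

/* One array leaf block; the kernel's array_block header carries nr_entries. */
struct ablock {
	uint32_t nr_entries;
};

/* Model of dm_array_cursor: the loaded block and the index into it. */
struct cursor {
	const struct ablock *blocks;
	uint32_t nr_blocks;
	uint32_t cur;		/* loaded block number */
	uint32_t index;		/* entry index within the loaded block */
};

/* Stands in for dm_btree_cursor_next() followed by load_ablock(). */
static int load_block(struct cursor *c, uint32_t blocknr)
{
	if (blocknr >= c->nr_blocks)
		return -ENODATA;
	c->cur = blocknr;
	c->index = 0;
	return 0;
}

int cursor_begin(struct cursor *c, const struct ablock *blocks, uint32_t n)
{
	c->blocks = blocks;
	c->nr_blocks = n;
	return load_block(c, 0);
}

/* Mirrors dm_array_cursor_next(): step one entry, and only when the index
 * runs off the end of the loaded block move on to the next block. */
int cursor_next(struct cursor *c)
{
	c->index++;
	if (c->index >= c->blocks[c->cur].nr_entries)
		return load_block(c, c->cur + 1);
	return 0;
}

/* Pre-fix skip: COUNT is reduced by the entries left in the block, but the
 * index stays put, so cursor_next() steps one entry within the same block. */
int cursor_skip_buggy(struct cursor *c, uint32_t count)
{
	int r = 0;

	do {
		uint32_t remaining = c->blocks[c->cur].nr_entries - c->index;

		if (count < remaining) {
			c->index += count;
			break;
		}
		count -= remaining;
		r = cursor_next(c);
	} while (!r);
	return r;
}

/* Fixed skip: first move the index to the last entry of the current block,
 * so the following cursor_next() really steps into the next block. */
int cursor_skip_fixed(struct cursor *c, uint32_t count)
{
	int r = 0;

	do {
		uint32_t remaining = c->blocks[c->cur].nr_entries - c->index;

		if (count < remaining) {
			c->index += count;
			break;
		}
		count -= remaining;
		c->index += remaining - 1;
		r = cursor_next(c);
	} while (!r);
	return r;
}

/* Run SKIP for COUNT entries from the start of a constructed array of
 * NR_BLOCKS full blocks; return the absolute entry index reached, or the
 * negative error from SKIP. */
long pos_after_skip(int (*skip)(struct cursor *, uint32_t), uint32_t count)
{
	struct ablock blocks[NR_BLOCKS];
	struct cursor c;
	int i, r;

	for (i = 0; i < NR_BLOCKS; i++)
		blocks[i].nr_entries = ENTRIES_PER_BLOCK;
	r = cursor_begin(&c, blocks, NR_BLOCKS);
	if (!r)
		r = skip(&c, count);
	return r ? r : (long)c.cur * ENTRIES_PER_BLOCK + c.index;
}

int main(void)
{
	printf("skip 100: buggy -> %ld, fixed -> %ld\n",
	       pos_after_skip(cursor_skip_buggy, 100),
	       pos_after_skip(cursor_skip_fixed, 100));
	return 0;
}
```

A skip that stays inside the first block behaves identically in both variants; as soon as it crosses a block boundary the pre-fix cursor only creeps forward one entry per block it should have skipped, which is exactly how a discard aimed at the last bitmap block can end up operating on the wrong entries.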

dm array: fix releasing a faulty array block twice in dm_array_cursor_end [+ + +]
Author: Ming-Hung Tsai <[email protected]>
Date:   Thu Dec 5 19:41:51 2024 +0800

    dm array: fix releasing a faulty array block twice in dm_array_cursor_end
    
    [ Upstream commit f2893c0804d86230ffb8f1c8703fdbb18648abc8 ]
    
    When dm_bm_read_lock() fails due to locking or checksum errors, it
    releases the faulty block implicitly while leaving an invalid output
    pointer behind. The caller of dm_bm_read_lock() should not operate on
    this invalid dm_block pointer, or it will lead to undefined result.
    For example, the dm_array_cursor incorrectly caches the invalid pointer
    on reading a faulty array block, causing a double release in
    dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().
    
    Reproduce steps:
    
    1. initialize a cache device
    
    dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
    dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
    dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
    dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1
    dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
    /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
    
    2. wipe the second array block offline
    
    dmsetup remove cache cmeta cdata corig
    mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \
    2>/dev/null | hexdump -e '1/8 "%u\n"')
    ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \
    2>/dev/null | hexdump -e '1/8 "%u\n"')
    dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock
    
    3. try to reopen the cache device
    
    dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
    dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
    dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
    dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
    /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
    
    Kernel logs:
    
    (snip)
    device-mapper: array: array_block_check failed: blocknr 0 != wanted 10
    device-mapper: block manager: array validator check failed for block 10
    device-mapper: array: get_ablock failed
    device-mapper: cache metadata: dm_array_cursor_next for mapping failed
    ------------[ cut here ]------------
    kernel BUG at drivers/md/dm-bufio.c:638!
    
    Fix by setting the cached block pointer to NULL on errors.
    
    In addition to the reproducer described above, this fix can be
    verified using the "array_cursor/damaged" test in dm-unit:
      dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR>
    
    Signed-off-by: Ming-Hung Tsai <[email protected]>
    Fixes: fdd1315aa5f0 ("dm array: introduce cursor api")
    Reviewed-by: Joe Thornber <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

dm array: fix unreleased btree blocks on closing a faulty array cursor [+ + +]
Author: Ming-Hung Tsai <[email protected]>
Date:   Thu Dec 5 19:41:52 2024 +0800

    dm array: fix unreleased btree blocks on closing a faulty array cursor
    
    [ Upstream commit 626f128ee9c4133b1cfce4be2b34a1508949370e ]
    
    The cached block pointer in dm_array_cursor might be NULL if it reaches
    an unreadable array block, or the array is empty. Therefore,
    dm_array_cursor_end() should call dm_btree_cursor_end() unconditionally,
    to prevent leaving unreleased btree blocks.
    
    This fix can be verified using the "array_cursor/iterate/empty" test
    in dm-unit:
      dm-unit run /pdata/array_cursor/iterate/empty --kernel-dir <KERNEL_DIR>
    
    Signed-off-by: Ming-Hung Tsai <[email protected]>
    Fixes: fdd1315aa5f0 ("dm array: introduce cursor api")
    Reviewed-by: Joe Thornber <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
dm thin: make get_first_thin use rcu-safe list first function [+ + +]
Author: Krister Johansen <[email protected]>
Date:   Tue Jan 7 15:24:58 2025 -0800

    dm thin: make get_first_thin use rcu-safe list first function
    
    commit 80f130bfad1dab93b95683fc39b87235682b8f72 upstream.
    
    The documentation in rculist.h explains the absence of list_empty_rcu()
    and cautions programmers against relying on a list_empty() ->
    list_first() sequence in RCU safe code.  This is because each of these
    functions performs its own READ_ONCE() of the list head.  This can lead
    to a situation where the list_empty() sees a valid list entry, but the
    subsequent list_first() sees a different view of list head state after a
    modification.
    
    In the case of dm-thin, this author had a production box crash from a GP
    fault in the process_deferred_bios path.  This function saw a valid list
    head in get_first_thin() but when it subsequently dereferenced that and
    turned it into a thin_c, it got the inside of the struct pool, since the
    list was now empty and referring to itself.  The kernel on which this
    occurred printed both a warning about a refcount_t being saturated, and
    a UBSAN error for an out-of-bounds cpuid access in the queued spinlock,
    prior to the fault itself.  When the resulting kdump was examined, it
    was possible to see another thread patiently waiting in thin_dtr's
    synchronize_rcu.
    
    The thin_dtr call managed to pull the thin_c out of the active thins
    list (and have it be the last entry in the active_thins list) at just
    the wrong moment, which led to this crash.
    
    Fortunately, the fix here is straightforward.  Switch get_first_thin()
    function to use list_first_or_null_rcu() which performs just a single
    READ_ONCE() and returns NULL if the list is already empty.
    
    This was run against the devicemapper test suite's thin-provisioning
    suites for delete and suspend and no regressions were observed.
    
    Signed-off-by: Krister Johansen <[email protected]>
    Fixes: b10ebd34ccca ("dm thin: fix rcu_read_lock being held in code that can sleep")
    Cc: [email protected]
    Acked-by: Ming-Hung Tsai <[email protected]>
    Signed-off-by: Mikulas Patocka <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
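
The list_empty() followed by list_first_entry() race described in this commit, reproduced deterministically in userspace as an added example (not code from dm-thin or the kernel). The list helpers, READ_ONCE() and list_first_or_null_rcu() are reduced replicas of the kernel's; struct pool, struct thin_c and the interleaving hook are simplified stand-ins, and the concurrent thin_dtr() is simulated by a callback that runs between the two reads.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace replicas of the kernel helpers involved (include/linux/list.h,
 * rculist.h and READ_ONCE()), reduced to what the race needs. */
struct list_head { struct list_head *next, *prev; };

#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_first_entry(head, type, member) \
	container_of((head)->next, type, member)
/* One read of head->next decides both emptiness and the returned entry. */
#define list_first_or_null_rcu(head, type, member) ({			\
	struct list_head *__h = (head);					\
	struct list_head *__n = READ_ONCE(__h->next);			\
	__h != __n ? container_of(__n, type, member) : NULL; })

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return READ_ONCE(h->next) == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; INIT_LIST_HEAD(n);
}

/* Just enough of dm-thin's shapes (simplified stand-ins): the pool owns the
 * active_thins list and every thin_c hangs off it. */
struct pool   { uint32_t magic; struct list_head active_thins; };
struct thin_c { struct list_head list; unsigned int dev_id; };

/* Hook standing in for thin_dtr() running on another CPU between two reads. */
typedef void (*interleave_fn)(struct pool *);

static void thin_dtr_removes_last(struct pool *pool)
{
	if (!list_empty(&pool->active_thins))
		list_del_init(pool->active_thins.next);
}

/* Before the fix: two independent reads of active_thins.next. If the last thin
 * is unlinked in between, head->next == head and container_of() turns the list
 * head itself into a bogus "thin_c" that lives inside struct pool. */
struct thin_c *get_first_thin_racy(struct pool *pool, interleave_fn race)
{
	if (list_empty(&pool->active_thins))
		return NULL;
	if (race)
		race(pool);
	return list_first_entry(&pool->active_thins, struct thin_c, list);
}

/* After the fix: a single READ_ONCE() snapshot; an entry unlinked afterwards
 * is still readable under RCU until the grace period ends. */
struct thin_c *get_first_thin_fixed(struct pool *pool, interleave_fn race)
{
	struct thin_c *tc = list_first_or_null_rcu(&pool->active_thins,
						   struct thin_c, list);
	if (race)
		race(pool);
	return tc;
}

/* Drives one scenario. 0: NULL, 1: the real thin_c, 2: pointer inside
 * struct pool (what the commit describes crashing), 3: anything else. */
int run_scenario(int fixed, int start_empty)
{
	struct pool pool = { .magic = 0xdeadbeef };
	struct thin_c tc = { .dev_id = 7 };
	struct thin_c *res;
	uintptr_t p, lo, hi;

	INIT_LIST_HEAD(&pool.active_thins);
	if (!start_empty)
		list_add_tail(&tc.list, &pool.active_thins);

	res = fixed ? get_first_thin_fixed(&pool, thin_dtr_removes_last)
		    : get_first_thin_racy(&pool, thin_dtr_removes_last);
	if (!res)
		return 0;
	if (res == &tc)
		return 1;
	p = (uintptr_t)res; lo = (uintptr_t)&pool; hi = lo + sizeof(pool);
	return (p >= lo && p < hi) ? 2 : 3;
}

int main(void)
{
	printf("racy:  %d (2 = pointer into struct pool)\n", run_scenario(0, 0));
	printf("fixed: %d (1 = the real thin_c)\n", run_scenario(1, 0));
	return 0;
}
```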

 
dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY [+ + +]
Author: Mikulas Patocka <[email protected]>
Date:   Tue Jan 7 17:47:01 2025 +0100

    dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY
    
    commit 47f33c27fc9565fb0bc7dfb76be08d445cd3d236 upstream.
    
    dm-ebs uses dm-bufio to process requests that are not aligned on logical
    sector size. dm-bufio doesn't support passing integrity data (and it is
    unclear how it should do it), so we shouldn't set the
    DM_TARGET_PASSES_INTEGRITY flag.
    
    Signed-off-by: Mikulas Patocka <[email protected]>
    Cc: [email protected]
    Fixes: d3c7b35c20d6 ("dm: add emulated block size target")
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/amd/display: Add check for granularity in dml ceil/floor helpers [+ + +]
Author: Roman Li <[email protected]>
Date:   Fri Dec 13 13:51:07 2024 -0500

    drm/amd/display: Add check for granularity in dml ceil/floor helpers
    
    commit 0881fbc4fd62e00a2b8e102725f76d10351b2ea8 upstream.
    
    [Why]
    Wrapper functions for dcn_bw_ceil2() and dcn_bw_floor2()
    should check that granularity is non-zero to avoid an assert and
    divide-by-zero error in dcn_bw_ functions.
    
    [How]
    Add check for granularity 0.
    
    Cc: Mario Limonciello <[email protected]>
    Reviewed-by: Alvin Lee <[email protected]>
    Signed-off-by: Roman Li <[email protected]>
    Tested-by: Daniel Wheeler <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit f6e09701c3eb2ccb8cb0518e0b67f1c69742a4ec)
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/amd/display: increase MAX_SURFACES to the value supported by hw [+ + +]
Author: Melissa Wen <[email protected]>
Date:   Tue Dec 17 17:45:04 2024 -0300

    drm/amd/display: increase MAX_SURFACES to the value supported by hw
    
    commit 21541bc6b44241e3f791f9e552352d8440b2b29e upstream.
    
    As the hw supports up to 4 surfaces, increase the maximum number of
    surfaces to prevent the DC error when trying to use more than three
    planes.
    
    [drm:dc_state_add_plane [amdgpu]] *ERROR* Surface: can not attach plane_state 000000003e2cb82c! Maximum is: 3
    
    Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3693
    Signed-off-by: Melissa Wen <[email protected]>
    Reviewed-by: Rodrigo Siqueira <[email protected]>
    Signed-off-by: Rodrigo Siqueira <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit b8d6daffc871a42026c3c20bff7b8fa0302298c1)
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/i915/fb: Relax clear color alignment to 64 bytes [+ + +]
Author: Ville Syrjälä <[email protected]>
Date:   Fri Nov 29 08:50:11 2024 +0200

    drm/i915/fb: Relax clear color alignment to 64 bytes
    
    commit 1a5401ec3018c101c456cdbda2eaef9482db6786 upstream.
    
    Mesa changed its clear color alignment from 4k to 64 bytes
    without informing the kernel side about the change. This
    is now likely to cause framebuffer creation to fail.
    
    The only thing we do with the clear color buffer in i915 is:
    1. map a single page
    2. read out bytes 16-23 from said page
    3. unmap the page
    
    So the only requirement we really have is that those 8 bytes
    are all contained within one page. Thus we can deal with the
    Mesa regression by reducing the alignment requirement from 4k
    to the same 64 bytes in the kernel. We could even go as low as
    32 bytes, but IIRC 64 bytes is the hardware requirement on
    the 3D engine side so matching that seems sensible.
    
    Note that the Mesa alignment changes were partially undone
    so the regression itself was already fixed on userspace
    side.
    
    Cc: [email protected]
    Cc: Sagar Ghuge <[email protected]>
    Cc: Nanley Chery <[email protected]>
    Reported-by: Xi Ruoyao <[email protected]>
    Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13057
    Closes: https://lore.kernel.org/all/[email protected]/
    Link: https://gitlab.freedesktop.org/mesa/mesa/-/commit/17f97a69c13832a6c1b0b3aad45b06f07d4b852f
    Link: https://gitlab.freedesktop.org/mesa/mesa/-/commit/888f63cf1baf34bc95e847a30a041dc7798edddb
    Signed-off-by: Ville Syrjälä <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Tested-by: Xi Ruoyao <[email protected]>
    Reviewed-by: José Roberto de Souza <[email protected]>
    (cherry picked from commit ed3a892e5e3d6b3f6eeb76db7c92a968aeb52f3d)
    Signed-off-by: Tvrtko Ursulin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/mediatek: Add support for 180-degree rotation in the display driver [+ + +]
Author: Jason-JH.Lin <[email protected]>
Date:   Mon Nov 18 10:51:26 2024 +0800

    drm/mediatek: Add support for 180-degree rotation in the display driver
    
    [ Upstream commit 5c9d7e79ba154e8e1f0bfdeb7b495f454c1a3eba ]
    
    mediatek-drm driver reported the capability of 180-degree rotation by
    adding `DRM_MODE_ROTATE_180` to the plane property, as flip-x combined
    with flip-y equals a 180-degree rotation. However, we did not handle
    the rotation property in the driver, which led to rotation issues.
    
    Fixes: 74608d8feefd ("drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property")
    Signed-off-by: Jason-JH.Lin <[email protected]>
    Reviewed-by: AngeloGioacchino Del Regno <[email protected]>
    Reviewed-by: CK Hu <[email protected]>
    Link: https://patchwork.kernel.org/project/dri-devel/patch/[email protected]/
    Signed-off-by: Chun-Kuang Hu <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/v3d: Ensure job pointer is set to NULL after job completion [+ + +]
Author: Maíra Canal <[email protected]>
Date:   Mon Jan 13 12:47:40 2025 -0300

    drm/v3d: Ensure job pointer is set to NULL after job completion
    
    [ Upstream commit e4b5ccd392b92300a2b341705cc4805681094e49 ]
    
    After a job completes, the corresponding pointer in the device must
    be set to NULL. Failing to do so triggers a warning when unloading
    the driver, as it appears the job is still active. To prevent this,
    assign the job pointer to NULL after completing the job, indicating
    the job has finished.
    
    Fixes: 14d1d1908696 ("drm/v3d: Remove the bad signaled() implementation.")
    Signed-off-by: Maíra Canal <[email protected]>
    Reviewed-by: Jose Maria Casanova Crespo <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
exfat: fix the infinite loop in __exfat_free_cluster() [+ + +]
Author: Yuezhang Mo <[email protected]>
Date:   Mon Dec 16 13:39:42 2024 +0800

    exfat: fix the infinite loop in __exfat_free_cluster()
    
    [ Upstream commit a5324b3a488d883aa2d42f72260054e87d0940a0 ]
    
    In __exfat_free_cluster(), the cluster chain is traversed until the
    EOF cluster. If the cluster chain includes a loop due to file system
    corruption, the EOF cluster cannot be traversed, resulting in an
    infinite loop.
    
    This commit uses the total number of clusters to prevent this infinite
    loop.
    
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330
    Tested-by: [email protected]
    Fixes: 31023864e67a ("exfat: add fat entry operations")
    Signed-off-by: Yuezhang Mo <[email protected]>
    Reviewed-by: Sungjong Seo <[email protected]>
    Signed-off-by: Namjae Jeon <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

exfat: fix the infinite loop in exfat_readdir() [+ + +]
Author: Yuezhang Mo <[email protected]>
Date:   Fri Dec 13 13:08:37 2024 +0800

    exfat: fix the infinite loop in exfat_readdir()
    
    [ Upstream commit fee873761bd978d077d8c55334b4966ac4cb7b59 ]
    
    If the file system is corrupted so that a cluster is linked to
    itself in the cluster chain, and there is an unused directory
    entry in the cluster, 'dentry' will not be incremented, causing
    condition 'dentry < max_dentries' unable to prevent an infinite
    loop.
    
    This infinite loop causes s_lock not to be released, and other
    tasks will hang, such as exfat_sync_fs().
    
    This commit stops traversing the cluster chain when there is an unused
    directory entry in the cluster to avoid this infinite loop.
    
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=205c2644abdff9d3f9fc
    Tested-by: [email protected]
    Fixes: ca06197382bd ("exfat: add directory operations")
    Signed-off-by: Yuezhang Mo <[email protected]>
    Reviewed-by: Sungjong Seo <[email protected]>
    Signed-off-by: Namjae Jeon <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
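
The two exfat fixes above share one idea: a corrupted cluster chain can loop, so a walk must be bounded by the total number of clusters, and for directories an unused entry ends the walk outright. Both are shown on a constructed miniature FAT as an added example (not the exfat driver's code); the constants, struct mini_sb, the 4-dentry clusters and the sample data are all constructed for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed miniature of exfat's cluster bookkeeping (not the kernel's). */
#define EXFAT_FIRST_CLUSTER  2u
#define EXFAT_EOF_CLUSTER    0xFFFFFFFFu
#define EXFAT_UNUSED         0x00u   /* dentry type: end of directory */
#define EXFAT_FILE           0x85u   /* dentry type: in-use file entry */
#define DENTRIES_PER_CLUSTER 4u      /* tiny clusters, for the example */

struct mini_sb {
	uint32_t num_clusters;        /* FAT slots: cluster ids 0..num_clusters-1 */
	const uint32_t *fat;          /* fat[c] = next cluster of c, or EOF */
	const uint8_t *dentry_types;  /* type byte of dentry i of cluster c at [c*4+i] */
};

static int valid_cluster(const struct mini_sb *sb, uint32_t c)
{
	return c >= EXFAT_FIRST_CLUSTER && c < sb->num_clusters;
}

/* Bounded chain walk, as the __exfat_free_cluster() fix does with the total
 * cluster count: a healthy chain can never have more links than clusters.
 * Returns the chain length, or -EIO for a bad id or a loop. */
long chain_length(const struct mini_sb *sb, uint32_t start)
{
	uint32_t clu = start;
	long steps = 0;

	while (clu != EXFAT_EOF_CLUSTER) {
		if (!valid_cluster(sb, clu) || steps >= (long)sb->num_clusters)
			return -EIO;
		clu = sb->fat[clu];
		steps++;
	}
	return steps;
}

/* Directory walk in the spirit of the exfat_readdir() fix: an unused dentry
 * marks the end of the directory, so stop right there instead of following
 * the chain to the next cluster (which, for a self-linked cluster, is the
 * same cluster again). The cluster bound still guards fully populated loops.
 * Returns the number of in-use entries, or -EIO. */
long count_dir_entries(const struct mini_sb *sb, uint32_t start)
{
	uint32_t clu = start;
	long steps = 0, in_use = 0;

	while (clu != EXFAT_EOF_CLUSTER) {
		const uint8_t *types;
		unsigned int i;

		if (!valid_cluster(sb, clu) || steps >= (long)sb->num_clusters)
			return -EIO;
		types = sb->dentry_types + clu * DENTRIES_PER_CLUSTER;
		for (i = 0; i < DENTRIES_PER_CLUSTER; i++) {
			if (types[i] == EXFAT_UNUSED)
				return in_use;    /* end of directory */
			if (types[i] == EXFAT_FILE)
				in_use++;
		}
		clu = sb->fat[clu];
		steps++;
	}
	return in_use;
}

/* Constructed sample image with 7 FAT slots:
 *   2 -> 3 -> EOF   healthy chain
 *   4 -> 5 -> 5     cluster 5 is linked to itself (the readdir report)
 *   6 -> 6          self-linked and fully populated (needs the bound) */
static const uint32_t sample_fat[7] = {
	0, 0, 3, EXFAT_EOF_CLUSTER, 5, 5, 6,
};
static const uint8_t sample_types[7 * DENTRIES_PER_CLUSTER] = {
	0, 0, 0, 0,                                        /* cluster 0: reserved */
	0, 0, 0, 0,                                        /* cluster 1: reserved */
	EXFAT_FILE, EXFAT_FILE, EXFAT_FILE, EXFAT_FILE,    /* cluster 2: full */
	EXFAT_FILE, EXFAT_UNUSED, 0, 0,                    /* cluster 3: 1 file, then end */
	EXFAT_FILE, EXFAT_FILE, EXFAT_FILE, EXFAT_FILE,    /* cluster 4: full */
	EXFAT_FILE, EXFAT_FILE, EXFAT_UNUSED, 0,           /* cluster 5: 2 files, then end */
	EXFAT_FILE, EXFAT_FILE, EXFAT_FILE, EXFAT_FILE,    /* cluster 6: full, self-linked */
};
const struct mini_sb sample_sb = { 7, sample_fat, sample_types };

int main(void)
{
	printf("chain from 2: %ld, from 4: %ld (-%d = EIO)\n",
	       chain_length(&sample_sb, 2), chain_length(&sample_sb, 4), EIO);
	printf("dir at 5: %ld entries, dir at 6: %ld\n",
	       count_dir_entries(&sample_sb, 5), count_dir_entries(&sample_sb, 6));
	return 0;
}
```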

 
filemap: avoid truncating 64-bit offset to 32 bits [+ + +]
Author: Marco Nelissen <[email protected]>
Date:   Thu Jan 2 11:04:11 2025 -0800

    filemap: avoid truncating 64-bit offset to 32 bits
    
    commit f505e6c91e7a22d10316665a86d79f84d9f0ba76 upstream.
    
    On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a
    64-bit value to 32 bits, leading to a possible infinite loop when writing
    to an xfs filesystem.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 54fa39ac2e00 ("iomap: use mapping_seek_hole_data")
    Signed-off-by: Marco Nelissen <[email protected]>
    Cc: Matthew Wilcox (Oracle) <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
fs/proc: fix softlockup in __read_vmcore (part 2) [+ + +]
Author: Rik van Riel <[email protected]>
Date:   Fri Jan 10 10:28:21 2025 -0500

    fs/proc: fix softlockup in __read_vmcore (part 2)
    
    commit cbc5dde0a461240046e8a41c43d7c3b76d5db952 upstream.
    
    Since commit 5cbcb62dddf5 ("fs/proc: fix softlockup in __read_vmcore") the
    number of softlockups in __read_vmcore at kdump time has gone down, but
    they still happen sometimes.
    
    In a memory constrained environment like the kdump image, a softlockup is
    not just a harmless message, but it can interfere with things like RCU
    freeing memory, causing the crashdump to get stuck.
    
    The second loop in __read_vmcore has a lot more opportunities for natural
    sleep points, like scheduling out while waiting for a data write to
    happen, but apparently that is not always enough.
    
    Add a cond_resched() to the second loop in __read_vmcore to (hopefully)
    get rid of the softlockups.
    
    Link: https://lkml.kernel.org/r/20250110102821.2a37581b@fangorn
    Fixes: 5cbcb62dddf5 ("fs/proc: fix softlockup in __read_vmcore")
    Signed-off-by: Rik van Riel <[email protected]>
    Reported-by: Breno Leitao <[email protected]>
    Cc: Baoquan He <[email protected]>
    Cc: Dave Young <[email protected]>
    Cc: Vivek Goyal <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
fs: fix missing declaration of init_files [+ + +]
Author: Zhang Kunbo <[email protected]>
Date:   Tue Dec 17 07:18:36 2024 +0000

    fs: fix missing declaration of init_files
    
    [ Upstream commit 2b2fc0be98a828cf33a88a28e9745e8599fb05cf ]
    
    fs/file.c should include include/linux/init_task.h for the
    declaration of init_files. This fixes the sparse warning:
    
    fs/file.c:501:21: warning: symbol 'init_files' was not declared. Should it be static?
    
    Signed-off-by: Zhang Kunbo <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Christian Brauner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
gpiolib: cdev: Fix use after free in lineinfo_changed_notify [+ + +]
Author: Zhongqiu Han <[email protected]>
Date:   Sun May 5 22:11:56 2024 +0800

    gpiolib: cdev: Fix use after free in lineinfo_changed_notify
    
    commit 02f6b0e1ec7e0e7d059dddc893645816552039da upstream.
    
    The use-after-free issue occurs as follows: when the GPIO chip device file
    is being closed by invoking gpio_chrdev_release(), watched_lines is freed
    by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier
    chain failed while waiting for the write rwsem. Additionally, one of the GPIO
    chip's lines is also in the release process and holds the notifier chain's
    read rwsem. Consequently, a race condition leads to the use-after-free of
    watched_lines.
    
    Here is the typical stack when issue happened:
    
    [free]
    gpio_chrdev_release()
      --> bitmap_free(cdev->watched_lines)                  <-- freed
      --> blocking_notifier_chain_unregister()
        --> down_write(&nh->rwsem)                          <-- waiting rwsem
              --> __down_write_common()
                --> rwsem_down_write_slowpath()
                      --> schedule_preempt_disabled()
                        --> schedule()
    
    [use]
    st54spi_gpio_dev_release()
      --> gpio_free()
        --> gpiod_free()
          --> gpiod_free_commit()
            --> gpiod_line_state_notify()
              --> blocking_notifier_call_chain()
                --> down_read(&nh->rwsem);                  <-- held rwsem
                --> notifier_call_chain()
                  --> lineinfo_changed_notify()
                    --> test_bit(xxxx, cdev->watched_lines) <-- use after free
    
    The side effect of the use-after-free issue is that a GPIO line event is
    being generated for userspace where it shouldn't. However, since the chrdev
    is being closed, userspace won't have the chance to read that event anyway.
    
    To fix the issue, call the bitmap_free() function after the unregistration
    of lineinfo_changed_nb notifier chain.
    
    Fixes: 51c1064e82e7 ("gpiolib: add new ioctl() for monitoring changes in line info")
    Signed-off-by: Zhongqiu Han <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Signed-off-by: Bruno VERNAY <[email protected]>
    Signed-off-by: Hugo SIMELIERE <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
gtp: Destroy device along with udp socket's netns dismantle. [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Fri Jan 10 10:47:53 2025 +0900

    gtp: Destroy device along with udp socket's netns dismantle.
    
    [ Upstream commit eb28fd76c0a08a47b470677c6cef9dd1c60e92d1 ]
    
    gtp_newlink() links the device to a list in dev_net(dev) instead of
    src_net, where a udp tunnel socket is created.
    
    Even when src_net is removed, the device stays alive on dev_net(dev).
    Then, removing src_net triggers the splat below. [0]
    
    In this example, gtp0 is created in ns2, and the udp socket is created
    in ns1.
    
      ip netns add ns1
      ip netns add ns2
      ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn
      ip netns del ns1
    
    Let's link the device to the socket's netns instead.
    
    Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove
    all gtp devices in the netns.
    
    [0]:
    ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at
         sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236)
         inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252)
         __sock_create (net/socket.c:1558)
         udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18)
         gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423)
         gtp_create_sockets (drivers/net/gtp.c:1447)
         gtp_newlink (drivers/net/gtp.c:1507)
         rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012)
         rtnetlink_rcv_msg (net/core/rtnetlink.c:6922)
         netlink_rcv_skb (net/netlink/af_netlink.c:2542)
         netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347)
         netlink_sendmsg (net/netlink/af_netlink.c:1891)
         ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583)
         ___sys_sendmsg (net/socket.c:2639)
         __sys_sendmsg (net/socket.c:2669)
         do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
    
    WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)
    Modules linked in:
    CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
    Workqueue: netns cleanup_net
    RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179)
    Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89
    RSP: 0018:ff11000009a07b60 EFLAGS: 00010286
    RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c
    RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae
    R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0
    R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000
    FS:  0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
     <TASK>
     ? __warn (kernel/panic.c:748)
     ? ref_tracker_dir_exit (lib/ref_tracker.c:179)
     ? report_bug (lib/bug.c:201 lib/bug.c:219)
     ? handle_bug (arch/x86/kernel/traps.c:285)
     ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1))
     ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
     ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
     ? ref_tracker_dir_exit (lib/ref_tracker.c:179)
     ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158)
     ? kfree (mm/slub.c:4613 mm/slub.c:4761)
     net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467)
     cleanup_net (net/core/net_namespace.c:664 (discriminator 3))
     process_one_work (kernel/workqueue.c:3229)
     worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391)
     kthread (kernel/kthread.c:389)
     ret_from_fork (arch/x86/kernel/process.c:147)
     ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
     </TASK>
    
    Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
    Reported-by: Xiao Liang <[email protected]>
    Closes: https://lore.kernel.org/netdev/[email protected]/
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

gtp: use exit_batch_rtnl() method [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Tue Feb 6 14:43:03 2024 +0000

    gtp: use exit_batch_rtnl() method
    
    [ Upstream commit 6eedda01b2bfdcf427b37759e053dc27232f3af1 ]
    
    exit_batch_rtnl() is called while RTNL is held,
    and devices to be unregistered can be queued in the dev_kill_list.
    
    This saves one rtnl_lock()/rtnl_unlock() pair per netns
    and one unregister_netdevice_many() call per netns.
    
    Signed-off-by: Eric Dumazet <[email protected]>
    Reviewed-by: Antoine Tenart <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Stable-dep-of: 46841c7053e6 ("gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().")
    Signed-off-by: Sasha Levin <[email protected]>

gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Fri Jan 10 10:47:52 2025 +0900

    gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().
    
    [ Upstream commit 46841c7053e6d25fb33e0534ef023833bf03e382 ]
    
    gtp_newlink() links the gtp device to a list in dev_net(dev).
    
    However, even after the gtp device is moved to another netns,
    it stays on the list but should be invisible.
    
    Let's use for_each_netdev_rcu() for netdev traversal in
    gtp_genl_dump_pdp().
    
    Note that gtp_dev_list is no longer used under RCU, so list
    helpers are converted to the non-RCU variant.
    
    Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
    Reported-by: Xiao Liang <[email protected]>
    Closes: https://lore.kernel.org/netdev/CABAhCOQdBL6h9M2C+kd+bGivRJ9Q72JUxW+-gur0nub_=PmFPA@mail.gmail.com/
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
hfs: Sanity check the root record [+ + +]
Author: Leo Stone <[email protected]>
Date:   Sat Nov 30 21:14:19 2024 -0800

    hfs: Sanity check the root record
    
    [ Upstream commit b905bafdea21a75d75a96855edd9e0b6051eee30 ]
    
    In the syzbot reproducer, the hfs_cat_rec for the root dir has type
    HFS_CDR_FIL after being read with hfs_bnode_read() in hfs_super_fill().
    This indicates it should be used as an hfs_cat_file, which is 102 bytes.
    Only the first 70 bytes of that struct are initialized, however,
    because the entrylength passed into hfs_bnode_read() is still the length of
    a directory record. This causes uninitialized values to be used later on,
    when the hfs_cat_rec union is treated as the larger hfs_cat_file struct.
    
    Add a check to make sure the retrieved record has the correct type
    for the root directory (HFS_CDR_DIR), and make sure we load the correct
    number of bytes for a directory record.
    
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=2db3c7526ba68f4ea776
    Tested-by: [email protected]
    Tested-by: Leo Stone <[email protected]>
    Signed-off-by: Leo Stone <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Jan Kara <[email protected]>
    Signed-off-by: Christian Brauner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
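
The type and length validation the commit describes for the root record, as an added example (not the hfs driver's code). The record type values and the 70/102-byte lengths come from the commit message; the struct layouts, bnode_read(), the node buffer and its contents are placeholders constructed for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Record types and lengths as stated in the commit message; the structs are
 * opaque placeholders of those lengths, not the kernel's hfs_cat_dir/_file. */
#define HFS_CDR_DIR      1u
#define HFS_CDR_FIL      2u
#define HFS_DIR_REC_LEN  70u
#define HFS_FILE_REC_LEN 102u

struct hfs_cat_dir  { uint8_t type; uint8_t body[HFS_DIR_REC_LEN - 1]; };
struct hfs_cat_file { uint8_t type; uint8_t body[HFS_FILE_REC_LEN - 1]; };
union hfs_cat_rec {
	uint8_t type;
	struct hfs_cat_dir  dir;
	struct hfs_cat_file file;
};

/* Stand-in for hfs_bnode_read(): copy len bytes at off out of the node. */
static int bnode_read(const uint8_t *node, size_t node_len,
		      void *dst, size_t off, size_t len)
{
	if (off > node_len || len > node_len - off)
		return -EIO;
	memcpy(dst, node + off, len);
	return 0;
}

/* Root lookup with the checks the fix adds: the record found for the root
 * must carry type HFS_CDR_DIR, the catalog's entrylength must be at least a
 * directory record, and exactly sizeof(rec.dir) bytes are loaded. Without
 * these, a record whose type byte says HFS_CDR_FIL would be treated as a
 * 102-byte file record of which only 70 bytes were ever read. */
int load_root_dir_record(const uint8_t *node, size_t node_len,
			 size_t entryoffset, size_t entrylength,
			 struct hfs_cat_dir *out)
{
	union hfs_cat_rec rec;
	int err;

	if (entrylength < sizeof(rec.dir))
		return -EIO;                  /* too short to be a directory record */
	memset(&rec, 0, sizeof(rec));         /* never leave an uninitialized tail */
	err = bnode_read(node, node_len, &rec, entryoffset, sizeof(rec.dir));
	if (err)
		return err;
	if (rec.type != HFS_CDR_DIR)
		return -EIO;                  /* root must be a directory */
	*out = rec.dir;
	return 0;
}

/* Constructed catalog node: a directory record at offset 0 and, at offset 70,
 * a record whose type byte claims "file" (the shape the report describes). */
#define SAMPLE_NODE_LEN 256u
static void build_sample_node(uint8_t *node)
{
	memset(node, 0xAA, SAMPLE_NODE_LEN);  /* filler, so stray reads are visible */
	node[0]  = HFS_CDR_DIR;
	node[70] = HFS_CDR_FIL;
}

/* Returns 0 when the record at (off, len) is accepted as root, -EIO otherwise. */
int probe_root(size_t off, size_t len)
{
	uint8_t node[SAMPLE_NODE_LEN];
	struct hfs_cat_dir dir;

	build_sample_node(node);
	return load_root_dir_record(node, sizeof(node), off, len, &dir);
}
```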

 
hrtimers: Handle CPU state correctly on hotplug [+ + +]
Author: Koichiro Den <[email protected]>
Date:   Fri Dec 20 22:44:21 2024 +0900

    hrtimers: Handle CPU state correctly on hotplug
    
    commit 2f8dea1692eef2b7ba6a256246ed82c365fdc686 upstream.
    
    Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway
    through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to
    CPUHP_ONLINE:
    
    Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set
    to 1 throughout. However, during a CPU unplug operation, the tick and the
    clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online
    state, for instance CFS incorrectly assumes that the hrtick is already
    active, and the chance of the clockevent device to transition to oneshot
    mode is also lost forever for the CPU, unless it goes back to a lower state
    than CPUHP_HRTIMERS_PREPARE once.
    
    This round-trip reveals another issue; cpu_base.online is not set to 1
    after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().
    
    Aside from that, the bulk of the per CPU state is not reset either, which
    means there are dangling pointers in the worst case.
    
    Address this by adding a corresponding startup() callback, which resets the
    stale per CPU state and sets the online flag.
    
    [ tglx: Make the new callback unconditionally available, remove the online
            modification in the prepare() callback and clear the remaining
            state in the starting callback instead of the prepare callback ]
    
    Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier")
    Signed-off-by: Koichiro Den <[email protected]>
    Signed-off-by: Thomas Gleixner <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/all/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
hwmon: (tmp513) Fix division of negative numbers [+ + +]
Author: David Lechner <[email protected]>
Date:   Tue Jan 14 15:45:52 2025 -0600

    hwmon: (tmp513) Fix division of negative numbers
    
    [ Upstream commit e2c68cea431d65292b592c9f8446c918d45fcf78 ]
    
    Fix several issues with division of negative numbers in the tmp513
    driver.
    
    The docs on the DIV_ROUND_CLOSEST macro explain that dividing a negative
    value by an unsigned type is undefined behavior. The driver was doing
    this in several places, i.e. data->shunt_uohms has type of u32. The
    actual "undefined" behavior is that it converts both values to unsigned
    before doing the division, for example:
    
        int ret = DIV_ROUND_CLOSEST(-100, 3U);
    
    results in ret == 1431655732 instead of -33.
    
    Furthermore the MILLI macro has a type of unsigned long. Multiplying a
    signed long by an unsigned long results in an unsigned long.
    
    So, we need to cast both MILLI and data->shunt_uohms to long when
    using the DIV_ROUND_CLOSEST macro.
    
    Fixes: f07f9d2467f4 ("hwmon: (tmp513) Use SI constants from units.h")
    Fixes: 59dfa75e5d82 ("hwmon: Add driver for Texas Instruments TMP512/513 sensor chips.")
    Signed-off-by: David Lechner <[email protected]>
    Link: https://lore.kernel.org/r/20250114-fix-si-prefix-macro-sign-bugs-v1-1-696fd8d10f00@baylibre.com
    [groeck: Drop some continuation lines]
    Signed-off-by: Guenter Roeck <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
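
The unsigned-division trap the commit describes, reproduced with a userspace replica of the kernel's DIV_ROUND_CLOSEST() macro as an added example (not the tmp513 driver's code). The macro and MILLI mirror include/linux/math.h and include/linux/units.h; the shunt_current_ma_*() helpers are constructed in the driver's style to show the buggy and the cast variants side by side.

```c
#include <stdint.h>
#include <stdio.h>

/* Replica of DIV_ROUND_CLOSEST() from include/linux/math.h. If either operand
 * has an unsigned type the first branch is taken and, by the usual arithmetic
 * conversions, the whole division is carried out in unsigned arithmetic. */
#define DIV_ROUND_CLOSEST(x, divisor) ({				\
	__typeof__(x) __x = (x);					\
	__typeof__(divisor) __d = (divisor);				\
	(((__typeof__(x))-1) > 0 ||					\
	 ((__typeof__(divisor))-1) > 0 ||				\
	 (((__x) > 0) == ((__d) > 0))) ?				\
		(((__x) + ((__d) / 2)) / (__d)) :			\
		(((__x) - ((__d) / 2)) / (__d));			\
})

typedef uint32_t u32;
#define MILLI 1000UL	/* as in include/linux/units.h: an unsigned long */

/* The exact case quoted in the commit message. */
int divide_negative_by_unsigned(void)
{
	int ret = DIV_ROUND_CLOSEST(-100, 3U);
	return ret;	/* 1431655732, not -33 */
}

/* Same division with the divisor cast to long: the sign-aware branch runs. */
long divide_negative_by_long(void)
{
	return DIV_ROUND_CLOSEST(-100, (long)3U);	/* -33 */
}

/* Hypothetical conversion in the tmp513 style (constructed for this example):
 * a signed shunt voltage in microvolts, scaled by MILLI and divided by the
 * shunt resistance in micro-ohms, which the driver keeps as a u32. */
long shunt_current_ma_buggy(long shunt_uv, u32 shunt_uohms)
{
	/* long * unsigned long is unsigned long; dividing by a u32 stays unsigned,
	 * so a negative reading turns into a huge positive current. */
	return DIV_ROUND_CLOSEST(shunt_uv * MILLI, shunt_uohms);
}

long shunt_current_ma_fixed(long shunt_uv, u32 shunt_uohms)
{
	/* cast both MILLI and the u32 to long, as the fix does */
	return DIV_ROUND_CLOSEST(shunt_uv * (long)MILLI, (long)shunt_uohms);
}

int main(void)
{
	printf("DIV_ROUND_CLOSEST(-100, 3U)        = %d\n", divide_negative_by_unsigned());
	printf("DIV_ROUND_CLOSEST(-100, (long)3U)  = %ld\n", divide_negative_by_long());
	printf("-100 uV / 3000 uOhm: buggy %ld, fixed %ld mA\n",
	       shunt_current_ma_buggy(-100, 3000), shunt_current_ma_fixed(-100, 3000));
	return 0;
}
```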

 
i2c: mux: demux-pinctrl: check initial mux selection, too [+ + +]
Author: Wolfram Sang <[email protected]>
Date:   Wed Jan 15 08:29:45 2025 +0100

    i2c: mux: demux-pinctrl: check initial mux selection, too
    
    [ Upstream commit ca89f73394daf92779ddaa37b42956f4953f3941 ]
    
    When misconfigured, the initial setup of the current mux channel can
    fail, too. It must be checked as well.
    
    Fixes: 50a5ba876908 ("i2c: mux: demux-pinctrl: add driver")
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

i2c: rcar: fix NACK handling when being a target [+ + +]
Author: Wolfram Sang <[email protected]>
Date:   Wed Jan 15 13:36:23 2025 +0100

    i2c: rcar: fix NACK handling when being a target
    
    [ Upstream commit 093f70c134f70e4632b295240f07d2b50b74e247 ]
    
    When this controller is a target, the NACK handling had two issues.
    First, the return value from the backend was not checked on the initial
    WRITE_REQUESTED. So, the driver failed to send a NACK in this case.
    Also, the NACK always arrives one byte late on the bus, even in the
    WRITE_RECEIVED case. This seems to be a HW issue. We should then not
    rely on the backend to correctly NACK the superfluous byte as well. Fix
    both issues by introducing a flag which gets set whenever the backend
    requests a NACK and keep sending it until we get a STOP condition.
    
    Fixes: de20d1857dd6 ("i2c: rcar: add slave support")
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() [+ + +]
Author: Keisuke Nishimura <[email protected]>
Date:   Tue Oct 29 19:27:12 2024 +0100

    ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()
    
    [ Upstream commit 2c87309ea741341c6722efdf1fb3f50dd427c823 ]
    
    ca8210_test_interface_init() returns the result of kfifo_alloc(),
    which can be non-zero in case of an error. The caller, ca8210_probe(),
    should check the return value and do error-handling if it fails.
    
    Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
    Signed-off-by: Keisuke Nishimura <[email protected]>
    Reviewed-by: Simon Horman <[email protected]>
    Reviewed-by: Miquel Raynal <[email protected]>
    Link: https://lore.kernel.org/[email protected]
    Signed-off-by: Stefan Schmidt <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
iio: adc: ad7124: Disable all channels at probe time [+ + +]
Author: Uwe Kleine-König <[email protected]>
Date:   Mon Nov 4 11:19:04 2024 +0100

    iio: adc: ad7124: Disable all channels at probe time
    
    commit 4be339af334c283a1a1af3cb28e7e448a0aa8a7c upstream.
    
    When during a measurement two channels are enabled, two measurements are
    done that are reported sequentially in the DATA register. As the code
    triggered by reading one of the sysfs properties expects that only one
    channel is enabled it only reads the first data set which might or might
    not belong to the intended channel.
    
    To prevent this situation disable all channels during probe. This fixes
    a problem in practice because the reset default for channel 0 is
    enabled. So all measurements before the first measurement on channel 0
    (which disables channel 0 at the end) might report wrong values.
    
    Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels")
    Reviewed-by: Nuno Sa <[email protected]>
    Signed-off-by: Uwe Kleine-König <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: adc: at91: call input_free_device() on allocated iio_dev [+ + +]
Author: Joe Hattori <[email protected]>
Date:   Sat Dec 7 13:30:45 2024 +0900

    iio: adc: at91: call input_free_device() on allocated iio_dev
    
    commit de6a73bad1743e9e81ea5a24c178c67429ff510b upstream.
    
    Current implementation of at91_ts_register() calls input_free_device()
    on st->ts_input, however, the err label can be reached before the
    allocated iio_dev is stored to st->ts_input. Thus call
    input_free_device() on input instead of st->ts_input.
    
    Fixes: 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens without TSMR")
    Signed-off-by: Joe Hattori <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: adc: rockchip_saradc: fix information leak in triggered buffer [+ + +]
Author: Javier Carrasco <[email protected]>
Date:   Mon Nov 25 22:16:12 2024 +0100

    iio: adc: rockchip_saradc: fix information leak in triggered buffer
    
    commit 38724591364e1e3b278b4053f102b49ea06ee17c upstream.
    
    The 'data' local struct is used to push data to user space from a
    triggered buffer, but it does not set values for inactive channels, as
    it only uses iio_for_each_active_channel() to assign new values.
    
    Initialize the struct to zero before using it to avoid pushing
    uninitialized information to userspace.
    
    Cc: [email protected]
    Fixes: 4e130dc7b413 ("iio: adc: rockchip_saradc: Add support iio buffers")
    Signed-off-by: Javier Carrasco <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Bin Lan <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() [+ + +]
Author: Fabio Estevam <[email protected]>
Date:   Fri Nov 22 13:43:08 2024 -0300

    iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
    
    commit 2a8e34096ec70d73ebb6d9920688ea312700cbd9 upstream.
    
    Using gpiod_set_value() to control the reset GPIO causes some verbose
    warnings during boot when the reset GPIO is controlled by an I2C IO
    expander.
    
    As the caller can sleep, use the gpiod_set_value_cansleep() variant to
    fix the issue.
    
    Tested on a custom i.MX93 board with a ADS124S08 ADC.
    
    Cc: [email protected]
    Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code")
    Signed-off-by: Fabio Estevam <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: adc: ti-ads8688: fix information leak in triggered buffer [+ + +]
Author: Javier Carrasco <[email protected]>
Date:   Mon Nov 25 22:16:16 2024 +0100

    iio: adc: ti-ads8688: fix information leak in triggered buffer
    
    commit 2a7377ccfd940cd6e9201756aff1e7852c266e69 upstream.
    
    The 'buffer' local array is used to push data to user space from a
    triggered buffer, but it does not set values for inactive channels, as
    it only uses iio_for_each_active_channel() to assign new values.
    
    Initialize the array to zero before using it to avoid pushing
    uninitialized information to userspace.
    
    Cc: [email protected]
    Fixes: 61fa5dfa5f52 ("iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()")
    Signed-off-by: Javier Carrasco <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer [+ + +]
Author: Javier Carrasco <[email protected]>
Date:   Mon Nov 25 22:16:17 2024 +0100

    iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer
    
    commit 333be433ee908a53f283beb95585dfc14c8ffb46 upstream.
    
    The 'data' array is allocated via kmalloc() and it is used to push data
    to user space from a triggered buffer, but it does not set values for
    inactive channels, as it only uses iio_for_each_active_channel()
    to assign new values.
    
    Use kzalloc for the memory allocation to avoid pushing uninitialized
    information to userspace.
    
    Cc: [email protected]
    Fixes: 415f79244757 ("iio: Move IIO Dummy Driver out of staging")
    Signed-off-by: Javier Carrasco <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: gyro: fxas21002c: Fix missing data update in trigger handler [+ + +]
Author: Carlos Song <[email protected]>
Date:   Sat Nov 16 10:29:45 2024 -0500

    iio: gyro: fxas21002c: Fix missing data update in trigger handler
    
    commit fa13ac6cdf9b6c358e7d77c29fb60145c7a87965 upstream.
    
    The fxas21002c_trigger_handler() may fail to acquire sample data because
    the runtime PM enters the autosuspend state and sensor can not return
    sample data in standby mode.
    
    Resume the sensor before reading the sample data into the buffer within the
    trigger handler. After the data is read, place the sensor back into the
    autosuspend state.
    
    Fixes: a0701b6263ae ("iio: gyro: add core driver for fxas21002c")
    Signed-off-by: Carlos Song <[email protected]>
    Signed-off-by: Frank Li <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: imu: inv_icm42600: fix spi burst write not supported [+ + +]
Author: Jean-Baptiste Maneyrol <[email protected]>
Date:   Tue Nov 12 10:30:10 2024 +0100

    iio: imu: inv_icm42600: fix spi burst write not supported
    
    commit c0f866de4ce447bca3191b9cefac60c4b36a7922 upstream.
    
    Burst write with SPI is not working for all icm42600 chips. It was
    only used for setting user offsets with regmap_bulk_write.
    
    Add specific SPI regmap config for using only single write with SPI.
    
    Fixes: 9f9ff91b775b ("iio: imu: inv_icm42600: add SPI driver for inv_icm42600 driver")
    Cc: [email protected]
    Signed-off-by: Jean-Baptiste Maneyrol <[email protected]>
    Link: https://patch.msgid.link/20241112-inv-icm42600-fix-spi-burst-write-not-supported-v2-1-97690dc03607@tdk.com
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on [+ + +]
Author: Jean-Baptiste Maneyrol <[email protected]>
Date:   Wed Nov 13 21:25:45 2024 +0100

    iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on
    
    commit 65a60a590142c54a3f3be11ff162db2d5b0e1e06 upstream.
    
    Currently suspending while sensors are on will result in timestamping
    continuing without gap at resume. It can work with monotonic clock but
    not with other clocks. Fix that by resetting timestamping.
    
    Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
    Cc: [email protected]
    Signed-off-by: Jean-Baptiste Maneyrol <[email protected]>
    Link: https://patch.msgid.link/20241113-inv_icm42600-fix-timestamps-after-suspend-v1-1-dfc77c394173@tdk.com
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: imu: kmx61: fix information leak in triggered buffer [+ + +]
Author: Javier Carrasco <[email protected]>
Date:   Mon Nov 25 22:16:13 2024 +0100

    iio: imu: kmx61: fix information leak in triggered buffer
    
    commit 6ae053113f6a226a2303caa4936a4c37f3bfff7b upstream.
    
    The 'buffer' local array is used to push data to user space from a
    triggered buffer, but it does not set values for inactive channels, as
    it only uses iio_for_each_active_channel() to assign new values.
    
    Initialize the array to zero before using it to avoid pushing
    uninitialized information to userspace.
    
    Cc: [email protected]
    Fixes: c3a23ecc0901 ("iio: imu: kmx61: Add support for data ready triggers")
    Signed-off-by: Javier Carrasco <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: inkern: call iio_device_put() only on mapped devices [+ + +]
Author: Joe Hattori <[email protected]>
Date:   Wed Dec 4 20:13:42 2024 +0900

    iio: inkern: call iio_device_put() only on mapped devices
    
    commit 64f43895b4457532a3cc524ab250b7a30739a1b1 upstream.
    
    In the error path of iio_channel_get_all(), iio_device_put() is called
    on all IIO devices, which can cause a refcount imbalance. Fix this error
    by calling iio_device_put() only on IIO devices whose refcounts were
    previously incremented by iio_device_get().
    
    Fixes: 314be14bb893 ("iio: Rename _st_ functions to loose the bit that meant the staging version.")
    Signed-off-by: Joe Hattori <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
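
The refcount imbalance described in the commit above comes from an error path that releases every entry of a table, not only the entries that were acquired before the failure. The following added example (not part of the changelog or of the kernel tree) models that unwind in plain user-space C: struct iio_dev, iio_device_get()/iio_device_put(), the chan_map table and the "third lookup fails" scenario are all constructed stand-ins, and the loop bound switch between nmaps and mapind is the only difference between the pre-fix and fixed shapes.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the refcounted IIO device. */
struct iio_dev {
	const char *name;
	int refcount;
};

static void iio_device_get(struct iio_dev *d) { d->refcount++; }
static void iio_device_put(struct iio_dev *d) { d->refcount--; }

/* One consumer map entry as iio_channel_get_all() walks them. A negative
 * channel index stands in for a channel lookup that fails. */
struct chan_map {
	struct iio_dev *indio_dev;
	int channel_idx;
};

#define NMAPS 3

/* Walks the maps, taking a device reference for each one whose channel
 * lookup succeeds. On failure it unwinds: with put_only_acquired == 0 the
 * loop mirrors the pre-fix code and puts every map's device, got or not;
 * with put_only_acquired != 0 it stops at mapind, the number actually got. */
static int channel_get_all(struct chan_map *maps, size_t nmaps, int put_only_acquired)
{
	size_t mapind = 0;

	for (; mapind < nmaps; mapind++) {
		if (maps[mapind].channel_idx < 0)
			goto error_free_chans;   /* nothing got for this entry */
		iio_device_get(maps[mapind].indio_dev);
	}
	return 0;

error_free_chans:
	for (size_t i = 0; i < (put_only_acquired ? mapind : nmaps); i++)
		iio_device_put(maps[i].indio_dev);
	return -1;
}

/* Scenario from the commit: the third map's lookup fails. Returns the
 * lowest refcount left on any device: 0 means balanced, a negative value
 * is a reference dropped that was never taken (in the kernel that is a
 * premature free of a device still in use). */
int lowest_refcount_after_failure(int put_only_acquired)
{
	struct iio_dev devs[NMAPS] = { {"adc0", 0}, {"adc1", 0}, {"adc2", 0} };
	struct chan_map maps[NMAPS] = {
		{ &devs[0], 0 }, { &devs[1], 1 }, { &devs[2], -1 },
	};
	int lowest = 0;

	channel_get_all(maps, NMAPS, put_only_acquired);
	for (size_t i = 0; i < NMAPS; i++)
		if (devs[i].refcount < lowest)
			lowest = devs[i].refcount;
	return lowest;
}

int main(void)
{
	printf("pre-fix unwind: lowest refcount %d\n", lowest_refcount_after_failure(0));
	printf("fixed unwind:   lowest refcount %d\n", lowest_refcount_after_failure(1));
	return 0;
}
```

The general rule the example illustrates: an error label must undo exactly the work done before the jump, so the unwind loop is bounded by the progress counter, never by the table size.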

iio: light: vcnl4035: fix information leak in triggered buffer [+ + +]
Author: Javier Carrasco <[email protected]>
Date:   Mon Nov 25 22:16:14 2024 +0100

    iio: light: vcnl4035: fix information leak in triggered buffer
    
    commit 47b43e53c0a0edf5578d5d12f5fc71c019649279 upstream.
    
    The 'buffer' local array is used to push data to userspace from a
    triggered buffer, but it does not set an initial value for the single
    data element, which is a u16 aligned to 8 bytes. That leaves at least
    4 bytes uninitialized even after writing an integer value with
    regmap_read().
    
    Initialize the array to zero before using it to avoid pushing
    uninitialized information to userspace.
    
    Cc: [email protected]
    Fixes: ec90b52c07c0 ("iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp()")
    Signed-off-by: Javier Carrasco <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: pressure: zpa2326: fix information leak in triggered buffer [+ + +]
Author: Javier Carrasco <[email protected]>
Date:   Mon Nov 25 22:16:11 2024 +0100

    iio: pressure: zpa2326: fix information leak in triggered buffer
    
    commit 6007d10c5262f6f71479627c1216899ea7f09073 upstream.
    
    The 'sample' local struct is used to push data to user space from a
    triggered buffer, but it has a hole between the temperature and the
    timestamp (u32 pressure, u16 temperature, GAP, u64 timestamp).
    This hole is never initialized.
    
    Initialize the struct to zero before using it to avoid pushing
    uninitialized information to userspace.
    
    Cc: [email protected]
    Fixes: 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support")
    Signed-off-by: Javier Carrasco <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
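
The six "information leak in triggered buffer" commits above (rockchip_saradc, ti-ads8688, the dummy driver, kmx61, vcnl4035 and zpa2326) share one defect: a scan buffer on the stack or from kmalloc() is only partly written before it is pushed to userspace, so stale kernel memory travels with it. The added example below (not part of the changelog or of the kernel tree) makes both leak shapes visible in user-space C: the struct layout with a padding hole taken from the zpa2326 message, and a packed per-active-channel fill that leaves trailing slots untouched. POISON, the channel values, NCHAN and the fill helpers are constructed; the "zero first" variants stand in for the zero initializer, memset() or kzalloc() the upstream fixes use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xAA   /* stands in for whatever the stack or slab held before */

/* Constructed model of the zpa2326 sample named in the commit message:
 * u32 pressure, u16 temperature, a 2-byte hole, u64 timestamp. */
struct zpa_sample {
	uint32_t pressure;
	uint16_t temperature;
	int64_t timestamp __attribute__((aligned(8)));   /* hole at bytes 6..7 */
};

/* Pre-fix pattern: only the members are written; the hole keeps stale bytes. */
static void fill_sample_unzeroed(struct zpa_sample *s, uint32_t p, uint16_t t, int64_t ts)
{
	s->pressure = p;
	s->temperature = t;
	s->timestamp = ts;
}

/* Fixed pattern: clear the whole object first, then write the members. */
static void fill_sample_zeroed(struct zpa_sample *s, uint32_t p, uint16_t t, int64_t ts)
{
	memset(s, 0, sizeof(*s));
	fill_sample_unzeroed(s, p, t, ts);
}

#define IN_MEMBER(i, type, m) \
	((i) >= offsetof(type, m) && (i) < offsetof(type, m) + sizeof(((type *)0)->m))

/* Bytes of the sample that belong to no member and still carry POISON, i.e.
 * bytes that would be copied to userspace uninitialized. */
static size_t sample_leaked_bytes(const struct zpa_sample *s)
{
	const unsigned char *b = (const unsigned char *)s;
	size_t leaked = 0;

	for (size_t i = 0; i < sizeof(*s); i++) {
		if (IN_MEMBER(i, struct zpa_sample, pressure) ||
		    IN_MEMBER(i, struct zpa_sample, temperature) ||
		    IN_MEMBER(i, struct zpa_sample, timestamp))
			continue;
		if (b[i] == POISON)
			leaked++;
	}
	return leaked;
}

/* Struct case: how many padding bytes would leak, with or without zeroing. */
size_t struct_hole_leak(int zero_first)
{
	struct zpa_sample s;

	memset(&s, POISON, sizeof(s));            /* simulate stale stack contents */
	if (zero_first)
		fill_sample_zeroed(&s, 101325, 2150, 1234567890LL);
	else
		fill_sample_unzeroed(&s, 101325, 2150, 1234567890LL);
	return sample_leaked_bytes(&s);
}

/* Array case (ads8688, kmx61, rockchip_saradc, the dummy driver): the scan
 * buffer has room for every channel, but the driver packs one slot per
 * *active* channel and never writes the rest. */
#define NCHAN 8
size_t scan_buffer_leak(unsigned int active_mask, int zero_first)
{
	uint16_t buffer[NCHAN];
	const unsigned char *b = (const unsigned char *)buffer;
	size_t j = 0, leaked = 0;

	memset(buffer, POISON, sizeof(buffer));   /* simulate stale stack contents */
	if (zero_first)
		memset(buffer, 0, sizeof(buffer));
	for (unsigned int ch = 0; ch < NCHAN; ch++)
		if (active_mask & (1u << ch))
			buffer[j++] = (uint16_t)(0x0100 + ch);   /* constructed reading */
	for (size_t i = 0; i < sizeof(buffer); i++)
		if (b[i] == POISON)
			leaked++;
	return leaked;
}

int main(void)
{
	printf("struct hole: %zu byte(s) leak unzeroed, %zu zeroed\n",
	       struct_hole_leak(0), struct_hole_leak(1));
	printf("scan buffer, 2 of %d channels active: %zu byte(s) leak unzeroed, %zu zeroed\n",
	       NCHAN, scan_buffer_leak(0x05, 0), scan_buffer_leak(0x05, 1));
	return 0;
}
```

Two points worth keeping from this: a struct initializer that names every member still does not define the padding, so zeroing the object as a whole is what closes the hole; and for a scan array the leak size depends on the enabled-channel mask, which is under the reader's control through sysfs, so the zeroing has to be unconditional rather than tied to the common configuration.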

 
ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Fri Sep 13 08:31:47 2024 +0000

    ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
    
    commit 04ccecfa959d3b9ae7348780d8e379c6486176ac upstream.
    
    Blamed commit accidentally removed a check for rt->rt6i_idev being NULL,
    as spotted by syzbot:
    
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
     RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
     RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
    Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
    RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
    RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
    RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c
    R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18
    R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930
    FS:  0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
      addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856
     addrconf_notify+0x3cb/0x1020
      notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
      call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]
      call_netdevice_notifiers net/core/dev.c:2046 [inline]
      unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352
      unregister_netdevice_many net/core/dev.c:11414 [inline]
      unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289
      unregister_netdevice include/linux/netdevice.h:3129 [inline]
      __tun_detach+0x6b9/0x1600 drivers/net/tun.c:685
      tun_detach drivers/net/tun.c:701 [inline]
      tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510
      __fput+0x24a/0x8a0 fs/file_table.c:422
      task_work_run+0x24f/0x310 kernel/task_work.c:228
      exit_task_work include/linux/task_work.h:40 [inline]
      do_exit+0xa2f/0x27f0 kernel/exit.c:882
      do_group_exit+0x207/0x2c0 kernel/exit.c:1031
      __do_sys_exit_group kernel/exit.c:1042 [inline]
      __se_sys_exit_group kernel/exit.c:1040 [inline]
      __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
      x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f1acc77def9
    Code: Unable to access opcode bytes at 0x7f1acc77decf.
    RSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
    RBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
    R13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0
     </TASK>
    Modules linked in:
    ---[ end trace 0000000000000000 ]---
     RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
     RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
    Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
    RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
    RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
    RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c
    R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18
    R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930
    FS:  0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    
    Fixes: e332bc67cf5e ("ipv6: Don't call with rt6_uncached_list_flush_dev")
    Signed-off-by: Eric Dumazet <[email protected]>
    Reviewed-by: Simon Horman <[email protected]>
    Reviewed-by: David Ahern <[email protected]>
    Acked-by: Martin KaFai Lau <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: BRUNO VERNAY <[email protected]>
    Signed-off-by: Hugo SIMELIERE <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly [+ + +]
Author: Yogesh Lal <[email protected]>
Date:   Fri Dec 20 15:09:07 2024 +0530

    irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
    
    commit 0d62a49ab55c99e8deb4593b8d9f923de1ab5c18 upstream.
    
    When a CPU attempts to enter low power mode, it disables the redistributor
    and Group 1 interrupts and reinitializes the system registers upon wakeup.
    
    If the transition into low power mode fails, then the CPU_PM framework
    invokes the PM notifier callback with CPU_PM_ENTER_FAILED to allow the
    drivers to undo the state changes.
    
    The GIC V3 driver ignores CPU_PM_ENTER_FAILED, which leaves the GIC in
    disabled state.
    
    Handle CPU_PM_ENTER_FAILED in the same way as CPU_PM_EXIT to restore normal
    operation.
    
    [ tglx: Massage change log, add Fixes tag ]
    
    Fixes: 3708d52fc6bb ("irqchip: gic-v3: Implement CPU PM notifier")
    Signed-off-by: Yogesh Lal <[email protected]>
    Signed-off-by: Thomas Gleixner <[email protected]>
    Acked-by: Marc Zyngier <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/all/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
jbd2: flush filesystem device before updating tail sequence [+ + +]
Author: Zhang Yi <[email protected]>
Date:   Tue Dec 3 09:44:07 2024 +0800

    jbd2: flush filesystem device before updating tail sequence
    
    [ Upstream commit a0851ea9cd555c333795b85ddd908898b937c4e1 ]
    
    When committing transaction in jbd2_journal_commit_transaction(), the
    disk caches for the filesystem device should be flushed before updating
    the journal tail sequence. However, this step is missed if the journal
    is not located on the filesystem device. As a result, the filesystem may
    become inconsistent following a power failure or system crash. Fix it by
    ensuring that the filesystem device is flushed appropriately.
    
    Fixes: 3339578f0578 ("jbd2: cleanup journal tail after transaction commit")
    Signed-off-by: Zhang Yi <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Jan Kara <[email protected]>
    Signed-off-by: Christian Brauner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
kheaders: Ignore silly-rename files [+ + +]
Author: David Howells <[email protected]>
Date:   Fri Dec 13 13:50:01 2024 +0000

    kheaders: Ignore silly-rename files
    
    [ Upstream commit 973b710b8821c3401ad7a25360c89e94b26884ac ]
    
    Tell tar to ignore silly-rename files (".__afs*" and ".nfs*") when building
    the header archive.  These occur when a file that is open is unlinked
    locally, but hasn't yet been closed.  Such files are visible to the user
    via the getdents() syscall and so programs may want to do things with them.
    
    During the kernel build, such files may be made during the processing of
    header files and the cleanup may get deferred by fput() which may result in
    tar seeing these files when it reads the directory, but they may have
    disappeared by the time it tries to open them, causing tar to fail with an
    error.  Further, we don't want to include them in the tarball if they still
    exist.
    
    With CONFIG_HEADERS_INSTALL=y, something like the following may be seen:
    
       find: './kernel/.tmp_cpio_dir/include/dt-bindings/reset/.__afs2080': No such file or directory
       tar: ./include/linux/greybus/.__afs3C95: File removed before we read it
    
    The find warning doesn't seem to cause a problem.
    
    Fix this by telling tar when called from in gen_kheaders.sh to exclude such
    files.  This only affects afs and nfs; cifs uses the Windows Hidden
    attribute to prevent the file from being seen.
    
    Signed-off-by: David Howells <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    cc: Masahiro Yamada <[email protected]>
    cc: Marc Dionne <[email protected]>
    cc: [email protected]
    cc: [email protected]
    cc: [email protected]
    Signed-off-by: Christian Brauner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ksmbd: fix a missing return value check bug [+ + +]
Author: Wentao Liang <[email protected]>
Date:   Mon Dec 23 23:30:50 2024 +0800

    ksmbd: fix a missing return value check bug
    
    [ Upstream commit 4c16e1cadcbcaf3c82d5fc310fbd34d0f5d0db7c ]
    
    In the smb2_send_interim_resp(), if ksmbd_alloc_work_struct()
    fails to allocate a node, it returns a NULL pointer to the
    in_work pointer. This can lead to an illegal memory write of
    in_work->response_buf when allocate_interim_rsp_buf() attempts
    to perform a kzalloc() on it.
    
    To address this issue, incorporating a check for the return
    value of ksmbd_alloc_work_struct() ensures that the function
    returns immediately upon allocation failure, thereby preventing
    the aforementioned illegal memory access.
    
    Fixes: 041bba4414cd ("ksmbd: fix wrong interim response on compound")
    Signed-off-by: Wentao Liang <[email protected]>
    Acked-by: Namjae Jeon <[email protected]>
    Signed-off-by: Steve French <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
Linux: Linux 5.15.177 [+ + +]
Author: Greg Kroah-Hartman <[email protected]>
Date:   Thu Jan 23 17:16:04 2025 +0100

    Linux 5.15.177
    
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Florian Fainelli <[email protected]>
    Tested-by: Shuah Khan <[email protected]>
    Tested-by: SeongJae Park <[email protected]>
    Tested-by: Vijayendra Suman <[email protected]>
    Tested-by: Jon Hunter <[email protected]>
    Tested-by: Hardik Garg <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Mark Brown <[email protected]>
    Tested-by: Florian Fainelli <[email protected]>
    Tested-by: Hardik Garg <[email protected]>
    Tested-by: kernelci.org bot <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mac802154: check local interfaces before deleting sdata list [+ + +]
Author: Lizhi Xu <[email protected]>
Date:   Wed Nov 13 17:51:29 2024 +0800

    mac802154: check local interfaces before deleting sdata list
    
    [ Upstream commit eb09fbeb48709fe66c0d708aed81e910a577a30a ]
    
    syzkaller reported a corrupted list in ieee802154_if_remove. [1]
    
    Remove an IEEE 802.15.4 network interface after unregistering an IEEE 802.15.4
    hardware device from the system.
    
    CPU0                                    CPU1
    ====                                    ====
    genl_family_rcv_msg_doit                ieee802154_unregister_hw
    ieee802154_del_iface                    ieee802154_remove_interfaces
    rdev_del_virtual_intf_deprecated        list_del(&sdata->list)
    ieee802154_if_remove
    list_del_rcu
    
    The net device has been unregistered, since the rcu grace period,
    unregistration must be run before ieee802154_if_remove.
    
    To avoid this issue, add a check for local->interfaces before deleting
    sdata list.
    
    [1]
    kernel BUG at lib/list_debug.c:58!
    Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
    RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
    Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
    RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
    RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
    RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
    RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
    R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
    R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
    FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     __list_del_entry_valid include/linux/list.h:124 [inline]
     __list_del_entry include/linux/list.h:215 [inline]
     list_del_rcu include/linux/rculist.h:157 [inline]
     ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
     rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
     ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
     genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
     genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
     genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
     netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
     genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
     netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
     netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
     netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
     sock_sendmsg_nosec net/socket.c:729 [inline]
     __sock_sendmsg+0x221/0x270 net/socket.c:744
     ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
     ___sys_sendmsg net/socket.c:2661 [inline]
     __sys_sendmsg+0x292/0x380 net/socket.c:2690
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Reported-and-tested-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92
    Signed-off-by: Lizhi Xu <[email protected]>
    Reviewed-by: Miquel Raynal <[email protected]>
    Link: https://lore.kernel.org/[email protected]
    Signed-off-by: Stefan Schmidt <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
md/raid5: fix atomicity violation in raid5_cache_count [+ + +]
Author: Gui-Dong Han <[email protected]>
Date:   Fri Jan 12 15:10:17 2024 +0800

    md/raid5: fix atomicity violation in raid5_cache_count
    
    commit dfd2bf436709b2bccb78c2dda550dde93700efa7 upstream.
    
    In raid5_cache_count():
        if (conf->max_nr_stripes < conf->min_nr_stripes)
            return 0;
        return conf->max_nr_stripes - conf->min_nr_stripes;
    The current check is ineffective, as the values could change immediately
    after being checked.
    
    In raid5_set_cache_size():
        ...
        conf->min_nr_stripes = size;
        ...
        while (size > conf->max_nr_stripes)
            conf->min_nr_stripes = conf->max_nr_stripes;
        ...
    
    Due to intermediate value updates in raid5_set_cache_size(), concurrent
    execution of raid5_cache_count() and raid5_set_cache_size() may lead to
    inconsistent reads of conf->max_nr_stripes and conf->min_nr_stripes.
    The current checks are ineffective as values could change immediately
    after being checked, raising the risk of conf->min_nr_stripes exceeding
    conf->max_nr_stripes and potentially causing an integer overflow.
    
    This possible bug is found by an experimental static analysis tool
    developed by our team. This tool analyzes the locking APIs to extract
    function pairs that can be concurrently executed, and then analyzes the
    instructions in the paired functions to identify possible concurrency bugs
    including data races and atomicity violations. The above possible bug is
    reported when our tool analyzes the source code of Linux 6.2.
    
    To resolve this issue, it is suggested to introduce local variables
    'min_stripes' and 'max_stripes' in raid5_cache_count() to ensure the
    values remain stable throughout the check. Adding locks in
    raid5_cache_count() fails to resolve atomicity violations, as
    raid5_set_cache_size() may hold intermediate values of
    conf->min_nr_stripes while unlocked. With this patch applied, our tool no
    longer reports the bug, with the kernel configuration allyesconfig for
    x86_64. Due to the lack of associated hardware, we cannot test the patch
    in runtime testing, and just verify it according to the code logic.
    
    Fixes: edbe83ab4c27 ("md/raid5: allow the stripe_cache to grow and shrink.")
    Cc: [email protected]
    Signed-off-by: Gui-Dong Han <[email protected]>
    Reviewed-by: Yu Kuai <[email protected]>
    Signed-off-by: Song Liu <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Song Liu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
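
The commit above shows the defect only as two kernel excerpts; the added example below (not part of the changelog or of the kernel tree) reproduces it deterministically in user-space C. struct r5conf is reduced to the two fields involved, the "other CPU" running raid5_set_cache_size() is modelled as a hook invoked between the check and the subtraction, and set_cache_size_first_store() stands in for the first intermediate store that function makes; the fixed variant uses the local-snapshot shape the commit describes (plain reads here, READ_ONCE() in the kernel).

```c
#include <stdio.h>

/* Constructed model of the two fields raid5_cache_count() reads. */
struct r5conf {
	int max_nr_stripes;
	int min_nr_stripes;
};

/* A hook run between the check and the use, standing in for another CPU
 * executing raid5_set_cache_size() at exactly that moment. */
typedef void (*interleave_fn)(struct r5conf *conf, int arg);

/* Pre-fix shape: the fields are re-read after the check, so the check
 * guards nothing if they change in between. The shrinker count is an
 * unsigned long, so a negative difference turns into a huge count. */
static unsigned long cache_count_racy(struct r5conf *conf, interleave_fn hook, int arg)
{
	if (conf->max_nr_stripes < conf->min_nr_stripes)
		return 0;
	if (hook)
		hook(conf, arg);
	return (unsigned long)(conf->max_nr_stripes - conf->min_nr_stripes);
}

/* Fixed shape: snapshot both fields once, then check and subtract the
 * snapshots. Whatever the writer does afterwards cannot desynchronize them. */
static unsigned long cache_count_fixed(struct r5conf *conf, interleave_fn hook, int arg)
{
	int max_stripes = conf->max_nr_stripes;
	int min_stripes = conf->min_nr_stripes;

	if (hook)
		hook(conf, arg);
	if (max_stripes < min_stripes)
		return 0;
	return (unsigned long)(max_stripes - min_stripes);
}

/* The first store raid5_set_cache_size() makes: the requested size lands in
 * min_nr_stripes before the stripe cache has actually grown to match it. */
static void set_cache_size_first_store(struct r5conf *conf, int size)
{
	conf->min_nr_stripes = size;
}

/* The shrinker's count while a resize from 256 to 1024 stripes is in flight. */
unsigned long count_during_resize(int fixed)
{
	struct r5conf conf = { .max_nr_stripes = 256, .min_nr_stripes = 256 };

	return fixed ? cache_count_fixed(&conf, set_cache_size_first_store, 1024)
		     : cache_count_racy(&conf, set_cache_size_first_store, 1024);
}

int main(void)
{
	printf("racy count during resize:  %lu\n", count_during_resize(0));
	printf("fixed count during resize: %lu\n", count_during_resize(1));
	return 0;
}
```

The snapshot is the fix rather than a lock because, as the commit notes, the writer publishes an intermediate min_nr_stripes outside any lock; reading both values once and reasoning only about the copies is the standard way to make a check-then-use sequence on such fields self-consistent.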

 
mptcp: drop port parameter of mptcp_pm_add_addr_signal [+ + +]
Author: Geliang Tang <[email protected]>
Date:   Tue Feb 15 18:11:27 2022 -0800

    mptcp: drop port parameter of mptcp_pm_add_addr_signal
    
    [ Upstream commit af7939f390de17bde4a10a3bf0e337627fb42591 ]
    
    Drop the port parameter of mptcp_pm_add_addr_signal() and reflect it to
    avoid passing too many parameters.
    
    Signed-off-by: Geliang Tang <[email protected]>
    Signed-off-by: Mat Martineau <[email protected]>
    Signed-off-by: Jakub Kicinski <[email protected]>
    Stable-dep-of: cbb26f7d8451 ("mptcp: fix TCP options overflow.")
    Signed-off-by: Sasha Levin <[email protected]>

mptcp: fix TCP options overflow. [+ + +]
Author: Paolo Abeni <[email protected]>
Date:   Sat Dec 21 09:51:46 2024 +0100

    mptcp: fix TCP options overflow.
    
    [ Upstream commit cbb26f7d8451fe56ccac802c6db48d16240feebd ]
    
    Syzbot reported the following splat:
    
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
    CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
    RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline]
    RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552
    Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83
    RSP: 0000:ffffc90003916c90 EFLAGS: 00010202
    RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000
    RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
    RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac
    R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007
    R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000
    FS:  00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     skb_page_unref include/linux/skbuff_ref.h:43 [inline]
     __skb_frag_unref include/linux/skbuff_ref.h:56 [inline]
     skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119
     skb_release_all net/core/skbuff.c:1190 [inline]
     __kfree_skb+0x55/0x70 net/core/skbuff.c:1204
     tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline]
     tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032
     tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805
     tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939
     tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351
     ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205
     ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233
     NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
     NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
     __netif_receive_skb_one_core net/core/dev.c:5672 [inline]
     __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785
     process_backlog+0x662/0x15b0 net/core/dev.c:6117
     __napi_poll+0xcb/0x490 net/core/dev.c:6883
     napi_poll net/core/dev.c:6952 [inline]
     net_rx_action+0x89b/0x1240 net/core/dev.c:7074
     handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
     __do_softirq kernel/softirq.c:595 [inline]
     invoke_softirq kernel/softirq.c:435 [inline]
     __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
     irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
     instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
     sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049
     asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
    RIP: 0033:0x7f34f4519ad5
    Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83
    RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246
    RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5
    RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0
    RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000
    R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4
    R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68
     </TASK>
    
    Eric noted a probable shinfo->nr_frags corruption, which indeed
    occurs.
    
    The root cause is a buggy MPTCP option len computation in some
    circumstances: the ADD_ADDR option should be mutually exclusive
    with DSS since the blamed commit.
    
    Still, mptcp_established_options_add_addr() tries to set the
    relevant info in mptcp_out_options, if the remaining space is
    large enough even when DSS is present.
    
    Since the ADD_ADDR info and the DSS share the same union
    fields, adding the former first corrupts the latter. In the worst-case
    scenario, such corruption increases the DSS binary layout,
    exceeding the computed length and possibly overwriting the
    skb shared info.
    
    Address the issue by enforcing mutual exclusion in
    mptcp_established_options_add_addr(), too.
    
    Cc: [email protected]
    Reported-by: [email protected]
    Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538
    Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
    Signed-off-by: Paolo Abeni <[email protected]>
    Reviewed-by: Matthieu Baerts (NGI0) <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Link: https://patch.msgid.link/025d9df8cde3c9a557befc47e9bc08fbbe3476e5.1734771049.git.pabeni@redhat.com
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
net/mlx5: Add priorities for counters in RDMA namespaces [+ + +]
Author: Aharon Landau <[email protected]>
Date:   Fri Oct 8 15:24:28 2021 +0300

    net/mlx5: Add priorities for counters in RDMA namespaces
    
    [ Upstream commit b8dfed636fc6239396c3a2ae5f812505906cf215 ]
    
    Add additional flow steering priorities in the RDMA namespace.
    This allows adding flow counters to count filtered RDMA traffic and then
    continue processing in the regular RDMA steering flow.
    
    Signed-off-by: Aharon Landau <[email protected]>
    Reviewed-by: Maor Gottlieb <[email protected]>
    Signed-off-by: Mark Zhang <[email protected]>
    Signed-off-by: Leon Romanovsky <[email protected]>
    Stable-dep-of: c08d3e62b2e7 ("net/mlx5: Fix RDMA TX steering prio")
    Signed-off-by: Sasha Levin <[email protected]>

net/mlx5: Fix RDMA TX steering prio [+ + +]
Author: Patrisious Haddad <[email protected]>
Date:   Wed Jan 15 13:39:04 2025 +0200

    net/mlx5: Fix RDMA TX steering prio
    
    [ Upstream commit c08d3e62b2e73e14da318a1d20b52d0486a28ee0 ]
    
    User added steering rules at RDMA_TX were being added to the first prio,
    which is the counters prio.
    Fix that so that they are correctly added to the BYPASS_PRIO instead.
    
    Fixes: 24670b1a3166 ("net/mlx5: Add support for RDMA TX steering")
    Signed-off-by: Patrisious Haddad <[email protected]>
    Reviewed-by: Mark Bloch <[email protected]>
    Reviewed-by: Jacob Keller <[email protected]>
    Signed-off-by: Tariq Toukan <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net/mlx5: Refactor mlx5_get_flow_namespace [+ + +]
Author: Maor Gottlieb <[email protected]>
Date:   Wed Dec 1 11:36:19 2021 -0800

    net/mlx5: Refactor mlx5_get_flow_namespace
    
    [ Upstream commit 4588fed7beae6d54ef4c67c77fc39364f8fc42af ]
    
    Have all the namespace type check in the same switch case.
    
    Signed-off-by: Maor Gottlieb <[email protected]>
    Reviewed-by: Mark Bloch <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Reviewed-by: Leon Romanovsky <[email protected]>
    Signed-off-by: Saeed Mahameed <[email protected]>
    Stable-dep-of: c08d3e62b2e7 ("net/mlx5: Fix RDMA TX steering prio")
    Signed-off-by: Sasha Levin <[email protected]>

 
net: 802: LLC+SNAP OID:PID lookup on start of skb data [+ + +]
Author: Antonio Pastor <[email protected]>
Date:   Thu Jan 2 20:23:00 2025 -0500

    net: 802: LLC+SNAP OID:PID lookup on start of skb data
    
    [ Upstream commit 1e9b0e1c550c42c13c111d1a31e822057232abc4 ]
    
    802.2+LLC+SNAP frames received by napi_complete_done() with GRO and DSA
    have skb->transport_header set two bytes short, or pointing 2 bytes
    before network_header & skb->data. This was an issue as snap_rcv()
    expected the offset to point to the SNAP header (OID:PID), causing the
    packet to be dropped.
    
    A fix at llc_fixup_skb() (a024e377efed) resets transport_header for any
    LLC consumers that may care about it, and stops SNAP packets from being
    dropped, but doesn't fix the problem which is that LLC and SNAP should
    not use transport_header offset.
    
    This patch eliminates the use of transport_header offset for SNAP lookup
    of OID:PID so that SNAP does not rely on the offset at all.
    The offset is reset after pull for any SNAP packet consumers that may
    (but shouldn't) use it.
    
    Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()")
    Signed-off-by: Antonio Pastor <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: add exit_batch_rtnl() method [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Tue Feb 6 14:42:57 2024 +0000

    net: add exit_batch_rtnl() method
    
    [ Upstream commit fd4f101edbd9f99567ab2adb1f2169579ede7c13 ]
    
    Many (struct pernet_operations)->exit_batch() methods have
    to acquire rtnl.
    
    In the presence of rtnl mutex pressure, this makes cleanup_net()
    very slow.
    
    This patch adds a new exit_batch_rtnl() method to reduce the
    number of rtnl acquisitions from cleanup_net().
    
    exit_batch_rtnl() handlers are called while rtnl is locked,
    and devices to be killed can be queued in a list provided
    as their second argument.
    
    A single unregister_netdevice_many() is called right
    before rtnl is released.
    
    exit_batch_rtnl() handlers are called before ->exit() and
    ->exit_batch() handlers.
    
    Signed-off-by: Eric Dumazet <[email protected]>
    Reviewed-by: Antoine Tenart <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Stable-dep-of: 46841c7053e6 ("gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().")
    Signed-off-by: Sasha Levin <[email protected]>

net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() [+ + +]
Author: Sudheer Kumar Doredla <[email protected]>
Date:   Wed Jan 8 22:54:33 2025 +0530

    net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()
    
    [ Upstream commit 03d120f27d050336f7e7d21879891542c4741f81 ]
    
    CPSW ALE has 75-bit ALE entries stored across three 32-bit words.
    The cpsw_ale_get_field() and cpsw_ale_set_field() functions support
    ALE field entries spanning up to two words at the most.
    
    The cpsw_ale_get_field() and cpsw_ale_set_field() functions work as
    expected when an ALE field spans word1 and word2, but fail when an
    ALE field spans word2 and word3.
    
    For example, while reading an ALE field spanning word2 and word3
    (i.e. bits 62 to 64), the word3 data is shifted to an incorrect position
    because the index becomes zero while flipping.
    The same issue occurs when setting an ALE entry.
    
    This issue has not been seen in practice but will be an issue in the future
    if the driver supports accessing ALE fields spanning word2 and word3.
    
    Fix the methods to handle getting/setting fields spanning up to two words.
    
    Fixes: b685f1a58956 ("net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field()")
    Signed-off-by: Sudheer Kumar Doredla <[email protected]>
    Reviewed-by: Simon Horman <[email protected]>
    Reviewed-by: Roger Quadros <[email protected]>
    Reviewed-by: Siddharth Vadapalli <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: ethernet: xgbe: re-add aneg to supported features in PHY quirks [+ + +]
Author: Heiner Kallweit <[email protected]>
Date:   Sun Jan 12 22:59:59 2025 +0100

    net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
    
    commit 6be7aca91009865d8c2b73589270224a6b6e67ab upstream.
    
    In 4.19, before the switch to linkmode bitmaps, PHY_GBIT_FEATURES
    included feature bits for aneg and TP/MII ports.
    
     #define PHY_DEFAULT_FEATURES (SUPPORTED_Autoneg | \
                                   SUPPORTED_TP | \
                                   SUPPORTED_MII)
    
     #define PHY_10BT_FEATURES    (SUPPORTED_10baseT_Half | \
                                   SUPPORTED_10baseT_Full)
    
     #define PHY_100BT_FEATURES   (SUPPORTED_100baseT_Half | \
                                   SUPPORTED_100baseT_Full)
    
     #define PHY_1000BT_FEATURES  (SUPPORTED_1000baseT_Half | \
                                   SUPPORTED_1000baseT_Full)
    
     #define PHY_BASIC_FEATURES   (PHY_10BT_FEATURES | \
                                   PHY_100BT_FEATURES | \
                                   PHY_DEFAULT_FEATURES)
    
     #define PHY_GBIT_FEATURES    (PHY_BASIC_FEATURES | \
                                   PHY_1000BT_FEATURES)
    
    Referenced commit expanded PHY_GBIT_FEATURES, silently removing
    PHY_DEFAULT_FEATURES. The removed part can be re-added by using
    the new PHY_GBIT_FEATURES definition.
    Not clear to me is why nobody seems to have noticed this issue.
    
    I stumbled across this when checking what it takes to make
    phy_10_100_features_array et al private to phylib.
    
    Fixes: d0939c26c53a ("net: ethernet: xgbe: expand PHY_GBIT_FEAUTRES")
    Cc: [email protected]
    Signed-off-by: Heiner Kallweit <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

net: fix data-races around sk->sk_forward_alloc [+ + +]
Author: Wang Liang <[email protected]>
Date:   Thu Nov 7 10:34:05 2024 +0800

    net: fix data-races around sk->sk_forward_alloc
    
    commit 073d89808c065ac4c672c0a613a71b27a80691cb upstream.
    
    Syzkaller reported this warning:
     ------------[ cut here ]------------
     WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0
     Modules linked in:
     CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
     RIP: 0010:inet_sock_destruct+0x1c5/0x1e0
     Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00
     RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206
     RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007
     RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00
     RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007
     R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00
     R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78
     FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0
     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
     DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
     Call Trace:
      <TASK>
      ? __warn+0x88/0x130
      ? inet_sock_destruct+0x1c5/0x1e0
      ? report_bug+0x18e/0x1a0
      ? handle_bug+0x53/0x90
      ? exc_invalid_op+0x18/0x70
      ? asm_exc_invalid_op+0x1a/0x20
      ? inet_sock_destruct+0x1c5/0x1e0
      __sk_destruct+0x2a/0x200
      rcu_do_batch+0x1aa/0x530
      ? rcu_do_batch+0x13b/0x530
      rcu_core+0x159/0x2f0
      handle_softirqs+0xd3/0x2b0
      ? __pfx_smpboot_thread_fn+0x10/0x10
      run_ksoftirqd+0x25/0x30
      smpboot_thread_fn+0xdd/0x1d0
      kthread+0xd3/0x100
      ? __pfx_kthread+0x10/0x10
      ret_from_fork+0x34/0x50
      ? __pfx_kthread+0x10/0x10
      ret_from_fork_asm+0x1a/0x30
      </TASK>
     ---[ end trace 0000000000000000 ]---
    
    It's possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()
    concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked,
    which triggers a data-race around sk->sk_forward_alloc:
    tcp_v6_rcv
        tcp_v6_do_rcv
            skb_clone_and_charge_r
                sk_rmem_schedule
                    __sk_mem_schedule
                        sk_forward_alloc_add()
                skb_set_owner_r
                    sk_mem_charge
                        sk_forward_alloc_add()
            __kfree_skb
                skb_release_all
                    skb_release_head_state
                        sock_rfree
                            sk_mem_uncharge
                                sk_forward_alloc_add()
                                sk_mem_reclaim
                                    // set local var reclaimable
                                    __sk_mem_reclaim
                                        sk_forward_alloc_add()
    
    In this syzkaller testcase, two threads call
    tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like
    this:
     (cpu 1)             | (cpu 2)             | sk_forward_alloc
     ...                 | ...                 | 0
     __sk_mem_schedule() |                     | +4096 = 4096
                         | __sk_mem_schedule() | +4096 = 8192
     sk_mem_charge()     |                     | -768  = 7424
                         | sk_mem_charge()     | -768  = 6656
     ...                 |    ...              |
     sk_mem_uncharge()   |                     | +768  = 7424
     reclaimable=7424    |                     |
                         | sk_mem_uncharge()   | +768  = 8192
                         | reclaimable=8192    |
     __sk_mem_reclaim()  |                     | -4096 = 4096
                         | __sk_mem_reclaim()  | -8192 = -4096 != 0
    
    The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when
    sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().
    Fix the same issue in dccp_v6_do_rcv().
    
    Suggested-by: Eric Dumazet <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets")
    Signed-off-by: Wang Liang <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Alva Lan <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

net: xilinx: axienet: Fix IRQ coalescing packet count overflow [+ + +]
Author: Sean Anderson <[email protected]>
Date:   Mon Jan 13 11:30:00 2025 -0500

    net: xilinx: axienet: Fix IRQ coalescing packet count overflow
    
    [ Upstream commit c17ff476f53afb30f90bb3c2af77de069c81a622 ]
    
    If coalesce_count is greater than 255 it will not fit in the register and
    will overflow. This can be reproduced by running
    
        # ethtool -C ethX rx-frames 256
    
    which will result in a timeout of 0us instead. Fix this by checking for
    invalid values and reporting an error.
    
    Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
    Signed-off-by: Sean Anderson <[email protected]>
    Reviewed-by: Shannon Nelson <[email protected]>
    Reviewed-by: Radhey Shyam Pandey <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Fri Jan 3 10:45:46 2025 +0000

    net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
    
    [ Upstream commit a039e54397c6a75b713b9ce7894a62e06956aa92 ]
    
    syzbot found that TCA_FLOW_RSHIFT attribute was not validated.
    Right shifting a 32bit integer is undefined for large shift values.
    
    UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23
    shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int')
    CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
    Workqueue: ipv6_addrconf addrconf_dad_work
    Call Trace:
     <TASK>
      __dump_stack lib/dump_stack.c:94 [inline]
      dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
      ubsan_epilogue lib/ubsan.c:231 [inline]
      __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
      flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329
      tc_classify include/net/tc_wrapper.h:197 [inline]
      __tcf_classify net/sched/cls_api.c:1771 [inline]
      tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867
      sfb_classify net/sched/sch_sfb.c:260 [inline]
      sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318
      dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793
      __dev_xmit_skb net/core/dev.c:3889 [inline]
      __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400
      dev_queue_xmit include/linux/netdevice.h:3168 [inline]
      neigh_hh_output include/net/neighbour.h:523 [inline]
      neigh_output include/net/neighbour.h:537 [inline]
      ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
      iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
      udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173
      geneve_xmit_skb drivers/net/geneve.c:916 [inline]
      geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039
      __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
      netdev_start_xmit include/linux/netdevice.h:5011 [inline]
      xmit_one net/core/dev.c:3590 [inline]
      dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606
      __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434
    
    Fixes: e5dfb815181f ("[NET_SCHED]: Add flow classifier")
    Reported-by: [email protected]
    Closes: https://lore.kernel.org/netdev/[email protected]/T/#u
    Signed-off-by: Eric Dumazet <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
netfilter: conntrack: clamp maximum hashtable size to INT_MAX [+ + +]
Author: Pablo Neira Ayuso <[email protected]>
Date:   Wed Jan 8 22:56:33 2025 +0100

    netfilter: conntrack: clamp maximum hashtable size to INT_MAX
    
    [ Upstream commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13 ]
    
    Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it
    is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when
    resizing hashtable because __GFP_NOWARN is unset. See:
    
      0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls")
    
    Note: hashtable resize is only possible from init_netns.
    
    Fixes: 9cc1c73ad666 ("netfilter: conntrack: avoid integer overflow when resizing")
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

netfilter: nf_tables: imbalance in flowtable binding [+ + +]
Author: Pablo Neira Ayuso <[email protected]>
Date:   Thu Jan 2 13:01:13 2025 +0100

    netfilter: nf_tables: imbalance in flowtable binding
    
    [ Upstream commit 13210fc63f353fe78584048079343413a3cdf819 ]
    
    All these cases cause imbalance between BIND and UNBIND calls:
    
    - Delete an interface from a flowtable with multiple interfaces
    
    - Add a (device to a) flowtable with --check flag
    
    - Delete a netns containing a flowtable
    
    - In an interactive nft session, create a table with owner flag and
      flowtable inside, then quit.
    
    Fix it by calling FLOW_BLOCK_UNBIND when unregistering hooks, then
    remove late FLOW_BLOCK_UNBIND call when destroying flowtable.
    
    Fixes: ff4bf2f42a40 ("netfilter: nf_tables: add nft_unregister_flowtable_hook()")
    Reported-by: Phil Sutter <[email protected]>
    Tested-by: Phil Sutter <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
nfp: bpf: prevent integer overflow in nfp_bpf_event_output() [+ + +]
Author: Dan Carpenter <[email protected]>
Date:   Mon Jan 13 09:18:39 2025 +0300

    nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
    
    [ Upstream commit 16ebb6f5b6295c9688749862a39a4889c56227f8 ]
    
    The "sizeof(struct cmsg_bpf_event) + pkt_size + data_size" math could
    potentially have an integer wrapping bug on 32bit systems.  Check for
    this and return an error.
    
    Fixes: 9816dd35ecec ("nfp: bpf: perf event output helpers support")
    Signed-off-by: Dan Carpenter <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
nfsd: add list_head nf_gc to struct nfsd_file [+ + +]
Author: Youzhong Yang <[email protected]>
Date:   Wed Jul 10 10:40:35 2024 -0400

    nfsd: add list_head nf_gc to struct nfsd_file
    
    commit 8e6e2ffa6569a205f1805cbaeca143b556581da6 upstream.
    
    nfsd_file_put() in one thread can race with another thread doing
    garbage collection (running nfsd_file_gc() -> list_lru_walk() ->
    nfsd_file_lru_cb()):
    
      * In nfsd_file_put(), nf->nf_ref is 1, so it tries to do nfsd_file_lru_add().
      * nfsd_file_lru_add() returns true (with NFSD_FILE_REFERENCED bit set)
      * garbage collector kicks in, nfsd_file_lru_cb() clears REFERENCED bit and
        returns LRU_ROTATE.
      * garbage collector kicks in again, nfsd_file_lru_cb() now decrements nf->nf_ref
        to 0, runs nfsd_file_unhash(), removes it from the LRU and adds to the dispose
        list [list_lru_isolate_move(lru, &nf->nf_lru, head)]
      * nfsd_file_put() detects NFSD_FILE_HASHED bit is cleared, so it tries to remove
        the 'nf' from the LRU [if (!nfsd_file_lru_remove(nf))]. The 'nf' has been added
        to the 'dispose' list by nfsd_file_lru_cb(), so nfsd_file_lru_remove(nf) simply
        treats it as part of the LRU and removes it, which leads to its removal from
        the 'dispose' list.
      * At this moment, 'nf' is unhashed with its nf_ref being 0, and not on the LRU.
        nfsd_file_put() continues its execution [if (refcount_dec_and_test(&nf->nf_ref))],
        as nf->nf_ref is already 0, nf->nf_ref is set to REFCOUNT_SATURATED, and the 'nf'
        gets no chance of being freed.
    
    nfsd_file_put() can also race with nfsd_file_cond_queue():
      * In nfsd_file_put(), nf->nf_ref is 1, so it tries to do nfsd_file_lru_add().
      * nfsd_file_lru_add() sets REFERENCED bit and returns true.
      * Some userland application runs 'exportfs -f' or something like that, which triggers
        __nfsd_file_cache_purge() -> nfsd_file_cond_queue().
      * In nfsd_file_cond_queue(), it runs [if (!nfsd_file_unhash(nf))], unhash is done
        successfully.
      * nfsd_file_cond_queue() runs [if (!nfsd_file_get(nf))], now nf->nf_ref goes to 2.
      * nfsd_file_cond_queue() runs [if (nfsd_file_lru_remove(nf))], it succeeds.
      * nfsd_file_cond_queue() runs [if (refcount_sub_and_test(decrement, &nf->nf_ref))]
        (with "decrement" being 2), so the nf->nf_ref goes to 0, the 'nf' is added to the
        dispose list [list_add(&nf->nf_lru, dispose)]
      * nfsd_file_put() detects NFSD_FILE_HASHED bit is cleared, so it tries to remove
        the 'nf' from the LRU [if (!nfsd_file_lru_remove(nf))], although the 'nf' is not
        in the LRU, but it is linked in the 'dispose' list, nfsd_file_lru_remove() simply
        treats it as part of the LRU and removes it. This leads to its removal from
        the 'dispose' list!
      * Now nf->ref is 0, unhashed. nfsd_file_put() continues its execution and sets
        nf->nf_ref to REFCOUNT_SATURATED.
    
    As shown in the above analysis, using nf_lru for both the LRU list and dispose list
    can cause the leaks. This patch adds a new list_head nf_gc in struct nfsd_file, and uses
    it for the dispose list. This does not fix the nfsd_file leaking issue completely.
    
    Signed-off-by: Youzhong Yang <[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Signed-off-by: Chuck Lever <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nvmet: propagate npwg topology [+ + +]
Author: Luis Chamberlain <[email protected]>
Date:   Tue Dec 17 18:33:25 2024 -0800

    nvmet: propagate npwg topology
    
    [ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ]
    
    Ensure we propagate npwg to the target as well instead
    of assuming it's the same logical blocks per physical block.
    
    This ensures that the information of devices with large IUs is
    properly propagated to the target.
    
    Signed-off-by: Luis Chamberlain <[email protected]>
    Reviewed-by: Sagi Grimberg <[email protected]>
    Signed-off-by: Keith Busch <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ocfs2: correct return value of ocfs2_local_free_info() [+ + +]
Author: Joseph Qi <[email protected]>
Date:   Sun May 28 21:20:32 2023 +0800

    ocfs2: correct return value of ocfs2_local_free_info()
    
    [ Upstream commit d32840ad4a111c6abd651fbf6b5996e6123913da ]
    
    Now in ocfs2_local_free_info(), it returns 0 even if it actually fails.
    Though it doesn't cause any real problem since the only caller
    dquot_disable() ignores the return value, we'd better return the correct
    value.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Joseph Qi <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Junxiao Bi <[email protected]>
    Cc: Joseph Qi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Gang He <[email protected]>
    Cc: Jun Piao <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Stable-dep-of: 5f3fd772d152 ("ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv")
    Signed-off-by: Sasha Levin <[email protected]>

ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv [+ + +]
Author: Dennis Lam <[email protected]>
Date:   Tue Dec 17 21:39:25 2024 -0500

    ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
    
    [ Upstream commit 5f3fd772d152229d94602bca243fbb658068a597 ]
    
    When mounting ocfs2 and then remounting it as read-only, a
    slab-use-after-free occurs after the user uses a syscall to
    quota_getnextquota.  Specifically, sb_dqinfo(sb, type)->dqi_priv is the
    dangling pointer.
    
    During the remounting process, the pointer dqi_priv is freed but is never
    set to NULL, leaving it to be accessed.  Additionally, the read-only option
    for remounting sets the DQUOT_SUSPENDED flag instead of setting the
    DQUOT_USAGE_ENABLED flags.  Moreover, later in the process of getting the
    next quota, the function ocfs2_get_next_id is called and only checks the
    quota usage flags and not the quota suspended flags.
    
    To fix this, I set dqi_priv to null when it is freed after remounting with
    read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.
    
    [[email protected]: coding-style cleanups]
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas")
    Signed-off-by: Dennis Lam <[email protected]>
    Reported-by: [email protected]
    Tested-by: [email protected]
    Closes: https://lore.kernel.org/all/[email protected]/T/
    Reviewed-by: Joseph Qi <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Junxiao Bi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Jun Piao <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
of/address: Add support for 3 address cell bus [+ + +]
Author: Rob Herring <[email protected]>
Date:   Tue Mar 28 15:15:58 2023 -0500

    of/address: Add support for 3 address cell bus
    
    [ Upstream commit 3d5089c4263d3594dc055e0f9c5cb990505cdd64 ]
    
    There are a few custom bus bindings (e.g. fsl,qoriq-mc) which use a
    3 cell format with custom flags in the high cell. We can match these
    buses as a fallback if we didn't match on a PCI bus, which is the only
    standard bus binding with 3 address cells.
    
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Rob Herring <[email protected]>
    Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
    Signed-off-by: Sasha Levin <[email protected]>

 
of: address: Fix address translation when address-size is greater than 2 [+ + +]
Author: Herve Codina <[email protected]>
Date:   Tue Oct 17 13:02:16 2023 +0200

    of: address: Fix address translation when address-size is greater than 2
    
    [ Upstream commit 42604f8eb7ba04b589375049cc76282dad4677d2 ]
    
    With the recent addition of of_pci_prop_ranges() in commit 407d1a51921e
    ("PCI: Create device tree node for bridge"), the ranges property can
    have a 3 cells child address, a 3 cells parent address and a 2 cells
    child size.
    
    A range item property for a PCI device is filled as follows:
      <BAR_nbr> 0 0 <phys.hi> <phys.mid> <phys.low> <BAR_sizeh> <BAR_sizel>
      <-- Child --> <-- Parent (PCI definition) --> <- BAR size (64bit) -->
    
    This allows translating BAR addresses from the DT. For instance:
    pci@0,0 {
      #address-cells = <0x03>;
      #size-cells = <0x02>;
      device_type = "pci";
      compatible = "pci11ab,100", "pciclass,060400", "pciclass,0604";
      ranges = <0x82000000 0x00 0xe8000000
                0x82000000 0x00 0xe8000000
                0x00 0x4400000>;
      ...
      dev@0,0 {
        #address-cells = <0x03>;
        #size-cells = <0x02>;
        compatible = "pci1055,9660", "pciclass,020000", "pciclass,0200";
        /* Translations for BAR0 to BAR5 */
        ranges = <0x00 0x00 0x00 0x82010000 0x00 0xe8000000 0x00 0x2000000
                  0x01 0x00 0x00 0x82010000 0x00 0xea000000 0x00 0x1000000
                  0x02 0x00 0x00 0x82010000 0x00 0xeb000000 0x00 0x800000
                  0x03 0x00 0x00 0x82010000 0x00 0xeb800000 0x00 0x800000
                  0x04 0x00 0x00 0x82010000 0x00 0xec000000 0x00 0x20000
                  0x05 0x00 0x00 0x82010000 0x00 0xec020000 0x00 0x2000>;
        ...
        pci-ep-bus@0 {
          #address-cells = <0x01>;
          #size-cells = <0x01>;
          compatible = "simple-bus";
          /* Translate 0xe2000000 to BAR0 and 0xe0000000 to BAR1 */
          ranges = <0xe2000000 0x00 0x00 0x00 0x2000000
                    0xe0000000 0x01 0x00 0x00 0x1000000>;
          ...
        };
      };
    };
    
    During the translation process, the "default-flags" map() function is
    used to select the matching item in the ranges table and determine the
    address offset from this matching item.
    This map() function simply calls of_read_number() and when address-size
    is greater than 2, the map() function skips the extra high address part
    (i.e. the part over 64bit). This leads to a wrong matching item and a wrong
    offset computation.
    Also during the translation itself, the extra high part related to the
    parent address is not present in the translated address.
    
    Fix the "default-flags" map() and translate() in order to take into
    account the child extra high address part in map() and the parent extra
    high address part in translate(), so as to have a correct address
    translation for ranges patterns such as the one given in the example
    above.
    
    Signed-off-by: Herve Codina <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Rob Herring <[email protected]>
    Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
    Signed-off-by: Sasha Levin <[email protected]>
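An added illustration, not code from the patch or from drivers/of/address.c: a userspace C model of the "default-flags" map() and translate() steps, run over the dev@0,0 BAR ranges quoted in the message above, showing the wrong match and the dropped parent cell beside the corrected behaviour. The names translate_buggy, translate_fixed and low64 are this example's own.

```c
/*
 * Illustrative model (not drivers/of/address.c itself) of the
 * "default-flags" bus map() and translate() steps for a node with
 * #address-cells = 3 and #size-cells = 2, using the dev@0,0 BAR ranges
 * from the commit message above. An address is an array of 32-bit cells,
 * most significant first: cell[0] is the "extra high" part (the BAR
 * number here) and cell[1..2] form a 64-bit offset.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NA 3			/* #address-cells of child and parent */
#define NS 2			/* #size-cells */
#define CELLS_PER_RANGE (NA + NA + NS)
#define HIGH_BYTES ((NA - 2) * sizeof(uint32_t))

/* Read the low 64 bits (the last two cells); any cell above those is what the old map() lost. */
static uint64_t low64(const uint32_t *addr, int ncells)
{
	uint64_t r = 0;
	for (int i = ncells > 2 ? ncells - 2 : 0; i < ncells; i++)
		r = (r << 32) | addr[i];
	return r;
}

/* Constructed copy of the dev@0,0 "ranges" table from the commit message:
 * <BAR 0 0> <0x82010000 hi lo> <size_hi size_lo> */
static const uint32_t dev_ranges[][CELLS_PER_RANGE] = {
	{ 0x00, 0, 0, 0x82010000, 0, 0xe8000000, 0, 0x2000000 },
	{ 0x01, 0, 0, 0x82010000, 0, 0xea000000, 0, 0x1000000 },
	{ 0x02, 0, 0, 0x82010000, 0, 0xeb000000, 0, 0x800000 },
	{ 0x03, 0, 0, 0x82010000, 0, 0xeb800000, 0, 0x800000 },
	{ 0x04, 0, 0, 0x82010000, 0, 0xec000000, 0, 0x20000 },
	{ 0x05, 0, 0, 0x82010000, 0, 0xec020000, 0, 0x2000 },
};
#define NUM_RANGES (sizeof(dev_ranges) / sizeof(dev_ranges[0]))

/* Translate a 3-cell child address through dev_ranges into the parent space.
 * check_high: compare the child's extra-high cell when selecting an entry.
 * keep_high:  copy the parent's extra-high cell into the result.
 * Both false models the pre-fix behaviour, both true the fix.
 * Returns true and fills out[NA] on a match. */
static bool translate(const uint32_t *child, uint32_t *out,
		      bool check_high, bool keep_high)
{
	uint64_t caddr = low64(child, NA);
	for (size_t i = 0; i < NUM_RANGES; i++) {
		const uint32_t *rchild = dev_ranges[i];
		const uint32_t *rparent = rchild + NA;
		uint64_t rstart = low64(rchild, NA);
		uint64_t size = low64(rchild + 2 * NA, NS);
		uint64_t paddr;

		/* map(): pick the entry whose child window contains caddr */
		if (check_high && memcmp(child, rchild, HIGH_BYTES) != 0)
			continue;
		if (caddr < rstart || caddr - rstart >= size)
			continue;

		/* translate(): parent base plus the offset inside the window */
		paddr = low64(rparent, NA) + (caddr - rstart);
		memset(out, 0, NA * sizeof(uint32_t));
		if (keep_high)
			memcpy(out, rparent, HIGH_BYTES);
		out[NA - 2] = (uint32_t)(paddr >> 32);
		out[NA - 1] = (uint32_t)paddr;
		return true;
	}
	return false;
}

/* Pre-fix: the BAR cell is ignored, so every BAR looks like BAR0's window
 * and the parent's 0x82010000 cell is dropped from the result. */
bool translate_buggy(const uint32_t *child, uint32_t *out)
{
	return translate(child, out, false, false);
}

/* Post-fix: the BAR cell selects the entry and the parent's cell survives. */
bool translate_fixed(const uint32_t *child, uint32_t *out)
{
	return translate(child, out, true, true);
}

int main(void)
{
	/* BAR1 + 0x10000, i.e. what pci-ep-bus address 0xe0010000 maps to */
	const uint32_t bar1_plus[NA] = { 0x01, 0x00, 0x10000 };
	uint32_t out[NA];
	translate_buggy(bar1_plus, out);
	printf("buggy: <0x%x 0x%x 0x%x>\n", out[0], out[1], out[2]);
	translate_fixed(bar1_plus, out);
	printf("fixed: <0x%x 0x%x 0x%x>\n", out[0], out[1], out[2]);
	return 0;
}
```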

of: address: Preserve the flags portion on 1:1 dma-ranges mapping [+ + +]
Author: Andrea della Porta <[email protected]>
Date:   Sun Nov 24 11:05:37 2024 +0100

    of: address: Preserve the flags portion on 1:1 dma-ranges mapping
    
    [ Upstream commit 7f05e20b989ac33c9c0f8c2028ec0a566493548f ]
    
    A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma
    translations. In this specific case, the current behaviour is to zero out
    the entire specifier so that the translation could be carried on as an
    offset from zero. This includes address specifiers that have flags (e.g.
    PCI ranges).
    
    Once the flags portion has been zeroed, the translation chain is broken
    since the mapping functions will check the upcoming address specifier
    against mismatching flags, always failing the 1:1 mapping and its entire
    purpose of always succeeding.
    
    Set to zero only the address portion while passing the flags through.
    
    Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code")
    Cc: [email protected]
    Signed-off-by: Andrea della Porta <[email protected]>
    Tested-by: Herve Codina <[email protected]>
    Link: https://lore.kernel.org/r/e51ae57874e58a9b349c35e2e877425ebc075d7a.1732441813.git.andrea.porta@suse.com
    Signed-off-by: Rob Herring (Arm) <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

of: address: Remove duplicated functions [+ + +]
Author: Herve Codina <[email protected]>
Date:   Tue Oct 17 13:02:17 2023 +0200

    of: address: Remove duplicated functions
    
    [ Upstream commit 3eb030c60835668997d5763b1a0c7938faf169f6 ]
    
    The recently added of_bus_default_flags_translate() performs the exact
    same operation as of_bus_pci_translate() and of_bus_isa_translate().
    
    Avoid duplicated code by replacing both of_bus_pci_translate() and
    of_bus_isa_translate() with of_bus_default_flags_translate().
    
    Signed-off-by: Herve Codina <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Rob Herring <[email protected]>
    Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
    Signed-off-by: Sasha Levin <[email protected]>

of: address: Store number of bus flag cells rather than bool [+ + +]
Author: Rob Herring <[email protected]>
Date:   Thu Oct 26 08:53:58 2023 -0500

    of: address: Store number of bus flag cells rather than bool
    
    [ Upstream commit 88696db08b7efa3b6bb722014ea7429e78f6be32 ]
    
    It is more useful to know how many flags cells a bus has rather than
    whether a bus has flags or not as ultimately the number of cells is the
    information used. Replace 'has_flags' boolean with 'flag_cells' count.
    
    Acked-by: Herve Codina <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Rob Herring <[email protected]>
    Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
    Signed-off-by: Sasha Levin <[email protected]>

of: unittest: Add bus address range parsing tests [+ + +]
Author: Rob Herring <[email protected]>
Date:   Tue Mar 28 15:15:56 2023 -0500

    of: unittest: Add bus address range parsing tests
    
    [ Upstream commit 6d32dadb11a6480be62c6ada901bbdcbda1775c9 ]
    
    While there are tests for "dma-ranges" helpers, "ranges" is missing any
    tests. It's the same underlying code, but for completeness add a test
    for "ranges" parsing iterators. This is in preparation to add some
    additional "ranges" helpers.
    
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Rob Herring <[email protected]>
    Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
    Signed-off-by: Sasha Levin <[email protected]>

 
Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals [+ + +]
Author: Ron Economos <[email protected]>
Date:   Sat Jan 18 04:24:09 2025 -0800

    Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals
    
    commit 9734fd7a2777 ("xhci: use pm_ptr() instead of #ifdef for CONFIG_PM
    conditionals") did not quite work properly in the 5.15.y branch where it was
    applied to fix a build error when CONFIG_PM was set as it left the following
    build errors still present:
    
            ERROR: modpost: "xhci_suspend" [drivers/usb/host/xhci-pci.ko] undefined!
            ERROR: modpost: "xhci_resume" [drivers/usb/host/xhci-pci.ko] undefined!
    
    Fix this up by properly placing the #ifdef CONFIG_PM in the xhci-pci.c and
    hcd.h files to handle this correctly.
    
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Ron Economos <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reported-by: Guenter Roeck <[email protected]>
    [ Trimmed the partial revert down to an even smaller bit to only be what
      is required to fix the build error - gregkh]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers [+ + +]
Author: Al Cooper <[email protected]>
Date:   Mon Feb 14 19:24:21 2022 -0800

    phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers
    
    [ Upstream commit ae532b2b7aa5a3dad036aef4e0b177607172d276 ]
    
    Add "wake on" support for the newer Synopsis based XHCI only controller.
    This works on the 72165 and 72164 and newer chips and does not work
    on 7216 based systems. Also switch the USB sysclk to a slower clock
    on suspend to save additional power in S2. The clock switch will only
    save power on the 72165b0 and newer chips and is a nop on older chips.
    
    Signed-off-by: Al Cooper <[email protected]>
    Signed-off-by: Florian Fainelli <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vinod Koul <[email protected]>
    Stable-dep-of: 0a92ea87bdd6 ("phy: usb: Toggle the PHY power during init")
    Signed-off-by: Sasha Levin <[email protected]>

phy: usb: Fix clock imbalance for suspend/resume [+ + +]
Author: Justin Chen <[email protected]>
Date:   Wed Oct 5 14:30:18 2022 -0700

    phy: usb: Fix clock imbalance for suspend/resume
    
    commit 8484199c09347bdd5d81ee8a2bc530850f900797 upstream.
    
    We should be disabling clocks when wake from USB is not needed. Since
    this wasn't done, we had a clock imbalance since clocks were always
    being enabled on resume.
    
    Fixes: ae532b2b7aa5 ("phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers")
    Fixes: b0c0b66c0b43 ("phy: usb: Add support for wake and USB low power mode for 7211 S2/S5")
    Signed-off-by: Justin Chen <[email protected]>
    Acked-by: Florian Fainelli <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vinod Koul <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

phy: usb: Toggle the PHY power during init [+ + +]
Author: Justin Chen <[email protected]>
Date:   Thu Oct 24 14:35:40 2024 -0700

    phy: usb: Toggle the PHY power during init
    
    [ Upstream commit 0a92ea87bdd6f77ca4e17fe19649882cf5209edd ]
    
    When bringing up the PHY, it might be in a bad state if left powered.
    One case is we lose the PLL lock if the PLL is gated while the PHY
    is powered. Toggle the PHY power so we can start from a known state.
    
    Fixes: 4e5b9c9a73b3 ("phy: usb: Add support for new Synopsys USB controller on the 7216")
    Signed-off-by: Justin Chen <[email protected]>
    Acked-by: Florian Fainelli <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vinod Koul <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

phy: usb: Use slow clock for wake enabled suspend [+ + +]
Author: Justin Chen <[email protected]>
Date:   Wed Oct 5 14:30:17 2022 -0700

    phy: usb: Use slow clock for wake enabled suspend
    
    commit 700c44b508020a3ea29d297c677f8d4ab14b7e6a upstream.
    
    The logic was incorrect when switching to slow clock. We want the slow
    clock if wake_enabled is set.
    
    Fixes: ae532b2b7aa5 ("phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers")
    Signed-off-by: Justin Chen <[email protected]>
    Acked-by: Florian Fainelli <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vinod Koul <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
pktgen: Avoid out-of-bounds access in get_imix_entries [+ + +]
Author: Artem Chernyshev <[email protected]>
Date:   Thu Jan 9 11:30:39 2025 +0300

    pktgen: Avoid out-of-bounds access in get_imix_entries
    
    [ Upstream commit 76201b5979768500bca362871db66d77cb4c225e ]
    
    Passing a sufficient amount of imix entries leads to invalid access to the
    pkt_dev->imix_entries array because of the incorrect boundary check.
    
    UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24
    index 20 is out of range for type 'imix_pkt [20]'
    CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
    Call Trace:
    <TASK>
    dump_stack_lvl lib/dump_stack.c:117
    __ubsan_handle_out_of_bounds lib/ubsan.c:429
    get_imix_entries net/core/pktgen.c:874
    pktgen_if_write net/core/pktgen.c:1063
    pde_write fs/proc/inode.c:334
    proc_reg_write fs/proc/inode.c:346
    vfs_write fs/read_write.c:593
    ksys_write fs/read_write.c:644
    do_syscall_64 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: 52a62f8603f9 ("pktgen: Parse internet mix (imix) input")
    Signed-off-by: Artem Chernyshev <[email protected]>
    [ fp: allow to fill the array completely; minor changelog cleanup ]
    Signed-off-by: Fedor Pchelkin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() [+ + +]
Author: Oleg Nesterov <[email protected]>
Date:   Tue Jan 7 17:27:17 2025 +0100

    poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll()
    
    [ Upstream commit cacd9ae4bf801ff4125d8961bb9a3ba955e51680 ]
    
    As the comment above waitqueue_active() explains, it can only be used
    if both waker and waiter have mb()'s that pair with each other. However
    __pollwait() is broken in this respect.
    
    This is not pipe-specific, but let's look at pipe_poll() for example:
    
            poll_wait(...); // -> __pollwait() -> add_wait_queue()
    
            LOAD(pipe->head);
            LOAD(pipe->head);
    
    In theory these LOAD()'s can leak into the critical section inside
    add_wait_queue() and can happen before list_add(entry, wq_head), in this
    case pipe_poll() can race with wakeup_pipe_readers/writers which do
    
            smp_mb();
            if (waitqueue_active(wq_head))
                    wake_up_interruptible(wq_head);
    
    There are more __pollwait()-like functions (grep init_poll_funcptr), and
    it seems that at least ep_ptable_queue_proc() has the same problem, so the
    patch adds smp_mb() into poll_wait().
    
    Link: https://lore.kernel.org/all/[email protected]/
    Signed-off-by: Oleg Nesterov <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Christian Brauner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
Revert "drm/amdgpu: rework resume handling for display (v2)" [+ + +]
Author: Greg Kroah-Hartman <[email protected]>
Date:   Tue Jan 21 14:15:30 2025 +0100

    Revert "drm/amdgpu: rework resume handling for display (v2)"
    
    This reverts commit d897650c5897b3d858ca97ab77d10041e8e34231 which is
    commit 73dae652dcac776296890da215ee7dec357a1032 upstream.
    
    The original patch 73dae652dcac (drm/amdgpu: rework resume handling for
    display (v2)), was only targeted at kernels 6.11 and newer.  It did not
    apply cleanly to 6.12 so I backported it and the backport landed as
    99a02eab8251 ("drm/amdgpu: rework resume handling for display (v2)"),
    however there was a bug in the backport that was subsequently fixed in
    063d380ca28e ("drm/amdgpu: fix backport of commit 73dae652dcac").  None
    of this was intended for kernels older than 6.11, however the original
    backport eventually landed in 6.6, 6.1, and 5.15.
    
    Please revert the change from kernels 6.6, 6.1, and 5.15.
    
    Link: https://lore.kernel.org/r/BL1PR12MB5144D5363FCE6F2FD3502534F7E72@BL1PR12MB5144.namprd12.prod.outlook.com
    Link: https://lore.kernel.org/r/BL1PR12MB51449ADCFBF2314431F8BCFDF7132@BL1PR12MB5144.namprd12.prod.outlook.com
    Reported-by: Salvatore Bonaccorso <[email protected]>
    Reported-by: Christian König <[email protected]>
    Reported-by: Alex Deucher <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" [+ + +]
Author: Pratyush Yadav <[email protected]>
Date:   Wed Jan 15 13:41:56 2025 +0000

    Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data"
    
    [ Upstream commit d15638bf76ad47874ecb5dc386f0945fc0b2a875 ]
    
    This reverts commit 98d1fb94ce75f39febd456d6d3cbbe58b6678795.
    
    The commit uses data nbits instead of addr nbits for dummy phase. This
    causes a regression for all boards where spi-tx-bus-width is smaller
    than spi-rx-bus-width. It is a common pattern for boards to have
    spi-tx-bus-width == 1 and spi-rx-bus-width > 1. The regression causes
    all reads with a dummy phase to become unavailable for such boards,
    leading to a usually slower 0-dummy-cycle read being selected.
    
    Most controllers' supports_op hooks call spi_mem_default_supports_op().
    In spi_mem_default_supports_op(), spi_mem_check_buswidth() is called to
    check if the buswidths for the op can actually be supported by the
    board's wiring. This wiring information comes from (among other things)
    the spi-{tx,rx}-bus-width DT properties. Based on these properties,
    SPI_TX_* or SPI_RX_* flags are set by of_spi_parse_dt().
    spi_mem_check_buswidth() then uses these flags to make the decision
    whether an op can be supported by the board's wiring (in a way,
    indirectly checking against spi-{rx,tx}-bus-width).
    
    Now the tricky bit here is that spi_mem_check_buswidth() does:
    
            if (op->dummy.nbytes &&
                spi_check_buswidth_req(mem, op->dummy.buswidth, true))
                    return false;
    
    The true argument to spi_check_buswidth_req() means the op is treated as
    a TX op. For a board that has say 1-bit TX and 4-bit RX, a 4-bit dummy
    TX is considered as unsupported, and the op gets rejected.
    
    The commit being reverted uses the data buswidth for dummy buswidth. So
    for reads, the RX buswidth gets used for the dummy phase, uncovering
    this issue. In reality, a dummy phase is neither RX nor TX. As the name
    suggests, these are just dummy cycles that send or receive no data, and
    thus don't really need to have any buswidth at all.
    
    Ideally, dummy phases should not be checked against the board's wiring
    capabilities at all, and should only be sanity-checked for having a sane
    buswidth value. Since we are now at rc7 and such a change might
    introduce many unexpected bugs, revert the commit for now. It can be
    sent out later along with the spi_mem_check_buswidth() fix.
    
    Fixes: 98d1fb94ce75 ("mtd: spi-nor: core: replace dummy buswidth from addr to data")
    Reported-by: Alexander Stein <[email protected]>
    Closes: https://lore.kernel.org/linux-mtd/3342163.44csPzL39Z@steina-w/
    Tested-by: Alexander Stein <[email protected]>
    Reviewed-by: Tudor Ambarus <[email protected]>
    Signed-off-by: Pratyush Yadav <[email protected]>
    Signed-off-by: Miquel Raynal <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
Revert "PCI: Use preserve_config in place of pci_flags" [+ + +]
Author: Terry Tritton <[email protected]>
Date:   Fri Jan 17 15:16:25 2025 +0000

    Revert "PCI: Use preserve_config in place of pci_flags"
    
    This reverts commit c1a1393f7844c645389e5f1a3f1f0350e0fb9316 which is
    commit 7246a4520b4bf1494d7d030166a11b5226f6d508 upstream.
    
    This patch causes a regression in cuttlefish/crossvm boot on arm64.
    
    The patch was part of a series that when applied will not cause a regression
    but this patch was backported to the 5.15 branch by itself.
    
    The other patches do not apply cleanly to the 5.15 branch.
    
    Signed-off-by: Terry Tritton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Revert "regmap: detach regmap from dev on regmap_exit" [+ + +]
Author: Greg Kroah-Hartman <[email protected]>
Date:   Tue Jan 21 14:26:25 2025 +0100

    Revert "regmap: detach regmap from dev on regmap_exit"
    
    This reverts commit f373a189817584d0af5f922e91cad40e45f12314 which is
    commit 3061e170381af96d1e66799d34264e6414d428a7 upstream.
    
    It was backported incorrectly, a fixed version will be applied later.
    
    Cc: Cosmin Tanislav <[email protected]>
    Cc: Mark Brown <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reported-by: Tzung-Bi Shih <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
riscv: Fix sleeping in invalid context in die() [+ + +]
Author: Nam Cao <[email protected]>
Date:   Mon Nov 18 10:13:33 2024 +0100

    riscv: Fix sleeping in invalid context in die()
    
    commit 6a97f4118ac07cfdc316433f385dbdc12af5025e upstream.
    
    die() can be called in exception handler, and therefore cannot sleep.
    However, die() takes spinlock_t which can sleep with PREEMPT_RT enabled.
    That causes the following warning:
    
    BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
    in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex
    preempt_count: 110001, expected: 0
    RCU nest depth: 0, expected: 0
    CPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234
    Hardware name: riscv-virtio,qemu (DT)
    Call Trace:
        dump_backtrace+0x1c/0x24
        show_stack+0x2c/0x38
        dump_stack_lvl+0x5a/0x72
        dump_stack+0x14/0x1c
        __might_resched+0x130/0x13a
        rt_spin_lock+0x2a/0x5c
        die+0x24/0x112
        do_trap_insn_illegal+0xa0/0xea
        _new_vmalloc_restore_context_a0+0xcc/0xd8
    Oops - illegal instruction [#1]
    
    Switch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT
    enabled.
    
    Fixes: 76d2a0493a17 ("RISC-V: Init and Halt Code")
    Signed-off-by: Nam Cao <[email protected]>
    Cc: [email protected]
    Reviewed-by: Sebastian Andrzej Siewior <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Palmer Dabbelt <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity [+ + +]
Author: Kuan-Wei Chiu <[email protected]>
Date:   Thu Dec 26 22:03:32 2024 +0800

    scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity
    
    commit 0210d251162f4033350a94a43f95b1c39ec84a90 upstream.
    
    The orc_sort_cmp() function, used with qsort(), previously violated the
    symmetry and transitivity rules required by the C standard.  Specifically,
    when both entries are ORC_TYPE_UNDEFINED, it could result in both a < b
    and b < a, which breaks the required symmetry and transitivity.  This can
    lead to undefined behavior and incorrect sorting results, potentially
    causing memory corruption in glibc implementations [1].
    
    Symmetry: If x < y, then y > x.
    Transitivity: If x < y and y < z, then x < z.
    
    Fix the comparison logic to return 0 when both entries are
    ORC_TYPE_UNDEFINED, ensuring compliance with qsort() requirements.
    
    Link: https://www.qualys.com/2024/01/30/qsort.txt [1]
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 57fa18994285 ("scripts/sorttable: Implement build-time ORC unwind table sorting")
    Fixes: fb799447ae29 ("x86,objtool: Split UNWIND_HINT_EMPTY in two")
    Signed-off-by: Kuan-Wei Chiu <[email protected]>
    Cc: Ching-Chun (Jim) Huang <[email protected]>
    Cc: <[email protected]>
    Cc: Ingo Molnar <[email protected]>
    Cc: Josh Poimboeuf <[email protected]>
    Cc: Peter Zijlstra <[email protected]>
    Cc: Shile Zhang <[email protected]>
    Cc: Steven Rostedt <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Kuan-Wei Chiu <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
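An added example, not the kernel's scripts/sorttable.c: the two comparator shapes described above, beside a brute-force checker of the symmetry and transitivity properties qsort() requires. The ORC_TYPE_* values, the orc_row struct and the sample table are constructed for the demo.

```c
/*
 * Illustrative reproduction (not scripts/sorttable.c itself) of the
 * comparator defect described above, beside a corrected version, plus a
 * brute-force checker for the ordering contract qsort() relies on.
 * ORC_TYPE_* values and the table contents are constructed for the demo.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { ORC_TYPE_UNDEFINED = 0, ORC_TYPE_CALL = 1 };

struct orc_row {
	unsigned long ip;	/* instruction address this entry covers */
	int type;		/* ORC_TYPE_UNDEFINED marks a "weak" terminator */
};

/* Order by ip first; 2 is a sentinel meaning "ips tie". */
static int cmp_ip(const struct orc_row *a, const struct orc_row *b)
{
	if (a->ip > b->ip)
		return 1;
	return a->ip < b->ip ? -1 : 2;
}

/* Pre-fix shape: terminators sort first, but two terminators at the same
 * ip are each reported as "less than" the other (a < b and b < a). */
static int orc_sort_cmp_old(const void *_a, const void *_b)
{
	const struct orc_row *a = _a, *b = _b;
	int r = cmp_ip(a, b);
	if (r != 2)
		return r;
	return a->type == ORC_TYPE_UNDEFINED ? -1 : 1;
}

/* Post-fix shape: two terminators at the same ip compare equal. The demo
 * also returns 0 for two real entries at one ip so that cmp(x, x) == 0
 * holds for every row and the reflexivity check below is meaningful. */
static int orc_sort_cmp_new(const void *_a, const void *_b)
{
	const struct orc_row *a = _a, *b = _b;
	int r = cmp_ip(a, b);
	if (r != 2)
		return r;
	if (a->type == ORC_TYPE_UNDEFINED && b->type == ORC_TYPE_UNDEFINED)
		return 0;
	if (a->type == ORC_TYPE_UNDEFINED)
		return -1;
	return b->type == ORC_TYPE_UNDEFINED ? 1 : 0;
}

static int sgn(int v)
{
	return (v > 0) - (v < 0);
}

/* Exhaustively check the qsort() contract over a table:
 *   symmetry:     sgn(cmp(x, y)) == -sgn(cmp(y, x)), hence cmp(x, x) == 0;
 *   transitivity: x <= y and y <= z with one strict implies x < z, and
 *                 x == y and y == z implies x == z. */
bool comparator_is_consistent(int (*cmp)(const void *, const void *),
			      const struct orc_row *t, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		for (size_t j = 0; j < n; j++) {
			int xy = sgn(cmp(&t[i], &t[j]));
			if (xy != -sgn(cmp(&t[j], &t[i])))
				return false;
			for (size_t k = 0; k < n; k++) {
				int yz = sgn(cmp(&t[j], &t[k]));
				int xz = sgn(cmp(&t[i], &t[k]));
				if (xy == 0 && yz == 0 && xz != 0)
					return false;
				if (xy <= 0 && yz <= 0 && (xy || yz) && xz >= 0)
					return false;
			}
		}
	}
	return true;
}

/* Constructed table: two terminators share an ip with one real entry. */
const struct orc_row sample[] = {
	{ 0x2000, ORC_TYPE_CALL },
	{ 0x1000, ORC_TYPE_UNDEFINED },
	{ 0x1000, ORC_TYPE_CALL },
	{ 0x1000, ORC_TYPE_UNDEFINED },
};
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

int main(void)
{
	printf("old comparator consistent: %d\n",
	       comparator_is_consistent(orc_sort_cmp_old, sample, SAMPLE_N));
	printf("new comparator consistent: %d\n",
	       comparator_is_consistent(orc_sort_cmp_new, sample, SAMPLE_N));
	return 0;
}
```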

 
scsi: sg: Fix slab-use-after-free read in sg_release() [+ + +]
Author: Suraj Sonawane <[email protected]>
Date:   Wed Nov 20 18:29:44 2024 +0530

    scsi: sg: Fix slab-use-after-free read in sg_release()
    
    commit f10593ad9bc36921f623361c9e3dd96bd52d85ee upstream.
    
    Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN:
    
    BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30
    kernel/locking/lockdep.c:5838
    __mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912
    sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407
    
    In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is
    called before releasing the open_rel_lock mutex. The kref_put() call may
    decrement the reference count of sfp to zero, triggering its cleanup
    through sg_remove_sfp(). This cleanup includes scheduling deferred work
    via sg_remove_sfp_usercontext(), which ultimately frees sfp.
    
    After kref_put(), sg_release() continues to unlock open_rel_lock and may
    reference sfp or sdp. If sfp has already been freed, this results in a
    slab-use-after-free error.
    
    Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the
    open_rel_lock mutex. This ensures:
    
     - No references to sfp or sdp occur after the reference count is
       decremented.
    
     - Cleanup functions such as sg_remove_sfp() and
       sg_remove_sfp_usercontext() can safely execute without impacting the
       mutex handling in sg_release().
    
    The fix has been tested and validated by syzbot. This patch closes the
    bug reported at the following syzkaller link and ensures proper
    sequencing of resource cleanup and mutex operations, eliminating the
    risk of use-after-free errors in sg_release().
    
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=7efb5850a17ba6ce098b
    Tested-by: [email protected]
    Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
    Signed-off-by: Suraj Sonawane <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Bart Van Assche <[email protected]>
    Signed-off-by: Martin K. Petersen <[email protected]>
    Signed-off-by: BRUNO VERNAY <[email protected]>
    Signed-off-by: Hugo SIMELIERE <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
sctp: sysctl: auth_enable: avoid using current->nsproxy [+ + +]
Author: Matthieu Baerts (NGI0) <[email protected]>
Date:   Wed Jan 8 16:34:34 2025 +0100

    sctp: sysctl: auth_enable: avoid using current->nsproxy
    
    commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream.
    
    As mentioned in a previous commit of this series, using the 'net'
    structure via 'current' is not recommended for different reasons:
    
    - Inconsistency: getting info from the reader's/writer's netns vs only
      from the opener's netns.
    
    - current->nsproxy can be NULL in some cases, resulting in an 'Oops'
      (null-ptr-deref), e.g. when the current task is exiting, as spotted by
      syzbot [1] using acct(2).
    
    The 'net' structure can be obtained from the table->data using
    container_of().
    
    Note that table->data could also be used directly, but that would
    increase the size of this fix, while 'sctp.ctl_sock' still needs to be
    retrieved from 'net' structure.
    
    Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
    Cc: [email protected]
    Link: https://lore.kernel.org/[email protected] [1]
    Suggested-by: Al Viro <[email protected]>
    Signed-off-by: Matthieu Baerts (NGI0) <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy [+ + +]
Author: Matthieu Baerts (NGI0) <[email protected]>
Date:   Wed Jan 8 16:34:32 2025 +0100

    sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
    
    commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream.
    
    As mentioned in a previous commit of this series, using the 'net'
    structure via 'current' is not recommended for different reasons:
    
    - Inconsistency: getting info from the reader's/writer's netns vs only
      from the opener's netns.
    
    - current->nsproxy can be NULL in some cases, resulting in an 'Oops'
      (null-ptr-deref), e.g. when the current task is exiting, as spotted by
      syzbot [1] using acct(2).
    
    The 'net' structure can be obtained from the table->data using
    container_of().
    
    Note that table->data could also be used directly, as this is the only
    member needed from the 'net' structure, but that would increase the size
    of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is
    used.
    
    Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
    Cc: [email protected]
    Link: https://lore.kernel.org/[email protected] [1]
    Suggested-by: Al Viro <[email protected]>
    Signed-off-by: Matthieu Baerts (NGI0) <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy [+ + +]
Author: Matthieu Baerts (NGI0) <[email protected]>
Date:   Wed Jan 8 16:34:36 2025 +0100

    sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy
    
    commit 6259d2484d0ceff42245d1f09cc8cb6ee72d847a upstream.
    
    As mentioned in a previous commit of this series, using the 'net'
    structure via 'current' is not recommended for different reasons:
    
    - Inconsistency: getting info from the reader's/writer's netns vs only
      from the opener's netns.
    
    - current->nsproxy can be NULL in some cases, resulting in an 'Oops'
      (null-ptr-deref), e.g. when the current task is exiting, as spotted by
      syzbot [1] using acct(2).
    
    The 'net' structure can be obtained from the table->data using
    container_of().
    
    Note that table->data could also be used directly, as this is the only
    member needed from the 'net' structure, but that would increase the size
    of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is
    used.
    
    Fixes: d1e462a7a5f3 ("sctp: add probe_interval in sysctl and sock/asoc/transport")
    Cc: [email protected]
    Link: https://lore.kernel.org/[email protected] [1]
    Suggested-by: Al Viro <[email protected]>
    Signed-off-by: Matthieu Baerts (NGI0) <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

sctp: sysctl: rto_min/max: avoid using current->nsproxy [+ + +]
Author: Matthieu Baerts (NGI0) <[email protected]>
Date:   Wed Jan 8 16:34:33 2025 +0100

    sctp: sysctl: rto_min/max: avoid using current->nsproxy
    
    commit 9fc17b76fc70763780aa78b38fcf4742384044a5 upstream.
    
    As mentioned in a previous commit of this series, using the 'net'
    structure via 'current' is not recommended for different reasons:
    
    - Inconsistency: getting info from the reader's/writer's netns vs only
      from the opener's netns.
    
    - current->nsproxy can be NULL in some cases, resulting in an 'Oops'
      (null-ptr-deref), e.g. when the current task is exiting, as spotted by
      syzbot [1] using acct(2).
    
    The 'net' structure can be obtained from the table->data using
    container_of().
    
    Note that table->data could also be used directly, as this is the only
    member needed from the 'net' structure, but that would increase the size
    of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used.
    
    Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl")
    Cc: [email protected]
    Link: https://lore.kernel.org/[email protected] [1]
    Suggested-by: Al Viro <[email protected]>
    Signed-off-by: Matthieu Baerts (NGI0) <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

sctp: sysctl: udp_port: avoid using current->nsproxy [+ + +]
Author: Matthieu Baerts (NGI0) <[email protected]>
Date:   Wed Jan 8 16:34:35 2025 +0100

    sctp: sysctl: udp_port: avoid using current->nsproxy
    
    commit c10377bbc1972d858eaf0ab366a311b39f8ef1b6 upstream.
    
    As mentioned in a previous commit of this series, using the 'net'
    structure via 'current' is not recommended for different reasons:
    
    - Inconsistency: getting info from the reader's/writer's netns vs only
      from the opener's netns.
    
    - current->nsproxy can be NULL in some cases, resulting in an 'Oops'
      (null-ptr-deref), e.g. when the current task is exiting, as spotted by
      syzbot [1] using acct(2).
    
    The 'net' structure can be obtained from the table->data using
    container_of().
    
    Note that table->data could also be used directly, but that would
    increase the size of this fix, while 'sctp.ctl_sock' still needs to be
    retrieved from 'net' structure.
    
    Fixes: 046c052b475e ("sctp: enable udp tunneling socks")
    Cc: [email protected]
    Link: https://lore.kernel.org/[email protected] [1]
    Suggested-by: Al Viro <[email protected]>
    Signed-off-by: Matthieu Baerts (NGI0) <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
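The three sctp sysctl fixes above all replace a netns lookup through current->nsproxy with container_of() on table->data. The following is an added example, not kernel code: the struct layouts are simplified stand-ins for the kernel's 'struct net', 'struct ctl_table' and 'struct nsproxy' (an assumption; only the members the commit messages name are modelled), and it shows why the table-based lookup is independent of the calling task.

```c
/*
 * Added example (not kernel code): recover the owning 'struct net' from a
 * sysctl table's ->data pointer with container_of(), as the sctp sysctl fixes
 * do, instead of reading it through current->nsproxy.
 *
 * Struct layouts are simplified stand-ins (assumption); only the members
 * named in the commit messages are modelled.
 */
#include <stddef.h>
#include <stdio.h>

#ifndef container_of
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#endif

/* Stand-in for the per-netns SCTP settings. */
struct netns_sctp {
	int probe_interval;
	int rto_min;
	int rto_max;
	int udp_port;
};

/* Stand-in for 'struct net'; unrelated members precede sctp in the real one. */
struct net {
	int pad_before;
	struct netns_sctp sctp;
};

/* Stand-in for 'struct ctl_table': only ->data matters here. */
struct ctl_table {
	const char *procname;
	void *data;
};

/* Stand-in for 'struct nsproxy'; NULL while the task is exiting, as in the syzbot report. */
struct nsproxy {
	struct net *net_ns;
};

/*
 * The pattern the fixes remove: the netns comes from the *current* task.
 * Returns NULL instead of dereferencing when nsproxy is gone, so the failure
 * is visible; the original code had no such check and oopsed.
 */
static struct net *net_from_current(const struct nsproxy *current_nsproxy)
{
	if (!current_nsproxy)
		return NULL;
	return current_nsproxy->net_ns;
}

/*
 * The pattern the fixes adopt: the table for 'rto_min' was registered with
 * ->data = &net->sctp.rto_min, so the owning 'struct net' is recovered from
 * that pointer alone, whoever is reading or writing the sysctl.
 */
static struct net *net_from_rto_min_table(const struct ctl_table *table)
{
	return container_of(table->data, struct net, sctp.rto_min);
}

static struct net *net_from_udp_port_table(const struct ctl_table *table)
{
	return container_of(table->data, struct net, sctp.udp_port);
}

/* Returns 1 when the table-based lookups recover the opener's netns while the
 * current-task lookup would have dereferenced a NULL nsproxy. */
static int demo_container_of_recovers_owner(void)
{
	struct net opener_ns = { .sctp = { .rto_min = 1000, .rto_max = 60000, .udp_port = 9899 } };
	struct ctl_table rto_min_tbl = { .procname = "rto_min", .data = &opener_ns.sctp.rto_min };
	struct ctl_table udp_port_tbl = { .procname = "udp_port", .data = &opener_ns.sctp.udp_port };
	struct nsproxy *current_nsproxy = NULL;   /* the writer is an exiting task */

	int via_current_ok = net_from_current(current_nsproxy) != NULL;
	int via_table_ok = net_from_rto_min_table(&rto_min_tbl) == &opener_ns &&
			   net_from_udp_port_table(&udp_port_tbl) == &opener_ns;

	return !via_current_ok && via_table_ok;
}

int main(void)
{
	printf("container_of() recovers the owning netns: %s\n",
	       demo_container_of_recovers_owner() ? "yes" : "no");
	return 0;
}
```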

 
staging: iio: ad9832: Correct phase range check [+ + +]
Author: Zicheng Qu <[email protected]>
Date:   Thu Nov 7 01:10:15 2024 +0000

    staging: iio: ad9832: Correct phase range check
    
    commit 4636e859ebe0011f41e35fa79bab585b8004e9a3 upstream.
    
    User Perspective:
    When a user sets the phase value, the ad9832_write_phase() is called.
    The phase register has a 12-bit resolution, so the valid range is 0 to
    4095. If the phase offset value of 4096 is input, it effectively exactly
    equals 0 in the lower 12 bits, meaning no offset.
    
    Reasons for the Change:
    1) Original Condition (phase > BIT(AD9832_PHASE_BITS)):
    This condition allows a phase value equal to 2^12, which is 4096.
    However, this value exceeds the valid 12-bit range, as the maximum valid
    phase value should be 4095.
    2) Modified Condition (phase >= BIT(AD9832_PHASE_BITS)):
    Ensures that the phase value is within the valid range, preventing
    invalid data from being written.
    
    Impact on Subsequent Logic: st->data = cpu_to_be16(addr | phase):
    If the phase value is 2^12, i.e., 4096 (0001 0000 0000 0000), and addr
    is AD9832_REG_PHASE0 (1100 0000 0000 0000), then addr | phase results in
    1101 0000 0000 0000, occupying DB12. According to the section of WRITING
    TO A PHASE REGISTER in the datasheet, the MSB 12 PHASE0 bits should be
    DB11. The original condition leads to incorrect DB12 usage, which
    contradicts the datasheet and could pose potential issues for future
    updates if DB12 is used in such related cases.
    
    Fixes: ea707584bac1 ("Staging: IIO: DDS: AD9832 / AD9835 driver")
    Cc: [email protected]
    Signed-off-by: Zicheng Qu <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

staging: iio: ad9834: Correct phase range check [+ + +]
Author: Zicheng Qu <[email protected]>
Date:   Thu Nov 7 01:10:14 2024 +0000

    staging: iio: ad9834: Correct phase range check
    
    commit c0599762f0c7e260b99c6b7bceb8eae69b804c94 upstream.
    
    User Perspective:
    When a user sets the phase value, the ad9834_write_phase() is called.
    The phase register has a 12-bit resolution, so the valid range is 0 to
    4095. If the phase offset value of 4096 is input, it effectively exactly
    equals 0 in the lower 12 bits, meaning no offset.
    
    Reasons for the Change:
    1) Original Condition (phase > BIT(AD9834_PHASE_BITS)):
    This condition allows a phase value equal to 2^12, which is 4096.
    However, this value exceeds the valid 12-bit range, as the maximum valid
    phase value should be 4095.
    2) Modified Condition (phase >= BIT(AD9834_PHASE_BITS)):
    Ensures that the phase value is within the valid range, preventing
    invalid data from being written.
    
    Impact on Subsequent Logic: st->data = cpu_to_be16(addr | phase):
    If the phase value is 2^12, i.e., 4096 (0001 0000 0000 0000), and addr
    is AD9834_REG_PHASE0 (1100 0000 0000 0000), then addr | phase results in
    1101 0000 0000 0000, occupying DB12. According to the section of WRITING
    TO A PHASE REGISTER in the datasheet, the MSB 12 PHASE0 bits should be
    DB11. The original condition leads to incorrect DB12 usage, which
    contradicts the datasheet and could pose potential issues for future
    updates if DB12 is used in such related cases.
    
    Fixes: 12b9d5bf76bf ("Staging: IIO: DDS: AD9833 / AD9834 driver")
    Cc: [email protected]
    Signed-off-by: Zicheng Qu <[email protected]>
    Reviewed-by: Dan Carpenter <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
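An added example covering both phase range fixes above (ad9832 and ad9834), not code from either driver: it puts the original and corrected checks side by side and shows what a phase of 4096 does to the 16-bit register word. The constants are those quoted in the commit messages (12 phase bits, AD9832_REG_PHASE0 = 1100 0000 0000 0000); the word is kept in host order here, whereas the driver wraps it in cpu_to_be16() for the SPI transfer.

```c
/*
 * Added example (not driver code): the off-by-one in the ad9832/ad9834 phase
 * range checks and its effect on the 16-bit register word.
 *
 * Constants are those quoted in the commit messages; the word is kept in host
 * order (the driver applies cpu_to_be16() before the SPI transfer).
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define BIT(n)              (1UL << (n))
#define AD9832_PHASE_BITS   12
#define AD9832_REG_PHASE0   0xC000u                        /* 1100 0000 0000 0000 */
#define PHASE_FIELD_MASK    (BIT(AD9832_PHASE_BITS) - 1)   /* DB11..DB0 */

/* Original check: rejects 4097 and above but lets 4096 (== BIT(12)) through. */
static int phase_in_range_original(unsigned long phase)
{
	return !(phase > BIT(AD9832_PHASE_BITS));
}

/* Fixed check: the valid range is 0..4095, so 4096 is rejected. */
static int phase_in_range_fixed(unsigned long phase)
{
	return !(phase >= BIT(AD9832_PHASE_BITS));
}

/*
 * Emulates the write path st->data = addr | phase behind a range check.
 * Returns the 16-bit word, or -EINVAL when the check rejects the value.
 */
static long write_phase_word(uint16_t addr, unsigned long phase,
			     int (*in_range)(unsigned long))
{
	if (!in_range(phase))
		return -EINVAL;
	return (long)(uint16_t)(addr | phase);
}

/* Address/command bits as the datasheet lays them out: everything above DB11. */
static uint16_t word_addr_bits(uint16_t word)
{
	return (uint16_t)(word & ~PHASE_FIELD_MASK);
}

/* Phase bits as the device interprets them: DB11..DB0 only. */
static uint16_t word_phase_bits(uint16_t word)
{
	return (uint16_t)(word & PHASE_FIELD_MASK);
}

int main(void)
{
	long w = write_phase_word(AD9832_REG_PHASE0, 4096, phase_in_range_original);
	/* Passes the original check, but DB12 leaks into the address bits (0xD000)
	 * and the phase field reads back as 0: no offset at all. */
	printf("original, phase=4096: word=0x%04lx addr=0x%04x phase=%u\n",
	       w, word_addr_bits((uint16_t)w), word_phase_bits((uint16_t)w));

	w = write_phase_word(AD9832_REG_PHASE0, 4096, phase_in_range_fixed);
	printf("fixed,    phase=4096: %s\n", w < 0 ? "rejected (-EINVAL)" : "accepted");

	w = write_phase_word(AD9832_REG_PHASE0, 4095, phase_in_range_fixed);
	printf("fixed,    phase=4095: word=0x%04lx\n", w);
	return 0;
}
```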

 
tcp/dccp: allow a connection when sk_max_ack_backlog is zero [+ + +]
Author: Zhongqiu Duan <[email protected]>
Date:   Thu Jan 2 17:14:26 2025 +0000

    tcp/dccp: allow a connection when sk_max_ack_backlog is zero
    
    [ Upstream commit 3479c7549fb1dfa7a1db4efb7347c7b8ef50de4b ]
    
    If the backlog of listen() is set to zero, sk_acceptq_is_full() allows
    one connection to be made, but inet_csk_reqsk_queue_is_full() does not.
    When the net.ipv4.tcp_syncookies is zero, inet_csk_reqsk_queue_is_full()
    will cause an immediate drop before the sk_acceptq_is_full() check in
    tcp_conn_request(), resulting in no connection being made.
    
    This patch tries to keep consistent with 64a146513f8f ("[NET]: Revert
    incorrect accept queue backlog changes.").
    
    Link: https://lore.kernel.org/netdev/[email protected]/
    Fixes: ef547f2ac16b ("tcp: remove max_qlen_log")
    Signed-off-by: Zhongqiu Duan <[email protected]>
    Reviewed-by: Kuniyuki Iwashima <[email protected]>
    Reviewed-by: Jason Xing <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog [+ + +]
Author: Jason Xing <[email protected]>
Date:   Sun Mar 31 17:05:21 2024 +0800

    tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
    
    [ Upstream commit 9a79c65f00e2b036e17af3a3a607d7d732b7affb ]
    
    Since commit 099ecf59f05b ("net: annotate lockless accesses to
    sk->sk_max_ack_backlog") decided to handle the sk_max_ack_backlog
    locklessly, there is one more function mostly called in TCP/DCCP
    cases. So this patch completes it:)
    
    Signed-off-by: Jason Xing <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Stable-dep-of: 3479c7549fb1 ("tcp/dccp: allow a connection when sk_max_ack_backlog is zero")
    Signed-off-by: Sasha Levin <[email protected]>

 
tls: Fix tls_sw_sendmsg error handling [+ + +]
Author: Benjamin Coddington <[email protected]>
Date:   Sat Jan 4 10:29:45 2025 -0500

    tls: Fix tls_sw_sendmsg error handling
    
    [ Upstream commit b341ca51d2679829d26a3f6a4aa9aee9abd94f92 ]
    
    We've noticed that NFS can hang when using RPC over TLS on an unstable
    connection, and investigation shows that the RPC layer is stuck in a tight
    loop attempting to transmit, but forever getting -EBADMSG back from the
    underlying network.  The loop begins when tcp_sendmsg_locked() returns
    -EPIPE to tls_tx_records(), but that error is converted to -EBADMSG when
    calling the socket's error reporting handler.
    
    Instead of converting errors from tcp_sendmsg_locked(), let's pass them
    along in this path.  The RPC layer handles -EPIPE by reconnecting the
    transport, which prevents the endless attempts to transmit on a broken
    connection.
    
    Signed-off-by: Benjamin Coddington <[email protected]>
    Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance")
    Link: https://patch.msgid.link/9594185559881679d81f071b181a10eb07cd079f.1736004079.git.bcodding@redhat.com
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
topology: Keep the cpumask unchanged when printing cpumap [+ + +]
Author: Li Huafei <[email protected]>
Date:   Thu Nov 14 19:01:41 2024 +0800

    topology: Keep the cpumask unchanged when printing cpumap
    
    commit cbd399f78e23ad4492c174fc5e6b3676dba74a52 upstream.
    
    During fuzz testing, the following warning was discovered:
    
     different return values (15 and 11) from vsnprintf("%*pbl
     ", ...)
    
     test:keyward is WARNING in kvasprintf
     WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130
     Call Trace:
      kvasprintf+0x121/0x130
      kasprintf+0xa6/0xe0
      bitmap_print_to_buf+0x89/0x100
      core_siblings_list_read+0x7e/0xb0
      kernfs_file_read_iter+0x15b/0x270
      new_sync_read+0x153/0x260
      vfs_read+0x215/0x290
      ksys_read+0xb9/0x160
      do_syscall_64+0x56/0x100
      entry_SYSCALL_64_after_hwframe+0x78/0xe2
    
    The call trace shows that kvasprintf() reported this warning during the
    printing of core_siblings_list. kvasprintf() has several steps:
    
     (1) First, calculate the length of the resulting formatted string.
    
     (2) Allocate a buffer based on the returned length.
    
     (3) Then, perform the actual string formatting.
    
     (4) Check whether the lengths of the formatted strings returned in
         steps (1) and (2) are consistent.
    
    If the core_cpumask is modified between steps (1) and (3), the lengths
    obtained in these two steps may not match. Indeed our test includes cpu
    hotplugging, which should modify core_cpumask while printing.
    
    To fix this issue, cache the cpumask into a temporary variable before
    calling cpumap_print_{list, cpumask}_to_buf(), to keep it unchanged
    during the printing process.
    
    Fixes: bb9ec13d156e ("topology: use bin_attribute to break the size limitation of cpumap ABI")
    Cc: stable <[email protected]>
    Signed-off-by: Li Huafei <[email protected]>
    Reviewed-by: Jonathan Cameron <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
usb-storage: Add max sectors quirk for Nokia 208 [+ + +]
Author: Lubomir Rintel <[email protected]>
Date:   Wed Jan 1 22:22:06 2025 +0100

    usb-storage: Add max sectors quirk for Nokia 208
    
    commit cdef30e0774802df2f87024d68a9d86c3b99ca2a upstream.
    
    This fixes data corruption when accessing the internal SD card in mass
    storage mode.
    
    I am actually not too sure why. I didn't figure a straightforward way to
    reproduce the issue, but I seem to get garbage when a lot (over 50) of
    large reads (over 120 sectors) are done in quick succession. That is,
    time seems to matter here -- larger reads are fine if they are done with
    some delay between them.
    
    But I'm not great at understanding this sort of thing, so I'll assume
    the issue other, smarter, folks were seeing with similar phones is the
    same problem and I'll just put my quirk next to theirs.
    
    The "Software details" screen on the phone is as follows:
    
      V 04.06
      07-08-13
      RM-849
      (c) Nokia
    
    TL;DR version of the device descriptor:
    
      idVendor           0x0421 Nokia Mobile Phones
      idProduct          0x06c2
      bcdDevice            4.06
      iManufacturer           1 Nokia
      iProduct                2 Nokia 208
    
    The patch assumes older firmwares are broken too (I'm unable to test, but
    no biggie if they aren't I guess), and I have no idea if newer firmware
    exists.
    
    Signed-off-by: Lubomir Rintel <[email protected]>
    Cc: stable <[email protected]>
    Acked-by: Alan Stern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
USB: core: Disable LPM only for non-suspended ports [+ + +]
Author: Kai-Heng Feng <[email protected]>
Date:   Fri Dec 6 15:48:17 2024 +0800

    USB: core: Disable LPM only for non-suspended ports
    
    commit 59bfeaf5454b7e764288d84802577f4a99bf0819 upstream.
    
    There's a USB error when the tegra board is shutting down:
    [  180.919315] usb 2-3: Failed to set U1 timeout to 0x0,error code -113
    [  180.919995] usb 2-3: Failed to set U1 timeout to 0xa,error code -113
    [  180.920512] usb 2-3: Failed to set U2 timeout to 0x4,error code -113
    [  186.157172] tegra-xusb 3610000.usb: xHCI host controller not responding, assume dead
    [  186.157858] tegra-xusb 3610000.usb: HC died; cleaning up
    [  186.317280] tegra-xusb 3610000.usb: Timeout while waiting for evaluate context command
    
    The issue is caused by disabling LPM on already suspended ports.
    
    For USB2 LPM, the LPM is already disabled during port suspend. For USB3
    LPM, the port won't transition to U1/U2 when it's already suspended in U3,
    hence disabling LPM is only needed for ports that are not suspended.
    
    Cc: Wayne Chang <[email protected]>
    Cc: stable <[email protected]>
    Fixes: d920a2ed8620 ("usb: Disable USB3 LPM at shutdown")
    Signed-off-by: Kai-Heng Feng <[email protected]>
    Acked-by: Alan Stern <[email protected]>
    Tested-by: Jon Hunter <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
usb: dwc3: gadget: fix writing NYET threshold [+ + +]
Author: André Draszik <[email protected]>
Date:   Mon Dec 9 11:49:53 2024 +0000

    usb: dwc3: gadget: fix writing NYET threshold
    
    commit 01ea6bf5cb58b20cc1bd159f0cf74a76cf04bb69 upstream.
    
    Before writing a new value to the register, the old value needs to be
    masked out for the new value to be programmed as intended, because at
    least in some cases the reset value of that field is 0xf (max value).
    
    At the moment, the dwc3 core initialises the threshold to the maximum
    value (0xf), with the option to override it via a DT. No upstream DTs
    seem to override it, therefore this commit doesn't change behaviour for
    any upstream platform. Nevertheless, the code should be fixed to have
    the desired outcome.
    
    Do so.
    
    Fixes: 80caf7d21adc ("usb: dwc3: add lpm erratum support")
    Cc: [email protected] # 5.10+ (needs adjustment for 5.4)
    Signed-off-by: André Draszik <[email protected]>
    Acked-by: Thinh Nguyen <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: fix reference leak in usb_new_device() [+ + +]
Author: Ma Ke <[email protected]>
Date:   Wed Dec 18 15:13:46 2024 +0800

    usb: fix reference leak in usb_new_device()
    
    commit 0df11fa8cee5a9cf8753d4e2672bb3667138c652 upstream.
    
    When device_add(&udev->dev) succeeds and a later call fails,
    usb_new_device() does not properly call device_del(). As the comment of
    device_add() says, 'if device_add() succeeds, you should call
    device_del() when you want to get rid of it. If device_add() has not
    succeeded, use only put_device() to drop the reference count'.
    
    Found by code review.
    
    Cc: stable <[email protected]>
    Fixes: 9f8b17e643fe ("USB: make usbdevices export their device nodes instead of using a separate class")
    Signed-off-by: Ma Ke <[email protected]>
    Reviewed-by: Alan Stern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: gadget: f_fs: Remove WARN_ON in functionfs_bind [+ + +]
Author: Akash M <[email protected]>
Date:   Thu Dec 19 18:22:19 2024 +0530

    usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
    
    commit dfc51e48bca475bbee984e90f33fdc537ce09699 upstream.
    
    This commit addresses an issue related to below kernel panic where
    panic_on_warn is enabled. It is caused by the unnecessary use of WARN_ON
    in functionfs_bind, which easily leads to the following scenario.
    
    1.adb_write in adbd               2. UDC write via configfs
      =================                  =====================
    
    ->usb_ffs_open_thread()           ->UDC write
     ->open_functionfs()               ->configfs_write_iter()
      ->adb_open()                      ->gadget_dev_desc_UDC_store()
       ->adb_write()                     ->usb_gadget_register_driver_owner
                                          ->driver_register()
    ->StartMonitor()                       ->bus_add_driver()
     ->adb_read()                           ->gadget_bind_driver()
    <times-out without BIND event>           ->configfs_composite_bind()
                                              ->usb_add_function()
    ->open_functionfs()                        ->ffs_func_bind()
     ->adb_open()                               ->functionfs_bind()
                                           <ffs->state !=FFS_ACTIVE>
    
    The adb_open, adb_read, and adb_write operations are invoked from the
    daemon, but trying to bind the function is a process that is invoked by
    UDC write through configfs, which opens up the possibility of a race
    condition between the two paths. In this race scenario, the kernel panic
    occurs due to the WARN_ON from functionfs_bind when panic_on_warn is
    enabled. This commit fixes the kernel panic by removing the unnecessary
    WARN_ON.
    
    Kernel panic - not syncing: kernel: panic_on_warn set ...
    [   14.542395] Call trace:
    [   14.542464]  ffs_func_bind+0x1c8/0x14a8
    [   14.542468]  usb_add_function+0xcc/0x1f0
    [   14.542473]  configfs_composite_bind+0x468/0x588
    [   14.542478]  gadget_bind_driver+0x108/0x27c
    [   14.542483]  really_probe+0x190/0x374
    [   14.542488]  __driver_probe_device+0xa0/0x12c
    [   14.542492]  driver_probe_device+0x3c/0x220
    [   14.542498]  __driver_attach+0x11c/0x1fc
    [   14.542502]  bus_for_each_dev+0x104/0x160
    [   14.542506]  driver_attach+0x24/0x34
    [   14.542510]  bus_add_driver+0x154/0x270
    [   14.542514]  driver_register+0x68/0x104
    [   14.542518]  usb_gadget_register_driver_owner+0x48/0xf4
    [   14.542523]  gadget_dev_desc_UDC_store+0xf8/0x144
    [   14.542526]  configfs_write_iter+0xf0/0x138
    
    Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
    Cc: stable <[email protected]>
    Signed-off-by: Akash M <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints [+ + +]
Author: Prashanth K <[email protected]>
Date:   Wed Dec 11 17:29:15 2024 +0530

    usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints
    
    commit 057bd54dfcf68b1f67e6dfc32a47a72e12198495 upstream.
    
    Currently afunc_bind sets std_ac_if_desc.bNumEndpoints to 1 if
    controls (mute/volume) are enabled. During next afunc_bind call,
    bNumEndpoints would be unchanged and incorrectly set to 1 even
    if the controls aren't enabled.
    
    Fix this by resetting the value of bNumEndpoints to 0 on every
    afunc_bind call.
    
    Fixes: eaf6cbe09920 ("usb: gadget: f_uac2: add volume and mute support")
    Cc: stable <[email protected]>
    Signed-off-by: Prashanth K <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null [+ + +]
Author: Lianqin Hu <[email protected]>
Date:   Tue Dec 17 07:58:44 2024 +0000

    usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null
    
    commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec upstream.
    
    Considering that in some extreme cases, when performing the
    unbinding operation, gserial_disconnect has cleared gser->ioport,
    which triggers gadget reconfiguration, and then calls gs_read_complete,
    resulting in access to a null pointer. Therefore, ep is disabled before
    gserial_disconnect sets port to null to prevent this from happening.
    
    Call trace:
     gs_read_complete+0x58/0x240
     usb_gadget_giveback_request+0x40/0x160
     dwc3_remove_requests+0x170/0x484
     dwc3_ep0_out_start+0xb0/0x1d4
     __dwc3_gadget_start+0x25c/0x720
     kretprobe_trampoline.cfi_jt+0x0/0x8
     kretprobe_trampoline.cfi_jt+0x0/0x8
     udc_bind_to_driver+0x1d8/0x300
     usb_gadget_probe_driver+0xa8/0x1dc
     gadget_dev_desc_UDC_store+0x13c/0x188
     configfs_write_iter+0x160/0x1f4
     vfs_write+0x2d0/0x40c
     ksys_write+0x7c/0xf0
     __arm64_sys_write+0x20/0x30
     invoke_syscall+0x60/0x150
     el0_svc_common+0x8c/0xf8
     do_el0_svc+0x28/0xa0
     el0_svc+0x24/0x84
    
    Fixes: c1dca562be8a ("usb gadget: split out serial core")
    Cc: stable <[email protected]>
    Suggested-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Lianqin Hu <[email protected]>
    Link: https://lore.kernel.org/r/TYUPR06MB621733B5AC690DBDF80A0DCCD2042@TYUPR06MB6217.apcprd06.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
USB: serial: cp210x: add Phoenix Contact UPS Device [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Wed Jan 8 11:24:36 2025 +0100

    USB: serial: cp210x: add Phoenix Contact UPS Device
    
    commit 854eee93bd6e3dca619d47087af4d65b2045828e upstream.
    
    Phoenix Contact sells UPS Quint devices [1] with a custom datacable [2]
    that embeds a Silicon Labs converter:
    
    Bus 001 Device 003: ID 1b93:1013 Silicon Labs Phoenix Contact UPS Device
    Device Descriptor:
      bLength                18
      bDescriptorType         1
      bcdUSB               2.00
      bDeviceClass            0
      bDeviceSubClass         0
      bDeviceProtocol         0
      bMaxPacketSize0        64
      idVendor           0x1b93
      idProduct          0x1013
      bcdDevice            1.00
      iManufacturer           1 Silicon Labs
      iProduct                2 Phoenix Contact UPS Device
      iSerial                 3 <redacted>
      bNumConfigurations     1
      Configuration Descriptor:
        bLength                 9
        bDescriptorType         2
        wTotalLength       0x0020
        bNumInterfaces          1
        bConfigurationValue     1
        iConfiguration          0
        bmAttributes         0x80
          (Bus Powered)
        MaxPower              100mA
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        0
          bAlternateSetting       0
          bNumEndpoints           2
          bInterfaceClass       255 Vendor Specific Class
          bInterfaceSubClass      0
          bInterfaceProtocol      0
          iInterface              2 Phoenix Contact UPS Device
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x01  EP 1 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x82  EP 2 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               0
    
    [1] https://www.phoenixcontact.com/en-pc/products/power-supply-unit-quint-ps-1ac-24dc-10-2866763
    [2] https://www.phoenixcontact.com/en-il/products/data-cable-preassembled-ifs-usb-datacable-2320500
    
    Reported-by: Giuseppe Corbelli <[email protected]>
    Cc: [email protected]
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: serial: option: add MeiG Smart SRM815 [+ + +]
Author: Chukun Pan <[email protected]>
Date:   Sun Dec 15 18:00:27 2024 +0800

    USB: serial: option: add MeiG Smart SRM815
    
    commit c1947d244f807b1f95605b75a4059e7b37b5dcc3 upstream.
    
    It looks like SRM815 shares ID with SRM825L.
    
    T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
    D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=2dee ProdID=4d22 Rev= 4.14
    S:  Manufacturer=MEIG
    S:  Product=LTE-A Module
    S:  SerialNumber=123456
    C:* #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Chukun Pan <[email protected]>
    Link: https://lore.kernel.org/lkml/[email protected]/
    Link: https://lore.kernel.org/all/[email protected]/
    Cc: [email protected]
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: serial: option: add Neoway N723-EA support [+ + +]
Author: Michal Hrusecky <[email protected]>
Date:   Tue Jan 7 17:08:29 2025 +0100

    USB: serial: option: add Neoway N723-EA support
    
    commit f5b435be70cb126866fa92ffc6f89cda9e112c75 upstream.
    
    Update the USB serial option driver to support Neoway N723-EA.
    
    ID 2949:8700 Marvell Mobile Composite Device Bus
    
    T:  Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=2949 ProdID=8700 Rev= 1.00
    S:  Manufacturer=Marvell
    S:  Product=Mobile Composite Device Bus
    S:  SerialNumber=200806006809080000
    C:* #Ifs= 5 Cfg#= 1 Atr=c0 MxPwr=500mA
    A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03
    I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
    E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=4096ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=4096ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=86(I) Atr=03(Int.) MxPS=  64 Ivl=4096ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=0e(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=88(I) Atr=03(Int.) MxPS=  64 Ivl=4096ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Tested successfully connecting to the Internet via rndis interface after
    dialing via AT commands on If#=4 or If#=6.
    
    Not sure of the purpose of the other serial interface.
    
    Signed-off-by: Michal Hrusecky <[email protected]>
    Cc: [email protected]
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

USB: usblp: return error when setting unsupported protocol [+ + +]
Author: Jun Yan <[email protected]>
Date:   Thu Dec 12 22:38:52 2024 +0800

    USB: usblp: return error when setting unsupported protocol
    
    commit 7a3d76a0b60b3f6fc3375e4de2174bab43f64545 upstream.
    
    Fix the regression introduced by commit d8c6edfa3f4e ("USB:
    usblp: don't call usb_set_interface if there's a single alt"),
    which allows unsupported protocols to also be set via ioctl when
    the num_altsetting of the device is 1.
    
    Move the check for protocol support to the earlier stage.
    
    Fixes: d8c6edfa3f4e ("USB: usblp: don't call usb_set_interface if there's a single alt")
    Cc: stable <[email protected]>
    Signed-off-by: Jun Yan <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
vsock/virtio: cancel close work in the destructor [+ + +]
Author: Stefano Garzarella <[email protected]>
Date:   Fri Jan 10 09:35:09 2025 +0100

    vsock/virtio: cancel close work in the destructor
    
    commit df137da9d6d166e87e40980e36eb8e0bc90483ef upstream.
    
    During virtio_transport_release() we can schedule a delayed work to
    perform the closing of the socket before destruction.
    
    The destructor is called either when the socket is really destroyed
    (reference counter to zero), or it can also be called when we are
    de-assigning the transport.
    
    In the former case, we are sure the delayed work has completed, because
    it holds a reference until it completes, so the destructor will
    definitely be called after the delayed work is finished.
    But in the latter case, the destructor is called by AF_VSOCK core, just
    after the release(), so there may still be delayed work scheduled.
    
    Refactor the code, moving the code to delete the close work already in
    the do_close() to a new function. Invoke it during destruction to make
    sure we don't leave any pending work.
    
    Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
    Cc: [email protected]
    Reported-by: Hyunwoo Kim <[email protected]>
    Closes: https://lore.kernel.org/netdev/Z37Sh+utS+iV3+eb@v4bel-B760M-AORUS-ELITE-AX/
    Signed-off-by: Stefano Garzarella <[email protected]>
    Reviewed-by: Luigi Leonardi <[email protected]>
    Tested-by: Hyunwoo Kim <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

vsock/virtio: discard packets if the transport changes [+ + +]
Author: Stefano Garzarella <[email protected]>
Date:   Fri Jan 10 09:35:07 2025 +0100

    vsock/virtio: discard packets if the transport changes
    
    commit 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 upstream.
    
    If the socket has been de-assigned or assigned to another transport,
    we must discard any packets received because they are not expected
    and would cause issues when we access vsk->transport.
    
    A possible scenario is described by Hyunwoo Kim in the attached link,
    where after a first connect() interrupted by a signal, and a second
    connect() failed, we can find `vsk->transport` at NULL, leading to a
    NULL pointer dereference.
    
    Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
    Cc: [email protected]
    Reported-by: Hyunwoo Kim <[email protected]>
    Reported-by: Wongi Lee <[email protected]>
    Closes: https://lore.kernel.org/netdev/Z2LvdTTQR7dBmPb5@v4bel-B760M-AORUS-ELITE-AX/
    Signed-off-by: Stefano Garzarella <[email protected]>
    Reviewed-by: Hyunwoo Kim <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    [SG: fixed context conflict since this tree is missing commit 71dc9ec9ac7d
     ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")]
    Signed-off-by: Stefano Garzarella <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] [+ + +]
Author: Stefano Garzarella <[email protected]>
Date:   Fri Jan 10 09:35:11 2025 +0100

    vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
    
    commit 91751e248256efc111e52e15115840c35d85abaf upstream.
    
    Recent reports have shown how we sometimes call vsock_*_has_data()
    when a vsock socket has been de-assigned from a transport (see attached
    links), but we shouldn't.
    
    Previous commits should have solved the real problems, but we may have
    more in the future, so to avoid null-ptr-deref, we can return 0
    (no space, no data available) but with a warning.
    
    This way the code should continue to run in a nearly consistent state
    and have a warning that allows us to debug future problems.
    
    Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
    Cc: [email protected]
    Link: https://lore.kernel.org/netdev/Z2K%2FI4nlHdfMRTZC@v4bel-B760M-AORUS-ELITE-AX/
    Link: https://lore.kernel.org/netdev/[email protected]/
    Link: https://lore.kernel.org/netdev/[email protected]/
    Co-developed-by: Hyunwoo Kim <[email protected]>
    Signed-off-by: Hyunwoo Kim <[email protected]>
    Co-developed-by: Wongi Lee <[email protected]>
    Signed-off-by: Wongi Lee <[email protected]>
    Signed-off-by: Stefano Garzarella <[email protected]>
    Reviewed-by: Luigi Leonardi <[email protected]>
    Reviewed-by: Hyunwoo Kim <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

vsock: reset socket state when de-assigning the transport [+ + +]
Author: Stefano Garzarella <[email protected]>
Date:   Fri Jan 10 09:35:10 2025 +0100

    vsock: reset socket state when de-assigning the transport
    
    commit a24009bc9be60242651a21702609381b5092459e upstream.
    
    Transport's release() and destruct() are called when de-assigning the
    vsock transport. These callbacks can touch some socket state like
    sock flags, sk_state, and peer_shutdown.
    
    Since we are reassigning the socket to a new transport during
    vsock_connect(), let's reset these fields to have a clean state with
    the new transport.
    
    Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
    Cc: [email protected]
    Signed-off-by: Stefano Garzarella <[email protected]>
    Reviewed-by: Luigi Leonardi <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

x86/asm: Make serialize() always_inline [+ + +]
Author: Juergen Gross <[email protected]>
Date:   Wed Dec 18 11:09:18 2024 +0100

    x86/asm: Make serialize() always_inline
    
    [ Upstream commit ae02ae16b76160f0aeeae2c5fb9b15226d00a4ef ]
    
    In order to allow serialize() to be used from noinstr code, make it
    __always_inline.
    
    Fixes: 0ef8047b737d ("x86/static-call: provide a way to do very early static-call updates")
    Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/
    Reported-by: kernel test robot <[email protected]>
    Signed-off-by: Juergen Gross <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

x86/xen: fix SLS mitigation in xen_hypercall_iret() [+ + +]
Author: Juergen Gross <[email protected]>
Date:   Fri Jan 17 12:05:51 2025 +0100

    x86/xen: fix SLS mitigation in xen_hypercall_iret()
    
    The backport of upstream patch a2796dff62d6 ("x86/xen: don't do PV iret
    hypercall through hypercall page") missed adapting the SLS mitigation
    config check from CONFIG_MITIGATION_SLS to CONFIG_SLS.
    
    Signed-off-by: Juergen Gross <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals [+ + +]
Author: Arnd Bergmann <[email protected]>
Date:   Tue Mar 28 15:10:43 2023 +0200

    xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals
    
    commit 130eac4170859fb368681e00d390f20f44bbf27b upstream.
    
    A recent patch caused an unused-function warning in builds with
    CONFIG_PM disabled, after the function became marked 'static':
    
    drivers/usb/host/xhci-pci.c:91:13: error: 'xhci_msix_sync_irqs' defined but not used [-Werror=unused-function]
       91 | static void xhci_msix_sync_irqs(struct xhci_hcd *xhci)
          |             ^~~~~~~~~~~~~~~~~~~
    
    This could be solved by adding another #ifdef, but as there is
    a trend towards removing CONFIG_PM checks in favor of helper
    macros, do the same conversion here and use pm_ptr() to get
    either a function pointer or NULL but avoid the warning.
    
    As the hidden functions reference some other symbols, make
    sure those are visible at compile time, at the minimal cost of
    a few extra bytes for 'struct usb_device'.
    
    Fixes: 9abe15d55dcc ("xhci: Move xhci MSI sync function to to xhci-pci")
    Signed-off-by: Arnd Bergmann <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>