Changelog in Linux kernel 5.4.279

 
ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." [+ + +]
Author: Raju Rangoju <[email protected]>
Date:   Fri Jun 14 19:31:49 2024 +0530

    ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
    
    [ Upstream commit a83e1385b780d41307433ddbc86e3c528db031f0 ]
    
    Undo the modifications made in commit d410ee5109a1 ("ACPICA: avoid
    "Info: mapping multiple BARs. Your kernel is fine.""). The initial
    purpose of this commit was to stop memory mappings for operation
    regions from overlapping page boundaries, as it can trigger warnings
    if different page attributes are present.
    
    However, it was found that when this situation arises, mapping
    continues until the boundary's end, but there is still an attempt to
    read/write the entire length of the map, leading to a NULL pointer
    deference. For example, if a four-byte mapping request is made but
    only one byte is mapped because it hits the current page boundary's
    end, a four-byte read/write attempt is still made, resulting in a NULL
    pointer deference.
    
    Instead, map the entire length, as the ACPI specification does not
    mandate that it must be within the same page boundary. It is
    permissible for it to be mapped across different regions.
    
    Link: https://github.com/acpica/acpica/pull/954
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218849
    Fixes: d410ee5109a1 ("ACPICA: avoid "Info: mapping multiple BARs. Your kernel is fine."")
    Co-developed-by: Sanath S <[email protected]>
    Signed-off-by: Sanath S <[email protected]>
    Signed-off-by: Raju Rangoju <[email protected]>
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Tue Jun 4 09:52:37 2024 -0700

    af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
    
    [ Upstream commit bd9f2d05731f6a112d0c7391a0d537bfc588dbe6 ]
    
    net->unx.sysctl_max_dgram_qlen is exposed as a sysctl knob and can be
    changed concurrently.
    
    Let's use READ_ONCE() in unix_create1().
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Tue Jun 4 09:52:41 2024 -0700

    af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
    
    [ Upstream commit efaf24e30ec39ebbea9112227485805a48b0ceb1 ]
    
    While dumping sockets via UNIX_DIAG, we do not hold unix_state_lock().
    
    Let's use READ_ONCE() to read sk->sk_shutdown.
    
    Fixes: e4e541a84863 ("sock-diag: Report shutdown for inet and unix sockets (v2)")
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Tue Jun 4 09:52:29 2024 -0700

    af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
    
    [ Upstream commit 3a0f38eb285c8c2eead4b3230c7ac2983707599d ]
    
    ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first
    and returns -EINVAL if it's TCP_LISTEN.
    
    Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of
    bytes in recvq.
    
    However, unix_inq_len() does not hold unix_state_lock(), and the
    concurrent listen() might change the state after checking sk->sk_state.
    
    If the race occurs, 0 is returned for the listener, instead of -EINVAL,
    because the length of skb with embryo is 0.
    
    We could hold unix_state_lock() in unix_inq_len(), but it's overkill
    given the result is true for pre-listen() TCP_CLOSE state.
    
    So, let's use READ_ONCE() for sk->sk_state in unix_inq_len().
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Tue Jun 4 09:52:33 2024 -0700

    af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().
    
    [ Upstream commit 8a34d4e8d9742a24f74998f45a6a98edd923319b ]
    
    The following functions read sk->sk_state locklessly and proceed only if
    the state is TCP_ESTABLISHED.
    
      * unix_stream_sendmsg
      * unix_stream_read_generic
      * unix_seqpacket_sendmsg
      * unix_seqpacket_recvmsg
    
    Let's use READ_ONCE() there.
    
    Fixes: a05d2ad1c1f3 ("af_unix: Only allow recv on connected seqpacket sockets.")
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Tue Jun 4 09:52:35 2024 -0700

    af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
    
    [ Upstream commit 0aa3be7b3e1f8f997312cc4705f8165e02806f8f ]
    
    While dumping AF_UNIX sockets via UNIX_DIAG, sk->sk_state is read
    locklessly.
    
    Let's use READ_ONCE() there.
    
    Note that the result could be inconsistent if the socket is dumped
    during the state change.  This is common for other SOCK_DIAG and
    similar interfaces.
    
    Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report")
    Fixes: 2aac7a2cb0d9 ("unix_diag: Pending connections IDs NLA")
    Fixes: 45a96b9be6ec ("unix_diag: Dumping all sockets core")
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Tue Jun 4 09:52:30 2024 -0700

    af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll().
    
    [ Upstream commit eb0718fb3e97ad0d6f4529b810103451c90adf94 ]
    
    unix_poll() and unix_dgram_poll() read sk->sk_state locklessly and
    calls unix_writable() which also reads sk->sk_state without holding
    unix_state_lock().
    
    Let's use READ_ONCE() in unix_poll() and unix_dgram_poll() and pass
    it to unix_writable().
    
    While at it, we remove TCP_SYN_SENT check in unix_dgram_poll() as
    that state does not exist for AF_UNIX socket since the code was added.
    
    Fixes: 1586a5877db9 ("af_unix: do not report POLLOUT on listeners")
    Fixes: 3c73419c09a5 ("af_unix: fix 'poll for write'/ connected DGRAM sockets")
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Tue Jun 4 09:52:40 2024 -0700

    af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
    
    [ Upstream commit 5d915e584d8408211d4567c22685aae8820bfc55 ]
    
    We can dump the socket queue length via UNIX_DIAG by specifying
    UDIAG_SHOW_RQLEN.
    
    If sk->sk_state is TCP_LISTEN, we return the recv queue length,
    but here we do not hold recvq lock.
    
    Let's use skb_queue_len_lockless() in sk_diag_show_rqlen().
    
    Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report")
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Tue Jun 4 09:52:38 2024 -0700

    af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
    
    [ Upstream commit 45d872f0e65593176d880ec148f41ad7c02e40a7 ]
    
    Once sk->sk_state is changed to TCP_LISTEN, it never changes.
    
    unix_accept() takes advantage of this characteristics; it does not
    hold the listener's unix_state_lock() and only acquires recvq lock
    to pop one skb.
    
    It means unix_state_lock() does not prevent the queue length from
    changing in unix_stream_connect().
    
    Thus, we need to use unix_recvq_full_lockless() to avoid data-race.
    
    Now we remove unix_recvq_full() as no one uses it.
    
    Note that we can remove READ_ONCE() for sk->sk_max_ack_backlog in
    unix_recvq_full_lockless() because of the following reasons:
    
      (1) For SOCK_DGRAM, it is a written-once field in unix_create1()
    
      (2) For SOCK_STREAM and SOCK_SEQPACKET, it is changed under the
          listener's unix_state_lock() in unix_listen(), and we hold
          the lock in unix_stream_connect()
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ALSA: emux: improve patch ioctl data validation [+ + +]
Author: Oswald Buddenhagen <[email protected]>
Date:   Sat Apr 6 08:48:20 2024 +0200

    ALSA: emux: improve patch ioctl data validation
    
    [ Upstream commit 89b32ccb12ae67e630c6453d778ec30a592a212f ]
    
    In load_data(), make the validation of and skipping over the main info
    block match that in load_guspatch().
    
    In load_guspatch(), add checking that the specified patch length matches
    the actually supplied data, like load_data() already did.
    
    Signed-off-by: Oswald Buddenhagen <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
arm64: dts: qcom: qcs404: fix bluetooth device address [+ + +]
Author: Johan Hovold <[email protected]>
Date:   Wed May 1 09:52:01 2024 +0200

    arm64: dts: qcom: qcs404: fix bluetooth device address
    
    [ Upstream commit f5f390a77f18eaeb2c93211a1b7c5e66b5acd423 ]
    
    The 'local-bd-address' property is used to pass a unique Bluetooth
    device address from the boot firmware to the kernel and should otherwise
    be left unset so that the OS can prevent the controller from being used
    until a valid address has been provided through some other means (e.g.
    using btmgmt).
    
    Fixes: 60f77ae7d1c1 ("arm64: dts: qcom: qcs404-evb: Enable uart3 and add Bluetooth")
    Cc: [email protected]      # 5.10
    Signed-off-by: Johan Hovold <[email protected]>
    Reviewed-by: Bryan O'Donoghue <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Bjorn Andersson <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

arm64: dts: rockchip: Add sound-dai-cells for RK3368 [+ + +]
Author: Alex Bee <[email protected]>
Date:   Sun Jun 23 11:01:15 2024 +0200

    arm64: dts: rockchip: Add sound-dai-cells for RK3368
    
    [ Upstream commit 8d7ec44aa5d1eb94a30319074762a1740440cdc8 ]
    
    Add the missing #sound-dai-cells for RK3368's I2S and S/PDIF controllers.
    
    Fixes: f7d89dfe1e31 ("arm64: dts: rockchip: add i2s nodes support for RK3368 SoCs")
    Fixes: 0328d68ea76d ("arm64: dts: rockchip: add rk3368 spdif node")
    Signed-off-by: Alex Bee <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Heiko Stuebner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node [+ + +]
Author: Johan Jonker <[email protected]>
Date:   Thu Jun 13 20:08:10 2024 +0200

    ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node
    
    [ Upstream commit cca46f811d0000c1522a5e18ea48c27a15e45c05 ]
    
    '#sound-dai-cells' is required to properly interpret
    the list of DAI specified in the 'sound-dai' property,
    so add them to the 'hdmi' node for 'rk3066a.dtsi'.
    
    Fixes: fadc78062477 ("ARM: dts: rockchip: add rk3066 hdmi nodes")
    Signed-off-by: Johan Jonker <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Heiko Stuebner <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat [+ + +]
Author: Krzysztof Kozlowski <[email protected]>
Date:   Tue Mar 12 19:31:03 2024 +0100

    ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat
    
    [ Upstream commit 88208d3cd79821117fd3fb80d9bcab618467d37b ]
    
    Although the Samsung SoC keypad binding defined
    linux,keypad-no-autorepeat property, Linux driver never implemented it
    and always used linux,input-no-autorepeat.  Correct the DTS to use
    property actually implemented.
    
    This also fixes dtbs_check errors like:
    
      exynos4412-origen.dtb: keypad@100a0000: 'linux,keypad-no-autorepeat' does not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+'
    
    Cc: <[email protected]>
    Fixes: bd08f6277e44 ("ARM: dts: Add keypad entries to Exynos4412 based Origen")
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Krzysztof Kozlowski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ARM: dts: samsung: smdk4412: fix keypad no-autorepeat [+ + +]
Author: Krzysztof Kozlowski <[email protected]>
Date:   Tue Mar 12 19:31:04 2024 +0100

    ARM: dts: samsung: smdk4412: fix keypad no-autorepeat
    
    [ Upstream commit 4ac4c1d794e7ff454d191bbdab7585ed8dbf3758 ]
    
    Although the Samsung SoC keypad binding defined
    linux,keypad-no-autorepeat property, Linux driver never implemented it
    and always used linux,input-no-autorepeat.  Correct the DTS to use
    property actually implemented.
    
    This also fixes dtbs_check errors like:
    
      exynos4412-smdk4412.dtb: keypad@100a0000: 'key-A', 'key-B', 'key-C', 'key-D', 'key-E', 'linux,keypad-no-autorepeat' do not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+'
    
    Cc: <[email protected]>
    Fixes: c9b92dd70107 ("ARM: dts: Add keypad entries to SMDK4412")
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Krzysztof Kozlowski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ARM: dts: samsung: smdkv310: fix keypad no-autorepeat [+ + +]
Author: Krzysztof Kozlowski <[email protected]>
Date:   Tue Mar 12 19:31:02 2024 +0100

    ARM: dts: samsung: smdkv310: fix keypad no-autorepeat
    
    [ Upstream commit 87d8e522d6f5a004f0aa06c0def302df65aff296 ]
    
    Although the Samsung SoC keypad binding defined
    linux,keypad-no-autorepeat property, Linux driver never implemented it
    and always used linux,input-no-autorepeat.  Correct the DTS to use
    property actually implemented.
    
    This also fixes dtbs_check errors like:
    
      exynos4210-smdkv310.dtb: keypad@100a0000: 'linux,keypad-no-autorepeat' does not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+'
    
    Cc: <[email protected]>
    Fixes: 0561ceabd0f1 ("ARM: dts: Add intial dts file for EXYNOS4210 SoC, SMDKV310 and ORIGEN")
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Krzysztof Kozlowski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ASoC: fsl-asoc-card: set priv->pdev before using it [+ + +]
Author: Elinor Montmasson <[email protected]>
Date:   Thu Jun 20 15:25:03 2024 +0200

    ASoC: fsl-asoc-card: set priv->pdev before using it
    
    [ Upstream commit 90f3feb24172185f1832636264943e8b5e289245 ]
    
    priv->pdev pointer was set after being used in
    fsl_asoc_card_audmux_init().
    Move this assignment at the start of the probe function, so
    sub-functions can correctly use pdev through priv.
    
    fsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the
    dev struct, used with dev_err macros.
    As priv is zero-initialised, there would be a NULL pointer dereference.
    Note that if priv->dev is dereferenced before assignment but never used,
    for example if there is no error to be printed, the driver won't crash
    probably due to compiler optimisations.
    
    Fixes: 708b4351f08c ("ASoC: fsl: Add Freescale Generic ASoC Sound Card with ASRC support")
    Signed-off-by: Elinor Montmasson <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ASoC: ti: davinci-mcasp: Fix race condition during probe [+ + +]
Author: Joao Paulo Goncalves <[email protected]>
Date:   Wed Apr 17 15:41:38 2024 -0300

    ASoC: ti: davinci-mcasp: Fix race condition during probe
    
    [ Upstream commit d18ca8635db2f88c17acbdf6412f26d4f6aff414 ]
    
    When using davinci-mcasp as CPU DAI with simple-card, there are some
    conditions that cause simple-card to finish registering a sound card before
    davinci-mcasp finishes registering all sound components. This creates a
    non-working sound card from userspace with no problem indication apart
    from not being able to play/record audio on a PCM stream. The issue
    arises during simultaneous probe execution of both drivers. Specifically,
    the simple-card driver, awaiting a CPU DAI, proceeds as soon as
    davinci-mcasp registers its DAI. However, this process can lead to the
    client mutex lock (client_mutex in soc-core.c) being held or davinci-mcasp
    being preempted before PCM DMA registration on davinci-mcasp finishes.
    This situation occurs when the probes of both drivers run concurrently.
    Below is the code path for this condition. To solve the issue, defer
    davinci-mcasp CPU DAI registration to the last step in the audio part of
    it. This way, simple-card CPU DAI parsing will be deferred until all
    audio components are registered.
    
    Fail Code Path:
    
    simple-card.c: probe starts
    simple-card.c: simple_dai_link_of: simple_parse_node(..,cpu,..) returns EPROBE_DEFER, no CPU DAI yet
    davinci-mcasp.c: probe starts
    davinci-mcasp.c: devm_snd_soc_register_component() register CPU DAI
    simple-card.c: probes again, finish CPU DAI parsing and call devm_snd_soc_register_card()
    simple-card.c: finish probe
    davinci-mcasp.c: *dma_pcm_platform_register() register PCM  DMA
    davinci-mcasp.c: probe finish
    
    Cc: [email protected]
    Fixes: 9fbd58cf4ab0 ("ASoC: davinci-mcasp: Choose PCM driver based on configured DMA controller")
    Signed-off-by: Joao Paulo Goncalves <[email protected]>
    Acked-by: Peter Ujfalusi <[email protected]>
    Reviewed-by: Jai Luthra <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ASoC: ti: davinci-mcasp: Handle missing required DT properties [+ + +]
Author: Peter Ujfalusi <[email protected]>
Date:   Fri Nov 6 09:25:51 2020 +0200

    ASoC: ti: davinci-mcasp: Handle missing required DT properties
    
    [ Upstream commit 1b4fb70e5b28a477478417a7958e0228460ffe68 ]
    
    McASP needs three required properties to be usable for audio:
    op-mode, tdm-slots and the serial-dir array.
    
    Instead of probing the driver even without the needed information we should
    make sure that all the parameters are provided for operation.
    
    The fact that McASP can act as a GPIO controller for it's pins complicates
    this a bit, but as a general rule we can:
    - we fail the probe if McASP is not configured to be used as gpiochip
    - we will not register the DAI (and PCM) if gpiochip is defined
    
    Signed-off-by: Peter Ujfalusi <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Stable-dep-of: d18ca8635db2 ("ASoC: ti: davinci-mcasp: Fix race condition during probe")
    Signed-off-by: Sasha Levin <[email protected]>

ASoC: ti: davinci-mcasp: remove always zero of davinci_mcasp_get_dt_params [+ + +]
Author: Zhang Qilong <[email protected]>
Date:   Mon Nov 2 18:34:28 2020 +0800

    ASoC: ti: davinci-mcasp: remove always zero of davinci_mcasp_get_dt_params
    
    [ Upstream commit 19f6e424d6150b5eede2277dbc6dfd3bf42e994f ]
    
    davinci_mcasp_get_dt_params alway return zero, and its return value
    could be ignored by the caller. So make it 'void' type to avoid the
    check its return value.
    
    Fixes: 764958f2b5239 ("ASoC: ti: davinci-mcasp: Support for auxclk-fs-ratio")
    Signed-off-by: Zhang Qilong <[email protected]>
    Acked-by: Peter Ujfalusi <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Stable-dep-of: d18ca8635db2 ("ASoC: ti: davinci-mcasp: Fix race condition during probe")
    Signed-off-by: Sasha Levin <[email protected]>

ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing [+ + +]
Author: Peter Ujfalusi <[email protected]>
Date:   Fri Nov 6 09:25:49 2020 +0200

    ASoC: ti: davinci-mcasp: Remove legacy dma_request parsing
    
    [ Upstream commit db8793a39b293d5a8983e1713a70a76cb039c2fe ]
    
    The legacy dma_request (which was holding the DMA request number) is no
    longer in use for a long time.
    All legacy platforms has been converted to dma_slave_map.
    
    Remove it along with the DT parsing to get tx_dma_channel and
    rx_dma_channel.
    
    Signed-off-by: Peter Ujfalusi <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Stable-dep-of: d18ca8635db2 ("ASoC: ti: davinci-mcasp: Fix race condition during probe")
    Signed-off-by: Sasha Levin <[email protected]>

ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret [+ + +]
Author: Colin Ian King <[email protected]>
Date:   Mon Feb 10 09:24:22 2020 +0000

    ASoC: ti: davinci-mcasp: remove redundant assignment to variable ret
    
    [ Upstream commit f4d95de415b286090c1bf739c20a5ea2aefda834 ]
    
    The assignment to ret is redundant as it is not used in the error
    return path and hence can be removed.
    
    Addresses-Coverity: ("Unused value")
    Signed-off-by: Colin Ian King <[email protected]>
    Acked-by: Peter Ujfalusi <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Stable-dep-of: d18ca8635db2 ("ASoC: ti: davinci-mcasp: Fix race condition during probe")
    Signed-off-by: Sasha Levin <[email protected]>

ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling [+ + +]
Author: Peter Ujfalusi <[email protected]>
Date:   Fri Nov 6 09:25:50 2020 +0200

    ASoC: ti: davinci-mcasp: Simplify the configuration parameter handling
    
    [ Upstream commit 1125d925990b8d8166c45396c9281e2a705c97f8 ]
    
    Replace the davinci_mcasp_set_pdata_from_of() function which returned a
    pdata pointer with davinci_mcasp_get_config() to return an actual error
    code and handle all pdata validation and private mcasp struct setup in
    there.
    
    Drop the unused ram-size-playback and sram-size-capture query from DT at
    the same time.
    
    Signed-off-by: Peter Ujfalusi <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Stable-dep-of: d18ca8635db2 ("ASoC: ti: davinci-mcasp: Fix race condition during probe")
    Signed-off-by: Sasha Levin <[email protected]>

ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional [+ + +]
Author: Peter Ujfalusi <[email protected]>
Date:   Fri Nov 6 09:25:48 2020 +0200

    ASoC: ti: davinci-mcasp: Use platform_get_irq_byname_optional
    
    [ Upstream commit 372c4bd11de1793667e11d19c29fffc80495eeca ]
    
    Depending on the integration of McASP either the 'common' or the
    'rx' and 'tx' or only the 'tx' interrupt number is valid, provided.
    
    By switching to platform_get_irq_byname_optional() we can clean up the
    bootlog from messages like:
    
    davinci-mcasp 2ba0000.mcasp: IRQ common not found
    
    The irq number == 0 is not valid, fix the check at the same time.
    
    Signed-off-by: Peter Ujfalusi <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Stable-dep-of: d18ca8635db2 ("ASoC: ti: davinci-mcasp: Fix race condition during probe")
    Signed-off-by: Sasha Levin <[email protected]>

 
ata: libata-core: Fix double free on error [+ + +]
Author: Niklas Cassel <[email protected]>
Date:   Sat Jun 29 14:42:13 2024 +0200

    ata: libata-core: Fix double free on error
    
    commit ab9e0c529eb7cafebdd31fe1644524e80a48b05d upstream.
    
    If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump
    to the err_out label, which will call devres_release_group().
    devres_release_group() will trigger a call to ata_host_release().
    ata_host_release() calls kfree(host), so executing the kfree(host) in
    ata_host_alloc() will lead to a double free:
    
    kernel BUG at mm/slub.c:553!
    Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
    RIP: 0010:kfree+0x2cf/0x2f0
    Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da
    RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246
    RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320
    RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0
    RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000
    R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780
    R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006
    FS:  00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0
    PKRU: 55555554
    Call Trace:
     <TASK>
     ? __die_body.cold+0x19/0x27
     ? die+0x2e/0x50
     ? do_trap+0xca/0x110
     ? do_error_trap+0x6a/0x90
     ? kfree+0x2cf/0x2f0
     ? exc_invalid_op+0x50/0x70
     ? kfree+0x2cf/0x2f0
     ? asm_exc_invalid_op+0x1a/0x20
     ? ata_host_alloc+0xf5/0x120 [libata]
     ? ata_host_alloc+0xf5/0x120 [libata]
     ? kfree+0x2cf/0x2f0
     ata_host_alloc+0xf5/0x120 [libata]
     ata_host_alloc_pinfo+0x14/0xa0 [libata]
     ahci_init_one+0x6c9/0xd20 [ahci]
    
    Ensure that we will not call kfree(host) twice, by performing the kfree()
    only if the devres_open_group() call failed.
    
    Fixes: dafd6c496381 ("libata: ensure host is free'd on error exit paths")
    Cc: [email protected]
    Reviewed-by: Damien Le Moal <[email protected]>
    Reviewed-by: Hannes Reinecke <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Niklas Cassel <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
batman-adv: bypass empty buckets in batadv_purge_orig_ref() [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Sat Mar 30 15:54:38 2024 +0000

    batman-adv: bypass empty buckets in batadv_purge_orig_ref()
    
    [ Upstream commit 40dc8ab605894acae1473e434944924a22cfaaa0 ]
    
    Many syzbot reports are pointing to soft lockups in
    batadv_purge_orig_ref() [1]
    
    Root cause is unknown, but we can avoid spending too much
    time there and perhaps get more interesting reports.
    
    [1]
    
    watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]
    Modules linked in:
    irq event stamp: 6182794
     hardirqs last  enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
     hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
     hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
     softirqs last  enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
     softirqs last  enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
     softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline]
     softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271
    CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
    Workqueue: bat_events batadv_purge_orig
    pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]
     pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388
     lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
    sp : ffff800099007970
    x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000
    x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001
    x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4
    x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0
    x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001
    x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003
    x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000
    x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000
    x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
    x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000
    Call trace:
      __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
      arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]
      __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386
      __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
      _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210
      spin_unlock_bh include/linux/spinlock.h:396 [inline]
      batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
      batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300
      process_one_work+0x694/0x1204 kernel/workqueue.c:2633
      process_scheduled_works kernel/workqueue.c:2706 [inline]
      worker_thread+0x938/0xef4 kernel/workqueue.c:2787
      kthread+0x288/0x310 kernel/kthread.c:388
      ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
    Sending NMI from CPU 0 to CPUs 1:
    NMI backtrace for cpu 1
    CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
    pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51
     lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103
    sp : ffff800093a17d30
    x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4
    x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002
    x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000
    x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396
    x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001
    x14: 1fffe00036805f10 x13: 0000000000000000 x12: 0000000000000003
    x11: 0000000000000001 x10: 0000000000000003 x9 : 0000000000000000
    x8 : 00000000000ce8d1 x7 : ffff8000804609e4 x6 : 0000000000000000
    x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008ad6aac0
    x2 : 0000000000000000 x1 : ffff80008aedea60 x0 : ffff800125436000
    Call trace:
      __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
      arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:49
      cpuidle_idle_call kernel/sched/idle.c:170 [inline]
      do_idle+0x1f0/0x4e8 kernel/sched/idle.c:312
      cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:410
      secondary_start_kernel+0x198/0x1c0 arch/arm64/kernel/smp.c:272
      __secondary_switched+0xb8/0xbc arch/arm64/kernel/head.S:404
    
    Signed-off-by: Eric Dumazet <[email protected]>
    Signed-off-by: Sven Eckelmann <[email protected]>
    Signed-off-by: Simon Wunderlich <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

batman-adv: Don't accept TT entries for out-of-spec VIDs [+ + +]
Author: Sven Eckelmann <[email protected]>
Date:   Sat May 4 21:57:30 2024 +0200

    batman-adv: Don't accept TT entries for out-of-spec VIDs
    
    commit 537a350d14321c8cca5efbf0a33a404fec3a9f9e upstream.
    
    The internal handling of VLAN IDs in batman-adv is only specified for
    following encodings:
    
    * VLAN is used
      - bit 15 is 1
      - bit 11 - bit 0 is the VLAN ID (0-4095)
      - remaining bits are 0
    * No VLAN is used
      - bit 15 is 0
      - remaining bits are 0
    
    batman-adv was only preparing new translation table entries (based on its
    soft interface information) using this encoding format. But the receive
    path was never checking if entries in the roam or TT TVLVs were also
    following this encoding.
    
    It was therefore possible to create more than the expected maximum of 4096
    + 1 entries in the originator VLAN list. Simply by setting the "remaining
    bits" to "random" values in corresponding TVLV.
    
    Cc: [email protected]
    Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
    Reported-by: Linus Lüssing <[email protected]>
    Signed-off-by: Sven Eckelmann <[email protected]>
    Signed-off-by: Simon Wunderlich <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl [+ + +]
Author: Uri Arev <[email protected]>
Date:   Sat Apr 6 00:42:24 2024 +0300

    Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl
    
    [ Upstream commit 68aa21054ec3a1a313af90a5f95ade16c3326d20 ]
    
    This fixes some CHECKs reported by the checkpatch script.
    
    Issues reported in ath3k.c:
    -------
    ath3k.c
    -------
    CHECK: Please don't use multiple blank lines
    +
    +
    
    CHECK: Blank lines aren't necessary after an open brace '{'
    +static const struct usb_device_id ath3k_blist_tbl[] = {
    +
    
    CHECK: Alignment should match open parenthesis
    +static int ath3k_load_firmware(struct usb_device *udev,
    +                               const struct firmware *firmware)
    
    CHECK: Alignment should match open parenthesis
    +               err = usb_bulk_msg(udev, pipe, send_buf, size,
    +                                       &len, 3000);
    
    CHECK: Unnecessary parentheses around 'len != size'
    +               if (err || (len != size)) {
    
    CHECK: Alignment should match open parenthesis
    +static int ath3k_get_version(struct usb_device *udev,
    +                       struct ath3k_version *version)
    
    CHECK: Alignment should match open parenthesis
    +static int ath3k_load_fwfile(struct usb_device *udev,
    +               const struct firmware *firmware)
    
    CHECK: Alignment should match open parenthesis
    +               err = usb_bulk_msg(udev, pipe, send_buf, size,
    +                                       &len, 3000);
    
    CHECK: Unnecessary parentheses around 'len != size'
    +               if (err || (len != size)) {
    
    CHECK: Blank lines aren't necessary after an open brace '{'
    +       switch (fw_version.ref_clock) {
    +
    
    CHECK: Alignment should match open parenthesis
    +       snprintf(filename, ATH3K_NAME_LEN, "ar3k/ramps_0x%08x_%d%s",
    +               le32_to_cpu(fw_version.rom_version), clk_value, ".dfu");
    
    CHECK: Alignment should match open parenthesis
    +static int ath3k_probe(struct usb_interface *intf,
    +                       const struct usb_device_id *id)
    
    CHECK: Alignment should match open parenthesis
    +                       BT_ERR("Firmware file \"%s\" not found",
    +                                                       ATH3K_FIRMWARE);
    
    CHECK: Alignment should match open parenthesis
    +               BT_ERR("Firmware file \"%s\" request failed (err=%d)",
    +                                               ATH3K_FIRMWARE, ret);
    
    total: 0 errors, 0 warnings, 14 checks, 540 lines checked
    
    Signed-off-by: Uri Arev <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ [+ + +]
Author: Luiz Augusto von Dentz <[email protected]>
Date:   Mon May 20 16:03:07 2024 -0400

    Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
    
    [ Upstream commit 806a5198c05987b748b50f3d0c0cfb3d417381a4 ]
    
    This removes the bogus check for max > hcon->le_conn_max_interval since
    the later is just the initial maximum conn interval not the maximum the
    stack could support which is really 3200=4000ms.
    
    In order to pass GAP/CONN/CPUP/BV-05-C one shall probably enter values
    of the following fields in IXIT that would cause hci_check_conn_params
    to fail:
    
    TSPX_conn_update_int_min
    TSPX_conn_update_int_max
    TSPX_conn_update_peripheral_latency
    TSPX_conn_update_supervision_timeout
    
    Link: https://github.com/bluez/bluez/issues/847
    Fixes: e4b019515f95 ("Bluetooth: Enforce validation on max value of connection interval")
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
cipso: fix total option length computation [+ + +]
Author: Ondrej Mosnacek <[email protected]>
Date:   Fri Jun 7 18:07:52 2024 +0200

    cipso: fix total option length computation
    
    [ Upstream commit 9f36169912331fa035d7b73a91252d7c2512eb1a ]
    
    As evident from the definition of ip_options_get(), the IP option
    IPOPT_END is used to pad the IP option data array, not IPOPT_NOP. Yet
    the loop that walks the IP options to determine the total IP options
    length in cipso_v4_delopt() doesn't take IPOPT_END into account.
    
    Fix it by recognizing the IPOPT_END value as the end of actual options.
    
    Fixes: 014ab19a69c3 ("selinux: Set socket NetLabel based on connection endpoint")
    Signed-off-by: Ondrej Mosnacek <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
csky, hexagon: fix broken sys_sync_file_range [+ + +]
Author: Arnd Bergmann <[email protected]>
Date:   Fri Jun 14 09:54:20 2024 +0200

    csky, hexagon: fix broken sys_sync_file_range
    
    commit 3339b99ef6fe38dac43b534cba3a8a0e29fb2eff upstream.
    
    Both of these architectures require u64 function arguments to be
    passed in even/odd pairs of registers or stack slots, which in case of
    sync_file_range would result in a seven-argument system call that is
    not currently possible. The system call is therefore incompatible with
    all existing binaries.
    
    While it would be possible to implement support for seven arguments
    like on mips, it seems better to use a six-argument version, either
    with the normal argument order but misaligned as on most architectures
    or with the reordered sync_file_range2() calling conventions as on
    arm and powerpc.
    
    Cc: [email protected]
    Acked-by: Guo Ren <[email protected]>
    Signed-off-by: Arnd Bergmann <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
dmaengine: axi-dmac: fix possible race in remove() [+ + +]
Author: Nuno Sa <[email protected]>
Date:   Thu Mar 28 14:58:50 2024 +0100

    dmaengine: axi-dmac: fix possible race in remove()
    
    commit 1bc31444209c8efae98cb78818131950d9a6f4d6 upstream.
    
    We need to first free the IRQ before calling of_dma_controller_free().
    Otherwise we could get an interrupt and schedule a tasklet while
    removing the DMA controller.
    
    Fixes: 0e3b67b348b8 ("dmaengine: Add support for the Analog Devices AXI-DMAC DMA controller")
    Cc: [email protected]
    Signed-off-by: Nuno Sa <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vinod Koul <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

dmaengine: ioatdma: Fix missing kmem_cache_destroy() [+ + +]
Author: Nikita Shubin <[email protected]>
Date:   Tue May 14 13:52:31 2024 +0300

    dmaengine: ioatdma: Fix missing kmem_cache_destroy()
    
    [ Upstream commit 5422145d0b749ad554ada772133b9b20f9fb0ec8 ]
    
    Fix missing kmem_cache_destroy() for ioat_sed_cache in
    ioat_exit_module().
    
    Noticed via:
    
    ```
    modprobe ioatdma
    rmmod ioatdma
    modprobe ioatdma
    debugfs: Directory 'ioat_sed_ent' with parent 'slab' already present!
    ```
    
    Fixes: c0f28ce66ecf ("dmaengine: ioatdma: move all the init routines")
    Signed-off-by: Nikita Shubin <[email protected]>
    Acked-by: Dave Jiang <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vinod Koul <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
drivers: core: synchronize really_probe() and dev_uevent() [+ + +]
Author: Dirk Behme <[email protected]>
Date:   Mon May 13 07:06:34 2024 +0200

    drivers: core: synchronize really_probe() and dev_uevent()
    
    commit c0a40097f0bc81deafc15f9195d1fb54595cd6d0 upstream.
    
    Synchronize the dev->driver usage in really_probe() and dev_uevent().
    These can run in different threads, what can result in the following
    race condition for dev->driver uninitialization:
    
    Thread #1:
    ==========
    
    really_probe() {
    ...
    probe_failed:
    ...
    device_unbind_cleanup(dev) {
        ...
        dev->driver = NULL;   // <= Failed probe sets dev->driver to NULL
        ...
        }
    ...
    }
    
    Thread #2:
    ==========
    
    dev_uevent() {
    ...
    if (dev->driver)
          // If dev->driver is NULLed from really_probe() from here on,
          // after above check, the system crashes
          add_uevent_var(env, "DRIVER=%s", dev->driver->name);
    ...
    }
    
    really_probe() holds the lock, already. So nothing needs to be done
    there. dev_uevent() is called with lock held, often, too. But not
    always. What implies that we can't add any locking in dev_uevent()
    itself. So fix this race by adding the lock to the non-protected
    path. This is the path where above race is observed:
    
     dev_uevent+0x235/0x380
     uevent_show+0x10c/0x1f0  <= Add lock here
     dev_attr_show+0x3a/0xa0
     sysfs_kf_seq_show+0x17c/0x250
     kernfs_seq_show+0x7c/0x90
     seq_read_iter+0x2d7/0x940
     kernfs_fop_read_iter+0xc6/0x310
     vfs_read+0x5bc/0x6b0
     ksys_read+0xeb/0x1b0
     __x64_sys_read+0x42/0x50
     x64_sys_call+0x27ad/0x2d30
     do_syscall_64+0xcd/0x1d0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Similar cases are reported by syzkaller in
    
    https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a
    
    But these are regarding the *initialization* of dev->driver
    
    dev->driver = drv;
    
    As this switches dev->driver to non-NULL these reports can be considered
    to be false-positives (which should be "fixed" by this commit, as well,
    though).
    
    The same issue was reported and tried to be fixed back in 2015 in
    
    https://lore.kernel.org/lkml/[email protected]/
    
    already.
    
    Fixes: 239378f16aa1 ("Driver core: add uevent vars for devices of a class")
    Cc: stable <[email protected]>
    Cc: [email protected]
    Cc: Ashish Sangwan <[email protected]>
    Cc: Namjae Jeon <[email protected]>
    Signed-off-by: Dirk Behme <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/amd/display: Handle Y carry-over in VCP X.Y calculation [+ + +]
Author: George Shen <[email protected]>
Date:   Thu Sep 16 19:55:39 2021 -0400

    drm/amd/display: Handle Y carry-over in VCP X.Y calculation
    
    [ Upstream commit 3626a6aebe62ce7067cdc460c0c644e9445386bb ]
    
    [Why/How]
    Theoretically rare corner case where ceil(Y) results in rounding
    up to an integer. If this happens, the 1 should be carried over to
    the X value.
    
    Reviewed-by: Wenjing Liu <[email protected]>
    Acked-by: Anson Jacob <[email protected]>
    Signed-off-by: George Shen <[email protected]>
    Tested-by: Daniel Wheeler <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/amdgpu: fix UBSAN warning in kv_dpm.c [+ + +]
Author: Alex Deucher <[email protected]>
Date:   Mon May 20 09:05:21 2024 -0400

    drm/amdgpu: fix UBSAN warning in kv_dpm.c
    
    [ Upstream commit f0d576f840153392d04b2d52cf3adab8f62e8cb6 ]
    
    Adds bounds check for sumo_vid_mapping_entry.
    
    Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3392
    Reviewed-by: Mario Limonciello <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/bridge/panel: Fix runtime warning on panel bridge release [+ + +]
Author: Adam Miotk <[email protected]>
Date:   Mon Jun 10 11:27:39 2024 +0100

    drm/bridge/panel: Fix runtime warning on panel bridge release
    
    [ Upstream commit ce62600c4dbee8d43b02277669dd91785a9b81d9 ]
    
    Device managed panel bridge wrappers are created by calling to
    drm_panel_bridge_add_typed() and registering a release handler for
    clean-up when the device gets unbound.
    
    Since the memory for this bridge is also managed and linked to the panel
    device, the release function should not try to free that memory.
    Moreover, the call to devm_kfree() inside drm_panel_bridge_remove() will
    fail in this case and emit a warning because the panel bridge resource
    is no longer on the device resources list (it has been removed from
    there before the call to release handlers).
    
    Fixes: 67022227ffb1 ("drm/bridge: Add a devm_ allocator for panel bridge.")
    Signed-off-by: Adam Miotk <[email protected]>
    Signed-off-by: Maxime Ripard <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/exynos/vidi: fix memory leak in .get_modes() [+ + +]
Author: Jani Nikula <[email protected]>
Date:   Thu May 30 13:01:51 2024 +0300

    drm/exynos/vidi: fix memory leak in .get_modes()
    
    commit 38e3825631b1f314b21e3ade00b5a4d737eb054e upstream.
    
    The duplicated EDID is never freed. Fix it.
    
    Cc: [email protected]
    Signed-off-by: Jani Nikula <[email protected]>
    Signed-off-by: Inki Dae <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found [+ + +]
Author: Marek Szyprowski <[email protected]>
Date:   Thu Apr 25 11:48:51 2024 +0200

    drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found
    
    commit 799d4b392417ed6889030a5b2335ccb6dcf030ab upstream.
    
    When reading EDID fails and driver reports no modes available, the DRM
    core adds an artificial 1024x786 mode to the connector. Unfortunately
    some variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not
    able to drive such mode, so report a safe 640x480 mode instead of nothing
    in case of the EDID reading failure.
    
    This fixes the following issue observed on Trats2 board since commit
    13d5b040363c ("drm/exynos: do not return negative values from .get_modes()"):
    
    [drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations
    exynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops)
    exynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops)
    exynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b)
    exynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops)
    exynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops)
    [drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1
    exynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state
    panel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c
    exynos-mixer 12c10000.mixer: timeout waiting for VSYNC
    ------------[ cut here ]------------
    WARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8
    [CRTC:70:crtc-1] vblank wait timed out
    Modules linked in:
    CPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913
    Hardware name: Samsung Exynos (Flattened Device Tree)
    Workqueue: events_unbound deferred_probe_work_func
    Call trace:
     unwind_backtrace from show_stack+0x10/0x14
     show_stack from dump_stack_lvl+0x68/0x88
     dump_stack_lvl from __warn+0x7c/0x1c4
     __warn from warn_slowpath_fmt+0x11c/0x1a8
     warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8
     drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c
     drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184
     commit_tail from drm_atomic_helper_commit+0x168/0x190
     drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0
     drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c
     drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc
     drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40
     drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4
     __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c
     drm_fb_helper_set_par from fbcon_init+0x3d8/0x550
     fbcon_init from visual_init+0xc0/0x108
     visual_init from do_bind_con_driver+0x1b8/0x3a4
     do_bind_con_driver from do_take_over_console+0x140/0x1ec
     do_take_over_console from do_fbcon_takeover+0x70/0xd0
     do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac
     fbcon_fb_registered from register_framebuffer+0x190/0x21c
     register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574
     __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0
     exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94
     drm_client_register from exynos_drm_bind+0x160/0x190
     exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8
     try_to_bring_up_aggregate_device from __component_add+0xb0/0x170
     __component_add from mixer_probe+0x74/0xcc
     mixer_probe from platform_probe+0x5c/0xb8
     platform_probe from really_probe+0xe0/0x3d8
     really_probe from __driver_probe_device+0x9c/0x1e4
     __driver_probe_device from driver_probe_device+0x30/0xc0
     driver_probe_device from __device_attach_driver+0xa8/0x120
     __device_attach_driver from bus_for_each_drv+0x80/0xcc
     bus_for_each_drv from __device_attach+0xac/0x1fc
     __device_attach from bus_probe_device+0x8c/0x90
     bus_probe_device from deferred_probe_work_func+0x98/0xe0
     deferred_probe_work_func from process_one_work+0x240/0x6d0
     process_one_work from worker_thread+0x1a0/0x3f4
     worker_thread from kthread+0x104/0x138
     kthread from ret_from_fork+0x14/0x28
    Exception stack(0xf0895fb0 to 0xf0895ff8)
    ...
    irq event stamp: 82357
    hardirqs last  enabled at (82363): [<c01a96e8>] vprintk_emit+0x308/0x33c
    hardirqs last disabled at (82368): [<c01a969c>] vprintk_emit+0x2bc/0x33c
    softirqs last  enabled at (81614): [<c0101644>] __do_softirq+0x320/0x500
    softirqs last disabled at (81609): [<c012dfe0>] __irq_exit_rcu+0x130/0x184
    ---[ end trace 0000000000000000 ]---
    exynos-drm exynos-drm: [drm] *ERROR* flip_done timed out
    exynos-drm exynos-drm: [drm] *ERROR* [CRTC:70:crtc-1] commit wait timed out
    exynos-drm exynos-drm: [drm] *ERROR* flip_done timed out
    exynos-drm exynos-drm: [drm] *ERROR* [CONNECTOR:74:HDMI-A-1] commit wait timed out
    exynos-drm exynos-drm: [drm] *ERROR* flip_done timed out
    exynos-drm exynos-drm: [drm] *ERROR* [PLANE:56:plane-5] commit wait timed out
    exynos-mixer 12c10000.mixer: timeout waiting for VSYNC
    
    Cc: [email protected]
    Fixes: 13d5b040363c ("drm/exynos: do not return negative values from .get_modes()")
    Signed-off-by: Marek Szyprowski <[email protected]>
    Signed-off-by: Inki Dae <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/komeda: check for error-valued pointer [+ + +]
Author: Amjad Ouled-Ameur <[email protected]>
Date:   Mon Jun 10 11:20:56 2024 +0100

    drm/komeda: check for error-valued pointer
    
    [ Upstream commit b880018edd3a577e50366338194dee9b899947e0 ]
    
    komeda_pipeline_get_state() may return an error-valued pointer, thus
    check the pointer for negative or null value before dereferencing.
    
    Fixes: 502932a03fce ("drm/komeda: Add the initial scaler support for CORE")
    Signed-off-by: Amjad Ouled-Ameur <[email protected]>
    Signed-off-by: Maxime Ripard <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes [+ + +]
Author: Ma Ke <[email protected]>
Date:   Tue Jun 25 16:10:29 2024 +0800

    drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
    
    commit 6d411c8ccc0137a612e0044489030a194ff5c843 upstream.
    
    In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is
    assigned to mode, which will lead to a possible NULL pointer dereference
    on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().
    Add a check to avoid null pointer dereference.
    
    Cc: [email protected]
    Signed-off-by: Ma Ke <[email protected]>
    Signed-off-by: Lyude Paul <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes [+ + +]
Author: Ma Ke <[email protected]>
Date:   Tue Jun 25 16:18:28 2024 +0800

    drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes
    
    commit 66edf3fb331b6c55439b10f9862987b0916b3726 upstream.
    
    In nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is
    assigned to mode, which will lead to a possible NULL pointer dereference
    on failure of drm_mode_duplicate(). Add a check to avoid npd.
    
    Cc: [email protected]
    Signed-off-by: Ma Ke <[email protected]>
    Signed-off-by: Lyude Paul <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep [+ + +]
Author: Laurent Pinchart <[email protected]>
Date:   Sun Mar 17 17:48:39 2024 +0200

    drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep
    
    [ Upstream commit ee7860cd8b5763017f8dc785c2851fecb7a0c565 ]
    
    The ilitek-ili9881c controls the reset GPIO using the non-sleeping
    gpiod_set_value() function. This complains loudly when the GPIO
    controller needs to sleep. As the caller can sleep, use
    gpiod_set_value_cansleep() to fix the issue.
    
    Signed-off-by: Laurent Pinchart <[email protected]>
    Reviewed-by: Neil Armstrong <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Neil Armstrong <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/radeon: fix UBSAN warning in kv_dpm.c [+ + +]
Author: Alex Deucher <[email protected]>
Date:   Mon May 20 09:11:45 2024 -0400

    drm/radeon: fix UBSAN warning in kv_dpm.c
    
    commit a498df5421fd737d11bfd152428ba6b1c8538321 upstream.
    
    Adds bounds check for sumo_vid_mapping_entry.
    
    Reviewed-by: Mario Limonciello <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drop_monitor: replace spin_lock by raw_spin_lock [+ + +]
Author: Wander Lairson Costa <[email protected]>
Date:   Thu Apr 11 11:13:46 2024 -0300

    drop_monitor: replace spin_lock by raw_spin_lock
    
    [ Upstream commit f1e197a665c2148ebc25fe09c53689e60afea195 ]
    
    trace_drop_common() is called with preemption disabled, and it acquires
    a spin_lock. This is problematic for RT kernels because spin_locks are
    sleeping locks in this configuration, which causes the following splat:
    
    BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
    in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47
    preempt_count: 1, expected: 0
    RCU nest depth: 2, expected: 2
    5 locks held by rcuc/47/449:
     #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210
     #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130
     #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210
     #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70
     #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290
    irq event stamp: 139909
    hardirqs last  enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80
    hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290
    softirqs last  enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170
    softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0
    Preemption disabled at:
    [<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0
    CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7
    Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022
    Call Trace:
     <TASK>
     dump_stack_lvl+0x8c/0xd0
     dump_stack+0x14/0x20
     __might_resched+0x21e/0x2f0
     rt_spin_lock+0x5e/0x130
     ? trace_drop_common.constprop.0+0xb5/0x290
     ? skb_queue_purge_reason.part.0+0x1bf/0x230
     trace_drop_common.constprop.0+0xb5/0x290
     ? preempt_count_sub+0x1c/0xd0
     ? _raw_spin_unlock_irqrestore+0x4a/0x80
     ? __pfx_trace_drop_common.constprop.0+0x10/0x10
     ? rt_mutex_slowunlock+0x26a/0x2e0
     ? skb_queue_purge_reason.part.0+0x1bf/0x230
     ? __pfx_rt_mutex_slowunlock+0x10/0x10
     ? skb_queue_purge_reason.part.0+0x1bf/0x230
     trace_kfree_skb_hit+0x15/0x20
     trace_kfree_skb+0xe9/0x150
     kfree_skb_reason+0x7b/0x110
     skb_queue_purge_reason.part.0+0x1bf/0x230
     ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10
     ? mark_lock.part.0+0x8a/0x520
    ...
    
    trace_drop_common() also disables interrupts, but this is a minor issue
    because we could easily replace it with a local_lock.
    
    Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic
    context.
    
    Signed-off-by: Wander Lairson Costa <[email protected]>
    Reported-by: Hu Chunyu <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
fs/proc: fix softlockup in __read_vmcore [+ + +]
Author: Rik van Riel <[email protected]>
Date:   Tue May 7 09:18:58 2024 -0400

    fs/proc: fix softlockup in __read_vmcore
    
    commit 5cbcb62dddf5346077feb82b7b0c9254222d3445 upstream.
    
    While taking a kernel core dump with makedumpfile on a larger system,
    softlockup messages often appear.
    
    While softlockup warnings can be harmless, they can also interfere with
    things like RCU freeing memory, which can be problematic when the kdump
    kexec image is configured with as little memory as possible.
    
    Avoid the softlockup, and give things like work items and RCU a chance to
    do their thing during __read_vmcore by adding a cond_resched.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Rik van Riel <[email protected]>
    Acked-by: Baoquan He <[email protected]>
    Cc: Dave Young <[email protected]>
    Cc: Vivek Goyal <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ftruncate: pass a signed offset [+ + +]
Author: Arnd Bergmann <[email protected]>
Date:   Wed Jun 19 11:34:09 2024 +0200

    ftruncate: pass a signed offset
    
    commit 4b8e88e563b5f666446d002ad0dc1e6e8e7102b0 upstream.
    
    The old ftruncate() syscall, using the 32-bit off_t misses a sign
    extension when called in compat mode on 64-bit architectures.  As a
    result, passing a negative length accidentally succeeds in truncating
    to file size between 2GiB and 4GiB.
    
    Changing the type of the compat syscall to the signed compat_off_t
    changes the behavior so it instead returns -EINVAL.
    
    The native entry point, the truncate() syscall and the corresponding
    loff_t based variants are all correct already and do not suffer
    from this mistake.
    
    Fixes: 3f6d078d4acc ("fix compat truncate/ftruncate")
    Reviewed-by: Christian Brauner <[email protected]>
    Cc: [email protected]
    Signed-off-by: Arnd Bergmann <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
gcov: add support for GCC 14 [+ + +]
Author: Peter Oberparleiter <[email protected]>
Date:   Mon Jun 10 11:27:43 2024 +0200

    gcov: add support for GCC 14
    
    commit c1558bc57b8e5b4da5d821537cd30e2e660861d8 upstream.
    
    Using gcov on kernels compiled with GCC 14 results in truncated 16-byte
    long .gcda files with no usable data.  To fix this, update GCOV_COUNTERS
    to match the value defined by GCC 14.
    
    Tested with GCC versions 14.1.0 and 13.2.0.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Peter Oberparleiter <[email protected]>
    Reported-by: Allison Henderson <[email protected]>
    Reported-by: Chuck Lever III <[email protected]>
    Tested-by: Chuck Lever <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
gpio: davinci: Validate the obtained number of IRQs [+ + +]
Author: Aleksandr Mishin <[email protected]>
Date:   Tue Jun 18 17:43:44 2024 +0300

    gpio: davinci: Validate the obtained number of IRQs
    
    [ Upstream commit 7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164 ]
    
    Value of pdata->gpio_unbanked is taken from Device Tree. In case of broken
    DT due to any error this value can be any. Without this value validation
    there can be out of chips->irqs array boundaries access in
    davinci_gpio_probe().
    
    Validate the obtained nirq value so that it won't exceed the maximum
    number of IRQs per bank.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: eb3744a2dd01 ("gpio: davinci: Do not assume continuous IRQ numbering")
    Signed-off-by: Aleksandr Mishin <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

gpio: tqmx86: fix typo in Kconfig label [+ + +]
Author: Gregor Herburger <[email protected]>
Date:   Thu May 30 12:19:59 2024 +0200

    gpio: tqmx86: fix typo in Kconfig label
    
    [ Upstream commit 8c219e52ca4d9a67cd6a7074e91bf29b55edc075 ]
    
    Fix description for GPIO_TQMX86 from QTMX86 to TQMx86.
    
    Fixes: b868db94a6a7 ("gpio: tqmx86: Add GPIO from for this IO controller")
    Signed-off-by: Gregor Herburger <[email protected]>
    Signed-off-by: Matthias Schiffer <[email protected]>
    Reviewed-by: Andrew Lunn <[email protected]>
    Link: https://lore.kernel.org/r/e0e38c9944ad6d281d9a662a45d289b88edc808e.1717063994.git.matthias.schiffer@ew.tq-group.com
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
greybus: Fix use-after-free bug in gb_interface_release due to race condition. [+ + +]
Author: Sicong Huang <[email protected]>
Date:   Tue Apr 16 16:03:13 2024 +0800

    greybus: Fix use-after-free bug in gb_interface_release due to race condition.
    
    commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce upstream.
    
    In gb_interface_create, &intf->mode_switch_completion is bound with
    gb_interface_mode_switch_work. Then it will be started by
    gb_interface_request_mode_switch. Here is the relevant code.
    if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
            ...
    }
    
    If we call gb_interface_release to make cleanup, there may be an
    unfinished work. This function will call kfree to free the object
    "intf". However, if gb_interface_mode_switch_work is scheduled to
    run after kfree, it may cause use-after-free error as
    gb_interface_mode_switch_work will use the object "intf".
    The possible execution flow that may lead to the issue is as follows:
    
    CPU0                            CPU1
    
                                |   gb_interface_create
                                |   gb_interface_request_mode_switch
    gb_interface_release        |
    kfree(intf) (free)          |
                                |   gb_interface_mode_switch_work
                                |   mutex_lock(&intf->mutex) (use)
    
    Fix it by canceling the work before kfree.
    
    Signed-off-by: Sicong Huang <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: Ronnie Sahlberg <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
hexagon: fix fadvise64_64 calling conventions [+ + +]
Author: Arnd Bergmann <[email protected]>
Date:   Thu Jun 20 15:24:11 2024 +0200

    hexagon: fix fadvise64_64 calling conventions
    
    commit 896842284c6ccba25ec9d78b7b6e62cdd507c083 upstream.
    
    fadvise64_64() has two 64-bit arguments at the wrong alignment
    for hexagon, which turns them into a 7-argument syscall that is
    not supported by Linux.
    
    The downstream musl port for hexagon actually asks for a 6-argument
    version the same way we do it on arm, csky, powerpc, so make the
    kernel do it the same way to avoid having to change both.
    
    Link: https://github.com/quic/musl/blob/hexagon/arch/hexagon/syscall_arch.h#L78
    Cc: [email protected]
    Signed-off-by: Arnd Bergmann <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
HID: core: remove unnecessary WARN_ON() in implement() [+ + +]
Author: Nikita Zhandarovich <[email protected]>
Date:   Fri May 17 07:19:14 2024 -0700

    HID: core: remove unnecessary WARN_ON() in implement()
    
    [ Upstream commit 4aa2dcfbad538adf7becd0034a3754e1bd01b2b5 ]
    
    Syzkaller hit a warning [1] in a call to implement() when trying
    to write a value into a field of smaller size in an output report.
    
    Since implement() already has a warn message printed out with the
    help of hid_warn() and value in question gets trimmed with:
            ...
            value &= m;
            ...
    WARN_ON may be considered superfluous. Remove it to suppress future
    syzkaller triggers.
    
    [1]
    WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]
    WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863
    Modules linked in:
    CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
    RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]
    RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863
    ...
    Call Trace:
     <TASK>
     __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]
     usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636
     hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726
     vfs_ioctl fs/ioctl.c:51 [inline]
     __do_sys_ioctl fs/ioctl.c:904 [inline]
     __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    ...
    
    Fixes: 95d1c8951e5b ("HID: simplify implement() a bit")
    Reported-by: <[email protected]>
    Suggested-by: Alan Stern <[email protected]>
    Signed-off-by: Nikita Zhandarovich <[email protected]>
    Signed-off-by: Jiri Kosina <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() [+ + +]
Author: José Expósito <[email protected]>
Date:   Fri May 24 15:05:39 2024 +0200

    HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()
    
    [ Upstream commit ce3af2ee95170b7d9e15fff6e500d67deab1e7b3 ]
    
    Fix a memory leak on logi_dj_recv_send_report() error path.
    
    Fixes: 6f20d3261265 ("HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode()")
    Signed-off-by: José Expósito <[email protected]>
    Signed-off-by: Jiri Kosina <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
hugetlb_encode.h: fix undefined behaviour (34 << 26) [+ + +]
Author: Matthias Goergens <[email protected]>
Date:   Mon Sep 5 11:19:04 2022 +0800

    hugetlb_encode.h: fix undefined behaviour (34 << 26)
    
    commit 710bb68c2e3a24512e2d2bae470960d7488e97b1 upstream.
    
    Left-shifting past the size of your datatype is undefined behaviour in C.
    The literal 34 gets the type `int`, and that one is not big enough to be
    left shifted by 26 bits.
    
    An `unsigned` is long enough (on any machine that has at least 32 bits for
    their ints.)
    
    For uniformity, we mark all the literals as unsigned.  But it's only
    really needed for HUGETLB_FLAG_ENCODE_16GB.
    
    Thanks to Randy Dunlap for an initial review and suggestion.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Matthias Goergens <[email protected]>
    Acked-by: Randy Dunlap <[email protected]>
    Cc: Mike Kravetz <[email protected]>
    Cc: Muchun Song <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    [cmllamas: fix trivial conflict due to missing page encondigs]
    Signed-off-by: Carlos Llamas <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
hv_utils: drain the timesync packets on onchannelcallback [+ + +]
Author: Vineeth Pillai <[email protected]>
Date:   Fri Aug 21 15:28:49 2020 +0000

    hv_utils: drain the timesync packets on onchannelcallback
    
    commit b46b4a8a57c377b72a98c7930a9f6969d2d4784e upstream.
    
    There could be instances where a system stall prevents the timesync
    packets to be consumed. And this might lead to more than one packet
    pending in the ring buffer. Current code empties one packet per callback
    and it might be a stale one. So drain all the packets from ring buffer
    on each callback.
    
    Signed-off-by: Vineeth Pillai <[email protected]>
    Reviewed-by: Michael Kelley <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Wei Liu <[email protected]>
    [ The old code in the upstream commit uses HV_HYP_PAGE_SIZE, but
      the old code in 5.4.y sitll uses PAGE_SIZE. Fixed this manually for 5.4.y.
      Note: 5.4.y already has the define HV_HYP_PAGE_SIZE, so the new code in
      in the upstream commit works for 5.4.y.
      If there are multiple messages in the host-to-guest ringbuffer of the TimeSync
      device, 5.4.y only handles 1 message, and later the host puts new messages
      into the ringbuffer without signaling the guest because the ringbuffer is not
      empty, causing a "hung" ringbuffer. Backported the mainline fix for this issue.]
    Signed-off-by: Dexuan Cui <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
i2c: at91: Fix the functionality flags of the slave-only interface [+ + +]
Author: Jean Delvare <[email protected]>
Date:   Fri May 31 11:19:14 2024 +0200

    i2c: at91: Fix the functionality flags of the slave-only interface
    
    [ Upstream commit d6d5645e5fc1233a7ba950de4a72981c394a2557 ]
    
    When an I2C adapter acts only as a slave, it should not claim to
    support I2C master capabilities.
    
    Fixes: 9d3ca54b550c ("i2c: at91: added slave mode support")
    Signed-off-by: Jean Delvare <[email protected]>
    Cc: Juergen Fitschen <[email protected]>
    Cc: Ludovic Desroches <[email protected]>
    Cc: Codrin Ciubotariu <[email protected]>
    Cc: Andi Shyti <[email protected]>
    Cc: Nicolas Ferre <[email protected]>
    Cc: Alexandre Belloni <[email protected]>
    Cc: Claudiu Beznea <[email protected]>
    Signed-off-by: Andi Shyti <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

i2c: ocores: set IACK bit after core is enabled [+ + +]
Author: Grygorii Tertychnyi <[email protected]>
Date:   Mon May 20 17:39:32 2024 +0200

    i2c: ocores: set IACK bit after core is enabled
    
    commit 5a72477273066b5b357801ab2d315ef14949d402 upstream.
    
    Setting IACK bit when core is disabled does not clear the "Interrupt Flag"
    bit in the status register, and the interrupt remains pending.
    
    Sometimes it causes failure for the very first message transfer, that is
    usually a device probe.
    
    Hence, set IACK bit after core is enabled to clear pending interrupt.
    
    Fixes: 18f98b1e3147 ("[PATCH] i2c: New bus driver for the OpenCores I2C controller")
    Signed-off-by: Grygorii Tertychnyi <[email protected]>
    Acked-by: Peter Korsgaard <[email protected]>
    Cc: [email protected]
    Signed-off-by: Andi Shyti <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
iio: adc: ad7266: Fix variable checking bug [+ + +]
Author: Fernando Yang <[email protected]>
Date:   Mon Jun 3 15:07:54 2024 -0300

    iio: adc: ad7266: Fix variable checking bug
    
    commit a2b86132955268b2a1703082fbc2d4832fc001b8 upstream.
    
    The ret variable was not checked after iio_device_release_direct_mode(),
    which could possibly cause errors
    
    Fixes: c70df20e3159 ("iio: adc: ad7266: claim direct mode during sensor read")
    Signed-off-by: Fernando Yang <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: chemical: bme680: Fix calibration data variable [+ + +]
Author: Vasileios Amoiridis <[email protected]>
Date:   Thu Jun 6 23:22:54 2024 +0200

    iio: chemical: bme680: Fix calibration data variable
    
    commit b47c0fee73a810c4503c4a94ea34858a1d865bba upstream.
    
    According to the BME68x Sensor API [1], the h6 calibration
    data variable should be an unsigned integer of size 8.
    
    [1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x_defs.h#L789
    
    Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
    Signed-off-by: Vasileios Amoiridis <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: chemical: bme680: Fix overflows in compensate() functions [+ + +]
Author: Vasileios Amoiridis <[email protected]>
Date:   Thu Jun 6 23:22:55 2024 +0200

    iio: chemical: bme680: Fix overflows in compensate() functions
    
    commit fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8 upstream.
    
    There are cases in the compensate functions of the driver that
    there could be overflows of variables due to bit shifting ops.
    These implications were initially discussed here [1] and they
    were mentioned in log message of Commit 1b3bd8592780 ("iio:
    chemical: Add support for Bosch BME680 sensor").
    
    [1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/
    
    Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
    Signed-off-by: Vasileios Amoiridis <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: chemical: bme680: Fix pressure value output [+ + +]
Author: Vasileios Amoiridis <[email protected]>
Date:   Thu Jun 6 23:22:53 2024 +0200

    iio: chemical: bme680: Fix pressure value output
    
    commit ae1f7b93b52095be6776d0f34957b4f35dda44d9 upstream.
    
    The IIO standard units are measured in kPa while the driver
    is using hPa.
    
    Apart from checking the userspace value itself, it is mentioned also
    in the Bosch API [1] that the pressure value is in Pascal.
    
    [1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x_defs.h#L742
    
    Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
    Signed-off-by: Vasileios Amoiridis <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: chemical: bme680: Fix sensor data read operation [+ + +]
Author: Vasileios Amoiridis <[email protected]>
Date:   Thu Jun 6 23:22:56 2024 +0200

    iio: chemical: bme680: Fix sensor data read operation
    
    commit 4241665e6ea063a9c1d734de790121a71db763fc upstream.
    
    A read operation is happening as follows:
    
    a) Set sensor to forced mode
    b) Sensor measures values and update data registers and sleeps again
    c) Read data registers
    
    In the current implementation the read operation happens immediately
    after the sensor is set to forced mode so the sensor does not have
    the time to update properly the registers. This leads to the following
    2 problems:
    
    1) The first ever value which is read by the register is always wrong
    2) Every read operation, puts the register into forced mode and reads
    the data that were calculated in the previous conversion.
    
    This behaviour was tested in 2 ways:
    
    1) The internal meas_status_0 register was read before and after every
    read operation in order to verify that the data were ready even before
    the register was set to forced mode and also to check that after the
    forced mode was set the new data were not yet ready.
    
    2) Physically changing the temperature and measuring the temperature
    
    This commit adds the waiting time in between the set of the forced mode
    and the read of the data. The function is taken from the Bosch BME68x
    Sensor API [1].
    
    [1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L490
    
    Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
    Signed-off-by: Vasileios Amoiridis <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock [+ + +]
Author: Sergiu Cuciurean <[email protected]>
Date:   Wed May 20 15:02:01 2020 +0300

    iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock
    
    [ Upstream commit 33c53cbf8f7bc8d62f6146a19da97c8594376ff0 ]
    
    As part of the general cleanup of indio_dev->mlock, this change replaces
    it with a local lock on the device's state structure.
    This also removes unused iio_dev pointers.
    
    Signed-off-by: Sergiu Cuciurean <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Stable-dep-of: 279428df8883 ("iio: dac: ad5592r: fix temperature channel scaling value")
    Signed-off-by: Sasha Levin <[email protected]>

iio: dac: ad5592r: fix temperature channel scaling value [+ + +]
Author: Marc Ferland <[email protected]>
Date:   Wed May 1 11:05:54 2024 -0400

    iio: dac: ad5592r: fix temperature channel scaling value
    
    [ Upstream commit 279428df888319bf68f2686934897301a250bb84 ]
    
    The scale value for the temperature channel is (assuming Vref=2.5 and
    the datasheet):
    
        376.7897513
    
    When calculating both val and val2 for the temperature scale we
    use (3767897513/25) and multiply it by Vref (here I assume 2500mV) to
    obtain:
    
      2500 * (3767897513/25) ==> 376789751300
    
    Finally we divide with remainder by 10^9 to get:
    
        val = 376
        val2 = 789751300
    
    However, we return IIO_VAL_INT_PLUS_MICRO (should have been NANO) as
    the scale type. So when converting the raw temperature value to the
    'processed' temperature value we will get (assuming raw=810,
    offset=-753):
    
        processed = (raw + offset) * scale_val
                  = (810 + -753) * 376
                  = 21432
    
        processed += div((raw + offset) * scale_val2, 10^6)
                  += div((810 + -753) * 789751300, 10^6)
                  += 45015
        ==> 66447
        ==> 66.4 Celcius
    
    instead of the expected 21.5 Celsius.
    
    Fix this issue by changing IIO_VAL_INT_PLUS_MICRO to
    IIO_VAL_INT_PLUS_NANO.
    
    Fixes: 56ca9db862bf ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs")
    Signed-off-by: Marc Ferland <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

iio: dac: ad5592r: un-indent code-block for scale read [+ + +]
Author: Alexandru Ardelean <[email protected]>
Date:   Mon Jul 6 14:02:58 2020 +0300

    iio: dac: ad5592r: un-indent code-block for scale read
    
    [ Upstream commit b004fe33034cc64f72c20923be71cf1e6c9a624c ]
    
    The next rework may require an unindentation of a code block in
    ad5592r_read_raw(), which would make review a bit more difficult.
    
    This change unindents the code block for reading the scale of the
    non-temperature channels.
    
    Signed-off-by: Alexandru Ardelean <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Stable-dep-of: 279428df8883 ("iio: dac: ad5592r: fix temperature channel scaling value")
    Signed-off-by: Sasha Levin <[email protected]>

 
Input: try trimming too long modalias strings [+ + +]
Author: Dmitry Torokhov <[email protected]>
Date:   Mon Apr 29 14:50:41 2024 -0700

    Input: try trimming too long modalias strings
    
    commit 0774d19038c496f0c3602fb505c43e1b2d8eed85 upstream.
    
    If an input device declares too many capability bits then modalias
    string for such device may become too long and not fit into uevent
    buffer, resulting in failure of sending said uevent. This, in turn,
    may prevent userspace from recognizing existence of such devices.
    
    This is typically not a concern for real hardware devices as they have
    limited number of keys, but happen with synthetic devices such as
    ones created by xen-kbdfront driver, which creates devices as being
    capable of delivering all possible keys, since it doesn't know what
    keys the backend may produce.
    
    To deal with such devices input core will attempt to trim key data,
    in the hope that the rest of modalias string will fit in the given
    buffer. When trimming key data it will indicate that it is not
    complete by placing "+," sign, resulting in conversions like this:
    
    old: k71,72,73,74,78,7A,7B,7C,7D,8E,9E,A4,AD,E0,E1,E4,F8,174,
    new: k71,72,73,74,78,7A,7B,7C,+,
    
    This should allow existing udev rules continue to work with existing
    devices, and will also allow writing more complex rules that would
    recognize trimmed modalias and check input device characteristics by
    other means (for example by parsing KEY= data in uevent or parsing
    input device sysfs attributes).
    
    Note that the driver core may try adding more uevent environment
    variables once input core is done adding its own, so when forming
    modalias we can not use the entire available buffer, so we reduce
    it by somewhat an arbitrary amount (96 bytes).
    
    Reported-by: Jason Andryuk <[email protected]>
    Reviewed-by: Peter Hutterer <[email protected]>
    Tested-by: Jason Andryuk <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: [email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Jason Andryuk <[email protected]>

 
intel_th: pci: Add Granite Rapids SOC support [+ + +]
Author: Alexander Shishkin <[email protected]>
Date:   Mon Apr 29 16:01:15 2024 +0300

    intel_th: pci: Add Granite Rapids SOC support
    
    commit 854afe461b009801a171b3a49c5f75ea43e4c04c upstream.
    
    Add support for the Trace Hub in Granite Rapids SOC.
    
    Signed-off-by: Alexander Shishkin <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

intel_th: pci: Add Granite Rapids support [+ + +]
Author: Alexander Shishkin <[email protected]>
Date:   Mon Apr 29 16:01:14 2024 +0300

    intel_th: pci: Add Granite Rapids support
    
    commit e44937889bdf4ecd1f0c25762b7226406b9b7a69 upstream.
    
    Add support for the Trace Hub in Granite Rapids.
    
    Signed-off-by: Alexander Shishkin <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

intel_th: pci: Add Lunar Lake support [+ + +]
Author: Alexander Shishkin <[email protected]>
Date:   Mon Apr 29 16:01:19 2024 +0300

    intel_th: pci: Add Lunar Lake support
    
    commit f866b65322bfbc8fcca13c25f49e1a5c5a93ae4d upstream.
    
    Add support for the Trace Hub in Lunar Lake.
    
    Signed-off-by: Alexander Shishkin <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

intel_th: pci: Add Meteor Lake-S support [+ + +]
Author: Alexander Shishkin <[email protected]>
Date:   Mon Apr 29 16:01:17 2024 +0300

    intel_th: pci: Add Meteor Lake-S support
    
    commit c4a30def564d75e84718b059d1a62cc79b137cf9 upstream.
    
    Add support for the Trace Hub in Meteor Lake-S.
    
    Signed-off-by: Alexander Shishkin <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

intel_th: pci: Add Sapphire Rapids SOC support [+ + +]
Author: Alexander Shishkin <[email protected]>
Date:   Mon Apr 29 16:01:16 2024 +0300

    intel_th: pci: Add Sapphire Rapids SOC support
    
    commit 2e1da7efabe05cb0cf0b358883b2bc89080ed0eb upstream.
    
    Add support for the Trace Hub in Sapphire Rapids SOC.
    
    Signed-off-by: Alexander Shishkin <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
iommu/amd: Fix sysfs leak in iommu init [+ + +]
Author: Kun(llfl) <[email protected]>
Date:   Thu May 9 08:42:20 2024 +0800

    iommu/amd: Fix sysfs leak in iommu init
    
    [ Upstream commit a295ec52c8624883885396fde7b4df1a179627c3 ]
    
    During the iommu initialization, iommu_init_pci() adds sysfs nodes.
    However, these nodes aren't remove in free_iommu_resources() subsequently.
    
    Fixes: 39ab9555c241 ("iommu: Add sysfs bindings for struct iommu_device")
    Signed-off-by: Kun(llfl) <[email protected]>
    Reviewed-by: Suravee Suthikulpanit <[email protected]>
    Link: https://lore.kernel.org/r/c8e0d11c6ab1ee48299c288009cf9c5dae07b42d.1715215003.git.llfl@linux.alibaba.com
    Signed-off-by: Joerg Roedel <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
iommu: Return right value in iommu_sva_bind_device() [+ + +]
Author: Lu Baolu <[email protected]>
Date:   Tue May 28 12:25:28 2024 +0800

    iommu: Return right value in iommu_sva_bind_device()
    
    [ Upstream commit 89e8a2366e3bce584b6c01549d5019c5cda1205e ]
    
    iommu_sva_bind_device() should return either a sva bond handle or an
    ERR_PTR value in error cases. Existing drivers (idxd and uacce) only
    check the return value with IS_ERR(). This could potentially lead to
    a kernel NULL pointer dereference issue if the function returns NULL
    instead of an error pointer.
    
    In reality, this doesn't cause any problems because iommu_sva_bind_device()
    only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.
    In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will
    return an error, and the device drivers won't call iommu_sva_bind_device()
    at all.
    
    Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
    Signed-off-by: Lu Baolu <[email protected]>
    Reviewed-by: Jean-Philippe Brucker <[email protected]>
    Reviewed-by: Kevin Tian <[email protected]>
    Reviewed-by: Vasant Hegde <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Joerg Roedel <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ionic: fix use after netif_napi_del() [+ + +]
Author: Taehee Yoo <[email protected]>
Date:   Wed Jun 12 06:04:46 2024 +0000

    ionic: fix use after netif_napi_del()
    
    [ Upstream commit 79f18a41dd056115d685f3b0a419c7cd40055e13 ]
    
    When queues are started, netif_napi_add() and napi_enable() are called.
    If there are 4 queues and only 3 queues are used for the current
    configuration, only 3 queues' napi should be registered and enabled.
    The ionic_qcq_enable() checks whether the .poll pointer is not NULL for
    enabling only the using queue' napi. Unused queues' napi will not be
    registered by netif_napi_add(), so the .poll pointer indicates NULL.
    But it couldn't distinguish whether the napi was unregistered or not
    because netif_napi_del() doesn't reset the .poll pointer to NULL.
    So, ionic_qcq_enable() calls napi_enable() for the queue, which was
    unregistered by netif_napi_del().
    
    Reproducer:
       ethtool -L <interface name> rx 1 tx 1 combined 0
       ethtool -L <interface name> rx 0 tx 0 combined 1
       ethtool -L <interface name> rx 0 tx 0 combined 4
    
    Splat looks like:
    kernel BUG at net/core/dev.c:6666!
    Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16
    Workqueue: events ionic_lif_deferred_work [ionic]
    RIP: 0010:napi_enable+0x3b/0x40
    Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f
    RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029
    RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28
    RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001
    R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
    R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20
    FS:  0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0
    PKRU: 55555554
    Call Trace:
     <TASK>
     ? die+0x33/0x90
     ? do_trap+0xd9/0x100
     ? napi_enable+0x3b/0x40
     ? do_error_trap+0x83/0xb0
     ? napi_enable+0x3b/0x40
     ? napi_enable+0x3b/0x40
     ? exc_invalid_op+0x4e/0x70
     ? napi_enable+0x3b/0x40
     ? asm_exc_invalid_op+0x16/0x20
     ? napi_enable+0x3b/0x40
     ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
     ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
     ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
     ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
     process_one_work+0x145/0x360
     worker_thread+0x2bb/0x3d0
     ? __pfx_worker_thread+0x10/0x10
     kthread+0xcc/0x100
     ? __pfx_kthread+0x10/0x10
     ret_from_fork+0x2d/0x50
     ? __pfx_kthread+0x10/0x10
     ret_from_fork_asm+0x1a/0x30
    
    Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling")
    Signed-off-by: Taehee Yoo <[email protected]>
    Reviewed-by: Brett Creeley <[email protected]>
    Reviewed-by: Shannon Nelson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ipv6: annotate some data-races around sk->sk_prot [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Mon Apr 17 16:54:04 2023 +0000

    ipv6: annotate some data-races around sk->sk_prot
    
    commit 086d49058cd8471046ae9927524708820f5fd1c7 upstream.
    
    IPv6 has this hack changing sk->sk_prot when an IPv6 socket
    is 'converted' to an IPv4 one with IPV6_ADDRFORM option.
    
    This operation is only performed for TCP and UDP, knowing
    their 'struct proto' for the two network families are populated
    in the same way, and can not disappear while a reader
    might use and dereference sk->sk_prot.
    
    If we think about it all reads of sk->sk_prot while
    either socket lock or RTNL is not acquired should be using READ_ONCE().
    
    Also note that other layers like MPTCP, XFRM, CHELSIO_TLS also
    write over sk->sk_prot.
    
    BUG: KCSAN: data-race in inet6_recvmsg / ipv6_setsockopt
    
    write to 0xffff8881386f7aa8 of 8 bytes by task 26932 on cpu 0:
     do_ipv6_setsockopt net/ipv6/ipv6_sockglue.c:492 [inline]
     ipv6_setsockopt+0x3758/0x3910 net/ipv6/ipv6_sockglue.c:1019
     udpv6_setsockopt+0x85/0x90 net/ipv6/udp.c:1649
     sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3489
     __sys_setsockopt+0x209/0x2a0 net/socket.c:2180
     __do_sys_setsockopt net/socket.c:2191 [inline]
     __se_sys_setsockopt net/socket.c:2188 [inline]
     __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    read to 0xffff8881386f7aa8 of 8 bytes by task 26911 on cpu 1:
     inet6_recvmsg+0x7a/0x210 net/ipv6/af_inet6.c:659
     ____sys_recvmsg+0x16c/0x320
     ___sys_recvmsg net/socket.c:2674 [inline]
     do_recvmmsg+0x3f5/0xae0 net/socket.c:2768
     __sys_recvmmsg net/socket.c:2847 [inline]
     __do_sys_recvmmsg net/socket.c:2870 [inline]
     __se_sys_recvmmsg net/socket.c:2863 [inline]
     __x64_sys_recvmmsg+0xde/0x160 net/socket.c:2863
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    value changed: 0xffffffff85e0e980 -> 0xffffffff85e01580
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 1 PID: 26911 Comm: syz-executor.3 Not tainted 5.17.0-rc2-syzkaller-00316-g0457e5153e0e-dirty #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    
    Reported-by: syzbot <[email protected]>
    Signed-off-by: Eric Dumazet <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Kazunori Kobayashi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ipv6: Fix data races around sk->sk_prot. [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Mon Apr 17 16:54:05 2023 +0000

    ipv6: Fix data races around sk->sk_prot.
    
    commit 364f997b5cfe1db0d63a390fe7c801fa2b3115f6 upstream.
    
    Commit 086d49058cd8 ("ipv6: annotate some data-races around sk->sk_prot")
    fixed some data-races around sk->sk_prot but it was not enough.
    
    Some functions in inet6_(stream|dgram)_ops still access sk->sk_prot
    without lock_sock() or rtnl_lock(), so they need READ_ONCE() to avoid
    load tearing.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Kazunori Kobayashi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ipv6: fix possible race in __fib6_drop_pcpu_from() [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Tue Jun 4 19:35:49 2024 +0000

    ipv6: fix possible race in __fib6_drop_pcpu_from()
    
    [ Upstream commit b01e1c030770ff3b4fe37fc7cc6bca03f594133f ]
    
    syzbot found a race in __fib6_drop_pcpu_from() [1]
    
    If compiler reads more than once (*ppcpu_rt),
    second read could read NULL, if another cpu clears
    the value in rt6_get_pcpu_route().
    
    Add a READ_ONCE() to prevent this race.
    
    Also add rcu_read_lock()/rcu_read_unlock() because
    we rely on RCU protection while dereferencing pcpu_rt.
    
    [1]
    
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
    CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
    Workqueue: netns cleanup_net
     RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984
    Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48
    RSP: 0018:ffffc900040df070 EFLAGS: 00010206
    RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16
    RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091
    RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007
    R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8
    R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001
    FS:  0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
      __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]
      fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]
      fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038
      fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]
      fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043
      fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205
      fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127
      fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175
      fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255
      __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271
      rt6_sync_down_dev net/ipv6/route.c:4906 [inline]
      rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911
      addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855
      addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778
      notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
      call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992
      call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
      call_netdevice_notifiers net/core/dev.c:2044 [inline]
      dev_close_many+0x333/0x6a0 net/core/dev.c:1585
      unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193
      unregister_netdevice_many net/core/dev.c:11276 [inline]
      default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759
      ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
      cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
      process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
      process_scheduled_works kernel/workqueue.c:3312 [inline]
      worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
      kthread+0x2c1/0x3a0 kernel/kthread.c:389
      ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
      ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
    
    Fixes: d52d3997f843 ("ipv6: Create percpu rt6_info")
    Signed-off-by: Eric Dumazet <[email protected]>
    Cc: Martin KaFai Lau <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ipv6: prevent possible NULL deref in fib6_nh_init() [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Fri Jun 14 08:20:02 2024 +0000

    ipv6: prevent possible NULL deref in fib6_nh_init()
    
    [ Upstream commit 2eab4543a2204092c3a7af81d7d6c506e59a03a6 ]
    
    syzbot reminds us that in6_dev_get() can return NULL.
    
    fib6_nh_init()
        ip6_validate_gw(  &idev  )
            ip6_route_check_nh(  idev  )
                *idev = in6_dev_get(dev); // can be NULL
    
    Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
    CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
     RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606
    Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b
    RSP: 0018:ffffc900032775a0 EFLAGS: 00010202
    RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000
    RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8
    RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000
    R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8
    R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000
    FS:  00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
      ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809
      ip6_route_add+0x28/0x160 net/ipv6/route.c:3853
      ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483
      inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579
      sock_do_ioctl+0x158/0x460 net/socket.c:1222
      sock_ioctl+0x629/0x8e0 net/socket.c:1341
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:907 [inline]
      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f940f07cea9
    
    Fixes: 428604fb118f ("ipv6: do not set routes if disable_ipv6 has been enabled")
    Reported-by: syzbot <[email protected]>
    Signed-off-by: Eric Dumazet <[email protected]>
    Acked-by: Lorenzo Bianconi <[email protected]>
    Reviewed-by: David Ahern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ipv6: prevent possible NULL dereference in rt6_probe() [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Sat Jun 15 15:14:54 2024 +0000

    ipv6: prevent possible NULL dereference in rt6_probe()
    
    [ Upstream commit b86762dbe19a62e785c189f313cda5b989931f37 ]
    
    syzbot caught a NULL dereference in rt6_probe() [1]
    
    Bail out if  __in6_dev_get() returns NULL.
    
    [1]
    Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
    CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
     RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
     RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
    Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19
    RSP: 0018:ffffc900034af070 EFLAGS: 00010203
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
    RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
    RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a
    R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000
    FS:  00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
      rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784
      nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496
      __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825
      find_rr_leaf net/ipv6/route.c:853 [inline]
      rt6_select net/ipv6/route.c:897 [inline]
      fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
      ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231
      pol_lookup_func include/net/ip6_fib.h:616 [inline]
      fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121
      ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]
      ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651
      ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147
      ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
      rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898
      inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg net/socket.c:745 [inline]
      sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
      new_sync_write fs/read_write.c:497 [inline]
      vfs_write+0x6b6/0x1140 fs/read_write.c:590
      ksys_write+0x1f8/0x260 fs/read_write.c:643
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Fixes: 52e1635631b3 ("[IPV6]: ROUTE: Add router_probe_interval sysctl.")
    Signed-off-by: Eric Dumazet <[email protected]>
    Reviewed-by: Jason Xing <[email protected]>
    Reviewed-by: David Ahern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ipv6: sr: block BH in seg6_output_core() and seg6_input_core() [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Fri May 31 13:26:34 2024 +0000

    ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
    
    [ Upstream commit c0b98ac1cc104f48763cdb27b1e9ac25fd81fc90 ]
    
    As explained in commit 1378817486d6 ("tipc: block BH
    before using dst_cache"), net/core/dst_cache.c
    helpers need to be called with BH disabled.
    
    Disabling preemption in seg6_output_core() is not good enough,
    because seg6_output_core() is called from process context,
    lwtunnel_output() only uses rcu_read_lock().
    
    We might be interrupted by a softirq, re-enter seg6_output_core()
    and corrupt dst_cache data structures.
    
    Fix the race by using local_bh_disable() instead of
    preempt_disable().
    
    Apply a similar change in seg6_input_core().
    
    Fixes: fa79581ea66c ("ipv6: sr: fix several BUGs when preemption is enabled")
    Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
    Signed-off-by: Eric Dumazet <[email protected]>
    Cc: David Lebrun <[email protected]>
    Acked-by: Paolo Abeni <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
jfs: xattr: fix buffer overflow for invalid xattr [+ + +]
Author: Greg Kroah-Hartman <[email protected]>
Date:   Tue May 14 12:06:34 2024 +0200

    jfs: xattr: fix buffer overflow for invalid xattr
    
    commit 7c55b78818cfb732680c4a72ab270cc2d2ee3d0f upstream.
    
    When an xattr size is not what is expected, it is printed out to the
    kernel log in hex format as a form of debugging.  But when that xattr
    size is bigger than the expected size, printing it out can cause an
    access off the end of the buffer.
    
    Fix this all up by properly restricting the size of the debug hex dump
    in the kernel log.
    
    Reported-by: [email protected]
    Cc: Dave Kleikamp <[email protected]>
    Link: https://lore.kernel.org/r/2024051433-slider-cloning-98f9@gregkh
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
kheaders: explicitly define file modes for archived headers [+ + +]
Author: Matthias Maennich <[email protected]>
Date:   Tue May 28 11:32:43 2024 +0000

    kheaders: explicitly define file modes for archived headers
    
    [ Upstream commit 3bd27a847a3a4827a948387cc8f0dbc9fa5931d5 ]
    
    Build environments might be running with different umask settings
    resulting in indeterministic file modes for the files contained in
    kheaders.tar.xz. The file itself is served with 444, i.e. world
    readable. Archive the files explicitly with 744,a+X to improve
    reproducibility across build environments.
    
    --mode=0444 is not suitable as directories need to be executable. Also,
    444 makes it hard to delete all the readonly files after extraction.
    
    Cc: [email protected]
    Signed-off-by: Matthias Maennich <[email protected]>
    Signed-off-by: Masahiro Yamada <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
Linux: Linux 5.4.279 [+ + +]
Author: Greg Kroah-Hartman <[email protected]>
Date:   Fri Jul 5 09:08:32 2024 +0200

    Linux 5.4.279
    
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Jon Hunter <[email protected]>
    Tested-by: Harshit Mogalapalli <[email protected]>
    Tested-by: Shuah Khan <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Florian Fainelli <[email protected]>
    Tested-by: Jon Hunter <[email protected]>
    Tested-by: Linux Kernel Functional Testing <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet [+ + +]
Author: Aleksandr Mishin <[email protected]>
Date:   Wed Jun 5 13:11:35 2024 +0300

    liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
    
    [ Upstream commit c44711b78608c98a3e6b49ce91678cd0917d5349 ]
    
    In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,
    but then it is unconditionally passed to skb_add_rx_frag() which looks
    strange and could lead to null pointer dereference.
    
    lio_vf_rep_copy_packet() call trace looks like:
            octeon_droq_process_packets
             octeon_droq_fast_process_packets
              octeon_droq_dispatch_pkt
               octeon_create_recv_info
                ...search in the dispatch_list...
                 ->disp_fn(rdisp->rinfo, ...)
                  lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)
    In this path there is no code which sets pg_info->page to NULL.
    So this check looks unneeded and doesn't solve potential problem.
    But I guess the author had reason to add a check and I have no such card
    and can't do real test.
    In addition, the code in the function liquidio_push_packet() in
    liquidio/lio_core.c does exactly the same.
    
    Based on this, I consider the most acceptable compromise solution to
    adjust this issue by moving skb_add_rx_frag() into conditional scope.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: 1f233f327913 ("liquidio: switchdev support for LiquidIO NIC")
    Signed-off-by: Aleksandr Mishin <[email protected]>
    Reviewed-by: Simon Horman <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
media: dvbdev: Initialize sbuf [+ + +]
Author: Ricardo Ribalda <[email protected]>
Date:   Mon Mar 25 14:50:25 2024 +0000

    media: dvbdev: Initialize sbuf
    
    [ Upstream commit 17d1316de0d7dc1bdc5d6e3ad4efd30a9bf1a381 ]
    
    Because the size passed to copy_from_user() cannot be known beforehand,
    it needs to be checked during runtime with check_object_size. That makes
    gcc believe that the content of sbuf can be used before init.
    
    Fix:
    ./include/linux/thread_info.h:215:17: warning: ‘sbuf’ may be used uninitialized [-Wmaybe-uninitialized]
    
    Signed-off-by: Ricardo Ribalda <[email protected]>
    Signed-off-by: Hans Verkuil <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
mei: me: release irq in mei_me_pci_resume error path [+ + +]
Author: Tomas Winkler <[email protected]>
Date:   Tue Jun 4 12:07:28 2024 +0300

    mei: me: release irq in mei_me_pci_resume error path
    
    commit 283cb234ef95d94c61f59e1cd070cd9499b51292 upstream.
    
    The mei_me_pci_resume doesn't release irq on the error path,
    in case mei_start() fails.
    
    Cc: <[email protected]>
    Fixes: 33ec08263147 ("mei: revamp mei reset state machine")
    Signed-off-by: Tomas Winkler <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mips: bmips: BCM6358: make sure CBR is correctly set [+ + +]
Author: Christian Marangi <[email protected]>
Date:   Tue Jun 11 13:35:33 2024 +0200

    mips: bmips: BCM6358: make sure CBR is correctly set
    
    [ Upstream commit ce5cdd3b05216b704a704f466fb4c2dff3778caf ]
    
    It was discovered that some device have CBR address set to 0 causing
    kernel panic when arch_sync_dma_for_cpu_all is called.
    
    This was notice in situation where the system is booted from TP1 and
    BMIPS_GET_CBR() returns 0 instead of a valid address and
    !!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.
    
    The current check whether RAC flush should be disabled or not are not
    enough hence lets check if CBR is a valid address or not.
    
    Fixes: ab327f8acdf8 ("mips: bmips: BCM6358: disable RAC flush for TP1")
    Signed-off-by: Christian Marangi <[email protected]>
    Acked-by: Florian Fainelli <[email protected]>
    Signed-off-by: Thomas Bogendoerfer <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
MIPS: Octeon: Add PCIe link status check [+ + +]
Author: Songyang Li <[email protected]>
Date:   Wed Mar 20 23:22:00 2024 +0800

    MIPS: Octeon: Add PCIe link status check
    
    [ Upstream commit 29b83a64df3b42c88c0338696feb6fdcd7f1f3b7 ]
    
    The standard PCIe configuration read-write interface is used to
    access the configuration space of the peripheral PCIe devices
    of the mips processor after the PCIe link surprise down, it can
    generate kernel panic caused by "Data bus error". So it is
    necessary to add PCIe link status check for system protection.
    When the PCIe link is down or in training, assigning a value
    of 0 to the configuration address can prevent read-write behavior
    to the configuration space of peripheral PCIe devices, thereby
    preventing kernel panic.
    
    Signed-off-by: Songyang Li <[email protected]>
    Signed-off-by: Thomas Bogendoerfer <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

MIPS: Routerboard 532: Fix vendor retry check code [+ + +]
Author: Ilpo Järvinen <[email protected]>
Date:   Wed May 8 15:07:00 2024 +0300

    MIPS: Routerboard 532: Fix vendor retry check code
    
    [ Upstream commit ae9daffd9028f2500c9ac1517e46d4f2b57efb80 ]
    
    read_config_dword() contains strange condition checking ret for a
    number of values. The ret variable, however, is always zero because
    config_access() never returns anything else. Thus, the retry is always
    taken until number of tries is exceeded.
    
    The code looks like it wants to check *val instead of ret to see if the
    read gave an error response.
    
    Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system")
    Signed-off-by: Ilpo Järvinen <[email protected]>
    Signed-off-by: Thomas Bogendoerfer <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos [+ + +]
Author: Ilpo Järvinen <[email protected]>
Date:   Mon May 27 16:24:41 2024 +0300

    mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos
    
    commit ebc4fc34eae8ddfbef49f2bdaced1bf4167ef80d upstream.
    
    jmicron_pmos() and sdhci_pci_probe() use pci_{read,write}_config_byte()
    that return PCIBIOS_* codes. The return code is then returned as is by
    jmicron_probe() and sdhci_pci_probe(). Similarly, the return code is
    also returned as is from jmicron_resume(). Both probe and resume
    functions should return normal errnos.
    
    Convert PCIBIOS_* returns code using pcibios_err_to_errno() into normal
    errno before returning them the fix these issues.
    
    Fixes: 7582041ff3d4 ("mmc: sdhci-pci: fix simple_return.cocci warnings")
    Fixes: 45211e215984 ("sdhci: toggle JMicron PMOS setting")
    Cc: [email protected]
    Signed-off-by: Ilpo Järvinen <[email protected]>
    Acked-by: Adrian Hunter <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

mmc: sdhci: Do not invert write-protect twice [+ + +]
Author: Adrian Hunter <[email protected]>
Date:   Fri Jun 14 11:00:49 2024 +0300

    mmc: sdhci: Do not invert write-protect twice
    
    commit fbd64f902b93fe9658b855b9892ae59ef6ea22b9 upstream.
    
    mmc_of_parse() reads device property "wp-inverted" and sets
    MMC_CAP2_RO_ACTIVE_HIGH if it is true. MMC_CAP2_RO_ACTIVE_HIGH is used
    to invert a write-protect (AKA read-only) GPIO value.
    
    sdhci_get_property() also reads "wp-inverted" and sets
    SDHCI_QUIRK_INVERTED_WRITE_PROTECT which is used to invert the
    write-protect value as well but also acts upon a value read out from the
    SDHCI_PRESENT_STATE register.
    
    Many drivers call both mmc_of_parse() and sdhci_get_property(),
    so that both MMC_CAP2_RO_ACTIVE_HIGH and
    SDHCI_QUIRK_INVERTED_WRITE_PROTECT will be set if the controller has
    device property "wp-inverted".
    
    Amend the logic in sdhci_check_ro() to allow for that possibility,
    so that the write-protect value is not inverted twice.
    
    Also do not invert the value if it is a negative error value. Note that
    callers treat an error the same as not-write-protected, so the result is
    functionally the same in that case.
    
    Also do not invert the value if sdhci host operation ->get_ro() is used.
    None of the users of that callback set SDHCI_QUIRK_INVERTED_WRITE_PROTECT
    directly or indirectly, but two do call mmc_gpio_get_ro(), so leave it to
    them to deal with that if they ever set SDHCI_QUIRK_INVERTED_WRITE_PROTECT
    in the future.
    
    Fixes: 6d5cd068ee59 ("mmc: sdhci: use WP GPIO in sdhci_check_ro()")
    Signed-off-by: Adrian Hunter <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() [+ + +]
Author: Adrian Hunter <[email protected]>
Date:   Fri Jun 14 11:00:50 2024 +0300

    mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()
    
    commit ab069ce125965a5e282f7b53b86aee76ab32975c upstream.
    
    sdhci_check_ro() can call mmc_gpio_get_ro() while holding the sdhci
    host->lock spinlock. That would be a problem if the GPIO access done by
    mmc_gpio_get_ro() needed to sleep.
    
    However, host->lock is not needed anyway. The mmc core ensures that host
    operations do not race with each other, and asynchronous callbacks like the
    interrupt handler, software timeouts, completion work etc, cannot affect
    sdhci_check_ro().
    
    So remove the locking.
    
    Fixes: 6d5cd068ee59 ("mmc: sdhci: use WP GPIO in sdhci_check_ro()")
    Signed-off-by: Adrian Hunter <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mtd: partitions: redboot: Added conversion of operands to a larger type [+ + +]
Author: Denis Arefev <[email protected]>
Date:   Fri Mar 15 12:37:58 2024 +0300

    mtd: partitions: redboot: Added conversion of operands to a larger type
    
    [ Upstream commit 1162bc2f8f5de7da23d18aa4b7fbd4e93c369c50 ]
    
    The value of an arithmetic expression directory * master->erasesize is
    subject to overflow due to a failure to cast operands to a larger data
    type before perfroming arithmetic
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Signed-off-by: Denis Arefev <[email protected]>
    Signed-off-by: Miquel Raynal <[email protected]>
    Link: https://lore.kernel.org/linux-mtd/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

mtd: spinand: macronix: Add support for serial NAND flash [+ + +]
Author: Jaime Liao <[email protected]>
Date:   Thu May 20 09:45:08 2021 +0800

    mtd: spinand: macronix: Add support for serial NAND flash
    
    commit c374839f9b4475173e536d1eaddff45cb481dbdf upstream.
    
    Macronix NAND Flash devices are available in different configurations
    and densities.
    
    MX"35" means SPI NAND
    MX35"LF"/"UF" , LF means 3V and UF meands 1.8V
    MX35LF"2G" , 2G means 2Gbits
    MX35LF2G"E4"/"24"/"14",
    E4 means internal ECC and Quad I/O(x4)
    24 means 8-bit ecc requirement and Quad I/O(x4)
    14 means 4-bit ecc requirement and Quad I/O(x4)
    
    MX35LF2G14AC is 3V 2Gbit serial NAND flash device
    (without on-die ECC)
    https://www.mxic.com.tw/Lists/Datasheet/Attachments/7926/MX35LF2G14AC,%203V,%202Gb,%20v1.1.pdf
    
    MX35UF4G24AD is 1.8V 4Gbit serial NAND flash device
    (without on-die ECC)
    https://www.mxic.com.tw/Lists/Datasheet/Attachments/7980/MX35UF4G24AD,%201.8V,%204Gb,%20v0.00.pdf
    
    MX35UF4GE4AD/MX35UF2GE4AD are 1.8V 4G/2Gbit serial
    NAND flash device with 8-bit on-die ECC
    https://www.mxic.com.tw/Lists/Datasheet/Attachments/7983/MX35UF4GE4AD,%201.8V,%204Gb,%20v0.00.pdf
    
    MX35UF2GE4AC/MX35UF1GE4AC are 1.8V 2G/1Gbit serial
    NAND flash device with 8-bit on-die ECC
    https://www.mxic.com.tw/Lists/Datasheet/Attachments/7974/MX35UF2GE4AC,%201.8V,%202Gb,%20v1.0.pdf
    
    MX35UF2G14AC/MX35UF1G14AC are 1.8V 2G/1Gbit serial
    NAND flash device (without on-die ECC)
    https://www.mxic.com.tw/Lists/Datasheet/Attachments/7931/MX35UF2G14AC,%201.8V,%202Gb,%20v1.1.pdf
    
    Validated via normal(default) and QUAD mode by read, erase, read back,
    on Xilinx Zynq PicoZed FPGA board which included Macronix
    SPI Host(drivers/spi/spi-mxic.c).
    
    Signed-off-by: Jaime Liao <[email protected]>
    Signed-off-by: Miquel Raynal <[email protected]>
    Link: https://lore.kernel.org/linux-mtd/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
net/dpaa2: Avoid explicit cpumask var allocation on stack [+ + +]
Author: Dawei Li <[email protected]>
Date:   Sun Mar 31 13:34:41 2024 +0800

    net/dpaa2: Avoid explicit cpumask var allocation on stack
    
    [ Upstream commit d33fe1714a44ff540629b149d8fab4ac6967585c ]
    
    For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask
    variable on stack is not recommended since it can cause potential stack
    overflow.
    
    Instead, kernel code should always use *cpumask_var API(s) to allocate
    cpumask var in config-neutral way, leaving allocation strategy to
    CONFIG_CPUMASK_OFFSTACK.
    
    Use *cpumask_var API(s) to address it.
    
    Signed-off-by: Dawei Li <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
net/ipv6: Fix the RT cache flush via sysctl using a previous delay [+ + +]
Author: Petr Pavlu <[email protected]>
Date:   Fri Jun 7 13:28:28 2024 +0200

    net/ipv6: Fix the RT cache flush via sysctl using a previous delay
    
    [ Upstream commit 14a20e5b4ad998793c5f43b0330d9e1388446cf3 ]
    
    The net.ipv6.route.flush system parameter takes a value which specifies
    a delay used during the flush operation for aging exception routes. The
    written value is however not used in the currently requested flush and
    instead utilized only in the next one.
    
    A problem is that ipv6_sysctl_rtcache_flush() first reads the old value
    of net->ipv6.sysctl.flush_delay into a local delay variable and then
    calls proc_dointvec() which actually updates the sysctl based on the
    provided input.
    
    Fix the problem by switching the order of the two operations.
    
    Fixes: 4990509f19e8 ("[NETNS][IPV6]: Make sysctls route per namespace.")
    Signed-off-by: Petr Pavlu <[email protected]>
    Reviewed-by: David Ahern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
net/iucv: Avoid explicit cpumask var allocation on stack [+ + +]
Author: Dawei Li <[email protected]>
Date:   Sun Mar 31 13:34:40 2024 +0800

    net/iucv: Avoid explicit cpumask var allocation on stack
    
    [ Upstream commit be4e1304419c99a164b4c0e101c7c2a756b635b9 ]
    
    For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask
    variable on stack is not recommended since it can cause potential stack
    overflow.
    
    Instead, kernel code should always use *cpumask_var API(s) to allocate
    cpumask var in config-neutral way, leaving allocation strategy to
    CONFIG_CPUMASK_OFFSTACK.
    
    Use *cpumask_var API(s) to address it.
    
    Signed-off-by: Dawei Li <[email protected]>
    Reviewed-by: Alexandra Winter <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
net/mlx5: Stop waiting for PCI if pci channel is offline [+ + +]
Author: Moshe Shemesh <[email protected]>
Date:   Tue Jun 4 00:04:42 2024 +0300

    net/mlx5: Stop waiting for PCI if pci channel is offline
    
    [ Upstream commit 33afbfcc105a572159750f2ebee834a8a70fdd96 ]
    
    In case pci channel becomes offline the driver should not wait for PCI
    reads during health dump and recovery flow. The driver has timeout for
    each of these loops trying to read PCI, so it would fail anyway.
    However, in case of recovery waiting till timeout may cause the pci
    error_detected() callback fail to meet pci_dpc_recovered() wait timeout.
    
    Fixes: b3bd076f7501 ("net/mlx5: Report devlink health on FW fatal issues")
    Signed-off-by: Moshe Shemesh <[email protected]>
    Reviewed-by: Shay Drori <[email protected]>
    Signed-off-by: Tariq Toukan <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets [+ + +]
Author: Gal Pressman <[email protected]>
Date:   Thu Jun 6 23:32:49 2024 +0300

    net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets
    
    [ Upstream commit 791b4089e326271424b78f2fae778b20e53d071b ]
    
    Move the vxlan_features_check() call to after we verified the packet is
    a tunneled VXLAN packet.
    
    Without this, tunneled UDP non-VXLAN packets (for ex. GENENVE) might
    wrongly not get offloaded.
    In some cases, it worked by chance as GENEVE header is the same size as
    VXLAN, but it is obviously incorrect.
    
    Fixes: e3cfc7e6b7bd ("net/mlx5e: TX, Add geneve tunnel stateless offload support")
    Signed-off-by: Gal Pressman <[email protected]>
    Reviewed-by: Dragos Tatulea <[email protected]>
    Signed-off-by: Tariq Toukan <[email protected]>
    Reviewed-by: Wojciech Drewek <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() [+ + +]
Author: David Ruth <[email protected]>
Date:   Fri Jun 14 19:03:26 2024 +0000

    net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()
    
    [ Upstream commit d864319871b05fadd153e0aede4811ca7008f5d6 ]
    
    syzbot found hanging tasks waiting on rtnl_lock [1]
    
    A reproducer is available in the syzbot bug.
    
    When a request to add multiple actions with the same index is sent, the
    second request will block forever on the first request. This holds
    rtnl_lock, and causes tasks to hang.
    
    Return -EAGAIN to prevent infinite looping, while keeping documented
    behavior.
    
    [1]
    
    INFO: task kworker/1:0:5088 blocked for more than 143 seconds.
    Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000
    Workqueue: events_power_efficient reg_check_chans_work
    Call Trace:
    <TASK>
    context_switch kernel/sched/core.c:5409 [inline]
    __schedule+0xf15/0x5d00 kernel/sched/core.c:6746
    __schedule_loop kernel/sched/core.c:6823 [inline]
    schedule+0xe7/0x350 kernel/sched/core.c:6838
    schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895
    __mutex_lock_common kernel/locking/mutex.c:684 [inline]
    __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
    wiphy_lock include/net/cfg80211.h:5953 [inline]
    reg_leave_invalid_chans net/wireless/reg.c:2466 [inline]
    reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481
    
    Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action")
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=b87c222546179f4513a7
    Signed-off-by: David Ruth <[email protected]>
    Reviewed-by: Jamal Hadi Salim <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net/sched: act_api: rely on rcu in tcf_idr_check_alloc [+ + +]
Author: Pedro Tammela <[email protected]>
Date:   Mon Dec 11 15:18:06 2023 -0300

    net/sched: act_api: rely on rcu in tcf_idr_check_alloc
    
    [ Upstream commit 4b55e86736d5b492cf689125da2600f59c7d2c39 ]
    
    Instead of relying only on the idrinfo->lock mutex for
    bind/alloc logic, rely on a combination of rcu + mutex + atomics
    to better scale the case where multiple rtnl-less filters are
    binding to the same action object.
    
    Action binding happens when an action index is specified explicitly and
    an action exists which such index exists. Example:
      tc actions add action drop index 1
      tc filter add ... matchall action drop index 1
      tc filter add ... matchall action drop index 1
      tc filter add ... matchall action drop index 1
      tc filter ls ...
         filter protocol all pref 49150 matchall chain 0 filter protocol all pref 49150 matchall chain 0 handle 0x1
         not_in_hw
               action order 1: gact action drop
                random type none pass val 0
                index 1 ref 4 bind 3
    
       filter protocol all pref 49151 matchall chain 0 filter protocol all pref 49151 matchall chain 0 handle 0x1
         not_in_hw
               action order 1: gact action drop
                random type none pass val 0
                index 1 ref 4 bind 3
    
       filter protocol all pref 49152 matchall chain 0 filter protocol all pref 49152 matchall chain 0 handle 0x1
         not_in_hw
               action order 1: gact action drop
                random type none pass val 0
                index 1 ref 4 bind 3
    
    When no index is specified, as before, grab the mutex and allocate
    in the idr the next available id. In this version, as opposed to before,
    it's simplified to store the -EBUSY pointer instead of the previous
    alloc + replace combination.
    
    When an index is specified, rely on rcu to find if there's an object in
    such index. If there's none, fallback to the above, serializing on the
    mutex and reserving the specified id. If there's one, it can be an -EBUSY
    pointer, in which case we just try again until it's an action, or an action.
    Given the rcu guarantees, the action found could be dead and therefore
    we need to bump the refcount if it's not 0, handling the case it's
    in fact 0.
    
    As bind and the action refcount are already atomics, these increments can
    happen without the mutex protection while many tcf_idr_check_alloc race
    to bind to the same action instance.
    
    In case binding encounters a parallel delete or add, it will return
    -EAGAIN in order to try again. Both filter and action apis already
    have the retry machinery in-place. In case it's an unlocked filter it
    retries under the rtnl lock.
    
    Signed-off-by: Pedro Tammela <[email protected]>
    Acked-by: Jamal Hadi Salim <[email protected]>
    Reviewed-by: Vlad Buslov <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Stable-dep-of: d864319871b0 ("net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()")
    Signed-off-by: Sasha Levin <[email protected]>

net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Tue Jun 4 18:15:11 2024 +0000

    net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
    
    [ Upstream commit f921a58ae20852d188f70842431ce6519c4fdc36 ]
    
    If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,
    taprio_parse_mqprio_opt() must validate it, or userspace
    can inject arbitrary data to the kernel, the second time
    taprio_change() is called.
    
    First call (with valid attributes) sets dev->num_tc
    to a non zero value.
    
    Second call (with arbitrary mqprio attributes)
    returns early from taprio_parse_mqprio_opt()
    and bad things can happen.
    
    Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule")
    Reported-by: Noam Rathaus <[email protected]>
    Signed-off-by: Eric Dumazet <[email protected]>
    Acked-by: Vinicius Costa Gomes <[email protected]>
    Reviewed-by: Vladimir Oltean <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new [+ + +]
Author: Oleksij Rempel <[email protected]>
Date:   Fri Nov 17 13:49:59 2023 +0100

    net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new
    
    commit d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb upstream.
    
    This patch enhances error handling in scenarios with RTS (Request to
    Send) messages arriving closely. It replaces the less informative WARN_ON_ONCE
    backtraces with a new error handling method. This provides clearer error
    messages and allows for the early termination of problematic sessions.
    Previously, sessions were only released at the end of j1939_xtp_rx_rts().
    
    Potentially this could be reproduced with something like:
    testj1939 -r vcan0:0x80 &
    while true; do
            # send first RTS
            cansend vcan0 18EC8090#1014000303002301;
            # send second RTS
            cansend vcan0 18EC8090#1014000303002301;
            # send abort
            cansend vcan0 18EC8090#ff00000000002301;
    done
    
    Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
    Reported-by: [email protected]
    Cc: [email protected]
    Signed-off-by: Oleksij Rempel <[email protected]>
    Link: https://lore.kernel.org/all/[email protected]
    Signed-off-by: Marc Kleine-Budde <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

net: can: j1939: Initialize unused data in j1939_send_one() [+ + +]
Author: Shigeru Yoshida <[email protected]>
Date:   Fri May 17 12:59:53 2024 +0900

    net: can: j1939: Initialize unused data in j1939_send_one()
    
    commit b7cdf1dd5d2a2d8200efd98d1893684db48fe134 upstream.
    
    syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()
    creates full frame including unused data, but it doesn't initialize
    it. This causes the kernel-infoleak issue. Fix this by initializing
    unused data.
    
    [1]
    BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
    BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
    BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
    BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
    BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
    BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
     instrument_copy_to_user include/linux/instrumented.h:114 [inline]
     copy_to_user_iter lib/iov_iter.c:24 [inline]
     iterate_ubuf include/linux/iov_iter.h:29 [inline]
     iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
     iterate_and_advance include/linux/iov_iter.h:271 [inline]
     _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
     copy_to_iter include/linux/uio.h:196 [inline]
     memcpy_to_msg include/linux/skbuff.h:4113 [inline]
     raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008
     sock_recvmsg_nosec net/socket.c:1046 [inline]
     sock_recvmsg+0x2c4/0x340 net/socket.c:1068
     ____sys_recvmsg+0x18a/0x620 net/socket.c:2803
     ___sys_recvmsg+0x223/0x840 net/socket.c:2845
     do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939
     __sys_recvmmsg net/socket.c:3018 [inline]
     __do_sys_recvmmsg net/socket.c:3041 [inline]
     __se_sys_recvmmsg net/socket.c:3034 [inline]
     __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034
     x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Uninit was created at:
     slab_post_alloc_hook mm/slub.c:3804 [inline]
     slab_alloc_node mm/slub.c:3845 [inline]
     kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
     kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
     __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
     alloc_skb include/linux/skbuff.h:1313 [inline]
     alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
     sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
     sock_alloc_send_skb include/net/sock.h:1842 [inline]
     j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]
     j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]
     j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0x30f/0x380 net/socket.c:745
     ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
     ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
     __sys_sendmsg net/socket.c:2667 [inline]
     __do_sys_sendmsg net/socket.c:2676 [inline]
     __se_sys_sendmsg net/socket.c:2674 [inline]
     __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
     x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Bytes 12-15 of 16 are uninitialized
    Memory access of size 16 starts at ffff888120969690
    Data copied to user address 00000000200017c0
    
    CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
    
    Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
    Reported-and-tested-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=5681e40d297b30f5b513
    Acked-by: Oleksij Rempel <[email protected]>
    Signed-off-by: Shigeru Yoshida <[email protected]>
    Link: https://lore.kernel.org/all/[email protected]
    Cc: [email protected]
    Signed-off-by: Marc Kleine-Budde <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

net: can: j1939: recover socket queue on CAN bus error during BAM transmission [+ + +]
Author: Oleksij Rempel <[email protected]>
Date:   Tue May 28 09:06:48 2024 +0200

    net: can: j1939: recover socket queue on CAN bus error during BAM transmission
    
    commit 9ad1da14ab3bf23087ae45fe399d84a109ddb81a upstream.
    
    Addresses an issue where a CAN bus error during a BAM transmission
    could stall the socket queue, preventing further transmissions even
    after the bus error is resolved. The fix activates the next queued
    session after the error recovery, allowing communication to continue.
    
    Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
    Cc: [email protected]
    Reported-by: Alexander Hölzl <[email protected]>
    Tested-by: Alexander Hölzl <[email protected]>
    Signed-off-by: Oleksij Rempel <[email protected]>
    Link: https://lore.kernel.org/all/[email protected]
    Cc: [email protected]
    Signed-off-by: Marc Kleine-Budde <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

net: dsa: microchip: fix initial port flush problem [+ + +]
Author: Tristram Ha <[email protected]>
Date:   Tue Jun 18 17:16:42 2024 -0700

    net: dsa: microchip: fix initial port flush problem
    
    [ Upstream commit ad53f5f54f351e967128edbc431f0f26427172cf ]
    
    The very first flush in any port will flush all learned addresses in all
    ports.  This can be observed by unplugging the cable from one port while
    additional ports are connected and dumping the fdb entries.
    
    This problem is caused by the initially wrong value programmed to the
    REG_SW_LUE_CTRL_1 register.  Setting SW_FLUSH_STP_TABLE and
    SW_FLUSH_MSTP_TABLE bits does not have an immediate effect.  It is when
    ksz9477_flush_dyn_mac_table() is called then the SW_FLUSH_STP_TABLE bit
    takes effect and flushes all learned entries.  After that call both bits
    are reset and so the next port flush will not cause such problem again.
    
    Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477")
    Signed-off-by: Tristram Ha <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: phy: mchp: Add support for LAN8814 QUAD PHY [+ + +]
Author: Divya Koppera <[email protected]>
Date:   Fri Sep 11 18:48:44 2020 +0530

    net: phy: mchp: Add support for LAN8814 QUAD PHY
    
    [ Upstream commit 1623ad8ec04c771a54975fb84b22bc21c2dbcac1 ]
    
    LAN8814 is a low-power, quad-port triple-speed (10BASE-T/100BASETX/1000BASE-T)
    Ethernet physical layer transceiver (PHY). It supports transmission and
    reception of data on standard CAT-5, as well as CAT-5e and CAT-6, unshielded
    twisted pair (UTP) cables.
    
    LAN8814 supports industry-standard QSGMII (Quad Serial Gigabit Media
    Independent Interface) and Q-USGMII (Quad Universal Serial Gigabit Media
    Independent Interface) providing chip-to-chip connection to four Gigabit
    Ethernet MACs using a single serialized link (differential pair) in each
    direction.
    
    The LAN8814 SKU supports high-accuracy timestamping functions to
    support IEEE-1588 solutions using Microchip Ethernet switches, as well as
    customer solutions based on SoCs and FPGAs.
    
    The LAN8804 SKU has same features as that of LAN8814 SKU except that it does
    not support 1588, SyncE, or Q-USGMII with PCH/MCH.
    
    This adds support for 10BASE-T, 100BASE-TX, and 1000BASE-T,
    QSGMII link with the MAC.
    
    Signed-off-by: Divya Koppera<[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Stable-dep-of: 54a4e5c16382 ("net: phy: micrel: add Microchip KSZ 9477 to the device table")
    Signed-off-by: Sasha Levin <[email protected]>

net: phy: micrel: add Microchip KSZ 9477 to the device table [+ + +]
Author: Enguerrand de Ribaucourt <[email protected]>
Date:   Fri Jun 21 16:43:20 2024 +0200

    net: phy: micrel: add Microchip KSZ 9477 to the device table
    
    [ Upstream commit 54a4e5c16382e871c01dd82b47e930fdce30406b ]
    
    PHY_ID_KSZ9477 was supported but not added to the device table passed to
    MODULE_DEVICE_TABLE.
    
    Fixes: fc3973a1fa09 ("phy: micrel: add Microchip KSZ 9477 Switch PHY support")
    Signed-off-by: Enguerrand de Ribaucourt <[email protected]>
    Reviewed-by: Andrew Lunn <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: sched: sch_multiq: fix possible OOB write in multiq_tune() [+ + +]
Author: Hangyu Hua <[email protected]>
Date:   Mon Jun 3 15:13:03 2024 +0800

    net: sched: sch_multiq: fix possible OOB write in multiq_tune()
    
    [ Upstream commit affc18fdc694190ca7575b9a86632a73b9fe043d ]
    
    q->bands will be assigned to qopt->bands to execute subsequent code logic
    after kmalloc. So the old q->bands should not be used in kmalloc.
    Otherwise, an out-of-bounds write will occur.
    
    Fixes: c2999f7fb05b ("net: sched: multiq: don't call qdisc_put() while holding tree lock")
    Signed-off-by: Hangyu Hua <[email protected]>
    Acked-by: Cong Wang <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: usb: ax88179_178a: improve link status logs [+ + +]
Author: Jose Ignacio Tornos Martinez <[email protected]>
Date:   Thu Jun 20 15:34:31 2024 +0200

    net: usb: ax88179_178a: improve link status logs
    
    commit 058722ee350c0bdd664e467156feb2bf5d9cc271 upstream.
    
    Avoid spurious link status logs that may ultimately be wrong; for example,
    if the link is set to down with the cable plugged, then the cable is
    unplugged and after this the link is set to up, the last new log that is
    appearing is incorrectly telling that the link is up.
    
    In order to avoid errors, show link status logs after link_reset
    processing, and in order to avoid spurious as much as possible, only show
    the link loss when some link status change is detected.
    
    cc: [email protected]
    Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
    Signed-off-by: Jose Ignacio Tornos Martinez <[email protected]>
    Reviewed-by: Simon Horman <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings [+ + +]
Author: Oliver Neukum <[email protected]>
Date:   Wed Jun 19 15:28:03 2024 +0200

    net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings
    
    [ Upstream commit fba383985354e83474f95f36d7c65feb75dba19d ]
    
    This functions retrieves values by passing a pointer. As the function
    that retrieves them can fail before touching the pointers, the variables
    must be initialized.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: [email protected]
    Signed-off-by: Oliver Neukum <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type [+ + +]
Author: Jozsef Kadlecsik <[email protected]>
Date:   Tue Jun 4 15:58:03 2024 +0200

    netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
    
    [ Upstream commit 4e7aaa6b82d63e8ddcbfb56b4fd3d014ca586f10 ]
    
    Lion Ackermann reported that there is a race condition between namespace cleanup
    in ipset and the garbage collection of the list:set type. The namespace
    cleanup can destroy the list:set type of sets while the gc of the set type is
    waiting to run in rcu cleanup. The latter uses data from the destroyed set which
    thus leads use after free. The patch contains the following parts:
    
    - When destroying all sets, first remove the garbage collectors, then wait
      if needed and then destroy the sets.
    - Fix the badly ordered "wait then remove gc" for the destroy a single set
      case.
    - Fix the missing rcu locking in the list:set type in the userspace test
      case.
    - Use proper RCU list handlings in the list:set type.
    
    The patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).
    
    Fixes: 97f7cf1cd80e (netfilter: ipset: fix performance regression in swap operation)
    Reported-by: Lion Ackermann <[email protected]>
    Tested-by: Lion Ackermann <[email protected]>
    Signed-off-by: Jozsef Kadlecsik <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

netfilter: ipset: Fix suspicious rcu_dereference_protected() [+ + +]
Author: Jozsef Kadlecsik <[email protected]>
Date:   Mon Jun 17 11:18:15 2024 +0200

    netfilter: ipset: Fix suspicious rcu_dereference_protected()
    
    [ Upstream commit 8ecd06277a7664f4ef018abae3abd3451d64e7a6 ]
    
    When destroying all sets, we are either in pernet exit phase or
    are executing a "destroy all sets command" from userspace. The latter
    was taken into account in ip_set_dereference() (nfnetlink mutex is held),
    but the former was not. The patch adds the required check to
    rcu_dereference_protected() in ip_set_dereference().
    
    Fixes: 4e7aaa6b82d6 ("netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type")
    Reported-by: [email protected]
    Reported-by: [email protected]
    Reported-by: kernel test robot <[email protected]>
    Closes: https://lore.kernel.org/oe-lkp/[email protected]
    Signed-off-by: Jozsef Kadlecsik <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers [+ + +]
Author: Pablo Neira Ayuso <[email protected]>
Date:   Wed Jun 26 23:15:38 2024 +0200

    netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
    
    [ Upstream commit 7931d32955e09d0a11b1fe0b6aac1bfa061c005c ]
    
    register store validation for NFT_DATA_VALUE is conditional, however,
    the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
    only requires a new helper function to infer the register type from the
    set datatype so this conditional check can be removed. Otherwise,
    pointer to chain object can be leaked through the registers.
    
    Fixes: 96518518cc41 ("netfilter: add nftables")
    Reported-by: Linus Torvalds <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

netfilter: nf_tables: validate family when identifying table via handle [+ + +]
Author: Pablo Neira Ayuso <[email protected]>
Date:   Thu Jun 27 02:41:12 2024 +0200

    netfilter: nf_tables: validate family when identifying table via handle
    
    [ Upstream commit f6e1532a2697b81da00bfb184e99d15e01e9d98c ]
    
    Validate table family when looking up for it via NFTA_TABLE_HANDLE.
    
    Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle")
    Reported-by: Xingyuan Mo <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

netfilter: nftables: exthdr: fix 4-byte stack OOB write [+ + +]
Author: Florian Westphal <[email protected]>
Date:   Tue Sep 5 23:13:56 2023 +0200

    netfilter: nftables: exthdr: fix 4-byte stack OOB write
    
    commit fd94d9dadee58e09b49075240fe83423eb1dcd36 upstream.
    
    If priv->len is a multiple of 4, then dst[len / 4] can write past
    the destination array which leads to stack corruption.
    
    This construct is necessary to clean the remainder of the register
    in case ->len is NOT a multiple of the register size, so make it
    conditional just like nft_payload.c does.
    
    The bug was added in 4.1 cycle and then copied/inherited when
    tcp/sctp and ip option support was added.
    
    Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
    ZDI-CAN-21951, ZDI-CAN-21961).
    
    Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
    Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
    Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
    Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
netns: Make get_net_ns() handle zero refcount net [+ + +]
Author: Yue Haibing <[email protected]>
Date:   Fri Jun 14 21:13:02 2024 +0800

    netns: Make get_net_ns() handle zero refcount net
    
    [ Upstream commit ff960f9d3edbe08a736b5a224d91a305ccc946b0 ]
    
    Syzkaller hit a warning:
    refcount_t: addition on 0; use-after-free.
    WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
    Modules linked in:
    CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    RIP: 0010:refcount_warn_saturate+0xdf/0x1d0
    Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1
    RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac
    RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001
    RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139
    R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4
    R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040
    FS:  00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     ? show_regs+0xa3/0xc0
     ? __warn+0xa5/0x1c0
     ? refcount_warn_saturate+0xdf/0x1d0
     ? report_bug+0x1fc/0x2d0
     ? refcount_warn_saturate+0xdf/0x1d0
     ? handle_bug+0xa1/0x110
     ? exc_invalid_op+0x3c/0xb0
     ? asm_exc_invalid_op+0x1f/0x30
     ? __warn_printk+0xcc/0x140
     ? __warn_printk+0xd5/0x140
     ? refcount_warn_saturate+0xdf/0x1d0
     get_net_ns+0xa4/0xc0
     ? __pfx_get_net_ns+0x10/0x10
     open_related_ns+0x5a/0x130
     __tun_chr_ioctl+0x1616/0x2370
     ? __sanitizer_cov_trace_switch+0x58/0xa0
     ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
     ? __pfx_tun_chr_ioctl+0x10/0x10
     tun_chr_ioctl+0x2f/0x40
     __x64_sys_ioctl+0x11b/0x160
     x64_sys_call+0x1211/0x20d0
     do_syscall_64+0x9e/0x1d0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f5b28f165d7
    Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8
    RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7
    RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003
    RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0
    R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730
    R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000
     </TASK>
    Kernel panic - not syncing: kernel: panic_on_warn set ...
    
    This is trigger as below:
              ns0                                    ns1
    tun_set_iff() //dev is tun0
       tun->dev = dev
    //ip link set tun0 netns ns1
                                           put_net() //ref is 0
    __tun_chr_ioctl() //TUNGETDEVNETNS
       net = dev_net(tun->dev);
       open_related_ns(&net->ns, get_net_ns); //ns1
         get_net_ns()
            get_net() //addition on 0
    
    Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this
    
    Fixes: 0c3e0e3bb623 ("tun: Add ioctl() TUNGETDEVNETNS cmd to allow obtaining real net ns of tun device")
    Signed-off-by: Yue Haibing <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
netrom: Fix a memory leak in nr_heartbeat_expiry() [+ + +]
Author: Gavrilov Ilia <[email protected]>
Date:   Thu Jun 13 08:23:00 2024 +0000

    netrom: Fix a memory leak in nr_heartbeat_expiry()
    
    [ Upstream commit 0b9130247f3b6a1122478471ff0e014ea96bb735 ]
    
    syzbot reported a memory leak in nr_create() [0].
    
    Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
    added sock_hold() to the nr_heartbeat_expiry() function, where
    a) a socket has a SOCK_DESTROY flag or
    b) a listening socket has a SOCK_DEAD flag.
    
    But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
    has already been closed and the nr_release() function has been called.
    So it makes no sense to hold the reference count because no one will
    call another nr_destroy_socket() and put it as in the case "b."
    
    nr_connect
      nr_establish_data_link
        nr_start_heartbeat
    
    nr_release
      switch (nr->state)
      case NR_STATE_3
        nr->state = NR_STATE_2
        sock_set_flag(sk, SOCK_DESTROY);
    
                            nr_rx_frame
                              nr_process_rx_frame
                                switch (nr->state)
                                case NR_STATE_2
                                  nr_state2_machine()
                                    nr_disconnect()
                                      nr_sk(sk)->state = NR_STATE_0
                                      sock_set_flag(sk, SOCK_DEAD)
    
                            nr_heartbeat_expiry
                              switch (nr->state)
                              case NR_STATE_0
                                if (sock_flag(sk, SOCK_DESTROY) ||
                                   (sk->sk_state == TCP_LISTEN
                                     && sock_flag(sk, SOCK_DEAD)))
                                   sock_hold()  // ( !!! )
                                   nr_destroy_socket()
    
    To fix the memory leak, let's call sock_hold() only for a listening socket.
    
    Found by InfoTeCS on behalf of Linux Verification Center
    (linuxtesting.org) with Syzkaller.
    
    [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
    
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
    Fixes: 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
    Signed-off-by: Gavrilov Ilia <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
nfs: Leave pages in the pagecache if readpage failed [+ + +]
Author: Matthew Wilcox (Oracle) <[email protected]>
Date:   Mon May 16 10:30:09 2022 -0400

    nfs: Leave pages in the pagecache if readpage failed
    
    commit 0b768a9610c6de9811c6d33900bebfb665192ee1 upstream.
    
    The pagecache handles readpage failing by itself; it doesn't want
    filesystems to remove pages from under it.
    
    Signed-off-by: Matthew Wilcox (Oracle) <[email protected]>
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors [+ + +]
Author: Ryusuke Konishi <[email protected]>
Date:   Tue Jun 4 22:42:55 2024 +0900

    nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
    
    [ Upstream commit 7373a51e7998b508af7136530f3a997b286ce81c ]
    
    The error handling in nilfs_empty_dir() when a directory folio/page read
    fails is incorrect, as in the old ext2 implementation, and if the
    folio/page cannot be read or nilfs_check_folio() fails, it will falsely
    determine the directory as empty and corrupt the file system.
    
    In addition, since nilfs_empty_dir() does not immediately return on a
    failed folio/page read, but continues to loop, this can cause a long loop
    with I/O if i_size of the directory's inode is also corrupted, causing the
    log writer thread to wait and hang, as reported by syzbot.
    
    Fix these issues by making nilfs_empty_dir() immediately return a false
    value (0) if it fails to get a directory folio/page.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Ryusuke Konishi <[email protected]>
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=c8166c541d3971bf6c87
    Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
    Tested-by: Ryusuke Konishi <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

nilfs2: fix potential kernel bug due to lack of writeback flag waiting [+ + +]
Author: Ryusuke Konishi <[email protected]>
Date:   Thu May 30 23:15:56 2024 +0900

    nilfs2: fix potential kernel bug due to lack of writeback flag waiting
    
    commit a4ca369ca221bb7e06c725792ac107f0e48e82e7 upstream.
    
    Destructive writes to a block device on which nilfs2 is mounted can cause
    a kernel bug in the folio/page writeback start routine or writeback end
    routine (__folio_start_writeback in the log below):
    
     kernel BUG at mm/page-writeback.c:3070!
     Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
     ...
     RIP: 0010:__folio_start_writeback+0xbaa/0x10e0
     Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff
      e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>
      0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00
     ...
     Call Trace:
      <TASK>
      nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]
      nilfs_segctor_construct+0x181/0x6b0 [nilfs2]
      nilfs_segctor_thread+0x548/0x11c0 [nilfs2]
      kthread+0x2f0/0x390
      ret_from_fork+0x4b/0x80
      ret_from_fork_asm+0x1a/0x30
      </TASK>
    
    This is because when the log writer starts a writeback for segment summary
    blocks or a super root block that use the backing device's page cache, it
    does not wait for the ongoing folio/page writeback, resulting in an
    inconsistent writeback state.
    
    Fix this issue by waiting for ongoing writebacks when putting
    folios/pages on the backing device into writeback state.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 9ff05123e3bf ("nilfs2: segment constructor")
    Signed-off-by: Ryusuke Konishi <[email protected]>
    Tested-by: Ryusuke Konishi <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

nilfs2: Remove check for PageError [+ + +]
Author: Matthew Wilcox (Oracle) <[email protected]>
Date:   Tue May 17 18:12:25 2022 -0400

    nilfs2: Remove check for PageError
    
    [ Upstream commit 79ea65563ad8aaab309d61eeb4d5019dd6cf5fa0 ]
    
    If read_mapping_page() encounters an error, it returns an errno, not a
    page with PageError set, so this test is not needed.
    
    Signed-off-by: Matthew Wilcox (Oracle) <[email protected]>
    Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors")
    Signed-off-by: Sasha Levin <[email protected]>

nilfs2: return the mapped address from nilfs_get_page() [+ + +]
Author: Matthew Wilcox (Oracle) <[email protected]>
Date:   Mon Nov 27 23:30:25 2023 +0900

    nilfs2: return the mapped address from nilfs_get_page()
    
    [ Upstream commit 09a46acb3697e50548bb265afa1d79163659dd85 ]
    
    In prepartion for switching from kmap() to kmap_local(), return the kmap
    address from nilfs_get_page() instead of having the caller look up
    page_address().
    
    [konishi.ryusuke: fixed a missing blank line after declaration]
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Matthew Wilcox (Oracle) <[email protected]>
    Signed-off-by: Ryusuke Konishi <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors")
    Signed-off-by: Sasha Levin <[email protected]>

 
nvme: fixup comment for nvme RDMA Provider Type [+ + +]
Author: Hannes Reinecke <[email protected]>
Date:   Mon Jun 17 09:27:27 2024 +0200

    nvme: fixup comment for nvme RDMA Provider Type
    
    [ Upstream commit f80a55fa90fa76d01e3fffaa5d0413e522ab9a00 ]
    
    PRTYPE is the provider type, not the QP service type.
    
    Fixes: eb793e2c9286 ("nvme.h: add NVMe over Fabrics definitions")
    Signed-off-by: Hannes Reinecke <[email protected]>
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Keith Busch <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
ocfs2: fix races between hole punching and AIO+DIO [+ + +]
Author: Su Yue <[email protected]>
Date:   Mon Apr 8 16:20:39 2024 +0800

    ocfs2: fix races between hole punching and AIO+DIO
    
    commit 952b023f06a24b2ad6ba67304c4c84d45bea2f18 upstream.
    
    After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block",
    fstests/generic/300 become from always failed to sometimes failed:
    
    ========================================================================
    [  473.293420 ] run fstests generic/300
    
    [  475.296983 ] JBD2: Ignoring recovery information on journal
    [  475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.
    [  494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found
    [  494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.
    [  494.292018 ] OCFS2: File system is now read-only.
    [  494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30
    [  494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3
    fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072
    =========================================================================
    
    In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten
    extents to a list.  extents are also inserted into extent tree in
    ocfs2_write_begin_nolock.  Then another thread call fallocate to puch a
    hole at one of the unwritten extent.  The extent at cpos was removed by
    ocfs2_remove_extent().  At end io worker thread, ocfs2_search_extent_list
    found there is no such extent at the cpos.
    
        T1                        T2                T3
                                  inode lock
                                    ...
                                    insert extents
                                    ...
                                  inode unlock
    ocfs2_fallocate
     __ocfs2_change_file_space
      inode lock
      lock ip_alloc_sem
      ocfs2_remove_inode_range inode
       ocfs2_remove_btree_range
        ocfs2_remove_extent
        ^---remove the extent at cpos 78723
      ...
      unlock ip_alloc_sem
      inode unlock
                                           ocfs2_dio_end_io
                                            ocfs2_dio_end_io_write
                                             lock ip_alloc_sem
                                             ocfs2_mark_extent_written
                                              ocfs2_change_extent_flag
                                               ocfs2_search_extent_list
                                               ^---failed to find extent
                                              ...
                                              unlock ip_alloc_sem
    
    In most filesystems, fallocate is not compatible with racing with AIO+DIO,
    so fix it by adding to wait for all dio before fallocate/punch_hole like
    ext4.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: b25801038da5 ("ocfs2: Support xfs style space reservation ioctls")
    Signed-off-by: Su Yue <[email protected]>
    Reviewed-by: Joseph Qi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Gang He <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Jun Piao <[email protected]>
    Cc: Junxiao Bi <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ocfs2: use coarse time for new created files [+ + +]
Author: Su Yue <[email protected]>
Date:   Mon Apr 8 16:20:41 2024 +0800

    ocfs2: use coarse time for new created files
    
    commit b8cb324277ee16f3eca3055b96fce4735a5a41c6 upstream.
    
    The default atime related mount option is '-o realtime' which means file
    atime should be updated if atime <= ctime or atime <= mtime.  atime should
    be updated in the following scenario, but it is not:
    ==========================================================
    $ rm /mnt/testfile;
    $ echo test > /mnt/testfile
    $ stat -c "%X %Y %Z" /mnt/testfile
    1711881646 1711881646 1711881646
    $ sleep 5
    $ cat /mnt/testfile > /dev/null
    $ stat -c "%X %Y %Z" /mnt/testfile
    1711881646 1711881646 1711881646
    ==========================================================
    
    And the reason the atime in the test is not updated is that ocfs2 calls
    ktime_get_real_ts64() in __ocfs2_mknod_locked during file creation.  Then
    inode_set_ctime_current() is called in inode_set_ctime_current() calls
    ktime_get_coarse_real_ts64() to get current time.
    
    ktime_get_real_ts64() is more accurate than ktime_get_coarse_real_ts64().
    In my test box, I saw ctime set by ktime_get_coarse_real_ts64() is less
    than ktime_get_real_ts64() even ctime is set later.  The ctime of the new
    inode is smaller than atime.
    
    The call trace is like:
    
    ocfs2_create
      ocfs2_mknod
        __ocfs2_mknod_locked
        ....
    
          ktime_get_real_ts64 <------- set atime,ctime,mtime, more accurate
          ocfs2_populate_inode
        ...
        ocfs2_init_acl
          ocfs2_acl_set_mode
            inode_set_ctime_current
              current_time
                ktime_get_coarse_real_ts64 <-------less accurate
    
    ocfs2_file_read_iter
      ocfs2_inode_lock_atime
        ocfs2_should_update_atime
          atime <= ctime ? <-------- false, ctime < atime due to accuracy
    
    So here call ktime_get_coarse_real_ts64 to set inode time coarser while
    creating new files.  It may lower the accuracy of file times.  But it's
    not a big deal since we already use coarse time in other places like
    ocfs2_update_inode_atime and inode_set_ctime_current.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: c62c38f6b91b ("ocfs2: replace CURRENT_TIME macro")
    Signed-off-by: Su Yue <[email protected]>
    Reviewed-by: Joseph Qi <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Junxiao Bi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Gang He <[email protected]>
    Cc: Jun Piao <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
parisc: use correct compat recv/recvfrom syscalls [+ + +]
Author: Arnd Bergmann <[email protected]>
Date:   Wed Jun 19 14:27:55 2024 +0200

    parisc: use correct compat recv/recvfrom syscalls
    
    [ Upstream commit 20a50787349fadf66ac5c48f62e58d753878d2bb ]
    
    Johannes missed parisc back when he introduced the compat version
    of these syscalls, so receiving cmsg messages that require a compat
    conversion is still broken.
    
    Use the correct calls like the other architectures do.
    
    Fixes: 1dacc76d0014 ("net/compat/wext: send different messages to compat tasks")
    Acked-by: Helge Deller <[email protected]>
    Signed-off-by: Arnd Bergmann <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports [+ + +]
Author: Mario Limonciello <[email protected]>
Date:   Thu Mar 7 10:37:09 2024 -0600

    PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports
    
    [ Upstream commit 256df20c590bf0e4d63ac69330cf23faddac3e08 ]
    
    Hewlett-Packard HP Pavilion 17 Notebook PC/1972 is an Intel Ivy Bridge
    system with a muxless AMD Radeon dGPU.  Attempting to use the dGPU fails
    with the following sequence:
    
      ACPI Error: Aborting method \AMD3._ON due to previous error (AE_AML_LOOP_TIMEOUT) (20230628/psparse-529)
      radeon 0000:01:00.0: not ready 1023ms after resume; waiting
      radeon 0000:01:00.0: not ready 2047ms after resume; waiting
      radeon 0000:01:00.0: not ready 4095ms after resume; waiting
      radeon 0000:01:00.0: not ready 8191ms after resume; waiting
      radeon 0000:01:00.0: not ready 16383ms after resume; waiting
      radeon 0000:01:00.0: not ready 32767ms after resume; waiting
      radeon 0000:01:00.0: not ready 65535ms after resume; giving up
      radeon 0000:01:00.0: Unable to change power state from D3cold to D0, device inaccessible
    
    The issue is that the Root Port the dGPU is connected to can't handle the
    transition from D3cold to D0 so the dGPU can't properly exit runtime PM.
    
    The existing logic in pci_bridge_d3_possible() checks for systems that are
    newer than 2015 to decide that D3 is safe.  This would nominally work for
    an Ivy Bridge system (which was discontinued in 2015), but this system
    appears to have continued to receive BIOS updates until 2017 and so this
    existing logic doesn't appropriately capture it.
    
    Add the system to bridge_d3_blacklist to prevent D3cold from being used.
    
    Link: https://lore.kernel.org/r/[email protected]
    Reported-by: Eric Heintzmann <[email protected]>
    Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3229
    Signed-off-by: Mario Limonciello <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Tested-by: Eric Heintzmann <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
PCI: Add PCI_ERROR_RESPONSE and related definitions [+ + +]
Author: Naveen Naidu <[email protected]>
Date:   Thu Nov 18 19:33:11 2021 +0530

    PCI: Add PCI_ERROR_RESPONSE and related definitions
    
    [ Upstream commit 57bdeef4716689d9b0e3571034d65cf420f6efcd ]
    
    A config or MMIO read from a PCI device that doesn't exist or doesn't
    respond causes a PCI error. There's no real data to return to satisfy the
    CPU read, so most hardware fabricates ~0 data.
    
    Add a PCI_ERROR_RESPONSE definition for that and use it where appropriate
    to make these checks consistent and easier to find.
    
    Also add helper definitions PCI_SET_ERROR_RESPONSE() and
    PCI_POSSIBLE_ERROR() to make the code more readable.
    
    Suggested-by: Bjorn Helgaas <[email protected]>
    Link: https://lore.kernel.org/r/55563bf4dfc5d3fdc96695373c659d099bf175b1.1637243717.git.naveennaidu479@gmail.com
    Signed-off-by: Naveen Naidu <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Reviewed-by: Pali Rohár <[email protected]>
    Stable-dep-of: c625dabbf1c4 ("x86/amd_nb: Check for invalid SMN reads")
    Signed-off-by: Sasha Levin <[email protected]>

PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id [+ + +]
Author: Rick Wertenbroek <[email protected]>
Date:   Wed Apr 3 16:45:08 2024 +0200

    PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id
    
    commit 2dba285caba53f309d6060fca911b43d63f41697 upstream.
    
    Remove wrong mask on subsys_vendor_id. Both the Vendor ID and Subsystem
    Vendor ID are u16 variables and are written to a u32 register of the
    controller. The Subsystem Vendor ID was always 0 because the u16 value
    was masked incorrectly with GENMASK(31,16) resulting in all lower 16
    bits being set to 0 prior to the shift.
    
    Remove both masks as they are unnecessary and set the register correctly
    i.e., the lower 16-bits are the Vendor ID and the upper 16-bits are the
    Subsystem Vendor ID.
    
    This is documented in the RK3399 TRM section 17.6.7.1.17
    
    [kwilczynski: removed unnecesary newline]
    Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
    Link: https://lore.kernel.org/linux-pci/[email protected]
    Signed-off-by: Rick Wertenbroek <[email protected]>
    Signed-off-by: Krzysztof Wilczyński <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Reviewed-by: Damien Le Moal <[email protected]>
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
perf/core: Fix missing wakeup when waiting for context reference [+ + +]
Author: Haifeng Xu <[email protected]>
Date:   Mon May 13 10:39:48 2024 +0000

    perf/core: Fix missing wakeup when waiting for context reference
    
    [ Upstream commit 74751ef5c1912ebd3e65c3b65f45587e05ce5d36 ]
    
    In our production environment, we found many hung tasks which are
    blocked for more than 18 hours. Their call traces are like this:
    
    [346278.191038] __schedule+0x2d8/0x890
    [346278.191046] schedule+0x4e/0xb0
    [346278.191049] perf_event_free_task+0x220/0x270
    [346278.191056] ? init_wait_var_entry+0x50/0x50
    [346278.191060] copy_process+0x663/0x18d0
    [346278.191068] kernel_clone+0x9d/0x3d0
    [346278.191072] __do_sys_clone+0x5d/0x80
    [346278.191076] __x64_sys_clone+0x25/0x30
    [346278.191079] do_syscall_64+0x5c/0xc0
    [346278.191083] ? syscall_exit_to_user_mode+0x27/0x50
    [346278.191086] ? do_syscall_64+0x69/0xc0
    [346278.191088] ? irqentry_exit_to_user_mode+0x9/0x20
    [346278.191092] ? irqentry_exit+0x19/0x30
    [346278.191095] ? exc_page_fault+0x89/0x160
    [346278.191097] ? asm_exc_page_fault+0x8/0x30
    [346278.191102] entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    The task was waiting for the refcount become to 1, but from the vmcore,
    we found the refcount has already been 1. It seems that the task didn't
    get woken up by perf_event_release_kernel() and got stuck forever. The
    below scenario may cause the problem.
    
    Thread A                                        Thread B
    ...                                             ...
    perf_event_free_task                            perf_event_release_kernel
                                                       ...
                                                       acquire event->child_mutex
                                                       ...
                                                       get_ctx
       ...                                             release event->child_mutex
       acquire ctx->mutex
       ...
       perf_free_event (acquire/release event->child_mutex)
       ...
       release ctx->mutex
       wait_var_event
                                                       acquire ctx->mutex
                                                       acquire event->child_mutex
                                                       # move existing events to free_list
                                                       release event->child_mutex
                                                       release ctx->mutex
                                                       put_ctx
    ...                                             ...
    
    In this case, all events of the ctx have been freed, so we couldn't
    find the ctx in free_list and Thread A will miss the wakeup. It's thus
    necessary to add a wakeup after dropping the reference.
    
    Fixes: 1cf8dfe8a661 ("perf/core: Fix race between close() and fork()")
    Signed-off-by: Haifeng Xu <[email protected]>
    Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
    Reviewed-by: Frederic Weisbecker <[email protected]>
    Acked-by: Mark Rutland <[email protected]>
    Cc: [email protected]
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER [+ + +]
Author: Hagar Hemdan <[email protected]>
Date:   Tue Jun 4 08:58:38 2024 +0000

    pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER
    
    [ Upstream commit adec57ff8e66aee632f3dd1f93787c13d112b7a1 ]
    
    In create_pinctrl(), pinctrl_maps_mutex is acquired before calling
    add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()
    calls pinctrl_free(). However, pinctrl_free() attempts to acquire
    pinctrl_maps_mutex, which is already held by create_pinctrl(), leading to
    a potential deadlock.
    
    This patch resolves the issue by releasing pinctrl_maps_mutex before
    calling pinctrl_free(), preventing the deadlock.
    
    This bug was discovered and resolved using Coverity Static Analysis
    Security Testing (SAST) by Synopsys, Inc.
    
    Fixes: 42fed7ba44e4 ("pinctrl: move subsystem mutex to pinctrl_dev struct")
    Suggested-by: Maximilian Heyne <[email protected]>
    Signed-off-by: Hagar Hemdan <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Linus Walleij <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins [+ + +]
Author: Huang-Huang Bao <[email protected]>
Date:   Thu Jun 6 20:57:52 2024 +0800

    pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins
    
    [ Upstream commit e8448a6c817c2aa6c6af785b1d45678bd5977e8d ]
    
    The pinmux bits for GPIO2-B0 to GPIO2-B6 actually have 2 bits width,
    correct the bank flag for GPIO2-B. The pinmux bits for GPIO2-B7 is
    recalculated so it remain unchanged.
    
    The pinmux bits for those pins are not explicitly specified in RK3328
    TRM, however we can get hint from pad name and its correspinding IOMUX
    setting for pins in interface descriptions. The correspinding IOMIX
    settings for GPIO2-B0 to GPIO2-B6 can be found in the same row next to
    occurrences of following pad names in RK3328 TRM.
    
    GPIO2-B0: IO_SPIclkm0_GPIO2B0vccio5
    GPIO2-B1: IO_SPItxdm0_GPIO2B1vccio5
    GPIO2-B2: IO_SPIrxdm0_GPIO2B2vccio5
    GPIO2-B3: IO_SPIcsn0m0_GPIO2B3vccio5
    GPIO2-B4: IO_SPIcsn1m0_FLASHvol_sel_GPIO2B4vccio5
    GPIO2-B5: IO_ I2C2sda_TSADCshut_GPIO2B5vccio5
    GPIO2-B6: IO_ I2C2scl_GPIO2B6vccio5
    
    This fix has been tested on NanoPi R2S for fixing confliting pinmux bits
    between GPIO2-B7 with GPIO2-B5.
    
    Signed-off-by: Huang-Huang Bao <[email protected]>
    Reviewed-by: Heiko Stuebner <[email protected]>
    Fixes: 3818e4a7678e ("pinctrl: rockchip: Add rk3328 pinctrl support")
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Linus Walleij <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins [+ + +]
Author: Huang-Huang Bao <[email protected]>
Date:   Thu Jun 6 20:57:53 2024 +0800

    pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins
    
    [ Upstream commit 5ef6914e0bf578357b4c906ffe6b26e7eedb8ccf ]
    
    The pinmux bits for GPIO3-B1 to GPIO3-B6 pins are not explicitly
    specified in RK3328 TRM, however we can get hint from pad name and its
    correspinding IOMUX setting for pins in interface descriptions. The
    correspinding IOMIX settings for these pins can be found in the same
    row next to occurrences of following pad names in RK3328 TRM.
    
    GPIO3-B1:  IO_TSPd5m0_CIFdata5m0_GPIO3B1vccio6
    GPIO3-B2: IO_TSPd6m0_CIFdata6m0_GPIO3B2vccio6
    GPIO3-B3: IO_TSPd7m0_CIFdata7m0_GPIO3B3vccio6
    GPIO3-B4: IO_CARDclkm0_GPIO3B4vccio6
    GPIO3-B5: IO_CARDrstm0_GPIO3B5vccio6
    GPIO3-B6: IO_CARDdetm0_GPIO3B6vccio6
    
    Add pinmux data to rk3328_mux_recalced_data as mux register offset for
    these pins does not follow rockchip convention.
    
    Signed-off-by: Huang-Huang Bao <[email protected]>
    Reviewed-by: Heiko Stuebner <[email protected]>
    Fixes: 3818e4a7678e ("pinctrl: rockchip: Add rk3328 pinctrl support")
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Linus Walleij <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set [+ + +]
Author: Huang-Huang Bao <[email protected]>
Date:   Thu Jun 6 20:57:55 2024 +0800

    pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set
    
    [ Upstream commit 4ea4d4808e342ddf89ba24b93ffa2057005aaced ]
    
    rockchip_pmx_set reset all pinmuxs in group to 0 in the case of error,
    add missing bank data retrieval in that code to avoid setting mux on
    unexpected pins.
    
    Fixes: 14797189b35e ("pinctrl: rockchip: add return value to rockchip_set_mux")
    Reviewed-by: Heiko Stuebner <[email protected]>
    Signed-off-by: Huang-Huang Bao <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Linus Walleij <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
powerpc/io: Avoid clang null pointer arithmetic warnings [+ + +]
Author: Michael Ellerman <[email protected]>
Date:   Fri May 3 17:56:18 2024 +1000

    powerpc/io: Avoid clang null pointer arithmetic warnings
    
    [ Upstream commit 03c0f2c2b2220fc9cf8785cd7b61d3e71e24a366 ]
    
    With -Wextra clang warns about pointer arithmetic using a null pointer.
    When building with CONFIG_PCI=n, that triggers a warning in the IO
    accessors, eg:
    
      In file included from linux/arch/powerpc/include/asm/io.h:672:
      linux/arch/powerpc/include/asm/io-defs.h:23:1: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
         23 | DEF_PCI_AC_RET(inb, u8, (unsigned long port), (port), pio, port)
            | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ...
      linux/arch/powerpc/include/asm/io.h:591:53: note: expanded from macro '__do_inb'
        591 | #define __do_inb(port)          readb((PCI_IO_ADDR)_IO_BASE + port);
            |                                       ~~~~~~~~~~~~~~~~~~~~~ ^
    
    That is because when CONFIG_PCI=n, _IO_BASE is defined as 0.
    
    Although _IO_BASE is defined as plain 0, the cast (PCI_IO_ADDR) converts
    it to void * before the addition with port happens.
    
    Instead the addition can be done first, and then the cast. The resulting
    value will be the same, but avoids the warning, and also avoids void
    pointer arithmetic which is apparently non-standard.
    
    Reported-by: Naresh Kamboju <[email protected]>
    Closes: https://lore.kernel.org/all/CA+G9fYtEh8zmq8k8wE-8RZwW-Qr927RLTn+KqGnq1F=ptaaNsA@mail.gmail.com
    Signed-off-by: Michael Ellerman <[email protected]>
    Link: https://msgid.link/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
powerpc/pseries: Enforce hcall result buffer validity and size [+ + +]
Author: Nathan Lynch <[email protected]>
Date:   Mon Apr 8 09:08:31 2024 -0500

    powerpc/pseries: Enforce hcall result buffer validity and size
    
    [ Upstream commit ff2e185cf73df480ec69675936c4ee75a445c3e4 ]
    
    plpar_hcall(), plpar_hcall9(), and related functions expect callers to
    provide valid result buffers of certain minimum size. Currently this
    is communicated only through comments in the code and the compiler has
    no idea.
    
    For example, if I write a bug like this:
    
      long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE
      plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);
    
    This compiles with no diagnostics emitted, but likely results in stack
    corruption at runtime when plpar_hcall9() stores results past the end
    of the array. (To be clear this is a contrived example and I have not
    found a real instance yet.)
    
    To make this class of error less likely, we can use explicitly-sized
    array parameters instead of pointers in the declarations for the hcall
    APIs. When compiled with -Warray-bounds[1], the code above now
    provokes a diagnostic like this:
    
    error: array argument is too small;
    is of size 32, callee requires at least 72 [-Werror,-Warray-bounds]
       60 |                 plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,
          |                 ^                                   ~~~~~~
    
    [1] Enabled for LLVM builds but not GCC for now. See commit
        0da6e5fd6c37 ("gcc: disable '-Warray-bounds' for gcc-13 too") and
        related changes.
    
    Signed-off-by: Nathan Lynch <[email protected]>
    Signed-off-by: Michael Ellerman <[email protected]>
    Link: https://msgid.link/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
ptp: Fix error message on failed pin verification [+ + +]
Author: Karol Kolacinski <[email protected]>
Date:   Tue Jun 4 14:05:27 2024 +0200

    ptp: Fix error message on failed pin verification
    
    [ Upstream commit 323a359f9b077f382f4483023d096a4d316fd135 ]
    
    On failed verification of PTP clock pin, error message prints channel
    number instead of pin index after "pin", which is incorrect.
    
    Fix error message by adding channel number to the message and printing
    pin number instead of channel number.
    
    Fixes: 6092315dfdec ("ptp: introduce programmable pins.")
    Signed-off-by: Karol Kolacinski <[email protected]>
    Acked-by: Richard Cochran <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
pwm: stm32: Refuse too small period requests [+ + +]
Author: Uwe Kleine-König <[email protected]>
Date:   Fri Jun 21 16:37:12 2024 +0200

    pwm: stm32: Refuse too small period requests
    
    commit c45fcf46ca2368dafe7e5c513a711a6f0f974308 upstream.
    
    If period_ns is small, prd might well become 0. Catch that case because
    otherwise with
    
            regmap_write(priv->regmap, TIM_ARR, prd - 1);
    
    a few lines down quite a big period is configured.
    
    Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm")
    Cc: [email protected]
    Reviewed-by: Trevor Gamblin <[email protected]>
    Signed-off-by: Uwe Kleine-König <[email protected]>
    Link: https://lore.kernel.org/r/b86f62f099983646f97eeb6bfc0117bb2d0c340d.1718979150.git.u.kleine-koenig@baylibre.com
    Signed-off-by: Uwe Kleine-König <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment [+ + +]
Author: Paul E. McKenney <[email protected]>
Date:   Wed Mar 6 19:21:47 2024 -0800

    rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment
    
    [ Upstream commit 8b9b443fa860276822b25057cb3ff3b28734dec0 ]
    
    The "pipe_count > RCU_TORTURE_PIPE_LEN" check has a comment saying "Should
    not happen, but...".  This is only true when testing an RCU whose grace
    periods are always long enough.  This commit therefore fixes this comment.
    
    Reported-by: Linus Torvalds <[email protected]>
    Closes: https://lore.kernel.org/lkml/CAHk-=wi7rJ-eGq+xaxVfzFEgbL9tdf6Kc8Z89rCpfcQOKm74Tw@mail.gmail.com/
    Signed-off-by: Paul E. McKenney <[email protected]>
    Signed-off-by: Uladzislau Rezki (Sony) <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
regulator: core: Fix modpost error "regulator_get_regmap" undefined [+ + +]
Author: Biju Das <[email protected]>
Date:   Mon Jun 10 20:55:32 2024 +0100

    regulator: core: Fix modpost error "regulator_get_regmap" undefined
    
    [ Upstream commit 3f60497c658d2072714d097a177612d34b34aa3d ]
    
    Fix the modpost error "regulator_get_regmap" undefined by adding export
    symbol.
    
    Fixes: 04eca28cde52 ("regulator: Add helpers for low-level register access")
    Reported-by: kernel test robot <[email protected]>
    Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]
    Signed-off-by: Biju Das <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
Revert "kheaders: substituting --sort in archive creation" [+ + +]
Author: Masahiro Yamada <[email protected]>
Date:   Sun May 21 22:23:35 2023 +0900

    Revert "kheaders: substituting --sort in archive creation"
    
    [ Upstream commit 49c386ebbb43394ff4773ce24f726f6afc4c30c8 ]
    
    This reverts commit 700dea5a0bea9f64eba89fae7cb2540326fdfdc1.
    
    The reason for that commit was --sort=ORDER introduced in
    tar 1.28 (2014). More than 3 years have passed since then.
    
    Requiring GNU tar 1.28 should be fine now because we require
    GCC 5.1 (2015).
    
    Signed-off-by: Masahiro Yamada <[email protected]>
    Reviewed-by: Nicolas Schier <[email protected]>
    Stable-dep-of: 3bd27a847a3a ("kheaders: explicitly define file modes for archived headers")
    Signed-off-by: Sasha Levin <[email protected]>

 
scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory [+ + +]
Author: Breno Leitao <[email protected]>
Date:   Wed Jun 5 01:55:29 2024 -0700

    scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
    
    commit 4254dfeda82f20844299dca6c38cbffcfd499f41 upstream.
    
    There is a potential out-of-bounds access when using test_bit() on a single
    word. The test_bit() and set_bit() functions operate on long values, and
    when testing or setting a single word, they can exceed the word
    boundary. KASAN detects this issue and produces a dump:
    
             BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas
    
             Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965
    
    For full log, please look at [1].
    
    Make the allocation at least the size of sizeof(unsigned long) so that
    set_bit() and test_bit() have sufficient room for read/write operations
    without overwriting unallocated memory.
    
    [1] Link: https://lore.kernel.org/all/[email protected]/
    
    Fixes: c696f7b83ede ("scsi: mpt3sas: Implement device_remove_in_progress check in IOCTL path")
    Cc: [email protected]
    Suggested-by: Keith Busch <[email protected]>
    Signed-off-by: Breno Leitao <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Keith Busch <[email protected]>
    Signed-off-by: Martin K. Petersen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

scsi: qedi: Fix crash while reading debugfs attribute [+ + +]
Author: Manish Rangankar <[email protected]>
Date:   Mon Apr 15 12:51:55 2024 +0530

    scsi: qedi: Fix crash while reading debugfs attribute
    
    [ Upstream commit 28027ec8e32ecbadcd67623edb290dad61e735b5 ]
    
    The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly
    on a __user pointer, which results into the crash.
    
    To fix this issue, use a small local stack buffer for sprintf() and then
    call simple_read_from_buffer(), which in turns make the copy_to_user()
    call.
    
    BUG: unable to handle page fault for address: 00007f4801111000
    PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0
    Oops: 0002 [#1] PREEMPT SMP PTI
    Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023
    RIP: 0010:memcpy_orig+0xcd/0x130
    RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202
    RAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f
    RDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000
    RBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572
    R10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff
    R13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af
    FS:  00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
     <TASK>
     ? __die_body+0x1a/0x60
     ? page_fault_oops+0x183/0x510
     ? exc_page_fault+0x69/0x150
     ? asm_exc_page_fault+0x22/0x30
     ? memcpy_orig+0xcd/0x130
     vsnprintf+0x102/0x4c0
     sprintf+0x51/0x80
     qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]
     full_proxy_read+0x50/0x80
     vfs_read+0xa5/0x2e0
     ? folio_add_new_anon_rmap+0x44/0xa0
     ? set_pte_at+0x15/0x30
     ? do_pte_missing+0x426/0x7f0
     ksys_read+0xa5/0xe0
     do_syscall_64+0x58/0x80
     ? __count_memcg_events+0x46/0x90
     ? count_memcg_event_mm+0x3d/0x60
     ? handle_mm_fault+0x196/0x2f0
     ? do_user_addr_fault+0x267/0x890
     ? exc_page_fault+0x69/0x150
     entry_SYSCALL_64_after_hwframe+0x72/0xdc
    RIP: 0033:0x7f4800f20b4d
    
    Tested-by: Martin Hoyer <[email protected]>
    Reviewed-by: John Meneghini <[email protected]>
    Signed-off-by: Manish Rangankar <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Martin K. Petersen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh [+ + +]
Author: Alessandro Carminati (Red Hat) <[email protected]>
Date:   Thu Mar 14 10:59:11 2024 +0000

    selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh
    
    [ Upstream commit f803bcf9208a2540acb4c32bdc3616673169f490 ]
    
    In some systems, the netcat server can incur in delay to start listening.
    When this happens, the test can randomly fail in various points.
    This is an example error message:
    
       # ip gre none gso
       # encap 192.168.1.1 to 192.168.1.2, type gre, mac none len 2000
       # test basic connectivity
       # Ncat: Connection refused.
    
    The issue stems from a race condition between the netcat client and server.
    The test author had addressed this problem by implementing a sleep, which
    I have removed in this patch.
    This patch introduces a function capable of sleeping for up to two seconds.
    However, it can terminate the waiting period early if the port is reported
    to be listening.
    
    Signed-off-by: Alessandro Carminati (Red Hat) <[email protected]>
    Signed-off-by: Andrii Nakryiko <[email protected]>
    Link: https://lore.kernel.org/bpf/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
selftests/mm: compaction_test: fix bogus test success on Aarch64 [+ + +]
Author: Dev Jain <[email protected]>
Date:   Tue May 21 13:13:56 2024 +0530

    selftests/mm: compaction_test: fix bogus test success on Aarch64
    
    [ Upstream commit d4202e66a4b1fe6968f17f9f09bbc30d08f028a1 ]
    
    Patch series "Fixes for compaction_test", v2.
    
    The compaction_test memory selftest introduces fragmentation in memory
    and then tries to allocate as many hugepages as possible. This series
    addresses some problems.
    
    On Aarch64, if nr_hugepages == 0, then the test trivially succeeds since
    compaction_index becomes 0, which is less than 3, due to no division by
    zero exception being raised. We fix that by checking for division by
    zero.
    
    Secondly, correctly set the number of hugepages to zero before trying
    to set a large number of them.
    
    Now, consider a situation in which, at the start of the test, a non-zero
    number of hugepages have been already set (while running the entire
    selftests/mm suite, or manually by the admin). The test operates on 80%
    of memory to avoid OOM-killer invocation, and because some memory is
    already blocked by hugepages, it would increase the chance of OOM-killing.
    Also, since mem_free used in check_compaction() is the value before we
    set nr_hugepages to zero, the chance that the compaction_index will
    be small is very high if the preset nr_hugepages was high, leading to a
    bogus test success.
    
    This patch (of 3):
    
    Currently, if at runtime we are not able to allocate a huge page, the test
    will trivially pass on Aarch64 due to no exception being raised on
    division by zero while computing compaction_index.  Fix that by checking
    for nr_hugepages == 0.  Anyways, in general, avoid a division by zero by
    exiting the program beforehand.  While at it, fix a typo, and handle the
    case where the number of hugepages may overflow an integer.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory")
    Signed-off-by: Dev Jain <[email protected]>
    Cc: Anshuman Khandual <[email protected]>
    Cc: Shuah Khan <[email protected]>
    Cc: Sri Jayaramappa <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages [+ + +]
Author: Dev Jain <[email protected]>
Date:   Tue May 21 13:13:57 2024 +0530

    selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages
    
    [ Upstream commit 9ad665ef55eaad1ead1406a58a34f615a7c18b5e ]
    
    Currently, the test tries to set nr_hugepages to zero, but that is not
    actually done because the file offset is not reset after read().  Fix that
    using lseek().
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory")
    Signed-off-by: Dev Jain <[email protected]>
    Cc: <[email protected]>
    Cc: Anshuman Khandual <[email protected]>
    Cc: Shuah Khan <[email protected]>
    Cc: Sri Jayaramappa <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

selftests/mm: conform test to TAP format output [+ + +]
Author: Muhammad Usama Anjum <[email protected]>
Date:   Mon Jan 1 13:36:12 2024 +0500

    selftests/mm: conform test to TAP format output
    
    [ Upstream commit 9a21701edc41465de56f97914741bfb7bfc2517d ]
    
    Conform the layout, informational and status messages to TAP.  No
    functional change is intended other than the layout of output messages.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Muhammad Usama Anjum <[email protected]>
    Cc: Shuah Khan <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Stable-dep-of: d4202e66a4b1 ("selftests/mm: compaction_test: fix bogus test success on Aarch64")
    Signed-off-by: Sasha Levin <[email protected]>

 
serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler [+ + +]
Author: Hugo Villeneuve <[email protected]>
Date:   Tue Apr 30 16:04:30 2024 -0400

    serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler
    
    [ Upstream commit 8492bd91aa055907c67ef04f2b56f6dadd1f44bf ]
    
    When using a high speed clock with a low baud rate, the 4x prescaler is
    automatically selected if required. In that case, sc16is7xx_set_baud()
    properly configures the chip registers, but returns an incorrect baud
    rate by not taking into account the prescaler value. This incorrect baud
    rate is then fed to uart_update_timeout().
    
    For example, with an input clock of 80MHz, and a selected baud rate of 50,
    sc16is7xx_set_baud() will return 200 instead of 50.
    
    Fix this by first changing the prescaler variable to hold the selected
    prescaler value instead of the MCR bitfield. Then properly take into
    account the selected prescaler value in the return value computation.
    
    Also add better documentation about the divisor value computation.
    
    Fixes: dfeae619d781 ("serial: sc16is7xx")
    Cc: [email protected]
    Signed-off-by: Hugo Villeneuve <[email protected]>
    Reviewed-by: Jiri Slaby <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

serial: sc16is7xx: replace hardcoded divisor value with BIT() macro [+ + +]
Author: Hugo Villeneuve <[email protected]>
Date:   Thu Dec 21 18:18:19 2023 -0500

    serial: sc16is7xx: replace hardcoded divisor value with BIT() macro
    
    [ Upstream commit 2e57cefc4477659527f7adab1f87cdbf60ef1ae6 ]
    
    To better show why the limit is what it is, since we have only 16 bits for
    the divisor.
    
    Reviewed-by: Andy Shevchenko <[email protected]>
    Suggested-by: Andy Shevchenko <[email protected]>
    Signed-off-by: Hugo Villeneuve <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Stable-dep-of: 8492bd91aa05 ("serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler")
    Signed-off-by: Sasha Levin <[email protected]>

 
soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message [+ + +]
Author: Andrew Davis <[email protected]>
Date:   Mon Mar 25 11:55:07 2024 -0500

    soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message
    
    [ Upstream commit ddbf3204f600a4d1f153498f618369fca352ae00 ]
    
    mbox_send_message() sends a u32 bit message, not a pointer to a message.
    We only convert to a pointer type as a generic type. If we want to send
    a dummy message of 0, then simply send 0 (NULL).
    
    Signed-off-by: Andrew Davis <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Nishanth Menon <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
sparc: fix old compat_sys_select() [+ + +]
Author: Arnd Bergmann <[email protected]>
Date:   Wed Jun 19 14:07:30 2024 +0200

    sparc: fix old compat_sys_select()
    
    [ Upstream commit bae6428a9fffb2023191b0723e276cf1377a7c9f ]
    
    sparc has two identical select syscalls at numbers 93 and 230, respectively.
    During the conversion to the modern syscall.tbl format, the older one of the
    two broke in compat mode, and now refers to the native 64-bit syscall.
    
    Restore the correct behavior. This has very little effect, as glibc has
    been using the newer number anyway.
    
    Fixes: 6ff645dd683a ("sparc: add system call table generation support")
    Signed-off-by: Arnd Bergmann <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
SUNRPC: return proper error from gss_wrap_req_priv [+ + +]
Author: Chen Hanxiao <[email protected]>
Date:   Thu May 23 16:47:16 2024 +0800

    SUNRPC: return proper error from gss_wrap_req_priv
    
    [ Upstream commit 33c94d7e3cb84f6d130678d6d59ba475a6c489cf ]
    
    don't return 0 if snd_buf->len really greater than snd_buf->buflen
    
    Signed-off-by: Chen Hanxiao <[email protected]>
    Fixes: 0c77668ddb4e ("SUNRPC: Introduce trace points in rpc_auth_gss.ko")
    Reviewed-by: Benjamin Coddington <[email protected]>
    Reviewed-by: Chuck Lever <[email protected]>
    Signed-off-by: Trond Myklebust <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB [+ + +]
Author: Jason Xing <[email protected]>
Date:   Tue Jun 4 01:02:16 2024 +0800

    tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
    
    [ Upstream commit a46d0ea5c94205f40ecf912d1bb7806a8a64704f ]
    
    According to RFC 1213, we should also take CLOSE-WAIT sockets into
    consideration:
    
      "tcpCurrEstab OBJECT-TYPE
       ...
       The number of TCP connections for which the current state
       is either ESTABLISHED or CLOSE- WAIT."
    
    After this, CurrEstab counter will display the total number of
    ESTABLISHED and CLOSE-WAIT sockets.
    
    The logic of counting
    When we increment the counter?
    a) if we change the state to ESTABLISHED.
    b) if we change the state from SYN-RECEIVED to CLOSE-WAIT.
    
    When we decrement the counter?
    a) if the socket leaves ESTABLISHED and will never go into CLOSE-WAIT,
    say, on the client side, changing from ESTABLISHED to FIN-WAIT-1.
    b) if the socket leaves CLOSE-WAIT, say, on the server side, changing
    from CLOSE-WAIT to LAST-ACK.
    
    Please note: there are two chances that old state of socket can be changed
    to CLOSE-WAIT in tcp_fin(). One is SYN-RECV, the other is ESTABLISHED.
    So we have to take care of the former case.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Jason Xing <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

tcp: Fix data races around icsk->icsk_af_ops. [+ + +]
Author: Kuniyuki Iwashima <[email protected]>
Date:   Mon Apr 17 16:54:06 2023 +0000

    tcp: Fix data races around icsk->icsk_af_ops.
    
    commit f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 upstream.
    
    setsockopt(IPV6_ADDRFORM) and tcp_v6_connect() change icsk->icsk_af_ops
    under lock_sock(), but tcp_(get|set)sockopt() read it locklessly.  To
    avoid load/store tearing, we need to add READ_ONCE() and WRITE_ONCE()
    for the reads and writes.
    
    Thanks to Eric Dumazet for providing the syzbot report:
    
    BUG: KCSAN: data-race in tcp_setsockopt / tcp_v6_connect
    
    write to 0xffff88813c624518 of 8 bytes by task 23936 on cpu 0:
    tcp_v6_connect+0x5b3/0xce0 net/ipv6/tcp_ipv6.c:240
    __inet_stream_connect+0x159/0x6d0 net/ipv4/af_inet.c:660
    inet_stream_connect+0x44/0x70 net/ipv4/af_inet.c:724
    __sys_connect_file net/socket.c:1976 [inline]
    __sys_connect+0x197/0x1b0 net/socket.c:1993
    __do_sys_connect net/socket.c:2003 [inline]
    __se_sys_connect net/socket.c:2000 [inline]
    __x64_sys_connect+0x3d/0x50 net/socket.c:2000
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    read to 0xffff88813c624518 of 8 bytes by task 23937 on cpu 1:
    tcp_setsockopt+0x147/0x1c80 net/ipv4/tcp.c:3789
    sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3585
    __sys_setsockopt+0x212/0x2b0 net/socket.c:2252
    __do_sys_setsockopt net/socket.c:2263 [inline]
    __se_sys_setsockopt net/socket.c:2260 [inline]
    __x64_sys_setsockopt+0x62/0x70 net/socket.c:2260
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    value changed: 0xffffffff8539af68 -> 0xffffffff8539aff8
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 1 PID: 23937 Comm: syz-executor.5 Not tainted
    6.0.0-rc4-syzkaller-00331-g4ed9c1e971b1-dirty #0
    
    Hardware name: Google Google Compute Engine/Google Compute Engine,
    BIOS Google 08/26/2022
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot <[email protected]>
    Reported-by: Eric Dumazet <[email protected]>
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Kazunori Kobayashi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

tcp: fix race in tcp_v6_syn_recv_sock() [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Thu Jun 6 15:46:51 2024 +0000

    tcp: fix race in tcp_v6_syn_recv_sock()
    
    [ Upstream commit d37fe4255abe8e7b419b90c5847e8ec2b8debb08 ]
    
    tcp_v6_syn_recv_sock() calls ip6_dst_store() before
    inet_sk(newsk)->pinet6 has been set up.
    
    This means ip6_dst_store() writes over the parent (listener)
    np->dst_cookie.
    
    This is racy because multiple threads could share the same
    parent and their final np->dst_cookie could be wrong.
    
    Move ip6_dst_store() call after inet_sk(newsk)->pinet6
    has been changed and after the copy of parent ipv6_pinfo.
    
    Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets")
    Signed-off-by: Eric Dumazet <[email protected]>
    Reviewed-by: Simon Horman <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device() [+ + +]
Author: Oleg Nesterov <[email protected]>
Date:   Tue May 28 14:20:19 2024 +0200

    tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device()
    
    commit 07c54cc5988f19c9642fd463c2dbdac7fc52f777 upstream.
    
    After the recent commit 5097cbcb38e6 ("sched/isolation: Prevent boot crash
    when the boot CPU is nohz_full") the kernel no longer crashes, but there is
    another problem.
    
    In this case tick_setup_device() calls tick_take_do_timer_from_boot() to
    update tick_do_timer_cpu and this triggers the WARN_ON_ONCE(irqs_disabled)
    in smp_call_function_single().
    
    Kill tick_take_do_timer_from_boot() and just use WRITE_ONCE(), the new
    comment explains why this is safe (thanks Thomas!).
    
    Fixes: 08ae95f4fd3b ("nohz_full: Allow the boot CPU to be nohz_full")
    Signed-off-by: Oleg Nesterov <[email protected]>
    Signed-off-by: Thomas Gleixner <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Link: https://lore.kernel.org/all/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
tracing/selftests: Fix kprobe event name test for .isra. functions [+ + +]
Author: Steven Rostedt (Google) <[email protected]>
Date:   Mon May 20 20:57:37 2024 -0400

    tracing/selftests: Fix kprobe event name test for .isra. functions
    
    commit 23a4b108accc29a6125ed14de4a044689ffeda78 upstream.
    
    The kprobe_eventname.tc test checks if a function with .isra. can have a
    kprobe attached to it. It loops through the kallsyms file for all the
    functions that have the .isra. name, and checks if it exists in the
    available_filter_functions file, and if it does, it uses it to attach a
    kprobe to it.
    
    The issue is that kprobes can not attach to functions that are listed more
    than once in available_filter_functions. With the latest kernel, the
    function that is found is: rapl_event_update.isra.0
    
      # grep rapl_event_update.isra.0 /sys/kernel/tracing/available_filter_functions
      rapl_event_update.isra.0
      rapl_event_update.isra.0
    
    It is listed twice. This causes the attached kprobe to it to fail which in
    turn fails the test. Instead of just picking the function function that is
    found in available_filter_functions, pick the first one that is listed
    only once in available_filter_functions.
    
    Cc: [email protected]
    Fixes: 604e3548236d ("selftests/ftrace: Select an existing function in kprobe_eventname test")
    Signed-off-by: Steven Rostedt (Google) <[email protected]>
    Acked-by: Masami Hiramatsu (Google) <[email protected]>
    Signed-off-by: Shuah Khan <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test [+ + +]
Author: Jeff Johnson <[email protected]>
Date:   Sat May 18 15:54:49 2024 -0700

    tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test
    
    [ Upstream commit 23748e3e0fbfe471eff5ce439921629f6a427828 ]
    
    Fix the 'make W=1' warning:
    
    WARNING: modpost: missing MODULE_DESCRIPTION() in kernel/trace/preemptirq_delay_test.o
    
    Link: https://lore.kernel.org/linux-trace-kernel/[email protected]
    
    Cc: [email protected]
    Cc: Mathieu Desnoyers <[email protected]>
    Fixes: f96e8577da10 ("lib: Add module for testing preemptoff/irqsoff latency tracers")
    Acked-by: Masami Hiramatsu (Google) <[email protected]>
    Signed-off-by: Jeff Johnson <[email protected]>
    Signed-off-by: Steven Rostedt (Google) <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
tty: mcf: MCF54418 has 10 UARTS [+ + +]
Author: Jean-Michel Hautbois <[email protected]>
Date:   Thu Jun 20 18:29:59 2024 +0200

    tty: mcf: MCF54418 has 10 UARTS
    
    commit 7c92a8bd53f24d50c8cf4aba53bb75505b382fed upstream.
    
    Most of the colfires have up to 5 UARTs but MCF54418 has up-to 10 !
    Change the maximum value authorized.
    
    Signed-off-by: Jean-Michel Hautbois <[email protected]>
    Cc: stable <[email protected]>
    Fixes: 2545cf6e94b4 ("m68knommu: allow 4 coldfire serial ports")
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
udf: udftime: prevent overflow in udf_disk_stamp_to_time() [+ + +]
Author: Roman Smirnov <[email protected]>
Date:   Wed Mar 27 16:27:55 2024 +0300

    udf: udftime: prevent overflow in udf_disk_stamp_to_time()
    
    [ Upstream commit 3b84adf460381169c085e4bc09e7b57e9e16db0a ]
    
    An overflow can occur in a situation where src.centiseconds
    takes the value of 255. This situation is unlikely, but there
    is no validation check anywere in the code.
    
    Found by Linux Verification Center (linuxtesting.org) with Svace.
    
    Suggested-by: Jan Kara <[email protected]>
    Signed-off-by: Roman Smirnov <[email protected]>
    Reviewed-by: Sergey Shtylyov <[email protected]>
    Signed-off-by: Jan Kara <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
usb-storage: alauda: Check whether the media is initialized [+ + +]
Author: Shichao Lai <[email protected]>
Date:   Sun May 26 09:27:45 2024 +0800

    usb-storage: alauda: Check whether the media is initialized
    
    [ Upstream commit 16637fea001ab3c8df528a8995b3211906165a30 ]
    
    The member "uzonesize" of struct alauda_info will remain 0
    if alauda_init_media() fails, potentially causing divide errors
    in alauda_read_data() and alauda_write_lba().
    - Add a member "media_initialized" to struct alauda_info.
    - Change a condition in alauda_check_media() to ensure the
      first initialization.
    - Add an error check for the return value of alauda_init_media().
    
    Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support")
    Reported-by: xingwei lee <[email protected]>
    Reported-by: yue sun <[email protected]>
    Reviewed-by: Alan Stern <[email protected]>
    Signed-off-by: Shichao Lai <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
usb: atm: cxacru: fix endpoint checking in cxacru_bind() [+ + +]
Author: Nikita Zhandarovich <[email protected]>
Date:   Sun Jun 9 06:15:46 2024 -0700

    usb: atm: cxacru: fix endpoint checking in cxacru_bind()
    
    commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 upstream.
    
    Syzbot is still reporting quite an old issue [1] that occurs due to
    incomplete checking of present usb endpoints. As such, wrong
    endpoints types may be used at urb sumbitting stage which in turn
    triggers a warning in usb_submit_urb().
    
    Fix the issue by verifying that required endpoint types are present
    for both in and out endpoints, taking into account cmd endpoint type.
    
    Unfortunately, this patch has not been tested on real hardware.
    
    [1] Syzbot report:
    usb 1-1: BOGUS urb xfer, pipe 1 != type 3
    WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
    Modules linked in:
    CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Workqueue: usb_hub_wq hub_event
    RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
    ...
    Call Trace:
     cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649
     cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760
     cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209
     usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055
     cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363
     usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
     call_driver_probe drivers/base/dd.c:517 [inline]
     really_probe+0x23c/0xcd0 drivers/base/dd.c:595
     __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
     driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
     __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
     bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
     __device_attach+0x228/0x4a0 drivers/base/dd.c:965
     bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
     device_add+0xc2f/0x2180 drivers/base/core.c:3354
     usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
     usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
     usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
    
    Reported-and-tested-by: [email protected]
    Fixes: 902ffc3c707c ("USB: cxacru: Use a bulk/int URB to access the command endpoint")
    Cc: stable <[email protected]>
    Signed-off-by: Nikita Zhandarovich <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages [+ + +]
Author: Alan Stern <[email protected]>
Date:   Thu Jun 13 21:30:43 2024 -0400

    USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
    
    commit 22f00812862564b314784167a89f27b444f82a46 upstream.
    
    The syzbot fuzzer found that the interrupt-URB completion callback in
    the cdc-wdm driver was taking too long, and the driver's immediate
    resubmission of interrupt URBs with -EPROTO status combined with the
    dummy-hcd emulation to cause a CPU lockup:
    
    cdc_wdm 1-1:1.0: nonzero urb status received: -71
    cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes
    watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]
    CPU#0 Utilization every 4s during lockup:
            #1:  98% system,          0% softirq,     3% hardirq,     0% idle
            #2:  98% system,          0% softirq,     3% hardirq,     0% idle
            #3:  98% system,          0% softirq,     3% hardirq,     0% idle
            #4:  98% system,          0% softirq,     3% hardirq,     0% idle
            #5:  98% system,          1% softirq,     3% hardirq,     0% idle
    Modules linked in:
    irq event stamp: 73096
    hardirqs last  enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]
    hardirqs last  enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994
    hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
    hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
    softirqs last  enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]
    softirqs last  enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582
    softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588
    CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G        W          6.10.0-rc2-syzkaller-g8867bbd4a056 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
    
    Testing showed that the problem did not occur if the two error
    messages -- the first two lines above -- were removed; apparently adding
    material to the kernel log takes a surprisingly large amount of time.
    
    In any case, the best approach for preventing these lockups and to
    avoid spamming the log with thousands of error messages per second is
    to ratelimit the two dev_err() calls.  Therefore we replace them with
    dev_err_ratelimited().
    
    Signed-off-by: Alan Stern <[email protected]>
    Suggested-by: Greg KH <[email protected]>
    Reported-and-tested-by: [email protected]
    Closes: https://lore.kernel.org/linux-usb/[email protected]/
    Reported-and-tested-by: [email protected]
    Closes: https://lore.kernel.org/linux-usb/[email protected]/
    Fixes: 9908a32e94de ("USB: remove err() macro from usb class drivers")
    Link: https://lore.kernel.org/linux-usb/[email protected]/
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete [+ + +]
Author: Wesley Cheng <[email protected]>
Date:   Mon Apr 8 18:40:59 2024 -0700

    usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
    
    [ Upstream commit 24729b307eefcd7c476065cd7351c1a018082c19 ]
    
    FFS based applications can utilize the aio_cancel() callback to dequeue
    pending USB requests submitted to the UDC.  There is a scenario where the
    FFS application issues an AIO cancel call, while the UDC is handling a
    soft disconnect.  For a DWC3 based implementation, the callstack looks
    like the following:
    
        DWC3 Gadget                               FFS Application
    dwc3_gadget_soft_disconnect()              ...
      --> dwc3_stop_active_transfers()
        --> dwc3_gadget_giveback(-ESHUTDOWN)
          --> ffs_epfile_async_io_complete()   ffs_aio_cancel()
            --> usb_ep_free_request()            --> usb_ep_dequeue()
    
    There is currently no locking implemented between the AIO completion
    handler and AIO cancel, so the issue occurs if the completion routine is
    running in parallel to an AIO cancel call coming from the FFS application.
    As the completion call frees the USB request (io_data->req) the FFS
    application is also referencing it for the usb_ep_dequeue() call.  This can
    lead to accessing a stale/hanging pointer.
    
    commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
    relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
    However, in order to properly implement locking to mitigate this issue, the
    spinlock can't be added to ffs_epfile_async_io_complete(), as
    usb_ep_dequeue() (if successfully dequeuing a USB request) will call the
    function driver's completion handler in the same context.  Hence, leading
    into a deadlock.
    
    Fix this issue by moving the usb_ep_free_request() back to
    ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req
    to NULL after freeing it within the ffs->eps_lock.  This resolves the race
    condition above, as the ffs_aio_cancel() routine will not continue
    attempting to dequeue a request that has already been freed, or the
    ffs_user_copy_work() not freeing the USB request until the AIO cancel is
    done referencing it.
    
    This fix depends on
      commit b566d38857fc ("usb: gadget: f_fs: use io_data->status
      consistently")
    
    Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
    Cc: stable <[email protected]>  # b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
    Signed-off-by: Wesley Cheng <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

usb: gadget: printer: SS+ support [+ + +]
Author: Oliver Neukum <[email protected]>
Date:   Thu Jun 20 11:37:39 2024 +0200

    usb: gadget: printer: SS+ support
    
    commit fd80731e5e9d1402cb2f85022a6abf9b1982ec5f upstream.
    
    We need to treat super speed plus as super speed, not the default,
    which is full speed.
    
    Signed-off-by: Oliver Neukum <[email protected]>
    Cc: stable <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

usb: misc: uss720: check for incompatible versions of the Belkin F5U002 [+ + +]
Author: Alex Henrie <[email protected]>
Date:   Tue Mar 26 09:07:11 2024 -0600

    usb: misc: uss720: check for incompatible versions of the Belkin F5U002
    
    [ Upstream commit 3295f1b866bfbcabd625511968e8a5c541f9ab32 ]
    
    The incompatible device in my possession has a sticker that says
    "F5U002 Rev 2" and "P80453-B", and lsusb identifies it as
    "050d:0002 Belkin Components IEEE-1284 Controller". There is a bug
    report from 2007 from Michael Trausch who was seeing the exact same
    errors that I saw in 2024 trying to use this cable.
    
    Link: https://lore.kernel.org/all/[email protected]/
    Signed-off-by: Alex Henrie <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

usb: musb: da8xx: fix a resource leak in probe() [+ + +]
Author: Dan Carpenter <[email protected]>
Date:   Mon Jun 17 12:31:30 2024 +0300

    usb: musb: da8xx: fix a resource leak in probe()
    
    commit de644a4a86be04ed8a43ef8267d0f7d021941c5e upstream.
    
    Call usb_phy_generic_unregister() if of_platform_populate() fails.
    
    Fixes: d6299b6efbf6 ("usb: musb: Add support of CPPI 4.1 DMA controller to DA8xx")
    Cc: stable <[email protected]>
    Signed-off-by: Dan Carpenter <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
virtio_net: checksum offloading handling fix [+ + +]
Author: Heng Qi <[email protected]>
Date:   Mon Jun 17 21:15:23 2024 +0800

    virtio_net: checksum offloading handling fix
    
    [ Upstream commit 604141c036e1b636e2a71cf6e1aa09d1e45f40c2 ]
    
    In virtio spec 0.95, VIRTIO_NET_F_GUEST_CSUM was designed to handle
    partially checksummed packets, and the validation of fully checksummed
    packets by the device is independent of VIRTIO_NET_F_GUEST_CSUM
    negotiation. However, the specification erroneously stated:
    
      "If VIRTIO_NET_F_GUEST_CSUM is not negotiated, the device MUST set flags
       to zero and SHOULD supply a fully checksummed packet to the driver."
    
    This statement is inaccurate because even without VIRTIO_NET_F_GUEST_CSUM
    negotiation, the device can still set the VIRTIO_NET_HDR_F_DATA_VALID flag.
    Essentially, the device can facilitate the validation of these packets'
    checksums - a process known as RX checksum offloading - removing the need
    for the driver to do so.
    
    This scenario is currently not implemented in the driver and requires
    correction. The necessary specification correction[1] has been made and
    approved in the virtio TC vote.
    [1] https://lists.oasis-open.org/archives/virtio-comment/202401/msg00011.html
    
    Fixes: 4f49129be6fa ("virtio-net: Set RXCSUM feature if GUEST_CSUM is available")
    Signed-off-by: Heng Qi <[email protected]>
    Reviewed-by: Jiri Pirko <[email protected]>
    Acked-by: Jason Wang <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
vmci: prevent speculation leaks by sanitizing event in event_deliver() [+ + +]
Author: Hagar Gamal Halim Hemdan <[email protected]>
Date:   Tue Apr 30 08:59:16 2024 +0000

    vmci: prevent speculation leaks by sanitizing event in event_deliver()
    
    commit 8003f00d895310d409b2bf9ef907c56b42a4e0f4 upstream.
    
    Coverity spotted that event_msg is controlled by user-space,
    event_msg->event_data.event is passed to event_deliver() and used
    as an index without sanitization.
    
    This change ensures that the event index is sanitized to mitigate any
    possibility of speculative information leaks.
    
    This bug was discovered and resolved using Coverity Static Analysis
    Security Testing (SAST) by Synopsys, Inc.
    
    Only compile tested, no access to HW.
    
    Fixes: 1d990201f9bb ("VMCI: event handling implementation.")
    Cc: stable <[email protected]>
    Signed-off-by: Hagar Gamal Halim Hemdan <[email protected]>
    Link: https://lore.kernel.org/stable/20231127193533.46174-1-hagarhem%40amazon.com
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
vxlan: Fix regression when dropping packets due to invalid src addresses [+ + +]
Author: Daniel Borkmann <[email protected]>
Date:   Mon Jun 3 10:59:26 2024 +0200

    vxlan: Fix regression when dropping packets due to invalid src addresses
    
    [ Upstream commit 1cd4bc987abb2823836cbb8f887026011ccddc8a ]
    
    Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address")
    has recently been added to vxlan mainly in the context of source
    address snooping/learning so that when it is enabled, an entry in the
    FDB is not being created for an invalid address for the corresponding
    tunnel endpoint.
    
    Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in
    that it passed through whichever macs were set in the L2 header. It
    turns out that this change in behavior breaks setups, for example,
    Cilium with netkit in L3 mode for Pods as well as tunnel mode has been
    passing before the change in f58f45c1e5b9 for both vxlan and geneve.
    After mentioned change it is only passing for geneve as in case of
    vxlan packets are dropped due to vxlan_set_mac() returning false as
    source and destination macs are zero which for E/W traffic via tunnel
    is totally fine.
    
    Fix it by only opting into the is_valid_ether_addr() check in
    vxlan_set_mac() when in fact source address snooping/learning is
    actually enabled in vxlan. This is done by moving the check into
    vxlan_snoop(). With this change, the Cilium connectivity test suite
    passes again for both tunnel flavors.
    
    Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address")
    Signed-off-by: Daniel Borkmann <[email protected]>
    Cc: David Bauer <[email protected]>
    Cc: Ido Schimmel <[email protected]>
    Cc: Nikolay Aleksandrov <[email protected]>
    Cc: Martin KaFai Lau <[email protected]>
    Reviewed-by: Ido Schimmel <[email protected]>
    Reviewed-by: Nikolay Aleksandrov <[email protected]>
    Reviewed-by: David Bauer <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
wifi: cfg80211: pmsr: use correct nla_get_uX functions [+ + +]
Author: Lin Ma <[email protected]>
Date:   Tue May 21 15:50:59 2024 +0800

    wifi: cfg80211: pmsr: use correct nla_get_uX functions
    
    [ Upstream commit ab904521f4de52fef4f179d2dfc1877645ef5f5c ]
    
    The commit 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM
    initiator API") defines four attributes NL80211_PMSR_FTM_REQ_ATTR_
    {NUM_BURSTS_EXP}/{BURST_PERIOD}/{BURST_DURATION}/{FTMS_PER_BURST} in
    following ways.
    
    static const struct nla_policy
    nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
        ...
        [NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
            NLA_POLICY_MAX(NLA_U8, 15),
        [NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
        [NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
            NLA_POLICY_MAX(NLA_U8, 15),
        [NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
            NLA_POLICY_MAX(NLA_U8, 31),
        ...
    };
    
    That is, those attributes are expected to be NLA_U8 and NLA_U16 types.
    However, the consumers of these attributes in `pmsr_parse_ftm` blindly
    all use `nla_get_u32`, which is incorrect and causes functionality issues
    on little-endian platforms. Hence, fix them with the correct `nla_get_u8`
    and `nla_get_u16` functions.
    
    Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
    Signed-off-by: Lin Ma <[email protected]>
    Link: https://msgid.link/[email protected]
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef [+ + +]
Author: Shahar S Matityahu <[email protected]>
Date:   Fri May 10 17:06:39 2024 +0300

    wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef
    
    [ Upstream commit 87821b67dea87addbc4ab093ba752753b002176a ]
    
    The driver should call iwl_dbg_tlv_free even if debugfs is not defined
    since ini mode does not depend on debugfs ifdef.
    
    Fixes: 68f6f492c4fa ("iwlwifi: trans: support loading ini TLVs from external file")
    Signed-off-by: Shahar S Matityahu <[email protected]>
    Reviewed-by: Luciano Coelho <[email protected]>
    Signed-off-by: Miri Korenblit <[email protected]>
    Link: https://msgid.link/20240510170500.c8e3723f55b0.I5e805732b0be31ee6b83c642ec652a34e974ff10@changeid
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

wifi: iwlwifi: mvm: don't read past the mfuart notifcation [+ + +]
Author: Emmanuel Grumbach <[email protected]>
Date:   Mon May 13 13:27:14 2024 +0300

    wifi: iwlwifi: mvm: don't read past the mfuart notifcation
    
    [ Upstream commit 4bb95f4535489ed830cf9b34b0a891e384d1aee4 ]
    
    In case the firmware sends a notification that claims it has more data
    than it has, we will read past that was allocated for the notification.
    Remove the print of the buffer, we won't see it by default. If needed,
    we can see the content with tracing.
    
    This was reported by KFENCE.
    
    Fixes: bdccdb854f2f ("iwlwifi: mvm: support MFUART dump in case of MFUART assert")
    Signed-off-by: Emmanuel Grumbach <[email protected]>
    Reviewed-by: Johannes Berg <[email protected]>
    Signed-off-by: Miri Korenblit <[email protected]>
    Link: https://msgid.link/20240513132416.ba82a01a559e.Ia91dd20f5e1ca1ad380b95e68aebf2794f553d9b@changeid
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 [+ + +]
Author: Johannes Berg <[email protected]>
Date:   Fri May 10 17:06:33 2024 +0300

    wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
    
    [ Upstream commit 4a7aace2899711592327463c1a29ffee44fcc66e ]
    
    We don't actually support >64 even for HE devices, so revert
    back to 64. This fixes an issue where the session is refused
    because the queue is configured differently from the actual
    session later.
    
    Fixes: 514c30696fbc ("iwlwifi: add support for IEEE802.11ax")
    Signed-off-by: Johannes Berg <[email protected]>
    Reviewed-by: Liad Kaufman <[email protected]>
    Reviewed-by: Luciano Coelho <[email protected]>
    Signed-off-by: Miri Korenblit <[email protected]>
    Link: https://msgid.link/20240510170500.52f7b4cf83aa.If47e43adddf7fe250ed7f5571fbb35d8221c7c47@changeid
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() [+ + +]
Author: Remi Pommarel <[email protected]>
Date:   Wed May 29 08:57:53 2024 +0200

    wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
    
    [ Upstream commit 44c06bbde6443de206b30f513100b5670b23fc5e ]
    
    The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
    synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from
    softirq context. However using only spin_lock() to get sta->ps_lock in
    ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
    on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
    take this same lock ending in deadlock. Below is an example of rcu stall
    that arises in such situation.
    
     rcu: INFO: rcu_sched self-detected stall on CPU
     rcu:    2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
     rcu:    (t=42586894 jiffies g=2057 q=362405 ncpus=4)
     CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G        W          6.4.0-02158-g1b062f552873 #742
     Hardware name: RPT (r1) (DT)
     pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : queued_spin_lock_slowpath+0x58/0x2d0
     lr : invoke_tx_handlers_early+0x5b4/0x5c0
     sp : ffff00001ef64660
     x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
     x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
     x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
     x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
     x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
     x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
     x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
     x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
     x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
     x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
     Call trace:
      queued_spin_lock_slowpath+0x58/0x2d0
      ieee80211_tx+0x80/0x12c
      ieee80211_tx_pending+0x110/0x278
      tasklet_action_common.constprop.0+0x10c/0x144
      tasklet_action+0x20/0x28
      _stext+0x11c/0x284
      ____do_softirq+0xc/0x14
      call_on_irq_stack+0x24/0x34
      do_softirq_own_stack+0x18/0x20
      do_softirq+0x74/0x7c
      __local_bh_enable_ip+0xa0/0xa4
      _ieee80211_wake_txqs+0x3b0/0x4b8
      __ieee80211_wake_queue+0x12c/0x168
      ieee80211_add_pending_skbs+0xec/0x138
      ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
      ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
      ieee80211_mps_sta_status_update+0x18/0x24
      sta_apply_parameters+0x3bc/0x4c0
      ieee80211_change_station+0x1b8/0x2dc
      nl80211_set_station+0x444/0x49c
      genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
      genl_rcv_msg+0x1b0/0x244
      netlink_rcv_skb+0x38/0x10c
      genl_rcv+0x34/0x48
      netlink_unicast+0x254/0x2bc
      netlink_sendmsg+0x190/0x3b4
      ____sys_sendmsg+0x1e8/0x218
      ___sys_sendmsg+0x68/0x8c
      __sys_sendmsg+0x44/0x84
      __arm64_sys_sendmsg+0x20/0x28
      do_el0_svc+0x6c/0xe8
      el0_svc+0x14/0x48
      el0t_64_sync_handler+0xb0/0xb4
      el0t_64_sync+0x14c/0x150
    
    Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
    on the same CPU that is holding the lock.
    
    Fixes: 1d147bfa6429 ("mac80211: fix AP powersave TX vs. wakeup race")
    Signed-off-by: Remi Pommarel <[email protected]>
    Link: https://msgid.link/8e36fe07d0fbc146f89196cd47a53c8a0afe84aa.1716910344.git.repk@triplefau.lt
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects [+ + +]
Author: Nicolas Escande <[email protected]>
Date:   Tue May 28 16:26:05 2024 +0200

    wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
    
    [ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ]
    
    The hwmp code use objects of type mesh_preq_queue, added to a list in
    ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath
    gets deleted, ex mesh interface is removed, the entries in that list will
    never get cleaned. Fix this by flushing all corresponding items of the
    preq_queue in mesh_path_flush_pending().
    
    This should take care of KASAN reports like this:
    
    unreferenced object 0xffff00000668d800 (size 128):
      comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s)
      hex dump (first 32 bytes):
        00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff  ..........h.....
        8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00  ....>...........
      backtrace:
        [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
        [<00000000049bd418>] kmalloc_trace+0x34/0x80
        [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
        [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
        [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
        [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
        [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
        [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
        [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
        [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
        [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
        [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
        [<00000000b36425d1>] worker_thread+0x9c/0x634
        [<0000000005852dd5>] kthread+0x1bc/0x1c4
        [<000000005fccd770>] ret_from_fork+0x10/0x20
    unreferenced object 0xffff000009051f00 (size 128):
      comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s)
      hex dump (first 32 bytes):
        90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff  ..........h.....
        36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff  6'.......Xy.....
      backtrace:
        [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
        [<00000000049bd418>] kmalloc_trace+0x34/0x80
        [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
        [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
        [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
        [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
        [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
        [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
        [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
        [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
        [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
        [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
        [<00000000b36425d1>] worker_thread+0x9c/0x634
        [<0000000005852dd5>] kthread+0x1bc/0x1c4
        [<000000005fccd770>] ret_from_fork+0x10/0x20
    
    Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol")
    Signed-off-by: Nicolas Escande <[email protected]>
    Link: https://msgid.link/[email protected]
    Signed-off-by: Johannes Berg <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
 
x86/amd_nb: Check for invalid SMN reads [+ + +]
Author: Yazen Ghannam <[email protected]>
Date:   Mon Apr 3 16:42:44 2023 +0000

    x86/amd_nb: Check for invalid SMN reads
    
    [ Upstream commit c625dabbf1c4a8e77e4734014f2fde7aa9071a1f ]
    
    AMD Zen-based systems use a System Management Network (SMN) that
    provides access to implementation-specific registers.
    
    SMN accesses are done indirectly through an index/data pair in PCI
    config space. The PCI config access may fail and return an error code.
    This would prevent the "read" value from being updated.
    
    However, the PCI config access may succeed, but the return value may be
    invalid. This is in similar fashion to PCI bad reads, i.e. return all
    bits set.
    
    Most systems will return 0 for SMN addresses that are not accessible.
    This is in line with AMD convention that unavailable registers are
    Read-as-Zero/Writes-Ignored.
    
    However, some systems will return a "PCI Error Response" instead. This
    value, along with an error code of 0 from the PCI config access, will
    confuse callers of the amd_smn_read() function.
    
    Check for this condition, clear the return value, and set a proper error
    code.
    
    Fixes: ddfe43cdc0da ("x86/amd_nb: Add SMN and Indirect Data Fabric access for AMD Fam17h")
    Signed-off-by: Yazen Ghannam <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
x86: stop playing stack games in profile_pc() [+ + +]
Author: Linus Torvalds <[email protected]>
Date:   Fri Jun 28 14:27:22 2024 -0700

    x86: stop playing stack games in profile_pc()
    
    [ Upstream commit 093d9603b60093a9aaae942db56107f6432a5dca ]
    
    The 'profile_pc()' function is used for timer-based profiling, which
    isn't really all that relevant any more to begin with, but it also ends
    up making assumptions based on the stack layout that aren't necessarily
    valid.
    
    Basically, the code tries to account the time spent in spinlocks to the
    caller rather than the spinlock, and while I support that as a concept,
    it's not worth the code complexity or the KASAN warnings when no serious
    profiling is done using timers anyway these days.
    
    And the code really does depend on stack layout that is only true in the
    simplest of cases.  We've lost the comment at some point (I think when
    the 32-bit and 64-bit code was unified), but it used to say:
    
            Assume the lock function has either no stack frame or a copy
            of eflags from PUSHF.
    
    which explains why it just blindly loads a word or two straight off the
    stack pointer and then takes a minimal look at the values to just check
    if they might be eflags or the return pc:
    
            Eflags always has bits 22 and up cleared unlike kernel addresses
    
    but that basic stack layout assumption assumes that there isn't any lock
    debugging etc going on that would complicate the code and cause a stack
    frame.
    
    It causes KASAN unhappiness reported for years by syzkaller [1] and
    others [2].
    
    With no real practical reason for this any more, just remove the code.
    
    Just for historical interest, here's some background commits relating to
    this code from 2006:
    
      0cb91a229364 ("i386: Account spinlocks to the caller during profiling for !FP kernels")
      31679f38d886 ("Simplify profile_pc on x86-64")
    
    and a code unification from 2009:
    
      ef4512882dbe ("x86: time_32/64.c unify profile_pc")
    
    but the basics of this thing actually goes back to before the git tree.
    
    Link: https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3 [1]
    Link: https://lore.kernel.org/all/CAK55_s7Xyq=nh97=K=G1sxueOFrJDAvPOJAL4TPTCAYvmxO9_A@mail.gmail.com/ [2]
    Signed-off-by: Linus Torvalds <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Sat Jun 15 15:42:31 2024 +0000

    xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
    
    [ Upstream commit d46401052c2d5614da8efea5788532f0401cb164 ]
    
    ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.
    
    syzbot reported:
    
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
    Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
     RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64
    Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00
    RSP: 0018:ffffc90000117378 EFLAGS: 00010246
    RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7
    RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98
    RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000
    R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
      xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]
      xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]
      xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541
      xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835
      xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]
      xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201
      xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]
      xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309
      ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256
      send6+0x611/0xd20 drivers/net/wireguard/socket.c:139
      wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178
      wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200
      wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
      wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
      process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
      process_scheduled_works kernel/workqueue.c:3312 [inline]
      worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
      kthread+0x2c1/0x3a0 kernel/kthread.c:389
      ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
      ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot <[email protected]>
    Signed-off-by: Eric Dumazet <[email protected]>
    Reviewed-by: David Ahern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
xhci: Apply broken streams quirk to Etron EJ188 xHCI host [+ + +]
Author: Kuangyi Chiang <[email protected]>
Date:   Tue Jun 11 15:06:09 2024 +0300

    xhci: Apply broken streams quirk to Etron EJ188 xHCI host
    
    commit 91f7a1524a92c70ffe264db8bdfa075f15bbbeb9 upstream.
    
    As described in commit 8f873c1ff4ca ("xhci: Blacklist using streams on the
    Etron EJ168 controller"), EJ188 have the same issue as EJ168, where Streams
    do not work reliable on EJ188. So apply XHCI_BROKEN_STREAMS quirk to EJ188
    as well.
    
    Cc: [email protected]
    Signed-off-by: Kuangyi Chiang <[email protected]>
    Signed-off-by: Mathias Nyman <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xhci: Apply reset resume quirk to Etron EJ188 xHCI host [+ + +]
Author: Kuangyi Chiang <[email protected]>
Date:   Tue Jun 11 15:06:08 2024 +0300

    xhci: Apply reset resume quirk to Etron EJ188 xHCI host
    
    commit 17bd54555c2aaecfdb38e2734149f684a73fa584 upstream.
    
    As described in commit c877b3b2ad5c ("xhci: Add reset on resume quirk for
    asrock p67 host"), EJ188 have the same issue as EJ168, where completely
    dies on resume. So apply XHCI_RESET_ON_RESUME quirk to EJ188 as well.
    
    Cc: [email protected]
    Signed-off-by: Kuangyi Chiang <[email protected]>
    Signed-off-by: Mathias Nyman <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

xhci: Set correct transferred length for cancelled bulk transfers [+ + +]
Author: Mathias Nyman <[email protected]>
Date:   Tue Jun 11 15:06:07 2024 +0300

    xhci: Set correct transferred length for cancelled bulk transfers
    
    commit f0260589b439e2637ad54a2b25f00a516ef28a57 upstream.
    
    The transferred length is set incorrectly for cancelled bulk
    transfer TDs in case the bulk transfer ring stops on the last transfer
    block with a 'Stop - Length Invalid' completion code.
    
    length essentially ends up being set to the requested length:
    urb->actual_length = urb->transfer_buffer_length
    
    Length for 'Stop - Length Invalid' cases should be the sum of all
    TRB transfer block lengths up to the one the ring stopped on,
    _excluding_ the one stopped on.
    
    Fix this by always summing up TRB lengths for 'Stop - Length Invalid'
    bulk cases.
    
    This issue was discovered by Alan Stern while debugging
    https://bugzilla.kernel.org/show_bug.cgi?id=218890, but does not
    solve that bug. Issue is older than 4.10 kernel but fix won't apply
    to those due to major reworks in that area.
    
    Tested-by: Pierre Tomon <[email protected]>
    Cc: [email protected] # v4.10+
    Cc: Alan Stern <[email protected]>
    Signed-off-by: Mathias Nyman <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>