Changelog in Linux kernel 6.11.10

 
ALSA: hda/realtek - Fixed Clevo platform headset Mic issue [+ + +]
Author: Kailang Yang <[email protected]>
Date:   Fri Oct 25 16:37:57 2024 +0800

    ALSA: hda/realtek - Fixed Clevo platform headset Mic issue
    
    commit 42ee87df8530150d637aa48363b72b22a9bbd78f upstream.
    
    Clevo platform with ALC255 Headset Mic was disable by default.
    Assigned verb table for Mic pin will enable it.
    
    Signed-off-by: Kailang Yang <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: hda/realtek - update set GPIO3 to default for Thinkpad with ALC1318 [+ + +]
Author: Kailang Yang <[email protected]>
Date:   Tue Nov 12 14:03:53 2024 +0800

    ALSA: hda/realtek - update set GPIO3 to default for Thinkpad with ALC1318
    
    commit 2143c8ae423dbc3f036cae8d18a5a3c272df3deb upstream.
    
    If user no update BIOS, the speaker will no sound.
    This patch support old BIOS to have sound from speaker.
    
    Fixes: 1e707769df07 ("ALSA: hda/realtek - Set GPIO3 to default at S4 state for Thinkpad with ALC1318")
    Signed-off-by: Kailang Yang <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 [+ + +]
Author: Maksym Glubokiy <[email protected]>
Date:   Tue Nov 12 17:48:15 2024 +0200

    ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10
    
    commit 96409eeab8cdd394e03ec494ea9547edc27f7ab4 upstream.
    
    HP EliteBook 645 G10 uses ALC236 codec and need the
    ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to make mute LED and
    micmute LED work.
    
    Signed-off-by: Maksym Glubokiy <[email protected]>
    Cc: <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels [+ + +]
Author: Harith G <[email protected]>
Date:   Wed Sep 18 06:57:11 2024 +0100

    ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels
    
    [ Upstream commit ed6cbe6e5563452f305e89c15846820f2874e431 ]
    
    The patchset introducing kernel_sec_start/end variables to separate the
    kernel/lowmem memory mappings, broke the mapping of the kernel memory
    for xipkernels.
    
    kernel_sec_start/end variables are in RO area before the MMU is switched
    on for xipkernels.
    So these cannot be set early in boot in head.S. Fix this by setting these
    after MMU is switched on.
    xipkernels need two different mappings for kernel text (starting at
    CONFIG_XIP_PHYS_ADDR) and data (starting at CONFIG_PHYS_OFFSET).
    Also, move the kernel code mapping from devicemaps_init() to map_kernel().
    
    Fixes: a91da5457085 ("ARM: 9089/1: Define kernel physical section start and end")
    Signed-off-by: Harith George <[email protected]>
    Reviewed-by: Linus Walleij <[email protected]>
    Signed-off-by: Russell King (Oracle) <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

ARM: fix cacheflush with PAN [+ + +]
Author: Russell King (Oracle) <[email protected]>
Date:   Tue Nov 12 10:16:13 2024 +0000

    ARM: fix cacheflush with PAN
    
    [ Upstream commit ca29cfcc4a21083d671522ad384532e28a43f033 ]
    
    It seems that the cacheflush syscall got broken when PAN for LPAE was
    implemented. User access was not enabled around the cache maintenance
    instructions, causing them to fault.
    
    Fixes: 7af5b901e847 ("ARM: 9358/2: Implement PAN for LPAE by TTBR0 page table walks disablement")
    Reported-by: Michał Pecio <[email protected]>
    Tested-by: Michał Pecio <[email protected]>
    Signed-off-by: Russell King (Oracle) <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
Bluetooth: btintel: Direct exception event to bluetooth stack [+ + +]
Author: Kiran K <[email protected]>
Date:   Tue Oct 22 14:41:34 2024 +0530

    Bluetooth: btintel: Direct exception event to bluetooth stack
    
    [ Upstream commit d5359a7f583ab9b7706915213b54deac065bcb81 ]
    
    Have exception event part of HCI traces which helps for debug.
    
    snoop traces:
    > HCI Event: Vendor (0xff) plen 79
            Vendor Prefix (0x8780)
          Intel Extended Telemetry (0x03)
            Unknown extended telemetry event type (0xde)
            01 01 de
            Unknown extended subevent 0x07
            01 01 de 07 01 de 06 1c ef be ad de ef be ad de
            ef be ad de ef be ad de ef be ad de ef be ad de
            ef be ad de 05 14 ef be ad de ef be ad de ef be
            ad de ef be ad de ef be ad de 43 10 ef be ad de
            ef be ad de ef be ad de ef be ad de
    
    Fixes: af395330abed ("Bluetooth: btintel: Add Intel devcoredump support")
    Signed-off-by: Kiran K <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

Bluetooth: hci_core: Fix calling mgmt_device_connected [+ + +]
Author: Luiz Augusto von Dentz <[email protected]>
Date:   Fri Nov 8 11:19:54 2024 -0500

    Bluetooth: hci_core: Fix calling mgmt_device_connected
    
    [ Upstream commit 7967dc8f797f454d4f4acec15c7df0cdf4801617 ]
    
    Since 61a939c68ee0 ("Bluetooth: Queue incoming ACL data until
    BT_CONNECTED state is reached") there is no long the need to call
    mgmt_device_connected as ACL data will be queued until BT_CONNECTED
    state.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=219458
    Link: https://github.com/bluez/bluez/issues/1014
    Fixes: 333b4fd11e89 ("Bluetooth: L2CAP: Fix uaf in l2cap_connect")
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
bonding: add ns target multicast address to slave device [+ + +]
Author: Hangbin Liu <[email protected]>
Date:   Mon Nov 11 10:16:49 2024 +0000

    bonding: add ns target multicast address to slave device
    
    [ Upstream commit 8eb36164d1a6769a20ed43033510067ff3dab9ee ]
    
    Commit 4598380f9c54 ("bonding: fix ns validation on backup slaves")
    tried to resolve the issue where backup slaves couldn't be brought up when
    receiving IPv6 Neighbor Solicitation (NS) messages. However, this fix only
    worked for drivers that receive all multicast messages, such as the veth
    interface.
    
    For standard drivers, the NS multicast message is silently dropped because
    the slave device is not a member of the NS target multicast group.
    
    To address this, we need to make the slave device join the NS target
    multicast group, ensuring it can receive these IPv6 NS messages to validate
    the slave’s status properly.
    
    There are three policies before joining the multicast group:
    1. All settings must be under active-backup mode (alb and tlb do not support
       arp_validate), with backup slaves and slaves supporting multicast.
    2. We can add or remove multicast groups when arp_validate changes.
    3. Other operations, such as enslaving, releasing, or setting NS targets,
       need to be guarded by arp_validate.
    
    Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets")
    Signed-off-by: Hangbin Liu <[email protected]>
    Reviewed-by: Nikolay Aleksandrov <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
btrfs: fix incorrect comparison for delayed refs [+ + +]
Author: Josef Bacik <[email protected]>
Date:   Wed Nov 13 11:05:13 2024 -0500

    btrfs: fix incorrect comparison for delayed refs
    
    commit 7d493a5ecc26f861421af6e64427d5f697ddd395 upstream.
    
    When I reworked delayed ref comparison in cf4f04325b2b ("btrfs: move
    ->parent and ->ref_root into btrfs_delayed_ref_node"), I made a mistake
    and returned -1 for the case where ref1->ref_root was > than
    ref2->ref_root.  This is a subtle bug that can result in improper
    delayed ref running order, which can result in transaction aborts.
    
    Fixes: cf4f04325b2b ("btrfs: move ->parent and ->ref_root into btrfs_delayed_ref_node")
    CC: [email protected] # 6.10+
    Reviewed-by: Filipe Manana <[email protected]>
    Reviewed-by: Qu Wenruo <[email protected]>
    Signed-off-by: Josef Bacik <[email protected]>
    Reviewed-by: David Sterba <[email protected]>
    Signed-off-by: David Sterba <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
crash, powerpc: default to CRASH_DUMP=n on PPC_BOOK3S_32 [+ + +]
Author: Dave Vasilevsky <[email protected]>
Date:   Tue Sep 17 12:37:20 2024 -0400

    crash, powerpc: default to CRASH_DUMP=n on PPC_BOOK3S_32
    
    commit 31daa34315d45d3fe77f2158d889d523d78852ea upstream.
    
    Fixes boot failures on 6.9 on PPC_BOOK3S_32 machines using Open Firmware.
    On these machines, the kernel refuses to boot from non-zero
    PHYSICAL_START, which occurs when CRASH_DUMP is on.
    
    Since most PPC_BOOK3S_32 machines boot via Open Firmware, it should
    default to off for them.  Users booting via some other mechanism can still
    turn it on explicitly.
    
    Does not change the default on any other architectures for the
    time being.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 75bc255a7444 ("crash: clean up kdump related config items")
    Signed-off-by: Dave Vasilevsky <[email protected]>
    Reported-by: Reimar Döffinger <[email protected]>
    Closes: https://lists.debian.org/debian-powerpc/2024/07/msg00001.html
    Acked-by: Michael Ellerman <[email protected]> [powerpc]
    Acked-by: Baoquan He <[email protected]>
    Cc: "Eric W. Biederman" <[email protected]>
    Cc: John Paul Adrian Glaubitz <[email protected]>
    Cc: Reimar Döffinger <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drivers: perf: Fix wrong put_cpu() placement [+ + +]
Author: Alexandre Ghiti <[email protected]>
Date:   Tue Nov 12 12:34:22 2024 +0100

    drivers: perf: Fix wrong put_cpu() placement
    
    [ Upstream commit 57f7c7dc78cd09622b12920d92b40c1ce11b234e ]
    
    Unfortunately, the wrong patch version was merged which places the
    put_cpu() after enabling a static key, which is not safe as pointed by
    Will [1], so move put_cpu() before to avoid this.
    
    Fixes: 2840dadf0dde ("drivers: perf: Fix smp_processor_id() use in preemptible code")
    Reported-by: Atish Patra <[email protected]>
    Link: https://lore.kernel.org/all/20240827125335.GD4772@willie-the-truck/ [1]
    Signed-off-by: Alexandre Ghiti <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Palmer Dabbelt <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/amd/display: Adjust VSDB parser for replay feature [+ + +]
Author: Rodrigo Siqueira <[email protected]>
Date:   Tue Nov 5 08:40:23 2024 -0700

    drm/amd/display: Adjust VSDB parser for replay feature
    
    commit 16dd2825c23530f2259fc671960a3a65d2af69bd upstream.
    
    At some point, the IEEE ID identification for the replay check in the
    AMD EDID was added. However, this check causes the following
    out-of-bounds issues when using KASAN:
    
    [   27.804016] BUG: KASAN: slab-out-of-bounds in amdgpu_dm_update_freesync_caps+0xefa/0x17a0 [amdgpu]
    [   27.804788] Read of size 1 at addr ffff8881647fdb00 by task systemd-udevd/383
    
    ...
    
    [   27.821207] Memory state around the buggy address:
    [   27.821215]  ffff8881647fda00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   27.821224]  ffff8881647fda80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   27.821234] >ffff8881647fdb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [   27.821243]                    ^
    [   27.821250]  ffff8881647fdb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [   27.821259]  ffff8881647fdc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   27.821268] ==================================================================
    
    This is caused because the ID extraction happens outside of the range of
    the edid lenght. This commit addresses this issue by considering the
    amd_vsdb_block size.
    
    Cc: ChiaHsuan Chung <[email protected]>
    Reviewed-by: Leo Li <[email protected]>
    Signed-off-by: Rodrigo Siqueira <[email protected]>
    Signed-off-by: Hamza Mahfooz <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit b7e381b1ccd5e778e3d9c44c669ad38439a861d8)
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/amd/display: Change some variable name of psr [+ + +]
Author: Tom Chung <[email protected]>
Date:   Tue Oct 29 15:38:16 2024 +0800

    drm/amd/display: Change some variable name of psr
    
    commit b8d9d5fef4915a383b4ce4d0f418352aa4701a87 upstream.
    
    Panel Replay feature may also use the same variable with PSR.
    Change the variable name and make it not specify for PSR.
    
    Reviewed-by: Leo Li <[email protected]>
    Signed-off-by: Tom Chung <[email protected]>
    Signed-off-by: Hamza Mahfooz <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit c7fafb7a46b38a11a19342d153f505749bf56f3e)
    Cc: [email protected] # 6.11+
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/amd/display: Fix failure to read vram info due to static BP_RESULT [+ + +]
Author: Hamish Claxton <[email protected]>
Date:   Tue Nov 5 10:42:31 2024 +1000

    drm/amd/display: Fix failure to read vram info due to static BP_RESULT
    
    commit 4bb2f52ac01b8d45d64c7c04881207722e5e6fe4 upstream.
    
    The static declaration causes the check to fail.  Remove it.
    
    Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3678
    Fixes: 00c391102abc ("drm/amd/display: Add misc DC changes for DCN401")
    Reviewed-by: Harry Wentland <[email protected]>
    Signed-off-by: Hamish Claxton <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected]
    Cc: [email protected]
    (cherry picked from commit 91314e7dfd83345b8b820b782b2511c9c32866cd)
    Cc: [email protected] # 6.11.x
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/amd/display: Fix Panel Replay not update screen correctly [+ + +]
Author: Tom Chung <[email protected]>
Date:   Tue Oct 29 17:28:23 2024 +0800

    drm/amd/display: Fix Panel Replay not update screen correctly
    
    commit bd8a9576617439bdc907c9ce0875909aea4221cb upstream.
    
    [Why]
    In certain use case such as KDE login screen, there will be no atomic
    commit while do the frame update.
    If the Panel Replay enabled, it will cause the screen not updated and
    looks like system hang.
    
    [How]
    Delay few atomic commits before enabled the Panel Replay just like PSR.
    
    Fixes: be64336307a6c ("drm/amd/display: Re-enable panel replay feature")
    Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3686
    Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3682
    Tested-By: Corey Hickey <[email protected]>
    Tested-By: James Courtier-Dutton <[email protected]>
    Reviewed-by: Leo Li <[email protected]>
    Signed-off-by: Tom Chung <[email protected]>
    Signed-off-by: Hamza Mahfooz <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit ca628f0eddd73adfccfcc06b2a55d915bca4a342)
    Cc: [email protected] # 6.11+
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/amd/display: Handle dml allocation failure to avoid crash [+ + +]
Author: Ryan Seto <[email protected]>
Date:   Fri Nov 1 10:19:56 2024 -0400

    drm/amd/display: Handle dml allocation failure to avoid crash
    
    commit 6825cb07b79ffeb1d90ffaa7a1227462cdca34ae upstream.
    
    [Why]
    In the case where a dml allocation fails for any reason, the
    current state's dml contexts would no longer be valid. Then
    subsequent calls dc_state_copy_internal would shallow copy
    invalid memory and if the new state was released, a double
    free would occur.
    
    [How]
    Reset dml pointers in new_state to NULL and avoid invalid
    pointer
    
    Reviewed-by: Dillon Varone <[email protected]>
    Signed-off-by: Ryan Seto <[email protected]>
    Signed-off-by: Hamza Mahfooz <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit bcafdc61529a48f6f06355d78eb41b3aeda5296c)
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/amd/display: Require minimum VBlank size for stutter optimization [+ + +]
Author: Dillon Varone <[email protected]>
Date:   Fri Nov 1 12:00:14 2024 -0400

    drm/amd/display: Require minimum VBlank size for stutter optimization
    
    commit 9fc0cbcb6e45d6fc96ffd3bb7b6d6d28d693ff4d upstream.
    
    If the nominal VBlank is too small, optimizing for stutter can cause
    the prefetch bandwidth to increase drasticaly, resulting in higher
    clock and power requirements. Only optimize if it is >3x the stutter
    latency.
    
    Reviewed-by: Austin Zheng <[email protected]>
    Signed-off-by: Dillon Varone <[email protected]>
    Signed-off-by: Hamza Mahfooz <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit 003215f962cdf2265f126a3f4c9ad20917f87fca)
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/amd/display: Run idle optimizations at end of vblank handler [+ + +]
Author: Leo Li <[email protected]>
Date:   Thu Jul 11 14:38:11 2024 -0400

    drm/amd/display: Run idle optimizations at end of vblank handler
    
    commit 17e68f89132b9ee4b144358b49e5df404b314181 upstream.
    
    [Why & How]
    1. After allowing idle optimizations, hw programming is disallowed.
    2. Before hw programming, we need to disallow idle optimizations.
    
    Otherwise, in scenario 1, we will immediately kick hw out of idle
    optimizations with register access.
    
    Scenario 2 is less of a concern, since any register access will kick
    hw out of idle optimizations. But we'll do it early for correctness.
    
    Signed-off-by: Leo Li <[email protected]>
    Reviewed-by: Aurabindo Pillai <[email protected]>
    Tested-by: Daniel Wheeler <[email protected]>
    Signed-off-by: Rodrigo Siqueira <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/amd/pm: print pp_dpm_mclk in ascending order on SMU v14.0.0 [+ + +]
Author: Tim Huang <[email protected]>
Date:   Mon Oct 28 13:51:50 2024 +0800

    drm/amd/pm: print pp_dpm_mclk in ascending order on SMU v14.0.0
    
    commit df0279e2a1c0735e8ca80c5df8d9f8f9fc120b4a upstream.
    
    Currently, the pp_dpm_mclk values are reported in descending order
    on SMU IP v14.0.0/1/4. Adjust to ascending order for consistency
    with other clock interfaces.
    
    Signed-off-by: Tim Huang <[email protected]>
    Reviewed-by: Yifan Zhang <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit d4be16ccfd5bf822176740a51ff2306679a2247e)
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/amd: Fix initialization mistake for NBIO 7.7.0 [+ + +]
Author: Vijendar Mukunda <[email protected]>
Date:   Tue Nov 12 10:11:42 2024 -0600

    drm/amd: Fix initialization mistake for NBIO 7.7.0
    
    commit 7013a8268d311fded6c7a6528fc1de82668e75f6 upstream.
    
    There is a strapping issue on NBIO 7.7.0 that can lead to spurious PME
    events while in the D0 state.
    
    Co-developed-by: Mario Limonciello <[email protected]>
    Signed-off-by: Vijendar Mukunda <[email protected]>
    Signed-off-by: Mario Limonciello <[email protected]>
    Acked-by: Alex Deucher <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit 447a54a0f79c9a409ceaa17804bdd2e0206397b9)
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/amdgpu/mes12: correct kiq unmap latency [+ + +]
Author: Jack Xiao <[email protected]>
Date:   Mon Nov 4 18:06:01 2024 +0800

    drm/amdgpu/mes12: correct kiq unmap latency
    
    commit 79365ea70714427b4dff89b43234ad7c3233d7ba upstream.
    
    Correct kiq unmap queue timeout value.
    
    Signed-off-by: Jack Xiao <[email protected]>
    Reviewed-by: Hawking Zhang <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit cfe98204a06329b6b7fce1b828b7d620473181ff)
    Cc: [email protected] # 6.11.x
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/amdgpu: enable GTT fallback handling for dGPUs only [+ + +]
Author: Christian König <[email protected]>
Date:   Tue Jun 4 18:05:00 2024 +0200

    drm/amdgpu: enable GTT fallback handling for dGPUs only
    
    commit 5a67c31669a3aca814a99428328d2be40d82b333 upstream.
    
    That is just a waste of time on APUs.
    
    Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3704
    Fixes: 216c1282dde3 ("drm/amdgpu: use GTT only as fallback for VRAM|GTT")
    Reviewed-by: Alex Deucher <[email protected]>
    Signed-off-by: Christian König <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit e8fc090d322346e5ce4c4cfe03a8100e31f61c3c)
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/amdgpu: fix check in gmc_v9_0_get_vm_pte() [+ + +]
Author: Christian König <[email protected]>
Date:   Thu Oct 31 10:04:17 2024 +0100

    drm/amdgpu: fix check in gmc_v9_0_get_vm_pte()
    
    commit 0e5ac88fb918297a7484b67f2b484d43bed3fbbe upstream.
    
    The coherency flags can only be determined when the BO is locked and that
    in turn is only guaranteed when the mapping is validated.
    
    Fix the check, move the resource check into the function and add an assert
    that the BO is locked.
    
    Signed-off-by: Christian König <[email protected]>
    Fixes: d1a372af1c3d ("drm/amdgpu: Set MTYPE in PTE based on BO flags")
    Acked-by: Alex Deucher <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit 1b4ca8546f5b5c482717bedb8e031227b1541539)
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/amdgpu: Fix video caps for H264 and HEVC encode maximum size [+ + +]
Author: David Rosca <[email protected]>
Date:   Mon Oct 21 09:36:11 2024 +0200

    drm/amdgpu: Fix video caps for H264 and HEVC encode maximum size
    
    commit d641a151fcaf0d043075b214b469a14abab25af2 upstream.
    
    H264 supports 4096x4096 starting from Polaris.
    HEVC also supports 4096x4096, with VCN 3 and newer 8192x4352
    is supported.
    
    Signed-off-by: David Rosca <[email protected]>
    Reviewed-by: Leo Liu <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    (cherry picked from commit 69e9a9e65b1ea542d07e3fdd4222b46e9f5a3a29)
    Cc: [email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/bridge: tc358768: Fix DSI command tx [+ + +]
Author: Francesco Dolcini <[email protected]>
Date:   Thu Sep 26 16:12:46 2024 +0200

    drm/bridge: tc358768: Fix DSI command tx
    
    commit 32c4514455b2b8fde506f8c0962f15c7e4c26f1d upstream.
    
    Wait for the command transmission to be completed in the DSI transfer
    function polling for the dc_start bit to go back to idle state after the
    transmission is started.
    
    This is documented in the datasheet and failures to do so lead to
    commands corruption.
    
    Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver")
    Cc: [email protected]
    Signed-off-by: Francesco Dolcini <[email protected]>
    Reviewed-by: Neil Armstrong <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Neil Armstrong <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/i915/gsc: ARL-H and ARL-U need a newer GSC FW. [+ + +]
Author: Daniele Ceraolo Spurio <[email protected]>
Date:   Mon Oct 28 16:31:32 2024 -0700

    drm/i915/gsc: ARL-H and ARL-U need a newer GSC FW.
    
    [ Upstream commit db0fc586edde83ff7ff65fea56c4f72dae511764 ]
    
    All MTL and ARL SKUs share the same GSC FW, but the newer platforms are
    only supported in newer blobs. In particular, ARL-S is supported
    starting from 102.0.10.1878 (which is already the minimum required
    version for ARL in the code), while ARL-H and ARL-U are supported from
    102.1.15.1926. Therefore, the driver needs to check which specific ARL
    subplatform its running on when verifying that the GSC FW is new enough
    for it.
    
    Fixes: 2955ae8186c8 ("drm/i915: ARL requires a newer GSC firmware")
    Signed-off-by: Daniele Ceraolo Spurio <[email protected]>
    Cc: John Harrison <[email protected]>
    Cc: Rodrigo Vivi <[email protected]>
    Reviewed-by: Rodrigo Vivi <[email protected]>
    Reviewed-by: John Harrison <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit 3c1d5ced18db8a67251c8436cf9bdc061f972bdb)
    Signed-off-by: Joonas Lahtinen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/panthor: Fix handling of partial GPU mapping of BOs [+ + +]
Author: Akash Goel <[email protected]>
Date:   Mon Nov 11 13:47:20 2024 +0000

    drm/panthor: Fix handling of partial GPU mapping of BOs
    
    [ Upstream commit 3387e043918e154ca08d83954966a8b087fe2835 ]
    
    This commit fixes the bug in the handling of partial mapping of the
    buffer objects to the GPU, which caused kernel warnings.
    
    Panthor didn't correctly handle the case where the partial mapping
    spanned multiple scatterlists and the mapping offset didn't point
    to the 1st page of starting scatterlist. The offset variable was
    not cleared after reaching the starting scatterlist.
    
    Following warning messages were seen.
    WARNING: CPU: 1 PID: 650 at drivers/iommu/io-pgtable-arm.c:659 __arm_lpae_unmap+0x254/0x5a0
    <snip>
    pc : __arm_lpae_unmap+0x254/0x5a0
    lr : __arm_lpae_unmap+0x2cc/0x5a0
    <snip>
    Call trace:
     __arm_lpae_unmap+0x254/0x5a0
     __arm_lpae_unmap+0x108/0x5a0
     __arm_lpae_unmap+0x108/0x5a0
     __arm_lpae_unmap+0x108/0x5a0
     arm_lpae_unmap_pages+0x80/0xa0
     panthor_vm_unmap_pages+0xac/0x1c8 [panthor]
     panthor_gpuva_sm_step_unmap+0x4c/0xc8 [panthor]
     op_unmap_cb.isra.23.constprop.30+0x54/0x80
     __drm_gpuvm_sm_unmap+0x184/0x1c8
     drm_gpuvm_sm_unmap+0x40/0x60
     panthor_vm_exec_op+0xa8/0x120 [panthor]
     panthor_vm_bind_exec_sync_op+0xc4/0xe8 [panthor]
     panthor_ioctl_vm_bind+0x10c/0x170 [panthor]
     drm_ioctl_kernel+0xbc/0x138
     drm_ioctl+0x210/0x4b0
     __arm64_sys_ioctl+0xb0/0xf8
     invoke_syscall+0x4c/0x110
     el0_svc_common.constprop.1+0x98/0xf8
     do_el0_svc+0x24/0x38
     el0_svc+0x34/0xc8
     el0t_64_sync_handler+0xa0/0xc8
     el0t_64_sync+0x174/0x178
    <snip>
    panthor : [drm] drm_WARN_ON(unmapped_sz != pgsize * pgcount)
    WARNING: CPU: 1 PID: 650 at drivers/gpu/drm/panthor/panthor_mmu.c:922 panthor_vm_unmap_pages+0x124/0x1c8 [panthor]
    <snip>
    pc : panthor_vm_unmap_pages+0x124/0x1c8 [panthor]
    lr : panthor_vm_unmap_pages+0x124/0x1c8 [panthor]
    <snip>
    panthor : [drm] *ERROR* failed to unmap range ffffa388f000-ffffa3890000 (requested range ffffa388c000-ffffa3890000)
    
    Fixes: 647810ec2476 ("drm/panthor: Add the MMU/VM logical block")
    Signed-off-by: Akash Goel <[email protected]>
    Reviewed-by: Liviu Dudau <[email protected]>
    Reviewed-by: Steven Price <[email protected]>
    Reviewed-by: Boris Brezillon <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Liviu Dudau <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/rockchip: vop: Fix a dereferenced before check warning [+ + +]
Author: Andy Yan <[email protected]>
Date:   Mon Oct 21 15:28:06 2024 +0800

    drm/rockchip: vop: Fix a dereferenced before check warning
    
    [ Upstream commit ab1c793f457f740ab7108cc0b1340a402dbf484d ]
    
    The 'state' can't be NULL, we should check crtc_state.
    
    Fix warning:
    drivers/gpu/drm/rockchip/rockchip_drm_vop.c:1096
    vop_plane_atomic_async_check() warn: variable dereferenced before check
    'state' (see line 1077)
    
    Fixes: 5ddb0bd4ddc3 ("drm/atomic: Pass the full state to planes async atomic check and update")
    Signed-off-by: Andy Yan <[email protected]>
    Signed-off-by: Heiko Stuebner <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle [+ + +]
Author: Chen Ridong <[email protected]>
Date:   Tue Oct 29 08:34:29 2024 +0000

    drm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle
    
    [ Upstream commit 93d1f41a82de382845af460bf03bcb17dcbf08c5 ]
    
    The 'vmw_user_object_buffer' function may return NULL with incorrect
    inputs. To avoid possible null pointer dereference, add a check whether
    the 'bo' is NULL in the vmw_framebuffer_surface_create_handle.
    
    Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers")
    Signed-off-by: Chen Ridong <[email protected]>
    Signed-off-by: Zack Rusin <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>

 
drm/xe/oa: Fix "Missing outer runtime PM protection" warning [+ + +]
Author: Ashutosh Dixit <[email protected]>
Date:   Fri Nov 8 19:20:03 2024 -0800

    drm/xe/oa: Fix "Missing outer runtime PM protection" warning
    
    commit c0403e4ceecaefbeaf78263dffcd3e3f06a19f6b upstream.
    
    Fix the following drm_WARN:
    
    [953.586396] xe 0000:00:02.0: [drm] Missing outer runtime PM protection
    ...
    <4> [953.587090]  ? xe_pm_runtime_get_noresume+0x8d/0xa0 [xe]
    <4> [953.587208]  guc_exec_queue_add_msg+0x28/0x130 [xe]
    <4> [953.587319]  guc_exec_queue_fini+0x3a/0x40 [xe]
    <4> [953.587425]  xe_exec_queue_destroy+0xb3/0xf0 [xe]
    <4> [953.587515]  xe_oa_release+0x9c/0xc0 [xe]
    
    Suggested-by: John Harrison <[email protected]>
    Suggested-by: Matthew Brost <[email protected]>
    Fixes: e936f885f1e9 ("drm/xe/oa/uapi: Expose OA stream fd")
    Cc: [email protected]
    Signed-off-by: Ashutosh Dixit <[email protected]>
    Reviewed-by: Matthew Brost <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit b107c63d2953907908fd0cafb0e543b3c3167b75)
    Signed-off-by: Lucas De Marchi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
drm/xe: handle flat ccs during hibernation on igpu [+ + +]
Author: Matthew Auld <[email protected]>
Date:   Tue Nov 12 16:28:28 2024 +0000

    drm/xe: handle flat ccs during hibernation on igpu
    
    commit be7eeaba2a11d7c16a9dc034a25f224f1343f303 upstream.
    
    Starting from LNL, CCS has moved over to flat CCS model where there is
    now dedicated memory reserved for storing compression state. On
    platforms like LNL this reserved memory lives inside graphics stolen
    memory, which is not treated like normal RAM and is therefore skipped by
    the core kernel when creating the hibernation image. Currently if
    something was compressed and we enter hibernation all the corresponding
    CCS state is lost on such HW, resulting in corrupted memory. To fix this
    evict user buffers from TT -> SYSTEM to ensure we take a snapshot of the
    raw CCS state when entering hibernation, where upon resuming we can
    restore the raw CCS state back when next validating the buffer. This has
    been confirmed to fix display corruption on LNL when coming back from
    hibernation.
    
    Fixes: cbdc52c11c9b ("drm/xe/xe2: Support flat ccs")
    Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3409
    Signed-off-by: Matthew Auld <[email protected]>
    Cc: Matthew Brost <[email protected]>
    Cc: <[email protected]> # v6.8+
    Reviewed-by: Rodrigo Vivi <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit c8b3c6db941299d7cc31bd9befed3518fdebaf68)
    Signed-off-by: Lucas De Marchi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

drm/xe: improve hibernation on igpu [+ + +]
Author: Matthew Auld <[email protected]>
Date:   Fri Nov 1 17:01:57 2024 +0000

    drm/xe: improve hibernation on igpu
    
    [ Upstream commit 46f1f4b0f3c2a2dff9887de7c66ccc7ef482bd83 ]
    
    The GGTT looks to be stored inside stolen memory on igpu which is not
    treated as normal RAM.  The core kernel skips this memory range when
    creating the hibernation image, therefore when coming back from
    hibernation the GGTT programming is lost. This seems to cause issues
    with broken resume where GuC FW fails to load:
    
    [drm] *ERROR* GT0: load failed: status = 0x400000A0, time = 10ms, freq = 1250MHz (req 1300MHz), done = -1
    [drm] *ERROR* GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01
    [drm] *ERROR* GT0: firmware signature verification failed
    [drm] *ERROR* CRITICAL: Xe has declared device 0000:00:02.0 as wedged.
    
    Current GGTT users are kernel internal and tracked as pinned, so it
    should be possible to hook into the existing save/restore logic that we
    use for dgpu, where the actual evict is skipped but on restore we
    importantly restore the GGTT programming.  This has been confirmed to
    fix hibernation on at least ADL and MTL, though likely all igpu
    platforms are affected.
    
    This also means we have a hole in our testing, where the existing s4
    tests only really test the driver hooks, and don't go as far as actually
    rebooting and restoring from the hibernation image and in turn powering
    down RAM (and therefore losing the contents of stolen).
    
    v2 (Brost)
     - Remove extra newline and drop unnecessary parentheses.
    
    Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
    Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3275
    Signed-off-by: Matthew Auld <[email protected]>
    Cc: Matthew Brost <[email protected]>
    Cc: <[email protected]> # v6.8+
    Reviewed-by: Matthew Brost <[email protected]>
    Reviewed-by: Lucas De Marchi <[email protected]>
    Signed-off-by: Matthew Brost <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit f2a6b8e396666d97ada8e8759dfb6a69d8df6380)
    Signed-off-by: Lucas De Marchi <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

drm/xe: Restore system memory GGTT mappings [+ + +]
Author: Matthew Brost <[email protected]>
Date:   Thu Oct 31 11:22:57 2024 -0700

    drm/xe: Restore system memory GGTT mappings
    
    [ Upstream commit dd886a63d6e2ce5c16e662c07547c067ad7d91f5 ]
    
    GGTT mappings reside on the device and this state is lost during suspend
    / d3cold thus this state must be restored resume regardless if the BO is
    in system memory or VRAM.
    
    v2:
     - Unnecessary parentheses around bo->placements[0] (Checkpatch)
    
    Signed-off-by: Matthew Brost <[email protected]>
    Reviewed-by: Matthew Auld <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit a19d1db9a3fa89fabd7c83544b84f393ee9b851f)
    Signed-off-by: Lucas De Marchi <[email protected]>
    Stable-dep-of: 46f1f4b0f3c2 ("drm/xe: improve hibernation on igpu")
    Signed-off-by: Sasha Levin <[email protected]>

 
evm: stop avoidably reading i_writecount in evm_file_release [+ + +]
Author: Mateusz Guzik <[email protected]>
Date:   Tue Aug 6 15:36:07 2024 +0200

    evm: stop avoidably reading i_writecount in evm_file_release
    
    commit 699ae6241920b0fa837fa57e61f7d5b0e2e65b58 upstream.
    
    The EVM_NEW_FILE flag is unset if the file already existed at the time
    of open and this can be checked without looking at i_writecount.
    
    Not accessing it reduces traffic on the cacheline during parallel open
    of the same file and drop the evm_file_release routine from second place
    to bottom of the profile.
    
    Fixes: 75a323e604fc ("evm: Make it independent from 'integrity' LSM")
    Signed-off-by: Mateusz Guzik <[email protected]>
    Reviewed-by: Roberto Sassu <[email protected]>
    Cc: [email protected] # 6.9+
    Signed-off-by: Mimi Zohar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
firmware: arm_scmi: Report duplicate opps as firmware bugs [+ + +]
Author: Sibi Sankar <[email protected]>
Date:   Wed Oct 30 18:25:09 2024 +0530

    firmware: arm_scmi: Report duplicate opps as firmware bugs
    
    commit e2261bb81e0db86c3c866734cf93232a58464ecd upstream.
    
    Duplicate opps reported by buggy SCP firmware currently show up
    as warnings even though the only functional impact is that the
    level/index remain inaccessible. Make it less scary for the end
    user by using dev_info instead, along with FW_BUG tag.
    
    Suggested-by: Johan Hovold <[email protected]>
    Signed-off-by: Sibi Sankar <[email protected]>
    Reviewed-by: Cristian Marussi <[email protected]>
    Reviewed-by: Florian Fainelli <[email protected]>
    Reviewed-by: Sudeep Holla <[email protected]>
    Cc: [email protected]
    Message-ID: <[email protected]>
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

firmware: arm_scmi: Skip opp duplicates [+ + +]
Author: Cristian Marussi <[email protected]>
Date:   Wed Oct 30 18:25:08 2024 +0530

    firmware: arm_scmi: Skip opp duplicates
    
    commit 5d8a766226587d111620df520dd9239c009cb154 upstream.
    
    Buggy firmware can reply with duplicated PERF opps descriptors.
    
    Ensure that the bad duplicates reported by the platform firmware doesn't
    get added to the opp-tables.
    
    Reported-by: Johan Hovold <[email protected]>
    Closes: https://lore.kernel.org/lkml/[email protected]/
    Signed-off-by: Cristian Marussi <[email protected]>
    Tested-by: Johan Hovold <[email protected]>
    Reviewed-by: Sudeep Holla <[email protected]>
    Cc: [email protected]
    Message-ID: <[email protected]>
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args() [+ + +]
Author: Dan Carpenter <[email protected]>
Date:   Thu Nov 14 11:59:32 2024 +0300

    fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args()
    
    commit 669b0cb81e4e4e78cff77a5b367c7f70c0c6c05e upstream.
    
    The "arg->vec_len" variable is a u64 that comes from the user at the start
    of the function.  The "arg->vec_len * sizeof(struct page_region))"
    multiplication can lead to integer wrapping.  Use size_mul() to avoid
    that.
    
    Also the size_add/mul() functions work on unsigned long so for 32bit
    systems we need to ensure that "arg->vec_len" fits in an unsigned long.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
    Signed-off-by: Dan Carpenter <[email protected]>
    Cc: Andrei Vagin <[email protected]>
    Cc: Andrii Nakryiko <[email protected]>
    Cc: Arnd Bergmann <[email protected]>
    Cc: David Hildenbrand <[email protected]>
    Cc: Matthew Wilcox <[email protected]>
    Cc: Michał Mirosław <[email protected]>
    Cc: Muhammad Usama Anjum <[email protected]>
    Cc: Oscar Salvador <[email protected]>
    Cc: Peter Xu <[email protected]>
    Cc: Ryan Roberts <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ima: fix buffer overrun in ima_eventdigest_init_common [+ + +]
Author: Samasth Norway Ananda <[email protected]>
Date:   Wed Aug 7 10:27:13 2024 -0700

    ima: fix buffer overrun in ima_eventdigest_init_common
    
    commit 923168a0631bc42fffd55087b337b1b6c54dcff5 upstream.
    
    Function ima_eventdigest_init() calls ima_eventdigest_init_common()
    with HASH_ALGO__LAST which is then used to access the array
    hash_digest_size[] leading to buffer overrun. Have a conditional
    statement to handle this.
    
    Fixes: 9fab303a2cb3 ("ima: fix violation measurement list record")
    Signed-off-by: Samasth Norway Ananda <[email protected]>
    Tested-by: Enrico Bravi (PhD at polito.it) <[email protected]>
    Cc: [email protected] # 5.19+
    Signed-off-by: Mimi Zohar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled [+ + +]
Author: Sean Christopherson <[email protected]>
Date:   Thu Oct 31 13:20:11 2024 -0700

    KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled
    
    commit 2657b82a78f18528bef56dc1b017158490970873 upstream.
    
    When getting the current VPID, e.g. to emulate a guest TLB flush, return
    vpid01 if L2 is running but with VPID disabled, i.e. if VPID is disabled
    in vmcs12.  Architecturally, if VPID is disabled, then the guest and host
    effectively share VPID=0.  KVM emulates this behavior by using vpid01 when
    running an L2 with VPID disabled (see prepare_vmcs02_early_rare()), and so
    KVM must also treat vpid01 as the current VPID while L2 is active.
    
    Unconditionally treating vpid02 as the current VPID when L2 is active
    causes KVM to flush TLB entries for vpid02 instead of vpid01, which
    results in TLB entries from L1 being incorrectly preserved across nested
    VM-Enter to L2 (L2=>L1 isn't problematic, because the TLB flush after
    nested VM-Exit flushes vpid01).
    
    The bug manifests as failures in the vmx_apicv_test KVM-Unit-Test, as KVM
    incorrectly retains TLB entries for the APIC-access page across a nested
    VM-Enter.
    
    Opportunisticaly add comments at various touchpoints to explain the
    architectural requirements, and also why KVM uses vpid01 instead of vpid02.
    
    All credit goes to Chao, who root caused the issue and identified the fix.
    
    Link: https://lore.kernel.org/all/[email protected]
    Fixes: 2b4a5a5d5688 ("KVM: nVMX: Flush current VPID (L1 vs. L2) for KVM_REQ_TLB_FLUSH_GUEST")
    Cc: [email protected]
    Cc: Like Xu <[email protected]>
    Debugged-by: Chao Gao <[email protected]>
    Reviewed-by: Chao Gao <[email protected]>
    Tested-by: Chao Gao <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Sean Christopherson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

KVM: selftests: Disable strict aliasing [+ + +]
Author: Sean Christopherson <[email protected]>
Date:   Wed Oct 9 08:49:41 2024 -0700

    KVM: selftests: Disable strict aliasing
    
    commit 5b188cc4866aaf712e896f92ac42c7802135e507 upstream.
    
    Disable strict aliasing, as has been done in the kernel proper for decades
    (literally since before git history) to fix issues where gcc will optimize
    away loads in code that looks 100% correct, but is _technically_ undefined
    behavior, and thus can be thrown away by the compiler.
    
    E.g. arm64's vPMU counter access test casts a uint64_t (unsigned long)
    pointer to a u64 (unsigned long long) pointer when setting PMCR.N via
    u64p_replace_bits(), which gcc-13 detects and optimizes away, i.e. ignores
    the result and uses the original PMCR.
    
    The issue is most easily observed by making set_pmcr_n() noinline and
    wrapping the call with printf(), e.g. sans comments, for this code:
    
      printf("orig = %lx, next = %lx, want = %lu\n", pmcr_orig, pmcr, pmcr_n);
      set_pmcr_n(&pmcr, pmcr_n);
      printf("orig = %lx, next = %lx, want = %lu\n", pmcr_orig, pmcr, pmcr_n);
    
    gcc-13 generates:
    
     0000000000401c90 <set_pmcr_n>:
      401c90:       f9400002        ldr     x2, [x0]
      401c94:       b3751022        bfi     x2, x1, #11, #5
      401c98:       f9000002        str     x2, [x0]
      401c9c:       d65f03c0        ret
    
     0000000000402660 <test_create_vpmu_vm_with_pmcr_n>:
      402724:       aa1403e3        mov     x3, x20
      402728:       aa1503e2        mov     x2, x21
      40272c:       aa1603e0        mov     x0, x22
      402730:       aa1503e1        mov     x1, x21
      402734:       940060ff        bl      41ab30 <_IO_printf>
      402738:       aa1403e1        mov     x1, x20
      40273c:       910183e0        add     x0, sp, #0x60
      402740:       97fffd54        bl      401c90 <set_pmcr_n>
      402744:       aa1403e3        mov     x3, x20
      402748:       aa1503e2        mov     x2, x21
      40274c:       aa1503e1        mov     x1, x21
      402750:       aa1603e0        mov     x0, x22
      402754:       940060f7        bl      41ab30 <_IO_printf>
    
    with the value stored in [sp + 0x60] ignored by both printf() above and
    in the test proper, resulting in a false failure due to vcpu_set_reg()
    simply storing the original value, not the intended value.
    
      $ ./vpmu_counter_access
      Random seed: 0x6b8b4567
      orig = 3040, next = 3040, want = 0
      orig = 3040, next = 3040, want = 0
      ==== Test Assertion Failure ====
        aarch64/vpmu_counter_access.c:505: pmcr_n == get_pmcr_n(pmcr)
        pid=71578 tid=71578 errno=9 - Bad file descriptor
           1        0x400673: run_access_test at vpmu_counter_access.c:522
           2         (inlined by) main at vpmu_counter_access.c:643
           3        0x4132d7: __libc_start_call_main at libc-start.o:0
           4        0x413653: __libc_start_main at ??:0
           5        0x40106f: _start at ??:0
        Failed to update PMCR.N to 0 (received: 6)
    
    Somewhat bizarrely, gcc-11 also exhibits the same behavior, but only if
    set_pmcr_n() is marked noinline, whereas gcc-13 fails even if set_pmcr_n()
    is inlined in its sole caller.
    
    Cc: [email protected]
    Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116912
    Signed-off-by: Sean Christopherson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN [+ + +]
Author: Sean Christopherson <[email protected]>
Date:   Fri Nov 1 11:50:30 2024 -0700

    KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN
    
    commit aa0d42cacf093a6fcca872edc954f6f812926a17 upstream.
    
    Hide KVM's pt_mode module param behind CONFIG_BROKEN, i.e. disable support
    for virtualizing Intel PT via guest/host mode unless BROKEN=y.  There are
    myriad bugs in the implementation, some of which are fatal to the guest,
    and others which put the stability and health of the host at risk.
    
    For guest fatalities, the most glaring issue is that KVM fails to ensure
    tracing is disabled, and *stays* disabled prior to VM-Enter, which is
    necessary as hardware disallows loading (the guest's) RTIT_CTL if tracing
    is enabled (enforced via a VMX consistency check).  Per the SDM:
    
      If the logical processor is operating with Intel PT enabled (if
      IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the "load
      IA32_RTIT_CTL" VM-entry control must be 0.
    
    On the host side, KVM doesn't validate the guest CPUID configuration
    provided by userspace, and even worse, uses the guest configuration to
    decide what MSRs to save/load at VM-Enter and VM-Exit.  E.g. configuring
    guest CPUID to enumerate more address ranges than are supported in hardware
    will result in KVM trying to passthrough, save, and load non-existent MSRs,
    which generates a variety of WARNs, ToPA ERRORs in the host, a potential
    deadlock, etc.
    
    Fixes: f99e3daf94ff ("KVM: x86: Add Intel PT virtualization work mode")
    Cc: [email protected]
    Cc: Adrian Hunter <[email protected]>
    Signed-off-by: Sean Christopherson <[email protected]>
    Reviewed-by: Xiaoyao Li <[email protected]>
    Tested-by: Adrian Hunter <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

KVM: x86: Unconditionally set irr_pending when updating APICv state [+ + +]
Author: Sean Christopherson <[email protected]>
Date:   Tue Nov 5 17:51:35 2024 -0800

    KVM: x86: Unconditionally set irr_pending when updating APICv state
    
    commit d3ddef46f22e8c3124e0df1f325bc6a18dadff39 upstream.
    
    Always set irr_pending (to true) when updating APICv status to fix a bug
    where KVM fails to set irr_pending when userspace sets APIC state and
    APICv is disabled, which ultimate results in KVM failing to inject the
    pending interrupt(s) that userspace stuffed into the vIRR, until another
    interrupt happens to be emulated by KVM.
    
    Only the APICv-disabled case is flawed, as KVM forces apic->irr_pending to
    be true if APICv is enabled, because not all vIRR updates will be visible
    to KVM.
    
    Hit the bug with a big hammer, even though strictly speaking KVM can scan
    the vIRR and set/clear irr_pending as appropriate for this specific case.
    The bug was introduced by commit 755c2bf87860 ("KVM: x86: lapic: don't
    touch irr_pending in kvm_apic_update_apicv when inhibiting it"), which as
    the shortlog suggests, deleted code that updated irr_pending.
    
    Before that commit, kvm_apic_update_apicv() did indeed scan the vIRR, with
    with the crucial difference that kvm_apic_update_apicv() did the scan even
    when APICv was being *disabled*, e.g. due to an AVIC inhibition.
    
            struct kvm_lapic *apic = vcpu->arch.apic;
    
            if (vcpu->arch.apicv_active) {
                    /* irr_pending is always true when apicv is activated. */
                    apic->irr_pending = true;
                    apic->isr_count = 1;
            } else {
                    apic->irr_pending = (apic_search_irr(apic) != -1);
                    apic->isr_count = count_vectors(apic->regs + APIC_ISR);
            }
    
    And _that_ bug (clearing irr_pending) was introduced by commit b26a695a1d78
    ("kvm: lapic: Introduce APICv update helper function"), prior to which KVM
    unconditionally set irr_pending to true in kvm_apic_set_state(), i.e.
    assumed that the new virtual APIC state could have a pending IRQ.
    
    Furthermore, in addition to introducing this issue, commit 755c2bf87860
    also papered over the underlying bug: KVM doesn't ensure CPUs and devices
    see APICv as disabled prior to searching the IRR.  Waiting until KVM
    emulates an EOI to update irr_pending "works", but only because KVM won't
    emulate EOI until after refresh_apicv_exec_ctrl(), and there are plenty of
    memory barriers in between.  I.e. leaving irr_pending set is basically
    hacking around bad ordering.
    
    So, effectively revert to the pre-b26a695a1d78 behavior for state restore,
    even though it's sub-optimal if no IRQs are pending, in order to provide a
    minimal fix, but leave behind a FIXME to document the ugliness.  With luck,
    the ordering issue will be fixed and the mess will be cleaned up in the
    not-too-distant future.
    
    Fixes: 755c2bf87860 ("KVM: x86: lapic: don't touch irr_pending in kvm_apic_update_apicv when inhibiting it")
    Cc: [email protected]
    Cc: Maxim Levitsky <[email protected]>
    Reported-by: Yong He <[email protected]>
    Closes: https://lkml.kernel.org/r/20241023124527.1092810-1-alexyonghe%40tencent.com
    Signed-off-by: Sean Christopherson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
lib/buildid: Fix build ID parsing logic [+ + +]
Author: Jiri Olsa <[email protected]>
Date:   Mon Nov 4 18:52:56 2024 +0100

    lib/buildid: Fix build ID parsing logic
    
    The parse_build_id_buf does not account Elf32_Nhdr header size
    when getting the build id data pointer and returns wrong build
    id data as result.
    
    This is problem only for stable trees that merged 768d731b8a0d
    fix, the upstream build id code was refactored and returns proper
    build id.
    
    Acked-by: Andrii Nakryiko <[email protected]>
    Fixes: 768d731b8a0d ("lib/buildid: harden build ID parsing logic")
    Signed-off-by: Jiri Olsa <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Linux: Linux 6.11.10 [+ + +]
Author: Greg Kroah-Hartman <[email protected]>
Date:   Fri Nov 22 15:39:56 2024 +0100

    Linux 6.11.10
    
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Ronald Warsow <[email protected]>
    Tested-by: Mark Brown <[email protected]>
    Tested-by: SeongJae Park <[email protected]>
    Tested-by: Florian Fainelli <[email protected]>
    Tested-by: Shuah Khan <[email protected]>
    Tested-by: Ron Economos <[email protected]>
    Tested-by: Pavel Machek (CIP) <[email protected]>
    Tested-by: Linux Kernel Functional Testing <[email protected]>
    Tested-by: Salvatore Bonaccorso <[email protected]>
    Tested-by: Justin M. Forbes <[email protected]>
    Tested-by: kernelci.org bot <[email protected]>
    Tested-by: Jon Hunter <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
LoongArch: Add WriteCombine shadow mapping in KASAN [+ + +]
Author: Kanglong Wang <[email protected]>
Date:   Tue Nov 12 16:35:39 2024 +0800

    LoongArch: Add WriteCombine shadow mapping in KASAN
    
    commit 139d42ca51018c1d43ab5f35829179f060d1ab31 upstream.
    
    Currently, the kernel couldn't boot when ARCH_IOREMAP, ARCH_WRITECOMBINE
    and KASAN are enabled together. Because DMW2 is used by kernel now which
    is configured as 0xa000000000000000 for WriteCombine, but KASAN has no
    segment mapping for it. This patch fix this issue.
    
    Solution: Add the relevant definitions for WriteCombine (DMW2) in KASAN.
    
    Cc: [email protected]
    Fixes: 8e02c3b782ec ("LoongArch: Add writecombine support for DMW-based ioremap()")
    Signed-off-by: Kanglong Wang <[email protected]>
    Signed-off-by: Huacai Chen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

LoongArch: Disable KASAN if PGDIR_SIZE is too large for cpu_vabits [+ + +]
Author: Huacai Chen <[email protected]>
Date:   Tue Nov 12 16:35:39 2024 +0800

    LoongArch: Disable KASAN if PGDIR_SIZE is too large for cpu_vabits
    
    commit 227ca9f6f6aeb8aa8f0c10430b955f1fe2aeab91 upstream.
    
    If PGDIR_SIZE is too large for cpu_vabits, KASAN_SHADOW_END will
    overflow UINTPTR_MAX because KASAN_SHADOW_START/KASAN_SHADOW_END are
    aligned up by PGDIR_SIZE. And then the overflowed KASAN_SHADOW_END looks
    like a user space address.
    
    For example, PGDIR_SIZE of CONFIG_4KB_4LEVEL is 2^39, which is too large
    for Loongson-2K series whose cpu_vabits = 39.
    
    Since CONFIG_4KB_4LEVEL is completely legal for CPUs with cpu_vabits <=
    39, we just disable KASAN via early return in kasan_init(). Otherwise we
    get a boot failure.
    
    Moreover, we change KASAN_SHADOW_END from the first address after KASAN
    shadow area to the last address in KASAN shadow area, in order to avoid
    the end address exactly overflow to 0 (which is a legal case). We don't
    need to worry about alignment because pgd_addr_end() can handle it.
    
    Cc: [email protected]
    Reviewed-by: Jiaxun Yang <[email protected]>
    Signed-off-by: Huacai Chen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

LoongArch: Fix AP booting issue in VM mode [+ + +]
Author: Bibo Mao <[email protected]>
Date:   Tue Nov 12 16:35:39 2024 +0800

    LoongArch: Fix AP booting issue in VM mode
    
    commit 6ce031e5d6f475d476bab55ab7d8ea168fedc4c1 upstream.
    
    Native IPI is used for AP booting, because it is the booting interface
    between OS and BIOS firmware. The paravirt IPI is only used inside OS,
    and native IPI is necessary to boot AP.
    
    When booting AP, we write the kernel entry address in the HW mailbox of
    AP and send IPI interrupt to it. AP executes idle instruction and waits
    for interrupts or SW events, then clears IPI interrupt and jumps to the
    kernel entry from HW mailbox.
    
    Between writing HW mailbox and sending IPI, AP can be woken up by SW
    events and jumps to the kernel entry, so ACTION_BOOT_CPU IPI interrupt
    will keep pending during AP booting. And native IPI interrupt handler
    needs be registered so that it can clear pending native IPI, else there
    will be endless interrupts during AP booting stage.
    
    Here native IPI interrupt is initialized even if paravirt IPI is used.
    
    Cc: [email protected]
    Fixes: 74c16b2e2b0c ("LoongArch: KVM: Add PV IPI support on guest side")
    Signed-off-by: Bibo Mao <[email protected]>
    Signed-off-by: Huacai Chen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

LoongArch: Fix early_numa_add_cpu() usage for FDT systems [+ + +]
Author: Huacai Chen <[email protected]>
Date:   Tue Nov 12 16:35:36 2024 +0800

    LoongArch: Fix early_numa_add_cpu() usage for FDT systems
    
    commit 30cec747d6bf2c3e915c075d76d9712e54cde0a6 upstream.
    
    early_numa_add_cpu() applies on physical CPU id rather than logical CPU
    id, so use cpuid instead of cpu.
    
    Cc: [email protected]
    Fixes: 3de9c42d02a79a5 ("LoongArch: Add all CPUs enabled by fdt to NUMA node 0")
    Reported-by: Bibo Mao <[email protected]>
    Signed-off-by: Huacai Chen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

LoongArch: Make KASAN work with 5-level page-tables [+ + +]
Author: Huacai Chen <[email protected]>
Date:   Tue Nov 12 16:35:39 2024 +0800

    LoongArch: Make KASAN work with 5-level page-tables
    
    commit a410656643ce4844ba9875aa4e87a7779308259b upstream.
    
    Make KASAN work with 5-level page-tables, including:
    1. Implement and use __pgd_none() and kasan_p4d_offset().
    2. As done in kasan_pmd_populate() and kasan_pte_populate(), restrict
       the loop conditions of kasan_p4d_populate() and kasan_pud_populate()
       to avoid unnecessary population.
    
    Cc: [email protected]
    Signed-off-by: Huacai Chen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mailbox: qcom-cpucp: Mark the irq with IRQF_NO_SUSPEND flag [+ + +]
Author: Sibi Sankar <[email protected]>
Date:   Wed Oct 30 18:25:12 2024 +0530

    mailbox: qcom-cpucp: Mark the irq with IRQF_NO_SUSPEND flag
    
    commit d2fab3fc27cbca7ba65c539a2c5fc7f941231983 upstream.
    
    The qcom-cpucp mailbox irq is expected to function during suspend-resume
    cycle particularly when the scmi cpufreq driver can query the current
    frequency using the get_level message after the cpus are brought up during
    resume. Hence mark the irq with IRQF_NO_SUSPEND flag to fix the do_xfer
    failures we see during resume.
    
    Err Logs:
    arm-scmi firmware:scmi: timed out in resp(caller:do_xfer+0x164/0x568)
    cpufreq: cpufreq_online: ->get() failed
    
    Reported-by: Johan Hovold <[email protected]>
    Closes: https://lore.kernel.org/lkml/[email protected]/
    Fixes: 0e2a9a03106c ("mailbox: Add support for QTI CPUCP mailbox controller")
    Signed-off-by: Sibi Sankar <[email protected]>
    Reviewed-by: Konrad Dybcio <[email protected]>
    Tested-by: Johan Hovold <[email protected]>
    Cc: [email protected]
    Message-ID: <[email protected]>
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set [+ + +]
Author: Mauro Carvalho Chehab <[email protected]>
Date:   Wed Nov 6 21:50:55 2024 +0100

    media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set
    
    commit a4aebaf6e6efff548b01a3dc49b4b9074751c15b upstream.
    
    When CONFIG_DVB_DYNAMIC_MINORS, ret is not initialized, and a
    semaphore is left at the wrong state, in case of errors.
    
    Make the code simpler and avoid mistakes by having just one error
    check logic used weather DVB_DYNAMIC_MINORS is used or not.
    
    Reported-by: kernel test robot <[email protected]>
    Reported-by: Dan Carpenter <[email protected]>
    Closes: https://lore.kernel.org/r/[email protected]/
    Signed-off-by: Mauro Carvalho Chehab <[email protected]>
    Link: https://lore.kernel.org/r/9e067488d8935b8cf00959764a1fa5de85d65725.1730926254.git.mchehab+huawei@kernel.org
    Cc: Nathan Chancellor <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mm/mremap: fix address wraparound in move_page_tables() [+ + +]
Author: Jann Horn <[email protected]>
Date:   Mon Nov 11 20:34:30 2024 +0100

    mm/mremap: fix address wraparound in move_page_tables()
    
    commit a4a282daf1a190f03790bf163458ea3c8d28d217 upstream.
    
    On 32-bit platforms, it is possible for the expression `len + old_addr <
    old_end` to be false-positive if `len + old_addr` wraps around.
    `old_addr` is the cursor in the old range up to which page table entries
    have been moved; so if the operation succeeded, `old_addr` is the *end* of
    the old region, and adding `len` to it can wrap.
    
    The overflow causes mremap() to mistakenly believe that PTEs have been
    copied; the consequence is that mremap() bails out, but doesn't move the
    PTEs back before the new VMA is unmapped, causing anonymous pages in the
    region to be lost.  So basically if userspace tries to mremap() a
    private-anon region and hits this bug, mremap() will return an error and
    the private-anon region's contents appear to have been zeroed.
    
    The idea of this check is that `old_end - len` is the original start
    address, and writing the check that way also makes it easier to read; so
    fix the check by rearranging the comparison accordingly.
    
    (An alternate fix would be to refactor this function by introducing an
    "orig_old_start" variable or such.)
    
    
    Tested in a VM with a 32-bit X86 kernel; without the patch:
    
    ```
    user@horn:~/big_mremap$ cat test.c
    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <stdio.h>
    #include <err.h>
    #include <sys/mman.h>
    
    #define ADDR1 ((void*)0x60000000)
    #define ADDR2 ((void*)0x10000000)
    #define SIZE          0x50000000uL
    
    int main(void) {
      unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE,
          MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);
      if (p1 == MAP_FAILED)
        err(1, "mmap 1");
      unsigned char *p2 = mmap(ADDR2, SIZE, PROT_NONE,
          MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);
      if (p2 == MAP_FAILED)
        err(1, "mmap 2");
      *p1 = 0x41;
      printf("first char is 0x%02hhx\n", *p1);
      unsigned char *p3 = mremap(p1, SIZE, SIZE,
          MREMAP_MAYMOVE|MREMAP_FIXED, p2);
      if (p3 == MAP_FAILED) {
        printf("mremap() failed; first char is 0x%02hhx\n", *p1);
      } else {
        printf("mremap() succeeded; first char is 0x%02hhx\n", *p3);
      }
    }
    user@horn:~/big_mremap$ gcc -static -o test test.c
    user@horn:~/big_mremap$ setarch -R ./test
    first char is 0x41
    mremap() failed; first char is 0x00
    ```
    
    With the patch:
    
    ```
    user@horn:~/big_mremap$ setarch -R ./test
    first char is 0x41
    mremap() succeeded; first char is 0x41
    ```
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: af8ca1c14906 ("mm/mremap: optimize the start addresses in move_page_tables()")
    Signed-off-by: Jann Horn <[email protected]>
    Acked-by: Vlastimil Babka <[email protected]>
    Reviewed-by: Lorenzo Stoakes <[email protected]>
    Acked-by: Qi Zheng <[email protected]>
    Reviewed-by: Liam R. Howlett <[email protected]>
    Cc: Joel Fernandes (Google) <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mm: fix NULL pointer dereference in alloc_pages_bulk_noprof [+ + +]
Author: Jinjiang Tu <[email protected]>
Date:   Wed Nov 13 16:32:35 2024 +0800

    mm: fix NULL pointer dereference in alloc_pages_bulk_noprof
    
    commit 8ce41b0f9d77cca074df25afd39b86e2ee3aa68e upstream.
    
    We triggered a NULL pointer dereference for ac.preferred_zoneref->zone in
    alloc_pages_bulk_noprof() when the task is migrated between cpusets.
    
    When cpuset is enabled, in prepare_alloc_pages(), ac->nodemask may be
    ¤t->mems_allowed.  when first_zones_zonelist() is called to find
    preferred_zoneref, the ac->nodemask may be modified concurrently if the
    task is migrated between different cpusets.  Assuming we have 2 NUMA Node,
    when traversing Node1 in ac->zonelist, the nodemask is 2, and when
    traversing Node2 in ac->zonelist, the nodemask is 1.  As a result, the
    ac->preferred_zoneref points to NULL zone.
    
    In alloc_pages_bulk_noprof(), for_each_zone_zonelist_nodemask() finds a
    allowable zone and calls zonelist_node_idx(ac.preferred_zoneref), leading
    to NULL pointer dereference.
    
    __alloc_pages_noprof() fixes this issue by checking NULL pointer in commit
    ea57485af8f4 ("mm, page_alloc: fix check for NULL preferred_zone") and
    commit df76cee6bbeb ("mm, page_alloc: remove redundant checks from alloc
    fastpath").
    
    To fix it, check NULL pointer for preferred_zoneref->zone.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 387ba26fb1cb ("mm/page_alloc: add a bulk page allocator")
    Signed-off-by: Jinjiang Tu <[email protected]>
    Reviewed-by: Vlastimil Babka <[email protected]>
    Cc: Alexander Lobakin <[email protected]>
    Cc: David Hildenbrand <[email protected]>
    Cc: Kefeng Wang <[email protected]>
    Cc: Mel Gorman <[email protected]>
    Cc: Nanyong Sun <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

mm: page_alloc: move mlocked flag clearance into free_pages_prepare() [+ + +]
Author: Roman Gushchin <[email protected]>
Date:   Wed Nov 6 19:53:54 2024 +0000

    mm: page_alloc: move mlocked flag clearance into free_pages_prepare()
    
    commit 66edc3a5894c74f8887c8af23b97593a0dd0df4d upstream.
    
    Syzbot reported a bad page state problem caused by a page being freed
    using free_page() still having a mlocked flag at free_pages_prepare()
    stage:
    
      BUG: Bad page state in process syz.5.504  pfn:61f45
      page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61f45
      flags: 0xfff00000080204(referenced|workingset|mlocked|node=0|zone=1|lastcpupid=0x7ff)
      raw: 00fff00000080204 0000000000000000 dead000000000122 0000000000000000
      raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
      page_owner tracks the page as allocated
      page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 8443, tgid 8442 (syz.5.504), ts 201884660643, free_ts 201499827394
       set_page_owner include/linux/page_owner.h:32 [inline]
       post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
       prep_new_page mm/page_alloc.c:1545 [inline]
       get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
       __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
       alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
       kvm_coalesced_mmio_init+0x1f/0xf0 virt/kvm/coalesced_mmio.c:99
       kvm_create_vm virt/kvm/kvm_main.c:1235 [inline]
       kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5488 [inline]
       kvm_dev_ioctl+0x12dc/0x2240 virt/kvm/kvm_main.c:5530
       __do_compat_sys_ioctl fs/ioctl.c:1007 [inline]
       __se_compat_sys_ioctl+0x510/0xc90 fs/ioctl.c:950
       do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
       __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386
       do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411
       entry_SYSENTER_compat_after_hwframe+0x84/0x8e
      page last free pid 8399 tgid 8399 stack trace:
       reset_page_owner include/linux/page_owner.h:25 [inline]
       free_pages_prepare mm/page_alloc.c:1108 [inline]
       free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686
       folios_put_refs+0x76c/0x860 mm/swap.c:1007
       free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335
       __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
       tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
       tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
       tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
       tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
       exit_mmap+0x496/0xc40 mm/mmap.c:1926
       __mmput+0x115/0x390 kernel/fork.c:1348
       exit_mm+0x220/0x310 kernel/exit.c:571
       do_exit+0x9b2/0x28e0 kernel/exit.c:926
       do_group_exit+0x207/0x2c0 kernel/exit.c:1088
       __do_sys_exit_group kernel/exit.c:1099 [inline]
       __se_sys_exit_group kernel/exit.c:1097 [inline]
       __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
       x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      Modules linked in:
      CPU: 0 UID: 0 PID: 8442 Comm: syz.5.504 Not tainted 6.12.0-rc6-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:94 [inline]
       dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
       bad_page+0x176/0x1d0 mm/page_alloc.c:501
       free_page_is_bad mm/page_alloc.c:918 [inline]
       free_pages_prepare mm/page_alloc.c:1100 [inline]
       free_unref_page+0xed0/0xf20 mm/page_alloc.c:2638
       kvm_destroy_vm virt/kvm/kvm_main.c:1327 [inline]
       kvm_put_kvm+0xc75/0x1350 virt/kvm/kvm_main.c:1386
       kvm_vcpu_release+0x54/0x60 virt/kvm/kvm_main.c:4143
       __fput+0x23f/0x880 fs/file_table.c:431
       task_work_run+0x24f/0x310 kernel/task_work.c:239
       exit_task_work include/linux/task_work.h:43 [inline]
       do_exit+0xa2f/0x28e0 kernel/exit.c:939
       do_group_exit+0x207/0x2c0 kernel/exit.c:1088
       __do_sys_exit_group kernel/exit.c:1099 [inline]
       __se_sys_exit_group kernel/exit.c:1097 [inline]
       __ia32_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
       ia32_sys_call+0x2624/0x2630 arch/x86/include/generated/asm/syscalls_32.h:253
       do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
       __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386
       do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411
       entry_SYSENTER_compat_after_hwframe+0x84/0x8e
      RIP: 0023:0xf745d579
      Code: Unable to access opcode bytes at 0xf745d54f.
      RSP: 002b:00000000f75afd6c EFLAGS: 00000206 ORIG_RAX: 00000000000000fc
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 00000000ffffff9c RDI: 00000000f744cff4
      RBP: 00000000f717ae61 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
       </TASK>
    
    The problem was originally introduced by commit b109b87050df ("mm/munlock:
    replace clear_page_mlock() by final clearance"): it was focused on
    handling pagecache and anonymous memory and wasn't suitable for lower
    level get_page()/free_page() API's used for example by KVM, as with this
    reproducer.
    
    Fix it by moving the mlocked flag clearance down to free_page_prepare().
    
    The bug itself if fairly old and harmless (aside from generating these
    warnings), aside from a small memory leak - "bad" pages are stopped from
    being allocated again.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: b109b87050df ("mm/munlock: replace clear_page_mlock() by final clearance")
    Signed-off-by: Roman Gushchin <[email protected]>
    Reported-by: [email protected]
    Closes: https://lore.kernel.org/all/[email protected]
    Acked-by: Hugh Dickins <[email protected]>
    Cc: Matthew Wilcox <[email protected]>
    Cc: Sean Christopherson <[email protected]>
    Cc: Vlastimil Babka <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling [+ + +]
Author: Lorenzo Stoakes <[email protected]>
Date:   Tue Oct 29 18:11:47 2024 +0000

    mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling
    
    [ Upstream commit 5baf8b037debf4ec60108ccfeccb8636d1dbad81 ]
    
    Currently MTE is permitted in two circumstances (desiring to use MTE
    having been specified by the VM_MTE flag) - where MAP_ANONYMOUS is
    specified, as checked by arch_calc_vm_flag_bits() and actualised by
    setting the VM_MTE_ALLOWED flag, or if the file backing the mapping is
    shmem, in which case we set VM_MTE_ALLOWED in shmem_mmap() when the mmap
    hook is activated in mmap_region().
    
    The function that checks that, if VM_MTE is set, VM_MTE_ALLOWED is also
    set is the arm64 implementation of arch_validate_flags().
    
    Unfortunately, we intend to refactor mmap_region() to perform this check
    earlier, meaning that in the case of a shmem backing we will not have
    invoked shmem_mmap() yet, causing the mapping to fail spuriously.
    
    It is inappropriate to set this architecture-specific flag in general mm
    code anyway, so a sensible resolution of this issue is to instead move the
    check somewhere else.
    
    We resolve this by setting VM_MTE_ALLOWED much earlier in do_mmap(), via
    the arch_calc_vm_flag_bits() call.
    
    This is an appropriate place to do this as we already check for the
    MAP_ANONYMOUS case here, and the shmem file case is simply a variant of
    the same idea - we permit RAM-backed memory.
    
    This requires a modification to the arch_calc_vm_flag_bits() signature to
    pass in a pointer to the struct file associated with the mapping, however
    this is not too egregious as this is only used by two architectures anyway
    - arm64 and parisc.
    
    So this patch performs this adjustment and removes the unnecessary
    assignment of VM_MTE_ALLOWED in shmem_mmap().
    
    [[email protected]: fix whitespace, per Catalin]
    Link: https://lkml.kernel.org/r/ec251b20ba1964fb64cf1607d2ad80c47f3873df.1730224667.git.lorenzo.stoakes@oracle.com
    Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails")
    Signed-off-by: Lorenzo Stoakes <[email protected]>
    Suggested-by: Catalin Marinas <[email protected]>
    Reported-by: Jann Horn <[email protected]>
    Reviewed-by: Catalin Marinas <[email protected]>
    Reviewed-by: Vlastimil Babka <[email protected]>
    Cc: Andreas Larsson <[email protected]>
    Cc: David S. Miller <[email protected]>
    Cc: Helge Deller <[email protected]>
    Cc: James E.J. Bottomley <[email protected]>
    Cc: Liam R. Howlett <[email protected]>
    Cc: Linus Torvalds <[email protected]>
    Cc: Mark Brown <[email protected]>
    Cc: Peter Xu <[email protected]>
    Cc: Will Deacon <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

mm: revert "mm: shmem: fix data-race in shmem_getattr()" [+ + +]
Author: Andrew Morton <[email protected]>
Date:   Fri Nov 15 16:57:24 2024 -0800

    mm: revert "mm: shmem: fix data-race in shmem_getattr()"
    
    commit d1aa0c04294e29883d65eac6c2f72fe95cc7c049 upstream.
    
    Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") as
    suggested by Chuck [1].  It is causing deadlocks when accessing tmpfs over
    NFS.
    
    As Hugh commented, "added just to silence a syzbot sanitizer splat: added
    where there has never been any practical problem".
    
    Link: https://lkml.kernel.org/r/[email protected] [1]
    Fixes: d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()")
    Acked-by: Hugh Dickins <[email protected]>
    Cc: Chuck Lever <[email protected]>
    Cc: Jeongjun Park <[email protected]>
    Cc: Yu Zhao <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mmc: sunxi-mmc: Fix A100 compatible description [+ + +]
Author: Andre Przywara <[email protected]>
Date:   Thu Nov 7 01:42:40 2024 +0000

    mmc: sunxi-mmc: Fix A100 compatible description
    
    commit 85b580afc2c215394e08974bf033de9face94955 upstream.
    
    It turns out that the Allwinner A100/A133 SoC only supports 8K DMA
    blocks (13 bits wide), for both the SD/SDIO and eMMC instances.
    And while this alone would make a trivial fix, the H616 falls back to
    the A100 compatible string, so we have to now match the H616 compatible
    string explicitly against the description advertising 64K DMA blocks.
    
    As the A100 is now compatible with the D1 description, let the A100
    compatible string point to that block instead, and introduce an explicit
    match against the H616 string, pointing to the old description.
    Also remove the redundant setting of clk_delays to NULL on the way.
    
    Fixes: 3536b82e5853 ("mmc: sunxi: add support for A100 mmc controller")
    Cc: [email protected]
    Signed-off-by: Andre Przywara <[email protected]>
    Tested-by: Parthiban Nallathambi <[email protected]>
    Reviewed-by: Chen-Yu Tsai <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
mptcp: cope racing subflow creation in mptcp_rcv_space_adjust [+ + +]
Author: Paolo Abeni <[email protected]>
Date:   Fri Nov 8 11:58:17 2024 +0100

    mptcp: cope racing subflow creation in mptcp_rcv_space_adjust
    
    [ Upstream commit ce7356ae35943cc6494cc692e62d51a734062b7d ]
    
    Additional active subflows - i.e. created by the in kernel path
    manager - are included into the subflow list before starting the
    3whs.
    
    A racing recvmsg() spooling data received on an already established
    subflow would unconditionally call tcp_cleanup_rbuf() on all the
    current subflows, potentially hitting a divide by zero error on
    the newly created ones.
    
    Explicitly check that the subflow is in a suitable state before
    invoking tcp_cleanup_rbuf().
    
    Fixes: c76c6956566f ("mptcp: call tcp_cleanup_rbuf on subflows")
    Signed-off-by: Paolo Abeni <[email protected]>
    Reviewed-by: Matthieu Baerts (NGI0) <[email protected]>
    Link: https://patch.msgid.link/02374660836e1b52afc91966b7535c8c5f7bafb0.1731060874.git.pabeni@redhat.com
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

mptcp: error out earlier on disconnect [+ + +]
Author: Paolo Abeni <[email protected]>
Date:   Fri Nov 8 11:58:16 2024 +0100

    mptcp: error out earlier on disconnect
    
    [ Upstream commit 581302298524e9d77c4c44ff5156a6cd112227ae ]
    
    Eric reported a division by zero splat in the MPTCP protocol:
    
    Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 1 UID: 0 PID: 6094 Comm: syz-executor317 Not tainted
    6.12.0-rc5-syzkaller-00291-g05b92660cdfe #0
    Hardware name: Google Google Compute Engine/Google Compute Engine,
    BIOS Google 09/13/2024
    RIP: 0010:__tcp_select_window+0x5b4/0x1310 net/ipv4/tcp_output.c:3163
    Code: f6 44 01 e3 89 df e8 9b 75 09 f8 44 39 f3 0f 8d 11 ff ff ff e8
    0d 74 09 f8 45 89 f4 e9 04 ff ff ff e8 00 74 09 f8 44 89 f0 99 <f7> 7c
    24 14 41 29 d6 45 89 f4 e9 ec fe ff ff e8 e8 73 09 f8 48 89
    RSP: 0018:ffffc900041f7930 EFLAGS: 00010293
    RAX: 0000000000017e67 RBX: 0000000000017e67 RCX: ffffffff8983314b
    RDX: 0000000000000000 RSI: ffffffff898331b0 RDI: 0000000000000004
    RBP: 00000000005d6000 R08: 0000000000000004 R09: 0000000000017e67
    R10: 0000000000003e80 R11: 0000000000000000 R12: 0000000000003e80
    R13: ffff888031d9b440 R14: 0000000000017e67 R15: 00000000002eb000
    FS: 00007feb5d7f16c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007feb5d8adbb8 CR3: 0000000074e4c000 CR4: 00000000003526f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <TASK>
    __tcp_cleanup_rbuf+0x3e7/0x4b0 net/ipv4/tcp.c:1493
    mptcp_rcv_space_adjust net/mptcp/protocol.c:2085 [inline]
    mptcp_recvmsg+0x2156/0x2600 net/mptcp/protocol.c:2289
    inet_recvmsg+0x469/0x6a0 net/ipv4/af_inet.c:885
    sock_recvmsg_nosec net/socket.c:1051 [inline]
    sock_recvmsg+0x1b2/0x250 net/socket.c:1073
    __sys_recvfrom+0x1a5/0x2e0 net/socket.c:2265
    __do_sys_recvfrom net/socket.c:2283 [inline]
    __se_sys_recvfrom net/socket.c:2279 [inline]
    __x64_sys_recvfrom+0xe0/0x1c0 net/socket.c:2279
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7feb5d857559
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48
    89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
    01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007feb5d7f1208 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
    RAX: ffffffffffffffda RBX: 00007feb5d8e1318 RCX: 00007feb5d857559
    RDX: 000000800000000e RSI: 0000000000000000 RDI: 0000000000000003
    RBP: 00007feb5d8e1310 R08: 0000000000000000 R09: ffffffff81000000
    R10: 0000000000000100 R11: 0000000000000246 R12: 00007feb5d8e131c
    R13: 00007feb5d8ae074 R14: 000000800000000e R15: 00000000fffffdef
    
    and provided a nice reproducer.
    
    The root cause is the current bad handling of racing disconnect.
    After the blamed commit below, sk_wait_data() can return (with
    error) with the underlying socket disconnected and a zero rcv_mss.
    
    Catch the error and return without performing any additional
    operations on the current socket.
    
    Reported-by: Eric Dumazet <[email protected]>
    Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting")
    Signed-off-by: Paolo Abeni <[email protected]>
    Reviewed-by: Matthieu Baerts (NGI0) <[email protected]>
    Link: https://patch.msgid.link/8c82ecf71662ecbc47bf390f9905de70884c9f2d.1731060874.git.pabeni@redhat.com
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

mptcp: hold pm lock when deleting entry [+ + +]
Author: Geliang Tang <[email protected]>
Date:   Tue Nov 12 20:18:34 2024 +0100

    mptcp: hold pm lock when deleting entry
    
    commit f642c5c4d528d11bd78b6c6f84f541cd3c0bea86 upstream.
    
    When traversing userspace_pm_local_addr_list and deleting an entry from
    it in mptcp_pm_nl_remove_doit(), msk->pm.lock should be held.
    
    This patch holds this lock before mptcp_userspace_pm_lookup_addr_by_id()
    and releases it after list_move() in mptcp_pm_nl_remove_doit().
    
    Fixes: d9a4594edabf ("mptcp: netlink: Add MPTCP_PM_CMD_REMOVE")
    Cc: [email protected]
    Signed-off-by: Geliang Tang <[email protected]>
    Reviewed-by: Matthieu Baerts (NGI0) <[email protected]>
    Signed-off-by: Matthieu Baerts (NGI0) <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

mptcp: pm: use _rcu variant under rcu_read_lock [+ + +]
Author: Matthieu Baerts (NGI0) <[email protected]>
Date:   Tue Nov 12 20:18:35 2024 +0100

    mptcp: pm: use _rcu variant under rcu_read_lock
    
    commit db3eab8110bc0520416101b6a5b52f44a43fb4cf upstream.
    
    In mptcp_pm_create_subflow_or_signal_addr(), rcu_read_(un)lock() are
    used as expected to iterate over the list of local addresses, but
    list_for_each_entry() was used instead of list_for_each_entry_rcu() in
    __lookup_addr(). It is important to use this variant which adds the
    required READ_ONCE() (and diagnostic checks if enabled).
    
    Because __lookup_addr() is also used in mptcp_pm_nl_set_flags() where it
    is called under the pernet->lock and not rcu_read_lock(), an extra
    condition is then passed to help the diagnostic checks making sure
    either the associated spin lock or the RCU lock is held.
    
    Fixes: 86e39e04482b ("mptcp: keep track of local endpoint still available for each msk")
    Cc: [email protected]
    Reviewed-by: Geliang Tang <[email protected]>
    Signed-off-by: Matthieu Baerts (NGI0) <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

mptcp: update local address flags when setting it [+ + +]
Author: Geliang Tang <[email protected]>
Date:   Tue Nov 12 20:18:33 2024 +0100

    mptcp: update local address flags when setting it
    
    commit e0266319413d5d687ba7b6df7ca99e4b9724a4f2 upstream.
    
    Just like in-kernel pm, when userspace pm does set_flags, it needs to send
    out MP_PRIO signal, and also modify the flags of the corresponding address
    entry in the local address list. This patch implements the missing logic.
    
    Traverse all address entries on userspace_pm_local_addr_list to find the
    local address entry, if bkup is true, set the flags of this entry with
    FLAG_BACKUP, otherwise, clear FLAG_BACKUP.
    
    Fixes: 892f396c8e68 ("mptcp: netlink: issue MP_PRIO signals from userspace PMs")
    Cc: [email protected]
    Signed-off-by: Geliang Tang <[email protected]>
    Reviewed-by: Matthieu Baerts (NGI0) <[email protected]>
    Signed-off-by: Matthieu Baerts (NGI0) <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
net/mlx5: Fix msix vectors to respect platform limit [+ + +]
Author: Parav Pandit <[email protected]>
Date:   Thu Nov 7 20:35:22 2024 +0200

    net/mlx5: Fix msix vectors to respect platform limit
    
    [ Upstream commit d0989c9d2b3a89ae5e4ad45fe6d7bbe449fc49fe ]
    
    The number of PCI vectors allocated by the platform (which may be fewer
    than requested) is currently not honored when creating the SF pool;
    only the PCI MSI-X capability is considered.
    
    As a result, when a platform allocates fewer vectors
    (in non-dynamic mode) than requested, the PF and SF pools end up
    with an invalid vector range.
    
    This causes incorrect SF vector accounting, which leads to the
    following call trace when an invalid IRQ vector is allocated.
    
    This issue is resolved by ensuring that the platform's vector
    limit is respected for both the SF and PF pools.
    
    Workqueue: mlx5_vhca_event0 mlx5_sf_dev_add_active_work [mlx5_core]
    RIP: 0010:pci_irq_vector+0x23/0x80
    RSP: 0018:ffffabd5cebd7248 EFLAGS: 00010246
    RAX: ffff980880e7f308 RBX: ffff9808932fb880 RCX: 0000000000000001
    RDX: 00000000000001ff RSI: 0000000000000200 RDI: ffff980880e7f308
    RBP: 0000000000000200 R08: 0000000000000010 R09: ffff97a9116f0860
    R10: 0000000000000002 R11: 0000000000000228 R12: ffff980897cd0160
    R13: 0000000000000000 R14: ffff97a920fec0c0 R15: ffffabd5cebd72d0
    FS:  0000000000000000(0000) GS:ffff97c7ff9c0000(0000) knlGS:0000000000000000
     ? rescuer_thread+0x350/0x350
     kthread+0x11b/0x140
     ? __kthread_bind_mask+0x60/0x60
     ret_from_fork+0x22/0x30
    mlx5_core 0000:a1:00.0: mlx5_irq_alloc:321:(pid 6781): Failed to request irq. err = -22
    mlx5_core 0000:a1:00.0: mlx5_irq_alloc:321:(pid 6781): Failed to request irq. err = -22
    mlx5_core.sf mlx5_core.sf.6: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced)
    mlx5_core.sf mlx5_core.sf.7: firmware version: 32.43.356
    mlx5_core.sf mlx5_core.sf.6 enpa1s0f0s4: renamed from eth0
    mlx5_core.sf mlx5_core.sf.7: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps
    mlx5_core 0000:a1:00.0: mlx5_irq_alloc:321:(pid 6781): Failed to request irq. err = -22
    mlx5_core 0000:a1:00.0: mlx5_irq_alloc:321:(pid 6781): Failed to request irq. err = -22
    mlx5_core 0000:a1:00.0: mlx5_irq_alloc:321:(pid 6781): Failed to request irq. err = -22
    
    Fixes: 3354822cde5a ("net/mlx5: Use dynamic msix vectors allocation")
    Signed-off-by: Parav Pandit <[email protected]>
    Signed-off-by: Amir Tzin <[email protected]>
    Signed-off-by: Tariq Toukan <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net/mlx5: fs, lock FTE when checking if active [+ + +]
Author: Mark Bloch <[email protected]>
Date:   Thu Nov 7 20:35:23 2024 +0200

    net/mlx5: fs, lock FTE when checking if active
    
    [ Upstream commit 9ca314419930f9135727e39d77e66262d5f7bef6 ]
    
    The referenced commits introduced a two-step process for deleting FTEs:
    
    - Lock the FTE, delete it from hardware, set the hardware deletion function
      to NULL and unlock the FTE.
    - Lock the parent flow group, delete the software copy of the FTE, and
      remove it from the xarray.
    
    However, this approach encounters a race condition if a rule with the same
    match value is added simultaneously. In this scenario, fs_core may set the
    hardware deletion function to NULL prematurely, causing a panic during
    subsequent rule deletions.
    
    To prevent this, ensure the active flag of the FTE is checked under a lock,
    which will prevent the fs_core layer from attaching a new steering rule to
    an FTE that is in the process of deletion.
    
    [  438.967589] MOSHE: 2496 mlx5_del_flow_rules del_hw_func
    [  438.968205] ------------[ cut here ]------------
    [  438.968654] refcount_t: decrement hit 0; leaking memory.
    [  438.969249] WARNING: CPU: 0 PID: 8957 at lib/refcount.c:31 refcount_warn_saturate+0xfb/0x110
    [  438.970054] Modules linked in: act_mirred cls_flower act_gact sch_ingress openvswitch nsh mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core zram zsmalloc fuse [last unloaded: cls_flower]
    [  438.973288] CPU: 0 UID: 0 PID: 8957 Comm: tc Not tainted 6.12.0-rc1+ #8
    [  438.973888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    [  438.974874] RIP: 0010:refcount_warn_saturate+0xfb/0x110
    [  438.975363] Code: 40 66 3b 82 c6 05 16 e9 4d 01 01 e8 1f 7c a0 ff 0f 0b c3 cc cc cc cc 48 c7 c7 10 66 3b 82 c6 05 fd e8 4d 01 01 e8 05 7c a0 ff <0f> 0b c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90
    [  438.976947] RSP: 0018:ffff888124a53610 EFLAGS: 00010286
    [  438.977446] RAX: 0000000000000000 RBX: ffff888119d56de0 RCX: 0000000000000000
    [  438.978090] RDX: ffff88852c828700 RSI: ffff88852c81b3c0 RDI: ffff88852c81b3c0
    [  438.978721] RBP: ffff888120fa0e88 R08: 0000000000000000 R09: ffff888124a534b0
    [  438.979353] R10: 0000000000000001 R11: 0000000000000001 R12: ffff888119d56de0
    [  438.979979] R13: ffff888120fa0ec0 R14: ffff888120fa0ee8 R15: ffff888119d56de0
    [  438.980607] FS:  00007fe6dcc0f800(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000
    [  438.983984] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  438.984544] CR2: 00000000004275e0 CR3: 0000000186982001 CR4: 0000000000372eb0
    [  438.985205] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [  438.985842] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [  438.986507] Call Trace:
    [  438.986799]  <TASK>
    [  438.987070]  ? __warn+0x7d/0x110
    [  438.987426]  ? refcount_warn_saturate+0xfb/0x110
    [  438.987877]  ? report_bug+0x17d/0x190
    [  438.988261]  ? prb_read_valid+0x17/0x20
    [  438.988659]  ? handle_bug+0x53/0x90
    [  438.989054]  ? exc_invalid_op+0x14/0x70
    [  438.989458]  ? asm_exc_invalid_op+0x16/0x20
    [  438.989883]  ? refcount_warn_saturate+0xfb/0x110
    [  438.990348]  mlx5_del_flow_rules+0x2f7/0x340 [mlx5_core]
    [  438.990932]  __mlx5_eswitch_del_rule+0x49/0x170 [mlx5_core]
    [  438.991519]  ? mlx5_lag_is_sriov+0x3c/0x50 [mlx5_core]
    [  438.992054]  ? xas_load+0x9/0xb0
    [  438.992407]  mlx5e_tc_rule_unoffload+0x45/0xe0 [mlx5_core]
    [  438.993037]  mlx5e_tc_del_fdb_flow+0x2a6/0x2e0 [mlx5_core]
    [  438.993623]  mlx5e_flow_put+0x29/0x60 [mlx5_core]
    [  438.994161]  mlx5e_delete_flower+0x261/0x390 [mlx5_core]
    [  438.994728]  tc_setup_cb_destroy+0xb9/0x190
    [  438.995150]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]
    [  438.995650]  fl_change+0x11a4/0x13c0 [cls_flower]
    [  438.996105]  tc_new_tfilter+0x347/0xbc0
    [  438.996503]  ? ___slab_alloc+0x70/0x8c0
    [  438.996929]  rtnetlink_rcv_msg+0xf9/0x3e0
    [  438.997339]  ? __netlink_sendskb+0x4c/0x70
    [  438.997751]  ? netlink_unicast+0x286/0x2d0
    [  438.998171]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
    [  438.998625]  netlink_rcv_skb+0x54/0x100
    [  438.999020]  netlink_unicast+0x203/0x2d0
    [  438.999421]  netlink_sendmsg+0x1e4/0x420
    [  438.999820]  __sock_sendmsg+0xa1/0xb0
    [  439.000203]  ____sys_sendmsg+0x207/0x2a0
    [  439.000600]  ? copy_msghdr_from_user+0x6d/0xa0
    [  439.001072]  ___sys_sendmsg+0x80/0xc0
    [  439.001459]  ? ___sys_recvmsg+0x8b/0xc0
    [  439.001848]  ? generic_update_time+0x4d/0x60
    [  439.002282]  __sys_sendmsg+0x51/0x90
    [  439.002658]  do_syscall_64+0x50/0x110
    [  439.003040]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    Fixes: 718ce4d601db ("net/mlx5: Consolidate update FTE for all removal changes")
    Fixes: cefc23554fc2 ("net/mlx5: Fix FTE cleanup")
    Signed-off-by: Mark Bloch <[email protected]>
    Reviewed-by: Maor Gottlieb <[email protected]>
    Signed-off-by: Tariq Toukan <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
net/mlx5e: clear xdp features on non-uplink representors [+ + +]
Author: William Tu <[email protected]>
Date:   Thu Nov 7 20:35:25 2024 +0200

    net/mlx5e: clear xdp features on non-uplink representors
    
    [ Upstream commit c079389878debf767dc4e52fe877b9117258dfe2 ]
    
    Non-uplink representor port does not support XDP. The patch clears
    the xdp feature by checking the net_device_ops.ndo_bpf is set or not.
    
    Verify using the netlink tool:
    $ tools/net/ynl/cli.py --spec Documentation/netlink/specs/netdev.yaml --dump dev-get
    
    Representor netdev before the patch:
    {'ifindex': 8,
      'xdp-features': {'basic',
                       'ndo-xmit',
                       'ndo-xmit-sg',
                       'redirect',
                       'rx-sg',
                       'xsk-zerocopy'},
      'xdp-rx-metadata-features': set(),
      'xdp-zc-max-segs': 1,
      'xsk-features': set()},
    With the patch:
     {'ifindex': 8,
      'xdp-features': set(),
      'xdp-rx-metadata-features': set(),
      'xsk-features': set()},
    
    Fixes: 4d5ab0ad964d ("net/mlx5e: take into account device reconfiguration for xdp_features flag")
    Signed-off-by: William Tu <[email protected]>
    Signed-off-by: Tariq Toukan <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net/mlx5e: CT: Fix null-ptr-deref in add rule err flow [+ + +]
Author: Moshe Shemesh <[email protected]>
Date:   Thu Nov 7 20:35:26 2024 +0200

    net/mlx5e: CT: Fix null-ptr-deref in add rule err flow
    
    [ Upstream commit e99c6873229fe0482e7ceb7d5600e32d623ed9d9 ]
    
    In error flow of mlx5_tc_ct_entry_add_rule(), in case ct_rule_add()
    callback returns error, zone_rule->attr is used uninitiated. Fix it to
    use attr which has the needed pointer value.
    
    Kernel log:
     BUG: kernel NULL pointer dereference, address: 0000000000000110
     RIP: 0010:mlx5_tc_ct_entry_add_rule+0x2b1/0x2f0 [mlx5_core]
    …
     Call Trace:
      <TASK>
      ? __die+0x20/0x70
      ? page_fault_oops+0x150/0x3e0
      ? exc_page_fault+0x74/0x140
      ? asm_exc_page_fault+0x22/0x30
      ? mlx5_tc_ct_entry_add_rule+0x2b1/0x2f0 [mlx5_core]
      ? mlx5_tc_ct_entry_add_rule+0x1d5/0x2f0 [mlx5_core]
      mlx5_tc_ct_block_flow_offload+0xc6a/0xf90 [mlx5_core]
      ? nf_flow_offload_tuple+0xd8/0x190 [nf_flow_table]
      nf_flow_offload_tuple+0xd8/0x190 [nf_flow_table]
      flow_offload_work_handler+0x142/0x320 [nf_flow_table]
      ? finish_task_switch.isra.0+0x15b/0x2b0
      process_one_work+0x16c/0x320
      worker_thread+0x28c/0x3a0
      ? __pfx_worker_thread+0x10/0x10
      kthread+0xb8/0xf0
      ? __pfx_kthread+0x10/0x10
      ret_from_fork+0x2d/0x50
      ? __pfx_kthread+0x10/0x10
      ret_from_fork_asm+0x1a/0x30
      </TASK>
    
    Fixes: 7fac5c2eced3 ("net/mlx5: CT: Avoid reusing modify header context for natted entries")
    Signed-off-by: Moshe Shemesh <[email protected]>
    Reviewed-by: Cosmin Ratiu <[email protected]>
    Reviewed-by: Yevgeny Kliteynik <[email protected]>
    Signed-off-by: Tariq Toukan <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net/mlx5e: Disable loopback self-test on multi-PF netdev [+ + +]
Author: Carolina Jubran <[email protected]>
Date:   Thu Nov 7 20:35:27 2024 +0200

    net/mlx5e: Disable loopback self-test on multi-PF netdev
    
    [ Upstream commit d1ac33934a66e8d58a52668999bf9e8f59e56c81 ]
    
    In Multi-PF (Socket Direct) configurations, when a loopback packet is
    sent through one of the secondary devices, it will always be received
    on the primary device. This causes the loopback layer to fail in
    identifying the loopback packet as the devices are different.
    
    To avoid false test failures, disable the loopback self-test in
    Multi-PF configurations.
    
    Fixes: ed29705e4ed1 ("net/mlx5: Enable SD feature")
    Signed-off-by: Carolina Jubran <[email protected]>
    Signed-off-by: Tariq Toukan <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net/mlx5e: kTLS, Fix incorrect page refcounting [+ + +]
Author: Dragos Tatulea <[email protected]>
Date:   Thu Nov 7 20:35:24 2024 +0200

    net/mlx5e: kTLS, Fix incorrect page refcounting
    
    [ Upstream commit dd6e972cc5890d91d6749bb48e3912721c4e4b25 ]
    
    The kTLS tx handling code is using a mix of get_page() and
    page_ref_inc() APIs to increment the page reference. But on the release
    path (mlx5e_ktls_tx_handle_resync_dump_comp()), only put_page() is used.
    
    This is an issue when using pages from large folios: the get_page()
    references are stored on the folio page while the page_ref_inc()
    references are stored directly in the given page. On release the folio
    page will be dereferenced too many times.
    
    This was found while doing kTLS testing with sendfile() + ZC when the
    served file was read from NFS on a kernel with NFS large folios support
    (commit 49b29a573da8 ("nfs: add support for large folios")).
    
    Fixes: 84d1bb2b139e ("net/mlx5e: kTLS, Limit DUMP wqe size")
    Signed-off-by: Dragos Tatulea <[email protected]>
    Signed-off-by: Tariq Toukan <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
net: fix data-races around sk->sk_forward_alloc [+ + +]
Author: Wang Liang <[email protected]>
Date:   Thu Nov 7 10:34:05 2024 +0800

    net: fix data-races around sk->sk_forward_alloc
    
    [ Upstream commit 073d89808c065ac4c672c0a613a71b27a80691cb ]
    
    Syzkaller reported this warning:
     ------------[ cut here ]------------
     WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0
     Modules linked in:
     CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
     RIP: 0010:inet_sock_destruct+0x1c5/0x1e0
     Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00
     RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206
     RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007
     RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00
     RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007
     R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00
     R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78
     FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0
     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
     DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
     Call Trace:
      <TASK>
      ? __warn+0x88/0x130
      ? inet_sock_destruct+0x1c5/0x1e0
      ? report_bug+0x18e/0x1a0
      ? handle_bug+0x53/0x90
      ? exc_invalid_op+0x18/0x70
      ? asm_exc_invalid_op+0x1a/0x20
      ? inet_sock_destruct+0x1c5/0x1e0
      __sk_destruct+0x2a/0x200
      rcu_do_batch+0x1aa/0x530
      ? rcu_do_batch+0x13b/0x530
      rcu_core+0x159/0x2f0
      handle_softirqs+0xd3/0x2b0
      ? __pfx_smpboot_thread_fn+0x10/0x10
      run_ksoftirqd+0x25/0x30
      smpboot_thread_fn+0xdd/0x1d0
      kthread+0xd3/0x100
      ? __pfx_kthread+0x10/0x10
      ret_from_fork+0x34/0x50
      ? __pfx_kthread+0x10/0x10
      ret_from_fork_asm+0x1a/0x30
      </TASK>
     ---[ end trace 0000000000000000 ]---
    
    Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()
    concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked,
    which triggers a data-race around sk->sk_forward_alloc:
    tcp_v6_rcv
        tcp_v6_do_rcv
            skb_clone_and_charge_r
                sk_rmem_schedule
                    __sk_mem_schedule
                        sk_forward_alloc_add()
                skb_set_owner_r
                    sk_mem_charge
                        sk_forward_alloc_add()
            __kfree_skb
                skb_release_all
                    skb_release_head_state
                        sock_rfree
                            sk_mem_uncharge
                                sk_forward_alloc_add()
                                sk_mem_reclaim
                                    // set local var reclaimable
                                    __sk_mem_reclaim
                                        sk_forward_alloc_add()
    
    In this syzkaller testcase, two threads call
    tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like
    this:
     (cpu 1)             | (cpu 2)             | sk_forward_alloc
     ...                 | ...                 | 0
     __sk_mem_schedule() |                     | +4096 = 4096
                         | __sk_mem_schedule() | +4096 = 8192
     sk_mem_charge()     |                     | -768  = 7424
                         | sk_mem_charge()     | -768  = 6656
     ...                 |    ...              |
     sk_mem_uncharge()   |                     | +768  = 7424
     reclaimable=7424    |                     |
                         | sk_mem_uncharge()   | +768  = 8192
                         | reclaimable=8192    |
     __sk_mem_reclaim()  |                     | -4096 = 4096
                         | __sk_mem_reclaim()  | -8192 = -4096 != 0
    
    The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when
    sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().
    Fix the same issue in dccp_v6_do_rcv().
    
    Suggested-by: Eric Dumazet <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets")
    Signed-off-by: Wang Liang <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: Make copy_safe_from_sockptr() match documentation [+ + +]
Author: Michal Luczaj <[email protected]>
Date:   Mon Nov 11 00:17:34 2024 +0100

    net: Make copy_safe_from_sockptr() match documentation
    
    [ Upstream commit eb94b7bb10109a14a5431a67e5d8e31cfa06b395 ]
    
    copy_safe_from_sockptr()
      return copy_from_sockptr()
        return copy_from_sockptr_offset()
          return copy_from_user()
    
    copy_from_user() does not return an error on fault. Instead, it returns a
    number of bytes that were not copied. Have it handled.
    
    Patch has a side effect: it un-breaks garbage input handling of
    nfc_llcp_setsockopt() and mISDN's data_sock_setsockopt().
    
    Fixes: 6309863b31dd ("net: add copy_safe_from_sockptr() helper")
    Signed-off-by: Michal Luczaj <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: phylink: ensure PHY momentary link-fails are handled [+ + +]
Author: Russell King (Oracle) <[email protected]>
Date:   Tue Nov 12 16:20:00 2024 +0000

    net: phylink: ensure PHY momentary link-fails are handled
    
    [ Upstream commit 671154f174e0e7f242507cd074497661deb41bfd ]
    
    Normally, phylib won't notify changes in quick succession. However, as
    a result of commit 3e43b903da04 ("net: phy: Immediately call
    adjust_link if only tx_lpi_enabled changes") this is no longer true -
    it is now possible that phy_link_down() and phy_link_up() will both
    complete before phylink's resolver has run, which means it'll miss that
    pl->phy_state.link momentarily became false.
    
    Rename "mac_link_dropped" to be more generic "link_failed" since it will
    cover more than the MAC/PCS end of the link failing, and arrange to set
    this in phylink_phy_change() if we notice that the PHY reports that the
    link is down.
    
    This will ensure that we capture an EEE reconfiguration event.
    
    Fixes: 3e43b903da04 ("net: phy: Immediately call adjust_link if only tx_lpi_enabled changes")
    Signed-off-by: Russell King (Oracle) <[email protected]>
    Reviewed-by: Oleksij Rempel <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. [+ + +]
Author: Alexandre Ferrieux <[email protected]>
Date:   Sun Nov 10 18:28:36 2024 +0100

    net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes.
    
    [ Upstream commit 73af53d82076bbe184d9ece9e14b0dc8599e6055 ]
    
    To generate hnode handles (in gen_new_htid()), u32 uses IDR and
    encodes the returned small integer into a structured 32-bit
    word. Unfortunately, at disposal time, the needed decoding
    is not done. As a result, idr_remove() fails, and the IDR
    fills up. Since its size is 2048, the following script ends up
    with "Filter already exists":
    
      tc filter add dev myve $FILTER1
      tc filter add dev myve $FILTER2
      for i in {1..2048}
      do
        echo $i
        tc filter del dev myve $FILTER2
        tc filter add dev myve $FILTER2
      done
    
    This patch adds the missing decoding logic for handles that
    deserve it.
    
    Fixes: e7614370d6f0 ("net_sched: use idr to allocate u32 filter handles")
    Reviewed-by: Eric Dumazet <[email protected]>
    Acked-by: Jamal Hadi Salim <[email protected]>
    Signed-off-by: Alexandre Ferrieux <[email protected]>
    Tested-by: Victor Nogueira <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: sched: u32: Add test case for systematic hnode IDR leaks [+ + +]
Author: Alexandre Ferrieux <[email protected]>
Date:   Wed Nov 13 11:04:28 2024 +0100

    net: sched: u32: Add test case for systematic hnode IDR leaks
    
    commit ca34aceb322bfcd6ab498884f1805ee12f983259 upstream.
    
    Add a tdc test case to exercise the just-fixed systematic leak of
    IDR entries in u32 hnode disposal. Given the IDR in question is
    confined to the range [1..0x7FF], it is sufficient to create/delete
    the same filter 2048 times to fill it up and get a nonzero exit
    status from "tc filter add".
    
    Signed-off-by: Alexandre Ferrieux <[email protected]>
    Acked-by: Jamal Hadi Salim <[email protected]>
    Reviewed-by: Victor Nogueira <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

net: stmmac: dwmac-mediatek: Fix inverted handling of mediatek,mac-wol [+ + +]
Author: Nícolas F. R. A. Prado <[email protected]>
Date:   Sat Nov 9 10:16:32 2024 -0500

    net: stmmac: dwmac-mediatek: Fix inverted handling of mediatek,mac-wol
    
    [ Upstream commit a03b18a71c128846360cc81ac6fdb0e7d41597b4 ]
    
    The mediatek,mac-wol property is being handled backwards to what is
    described in the binding: it currently enables PHY WOL when the property
    is present and vice versa. Invert the driver logic so it matches the
    binding description.
    
    Fixes: fd1d62d80ebc ("net: stmmac: replace the use_phy_wol field with a flag")
    Signed-off-by: Nícolas F. R. A. Prado <[email protected]>
    Link: https://patch.msgid.link/20241109-mediatek-mac-wol-noninverted-v2-1-0e264e213878@collabora.com
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: ti: icssg-prueth: Fix 1 PPS sync [+ + +]
Author: Meghana Malladi <[email protected]>
Date:   Mon Nov 11 15:28:42 2024 +0530

    net: ti: icssg-prueth: Fix 1 PPS sync
    
    [ Upstream commit dc065076ee7768377d7c16af7d1b0767782d8c98 ]
    
    The first PPS latch time needs to be calculated by the driver
    (in rounded off seconds) and configured as the start time
    offset for the cycle. After synchronizing two PTP clocks
    running as master/slave, missing this would cause master
    and slave to start immediately with some milliseconds
    drift which causes the PPS signal to never synchronize with
    the PTP master.
    
    Fixes: 186734c15886 ("net: ti: icssg-prueth: add packet timestamping and ptp support")
    Signed-off-by: Meghana Malladi <[email protected]>
    Reviewed-by: Vadim Fedorenko <[email protected]>
    Reviewed-by: MD Danish Anwar <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

net: vertexcom: mse102x: Fix tx_bytes calculation [+ + +]
Author: Stefan Wahren <[email protected]>
Date:   Fri Nov 8 12:43:43 2024 +0100

    net: vertexcom: mse102x: Fix tx_bytes calculation
    
    [ Upstream commit e68da664d379f352d41d7955712c44e0a738e4ab ]
    
    The tx_bytes should consider the actual size of the Ethernet frames
    without the SPI encapsulation. But we still need to take care of
    Ethernet padding.
    
    Fixes: 2f207cbf0dd4 ("net: vertexcom: Add MSE102x SPI support")
    Signed-off-by: Stefan Wahren <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
netlink: terminate outstanding dump on socket close [+ + +]
Author: Jakub Kicinski <[email protected]>
Date:   Tue Nov 5 17:52:34 2024 -0800

    netlink: terminate outstanding dump on socket close
    
    [ Upstream commit 1904fb9ebf911441f90a68e96b22aa73e4410505 ]
    
    Netlink supports iterative dumping of data. It provides the families
    the following ops:
     - start - (optional) kicks off the dumping process
     - dump  - actual dump helper, keeps getting called until it returns 0
     - done  - (optional) pairs with .start, can be used for cleanup
    The whole process is asynchronous and the repeated calls to .dump
    don't actually happen in a tight loop, but rather are triggered
    in response to recvmsg() on the socket.
    
    This gives the user full control over the dump, but also means that
    the user can close the socket without getting to the end of the dump.
    To make sure .start is always paired with .done we check if there
    is an ongoing dump before freeing the socket, and if so call .done.
    
    The complication is that sockets can get freed from BH and .done
    is allowed to sleep. So we use a workqueue to defer the call, when
    needed.
    
    Unfortunately this does not work correctly. What we defer is not
    the cleanup but rather releasing a reference on the socket.
    We have no guarantee that we own the last reference, if someone
    else holds the socket they may release it in BH and we're back
    to square one.
    
    The whole dance, however, appears to be unnecessary. Only the user
    can interact with dumps, so we can clean up when socket is closed.
    And close always happens in process context. Some async code may
    still access the socket after close, queue notification skbs to it etc.
    but no dumps can start, end or otherwise make progress.
    
    Delete the workqueue and flush the dump state directly from the release
    handler. Note that further cleanup is possible in -next, for instance
    we now always call .done before releasing the main module reference,
    so dump doesn't have to take a reference of its own.
    
    Reported-by: syzkaller <[email protected]>
    Fixes: ed5d7788a934 ("netlink: Do not schedule work from sk_destruct")
    Reviewed-by: Kuniyuki Iwashima <[email protected]>
    Reviewed-by: Eric Dumazet <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
 
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint [+ + +]
Author: Ryusuke Konishi <[email protected]>
Date:   Thu Nov 7 01:07:33 2024 +0900

    nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
    
    commit 2026559a6c4ce34db117d2db8f710fe2a9420d5a upstream.
    
    When using the "block:block_dirty_buffer" tracepoint, mark_buffer_dirty()
    may cause a NULL pointer dereference, or a general protection fault when
    KASAN is enabled.
    
    This happens because, since the tracepoint was added in
    mark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev
    regardless of whether the buffer head has a pointer to a block_device
    structure.
    
    In the current implementation, nilfs_grab_buffer(), which grabs a buffer
    to read (or create) a block of metadata, including b-tree node blocks,
    does not set the block device, but instead does so only if the buffer is
    not in the "uptodate" state for each of its caller block reading
    functions.  However, if the uptodate flag is set on a folio/page, and the
    buffer heads are detached from it by try_to_free_buffers(), and new buffer
    heads are then attached by create_empty_buffers(), the uptodate flag may
    be restored to each buffer without the block device being set to
    bh->b_bdev, and mark_buffer_dirty() may be called later in that state,
    resulting in the bug mentioned above.
    
    Fix this issue by making nilfs_grab_buffer() always set the block device
    of the super block structure to the buffer head, regardless of the state
    of the buffer's uptodate flag.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 5305cb830834 ("block: add block_{touch|dirty}_buffer tracepoint")
    Signed-off-by: Ryusuke Konishi <[email protected]>
    Cc: Tejun Heo <[email protected]>
    Cc: Ubisectech Sirius <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint [+ + +]
Author: Ryusuke Konishi <[email protected]>
Date:   Thu Nov 7 01:07:32 2024 +0900

    nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint
    
    commit cd45e963e44b0f10d90b9e6c0e8b4f47f3c92471 upstream.
    
    Patch series "nilfs2: fix null-ptr-deref bugs on block tracepoints".
    
    This series fixes null pointer dereference bugs that occur when using
    nilfs2 and two block-related tracepoints.
    
    
    This patch (of 2):
    
    It has been reported that when using "block:block_touch_buffer"
    tracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a
    NULL pointer dereference, or a general protection fault when KASAN is
    enabled.
    
    This happens because since the tracepoint was added in touch_buffer(), it
    references the dev_t member bh->b_bdev->bd_dev regardless of whether the
    buffer head has a pointer to a block_device structure.  In the current
    implementation, the block_device structure is set after the function
    returns to the caller.
    
    Here, touch_buffer() is used to mark the folio/page that owns the buffer
    head as accessed, but the common search helper for folio/page used by the
    caller function was optimized to mark the folio/page as accessed when it
    was reimplemented a long time ago, eliminating the need to call
    touch_buffer() here in the first place.
    
    So this solves the issue by eliminating the touch_buffer() call itself.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 5305cb830834 ("block: add block_{touch|dirty}_buffer tracepoint")
    Signed-off-by: Ryusuke Konishi <[email protected]>
    Reported-by: Ubisectech Sirius <[email protected]>
    Closes: https://lkml.kernel.org/r/[email protected]
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=9982fb8d18eba905abe2
    Tested-by: [email protected]
    Cc: Tejun Heo <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nommu: pass NULL argument to vma_iter_prealloc() [+ + +]
Author: Hajime Tazaki <[email protected]>
Date:   Sat Nov 9 07:28:34 2024 +0900

    nommu: pass NULL argument to vma_iter_prealloc()
    
    commit 247d720b2c5d22f7281437fd6054a138256986ba upstream.
    
    When deleting a vma entry from a maple tree, it has to pass NULL to
    vma_iter_prealloc() in order to calculate internal state of the tree, but
    it passed a wrong argument.  As a result, nommu kernels crashed upon
    accessing a vma iterator, such as acct_collect() reading the size of vma
    entries after do_munmap().
    
    This commit fixes this issue by passing a right argument to the
    preallocation call.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: b5df09226450 ("mm: set up vma iterator for vma_iter_prealloc() calls")
    Signed-off-by: Hajime Tazaki <[email protected]>
    Reviewed-by: Liam R. Howlett <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nouveau/dp: handle retries for AUX CH transfers with GSP. [+ + +]
Author: Dave Airlie <[email protected]>
Date:   Mon Nov 11 13:41:25 2024 +1000

    nouveau/dp: handle retries for AUX CH transfers with GSP.
    
    commit 9776c0a75a1a86b753b2dc7c1ecc3baa048a8dec upstream.
    
    eb284f4b3781 drm/nouveau/dp: Honor GSP link training retry timeouts
    
    tried to fix a problem with panel retires, however it appears
    the auxch also needs the same treatment, so add the same retry
    wrapper around it.
    
    This fixes some eDP panels after a suspend/resume cycle.
    
    Fixes: eb284f4b3781 ("drm/nouveau/dp: Honor GSP link training retry timeouts")
    Cc: [email protected]
    Reviewed-by: Lyude Paul <[email protected]>
    Signed-off-by: Dave Airlie <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
nouveau: fw: sync dma after setup is called. [+ + +]
Author: Dave Airlie <[email protected]>
Date:   Wed Nov 13 05:57:03 2024 +1000

    nouveau: fw: sync dma after setup is called.
    
    commit 21ec425eaf2cb7c0371f7683f81ad7d9679b6eb5 upstream.
    
    When this code moved to non-coherent allocator the sync was put too
    early for some firmwares which called the setup function, move the
    sync down after the setup function.
    
    Reported-by: Diogo Ivo <[email protected]>
    Tested-by: Diogo Ivo <[email protected]>
    Reviewed-by: Lyude Paul <[email protected]>
    Fixes: 9b340aeb26d5 ("nouveau/firmware: use dma non-coherent allocator")
    Cc: [email protected]
    Signed-off-by: Dave Airlie <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

nouveau: handle EBUSY and EAGAIN for GSP aux errors. [+ + +]
Author: Dave Airlie <[email protected]>
Date:   Mon Nov 11 13:41:24 2024 +1000

    nouveau: handle EBUSY and EAGAIN for GSP aux errors.
    
    commit b6ad7debf5ab3e581b5cb0f5c94e404ec968bd5b upstream.
    
    The upper layer transfer functions expect EBUSY as a return
    for when retries should be done.
    
    Fix the AUX error translation, but also check for both errors
    in a few places.
    
    Fixes: eb284f4b3781 ("drm/nouveau/dp: Honor GSP link training retry timeouts")
    Cc: [email protected]
    Reviewed-by: Lyude Paul <[email protected]>
    Signed-off-by: Dave Airlie <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
ocfs2: fix UBSAN warning in ocfs2_verify_volume() [+ + +]
Author: Dmitry Antipov <[email protected]>
Date:   Wed Nov 6 12:21:00 2024 +0300

    ocfs2: fix UBSAN warning in ocfs2_verify_volume()
    
    commit 23aab037106d46e6168ce1214a958ce9bf317f2e upstream.
    
    Syzbot has reported the following splat triggered by UBSAN:
    
    UBSAN: shift-out-of-bounds in fs/ocfs2/super.c:2336:10
    shift exponent 32768 is too large for 32-bit type 'int'
    CPU: 2 UID: 0 PID: 5255 Comm: repro Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
    Call Trace:
     <TASK>
     dump_stack_lvl+0x241/0x360
     ? __pfx_dump_stack_lvl+0x10/0x10
     ? __pfx__printk+0x10/0x10
     ? __asan_memset+0x23/0x50
     ? lockdep_init_map_type+0xa1/0x910
     __ubsan_handle_shift_out_of_bounds+0x3c8/0x420
     ocfs2_fill_super+0xf9c/0x5750
     ? __pfx_ocfs2_fill_super+0x10/0x10
     ? __pfx_validate_chain+0x10/0x10
     ? __pfx_validate_chain+0x10/0x10
     ? validate_chain+0x11e/0x5920
     ? __lock_acquire+0x1384/0x2050
     ? __pfx_validate_chain+0x10/0x10
     ? string+0x26a/0x2b0
     ? widen_string+0x3a/0x310
     ? string+0x26a/0x2b0
     ? bdev_name+0x2b1/0x3c0
     ? pointer+0x703/0x1210
     ? __pfx_pointer+0x10/0x10
     ? __pfx_format_decode+0x10/0x10
     ? __lock_acquire+0x1384/0x2050
     ? vsnprintf+0x1ccd/0x1da0
     ? snprintf+0xda/0x120
     ? __pfx_lock_release+0x10/0x10
     ? do_raw_spin_lock+0x14f/0x370
     ? __pfx_snprintf+0x10/0x10
     ? set_blocksize+0x1f9/0x360
     ? sb_set_blocksize+0x98/0xf0
     ? setup_bdev_super+0x4e6/0x5d0
     mount_bdev+0x20c/0x2d0
     ? __pfx_ocfs2_fill_super+0x10/0x10
     ? __pfx_mount_bdev+0x10/0x10
     ? vfs_parse_fs_string+0x190/0x230
     ? __pfx_vfs_parse_fs_string+0x10/0x10
     legacy_get_tree+0xf0/0x190
     ? __pfx_ocfs2_mount+0x10/0x10
     vfs_get_tree+0x92/0x2b0
     do_new_mount+0x2be/0xb40
     ? __pfx_do_new_mount+0x10/0x10
     __se_sys_mount+0x2d6/0x3c0
     ? __pfx___se_sys_mount+0x10/0x10
     ? do_syscall_64+0x100/0x230
     ? __x64_sys_mount+0x20/0xc0
     do_syscall_64+0xf3/0x230
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f37cae96fda
    Code: 48 8b 0d 51 ce 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1e ce 0c 00 f7 d8 64 89 01 48
    RSP: 002b:00007fff6c1aa228 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
    RAX: ffffffffffffffda RBX: 00007fff6c1aa240 RCX: 00007f37cae96fda
    RDX: 00000000200002c0 RSI: 0000000020000040 RDI: 00007fff6c1aa240
    RBP: 0000000000000004 R08: 00007fff6c1aa280 R09: 0000000000000000
    R10: 00000000000008c0 R11: 0000000000000206 R12: 00000000000008c0
    R13: 00007fff6c1aa280 R14: 0000000000000003 R15: 0000000001000000
     </TASK>
    
    For a really damaged superblock, the value of 'i_super.s_blocksize_bits'
    may exceed the maximum possible shift for an underlying 'int'.  So add an
    extra check whether the aforementioned field represents the valid block
    size, which is 512 bytes, 1K, 2K, or 4K.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
    Signed-off-by: Dmitry Antipov <[email protected]>
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=56f7cd1abe4b8e475180
    Reviewed-by: Joseph Qi <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Junxiao Bi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Jun Piao <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

ocfs2: uncache inode which has failed entering the group [+ + +]
Author: Dmitry Antipov <[email protected]>
Date:   Thu Nov 14 07:38:44 2024 +0300

    ocfs2: uncache inode which has failed entering the group
    
    commit 737f34137844d6572ab7d473c998c7f977ff30eb upstream.
    
    Syzbot has reported the following BUG:
    
    kernel BUG at fs/ocfs2/uptodate.c:509!
    ...
    Call Trace:
     <TASK>
     ? __die_body+0x5f/0xb0
     ? die+0x9e/0xc0
     ? do_trap+0x15a/0x3a0
     ? ocfs2_set_new_buffer_uptodate+0x145/0x160
     ? do_error_trap+0x1dc/0x2c0
     ? ocfs2_set_new_buffer_uptodate+0x145/0x160
     ? __pfx_do_error_trap+0x10/0x10
     ? handle_invalid_op+0x34/0x40
     ? ocfs2_set_new_buffer_uptodate+0x145/0x160
     ? exc_invalid_op+0x38/0x50
     ? asm_exc_invalid_op+0x1a/0x20
     ? ocfs2_set_new_buffer_uptodate+0x2e/0x160
     ? ocfs2_set_new_buffer_uptodate+0x144/0x160
     ? ocfs2_set_new_buffer_uptodate+0x145/0x160
     ocfs2_group_add+0x39f/0x15a0
     ? __pfx_ocfs2_group_add+0x10/0x10
     ? __pfx_lock_acquire+0x10/0x10
     ? mnt_get_write_access+0x68/0x2b0
     ? __pfx_lock_release+0x10/0x10
     ? rcu_read_lock_any_held+0xb7/0x160
     ? __pfx_rcu_read_lock_any_held+0x10/0x10
     ? smack_log+0x123/0x540
     ? mnt_get_write_access+0x68/0x2b0
     ? mnt_get_write_access+0x68/0x2b0
     ? mnt_get_write_access+0x226/0x2b0
     ocfs2_ioctl+0x65e/0x7d0
     ? __pfx_ocfs2_ioctl+0x10/0x10
     ? smack_file_ioctl+0x29e/0x3a0
     ? __pfx_smack_file_ioctl+0x10/0x10
     ? lockdep_hardirqs_on_prepare+0x43d/0x780
     ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
     ? __pfx_ocfs2_ioctl+0x10/0x10
     __se_sys_ioctl+0xfb/0x170
     do_syscall_64+0xf3/0x230
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    ...
     </TASK>
    
    When 'ioctl(OCFS2_IOC_GROUP_ADD, ...)' has failed for the particular
    inode in 'ocfs2_verify_group_and_input()', corresponding buffer head
    remains cached and subsequent call to the same 'ioctl()' for the same
    inode issues the BUG() in 'ocfs2_set_new_buffer_uptodate()' (trying
    to cache the same buffer head of that inode). Fix this by uncaching
    the buffer head with 'ocfs2_remove_from_cache()' on error path in
    'ocfs2_group_add()'.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 7909f2bf8353 ("[PATCH 2/2] ocfs2: Implement group add for online resize")
    Signed-off-by: Dmitry Antipov <[email protected]>
    Reported-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=453873f1588c2d75b447
    Reviewed-by: Joseph Qi <[email protected]>
    Cc: Dmitry Antipov <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: Junxiao Bi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Jun Piao <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
pmdomain: arm: Use FLAG_DEV_NAME_FW to ensure unique names [+ + +]
Author: Sibi Sankar <[email protected]>
Date:   Wed Oct 30 18:25:11 2024 +0530

    pmdomain: arm: Use FLAG_DEV_NAME_FW to ensure unique names
    
    commit 0bf020344204a2c1067b7562b6a247e6c689e28b upstream.
    
    The domain attributes returned by the perf protocol can end up reporting
    identical names across domains, resulting in debugfs node creation failure.
    Use the GENPD_FLAG_DEV_NAME_FW to ensure the genpd providers end up with an
    unique name.
    
    Logs: [X1E reports 'NCC' for all its scmi perf domains]
    debugfs: Directory 'NCC' with parent 'pm_genpd' already present!
    debugfs: Directory 'NCC' with parent 'pm_genpd' already present!
    
    Reported-by: Johan Hovold <[email protected]>
    Closes: https://lore.kernel.org/lkml/[email protected]/
    Suggested-by: Ulf Hansson <[email protected]>
    Suggested-by: Dmitry Baryshkov <[email protected]>
    Signed-off-by: Sibi Sankar <[email protected]>
    Cc: [email protected]
    Message-ID: <[email protected]>
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag [+ + +]
Author: Sibi Sankar <[email protected]>
Date:   Wed Oct 30 18:25:10 2024 +0530

    pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag
    
    commit 899f44531fe6cac4b024710fec647ecc127724b8 upstream.
    
    Introduce GENPD_FLAG_DEV_NAME_FW flag which instructs genpd to generate
    an unique device name using ida. It is aimed to be used by genpd providers
    which derive their names directly from FW making them susceptible to
    debugfs node creation failures.
    
    Reported-by: Johan Hovold <[email protected]>
    Closes: https://lore.kernel.org/lkml/[email protected]/
    Fixes: 718072ceb211 ("PM: domains: create debugfs nodes when adding power domains")
    Suggested-by: Ulf Hansson <[email protected]>
    Suggested-by: Dmitry Baryshkov <[email protected]>
    Signed-off-by: Sibi Sankar <[email protected]>
    Cc: [email protected]
    Message-ID: <[email protected]>
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

pmdomain: imx93-blk-ctrl: correct remove path [+ + +]
Author: Peng Fan <[email protected]>
Date:   Fri Nov 1 18:12:51 2024 +0800

    pmdomain: imx93-blk-ctrl: correct remove path
    
    commit f7c7c5aa556378a2c8da72c1f7f238b6648f95fb upstream.
    
    The check condition should be 'i < bc->onecell_data.num_domains', not
    'bc->onecell_data.num_domains' which will make the look never finish
    and cause kernel panic.
    
    Also disable runtime to address
    "imx93-blk-ctrl 4ac10000.system-controller: Unbalanced pm_runtime_enable!"
    
    Fixes: e9aa77d413c9 ("soc: imx: add i.MX93 media blk ctrl driver")
    Signed-off-by: Peng Fan <[email protected]>
    Reviewed-by: Stefan Wahren <[email protected]>
    Cc: [email protected]
    Message-ID: <[email protected]>
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Revert "drm/amd/display: parse umc_info or vram_info based on ASIC" [+ + +]
Author: Alex Deucher <[email protected]>
Date:   Fri Nov 8 09:34:46 2024 -0500

    Revert "drm/amd/display: parse umc_info or vram_info based on ASIC"
    
    commit 5f77ee21eb44e37e371bcea195ea9403b95d1399 upstream.
    
    This reverts commit 694c79769cb384bca8b1ec1d1e84156e726bd106.
    
    This was not the root cause.  Revert.
    
    Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3678
    Reviewed-by: Harry Wentland <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected]
    Cc: [email protected]
    (cherry picked from commit 3c2296b1eec55b50c64509ba15406142d4a958dc)
    Cc: [email protected] # 6.11.x
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Revert "drm/amd/pm: correct the workload setting" [+ + +]
Author: Alex Deucher <[email protected]>
Date:   Sat Nov 16 09:22:14 2024 -0500

    Revert "drm/amd/pm: correct the workload setting"
    
    [ Upstream commit 44f392fbf628a7ff2d8bb8e83ca1851261f81a6f ]
    
    This reverts commit 74e1006430a5377228e49310f6d915628609929e.
    
    This causes a regression in the workload selection.
    A more extensive fix is being worked on.
    For now, revert.
    
    Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3618
    Fixes: 74e1006430a5 ("drm/amd/pm: correct the workload setting")
    Signed-off-by: Alex Deucher <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" [+ + +]
Author: Aurelien Jarno <[email protected]>
Date:   Sun Nov 10 12:46:36 2024 +0100

    Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"
    
    commit 1635e407a4a64d08a8517ac59ca14ad4fc785e75 upstream.
    
    The commit 8396c793ffdf ("mmc: dw_mmc: Fix IDMAC operation with pages
    bigger than 4K") increased the max_req_size, even for 4K pages, causing
    various issues:
    - Panic booting the kernel/rootfs from an SD card on Rockchip RK3566
    - Panic booting the kernel/rootfs from an SD card on StarFive JH7100
    - "swiotlb buffer is full" and data corruption on StarFive JH7110
    
    At this stage no fix have been found, so it's probably better to just
    revert the change.
    
    This reverts commit 8396c793ffdf28bb8aee7cfe0891080f8cab7890.
    
    Cc: [email protected]
    Cc: Sam Protsenko <[email protected]>
    Fixes: 8396c793ffdf ("mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K")
    Closes: https://lore.kernel.org/linux-mmc/[email protected]/
    Closes: https://lore.kernel.org/linux-mmc/CAC8uq=Ppnmv98mpa1CrWLawWoPnu5abtU69v-=G-P7ysATQ2Pw@mail.gmail.com/
    Signed-off-by: Aurelien Jarno <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan" [+ + +]
Author: Leon Romanovsky <[email protected]>
Date:   Tue Nov 12 10:56:26 2024 +0200

    Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan"
    
    [ Upstream commit 6abe2a90808192a5a8b2825293e5f10e80fdea56 ]
    
    The citied commit in Fixes line caused to regression for udaddy [1]
    application. It doesn't work over VLANs anymore.
    
    Client:
      ifconfig eth2 1.1.1.1
      ip link add link eth2 name p0.3597 type vlan protocol 802.1Q id 3597
      ip link set dev p0.3597 up
      ip addr add 2.2.2.2/16 dev p0.3597
      udaddy -S 847 -C 220 -c 2 -t 0 -s 2.2.2.3 -b 2.2.2.2
    
    Server:
      ifconfig eth2 1.1.1.3
      ip link add link eth2 name p0.3597 type vlan protocol 802.1Q id 3597
      ip link set dev p0.3597 up
      ip addr add 2.2.2.3/16 dev p0.3597
      udaddy -S 847 -C 220 -c 2 -t 0 -b 2.2.2.3
    
    [1] https://github.com/linux-rdma/rdma-core/blob/master/librdmacm/examples/udaddy.c
    
    Fixes: 5069d7e202f6 ("RDMA/core: Fix ENODEV error for iWARP test over vlan")
    Reported-by: Leon Romanovsky <[email protected]>
    Closes: https://lore.kernel.org/all/20241110130746.GA48891@unreal
    Link: https://patch.msgid.link/bb9d403419b2b9566da5b8bf0761fa8377927e49.1731401658.git.leon@kernel.org
    Signed-off-by: Leon Romanovsky <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
samples: pktgen: correct dev to DEV [+ + +]
Author: Wei Fang <[email protected]>
Date:   Tue Nov 12 11:03:47 2024 +0800

    samples: pktgen: correct dev to DEV
    
    [ Upstream commit 3342dc8b4623d835e7dd76a15cec2e5a94fe2f93 ]
    
    In the pktgen_sample01_simple.sh script, the device variable is uppercase
    'DEV' instead of lowercase 'dev'. Because of this typo, the script cannot
    enable UDP tx checksum.
    
    Fixes: 460a9aa23de6 ("samples: pktgen: add UDP tx checksum support")
    Signed-off-by: Wei Fang <[email protected]>
    Reviewed-by: Simon Horman <[email protected]>
    Acked-by: Jesper Dangaard Brouer <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers [+ + +]
Author: Qun-Wei Lin <[email protected]>
Date:   Wed Nov 13 12:25:43 2024 +0800

    sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers
    
    commit fd7b4f9f46d46acbc7af3a439bb0d869efdc5c58 upstream.
    
    When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the
    object_is_on_stack() function may produce incorrect results due to the
    presence of tags in the obj pointer, while the stack pointer does not have
    tags.  This discrepancy can lead to incorrect stack object detection and
    subsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled.
    
    Example of the warning:
    
    ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364
    Modules linked in:
    CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4
    Hardware name: linux,dummy-virt (DT)
    pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : __debug_object_init+0x330/0x364
    lr : __debug_object_init+0x330/0x364
    sp : ffff800082ea7b40
    x29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534
    x26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0
    x23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418
    x20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000
    x17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e
    x14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e
    x11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800
    x8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001
    x5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4
    x2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050
    Call trace:
     __debug_object_init+0x330/0x364
     debug_object_init_on_stack+0x30/0x3c
     schedule_hrtimeout_range_clock+0xac/0x26c
     schedule_hrtimeout+0x1c/0x30
     wait_task_inactive+0x1d4/0x25c
     kthread_bind_mask+0x28/0x98
     init_rescuer+0x1e8/0x280
     workqueue_init+0x1a0/0x3cc
     kernel_init_freeable+0x118/0x200
     kernel_init+0x28/0x1f0
     ret_from_fork+0x10/0x20
    ---[ end trace 0000000000000000 ]---
    ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
    ------------[ cut here ]------------
    
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Qun-Wei Lin <[email protected]>
    Cc: Andrew Yang <[email protected]>
    Cc: AngeloGioacchino Del Regno <[email protected]>
    Cc: Casper Li <[email protected]>
    Cc: Catalin Marinas <[email protected]>
    Cc: Chinwen Chang <[email protected]>
    Cc: Kent Overstreet <[email protected]>
    Cc: Matthias Brugger <[email protected]>
    Cc: Pasha Tatashin <[email protected]>
    Cc: Shakeel Butt <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
sctp: fix possible UAF in sctp_v6_available() [+ + +]
Author: Eric Dumazet <[email protected]>
Date:   Thu Nov 7 19:20:21 2024 +0000

    sctp: fix possible UAF in sctp_v6_available()
    
    [ Upstream commit eb72e7fcc83987d5d5595b43222f23b295d5de7f ]
    
    A lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints
    that sctp_v6_available() is calling dev_get_by_index_rcu()
    and ipv6_chk_addr() without holding rcu.
    
    [1]
     =============================
     WARNING: suspicious RCU usage
     6.12.0-rc5-virtme #1216 Tainted: G        W
     -----------------------------
     net/core/dev.c:876 RCU-list traversed in non-reader section!!
    
    other info that might help us debug this:
    
    rcu_scheduler_active = 2, debug_locks = 1
     1 lock held by sctp_hello/31495:
     #0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp
    
    stack backtrace:
     CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G        W          6.12.0-rc5-virtme #1216
     Tainted: [W]=WARN
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
     Call Trace:
      <TASK>
     dump_stack_lvl (lib/dump_stack.c:123)
     lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
     dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7))
     sctp_v6_available (net/sctp/ipv6.c:701) sctp
     sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp
     sctp_bind (net/sctp/socket.c:320) sctp
     inet6_bind_sk (net/ipv6/af_inet6.c:465)
     ? security_socket_bind (security/security.c:4581 (discriminator 1))
     __sys_bind (net/socket.c:1848 net/socket.c:1869)
     ? do_user_addr_fault (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 ./include/linux/mm.h:729 arch/x86/mm/fault.c:1340)
     ? do_user_addr_fault (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:98 (discriminator 13) ./include/linux/rcupdate.h:882 (discriminator 13) ./include/linux/mm.h:729 (discriminator 13) arch/x86/mm/fault.c:1340 (discriminator 13))
     __x64_sys_bind (net/socket.c:1877 (discriminator 1) net/socket.c:1875 (discriminator 1) net/socket.c:1875 (discriminator 1))
     do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
     RIP: 0033:0x7f59b934a1e7
     Code: 44 00 00 48 8b 15 39 8c 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 8c 0c 00 f7 d8 64 89 01 48
    All code
    ========
       0:   44 00 00                add    %r8b,(%rax)
       3:   48 8b 15 39 8c 0c 00    mov    0xc8c39(%rip),%rdx        # 0xc8c43
       a:   f7 d8                   neg    %eax
       c:   64 89 02                mov    %eax,%fs:(%rdx)
       f:   b8 ff ff ff ff          mov    $0xffffffff,%eax
      14:   eb bd                   jmp    0xffffffffffffffd3
      16:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
      1d:   00 00 00
      20:   0f 1f 00                nopl   (%rax)
      23:   b8 31 00 00 00          mov    $0x31,%eax
      28:   0f 05                   syscall
      2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax         <-- trapping instruction
      30:   73 01                   jae    0x33
      32:   c3                      ret
      33:   48 8b 0d 09 8c 0c 00    mov    0xc8c09(%rip),%rcx        # 0xc8c43
      3a:   f7 d8                   neg    %eax
      3c:   64 89 01                mov    %eax,%fs:(%rcx)
      3f:   48                      rex.W
    
    Code starting with the faulting instruction
    ===========================================
       0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
       6:   73 01                   jae    0x9
       8:   c3                      ret
       9:   48 8b 0d 09 8c 0c 00    mov    0xc8c09(%rip),%rcx        # 0xc8c19
      10:   f7 d8                   neg    %eax
      12:   64 89 01                mov    %eax,%fs:(%rcx)
      15:   48                      rex.W
     RSP: 002b:00007ffe2d0ad398 EFLAGS: 00000202 ORIG_RAX: 0000000000000031
     RAX: ffffffffffffffda RBX: 00007ffe2d0ad3d0 RCX: 00007f59b934a1e7
     RDX: 000000000000001c RSI: 00007ffe2d0ad3d0 RDI: 0000000000000005
     RBP: 0000000000000005 R08: 1999999999999999 R09: 0000000000000000
     R10: 00007f59b9253298 R11: 0000000000000202 R12: 00007ffe2d0ada61
     R13: 0000000000000000 R14: 0000562926516dd8 R15: 00007f59b9479000
      </TASK>
    
    Fixes: 6fe1e52490a9 ("sctp: check ipv6 addr with sk_bound_dev if set")
    Signed-off-by: Eric Dumazet <[email protected]>
    Cc: Marcelo Ricardo Leitner <[email protected]>
    Acked-by: Xin Long <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
selftests: hugetlb_dio: fixup check for initial conditions to skip in the start [+ + +]
Author: Donet Tom <[email protected]>
Date:   Sun Nov 10 00:49:03 2024 -0600

    selftests: hugetlb_dio: fixup check for initial conditions to skip in the start
    
    commit fae1980347bfd23325099b69db6638b94149a94c upstream.
    
    This test verifies that a hugepage, used as a user buffer for DIO
    operations, is correctly freed upon unmapping.  To test this, we read the
    count of free hugepages before and after the mmap, DIO, and munmap
    operations, then check if the free hugepage count is the same.
    
    Reading free hugepages before the test was removed by commit 0268d4579901
    ('selftests: hugetlb_dio: check for initial conditions to skip at the
    start'), causing the test to always fail.
    
    This patch adds back reading the free hugepages before starting the test.
    With this patch, the tests are now passing.
    
    Test results without this patch:
    
    ./tools/testing/selftests/mm/hugetlb_dio
    TAP version 13
    1..4
     # No. Free pages before allocation : 0
     # No. Free pages after munmap : 100
    not ok 1 : Huge pages not freed!
     # No. Free pages before allocation : 0
     # No. Free pages after munmap : 100
    not ok 2 : Huge pages not freed!
     # No. Free pages before allocation : 0
     # No. Free pages after munmap : 100
    not ok 3 : Huge pages not freed!
     # No. Free pages before allocation : 0
     # No. Free pages after munmap : 100
    not ok 4 : Huge pages not freed!
     # Totals: pass:0 fail:4 xfail:0 xpass:0 skip:0 error:0
    
    Test results with this patch:
    
    /tools/testing/selftests/mm/hugetlb_dio
    TAP version 13
    1..4
    # No. Free pages before allocation : 100
    # No. Free pages after munmap : 100
    ok 1 : Huge pages freed successfully !
    # No. Free pages before allocation : 100
    # No. Free pages after munmap : 100
    ok 2 : Huge pages freed successfully !
    # No. Free pages before allocation : 100
    # No. Free pages after munmap : 100
    ok 3 : Huge pages freed successfully !
    # No. Free pages before allocation : 100
    # No. Free pages after munmap : 100
    ok 4 : Huge pages freed successfully !
    
    # Totals: pass:4 fail:0 xfail:0 xpass:0 skip:0 error:0
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 0268d4579901 ("selftests: hugetlb_dio: check for initial conditions to skip in the start")
    Signed-off-by: Donet Tom <[email protected]>
    Cc: Muhammad Usama Anjum <[email protected]>
    Cc: Shuah Khan <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines [+ + +]
Author: Vitalii Mordan <[email protected]>
Date:   Fri Nov 8 20:33:34 2024 +0300

    stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines
    
    [ Upstream commit 5b366eae71937ae7412365340b431064625f9617 ]
    
    If the clock dwmac->tx_clk was not enabled in intel_eth_plat_probe,
    it should not be disabled in any path.
    
    Conversely, if it was enabled in intel_eth_plat_probe, it must be disabled
    in all error paths to ensure proper cleanup.
    
    Found by Linux Verification Center (linuxtesting.org) with Klever.
    
    Fixes: 9efc9b2b04c7 ("net: stmmac: Add dwmac-intel-plat for GBE driver")
    Signed-off-by: Vitalii Mordan <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
tools/mm: fix compile error [+ + +]
Author: Motiejus JakÅ`tys <[email protected]>
Date:   Tue Nov 12 19:16:55 2024 +0200

    tools/mm: fix compile error
    
    [ Upstream commit a39326767c55c00c7c313333404cbcb502cce8fe ]
    
    Add a missing semicolon.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: ece5897e5a10 ("tools/mm: -Werror fixes in page-types/slabinfo")
    Signed-off-by: Motiejus JakÅ`tys <[email protected]>
    Closes: https://github.com/NixOS/nixpkgs/issues/355369
    Reviewed-by: SeongJae Park <[email protected]>
    Reviewed-by: Vishal Moola (Oracle) <[email protected]>
    Acked-by: Oleksandr Natalenko <[email protected]>
    Cc: Wladislav Wiebe <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
tpm: Disable TPM on tpm2_create_primary() failure [+ + +]
Author: Jarkko Sakkinen <[email protected]>
Date:   Wed Nov 13 20:35:39 2024 +0200

    tpm: Disable TPM on tpm2_create_primary() failure
    
    commit 423893fcbe7e9adc875bce4e55b9b25fc1424977 upstream.
    
    The earlier bug fix misplaced the error-label when dealing with the
    tpm2_create_primary() return value, which the original completely ignored.
    
    Cc: [email protected]
    Reported-by: Christoph Anton Mitterer <[email protected]>
    Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087331
    Fixes: cc7d8594342a ("tpm: Rollback tpm2_load_null()")
    Signed-off-by: Jarkko Sakkinen <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
vdpa/mlx5: Fix PA offset with unaligned starting iotlb map [+ + +]
Author: Si-Wei Liu <[email protected]>
Date:   Mon Oct 21 16:40:39 2024 +0300

    vdpa/mlx5: Fix PA offset with unaligned starting iotlb map
    
    commit 29ce8b8a4fa74e841342c8b8f8941848a3c6f29f upstream.
    
    When calculating the physical address range based on the iotlb and mr
    [start,end) ranges, the offset of mr->start relative to map->start
    is not taken into account. This leads to some incorrect and duplicate
    mappings.
    
    For the case when mr->start < map->start the code is already correct:
    the range in [mr->start, map->start) was handled by a different
    iteration.
    
    Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code")
    Cc: [email protected]
    Signed-off-by: Si-Wei Liu <[email protected]>
    Signed-off-by: Dragos Tatulea <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Acked-by: Jason Wang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
vdpa: solidrun: Fix UB bug with devres [+ + +]
Author: Philipp Stanner <[email protected]>
Date:   Mon Oct 28 08:43:59 2024 +0100

    vdpa: solidrun: Fix UB bug with devres
    
    commit 0b364cf53b20204e92bac7c6ebd1ee7d3ec62931 upstream.
    
    In psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to
    pcim_iomap_regions() is placed on the stack. Neither
    pcim_iomap_regions() nor the functions it calls copy that string.
    
    Should the string later ever be used, this, consequently, causes
    undefined behavior since the stack frame will by then have disappeared.
    
    Fix the bug by allocating the strings on the heap through
    devm_kasprintf().
    
    Cc: [email protected]      # v6.3
    Fixes: 51a8f9d7f587 ("virtio: vdpa: new SolidNET DPU driver.")
    Reported-by: Christophe JAILLET <[email protected]>
    Closes: https://lore.kernel.org/all/[email protected]/
    Suggested-by: Andy Shevchenko <[email protected]>
    Signed-off-by: Philipp Stanner <[email protected]>
    Reviewed-by: Stefano Garzarella <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
virtio/vsock: Fix accept_queue memory leak [+ + +]
Author: Michal Luczaj <[email protected]>
Date:   Thu Nov 7 21:46:12 2024 +0100

    virtio/vsock: Fix accept_queue memory leak
    
    [ Upstream commit d7b0ff5a866724c3ad21f2628c22a63336deec3f ]
    
    As the final stages of socket destruction may be delayed, it is possible
    that virtio_transport_recv_listen() will be called after the accept_queue
    has been flushed, but before the SOCK_DONE flag has been set. As a result,
    sockets enqueued after the flush would remain unremoved, leading to a
    memory leak.
    
    vsock_release
      __vsock_release
        lock
        virtio_transport_release
          virtio_transport_close
            schedule_delayed_work(close_work)
        sk_shutdown = SHUTDOWN_MASK
    (!) flush accept_queue
        release
                                            virtio_transport_recv_pkt
                                              vsock_find_bound_socket
                                              lock
                                              if flag(SOCK_DONE) return
                                              virtio_transport_recv_listen
                                                child = vsock_create_connected
                                          (!)   vsock_enqueue_accept(child)
                                              release
    close_work
      lock
      virtio_transport_do_close
        set_flag(SOCK_DONE)
        virtio_transport_remove_sock
          vsock_remove_sock
            vsock_remove_bound
      release
    
    Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during
    socket destruction.
    
    unreferenced object 0xffff888109e3f800 (size 2040):
      comm "kworker/5:2", pid 371, jiffies 4294940105
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
      backtrace (crc 9e5f4e84):
        [<ffffffff81418ff1>] kmem_cache_alloc_noprof+0x2c1/0x360
        [<ffffffff81d27aa0>] sk_prot_alloc+0x30/0x120
        [<ffffffff81d2b54c>] sk_alloc+0x2c/0x4b0
        [<ffffffff81fe049a>] __vsock_create.constprop.0+0x2a/0x310
        [<ffffffff81fe6d6c>] virtio_transport_recv_pkt+0x4dc/0x9a0
        [<ffffffff81fe745d>] vsock_loopback_work+0xfd/0x140
        [<ffffffff810fc6ac>] process_one_work+0x20c/0x570
        [<ffffffff810fce3f>] worker_thread+0x1bf/0x3a0
        [<ffffffff811070dd>] kthread+0xdd/0x110
        [<ffffffff81044fdd>] ret_from_fork+0x2d/0x50
        [<ffffffff8100785a>] ret_from_fork_asm+0x1a/0x30
    
    Fixes: 3fe356d58efa ("vsock/virtio: discard packets only when socket is really closed")
    Reviewed-by: Stefano Garzarella <[email protected]>
    Signed-off-by: Michal Luczaj <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

virtio/vsock: Improve MSG_ZEROCOPY error handling [+ + +]
Author: Michal Luczaj <[email protected]>
Date:   Thu Nov 7 21:46:14 2024 +0100

    virtio/vsock: Improve MSG_ZEROCOPY error handling
    
    [ Upstream commit 60cf6206a1f513512f5d73fa4d3dbbcad2e7dcd6 ]
    
    Add a missing kfree_skb() to prevent memory leaks.
    
    Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
    Reviewed-by: Stefano Garzarella <[email protected]>
    Signed-off-by: Michal Luczaj <[email protected]>
    Acked-by: Arseniy Krasnov <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
vp_vdpa: fix id_table array not null terminated error [+ + +]
Author: Xiaoguang Wang <[email protected]>
Date:   Tue Nov 5 21:35:18 2024 +0800

    vp_vdpa: fix id_table array not null terminated error
    
    commit 4e39ecadf1d2a08187139619f1f314b64ba7d947 upstream.
    
    Allocate one extra virtio_device_id as null terminator, otherwise
    vdpa_mgmtdev_get_classes() may iterate multiple times and visit
    undefined memory.
    
    Fixes: ffbda8e9df10 ("vdpa/vp_vdpa : add vdpa tool support in vp_vdpa")
    Cc: [email protected]
    Suggested-by: Parav Pandit <[email protected]>
    Signed-off-by: Angus Chen <[email protected]>
    Signed-off-by: Xiaoguang Wang <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Parav Pandit <[email protected]>
    Acked-by: Jason Wang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
vsock: Fix sk_error_queue memory leak [+ + +]
Author: Michal Luczaj <[email protected]>
Date:   Thu Nov 7 21:46:13 2024 +0100

    vsock: Fix sk_error_queue memory leak
    
    [ Upstream commit fbf7085b3ad1c7cc0677834c90f985f1b4f77a33 ]
    
    Kernel queues MSG_ZEROCOPY completion notifications on the error queue.
    Where they remain, until explicitly recv()ed. To prevent memory leaks,
    clean up the queue when the socket is destroyed.
    
    unreferenced object 0xffff8881028beb00 (size 224):
      comm "vsock_test", pid 1218, jiffies 4294694897
      hex dump (first 32 bytes):
        90 b0 21 17 81 88 ff ff 90 b0 21 17 81 88 ff ff  ..!.......!.....
        00 00 00 00 00 00 00 00 00 b0 21 17 81 88 ff ff  ..........!.....
      backtrace (crc 6c7031ca):
        [<ffffffff81418ef7>] kmem_cache_alloc_node_noprof+0x2f7/0x370
        [<ffffffff81d35882>] __alloc_skb+0x132/0x180
        [<ffffffff81d2d32b>] sock_omalloc+0x4b/0x80
        [<ffffffff81d3a8ae>] msg_zerocopy_realloc+0x9e/0x240
        [<ffffffff81fe5cb2>] virtio_transport_send_pkt_info+0x412/0x4c0
        [<ffffffff81fe6183>] virtio_transport_stream_enqueue+0x43/0x50
        [<ffffffff81fe0813>] vsock_connectible_sendmsg+0x373/0x450
        [<ffffffff81d233d5>] ____sys_sendmsg+0x365/0x3a0
        [<ffffffff81d246f4>] ___sys_sendmsg+0x84/0xd0
        [<ffffffff81d26f47>] __sys_sendmsg+0x47/0x80
        [<ffffffff820d3df3>] do_syscall_64+0x93/0x180
        [<ffffffff8220012b>] entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
    Signed-off-by: Michal Luczaj <[email protected]>
    Reviewed-by: Stefano Garzarella <[email protected]>
    Acked-by: Arseniy Krasnov <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>

 
x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client [+ + +]
Author: Mario Limonciello <[email protected]>
Date:   Tue Nov 5 10:02:34 2024 -0600

    x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client
    
    commit a5ca1dc46a6b610dd4627d8b633d6c84f9724ef0 upstream.
    
    A number of Zen4 client SoCs advertise the ability to use virtualized
    VMLOAD/VMSAVE, but using these instructions is reported to be a cause
    of a random host reboot.
    
    These instructions aren't intended to be advertised on Zen4 client
    so clear the capability.
    
    Signed-off-by: Mario Limonciello <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Cc: [email protected]
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=219009
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y [+ + +]
Author: Baoquan He <[email protected]>
Date:   Wed Sep 11 16:16:15 2024 +0800

    x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y
    
    commit 8d9ffb2fe65a6c4ef114e8d4f947958a12751bbe upstream.
    
    The kdump kernel is broken on SME systems with CONFIG_IMA_KEXEC=y enabled.
    Debugging traced the issue back to
    
      b69a2afd5afc ("x86/kexec: Carry forward IMA measurement log on kexec").
    
    Testing was previously not conducted on SME systems with CONFIG_IMA_KEXEC
    enabled, which led to the oversight, with the following incarnation:
    
    ...
      ima: No TPM chip found, activating TPM-bypass!
      Loading compiled-in module X.509 certificates
      Loaded X.509 cert 'Build time autogenerated kernel key: 18ae0bc7e79b64700122bb1d6a904b070fef2656'
      ima: Allocated hash algorithm: sha256
      Oops: general protection fault, probably for non-canonical address 0xcfacfdfe6660003e: 0000 [#1] PREEMPT SMP NOPTI
      CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-rc2+ #14
      Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS 1.20.0 05/03/2023
      RIP: 0010:ima_restore_measurement_list
      Call Trace:
       <TASK>
       ? show_trace_log_lvl
       ? show_trace_log_lvl
       ? ima_load_kexec_buffer
       ? __die_body.cold
       ? die_addr
       ? exc_general_protection
       ? asm_exc_general_protection
       ? ima_restore_measurement_list
       ? vprintk_emit
       ? ima_load_kexec_buffer
       ima_load_kexec_buffer
       ima_init
       ? __pfx_init_ima
       init_ima
       ? __pfx_init_ima
       do_one_initcall
       do_initcalls
       ? __pfx_kernel_init
       kernel_init_freeable
       kernel_init
       ret_from_fork
       ? __pfx_kernel_init
       ret_from_fork_asm
       </TASK>
      Modules linked in:
      ---[ end trace 0000000000000000 ]---
      ...
      Kernel panic - not syncing: Fatal exception
      Kernel Offset: disabled
      Rebooting in 10 seconds..
    
    Adding debug printks showed that the stored addr and size of ima_kexec buffer
    are not decrypted correctly like:
    
      ima: ima_load_kexec_buffer, buffer:0xcfacfdfe6660003e, size:0xe48066052d5df359
    
    Three types of setup_data info
    
      — SETUP_EFI,
      - SETUP_IMA, and
      - SETUP_RNG_SEED
    
    are passed to the kexec/kdump kernel. Only the ima_kexec buffer
    experienced incorrect decryption. Debugging identified a bug in
    early_memremap_is_setup_data(), where an incorrect range calculation
    occurred due to the len variable in struct setup_data ended up only
    representing the length of the data field, excluding the struct's size,
    and thus leading to miscalculation.
    
    Address a similar issue in memremap_is_setup_data() while at it.
    
      [ bp: Heavily massage. ]
    
    Fixes: b3c72fc9a78e ("x86/boot: Introduce setup_indirect")
    Signed-off-by: Baoquan He <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Acked-by: Tom Lendacky <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

 
x86/stackprotector: Work around strict Clang TLS symbol requirements [+ + +]
Author: Ard Biesheuvel <[email protected]>
Date:   Tue Nov 5 10:57:46 2024 -0500

    x86/stackprotector: Work around strict Clang TLS symbol requirements
    
    commit 577c134d311b9b94598d7a0c86be1f431f823003 upstream.
    
    GCC and Clang both implement stack protector support based on Thread Local
    Storage (TLS) variables, and this is used in the kernel to implement per-task
    stack cookies, by copying a task's stack cookie into a per-CPU variable every
    time it is scheduled in.
    
    Both now also implement -mstack-protector-guard-symbol=, which permits the TLS
    variable to be specified directly. This is useful because it will allow to
    move away from using a fixed offset of 40 bytes into the per-CPU area on
    x86_64, which requires a lot of special handling in the per-CPU code and the
    runtime relocation code.
    
    However, while GCC is rather lax in its implementation of this command line
    option, Clang actually requires that the provided symbol name refers to a TLS
    variable (i.e., one declared with __thread), although it also permits the
    variable to be undeclared entirely, in which case it will use an implicit
    declaration of the right type.
    
    The upshot of this is that Clang will emit the correct references to the stack
    cookie variable in most cases, e.g.,
    
      10d:       64 a1 00 00 00 00       mov    %fs:0x0,%eax
                         10f: R_386_32   __stack_chk_guard
    
    However, if a non-TLS definition of the symbol in question is visible in the
    same compilation unit (which amounts to the whole of vmlinux if LTO is
    enabled), it will drop the per-CPU prefix and emit a load from a bogus
    address.
    
    Work around this by using a symbol name that never occurs in C code, and emit
    it as an alias in the linker script.
    
    Fixes: 3fb0fdb3bbe7 ("x86/stackprotector/32: Make the canary into a regular percpu variable")
    Signed-off-by: Ard Biesheuvel <[email protected]>
    Signed-off-by: Brian Gerst <[email protected]>
    Signed-off-by: Borislav Petkov (AMD) <[email protected]>
    Reviewed-by: Nathan Chancellor <[email protected]>
    Tested-by: Nathan Chancellor <[email protected]>
    Cc: [email protected]
    Link: https://github.com/ClangBuiltLinux/linux/issues/1854
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>