commit d60c95efffe84428e3611431bf688f50bfc13f4e Author: Greg Kroah-Hartman Date: Thu Feb 9 11:28:28 2023 +0100 Linux 6.1.11 Link: https://lore.kernel.org/r/20230207125634.292109991@linuxfoundation.org Tested-by: Ronald Warsow Tested-by: Conor Dooley Tested-by: Jon Hunter Tested-by: Shuah Khan Tested-by: Florian Fainelli Tested-by: Bagas Sanjaya Tested-by: Guenter Roeck Tested-by: Ron Economos Tested-by: Rudi Heitbaum Tested-by: Salvatore Bonaccorso Tested-by: Allen Pais Tested-by: Justin M. Forbes Signed-off-by: Greg Kroah-Hartman commit 74eec8266f37aff609db6a2f2b093e56a11c28c4 Author: Hao Sun Date: Wed Jan 4 09:47:09 2023 +0800 bpf: Skip invalid kfunc call in backtrack_insn commit d3178e8a434b58678d99257c0387810a24042fb6 upstream. The verifier skips invalid kfunc call in check_kfunc_call(), which would be captured in fixup_kfunc_call() if such insn is not eliminated by dead code elimination. However, this can lead to the following warning in backtrack_insn(), also see [1]: ------------[ cut here ]------------ verifier backtracking bug WARNING: CPU: 6 PID: 8646 at kernel/bpf/verifier.c:2756 backtrack_insn kernel/bpf/verifier.c:2756 __mark_chain_precision kernel/bpf/verifier.c:3065 mark_chain_precision kernel/bpf/verifier.c:3165 adjust_reg_min_max_vals kernel/bpf/verifier.c:10715 check_alu_op kernel/bpf/verifier.c:10928 do_check kernel/bpf/verifier.c:13821 [inline] do_check_common kernel/bpf/verifier.c:16289 [...] So make backtracking conservative with this by returning ENOTSUPP. [1] https://lore.kernel.org/bpf/CACkBjsaXNceR8ZjkLG=dT3P=4A8SBsg0Z5h5PWLryF5=ghKq=g@mail.gmail.com/ Reported-by: syzbot+4da3ff23081bafe74fc2@syzkaller.appspotmail.com Signed-off-by: Hao Sun Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20230104014709.9375-1-sunhao.th@gmail.com Signed-off-by: Greg Kroah-Hartman commit d458a0984429c2d47e60254f5bc4119cbafe83a2 Author: Andreas Gruenbacher Date: Sun Dec 4 17:00:04 2022 +0100 gfs2: Always check inode size of inline inodes commit 70376c7ff31221f1d21db5611d8209e677781d3a upstream. Check if the inode size of stuffed (inline) inodes is within the allowed range when reading inodes from disk (gfs2_dinode_in()). This prevents us from on-disk corruption. The two checks in stuffed_readpage() and gfs2_unstuffer_page() that just truncate inline data to the maximum allowed size don't actually make sense, and they can be removed now as well. Reported-by: syzbot+7bb81dfa9cda07d9cd9d@syzkaller.appspotmail.com Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit 62b11a34a98cc91b1ec4d534b1df80ad8f333bb9 Author: Andreas Gruenbacher Date: Sun Dec 4 16:50:41 2022 +0100 gfs2: Cosmetic gfs2_dinode_{in,out} cleanup commit 7db354444ad8429e660b0f8145d425285d4f90ff upstream. In each of the two functions, add an inode variable that points to &ip->i_inode and use that throughout the rest of the function. Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit f06de1bb6d61f0c18b0213bbc6298960037f9d42 Author: Minsuk Kang Date: Wed Nov 16 23:29:52 2022 +0900 wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads commit 4920ab131b2dbae7464b72bdcac465d070254209 upstream. This patch fixes slab-out-of-bounds reads in brcmfmac that occur in brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count value of channel specifications provided by the device is greater than the length of 'list->element[]', decided by the size of the 'list' allocated with kzalloc(). The patch adds checks that make the functions free the buffer and return -EINVAL if that is the case. Note that the negative return is handled by the caller, brcmf_setup_wiphybands() or brcmf_cfg80211_attach(). Found by a modified version of syzkaller. Crash Report from brcmf_construct_chaninfo(): ================================================================== BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430 Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896 CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: dump_stack_lvl+0x57/0x7d print_address_description.constprop.0.cold+0x93/0x334 kasan_report.cold+0x83/0xdf brcmf_setup_wiphybands+0x1238/0x1430 brcmf_cfg80211_attach+0x2118/0x3fd0 brcmf_attach+0x389/0xd40 brcmf_usb_probe+0x12de/0x1690 usb_probe_interface+0x25f/0x710 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 bus_for_each_drv+0x123/0x1a0 __device_attach+0x207/0x330 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 usb_set_configuration+0x984/0x1770 usb_generic_driver_probe+0x69/0x90 usb_probe_device+0x9c/0x220 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 bus_for_each_drv+0x123/0x1a0 __device_attach+0x207/0x330 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 usb_new_device.cold+0x463/0xf66 hub_event+0x10d5/0x3330 process_one_work+0x873/0x13e0 worker_thread+0x8b/0xd10 kthread+0x379/0x450 ret_from_fork+0x1f/0x30 Allocated by task 1896: kasan_save_stack+0x1b/0x40 __kasan_kmalloc+0x7c/0x90 kmem_cache_alloc_trace+0x19e/0x330 brcmf_setup_wiphybands+0x290/0x1430 brcmf_cfg80211_attach+0x2118/0x3fd0 brcmf_attach+0x389/0xd40 brcmf_usb_probe+0x12de/0x1690 usb_probe_interface+0x25f/0x710 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 bus_for_each_drv+0x123/0x1a0 __device_attach+0x207/0x330 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 usb_set_configuration+0x984/0x1770 usb_generic_driver_probe+0x69/0x90 usb_probe_device+0x9c/0x220 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 bus_for_each_drv+0x123/0x1a0 __device_attach+0x207/0x330 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 usb_new_device.cold+0x463/0xf66 hub_event+0x10d5/0x3330 process_one_work+0x873/0x13e0 worker_thread+0x8b/0xd10 kthread+0x379/0x450 ret_from_fork+0x1f/0x30 The buggy address belongs to the object at ffff888115f24000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1536 bytes inside of 2048-byte region [ffff888115f24000, ffff888115f24800) Memory state around the buggy address: ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Crash Report from brcmf_enable_bw40_2g(): ================================================================== BUG: KASAN: slab-out-of-bounds in brcmf_cfg80211_attach+0x3d11/0x3fd0 Read of size 4 at addr ffff888103787600 by task kworker/0:2/1896 CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: dump_stack_lvl+0x57/0x7d print_address_description.constprop.0.cold+0x93/0x334 kasan_report.cold+0x83/0xdf brcmf_cfg80211_attach+0x3d11/0x3fd0 brcmf_attach+0x389/0xd40 brcmf_usb_probe+0x12de/0x1690 usb_probe_interface+0x25f/0x710 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 bus_for_each_drv+0x123/0x1a0 __device_attach+0x207/0x330 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 usb_set_configuration+0x984/0x1770 usb_generic_driver_probe+0x69/0x90 usb_probe_device+0x9c/0x220 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 bus_for_each_drv+0x123/0x1a0 __device_attach+0x207/0x330 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 usb_new_device.cold+0x463/0xf66 hub_event+0x10d5/0x3330 process_one_work+0x873/0x13e0 worker_thread+0x8b/0xd10 kthread+0x379/0x450 ret_from_fork+0x1f/0x30 Allocated by task 1896: kasan_save_stack+0x1b/0x40 __kasan_kmalloc+0x7c/0x90 kmem_cache_alloc_trace+0x19e/0x330 brcmf_cfg80211_attach+0x3302/0x3fd0 brcmf_attach+0x389/0xd40 brcmf_usb_probe+0x12de/0x1690 usb_probe_interface+0x25f/0x710 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 bus_for_each_drv+0x123/0x1a0 __device_attach+0x207/0x330 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 usb_set_configuration+0x984/0x1770 usb_generic_driver_probe+0x69/0x90 usb_probe_device+0x9c/0x220 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 bus_for_each_drv+0x123/0x1a0 __device_attach+0x207/0x330 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 usb_new_device.cold+0x463/0xf66 hub_event+0x10d5/0x3330 process_one_work+0x873/0x13e0 worker_thread+0x8b/0xd10 kthread+0x379/0x450 ret_from_fork+0x1f/0x30 The buggy address belongs to the object at ffff888103787000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1536 bytes inside of 2048-byte region [ffff888103787000, ffff888103787800) Memory state around the buggy address: ffff888103787500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888103787580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888103787600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888103787680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888103787700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Reported-by: Dokyung Song Reported-by: Jisoo Jang Reported-by: Minsuk Kang Reviewed-by: Arend van Spriel Signed-off-by: Minsuk Kang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221116142952.518241-1-linuxlovemin@yonsei.ac.kr Signed-off-by: Greg Kroah-Hartman commit 5b25035fb888cb2f78bf0b9c9f95b1dc54480d36 Author: Chao Yu Date: Tue Nov 15 00:08:47 2022 +0800 f2fs: fix to do sanity check on i_extra_isize in is_alive() commit d3b7b4afd6b2c344eabf9cc26b8bfa903c164c7c upstream. syzbot found a f2fs bug: BUG: KASAN: slab-out-of-bounds in data_blkaddr fs/f2fs/f2fs.h:2891 [inline] BUG: KASAN: slab-out-of-bounds in is_alive fs/f2fs/gc.c:1117 [inline] BUG: KASAN: slab-out-of-bounds in gc_data_segment fs/f2fs/gc.c:1520 [inline] BUG: KASAN: slab-out-of-bounds in do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734 Read of size 4 at addr ffff888076557568 by task kworker/u4:3/52 CPU: 1 PID: 52 Comm: kworker/u4:3 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: writeback wb_workfn (flush-7:0) Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x45d mm/kasan/report.c:395 kasan_report+0xbb/0x1f0 mm/kasan/report.c:495 data_blkaddr fs/f2fs/f2fs.h:2891 [inline] is_alive fs/f2fs/gc.c:1117 [inline] gc_data_segment fs/f2fs/gc.c:1520 [inline] do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734 f2fs_gc+0x88c/0x20a0 fs/f2fs/gc.c:1831 f2fs_balance_fs+0x544/0x6b0 fs/f2fs/segment.c:410 f2fs_write_inode+0x57e/0xe20 fs/f2fs/inode.c:753 write_inode fs/fs-writeback.c:1440 [inline] __writeback_single_inode+0xcfc/0x1440 fs/fs-writeback.c:1652 writeback_sb_inodes+0x54d/0xf90 fs/fs-writeback.c:1870 wb_writeback+0x2c5/0xd70 fs/fs-writeback.c:2044 wb_do_writeback fs/fs-writeback.c:2187 [inline] wb_workfn+0x2dc/0x12f0 fs/fs-writeback.c:2227 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 The root cause is that we forgot to do sanity check on .i_extra_isize in below path, result in accessing invalid address later, fix it. - gc_data_segment - is_alive - data_blkaddr - offset_in_addr Reported-by: syzbot+f8f3dfa4abc489e768a1@syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-f2fs-devel/0000000000003cb3c405ed5c17f9@google.com/T/#u Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 1b4c08844628dfc8d72d3f51b657f2a5e63b7b4b Author: Dongliang Mu Date: Fri Nov 11 13:49:49 2022 +0800 fbdev: smscufx: fix error handling code in ufx_usb_probe commit b76449ee75e21acfe9fa4c653d8598f191ed7d68 upstream. The current error handling code in ufx_usb_probe have many unmatching issues, e.g., missing ufx_free_usb_list, destroy_modedb label should only include framebuffer_release, fb_dealloc_cmap only matches fb_alloc_cmap. My local syzkaller reports a memory leak bug: memory leak in ufx_usb_probe BUG: memory leak unreferenced object 0xffff88802f879580 (size 128): comm "kworker/0:7", pid 17416, jiffies 4295067474 (age 46.710s) hex dump (first 32 bytes): 80 21 7c 2e 80 88 ff ff 18 d0 d0 0c 80 88 ff ff .!|............. 00 d0 d0 0c 80 88 ff ff e0 ff ff ff 0f 00 00 00 ................ backtrace: [] kmalloc_trace+0x20/0x90 mm/slab_common.c:1045 [] kmalloc include/linux/slab.h:553 [inline] [] kzalloc include/linux/slab.h:689 [inline] [] ufx_alloc_urb_list drivers/video/fbdev/smscufx.c:1873 [inline] [] ufx_usb_probe+0x11c/0x15a0 drivers/video/fbdev/smscufx.c:1655 [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [] call_driver_probe drivers/base/dd.c:560 [inline] [] really_probe+0x12d/0x390 drivers/base/dd.c:639 [] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778 [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:808 [] __device_attach_driver+0xf7/0x150 drivers/base/dd.c:936 [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 [] __device_attach+0x105/0x2d0 drivers/base/dd.c:1008 [] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 [] device_add+0x642/0xdc0 drivers/base/core.c:3517 [] usb_set_configuration+0x8ef/0xb80 drivers/usb/core/message.c:2170 [] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 [] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 [] call_driver_probe drivers/base/dd.c:560 [inline] [] really_probe+0x12d/0x390 drivers/base/dd.c:639 [] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778 Fix this bug by rewriting the error handling code in ufx_usb_probe. Reported-by: syzkaller Tested-by: Dongliang Mu Signed-off-by: Dongliang Mu Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit ddeff03bb33810fcf2f0c18e03d099cf0aacda62 Author: Tetsuo Handa Date: Wed Nov 9 07:04:42 2022 +0900 f2fs: initialize locks earlier in f2fs_fill_super() commit 92b4cf5b48955a4bdd15fe4e2067db8ebd87f04c upstream. syzbot is reporting lockdep warning at f2fs_handle_error() [1], for spin_lock(&sbi->error_lock) is called before spin_lock_init() is called. For safe locking in error handling, move initialization of locks (and obvious structures) in f2fs_fill_super() to immediately after memory allocation. Link: https://syzkaller.appspot.com/bug?extid=40642be9b7e0bb28e0df [1] Reported-by: syzbot Signed-off-by: Tetsuo Handa Tested-by: syzbot Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 07a96977b2f462337a9121302de64277b8747ab1 Author: Kees Cook Date: Sat Sep 24 00:33:15 2022 -0700 ovl: Use "buf" flexible array for memcpy() destination commit cf8aa9bf97cadf85745506c6a3e244b22c268d63 upstream. The "buf" flexible array needs to be the memcpy() destination to avoid false positive run-time warning from the recent FORTIFY_SOURCE hardening: memcpy: detected field-spanning write (size 93) of single field "&fh->fb" at fs/overlayfs/export.c:799 (size 21) Reported-by: syzbot+9d14351a171d0d1c7955@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/000000000000763a6c05e95a5985@google.com/ Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 543bba3be262803c13678401a925e45003f26e7a Author: Abdun Nihaal Date: Tue Oct 4 08:45:02 2022 +0530 fs/ntfs3: Validate attribute data and valid sizes commit 019d22eb0eb707fc099e6e8fad9b3933236a06d0 upstream. The data_size and valid_size fields of non resident attributes should be less than the its alloc_size field, but this is not checked in ntfs_read_mft function. Syzbot reports a allocation order warning due to a large unchecked value of data_size getting assigned to inode->i_size which is then passed to kcalloc. Add sanity check for ensuring that the data_size and valid_size fields are not larger than alloc_size field. Link: https://syzkaller.appspot.com/bug?extid=fa4648a5446460b7b963 Reported-and-tested-by: syzbot+fa4648a5446460b7b963@syzkaller.appspotmail.com Fixes: (82cae269cfa95) fs/ntfs3: Add initialization of super block Signed-off-by: Abdun Nihaal Signed-off-by: Konstantin Komarov Signed-off-by: Greg Kroah-Hartman commit 0153009a7e6500bec259ac1d2dabf64aa6aef616 Author: Michael Ellerman Date: Mon Jan 30 12:44:01 2023 +1100 powerpc/imc-pmu: Revert nest_init_lock to being a mutex commit ad53db4acb415976761d7302f5b02e97f2bd097e upstream. The recent commit 76d588dddc45 ("powerpc/imc-pmu: Fix use of mutex in IRQs disabled section") fixed warnings (and possible deadlocks) in the IMC PMU driver by converting the locking to use spinlocks. It also converted the init-time nest_init_lock to a spinlock, even though it's not used at runtime in IRQ disabled sections or while holding other spinlocks. This leads to warnings such as: BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:49 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0 preempt_count: 1, expected: 0 CPU: 7 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc2-14719-gf12cd06109f4-dirty #1 Hardware name: Mambo,Simulated-System POWER9 0x4e1203 opal:v6.6.6 PowerNV Call Trace: dump_stack_lvl+0x74/0xa8 (unreliable) __might_resched+0x178/0x1a0 __cpuhp_setup_state+0x64/0x1e0 init_imc_pmu+0xe48/0x1250 opal_imc_counters_probe+0x30c/0x6a0 platform_probe+0x78/0x110 really_probe+0x104/0x420 __driver_probe_device+0xb0/0x170 driver_probe_device+0x58/0x180 __driver_attach+0xd8/0x250 bus_for_each_dev+0xb4/0x140 driver_attach+0x34/0x50 bus_add_driver+0x1e8/0x2d0 driver_register+0xb4/0x1c0 __platform_driver_register+0x38/0x50 opal_imc_driver_init+0x2c/0x40 do_one_initcall+0x80/0x360 kernel_init_freeable+0x310/0x3b8 kernel_init+0x30/0x1a0 ret_from_kernel_thread+0x5c/0x64 Fix it by converting nest_init_lock back to a mutex, so that we can call sleeping functions while holding it. There is no interaction between nest_init_lock and the runtime spinlocks used by the actual PMU routines. Fixes: 76d588dddc45 ("powerpc/imc-pmu: Fix use of mutex in IRQs disabled section") Tested-by: Kajol Jain Reviewed-by: Kajol Jain Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230130014401.540543-1-mpe@ellerman.id.au Signed-off-by: Greg Kroah-Hartman commit 5a9fe6b7f4c1e95cd1515f77fc7b5b1897c95418 Author: Nicholas Piggin Date: Sat Jan 21 19:53:52 2023 +1000 powerpc/64s: Fix local irq disable when PMIs are disabled commit bc88ef663265676419555df2dc469a471c0add31 upstream. When PMI interrupts are soft-masked, local_irq_save() will clear the PMI mask bit, allowing PMIs in and causing a race condition. This causes a deadlock in native_hpte_insert via hash_preload, which depends on PMIs being disabled since commit 8b91cee5eadd ("powerpc/64s/hash: Make hash faults work in NMI context"). native_hpte_insert calls local_irq_save(). It's possible the lpar hash code is also affected when tracing is enabled because __trace_hcall_entry() calls local_irq_save(). Fix this by making arch_local_irq_save() _or_ the IRQS_DISABLED bit into the mask. This was found with the stress_hpt option with a kbuild workload running together with `perf record -g`. Fixes: f442d004806e ("powerpc/64s: Add support to mask perf interrupts and replay them") Fixes: 8b91cee5eadd ("powerpc/64s/hash: Make hash faults work in NMI context") Signed-off-by: Nicholas Piggin [mpe: Just take the fix without the new warning] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230121095352.2823517-1-npiggin@gmail.com Signed-off-by: Greg Kroah-Hartman commit 18bac7de245975a3be98c02069504f18099a7705 Author: Michael Ellerman Date: Tue Jan 10 23:47:52 2023 +1100 powerpc/64s/radix: Fix crash with unaligned relocated kernel commit 98d0219e043e09013e883eacde3b93e0b2bf944d upstream. If a relocatable kernel is loaded at an address that is not 2MB aligned and told not to relocate to zero, the kernel can crash due to mark_rodata_ro() incorrectly changing some read-write data to read-only. Scenarios where the misalignment can occur are when the kernel is loaded by kdump or using the RELOCATABLE_TEST config option. Example crash with the kernel loaded at 5MB: Run /sbin/init as init process BUG: Unable to handle kernel data access on write at 0xc000000000452000 Faulting instruction address: 0xc0000000005b6730 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries CPU: 1 PID: 1 Comm: init Not tainted 6.2.0-rc1-00011-g349188be4841 #166 Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,git-5b4c5a hv:linux,kvm pSeries NIP: c0000000005b6730 LR: c000000000ae9ab8 CTR: 0000000000000380 REGS: c000000004503250 TRAP: 0300 Not tainted (6.2.0-rc1-00011-g349188be4841) MSR: 8000000000009033 CR: 44288480 XER: 00000000 CFAR: c0000000005b66ec DAR: c000000000452000 DSISR: 0a000000 IRQMASK: 0 ... NIP memset+0x68/0x104 LR zero_user_segments.constprop.0+0xa8/0xf0 Call Trace: ext4_mpage_readpages+0x7f8/0x830 ext4_readahead+0x48/0x60 read_pages+0xb8/0x380 page_cache_ra_unbounded+0x19c/0x250 filemap_fault+0x58c/0xae0 __do_fault+0x60/0x100 __handle_mm_fault+0x1230/0x1a40 handle_mm_fault+0x120/0x300 ___do_page_fault+0x20c/0xa80 do_page_fault+0x30/0xc0 data_access_common_virt+0x210/0x220 This happens because mark_rodata_ro() tries to change permissions on the range _stext..__end_rodata, but _stext sits in the middle of the 2MB page from 4MB to 6MB: radix-mmu: Mapped 0x0000000000000000-0x0000000000200000 with 2.00 MiB pages (exec) radix-mmu: Mapped 0x0000000000200000-0x0000000000400000 with 2.00 MiB pages radix-mmu: Mapped 0x0000000000400000-0x0000000002400000 with 2.00 MiB pages (exec) The logic that changes the permissions assumes the linear mapping was split correctly at boot, so it marks the entire 2MB page read-only. That leads to the write fault above. To fix it, the boot time mapping logic needs to consider that if the kernel is running at a non-zero address then _stext is a boundary where it must split the mapping. That leads to the mapping being split correctly, allowing the rodata permission change to take happen correctly, with no spillover: radix-mmu: Mapped 0x0000000000000000-0x0000000000200000 with 2.00 MiB pages (exec) radix-mmu: Mapped 0x0000000000200000-0x0000000000400000 with 2.00 MiB pages radix-mmu: Mapped 0x0000000000400000-0x0000000000500000 with 64.0 KiB pages radix-mmu: Mapped 0x0000000000500000-0x0000000000600000 with 64.0 KiB pages (exec) radix-mmu: Mapped 0x0000000000600000-0x0000000002400000 with 2.00 MiB pages (exec) If the kernel is loaded at a 2MB aligned address, the mapping continues to use 2MB pages as before: radix-mmu: Mapped 0x0000000000000000-0x0000000000200000 with 2.00 MiB pages (exec) radix-mmu: Mapped 0x0000000000200000-0x0000000000400000 with 2.00 MiB pages radix-mmu: Mapped 0x0000000000400000-0x0000000002c00000 with 2.00 MiB pages (exec) radix-mmu: Mapped 0x0000000002c00000-0x0000000100000000 with 2.00 MiB pages Fixes: c55d7b5e6426 ("powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230110124753.1325426-1-mpe@ellerman.id.au Signed-off-by: Greg Kroah-Hartman commit 54fb38bcaaa04fe8afb284b224a1a2e7d153b880 Author: Andreas Kemnade Date: Sat Dec 17 23:13:05 2022 +0100 iio:adc:twl6030: Enable measurement of VAC commit bffb7d9d1a3dbd09e083b88aefd093b3b10abbfb upstream. VAC needs to be wired up to produce proper measurements, without this change only near zero values are reported. Reported-by: kernel test robot Reported-by: Julia Lawall Fixes: 1696f36482e7 ("iio: twl6030-gpadc: TWL6030, TWL6032 GPADC driver") Signed-off-by: Andreas Kemnade Link: https://lore.kernel.org/r/20221217221305.671117-1-andreas@kemnade.info Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit f6c0ebc10c0b988dcd175789b478edf81446f2b7 Author: Peter Ujfalusi Date: Fri Jan 20 12:21:25 2023 +0200 ASoC: SOF: sof-audio: prepare_widgets: Check swidget for NULL on sink failure commit fb4293600cc651cfe4d48ec489f1d175adf6e2f8 upstream. If the swidget is NULL we skip the preparing of the widget and jump to handle the sink path of the widget. If the prepare fails in this case we would undo the prepare but the swidget is NULL (we skipped the prepare for the widget). To avoid NULL pointer dereference in this case we must check swidget against NULL pointer once again. Fixes: 0ad84b11f2f8 ("ASoC: SOF: sof-audio: skip prepare/unprepare if swidget is NULL") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Peter Ujfalusi Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230120102125.30653-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 02b9d653531d1fc26ab7bbcb093a113b0c376763 Author: Arnd Bergmann Date: Fri Jan 27 10:39:44 2023 +0100 platform/x86/amd: pmc: add CONFIG_SERIO dependency commit abce209d18fd26e865b2406cc68819289db973f9 upstream. Using the serio subsystem now requires the code to be reachable: x86_64-linux-ld: drivers/platform/x86/amd/pmc.o: in function `amd_pmc_suspend_handler': pmc.c:(.text+0x86c): undefined reference to `serio_bus' Add the usual dependency: as other users of serio use 'select' rather than 'depends on', use the same here. Fixes: 8e60615e8932 ("platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20230127093950.2368575-1-arnd@kernel.org Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit 9d25aea2ab4fe328e3129cc30f9e46688c404d43 Author: Ilpo Järvinen Date: Mon Jan 30 13:48:41 2023 +0200 serial: 8250_dma: Fix DMA Rx rearm race commit 57e9af7831dcf211c5c689c2a6f209f4abdf0bce upstream. As DMA Rx can be completed from two places, it is possible that DMA Rx completes before DMA completion callback had a chance to complete it. Once the previous DMA Rx has been completed, a new one can be started on the next UART interrupt. The following race is possible (uart_unlock_and_check_sysrq_irqrestore() replaced with spin_unlock_irqrestore() for simplicity/clarity): CPU0 CPU1 dma_rx_complete() serial8250_handle_irq() spin_lock_irqsave(&port->lock) handle_rx_dma() serial8250_rx_dma_flush() __dma_rx_complete() dma->rx_running = 0 // Complete DMA Rx spin_unlock_irqrestore(&port->lock) serial8250_handle_irq() spin_lock_irqsave(&port->lock) handle_rx_dma() serial8250_rx_dma() dma->rx_running = 1 // Setup a new DMA Rx spin_unlock_irqrestore(&port->lock) spin_lock_irqsave(&port->lock) // sees dma->rx_running = 1 __dma_rx_complete() dma->rx_running = 0 // Incorrectly complete // running DMA Rx This race seems somewhat theoretical to occur for real but handle it correctly regardless. Check what is the DMA status before complething anything in __dma_rx_complete(). Reported-by: Gilles BULOZ Tested-by: Gilles BULOZ Fixes: 9ee4b83e51f7 ("serial: 8250: Add support for dmaengine") Cc: stable@vger.kernel.org Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20230130114841.25749-3-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit bd8d2ba9d9e0afd987764fd94a532b683a793d00 Author: Ilpo Järvinen Date: Mon Jan 30 13:48:40 2023 +0200 serial: 8250_dma: Fix DMA Rx completion race commit 31352811e13dc2313f101b890fd4b1ce760b5fe7 upstream. __dma_rx_complete() is called from two places: - Through the DMA completion callback dma_rx_complete() - From serial8250_rx_dma_flush() after IIR_RLSI or IIR_RX_TIMEOUT The former does not hold port's lock during __dma_rx_complete() which allows these two to race and potentially insert the same data twice. Extend port's lock coverage in dma_rx_complete() to prevent the race and check if the DMA Rx is still pending completion before calling into __dma_rx_complete(). Reported-by: Gilles BULOZ Tested-by: Gilles BULOZ Fixes: 9ee4b83e51f7 ("serial: 8250: Add support for dmaengine") Cc: stable@vger.kernel.org Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20230130114841.25749-2-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 5f3dedbc3bf483377d39ef2e83ecf1f8723dc220 Author: Johan Hovold Date: Mon Nov 14 09:13:45 2022 +0100 phy: qcom-qmp-combo: fix runtime suspend commit c7b98de745cffdceefc077ad5cf9cda032ef8959 upstream. Drop the confused runtime-suspend type check which effectively broke runtime PM if the DP child node happens to be parsed before the USB child node during probe (e.g. due to order of child nodes in the devicetree). Instead use the new driver data USB PHY pointer to access the USB configuration and resources. Fixes: 52e013d0bffa ("phy: qcom-qmp: Add support for DP in USB3+DP combo phy") Reviewed-by: Dmitry Baryshkov Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20221114081346.5116-6-johan+linaro@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 5288d522a9879a5ea71a8a1cd76df78f39e7a675 Author: Russell King (Oracle) Date: Fri Jan 27 10:40:14 2023 +0000 nvmem: core: fix return value commit 0c4862b1c1465e473bc961a02765490578bf5c20 upstream. Dan Carpenter points out that the return code was not set in commit 60c8b4aebd8e ("nvmem: core: fix cleanup after dev_set_name()"), but this is not the only issue - we also need to zero wp_gpio to prevent gpiod_put() being called on an error value. Fixes: 560181d3ace6 ("nvmem: core: fix cleanup after dev_set_name()") Cc: stable@vger.kernel.org Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Russell King (Oracle) Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-10-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 1dcd68c9cc5c2f7a055dc8c2cbb5a3e4bf268c16 Author: Michael Walle Date: Fri Jan 27 10:40:13 2023 +0000 nvmem: core: fix cell removal on error commit db3546d58b5a0fa581d9c9f2bdc2856fa6c5e43e upstream. nvmem_add_cells() could return an error after some cells are already added to the provider. In this case, the added cells are not removed. Remove any registered cells if nvmem_add_cells() fails. Fixes: fa72d847d68d7 ("nvmem: check the return value of nvmem_add_cells()") Cc: stable@vger.kernel.org Signed-off-by: Michael Walle Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-9-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit d78f5d46fc2a43aae0d9509bcbcb495a7c67a54d Author: Michael Walle Date: Fri Jan 27 10:40:12 2023 +0000 nvmem: core: fix device node refcounting commit edcf2fb660526b5ed29f93bd17328a2b4835c8b2 upstream. In of_nvmem_cell_get(), of_get_next_parent() is used on cell_np. This will decrement the refcount on cell_np, but cell_np is still used later in the code. Use of_get_parent() instead and of_node_put() in the appropriate places. Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers") Fixes: 7ae6478b304b ("nvmem: core: rework nvmem cell instance creation") Cc: stable@vger.kernel.org Signed-off-by: Michael Walle Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-8-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 897dfd346223fed415d7d7e6644982166a60e727 Author: Russell King (Oracle) Date: Fri Jan 27 10:40:11 2023 +0000 nvmem: core: fix registration vs use race commit ab3428cfd9aa2f3463ee4b2909b5bb2193bd0c4a upstream. The i.MX6 CPU frequency driver sometimes fails to register at boot time due to nvmem_cell_read_u32() sporadically returning -ENOENT. This happens because there is a window where __nvmem_device_get() in of_nvmem_cell_get() is able to return the nvmem device, but as cells have been setup, nvmem_find_cell_entry_by_node() returns NULL. The occurs because the nvmem core registration code violates one of the fundamental principles of kernel programming: do not publish data structures before their setup is complete. Fix this by making nvmem core code conform with this principle. Fixes: eace75cfdcf7 ("nvmem: Add a simple NVMEM framework for nvmem providers") Cc: stable@vger.kernel.org Signed-off-by: Russell King (Oracle) Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-7-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 39708bc8da7858de0bed9b3a88b3beb1d1e0b443 Author: Russell King (Oracle) Date: Fri Jan 27 10:40:10 2023 +0000 nvmem: core: fix cleanup after dev_set_name() commit 560181d3ace61825f4ca9dd3481d6c0ee6709fa8 upstream. If dev_set_name() fails, we leak nvmem->wp_gpio as the cleanup does not put this. While a minimal fix for this would be to add the gpiod_put() call, we can do better if we split device_register(), and use the tested nvmem_release() cleanup code by initialising the device early, and putting the device. This results in a slightly larger fix, but results in clear code. Note: this patch depends on "nvmem: core: initialise nvmem->id early" and "nvmem: core: remove nvmem_config wp_gpio". Fixes: 5544e90c8126 ("nvmem: core: add error handling for dev_set_name") Cc: stable@vger.kernel.org Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Russell King (Oracle) [Srini: Fixed subject line and error code handing with wp_gpio while applying.] Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-6-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 1e2a745a896ec220a9f22f000f64f0f778991414 Author: Russell King (Oracle) Date: Fri Jan 27 10:40:09 2023 +0000 nvmem: core: remove nvmem_config wp_gpio commit 569653f022a29a1a44ea9de5308b657228303fa5 upstream. No one provides wp_gpio, so let's remove it to avoid issues with the nvmem core putting this gpio. Cc: stable@vger.kernel.org Signed-off-by: Russell King (Oracle) Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-5-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 28829e5f1c88a07dfbc435187df42ce9e173ccb7 Author: Russell King (Oracle) Date: Fri Jan 27 10:40:08 2023 +0000 nvmem: core: initialise nvmem->id early commit 3bd747c7ea13cb145f0d84444e00df928b0842d9 upstream. The error path for wp_gpio attempts to free the IDA nvmem->id, but this has yet to be assigned, so will always be zero - leaking the ID allocated by ida_alloc(). Fix this by moving the initialisation of nvmem->id earlier. Fixes: f7d8d7dcd978 ("nvmem: fix memory leak in error path") Cc: stable@vger.kernel.org Signed-off-by: Russell King (Oracle) Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-4-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 86dbbc8f6ba705b82c0e6daf5c2fed993665dc1a Author: Graham Sider Date: Mon Jan 16 10:43:11 2023 -0500 drm/amdgpu: update wave data type to 3 for gfx11 commit ed8e793c65e4c6633e8577e40d574da8a56d2e0f upstream. SQ_WAVE_INST_DW0 isn't present on gfx11 compared to gfx10, so update wave data type to signify a difference. Signed-off-by: Graham Sider Reviewed-by: Mukul Joshi Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x Signed-off-by: Greg Kroah-Hartman commit 91ef43f6b65b5aea03e71d70bb510efc61637ff6 Author: Tim Huang Date: Sat Jan 21 10:35:04 2023 +0800 drm/amd/pm: drop unneeded dpm features disablement for SMU 13.0.4/11 commit 1538709c9f1c207d30afd95ea41b3aeb973f67e7 upstream. PMFW will handle the features disablement properly for gpu reset case, driver involvement may cause some unexpected issues. Cc: stable@vger.kernel.org # 6.1 Signed-off-by: Tim Huang Reviewed-by: Yifan Zhang Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 814d83a710e8309d989fafc163656a68f2acaef4 Author: Mario Limonciello Date: Mon Jan 30 10:16:06 2023 -0600 drm/amd: Fix initialization for nbio 4.3.0 commit 5048fa1ebf89d03cf0ceca13fab8f800399e9ee3 upstream. A mistake has been made on some boards with NBIO 4.3.0 where some NBIO registers aren't properly set by the hardware. Ensure that they're set during initialization. Cc: Natikar Basavaraj Tested-by: Satyanarayana ReddyTVN Tested-by: Rutvij Gajjar Signed-off-by: Mario Limonciello Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x Signed-off-by: Greg Kroah-Hartman commit 0769f997a7b6d5cb8336db0b4ec3d2d311b8097c Author: Rob Clark Date: Fri Jan 27 12:05:31 2023 -0800 drm/i915: Fix potential bit_17 double-free commit 7057a8f126f14f14b040faecfa220fd27c6c2f85 upstream. A userspace with multiple threads racing I915_GEM_SET_TILING to set the tiling to I915_TILING_NONE could trigger a double free of the bit_17 bitmask. (Or conversely leak memory on the transition to tiled.) Move allocation/free'ing of the bitmask within the section protected by the obj lock. Signed-off-by: Rob Clark Fixes: 2850748ef876 ("drm/i915: Pull i915_vma_pin under the vm->mutex") Cc: # v5.5+ [tursulin: Correct fixes tag and added cc stable.] Reviewed-by: Tvrtko Ursulin Signed-off-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20230127200550.3531984-1-robdclark@gmail.com (cherry picked from commit 10e0cbaaf1104f449d695c80bcacf930dcd3c42e) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit 764accc2c1b8fd1507be2e7f436c94cdce887a00 Author: Rob Clark Date: Thu Jan 19 09:32:58 2023 -0800 drm/i915: Avoid potential vm use-after-free commit 41d419382ec7e257e54b7b6ff0d3623aafb1316d upstream. Adding the vm to the vm_xa table makes it visible to userspace, which could try to race with us to close the vm. So we need to take our extra reference before putting it in the table. Signed-off-by: Rob Clark Reviewed-by: Matthew Auld Fixes: 9ec8795e7d91 ("drm/i915: Drop __rcu from gem_context->vm") Cc: # v5.16+ Signed-off-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20230119173321.2825472-1-robdclark@gmail.com (cherry picked from commit 99343c46d4e2b34c285d3d5f68ff04274c2f9fb4) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit 52c6d3a84a3ece73ad02cfc65a965026450e580f Author: Marek Vasut Date: Fri Jan 20 17:03:32 2023 +0100 serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler commit 3f6c02fa712bd453871877fe1d1969625617471e upstream. Requesting an interrupt with IRQF_ONESHOT will run the primary handler in the hard-IRQ context even in the force-threaded mode. The force-threaded mode is used by PREEMPT_RT in order to avoid acquiring sleeping locks (spinlock_t) in hard-IRQ context. This combination makes it impossible and leads to "sleeping while atomic" warnings. Use one interrupt handler for both handlers (primary and secondary) and drop the IRQF_ONESHOT flag which is not needed. Fixes: e359b4411c283 ("serial: stm32: fix threaded interrupt handling") Reviewed-by: Sebastian Andrzej Siewior Tested-by: Valentin Caron # V3 Signed-off-by: Marek Vasut Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230120160332.57930-1-marex@denx.de Signed-off-by: Greg Kroah-Hartman commit e48a8ad77be33119d3ca74bfb13bad9b8e1840c5 Author: Danilo Krummrich Date: Thu Jan 26 01:28:44 2023 +0100 dma-buf: actually set signaling bit for private stub fences commit d2ceea0eb6e17bb37d8b85cb4c16797c0d683d1c upstream. In dma_fence_allocate_private_stub() set the signaling bit of the newly allocated private stub fence rather than the signaling bit of the shared dma_fence_stub. Cc: # v6.1 Fixes: c85d00d4fd8b ("dma-buf: set signaling bit for the stub fence") Reviewed-by: Christian König Signed-off-by: Danilo Krummrich Link: https://patchwork.freedesktop.org/patch/msgid/20230126002844.339593-1-dakr@redhat.com Signed-off-by: Greg Kroah-Hartman commit d8b46cc1cf9b26d2411c63331d77815ce32959a0 Author: Mike Kravetz Date: Thu Jan 26 14:27:21 2023 -0800 migrate: hugetlb: check for hugetlb shared PMD in node migration commit 73bdf65ea74857d7fb2ec3067a3cec0e261b1462 upstream. migrate_pages/mempolicy semantics state that CAP_SYS_NICE is required to move pages shared with another process to a different node. page_mapcount > 1 is being used to determine if a hugetlb page is shared. However, a hugetlb page will have a mapcount of 1 if mapped by multiple processes via a shared PMD. As a result, hugetlb pages shared by multiple processes and mapped with a shared PMD can be moved by a process without CAP_SYS_NICE. To fix, check for a shared PMD if mapcount is 1. If a shared PMD is found consider the page shared. Link: https://lkml.kernel.org/r/20230126222721.222195-3-mike.kravetz@oracle.com Fixes: e2d8cf405525 ("migrate: add hugepage migration code to migrate_pages()") Signed-off-by: Mike Kravetz Acked-by: Peter Xu Acked-by: David Hildenbrand Cc: James Houghton Cc: Matthew Wilcox Cc: Michal Hocko Cc: Muchun Song Cc: Naoya Horiguchi Cc: Vishal Moola (Oracle) Cc: Yang Shi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 82587c0e2735b04a3d9426bee1635f10dfe2829b Author: Liam Howlett Date: Wed Jan 11 20:02:07 2023 +0000 maple_tree: fix mas_empty_area_rev() lower bound validation commit 7327e8111adb315423035fb5233533016dfd3f2e upstream. mas_empty_area_rev() was not correctly validating the start of a gap against the lower limit. This could lead to the range starting lower than the requested minimum. Fix the issue by better validating a gap once one is found. This commit also adds tests to the maple tree test suite for this issue and tests the mas_empty_area() function for similar bound checking. Link: https://lkml.kernel.org/r/20230111200136.1851322-1-Liam.Howlett@oracle.com Link: https://bugzilla.kernel.org/show_bug.cgi?id=216911 Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Liam R. Howlett Reported-by: Link: https://lore.kernel.org/linux-mm/0b9f5425-08d4-8013-aa4c-e620c3b10bb2@leemhuis.info/ Tested-by: Holger Hoffsttte Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit a7da7d01ac5ce9b369a1ac70e1197999cc6c9686 Author: Phillip Lougher Date: Fri Jan 27 06:18:42 2023 +0000 Squashfs: fix handling and sanity checking of xattr_ids count commit f65c4bbbd682b0877b669828b4e033b8d5d0a2dc upstream. A Sysbot [1] corrupted filesystem exposes two flaws in the handling and sanity checking of the xattr_ids count in the filesystem. Both of these flaws cause computation overflow due to incorrect typing. In the corrupted filesystem the xattr_ids value is 4294967071, which stored in a signed variable becomes the negative number -225. Flaw 1 (64-bit systems only): The signed integer xattr_ids variable causes sign extension. This causes variable overflow in the SQUASHFS_XATTR_*(A) macros. The variable is first multiplied by sizeof(struct squashfs_xattr_id) where the type of the sizeof operator is "unsigned long". On a 64-bit system this is 64-bits in size, and causes the negative number to be sign extended and widened to 64-bits and then become unsigned. This produces the very large number 18446744073709548016 or 2^64 - 3600. This number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0 (stored in len). Flaw 2 (32-bit systems only): On a 32-bit system the integer variable is not widened by the unsigned long type of the sizeof operator (32-bits), and the signedness of the variable has no effect due it always being treated as unsigned. The above corrupted xattr_ids value of 4294967071, when multiplied overflows and produces the number 4294963696 or 2^32 - 3400. This number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by SQUASHFS_METADATA_SIZE overflows again and produces a length of 0. The effect of the 0 length computation: In conjunction with the corrupted xattr_ids field, the filesystem also has a corrupted xattr_table_start value, where it matches the end of filesystem value of 850. This causes the following sanity check code to fail because the incorrectly computed len of 0 matches the incorrect size of the table reported by the superblock (0 bytes). len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids); indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids); /* * The computed size of the index table (len bytes) should exactly * match the table start and end points */ start = table_start + sizeof(*id_table); end = msblk->bytes_used; if (len != (end - start)) return ERR_PTR(-EINVAL); Changing the xattr_ids variable to be "usigned int" fixes the flaw on a 64-bit system. This relies on the fact the computation is widened by the unsigned long type of the sizeof operator. Casting the variable to u64 in the above macro fixes this flaw on a 32-bit system. It also means 64-bit systems do not implicitly rely on the type of the sizeof operator to widen the computation. [1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/ Link: https://lkml.kernel.org/r/20230127061842.10965-1-phillip@squashfs.org.uk Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") Signed-off-by: Phillip Lougher Reported-by: Cc: Alexey Khoroshilov Cc: Fedor Pchelkin Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit c4fd07cd5e7ecd18aacd295d4de7bb309c74f601 Author: James Morse Date: Tue Jan 17 15:16:32 2023 +0000 ia64: fix build error due to switch case label appearing next to declaration commit 6f28a2613497fc587e347afa99fa2c52230678a7 upstream. Since commit aa06a9bd8533 ("ia64: fix clock_getres(CLOCK_MONOTONIC) to report ITC frequency"), gcc 10.1.0 fails to build ia64 with the gnomic: | ../arch/ia64/kernel/sys_ia64.c: In function 'ia64_clock_getres': | ../arch/ia64/kernel/sys_ia64.c:189:3: error: a label can only be part of a statement and a declaration is not a statement | 189 | s64 tick_ns = DIV_ROUND_UP(NSEC_PER_SEC, local_cpu_data->itc_freq); This line appears immediately after a case label in a switch. Move the declarations out of the case, to the top of the function. Link: https://lkml.kernel.org/r/20230117151632.393836-1-james.morse@arm.com Fixes: aa06a9bd8533 ("ia64: fix clock_getres(CLOCK_MONOTONIC) to report ITC frequency") Signed-off-by: James Morse Reviewed-by: Sergei Trofimovich Cc: Émeric Maschino Cc: matoro Cc: John Paul Adrian Glaubitz Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit ef8a286338c4f3b1fc1be3cddbb99efab20f1445 Author: Matthew Wilcox (Oracle) Date: Thu Jan 26 20:07:27 2023 +0000 highmem: round down the address passed to kunmap_flush_on_unmap() commit 88d7b12068b95731c280af8ce88e8ee9561f96de upstream. We already round down the address in kunmap_local_indexed() which is the other implementation of __kunmap_local(). The only implementation of kunmap_flush_on_unmap() is PA-RISC which is expecting a page-aligned address. This may be causing PA-RISC to be flushing the wrong addresses currently. Link: https://lkml.kernel.org/r/20230126200727.1680362-1-willy@infradead.org Signed-off-by: Matthew Wilcox (Oracle) Fixes: 298fa1ad5571 ("highmem: Provide generic variant of kmap_atomic*") Reviewed-by: Ira Weiny Cc: "Fabio M. De Francesco" Cc: Al Viro Cc: Thomas Gleixner Cc: Helge Deller Cc: Alexander Potapenko Cc: Andrey Konovalov Cc: Bagas Sanjaya Cc: David Sterba Cc: Kees Cook Cc: Sebastian Andrzej Siewior Cc: Tony Luck Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 96aaaf8666010a39430cecf8a65c7ce2908a030f Author: Zach O'Keefe Date: Wed Jan 25 14:53:58 2023 -0800 mm/MADV_COLLAPSE: catch !none !huge !bad pmd lookups commit edb5d0cf5525357652aff6eacd9850b8ced07143 upstream. In commit 34488399fa08 ("mm/madvise: add file and shmem support to MADV_COLLAPSE") we make the following change to find_pmd_or_thp_or_none(): - if (!pmd_present(pmde)) - return SCAN_PMD_NULL; + if (pmd_none(pmde)) + return SCAN_PMD_NONE; This was for-use by MADV_COLLAPSE file/shmem codepaths, where MADV_COLLAPSE might identify a pte-mapped hugepage, only to have khugepaged race-in, free the pte table, and clear the pmd. Such codepaths include: A) If we find a suitably-aligned compound page of order HPAGE_PMD_ORDER already in the pagecache. B) In retract_page_tables(), if we fail to grab mmap_lock for the target mm/address. In these cases, collapse_pte_mapped_thp() really does expect a none (not just !present) pmd, and we want to suitably identify that case separate from the case where no pmd is found, or it's a bad-pmd (of course, many things could happen once we drop mmap_lock, and the pmd could plausibly undergo multiple transitions due to intervening fault, split, etc). Regardless, the code is prepared install a huge-pmd only when the existing pmd entry is either a genuine pte-table-mapping-pmd, or the none-pmd. However, the commit introduces a logical hole; namely, that we've allowed !none- && !huge- && !bad-pmds to be classified as genuine pte-table-mapping-pmds. One such example that could leak through are swap entries. The pmd values aren't checked again before use in pte_offset_map_lock(), which is expecting nothing less than a genuine pte-table-mapping-pmd. We want to put back the !pmd_present() check (below the pmd_none() check), but need to be careful to deal with subtleties in pmd transitions and treatments by various arch. The issue is that __split_huge_pmd_locked() temporarily clears the present bit (or otherwise marks the entry as invalid), but pmd_present() and pmd_trans_huge() still need to return true while the pmd is in this transitory state. For example, x86's pmd_present() also checks the _PAGE_PSE , riscv's version also checks the _PAGE_LEAF bit, and arm64 also checks a PMD_PRESENT_INVALID bit. Covering all 4 cases for x86 (all checks done on the same pmd value): 1) pmd_present() && pmd_trans_huge() All we actually know here is that the PSE bit is set. Either: a) We aren't racing with __split_huge_page(), and PRESENT or PROTNONE is set. => huge-pmd b) We are currently racing with __split_huge_page(). The danger here is that we proceed as-if we have a huge-pmd, but really we are looking at a pte-mapping-pmd. So, what is the risk of this danger? The only relevant path is: madvise_collapse() -> collapse_pte_mapped_thp() Where we might just incorrectly report back "success", when really the memory isn't pmd-backed. This is fine, since split could happen immediately after (actually) successful madvise_collapse(). So, it should be safe to just assume huge-pmd here. 2) pmd_present() && !pmd_trans_huge() Either: a) PSE not set and either PRESENT or PROTNONE is. => pte-table-mapping pmd (or PROT_NONE) b) devmap. This routine can be called immediately after unlocking/locking mmap_lock -- or called with no locks held (see khugepaged_scan_mm_slot()), so previous VMA checks have since been invalidated. 3) !pmd_present() && pmd_trans_huge() Not possible. 4) !pmd_present() && !pmd_trans_huge() Neither PRESENT nor PROTNONE set => not present I've checked all archs that implement pmd_trans_huge() (arm64, riscv, powerpc, longarch, x86, mips, s390) and this logic roughly translates (though devmap treatment is unique to x86 and powerpc, and (3) doesn't necessarily hold in general -- but that doesn't matter since !pmd_present() always takes failure path). Also, add a comment above find_pmd_or_thp_or_none() to help future travelers reason about the validity of the code; namely, the possible mutations that might happen out from under us, depending on how mmap_lock is held (if at all). Link: https://lkml.kernel.org/r/20230125225358.2576151-1-zokeefe@google.com Fixes: 34488399fa08 ("mm/madvise: add file and shmem support to MADV_COLLAPSE") Signed-off-by: Zach O'Keefe Reported-by: Hugh Dickins Reviewed-by: Yang Shi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 97f17a737270810c08b86a50feabbb5b6b6a3fbf Author: Vlastimil Babka Date: Tue Jan 17 11:19:39 2023 +0100 mm, mremap: fix mremap() expanding for vma's with vm_ops->close() commit d014cd7c1c358edc3ea82ebf327a036a42ed0164 upstream. Fabian has reported another regression in 6.1 due to ca3d76b0aa80 ("mm: add merging after mremap resize"). The problem is that vma_merge() can fail when vma has a vm_ops->close() method, causing is_mergeable_vma() test to be negative. This was happening for vma mapping a file from fuse-overlayfs, which does have the method. But when we are simply expanding the vma, we never remove it due to the "merge" with the added area, so the test should not prevent the expansion. As a quick fix, check for such vmas and expand them using vma_adjust() directly as was done before commit ca3d76b0aa80. For a more robust long term solution we should try to limit the check for vma_ops->close only to cases that actually result in vma removal, so that no merge would be prevented unnecessarily. [akpm@linux-foundation.org: fix indenting whitespace, reflow comment] Link: https://lkml.kernel.org/r/20230117101939.9753-1-vbabka@suse.cz Fixes: ca3d76b0aa80 ("mm: add merging after mremap resize") Signed-off-by: Vlastimil Babka Reported-by: Fabian Vogt Link: https://bugzilla.suse.com/show_bug.cgi?id=1206359#c35 Tested-by: Fabian Vogt Cc: Jakub Matěna Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit acb08187b5a83cdb9ac4112fae9e18cf983b0128 Author: Jann Horn Date: Wed Jan 11 14:33:51 2023 +0100 mm/khugepaged: fix ->anon_vma race commit 023f47a8250c6bdb4aebe744db4bf7f73414028b upstream. If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires it to be locked. Page table traversal is allowed under any one of the mmap lock, the anon_vma lock (if the VMA is associated with an anon_vma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retract_page_tables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains). If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them. Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access. Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access. Link: https://lore.kernel.org/linux-mm/CAG48ez3434wZBKFFbdx4M9j6eUwSUVPd4dxhzW_k_POneSDF+A@mail.gmail.com/ Link: https://lkml.kernel.org/r/20230111133351.807024-1-jannh@google.com Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") Signed-off-by: Jann Horn Reported-by: Zach O'Keefe Acked-by: Kirill A. Shutemov Reviewed-by: Yang Shi Cc: David Hildenbrand Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 49178d4d61e78aed8c837dfeea8a450700f196e2 Author: Longlong Xia Date: Sat Jan 28 09:47:57 2023 +0000 mm/swapfile: add cond_resched() in get_swap_pages() commit 7717fc1a12f88701573f9ed897cc4f6699c661e3 upstream. The softlockup still occurs in get_swap_pages() under memory pressure. 64 CPU cores, 64GB memory, and 28 zram devices, the disksize of each zram device is 50MB with same priority as si. Use the stress-ng tool to increase memory pressure, causing the system to oom frequently. The plist_for_each_entry_safe() loops in get_swap_pages() could reach tens of thousands of times to find available space (extreme case: cond_resched() is not called in scan_swap_map_slots()). Let's add cond_resched() into get_swap_pages() when failed to find available space to avoid softlockup. Link: https://lkml.kernel.org/r/20230128094757.1060525-1-xialonglong1@huawei.com Signed-off-by: Longlong Xia Reviewed-by: "Huang, Ying" Cc: Chen Wandun Cc: Huang Ying Cc: Kefeng Wang Cc: Nanyong Sun Cc: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 2d11727655bf931776fb541f5862daf04bd5bf02 Author: Peter Xu Date: Wed Dec 14 15:04:52 2022 -0500 mm/uffd: fix pte marker when fork() without fork event commit 49d6d7fb631345b0f2957a7c4be24ad63903150f upstream. Patch series "mm: Fixes on pte markers". Patch 1 resolves the syzkiller report from Pengfei. Patch 2 further harden pte markers when used with the recent swapin error markers. The major case is we should persist a swapin error marker after fork(), so child shouldn't read a corrupted page. This patch (of 2): When fork(), dst_vma is not guaranteed to have VM_UFFD_WP even if src may have it and has pte marker installed. The warning is improper along with the comment. The right thing is to inherit the pte marker when needed, or keep the dst pte empty. A vague guess is this happened by an accident when there's the prior patch to introduce src/dst vma into this helper during the uffd-wp feature got developed and I probably messed up in the rebase, since if we replace dst_vma with src_vma the warning & comment it all makes sense too. Hugetlb did exactly the right here (copy_hugetlb_page_range()). Fix the general path. Reproducer: https://github.com/xupengfe/syzkaller_logs/blob/main/221208_115556_copy_page_range/repro.c Bugzilla report: https://bugzilla.kernel.org/show_bug.cgi?id=216808 Link: https://lkml.kernel.org/r/20221214200453.1772655-1-peterx@redhat.com Link: https://lkml.kernel.org/r/20221214200453.1772655-2-peterx@redhat.com Fixes: c56d1b62cce8 ("mm/shmem: handle uffd-wp during fork()") Signed-off-by: Peter Xu Reported-by: Pengfei Xu Acked-by: David Hildenbrand Reviewed-by: Miaohe Lin Cc: Andrea Arcangeli Cc: "Huang, Ying" Cc: Nadav Amit Cc: # 5.19+ Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit b10990bee73cba064def8f7e180e1888b02688e6 Author: Zheng Yongjun Date: Sat Nov 26 07:14:30 2022 +0000 fpga: stratix10-soc: Fix return value check in s10_ops_write_init() commit 65ea840afd508194b0ee903256162aa87e46ec30 upstream. In case of error, the function stratix10_svc_allocate_memory() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). Fixes: e7eef1d7633a ("fpga: add intel stratix10 soc fpga manager driver") Signed-off-by: Zheng Yongjun Reviewed-by: Russ Weight Cc: stable@vger.kernel.org Acked-by: Xu Yilun Link: https://lore.kernel.org/r/20221126071430.19540-1-zhengyongjun3@huawei.com Signed-off-by: Xu Yilun Signed-off-by: Greg Kroah-Hartman commit 74cff472d3d66db13b5ef64f40dfa42383f71ff7 Author: Ilpo Järvinen Date: Wed Dec 14 16:49:52 2022 +0200 fpga: m10bmc-sec: Fix probe rollback commit 60ce26d10e5850f33cc76fce52f5377045e75a15 upstream. Handle probe error rollbacks properly to avoid leaks. Fixes: 5cd339b370e2 ("fpga: m10bmc-sec: add max10 secure update functions") Reviewed-by: Matthew Gerlach Reviewed-by: Russ Weight Reviewed-by: Marco Pagani Signed-off-by: Ilpo Järvinen Cc: stable@vger.kernel.org Acked-by: Xu Yilun Link: https://lore.kernel.org/r/20221214144952.8392-1-ilpo.jarvinen@linux.intel.com Signed-off-by: Xu Yilun Signed-off-by: Greg Kroah-Hartman commit 32beac7a3d0f7ae6a7de67ce4c18755f80bf7e29 Author: Joerg Roedel Date: Tue Jan 31 09:57:18 2023 +0100 x86/debug: Fix stack recursion caused by wrongly ordered DR7 accesses commit 9d2c7203ffdb846399b82b0660563c89e918c751 upstream. In kernels compiled with CONFIG_PARAVIRT=n, the compiler re-orders the DR7 read in exc_nmi() to happen before the call to sev_es_ist_enter(). This is problematic when running as an SEV-ES guest because in this environment the DR7 read might cause a #VC exception, and taking #VC exceptions is not safe in exc_nmi() before sev_es_ist_enter() has run. The result is stack recursion if the NMI was caused on the #VC IST stack, because a subsequent #VC exception in the NMI handler will overwrite the stack frame of the interrupted #VC handler. As there are no compiler barriers affecting the ordering of DR7 reads/writes, make the accesses to this register volatile, forbidding the compiler to re-order them. [ bp: Massage text, make them volatile too, to make sure some aggressive compiler optimization pass doesn't discard them. ] Fixes: 315562c9af3d ("x86/sev-es: Adjust #VC IST Stack on entering NMI handler") Reported-by: Alexey Kardashevskiy Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov (AMD) Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230127035616.508966-1-aik@amd.com Signed-off-by: Greg Kroah-Hartman commit 0b570a059cf42ad6e2eb632f47c23813d58d8303 Author: Greg Kroah-Hartman Date: Thu Feb 2 15:09:18 2023 +0100 HV: hv_balloon: fix memory leak with using debugfs_lookup() commit 6dfb0771429a63db8561d44147f2bb76f93e1c86 upstream. When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once. Cc: "K. Y. Srinivasan" Cc: Haiyang Zhang Cc: Wei Liu Cc: Dexuan Cui Fixes: d180e0a1be6c ("Drivers: hv: Create debugfs file with hyper-v balloon usage information") Cc: stable Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20230202140918.2289522-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit cf1c917bf1c761a557b26410024e90057646c049 Author: Greg Kroah-Hartman Date: Thu Feb 2 16:15:54 2023 +0100 kernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup() commit d83d7ed260283560700d4034a80baad46620481b upstream. When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once. Cc: Thomas Gleixner Cc: stable Reviewed-by: Marc Zyngier Link: https://lore.kernel.org/r/20230202151554.2310273-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 512d1ed968d535fb7df5cde57f30009c17bbf509 Author: Aaro Koskinen Date: Thu Feb 2 00:01:25 2023 +0200 usb: gadget: udc: do not clear gadget driver.bus commit 30d09b3131f5b1b9d54ad9b7ee171a45e21362b3 upstream. Before the commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget driver.bus was unused. For whatever reason, many UDC drivers set this field explicitly to NULL in udc_start(). With the newly added gadget bus, doing this will crash the driver during the attach. The problem was first reported, fixed and tested with OMAP UDC and g_ether. Other drivers are changed based on code analysis only. Fixes: fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") Cc: stable Signed-off-by: Aaro Koskinen Acked-by: Alan Stern Link: https://lore.kernel.org/r/20230201220125.GD2415@darkstar.musicnaut.iki.fi Signed-off-by: Greg Kroah-Hartman commit fdd11d7136fd070b3a74d6d8799d9eac28a57fc5 Author: Heikki Krogerus Date: Tue Jan 31 16:15:18 2023 +0200 usb: typec: ucsi: Don't attempt to resume the ports before they exist commit f82060da749c611ed427523b6d1605d87338aac1 upstream. This will fix null pointer dereference that was caused by the driver attempting to resume ports that were not yet registered. Fixes: e0dced9c7d47 ("usb: typec: ucsi: Resume in separate work") Cc: Link: https://bugzilla.kernel.org/show_bug.cgi?id=216697 Signed-off-by: Heikki Krogerus Link: https://lore.kernel.org/r/20230131141518.78215-1-heikki.krogerus@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit dd63f6f0d94673c44bb84b1fd9ef32baba67f2e9 Author: Pratham Pratap Date: Wed Jan 25 12:57:25 2023 +0530 usb: gadget: f_uac2: Fix incorrect increment of bNumEndpoints commit 2fa89458af9993fab8054daf827f38881e2ad473 upstream. Currently connect/disconnect of USB cable calls afunc_bind and eventually increments the bNumEndpoints. Performing multiple plugin/plugout will increment bNumEndpoints incorrectly, and on the next plug-in it leads to invalid configuration of descriptor and hence enumeration fails. Fix this by resetting the value of bNumEndpoints to 1 on every afunc_bind call. Fixes: 40c73b30546e ("usb: gadget: f_uac2: add adaptive sync support for capture") Cc: stable Signed-off-by: Pratham Pratap Signed-off-by: Prashanth K Link: https://lore.kernel.org/r/1674631645-28888-1-git-send-email-quic_prashk@quicinc.com Signed-off-by: Greg Kroah-Hartman commit b79ba5953f6fdc5559389ad415620bffc24f024b Author: Kefeng Wang Date: Sun Jan 29 12:09:45 2023 +0800 mm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath() commit ac86f547ca1002aec2ef66b9e64d03f45bbbfbb9 upstream. As commit 18365225f044 ("hwpoison, memcg: forcibly uncharge LRU pages"), hwpoison will forcibly uncharg a LRU hwpoisoned page, the folio_memcg could be NULl, then, mem_cgroup_track_foreign_dirty_slowpath() could occurs a NULL pointer dereference, let's do not record the foreign writebacks for folio memcg is null in mem_cgroup_track_foreign_dirty() to fix it. Link: https://lkml.kernel.org/r/20230129040945.180629-1-wangkefeng.wang@huawei.com Fixes: 97b27821b485 ("writeback, memcg: Implement foreign dirty flushing") Signed-off-by: Kefeng Wang Reported-by: Ma Wupeng Tested-by: Miko Larsson Acked-by: Michal Hocko Cc: Jan Kara Cc: Jens Axboe Cc: Kefeng Wang Cc: Ma Wupeng Cc: Naoya Horiguchi Cc: Shakeel Butt Cc: Tejun Heo Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 139f866e420a97740f12555be7d77ad330619248 Author: Mike Kravetz Date: Thu Jan 26 14:27:20 2023 -0800 mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps commit 3489dbb696d25602aea8c3e669a6d43b76bd5358 upstream. Patch series "Fixes for hugetlb mapcount at most 1 for shared PMDs". This issue of mapcount in hugetlb pages referenced by shared PMDs was discussed in [1]. The following two patches address user visible behavior caused by this issue. [1] https://lore.kernel.org/linux-mm/Y9BF+OCdWnCSilEu@monkey/ This patch (of 2): A hugetlb page will have a mapcount of 1 if mapped by multiple processes via a shared PMD. This is because only the first process increases the map count, and subsequent processes just add the shared PMD page to their page table. page_mapcount is being used to decide if a hugetlb page is shared or private in /proc/PID/smaps. Pages referenced via a shared PMD were incorrectly being counted as private. To fix, check for a shared PMD if mapcount is 1. If a shared PMD is found count the hugetlb page as shared. A new helper to check for a shared PMD is added. [akpm@linux-foundation.org: simplification, per David] [akpm@linux-foundation.org: hugetlb.h: include page_ref.h for page_count()] Link: https://lkml.kernel.org/r/20230126222721.222195-2-mike.kravetz@oracle.com Fixes: 25ee01a2fca0 ("mm: hugetlb: proc: add hugetlb-related fields to /proc/PID/smaps") Signed-off-by: Mike Kravetz Acked-by: Peter Xu Cc: David Hildenbrand Cc: James Houghton Cc: Matthew Wilcox Cc: Michal Hocko Cc: Muchun Song Cc: Naoya Horiguchi Cc: Vishal Moola (Oracle) Cc: Yang Shi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 04448022311cebd30969d3aebdde765f1258b360 Author: Yu Zhao Date: Sun Jan 15 20:44:05 2023 -0700 mm: multi-gen LRU: fix crash during cgroup migration commit de08eaa6156405f2e9369f06ba5afae0e4ab3b62 upstream. lru_gen_migrate_mm() assumes lru_gen_add_mm() runs prior to itself. This isn't true for the following scenario: CPU 1 CPU 2 clone() cgroup_can_fork() cgroup_procs_write() cgroup_post_fork() task_lock() lru_gen_migrate_mm() task_unlock() task_lock() lru_gen_add_mm() task_unlock() And when the above happens, kernel crashes because of linked list corruption (mm_struct->lru_gen.list). Link: https://lore.kernel.org/r/20230115134651.30028-1-msizanoen@qtmlabs.xyz/ Link: https://lkml.kernel.org/r/20230116034405.2960276-1-yuzhao@google.com Fixes: bd74fdaea146 ("mm: multi-gen LRU: support page table walks") Signed-off-by: Yu Zhao Reported-by: msizanoen Tested-by: msizanoen Cc: [6.1+] Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit b40680220b13f79eeb900aca436270b86a9623bb Author: Isaac J. Manjarres Date: Tue Jan 24 15:02:54 2023 -0800 Revert "mm: kmemleak: alloc gray object for reserved region with direct map" commit 8ef852f1cb426a5812aee700d3b4297aaa426acc upstream. This reverts commit 972fa3a7c17c9d60212e32ecc0205dc585b1e769. Kmemleak operates by periodically scanning memory regions for pointers to allocated memory blocks to determine if they are leaked or not. However, reserved memory regions can be used for DMA transactions between a device and a CPU, and thus, wouldn't contain pointers to allocated memory blocks, making them inappropriate for kmemleak to scan. Thus, revert this commit. Link: https://lkml.kernel.org/r/20230124230254.295589-1-isaacmanjarres@google.com Fixes: 972fa3a7c17c9 ("mm: kmemleak: alloc gray object for reserved region with direct map") Signed-off-by: Isaac J. Manjarres Acked-by: Catalin Marinas Cc: Calvin Zhang Cc: Frank Rowand Cc: Rob Herring Cc: Saravana Kannan Cc: [5.17+] Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 4afacf17ff0f6a76b2ba5f5f3908ab18cf6de5e5 Author: Andreas Schwab Date: Wed Feb 1 10:29:45 2023 +0100 riscv: disable generation of unwind tables commit 2f394c0e7d1129a35156e492bc8f445fb20f43ac upstream. GCC 13 will enable -fasynchronous-unwind-tables by default on riscv. In the kernel, we don't have any use for unwind tables yet, so disable them. More importantly, the .eh_frame section brings relocations (R_RISC_32_PCREL, R_RISCV_SET{6,8,16}, R_RISCV_SUB{6,8,16}) into modules that we are not prepared to handle. Signed-off-by: Andreas Schwab Link: https://lore.kernel.org/r/mvmzg9xybqu.fsf@suse.de Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 3028c3a169a2bbed54a3d73caebb0c3931ec6356 Author: Helge Deller Date: Wed Feb 1 16:41:54 2023 +0100 parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case commit 316f1f42b5cc1d95124c1f0387c867c1ba7b6d0e upstream. Wire up the missing ptrace requests PTRACE_GETREGS, PTRACE_SETREGS, PTRACE_GETFPREGS and PTRACE_SETFPREGS when running 32-bit applications on 64-bit kernels. Signed-off-by: Helge Deller Cc: stable@vger.kernel.org # 4.7+ Signed-off-by: Greg Kroah-Hartman commit a6a5b7067018d23e09b4a627b85a74c7c2e43afc Author: Helge Deller Date: Wed Feb 1 11:04:06 2023 +0100 parisc: Replace hardcoded value with PRIV_USER constant in ptrace.c commit 3f0c17809a098d3f0c1ec83f1fb3ca61638d3dcd upstream. Prefer usage of the PRIV_USER constant over the hard-coded value to set the lowest 2 bits for the userspace privilege. Signed-off-by: Helge Deller Cc: stable@vger.kernel.org # 5.16+ Signed-off-by: Greg Kroah-Hartman commit d386bc5bf1cd00aee94bfc7b72d20b57d26ff5a8 Author: Helge Deller Date: Mon Dec 19 20:56:36 2022 +0100 parisc: Fix return code of pdc_iodc_print() commit 5d1335dabb3c493a3d6d5b233953b6ac7b6c1ff2 upstream. There is an off-by-one if the printed string includes a new-line char. Cc: stable@vger.kernel.org Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 96d3b446680e28587d4bf7955dc58ae5c525a2f9 Author: Johan Hovold Date: Fri Jan 27 10:40:15 2023 +0000 nvmem: qcom-spmi-sdam: fix module autoloading commit 1ca7fca349316231bbaa68d16f819a08d683c5a7 upstream. Add the missing module device table so that the driver can be autoloaded when built as a module. Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver") Cc: stable@vger.kernel.org # 5.6 Reviewed-by: Bjorn Andersson Signed-off-by: Johan Hovold Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-11-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 68ce2c8f9d0e2f2ec2d84161387dcde775ae6c60 Author: Samuel Holland Date: Fri Jan 27 10:40:07 2023 +0000 nvmem: sunxi_sid: Always use 32-bit MMIO reads commit c151d5ed8e8fe0474bd61dce7f2076ca5916c683 upstream. The SID SRAM on at least some SoCs (A64 and D1) returns different values when read with bus cycles narrower than 32 bits. This is not immediately obvious, because memcpy_fromio() uses word-size accesses as long as enough data is being copied. The vendor driver always uses 32-bit MMIO reads, so do the same here. This is faster than the register-based method, which is currently used as a workaround on A64. And it fixes the values returned on D1, where the SRAM method was being used. The special case for the last word is needed to maintain .word_size == 1 for sysfs ABI compatibility, as noted previously in commit de2a3eaea552 ("nvmem: sunxi_sid: Optimize register read-out method"). Fixes: 07ae4fde9efa ("nvmem: sunxi_sid: Add support for D1 variant") Cc: stable@vger.kernel.org Tested-by: Heiko Stuebner Signed-off-by: Samuel Holland Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-3-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit f5249bbae0e736d612d2095ad79dc1389b3e89b5 Author: Jiasheng Jiang Date: Fri Jan 27 10:40:06 2023 +0000 nvmem: brcm_nvram: Add check for kzalloc commit b0576ade3aaf24b376ea1a4406ae138e2a22b0c0 upstream. Add the check for the return value of kzalloc in order to avoid NULL pointer dereference. Fixes: 6e977eaa8280 ("nvmem: brcm_nvram: parse NVRAM content into NVMEM cells") Cc: stable@vger.kernel.org Signed-off-by: Jiasheng Jiang Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-2-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 4092267ad66a02cbe4b36fe9018a25355d6f776b Author: Carlos Song Date: Wed Jan 18 15:42:27 2023 +0800 iio: imu: fxos8700: fix MAGN sensor scale and unit commit 2acd031347f645871959a799238a7caf6803aa18 upstream. +/-1200uT is a MAGN sensor full measurement range. Magnetometer scale is the magnetic sensitivity parameter. It is referenced as 0.1uT according to datasheet and magnetometer channel unit is Gauss in sysfs-bus-iio documentation. Gauss and uTesla unit conversion relationship as follows: 0.1uT = 0.001Gs. Set magnetometer scale and available magnetometer scale as fixed 0.001Gs. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20230118074227.1665098-5-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit ad3c145485b2f134c28d6fc96445627e9f05ea6d Author: Carlos Song Date: Wed Jan 18 15:42:26 2023 +0800 iio: imu: fxos8700: remove definition FXOS8700_CTRL_ODR_MIN commit ff5e2cd92ffda9a25ffa2cbdb3a0cf17650172a6 upstream. FXOS8700_CTRL_ODR_MIN is not used but value is probably wrong. Remove it for a good readability. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20230118074227.1665098-4-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 8ac10e1cb0f5b0ccbc2d32d45399bac3b7f9012c Author: Carlos Song Date: Wed Jan 18 15:42:25 2023 +0800 iio: imu: fxos8700: fix failed initialization ODR mode assignment commit eb6d8f8705bc19141bac81d8161461f9e256948a upstream. The absence of correct offset leads a failed initialization ODR mode assignment. Select MAX ODR mode as the initialization ODR mode by field mask and FIELD_PREP. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20230118074227.1665098-3-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 555daa41074d7f617877cd1b2acdccdb9ad4d818 Author: Carlos Song Date: Wed Jan 18 15:42:24 2023 +0800 iio: imu: fxos8700: fix incorrect ODR mode readback commit 78ad6864e9e012cdba7c353d044d21ffcfd5f34b upstream. The absence of a correct offset leads an incorrect ODR mode readback after use a hexadecimal number to mark the value from FXOS8700_CTRL_REG1. Get ODR mode by field mask and FIELD_GET clearly and conveniently. And attach other additional fix for keeping the original code logic and a good readability. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20230118074227.1665098-2-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit efc3dc3812cfd6098cd7a91cc9549dfb216f29b5 Author: Carlos Song Date: Thu Dec 8 15:19:06 2022 +0800 iio: imu: fxos8700: fix swapped ACCEL and MAGN channels readback commit c68b44bc7d9b1469774a1c985ee71d2cbc5ebef5 upstream. Because ACCEL and MAGN channels data register base address is swapped the accelerometer and magnetometer channels readback is swapped. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20221208071911.2405922-3-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit af7b50e4f6eead784709414ce3ba05e987e0e7a0 Author: Carlos Song Date: Thu Dec 8 15:19:05 2022 +0800 iio: imu: fxos8700: fix map label of channel type to MAGN sensor commit 429e1e8ec696e0e7a0742904e3dc2f83b7b23dfb upstream. FXOS8700 is an IMU sensor with ACCEL sensor and MAGN sensor. Sensor type is indexed by corresponding channel type in a switch. IIO_ANGL_VEL channel type mapped to MAGN sensor has caused confusion. Fix the mapping label of "IIO_MAGN" channel type instead of "IIO_ANGL_VEL" channel type to MAGN sensor. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20221208071911.2405922-2-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 3a91ef914ab1ac7aab0f8678437694634f987428 Author: Carlos Song Date: Thu Dec 8 15:19:08 2022 +0800 iio: imu: fxos8700: fix IMU data bits returned to user space commit a53f945879c0cb9de3a4c05a665f5157884b5208 upstream. ACCEL output data registers contain the X-axis, Y-axis, and Z-axis 14-bit left-justified sample data and MAGN output data registers contain the X-axis, Y-axis, and Z-axis 16-bit sample data. The ACCEL raw register output data should be divided by 4 before sent to userspace. Apply a 2 bits signed right shift to the raw data from ACCEL output data register but keep that from MAGN sensor as the origin. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20221208071911.2405922-5-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 8f1b6aa3bf0fe10c47e8590fe408567f3d6f2be3 Author: Carlos Song Date: Thu Dec 8 15:19:07 2022 +0800 iio: imu: fxos8700: fix incomplete ACCEL and MAGN channels readback commit 37a94d86d7050665d6d01378b2c916c28e454f10 upstream. The length of ACCEL and MAGN 3-axis channels output data is 6 byte individually. However block only read 3 bytes data into buffer from ACCEL or MAGN output data registers every time. It causes an incomplete ACCEL and MAGN channels readback. Set correct value count for regmap_bulk_read to get 6 bytes ACCEL and MAGN channels readback. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20221208071911.2405922-4-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit fb06fc5af496f1eea32beab59465853b172308ae Author: Carlos Song Date: Thu Dec 8 15:19:09 2022 +0800 iio: imu: fxos8700: fix ACCEL measurement range selection commit 9d61c1820598a5ea474576ed55318a6dadee37ed upstream. When device is in active mode, it fails to set an ACCEL full-scale range(2g/4g/8g) in FXOS8700_XYZ_DATA_CFG. This is not align with the datasheet, but it is a fxos8700 chip behavior. Keep the device in standby mode before setting ACCEL full-scale range into FXOS8700_XYZ_DATA_CFG in chip initialization phase and setting scale phase. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20221208071911.2405922-6-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 1a48ba20a551065bcd40a77d358f95ac0cd76a7c Author: Kai-Heng Feng Date: Thu Jan 19 01:04:22 2023 +0800 iio: light: cm32181: Fix PM support on system with 2 I2C resources commit ee3c5b644a0fdcfed27515a39fb2dd3a016704c1 upstream. Commit c1e62062ff54 ("iio: light: cm32181: Handle CM3218 ACPI devices with 2 I2C resources") creates a second client for the actual I2C address, but the "struct device" passed to PM ops is the first I2C client that can't talk to the sensor. That means the I2C transfers in both suspend and resume routines can fail and blocking the whole suspend process. Instead of using the first client for I2C transfer, use the I2C client stored in the cm32181 private struct so the PM ops can get the correct I2C client to really talk to the sensor device. Fixes: 68c1b3dd5c48 ("iio: light: cm32181: Add PM support") BugLink: https://bugs.launchpad.net/bugs/1988346 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152281 Tested-by: Wahaj Signed-off-by: Kai-Heng Feng Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20230118170422.339619-1-kai.heng.feng@canonical.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 930351148181c6a53ed5ef00142ffbff02c637d5 Author: Andreas Kemnade Date: Thu Dec 1 19:16:35 2022 +0100 iio:adc:twl6030: Enable measurements of VUSB, VBAT and others commit f804bd0dc28683a93a60f271aaefb2fc5b0853dd upstream. Some inputs need to be wired up to produce proper measurements, without this change only near zero values are reported. Signed-off-by: Andreas Kemnade Fixes: 1696f36482e70 ("iio: twl6030-gpadc: TWL6030, TWL6032 GPADC driver") Link: https://lore.kernel.org/r/20221201181635.3522962-1-andreas@kemnade.info Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit e05b41391ab361816e2faa62e5af5a28c2ee5946 Author: Frank Li Date: Thu Dec 1 09:01:10 2022 -0500 iio: imx8qxp-adc: fix irq flood when call imx8qxp_adc_read_raw() commit 0fc3562a993c3dc41d1177b3983d9300d0db1d4d upstream. irq flood happen when run cat /sys/bus/iio/devices/iio:device0/in_voltage1_raw imx8qxp_adc_read_raw() { ... enable irq /* adc start */ writel(1, adc->regs + IMX8QXP_ADR_ADC_SWTRIG); ^^^^ trigger irq flood. wait_for_completion_interruptible_timeout(); readl(adc->regs + IMX8QXP_ADR_ADC_RESFIFO); ^^^^ clear irq here. ... } There is only FIFO watermark interrupt at this ADC controller. IRQ line will be assert until software read data from FIFO. So IRQ flood happen during wait_for_completion_interruptible_timeout(). Move FIFO read into irq handle to avoid irq flood. Fixes: 1e23dcaa1a9f ("iio: imx8qxp-adc: Add driver support for NXP IMX8QXP ADC") Cc: stable@vger.kernel.org Signed-off-by: Frank Li Reviewed-by: Cai Huoqing Reviewed-by: Haibo Chen Link: https://lore.kernel.org/r/20221201140110.2653501-1-Frank.Li@nxp.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 9e480211d0f85151ad4f6a245c9b4811d094571b Author: Xiongfeng Wang Date: Tue Nov 29 10:03:16 2022 +0800 iio: adc: berlin2-adc: Add missing of_node_put() in error path commit cbd3a0153cd18a2cbef6bf3cf31bb406c3fc9f55 upstream. of_get_parent() will return a device_node pointer with refcount incremented. We need to use of_node_put() on it when done. Add the missing of_node_put() in the error path of berlin2_adc_probe(); Fixes: 70f1937911ca ("iio: adc: add support for Berlin") Signed-off-by: Xiongfeng Wang Link: https://lore.kernel.org/r/20221129020316.191731-1-wangxiongfeng2@huawei.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 0b2f949909a34664ca4e60d8393a1f80bf062e0f Author: Marco Pagani Date: Fri Nov 25 12:31:12 2022 +0100 iio: adc: xilinx-ams: fix devm_krealloc() return value check commit 6794ed0cfcc6ce737240eccc48b3e8190df36703 upstream. The clang-analyzer reported a warning: "Value stored to 'ret' is never read". Fix the return value check if devm_krealloc() fails to resize ams_channels. Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver") Signed-off-by: Marco Pagani Acked-by: Michal Simek Link: https://lore.kernel.org/r/20221125113112.219290-1-marpagan@redhat.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit f9e5c6d9ac6ca44ddad45e444ed6164e76b42572 Author: Dmitry Perchanov Date: Wed Jan 11 14:24:25 2023 +0200 iio: hid: fix the retval in gyro_3d_capture_sample commit eb50cd5bfdac61627a5026566cf3b90ced7b141c upstream. Return value should be zero for success. This was forgotten for timestamp feature. Verified on RealSense cameras. Fixes: 4648cbd8fb92 ("iio: hid-sensor-gyro-3d: Add timestamp channel") Signed-off-by: Dmitry Perchanov Link: https://lore.kernel.org/r/7c1809dc74eb2f58a20595f4d02e76934f8e9219.camel@intel.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 37b5824545e661da19fce3f76575250d30415c4a Author: Dmitry Perchanov Date: Wed Jan 11 14:22:10 2023 +0200 iio: hid: fix the retval in accel_3d_capture_sample commit f7b23d1c35d8b8de1425bdfccaefd01f3b7c9d1c upstream. Return value should be zero for success. This was forgotten for timestamp feature. Verified on RealSense cameras. Fixes: a96cd0f901ee ("iio: accel: hid-sensor-accel-3d: Add timestamp") Signed-off-by: Dmitry Perchanov Link: https://lore.kernel.org/r/a6dc426498221c81fa71045b41adf782ebd42136.camel@intel.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 8c3203f47d33e4a41de4355856edd2215906b372 Author: Shanker Donthineni Date: Mon Jan 2 17:06:30 2023 -0600 rtc: efi: Enable SET/GET WAKEUP services as optional commit 101ca8d05913b7d1e6e8b9dd792193d4082fff86 upstream. The current implementation of rtc-efi is expecting all the 4 time services GET{SET}_TIME{WAKEUP} must be supported by UEFI firmware. As per the EFI_RT_PROPERTIES_TABLE, the platform specific implementations can choose to enable selective time services based on the RTC device capabilities. This patch does the following changes to provide GET/SET RTC services on platforms that do not support the WAKEUP feature. 1) Relax time services cap check when creating a platform device. 2) Clear RTC_FEATURE_ALARM bit in the absence of WAKEUP services. 3) Conditional alarm entries in '/proc/driver/rtc'. Cc: # v6.0+ Signed-off-by: Shanker Donthineni Link: https://lore.kernel.org/r/20230102230630.192911-1-sdonthineni@nvidia.com Signed-off-by: Alexandre Belloni Signed-off-by: Greg Kroah-Hartman commit 661bb546c4d547afbc0fab30dd69467a95446263 Author: Ard Biesheuvel Date: Thu Feb 2 18:30:06 2023 +0100 efi: Accept version 2 of memory attributes table commit 636ab417a7aec4ee993916e688eb5c5977570836 upstream. UEFI v2.10 introduces version 2 of the memory attributes table, which turns the reserved field into a flags field, but is compatible with version 1 in all other respects. So let's not complain about version 2 if we encounter it. Cc: Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman commit ac515839b1f3e0b824af4c320a10e7cf75346507 Author: Bard Liao Date: Wed Jan 18 12:12:55 2023 +0200 ASoC: SOF: keep prepare/unprepare widgets in sink path commit cc755b4377b0520d594ae573497cf0824baea648 upstream. The existing code return when a widget doesn't need to prepare/unprepare. This will prevent widgets in the sink path from being prepared/unprepared. Cc: # 6.1 Link: https://github.com/thesofproject/linux/issues/4021 Signed-off-by: Bard Liao Reviewed-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Reviewed-by: Rander Wang Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20230118101255.29139-4-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 18691bdd5db5b4c230e78304383469415ad60a6e Author: Ranjani Sridharan Date: Wed Jan 18 12:12:54 2023 +0200 ASoC: SOF: sof-audio: skip prepare/unprepare if swidget is NULL commit 0ad84b11f2f8dd19d62d0b2ffd95ece897e6c3dc upstream. Skip preparing/unpreparing widgets if the swidget pointer is NULL. This will be true in the case of virtual widgets in topology that were added for reusing the legacy HDA machine driver with SOF. Fixes: 9862dcf70245 ("ASoC: SOF: don't unprepare widget used other pipelines") Cc: # 6.1 Signed-off-by: Ranjani Sridharan Signed-off-by: Peter Ujfalusi Reviewed-by: Rander Wang Reviewed-by: AngeloGioacchino Del Regno Tested-by: AngeloGioacchino Del Regno Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20230118101255.29139-3-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit b6552a76015a70496d96f1abc0bb0bf72872e97e Author: Bard Liao Date: Wed Jan 18 12:12:53 2023 +0200 ASoC: SOF: sof-audio: unprepare when swidget->use_count > 0 commit 7d2a67e02549c4b1feaac4d8b4151bf46424a047 upstream. We should unprepare the widget if its use_count = 1. Fixes: 9862dcf70245 ("ASoC: SOF: don't unprepare widget used other pipelines") Cc: # 6.1 Signed-off-by: Bard Liao Reviewed-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Reviewed-by: Rander Wang Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20230118101255.29139-2-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 60a1ffed517f0fdc893b8e762f5d170d6d14b5da Author: Krzysztof Kozlowski Date: Tue Jan 24 13:30:49 2023 +0100 ASoC: codecs: wsa883x: correct playback min/max rates commit 100c94ffde489ee11e23400f2a07b236144b048f upstream. Correct reversed values used in min/max rates, leading to incorrect playback constraints. Cc: Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20230124123049.285395-1-krzysztof.kozlowski@linaro.org Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit dd405afa4e9703c95f96e245645bec1459f0f95b Author: Jeremy Szu Date: Wed Jan 18 19:54:45 2023 +0800 ALSA: hda/realtek: fix mute/micmute LEDs, speaker don't work for a HP platform commit 858c54152658ccd4e305c1e12d3cc6825bc90504 upstream. There is a HP platform needs ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED quirk to make mic-mute/audio-mute/speaker working. Signed-off-by: Jeremy Szu Cc: Link: https://lore.kernel.org/r/20230118115446.14902-1-jeremy.szu@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e58d01b099302028197d7c56bc3e846e03b7fcc2 Author: Victor Shyba Date: Mon Jan 23 19:21:29 2023 -0300 ALSA: hda/realtek: Add Acer Predator PH315-54 commit 6a28a25d358079b7d0d144689f850aecacf63cba upstream. Same issue as SP513-54N: Headset microphone does not work without ALC255_FIXUP_ACER_MIC_NO_PRESENCE fixup. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211853 Cc: Signed-off-by: Victor Shyba Link: https://lore.kernel.org/r/20230123222129.17589-1-victor1984@riseup.net Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit be606481eb3337203d430dd14bade44b9b2c3b57 Author: Alexander Egorenkov Date: Fri Jan 27 14:52:42 2023 +0100 watchdog: diag288_wdt: fix __diag288() inline assembly commit 32e40f9506b9e32917eb73154f93037b443124d1 upstream. The DIAG 288 statement consumes an EBCDIC string the address of which is passed in a register. Use a "memory" clobber to tell the compiler that memory is accessed within the inline assembly. Signed-off-by: Alexander Egorenkov Reviewed-by: Heiko Carstens Cc: Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit f3d786285f4c86843c254f9e1c07bf6b26702fcc Author: Alexander Egorenkov Date: Fri Jan 27 14:52:41 2023 +0100 watchdog: diag288_wdt: do not use stack buffers for hardware data commit fe8973a3ad0905cb9ba2d42db42ed51de14737df upstream. With CONFIG_VMAP_STACK=y the stack is allocated from the vmalloc space. Data passed to a hardware or a hypervisor interface that requires V=R can no longer be allocated on the stack. Use kmalloc() to get memory for a diag288 command. Signed-off-by: Alexander Egorenkov Reviewed-by: Heiko Carstens Cc: Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit ad88608681417996a603eb78bd63ac940be097c2 Author: Oliver Hartkopp Date: Thu Jan 12 20:23:47 2023 +0100 can: isotp: handle wait_event_interruptible() return values commit 823b2e42720f96f277940c37ea438b7c5ead51a4 upstream. When wait_event_interruptible() has been interrupted by a signal the tx.state value might not be ISOTP_IDLE. Force the state machines into idle state to inhibit the timer handlers to continue working. Fixes: 866337865f37 ("can: isotp: fix tx state handling for echo tx processing") Cc: stable@vger.kernel.org Signed-off-by: Oliver Hartkopp Link: https://lore.kernel.org/all/20230112192347.1944-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit cae4c9bc35f72af5d4a079bb9d9fd62c4088a411 Author: Oliver Hartkopp Date: Wed Jan 4 15:57:01 2023 +0100 can: isotp: split tx timer into transmission and timeout commit 4f027cba8216f42a18b544842efab134f8b1f9f4 upstream. The timer for the transmission of isotp PDUs formerly had two functions: 1. send two consecutive frames with a given time gap 2. monitor the timeouts for flow control frames and the echo frames This led to larger txstate checks and potentially to a problem discovered by syzbot which enabled the panic_on_warn feature while testing. The former 'txtimer' function is split into 'txfrtimer' and 'txtimer' to handle the two above functionalities with separate timer callbacks. The two simplified timers now run in one-shot mode and make the state transitions (especially with isotp_rcv_echo) better understandable. Fixes: 866337865f37 ("can: isotp: fix tx state handling for echo tx processing") Reported-by: syzbot+5aed6c3aaba661f5b917@syzkaller.appspotmail.com Cc: stable@vger.kernel.org # >= v6.0 Signed-off-by: Oliver Hartkopp Link: https://lore.kernel.org/all/20230104145701.2422-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 6e62048f527dcd80bf13ccf3b5a382d7da2c0889 Author: Natalia Petrova Date: Wed Jan 25 16:48:31 2023 +0300 net: qrtr: free memory on error path in radix_tree_insert() commit 29de68c2b32ce58d64dea496d281e25ad0f551bd upstream. Function radix_tree_insert() returns errors if the node hasn't been initialized and added to the tree. "kfree(node)" and return value "NULL" of node_get() help to avoid using unclear node in other calls. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: # 5.7 Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") Signed-off-by: Natalia Petrova Reviewed-by: Simon Horman Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20230125134831.8090-1-n.petrova@fintech.ru Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 334ce90fadd14b2438cae75f76b8323fb4c69c15 Author: Fabio Estevam Date: Tue Jan 17 08:25:10 2023 -0300 ARM: dts: imx7d-smegw01: Fix USB host over-current polarity commit 1febf88ef907b142fdde34f7c64ed3535d9339e4 upstream. Currently, when resetting the USB modem via AT commands, the modem is no longer re-connected. This problem is caused by the incorrect description of the USB_OTG2_OC pad. It should have pull-up enabled, hysteresis enabled and the property 'over-current-active-low' should be passed. With this change, the USB modem can be successfully re-connected after a reset. Cc: stable@vger.kernel.org Fixes: 9ac0ae97e349 ("ARM: dts: imx7d-smegw01: Add support for i.MX7D SMEGW01 board") Signed-off-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 78792d25b658bacdd8592dc2c90789f64d78ffab Author: Michael Kelley Date: Mon Jan 30 19:33:06 2023 -0800 hv_netvsc: Fix missed pagebuf entries in netvsc_dma_map/unmap() commit 99f1c46011cc0feb47d4f4f7bee70a0341442d14 upstream. netvsc_dma_map() and netvsc_dma_unmap() currently check the cp_partial flag and adjust the page_count so that pagebuf entries for the RNDIS portion of the message are skipped when it has already been copied into a send buffer. But this adjustment has already been made by code in netvsc_send(). The duplicate adjustment causes some pagebuf entries to not be mapped. In a normal VM, this doesn't break anything because the mapping doesn’t change the PFN. But in a Confidential VM, dma_map_single() does bounce buffering and provides a different PFN. Failing to do the mapping causes the wrong PFN to be passed to Hyper-V, and various errors ensue. Fix this by removing the duplicate adjustment in netvsc_dma_map() and netvsc_dma_unmap(). Fixes: 846da38de0e8 ("net: netvsc: Add Isolation VM support for netvsc driver") Cc: stable@vger.kernel.org Signed-off-by: Michael Kelley Reviewed-by: Haiyang Zhang Link: https://lore.kernel.org/r/1675135986-254490-1-git-send-email-mikelley@microsoft.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit a2ab7f2cf5ef8f0c6212a246e681d1fe358cec1f Author: Waiman Long Date: Tue Jan 31 10:48:03 2023 -0500 cgroup/cpuset: Fix wrong check in update_parent_subparts_cpumask() commit e5ae8803847b80fe9d744a3174abe2b7bfed222a upstream. It was found that the check to see if a partition could use up all the cpus from the parent cpuset in update_parent_subparts_cpumask() was incorrect. As a result, it is possible to leave parent with no effective cpu left even if there are tasks in the parent cpuset. This can lead to system panic as reported in [1]. Fix this probem by updating the check to fail the enabling the partition if parent's effective_cpus is a subset of the child's cpus_allowed. Also record the error code when an error happens in update_prstate() and add a test case where parent partition and child have the same cpu list and parent has task. Enabling partition in the child will fail in this case. [1] https://www.spinics.net/lists/cgroups/msg36254.html Fixes: f0af1bfc27b5 ("cgroup/cpuset: Relax constraints to partition & cpus changes") Cc: stable@vger.kernel.org # v6.1 Reported-by: Srinivas Pandruvada Signed-off-by: Waiman Long Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 5e7f6e2ade57dfd6d133ff7c643abd2079248943 Author: Samuel Thibault Date: Sun Jan 29 16:17:40 2023 +0100 fbcon: Check font dimension limits commit 2b09d5d364986f724f17001ccfe4126b9b43a0be upstream. blit_x and blit_y are u32, so fbcon currently cannot support fonts larger than 32x32. The 32x32 case also needs shifting an unsigned int, to properly set bit 31, otherwise we get "UBSAN: shift-out-of-bounds in fbcon_set_font", as reported on: http://lore.kernel.org/all/IA1PR07MB98308653E259A6F2CE94A4AFABCE9@IA1PR07MB9830.namprd07.prod.outlook.com Kernel Branch: 6.2.0-rc5-next-20230124 Kernel config: https://drive.google.com/file/d/1F-LszDAizEEH0ZX0HcSR06v5q8FPl2Uv/view?usp=sharing Reproducer: https://drive.google.com/file/d/1mP1jcLBY7vWCNM60OMf-ogw-urQRjNrm/view?usp=sharing Reported-by: Sanan Hasanov Signed-off-by: Samuel Thibault Fixes: 2d2699d98492 ("fbcon: font setting should check limitation of driver") Cc: stable@vger.kernel.org Tested-by: Miko Larsson Reviewed-by: Greg Kroah-Hartman Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 8506f16aae9daf354e3732bcfd447e2a97f023df Author: George Kennedy Date: Tue Jan 24 11:16:54 2023 -0500 vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF [ Upstream commit 226fae124b2dac217ea5436060d623ff3385bc34 ] After a call to console_unlock() in vcs_read() the vc_data struct can be freed by vc_deallocate(). Because of that, the struct vc_data pointer load must be done at the top of while loop in vcs_read() to avoid a UAF when vcs_size() is called. Syzkaller reported a UAF in vcs_size(). BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215) Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537 CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1 Hardware name: Red Hat KVM, BIOS 1.15.0-2.module Call Trace: __asan_report_load4_noabort (mm/kasan/report_generic.c:350) vcs_size (drivers/tty/vt/vc_screen.c:215) vcs_read (drivers/tty/vt/vc_screen.c:415) vfs_read (fs/read_write.c:468 fs/read_write.c:450) ... Allocated by task 1191: ... kmalloc_trace (mm/slab_common.c:1069) vc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720 drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108) con_install (drivers/tty/vt/vt.c:3383) tty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413 drivers/tty/tty_io.c:1390) tty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126) chrdev_open (fs/char_dev.c:415) do_dentry_open (fs/open.c:883) vfs_open (fs/open.c:1014) ... Freed by task 1548: ... kfree (mm/slab_common.c:1021) vc_port_destruct (drivers/tty/vt/vt.c:1094) tty_port_destructor (drivers/tty/tty_port.c:296) tty_port_put (drivers/tty/tty_port.c:312) vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2)) vt_ioctl (drivers/tty/vt/vt_ioctl.c:903) tty_ioctl (drivers/tty/tty_io.c:2776) ... The buggy address belongs to the object at ffff888113747800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 424 bytes inside of 1024-byte region [ffff888113747800, ffff888113747c00) The buggy address belongs to the physical page: page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113740 head:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0 anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Disabling lock debugging due to kernel taint Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()") Reported-by: syzkaller Suggested-by: Jiri Slaby Signed-off-by: George Kennedy Link: https://lore.kernel.org/r/1674577014-12374-1-git-send-email-george.kennedy@oracle.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3b1534f5bae79f8549e14d3193793b67745038a8 Author: Udipto Goswami Date: Tue Jan 24 14:41:49 2023 +0530 usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait [ Upstream commit 921deb9da15851425ccbb6ee409dc2fd8fbdfe6b ] __ffs_ep0_queue_wait executes holding the spinlock of &ffs->ev.waitq.lock and unlocks it after the assignments to usb_request are done. However in the code if the request is already NULL we bail out returning -EINVAL but never unlocked the spinlock. Fix this by adding spin_unlock_irq &ffs->ev.waitq.lock before returning. Fixes: 6a19da111057 ("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait") Reviewed-by: John Keeping Signed-off-by: Udipto Goswami Link: https://lore.kernel.org/r/20230124091149.18647-1-quic_ugoswami@quicinc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f3ce160b301ca7180ec545d875e60e5369101f19 Author: Neil Armstrong Date: Tue Jan 24 09:31:21 2023 +0100 usb: dwc3: qcom: enable vbus override when in OTG dr-mode [ Upstream commit eb320f76e31dc835b9f57f04af1a2353b13bb7d8 ] With vbus override enabled when in OTG dr_mode, Host<->Peripheral switch now works on SM8550, otherwise the DWC3 seems to be stuck in Host mode only. Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") Reviewed-by: Bryan O'Donoghue Signed-off-by: Neil Armstrong Link: https://lore.kernel.org/r/20230123-topic-sm8550-upstream-dwc3-qcom-otg-v2-1-2d400e598463@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e99780c3e7a9f8c4dcdec58e0c3711dc8fba9bda Author: Olivier Moysan Date: Fri Dec 2 16:28:48 2022 +0100 iio: adc: stm32-dfsdm: fill module aliases [ Upstream commit cc3304052a89ab6ac887ed9224420a27e3d354e1 ] When STM32 DFSDM driver is built as module, no modalias information is available. This prevents module to be loaded by udev. Add MODULE_DEVICE_TABLE() to fill module aliases. Fixes: e2e6771c6462 ("IIO: ADC: add STM32 DFSDM sigma delta ADC support") Signed-off-by: Olivier Moysan Link: https://lore.kernel.org/r/20221202152848.45585-1-olivier.moysan@foss.st.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 016dadc60e2ee58da702418a5a81488fce006908 Author: Kees Cook Date: Thu Jan 5 22:02:33 2023 -0800 bcache: Silence memcpy() run-time false positive warnings [ Upstream commit be0d8f48ad97f5b775b0af3310343f676dbf318a ] struct bkey has internal padding in a union, but it isn't always named the same (e.g. key ## _pad, key_p, etc). This makes it extremely hard for the compiler to reason about the available size of copies done against such keys. Use unsafe_memcpy() for now, to silence the many run-time false positive warnings: memcpy: detected field-spanning write (size 264) of single field "&i->j" at drivers/md/bcache/journal.c:152 (size 240) memcpy: detected field-spanning write (size 24) of single field "&b->key" at drivers/md/bcache/btree.c:939 (size 16) memcpy: detected field-spanning write (size 24) of single field "&temp.key" at drivers/md/bcache/extents.c:428 (size 16) Reported-by: Alexandre Pereira Link: https://bugzilla.kernel.org/show_bug.cgi?id=216785 Acked-by: Coly Li Cc: Kent Overstreet Cc: linux-bcache@vger.kernel.org Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20230106060229.never.047-kees@kernel.org Signed-off-by: Sasha Levin commit f3056978934cf809c0ae70a22ac3af2a857e1a93 Author: Aurabindo Pillai Date: Wed Jan 11 14:56:22 2023 -0500 drm/amd/display: Fix timing not changning when freesync video is enabled [ Upstream commit 4b069553246f993c4221e382d0d0ae34f5ba730e ] [Why&How] Switching between certain modes that are freesync video modes and those are not freesync video modes result in timing not changing as seen by the monitor due to incorrect timing being driven. The issue is fixed by ensuring that when a non freesync video mode is set, we reset the freesync status on the crtc. Reviewed-by: Nicholas Kazlauskas Acked-by: Alan Liu Signed-off-by: Aurabindo Pillai Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 22312eeab33e71a887e6ade5de08339949f2907b Author: Hyunwoo Kim Date: Mon Jan 23 11:43:23 2023 -0800 net/x25: Fix to not accept on connected socket [ Upstream commit f2b0b5210f67c56a3bcdf92ff665fb285d6e0067 ] When listen() and accept() are called on an x25 socket that connect() succeeds, accept() succeeds immediately. This is because x25_connect() queues the skb to sk->sk_receive_queue, and x25_accept() dequeues it. This creates a child socket with the sk of the parent x25 socket, which can cause confusion. Fix x25_listen() to return -EINVAL if the socket has already been successfully connect()ed to avoid this issue. Signed-off-by: Hyunwoo Kim Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 72e5a83b7c8401856cc3732150af24e43726717a Author: Mario Limonciello Date: Fri Jan 20 13:15:18 2023 -0600 platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN [ Upstream commit 8e60615e8932167057b363c11a7835da7f007106 ] By default when the system is configured for low power idle in the FADT the keyboard is set up as a wake source. This matches the behavior that Windows uses for Modern Standby as well. It has been reported that a variety of AMD based designs there are spurious wakeups are happening where two IRQ sources are active. For example: ``` PM: Triggering wakeup from IRQ 9 PM: Triggering wakeup from IRQ 1 ``` In these designs IRQ 9 is the ACPI SCI and IRQ 1 is the keyboard. One way to trigger this problem is to suspend the laptop and then unplug the AC adapter. The SOC will be in a hardware sleep state and plugging in the AC adapter returns control to the kernel's s2idle loop. Normally if just IRQ 9 was active the s2idle loop would advance any EC transactions and no other IRQ being active would cause the s2idle loop to put the SOC back into hardware sleep state. When this bug occurred IRQ 1 is also active even if no keyboard activity occurred. This causes the s2idle loop to break and the system to wake. This is a platform firmware bug triggering IRQ1 without keyboard activity. This occurs in Windows as well, but Windows will enter "SW DRIPS" and then with no activity enters back into "HW DRIPS" (hardware sleep state). This issue affects Renoir, Lucienne, Cezanne, and Barcelo platforms. It does not happen on newer systems such as Mendocino or Rembrandt. It's been fixed in newer platform firmware. To avoid triggering the bug on older systems check the SMU F/W version and adjust the policy at suspend time for s2idle wakeup from keyboard on these systems. A lot of thought and experimentation has been given around the timing of disabling IRQ1, and to make it work the "suspend" PM callback is restored. Reported-by: Kai-Heng Feng Reported-by: Xaver Hugl Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2115 Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1951 Signed-off-by: Mario Limonciello Link: https://lore.kernel.org/r/20230120191519.15926-1-mario.limonciello@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 37e9784331f27ddaf3e24aba8c9a163ab7f74ac7 Author: Kevin Kuriakose Date: Thu Jan 19 20:39:25 2023 +0530 platform/x86: gigabyte-wmi: add support for B450M DS3H WIFI-CF [ Upstream commit a410429a3b7e748a9db9f357e71e2e085a21c902 ] To the best of my knowledge this is the same board as the B450M DS3H-CF, but with an added WiFi card. Name obtained using dmidecode, tested with force_load on v6.1.6 Signed-off-by: Kevin Kuriakose Acked-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20230119150925.31962-1-kevinmkuriakose@gmail.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 919ff2c40145be645c41774c48eb0818a2641840 Author: Rishit Bansal Date: Sat Jan 21 03:42:14 2023 +0530 platform/x86: hp-wmi: Handle Omen Key event [ Upstream commit 3ee5447b2048c8389ed899838a40b40180d50906 ] Add support to map the "HP Omen Key" to KEY_PROG2. Laptops in the HP Omen Series open the HP Omen Command Center application on windows. But, on linux it fails with the following message from the hp-wmi driver: [ 5143.415714] hp_wmi: Unknown event_id - 29 - 0x21a5 Also adds support to map Fn+Esc to KEY_FN_ESC. This currently throws the following message on the hp-wmi driver: [ 6082.143785] hp_wmi: Unknown key code - 0x21a7 There is also a "Win-Lock" key on HP Omen Laptops which supports Enabling and Disabling the Windows key, which trigger commands 0x21a4 and 0x121a4 respectively, but I wasn't able to find any KEY in input.h to map this to. Signed-off-by: Rishit Bansal Link: https://lore.kernel.org/r/20230120221214.24426-1-rishitbansal0@gmail.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit eb74184dcc70839d5d0ce5384ccbcc41f0c91db7 Author: Koba Ko Date: Tue Jan 17 20:34:36 2023 +0800 platform/x86: dell-wmi: Add a keymap for KEY_MUTE in type 0x0010 table [ Upstream commit 83bcf3e52e9cfc727df33f1055ef0618c91719d0 ] Some platforms send the speaker-mute key from EC. dell-wmi can't recognize it. Add a new keymap for KEY_MUTE in type 0x0010 table. Signed-off-by: Koba Ko Link: https://lore.kernel.org/r/20230117123436.200440-1-koba.ko@canonical.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 19e2f49914e71be97719978c68b1858bd5c029f6 Author: Nathan Chancellor Date: Fri Jan 20 09:58:27 2023 -0700 x86/build: Move '-mindirect-branch-cs-prefix' out of GCC-only block [ Upstream commit 27b5de622ea3fe0ad5a31a0ebd9f7a0a276932d1 ] LLVM 16 will have support for this flag so move it out of the GCC-only block to allow LLVM builds to take advantage of it. Signed-off-by: Nathan Chancellor Signed-off-by: Ingo Molnar Tested-by: Nick Desaulniers Reviewed-by: Nick Desaulniers Acked-by: Peter Zijlstra (Intel) Link: https://github.com/ClangBuiltLinux/linux/issues/1665 Link: https://github.com/llvm/llvm-project/commit/6f867f9102838ebe314c1f3661fdf95700386e5a Link: https://lore.kernel.org/r/20230120165826.2469302-1-nathan@kernel.org Signed-off-by: Sasha Levin commit 40971f2e525e683cb55429b0afaf39b473148b12 Author: Andreas Gruenbacher Date: Thu Jan 19 20:14:42 2023 +0100 Revert "gfs2: stop using generic_writepages in gfs2_ail1_start_one" [ Upstream commit 95ecbd0f162fc06ef4c4045a66f653f47b62a2d3 ] Commit b2b0a5e97855 switched from generic_writepages() to filemap_fdatawrite_wbc() in gfs2_ail1_start_one() on the path to replacing ->writepage() with ->writepages() and eventually eliminating the former. Function gfs2_ail1_start_one() is called from gfs2_log_flush(), our main function for flushing the filesystem log. Unfortunately, at least as implemented today, ->writepage() and ->writepages() are entirely different operations for journaled data inodes: while the former creates and submits transactions covering the data to be written, the latter flushes dirty buffers out to disk. With gfs2_ail1_start_one() now calling ->writepages(), we end up creating filesystem transactions while we are in the course of a log flush, which immediately deadlocks on the sdp->sd_log_flush_lock semaphore. Work around that by going back to how things used to work before commit b2b0a5e97855 for now; figuring out a superior solution will take time we don't have available right now. However ... Since the removal of generic_writepages() is imminent, open-code it here. We're already inside a blk_start_plug() ... blk_finish_plug() section here, so skip that part of the original generic_writepages(). This reverts commit b2b0a5e978552e348f85ad9c7568b630a5ede659. Signed-off-by: Andreas Gruenbacher Acked-by: Christoph Hellwig Signed-off-by: Sasha Levin commit c671f7aaf2d8114ed2f4162008cf20983a7ca8be Author: Randy Dunlap Date: Thu Jan 12 22:38:05 2023 -0800 i2c: rk3x: fix a bunch of kernel-doc warnings [ Upstream commit 0582d984793d30442da88fe458674502bad1ad29 ] Fix multiple W=1 kernel-doc warnings in i2c-rk3x.c: drivers/i2c/busses/i2c-rk3x.c:83: warning: missing initial short description on line: * struct i2c_spec_values: drivers/i2c/busses/i2c-rk3x.c:139: warning: missing initial short description on line: * struct rk3x_i2c_calced_timings: drivers/i2c/busses/i2c-rk3x.c:162: warning: missing initial short description on line: * struct rk3x_i2c_soc_data: drivers/i2c/busses/i2c-rk3x.c:242: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst * Generate a START condition, which triggers a REG_INT_START interrupt. drivers/i2c/busses/i2c-rk3x.c:261: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst * Generate a STOP condition, which triggers a REG_INT_STOP interrupt. drivers/i2c/busses/i2c-rk3x.c:304: warning: expecting prototype for Setup a read according to i2c(). Prototype was for rk3x_i2c_prepare_read() instead drivers/i2c/busses/i2c-rk3x.c:335: warning: expecting prototype for Fill the transmit buffer with data from i2c(). Prototype was for rk3x_i2c_fill_transmit_buf() instead drivers/i2c/busses/i2c-rk3x.c:535: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst * Get timing values of I2C specification drivers/i2c/busses/i2c-rk3x.c:552: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst * Calculate divider values for desired SCL frequency drivers/i2c/busses/i2c-rk3x.c:713: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst * Calculate timing values for desired SCL frequency drivers/i2c/busses/i2c-rk3x.c:963: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst * Setup I2C registers for an I2C operation specified by msgs, num. Signed-off-by: Randy Dunlap Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 61e43ebfd243bcbad11be26bd921723027b77441 Author: Mike Christie Date: Tue Jan 17 13:39:37 2023 -0600 scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress [ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ] If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, userspace could be accessing the host's ipaddress attr. If we then free the session via iscsi_session_teardown() while userspace is still accessing the session we will hit a use after free bug. Set the tcp_sw_host->session after we have completed session creation and can no longer fail. Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com Signed-off-by: Mike Christie Reviewed-by: Lee Duncan Acked-by: Ding Hui Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8859687f5b242c0b057461df0a9ff51d5500783b Author: Mike Christie Date: Tue Jan 17 13:39:36 2023 -0600 scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress [ Upstream commit 6f1d64b13097e85abda0f91b5638000afc5f9a06 ] Bug report and analysis from Ding Hui. During iSCSI session logout, if another task accesses the shost ipaddress attr, we can get a KASAN UAF report like this: [ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0 [ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088 [ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3 [ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [ 276.944470] Call Trace: [ 276.944943] [ 276.945397] dump_stack_lvl+0x34/0x48 [ 276.945887] print_address_description.constprop.0+0x86/0x1e7 [ 276.946421] print_report+0x36/0x4f [ 276.947358] kasan_report+0xad/0x130 [ 276.948234] kasan_check_range+0x35/0x1c0 [ 276.948674] _raw_spin_lock_bh+0x78/0xe0 [ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp] [ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi] [ 276.952185] dev_attr_show+0x3f/0x80 [ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0 [ 276.953401] seq_read_iter+0x402/0x1020 [ 276.954260] vfs_read+0x532/0x7b0 [ 276.955113] ksys_read+0xed/0x1c0 [ 276.955952] do_syscall_64+0x38/0x90 [ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 276.956769] RIP: 0033:0x7f5d3a679222 [ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 [ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222 [ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003 [ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000 [ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000 [ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58 [ 276.960536] [ 276.961357] Allocated by task 2209: [ 276.961756] kasan_save_stack+0x1e/0x40 [ 276.962170] kasan_set_track+0x21/0x30 [ 276.962557] __kasan_kmalloc+0x7e/0x90 [ 276.962923] __kmalloc+0x5b/0x140 [ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi] [ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi] [ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp] [ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi] [ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi] [ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi] [ 276.965546] netlink_unicast+0x4d5/0x7b0 [ 276.965905] netlink_sendmsg+0x78d/0xc30 [ 276.966236] sock_sendmsg+0xe5/0x120 [ 276.966576] ____sys_sendmsg+0x5fe/0x860 [ 276.966923] ___sys_sendmsg+0xe0/0x170 [ 276.967300] __sys_sendmsg+0xc8/0x170 [ 276.967666] do_syscall_64+0x38/0x90 [ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 276.968773] Freed by task 2209: [ 276.969111] kasan_save_stack+0x1e/0x40 [ 276.969449] kasan_set_track+0x21/0x30 [ 276.969789] kasan_save_free_info+0x2a/0x50 [ 276.970146] __kasan_slab_free+0x106/0x190 [ 276.970470] __kmem_cache_free+0x133/0x270 [ 276.970816] device_release+0x98/0x210 [ 276.971145] kobject_cleanup+0x101/0x360 [ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi] [ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp] [ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi] [ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi] [ 276.972808] netlink_unicast+0x4d5/0x7b0 [ 276.973201] netlink_sendmsg+0x78d/0xc30 [ 276.973544] sock_sendmsg+0xe5/0x120 [ 276.973864] ____sys_sendmsg+0x5fe/0x860 [ 276.974248] ___sys_sendmsg+0xe0/0x170 [ 276.974583] __sys_sendmsg+0xc8/0x170 [ 276.974891] do_syscall_64+0x38/0x90 [ 276.975216] entry_SYSCALL_64_after_hwframe+0x63/0xcd We can easily reproduce by two tasks: 1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done 2. while :; do cat \ /sys/devices/platform/host*/iscsi_host/host*/ipaddress; done iscsid | cat --------------------------------+--------------------------------------- |- iscsi_sw_tcp_session_destroy | |- iscsi_session_teardown | |- device_release | |- iscsi_session_release ||- dev_attr_show |- kfree | |- show_host_param_ | ISCSI_HOST_PARAM_IPADDRESS | |- iscsi_sw_tcp_host_get_param | |- r/w tcp_sw_host->session (UAF) |- iscsi_host_remove | |- iscsi_host_free | Fix the above bug by splitting the session removal into 2 parts: 1. removal from iSCSI class which includes sysfs and removal from host tracking. 2. freeing of session. During iscsi_tcp host and session removal we can remove the session from sysfs then remove the host from sysfs. At this point we know userspace is not accessing the kernel via sysfs so we can free the session and host. Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com Signed-off-by: Mike Christie Reviewed-by: Lee Duncan Acked-by: Ding Hui Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 35e44dc402838a5703307b9d8485031077359cb7 Author: Kan Liang Date: Fri Jan 6 08:04:47 2023 -0800 perf/x86/intel/cstate: Add Emerald Rapids [ Upstream commit 5a8a05f165fb18d37526062419774d9088c2a9b9 ] From the perspective of Intel cstate residency counters, Emerald Rapids is the same as the Sapphire Rapids and Ice Lake. Add Emerald Rapids model. Signed-off-by: Kan Liang Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20230106160449.3566477-2-kan.liang@linux.intel.com Signed-off-by: Sasha Levin commit e095f0d86e3a43d3448768b5dcbd08dbf3d18523 Author: Kan Liang Date: Fri Jan 6 08:04:46 2023 -0800 perf/x86/intel: Add Emerald Rapids [ Upstream commit 6795e558e9cc6123c24e2100a2ebe88e58a792bc ] From core PMU's perspective, Emerald Rapids is the same as the Sapphire Rapids. The only difference is the event list, which will be supported in the perf tool later. Signed-off-by: Kan Liang Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20230106160449.3566477-1-kan.liang@linux.intel.com Signed-off-by: Sasha Levin commit fcf8b1a6d5b86a16b986746ed99a4a7665838af6 Author: Yair Podemsky Date: Tue Jan 10 18:02:06 2023 +0200 x86/aperfmperf: Erase stale arch_freq_scale values when disabling frequency invariance readings [ Upstream commit 5f5cc9ed992cbab6361f198966f0edba5fc52688 ] Once disable_freq_invariance_work is called the scale_freq_tick function will not compute or update the arch_freq_scale values. However the scheduler will still read these values and use them. The result is that the scheduler might perform unfair decisions based on stale values. This patch adds the step of setting the arch_freq_scale values for all cpus to the default (max) value SCHED_CAPACITY_SCALE, Once all cpus have the same arch_freq_scale value the scaling is meaningless. Signed-off-by: Yair Podemsky Signed-off-by: Ingo Molnar Acked-by: Peter Zijlstra Link: https://lore.kernel.org/r/20230110160206.75912-1-ypodemsk@redhat.com Signed-off-by: Sasha Levin commit f6c8f682e588fc6c920049dce1cabd6eff3138f6 Author: Maurizio Lombardi Date: Tue Jan 10 13:53:10 2023 +0100 scsi: target: core: Fix warning on RT kernels [ Upstream commit 84ed64b1a7a7fcd507598dee7708c1f225123711 ] Calling spin_lock_irqsave() does not disable the interrupts on realtime kernels, remove the warning and replace assert_spin_locked() with lockdep_assert_held(). Signed-off-by: Maurizio Lombardi Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20230110125310.55884-1-mlombard@redhat.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit c1435f5a03c8bf74da0644ec3136099dc2ce451c Author: Stefan Wahren Date: Sat Jan 7 13:32:29 2023 +0100 i2c: mxs: suppress probe-deferral error message [ Upstream commit 78a4471fa1a76a8bef4919105de67660a89a1e9b ] During boot of I2SE Duckbill the kernel log contains a confusing error: Failed to request dma This is caused by i2c-mxs tries to request a not yet available DMA channel (-EPROBE_DEFER). So suppress this message by using dev_err_probe(). Signed-off-by: Stefan Wahren Reviewed-by: Fabio Estevam Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 8e9b15ad14843c59951f4c81f5db63f2717d2dc1 Author: Basavaraj Natikar Date: Mon Jan 2 22:39:55 2023 +0530 i2c: designware-pci: Add new PCI IDs for AMD NAVI GPU [ Upstream commit 2ece0930ac5662bccce0ba4c59b84c98d2437200 ] Add additional supported PCI IDs for latest AMD NAVI GPU card which has an integrated Type-C controller and designware I2C with PCI interface. Signed-off-by: Basavaraj Natikar Tested-by: Sanath S Reviewed-by: Andy Shevchenko Acked-by: Jarkko Nikula Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 65166bccd0383688524d833ed4c52f64f392be56 Author: Jan Luebbe Date: Tue Jan 31 09:43:23 2023 +0100 kbuild: modinst: Fix build error when CONFIG_MODULE_SIG_KEY is a PKCS#11 URI [ Upstream commit 22e46f6480e83bcf49b6d5e6b66c81872c97a902 ] When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*), signing of modules fails: scripts/sign-file sha256 /.../linux/pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 /.../kernel/crypto/tcrypt.ko Usage: scripts/sign-file [-dp] [] scripts/sign-file -s [] First, we need to avoid adding the $(srctree)/ prefix to the URL. Second, since the kconfig string values no longer include quotes, we need to add them again when passing a PKCS#11 URI to sign-file. This avoids splitting by the shell if the URI contains semicolons. Fixes: 4db9c2e3d055 ("kbuild: stop using config_filename in scripts/Makefile.modsign") Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf") Signed-off-by: Jan Luebbe Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 10282d9daaf74f614b2ecbb71ad8b0a6c38bdf66 Author: Jan Luebbe Date: Tue Jan 31 09:43:22 2023 +0100 certs: Fix build error when PKCS#11 URI contains semicolon [ Upstream commit b1c3d2beed8ef3699fab106340e33a79052df116 ] When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a semicolon, signing_key.x509 fails to build: certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 Usage: extract-cert Add quotes to the extract-cert argument to avoid splitting by the shell. This approach was suggested by Masahiro Yamada . Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf") Signed-off-by: Jan Luebbe Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 71ebd83f320e6df9f4d1513e4998752756a2f917 Author: Arnd Bergmann Date: Tue Jan 17 18:24:44 2023 +0100 rtc: sunplus: fix format string for printing resource [ Upstream commit 08279468a294d8c996a657ecc9e51bd5c084c75d ] On 32-bit architectures with 64-bit resource_size_t, sp_rtc_probe() causes a compiler warning: drivers/rtc/rtc-sunplus.c: In function 'sp_rtc_probe': drivers/rtc/rtc-sunplus.c:243:33: error: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=] 243 | dev_dbg(&plat_dev->dev, "res = 0x%x, reg_base = 0x%lx\n", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The best way to print a resource is the special %pR format string, and similarly to print a pointer we can use %p and avoid the cast. Fixes: fad6cbe9b2b4 ("rtc: Add driver for RTC in Sunplus SP7021") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20230117172450.2938962-1-arnd@kernel.org Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit a2e6a9ff89f13666a1c3ff7195612ab949ea9afc Author: Anton Gusev Date: Fri Feb 3 16:22:13 2023 +0300 efi: fix potential NULL deref in efi_mem_reserve_persistent [ Upstream commit 966d47e1f27c45507c5df82b2a2157e5a4fd3909 ] When iterating on a linked list, a result of memremap is dereferenced without checking it for NULL. This patch adds a check that falls back on allocating a new page in case memremap doesn't succeed. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 18df7577adae ("efi/memreserve: deal with memreserve entries in unmapped memory") Signed-off-by: Anton Gusev [ardb: return -ENOMEM instead of breaking out of the loop] Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 70d40674a549d498bd63d5432acf46205da1534b Author: Fedor Pchelkin Date: Thu Feb 2 00:02:18 2023 +0300 net: openvswitch: fix flow memory leak in ovs_flow_cmd_new [ Upstream commit 0c598aed445eb45b0ee7ba405f7ece99ee349c30 ] Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is not freed when an allocation of a key fails. BUG: memory leak unreferenced object 0xffff888116668000 (size 632): comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline] [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77 [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957 [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739 [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800 [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515 [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339 [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934 [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline] [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671 [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356 [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410 [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 [<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 To fix this the patch rearranges the goto labels to reflect the order of object allocations and adds appropriate goto statements on the error paths. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 68bb10101e6b ("openvswitch: Fix flow lookup to use unmasked key") Signed-off-by: Fedor Pchelkin Signed-off-by: Alexey Khoroshilov Acked-by: Eelco Chaudron Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20230201210218.361970-1-pchelkin@ispras.ru Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2c036e21c2b63ef0071320f766eb66f6cd68d8b8 Author: Parav Pandit Date: Thu Feb 2 18:35:16 2023 +0200 virtio-net: Keep stop() to follow mirror sequence of open() [ Upstream commit 63b114042d8a9c02d9939889177c36dbdb17a588 ] Cited commit in fixes tag frees rxq xdp info while RQ NAPI is still enabled and packet processing may be ongoing. Follow the mirror sequence of open() in the stop() callback. This ensures that when rxq info is unregistered, no rx packet processing is ongoing. Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info") Acked-by: Michael S. Tsirkin Reviewed-by: Jiri Pirko Signed-off-by: Parav Pandit Link: https://lore.kernel.org/r/20230202163516.12559-1-parav@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 462a2c1bdf1a4aca49b06be89671493f3bc7a01d Author: Andrei Gherzan Date: Wed Feb 1 00:16:16 2023 +0000 selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking [ Upstream commit 329c9cd769c2e306957df031efff656c40922c76 ] The test tool can check that the zerocopy number of completions value is valid taking into consideration the number of datagram send calls. This can catch the system into a state where the datagrams are still in the system (for example in a qdisk, waiting for the network interface to return a completion notification, etc). This change adds a retry logic of computing the number of completions up to a configurable (via CLI) timeout (default: 2 seconds). Fixes: 79ebc3c26010 ("net/udpgso_bench_tx: options to exercise TX CMSG") Signed-off-by: Andrei Gherzan Cc: Willem de Bruijn Cc: Paolo Abeni Reviewed-by: Willem de Bruijn Link: https://lore.kernel.org/r/20230201001612.515730-4-andrei.gherzan@canonical.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 14782ea872e03ae27a0e9ddf76285c422989ca9d Author: Andrei Gherzan Date: Wed Feb 1 00:16:14 2023 +0000 selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs [ Upstream commit dafe93b9ee21028d625dce347118b82659652eff ] "udpgro_bench.sh" invokes udpgso_bench_rx/udpgso_bench_tx programs subsequently and while doing so, there is a chance that the rx one is not ready to accept socket connections. This racing bug could fail the test with at least one of the following: ./udpgso_bench_tx: connect: Connection refused ./udpgso_bench_tx: sendmsg: Connection refused ./udpgso_bench_tx: write: Connection refused This change addresses this by making udpgro_bench.sh wait for the rx program to be ready before firing off the tx one - up to a 10s timeout. Fixes: 3a687bef148d ("selftests: udp gso benchmark") Signed-off-by: Andrei Gherzan Cc: Paolo Abeni Cc: Willem de Bruijn Reviewed-by: Willem de Bruijn Link: https://lore.kernel.org/r/20230201001612.515730-3-andrei.gherzan@canonical.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 430bc0756ae13648bb1d8802a41e9509536e7951 Author: Andrei Gherzan Date: Wed Feb 1 00:16:12 2023 +0000 selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are provided [ Upstream commit db9b47ee9f5f375ab0c5daeb20321c75b4fa657d ] Leaving unrecognized arguments buried in the output, can easily hide a CLI/script typo. Avoid this by exiting when wrong arguments are provided to the udpgso_bench test programs. Fixes: 3a687bef148d ("selftests: udp gso benchmark") Signed-off-by: Andrei Gherzan Cc: Willem de Bruijn Reviewed-by: Willem de Bruijn Link: https://lore.kernel.org/r/20230201001612.515730-2-andrei.gherzan@canonical.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 5bbc22fdbcbc365b731021e4b7f9f6bde85ab2c4 Author: Andrei Gherzan Date: Wed Feb 1 00:16:10 2023 +0000 selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler warning [ Upstream commit c03c80e3a03ffb4f790901d60797e9810539d946 ] This change fixes the following compiler warning: /usr/include/x86_64-linux-gnu/bits/error.h:40:5: warning: ‘gso_size’ may be used uninitialized [-Wmaybe-uninitialized] 40 | __error_noreturn (__status, __errnum, __format, __va_arg_pack ()); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ udpgso_bench_rx.c: In function ‘main’: udpgso_bench_rx.c:253:23: note: ‘gso_size’ was declared here 253 | int ret, len, gso_size, budget = 256; Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO") Signed-off-by: Andrei Gherzan Reviewed-by: Willem de Bruijn Link: https://lore.kernel.org/r/20230201001612.515730-1-andrei.gherzan@canonical.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 3b7fbcf86eee69e8a8402bee2c4d8308f1963da4 Author: Damien Le Moal Date: Mon Jan 30 12:27:41 2023 +0900 ata: libata: Fix sata_down_spd_limit() when no link speed is reported [ Upstream commit 69f2c9346313ba3d3dfa4091ff99df26c67c9021 ] Commit 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if driver has not recorded sstatus speed") changed the behavior of sata_down_spd_limit() to return doing nothing if a drive does not report a current link speed, to avoid reducing the link speed to the lowest 1.5 Gbps speed. However, the change assumed that a speed was recorded before probing (e.g. before a suspend/resume) and set in link->sata_spd. This causes problems with adapters/drives combination failing to establish a link speed during probe autonegotiation. One example reported of this problem is an mvebu adapter with a 3Gbps port-multiplier box: autonegotiation fails, leaving no recorded link speed and no reported current link speed. Probe retries also fail as no action is taken by sata_set_spd() after each retry. Fix this by returning early in sata_down_spd_limit() only if we do have a recorded link speed, that is, if link->sata_spd is not 0. With this fix, a failed probe not leading to a recorded link speed is retried at the lower 1.5 Gbps speed, with the link speed potentially increased later on the second revalidate of the device if the device reports that it supports higher link speeds. Reported-by: Marius Dinu Fixes: 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if driver has not recorded sstatus speed") Reviewed-by: Niklas Cassel Tested-by: Marius Dinu Signed-off-by: Damien Le Moal Signed-off-by: Sasha Levin commit 6366671954f062c99d4c30052b0f2dbe337a1268 Author: Marc Kleine-Budde Date: Mon Jan 23 09:03:42 2023 +0100 can: mcp251xfd: mcp251xfd_ring_set_ringparam(): assign missing tx_obj_num_coalesce_irq [ Upstream commit 1613fff7a32e1d9e2ac09db73feba0e71a188445 ] If the a new ring layout is set, the max coalesced frames for RX and TX are re-calculated, too. Add the missing assignment of the newly calculated TX max coalesced frames. Fixes: 656fc12ddaf8 ("can: mcp251xfd: add TX IRQ coalescing ethtool support") Link: https://lore.kernel.org/all/20230130154334.1578518-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit c3033f91ebd6587b42a6ab44cce0c323cd23641a Author: Oliver Hartkopp Date: Tue Jan 31 11:56:13 2023 +0100 can: raw: fix CAN FD frame transmissions over CAN XL devices [ Upstream commit 3793301cbaa4a62d83e21f685307da7671f812ab ] A CAN XL device is always capable to process CAN FD frames. The former check when sending CAN FD frames relied on the existence of a CAN FD device and did not check for a CAN XL device that would be correct too. With this patch the CAN FD feature is enabled automatically when CAN XL is switched on - and CAN FD cannot be switch off while CAN XL is enabled. This precondition also leads to a clean up and reduction of checks in the hot path in raw_rcv() and raw_sendmsg(). Some conditions are reordered to handle simple checks first. changes since v1: https://lore.kernel.org/all/20230131091012.50553-1-socketcan@hartkopp.net - fixed typo: devive -> device changes since v2: https://lore.kernel.org/all/20230131091824.51026-1-socketcan@hartkopp.net/ - reorder checks in if statements to handle simple checks first Fixes: 626332696d75 ("can: raw: add CAN XL support") Signed-off-by: Oliver Hartkopp Link: https://lore.kernel.org/all/20230131105613.55228-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 1740a1e45eee65099a92fb502e1e67e63aad277d Author: Ziyang Xuan Date: Mon Sep 6 17:42:00 2021 +0800 can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate [ Upstream commit d0553680f94c49bbe0e39eb50d033ba563b4212d ] The conclusion "j1939_session_deactivate() should be called with a session ref-count of at least 2" is incorrect. In some concurrent scenarios, j1939_session_deactivate can be called with the session ref-count less than 2. But there is not any problem because it will check the session active state before session putting in j1939_session_deactivate_locked(). Here is the concurrent scenario of the problem reported by syzbot and my reproduction log. cpu0 cpu1 j1939_xtp_rx_eoma j1939_xtp_rx_abort_one j1939_session_get_by_addr [kref == 2] j1939_session_get_by_addr [kref == 3] j1939_session_deactivate [kref == 2] j1939_session_put [kref == 1] j1939_session_completed j1939_session_deactivate WARN_ON_ONCE(kref < 2) ===================================================== WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70 CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 RIP: 0010:j1939_session_deactivate+0x5f/0x70 Call Trace: j1939_session_deactivate_activate_next+0x11/0x28 j1939_xtp_rx_eoma+0x12a/0x180 j1939_tp_recv+0x4a2/0x510 j1939_can_recv+0x226/0x380 can_rcv_filter+0xf8/0x220 can_receive+0x102/0x220 ? process_backlog+0xf0/0x2c0 can_rcv+0x53/0xf0 __netif_receive_skb_one_core+0x67/0x90 ? process_backlog+0x97/0x2c0 __netif_receive_skb+0x22/0x80 Fixes: 0c71437dd50d ("can: j1939: j1939_session_deactivate(): clarify lifetime of session object") Reported-by: syzbot+9981a614060dcee6eeca@syzkaller.appspotmail.com Signed-off-by: Ziyang Xuan Acked-by: Oleksij Rempel Link: https://lore.kernel.org/all/20210906094200.95868-1-william.xuanziyang@huawei.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 0cb094179aa8895e8f6fd9975e0beb3b746bd75a Author: Ratheesh Kannoth Date: Tue Jan 31 11:46:59 2023 +0530 octeontx2-af: Fix devlink unregister [ Upstream commit 917d5e04d4dd2bbbf36fc6976ba442e284ccc42d ] Exact match feature is only available in CN10K-B. Unregister exact match devlink entry only for this silicon variant. Fixes: 87e4ea29b030 ("octeontx2-af: Debugsfs support for exact match.") Signed-off-by: Ratheesh Kannoth Reviewed-by: Leon Romanovsky Link: https://lore.kernel.org/r/20230131061659.1025137-1-rkannoth@marvell.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit adf848eab2d49f087e0233448c3db4ee8a3cb701 Author: Tom Rix Date: Tue Jan 31 13:54:37 2023 -0800 igc: return an error if the mac type is unknown in igc_ptp_systim_to_hwtstamp() [ Upstream commit a2df8463e15c10a8a882090f3d7a760fdb7b189d ] clang static analysis reports drivers/net/ethernet/intel/igc/igc_ptp.c:673:3: warning: The left operand of '+' is a garbage value [core.UndefinedBinaryOperatorResult] ktime_add_ns(shhwtstamps.hwtstamp, adjust); ^ ~~~~~~~~~~~~~~~~~~~~ igc_ptp_systim_to_hwtstamp() silently returns without setting the hwtstamp if the mac type is unknown. This should be treated as an error. Fixes: 81b055205e8b ("igc: Add support for RX timestamping") Signed-off-by: Tom Rix Reviewed-by: Simon Horman Acked-by: Sasha Neftin Tested-by: Naama Meir Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20230131215437.1528994-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 12316538b1d193064109ce1a28fc9bacd43950de Author: Guo Ren Date: Tue Jan 31 23:06:04 2023 -0500 riscv: kprobe: Fixup kernel panic when probing an illegal position [ Upstream commit 87f48c7ccc73afc78630530d9af51f458f58cab8 ] The kernel would panic when probed for an illegal position. eg: (CONFIG_RISCV_ISA_C=n) echo 'p:hello kernel_clone+0x16 a0=%a0' >> kprobe_events echo 1 > events/kprobes/hello/enable cat trace Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 CPU: 0 PID: 111 Comm: sh Not tainted 6.2.0-rc1-00027-g2d398fe49a4d #490 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x38/0x48 [] show_stack+0x50/0x68 [] dump_stack_lvl+0x60/0x84 [] dump_stack+0x20/0x30 [] panic+0x160/0x374 [] generic_handle_arch_irq+0x0/0xa8 [] sys_newstat+0x0/0x30 [] sys_clone+0x20/0x30 [] ret_from_syscall+0x0/0x4 ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 ]--- That is because the kprobe's ebreak instruction broke the kernel's original code. The user should guarantee the correction of the probe position, but it couldn't make the kernel panic. This patch adds arch_check_kprobe in arch_prepare_kprobe to prevent an illegal position (Such as the middle of an instruction). Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported") Signed-off-by: Guo Ren Signed-off-by: Guo Ren Reviewed-by: Björn Töpel Link: https://lore.kernel.org/r/20230201040604.3390509-1-guoren@kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 848b6074654e88a543945f258c248bd538c9b5b7 Author: Thomas Winter Date: Tue Jan 31 16:46:46 2023 +1300 ip/ip6_gre: Fix non-point-to-point tunnel not generating IPv6 link local address [ Upstream commit 30e2291f61f93f7132c060190f8360df52644ec1 ] We recently found that our non-point-to-point tunnels were not generating any IPv6 link local address and instead generating an IPv6 compat address, breaking IPv6 communication on the tunnel. Previously, addrconf_gre_config always would call addrconf_addr_gen and generate a EUI64 link local address for the tunnel. Then commit e5dd729460ca changed the code path so that add_v4_addrs is called but this only generates a compat IPv6 address for non-point-to-point tunnels. I assume the compat address is specifically for SIT tunnels so have kept that only for SIT - GRE tunnels now always generate link local addresses. Fixes: e5dd729460ca ("ip/ip6_gre: use the same logic as SIT interfaces when computing v6LL address") Signed-off-by: Thomas Winter Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit abac37d8f90c7f1427e0890c5dc97cb62a1ef212 Author: Thomas Winter Date: Tue Jan 31 16:46:45 2023 +1300 ip/ip6_gre: Fix changing addr gen mode not generating IPv6 link local address [ Upstream commit 23ca0c2c93406bdb1150659e720bda1cec1fad04 ] For our point-to-point GRE tunnels, they have IN6_ADDR_GEN_MODE_NONE when they are created then we set IN6_ADDR_GEN_MODE_EUI64 when they come up to generate the IPv6 link local address for the interface. Recently we found that they were no longer generating IPv6 addresses. This issue would also have affected SIT tunnels. Commit e5dd729460ca changed the code path so that GRE tunnels generate an IPv6 address based on the tunnel source address. It also changed the code path so GRE tunnels don't call addrconf_addr_gen in addrconf_dev_config which is called by addrconf_sysctl_addr_gen_mode when the IN6_ADDR_GEN_MODE is changed. This patch aims to fix this issue by moving the code in addrconf_notify which calls the addr gen for GRE and SIT into a separate function and calling it in the places that expect the IPv6 address to be generated. The previous addrconf_dev_config is renamed to addrconf_eth_config since it only expected eth type interfaces and follows the addrconf_gre/sit_config format. A part of this changes means that the loopback address will be attempted to be configured when changing addr_gen_mode for lo. This should not be a problem because the address should exist anyway and if does already exist then no error is produced. Fixes: e5dd729460ca ("ip/ip6_gre: use the same logic as SIT interfaces when computing v6LL address") Signed-off-by: Thomas Winter Reviewed-by: David Ahern Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e2d967b42a71f8fea69fbda8cd456cb146eaab19 Author: Stephen Boyd Date: Thu Jan 5 19:01:08 2023 -0800 drm/panel: boe-tv101wum-nl6: Ensure DSI writes succeed during disable [ Upstream commit a3ee9e0b57f8ecca02d1c16fad4941e09bfe2941 ] The unprepare sequence has started to fail after moving to panel bridge code in the msm drm driver (commit 007ac0262b0d ("drm/msm/dsi: switch to DRM_PANEL_BRIDGE")). You'll see messages like this in the kernel logs: panel-boe-tv101wum-nl6 ae94000.dsi.0: failed to set panel off: -22 This is because boe_panel_enter_sleep_mode() needs an operating DSI link to set the panel into sleep mode. Performing those writes in the unprepare phase of bridge ops is too late, because the link has already been torn down by the DSI controller in post_disable, i.e. the PHY has been disabled, etc. See dsi_mgr_bridge_post_disable() for more details on the DSI . Split the unprepare function into a disable part and an unprepare part. For now, just the DSI writes to enter sleep mode are put in the disable function. This fixes the panel off routine and keeps the panel happy. My Wormdingler has an integrated touchscreen that stops responding to touch if the panel is only half disabled too. This patch fixes it. And finally, this saves power when the screen is off because without this fix the regulators for the panel are left enabled when nothing is being displayed on the screen. Fixes: 007ac0262b0d ("drm/msm/dsi: switch to DRM_PANEL_BRIDGE") Fixes: a869b9db7adf ("drm/panel: support for boe tv101wum-nl6 wuxga dsi video mode panel") Cc: yangcong Cc: Douglas Anderson Cc: Jitao Shi Cc: Sam Ravnborg Cc: Rob Clark Cc: Dmitry Baryshkov Signed-off-by: Stephen Boyd Reviewed-by: Douglas Anderson Signed-off-by: Douglas Anderson Link: https://patchwork.freedesktop.org/patch/msgid/20230106030108.2542081-1-swboyd@chromium.org (cherry picked from commit c913cd5489930abbb557ef144a333846286754c3) Signed-off-by: Thomas Zimmermann Signed-off-by: Sasha Levin commit 11ee5d6308279b8cd22b53201718b36b1f9e03b0 Author: Chris Healy Date: Mon Jan 30 15:14:02 2023 -0800 net: phy: meson-gxl: Add generic dummy stubs for MMD register access [ Upstream commit afc2336f89dc0fc0ef25b92366814524b0fd90fb ] The Meson G12A Internal PHY does not support standard IEEE MMD extended register access, therefore add generic dummy stubs to fail the read and write MMD calls. This is necessary to prevent the core PHY code from erroneously believing that EEE is supported by this PHY even though this PHY does not support EEE, as MMD register access returns all FFFFs. Fixes: 5c3407abb338 ("net: phy: meson-gxl: add g12a support") Reviewed-by: Heiner Kallweit Signed-off-by: Chris Healy Reviewed-by: Jerome Brunet Link: https://lore.kernel.org/r/20230130231402.471493-1-cphealy@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 0cfe084e1530513b89c21bf858154a73a7ffc5e6 Author: Xin Long Date: Mon Jan 30 11:25:33 2023 -0500 sctp: do not check hb_timer.expires when resetting hb_timer [ Upstream commit 8f35ae17ef565a605de5f409e04bcd49a55d7646 ] It tries to avoid the frequently hb_timer refresh in commit ba6f5e33bdbb ("sctp: avoid refreshing heartbeat timer too often"), and it only allows mod_timer when the new expires is after hb_timer.expires. It means even a much shorter interval for hb timer gets applied, it will have to wait until the current hb timer to time out. In sctp_do_8_2_transport_strike(), when a transport enters PF state, it expects to update the hb timer to resend a heartbeat every rto after calling sctp_transport_reset_hb_timer(), which will not work as the change mentioned above. The frequently hb_timer refresh was caused by sctp_transport_reset_timers() called in sctp_outq_flush() and it was already removed in the commit above. So we don't have to check hb_timer.expires when resetting hb_timer as it is now not called very often. Fixes: ba6f5e33bdbb ("sctp: avoid refreshing heartbeat timer too often") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Link: https://lore.kernel.org/r/d958c06985713ec84049a2d5664879802710179a.1675095933.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e0514483fa88f4e4960a080ad0613c1503386f34 Author: Wei Yang Date: Sat Nov 12 23:43:08 2022 +0000 maple_tree: should get pivots boundary by type [ Upstream commit ab6ef70a8b0d314c2160af70b0de984664d675e0 ] We should get pivots boundary by type. Fixes a potential overindexing of mt_pivots[]. Link: https://lkml.kernel.org/r/20221112234308.23823-1-richard.weiyang@gmail.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Wei Yang Reviewed-by: Liam R. Howlett Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 29e774dcb27116c06b9c57b1f1f14a1623738989 Author: Fedor Pchelkin Date: Tue Jan 17 13:52:26 2023 +0300 squashfs: harden sanity check in squashfs_read_xattr_id_table [ Upstream commit 72e544b1b28325fe78a4687b980871a7e4101f76 ] While mounting a corrupted filesystem, a signed integer '*xattr_ids' can become less than zero. This leads to the incorrect computation of 'len' and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor() or out-of-bounds accesses in the next sanity checks inside squashfs_read_xattr_id_table(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Link: https://lkml.kernel.org/r/20230117105226.329303-2-pchelkin@ispras.ru Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") Reported-by: Signed-off-by: Fedor Pchelkin Signed-off-by: Alexey Khoroshilov Cc: Phillip Lougher Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 14f56034ec4eaec33563fb4c704ee6ce764a6d18 Author: Brendan Higgins Date: Tue Jan 31 10:35:03 2023 +0800 kunit: fix kunit_test_init_section_suites(...) [ Upstream commit 254c71374a70051a043676b67ba4f7ad392b5fe6 ] Looks like kunit_test_init_section_suites(...) was messed up in a merge conflict. This fixes it. kunit_test_init_section_suites(...) was not updated to avoid the extra level of indirection when .kunit_test_suites was flattened. Given no-one was actively using it, this went unnoticed for a long period of time. Fixes: e5857d396f35 ("kunit: flatten kunit_suite*** to kunit_suite** in .kunit_test_suites") Signed-off-by: Brendan Higgins Signed-off-by: David Gow Tested-by: Martin Fernandez Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit ee1e3fe4b4579f856997190a00ea4db0307b4332 Author: Liu Xiaodong Date: Tue Jan 31 02:05:52 2023 -0500 block: ublk: extending queue_size to fix overflow [ Upstream commit 29baef789c838bd5c02f50c88adbbc6b955aaf61 ] When validating drafted SPDK ublk target, in a case that assigning large queue depth to multiqueue ublk device, ublk target would run into a weird incorrect state. During rounds of review and debug, An overflow bug was found in ublk driver. In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means each ublk queue depth can be set as large as 4096. But when setting qd for a ublk device, sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io) will be larger than 65535 if qd is larger than 2728. Then queue_size is overflowed, and ublk_get_queue() references a wrong pointer position. The wrong content of ublk_queue elements will lead to out-of-bounds memory access. Extend queue_size in ublk_device as "unsigned int". Signed-off-by: Liu Xiaodong Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20230131070552.115067-1-xiaodong.liu@intel.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit a1512f11ec02458c0986f169f29c90a92c150cc4 Author: Florian Westphal Date: Mon Jan 30 11:39:29 2023 +0100 netfilter: br_netfilter: disable sabotage_in hook after first suppression [ Upstream commit 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba ] When using a xfrm interface in a bridged setup (the outgoing device is bridged), the incoming packets in the xfrm interface are only tracked in the outgoing direction. $ brctl show bridge name interfaces br_eth1 eth1 $ conntrack -L tcp 115 SYN_SENT src=192... dst=192... [UNREPLIED] ... If br_netfilter is enabled, the first (encrypted) packet is received onR eth1, conntrack hooks are called from br_netfilter emulation which allocates nf_bridge info for this skb. If the packet is for local machine, skb gets passed up the ip stack. The skb passes through ip prerouting a second time. br_netfilter ip_sabotage_in supresses the re-invocation of the hooks. After this, skb gets decrypted in xfrm layer and appears in network stack a second time (after decryption). Then, ip_sabotage_in is called again and suppresses netfilter hook invocation, even though the bridge layer never called them for the plaintext incarnation of the packet. Free the bridge info after the first suppression to avoid this. I was unable to figure out where the regression comes from, as far as i can see br_netfilter always had this problem; i did not expect that skb is looped again with different headers. Fixes: c4b0e771f906 ("netfilter: avoid using skb->nf_bridge directly") Reported-and-tested-by: Wolfgang Nothdurft Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 3214b04de31ba505678a93ead796472704fed747 Author: Takashi Sakamoto Date: Mon Jan 30 23:15:40 2023 +0900 ALSA: firewire-motu: fix unreleased lock warning in hwdep device [ Upstream commit c7a806d9ce6757ff56078674916e53bd859f242d ] Smatch static analysis tool detects that acquired lock is not released in hwdep device when condition branch is passed due to no event. It is unlikely to occur, while fulfilling is preferable for better coding. Reported-by: Dan Carpenter Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20230130141540.102854-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 37c0cdf7e4919e5f76381ac60817b67bcbdacb50 Author: Pietro Borrello Date: Sat Jan 28 16:29:17 2023 +0000 net/tls: tls_is_tx_ready() checked list_entry [ Upstream commit ffe2a22562444720b05bdfeb999c03e810d84cbb ] tls_is_tx_ready() checks that list_first_entry() does not return NULL. This condition can never happen. For empty lists, list_first_entry() returns the list_entry() of the head, which is a type confusion. Use list_first_entry_or_null() which returns NULL in case of empty lists. Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") Signed-off-by: Pietro Borrello Link: https://lore.kernel.org/r/20230128-list-entry-null-check-tls-v1-1-525bbfe6f0d0@diag.uniroma1.it Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 7a435fe0b6bbf4ab5ede23e25658f3735caa2a65 Author: Chaitanya Kumar Borah Date: Thu Jan 12 15:11:31 2023 +0530 drm/i915/adlp: Fix typo for reference clock [ Upstream commit 47a2bd9d985bfdb55900f313603619fc9234f317 ] Fix typo for reference clock from 24400 to 24000. Bspec: 55409 Fixes: 626426ff9ce4 ("drm/i915/adl_p: Add cdclk support for ADL-P") Reviewed-by: Matt Roper Signed-off-by: Chaitanya Kumar Borah Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20230112094131.550252-1-chaitanya.kumar.borah@intel.com (cherry picked from commit 2b6f7e39ccae065abfbe3b6e562ec95ccad09f1e) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit 04dcff26490cc8dedbfcf44cfb3e3e7a08622fd0 Author: John Harrison Date: Thu Jan 26 16:28:37 2023 -0800 drm/i915: Fix up locking around dumping requests lists [ Upstream commit 5bc4b43d5c6c9692ddc7b96116650cdf9406f3da ] The debugfs dump of requests was confused about what state requires the execlist lock versus the GuC lock. There was also a bunch of duplicated messy code between it and the error capture code. So refactor the hung request search into a re-usable function. And reduce the span of the execlist state lock to only the execlist specific code paths. In order to do that, also move the report of hold count (which is an execlist only concept) from the top level dump function to the lower level execlist specific function. Also, move the execlist specific code into the execlist source file. v2: Rename some functions and move to more appropriate files (Daniele). v3: Rename new execlist dump function (Daniele) Fixes: dc0dad365c5e ("drm/i915/guc: Fix for error capture after full GPU reset with GuC") Signed-off-by: John Harrison Reviewed-by: Daniele Ceraolo Spurio Acked-by: Tvrtko Ursulin Cc: Matthew Brost Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: Matt Roper Cc: Umesh Nerlige Ramappa Cc: Michael Cheng Cc: Lucas De Marchi Cc: Bruce Chang Cc: Alan Previn Cc: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20230127002842.3169194-4-John.C.Harrison@Intel.com (cherry picked from commit a4be3dca53172d9d2091e4b474fb795c81ed3d6c) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit 9467397f417dd7b5d0db91452f0474e79716a527 Author: John Harrison Date: Thu Jan 26 16:28:36 2023 -0800 drm/i915: Fix request ref counting during error capture & debugfs dump [ Upstream commit 86d8ddc74124c3fdfc139f246ba6da15e45e86e3 ] When GuC support was added to error capture, the reference counting around the request object was broken. Fix it up. The context based search manages the spinlocking around the search internally. So it needs to grab the reference count internally as well. The execlist only request based search relies on external locking, so it needs an external reference count but within the spinlock not outside it. The only other caller of the context based search is the code for dumping engine state to debugfs. That code wasn't previously getting an explicit reference at all as it does everything while holding the execlist specific spinlock. So, that needs updaing as well as that spinlock doesn't help when using GuC submission. Rather than trying to conditionally get/put depending on submission model, just change it to always do the get/put. v2: Explicitly document adding an extra blank line in some dense code (Andy Shevchenko). Fix multiple potential null pointer derefs in case of no request found (some spotted by Tvrtko, but there was more!). Also fix a leaked request in case of !started and another in __guc_reset_context now that intel_context_find_active_request is actually reference counting the returned request. v3: Add a _get suffix to intel_context_find_active_request now that it grabs a reference (Daniele). v4: Split the intel_guc_find_hung_context change to a separate patch and rename intel_context_find_active_request_get to intel_context_get_active_request (Tvrtko). v5: s/locking/reference counting/ in commit message (Tvrtko) Fixes: dc0dad365c5e ("drm/i915/guc: Fix for error capture after full GPU reset with GuC") Fixes: 573ba126aef3 ("drm/i915/guc: Capture error state on context reset") Signed-off-by: John Harrison Reviewed-by: Daniele Ceraolo Spurio Acked-by: Tvrtko Ursulin Cc: Matthew Brost Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: Andrzej Hajda Cc: Matthew Auld Cc: Matt Roper Cc: Umesh Nerlige Ramappa Cc: Michael Cheng Cc: Lucas De Marchi Cc: Tejas Upadhyay Cc: Andy Shevchenko Cc: Aravind Iddamsetty Cc: Alan Previn Cc: Bruce Chang Link: https://patchwork.freedesktop.org/patch/msgid/20230127002842.3169194-3-John.C.Harrison@Intel.com (cherry picked from commit 3700e353781e27f1bc7222f51f2cc36cbeb9b4ec) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit de997938a7a5da3cb3bd3b914456656963ca1d1c Author: John Harrison Date: Thu Jan 26 16:28:35 2023 -0800 drm/i915/guc: Fix locking when searching for a hung request [ Upstream commit 87b04e53daf806945c415e94de9f90943d434aed ] intel_guc_find_hung_context() was not acquiring the correct spinlock before searching the request list. So fix that up. While at it, add some extra whitespace padding for readability. Fixes: dc0dad365c5e ("drm/i915/guc: Fix for error capture after full GPU reset with GuC") Signed-off-by: John Harrison Reviewed-by: Daniele Ceraolo Spurio Acked-by: Tvrtko Ursulin Cc: Matthew Brost Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: Matt Roper Cc: Umesh Nerlige Ramappa Cc: Michael Cheng Cc: Lucas De Marchi Cc: Tejas Upadhyay Cc: Chris Wilson Cc: Bruce Chang Cc: Alan Previn Cc: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20230127002842.3169194-2-John.C.Harrison@Intel.com (cherry picked from commit d1c3717501bcf56536e8b8c1bdaf5cd5357f6bb2) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit e7cdec97ebebf70c4574edef8343ac22e02b03a6 Author: Hans de Goede Date: Sat Jan 28 00:57:23 2023 +0100 platform/x86: thinkpad_acpi: Fix thinklight LED brightness returning 255 [ Upstream commit eebf82012dddbdcb09e4e49d3cdfafb93bc66eb2 ] Reading the thinklight LED brightnes while the LED is on returns 255 (LED_FULL) but we advertise a max_brightness of 1, so this should be 1 (LED_ON). Fixes: db5e2a4ca0a7 ("platform/x86: thinkpad_acpi: Fix max_brightness of thinklight") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230127235723.412864-1-hdegoede@redhat.com Signed-off-by: Sasha Levin commit 21745fbfe7600881ddcefe270d4659f56ac54133 Author: Hans de Goede Date: Mon Jan 30 14:25:54 2023 +0100 platform/x86/amd/pmf: Ensure mutexes are initialized before use [ Upstream commit e0c40529ff942a985eb0f3dacf18d35ee4dbb03d ] As soon as the first handler or sysfs file is registered the mutex may get used. Move the initialization to before any handler registration / sysfs file creation. Likewise move the destruction of the mutex to after all the de-initialization is done. Fixes: da5ce22df5fe ("platform/x86/amd/pmf: Add support for PMF core layer") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230130132554.696025-1-hdegoede@redhat.com Signed-off-by: Sasha Levin commit 7f7f441347b49b3df569f1fd942f2d43aa4aa2b9 Author: Shyam Sundar S K Date: Wed Jan 25 15:29:36 2023 +0530 platform/x86/amd/pmf: Fix to update SPS thermals when power supply change [ Upstream commit f21bf62290dd4d769594dcf0e6a688783d74f6a0 ] Every power mode of static power slider has its own AC and DC power settings. When the power source changes from AC to DC, corresponding DC thermals were not updated from PMF config store and this leads the system to always run on AC power settings. Fix it by registering with power_supply notifier and apply DC settings upon getting notified by the power_supply handler. Fixes: da5ce22df5fe ("platform/x86/amd/pmf: Add support for PMF core layer") Suggested-by: Patil Rajesh Reddy Signed-off-by: Shyam Sundar S K Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20230125095936.3292883-6-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit dadc3820a3d98105360477949bd3be94b7d6a3af Author: Shyam Sundar S K Date: Wed Jan 25 15:29:33 2023 +0530 platform/x86/amd/pmf: Add helper routine to check pprof is balanced [ Upstream commit 16909aa8c9cc284085f1202c6403ecb9814af812 ] Add helper routine to check if the current platform profile is balanced mode and remove duplicate code occurrences. Signed-off-by: Shyam Sundar S K Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20230125095936.3292883-3-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Stable-dep-of: f21bf62290dd ("platform/x86/amd/pmf: Fix to update SPS thermals when power supply change") Signed-off-by: Sasha Levin commit 1db1edddb8731defcd7df55470d4cd51abbee4d7 Author: Shyam Sundar S K Date: Wed Jan 25 15:29:35 2023 +0530 platform/x86/amd/pmf: Fix to update SPS default pprof thermals [ Upstream commit 635f79bc73cf3d40c4198a20b3a0e7016dd6f0d3 ] By design PMF static slider will be set to BALANCED during init, but updating to corresponding thermal values from the PMF config store was missed, leading to improper settings getting propagated to PMFW. Fixes: 4c71ae414474 ("platform/x86/amd/pmf: Add support SPS PMF feature") Suggested-by: Patil Rajesh Reddy Signed-off-by: Shyam Sundar S K Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20230125095936.3292883-5-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 05484584cadf1d7921ffde6bd3daa709897a7f7b Author: Shyam Sundar S K Date: Wed Jan 25 15:29:32 2023 +0530 platform/x86/amd/pmf: Add helper routine to update SPS thermals [ Upstream commit c5258d39fc4cbed37e20945715e7eb102f26d65b ] Add helper routine to update the static slider information and remove the duplicate code occurrences after this change. Signed-off-by: Shyam Sundar S K Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20230125095936.3292883-2-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Stable-dep-of: 635f79bc73cf ("platform/x86/amd/pmf: Fix to update SPS default pprof thermals") Signed-off-by: Sasha Levin commit bb4a5cef532d6948c34086b588b46f650bc96ead Author: Shyam Sundar S K Date: Wed Jan 25 15:29:34 2023 +0530 platform/x86/amd/pmf: update to auto-mode limits only after AMT event [ Upstream commit 3dfe28c936f87373a2b6ada750be4c52c0f249f3 ] Auto-mode thermal limits should be updated only after receiving the AMT event. But due to a bug in the older commit, these settings were getting applied during the auto-mode init. Fix this by removing amd_pmf_set_automode() during auto-mode initialization. Fixes: 3f5571d99524 ("platform/x86/amd/pmf: Add support for Auto mode feature") Suggested-by: Patil Rajesh Reddy Signed-off-by: Shyam Sundar S K Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20230125095936.3292883-4-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 3be069f42a7b79d3149194f21cdf24bf23864cac Author: Hou Tao Date: Fri Jan 13 19:52:10 2023 +0800 fscache: Use wait_on_bit() to wait for the freeing of relinquished volume [ Upstream commit 8226e37d82f43657da34dd770e2b38f20242ada7 ] The freeing of relinquished volume will wake up the pending volume acquisition by using wake_up_bit(), however it is mismatched with wait_var_event() used in fscache_wait_on_volume_collision() and it will never wake up the waiter in the wait-queue because these two functions operate on different wait-queues. According to the implementation in fscache_wait_on_volume_collision(), if the wake-up of pending acquisition is delayed longer than 20 seconds (e.g., due to the delay of on-demand fd closing), the first wait_var_event_timeout() will timeout and the following wait_var_event() will hang forever as shown below: FS-Cache: Potential volume collision new=00000024 old=00000022 ...... INFO: task mount:1148 blocked for more than 122 seconds. Not tainted 6.1.0-rc6+ #1 task:mount state:D stack:0 pid:1148 ppid:1 Call Trace: __schedule+0x2f6/0xb80 schedule+0x67/0xe0 fscache_wait_on_volume_collision.cold+0x80/0x82 __fscache_acquire_volume+0x40d/0x4e0 erofs_fscache_register_volume+0x51/0xe0 [erofs] erofs_fscache_register_fs+0x19c/0x240 [erofs] erofs_fc_fill_super+0x746/0xaf0 [erofs] vfs_get_super+0x7d/0x100 get_tree_nodev+0x16/0x20 erofs_fc_get_tree+0x20/0x30 [erofs] vfs_get_tree+0x24/0xb0 path_mount+0x2fa/0xa90 do_mount+0x7c/0xa0 __x64_sys_mount+0x8b/0xe0 do_syscall_64+0x30/0x60 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Considering that wake_up_bit() is more selective, so fix it by using wait_on_bit() instead of wait_var_event() to wait for the freeing of relinquished volume. In addition because waitqueue_active() is used in wake_up_bit() and clear_bit() doesn't imply any memory barrier, use clear_and_wake_up_bit() to add the missing memory barrier between cursor->flags and waitqueue_active(). Fixes: 62ab63352350 ("fscache: Implement volume registration") Reviewed-by: Jingbo Xu Signed-off-by: Hou Tao Signed-off-by: David Howells Reviewed-by: Jeff Layton Link: https://lore.kernel.org/r/20230113115211.2895845-2-houtao@huaweicloud.com/ # v3 Signed-off-by: Sasha Levin commit 5c2227f3f17782d5262ee0979ad30609b3e01f6e Author: Hyunwoo Kim Date: Thu Jan 26 18:32:50 2023 -0800 netrom: Fix use-after-free caused by accept on already connected socket [ Upstream commit 611792920925fb088ddccbe2783c7f92fdfb6b64 ] If you call listen() and accept() on an already connect()ed AF_NETROM socket, accept() can successfully connect. This is because when the peer socket sends data to sendmsg, the skb with its own sk stored in the connected socket's sk->sk_receive_queue is connected, and nr_accept() dequeues the skb waiting in the sk->sk_receive_queue. As a result, nr_accept() allocates and returns a sock with the sk of the parent AF_NETROM socket. And here use-after-free can happen through complex race conditions: ``` cpu0 cpu1 1. socket_2 = socket(AF_NETROM) . . listen(socket_2) accepted_socket = accept(socket_2) 2. socket_1 = socket(AF_NETROM) nr_create() // sk refcount : 1 connect(socket_1) 3. write(accepted_socket) nr_sendmsg() nr_output() nr_kick() nr_send_iframe() nr_transmit_buffer() nr_route_frame() nr_loopback_queue() nr_loopback_timer() nr_rx_frame() nr_process_rx_frame(sk, skb); // sk : socket_1's sk nr_state3_machine() nr_queue_rx_frame() sock_queue_rcv_skb() sock_queue_rcv_skb_reason() __sock_queue_rcv_skb() __skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue 4. listen(socket_1) nr_listen() uaf_socket = accept(socket_1) nr_accept() skb_dequeue(&sk->sk_receive_queue); 5. close(accepted_socket) nr_release() nr_write_internal(sk, NR_DISCREQ) nr_transmit_buffer() // NR_DISCREQ nr_route_frame() nr_loopback_queue() nr_loopback_timer() nr_rx_frame() // sk : socket_1's sk nr_process_rx_frame() // NR_STATE_3 nr_state3_machine() // NR_DISCREQ nr_disconnect() nr_sk(sk)->state = NR_STATE_0; 6. close(socket_1) // sk refcount : 3 nr_release() // NR_STATE_0 sock_put(sk); // sk refcount : 0 sk_free(sk); close(uaf_socket) nr_release() sock_hold(sk); // UAF ``` KASAN report by syzbot: ``` BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520 Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:306 [inline] print_report+0x15e/0x461 mm/kasan/report.c:417 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:102 [inline] atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline] __refcount_add include/linux/refcount.h:193 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] sock_hold include/net/sock.h:775 [inline] nr_release+0x66/0x460 net/netrom/af_netrom.c:520 __sock_release+0xcd/0x280 net/socket.c:650 sock_close+0x1c/0x20 net/socket.c:1365 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xaa8/0x2950 kernel/exit.c:867 do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 get_signal+0x21c3/0x2450 kernel/signal.c:2859 arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f6c19e3c9b9 Code: Unable to access opcode bytes at 0x7f6c19e3c98f. RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9 RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006 RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0 R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 5128: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] ____kasan_kmalloc mm/kasan/common.c:330 [inline] __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:968 [inline] __kmalloc+0x5a/0xd0 mm/slab_common.c:981 kmalloc include/linux/slab.h:584 [inline] sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 __sock_create+0x359/0x790 net/socket.c:1515 sock_create net/socket.c:1566 [inline] __sys_socket_create net/socket.c:1603 [inline] __sys_socket_create net/socket.c:1588 [inline] __sys_socket+0x133/0x250 net/socket.c:1636 __do_sys_socket net/socket.c:1649 [inline] __se_sys_socket net/socket.c:1647 [inline] __x64_sys_socket+0x73/0xb0 net/socket.c:1647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 5128: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:177 [inline] __cache_free mm/slab.c:3394 [inline] __do_kmem_cache_free mm/slab.c:3580 [inline] __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 sk_prot_free net/core/sock.c:2074 [inline] __sk_destruct+0x5df/0x750 net/core/sock.c:2166 sk_destruct net/core/sock.c:2181 [inline] __sk_free+0x175/0x460 net/core/sock.c:2192 sk_free+0x7c/0xa0 net/core/sock.c:2203 sock_put include/net/sock.h:1991 [inline] nr_release+0x39e/0x460 net/netrom/af_netrom.c:554 __sock_release+0xcd/0x280 net/socket.c:650 sock_close+0x1c/0x20 net/socket.c:1365 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xaa8/0x2950 kernel/exit.c:867 do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 get_signal+0x21c3/0x2450 kernel/signal.c:2859 arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd ``` To fix this issue, nr_listen() returns -EINVAL for sockets that successfully nr_connect(). Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Hyunwoo Kim Reviewed-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cb1876fc33af26d00efdd473311f1b664c77c44e Author: Yu Kuai Date: Mon Jan 30 09:41:36 2023 +0800 block, bfq: fix uaf for bfqq in bic_set_bfqq() [ Upstream commit b600de2d7d3a16f9007fad1bdae82a3951a26af2 ] After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"), bic->bfqq will be accessed in bic_set_bfqq(), however, in some context bic->bfqq will be freed, and bic_set_bfqq() is called with the freed bic->bfqq. Fix the problem by always freeing bfqq after bic_set_bfqq(). Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") Reported-and-tested-by: Shinichiro Kawasaki Signed-off-by: Yu Kuai Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20230130014136.591038-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b2e181cf9e57cec9e739efb191014e8fd8ec6ec0 Author: Yu Kuai Date: Wed Dec 14 11:31:55 2022 +0800 block, bfq: replace 0/1 with false/true in bic apis [ Upstream commit 337366e02b370d2800110fbc99940f6ddddcbdfa ] Just to make the code a litter cleaner, there are no functional changes. Signed-off-by: Yu Kuai Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20221214033155.3455754-3-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Stable-dep-of: b600de2d7d3a ("block, bfq: fix uaf for bfqq in bic_set_bfqq()") Signed-off-by: Sasha Levin commit 70fd5afb4c361e7335b0748fcc463e79665f9100 Author: Kornel Dulęba Date: Thu Jan 26 13:25:35 2023 +0000 net: wwan: t7xx: Fix Runtime PM initialization [ Upstream commit e3d6d152a1cbdee25f2e3962009a2751b54e2297 ] For PCI devices the Runtime PM refcount is incremented twice: 1. During device enumeration with a call to pm_runtime_forbid. 2. Just before a driver probe logic is called. Because of that in order to enable Runtime PM on a given device we have to call both pm_runtime_allow and pm_runtime_put_noidle, once it's ready to be runtime suspended. The former was missing causing the pm refcount to never reach 0. Fixes: d10b3a695ba0 ("net: wwan: t7xx: Runtime PM") Signed-off-by: Kornel Dulęba Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 78901b10522cdf6badf24acf65a892637596bccc Author: Andre Kalb Date: Wed Jan 25 19:23:26 2023 +0100 net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices [ Upstream commit 422ae7d9c7221e8d4c8526d0f54106307d69d2dc ] The probe() function is only used for the DP83822 PHY, leaving the private data pointer uninitialized for the smaller DP83825/26 models. While all uses of the private data structure are hidden in 82822 specific callbacks, configuring the interrupt is shared across all models. This causes a NULL pointer dereference on the smaller PHYs as it accesses the private data unchecked. Verifying the pointer avoids that. Fixes: 5dc39fd5ef35 ("net: phy: DP83822: Add ability to advertise Fiber connection") Signed-off-by: Andre Kalb Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/Y9FzniUhUtbaGKU7@pc6682 Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit ddaf96f6953b0a04a2cf8df4790aa76b50dabd31 Author: Íñigo Huguet Date: Wed Jan 25 15:35:13 2023 +0100 sfc: correctly advertise tunneled IPv6 segmentation [ Upstream commit ffffd2454a7a1bc9f7242b12c4cc0b05c12692b4 ] Recent sfc NICs are TSO capable for some tunnel protocols. However, it was not working properly because the feature was not advertised in hw_enc_features, but in hw_features only. Setting up a GENEVE tunnel and using iperf3 to send IPv4 and IPv6 traffic to the tunnel show, with tcpdump, that the IPv4 packets still had ~64k size but the IPv6 ones had only ~1500 bytes (they had been segmented by software, not offloaded). With this patch segmentation is offloaded as expected and the traffic is correctly received at the other end. Fixes: 24b2c3751aa3 ("sfc: advertise encapsulated offloads on EF10") Reported-by: Tianhao Zhao Signed-off-by: Íñigo Huguet Acked-by: Martin Habets Link: https://lore.kernel.org/r/20230125143513.25841-1-ihuguet@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a838f8a69b1ff1351673494f6b7b5786c6ecb1c2 Author: Alexander Duyck Date: Thu Jan 26 11:06:59 2023 -0800 skb: Do mix page pool and page referenced frags in GRO [ Upstream commit 7d2c89b325874a35564db5630a459966afab04cc ] GSO should not merge page pool recycled frames with standard reference counted frames. Traditionally this didn't occur, at least not often. However as we start looking at adding support for wireless adapters there becomes the potential to mix the two due to A-MSDU repartitioning frames in the receive path. There are possibly other places where this may have occurred however I suspect they must be few and far between as we have not seen this issue until now. Fixes: 53e0961da1c7 ("page_pool: add frag page recycling support in page pool") Reported-by: Felix Fietkau Signed-off-by: Alexander Duyck Acked-by: Ilias Apalodimas Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/167475990764.1934330.11960904198087757911.stgit@localhost.localdomain Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 9e0d874c0a6bda0cb77f2e5ac98afab3b4cf012d Author: Magnus Karlsson Date: Wed Jan 25 08:49:01 2023 +0100 dpaa2-eth: execute xdp_do_flush() before napi_complete_done() [ Upstream commit a3191c4d86c5d3bd35b00dfde6910b88391436a0 ] Make sure that xdp_do_flush() is always executed before napi_complete_done(). This is important for two reasons. First, a redirect to an XSKMAP assumes that a call to xdp_do_redirect() from napi context X on CPU Y will be followed by a xdp_do_flush() from the same napi context and CPU. This is not guaranteed if the napi_complete_done() is executed before xdp_do_flush(), as it tells the napi logic that it is fine to schedule napi context X on another CPU. Details from a production system triggering this bug using the veth driver can be found following the first link below. The second reason is that the XDP_REDIRECT logic in itself relies on being inside a single NAPI instance through to the xdp_do_flush() call for RCU protection of all in-kernel data structures. Details can be found in the second link below. Fixes: d678be1dc1ec ("dpaa2-eth: add XDP_REDIRECT support") Signed-off-by: Magnus Karlsson Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 71a773ab79c9911d306aa81a007492d2cb17bc5d Author: Magnus Karlsson Date: Wed Jan 25 08:49:00 2023 +0100 dpaa_eth: execute xdp_do_flush() before napi_complete_done() [ Upstream commit b534013798b77f81a36f36dafd59bab9de837619 ] Make sure that xdp_do_flush() is always executed before napi_complete_done(). This is important for two reasons. First, a redirect to an XSKMAP assumes that a call to xdp_do_redirect() from napi context X on CPU Y will be followed by a xdp_do_flush() from the same napi context and CPU. This is not guaranteed if the napi_complete_done() is executed before xdp_do_flush(), as it tells the napi logic that it is fine to schedule napi context X on another CPU. Details from a production system triggering this bug using the veth driver can be found following the first link below. The second reason is that the XDP_REDIRECT logic in itself relies on being inside a single NAPI instance through to the xdp_do_flush() call for RCU protection of all in-kernel data structures. Details can be found in the second link below. Fixes: a1e031ffb422 ("dpaa_eth: add XDP_REDIRECT support") Signed-off-by: Magnus Karlsson Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ Acked-by: Camelia Groza Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e5aed13363031bb503b5e4f5d28346f6497d460f Author: Magnus Karlsson Date: Wed Jan 25 08:48:59 2023 +0100 virtio-net: execute xdp_do_flush() before napi_complete_done() [ Upstream commit ad7e615f646c9b5b2cf655cdfb9d91a28db4f25a ] Make sure that xdp_do_flush() is always executed before napi_complete_done(). This is important for two reasons. First, a redirect to an XSKMAP assumes that a call to xdp_do_redirect() from napi context X on CPU Y will be followed by a xdp_do_flush() from the same napi context and CPU. This is not guaranteed if the napi_complete_done() is executed before xdp_do_flush(), as it tells the napi logic that it is fine to schedule napi context X on another CPU. Details from a production system triggering this bug using the veth driver can be found following the first link below. The second reason is that the XDP_REDIRECT logic in itself relies on being inside a single NAPI instance through to the xdp_do_flush() call for RCU protection of all in-kernel data structures. Details can be found in the second link below. Fixes: 186b3c998c50 ("virtio-net: support XDP_REDIRECT") Signed-off-by: Magnus Karlsson Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ Acked-by: Michael S. Tsirkin Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit b9fd30ea66e88bcacedd46ba1c341392dcd56b25 Author: Magnus Karlsson Date: Wed Jan 25 08:48:57 2023 +0100 qede: execute xdp_do_flush() before napi_complete_done() [ Upstream commit 2ccce20d51faa0178086163ccb6c84a099a87ab4 ] Make sure that xdp_do_flush() is always executed before napi_complete_done(). This is important for two reasons. First, a redirect to an XSKMAP assumes that a call to xdp_do_redirect() from napi context X on CPU Y will be followed by a xdp_do_flush() from the same napi context and CPU. This is not guaranteed if the napi_complete_done() is executed before xdp_do_flush(), as it tells the napi logic that it is fine to schedule napi context X on another CPU. Details from a production system triggering this bug using the veth driver can be found following the first link below. The second reason is that the XDP_REDIRECT logic in itself relies on being inside a single NAPI instance through to the xdp_do_flush() call for RCU protection of all in-kernel data structures. Details can be found in the second link below. Fixes: d1b25b79e162b ("qede: add .ndo_xdp_xmit() and XDP_REDIRECT support") Signed-off-by: Magnus Karlsson Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 34e0dd0947e904702a455a513839501a16f2f431 Author: Dave Ertman Date: Tue Jan 24 09:19:43 2023 -0800 ice: Prevent set_channel from changing queues while RDMA active [ Upstream commit a6a0974aae4209d039ba81226ded5246eea14961 ] The PF controls the set of queues that the RDMA auxiliary_driver requests resources from. The set_channel command will alter that pool and trigger a reconfiguration of the VSI, which breaks RDMA functionality. Prevent set_channel from executing when RDMA driver bound to auxiliary device. Adding a locked variable to pass down the call chain to avoid double locking the device_lock. Fixes: 348048e724a0 ("ice: Implement iidc operations") Signed-off-by: Dave Ertman Tested-by: Gurucharan G (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit c4cadb84e71b537f30315ed7846806762d8efbc2 Author: Jason Wang Date: Thu Jan 19 15:36:47 2023 +0800 vhost-scsi: unbreak any layout for response [ Upstream commit 6dd88fd59da84631b5fe5c8176931c38cfa3b265 ] Al Viro said: """ Since "vhost/scsi: fix reuse of &vq->iov[out] in response" we have this: cmd->tvc_resp_iov = vq->iov[vc.out]; cmd->tvc_in_iovs = vc.in; combined with iov_iter_init(&iov_iter, ITER_DEST, &cmd->tvc_resp_iov, cmd->tvc_in_iovs, sizeof(v_rsp)); in vhost_scsi_complete_cmd_work(). We used to have ->tvc_resp_iov _pointing_ to vq->iov[vc.out]; back then iov_iter_init() asked to set an iovec-backed iov_iter over the tail of vq->iov[], with length being the amount of iovecs in the tail. Now we have a copy of one element of that array. Fortunately, the members following it in the containing structure are two non-NULL kernel pointers, so copy_to_iter() will not copy anything beyond the first iovec - kernel pointer is not (on the majority of architectures) going to be accepted by access_ok() in copyout() and it won't be skipped since the "length" (in reality - another non-NULL kernel pointer) won't be zero. So it's not going to give a guest-to-qemu escalation, but it's definitely a bug. Frankly, my preference would be to verify that the very first iovec is long enough to hold rsp_size. Due to the above, any users that try to give us vq->iov[vc.out].iov_len < sizeof(struct virtio_scsi_cmd_resp) would currently get a failure in vhost_scsi_complete_cmd_work() anyway. """ However, the spec doesn't say anything about the legacy descriptor layout for the respone. So this patch tries to not assume the response to reside in a single separate descriptor which is what commit 79c14141a487 ("vhost/scsi: Convert completion path to use") tries to achieve towards to ANY_LAYOUT. This is done by allocating and using dedicate resp iov in the command. To be safety, start with UIO_MAXIOV to be consistent with the limitation that we advertise to the vhost_get_vq_desc(). Testing with the hacked virtio-scsi driver that use 1 descriptor for 1 byte in the response. Reported-by: Al Viro Cc: Benjamin Coddington Cc: Nicholas Bellinger Fixes: a77ec83a5789 ("vhost/scsi: fix reuse of &vq->iov[out] in response") Signed-off-by: Jason Wang Message-Id: <20230119073647.76467-1-jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin Reviewed-by: Stefan Hajnoczi Signed-off-by: Sasha Levin commit 5a1909510387ddf6c2bf58836dc844f66e8a9efb Author: Al Viro Date: Thu Sep 15 20:25:47 2022 -0400 use less confusing names for iov_iter direction initializers [ Upstream commit de4eda9de2d957ef2d6a8365a01e26a435e958cb ] READ/WRITE proved to be actively confusing - the meanings are "data destination, as used with read(2)" and "data source, as used with write(2)", but people keep interpreting those as "we read data from it" and "we write data to it", i.e. exactly the wrong way. Call them ITER_DEST and ITER_SOURCE - at least that is harder to misinterpret... Signed-off-by: Al Viro Stable-dep-of: 6dd88fd59da8 ("vhost-scsi: unbreak any layout for response") Signed-off-by: Sasha Levin commit 6d6e144ffbf253a9cda30cc8158762bdd981303f Author: Al Viro Date: Thu Sep 15 19:16:56 2022 -0400 fix "direction" argument of iov_iter_kvec() [ Upstream commit fc02f33787d8dd227b54f263eba983d5b249c032 ] Signed-off-by: Al Viro Stable-dep-of: 6dd88fd59da8 ("vhost-scsi: unbreak any layout for response") Signed-off-by: Sasha Levin commit ff85ec97d14c3532b1bd134adb5d0047e5653dd1 Author: Al Viro Date: Thu Sep 15 19:09:39 2022 -0400 fix 'direction' argument of iov_iter_{init,bvec}() [ Upstream commit e3bf3df824675ea9cadc3cd2c75d08ee83a6ae26 ] READ means "data destination", WRITE - "data source". Signed-off-by: Al Viro Stable-dep-of: 6dd88fd59da8 ("vhost-scsi: unbreak any layout for response") Signed-off-by: Sasha Levin commit 02f719be2f2b10b5a952a36dc230ea40fa37afb9 Author: Al Viro Date: Thu Sep 15 19:04:18 2022 -0400 fix iov_iter_bvec() "direction" argument [ Upstream commit b676668d99155e6859d99bbf2df18b3f03851902 ] Signed-off-by: Al Viro Stable-dep-of: 6dd88fd59da8 ("vhost-scsi: unbreak any layout for response") Signed-off-by: Sasha Levin commit b50705b5ef09c9683eb88d6583e6b49f5ac21219 Author: Al Viro Date: Sun Oct 23 13:29:08 2022 -0400 memcpy_real(): WRITE is "data source", not destination... [ Upstream commit 77729412acde120712f5793e9134c2b1cbd1ee02 ] Signed-off-by: Al Viro Stable-dep-of: 6dd88fd59da8 ("vhost-scsi: unbreak any layout for response") Signed-off-by: Sasha Levin commit cefb33f5be6e71339b40c81e9fa6522c4449c924 Author: Al Viro Date: Thu Sep 15 19:02:47 2022 -0400 zcore: WRITE is "data source", not destination... [ Upstream commit 4ba48e1bae5f68af24d8d71d4f28de9eb658af1d ] Signed-off-by: Al Viro Stable-dep-of: 6dd88fd59da8 ("vhost-scsi: unbreak any layout for response") Signed-off-by: Sasha Levin commit 98653e51618e942b9b4af545020e1dd23baefc7d Author: Al Viro Date: Thu Sep 15 19:01:10 2022 -0400 READ is "data destination", not source... [ Upstream commit 355d2c2798e9dc39f6714fa7ef8902c0d4c5350b ] Signed-off-by: Al Viro Stable-dep-of: 6dd88fd59da8 ("vhost-scsi: unbreak any layout for response") Signed-off-by: Sasha Levin commit a7fcd22a55a6f166ac7f1df8e8a151f1ced4b9be Author: Al Viro Date: Thu Sep 15 18:59:12 2022 -0400 WRITE is "data source", not destination... [ Upstream commit 974c36fb828aeae7b4f9063f94860ae6c5633efd ] Signed-off-by: Al Viro Stable-dep-of: 6dd88fd59da8 ("vhost-scsi: unbreak any layout for response") Signed-off-by: Sasha Levin commit 0332bdec060af671755bf5e330fe4e19eea6c783 Author: Al Viro Date: Thu Sep 15 18:55:18 2022 -0400 copy_oldmem_kernel() - WRITE is "data source", not destination [ Upstream commit 0e1e4a2238d465199e8f11eb7a779bcb224a0505 ] Signed-off-by: Al Viro Stable-dep-of: 6dd88fd59da8 ("vhost-scsi: unbreak any layout for response") Signed-off-by: Sasha Levin commit ccbe22d4843da9aef2a9cf9ac7a6253430640b05 Author: Eric Auger Date: Tue Jan 17 10:15:18 2023 -0500 vhost/net: Clear the pending messages when the backend is removed [ Upstream commit 9526f9a2b762af16be94a72aca5d65c677d28f50 ] When the vhost iotlb is used along with a guest virtual iommu and the guest gets rebooted, some MISS messages may have been recorded just before the reboot and spuriously executed by the virtual iommu after the reboot. As vhost does not have any explicit reset user API, VHOST_NET_SET_BACKEND looks a reasonable point where to clear the pending messages, in case the backend is removed. Export vhost_clear_msg() and call it in vhost_net_set_backend() when fd == -1. Signed-off-by: Eric Auger Suggested-by: Jason Wang Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Message-Id: <20230117151518.44725-3-eric.auger@redhat.com> Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin commit 0b49da857d32b3162d9465cdfa93043b33b83352 Author: Takashi Iwai Date: Wed Jan 25 16:31:04 2023 +0100 ALSA: memalloc: Workaround for Xen PV [ Upstream commit 53466ebdec614f915c691809b0861acecb941e30 ] We change recently the memalloc helper to use dma_alloc_noncontiguous() and the fallback to get_pages(). Although lots of issues with IOMMU (or non-IOMMU) have been addressed, but there seems still a regression on Xen PV. Interestingly, the only proper way to work is use dma_alloc_coherent(). The use of dma_alloc_coherent() for SG buffer was dropped as it's problematic on IOMMU systems. OTOH, Xen PV has a different way, and it's fine to use the dma_alloc_coherent(). This patch is a workaround for Xen PV. It consists of the following changes: - For Xen PV, use only the fallback allocation without dma_alloc_noncontiguous() - In the fallback allocation, use dma_alloc_coherent(); the DMA address from dma_alloc_coherent() is returned in get_addr ops - The DMA addresses are stored in an array; the first entry stores the number of allocated pages in lower bits, which are referred at releasing pages again Reported-by: Marek Marczykowski-Górecki Tested-by: Marek Marczykowski-Górecki Fixes: a8d302a0b770 ("ALSA: memalloc: Revive x86-specific WC page allocations again") Fixes: 9736a325137b ("ALSA: memalloc: Don't fall back for SG-buffer with IOMMU") Link: https://lore.kernel.org/r/87tu256lqs.wl-tiwai@suse.de Link: https://lore.kernel.org/r/20230125153104.5527-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 3331d34160767a872151b80bcbf475fd0d33b4fe Author: Kui-Feng Lee Date: Thu Jan 26 16:17:32 2023 -0800 bpf: Fix the kernel crash caused by bpf_setsockopt(). [ Upstream commit 5416c9aea8323583e8696f0500b6142dfae80821 ] The kernel crash was caused by a BPF program attached to the "lsm_cgroup/socket_sock_rcv_skb" hook, which performed a call to `bpf_setsockopt()` in order to set the TCP_NODELAY flag as an example. Flags like TCP_NODELAY can prompt the kernel to flush a socket's outgoing queue, and this hook "lsm_cgroup/socket_sock_rcv_skb" is frequently triggered by softirqs. The issue was that in certain circumstances, when `tcp_write_xmit()` was called to flush the queue, it would also allow BH (bottom-half) to run. This could lead to our program attempting to flush the same socket recursively, which caused a `skbuff` to be unlinked twice. `security_sock_rcv_skb()` is triggered by `tcp_filter()`. This occurs before the sock ownership is checked in `tcp_v4_rcv()`. Consequently, if a bpf program runs on `security_sock_rcv_skb()` while under softirq conditions, it may not possess the lock needed for `bpf_setsockopt()`, thus presenting an issue. The patch fixes this issue by ensuring that a BPF program attached to the "lsm_cgroup/socket_sock_rcv_skb" hook is not allowed to call `bpf_setsockopt()`. The differences from v1 are - changing commit log to explain holding the lock of the sock, - emphasizing that TCP_NODELAY is not the only flag, and - adding the fixes tag. v1: https://lore.kernel.org/bpf/20230125000244.1109228-1-kuifeng@meta.com/ Signed-off-by: Kui-Feng Lee Fixes: 9113d7e48e91 ("bpf: expose bpf_{g,s}etsockopt to lsm cgroup") Link: https://lore.kernel.org/r/20230127001732.4162630-1-kuifeng@meta.com Signed-off-by: Martin KaFai Lau Signed-off-by: Sasha Levin commit c7ee7bad9c1b4af717d15d370af54ced1162037a Author: Martin K. Petersen Date: Thu Jan 26 22:06:08 2023 -0500 scsi: Revert "scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT" [ Upstream commit 15600159bcc6abbeae6b33a849bef90dca28b78f ] This reverts commit 948e922fc44611ee2de0c89583ca958cb5307d36. Not all targets that return PQ=1 and PDT=0 should be ignored. While the SCSI spec is vague in this department, there appears to be a critical mass of devices which rely on devices being accessible with this combination of reported values. Fixes: 948e922fc446 ("scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT") Link: https://lore.kernel.org/r/yq1lelrleqr.fsf@ca-mkp.ca.oracle.com Acked-by: Bart Van Assche Acked-by: Martin Wilck Acked-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 9e0097cb51e69f4b7d1c3823fbacc3725f48ce4e Author: Javier Martinez Canillas Date: Wed Jan 25 19:42:30 2023 +0100 drm/ssd130x: Init display before the SSD130X_DISPLAY_ON command [ Upstream commit 343c700480982214dc4f834f536a49a4098e556a ] Commit 622113b9f11f ("drm/ssd130x: Replace simple display helpers with the atomic helpers") changed the driver to just use the atomic helpers instead of the simple KMS abstraction layer. But the commit also made a subtle change on the display power sequence and initialization order, by moving the ssd130x_power_on() call to the encoder .atomic_enable handler and the ssd130x_init() call to CRTC .reset handler. Before this change, both ssd130x_power_on() and ssd130x_init() were called in the simple display pipeline .enable handler, so the display was already initialized by the time the SSD130X_DISPLAY_ON command was sent. For some reasons, it only made the ssd130x SPI driver to fail but the I2C was still working. That is the reason why the bug was not noticed before. To revert to the old driver behavior, move the ssd130x_init() call to the encoder .atomic_enable as well. Besides fixing the panel not being turned on when using SPI, it also gets rid of the custom CRTC .reset callback. Fixes: 622113b9f11f ("drm/ssd130x: Replace simple display helpers with the atomic helpers") Signed-off-by: Javier Martinez Canillas Reviewed-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20230125184230.3343206-1-javierm@redhat.com Signed-off-by: Sasha Levin commit c590a4a59a985f8f12d358340825e936890f5804 Author: Hans Verkuil Date: Thu Jan 19 10:02:19 2023 +0100 drm/vc4: hdmi: make CEC adapter name unique [ Upstream commit 51128c3f2a7c98055ea1d27e34910dc10977f618 ] The bcm2711 has two HDMI outputs, each with their own CEC adapter. The CEC adapter name has to be unique, but it is currently hardcoded to "vc4" for both outputs. Change this to use the card_name from the variant information in order to make the adapter name unique. Signed-off-by: Hans Verkuil Fixes: 15b4511a4af6 ("drm/vc4: add HDMI CEC support") Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/dcf1db75-d9cc-62cc-fa12-baf1b2b3bf31@xs4all.nl Signed-off-by: Sasha Levin commit 0bdd5a7b517f16fdffc444be6516c45788548d08 Author: Philippe Schenker Date: Mon Jan 16 15:01:52 2023 +0100 arm64: dts: imx8mm-verdin: Do not power down eth-phy [ Upstream commit 39c95d0c357d7ef76aea958c1bece6b24f9b2e7e ] Currently if suspending using either freeze or memory state, the fec driver tries to power down the phy which leads to crash of the kernel and non-responsible kernel with the following call trace: [ 24.839889 ] Call trace: [ 24.839892 ] phy_error+0x18/0x60 [ 24.839898 ] kszphy_handle_interrupt+0x6c/0x80 [ 24.839903 ] phy_interrupt+0x20/0x2c [ 24.839909 ] irq_thread_fn+0x30/0xa0 [ 24.839919 ] irq_thread+0x178/0x2c0 [ 24.839925 ] kthread+0x154/0x160 [ 24.839932 ] ret_from_fork+0x10/0x20 Since there is currently no functionality in the phy subsystem to power down phys let's just disable the feature of powering-down the ethernet phy. Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini") Signed-off-by: Philippe Schenker Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 3419ddcfa143abfa9a14ec7f1fe52cb56a444b03 Author: Pierluigi Passaro Date: Sun Jan 15 22:35:03 2023 +0100 arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX [ Upstream commit 47123900f3e4a7f769631d6ec15abf44086276f6 ] According section     8.2.5.313 Select Input Register (IOMUXC_UART1_RXD_SELECT_INPUT) of      i.MX 8M Mini Applications Processor Reference Manual, Rev. 3, 11/2020 the required setting for this specific pin configuration is "1" Signed-off-by: Pierluigi Passaro Reviewed-by: Fabio Estevam Fixes: c1c9d41319c3 ("dt-bindings: imx: Add pinctrl binding doc for imx8mm") Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 12b0ec7c6953e1602957926439e5297095d7d065 Author: Jakub Sitnicki Date: Sat Jan 21 13:41:44 2023 +0100 bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener [ Upstream commit ddce1e091757d0259107c6c0c7262df201de2b66 ] A listening socket linked to a sockmap has its sk_prot overridden. It points to one of the struct proto variants in tcp_bpf_prots. The variant depends on the socket's family and which sockmap programs are attached. A child socket cloned from a TCP listener initially inherits their sk_prot. But before cloning is finished, we restore the child's proto to the listener's original non-tcp_bpf_prots one. This happens in tcp_create_openreq_child -> tcp_bpf_clone. Today, in tcp_bpf_clone we detect if the child's proto should be restored by checking only for the TCP_BPF_BASE proto variant. This is not correct. The sk_prot of listening socket linked to a sockmap can point to to any variant in tcp_bpf_prots. If the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then the child socket unintentionally is left if the inherited sk_prot by tcp_bpf_clone. This leads to issues like infinite recursion on close [1], because the child state is otherwise not set up for use with tcp_bpf_prot operations. Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants. Note that it wouldn't be sufficient to check the socket state when overriding the sk_prot in tcp_bpf_update_proto in order to always use the TCP_BPF_BASE variant for listening sockets. Since commit b8b8315e39ff ("bpf, sockmap: Remove unhash handler for BPF sockmap usage") it is possible for a socket to transition to TCP_LISTEN state while already linked to a sockmap, e.g. connect() -> insert into map -> connect(AF_UNSPEC) -> listen(). [1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/ Fixes: e80251555f0b ("tcp_bpf: Don't let child socket inherit parent protocol ops on copy") Reported-by: syzbot+04c21ed96d861dccc5cd@syzkaller.appspotmail.com Signed-off-by: Jakub Sitnicki Acked-by: John Fastabend Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-2-1e0ee7ac2f90@cloudflare.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 7715f96f4ba63b45bb25a88dcf408703aa5caba4 Author: Hans Verkuil Date: Wed Dec 28 18:02:27 2022 +0100 media: v4l2-ctrls-api.c: move ctrl->is_new = 1 to the correct line [ Upstream commit a1550700629f30c5bd554161524f14f14600d554 ] The patch that fixed string control support somehow got mangled when it was merged in mainline: the added line ended up in the wrong place. Fix this. Fixes: 73278d483378 ("media: v4l2-ctrls-api.c: add back dropped ctrl->is_new = 1") Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d5c7a2ab5e1f7c8cfaec8255aaed5e541d8f512a Author: Jiri Olsa Date: Fri Jan 20 13:21:48 2023 +0100 bpf: Add missing btf_put to register_btf_id_dtor_kfuncs [ Upstream commit 74bc3a5acc82f020d2e126f56c535d02d1e74e37 ] We take the BTF reference before we register dtors and we need to put it back when it's done. We probably won't se a problem with kernel BTF, but module BTF would stay loaded (because of the extra ref) even when its module is removed. Cc: Kumar Kartikeya Dwivedi Fixes: 5ce937d613a4 ("bpf: Populate pairs of btf_id and destructor kfunc in btf") Acked-by: Kumar Kartikeya Dwivedi Signed-off-by: Jiri Olsa Link: https://lore.kernel.org/r/20230120122148.1522359-1-jolsa@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit d52f34784e4e2f6e77671a9f104d8a69a3b5d24c Author: Dan Carpenter Date: Thu Jan 19 17:58:54 2023 +0300 ASoC: SOF: ipc4-mtrace: prevent underflow in sof_ipc4_priority_mask_dfs_write() [ Upstream commit ea57680af47587397f5005d7758022441ed66d54 ] The "id" comes from the user. Change the type to unsigned to prevent an array underflow. Fixes: f4ea22f7aa75 ("ASoC: SOF: ipc4: Add support for mtrace log extraction") Signed-off-by: Dan Carpenter Acked-by: Peter Ujfalusi Link: https://lore.kernel.org/r/Y8laruWOEwOC/dx9@kili Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4ea7f83314f1998b3d683f322594383bbdddc7c9 Author: Pengfei Xu Date: Wed Jan 11 16:15:31 2023 +0800 selftests/filesystems: grant executable permission to run_fat_tests.sh [ Upstream commit 24b5308cf5ee9f52dd22f3af78a5b0cdc9d35e72 ] When use tools/testing/selftests/kselftest_install.sh to make the kselftest-list.txt under tools/testing/selftests/kselftest_install. Then use tools/testing/selftests/kselftest_install/run_kselftest.sh to run all the kselftests in kselftest-list.txt, it will be blocked by case "filesystems/fat: run_fat_tests.sh" with "Warning: file run_fat_tests.sh is not executable", so grant executable permission to run_fat_tests.sh to fix this issue. Link: https://lkml.kernel.org/r/dfdbba6df8a1ab34bb1e81cd8bd7ca3f9ed5c369.1673424747.git.pengfei.xu@intel.com Fixes: dd7c9be330d8 ("selftests/filesystems: add a vfat RENAME_EXCHANGE test") Signed-off-by: Pengfei Xu Reviewed-by: Javier Martinez Canillas Cc: Shuah Khan Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 7c7652ffa986d80d7ccb995184a3f993b4edf4db Author: Eduard Zingerman Date: Fri Jan 6 16:22:13 2023 +0200 bpf: Fix to preserve reg parent/live fields when copying range info [ Upstream commit 71f656a50176915d6813751188b5758daa8d012b ] Register range information is copied in several places. The intent is to transfer range/id information from one register/stack spill to another. Currently this is done using direct register assignment, e.g.: static void find_equal_scalars(..., struct bpf_reg_state *known_reg) { ... struct bpf_reg_state *reg; ... *reg = *known_reg; ... } However, such assignments also copy the following bpf_reg_state fields: struct bpf_reg_state { ... struct bpf_reg_state *parent; ... enum bpf_reg_liveness live; ... }; Copying of these fields is accidental and incorrect, as could be demonstrated by the following example: 0: call ktime_get_ns() 1: r6 = r0 2: call ktime_get_ns() 3: r7 = r0 4: if r0 > r6 goto +1 ; r0 & r6 are unbound thus generated ; branch states are identical 5: *(u64 *)(r10 - 8) = 0xdeadbeef ; 64-bit write to fp[-8] --- checkpoint --- 6: r1 = 42 ; r1 marked as written 7: *(u8 *)(r10 - 8) = r1 ; 8-bit write, fp[-8] parent & live ; overwritten 8: r2 = *(u64 *)(r10 - 8) 9: r0 = 0 10: exit This example is unsafe because 64-bit write to fp[-8] at (5) is conditional, thus not all bytes of fp[-8] are guaranteed to be set when it is read at (8). However, currently the example passes verification. First, the execution path 1-10 is examined by verifier. Suppose that a new checkpoint is created by is_state_visited() at (6). After checkpoint creation: - r1.parent points to checkpoint.r1, - fp[-8].parent points to checkpoint.fp[-8]. At (6) the r1.live is set to REG_LIVE_WRITTEN. At (7) the fp[-8].parent is set to r1.parent and fp[-8].live is set to REG_LIVE_WRITTEN, because of the following code called in check_stack_write_fixed_off(): static void save_register_state(struct bpf_func_state *state, int spi, struct bpf_reg_state *reg, int size) { ... state->stack[spi].spilled_ptr = *reg; // <--- parent & live copied if (size == BPF_REG_SIZE) state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; ... } Note the intent to mark stack spill as written only if 8 bytes are spilled to a slot, however this intent is spoiled by a 'live' field copy. At (8) the checkpoint.fp[-8] should be marked as REG_LIVE_READ but this does not happen: - fp[-8] in a current state is already marked as REG_LIVE_WRITTEN; - fp[-8].parent points to checkpoint.r1, parentage chain is used by mark_reg_read() to mark checkpoint states. At (10) the verification is finished for path 1-10 and jump 4-6 is examined. The checkpoint.fp[-8] never gets REG_LIVE_READ mark and this spill is pruned from the cached states by clean_live_states(). Hence verifier state obtained via path 1-4,6 is deemed identical to one obtained via path 1-6 and program marked as safe. Note: the example should be executed with BPF_F_TEST_STATE_FREQ flag set to force creation of intermediate verifier states. This commit revisits the locations where bpf_reg_state instances are copied and replaces the direct copies with a call to a function copy_register_state(dst, src) that preserves 'parent' and 'live' fields of the 'dst'. Fixes: 679c782de14b ("bpf/verifier: per-register parent pointers") Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20230106142214.1040390-2-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit f011360ad234a07cb6fbcc720fff646a93a9f0d6 Author: Artemii Karasev Date: Thu Jan 19 00:22:59 2023 -0800 ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() [ Upstream commit b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa ] snd_hda_get_connections() can return a negative error code. It may lead to accessing 'conn' array at a negative index. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Artemii Karasev Fixes: 30b4503378c9 ("ALSA: hda - Expose secret DAC-AA connection of some VIA codecs") Link: https://lore.kernel.org/r/20230119082259.3634-1-karasev@ispras.ru Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 6a199d556c0255a58023416ece1320305dd53c12 Author: Yonghong Song Date: Wed Jan 18 12:48:15 2023 -0800 bpf: Fix a possible task gone issue with bpf_send_signal[_thread]() helpers [ Upstream commit bdb7fdb0aca8b96cef9995d3a57e251c2289322f ] In current bpf_send_signal() and bpf_send_signal_thread() helper implementation, irq_work is used to handle nmi context. Hao Sun reported in [1] that the current task at the entry of the helper might be gone during irq_work callback processing. To fix the issue, a reference is acquired for the current task before enqueuing into the irq_work so that the queued task is still available during irq_work callback processing. [1] https://lore.kernel.org/bpf/20230109074425.12556-1-sunhao.th@gmail.com/ Fixes: 8b401f9ed244 ("bpf: implement bpf_send_signal() helper") Tested-by: Hao Sun Reported-by: Hao Sun Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20230118204815.3331855-1-yhs@fb.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit c32efcf9ff8547afef2a77b1fe12f0c04bd3d1f9 Author: Hou Tao Date: Wed Jan 18 16:46:30 2023 +0800 bpf: Fix off-by-one error in bpf_mem_cache_idx() [ Upstream commit 36024d023d139a0c8b552dc3b7f4dc7b4c139e8f ] According to the definition of sizes[NUM_CACHES], when the size passed to bpf_mem_cache_size() is 256, it should return 6 instead 7. Fixes: 7c8199e24fa0 ("bpf: Introduce any context BPF specific memory allocator.") Signed-off-by: Hou Tao Acked-by: Yonghong Song Link: https://lore.kernel.org/r/20230118084630.3750680-1-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit ba32923bcedda1eb32b8f8110d181236da59bc93 Author: Amadeusz Sławiński Date: Fri Jan 13 20:03:08 2023 +0100 ASoC: Intel: avs: Implement PCI shutdown [ Upstream commit f89d783d68dcc6b2ce4fe3bda972ae0f84df0dca ] On shutdown reference to i915 driver needs to be released to not spam logs with unnecessary warnings. While at it do some additional cleanup to make sure DSP is powered down and interrupts from device are disabled. Fixes: 1affc44ea5dd ("ASoC: Intel: avs: PCI driver implementation") Reported-by: Kornel Dulęba Signed-off-by: Amadeusz Sławiński Reviewed-by: Cezary Rojewski Link: https://lore.kernel.org/r/20230113190310.1451693-2-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cdebb52d609819b2ca23b0c08276c68d50e6b01e Author: Andy Shevchenko Date: Thu Jan 12 13:28:52 2023 +0200 ASoC: Intel: sof_es8336: Drop reference count of ACPI device after use [ Upstream commit 64e57b2195725c1ae2246a8a2ce224abb60620ac ] Theoretically the device might gone if its reference count drops to 0. This might be the case when we try to find the first physical node of the ACPI device. We need to keep reference to it until we get a result of the above mentioned call. Refactor the code to drop the reference count at the correct place. While at it, move to acpi_dev_put() as symmetrical call to the acpi_dev_get_first_match_dev(). Fixes: a164137ce91a ("ASoC: Intel: add machine driver for SOF+ES8336") Signed-off-by: Andy Shevchenko Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20230112112852.67714-6-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c48af765e183c9b1787d9506e3c582b3f577379c Author: Andy Shevchenko Date: Thu Jan 12 13:28:51 2023 +0200 ASoC: Intel: bytcr_wm5102: Drop reference count of ACPI device after use [ Upstream commit c8aa49abdeda2ab587aadb083e670f6aa0236f93 ] Theoretically the device might gone if its reference count drops to 0. This might be the case when we try to find the first physical node of the ACPI device. We need to keep reference to it until we get a result of the above mentioned call. Refactor the code to drop the reference count at the correct place. While at it, move to acpi_dev_put() as symmetrical call to the acpi_dev_get_first_match_dev(). Fixes: 9a87fc1e0619 ("ASoC: Intel: bytcr_wm5102: Add machine driver for BYT/WM5102") Signed-off-by: Andy Shevchenko Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20230112112852.67714-5-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c72c57b689bf8adff07dcb1b3c2b8ef7910842c3 Author: Andy Shevchenko Date: Thu Jan 12 13:28:50 2023 +0200 ASoC: Intel: bytcr_rt5640: Drop reference count of ACPI device after use [ Upstream commit cbf87bcf46e399e9a5288430d940efbad3551c68 ] Theoretically the device might gone if its reference count drops to 0. This might be the case when we try to find the first physical node of the ACPI device. We need to keep reference to it until we get a result of the above mentioned call. Refactor the code to drop the reference count at the correct place. While at it, move to acpi_dev_put() as symmetrical call to the acpi_dev_get_first_match_dev(). Fixes: a232b96dcece ("ASoC: Intel: bytcr_rt5640: use HID translation util") Signed-off-by: Andy Shevchenko Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20230112112852.67714-4-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 877699a054ec23054acc7c6bc1b31aad177083ee Author: Andy Shevchenko Date: Thu Jan 12 13:28:49 2023 +0200 ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after use [ Upstream commit 721858823d7cdc8f2a897579b040e935989f6f02 ] Theoretically the device might gone if its reference count drops to 0. This might be the case when we try to find the first physical node of the ACPI device. We need to keep reference to it until we get a result of the above mentioned call. Refactor the code to drop the reference count at the correct place. While at it, move to acpi_dev_put() as symmetrical call to the acpi_dev_get_first_match_dev(). Fixes: 02c0a3b3047f ("ASoC: Intel: bytcr_rt5651: add MCLK, quirks and cleanups") Signed-off-by: Andy Shevchenko Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20230112112852.67714-3-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit eddc0f2ad6d53560c311d62c28bc7b88190edc48 Author: Andy Shevchenko Date: Thu Jan 12 13:28:48 2023 +0200 ASoC: Intel: bytcht_es8316: Drop reference count of ACPI device after use [ Upstream commit 6b1c0bd6fdefbf3c3d75680c2708f5423ef72e46 ] Theoretically the device might gone if its reference count drops to 0. This might be the case when we try to find the first physical node of the ACPI device. We need to keep reference to it until we get a result of the above mentioned call. Refactor the code to drop the reference count at the correct place. While at it, move to acpi_dev_put() as symmetrical call to the acpi_dev_get_first_match_dev(). Fixes: 3c22a73fb873 ("ASoC: Intel: bytcht_es8316: fix HID handling") Signed-off-by: Andy Shevchenko Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20230112112852.67714-2-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7b1ed88ec3af376363e55514ce935d8f2f6f103f Author: Andy Shevchenko Date: Thu Jan 12 13:23:56 2023 +0200 ASoC: amd: acp-es8336: Drop reference count of ACPI device after use [ Upstream commit d784fc8be6814b31854f7b529919ca4506ff8066 ] Theoretically the device might gone if its reference count drops to 0. This might be the case when we try to find the first physical node of the ACPI device. We need to keep reference to it until we get a result of the above mentioned call. Refactor the code to drop the reference count at the correct place. While at it, move to acpi_dev_put() as symmetrical call to the acpi_dev_get_first_match_dev(). Fixes: 02527c3f2300 ("ASoC: amd: add Machine driver for Jadeite platform") Signed-off-by: Andy Shevchenko Acked-by: Vijendar Mukunda Link: https://lore.kernel.org/r/20230112112356.67643-1-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ac949eae8d594148692c146868922ed0b6a895f4 Author: Frank Li Date: Wed Jan 4 16:07:40 2023 -0500 arm64: dts: freescale: imx8dxl: fix sc_pwrkey's property name linux,keycode [ Upstream commit cfb47bf5a470bdd80e8ac2f7b2f3a34563ecd4ea ] linux,keycode should be "linux,keycodes" according binding-doc Documentation/devicetree/bindings/input/fsl,scu-key.yaml Fixes: f537ee7f1e76 ("arm64: dts: freescale: add i.MX8DXL SoC support") Signed-off-by: Frank Li Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 13d27de91ace841d48c644c9c5b0eb71ad73816d Author: Fabio Estevam Date: Mon Jan 2 11:04:02 2023 -0300 arm64: dts: imx8m-venice: Remove incorrect 'uart-has-rtscts' [ Upstream commit fca053893e8d5be8173c92876c6329cbee78b880 ] The following build warnings are seen when running: make dtbs_check DT_SCHEMA_FILES=fsl-imx-uart.yaml arch/arm64/boot/dts/freescale/imx8mm-venice-gw7903.dtb: serial@30860000: cts-gpios: False schema does not allow [[33, 3, 1]] From schema: Documentation/devicetree/bindings/serial/fsl-imx-uart.yaml arch/arm64/boot/dts/freescale/imx8mm-venice-gw7903.dtb: serial@30860000: rts-gpios: False schema does not allow [[33, 5, 1]] From schema: Documentation/devicetree/bindings/serial/fsl-imx-uart.yaml ... The imx8m Venice Gateworks boards do not expose the UART RTS and CTS as native UART pins, so 'uart-has-rtscts' should not be used. Using 'uart-has-rtscts' with 'rts-gpios' is an invalid combination detected by serial.yaml. Fix the problem by removing the incorrect 'uart-has-rtscts' property. Fixes: 27c8f4ccc1b9 ("arm64: dts: imx8mm-venice-gw72xx-0x: add dt overlays for serial modes") Fixes: d9a9a7cf32c9 ("arm64: dts: imx8m{m,n}-venice-*: add missing uart-has-rtscts property to UARTs") Fixes: 870f645b396b ("arm64: dts: imx8mp-venice-gw74xx: add WiFi/BT module support") Signed-off-by: Fabio Estevam Acked-by: Tim Harvey Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 17b83ef66d0e48279ade6c89b7d7d36bf5449f8a Author: Yuan Can Date: Wed Nov 23 09:42:00 2022 +0000 bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() [ Upstream commit f71eaf2708be7831428eacae7db25d8ec6b8b4c5 ] The sunxi_rsb_init() returns the platform_driver_register() directly without checking its return value, if platform_driver_register() failed, the sunxi_rsb_bus is not unregistered. Fix by unregister sunxi_rsb_bus when platform_driver_register() failed. Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus") Signed-off-by: Yuan Can Reviewed-by: Jernej Skrabec Link: https://lore.kernel.org/r/20221123094200.12036-1-yuancan@huawei.com Signed-off-by: Jernej Skrabec Signed-off-by: Sasha Levin commit c8bdc88216f09cb7387fedbdf613524367328616 Author: Takashi Sakamoto Date: Tue Jan 17 18:06:10 2023 +0900 firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region commit 531390a243ef47448f8bad01c186c2787666bf4d upstream. This patch is fix for Linux kernel v2.6.33 or later. For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem have had an issue of use-after-free. The subsystem allows multiple user space listeners to the region, while data of the payload was likely released before the listeners execute read(2) to access to it for copying to user space. The issue was fixed by a commit 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler"). The object of payload is duplicated in kernel space for each listener. When the listener executes ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to be released. However, it causes memory leak since the commit relies on call of release_request() in drivers/firewire/core-cdev.c. Against the expectation, the function is never called due to the design of release_client_resource(). The function delegates release task to caller when called with non-NULL fourth argument. The implementation of ioctl_send_response() is the case. It should release the object explicitly. This commit fixes the bug. Cc: Fixes: 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20230117090610.93792-2-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman