Changelog in Linux kernel 4.19.317

 
ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." [+ + +]
Author: Raju Rangoju <Raju.Rangoju@amd.com>
Date:   Fri Jun 14 19:31:49 2024 +0530

    ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
    
    [ Upstream commit a83e1385b780d41307433ddbc86e3c528db031f0 ]
    
    Undo the modifications made in commit d410ee5109a1 ("ACPICA: avoid
    "Info: mapping multiple BARs. Your kernel is fine.""). The initial
    purpose of this commit was to stop memory mappings for operation
    regions from overlapping page boundaries, as it can trigger warnings
    if different page attributes are present.
    
    However, it was found that when this situation arises, mapping
    continues until the boundary's end, but there is still an attempt to
    read/write the entire length of the map, leading to a NULL pointer
    deference. For example, if a four-byte mapping request is made but
    only one byte is mapped because it hits the current page boundary's
    end, a four-byte read/write attempt is still made, resulting in a NULL
    pointer deference.
    
    Instead, map the entire length, as the ACPI specification does not
    mandate that it must be within the same page boundary. It is
    permissible for it to be mapped across different regions.
    
    Link: https://github.com/acpica/acpica/pull/954
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218849
    Fixes: d410ee5109a1 ("ACPICA: avoid "Info: mapping multiple BARs. Your kernel is fine."")
    Co-developed-by: Sanath S <Sanath.S@amd.com>
    Signed-off-by: Sanath S <Sanath.S@amd.com>
    Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Jun 4 09:52:37 2024 -0700

    af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
    
    [ Upstream commit bd9f2d05731f6a112d0c7391a0d537bfc588dbe6 ]
    
    net->unx.sysctl_max_dgram_qlen is exposed as a sysctl knob and can be
    changed concurrently.
    
    Let's use READ_ONCE() in unix_create1().
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Jun 4 09:52:41 2024 -0700

    af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
    
    [ Upstream commit efaf24e30ec39ebbea9112227485805a48b0ceb1 ]
    
    While dumping sockets via UNIX_DIAG, we do not hold unix_state_lock().
    
    Let's use READ_ONCE() to read sk->sk_shutdown.
    
    Fixes: e4e541a84863 ("sock-diag: Report shutdown for inet and unix sockets (v2)")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Jun 4 09:52:29 2024 -0700

    af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
    
    [ Upstream commit 3a0f38eb285c8c2eead4b3230c7ac2983707599d ]
    
    ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first
    and returns -EINVAL if it's TCP_LISTEN.
    
    Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of
    bytes in recvq.
    
    However, unix_inq_len() does not hold unix_state_lock(), and the
    concurrent listen() might change the state after checking sk->sk_state.
    
    If the race occurs, 0 is returned for the listener, instead of -EINVAL,
    because the length of skb with embryo is 0.
    
    We could hold unix_state_lock() in unix_inq_len(), but it's overkill
    given the result is true for pre-listen() TCP_CLOSE state.
    
    So, let's use READ_ONCE() for sk->sk_state in unix_inq_len().
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Jun 4 09:52:33 2024 -0700

    af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().
    
    [ Upstream commit 8a34d4e8d9742a24f74998f45a6a98edd923319b ]
    
    The following functions read sk->sk_state locklessly and proceed only if
    the state is TCP_ESTABLISHED.
    
      * unix_stream_sendmsg
      * unix_stream_read_generic
      * unix_seqpacket_sendmsg
      * unix_seqpacket_recvmsg
    
    Let's use READ_ONCE() there.
    
    Fixes: a05d2ad1c1f3 ("af_unix: Only allow recv on connected seqpacket sockets.")
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Jun 4 09:52:35 2024 -0700

    af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
    
    [ Upstream commit 0aa3be7b3e1f8f997312cc4705f8165e02806f8f ]
    
    While dumping AF_UNIX sockets via UNIX_DIAG, sk->sk_state is read
    locklessly.
    
    Let's use READ_ONCE() there.
    
    Note that the result could be inconsistent if the socket is dumped
    during the state change.  This is common for other SOCK_DIAG and
    similar interfaces.
    
    Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report")
    Fixes: 2aac7a2cb0d9 ("unix_diag: Pending connections IDs NLA")
    Fixes: 45a96b9be6ec ("unix_diag: Dumping all sockets core")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Jun 4 09:52:30 2024 -0700

    af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll().
    
    [ Upstream commit eb0718fb3e97ad0d6f4529b810103451c90adf94 ]
    
    unix_poll() and unix_dgram_poll() read sk->sk_state locklessly and
    calls unix_writable() which also reads sk->sk_state without holding
    unix_state_lock().
    
    Let's use READ_ONCE() in unix_poll() and unix_dgram_poll() and pass
    it to unix_writable().
    
    While at it, we remove TCP_SYN_SENT check in unix_dgram_poll() as
    that state does not exist for AF_UNIX socket since the code was added.
    
    Fixes: 1586a5877db9 ("af_unix: do not report POLLOUT on listeners")
    Fixes: 3c73419c09a5 ("af_unix: fix 'poll for write'/ connected DGRAM sockets")
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Jun 4 09:52:40 2024 -0700

    af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
    
    [ Upstream commit 5d915e584d8408211d4567c22685aae8820bfc55 ]
    
    We can dump the socket queue length via UNIX_DIAG by specifying
    UDIAG_SHOW_RQLEN.
    
    If sk->sk_state is TCP_LISTEN, we return the recv queue length,
    but here we do not hold recvq lock.
    
    Let's use skb_queue_len_lockless() in sk_diag_show_rqlen().
    
    Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Jun 4 09:52:38 2024 -0700

    af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
    
    [ Upstream commit 45d872f0e65593176d880ec148f41ad7c02e40a7 ]
    
    Once sk->sk_state is changed to TCP_LISTEN, it never changes.
    
    unix_accept() takes advantage of this characteristics; it does not
    hold the listener's unix_state_lock() and only acquires recvq lock
    to pop one skb.
    
    It means unix_state_lock() does not prevent the queue length from
    changing in unix_stream_connect().
    
    Thus, we need to use unix_recvq_full_lockless() to avoid data-race.
    
    Now we remove unix_recvq_full() as no one uses it.
    
    Note that we can remove READ_ONCE() for sk->sk_max_ack_backlog in
    unix_recvq_full_lockless() because of the following reasons:
    
      (1) For SOCK_DGRAM, it is a written-once field in unix_create1()
    
      (2) For SOCK_STREAM and SOCK_SEQPACKET, it is changed under the
          listener's unix_state_lock() in unix_listen(), and we hold
          the lock in unix_stream_connect()
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ALSA: emux: improve patch ioctl data validation [+ + +]
Author: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Date:   Sat Apr 6 08:48:20 2024 +0200

    ALSA: emux: improve patch ioctl data validation
    
    [ Upstream commit 89b32ccb12ae67e630c6453d778ec30a592a212f ]
    
    In load_data(), make the validation of and skipping over the main info
    block match that in load_guspatch().
    
    In load_guspatch(), add checking that the specified patch length matches
    the actually supplied data, like load_data() already did.
    
    Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
    Message-ID: <20240406064830.1029573-8-oswald.buddenhagen@gmx.de>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
arm64: dts: rockchip: Add sound-dai-cells for RK3368 [+ + +]
Author: Alex Bee <knaerzche@gmail.com>
Date:   Sun Jun 23 11:01:15 2024 +0200

    arm64: dts: rockchip: Add sound-dai-cells for RK3368
    
    [ Upstream commit 8d7ec44aa5d1eb94a30319074762a1740440cdc8 ]
    
    Add the missing #sound-dai-cells for RK3368's I2S and S/PDIF controllers.
    
    Fixes: f7d89dfe1e31 ("arm64: dts: rockchip: add i2s nodes support for RK3368 SoCs")
    Fixes: 0328d68ea76d ("arm64: dts: rockchip: add rk3368 spdif node")
    Signed-off-by: Alex Bee <knaerzche@gmail.com>
    Link: https://lore.kernel.org/r/20240623090116.670607-4-knaerzche@gmail.com
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Tue Mar 12 19:31:03 2024 +0100

    ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat
    
    [ Upstream commit 88208d3cd79821117fd3fb80d9bcab618467d37b ]
    
    Although the Samsung SoC keypad binding defined
    linux,keypad-no-autorepeat property, Linux driver never implemented it
    and always used linux,input-no-autorepeat.  Correct the DTS to use
    property actually implemented.
    
    This also fixes dtbs_check errors like:
    
      exynos4412-origen.dtb: keypad@100a0000: 'linux,keypad-no-autorepeat' does not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+'
    
    Cc: <stable@vger.kernel.org>
    Fixes: bd08f6277e44 ("ARM: dts: Add keypad entries to Exynos4412 based Origen")
    Link: https://lore.kernel.org/r/20240312183105.715735-2-krzysztof.kozlowski@linaro.org
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: samsung: smdk4412: fix keypad no-autorepeat [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Tue Mar 12 19:31:04 2024 +0100

    ARM: dts: samsung: smdk4412: fix keypad no-autorepeat
    
    [ Upstream commit 4ac4c1d794e7ff454d191bbdab7585ed8dbf3758 ]
    
    Although the Samsung SoC keypad binding defined
    linux,keypad-no-autorepeat property, Linux driver never implemented it
    and always used linux,input-no-autorepeat.  Correct the DTS to use
    property actually implemented.
    
    This also fixes dtbs_check errors like:
    
      exynos4412-smdk4412.dtb: keypad@100a0000: 'key-A', 'key-B', 'key-C', 'key-D', 'key-E', 'linux,keypad-no-autorepeat' do not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+'
    
    Cc: <stable@vger.kernel.org>
    Fixes: c9b92dd70107 ("ARM: dts: Add keypad entries to SMDK4412")
    Link: https://lore.kernel.org/r/20240312183105.715735-3-krzysztof.kozlowski@linaro.org
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: samsung: smdkv310: fix keypad no-autorepeat [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Tue Mar 12 19:31:02 2024 +0100

    ARM: dts: samsung: smdkv310: fix keypad no-autorepeat
    
    [ Upstream commit 87d8e522d6f5a004f0aa06c0def302df65aff296 ]
    
    Although the Samsung SoC keypad binding defined
    linux,keypad-no-autorepeat property, Linux driver never implemented it
    and always used linux,input-no-autorepeat.  Correct the DTS to use
    property actually implemented.
    
    This also fixes dtbs_check errors like:
    
      exynos4210-smdkv310.dtb: keypad@100a0000: 'linux,keypad-no-autorepeat' does not match any of the regexes: '^key-[0-9a-z]+$', 'pinctrl-[0-9]+'
    
    Cc: <stable@vger.kernel.org>
    Fixes: 0561ceabd0f1 ("ARM: dts: Add intial dts file for EXYNOS4210 SoC, SMDKV310 and ORIGEN")
    Link: https://lore.kernel.org/r/20240312183105.715735-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ASoC: fsl-asoc-card: set priv->pdev before using it [+ + +]
Author: Elinor Montmasson <elinor.montmasson@savoirfairelinux.com>
Date:   Thu Jun 20 15:25:03 2024 +0200

    ASoC: fsl-asoc-card: set priv->pdev before using it
    
    [ Upstream commit 90f3feb24172185f1832636264943e8b5e289245 ]
    
    priv->pdev pointer was set after being used in
    fsl_asoc_card_audmux_init().
    Move this assignment at the start of the probe function, so
    sub-functions can correctly use pdev through priv.
    
    fsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the
    dev struct, used with dev_err macros.
    As priv is zero-initialised, there would be a NULL pointer dereference.
    Note that if priv->dev is dereferenced before assignment but never used,
    for example if there is no error to be printed, the driver won't crash
    probably due to compiler optimisations.
    
    Fixes: 708b4351f08c ("ASoC: fsl: Add Freescale Generic ASoC Sound Card with ASRC support")
    Signed-off-by: Elinor Montmasson <elinor.montmasson@savoirfairelinux.com>
    Link: https://patch.msgid.link/20240620132511.4291-2-elinor.montmasson@savoirfairelinux.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ata: libata-core: Fix double free on error [+ + +]
Author: Niklas Cassel <cassel@kernel.org>
Date:   Sat Jun 29 14:42:13 2024 +0200

    ata: libata-core: Fix double free on error
    
    commit ab9e0c529eb7cafebdd31fe1644524e80a48b05d upstream.
    
    If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump
    to the err_out label, which will call devres_release_group().
    devres_release_group() will trigger a call to ata_host_release().
    ata_host_release() calls kfree(host), so executing the kfree(host) in
    ata_host_alloc() will lead to a double free:
    
    kernel BUG at mm/slub.c:553!
    Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
    RIP: 0010:kfree+0x2cf/0x2f0
    Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da
    RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246
    RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320
    RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0
    RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000
    R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780
    R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006
    FS:  00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0
    PKRU: 55555554
    Call Trace:
     <TASK>
     ? __die_body.cold+0x19/0x27
     ? die+0x2e/0x50
     ? do_trap+0xca/0x110
     ? do_error_trap+0x6a/0x90
     ? kfree+0x2cf/0x2f0
     ? exc_invalid_op+0x50/0x70
     ? kfree+0x2cf/0x2f0
     ? asm_exc_invalid_op+0x1a/0x20
     ? ata_host_alloc+0xf5/0x120 [libata]
     ? ata_host_alloc+0xf5/0x120 [libata]
     ? kfree+0x2cf/0x2f0
     ata_host_alloc+0xf5/0x120 [libata]
     ata_host_alloc_pinfo+0x14/0xa0 [libata]
     ahci_init_one+0x6c9/0xd20 [ahci]
    
    Ensure that we will not call kfree(host) twice, by performing the kfree()
    only if the devres_open_group() call failed.
    
    Fixes: dafd6c496381 ("libata: ensure host is free'd on error exit paths")
    Cc: stable@vger.kernel.org
    Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
    Reviewed-by: Hannes Reinecke <hare@suse.de>
    Link: https://lore.kernel.org/r/20240629124210.181537-9-cassel@kernel.org
    Signed-off-by: Niklas Cassel <cassel@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
batman-adv: bypass empty buckets in batadv_purge_orig_ref() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Mar 30 15:54:38 2024 +0000

    batman-adv: bypass empty buckets in batadv_purge_orig_ref()
    
    [ Upstream commit 40dc8ab605894acae1473e434944924a22cfaaa0 ]
    
    Many syzbot reports are pointing to soft lockups in
    batadv_purge_orig_ref() [1]
    
    Root cause is unknown, but we can avoid spending too much
    time there and perhaps get more interesting reports.
    
    [1]
    
    watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]
    Modules linked in:
    irq event stamp: 6182794
     hardirqs last  enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
     hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
     hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
     softirqs last  enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
     softirqs last  enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
     softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline]
     softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271
    CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
    Workqueue: bat_events batadv_purge_orig
    pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]
     pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388
     lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386
    sp : ffff800099007970
    x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000
    x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001
    x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4
    x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0
    x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001
    x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003
    x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000
    x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000
    x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
    x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000
    Call trace:
      __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
      arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]
      __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386
      __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
      _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210
      spin_unlock_bh include/linux/spinlock.h:396 [inline]
      batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287
      batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300
      process_one_work+0x694/0x1204 kernel/workqueue.c:2633
      process_scheduled_works kernel/workqueue.c:2706 [inline]
      worker_thread+0x938/0xef4 kernel/workqueue.c:2787
      kthread+0x288/0x310 kernel/kthread.c:388
      ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
    Sending NMI from CPU 0 to CPUs 1:
    NMI backtrace for cpu 1
    CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
    pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51
     lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103
    sp : ffff800093a17d30
    x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4
    x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002
    x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000
    x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396
    x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001
    x14: 1fffe00036805f10 x13: 0000000000000000 x12: 0000000000000003
    x11: 0000000000000001 x10: 0000000000000003 x9 : 0000000000000000
    x8 : 00000000000ce8d1 x7 : ffff8000804609e4 x6 : 0000000000000000
    x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008ad6aac0
    x2 : 0000000000000000 x1 : ffff80008aedea60 x0 : ffff800125436000
    Call trace:
      __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
      arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:49
      cpuidle_idle_call kernel/sched/idle.c:170 [inline]
      do_idle+0x1f0/0x4e8 kernel/sched/idle.c:312
      cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:410
      secondary_start_kernel+0x198/0x1c0 arch/arm64/kernel/smp.c:272
      __secondary_switched+0xb8/0xbc arch/arm64/kernel/head.S:404
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: Don't accept TT entries for out-of-spec VIDs [+ + +]
Author: Sven Eckelmann <sven@narfation.org>
Date:   Sat May 4 21:57:30 2024 +0200

    batman-adv: Don't accept TT entries for out-of-spec VIDs
    
    commit 537a350d14321c8cca5efbf0a33a404fec3a9f9e upstream.
    
    The internal handling of VLAN IDs in batman-adv is only specified for
    following encodings:
    
    * VLAN is used
      - bit 15 is 1
      - bit 11 - bit 0 is the VLAN ID (0-4095)
      - remaining bits are 0
    * No VLAN is used
      - bit 15 is 0
      - remaining bits are 0
    
    batman-adv was only preparing new translation table entries (based on its
    soft interface information) using this encoding format. But the receive
    path was never checking if entries in the roam or TT TVLVs were also
    following this encoding.
    
    It was therefore possible to create more than the expected maximum of 4096
    + 1 entries in the originator VLAN list. Simply by setting the "remaining
    bits" to "random" values in corresponding TVLV.
    
    Cc: stable@vger.kernel.org
    Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
    Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ [+ + +]
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Mon May 20 16:03:07 2024 -0400

    Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
    
    [ Upstream commit 806a5198c05987b748b50f3d0c0cfb3d417381a4 ]
    
    This removes the bogus check for max > hcon->le_conn_max_interval since
    the later is just the initial maximum conn interval not the maximum the
    stack could support which is really 3200=4000ms.
    
    In order to pass GAP/CONN/CPUP/BV-05-C one shall probably enter values
    of the following fields in IXIT that would cause hci_check_conn_params
    to fail:
    
    TSPX_conn_update_int_min
    TSPX_conn_update_int_max
    TSPX_conn_update_peripheral_latency
    TSPX_conn_update_supervision_timeout
    
    Link: https://github.com/bluez/bluez/issues/847
    Fixes: e4b019515f95 ("Bluetooth: Enforce validation on max value of connection interval")
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
cipso: fix total option length computation [+ + +]
Author: Ondrej Mosnacek <omosnace@redhat.com>
Date:   Fri Jun 7 18:07:52 2024 +0200

    cipso: fix total option length computation
    
    [ Upstream commit 9f36169912331fa035d7b73a91252d7c2512eb1a ]
    
    As evident from the definition of ip_options_get(), the IP option
    IPOPT_END is used to pad the IP option data array, not IPOPT_NOP. Yet
    the loop that walks the IP options to determine the total IP options
    length in cipso_v4_delopt() doesn't take IPOPT_END into account.
    
    Fix it by recognizing the IPOPT_END value as the end of actual options.
    
    Fixes: 014ab19a69c3 ("selinux: Set socket NetLabel based on connection endpoint")
    Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
dmaengine: axi-dmac: fix possible race in remove() [+ + +]
Author: Nuno Sa <nuno.sa@analog.com>
Date:   Thu Mar 28 14:58:50 2024 +0100

    dmaengine: axi-dmac: fix possible race in remove()
    
    commit 1bc31444209c8efae98cb78818131950d9a6f4d6 upstream.
    
    We need to first free the IRQ before calling of_dma_controller_free().
    Otherwise we could get an interrupt and schedule a tasklet while
    removing the DMA controller.
    
    Fixes: 0e3b67b348b8 ("dmaengine: Add support for the Analog Devices AXI-DMAC DMA controller")
    Cc: stable@kernel.org
    Signed-off-by: Nuno Sa <nuno.sa@analog.com>
    Link: https://lore.kernel.org/r/20240328-axi-dmac-devm-probe-v3-1-523c0176df70@analog.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: ioatdma: Fix missing kmem_cache_destroy() [+ + +]
Author: Nikita Shubin <n.shubin@yadro.com>
Date:   Tue May 14 13:52:31 2024 +0300

    dmaengine: ioatdma: Fix missing kmem_cache_destroy()
    
    [ Upstream commit 5422145d0b749ad554ada772133b9b20f9fb0ec8 ]
    
    Fix missing kmem_cache_destroy() for ioat_sed_cache in
    ioat_exit_module().
    
    Noticed via:
    
    ```
    modprobe ioatdma
    rmmod ioatdma
    modprobe ioatdma
    debugfs: Directory 'ioat_sed_ent' with parent 'slab' already present!
    ```
    
    Fixes: c0f28ce66ecf ("dmaengine: ioatdma: move all the init routines")
    Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
    Acked-by: Dave Jiang <dave.jiang@intel.com>
    Link: https://lore.kernel.org/r/20240514-ioatdma_fixes-v1-1-2776a0913254@yadro.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drivers: core: synchronize really_probe() and dev_uevent() [+ + +]
Author: Dirk Behme <dirk.behme@de.bosch.com>
Date:   Mon May 13 07:06:34 2024 +0200

    drivers: core: synchronize really_probe() and dev_uevent()
    
    commit c0a40097f0bc81deafc15f9195d1fb54595cd6d0 upstream.
    
    Synchronize the dev->driver usage in really_probe() and dev_uevent().
    These can run in different threads, what can result in the following
    race condition for dev->driver uninitialization:
    
    Thread #1:
    ==========
    
    really_probe() {
    ...
    probe_failed:
    ...
    device_unbind_cleanup(dev) {
        ...
        dev->driver = NULL;   // <= Failed probe sets dev->driver to NULL
        ...
        }
    ...
    }
    
    Thread #2:
    ==========
    
    dev_uevent() {
    ...
    if (dev->driver)
          // If dev->driver is NULLed from really_probe() from here on,
          // after above check, the system crashes
          add_uevent_var(env, "DRIVER=%s", dev->driver->name);
    ...
    }
    
    really_probe() holds the lock, already. So nothing needs to be done
    there. dev_uevent() is called with lock held, often, too. But not
    always. What implies that we can't add any locking in dev_uevent()
    itself. So fix this race by adding the lock to the non-protected
    path. This is the path where above race is observed:
    
     dev_uevent+0x235/0x380
     uevent_show+0x10c/0x1f0  <= Add lock here
     dev_attr_show+0x3a/0xa0
     sysfs_kf_seq_show+0x17c/0x250
     kernfs_seq_show+0x7c/0x90
     seq_read_iter+0x2d7/0x940
     kernfs_fop_read_iter+0xc6/0x310
     vfs_read+0x5bc/0x6b0
     ksys_read+0xeb/0x1b0
     __x64_sys_read+0x42/0x50
     x64_sys_call+0x27ad/0x2d30
     do_syscall_64+0xcd/0x1d0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Similar cases are reported by syzkaller in
    
    https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a
    
    But these are regarding the *initialization* of dev->driver
    
    dev->driver = drv;
    
    As this switches dev->driver to non-NULL these reports can be considered
    to be false-positives (which should be "fixed" by this commit, as well,
    though).
    
    The same issue was reported and tried to be fixed back in 2015 in
    
    https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/
    
    already.
    
    Fixes: 239378f16aa1 ("Driver core: add uevent vars for devices of a class")
    Cc: stable <stable@kernel.org>
    Cc: syzbot+ffa8143439596313a85a@syzkaller.appspotmail.com
    Cc: Ashish Sangwan <a.sangwan@samsung.com>
    Cc: Namjae Jeon <namjae.jeon@samsung.com>
    Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
    Link: https://lore.kernel.org/r/20240513050634.3964461-1-dirk.behme@de.bosch.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/amd/display: Handle Y carry-over in VCP X.Y calculation [+ + +]
Author: George Shen <george.shen@amd.com>
Date:   Thu Sep 16 19:55:39 2021 -0400

    drm/amd/display: Handle Y carry-over in VCP X.Y calculation
    
    [ Upstream commit 3626a6aebe62ce7067cdc460c0c644e9445386bb ]
    
    [Why/How]
    Theoretically rare corner case where ceil(Y) results in rounding
    up to an integer. If this happens, the 1 should be carried over to
    the X value.
    
    Reviewed-by: Wenjing Liu <wenjing.liu@amd.com>
    Acked-by: Anson Jacob <Anson.Jacob@amd.com>
    Signed-off-by: George Shen <george.shen@amd.com>
    Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/amdgpu: fix UBSAN warning in kv_dpm.c [+ + +]
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Mon May 20 09:05:21 2024 -0400

    drm/amdgpu: fix UBSAN warning in kv_dpm.c
    
    [ Upstream commit f0d576f840153392d04b2d52cf3adab8f62e8cb6 ]
    
    Adds bounds check for sumo_vid_mapping_entry.
    
    Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3392
    Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/bridge/panel: Fix runtime warning on panel bridge release [+ + +]
Author: Adam Miotk <adam.miotk@arm.com>
Date:   Mon Jun 10 11:27:39 2024 +0100

    drm/bridge/panel: Fix runtime warning on panel bridge release
    
    [ Upstream commit ce62600c4dbee8d43b02277669dd91785a9b81d9 ]
    
    Device managed panel bridge wrappers are created by calling to
    drm_panel_bridge_add_typed() and registering a release handler for
    clean-up when the device gets unbound.
    
    Since the memory for this bridge is also managed and linked to the panel
    device, the release function should not try to free that memory.
    Moreover, the call to devm_kfree() inside drm_panel_bridge_remove() will
    fail in this case and emit a warning because the panel bridge resource
    is no longer on the device resources list (it has been removed from
    there before the call to release handlers).
    
    Fixes: 67022227ffb1 ("drm/bridge: Add a devm_ allocator for panel bridge.")
    Signed-off-by: Adam Miotk <adam.miotk@arm.com>
    Signed-off-by: Maxime Ripard <mripard@kernel.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240610102739.139852-1-adam.miotk@arm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/exynos/vidi: fix memory leak in .get_modes() [+ + +]
Author: Jani Nikula <jani.nikula@intel.com>
Date:   Thu May 30 13:01:51 2024 +0300

    drm/exynos/vidi: fix memory leak in .get_modes()
    
    commit 38e3825631b1f314b21e3ade00b5a4d737eb054e upstream.
    
    The duplicated EDID is never freed. Fix it.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes [+ + +]
Author: Ma Ke <make24@iscas.ac.cn>
Date:   Tue Jun 25 16:10:29 2024 +0800

    drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes
    
    commit 6d411c8ccc0137a612e0044489030a194ff5c843 upstream.
    
    In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is
    assigned to mode, which will lead to a possible NULL pointer dereference
    on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().
    Add a check to avoid null pointer dereference.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ma Ke <make24@iscas.ac.cn>
    Signed-off-by: Lyude Paul <lyude@redhat.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240625081029.2619437-1-make24@iscas.ac.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes [+ + +]
Author: Ma Ke <make24@iscas.ac.cn>
Date:   Tue Jun 25 16:18:28 2024 +0800

    drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes
    
    commit 66edf3fb331b6c55439b10f9862987b0916b3726 upstream.
    
    In nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is
    assigned to mode, which will lead to a possible NULL pointer dereference
    on failure of drm_mode_duplicate(). Add a check to avoid npd.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ma Ke <make24@iscas.ac.cn>
    Signed-off-by: Lyude Paul <lyude@redhat.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240625081828.2620794-1-make24@iscas.ac.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep [+ + +]
Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Date:   Sun Mar 17 17:48:39 2024 +0200

    drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep
    
    [ Upstream commit ee7860cd8b5763017f8dc785c2851fecb7a0c565 ]
    
    The ilitek-ili9881c controls the reset GPIO using the non-sleeping
    gpiod_set_value() function. This complains loudly when the GPIO
    controller needs to sleep. As the caller can sleep, use
    gpiod_set_value_cansleep() to fix the issue.
    
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
    Link: https://lore.kernel.org/r/20240317154839.21260-1-laurent.pinchart@ideasonboard.com
    Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240317154839.21260-1-laurent.pinchart@ideasonboard.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/radeon: fix UBSAN warning in kv_dpm.c [+ + +]
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Mon May 20 09:11:45 2024 -0400

    drm/radeon: fix UBSAN warning in kv_dpm.c
    
    commit a498df5421fd737d11bfd152428ba6b1c8538321 upstream.
    
    Adds bounds check for sumo_vid_mapping_entry.
    
    Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fs/proc: fix softlockup in __read_vmcore [+ + +]
Author: Rik van Riel <riel@surriel.com>
Date:   Tue May 7 09:18:58 2024 -0400

    fs/proc: fix softlockup in __read_vmcore
    
    commit 5cbcb62dddf5346077feb82b7b0c9254222d3445 upstream.
    
    While taking a kernel core dump with makedumpfile on a larger system,
    softlockup messages often appear.
    
    While softlockup warnings can be harmless, they can also interfere with
    things like RCU freeing memory, which can be problematic when the kdump
    kexec image is configured with as little memory as possible.
    
    Avoid the softlockup, and give things like work items and RCU a chance to
    do their thing during __read_vmcore by adding a cond_resched.
    
    Link: https://lkml.kernel.org/r/20240507091858.36ff767f@imladris.surriel.com
    Signed-off-by: Rik van Riel <riel@surriel.com>
    Acked-by: Baoquan He <bhe@redhat.com>
    Cc: Dave Young <dyoung@redhat.com>
    Cc: Vivek Goyal <vgoyal@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ftruncate: pass a signed offset [+ + +]
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Wed Jun 19 11:34:09 2024 +0200

    ftruncate: pass a signed offset
    
    commit 4b8e88e563b5f666446d002ad0dc1e6e8e7102b0 upstream.
    
    The old ftruncate() syscall, using the 32-bit off_t misses a sign
    extension when called in compat mode on 64-bit architectures.  As a
    result, passing a negative length accidentally succeeds in truncating
    to file size between 2GiB and 4GiB.
    
    Changing the type of the compat syscall to the signed compat_off_t
    changes the behavior so it instead returns -EINVAL.
    
    The native entry point, the truncate() syscall and the corresponding
    loff_t based variants are all correct already and do not suffer
    from this mistake.
    
    Fixes: 3f6d078d4acc ("fix compat truncate/ftruncate")
    Reviewed-by: Christian Brauner <brauner@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
gcov: add support for GCC 14 [+ + +]
Author: Peter Oberparleiter <oberpar@linux.ibm.com>
Date:   Mon Jun 10 11:27:43 2024 +0200

    gcov: add support for GCC 14
    
    commit c1558bc57b8e5b4da5d821537cd30e2e660861d8 upstream.
    
    Using gcov on kernels compiled with GCC 14 results in truncated 16-byte
    long .gcda files with no usable data.  To fix this, update GCOV_COUNTERS
    to match the value defined by GCC 14.
    
    Tested with GCC versions 14.1.0 and 13.2.0.
    
    Link: https://lkml.kernel.org/r/20240610092743.1609845-1-oberpar@linux.ibm.com
    Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
    Reported-by: Allison Henderson <allison.henderson@oracle.com>
    Reported-by: Chuck Lever III <chuck.lever@oracle.com>
    Tested-by: Chuck Lever <chuck.lever@oracle.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
gpio: davinci: Validate the obtained number of IRQs [+ + +]
Author: Aleksandr Mishin <amishin@t-argos.ru>
Date:   Tue Jun 18 17:43:44 2024 +0300

    gpio: davinci: Validate the obtained number of IRQs
    
    [ Upstream commit 7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164 ]
    
    Value of pdata->gpio_unbanked is taken from Device Tree. In case of broken
    DT due to any error this value can be any. Without this value validation
    there can be out of chips->irqs array boundaries access in
    davinci_gpio_probe().
    
    Validate the obtained nirq value so that it won't exceed the maximum
    number of IRQs per bank.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: eb3744a2dd01 ("gpio: davinci: Do not assume continuous IRQ numbering")
    Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
    Link: https://lore.kernel.org/r/20240618144344.16943-1-amishin@t-argos.ru
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hexagon: fix fadvise64_64 calling conventions [+ + +]
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Thu Jun 20 15:24:11 2024 +0200

    hexagon: fix fadvise64_64 calling conventions
    
    commit 896842284c6ccba25ec9d78b7b6e62cdd507c083 upstream.
    
    fadvise64_64() has two 64-bit arguments at the wrong alignment
    for hexagon, which turns them into a 7-argument syscall that is
    not supported by Linux.
    
    The downstream musl port for hexagon actually asks for a 6-argument
    version the same way we do it on arm, csky, powerpc, so make the
    kernel do it the same way to avoid having to change both.
    
    Link: https://github.com/quic/musl/blob/hexagon/arch/hexagon/syscall_arch.h#L78
    Cc: stable@vger.kernel.org
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
HID: core: remove unnecessary WARN_ON() in implement() [+ + +]
Author: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Date:   Fri May 17 07:19:14 2024 -0700

    HID: core: remove unnecessary WARN_ON() in implement()
    
    [ Upstream commit 4aa2dcfbad538adf7becd0034a3754e1bd01b2b5 ]
    
    Syzkaller hit a warning [1] in a call to implement() when trying
    to write a value into a field of smaller size in an output report.
    
    Since implement() already has a warn message printed out with the
    help of hid_warn() and value in question gets trimmed with:
            ...
            value &= m;
            ...
    WARN_ON may be considered superfluous. Remove it to suppress future
    syzkaller triggers.
    
    [1]
    WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline]
    WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863
    Modules linked in:
    CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
    RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline]
    RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863
    ...
    Call Trace:
     <TASK>
     __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline]
     usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636
     hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726
     vfs_ioctl fs/ioctl.c:51 [inline]
     __do_sys_ioctl fs/ioctl.c:904 [inline]
     __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    ...
    
    Fixes: 95d1c8951e5b ("HID: simplify implement() a bit")
    Reported-by: <syzbot+5186630949e3c55f0799@syzkaller.appspotmail.com>
    Suggested-by: Alan Stern <stern@rowland.harvard.edu>
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
    Signed-off-by: Jiri Kosina <jkosina@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hugetlb_encode.h: fix undefined behaviour (34 << 26) [+ + +]
Author: Matthias Goergens <matthias.goergens@gmail.com>
Date:   Mon Sep 5 11:19:04 2022 +0800

    hugetlb_encode.h: fix undefined behaviour (34 << 26)
    
    commit 710bb68c2e3a24512e2d2bae470960d7488e97b1 upstream.
    
    Left-shifting past the size of your datatype is undefined behaviour in C.
    The literal 34 gets the type `int`, and that one is not big enough to be
    left shifted by 26 bits.
    
    An `unsigned` is long enough (on any machine that has at least 32 bits for
    their ints.)
    
    For uniformity, we mark all the literals as unsigned.  But it's only
    really needed for HUGETLB_FLAG_ENCODE_16GB.
    
    Thanks to Randy Dunlap for an initial review and suggestion.
    
    Link: https://lkml.kernel.org/r/20220905031904.150925-1-matthias.goergens@gmail.com
    Signed-off-by: Matthias Goergens <matthias.goergens@gmail.com>
    Acked-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: Mike Kravetz <mike.kravetz@oracle.com>
    Cc: Muchun Song <songmuchun@bytedance.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    [cmllamas: fix trivial conflict due to missing page encondigs]
    Signed-off-by: Carlos Llamas <cmllamas@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
hv_utils: drain the timesync packets on onchannelcallback [+ + +]
Author: Vineeth Pillai <viremana@linux.microsoft.com>
Date:   Fri Aug 21 15:28:49 2020 +0000

    hv_utils: drain the timesync packets on onchannelcallback
    
    commit b46b4a8a57c377b72a98c7930a9f6969d2d4784e upstream.
    
    There could be instances where a system stall prevents the timesync
    packets to be consumed. And this might lead to more than one packet
    pending in the ring buffer. Current code empties one packet per callback
    and it might be a stale one. So drain all the packets from ring buffer
    on each callback.
    
    Signed-off-by: Vineeth Pillai <viremana@linux.microsoft.com>
    Reviewed-by: Michael Kelley <mikelley@microsoft.com>
    Link: https://lore.kernel.org/r/20200821152849.99517-1-viremana@linux.microsoft.com
    Signed-off-by: Wei Liu <wei.liu@kernel.org>
    [ The upstream commit uses HV_HYP_PAGE_SIZE, which is not defined in 4.19.y.
      Fixed this manually for 4.19.y by using PAGE_SIZE instead.
    
      If there are multiple messages in the host-to-guest ringbuffer of the TimeSync
      device, 4.19.y only handles 1 message, and later the host puts new messages
      into the ringbuffer without signaling the guest because the ringbuffer is not
      empty, causing a "hung" ringbuffer. Backported the mainline fix for this issue. ]
    Signed-off-by: Dexuan Cui <decui@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
i2c: ocores: set IACK bit after core is enabled [+ + +]
Author: Grygorii Tertychnyi <grembeter@gmail.com>
Date:   Mon May 20 17:39:32 2024 +0200

    i2c: ocores: set IACK bit after core is enabled
    
    [ Upstream commit 5a72477273066b5b357801ab2d315ef14949d402 ]
    
    Setting IACK bit when core is disabled does not clear the "Interrupt Flag"
    bit in the status register, and the interrupt remains pending.
    
    Sometimes it causes failure for the very first message transfer, that is
    usually a device probe.
    
    Hence, set IACK bit after core is enabled to clear pending interrupt.
    
    Fixes: 18f98b1e3147 ("[PATCH] i2c: New bus driver for the OpenCores I2C controller")
    Signed-off-by: Grygorii Tertychnyi <grygorii.tertychnyi@leica-geosystems.com>
    Acked-by: Peter Korsgaard <peter@korsgaard.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

i2c: ocores: stop transfer on timeout [+ + +]
Author: Federico Vaga <federico.vaga@cern.ch>
Date:   Thu Feb 14 09:51:30 2019 +0100

    i2c: ocores: stop transfer on timeout
    
    [ Upstream commit e7663ef5ae0f02e3b902eb0305dec981333eb3e1 ]
    
    Detecting a timeout is ok, but we also need to assert a STOP command on
    the bus in order to prevent it from generating interrupts when there are
    no on going transfers.
    
    Example: very long transmission.
    
    1. ocores_xfer: START a transfer
    2. ocores_isr : handle byte by byte the transfer
    3. ocores_xfer: goes in timeout [[bugfix here]]
    4. ocores_xfer: return to I2C subsystem and to the I2C driver
    5. I2C driver : it may clean up the i2c_msg memory
    6. ocores_isr : receives another interrupt (pending bytes to be
                    transferred) but the i2c_msg memory is invalid now
    
    So, since the transfer was too long, we have to detect the timeout and
    STOP the transfer.
    
    Another point is that we have a critical region here. When handling the
    timeout condition we may have a running IRQ handler. For this reason I
    introduce a spinlock.
    
    In order to make easier to understan locking I have:
    - added a new function to handle timeout
    - modified the current ocores_process() function in order to be protected
      by the new spinlock
    Like this it is obvious at first sight that this locking serializes
    the execution of ocores_process() and ocores_process_timeout()
    
    Signed-off-by: Federico Vaga <federico.vaga@cern.ch>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Stable-dep-of: 5a7247727306 ("i2c: ocores: set IACK bit after core is enabled")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
iio: adc: ad7266: Fix variable checking bug [+ + +]
Author: Fernando Yang <hagisf@usp.br>
Date:   Mon Jun 3 15:07:54 2024 -0300

    iio: adc: ad7266: Fix variable checking bug
    
    commit a2b86132955268b2a1703082fbc2d4832fc001b8 upstream.
    
    The ret variable was not checked after iio_device_release_direct_mode(),
    which could possibly cause errors
    
    Fixes: c70df20e3159 ("iio: adc: ad7266: claim direct mode during sensor read")
    Signed-off-by: Fernando Yang <hagisf@usp.br>
    Link: https://lore.kernel.org/r/20240603180757.8560-1-hagisf@usp.br
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: chemical: bme680: Fix calibration data variable [+ + +]
Author: Vasileios Amoiridis <vassilisamir@gmail.com>
Date:   Thu Jun 6 23:22:54 2024 +0200

    iio: chemical: bme680: Fix calibration data variable
    
    commit b47c0fee73a810c4503c4a94ea34858a1d865bba upstream.
    
    According to the BME68x Sensor API [1], the h6 calibration
    data variable should be an unsigned integer of size 8.
    
    [1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x_defs.h#L789
    
    Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
    Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
    Link: https://lore.kernel.org/r/20240606212313.207550-3-vassilisamir@gmail.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: chemical: bme680: Fix overflows in compensate() functions [+ + +]
Author: Vasileios Amoiridis <vassilisamir@gmail.com>
Date:   Thu Jun 6 23:22:55 2024 +0200

    iio: chemical: bme680: Fix overflows in compensate() functions
    
    commit fdd478c3ae98c3f13628e110dce9b6cfb0d9b3c8 upstream.
    
    There are cases in the compensate functions of the driver that
    there could be overflows of variables due to bit shifting ops.
    These implications were initially discussed here [1] and they
    were mentioned in log message of Commit 1b3bd8592780 ("iio:
    chemical: Add support for Bosch BME680 sensor").
    
    [1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/
    
    Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
    Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
    Link: https://lore.kernel.org/r/20240606212313.207550-4-vassilisamir@gmail.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: chemical: bme680: Fix pressure value output [+ + +]
Author: Vasileios Amoiridis <vassilisamir@gmail.com>
Date:   Thu Jun 6 23:22:53 2024 +0200

    iio: chemical: bme680: Fix pressure value output
    
    commit ae1f7b93b52095be6776d0f34957b4f35dda44d9 upstream.
    
    The IIO standard units are measured in kPa while the driver
    is using hPa.
    
    Apart from checking the userspace value itself, it is mentioned also
    in the Bosch API [1] that the pressure value is in Pascal.
    
    [1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x_defs.h#L742
    
    Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
    Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
    Link: https://lore.kernel.org/r/20240606212313.207550-2-vassilisamir@gmail.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: chemical: bme680: Fix sensor data read operation [+ + +]
Author: Vasileios Amoiridis <vassilisamir@gmail.com>
Date:   Thu Jun 6 23:22:56 2024 +0200

    iio: chemical: bme680: Fix sensor data read operation
    
    commit 4241665e6ea063a9c1d734de790121a71db763fc upstream.
    
    A read operation is happening as follows:
    
    a) Set sensor to forced mode
    b) Sensor measures values and update data registers and sleeps again
    c) Read data registers
    
    In the current implementation the read operation happens immediately
    after the sensor is set to forced mode so the sensor does not have
    the time to update properly the registers. This leads to the following
    2 problems:
    
    1) The first ever value which is read by the register is always wrong
    2) Every read operation, puts the register into forced mode and reads
    the data that were calculated in the previous conversion.
    
    This behaviour was tested in 2 ways:
    
    1) The internal meas_status_0 register was read before and after every
    read operation in order to verify that the data were ready even before
    the register was set to forced mode and also to check that after the
    forced mode was set the new data were not yet ready.
    
    2) Physically changing the temperature and measuring the temperature
    
    This commit adds the waiting time in between the set of the forced mode
    and the read of the data. The function is taken from the Bosch BME68x
    Sensor API [1].
    
    [1]: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L490
    
    Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
    Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
    Link: https://lore.kernel.org/r/20240606212313.207550-5-vassilisamir@gmail.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock [+ + +]
Author: Sergiu Cuciurean <sergiu.cuciurean@analog.com>
Date:   Wed May 20 15:02:01 2020 +0300

    iio: dac: ad5592r-base: Replace indio_dev->mlock with own device lock
    
    [ Upstream commit 33c53cbf8f7bc8d62f6146a19da97c8594376ff0 ]
    
    As part of the general cleanup of indio_dev->mlock, this change replaces
    it with a local lock on the device's state structure.
    This also removes unused iio_dev pointers.
    
    Signed-off-by: Sergiu Cuciurean <sergiu.cuciurean@analog.com>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Stable-dep-of: 279428df8883 ("iio: dac: ad5592r: fix temperature channel scaling value")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

iio: dac: ad5592r: fix temperature channel scaling value [+ + +]
Author: Marc Ferland <marc.ferland@sonatest.com>
Date:   Wed May 1 11:05:54 2024 -0400

    iio: dac: ad5592r: fix temperature channel scaling value
    
    [ Upstream commit 279428df888319bf68f2686934897301a250bb84 ]
    
    The scale value for the temperature channel is (assuming Vref=2.5 and
    the datasheet):
    
        376.7897513
    
    When calculating both val and val2 for the temperature scale we
    use (3767897513/25) and multiply it by Vref (here I assume 2500mV) to
    obtain:
    
      2500 * (3767897513/25) ==> 376789751300
    
    Finally we divide with remainder by 10^9 to get:
    
        val = 376
        val2 = 789751300
    
    However, we return IIO_VAL_INT_PLUS_MICRO (should have been NANO) as
    the scale type. So when converting the raw temperature value to the
    'processed' temperature value we will get (assuming raw=810,
    offset=-753):
    
        processed = (raw + offset) * scale_val
                  = (810 + -753) * 376
                  = 21432
    
        processed += div((raw + offset) * scale_val2, 10^6)
                  += div((810 + -753) * 789751300, 10^6)
                  += 45015
        ==> 66447
        ==> 66.4 Celcius
    
    instead of the expected 21.5 Celsius.
    
    Fix this issue by changing IIO_VAL_INT_PLUS_MICRO to
    IIO_VAL_INT_PLUS_NANO.
    
    Fixes: 56ca9db862bf ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs")
    Signed-off-by: Marc Ferland <marc.ferland@sonatest.com>
    Link: https://lore.kernel.org/r/20240501150554.1871390-1-marc.ferland@sonatest.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

iio: dac: ad5592r: un-indent code-block for scale read [+ + +]
Author: Alexandru Ardelean <alexandru.ardelean@analog.com>
Date:   Mon Jul 6 14:02:58 2020 +0300

    iio: dac: ad5592r: un-indent code-block for scale read
    
    [ Upstream commit b004fe33034cc64f72c20923be71cf1e6c9a624c ]
    
    The next rework may require an unindentation of a code block in
    ad5592r_read_raw(), which would make review a bit more difficult.
    
    This change unindents the code block for reading the scale of the
    non-temperature channels.
    
    Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
    Link: https://lore.kernel.org/r/20200706110259.23947-2-alexandru.ardelean@analog.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Stable-dep-of: 279428df8883 ("iio: dac: ad5592r: fix temperature channel scaling value")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Input: try trimming too long modalias strings [+ + +]
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Mon Apr 29 14:50:41 2024 -0700

    Input: try trimming too long modalias strings
    
    commit 0774d19038c496f0c3602fb505c43e1b2d8eed85 upstream.
    
    If an input device declares too many capability bits then modalias
    string for such device may become too long and not fit into uevent
    buffer, resulting in failure of sending said uevent. This, in turn,
    may prevent userspace from recognizing existence of such devices.
    
    This is typically not a concern for real hardware devices as they have
    limited number of keys, but happen with synthetic devices such as
    ones created by xen-kbdfront driver, which creates devices as being
    capable of delivering all possible keys, since it doesn't know what
    keys the backend may produce.
    
    To deal with such devices input core will attempt to trim key data,
    in the hope that the rest of modalias string will fit in the given
    buffer. When trimming key data it will indicate that it is not
    complete by placing "+," sign, resulting in conversions like this:
    
    old: k71,72,73,74,78,7A,7B,7C,7D,8E,9E,A4,AD,E0,E1,E4,F8,174,
    new: k71,72,73,74,78,7A,7B,7C,+,
    
    This should allow existing udev rules continue to work with existing
    devices, and will also allow writing more complex rules that would
    recognize trimmed modalias and check input device characteristics by
    other means (for example by parsing KEY= data in uevent or parsing
    input device sysfs attributes).
    
    Note that the driver core may try adding more uevent environment
    variables once input core is done adding its own, so when forming
    modalias we can not use the entire available buffer, so we reduce
    it by somewhat an arbitrary amount (96 bytes).
    
    Reported-by: Jason Andryuk <jandryuk@gmail.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Tested-by: Jason Andryuk <jandryuk@gmail.com>
    Link: https://lore.kernel.org/r/ZjAWMQCJdrxZkvkB@google.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>

 
intel_th: pci: Add Granite Rapids SOC support [+ + +]
Author: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Date:   Mon Apr 29 16:01:15 2024 +0300

    intel_th: pci: Add Granite Rapids SOC support
    
    commit 854afe461b009801a171b3a49c5f75ea43e4c04c upstream.
    
    Add support for the Trace Hub in Granite Rapids SOC.
    
    Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20240429130119.1518073-12-alexander.shishkin@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

intel_th: pci: Add Granite Rapids support [+ + +]
Author: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Date:   Mon Apr 29 16:01:14 2024 +0300

    intel_th: pci: Add Granite Rapids support
    
    commit e44937889bdf4ecd1f0c25762b7226406b9b7a69 upstream.
    
    Add support for the Trace Hub in Granite Rapids.
    
    Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20240429130119.1518073-11-alexander.shishkin@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

intel_th: pci: Add Lunar Lake support [+ + +]
Author: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Date:   Mon Apr 29 16:01:19 2024 +0300

    intel_th: pci: Add Lunar Lake support
    
    commit f866b65322bfbc8fcca13c25f49e1a5c5a93ae4d upstream.
    
    Add support for the Trace Hub in Lunar Lake.
    
    Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20240429130119.1518073-16-alexander.shishkin@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

intel_th: pci: Add Meteor Lake-S support [+ + +]
Author: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Date:   Mon Apr 29 16:01:17 2024 +0300

    intel_th: pci: Add Meteor Lake-S support
    
    commit c4a30def564d75e84718b059d1a62cc79b137cf9 upstream.
    
    Add support for the Trace Hub in Meteor Lake-S.
    
    Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20240429130119.1518073-14-alexander.shishkin@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

intel_th: pci: Add Sapphire Rapids SOC support [+ + +]
Author: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Date:   Mon Apr 29 16:01:16 2024 +0300

    intel_th: pci: Add Sapphire Rapids SOC support
    
    commit 2e1da7efabe05cb0cf0b358883b2bc89080ed0eb upstream.
    
    Add support for the Trace Hub in Sapphire Rapids SOC.
    
    Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20240429130119.1518073-13-alexander.shishkin@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
iommu/amd: Fix sysfs leak in iommu init [+ + +]
Author: Kun(llfl) <llfl@linux.alibaba.com>
Date:   Thu May 9 08:42:20 2024 +0800

    iommu/amd: Fix sysfs leak in iommu init
    
    [ Upstream commit a295ec52c8624883885396fde7b4df1a179627c3 ]
    
    During the iommu initialization, iommu_init_pci() adds sysfs nodes.
    However, these nodes aren't remove in free_iommu_resources() subsequently.
    
    Fixes: 39ab9555c241 ("iommu: Add sysfs bindings for struct iommu_device")
    Signed-off-by: Kun(llfl) <llfl@linux.alibaba.com>
    Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
    Link: https://lore.kernel.org/r/c8e0d11c6ab1ee48299c288009cf9c5dae07b42d.1715215003.git.llfl@linux.alibaba.com
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipv6/route: Add a missing check on proc_dointvec [+ + +]
Author: Aditya Pakki <pakki001@umn.edu>
Date:   Mon Dec 24 10:30:17 2018 -0600

    ipv6/route: Add a missing check on proc_dointvec
    
    [ Upstream commit f0fb9b288d0a7e9cc324ae362e2dfd2cc2217ded ]
    
    While flushing the cache via  ipv6_sysctl_rtcache_flush(), the call
    to proc_dointvec() may fail. The fix adds a check that returns the
    error, on failure.
    
    Signed-off-by: Aditya Pakki <pakki001@umn.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Stable-dep-of: 14a20e5b4ad9 ("net/ipv6: Fix the RT cache flush via sysctl using a previous delay")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipv6: annotate some data-races around sk->sk_prot [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Apr 17 16:54:26 2023 +0000

    ipv6: annotate some data-races around sk->sk_prot
    
    commit 086d49058cd8471046ae9927524708820f5fd1c7 upstream.
    
    Changes from the original is that the applied code to inet6_sendmsg
    and inet6_recvmsg is ported to inet_sendmsg and inet_recvmsg because
    the same functions are shared between ipv4 and v6 in 4.19 kernel.
    
    The original commit message is as below.
    
    IPv6 has this hack changing sk->sk_prot when an IPv6 socket
    is 'converted' to an IPv4 one with IPV6_ADDRFORM option.
    
    This operation is only performed for TCP and UDP, knowing
    their 'struct proto' for the two network families are populated
    in the same way, and can not disappear while a reader
    might use and dereference sk->sk_prot.
    
    If we think about it all reads of sk->sk_prot while
    either socket lock or RTNL is not acquired should be using READ_ONCE().
    
    Also note that other layers like MPTCP, XFRM, CHELSIO_TLS also
    write over sk->sk_prot.
    
    BUG: KCSAN: data-race in inet6_recvmsg / ipv6_setsockopt
    
    write to 0xffff8881386f7aa8 of 8 bytes by task 26932 on cpu 0:
     do_ipv6_setsockopt net/ipv6/ipv6_sockglue.c:492 [inline]
     ipv6_setsockopt+0x3758/0x3910 net/ipv6/ipv6_sockglue.c:1019
     udpv6_setsockopt+0x85/0x90 net/ipv6/udp.c:1649
     sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3489
     __sys_setsockopt+0x209/0x2a0 net/socket.c:2180
     __do_sys_setsockopt net/socket.c:2191 [inline]
     __se_sys_setsockopt net/socket.c:2188 [inline]
     __x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    read to 0xffff8881386f7aa8 of 8 bytes by task 26911 on cpu 1:
     inet6_recvmsg+0x7a/0x210 net/ipv6/af_inet6.c:659
     ____sys_recvmsg+0x16c/0x320
     ___sys_recvmsg net/socket.c:2674 [inline]
     do_recvmmsg+0x3f5/0xae0 net/socket.c:2768
     __sys_recvmmsg net/socket.c:2847 [inline]
     __do_sys_recvmmsg net/socket.c:2870 [inline]
     __se_sys_recvmmsg net/socket.c:2863 [inline]
     __x64_sys_recvmmsg+0xde/0x160 net/socket.c:2863
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    value changed: 0xffffffff85e0e980 -> 0xffffffff85e01580
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 1 PID: 26911 Comm: syz-executor.3 Not tainted 5.17.0-rc2-syzkaller-00316-g0457e5153e0e-dirty #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Kazunori Kobayashi <kazunori.kobayashi@miraclelinux.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ipv6: Fix data races around sk->sk_prot. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Mon Apr 17 16:54:27 2023 +0000

    ipv6: Fix data races around sk->sk_prot.
    
    commit 364f997b5cfe1db0d63a390fe7c801fa2b3115f6 upstream.
    
    Commit 086d49058cd8 ("ipv6: annotate some data-races around sk->sk_prot")
    fixed some data-races around sk->sk_prot but it was not enough.
    
    Some functions in inet6_(stream|dgram)_ops still access sk->sk_prot
    without lock_sock() or rtnl_lock(), so they need READ_ONCE() to avoid
    load tearing.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Kazunori Kobayashi <kazunori.kobayashi@miraclelinux.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ipv6: prevent possible NULL dereference in rt6_probe() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Jun 15 15:14:54 2024 +0000

    ipv6: prevent possible NULL dereference in rt6_probe()
    
    [ Upstream commit b86762dbe19a62e785c189f313cda5b989931f37 ]
    
    syzbot caught a NULL dereference in rt6_probe() [1]
    
    Bail out if  __in6_dev_get() returns NULL.
    
    [1]
    Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
    CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
     RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
     RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
    Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19
    RSP: 0018:ffffc900034af070 EFLAGS: 00010203
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
    RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
    RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a
    R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000
    FS:  00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
      rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784
      nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496
      __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825
      find_rr_leaf net/ipv6/route.c:853 [inline]
      rt6_select net/ipv6/route.c:897 [inline]
      fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
      ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231
      pol_lookup_func include/net/ip6_fib.h:616 [inline]
      fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121
      ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]
      ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651
      ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147
      ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
      rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898
      inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg net/socket.c:745 [inline]
      sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
      new_sync_write fs/read_write.c:497 [inline]
      vfs_write+0x6b6/0x1140 fs/read_write.c:590
      ksys_write+0x1f8/0x260 fs/read_write.c:643
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Fixes: 52e1635631b3 ("[IPV6]: ROUTE: Add router_probe_interval sysctl.")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Link: https://lore.kernel.org/r/20240615151454.166404-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ipv6: sr: block BH in seg6_output_core() and seg6_input_core() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 31 13:26:34 2024 +0000

    ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
    
    [ Upstream commit c0b98ac1cc104f48763cdb27b1e9ac25fd81fc90 ]
    
    As explained in commit 1378817486d6 ("tipc: block BH
    before using dst_cache"), net/core/dst_cache.c
    helpers need to be called with BH disabled.
    
    Disabling preemption in seg6_output_core() is not good enough,
    because seg6_output_core() is called from process context,
    lwtunnel_output() only uses rcu_read_lock().
    
    We might be interrupted by a softirq, re-enter seg6_output_core()
    and corrupt dst_cache data structures.
    
    Fix the race by using local_bh_disable() instead of
    preempt_disable().
    
    Apply a similar change in seg6_input_core().
    
    Fixes: fa79581ea66c ("ipv6: sr: fix several BUGs when preemption is enabled")
    Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: David Lebrun <dlebrun@google.com>
    Acked-by: Paolo Abeni <pabeni@redhat.com>
    Link: https://lore.kernel.org/r/20240531132636.2637995-4-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
jfs: xattr: fix buffer overflow for invalid xattr [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue May 14 12:06:34 2024 +0200

    jfs: xattr: fix buffer overflow for invalid xattr
    
    commit 7c55b78818cfb732680c4a72ab270cc2d2ee3d0f upstream.
    
    When an xattr size is not what is expected, it is printed out to the
    kernel log in hex format as a form of debugging.  But when that xattr
    size is bigger than the expected size, printing it out can cause an
    access off the end of the buffer.
    
    Fix this all up by properly restricting the size of the debug hex dump
    in the kernel log.
    
    Reported-by: syzbot+9dfe490c8176301c1d06@syzkaller.appspotmail.com
    Cc: Dave Kleikamp <shaggy@kernel.org>
    Link: https://lore.kernel.org/r/2024051433-slider-cloning-98f9@gregkh
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 4.19.317 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Jul 5 09:00:36 2024 +0200

    Linux 4.19.317
    
    Link: https://lore.kernel.org/r/20240703102830.432293640@linuxfoundation.org
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet [+ + +]
Author: Aleksandr Mishin <amishin@t-argos.ru>
Date:   Wed Jun 5 13:11:35 2024 +0300

    liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
    
    [ Upstream commit c44711b78608c98a3e6b49ce91678cd0917d5349 ]
    
    In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,
    but then it is unconditionally passed to skb_add_rx_frag() which looks
    strange and could lead to null pointer dereference.
    
    lio_vf_rep_copy_packet() call trace looks like:
            octeon_droq_process_packets
             octeon_droq_fast_process_packets
              octeon_droq_dispatch_pkt
               octeon_create_recv_info
                ...search in the dispatch_list...
                 ->disp_fn(rdisp->rinfo, ...)
                  lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)
    In this path there is no code which sets pg_info->page to NULL.
    So this check looks unneeded and doesn't solve potential problem.
    But I guess the author had reason to add a check and I have no such card
    and can't do real test.
    In addition, the code in the function liquidio_push_packet() in
    liquidio/lio_core.c does exactly the same.
    
    Based on this, I consider the most acceptable compromise solution to
    adjust this issue by moving skb_add_rx_frag() into conditional scope.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: 1f233f327913 ("liquidio: switchdev support for LiquidIO NIC")
    Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
media: dvbdev: Initialize sbuf [+ + +]
Author: Ricardo Ribalda <ribalda@chromium.org>
Date:   Mon Mar 25 14:50:25 2024 +0000

    media: dvbdev: Initialize sbuf
    
    [ Upstream commit 17d1316de0d7dc1bdc5d6e3ad4efd30a9bf1a381 ]
    
    Because the size passed to copy_from_user() cannot be known beforehand,
    it needs to be checked during runtime with check_object_size. That makes
    gcc believe that the content of sbuf can be used before init.
    
    Fix:
    ./include/linux/thread_info.h:215:17: warning: ‘sbuf’ may be used uninitialized [-Wmaybe-uninitialized]
    
    Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: mc: mark the media devnode as registered from the, start [+ + +]
Author: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Date:   Fri Feb 23 09:46:19 2024 +0100

    media: mc: mark the media devnode as registered from the, start
    
    [ Upstream commit 4bc60736154bc9e0e39d3b88918f5d3762ebe5e0 ]
    
    First the media device node was created, and if successful it was
    marked as 'registered'. This leaves a small race condition where
    an application can open the device node and get an error back
    because the 'registered' flag was not yet set.
    
    Change the order: first set the 'registered' flag, then actually
    register the media device node. If that fails, then clear the flag.
    
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Fixes: cf4b9211b568 ("[media] media: Media device node support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mei: me: release irq in mei_me_pci_resume error path [+ + +]
Author: Tomas Winkler <tomas.winkler@intel.com>
Date:   Tue Jun 4 12:07:28 2024 +0300

    mei: me: release irq in mei_me_pci_resume error path
    
    commit 283cb234ef95d94c61f59e1cd070cd9499b51292 upstream.
    
    The mei_me_pci_resume doesn't release irq on the error path,
    in case mei_start() fails.
    
    Cc: <stable@kernel.org>
    Fixes: 33ec08263147 ("mei: revamp mei reset state machine")
    Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
    Link: https://lore.kernel.org/r/20240604090728.1027307-1-tomas.winkler@intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
MIPS: Octeon: Add PCIe link status check [+ + +]
Author: Songyang Li <leesongyang@outlook.com>
Date:   Wed Mar 20 23:22:00 2024 +0800

    MIPS: Octeon: Add PCIe link status check
    
    [ Upstream commit 29b83a64df3b42c88c0338696feb6fdcd7f1f3b7 ]
    
    The standard PCIe configuration read-write interface is used to
    access the configuration space of the peripheral PCIe devices
    of the mips processor after the PCIe link surprise down, it can
    generate kernel panic caused by "Data bus error". So it is
    necessary to add PCIe link status check for system protection.
    When the PCIe link is down or in training, assigning a value
    of 0 to the configuration address can prevent read-write behavior
    to the configuration space of peripheral PCIe devices, thereby
    preventing kernel panic.
    
    Signed-off-by: Songyang Li <leesongyang@outlook.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

MIPS: Routerboard 532: Fix vendor retry check code [+ + +]
Author: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Date:   Wed May 8 15:07:00 2024 +0300

    MIPS: Routerboard 532: Fix vendor retry check code
    
    [ Upstream commit ae9daffd9028f2500c9ac1517e46d4f2b57efb80 ]
    
    read_config_dword() contains strange condition checking ret for a
    number of values. The ret variable, however, is always zero because
    config_access() never returns anything else. Thus, the retry is always
    taken until number of tries is exceeded.
    
    The code looks like it wants to check *val instead of ret to see if the
    read gave an error response.
    
    Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system")
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos [+ + +]
Author: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Date:   Mon May 27 16:24:41 2024 +0300

    mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos
    
    commit ebc4fc34eae8ddfbef49f2bdaced1bf4167ef80d upstream.
    
    jmicron_pmos() and sdhci_pci_probe() use pci_{read,write}_config_byte()
    that return PCIBIOS_* codes. The return code is then returned as is by
    jmicron_probe() and sdhci_pci_probe(). Similarly, the return code is
    also returned as is from jmicron_resume(). Both probe and resume
    functions should return normal errnos.
    
    Convert PCIBIOS_* returns code using pcibios_err_to_errno() into normal
    errno before returning them the fix these issues.
    
    Fixes: 7582041ff3d4 ("mmc: sdhci-pci: fix simple_return.cocci warnings")
    Fixes: 45211e215984 ("sdhci: toggle JMicron PMOS setting")
    Cc: stable@vger.kernel.org
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Link: https://lore.kernel.org/r/20240527132443.14038-1-ilpo.jarvinen@linux.intel.com
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net/ipv6: Fix the RT cache flush via sysctl using a previous delay [+ + +]
Author: Petr Pavlu <petr.pavlu@suse.com>
Date:   Fri Jun 7 13:28:28 2024 +0200

    net/ipv6: Fix the RT cache flush via sysctl using a previous delay
    
    [ Upstream commit 14a20e5b4ad998793c5f43b0330d9e1388446cf3 ]
    
    The net.ipv6.route.flush system parameter takes a value which specifies
    a delay used during the flush operation for aging exception routes. The
    written value is however not used in the currently requested flush and
    instead utilized only in the next one.
    
    A problem is that ipv6_sysctl_rtcache_flush() first reads the old value
    of net->ipv6.sysctl.flush_delay into a local delay variable and then
    calls proc_dointvec() which actually updates the sysctl based on the
    provided input.
    
    Fix the problem by switching the order of the two operations.
    
    Fixes: 4990509f19e8 ("[NETNS][IPV6]: Make sysctls route per namespace.")
    Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Link: https://lore.kernel.org/r/20240607112828.30285-1-petr.pavlu@suse.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/iucv: Avoid explicit cpumask var allocation on stack [+ + +]
Author: Dawei Li <dawei.li@shingroup.cn>
Date:   Sun Mar 31 13:34:40 2024 +0800

    net/iucv: Avoid explicit cpumask var allocation on stack
    
    [ Upstream commit be4e1304419c99a164b4c0e101c7c2a756b635b9 ]
    
    For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask
    variable on stack is not recommended since it can cause potential stack
    overflow.
    
    Instead, kernel code should always use *cpumask_var API(s) to allocate
    cpumask var in config-neutral way, leaving allocation strategy to
    CONFIG_CPUMASK_OFFSTACK.
    
    Use *cpumask_var API(s) to address it.
    
    Signed-off-by: Dawei Li <dawei.li@shingroup.cn>
    Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
    Link: https://lore.kernel.org/r/20240331053441.1276826-2-dawei.li@shingroup.cn
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: usb: ax88179_178a: improve link status logs [+ + +]
Author: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
Date:   Thu Jun 20 15:34:31 2024 +0200

    net: usb: ax88179_178a: improve link status logs
    
    commit 058722ee350c0bdd664e467156feb2bf5d9cc271 upstream.
    
    Avoid spurious link status logs that may ultimately be wrong; for example,
    if the link is set to down with the cable plugged, then the cable is
    unplugged and after this the link is set to up, the last new log that is
    appearing is incorrectly telling that the link is up.
    
    In order to avoid errors, show link status logs after link_reset
    processing, and in order to avoid spurious as much as possible, only show
    the link loss when some link status change is detected.
    
    cc: stable@vger.kernel.org
    Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
    Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings [+ + +]
Author: Oliver Neukum <oneukum@suse.com>
Date:   Wed Jun 19 15:28:03 2024 +0200

    net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings
    
    [ Upstream commit fba383985354e83474f95f36d7c65feb75dba19d ]
    
    This functions retrieves values by passing a pointer. As the function
    that retrieves them can fail before touching the pointers, the variables
    must be initialized.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+5186630949e3c55f0799@syzkaller.appspotmail.com
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Link: https://lore.kernel.org/r/20240619132816.11526-1-oneukum@suse.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed Jun 26 23:15:38 2024 +0200

    netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
    
    [ Upstream commit 7931d32955e09d0a11b1fe0b6aac1bfa061c005c ]
    
    register store validation for NFT_DATA_VALUE is conditional, however,
    the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
    only requires a new helper function to infer the register type from the
    set datatype so this conditional check can be removed. Otherwise,
    pointer to chain object can be leaked through the registers.
    
    Fixes: 96518518cc41 ("netfilter: add nftables")
    Reported-by: Linus Torvalds <torvalds@linuxfoundation.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nf_tables: validate family when identifying table via handle [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jun 27 02:41:11 2024 +0200

    netfilter: nf_tables: validate family when identifying table via handle
    
    [ Upstream commit f6e1532a2697b81da00bfb184e99d15e01e9d98c ]
    
    Validate table family when looking up for it via NFTA_TABLE_HANDLE.
    
    Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle")
    Reported-by: Xingyuan Mo <hdthky0@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
netrom: Fix a memory leak in nr_heartbeat_expiry() [+ + +]
Author: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Date:   Thu Jun 13 08:23:00 2024 +0000

    netrom: Fix a memory leak in nr_heartbeat_expiry()
    
    [ Upstream commit 0b9130247f3b6a1122478471ff0e014ea96bb735 ]
    
    syzbot reported a memory leak in nr_create() [0].
    
    Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
    added sock_hold() to the nr_heartbeat_expiry() function, where
    a) a socket has a SOCK_DESTROY flag or
    b) a listening socket has a SOCK_DEAD flag.
    
    But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
    has already been closed and the nr_release() function has been called.
    So it makes no sense to hold the reference count because no one will
    call another nr_destroy_socket() and put it as in the case "b."
    
    nr_connect
      nr_establish_data_link
        nr_start_heartbeat
    
    nr_release
      switch (nr->state)
      case NR_STATE_3
        nr->state = NR_STATE_2
        sock_set_flag(sk, SOCK_DESTROY);
    
                            nr_rx_frame
                              nr_process_rx_frame
                                switch (nr->state)
                                case NR_STATE_2
                                  nr_state2_machine()
                                    nr_disconnect()
                                      nr_sk(sk)->state = NR_STATE_0
                                      sock_set_flag(sk, SOCK_DEAD)
    
                            nr_heartbeat_expiry
                              switch (nr->state)
                              case NR_STATE_0
                                if (sock_flag(sk, SOCK_DESTROY) ||
                                   (sk->sk_state == TCP_LISTEN
                                     && sock_flag(sk, SOCK_DEAD)))
                                   sock_hold()  // ( !!! )
                                   nr_destroy_socket()
    
    To fix the memory leak, let's call sock_hold() only for a listening socket.
    
    Found by InfoTeCS on behalf of Linux Verification Center
    (linuxtesting.org) with Syzkaller.
    
    [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
    
    Reported-by: syzbot+d327a1f3b12e1e206c16@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
    Fixes: 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
    Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Tue Jun 4 22:42:55 2024 +0900

    nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
    
    [ Upstream commit 7373a51e7998b508af7136530f3a997b286ce81c ]
    
    The error handling in nilfs_empty_dir() when a directory folio/page read
    fails is incorrect, as in the old ext2 implementation, and if the
    folio/page cannot be read or nilfs_check_folio() fails, it will falsely
    determine the directory as empty and corrupt the file system.
    
    In addition, since nilfs_empty_dir() does not immediately return on a
    failed folio/page read, but continues to loop, this can cause a long loop
    with I/O if i_size of the directory's inode is also corrupted, causing the
    log writer thread to wait and hang, as reported by syzbot.
    
    Fix these issues by making nilfs_empty_dir() immediately return a false
    value (0) if it fails to get a directory folio/page.
    
    Link: https://lkml.kernel.org/r/20240604134255.7165-1-konishi.ryusuke@gmail.com
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+c8166c541d3971bf6c87@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=c8166c541d3971bf6c87
    Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
    Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

nilfs2: fix potential kernel bug due to lack of writeback flag waiting [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Thu May 30 23:15:56 2024 +0900

    nilfs2: fix potential kernel bug due to lack of writeback flag waiting
    
    commit a4ca369ca221bb7e06c725792ac107f0e48e82e7 upstream.
    
    Destructive writes to a block device on which nilfs2 is mounted can cause
    a kernel bug in the folio/page writeback start routine or writeback end
    routine (__folio_start_writeback in the log below):
    
     kernel BUG at mm/page-writeback.c:3070!
     Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
     ...
     RIP: 0010:__folio_start_writeback+0xbaa/0x10e0
     Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff
      e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>
      0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00
     ...
     Call Trace:
      <TASK>
      nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]
      nilfs_segctor_construct+0x181/0x6b0 [nilfs2]
      nilfs_segctor_thread+0x548/0x11c0 [nilfs2]
      kthread+0x2f0/0x390
      ret_from_fork+0x4b/0x80
      ret_from_fork_asm+0x1a/0x30
      </TASK>
    
    This is because when the log writer starts a writeback for segment summary
    blocks or a super root block that use the backing device's page cache, it
    does not wait for the ongoing folio/page writeback, resulting in an
    inconsistent writeback state.
    
    Fix this issue by waiting for ongoing writebacks when putting
    folios/pages on the backing device into writeback state.
    
    Link: https://lkml.kernel.org/r/20240530141556.4411-1-konishi.ryusuke@gmail.com
    Fixes: 9ff05123e3bf ("nilfs2: segment constructor")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nilfs2: Remove check for PageError [+ + +]
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date:   Tue May 17 18:12:25 2022 -0400

    nilfs2: Remove check for PageError
    
    [ Upstream commit 79ea65563ad8aaab309d61eeb4d5019dd6cf5fa0 ]
    
    If read_mapping_page() encounters an error, it returns an errno, not a
    page with PageError set, so this test is not needed.
    
    Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
    Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

nilfs2: return the mapped address from nilfs_get_page() [+ + +]
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date:   Mon Nov 27 23:30:25 2023 +0900

    nilfs2: return the mapped address from nilfs_get_page()
    
    [ Upstream commit 09a46acb3697e50548bb265afa1d79163659dd85 ]
    
    In prepartion for switching from kmap() to kmap_local(), return the kmap
    address from nilfs_get_page() instead of having the caller look up
    page_address().
    
    [konishi.ryusuke: fixed a missing blank line after declaration]
    Link: https://lkml.kernel.org/r/20231127143036.2425-7-konishi.ryusuke@gmail.com
    Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nvme: fixup comment for nvme RDMA Provider Type [+ + +]
Author: Hannes Reinecke <hare@suse.de>
Date:   Mon Jun 17 09:27:27 2024 +0200

    nvme: fixup comment for nvme RDMA Provider Type
    
    [ Upstream commit f80a55fa90fa76d01e3fffaa5d0413e522ab9a00 ]
    
    PRTYPE is the provider type, not the QP service type.
    
    Fixes: eb793e2c9286 ("nvme.h: add NVMe over Fabrics definitions")
    Signed-off-by: Hannes Reinecke <hare@kernel.org>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Keith Busch <kbusch@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ocfs2: fix races between hole punching and AIO+DIO [+ + +]
Author: Su Yue <glass.su@suse.com>
Date:   Mon Apr 8 16:20:39 2024 +0800

    ocfs2: fix races between hole punching and AIO+DIO
    
    commit 952b023f06a24b2ad6ba67304c4c84d45bea2f18 upstream.
    
    After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block",
    fstests/generic/300 become from always failed to sometimes failed:
    
    ========================================================================
    [  473.293420 ] run fstests generic/300
    
    [  475.296983 ] JBD2: Ignoring recovery information on journal
    [  475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.
    [  494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found
    [  494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.
    [  494.292018 ] OCFS2: File system is now read-only.
    [  494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30
    [  494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3
    fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072
    =========================================================================
    
    In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten
    extents to a list.  extents are also inserted into extent tree in
    ocfs2_write_begin_nolock.  Then another thread call fallocate to puch a
    hole at one of the unwritten extent.  The extent at cpos was removed by
    ocfs2_remove_extent().  At end io worker thread, ocfs2_search_extent_list
    found there is no such extent at the cpos.
    
        T1                        T2                T3
                                  inode lock
                                    ...
                                    insert extents
                                    ...
                                  inode unlock
    ocfs2_fallocate
     __ocfs2_change_file_space
      inode lock
      lock ip_alloc_sem
      ocfs2_remove_inode_range inode
       ocfs2_remove_btree_range
        ocfs2_remove_extent
        ^---remove the extent at cpos 78723
      ...
      unlock ip_alloc_sem
      inode unlock
                                           ocfs2_dio_end_io
                                            ocfs2_dio_end_io_write
                                             lock ip_alloc_sem
                                             ocfs2_mark_extent_written
                                              ocfs2_change_extent_flag
                                               ocfs2_search_extent_list
                                               ^---failed to find extent
                                              ...
                                              unlock ip_alloc_sem
    
    In most filesystems, fallocate is not compatible with racing with AIO+DIO,
    so fix it by adding to wait for all dio before fallocate/punch_hole like
    ext4.
    
    Link: https://lkml.kernel.org/r/20240408082041.20925-3-glass.su@suse.com
    Fixes: b25801038da5 ("ocfs2: Support xfs style space reservation ioctls")
    Signed-off-by: Su Yue <glass.su@suse.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ocfs2: use coarse time for new created files [+ + +]
Author: Su Yue <glass.su@suse.com>
Date:   Mon Apr 8 16:20:41 2024 +0800

    ocfs2: use coarse time for new created files
    
    commit b8cb324277ee16f3eca3055b96fce4735a5a41c6 upstream.
    
    The default atime related mount option is '-o realtime' which means file
    atime should be updated if atime <= ctime or atime <= mtime.  atime should
    be updated in the following scenario, but it is not:
    ==========================================================
    $ rm /mnt/testfile;
    $ echo test > /mnt/testfile
    $ stat -c "%X %Y %Z" /mnt/testfile
    1711881646 1711881646 1711881646
    $ sleep 5
    $ cat /mnt/testfile > /dev/null
    $ stat -c "%X %Y %Z" /mnt/testfile
    1711881646 1711881646 1711881646
    ==========================================================
    
    And the reason the atime in the test is not updated is that ocfs2 calls
    ktime_get_real_ts64() in __ocfs2_mknod_locked during file creation.  Then
    inode_set_ctime_current() is called in inode_set_ctime_current() calls
    ktime_get_coarse_real_ts64() to get current time.
    
    ktime_get_real_ts64() is more accurate than ktime_get_coarse_real_ts64().
    In my test box, I saw ctime set by ktime_get_coarse_real_ts64() is less
    than ktime_get_real_ts64() even ctime is set later.  The ctime of the new
    inode is smaller than atime.
    
    The call trace is like:
    
    ocfs2_create
      ocfs2_mknod
        __ocfs2_mknod_locked
        ....
    
          ktime_get_real_ts64 <------- set atime,ctime,mtime, more accurate
          ocfs2_populate_inode
        ...
        ocfs2_init_acl
          ocfs2_acl_set_mode
            inode_set_ctime_current
              current_time
                ktime_get_coarse_real_ts64 <-------less accurate
    
    ocfs2_file_read_iter
      ocfs2_inode_lock_atime
        ocfs2_should_update_atime
          atime <= ctime ? <-------- false, ctime < atime due to accuracy
    
    So here call ktime_get_coarse_real_ts64 to set inode time coarser while
    creating new files.  It may lower the accuracy of file times.  But it's
    not a big deal since we already use coarse time in other places like
    ocfs2_update_inode_atime and inode_set_ctime_current.
    
    Link: https://lkml.kernel.org/r/20240408082041.20925-5-glass.su@suse.com
    Fixes: c62c38f6b91b ("ocfs2: replace CURRENT_TIME macro")
    Signed-off-by: Su Yue <glass.su@suse.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports [+ + +]
Author: Mario Limonciello <mario.limonciello@amd.com>
Date:   Thu Mar 7 10:37:09 2024 -0600

    PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports
    
    [ Upstream commit 256df20c590bf0e4d63ac69330cf23faddac3e08 ]
    
    Hewlett-Packard HP Pavilion 17 Notebook PC/1972 is an Intel Ivy Bridge
    system with a muxless AMD Radeon dGPU.  Attempting to use the dGPU fails
    with the following sequence:
    
      ACPI Error: Aborting method \AMD3._ON due to previous error (AE_AML_LOOP_TIMEOUT) (20230628/psparse-529)
      radeon 0000:01:00.0: not ready 1023ms after resume; waiting
      radeon 0000:01:00.0: not ready 2047ms after resume; waiting
      radeon 0000:01:00.0: not ready 4095ms after resume; waiting
      radeon 0000:01:00.0: not ready 8191ms after resume; waiting
      radeon 0000:01:00.0: not ready 16383ms after resume; waiting
      radeon 0000:01:00.0: not ready 32767ms after resume; waiting
      radeon 0000:01:00.0: not ready 65535ms after resume; giving up
      radeon 0000:01:00.0: Unable to change power state from D3cold to D0, device inaccessible
    
    The issue is that the Root Port the dGPU is connected to can't handle the
    transition from D3cold to D0 so the dGPU can't properly exit runtime PM.
    
    The existing logic in pci_bridge_d3_possible() checks for systems that are
    newer than 2015 to decide that D3 is safe.  This would nominally work for
    an Ivy Bridge system (which was discontinued in 2015), but this system
    appears to have continued to receive BIOS updates until 2017 and so this
    existing logic doesn't appropriately capture it.
    
    Add the system to bridge_d3_blacklist to prevent D3cold from being used.
    
    Link: https://lore.kernel.org/r/20240307163709.323-1-mario.limonciello@amd.com
    Reported-by: Eric Heintzmann <heintzmann.eric@free.fr>
    Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3229
    Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Tested-by: Eric Heintzmann <heintzmann.eric@free.fr>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
PCI: Add PCI_ERROR_RESPONSE and related definitions [+ + +]
Author: Naveen Naidu <naveennaidu479@gmail.com>
Date:   Thu Nov 18 19:33:11 2021 +0530

    PCI: Add PCI_ERROR_RESPONSE and related definitions
    
    [ Upstream commit 57bdeef4716689d9b0e3571034d65cf420f6efcd ]
    
    A config or MMIO read from a PCI device that doesn't exist or doesn't
    respond causes a PCI error. There's no real data to return to satisfy the
    CPU read, so most hardware fabricates ~0 data.
    
    Add a PCI_ERROR_RESPONSE definition for that and use it where appropriate
    to make these checks consistent and easier to find.
    
    Also add helper definitions PCI_SET_ERROR_RESPONSE() and
    PCI_POSSIBLE_ERROR() to make the code more readable.
    
    Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
    Link: https://lore.kernel.org/r/55563bf4dfc5d3fdc96695373c659d099bf175b1.1637243717.git.naveennaidu479@gmail.com
    Signed-off-by: Naveen Naidu <naveennaidu479@gmail.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Pali Rohár <pali@kernel.org>
    Stable-dep-of: c625dabbf1c4 ("x86/amd_nb: Check for invalid SMN reads")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id [+ + +]
Author: Rick Wertenbroek <rick.wertenbroek@gmail.com>
Date:   Wed Apr 3 16:45:08 2024 +0200

    PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id
    
    commit 2dba285caba53f309d6060fca911b43d63f41697 upstream.
    
    Remove wrong mask on subsys_vendor_id. Both the Vendor ID and Subsystem
    Vendor ID are u16 variables and are written to a u32 register of the
    controller. The Subsystem Vendor ID was always 0 because the u16 value
    was masked incorrectly with GENMASK(31,16) resulting in all lower 16
    bits being set to 0 prior to the shift.
    
    Remove both masks as they are unnecessary and set the register correctly
    i.e., the lower 16-bits are the Vendor ID and the upper 16-bits are the
    Subsystem Vendor ID.
    
    This is documented in the RK3399 TRM section 17.6.7.1.17
    
    [kwilczynski: removed unnecesary newline]
    Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
    Link: https://lore.kernel.org/linux-pci/20240403144508.489835-1-rick.wertenbroek@gmail.com
    Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com>
    Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
perf/core: Fix missing wakeup when waiting for context reference [+ + +]
Author: Haifeng Xu <haifeng.xu@shopee.com>
Date:   Mon May 13 10:39:48 2024 +0000

    perf/core: Fix missing wakeup when waiting for context reference
    
    [ Upstream commit 74751ef5c1912ebd3e65c3b65f45587e05ce5d36 ]
    
    In our production environment, we found many hung tasks which are
    blocked for more than 18 hours. Their call traces are like this:
    
    [346278.191038] __schedule+0x2d8/0x890
    [346278.191046] schedule+0x4e/0xb0
    [346278.191049] perf_event_free_task+0x220/0x270
    [346278.191056] ? init_wait_var_entry+0x50/0x50
    [346278.191060] copy_process+0x663/0x18d0
    [346278.191068] kernel_clone+0x9d/0x3d0
    [346278.191072] __do_sys_clone+0x5d/0x80
    [346278.191076] __x64_sys_clone+0x25/0x30
    [346278.191079] do_syscall_64+0x5c/0xc0
    [346278.191083] ? syscall_exit_to_user_mode+0x27/0x50
    [346278.191086] ? do_syscall_64+0x69/0xc0
    [346278.191088] ? irqentry_exit_to_user_mode+0x9/0x20
    [346278.191092] ? irqentry_exit+0x19/0x30
    [346278.191095] ? exc_page_fault+0x89/0x160
    [346278.191097] ? asm_exc_page_fault+0x8/0x30
    [346278.191102] entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    The task was waiting for the refcount become to 1, but from the vmcore,
    we found the refcount has already been 1. It seems that the task didn't
    get woken up by perf_event_release_kernel() and got stuck forever. The
    below scenario may cause the problem.
    
    Thread A                                        Thread B
    ...                                             ...
    perf_event_free_task                            perf_event_release_kernel
                                                       ...
                                                       acquire event->child_mutex
                                                       ...
                                                       get_ctx
       ...                                             release event->child_mutex
       acquire ctx->mutex
       ...
       perf_free_event (acquire/release event->child_mutex)
       ...
       release ctx->mutex
       wait_var_event
                                                       acquire ctx->mutex
                                                       acquire event->child_mutex
                                                       # move existing events to free_list
                                                       release event->child_mutex
                                                       release ctx->mutex
                                                       put_ctx
    ...                                             ...
    
    In this case, all events of the ctx have been freed, so we couldn't
    find the ctx in free_list and Thread A will miss the wakeup. It's thus
    necessary to add a wakeup after dropping the reference.
    
    Fixes: 1cf8dfe8a661 ("perf/core: Fix race between close() and fork()")
    Signed-off-by: Haifeng Xu <haifeng.xu@shopee.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
    Acked-by: Mark Rutland <mark.rutland@arm.com>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20240513103948.33570-1-haifeng.xu@shopee.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER [+ + +]
Author: Hagar Hemdan <hagarhem@amazon.com>
Date:   Tue Jun 4 08:58:38 2024 +0000

    pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER
    
    [ Upstream commit adec57ff8e66aee632f3dd1f93787c13d112b7a1 ]
    
    In create_pinctrl(), pinctrl_maps_mutex is acquired before calling
    add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()
    calls pinctrl_free(). However, pinctrl_free() attempts to acquire
    pinctrl_maps_mutex, which is already held by create_pinctrl(), leading to
    a potential deadlock.
    
    This patch resolves the issue by releasing pinctrl_maps_mutex before
    calling pinctrl_free(), preventing the deadlock.
    
    This bug was discovered and resolved using Coverity Static Analysis
    Security Testing (SAST) by Synopsys, Inc.
    
    Fixes: 42fed7ba44e4 ("pinctrl: move subsystem mutex to pinctrl_dev struct")
    Suggested-by: Maximilian Heyne <mheyne@amazon.de>
    Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
    Link: https://lore.kernel.org/r/20240604085838.3344-1-hagarhem@amazon.com
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins [+ + +]
Author: Huang-Huang Bao <i@eh5.me>
Date:   Thu Jun 6 20:57:52 2024 +0800

    pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins
    
    [ Upstream commit e8448a6c817c2aa6c6af785b1d45678bd5977e8d ]
    
    The pinmux bits for GPIO2-B0 to GPIO2-B6 actually have 2 bits width,
    correct the bank flag for GPIO2-B. The pinmux bits for GPIO2-B7 is
    recalculated so it remain unchanged.
    
    The pinmux bits for those pins are not explicitly specified in RK3328
    TRM, however we can get hint from pad name and its correspinding IOMUX
    setting for pins in interface descriptions. The correspinding IOMIX
    settings for GPIO2-B0 to GPIO2-B6 can be found in the same row next to
    occurrences of following pad names in RK3328 TRM.
    
    GPIO2-B0: IO_SPIclkm0_GPIO2B0vccio5
    GPIO2-B1: IO_SPItxdm0_GPIO2B1vccio5
    GPIO2-B2: IO_SPIrxdm0_GPIO2B2vccio5
    GPIO2-B3: IO_SPIcsn0m0_GPIO2B3vccio5
    GPIO2-B4: IO_SPIcsn1m0_FLASHvol_sel_GPIO2B4vccio5
    GPIO2-B5: IO_ I2C2sda_TSADCshut_GPIO2B5vccio5
    GPIO2-B6: IO_ I2C2scl_GPIO2B6vccio5
    
    This fix has been tested on NanoPi R2S for fixing confliting pinmux bits
    between GPIO2-B7 with GPIO2-B5.
    
    Signed-off-by: Huang-Huang Bao <i@eh5.me>
    Reviewed-by: Heiko Stuebner <heiko@sntech.de>
    Fixes: 3818e4a7678e ("pinctrl: rockchip: Add rk3328 pinctrl support")
    Link: https://lore.kernel.org/r/20240606125755.53778-2-i@eh5.me
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins [+ + +]
Author: Huang-Huang Bao <i@eh5.me>
Date:   Thu Jun 6 20:57:53 2024 +0800

    pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins
    
    [ Upstream commit 5ef6914e0bf578357b4c906ffe6b26e7eedb8ccf ]
    
    The pinmux bits for GPIO3-B1 to GPIO3-B6 pins are not explicitly
    specified in RK3328 TRM, however we can get hint from pad name and its
    correspinding IOMUX setting for pins in interface descriptions. The
    correspinding IOMIX settings for these pins can be found in the same
    row next to occurrences of following pad names in RK3328 TRM.
    
    GPIO3-B1:  IO_TSPd5m0_CIFdata5m0_GPIO3B1vccio6
    GPIO3-B2: IO_TSPd6m0_CIFdata6m0_GPIO3B2vccio6
    GPIO3-B3: IO_TSPd7m0_CIFdata7m0_GPIO3B3vccio6
    GPIO3-B4: IO_CARDclkm0_GPIO3B4vccio6
    GPIO3-B5: IO_CARDrstm0_GPIO3B5vccio6
    GPIO3-B6: IO_CARDdetm0_GPIO3B6vccio6
    
    Add pinmux data to rk3328_mux_recalced_data as mux register offset for
    these pins does not follow rockchip convention.
    
    Signed-off-by: Huang-Huang Bao <i@eh5.me>
    Reviewed-by: Heiko Stuebner <heiko@sntech.de>
    Fixes: 3818e4a7678e ("pinctrl: rockchip: Add rk3328 pinctrl support")
    Link: https://lore.kernel.org/r/20240606125755.53778-3-i@eh5.me
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set [+ + +]
Author: Huang-Huang Bao <i@eh5.me>
Date:   Thu Jun 6 20:57:55 2024 +0800

    pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set
    
    [ Upstream commit 4ea4d4808e342ddf89ba24b93ffa2057005aaced ]
    
    rockchip_pmx_set reset all pinmuxs in group to 0 in the case of error,
    add missing bank data retrieval in that code to avoid setting mux on
    unexpected pins.
    
    Fixes: 14797189b35e ("pinctrl: rockchip: add return value to rockchip_set_mux")
    Reviewed-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Huang-Huang Bao <i@eh5.me>
    Link: https://lore.kernel.org/r/20240606125755.53778-5-i@eh5.me
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc/io: Avoid clang null pointer arithmetic warnings [+ + +]
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Fri May 3 17:56:18 2024 +1000

    powerpc/io: Avoid clang null pointer arithmetic warnings
    
    [ Upstream commit 03c0f2c2b2220fc9cf8785cd7b61d3e71e24a366 ]
    
    With -Wextra clang warns about pointer arithmetic using a null pointer.
    When building with CONFIG_PCI=n, that triggers a warning in the IO
    accessors, eg:
    
      In file included from linux/arch/powerpc/include/asm/io.h:672:
      linux/arch/powerpc/include/asm/io-defs.h:23:1: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
         23 | DEF_PCI_AC_RET(inb, u8, (unsigned long port), (port), pio, port)
            | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ...
      linux/arch/powerpc/include/asm/io.h:591:53: note: expanded from macro '__do_inb'
        591 | #define __do_inb(port)          readb((PCI_IO_ADDR)_IO_BASE + port);
            |                                       ~~~~~~~~~~~~~~~~~~~~~ ^
    
    That is because when CONFIG_PCI=n, _IO_BASE is defined as 0.
    
    Although _IO_BASE is defined as plain 0, the cast (PCI_IO_ADDR) converts
    it to void * before the addition with port happens.
    
    Instead the addition can be done first, and then the cast. The resulting
    value will be the same, but avoids the warning, and also avoids void
    pointer arithmetic which is apparently non-standard.
    
    Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
    Closes: https://lore.kernel.org/all/CA+G9fYtEh8zmq8k8wE-8RZwW-Qr927RLTn+KqGnq1F=ptaaNsA@mail.gmail.com
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20240503075619.394467-1-mpe@ellerman.id.au
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc/pseries: Enforce hcall result buffer validity and size [+ + +]
Author: Nathan Lynch <nathanl@linux.ibm.com>
Date:   Mon Apr 8 09:08:31 2024 -0500

    powerpc/pseries: Enforce hcall result buffer validity and size
    
    [ Upstream commit ff2e185cf73df480ec69675936c4ee75a445c3e4 ]
    
    plpar_hcall(), plpar_hcall9(), and related functions expect callers to
    provide valid result buffers of certain minimum size. Currently this
    is communicated only through comments in the code and the compiler has
    no idea.
    
    For example, if I write a bug like this:
    
      long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE
      plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);
    
    This compiles with no diagnostics emitted, but likely results in stack
    corruption at runtime when plpar_hcall9() stores results past the end
    of the array. (To be clear this is a contrived example and I have not
    found a real instance yet.)
    
    To make this class of error less likely, we can use explicitly-sized
    array parameters instead of pointers in the declarations for the hcall
    APIs. When compiled with -Warray-bounds[1], the code above now
    provokes a diagnostic like this:
    
    error: array argument is too small;
    is of size 32, callee requires at least 72 [-Werror,-Warray-bounds]
       60 |                 plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,
          |                 ^                                   ~~~~~~
    
    [1] Enabled for LLVM builds but not GCC for now. See commit
        0da6e5fd6c37 ("gcc: disable '-Warray-bounds' for gcc-13 too") and
        related changes.
    
    Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20240408-pseries-hvcall-retbuf-v1-1-ebc73d7253cf@linux.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ptp: Fix error message on failed pin verification [+ + +]
Author: Karol Kolacinski <karol.kolacinski@intel.com>
Date:   Tue Jun 4 14:05:27 2024 +0200

    ptp: Fix error message on failed pin verification
    
    [ Upstream commit 323a359f9b077f382f4483023d096a4d316fd135 ]
    
    On failed verification of PTP clock pin, error message prints channel
    number instead of pin index after "pin", which is incorrect.
    
    Fix error message by adding channel number to the message and printing
    pin number instead of channel number.
    
    Fixes: 6092315dfdec ("ptp: introduce programmable pins.")
    Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
    Acked-by: Richard Cochran <richardcochran@gmail.com>
    Link: https://lore.kernel.org/r/20240604120555.16643-1-karol.kolacinski@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
pwm: stm32: Refuse too small period requests [+ + +]
Author: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Date:   Fri Jun 21 16:37:12 2024 +0200

    pwm: stm32: Refuse too small period requests
    
    commit c45fcf46ca2368dafe7e5c513a711a6f0f974308 upstream.
    
    If period_ns is small, prd might well become 0. Catch that case because
    otherwise with
    
            regmap_write(priv->regmap, TIM_ARR, prd - 1);
    
    a few lines down quite a big period is configured.
    
    Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm")
    Cc: stable@vger.kernel.org
    Reviewed-by: Trevor Gamblin <tgamblin@baylibre.com>
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
    Link: https://lore.kernel.org/r/b86f62f099983646f97eeb6bfc0117bb2d0c340d.1718979150.git.u.kleine-koenig@baylibre.com
    Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment [+ + +]
Author: Paul E. McKenney <paulmck@kernel.org>
Date:   Wed Mar 6 19:21:47 2024 -0800

    rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment
    
    [ Upstream commit 8b9b443fa860276822b25057cb3ff3b28734dec0 ]
    
    The "pipe_count > RCU_TORTURE_PIPE_LEN" check has a comment saying "Should
    not happen, but...".  This is only true when testing an RCU whose grace
    periods are always long enough.  This commit therefore fixes this comment.
    
    Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
    Closes: https://lore.kernel.org/lkml/CAHk-=wi7rJ-eGq+xaxVfzFEgbL9tdf6Kc8Z89rCpfcQOKm74Tw@mail.gmail.com/
    Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
    Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
regulator: core: Fix modpost error "regulator_get_regmap" undefined [+ + +]
Author: Biju Das <biju.das.jz@bp.renesas.com>
Date:   Mon Jun 10 20:55:32 2024 +0100

    regulator: core: Fix modpost error "regulator_get_regmap" undefined
    
    [ Upstream commit 3f60497c658d2072714d097a177612d34b34aa3d ]
    
    Fix the modpost error "regulator_get_regmap" undefined by adding export
    symbol.
    
    Fixes: 04eca28cde52 ("regulator: Add helpers for low-level register access")
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/oe-kbuild-all/202406110117.mk5UR3VZ-lkp@intel.com
    Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
    Link: https://lore.kernel.org/r/20240610195532.175942-1-biju.das.jz@bp.renesas.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
scsi: mpt3sas: Add ioc_ logging macros [+ + +]
Author: Joe Perches <joe@perches.com>
Date:   Mon Sep 17 08:01:08 2018 -0700

    scsi: mpt3sas: Add ioc_<level> logging macros
    
    [ Upstream commit 645a20c6821cd1ab58af8a1f99659e619c216efd ]
    
    These macros can help identify specific logging uses and eventually perhaps
    reduce object sizes.
    
    Signed-off-by: Joe Perches <joe@perches.com>
    Acked-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Stable-dep-of: 4254dfeda82f ("scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory [+ + +]
Author: Breno Leitao <leitao@debian.org>
Date:   Wed Jun 5 01:55:29 2024 -0700

    scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
    
    [ Upstream commit 4254dfeda82f20844299dca6c38cbffcfd499f41 ]
    
    There is a potential out-of-bounds access when using test_bit() on a single
    word. The test_bit() and set_bit() functions operate on long values, and
    when testing or setting a single word, they can exceed the word
    boundary. KASAN detects this issue and produces a dump:
    
             BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas
    
             Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965
    
    For full log, please look at [1].
    
    Make the allocation at least the size of sizeof(unsigned long) so that
    set_bit() and test_bit() have sufficient room for read/write operations
    without overwriting unallocated memory.
    
    [1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/
    
    Fixes: c696f7b83ede ("scsi: mpt3sas: Implement device_remove_in_progress check in IOCTL path")
    Cc: stable@vger.kernel.org
    Suggested-by: Keith Busch <kbusch@kernel.org>
    Signed-off-by: Breno Leitao <leitao@debian.org>
    Link: https://lore.kernel.org/r/20240605085530.499432-1-leitao@debian.org
    Reviewed-by: Keith Busch <kbusch@kernel.org>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

scsi: mpt3sas: Gracefully handle online firmware update [+ + +]
Author: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
Date:   Sat Aug 3 09:59:48 2019 -0400

    scsi: mpt3sas: Gracefully handle online firmware update
    
    [ Upstream commit ffedeae1fa545a1d07e6827180c3923bf67af59f ]
    
    Issue:
    
    During online Firmware upgrade operations it is possible that MaxDevHandles
    filled in IOCFacts may change with new FW.  With this we may observe kernel
    panics when driver try to access the pd_handles or blocking_handles buffers
    at offset greater than the old firmware's MaxDevHandle value.
    
    Fix:
    
    _base_check_ioc_facts_changes() looks for increase/decrease in IOCFacts
    attributes during online firmware upgrade and increases the pd_handles,
    blocking_handles, etc buffer sizes to new firmware's MaxDevHandle value if
    this new firmware's MaxDevHandle value is greater than the old firmware's
    MaxDevHandle value.
    
    Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Stable-dep-of: 4254dfeda82f ("scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

scsi: qedi: Fix crash while reading debugfs attribute [+ + +]
Author: Manish Rangankar <mrangankar@marvell.com>
Date:   Mon Apr 15 12:51:55 2024 +0530

    scsi: qedi: Fix crash while reading debugfs attribute
    
    [ Upstream commit 28027ec8e32ecbadcd67623edb290dad61e735b5 ]
    
    The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly
    on a __user pointer, which results into the crash.
    
    To fix this issue, use a small local stack buffer for sprintf() and then
    call simple_read_from_buffer(), which in turns make the copy_to_user()
    call.
    
    BUG: unable to handle page fault for address: 00007f4801111000
    PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0
    Oops: 0002 [#1] PREEMPT SMP PTI
    Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023
    RIP: 0010:memcpy_orig+0xcd/0x130
    RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202
    RAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f
    RDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000
    RBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572
    R10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff
    R13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af
    FS:  00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
     <TASK>
     ? __die_body+0x1a/0x60
     ? page_fault_oops+0x183/0x510
     ? exc_page_fault+0x69/0x150
     ? asm_exc_page_fault+0x22/0x30
     ? memcpy_orig+0xcd/0x130
     vsnprintf+0x102/0x4c0
     sprintf+0x51/0x80
     qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]
     full_proxy_read+0x50/0x80
     vfs_read+0xa5/0x2e0
     ? folio_add_new_anon_rmap+0x44/0xa0
     ? set_pte_at+0x15/0x30
     ? do_pte_missing+0x426/0x7f0
     ksys_read+0xa5/0xe0
     do_syscall_64+0x58/0x80
     ? __count_memcg_events+0x46/0x90
     ? count_memcg_event_mm+0x3d/0x60
     ? handle_mm_fault+0x196/0x2f0
     ? do_user_addr_fault+0x267/0x890
     ? exc_page_fault+0x69/0x150
     entry_SYSCALL_64_after_hwframe+0x72/0xdc
    RIP: 0033:0x7f4800f20b4d
    
    Tested-by: Martin Hoyer <mhoyer@redhat.com>
    Reviewed-by: John Meneghini <jmeneghi@redhat.com>
    Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
    Link: https://lore.kernel.org/r/20240415072155.30840-1-mrangankar@marvell.com
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests/ftrace: Fix checkbashisms errors [+ + +]
Author: Masami Hiramatsu <mhiramat@kernel.org>
Date:   Thu Aug 30 23:16:41 2018 +0900

    selftests/ftrace: Fix checkbashisms errors
    
    [ Upstream commit 72ce3daf92ba4f5bae6e91095d40e67b367c6b2f ]
    
    Fix a test case to make checkbashisms clean.
    
    Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
    Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests/mm: compaction_test: fix bogus test success on Aarch64 [+ + +]
Author: Dev Jain <dev.jain@arm.com>
Date:   Tue May 21 13:13:56 2024 +0530

    selftests/mm: compaction_test: fix bogus test success on Aarch64
    
    [ Upstream commit d4202e66a4b1fe6968f17f9f09bbc30d08f028a1 ]
    
    Patch series "Fixes for compaction_test", v2.
    
    The compaction_test memory selftest introduces fragmentation in memory
    and then tries to allocate as many hugepages as possible. This series
    addresses some problems.
    
    On Aarch64, if nr_hugepages == 0, then the test trivially succeeds since
    compaction_index becomes 0, which is less than 3, due to no division by
    zero exception being raised. We fix that by checking for division by
    zero.
    
    Secondly, correctly set the number of hugepages to zero before trying
    to set a large number of them.
    
    Now, consider a situation in which, at the start of the test, a non-zero
    number of hugepages have been already set (while running the entire
    selftests/mm suite, or manually by the admin). The test operates on 80%
    of memory to avoid OOM-killer invocation, and because some memory is
    already blocked by hugepages, it would increase the chance of OOM-killing.
    Also, since mem_free used in check_compaction() is the value before we
    set nr_hugepages to zero, the chance that the compaction_index will
    be small is very high if the preset nr_hugepages was high, leading to a
    bogus test success.
    
    This patch (of 3):
    
    Currently, if at runtime we are not able to allocate a huge page, the test
    will trivially pass on Aarch64 due to no exception being raised on
    division by zero while computing compaction_index.  Fix that by checking
    for nr_hugepages == 0.  Anyways, in general, avoid a division by zero by
    exiting the program beforehand.  While at it, fix a typo, and handle the
    case where the number of hugepages may overflow an integer.
    
    Link: https://lkml.kernel.org/r/20240521074358.675031-1-dev.jain@arm.com
    Link: https://lkml.kernel.org/r/20240521074358.675031-2-dev.jain@arm.com
    Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory")
    Signed-off-by: Dev Jain <dev.jain@arm.com>
    Cc: Anshuman Khandual <anshuman.khandual@arm.com>
    Cc: Shuah Khan <shuah@kernel.org>
    Cc: Sri Jayaramappa <sjayaram@akamai.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages [+ + +]
Author: Dev Jain <dev.jain@arm.com>
Date:   Tue May 21 13:13:57 2024 +0530

    selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages
    
    [ Upstream commit 9ad665ef55eaad1ead1406a58a34f615a7c18b5e ]
    
    Currently, the test tries to set nr_hugepages to zero, but that is not
    actually done because the file offset is not reset after read().  Fix that
    using lseek().
    
    Link: https://lkml.kernel.org/r/20240521074358.675031-3-dev.jain@arm.com
    Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory")
    Signed-off-by: Dev Jain <dev.jain@arm.com>
    Cc: <stable@vger.kernel.org>
    Cc: Anshuman Khandual <anshuman.khandual@arm.com>
    Cc: Shuah Khan <shuah@kernel.org>
    Cc: Sri Jayaramappa <sjayaram@akamai.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

selftests/mm: conform test to TAP format output [+ + +]
Author: Muhammad Usama Anjum <usama.anjum@collabora.com>
Date:   Mon Jan 1 13:36:12 2024 +0500

    selftests/mm: conform test to TAP format output
    
    [ Upstream commit 9a21701edc41465de56f97914741bfb7bfc2517d ]
    
    Conform the layout, informational and status messages to TAP.  No
    functional change is intended other than the layout of output messages.
    
    Link: https://lkml.kernel.org/r/20240101083614.1076768-1-usama.anjum@collabora.com
    Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
    Cc: Shuah Khan <shuah@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Stable-dep-of: d4202e66a4b1 ("selftests/mm: compaction_test: fix bogus test success on Aarch64")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler [+ + +]
Author: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Date:   Tue Apr 30 16:04:30 2024 -0400

    serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler
    
    [ Upstream commit 8492bd91aa055907c67ef04f2b56f6dadd1f44bf ]
    
    When using a high speed clock with a low baud rate, the 4x prescaler is
    automatically selected if required. In that case, sc16is7xx_set_baud()
    properly configures the chip registers, but returns an incorrect baud
    rate by not taking into account the prescaler value. This incorrect baud
    rate is then fed to uart_update_timeout().
    
    For example, with an input clock of 80MHz, and a selected baud rate of 50,
    sc16is7xx_set_baud() will return 200 instead of 50.
    
    Fix this by first changing the prescaler variable to hold the selected
    prescaler value instead of the MCR bitfield. Then properly take into
    account the selected prescaler value in the return value computation.
    
    Also add better documentation about the divisor value computation.
    
    Fixes: dfeae619d781 ("serial: sc16is7xx")
    Cc: stable@vger.kernel.org
    Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
    Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
    Link: https://lore.kernel.org/r/20240430200431.4102923-1-hugo@hugovil.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

serial: sc16is7xx: replace hardcoded divisor value with BIT() macro [+ + +]
Author: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Date:   Thu Dec 21 18:18:19 2023 -0500

    serial: sc16is7xx: replace hardcoded divisor value with BIT() macro
    
    [ Upstream commit 2e57cefc4477659527f7adab1f87cdbf60ef1ae6 ]
    
    To better show why the limit is what it is, since we have only 16 bits for
    the divisor.
    
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
    Link: https://lore.kernel.org/r/20231221231823.2327894-13-hugo@hugovil.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Stable-dep-of: 8492bd91aa05 ("serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message [+ + +]
Author: Andrew Davis <afd@ti.com>
Date:   Mon Mar 25 11:55:07 2024 -0500

    soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message
    
    [ Upstream commit ddbf3204f600a4d1f153498f618369fca352ae00 ]
    
    mbox_send_message() sends a u32 bit message, not a pointer to a message.
    We only convert to a pointer type as a generic type. If we want to send
    a dummy message of 0, then simply send 0 (NULL).
    
    Signed-off-by: Andrew Davis <afd@ti.com>
    Link: https://lore.kernel.org/r/20240325165507.30323-1-afd@ti.com
    Signed-off-by: Nishanth Menon <nm@ti.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB [+ + +]
Author: Jason Xing <kernelxing@tencent.com>
Date:   Tue Jun 4 01:02:16 2024 +0800

    tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
    
    [ Upstream commit a46d0ea5c94205f40ecf912d1bb7806a8a64704f ]
    
    According to RFC 1213, we should also take CLOSE-WAIT sockets into
    consideration:
    
      "tcpCurrEstab OBJECT-TYPE
       ...
       The number of TCP connections for which the current state
       is either ESTABLISHED or CLOSE- WAIT."
    
    After this, CurrEstab counter will display the total number of
    ESTABLISHED and CLOSE-WAIT sockets.
    
    The logic of counting
    When we increment the counter?
    a) if we change the state to ESTABLISHED.
    b) if we change the state from SYN-RECEIVED to CLOSE-WAIT.
    
    When we decrement the counter?
    a) if the socket leaves ESTABLISHED and will never go into CLOSE-WAIT,
    say, on the client side, changing from ESTABLISHED to FIN-WAIT-1.
    b) if the socket leaves CLOSE-WAIT, say, on the server side, changing
    from CLOSE-WAIT to LAST-ACK.
    
    Please note: there are two chances that old state of socket can be changed
    to CLOSE-WAIT in tcp_fin(). One is SYN-RECV, the other is ESTABLISHED.
    So we have to take care of the former case.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Jason Xing <kernelxing@tencent.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: Fix data races around icsk->icsk_af_ops. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Mon Apr 17 16:54:28 2023 +0000

    tcp: Fix data races around icsk->icsk_af_ops.
    
    commit f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 upstream.
    
    setsockopt(IPV6_ADDRFORM) and tcp_v6_connect() change icsk->icsk_af_ops
    under lock_sock(), but tcp_(get|set)sockopt() read it locklessly.  To
    avoid load/store tearing, we need to add READ_ONCE() and WRITE_ONCE()
    for the reads and writes.
    
    Thanks to Eric Dumazet for providing the syzbot report:
    
    BUG: KCSAN: data-race in tcp_setsockopt / tcp_v6_connect
    
    write to 0xffff88813c624518 of 8 bytes by task 23936 on cpu 0:
    tcp_v6_connect+0x5b3/0xce0 net/ipv6/tcp_ipv6.c:240
    __inet_stream_connect+0x159/0x6d0 net/ipv4/af_inet.c:660
    inet_stream_connect+0x44/0x70 net/ipv4/af_inet.c:724
    __sys_connect_file net/socket.c:1976 [inline]
    __sys_connect+0x197/0x1b0 net/socket.c:1993
    __do_sys_connect net/socket.c:2003 [inline]
    __se_sys_connect net/socket.c:2000 [inline]
    __x64_sys_connect+0x3d/0x50 net/socket.c:2000
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    read to 0xffff88813c624518 of 8 bytes by task 23937 on cpu 1:
    tcp_setsockopt+0x147/0x1c80 net/ipv4/tcp.c:3789
    sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3585
    __sys_setsockopt+0x212/0x2b0 net/socket.c:2252
    __do_sys_setsockopt net/socket.c:2263 [inline]
    __se_sys_setsockopt net/socket.c:2260 [inline]
    __x64_sys_setsockopt+0x62/0x70 net/socket.c:2260
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    value changed: 0xffffffff8539af68 -> 0xffffffff8539aff8
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 1 PID: 23937 Comm: syz-executor.5 Not tainted
    6.0.0-rc4-syzkaller-00331-g4ed9c1e971b1-dirty #0
    
    Hardware name: Google Google Compute Engine/Google Compute Engine,
    BIOS Google 08/26/2022
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Reported-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Kazunori Kobayashi <kazunori.kobayashi@miraclelinux.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp: fix race in tcp_v6_syn_recv_sock() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jun 6 15:46:51 2024 +0000

    tcp: fix race in tcp_v6_syn_recv_sock()
    
    [ Upstream commit d37fe4255abe8e7b419b90c5847e8ec2b8debb08 ]
    
    tcp_v6_syn_recv_sock() calls ip6_dst_store() before
    inet_sk(newsk)->pinet6 has been set up.
    
    This means ip6_dst_store() writes over the parent (listener)
    np->dst_cookie.
    
    This is racy because multiple threads could share the same
    parent and their final np->dst_cookie could be wrong.
    
    Move ip6_dst_store() call after inet_sk(newsk)->pinet6
    has been changed and after the copy of parent ipv6_pinfo.
    
    Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test [+ + +]
Author: Jeff Johnson <quic_jjohnson@quicinc.com>
Date:   Sat May 18 15:54:49 2024 -0700

    tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test
    
    [ Upstream commit 23748e3e0fbfe471eff5ce439921629f6a427828 ]
    
    Fix the 'make W=1' warning:
    
    WARNING: modpost: missing MODULE_DESCRIPTION() in kernel/trace/preemptirq_delay_test.o
    
    Link: https://lore.kernel.org/linux-trace-kernel/20240518-md-preemptirq_delay_test-v1-1-387d11b30d85@quicinc.com
    
    Cc: stable@vger.kernel.org
    Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Fixes: f96e8577da10 ("lib: Add module for testing preemptoff/irqsoff latency tracers")
    Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tty: mcf: MCF54418 has 10 UARTS [+ + +]
Author: Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
Date:   Thu Jun 20 18:29:59 2024 +0200

    tty: mcf: MCF54418 has 10 UARTS
    
    commit 7c92a8bd53f24d50c8cf4aba53bb75505b382fed upstream.
    
    Most of the colfires have up to 5 UARTs but MCF54418 has up-to 10 !
    Change the maximum value authorized.
    
    Signed-off-by: Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
    Cc: stable <stable@kernel.org>
    Fixes: 2545cf6e94b4 ("m68knommu: allow 4 coldfire serial ports")
    Link: https://lore.kernel.org/r/20240620-upstream-uart-v1-1-a9d0d95fb19e@yoseli.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
udf: udftime: prevent overflow in udf_disk_stamp_to_time() [+ + +]
Author: Roman Smirnov <r.smirnov@omp.ru>
Date:   Wed Mar 27 16:27:55 2024 +0300

    udf: udftime: prevent overflow in udf_disk_stamp_to_time()
    
    [ Upstream commit 3b84adf460381169c085e4bc09e7b57e9e16db0a ]
    
    An overflow can occur in a situation where src.centiseconds
    takes the value of 255. This situation is unlikely, but there
    is no validation check anywere in the code.
    
    Found by Linux Verification Center (linuxtesting.org) with Svace.
    
    Suggested-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
    Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Message-Id: <20240327132755.13945-1-r.smirnov@omp.ru>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
usb-storage: alauda: Check whether the media is initialized [+ + +]
Author: Shichao Lai <shichaorai@gmail.com>
Date:   Sun May 26 09:27:45 2024 +0800

    usb-storage: alauda: Check whether the media is initialized
    
    [ Upstream commit 16637fea001ab3c8df528a8995b3211906165a30 ]
    
    The member "uzonesize" of struct alauda_info will remain 0
    if alauda_init_media() fails, potentially causing divide errors
    in alauda_read_data() and alauda_write_lba().
    - Add a member "media_initialized" to struct alauda_info.
    - Change a condition in alauda_check_media() to ensure the
      first initialization.
    - Add an error check for the return value of alauda_init_media().
    
    Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support")
    Reported-by: xingwei lee <xrivendell7@gmail.com>
    Reported-by: yue sun <samsun1006219@gmail.com>
    Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
    Signed-off-by: Shichao Lai <shichaorai@gmail.com>
    Link: https://lore.kernel.org/r/20240526012745.2852061-1-shichaorai@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
usb: atm: cxacru: fix endpoint checking in cxacru_bind() [+ + +]
Author: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Date:   Sun Jun 9 06:15:46 2024 -0700

    usb: atm: cxacru: fix endpoint checking in cxacru_bind()
    
    commit 2eabb655a968b862bc0c31629a09f0fbf3c80d51 upstream.
    
    Syzbot is still reporting quite an old issue [1] that occurs due to
    incomplete checking of present usb endpoints. As such, wrong
    endpoints types may be used at urb sumbitting stage which in turn
    triggers a warning in usb_submit_urb().
    
    Fix the issue by verifying that required endpoint types are present
    for both in and out endpoints, taking into account cmd endpoint type.
    
    Unfortunately, this patch has not been tested on real hardware.
    
    [1] Syzbot report:
    usb 1-1: BOGUS urb xfer, pipe 1 != type 3
    WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
    Modules linked in:
    CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Workqueue: usb_hub_wq hub_event
    RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
    ...
    Call Trace:
     cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649
     cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760
     cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209
     usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055
     cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363
     usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
     call_driver_probe drivers/base/dd.c:517 [inline]
     really_probe+0x23c/0xcd0 drivers/base/dd.c:595
     __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
     driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
     __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
     bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
     __device_attach+0x228/0x4a0 drivers/base/dd.c:965
     bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
     device_add+0xc2f/0x2180 drivers/base/core.c:3354
     usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
     usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
     usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
    
    Reported-and-tested-by: syzbot+00c18ee8497dd3be6ade@syzkaller.appspotmail.com
    Fixes: 902ffc3c707c ("USB: cxacru: Use a bulk/int URB to access the command endpoint")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
    Link: https://lore.kernel.org/r/20240609131546.3932-1-n.zhandarovich@fintech.ru
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages [+ + +]
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Thu Jun 13 21:30:43 2024 -0400

    USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
    
    commit 22f00812862564b314784167a89f27b444f82a46 upstream.
    
    The syzbot fuzzer found that the interrupt-URB completion callback in
    the cdc-wdm driver was taking too long, and the driver's immediate
    resubmission of interrupt URBs with -EPROTO status combined with the
    dummy-hcd emulation to cause a CPU lockup:
    
    cdc_wdm 1-1:1.0: nonzero urb status received: -71
    cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes
    watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625]
    CPU#0 Utilization every 4s during lockup:
            #1:  98% system,          0% softirq,     3% hardirq,     0% idle
            #2:  98% system,          0% softirq,     3% hardirq,     0% idle
            #3:  98% system,          0% softirq,     3% hardirq,     0% idle
            #4:  98% system,          0% softirq,     3% hardirq,     0% idle
            #5:  98% system,          1% softirq,     3% hardirq,     0% idle
    Modules linked in:
    irq event stamp: 73096
    hardirqs last  enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline]
    hardirqs last  enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994
    hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
    hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
    softirqs last  enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline]
    softirqs last  enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582
    softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588
    CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G        W          6.10.0-rc2-syzkaller-g8867bbd4a056 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
    
    Testing showed that the problem did not occur if the two error
    messages -- the first two lines above -- were removed; apparently adding
    material to the kernel log takes a surprisingly large amount of time.
    
    In any case, the best approach for preventing these lockups and to
    avoid spamming the log with thousands of error messages per second is
    to ratelimit the two dev_err() calls.  Therefore we replace them with
    dev_err_ratelimited().
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Suggested-by: Greg KH <gregkh@linuxfoundation.org>
    Reported-and-tested-by: syzbot+5f996b83575ef4058638@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/linux-usb/00000000000073d54b061a6a1c65@google.com/
    Reported-and-tested-by: syzbot+1b2abad17596ad03dcff@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/linux-usb/000000000000f45085061aa9b37e@google.com/
    Fixes: 9908a32e94de ("USB: remove err() macro from usb class drivers")
    Link: https://lore.kernel.org/linux-usb/40dfa45b-5f21-4eef-a8c1-51a2f320e267@rowland.harvard.edu/
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/29855215-52f5-4385-b058-91f42c2bee18@rowland.harvard.edu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete [+ + +]
Author: Wesley Cheng <quic_wcheng@quicinc.com>
Date:   Mon Apr 8 18:40:59 2024 -0700

    usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
    
    [ Upstream commit 24729b307eefcd7c476065cd7351c1a018082c19 ]
    
    FFS based applications can utilize the aio_cancel() callback to dequeue
    pending USB requests submitted to the UDC.  There is a scenario where the
    FFS application issues an AIO cancel call, while the UDC is handling a
    soft disconnect.  For a DWC3 based implementation, the callstack looks
    like the following:
    
        DWC3 Gadget                               FFS Application
    dwc3_gadget_soft_disconnect()              ...
      --> dwc3_stop_active_transfers()
        --> dwc3_gadget_giveback(-ESHUTDOWN)
          --> ffs_epfile_async_io_complete()   ffs_aio_cancel()
            --> usb_ep_free_request()            --> usb_ep_dequeue()
    
    There is currently no locking implemented between the AIO completion
    handler and AIO cancel, so the issue occurs if the completion routine is
    running in parallel to an AIO cancel call coming from the FFS application.
    As the completion call frees the USB request (io_data->req) the FFS
    application is also referencing it for the usb_ep_dequeue() call.  This can
    lead to accessing a stale/hanging pointer.
    
    commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
    relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
    However, in order to properly implement locking to mitigate this issue, the
    spinlock can't be added to ffs_epfile_async_io_complete(), as
    usb_ep_dequeue() (if successfully dequeuing a USB request) will call the
    function driver's completion handler in the same context.  Hence, leading
    into a deadlock.
    
    Fix this issue by moving the usb_ep_free_request() back to
    ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req
    to NULL after freeing it within the ffs->eps_lock.  This resolves the race
    condition above, as the ffs_aio_cancel() routine will not continue
    attempting to dequeue a request that has already been freed, or the
    ffs_user_copy_work() not freeing the USB request until the AIO cancel is
    done referencing it.
    
    This fix depends on
      commit b566d38857fc ("usb: gadget: f_fs: use io_data->status
      consistently")
    
    Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
    Cc: stable <stable@kernel.org>  # b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
    Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
    Link: https://lore.kernel.org/r/20240409014059.6740-1-quic_wcheng@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

usb: gadget: printer: SS+ support [+ + +]
Author: Oliver Neukum <oneukum@suse.com>
Date:   Thu Jun 20 11:37:39 2024 +0200

    usb: gadget: printer: SS+ support
    
    commit fd80731e5e9d1402cb2f85022a6abf9b1982ec5f upstream.
    
    We need to treat super speed plus as super speed, not the default,
    which is full speed.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Cc: stable <stable@kernel.org>
    Link: https://lore.kernel.org/r/20240620093800.28901-1-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: misc: uss720: check for incompatible versions of the Belkin F5U002 [+ + +]
Author: Alex Henrie <alexhenrie24@gmail.com>
Date:   Tue Mar 26 09:07:11 2024 -0600

    usb: misc: uss720: check for incompatible versions of the Belkin F5U002
    
    [ Upstream commit 3295f1b866bfbcabd625511968e8a5c541f9ab32 ]
    
    The incompatible device in my possession has a sticker that says
    "F5U002 Rev 2" and "P80453-B", and lsusb identifies it as
    "050d:0002 Belkin Components IEEE-1284 Controller". There is a bug
    report from 2007 from Michael Trausch who was seeing the exact same
    errors that I saw in 2024 trying to use this cable.
    
    Link: https://lore.kernel.org/all/46DE5830.9060401@trausch.us/
    Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
    Link: https://lore.kernel.org/r/20240326150723.99939-5-alexhenrie24@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

usb: musb: da8xx: fix a resource leak in probe() [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Mon Jun 17 12:31:30 2024 +0300

    usb: musb: da8xx: fix a resource leak in probe()
    
    commit de644a4a86be04ed8a43ef8267d0f7d021941c5e upstream.
    
    Call usb_phy_generic_unregister() if of_platform_populate() fails.
    
    Fixes: d6299b6efbf6 ("usb: musb: Add support of CPPI 4.1 DMA controller to DA8xx")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Link: https://lore.kernel.org/r/69af1b1d-d3f4-492b-bcea-359ca5949f30@moroto.mountain
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: xhci: do not perform Soft Retry for some xHCI hosts [+ + +]
Author: Stanislaw Gruszka <stf_xl@wp.pl>
Date:   Thu Mar 11 13:53:50 2021 +0200

    usb: xhci: do not perform Soft Retry for some xHCI hosts
    
    commit a4a251f8c23518899d2078c320cf9ce2fa459c9f upstream.
    
    On some systems rt2800usb and mt7601u devices are unable to operate since
    commit f8f80be501aa ("xhci: Use soft retry to recover faster from
    transaction errors")
    
    Seems that some xHCI controllers can not perform Soft Retry correctly,
    affecting those devices.
    
    To avoid the problem add xhci->quirks flag that restore pre soft retry
    xhci behaviour for affected xHCI controllers. Currently those are
    AMD_PROMONTORYA_4 and AMD_PROMONTORYA_2, since it was confirmed
    by the users: on those xHCI hosts issue happen and is gone after
    disabling Soft Retry.
    
    [minor commit message rewording for checkpatch -Mathias]
    
    Fixes: f8f80be501aa ("xhci: Use soft retry to recover faster from transaction errors")
    Cc: <stable@vger.kernel.org> # 4.20+
    Reported-by: Bernhard <bernhard.gebetsberger@gmx.at>
    Tested-by: Bernhard <bernhard.gebetsberger@gmx.at>
    Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202541
    Link: https://lore.kernel.org/r/20210311115353.2137560-2-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
virtio_net: checksum offloading handling fix [+ + +]
Author: Heng Qi <hengqi@linux.alibaba.com>
Date:   Mon Jun 17 21:15:23 2024 +0800

    virtio_net: checksum offloading handling fix
    
    [ Upstream commit 604141c036e1b636e2a71cf6e1aa09d1e45f40c2 ]
    
    In virtio spec 0.95, VIRTIO_NET_F_GUEST_CSUM was designed to handle
    partially checksummed packets, and the validation of fully checksummed
    packets by the device is independent of VIRTIO_NET_F_GUEST_CSUM
    negotiation. However, the specification erroneously stated:
    
      "If VIRTIO_NET_F_GUEST_CSUM is not negotiated, the device MUST set flags
       to zero and SHOULD supply a fully checksummed packet to the driver."
    
    This statement is inaccurate because even without VIRTIO_NET_F_GUEST_CSUM
    negotiation, the device can still set the VIRTIO_NET_HDR_F_DATA_VALID flag.
    Essentially, the device can facilitate the validation of these packets'
    checksums - a process known as RX checksum offloading - removing the need
    for the driver to do so.
    
    This scenario is currently not implemented in the driver and requires
    correction. The necessary specification correction[1] has been made and
    approved in the virtio TC vote.
    [1] https://lists.oasis-open.org/archives/virtio-comment/202401/msg00011.html
    
    Fixes: 4f49129be6fa ("virtio-net: Set RXCSUM feature if GUEST_CSUM is available")
    Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
    Reviewed-by: Jiri Pirko <jiri@nvidia.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
vmci: prevent speculation leaks by sanitizing event in event_deliver() [+ + +]
Author: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
Date:   Tue Apr 30 08:59:16 2024 +0000

    vmci: prevent speculation leaks by sanitizing event in event_deliver()
    
    commit 8003f00d895310d409b2bf9ef907c56b42a4e0f4 upstream.
    
    Coverity spotted that event_msg is controlled by user-space,
    event_msg->event_data.event is passed to event_deliver() and used
    as an index without sanitization.
    
    This change ensures that the event index is sanitized to mitigate any
    possibility of speculative information leaks.
    
    This bug was discovered and resolved using Coverity Static Analysis
    Security Testing (SAST) by Synopsys, Inc.
    
    Only compile tested, no access to HW.
    
    Fixes: 1d990201f9bb ("VMCI: event handling implementation.")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
    Link: https://lore.kernel.org/stable/20231127193533.46174-1-hagarhem%40amazon.com
    Link: https://lore.kernel.org/r/20240430085916.4753-1-hagarhem@amazon.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
vxlan: Fix regression when dropping packets due to invalid src addresses [+ + +]
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Mon Jun 3 10:59:26 2024 +0200

    vxlan: Fix regression when dropping packets due to invalid src addresses
    
    [ Upstream commit 1cd4bc987abb2823836cbb8f887026011ccddc8a ]
    
    Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address")
    has recently been added to vxlan mainly in the context of source
    address snooping/learning so that when it is enabled, an entry in the
    FDB is not being created for an invalid address for the corresponding
    tunnel endpoint.
    
    Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in
    that it passed through whichever macs were set in the L2 header. It
    turns out that this change in behavior breaks setups, for example,
    Cilium with netkit in L3 mode for Pods as well as tunnel mode has been
    passing before the change in f58f45c1e5b9 for both vxlan and geneve.
    After mentioned change it is only passing for geneve as in case of
    vxlan packets are dropped due to vxlan_set_mac() returning false as
    source and destination macs are zero which for E/W traffic via tunnel
    is totally fine.
    
    Fix it by only opting into the is_valid_ether_addr() check in
    vxlan_set_mac() when in fact source address snooping/learning is
    actually enabled in vxlan. This is done by moving the check into
    vxlan_snoop(). With this change, the Cilium connectivity test suite
    passes again for both tunnel flavors.
    
    Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address")
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: David Bauer <mail@david-bauer.net>
    Cc: Ido Schimmel <idosch@nvidia.com>
    Cc: Nikolay Aleksandrov <razor@blackwall.org>
    Cc: Martin KaFai Lau <martin.lau@kernel.org>
    Reviewed-by: Ido Schimmel <idosch@nvidia.com>
    Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
    Reviewed-by: David Bauer <mail@david-bauer.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
wifi: iwlwifi: mvm: don't read past the mfuart notifcation [+ + +]
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date:   Mon May 13 13:27:14 2024 +0300

    wifi: iwlwifi: mvm: don't read past the mfuart notifcation
    
    [ Upstream commit 4bb95f4535489ed830cf9b34b0a891e384d1aee4 ]
    
    In case the firmware sends a notification that claims it has more data
    than it has, we will read past that was allocated for the notification.
    Remove the print of the buffer, we won't see it by default. If needed,
    we can see the content with tracing.
    
    This was reported by KFENCE.
    
    Fixes: bdccdb854f2f ("iwlwifi: mvm: support MFUART dump in case of MFUART assert")
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Reviewed-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
    Link: https://msgid.link/20240513132416.ba82a01a559e.Ia91dd20f5e1ca1ad380b95e68aebf2794f553d9b@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 [+ + +]
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri May 10 17:06:33 2024 +0300

    wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
    
    [ Upstream commit 4a7aace2899711592327463c1a29ffee44fcc66e ]
    
    We don't actually support >64 even for HE devices, so revert
    back to 64. This fixes an issue where the session is refused
    because the queue is configured differently from the actual
    session later.
    
    Fixes: 514c30696fbc ("iwlwifi: add support for IEEE802.11ax")
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Reviewed-by: Liad Kaufman <liad.kaufman@intel.com>
    Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
    Link: https://msgid.link/20240510170500.52f7b4cf83aa.If47e43adddf7fe250ed7f5571fbb35d8221c7c47@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() [+ + +]
Author: Remi Pommarel <repk@triplefau.lt>
Date:   Wed May 29 08:57:53 2024 +0200

    wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
    
    [ Upstream commit 44c06bbde6443de206b30f513100b5670b23fc5e ]
    
    The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
    synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from
    softirq context. However using only spin_lock() to get sta->ps_lock in
    ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
    on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
    take this same lock ending in deadlock. Below is an example of rcu stall
    that arises in such situation.
    
     rcu: INFO: rcu_sched self-detected stall on CPU
     rcu:    2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
     rcu:    (t=42586894 jiffies g=2057 q=362405 ncpus=4)
     CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G        W          6.4.0-02158-g1b062f552873 #742
     Hardware name: RPT (r1) (DT)
     pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : queued_spin_lock_slowpath+0x58/0x2d0
     lr : invoke_tx_handlers_early+0x5b4/0x5c0
     sp : ffff00001ef64660
     x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
     x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
     x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
     x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
     x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
     x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
     x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
     x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
     x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
     x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
     Call trace:
      queued_spin_lock_slowpath+0x58/0x2d0
      ieee80211_tx+0x80/0x12c
      ieee80211_tx_pending+0x110/0x278
      tasklet_action_common.constprop.0+0x10c/0x144
      tasklet_action+0x20/0x28
      _stext+0x11c/0x284
      ____do_softirq+0xc/0x14
      call_on_irq_stack+0x24/0x34
      do_softirq_own_stack+0x18/0x20
      do_softirq+0x74/0x7c
      __local_bh_enable_ip+0xa0/0xa4
      _ieee80211_wake_txqs+0x3b0/0x4b8
      __ieee80211_wake_queue+0x12c/0x168
      ieee80211_add_pending_skbs+0xec/0x138
      ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
      ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
      ieee80211_mps_sta_status_update+0x18/0x24
      sta_apply_parameters+0x3bc/0x4c0
      ieee80211_change_station+0x1b8/0x2dc
      nl80211_set_station+0x444/0x49c
      genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
      genl_rcv_msg+0x1b0/0x244
      netlink_rcv_skb+0x38/0x10c
      genl_rcv+0x34/0x48
      netlink_unicast+0x254/0x2bc
      netlink_sendmsg+0x190/0x3b4
      ____sys_sendmsg+0x1e8/0x218
      ___sys_sendmsg+0x68/0x8c
      __sys_sendmsg+0x44/0x84
      __arm64_sys_sendmsg+0x20/0x28
      do_el0_svc+0x6c/0xe8
      el0_svc+0x14/0x48
      el0t_64_sync_handler+0xb0/0xb4
      el0t_64_sync+0x14c/0x150
    
    Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
    on the same CPU that is holding the lock.
    
    Fixes: 1d147bfa6429 ("mac80211: fix AP powersave TX vs. wakeup race")
    Signed-off-by: Remi Pommarel <repk@triplefau.lt>
    Link: https://msgid.link/8e36fe07d0fbc146f89196cd47a53c8a0afe84aa.1716910344.git.repk@triplefau.lt
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects [+ + +]
Author: Nicolas Escande <nico.escande@gmail.com>
Date:   Tue May 28 16:26:05 2024 +0200

    wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
    
    [ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ]
    
    The hwmp code use objects of type mesh_preq_queue, added to a list in
    ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath
    gets deleted, ex mesh interface is removed, the entries in that list will
    never get cleaned. Fix this by flushing all corresponding items of the
    preq_queue in mesh_path_flush_pending().
    
    This should take care of KASAN reports like this:
    
    unreferenced object 0xffff00000668d800 (size 128):
      comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s)
      hex dump (first 32 bytes):
        00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff  ..........h.....
        8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00  ....>...........
      backtrace:
        [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
        [<00000000049bd418>] kmalloc_trace+0x34/0x80
        [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
        [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
        [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
        [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
        [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
        [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
        [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
        [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
        [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
        [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
        [<00000000b36425d1>] worker_thread+0x9c/0x634
        [<0000000005852dd5>] kthread+0x1bc/0x1c4
        [<000000005fccd770>] ret_from_fork+0x10/0x20
    unreferenced object 0xffff000009051f00 (size 128):
      comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s)
      hex dump (first 32 bytes):
        90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff  ..........h.....
        36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff  6'.......Xy.....
      backtrace:
        [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
        [<00000000049bd418>] kmalloc_trace+0x34/0x80
        [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
        [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
        [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
        [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
        [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
        [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
        [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
        [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
        [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
        [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
        [<00000000b36425d1>] worker_thread+0x9c/0x634
        [<0000000005852dd5>] kthread+0x1bc/0x1c4
        [<000000005fccd770>] ret_from_fork+0x10/0x20
    
    Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol")
    Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
    Link: https://msgid.link/20240528142605.1060566-1-nico.escande@gmail.com
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
 
x86/amd_nb: Check for invalid SMN reads [+ + +]
Author: Yazen Ghannam <yazen.ghannam@amd.com>
Date:   Mon Apr 3 16:42:44 2023 +0000

    x86/amd_nb: Check for invalid SMN reads
    
    [ Upstream commit c625dabbf1c4a8e77e4734014f2fde7aa9071a1f ]
    
    AMD Zen-based systems use a System Management Network (SMN) that
    provides access to implementation-specific registers.
    
    SMN accesses are done indirectly through an index/data pair in PCI
    config space. The PCI config access may fail and return an error code.
    This would prevent the "read" value from being updated.
    
    However, the PCI config access may succeed, but the return value may be
    invalid. This is in similar fashion to PCI bad reads, i.e. return all
    bits set.
    
    Most systems will return 0 for SMN addresses that are not accessible.
    This is in line with AMD convention that unavailable registers are
    Read-as-Zero/Writes-Ignored.
    
    However, some systems will return a "PCI Error Response" instead. This
    value, along with an error code of 0 from the PCI config access, will
    confuse callers of the amd_smn_read() function.
    
    Check for this condition, clear the return value, and set a proper error
    code.
    
    Fixes: ddfe43cdc0da ("x86/amd_nb: Add SMN and Indirect Data Fabric access for AMD Fam17h")
    Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
    Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20230403164244.471141-1-yazen.ghannam@amd.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
x86: stop playing stack games in profile_pc() [+ + +]
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Jun 28 14:27:22 2024 -0700

    x86: stop playing stack games in profile_pc()
    
    [ Upstream commit 093d9603b60093a9aaae942db56107f6432a5dca ]
    
    The 'profile_pc()' function is used for timer-based profiling, which
    isn't really all that relevant any more to begin with, but it also ends
    up making assumptions based on the stack layout that aren't necessarily
    valid.
    
    Basically, the code tries to account the time spent in spinlocks to the
    caller rather than the spinlock, and while I support that as a concept,
    it's not worth the code complexity or the KASAN warnings when no serious
    profiling is done using timers anyway these days.
    
    And the code really does depend on stack layout that is only true in the
    simplest of cases.  We've lost the comment at some point (I think when
    the 32-bit and 64-bit code was unified), but it used to say:
    
            Assume the lock function has either no stack frame or a copy
            of eflags from PUSHF.
    
    which explains why it just blindly loads a word or two straight off the
    stack pointer and then takes a minimal look at the values to just check
    if they might be eflags or the return pc:
    
            Eflags always has bits 22 and up cleared unlike kernel addresses
    
    but that basic stack layout assumption assumes that there isn't any lock
    debugging etc going on that would complicate the code and cause a stack
    frame.
    
    It causes KASAN unhappiness reported for years by syzkaller [1] and
    others [2].
    
    With no real practical reason for this any more, just remove the code.
    
    Just for historical interest, here's some background commits relating to
    this code from 2006:
    
      0cb91a229364 ("i386: Account spinlocks to the caller during profiling for !FP kernels")
      31679f38d886 ("Simplify profile_pc on x86-64")
    
    and a code unification from 2009:
    
      ef4512882dbe ("x86: time_32/64.c unify profile_pc")
    
    but the basics of this thing actually goes back to before the git tree.
    
    Link: https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3 [1]
    Link: https://lore.kernel.org/all/CAK55_s7Xyq=nh97=K=G1sxueOFrJDAvPOJAL4TPTCAYvmxO9_A@mail.gmail.com/ [2]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Jun 15 15:42:31 2024 +0000

    xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
    
    [ Upstream commit d46401052c2d5614da8efea5788532f0401cb164 ]
    
    ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.
    
    syzbot reported:
    
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
    Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
     RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64
    Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00
    RSP: 0018:ffffc90000117378 EFLAGS: 00010246
    RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7
    RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98
    RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000
    R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
      xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]
      xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]
      xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541
      xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835
      xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]
      xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201
      xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]
      xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309
      ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256
      send6+0x611/0xd20 drivers/net/wireguard/socket.c:139
      wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178
      wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200
      wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
      wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
      process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
      process_scheduled_works kernel/workqueue.c:3312 [inline]
      worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
      kthread+0x2c1/0x3a0 kernel/kthread.c:389
      ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
      ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Link: https://lore.kernel.org/r/20240615154231.234442-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
xhci: Apply broken streams quirk to Etron EJ188 xHCI host [+ + +]
Author: Kuangyi Chiang <ki.chiang65@gmail.com>
Date:   Tue Jun 11 15:06:09 2024 +0300

    xhci: Apply broken streams quirk to Etron EJ188 xHCI host
    
    commit 91f7a1524a92c70ffe264db8bdfa075f15bbbeb9 upstream.
    
    As described in commit 8f873c1ff4ca ("xhci: Blacklist using streams on the
    Etron EJ168 controller"), EJ188 have the same issue as EJ168, where Streams
    do not work reliable on EJ188. So apply XHCI_BROKEN_STREAMS quirk to EJ188
    as well.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Kuangyi Chiang <ki.chiang65@gmail.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20240611120610.3264502-4-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xhci: Apply reset resume quirk to Etron EJ188 xHCI host [+ + +]
Author: Kuangyi Chiang <ki.chiang65@gmail.com>
Date:   Tue Jun 11 15:06:08 2024 +0300

    xhci: Apply reset resume quirk to Etron EJ188 xHCI host
    
    commit 17bd54555c2aaecfdb38e2734149f684a73fa584 upstream.
    
    As described in commit c877b3b2ad5c ("xhci: Add reset on resume quirk for
    asrock p67 host"), EJ188 have the same issue as EJ168, where completely
    dies on resume. So apply XHCI_RESET_ON_RESUME quirk to EJ188 as well.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Kuangyi Chiang <ki.chiang65@gmail.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20240611120610.3264502-3-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xhci: Set correct transferred length for cancelled bulk transfers [+ + +]
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Tue Jun 11 15:06:07 2024 +0300

    xhci: Set correct transferred length for cancelled bulk transfers
    
    [ Upstream commit f0260589b439e2637ad54a2b25f00a516ef28a57 ]
    
    The transferred length is set incorrectly for cancelled bulk
    transfer TDs in case the bulk transfer ring stops on the last transfer
    block with a 'Stop - Length Invalid' completion code.
    
    length essentially ends up being set to the requested length:
    urb->actual_length = urb->transfer_buffer_length
    
    Length for 'Stop - Length Invalid' cases should be the sum of all
    TRB transfer block lengths up to the one the ring stopped on,
    _excluding_ the one stopped on.
    
    Fix this by always summing up TRB lengths for 'Stop - Length Invalid'
    bulk cases.
    
    This issue was discovered by Alan Stern while debugging
    https://bugzilla.kernel.org/show_bug.cgi?id=218890, but does not
    solve that bug. Issue is older than 4.10 kernel but fix won't apply
    to those due to major reworks in that area.
    
    Tested-by: Pierre Tomon <pierretom+12@ik.me>
    Cc: stable@vger.kernel.org # v4.10+
    Cc: Alan Stern <stern@rowland.harvard.edu>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20240611120610.3264502-2-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

xhci: Use soft retry to recover faster from transaction errors [+ + +]
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Thu Sep 20 19:13:37 2018 +0300

    xhci: Use soft retry to recover faster from transaction errors
    
    [ Upstream commit f8f80be501aa2f10669585c3e328fad079d8cb3a ]
    
    Use soft retry to recover from a USB Transaction Errors that are caused by
    temporary error conditions. The USB device is not aware that the xHC
    has halted the endpoint, and will be waiting for another retry
    
    A Soft Retry perform additional retries and recover from an error which has
    caused the xHC to halt an endpoint.
    
    Soft retry has some limitations:
    Soft Retry attempts shall not be performed on Isoch endpoints
    Soft Retry attempts shall not be performed if the device is behind a TT in
    a HS Hub
    
    Software shall limit the number of unsuccessful Soft Retry attempts to
    prevent an infinite loop.
    
    For more details on Soft retry see xhci specs  4.6.8.1
    
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Stable-dep-of: f0260589b439 ("xhci: Set correct transferred length for cancelled bulk transfers")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Apr 4 20:27:38 2024 +0000

    xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
    
    commit 237f3cf13b20db183d3706d997eedc3c49eacd44 upstream.
    
    syzbot reported an illegal copy in xsk_setsockopt() [1]
    
    Make sure to validate setsockopt() @optlen parameter.
    
    [1]
    
     BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
     BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
     BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420
    Read of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549
    
    CPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
    Call Trace:
     <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
      print_address_description mm/kasan/report.c:377 [inline]
      print_report+0x169/0x550 mm/kasan/report.c:488
      kasan_report+0x143/0x180 mm/kasan/report.c:601
      copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
      copy_from_sockptr include/linux/sockptr.h:55 [inline]
      xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420
      do_sock_setsockopt+0x3af/0x720 net/socket.c:2311
      __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
      __do_sys_setsockopt net/socket.c:2343 [inline]
      __se_sys_setsockopt net/socket.c:2340 [inline]
      __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
     do_syscall_64+0xfb/0x240
     entry_SYSCALL_64_after_hwframe+0x6d/0x75
    RIP: 0033:0x7fb40587de69
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
    RAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69
    RDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006
    RBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000
    R10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000
    R13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08
     </TASK>
    
    Allocated by task 7549:
      kasan_save_stack mm/kasan/common.c:47 [inline]
      kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
      poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
      __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
      kasan_kmalloc include/linux/kasan.h:211 [inline]
      __do_kmalloc_node mm/slub.c:3966 [inline]
      __kmalloc+0x233/0x4a0 mm/slub.c:3979
      kmalloc include/linux/slab.h:632 [inline]
      __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869
      do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
      __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
      __do_sys_setsockopt net/socket.c:2343 [inline]
      __se_sys_setsockopt net/socket.c:2340 [inline]
      __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
     do_syscall_64+0xfb/0x240
     entry_SYSCALL_64_after_hwframe+0x6d/0x75
    
    The buggy address belongs to the object at ffff888028c6cde0
     which belongs to the cache kmalloc-8 of size 8
    The buggy address is located 1 bytes to the right of
     allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)
    
    The buggy address belongs to the physical page:
    page:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c
    anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
    page_type: 0xffffffff()
    raw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001
    raw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    page_owner tracks the page as allocated
    page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223
      set_page_owner include/linux/page_owner.h:31 [inline]
      post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533
      prep_new_page mm/page_alloc.c:1540 [inline]
      get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311
      __alloc_pages+0x256/0x680 mm/page_alloc.c:4569
      __alloc_pages_node include/linux/gfp.h:238 [inline]
      alloc_pages_node include/linux/gfp.h:261 [inline]
      alloc_slab_page+0x5f/0x160 mm/slub.c:2175
      allocate_slab mm/slub.c:2338 [inline]
      new_slab+0x84/0x2f0 mm/slub.c:2391
      ___slab_alloc+0xc73/0x1260 mm/slub.c:3525
      __slab_alloc mm/slub.c:3610 [inline]
      __slab_alloc_node mm/slub.c:3663 [inline]
      slab_alloc_node mm/slub.c:3835 [inline]
      __do_kmalloc_node mm/slub.c:3965 [inline]
      __kmalloc_node+0x2db/0x4e0 mm/slub.c:3973
      kmalloc_node include/linux/slab.h:648 [inline]
      __vmalloc_area_node mm/vmalloc.c:3197 [inline]
      __vmalloc_node_range+0x5f9/0x14a0 mm/vmalloc.c:3392
      __vmalloc_node mm/vmalloc.c:3457 [inline]
      vzalloc+0x79/0x90 mm/vmalloc.c:3530
      bpf_check+0x260/0x19010 kernel/bpf/verifier.c:21162
      bpf_prog_load+0x1667/0x20f0 kernel/bpf/syscall.c:2895
      __sys_bpf+0x4ee/0x810 kernel/bpf/syscall.c:5631
      __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
      __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
      __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
     do_syscall_64+0xfb/0x240
     entry_SYSCALL_64_after_hwframe+0x6d/0x75
    page last free pid 6650 tgid 6647 stack trace:
      reset_page_owner include/linux/page_owner.h:24 [inline]
      free_pages_prepare mm/page_alloc.c:1140 [inline]
      free_unref_page_prepare+0x95d/0xa80 mm/page_alloc.c:2346
      free_unref_page_list+0x5a3/0x850 mm/page_alloc.c:2532
      release_pages+0x2117/0x2400 mm/swap.c:1042
      tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
      tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
      tlb_flush_mmu+0x34d/0x4e0 mm/mmu_gather.c:300
      tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:392
      exit_mmap+0x4b6/0xd40 mm/mmap.c:3300
      __mmput+0x115/0x3c0 kernel/fork.c:1345
      exit_mm+0x220/0x310 kernel/exit.c:569
      do_exit+0x99e/0x27e0 kernel/exit.c:865
      do_group_exit+0x207/0x2c0 kernel/exit.c:1027
      get_signal+0x176e/0x1850 kernel/signal.c:2907
      arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
      exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
      exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
      __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
      syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:212
      do_syscall_64+0x10a/0x240 arch/x86/entry/common.c:89
     entry_SYSCALL_64_after_hwframe+0x6d/0x75
    
    Memory state around the buggy address:
     ffff888028c6cc80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
     ffff888028c6cd00: fa fc fc fc fa fc fc fc 00 fc fc fc 06 fc fc fc
    >ffff888028c6cd80: fa fc fc fc fa fc fc fc fa fc fc fc 02 fc fc fc
                                                           ^
     ffff888028c6ce00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
     ffff888028c6ce80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
    
    Fixes: 423f38329d26 ("xsk: add umem fill queue support and mmap")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: "Björn Töpel" <bjorn@kernel.org>
    Cc: Magnus Karlsson <magnus.karlsson@intel.com>
    Cc: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/r/20240404202738.3634547-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    [shung-hsi.yu: two additional changes not present in the original
     1. Check optlen in the XDP_UMEM_REG case as well. It was added in commit
        c05cd36458147 ("xsk: add support to allow unaligned chunk placement") but
        seems like too big of a change for stable
     2. copy_from_sockptr() in the context was replace copy_from_usr()
        because commit a7b75c5a8c414 ("net: pass a sockptr_t into
        ->setsockopt") was not present]
    Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>