Changelog in Linux kernel 4.19.323

 
ACPI: battery: Fix possible crash when unregistering a battery hook [+ + +]
Author: Armin Wolf <W_Armin@gmx.de>
Date:   Tue Oct 1 23:28:34 2024 +0200

    ACPI: battery: Fix possible crash when unregistering a battery hook
    
    [ Upstream commit 76959aff14a0012ad6b984ec7686d163deccdc16 ]
    
    When a battery hook returns an error when adding a new battery, then
    the battery hook is automatically unregistered.
    However the battery hook provider cannot know that, so it will later
    call battery_hook_unregister() on the already unregistered battery
    hook, resulting in a crash.
    
    Fix this by using the list head to mark already unregistered battery
    hooks as already being unregistered so that they can be ignored by
    battery_hook_unregister().
    
    Fixes: fa93854f7a7e ("battery: Add the battery hooking API")
    Signed-off-by: Armin Wolf <W_Armin@gmx.de>
    Link: https://patch.msgid.link/20241001212835.341788-3-W_Armin@gmx.de
    Cc: All applicable <stable@vger.kernel.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ACPI: battery: Simplify battery hook locking [+ + +]
Author: Armin Wolf <W_Armin@gmx.de>
Date:   Tue Oct 1 23:28:33 2024 +0200

    ACPI: battery: Simplify battery hook locking
    
    [ Upstream commit 86309cbed26139e1caae7629dcca1027d9a28e75 ]
    
    Move the conditional locking from __battery_hook_unregister()
    into battery_hook_unregister() and rename the low-level function
    to simplify the locking during battery hook removal.
    
    Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Reviewed-by: Pali Rohár <pali@kernel.org>
    Signed-off-by: Armin Wolf <W_Armin@gmx.de>
    Link: https://patch.msgid.link/20241001212835.341788-2-W_Armin@gmx.de
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Stable-dep-of: 76959aff14a0 ("ACPI: battery: Fix possible crash when unregistering a battery hook")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue [+ + +]
Author: Shubham Panwar <shubiisp8@gmail.com>
Date:   Sun Oct 20 15:20:46 2024 +0530

    ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue
    
    commit 8fa73ee44daefc884c53a25158c25a4107eb5a94 upstream.
    
    Add a DMI quirk for Samsung Galaxy Book2 to fix an initial lid state
    detection issue.
    
    The _LID device incorrectly returns the lid status as "closed" during
    boot, causing the system to enter a suspend loop right after booting.
    
    The quirk ensures that the correct lid state is reported initially,
    preventing the system from immediately suspending after startup.  It
    only addresses the initial lid state detection and ensures proper
    system behavior upon boot.
    
    Signed-off-by: Shubham Panwar <shubiisp8@gmail.com>
    Link: https://patch.msgid.link/20241020095045.6036-2-shubiisp8@gmail.com
    [ rjw: Changelog edits ]
    Cc: All applicable <stable@vger.kernel.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ACPI: EC: Do not release locks during operation region accesses [+ + +]
Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Date:   Thu Jul 4 18:26:54 2024 +0200

    ACPI: EC: Do not release locks during operation region accesses
    
    [ Upstream commit dc171114926ec390ab90f46534545420ec03e458 ]
    
    It is not particularly useful to release locks (the EC mutex and the
    ACPI global lock, if present) and re-acquire them immediately thereafter
    during EC address space accesses in acpi_ec_space_handler().
    
    First, releasing them for a while before grabbing them again does not
    really help anyone because there may not be enough time for another
    thread to acquire them.
    
    Second, if another thread successfully acquires them and carries out
    a new EC write or read in the middle if an operation region access in
    progress, it may confuse the EC firmware, especially after the burst
    mode has been enabled.
    
    Finally, manipulating the locks after writing or reading every single
    byte of data is overhead that it is better to avoid.
    
    Accordingly, modify the code to carry out EC address space accesses
    entirely without releasing the locks.
    
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://patch.msgid.link/12473338.O9o76ZdvQC@rjwysocki.net
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() [+ + +]
Author: Aleksandr Mishin <amishin@t-argos.ru>
Date:   Wed Jul 31 01:53:39 2024 +0300

    ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe()
    
    [ Upstream commit 07442c46abad1d50ac82af5e0f9c5de2732c4592 ]
    
    In tps68470_pmic_opregion_probe() pointer 'dev' is compared to NULL which
    is useless.
    
    Fix this issue by removing unneeded check.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: e13452ac3790 ("ACPI / PMIC: Add TI PMIC TPS68470 operation region driver")
    Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
    Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Link: https://patch.msgid.link/20240730225339.13165-1-amishin@t-argos.ru
    [ rjw: Subject edit ]
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ACPI: sysfs: validate return type of _STR method [+ + +]
Author: Thomas Weißschuh <linux@weissschuh.net>
Date:   Tue Jul 9 22:37:24 2024 +0200

    ACPI: sysfs: validate return type of _STR method
    
    commit 4bb1e7d027413835b086aed35bc3f0713bc0f72b upstream.
    
    Only buffer objects are valid return values of _STR.
    
    If something else is returned description_show() will access invalid
    memory.
    
    Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description")
    Cc: All applicable <stable@vger.kernel.org>
    Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
    Link: https://patch.msgid.link/20240709-acpi-sysfs-groups-v2-1-058ab0667fa8@weissschuh.net
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() [+ + +]
Author: Pei Xiao <xiaopei01@kylinos.cn>
Date:   Thu Jul 18 14:05:48 2024 +0800

    ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()
    
    [ Upstream commit a5242874488eba2b9062985bf13743c029821330 ]
    
    ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0
    
    ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause
    NULL pointer dereference later.
    
    Link: https://github.com/acpica/acpica/commit/4d4547cf
    Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
    Link: https://patch.msgid.link/tencent_4A21A2865B8B0A0D12CAEBEB84708EDDB505@qq.com
    [ rjw: Subject and changelog edits ]
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ACPICA: Fix memory leak if acpi_ps_get_next_field() fails [+ + +]
Author: Armin Wolf <W_Armin@gmx.de>
Date:   Sun Apr 14 21:50:33 2024 +0200

    ACPICA: Fix memory leak if acpi_ps_get_next_field() fails
    
    [ Upstream commit e6169a8ffee8a012badd8c703716e761ce851b15 ]
    
    ACPICA commit 1280045754264841b119a5ede96cd005bc09b5a7
    
    If acpi_ps_get_next_field() fails, the previously created field list
    needs to be properly disposed before returning the status code.
    
    Link: https://github.com/acpica/acpica/commit/12800457
    Signed-off-by: Armin Wolf <W_Armin@gmx.de>
    [ rjw: Rename local variable to avoid compiler confusion ]
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails [+ + +]
Author: Armin Wolf <W_Armin@gmx.de>
Date:   Wed Apr 3 20:50:11 2024 +0200

    ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails
    
    [ Upstream commit 5accb265f7a1b23e52b0ec42313d1e12895552f4 ]
    
    ACPICA commit 2802af722bbde7bf1a7ac68df68e179e2555d361
    
    If acpi_ps_get_next_namepath() fails, the previously allocated
    union acpi_parse_object needs to be freed before returning the
    status code.
    
    The issue was first being reported on the Linux ACPI mailing list:
    
    Link: https://lore.kernel.org/linux-acpi/56f94776-484f-48c0-8855-dba8e6a7793b@yandex.ru/T/
    Link: https://github.com/acpica/acpica/commit/2802af72
    Signed-off-by: Armin Wolf <W_Armin@gmx.de>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ACPICA: iasl: handle empty connection_node [+ + +]
Author: Aleksandrs Vinarskis <alex.vinarskis@gmail.com>
Date:   Sun Aug 11 23:33:44 2024 +0200

    ACPICA: iasl: handle empty connection_node
    
    [ Upstream commit a0a2459b79414584af6c46dd8c6f866d8f1aa421 ]
    
    ACPICA commit 6c551e2c9487067d4b085333e7fe97e965a11625
    
    Link: https://github.com/acpica/acpica/commit/6c551e2c
    Signed-off-by: Aleksandrs Vinarskis <alex.vinarskis@gmail.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ALSA: asihpi: Fix potential OOB array access [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Aug 8 11:14:42 2024 +0200

    ALSA: asihpi: Fix potential OOB array access
    
    [ Upstream commit 7b986c7430a6bb68d523dac7bfc74cbd5b44ef96 ]
    
    ASIHPI driver stores some values in the static array upon a response
    from the driver, and its index depends on the firmware.  We shouldn't
    trust it blindly.
    
    This patch adds a sanity check of the array index to fit in the array
    size.
    
    Link: https://patch.msgid.link/20240808091454.30846-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: core: add isascii() check to card ID generator [+ + +]
Author: Jaroslav Kysela <perex@perex.cz>
Date:   Wed Oct 2 21:46:49 2024 +0200

    ALSA: core: add isascii() check to card ID generator
    
    commit d278a9de5e1837edbe57b2f1f95a104ff6c84846 upstream.
    
    The card identifier should contain only safe ASCII characters. The isalnum()
    returns true also for characters for non-ASCII characters.
    
    Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/4135
    Link: https://lore.kernel.org/linux-sound/yk3WTvKkwheOon_LzZlJ43PPInz6byYfBzpKkbasww1yzuiMRqn7n6Y8vZcXB-xwFCu_vb8hoNjv7DTNwH5TWjpEuiVsyn9HPCEXqwF4120=@protonmail.com/
    Cc: stable@vger.kernel.org
    Reported-by: Barnabás Pőcze <pobrn@protonmail.com>
    Signed-off-by: Jaroslav Kysela <perex@perex.cz>
    Link: https://patch.msgid.link/20241002194649.1944696-1-perex@perex.cz
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Fri Oct 4 10:25:58 2024 +0200

    ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin
    
    [ Upstream commit b3ebb007060f89d5a45c9b99f06a55e36a1945b5 ]
    
    We received a regression report for System76 Pangolin (pang14) due to
    the recent fix for Tuxedo Sirius devices to support the top speaker.
    The reason was the conflicting PCI SSID, as often seen.
    
    As a workaround, now the codec SSID is checked and the quirk is
    applied conditionally only to Sirius devices.
    
    Fixes: 4178d78cd7a8 ("ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices")
    Reported-by: Christian Heusel <christian@heusel.eu>
    Reported-by: Jerry <jerryluo225@gmail.com>
    Closes: https://lore.kernel.org/c930b6a6-64e5-498f-b65a-1cd5e0a1d733@heusel.eu
    Link: https://patch.msgid.link/20241004082602.29016-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Oct 1 14:14:36 2024 +0200

    ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs
    
    [ Upstream commit 1c801e7f77445bc56e5e1fec6191fd4503534787 ]
    
    Some time ago, we introduced the obey_preferred_dacs flag for choosing
    the DAC/pin pairs specified by the driver instead of parsing the
    paths.  This works as expected, per se, but there have been a few
    cases where we forgot to set this flag while preferred_dacs table is
    already set up.  It ended up with incorrect wiring and made us
    wondering why it doesn't work.
    
    Basically, when the preferred_dacs table is provided, it means that
    the driver really wants to wire up to follow that.  That is, the
    presence of the preferred_dacs table itself is already a "do-it"
    flag.
    
    In this patch, we simply replace the evaluation of obey_preferred_dacs
    flag with the presence of preferred_dacs table for fixing the
    misbehavior.  Another patch to drop of the obsoleted flag will
    follow.
    
    Fixes: 242d990c158d ("ALSA: hda/generic: Add option to enforce preferred_dacs pairs")
    Link: https://bugzilla.suse.com/show_bug.cgi?id=1219803
    Link: https://patch.msgid.link/20241001121439.26060-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: hda/realtek: Update default depop procedure [+ + +]
Author: Kailang Yang <kailang@realtek.com>
Date:   Wed Oct 23 16:13:10 2024 +0800

    ALSA: hda/realtek: Update default depop procedure
    
    [ Upstream commit e3ea2757c312e51bbf62ebc434a6f7df1e3a201f ]
    
    Old procedure has a chance to meet Headphone no output.
    
    Fixes: c2d6af53a43f ("ALSA: hda/realtek - Add default procedure for suspend and resume state")
    Signed-off-by: Kailang Yang <kailang@realtek.com>
    Link: https://lore.kernel.org/17b717a0a0b04a77aea4a8ec820cba13@realtek.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: hdsp: Break infinite MIDI input flush loop [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Aug 8 11:15:12 2024 +0200

    ALSA: hdsp: Break infinite MIDI input flush loop
    
    [ Upstream commit c01f3815453e2d5f699ccd8c8c1f93a5b8669e59 ]
    
    The current MIDI input flush on HDSP and HDSPM drivers relies on the
    hardware reporting the right value.  If the hardware doesn't give the
    proper value but returns -1, it may be stuck at an infinite loop.
    
    Add a counter and break if the loop is unexpectedly too long.
    
    Link: https://patch.msgid.link/20240808091513.31380-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
aoe: fix the potential use-after-free problem in more places [+ + +]
Author: Chun-Yi Lee <joeyli.kernel@gmail.com>
Date:   Wed Oct 2 11:54:58 2024 +0800

    aoe: fix the potential use-after-free problem in more places
    
    commit 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 upstream.
    
    For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential
    use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put()
    instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs
    into use-after-free.
    
    Then Nicolai Stange found more places in aoe have potential use-after-free
    problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()
    and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push
    packet to tx queue. So they should also use dev_hold() to increase the
    refcnt of skb->dev.
    
    On the other hand, moving dev_put() to tx() causes that the refcnt of
    skb->dev be reduced to a negative value, because corresponding
    dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),
    probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.
    
    Cc: stable@vger.kernel.org
    Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
    Fixes: f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts")
    Reported-by: Nicolai Stange <nstange@suse.com>
    Signed-off-by: Chun-Yi Lee <jlee@suse.com>
    Link: https://lore.kernel.org/stable/20240624064418.27043-1-jlee%40suse.com
    Link: https://lore.kernel.org/r/20241002035458.24401-1-jlee@suse.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning [+ + +]
Author: junhua huang <huang.junhua@zte.com.cn>
Date:   Wed Dec 28 09:54:12 2022 +0800

    arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning
    
    commit ef08c0fadd8a17ebe429b85e23952dac3263ad34 upstream.
    
    After we fixed the uprobe inst endian in aarch_be, the sparse check report
    the following warning info:
    
    sparse warnings: (new ones prefixed by >>)
    >> kernel/events/uprobes.c:223:25: sparse: sparse: restricted __le32 degrades to integer
    >> kernel/events/uprobes.c:574:56: sparse: sparse: incorrect type in argument 4 (different base types)
    @@     expected unsigned int [addressable] [usertype] opcode @@     got restricted __le32 [usertype] @@
       kernel/events/uprobes.c:574:56: sparse:     expected unsigned int [addressable] [usertype] opcode
       kernel/events/uprobes.c:574:56: sparse:     got restricted __le32 [usertype]
    >> kernel/events/uprobes.c:1483:32: sparse: sparse: incorrect type in initializer (different base types)
    @@     expected unsigned int [usertype] insn @@     got restricted __le32 [usertype] @@
       kernel/events/uprobes.c:1483:32: sparse:     expected unsigned int [usertype] insn
       kernel/events/uprobes.c:1483:32: sparse:     got restricted __le32 [usertype]
    
    use the __le32 to u32 for uprobe_opcode_t, to keep the same.
    
    Fixes: 60f07e22a73d ("arm64:uprobe fix the uprobe SWBP_INSN in big-endian")
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: junhua huang <huang.junhua@zte.com.cn>
    Link: https://lore.kernel.org/r/202212280954121197626@zte.com.cn
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
arm64: Add Cortex-715 CPU part definition [+ + +]
Author: Anshuman Khandual <anshuman.khandual@arm.com>
Date:   Mon Oct 7 13:20:26 2024 +0100

    arm64: Add Cortex-715 CPU part definition
    
    [ Upstream commit 07e39e60bbf0ccd5f895568e1afca032193705c0 ]
    
    Add the CPU Partnumbers for the new Arm designs.
    
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
    Cc: James Morse <james.morse@arm.com>
    Cc: linux-arm-kernel@lists.infradead.org
    Cc: linux-kernel@vger.kernel.org
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
    Link: https://lore.kernel.org/r/20221116140915.356601-2-anshuman.khandual@arm.com
    Signed-off-by: Will Deacon <will@kernel.org>
    [ Mark: Trivial backport ]
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: cputype: Add Neoverse-N3 definitions [+ + +]
Author: Mark Rutland <mark.rutland@arm.com>
Date:   Mon Oct 7 13:20:27 2024 +0100

    arm64: cputype: Add Neoverse-N3 definitions
    
    [ Upstream commit 924725707d80bc2588cefafef76ff3f164d299bc ]
    
    Add cputype definitions for Neoverse-N3. These will be used for errata
    detection in subsequent patches.
    
    These values can be found in Table A-261 ("MIDR_EL1 bit descriptions")
    in issue 02 of the Neoverse-N3 TRM, which can be found at:
    
      https://developer.arm.com/documentation/107997/0000/?lang=en
    
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Cc: James Morse <james.morse@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Link: https://lore.kernel.org/r/20240930111705.3352047-2-mark.rutland@arm.com
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    [ Mark: trivial backport ]
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma [+ + +]
Author: Quentin Schulz <quentin.schulz@cherry.de>
Date:   Wed Jul 31 13:05:29 2024 +0200

    arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma
    
    commit 741f5ba7ccba5d7ae796dd11c320e28045524771 upstream.
    
    The Qseven BIOS_DISABLE signal on the RK3399-Q7 keeps the on-module eMMC
    and SPI flash powered-down initially (in fact it keeps the reset signal
    asserted). BIOS_DISABLE_OVERRIDE pin allows to override that signal so
    that eMMC and SPI can be used regardless of the state of the signal.
    
    Let's make this GPIO a hog so that it's reserved and locked in the
    proper state.
    
    At the same time, make sure the pin is reserved for the hog and cannot
    be requested by another node.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
    Link: https://lore.kernel.org/r/20240731-puma-emmc-6-v1-2-4e28eadf32d0@cherry.de
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

arm64: errata: Expand speculative SSBS workaround once more [+ + +]
Author: Mark Rutland <mark.rutland@arm.com>
Date:   Mon Oct 7 13:20:28 2024 +0100

    arm64: errata: Expand speculative SSBS workaround once more
    
    [ Upstream commit 081eb7932c2b244f63317a982c5e3990e2c7fbdd ]
    
    A number of Arm Ltd CPUs suffer from errata whereby an MSR to the SSBS
    special-purpose register does not affect subsequent speculative
    instructions, permitting speculative store bypassing for a window of
    time.
    
    We worked around this for a number of CPUs in commits:
    
    * 7187bb7d0b5c7dfa ("arm64: errata: Add workaround for Arm errata 3194386 and 3312417")
    * 75b3c43eab594bfb ("arm64: errata: Expand speculative SSBS workaround")
    * 145502cac7ea70b5 ("arm64: errata: Expand speculative SSBS workaround (again)")
    
    Since then, a (hopefully final) batch of updates have been published,
    with two more affected CPUs. For the affected CPUs the existing
    mitigation is sufficient, as described in their respective Software
    Developer Errata Notice (SDEN) documents:
    
    * Cortex-A715 (MP148) SDEN v15.0, erratum 3456084
      https://developer.arm.com/documentation/SDEN-2148827/1500/
    
    * Neoverse-N3 (MP195) SDEN v5.0, erratum 3456111
      https://developer.arm.com/documentation/SDEN-3050973/0500/
    
    Enable the existing mitigation by adding the relevant MIDRs to
    erratum_spec_ssbs_list, and update silicon-errata.rst and the
    Kconfig text accordingly.
    
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Cc: James Morse <james.morse@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Link: https://lore.kernel.org/r/20240930111705.3352047-3-mark.rutland@arm.com
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    [ Mark: fix conflict in silicon-errata.rst, handle move and rename ]
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: probes: Fix simulate_ldr*_literal() [+ + +]
Author: Mark Rutland <mark.rutland@arm.com>
Date:   Tue Oct 8 16:58:47 2024 +0100

    arm64: probes: Fix simulate_ldr*_literal()
    
    commit 50f813e57601c22b6f26ced3193b9b94d70a2640 upstream.
    
    The simulate_ldr_literal() code always loads a 64-bit quantity, and when
    simulating a 32-bit load into a 'W' register, it discards the most
    significant 32 bits. For big-endian kernels this means that the relevant
    bits are discarded, and the value returned is the the subsequent 32 bits
    in memory (i.e. the value at addr + 4).
    
    Additionally, simulate_ldr_literal() and simulate_ldrsw_literal() use a
    plain C load, which the compiler may tear or elide (e.g. if the target
    is the zero register). Today this doesn't happen to matter, but it may
    matter in future if trampoline code uses a LDR (literal) or LDRSW
    (literal).
    
    Update simulate_ldr_literal() and simulate_ldrsw_literal() to use an
    appropriately-sized READ_ONCE() to perform the access, which avoids
    these problems.
    
    Fixes: 39a67d49ba35 ("arm64: kprobes instruction simulation support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Link: https://lore.kernel.org/r/20241008155851.801546-3-mark.rutland@arm.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

arm64: probes: Fix uprobes for big-endian kernels [+ + +]
Author: Mark Rutland <mark.rutland@arm.com>
Date:   Tue Oct 8 16:58:48 2024 +0100

    arm64: probes: Fix uprobes for big-endian kernels
    
    [ Upstream commit 13f8f1e05f1dc36dbba6cba0ae03354c0dafcde7 ]
    
    The arm64 uprobes code is broken for big-endian kernels as it doesn't
    convert the in-memory instruction encoding (which is always
    little-endian) into the kernel's native endianness before analyzing and
    simulating instructions. This may result in a few distinct problems:
    
    * The kernel may may erroneously reject probing an instruction which can
      safely be probed.
    
    * The kernel may erroneously erroneously permit stepping an
      instruction out-of-line when that instruction cannot be stepped
      out-of-line safely.
    
    * The kernel may erroneously simulate instruction incorrectly dur to
      interpretting the byte-swapped encoding.
    
    The endianness mismatch isn't caught by the compiler or sparse because:
    
    * The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so
      the compiler and sparse have no idea these contain a little-endian
      32-bit value. The core uprobes code populates these with a memcpy()
      which similarly does not handle endianness.
    
    * While the uprobe_opcode_t type is an alias for __le32, both
      arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[]
      to the similarly-named probe_opcode_t, which is an alias for u32.
      Hence there is no endianness conversion warning.
    
    Fix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and
    adding the appropriate __le32_to_cpu() conversions prior to consuming
    the instruction encoding. The core uprobes copies these fields as opaque
    ranges of bytes, and so is unaffected by this change.
    
    At the same time, remove MAX_UINSN_BYTES and consistently use
    AARCH64_INSN_SIZE for clarity.
    
    Tested with the following:
    
    | #include <stdio.h>
    | #include <stdbool.h>
    |
    | #define noinline __attribute__((noinline))
    |
    | static noinline void *adrp_self(void)
    | {
    |         void *addr;
    |
    |         asm volatile(
    |         "       adrp    %x0, adrp_self\n"
    |         "       add     %x0, %x0, :lo12:adrp_self\n"
    |         : "=r" (addr));
    | }
    |
    |
    | int main(int argc, char *argv)
    | {
    |         void *ptr = adrp_self();
    |         bool equal = (ptr == adrp_self);
    |
    |         printf("adrp_self   => %p\n"
    |                "adrp_self() => %p\n"
    |                "%s\n",
    |                adrp_self, ptr, equal ? "EQUAL" : "NOT EQUAL");
    |
    |         return 0;
    | }
    
    .... where the adrp_self() function was compiled to:
    
    | 00000000004007e0 <adrp_self>:
    |   4007e0:       90000000        adrp    x0, 400000 <__ehdr_start>
    |   4007e4:       911f8000        add     x0, x0, #0x7e0
    |   4007e8:       d65f03c0        ret
    
    Before this patch, the ADRP is not recognized, and is assumed to be
    steppable, resulting in corruption of the result:
    
    | # ./adrp-self
    | adrp_self   => 0x4007e0
    | adrp_self() => 0x4007e0
    | EQUAL
    | # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
    | # echo 1 > /sys/kernel/tracing/events/uprobes/enable
    | # ./adrp-self
    | adrp_self   => 0x4007e0
    | adrp_self() => 0xffffffffff7e0
    | NOT EQUAL
    
    After this patch, the ADRP is correctly recognized and simulated:
    
    | # ./adrp-self
    | adrp_self   => 0x4007e0
    | adrp_self() => 0x4007e0
    | EQUAL
    | #
    | # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
    | # echo 1 > /sys/kernel/tracing/events/uprobes/enable
    | # ./adrp-self
    | adrp_self   => 0x4007e0
    | adrp_self() => 0x4007e0
    | EQUAL
    
    Fixes: 9842ceae9fa8 ("arm64: Add uprobe support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Link: https://lore.kernel.org/r/20241008155851.801546-4-mark.rutland@arm.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: probes: Remove broken LDR (literal) uprobe support [+ + +]
Author: Mark Rutland <mark.rutland@arm.com>
Date:   Tue Oct 8 16:58:46 2024 +0100

    arm64: probes: Remove broken LDR (literal) uprobe support
    
    commit acc450aa07099d071b18174c22a1119c57da8227 upstream.
    
    The simulate_ldr_literal() and simulate_ldrsw_literal() functions are
    unsafe to use for uprobes. Both functions were originally written for
    use with kprobes, and access memory with plain C accesses. When uprobes
    was added, these were reused unmodified even though they cannot safely
    access user memory.
    
    There are three key problems:
    
    1) The plain C accesses do not have corresponding extable entries, and
       thus if they encounter a fault the kernel will treat these as
       unintentional accesses to user memory, resulting in a BUG() which
       will kill the kernel thread, and likely lead to further issues (e.g.
       lockup or panic()).
    
    2) The plain C accesses are subject to HW PAN and SW PAN, and so when
       either is in use, any attempt to simulate an access to user memory
       will fault. Thus neither simulate_ldr_literal() nor
       simulate_ldrsw_literal() can do anything useful when simulating a
       user instruction on any system with HW PAN or SW PAN.
    
    3) The plain C accesses are privileged, as they run in kernel context,
       and in practice can access a small range of kernel virtual addresses.
       The instructions they simulate have a range of +/-1MiB, and since the
       simulated instructions must itself be a user instructions in the
       TTBR0 address range, these can address the final 1MiB of the TTBR1
       acddress range by wrapping downwards from an address in the first
       1MiB of the TTBR0 address range.
    
       In contemporary kernels the last 8MiB of TTBR1 address range is
       reserved, and accesses to this will always fault, meaning this is no
       worse than (1).
    
       Historically, it was theoretically possible for the linear map or
       vmemmap to spill into the final 8MiB of the TTBR1 address range, but
       in practice this is extremely unlikely to occur as this would
       require either:
    
       * Having enough physical memory to fill the entire linear map all the
         way to the final 1MiB of the TTBR1 address range.
    
       * Getting unlucky with KASLR randomization of the linear map such
         that the populated region happens to overlap with the last 1MiB of
         the TTBR address range.
    
       ... and in either case if we were to spill into the final page there
       would be larger problems as the final page would alias with error
       pointers.
    
    Practically speaking, (1) and (2) are the big issues. Given there have
    been no reports of problems since the broken code was introduced, it
    appears that no-one is relying on probing these instructions with
    uprobes.
    
    Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW
    (literal), limiting the use of simulate_ldr_literal() and
    simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR
    (literal) and LDRSW (literal) will be rejected as
    arm_probe_decode_insn() will return INSN_REJECTED. In future we can
    consider introducing working uprobes support for these instructions, but
    this will require more significant work.
    
    Fixes: 9842ceae9fa8 ("arm64: Add uprobe support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Link: https://lore.kernel.org/r/20241008155851.801546-2-mark.rutland@arm.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: arm64:uprobe fix the uprobe SWBP_INSN in big-endian [+ + +]
Author: junhua huang <huang.junhua@zte.com.cn>
Date:   Fri Dec 2 15:11:10 2022 +0800

    arm64:uprobe fix the uprobe SWBP_INSN in big-endian
    
    [ Upstream commit 60f07e22a73d318cddaafa5ef41a10476807cc07 ]
    
    We use uprobe in aarch64_be, which we found the tracee task would exit
    due to SIGILL when we enable the uprobe trace.
    We can see the replace inst from uprobe is not correct in aarch big-endian.
    As in Armv8-A, instruction fetches are always treated as little-endian,
    we should treat the UPROBE_SWBP_INSN as little-endian。
    
    The test case is as following。
    bash-4.4# ./mqueue_test_aarchbe 1 1 2 1 10 > /dev/null &
    bash-4.4# cd /sys/kernel/debug/tracing/
    bash-4.4# echo 'p:test /mqueue_test_aarchbe:0xc30 %x0 %x1' > uprobe_events
    bash-4.4# echo 1 > events/uprobes/enable
    bash-4.4#
    bash-4.4# ps
      PID TTY          TIME CMD
      140 ?        00:00:01 bash
      237 ?        00:00:00 ps
    [1]+  Illegal instruction     ./mqueue_test_aarchbe 1 1 2 1 100 > /dev/null
    
    which we debug use gdb as following:
    
    bash-4.4# gdb attach 155
    (gdb) disassemble send
    Dump of assembler code for function send:
       0x0000000000400c30 <+0>:     .inst   0xa00020d4 ; undefined
       0x0000000000400c34 <+4>:     mov     x29, sp
       0x0000000000400c38 <+8>:     str     w0, [sp, #28]
       0x0000000000400c3c <+12>:    strb    w1, [sp, #27]
       0x0000000000400c40 <+16>:    str     xzr, [sp, #40]
       0x0000000000400c44 <+20>:    str     xzr, [sp, #48]
       0x0000000000400c48 <+24>:    add     x0, sp, #0x1b
       0x0000000000400c4c <+28>:    mov     w3, #0x0                 // #0
       0x0000000000400c50 <+32>:    mov     x2, #0x1                 // #1
       0x0000000000400c54 <+36>:    mov     x1, x0
       0x0000000000400c58 <+40>:    ldr     w0, [sp, #28]
       0x0000000000400c5c <+44>:    bl      0x405e10 <mq_send>
       0x0000000000400c60 <+48>:    str     w0, [sp, #60]
       0x0000000000400c64 <+52>:    ldr     w0, [sp, #60]
       0x0000000000400c68 <+56>:    ldp     x29, x30, [sp], #64
       0x0000000000400c6c <+60>:    ret
    End of assembler dump.
    (gdb) info b
    No breakpoints or watchpoints.
    (gdb) c
    Continuing.
    
    Program received signal SIGILL, Illegal instruction.
    0x0000000000400c30 in send ()
    (gdb) x/10x 0x400c30
    0x400c30 <send>:    0xd42000a0   0xfd030091      0xe01f00b9      0xe16f0039
    0x400c40 <send+16>: 0xff1700f9   0xff1b00f9      0xe06f0091      0x03008052
    0x400c50 <send+32>: 0x220080d2   0xe10300aa
    (gdb) disassemble 0x400c30
    Dump of assembler code for function send:
    => 0x0000000000400c30 <+0>:     .inst   0xa00020d4 ; undefined
       0x0000000000400c34 <+4>:     mov     x29, sp
       0x0000000000400c38 <+8>:     str     w0, [sp, #28]
       0x0000000000400c3c <+12>:    strb    w1, [sp, #27]
       0x0000000000400c40 <+16>:    str     xzr, [sp, #40]
    
    Signed-off-by: junhua huang <huang.junhua@zte.com.cn>
    Link: https://lore.kernel.org/r/202212021511106844809@zte.com.cn
    Signed-off-by: Will Deacon <will@kernel.org>
    Stable-dep-of: 13f8f1e05f1d ("arm64: probes: Fix uprobes for big-endian kernels")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ARM: versatile: fix OF node leak in CPUs prepare [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Mon Aug 26 07:49:33 2024 +0200

    ARM: versatile: fix OF node leak in CPUs prepare
    
    [ Upstream commit f2642d97f2105ed17b2ece0c597450f2ff95d704 ]
    
    Machine code is leaking OF node reference from of_find_matching_node()
    in realview_smp_prepare_cpus().
    
    Fixes: 5420b4b15617 ("ARM: realview: add an DT SMP boot method")
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Acked-by: Liviu Dudau <liviu.dudau@arm.com>
    Link: https://lore.kernel.org/20240826054934.10724-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ASoC: allow module autoloading for table db1200_pids [+ + +]
Author: Hongbo Li <lihongbo22@huawei.com>
Date:   Wed Aug 21 14:19:54 2024 +0800

    ASoC: allow module autoloading for table db1200_pids
    
    [ Upstream commit 0e9fdab1e8df490354562187cdbb8dec643eae2c ]
    
    Add MODULE_DEVICE_TABLE(), so modules could be properly
    autoloaded based on the alias from platform_device_id table.
    
    Signed-off-by: Hongbo Li <lihongbo22@huawei.com>
    Link: https://patch.msgid.link/20240821061955.2273782-2-lihongbo22@huawei.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ASoC: tda7419: fix module autoloading [+ + +]
Author: Liao Chen <liaochen4@huawei.com>
Date:   Mon Aug 26 08:49:23 2024 +0000

    ASoC: tda7419: fix module autoloading
    
    [ Upstream commit 934b44589da9aa300201a00fe139c5c54f421563 ]
    
    Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
    based on the alias from of_device_id table.
    
    Signed-off-by: Liao Chen <liaochen4@huawei.com>
    Link: https://patch.msgid.link/20240826084924.368387-4-liaochen4@huawei.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ata: sata_sil: Rename sil_blacklist to sil_quirks [+ + +]
Author: Damien Le Moal <dlemoal@kernel.org>
Date:   Fri Jul 26 11:14:11 2024 +0900

    ata: sata_sil: Rename sil_blacklist to sil_quirks
    
    [ Upstream commit 93b0f9e11ce511353c65b7f924cf5f95bd9c3aba ]
    
    Rename the array sil_blacklist to sil_quirks as this name is more
    neutral and is also consistent with how this driver define quirks with
    the SIL_QUIRK_XXX flags.
    
    Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
    Reviewed-by: Niklas Cassel <cassel@kernel.org>
    Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
be2net: fix potential memory leak in be_xmit() [+ + +]
Author: Wang Hai <wanghai38@huawei.com>
Date:   Tue Oct 15 22:48:02 2024 +0800

    be2net: fix potential memory leak in be_xmit()
    
    [ Upstream commit e4dd8bfe0f6a23acd305f9b892c00899089bd621 ]
    
    The be_xmit() returns NETDEV_TX_OK without freeing skb
    in case of be_xmit_enqueue() fails, add dev_kfree_skb_any() to fix it.
    
    Fixes: 760c295e0e8d ("be2net: Support for OS2BMC.")
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
    Message-ID: <20241015144802.12150-1-wanghai38@huawei.com>
    Signed-off-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() [+ + +]
Author: Yu Kuai <yukuai3@huawei.com>
Date:   Mon Sep 2 21:03:27 2024 +0800

    block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()
    
    [ Upstream commit 0e456dba86c7f9a19792204a044835f1ca2c8dbb ]
    
    Consider the following merge chain:
    
    Process 1       Process 2       Process 3       Process 4
     (BIC1)          (BIC2)          (BIC3)          (BIC4)
      Λ                |               |               |
       \--------------\ \-------------\ \-------------\|
                       V               V               V
      bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
    
    IO from Process 1 will get bfqf2 from BIC1 first, then
    bfq_setup_cooperator() will found bfqq2 already merged to bfqq3 and then
    handle this IO from bfqq3. However, the merge chain can be much deeper
    and bfqq3 can be merged to other bfqq as well.
    
    Fix this problem by iterating to the last bfqq in
    bfq_setup_cooperator().
    
    Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Link: https://lore.kernel.org/r/20240902130329.3787024-3-yukuai1@huaweicloud.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

block, bfq: don't break merge chain in bfq_split_bfqq() [+ + +]
Author: Yu Kuai <yukuai3@huawei.com>
Date:   Mon Sep 2 21:03:28 2024 +0800

    block, bfq: don't break merge chain in bfq_split_bfqq()
    
    [ Upstream commit 42c306ed723321af4003b2a41bb73728cab54f85 ]
    
    Consider the following scenario:
    
        Process 1       Process 2       Process 3       Process 4
         (BIC1)          (BIC2)          (BIC3)          (BIC4)
          Λ               |               |                |
           \-------------\ \-------------\ \--------------\|
                          V               V                V
          bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
    ref    0              1               2                4
    
    If Process 1 issue a new IO and bfqq2 is found, and then bfq_init_rq()
    decide to spilt bfqq2 by bfq_split_bfqq(). Howerver, procress reference
    of bfqq2 is 1 and bfq_split_bfqq() just clear the coop flag, which will
    break the merge chain.
    
    Expected result: caller will allocate a new bfqq for BIC1
    
        Process 1       Process 2       Process 3       Process 4
         (BIC1)          (BIC2)          (BIC3)          (BIC4)
                          |               |                |
                           \-------------\ \--------------\|
                                          V                V
          bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
    ref    0              0               1                3
    
    Since the condition is only used for the last bfqq4 when the previous
    bfqq2 and bfqq3 are already splited. Fix the problem by checking if
    bfqq is the last one in the merge chain as well.
    
    Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Link: https://lore.kernel.org/r/20240902130329.3787024-4-yukuai1@huaweicloud.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

block, bfq: fix possible UAF for bfqq->bic with merge chain [+ + +]
Author: Yu Kuai <yukuai3@huawei.com>
Date:   Mon Sep 2 21:03:26 2024 +0800

    block, bfq: fix possible UAF for bfqq->bic with merge chain
    
    [ Upstream commit 18ad4df091dd5d067d2faa8fce1180b79f7041a7 ]
    
    1) initial state, three tasks:
    
                    Process 1       Process 2       Process 3
                     (BIC1)          (BIC2)          (BIC3)
                      |  Λ            |  Λ            |  Λ
                      |  |            |  |            |  |
                      V  |            V  |            V  |
                      bfqq1           bfqq2           bfqq3
    process ref:       1                1               1
    
    2) bfqq1 merged to bfqq2:
    
                    Process 1       Process 2       Process 3
                     (BIC1)          (BIC2)          (BIC3)
                      |               |               |  Λ
                      \--------------\|               |  |
                                      V               V  |
                      bfqq1--------->bfqq2            bfqq3
    process ref:       0                2               1
    
    3) bfqq2 merged to bfqq3:
    
                    Process 1       Process 2       Process 3
                     (BIC1)          (BIC2)          (BIC3)
             here -> Λ                |               |
                      \--------------\ \-------------\|
                                      V               V
                      bfqq1--------->bfqq2---------->bfqq3
    process ref:       0                1               3
    
    In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
    get bfqq3 through merge chain, and finially handle IO by bfqq3.
    Howerver, current code will think bfqq2 is owned by BIC1, like initial
    state, and set bfqq2->bic to BIC1.
    
    bfq_insert_request
    -> by Process 1
     bfqq = bfq_init_rq(rq)
      bfqq = bfq_get_bfqq_handle_split
       bfqq = bic_to_bfqq
       -> get bfqq2 from BIC1
     bfqq->ref++
     rq->elv.priv[0] = bic
     rq->elv.priv[1] = bfqq
     if (bfqq_process_refs(bfqq) == 1)
      bfqq->bic = bic
      -> record BIC1 to bfqq2
    
      __bfq_insert_request
       new_bfqq = bfq_setup_cooperator
       -> get bfqq3 from bfqq2->new_bfqq
       bfqq_request_freed(bfqq)
       new_bfqq->ref++
       rq->elv.priv[1] = new_bfqq
       -> handle IO by bfqq3
    
    Fix the problem by checking bfqq is from merge chain fist. And this
    might fix a following problem reported by our syzkaller(unreproducible):
    
    ==================================================================
    BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
    BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
    BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
    Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595
    
    CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
    Workqueue: kblockd blk_mq_requeue_work
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
     print_address_description mm/kasan/report.c:364 [inline]
     print_report+0x10d/0x610 mm/kasan/report.c:475
     kasan_report+0x8e/0xc0 mm/kasan/report.c:588
     bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
     bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
     bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
     bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
     bfq_init_rq block/bfq-iosched.c:6876 [inline]
     bfq_insert_request block/bfq-iosched.c:6254 [inline]
     bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
     blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
     blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
     process_one_work kernel/workqueue.c:2627 [inline]
     process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
     worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
     kthread+0x33c/0x440 kernel/kthread.c:388
     ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
     ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
     </TASK>
    
    Allocated by task 20776:
     kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
     kasan_slab_alloc include/linux/kasan.h:188 [inline]
     slab_post_alloc_hook mm/slab.h:763 [inline]
     slab_alloc_node mm/slub.c:3458 [inline]
     kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
     ioc_create_icq block/blk-ioc.c:370 [inline]
     ioc_find_get_icq+0x180/0xaa0 block/blk-ioc.c:436
     bfq_prepare_request+0x39/0xf0 block/bfq-iosched.c:6812
     blk_mq_rq_ctx_init.isra.7+0x6ac/0xa00 block/blk-mq.c:403
     __blk_mq_alloc_requests+0xcc0/0x1070 block/blk-mq.c:517
     blk_mq_get_new_requests block/blk-mq.c:2940 [inline]
     blk_mq_submit_bio+0x624/0x27c0 block/blk-mq.c:3042
     __submit_bio+0x331/0x6f0 block/blk-core.c:624
     __submit_bio_noacct_mq block/blk-core.c:703 [inline]
     submit_bio_noacct_nocheck+0x816/0xb40 block/blk-core.c:732
     submit_bio_noacct+0x7a6/0x1b50 block/blk-core.c:826
     xlog_write_iclog+0x7d5/0xa00 fs/xfs/xfs_log.c:1958
     xlog_state_release_iclog+0x3b8/0x720 fs/xfs/xfs_log.c:619
     xlog_cil_push_work+0x19c5/0x2270 fs/xfs/xfs_log_cil.c:1330
     process_one_work kernel/workqueue.c:2627 [inline]
     process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
     worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
     kthread+0x33c/0x440 kernel/kthread.c:388
     ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
     ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
    
    Freed by task 946:
     kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
     ____kasan_slab_free mm/kasan/common.c:236 [inline]
     __kasan_slab_free+0x12c/0x1c0 mm/kasan/common.c:244
     kasan_slab_free include/linux/kasan.h:164 [inline]
     slab_free_hook mm/slub.c:1815 [inline]
     slab_free_freelist_hook mm/slub.c:1841 [inline]
     slab_free mm/slub.c:3786 [inline]
     kmem_cache_free+0x118/0x6f0 mm/slub.c:3808
     rcu_do_batch+0x35c/0xe30 kernel/rcu/tree.c:2189
     rcu_core+0x819/0xd90 kernel/rcu/tree.c:2462
     __do_softirq+0x1b0/0x7a2 kernel/softirq.c:553
    
    Last potentially related work creation:
     kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
     __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
     __call_rcu_common kernel/rcu/tree.c:2712 [inline]
     call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826
     ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105
     ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124
     process_one_work kernel/workqueue.c:2627 [inline]
     process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
     worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
     kthread+0x33c/0x440 kernel/kthread.c:388
     ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
     ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
    
    Second to last potentially related work creation:
     kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
     __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
     __call_rcu_common kernel/rcu/tree.c:2712 [inline]
     call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826
     ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105
     ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124
     process_one_work kernel/workqueue.c:2627 [inline]
     process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
     worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
     kthread+0x33c/0x440 kernel/kthread.c:388
     ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
     ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
    
    The buggy address belongs to the object at ffff888123839d68
     which belongs to the cache bfq_io_cq of size 1360
    The buggy address is located 336 bytes inside of
     freed 1360-byte region [ffff888123839d68, ffff88812383a2b8)
    
    The buggy address belongs to the physical page:
    page:ffffea00048e0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812383f588 pfn:0x123838
    head:ffffea00048e0e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    flags: 0x17ffffc0000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1fffff)
    page_type: 0xffffffff()
    raw: 0017ffffc0000a40 ffff88810588c200 ffffea00048ffa10 ffff888105889488
    raw: ffff88812383f588 0000000000150006 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff888123839d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff888123839e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff888123839e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                            ^
     ffff888123839f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff888123839f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================
    
    Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Link: https://lore.kernel.org/r/20240902130329.3787024-2-yukuai1@huaweicloud.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Bluetooth: bnep: fix wild-memory-access in proto_unregister [+ + +]
Author: Ye Bin <yebin10@huawei.com>
Date:   Mon Oct 14 17:07:08 2024 +0800

    Bluetooth: bnep: fix wild-memory-access in proto_unregister
    
    [ Upstream commit 64a90991ba8d4e32e3173ddd83d0b24167a5668c ]
    
    There's issue as follows:
      KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f]
      CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G        W
      RIP: 0010:proto_unregister+0xee/0x400
      Call Trace:
       <TASK>
       __do_sys_delete_module+0x318/0x580
       do_syscall_64+0xc1/0x1d0
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init()
    will cleanup all resource. Then when remove bnep module will call
    bnep_sock_cleanup() to cleanup sock's resource.
    To solve above issue just return bnep_sock_init()'s return value in
    bnep_exit().
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Ye Bin <yebin10@huawei.com>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

Bluetooth: btusb: Fix not handling ZPL/short-transfer [+ + +]
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Mon Sep 9 16:51:52 2024 -0400

    Bluetooth: btusb: Fix not handling ZPL/short-transfer
    
    [ Upstream commit 7b05933340f4490ef5b09e84d644d12484b05fdf ]
    
    Requesting transfers of the exact same size of wMaxPacketSize may result
    in ZPL/short-transfer since the USB stack cannot handle it as we are
    limiting the buffer size to be the same as wMaxPacketSize.
    
    Also, in terms of throughput this change has the same effect to
    interrupt endpoint as 290ba200815f "Bluetooth: Improve USB driver throughput
    by increasing the frame size" had for the bulk endpoint, so users of the
    advertisement bearer (e.g. BT Mesh) may benefit from this change.
    
    Fixes: 5e23b923da03 ("[Bluetooth] Add generic driver for Bluetooth USB devices")
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Tested-by: Kiran K <kiran.k@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 [+ + +]
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Wed Oct 16 11:47:00 2024 -0400

    Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001
    
    commit 2c1dda2acc4192d826e84008d963b528e24d12bc upstream.
    
    Fake CSR controllers don't seem to handle short-transfer properly which
    cause command to time out:
    
    kernel: usb 1-1: new full-speed USB device number 19 using xhci_hcd
    kernel: usb 1-1: New USB device found, idVendor=0a12, idProduct=0001, bcdDevice=88.91
    kernel: usb 1-1: New USB device strings: Mfr=0, Product=2, SerialNumber=0
    kernel: usb 1-1: Product: BT DONGLE10
    ...
    Bluetooth: hci1: Opcode 0x1004 failed: -110
    kernel: Bluetooth: hci1: command 0x1004 tx timeout
    
    According to USB Spec 2.0 Section 5.7.3 Interrupt Transfer Packet Size
    Constraints a interrupt transfer is considered complete when the size is 0
    (ZPL) or < wMaxPacketSize:
    
     'When an interrupt transfer involves more data than can fit in one
     data payload of the currently established maximum size, all data
     payloads are required to be maximum-sized except for the last data
     payload, which will contain the remaining data. An interrupt transfer
     is complete when the endpoint does one of the following:
    
     • Has transferred exactly the amount of data expected
     • Transfers a packet with a payload size less than wMaxPacketSize or
     transfers a zero-length packet'
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=219365
    Fixes: 7b05933340f4 ("Bluetooth: btusb: Fix not handling ZPL/short-transfer")
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bluetooth: Remove debugfs directory on module init failure [+ + +]
Author: Aaron Thompson <dev@aaront.org>
Date:   Fri Oct 4 23:04:10 2024 +0000

    Bluetooth: Remove debugfs directory on module init failure
    
    commit 1db4564f101b47188c1b71696bd342ef09172b22 upstream.
    
    If bt_init() fails, the debugfs directory currently is not removed. If
    the module is loaded again after that, the debugfs directory is not set
    up properly due to the existing directory.
    
      # modprobe bluetooth
      # ls -laF /sys/kernel/debug/bluetooth
      total 0
      drwxr-xr-x  2 root root 0 Sep 27 14:26 ./
      drwx------ 31 root root 0 Sep 27 14:25 ../
      -r--r--r--  1 root root 0 Sep 27 14:26 l2cap
      -r--r--r--  1 root root 0 Sep 27 14:26 sco
      # modprobe -r bluetooth
      # ls -laF /sys/kernel/debug/bluetooth
      ls: cannot access '/sys/kernel/debug/bluetooth': No such file or directory
      #
    
      # modprobe bluetooth
      modprobe: ERROR: could not insert 'bluetooth': Invalid argument
      # dmesg | tail -n 6
      Bluetooth: Core ver 2.22
      NET: Registered PF_BLUETOOTH protocol family
      Bluetooth: HCI device and connection manager initialized
      Bluetooth: HCI socket layer initialized
      Bluetooth: Faking l2cap_init() failure for testing
      NET: Unregistered PF_BLUETOOTH protocol family
      # ls -laF /sys/kernel/debug/bluetooth
      total 0
      drwxr-xr-x  2 root root 0 Sep 27 14:31 ./
      drwx------ 31 root root 0 Sep 27 14:26 ../
      #
    
      # modprobe bluetooth
      # dmesg | tail -n 7
      Bluetooth: Core ver 2.22
      debugfs: Directory 'bluetooth' with parent '/' already present!
      NET: Registered PF_BLUETOOTH protocol family
      Bluetooth: HCI device and connection manager initialized
      Bluetooth: HCI socket layer initialized
      Bluetooth: L2CAP socket layer initialized
      Bluetooth: SCO socket layer initialized
      # ls -laF /sys/kernel/debug/bluetooth
      total 0
      drwxr-xr-x  2 root root 0 Sep 27 14:31 ./
      drwx------ 31 root root 0 Sep 27 14:26 ../
      #
    
    Cc: stable@vger.kernel.org
    Fixes: ffcecac6a738 ("Bluetooth: Create root debugfs directory during module init")
    Signed-off-by: Aaron Thompson <dev@aaront.org>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change [+ + +]
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Mon Sep 30 13:26:21 2024 -0400

    Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
    
    [ Upstream commit 08d1914293dae38350b8088980e59fbc699a72fe ]
    
    rfcomm_sk_state_change attempts to use sock_lock so it must never be
    called with it locked but rfcomm_sock_ioctl always attempt to lock it
    causing the following trace:
    
    ======================================================
    WARNING: possible circular locking dependency detected
    6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
    ------------------------------------------------------
    syz-executor386/5093 is trying to acquire lock:
    ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline]
    ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73
    
    but task is already holding lock:
    ffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491
    
    Reported-by: syzbot+d7ce59b06b3eb14fd218@syzkaller.appspotmail.com
    Tested-by: syzbot+d7ce59b06b3eb14fd218@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=d7ce59b06b3eb14fd218
    Fixes: 3241ad820dbb ("[Bluetooth] Add timestamp support to L2CAP, RFCOMM and SCO")
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf: Check percpu map value size first [+ + +]
Author: Tao Chen <chen.dylane@gmail.com>
Date:   Tue Sep 10 22:41:10 2024 +0800

    bpf: Check percpu map value size first
    
    [ Upstream commit 1d244784be6b01162b732a5a7d637dfc024c3203 ]
    
    Percpu map is often used, but the map value size limit often ignored,
    like issue: https://github.com/iovisor/bcc/issues/2519. Actually,
    percpu map value size is bound by PCPU_MIN_UNIT_SIZE, so we
    can check the value size whether it exceeds PCPU_MIN_UNIT_SIZE first,
    like percpu map of local_storage. Maybe the error message seems clearer
    compared with "cannot allocate memory".
    
    Signed-off-by: Jinke Han <jinkehan@didiglobal.com>
    Signed-off-by: Tao Chen <chen.dylane@gmail.com>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Acked-by: Jiri Olsa <jolsa@kernel.org>
    Acked-by: Andrii Nakryiko <andrii@kernel.org>
    Link: https://lore.kernel.org/bpf/20240910144111.1464912-2-chen.dylane@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bpf: Fix out-of-bounds write in trie_get_next_key() [+ + +]
Author: Byeonguk Jeong <jungbu2855@gmail.com>
Date:   Sat Oct 26 14:02:43 2024 +0900

    bpf: Fix out-of-bounds write in trie_get_next_key()
    
    [ Upstream commit 13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21 ]
    
    trie_get_next_key() allocates a node stack with size trie->max_prefixlen,
    while it writes (trie->max_prefixlen + 1) nodes to the stack when it has
    full paths from the root to leaves. For example, consider a trie with
    max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ...
    0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with
    .prefixlen = 8 make 9 nodes be written on the node stack with size 8.
    
    Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map")
    Signed-off-by: Byeonguk Jeong <jungbu2855@gmail.com>
    Reviewed-by: Toke Høiland-Jørgensen <toke@kernel.org>
    Tested-by: Hou Tao <houtao1@huawei.com>
    Acked-by: Hou Tao <houtao1@huawei.com>
    Link: https://lore.kernel.org/r/Zxx384ZfdlFYnz6J@localhost.localdomain
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
btrfs: wait for fixup workers before stopping cleaner kthread during umount [+ + +]
Author: Filipe Manana <fdmanana@suse.com>
Date:   Tue Oct 1 11:06:52 2024 +0100

    btrfs: wait for fixup workers before stopping cleaner kthread during umount
    
    commit 41fd1e94066a815a7ab0a7025359e9b40e4b3576 upstream.
    
    During unmount, at close_ctree(), we have the following steps in this order:
    
    1) Park the cleaner kthread - this doesn't destroy the kthread, it basically
       halts its execution (wake ups against it work but do nothing);
    
    2) We stop the cleaner kthread - this results in freeing the respective
       struct task_struct;
    
    3) We call btrfs_stop_all_workers() which waits for any jobs running in all
       the work queues and then free the work queues.
    
    Syzbot reported a case where a fixup worker resulted in a crash when doing
    a delayed iput on its inode while attempting to wake up the cleaner at
    btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread
    was already freed. This can happen during unmount because we don't wait
    for any fixup workers still running before we call kthread_stop() against
    the cleaner kthread, which stops and free all its resources.
    
    Fix this by waiting for any fixup workers at close_ctree() before we call
    kthread_stop() against the cleaner and run pending delayed iputs.
    
    The stack traces reported by syzbot were the following:
    
      BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
      Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52
    
      CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
      Workqueue: btrfs-fixup btrfs_work_helper
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:94 [inline]
       dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
       print_address_description mm/kasan/report.c:377 [inline]
       print_report+0x169/0x550 mm/kasan/report.c:488
       kasan_report+0x143/0x180 mm/kasan/report.c:601
       __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
       class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
       try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154
       btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842
       btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314
       process_one_work kernel/workqueue.c:3229 [inline]
       process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
       worker_thread+0x870/0xd30 kernel/workqueue.c:3391
       kthread+0x2f0/0x390 kernel/kthread.c:389
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
       </TASK>
    
      Allocated by task 2:
       kasan_save_stack mm/kasan/common.c:47 [inline]
       kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
       unpoison_slab_object mm/kasan/common.c:319 [inline]
       __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
       kasan_slab_alloc include/linux/kasan.h:247 [inline]
       slab_post_alloc_hook mm/slub.c:4086 [inline]
       slab_alloc_node mm/slub.c:4135 [inline]
       kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187
       alloc_task_struct_node kernel/fork.c:180 [inline]
       dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
       copy_process+0x5d1/0x3d50 kernel/fork.c:2206
       kernel_clone+0x223/0x880 kernel/fork.c:2787
       kernel_thread+0x1bc/0x240 kernel/fork.c:2849
       create_kthread kernel/kthread.c:412 [inline]
       kthreadd+0x60d/0x810 kernel/kthread.c:765
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
    
      Freed by task 61:
       kasan_save_stack mm/kasan/common.c:47 [inline]
       kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
       kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
       poison_slab_object mm/kasan/common.c:247 [inline]
       __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
       kasan_slab_free include/linux/kasan.h:230 [inline]
       slab_free_hook mm/slub.c:2343 [inline]
       slab_free mm/slub.c:4580 [inline]
       kmem_cache_free+0x1a2/0x420 mm/slub.c:4682
       put_task_struct include/linux/sched/task.h:144 [inline]
       delayed_put_task_struct+0x125/0x300 kernel/exit.c:228
       rcu_do_batch kernel/rcu/tree.c:2567 [inline]
       rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
       handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
       __do_softirq kernel/softirq.c:588 [inline]
       invoke_softirq kernel/softirq.c:428 [inline]
       __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
       irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
       instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline]
       sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1037
       asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
    
      Last potentially related work creation:
       kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
       __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
       __call_rcu_common kernel/rcu/tree.c:3086 [inline]
       call_rcu+0x167/0xa70 kernel/rcu/tree.c:3190
       context_switch kernel/sched/core.c:5318 [inline]
       __schedule+0x184b/0x4ae0 kernel/sched/core.c:6675
       schedule_idle+0x56/0x90 kernel/sched/core.c:6793
       do_idle+0x56a/0x5d0 kernel/sched/idle.c:354
       cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:424
       start_secondary+0x102/0x110 arch/x86/kernel/smpboot.c:314
       common_startup_64+0x13e/0x147
    
      The buggy address belongs to the object at ffff8880272a8000
       which belongs to the cache task_struct of size 7424
      The buggy address is located 2584 bytes inside of
       freed 7424-byte region [ffff8880272a8000, ffff8880272a9d00)
    
      The buggy address belongs to the physical page:
      page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x272a8
      head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
      page_type: f5(slab)
      raw: 00fff00000000040 ffff88801bafa500 dead000000000122 0000000000000000
      raw: 0000000000000000 0000000080040004 00000001f5000000 0000000000000000
      head: 00fff00000000040 ffff88801bafa500 dead000000000122 0000000000000000
      head: 0000000000000000 0000000080040004 00000001f5000000 0000000000000000
      head: 00fff00000000003 ffffea00009caa01 ffffffffffffffff 0000000000000000
      head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 71247381401, free_ts 71214998153
       set_page_owner include/linux/page_owner.h:32 [inline]
       post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
       prep_new_page mm/page_alloc.c:1545 [inline]
       get_page_from_freelist+0x3039/0x3180 mm/page_alloc.c:3457
       __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
       alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
       alloc_slab_page+0x6a/0x120 mm/slub.c:2413
       allocate_slab+0x5a/0x2f0 mm/slub.c:2579
       new_slab mm/slub.c:2632 [inline]
       ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
       __slab_alloc+0x58/0xa0 mm/slub.c:3909
       __slab_alloc_node mm/slub.c:3962 [inline]
       slab_alloc_node mm/slub.c:4123 [inline]
       kmem_cache_alloc_node_noprof+0x1fe/0x320 mm/slub.c:4187
       alloc_task_struct_node kernel/fork.c:180 [inline]
       dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
       copy_process+0x5d1/0x3d50 kernel/fork.c:2206
       kernel_clone+0x223/0x880 kernel/fork.c:2787
       kernel_thread+0x1bc/0x240 kernel/fork.c:2849
       create_kthread kernel/kthread.c:412 [inline]
       kthreadd+0x60d/0x810 kernel/kthread.c:765
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
      page last free pid 5230 tgid 5230 stack trace:
       reset_page_owner include/linux/page_owner.h:25 [inline]
       free_pages_prepare mm/page_alloc.c:1108 [inline]
       free_unref_page+0xcd0/0xf00 mm/page_alloc.c:2638
       discard_slab mm/slub.c:2678 [inline]
       __put_partials+0xeb/0x130 mm/slub.c:3146
       put_cpu_partial+0x17c/0x250 mm/slub.c:3221
       __slab_free+0x2ea/0x3d0 mm/slub.c:4450
       qlink_free mm/kasan/quarantine.c:163 [inline]
       qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
       kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
       __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
       kasan_slab_alloc include/linux/kasan.h:247 [inline]
       slab_post_alloc_hook mm/slub.c:4086 [inline]
       slab_alloc_node mm/slub.c:4135 [inline]
       kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4142
       getname_flags+0xb7/0x540 fs/namei.c:139
       do_sys_openat2+0xd2/0x1d0 fs/open.c:1409
       do_sys_open fs/open.c:1430 [inline]
       __do_sys_openat fs/open.c:1446 [inline]
       __se_sys_openat fs/open.c:1441 [inline]
       __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
      Memory state around the buggy address:
       ffff8880272a8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8880272a8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff8880272a8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
       ffff8880272a8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8880272a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
    
    Reported-by: syzbot+8aaf2df2ef0164ffe1fb@syzkaller.appspotmail.com
    Link: https://lore.kernel.org/linux-btrfs/66fb36b1.050a0220.aab67.003b.GAE@google.com/
    CC: stable@vger.kernel.org # 4.19+
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Wed Sep 4 18:22:37 2024 -0700

    can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
    
    [ Upstream commit 94b0818fa63555a65f6ba107080659ea6bcca63e ]
    
    syzbot reported a warning in bcm_release(). [0]
    
    The blamed change fixed another warning that is triggered when
    connect() is issued again for a socket whose connect()ed device has
    been unregistered.
    
    However, if the socket is just close()d without the 2nd connect(), the
    remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
    in bcm_release().
    
    Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().
    
    [0]
    name '4986'
    WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
    Modules linked in:
    CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
    RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
    Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
    RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
    RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
    RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
    R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
    R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
    FS:  0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     bcm_release+0x250/0x880 net/can/bcm.c:1578
     __sock_release net/socket.c:659 [inline]
     sock_close+0xbc/0x240 net/socket.c:1421
     __fput+0x24a/0x8a0 fs/file_table.c:422
     task_work_run+0x24f/0x310 kernel/task_work.c:228
     exit_task_work include/linux/task_work.h:40 [inline]
     do_exit+0xa2f/0x27f0 kernel/exit.c:882
     do_group_exit+0x207/0x2c0 kernel/exit.c:1031
     __do_sys_exit_group kernel/exit.c:1042 [inline]
     __se_sys_exit_group kernel/exit.c:1040 [inline]
     __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
     x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7fcfb51ee969
    Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
    RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
    RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
    RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
    RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
    R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
    R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
     </TASK>
    
    Fixes: 76fe372ccb81 ("can: bcm: Remove proc entry when dev is unregistered.")
    Reported-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=0532ac7a06fb1a03187e
    Tested-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    Link: https://patch.msgid.link/20240905012237.79683-1-kuniyu@amazon.com
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
CDC-NCM: avoid overflow in sanity checking [+ + +]
Author: Oliver Neukum <oneukum@suse.com>
Date:   Tue Feb 15 11:35:47 2022 +0100

    CDC-NCM: avoid overflow in sanity checking
    
    commit 8d2b1a1ec9f559d30b724877da4ce592edc41fdc upstream.
    
    A broken device may give an extreme offset like 0xFFF0
    and a reasonable length for a fragment. In the sanity
    check as formulated now, this will create an integer
    overflow, defeating the sanity check. Both offset
    and offset + len need to be checked in such a manner
    that no overflow can occur.
    And those quantities should be unsigned.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
    Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ceph: remove the incorrect Fw reference check when dirtying pages [+ + +]
Author: Xiubo Li <xiubli@redhat.com>
Date:   Thu Sep 5 06:22:18 2024 +0800

    ceph: remove the incorrect Fw reference check when dirtying pages
    
    [ Upstream commit c08dfb1b49492c09cf13838c71897493ea3b424e ]
    
    When doing the direct-io reads it will also try to mark pages dirty,
    but for the read path it won't hold the Fw caps and there is case
    will it get the Fw reference.
    
    Fixes: 5dda377cf0a6 ("ceph: set i_head_snapc when getting CEPH_CAP_FILE_WR reference")
    Signed-off-by: Xiubo Li <xiubli@redhat.com>
    Reviewed-by: Patrick Donnelly <pdonnell@redhat.com>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
cgroup: Fix potential overflow issue when checking max_depth [+ + +]
Author: Xiu Jianfeng <xiujianfeng@huawei.com>
Date:   Sat Oct 12 07:22:46 2024 +0000

    cgroup: Fix potential overflow issue when checking max_depth
    
    [ Upstream commit 3cc4e13bb1617f6a13e5e6882465984148743cf4 ]
    
    cgroup.max.depth is the maximum allowed descent depth below the current
    cgroup. If the actual descent depth is equal or larger, an attempt to
    create a new child cgroup will fail. However due to the cgroup->max_depth
    is of int type and having the default value INT_MAX, the condition
    'level > cgroup->max_depth' will never be satisfied, and it will cause
    an overflow of the level after it reaches to INT_MAX.
    
    Fix it by starting the level from 0 and using '>=' instead.
    
    It's worth mentioning that this issue is unlikely to occur in reality,
    as it's impossible to have a depth of INT_MAX hierarchy, but should be
    be avoided logically.
    
    Fixes: 1a926e0bbab8 ("cgroup: implement hierarchy limits")
    Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
    Reviewed-by: Michal Koutný <mkoutny@suse.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
clk: Add (devm_)clk_get_optional() functions [+ + +]
Author: Phil Edworthy <phil.edworthy@renesas.com>
Date:   Mon Dec 3 11:13:09 2018 +0000

    clk: Add (devm_)clk_get_optional() functions
    
    [ Upstream commit 60b8f0ddf1a927ef02141a6610fd52575134f821 ]
    
    This adds clk_get_optional() and devm_clk_get_optional() functions to get
    optional clocks.
    
    They behave the same as (devm_)clk_get() except where there is no clock
    producer. In this case, instead of returning -ENOENT, the function
    returns NULL. This makes error checking simpler and allows
    clk_prepare_enable, etc to be called on the returned reference
    without additional checks.
    
    Signed-off-by: Phil Edworthy <phil.edworthy@renesas.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: Russell King <linux@armlinux.org.uk>
    [sboyd@kernel.org: Document in devres.txt]
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Stable-dep-of: a6191a3d1811 ("gpio: aspeed: Use devm_clk api to manage clock source")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: bcm: bcm53573: fix OF node leak in init [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Mon Aug 26 08:58:01 2024 +0200

    clk: bcm: bcm53573: fix OF node leak in init
    
    [ Upstream commit f92d67e23b8caa81f6322a2bad1d633b00ca000e ]
    
    Driver code is leaking OF node reference from of_get_parent() in
    bcm53573_ilp_init().  Usage of of_get_parent() is not needed in the
    first place, because the parent node will not be freed while we are
    processing given node (triggered by CLK_OF_DECLARE()).  Thus fix the
    leak by accessing parent directly, instead of of_get_parent().
    
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/r/20240826065801.17081-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: Fix pointer casting to prevent oops in devm_clk_release() [+ + +]
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Mon Jun 20 19:18:15 2022 +0200

    clk: Fix pointer casting to prevent oops in devm_clk_release()
    
    commit 8b3d743fc9e2542822826890b482afabf0e7522a upstream.
    
    The release function is called with a pointer to the memory returned by
    devres_alloc(). I was confused about that by the code before the
    generalization that used a struct clk **ptr.
    
    Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Link: https://lore.kernel.org/r/20220620171815.114212-1-u.kleine-koenig@pengutronix.de
    Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

clk: Fix slab-out-of-bounds error in devm_clk_release() [+ + +]
Author: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Date:   Sat Aug 5 11:48:47 2023 +0300

    clk: Fix slab-out-of-bounds error in devm_clk_release()
    
    commit 66fbfb35da47f391bdadf9fa7ceb88af4faa9022 upstream.
    
    Problem can be reproduced by unloading snd_soc_simple_card, because in
    devm_get_clk_from_child() devres data is allocated as `struct clk`, but
    devm_clk_release() expects devres data to be `struct devm_clk_state`.
    
    KASAN report:
     ==================================================================
     BUG: KASAN: slab-out-of-bounds in devm_clk_release+0x20/0x54
     Read of size 8 at addr ffffff800ee09688 by task (udev-worker)/287
    
     Call trace:
      dump_backtrace+0xe8/0x11c
      show_stack+0x1c/0x30
      dump_stack_lvl+0x60/0x78
      print_report+0x150/0x450
      kasan_report+0xa8/0xf0
      __asan_load8+0x78/0xa0
      devm_clk_release+0x20/0x54
      release_nodes+0x84/0x120
      devres_release_all+0x144/0x210
      device_unbind_cleanup+0x1c/0xac
      really_probe+0x2f0/0x5b0
      __driver_probe_device+0xc0/0x1f0
      driver_probe_device+0x68/0x120
      __driver_attach+0x140/0x294
      bus_for_each_dev+0xec/0x160
      driver_attach+0x38/0x44
      bus_add_driver+0x24c/0x300
      driver_register+0xf0/0x210
      __platform_driver_register+0x48/0x54
      asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card]
      do_one_initcall+0xac/0x340
      do_init_module+0xd0/0x300
      load_module+0x2ba4/0x3100
      __do_sys_init_module+0x2c8/0x300
      __arm64_sys_init_module+0x48/0x5c
      invoke_syscall+0x64/0x190
      el0_svc_common.constprop.0+0x124/0x154
      do_el0_svc+0x44/0xdc
      el0_svc+0x14/0x50
      el0t_64_sync_handler+0xec/0x11c
      el0t_64_sync+0x14c/0x150
    
     Allocated by task 287:
      kasan_save_stack+0x38/0x60
      kasan_set_track+0x28/0x40
      kasan_save_alloc_info+0x20/0x30
      __kasan_kmalloc+0xac/0xb0
      __kmalloc_node_track_caller+0x6c/0x1c4
      __devres_alloc_node+0x44/0xb4
      devm_get_clk_from_child+0x44/0xa0
      asoc_simple_parse_clk+0x1b8/0x1dc [snd_soc_simple_card_utils]
      simple_parse_node.isra.0+0x1ec/0x230 [snd_soc_simple_card]
      simple_dai_link_of+0x1bc/0x334 [snd_soc_simple_card]
      __simple_for_each_link+0x2ec/0x320 [snd_soc_simple_card]
      asoc_simple_probe+0x468/0x4dc [snd_soc_simple_card]
      platform_probe+0x90/0xf0
      really_probe+0x118/0x5b0
      __driver_probe_device+0xc0/0x1f0
      driver_probe_device+0x68/0x120
      __driver_attach+0x140/0x294
      bus_for_each_dev+0xec/0x160
      driver_attach+0x38/0x44
      bus_add_driver+0x24c/0x300
      driver_register+0xf0/0x210
      __platform_driver_register+0x48/0x54
      asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card]
      do_one_initcall+0xac/0x340
      do_init_module+0xd0/0x300
      load_module+0x2ba4/0x3100
      __do_sys_init_module+0x2c8/0x300
      __arm64_sys_init_module+0x48/0x5c
      invoke_syscall+0x64/0x190
      el0_svc_common.constprop.0+0x124/0x154
      do_el0_svc+0x44/0xdc
      el0_svc+0x14/0x50
      el0t_64_sync_handler+0xec/0x11c
      el0t_64_sync+0x14c/0x150
    
     The buggy address belongs to the object at ffffff800ee09600
      which belongs to the cache kmalloc-256 of size 256
     The buggy address is located 136 bytes inside of
      256-byte region [ffffff800ee09600, ffffff800ee09700)
    
     The buggy address belongs to the physical page:
     page:000000002d97303b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ee08
     head:000000002d97303b order:1 compound_mapcount:0 compound_pincount:0
     flags: 0x10200(slab|head|zone=0)
     raw: 0000000000010200 0000000000000000 dead000000000122 ffffff8002c02480
     raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
     page dumped because: kasan: bad access detected
    
     Memory state around the buggy address:
      ffffff800ee09580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      ffffff800ee09600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     >ffffff800ee09680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                           ^
      ffffff800ee09700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      ffffff800ee09780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ==================================================================
    
    Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
    Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
    Link: https://lore.kernel.org/r/20230805084847.3110586-1-andrej.skvortzov@gmail.com
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

clk: generalize devm_clk_get() a bit [+ + +]
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Fri May 20 09:57:35 2022 +0200

    clk: generalize devm_clk_get() a bit
    
    [ Upstream commit abae8e57e49aa75f6db76aa866c775721523908f ]
    
    Allow to add an exit hook to devm managed clocks. Also use
    clk_get_optional() in devm_clk_get_optional instead of open coding it.
    The generalisation will be used in the next commit to add some more
    devm_clk helpers.
    
    Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Reviewed-by: Alexandru Ardelean <aardelean@deviqon.com>
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Link: https://lore.kernel.org/r/20220520075737.758761-3-u.kleine-koenig@pengutronix.de
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Stable-dep-of: a6191a3d1811 ("gpio: aspeed: Use devm_clk api to manage clock source")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: Provide new devm_clk helpers for prepared and enabled clocks [+ + +]
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Fri May 20 09:57:36 2022 +0200

    clk: Provide new devm_clk helpers for prepared and enabled clocks
    
    [ Upstream commit 7ef9651e9792b08eb310c6beb202cbc947f43cab ]
    
    When a driver keeps a clock prepared (or enabled) during the whole
    lifetime of the driver, these helpers allow to simplify the drivers.
    
    Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Reviewed-by: Alexandru Ardelean <aardelean@deviqon.com>
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Link: https://lore.kernel.org/r/20220520075737.758761-4-u.kleine-koenig@pengutronix.de
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Stable-dep-of: a6191a3d1811 ("gpio: aspeed: Use devm_clk api to manage clock source")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: rockchip: fix error for unknown clocks [+ + +]
Author: Sebastian Reichel <sebastian.reichel@collabora.com>
Date:   Mon Mar 25 20:33:36 2024 +0100

    clk: rockchip: fix error for unknown clocks
    
    commit 12fd64babaca4dc09d072f63eda76ba44119816a upstream.
    
    There is a clk == NULL check after the switch to check for
    unsupported clk types. Since clk is re-assigned in a loop,
    this check is useless right now for anything but the first
    round. Let's fix this up by assigning clk = NULL in the
    loop before the switch statement.
    
    Fixes: a245fecbb806 ("clk: rockchip: add basic infrastructure for clock branches")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    [added fixes + stable-cc]
    Link: https://lore.kernel.org/r/20240325193609.237182-6-sebastian.reichel@collabora.com
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 [+ + +]
Author: Jonas Karlman <jonas@kwiboo.se>
Date:   Sat Jun 15 17:03:53 2024 +0000

    clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228
    
    [ Upstream commit 1d34b9757523c1ad547bd6d040381f62d74a3189 ]
    
    Similar to DCLK_LCDC on RK3328, the DCLK_VOP on RK3228 is typically
    parented by the hdmiphy clk and it is expected that the DCLK_VOP and
    hdmiphy clk rate are kept in sync.
    
    Use CLK_SET_RATE_PARENT and CLK_SET_RATE_NO_REPARENT flags, same as used
    on RK3328, to make full use of all possible supported display modes.
    
    Fixes: 0a9d4ac08ebc ("clk: rockchip: set the clock ids for RK3228 VOP")
    Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228")
    Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
    Link: https://lore.kernel.org/r/20240615170417.3134517-3-jonas@kwiboo.se
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: ti: dra7-atl: Fix leak of of_nodes [+ + +]
Author: David Lechner <dlechner@baylibre.com>
Date:   Mon Aug 26 10:35:29 2024 -0500

    clk: ti: dra7-atl: Fix leak of of_nodes
    
    [ Upstream commit 9d6e9f10e2e031fb7bfb3030a7d1afc561a28fea ]
    
    This fix leaking the of_node references in of_dra7_atl_clk_probe().
    
    The docs for of_parse_phandle_with_args() say that the caller must call
    of_node_put() on the returned node. This adds the missing of_node_put()
    to fix the leak.
    
    Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)")
    Signed-off-by: David Lechner <dlechner@baylibre.com>
    Link: https://lore.kernel.org/r/20240826-clk-fix-leak-v1-1-f55418a13aa6@baylibre.com
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() [+ + +]
Author: Ankit Agrawal <agrawal.ag.ankit@gmail.com>
Date:   Sat Jul 13 15:27:13 2024 +0530

    clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init()
    
    [ Upstream commit ca140a0dc0a18acd4653b56db211fec9b2339986 ]
    
    Add the missing iounmap() when clock frequency fails to get read by the
    of_property_read_u32() call, or if the call to msm_timer_init() fails.
    
    Fixes: 6e3321631ac2 ("ARM: msm: Add DT support to msm_timer")
    Signed-off-by: Ankit Agrawal <agrawal.ag.ankit@gmail.com>
    Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
    Link: https://lore.kernel.org/r/20240713095713.GA430091@bnew-VirtualBox
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
coresight: tmc: sg: Do not leak sg_table [+ + +]
Author: Suzuki K Poulose <suzuki.poulose@arm.com>
Date:   Tue Jul 2 14:28:46 2024 +0100

    coresight: tmc: sg: Do not leak sg_table
    
    [ Upstream commit c58dc5a1f886f2fcc1133746d0cbaa1fe7fd44ff ]
    
    Running perf with cs_etm on Juno triggers the following kmemleak warning !
    
    :~# cat /sys/kernel/debug/kmemleak
     unreferenced object 0xffffff8806b6d720 (size 96):
     comm "perf", pid 562, jiffies 4297810960
     hex dump (first 32 bytes):
     38 d8 13 07 88 ff ff ff 00 d0 9e 85 c0 ff ff ff  8...............
     00 10 00 88 c0 ff ff ff 00 f0 ff f7 ff 00 00 00  ................
     backtrace (crc 1dbf6e00):
     [<ffffffc08107381c>] kmemleak_alloc+0xbc/0xd8
     [<ffffffc0802f9798>] kmalloc_trace_noprof+0x220/0x2e8
     [<ffffffc07bb71948>] tmc_alloc_sg_table+0x48/0x208 [coresight_tmc]
     [<ffffffc07bb71cbc>] tmc_etr_alloc_sg_buf+0xac/0x240 [coresight_tmc]
     [<ffffffc07bb72538>] tmc_alloc_etr_buf.constprop.0+0x1f0/0x260 [coresight_tmc]
     [<ffffffc07bb7280c>] alloc_etr_buf.constprop.0.isra.0+0x74/0xa8 [coresight_tmc]
     [<ffffffc07bb72950>] tmc_alloc_etr_buffer+0x110/0x260 [coresight_tmc]
     [<ffffffc07bb38afc>] etm_setup_aux+0x204/0x3b0 [coresight]
     [<ffffffc08025837c>] rb_alloc_aux+0x20c/0x318
     [<ffffffc08024dd84>] perf_mmap+0x2e4/0x7a0
     [<ffffffc0802cceb0>] mmap_region+0x3b0/0xa08
     [<ffffffc0802cd8a8>] do_mmap+0x3a0/0x500
     [<ffffffc080295328>] vm_mmap_pgoff+0x100/0x1d0
     [<ffffffc0802cadf8>] ksys_mmap_pgoff+0xb8/0x110
     [<ffffffc080020688>] __arm64_sys_mmap+0x38/0x58
     [<ffffffc080028fc0>] invoke_syscall.constprop.0+0x58/0x100
    
    This due to the fact that we do not free the "sg_table" itself while
    freeing up  the SG table and data pages. Fix this by freeing the sg_table
    in tmc_free_sg_table().
    
    Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework")
    Cc: Mike Leach <mike.leach@linaro.org>
    Cc: James Clark <james.clark@arm.com>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
    Link: https://lore.kernel.org/r/20240702132846.1677261-1-suzuki.poulose@arm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
crypto: aead,cipher - zeroize key buffer after use [+ + +]
Author: Hailey Mothershead <hailmo@amazon.com>
Date:   Mon Apr 15 22:19:15 2024 +0000

    crypto: aead,cipher - zeroize key buffer after use
    
    commit 23e4099bdc3c8381992f9eb975c79196d6755210 upstream.
    
    I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding
    cryptographic information should be zeroized once they are no longer
    needed. Accomplish this by using kfree_sensitive for buffers that
    previously held the private key.
    
    Signed-off-by: Hailey Mothershead <hailmo@amazon.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drbd: Add NULL check for net_conf to prevent dereference in state validation [+ + +]
Author: Mikhail Lobanov <m.lobanov@rosalinux.ru>
Date:   Mon Sep 9 09:37:36 2024 -0400

    drbd: Add NULL check for net_conf to prevent dereference in state validation
    
    commit a5e61b50c9f44c5edb6e134ede6fee8806ffafa9 upstream.
    
    If the net_conf pointer is NULL and the code attempts to access its
    fields without a check, it will lead to a null pointer dereference.
    Add a NULL check before dereferencing the pointer.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: 44ed167da748 ("drbd: rcu_read_lock() and rcu_dereference() for tconn->net_conf")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
    Link: https://lore.kernel.org/r/20240909133740.84297-1-m.lobanov@rosalinux.ru
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drbd: Fix atomicity violation in drbd_uuid_set_bm() [+ + +]
Author: Qiu-ji Chen <chenqiuji666@gmail.com>
Date:   Fri Sep 13 16:35:04 2024 +0800

    drbd: Fix atomicity violation in drbd_uuid_set_bm()
    
    commit 2f02b5af3a4482b216e6a466edecf6ba8450fa45 upstream.
    
    The violation of atomicity occurs when the drbd_uuid_set_bm function is
    executed simultaneously with modifying the value of
    device->ldev->md.uuid[UI_BITMAP]. Consider a scenario where, while
    device->ldev->md.uuid[UI_BITMAP] passes the validity check when its
    value is not zero, the value of device->ldev->md.uuid[UI_BITMAP] is
    written to zero. In this case, the check in drbd_uuid_set_bm might refer
    to the old value of device->ldev->md.uuid[UI_BITMAP] (before locking),
    which allows an invalid value to pass the validity check, resulting in
    inconsistency.
    
    To address this issue, it is recommended to include the data validity
    check within the locked section of the function. This modification
    ensures that the value of device->ldev->md.uuid[UI_BITMAP] does not
    change during the validation process, thereby maintaining its integrity.
    
    This possible bug is found by an experimental static analysis tool
    developed by our team. This tool analyzes the locking APIs to extract
    function pairs that can be concurrently executed, and then analyzes the
    instructions in the paired functions to identify possible concurrency
    bugs including data races and atomicity violations.
    
    Fixes: 9f2247bb9b75 ("drbd: Protect accesses to the uuid set with a spinlock")
    Cc: stable@vger.kernel.org
    Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
    Reviewed-by: Philipp Reisner <philipp.reisner@linbit.com>
    Link: https://lore.kernel.org/r/20240913083504.10549-1-chenqiuji666@gmail.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute [+ + +]
Author: Zijun Hu <quic_zijuhu@quicinc.com>
Date:   Wed Jul 24 21:54:48 2024 +0800

    driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute
    
    [ Upstream commit c0fd973c108cdc22a384854bc4b3e288a9717bb2 ]
    
    Return -EIO instead of 0 for below erroneous bus attribute operations:
     - read a bus attribute without show().
     - write a bus attribute without store().
    
    Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
    Link: https://lore.kernel.org/r/20240724-bus_fix-v2-1-5adbafc698fb@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error [+ + +]
Author: Junlin Li <make24@iscas.ac.cn>
Date:   Wed Jul 3 01:50:23 2024 +0800

    drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error
    
    [ Upstream commit 46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14 ]
    
    Ensure index in rtl2830_pid_filter does not exceed 31 to prevent
    out-of-bounds access.
    
    dev->filters is a 32-bit value, so set_bit and clear_bit functions should
    only operate on indices from 0 to 31. If index is 32, it will attempt to
    access a non-existent 33rd bit, leading to out-of-bounds access.
    Change the boundary check from index > 32 to index >= 32 to resolve this
    issue.
    
    Fixes: df70ddad81b4 ("[media] rtl2830: implement PID filter")
    Signed-off-by: Junlin Li <make24@iscas.ac.cn>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error [+ + +]
Author: Junlin Li <make24@iscas.ac.cn>
Date:   Tue Jul 2 21:24:13 2024 +0800

    drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error
    
    [ Upstream commit 8ae06f360cfaca2b88b98ca89144548b3186aab1 ]
    
    Ensure index in rtl2832_pid_filter does not exceed 31 to prevent
    out-of-bounds access.
    
    dev->filters is a 32-bit value, so set_bit and clear_bit functions should
    only operate on indices from 0 to 31. If index is 32, it will attempt to
    access a non-existent 33rd bit, leading to out-of-bounds access.
    Change the boundary check from index > 32 to index >= 32 to resolve this
    issue.
    
    Signed-off-by: Junlin Li <make24@iscas.ac.cn>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Fixes: 4b01e01a81b6 ("[media] rtl2832: implement PID filter")
    [hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/amd/display: Check stream before comparing them [+ + +]
Author: Alex Hung <alex.hung@amd.com>
Date:   Thu Jun 27 20:05:14 2024 -0600

    drm/amd/display: Check stream before comparing them
    
    [ Upstream commit 35ff747c86767937ee1e0ca987545b7eed7a0810 ]
    
    [WHAT & HOW]
    amdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is
    necessary to check for null before dereferencing them.
    
    This fixes 1 FORWARD_NULL issue reported by Coverity.
    
    Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
    Signed-off-by: Jerry Zuo <jerry.zuo@amd.com>
    Signed-off-by: Alex Hung <alex.hung@amd.com>
    Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd/display: Fix index out of bounds in degamma hardware format translation [+ + +]
Author: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Date:   Sat Jul 20 17:48:27 2024 +0530

    drm/amd/display: Fix index out of bounds in degamma hardware format translation
    
    [ Upstream commit b7e99058eb2e86aabd7a10761e76cae33d22b49f ]
    
    Fixes index out of bounds issue in
    `cm_helper_translate_curve_to_degamma_hw_format` function. The issue
    could occur when the index 'i' exceeds the number of transfer function
    points (TRANSFER_FUNC_POINTS).
    
    The fix adds a check to ensure 'i' is within bounds before accessing the
    transfer function points. If 'i' is out of bounds the function returns
    false to indicate an error.
    
    Reported by smatch:
    drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
    drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
    drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
    
    Cc: Tom Chung <chiahsuan.chung@amd.com>
    Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
    Cc: Roman Li <roman.li@amd.com>
    Cc: Alex Hung <alex.hung@amd.com>
    Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
    Cc: Harry Wentland <harry.wentland@amd.com>
    Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
    Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
    Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/amd: fix typo [+ + +]
Author: Matteo Croce <mcroce@redhat.com>
Date:   Mon Jan 7 14:06:00 2019 +0100

    drm/amd: fix typo
    
    [ Upstream commit 229f7b1d6344ea35fff0b113e4d91128921f8937 ]
    
    Fix spelling mistake: "lenght" -> "length"
    
    Signed-off-by: Matteo Croce <mcroce@redhat.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Stable-dep-of: 8155566a26b8 ("drm/amdgpu: properly handle vbios fake edid sizing")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd: Guard against bad data for ATIF ACPI method [+ + +]
Author: Mario Limonciello <mario.limonciello@amd.com>
Date:   Fri Oct 11 12:23:15 2024 -0500

    drm/amd: Guard against bad data for ATIF ACPI method
    
    commit bf58f03931fdcf7b3c45cb76ac13244477a60f44 upstream.
    
    If a BIOS provides bad data in response to an ATIF method call
    this causes a NULL pointer dereference in the caller.
    
    ```
    ? show_regs (arch/x86/kernel/dumpstack.c:478 (discriminator 1))
    ? __die (arch/x86/kernel/dumpstack.c:423 arch/x86/kernel/dumpstack.c:434)
    ? page_fault_oops (arch/x86/mm/fault.c:544 (discriminator 2) arch/x86/mm/fault.c:705 (discriminator 2))
    ? do_user_addr_fault (arch/x86/mm/fault.c:440 (discriminator 1) arch/x86/mm/fault.c:1232 (discriminator 1))
    ? acpi_ut_update_object_reference (drivers/acpi/acpica/utdelete.c:642)
    ? exc_page_fault (arch/x86/mm/fault.c:1542)
    ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
    ? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:387 (discriminator 2)) amdgpu
    ? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:386 (discriminator 1)) amdgpu
    ```
    
    It has been encountered on at least one system, so guard for it.
    
    Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
    Acked-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    (cherry picked from commit c9b7c809b89f24e9372a4e7f02d64c950b07fdee)
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/amdgpu: properly handle vbios fake edid sizing [+ + +]
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Tue Jul 23 13:23:56 2024 -0400

    drm/amdgpu: properly handle vbios fake edid sizing
    
    [ Upstream commit 8155566a26b8d6c1dd914f06a0c652e4e2f2adf1 ]
    
    The comment in the vbios structure says:
    // = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
    
    This fake edid struct has not been used in a long time, so I'm
    not sure if there were actually any boards out there with a non-128 byte
    EDID, but align the code with the comment.
    
    Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
    Reported-by: Thomas Weißschuh <linux@weissschuh.net>
    Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html
    Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdgpu: Replace one-element array with flexible-array member [+ + +]
Author: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>
Date:   Sat Oct 29 14:30:44 2022 +1300

    drm/amdgpu: Replace one-element array with flexible-array member
    
    [ Upstream commit 320e2590e281d0a7865e861f50155b5b435e9813 ]
    
    One-element arrays are deprecated, and we are replacing them with
    flexible array members instead. So, replace one-element array with
    flexible-array member in struct _ATOM_FAKE_EDID_PATCH_RECORD and
    refactor the rest of the code accordingly.
    
    Important to mention is that doing a build before/after this patch
    results in no binary output differences.
    
    This helps with the ongoing efforts to tighten the FORTIFY_SOURCE
    routines on memcpy() and help us make progress towards globally
    enabling -fstrict-flex-arrays=3 [1].
    
    Link: https://github.com/KSPP/linux/issues/79
    Link: https://github.com/KSPP/linux/issues/238
    Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 [1]
    
    Signed-off-by: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Stable-dep-of: 8155566a26b8 ("drm/amdgpu: properly handle vbios fake edid sizing")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/crtc: fix uninitialized variable use even harder [+ + +]
Author: Rob Clark <robdclark@chromium.org>
Date:   Mon Feb 12 13:55:34 2024 -0800

    drm/crtc: fix uninitialized variable use even harder
    
    [ Upstream commit b6802b61a9d0e99dcfa6fff7c50db7c48a9623d3 ]
    
    DRM_MODESET_LOCK_ALL_BEGIN() has a hidden trap-door (aka retry loop),
    which means we can't rely too much on variable initializers.
    
    Fixes: 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable use")
    Signed-off-by: Rob Clark <robdclark@chromium.org>
    Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> # sc7180, sdm845
    Link: https://patchwork.freedesktop.org/patch/msgid/20240212215534.190682-1-robdclark@gmail.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/msm/a5xx: fix races in preemption evaluation stage [+ + +]
Author: Vladimir Lypak <vladimir.lypak@gmail.com>
Date:   Sun Sep 1 13:54:02 2024 +0000

    drm/msm/a5xx: fix races in preemption evaluation stage
    
    [ Upstream commit ce050f307ad93bcc5958d0dd35fc276fd394d274 ]
    
    On A5XX GPUs when preemption is used it's invietable to enter a soft
    lock-up state in which GPU is stuck at empty ring-buffer doing nothing.
    This appears as full UI lockup and not detected as GPU hang (because
    it's not). This happens due to not triggering preemption when it was
    needed. Sometimes this state can be recovered by some new submit but
    generally it won't happen because applications are waiting for old
    submits to retire.
    
    One of the reasons why this happens is a race between a5xx_submit and
    a5xx_preempt_trigger called from IRQ during submit retire. Former thread
    updates ring->cur of previously empty and not current ring right after
    latter checks it for emptiness. Then both threads can just exit because
    for first one preempt_state wasn't NONE yet and for second one all rings
    appeared to be empty.
    
    To prevent such situations from happening we need to establish guarantee
    for preempt_trigger to make decision after each submit or retire. To
    implement this we serialize preemption initiation using spinlock. If
    switch is already in progress we need to re-trigger preemption when it
    finishes.
    
    Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
    Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
    Patchwork: https://patchwork.freedesktop.org/patch/612045/
    Signed-off-by: Rob Clark <robdclark@chromium.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/msm/a5xx: properly clear preemption records on resume [+ + +]
Author: Vladimir Lypak <vladimir.lypak@gmail.com>
Date:   Sun Sep 1 13:54:01 2024 +0000

    drm/msm/a5xx: properly clear preemption records on resume
    
    [ Upstream commit 64fd6d01a52904bdbda0ce810a45a428c995a4ca ]
    
    Two fields of preempt_record which are used by CP aren't reset on
    resume: "data" and "info". This is the reason behind faults which happen
    when we try to switch to the ring that was active last before suspend.
    In addition those faults can't be recovered from because we use suspend
    and resume to do so (keeping values of those fields again).
    
    Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
    Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
    Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
    Patchwork: https://patchwork.freedesktop.org/patch/612043/
    Signed-off-by: Rob Clark <robdclark@chromium.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation [+ + +]
Author: Jonathan Marek <jonathan@marek.ca>
Date:   Mon Oct 7 01:01:49 2024 -0400

    drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation
    
    [ Upstream commit 358b762400bd94db2a14a72dfcef74c7da6bd845 ]
    
    When (mode->clock * 1000) is larger than (1<<31), int to unsigned long
    conversion will sign extend the int to 64 bits and the pclk_rate value
    will be incorrect.
    
    Fix this by making the result of the multiplication unsigned.
    
    Note that above (1<<32) would still be broken and require more changes, but
    its unlikely anyone will need that anytime soon.
    
    Fixes: c4d8cfe516dc ("drm/msm/dsi: add implementation for helper functions")
    Signed-off-by: Jonathan Marek <jonathan@marek.ca>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
    Patchwork: https://patchwork.freedesktop.org/patch/618434/
    Link: https://lore.kernel.org/r/20241007050157.26855-2-jonathan@marek.ca
    Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/msm: fix %s null argument error [+ + +]
Author: Sherry Yang <sherry.yang@oracle.com>
Date:   Tue Aug 27 09:53:37 2024 -0700

    drm/msm: fix %s null argument error
    
    [ Upstream commit 25b85075150fe8adddb096db8a4b950353045ee1 ]
    
    The following build error was triggered because of NULL string argument:
    
    BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c: In function 'mdp5_smp_dump':
    BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=]
    BUILDSTDERR:   352 |                         drm_printf(p, "%s:%d\t%d\t%s\n",
    BUILDSTDERR:       |                                                   ^~
    BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=]
    
    This happens from the commit a61ddb4393ad ("drm: enable (most) W=1
    warnings by default across the subsystem"). Using "(null)" instead
    to fix it.
    
    Fixes: bc5289eed481 ("drm/msm/mdp5: add debugfs to show smp block status")
    Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
    Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
    Patchwork: https://patchwork.freedesktop.org/patch/611071/
    Link: https://lore.kernel.org/r/20240827165337.1075904-1-sherry.yang@oracle.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/printer: Allow NULL data in devcoredump printer [+ + +]
Author: Matthew Brost <matthew.brost@intel.com>
Date:   Thu Aug 1 08:41:17 2024 -0700

    drm/printer: Allow NULL data in devcoredump printer
    
    [ Upstream commit 53369581dc0c68a5700ed51e1660f44c4b2bb524 ]
    
    We want to determine the size of the devcoredump before writing it out.
    To that end, we will run the devcoredump printer with NULL data to get
    the size, alloc data based on the generated offset, then run the
    devcorecump again with a valid data pointer to print.  This necessitates
    not writing data to the data pointer on the initial pass, when it is
    NULL.
    
    v5:
     - Better commit message (Jonathan)
     - Add kerenl doc with examples (Jani)
    
    Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Acked-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Signed-off-by: Matthew Brost <matthew.brost@intel.com>
    Reviewed-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240801154118.2547543-3-matthew.brost@intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets [+ + +]
Author: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Date:   Tue Aug 6 10:19:04 2024 -0700

    drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets
    
    [ Upstream commit 3fbaf475a5b8361ebee7da18964db809e37518b7 ]
    
    Several cs track offsets (such as 'track->db_s_read_offset')
    either are initialized with or plainly take big enough values that,
    once shifted 8 bits left, may be hit with integer overflow if the
    resulting values end up going over u32 limit.
    
    Same goes for a few instances of 'surf.layer_size * mslice'
    multiplications that are added to 'offset' variable - they may
    potentially overflow as well and need to be validated properly.
    
    While some debug prints in this code section take possible overflow
    issues into account, simply casting to (unsigned long) may be
    erroneous in its own way, as depending on CPU architecture one is
    liable to get different results.
    
    Fix said problems by:
     - casting 'offset' to fixed u64 data type instead of
     ambiguous unsigned long.
     - casting one of the operands in vulnerable to integer
     overflow cases to u64.
     - adjust format specifiers in debug prints to properly
     represent 'offset' values.
    
    Found by Linux Verification Center (linuxtesting.org) with static
    analysis tool SVACE.
    
    Fixes: 285484e2d55e ("drm/radeon: add support for evergreen/ni tiling informations v11")
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() [+ + +]
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Tue Jul 30 17:58:12 2024 +0200

    drm/radeon/r100: Handle unknown family in r100_cp_init_microcode()
    
    [ Upstream commit c6dbab46324b1742b50dc2fb5c1fee2c28129439 ]
    
    With -Werror:
    
        In function ‘r100_cp_init_microcode’,
            inlined from ‘r100_cp_init’ at drivers/gpu/drm/radeon/r100.c:1136:7:
        include/linux/printk.h:465:44: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
          465 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
              |                                            ^
        include/linux/printk.h:437:17: note: in definition of macro ‘printk_index_wrap’
          437 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
              |                 ^~~~~~~
        include/linux/printk.h:508:9: note: in expansion of macro ‘printk’
          508 |         printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__)
              |         ^~~~~~
        drivers/gpu/drm/radeon/r100.c:1062:17: note: in expansion of macro ‘pr_err’
         1062 |                 pr_err("radeon_cp: Failed to load firmware \"%s\"\n", fw_name);
              |                 ^~~~~~
    
    Fix this by converting the if/else if/... construct into a proper
    switch() statement with a default to handle the error case.
    
    As a bonus, the generated code is ca. 100 bytes smaller (with gcc 11.4.0
    targeting arm32).
    
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/radeon: properly handle vbios fake edid sizing [+ + +]
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Tue Jul 23 13:31:58 2024 -0400

    drm/radeon: properly handle vbios fake edid sizing
    
    [ Upstream commit 17c6baff3d5f65c8da164137a58742541a060b2f ]
    
    The comment in the vbios structure says:
    // = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
    
    This fake edid struct has not been used in a long time, so I'm
    not sure if there were actually any boards out there with a non-128 byte
    EDID, but align the code with the comment.
    
    Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
    Reported-by: Thomas Weißschuh <linux@weissschuh.net>
    Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html
    Fixes: c324acd5032f ("drm/radeon/kms: parse the extended LCD info block")
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/radeon: Replace one-element array with flexible-array member [+ + +]
Author: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>
Date:   Sat Oct 29 16:32:05 2022 +1300

    drm/radeon: Replace one-element array with flexible-array member
    
    [ Upstream commit c81c5bd5cf2f428867e0bcfcccd4e4d2f8c68f51 ]
    
    One-element arrays are deprecated, and we are replacing them with
    flexible array members instead. So, replace one-element array with
    flexible-array member in struct _ATOM_FAKE_EDID_PATCH_RECORD and
    refactor the rest of the code accordingly.
    
    It's worth mentioning that doing a build before/after this patch results
    in no binary output differences.
    
    This helps with the ongoing efforts to tighten the FORTIFY_SOURCE
    routines on memcpy() and help us make progress towards globally
    enabling -fstrict-flex-arrays=3 [1].
    
    Link: https://github.com/KSPP/linux/issues/79
    Link: https://github.com/KSPP/linux/issues/239
    Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 [1]
    
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Stable-dep-of: 17c6baff3d5f ("drm/radeon: properly handle vbios fake edid sizing")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/rockchip: vop: Allow 4096px width scaling [+ + +]
Author: Alex Bee <knaerzche@gmail.com>
Date:   Sat Jun 15 17:03:54 2024 +0000

    drm/rockchip: vop: Allow 4096px width scaling
    
    [ Upstream commit 0ef968d91a20b5da581839f093f98f7a03a804f7 ]
    
    There is no reason to limit VOP scaling to 3840px width, the limit of
    RK3288, when there are newer VOP versions that support 4096px width.
    
    Change to enforce a maximum of 4096px width plane scaling, the maximum
    supported output width of the VOP versions supported by this driver.
    
    Fixes: 4c156c21c794 ("drm/rockchip: vop: support plane scale")
    Signed-off-by: Alex Bee <knaerzche@gmail.com>
    Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-4-jonas@kwiboo.se
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/stm: Fix an error handling path in stm_drm_platform_probe() [+ + +]
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sat Jan 6 17:54:32 2024 +0100

    drm/stm: Fix an error handling path in stm_drm_platform_probe()
    
    [ Upstream commit ce7c90bfda2656418c69ba0dd8f8a7536b8928d4 ]
    
    If drm_dev_register() fails, a call to drv_load() must be undone, as
    already done in the remove function.
    
    Fixes: b759012c5fa7 ("drm/stm: Add STM32 LTDC driver")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Acked-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20fff7f853f20a48a96db8ff186124470ec4d976.1704560028.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/vmwgfx: Handle surface check failure correctly [+ + +]
Author: Nikolay Kuratov <kniv@yandex-team.ru>
Date:   Wed Oct 2 15:24:29 2024 +0300

    drm/vmwgfx: Handle surface check failure correctly
    
    commit 26498b8d54373d31a621d7dec95c4bd842563b3b upstream.
    
    Currently if condition (!bo and !vmw_kms_srf_ok()) was met
    we go to err_out with ret == 0.
    err_out dereferences vfb if ret == 0, but in our case vfb is still NULL.
    
    Fix this by assigning sensible error to ret.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE
    
    Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
    Cc: stable@vger.kernel.org
    Fixes: 810b3e1683d0 ("drm/vmwgfx: Support topology greater than texture size")
    Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20241002122429.1981822-1-kniv@yandex-team.ru
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm: Move drm_mode_setcrtc() local re-init to failure path [+ + +]
Author: Sean Paul <seanpaul@chromium.org>
Date:   Thu Nov 29 10:04:15 2018 -0500

    drm: Move drm_mode_setcrtc() local re-init to failure path
    
    [ Upstream commit c232e9f41b136c141df9938024e521191a7b910d ]
    
    Instead of always re-initializing the variables we need to clean up on
    out, move the re-initialization into the branch that goes back to retry
    label.
    
    This is a lateral move right now, but will allow us to pull out the
    modeset locking into common code. I kept this change separate to make
    things easier to review.
    
    Changes in v2:
    - None
    
    Reviewed-by: Daniel Vetter <daniel@ffwll.ch>
    Signed-off-by: Sean Paul <seanpaul@chromium.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20181129150423.239081-2-sean@poorly.run
    Stable-dep-of: b6802b61a9d0 ("drm/crtc: fix uninitialized variable use even harder")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ext4: aovid use-after-free in ext4_ext_insert_extent() [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Thu Aug 22 10:35:26 2024 +0800

    ext4: aovid use-after-free in ext4_ext_insert_extent()
    
    commit a164f3a432aae62ca23d03e6d926b122ee5b860d upstream.
    
    As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is
    reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and
    cause UAF. Below is a sample trace with dummy values:
    
    ext4_ext_insert_extent
      path = *ppath = 2000
      ext4_ext_create_new_leaf(ppath)
        ext4_find_extent(ppath)
          path = *ppath = 2000
          if (depth > path[0].p_maxdepth)
                kfree(path = 2000);
                *ppath = path = NULL;
          path = kcalloc() = 3000
          *ppath = 3000;
          return path;
      /* here path is still 2000, UAF! */
      eh = path[depth].p_hdr
    
    ==================================================================
    BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330
    Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179
    CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866
    Call Trace:
     <TASK>
     ext4_ext_insert_extent+0x26d4/0x3330
     ext4_ext_map_blocks+0xe22/0x2d40
     ext4_map_blocks+0x71e/0x1700
     ext4_do_writepages+0x1290/0x2800
    [...]
    
    Allocated by task 179:
     ext4_find_extent+0x81c/0x1f70
     ext4_ext_map_blocks+0x146/0x2d40
     ext4_map_blocks+0x71e/0x1700
     ext4_do_writepages+0x1290/0x2800
     ext4_writepages+0x26d/0x4e0
     do_writepages+0x175/0x700
    [...]
    
    Freed by task 179:
     kfree+0xcb/0x240
     ext4_find_extent+0x7c0/0x1f70
     ext4_ext_insert_extent+0xa26/0x3330
     ext4_ext_map_blocks+0xe22/0x2d40
     ext4_map_blocks+0x71e/0x1700
     ext4_do_writepages+0x1290/0x2800
     ext4_writepages+0x26d/0x4e0
     do_writepages+0x175/0x700
    [...]
    ==================================================================
    
    So use *ppath to update the path to avoid the above problem.
    
    Reported-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
    Closes: https://lore.kernel.org/r/ZqyL6rmtwl6N4MWR@li-bb2b2a4c-3307-11b2-a85c-8fa5c3a69313.ibm.com
    Fixes: 10809df84a4d ("ext4: teach ext4_ext_find_extent() to realloc path if necessary")
    Cc: stable@kernel.org
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://patch.msgid.link/20240822023545.1994557-7-libaokun@huaweicloud.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path [+ + +]
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Thu May 7 10:50:28 2020 -0700

    ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path
    
    [ Upstream commit 73c384c0cdaa8ea9ca9ef2d0cff6a25930f1648e ]
    
    We can't fail in the truncate path without requiring an fsck.
    Add work around for this by using a combination of retry loops
    and the __GFP_NOFAIL flag.
    
    From: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Anna Pendleton <pendleton@google.com>
    Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
    Link: https://lore.kernel.org/r/20200507175028.15061-1-pendleton@google.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Stable-dep-of: c26ab35702f8 ("ext4: fix slab-use-after-free in ext4_split_extent_at()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: avoid negative min_clusters in find_group_orlov() [+ + +]
Author: Kemeng Shi <shikemeng@huaweicloud.com>
Date:   Tue Aug 20 21:22:30 2024 +0800

    ext4: avoid negative min_clusters in find_group_orlov()
    
    [ Upstream commit bb0a12c3439b10d88412fd3102df5b9a6e3cd6dc ]
    
    min_clusters is signed integer and will be converted to unsigned
    integer when compared with unsigned number stats.free_clusters.
    If min_clusters is negative, it will be converted to a huge unsigned
    value in which case all groups may not meet the actual desired free
    clusters.
    Set negative min_clusters to 0 to avoid unexpected behavior.
    
    Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3")
    Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
    Link: https://patch.msgid.link/20240820132234.2759926-4-shikemeng@huaweicloud.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: avoid OOB when system.data xattr changes underneath the filesystem [+ + +]
Author: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Date:   Wed Aug 21 12:23:24 2024 -0300

    ext4: avoid OOB when system.data xattr changes underneath the filesystem
    
    [ Upstream commit c6b72f5d82b1017bad80f9ebf502832fc321d796 ]
    
    When looking up for an entry in an inlined directory, if e_value_offs is
    changed underneath the filesystem by some change in the block device, it
    will lead to an out-of-bounds access that KASAN detects as an UAF.
    
    EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
    loop0: detected capacity change from 2048 to 2047
    ==================================================================
    BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
    Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103
    
    CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:93 [inline]
     dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
     print_address_description mm/kasan/report.c:377 [inline]
     print_report+0x169/0x550 mm/kasan/report.c:488
     kasan_report+0x143/0x180 mm/kasan/report.c:601
     ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
     ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
     __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
     ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
     ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
     lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
     filename_create+0x297/0x540 fs/namei.c:3980
     do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
     __do_sys_symlinkat fs/namei.c:4610 [inline]
     __se_sys_symlinkat fs/namei.c:4607 [inline]
     __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f3e73ced469
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
    RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
    RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
    RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
    R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
    R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
     </TASK>
    
    Calling ext4_xattr_ibody_find right after reading the inode with
    ext4_get_inode_loc will lead to a check of the validity of the xattrs,
    avoiding this problem.
    
    Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79
    Fixes: e8e948e7802a ("ext4: let ext4_find_entry handle inline data")
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
    Link: https://patch.msgid.link/20240821152324.3621860-5-cascardo@igalia.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard [+ + +]
Author: yangerkun <yangerkun@huawei.com>
Date:   Sat Aug 17 16:55:10 2024 +0800

    ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard
    
    [ Upstream commit 20cee68f5b44fdc2942d20f3172a262ec247b117 ]
    
    Commit 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in
    ext4_group_info") speed up fstrim by skipping trim trimmed group. We
    also has the chance to clear trimmed once there exists some block free
    for this group(mount without discard), and the next trim for this group
    will work well too.
    
    For mount with discard, we will issue dicard when we free blocks, so
    leave trimmed flag keep alive to skip useless trim trigger from
    userspace seems reasonable. But for some case like ext4 build on
    dm-thinpool(ext4 blocksize 4K, pool blocksize 128K), discard from ext4
    maybe unaligned for dm thinpool, and thinpool will just finish this
    discard(see process_discard_bio when begein equals to end) without
    actually process discard. For this case, trim from userspace can really
    help us to free some thinpool block.
    
    So convert to clear trimmed flag for all case no matter mounted with
    discard or not.
    
    Fixes: 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in ext4_group_info")
    Signed-off-by: yangerkun <yangerkun@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://patch.msgid.link/20240817085510.2084444-1-yangerkun@huaweicloud.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: ext4_search_dir should return a proper error [+ + +]
Author: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Date:   Wed Aug 21 12:23:21 2024 -0300

    ext4: ext4_search_dir should return a proper error
    
    [ Upstream commit cd69f8f9de280e331c9e6ff689ced0a688a9ce8f ]
    
    ext4_search_dir currently returns -1 in case of a failure, while it returns
    0 when the name is not found. In such failure cases, it should return an
    error code instead.
    
    This becomes even more important when ext4_find_inline_entry returns an
    error code as well in the next commit.
    
    -EFSCORRUPTED seems appropriate as such error code as these failures would
    be caused by unexpected record lengths and is in line with other instances
    of ext4_check_dir_entry failures.
    
    In the case of ext4_dx_find_entry, the current use of ERR_BAD_DX_DIR was
    left as is to reduce the risk of regressions.
    
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
    Link: https://patch.msgid.link/20240821152324.3621860-2-cascardo@igalia.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: fix double brelse() the buffer of the extents path [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Thu Aug 22 10:35:28 2024 +0800

    ext4: fix double brelse() the buffer of the extents path
    
    commit dcaa6c31134c0f515600111c38ed7750003e1b9c upstream.
    
    In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been
    released, otherwise it may be released twice. An example of what triggers
    this is as follows:
    
      split2    map    split1
    |--------|-------|--------|
    
    ext4_ext_map_blocks
     ext4_ext_handle_unwritten_extents
      ext4_split_convert_extents
       // path->p_depth == 0
       ext4_split_extent
         // 1. do split1
         ext4_split_extent_at
           |ext4_ext_insert_extent
           |  ext4_ext_create_new_leaf
           |    ext4_ext_grow_indepth
           |      le16_add_cpu(&neh->eh_depth, 1)
           |    ext4_find_extent
           |      // return -ENOMEM
           |// get error and try zeroout
           |path = ext4_find_extent
           |  path->p_depth = 1
           |ext4_ext_try_to_merge
           |  ext4_ext_try_to_merge_up
           |    path->p_depth = 0
           |    brelse(path[1].p_bh)  ---> not set to NULL here
           |// zeroout success
         // 2. update path
         ext4_find_extent
         // 3. do split2
         ext4_split_extent_at
           ext4_ext_insert_extent
             ext4_ext_create_new_leaf
               ext4_ext_grow_indepth
                 le16_add_cpu(&neh->eh_depth, 1)
               ext4_find_extent
                 path[0].p_bh = NULL;
                 path->p_depth = 1
                 read_extent_tree_block  ---> return err
                 // path[1].p_bh is still the old value
                 ext4_free_ext_path
                   ext4_ext_drop_refs
                     // path->p_depth == 1
                     brelse(path[1].p_bh)  ---> brelse a buffer twice
    
    Finally got the following WARRNING when removing the buffer from lru:
    
    ============================================
    VFS: brelse: Trying to free free buffer
    WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90
    CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
    RIP: 0010:__brelse+0x58/0x90
    Call Trace:
     <TASK>
     __find_get_block+0x6e7/0x810
     bdev_getblk+0x2b/0x480
     __ext4_get_inode_loc+0x48a/0x1240
     ext4_get_inode_loc+0xb2/0x150
     ext4_reserve_inode_write+0xb7/0x230
     __ext4_mark_inode_dirty+0x144/0x6a0
     ext4_ext_insert_extent+0x9c8/0x3230
     ext4_ext_map_blocks+0xf45/0x2dc0
     ext4_map_blocks+0x724/0x1700
     ext4_do_writepages+0x12d6/0x2a70
    [...]
    ============================================
    
    Fixes: ecb94f5fdf4b ("ext4: collapse a single extent tree block into the inode if possible")
    Cc: stable@kernel.org
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
    Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
    Link: https://patch.msgid.link/20240822023545.1994557-9-libaokun@huaweicloud.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: fix i_data_sem unlock order in ext4_ind_migrate() [+ + +]
Author: Artem Sadovnikov <ancowi69@gmail.com>
Date:   Thu Aug 29 15:22:09 2024 +0000

    ext4: fix i_data_sem unlock order in ext4_ind_migrate()
    
    [ Upstream commit cc749e61c011c255d81b192a822db650c68b313f ]
    
    Fuzzing reports a possible deadlock in jbd2_log_wait_commit.
    
    This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require
    synchronous updates because the file descriptor is opened with O_SYNC.
    This can lead to the jbd2_journal_stop() function calling
    jbd2_might_wait_for_commit(), potentially causing a deadlock if the
    EXT4_IOC_MIGRATE call races with a write(2) system call.
    
    This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this
    case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the
    jbd2_journal_stop function while i_data_sem is locked. This triggers
    lockdep because the jbd2_journal_start function might also lock the same
    jbd2_handle simultaneously.
    
    Found by Linux Verification Center (linuxtesting.org) with syzkaller.
    
    Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
    Co-developed-by: Mikhail Ukhin <mish.uxin2012@yandex.ru>
    Signed-off-by: Mikhail Ukhin <mish.uxin2012@yandex.ru>
    Signed-off-by: Artem Sadovnikov <ancowi69@gmail.com>
    Rule: add
    Link: https://lore.kernel.org/stable/20240404095000.5872-1-mish.uxin2012%40yandex.ru
    Link: https://patch.msgid.link/20240829152210.2754-1-ancowi69@gmail.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() [+ + +]
Author: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Date:   Wed Jul 24 17:11:16 2024 +0100

    ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space()
    
    commit 972090651ee15e51abfb2160e986fa050cfc7a40 upstream.
    
    Function __jbd2_log_wait_for_space() assumes that '0' is not a valid value
    for transaction IDs, which is incorrect.  Don't assume that and invoke
    jbd2_log_wait_commit() if the journal had a committing transaction instead.
    
    Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://patch.msgid.link/20240724161119.13448-3-luis.henriques@linux.dev
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() [+ + +]
Author: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Date:   Wed Jul 24 17:11:15 2024 +0100

    ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit()
    
    commit dd589b0f1445e1ea1085b98edca6e4d5dedb98d0 upstream.
    
    Function ext4_wait_for_tail_page_commit() assumes that '0' is not a valid
    value for transaction IDs, which is incorrect.  Don't assume that and invoke
    jbd2_log_wait_commit() if the journal had a committing transaction instead.
    
    Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://patch.msgid.link/20240724161119.13448-2-luis.henriques@linux.dev
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: fix inode tree inconsistency caused by ENOMEM [+ + +]
Author: zhanchengbin <zhanchengbin1@huawei.com>
Date:   Tue Jan 3 10:28:12 2023 +0800

    ext4: fix inode tree inconsistency caused by ENOMEM
    
    commit 3f5424790d4377839093b68c12b130077a4e4510 upstream.
    
    If ENOMEM fails when the extent is splitting, we need to restore the length
    of the split extent.
    In the ext4_split_extent_at function, only in ext4_ext_create_new_leaf will
    it alloc memory and change the shape of the extent tree,even if an ENOMEM
    is returned at this time, the extent tree is still self-consistent, Just
    restore the split extent lens in the function ext4_split_extent_at.
    
    ext4_split_extent_at
     ext4_ext_insert_extent
      ext4_ext_create_new_leaf
       1)ext4_ext_split
         ext4_find_extent
       2)ext4_ext_grow_indepth
         ext4_find_extent
    
    Signed-off-by: zhanchengbin <zhanchengbin1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20230103022812.130603-1-zhanchengbin1@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: Baokun Li <libaokun1@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: fix slab-use-after-free in ext4_split_extent_at() [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Thu Aug 22 10:35:23 2024 +0800

    ext4: fix slab-use-after-free in ext4_split_extent_at()
    
    [ Upstream commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f ]
    
    We hit the following use-after-free:
    
    ==================================================================
    BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
    Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
    CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
    Call Trace:
     <TASK>
     kasan_report+0x93/0xc0
     ext4_split_extent_at+0xba8/0xcc0
     ext4_split_extent.isra.0+0x18f/0x500
     ext4_split_convert_extents+0x275/0x750
     ext4_ext_handle_unwritten_extents+0x73e/0x1580
     ext4_ext_map_blocks+0xe20/0x2dc0
     ext4_map_blocks+0x724/0x1700
     ext4_do_writepages+0x12d6/0x2a70
    [...]
    
    Allocated by task 40:
     __kmalloc_noprof+0x1ac/0x480
     ext4_find_extent+0xf3b/0x1e70
     ext4_ext_map_blocks+0x188/0x2dc0
     ext4_map_blocks+0x724/0x1700
     ext4_do_writepages+0x12d6/0x2a70
    [...]
    
    Freed by task 40:
     kfree+0xf1/0x2b0
     ext4_find_extent+0xa71/0x1e70
     ext4_ext_insert_extent+0xa22/0x3260
     ext4_split_extent_at+0x3ef/0xcc0
     ext4_split_extent.isra.0+0x18f/0x500
     ext4_split_convert_extents+0x275/0x750
     ext4_ext_handle_unwritten_extents+0x73e/0x1580
     ext4_ext_map_blocks+0xe20/0x2dc0
     ext4_map_blocks+0x724/0x1700
     ext4_do_writepages+0x12d6/0x2a70
    [...]
    ==================================================================
    
    The flow of issue triggering is as follows:
    
    ext4_split_extent_at
      path = *ppath
      ext4_ext_insert_extent(ppath)
        ext4_ext_create_new_leaf(ppath)
          ext4_find_extent(orig_path)
            path = *orig_path
            read_extent_tree_block
              // return -ENOMEM or -EIO
            ext4_free_ext_path(path)
              kfree(path)
            *orig_path = NULL
      a. If err is -ENOMEM:
      ext4_ext_dirty(path + path->p_depth)
      // path use-after-free !!!
      b. If err is -EIO and we have EXT_DEBUG defined:
      ext4_ext_show_leaf(path)
        eh = path[depth].p_hdr
        // path also use-after-free !!!
    
    So when trying to zeroout or fix the extent length, call ext4_find_extent()
    to update the path.
    
    In addition we use *ppath directly as an ext4_ext_show_leaf() input to
    avoid possible use-after-free when EXT_DEBUG is defined, and to avoid
    unnecessary path updates.
    
    Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code")
    Cc: stable@kernel.org
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
    Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
    Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: nested locking for xattr inode [+ + +]
Author: Wojciech Gładysz <wojciech.gladysz@infogain.com>
Date:   Thu Aug 1 16:38:27 2024 +0200

    ext4: nested locking for xattr inode
    
    [ Upstream commit d1bc560e9a9c78d0b2314692847fc8661e0aeb99 ]
    
    Add nested locking with I_MUTEX_XATTR subclass to avoid lockdep warning
    while handling xattr inode on file open syscall at ext4_xattr_inode_iget.
    
    Backtrace
    EXT4-fs (loop0): Ignoring removed oldalloc option
    ======================================================
    WARNING: possible circular locking dependency detected
    5.10.0-syzkaller #0 Not tainted
    ------------------------------------------------------
    syz-executor543/2794 is trying to acquire lock:
    ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
    ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
    
    but task is already holding lock:
    ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
    
    which lock already depends on the new lock.
    
    the existing dependency chain (in reverse order) is:
    
    -> #1 (&ei->i_data_sem/3){++++}-{3:3}:
           lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
           down_write+0x93/0x180 kernel/locking/rwsem.c:1564
           ext4_update_i_disksize fs/ext4/ext4.h:3267 [inline]
           ext4_xattr_inode_write fs/ext4/xattr.c:1390 [inline]
           ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1538 [inline]
           ext4_xattr_set_entry+0x331a/0x3d80 fs/ext4/xattr.c:1662
           ext4_xattr_ibody_set+0x124/0x390 fs/ext4/xattr.c:2228
           ext4_xattr_set_handle+0xc27/0x14e0 fs/ext4/xattr.c:2385
           ext4_xattr_set+0x219/0x390 fs/ext4/xattr.c:2498
           ext4_xattr_user_set+0xc9/0xf0 fs/ext4/xattr_user.c:40
           __vfs_setxattr+0x404/0x450 fs/xattr.c:177
           __vfs_setxattr_noperm+0x11d/0x4f0 fs/xattr.c:208
           __vfs_setxattr_locked+0x1f9/0x210 fs/xattr.c:266
           vfs_setxattr+0x112/0x2c0 fs/xattr.c:283
           setxattr+0x1db/0x3e0 fs/xattr.c:548
           path_setxattr+0x15a/0x240 fs/xattr.c:567
           __do_sys_setxattr fs/xattr.c:582 [inline]
           __se_sys_setxattr fs/xattr.c:578 [inline]
           __x64_sys_setxattr+0xc5/0xe0 fs/xattr.c:578
           do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
           entry_SYSCALL_64_after_hwframe+0x61/0xcb
    
    -> #0 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}:
           check_prev_add kernel/locking/lockdep.c:2988 [inline]
           check_prevs_add kernel/locking/lockdep.c:3113 [inline]
           validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
           __lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
           lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
           down_write+0x93/0x180 kernel/locking/rwsem.c:1564
           inode_lock include/linux/fs.h:782 [inline]
           ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
           ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
           ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
           ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
           ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
           __ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
           ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
           __ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
           ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
           notify_change+0xbb6/0xe60 fs/attr.c:435
           do_truncate+0x1de/0x2c0 fs/open.c:64
           handle_truncate fs/namei.c:2970 [inline]
           do_open fs/namei.c:3311 [inline]
           path_openat+0x29f3/0x3290 fs/namei.c:3425
           do_filp_open+0x20b/0x450 fs/namei.c:3452
           do_sys_openat2+0x124/0x460 fs/open.c:1207
           do_sys_open fs/open.c:1223 [inline]
           __do_sys_open fs/open.c:1231 [inline]
           __se_sys_open fs/open.c:1227 [inline]
           __x64_sys_open+0x221/0x270 fs/open.c:1227
           do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
           entry_SYSCALL_64_after_hwframe+0x61/0xcb
    
    other info that might help us debug this:
    
     Possible unsafe locking scenario:
    
           CPU0                    CPU1
           ----                    ----
      lock(&ei->i_data_sem/3);
                                   lock(&ea_inode->i_rwsem#7/1);
                                   lock(&ei->i_data_sem/3);
      lock(&ea_inode->i_rwsem#7/1);
    
     *** DEADLOCK ***
    
    5 locks held by syz-executor543/2794:
     #0: ffff888026fbc448 (sb_writers#4){.+.+}-{0:0}, at: mnt_want_write+0x4a/0x2a0 fs/namespace.c:365
     #1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
     #1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: do_truncate+0x1cf/0x2c0 fs/open.c:62
     #2: ffff8880215e3310 (&ei->i_mmap_sem){++++}-{3:3}, at: ext4_setattr+0xec4/0x19c0 fs/ext4/inode.c:5519
     #3: ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
     #4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline]
     #4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:5938 [inline]
     #4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x4fb/0x810 fs/ext4/inode.c:6018
    
    stack backtrace:
    CPU: 1 PID: 2794 Comm: syz-executor543 Not tainted 5.10.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x177/0x211 lib/dump_stack.c:118
     print_circular_bug+0x146/0x1b0 kernel/locking/lockdep.c:2002
     check_noncircular+0x2cc/0x390 kernel/locking/lockdep.c:2123
     check_prev_add kernel/locking/lockdep.c:2988 [inline]
     check_prevs_add kernel/locking/lockdep.c:3113 [inline]
     validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
     __lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
     lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
     down_write+0x93/0x180 kernel/locking/rwsem.c:1564
     inode_lock include/linux/fs.h:782 [inline]
     ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
     ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
     ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
     ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
     ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
     __ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
     ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
     __ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
     ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
     notify_change+0xbb6/0xe60 fs/attr.c:435
     do_truncate+0x1de/0x2c0 fs/open.c:64
     handle_truncate fs/namei.c:2970 [inline]
     do_open fs/namei.c:3311 [inline]
     path_openat+0x29f3/0x3290 fs/namei.c:3425
     do_filp_open+0x20b/0x450 fs/namei.c:3452
     do_sys_openat2+0x124/0x460 fs/open.c:1207
     do_sys_open fs/open.c:1223 [inline]
     __do_sys_open fs/open.c:1231 [inline]
     __se_sys_open fs/open.c:1227 [inline]
     __x64_sys_open+0x221/0x270 fs/open.c:1227
     do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
     entry_SYSCALL_64_after_hwframe+0x61/0xcb
    RIP: 0033:0x7f0cde4ea229
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007ffd81d1c978 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
    RAX: ffffffffffffffda RBX: 0030656c69662f30 RCX: 00007f0cde4ea229
    RDX: 0000000000000089 RSI: 00000000000a0a00 RDI: 00000000200001c0
    RBP: 2f30656c69662f2e R08: 0000000000208000 R09: 0000000000208000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd81d1c9c0
    R13: 00007ffd81d1ca00 R14: 0000000000080000 R15: 0000000000000003
    EXT4-fs error (device loop0): ext4_expand_extra_isize_ea:2730: inode #13: comm syz-executor543: corrupted in-inode xattr
    
    Signed-off-by: Wojciech Gładysz <wojciech.gladysz@infogain.com>
    Link: https://patch.msgid.link/20240801143827.19135-1-wojciech.gladysz@infogain.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: no need to continue when the number of entries is 1 [+ + +]
Author: Edward Adam Davis <eadavis@qq.com>
Date:   Mon Jul 1 22:25:03 2024 +0800

    ext4: no need to continue when the number of entries is 1
    
    commit 1a00a393d6a7fb1e745a41edd09019bd6a0ad64c upstream.
    
    Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3")
    Reported-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=ae688d469e36fb5138d0
    Signed-off-by: Edward Adam Davis <eadavis@qq.com>
    Reported-and-tested-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com
    Link: https://patch.msgid.link/tencent_BE7AEE6C7C2D216CB8949CE8E6EE7ECC2C0A@qq.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: propagate errors from ext4_find_extent() in ext4_insert_range() [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Thu Aug 22 10:35:30 2024 +0800

    ext4: propagate errors from ext4_find_extent() in ext4_insert_range()
    
    commit 369c944ed1d7c3fb7b35f24e4735761153afe7b3 upstream.
    
    Even though ext4_find_extent() returns an error, ext4_insert_range() still
    returns 0. This may confuse the user as to why fallocate returns success,
    but the contents of the file are not as expected. So propagate the error
    returned by ext4_find_extent() to avoid inconsistencies.
    
    Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate")
    Cc: stable@kernel.org
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
    Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
    Link: https://patch.msgid.link/20240822023545.1994557-11-libaokun@huaweicloud.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: return error on ext4_find_inline_entry [+ + +]
Author: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Date:   Wed Aug 21 12:23:22 2024 -0300

    ext4: return error on ext4_find_inline_entry
    
    [ Upstream commit 4d231b91a944f3cab355fce65af5871fb5d7735b ]
    
    In case of errors when reading an inode from disk or traversing inline
    directory entries, return an error-encoded ERR_PTR instead of returning
    NULL. ext4_find_inline_entry only caller, __ext4_find_entry already returns
    such encoded errors.
    
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
    Link: https://patch.msgid.link/20240821152324.3621860-3-cascardo@igalia.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Stable-dep-of: c6b72f5d82b1 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: update orig_path in ext4_find_extent() [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Thu Aug 22 10:35:25 2024 +0800

    ext4: update orig_path in ext4_find_extent()
    
    [ Upstream commit 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 ]
    
    In ext4_find_extent(), if the path is not big enough, we free it and set
    *orig_path to NULL. But after reallocating and successfully initializing
    the path, we don't update *orig_path, in which case the caller gets a
    valid path but a NULL ppath, and this may cause a NULL pointer dereference
    or a path memory leak. For example:
    
    ext4_split_extent
      path = *ppath = 2000
      ext4_find_extent
        if (depth > path[0].p_maxdepth)
          kfree(path = 2000);
          *orig_path = path = NULL;
          path = kcalloc() = 3000
      ext4_split_extent_at(*ppath = NULL)
        path = *ppath;
        ex = path[depth].p_ext;
        // NULL pointer dereference!
    
    ==================================================================
    BUG: kernel NULL pointer dereference, address: 0000000000000010
    CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
    RIP: 0010:ext4_split_extent_at+0x6d/0x560
    Call Trace:
     <TASK>
     ext4_split_extent.isra.0+0xcb/0x1b0
     ext4_ext_convert_to_initialized+0x168/0x6c0
     ext4_ext_handle_unwritten_extents+0x325/0x4d0
     ext4_ext_map_blocks+0x520/0xdb0
     ext4_map_blocks+0x2b0/0x690
     ext4_iomap_begin+0x20e/0x2c0
    [...]
    ==================================================================
    
    Therefore, *orig_path is updated when the extent lookup succeeds, so that
    the caller can safely use path or *ppath.
    
    Fixes: 10809df84a4d ("ext4: teach ext4_ext_find_extent() to realloc path if necessary")
    Cc: stable@kernel.org
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://patch.msgid.link/20240822023545.1994557-6-libaokun@huaweicloud.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
f2fs: avoid potential int overflow in sanity_check_area_boundary() [+ + +]
Author: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Date:   Wed Jul 24 10:51:58 2024 -0700

    f2fs: avoid potential int overflow in sanity_check_area_boundary()
    
    commit 50438dbc483ca6a133d2bce9d5d6747bcee38371 upstream.
    
    While calculating the end addresses of main area and segment 0, u32
    may be not enough to hold the result without the danger of int
    overflow.
    
    Just in case, play it safe and cast one of the operands to a
    wider type (u64).
    
    Found by Linux Verification Center (linuxtesting.org) with static
    analysis tool SVACE.
    
    Fixes: fd694733d523 ("f2fs: cover large section in sanity check of super")
    Cc: stable@vger.kernel.org
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
    Reviewed-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

f2fs: enhance to update i_mode and acl atomically in f2fs_setattr() [+ + +]
Author: Chao Yu <chao@kernel.org>
Date:   Fri Dec 25 16:52:27 2020 +0800

    f2fs: enhance to update i_mode and acl atomically in f2fs_setattr()
    
    [ Upstream commit 17232e830afb800acdcc22ae8980bf9d330393ef ]
    
    Previously, in f2fs_setattr(), we don't update S_ISUID|S_ISGID|S_ISVTX
    bits with S_IRWXUGO bits and acl entries atomically, so in error path,
    chmod() may partially success, this patch enhances to make chmod() flow
    being atomical.
    
    Signed-off-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

f2fs: fix to update i_ctime in __f2fs_setxattr() [+ + +]
Author: Chao Yu <chao@kernel.org>
Date:   Wed Jul 19 21:50:45 2023 +0800

    f2fs: fix to update i_ctime in __f2fs_setxattr()
    
    [ Upstream commit 8874ad7dae8d91d24cc87c545c0073b3b2da5688 ]
    
    generic/728       - output mismatch (see /media/fstests/results//generic/728.out.bad)
        --- tests/generic/728.out   2023-07-19 07:10:48.362711407 +0000
        +++ /media/fstests/results//generic/728.out.bad     2023-07-19 08:39:57.000000000 +0000
         QA output created by 728
        +Expected ctime to change after setxattr.
        +Expected ctime to change after removexattr.
         Silence is golden
        ...
        (Run 'diff -u /media/fstests/tests/generic/728.out /media/fstests/results//generic/728.out.bad'  to see the entire diff)
    generic/729        1s
    
    It needs to update i_ctime after {set,remove}xattr, fix it.
    
    Signed-off-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

f2fs: fix typo [+ + +]
Author: Yonggil Song <yonggil.song@samsung.com>
Date:   Fri Sep 2 11:07:49 2022 +0900

    f2fs: fix typo
    
    [ Upstream commit d382e36970ecf8242921400db2afde15fb6ed49e ]
    
    Fix typo in f2fs.h
    Detected by Jaeyoon Choi
    
    Signed-off-by: Yonggil Song <yonggil.song@samsung.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

f2fs: prevent possible int overflow in dir_block_index() [+ + +]
Author: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Date:   Wed Jul 24 10:05:44 2024 -0700

    f2fs: prevent possible int overflow in dir_block_index()
    
    commit 47f268f33dff4a5e31541a990dc09f116f80e61c upstream.
    
    The result of multiplication between values derived from functions
    dir_buckets() and bucket_blocks() *could* technically reach
    2^30 * 2^2 = 2^32.
    
    While unlikely to happen, it is prudent to ensure that it will not
    lead to integer overflow. Thus, use mul_u32_u32() as it's more
    appropriate to mitigate the issue.
    
    Found by Linux Verification Center (linuxtesting.org) with static
    analysis tool SVACE.
    
    Fixes: 3843154598a0 ("f2fs: introduce large directory support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
    Reviewed-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

f2fs: reduce expensive checkpoint trigger frequency [+ + +]
Author: Chao Yu <chao@kernel.org>
Date:   Wed Jun 26 09:47:27 2024 +0800

    f2fs: reduce expensive checkpoint trigger frequency
    
    [ Upstream commit aaf8c0b9ae042494cb4585883b15c1332de77840 ]
    
    We may trigger high frequent checkpoint for below case:
    1. mkdir /mnt/dir1; set dir1 encrypted
    2. touch /mnt/file1; fsync /mnt/file1
    3. mkdir /mnt/dir2; set dir2 encrypted
    4. touch /mnt/file2; fsync /mnt/file2
    ...
    
    Although, newly created dir and file are not related, due to
    commit bbf156f7afa7 ("f2fs: fix lost xattrs of directories"), we will
    trigger checkpoint whenever fsync() comes after a new encrypted dir
    created.
    
    In order to avoid such performance regression issue, let's record an
    entry including directory's ino in global cache whenever we update
    directory's xattr data, and then triggerring checkpoint() only if
    xattr metadata of target file's parent was updated.
    
    This patch updates to cover below no encryption case as well:
    1) parent is checkpointed
    2) set_xattr(dir) w/ new xnid
    3) create(file)
    4) fsync(file)
    
    Fixes: bbf156f7afa7 ("f2fs: fix lost xattrs of directories")
    Reported-by: wangzijie <wangzijie1@honor.com>
    Reported-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
    Tested-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
    Reported-by: Yunlei He <heyunlei@hihonor.com>
    Signed-off-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

f2fs: remove unneeded check condition in __f2fs_setxattr() [+ + +]
Author: Chao Yu <chao@kernel.org>
Date:   Wed Jul 19 21:50:46 2023 +0800

    f2fs: remove unneeded check condition in __f2fs_setxattr()
    
    [ Upstream commit bc3994ffa4cf23f55171943c713366132c3ff45d ]
    
    It has checked return value of write_all_xattrs(), remove unneeded
    following check condition.
    
    Signed-off-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

f2fs: Require FMODE_WRITE for atomic write ioctls [+ + +]
Author: Jann Horn <jannh@google.com>
Date:   Fri Oct 4 19:37:49 2024 +0000

    f2fs: Require FMODE_WRITE for atomic write ioctls
    
    commit 4f5a100f87f32cb65d4bb1ad282a08c92f6f591e upstream.
    
    The F2FS ioctls for starting and committing atomic writes check for
    inode_owner_or_capable(), but this does not give LSMs like SELinux or
    Landlock an opportunity to deny the write access - if the caller's FSUID
    matches the inode's UID, inode_owner_or_capable() immediately returns true.
    
    There are scenarios where LSMs want to deny a process the ability to write
    particular files, even files that the FSUID of the process owns; but this
    can currently partially be bypassed using atomic write ioctls in two ways:
    
     - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can
       truncate an inode to size 0
     - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert
       changes another process concurrently made to a file
    
    Fix it by requiring FMODE_WRITE for these operations, just like for
    F2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these
    ioctls when intending to write into the file, that seems unlikely to break
    anything.
    
    Fixes: 88b88a667971 ("f2fs: support atomic writes")
    Cc: stable@vger.kernel.org
    Signed-off-by: Jann Horn <jannh@google.com>
    Reviewed-by: Chao Yu <chao@kernel.org>
    Reviewed-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
fat: fix uninitialized variable [+ + +]
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date:   Fri Oct 4 15:03:49 2024 +0900

    fat: fix uninitialized variable
    
    commit 963a7f4d3b90ee195b895ca06b95757fcba02d1a upstream.
    
    syszbot produced this with a corrupted fs image.  In theory, however an IO
    error would trigger this also.
    
    This affects just an error report, so should not be a serious error.
    
    Link: https://lkml.kernel.org/r/87r08wjsnh.fsf@mail.parknet.co.jp
    Link: https://lkml.kernel.org/r/66ff2c95.050a0220.49194.03e9.GAE@google.com
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Reported-by: syzbot+ef0d7bc412553291aa86@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() [+ + +]
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Thu Aug 1 22:34:39 2024 +0200

    fbdev: hpfb: Fix an error handling path in hpfb_dio_probe()
    
    [ Upstream commit aa578e897520f32ae12bec487f2474357d01ca9c ]
    
    If an error occurs after request_mem_region(), a corresponding
    release_mem_region() should be called, as already done in the remove
    function.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fbdev: pxafb: Fix possible use after free in pxafb_task() [+ + +]
Author: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Date:   Wed Sep 11 22:29:52 2024 +0800

    fbdev: pxafb: Fix possible use after free in pxafb_task()
    
    [ Upstream commit 4a6921095eb04a900e0000da83d9475eb958e61e ]
    
    In the pxafb_probe function, it calls the pxafb_init_fbinfo function,
    after which &fbi->task is associated with pxafb_task. Moreover,
    within this pxafb_init_fbinfo function, the pxafb_blank function
    within the &pxafb_ops struct is capable of scheduling work.
    
    If we remove the module which will call pxafb_remove to make cleanup,
    it will call unregister_framebuffer function which can call
    do_unregister_framebuffer to free fbi->fb through
    put_fb_info(fb_info), while the work mentioned above will be used.
    The sequence of operations that may lead to a UAF bug is as follows:
    
    CPU0                                                CPU1
    
                                       | pxafb_task
    pxafb_remove                       |
    unregister_framebuffer(info)       |
    do_unregister_framebuffer(fb_info) |
    put_fb_info(fb_info)               |
    // free fbi->fb                    | set_ctrlr_state(fbi, state)
                                       | __pxafb_lcd_power(fbi, 0)
                                       | fbi->lcd_power(on, &fbi->fb.var)
                                       | //use fbi->fb
    
    Fix it by ensuring that the work is canceled before proceeding
    with the cleanup in pxafb_remove.
    
    Note that only root user can remove the driver at runtime.
    
    Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fbdev: sisfb: Fix strbuf array overflow [+ + +]
Author: Andrey Shumilin <shum.sdl@nppct.ru>
Date:   Fri Sep 27 22:34:24 2024 +0300

    fbdev: sisfb: Fix strbuf array overflow
    
    [ Upstream commit 9cf14f5a2746c19455ce9cb44341b5527b5e19c3 ]
    
    The values of the variables xres and yres are placed in strbuf.
    These variables are obtained from strbuf1.
    The strbuf1 array contains digit characters
    and a space if the array contains non-digit characters.
    Then, when executing sprintf(strbuf, "%ux%ux8", xres, yres);
    more than 16 bytes will be written to strbuf.
    It is suggested to increase the size of the strbuf array to 24.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Signed-off-by: Andrey Shumilin <shum.sdl@nppct.ru>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() [+ + +]
Author: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Date:   Wed Oct 16 16:47:40 2024 +0800

    firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state()
    
    [ Upstream commit c83212d79be2c9886d3e6039759ecd388fd5fed1 ]
    
    In sdei_device_freeze(), the input parameter of cpuhp_remove_state() is
    passed as 'sdei_entry_point' by mistake. Change it to 'sdei_hp_state'.
    
    Fixes: d2c48b2387eb ("firmware: arm_sdei: Fix sleep from invalid context BUG")
    Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
    Reviewed-by: James Morse <james.morse@arm.com>
    Link: https://lore.kernel.org/r/20241016084740.183353-1-wangxiongfeng2@huawei.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
firmware_loader: Block path traversal [+ + +]
Author: Jann Horn <jannh@google.com>
Date:   Wed Aug 28 01:45:48 2024 +0200

    firmware_loader: Block path traversal
    
    commit f0e5311aa8022107d63c54e2f03684ec097d1394 upstream.
    
    Most firmware names are hardcoded strings, or are constructed from fairly
    constrained format strings where the dynamic parts are just some hex
    numbers or such.
    
    However, there are a couple codepaths in the kernel where firmware file
    names contain string components that are passed through from a device or
    semi-privileged userspace; the ones I could find (not counting interfaces
    that require root privileges) are:
    
     - lpfc_sli4_request_firmware_update() seems to construct the firmware
       filename from "ModelName", a string that was previously parsed out of
       some descriptor ("Vital Product Data") in lpfc_fill_vpd()
     - nfp_net_fw_find() seems to construct a firmware filename from a model
       name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I
       think parses some descriptor that was read from the device.
       (But this case likely isn't exploitable because the format string looks
       like "netronome/nic_%s", and there shouldn't be any *folders* starting
       with "netronome/nic_". The previous case was different because there,
       the "%s" is *at the start* of the format string.)
     - module_flash_fw_schedule() is reachable from the
       ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as
       GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is
       enough to pass the privilege check), and takes a userspace-provided
       firmware name.
       (But I think to reach this case, you need to have CAP_NET_ADMIN over a
       network namespace that a special kind of ethernet device is mapped into,
       so I think this is not a viable attack path in practice.)
    
    Fix it by rejecting any firmware names containing ".." path components.
    
    For what it's worth, I went looking and haven't found any USB device
    drivers that use the firmware loader dangerously.
    
    Cc: stable@vger.kernel.org
    Reviewed-by: Danilo Krummrich <dakr@kernel.org>
    Fixes: abb139e75c2c ("firmware: teach the kernel to load firmware files directly from the filesystem")
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Luis Chamberlain <mcgrof@kernel.org>
    Link: https://lore.kernel.org/r/20240828-firmware-traversal-v3-1-c76529c63b5f@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fs: Fix file_set_fowner LSM hook inconsistencies [+ + +]
Author: Mickaël Salaün <mic@digikod.net>
Date:   Wed Aug 21 11:56:05 2024 +0200

    fs: Fix file_set_fowner LSM hook inconsistencies
    
    commit 26f204380a3c182e5adf1a798db0724d6111b597 upstream.
    
    The fcntl's F_SETOWN command sets the process that handle SIGIO/SIGURG
    for the related file descriptor.  Before this change, the
    file_set_fowner LSM hook was always called, ignoring the VFS logic which
    may not actually change the process that handles SIGIO (e.g. TUN, TTY,
    dnotify), nor update the related UID/EUID.
    
    Moreover, because security_file_set_fowner() was called without lock
    (e.g. f_owner.lock), concurrent F_SETOWN commands could result to a race
    condition and inconsistent LSM states (e.g. SELinux's fown_sid) compared
    to struct fown_struct's UID/EUID.
    
    This change makes sure the LSM states are always in sync with the VFS
    state by moving the security_file_set_fowner() call close to the
    UID/EUID updates and using the same f_owner.lock .
    
    Rename f_modown() to __f_setown() to simplify code.
    
    Cc: stable@vger.kernel.org
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Casey Schaufler <casey@schaufler-ca.com>
    Cc: Christian Brauner <brauner@kernel.org>
    Cc: James Morris <jmorris@namei.org>
    Cc: Jann Horn <jannh@google.com>
    Cc: Ondrej Mosnacek <omosnace@redhat.com>
    Cc: Paul Moore <paul@paul-moore.com>
    Cc: Serge E. Hallyn <serge@hallyn.com>
    Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Mickaël Salaün <mic@digikod.net>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
gpio: aspeed: Add the flush write to ensure the write complete. [+ + +]
Author: Billy Tsai <billy_tsai@aspeedtech.com>
Date:   Tue Oct 8 16:14:44 2024 +0800

    gpio: aspeed: Add the flush write to ensure the write complete.
    
    [ Upstream commit 1bb5a99e1f3fd27accb804aa0443a789161f843c ]
    
    Performing a dummy read ensures that the register write operation is fully
    completed, mitigating any potential bus delays that could otherwise impact
    the frequency of bitbang usage. E.g., if the JTAG application uses GPIO to
    control the JTAG pins (TCK, TMS, TDI, TDO, and TRST), and the application
    sets the TCK clock to 1 MHz, the GPIO's high/low transitions will rely on
    a delay function to ensure the clock frequency does not exceed 1 MHz.
    However, this can lead to rapid toggling of the GPIO because the write
    operation is POSTed and does not wait for a bus acknowledgment.
    
    Fixes: 361b79119a4b ("gpio: Add Aspeed driver")
    Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
    Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
    Link: https://lore.kernel.org/r/20241008081450.1490955-2-billy_tsai@aspeedtech.com
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

gpio: aspeed: Use devm_clk api to manage clock source [+ + +]
Author: Billy Tsai <billy_tsai@aspeedtech.com>
Date:   Tue Oct 8 16:14:45 2024 +0800

    gpio: aspeed: Use devm_clk api to manage clock source
    
    [ Upstream commit a6191a3d18119184237f4ee600039081ad992320 ]
    
    Replace of_clk_get with devm_clk_get_enabled to manage the clock source.
    
    Fixes: 5ae4cb94b313 ("gpio: aspeed: Add debounce support")
    Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
    Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
    Link: https://lore.kernel.org/r/20241008081450.1490955-3-billy_tsai@aspeedtech.com
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

gpio: davinci: fix lazy disable [+ + +]
Author: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
Date:   Wed Aug 28 15:32:07 2024 +0200

    gpio: davinci: fix lazy disable
    
    commit 3360d41f4ac490282fddc3ccc0b58679aa5c065d upstream.
    
    On a few platforms such as TI's AM69 device, disable_irq() fails to keep
    track of the interrupts that happen between disable_irq() and
    enable_irq() and those interrupts are missed. Use the ->irq_unmask() and
    ->irq_mask() methods instead of ->irq_enable() and ->irq_disable() to
    correctly keep track of edges when disable_irq is called.
    
    This solves the issue of disable_irq() not working as expected on such
    platforms.
    
    Fixes: 23265442b02b ("ARM: davinci: irq_data conversion.")
    Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
    Signed-off-by: Parth Pancholi <parth.pancholi@toradex.com>
    Acked-by: Keerthy <j-keerthy@ti.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240828133207.493961-1-parth105105@gmail.com
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

gpio: prevent potential speculation leaks in gpio_device_get_desc() [+ + +]
Author: Hagar Hemdan <hagarhem@amazon.com>
Date:   Thu May 23 08:53:32 2024 +0000

    gpio: prevent potential speculation leaks in gpio_device_get_desc()
    
    commit d795848ecce24a75dfd46481aee066ae6fe39775 upstream.
    
    Userspace may trigger a speculative read of an address outside the gpio
    descriptor array.
    Users can do that by calling gpio_ioctl() with an offset out of range.
    Offset is copied from user and then used as an array index to get
    the gpio descriptor without sanitization in gpio_device_get_desc().
    
    This change ensures that the offset is sanitized by using
    array_index_nospec() to mitigate any possibility of speculative
    information leaks.
    
    This bug was discovered and resolved using Coverity Static Analysis
    Security Testing (SAST) by Synopsys, Inc.
    
    Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
    Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@amazon.com
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
gtp: allow -1 to be specified as file description from userspace [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue Oct 22 16:48:25 2024 +0200

    gtp: allow -1 to be specified as file description from userspace
    
    [ Upstream commit 7515e37bce5c428a56a9b04ea7e96b3f53f17150 ]
    
    Existing user space applications maintained by the Osmocom project are
    breaking since a recent fix that addresses incorrect error checking.
    
    Restore operation for user space programs that specify -1 as file
    descriptor to skip GTPv0 or GTPv1 only sockets.
    
    Fixes: defd8b3c37b0 ("gtp: fix a potential NULL pointer dereference")
    Reported-by: Pau Espin Pedrol <pespin@sysmocom.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Tested-by: Oliver Smith <osmith@sysmocom.de>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241022144825.66740-1-pablo@netfilter.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

gtp: simplify error handling code in 'gtp_encap_enable()' [+ + +]
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sun Jan 5 18:36:07 2020 +0100

    gtp: simplify error handling code in 'gtp_encap_enable()'
    
    [ Upstream commit b289ba5e07105548b8219695e5443d807a825eb8 ]
    
    'gtp_encap_disable_sock(sk)' handles the case where sk is NULL, so there
    is no need to test it before calling the function.
    
    This saves a few line of code.
    
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Reviewed-by: Simon Horman <simon.horman@netronome.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Stable-dep-of: 7515e37bce5c ("gtp: allow -1 to be specified as file description from userspace")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
HID: plantronics: Workaround for an unexcepted opposite volume key [+ + +]
Author: Wade Wang <wade.wang@hp.com>
Date:   Mon Sep 16 16:56:00 2024 +0800

    HID: plantronics: Workaround for an unexcepted opposite volume key
    
    commit 87b696209007b7c4ef7bdfe39ea0253404a43770 upstream.
    
    Some Plantronics headset as the below send an unexcept opposite
    volume key's HID report for each volume key press after 200ms, like
    unecepted Volume Up Key following Volume Down key pressed by user.
    This patch adds a quirk to hid-plantronics for these devices, which
    will ignore the second unexcepted opposite volume key if it happens
    within 220ms from the last one that was handled.
        Plantronics EncorePro 500 Series  (047f:431e)
        Plantronics Blackwire_3325 Series (047f:430c)
    
    The patch was tested on the mentioned model, it shouldn't affect
    other models, however, this quirk might be needed for them too.
    Auto-repeat (when a key is held pressed) is not affected per test
    result.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Wade Wang <wade.wang@hp.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event [+ + +]
Author: Haiyang Zhang <haiyangz@microsoft.com>
Date:   Fri Oct 18 11:25:22 2024 -0700

    hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event
    
    commit 4c262801ea60c518b5bebc22a09f5b78b3147da2 upstream.
    
    The existing code moves VF to the same namespace as the synthetic NIC
    during netvsc_register_vf(). But, if the synthetic device is moved to a
    new namespace after the VF registration, the VF won't be moved together.
    
    To make the behavior more consistent, add a namespace check for synthetic
    NIC's NETDEV_REGISTER event (generated during its move), and move the VF
    if it is not in the same namespace.
    
    Cc: stable@vger.kernel.org
    Fixes: c0a41b887ce6 ("hv_netvsc: move VF to same namespace as netvsc device")
    Suggested-by: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/1729275922-17595-1-git-send-email-haiyangz@microsoft.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
hwmon: (max16065) Fix overflows seen when writing limits [+ + +]
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Thu Jul 18 09:52:01 2024 -0700

    hwmon: (max16065) Fix overflows seen when writing limits
    
    [ Upstream commit 744ec4477b11c42e2c8de9eb8364675ae7a0bd81 ]
    
    Writing large limits resulted in overflows as reported by module tests.
    
    in0_lcrit: Suspected overflow: [max=5538, read 0, written 2147483647]
    in0_crit: Suspected overflow: [max=5538, read 0, written 2147483647]
    in0_min: Suspected overflow: [max=5538, read 0, written 2147483647]
    
    Fix the problem by clamping prior to multiplications and the use of
    DIV_ROUND_CLOSEST, and by using consistent variable types.
    
    Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
    Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

hwmon: (ntc_thermistor) fix module autoloading [+ + +]
Author: Yuntao Liu <liuyuntao12@huawei.com>
Date:   Thu Aug 15 08:30:21 2024 +0000

    hwmon: (ntc_thermistor) fix module autoloading
    
    [ Upstream commit b6964d66a07a9003868e428a956949e17ab44d7e ]
    
    Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
    based on the alias from of_device_id table.
    
    Fixes: 9e8269de100d ("hwmon: (ntc_thermistor) Add DT with IIO support to NTC thermistor driver")
    Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
    Message-ID: <20240815083021.756134-1-liuyuntao12@huawei.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
i2c: aspeed: Update the stop sw state when the bus recovery occurs [+ + +]
Author: Tommy Huang <tommy_huang@aspeedtech.com>
Date:   Wed Sep 11 17:39:51 2024 +0800

    i2c: aspeed: Update the stop sw state when the bus recovery occurs
    
    commit 93701d3b84ac5f3ea07259d4ced405c53d757985 upstream.
    
    When the i2c bus recovery occurs, driver will send i2c stop command
    in the scl low condition. In this case the sw state will still keep
    original situation. Under multi-master usage, i2c bus recovery will
    be called when i2c transfer timeout occurs. Update the stop command
    calling with aspeed_i2c_do_stop function to update master_state.
    
    Fixes: f327c686d3ba ("i2c: aspeed: added driver for Aspeed I2C")
    Cc: stable@vger.kernel.org # v4.13+
    Signed-off-by: Tommy Huang <tommy_huang@aspeedtech.com>
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

i2c: i801: Use a different adapter-name for IDF adapters [+ + +]
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Mon Aug 12 22:39:48 2024 +0200

    i2c: i801: Use a different adapter-name for IDF adapters
    
    [ Upstream commit 43457ada98c824f310adb7bd96bd5f2fcd9a3279 ]
    
    On chipsets with a second 'Integrated Device Function' SMBus controller use
    a different adapter-name for the second IDF adapter.
    
    This allows platform glue code which is looking for the primary i801
    adapter to manually instantiate i2c_clients on to differentiate
    between the 2.
    
    This allows such code to find the primary i801 adapter by name, without
    needing to duplicate the PCI-ids to feature-flags mapping from i2c-i801.c.
    
    Reviewed-by: Pali Rohár <pali@kernel.org>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Acked-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

i2c: isch: Add missed 'else' [+ + +]
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Wed Sep 11 18:39:14 2024 +0300

    i2c: isch: Add missed 'else'
    
    commit 1db4da55070d6a2754efeb3743f5312fc32f5961 upstream.
    
    In accordance with the existing comment and code analysis
    it is quite likely that there is a missed 'else' when adapter
    times out. Add it.
    
    Fixes: 5bc1200852c3 ("i2c: Add Intel SCH SMBus support")
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: <stable@vger.kernel.org> # v2.6.27+
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

i2c: xiic: Wait for TX empty to avoid missed TX NAKs [+ + +]
Author: Robert Hancock <robert.hancock@calian.com>
Date:   Tue Nov 21 18:11:16 2023 +0000

    i2c: xiic: Wait for TX empty to avoid missed TX NAKs
    
    commit 521da1e9225450bd323db5fa5bca942b1dc485b7 upstream.
    
    Frequently an I2C write will be followed by a read, such as a register
    address write followed by a read of the register value. In this driver,
    when the TX FIFO half empty interrupt was raised and it was determined
    that there was enough space in the TX FIFO to send the following read
    command, it would do so without waiting for the TX FIFO to actually
    empty.
    
    Unfortunately it appears that in some cases this can result in a NAK
    that was raised by the target device on the write, such as due to an
    unsupported register address, being ignored and the subsequent read
    being done anyway. This can potentially put the I2C bus into an
    invalid state and/or result in invalid read data being processed.
    
    To avoid this, once a message has been fully written to the TX FIFO,
    wait for the TX FIFO empty interrupt before moving on to the next
    message, to ensure NAKs are handled properly.
    
    Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface")
    Signed-off-by: Robert Hancock <robert.hancock@calian.com>
    Cc: <stable@vger.kernel.org> # v2.6.34+
    Reviewed-by: Manikanta Guntupalli <manikanta.guntupalli@amd.com>
    Acked-by: Michal Simek <michal.simek@amd.com>
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
igb: Do not bring the device up after non-fatal error [+ + +]
Author: Mohamed Khalfella <mkhalfella@purestorage.com>
Date:   Tue Sep 24 15:06:01 2024 -0600

    igb: Do not bring the device up after non-fatal error
    
    [ Upstream commit 330a699ecbfc9c26ec92c6310686da1230b4e7eb ]
    
    Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal")
    changed igb_io_error_detected() to ignore non-fatal pcie errors in order
    to avoid hung task that can happen when igb_down() is called multiple
    times. This caused an issue when processing transient non-fatal errors.
    igb_io_resume(), which is called after igb_io_error_detected(), assumes
    that device is brought down by igb_io_error_detected() if the interface
    is up. This resulted in panic with stacktrace below.
    
    [ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down
    [  T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0
    [  T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)
    [  T292] igb 0000:09:00.0:   device [8086:1537] error status/mask=00004000/00000000
    [  T292] igb 0000:09:00.0:    [14] CmpltTO [  200.105524,009][  T292] igb 0000:09:00.0: AER:   TLP Header: 00000000 00000000 00000000 00000000
    [  T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message
    [  T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.
    [  T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message
    [  T292] pcieport 0000:00:1c.5: AER: broadcast resume message
    [  T292] ------------[ cut here ]------------
    [  T292] kernel BUG at net/core/dev.c:6539!
    [  T292] invalid opcode: 0000 [#1] PREEMPT SMP
    [  T292] RIP: 0010:napi_enable+0x37/0x40
    [  T292] Call Trace:
    [  T292]  <TASK>
    [  T292]  ? die+0x33/0x90
    [  T292]  ? do_trap+0xdc/0x110
    [  T292]  ? napi_enable+0x37/0x40
    [  T292]  ? do_error_trap+0x70/0xb0
    [  T292]  ? napi_enable+0x37/0x40
    [  T292]  ? napi_enable+0x37/0x40
    [  T292]  ? exc_invalid_op+0x4e/0x70
    [  T292]  ? napi_enable+0x37/0x40
    [  T292]  ? asm_exc_invalid_op+0x16/0x20
    [  T292]  ? napi_enable+0x37/0x40
    [  T292]  igb_up+0x41/0x150
    [  T292]  igb_io_resume+0x25/0x70
    [  T292]  report_resume+0x54/0x70
    [  T292]  ? report_frozen_detected+0x20/0x20
    [  T292]  pci_walk_bus+0x6c/0x90
    [  T292]  ? aer_print_port_info+0xa0/0xa0
    [  T292]  pcie_do_recovery+0x22f/0x380
    [  T292]  aer_process_err_devices+0x110/0x160
    [  T292]  aer_isr+0x1c1/0x1e0
    [  T292]  ? disable_irq_nosync+0x10/0x10
    [  T292]  irq_thread_fn+0x1a/0x60
    [  T292]  irq_thread+0xe3/0x1a0
    [  T292]  ? irq_set_affinity_notifier+0x120/0x120
    [  T292]  ? irq_affinity_notify+0x100/0x100
    [  T292]  kthread+0xe2/0x110
    [  T292]  ? kthread_complete_and_exit+0x20/0x20
    [  T292]  ret_from_fork+0x2d/0x50
    [  T292]  ? kthread_complete_and_exit+0x20/0x20
    [  T292]  ret_from_fork_asm+0x11/0x20
    [  T292]  </TASK>
    
    To fix this issue igb_io_resume() checks if the interface is running and
    the device is not down this means igb_io_error_detected() did not bring
    the device down and there is no need to bring it up.
    
    Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
    Reviewed-by: Yuanyuan Zhong <yzhong@purestorage.com>
    Fixes: 004d25060c78 ("igb: Fix igb_down hung on surprise removal")
    Reviewed-by: Simon Horman <horms@kernel.org>
    Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig [+ + +]
Author: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Date:   Thu Oct 3 23:04:50 2024 +0200

    iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig
    
    commit 4c4834fd8696a949d1b1f1c2c5b96e1ad2083b02 upstream.
    
    This driver makes use of triggered buffers, but does not select the
    required modules.
    
    Fixes: 2a86487786b5 ("iio: adc: ti-ads8688: add trigger and buffer support")
    Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'.
    
    Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
    Reviewed-by: Sean Nyekjaer <sean@geanix.com>
    Link: https://patch.msgid.link/20241003-iio-select-v1-4-67c0385197cd@gmail.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig [+ + +]
Author: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Date:   Thu Oct 3 18:49:40 2024 +0200

    iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig
    
    commit 27b6aa68a68105086aef9f0cb541cd688e5edea8 upstream.
    
    This driver makes use of regmap_mmio, but does not select the required
    module.
    Add the missing 'select REGMAP_MMIO'.
    
    Fixes: 4d4b30526eb8 ("iio: dac: add support for stm32 DAC")
    Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
    Link: https://patch.msgid.link/20241003-ad2s1210-select-v1-8-4019453f8c33@gmail.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() [+ + +]
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Thu Oct 3 20:41:12 2024 +0200

    iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency()
    
    commit 3a29b84cf7fbf912a6ab1b9c886746f02b74ea25 upstream.
    
    If hid_sensor_set_report_latency() fails, the error code should be returned
    instead of a value likely to be interpreted as 'success'.
    
    Fixes: 138bc7969c24 ("iio: hid-sensor-hub: Implement batch mode")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
    Link: https://patch.msgid.link/c50640665f091a04086e5092cf50f73f2055107a.1727980825.git.christophe.jaillet@wanadoo.fr
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: light: opt3001: add missing full-scale range value [+ + +]
Author: Emil Gedenryd <emil.gedenryd@axis.com>
Date:   Fri Sep 13 11:57:02 2024 +0200

    iio: light: opt3001: add missing full-scale range value
    
    commit 530688e39c644543b71bdd9cb45fdfb458a28eaa upstream.
    
    The opt3001 driver uses predetermined full-scale range values to
    determine what exponent to use for event trigger threshold values.
    The problem is that one of the values specified in the datasheet is
    missing from the implementation. This causes larger values to be
    scaled down to an incorrect exponent, effectively reducing the
    maximum settable threshold value by a factor of 2.
    
    Add missing full-scale range array value.
    
    Fixes: 94a9b7b1809f ("iio: light: add support for TI's opt3001 light sensor")
    Signed-off-by: Emil Gedenryd <emil.gedenryd@axis.com>
    Cc: <Stable@vger.kernel.org>
    Link: https://patch.msgid.link/20240913-add_opt3002-v2-1-69e04f840360@axis.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: magnetometer: ak8975: Fix reading for ak099xx sensors [+ + +]
Author: Barnabás Czémán <barnabas.czeman@mainlining.org>
Date:   Mon Aug 19 00:29:40 2024 +0200

    iio: magnetometer: ak8975: Fix reading for ak099xx sensors
    
    commit 129464e86c7445a858b790ac2d28d35f58256bbe upstream.
    
    Move ST2 reading with overflow handling after measurement data
    reading.
    ST2 register read have to be read after read measurment data,
    because it means end of the reading and realease the lock on the data.
    Remove ST2 read skip on interrupt based waiting because ST2 required to
    be read out at and of the axis read.
    
    Fixes: 57e73a423b1e ("iio: ak8975: add ak09911 and ak09912 support")
    Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
    Link: https://patch.msgid.link/20240819-ak09918-v4-2-f0734d14cfb9@mainlining.org
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Input: adp5589-keys - fix adp5589_gpio_get_value() [+ + +]
Author: Nuno Sa <nuno.sa@analog.com>
Date:   Tue Oct 1 07:47:23 2024 -0700

    Input: adp5589-keys - fix adp5589_gpio_get_value()
    
    commit c684771630e64bc39bddffeb65dd8a6612a6b249 upstream.
    
    The adp5589 seems to have the same behavior as similar devices as
    explained in commit 910a9f5636f5 ("Input: adp5588-keys - get value from
    data out when dir is out").
    
    Basically, when the gpio is set as output we need to get the value from
    ADP5589_GPO_DATA_OUT_A register instead of ADP5589_GPI_STATUS_A.
    
    Fixes: 9d2e173644bb ("Input: ADP5589 - new driver for I2C Keypad Decoder and I/O Expander")
    Signed-off-by: Nuno Sa <nuno.sa@analog.com>
    Link: https://lore.kernel.org/r/20241001-b4-dev-adp5589-fw-conversion-v1-2-fca0149dfc47@analog.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal [+ + +]
Author: Mathias Krause <minipli@grsecurity.net>
Date:   Wed Oct 9 05:42:21 2024 +0000

    Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal
    
    commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream.
    
    Calling irq_domain_remove() will lead to freeing the IRQ domain
    prematurely. The domain is still referenced and will be attempted to get
    used via rmi_free_function_list() -> rmi_unregister_function() ->
    irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer.
    
    With PaX's MEMORY_SANITIZE this will lead to an access fault when
    attempting to dereference embedded pointers, as in Torsten's report that
    was faulting on the 'domain->ops->unmap' test.
    
    Fix this by releasing the IRQ domain only after all related IRQs have
    been deactivated.
    
    Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain")
    Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
    Signed-off-by: Mathias Krause <minipli@grsecurity.net>
    Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipmi: docs: don't advertise deprecated sysfs entries [+ + +]
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Sun Sep 1 11:02:11 2024 +0200

    ipmi: docs: don't advertise deprecated sysfs entries
    
    [ Upstream commit 64dce81f8c373c681e62d5ffe0397c45a35d48a2 ]
    
    "i2c-adapter" class entries are deprecated since 2009. Switch to the
    proper location.
    
    Reported-by: Heiner Kallweit <hkallweit1@gmail.com>
    Closes: https://lore.kernel.org/r/80c4a898-5867-4162-ac85-bdf7c7c68746@gmail.com
    Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)")
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Message-Id: <20240901090211.3797-2-wsa+renesas@sang-engineering.com>
    Signed-off-by: Corey Minyard <corey@minyard.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Fri Aug 9 16:54:02 2024 -0700

    ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR).
    
    [ Upstream commit e3af3d3c5b26c33a7950e34e137584f6056c4319 ]
    
    dev->ip_ptr could be NULL if we set an invalid MTU.
    
    Even then, if we issue ioctl(SIOCSIFADDR) for a new IPv4 address,
    devinet_ioctl() allocates struct in_ifaddr and fails later in
    inet_set_ifa() because in_dev is NULL.
    
    Let's move the check earlier.
    
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://patch.msgid.link/20240809235406.50187-2-kuniyu@amazon.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ipv4: ip_gre: Fix drops of small packets in ipgre_xmit [+ + +]
Author: Anton Danilov <littlesmilingcloud@gmail.com>
Date:   Wed Sep 25 02:51:59 2024 +0300

    ipv4: ip_gre: Fix drops of small packets in ipgre_xmit
    
    [ Upstream commit c4a14f6d9d17ad1e41a36182dd3b8a5fd91efbd7 ]
    
    Regression Description:
    
    Depending on the options specified for the GRE tunnel device, small
    packets may be dropped. This occurs because the pskb_network_may_pull
    function fails due to the packet's insufficient length.
    
    For example, if only the okey option is specified for the tunnel device,
    original (before encapsulation) packets smaller than 28 bytes (including
    the IPv4 header) will be dropped. This happens because the required
    length is calculated relative to the network header, not the skb->head.
    
    Here is how the required length is computed and checked:
    
    * The pull_len variable is set to 28 bytes, consisting of:
      * IPv4 header: 20 bytes
      * GRE header with Key field: 8 bytes
    
    * The pskb_network_may_pull function adds the network offset, shifting
    the checkable space further to the beginning of the network header and
    extending it to the beginning of the packet. As a result, the end of
    the checkable space occurs beyond the actual end of the packet.
    
    Instead of ensuring that 28 bytes are present in skb->head, the function
    is requesting these 28 bytes starting from the network header. For small
    packets, this requested length exceeds the actual packet size, causing
    the check to fail and the packets to be dropped.
    
    This issue affects both locally originated and forwarded packets in
    DMVPN-like setups.
    
    How to reproduce (for local originated packets):
    
      ip link add dev gre1 type gre ikey 1.9.8.4 okey 1.9.8.4 \
              local <your-ip> remote 0.0.0.0
    
      ip link set mtu 1400 dev gre1
      ip link set up dev gre1
      ip address add 192.168.13.1/24 dev gre1
      ip neighbor add 192.168.13.2 lladdr <remote-ip> dev gre1
      ping -s 1374 -c 10 192.168.13.2
      tcpdump -vni gre1
      tcpdump -vni <your-ext-iface> 'ip proto 47'
      ip -s -s -d link show dev gre1
    
    Solution:
    
    Use the pskb_may_pull function instead the pskb_network_may_pull.
    
    Fixes: 80d875cfc9d3 ("ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()")
    Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://patch.msgid.link/20240924235158.106062-1-littlesmilingcloud@gmail.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family [+ + +]
Author: Ido Schimmel <idosch@nvidia.com>
Date:   Wed Aug 14 15:52:22 2024 +0300

    ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family
    
    [ Upstream commit 8fed54758cd248cd311a2b5c1e180abef1866237 ]
    
    The NETLINK_FIB_LOOKUP netlink family can be used to perform a FIB
    lookup according to user provided parameters and communicate the result
    back to user space.
    
    However, unlike other users of the FIB lookup API, the upper DSCP bits
    and the ECN bits of the DS field are not masked, which can result in the
    wrong result being returned.
    
    Solve this by masking the upper DSCP bits and the ECN bits using
    IPTOS_RT_MASK.
    
    The structure that communicates the request and the response is not
    exported to user space, so it is unlikely that this netlink family is
    actually in use [1].
    
    [1] https://lore.kernel.org/netdev/ZpqpB8vJU%2FQ6LSqa@debian/
    
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Reviewed-by: Guillaume Nault <gnault@redhat.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
jbd2: introduce/export functions jbd2_journal_submit|finish_inode_data_buffers() [+ + +]
Author: Mauricio Faria de Oliveira <mfo@canonical.com>
Date:   Mon Oct 5 21:48:38 2020 -0300

    jbd2: introduce/export functions jbd2_journal_submit|finish_inode_data_buffers()
    
    [ Upstream commit aa3c0c61f62d682259e3e66cdc01846290f9cd6c ]
    
    Export functions that implement the current behavior done
    for an inode in journal_submit|finish_inode_data_buffers().
    
    No functional change.
    
    Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
    Suggested-by: Jan Kara <jack@suse.cz>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Reviewed-by: Andreas Dilger <adilger@dilger.ca>
    Link: https://lore.kernel.org/r/20201006004841.600488-2-mfo@canonical.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Stable-dep-of: 20cee68f5b44 ("ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Thu Jul 18 19:53:36 2024 +0800

    jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error
    
    commit f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a upstream.
    
    In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail()
    to recover some journal space. But if an error occurs while executing
    jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free
    space right away, we try other branches, and if j_committing_transaction
    is NULL (i.e., the tid is 0), we will get the following complain:
    
    ============================================
    JBD2: I/O error when updating journal superblock for sdd-8.
    __jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available
    __jbd2_log_wait_for_space: no way to get more journal space in sdd-8
    ------------[ cut here ]------------
    WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0
    Modules linked in:
    CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1
    RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0
    Call Trace:
     <TASK>
     add_transaction_credits+0x5d1/0x5e0
     start_this_handle+0x1ef/0x6a0
     jbd2__journal_start+0x18b/0x340
     ext4_dirty_inode+0x5d/0xb0
     __mark_inode_dirty+0xe4/0x5d0
     generic_update_time+0x60/0x70
    [...]
    ============================================
    
    So only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to
    clean up at the moment, continue to try to reclaim free space in other ways.
    
    Note that this fix relies on commit 6f6a6fda2945 ("jbd2: fix ocfs2 corrupt
    when updating journal superblock fails") to make jbd2_cleanup_journal_tail
    return the correct error code.
    
    Fixes: 8c3f25d8950c ("jbd2: don't give up looking for space so easily in __jbd2_log_wait_for_space")
    Cc: stable@kernel.org
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://patch.msgid.link/20240718115336.2554501-1-libaokun@huaweicloud.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
jfs: check if leafidx greater than num leaves per dmap tree [+ + +]
Author: Edward Adam Davis <eadavis@qq.com>
Date:   Sat Aug 24 09:25:23 2024 +0800

    jfs: check if leafidx greater than num leaves per dmap tree
    
    [ Upstream commit d64ff0d2306713ff084d4b09f84ed1a8c75ecc32 ]
    
    syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater
    than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf.
    
    Shaggy:
    Modified sanity check to apply to control pages as well as leaf pages.
    
    Reported-and-tested-by: syzbot+dca05492eff41f604890@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890
    Signed-off-by: Edward Adam Davis <eadavis@qq.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

jfs: fix out-of-bounds in dbNextAG() and diAlloc() [+ + +]
Author: Jeongjun Park <aha310510@gmail.com>
Date:   Mon Aug 19 13:05:46 2024 +0900

    jfs: fix out-of-bounds in dbNextAG() and diAlloc()
    
    [ Upstream commit e63866a475562810500ea7f784099bfe341e761a ]
    
    In dbNextAG() , there is no check for the case where bmp->db_numag is
    greater or same than MAXAG due to a polluted image, which causes an
    out-of-bounds. Therefore, a bounds check should be added in dbMount().
    
    And in dbNextAG(), a check for the case where agpref is greater than
    bmp->db_numag should be added, so an out-of-bounds exception should be
    prevented.
    
    Additionally, a check for the case where agno is greater or same than
    MAXAG should be added in diAlloc() to prevent out-of-bounds.
    
    Reported-by: Jeongjun Park <aha310510@gmail.com>
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Jeongjun Park <aha310510@gmail.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

jfs: Fix sanity check in dbMount [+ + +]
Author: Dave Kleikamp <dave.kleikamp@oracle.com>
Date:   Tue Oct 22 09:40:37 2024 -0500

    jfs: Fix sanity check in dbMount
    
    [ Upstream commit 67373ca8404fe57eb1bb4b57f314cff77ce54932 ]
    
    MAXAG is a legitimate value for bmp->db_numag
    
    Fixes: e63866a47556 ("jfs: fix out-of-bounds in dbNextAG() and diAlloc()")
    
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

jfs: Fix uaf in dbFreeBits [+ + +]
Author: Edward Adam Davis <eadavis@qq.com>
Date:   Sat Aug 24 10:50:48 2024 +0800

    jfs: Fix uaf in dbFreeBits
    
    [ Upstream commit d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234 ]
    
    [syzbot reported]
    ==================================================================
    BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
    BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
    Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216
    
    CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:93 [inline]
     dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
     print_address_description mm/kasan/report.c:377 [inline]
     print_report+0x169/0x550 mm/kasan/report.c:488
     kasan_report+0x143/0x180 mm/kasan/report.c:601
     __mutex_lock_common kernel/locking/mutex.c:587 [inline]
     __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
     dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390
     dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
     dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409
     dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650
     jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100
     jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131
     vfs_ioctl fs/ioctl.c:51 [inline]
     __do_sys_ioctl fs/ioctl.c:907 [inline]
     __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
    
    Freed by task 5218:
     kasan_save_stack mm/kasan/common.c:47 [inline]
     kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
     kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
     poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
     __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
     kasan_slab_free include/linux/kasan.h:184 [inline]
     slab_free_hook mm/slub.c:2252 [inline]
     slab_free mm/slub.c:4473 [inline]
     kfree+0x149/0x360 mm/slub.c:4594
     dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278
     jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247
     jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454
     reconfigure_super+0x445/0x880 fs/super.c:1083
     vfs_cmd_reconfigure fs/fsopen.c:263 [inline]
     vfs_fsconfig_locked fs/fsopen.c:292 [inline]
     __do_sys_fsconfig fs/fsopen.c:473 [inline]
     __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    [Analysis]
    There are two paths (dbUnmount and jfs_ioc_trim) that generate race
    condition when accessing bmap, which leads to the occurrence of uaf.
    
    Use the lock s_umount to synchronize them, in order to avoid uaf caused
    by race condition.
    
    Reported-and-tested-by: syzbot+3c010e21296f33a5dc16@syzkaller.appspotmail.com
    Signed-off-by: Edward Adam Davis <eadavis@qq.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

jfs: Fix uninit-value access of new_ea in ea_buffer [+ + +]
Author: Zhao Mengmeng <zhaomengmeng@kylinos.cn>
Date:   Wed Sep 4 09:07:58 2024 +0800

    jfs: Fix uninit-value access of new_ea in ea_buffer
    
    [ Upstream commit 2b59ffad47db1c46af25ccad157bb3b25147c35c ]
    
    syzbot reports that lzo1x_1_do_compress is using uninit-value:
    
    =====================================================
    BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178
    
    ...
    
    Uninit was stored to memory at:
     ea_put fs/jfs/xattr.c:639 [inline]
    
    ...
    
    Local variable ea_buf created at:
     __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662
     __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934
    
    =====================================================
    
    The reason is ea_buf->new_ea is not initialized properly.
    
    Fix this by using memset to empty its content at the beginning
    in ea_get().
    
    Reported-by: syzbot+02341e0daa42a15ce130@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=02341e0daa42a15ce130
    Signed-off-by: Zhao Mengmeng <zhaomengmeng@kylinos.cn>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

jfs: UBSAN: shift-out-of-bounds in dbFindBits [+ + +]
Author: Remington Brasga <rbrasga@uci.edu>
Date:   Wed Jul 10 00:12:44 2024 +0000

    jfs: UBSAN: shift-out-of-bounds in dbFindBits
    
    [ Upstream commit b0b2fc815e514221f01384f39fbfbff65d897e1c ]
    
    Fix issue with UBSAN throwing shift-out-of-bounds warning.
    
    Reported-by: syzbot+e38d703eeb410b17b473@syzkaller.appspotmail.com
    Signed-off-by: Remington Brasga <rbrasga@uci.edu>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ktest.pl: Avoid false positives with grub2 skip regex [+ + +]
Author: Daniel Jordan <daniel.m.jordan@oracle.com>
Date:   Wed Sep 4 13:55:30 2024 -0400

    ktest.pl: Avoid false positives with grub2 skip regex
    
    [ Upstream commit 2351e8c65404aabc433300b6bf90c7a37e8bbc4d ]
    
    Some distros have grub2 config files with the lines
    
        if [ x"${feature_menuentry_id}" = xy ]; then
          menuentry_id_option="--id"
        else
          menuentry_id_option=""
        fi
    
    which match the skip regex defined for grub2 in get_grub_index():
    
        $skip = '^\s*menuentry';
    
    These false positives cause the grub number to be higher than it
    should be, and the wrong kernel can end up booting.
    
    Grub documents the menuentry command with whitespace between it and the
    title, so make the skip regex reflect this.
    
    Link: https://lore.kernel.org/20240904175530.84175-1-daniel.m.jordan@oracle.com
    Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
    Acked-by: John 'Warthog9' Hawley (Tenstorrent) <warthog9@eaglescrag.net>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
kthread: add kthread_work tracepoints [+ + +]
Author: Rob Clark <robdclark@chromium.org>
Date:   Mon Dec 14 19:03:14 2020 -0800

    kthread: add kthread_work tracepoints
    
    [ Upstream commit f630c7c6f10546ebff15c3a856e7949feb7a2372 ]
    
    While migrating some code from wq to kthread_worker, I found that I missed
    the execute_start/end tracepoints.  So add similar tracepoints for
    kthread_work.  And for completeness, queue_work tracepoint (although this
    one differs slightly from the matching workqueue tracepoint).
    
    Link: https://lkml.kernel.org/r/20201010180323.126634-1-robdclark@gmail.com
    Signed-off-by: Rob Clark <robdclark@chromium.org>
    Cc: Rob Clark <robdclark@chromium.org>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
    Cc: Phil Auld <pauld@redhat.com>
    Cc: Valentin Schneider <valentin.schneider@arm.com>
    Cc: Thara Gopinath <thara.gopinath@linaro.org>
    Cc: Randy Dunlap <rdunlap@infradead.org>
    Cc: Vincent Donnefort <vincent.donnefort@arm.com>
    Cc: Mel Gorman <mgorman@techsingularity.net>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: Marcelo Tosatti <mtosatti@redhat.com>
    Cc: Frederic Weisbecker <frederic@kernel.org>
    Cc: Ilias Stamatis <stamatis.iliass@gmail.com>
    Cc: Liang Chen <cl@rock-chips.com>
    Cc: Ben Dooks <ben.dooks@codethink.co.uk>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: "J. Bruce Fields" <bfields@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Stable-dep-of: e16c7b07784f ("kthread: fix task state in kthread worker if being frozen")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

kthread: fix task state in kthread worker if being frozen [+ + +]
Author: Chen Yu <yu.c.chen@intel.com>
Date:   Tue Aug 27 19:23:08 2024 +0800

    kthread: fix task state in kthread worker if being frozen
    
    [ Upstream commit e16c7b07784f3fb03025939c4590b9a7c64970a7 ]
    
    When analyzing a kernel waring message, Peter pointed out that there is a
    race condition when the kworker is being frozen and falls into
    try_to_freeze() with TASK_INTERRUPTIBLE, which could trigger a
    might_sleep() warning in try_to_freeze().  Although the root cause is not
    related to freeze()[1], it is still worthy to fix this issue ahead.
    
    One possible race scenario:
    
            CPU 0                                           CPU 1
            -----                                           -----
    
            // kthread_worker_fn
            set_current_state(TASK_INTERRUPTIBLE);
                                                           suspend_freeze_processes()
                                                             freeze_processes
                                                               static_branch_inc(&freezer_active);
                                                             freeze_kernel_threads
                                                               pm_nosig_freezing = true;
            if (work) { //false
              __set_current_state(TASK_RUNNING);
    
            } else if (!freezing(current)) //false, been frozen
    
                          freezing():
                          if (static_branch_unlikely(&freezer_active))
                            if (pm_nosig_freezing)
                              return true;
              schedule()
            }
    
            // state is still TASK_INTERRUPTIBLE
            try_to_freeze()
              might_sleep() <--- warning
    
    Fix this by explicitly set the TASK_RUNNING before entering
    try_to_freeze().
    
    Link: https://lore.kernel.org/lkml/Zs2ZoAcUsZMX2B%2FI@chenyu5-mobl2/ [1]
    Link: https://lkml.kernel.org/r/20240827112308.181081-1-yu.c.chen@intel.com
    Fixes: b56c0d8937e6 ("kthread: implement kthread_worker")
    Signed-off-by: Chen Yu <yu.c.chen@intel.com>
    Suggested-by: Peter Zijlstra <peterz@infradead.org>
    Suggested-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Andreas Gruenbacher <agruenba@redhat.com>
    Cc: David Gow <davidgow@google.com>
    Cc: Mateusz Guzik <mjguzik@gmail.com>
    Cc: Mickaël Salaün <mic@digikod.net>
    Cc: Tejun Heo <tj@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() [+ + +]
Author: Breno Leitao <leitao@debian.org>
Date:   Fri May 10 02:23:52 2024 -0700

    KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
    
    commit 49f683b41f28918df3e51ddc0d928cb2e934ccdb upstream.
    
    Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the
    loads and stores are atomic.  In the extremely unlikely scenario the
    compiler tears the stores, it's theoretically possible for KVM to attempt
    to get a vCPU using an out-of-bounds index, e.g. if the write is split
    into multiple 8-bit stores, and is paired with a 32-bit load on a VM with
    257 vCPUs:
    
      CPU0                              CPU1
      last_boosted_vcpu = 0xff;
    
                                        (last_boosted_vcpu = 0x100)
                                        last_boosted_vcpu[15:8] = 0x01;
      i = (last_boosted_vcpu = 0x1ff)
                                        last_boosted_vcpu[7:0] = 0x00;
    
      vcpu = kvm->vcpu_array[0x1ff];
    
    As detected by KCSAN:
    
      BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]
    
      write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:
      kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm
      handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
      vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?
                     arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
      vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
      kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
      kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
      __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
      __x64_sys_ioctl (fs/ioctl.c:890)
      x64_sys_call (arch/x86/entry/syscall_64.c:33)
      do_syscall_64 (arch/x86/entry/common.c:?)
      entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
    
      read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:
      kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm
      handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
      vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?
                            arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
      vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
      kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
      kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
      __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
      __x64_sys_ioctl (fs/ioctl.c:890)
      x64_sys_call (arch/x86/entry/syscall_64.c:33)
      do_syscall_64 (arch/x86/entry/common.c:?)
      entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
    
      value changed: 0x00000012 -> 0x00000000
    
    Fixes: 217ece6129f2 ("KVM: use yield_to instead of sleep in kvm_vcpu_on_spin")
    Cc: stable@vger.kernel.org
    Signed-off-by: Breno Leitao <leitao@debian.org>
    Link: https://lore.kernel.org/r/20240510092353.2261824-1-leitao@debian.org
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

KVM: s390: Change virtual to physical address access in diag 0x258 handler [+ + +]
Author: Michael Mueller <mimu@linux.ibm.com>
Date:   Tue Sep 17 17:18:34 2024 +0200

    KVM: s390: Change virtual to physical address access in diag 0x258 handler
    
    commit cad4b3d4ab1f062708fff33f44d246853f51e966 upstream.
    
    The parameters for the diag 0x258 are real addresses, not virtual, but
    KVM was using them as virtual addresses. This only happened to work, since
    the Linux kernel as a guest used to have a 1:1 mapping for physical vs
    virtual addresses.
    
    Fix KVM so that it correctly uses the addresses as real addresses.
    
    Cc: stable@vger.kernel.org
    Fixes: 8ae04b8f500b ("KVM: s390: Guest's memory access functions get access registers")
    Suggested-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Michael Mueller <mimu@linux.ibm.com>
    Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
    Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
    Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
    Link: https://lore.kernel.org/r/20240917151904.74314-3-nrb@linux.ibm.com
    Acked-by: Janosch Frank <frankja@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

KVM: s390: gaccess: Check if guest address is in memslot [+ + +]
Author: Nico Boehr <nrb@linux.ibm.com>
Date:   Tue Sep 17 17:18:33 2024 +0200

    KVM: s390: gaccess: Check if guest address is in memslot
    
    [ Upstream commit e8061f06185be0a06a73760d6526b8b0feadfe52 ]
    
    Previously, access_guest_page() did not check whether the given guest
    address is inside of a memslot. This is not a problem, since
    kvm_write_guest_page/kvm_read_guest_page return -EFAULT in this case.
    
    However, -EFAULT is also returned when copy_to/from_user fails.
    
    When emulating a guest instruction, the address being outside a memslot
    usually means that an addressing exception should be injected into the
    guest.
    
    Failure in copy_to/from_user however indicates that something is wrong
    in userspace and hence should be handled there.
    
    To be able to distinguish these two cases, return PGM_ADDRESSING in
    access_guest_page() when the guest address is outside guest memory. In
    access_guest_real(), populate vcpu->arch.pgm.code such that
    kvm_s390_inject_prog_cond() can be used in the caller for injecting into
    the guest (if applicable).
    
    Since this adds a new return value to access_guest_page(), we need to make
    sure that other callers are not confused by the new positive return value.
    
    There are the following users of access_guest_page():
    - access_guest_with_key() does the checking itself (in
      guest_range_to_gpas()), so this case should never happen. Even if, the
      handling is set up properly.
    - access_guest_real() just passes the return code to its callers, which
      are:
        - read_guest_real() - see below
        - write_guest_real() - see below
    
    There are the following users of read_guest_real():
    - ar_translation() in gaccess.c which already returns PGM_*
    - setup_apcb10(), setup_apcb00(), setup_apcb11() in vsie.c which always
      return -EFAULT on read_guest_read() nonzero return - no change
    - shadow_crycb(), handle_stfle() always present this as validity, this
      could be handled better but doesn't change current behaviour - no change
    
    There are the following users of write_guest_real():
    - kvm_s390_store_status_unloaded() always returns -EFAULT on
      write_guest_real() failure.
    
    Fixes: 2293897805c2 ("KVM: s390: add architecture compliant guest access functions")
    Cc: stable@vger.kernel.org
    Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
    Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
    Link: https://lore.kernel.org/r/20240917151904.74314-2-nrb@linux.ibm.com
    Acked-by: Janosch Frank <frankja@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

KVM: s390: gaccess: Cleanup access to guest pages [+ + +]
Author: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
Date:   Fri Nov 26 17:45:49 2021 +0100

    KVM: s390: gaccess: Cleanup access to guest pages
    
    [ Upstream commit bad13799e0305deb258372b7298a86be4c78aaba ]
    
    Introduce a helper function for guest frame access.
    
    Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
    Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
    Reviewed-by: David Hildenbrand <david@redhat.com>
    Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
    Message-Id: <20211126164549.7046-4-scgl@linux.ibm.com>
    Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
    Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

KVM: s390: gaccess: Refactor access address range check [+ + +]
Author: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
Date:   Fri Nov 26 17:45:48 2021 +0100

    KVM: s390: gaccess: Refactor access address range check
    
    [ Upstream commit 7faa543df19bf62d4583a64d3902705747f2ad29 ]
    
    Do not round down the first address to the page boundary, just translate
    it normally, which gives the value we care about in the first place.
    Given this, translating a single address is just the special case of
    translating a range spanning a single page.
    
    Make the output optional, so the function can be used to just check a
    range.
    
    Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
    Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
    Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
    Message-Id: <20211126164549.7046-3-scgl@linux.ibm.com>
    Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
    Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

KVM: s390: gaccess: Refactor gpa and length calculation [+ + +]
Author: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
Date:   Fri Nov 26 17:45:47 2021 +0100

    KVM: s390: gaccess: Refactor gpa and length calculation
    
    [ Upstream commit 416e7f0c9d613bf84e182eba9547ae8f9f5bfa4c ]
    
    Improve readability by renaming the length variable and
    not calculating the offset manually.
    
    Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
    Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
    Reviewed-by: David Hildenbrand <david@redhat.com>
    Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
    Message-Id: <20211126164549.7046-2-scgl@linux.ibm.com>
    Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
    Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Linux: Linux 4.19.323 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Nov 8 16:19:24 2024 +0100

    Linux 4.19.323
    
    Link: https://lore.kernel.org/r/20241106120320.865793091@linuxfoundation.org
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/20241107063342.964868073@linuxfoundation.org
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: kernelci.org bot <bot@kernelci.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
macsec: don't increment counters for an unrelated SA [+ + +]
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Fri Oct 11 17:16:37 2024 +0200

    macsec: don't increment counters for an unrelated SA
    
    [ Upstream commit cf58aefb1332db322060cad4a330d5f9292b0f41 ]
    
    On RX, we shouldn't be incrementing the stats for an arbitrary SA in
    case the actual SA hasn't been set up. Those counters are intended to
    track packets for their respective AN when the SA isn't currently
    configured. Due to the way MACsec is implemented, we don't keep
    counters unless the SA is configured, so we can't track those packets,
    and those counters will remain at 0.
    
    The RXSC's stats keeps track of those packets without telling us which
    AN they belonged to. We could add counters for non-existent SAs, and
    then find a way to integrate them in the dump to userspace, but I
    don't think it's worth the effort.
    
    Fixes: 91ec9bd57f35 ("macsec: Fix traffic counters/statistics")
    Reported-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Link: https://patch.msgid.link/f5ac92aaa5b89343232615f4c03f9f95042c6aa0.1728657709.git.sd@queasysnail.net
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mailbox: bcm2835: Fix timeout during suspend mode [+ + +]
Author: Stefan Wahren <wahrenst@gmx.net>
Date:   Wed Aug 21 23:40:44 2024 +0200

    mailbox: bcm2835: Fix timeout during suspend mode
    
    [ Upstream commit dc09f007caed3b2f6a3b6bd7e13777557ae22bfd ]
    
    During noirq suspend phase the Raspberry Pi power driver suffer of
    firmware property timeouts. The reason is that the IRQ of the underlying
    BCM2835 mailbox is disabled and rpi_firmware_property_list() will always
    run into a timeout [1].
    
    Since the VideoCore side isn't consider as a wakeup source, set the
    IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled
    during suspend-resume cycle.
    
    [1]
    PM: late suspend of devices complete after 1.754 msecs
    WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128
     rpi_firmware_property_list+0x204/0x22c
    Firmware transaction 0x00028001 timeout
    Modules linked in:
    CPU: 0 PID: 438 Comm: bash Tainted: G         C         6.9.3-dirty #17
    Hardware name: BCM2835
    Call trace:
    unwind_backtrace from show_stack+0x18/0x1c
    show_stack from dump_stack_lvl+0x34/0x44
    dump_stack_lvl from __warn+0x88/0xec
    __warn from warn_slowpath_fmt+0x7c/0xb0
    warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c
    rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c
    rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0
    rpi_firmware_set_power from _genpd_power_off+0xe4/0x148
    _genpd_power_off from genpd_sync_power_off+0x7c/0x11c
    genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0
    genpd_finish_suspend from dpm_run_callback+0x78/0xd0
    dpm_run_callback from device_suspend_noirq+0xc0/0x238
    device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168
    dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac
    suspend_devices_and_enter from pm_suspend+0x254/0x2e4
    pm_suspend from state_store+0xa8/0xd4
    state_store from kernfs_fop_write_iter+0x154/0x1a0
    kernfs_fop_write_iter from vfs_write+0x12c/0x184
    vfs_write from ksys_write+0x78/0xc0
    ksys_write from ret_fast_syscall+0x0/0x54
    Exception stack(0xcc93dfa8 to 0xcc93dff0)
    [...]
    PM: noirq suspend of devices complete after 3095.584 msecs
    
    Link: https://github.com/raspberrypi/firmware/issues/1894
    Fixes: 0bae6af6d704 ("mailbox: Enable BCM2835 mailbox support")
    Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
    Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

mailbox: rockchip: fix a typo in module autoloading [+ + +]
Author: Liao Chen <liaochen4@huawei.com>
Date:   Wed Aug 14 02:51:47 2024 +0000

    mailbox: rockchip: fix a typo in module autoloading
    
    [ Upstream commit e92d87c9c5d769e4cb1dd7c90faa38dddd7e52e3 ]
    
    MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match) could let the module
    properly autoloaded based on the alias from of_device_id table. It
    should be 'rockchip_mbox_of_match' instead of 'rockchp_mbox_of_match',
    just fix it.
    
    Fixes: f70ed3b5dc8b ("mailbox: rockchip: Add Rockchip mailbox driver")
    Signed-off-by: Liao Chen <liaochen4@huawei.com>
    Reviewed-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags [+ + +]
Author: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Date:   Wed Aug 7 09:22:10 2024 +0200

    media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags
    
    commit 599f6899051cb70c4e0aa9fd591b9ee220cb6f14 upstream.
    
    The cec_msg_set_reply_to() helper function never zeroed the
    struct cec_msg flags field, this can cause unexpected behavior
    if flags was uninitialized to begin with.
    
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Fixes: 0dbacebede1e ("[media] cec: move the CEC framework out of staging and to media")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: venus: fix use after free bug in venus_remove due to race condition [+ + +]
Author: Zheng Wang <zyytlz.wz@163.com>
Date:   Tue Jun 18 14:55:59 2024 +0530

    media: venus: fix use after free bug in venus_remove due to race condition
    
    commit c5a85ed88e043474161bbfe54002c89c1cb50ee2 upstream.
    
    in venus_probe, core->work is bound with venus_sys_error_handler, which is
    used to handle error. The code use core->sys_err_done to make sync work.
    The core->work is started in venus_event_notify.
    
    If we call venus_remove, there might be an unfished work. The possible
    sequence is as follows:
    
    CPU0                  CPU1
    
                         |venus_sys_error_handler
    venus_remove         |
    hfi_destroy                      |
    venus_hfi_destroy        |
    kfree(hdev);         |
                         |hfi_reinit
                                             |venus_hfi_queues_reinit
                         |//use hdev
    
    Fix it by canceling the work in venus_remove.
    
    Cc: stable@vger.kernel.org
    Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
    Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
    Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
    Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() [+ + +]
Author: Yunke Cao <yunkec@chromium.org>
Date:   Wed Aug 14 11:06:40 2024 +0900

    media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put()
    
    [ Upstream commit 6a9c97ab6b7e85697e0b74e86062192a5ffffd99 ]
    
    Clear vb2_plane's memory related fields in __vb2_plane_dmabuf_put(),
    including bytesused, length, fd and data_offset.
    
    Remove the duplicated code in __prepare_dmabuf().
    
    Signed-off-by: Yunke Cao <yunkec@chromium.org>
    Acked-by: Tomasz Figa <tfiga@chromium.org>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
microblaze: don't treat zero reserved memory regions as error [+ + +]
Author: Mike Rapoport <rppt@kernel.org>
Date:   Mon Jul 29 08:33:27 2024 +0300

    microblaze: don't treat zero reserved memory regions as error
    
    [ Upstream commit 0075df288dd8a7abfe03b3766176c393063591dd ]
    
    Before commit 721f4a6526da ("mm/memblock: remove empty dummy entry") the
    check for non-zero of memblock.reserved.cnt in mmu_init() would always
    be true either because  memblock.reserved.cnt is initialized to 1 or
    because there were memory reservations earlier.
    
    The removal of dummy empty entry in memblock caused this check to fail
    because now memblock.reserved.cnt is initialized to 0.
    
    Remove the check for non-zero of memblock.reserved.cnt because it's
    perfectly fine to have an empty memblock.reserved array that early in
    boot.
    
    Reported-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Mike Rapoport <rppt@kernel.org>
    Reviewed-by: Wei Yang <richard.weiyang@gmail.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Link: https://lore.kernel.org/r/20240729053327.4091459-1-rppt@kernel.org
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
misc: sgi-gru: Don't disable preemption in GRU driver [+ + +]
Author: Dimitri Sivanich <sivanich@hpe.com>
Date:   Thu Sep 19 07:34:50 2024 -0500

    misc: sgi-gru: Don't disable preemption in GRU driver
    
    [ Upstream commit b983b271662bd6104d429b0fd97af3333ba760bf ]
    
    Disabling preemption in the GRU driver is unnecessary, and clashes with
    sleeping locks in several code paths.  Remove preempt_disable and
    preempt_enable from the GRU driver.
    
    Signed-off-by: Dimitri Sivanich <sivanich@hpe.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mm: shmem: fix data-race in shmem_getattr() [+ + +]
Author: Jeongjun Park <aha310510@gmail.com>
Date:   Mon Sep 9 21:35:58 2024 +0900

    mm: shmem: fix data-race in shmem_getattr()
    
    commit d949d1d14fa281ace388b1de978e8f2cd52875cf upstream.
    
    I got the following KCSAN report during syzbot testing:
    
    ==================================================================
    BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current
    
    write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1:
     inode_set_ctime_to_ts include/linux/fs.h:1638 [inline]
     inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626
     shmem_mknod+0x117/0x180 mm/shmem.c:3443
     shmem_create+0x34/0x40 mm/shmem.c:3497
     lookup_open fs/namei.c:3578 [inline]
     open_last_lookups fs/namei.c:3647 [inline]
     path_openat+0xdbc/0x1f00 fs/namei.c:3883
     do_filp_open+0xf7/0x200 fs/namei.c:3913
     do_sys_openat2+0xab/0x120 fs/open.c:1416
     do_sys_open fs/open.c:1431 [inline]
     __do_sys_openat fs/open.c:1447 [inline]
     __se_sys_openat fs/open.c:1442 [inline]
     __x64_sys_openat+0xf3/0x120 fs/open.c:1442
     x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0:
     inode_get_ctime_nsec include/linux/fs.h:1623 [inline]
     inode_get_ctime include/linux/fs.h:1629 [inline]
     generic_fillattr+0x1dd/0x2f0 fs/stat.c:62
     shmem_getattr+0x17b/0x200 mm/shmem.c:1157
     vfs_getattr_nosec fs/stat.c:166 [inline]
     vfs_getattr+0x19b/0x1e0 fs/stat.c:207
     vfs_statx_path fs/stat.c:251 [inline]
     vfs_statx+0x134/0x2f0 fs/stat.c:315
     vfs_fstatat+0xec/0x110 fs/stat.c:341
     __do_sys_newfstatat fs/stat.c:505 [inline]
     __se_sys_newfstatat+0x58/0x260 fs/stat.c:499
     __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499
     x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    value changed: 0x2755ae53 -> 0x27ee44d3
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
    ==================================================================
    
    When calling generic_fillattr(), if you don't hold read lock, data-race
    will occur in inode member variables, which can cause unexpected
    behavior.
    
    Since there is no special protection when shmem_getattr() calls
    generic_fillattr(), data-race occurs by functions such as shmem_unlink()
    or shmem_mknod(). This can cause unexpected results, so commenting it out
    is not enough.
    
    Therefore, when calling generic_fillattr() from shmem_getattr(), it is
    appropriate to protect the inode using inode_lock_shared() and
    inode_unlock_shared() to prevent data-race.
    
    Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com
    Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat")
    Signed-off-by: Jeongjun Park <aha310510@gmail.com>
    Reported-by: syzbot <syzkaller@googlegroup.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Yu Zhao <yuzhao@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mtd: slram: insert break after errors in parsing the map [+ + +]
Author: Mirsad Todorovac <mtodorovac69@gmail.com>
Date:   Fri Jul 12 01:43:20 2024 +0200

    mtd: slram: insert break after errors in parsing the map
    
    [ Upstream commit 336c218dd7f0588ed8a7345f367975a00a4f003f ]
    
    GCC 12.3.0 compiler on linux-next next-20240709 tree found the execution
    path in which, due to lazy evaluation, devlength isn't initialised with the
    parsed string:
    
       289          while (map) {
       290                  devname = devstart = devlength = NULL;
       291
       292                  if (!(devname = strsep(&map, ","))) {
       293                          E("slram: No devicename specified.\n");
       294                          break;
       295                  }
       296                  T("slram: devname = %s\n", devname);
       297                  if ((!map) || (!(devstart = strsep(&map, ",")))) {
       298                          E("slram: No devicestart specified.\n");
       299                  }
       300                  T("slram: devstart = %s\n", devstart);
     → 301                  if ((!map) || (!(devlength = strsep(&map, ",")))) {
       302                          E("slram: No devicelength / -end specified.\n");
       303                  }
     → 304                  T("slram: devlength = %s\n", devlength);
       305                  if (parse_cmdline(devname, devstart, devlength) != 0) {
       306                          return(-EINVAL);
       307                  }
    
    Parsing should be finished after map == NULL, so a break is best inserted after
    each E("slram: ... \n") error message.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: Miquel Raynal <miquel.raynal@bootlin.com>
    Cc: Richard Weinberger <richard@nod.at>
    Cc: Vignesh Raghavendra <vigneshr@ti.com>
    Cc: linux-mtd@lists.infradead.org
    Signed-off-by: Mirsad Todorovac <mtodorovac69@gmail.com>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/20240711234319.637824-1-mtodorovac69@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/mlx5: Update the list of the PCI supported devices [+ + +]
Author: Eran Ben Elisha <eranbe@mellanox.com>
Date:   Sun Jan 27 15:01:25 2019 +0200

    net/mlx5: Update the list of the PCI supported devices
    
    [ Upstream commit 85327a9c415057259b337805d356705d0d0f4200 ]
    
    Add the upcoming ConnectX-6 Dx.
    
    In addition, add "ConnectX Family mlx5Gen Virtual Function" device ID.
    Every new HCA VF will be identified with this device ID. Different VF
    models will be distinguished by their revision id.
    
    Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
    Reviewed-by: Aya Levin <ayal@mellanox.com>
    Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT [+ + +]
Author: Pedro Tammela <pctammela@mojatatu.com>
Date:   Thu Oct 24 12:55:47 2024 -0400

    net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
    
    [ Upstream commit 2e95c4384438adeaa772caa560244b1a2efef816 ]
    
    In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
    to be either root or ingress. This assumption is bogus since it's valid
    to create egress qdiscs with major handle ffff:
    Budimir Markovic found that for qdiscs like DRR that maintain an active
    class list, it will cause a UAF with a dangling class pointer.
    
    In 066a3b5b2346, the concern was to avoid iterating over the ingress
    qdisc since its parent is itself. The proper fix is to stop when parent
    TC_H_ROOT is reached because the only way to retrieve ingress is when a
    hierarchy which does not contain a ffff: major handle call into
    qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
    
    In the scenario where major ffff: is an egress qdisc in any of the tree
    levels, the updates will also propagate to TC_H_ROOT, which then the
    iteration must stop.
    
    Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop")
    Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
    Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Tested-by: Victor Nogueira <victor@mojatatu.com>
    Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
    Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
    
     net/sched/sch_api.c | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    Reviewed-by: Simon Horman <horms@kernel.org>
    
    Link: https://patch.msgid.link/20241024165547.418570-1-jhs@mojatatu.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() [+ + +]
Author: Wang Hai <wanghai38@huawei.com>
Date:   Tue Oct 15 22:41:48 2024 +0800

    net/sun3_82586: fix potential memory leak in sun3_82586_send_packet()
    
    [ Upstream commit 2cb3f56e827abb22c4168ad0c1bbbf401bb2f3b8 ]
    
    The sun3_82586_send_packet() returns NETDEV_TX_OK without freeing skb
    in case of skb->len being too long, add dev_kfree_skb() to fix it.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Message-ID: <20241015144148.7918-1-wanghai38@huawei.com>
    Signed-off-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: add more sanity checks to qdisc_pkt_len_init() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Sep 24 15:02:57 2024 +0000

    net: add more sanity checks to qdisc_pkt_len_init()
    
    [ Upstream commit ab9a9a9e9647392a19e7a885b08000e89c86b535 ]
    
    One path takes care of SKB_GSO_DODGY, assuming
    skb->len is bigger than hdr_len.
    
    virtio_net_hdr_to_skb() does not fully dissect TCP headers,
    it only make sure it is at least 20 bytes.
    
    It is possible for an user to provide a malicious 'GSO' packet,
    total length of 80 bytes.
    
    - 20 bytes of IPv4 header
    - 60 bytes TCP header
    - a small gso_size like 8
    
    virtio_net_hdr_to_skb() would declare this packet as a normal
    GSO packet, because it would see 40 bytes of payload,
    bigger than gso_size.
    
    We need to make detect this case to not underflow
    qdisc_skb_cb(skb)->pkt_len.
    
    Fixes: 1def9238d4aa ("net_sched: more precise pkt_len computation")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: amd: mvme147: Fix probe banner message [+ + +]
Author: Daniel Palmer <daniel@0x0f.com>
Date:   Mon Oct 7 19:43:17 2024 +0900

    net: amd: mvme147: Fix probe banner message
    
    [ Upstream commit 82c5b53140faf89c31ea2b3a0985a2f291694169 ]
    
    Currently this driver prints this line with what looks like
    a rogue format specifier when the device is probed:
    [    2.840000] eth%d: MVME147 at 0xfffe1800, irq 12, Hardware Address xx:xx:xx:xx:xx:xx
    
    Change the printk() for netdev_info() and move it after the
    registration has completed so it prints out the name of the
    interface properly.
    
    Signed-off-by: Daniel Palmer <daniel@0x0f.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: avoid potential underflow in qdisc_pkt_len_init() with UFO [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Sep 24 15:02:56 2024 +0000

    net: avoid potential underflow in qdisc_pkt_len_init() with UFO
    
    [ Upstream commit c20029db28399ecc50e556964eaba75c43b1e2f1 ]
    
    After commit 7c6d2ecbda83 ("net: be more gentle about silly gso
    requests coming from user") virtio_net_hdr_to_skb() had sanity check
    to detect malicious attempts from user space to cook a bad GSO packet.
    
    Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count
    transport header in UFO") while fixing one issue, allowed user space
    to cook a GSO packet with the following characteristic :
    
    IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.
    
    When this packet arrives in qdisc_pkt_len_init(), we end up
    with hdr_len = 28 (IPv4 header + UDP header), matching skb->len
    
    Then the following sets gso_segs to 0 :
    
    gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
                            shinfo->gso_size);
    
    Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/
    
    qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
    
    This leads to the following crash in fq_codel [1]
    
    qdisc_pkt_len_init() is best effort, we only want an estimation
    of the bytes sent on the wire, not crashing the kernel.
    
    This patch is fixing this particular issue, a following one
    adds more sanity checks for another potential bug.
    
    [1]
    [   70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
    [   70.724561] #PF: supervisor read access in kernel mode
    [   70.724561] #PF: error_code(0x0000) - not-present page
    [   70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
    [   70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
    [   70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
    [   70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    [   70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
    [ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
    All code
    ========
       0:   24 08                   and    $0x8,%al
       2:   49 c1 e1 06             shl    $0x6,%r9
       6:   44 89 7c 24 18          mov    %r15d,0x18(%rsp)
       b:   45 31 ed                xor    %r13d,%r13d
       e:   45 31 c0                xor    %r8d,%r8d
      11:   31 ff                   xor    %edi,%edi
      13:   89 44 24 14             mov    %eax,0x14(%rsp)
      17:   4c 03 8b 90 01 00 00    add    0x190(%rbx),%r9
      1e:   eb 04                   jmp    0x24
      20:   39 ca                   cmp    %ecx,%edx
      22:   73 37                   jae    0x5b
      24:   4d 8b 39                mov    (%r9),%r15
      27:   83 c7 01                add    $0x1,%edi
      2a:*  49 8b 17                mov    (%r15),%rdx              <-- trapping instruction
      2d:   49 89 11                mov    %rdx,(%r9)
      30:   41 8b 57 28             mov    0x28(%r15),%edx
      34:   45 8b 5f 34             mov    0x34(%r15),%r11d
      38:   49 c7 07 00 00 00 00    movq   $0x0,(%r15)
      3f:   49                      rex.WB
    
    Code starting with the faulting instruction
    ===========================================
       0:   49 8b 17                mov    (%r15),%rdx
       3:   49 89 11                mov    %rdx,(%r9)
       6:   41 8b 57 28             mov    0x28(%r15),%edx
       a:   45 8b 5f 34             mov    0x34(%r15),%r11d
       e:   49 c7 07 00 00 00 00    movq   $0x0,(%r15)
      15:   49                      rex.WB
    [   70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
    [   70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
    [   70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
    [   70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
    [   70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
    [   70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
    [   70.724561] FS:  000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
    [   70.724561] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0
    [   70.724561] Call Trace:
    [   70.724561]  <TASK>
    [   70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
    [   70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715)
    [   70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
    [   70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
    [   70.724561] ? fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
    [   70.724561] dev_qdisc_enqueue (net/core/dev.c:3784)
    [   70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2))
    [   70.724561] ? irqentry_enter (kernel/entry/common.c:237)
    [   70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2))
    [   70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4))
    [   70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
    [   70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1))
    [   70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
    [   70.724561] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
    [   70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1))
    [   70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
    [   70.724561] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
    [   70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
    [   70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
    [   70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
    [   70.724561] RIP: 0033:0x41ae09
    
    Fixes: cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Jonathan Davies <jonathan.davies@nutanix.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Reviewed-by: Jonathan Davies <jonathan.davies@nutanix.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: dpaa: Pad packets to ETH_ZLEN [+ + +]
Author: Sean Anderson <sean.anderson@linux.dev>
Date:   Tue Sep 10 10:31:44 2024 -0400

    net: dpaa: Pad packets to ETH_ZLEN
    
    [ Upstream commit cbd7ec083413c6a2e0c326d49e24ec7d12c7a9e0 ]
    
    When sending packets under 60 bytes, up to three bytes of the buffer
    following the data may be leaked. Avoid this by extending all packets to
    ETH_ZLEN, ensuring nothing is leaked in the padding. This bug can be
    reproduced by running
    
            $ ping -s 11 destination
    
    Fixes: 9ad1a3749333 ("dpaa_eth: add support for DPAA Ethernet")
    Suggested-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://patch.msgid.link/20240910143144.1439910-1-sean.anderson@linux.dev
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: dsa: mv88e6xxx: Fix out-of-bound access [+ + +]
Author: Joseph Huang <Joseph.Huang@garmin.com>
Date:   Mon Aug 19 19:52:50 2024 -0400

    net: dsa: mv88e6xxx: Fix out-of-bound access
    
    commit 528876d867a23b5198022baf2e388052ca67c952 upstream.
    
    If an ATU violation was caused by a CPU Load operation, the SPID could
    be larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array).
    
    Fixes: 75c05a74e745 ("net: dsa: mv88e6xxx: Fix counting of ATU violations")
    Signed-off-by: Joseph Huang <Joseph.Huang@garmin.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Link: https://patch.msgid.link/20240819235251.1331763-1-Joseph.Huang@garmin.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
    Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() [+ + +]
Author: Wang Hai <wanghai38@huawei.com>
Date:   Sat Oct 12 19:04:34 2024 +0800

    net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit()
    
    [ Upstream commit cf57b5d7a2aad456719152ecd12007fe031628a3 ]
    
    The greth_start_xmit_gbit() returns NETDEV_TX_OK without freeing skb
    in case of skb->len being too long, add dev_kfree_skb() to fix it.
    
    Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Reviewed-by: Gerhard Engleder <gerhard@engleder-embedded.com>
    Link: https://patch.msgid.link/20241012110434.49265-1-wanghai38@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: ethernet: cortina: Drop TSO support [+ + +]
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Sat Jan 6 01:12:22 2024 +0100

    net: ethernet: cortina: Drop TSO support
    
    [ Upstream commit ac631873c9e7a50d2a8de457cfc4b9f86666403e ]
    
    The recent change to allow large frames without hardware checksumming
    slotted in software checksumming in the driver if hardware could not
    do it.
    
    This will however upset TSO (TCP Segment Offloading). Typical
    error dumps includes this:
    
    skb len=2961 headroom=222 headlen=66 tailroom=0
    (...)
    WARNING: CPU: 0 PID: 956 at net/core/dev.c:3259 skb_warn_bad_offload+0x7c/0x108
    gemini-ethernet-port: caps=(0x0000010000154813, 0x00002007ffdd7889)
    
    And the packets do not go through.
    
    The TSO implementation is bogus: a TSO enabled driver must propagate
    the skb_shinfo(skb)->gso_size value to the TSO engine on the NIC.
    
    Drop the size check and TSO offloading features for now: this
    needs to be fixed up properly.
    
    After this ethernet works fine on Gemini devices with a direct connected
    PHY such as D-Link DNS-313.
    
    Also tested to still be working with a DSA switch using the Gemini
    ethernet as conduit interface.
    
    Link: https://lore.kernel.org/netdev/CANn89iJLfxng1sYL5Zk0mknXpyYQPCp83m3KgD2KJ2_hKCpEUg@mail.gmail.com/
    Suggested-by: Eric Dumazet <edumazet@google.com>
    Fixes: d4d0c5b4d279 ("net: ethernet: cortina: Handle large frames")
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: ethernet: lantiq_etop: fix memory disclosure [+ + +]
Author: Aleksander Jan Bajkowski <olek2@wp.pl>
Date:   Mon Sep 23 23:49:49 2024 +0200

    net: ethernet: lantiq_etop: fix memory disclosure
    
    [ Upstream commit 45c0de18ff2dc9af01236380404bbd6a46502c69 ]
    
    When applying padding, the buffer is not zeroed, which results in memory
    disclosure. The mentioned data is observed on the wire. This patch uses
    skb_put_padto() to pad Ethernet frames properly. The mentioned function
    zeroes the expanded buffer.
    
    In case the packet cannot be padded it is silently dropped. Statistics
    are also not incremented. This driver does not support statistics in the
    old 32-bit format or the new 64-bit format. These will be added in the
    future. In its current form, the patch should be easily backported to
    stable versions.
    
    Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets
    in hardware, so software padding must be applied.
    
    Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver")
    Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
    Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
    Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Link: https://patch.msgid.link/20240923214949.231511-2-olek2@wp.pl
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: ethernet: use ip_hdrlen() instead of bit shift [+ + +]
Author: Moon Yeounsu <yyyynoom@gmail.com>
Date:   Wed Aug 7 19:07:21 2024 +0900

    net: ethernet: use ip_hdrlen() instead of bit shift
    
    [ Upstream commit 9a039eeb71a42c8b13408a1976e300f3898e1be0 ]
    
    `ip_hdr(skb)->ihl << 2` is the same as `ip_hdrlen(skb)`
    Therefore, we should use a well-defined function not a bit shift
    to find the header length.
    
    It also compresses two lines to a single line.
    
    Signed-off-by: Moon Yeounsu <yyyynoom@gmail.com>
    Reviewed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: Fix an unsafe loop on the list [+ + +]
Author: Anastasia Kovaleva <a.kovaleva@yadro.com>
Date:   Thu Oct 3 13:44:31 2024 +0300

    net: Fix an unsafe loop on the list
    
    commit 1dae9f1187189bc09ff6d25ca97ead711f7e26f9 upstream.
    
    The kernel may crash when deleting a genetlink family if there are still
    listeners for that family:
    
    Oops: Kernel access of bad area, sig: 11 [#1]
      ...
      NIP [c000000000c080bc] netlink_update_socket_mc+0x3c/0xc0
      LR [c000000000c0f764] __netlink_clear_multicast_users+0x74/0xc0
      Call Trace:
    __netlink_clear_multicast_users+0x74/0xc0
    genl_unregister_family+0xd4/0x2d0
    
    Change the unsafe loop on the list to a safe one, because inside the
    loop there is an element removal from this list.
    
    Fixes: b8273570f802 ("genetlink: fix netns vs. netlink table locking (2)")
    Cc: stable@vger.kernel.org
    Signed-off-by: Anastasia Kovaleva <a.kovaleva@yadro.com>
    Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
    Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://patch.msgid.link/20241003104431.12391-1-a.kovaleva@yadro.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: ftgmac100: Enable TX interrupt to avoid TX timeout [+ + +]
Author: Jacky Chou <jacky_chou@aspeedtech.com>
Date:   Fri Sep 6 14:28:31 2024 +0800

    net: ftgmac100: Enable TX interrupt to avoid TX timeout
    
    [ Upstream commit fef2843bb49f414d1523ca007d088071dee0e055 ]
    
    Currently, the driver only enables RX interrupt to handle RX
    packets and TX resources. Sometimes there is not RX traffic,
    so the TX resource needs to wait for RX interrupt to free.
    This situation will toggle the TX timeout watchdog when the MAC
    TX ring has no more resources to transmit packets.
    Therefore, enable TX interrupt to release TX resources at any time.
    
    When I am verifying iperf3 over UDP, the network hangs.
    Like the log below.
    
    root# iperf3 -c 192.168.100.100 -i1 -t10 -u -b0
    Connecting to host 192.168.100.100, port 5201
    [  4] local 192.168.100.101 port 35773 connected to 192.168.100.100 port 5201
    [ ID] Interval           Transfer     Bandwidth       Total Datagrams
    [  4]   0.00-20.42  sec   160 KBytes  64.2 Kbits/sec  20
    [  4]  20.42-20.42  sec  0.00 Bytes  0.00 bits/sec  0
    [  4]  20.42-20.42  sec  0.00 Bytes  0.00 bits/sec  0
    [  4]  20.42-20.42  sec  0.00 Bytes  0.00 bits/sec  0
    [  4]  20.42-20.42  sec  0.00 Bytes  0.00 bits/sec  0
    [  4]  20.42-20.42  sec  0.00 Bytes  0.00 bits/sec  0
    [  4]  20.42-20.42  sec  0.00 Bytes  0.00 bits/sec  0
    [  4]  20.42-20.42  sec  0.00 Bytes  0.00 bits/sec  0
    [  4]  20.42-20.42  sec  0.00 Bytes  0.00 bits/sec  0
    [  4]  20.42-20.42  sec  0.00 Bytes  0.00 bits/sec  0
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval          Transfer    Bandwidth      Jitter   Lost/Total Datagrams
    [  4]   0.00-20.42  sec  160 KBytes 64.2 Kbits/sec 0.000 ms 0/20 (0%)
    [  4] Sent 20 datagrams
    iperf3: error - the server has terminated
    
    The network topology is FTGMAC connects directly to a PC.
    UDP does not need to wait for ACK, unlike TCP.
    Therefore, FTGMAC needs to enable TX interrupt to release TX resources instead
    of waiting for the RX interrupt.
    
    Fixes: 10cbd6407609 ("ftgmac100: Rework NAPI & interrupts handling")
    Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
    Link: https://patch.msgid.link/20240906062831.2243399-1-jacky_chou@aspeedtech.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: ftgmac100: Ensure tx descriptor updates are visible [+ + +]
Author: Jacky Chou <jacky_chou@aspeedtech.com>
Date:   Thu Aug 22 15:30:06 2024 +0800

    net: ftgmac100: Ensure tx descriptor updates are visible
    
    [ Upstream commit 4186c8d9e6af57bab0687b299df10ebd47534a0a ]
    
    The driver must ensure TX descriptor updates are visible
    before updating TX pointer and TX clear pointer.
    
    This resolves TX hangs observed on AST2600 when running
    iperf3.
    
    Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: hisilicon: hip04: fix OF node leak in probe() [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Tue Aug 27 16:44:19 2024 +0200

    net: hisilicon: hip04: fix OF node leak in probe()
    
    [ Upstream commit 17555297dbd5bccc93a01516117547e26a61caf1 ]
    
    Driver is leaking OF node reference from
    of_parse_phandle_with_fixed_args() in probe().
    
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20240827144421.52852-2-krzysztof.kozlowski@linaro.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Tue Aug 27 16:44:20 2024 +0200

    net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info()
    
    [ Upstream commit 5680cf8d34e1552df987e2f4bb1bff0b2a8c8b11 ]
    
    Driver is leaking OF node reference from
    of_parse_phandle_with_fixed_args() in hns_mac_get_info().
    
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20240827144421.52852-3-krzysztof.kozlowski@linaro.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: hisilicon: hns_mdio: fix OF node leak in probe() [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Tue Aug 27 16:44:21 2024 +0200

    net: hisilicon: hns_mdio: fix OF node leak in probe()
    
    [ Upstream commit e62beddc45f487b9969821fad3a0913d9bc18a2f ]
    
    Driver is leaking OF node reference from
    of_parse_phandle_with_fixed_args() in probe().
    
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20240827144421.52852-4-krzysztof.kozlowski@linaro.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: ibm: emac: mal: fix wrong goto [+ + +]
Author: Rosen Penev <rosenp@gmail.com>
Date:   Mon Oct 7 16:57:11 2024 -0700

    net: ibm: emac: mal: fix wrong goto
    
    [ Upstream commit 08c8acc9d8f3f70d62dd928571368d5018206490 ]
    
    dcr_map is called in the previous if and therefore needs to be unmapped.
    
    Fixes: 1ff0fcfcb1a6 ("ibm_newemac: Fix new MAL feature handling")
    Signed-off-by: Rosen Penev <rosenp@gmail.com>
    Link: https://patch.msgid.link/20241007235711.5714-1-rosenp@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: ipv6: ensure we call ipv6_mc_down() at most once [+ + +]
Author: j.nixdorf@avm.de <j.nixdorf@avm.de>
Date:   Thu Feb 24 10:06:49 2022 +0100

    net: ipv6: ensure we call ipv6_mc_down() at most once
    
    commit 9995b408f17ff8c7f11bc725c8aa225ba3a63b1c upstream.
    
    There are two reasons for addrconf_notify() to be called with NETDEV_DOWN:
    either the network device is actually going down, or IPv6 was disabled
    on the interface.
    
    If either of them stays down while the other is toggled, we repeatedly
    call the code for NETDEV_DOWN, including ipv6_mc_down(), while never
    calling the corresponding ipv6_mc_up() in between. This will cause a
    new entry in idev->mc_tomb to be allocated for each multicast group
    the interface is subscribed to, which in turn leaks one struct ifmcaddr6
    per nontrivial multicast group the interface is subscribed to.
    
    The following reproducer will leak at least $n objects:
    
    ip addr add ff2e::4242/32 dev eth0 autojoin
    sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
    for i in $(seq 1 $n); do
            ip link set up eth0; ip link set down eth0
    done
    
    Joining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the
    sysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2)
    can also be used to create a nontrivial idev->mc_list, which will the
    leak objects with the right up-down-sequence.
    
    Based on both sources for NETDEV_DOWN events the interface IPv6 state
    should be considered:
    
     - not ready if the network interface is not ready OR IPv6 is disabled
       for it
     - ready if the network interface is ready AND IPv6 is enabled for it
    
    The functions ipv6_mc_up() and ipv6_down() should only be run when this
    state changes.
    
    Implement this by remembering when the IPv6 state is ready, and only
    run ipv6_mc_down() if it actually changed from ready to not ready.
    
    The other direction (not ready -> ready) already works correctly, as:
    
     - the interface notification triggered codepath for NETDEV_UP /
       NETDEV_CHANGE returns early if ipv6 is disabled, and
     - the disable_ipv6=0 triggered codepath skips fully initializing the
       interface as long as addrconf_link_ready(dev) returns false
     - calling ipv6_mc_up() repeatedly does not leak anything
    
    Fixes: 3ce62a84d53c ("ipv6: exit early in addrconf_notify() if IPv6 is disabled")
    Signed-off-by: Johannes Nixdorf <j.nixdorf@avm.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
    Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: mvpp2: Increase size of queue_name buffer [+ + +]
Author: Simon Horman <horms@kernel.org>
Date:   Tue Aug 6 12:28:24 2024 +0100

    net: mvpp2: Increase size of queue_name buffer
    
    [ Upstream commit 91d516d4de48532d967a77967834e00c8c53dfe6 ]
    
    Increase size of queue_name buffer from 30 to 31 to accommodate
    the largest string written to it. This avoids truncation in
    the possibly unlikely case where the string is name is the
    maximum size.
    
    Flagged by gcc-14:
    
      .../mvpp2_main.c: In function 'mvpp2_probe':
      .../mvpp2_main.c:7636:32: warning: 'snprintf' output may be truncated before the last format character [-Wformat-truncation=]
       7636 |                  "stats-wq-%s%s", netdev_name(priv->port_list[0]->dev),
            |                                ^
      .../mvpp2_main.c:7635:9: note: 'snprintf' output between 10 and 31 bytes into a destination of size 30
       7635 |         snprintf(priv->queue_name, sizeof(priv->queue_name),
            |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       7636 |                  "stats-wq-%s%s", netdev_name(priv->port_list[0]->dev),
            |                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       7637 |                  priv->port_count > 1 ? "+" : "");
            |                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Introduced by commit 118d6298f6f0 ("net: mvpp2: add ethtool GOP statistics").
    I am not flagging this as a bug as I am not aware that it is one.
    
    Compile tested only.
    
    Signed-off-by: Simon Horman <horms@kernel.org>
    Reviewed-by: Marcin Wojtas <marcin.s.wojtas@gmail.com>
    Link: https://patch.msgid.link/20240806-mvpp2-namelen-v1-1-6dc773653f2f@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: phy: vitesse: repair vsc73xx autonegotiation [+ + +]
Author: Pawel Dembicki <paweldembicki@gmail.com>
Date:   Fri Aug 9 21:38:06 2024 +0200

    net: phy: vitesse: repair vsc73xx autonegotiation
    
    [ Upstream commit de7a670f8defe4ed2115552ad23dea0f432f7be4 ]
    
    When the vsc73xx mdio bus work properly, the generic autonegotiation
    configuration works well.
    
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: qrtr: Update packets cloning when broadcasting [+ + +]
Author: Youssef Samir <quic_yabdulra@quicinc.com>
Date:   Mon Sep 16 19:08:58 2024 +0200

    net: qrtr: Update packets cloning when broadcasting
    
    [ Upstream commit f011b313e8ebd5b7abd8521b5119aecef403de45 ]
    
    When broadcasting data to multiple nodes via MHI, using skb_clone()
    causes all nodes to receive the same header data. This can result in
    packets being discarded by endpoints, leading to lost data.
    
    This issue occurs when a socket is closed, and a QRTR_TYPE_DEL_CLIENT
    packet is broadcasted. All nodes receive the same destination node ID,
    causing the node connected to the client to discard the packet and
    remain unaware of the client's deletion.
    
    Replace skb_clone() with pskb_copy(), to create a separate copy of
    the header for each sk_buff.
    
    Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
    Signed-off-by: Youssef Samir <quic_yabdulra@quicinc.com>
    Reviewed-by: Jeffery Hugo <quic_jhugo@quicinc.com>
    Reviewed-by: Carl Vanderlip <quic_carlv@quicinc.com>
    Reviewed-by: Chris Lew <quic_clew@quicinc.com>
    Link: https://patch.msgid.link/20240916170858.2382247-1-quic_yabdulra@quicinc.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition [+ + +]
Author: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Date:   Sun Sep 15 22:40:46 2024 +0800

    net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition
    
    [ Upstream commit b5109b60ee4fcb2f2bb24f589575e10cc5283ad4 ]
    
    In the ether3_probe function, a timer is initialized with a callback
    function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
    started, there is a risk of a race condition if the module or device
    is removed, triggering the ether3_remove function to perform cleanup.
    The sequence of operations that may lead to a UAF bug is as follows:
    
    CPU0                                    CPU1
    
                          |  ether3_ledoff
    ether3_remove         |
      free_netdev(dev);   |
      put_devic           |
      kfree(dev);         |
     |  ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
                          | // use dev
    
    Fix it by ensuring that the timer is canceled before proceeding with
    the cleanup in ether3_remove.
    
    Fixes: 6fd9c53f7186 ("net: seeq: Convert timers to use timer_setup()")
    Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
    Link: https://patch.msgid.link/20240915144045.451-1-kxwang23@m.fudan.edu.cn
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension [+ + +]
Author: Benoît Monin <benoit.monin@gmx.fr>
Date:   Thu Oct 24 16:01:54 2024 +0200

    net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension
    
    [ Upstream commit 04c20a9356f283da623903e81e7c6d5df7e4dc3c ]
    
    As documented in skbuff.h, devices with NETIF_F_IPV6_CSUM capability
    can only checksum TCP and UDP over IPv6 if the IP header does not
    contains extension.
    
    This is enforced for UDP packets emitted from user-space to an IPv6
    address as they go through ip6_make_skb(), which calls
    __ip6_append_data() where a check is done on the header size before
    setting CHECKSUM_PARTIAL.
    
    But the introduction of UDP encapsulation with fou6 added a code-path
    where it is possible to get an skb with a partial UDP checksum and an
    IPv6 header with extension:
    * fou6 adds a UDP header with a partial checksum if the inner packet
    does not contains a valid checksum.
    * ip6_tunnel adds an IPv6 header with a destination option extension
    header if encap_limit is non-zero (the default value is 4).
    
    The thread linked below describes in more details how to reproduce the
    problem with GRE-in-UDP tunnel.
    
    Add a check on the network header size in skb_csum_hwoffload_help() to
    make sure no IPv6 packet with extension header is handed to a network
    device with NETIF_F_IPV6_CSUM capability.
    
    Link: https://lore.kernel.org/netdev/26548921.1r3eYUQgxm@benoit.monin/T/#u
    Fixes: aa3463d65e7b ("fou: Add encap ops for IPv6 tunnels")
    Signed-off-by: Benoît Monin <benoit.monin@gmx.fr>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Link: https://patch.msgid.link/5fbeecfc311ea182aa1d1c771725ab8b4cac515e.1729778144.git.benoit.monin@gmx.fr
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: support ip generic csum processing in skb_csum_hwoffload_help [+ + +]
Author: Xin Long <lucien.xin@gmail.com>
Date:   Thu Jan 28 17:18:31 2021 +0800

    net: support ip generic csum processing in skb_csum_hwoffload_help
    
    [ Upstream commit 62fafcd63139920eb25b3fbf154177ce3e6f3232 ]
    
    NETIF_F_IP|IPV6_CSUM feature flag indicates UDP and TCP csum offload
    while NETIF_F_HW_CSUM feature flag indicates ip generic csum offload
    for HW, which includes not only for TCP/UDP csum, but also for other
    protocols' csum like GRE's.
    
    However, in skb_csum_hwoffload_help() it only checks features against
    NETIF_F_CSUM_MASK(NETIF_F_HW|IP|IPV6_CSUM). So if it's a non TCP/UDP
    packet and the features doesn't support NETIF_F_HW_CSUM, but supports
    NETIF_F_IP|IPV6_CSUM only, it would still return 0 and leave the HW
    to do csum.
    
    This patch is to support ip generic csum processing by checking
    NETIF_F_HW_CSUM for all protocols, and check (NETIF_F_IP_CSUM |
    NETIF_F_IPV6_CSUM) only for TCP and UDP.
    
    Note that we're using skb->csum_offset to check if it's a TCP/UDP
    proctol, this might be fragile. However, as Alex said, for now we
    only have a few L4 protocols that are requesting Tx csum offload,
    we'd better fix this until a new protocol comes with a same csum
    offset.
    
    v1->v2:
      - not extend skb->csum_not_inet, but use skb->csum_offset to tell
        if it's an UDP/TCP csum packet.
    v2->v3:
      - add a note in the changelog, as Willem suggested.
    
    Suggested-by: Alexander Duyck <alexander.duyck@gmail.com>
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Stable-dep-of: 04c20a9356f2 ("net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: systemport: fix potential memory leak in bcm_sysport_xmit() [+ + +]
Author: Wang Hai <wanghai38@huawei.com>
Date:   Mon Oct 14 22:51:15 2024 +0800

    net: systemport: fix potential memory leak in bcm_sysport_xmit()
    
    [ Upstream commit c401ed1c709948e57945485088413e1bb5e94bd1 ]
    
    The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb
    in case of dma_map_single() fails, add dev_kfree_skb() to fix it.
    
    Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Link: https://patch.msgid.link/20241014145115.44977-1-wanghai38@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: usb: usbnet: fix name regression [+ + +]
Author: Oliver Neukum <oneukum@suse.com>
Date:   Thu Oct 17 09:18:37 2024 +0200

    net: usb: usbnet: fix name regression
    
    [ Upstream commit 8a7d12d674ac6f2147c18f36d1e15f1a48060edf ]
    
    The fix for MAC addresses broke detection of the naming convention
    because it gave network devices no random MAC before bind()
    was called. This means that the check for the local assignment bit
    was always negative as the address was zeroed from allocation,
    instead of from overwriting the MAC with a unique hardware address.
    
    The correct check for whether bind() has altered the MAC is
    done with is_zero_ether_addr
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Reported-by: Greg Thelen <gthelen@google.com>
    Diagnosed-by: John Sperbeck <jsperbeck@google.com>
    Fixes: bab8eb0dd4cb9 ("usbnet: modern method to get random MAC")
    Link: https://patch.msgid.link/20241017071849.389636-1-oneukum@suse.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
netfilter: br_netfilter: fix panic with metadata_dst skb [+ + +]
Author: Andy Roulin <aroulin@nvidia.com>
Date:   Tue Oct 1 08:43:59 2024 -0700

    netfilter: br_netfilter: fix panic with metadata_dst skb
    
    [ Upstream commit f9ff7665cd128012868098bbd07e28993e314fdb ]
    
    Fix a kernel panic in the br_netfilter module when sending untagged
    traffic via a VxLAN device.
    This happens during the check for fragmentation in br_nf_dev_queue_xmit.
    
    It is dependent on:
    1) the br_netfilter module being loaded;
    2) net.bridge.bridge-nf-call-iptables set to 1;
    3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;
    4) untagged frames with size higher than the VxLAN MTU forwarded/flooded
    
    When forwarding the untagged packet to the VxLAN bridge port, before
    the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and
    changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type
    of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.
    
    Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check
    for frames that needs to be fragmented: frames with higher MTU than the
    VxLAN device end up calling br_nf_ip_fragment, which in turns call
    ip_skb_dst_mtu.
    
    The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst
    with valid dst->dev, thus the crash.
    
    This case was never supported in the first place, so drop the packet
    instead.
    
    PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.
    [  176.291791] Unable to handle kernel NULL pointer dereference at
    virtual address 0000000000000110
    [  176.292101] Mem abort info:
    [  176.292184]   ESR = 0x0000000096000004
    [  176.292322]   EC = 0x25: DABT (current EL), IL = 32 bits
    [  176.292530]   SET = 0, FnV = 0
    [  176.292709]   EA = 0, S1PTW = 0
    [  176.292862]   FSC = 0x04: level 0 translation fault
    [  176.293013] Data abort info:
    [  176.293104]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    [  176.293488]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    [  176.293787]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
    [  176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000
    [  176.294166] [0000000000000110] pgd=0000000000000000,
    p4d=0000000000000000
    [  176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
    [  176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth
    br_netfilter bridge stp llc ipv6 crct10dif_ce
    [  176.295923] CPU: 0 PID: 188 Comm: ping Not tainted
    6.8.0-rc3-g5b3fbd61b9d1 #2
    [  176.296314] Hardware name: linux,dummy-virt (DT)
    [  176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS
    BTYPE=--)
    [  176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
    [  176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]
    [  176.297636] sp : ffff800080003630
    [  176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:
    ffff6828c49ad9f8
    [  176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:
    00000000000003e8
    [  176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:
    ffff6828c3b16d28
    [  176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:
    0000000000000014
    [  176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:
    0000000095744632
    [  176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:
    ffffb7e137926a70
    [  176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :
    0000000000000000
    [  176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :
    f20e0100bebafeca
    [  176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :
    0000000000000000
    [  176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :
    ffff6828c7f918f0
    [  176.300889] Call trace:
    [  176.301123]  br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
    [  176.301411]  br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]
    [  176.301703]  nf_hook_slow+0x48/0x124
    [  176.302060]  br_forward_finish+0xc8/0xe8 [bridge]
    [  176.302371]  br_nf_hook_thresh+0x124/0x134 [br_netfilter]
    [  176.302605]  br_nf_forward_finish+0x118/0x22c [br_netfilter]
    [  176.302824]  br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]
    [  176.303136]  br_nf_forward+0x2b8/0x4e0 [br_netfilter]
    [  176.303359]  nf_hook_slow+0x48/0x124
    [  176.303803]  __br_forward+0xc4/0x194 [bridge]
    [  176.304013]  br_flood+0xd4/0x168 [bridge]
    [  176.304300]  br_handle_frame_finish+0x1d4/0x5c4 [bridge]
    [  176.304536]  br_nf_hook_thresh+0x124/0x134 [br_netfilter]
    [  176.304978]  br_nf_pre_routing_finish+0x29c/0x494 [br_netfilter]
    [  176.305188]  br_nf_pre_routing+0x250/0x524 [br_netfilter]
    [  176.305428]  br_handle_frame+0x244/0x3cc [bridge]
    [  176.305695]  __netif_receive_skb_core.constprop.0+0x33c/0xecc
    [  176.306080]  __netif_receive_skb_one_core+0x40/0x8c
    [  176.306197]  __netif_receive_skb+0x18/0x64
    [  176.306369]  process_backlog+0x80/0x124
    [  176.306540]  __napi_poll+0x38/0x17c
    [  176.306636]  net_rx_action+0x124/0x26c
    [  176.306758]  __do_softirq+0x100/0x26c
    [  176.307051]  ____do_softirq+0x10/0x1c
    [  176.307162]  call_on_irq_stack+0x24/0x4c
    [  176.307289]  do_softirq_own_stack+0x1c/0x2c
    [  176.307396]  do_softirq+0x54/0x6c
    [  176.307485]  __local_bh_enable_ip+0x8c/0x98
    [  176.307637]  __dev_queue_xmit+0x22c/0xd28
    [  176.307775]  neigh_resolve_output+0xf4/0x1a0
    [  176.308018]  ip_finish_output2+0x1c8/0x628
    [  176.308137]  ip_do_fragment+0x5b4/0x658
    [  176.308279]  ip_fragment.constprop.0+0x48/0xec
    [  176.308420]  __ip_finish_output+0xa4/0x254
    [  176.308593]  ip_finish_output+0x34/0x130
    [  176.308814]  ip_output+0x6c/0x108
    [  176.308929]  ip_send_skb+0x50/0xf0
    [  176.309095]  ip_push_pending_frames+0x30/0x54
    [  176.309254]  raw_sendmsg+0x758/0xaec
    [  176.309568]  inet_sendmsg+0x44/0x70
    [  176.309667]  __sys_sendto+0x110/0x178
    [  176.309758]  __arm64_sys_sendto+0x28/0x38
    [  176.309918]  invoke_syscall+0x48/0x110
    [  176.310211]  el0_svc_common.constprop.0+0x40/0xe0
    [  176.310353]  do_el0_svc+0x1c/0x28
    [  176.310434]  el0_svc+0x34/0xb4
    [  176.310551]  el0t_64_sync_handler+0x120/0x12c
    [  176.310690]  el0t_64_sync+0x190/0x194
    [  176.311066] Code: f9402e61 79402aa2 927ff821 f9400023 (f9408860)
    [  176.315743] ---[ end trace 0000000000000000 ]---
    [  176.316060] Kernel panic - not syncing: Oops: Fatal exception in
    interrupt
    [  176.316371] Kernel Offset: 0x37e0e3000000 from 0xffff800080000000
    [  176.316564] PHYS_OFFSET: 0xffff97d780000000
    [  176.316782] CPU features: 0x0,88000203,3c020000,0100421b
    [  176.317210] Memory Limit: none
    [  176.317527] ---[ end Kernel panic - not syncing: Oops: Fatal
    Exception in interrupt ]---\
    
    Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths")
    Reviewed-by: Ido Schimmel <idosch@nvidia.com>
    Signed-off-by: Andy Roulin <aroulin@nvidia.com>
    Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
    Link: https://patch.msgid.link/20241001154400.22787-2-aroulin@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS [+ + +]
Author: Simon Horman <horms@kernel.org>
Date:   Mon Sep 16 16:14:41 2024 +0100

    netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS
    
    [ Upstream commit e1f1ee0e9ad8cbe660f5c104e791c5f1a7cf4c31 ]
    
    Only provide ctnetlink_label_size when it is used,
    which is when CONFIG_NF_CONNTRACK_EVENTS is configured.
    
    Flagged by clang-18 W=1 builds as:
    
    .../nf_conntrack_netlink.c:385:19: warning: unused function 'ctnetlink_label_size' [-Wunused-function]
      385 | static inline int ctnetlink_label_size(const struct nf_conn *ct)
          |                   ^~~~~~~~~~~~~~~~~~~~
    
    The condition on CONFIG_NF_CONNTRACK_LABELS being removed by
    this patch guards compilation of non-trivial implementations
    of ctnetlink_dump_labels() and ctnetlink_label_size().
    
    However, this is not necessary as each of these functions
    will always return 0 if CONFIG_NF_CONNTRACK_LABELS is not defined
    as each function starts with the equivalent of:
    
            struct nf_conn_labels *labels = nf_ct_labels_find(ct);
    
            if (!labels)
                    return 0;
    
    And nf_ct_labels_find always returns NULL if CONFIG_NF_CONNTRACK_LABELS
    is not enabled.  So I believe that the compiler optimises the code away
    in such cases anyway.
    
    Found by inspection.
    Compile tested only.
    
    Originally splitted in two patches, Pablo Neira Ayuso collapsed them and
    added Fixes: tag.
    
    Fixes: 0ceabd83875b ("netfilter: ctnetlink: deliver labels to userspace")
    Link: https://lore.kernel.org/netfilter-devel/20240909151712.GZ2097826@kernel.org/
    Signed-off-by: Simon Horman <horms@kernel.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Sep 13 17:06:15 2024 +0000

    netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()
    
    [ Upstream commit 9c778fe48d20ef362047e3376dee56d77f8500d4 ]
    
    syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending
    garbage on the four reserved tcp bits (th->res1)
    
    Use skb_put_zero() to clear the whole TCP header,
    as done in nf_reject_ip_tcphdr_put()
    
    BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
      nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
      nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
      nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
      expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
      nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
      nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
      nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
      nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
      nf_hook include/linux/netfilter.h:269 [inline]
      NF_HOOK include/linux/netfilter.h:312 [inline]
      ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
      __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
      __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
      process_backlog+0x4ad/0xa50 net/core/dev.c:6108
      __napi_poll+0xe7/0x980 net/core/dev.c:6772
      napi_poll net/core/dev.c:6841 [inline]
      net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
      handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
      __do_softirq+0x14/0x1a kernel/softirq.c:588
      do_softirq+0x9a/0x100 kernel/softirq.c:455
      __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
      local_bh_enable include/linux/bottom_half.h:33 [inline]
      rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
      __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
      dev_queue_xmit include/linux/netdevice.h:3105 [inline]
      neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
      neigh_output include/net/neighbour.h:542 [inline]
      ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
      __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
      ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
      NF_HOOK_COND include/linux/netfilter.h:303 [inline]
      ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
      dst_output include/net/dst.h:450 [inline]
      NF_HOOK include/linux/netfilter.h:314 [inline]
      ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
      inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135
      __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
      tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
      tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
      tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
      __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
      inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
      __sys_connect_file net/socket.c:2061 [inline]
      __sys_connect+0x606/0x690 net/socket.c:2078
      __do_sys_connect net/socket.c:2088 [inline]
      __se_sys_connect net/socket.c:2085 [inline]
      __x64_sys_connect+0x91/0xe0 net/socket.c:2085
      x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Uninit was stored to memory at:
      nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
      nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
      nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
      expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
      nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
      nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
      nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
      nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
      nf_hook include/linux/netfilter.h:269 [inline]
      NF_HOOK include/linux/netfilter.h:312 [inline]
      ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
      __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
      __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
      process_backlog+0x4ad/0xa50 net/core/dev.c:6108
      __napi_poll+0xe7/0x980 net/core/dev.c:6772
      napi_poll net/core/dev.c:6841 [inline]
      net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
      handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
      __do_softirq+0x14/0x1a kernel/softirq.c:588
    
    Uninit was stored to memory at:
      nf_reject_ip6_tcphdr_put+0x2ca/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:231
      nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
      nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
      expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
      nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
      nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
      nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
      nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
      nf_hook include/linux/netfilter.h:269 [inline]
      NF_HOOK include/linux/netfilter.h:312 [inline]
      ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
      __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
      __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
      process_backlog+0x4ad/0xa50 net/core/dev.c:6108
      __napi_poll+0xe7/0x980 net/core/dev.c:6772
      napi_poll net/core/dev.c:6841 [inline]
      net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
      handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
      __do_softirq+0x14/0x1a kernel/softirq.c:588
    
    Uninit was created at:
      slab_post_alloc_hook mm/slub.c:3998 [inline]
      slab_alloc_node mm/slub.c:4041 [inline]
      kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4084
      kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583
      __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674
      alloc_skb include/linux/skbuff.h:1320 [inline]
      nf_send_reset6+0x98d/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:327
      nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
      expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
      nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
      nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
      nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
      nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
      nf_hook include/linux/netfilter.h:269 [inline]
      NF_HOOK include/linux/netfilter.h:312 [inline]
      ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
      __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
      __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
      process_backlog+0x4ad/0xa50 net/core/dev.c:6108
      __napi_poll+0xe7/0x980 net/core/dev.c:6772
      napi_poll net/core/dev.c:6841 [inline]
      net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
      handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
      __do_softirq+0x14/0x1a kernel/softirq.c:588
    
    Fixes: c8d7b98bec43 ("netfilter: move nf_send_resetX() code to nf_reject_ipvX modules")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Link: https://patch.msgid.link/20240913170615.3670897-1-edumazet@google.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue Sep 3 01:06:41 2024 +0200

    netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire
    
    [ Upstream commit e0c47281723f301894c14e6f5cd5884fdfb813f9 ]
    
    Element timeout that is below CONFIG_HZ never expires because the
    timeout extension is not allocated given that nf_msecs_to_jiffies64()
    returns 0. Set timeout to the minimum value to honor timeout.
    
    Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nf_tables: prevent nf_skb_duplicated corruption [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Sep 26 18:56:11 2024 +0000

    netfilter: nf_tables: prevent nf_skb_duplicated corruption
    
    [ Upstream commit 92ceba94de6fb4cee2bf40b485979c342f44a492 ]
    
    syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write
    per-cpu variable nf_skb_duplicated in an unsafe way [1].
    
    Disabling preemption as hinted by the splat is not enough,
    we have to disable soft interrupts as well.
    
    [1]
    BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
     caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
    CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
    Call Trace:
     <TASK>
      __dump_stack lib/dump_stack.c:93 [inline]
      dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
      check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49
      nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
      nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30
      expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
      nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
      nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23
      nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
      nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
      nf_hook+0x2c4/0x450 include/linux/netfilter.h:269
      NF_HOOK_COND include/linux/netfilter.h:302 [inline]
      ip_output+0x185/0x230 net/ipv4/ip_output.c:433
      ip_local_out net/ipv4/ip_output.c:129 [inline]
      ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495
      udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981
      udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0x1a6/0x270 net/socket.c:745
      ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
      ___sys_sendmsg net/socket.c:2651 [inline]
      __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
      __do_sys_sendmmsg net/socket.c:2766 [inline]
      __se_sys_sendmmsg net/socket.c:2763 [inline]
      __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f4ce4f7def9
    Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
    RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9
    RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006
    RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
    R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68
     </TASK>
    
    Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nft_payload: sanitize offset and length before calling skb_checksum() [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed Oct 30 23:13:48 2024 +0100

    netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
    
    [ Upstream commit d5953d680f7e96208c29ce4139a0e38de87a57fe ]
    
    If access to offset + length is larger than the skbuff length, then
    skb_checksum() triggers BUG_ON().
    
    skb_checksum() internally subtracts the length parameter while iterating
    over skbuff, BUG_ON(len) at the end of it checks that the expected
    length to be included in the checksum calculation is fully consumed.
    
    Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support")
    Reported-by: Slavin Liu <slavin-ayu@qq.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED [+ + +]
Author: Phil Sutter <phil@nwl.cc>
Date:   Wed Sep 25 20:01:20 2024 +0200

    netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED
    
    [ Upstream commit 76f1ed087b562a469f2153076f179854b749c09a ]
    
    Fix the comment which incorrectly defines it as NLA_U32.
    
    Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nfs: fix memory leak in error path of nfs4_do_reclaim [+ + +]
Author: Li Lingfeng <lilingfeng3@huawei.com>
Date:   Wed Sep 4 20:34:57 2024 +0800

    nfs: fix memory leak in error path of nfs4_do_reclaim
    
    commit 8f6a7c9467eaf39da4c14e5474e46190ab3fb529 upstream.
    
    Commit c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in
    nfs4_do_reclaim()") separate out the freeing of the state owners from
    nfs4_purge_state_owners() and finish it outside the rcu lock.
    However, the error path is omitted. As a result, the state owners in
    "freeme" will not be released.
    Fix it by adding freeing in the error path.
    
    Fixes: c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()")
    Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
    Cc: stable@vger.kernel.org # v5.3+
    Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
NFS: Remove print_overflow_msg() [+ + +]
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Mon Feb 11 11:24:21 2019 -0500

    NFS: Remove print_overflow_msg()
    
    [ Upstream commit eb72f484a5eb94c53a241e6a7811270fb25200ad ]
    
    This issue is now captured by a trace point in the RPC client.
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Stable-dep-of: 6dbf1f341b6b ("SUNRPC: Fix integer overflow in decode_rc_list()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nfsd: call cache_put if xdr_reserve_space returns NULL [+ + +]
Author: Guoqing Jiang <guoqing.jiang@linux.dev>
Date:   Wed Aug 21 22:03:18 2024 +0800

    nfsd: call cache_put if xdr_reserve_space returns NULL
    
    [ Upstream commit d078cbf5c38de83bc31f83c47dcd2184c04a50c7 ]
    
    If not enough buffer space available, but idmap_lookup has triggered
    lookup_fn which calls cache_get and returns successfully. Then we
    missed to call cache_put here which pairs with cache_get.
    
    Fixes: ddd1ea563672 ("nfsd4: use xdr_reserve_space in attribute encoding")
    Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
    Reviwed-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

nfsd: fix delegation_blocked() to block correctly for at least 30 seconds [+ + +]
Author: NeilBrown <neilb@suse.de>
Date:   Mon Sep 9 15:06:36 2024 +1000

    nfsd: fix delegation_blocked() to block correctly for at least 30 seconds
    
    [ Upstream commit 45bb63ed20e02ae146336412889fe5450316a84f ]
    
    The pair of bloom filtered used by delegation_blocked() was intended to
    block delegations on given filehandles for between 30 and 60 seconds.  A
    new filehandle would be recorded in the "new" bit set.  That would then
    be switch to the "old" bit set between 0 and 30 seconds later, and it
    would remain as the "old" bit set for 30 seconds.
    
    Unfortunately the code intended to clear the old bit set once it reached
    30 seconds old, preparing it to be the next new bit set, instead cleared
    the *new* bit set before switching it to be the old bit set.  This means
    that the "old" bit set is always empty and delegations are blocked
    between 0 and 30 seconds.
    
    This patch updates bd->new before clearing the set with that index,
    instead of afterwards.
    
    Reported-by: Olga Kornievskaia <okorniev@redhat.com>
    Cc: stable@vger.kernel.org
    Fixes: 6282cd565553 ("NFSD: Don't hand out delegations for 30 seconds after recalling them.")
    Signed-off-by: NeilBrown <neilb@suse.de>
    Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
    Reviewed-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

nfsd: use ktime_get_seconds() for timestamps [+ + +]
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Fri Oct 20 11:25:34 2017 +0200

    nfsd: use ktime_get_seconds() for timestamps
    
    [ Upstream commit b3f255ef6bffc18a28c3b6295357f2a3380c033f ]
    
    The delegation logic in nfsd uses the somewhat inefficient
    seconds_since_boot() function to record time intervals.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Stable-dep-of: 45bb63ed20e0 ("nfsd: fix delegation_blocked() to block correctly for at least 30 seconds")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nilfs2: determine empty node blocks as corrupted [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Wed Sep 4 17:13:08 2024 +0900

    nilfs2: determine empty node blocks as corrupted
    
    [ Upstream commit 111b812d3662f3a1b831d19208f83aa711583fe6 ]
    
    Due to the nature of b-trees, nilfs2 itself and admin tools such as
    mkfs.nilfs2 will never create an intermediate b-tree node block with 0
    child nodes, nor will they delete (key, pointer)-entries that would result
    in such a state.  However, it is possible that a b-tree node block is
    corrupted on the backing device and is read with 0 child nodes.
    
    Because operation is not guaranteed if the number of child nodes is 0 for
    intermediate node blocks other than the root node, modify
    nilfs_btree_node_broken(), which performs sanity checks when reading a
    b-tree node block, so that such cases will be judged as metadata
    corruption.
    
    Link: https://lkml.kernel.org/r/20240904081401.16682-3-konishi.ryusuke@gmail.com
    Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: Lizhi Xu <lizhi.xu@windriver.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

nilfs2: fix kernel bug due to missing clearing of buffer delay flag [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Wed Oct 16 06:32:07 2024 +0900

    nilfs2: fix kernel bug due to missing clearing of buffer delay flag
    
    commit 6ed469df0bfbef3e4b44fca954a781919db9f7ab upstream.
    
    Syzbot reported that after nilfs2 reads a corrupted file system image
    and degrades to read-only, the BUG_ON check for the buffer delay flag
    in submit_bh_wbc() may fail, causing a kernel bug.
    
    This is because the buffer delay flag is not cleared when clearing the
    buffer state flags to discard a page/folio or a buffer head. So, fix
    this.
    
    This became necessary when the use of nilfs2's own page clear routine
    was expanded.  This state inconsistency does not occur if the buffer
    is written normally by log writing.
    
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Link: https://lore.kernel.org/r/20241015213300.7114-1-konishi.ryusuke@gmail.com
    Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption")
    Reported-by: syzbot+985ada84bf055a575c07@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=985ada84bf055a575c07
    Cc: stable@vger.kernel.org
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nilfs2: fix kernel bug due to missing clearing of checked flag [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Fri Oct 18 04:33:10 2024 +0900

    nilfs2: fix kernel bug due to missing clearing of checked flag
    
    commit 41e192ad2779cae0102879612dfe46726e4396aa upstream.
    
    Syzbot reported that in directory operations after nilfs2 detects
    filesystem corruption and degrades to read-only,
    __block_write_begin_int(), which is called to prepare block writes, may
    fail the BUG_ON check for accesses exceeding the folio/page size,
    triggering a kernel bug.
    
    This was found to be because the "checked" flag of a page/folio was not
    cleared when it was discarded by nilfs2's own routine, which causes the
    sanity check of directory entries to be skipped when the directory
    page/folio is reloaded.  So, fix that.
    
    This was necessary when the use of nilfs2's own page discard routine was
    applied to more than just metadata files.
    
    Link: https://lkml.kernel.org/r/20241017193359.5051-1-konishi.ryusuke@gmail.com
    Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+d6ca2daf692c7a82f959@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=d6ca2daf692c7a82f959
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nilfs2: fix potential deadlock with newly created symlinks [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Sun Oct 20 13:51:28 2024 +0900

    nilfs2: fix potential deadlock with newly created symlinks
    
    commit b3a033e3ecd3471248d474ef263aadc0059e516a upstream.
    
    Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers
    memory reclamation involving the filesystem layer, which can result in
    circular lock dependencies among the reader/writer semaphore
    nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the
    fs_reclaim pseudo lock.
    
    This is because after commit 21fc61c73c39 ("don't put symlink bodies in
    pagecache into highmem"), the gfp flags of the page cache for symbolic
    links are overwritten to GFP_KERNEL via inode_nohighmem().
    
    This is not a problem for symlinks read from the backing device, because
    the __GFP_FS flag is dropped after inode_nohighmem() is called.  However,
    when a new symlink is created with nilfs_symlink(), the gfp flags remain
    overwritten to GFP_KERNEL.  Then, memory allocation called from
    page_symlink() etc.  triggers memory reclamation including the FS layer,
    which may call nilfs_evict_inode() or nilfs_dirty_inode().  And these can
    cause a deadlock if they are called while nilfs->ns_segctor_sem is held:
    
    Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags
    of newly created symlinks in the same way that nilfs_new_inode() and
    __nilfs_read_inode() do, as a workaround until we adopt nofs allocation
    scope consistently or improve the locking constraints.
    
    Link: https://lkml.kernel.org/r/20241020050003.4308-1-konishi.ryusuke@gmail.com
    Fixes: 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=9ef37ac20608f4836256
    Tested-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Wed Sep 4 17:13:07 2024 +0900

    nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()
    
    [ Upstream commit 9403001ad65ae4f4c5de368bdda3a0636b51d51a ]
    
    Patch series "nilfs2: fix potential issues with empty b-tree nodes".
    
    This series addresses three potential issues with empty b-tree nodes that
    can occur with corrupted filesystem images, including one recently
    discovered by syzbot.
    
    This patch (of 3):
    
    If a b-tree is broken on the device, and the b-tree height is greater than
    2 (the level of the root node is greater than 1) even if the number of
    child nodes of the b-tree root is 0, a NULL pointer dereference occurs in
    nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().
    
    This is because, when the number of child nodes of the b-tree root is 0,
    nilfs_btree_do_lookup() does not set the block buffer head in any of
    path[x].bp_bh, leaving it as the initial value of NULL, but if the level
    of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(),
    which accesses the buffer memory of path[x].bp_bh, is called.
    
    Fix this issue by adding a check to nilfs_btree_root_broken(), which
    performs sanity checks when reading the root node from the device, to
    detect this inconsistency.
    
    Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause
    early on.
    
    Link: https://lkml.kernel.org/r/20240904081401.16682-1-konishi.ryusuke@gmail.com
    Link: https://lkml.kernel.org/r/20240902084101.138971-1-lizhi.xu@windriver.com
    Link: https://lkml.kernel.org/r/20240904081401.16682-2-konishi.ryusuke@gmail.com
    Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+9bff4c7b992038a7409f@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=9bff4c7b992038a7409f
    Cc: Lizhi Xu <lizhi.xu@windriver.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

nilfs2: fix potential oob read in nilfs_btree_check_delete() [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Wed Sep 4 17:13:09 2024 +0900

    nilfs2: fix potential oob read in nilfs_btree_check_delete()
    
    [ Upstream commit f9c96351aa6718b42a9f42eaf7adce0356bdb5e8 ]
    
    The function nilfs_btree_check_delete(), which checks whether degeneration
    to direct mapping occurs before deleting a b-tree entry, causes memory
    access outside the block buffer when retrieving the maximum key if the
    root node has no entries.
    
    This does not usually happen because b-tree mappings with 0 child nodes
    are never created by mkfs.nilfs2 or nilfs2 itself.  However, it can happen
    if the b-tree root node read from a device is configured that way, so fix
    this potential issue by adding a check for that case.
    
    Link: https://lkml.kernel.org/r/20240904081401.16682-4-konishi.ryusuke@gmail.com
    Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: Lizhi Xu <lizhi.xu@windriver.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

nilfs2: propagate directory read errors from nilfs_find_entry() [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Fri Oct 4 12:35:31 2024 +0900

    nilfs2: propagate directory read errors from nilfs_find_entry()
    
    commit 08cfa12adf888db98879dbd735bc741360a34168 upstream.
    
    Syzbot reported that a task hang occurs in vcs_open() during a fuzzing
    test for nilfs2.
    
    The root cause of this problem is that in nilfs_find_entry(), which
    searches for directory entries, ignores errors when loading a directory
    page/folio via nilfs_get_folio() fails.
    
    If the filesystem images is corrupted, and the i_size of the directory
    inode is large, and the directory page/folio is successfully read but
    fails the sanity check, for example when it is zero-filled,
    nilfs_check_folio() may continue to spit out error messages in bursts.
    
    Fix this issue by propagating the error to the callers when loading a
    page/folio fails in nilfs_find_entry().
    
    The current interface of nilfs_find_entry() and its callers is outdated
    and cannot propagate error codes such as -EIO and -ENOMEM returned via
    nilfs_find_entry(), so fix it together.
    
    Link: https://lkml.kernel.org/r/20241004033640.6841-1-konishi.ryusuke@gmail.com
    Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: Lizhi Xu <lizhi.xu@windriver.com>
    Closes: https://lkml.kernel.org/r/20240927013806.3577931-1-lizhi.xu@windriver.com
    Reported-by: syzbot+8a192e8d090fa9a31135@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=8a192e8d090fa9a31135
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Thu Aug 31 20:39:27 2023 +0800

    ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()
    
    [ Upstream commit e229897d373a87ee09ec5cc4ecd4bb2f895fc16b ]
    
    The debugfs_create_dir() function returns error pointers.
    It never returns NULL. So use IS_ERR() to check it.
    
    Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Reviewed-by: Dave Jiang <dave.jiang@intel.com>
    Signed-off-by: Jon Mason <jdmason@kudzu.us>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ocfs2: add bounds checking to ocfs2_xattr_find_entry() [+ + +]
Author: Ferry Meng <mengferry@linux.alibaba.com>
Date:   Mon May 20 10:40:23 2024 +0800

    ocfs2: add bounds checking to ocfs2_xattr_find_entry()
    
    [ Upstream commit 9e3041fecdc8f78a5900c3aa51d3d756e73264d6 ]
    
    Add a paranoia check to make sure it doesn't stray beyond valid memory
    region containing ocfs2 xattr entries when scanning for a match.  It will
    prevent out-of-bound access in case of crafted images.
    
    Link: https://lkml.kernel.org/r/20240520024024.1976129-1-joseph.qi@linux.alibaba.com
    Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
    Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reported-by: lei lu <llfamsec@gmail.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Stable-dep-of: af77c4fc1871 ("ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ocfs2: cancel dqi_sync_work before freeing oinfo [+ + +]
Author: Joseph Qi <joseph.qi@linux.alibaba.com>
Date:   Wed Sep 4 15:10:03 2024 +0800

    ocfs2: cancel dqi_sync_work before freeing oinfo
    
    commit 35fccce29feb3706f649726d410122dd81b92c18 upstream.
    
    ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the
    end, if error occurs after successfully reading global quota, it will
    trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled:
    
    ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c
    
    This reports that there is an active delayed work when freeing oinfo in
    error handling, so cancel dqi_sync_work first.  BTW, return status instead
    of -1 when .read_file_info fails.
    
    Link: https://syzkaller.appspot.com/bug?extid=f7af59df5d6b25f0febd
    Link: https://lkml.kernel.org/r/20240904071004.2067695-1-joseph.qi@linux.alibaba.com
    Fixes: 171bf93ce11f ("ocfs2: Periodic quota syncing")
    Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reviewed-by: Heming Zhao <heming.zhao@suse.com>
    Reported-by: syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com
    Tested-by: syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ocfs2: fix null-ptr-deref when journal load failed. [+ + +]
Author: Julian Sun <sunjunchao2870@gmail.com>
Date:   Mon Sep 2 11:08:44 2024 +0800

    ocfs2: fix null-ptr-deref when journal load failed.
    
    commit 5784d9fcfd43bd853654bb80c87ef293b9e8e80a upstream.
    
    During the mounting process, if journal_reset() fails because of too short
    journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer.
    Subsequently, ocfs2_journal_shutdown() calls
    jbd2_journal_flush()->jbd2_cleanup_journal_tail()->
    __jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail()
    ->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer
    dereference error.
    
    To resolve this issue, we should check the JBD2_LOADED flag to ensure the
    journal was properly loaded.  Additionally, use journal instead of
    osb->journal directly to simplify the code.
    
    Link: https://syzkaller.appspot.com/bug?extid=05b9b39d8bdfe1a0861f
    Link: https://lkml.kernel.org/r/20240902030844.422725-1-sunjunchao2870@gmail.com
    Fixes: f6f50e28f0cb ("jbd2: Fail to load a journal if it is too short")
    Signed-off-by: Julian Sun <sunjunchao2870@gmail.com>
    Reported-by: syzbot+05b9b39d8bdfe1a0861f@syzkaller.appspotmail.com
    Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate [+ + +]
Author: Lizhi Xu <lizhi.xu@windriver.com>
Date:   Mon Sep 2 10:36:36 2024 +0800

    ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
    
    commit 33b525cef4cff49e216e4133cc48452e11c0391e upstream.
    
    When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger
    NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if
    bh is NULL.
    
    Link: https://lkml.kernel.org/r/20240902023636.1843422-3-joseph.qi@linux.alibaba.com
    Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside")
    Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
    Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reported-by: Heming Zhao <heming.zhao@suse.com>
    Suggested-by: Heming Zhao <heming.zhao@suse.com>
    Cc: <stable@vger.kernel.org>    [4.20+]
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ocfs2: fix the la space leak when unmounting an ocfs2 volume [+ + +]
Author: Heming Zhao <heming.zhao@suse.com>
Date:   Fri Jul 19 19:43:10 2024 +0800

    ocfs2: fix the la space leak when unmounting an ocfs2 volume
    
    commit dfe6c5692fb525e5e90cefe306ee0dffae13d35f upstream.
    
    This bug has existed since the initial OCFS2 code.  The code logic in
    ocfs2_sync_local_to_main() is wrong, as it ignores the last contiguous
    free bits, which causes an OCFS2 volume to lose the last free clusters of
    LA window on each umount command.
    
    Link: https://lkml.kernel.org/r/20240719114310.14245-1-heming.zhao@suse.com
    Signed-off-by: Heming Zhao <heming.zhao@suse.com>
    Reviewed-by: Su Yue <glass.su@suse.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: Heming Zhao <heming.zhao@suse.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ocfs2: fix uninit-value in ocfs2_get_block() [+ + +]
Author: Joseph Qi <joseph.qi@linux.alibaba.com>
Date:   Wed Sep 25 17:06:00 2024 +0800

    ocfs2: fix uninit-value in ocfs2_get_block()
    
    commit 2af148ef8549a12f8025286b8825c2833ee6bcb8 upstream.
    
    syzbot reported an uninit-value BUG:
    
    BUG: KMSAN: uninit-value in ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159
    ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159
    do_mpage_readpage+0xc45/0x2780 fs/mpage.c:225
    mpage_readahead+0x43f/0x840 fs/mpage.c:374
    ocfs2_readahead+0x269/0x320 fs/ocfs2/aops.c:381
    read_pages+0x193/0x1110 mm/readahead.c:160
    page_cache_ra_unbounded+0x901/0x9f0 mm/readahead.c:273
    do_page_cache_ra mm/readahead.c:303 [inline]
    force_page_cache_ra+0x3b1/0x4b0 mm/readahead.c:332
    force_page_cache_readahead mm/internal.h:347 [inline]
    generic_fadvise+0x6b0/0xa90 mm/fadvise.c:106
    vfs_fadvise mm/fadvise.c:185 [inline]
    ksys_fadvise64_64 mm/fadvise.c:199 [inline]
    __do_sys_fadvise64 mm/fadvise.c:214 [inline]
    __se_sys_fadvise64 mm/fadvise.c:212 [inline]
    __x64_sys_fadvise64+0x1fb/0x3a0 mm/fadvise.c:212
    x64_sys_call+0xe11/0x3ba0
    arch/x86/include/generated/asm/syscalls_64.h:222
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    This is because when ocfs2_extent_map_get_blocks() fails, p_blkno is
    uninitialized.  So the error log will trigger the above uninit-value
    access.
    
    The error log is out-of-date since get_blocks() was removed long time ago.
    And the error code will be logged in ocfs2_extent_map_get_blocks() once
    ocfs2_get_cluster() fails, so fix this by only logging inode and block.
    
    Link: https://syzkaller.appspot.com/bug?extid=9709e73bae885b05314b
    Link: https://lkml.kernel.org/r/20240925090600.3643376-1-joseph.qi@linux.alibaba.com
    Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
    Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reported-by: syzbot+9709e73bae885b05314b@syzkaller.appspotmail.com
    Tested-by: syzbot+9709e73bae885b05314b@syzkaller.appspotmail.com
    Cc: Heming Zhao <heming.zhao@suse.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow [+ + +]
Author: Edward Adam Davis <eadavis@qq.com>
Date:   Wed Oct 16 19:43:47 2024 +0800

    ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow
    
    [ Upstream commit bc0a2f3a73fcdac651fca64df39306d1e5ebe3b0 ]
    
    Syzbot reported a kernel BUG in ocfs2_truncate_inline.  There are two
    reasons for this: first, the parameter value passed is greater than
    ocfs2_max_inline_data_with_xattr, second, the start and end parameters of
    ocfs2_truncate_inline are "unsigned int".
    
    So, we need to add a sanity check for byte_start and byte_len right before
    ocfs2_truncate_inline() in ocfs2_remove_inode_range(), if they are greater
    than ocfs2_max_inline_data_with_xattr return -EINVAL.
    
    Link: https://lkml.kernel.org/r/tencent_D48DB5122ADDAEDDD11918CFB68D93258C07@qq.com
    Fixes: 1afc32b95233 ("ocfs2: Write support for inline data")
    Signed-off-by: Edward Adam Davis <eadavis@qq.com>
    Reported-by: syzbot+81092778aac03460d6b7@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ocfs2: remove unreasonable unlock in ocfs2_read_blocks [+ + +]
Author: Lizhi Xu <lizhi.xu@windriver.com>
Date:   Mon Sep 2 10:36:35 2024 +0800

    ocfs2: remove unreasonable unlock in ocfs2_read_blocks
    
    commit c03a82b4a0c935774afa01fd6d128b444fd930a1 upstream.
    
    Patch series "Misc fixes for ocfs2_read_blocks", v5.
    
    This series contains 2 fixes for ocfs2_read_blocks().  The first patch fix
    the issue reported by syzbot, which detects bad unlock balance in
    ocfs2_read_blocks().  The second patch fixes an issue reported by Heming
    Zhao when reviewing above fix.
    
    
    This patch (of 2):
    
    There was a lock release before exiting, so remove the unreasonable unlock.
    
    Link: https://lkml.kernel.org/r/20240902023636.1843422-1-joseph.qi@linux.alibaba.com
    Link: https://lkml.kernel.org/r/20240902023636.1843422-2-joseph.qi@linux.alibaba.com
    Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside")
    Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
    Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reviewed-by: Heming Zhao <heming.zhao@suse.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reported-by: syzbot+ab134185af9ef88dfed5@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=ab134185af9ef88dfed5
    Tested-by: syzbot+ab134185af9ef88dfed5@syzkaller.appspotmail.com
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: <stable@vger.kernel.org>    [4.20+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ocfs2: reserve space for inline xattr before attaching reflink tree [+ + +]
Author: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
Date:   Wed Sep 18 06:38:44 2024 +0000

    ocfs2: reserve space for inline xattr before attaching reflink tree
    
    commit 5ca60b86f57a4d9648f68418a725b3a7de2816b0 upstream.
    
    One of our customers reported a crash and a corrupted ocfs2 filesystem.
    The crash was due to the detection of corruption.  Upon troubleshooting,
    the fsck -fn output showed the below corruption
    
    [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,
    but fsck believes the largest valid value is 227.  Clamp the next record value? n
    
    The stat output from the debugfs.ocfs2 showed the following corruption
    where the "Next Free Rec:" had overshot the "Count:" in the root metadata
    block.
    
            Inode: 33080590   Mode: 0640   Generation: 2619713622 (0x9c25a856)
            FS Generation: 904309833 (0x35e6ac49)
            CRC32: 00000000   ECC: 0000
            Type: Regular   Attr: 0x0   Flags: Valid
            Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
            Extended Attributes Block: 0  Extended Attributes Inline Size: 256
            User: 0 (root)   Group: 0 (root)   Size: 281320357888
            Links: 1   Clusters: 141738
            ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024
            atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024
            mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024
            dtime: 0x0 -- Wed Dec 31 17:00:00 1969
            Refcount Block: 2777346
            Last Extblk: 2886943   Orphan Slot: 0
            Sub Alloc Slot: 0   Sub Alloc Bit: 14
            Tree Depth: 1   Count: 227   Next Free Rec: 230
            ## Offset        Clusters       Block#
            0  0             2310           2776351
            1  2310          2139           2777375
            2  4449          1221           2778399
            3  5670          731            2779423
            4  6401          566            2780447
            .......          ....           .......
            .......          ....           .......
    
    The issue was in the reflink workfow while reserving space for inline
    xattr.  The problematic function is ocfs2_reflink_xattr_inline().  By the
    time this function is called the reflink tree is already recreated at the
    destination inode from the source inode.  At this point, this function
    reserves space for inline xattrs at the destination inode without even
    checking if there is space at the root metadata block.  It simply reduces
    the l_count from 243 to 227 thereby making space of 256 bytes for inline
    xattr whereas the inode already has extents beyond this index (in this
    case up to 230), thereby causing corruption.
    
    The fix for this is to reserve space for inline metadata at the destination
    inode before the reflink tree gets recreated. The customer has verified the
    fix.
    
    Link: https://lkml.kernel.org/r/20240918063844.1830332-1-gautham.ananthakrishna@oracle.com
    Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink")
    Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() [+ + +]
Author: Ferry Meng <mengferry@linux.alibaba.com>
Date:   Mon May 20 10:40:24 2024 +0800

    ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
    
    [ Upstream commit af77c4fc1871847b528d58b7fdafb4aa1f6a9262 ]
    
    xattr in ocfs2 maybe 'non-indexed', which saved with additional space
    requested.  It's better to check if the memory is out of bound before
    memcmp, although this possibility mainly comes from crafted poisonous
    images.
    
    Link: https://lkml.kernel.org/r/20240520024024.1976129-2-joseph.qi@linux.alibaba.com
    Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
    Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reported-by: lei lu <llfamsec@gmail.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
of/irq: Refer to actual buffer size in of_irq_parse_one() [+ + +]
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Tue Aug 20 14:16:53 2024 +0200

    of/irq: Refer to actual buffer size in of_irq_parse_one()
    
    [ Upstream commit 39ab331ab5d377a18fbf5a0e0b228205edfcc7f4 ]
    
    Replace two open-coded calculations of the buffer size by invocations of
    sizeof() on the buffer itself, to make sure the code will always use the
    actual buffer size.
    
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Link: https://lore.kernel.org/r/817c0b9626fd30790fc488c472a3398324cfcc0c.1724156125.git.geert+renesas@glider.be
    Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

of/irq: Support #msi-cells=<0> in of_msi_get_domain [+ + +]
Author: Andrew Jones <ajones@ventanamicro.com>
Date:   Sat Aug 17 09:41:08 2024 +0200

    of/irq: Support #msi-cells=<0> in of_msi_get_domain
    
    commit db8e81132cf051843c9a59b46fa5a071c45baeb3 upstream.
    
    An 'msi-parent' property with a single entry and no accompanying
    '#msi-cells' property is considered the legacy definition as opposed
    to its definition after being expanded with commit 126b16e2ad98
    ("Docs: dt: add generic MSI bindings"). However, the legacy
    definition is completely compatible with the current definition and,
    since of_phandle_iterator_next() tolerates missing and present-but-
    zero *cells properties since commit e42ee61017f5 ("of: Let
    of_for_each_phandle fallback to non-negative cell_count"), there's no
    need anymore to special case the legacy definition in
    of_msi_get_domain().
    
    Indeed, special casing has turned out to be harmful, because, as of
    commit 7c025238b47a ("dt-bindings: irqchip: Describe the IMX MU block
    as a MSI controller"), MSI controller DT bindings have started
    specifying '#msi-cells' as a required property (even when the value
    must be zero) as an effort to make the bindings more explicit. But,
    since the special casing of 'msi-parent' only uses the existence of
    '#msi-cells' for its heuristic, and not whether or not it's also
    nonzero, the legacy path is not taken. Furthermore, the path to
    support the new, broader definition isn't taken either since that
    path has been restricted to the platform-msi bus.
    
    But, neither the definition of 'msi-parent' nor the definition of
    '#msi-cells' is platform-msi-specific (the platform-msi bus was just
    the first bus that needed '#msi-cells'), so remove both the special
    casing and the restriction. The code removal also requires changing
    to of_parse_phandle_with_optional_args() in order to ensure the
    legacy (but compatible) use of 'msi-parent' remains supported. This
    not only simplifies the code but also resolves an issue with PCI
    devices finding their MSI controllers on riscv, as the riscv,imsics
    binding requires '#msi-cells=<0>'.
    
    Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
    Link: https://lore.kernel.org/r/20240817074107.31153-2-ajones@ventanamicro.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
parisc: Fix 64-bit userspace syscall path [+ + +]
Author: Helge Deller <deller@kernel.org>
Date:   Sun Sep 8 00:40:38 2024 +0200

    parisc: Fix 64-bit userspace syscall path
    
    commit d24449864da5838936669618356b0e30ca2999c3 upstream.
    
    Currently the glibc isn't yet ported to 64-bit for hppa, so
    there is no usable userspace available yet.
    But it's possible to manually build a static 64-bit binary
    and run that for testing. One such 64-bit test program is
    available at http://ftp.parisc-linux.org/src/64bit.tar.gz
    and it shows various issues with the existing 64-bit syscall
    path in the kernel.
    This patch fixes those issues.
    
    Signed-off-by: Helge Deller <deller@gmx.de>
    Cc: stable@vger.kernel.org      # v4.19+
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parisc: Fix itlb miss handler for 64-bit programs [+ + +]
Author: Helge Deller <deller@gmx.de>
Date:   Tue Sep 10 18:32:24 2024 +0200

    parisc: Fix itlb miss handler for 64-bit programs
    
    commit 9542130937e9dc707dd7c6b7af73326437da2d50 upstream.
    
    For an itlb miss when executing code above 4 Gb on ILP64 adjust the
    iasq/iaoq in the same way isr/ior was adjusted.  This fixes signal
    delivery for the 64-bit static test program from
    http://ftp.parisc-linux.org/src/64bit.tar.gz.  Note that signals are
    handled by the signal trampoline code in the 64-bit VDSO which is mapped
    into high userspace memory region above 4GB for 64-bit processes.
    
    Signed-off-by: Helge Deller <deller@gmx.de>
    Cc: stable@vger.kernel.org      # v4.19+
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
parport: Proper fix for array out-of-bounds access [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Fri Sep 20 12:32:19 2024 +0200

    parport: Proper fix for array out-of-bounds access
    
    commit 02ac3a9ef3a18b58d8f3ea2b6e46de657bf6c4f9 upstream.
    
    The recent fix for array out-of-bounds accesses replaced sprintf()
    calls blindly with snprintf().  However, since snprintf() returns the
    would-be-printed size, not the actually output size, the length
    calculation can still go over the given limit.
    
    Use scnprintf() instead of snprintf(), which returns the actually
    output letters, for addressing the potential out-of-bounds access
    properly.
    
    Fixes: ab11dac93d2d ("dev/parport: fix the array out-of-bounds risk")
    Cc: stable@vger.kernel.org
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Link: https://lore.kernel.org/r/20240920103318.19271-1-tiwai@suse.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
PCI: Add function 0 DMA alias quirk for Glenfly Arise chip [+ + +]
Author: WangYuli <wangyuli@uniontech.com>
Date:   Fri Aug 23 17:57:08 2024 +0800

    PCI: Add function 0 DMA alias quirk for Glenfly Arise chip
    
    commit 9246b487ab3c3b5993aae7552b7a4c541cc14a49 upstream.
    
    Add DMA support for audio function of Glenfly Arise chip, which uses
    Requester ID of function 0.
    
    Link: https://lore.kernel.org/r/CA2BBD087345B6D1+20240823095708.3237375-1-wangyuli@uniontech.com
    Signed-off-by: SiyuLi <siyuli@glenfly.com>
    Signed-off-by: WangYuli <wangyuli@uniontech.com>
    [bhelgaas: lower-case hex to match local code, drop unused Device IDs]
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

PCI: Mark Creative Labs EMU20k2 INTx masking as broken [+ + +]
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Thu Sep 12 15:53:27 2024 -0600

    PCI: Mark Creative Labs EMU20k2 INTx masking as broken
    
    [ Upstream commit 2910306655a7072640021563ec9501bfa67f0cb1 ]
    
    Per user reports, the Creative Labs EMU20k2 (Sound Blaster X-Fi
    Titanium Series) generates spurious interrupts when used with
    vfio-pci unless DisINTx masking support is disabled.
    
    Thus, quirk the device to mark INTx masking as broken.
    
    Closes: https://lore.kernel.org/all/VI1PR10MB8207C507DB5420AB4C7281E0DB9A2@VI1PR10MB8207.EURPRD10.PROD.OUTLOOK.COM
    Link: https://lore.kernel.org/linux-pci/20240912215331.839220-1-alex.williamson@redhat.com
    Reported-by: zdravko delineshev <delineshev@outlook.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
    [kwilczynski: commit log]
    Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler [+ + +]
Author: Sean Anderson <sean.anderson@linux.dev>
Date:   Fri May 31 12:13:32 2024 -0400

    PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler
    
    [ Upstream commit 0199d2f2bd8cd97b310f7ed82a067247d7456029 ]
    
    MSGF_LEG_MASK is laid out with INTA in bit 0, INTB in bit 1, INTC in bit 2,
    and INTD in bit 3. Hardware IRQ numbers start at 0, and we register
    PCI_NUM_INTX IRQs. So to enable INTA (aka hwirq 0) we should set bit 0.
    Remove the subtraction of one.
    
    This bug would cause INTx interrupts not to be delivered, as enabling INTB
    would actually enable INTA, and enabling INTA wouldn't enable anything at
    all. It is likely that this got overlooked for so long since most PCIe
    hardware uses MSIs. This fixes the following UBSAN error:
    
      UBSAN: shift-out-of-bounds in ../drivers/pci/controller/pcie-xilinx-nwl.c:389:11
      shift exponent 18446744073709551615 is too large for 32-bit type 'int'
      CPU: 1 PID: 61 Comm: kworker/u10:1 Not tainted 6.6.20+ #268
      Hardware name: xlnx,zynqmp (DT)
      Workqueue: events_unbound deferred_probe_work_func
      Call trace:
      dump_backtrace (arch/arm64/kernel/stacktrace.c:235)
      show_stack (arch/arm64/kernel/stacktrace.c:242)
      dump_stack_lvl (lib/dump_stack.c:107)
      dump_stack (lib/dump_stack.c:114)
      __ubsan_handle_shift_out_of_bounds (lib/ubsan.c:218 lib/ubsan.c:387)
      nwl_unmask_leg_irq (drivers/pci/controller/pcie-xilinx-nwl.c:389 (discriminator 1))
      irq_enable (kernel/irq/internals.h:234 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345)
      __irq_startup (kernel/irq/internals.h:239 kernel/irq/chip.c:180 kernel/irq/chip.c:250)
      irq_startup (kernel/irq/chip.c:270)
      __setup_irq (kernel/irq/manage.c:1800)
      request_threaded_irq (kernel/irq/manage.c:2206)
      pcie_pme_probe (include/linux/interrupt.h:168 drivers/pci/pcie/pme.c:348)
    
    Fixes: 9a181e1093af ("PCI: xilinx-nwl: Modify IRQ chip for legacy interrupts")
    Link: https://lore.kernel.org/r/20240531161337.864994-3-sean.anderson@linux.dev
    Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

PCI: xilinx-nwl: Fix register misspelling [+ + +]
Author: Sean Anderson <sean.anderson@linux.dev>
Date:   Fri May 31 12:13:33 2024 -0400

    PCI: xilinx-nwl: Fix register misspelling
    
    [ Upstream commit a437027ae1730b8dc379c75fa0dd7d3036917400 ]
    
    MSIC -> MISC
    
    Fixes: c2a7ff18edcd ("PCI: xilinx-nwl: Expand error logging")
    Link: https://lore.kernel.org/r/20240531161337.864994-4-sean.anderson@linux.dev
    Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

PCI: xilinx-nwl: Use irq_data_get_irq_chip_data() [+ + +]
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Thu Dec 10 20:25:54 2020 +0100

    PCI: xilinx-nwl: Use irq_data_get_irq_chip_data()
    
    [ Upstream commit e56427068a8d796bb7b8e297f2b6e947380e383f ]
    
    Going through a full irq descriptor lookup instead of just using the proper
    helper function which provides direct access is suboptimal.
    
    In fact it _is_ wrong because the chip callback needs to get the chip data
    which is relevant for the chip while using the irq descriptor variant
    returns the irq chip data of the top level chip of a hierarchy. It does not
    matter in this case because the chip is the top level chip, but that
    doesn't make it more correct.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Rob Herring <robh@kernel.org>
    Cc: Bjorn Helgaas <bhelgaas@google.com>
    Link: https://lore.kernel.org/r/20201210194044.364211860@linutronix.de
    Stable-dep-of: 0199d2f2bd8c ("PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
perf sched timehist: Fix missing free of session in perf_sched__timehist() [+ + +]
Author: Yang Jihong <yangjihong@bytedance.com>
Date:   Tue Aug 6 10:35:33 2024 +0800

    perf sched timehist: Fix missing free of session in perf_sched__timehist()
    
    [ Upstream commit 6bdf5168b6fb19541b0c1862bdaa596d116c7bfb ]
    
    When perf_time__parse_str() fails in perf_sched__timehist(),
    need to free session that was previously created, fix it.
    
    Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest")
    Signed-off-by: Yang Jihong <yangjihong@bytedance.com>
    Acked-by: Namhyung Kim <namhyung@kernel.org>
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: David Ahern <dsa@cumulusnetworks.com>
    Cc: Ian Rogers <irogers@google.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Kan Liang <kan.liang@linux.intel.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Link: https://lore.kernel.org/r/20240806023533.1316348-1-yangjihong@bytedance.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time [+ + +]
Author: Yang Jihong <yangjihong@bytedance.com>
Date:   Mon Aug 19 10:47:20 2024 +0800

    perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time
    
    [ Upstream commit 39c243411bdb8fb35777adf49ee32549633c4e12 ]
    
    If sched_in event for current task is not recorded, sched_in timestamp
    will be set to end_time of time window interest, causing an error in
    timestamp show. In this case, we choose to ignore this event.
    
    Test scenario:
    
      perf[1229608] does not record the first sched_in event, run time and sch delay are both 0
    
      # perf sched timehist
      Samples of sched_switch event do not have callchains.
                 time    cpu  task name                       wait time  sch delay   run time
                              [tid/pid]                          (msec)     (msec)     (msec)
      --------------- ------  ------------------------------  ---------  ---------  ---------
       2090450.763231 [0000]  perf[1229608]                       0.000      0.000      0.000
       2090450.763235 [0000]  migration/0[15]                     0.000      0.001      0.003
       2090450.763263 [0001]  perf[1229608]                       0.000      0.000      0.000
       2090450.763268 [0001]  migration/1[21]                     0.000      0.001      0.004
       2090450.763302 [0002]  perf[1229608]                       0.000      0.000      0.000
       2090450.763309 [0002]  migration/2[27]                     0.000      0.001      0.007
       2090450.763338 [0003]  perf[1229608]                       0.000      0.000      0.000
       2090450.763343 [0003]  migration/3[33]                     0.000      0.001      0.004
    
    Before:
    
      arbitrarily specify a time window of interest, timestamp will be set to an incorrect value
    
      # perf sched timehist --time 100,200
      Samples of sched_switch event do not have callchains.
                 time    cpu  task name                       wait time  sch delay   run time
                              [tid/pid]                          (msec)     (msec)     (msec)
      --------------- ------  ------------------------------  ---------  ---------  ---------
           200.000000 [0000]  perf[1229608]                       0.000      0.000      0.000
           200.000000 [0001]  perf[1229608]                       0.000      0.000      0.000
           200.000000 [0002]  perf[1229608]                       0.000      0.000      0.000
           200.000000 [0003]  perf[1229608]                       0.000      0.000      0.000
           200.000000 [0004]  perf[1229608]                       0.000      0.000      0.000
           200.000000 [0005]  perf[1229608]                       0.000      0.000      0.000
           200.000000 [0006]  perf[1229608]                       0.000      0.000      0.000
           200.000000 [0007]  perf[1229608]                       0.000      0.000      0.000
    
     After:
    
      # perf sched timehist --time 100,200
      Samples of sched_switch event do not have callchains.
                 time    cpu  task name                       wait time  sch delay   run time
                              [tid/pid]                          (msec)     (msec)     (msec)
      --------------- ------  ------------------------------  ---------  ---------  ---------
    
    Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest")
    Signed-off-by: Yang Jihong <yangjihong@bytedance.com>
    Acked-by: Namhyung Kim <namhyung@kernel.org>
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: David Ahern <dsa@cumulusnetworks.com>
    Cc: Ian Rogers <irogers@google.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: James Clark <james.clark@arm.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Kan Liang <kan.liang@linux.intel.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Link: https://lore.kernel.org/r/20240819024720.2405244-1-yangjihong@bytedance.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
perf time-utils: Fix 32-bit nsec parsing [+ + +]
Author: Ian Rogers <irogers@google.com>
Date:   Sat Aug 31 00:04:11 2024 -0700

    perf time-utils: Fix 32-bit nsec parsing
    
    [ Upstream commit 38e2648a81204c9fc5b4c87a8ffce93a6ed91b65 ]
    
    The "time utils" test fails in 32-bit builds:
      ...
      parse_nsec_time("18446744073.709551615")
      Failed. ptime 4294967295709551615 expected 18446744073709551615
      ...
    
    Switch strtoul to strtoull as an unsigned long in 32-bit build isn't
    64-bits.
    
    Fixes: c284d669a20d408b ("perf tools: Move parse_nsec_time to time-utils.c")
    Signed-off-by: Ian Rogers <irogers@google.com>
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
    Cc: Chaitanya S Prakash <chaitanyas.prakash@arm.com>
    Cc: Colin Ian King <colin.i.king@gmail.com>
    Cc: David Ahern <dsa@cumulusnetworks.com>
    Cc: Dominique Martinet <asmadeus@codewreck.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: James Clark <james.clark@linaro.org>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: John Garry <john.g.garry@oracle.com>
    Cc: Junhao He <hejunhao3@huawei.com>
    Cc: Kan Liang <kan.liang@linux.intel.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Yang Jihong <yangjihong@bytedance.com>
    Link: https://lore.kernel.org/r/20240831070415.506194-3-irogers@google.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
perf/core: Fix small negative period being ignored [+ + +]
Author: Luo Gengkun <luogengkun@huaweicloud.com>
Date:   Sat Aug 31 07:43:15 2024 +0000

    perf/core: Fix small negative period being ignored
    
    commit 62c0b1061593d7012292f781f11145b2d46f43ab upstream.
    
    In perf_adjust_period, we will first calculate period, and then use
    this period to calculate delta. However, when delta is less than 0,
    there will be a deviation compared to when delta is greater than or
    equal to 0. For example, when delta is in the range of [-14,-1], the
    range of delta = delta + 7 is between [-7,6], so the final value of
    delta/8 is 0. Therefore, the impact of -1 and -2 will be ignored.
    This is unacceptable when the target period is very short, because
    we will lose a lot of samples.
    
    Here are some tests and analyzes:
    before:
      # perf record -e cs -F 1000  ./a.out
      [ perf record: Woken up 1 times to write data ]
      [ perf record: Captured and wrote 0.022 MB perf.data (518 samples) ]
    
      # perf script
      ...
      a.out     396   257.956048:         23 cs:  ffffffff81f4eeec schedul>
      a.out     396   257.957891:         23 cs:  ffffffff81f4eeec schedul>
      a.out     396   257.959730:         23 cs:  ffffffff81f4eeec schedul>
      a.out     396   257.961545:         23 cs:  ffffffff81f4eeec schedul>
      a.out     396   257.963355:         23 cs:  ffffffff81f4eeec schedul>
      a.out     396   257.965163:         23 cs:  ffffffff81f4eeec schedul>
      a.out     396   257.966973:         23 cs:  ffffffff81f4eeec schedul>
      a.out     396   257.968785:         23 cs:  ffffffff81f4eeec schedul>
      a.out     396   257.970593:         23 cs:  ffffffff81f4eeec schedul>
      ...
    
    after:
      # perf record -e cs -F 1000  ./a.out
      [ perf record: Woken up 1 times to write data ]
      [ perf record: Captured and wrote 0.058 MB perf.data (1466 samples) ]
    
      # perf script
      ...
      a.out     395    59.338813:         11 cs:  ffffffff81f4eeec schedul>
      a.out     395    59.339707:         12 cs:  ffffffff81f4eeec schedul>
      a.out     395    59.340682:         13 cs:  ffffffff81f4eeec schedul>
      a.out     395    59.341751:         13 cs:  ffffffff81f4eeec schedul>
      a.out     395    59.342799:         12 cs:  ffffffff81f4eeec schedul>
      a.out     395    59.343765:         11 cs:  ffffffff81f4eeec schedul>
      a.out     395    59.344651:         11 cs:  ffffffff81f4eeec schedul>
      a.out     395    59.345539:         12 cs:  ffffffff81f4eeec schedul>
      a.out     395    59.346502:         13 cs:  ffffffff81f4eeec schedul>
      ...
    
    test.c
    
    int main() {
            for (int i = 0; i < 20000; i++)
                    usleep(10);
    
            return 0;
    }
    
      # time ./a.out
      real    0m1.583s
      user    0m0.040s
      sys     0m0.298s
    
    The above results were tested on x86-64 qemu with KVM enabled using
    test.c as test program. Ideally, we should have around 1500 samples,
    but the previous algorithm had only about 500, whereas the modified
    algorithm now has about 1400. Further more, the new version shows 1
    sample per 0.001s, while the previous one is 1 sample per 0.002s.This
    indicates that the new algorithm is more sensitive to small negative
    values compared to old algorithm.
    
    Fixes: bd2b5b12849a ("perf_counter: More aggressive frequency adjustment")
    Signed-off-by: Luo Gengkun <luogengkun@huaweicloud.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
    Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20240831074316.2106159-2-luogengkun@huaweicloud.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
pinctrl: at91: make it work with current gpiolib [+ + +]
Author: Thomas Blocher <thomas.blocher@ek-dev.de>
Date:   Wed Jul 31 01:16:26 2024 +0200

    pinctrl: at91: make it work with current gpiolib
    
    [ Upstream commit 752f387faaae0ae2e84d3f496922524785e77d60 ]
    
    pinctrl-at91 currently does not support the gpio-groups devicetree
    property and has no pin-range.
    Because of this at91 gpios stopped working since patch
    commit 2ab73c6d8323fa1e ("gpio: Support GPIO controllers without pin-ranges")
    This was discussed in the patches
    commit fc328a7d1fcce263 ("gpio: Revert regression in sysfs-gpio (gpiolib.c)")
    commit 56e337f2cf132632 ("Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)"")
    
    As a workaround manually set pin-range via gpiochip_add_pin_range() until
    a) pinctrl-at91 is reworked to support devicetree gpio-groups
    b) another solution as mentioned in
    commit 56e337f2cf132632 ("Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)"")
    is found
    
    Signed-off-by: Thomas Blocher <thomas.blocher@ek-dev.de>
    Link: https://lore.kernel.org/5b992862-355d-f0de-cd3d-ff99e67a4ff1@ek-dev.de
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function [+ + +]
Author: Wang Jianzheng <wangjianzheng@vivo.com>
Date:   Thu Aug 29 14:48:23 2024 +0800

    pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function
    
    [ Upstream commit c25478419f6fd3f74c324a21ec007cf14f2688d7 ]
    
    When an error occurs during the execution of the function
    __devinit_dove_pinctrl_probe, the clk is not properly disabled.
    
    Fix this by calling clk_disable_unprepare before return.
    
    Fixes: ba607b6238a1 ("pinctrl: mvebu: make pdma clock on dove mandatory")
    Signed-off-by: Wang Jianzheng <wangjianzheng@vivo.com>
    Link: https://lore.kernel.org/20240829064823.19808-1-wangjianzheng@vivo.com
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

pinctrl: single: fix missing error code in pcs_probe() [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Mon Aug 19 10:46:25 2024 +0800

    pinctrl: single: fix missing error code in pcs_probe()
    
    [ Upstream commit cacd8cf79d7823b07619865e994a7916fcc8ae91 ]
    
    If pinctrl_enable() fails in pcs_probe(), it should return the error code.
    
    Fixes: 8f773bfbdd42 ("pinctrl: single: fix possible memory leak when pinctrl_enable() fails")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Link: https://lore.kernel.org/20240819024625.154441-1-yangyingliang@huaweicloud.com
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
posix-clock: Fix missing timespec64 check in pc_clock_settime() [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Wed Oct 9 15:23:01 2024 +0800

    posix-clock: Fix missing timespec64 check in pc_clock_settime()
    
    commit d8794ac20a299b647ba9958f6d657051fc51a540 upstream.
    
    As Andrew pointed out, it will make sense that the PTP core
    checked timespec64 struct's tv_sec and tv_nsec range before calling
    ptp->info->settime64().
    
    As the man manual of clock_settime() said, if tp.tv_sec is negative or
    tp.tv_nsec is outside the range [0..999,999,999], it should return EINVAL,
    which include dynamic clocks which handles PTP clock, and the condition is
    consistent with timespec64_valid(). As Thomas suggested, timespec64_valid()
    only check the timespec is valid, but not ensure that the time is
    in a valid range, so check it ahead using timespec64_valid_strict()
    in pc_clock_settime() and return -EINVAL if not valid.
    
    There are some drivers that use tp->tv_sec and tp->tv_nsec directly to
    write registers without validity checks and assume that the higher layer
    has checked it, which is dangerous and will benefit from this, such as
    hclge_ptp_settime(), igb_ptp_settime_i210(), _rcar_gen4_ptp_settime(),
    and some drivers can remove the checks of itself.
    
    Cc: stable@vger.kernel.org
    Fixes: 0606f422b453 ("posix clocks: Introduce dynamic clocks")
    Acked-by: Richard Cochran <richardcochran@gmail.com>
    Suggested-by: Andrew Lunn <andrew@lunn.ch>
    Suggested-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Link: https://patch.msgid.link/20241009072302.1754567-2-ruanjinjie@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Fri Oct 18 18:07:48 2024 +0800

    posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()
    
    [ Upstream commit 6e62807c7fbb3c758d233018caf94dfea9c65dbd ]
    
    If get_clock_desc() succeeds, it calls fget() for the clockid's fd,
    and get the clk->rwsem read lock, so the error path should release
    the lock to make the lock balance and fput the clockid's fd to make
    the refcount balance and release the fd related resource.
    
    However the below commit left the error path locked behind resulting in
    unbalanced locking. Check timespec64_valid_strict() before
    get_clock_desc() to fix it, because the "ts" is not changed
    after that.
    
    Fixes: d8794ac20a29 ("posix-clock: Fix missing timespec64 check in pc_clock_settime()")
    Acked-by: Richard Cochran <richardcochran@gmail.com>
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Acked-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
    [pabeni@redhat.com: fixed commit message typo]
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
power: reset: brcmstb: Do not go into infinite loop if reset fails [+ + +]
Author: Andrew Davis <afd@ti.com>
Date:   Mon Jun 10 09:28:36 2024 -0500

    power: reset: brcmstb: Do not go into infinite loop if reset fails
    
    [ Upstream commit cf8c39b00e982fa506b16f9d76657838c09150cb ]
    
    There may be other backup reset methods available, do not halt
    here so that other reset methods can be tried.
    
    Signed-off-by: Andrew Davis <afd@ti.com>
    Reviewed-by: Dhruva Gole <d-gole@ti.com>
    Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Link: https://lore.kernel.org/r/20240610142836.168603-5-afd@ti.com
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense [+ + +]
Author: Artur Weber <aweber.kernel@gmail.com>
Date:   Sat Aug 17 12:51:14 2024 +0200

    power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense
    
    [ Upstream commit 3a3acf839b2cedf092bdd1ff65b0e9895df1656b ]
    
    Commit 223a3b82834f ("power: supply: max17042_battery: use VFSOC for
    capacity when no rsns") made it so that capacity on systems without
    current sensing would be read from VFSOC instead of RepSOC. However,
    the SOC threshold calculation still read RepSOC to get the SOC
    regardless of the current sensing option state.
    
    Fix this by applying the same conditional to determine which register
    should be read.
    
    This also seems to be the intended behavior as per the datasheet - SOC
    alert config value in MiscCFG on setups without current sensing is set
    to a value of 0b11, indicating SOC alerts being generated based on
    VFSOC, instead of 0b00 which indicates SOC alerts being generated based
    on RepSOC.
    
    This fixes an issue on the Galaxy S3/Midas boards, where the alert
    interrupt would be constantly retriggered, causing high CPU usage
    on idle (around ~12%-15%).
    
    Fixes: e5f3872d2044 ("max17042: Add support for signalling change in SOC")
    Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
    Reviewed-by: Henrik Grimler <henrik@grimler.se>
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/r/20240817-max17042-soc-threshold-fix-v1-1-72b45899c3cc@gmail.com
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ppp: fix ppp_async_encode() illegal access [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Oct 9 18:58:02 2024 +0000

    ppp: fix ppp_async_encode() illegal access
    
    [ Upstream commit 40dddd4b8bd08a69471efd96107a4e1c73fabefc ]
    
    syzbot reported an issue in ppp_async_encode() [1]
    
    In this case, pppoe_sendmsg() is called with a zero size.
    Then ppp_async_encode() is called with an empty skb.
    
    BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
     BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
      ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
      ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
      ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634
      ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
      ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
      pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
      sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
      __release_sock+0x1da/0x330 net/core/sock.c:3072
      release_sock+0x6b/0x250 net/core/sock.c:3626
      pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
      sock_sendmsg_nosec net/socket.c:729 [inline]
      __sock_sendmsg+0x30f/0x380 net/socket.c:744
      ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
      ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
      __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
      __do_sys_sendmmsg net/socket.c:2771 [inline]
      __se_sys_sendmmsg net/socket.c:2768 [inline]
      __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
      x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Uninit was created at:
      slab_post_alloc_hook mm/slub.c:4092 [inline]
      slab_alloc_node mm/slub.c:4135 [inline]
      kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
      kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
      __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
      alloc_skb include/linux/skbuff.h:1322 [inline]
      sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
      pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
      sock_sendmsg_nosec net/socket.c:729 [inline]
      __sock_sendmsg+0x30f/0x380 net/socket.c:744
      ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
      ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
      __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
      __do_sys_sendmmsg net/socket.c:2771 [inline]
      __se_sys_sendmmsg net/socket.c:2768 [inline]
      __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
      x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+1d121645899e7692f92a@syzkaller.appspotmail.com
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241009185802.3763282-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
pps: add an error check in parport_attach [+ + +]
Author: Ma Ke <make24@iscas.ac.cn>
Date:   Wed Aug 28 21:18:14 2024 +0800

    pps: add an error check in parport_attach
    
    [ Upstream commit 62c5a01a5711c8e4be8ae7b6f0db663094615d48 ]
    
    In parport_attach, the return value of ida_alloc is unchecked, witch leads
    to the use of an invalid index value.
    
    To address this issue, index should be checked. When the index value is
    abnormal, the device should be freed.
    
    Found by code review, compile tested only.
    
    Cc: stable@vger.kernel.org
    Fixes: fb56d97df70e ("pps: client: use new parport device model")
    Signed-off-by: Ma Ke <make24@iscas.ac.cn>
    Acked-by: Rodolfo Giometti <giometti@enneenne.com>
    Link: https://lore.kernel.org/r/20240828131814.3034338-1-make24@iscas.ac.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

pps: remove usage of the deprecated ida_simple_xx() API [+ + +]
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sun Apr 14 12:10:17 2024 +0200

    pps: remove usage of the deprecated ida_simple_xx() API
    
    [ Upstream commit 55dbc5b5174d0e7d1fa397d05aa4cb145e8b887e ]
    
    ida_alloc() and ida_free() should be preferred to the deprecated
    ida_simple_get() and ida_simple_remove().
    
    This is less verbose.
    
    Link: https://lkml.kernel.org/r/9f681747d446b874952a892491387d79ffe565a9.1713089394.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Cc: Rodolfo Giometti <giometti@enneenne.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Stable-dep-of: 62c5a01a5711 ("pps: add an error check in parport_attach")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
r8152: Factor out OOB link list waits [+ + +]
Author: Prashant Malani <pmalani@chromium.org>
Date:   Tue Oct 1 01:35:57 2019 -0700

    r8152: Factor out OOB link list waits
    
    [ Upstream commit 5f71c84038d39def573744a145c573758f52a949 ]
    
    The same for-loop check for the LINK_LIST_READY bit of an OOB_CTRL
    register is used in several places. Factor these out into a single
    function to reduce the lines of code.
    
    Change-Id: I20e8f327045a72acc0a83e2d145ae2993ab62915
    Signed-off-by: Prashant Malani <pmalani@chromium.org>
    Reviewed-by: Grant Grundler <grundler@chromium.org>
    Acked-by: Hayes Wang <hayeswang@realtek.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Stable-dep-of: 45c0de18ff2d ("net: ethernet: lantiq_etop: fix memory disclosure")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
RDMA/bnxt_re: Fix incorrect AVID type in WQE structure [+ + +]
Author: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
Date:   Wed Sep 18 20:05:57 2024 -0700

    RDMA/bnxt_re: Fix incorrect AVID type in WQE structure
    
    [ Upstream commit 9ab20f76ae9fad55ebaf36bdff04aea1c2552374 ]
    
    Driver uses internal data structure to construct WQE frame.
    It used avid type as u16 which can accommodate up to 64K AVs.
    When outstanding AVID crosses 64K, driver truncates AVID and
    hence it uses incorrect AVID to WR. This leads to WR failure
    due to invalid AV ID and QP is moved to error state with reason
    set to 19 (INVALID AVID). When RDMA CM path is used, this issue
    hits QP1 and it is moved to error state
    
    Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
    Link: https://patch.msgid.link/r/1726715161-18941-3-git-send-email-selvin.xavier@broadcom.com
    Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
    Reviewed-by: Chandramohan Akula <chandramohan.akula@broadcom.com>
    Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
    Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
    Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

RDMA/bnxt_re: Return more meaningful error [+ + +]
Author: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Date:   Tue Oct 8 00:41:36 2024 -0700

    RDMA/bnxt_re: Return more meaningful error
    
    [ Upstream commit 98647df0178df215b8239c5c365537283b2852a6 ]
    
    When the HWRM command fails, driver currently returns -EFAULT(Bad
    address). This does not look correct.
    
    Modified to return -EIO(I/O error).
    
    Fixes: cc1ec769b87c ("RDMA/bnxt_re: Fixing the Control path command and response handling")
    Fixes: 65288a22ddd8 ("RDMA/bnxt_re: use shadow qd while posting non blocking rcfw command")
    Link: https://patch.msgid.link/r/1728373302-19530-5-git-send-email-selvin.xavier@broadcom.com
    Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
    Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
RDMA/cxgb4: Added NULL check for lookup_atid [+ + +]
Author: Mikhail Lobanov <m.lobanov@rosalinux.ru>
Date:   Thu Sep 12 10:58:39 2024 -0400

    RDMA/cxgb4: Added NULL check for lookup_atid
    
    [ Upstream commit e766e6a92410ca269161de059fff0843b8ddd65f ]
    
    The lookup_atid() function can return NULL if the ATID is
    invalid or does not exist in the identifier table, which
    could lead to dereferencing a null pointer without a
    check in the `act_establish()` and `act_open_rpl()` functions.
    Add a NULL check to prevent null pointer dereferencing.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC")
    Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
    Link: https://patch.msgid.link/20240912145844.77516-1-m.lobanov@rosalinux.ru
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP [+ + +]
Author: Anumula Murali Mohan Reddy <anumula@chelsio.com>
Date:   Mon Oct 7 18:53:11 2024 +0530

    RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP
    
    [ Upstream commit c659b405b82ead335bee6eb33f9691bf718e21e8 ]
    
    ip_dev_find() always returns real net_device address, whether traffic is
    running on a vlan or real device, if traffic is over vlan, filling
    endpoint struture with real ndev and an attempt to send a connect request
    will results in RDMA_CM_EVENT_UNREACHABLE error.  This patch fixes the
    issue by using vlan_dev_real_dev().
    
    Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address")
    Link: https://patch.msgid.link/r/20241007132311.70593-1-anumula@chelsio.com
    Signed-off-by: Anumula Murali Mohan Reddy <anumula@chelsio.com>
    Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency [+ + +]
Author: Zhu Yanjun <yanjun.zhu@linux.dev>
Date:   Tue Aug 20 13:33:36 2024 +0200

    RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency
    
    [ Upstream commit 86dfdd8288907f03c18b7fb462e0e232c4f98d89 ]
    
    In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to
    destroying CM IDs"), the function flush_workqueue is invoked to flush the
    work queue iwcm_wq.
    
    But at that time, the work queue iwcm_wq was created via the function
    alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.
    
    Because the current process is trying to flush the whole iwcm_wq, if
    iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current
    process is not reclaiming memory or running on a workqueue which doesn't
    have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee
    leading to a deadlock.
    
    The call trace is as below:
    
    [  125.350876][ T1430] Call Trace:
    [  125.356281][ T1430]  <TASK>
    [ 125.361285][ T1430] ? __warn (kernel/panic.c:693)
    [ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
    [ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219)
    [ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239)
    [ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
    [ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
    [ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
    [ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
    [ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970)
    [ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151)
    [ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm
    [ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910)
    [ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
    [ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
    [ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm
    [ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma
    [ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma
    [ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231)
    [ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393)
    [ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339)
    [ 125.531837][ T1430] kthread (kernel/kthread.c:389)
    [ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
    [ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147)
    [ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
    [ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
    [  125.566487][ T1430]  </TASK>
    [  125.566488][ T1430] ---[ end trace 0000000000000000 ]---
    
    Fixes: aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs")
    Link: https://patch.msgid.link/r/20240820113336.19860-1-yanjun.zhu@linux.dev
    Reported-by: kernel test robot <oliver.sang@intel.com>
    Closes: https://lore.kernel.org/oe-lkp/202408151633.fc01893c-oliver.sang@intel.com
    Tested-by: kernel test robot <oliver.sang@intel.com>
    Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
    Reviewed-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Linux: Remove *.orig pattern from .gitignore [+ + +]
Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Date:   Mon Jul 29 18:57:38 2024 +0300

    Remove *.orig pattern from .gitignore
    
    commit 76be4f5a784533c71afbbb1b8f2963ef9e2ee258 upstream.
    
    Commit 3f1b0e1f2875 (".gitignore update") added *.orig and *.rej
    patterns to .gitignore in v2.6.23. The commit message didn't give a
    rationale. Later on, commit 1f5d3a6b6532 ("Remove *.rej pattern from
    .gitignore") removed the *.rej pattern in v2.6.26, on the rationale that
    *.rej files indicated something went really wrong and should not be
    ignored.
    
    The *.rej files are now shown by `git status`, which helps located
    conflicts when applying patches and lowers the probability that they
    will go unnoticed. It is however still easy to overlook the *.orig files
    which slowly polute the source tree. That's not as big of a deal as not
    noticing a conflict, but it's still not nice.
    
    Drop the *.orig pattern from .gitignore to avoid this and help keep the
    source tree clean.
    
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    [masahiroy@kernel.org:
    I do not have a strong opinion about this. Perhaps some people may have
    a different opinion.
    
    If you are someone who wants to ignore *.orig, it is likely you would
    want to do so across all projects. Then, $XDG_CONFIG_HOME/git/ignore
    would be more suitable for your needs. gitignore(5) suggests, "Patterns
    which a user wants Git to ignore in all situations generally go into a
    file specified by core.excludesFile in the user's ~/.gitconfig".
    
    Please note that you cannot do the opposite; if *.orig is ignored by
    the project's .gitignore, you cannot override the decision because
    $XDG_CONFIG_HOME/git/ignore has a lower priority.
    
    If *.orig is sitting on the fence, I'd leave it to the users. ]
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
reset: berlin: fix OF node leak in probe() error path [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Sun Aug 25 16:14:24 2024 +0200

    reset: berlin: fix OF node leak in probe() error path
    
    [ Upstream commit 5f58a88cc91075be38cec69b7cb70aaa4ba69e8b ]
    
    Driver is leaking OF node reference on memory allocation failure.
    Acquire the OF node reference after memory allocation to fix this and
    keep it simple.
    
    Fixes: aed6f3cadc86 ("reset: berlin: convert to a platform driver")
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
    Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-1-03f6d834f8c0@linaro.org
    Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Revert "driver core: Fix uevent_show() vs driver detach race" [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Oct 29 01:23:04 2024 +0100

    Revert "driver core: Fix uevent_show() vs driver detach race"
    
    commit 9a71892cbcdb9d1459c84f5a4c722b14354158a5 upstream.
    
    This reverts commit 15fffc6a5624b13b428bb1c6e9088e32a55eb82c.
    
    This commit causes a regression, so revert it for now until it can come
    back in a way that works for everyone.
    
    Link: https://lore.kernel.org/all/172790598832.1168608.4519484276671503678.stgit@dwillia2-xfh.jf.intel.com/
    Fixes: 15fffc6a5624 ("driver core: Fix uevent_show() vs driver detach race")
    Cc: stable <stable@kernel.org>
    Cc: Ashish Sangwan <a.sangwan@samsung.com>
    Cc: Namjae Jeon <namjae.jeon@samsung.com>
    Cc: Dirk Behme <dirk.behme@de.bosch.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Rafael J. Wysocki <rafael@kernel.org>
    Cc: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" [+ + +]
Author: Oliver Neukum <oneukum@suse.com>
Date:   Mon Oct 7 11:39:47 2024 +0200

    Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant"
    
    commit 71c717cd8a2e180126932cc6851ff21c1d04d69a upstream.
    
    This reverts commit 86b20af11e84c26ae3fde4dcc4f490948e3f8035.
    
    This patch leads to passing 0 to simple_read_from_buffer()
    as a fifth argument, turning the read method into a nop.
    The change is fundamentally flawed, as it breaks the driver.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Cc: stable <stable@kernel.org>
    Link: https://lore.kernel.org/r/20241007094004.242122-1-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
riscv: define ILLEGAL_POINTER_VALUE for 64bit [+ + +]
Author: Jisheng Zhang <jszhang@kernel.org>
Date:   Sat Jul 6 01:02:10 2024 +0800

    riscv: define ILLEGAL_POINTER_VALUE for 64bit
    
    commit 5c178472af247c7b50f962495bb7462ba453b9fb upstream.
    
    This is used in poison.h for poison pointer offset. Based on current
    SV39, SV48 and SV57 vm layout, 0xdead000000000000 is a proper value
    that is not mappable, this can avoid potentially turning an oops to
    an expolit.
    
    Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
    Fixes: fbe934d69eb7 ("RISC-V: Build Infrastructure")
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240705170210.3236-1-jszhang@kernel.org
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
rtc: at91sam9: drop platform_data support [+ + +]
Author: Alexandre Belloni <alexandre.belloni@bootlin.com>
Date:   Wed Mar 20 13:40:37 2019 +0100

    rtc: at91sam9: drop platform_data support
    
    [ Upstream commit 1a76a77c8800a50b98bd38b7b1ffec32fe107bc1 ]
    
    ARCH_AT91 is DT only for a while, drop platform data support.
    
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Stable-dep-of: 73580e2ee6ad ("rtc: at91sam9: fix OF node leak in probe() error path")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

rtc: at91sam9: fix OF node leak in probe() error path [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Sun Aug 25 20:31:03 2024 +0200

    rtc: at91sam9: fix OF node leak in probe() error path
    
    [ Upstream commit 73580e2ee6adfb40276bd420da3bb1abae204e10 ]
    
    Driver is leaking an OF node reference obtained from
    of_parse_phandle_with_fixed_args().
    
    Fixes: 43e112bb3dea ("rtc: at91sam9: make use of syscon/regmap to access GPBR registers")
    Cc: stable@vger.kernel.org
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/r/20240825183103.102904-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
s390/cpum_sf: Remove WARN_ON_ONCE statements [+ + +]
Author: Thomas Richter <tmricht@linux.ibm.com>
Date:   Wed Jul 10 12:23:47 2024 +0200

    s390/cpum_sf: Remove WARN_ON_ONCE statements
    
    [ Upstream commit b495e710157606889f2d8bdc62aebf2aa02f67a7 ]
    
    Remove WARN_ON_ONCE statements. These have not triggered in the
    past.
    
    Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
    Acked-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
    Cc: Heiko Carstens <hca@linux.ibm.com>
    Cc: Vasily Gorbik <gor@linux.ibm.com>
    Cc: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
s390/facility: Disable compile time optimization for decompressor code [+ + +]
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Wed Sep 4 11:39:24 2024 +0200

    s390/facility: Disable compile time optimization for decompressor code
    
    [ Upstream commit 0147addc4fb72a39448b8873d8acdf3a0f29aa65 ]
    
    Disable compile time optimizations of test_facility() for the
    decompressor. The decompressor should not contain any optimized code
    depending on the architecture level set the kernel image is compiled
    for to avoid unexpected operation exceptions.
    
    Add a __DECOMPRESSOR check to test_facility() to enforce that
    facilities are always checked during runtime for the decompressor.
    
    Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
s390/mm: Add cond_resched() to cmm_alloc/free_pages() [+ + +]
Author: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Date:   Mon Sep 2 14:02:19 2024 +0200

    s390/mm: Add cond_resched() to cmm_alloc/free_pages()
    
    [ Upstream commit 131b8db78558120f58c5dc745ea9655f6b854162 ]
    
    Adding/removing large amount of pages at once to/from the CMM balloon
    can result in rcu_sched stalls or workqueue lockups, because of busy
    looping w/o cond_resched().
    
    Prevent this by adding a cond_resched(). cmm_free_pages() holds a
    spin_lock while looping, so it cannot be added directly to the existing
    loop. Instead, introduce a wrapper function that operates on maximum 256
    pages at once, and add it there.
    
    Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
    Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
s390/sclp_vt220: Convert newlines to CRLF instead of LFCR [+ + +]
Author: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Date:   Mon Oct 14 07:50:07 2024 +0200

    s390/sclp_vt220: Convert newlines to CRLF instead of LFCR
    
    commit dee3df68ab4b00fff6bdf9fc39541729af37307c upstream.
    
    According to the VT220 specification the possible character combinations
    sent on RETURN are only CR or CRLF [0].
    
            The Return key sends either a CR character (0/13) or a CR
            character (0/13) and an LF character (0/10), depending on the
            set/reset state of line feed/new line mode (LNM).
    
    The sclp/vt220 driver however uses LFCR. This can confuse tools, for
    example the kunit runner.
    
    Link: https://vt100.net/docs/vt220-rm/chapter3.html#S3.2
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable@vger.kernel.org
    Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
    Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
    Link: https://lore.kernel.org/r/20241014-s390-kunit-v1-2-941defa765a6@linutronix.de
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
scripts: kconfig: merge_config: config files: add a trailing newline [+ + +]
Author: Anders Roxell <anders.roxell@linaro.org>
Date:   Mon Aug 5 11:22:34 2024 +0200

    scripts: kconfig: merge_config: config files: add a trailing newline
    
    [ Upstream commit 33330bcf031818e60a816db0cfd3add9eecc3b28 ]
    
    When merging files without trailing newlines at the end of the file, two
    config fragments end up at the same row if file1.config doens't have a
    trailing newline at the end of the file.
    
    file1.config "CONFIG_1=y"
    file2.config "CONFIG_2=y"
    ./scripts/kconfig/merge_config.sh -m .config file1.config file2.config
    
    This will generate a .config looking like this.
    cat .config
    ...
    CONFIG_1=yCONFIG_2=y"
    
    Making sure so we add a newline at the end of every config file that is
    passed into the script.
    
    Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
scsi: aacraid: Rearrange order of struct aac_srb_unit [+ + +]
Author: Kees Cook <kees@kernel.org>
Date:   Thu Jul 11 14:57:37 2024 -0700

    scsi: aacraid: Rearrange order of struct aac_srb_unit
    
    [ Upstream commit 6e5860b0ad4934baee8c7a202c02033b2631bb44 ]
    
    struct aac_srb_unit contains struct aac_srb, which contains struct sgmap,
    which ends in a (currently) "fake" (1-element) flexible array.  Converting
    this to a flexible array is needed so that runtime bounds checking won't
    think the array is fixed size (i.e. under CONFIG_FORTIFY_SOURCE=y and/or
    CONFIG_UBSAN_BOUNDS=y), as other parts of aacraid use struct sgmap as a
    flexible array.
    
    It is not legal to have a flexible array in the middle of a structure, so
    it either needs to be split up or rearranged so that it is at the end of
    the structure. Luckily, struct aac_srb_unit, which is exclusively
    consumed/updated by aac_send_safw_bmic_cmd(), does not depend on member
    ordering.
    
    The values set in the on-stack struct aac_srb_unit instance "srbu" by the
    only two callers, aac_issue_safw_bmic_identify() and
    aac_get_safw_ciss_luns(), do not contain anything in srbu.srb.sgmap.sg, and
    they both implicitly initialize srbu.srb.sgmap.count to 0 during
    memset(). For example:
    
            memset(&srbu, 0, sizeof(struct aac_srb_unit));
    
            srbcmd = &srbu.srb;
            srbcmd->flags   = cpu_to_le32(SRB_DataIn);
            srbcmd->cdb[0]  = CISS_REPORT_PHYSICAL_LUNS;
            srbcmd->cdb[1]  = 2; /* extended reporting */
            srbcmd->cdb[8]  = (u8)(datasize >> 8);
            srbcmd->cdb[9]  = (u8)(datasize);
    
            rcode = aac_send_safw_bmic_cmd(dev, &srbu, phys_luns, datasize);
    
    During aac_send_safw_bmic_cmd(), a separate srb is mapped into DMA, and has
    srbu.srb copied into it:
    
            srb = fib_data(fibptr);
            memcpy(srb, &srbu->srb, sizeof(struct aac_srb));
    
    Only then is srb.sgmap.count written and srb->sg populated:
    
            srb->count              = cpu_to_le32(xfer_len);
    
            sg64 = (struct sgmap64 *)&srb->sg;
            sg64->count             = cpu_to_le32(1);
            sg64->sg[0].addr[1]     = cpu_to_le32(upper_32_bits(addr));
            sg64->sg[0].addr[0]     = cpu_to_le32(lower_32_bits(addr));
            sg64->sg[0].count       = cpu_to_le32(xfer_len);
    
    But this is happening in the DMA memory, not in srbu.srb. An attempt to
    copy the changes back to srbu does happen:
    
            /*
             * Copy the updated data for other dumping or other usage if
             * needed
             */
            memcpy(&srbu->srb, srb, sizeof(struct aac_srb));
    
    But this was never correct: the sg64 (3 u32s) overlap of srb.sg (2 u32s)
    always meant that srbu.srb would have held truncated information and any
    attempt to walk srbu.srb.sg.sg based on the value of srbu.srb.sg.count
    would result in attempting to parse past the end of srbu.srb.sg.sg[0] into
    srbu.srb_reply.
    
    After getting a reply from hardware, the reply is copied into
    srbu.srb_reply:
    
            srb_reply = (struct aac_srb_reply *)fib_data(fibptr);
            memcpy(&srbu->srb_reply, srb_reply, sizeof(struct aac_srb_reply));
    
    This has always been fixed-size, so there's no issue here. It is worth
    noting that the two callers _never check_ srbu contents -- neither
    srbu.srb nor srbu.srb_reply is examined. (They depend on the mapped
    xfer_buf instead.)
    
    Therefore, the ordering of members in struct aac_srb_unit does not matter,
    and the flexible array member can moved to the end.
    
    (Additionally, the two memcpy()s that update srbu could be entirely
    removed as they are never consumed, but I left that as-is.)
    
    Signed-off-by: Kees Cook <kees@kernel.org>
    Link: https://lore.kernel.org/r/20240711215739.208776-1-kees@kernel.org
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start [+ + +]
Author: Xin Long <lucien.xin@gmail.com>
Date:   Mon Sep 30 16:49:51 2024 -0400

    sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
    
    [ Upstream commit 8beee4d8dee76b67c75dc91fd8185d91e845c160 ]
    
    In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
    sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.
    
    Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
    is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
    be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
    is NULL.
    
      KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
      RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
      Call Trace:
       <TASK>
       __sys_listen_socket net/socket.c:1883 [inline]
       __sys_listen+0x1b7/0x230 net/socket.c:1894
       __do_sys_listen net/socket.c:1902 [inline]
    
    Fixes: 5e8f3f703ae4 ("sctp: simplify sctp listening code")
    Reported-by: syzbot+f4e0f821e3a3b7cee51d@syzkaller.appspotmail.com
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Link: https://patch.msgid.link/a93e655b3c153dc8945d7a812e6d8ab0d52b7aa0.1727729391.git.lucien.xin@gmail.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests/bpf: Fix error compiling test_lru_map.c [+ + +]
Author: Tony Ambardar <tony.ambardar@gmail.com>
Date:   Mon Jul 29 02:24:19 2024 -0700

    selftests/bpf: Fix error compiling test_lru_map.c
    
    [ Upstream commit cacf2a5a78cd1f5f616eae043ebc6f024104b721 ]
    
    Although the post-increment in macro 'CPU_SET(next++, &cpuset)' seems safe,
    the sequencing can raise compile errors, so move the increment outside the
    macro. This avoids an error seen using gcc 12.3.0 for mips64el/musl-libc:
    
      In file included from test_lru_map.c:11:
      test_lru_map.c: In function 'sched_next_online':
      test_lru_map.c:129:29: error: operation on 'next' may be undefined [-Werror=sequence-point]
        129 |                 CPU_SET(next++, &cpuset);
            |                             ^
      cc1: all warnings being treated as errors
    
    Fixes: 3fbfadce6012 ("bpf: Fix test_lru_sanity5() in test_lru_map.c")
    Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Link: https://lore.kernel.org/bpf/22993dfb11ccf27925a626b32672fd3324cb76c4.1722244708.git.tony.ambardar@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests/kcmp: remove call to ksft_set_plan() [+ + +]
Author: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Date:   Fri Sep 13 13:02:40 2024 -0700

    selftests/kcmp: remove call to ksft_set_plan()
    
    The function definition for ksft_set_plan() is not present in linux-4.19.y.
    kcmp_test selftest fails to compile because of this.
    
    Fixes: 32b0469d13eb ("selftests/kcmp: Make the test output consistent and clear")
    Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
    Acked-by: Shuah Khan <skhan@linuxfoundation.org>
    Reviewed-by: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
selftests/vm: remove call to ksft_set_plan() [+ + +]
Author: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Date:   Fri Sep 13 13:02:39 2024 -0700

    selftests/vm: remove call to ksft_set_plan()
    
    The function definition for ksft_set_plan() is not present in linux-4.19.y.
    compaction_test selftest fails to compile because of this.
    
    Fixes: 9a21701edc41 ("selftests/mm: conform test to TAP format output")
    Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
    Reviewed-by: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
    Acked-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
selftests: breakpoints: use remaining time to check if suspend succeed [+ + +]
Author: Yifei Liu <yifei.l.liu@oracle.com>
Date:   Mon Sep 30 15:40:25 2024 -0700

    selftests: breakpoints: use remaining time to check if suspend succeed
    
    [ Upstream commit c66be905cda24fb782b91053b196bd2e966f95b7 ]
    
    step_after_suspend_test fails with device busy error while
    writing to /sys/power/state to start suspend. The test believes
    it failed to enter suspend state with
    
    $ sudo ./step_after_suspend_test
    TAP version 13
    Bail out! Failed to enter Suspend state
    
    However, in the kernel message, I indeed see the system get
    suspended and then wake up later.
    
    [611172.033108] PM: suspend entry (s2idle)
    [611172.044940] Filesystems sync: 0.006 seconds
    [611172.052254] Freezing user space processes
    [611172.059319] Freezing user space processes completed (elapsed 0.001 seconds)
    [611172.067920] OOM killer disabled.
    [611172.072465] Freezing remaining freezable tasks
    [611172.080332] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
    [611172.089724] printk: Suspending console(s) (use no_console_suspend to debug)
    [611172.117126] serial 00:03: disabled
    some other hardware get reconnected
    [611203.136277] OOM killer enabled.
    [611203.140637] Restarting tasks ...
    [611203.141135] usb 1-8.1: USB disconnect, device number 7
    [611203.141755] done.
    [611203.155268] random: crng reseeded on system resumption
    [611203.162059] PM: suspend exit
    
    After investigation, I noticed that for the code block
    if (write(power_state_fd, "mem", strlen("mem")) != strlen("mem"))
            ksft_exit_fail_msg("Failed to enter Suspend state\n");
    
    The write will return -1 and errno is set to 16 (device busy).
    It should be caused by the write function is not successfully returned
    before the system suspend and the return value get messed when waking up.
    As a result, It may be better to check the time passed of those few
    instructions to determine whether the suspend is executed correctly for
    it is pretty hard to execute those few lines for 5 seconds.
    
    The timer to wake up the system is set to expire after 5 seconds and
    no re-arm. If the timer remaining time is 0 second and 0 nano secomd,
    it means the timer expired and wake the system up. Otherwise, the system
    could be considered to enter the suspend state failed if there is any
    remaining time.
    
    After appling this patch, the test would not fail for it believes the
    system does not go to suspend by mistake. It now could continue to the
    rest part of the test after suspend.
    
    Fixes: bfd092b8c272 ("selftests: breakpoint: add step_after_suspend_test")
    Reported-by: Sinadin Shan <sinadin.shan@oracle.com>
    Signed-off-by: Yifei Liu <yifei.l.liu@oracle.com>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

selftests: vDSO: fix vDSO symbols lookup for powerpc64 [+ + +]
Author: Christophe Leroy <christophe.leroy@csgroup.eu>
Date:   Fri Aug 30 14:28:37 2024 +0200

    selftests: vDSO: fix vDSO symbols lookup for powerpc64
    
    [ Upstream commit ba83b3239e657469709d15dcea5f9b65bf9dbf34 ]
    
    On powerpc64, following tests fail locating vDSO functions:
    
      ~ # ./vdso_test_abi
      TAP version 13
      1..16
      # [vDSO kselftest] VDSO_VERSION: LINUX_2.6.15
      # Couldn't find __kernel_gettimeofday
      ok 1 # SKIP __kernel_gettimeofday
      # clock_id: CLOCK_REALTIME
      # Couldn't find __kernel_clock_gettime
      ok 2 # SKIP __kernel_clock_gettime CLOCK_REALTIME
      # Couldn't find __kernel_clock_getres
      ok 3 # SKIP __kernel_clock_getres CLOCK_REALTIME
      ...
      # Couldn't find __kernel_time
      ok 16 # SKIP __kernel_time
      # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:16 error:0
    
      ~ # ./vdso_test_getrandom
      __kernel_getrandom is missing!
    
      ~ # ./vdso_test_gettimeofday
      Could not find __kernel_gettimeofday
    
      ~ # ./vdso_test_getcpu
      Could not find __kernel_getcpu
    
    On powerpc64, as shown below by readelf, vDSO functions symbols have
    type NOTYPE, so also accept that type when looking for symbols.
    
    $ powerpc64-linux-gnu-readelf -a arch/powerpc/kernel/vdso/vdso64.so.dbg
    ELF Header:
      Magic:   7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00
      Class:                             ELF64
      Data:                              2's complement, big endian
      Version:                           1 (current)
      OS/ABI:                            UNIX - System V
      ABI Version:                       0
      Type:                              DYN (Shared object file)
      Machine:                           PowerPC64
      Version:                           0x1
    ...
    
    Symbol table '.dynsym' contains 12 entries:
       Num:    Value          Size Type    Bind   Vis      Ndx Name
         0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
         1: 0000000000000524    84 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
         2: 00000000000005f0    36 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
         3: 0000000000000578    68 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
         4: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  ABS LINUX_2.6.15
         5: 00000000000006c0    48 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
         6: 0000000000000614   172 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
         7: 00000000000006f0    84 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
         8: 000000000000047c    84 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
         9: 0000000000000454    12 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
        10: 00000000000004d0    84 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
        11: 00000000000005bc    52 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
    
    Symbol table '.symtab' contains 56 entries:
       Num:    Value          Size Type    Bind   Vis      Ndx Name
    ...
        45: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  ABS LINUX_2.6.15
        46: 00000000000006c0    48 NOTYPE  GLOBAL DEFAULT    8 __kernel_getcpu
        47: 0000000000000524    84 NOTYPE  GLOBAL DEFAULT    8 __kernel_clock_getres
        48: 00000000000005f0    36 NOTYPE  GLOBAL DEFAULT    8 __kernel_get_tbfreq
        49: 000000000000047c    84 NOTYPE  GLOBAL DEFAULT    8 __kernel_gettimeofday
        50: 0000000000000614   172 NOTYPE  GLOBAL DEFAULT    8 __kernel_sync_dicache
        51: 00000000000006f0    84 NOTYPE  GLOBAL DEFAULT    8 __kernel_getrandom
        52: 0000000000000454    12 NOTYPE  GLOBAL DEFAULT    8 __kernel_sigtram[...]
        53: 0000000000000578    68 NOTYPE  GLOBAL DEFAULT    8 __kernel_time
        54: 00000000000004d0    84 NOTYPE  GLOBAL DEFAULT    8 __kernel_clock_g[...]
        55: 00000000000005bc    52 NOTYPE  GLOBAL DEFAULT    8 __kernel_get_sys[...]
    
    Fixes: 98eedc3a9dbf ("Document the vDSO and add a reference parser")
    Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Acked-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selinux: improve error checking in sel_write_load() [+ + +]
Author: Paul Moore <paul@paul-moore.com>
Date:   Fri Oct 25 11:21:29 2024 -0300

    selinux: improve error checking in sel_write_load()
    
    [ Upstream commit 42c773238037c90b3302bf37a57ae3b5c3f6004a ]
    
    Move our existing input sanity checking to the top of sel_write_load()
    and add a check to ensure the buffer size is non-zero.
    
    Move a local variable initialization from the declaration to before it
    is used.
    
    Minor style adjustments.
    
    Reported-by: Sam Sun <samsun1006219@gmail.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    [cascardo: keep fsi initialization at its declaration point as it is used earlier]
    [cascardo: keep check for 64MiB size limit]
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
signal: Replace BUG_ON()s [+ + +]
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Jun 10 18:42:34 2024 +0200

    signal: Replace BUG_ON()s
    
    [ Upstream commit 7f8af7bac5380f2d95a63a6f19964e22437166e1 ]
    
    These really can be handled gracefully without killing the machine.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso [+ + +]
Author: Jiawei Ye <jiawei.ye@foxmail.com>
Date:   Mon Sep 2 08:47:26 2024 +0000

    smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso
    
    [ Upstream commit 2749749afa071f8a0e405605de9da615e771a7ce ]
    
    In the `smk_set_cipso` function, the `skp->smk_netlabel.attr.mls.cat`
    field is directly assigned to a new value without using the appropriate
    RCU pointer assignment functions. According to RCU usage rules, this is
    illegal and can lead to unpredictable behavior, including data
    inconsistencies and impossible-to-diagnose memory corruption issues.
    
    This possible bug was identified using a static analysis tool developed
    by myself, specifically designed to detect RCU-related issues.
    
    To address this, the assignment is now done using rcu_assign_pointer(),
    which ensures that the pointer assignment is done safely, with the
    necessary memory barriers and synchronization. This change prevents
    potential RCU dereference issues by ensuring that the `cat` field is
    safely updated while still adhering to RCU's requirements.
    
    Fixes: 0817534ff9ea ("smackfs: Fix use-after-free in netlbl_catmap_walk()")
    Signed-off-by: Jiawei Ye <jiawei.ye@foxmail.com>
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
soc: versatile: integrator: fix OF node leak in probe() error path [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Sun Aug 25 20:05:22 2024 +0200

    soc: versatile: integrator: fix OF node leak in probe() error path
    
    commit 874c5b601856adbfda10846b9770a6c66c41e229 upstream.
    
    Driver is leaking OF node reference obtained from
    of_find_matching_node().
    
    Fixes: f956a785a282 ("soc: move SoC driver for the ARM Integrator")
    Cc: stable@vger.kernel.org
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/20240825-soc-dev-fixes-v1-1-ff4b35abed83@linaro.org
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

soc: versatile: realview: fix memory leak during device remove [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Sun Aug 25 20:05:23 2024 +0200

    soc: versatile: realview: fix memory leak during device remove
    
    [ Upstream commit 1c4f26a41f9d052f334f6ae629e01f598ed93508 ]
    
    If device is unbound, the memory allocated for soc_dev_attr should be
    freed to prevent leaks.
    
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/20240825-soc-dev-fixes-v1-2-ff4b35abed83@linaro.org
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Stable-dep-of: c774f2564c00 ("soc: versatile: realview: fix soc_dev leak during device remove")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

soc: versatile: realview: fix soc_dev leak during device remove [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Sun Aug 25 20:05:24 2024 +0200

    soc: versatile: realview: fix soc_dev leak during device remove
    
    [ Upstream commit c774f2564c0086c23f5269fd4691f233756bf075 ]
    
    If device is unbound, the soc_dev should be unregistered to prevent
    memory leak.
    
    Fixes: a2974c9c1f83 ("soc: add driver for the ARM RealView")
    Cc: stable@vger.kernel.org
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/20240825-soc-dev-fixes-v1-3-ff4b35abed83@linaro.org
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Mon Sep 9 18:47:46 2024 +0200

    soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps"
    
    commit 233a95fd574fde1c375c486540a90304a2d2d49f upstream.
    
    This reverts commit ab8d66d132bc8f1992d3eb6cab8d32dda6733c84 because it
    breaks codecs using non-continuous masks in source and sink ports.  The
    commit missed the point that port numbers are not used as indices for
    iterating over prop.sink_ports or prop.source_ports.
    
    Soundwire core and existing codecs expect that the array passed as
    prop.sink_ports and prop.source_ports is continuous.  The port mask still
    might be non-continuous, but that's unrelated.
    
    Reported-by: Bard Liao <yung-chuan.liao@linux.intel.com>
    Closes: https://lore.kernel.org/all/b6c75eee-761d-44c8-8413-2a5b34ee2f98@linux.intel.com/
    Fixes: ab8d66d132bc ("soundwire: stream: fix programming slave ports for non-continous port maps")
    Acked-by: Bard Liao <yung-chuan.liao@linux.intel.com>
    Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Tested-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Link: https://lore.kernel.org/r/20240909164746.136629-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
spi: bcm63xx: Enable module autoloading [+ + +]
Author: Liao Chen <liaochen4@huawei.com>
Date:   Sat Aug 31 09:42:31 2024 +0000

    spi: bcm63xx: Enable module autoloading
    
    [ Upstream commit 709df70a20e990d262c473ad9899314039e8ec82 ]
    
    Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded based
    on the alias from of_device_id table.
    
    Signed-off-by: Liao Chen <liaochen4@huawei.com>
    Link: https://patch.msgid.link/20240831094231.795024-1-liaochen4@huawei.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

spi: bcm63xx: Fix module autoloading [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Mon Aug 19 20:33:48 2024 +0800

    spi: bcm63xx: Fix module autoloading
    
    commit 909f34f2462a99bf876f64c5c61c653213e32fce upstream.
    
    Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
    based on the alias from platform_device_id table.
    
    Fixes: 44d8fb30941d ("spi/bcm63xx: move register definitions into the driver")
    Cc: stable@vger.kernel.org
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
    Link: https://patch.msgid.link/20240819123349.4020472-2-ruanjinjie@huawei.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ [+ + +]
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Wed Aug 14 17:45:12 2024 +0300

    spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ
    
    [ Upstream commit 7781f1d120fec8624fc654eda900fc8748262082 ]
    
    0 is incorrect error code when failed to parse and map IRQ.
    Replace OF specific old API for IRQ retrieval with a generic
    one to fix this issue.
    
    Fixes: 0f245463b01e ("spi: ppc4xx: handle irq_of_parse_and_map() errors")
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Link: https://patch.msgid.link/20240814144525.2648450-1-andriy.shevchenko@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

spi: ppc4xx: handle irq_of_parse_and_map() errors [+ + +]
Author: Ma Ke <make24@iscas.ac.cn>
Date:   Wed Jul 24 16:40:47 2024 +0800

    spi: ppc4xx: handle irq_of_parse_and_map() errors
    
    [ Upstream commit 0f245463b01ea254ae90e1d0389e90b0e7d8dc75 ]
    
    Zero and negative number is not a valid IRQ for in-kernel code and the
    irq_of_parse_and_map() function returns zero on error.  So this check for
    valid IRQs should only accept values > 0.
    
    Fixes: 44dab88e7cc9 ("spi: add spi_ppc4xx driver")
    Signed-off-by: Ma Ke <make24@iscas.ac.cn>
    Link: https://patch.msgid.link/20240724084047.1506084-1-make24@iscas.ac.cn
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

spi: s3c64xx: fix timeout counters in flush_fifo [+ + +]
Author: Ben Dooks <ben.dooks@codethink.co.uk>
Date:   Tue Sep 24 14:40:08 2024 +0100

    spi: s3c64xx: fix timeout counters in flush_fifo
    
    [ Upstream commit 68a16708d2503b6303d67abd43801e2ca40c208d ]
    
    In the s3c64xx_flush_fifo() code, the loops counter is post-decremented
    in the do { } while(test && loops--) condition. This means the loops is
    left at the unsigned equivalent of -1 if the loop times out. The test
    after will never pass as if tests for loops == 0.
    
    Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
    Fixes: 230d42d422e7 ("spi: Add s3c64xx SPI Controller driver")
    Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
    Link: https://patch.msgid.link/20240924134009.116247-2-ben.dooks@codethink.co.uk
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
staging: iio: frequency: ad9833: Get frequency value statically [+ + +]
Author: Beniamin Bia <biabeniamin@gmail.com>
Date:   Fri Feb 1 17:01:37 2019 +0200

    staging: iio: frequency: ad9833: Get frequency value statically
    
    [ Upstream commit 80109c32348d7b2e85def9efc3f9524fb166569d ]
    
    The values from platform data were replaced by statically values.
    This was just a intermediate step of taking this driver out of staging and
    load data from device tree.
    
    Signed-off-by: Beniamin Bia <beniamin.bia@analog.com>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Stable-dep-of: b48aa9917589 ("staging: iio: frequency: ad9834: Validate frequency parameter value")
    Signed-off-by: Sasha Levin <sashal@kernel.org>
staging: iio: frequency: ad9833: Load clock using clock framework [+ + +]
Author: Beniamin Bia <biabeniamin@gmail.com>
Date:   Fri Feb 1 17:01:38 2019 +0200

    staging: iio: frequency: ad9833: Load clock using clock framework
    
    [ Upstream commit 8e8040c52e63546d1171c188a24aacf145a9a7e0 ]
    
    The clock frequency is loaded from device-tree using clock framework
    instead of statically value. The change allow configuration of
    the device via device-trees and better initialization sequence.
    This is part of broader effort to add device-tree support to this driver
    and take it out from staging.
    
    Signed-off-by: Beniamin Bia <beniamin.bia@analog.com>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Stable-dep-of: b48aa9917589 ("staging: iio: frequency: ad9834: Validate frequency parameter value")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

staging: iio: frequency: ad9834: Validate frequency parameter value [+ + +]
Author: Aleksandr Mishin <amishin@t-argos.ru>
Date:   Wed Jul 3 18:45:06 2024 +0300

    staging: iio: frequency: ad9834: Validate frequency parameter value
    
    [ Upstream commit b48aa991758999d4e8f9296c5bbe388f293ef465 ]
    
    In ad9834_write_frequency() clk_get_rate() can return 0. In such case
    ad9834_calc_freqreg() call will lead to division by zero. Checking
    'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0.
    ad9834_write_frequency() is called from ad9834_write(), where fout is
    taken from text buffer, which can contain any value.
    
    Modify parameters checking.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: 12b9d5bf76bf ("Staging: IIO: DDS: AD9833 / AD9834 driver")
    Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
    Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
    Link: https://patch.msgid.link/20240703154506.25584-1-amishin@t-argos.ru
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
SUNRPC: Fix integer overflow in decode_rc_list() [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Thu Sep 19 11:50:33 2024 +0300

    SUNRPC: Fix integer overflow in decode_rc_list()
    
    [ Upstream commit 6dbf1f341b6b35bcc20ff95b6b315e509f6c5369 ]
    
    The math in "rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t)" could have an
    integer overflow.  Add bounds checking on rc_list->rcl_nrefcalls to fix
    that.
    
    Fixes: 4aece6a19cf7 ("nfs41: cb_sequence xdr implementation")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process [+ + +]
Author: Jason Xing <kernelxing@tencent.com>
Date:   Fri Aug 23 08:11:52 2024 +0800

    tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process
    
    [ Upstream commit 0d9e5df4a257afc3a471a82961ace9a22b88295a ]
    
    We found that one close-wait socket was reset by the other side
    due to a new connection reusing the same port which is beyond our
    expectation, so we have to investigate the underlying reason.
    
    The following experiment is conducted in the test environment. We
    limit the port range from 40000 to 40010 and delay the time to close()
    after receiving a fin from the active close side, which can help us
    easily reproduce like what happened in production.
    
    Here are three connections captured by tcpdump:
    127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965525191
    127.0.0.1.9999 > 127.0.0.1.40002: Flags [S.], seq 2769915070
    127.0.0.1.40002 > 127.0.0.1.9999: Flags [.], ack 1
    127.0.0.1.40002 > 127.0.0.1.9999: Flags [F.], seq 1, ack 1
    // a few seconds later, within 60 seconds
    127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965590730
    127.0.0.1.9999 > 127.0.0.1.40002: Flags [.], ack 2
    127.0.0.1.40002 > 127.0.0.1.9999: Flags [R], seq 2965525193
    // later, very quickly
    127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965590730
    127.0.0.1.9999 > 127.0.0.1.40002: Flags [S.], seq 3120990805
    127.0.0.1.40002 > 127.0.0.1.9999: Flags [.], ack 1
    
    As we can see, the first flow is reset because:
    1) client starts a new connection, I mean, the second one
    2) client tries to find a suitable port which is a timewait socket
       (its state is timewait, substate is fin_wait2)
    3) client occupies that timewait port to send a SYN
    4) server finds a corresponding close-wait socket in ehash table,
       then replies with a challenge ack
    5) client sends an RST to terminate this old close-wait socket.
    
    I don't think the port selection algo can choose a FIN_WAIT2 socket
    when we turn on tcp_tw_reuse because on the server side there
    remain unread data. In some cases, if one side haven't call close() yet,
    we should not consider it as expendable and treat it at will.
    
    Even though, sometimes, the server isn't able to call close() as soon
    as possible like what we expect, it can not be terminated easily,
    especially due to a second unrelated connection happening.
    
    After this patch, we can see the expected failure if we start a
    connection when all the ports are occupied in fin_wait2 state:
    "Ncat: Cannot assign requested address."
    
    Reported-by: Jade Dong <jadedong@tencent.com>
    Signed-off-by: Jason Xing <kernelxing@tencent.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://patch.msgid.link/20240823001152.31004-1-kerneljasonxing@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: check skb is non-NULL in tcp_rto_delta_us() [+ + +]
Author: Josh Hunt <johunt@akamai.com>
Date:   Tue Sep 10 15:08:22 2024 -0400

    tcp: check skb is non-NULL in tcp_rto_delta_us()
    
    [ Upstream commit c8770db2d54437a5f49417ae7b46f7de23d14db6 ]
    
    We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic
    kernel that are running ceph and recently hit a null ptr dereference in
    tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also
    saw it getting hit from the RACK case as well. Here are examples of the oops
    messages we saw in each of those cases:
    
    Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020
    Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode
    Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page
    Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0
    Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI
    Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu
    Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
    Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160
    Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
    Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
    Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
    Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
    Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
    Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
    Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
    Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
    Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
    Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554
    Jul 26 15:05:02 rx [11061395.916786] Call Trace:
    Jul 26 15:05:02 rx [11061395.919488]
    Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f
    Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9
    Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380
    Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
    Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50
    Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
    Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
    Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
    Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140
    Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90
    Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0
    Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40
    Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160
    Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160
    Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220
    Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240
    Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0
    Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240
    Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130
    Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280
    Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10
    Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30
    Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_event+0x21/0x30
    Jul 26 15:05:02 rx [11061396.021984] ? clockevents_program_event+0x8f/0xe0
    Jul 26 15:05:02 rx [11061396.027035] run_timer_softirq+0x2a/0x50
    Jul 26 15:05:02 rx [11061396.031212] __do_softirq+0xd1/0x2c1
    Jul 26 15:05:02 rx [11061396.035044] do_softirq_own_stack+0x2a/0x40
    Jul 26 15:05:02 rx [11061396.039480]
    Jul 26 15:05:02 rx [11061396.041840] do_softirq.part.0+0x46/0x50
    Jul 26 15:05:02 rx [11061396.046022] __local_bh_enable_ip+0x50/0x60
    Jul 26 15:05:02 rx [11061396.050460] _raw_spin_unlock_bh+0x1e/0x20
    Jul 26 15:05:02 rx [11061396.054817] nf_conntrack_tcp_packet+0x29e/0xbe0 [nf_conntrack]
    Jul 26 15:05:02 rx [11061396.060994] ? get_l4proto+0xe7/0x190 [nf_conntrack]
    Jul 26 15:05:02 rx [11061396.066220] nf_conntrack_in+0xe9/0x670 [nf_conntrack]
    Jul 26 15:05:02 rx [11061396.071618] ipv6_conntrack_local+0x14/0x20 [nf_conntrack]
    Jul 26 15:05:02 rx [11061396.077356] nf_hook_slow+0x45/0xb0
    Jul 26 15:05:02 rx [11061396.081098] ip6_xmit+0x3f0/0x5d0
    Jul 26 15:05:02 rx [11061396.084670] ? ipv6_anycast_cleanup+0x50/0x50
    Jul 26 15:05:02 rx [11061396.089282] ? __sk_dst_check+0x38/0x70
    Jul 26 15:05:02 rx [11061396.093381] ? inet6_csk_route_socket+0x13b/0x200
    Jul 26 15:05:02 rx [11061396.098346] inet6_csk_xmit+0xa7/0xf0
    Jul 26 15:05:02 rx [11061396.102263] __tcp_transmit_skb+0x550/0xb30
    Jul 26 15:05:02 rx [11061396.106701] tcp_write_xmit+0x3c6/0xc20
    Jul 26 15:05:02 rx [11061396.110792] ? __alloc_skb+0x98/0x1d0
    Jul 26 15:05:02 rx [11061396.114708] __tcp_push_pending_frames+0x37/0x100
    Jul 26 15:05:02 rx [11061396.119667] tcp_push+0xfd/0x100
    Jul 26 15:05:02 rx [11061396.123150] tcp_sendmsg_locked+0xc70/0xdd0
    Jul 26 15:05:02 rx [11061396.127588] tcp_sendmsg+0x2d/0x50
    Jul 26 15:05:02 rx [11061396.131245] inet6_sendmsg+0x43/0x70
    Jul 26 15:05:02 rx [11061396.135075] __sock_sendmsg+0x48/0x70
    Jul 26 15:05:02 rx [11061396.138994] ____sys_sendmsg+0x212/0x280
    Jul 26 15:05:02 rx [11061396.143172] ___sys_sendmsg+0x88/0xd0
    Jul 26 15:05:02 rx [11061396.147098] ? __seccomp_filter+0x7e/0x6b0
    Jul 26 15:05:02 rx [11061396.151446] ? __switch_to+0x39c/0x460
    Jul 26 15:05:02 rx [11061396.155453] ? __switch_to_asm+0x42/0x80
    Jul 26 15:05:02 rx [11061396.159636] ? __switch_to_asm+0x5a/0x80
    Jul 26 15:05:02 rx [11061396.163816] __sys_sendmsg+0x5c/0xa0
    Jul 26 15:05:02 rx [11061396.167647] __x64_sys_sendmsg+0x1f/0x30
    Jul 26 15:05:02 rx [11061396.171832] do_syscall_64+0x57/0x190
    Jul 26 15:05:02 rx [11061396.175748] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
    Jul 26 15:05:02 rx [11061396.181055] RIP: 0033:0x7f1ef692618d
    Jul 26 15:05:02 rx [11061396.184893] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ca ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 48 89 44 24 08 e8 fe ee ff ff 48
    Jul 26 15:05:02 rx [11061396.203889] RSP: 002b:00007f1ef4a26aa0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
    Jul 26 15:05:02 rx [11061396.211708] RAX: ffffffffffffffda RBX: 000000000000084b RCX: 00007f1ef692618d
    Jul 26 15:05:02 rx [11061396.219091] RDX: 0000000000004000 RSI: 00007f1ef4a26b10 RDI: 0000000000000275
    Jul 26 15:05:02 rx [11061396.226475] RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000020
    Jul 26 15:05:02 rx [11061396.233859] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000084b
    Jul 26 15:05:02 rx [11061396.241243] R13: 00007f1ef4a26b10 R14: 0000000000000275 R15: 000055592030f1e8
    Jul 26 15:05:02 rx [11061396.248628] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler nft_ct sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 mlx5_core hid_generic pci_hyperv_intf crc32_pclmul tls usbhid ahci mlxfw bnxt_en libahci hid nvme i2c_piix4 nvme_core wmi
    Jul 26 15:05:02 rx [11061396.324334] CR2: 0000000000000020
    Jul 26 15:05:02 rx [11061396.327944] ---[ end trace 68a2b679d1cfb4f1 ]---
    Jul 26 15:05:02 rx [11061396.433435] RIP: 0010:tcp_rearm_rto+0xe4/0x160
    Jul 26 15:05:02 rx [11061396.438137] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
    Jul 26 15:05:02 rx [11061396.457144] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
    Jul 26 15:05:02 rx [11061396.462629] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
    Jul 26 15:05:02 rx [11061396.470012] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
    Jul 26 15:05:02 rx [11061396.477396] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
    Jul 26 15:05:02 rx [11061396.484779] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
    Jul 26 15:05:02 rx [11061396.492164] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
    Jul 26 15:05:02 rx [11061396.499547] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
    Jul 26 15:05:02 rx [11061396.507886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    Jul 26 15:05:02 rx [11061396.513884] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
    Jul 26 15:05:02 rx [11061396.521267] PKRU: 55555554
    Jul 26 15:05:02 rx [11061396.524230] Kernel panic - not syncing: Fatal exception in interrupt
    Jul 26 15:05:02 rx [11061396.530885] Kernel Offset: 0x1b200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
    Jul 26 15:05:03 rx [11061396.660181] ---[ end Kernel panic - not syncing: Fatal
     exception in interrupt ]---
    
    After we hit this we disabled TLP by setting tcp_early_retrans to 0 and then hit the crash in the RACK case:
    
    Aug 7 07:26:16 rx [1006006.265582] BUG: kernel NULL pointer dereference, address: 0000000000000020
    Aug 7 07:26:16 rx [1006006.272719] #PF: supervisor read access in kernel mode
    Aug 7 07:26:16 rx [1006006.278030] #PF: error_code(0x0000) - not-present page
    Aug 7 07:26:16 rx [1006006.283343] PGD 0 P4D 0
    Aug 7 07:26:16 rx [1006006.286057] Oops: 0000 [#1] SMP NOPTI
    Aug 7 07:26:16 rx [1006006.289896] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.4.0-174-generic #193-Ubuntu
    Aug 7 07:26:16 rx [1006006.299107] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
    Aug 7 07:26:16 rx [1006006.309970] RIP: 0010:tcp_rearm_rto+0xe4/0x160
    Aug 7 07:26:16 rx [1006006.314584] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
    Aug 7 07:26:16 rx [1006006.333499] RSP: 0018:ffffb42600a50960 EFLAGS: 00010246
    Aug 7 07:26:16 rx [1006006.338895] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
    Aug 7 07:26:16 rx [1006006.346193] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff92d687ed8160
    Aug 7 07:26:16 rx [1006006.353489] RBP: ffffb42600a50978 R08: 0000000000000000 R09: 00000000cd896dcc
    Aug 7 07:26:16 rx [1006006.360786] R10: ffff92dc3404f400 R11: 0000000000000001 R12: ffff92d687ed8000
    Aug 7 07:26:16 rx [1006006.368084] R13: ffff92d687ed8160 R14: 00000000cd896dcc R15: 00000000cd8fca81
    Aug 7 07:26:16 rx [1006006.375381] FS: 0000000000000000(0000) GS:ffff93158ad40000(0000) knlGS:0000000000000000
    Aug 7 07:26:16 rx [1006006.383632] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    Aug 7 07:26:16 rx [1006006.389544] CR2: 0000000000000020 CR3: 0000003e775ce006 CR4: 0000000000760ee0
    Aug 7 07:26:16 rx [1006006.396839] PKRU: 55555554
    Aug 7 07:26:16 rx [1006006.399717] Call Trace:
    Aug 7 07:26:16 rx [1006006.402335]
    Aug 7 07:26:16 rx [1006006.404525] ? show_regs.cold+0x1a/0x1f
    Aug 7 07:26:16 rx [1006006.408532] ? __die+0x90/0xd9
    Aug 7 07:26:16 rx [1006006.411760] ? no_context+0x196/0x380
    Aug 7 07:26:16 rx [1006006.415599] ? __bad_area_nosemaphore+0x50/0x1a0
    Aug 7 07:26:16 rx [1006006.420392] ? _raw_spin_lock+0x1e/0x30
    Aug 7 07:26:16 rx [1006006.424401] ? bad_area_nosemaphore+0x16/0x20
    Aug 7 07:26:16 rx [1006006.428927] ? do_user_addr_fault+0x267/0x450
    Aug 7 07:26:16 rx [1006006.433450] ? __do_page_fault+0x58/0x90
    Aug 7 07:26:16 rx [1006006.437542] ? do_page_fault+0x2c/0xe0
    Aug 7 07:26:16 rx [1006006.441470] ? page_fault+0x34/0x40
    Aug 7 07:26:16 rx [1006006.445134] ? tcp_rearm_rto+0xe4/0x160
    Aug 7 07:26:16 rx [1006006.449145] tcp_ack+0xa32/0xb30
    Aug 7 07:26:16 rx [1006006.452542] tcp_rcv_established+0x13c/0x670
    Aug 7 07:26:16 rx [1006006.456981] ? sk_filter_trim_cap+0x48/0x220
    Aug 7 07:26:16 rx [1006006.461419] tcp_v6_do_rcv+0xdb/0x450
    Aug 7 07:26:16 rx [1006006.465257] tcp_v6_rcv+0xc2b/0xd10
    Aug 7 07:26:16 rx [1006006.468918] ip6_protocol_deliver_rcu+0xd3/0x4e0
    Aug 7 07:26:16 rx [1006006.473706] ip6_input_finish+0x15/0x20
    Aug 7 07:26:16 rx [1006006.477710] ip6_input+0xa2/0xb0
    Aug 7 07:26:16 rx [1006006.481109] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
    Aug 7 07:26:16 rx [1006006.486151] ip6_sublist_rcv_finish+0x3d/0x50
    Aug 7 07:26:16 rx [1006006.490679] ip6_sublist_rcv+0x1aa/0x250
    Aug 7 07:26:16 rx [1006006.494779] ? ip6_rcv_finish_core.isra.0+0xa0/0xa0
    Aug 7 07:26:16 rx [1006006.499828] ipv6_list_rcv+0x112/0x140
    Aug 7 07:26:16 rx [1006006.503748] __netif_receive_skb_list_core+0x1a4/0x250
    Aug 7 07:26:16 rx [1006006.509057] netif_receive_skb_list_internal+0x1a1/0x2b0
    Aug 7 07:26:16 rx [1006006.514538] gro_normal_list.part.0+0x1e/0x40
    Aug 7 07:26:16 rx [1006006.519068] napi_complete_done+0x91/0x130
    Aug 7 07:26:16 rx [1006006.523352] mlx5e_napi_poll+0x18e/0x610 [mlx5_core]
    Aug 7 07:26:16 rx [1006006.528481] net_rx_action+0x142/0x390
    Aug 7 07:26:16 rx [1006006.532398] __do_softirq+0xd1/0x2c1
    Aug 7 07:26:16 rx [1006006.536142] irq_exit+0xae/0xb0
    Aug 7 07:26:16 rx [1006006.539452] do_IRQ+0x5a/0xf0
    Aug 7 07:26:16 rx [1006006.542590] common_interrupt+0xf/0xf
    Aug 7 07:26:16 rx [1006006.546421]
    Aug 7 07:26:16 rx [1006006.548695] RIP: 0010:native_safe_halt+0xe/0x10
    Aug 7 07:26:16 rx [1006006.553399] Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65
    Aug 7 07:26:16 rx [1006006.572309] RSP: 0018:ffffb42600177e70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffc2
    Aug 7 07:26:16 rx [1006006.580040] RAX: ffffffff8ed08b20 RBX: 0000000000000005 RCX: 0000000000000001
    Aug 7 07:26:16 rx [1006006.587337] RDX: 00000000f48eeca2 RSI: 0000000000000082 RDI: 0000000000000082
    Aug 7 07:26:16 rx [1006006.594635] RBP: ffffb42600177e90 R08: 0000000000000000 R09: 000000000000020f
    Aug 7 07:26:16 rx [1006006.601931] R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000005
    Aug 7 07:26:16 rx [1006006.609229] R13: ffff93157deb5f00 R14: 0000000000000000 R15: 0000000000000000
    Aug 7 07:26:16 rx [1006006.616530] ? __cpuidle_text_start+0x8/0x8
    Aug 7 07:26:16 rx [1006006.620886] ? default_idle+0x20/0x140
    Aug 7 07:26:16 rx [1006006.624804] arch_cpu_idle+0x15/0x20
    Aug 7 07:26:16 rx [1006006.628545] default_idle_call+0x23/0x30
    Aug 7 07:26:16 rx [1006006.632640] do_idle+0x1fb/0x270
    Aug 7 07:26:16 rx [1006006.636035] cpu_startup_entry+0x20/0x30
    Aug 7 07:26:16 rx [1006006.640126] start_secondary+0x178/0x1d0
    Aug 7 07:26:16 rx [1006006.644218] secondary_startup_64+0xa4/0xb0
    Aug 7 07:26:17 rx [1006006.648568] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet ast mii drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 hid_generic mlx5_core pci_hyperv_intf crc32_pclmul usbhid ahci tls mlxfw bnxt_en hid libahci nvme i2c_piix4 nvme_core wmi [last unloaded: cpuid]
    Aug 7 07:26:17 rx [1006006.726180] CR2: 0000000000000020
    Aug 7 07:26:17 rx [1006006.729718] ---[ end trace e0e2e37e4e612984 ]---
    
    Prior to seeing the first crash and on other machines we also see the warning in
    tcp_send_loss_probe() where packets_out is non-zero, but both transmit and retrans
    queues are empty so we know the box is seeing some accounting issue in this area:
    
    Jul 26 09:15:27 kernel: ------------[ cut here ]------------
    Jul 26 09:15:27 kernel: invalid inflight: 2 state 1 cwnd 68 mss 8988
    Jul 26 09:15:27 kernel: WARNING: CPU: 16 PID: 0 at net/ipv4/tcp_output.c:2605 tcp_send_loss_probe+0x214/0x220
    Jul 26 09:15:27 kernel: Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif joydev input_leds rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_he>
    Jul 26 09:15:27 kernel: CPU: 16 PID: 0 Comm: swapper/16 Not tainted 5.4.0-174-generic #193-Ubuntu
    Jul 26 09:15:27 kernel: Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
    Jul 26 09:15:27 kernel: RIP: 0010:tcp_send_loss_probe+0x214/0x220
    Jul 26 09:15:27 kernel: Code: 08 26 01 00 75 e2 41 0f b6 54 24 12 41 8b 8c 24 c0 06 00 00 45 89 f0 48 c7 c7 e0 b4 20 a7 c6 05 8d 08 26 01 01 e8 4a c0 0f 00 <0f> 0b eb ba 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
    Jul 26 09:15:27 kernel: RSP: 0018:ffffb7838088ce00 EFLAGS: 00010286
    Jul 26 09:15:27 kernel: RAX: 0000000000000000 RBX: ffff9b84b5630430 RCX: 0000000000000006
    Jul 26 09:15:27 kernel: RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9b8e4621c8c0
    Jul 26 09:15:27 kernel: RBP: ffffb7838088ce18 R08: 0000000000000927 R09: 0000000000000004
    Jul 26 09:15:27 kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff9b84b5630000
    Jul 26 09:15:27 kernel: R13: 0000000000000000 R14: 000000000000231c R15: ffff9b84b5630430
    Jul 26 09:15:27 kernel: FS: 0000000000000000(0000) GS:ffff9b8e46200000(0000) knlGS:0000000000000000
    Jul 26 09:15:27 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    Jul 26 09:15:27 kernel: CR2: 000056238cec2380 CR3: 0000003e49ede005 CR4: 0000000000760ee0
    Jul 26 09:15:27 kernel: PKRU: 55555554
    Jul 26 09:15:27 kernel: Call Trace:
    Jul 26 09:15:27 kernel: <IRQ>
    Jul 26 09:15:27 kernel: ? show_regs.cold+0x1a/0x1f
    Jul 26 09:15:27 kernel: ? __warn+0x98/0xe0
    Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
    Jul 26 09:15:27 kernel: ? report_bug+0xd1/0x100
    Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0
    Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50
    Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
    Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30
    Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
    Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240
    Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0
    Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240
    Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130
    Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280
    Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0
    Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90
    Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0
    Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50
    Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
    Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30
    Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
    Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240
    Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0
    Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240
    Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130
    Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280
    Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0
    Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90
    Jul 26 09:15:27 kernel: ? recalibrate_cpu_khz+0x10/0x10
    Jul 26 09:15:27 kernel: ? ktime_get+0x3e/0xa0
    Jul 26 09:15:27 kernel: ? native_x2apic_icr_write+0x30/0x30
    Jul 26 09:15:27 kernel: run_timer_softirq+0x2a/0x50
    Jul 26 09:15:27 kernel: __do_softirq+0xd1/0x2c1
    Jul 26 09:15:27 kernel: irq_exit+0xae/0xb0
    Jul 26 09:15:27 kernel: smp_apic_timer_interrupt+0x7b/0x140
    Jul 26 09:15:27 kernel: apic_timer_interrupt+0xf/0x20
    Jul 26 09:15:27 kernel: </IRQ>
    Jul 26 09:15:27 kernel: RIP: 0010:native_safe_halt+0xe/0x10
    Jul 26 09:15:27 kernel: Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 <c3> 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65
    Jul 26 09:15:27 kernel: RSP: 0018:ffffb783801cfe70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
    Jul 26 09:15:27 kernel: RAX: ffffffffa6908b20 RBX: 0000000000000010 RCX: 0000000000000001
    Jul 26 09:15:27 kernel: RDX: 000000006fc0c97e RSI: 0000000000000082 RDI: 0000000000000082
    Jul 26 09:15:27 kernel: RBP: ffffb783801cfe90 R08: 0000000000000000 R09: 0000000000000225
    Jul 26 09:15:27 kernel: R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000010
    Jul 26 09:15:27 kernel: R13: ffff9b8e390b0000 R14: 0000000000000000 R15: 0000000000000000
    Jul 26 09:15:27 kernel: ? __cpuidle_text_start+0x8/0x8
    Jul 26 09:15:27 kernel: ? default_idle+0x20/0x140
    Jul 26 09:15:27 kernel: arch_cpu_idle+0x15/0x20
    Jul 26 09:15:27 kernel: default_idle_call+0x23/0x30
    Jul 26 09:15:27 kernel: do_idle+0x1fb/0x270
    Jul 26 09:15:27 kernel: cpu_startup_entry+0x20/0x30
    Jul 26 09:15:27 kernel: start_secondary+0x178/0x1d0
    Jul 26 09:15:27 kernel: secondary_startup_64+0xa4/0xb0
    Jul 26 09:15:27 kernel: ---[ end trace e7ac822987e33be1 ]---
    
    The NULL ptr deref is coming from tcp_rto_delta_us() attempting to pull an skb
    off the head of the retransmit queue and then dereferencing that skb to get the
    skb_mstamp_ns value via tcp_skb_timestamp_us(skb).
    
    The crash is the same one that was reported a # of years ago here:
    https://lore.kernel.org/netdev/86c0f836-9a7c-438b-d81a-839be45f1f58@gmail.com/T/#t
    
    and the kernel we're running has the fix which was added to resolve this issue.
    
    Unfortunately we've been unsuccessful so far in reproducing this problem in the
    lab and do not have the luxury of pushing out a new kernel to try and test if
    newer kernels resolve this issue at the moment. I realize this is a report
    against both an Ubuntu kernel and also an older 5.4 kernel. I have reported this
    issue to Ubuntu here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2077657
    however I feel like since this issue has possibly cropped up again it makes
    sense to build in some protection in this path (even on the latest kernel
    versions) since the code in question just blindly assumes there's a valid skb
    without testing if it's NULL b/f it looks at the timestamp.
    
    Given we have seen crashes in this path before and now this case it seems like
    we should protect ourselves for when packets_out accounting is incorrect.
    While we should fix that root cause we should also just make sure the skb
    is not NULL before dereferencing it. Also add a warn once here to capture
    some information if/when the problem case is hit again.
    
    Fixes: e1a10ef7fa87 ("tcp: introduce tcp_rto_delta_us() helper for xmit timer fix")
    Signed-off-by: Josh Hunt <johunt@akamai.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe [+ + +]
Author: Neal Cardwell <ncardwell@google.com>
Date:   Tue Oct 1 20:05:16 2024 +0000

    tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe
    
    [ Upstream commit b41b4cbd9655bcebcce941bef3601db8110335be ]
    
    Fix tcp_enter_recovery() so that if there are no retransmits out then
    we zero retrans_stamp when entering fast recovery. This is necessary
    to fix two buggy behaviors.
    
    Currently a non-zero retrans_stamp value can persist across multiple
    back-to-back loss recovery episodes. This is because we generally only
    clears retrans_stamp if we are completely done with loss recoveries,
    and get to tcp_try_to_open() and find !tcp_any_retrans_done(sk). This
    behavior causes two bugs:
    
    (1) When a loss recovery episode (CA_Loss or CA_Recovery) is followed
    immediately by a new CA_Recovery, the retrans_stamp value can persist
    and can be a time before this new CA_Recovery episode starts. That
    means that timestamp-based undo will be using the wrong retrans_stamp
    (a value that is too old) when comparing incoming TS ecr values to
    retrans_stamp to see if the current fast recovery episode can be
    undone.
    
    (2) If there is a roughly minutes-long sequence of back-to-back fast
    recovery episodes, one after another (e.g. in a shallow-buffered or
    policed bottleneck), where each fast recovery successfully makes
    forward progress and recovers one window of sequence space (but leaves
    at least one retransmit in flight at the end of the recovery),
    followed by several RTOs, then the ETIMEDOUT check may be using the
    wrong retrans_stamp (a value set at the start of the first fast
    recovery in the sequence). This can cause a very premature ETIMEDOUT,
    killing the connection prematurely.
    
    This commit changes the code to zero retrans_stamp when entering fast
    recovery, when this is known to be safe (no retransmits are out in the
    network). That ensures that when starting a fast recovery episode, and
    it is safe to do so, retrans_stamp is set when we send the fast
    retransmit packet. That addresses both bug (1) and bug (2) by ensuring
    that (if no retransmits are out when we start a fast recovery) we use
    the initial fast retransmit of this fast recovery as the time value
    for undo and ETIMEDOUT calculations.
    
    This makes intuitive sense, since the start of a new fast recovery
    episode (in a scenario where no lost packets are out in the network)
    means that the connection has made forward progress since the last RTO
    or fast recovery, and we should thus "restart the clock" used for both
    undo and ETIMEDOUT logic.
    
    Note that if when we start fast recovery there *are* retransmits out
    in the network, there can still be undesirable (1)/(2) issues. For
    example, after this patch we can still have the (1) and (2) problems
    in cases like this:
    
    + round 1: sender sends flight 1
    
    + round 2: sender receives SACKs and enters fast recovery 1,
      retransmits some packets in flight 1 and then sends some new data as
      flight 2
    
    + round 3: sender receives some SACKs for flight 2, notes losses, and
      retransmits some packets to fill the holes in flight 2
    
    + fast recovery has some lost retransmits in flight 1 and continues
      for one or more rounds sending retransmits for flight 1 and flight 2
    
    + fast recovery 1 completes when snd_una reaches high_seq at end of
      flight 1
    
    + there are still holes in the SACK scoreboard in flight 2, so we
      enter fast recovery 2, but some retransmits in the flight 2 sequence
      range are still in flight (retrans_out > 0), so we can't execute the
      new retrans_stamp=0 added here to clear retrans_stamp
    
    It's not yet clear how to fix these remaining (1)/(2) issues in an
    efficient way without breaking undo behavior, given that retrans_stamp
    is currently used for undo and ETIMEDOUT. Perhaps the optimal (but
    expensive) strategy would be to set retrans_stamp to the timestamp of
    the earliest outstanding retransmit when entering fast recovery. But
    at least this commit makes things better.
    
    Note that this does not change the semantics of retrans_stamp; it
    simply makes retrans_stamp accurate in some cases where it was not
    before:
    
    (1) Some loss recovery, followed by an immediate entry into a fast
    recovery, where there are no retransmits out when entering the fast
    recovery.
    
    (2) When a TFO server has a SYNACK retransmit that sets retrans_stamp,
    and then the ACK that completes the 3-way handshake has SACK blocks
    that trigger a fast recovery. In this case when entering fast recovery
    we want to zero out the retrans_stamp from the TFO SYNACK retransmit,
    and set the retrans_stamp based on the timestamp of the fast recovery.
    
    We introduce a tcp_retrans_stamp_cleanup() helper, because this
    two-line sequence already appears in 3 places and is about to appear
    in 2 more as a result of this bug fix patch series. Once this bug fix
    patches series in the net branch makes it into the net-next branch
    we'll update the 3 other call sites to use the new helper.
    
    This is a long-standing issue. The Fixes tag below is chosen to be the
    oldest commit at which the patch will apply cleanly, which is from
    Linux v3.5 in 2012.
    
    Fixes: 1fbc340514fc ("tcp: early retransmit: tcp_enter_recovery()")
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Link: https://patch.msgid.link/20241001200517.2756803-3-ncardwell.sw@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: introduce tcp_skb_timestamp_us() helper [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Sep 21 08:51:47 2018 -0700

    tcp: introduce tcp_skb_timestamp_us() helper
    
    [ Upstream commit 2fd66ffba50716fc5ab481c48db643af3bda2276 ]
    
    There are few places where TCP reads skb->skb_mstamp expecting
    a value in usec unit.
    
    skb->tstamp (aka skb->skb_mstamp) will soon store CLOCK_TAI nsec value.
    
    Add tcp_skb_timestamp_us() to provide proper conversion when needed.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Stable-dep-of: c8770db2d544 ("tcp: check skb is non-NULL in tcp_rto_delta_us()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tipc: guard against string buffer overrun [+ + +]
Author: Simon Horman <horms@kernel.org>
Date:   Thu Aug 1 19:35:37 2024 +0100

    tipc: guard against string buffer overrun
    
    [ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ]
    
    Smatch reports that copying media_name and if_name to name_parts may
    overwrite the destination.
    
     .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
     .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)
    
    This does seem to be the case so guard against this possibility by using
    strscpy() and failing if truncation occurs.
    
    Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")
    
    Compile tested only.
    
    Reviewed-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tomoyo: fallback to realpath if symlink's pathname does not exist [+ + +]
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date:   Wed Sep 25 22:30:59 2024 +0900

    tomoyo: fallback to realpath if symlink's pathname does not exist
    
    commit ada1986d07976d60bed5017aa38b7f7cf27883f7 upstream.
    
    Alfred Agrell found that TOMOYO cannot handle execveat(AT_EMPTY_PATH)
    inside chroot environment where /dev and /proc are not mounted, for
    commit 51f39a1f0cea ("syscalls: implement execveat() system call") missed
    that TOMOYO tries to canonicalize argv[0] when the filename fed to the
    executed program as argv[0] is supplied using potentially nonexistent
    pathname.
    
    Since "/dev/fd/<fd>" already lost symlink information used for obtaining
    that <fd>, it is too late to reconstruct symlink's pathname. Although
    <filename> part of "/dev/fd/<fd>/<filename>" might not be canonicalized,
    TOMOYO cannot use tomoyo_realpath_nofollow() when /dev or /proc is not
    mounted. Therefore, fallback to tomoyo_realpath_from_path() when
    tomoyo_realpath_nofollow() failed.
    
    Reported-by: Alfred Agrell <blubban@gmail.com>
    Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082001
    Fixes: 51f39a1f0cea ("syscalls: implement execveat() system call")
    Cc: stable@vger.kernel.org # v3.19+
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
tools/iio: Add memory allocation failure check for trigger_name [+ + +]
Author: Zhu Jun <zhujun2@cmss.chinamobile.com>
Date:   Wed Aug 28 02:31:29 2024 -0700

    tools/iio: Add memory allocation failure check for trigger_name
    
    [ Upstream commit 3c6b818b097dd6932859bcc3d6722a74ec5931c1 ]
    
    Added a check to handle memory allocation failure for `trigger_name`
    and return `-ENOMEM`.
    
    Signed-off-by: Zhu Jun <zhujun2@cmss.chinamobile.com>
    Link: https://patch.msgid.link/20240828093129.3040-1-zhujun2@cmss.chinamobile.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tracing: Remove precision vsnprintf() check from print event [+ + +]
Author: Steven Rostedt (Google) <rostedt@goodmis.org>
Date:   Mon Mar 4 17:43:41 2024 -0500

    tracing: Remove precision vsnprintf() check from print event
    
    [ Upstream commit 5efd3e2aef91d2d812290dcb25b2058e6f3f532c ]
    
    This reverts 60be76eeabb3d ("tracing: Add size check when printing
    trace_marker output"). The only reason the precision check was added
    was because of a bug that miscalculated the write size of the string into
    the ring buffer and it truncated it removing the terminating nul byte. On
    reading the trace it crashed the kernel. But this was due to the bug in
    the code that happened during development and should never happen in
    practice. If anything, the precision can hide bugs where the string in the
    ring buffer isn't nul terminated and it will not be checked.
    
    Link: https://lore.kernel.org/all/C7E7AF1A-D30F-4D18-B8E5-AF1EF58004F5@linux.ibm.com/
    Link: https://lore.kernel.org/linux-trace-kernel/20240227125706.04279ac2@gandalf.local.home
    Link: https://lore.kernel.org/all/20240302111244.3a1674be@gandalf.local.home/
    Link: https://lore.kernel.org/linux-trace-kernel/20240304174341.2a561d9f@gandalf.local.home
    
    Cc: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Fixes: 60be76eeabb3d ("tracing: Add size check when printing trace_marker output")
    Reported-by: Sachin Sant <sachinp@linux.ibm.com>
    Tested-by: Sachin Sant <sachinp@linux.ibm.com>
    Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tty: rp2: Fix reset with non forgiving PCIe host bridges [+ + +]
Author: Florian Fainelli <florian.fainelli@broadcom.com>
Date:   Fri Sep 6 15:54:33 2024 -0700

    tty: rp2: Fix reset with non forgiving PCIe host bridges
    
    commit f16dd10ba342c429b1e36ada545fb36d4d1f0e63 upstream.
    
    The write to RP2_GLOBAL_CMD followed by an immediate read of
    RP2_GLOBAL_CMD in rp2_reset_asic() is intented to flush out the write,
    however by then the device is already in reset and cannot respond to a
    memory cycle access.
    
    On platforms such as the Raspberry Pi 4 and others using the
    pcie-brcmstb.c driver, any memory access to a device that cannot respond
    is met with a fatal system error, rather than being substituted with all
    1s as is usually the case on PC platforms.
    
    Swapping the delay and the read ensures that the device has finished
    resetting before we attempt to read from it.
    
    Fixes: 7d9f49afa451 ("serial: rp2: New driver for Comtrol RocketPort 2 cards")
    Cc: stable <stable@kernel.org>
    Suggested-by: Jim Quinlan <james.quinlan@broadcom.com>
    Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Link: https://lore.kernel.org/r/20240906225435.707837-1-florian.fainelli@broadcom.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
udf: fix uninit-value use in udf_get_fileshortad [+ + +]
Author: Gianfranco Trad <gianf.trad@gmail.com>
Date:   Wed Sep 25 09:46:15 2024 +0200

    udf: fix uninit-value use in udf_get_fileshortad
    
    [ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ]
    
    Check for overflow when computing alen in udf_current_aext to mitigate
    later uninit-value use in udf_get_fileshortad KMSAN bug[1].
    After applying the patch reproducer did not trigger any issue[2].
    
    [1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
    [2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
    
    Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
    Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
    Suggested-by: Jan Kara <jack@suse.com>
    Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
uprobes: fix kernel info leak via "[uprobes]" vma [+ + +]
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Mon Oct 7 19:46:01 2024 +0200

    uprobes: fix kernel info leak via "[uprobes]" vma
    
    commit 34820304cc2cd1804ee1f8f3504ec77813d29c8e upstream.
    
    xol_add_vma() maps the uninitialized page allocated by __create_xol_area()
    into userspace. On some architectures (x86) this memory is readable even
    without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ,
    although this doesn't really matter, debugger can read this memory anyway.
    
    Link: https://lore.kernel.org/all/20240929162047.GA12611@redhat.com/
    
    Reported-by: Will Deacon <will@kernel.org>
    Fixes: d4b3b6384f98 ("uprobes/core: Allocate XOL slots for uprobes use")
    Cc: stable@vger.kernel.org
    Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
USB: appledisplay: close race between probe and completion handler [+ + +]
Author: Oliver Neukum <oneukum@suse.com>
Date:   Thu Sep 12 14:32:59 2024 +0200

    USB: appledisplay: close race between probe and completion handler
    
    commit 8265d06b7794493d82c5c21a12d7ba43eccc30cb upstream.
    
    There is a small window during probing when IO is running
    but the backlight is not registered. Processing events
    during that time will crash. The completion handler
    needs to check for a backlight before scheduling work.
    
    The bug is as old as the driver.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    CC: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240912123317.1026049-1-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: chipidea: udc: enable suspend interrupt after usb reset [+ + +]
Author: Xu Yang <xu.yang_2@nxp.com>
Date:   Fri Aug 23 15:38:32 2024 +0800

    usb: chipidea: udc: enable suspend interrupt after usb reset
    
    [ Upstream commit e4fdcc10092fb244218013bfe8ff01c55d54e8e4 ]
    
    Currently, suspend interrupt is enabled before pullup enable operation.
    This will cause a suspend interrupt assert right after pullup DP. This
    suspend interrupt is meaningless, so this will ignore such interrupt
    by enable it after usb reset completed.
    
    Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
    Acked-by: Peter Chen <peter.chen@kernel.org>
    Link: https://lore.kernel.org/r/20240823073832.1702135-1-xu.yang_2@nxp.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc [+ + +]
Author: Yu Chen <chenyu56@huawei.com>
Date:   Tue Sep 8 09:20:56 2020 +0200

    usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc
    
    [ Upstream commit f580170f135af14e287560d94045624d4242d712 ]
    
    SPLIT_BOUNDARY_DISABLE should be set for DesignWare USB3 DRD Core
    of Hisilicon Kirin Soc when dwc3 core act as host.
    
    [mchehab: dropped a dev_dbg() as only traces are now allowwed on this driver]
    
    Signed-off-by: Yu Chen <chenyu56@huawei.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Felipe Balbi <balbi@kernel.org>
    Stable-dep-of: 0d410e8913f5 ("usb: dwc3: core: Stop processing of pending events if controller is halted")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

usb: dwc3: core: Stop processing of pending events if controller is halted [+ + +]
Author: Selvarasu Ganesan <selvarasu.g@samsung.com>
Date:   Tue Sep 17 04:48:09 2024 +0530

    usb: dwc3: core: Stop processing of pending events if controller is halted
    
    [ Upstream commit 0d410e8913f5cffebcca79ffdd596009d4a13a28 ]
    
    This commit addresses an issue where events were being processed when
    the controller was in a halted state. To fix this issue by stop
    processing the events as the event count was considered stale or
    invalid when the controller was halted.
    
    Fixes: fc8bb91bc83e ("usb: dwc3: implement runtime PM")
    Cc: stable@kernel.org
    Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
    Suggested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
    Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
    Link: https://lore.kernel.org/r/20240916231813.206-1-selvarasu.g@samsung.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

usb: dwc3: remove generic PHY calibrate() calls [+ + +]
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Thu Aug 29 07:30:28 2019 +0200

    usb: dwc3: remove generic PHY calibrate() calls
    
    [ Upstream commit a0a465569b45e3690be155c96fb54603d6904f41 ]
    
    Calls to USB2 generic PHY calibrate() method has been moved to HCD core,
    which now successfully handles generic PHYs and their calibration after
    every HCD reset. This fixes all the timing issues related to PHY
    calibration done directly from DWC3 driver: incorrect operation after
    system suspend/resume or USB3.0 detection failure when XHCI-plat driver
    compiled as separate module.
    
    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Tested-by: Anand Moon <linux.amoon@gmail.com>
    Tested-by: Jochen Sprickerhof <jochen@sprickerhof.de>
    Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
    Link: https://lore.kernel.org/r/20190829053028.32438-3-m.szyprowski@samsung.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Stable-dep-of: 0d410e8913f5 ("usb: dwc3: core: Stop processing of pending events if controller is halted")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
USB: misc: cypress_cy7c63: check for short transfer [+ + +]
Author: Oliver Neukum <oneukum@suse.com>
Date:   Thu Sep 12 14:54:43 2024 +0200

    USB: misc: cypress_cy7c63: check for short transfer
    
    commit 49cd2f4d747eeb3050b76245a7f72aa99dbd3310 upstream.
    
    As we process the second byte of a control transfer, transfers
    of less than 2 bytes must be discarded.
    
    This bug is as old as the driver.
    
    SIgned-off-by: Oliver Neukum <oneukum@suse.com>
    CC: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240912125449.1030536-1-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: misc: yurex: fix race between read and write [+ + +]
Author: Oliver Neukum <oneukum@suse.com>
Date:   Thu Sep 12 15:21:22 2024 +0200

    USB: misc: yurex: fix race between read and write
    
    [ Upstream commit 93907620b308609c72ba4b95b09a6aa2658bb553 ]
    
    The write code path touches the bbu member in a non atomic manner
    without taking the spinlock. Fix it.
    
    The bug is as old as the driver.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    CC: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240912132126.1034743-1-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
usb: phy: Fix API devm_usb_put_phy() can not release the phy [+ + +]
Author: Zijun Hu <quic_zijuhu@quicinc.com>
Date:   Sun Oct 20 17:33:42 2024 +0800

    usb: phy: Fix API devm_usb_put_phy() can not release the phy
    
    commit fdce49b5da6e0fb6d077986dec3e90ef2b094b50 upstream.
    
    For devm_usb_put_phy(), its comment says it needs to invoke usb_put_phy()
    to release the phy, but it does not do that actually, so it can not fully
    undo what the API devm_usb_get_phy() does, that is wrong, fixed by using
    devres_release() instead of devres_destroy() within the API.
    
    Fixes: cedf8602373a ("usb: phy: move bulk of otg/otg.c to phy/phy.c")
    Cc: stable@vger.kernel.org
    Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
    Link: https://lore.kernel.org/r/20241020-usb_phy_fix-v1-1-7f79243b8e1e@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
USB: serial: option: add support for Quectel EG916Q-GL [+ + +]
Author: Benjamin B. Frost <benjamin@geanix.com>
Date:   Wed Sep 11 10:54:05 2024 +0200

    USB: serial: option: add support for Quectel EG916Q-GL
    
    commit 540eff5d7faf0c9330ec762da49df453263f7676 upstream.
    
    Add Quectel EM916Q-GL with product ID 0x6007
    
    T:  Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=6007 Rev= 2.00
    S:  Manufacturer=Quectel
    S:  Product=EG916Q-GL
    C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=200mA
    A:  FirstIf#= 4 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=82(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=84(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=86(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether
    E:  Ad=88(I) Atr=03(Int.) MxPS=  32 Ivl=32ms
    I:  If#= 5 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
    I:* If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    MI_00 Quectel USB Diag Port
    MI_01 Quectel USB NMEA Port
    MI_02 Quectel USB AT Port
    MI_03 Quectel USB Modem Port
    MI_04 Quectel USB Net Port
    
    Signed-off-by: Benjamin B. Frost <benjamin@geanix.com>
    Reviewed-by: Lars Melin <larsm17@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Telit FN920C04 MBIM compositions [+ + +]
Author: Daniele Palmas <dnlplm@gmail.com>
Date:   Thu Oct 3 11:38:08 2024 +0200

    USB: serial: option: add Telit FN920C04 MBIM compositions
    
    commit 6d951576ee16430822a8dee1e5c54d160e1de87d upstream.
    
    Add the following Telit FN920C04 compositions:
    
    0x10a2: MBIM + tty (AT/NMEA) + tty (AT) + tty (diag)
    T:  Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 17 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=10a2 Rev=05.15
    S:  Manufacturer=Telit Cinterion
    S:  Product=FN920
    S:  SerialNumber=92c4c4d8
    C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    0x10a7: MBIM + tty (AT) + tty (AT) + tty (diag)
    T:  Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 18 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=10a7 Rev=05.15
    S:  Manufacturer=Telit Cinterion
    S:  Product=FN920
    S:  SerialNumber=92c4c4d8
    C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    0x10aa: MBIM + tty (AT) + tty (diag) + DPL (data packet logging) + adb
    T:  Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 15 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=10aa Rev=05.15
    S:  Manufacturer=Telit Cinterion
    S:  Product=FN920
    S:  SerialNumber=92c4c4d8
    C:  #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: pl2303: add device id for Macrosilicon MS3020 [+ + +]
Author: Junhao Xie <bigfoot@classfun.cn>
Date:   Tue Sep 3 23:06:38 2024 +0800

    USB: serial: pl2303: add device id for Macrosilicon MS3020
    
    commit 7d47d22444bb7dc1b6d768904a22070ef35e1fc0 upstream.
    
    Add the device id for the Macrosilicon MS3020 which is a
    PL2303HXN based device.
    
    Signed-off-by: Junhao Xie <bigfoot@classfun.cn>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip [+ + +]
Author: Icenowy Zheng <uwu@icenowy.me>
Date:   Tue Oct 1 16:34:07 2024 +0800

    usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip
    
    commit a6555cb1cb69db479d0760e392c175ba32426842 upstream.
    
    JieLi tends to use SCSI via USB Mass Storage to implement their own
    proprietary commands instead of implementing another USB interface.
    Enumerating it as a generic mass storage device will lead to a Hardware
    Error sense key get reported.
    
    Ignore this bogus device to prevent appearing a unusable sdX device
    file.
    
    Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
    Cc: stable <stable@kernel.org>
    Acked-by: Alan Stern <stern@rowland.harvard.edu>
    Link: https://lore.kernel.org/r/20241001083407.8336-1-uwu@icenowy.me
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: typec: altmode should keep reference to parent [+ + +]
Author: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Date:   Fri Oct 4 09:37:38 2024 -0300

    usb: typec: altmode should keep reference to parent
    
    [ Upstream commit befab3a278c59db0cc88c8799638064f6d3fd6f8 ]
    
    The altmode device release refers to its parent device, but without keeping
    a reference to it.
    
    When registering the altmode, get a reference to the parent and put it in
    the release function.
    
    Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues
    like this:
    
    [   43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)
    [   43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)
    [   43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)
    [   43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)
    [   43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)
    [   43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)
    [   43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)
    [   46.612867] ==================================================================
    [   46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129
    [   46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48
    [   46.614538]
    [   46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535
    [   46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
    [   46.616042] Workqueue: events kobject_delayed_cleanup
    [   46.616446] Call Trace:
    [   46.616648]  <TASK>
    [   46.616820]  dump_stack_lvl+0x5b/0x7c
    [   46.617112]  ? typec_altmode_release+0x38/0x129
    [   46.617470]  print_report+0x14c/0x49e
    [   46.617769]  ? rcu_read_unlock_sched+0x56/0x69
    [   46.618117]  ? __virt_addr_valid+0x19a/0x1ab
    [   46.618456]  ? kmem_cache_debug_flags+0xc/0x1d
    [   46.618807]  ? typec_altmode_release+0x38/0x129
    [   46.619161]  kasan_report+0x8d/0xb4
    [   46.619447]  ? typec_altmode_release+0x38/0x129
    [   46.619809]  ? process_scheduled_works+0x3cb/0x85f
    [   46.620185]  typec_altmode_release+0x38/0x129
    [   46.620537]  ? process_scheduled_works+0x3cb/0x85f
    [   46.620907]  device_release+0xaf/0xf2
    [   46.621206]  kobject_delayed_cleanup+0x13b/0x17a
    [   46.621584]  process_scheduled_works+0x4f6/0x85f
    [   46.621955]  ? __pfx_process_scheduled_works+0x10/0x10
    [   46.622353]  ? hlock_class+0x31/0x9a
    [   46.622647]  ? lock_acquired+0x361/0x3c3
    [   46.622956]  ? move_linked_works+0x46/0x7d
    [   46.623277]  worker_thread+0x1ce/0x291
    [   46.623582]  ? __kthread_parkme+0xc8/0xdf
    [   46.623900]  ? __pfx_worker_thread+0x10/0x10
    [   46.624236]  kthread+0x17e/0x190
    [   46.624501]  ? kthread+0xfb/0x190
    [   46.624756]  ? __pfx_kthread+0x10/0x10
    [   46.625015]  ret_from_fork+0x20/0x40
    [   46.625268]  ? __pfx_kthread+0x10/0x10
    [   46.625532]  ret_from_fork_asm+0x1a/0x30
    [   46.625805]  </TASK>
    [   46.625953]
    [   46.626056] Allocated by task 678:
    [   46.626287]  kasan_save_stack+0x24/0x44
    [   46.626555]  kasan_save_track+0x14/0x2d
    [   46.626811]  __kasan_kmalloc+0x3f/0x4d
    [   46.627049]  __kmalloc_noprof+0x1bf/0x1f0
    [   46.627362]  typec_register_port+0x23/0x491
    [   46.627698]  cros_typec_probe+0x634/0xbb6
    [   46.628026]  platform_probe+0x47/0x8c
    [   46.628311]  really_probe+0x20a/0x47d
    [   46.628605]  device_driver_attach+0x39/0x72
    [   46.628940]  bind_store+0x87/0xd7
    [   46.629213]  kernfs_fop_write_iter+0x1aa/0x218
    [   46.629574]  vfs_write+0x1d6/0x29b
    [   46.629856]  ksys_write+0xcd/0x13b
    [   46.630128]  do_syscall_64+0xd4/0x139
    [   46.630420]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
    [   46.630820]
    [   46.630946] Freed by task 48:
    [   46.631182]  kasan_save_stack+0x24/0x44
    [   46.631493]  kasan_save_track+0x14/0x2d
    [   46.631799]  kasan_save_free_info+0x3f/0x4d
    [   46.632144]  __kasan_slab_free+0x37/0x45
    [   46.632474]  kfree+0x1d4/0x252
    [   46.632725]  device_release+0xaf/0xf2
    [   46.633017]  kobject_delayed_cleanup+0x13b/0x17a
    [   46.633388]  process_scheduled_works+0x4f6/0x85f
    [   46.633764]  worker_thread+0x1ce/0x291
    [   46.634065]  kthread+0x17e/0x190
    [   46.634324]  ret_from_fork+0x20/0x40
    [   46.634621]  ret_from_fork_asm+0x1a/0x30
    
    Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
    Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20241004123738.2964524-1-cascardo@igalia.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

usb: xhci: Fix problem with xhci resume from suspend [+ + +]
Author: Jose Alberto Reguero <jose.alberto.reguero@gmail.com>
Date:   Thu Sep 19 20:42:02 2024 +0200

    usb: xhci: Fix problem with xhci resume from suspend
    
    commit d44238d8254a36249d576c96473269dbe500f5e4 upstream.
    
    I have a ASUS PN51 S mini pc that has two xhci devices. One from AMD,
    and other from ASMEDIA. The one from ASMEDIA have problems when resume
    from suspend, and keep broken until unplug the  power cord. I use this
    kernel parameter: xhci-hcd.quirks=128 and then it works ok. I make a
    path to reset only the ASMEDIA xhci.
    
    Signed-off-by: Jose Alberto Reguero <jose.alberto.reguero@gmail.com>
    Cc: stable <stable@kernel.org>
    Link: https://lore.kernel.org/r/20240919184202.22249-1-jose.alberto.reguero@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: yurex: Fix inconsistent locking bug in yurex_read() [+ + +]
Author: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Date:   Mon Dec 18 22:36:35 2023 -0800

    usb: yurex: Fix inconsistent locking bug in yurex_read()
    
    commit e7d3b9f28654dbfce7e09f8028210489adaf6a33 upstream.
    
    Unlock before returning on the error path.
    
    Fixes: 86b20af11e84 ("usb: yurex: Replace snprintf() with the safer scnprintf() variant")
    Reported-by: Dan Carpenter <error27@gmail.com>
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/r/202312170252.3udgrIcP-lkp@intel.com/
    Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    Link: https://lore.kernel.org/r/20231219063639.450994-1-harshit.m.mogalapalli@oracle.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: yurex: Replace snprintf() with the safer scnprintf() variant [+ + +]
Author: Lee Jones <lee@kernel.org>
Date:   Wed Dec 13 16:42:37 2023 +0000

    usb: yurex: Replace snprintf() with the safer scnprintf() variant
    
    [ Upstream commit 86b20af11e84c26ae3fde4dcc4f490948e3f8035 ]
    
    There is a general misunderstanding amongst engineers that {v}snprintf()
    returns the length of the data *actually* encoded into the destination
    array.  However, as per the C99 standard {v}snprintf() really returns
    the length of the data that *would have been* written if there were
    enough space for it.  This misunderstanding has led to buffer-overruns
    in the past.  It's generally considered safer to use the {v}scnprintf()
    variants in their place (or even sprintf() in simple cases).  So let's
    do that.
    
    Whilst we're at it, let's define some magic numbers to increase
    readability and ease of maintenance.
    
    Link: https://lwn.net/Articles/69419/
    Link: https://github.com/KSPP/linux/issues/105
    Cc: Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
    Signed-off-by: Lee Jones <lee@kernel.org>
    Link: https://lore.kernel.org/r/20231213164246.1021885-9-lee@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Stable-dep-of: 93907620b308 ("USB: misc: yurex: fix race between read and write")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
usbip: tools: Fix detach_port() invalid port error path [+ + +]
Author: Zongmin Zhou <zhouzongmin@kylinos.cn>
Date:   Thu Oct 24 10:27:00 2024 +0800

    usbip: tools: Fix detach_port() invalid port error path
    
    commit e7cd4b811c9e019f5acbce85699c622b30194c24 upstream.
    
    The detach_port() doesn't return error
    when detach is attempted on an invalid port.
    
    Fixes: 40ecdeb1a187 ("usbip: usbip_detach: fix to check for invalid ports")
    Cc: stable@vger.kernel.org
    Reviewed-by: Hongren Zheng <i@zenithal.me>
    Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Zongmin Zhou <zhouzongmin@kylinos.cn>
    Link: https://lore.kernel.org/r/20241024022700.1236660-1-min_halo@163.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usbnet: ipheth: fix carrier detection in modes 1 and 4 [+ + +]
Author: Foster Snowhill <forst@pen.gy>
Date:   Tue Aug 6 19:28:09 2024 +0200

    usbnet: ipheth: fix carrier detection in modes 1 and 4
    
    [ Upstream commit 67927a1b255d883881be9467508e0af9a5e0be9d ]
    
    Apart from the standard "configurations", "interfaces" and "alternate
    interface settings" in USB, iOS devices also have a notion of
    "modes". In different modes, the device exposes a different set of
    available configurations.
    
    Depending on the iOS version, and depending on the current mode, the
    length and contents of the carrier state control message differs:
    
    * 1 byte (seen on iOS 4.2.1, 8.4):
        * 03: carrier off (mode 0)
        * 04: carrier on (mode 0)
    * 3 bytes (seen on iOS 10.3.4, 15.7.6):
        * 03 03 03: carrier off (mode 0)
        * 04 04 03: carrier on (mode 0)
    * 4 bytes (seen on iOS 16.5, 17.6):
        * 03 03 03 00: carrier off (mode 0)
        * 04 03 03 00: carrier off (mode 1)
        * 06 03 03 00: carrier off (mode 4)
        * 04 04 03 04: carrier on (mode 0 and 1)
        * 06 04 03 04: carrier on (mode 4)
    
    Before this change, the driver always used the first byte of the
    response to determine carrier state.
    
    From this larger sample, the first byte seems to indicate the number of
    available USB configurations in the current mode (with the exception of
    the default mode 0), and in some cases (namely mode 1 and 4) does not
    correlate with the carrier state.
    
    Previous logic erroneously counted `04 03 03 00` as "carrier on" and
    `06 04 03 04` as "carrier off" on iOS versions that support mode 1 and
    mode 4 respectively.
    
    Only modes 0, 1 and 4 expose the USB Ethernet interfaces necessary for
    the ipheth driver.
    
    Check the second byte of the control message where possible, and fall
    back to checking the first byte on older iOS versions.
    
    Signed-off-by: Foster Snowhill <forst@pen.gy>
    Tested-by: Georgi Valkov <gvalkov@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
vfs: fix race between evice_inodes() and find_inode()&iput() [+ + +]
Author: Julian Sun <sunjunchao2870@gmail.com>
Date:   Fri Aug 23 21:07:30 2024 +0800

    vfs: fix race between evice_inodes() and find_inode()&iput()
    
    commit 88b1afbf0f6b221f6c5bb66cc80cd3b38d696687 upstream.
    
    Hi, all
    
    Recently I noticed a bug[1] in btrfs, after digged it into
    and I believe it'a race in vfs.
    
    Let's assume there's a inode (ie ino 261) with i_count 1 is
    called by iput(), and there's a concurrent thread calling
    generic_shutdown_super().
    
    cpu0:                              cpu1:
    iput() // i_count is 1
      ->spin_lock(inode)
      ->dec i_count to 0
      ->iput_final()                    generic_shutdown_super()
        ->__inode_add_lru()               ->evict_inodes()
          // cause some reason[2]           ->if (atomic_read(inode->i_count)) continue;
          // return before                  // inode 261 passed the above check
          // list_lru_add_obj()             // and then schedule out
       ->spin_unlock()
    // note here: the inode 261
    // was still at sb list and hash list,
    // and I_FREEING|I_WILL_FREE was not been set
    
    btrfs_iget()
      // after some function calls
      ->find_inode()
        // found the above inode 261
        ->spin_lock(inode)
       // check I_FREEING|I_WILL_FREE
       // and passed
          ->__iget()
        ->spin_unlock(inode)                // schedule back
                                            ->spin_lock(inode)
                                            // check (I_NEW|I_FREEING|I_WILL_FREE) flags,
                                            // passed and set I_FREEING
    iput()                                  ->spin_unlock(inode)
      ->spin_lock(inode)                      ->evict()
      // dec i_count to 0
      ->iput_final()
        ->spin_unlock()
        ->evict()
    
    Now, we have two threads simultaneously evicting
    the same inode, which may trigger the BUG(inode->i_state & I_CLEAR)
    statement both within clear_inode() and iput().
    
    To fix the bug, recheck the inode->i_count after holding i_lock.
    Because in the most scenarios, the first check is valid, and
    the overhead of spin_lock() can be reduced.
    
    If there is any misunderstanding, please let me know, thanks.
    
    [1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/
    [2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()
    return false when I reproduced the bug.
    
    Reported-by: syzbot+67ba3c42bcbb4665d3ad@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=67ba3c42bcbb4665d3ad
    CC: stable@vger.kernel.org
    Fixes: 63997e98a3be ("split invalidate_inodes()")
    Signed-off-by: Julian Sun <sunjunchao2870@gmail.com>
    Link: https://lore.kernel.org/r/20240823130730.658881-1-sunjunchao2870@gmail.com
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
virtio_console: fix misc probe bugs [+ + +]
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Mon Sep 16 14:16:44 2024 -0400

    virtio_console: fix misc probe bugs
    
    [ Upstream commit b9efbe2b8f0177fa97bfab290d60858900aa196b ]
    
    This fixes the following issue discovered by code review:
    
    after vqs have been created, a buggy device can send an interrupt.
    
    A control vq callback will then try to schedule control_work which has
    not been initialized yet. Similarly for config interrupt.  Further, in
    and out vq callbacks invoke find_port_by_vq which attempts to take
    ports_lock which also has not been initialized.
    
    To fix, init all locks and work before creating vqs.
    
    Message-ID: <ad982e975a6160ad110c623c016041311ca15b4f.1726511547.git.mst@redhat.com>
    Fixes: 17634ba25544 ("virtio: console: Add a new MULTIPORT feature, support for generic ports")
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
vt: prevent kernel-infoleak in con_font_get() [+ + +]
Author: Jeongjun Park <aha310510@gmail.com>
Date:   Fri Oct 11 02:46:19 2024 +0900

    vt: prevent kernel-infoleak in con_font_get()
    
    commit f956052e00de211b5c9ebaa1958366c23f82ee9e upstream.
    
    font.data may not initialize all memory spaces depending on the implementation
    of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it
    is safest to modify it to initialize the allocated memory space to 0, and it
    generally does not affect the overall performance of the system.
    
    Cc: stable@vger.kernel.org
    Reported-by: syzbot+955da2d57931604ee691@syzkaller.appspotmail.com
    Fixes: 05e2600cb0a4 ("VT: Bump font size limitation to 64x128 pixels")
    Signed-off-by: Jeongjun Park <aha310510@gmail.com>
    Link: https://lore.kernel.org/r/20241010174619.59662-1-aha310510@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
wifi: ath10k: Fix memory leak in management tx [+ + +]
Author: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
Date:   Tue Oct 15 12:11:03 2024 +0530

    wifi: ath10k: Fix memory leak in management tx
    
    commit e15d84b3bba187aa372dff7c58ce1fd5cb48a076 upstream.
    
    In the current logic, memory is allocated for storing the MSDU context
    during management packet TX but this memory is not being freed during
    management TX completion. Similar leaks are seen in the management TX
    cleanup logic.
    
    Kmemleak reports this problem as below,
    
    unreferenced object 0xffffff80b64ed250 (size 16):
      comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s)
      hex dump (first 16 bytes):
        00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00  .+.......t......
      backtrace:
        [<ffffffe6e7b245dc>] __kmem_cache_alloc_node+0x1e4/0x2d8
        [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110
        [<ffffffe6bbd765fc>] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]
        [<ffffffe6bbd3eed4>] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core]
        [<ffffffe6e78d5974>] process_scheduled_works+0x1ac/0x400
        [<ffffffe6e78d60b8>] worker_thread+0x208/0x328
        [<ffffffe6e78dc890>] kthread+0x100/0x1c0
        [<ffffffe6e78166c0>] ret_from_fork+0x10/0x20
    
    Free the memory during completion and cleanup to fix the leak.
    
    Protect the mgmt_pending_tx idr_remove() operation in
    ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to
    other instances.
    
    Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
    
    Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event")
    Fixes: c730c477176a ("ath10k: Remove msdu from idr when management pkt send fails")
    Cc: stable@vger.kernel.org
    Signed-off-by: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
    Link: https://patch.msgid.link/20241015064103.6060-1-quic_mpubbise@quicinc.com
    Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: ath9k: fix parameter check in ath9k_init_debug() [+ + +]
Author: Minjie Du <duminjie@vivo.com>
Date:   Wed Jul 12 19:47:40 2023 +0800

    wifi: ath9k: fix parameter check in ath9k_init_debug()
    
    [ Upstream commit 6edb4ba6fb5b946d112259f54f4657f82eb71e89 ]
    
    Make IS_ERR() judge the debugfs_create_dir() function return
    in ath9k_init_debug()
    
    Signed-off-by: Minjie Du <duminjie@vivo.com>
    Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://lore.kernel.org/r/20230712114740.13226-1-duminjie@vivo.com
    Stable-dep-of: f6ffe7f01847 ("wifi: ath9k: Remove error checks when creating debugfs entries")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() [+ + +]
Author: Dmitry Kandybka <d.kandybka@gmail.com>
Date:   Thu Jul 25 14:17:43 2024 +0300

    wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats()
    
    [ Upstream commit 3f66f26703093886db81f0610b97a6794511917c ]
    
    In 'ath9k_get_et_stats()', promote TX stats counters to 'u64'
    to avoid possible integer overflow. Compile tested only.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
    Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://patch.msgid.link/20240725111743.14422-1-d.kandybka@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: ath9k: Remove error checks when creating debugfs entries [+ + +]
Author: Toke Høiland-Jørgensen <toke@redhat.com>
Date:   Mon Aug 5 13:02:22 2024 +0200

    wifi: ath9k: Remove error checks when creating debugfs entries
    
    [ Upstream commit f6ffe7f0184792c2f99aca6ae5b916683973d7d3 ]
    
    We should not be checking the return values from debugfs creation at all: the
    debugfs functions are designed to handle errors of previously called functions
    and just transparently abort the creation of debugfs entries when debugfs is
    disabled. If we check the return value and abort driver initialisation, we break
    the driver if debugfs is disabled (such as when booting with debugfs=off).
    
    Earlier versions of ath9k accidentally did the right thing by checking the
    return value, but only for NULL, not for IS_ERR(). This was "fixed" by the two
    commits referenced below, breaking ath9k with debugfs=off starting from the 6.6
    kernel (as reported in the Bugzilla linked below).
    
    Restore functionality by just getting rid of the return value check entirely.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=219122
    Fixes: 1e4134610d93 ("wifi: ath9k: use IS_ERR() with debugfs_create_dir()")
    Fixes: 6edb4ba6fb5b ("wifi: ath9k: fix parameter check in ath9k_init_debug()")
    Reported-by: Daniel Tobias <dan.g.tob@gmail.com>
    Tested-by: Daniel Tobias <dan.g.tob@gmail.com>
    Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://patch.msgid.link/20240805110225.19690-1-toke@toke.dk
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit [+ + +]
Author: Toke Høiland-Jørgensen <toke@redhat.com>
Date:   Mon Aug 12 16:24:46 2024 +0200

    wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit
    
    [ Upstream commit 94745807f3ebd379f23865e6dab196f220664179 ]
    
    Syzbot points out that skb_trim() has a sanity check on the existing length of
    the skb, which can be uninitialised in some error paths. The intent here is
    clearly just to reset the length to zero before resubmitting, so switch to
    calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()
    already contains a call to skb_reset_tail_pointer(), so remove the redundant
    call.
    
    The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar
    usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.
    
    Reported-by: syzbot+98afa303be379af6cdb2@syzkaller.appspotmail.com
    Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://patch.msgid.link/20240812142447.12328-1-toke@toke.dk
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors [+ + +]
Author: Dmitry Antipov <dmantipov@yandex.ru>
Date:   Mon Sep 9 12:08:06 2024 +0300

    wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors
    
    [ Upstream commit 15ea13b1b1fbf6364d4cd568e65e4c8479632999 ]
    
    Although not reproduced in practice, these two cases may be
    considered by UBSAN as off-by-one errors. So fix them in the
    same way as in commit a26a5107bc52 ("wifi: cfg80211: fix UBSAN
    noise in cfg80211_wext_siwscan()").
    
    Fixes: 807f8a8c3004 ("cfg80211/nl80211: add support for scheduled scans")
    Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request")
    Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
    Link: https://patch.msgid.link/20240909090806.1091956-1-dmantipov@yandex.ru
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() [+ + +]
Author: Dmitry Antipov <dmantipov@yandex.ru>
Date:   Thu Sep 5 18:04:00 2024 +0300

    wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()
    
    [ Upstream commit a26a5107bc52922cf5f67361e307ad66547b51c7 ]
    
    Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
    and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the
    following:
    
    [ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25
    [ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]'
    <...skipped...>
    [ T4985] Call Trace:
    [ T4985]  <TASK>
    [ T4985]  dump_stack_lvl+0x1c2/0x2a0
    [ T4985]  ? __pfx_dump_stack_lvl+0x10/0x10
    [ T4985]  ? __pfx__printk+0x10/0x10
    [ T4985]  __ubsan_handle_out_of_bounds+0x127/0x150
    [ T4985]  cfg80211_wext_siwscan+0x11a4/0x1260
    <...the rest is not too useful...>
    
    Even if we do 'creq->n_channels = n_channels' before 'creq->ssids =
    (void *)&creq->channels[n_channels]', UBSAN treats the latter as
    off-by-one error. Fix this by using pointer arithmetic rather than
    an expression with explicit array indexing and use convenient
    'struct_size()' to simplify the math here and in 'kzalloc()' above.
    
    Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request")
    Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
    Reviewed-by: Kees Cook <kees@kernel.org>
    Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru
    [fix coding style for multi-line calculation]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: iwlegacy: Clear stale interrupts before resuming device [+ + +]
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Tue Oct 1 23:07:45 2024 +0300

    wifi: iwlegacy: Clear stale interrupts before resuming device
    
    commit 07c90acb071b9954e1fecb1e4f4f13d12c544b34 upstream.
    
    iwl4965 fails upon resume from hibernation on my laptop. The reason
    seems to be a stale interrupt which isn't being cleared out before
    interrupts are enabled. We end up with a race beween the resume
    trying to bring things back up, and the restart work (queued form
    the interrupt handler) trying to bring things down. Eventually
    the whole thing blows up.
    
    Fix the problem by clearing out any stale interrupts before
    interrupts get enabled during resume.
    
    Here's a debug log of the indicent:
    [   12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000
    [   12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000
    [   12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio.
    [   12.042653] iwl4965 0000:10:00.0: On demand firmware reload
    [   12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282
    [   12.052207] ieee80211 phy0: il4965_mac_start enter
    [   12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff
    [   12.052244] ieee80211 phy0: il4965_set_hw_ready hardware  ready
    [   12.052324] ieee80211 phy0: il_apm_init Init card's basic functions
    [   12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S
    [   12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm
    [   12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm
    [   12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK
    [   12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations
    [   12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up
    [   12.058737] ieee80211 phy0: il4965_mac_start Start UP work done.
    [   12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down
    [   12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout
    [   12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort
    [   12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver
    [   12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared
    [   12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state
    [   12.058827] ieee80211 phy0: _il_apm_stop_master stop master
    [   12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear.
    [   12.058869] ieee80211 phy0: Hardware restart was requested
    [   16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms.
    [   16.132303] ------------[ cut here ]------------
    [   16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.
    [   16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211]
    [   16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev
    [   16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143
    [   16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010
    [   16.132463] Workqueue: async async_run_entry_fn
    [   16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211]
    [   16.132501] Code: da 02 00 00 c6 83 ad 05 00 00 00 48 89 df e8 98 1b fc ff 85 c0 41 89 c7 0f 84 e9 02 00 00 48 c7 c7 a0 e6 48 a0 e8 d1 77 c4 e0 <0f> 0b eb 2d 84 c0 0f 85 8b 01 00 00 c6 87 ad 05 00 00 00 e8 69 1b
    [   16.132504] RSP: 0018:ffffc9000029fcf0 EFLAGS: 00010282
    [   16.132507] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: 0000000000000001
    [   16.132509] RDX: ffffffff81f21a18 RSI: 0000000000000086 RDI: 0000000000000001
    [   16.132510] RBP: ffff8880072003c0 R08: 0000000000000000 R09: 0000000000000003
    [   16.132512] R10: 0000000000000000 R11: ffff88807e5b0000 R12: 0000000000000001
    [   16.132514] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000ffffff92
    [   16.132515] FS:  0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000
    [   16.132517] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   16.132519] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0
    [   16.132521] Call Trace:
    [   16.132525]  <TASK>
    [   16.132526]  ? __warn+0x77/0x120
    [   16.132532]  ? ieee80211_reconfig+0x8f/0x14b0 [mac80211]
    [   16.132564]  ? report_bug+0x15c/0x190
    [   16.132568]  ? handle_bug+0x36/0x70
    [   16.132571]  ? exc_invalid_op+0x13/0x60
    [   16.132573]  ? asm_exc_invalid_op+0x16/0x20
    [   16.132579]  ? ieee80211_reconfig+0x8f/0x14b0 [mac80211]
    [   16.132611]  ? snd_hdac_bus_init_cmd_io+0x24/0x200 [snd_hda_core]
    [   16.132617]  ? pick_eevdf+0x133/0x1c0
    [   16.132622]  ? check_preempt_wakeup_fair+0x70/0x90
    [   16.132626]  ? wakeup_preempt+0x4a/0x60
    [   16.132628]  ? ttwu_do_activate.isra.0+0x5a/0x190
    [   16.132632]  wiphy_resume+0x79/0x1a0 [cfg80211]
    [   16.132675]  ? wiphy_suspend+0x2a0/0x2a0 [cfg80211]
    [   16.132697]  dpm_run_callback+0x75/0x1b0
    [   16.132703]  device_resume+0x97/0x200
    [   16.132707]  async_resume+0x14/0x20
    [   16.132711]  async_run_entry_fn+0x1b/0xa0
    [   16.132714]  process_one_work+0x13d/0x350
    [   16.132718]  worker_thread+0x2be/0x3d0
    [   16.132722]  ? cancel_delayed_work_sync+0x70/0x70
    [   16.132725]  kthread+0xc0/0xf0
    [   16.132729]  ? kthread_park+0x80/0x80
    [   16.132732]  ret_from_fork+0x28/0x40
    [   16.132735]  ? kthread_park+0x80/0x80
    [   16.132738]  ret_from_fork_asm+0x11/0x20
    [   16.132741]  </TASK>
    [   16.132742] ---[ end trace 0000000000000000 ]---
    [   16.132930] ------------[ cut here ]------------
    [   16.132932] WARNING: CPU: 0 PID: 181 at net/mac80211/driver-ops.c:41 drv_stop+0xe7/0xf0 [mac80211]
    [   16.132957] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev
    [   16.133014] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Tainted: G        W          6.11.0-cl+ #143
    [   16.133018] Tainted: [W]=WARN
    [   16.133019] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010
    [   16.133021] Workqueue: async async_run_entry_fn
    [   16.133025] RIP: 0010:drv_stop+0xe7/0xf0 [mac80211]
    [   16.133048] Code: 48 85 c0 74 0e 48 8b 78 08 89 ea 48 89 de e8 e0 87 04 00 65 ff 0d d1 de c4 5f 0f 85 42 ff ff ff e8 be 52 c2 e0 e9 38 ff ff ff <0f> 0b 5b 5d c3 0f 1f 40 00 41 54 49 89 fc 55 53 48 89 f3 2e 2e 2e
    [   16.133050] RSP: 0018:ffffc9000029fc50 EFLAGS: 00010246
    [   16.133053] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: ffff88800377f6c0
    [   16.133054] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8880072008e0
    [   16.133056] RBP: 0000000000000000 R08: ffffffff81f238d8 R09: 0000000000000000
    [   16.133058] R10: ffff8880080520f0 R11: 0000000000000000 R12: ffff888008051c60
    [   16.133060] R13: ffff8880072008e0 R14: 0000000000000000 R15: ffff8880072011d8
    [   16.133061] FS:  0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000
    [   16.133063] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   16.133065] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0
    [   16.133067] Call Trace:
    [   16.133069]  <TASK>
    [   16.133070]  ? __warn+0x77/0x120
    [   16.133075]  ? drv_stop+0xe7/0xf0 [mac80211]
    [   16.133098]  ? report_bug+0x15c/0x190
    [   16.133100]  ? handle_bug+0x36/0x70
    [   16.133103]  ? exc_invalid_op+0x13/0x60
    [   16.133105]  ? asm_exc_invalid_op+0x16/0x20
    [   16.133109]  ? drv_stop+0xe7/0xf0 [mac80211]
    [   16.133132]  ieee80211_do_stop+0x55a/0x810 [mac80211]
    [   16.133161]  ? fq_codel_reset+0xa5/0xc0 [sch_fq_codel]
    [   16.133164]  ieee80211_stop+0x4f/0x180 [mac80211]
    [   16.133192]  __dev_close_many+0xa2/0x120
    [   16.133195]  dev_close_many+0x90/0x150
    [   16.133198]  dev_close+0x5d/0x80
    [   16.133200]  cfg80211_shutdown_all_interfaces+0x40/0xe0 [cfg80211]
    [   16.133223]  wiphy_resume+0xb2/0x1a0 [cfg80211]
    [   16.133247]  ? wiphy_suspend+0x2a0/0x2a0 [cfg80211]
    [   16.133269]  dpm_run_callback+0x75/0x1b0
    [   16.133273]  device_resume+0x97/0x200
    [   16.133277]  async_resume+0x14/0x20
    [   16.133280]  async_run_entry_fn+0x1b/0xa0
    [   16.133283]  process_one_work+0x13d/0x350
    [   16.133287]  worker_thread+0x2be/0x3d0
    [   16.133290]  ? cancel_delayed_work_sync+0x70/0x70
    [   16.133294]  kthread+0xc0/0xf0
    [   16.133296]  ? kthread_park+0x80/0x80
    [   16.133299]  ret_from_fork+0x28/0x40
    [   16.133302]  ? kthread_park+0x80/0x80
    [   16.133304]  ret_from_fork_asm+0x11/0x20
    [   16.133307]  </TASK>
    [   16.133308] ---[ end trace 0000000000000000 ]---
    [   16.133335] ieee80211 phy0: PM: dpm_run_callback(): wiphy_resume [cfg80211] returns -110
    [   16.133360] ieee80211 phy0: PM: failed to restore async: error -110
    
    Cc: stable@vger.kernel.org
    Cc: Stanislaw Gruszka <stf_xl@wp.pl>
    Cc: Kalle Valo <kvalo@kernel.org>
    Cc: linux-wireless@vger.kernel.org
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://patch.msgid.link/20241001200745.8276-1-ville.syrjala@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead [+ + +]
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date:   Sun Aug 25 19:17:04 2024 +0300

    wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead
    
    [ Upstream commit 3a84454f5204718ca5b4ad2c1f0bf2031e2403d1 ]
    
    There is a WARNING in iwl_trans_wait_tx_queues_empty() (that was
    recently converted from just a message), that can be hit if we
    wait for TX queues to become empty after firmware died. Clearly,
    we can't expect anything from the firmware after it's declared dead.
    
    Don't call iwl_trans_wait_tx_queues_empty() in this case. While it could
    be a good idea to stop the flow earlier, the flush functions do some
    maintenance work that is not related to the firmware, so keep that part
    of the code running even when the firmware is not running.
    
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
    Link: https://patch.msgid.link/20240825191257.a7cbd794cee9.I44a739fbd4ffcc46b83844dd1c7b2eb0c7b270f6@changeid
    [edit commit message]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room() [+ + +]
Author: Daniel Gabay <daniel.gabay@intel.com>
Date:   Sun Aug 25 19:17:06 2024 +0300

    wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room()
    
    [ Upstream commit 916a5d9c5354c426220a0a6533a5e8ea1287d6ea ]
    
    Driver creates also the WFA TPC element, consider that in the
    calculation.
    
    Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
    Reviewed-by: Ilan Peer <ilan.peer@intel.com>
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
    Link: https://patch.msgid.link/20240825191257.e710ce446b7f.I2715c6742e9c3d160e2ba41bc4b35de370d2ce34@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower [+ + +]
Author: Felix Fietkau <nbd@nbd.name>
Date:   Wed Oct 2 11:56:30 2024 +0200

    wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower
    
    commit 393b6bc174b0dd21bb2a36c13b36e62fc3474a23 upstream.
    
    Avoid potentially crashing in the driver because of uninitialized private data
    
    Fixes: 5b3dc42b1b0d ("mac80211: add support for driver tx power reporting")
    Cc: stable@vger.kernel.org
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Link: https://patch.msgid.link/20241002095630.22431-1-nbd@nbd.name
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys [+ + +]
Author: Felix Fietkau <nbd@nbd.name>
Date:   Sun Oct 6 17:36:30 2024 +0200

    wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys
    
    [ Upstream commit 52009b419355195912a628d0a9847922e90c348c ]
    
    Sync iterator conditions with ieee80211_iter_keys_rcu.
    
    Fixes: 830af02f24fb ("mac80211: allow driver to iterate keys")
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Link: https://patch.msgid.link/20241006153630.87885-1-nbd@nbd.name
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() [+ + +]
Author: Dmitry Antipov <dmantipov@yandex.ru>
Date:   Fri Sep 6 15:31:51 2024 +0300

    wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()
    
    [ Upstream commit 9d301de12da6e1bb069a9835c38359b8e8135121 ]
    
    Since '__dev_queue_xmit()' should be called with interrupts enabled,
    the following backtrace:
    
    ieee80211_do_stop()
     ...
     spin_lock_irqsave(&local->queue_stop_reason_lock, flags)
     ...
     ieee80211_free_txskb()
      ieee80211_report_used_skb()
       ieee80211_report_ack_skb()
        cfg80211_mgmt_tx_status_ext()
         nl80211_frame_tx_status()
          genlmsg_multicast_netns()
           genlmsg_multicast_netns_filtered()
            nlmsg_multicast_filtered()
             netlink_broadcast_filtered()
              do_one_broadcast()
               netlink_broadcast_deliver()
                __netlink_sendskb()
                 netlink_deliver_tap()
                  __netlink_deliver_tap_skb()
                   dev_queue_xmit()
                    __dev_queue_xmit() ; with IRQS disabled
     ...
     spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)
    
    issues the warning (as reported by syzbot reproducer):
    
    WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120
    
    Fix this by implementing a two-phase skb reclamation in
    'ieee80211_do_stop()', where actual work is performed
    outside of a section with interrupts disabled.
    
    Fixes: 5061b0c2b906 ("mac80211: cooperate more with network namespaces")
    Reported-by: syzbot+1a3986bbd3169c307819@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
    Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
    Link: https://patch.msgid.link/20240906123151.351647-1-dmantipov@yandex.ru
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() [+ + +]
Author: Gustavo A. R. Silva <gustavoars@kernel.org>
Date:   Wed Aug 21 15:23:51 2024 -0600

    wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()
    
    [ Upstream commit 498365e52bebcbc36a93279fe7e9d6aec8479cee ]
    
    Replace one-element array with a flexible-array member in
    `struct host_cmd_ds_802_11_scan_ext`.
    
    With this, fix the following warning:
    
    elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------
    elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1)
    elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]
    
    Reported-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Closes: https://lore.kernel.org/linux-hardening/ZsZNgfnEwOcPdCly@black.fi.intel.com/
    Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Acked-by: Brian Norris <briannorris@chromium.org>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://patch.msgid.link/ZsZa5xRcsLq9D+RX@elsanto
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
x86/apic: Always explicitly disarm TSC-deadline timer [+ + +]
Author: Zhang Rui <rui.zhang@intel.com>
Date:   Tue Oct 15 14:15:22 2024 +0800

    x86/apic: Always explicitly disarm TSC-deadline timer
    
    commit ffd95846c6ec6cf1f93da411ea10d504036cab42 upstream.
    
    New processors have become pickier about the local APIC timer state
    before entering low power modes. These low power modes are used (for
    example) when you close your laptop lid and suspend. If you put your
    laptop in a bag and it is not in this low power mode, it is likely
    to get quite toasty while it quickly sucks the battery dry.
    
    The problem boils down to some CPUs' inability to power down until the
    CPU recognizes that the local APIC timer is shut down. The current
    kernel code works in one-shot and periodic modes but does not work for
    deadline mode. Deadline mode has been the supported and preferred mode
    on Intel CPUs for over a decade and uses an MSR to drive the timer
    instead of an APIC register.
    
    Disable the TSC Deadline timer in lapic_timer_shutdown() by writing to
    MSR_IA32_TSC_DEADLINE when in TSC-deadline mode. Also avoid writing
    to the initial-count register (APIC_TMICT) which is ignored in
    TSC-deadline mode.
    
    Note: The APIC_LVTT|=APIC_LVT_MASKED operation should theoretically be
    enough to tell the hardware that the timer will not fire in any of the
    timer modes. But mitigating AMD erratum 411[1] also requires clearing
    out APIC_TMICT. Solely setting APIC_LVT_MASKED is also ineffective in
    practice on Intel Lunar Lake systems, which is the motivation for this
    change.
    
    1. 411 Processor May Exit Message-Triggered C1E State Without an Interrupt if Local APIC Timer Reaches Zero - https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/revision-guides/41322_10h_Rev_Gd.pdf
    
    Fixes: 279f1461432c ("x86: apic: Use tsc deadline for oneshot when available")
    Suggested-by: Dave Hansen <dave.hansen@intel.com>
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Tested-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
    Tested-by: Todd Brandt <todd.e.brandt@intel.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/all/20241015061522.25288-1-rui.zhang%40intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET [+ + +]
Author: Jim Mattson <jmattson@google.com>
Date:   Fri Sep 13 10:32:27 2024 -0700

    x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET
    
    commit ff898623af2ed564300752bba83a680a1e4fec8d upstream.
    
    AMD's initial implementation of IBPB did not clear the return address
    predictor. Beginning with Zen4, AMD's IBPB *does* clear the return address
    predictor. This behavior is enumerated by CPUID.80000008H:EBX.IBPB_RET[30].
    
    Define X86_FEATURE_AMD_IBPB_RET for use in KVM_GET_SUPPORTED_CPUID,
    when determining cross-vendor capabilities.
    
    Suggested-by: Venkatesh Srinivas <venkateshs@chromium.org>
    Signed-off-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
    Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: <stable@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency [+ + +]
Author: Michael Kelley <mhklinux@outlook.com>
Date:   Wed Jun 5 19:55:59 2024 -0700

    x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency
    
    [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ]
    
    A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if
    available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux
    doesn't unnecessarily do refined TSC calibration when setting up the TSC
    clocksource.
    
    With this change, a message such as this is no longer output during boot
    when the TSC is used as the clocksource:
    
    [    1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz
    
    Furthermore, the guest and host will have exactly the same view of the
    TSC frequency, which is important for features such as the TSC deadline
    timer that are emulated by the Hyper-V host.
    
    Signed-off-by: Michael Kelley <mhklinux@outlook.com>
    Reviewed-by: Roman Kisel <romank@linux.microsoft.com>
    Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com
    Signed-off-by: Wei Liu <wei.liu@kernel.org>
    Message-ID: <20240606025559.1631-1-mhklinux@outlook.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
xen/swiotlb: add alignment check for dma buffers [+ + +]
Author: Juergen Gross <jgross@suse.com>
Date:   Fri Sep 13 12:05:02 2024 +0200

    xen/swiotlb: add alignment check for dma buffers
    
    [ Upstream commit 9f40ec84a7976d95c34e7cc070939deb103652b0 ]
    
    When checking a memory buffer to be consecutive in machine memory,
    the alignment needs to be checked, too. Failing to do so might result
    in DMA memory not being aligned according to its requested size,
    leading to error messages like:
    
      4xxx 0000:2b:00.0: enabling device (0140 -> 0142)
      4xxx 0000:2b:00.0: Ring address not aligned
      4xxx 0000:2b:00.0: Failed to initialise service qat_crypto
      4xxx 0000:2b:00.0: Resetting device qat_dev0
      4xxx: probe of 0000:2b:00.0 failed with error -14
    
    Fixes: 9435cce87950 ("xen/swiotlb: Add support for 64KB page granularity")
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

xen/swiotlb: simplify range_straddles_page_boundary() [+ + +]
Author: Juergen Gross <jgross@suse.com>
Date:   Fri Jun 14 07:46:03 2019 +0200

    xen/swiotlb: simplify range_straddles_page_boundary()
    
    [ Upstream commit bf70726668c6116aa4976e0cc87f470be6268a2f ]
    
    range_straddles_page_boundary() is open coding several macros from
    include/xen/page.h. Use those instead. Additionally there is no need
    to have check_pages_physically_contiguous() as a separate function as
    it is used only once, so merge it into range_straddles_page_boundary().
    
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Stable-dep-of: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
xen: use correct end address of kernel for conflict checking [+ + +]
Author: Juergen Gross <jgross@suse.com>
Date:   Sat Aug 3 08:01:22 2024 +0200

    xen: use correct end address of kernel for conflict checking
    
    [ Upstream commit fac1bceeeb04886fc2ee952672e6e6c85ce41dca ]
    
    When running as a Xen PV dom0 the kernel is loaded by the hypervisor
    using a different memory map than that of the host. In order to
    minimize the required changes in the kernel, the kernel adapts its
    memory map to that of the host. In order to do that it is checking
    for conflicts of its load address with the host memory map.
    
    Unfortunately the tested memory range does not include the .brk
    area, which might result in crashes or memory corruption when this
    area does conflict with the memory map of the host.
    
    Fix the test by using the _end label instead of __bss_stop.
    
    Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout")
    
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
xfrm: validate new SA's prefixlen using SA family when sel.family is unset [+ + +]
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Tue Oct 1 18:48:14 2024 +0200

    xfrm: validate new SA's prefixlen using SA family when sel.family is unset
    
    [ Upstream commit 3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563 ]
    
    This expands the validation introduced in commit 07bf7908950a ("xfrm:
    Validate address prefix lengths in the xfrm selector.")
    
    syzbot created an SA with
        usersa.sel.family = AF_UNSPEC
        usersa.sel.prefixlen_s = 128
        usersa.family = AF_INET
    
    Because of the AF_UNSPEC selector, verify_newsa_info doesn't put
    limits on prefixlen_{s,d}. But then copy_from_user_state sets
    x->sel.family to usersa.family (AF_INET). Do the same conversion in
    verify_newsa_info before validating prefixlen_{s,d}, since that's how
    prefixlen is going to be used later on.
    
    Reported-by: syzbot+cc39f136925517aed571@syzkaller.appspotmail.com
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Antony Antony <antony.antony@secunet.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
xhci: Fix incorrect stream context type macro [+ + +]
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Wed Oct 16 16:59:57 2024 +0300

    xhci: Fix incorrect stream context type macro
    
    commit 6599b6a6fa8060145046d0744456b6abdb3122a7 upstream.
    
    The stream contex type (SCT) bitfield is used both in the stream context
    data structure,  and in the 'Set TR Dequeue pointer' command TRB.
    In both cases it uses bits 3:1
    
    The SCT_FOR_TRB(p) macro used to set the stream context type (SCT) field
    for the 'Set TR Dequeue pointer' command TRB incorrectly shifts the value
    1 bit left before masking the three bits.
    
    Fix this by first masking and rshifting, just like the similar
    SCT_FOR_CTX(p) macro does
    
    This issue has not been visibile as the lost bit 3 is only used with
    secondary stream arrays (SSA). Xhci driver currently only supports using
    a primary stream array with Linear stream addressing.
    
    Fixes: 95241dbdf828 ("xhci: Set SCT field for Set TR dequeue on streams")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20241016140000.783905-2-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xhci: Fix Link TRB DMA in command ring stopped completion event [+ + +]
Author: Faisal Hassan <quic_faisalh@quicinc.com>
Date:   Tue Oct 22 21:26:31 2024 +0530

    xhci: Fix Link TRB DMA in command ring stopped completion event
    
    commit 075919f6df5dd82ad0b1894898b315fbb3c29b84 upstream.
    
    During the aborting of a command, the software receives a command
    completion event for the command ring stopped, with the TRB pointing
    to the next TRB after the aborted command.
    
    If the command we abort is located just before the Link TRB in the
    command ring, then during the 'command ring stopped' completion event,
    the xHC gives the Link TRB in the event's cmd DMA, which causes a
    mismatch in handling command completion event.
    
    To address this situation, move the 'command ring stopped' completion
    event check slightly earlier, since the specific command it stopped
    on isn't of significant concern.
    
    Fixes: 7f84eef0dafb ("USB: xhci: No-op command queueing and irq handler.")
    Cc: stable@vger.kernel.org
    Signed-off-by: Faisal Hassan <quic_faisalh@quicinc.com>
    Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20241022155631.1185-1-quic_faisalh@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
xz: cleanup CRC32 edits from 2018 [+ + +]
Author: Lasse Collin <lasse.collin@tukaani.org>
Date:   Sun Jul 21 16:36:24 2024 +0300

    xz: cleanup CRC32 edits from 2018
    
    [ Upstream commit 2ee96abef214550d9e92f5143ee3ac1fd1323e67 ]
    
    In 2018, a dependency on <linux/crc32poly.h> was added to avoid
    duplicating the same constant in multiple files.  Two months later it was
    found to be a bad idea and the definition of CRC32_POLY_LE macro was moved
    into xz_private.h to avoid including <linux/crc32poly.h>.
    
    xz_private.h is a wrong place for it too.  Revert back to the upstream
    version which has the poly in xz_crc32_init() in xz_crc32.c.
    
    Link: https://lkml.kernel.org/r/20240721133633.47721-10-lasse.collin@tukaani.org
    Fixes: faa16bc404d7 ("lib: Use existing define with polynomial")
    Fixes: 242cdad873a7 ("lib/xz: Put CRC32_POLY_LE in xz_private.h")
    Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
    Reviewed-by: Sam James <sam@gentoo.org>
    Tested-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
    Cc: Krzysztof Kozlowski <krzk@kernel.org>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Joel Stanley <joel@jms.id.au>
    Cc: Albert Ou <aou@eecs.berkeley.edu>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Emil Renner Berthing <emil.renner.berthing@canonical.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: Jubin Zhong <zhongjubin@huawei.com>
    Cc: Jules Maselbas <jmaselbas@zdiv.net>
    Cc: Palmer Dabbelt <palmer@dabbelt.com>
    Cc: Paul Walmsley <paul.walmsley@sifive.com>
    Cc: Randy Dunlap <rdunlap@infradead.org>
    Cc: Rui Li <me@lirui.org>
    Cc: Simon Glass <sjg@chromium.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Will Deacon <will@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>