Changelog in Linux kernel 6.6.60

 
ACPI: CPPC: Make rmw_lock a raw_spin_lock
Author: Pierre Gondois <pierre.gondois@arm.com>
Date:   Mon Oct 28 13:56:56 2024 +0100

    ACPI: CPPC: Make rmw_lock a raw_spin_lock
    
    [ Upstream commit 1c10941e34c5fdc0357e46a25bd130d9cf40b925 ]
    
    The following BUG was triggered:
    
    =============================
    [ BUG: Invalid wait context ]
    6.12.0-rc2-XXX #406 Not tainted
    -----------------------------
    kworker/1:1/62 is trying to lock:
    ffffff8801593030 (&cpc_ptr->rmw_lock){+.+.}-{3:3}, at: cpc_write+0xcc/0x370
    other info that might help us debug this:
    context-{5:5}
    2 locks held by kworker/1:1/62:
      #0: ffffff897ef5ec98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2c/0x50
      #1: ffffff880154e238 (&sg_policy->update_lock){....}-{2:2}, at: sugov_update_shared+0x3c/0x280
    stack backtrace:
    CPU: 1 UID: 0 PID: 62 Comm: kworker/1:1 Not tainted 6.12.0-rc2-g9654bd3e8806 #406
    Workqueue:  0x0 (events)
    Call trace:
      dump_backtrace+0xa4/0x130
      show_stack+0x20/0x38
      dump_stack_lvl+0x90/0xd0
      dump_stack+0x18/0x28
      __lock_acquire+0x480/0x1ad8
      lock_acquire+0x114/0x310
      _raw_spin_lock+0x50/0x70
      cpc_write+0xcc/0x370
      cppc_set_perf+0xa0/0x3a8
      cppc_cpufreq_fast_switch+0x40/0xc0
      cpufreq_driver_fast_switch+0x4c/0x218
      sugov_update_shared+0x234/0x280
      update_load_avg+0x6ec/0x7b8
      dequeue_entities+0x108/0x830
      dequeue_task_fair+0x58/0x408
      __schedule+0x4f0/0x1070
      schedule+0x54/0x130
      worker_thread+0xc0/0x2e8
      kthread+0x130/0x148
      ret_from_fork+0x10/0x20
    
    sugov_update_shared() locks a raw_spinlock while cpc_write() locks a
    spinlock.
    
    To have a correct wait-type order, update rmw_lock to a raw spinlock and
    ensure that interrupts will be disabled on the CPU holding it.
    
    Fixes: 60949b7b8054 ("ACPI: CPPC: Fix MASK_VAL() usage")
    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
    Link: https://patch.msgid.link/20241028125657.1271512-1-pierre.gondois@arm.com
    [ rjw: Changelog edits ]
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
afs: Automatically generate trace tag enums
Author: David Howells <dhowells@redhat.com>
Date:   Thu Feb 23 15:24:24 2023 +0000

    afs: Automatically generate trace tag enums
    
    [ Upstream commit 2daa6404fd2f00985d5bfeb3c161f4630b46b6bf ]
    
    Automatically generate trace tag enums from the symbol -> string mapping
    tables rather than having the enums as well, thereby reducing duplicated
    data.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Marc Dionne <marc.dionne@auristor.com>
    cc: Jeff Layton <jlayton@kernel.org>
    cc: linux-afs@lists.infradead.org
    cc: linux-fsdevel@vger.kernel.org
    Stable-dep-of: 247d65fb122a ("afs: Fix missing subdir edit when renamed between parent dirs")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

afs: Fix missing subdir edit when renamed between parent dirs
Author: David Howells <dhowells@redhat.com>
Date:   Wed Oct 23 11:40:10 2024 +0100

    afs: Fix missing subdir edit when renamed between parent dirs
    
    [ Upstream commit 247d65fb122ad560be1c8c4d87d7374fb28b0770 ]
    
    When rename moves an AFS subdirectory between parent directories, the
    subdir also needs a bit of editing: the ".." entry needs updating to point
    to the new parent (though I don't make use of the info) and the DV needs
    incrementing by 1 to reflect the change of content.  The server also sends
    a callback break notification on the subdirectory if we have one, but we
    can take care of recovering the promise next time we access the subdir.
    
    This can be triggered by something like:
    
        mount -t afs %example.com:xfstest.test20 /xfstest.test/
        mkdir /xfstest.test/{aaa,bbb,aaa/ccc}
        touch /xfstest.test/bbb/ccc/d
        mv /xfstest.test/{aaa/ccc,bbb/ccc}
        touch /xfstest.test/bbb/ccc/e
    
    When the pathwalk for the second touch hits "ccc", kafs spots that the DV
    is incorrect and downloads it again (so the fix is not critical).
    
    Fix this, if the rename target is a directory and the old and new
    parents are different, by:
    
     (1) Incrementing the DV number of the target locally.
    
     (2) Editing the ".." entry in the target to refer to its new parent's
         vnode ID and uniquifier.
    
    Link: https://lore.kernel.org/r/3340431.1729680010@warthog.procyon.org.uk
    Fixes: 63a4681ff39c ("afs: Locally edit directory data for mkdir/create/unlink/...")
    cc: David Howells <dhowells@redhat.com>
    cc: Marc Dionne <marc.dionne@auristor.com>
    cc: linux-afs@lists.infradead.org
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3
Author: Christoffer Sandberg <cs@tuxedo.de>
Date:   Tue Oct 29 16:16:52 2024 +0100

    ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3
    
    [ Upstream commit 0b04fbe886b4274c8e5855011233aaa69fec6e75 ]
    
    A quirk is needed to enable the headset microphone on the missing pin 0x19.
    
    Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
    Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20241029151653.80726-1-wse@tuxedocomputers.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1
Author: Christoffer Sandberg <cs@tuxedo.de>
Date:   Tue Oct 29 16:16:53 2024 +0100

    ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1
    
    [ Upstream commit e49370d769e71456db3fbd982e95bab8c69f73e8 ]
    
    A quirk is needed to enable the headset microphone on the missing pin 0x19.
    
    Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
    Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20241029151653.80726-2-wse@tuxedocomputers.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: hda/realtek: Limit internal Mic boost on Dell platform
Author: Kailang Yang <kailang@realtek.com>
Date:   Fri Oct 18 13:53:24 2024 +0800

    ALSA: hda/realtek: Limit internal Mic boost on Dell platform
    
    [ Upstream commit 78e7be018784934081afec77f96d49a2483f9188 ]
    
    Dell wants to limit the internal Mic boost on all Dell platforms.
    
    Signed-off-by: Kailang Yang <kailang@realtek.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/561fc5f5eff04b6cbd79ed173cd1c1db@realtek.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: usb-audio: Add quirks for Dell WD19 dock
Author: Jan Schär <jan@jschaer.ch>
Date:   Tue Oct 29 23:12:49 2024 +0100

    ALSA: usb-audio: Add quirks for Dell WD19 dock
    
    commit 4413665dd6c528b31284119e3571c25f371e1c36 upstream.
    
    The WD19 family of docks has the same audio chipset as the WD15. This
    change enables jack detection on the WD19.
    
    We don't need the dell_dock_mixer_init quirk for the WD19. It is only
    needed because of the dell_alc4020_map quirk for the WD15 in
    mixer_maps.c, which disables the volume controls. Even for the WD15,
    this quirk was apparently only needed when the dock firmware was not
    updated.
    
    Signed-off-by: Jan Schär <jan@jschaer.ch>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20241029221249.15661-1-jan@jschaer.ch
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
arm64: dts: imx8ulp: correct the flexspi compatible string
Author: Haibo Chen <haibo.chen@nxp.com>
Date:   Thu Sep 5 17:43:38 2024 +0800

    arm64: dts: imx8ulp: correct the flexspi compatible string
    
    commit 409dc5196d5b6eb67468a06bf4d2d07d7225a67b upstream.
    
    The flexspi on imx8ulp only has 16 LUTs, and the imx8mm flexspi has
    32 LUTs, so correct the compatible string here, otherwise we will
    meet the error below:
    
    [    1.119072] ------------[ cut here ]------------
    [    1.123926] WARNING: CPU: 0 PID: 1 at drivers/spi/spi-nxp-fspi.c:855 nxp_fspi_exec_op+0xb04/0xb64
    [    1.133239] Modules linked in:
    [    1.136448] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-rc6-next-20240902-00001-g131bf9439dd9 #69
    [    1.146821] Hardware name: NXP i.MX8ULP EVK (DT)
    [    1.151647] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [    1.158931] pc : nxp_fspi_exec_op+0xb04/0xb64
    [    1.163496] lr : nxp_fspi_exec_op+0xa34/0xb64
    [    1.168060] sp : ffff80008002b2a0
    [    1.171526] x29: ffff80008002b2d0 x28: 0000000000000000 x27: 0000000000000000
    [    1.179002] x26: ffff2eb645542580 x25: ffff800080610014 x24: ffff800080610000
    [    1.186480] x23: ffff2eb645548080 x22: 0000000000000006 x21: ffff2eb6455425e0
    [    1.193956] x20: 0000000000000000 x19: ffff80008002b5e0 x18: ffffffffffffffff
    [    1.201432] x17: ffff2eb644467508 x16: 0000000000000138 x15: 0000000000000002
    [    1.208907] x14: 0000000000000000 x13: ffff2eb6400d8080 x12: 00000000ffffff00
    [    1.216378] x11: 0000000000000000 x10: ffff2eb6400d8080 x9 : ffff2eb697adca80
    [    1.223850] x8 : ffff2eb697ad3cc0 x7 : 0000000100000000 x6 : 0000000000000001
    [    1.231324] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000007a6
    [    1.238795] x2 : 0000000000000000 x1 : 00000000000001ce x0 : 00000000ffffff92
    [    1.246267] Call trace:
    [    1.248824]  nxp_fspi_exec_op+0xb04/0xb64
    [    1.253031]  spi_mem_exec_op+0x3a0/0x430
    [    1.257139]  spi_nor_read_id+0x80/0xcc
    [    1.261065]  spi_nor_scan+0x1ec/0xf10
    [    1.264901]  spi_nor_probe+0x108/0x2fc
    [    1.268828]  spi_mem_probe+0x6c/0xbc
    [    1.272574]  spi_probe+0x84/0xe4
    [    1.275958]  really_probe+0xbc/0x29c
    [    1.279713]  __driver_probe_device+0x78/0x12c
    [    1.284277]  driver_probe_device+0xd8/0x15c
    [    1.288660]  __device_attach_driver+0xb8/0x134
    [    1.293316]  bus_for_each_drv+0x88/0xe8
    [    1.297337]  __device_attach+0xa0/0x190
    [    1.301353]  device_initial_probe+0x14/0x20
    [    1.305734]  bus_probe_device+0xac/0xb0
    [    1.309752]  device_add+0x5d0/0x790
    [    1.313408]  __spi_add_device+0x134/0x204
    [    1.317606]  of_register_spi_device+0x3b4/0x590
    [    1.322348]  spi_register_controller+0x47c/0x754
    [    1.327181]  devm_spi_register_controller+0x4c/0xa4
    [    1.332289]  nxp_fspi_probe+0x1cc/0x2b0
    [    1.336307]  platform_probe+0x68/0xc4
    [    1.340145]  really_probe+0xbc/0x29c
    [    1.343893]  __driver_probe_device+0x78/0x12c
    [    1.348457]  driver_probe_device+0xd8/0x15c
    [    1.352838]  __driver_attach+0x90/0x19c
    [    1.356857]  bus_for_each_dev+0x7c/0xdc
    [    1.360877]  driver_attach+0x24/0x30
    [    1.364624]  bus_add_driver+0xe4/0x208
    [    1.368552]  driver_register+0x5c/0x124
    [    1.372573]  __platform_driver_register+0x28/0x34
    [    1.377497]  nxp_fspi_driver_init+0x1c/0x28
    [    1.381888]  do_one_initcall+0x80/0x1c8
    [    1.385908]  kernel_init_freeable+0x1c4/0x28c
    [    1.390472]  kernel_init+0x20/0x1d8
    [    1.394138]  ret_from_fork+0x10/0x20
    [    1.397885] ---[ end trace 0000000000000000 ]---
    [    1.407908] ------------[ cut here ]------------
    
    Fixes: ef89fd56bdfc ("arm64: dts: imx8ulp: add flexspi node")
    Cc: stable@kernel.org
    Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ASoC: cs42l51: Fix some error handling paths in cs42l51_probe()
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sat Oct 26 22:46:34 2024 +0200

    ASoC: cs42l51: Fix some error handling paths in cs42l51_probe()
    
    [ Upstream commit d221b844ee79823ffc29b7badc4010bdb0960224 ]
    
    If devm_gpiod_get_optional() fails, we need to disable previously enabled
    regulators, as done in the other error handling path of the function.
    
    Also, gpiod_set_value_cansleep(, 1) needs to be called to undo a
    potential gpiod_set_value_cansleep(, 0).
    If the "reset" gpio is not defined, this additional call is just a no-op.
    
    This behavior is the same as the one already in the .remove() function.
    
    Fixes: 11b9cd748e31 ("ASoC: cs42l51: add reset management")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
    Link: https://patch.msgid.link/a5e5f4b9fb03f46abd2c93ed94b5c395972ce0d1.1729975570.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ASoC: SOF: ipc4-control: Add support for ALSA enum control
Author: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Date:   Tue Sep 19 13:31:15 2023 +0300

    ASoC: SOF: ipc4-control: Add support for ALSA enum control
    
    commit 07a866a41982c896dc46476f57d209a200602946 upstream.
    
    Enum controls use generic param_id and a generic struct where the data
    is passed to the firmware.
    
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
    Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Link: https://lore.kernel.org/r/20230919103115.30783-4-peter.ujfalusi@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ASoC: SOF: ipc4-control: Add support for ALSA switch control
Author: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Date:   Tue Sep 19 13:31:14 2023 +0300

    ASoC: SOF: ipc4-control: Add support for ALSA switch control
    
    commit 4a2fd607b7ca6128ee3532161505da7624197f55 upstream.
    
    Volume controls with a max value of 1 are switches.
    Switch controls use generic param_id and a generic struct where the data
    is passed to the firmware.
    
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
    Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Link: https://lore.kernel.org/r/20230919103115.30783-3-peter.ujfalusi@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ASoC: SOF: ipc4-topology: Add definition for generic switch/enum control
Author: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Date:   Tue Sep 19 13:31:13 2023 +0300

    ASoC: SOF: ipc4-topology: Add definition for generic switch/enum control
    
    commit 060a07cd9bc69eba2da33ed96b1fa69ead60bab1 upstream.
    
    Currently IPC4 has no notion of a switch or enum type of control which is
    a generic concept in ALSA.
    
    The generic support for these control types will be as follows:
    - large config is used to send the channel-value pair array
    - param_id of a SWITCH type is 200
    - param_id of an ENUM type is 201
    
    Each module that needs to support a switch and/or enum must handle these
    universal param_ids.
    The message payload is described by struct sof_ipc4_control_msg_payload.
    
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
    Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Link: https://lore.kernel.org/r/20230919103115.30783-2-peter.ujfalusi@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
block: fix sanity checks in blk_rq_map_user_bvec
Author: Xinyu Zhang <xizhang@purestorage.com>
Date:   Wed Oct 23 15:15:19 2024 -0600

    block: fix sanity checks in blk_rq_map_user_bvec
    
    [ Upstream commit 2ff949441802a8d076d9013c7761f63e8ae5a9bd ]
    
    blk_rq_map_user_bvec contains a check bytes + bv->bv_len > nr_iter which
    causes unnecessary failures in NVMe passthrough I/O, reproducible as
    follows:
    
    - register a 2 page, page-aligned buffer against a ring
    - use that buffer to do a 1 page io_uring NVMe passthrough read
    
    The second (i = 1) iteration of the loop in blk_rq_map_user_bvec will
    then have nr_iter == 1 page, bytes == 1 page, bv->bv_len == 1 page, so
    the check bytes + bv->bv_len > nr_iter will succeed, causing the I/O to
    fail. This failure is unnecessary, as when the check succeeds, it means
    we've checked the entire buffer that will be used by the request - i.e.
    blk_rq_map_user_bvec should complete successfully. Therefore, terminate
    the loop early and return successfully when the check bytes + bv->bv_len
    > nr_iter succeeds.
    
    While we're at it, also remove the check that all segments in the bvec
    are single-page. While this seems to be true for all users of the
    function, it doesn't appear to be required anywhere downstream.
    
    CC: stable@vger.kernel.org
    Signed-off-by: Xinyu Zhang <xizhang@purestorage.com>
    Co-developed-by: Uday Shankar <ushankar@purestorage.com>
    Signed-off-by: Uday Shankar <ushankar@purestorage.com>
    Fixes: 37987547932c ("block: extend functionality to map bvec iterator")
    Link: https://lore.kernel.org/r/20241023211519.4177873-1-ushankar@purestorage.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
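
    The check loop described above, as an added userland model (not the kernel's code: struct names mirror the kernel's, the helpers are simplified stand-ins, and the 4 KiB page size and NVMe-style virt_boundary_mask are assumptions):

```c
/* Added example, not kernel code: a userland model of the sanity-check loop in
 * blk_rq_map_user_bvec(). Struct names mirror the kernel's, the helpers are
 * simplified stand-ins; 4 KiB pages and an NVMe-style virt_boundary_mask of
 * PAGE_SIZE - 1 are assumed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#ifndef EREMOTEIO
#define EREMOTEIO 121
#endif

struct bio_vec {
	unsigned int bv_offset;	/* start of the data within its page */
	unsigned int bv_len;	/* segment length in bytes */
};

struct queue_limits {
	size_t max_segments;
	unsigned long virt_boundary_mask;
};

/* Simplified bvec_gap_to_prev(): the device cannot scatter/gather across a
 * gap, so the previous segment must end on the boundary and the next one must
 * start on it. A mask of 0 means the queue has no such restriction. */
static bool bvec_gap_to_prev(const struct queue_limits *lim,
			     const struct bio_vec *prv, unsigned int offset)
{
	if (!lim->virt_boundary_mask)
		return false;
	return (offset & lim->virt_boundary_mask) ||
	       ((prv->bv_offset + prv->bv_len) & lim->virt_boundary_mask);
}

/* Model of the check loop. nr_iter is the byte count of the I/O; the bvec array
 * may describe a larger registered buffer (an io_uring fixed buffer).
 * fixed == false reproduces the pre-fix behaviour, fixed == true the fix: a
 * segment that would overshoot nr_iter ends the loop instead of failing the
 * request, since every byte the request will touch has already been checked.
 * Returns 0 or a negative errno, as the kernel function does. */
static int map_user_bvec(const struct queue_limits *lim,
			 const struct bio_vec *bvecs, size_t nr_segs,
			 size_t nr_iter, bool fixed)
{
	const struct bio_vec *bvprvp = NULL;
	size_t bytes = 0;

	if (!nr_iter || nr_segs > lim->max_segments)
		return -EINVAL;

	for (size_t i = 0; i < nr_segs; i++) {
		const struct bio_vec *bv = &bvecs[i];

		if (bvprvp && bvec_gap_to_prev(lim, bvprvp, bv->bv_offset))
			return -EREMOTEIO;	/* would need a bounce copy */
		if (bytes + bv->bv_len > nr_iter) {
			if (fixed)
				break;		/* rest of the buffer is unused */
			return -EINVAL;		/* pre-fix: spurious failure */
		}
		/* pre-fix only: every segment had to stay inside one page */
		if (!fixed && bv->bv_offset + bv->bv_len > PAGE_SIZE)
			return -EINVAL;
		bytes += bv->bv_len;
		bvprvp = bv;
	}
	return 0;
}

static const struct queue_limits nvme_like = {
	.max_segments = 128, .virt_boundary_mask = PAGE_SIZE - 1,
};

/* Reproducer from the commit message: 2-page registered buffer, 1-page read. */
static int two_page_buffer_one_page_io(bool fixed)
{
	const struct bio_vec buf[2] = { { 0, PAGE_SIZE }, { 0, PAGE_SIZE } };
	return map_user_bvec(&nvme_like, buf, 2, PAGE_SIZE, fixed);
}

/* Second segment starting mid-page: the gap check still rejects this. */
static int buffer_with_sg_gap(bool fixed)
{
	const struct bio_vec buf[2] = { { 0, PAGE_SIZE }, { 512, PAGE_SIZE - 512 } };
	return map_user_bvec(&nvme_like, buf, 2, 2 * PAGE_SIZE - 512, fixed);
}

int main(void)
{
	printf("1-page I/O on 2-page buffer: pre-fix %d, fixed %d\n",
	       two_page_buffer_one_page_io(false), two_page_buffer_one_page_io(true));
	printf("buffer with SG gap:          pre-fix %d, fixed %d\n",
	       buffer_with_sg_gap(false), buffer_with_sg_gap(true));
	return 0;
}
```

    The first scenario returns -EINVAL before the fix and 0 after it; the gap scenario is rejected with -EREMOTEIO either way, showing that the remaining check still does its job.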

 
Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
Author: Sungwoo Kim <iam@sung-woo.kim>
Date:   Tue Oct 29 19:44:41 2024 +0000

    Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
    
    [ Upstream commit 1e67d8641813f1876a42eeb4f532487b8a7fb0a8 ]
    
    Fix __hci_cmd_sync_sk() to not return NULL for unknown opcodes.
    
    __hci_cmd_sync_sk() returns NULL if a command returns a status event.
    However, it also returns NULL where an opcode doesn't exist in the
    hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0]
    for unknown opcodes.
    This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as
    there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes
    status = skb->data[0].
    
    KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
    CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    Workqueue: hci7 hci_power_on
    RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
    Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
    RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
    RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
    RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
    RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
    R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
    R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
    FS:  0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
    PKRU: 55555554
    Call Trace:
     <TASK>
     hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
     hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
     hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
     hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
     hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
     hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
     hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
     hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
     process_one_work kernel/workqueue.c:3267 [inline]
     process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
     worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
     kthread+0x2cb/0x360 kernel/kthread.c:388
     ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
     ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
    
    Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY")
    
    Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled
Author: Toke Høiland-Jørgensen <toke@redhat.com>
Date:   Wed Oct 30 11:48:26 2024 +0100

    bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled
    
    [ Upstream commit c40dd8c4732551605712985bc5b7045094c6458d ]
    
    The test_run code detects whether a page has been modified and
    re-initialises the xdp_frame structure if it has, using
    xdp_update_frame_from_buff(). However, xdp_update_frame_from_buff()
    doesn't touch frame->mem, so that wasn't correctly re-initialised, which
    led to the pages from page_pool not being returned correctly. Syzbot
    noticed this as a memory leak.
    
    Fix this by also copying the frame->mem structure when re-initialising
    the frame, like we do on initialisation of a new page from page_pool.
    
    Fixes: e5995bc7e2ba ("bpf, test_run: fix crashes due to XDP frame overwriting/corruption")
    Fixes: b530e9e1063e ("bpf: Add "live packet" mode for XDP in BPF_PROG_RUN")
    Reported-by: syzbot+d121e098da06af416d23@syzkaller.appspotmail.com
    Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Tested-by: syzbot+d121e098da06af416d23@syzkaller.appspotmail.com
    Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
    Acked-by: Stanislav Fomichev <sdf@fomichev.me>
    Link: https://lore.kernel.org/bpf/20241030-test-run-mem-fix-v1-1-41e88e8cae43@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf: Fix out-of-bounds write in trie_get_next_key()
Author: Byeonguk Jeong <jungbu2855@gmail.com>
Date:   Sat Oct 26 14:02:43 2024 +0900

    bpf: Fix out-of-bounds write in trie_get_next_key()
    
    [ Upstream commit 13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21 ]
    
    trie_get_next_key() allocates a node stack with size trie->max_prefixlen,
    while it writes (trie->max_prefixlen + 1) nodes to the stack when it has
    full paths from the root to leaves. For example, consider a trie with
    max_prefixlen 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ...
    0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with
    .prefixlen = 8 cause 9 nodes to be written to the node stack of size 8.
    
    Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map")
    Signed-off-by: Byeonguk Jeong <jungbu2855@gmail.com>
    Reviewed-by: Toke Høiland-Jørgensen <toke@kernel.org>
    Tested-by: Hou Tao <houtao1@huawei.com>
    Acked-by: Hou Tao <houtao1@huawei.com>
    Link: https://lore.kernel.org/r/Zxx384ZfdlFYnz6J@localhost.localdomain
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
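
    The path-length invariant behind this off-by-one, as an added userland model (not the kernel's lpm_trie code: node layout, insertion and the walk are simplified stand-ins, and the bounds-checked stack push is this example's addition):

```c
/* Added example, not kernel code: a minimal model of the LPM trie shape that
 * trie_get_next_key() walks, showing why a root-to-leaf path can hold
 * max_prefixlen + 1 nodes (prefix lengths 0 through max_prefixlen) and why
 * a node stack of max_prefixlen slots is one short. Node layout, insertion
 * and the walk are simplified stand-ins for the kernel's lpm_trie code. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_PREFIXLEN 8		/* one key byte, as in the commit message */

struct lpm_node {
	unsigned int prefixlen;		/* key bits this node covers */
	unsigned char key;		/* prefix bits, most significant first */
	struct lpm_node *child[2];
};

/* Bit `pos` of a one-byte key, pos 0 being the most significant bit. */
static int key_bit(unsigned char key, unsigned int pos)
{
	return (key >> (7 - pos)) & 1;
}

static struct lpm_node *new_node(unsigned char key, unsigned int prefixlen)
{
	struct lpm_node *n = calloc(1, sizeof(*n));

	if (!n)
		abort();
	n->key = key;
	n->prefixlen = prefixlen;
	return n;
}

/* Simplified insert: descend one bit per level and create the node where the
 * path ends. Enough for keys inserted in increasing prefixlen order along one
 * path (0x00/0, 0x00/1, ..., 0x00/8); the kernel also splits diverging nodes. */
static void insert(struct lpm_node **root, unsigned char key, unsigned int prefixlen)
{
	struct lpm_node **slot = root;

	while (*slot && (*slot)->prefixlen < prefixlen)
		slot = &(*slot)->child[key_bit(key, (*slot)->prefixlen)];
	if (!*slot)
		*slot = new_node(key, prefixlen);
}

/* Push the nodes from the root down to key/prefixlen onto `stack`, which has
 * `capacity` slots, as trie_get_next_key() does before walking back up.
 * Returns the number of nodes pushed, or -1 if one more push would run past
 * the end of the stack (the write the kernel performed unchecked). */
static int walk_path(struct lpm_node *root, unsigned char key,
		     unsigned int prefixlen, struct lpm_node **stack,
		     unsigned int capacity)
{
	unsigned int depth = 0;
	struct lpm_node *n = root;

	while (n && n->prefixlen <= prefixlen) {
		if (depth >= capacity)
			return -1;	/* the bounds check the kernel lacked */
		stack[depth++] = n;
		if (n->prefixlen == prefixlen)
			break;
		n = n->child[key_bit(key, n->prefixlen)];
	}
	return (int)depth;
}

static void free_trie(struct lpm_node *n)
{
	if (!n)
		return;
	free_trie(n->child[0]);
	free_trie(n->child[1]);
	free(n);
}

/* Build the commit's trie (0x00/0 ... 0x00/MAX_PREFIXLEN), then walk to its
 * deepest node using a stack of `capacity` slots. */
static int path_nodes_with_stack(unsigned int capacity)
{
	struct lpm_node *root = NULL;
	struct lpm_node *stack[MAX_PREFIXLEN + 1];
	int depth;

	if (capacity > MAX_PREFIXLEN + 1)
		capacity = MAX_PREFIXLEN + 1;	/* size of the backing array */
	for (unsigned int plen = 0; plen <= MAX_PREFIXLEN; plen++)
		insert(&root, 0x00, plen);
	depth = walk_path(root, 0x00, MAX_PREFIXLEN, stack, capacity);
	free_trie(root);
	return depth;
}

int main(void)
{
	printf("stack of max_prefixlen slots:     %d (-1 = would overflow)\n",
	       path_nodes_with_stack(MAX_PREFIXLEN));
	printf("stack of max_prefixlen + 1 slots: %d nodes on the path\n",
	       path_nodes_with_stack(MAX_PREFIXLEN + 1));
	return 0;
}
```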

bpf: Force checkpoint when jmp history is too long
Author: Eduard Zingerman <eddyz87@gmail.com>
Date:   Tue Oct 29 10:26:40 2024 -0700

    bpf: Force checkpoint when jmp history is too long
    
    [ Upstream commit aa30eb3260b2dea3a68d3c42a39f9a09c5e99cee ]
    
    A specifically crafted program might trick the verifier into growing a very
    long jump history within a single bpf_verifier_state instance.
    A very long jump history makes mark_chain_precision() unreasonably slow,
    especially when the verifier processes a loop.
    
    Mitigate this by forcing a new state in is_state_visited() when the
    current state's jump history is too long.
    
    Use the same constant as in `skip_inf_loop_check`, but multiply it by the
    arbitrarily chosen value 2 to account for the jump history containing not
    only information about jumps, but also information about stack access.
    
    For an example of a problematic program consider the code below;
    w/o this patch the example is processed by the verifier for ~15 minutes
    before failing to allocate a big-enough chunk for jmp_history.
    
        0: r7 = *(u16 *)(r1 +0);
        1: r7 += 0x1ab064b9;
        2: if r7 & 0x702000 goto 1b;
        3: r7 &= 0x1ee60e;
        4: r7 += r1;
        5: if r7 s> 0x37d2 goto +0;
        6: r0 = 0;
        7: exit;
    
    Perf profiling shows that most of the time (~95%) is spent in
    mark_chain_precision().
    
    The easiest way to explain why this program causes problems is to
    apply the following patch:
    
        diff --git a/include/linux/bpf.h b/include/linux/bpf.h
        index 0c216e71cec7..4b4823961abe 100644
        \--- a/include/linux/bpf.h
        \+++ b/include/linux/bpf.h
        \@@ -1926,7 +1926,7 @@ struct bpf_array {
                };
         };
    
        -#define BPF_COMPLEXITY_LIMIT_INSNS      1000000 /* yes. 1M insns */
        +#define BPF_COMPLEXITY_LIMIT_INSNS      256 /* yes. 1M insns */
         #define MAX_TAIL_CALL_CNT 33
    
         /* Maximum number of loops for bpf_loop and bpf_iter_num.
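
    Review bot: the comment on the `#define BPF_COMPLEXITY_LIMIT_INSNS` line still says `/* yes. 1M insns */` after the value is lowered to 256; update it (for instance to note that the limit is lowered for debugging) or drop it, so the diff does not carry a misleading annotation if it is reused.
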
        diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
        index f514247ba8ba..75e88be3bb3e 100644
        \--- a/kernel/bpf/verifier.c
        \+++ b/kernel/bpf/verifier.c
        \@@ -18024,8 +18024,13 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
         skip_inf_loop_check:
                                if (!force_new_state &&
                                    env->jmps_processed - env->prev_jmps_processed < 20 &&
        -                           env->insn_processed - env->prev_insn_processed < 100)
        +                           env->insn_processed - env->prev_insn_processed < 100) {
        +                               verbose(env, "is_state_visited: suppressing checkpoint at %d, %d jmps processed, cur->jmp_history_cnt is %d\n",
        +                                       env->insn_idx,
        +                                       env->jmps_processed - env->prev_jmps_processed,
        +                                       cur->jmp_history_cnt);
                                        add_new_state = false;
        +                       }
                                goto miss;
                        }
                        /* If sl->state is a part of a loop and this loop's entry is a part of
        \@@ -18142,6 +18147,9 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
                if (!add_new_state)
                        return 0;
    
        +       verbose(env, "is_state_visited: new checkpoint at %d, resetting env->jmps_processed\n",
        +               env->insn_idx);
        +
                /* There were no equivalent states, remember the current one.
                 * Technically the current state is not proven to be safe yet,
                 * but it will either reach outer most bpf_exit (which means it's safe)
    
    And observe verification log:
    
        ...
        is_state_visited: new checkpoint at 5, resetting env->jmps_processed
        5: R1=ctx() R7=ctx(...)
        5: (65) if r7 s> 0x37d2 goto pc+0     ; R7=ctx(...)
        6: (b7) r0 = 0                        ; R0_w=0
        7: (95) exit
    
        from 5 to 6: R1=ctx() R7=ctx(...) R10=fp0
        6: R1=ctx() R7=ctx(...) R10=fp0
        6: (b7) r0 = 0                        ; R0_w=0
        7: (95) exit
        is_state_visited: suppressing checkpoint at 1, 3 jmps processed, cur->jmp_history_cnt is 74
    
        from 2 to 1: R1=ctx() R7_w=scalar(...) R10=fp0
        1: R1=ctx() R7_w=scalar(...) R10=fp0
        1: (07) r7 += 447767737
        is_state_visited: suppressing checkpoint at 2, 3 jmps processed, cur->jmp_history_cnt is 75
        2: R7_w=scalar(...)
        2: (45) if r7 & 0x702000 goto pc-2
        ... mark_precise 152 steps for r7 ...
        2: R7_w=scalar(...)
        is_state_visited: suppressing checkpoint at 1, 4 jmps processed, cur->jmp_history_cnt is 75
        1: (07) r7 += 447767737
        is_state_visited: suppressing checkpoint at 2, 4 jmps processed, cur->jmp_history_cnt is 76
        2: R7_w=scalar(...)
        2: (45) if r7 & 0x702000 goto pc-2
        ...
        BPF program is too large. Processed 257 insn
    
    The log output shows that the checkpoint at label (1) is never created,
    because it is suppressed by the `skip_inf_loop_check` logic:
    a. When 'if' at (2) is processed it pushes a state with insn_idx (1)
       onto stack and proceeds to (3);
    b. At (5) checkpoint is created, and this resets
       env->{jmps,insns}_processed.
    c. Verification proceeds and reaches `exit`;
    d. State saved at step (a) is popped from stack and is_state_visited()
       considers if checkpoint needs to be added, but because
       env->{jmps,insns}_processed had been just reset at step (b)
       the `skip_inf_loop_check` logic forces `add_new_state` to false.
    e. Verifier proceeds with current state, which slowly accumulates
       more and more entries in the jump history.
    
    The accumulation of entries in the jump history is a problem because
    of two factors:
    - it eventually exhausts memory available for kmalloc() allocation;
    - mark_chain_precision() traverses the jump history of a state,
      meaning that if `r7` is marked precise, verifier would iterate
      ever growing jump history until parent state boundary is reached.
    
    (note: the log also shows a REG INVARIANTS VIOLATION warning
           upon jset processing, but that's another bug to fix).
    
    With this patch applied, the example above is rejected by the verifier
    in under 1s, reaching the 1M instructions limit.
    
    The program is a simplified reproducer from the syzbot report.
    The previous discussion can be found at [1].
    The patch does not cause any changes in verification performance
    when tested on the selftests from veristat.cfg and the cilium programs
    taken from [2].
    
    [1] https://lore.kernel.org/bpf/20241009021254.2805446-1-eddyz87@gmail.com/
    [2] https://github.com/anakryiko/cilium
    
    Changelog:
    - v1 -> v2:
      - moved patch to bpf tree;
      - moved force_new_state variable initialization after declaration and
        shortened the comment.
    v1: https://lore.kernel.org/bpf/20241018020307.1766906-1-eddyz87@gmail.com/
    
    Fixes: 2589726d12a1 ("bpf: introduce bounded loops")
    Reported-by: syzbot+7e46cdef14bf496a3ab4@syzkaller.appspotmail.com
    Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/bpf/20241029172641.1042523-1-eddyz87@gmail.com
    
    Closes: https://lore.kernel.org/bpf/670429f6.050a0220.49194.0517.GAE@google.com/
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction
Author: Chen Ridong <chenridong@huawei.com>
Date:   Tue Oct 8 11:24:56 2024 +0000

    cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction
    
    [ Upstream commit 117932eea99b729ee5d12783601a4f7f5fd58a23 ]
    
    A hung_task problem shown below was found:
    
    INFO: task kworker/0:0:8 blocked for more than 327 seconds.
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    Workqueue: events cgroup_bpf_release
    Call Trace:
     <TASK>
     __schedule+0x5a2/0x2050
     ? find_held_lock+0x33/0x100
     ? wq_worker_sleeping+0x9e/0xe0
     schedule+0x9f/0x180
     schedule_preempt_disabled+0x25/0x50
     __mutex_lock+0x512/0x740
     ? cgroup_bpf_release+0x1e/0x4d0
     ? cgroup_bpf_release+0xcf/0x4d0
     ? process_scheduled_works+0x161/0x8a0
     ? cgroup_bpf_release+0x1e/0x4d0
     ? mutex_lock_nested+0x2b/0x40
     ? __pfx_delay_tsc+0x10/0x10
     mutex_lock_nested+0x2b/0x40
     cgroup_bpf_release+0xcf/0x4d0
     ? process_scheduled_works+0x161/0x8a0
     ? trace_event_raw_event_workqueue_execute_start+0x64/0xd0
     ? process_scheduled_works+0x161/0x8a0
     process_scheduled_works+0x23a/0x8a0
     worker_thread+0x231/0x5b0
     ? __pfx_worker_thread+0x10/0x10
     kthread+0x14d/0x1c0
     ? __pfx_kthread+0x10/0x10
     ret_from_fork+0x59/0x70
     ? __pfx_kthread+0x10/0x10
     ret_from_fork_asm+0x1b/0x30
     </TASK>
    
    This issue can be reproduced by the following pressure test:
    1. A large number of cpuset cgroups are deleted.
    2. Set cpu on and off repeatedly.
    3. Set watchdog_thresh repeatedly.
    The scripts can be obtained at LINK mentioned above the signature.
    
    The reason for this issue is that cgroup_mutex and cpu_hotplug_lock are
    acquired in different tasks, which may lead to deadlock.
    It can lead to a deadlock through the following steps:
    1. A large number of cpusets are deleted asynchronously, which puts a
       large number of cgroup_bpf_release works into system_wq. The max_active
       of system_wq is WQ_DFL_ACTIVE(256). Consequently, all active works are
       cgroup_bpf_release works, and many cgroup_bpf_release works will be put
       into inactive queue. As illustrated in the diagram, there are 256 (in
       the active queue) + n (in the inactive queue) works.
    2. Setting watchdog_thresh will hold cpu_hotplug_lock.read and put
       smp_call_on_cpu work into system_wq. However step 1 has already filled
       system_wq, 'sscs.work' is put into inactive queue. 'sscs.work' has
       to wait until the works that were put into the inactive queue earlier
       have executed (n cgroup_bpf_release), so it will be blocked for a while.
    3. Cpu offline requires cpu_hotplug_lock.write, which is blocked by step 2.
    4. Cpusets that were deleted at step 1 put cgroup_release works into
       cgroup_destroy_wq. They are competing to get cgroup_mutex all the time.
       When cgroup_mutex is acquired by work at css_killed_work_fn, it will
       call cpuset_css_offline, which needs to acquire cpu_hotplug_lock.read.
       However, cpuset_css_offline will be blocked for step 3.
    5. At this moment, there are 256 works in active queue that are
       cgroup_bpf_release, they are attempting to acquire cgroup_mutex, and as
       a result, all of them are blocked. Consequently, sscs.work can not be
       executed. Ultimately, this situation leads to four processes being
       blocked, forming a deadlock.
    
    system_wq(step1)                WatchDog(step2)                 cpu offline(step3)      cgroup_destroy_wq(step4)
    ...
    2000+ cgroups deleted async
    256 actives + n inactives
                                    __lockup_detector_reconfigure
                                    P(cpu_hotplug_lock.read)
                                    put sscs.work into system_wq
    256 + n + 1(sscs.work)
    sscs.work wait to be executed
                                    waiting sscs.work finish
                                                                    percpu_down_write
                                                                    P(cpu_hotplug_lock.write)
                                                                    ...blocking...
                                                                                            css_killed_work_fn
                                                                                            P(cgroup_mutex)
                                                                                            cpuset_css_offline
                                                                                            P(cpu_hotplug_lock.read)
                                                                                            ...blocking...
    256 cgroup_bpf_release
    mutex_lock(&cgroup_mutex);
    ..blocking...
    
    To fix the problem, place cgroup_bpf_release works on a dedicated
    workqueue which can break the loop and solve the problem. System wqs are
    for misc things which shouldn't create a large number of concurrent work
    items. If something is going to generate >WQ_DFL_ACTIVE(256) concurrent
    work items, it should use its own dedicated workqueue.
    
    Fixes: 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself")
    Cc: stable@vger.kernel.org # v5.3+
    Link: https://lore.kernel.org/cgroups/e90c32d2-2a85-4f28-9154-09c7d320cb60@huawei.com/T/#t
    Tested-by: Vishal Chourasia <vishalc@linux.ibm.com>
    Signed-off-by: Chen Ridong <chenridong@huawei.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
cgroup: Fix potential overflow issue when checking max_depth [+ + +]
Author: Xiu Jianfeng <xiujianfeng@huawei.com>
Date:   Sat Oct 12 07:22:46 2024 +0000

    cgroup: Fix potential overflow issue when checking max_depth
    
    [ Upstream commit 3cc4e13bb1617f6a13e5e6882465984148743cf4 ]
    
    cgroup.max.depth is the maximum allowed descent depth below the current
    cgroup. If the actual descent depth is equal or larger, an attempt to
    create a new child cgroup will fail. However, because cgroup->max_depth
    is of int type and has the default value INT_MAX, the condition
    'level > cgroup->max_depth' will never be satisfied, and it will cause
    an overflow of the level after it reaches INT_MAX.
    
    Fix it by starting the level from 0 and using '>=' instead.
    
    It's worth mentioning that this issue is unlikely to occur in reality,
    as it's impossible to have a depth of INT_MAX hierarchy, but it should
    be avoided logically.
    
    Fixes: 1a926e0bbab8 ("cgroup: implement hierarchy limits")
    Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
    Reviewed-by: Michal Koutný <mkoutny@suse.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
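The walk the commit describes, written out as a user-space model (added example, not the kernel's code or the commit's diff): the structure name `cg`, the helpers and the three-level sample hierarchy are assumptions. The pre-fix and post-fix forms of the check sit side by side; with finite limits they agree, and the post-fix form is the one whose counter can never pass max_depth.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a cgroup and its hierarchy limit (assumed layout). */
struct cg {
    struct cg *parent;
    int max_depth;   /* cgroup.max.depth: allowed descent depth below this cgroup */
};

/* Pre-fix form: level starts at 1 and the test is '>'.  With the default
 * INT_MAX the test can never be true, and on a deep enough hierarchy the
 * increment would run past INT_MAX.  Kept here only for comparison; the
 * sample hierarchies below are far too shallow to reach that. */
static bool may_create_child_old(const struct cg *parent)
{
    int level = 1;
    for (const struct cg *c = parent; c; c = c->parent) {
        if (level > c->max_depth)
            return false;
        level++;
    }
    return true;
}

/* Post-fix form: level starts at 0 and the test is '>='.  When the walk
 * reaches an ancestor, level equals the descent depth of `parent` below
 * it, so a depth equal to max.depth already refuses the new child and
 * level can never exceed any max_depth value it is compared against. */
static bool may_create_child(const struct cg *parent)
{
    int level = 0;
    for (const struct cg *c = parent; c; c = c->parent) {
        if (level >= c->max_depth)
            return false;
        level++;
    }
    return true;
}

/* Build root(max.depth = limit) -> a -> b (a and b unlimited) and ask whether
 * a child may be created under the cgroup `depth` levels below root. */
static bool demo_may_create(int limit, int depth, bool fixed)
{
    struct cg root = { .parent = NULL,  .max_depth = limit };
    struct cg a    = { .parent = &root, .max_depth = INT_MAX };
    struct cg b    = { .parent = &a,    .max_depth = INT_MAX };
    const struct cg *chain[] = { &root, &a, &b };

    if (depth < 0 || depth > 2)
        return false;
    return fixed ? may_create_child(chain[depth])
                 : may_create_child_old(chain[depth]);
}
```

With root's max.depth set to 2, a child under a (depth 1) is allowed and a child under b (depth 2) is refused by both forms; the difference only matters at the INT_MAX default, where the old form could never refuse and its counter would eventually wrap.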

 
cifs: Fix creating native symlinks pointing to current or parent directory [+ + +]
Author: Pali Rohár <pali@kernel.org>
Date:   Sat Oct 5 16:02:56 2024 +0200

    cifs: Fix creating native symlinks pointing to current or parent directory
    
    [ Upstream commit 63271b7d569fbe924bccc7dadc17d3d07a4e5f7a ]
    
    Calling 'ln -s . symlink' or 'ln -s .. symlink' creates a symlink pointing to
    some object name which ends with the U+F029 Unicode codepoint. This is because
    a trailing dot in the object name is replaced by a non-ASCII Unicode codepoint.
    
    So the Linux SMB client currently is not able to create a native symlink
    pointing to the current or parent directory on a Windows SMB server which can
    be read either locally on the Windows server or by any other SMB client which
    does not implement the compatible reverse character replacement.
    
    Fix this problem in the cifsConvertToUTF16() function, which does that
    character replacement. The function comment already says that it does not
    need to handle the special cases '.' and '..', but after the introduction of
    native symlinks in reparse point form, this handling is needed.
    
    Note that this change depends on the previous change
    "cifs: Improve creating native symlinks pointing to directory".
    
    Signed-off-by: Pali Rohár <pali@kernel.org>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

cifs: Improve creating native symlinks pointing to directory [+ + +]
Author: Pali Rohár <pali@kernel.org>
Date:   Sat Oct 5 16:02:55 2024 +0200

    cifs: Improve creating native symlinks pointing to directory
    
    [ Upstream commit 3eb40512530e4f64f819d8e723b6f41695dace5a ]
    
    The SMB protocol for native symlinks distinguishes between a symlink to a
    directory and a symlink to a file. These two symlink types cannot be
    exchanged, which means that a symlink of file type pointing to a directory
    cannot be resolved at all (and vice-versa).
    
    Windows follows this rule for local filesystems (NTFS) and also for SMB.
    
    The Linux SMB client currently creates all native symlinks of file type,
    which means that Windows (and some other SMB clients) cannot resolve symlinks
    pointing to a directory created by the Linux SMB client.
    
    As the Linux system does not distinguish between directory and file symlinks,
    its API does not provide enough information for the Linux SMB client when
    creating native symlinks.
    
    Add some heuristics into the Linux SMB client for choosing the correct
    symlink type during symlink creation. Check if the symlink target location
    ends with a slash, or the last path component is dot or dot-dot, and check if
    the target location on the SMB share exists and is a directory. If at least
    one condition is true then create the new SMB symlink as directory type.
    Otherwise create it as a file type symlink.
    
    This change improves interoperability with Windows systems. Windows systems
    would be able to resolve more SMB symlinks created by the Linux SMB client
    which point to an existing directory.
    
    Signed-off-by: Pali Rohár <pali@kernel.org>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
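The two cifs changes above, as one added user-space model (not the kernel's cifsConvertToUTF16() or the commits' diffs): the trailing-dot mapping with the "." and ".." special case from the first commit, and the directory-type heuristic from the second. Only U+F029 comes from the commit text; the function names, the ASCII-only input, the '/' separator handling and the `exists_as_dir` lookup hook are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* U+F029: the codepoint the commit text names for a mapped trailing '.'. */
#define SFM_TRAILING_PERIOD 0xF029u

static bool is_dot_or_dotdot(const char *s, size_t n)
{
    return (n == 1 && s[0] == '.') || (n == 2 && s[0] == '.' && s[1] == '.');
}

/* Constructed model of the trailing-dot mapping during UTF-16 conversion.
 * Input: a '/'-separated target path (ASCII only here).  Output: one UTF-16
 * unit per input byte.  A component's trailing '.' becomes U+F029, except
 * when the whole component is "." or "..", which is the special case the
 * fix adds.  Returns the number of units written (0 if `cap` is too small). */
static size_t convert_target_utf16(const char *path, uint16_t *out, size_t cap)
{
    size_t len = strlen(path), start = 0;
    if (len > cap)
        return 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && path[i] != '/')
            continue;
        bool keep = is_dot_or_dotdot(path + start, i - start);
        for (size_t j = start; j < i; j++) {
            bool last = (j == i - 1);
            out[j] = (last && !keep && path[j] == '.')
                         ? (uint16_t)SFM_TRAILING_PERIOD
                         : (uint16_t)(unsigned char)path[j];
        }
        if (i < len)
            out[i] = '/';
        start = i + 1;
    }
    return len;
}

/* Heuristic from the second commit: create the directory-type symlink when
 * the target ends with '/', its last component is "." or "..", or the target
 * exists on the share as a directory.  `exists_as_dir` stands in for the
 * server lookup (constructed hook; may be NULL). */
static bool symlink_target_is_dir(const char *target,
                                  bool (*exists_as_dir)(const char *))
{
    size_t len = strlen(target);
    if (len == 0)
        return false;
    if (target[len - 1] == '/')
        return true;
    const char *slash = strrchr(target, '/');
    const char *last = slash ? slash + 1 : target;
    if (is_dot_or_dotdot(last, strlen(last)))
        return true;
    return exists_as_dir && exists_as_dir(target);
}

/* Sample share: only "docs" exists as a directory (constructed). */
static bool sample_share_is_dir(const char *target)
{
    return strcmp(target, "docs") == 0;
}

/* Usage helpers: convert `path` and report its length or unit `idx`. */
static uint16_t g_units[64];

static size_t converted_len(const char *path)
{
    return convert_target_utf16(path, g_units, 64);
}

static unsigned converted_unit(const char *path, size_t idx)
{
    size_t n = convert_target_utf16(path, g_units, 64);
    return idx < n ? g_units[idx] : 0;
}
```

Before the special case, converting "." yields a single U+F029 unit, which is exactly the unresolvable object name the first commit describes; with it, "." and ".." pass through unchanged while "foo." still maps its trailing dot.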

 
cxl/acpi: Ensure ports ready at cxl_acpi_probe() return [+ + +]
Author: Dan Williams <dan.j.williams@intel.com>
Date:   Tue Oct 22 18:43:40 2024 -0700

    cxl/acpi: Ensure ports ready at cxl_acpi_probe() return
    
    [ Upstream commit 48f62d38a07d464a499fa834638afcfd2b68f852 ]
    
    In order to ensure root CXL ports are enabled upon cxl_acpi_probe()
    when the 'cxl_port' driver is built as a module, arrange for the
    module to be pre-loaded or built-in.
    
    The "Fixes:" but no "Cc: stable" on this patch reflects that the issue
    is merely by inspection since the bug that triggered the discovery of
    this potential problem [1] is fixed by other means. However, a stable
    backport should do no harm.
    
    Fixes: 8dd2bc0f8e02 ("cxl/mem: Add the cxl_mem driver")
    Link: http://lore.kernel.org/20241004212504.1246-1-gourry@gourry.net [1]
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Tested-by: Gregory Price <gourry@gourry.net>
    Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Reviewed-by: Ira Weiny <ira.weiny@intel.com>
    Link: https://patch.msgid.link/172964781969.81806.17276352414854540808.stgit@dwillia2-xfh.jf.intel.com
    Signed-off-by: Ira Weiny <ira.weiny@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
cxl/events: Fix Trace DRAM Event Record [+ + +]
Author: Shiju Jose <shiju.jose@huawei.com>
Date:   Mon Oct 14 15:30:03 2024 +0100

    cxl/events: Fix Trace DRAM Event Record
    
    [ Upstream commit 53ab8678e7180834be29cf56cd52825fc3427c02 ]
    
    CXL spec rev 3.0 section 8.2.9.2.1.2 defines the DRAM Event Record.
    
    Fix decode memory event type field of DRAM Event Record.
    For example, if the value is 0x1 it will be reported as an Invalid Address
    (General Media Event Record - Memory Event Type) instead of Scrub Media
    ECC Error (DRAM Event Record - Memory Event Type) and so on.
    
    Fixes: 2d6c1e6d60ba ("cxl/mem: Trace DRAM Event Record")
    Signed-off-by: Shiju Jose <shiju.jose@huawei.com>
    Link: https://patch.msgid.link/20241014143003.1170-1-shiju.jose@huawei.com
    Signed-off-by: Ira Weiny <ira.weiny@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices() [+ + +]
Author: Dan Williams <dan.j.williams@intel.com>
Date:   Tue Oct 22 18:43:32 2024 -0700

    cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices()
    
    [ Upstream commit 3d6ebf16438de5d712030fefbb4182b46373d677 ]
    
    It turns out since its original introduction, pre-2.6.12,
    bus_rescan_devices() has skipped devices that might be in the process of
    attaching or detaching from their driver. For CXL this behavior is
    unwanted; CXL expects that cxl_bus_rescan() is a probe barrier.
    
    That behavior is simple enough to achieve with bus_for_each_dev() paired
    with a call to device_attach(), and it is unclear why bus_rescan_devices()
    took the position of lockless consumption of dev->driver, which is racy.
    
    The "Fixes:" but no "Cc: stable" on this patch reflects that the issue
    is merely by inspection since the bug that triggered the discovery of
    this potential problem [1] is fixed by other means.  However, a stable
    backport should do no harm.
    
    Fixes: 8dd2bc0f8e02 ("cxl/mem: Add the cxl_mem driver")
    Link: http://lore.kernel.org/20241004212504.1246-1-gourry@gourry.net [1]
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Tested-by: Gregory Price <gourry@gourry.net>
    Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Reviewed-by: Ira Weiny <ira.weiny@intel.com>
    Link: https://patch.msgid.link/172964781104.81806.4277549800082443769.stgit@dwillia2-xfh.jf.intel.com
    Signed-off-by: Ira Weiny <ira.weiny@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

cxl/port: Fix use-after-free, permit out-of-order decoder shutdown [+ + +]
Author: Dan Williams <dan.j.williams@intel.com>
Date:   Tue Oct 22 18:43:49 2024 -0700

    cxl/port: Fix use-after-free, permit out-of-order decoder shutdown
    
    commit 101c268bd2f37e965a5468353e62d154db38838e upstream.
    
    In support of investigating an initialization failure report [1],
    cxl_test was updated to register mock memory-devices after the mock
    root-port/bus device had been registered. That led to cxl_test crashing
    with a use-after-free bug with the following signature:
    
        cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 next: cxl_switch_uport.0 nr_eps: 1 nr_targets: 1
        cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem4:decoder14.0 @ 1 next: cxl_switch_uport.0 nr_eps: 2 nr_targets: 1
        cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[0] = cxl_switch_dport.0 for mem0:decoder7.0 @ 0
    1)  cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[1] = cxl_switch_dport.4 for mem4:decoder14.0 @ 1
        [..]
        cxld_unregister: cxl decoder14.0:
        cxl_region_decode_reset: cxl_region region3:
        mock_decoder_reset: cxl_port port3: decoder3.0 reset
    2)  mock_decoder_reset: cxl_port port3: decoder3.0: out of order reset, expected decoder3.1
        cxl_endpoint_decoder_release: cxl decoder14.0:
        [..]
        cxld_unregister: cxl decoder7.0:
    3)  cxl_region_decode_reset: cxl_region region3:
        Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bc3: 0000 [#1] PREEMPT SMP PTI
        [..]
        RIP: 0010:to_cxl_port+0x8/0x60 [cxl_core]
        [..]
        Call Trace:
         <TASK>
         cxl_region_decode_reset+0x69/0x190 [cxl_core]
         cxl_region_detach+0xe8/0x210 [cxl_core]
         cxl_decoder_kill_region+0x27/0x40 [cxl_core]
         cxld_unregister+0x5d/0x60 [cxl_core]
    
    At 1) a region has been established with 2 endpoint decoders (7.0 and
    14.0). Those endpoints share a common switch-decoder in the topology
    (3.0). At teardown, 2), decoder14.0 is the first to be removed and hits
    the "out of order reset case" in the switch decoder. The effect though
    is that region3 cleanup is aborted leaving it intact and
    referencing decoder14.0. At 3) the second attempt to teardown region3
    trips over the stale decoder14.0 object which has long since been
    deleted.
    
    The fix here is to recognize that the CXL specification places no
    mandate on in-order shutdown of switch-decoders, the driver enforces
    in-order allocation, and hardware enforces in-order commit. So, rather
    than fail and leave objects dangling, always remove them.
    
    In support of making cxl_region_decode_reset() always succeed,
    cxl_region_invalidate_memregion() failures are turned into warnings.
    Crashing the kernel is ok there since system integrity is at risk if
    caches cannot be managed around physical address mutation events like
    CXL region destruction.
    
    A new device_for_each_child_reverse_from() is added to cleanup
    port->commit_end after all dependent decoders have been disabled. In
    other words if decoders are allocated 0->1->2 and disabled 1->2->0 then
    port->commit_end only decrements from 2 after 2 has been disabled, and
    it decrements all the way to zero since 1 was disabled previously.
    
    Link: http://lore.kernel.org/20241004212504.1246-1-gourry@gourry.net [1]
    Cc: stable@vger.kernel.org
    Fixes: 176baefb2eb5 ("cxl/hdm: Commit decoder state to hardware")
    Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Davidlohr Bueso <dave@stgolabs.net>
    Cc: Dave Jiang <dave.jiang@intel.com>
    Cc: Alison Schofield <alison.schofield@intel.com>
    Cc: Ira Weiny <ira.weiny@intel.com>
    Cc: Zijun Hu <quic_zijuhu@quicinc.com>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Reviewed-by: Ira Weiny <ira.weiny@intel.com>
    Link: https://patch.msgid.link/172964782781.81806.17902885593105284330.stgit@dwillia2-xfh.jf.intel.com
    Signed-off-by: Ira Weiny <ira.weiny@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing [+ + +]
Author: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Date:   Mon May 27 20:15:21 2024 +0530

    drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing
    
    commit 15c2990e0f0108b9c3752d7072a97d45d4283aea upstream.
    
    This commit adds null checks for the 'stream' and 'plane' variables in
    the dcn30_apply_idle_power_optimizations function. These variables were
    previously assumed to be null at line 922, but they were used later in
    the code without checking if they were null. This could potentially lead
    to a null pointer dereference, which would cause a crash.
    
    The null checks ensure that 'stream' and 'plane' are not null before
    they are used, preventing potential crashes.
    
    Fixes the below static smatch checker:
    drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922)
    drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)
    
    Cc: Tom Chung <chiahsuan.chung@amd.com>
    Cc: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    Cc: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
    Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
    Cc: Roman Li <roman.li@amd.com>
    Cc: Hersen Wu <hersenxs.wu@amd.com>
    Cc: Alex Hung <alex.hung@amd.com>
    Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
    Cc: Harry Wentland <harry.wentland@amd.com>
    Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
    Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    [Xiangyu: Modified file path to backport this commit]
    Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() [+ + +]
Author: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Date:   Wed Oct 16 16:47:40 2024 +0800

    firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state()
    
    [ Upstream commit c83212d79be2c9886d3e6039759ecd388fd5fed1 ]
    
    In sdei_device_freeze(), the input parameter of cpuhp_remove_state() is
    passed as 'sdei_entry_point' by mistake. Change it to 'sdei_hp_state'.
    
    Fixes: d2c48b2387eb ("firmware: arm_sdei: Fix sleep from invalid context BUG")
    Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
    Reviewed-by: James Morse <james.morse@arm.com>
    Link: https://lore.kernel.org/r/20241016084740.183353-1-wangxiongfeng2@huawei.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
fs/ntfs3: Add rough attr alloc_size check [+ + +]
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Mon Aug 19 16:26:59 2024 +0300

    fs/ntfs3: Add rough attr alloc_size check
    
    [ Upstream commit c4a8ba334262e9a5c158d618a4820e1b9c12495c ]
    
    Reported-by: syzbot+c6d94bedd910a8216d25@syzkaller.appspotmail.com
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/ntfs3: Additional check in ni_clear() [+ + +]
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Mon Sep 9 15:39:10 2024 +0300

    fs/ntfs3: Additional check in ni_clear()
    
    [ Upstream commit d178944db36b3369b78a08ba520de109b89bf2a9 ]
    
    Checking of NTFS_FLAGS_LOG_REPLAYING added to prevent access to
    uninitialized bitmap during replay process.
    
    Reported-by: syzbot+3bfd2cc059ab93efcdb4@syzkaller.appspotmail.com
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/ntfs3: Additional check in ntfs_file_release [+ + +]
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Wed Sep 4 12:57:31 2024 +0300

    fs/ntfs3: Additional check in ntfs_file_release
    
    [ Upstream commit 031d6f608290c847ba6378322d0986d08d1a645a ]
    
    Reported-by: syzbot+8c652f14a0fde76ff11d@syzkaller.appspotmail.com
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/ntfs3: Check if more than chunk-size bytes are written [+ + +]
Author: Andrew Ballance <andrewjballance@gmail.com>
Date:   Wed May 15 07:38:33 2024 -0500

    fs/ntfs3: Check if more than chunk-size bytes are written
    
    [ Upstream commit 9931122d04c6d431b2c11b5bb7b10f28584067f0 ]
    
    An incorrectly formatted chunk may decompress into
    more than LZNT_CHUNK_SIZE bytes and an index out of bounds
    will occur in s_max_off.
    
    Signed-off-by: Andrew Ballance <andrewjballance@gmail.com>
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/ntfs3: Fix general protection fault in run_is_mapped_full [+ + +]
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Fri Aug 30 13:50:18 2024 +0300

    fs/ntfs3: Fix general protection fault in run_is_mapped_full
    
    [ Upstream commit a33fb016e49e37aafab18dc3c8314d6399cb4727 ]
    
    Fixed deleting of a non-resident attribute in ntfs_create_inode()
    rollback.
    
    Reported-by: syzbot+9af29acd8f27fbce94bc@syzkaller.appspotmail.com
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/ntfs3: Fix possible deadlock in mi_read [+ + +]
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Wed Aug 28 11:55:53 2024 +0300

    fs/ntfs3: Fix possible deadlock in mi_read
    
    [ Upstream commit 03b097099eef255fbf85ea6a786ae3c91b11f041 ]
    
    A mutex lock with another subclass is used in ni_lock_dir().
    
    Reported-by: syzbot+bc7ca0ae4591cb2550f9@syzkaller.appspotmail.com
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/ntfs3: Fix warning possible deadlock in ntfs_set_state [+ + +]
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Mon Aug 19 16:26:22 2024 +0300

    fs/ntfs3: Fix warning possible deadlock in ntfs_set_state
    
    [ Upstream commit 5b2db723455a89dc96743d34d8bdaa23a402db2f ]
    
    Use non-zero subkey to skip analyzer warnings.
    
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Reported-by: syzbot+c2ada45c23d98d646118@syzkaller.appspotmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

fs/ntfs3: Sequential field availability check in mi_enum_attr() [+ + +]
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Thu Sep 5 15:03:48 2024 +0300

    fs/ntfs3: Sequential field availability check in mi_enum_attr()
    
    commit 090f612756a9720ec18b0b130e28be49839d7cb5 upstream.
    
    The code is slightly reformatted to consistently check field availability
    without duplication.
    
    Fixes: 556bdf27c2dd ("ntfs3: Add bounds checking to mi_enum_attr()")
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fs/ntfs3: Stale inode instead of bad [+ + +]
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Thu Aug 22 14:43:32 2024 +0300

    fs/ntfs3: Stale inode instead of bad
    
    [ Upstream commit 1fd21919de6de245b63066b8ee3cfba92e36f0e9 ]
    
    Fixed the logic of processing inode with wrong sequence number.
    
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
fsdax: dax_unshare_iter needs to copy entire blocks [+ + +]
Author: Darrick J. Wong <djwong@kernel.org>
Date:   Thu Oct 3 08:09:48 2024 -0700

    fsdax: dax_unshare_iter needs to copy entire blocks
    
    [ Upstream commit 50793801fc7f6d08def48754fb0f0706b0cfc394 ]
    
    The code that copies data from srcmap to iomap in dax_unshare_iter is
    very very broken, which bfoster's recent fsx changes have exposed.
    
    If the pos and len passed to dax_file_unshare are not aligned to an
    fsblock boundary, the iter pos and length in the _iter function will
    reflect this unalignment.
    
    dax_iomap_direct_access always returns a pointer to the start of the
    kmapped fsdax page, even if its pos argument is in the middle of that
    page.  This is catastrophic for data integrity when iter->pos is not
    aligned to a page, because daddr/saddr do not point to the same byte in
    the file as iter->pos.  Hence we corrupt user data by copying it to the
    wrong place.
    
    If iter->pos + iomap_length() in the _iter function not aligned to a
    page, then we fail to copy a full block, and only partially populate the
    destination block.  This is catastrophic for data confidentiality
    because we expose stale pmem contents.
    
    Fix both of these issues by aligning copy_pos/copy_len to a page
    boundary (remember, this is fsdax so 1 fsblock == 1 base page) so that
    we always copy full blocks.
    
    We're not done yet -- there's no call to invalidate_inode_pages2_range,
    so programs that have the file range mmap'd will continue accessing the
    old memory mapping after the file metadata updates have completed.
    
    Be careful with the return value -- if the unshare succeeds, we still
    need to return the number of bytes that the iomap iter thinks we're
    operating on.
    
    Cc: ruansy.fnst@fujitsu.com
    Fixes: d984648e428b ("fsdax,xfs: port unshare to fsdax")
    Signed-off-by: Darrick J. Wong <djwong@kernel.org>
    Link: https://lore.kernel.org/r/172796813328.1131942.16777025316348797355.stgit@frogsfrogsfrogs
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
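The alignment fix and the two failure modes it closes, as an added user-space model (not the kernel's dax_unshare_iter or the commit's diff): a two-page "file" whose `direct_access()` mimics dax_iomap_direct_access() by always returning the start of the page containing the requested position. The buffer names, the 4 KiB block size, the stale fill byte and the `unshare()`/`scenario()` helpers are assumptions; the return-value rule (report the iter's own length, not the aligned copy length) follows the commit text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: 1 fsblock == 1 base page, assumed 4 KiB, two-page file. */
#define BLK      4096u
#define FILE_SZ  (2 * BLK)
#define STALE    0xEE   /* what freshly allocated, never-written pmem holds here */

static unsigned char src[FILE_SZ];  /* shared source extent */
static unsigned char dst[FILE_SZ];  /* newly allocated destination extent */

static void reset_media(void)
{
    for (size_t i = 0; i < FILE_SZ; i++)
        src[i] = (unsigned char)(i * 7 + 3);
    memset(dst, STALE, FILE_SZ);
}

/* Mimics dax_iomap_direct_access(): the start of the page holding `pos`,
 * never a pointer into the middle of it. */
static unsigned char *direct_access(unsigned char *media, uint64_t pos)
{
    return media + (pos & ~(uint64_t)(BLK - 1));
}

/* The fix: round [pos, pos + len) out to whole blocks. */
static void align_copy_range(uint64_t pos, uint64_t len,
                             uint64_t *copy_pos, uint64_t *copy_len)
{
    uint64_t start = pos & ~(uint64_t)(BLK - 1);
    uint64_t end = (pos + len + BLK - 1) & ~(uint64_t)(BLK - 1);
    *copy_pos = start;
    *copy_len = end - start;
}

static uint64_t aligned_copy_len(uint64_t pos, uint64_t len)
{
    uint64_t cp, cl;
    align_copy_range(pos, len, &cp, &cl);
    return cl;
}

/* Unshare [pos, pos + len).  The broken form copies `len` bytes between the
 * page-start pointers; the fixed form copies the aligned range.  Returns the
 * length the iterator asked for on success (as the commit requires), 0 on
 * failure. */
static uint64_t unshare(uint64_t pos, uint64_t len, bool fixed)
{
    uint64_t copy_pos = pos, copy_len = len;
    if (fixed)
        align_copy_range(pos, len, &copy_pos, &copy_len);
    if (copy_pos + copy_len > FILE_SZ)
        return 0;
    memcpy(direct_access(dst, copy_pos), direct_access(src, copy_pos), copy_len);
    return len;
}

/* Does dst now hold the source bytes for every byte of [pos, pos + len)?
 * Anything still STALE in that range is old pmem content exposed to the
 * caller. */
static bool range_populated(uint64_t pos, uint64_t len)
{
    return pos + len <= FILE_SZ && memcmp(dst + pos, src + pos, len) == 0;
}

/* Run one unshare on fresh media and report whether the requested range
 * came out right. */
static bool scenario(uint64_t pos, uint64_t len, bool fixed)
{
    reset_media();
    unshare(pos, len, fixed);
    return range_populated(pos, len);
}
```

An unaligned request such as pos 4100, len 100 makes the broken form copy bytes 4096..4195, so the tail of the requested range keeps its stale contents; a request straddling two pages (pos 4090, len 20) is missed entirely because the copy starts at offset 0. The aligned form copies whole blocks and both requests come out correct, while a block-aligned request was never affected.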

fsdax: remove zeroing code from dax_unshare_iter [+ + +]
Author: Darrick J. Wong <djwong@kernel.org>
Date:   Thu Oct 3 08:09:32 2024 -0700

    fsdax: remove zeroing code from dax_unshare_iter
    
    [ Upstream commit 95472274b6fed8f2d30fbdda304e12174b3d4099 ]
    
    Remove the code in dax_unshare_iter that zeroes the destination memory
    because it's not necessary.
    
    If srcmap is unwritten, we don't have to do anything because that
    unwritten extent came from the regular file mapping, and unwritten
    extents cannot be shared.  The same applies to holes.
    
    Furthermore, zeroing to unshare a mapping is just plain wrong because
    unsharing means copy on write, and we should be copying data.
    
    This is effectively a revert of commit 13dd4e04625f ("fsdax: unshare:
    zero destination if srcmap is HOLE or UNWRITTEN")
    
    Cc: ruansy.fnst@fujitsu.com
    Signed-off-by: Darrick J. Wong <djwong@kernel.org>
    Link: https://lore.kernel.org/r/172796813311.1131942.16033376284752798632.stgit@frogsfrogsfrogs
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Stable-dep-of: 50793801fc7f ("fsdax: dax_unshare_iter needs to copy entire blocks")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
gtp: allow -1 to be specified as file description from userspace [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue Oct 22 16:48:25 2024 +0200

    gtp: allow -1 to be specified as file description from userspace
    
    [ Upstream commit 7515e37bce5c428a56a9b04ea7e96b3f53f17150 ]
    
    Existing user space applications maintained by the Osmocom project are
    breaking since a recent fix that addresses incorrect error checking.
    
    Restore operation for user space programs that specify -1 as file
    descriptor to skip GTPv0 or GTPv1 only sockets.
    
    Fixes: defd8b3c37b0 ("gtp: fix a potential NULL pointer dereference")
    Reported-by: Pau Espin Pedrol <pespin@sysmocom.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Tested-by: Oliver Smith <osmith@sysmocom.de>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241022144825.66740-1-pablo@netfilter.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() [+ + +]
Author: Zicheng Qu <quzicheng@huawei.com>
Date:   Tue Oct 22 13:43:30 2024 +0000

    iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr()
    
    commit efa353ae1b0541981bc96dbf2e586387d0392baa upstream.
    
    In the ad7124_write_raw() function, parameter val can potentially
    be zero. This may lead to a division by zero when DIV_ROUND_CLOSEST()
    is called within ad7124_set_channel_odr(). The ad7124_write_raw()
    function is invoked through the sequence: iio_write_channel_raw() ->
    iio_write_channel_attribute() -> iio_channel_write(), with no checks
    in place to ensure val is non-zero.
    
    Cc: stable@vger.kernel.org
    Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels")
    Signed-off-by: Zicheng Qu <quzicheng@huawei.com>
    Reviewed-by: Nuno Sa <nuno.sa@analog.com>
    Link: https://patch.msgid.link/20241022134330.574601-1-quzicheng@huawei.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table() [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Wed Oct 16 09:24:53 2024 +0800

    iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table()
    
    commit 369f05688911b05216cfcd6ca74473bec87948d7 upstream.
    
    If per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop
    of iio_gts_build_avail_scale_table(), the err_free_out will fail to call
    kfree() each time when i is reduced to 0, so all the per_time_scales[0]
    and per_time_gains[0] will not be freed, which will cause memory leaks.
    
    Fix it by checking if i >= 0.
    
    Cc: stable@vger.kernel.org
    Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers")
    Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com>
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Link: https://patch.msgid.link/20241016012453.2013302-1-ruanjinjie@huawei.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
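
The off-by-one cleanup loop described in the commit above, modelled as an added example (this is not the driver's code; sim_kcalloc(), the allocation counters and the NUM_ITIME/NUM_GAINS sizes are constructed for the demonstration). An error path that stops at `i > 0` skips index 0, which is exactly the leak the fix closes by iterating while `i >= 0`:

```c
#include <stdlib.h>

#define NUM_ITIME 5   /* integration times (constructed, like gts_test_itimes) */
#define NUM_GAINS 10  /* hardware gains per integration time (constructed)   */

/* Bookkeeping so a test can see what the error path actually released. */
static int allocs_made;
static int frees_done;

/* Simulated kcalloc: the fail_at-th call (1-based) returns NULL, others succeed. */
static void *sim_kcalloc(size_t n, size_t size, int fail_at)
{
	allocs_made++;
	if (allocs_made == fail_at)
		return NULL;
	return calloc(n, size);
}

static void sim_kfree(void *p)
{
	if (p) {
		frees_done++;
		free(p);
	}
}

/*
 * Constructed model of the allocation loop: two temporary tables per
 * integration time. Returns 0 on success, -1 when an allocation failed.
 * With buggy != 0 the error path uses the `i > 0` bound (index 0 is never
 * freed), otherwise the corrected `i >= 0` bound.
 */
static int build_tables(int fail_at, int buggy)
{
	int *per_time_gains[NUM_ITIME];
	int *per_time_scales[NUM_ITIME];
	int i;

	allocs_made = 0;
	frees_done = 0;

	for (i = 0; i < NUM_ITIME; i++) {
		per_time_gains[i] = sim_kcalloc(NUM_GAINS, sizeof(int), fail_at);
		if (!per_time_gains[i])
			goto err_free_out;

		per_time_scales[i] = sim_kcalloc(NUM_GAINS, sizeof(int), fail_at);
		if (!per_time_scales[i]) {
			sim_kfree(per_time_gains[i]); /* keep entry i consistent */
			goto err_free_out;
		}
	}

	/* Success: the temporary tables are no longer needed, release them all. */
	for (i = 0; i < NUM_ITIME; i++) {
		sim_kfree(per_time_scales[i]);
		sim_kfree(per_time_gains[i]);
	}
	return 0;

err_free_out:
	/* Entries 0..i-1 are fully allocated; entry i was already cleaned up. */
	for (i--; buggy ? (i > 0) : (i >= 0); i--) {
		sim_kfree(per_time_scales[i]);
		sim_kfree(per_time_gains[i]);
	}
	return -1;
}

/* Number of successful allocations that were never freed (0 means no leak). */
static int leaked_after_failure(int fail_at, int buggy)
{
	int rc = build_tables(fail_at, buggy);
	int succeeded = allocs_made - (rc < 0 ? 1 : 0); /* drop the failing call */

	return succeeded - frees_done;
}
```

Failing the third allocation (the second per_time_gains entry) leaves the two index-0 buffers behind with the `i > 0` bound and nothing behind with `i >= 0`; a failure on the very first allocation leaks nothing either way, which is why the bug is easy to miss in a quick fault-injection test.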

iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table() [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Fri Oct 11 17:55:12 2024 +0800

    iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table()
    
    commit 691e79ffc42154a9c91dc3b7e96a307037b4be74 upstream.
    
    modprobe iio-test-gts and rmmod it, then the following memory leak
    occurs:
    
            unreferenced object 0xffffff80c810be00 (size 64):
              comm "kunit_try_catch", pid 1654, jiffies 4294913981
              hex dump (first 32 bytes):
                02 00 00 00 08 00 00 00 20 00 00 00 40 00 00 00  ........ ...@...
                80 00 00 00 00 02 00 00 00 04 00 00 00 08 00 00  ................
              backtrace (crc a63d875e):
                [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40
                [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0
                [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4
                [<0000000071bb4b09>] 0xffffffdf052a62e0
                [<000000000315bc18>] 0xffffffdf052a6488
                [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac
                [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec
                [<00000000f505065d>] kthread+0x2e8/0x374
                [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20
            unreferenced object 0xffffff80cbfe9e70 (size 16):
              comm "kunit_try_catch", pid 1658, jiffies 4294914015
              hex dump (first 16 bytes):
                10 00 00 00 40 00 00 00 80 00 00 00 00 00 00 00  ....@...........
              backtrace (crc 857f0cb4):
                [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40
                [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0
                [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4
                [<0000000071bb4b09>] 0xffffffdf052a62e0
                [<000000007d089d45>] 0xffffffdf052a6864
                [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac
                [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec
                [<00000000f505065d>] kthread+0x2e8/0x374
                [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20
            ......
    
    It includes 5*5 times "size 64" memory leaks, which correspond to 5 times
    test_init_iio_gain_scale() calls with gts_test_gains size 10 (10*size(int))
    and gts_test_itimes size 5. It also includes 5*1 times "size 16"
    memory leak, which corresponds to one time __test_init_iio_gain_scale()
    call with gts_test_gains_gain_low size 3 (3*size(int)) and gts_test_itimes
    size 5.
    
    The reason is that per_time_gains[i], which is allocated in the
    "gts->num_itime" for loop in iio_gts_build_avail_scale_table(), is not freed.
    
    Cc: stable@vger.kernel.org
    Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers")
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com>
    Link: https://patch.msgid.link/20241011095512.3667549-1-ruanjinjie@huawei.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

iio: light: veml6030: fix microlux value calculation [+ + +]
Author: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Date:   Wed Oct 16 19:04:31 2024 +0200

    iio: light: veml6030: fix microlux value calculation
    
    commit 63dd163cd61dda6f38343776b42331cc6b7e56e0 upstream.
    
    The raw value conversion to obtain a measurement in lux as
    INT_PLUS_MICRO does not calculate the decimal part properly to display
    it as micro (in this case microlux). It only calculates the module to
    obtain the decimal part from a resolution that is 10000 times the
    provided in the datasheet (0.5376 lux/cnt for the veml6030). The
    resulting value must still be multiplied by 100 to make it micro.
    
    This bug was introduced with the original implementation of the driver.
    
    Only the illuminance channel is fixed because the scale is nonsensical
    for the intensity channels anyway.
    
    Cc: stable@vger.kernel.org
    Fixes: 7b779f573c48 ("iio: light: add driver for veml6030 ambient light sensor")
    Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
    Link: https://patch.msgid.link/20241016-veml6030-fix-processed-micro-v1-1-4a5644796437@gmail.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Input: edt-ft5x06 - fix regmap leak when probe fails [+ + +]
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Fri Oct 18 17:17:48 2024 -0700

    Input: edt-ft5x06 - fix regmap leak when probe fails
    
    [ Upstream commit bffdf9d7e51a7be8eeaac2ccf9e54a5fde01ff65 ]
    
    The driver neglects to free the instance of I2C regmap constructed at
    the beginning of the edt_ft5x06_ts_probe() method when probe fails.
    Additionally edt_ft5x06_ts_remove() is freeing the regmap too early,
    before the rest of the device resources that are managed by devm are
    released.
    
    Fix this by installing a custom devm action that will ensure that the
    regmap is released at the right time during normal teardown as well as
    in case of probe failure.
    
    Note that devm_regmap_init_i2c() could not be used because the driver
    may replace the original regmap with a regmap specific for M06 devices
    in the middle of the probe, and using devm_regmap_init_i2c() would
    result in releasing the M06 regmap too early.
    
    Reported-by: Li Zetao <lizetao1@huawei.com>
    Fixes: 9dfd9708ffba ("Input: edt-ft5x06 - convert to use regmap API")
    Cc: stable@vger.kernel.org
    Reviewed-by: Oliver Graute <oliver.graute@kococonnector.com>
    Link: https://lore.kernel.org/r/ZxL6rIlVlgsAu-Jv@google.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

Input: xpad - add support for 8BitDo Ultimate 2C Wireless Controller [+ + +]
Author: Stefan Kerkmann <s.kerkmann@pengutronix.de>
Date:   Wed Oct 16 12:37:06 2024 -0700

    Input: xpad - add support for 8BitDo Ultimate 2C Wireless Controller
    
    [ Upstream commit ea330429a04b383bd319c66261a5eca4798801e4 ]
    
    This XBOX360 compatible gamepad uses the new product id 0x310a under
    8BitDo's vendor id 0x2dc8. The change was tested using the gamepad in a
    wired and wireless dongle configuration.
    
    Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
    Link: https://lore.kernel.org/r/20241015-8bitdo_2c_ultimate_wireless-v1-1-9c9f9db2e995@pengutronix.de
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

Input: xpad - sort xpad_device by vendor and product ID [+ + +]
Author: Brenton Simpson <appsforartists@google.com>
Date:   Thu Feb 8 11:13:17 2024 -0800

    Input: xpad - sort xpad_device by vendor and product ID
    
    [ Upstream commit 18970d4f6317a3595cc592c3c7815f63d1818932 ]
    
    This helps make sure there are no duplicate entries in the tables.
    
    Signed-off-by: Brenton Simpson <appsforartists@google.com>
    Link: https://lore.kernel.org/r/20240130231903.293265-1-appsforartists@google.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Stable-dep-of: ea330429a04b ("Input: xpad - add support for 8BitDo Ultimate 2C Wireless Controller")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
io_uring/rw: fix missing NOWAIT check for O_DIRECT start write [+ + +]
Author: Jens Axboe <axboe@kernel.dk>
Date:   Thu Oct 31 08:05:44 2024 -0600

    io_uring/rw: fix missing NOWAIT check for O_DIRECT start write
    
    [ Upstream commit 1d60d74e852647255bd8e76f5a22dc42531e4389 ]
    
    When io_uring starts a write, it'll call kiocb_start_write() to bump the
    super block rwsem, preventing any freezes from happening while that
    write is in-flight. The freeze side will grab that rwsem for writing,
    excluding any new writers from happening and waiting for existing writes
    to finish. But io_uring unconditionally uses kiocb_start_write(), which
    will block if someone is currently attempting to freeze the mount point.
    This causes a deadlock where freeze is waiting for previous writes to
    complete, but the previous writes cannot complete, as the task that is
    supposed to complete them is blocked waiting on starting a new write.
    This results in the following stuck trace showing that dependency with
    the write blocked starting a new write:
    
    task:fio             state:D stack:0     pid:886   tgid:886   ppid:876
    Call trace:
     __switch_to+0x1d8/0x348
     __schedule+0x8e8/0x2248
     schedule+0x110/0x3f0
     percpu_rwsem_wait+0x1e8/0x3f8
     __percpu_down_read+0xe8/0x500
     io_write+0xbb8/0xff8
     io_issue_sqe+0x10c/0x1020
     io_submit_sqes+0x614/0x2110
     __arm64_sys_io_uring_enter+0x524/0x1038
     invoke_syscall+0x74/0x268
     el0_svc_common.constprop.0+0x160/0x238
     do_el0_svc+0x44/0x60
     el0_svc+0x44/0xb0
     el0t_64_sync_handler+0x118/0x128
     el0t_64_sync+0x168/0x170
    INFO: task fsfreeze:7364 blocked for more than 15 seconds.
          Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963
    
    with the attempting freezer stuck trying to grab the rwsem:
    
    task:fsfreeze        state:D stack:0     pid:7364  tgid:7364  ppid:995
    Call trace:
     __switch_to+0x1d8/0x348
     __schedule+0x8e8/0x2248
     schedule+0x110/0x3f0
     percpu_down_write+0x2b0/0x680
     freeze_super+0x248/0x8a8
     do_vfs_ioctl+0x149c/0x1b18
     __arm64_sys_ioctl+0xd0/0x1a0
     invoke_syscall+0x74/0x268
     el0_svc_common.constprop.0+0x160/0x238
     do_el0_svc+0x44/0x60
     el0_svc+0x44/0xb0
     el0t_64_sync_handler+0x118/0x128
     el0t_64_sync+0x168/0x170
    
    Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a
    blocking grab of the super block rwsem if it isn't set. For normal issue
    where IOCB_NOWAIT would always be set, this returns -EAGAIN which will
    have io_uring core issue a blocking attempt of the write. That will in
    turn also get completions run, ensuring forward progress.
    
    Since freezing requires CAP_SYS_ADMIN in the first place, this isn't
    something that can be triggered by a regular user.
    
    Cc: stable@vger.kernel.org # 5.10+
    Reported-by: Peter Mann <peter.mann@sh.cz>
    Link: https://lore.kernel.org/io-uring/38c94aec-81c9-4f62-b44e-1d87f5597644@sh.cz
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
io_uring: always lock __io_cqring_overflow_flush [+ + +]
Author: Pavel Begunkov <asml.silence@gmail.com>
Date:   Wed Apr 10 02:26:54 2024 +0100

    io_uring: always lock __io_cqring_overflow_flush
    
    commit 8d09a88ef9d3cb7d21d45c39b7b7c31298d23998 upstream.
    
    Conditional locking is never great; in the case of
    __io_cqring_overflow_flush(), which is a slow path, it's not justified.
    Don't handle IOPOLL separately, always grab uring_lock for overflow
    flushing.
    
    Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
    Link: https://lore.kernel.org/r/162947df299aa12693ac4b305dacedab32ec7976.1712708261.git.asml.silence@gmail.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
iomap: don't bother unsharing delalloc extents [+ + +]
Author: Darrick J. Wong <djwong@kernel.org>
Date:   Wed Oct 2 08:00:40 2024 -0700

    iomap: don't bother unsharing delalloc extents
    
    [ Upstream commit f7a4874d977bf4202ad575031222e78809a36292 ]
    
    If unshare encounters a delalloc reservation in the srcmap, that means
    that the file range isn't shared because delalloc reservations cannot be
    reflinked.  Therefore, don't try to unshare them.
    
    Signed-off-by: Darrick J. Wong <djwong@kernel.org>
    Link: https://lore.kernel.org/r/20241002150040.GB21853@frogsfrogsfrogs
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Stable-dep-of: 50793801fc7f ("fsdax: dax_unshare_iter needs to copy entire blocks")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

iomap: improve shared block detection in iomap_unshare_iter [+ + +]
Author: Christoph Hellwig <hch@lst.de>
Date:   Tue Sep 10 07:39:04 2024 +0300

    iomap: improve shared block detection in iomap_unshare_iter
    
    [ Upstream commit b53fdb215d13f8e9c29541434bf2d14dac8bcbdc ]
    
    Currently iomap_unshare_iter relies on the IOMAP_F_SHARED flag to detect
    blocks to unshare.  This is reasonable, but IOMAP_F_SHARED is also useful
    for the file system to do internal book keeping for out of place writes.
    XFS used to do that, until it got removed in commit 72a048c1056a
    ("xfs: only set IOMAP_F_SHARED when providing a srcmap to a write")
    because unshare would incorrectly unshare such blocks.
    
    Add an extra safeguard by checking the explicitly provided srcmap instead
    of the fallback to the iomap for valid data, as that catches the case
    where we'd just copy from the same place we'd write to easily, allowing
    to reinstate setting IOMAP_F_SHARED for all XFS writes that go to the
    COW fork.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Link: https://lore.kernel.org/r/20240910043949.3481298-3-hch@lst.de
    Reviewed-by: Darrick J. Wong <djwong@kernel.org>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Stable-dep-of: 50793801fc7f ("fsdax: dax_unshare_iter needs to copy entire blocks")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

iomap: share iomap_unshare_iter predicate code with fsdax [+ + +]
Author: Darrick J. Wong <djwong@kernel.org>
Date:   Thu Oct 3 08:09:16 2024 -0700

    iomap: share iomap_unshare_iter predicate code with fsdax
    
    [ Upstream commit 6ef6a0e821d3dad6bf8a5d5508762dba9042c84b ]
    
    The predicate code that iomap_unshare_iter uses to decide if it really
    needs to unshare a file range mapping should be shared with the fsdax
    version, because right now they're opencoded and inconsistent.
    
    Note that we simplify the predicate logic a bit -- we no longer allow
    unsharing of inline data mappings, but there aren't any filesystems that
    allow shared inline data currently.
    
    This is a fix in the sense that it should have been ported to fsdax.
    
    Fixes: b53fdb215d13 ("iomap: improve shared block detection in iomap_unshare_iter")
    Signed-off-by: Darrick J. Wong <djwong@kernel.org>
    Link: https://lore.kernel.org/r/172796813294.1131942.15762084021076932620.stgit@frogsfrogsfrogs
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Stable-dep-of: 50793801fc7f ("fsdax: dax_unshare_iter needs to copy entire blocks")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

iomap: turn iomap_want_unshare_iter into an inline function [+ + +]
Author: Christoph Hellwig <hch@lst.de>
Date:   Tue Oct 15 06:13:50 2024 +0200

    iomap: turn iomap_want_unshare_iter into an inline function
    
    [ Upstream commit 6db388585e486c0261aeef55f8bc63a9b45756c0 ]
    
    iomap_want_unshare_iter currently sits in fs/iomap/buffered-io.c, which
    depends on CONFIG_BLOCK.  It is also used in fs/dax.c which has no
    such dependency.  Given that it is a trivial check turn it into an inline
    in include/linux/iomap.h to fix the DAX && !BLOCK build.
    
    Fixes: 6ef6a0e821d3 ("iomap: share iomap_unshare_iter predicate code with fsdax")
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Link: https://lore.kernel.org/r/20241015041350.118403-1-hch@lst.de
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP [+ + +]
Author: Hugh Dickins <hughd@google.com>
Date:   Sun Oct 27 15:23:23 2024 -0700

    iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP
    
    [ Upstream commit c749d9b7ebbc5716af7a95f7768634b30d9446ec ]
    
    generic/077 on x86_32 CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP=y with highmem,
    on huge=always tmpfs, issues a warning and then hangs (interruptibly):
    
    WARNING: CPU: 5 PID: 3517 at mm/highmem.c:622 kunmap_local_indexed+0x62/0xc9
    CPU: 5 UID: 0 PID: 3517 Comm: cp Not tainted 6.12.0-rc4 #2
    ...
    copy_page_from_iter_atomic+0xa6/0x5ec
    generic_perform_write+0xf6/0x1b4
    shmem_file_write_iter+0x54/0x67
    
    Fix copy_page_from_iter_atomic() by limiting it in that case
    (include/linux/skbuff.h skb_frag_must_loop() does similar).
    
    But going forward, perhaps CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP is too
    surprising, has outlived its usefulness, and should just be removed?
    
    Fixes: 908a1ad89466 ("iov_iter: Handle compound highmem pages in copy_page_from_iter_atomic()")
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Link: https://lore.kernel.org/r/dd5f0c89-186e-18e1-4f43-19a60f5a9774@google.com
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() [+ + +]
Author: Ido Schimmel <idosch@nvidia.com>
Date:   Tue Oct 22 09:38:22 2024 +0300

    ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow()
    
    [ Upstream commit ad4a3ca6a8e886f6491910a3ae5d53595e40597d ]
    
    There are code paths from which the function is called without holding
    the RCU read lock, resulting in a suspicious RCU usage warning [1].
    
    Fix by using l3mdev_master_upper_ifindex_by_index() which will acquire
    the RCU read lock before calling
    l3mdev_master_upper_ifindex_by_index_rcu().
    
    [1]
    WARNING: suspicious RCU usage
    6.12.0-rc3-custom-gac8f72681cf2 #141 Not tainted
    -----------------------------
    net/core/dev.c:876 RCU-list traversed in non-reader section!!
    
    other info that might help us debug this:
    
    rcu_scheduler_active = 2, debug_locks = 1
    1 lock held by ip/361:
     #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60
    
    stack backtrace:
    CPU: 3 UID: 0 PID: 361 Comm: ip Not tainted 6.12.0-rc3-custom-gac8f72681cf2 #141
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    Call Trace:
     <TASK>
     dump_stack_lvl+0xba/0x110
     lockdep_rcu_suspicious.cold+0x4f/0xd6
     dev_get_by_index_rcu+0x1d3/0x210
     l3mdev_master_upper_ifindex_by_index_rcu+0x2b/0xf0
     ip_tunnel_bind_dev+0x72f/0xa00
     ip_tunnel_newlink+0x368/0x7a0
     ipgre_newlink+0x14c/0x170
     __rtnl_newlink+0x1173/0x19c0
     rtnl_newlink+0x6c/0xa0
     rtnetlink_rcv_msg+0x3cc/0xf60
     netlink_rcv_skb+0x171/0x450
     netlink_unicast+0x539/0x7f0
     netlink_sendmsg+0x8c1/0xd80
     ____sys_sendmsg+0x8f9/0xc20
     ___sys_sendmsg+0x197/0x1e0
     __sys_sendmsg+0x122/0x1f0
     do_syscall_64+0xbb/0x1d0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Fixes: db53cd3d88dc ("net: Handle l3mdev in ip_tunnel_init_flow")
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Link: https://patch.msgid.link/20241022063822.462057-1-idosch@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
kasan: Fix Software Tag-Based KASAN with GCC [+ + +]
Author: Marco Elver <elver@google.com>
Date:   Mon Oct 21 14:00:10 2024 +0200

    kasan: Fix Software Tag-Based KASAN with GCC
    
    [ Upstream commit 894b00a3350c560990638bdf89bdf1f3d5491950 ]
    
    Per [1], -fsanitize=kernel-hwaddress with GCC currently does not disable
    instrumentation in functions with __attribute__((no_sanitize_address)).
    
    However, __attribute__((no_sanitize("hwaddress"))) does correctly
    disable instrumentation. Use it instead.
    
    Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117196 [1]
    Link: https://lore.kernel.org/r/000000000000f362e80620e27859@google.com
    Link: https://lore.kernel.org/r/ZvFGwKfoC4yVjN_X@J2N7QTR9R3
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=218854
    Reported-by: syzbot+908886656a02769af987@syzkaller.appspotmail.com
    Tested-by: Andrey Konovalov <andreyknvl@gmail.com>
    Cc: Andrew Pinski <pinskia@gmail.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Signed-off-by: Marco Elver <elver@google.com>
    Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
    Fixes: 7b861a53e46b ("kasan: Bump required compiler version")
    Link: https://lore.kernel.org/r/20241021120013.3209481-1-elver@google.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

kasan: remove vmalloc_percpu test [+ + +]
Author: Andrey Konovalov <andreyknvl@gmail.com>
Date:   Tue Oct 22 18:07:06 2024 +0200

    kasan: remove vmalloc_percpu test
    
    [ Upstream commit 330d8df81f3673d6fb74550bbc9bb159d81b35f7 ]
    
    Commit 1a2473f0cbc0 ("kasan: improve vmalloc tests") added the
    vmalloc_percpu KASAN test with the assumption that __alloc_percpu always
    uses vmalloc internally, which is tagged by KASAN.
    
    However, __alloc_percpu might allocate memory from the first per-CPU
    chunk, which is not allocated via vmalloc().  As a result, the test might
    fail.
    
    Remove the test until proper KASAN annotations for per-CPU allocations
    are added; tracked in https://bugzilla.kernel.org/show_bug.cgi?id=215019.
    
    Link: https://lkml.kernel.org/r/20241022160706.38943-1-andrey.konovalov@linux.dev
    Fixes: 1a2473f0cbc0 ("kasan: improve vmalloc tests")
    Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
    Reported-by: Samuel Holland <samuel.holland@sifive.com>
    Link: https://lore.kernel.org/all/4a245fff-cc46-44d1-a5f9-fd2f1c3764ae@sifive.com/
    Reported-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
    Link: https://lore.kernel.org/all/CACzwLxiWzNqPBp4C1VkaXZ2wDwvY3yZeetCi1TLGFipKW77drA@mail.gmail.com/
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Marco Elver <elver@google.com>
    Cc: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Linux: Linux 6.6.60 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Nov 8 16:28:28 2024 +0100

    Linux 6.6.60
    
    Link: https://lore.kernel.org/r/20241106120308.841299741@linuxfoundation.org
    Tested-by: SeongJae Park <sj@kernel.org>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Peter Schneider <pschneider1968@googlemail.com>
    Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Tested-by: Ron Economos <re@w6rz.net>
    Tested-by: Hardik Garg <hargar@linux.microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING [+ + +]
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Tue Sep 24 14:08:57 2024 +0200

    mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING
    
    [ Upstream commit b3e046c31441d182b954fc2f57b2dc38c71ad4bc ]
    
    When tracing is disabled, there is no point in asking the user about
    enabling tracing of all mac80211 debug messages.
    
    Fixes: 3fae0273168026ed ("mac80211: trace debug messages")
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Link: https://patch.msgid.link/85bbe38ce0df13350f45714e2dc288cc70947a19.1727179690.git.geert@linux-m68k.org
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
macsec: Fix use-after-free while sending the offloading packet [+ + +]
Author: Jianbo Liu <jianbol@nvidia.com>
Date:   Mon Oct 21 13:03:09 2024 +0300

    macsec: Fix use-after-free while sending the offloading packet
    
    [ Upstream commit f1e54d11b210b53d418ff1476c6b58a2f434dfc0 ]
    
    KASAN reports the following UAF. The metadata_dst, which is used to
    store the SCI value for macsec offload, is already freed by
    metadata_dst_free() in macsec_free_netdev(), while the driver still
    uses it for sending the packet.
    
    To fix this issue, dst_release() is used instead to release
    metadata_dst. So it is not freed instantly in macsec_free_netdev() if
    still referenced by skb.
    
     BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
     Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714
     [...]
     Workqueue: mld mld_ifc_work
     Call Trace:
      <TASK>
      dump_stack_lvl+0x51/0x60
      print_report+0xc1/0x600
      kasan_report+0xab/0xe0
      mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
      dev_hard_start_xmit+0x120/0x530
      sch_direct_xmit+0x149/0x11e0
      __qdisc_run+0x3ad/0x1730
      __dev_queue_xmit+0x1196/0x2ed0
      vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]
      dev_hard_start_xmit+0x120/0x530
      __dev_queue_xmit+0x14a7/0x2ed0
      macsec_start_xmit+0x13e9/0x2340
      dev_hard_start_xmit+0x120/0x530
      __dev_queue_xmit+0x14a7/0x2ed0
      ip6_finish_output2+0x923/0x1a70
      ip6_finish_output+0x2d7/0x970
      ip6_output+0x1ce/0x3a0
      NF_HOOK.constprop.0+0x15f/0x190
      mld_sendpack+0x59a/0xbd0
      mld_ifc_work+0x48a/0xa80
      process_one_work+0x5aa/0xe50
      worker_thread+0x79c/0x1290
      kthread+0x28f/0x350
      ret_from_fork+0x2d/0x70
      ret_from_fork_asm+0x11/0x20
      </TASK>
    
     Allocated by task 3922:
      kasan_save_stack+0x20/0x40
      kasan_save_track+0x10/0x30
      __kasan_kmalloc+0x77/0x90
      __kmalloc_noprof+0x188/0x400
      metadata_dst_alloc+0x1f/0x4e0
      macsec_newlink+0x914/0x1410
      __rtnl_newlink+0xe08/0x15b0
      rtnl_newlink+0x5f/0x90
      rtnetlink_rcv_msg+0x667/0xa80
      netlink_rcv_skb+0x12c/0x360
      netlink_unicast+0x551/0x770
      netlink_sendmsg+0x72d/0xbd0
      __sock_sendmsg+0xc5/0x190
      ____sys_sendmsg+0x52e/0x6a0
      ___sys_sendmsg+0xeb/0x170
      __sys_sendmsg+0xb5/0x140
      do_syscall_64+0x4c/0x100
      entry_SYSCALL_64_after_hwframe+0x4b/0x53
    
     Freed by task 4011:
      kasan_save_stack+0x20/0x40
      kasan_save_track+0x10/0x30
      kasan_save_free_info+0x37/0x50
      poison_slab_object+0x10c/0x190
      __kasan_slab_free+0x11/0x30
      kfree+0xe0/0x290
      macsec_free_netdev+0x3f/0x140
      netdev_run_todo+0x450/0xc70
      rtnetlink_rcv_msg+0x66f/0xa80
      netlink_rcv_skb+0x12c/0x360
      netlink_unicast+0x551/0x770
      netlink_sendmsg+0x72d/0xbd0
      __sock_sendmsg+0xc5/0x190
      ____sys_sendmsg+0x52e/0x6a0
      ___sys_sendmsg+0xeb/0x170
      __sys_sendmsg+0xb5/0x140
      do_syscall_64+0x4c/0x100
      entry_SYSCALL_64_after_hwframe+0x4b/0x53
    
    Fixes: 0a28bfd4971f ("net/macsec: Add MACsec skb_metadata_dst Tx Data path support")
    Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
    Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
    Reviewed-by: Chris Mi <cmi@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
    Link: https://patch.msgid.link/20241021100309.234125-1-tariqt@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mctp i2c: handle NULL header address [+ + +]
Author: Matt Johnston <matt@codeconstruct.com.au>
Date:   Tue Oct 22 18:25:14 2024 +0800

    mctp i2c: handle NULL header address
    
    [ Upstream commit 01e215975fd80af81b5b79f009d49ddd35976c13 ]
    
    daddr can be NULL if there is no neighbour table entry present; in
    that case the tx packet should be dropped.
    
    saddr will usually be set by MCTP core, but check for NULL in case a
    packet is transmitted by a different protocol.
    
    Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver")
    Cc: stable@vger.kernel.org
    Reported-by: Dung Cao <dung@os.amperecomputing.com>
    Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241022-mctp-i2c-null-dest-v3-1-e929709956c5@codeconstruct.com.au
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mei: use kvmalloc for read buffer [+ + +]
Author: Alexander Usyskin <alexander.usyskin@intel.com>
Date:   Tue Oct 15 15:31:57 2024 +0300

    mei: use kvmalloc for read buffer
    
    [ Upstream commit 4adf613e01bf99e1739f6ff3e162ad5b7d578d1a ]
    
    Read buffer is allocated according to max message size, reported by
    the firmware and may reach 64K in systems with pxp client.
    Contiguous 64k allocation may fail under memory pressure.
    Read buffer is used as in-driver message storage and not required
    to be contiguous.
    Use kvmalloc to allow the kernel to allocate non-contiguous memory.
    
    Fixes: 3030dc056459 ("mei: add wrapper for queuing control commands.")
    Cc: stable <stable@kernel.org>
    Reported-by: Rohit Agarwal <rohiagar@chromium.org>
    Closes: https://lore.kernel.org/all/20240813084542.2921300-1-rohiagar@chromium.org/
    Tested-by: Brian Geffon <bgeffon@google.com>
    Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
    Acked-by: Tomas Winkler <tomasw@gmail.com>
    Link: https://lore.kernel.org/r/20241015123157.2337026-1-alexander.usyskin@intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
misc: sgi-gru: Don't disable preemption in GRU driver [+ + +]
Author: Dimitri Sivanich <sivanich@hpe.com>
Date:   Thu Sep 19 07:34:50 2024 -0500

    misc: sgi-gru: Don't disable preemption in GRU driver
    
    [ Upstream commit b983b271662bd6104d429b0fd97af3333ba760bf ]
    
    Disabling preemption in the GRU driver is unnecessary, and clashes with
    sleeping locks in several code paths.  Remove preempt_disable and
    preempt_enable from the GRU driver.
    
    Signed-off-by: Dimitri Sivanich <sivanich@hpe.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address [+ + +]
Author: Ido Schimmel <idosch@nvidia.com>
Date:   Fri Oct 25 16:26:28 2024 +0200

    mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
    
    [ Upstream commit 12ae97c531fcd3bfd774d4dfeaeac23eafe24280 ]
    
    The device stores IPv6 addresses that are used for encapsulation in
    linear memory that is managed by the driver.
    
    Changing the remote address of an ip6gre net device never worked
    properly, but since cited commit the following reproducer [1] would
    result in a warning [2] and a memory leak [3]. The problem is that the
    new remote address is never added by the driver to its hash table (and
    therefore the device) and the old address is never removed from it.
    
    Fix by programming the new address when the configuration of the ip6gre
    net device changes and removing the old one. If the address did not
    change, then the above would result in increasing the reference count of
    the address and then decreasing it.
    
    [1]
     # ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit
     # ip link set dev bla type ip6gre remote 2001:db8:3::1
     # ip link del dev bla
     # devlink dev reload pci/0000:01:00.0
    
    [2]
    WARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0
    Modules linked in:
    CPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151
    Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
    RIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0
    [...]
    Call Trace:
     <TASK>
     mlxsw_sp_router_netdevice_event+0x55f/0x1240
     notifier_call_chain+0x5a/0xd0
     call_netdevice_notifiers_info+0x39/0x90
     unregister_netdevice_many_notify+0x63e/0x9d0
     rtnl_dellink+0x16b/0x3a0
     rtnetlink_rcv_msg+0x142/0x3f0
     netlink_rcv_skb+0x50/0x100
     netlink_unicast+0x242/0x390
     netlink_sendmsg+0x1de/0x420
     ____sys_sendmsg+0x2bd/0x320
     ___sys_sendmsg+0x9a/0xe0
     __sys_sendmsg+0x7a/0xd0
     do_syscall_64+0x9e/0x1a0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    [3]
    unreferenced object 0xffff898081f597a0 (size 32):
      comm "ip", pid 1626, jiffies 4294719324
      hex dump (first 32 bytes):
        20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01   ...............
        21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00  !Ia.............
      backtrace (crc fd9be911):
        [<00000000df89c55d>] __kmalloc_cache_noprof+0x1da/0x260
        [<00000000ff2a1ddb>] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340
        [<000000009ddd445d>] mlxsw_sp_router_netdevice_event+0x47b/0x1240
        [<00000000743e7757>] notifier_call_chain+0x5a/0xd0
        [<000000007c7b9e13>] call_netdevice_notifiers_info+0x39/0x90
        [<000000002509645d>] register_netdevice+0x5f7/0x7a0
        [<00000000c2e7d2a9>] ip6gre_newlink_common.isra.0+0x65/0x130
        [<0000000087cd6d8d>] ip6gre_newlink+0x72/0x120
        [<000000004df7c7cc>] rtnl_newlink+0x471/0xa20
        [<0000000057ed632a>] rtnetlink_rcv_msg+0x142/0x3f0
        [<0000000032e0d5b5>] netlink_rcv_skb+0x50/0x100
        [<00000000908bca63>] netlink_unicast+0x242/0x390
        [<00000000cdbe1c87>] netlink_sendmsg+0x1de/0x420
        [<0000000011db153e>] ____sys_sendmsg+0x2bd/0x320
        [<000000003b6d53eb>] ___sys_sendmsg+0x9a/0xe0
        [<00000000cae27c62>] __sys_sendmsg+0x7a/0xd0
    
    Fixes: cf42911523e0 ("mlxsw: spectrum_ipip: Use common hash table for IPv6 address mapping")
    Reported-by: Maksym Yaremchuk <maksymy@nvidia.com>
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Reviewed-by: Petr Machata <petrm@nvidia.com>
    Signed-off-by: Petr Machata <petrm@nvidia.com>
    Link: https://patch.msgid.link/e91012edc5a6cb9df37b78fd377f669381facfcb.1729866134.git.petrm@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

mlxsw: spectrum_ptp: Add missing verification before pushing Tx header [+ + +]
Author: Amit Cohen <amcohen@nvidia.com>
Date:   Fri Oct 25 16:26:25 2024 +0200

    mlxsw: spectrum_ptp: Add missing verification before pushing Tx header
    
    [ Upstream commit 0a66e5582b5102c4d7b866b977ff7c850c1174ce ]
    
    Tx header should be pushed for each packet which is transmitted via
    Spectrum ASICs. The cited commit moved the call to skb_cow_head() from
    mlxsw_sp_port_xmit() to functions which handle Tx header.
    
    In case that mlxsw_sp->ptp_ops->txhdr_construct() is used to handle Tx
    header, and txhdr_construct() is mlxsw_sp_ptp_txhdr_construct(), there is
    no call for skb_cow_head() before pushing Tx header size to SKB. This flow
    is relevant for Spectrum-1 and Spectrum-4, for PTP packets.
    
    Add the missing call to skb_cow_head() to make sure that there is both
    enough room to push the Tx header and that the SKB header is not cloned and
    can be modified.
    
    An additional set will be sent to net-next to centralize the handling of
    the Tx header by pushing it to every packet just before transmission.
    
    Cc: Richard Cochran <richardcochran@gmail.com>
    Fixes: 24157bc69f45 ("mlxsw: Send PTP packets as data packets to overcome a limitation")
    Signed-off-by: Amit Cohen <amcohen@nvidia.com>
    Signed-off-by: Petr Machata <petrm@nvidia.com>
    Link: https://patch.msgid.link/5145780b07ebbb5d3b3570f311254a3a2d554a44.1729866134.git.petrm@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves [+ + +]
Author: Matt Fleming <mfleming@cloudflare.com>
Date:   Fri Oct 11 13:07:37 2024 +0100

    mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves
    
    [ Upstream commit 281dd25c1a018261a04d1b8bf41a0674000bfe38 ]
    
    Under memory pressure it's possible for GFP_ATOMIC order-0 allocations to
    fail even though free pages are available in the highatomic reserves.
    GFP_ATOMIC allocations cannot trigger unreserve_highatomic_pageblock()
    since it's only run from reclaim.
    
    Given that such allocations will pass the watermarks in
    __zone_watermark_unusable_free(), it makes sense to fall back to highatomic
    reserves the same way that ALLOC_OOM can.
    
    This fixes order-0 page allocation failures observed on Cloudflare's fleet
    when handling network packets:
    
      kswapd1: page allocation failure: order:0, mode:0x820(GFP_ATOMIC),
      nodemask=(null),cpuset=/,mems_allowed=0-7
      CPU: 10 PID: 696 Comm: kswapd1 Kdump: loaded Tainted: G           O 6.6.43-CUSTOM #1
      Hardware name: MACHINE
      Call Trace:
       <IRQ>
       dump_stack_lvl+0x3c/0x50
       warn_alloc+0x13a/0x1c0
       __alloc_pages_slowpath.constprop.0+0xc9d/0xd10
       __alloc_pages+0x327/0x340
       __napi_alloc_skb+0x16d/0x1f0
       bnxt_rx_page_skb+0x96/0x1b0 [bnxt_en]
       bnxt_rx_pkt+0x201/0x15e0 [bnxt_en]
       __bnxt_poll_work+0x156/0x2b0 [bnxt_en]
       bnxt_poll+0xd9/0x1c0 [bnxt_en]
       __napi_poll+0x2b/0x1b0
       bpf_trampoline_6442524138+0x7d/0x1000
       __napi_poll+0x5/0x1b0
       net_rx_action+0x342/0x740
       handle_softirqs+0xcf/0x2b0
       irq_exit_rcu+0x6c/0x90
       sysvec_apic_timer_interrupt+0x72/0x90
       </IRQ>
    
    [mfleming@cloudflare.com: update comment]
      Link: https://lkml.kernel.org/r/20241015125158.3597702-1-matt@readmodwrite.com
    Link: https://lkml.kernel.org/r/20241011120737.3300370-1-matt@readmodwrite.com
    Link: https://lore.kernel.org/all/CAGis_TWzSu=P7QJmjD58WWiu3zjMTVKSzdOwWE8ORaGytzWJwQ@mail.gmail.com/
    Fixes: 1d91df85f399 ("mm/page_alloc: handle a missing case for memalloc_nocma_{save/restore} APIs")
    Signed-off-by: Matt Fleming <mfleming@cloudflare.com>
    Suggested-by: Vlastimil Babka <vbabka@suse.cz>
    Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
    Cc: Mel Gorman <mgorman@techsingularity.net>
    Cc: Michal Hocko <mhocko@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mm: don't install PMD mappings when THPs are disabled by the hw/process/vma [+ + +]
Author: David Hildenbrand <david@redhat.com>
Date:   Fri Oct 11 12:24:45 2024 +0200

    mm: don't install PMD mappings when THPs are disabled by the hw/process/vma
    
    commit 2b0f922323ccfa76219bcaacd35cd50aeaa13592 upstream.
    
    We (or rather, readahead logic :) ) might be allocating a THP in the
    pagecache and then try mapping it into a process that explicitly disabled
    THP: we might end up installing PMD mappings.
    
    This is a problem for s390x KVM, which explicitly remaps all PMD-mapped
    THPs to be PTE-mapped in s390_enable_sie()->thp_split_mm(), before
    starting the VM.
    
    For example, starting a VM backed on a file system with large folios
    supported makes the VM crash when the VM tries accessing such a mapping
    using KVM.
    
    Is it also a problem when the HW disabled THP using
    TRANSPARENT_HUGEPAGE_UNSUPPORTED?  At least on x86 this would be the case
    without X86_FEATURE_PSE.
    
    In the future, we might be able to do better on s390x and only disallow
    PMD mappings -- what s390x and likely TRANSPARENT_HUGEPAGE_UNSUPPORTED
    really wants.  For now, fix it by essentially performing the same check as
    would be done in __thp_vma_allowable_orders() or in shmem code, where this
    works as expected, and disallow PMD mappings, making us fallback to PTE
    mappings.
    
    Link: https://lkml.kernel.org/r/20241011102445.934409-3-david@redhat.com
    Fixes: 793917d997df ("mm/readahead: Add large folio readahead")
    Signed-off-by: David Hildenbrand <david@redhat.com>
    Reported-by: Leo Fu <bfu@redhat.com>
    Tested-by: Thomas Huth <thuth@redhat.com>
    Cc: Thomas Huth <thuth@redhat.com>
    Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
    Cc: Ryan Roberts <ryan.roberts@arm.com>
    Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
    Cc: Janosch Frank <frankja@linux.ibm.com>
    Cc: Claudio Imbrenda <imbrenda@linux.ibm.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: David Hildenbrand <david@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw() [+ + +]
Author: Kefeng Wang <wangkefeng.wang@huawei.com>
Date:   Fri Oct 11 12:24:44 2024 +0200

    mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw()
    
    commit 963756aac1f011d904ddd9548ae82286d3a91f96 upstream.
    
    Patch series "mm: don't install PMD mappings when THPs are disabled by the
    hw/process/vma".
    
    During testing, it was found that we can get PMD mappings in processes
    where THP (and more precisely, PMD mappings) are supposed to be disabled.
    While it works as expected for anon+shmem, the pagecache is the
    problematic bit.
    
    For s390 KVM this currently means that a VM backed by a file located on
    filesystem with large folio support can crash when KVM tries accessing the
    problematic page, because the readahead logic might decide to use a
    PMD-sized THP and faulting it into the page tables will install a PMD
    mapping, something that s390 KVM cannot tolerate.
    
    This might also be a problem with HW that does not support PMD mappings,
    but I did not try reproducing it.
    
    Fix it by respecting the ways to disable THPs when deciding whether we can
    install a PMD mapping.  khugepaged should already be taking care of not
    collapsing if THPs are effectively disabled for the hw/process/vma.
    
    
    This patch (of 2):
    
    Add vma_thp_disabled() and thp_disabled_by_hw() helpers to be shared by
    shmem_allowable_huge_orders() and __thp_vma_allowable_orders().
    
    [david@redhat.com: rename to vma_thp_disabled(), split out thp_disabled_by_hw() ]
    Link: https://lkml.kernel.org/r/20241011102445.934409-2-david@redhat.com
    Fixes: 793917d997df ("mm/readahead: Add large folio readahead")
    Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
    Signed-off-by: David Hildenbrand <david@redhat.com>
    Reported-by: Leo Fu <bfu@redhat.com>
    Tested-by: Thomas Huth <thuth@redhat.com>
    Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
    Cc: Boqiao Fu <bfu@redhat.com>
    Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
    Cc: Claudio Imbrenda <imbrenda@linux.ibm.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Janosch Frank <frankja@linux.ibm.com>
    Cc: Matthew Wilcox <willy@infradead.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: David Hildenbrand <david@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mm: shmem: fix data-race in shmem_getattr() [+ + +]
Author: Jeongjun Park <aha310510@gmail.com>
Date:   Mon Sep 9 21:35:58 2024 +0900

    mm: shmem: fix data-race in shmem_getattr()
    
    commit d949d1d14fa281ace388b1de978e8f2cd52875cf upstream.
    
    I got the following KCSAN report during syzbot testing:
    
    ==================================================================
    BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current
    
    write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1:
     inode_set_ctime_to_ts include/linux/fs.h:1638 [inline]
     inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626
     shmem_mknod+0x117/0x180 mm/shmem.c:3443
     shmem_create+0x34/0x40 mm/shmem.c:3497
     lookup_open fs/namei.c:3578 [inline]
     open_last_lookups fs/namei.c:3647 [inline]
     path_openat+0xdbc/0x1f00 fs/namei.c:3883
     do_filp_open+0xf7/0x200 fs/namei.c:3913
     do_sys_openat2+0xab/0x120 fs/open.c:1416
     do_sys_open fs/open.c:1431 [inline]
     __do_sys_openat fs/open.c:1447 [inline]
     __se_sys_openat fs/open.c:1442 [inline]
     __x64_sys_openat+0xf3/0x120 fs/open.c:1442
     x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0:
     inode_get_ctime_nsec include/linux/fs.h:1623 [inline]
     inode_get_ctime include/linux/fs.h:1629 [inline]
     generic_fillattr+0x1dd/0x2f0 fs/stat.c:62
     shmem_getattr+0x17b/0x200 mm/shmem.c:1157
     vfs_getattr_nosec fs/stat.c:166 [inline]
     vfs_getattr+0x19b/0x1e0 fs/stat.c:207
     vfs_statx_path fs/stat.c:251 [inline]
     vfs_statx+0x134/0x2f0 fs/stat.c:315
     vfs_fstatat+0xec/0x110 fs/stat.c:341
     __do_sys_newfstatat fs/stat.c:505 [inline]
     __se_sys_newfstatat+0x58/0x260 fs/stat.c:499
     __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499
     x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    value changed: 0x2755ae53 -> 0x27ee44d3
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
    ==================================================================
    
    When calling generic_fillattr(), if you don't hold the read lock, a data
    race will occur on inode member variables, which can cause unexpected
    behavior.
    
    Since there is no special protection when shmem_getattr() calls
    generic_fillattr(), a data race occurs with functions such as shmem_unlink()
    or shmem_mknod(). This can cause unexpected results, so commenting it out
    is not enough.
    
    Therefore, when calling generic_fillattr() from shmem_getattr(), it is
    appropriate to protect the inode using inode_lock_shared() and
    inode_unlock_shared() to prevent data-race.
    
    Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com
    Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat")
    Signed-off-by: Jeongjun Park <aha310510@gmail.com>
    Reported-by: syzbot <syzkaller@googlegroup.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Yu Zhao <yuzhao@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mmc: sdhci-pci-gli: GL9767: Fix low power mode in the SD Express process [+ + +]
Author: Ben Chuang <ben.chuang@genesyslogic.com.tw>
Date:   Fri Oct 25 14:00:17 2024 +0800

    mmc: sdhci-pci-gli: GL9767: Fix low power mode in the SD Express process
    
    commit c4dedaaeb3f78d3718e9c1b1e4d972a6b99073cd upstream.
    
    When starting the SD Express process, the low power negotiation mode will
    be disabled, so we need to re-enable it after switching back to SD mode.
    
    Fixes: 0e92aec2efa0 ("mmc: sdhci-pci-gli: Add support SD Express card for GL9767")
    Signed-off-by: Ben Chuang <ben.chuang@genesyslogic.com.tw>
    Cc: stable@vger.kernel.org
    Message-ID: <20241025060017.1663697-2-benchuanggli@gmail.com>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mmc: sdhci-pci-gli: GL9767: Fix low power mode on the set clock function [+ + +]
Author: Ben Chuang <ben.chuang@genesyslogic.com.tw>
Date:   Fri Oct 25 14:00:16 2024 +0800

    mmc: sdhci-pci-gli: GL9767: Fix low power mode on the set clock function
    
    commit 8c68b5656e55e9324875881f1000eb4ee3603a87 upstream.
    
    On sdhci_gl9767_set_clock(), the vendor header space (VHS) is read-only
    after calling gl9767_disable_ssc_pll() and gl9767_set_ssc_pll_205mhz().
    So the low power negotiation mode cannot be enabled again.
    Introduce gl9767_set_low_power_negotiation() function to fix it.
    
    The explanation process is as below.
    
    static void sdhci_gl9767_set_clock()
    {
            ...
            gl9767_vhs_write();
            ...
            value |= PCIE_GLI_9767_CFG_LOW_PWR_OFF;
            pci_write_config_dword(pdev, PCIE_GLI_9767_CFG, value); <--- (a)
    
            gl9767_disable_ssc_pll(); <--- (b)
            sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
    
            if (clock == 0)
                    return;  <-- (I)
    
            ...
            if (clock == 200000000 && ios->timing == MMC_TIMING_UHS_SDR104) {
                    ...
                    gl9767_set_ssc_pll_205mhz(); <--- (c)
            }
            ...
            value &= ~PCIE_GLI_9767_CFG_LOW_PWR_OFF;
            pci_write_config_dword(pdev, PCIE_GLI_9767_CFG, value); <-- (II)
            gl9767_vhs_read();
    }
    
    (a) disables low power negotiation mode. When returning at (I), the low power
    mode stays disabled.  After (b) and (c), VHS is read-only, so the low power mode
    cannot be enabled at (II).
    
    Reported-by: Georg Gottleuber <ggo@tuxedocomputers.com>
    Fixes: d2754355512e ("mmc: sdhci-pci-gli: Set SDR104's clock to 205MHz and enable SSC for GL9767")
    Signed-off-by: Ben Chuang <ben.chuang@genesyslogic.com.tw>
    Tested-by: Georg Gottleuber <ggo@tuxedocomputers.com>
    Cc: stable@vger.kernel.org
    Message-ID: <20241025060017.1663697-1-benchuanggli@gmail.com>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mptcp: init: protect sched with rcu_read_lock [+ + +]
Author: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Date:   Mon Oct 21 12:25:26 2024 +0200

    mptcp: init: protect sched with rcu_read_lock
    
    [ Upstream commit 3deb12c788c385e17142ce6ec50f769852fcec65 ]
    
    Enabling CONFIG_PROVE_RCU_LIST with its dependency CONFIG_RCU_EXPERT
    creates this splat when an MPTCP socket is created:
    
      =============================
      WARNING: suspicious RCU usage
      6.12.0-rc2+ #11 Not tainted
      -----------------------------
      net/mptcp/sched.c:44 RCU-list traversed in non-reader section!!
    
      other info that might help us debug this:
    
      rcu_scheduler_active = 2, debug_locks = 1
      no locks held by mptcp_connect/176.
    
      stack backtrace:
      CPU: 0 UID: 0 PID: 176 Comm: mptcp_connect Not tainted 6.12.0-rc2+ #11
      Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      Call Trace:
       <TASK>
       dump_stack_lvl (lib/dump_stack.c:123)
       lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
       mptcp_sched_find (net/mptcp/sched.c:44 (discriminator 7))
       mptcp_init_sock (net/mptcp/protocol.c:2867 (discriminator 1))
       ? sock_init_data_uid (arch/x86/include/asm/atomic.h:28)
       inet_create.part.0.constprop.0 (net/ipv4/af_inet.c:386)
       ? __sock_create (include/linux/rcupdate.h:347 (discriminator 1))
       __sock_create (net/socket.c:1576)
       __sys_socket (net/socket.c:1671)
       ? __pfx___sys_socket (net/socket.c:1712)
       ? do_user_addr_fault (arch/x86/mm/fault.c:1419 (discriminator 1))
       __x64_sys_socket (net/socket.c:1728)
       do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1))
       entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
    
    That's because when the socket is initialised, rcu_read_lock() is not
    used despite the explicit comment written above the declaration of
    mptcp_sched_find() in sched.c. Adding the missing lock/unlock avoids the
    warning.
    
    Fixes: 1730b2b2c5a5 ("mptcp: add sched in mptcp_sock")
    Cc: stable@vger.kernel.org
    Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/523
    Reviewed-by: Geliang Tang <geliang@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241021-net-mptcp-sched-lock-v1-1-637759cf061c@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mtd: spi-nor: winbond: fix w25q128 regression [+ + +]
Author: Michael Walle <mwalle@kernel.org>
Date:   Fri Jun 21 14:09:29 2024 +0200

    mtd: spi-nor: winbond: fix w25q128 regression
    
    commit d35df77707bf5ae1221b5ba1c8a88cf4fcdd4901 upstream.
    
    Commit 83e824a4a595 ("mtd: spi-nor: Correct flags for Winbond w25q128")
    removed the flags for non-SFDP devices. It was assumed that it wasn't in
    use anymore. This wasn't true. Add the no_sfdp_flags as well as the size
    again.
    
    We add the additional flags for dual and quad read because they have
    been reported to work properly by Hartmut using both older and newer
    versions of this flash, the similar flashes with 64Mbit and 256Mbit
    already have these flags and because it will (luckily) trigger our
    legacy SFDP parsing, so newer versions with SFDP support will still get
    the parameters from the SFDP tables.
    
    Reported-by: Hartmut Birr <e9hack@gmail.com>
    Closes: https://lore.kernel.org/r/CALxbwRo_-9CaJmt7r7ELgu+vOcgk=xZcGHobnKf=oT2=u4d4aA@mail.gmail.com/
    Fixes: 83e824a4a595 ("mtd: spi-nor: Correct flags for Winbond w25q128")
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Michael Walle <mwalle@kernel.org>
    Acked-by: Tudor Ambarus <tudor.ambarus@linaro.org>
    Reviewed-by: Esben Haabendal <esben@geanix.com>
    Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
    Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
    Link: https://lore.kernel.org/r/20240621120929.2670185-1-mwalle@kernel.org
    Link: https://lore.kernel.org/r/20240621120929.2670185-1-mwalle@kernel.org
    [Backported to v6.6 - vastly different due to upstream changes]
    Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT [+ + +]
Author: Pedro Tammela <pctammela@mojatatu.com>
Date:   Thu Oct 24 12:55:47 2024 -0400

    net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
    
    [ Upstream commit 2e95c4384438adeaa772caa560244b1a2efef816 ]
    
    In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
    to be either root or ingress. This assumption is bogus since it's valid
    to create egress qdiscs with major handle ffff:.
    Budimir Markovic found that for qdiscs like DRR that maintain an active
    class list, it will cause a UAF with a dangling class pointer.
    
    In 066a3b5b2346, the concern was to avoid iterating over the ingress
    qdisc since its parent is itself. The proper fix is to stop when parent
    TC_H_ROOT is reached because the only way to retrieve ingress is when a
    hierarchy which does not contain a ffff: major handle calls into
    qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
    
    In the scenario where major ffff: is an egress qdisc in any of the tree
    levels, the updates will also propagate to TC_H_ROOT, at which point the
    iteration must stop.
    
    Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop")
    Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
    Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Tested-by: Victor Nogueira <victor@mojatatu.com>
    Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
    Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
    
     net/sched/sch_api.c | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    Reviewed-by: Simon Horman <horms@kernel.org>
    
    Link: https://patch.msgid.link/20241024165547.418570-1-jhs@mojatatu.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: amd: mvme147: Fix probe banner message [+ + +]
Author: Daniel Palmer <daniel@0x0f.com>
Date:   Mon Oct 7 19:43:17 2024 +0900

    net: amd: mvme147: Fix probe banner message
    
    [ Upstream commit 82c5b53140faf89c31ea2b3a0985a2f291694169 ]
    
    Currently this driver prints this line with what looks like
    a rogue format specifier when the device is probed:
    [    2.840000] eth%d: MVME147 at 0xfffe1800, irq 12, Hardware Address xx:xx:xx:xx:xx:xx
    
    Change the printk() for netdev_info() and move it after the
    registration has completed so it prints out the name of the
    interface properly.
    
    Signed-off-by: Daniel Palmer <daniel@0x0f.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: fix crash when config small gso_max_size/gso_ipv4_max_size [+ + +]
Author: Wang Liang <wangliang74@huawei.com>
Date:   Wed Oct 23 11:52:13 2024 +0800

    net: fix crash when config small gso_max_size/gso_ipv4_max_size
    
    [ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ]
    
    Configuring a small gso_max_size/gso_ipv4_max_size will lead to an underflow
    in sk_dst_gso_max_size(), which may trigger a BUG_ON crash,
    because sk->sk_gso_max_size would be much bigger than device limits.
    Call Trace:
    tcp_write_xmit
        tso_segs = tcp_init_tso_segs(skb, mss_now);
            tcp_set_skb_tso_segs
                tcp_skb_pcount_set
                    // skb->len = 524288, mss_now = 8
                    // u16 tso_segs = 524288/8 = 65535 -> 0
                    tso_segs = DIV_ROUND_UP(skb->len, mss_now)
        BUG_ON(!tso_segs)
    Add a check for the minimum value of gso_max_size and gso_ipv4_max_size.
    
    Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation")
    Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
    Signed-off-by: Wang Liang <wangliang74@huawei.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
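The failure chain in this commit message (a too-small configured value, an unsigned underflow on the socket-side limit, then a u16 segment count wrapping to zero at a BUG_ON) as a constructed C model; this is an added example, not kernel code, and the header overhead, minimum size and device limit it uses are assumed placeholders rather than the kernel's constants.

```c
/*
 * Constructed model (added example, not kernel code) of the arithmetic the
 * commit message describes: subtracting per-packet overhead from a tiny
 * gso_max_size wraps around in unsigned arithmetic, the resulting huge
 * limit lets a large skb be built, and the u16 segment count in
 * tcp_skb_pcount_set() then wraps to zero. The constants below are
 * assumed placeholders, not the kernel's values.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Assumed per-packet overhead subtracted in the model of sk_dst_gso_max_size(). */
#define MODEL_HDR_OVERHEAD   320U
/* Assumed lower bound enforced at configuration time (placeholder value). */
#define MODEL_GSO_MIN_SIZE   (MODEL_HDR_OVERHEAD + 1)
/* Assumed device limit used by the validation below (placeholder value). */
#define MODEL_DEV_MAX        65536U

/* Model of the socket-side limit: subtracting overhead from a value smaller
 * than the overhead wraps around instead of clamping, so the socket ends up
 * with a limit far above what the device can handle. */
static uint32_t model_sk_gso_max_size(uint32_t gso_max_size)
{
    return gso_max_size - MODEL_HDR_OVERHEAD;  /* wraps when gso_max_size < overhead */
}

/* Model of tcp_skb_pcount_set(): the segment count is stored in a u16, so
 * 524288 / 8 = 65536 is truncated to 0. */
static uint16_t model_tso_segs(uint32_t skb_len, uint32_t mss_now)
{
    return (uint16_t)DIV_ROUND_UP(skb_len, mss_now);
}

/* Returns 1 if BUG_ON(!tso_segs) in the model would fire for this skb/mss pair. */
static int model_tso_bug_on_fires(uint32_t skb_len, uint32_t mss_now)
{
    return model_tso_segs(skb_len, mss_now) == 0;
}

/* Model of the fix: reject out-of-range values at the configuration
 * boundary, before any downstream arithmetic sees them.
 * Returns 0 on success, -EINVAL otherwise. */
static int model_validate_gso_max_size(uint32_t requested)
{
    if (requested < MODEL_GSO_MIN_SIZE || requested > MODEL_DEV_MAX)
        return -EINVAL;
    return 0;
}

int main(void)
{
    uint32_t tiny = 8;  /* constructed: a gso_max_size far below any header size */

    printf("gso_max_size=%u -> modelled sk_gso_max_size=%u (wrapped)\n",
           tiny, model_sk_gso_max_size(tiny));
    printf("skb_len=524288 mss=8 -> tso_segs=%u, BUG_ON fires=%d\n",
           model_tso_segs(524288, 8), model_tso_bug_on_fires(524288, 8));
    printf("validate(%u)=%d validate(%u)=%d\n",
           tiny, model_validate_gso_max_size(tiny),
           1500, model_validate_gso_max_size(1500));
    return 0;
}
```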

net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension [+ + +]
Author: Benoît Monin <benoit.monin@gmx.fr>
Date:   Thu Oct 24 16:01:54 2024 +0200

    net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension
    
    [ Upstream commit 04c20a9356f283da623903e81e7c6d5df7e4dc3c ]
    
    As documented in skbuff.h, devices with NETIF_F_IPV6_CSUM capability
    can only checksum TCP and UDP over IPv6 if the IP header does not
    contain extensions.
    
    This is enforced for UDP packets emitted from user-space to an IPv6
    address as they go through ip6_make_skb(), which calls
    __ip6_append_data() where a check is done on the header size before
    setting CHECKSUM_PARTIAL.
    
    But the introduction of UDP encapsulation with fou6 added a code-path
    where it is possible to get an skb with a partial UDP checksum and an
    IPv6 header with extension:
    * fou6 adds a UDP header with a partial checksum if the inner packet
    does not contain a valid checksum.
    * ip6_tunnel adds an IPv6 header with a destination option extension
    header if encap_limit is non-zero (the default value is 4).
    
    The thread linked below describes in more details how to reproduce the
    problem with GRE-in-UDP tunnel.
    
    Add a check on the network header size in skb_csum_hwoffload_help() to
    make sure no IPv6 packet with extension header is handed to a network
    device with NETIF_F_IPV6_CSUM capability.
    
    Link: https://lore.kernel.org/netdev/26548921.1r3eYUQgxm@benoit.monin/T/#u
    Fixes: aa3463d65e7b ("fou: Add encap ops for IPv6 tunnels")
    Signed-off-by: Benoît Monin <benoit.monin@gmx.fr>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Link: https://patch.msgid.link/5fbeecfc311ea182aa1d1c771725ab8b4cac515e.1729778144.git.benoit.monin@gmx.fr
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: stmmac: dwmac4: Fix high address display by updating reg_space[] from register values [+ + +]
Author: Ley Foon Tan <leyfoon.tan@starfivetech.com>
Date:   Mon Oct 21 13:46:25 2024 +0800

    net: stmmac: dwmac4: Fix high address display by updating reg_space[] from register values
    
    [ Upstream commit f84ef58e553206b02d06e02158c98fbccba25d19 ]
    
    The high address will display as 0 if the driver does not set the
    reg_space[]. To fix this, read the high address registers and
    update the reg_space[] accordingly.
    
    Fixes: fbf68229ffe7 ("net: stmmac: unify registers dumps methods")
    Signed-off-by: Ley Foon Tan <leyfoon.tan@starfivetech.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241021054625.1791965-1-leyfoon.tan@starfivetech.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data [+ + +]
Author: Furong Xu <0x1207@gmail.com>
Date:   Mon Oct 21 14:10:23 2024 +0800

    net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data
    
    [ Upstream commit 66600fac7a984dea4ae095411f644770b2561ede ]
    
    In case the non-paged data of a SKB carries protocol header and protocol
    payload to be transmitted on a certain platform that the DMA AXI address
    width is configured to 40-bit/48-bit, or the size of the non-paged data
    is bigger than TSO_MAX_BUFF_SIZE on a certain platform that the DMA AXI
    address width is configured to 32-bit, then this SKB requires at least
    two DMA transmit descriptors to serve it.
    
    For example, three descriptors are allocated to split one DMA buffer
    mapped from one piece of non-paged data:
        dma_desc[N + 0],
        dma_desc[N + 1],
        dma_desc[N + 2].
    Then three elements of tx_q->tx_skbuff_dma[] will be allocated to hold
    extra information to be reused in stmmac_tx_clean():
        tx_q->tx_skbuff_dma[N + 0],
        tx_q->tx_skbuff_dma[N + 1],
        tx_q->tx_skbuff_dma[N + 2].
    Now we focus on tx_q->tx_skbuff_dma[entry].buf, which is the DMA buffer
    address returned by DMA mapping call. stmmac_tx_clean() will try to
    unmap the DMA buffer _ONLY_IF_ tx_q->tx_skbuff_dma[entry].buf
    is a valid buffer address.
    
    The expected behavior that saves DMA buffer address of this non-paged
    data to tx_q->tx_skbuff_dma[entry].buf is:
        tx_q->tx_skbuff_dma[N + 0].buf = NULL;
        tx_q->tx_skbuff_dma[N + 1].buf = NULL;
        tx_q->tx_skbuff_dma[N + 2].buf = dma_map_single();
    Unfortunately, the current code misbehaves like this:
        tx_q->tx_skbuff_dma[N + 0].buf = dma_map_single();
        tx_q->tx_skbuff_dma[N + 1].buf = NULL;
        tx_q->tx_skbuff_dma[N + 2].buf = NULL;
    
    On the stmmac_tx_clean() side, when dma_desc[N + 0] is closed by the
    DMA engine, tx_q->tx_skbuff_dma[N + 0].buf is a valid buffer address
    obviously, then the DMA buffer will be unmapped immediately.
    There may be a rare case that the DMA engine has not finished the
    pending dma_desc[N + 1], dma_desc[N + 2] yet. Now things will go
    horribly wrong: DMA is going to access an unmapped/unreferenced memory
    region, corrupted data will be transmitted or an IOMMU fault will be
    triggered :(
    
    In contrast, the for-loop that maps SKB fragments behaves perfectly
    as expected, and that is actually how the driver should behave for both
    non-paged data and paged frags.
    
    This patch corrects DMA map/unmap sequences by fixing the array index
    for tx_q->tx_skbuff_dma[entry].buf when assigning DMA buffer address.
    
    Tested and verified on DWXGMAC CORE 3.20a
    
    Reported-by: Suraj Jaiswal <quic_jsuraj@quicinc.com>
    Fixes: f748be531d70 ("stmmac: support new GMAC4")
    Signed-off-by: Furong Xu <0x1207@gmail.com>
    Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241021061023.2162701-1-0x1207@gmail.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
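A user-space model of the tx_skbuff_dma[] bookkeeping the commit describes, added here as an example and not taken from the stmmac driver; the ring size, the function names and the constructed DMA address are assumptions. It shows why recording the mapping on the first descriptor of a split lets the cleanup path unmap the buffer while later descriptors are still pending, whereas recording it on the last descriptor defers the unmap until the whole split is closed.

```c
/*
 * Added example (not stmmac driver code): a model of tx_skbuff_dma[]
 * bookkeeping for one non-paged buffer split across several descriptors.
 * Ring size, names and the DMA address below are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define RING_SIZE 8

struct tx_dma_info {
    uintptr_t buf;  /* DMA address, or 0 when this entry owns no mapping */
    size_t len;
};

struct tx_ring {
    struct tx_dma_info info[RING_SIZE];
    bool pending[RING_SIZE];  /* true until the DMA engine closes the entry */
};

static void ring_init(struct tx_ring *r)
{
    for (int i = 0; i < RING_SIZE; i++) {
        r->info[i].buf = 0;
        r->info[i].len = 0;
        r->pending[i] = false;
    }
}

/*
 * Spread one mapped buffer over nsegs descriptors starting at 'first'.
 * The commit's bug is which tx_skbuff_dma[] element records the mapping:
 * the buggy code stores it at the first descriptor, the fix at the last.
 */
static void tx_fill(struct tx_ring *r, int first, int nsegs,
                    uintptr_t dma, size_t len, bool fixed)
{
    for (int i = 0; i < nsegs; i++) {
        int entry = (first + i) % RING_SIZE;
        r->info[entry].buf = 0;
        r->info[entry].len = 0;
        r->pending[entry] = true;
    }
    int owner = fixed ? (first + nsegs - 1) % RING_SIZE : first % RING_SIZE;
    r->info[owner].buf = dma;
    r->info[owner].len = len;
}

/* The DMA engine closes n descriptors in ring order, starting at 'first'. */
static void dma_close(struct tx_ring *r, int first, int n)
{
    for (int i = 0; i < n; i++)
        r->pending[(first + i) % RING_SIZE] = false;
}

/*
 * Mirror of the stmmac_tx_clean() rule quoted in the commit: unmap ONLY
 * when the entry is closed and .buf is a valid address. Returns the number
 * of mappings released (a real driver would call dma_unmap_single() here).
 */
static int tx_clean(struct tx_ring *r)
{
    int unmapped = 0;
    for (int i = 0; i < RING_SIZE; i++) {
        if (r->pending[i] || r->info[i].buf == 0)
            continue;
        r->info[i].buf = 0;
        r->info[i].len = 0;
        unmapped++;
    }
    return unmapped;
}

/*
 * Scenario from the commit: three descriptors for one buffer, of which the
 * engine has closed 'closed' so far. Returns how many unmaps happen, i.e.
 * whether the buffer is torn down while descriptors are still pending.
 */
int unmaps_after_closing(int closed, bool fixed)
{
    struct tx_ring r;
    ring_init(&r);
    tx_fill(&r, 2, 3, (uintptr_t)0xDEAD0000u, 4096, fixed); /* constructed */
    dma_close(&r, 2, closed);
    return tx_clean(&r);
}
```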

 
netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() [+ + +]
Author: Zichen Xie <zichenxie0106@gmail.com>
Date:   Tue Oct 22 12:19:08 2024 -0500

    netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()
    
    [ Upstream commit 4ce1f56a1eaced2523329bef800d004e30f2f76c ]
    
    This was found by a static analyzer.
    We should not forget the trailing zero after copy_from_user()
    if we will further do some string operations, sscanf() in this
    case. Adding a trailing zero will ensure that the function
    performs properly.
    
    Fixes: c6385c0b67c5 ("netdevsim: Allow reporting activity on nexthop buckets")
    Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
    Reviewed-by: Petr Machata <petrm@nvidia.com>
    Reviewed-by: Ido Schimmel <idosch@nvidia.com>
    Link: https://patch.msgid.link/20241022171907.8606-1-zichenxie0106@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
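The pattern this commit fixes, shown as an added user-space example that is not the netdevsim code: bytes copied from user space carry no NUL terminator, so the kernel-side buffer must be terminated before sscanf() reads it. fake_copy_from_user(), the buffer size and the function names are stand-ins assumed for this example.

```c
/*
 * Added example, not the netdevsim code: the pattern the commit fixes.
 * copy_from_user() copies raw bytes and adds no NUL terminator, so a
 * kernel buffer filled that way must be terminated before sscanf() or
 * any str* function reads it. fake_copy_from_user() and the names below
 * are stand-ins assumed for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for copy_from_user(): raw copy, no terminator, 0 on success. */
static int fake_copy_from_user(char *dst, const char *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/*
 * Parse "<nexthop id> <bucket index>" from a write of 'count' bytes.
 * Returns 0 on success, -1 on bad or oversize input. Refusing writes
 * that leave no room for the terminator is this example's choice.
 */
int parse_bucket_activity(const char *ubuf, size_t count,
                          unsigned int *nhid, unsigned int *bucket)
{
    char buf[32];

    if (count >= sizeof(buf))
        return -1;
    if (fake_copy_from_user(buf, ubuf, count))
        return -1;
    buf[count] = '\0';  /* the trailing zero the fix adds */

    if (sscanf(buf, "%u %u", nhid, bucket) != 2)
        return -1;
    return 0;
}

/*
 * Constructed scenario: user memory holds "10 3999", but the write covers
 * only its first four bytes ("10 3"). Without the terminator the parser
 * would keep reading past the copied bytes into whatever the kernel buffer
 * happened to contain. Returns the parsed bucket index, or -1 on error.
 */
long demo_bucket_from_partial_write(void)
{
    static const char user_mem[] = "10 3999";
    unsigned int nhid = 0, bucket = 0;

    if (parse_bucket_activity(user_mem, 4, &nhid, &bucket) != 0)
        return -1;
    return nhid == 10 ? (long)bucket : -1;
}

/* Oversize writes are refused instead of overflowing the stack buffer. */
int demo_rejects_oversize(void)
{
    static const char big[64] = "1 2";  /* constructed 64-byte write */
    unsigned int a = 0, b = 0;
    return parse_bucket_activity(big, sizeof(big), &a, &b);
}
```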

 
netfilter: Fix use-after-free in get_info() [+ + +]
Author: Dong Chenchen <dongchenchen2@huawei.com>
Date:   Thu Oct 24 09:47:01 2024 +0800

    netfilter: Fix use-after-free in get_info()
    
    [ Upstream commit f48d258f0ac540f00fa617dac496c4c18b5dc2fa ]
    
    The ip6table_nat module unload has a refcnt warning for a UAF. The call trace is:
    
    WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80
    Modules linked in: ip6table_nat(-)
    CPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
    BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    RIP: 0010:module_put+0x6f/0x80
    Call Trace:
     <TASK>
     get_info+0x128/0x180
     do_ip6t_get_ctl+0x6a/0x430
     nf_getsockopt+0x46/0x80
     ipv6_getsockopt+0xb9/0x100
     rawv6_getsockopt+0x42/0x190
     do_sock_getsockopt+0xaa/0x180
     __sys_getsockopt+0x70/0xc0
     __x64_sys_getsockopt+0x20/0x30
     do_syscall_64+0xa2/0x1a0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Concurrent execution of module unload and get_info() triggered the warning.
    The root cause is as follows:
    
    cpu0                                  cpu1
    module_exit
    //mod->state = MODULE_STATE_GOING
      ip6table_nat_exit
        xt_unregister_template
            kfree(t)
            //removed from templ_list
                                          getinfo()
                                              t = xt_find_table_lock
                                                    list_for_each_entry(tmpl, &xt_templates[af]...)
                                                            if (strcmp(tmpl->name, name))
                                                                    continue;  //table not found
                                                            try_module_get
                                                    list_for_each_entry(t, &xt_net->tables[af]...)
                                                            return t;  //not get refcnt
                                              module_put(t->me) //uaf
        unregister_pernet_subsys
        //remove table from xt_net list
    
    While the xt_table module was going away and had been removed from the
    xt_templates list, we couldn't get the refcnt of xt_table->me. Check the
    module in the xt_net->tables list re-traversal to fix it.
    
    Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
    Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
    Reviewed-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Oct 25 08:02:29 2024 +0000

    netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
    
    [ Upstream commit 4ed234fe793f27a3b151c43d2106df2ff0d81aac ]
    
    I got a syzbot report without a repro [1] crashing in nf_send_reset6().
    
    I think the issue is that dev->hard_header_len is zero, and we attempt
    later to push an Ethernet header.
    
    Use LL_MAX_HEADER, as other functions in net/ipv6/netfilter/nf_reject_ipv6.c do.
    
    [1]
    
    skbuff: skb_under_panic: text:ffffffff89b1d008 len:74 put:14 head:ffff88803123aa00 data:ffff88803123a9f2 tail:0x3c end:0x140 dev:syz_tun
     kernel BUG at net/core/skbuff.c:206 !
    Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 0 UID: 0 PID: 7373 Comm: syz.1.568 Not tainted 6.12.0-rc2-syzkaller-00631-g6d858708d465 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
     RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
     RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
    Code: 0d 8d 48 c7 c6 60 a6 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 ba 30 38 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
    RSP: 0018:ffffc900045269b0 EFLAGS: 00010282
    RAX: 0000000000000088 RBX: dffffc0000000000 RCX: cd66dacdc5d8e800
    RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
    RBP: ffff88802d39a3d0 R08: ffffffff8174afec R09: 1ffff920008a4ccc
    R10: dffffc0000000000 R11: fffff520008a4ccd R12: 0000000000000140
    R13: ffff88803123aa00 R14: ffff88803123a9f2 R15: 000000000000003c
    FS:  00007fdbee5ff6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 000000005d322000 CR4: 00000000003526f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
      skb_push+0xe5/0x100 net/core/skbuff.c:2636
      eth_header+0x38/0x1f0 net/ethernet/eth.c:83
      dev_hard_header include/linux/netdevice.h:3208 [inline]
      nf_send_reset6+0xce6/0x1270 net/ipv6/netfilter/nf_reject_ipv6.c:358
      nft_reject_inet_eval+0x3b9/0x690 net/netfilter/nft_reject_inet.c:48
      expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
      nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
      nft_do_chain_inet+0x418/0x6b0 net/netfilter/nft_chain_filter.c:161
      nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
      nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
      nf_hook include/linux/netfilter.h:269 [inline]
      NF_HOOK include/linux/netfilter.h:312 [inline]
      br_nf_pre_routing_ipv6+0x63e/0x770 net/bridge/br_netfilter_ipv6.c:184
      nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
      nf_hook_bridge_pre net/bridge/br_input.c:277 [inline]
      br_handle_frame+0x9fd/0x1530 net/bridge/br_input.c:424
      __netif_receive_skb_core+0x13e8/0x4570 net/core/dev.c:5562
      __netif_receive_skb_one_core net/core/dev.c:5666 [inline]
      __netif_receive_skb+0x12f/0x650 net/core/dev.c:5781
      netif_receive_skb_internal net/core/dev.c:5867 [inline]
      netif_receive_skb+0x1e8/0x890 net/core/dev.c:5926
      tun_rx_batched+0x1b7/0x8f0 drivers/net/tun.c:1550
      tun_get_user+0x3056/0x47e0 drivers/net/tun.c:2007
      tun_chr_write_iter+0x10d/0x1f0 drivers/net/tun.c:2053
      new_sync_write fs/read_write.c:590 [inline]
      vfs_write+0xa6d/0xc90 fs/read_write.c:683
      ksys_write+0x183/0x2b0 fs/read_write.c:736
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7fdbeeb7d1ff
    Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48
    RSP: 002b:00007fdbee5ff000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 00007fdbeed36058 RCX: 00007fdbeeb7d1ff
    RDX: 000000000000008e RSI: 0000000020000040 RDI: 00000000000000c8
    RBP: 00007fdbeebf12be R08: 0000000000000000 R09: 0000000000000000
    R10: 000000000000008e R11: 0000000000000293 R12: 0000000000000000
    R13: 0000000000000000 R14: 00007fdbeed36058 R15: 00007ffc38de06e8
     </TASK>
    
    Fixes: c8d7b98bec43 ("netfilter: move nf_send_resetX() code to nf_reject_ipvX modules")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nft_payload: sanitize offset and length before calling skb_checksum() [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed Oct 30 23:13:48 2024 +0100

    netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
    
    [ Upstream commit d5953d680f7e96208c29ce4139a0e38de87a57fe ]
    
    If access to offset + length is larger than the skbuff length, then
    skb_checksum() triggers BUG_ON().
    
    skb_checksum() internally subtracts the length parameter while iterating
    over the skbuff; the BUG_ON(len) at the end checks that the expected
    length to be included in the checksum calculation is fully consumed.
    
    Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support")
    Reported-by: Slavin Liu <slavin-ayu@qq.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
NFS: remove revoked delegation from server's delegation list [+ + +]
Author: Dai Ngo <dai.ngo@oracle.com>
Date:   Tue Oct 8 15:58:07 2024 -0700

    NFS: remove revoked delegation from server's delegation list
    
    [ Upstream commit 7ef60108069b7e3cc66432304e1dd197d5c0a9b5 ]
    
    After the delegation is returned to the NFS server remove it
    from the server's delegations list to reduce the time it takes
    to scan this list.
    
    Network trace captured while running the below script shows the
    time taken to service the CB_RECALL increases gradually due to
    the overhead of traversing the delegation list in
    nfs_delegation_find_inode_server.
    
    The NFS server in this test is a Solaris server which issues
    CB_RECALL when receiving the all-zero stateid in the SETATTR.
    
    mount=/mnt/data
    for i in $(seq 1 20)
    do
       echo $i
       mkdir $mount/testtarfile$i
       time  tar -C $mount/testtarfile$i -xf 5000_files.tar
    done
    
    Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
    Reviewed-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nilfs2: fix kernel bug due to missing clearing of checked flag [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Fri Oct 18 04:33:10 2024 +0900

    nilfs2: fix kernel bug due to missing clearing of checked flag
    
    commit 41e192ad2779cae0102879612dfe46726e4396aa upstream.
    
    Syzbot reported that in directory operations after nilfs2 detects
    filesystem corruption and degrades to read-only,
    __block_write_begin_int(), which is called to prepare block writes, may
    fail the BUG_ON check for accesses exceeding the folio/page size,
    triggering a kernel bug.
    
    This was found to be because the "checked" flag of a page/folio was not
    cleared when it was discarded by nilfs2's own routine, which causes the
    sanity check of directory entries to be skipped when the directory
    page/folio is reloaded.  So, fix that.
    
    This was necessary when the use of nilfs2's own page discard routine was
    applied to more than just metadata files.
    
    Link: https://lkml.kernel.org/r/20241017193359.5051-1-konishi.ryusuke@gmail.com
    Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+d6ca2daf692c7a82f959@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=d6ca2daf692c7a82f959
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nilfs2: fix potential deadlock with newly created symlinks [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Sun Oct 20 13:51:28 2024 +0900

    nilfs2: fix potential deadlock with newly created symlinks
    
    commit b3a033e3ecd3471248d474ef263aadc0059e516a upstream.
    
    Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers
    memory reclamation involving the filesystem layer, which can result in
    circular lock dependencies among the reader/writer semaphore
    nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the
    fs_reclaim pseudo lock.
    
    This is because after commit 21fc61c73c39 ("don't put symlink bodies in
    pagecache into highmem"), the gfp flags of the page cache for symbolic
    links are overwritten to GFP_KERNEL via inode_nohighmem().
    
    This is not a problem for symlinks read from the backing device, because
    the __GFP_FS flag is dropped after inode_nohighmem() is called.  However,
    when a new symlink is created with nilfs_symlink(), the gfp flags remain
    overwritten to GFP_KERNEL.  Then, memory allocation called from
    page_symlink() etc.  triggers memory reclamation including the FS layer,
    which may call nilfs_evict_inode() or nilfs_dirty_inode().  And these can
    cause a deadlock if they are called while nilfs->ns_segctor_sem is held:
    
    Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags
    of newly created symlinks in the same way that nilfs_new_inode() and
    __nilfs_read_inode() do, as a workaround until we adopt nofs allocation
    scope consistently or improve the locking constraints.
    
    Link: https://lkml.kernel.org/r/20241020050003.4308-1-konishi.ryusuke@gmail.com
    Fixes: 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=9ef37ac20608f4836256
    Tested-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ntfs3: Add bounds checking to mi_enum_attr() [+ + +]
Author: lei lu <llfamsec@gmail.com>
Date:   Fri Aug 23 21:39:44 2024 +0800

    ntfs3: Add bounds checking to mi_enum_attr()
    
    [ Upstream commit 556bdf27c2dd5c74a9caacbe524b943a6cd42d99 ]
    
    Added bounds checking to make sure that no attr strays beyond the
    valid memory region.
    
    Signed-off-by: lei lu <llfamsec@gmail.com>
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nvmet-auth: assign dh_key to NULL after kfree_sensitive [+ + +]
Author: Vitaliy Shevtsov <v.shevtsov@maxima.ru>
Date:   Mon Sep 16 22:41:37 2024 +0500

    nvmet-auth: assign dh_key to NULL after kfree_sensitive
    
    [ Upstream commit d2f551b1f72b4c508ab9298419f6feadc3b5d791 ]
    
    ctrl->dh_key might be used across multiple calls to nvmet_setup_dhgroup()
    for the same controller. So it's better to nullify it after release on
    error path in order to avoid double free later in nvmet_destroy_auth().
    
    Found by Linux Verification Center (linuxtesting.org) with Svace.
    
    Fixes: 7a277c37d352 ("nvmet-auth: Diffie-Hellman key exchange support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Vitaliy Shevtsov <v.shevtsov@maxima.ru>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: Keith Busch <kbusch@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow [+ + +]
Author: Edward Adam Davis <eadavis@qq.com>
Date:   Wed Oct 16 19:43:47 2024 +0800

    ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow
    
    [ Upstream commit bc0a2f3a73fcdac651fca64df39306d1e5ebe3b0 ]
    
    Syzbot reported a kernel BUG in ocfs2_truncate_inline.  There are two
    reasons for this: first, the parameter value passed is greater than
    ocfs2_max_inline_data_with_xattr, second, the start and end parameters of
    ocfs2_truncate_inline are "unsigned int".
    
    So, we need to add a sanity check for byte_start and byte_len right before
    ocfs2_truncate_inline() in ocfs2_remove_inode_range(); if they are greater
    than ocfs2_max_inline_data_with_xattr, return -EINVAL.
    
    Link: https://lkml.kernel.org/r/tencent_D48DB5122ADDAEDDD11918CFB68D93258C07@qq.com
    Fixes: 1afc32b95233 ("ocfs2: Write support for inline data")
    Signed-off-by: Edward Adam Davis <eadavis@qq.com>
    Reported-by: syzbot+81092778aac03460d6b7@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
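The two range checks described in the nft_payload commit (offset + length against the skbuff length before skb_checksum()) and in this ocfs2 commit (u64 values checked before they are narrowed to the callee's unsigned int parameters), modelled together in an added user-space example that is not kernel code. The helper names, the MAX_INLINE stand-in for ocfs2_max_inline_data_with_xattr and the packet bytes are assumptions.

```c
/*
 * Added example, not kernel code: the two range checks described in the
 * nft_payload and ocfs2 commits, modelled in user space.
 *  - nft_payload: reject offset + length beyond the packet BEFORE the
 *    checksum walk, without the addition itself overflowing.
 *  - ocfs2: a u64 byte range handed to a function taking unsigned int
 *    must be validated before the implicit truncation at the call.
 * The helper names, MAX_INLINE and the packet bytes are assumptions.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Overflow-safe test that [off, off + len) lies within 'total'. */
static bool range_in(uint64_t off, uint64_t len, uint64_t total)
{
    return off <= total && len <= total - off;
}

/*
 * Toy checksum (plain byte sum, not the Internet checksum) over a window
 * of the packet. Returns -1 when the window is outside the packet, where
 * skb_checksum() would instead hit BUG_ON() as described in the commit.
 */
int payload_checksum(const uint8_t *pkt, uint32_t pkt_len,
                     uint32_t off, uint32_t len, uint32_t *sum)
{
    if (!range_in(off, len, pkt_len))
        return -1;
    uint32_t s = 0;
    for (uint32_t i = 0; i < len; i++)
        s += pkt[off + i];
    *sum = s;
    return 0;
}

/* Constructed 6-byte packet; returns the window's sum or -1 when rejected. */
int64_t demo_checksum(uint32_t off, uint32_t len)
{
    static const uint8_t pkt[] = { 1, 2, 3, 4, 5, 6 };
    uint32_t sum = 0;
    if (payload_checksum(pkt, sizeof(pkt), off, len, &sum) != 0)
        return -1;
    return sum;
}

/* Stand-in limit for ocfs2_max_inline_data_with_xattr (constructed). */
#define MAX_INLINE 4000u

/* Stand-in for ocfs2_truncate_inline(): note the unsigned int parameters. */
static unsigned int truncate_inline_stub(unsigned int start, unsigned int end)
{
    return end - start;
}

/*
 * Unchecked shape: the u64 range is truncated at the call, so a value far
 * beyond the inline limit can arrive looking small. Returns the 'end'
 * the callee actually saw.
 */
unsigned int inline_end_seen_unchecked(uint64_t byte_start, uint64_t byte_len)
{
    unsigned int start = (unsigned int)byte_start;            /* truncation */
    unsigned int end = (unsigned int)(byte_start + byte_len); /* truncation */
    (void)truncate_inline_stub(start, end);
    return end;
}

/*
 * Checked shape: validate the full-width values first and return -EINVAL,
 * as the fix does. This example also bounds start + len, which is slightly
 * stricter than checking each value against the limit on its own.
 */
int inline_truncate_checked(uint64_t byte_start, uint64_t byte_len)
{
    if (!range_in(byte_start, byte_len, MAX_INLINE))
        return -EINVAL;
    (void)truncate_inline_stub((unsigned int)byte_start,
                               (unsigned int)(byte_start + byte_len));
    return 0;
}
```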

 
phy: freescale: imx8m-pcie: Do CMN_RST just before PHY PLL lock check [+ + +]
Author: Richard Zhu <hongxing.zhu@nxp.com>
Date:   Mon Oct 21 11:52:41 2024 -0400

    phy: freescale: imx8m-pcie: Do CMN_RST just before PHY PLL lock check
    
    [ Upstream commit f89263b69731e0144d275fff777ee0dd92069200 ]
    
    When initcall_debug is enabled together with the higher debug levels below:
    CONFIG_CONSOLE_LOGLEVEL_DEFAULT=9
    CONFIG_CONSOLE_LOGLEVEL_QUIET=9
    CONFIG_MESSAGE_LOGLEVEL_DEFAULT=7
    
    The initialization of the i.MX8MP PCIe PHY might randomly fail with a timeout.
    To fix this issue, adjust the sequence of the resets to follow the power-up
    sequence listed below.
    
    i.MX8MP PCIe PHY power up sequence:
                              /---------------------------------------------
    1.8v supply     ---------/
                        /---------------------------------------------------
    0.8v supply     ---/
    
                    ---\ /--------------------------------------------------
                        X        REFCLK Valid
    Reference Clock ---/ \--------------------------------------------------
                                 -------------------------------------------
                                 |
    i_init_restn    --------------
                                        ------------------------------------
                                        |
    i_cmn_rstn      ---------------------
                                             -------------------------------
                                             |
    o_pll_lock_done --------------------------
    
    Logs:
    imx6q-pcie 33800000.pcie: host bridge /soc@0/pcie@33800000 ranges:
    imx6q-pcie 33800000.pcie:       IO 0x001ff80000..0x001ff8ffff -> 0x0000000000
    imx6q-pcie 33800000.pcie:      MEM 0x0018000000..0x001fefffff -> 0x0018000000
    probe of clk_imx8mp_audiomix.reset.0 returned 0 after 1052 usecs
    probe of 30e20000.clock-controller returned 0 after 32971 usecs
    phy phy-32f00000.pcie-phy.4: phy poweron failed --> -110
    probe of 30e10000.dma-controller returned 0 after 10235 usecs
    imx6q-pcie 33800000.pcie: waiting for PHY ready timeout!
    dwhdmi-imx 32fd8000.hdmi: Detected HDMI TX controller v2.13a with HDCP (samsung_dw_hdmi_phy2)
    imx6q-pcie 33800000.pcie: probe with driver imx6q-pcie failed with error -110
    
    Fixes: dce9edff16ee ("phy: freescale: imx8m-pcie: Add i.MX8MP PCIe PHY support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
    Signed-off-by: Frank Li <Frank.Li@nxp.com>
    
    v2 changes:
    - Rebase to latest fixes branch of linux-phy git repo.
    - Richard's environment has a problem and can't send out the patch. So I am
    helping to post this fix patch.
    
    Link: https://lore.kernel.org/r/20241021155241.943665-1-Frank.Li@nxp.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend [+ + +]
Author: Johan Hovold <johan+linaro@kernel.org>
Date:   Wed Sep 11 13:52:51 2024 +0200

    phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend
    
    commit 29240130ab77c80bea1464317ae2a5fd29c16a0c upstream.
    
    Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation")
    removed most users of the platform device driver data from the
    qcom-qmp-usb driver, but mistakenly also removed the initialisation
    despite the data still being used in the runtime PM callbacks. This bug
    was later reproduced when the driver was copied to create the
    qmp-usb-legacy driver.
    
    Restore the driver data initialisation at probe to avoid a NULL-pointer
    dereference on runtime suspend.
    
    Apparently no one uses runtime PM, which currently needs to be enabled
    manually through sysfs, with these drivers.
    
    Fixes: e464a3180a43 ("phy: qcom-qmp-usb: split off the legacy USB+dp_com support")
    Cc: stable@vger.kernel.org      # 6.6
    Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20240911115253.10920-3-johan+linaro@kernel.org
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

phy: qcom: qmp-usb: fix NULL-deref on runtime suspend [+ + +]
Author: Johan Hovold <johan+linaro@kernel.org>
Date:   Wed Sep 11 13:52:50 2024 +0200

    phy: qcom: qmp-usb: fix NULL-deref on runtime suspend
    
    commit bd9e4d4a3b127686efc60096271b0a44c3100061 upstream.
    
    Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation")
    removed most users of the platform device driver data, but mistakenly
    also removed the initialisation despite the data still being used in the
    runtime PM callbacks.
    
    Restore the driver data initialisation at probe to avoid a NULL-pointer
    dereference on runtime suspend.
    
    Apparently no one uses runtime PM, which currently needs to be enabled
    manually through sysfs, with this driver.
    
    Fixes: 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation")
    Cc: stable@vger.kernel.org      # 6.2
    Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20240911115253.10920-2-johan+linaro@kernel.org
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
rcu-tasks: Add data to eliminate RCU-tasks/do_exit() deadlocks [+ + +]
Author: Paul E. McKenney <paulmck@kernel.org>
Date:   Mon Feb 5 13:08:22 2024 -0800

    rcu-tasks: Add data to eliminate RCU-tasks/do_exit() deadlocks
    
    [ Upstream commit bfe93930ea1ea3c6c115a7d44af6e4fea609067e ]
    
    Holding a mutex across synchronize_rcu_tasks() and acquiring
    that same mutex in code called from do_exit() after its call to
    exit_tasks_rcu_start() but before its call to exit_tasks_rcu_stop()
    results in deadlock.  This is by design, because tasks that are far
    enough into do_exit() are no longer present on the tasks list, making
    it a bit difficult for RCU Tasks to find them, let alone wait on them
    to do a voluntary context switch.  However, such deadlocks are becoming
    more frequent.  In addition, lockdep currently does not detect such
    deadlocks and they can be difficult to reproduce.
    
    In addition, if a task voluntarily context switches during that time
    (for example, if it blocks acquiring a mutex), then this task is in an
    RCU Tasks quiescent state.  And with some adjustments, RCU Tasks could
    just as well take advantage of that fact.
    
    This commit therefore adds the data structures that will be needed
    to rely on these quiescent states and to eliminate these deadlocks.
    
    Link: https://lore.kernel.org/all/20240118021842.290665-1-chenzhongjin@huawei.com/
    
    Reported-by: Chen Zhongjin <chenzhongjin@huawei.com>
    Reported-by: Yang Jihong <yangjihong1@huawei.com>
    Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
    Tested-by: Yang Jihong <yangjihong1@huawei.com>
    Tested-by: Chen Zhongjin <chenzhongjin@huawei.com>
    Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
    Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
    Stable-dep-of: fd70e9f1d85f ("rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() [+ + +]
Author: Zqiang <qiang.zhang1211@gmail.com>
Date:   Wed Jul 10 12:45:42 2024 +0800

    rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()
    
    [ Upstream commit fd70e9f1d85f5323096ad313ba73f5fe3d15ea41 ]
    
    For kernels built with CONFIG_FORCE_NR_CPUS=y, nr_cpu_ids is
    defined as NR_CPUS instead of the number of possible CPUs, which
    causes the following system panic:
    
    smpboot: Allowing 4 CPUs, 0 hotplug CPUs
    ...
    setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1
    ...
    BUG: unable to handle page fault for address: ffffffff9911c8c8
    Oops: 0000 [#1] PREEMPT SMP PTI
    CPU: 0 PID: 15 Comm: rcu_tasks_trace Tainted: G W
    6.6.21 #1 5dc7acf91a5e8e9ac9dcfc35bee0245691283ea6
    RIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0
    RSP: 0018:ffffa371c00a3e60 EFLAGS: 00010082
    CR2: ffffffff9911c8c8 CR3: 000000040fa20005 CR4: 00000000001706f0
    Call Trace:
    <TASK>
    ? __die+0x23/0x80
    ? page_fault_oops+0xa4/0x180
    ? exc_page_fault+0x152/0x180
    ? asm_exc_page_fault+0x26/0x40
    ? rcu_tasks_need_gpcb+0x25d/0x2c0
    ? __pfx_rcu_tasks_kthread+0x40/0x40
    rcu_tasks_one_gp+0x69/0x180
    rcu_tasks_kthread+0x94/0xc0
    kthread+0xe8/0x140
    ? __pfx_kthread+0x40/0x40
    ret_from_fork+0x34/0x80
    ? __pfx_kthread+0x40/0x40
    ret_from_fork_asm+0x1b/0x80
    </TASK>
    
    Considering that there may be holes in the CPU numbers, use the
    maximum possible cpu number, instead of nr_cpu_ids, for configuring
    enqueue and dequeue limits.
    
    [ neeraj.upadhyay: Fix htmldocs build error reported by Stephen Rothwell ]
    
    Closes: https://lore.kernel.org/linux-input/CALMA0xaTSMN+p4xUXkzrtR5r6k7hgoswcaXx7baR_z9r5jjskw@mail.gmail.com/T/#u
    Reported-by: Zhixu Liu <zhixu.liu@gmail.com>
    Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
    Signed-off-by: Neeraj Upadhyay <neeraj.upadhyay@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

rcu-tasks: Initialize data to eliminate RCU-tasks/do_exit() deadlocks [+ + +]
Author: Paul E. McKenney <paulmck@kernel.org>
Date:   Mon Feb 5 13:10:19 2024 -0800

    rcu-tasks: Initialize data to eliminate RCU-tasks/do_exit() deadlocks
    
    [ Upstream commit 46faf9d8e1d52e4a91c382c6c72da6bd8e68297b ]
    
    Holding a mutex across synchronize_rcu_tasks() and acquiring
    that same mutex in code called from do_exit() after its call to
    exit_tasks_rcu_start() but before its call to exit_tasks_rcu_stop()
    results in deadlock.  This is by design, because tasks that are far
    enough into do_exit() are no longer present on the tasks list, making
    it a bit difficult for RCU Tasks to find them, let alone wait on them
    to do a voluntary context switch.  However, such deadlocks are becoming
    more frequent.  In addition, lockdep currently does not detect such
    deadlocks and they can be difficult to reproduce.
    
    In addition, if a task voluntarily context switches during that time
    (for example, if it blocks acquiring a mutex), then this task is in an
    RCU Tasks quiescent state.  And with some adjustments, RCU Tasks could
    just as well take advantage of that fact.
    
    This commit therefore initializes the data structures that will be needed
    to rely on these quiescent states and to eliminate these deadlocks.
    
    Link: https://lore.kernel.org/all/20240118021842.290665-1-chenzhongjin@huawei.com/
    
    Reported-by: Chen Zhongjin <chenzhongjin@huawei.com>
    Reported-by: Yang Jihong <yangjihong1@huawei.com>
    Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
    Tested-by: Yang Jihong <yangjihong1@huawei.com>
    Tested-by: Chen Zhongjin <chenzhongjin@huawei.com>
    Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
    Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
    Stable-dep-of: fd70e9f1d85f ("rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

rcu-tasks: Pull sampling of ->percpu_dequeue_lim out of loop [+ + +]
Author: Paul E. McKenney <paulmck@kernel.org>
Date:   Wed Aug 2 13:42:00 2023 -0700

    rcu-tasks: Pull sampling of ->percpu_dequeue_lim out of loop
    
    [ Upstream commit e62d8ae4620865411d1b2347980aa28ccf891a3d ]
    
    The rcu_tasks_need_gpcb() samples ->percpu_dequeue_lim as part of the
    condition clause of a "for" loop, which is a bit confusing.  This commit
    therefore hoists this sampling out of the loop, using the result loaded
    in the condition clause.
    
    So why does this work in the face of a concurrent switch from single-CPU
    queueing to per-CPU queueing?
    
    o       The call_rcu_tasks_generic() that makes the change has already
            enqueued its callback, which means that all of the other CPU's
            callback queues are empty.
    
    o       For the call_rcu_tasks_generic() that first notices
            the switch to per-CPU queues, the smp_store_release()
            used to update ->percpu_enqueue_lim pairs with the
            raw_spin_trylock_rcu_node()'s full barrier that is
            between the READ_ONCE(rtp->percpu_enqueue_shift) and the
            rcu_segcblist_enqueue() that enqueues the callback.
    
    o       Because this CPU's queue is empty (unless it happens to
            be the original single queue, in which case there is no
            need for synchronization), this call_rcu_tasks_generic()
            will do an irq_work_queue() to schedule a handler for the
            needed rcuwait_wake_up() call.  This call will be ordered
            after the first call_rcu_tasks_generic() function's change to
            ->percpu_dequeue_lim.
    
    o       This rcuwait_wake_up() will either happen before or after the
            set_current_state() in rcuwait_wait_event().  If it happens
            before, the "condition" argument's call to rcu_tasks_need_gpcb()
            will be ordered after the original change, and all callbacks on
            all CPUs will be visible.  Otherwise, if it happens after, then
            the grace-period kthread's state will be set back to running,
            which will result in a later call to rcuwait_wait_event() and
            thus to rcu_tasks_need_gpcb(), which will again see the change.
    
    So it all works out.
    
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
    Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
    Stable-dep-of: fd70e9f1d85f ("rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
RDMA/bnxt_re: Fix the usage of control path spin locks [+ + +]
Author: Selvin Xavier <selvin.xavier@broadcom.com>
Date:   Mon Oct 14 06:36:14 2024 -0700

    RDMA/bnxt_re: Fix the usage of control path spin locks
    
    [ Upstream commit d71f4acd584cc861f54b3cb3ac07875f06550a05 ]
    
    Control path completion processing always runs in tasklet context. To
    synchronize with the posting thread, there is no need to use the irq
    variant of spin lock. Use spin_lock_bh instead.
    
    Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
    Link: https://patch.msgid.link/r/1728912975-19346-2-git-send-email-selvin.xavier@broadcom.com
    Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
    Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

RDMA/bnxt_re: synchronize the qp-handle table array [+ + +]
Author: Selvin Xavier <selvin.xavier@broadcom.com>
Date:   Mon Oct 14 06:36:15 2024 -0700

    RDMA/bnxt_re: synchronize the qp-handle table array
    
    [ Upstream commit 76d3ddff7153cc0bcc14a63798d19f5d0693ea71 ]
    
    There is a race between the CREQ tasklet and destroy qp when accessing the
    qp-handle table. There is a chance of reading a valid qp-handle in the
    CREQ tasklet handler while the QP is already moving ahead with the
    destruction.
    
    Fix this race by implementing a table lock to synchronize the access.
    
    Fixes: f218d67ef004 ("RDMA/bnxt_re: Allow posting when QPs are in error")
    Fixes: 84cf229f4001 ("RDMA/bnxt_re: Fix the qp table indexing")
    Link: https://patch.msgid.link/r/1728912975-19346-3-git-send-email-selvin.xavier@broadcom.com
    Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
    Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
RDMA/cxgb4: Dump vendor specific QP details [+ + +]
Author: Leon Romanovsky <leon@kernel.org>
Date:   Mon Oct 7 20:55:17 2024 +0300

    RDMA/cxgb4: Dump vendor specific QP details
    
    [ Upstream commit 89f8c6f197f480fe05edf91eb9359d5425869d04 ]
    
    Restore the missing functionality to dump vendor specific QP details,
    which was mistakenly removed in the commit mentioned in Fixes line.
    
    Fixes: 5cc34116ccec ("RDMA: Add dedicated QP resource tracker function")
    Link: https://patch.msgid.link/r/ed9844829135cfdcac7d64285688195a5cd43f82.1728323026.git.leonro@nvidia.com
    Reported-by: Dr. David Alan Gilbert <linux@treblig.org>
    Closes: https://lore.kernel.org/all/Zv_4qAxuC0dLmgXP@gallifrey
    Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down [+ + +]
Author: Patrisious Haddad <phaddad@nvidia.com>
Date:   Thu Oct 10 11:50:23 2024 +0300

    RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down
    
    [ Upstream commit 78ed28e08e74da6265e49e19206e1bcb8b9a7f0d ]
    
    After the cited commit below max_dest_rd_atomic and max_rd_atomic values
    are being rounded down to the next power of 2. As opposed to the old
    behavior and mlx4 driver where they used to be rounded up instead.
    
    In order to stay consistent with older code and other drivers, revert to
    using fls round function which rounds up to the next power of 2.
    
    Fixes: f18e26af6aba ("RDMA/mlx5: Convert modify QP to use MLX5_SET macros")
    Link: https://patch.msgid.link/r/d85515d6ef21a2fa8ef4c8293dce9b58df8a6297.1728550179.git.leon@kernel.org
    Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
    Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
    Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
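
The two rounding behaviours the commit contrasts, as an added illustration for this page rather than mlx5 driver code: a minimal fls() with the kernel's semantics (1-based index of the highest set bit, fls(0) == 0), the round-down (ilog2-style) and round-up (fls(v - 1)) ways of deriving the log2 value a QP context field takes, and the count the QP would actually be granted. Treating a request of 0 as "no RDMA read/atomic" is an assumption made here for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * fls() with the kernel's semantics: 1-based index of the most significant
 * set bit, fls(0) == 0. Named kfls() here so it cannot clash with libc.
 */
static unsigned int kfls(uint32_t x)
{
	unsigned int r = 0;

	while (x) {
		r++;
		x >>= 1;
	}
	return r;
}

/* log2 rounded down (ilog2-style): (1 << result) <= v for v >= 1. */
unsigned int log_rd_atomic_down(uint32_t v)
{
	return v ? kfls(v) - 1 : 0;
}

/* log2 rounded up (the fls(v - 1) idiom): (1 << result) >= v for v >= 1. */
unsigned int log_rd_atomic_up(uint32_t v)
{
	return v ? kfls(v - 1) : 0;
}

/* Outstanding read/atomic count the QP ends up with for a given request. */
uint32_t rd_atomic_granted(uint32_t requested, int round_up)
{
	if (!requested)
		return 0;	/* assumption: 0 means "none" in this illustration */
	return 1u << (round_up ? log_rd_atomic_up(requested)
			       : log_rd_atomic_down(requested));
}

int main(void)
{
	uint32_t req[] = { 1, 3, 5, 8, 16, 17, 128 };

	for (size_t i = 0; i < sizeof(req) / sizeof(req[0]); i++)
		printf("requested %3u -> round down %3u, round up %3u\n", req[i],
		       rd_atomic_granted(req[i], 0), rd_atomic_granted(req[i], 1));
	return 0;
}
```

With round-down, a caller asking for 5 outstanding RDMA reads/atomics is silently granted 4, less than it asked for; with round-up it gets 8, which is the mlx4 and pre-regression behaviour the commit restores.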

 
Revert "driver core: Fix uevent_show() vs driver detach race" [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Oct 29 01:23:04 2024 +0100

    Revert "driver core: Fix uevent_show() vs driver detach race"
    
    commit 9a71892cbcdb9d1459c84f5a4c722b14354158a5 upstream.
    
    This reverts commit 15fffc6a5624b13b428bb1c6e9088e32a55eb82c.
    
    This commit causes a regression, so revert it for now until it can come
    back in a way that works for everyone.
    
    Link: https://lore.kernel.org/all/172790598832.1168608.4519484276671503678.stgit@dwillia2-xfh.jf.intel.com/
    Fixes: 15fffc6a5624 ("driver core: Fix uevent_show() vs driver detach race")
    Cc: stable <stable@kernel.org>
    Cc: Ashish Sangwan <a.sangwan@samsung.com>
    Cc: Namjae Jeon <namjae.jeon@samsung.com>
    Cc: Dirk Behme <dirk.behme@de.bosch.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Rafael J. Wysocki <rafael@kernel.org>
    Cc: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM" [+ + +]
Author: Edward Liaw <edliaw@google.com>
Date:   Fri Oct 18 17:17:22 2024 +0000

    Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM"
    
    commit 5bb1f4c9340e01003b00b94d539eadb0da88f48e upstream.
    
    Patch series "selftests/mm: revert pthread_barrier change"
    
    On Android arm, pthread_create followed by a fork caused a deadlock in
    the case where the fork required work to be completed by the created
    thread.
    
    The previous patches incorrectly assumed that the parent would
    always initialize the pthread_barrier for the child thread.  This
    reverts the change and replaces the fix for wp-fork-with-event with the
    original use of atomic_bool.
    
    
    This patch (of 3):
    
    This reverts commit e142cc87ac4ec618f2ccf5f68aedcd6e28a59d9d.
    
    fork_event_consumer may be called by other tests that do not initialize
    the pthread_barrier, so this approach is not correct.  The subsequent
    patch will revert to using atomic_bool instead.
    
    Link: https://lkml.kernel.org/r/20241018171734.2315053-1-edliaw@google.com
    Link: https://lkml.kernel.org/r/20241018171734.2315053-2-edliaw@google.com
    Fixes: e142cc87ac4e ("fix deadlock for fork after pthread_create on ARM")
    Signed-off-by: Edward Liaw <edliaw@google.com>
    Cc: Ryan Roberts <ryan.roberts@arm.com>
    Cc: Peter Xu <peterx@redhat.com>
    Cc: Shuah Khan <shuah@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Revert "selftests/mm: replace atomic_bool with pthread_barrier_t" [+ + +]
Author: Edward Liaw <edliaw@google.com>
Date:   Fri Oct 18 17:17:23 2024 +0000

    Revert "selftests/mm: replace atomic_bool with pthread_barrier_t"
    
    commit 3673167a3a07f25b3f06754d69f406edea65543a upstream.
    
    This reverts commit e61ef21e27e8deed8c474e9f47f4aa7bc37e138c.
    
    uffd_poll_thread may be called by other tests that do not initialize the
    pthread_barrier, so this approach is not correct.  This will revert to
    using atomic_bool instead.
    
    Link: https://lkml.kernel.org/r/20241018171734.2315053-3-edliaw@google.com
    Fixes: e61ef21e27e8 ("selftests/mm: replace atomic_bool with pthread_barrier_t")
    Signed-off-by: Edward Liaw <edliaw@google.com>
    Cc: Ryan Roberts <ryan.roberts@arm.com>
    Cc: Peter Xu <peterx@redhat.com>
    Cc: Shuah Khan <shuah@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
RISC-V: ACPI: fix early_ioremap to early_memremap [+ + +]
Author: Yunhui Cui <cuiyunhui@bytedance.com>
Date:   Mon Oct 14 21:01:41 2024 +0800

    RISC-V: ACPI: fix early_ioremap to early_memremap
    
    commit 1966db682f064172891275cb951aa8c98a0a809b upstream.
    
    When SVPBMT is enabled, __acpi_map_table() will directly access the
    data in DDR through the IO attribute, rather than through hardware
    cache consistency, resulting in incorrect data in the obtained ACPI
    table.
    
    The log: ACPI: [ACPI:0x18] Invalid zero length.
    
    We do not assume whether the bootloader flushes or not. We should
    access in a cacheable way instead of maintaining cache consistency
    by software.
    
    Fixes: 3b426d4b5b14 ("RISC-V: ACPI : Fix for usage of pointers in different address space")
    Cc: stable@vger.kernel.org
    Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
    Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
    Reviewed-by: Sunil V L <sunilvl@ventanamicro.com>
    Link: https://lore.kernel.org/r/20241014130141.86426-1-cuiyunhui@bytedance.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
riscv: efi: Set NX compat flag in PE/COFF header [+ + +]
Author: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Date:   Sun Sep 29 16:02:33 2024 +0200

    riscv: efi: Set NX compat flag in PE/COFF header
    
    [ Upstream commit d41373a4b910961df5a5e3527d7bde6ad45ca438 ]
    
    The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the
    EFI binary does not rely on pages that are both executable and
    writable.
    
    The flag is used by some distro versions of GRUB to decide if the EFI
    binary may be executed.
    
    As the Linux kernel neither has RWX sections nor needs RWX pages for
    relocation we should set the flag.
    
    Cc: Ard Biesheuvel <ardb@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
    Reviewed-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
    Fixes: cb7d2dd5612a ("RISC-V: Add PE/COFF header for EFI stub")
    Acked-by: Ard Biesheuvel <ardb@kernel.org>
    Link: https://lore.kernel.org/r/20240929140233.211800-1-heinrich.schuchardt@canonical.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
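
The flag the commit sets lives in the DllCharacteristics field of the PE optional header. The following is an added example written for this page, not the kernel's or GRUB's code: it parses a PE32/PE32+ image to read or set IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) and builds a constructed, header-only PE32+ image to exercise the check. Offsets follow the PE/COFF specification; the function names are the example's own. It checks only the flag bit, not whether the image really has no RWX sections, which is what the bit is meant to promise.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bit in the optional header's DllCharacteristics field (PE/COFF spec). */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
#define PE32_MAGIC     0x10b
#define PE32PLUS_MAGIC 0x20b

static uint16_t rd16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * File offset of DllCharacteristics, or 0 if the buffer is not a well-formed
 * PE32/PE32+ image. Layout: "MZ" stub with e_lfanew at 0x3c, "PE\0\0", a
 * 20-byte COFF header, then the optional header (Magic at +0,
 * DllCharacteristics at +70 for both PE32 and PE32+).
 */
size_t pe_dllchar_offset(const uint8_t *img, size_t len)
{
	uint32_t pe;
	uint16_t magic;

	if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
		return 0;
	pe = rd32(img + 0x3c);
	if (pe > len || len - pe < 4 + 20 + 72)	/* through DllCharacteristics */
		return 0;
	if (memcmp(img + pe, "PE\0\0", 4) != 0)
		return 0;
	magic = rd16(img + pe + 24);
	if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC)
		return 0;
	return pe + 24 + 70;
}

/* 1 if NX_COMPAT is set, 0 if clear, -1 if the image is malformed. */
int pe_is_nx_compat(const uint8_t *img, size_t len)
{
	size_t off = pe_dllchar_offset(img, len);

	if (!off)
		return -1;
	return (rd16(img + off) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) ? 1 : 0;
}

/* Set NX_COMPAT in place; 0 on success, -1 if the image is malformed. */
int pe_set_nx_compat(uint8_t *img, size_t len)
{
	size_t off = pe_dllchar_offset(img, len);
	uint16_t v;

	if (!off)
		return -1;
	v = rd16(img + off) | IMAGE_DLLCHARACTERISTICS_NX_COMPAT;
	img[off] = (uint8_t)(v & 0xff);
	img[off + 1] = (uint8_t)(v >> 8);
	return 0;
}

/* Constructed test image: PE32+ headers only, no sections, flag clear. */
size_t build_min_pe32plus(uint8_t *buf, size_t cap)
{
	const uint32_t pe = 0x40;
	size_t need = pe + 4 + 20 + 112;	/* PE32+ optional header, no data dirs */

	if (cap < need)
		return 0;
	memset(buf, 0, need);
	buf[0] = 'M';
	buf[1] = 'Z';
	buf[0x3c] = (uint8_t)pe;
	memcpy(buf + pe, "PE\0\0", 4);
	buf[pe + 24] = 0x0b;	/* Magic 0x20b (PE32+), little endian */
	buf[pe + 25] = 0x02;
	return need;
}

/* Round trip: 1 if the flag reads clear before and set after, else 0. */
int nx_compat_roundtrip(void)
{
	uint8_t img[256];
	size_t len = build_min_pe32plus(img, sizeof(img));

	if (!len || pe_is_nx_compat(img, len) != 0 || pe_set_nx_compat(img, len))
		return 0;
	return pe_is_nx_compat(img, len) == 1;
}
```

On a built EFI image the same bit is visible without code: binutils' `objdump -p` prints the optional header including DllCharacteristics, which is a quick way to confirm a kernel or bootloader build carries the flag before a GRUB that enforces it refuses to load it.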

riscv: Remove duplicated GET_RM [+ + +]
Author: Chunyan Zhang <zhangchunyan@iscas.ac.cn>
Date:   Tue Oct 8 17:41:39 2024 +0800

    riscv: Remove duplicated GET_RM
    
    [ Upstream commit 164f66de6bb6ef454893f193c898dc8f1da6d18b ]
    
    The macro GET_RM is defined twice in this file; one definition can be removed.
    
    Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
    Signed-off-by: Chunyan Zhang <zhangchunyan@iscas.ac.cn>
    Fixes: 956d705dd279 ("riscv: Unaligned load/store handling for M_MODE")
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20241008094141.549248-3-zhangchunyan@iscas.ac.cn
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

riscv: Remove unused GENERATING_ASM_OFFSETS [+ + +]
Author: Chunyan Zhang <zhangchunyan@iscas.ac.cn>
Date:   Tue Oct 8 17:41:38 2024 +0800

    riscv: Remove unused GENERATING_ASM_OFFSETS
    
    [ Upstream commit 46d4e5ac6f2f801f97bcd0ec82365969197dc9b1 ]
    
    The macro is not used in the current version of the kernel, so it looks
    like it can be removed to avoid a build warning:
    
    ../arch/riscv/kernel/asm-offsets.c: At top level:
    ../arch/riscv/kernel/asm-offsets.c:7: warning: macro "GENERATING_ASM_OFFSETS" is not used [-Wunused-macros]
        7 | #define GENERATING_ASM_OFFSETS
    
    Fixes: 9639a44394b9 ("RISC-V: Provide a cleaner raw_smp_processor_id()")
    Cc: stable@vger.kernel.org
    Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
    Tested-by: Alexandre Ghiti <alexghiti@rivosinc.com>
    Signed-off-by: Chunyan Zhang <zhangchunyan@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20241008094141.549248-2-zhangchunyan@iscas.ac.cn
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

riscv: Use '%u' to format the output of 'cpu' [+ + +]
Author: WangYuli <wangyuli@uniontech.com>
Date:   Thu Oct 17 11:20:10 2024 +0800

    riscv: Use '%u' to format the output of 'cpu'
    
    [ Upstream commit e0872ab72630dada3ae055bfa410bf463ff1d1e0 ]
    
    'cpu' is an unsigned integer, so its conversion specifier should
    be %u, not %d.
    
    Suggested-by: Wentao Guan <guanwentao@uniontech.com>
    Suggested-by: Maciej W. Rozycki <macro@orcam.me.uk>
    Link: https://lore.kernel.org/all/alpine.DEB.2.21.2409122309090.40372@angie.orcam.me.uk/
    Signed-off-by: WangYuli <wangyuli@uniontech.com>
    Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
    Tested-by: Charlie Jenkins <charlie@rivosinc.com>
    Fixes: f1e58583b9c7 ("RISC-V: Support cpu hotplug")
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/4C127DEECDA287C8+20241017032010.96772-1-wangyuli@uniontech.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

riscv: vdso: Prevent the compiler from inserting calls to memset() [+ + +]
Author: Alexandre Ghiti <alexghiti@rivosinc.com>
Date:   Wed Oct 16 10:36:24 2024 +0200

    riscv: vdso: Prevent the compiler from inserting calls to memset()
    
    [ Upstream commit bf40167d54d55d4b54d0103713d86a8638fb9290 ]
    
    The compiler is smart enough to insert a call to memset() in
    riscv_vdso_get_cpus(), which generates a dynamic relocation.
    
    So prevent this by using -fno-builtin option.
    
    Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API")
    Cc: stable@vger.kernel.org
    Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
    Reviewed-by: Guo Ren <guoren@kernel.org>
    Link: https://lore.kernel.org/r/20241016083625.136311-2-alexghiti@rivosinc.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
sched/numa: Fix the potential null pointer dereference in task_numa_work() [+ + +]
Author: Shawn Wang <shawnwang@linux.alibaba.com>
Date:   Fri Oct 25 10:22:08 2024 +0800

    sched/numa: Fix the potential null pointer dereference in task_numa_work()
    
    [ Upstream commit 9c70b2a33cd2aa6a5a59c5523ef053bd42265209 ]
    
    When running stress-ng-vm-segv test, we found a null pointer dereference
    error in task_numa_work(). Here is the backtrace:
    
      [323676.066985] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
      ......
      [323676.067108] CPU: 35 PID: 2694524 Comm: stress-ng-vm-se
      ......
      [323676.067113] pstate: 23401009 (nzCv daif +PAN -UAO +TCO +DIT +SSBS BTYPE=--)
      [323676.067115] pc : vma_migratable+0x1c/0xd0
      [323676.067122] lr : task_numa_work+0x1ec/0x4e0
      [323676.067127] sp : ffff8000ada73d20
      [323676.067128] x29: ffff8000ada73d20 x28: 0000000000000000 x27: 000000003e89f010
      [323676.067130] x26: 0000000000080000 x25: ffff800081b5c0d8 x24: ffff800081b27000
      [323676.067133] x23: 0000000000010000 x22: 0000000104d18cc0 x21: ffff0009f7158000
      [323676.067135] x20: 0000000000000000 x19: 0000000000000000 x18: ffff8000ada73db8
      [323676.067138] x17: 0001400000000000 x16: ffff800080df40b0 x15: 0000000000000035
      [323676.067140] x14: ffff8000ada73cc8 x13: 1fffe0017cc72001 x12: ffff8000ada73cc8
      [323676.067142] x11: ffff80008001160c x10: ffff000be639000c x9 : ffff8000800f4ba4
      [323676.067145] x8 : ffff000810375000 x7 : ffff8000ada73974 x6 : 0000000000000001
      [323676.067147] x5 : 0068000b33e26707 x4 : 0000000000000001 x3 : ffff0009f7158000
      [323676.067149] x2 : 0000000000000041 x1 : 0000000000004400 x0 : 0000000000000000
      [323676.067152] Call trace:
      [323676.067153]  vma_migratable+0x1c/0xd0
      [323676.067155]  task_numa_work+0x1ec/0x4e0
      [323676.067157]  task_work_run+0x78/0xd8
      [323676.067161]  do_notify_resume+0x1ec/0x290
      [323676.067163]  el0_svc+0x150/0x160
      [323676.067167]  el0t_64_sync_handler+0xf8/0x128
      [323676.067170]  el0t_64_sync+0x17c/0x180
      [323676.067173] Code: d2888001 910003fd f9000bf3 aa0003f3 (f9401000)
      [323676.067177] SMP: stopping secondary CPUs
      [323676.070184] Starting crashdump kernel...
    
    stress-ng-vm-segv in stress-ng is used to stress test the SIGSEGV error
    handling function of the system, which tries to cause a SIGSEGV error on
    return from unmapping the whole address space of the child process.
    
    Normally this program will not cause kernel crashes. But before the
    munmap system call returns to user mode, a potential task_numa_work()
    for numa balancing could be added and executed. In this scenario, since the
    child process has no vma after munmap, the vma_next() in task_numa_work()
    will return a null pointer even if the vma iterator restarts from 0.
    
    Recheck the vma pointer before dereferencing it in task_numa_work().
    
    Fixes: 214dbc428137 ("sched: convert to vma iterator")
    Signed-off-by: Shawn Wang <shawnwang@linux.alibaba.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: stable@vger.kernel.org # v6.2+
    Link: https://lkml.kernel.org/r/20241025022208.125527-1-shawnwang@linux.alibaba.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
scsi: scsi_transport_fc: Allow setting rport state to current state [+ + +]
Author: Benjamin Marzinski <bmarzins@redhat.com>
Date:   Tue Sep 17 19:06:43 2024 -0400

    scsi: scsi_transport_fc: Allow setting rport state to current state
    
    [ Upstream commit d539a871ae47a1f27a609a62e06093fa69d7ce99 ]
    
    The only input fc_rport_set_marginal_state() currently accepts is
    "Marginal" when port_state is "Online", and "Online" when the port_state
    is "Marginal". It should also allow setting port_state to its current
    state, either "Marginal" or "Online".
    
    Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
    Link: https://lore.kernel.org/r/20240917230643.966768-1-bmarzins@redhat.com
    Reviewed-by: Ewan D. Milne <emilne@redhat.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests/bpf: Add bpf_percpu_obj_{new,drop}() macro in bpf_experimental.h [+ + +]
Author: Yonghong Song <yonghong.song@linux.dev>
Date:   Sun Aug 27 08:28:05 2023 -0700

    selftests/bpf: Add bpf_percpu_obj_{new,drop}() macro in bpf_experimental.h
    
    [ Upstream commit 968c76cb3dc6cc86e8099ecaa5c30dc0d4738a30 ]
    
    The new macro bpf_percpu_obj_{new/drop}() is very similar to bpf_obj_{new,drop}()
    as they both take a type as the argument.
    
    Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
    Link: https://lore.kernel.org/r/20230827152805.1999417-1-yonghong.song@linux.dev
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Stable-dep-of: aa30eb3260b2 ("bpf: Force checkpoint when jmp history is too long")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
smb: client: fix parsing of device numbers [+ + +]
Author: Paulo Alcantara <pc@manguebit.com>
Date:   Wed Sep 18 21:57:43 2024 -0300

    smb: client: fix parsing of device numbers
    
    [ Upstream commit 663f295e35594f4c2584fc68c28546b747b637cd ]
    
    Report correct major and minor numbers from special files created with
    NFS reparse points.
    
    Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

smb: client: set correct device number on nfs reparse points [+ + +]
Author: Paulo Alcantara <pc@manguebit.com>
Date:   Wed Sep 18 21:53:35 2024 -0300

    smb: client: set correct device number on nfs reparse points
    
    [ Upstream commit a9de67336a4aa3ff2e706ba023fb5f7ff681a954 ]
    
    Fix major and minor numbers set on special files created with NFS
    reparse points.
    
    Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
spi: geni-qcom: Fix boot warning related to pm_runtime and devres [+ + +]
Author: Georgi Djakov <djakov@kernel.org>
Date:   Wed Oct 9 02:16:15 2024 +0300

    spi: geni-qcom: Fix boot warning related to pm_runtime and devres
    
    [ Upstream commit d0ccf760a405d243a49485be0a43bd5b66ed17e2 ]
    
    During boot, users sometimes observe the following warning:
    
    [7.841431] WARNING: CPU: 4 PID: 492 at
    drivers/interconnect/core.c:685 __icc_enable
    (drivers/interconnect/core.c:685 (discriminator 7))
    [..]
    [7.841541] Call trace:
    [7.841542] __icc_enable (drivers/interconnect/core.c:685 (discriminator 7))
    [7.841545] icc_disable (drivers/interconnect/core.c:708)
    [7.841547] geni_icc_disable (drivers/soc/qcom/qcom-geni-se.c:862)
    [7.841553] spi_geni_runtime_suspend+0x3c/0x4c spi_geni_qcom
    
    This occurs when the spi-geni driver receives an -EPROBE_DEFER error
    from spi_geni_grab_gpi_chan(), causing devres to start releasing all
    resources as shown below:
    
    [7.138679] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_icc_release (8 bytes)
    [7.138751] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_icc_release (8 bytes)
    [7.138827] geni_spi 880000.spi: DEVRES REL ffff800081443800 pm_runtime_disable_action (16 bytes)
    [7.139494] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_pm_opp_config_release (16 bytes)
    [7.139512] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_spi_release_controller (8 bytes)
    [7.139516] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_clk_release (16 bytes)
    [7.139519] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_ioremap_release (8 bytes)
    [7.139524] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_region_release (24 bytes)
    [7.139527] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_kzalloc_release (22 bytes)
    [7.139530] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_pinctrl_release (8 bytes)
    [7.139539] geni_spi 880000.spi: DEVRES REL ffff800081443800 devm_kzalloc_release (40 bytes)
    
    The issue here is that pm_runtime_disable_action() results in a call to
    spi_geni_runtime_suspend(), which attempts to suspend the device and
    disable an interconnect path that devm_icc_release() has just released.
    
    Resolve this by calling geni_icc_get() before enabling runtime PM. This
    approach ensures that when devres releases resources in reverse order,
    it will start with pm_runtime_disable_action(), suspending the device,
    and then proceed to free the remaining resources.
    
    Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
    Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Closes: https://lore.kernel.org/r/CA+G9fYtsjFtddG8i+k-SpV8U6okL0p4zpsTiwGfNH5GUA8dWAA@mail.gmail.com
    Fixes: 89e362c883c6 ("spi: geni-qcom: Undo runtime PM changes at driver exit time")
    Signed-off-by: Georgi Djakov <djakov@kernel.org>
    Link: https://patch.msgid.link/20241008231615.430073-1-djakov@kernel.org
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

spi: spi-fsl-dspi: Fix crash when not using GPIO chip select [+ + +]
Author: Frank Li <Frank.Li@nxp.com>
Date:   Wed Oct 23 16:30:32 2024 -0400

    spi: spi-fsl-dspi: Fix crash when not using GPIO chip select
    
    [ Upstream commit 25f00a13dccf8e45441265768de46c8bf58e08f6 ]
    
    Add check for the return value of spi_get_csgpiod() to avoid passing a NULL
    pointer to gpiod_direction_output(), preventing a crash when GPIO chip
    select is not used.
    
    Fix below crash:
    [    4.251960] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    [    4.260762] Mem abort info:
    [    4.263556]   ESR = 0x0000000096000004
    [    4.267308]   EC = 0x25: DABT (current EL), IL = 32 bits
    [    4.272624]   SET = 0, FnV = 0
    [    4.275681]   EA = 0, S1PTW = 0
    [    4.278822]   FSC = 0x04: level 0 translation fault
    [    4.283704] Data abort info:
    [    4.286583]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    [    4.292074]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    [    4.297130]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
    [    4.302445] [0000000000000000] user address but active_mm is swapper
    [    4.308805] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
    [    4.315072] Modules linked in:
    [    4.318124] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc4-next-20241023-00008-ga20ec42c5fc1 #359
    [    4.328130] Hardware name: LS1046A QDS Board (DT)
    [    4.332832] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [    4.339794] pc : gpiod_direction_output+0x34/0x5c
    [    4.344505] lr : gpiod_direction_output+0x18/0x5c
    [    4.349208] sp : ffff80008003b8f0
    [    4.352517] x29: ffff80008003b8f0 x28: 0000000000000000 x27: ffffc96bcc7e9068
    [    4.359659] x26: ffffc96bcc6e00b0 x25: ffffc96bcc598398 x24: ffff447400132810
    [    4.366800] x23: 0000000000000000 x22: 0000000011e1a300 x21: 0000000000020002
    [    4.373940] x20: 0000000000000000 x19: 0000000000000000 x18: ffffffffffffffff
    [    4.381081] x17: ffff44740016e600 x16: 0000000500000003 x15: 0000000000000007
    [    4.388221] x14: 0000000000989680 x13: 0000000000020000 x12: 000000000000001e
    [    4.395362] x11: 0044b82fa09b5a53 x10: 0000000000000019 x9 : 0000000000000008
    [    4.402502] x8 : 0000000000000002 x7 : 0000000000000007 x6 : 0000000000000000
    [    4.409641] x5 : 0000000000000200 x4 : 0000000002000000 x3 : 0000000000000000
    [    4.416781] x2 : 0000000000022202 x1 : 0000000000000000 x0 : 0000000000000000
    [    4.423921] Call trace:
    [    4.426362]  gpiod_direction_output+0x34/0x5c (P)
    [    4.431067]  gpiod_direction_output+0x18/0x5c (L)
    [    4.435771]  dspi_setup+0x220/0x334
    
    Fixes: 9e264f3f85a5 ("spi: Replace all spi->chip_select and spi->cs_gpiod references with function call")
    Cc: stable@vger.kernel.org
    Signed-off-by: Frank Li <Frank.Li@nxp.com>
    Link: https://patch.msgid.link/20241023203032.1388491-1-Frank.Li@nxp.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() [+ + +]
Author: Zicheng Qu <quzicheng@huawei.com>
Date:   Tue Oct 22 13:43:54 2024 +0000

    staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()
    
    commit 6bd301819f8f69331a55ae2336c8b111fc933f3d upstream.
    
    In the ad9832_write_frequency() function, clk_get_rate() might return 0.
    This can lead to a division by zero when calling ad9832_calc_freqreg().
    The check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect
    against the case when fout is 0. The ad9832_write_frequency() function
    is called from ad9832_write(), and fout is derived from a text buffer,
    which can contain any value.
    
    Link: https://lore.kernel.org/all/2024100904-CVE-2024-47663-9bdc@gregkh/
    Fixes: ea707584bac1 ("Staging: IIO: DDS: AD9832 / AD9835 driver")
    Cc: stable@vger.kernel.org
    Signed-off-by: Zicheng Qu <quzicheng@huawei.com>
    Reviewed-by: Nuno Sa <nuno.sa@analog.com>
    Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
    Link: https://patch.msgid.link/20241022134354.574614-1-quzicheng@huawei.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
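
The commit message describes a range check that a zero clock rate slips past. The following is an added example, not the ad9832 driver's code: the write path reduced to its two checks, with the unguarded shape beside a guarded one. AD9832_FREQ_BITS = 32 (the part's 32-bit frequency register), the -EINVAL return and the function names are assumptions made here; the real driver's checks differ in detail.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed here: 32-bit frequency register, freqreg = fout * 2^32 / mclk. */
#define AD9832_FREQ_BITS 32

/* Divides by zero if mclk == 0; the caller must never let that happen. */
static uint32_t ad9832_calc_freqreg(unsigned long mclk, unsigned long fout)
{
	uint64_t freqreg = (uint64_t)fout << AD9832_FREQ_BITS;

	return (uint32_t)(freqreg / mclk);
}

/*
 * Pre-fix shape: the only guard is the Nyquist bound fout <= mclk / 2.
 * With mclk == 0 that bound is 0, so any fout > 0 is rejected but
 * fout == 0 (a sysfs write of "0") passes straight to the division.
 * Returns the register value, or -EINVAL.
 */
long long write_frequency_unguarded(unsigned long mclk, unsigned long fout)
{
	if (fout > (mclk / 2))
		return -EINVAL;
	return ad9832_calc_freqreg(mclk, fout);
}

/* Guarded: refuse a zero clock before any arithmetic depends on it. */
long long write_frequency_guarded(unsigned long mclk, unsigned long fout)
{
	if (!mclk || fout > (mclk / 2))
		return -EINVAL;
	return ad9832_calc_freqreg(mclk, fout);
}

int main(void)
{
	/* clk_get_rate() returned 0 and user space wrote "0" to the attribute. */
	printf("guarded(mclk=0, fout=0)   = %lld (-EINVAL is %d)\n",
	       write_frequency_guarded(0, 0), -EINVAL);
	printf("guarded(25 MHz, 1 MHz)    = %lld\n",
	       write_frequency_guarded(25000000UL, 1000000UL));
	/* write_frequency_unguarded(0, 0) would divide by zero; not run. */
	return 0;
}
```

The unguarded form shows why the existing check looked sufficient: every non-zero input is rejected when the clock reads as 0, and only the one value that makes the check vacuous reaches the division.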

 
SUNRPC: Remove BUG_ON call sites [+ + +]
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Tue Sep 19 11:35:15 2023 -0400

    SUNRPC: Remove BUG_ON call sites
    
    commit 789ce196a31dd13276076762204bee87df893e53 upstream.
    
    There is no need to take down the whole system for these assertions.
    
    I'd rather not attempt a heroic save here, as some bug has occurred
    that has left the transport data structures in an unknown state.
    Just warn and then leak the left-over resources.
    
    Acked-by: Christian Brauner <brauner@kernel.org>
    Reviewed-by: NeilBrown <neilb@suse.de>
    Reviewed-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
thermal: core: Free tzp copy along with the thermal zone [+ + +]
Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Date:   Thu Oct 3 14:27:28 2024 +0200

    thermal: core: Free tzp copy along with the thermal zone
    
    [ Upstream commit 827a07525c099f54d3b15110408824541ec66b3c ]
    
    The object pointed to by tz->tzp may still be accessed after being
    freed in thermal_zone_device_unregister(), so move the freeing of it
    to the point after the removal completion has been completed at which
    it cannot be accessed any more.
    
    Fixes: 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure")
    Cc: 6.8+ <stable@vger.kernel.org> # 6.8+
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
    Link: https://patch.msgid.link/4623516.LvFx2qVVIh@rjwysocki.net
    Signed-off-by: Sasha Levin <sashal@kernel.org>

thermal: core: Make thermal_zone_device_unregister() return after freeing the zone [+ + +]
Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Date:   Fri Dec 8 20:13:44 2023 +0100

    thermal: core: Make thermal_zone_device_unregister() return after freeing the zone
    
    [ Upstream commit 4649620d9404d3aceb25891c24bab77143e3f21c ]
    
    Make thermal_zone_device_unregister() wait until all of the references
    to the given thermal zone object have been dropped and free it before
    returning.
    
    This guarantees that when thermal_zone_device_unregister() returns,
    there is no leftover activity regarding the thermal zone in question
    which is required by some of its callers (for instance, modular driver
    code that wants to know when it is safe to let the module go away).
    
    Subsequently, this will allow some confusing device_is_registered()
    checks to be dropped from the thermal sysfs and core code.
    
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Reviewed-and-tested-by: Lukasz Luba <lukasz.luba@arm.com>
    Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Stable-dep-of: 827a07525c09 ("thermal: core: Free tzp copy along with the thermal zone")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

thermal: core: Rework thermal zone availability check [+ + +]
Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Date:   Fri Dec 8 20:20:00 2023 +0100

    thermal: core: Rework thermal zone availability check
    
    [ Upstream commit b38aa87f67931e23ebc32c0ca00a86dfa4688719 ]
    
    In order to avoid running __thermal_zone_device_update() for thermal
    zones going away, the thermal zone lock is held around device_del()
    in thermal_zone_device_unregister() and thermal_zone_device_update()
    passes the given thermal zone device to device_is_registered().
    This allows thermal_zone_device_update() to skip the
    __thermal_zone_device_update() if device_del() has already run for
    the thermal zone at hand.
    
    However, instead of looking at driver core internals, the thermal
    subsystem may as well rely on its own data structures for this
    purpose.  Namely, if the thermal zone is not present in
    thermal_tz_list, it can be regarded as unavailable, which in fact is
    already the case in thermal_zone_device_unregister().  Accordingly,
    the device_is_registered() check in thermal_zone_device_update() can
    be replaced with checking whether or not the node list_head in struct
    thermal_zone_device is empty, in which case it is not there in
    thermal_tz_list.
    
    To make this work, though, it is necessary to initialize tz->node
    in thermal_zone_device_register_with_trips() before registering the
    thermal zone device and it needs to be added to thermal_tz_list and
    deleted from it under its zone lock.
    
    After the above modifications, the zone lock does not need to be
    held around device_del() in thermal_zone_device_unregister() any more.
    
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Reviewed-and-tested-by: Lukasz Luba <lukasz.luba@arm.com>
    Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Stable-dep-of: 827a07525c09 ("thermal: core: Free tzp copy along with the thermal zone")
    Signed-off-by: Sasha Levin <sashal@kernel.org>
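The availability rule described above (a zone counts as present only while its node sits in thermal_tz_list), as an added userspace illustration that is not the thermal core's code: the few list_head operations the check relies on are re-implemented here with the kernel's semantics, and struct tz stands in for struct thermal_zone_device.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed re-implementation of the list_head semantics the check uses;
 * the kernel's own versions live in include/linux/list.h. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

static bool list_empty(const struct list_head *l) { return l->next == l; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev;
    n->next = head;
    n->prev = prev;
    prev->next = n;
    head->prev = n;
}

/* Unlink and point the node back at itself, so list_empty() is true afterwards
 * (list_del_init semantics; a plain unlink that leaves stale pointers would
 * still look "non-empty"). */
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    INIT_LIST_HEAD(n);
}

/* Stand-in for struct thermal_zone_device with only what the check needs. */
struct tz { int updates; struct list_head node; };

static struct list_head thermal_tz_list;

/* The commit's rule: usable only while linked into thermal_tz_list. */
static bool tz_available(const struct tz *z) { return !list_empty(&z->node); }

/* thermal_zone_device_update() shape: skip the work for a zone going away. */
static void tz_update(struct tz *z)
{
    if (tz_available(z))
        z->updates++;   /* stands in for __thermal_zone_device_update() */
}

/* Why tz->node must be initialised before registration: a zero-filled node
 * has next == NULL, so list_empty() is false and the zone looks "available"
 * although it was never added to the list. Returns true when that happens. */
static bool uninitialised_node_looks_registered(void)
{
    struct tz z;
    memset(&z, 0, sizeof z);
    return tz_available(&z);
}

/* Full lifecycle: init node, register (add), unregister (del_init).
 * Returns how many of the four update attempts actually ran. */
static int lifecycle_updates(void)
{
    struct tz z;
    INIT_LIST_HEAD(&thermal_tz_list);
    memset(&z, 0, sizeof z);
    INIT_LIST_HEAD(&z.node);                    /* before registration */
    tz_update(&z);                              /* not registered: skipped */
    list_add_tail(&z.node, &thermal_tz_list);   /* registration */
    tz_update(&z);                              /* runs */
    tz_update(&z);                              /* runs */
    list_del_init(&z.node);                     /* unregistration */
    tz_update(&z);                              /* off the list: skipped */
    return z.updates;                           /* 2 */
}
```

In the real driver the add and del_init happen under the zone lock, which this single-threaded model does not reproduce.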

thermal: intel: int340x: processor: Add MMIO RAPL PL4 support [+ + +]
Author: Zhang Rui <rui.zhang@intel.com>
Date:   Mon Sep 30 16:18:01 2024 +0800

    thermal: intel: int340x: processor: Add MMIO RAPL PL4 support
    
    [ Upstream commit 3fb0eea8a1c4be5884e0731ea76cbd3ce126e1f3 ]
    
    Similar to the MSR RAPL interface, MMIO RAPL supports PL4 too, so add
    MMIO RAPL PL4 support to the processor_thermal driver.
    
    As a result, the powercap sysfs for MMIO RAPL will show a new "peak
    power" constraint.
    
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
    Link: https://patch.msgid.link/20240930081801.28502-7-rui.zhang@intel.com
    [ rjw: Subject and changelog edits ]
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

thermal: intel: int340x: processor: Remove MMIO RAPL CPU hotplug support [+ + +]
Author: Zhang Rui <rui.zhang@intel.com>
Date:   Mon Sep 30 16:18:00 2024 +0800

    thermal: intel: int340x: processor: Remove MMIO RAPL CPU hotplug support
    
    [ Upstream commit bfc6819e4bf56a55df6178f93241b5845ad672eb ]
    
    CPU0/package0 is always online and the MMIO RAPL driver runs on single
    package systems only, so there is no need to handle CPU hotplug in it.
    
    Always register a RAPL package device for package 0 and remove the
    unnecessary CPU hotplug support.
    
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
    Link: https://patch.msgid.link/20240930081801.28502-6-rui.zhang@intel.com
    [ rjw: Subject edits ]
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
thunderbolt: Honor TMU requirements in the domain when setting TMU mode [+ + +]
Author: Gil Fine <gil.fine@linux.intel.com>
Date:   Thu Oct 10 17:29:42 2024 +0300

    thunderbolt: Honor TMU requirements in the domain when setting TMU mode
    
    commit 3cea8af2d1a9ae5869b47c3dabe3b20f331f3bbd upstream.
    
    Currently, when configuring TMU (Time Management Unit) mode of a given
    router, we take into account only its own TMU requirements ignoring
    other routers in the domain. This is problematic if the router we are
    configuring has lower TMU requirements than what is already configured
    in the domain.
    
    In the scenario below, we have a host router with two USB4 ports: A and
    B. Port A connected to device router #1 (which supports CL states) and
    existing DisplayPort tunnel, thus, the TMU mode is HiFi uni-directional.
    
    1. Initial topology
    
              [Host]
             A/
             /
     [Device #1]
       /
    Monitor
    
    2. Plug in device #2 (that supports CL states) to downstream port B of
       the host router
    
             [Host]
            A/    B\
            /       \
     [Device #1]    [Device #2]
       /
    Monitor
    
    The TMU mode on port B and port A will be configured to LowRes which is
    not what we want and will cause the monitor to start flickering.
    
    To address this we first scan the domain and search for any router
    configured to HiFi uni-directional mode, and if found, configure TMU
    mode of the given router to HiFi uni-directional as well.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Gil Fine <gil.fine@linux.intel.com>
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
tools/mm: -Werror fixes in page-types/slabinfo [+ + +]
Author: Wladislav Wiebe <wladislav.kw@gmail.com>
Date:   Tue Oct 22 19:21:13 2024 +0200

    tools/mm: -Werror fixes in page-types/slabinfo
    
    commit ece5897e5a10fcd56a317e32f2dc7219f366a5a8 upstream.
    
    Commit e6d2c436ff693 ("tools/mm: allow users to provide additional
    cflags/ldflags") now passes CFLAGS to the Makefile.  With this, build
    systems with default -Werror enabled found:
    
    slabinfo.c:1300:25: error: ignoring return value of 'chdir'
    declared with attribute 'warn_unused_result' [-Werror=unused-result]
                             chdir("..");
                             ^~~~~~~~~~~
    page-types.c:397:35: error: format '%lu' expects argument of type
    'long unsigned int', but argument 2 has type 'uint64_t'
    {aka 'long long unsigned int'} [-Werror=format=]
                             printf("%lu\t", mapcnt0);
                                     ~~^     ~~~~~~~
    ..
    
    Fix page-types by using PRIu64 for uint64_t prints and check in slabinfo
    for return code on chdir("..").
    
    Link: https://lkml.kernel.org/r/c1ceb507-94bc-461c-934d-c19b77edd825@gmail.com
    Fixes: e6d2c436ff69 ("tools/mm: allow users to provide additional cflags/ldflags")
    Signed-off-by: Wladislav Wiebe <wladislav.kw@gmail.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Herton R. Krzesinski <herton@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
USB: gadget: dummy-hcd: Fix "task hung" problem [+ + +]
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Wed Oct 16 11:44:45 2024 -0400

    USB: gadget: dummy-hcd: Fix "task hung" problem
    
    [ Upstream commit 5189df7b8088268012882c220d6aca4e64981348 ]
    
    The syzbot fuzzer has been encountering "task hung" problems ever
    since the dummy-hcd driver was changed to use hrtimers instead of
    regular timers.  It turns out that the problems are caused by a subtle
    difference between the timer_pending() and hrtimer_active() APIs.
    
    The changeover blindly replaced the first by the second.  However,
    timer_pending() returns True when the timer is queued but not when its
    callback is running, whereas hrtimer_active() returns True when the
    hrtimer is queued _or_ its callback is running.  This difference
    occasionally caused dummy_urb_enqueue() to think that the callback
    routine had not yet started when in fact it was almost finished.  As a
    result the hrtimer was not restarted, which made it impossible for the
    driver to later dequeue the URB that was just enqueued.  This caused
    usb_kill_urb() to hang, and things got worse from there.
    
    Since hrtimers have no API for telling when they are queued and the
    callback isn't running, the driver must keep track of this for itself.
    That's what this patch does, adding a new "timer_pending" flag and
    setting or clearing it at the appropriate times.
    
    Reported-by: syzbot+f342ea16c9d06d80b585@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/linux-usb/6709234e.050a0220.3e960.0011.GAE@google.com/
    Tested-by: syzbot+f342ea16c9d06d80b585@syzkaller.appspotmail.com
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Fixes: a7f3813e589f ("usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler")
    Cc: Marcello Sylvester Bauer <sylv@sylv.io>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/2dab644e-ef87-4de8-ac9a-26f100b2c609@rowland.harvard.edu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
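The race between the timer_pending() and hrtimer_active() semantics above, as an added userspace model constructed for this entry (not the dummy-hcd driver's code): the hrtimer core and the URB list are reduced to a few fields, and sim_urb_enqueue() shows the pre-fix check beside the flag-based one.

```c
#include <stdbool.h>

/* RUNNING is the window in which hrtimer_active() still reports true even
 * though the timer is no longer queued. */
enum hrt_state { HRT_IDLE, HRT_QUEUED, HRT_RUNNING };

struct sim_hcd {
    enum hrt_state hrt;    /* simulated hrtimer core state */
    int pending_urbs;      /* URBs waiting on the transfer list */
    int completed_urbs;
    bool timer_pending;    /* driver-side flag introduced by the fix */
    bool use_flag;         /* false: pre-fix check, true: fixed check */
};

/* Like the kernel's hrtimer_active(): true when queued OR callback running. */
static bool sim_hrtimer_active(const struct sim_hcd *h)
{
    return h->hrt != HRT_IDLE;
}

/* Arming from inside the callback is allowed and takes effect on return. */
static void sim_hrtimer_start(struct sim_hcd *h)
{
    h->hrt = HRT_QUEUED;
}

/* dummy_urb_enqueue() shape, with both variants of the "restart?" decision. */
static void sim_urb_enqueue(struct sim_hcd *h)
{
    h->pending_urbs++;
    if (h->use_flag) {
        if (!h->timer_pending) {            /* fixed: ask the driver's own flag */
            h->timer_pending = true;
            sim_hrtimer_start(h);
        }
    } else if (!sim_hrtimer_active(h)) {    /* pre-fix: trust hrtimer_active() */
        sim_hrtimer_start(h);
    }
}

/* The timer callback. With enqueue_late set, a new URB arrives after the
 * callback has drained the list and dropped the lock but before it returns. */
static void sim_timer_callback(struct sim_hcd *h, bool enqueue_late)
{
    h->hrt = HRT_RUNNING;
    /* --- under the driver lock --- */
    h->timer_pending = false;       /* fix: the timer is no longer queued */
    h->completed_urbs += h->pending_urbs;
    h->pending_urbs = 0;            /* list drained, so nothing re-arms here */
    /* --- lock dropped --- */
    if (enqueue_late)
        sim_urb_enqueue(h);         /* hrtimer_active() is still true here */
    if (h->hrt == HRT_RUNNING)      /* return: idle unless re-armed meanwhile */
        h->hrt = HRT_IDLE;
}

/* Scenario: one URB is enqueued, the timer fires, and a second URB arrives
 * late in the callback. Returns the number of URBs left waiting with no
 * timer armed to ever process them. */
static int stranded_urbs(bool use_flag)
{
    struct sim_hcd h = { .hrt = HRT_IDLE, .use_flag = use_flag };
    sim_urb_enqueue(&h);            /* arms the timer */
    sim_timer_callback(&h, true);
    return h.hrt == HRT_IDLE ? h.pending_urbs : 0;
}

/* Same scenario, then let the timer fire once more if it is armed.
 * Returns how many URBs completed in total. */
static int completed_after_second_fire(bool use_flag)
{
    struct sim_hcd h = { .hrt = HRT_IDLE, .use_flag = use_flag };
    sim_urb_enqueue(&h);
    sim_timer_callback(&h, true);
    if (h.hrt == HRT_QUEUED)
        sim_timer_callback(&h, false);
    return h.completed_urbs;
}
```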

 
usb: gadget: dummy_hcd: execute hrtimer callback in softirq context [+ + +]
Author: Andrey Konovalov <andreyknvl@gmail.com>
Date:   Wed Sep 4 03:30:51 2024 +0200

    usb: gadget: dummy_hcd: execute hrtimer callback in softirq context
    
    [ Upstream commit 9313d139aa25e572d860f6f673b73a20f32d7f93 ]
    
    Commit a7f3813e589f ("usb: gadget: dummy_hcd: Switch to hrtimer transfer
    scheduler") switched dummy_hcd to use hrtimer and made the timer's
    callback be executed in the hardirq context.
    
    With that change, __usb_hcd_giveback_urb now gets executed in the hardirq
    context, which causes problems for KCOV and KMSAN.
    
    One problem is that KCOV now is unable to collect coverage from
    the USB code that gets executed from the dummy_hcd's timer callback,
    as KCOV cannot collect coverage in the hardirq context.
    
    Another problem is that the dummy_hcd hrtimer might get triggered in the
    middle of a softirq with KCOV remote coverage collection enabled, and that
    causes a WARNING in KCOV, as reported by syzbot. (I sent a separate patch
    to shut down this WARNING, but that doesn't fix the other two issues.)
    
    Finally, KMSAN appears to ignore tracking memory copying operations
    that happen in the hardirq context, which causes false positive
    kernel-infoleaks, as reported by syzbot.
    
    Change the hrtimer in dummy_hcd to execute the callback in the softirq
    context.
    
    Reported-by: syzbot+2388cdaeb6b10f0c13ac@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=2388cdaeb6b10f0c13ac
    Reported-by: syzbot+17ca2339e34a1d863aad@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=17ca2339e34a1d863aad
    Reported-by: syzbot+c793a7eca38803212c61@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=c793a7eca38803212c61
    Reported-by: syzbot+1e6e0b916b211bee1bd6@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=1e6e0b916b211bee1bd6
    Reported-by: kernel test robot <oliver.sang@intel.com>
    Closes: https://lore.kernel.org/oe-lkp/202406141323.413a90d2-lkp@intel.com
    Fixes: a7f3813e589f ("usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler")
    Cc: stable@vger.kernel.org
    Acked-by: Marcello Sylvester Bauer <sylv@sylv.io>
    Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
    Reported-by: syzbot+edd9fe0d3a65b14588d5@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=edd9fe0d3a65b14588d5
    Link: https://lore.kernel.org/r/20240904013051.4409-1-andrey.konovalov@linux.dev
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

usb: gadget: dummy_hcd: Set transfer interval to 1 microframe [+ + +]
Author: Marcello Sylvester Bauer <sylv@sylv.io>
Date:   Thu Apr 11 17:22:11 2024 +0200

    usb: gadget: dummy_hcd: Set transfer interval to 1 microframe
    
    [ Upstream commit 0a723ed3baa941ca4f51d87bab00661f41142835 ]
    
    Currently, the transfer polling interval is set to 1ms, which is the
    frame rate of full-speed and low-speed USB. The USB 2.0 specification
    introduces microframes (125 microseconds) to improve the timing
    precision of data transfers.
    
    Reducing the transfer interval to 1 microframe increases data throughput
    for high-speed and super-speed USB communication.
    
    Signed-off-by: Marcello Sylvester Bauer <marcello.bauer@9elements.com>
    Signed-off-by: Marcello Sylvester Bauer <sylv@sylv.io>
    Link: https://lore.kernel.org/r/6295dbb84ca76884551df9eb157cce569377a22c.1712843963.git.sylv@sylv.io
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler [+ + +]
Author: Marcello Sylvester Bauer <sylv@sylv.io>
Date:   Thu Apr 11 16:51:28 2024 +0200

    usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler
    
    [ Upstream commit a7f3813e589fd8e2834720829a47b5eb914a9afe ]
    
    The dummy_hcd transfer scheduler assumes that the internal kernel timer
    frequency is set to 1000Hz to give a polling interval of 1ms. Reducing
    the timer frequency will result in an anti-proportional reduction in
    transfer performance. Switch to a hrtimer to decouple this association.
    
    Signed-off-by: Marcello Sylvester Bauer <marcello.bauer@9elements.com>
    Signed-off-by: Marcello Sylvester Bauer <sylv@sylv.io>
    Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
    Link: https://lore.kernel.org/r/57a1c2180ff74661600e010c234d1dbaba1d0d46.1712843963.git.sylv@sylv.io
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

usb: phy: Fix API devm_usb_put_phy() can not release the phy [+ + +]
Author: Zijun Hu <quic_zijuhu@quicinc.com>
Date:   Sun Oct 20 17:33:42 2024 +0800

    usb: phy: Fix API devm_usb_put_phy() can not release the phy
    
    commit fdce49b5da6e0fb6d077986dec3e90ef2b094b50 upstream.
    
    For devm_usb_put_phy(), its comment says it needs to invoke usb_put_phy()
    to release the phy, but it does not actually do that, so it can not fully
    undo what the API devm_usb_get_phy() does. That is wrong; fix it by using
    devres_release() instead of devres_destroy() within the API.
    
    Fixes: cedf8602373a ("usb: phy: move bulk of otg/otg.c to phy/phy.c")
    Cc: stable@vger.kernel.org
    Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
    Link: https://lore.kernel.org/r/20241020-usb_phy_fix-v1-1-7f79243b8e1e@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() [+ + +]
Author: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Date:   Mon Oct 21 22:45:29 2024 +0200

    usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes()
    
    commit 9581acb91eaf5bbe70086bbb6fca808220d358ba upstream.
    
    The 'altmodes_node' fwnode_handle is never released after it is no
    longer required, which leaks the resource.
    
    Add the required call to fwnode_handle_put() when 'altmodes_node' is no
    longer required.
    
    Cc: stable@vger.kernel.org
    Fixes: 7b458a4c5d73 ("usb: typec: Add typec_port_register_altmodes()")
    Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
    Link: https://lore.kernel.org/r/20241021-typec-class-fwnode_handle_put-v2-1-3281225d3d27@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: typec: qcom-pmic-typec: use fwnode_handle_put() to release fwnodes [+ + +]
Author: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Date:   Sun Oct 20 14:56:34 2024 +0200

    usb: typec: qcom-pmic-typec: use fwnode_handle_put() to release fwnodes
    
    commit 7f02b8a5b602098f2901166e7e4d583acaed872a upstream.
    
    The right function to release a fwnode acquired via
    device_get_named_child_node() is fwnode_handle_put(), and not
    fwnode_remove_software_node(), as no software node is being handled.
    
    Replace the calls to fwnode_remove_software_node() with
    fwnode_handle_put() in qcom_pmic_typec_probe() and
    qcom_pmic_typec_remove().
    
    Cc: stable@vger.kernel.org
    Fixes: a4422ff22142 ("usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
    Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
    Acked-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
    Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20241020-qcom_pmic_typec-fwnode_remove-v2-1-7054f3d2e215@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usbip: tools: Fix detach_port() invalid port error path [+ + +]
Author: Zongmin Zhou <zhouzongmin@kylinos.cn>
Date:   Thu Oct 24 10:27:00 2024 +0800

    usbip: tools: Fix detach_port() invalid port error path
    
    commit e7cd4b811c9e019f5acbce85699c622b30194c24 upstream.
    
    The detach_port() doesn't return an error
    when detach is attempted on an invalid port.
    
    Fixes: 40ecdeb1a187 ("usbip: usbip_detach: fix to check for invalid ports")
    Cc: stable@vger.kernel.org
    Reviewed-by: Hongren Zheng <i@zenithal.me>
    Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Zongmin Zhou <zhouzongmin@kylinos.cn>
    Link: https://lore.kernel.org/r/20241024022700.1236660-1-min_halo@163.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
vmscan,migrate: fix page count imbalance on node stats when demoting pages [+ + +]
Author: Gregory Price <gourry@gourry.net>
Date:   Fri Oct 25 10:17:24 2024 -0400

    vmscan,migrate: fix page count imbalance on node stats when demoting pages
    
    [ Upstream commit 35e41024c4c2b02ef8207f61b9004f6956cf037b ]
    
    When numa balancing is enabled with demotion, vmscan will call
    migrate_pages when shrinking LRUs.  migrate_pages will decrement the
    node's isolated page count, leading to an imbalanced count when
    invoked from (MG)LRU code.
    
    The result is dmesg output like such:
    
    $ cat /proc/sys/vm/stat_refresh
    
    [77383.088417] vmstat_refresh: nr_isolated_anon -103212
    [77383.088417] vmstat_refresh: nr_isolated_file -899642
    
    This negative value may impact compaction and reclaim throttling.
    
    The following path produces the decrement:
    
    shrink_folio_list
      demote_folio_list
        migrate_pages
          migrate_pages_batch
            migrate_folio_move
              migrate_folio_done
                mod_node_page_state(-ve) <- decrement
    
    This path happens for SUCCESSFUL migrations, not failures.  Typically
    callers to migrate_pages are required to handle putback/accounting for
    failures, but this is already handled in the shrink code.
    
    When accounting for migrations, instead do not decrement the count when
    the migration reason is MR_DEMOTION.  As of v6.11, this demotion logic
    is the only source of MR_DEMOTION.
    
    Link: https://lkml.kernel.org/r/20241025141724.17927-1-gourry@gourry.net
    Fixes: 26aa2d199d6f ("mm/migrate: demote pages during reclaim")
    Signed-off-by: Gregory Price <gourry@gourry.net>
    Reviewed-by: Yang Shi <shy828301@gmail.com>
    Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
    Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
    Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
    Reviewed-by: Oscar Salvador <osalvador@suse.de>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Wei Xu <weixugc@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
wifi: ath10k: Fix memory leak in management tx [+ + +]
Author: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
Date:   Tue Oct 15 12:11:03 2024 +0530

    wifi: ath10k: Fix memory leak in management tx
    
    commit e15d84b3bba187aa372dff7c58ce1fd5cb48a076 upstream.
    
    In the current logic, memory is allocated for storing the MSDU context
    during management packet TX but this memory is not being freed during
    management TX completion. Similar leaks are seen in the management TX
    cleanup logic.
    
    Kmemleak reports this problem as below:
    
    unreferenced object 0xffffff80b64ed250 (size 16):
      comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s)
      hex dump (first 16 bytes):
        00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00  .+.......t......
      backtrace:
        [<ffffffe6e7b245dc>] __kmem_cache_alloc_node+0x1e4/0x2d8
        [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110
        [<ffffffe6bbd765fc>] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]
        [<ffffffe6bbd3eed4>] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core]
        [<ffffffe6e78d5974>] process_scheduled_works+0x1ac/0x400
        [<ffffffe6e78d60b8>] worker_thread+0x208/0x328
        [<ffffffe6e78dc890>] kthread+0x100/0x1c0
        [<ffffffe6e78166c0>] ret_from_fork+0x10/0x20
    
    Free the memory during completion and cleanup to fix the leak.
    
    Protect the mgmt_pending_tx idr_remove() operation in
    ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to
    other instances.
    
    Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
    
    Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event")
    Fixes: c730c477176a ("ath10k: Remove msdu from idr when management pkt send fails")
    Cc: stable@vger.kernel.org
    Signed-off-by: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
    Link: https://patch.msgid.link/20241015064103.6060-1-quic_mpubbise@quicinc.com
    Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: ath11k: Fix invalid ring usage in full monitor mode [+ + +]
Author: Remi Pommarel <repk@triplefau.lt>
Date:   Tue Sep 24 21:41:19 2024 +0200

    wifi: ath11k: Fix invalid ring usage in full monitor mode
    
    [ Upstream commit befd716ed429b26eca7abde95da6195c548470de ]
    
    On full monitor HW the monitor destination rxdma ring does not have the
    same descriptor format as in the "classical" mode. The full monitor
    destination entries are of hal_sw_monitor_ring type and fetched using
    ath11k_dp_full_mon_process_rx while the classical ones are of type
    hal_reo_entrance_ring and fetched with ath11k_dp_rx_mon_dest_process.
    
    Although both hal_sw_monitor_ring and hal_reo_entrance_ring are of the same
    size, the offsets to useful info (such as sw_cookie, paddr, etc.) are
    different. Thus if ath11k_dp_rx_mon_dest_process gets called on the full
    monitor destination ring, an invalid skb buffer id will be fetched from the
    DMA ring, causing issues such as the following rcu_sched stall:
    
     rcu: INFO: rcu_sched self-detected stall on CPU
     rcu:     0-....: (1 GPs behind) idle=c67/0/0x7 softirq=45768/45769 fqs=1012
      (t=2100 jiffies g=14817 q=8703)
     Task dump for CPU 0:
     task:swapper/0       state:R  running task     stack: 0 pid:    0 ppid:     0 flags:0x0000000a
     Call trace:
      dump_backtrace+0x0/0x160
      show_stack+0x14/0x20
      sched_show_task+0x158/0x184
      dump_cpu_task+0x40/0x4c
      rcu_dump_cpu_stacks+0xec/0x12c
      rcu_sched_clock_irq+0x6c8/0x8a0
      update_process_times+0x88/0xd0
      tick_sched_timer+0x74/0x1e0
      __hrtimer_run_queues+0x150/0x204
      hrtimer_interrupt+0xe4/0x240
      arch_timer_handler_phys+0x30/0x40
      handle_percpu_devid_irq+0x80/0x130
      handle_domain_irq+0x5c/0x90
      gic_handle_irq+0x8c/0xb4
      do_interrupt_handler+0x30/0x54
      el1_interrupt+0x2c/0x4c
      el1h_64_irq_handler+0x14/0x1c
      el1h_64_irq+0x74/0x78
      do_raw_spin_lock+0x60/0x100
      _raw_spin_lock_bh+0x1c/0x2c
      ath11k_dp_rx_mon_mpdu_pop.constprop.0+0x174/0x650
      ath11k_dp_rx_process_mon_status+0x8b4/0xa80
      ath11k_dp_rx_process_mon_rings+0x244/0x510
      ath11k_dp_service_srng+0x190/0x300
      ath11k_pcic_ext_grp_napi_poll+0x30/0xc0
      __napi_poll+0x34/0x174
      net_rx_action+0xf8/0x2a0
      _stext+0x12c/0x2ac
      irq_exit+0x94/0xc0
      handle_domain_irq+0x60/0x90
      gic_handle_irq+0x8c/0xb4
      call_on_irq_stack+0x28/0x44
      do_interrupt_handler+0x4c/0x54
      el1_interrupt+0x2c/0x4c
      el1h_64_irq_handler+0x14/0x1c
      el1h_64_irq+0x74/0x78
      arch_cpu_idle+0x14/0x20
      do_idle+0xf0/0x130
      cpu_startup_entry+0x24/0x50
      rest_init+0xf8/0x104
      arch_call_rest_init+0xc/0x14
      start_kernel+0x56c/0x58c
      __primary_switched+0xa0/0xa8
    
    Thus ath11k_dp_rx_mon_dest_process(), which uses the classical destination
    entry format, should not be called on full monitor capable HW.
    
    Fixes: 67a9d399fcb0 ("ath11k: enable RX PPDU stats in monitor co-exist mode")
    Signed-off-by: Remi Pommarel <repk@triplefau.lt>
    Reviewed-by: Praneesh P <quic_ppranees@quicinc.com>
    Link: https://patch.msgid.link/20240924194119.15942-1-repk@triplefau.lt
    Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: brcm80211: BRCM_TRACING should depend on TRACING [+ + +]
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Tue Sep 24 14:09:32 2024 +0200

    wifi: brcm80211: BRCM_TRACING should depend on TRACING
    
    [ Upstream commit b73b2069528f90ec49d5fa1010a759baa2c2be05 ]
    
    When tracing is disabled, there is no point in asking the user about
    enabling Broadcom wireless device tracing.
    
    Fixes: f5c4f10852d42012 ("brcm80211: Allow trace support to be enabled separately from debug")
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://patch.msgid.link/81a29b15eaacc1ac1fb421bdace9ac0c3385f40f.1727179742.git.geert@linux-m68k.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: cfg80211: clear wdev->cqm_config pointer on free [+ + +]
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Oct 22 16:17:42 2024 +0200

    wifi: cfg80211: clear wdev->cqm_config pointer on free
    
    commit d5fee261dfd9e17b08b1df8471ac5d5736070917 upstream.
    
    When we free wdev->cqm_config when unregistering, we also
    need to clear out the pointer since the same wdev/netdev
    may get re-registered in another network namespace, then
    destroyed later, running this code again, which results in
    a double-free.
    
    Reported-by: syzbot+36218cddfd84b5cc263e@syzkaller.appspotmail.com
    Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race")
    Cc: stable@vger.kernel.org
    Link: https://patch.msgid.link/20241022161742.7c34b2037726.I121b9cdb7eb180802eafc90b493522950d57ee18@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: iwlegacy: Clear stale interrupts before resuming device [+ + +]
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Tue Oct 1 23:07:45 2024 +0300

    wifi: iwlegacy: Clear stale interrupts before resuming device
    
    commit 07c90acb071b9954e1fecb1e4f4f13d12c544b34 upstream.
    
    iwl4965 fails upon resume from hibernation on my laptop. The reason
    seems to be a stale interrupt which isn't being cleared out before
    interrupts are enabled. We end up with a race between the resume
    trying to bring things back up, and the restart work (queued from
    the interrupt handler) trying to bring things down. Eventually
    the whole thing blows up.
    
    Fix the problem by clearing out any stale interrupts before
    interrupts get enabled during resume.
    
    Here's a debug log of the incident:
    [   12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000
    [   12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000
    [   12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio.
    [   12.042653] iwl4965 0000:10:00.0: On demand firmware reload
    [   12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282
    [   12.052207] ieee80211 phy0: il4965_mac_start enter
    [   12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff
    [   12.052244] ieee80211 phy0: il4965_set_hw_ready hardware  ready
    [   12.052324] ieee80211 phy0: il_apm_init Init card's basic functions
    [   12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S
    [   12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm
    [   12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm
    [   12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK
    [   12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations
    [   12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up
    [   12.058737] ieee80211 phy0: il4965_mac_start Start UP work done.
    [   12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down
    [   12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout
    [   12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort
    [   12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver
    [   12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared
    [   12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state
    [   12.058827] ieee80211 phy0: _il_apm_stop_master stop master
    [   12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear.
    [   12.058869] ieee80211 phy0: Hardware restart was requested
    [   16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms.
    [   16.132303] ------------[ cut here ]------------
    [   16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.
    [   16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211]
    [   16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev
    [   16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143
    [   16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010
    [   16.132463] Workqueue: async async_run_entry_fn
    [   16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211]
    [   16.132501] Code: da 02 00 00 c6 83 ad 05 00 00 00 48 89 df e8 98 1b fc ff 85 c0 41 89 c7 0f 84 e9 02 00 00 48 c7 c7 a0 e6 48 a0 e8 d1 77 c4 e0 <0f> 0b eb 2d 84 c0 0f 85 8b 01 00 00 c6 87 ad 05 00 00 00 e8 69 1b
    [   16.132504] RSP: 0018:ffffc9000029fcf0 EFLAGS: 00010282
    [   16.132507] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: 0000000000000001
    [   16.132509] RDX: ffffffff81f21a18 RSI: 0000000000000086 RDI: 0000000000000001
    [   16.132510] RBP: ffff8880072003c0 R08: 0000000000000000 R09: 0000000000000003
    [   16.132512] R10: 0000000000000000 R11: ffff88807e5b0000 R12: 0000000000000001
    [   16.132514] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000ffffff92
    [   16.132515] FS:  0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000
    [   16.132517] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   16.132519] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0
    [   16.132521] Call Trace:
    [   16.132525]  <TASK>
    [   16.132526]  ? __warn+0x77/0x120
    [   16.132532]  ? ieee80211_reconfig+0x8f/0x14b0 [mac80211]
    [   16.132564]  ? report_bug+0x15c/0x190
    [   16.132568]  ? handle_bug+0x36/0x70
    [   16.132571]  ? exc_invalid_op+0x13/0x60
    [   16.132573]  ? asm_exc_invalid_op+0x16/0x20
    [   16.132579]  ? ieee80211_reconfig+0x8f/0x14b0 [mac80211]
    [   16.132611]  ? snd_hdac_bus_init_cmd_io+0x24/0x200 [snd_hda_core]
    [   16.132617]  ? pick_eevdf+0x133/0x1c0
    [   16.132622]  ? check_preempt_wakeup_fair+0x70/0x90
    [   16.132626]  ? wakeup_preempt+0x4a/0x60
    [   16.132628]  ? ttwu_do_activate.isra.0+0x5a/0x190
    [   16.132632]  wiphy_resume+0x79/0x1a0 [cfg80211]
    [   16.132675]  ? wiphy_suspend+0x2a0/0x2a0 [cfg80211]
    [   16.132697]  dpm_run_callback+0x75/0x1b0
    [   16.132703]  device_resume+0x97/0x200
    [   16.132707]  async_resume+0x14/0x20
    [   16.132711]  async_run_entry_fn+0x1b/0xa0
    [   16.132714]  process_one_work+0x13d/0x350
    [   16.132718]  worker_thread+0x2be/0x3d0
    [   16.132722]  ? cancel_delayed_work_sync+0x70/0x70
    [   16.132725]  kthread+0xc0/0xf0
    [   16.132729]  ? kthread_park+0x80/0x80
    [   16.132732]  ret_from_fork+0x28/0x40
    [   16.132735]  ? kthread_park+0x80/0x80
    [   16.132738]  ret_from_fork_asm+0x11/0x20
    [   16.132741]  </TASK>
    [   16.132742] ---[ end trace 0000000000000000 ]---
    [   16.132930] ------------[ cut here ]------------
    [   16.132932] WARNING: CPU: 0 PID: 181 at net/mac80211/driver-ops.c:41 drv_stop+0xe7/0xf0 [mac80211]
    [   16.132957] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev
    [   16.133014] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Tainted: G        W          6.11.0-cl+ #143
    [   16.133018] Tainted: [W]=WARN
    [   16.133019] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010
    [   16.133021] Workqueue: async async_run_entry_fn
    [   16.133025] RIP: 0010:drv_stop+0xe7/0xf0 [mac80211]
    [   16.133048] Code: 48 85 c0 74 0e 48 8b 78 08 89 ea 48 89 de e8 e0 87 04 00 65 ff 0d d1 de c4 5f 0f 85 42 ff ff ff e8 be 52 c2 e0 e9 38 ff ff ff <0f> 0b 5b 5d c3 0f 1f 40 00 41 54 49 89 fc 55 53 48 89 f3 2e 2e 2e
    [   16.133050] RSP: 0018:ffffc9000029fc50 EFLAGS: 00010246
    [   16.133053] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: ffff88800377f6c0
    [   16.133054] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8880072008e0
    [   16.133056] RBP: 0000000000000000 R08: ffffffff81f238d8 R09: 0000000000000000
    [   16.133058] R10: ffff8880080520f0 R11: 0000000000000000 R12: ffff888008051c60
    [   16.133060] R13: ffff8880072008e0 R14: 0000000000000000 R15: ffff8880072011d8
    [   16.133061] FS:  0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000
    [   16.133063] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   16.133065] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0
    [   16.133067] Call Trace:
    [   16.133069]  <TASK>
    [   16.133070]  ? __warn+0x77/0x120
    [   16.133075]  ? drv_stop+0xe7/0xf0 [mac80211]
    [   16.133098]  ? report_bug+0x15c/0x190
    [   16.133100]  ? handle_bug+0x36/0x70
    [   16.133103]  ? exc_invalid_op+0x13/0x60
    [   16.133105]  ? asm_exc_invalid_op+0x16/0x20
    [   16.133109]  ? drv_stop+0xe7/0xf0 [mac80211]
    [   16.133132]  ieee80211_do_stop+0x55a/0x810 [mac80211]
    [   16.133161]  ? fq_codel_reset+0xa5/0xc0 [sch_fq_codel]
    [   16.133164]  ieee80211_stop+0x4f/0x180 [mac80211]
    [   16.133192]  __dev_close_many+0xa2/0x120
    [   16.133195]  dev_close_many+0x90/0x150
    [   16.133198]  dev_close+0x5d/0x80
    [   16.133200]  cfg80211_shutdown_all_interfaces+0x40/0xe0 [cfg80211]
    [   16.133223]  wiphy_resume+0xb2/0x1a0 [cfg80211]
    [   16.133247]  ? wiphy_suspend+0x2a0/0x2a0 [cfg80211]
    [   16.133269]  dpm_run_callback+0x75/0x1b0
    [   16.133273]  device_resume+0x97/0x200
    [   16.133277]  async_resume+0x14/0x20
    [   16.133280]  async_run_entry_fn+0x1b/0xa0
    [   16.133283]  process_one_work+0x13d/0x350
    [   16.133287]  worker_thread+0x2be/0x3d0
    [   16.133290]  ? cancel_delayed_work_sync+0x70/0x70
    [   16.133294]  kthread+0xc0/0xf0
    [   16.133296]  ? kthread_park+0x80/0x80
    [   16.133299]  ret_from_fork+0x28/0x40
    [   16.133302]  ? kthread_park+0x80/0x80
    [   16.133304]  ret_from_fork_asm+0x11/0x20
    [   16.133307]  </TASK>
    [   16.133308] ---[ end trace 0000000000000000 ]---
    [   16.133335] ieee80211 phy0: PM: dpm_run_callback(): wiphy_resume [cfg80211] returns -110
    [   16.133360] ieee80211 phy0: PM: failed to restore async: error -110
    
    Cc: stable@vger.kernel.org
    Cc: Stanislaw Gruszka <stf_xl@wp.pl>
    Cc: Kalle Valo <kvalo@kernel.org>
    Cc: linux-wireless@vger.kernel.org
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://patch.msgid.link/20241001200745.8276-1-ville.syrjala@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() [+ + +]
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Thu Sep 12 01:01:21 2024 +0200

    wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd()
    
    [ Upstream commit d4cdc46ca16a5c78b36c5b9b6ad8cac09d6130a0 ]
    
    iwlegacy uses command buffers with a payload size of 320
    bytes (default) or 4092 bytes (huge).  The struct il_device_cmd type
    describes the default buffers and there is no separate type describing
    the huge buffers.
    
    The il_enqueue_hcmd() function works with both default and huge
    buffers, and has a memcpy() to the buffer payload.  The size of
    this copy may exceed 320 bytes when using a huge buffer, which
    now results in a run-time warning:
    
        memcpy: detected field-spanning write (size 1014) of single field "&out_cmd->cmd.payload" at drivers/net/wireless/intel/iwlegacy/common.c:3170 (size 320)
    
    To fix this:
    
    - Define a new struct type for huge buffers, with a correctly sized
      payload field
    - When using a huge buffer in il_enqueue_hcmd(), cast the command
      buffer pointer to that type when looking up the payload field
    
    Reported-by: Martin-Éric Racine <martin-eric.racine@iki.fi>
    References: https://bugs.debian.org/1062421
    References: https://bugzilla.kernel.org/show_bug.cgi?id=219124
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Fixes: 54d9469bc515 ("fortify: Add run-time WARN for cross-field memcpy()")
    Tested-by: Martin-Éric Racine <martin-eric.racine@iki.fi>
    Tested-by: Brandon Nielsen <nielsenb@jetfuse.net>
    Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://patch.msgid.link/ZuIhQRi/791vlUhE@decadent.org.uk
    Signed-off-by: Sasha Levin <sashal@kernel.org>
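
The fix above hinges on copying into a payload field whose declared size matches the buffer actually in use. The following C program is an added illustration (not code from the iwlegacy driver or this commit): the struct layouts, the `cmd_hdr` header, the `union cmd_slot` and the `enqueue_payload()`/`demo_copy()` helpers are simplified stand-ins, and only the two payload sizes (320 and 4092 bytes) come from the commit message. It shows why a copy that is bounds-checked against the default struct's 320-byte field rejects the 1014-byte payload from the warning, while the huge layout accepts it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Payload sizes quoted in the commit message: 320 bytes for the default
 * command buffer, 4092 bytes for a "huge" one. */
#define IL_CMD_PAYLOAD_DEFAULT 320
#define IL_CMD_PAYLOAD_HUGE    4092

/* Hypothetical command header; the real struct il_device_cmd has more
 * fields, but only the payload field matters for this demonstration. */
struct cmd_hdr {
	uint8_t  cmd;
	uint8_t  flags;
	uint16_t sequence;
};

struct il_device_cmd {            /* default buffer: payload[320]  */
	struct cmd_hdr hdr;
	uint8_t payload[IL_CMD_PAYLOAD_DEFAULT];
};

struct il_device_cmd_huge {       /* huge buffer: payload[4092]    */
	struct cmd_hdr hdr;
	uint8_t payload[IL_CMD_PAYLOAD_HUGE];
};

/* One command slot; whether it is used with the huge layout is decided
 * per command (modelled here by a flag instead of CMD_SIZE_HUGE). */
union cmd_slot {
	struct il_device_cmd      dflt;
	struct il_device_cmd_huge huge;
};

/*
 * Copy `len` bytes into the slot, bounds-checking against the payload
 * field of the layout actually in use.  Returns the number of bytes
 * copied, or -1 when the payload does not fit.  The pre-fix driver code
 * always went through il_device_cmd::payload (320 bytes), so a 1014-byte
 * copy into a huge buffer was a write past the declared field, which is
 * exactly what the FORTIFY "field-spanning write" warning reports.
 */
static int enqueue_payload(union cmd_slot *slot, int huge,
			   const void *data, size_t len)
{
	size_t cap;
	uint8_t *dst;

	if (huge) {
		cap = sizeof(slot->huge.payload);   /* 4092 */
		dst = slot->huge.payload;
	} else {
		cap = sizeof(slot->dflt.payload);   /* 320 */
		dst = slot->dflt.payload;
	}

	if (len > cap)
		return -1;	/* would spill past the payload field */

	memcpy(dst, data, len);
	return (int)len;
}

/* Run one copy of `len` constructed bytes (0xA5 fill) into a fresh slot
 * and report the result; used by main() and by the tests. */
static int demo_copy(int huge, size_t len)
{
	static union cmd_slot slot;
	static uint8_t src[IL_CMD_PAYLOAD_HUGE + 1];

	if (len > sizeof(src))
		return -1;
	memset(src, 0xA5, sizeof(src));
	memset(&slot, 0, sizeof(slot));
	return enqueue_payload(&slot, huge, src, len);
}

int main(void)
{
	/* 1014 is the size from the warning in the commit message. */
	printf("default, 1014 bytes: %d\n", demo_copy(0, 1014)); /* -1   */
	printf("huge,    1014 bytes: %d\n", demo_copy(1, 1014)); /* 1014 */
	printf("default,  320 bytes: %d\n", demo_copy(0, 320));  /* 320  */
	printf("huge,    4093 bytes: %d\n", demo_copy(1, 4093)); /* -1   */
	return 0;
}
```

The point to take from it: the check must be made against the field of the type that is really backing the memory, which is what casting the huge buffer to a correctly sized struct gives the compiler's fortified memcpy() as well.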

wifi: iwlwifi: mvm: disconnect station vifs if recovery failed [+ + +]
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date:   Sun Jan 28 08:53:56 2024 +0200

    wifi: iwlwifi: mvm: disconnect station vifs if recovery failed
    
    [ Upstream commit e50a88e5cb8792cc416866496288c5f4d1eb4b1f ]
    
    This will allow reconnecting immediately instead of leaving the
    connection in a limbo state.
    
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
    Link: https://msgid.link/20240128084842.e90531cd3a36.Iebdc9483983c0d8497f9dcf9d79ec37332a5fdcc@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Stable-dep-of: 07a6e3b78a65 ("wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: iwlwifi: mvm: don't add default link in fw restart flow [+ + +]
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date:   Thu Oct 10 14:05:06 2024 +0300

    wifi: iwlwifi: mvm: don't add default link in fw restart flow
    
    [ Upstream commit 734a377e1eacc5153bae0ccd4423365726876e93 ]
    
    When we add the vif (and its default link) in fw restart we may
    override the link that already exists. We take care of this, but if
    link 0 is a valid MLO link, then we will re-create a default link on
    mvmvif->link[0] and we'll lose the real link we had there.
    
    In non-MLO, we need to re-create the default link upon the interface
    creation; this is fine. In MLO, we'll just wait for change_vif_links()
    to re-build the links.
    
    Fixes: bf976c814c86 ("wifi: iwlwifi: mvm: implement link change ops")
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
    Link: https://patch.msgid.link/20241010140328.385bfea1b2e9.I4a127312285ccb529cc95cc4edf6fbe1e0a136ad@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: iwlwifi: mvm: fix 6 GHz scan construction [+ + +]
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Wed Oct 23 09:17:44 2024 +0200

    wifi: iwlwifi: mvm: fix 6 GHz scan construction
    
    commit 7245012f0f496162dd95d888ed2ceb5a35170f1a upstream.
    
    If more than 255 colocated APs exist for the set of all
    APs found during 2.4/5 GHz scanning, then the 6 GHz scan
    construction will loop forever since the loop variable
    has type u8, which can never reach the number found when
    that's bigger than 255, and is stored in a u32 variable.
    Also move it into the loops to have a smaller scope.
    
    Using a u32 there is fine: we limit the number of APs in
    the scan list and each has a limit on the number of RNR
    entries due to the frame size. With a limit of 1000 scan
    results, a frame size upper bound of 4096 (really it's
    more like ~2300) and a TBTT entry size of at least 11,
    we get an upper bound for the number of ~372k, well in
    the bounds of a u32.
    
    Cc: stable@vger.kernel.org
    Fixes: eae94cf82d74 ("iwlwifi: mvm: add support for 6GHz")
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219375
    Link: https://patch.msgid.link/20241023091744.f4baed5c08a1.I8b417148bbc8c5d11c101e1b8f5bf372e17bf2a7@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
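
The bug described above is a loop index narrower than the count it is compared against. The following C program is an added illustration, not code from iwlwifi or this commit: `loop_u8_terminates()` and `loop_u32_terminates()` are hypothetical helpers that reproduce the buggy and fixed loop shapes, and `max_colocated_entries()` redoes the commit's own bound arithmetic (1000 results, 4096-byte frame bound, 11-byte TBTT entry) to show that the count fits comfortably in a u32. To keep the demonstration terminating, the buggy loop gives up after a caller-supplied iteration budget instead of spinning forever.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t  u8;
typedef uint32_t u32;

/* Limits quoted in the commit message, used only for the bound
 * computation; they are not the driver's actual constants. */
#define MAX_SCAN_RESULTS 1000U
#define FRAME_SIZE_BOUND 4096U
#define TBTT_ENTRY_MIN   11U

/*
 * Buggy shape: `n` is a u32 but the index is a u8.  Once i reaches 255,
 * i++ wraps to 0 and `i < n` never becomes false for n > 255.
 * Returns true if the loop finished on its own within max_iters.
 */
static bool loop_u8_terminates(u32 n, u32 max_iters)
{
	u32 iters = 0;

	for (u8 i = 0; i < n; i++) {
		if (++iters > max_iters)
			return false;	/* index wrapped: would spin forever */
	}
	return true;
}

/* Fixed shape: index declared inside the loop with the width of `n`. */
static bool loop_u32_terminates(u32 n, u32 max_iters)
{
	u32 iters = 0;

	for (u32 i = 0; i < n; i++) {
		if (++iters > max_iters)
			return false;
	}
	return true;
}

/* Worst-case number of colocated-AP entries, following the commit's
 * arithmetic: results * frame-size bound / minimum entry size. */
static u32 max_colocated_entries(void)
{
	return MAX_SCAN_RESULTS * FRAME_SIZE_BOUND / TBTT_ENTRY_MIN;
}

int main(void)
{
	printf("u8 index,  n=200: %s\n",
	       loop_u8_terminates(200, 100000) ? "terminates" : "hangs");
	printf("u8 index,  n=300: %s\n",
	       loop_u8_terminates(300, 100000) ? "terminates" : "hangs");
	printf("u32 index, n=300: %s\n",
	       loop_u32_terminates(300, 100000) ? "terminates" : "hangs");
	printf("upper bound on entries: %u (fits in a u32)\n",
	       max_colocated_entries());
	return 0;
}
```

A compiler will not warn about the u8 loop because the wraparound is well-defined unsigned arithmetic; a hung scan worker is the only symptom, which is why declaring the index with the same width as the count, in the narrowest scope that needs it, is the right fix rather than a special case for 255.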

wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() [+ + +]
Author: Daniel Gabay <daniel.gabay@intel.com>
Date:   Thu Oct 10 14:05:05 2024 +0300

    wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()
    
    [ Upstream commit 07a6e3b78a65f4b2796a8d0d4adb1a15a81edead ]
    
    1. The size of the response packet is not validated.
    2. The response buffer is not freed.
    
    Resolve these issues by switching to iwl_mvm_send_cmd_status(),
    which handles both size validation and frees the buffer.
    
    Fixes: f130bb75d881 ("iwlwifi: add FW recovery flow")
    Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
    Link: https://patch.msgid.link/20241010140328.76c73185951e.Id3b6ca82ced2081f5ee4f33c997491d0ebda83f7@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower [+ + +]
Author: Felix Fietkau <nbd@nbd.name>
Date:   Wed Oct 2 11:56:30 2024 +0200

    wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower
    
    commit 393b6bc174b0dd21bb2a36c13b36e62fc3474a23 upstream.
    
    Avoid potentially crashing in the driver because of uninitialized private data.
    
    Fixes: 5b3dc42b1b0d ("mac80211: add support for driver tx power reporting")
    Cc: stable@vger.kernel.org
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Link: https://patch.msgid.link/20241002095630.22431-1-nbd@nbd.name
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: mac80211: fix NULL dereference at band check in starting tx ba session [+ + +]
Author: Zong-Zhe Yang <kevin_yang@realtek.com>
Date:   Mon Jun 17 19:52:17 2024 +0800

    wifi: mac80211: fix NULL dereference at band check in starting tx ba session
    
    commit 021d53a3d87eeb9dbba524ac515651242a2a7e3b upstream.
    
    In MLD connection, link_data/link_conf are dynamically allocated. They
    don't point to vif->bss_conf. So, there will be no chanreq assigned to
    vif->bss_conf and then the chan will be NULL. Tweak the code to check
    ht_supported/vht_supported/has_he/has_eht on sta deflink.
    
    Crash log (with rtw89 version under MLO development):
    [ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000
    [ 9890.526102] #PF: supervisor read access in kernel mode
    [ 9890.526105] #PF: error_code(0x0000) - not-present page
    [ 9890.526109] PGD 0 P4D 0
    [ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI
    [ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G           OE      6.9.0 #1
    [ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018
    [ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]
    [ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211
    [ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3
    All code
    ========
       0:   f7 e8                   imul   %eax
       2:   d5                      (bad)
       3:   93                      xchg   %eax,%ebx
       4:   3e ea                   ds (bad)
       6:   48 83 c4 28             add    $0x28,%rsp
       a:   89 d8                   mov    %ebx,%eax
       c:   5b                      pop    %rbx
       d:   41 5c                   pop    %r12
       f:   41 5d                   pop    %r13
      11:   41 5e                   pop    %r14
      13:   41 5f                   pop    %r15
      15:   5d                      pop    %rbp
      16:   c3                      retq
      17:   cc                      int3
      18:   cc                      int3
      19:   cc                      int3
      1a:   cc                      int3
      1b:   49 8b 84 24 e0 f1 ff    mov    -0xe20(%r12),%rax
      22:   ff
      23:   48 8b 80 90 1b 00 00    mov    0x1b90(%rax),%rax
      2a:*  83 38 03                cmpl   $0x3,(%rax)              <-- trapping instruction
      2d:   0f 84 37 fe ff ff       je     0xfffffffffffffe6a
      33:   bb ea ff ff ff          mov    $0xffffffea,%ebx
      38:   eb cc                   jmp    0x6
      3a:   49                      rex.WB
      3b:   8b                      .byte 0x8b
      3c:   84 24 10                test   %ah,(%rax,%rdx,1)
      3f:   f3                      repz
    
    Code starting with the faulting instruction
    ===========================================
       0:   83 38 03                cmpl   $0x3,(%rax)
       3:   0f 84 37 fe ff ff       je     0xfffffffffffffe40
       9:   bb ea ff ff ff          mov    $0xffffffea,%ebx
       e:   eb cc                   jmp    0xffffffffffffffdc
      10:   49                      rex.WB
      11:   8b                      .byte 0x8b
      12:   84 24 10                test   %ah,(%rax,%rdx,1)
      15:   f3                      repz
    [ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246
    [ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8
    [ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685
    [ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873
    [ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70
    [ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000
    [ 9890.526313] FS:  0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000
    [ 9890.526316] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0
    [ 9890.526321] Call Trace:
    [ 9890.526324]  <TASK>
    [ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)
    [ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
    [ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)
    [ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator 3))
    [ 9890.526353] ? ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211
    
    Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
    Link: https://patch.msgid.link/20240617115217.22344-1-kevin_yang@realtek.com
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys [+ + +]
Author: Felix Fietkau <nbd@nbd.name>
Date:   Sun Oct 6 17:36:30 2024 +0200

    wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys
    
    [ Upstream commit 52009b419355195912a628d0a9847922e90c348c ]
    
    Sync iterator conditions with ieee80211_iter_keys_rcu.
    
    Fixes: 830af02f24fb ("mac80211: allow driver to iterate keys")
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Link: https://patch.msgid.link/20241006153630.87885-1-nbd@nbd.name
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
x86/traps: Enable UBSAN traps on x86 [+ + +]
Author: Gatlin Newhouse <gatlin.newhouse@gmail.com>
Date:   Wed Jul 24 00:01:55 2024 +0000

    x86/traps: Enable UBSAN traps on x86
    
    [ Upstream commit 7424fc6b86c8980a87169e005f5cd4438d18efe6 ]
    
    Currently ARM64 extracts which specific sanitizer has caused a trap via
    encoded data in the trap instruction. Clang on x86 currently encodes the
    same data in the UD1 instruction but x86 handle_bug() and
    is_valid_bugaddr() currently only look at UD2.
    
    Bring x86 to parity with ARM64, similar to commit 25b84002afb9 ("arm64:
    Support Clang UBSAN trap codes for better reporting"). See the llvm
    links for information about the code generation.
    
    Enable the reporting of UBSAN sanitizer details on x86 compiled with clang
    when CONFIG_UBSAN_TRAP=y by analysing UD1 and retrieving the type immediate
    which is encoded by the compiler after the UD1.
    
    [ tglx: Simplified it by moving the printk() into handle_bug() ]
    
    Signed-off-by: Gatlin Newhouse <gatlin.newhouse@gmail.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Kees Cook <keescook@chromium.org>
    Link: https://lore.kernel.org/all/20240724000206.451425-1-gatlin.newhouse@gmail.com
    Link: https://github.com/llvm/llvm-project/commit/c5978f42ec8e9#diff-bb68d7cd885f41cfc35843998b0f9f534adb60b415f647109e597ce448e92d9f
    Link: https://github.com/llvm/llvm-project/blob/main/llvm/lib/Target/X86/X86InstrSystem.td#L27
    Stable-dep-of: 1db272864ff2 ("x86/traps: move kmsan check after instrumentation_begin")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

x86/traps: move kmsan check after instrumentation_begin [+ + +]
Author: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Date:   Wed Oct 16 20:24:07 2024 +0500

    x86/traps: move kmsan check after instrumentation_begin
    
    [ Upstream commit 1db272864ff250b5e607283eaec819e1186c8e26 ]
    
    During an x86_64 kernel build with CONFIG_KMSAN, objtool warns the following:
    
      AR      built-in.a
      AR      vmlinux.a
      LD      vmlinux.o
    vmlinux.o: warning: objtool: handle_bug+0x4: call to
        kmsan_unpoison_entry_regs() leaves .noinstr.text section
      OBJCOPY modules.builtin.modinfo
      GEN     modules.builtin
      MODPOST Module.symvers
      CC      .vmlinux.export.o
    
    Moving kmsan_unpoison_entry_regs() _after_ instrumentation_begin() fixes
    the warning.
    
    decode_bug(regs->ip, &imm) is left before the KMSAN unpoisoning, but it
    has a return condition, and if we include it after
    instrumentation_begin() it results in the warning "return with
    instrumentation enabled"; hence I'm concerned that regs will not be KMSAN
    unpoisoned if `ud_type == BUG_NONE` is true.
    
    Link: https://lkml.kernel.org/r/20241016152407.3149001-1-snovitoll@gmail.com
    Fixes: ba54d194f8da ("x86/traps: avoid KMSAN bugs originating from handle_bug()")
    Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
    Reviewed-by: Alexander Potapenko <glider@google.com>
    Cc: Borislav Petkov (AMD) <bp@alien8.de>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
xfs: fix finding a last resort AG in xfs_filestream_pick_ag [+ + +]
Author: Christoph Hellwig <hch@lst.de>
Date:   Wed Oct 23 15:37:22 2024 +0200

    xfs: fix finding a last resort AG in xfs_filestream_pick_ag
    
    [ Upstream commit dc60992ce76fbc2f71c2674f435ff6bde2108028 ]
    
    When the main loop in xfs_filestream_pick_ag fails to find a suitable
    AG it tries to just pick the online AG.  But the loop for that uses
    args->pag as loop iterator while the later code expects pag to be
    set.  Fix this by reusing the max_pag case for this last resort, and
    also add a check for the impossible case of no AG just to make sure that
    the uninitialized pag doesn't even escape in theory.
    
    Reported-by: syzbot+4125a3c514e3436a02e6@syzkaller.appspotmail.com
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Tested-by: syzbot+4125a3c514e3436a02e6@syzkaller.appspotmail.com
    Fixes: f8f1ed1ab3baba ("xfs: return a referenced perag from filestreams allocator")
    Cc: <stable@vger.kernel.org> # v6.3
    Reviewed-by: Darrick J. Wong <djwong@kernel.org>
    Signed-off-by: Carlos Maiolino <cem@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
xhci: Fix Link TRB DMA in command ring stopped completion event [+ + +]
Author: Faisal Hassan <quic_faisalh@quicinc.com>
Date:   Tue Oct 22 21:26:31 2024 +0530

    xhci: Fix Link TRB DMA in command ring stopped completion event
    
    commit 075919f6df5dd82ad0b1894898b315fbb3c29b84 upstream.
    
    During the aborting of a command, the software receives a command
    completion event for the command ring stopped, with the TRB pointing
    to the next TRB after the aborted command.
    
    If the command we abort is located just before the Link TRB in the
    command ring, then during the 'command ring stopped' completion event,
    the xHC gives the Link TRB in the event's cmd DMA, which causes a
    mismatch in handling the command completion event.
    
    To address this situation, move the 'command ring stopped' completion
    event check slightly earlier, since the specific command it stopped
    on isn't of significant concern.
    
    Fixes: 7f84eef0dafb ("USB: xhci: No-op command queueing and irq handler.")
    Cc: stable@vger.kernel.org
    Signed-off-by: Faisal Hassan <quic_faisalh@quicinc.com>
    Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20241022155631.1185-1-quic_faisalh@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

xhci: Use pm_runtime_get to prevent RPM on unsupported systems [+ + +]
Author: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
Date:   Thu Oct 24 19:07:18 2024 +0530

    xhci: Use pm_runtime_get to prevent RPM on unsupported systems
    
    commit 31004740e42846a6f0bb255e6348281df3eb8032 upstream.
    
    Use pm_runtime_put in the remove function and pm_runtime_get to disable
    RPM on platforms that don't support runtime D3, as re-enabling it through
    sysfs auto power control may cause the controller to malfunction. This
    can lead to issues such as hotplug devices not being detected due to
    failed interrupt generation.
    
    Fixes: a5d6264b638e ("xhci: Enable RPM on controllers that support low-power states")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
    Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
    Link: https://lore.kernel.org/r/20241024133718.723846-1-Basavaraj.Natikar@amd.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>