commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c Author: Linus Torvalds Date: Sun Feb 19 14:24:22 2023 -0800 Linux 6.2 commit 925cf0457d7e62ce08878ffb789189ac08ca8677 Merge: 0097c18e459c5 f9f57da2c2d11 Author: Linus Torvalds Date: Sat Feb 18 17:57:16 2023 -0800 Merge tag 'x86-urgent-2023-02-19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fix from Thomas Gleixner: "A single fix for x86. Revert the recent change to the MTRR code which aimed to support SEV-SNP guests on Hyper-V. It caused a regression on XEN Dom0 kernels. The underlying issue of MTTR (mis)handling in the x86 code needs some deeper investigation and is definitely not 6.2 material" * tag 'x86-urgent-2023-02-19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/mtrr: Revert 90b926e68f50 ("x86/pat: Fix pat_x_mtrr_type() for MTRR disabled case") commit 0097c18e459c5ca5d169750eaed99fd272606c1a Merge: a33d946cbb870 d125d1349abeb Author: Linus Torvalds Date: Sat Feb 18 17:46:50 2023 -0800 Merge tag 'timers-urgent-2023-02-19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fix from Thomas Gleixner: "A fix for a long standing issue in the alarmtimer code. Posix-timers armed with a short interval with an ignored signal result in an unpriviledged DoS. Due to the ignored signal the timer switches into self rearm mode. This issue had been "fixed" before but a rework of the alarmtimer code 5 years ago lost that workaround. There is no real good solution for this issue, which is also worked around in the core posix-timer code in the same way, but it certainly moved way up on the ever growing todo list" * tag 'timers-urgent-2023-02-19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: alarmtimer: Prevent starvation by small intervals and SIG_IGN commit a33d946cbb8709339a856d7da406a7a670e86a60 Merge: 5e725d112e1a5 2b129f0b24ab5 Author: Linus Torvalds Date: Sat Feb 18 17:38:18 2023 -0800 Merge tag 'irq-urgent-2023-02-19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fix from Thomas Gleixner: "A single build fix for the PCI/MSI infrastructure. The addition of the new alloc/free interfaces in this cycle forgot to add stub functions for pci_msix_alloc_irq_at() and pci_msix_free_irq() for the CONFIG_PCI_MSI=n case" * tag 'irq-urgent-2023-02-19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: PCI/MSI: Provide missing stubs for CONFIG_PCI_MSI=n commit 5e725d112e1a54c2611d5dffd124a79415d0f0de Merge: 0c2822b116e30 2c10b61421a28 Author: Linus Torvalds Date: Sat Feb 18 11:07:32 2023 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm/x86 fixes from Paolo Bonzini: - zero all padding for KVM_GET_DEBUGREGS - fix rST warning - disable vPMU support on hybrid CPUs * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: kvm: initialize all of the kvm_debugregs structure before sending it to userspace perf/x86: Refuse to export capabilities for hybrid PMUs KVM: x86/pmu: Disable vPMU support on hybrid CPUs (host PMUs) Documentation/hw-vuln: Fix rST warning commit 0c2822b116e300ca6e3b7f98623deb760a93a1d2 Merge: 0e9fd589e61da 853e2dac25c15 Author: Linus Torvalds Date: Sat Feb 18 10:10:49 2023 -0800 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 regression fix from Will Deacon: "Apologies for the _extremely_ late pull request here, but we had a 'perf' (i.e. CPU PMU) regression on the Apple M1 reported on Wednesday [1] which was introduced by bd2756811766 ("perf: Rewrite core context handling") during the merge window. Mark and I looked into this and noticed an additional problem caused by the same patch, where the 'CHAIN' event (used to combine two adjacent 32-bit counters into a single 64-bit counter) was not being filtered correctly. Mark posted a series on Thursday [2] which addresses both of these regressions and I queued it the same day. The changes are small, self-contained and have been confirmed to fix the original regression. Summary: - Fix 'perf' regression for non-standard CPU PMU hardware (i.e. Apple M1)" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: perf: reject CHAIN events at creation time arm_pmu: fix event CPU filtering commit 0e9fd589e61dace0dcc9848fbf6eb38f16d25f08 Merge: 38f8ccde04a3f 1250421697312 Author: Linus Torvalds Date: Sat Feb 18 09:56:58 2023 -0800 Merge tag 'block-6.2-2023-02-17' of git://git.kernel.dk/linux Pull block fix from Jens Axboe: "I guess this is what can happen when you prep things early for going away, something else comes in last minute. This one fixes another regression in 6.2 for NVMe, from this release, and hence we should probably get it submitted for 6.2. Still waiting for the original reporter (see bugzilla linked in the commit) to test this, but Keith managed to setup and recreate the issue and tested the patch that way" * tag 'block-6.2-2023-02-17' of git://git.kernel.dk/linux: nvme-pci: refresh visible attrs for cmb attributes commit 38f8ccde04a3fa317b51b05e63c3cb57e1641931 Merge: dbeed98d89ea9 99b9402a36f07 Author: Linus Torvalds Date: Fri Feb 17 17:51:40 2023 -0800 Merge tag 'mm-hotfixes-stable-2023-02-17-15-16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "Six hotfixes. Five are cc:stable: four for MM, one for nilfs2. Also a MAINTAINERS update" * tag 'mm-hotfixes-stable-2023-02-17-15-16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: nilfs2: fix underflow in second superblock position calculations hugetlb: check for undefined shift on 32 bit architectures mm/migrate: fix wrongly apply write bit after mkdirty on sparc64 MAINTAINERS: update FPU EMULATOR web page mm/MADV_COLLAPSE: set EAGAIN on unexpected page refcount mm/filemap: fix page end in filemap_get_read_batch commit 99b9402a36f0799f25feee4465bfa4b8dfa74b4d Author: Ryusuke Konishi Date: Wed Feb 15 07:40:43 2023 +0900 nilfs2: fix underflow in second superblock position calculations Macro NILFS_SB2_OFFSET_BYTES, which computes the position of the second superblock, underflows when the argument device size is less than 4096 bytes. Therefore, when using this macro, it is necessary to check in advance that the device size is not less than a lower limit, or at least that underflow does not occur. The current nilfs2 implementation lacks this check, causing out-of-bound block access when mounting devices smaller than 4096 bytes: I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 NILFS (loop0): unable to read secondary superblock (blocksize = 1024) In addition, when trying to resize the filesystem to a size below 4096 bytes, this underflow occurs in nilfs_resize_fs(), passing a huge number of segments to nilfs_sufile_resize(), corrupting parameters such as the number of segments in superblocks. This causes excessive loop iterations in nilfs_sufile_resize() during a subsequent resize ioctl, causing semaphore ns_segctor_sem to block for a long time and hang the writer thread: INFO: task segctord:5067 blocked for more than 143 seconds. Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:segctord state:D stack:23456 pid:5067 ppid:2 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:5293 [inline] __schedule+0x1409/0x43f0 kernel/sched/core.c:6606 schedule+0xc3/0x190 kernel/sched/core.c:6682 rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190 nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline] nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570 kthread+0x270/0x300 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 ... Call Trace: folio_mark_accessed+0x51c/0xf00 mm/swap.c:515 __nilfs_get_page_block fs/nilfs2/page.c:42 [inline] nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61 nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121 nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176 nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251 nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline] nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline] nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777 nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422 nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline] nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301 ... This fixes these issues by inserting appropriate minimum device size checks or anti-underflow checks, depending on where the macro is used. Link: https://lkml.kernel.org/r/0000000000004e1dfa05f4a48e6b@google.com Link: https://lkml.kernel.org/r/20230214224043.24141-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Reported-by: Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton commit ec4288fe63966b26d53907212ecd05dfa81dd2cc Author: Mike Kravetz Date: Wed Feb 15 17:35:42 2023 -0800 hugetlb: check for undefined shift on 32 bit architectures Users can specify the hugetlb page size in the mmap, shmget and memfd_create system calls. This is done by using 6 bits within the flags argument to encode the base-2 logarithm of the desired page size. The routine hstate_sizelog() uses the log2 value to find the corresponding hugetlb hstate structure. Converting the log2 value (page_size_log) to potential hugetlb page size is the simple statement: 1UL << page_size_log Because only 6 bits are used for page_size_log, the left shift can not be greater than 63. This is fine on 64 bit architectures where a long is 64 bits. However, if a value greater than 31 is passed on a 32 bit architecture (where long is 32 bits) the shift will result in undefined behavior. This was generally not an issue as the result of the undefined shift had to exactly match hugetlb page size to proceed. Recent improvements in runtime checking have resulted in this undefined behavior throwing errors such as reported below. Fix by comparing page_size_log to BITS_PER_LONG before doing shift. Link: https://lkml.kernel.org/r/20230216013542.138708-1-mike.kravetz@oracle.com Link: https://lore.kernel.org/lkml/CA+G9fYuei_Tr-vN9GS7SfFyU1y9hNysnf=PB7kT0=yv4MiPgVg@mail.gmail.com/ Fixes: 42d7395feb56 ("mm: support more pagesizes for MAP_HUGETLB/SHM_HUGETLB") Signed-off-by: Mike Kravetz Reported-by: Naresh Kamboju Reviewed-by: Jesper Juhl Acked-by: Muchun Song Tested-by: Linux Kernel Functional Testing Tested-by: Naresh Kamboju Cc: Anders Roxell Cc: Andi Kleen Cc: Sasha Levin Cc: Signed-off-by: Andrew Morton commit 96a9c287e25d690fd9623b5133703b8e310fbed1 Author: Peter Xu Date: Thu Feb 16 10:30:59 2023 -0500 mm/migrate: fix wrongly apply write bit after mkdirty on sparc64 Nick Bowler reported another sparc64 breakage after the young/dirty persistent work for page migration (per "Link:" below). That's after a similar report [2]. It turns out page migration was overlooked, and it wasn't failing before because page migration was not enabled in the initial report test environment. David proposed another way [2] to fix this from sparc64 side, but that patch didn't land somehow. Neither did I check whether there's any other arch that has similar issues. Let's fix it for now as simple as moving the write bit handling to be after dirty, like what we did before. Note: this is based on mm-unstable, because the breakage was since 6.1 and we're at a very late stage of 6.2 (-rc8), so I assume for this specific case we should target this at 6.3. [1] https://lore.kernel.org/all/20221021160603.GA23307@u164.east.ru/ [2] https://lore.kernel.org/all/20221212130213.136267-1-david@redhat.com/ Link: https://lkml.kernel.org/r/20230216153059.256739-1-peterx@redhat.com Fixes: 2e3468778dbe ("mm: remember young/dirty bit for page migrations") Link: https://lore.kernel.org/all/CADyTPExpEqaJiMGoV+Z6xVgL50ZoMJg49B10LcZ=8eg19u34BA@mail.gmail.com/ Signed-off-by: Peter Xu Reported-by: Nick Bowler Acked-by: David Hildenbrand Tested-by: Nick Bowler Cc: Cc: Signed-off-by: Andrew Morton commit dbeed98d89ea91ae68ff6dce6060671726292e85 Merge: 75cc9c4716a7a 4302abc628fc0 Author: Linus Torvalds Date: Fri Feb 17 14:53:37 2023 -0800 Merge tag 'powerpc-6.2-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fix from Michael Ellerman: - Prevent fallthrough to hash TLB flush when using radix Thanks to Benjamin Gray and Erhard Furtner. * tag 'powerpc-6.2-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/64s: Prevent fallthrough to hash TLB flush when using radix commit 75cc9c4716a7a398139805e62ccc3e0d14d00540 Merge: 03dad2f0c7814 896e090eefede Author: Linus Torvalds Date: Fri Feb 17 14:49:11 2023 -0800 Merge tag 'nfs-for-6.2-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs Pull NFS client fix from Trond Myklebust: "Unfortunately, we found another bug in the NFSv4.2 READ_PLUS code. Since it has not been possible to fix the bug in time for the 6.2 release, let's just revert the Kconfig change that enables it: - Revert 'NFSv4.2: Change the default KConfig value for READ_PLUS'" * tag 'nfs-for-6.2-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: Revert "NFSv4.2: Change the default KConfig value for READ_PLUS" commit 03dad2f0c781443558a510316a5c22fdd2aa312b Merge: 4b89ca5a780f5 e97fc9cffbb9f Author: Linus Torvalds Date: Fri Feb 17 14:44:31 2023 -0800 Merge tag 'sound-fix-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "A few last-minute fixes. The significant ones are two ASoC SOF regression fixes while the rest are trivial HD-audio quirks. All are small / one-liners and should be pretty safe to take" * tag 'sound-fix-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ASoC: SOF: Intel: hda-dai: fix possible stream_tag leak ALSA: hda/realtek: Enable mute/micmute LEDs and speaker support for HP Laptops ALSA: hda/realtek: fix mute/micmute LEDs don't work for a HP platform. ALSA: hda/realtek - fixed wrong gpio assigned ALSA: hda: Fix codec device field initializan ALSA: hda/conexant: add a new hda codec SN6180 ASoC: SOF: ops: refine parameters order in function snd_sof_dsp_update8 commit 4b89ca5a780f59f8762e22d2fbcfa64b95c8891d Merge: 6d2e62e162e14 79eeab1d85e0f Author: Linus Torvalds Date: Fri Feb 17 13:58:20 2023 -0800 Merge tag 'gpio-fixes-for-v6.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fix from Bartosz Golaszewski: - fix a memory leak in gpio-sim that was triggered every time libgpiod tests are run in user-space * tag 'gpio-fixes-for-v6.2-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: sim: fix a memory leak commit 6d2e62e162e143330f8543e88bc298c77ca34e03 Merge: bda6cfae33a54 1aff53b2fd903 Author: Linus Torvalds Date: Fri Feb 17 13:53:09 2023 -0800 Merge tag 'ata-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata Pull ata fixes from Damien Le Moal: "Three small fixes for 6.2 final: - Disable READ LOG DMA EXT for Samsung MZ7LH drives as these drives choke on that command, from Patrick. - Add Intel Tiger Lake UP{3,4} to the list of supported AHCI controllers (this is not technically a bug fix, but it is trivial enough that I add it here), from Simon. - Fix code comments in the pata_octeon_cf driver as incorrect formatting was causing warnings from kernel-doc, from Randy" * tag 'ata-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata: ata: pata_octeon_cf: drop kernel-doc notation ata: ahci: Add Tiger Lake UP{3,4} AHCI controller ata: libata-core: Disable READ LOG DMA EXT for Samsung MZ7LH commit bda6cfae33a541230970bad853c01a4e5bdeedde Merge: 64e0253df67d5 3f18c5046e633 Author: Linus Torvalds Date: Fri Feb 17 13:48:54 2023 -0800 Merge tag 'mmc-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: "MMC core: - Fix potential resource leaks in SDIO card detection error path MMC host: - jz4740: Decrease maximum clock rate to workaround bug on JZ4760(B) - meson-gx: Fix SDIO support to get some WiFi modules to work again - mmc_spi: Fix error handling in ->probe()" * tag 'mmc-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: jz4740: Work around bug on JZ4760(B) mmc: mmc_spi: fix error handling in mmc_spi_probe() mmc: sdio: fix possible resource leaks in some error paths mmc: meson-gx: fix SDIO mode if cap_sdio_irq isn't set commit 64e0253df67d5e1557e82b923c78f1bad185eb9a Merge: ec35307e18ba8 c2dbe32d5db5c Author: Linus Torvalds Date: Fri Feb 17 13:45:09 2023 -0800 Merge tag 'sched-urgent-2023-02-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Ingo Molnar: - Fix user-after-free bug in call_usermodehelper_exec() - Fix missing user_cpus_ptr update in __set_cpus_allowed_ptr_locked() - Fix PSI use-after-free bug in ep_remove_wait_queue() * tag 'sched-urgent-2023-02-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/psi: Fix use-after-free in ep_remove_wait_queue() sched/core: Fix a missed update of user_cpus_ptr freezer,umh: Fix call_usermode_helper_exec() vs SIGKILL commit 1250421697312a7f2f13213a71b430402f2ae8f1 Merge: 9a28b92cc21e8 e917a849c3fc3 Author: Jens Axboe Date: Fri Feb 17 09:07:00 2023 -0700 Merge tag 'nvme-6.2-2022-02-17' of git://git.infradead.org/nvme into block-6.2 Pull NVMe fix from Christoph: "nvme fix for Linux 6.2 - fix visibility of the CMB sysfs attributes (Keith Busch)" * tag 'nvme-6.2-2022-02-17' of git://git.infradead.org/nvme: nvme-pci: refresh visible attrs for cmb attributes commit 896e090eefedeb8a715ea19938a2791c32679cc9 Author: Anna Schumaker Date: Wed Feb 15 16:49:22 2023 -0500 Revert "NFSv4.2: Change the default KConfig value for READ_PLUS" This reverts commit 7fd461c47c6cfab4ca4d003790ec276209e52978. Unfortunately, it has come to our attention that there is still a bug somewhere in the READ_PLUS code that can result in nfsroot systems on ARM to crash during boot. Let's do the right thing and revert this change so we don't break people's nfsroot setups. Signed-off-by: Anna Schumaker Signed-off-by: Trond Myklebust commit 79eeab1d85e0fee4c0bc36f3b6ddf3920f39f74b Author: Bartosz Golaszewski Date: Fri Feb 17 12:02:26 2023 +0100 gpio: sim: fix a memory leak Fix an inverted logic bug in gpio_sim_remove_hogs() that leads to GPIO hog structures never being freed. Fixes: cb8c474e79be ("gpio: sim: new testing module") Reported-by: Mirsad Goran Todorovac Signed-off-by: Bartosz Golaszewski Reviewed-by: Andy Shevchenko commit e97fc9cffbb9f372b53b42c36cd7b20aab44a554 Merge: 82f1627cb6339 1f810d2b6b2fb Author: Takashi Iwai Date: Fri Feb 17 08:56:33 2023 +0100 Merge tag 'asoc-fix-v6.2-rc8-2' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: One more fix for v6.2 One more fix from Peter which he'd very much like to get into v6.2. commit e917a849c3fc317c4a5f82bb18726000173d39e6 Author: Keith Busch Date: Thu Feb 16 08:44:03 2023 -0800 nvme-pci: refresh visible attrs for cmb attributes The sysfs group containing the cmb attributes is registered before the driver knows if they need to be visible or not. Update the group when cmb attributes are known to exist so the visibility setting is correct. Link: https://bugzilla.kernel.org/show_bug.cgi?id=217037 Fixes: 86adbf0cdb9ec65 ("nvme: simplify transport specific device attribute handling") Signed-off-by: Keith Busch Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig commit ec35307e18ba8174e2a3f701956059f6a36f22fb Merge: 3ac88fa4605ec f7597e3c58eeb Author: Linus Torvalds Date: Thu Feb 16 20:23:32 2023 -0800 Merge tag 'drm-fixes-2023-02-17' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Just a final collection of misc fixes, the biggest disables the recently added dynamic debugging support, it has a regression that needs some bigger fixes. Otherwise a bunch of fixes across the board, vc4, amdgpu and vmwgfx mostly, with some smaller i915 and ast fixes. drm: - dynamic debug disable for now fbdev: - deferred i/o device close fix amdgpu: - Fix GC11.x suspend warning - Fix display warning vc4: - YUV planes fix - hdmi display fix - crtc reduced blanking fix ast: - fix start address computation vmwgfx: - fix bo/handle races i915: - gen11 WA fix" * tag 'drm-fixes-2023-02-17' of git://anongit.freedesktop.org/drm/drm: drm/amd/display: Fail atomic_check early on normalize_zpos error drm/amd/amdgpu: fix warning during suspend drm/vmwgfx: Do not drop the reference to the handle too soon drm/vmwgfx: Stop accessing buffer objects which failed init drm/i915/gen11: Wa_1408615072/Wa_1407596294 should be on GT list drm: Disable dynamic debug as broken drm/ast: Fix start address computation fbdev: Fix invalid page access after closing deferred I/O devices drm/vc4: crtc: Increase setup cost in core clock calculation to handle extreme reduced blanking drm/vc4: hdmi: Always enable GCP with AVMUTE cleared drm/vc4: Fix YUV plane handling when planes are in different buffers commit 5c7388bcd59df59fe527246526bbdf8b9dedf8cc Author: Randy Dunlap Date: Tue Feb 14 09:02:08 2023 -0800 MAINTAINERS: update FPU EMULATOR web page The web page entry for the FPU EMULATOR no longer works. I notified Bill of this and he asked me to update it to this new entry. Link: https://lkml.kernel.org/r/20230214170208.17287-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Acked-by: Bill Metzenthen Signed-off-by: Andrew Morton commit ae63c898f4004bbc7d212f4adcb3bb14852c30d6 Author: Zach O'Keefe Date: Tue Jan 24 17:57:37 2023 -0800 mm/MADV_COLLAPSE: set EAGAIN on unexpected page refcount During collapse, in a few places we check to see if a given small page has any unaccounted references. If the refcount on the page doesn't match our expectations, it must be there is an unknown user concurrently interested in the page, and so it's not safe to move the contents elsewhere. However, the unaccounted pins are likely an ephemeral state. In this situation, MADV_COLLAPSE returns -EINVAL when it should return -EAGAIN. This could cause userspace to conclude that the syscall failed, when it in fact could succeed by retrying. Link: https://lkml.kernel.org/r/20230125015738.912924-1-zokeefe@google.com Fixes: 7d8faaf15545 ("mm/madvise: introduce MADV_COLLAPSE sync hugepage collapse") Signed-off-by: Zach O'Keefe Reported-by: Hugh Dickins Acked-by: Hugh Dickins Reviewed-by: Yang Shi Cc: Signed-off-by: Andrew Morton commit 5956592ce337330cdff0399a6f8b6a5aea397a8e Author: Qian Yingjin Date: Wed Feb 8 10:24:00 2023 +0800 mm/filemap: fix page end in filemap_get_read_batch I was running traces of the read code against an RAID storage system to understand why read requests were being misaligned against the underlying RAID strips. I found that the page end offset calculation in filemap_get_read_batch() was off by one. When a read is submitted with end offset 1048575, then it calculates the end page for read of 256 when it should be 255. "last_index" is the index of the page beyond the end of the read and it should be skipped when get a batch of pages for read in @filemap_get_read_batch(). The below simple patch fixes the problem. This code was introduced in kernel 5.12. Link: https://lkml.kernel.org/r/20230208022400.28962-1-coolqyj@163.com Fixes: cbd59c48ae2b ("mm/filemap: use head pages in generic_file_buffered_read") Signed-off-by: Qian Yingjin Reviewed-by: Matthew Wilcox (Oracle) Cc: Signed-off-by: Andrew Morton commit 4302abc628fc0dc08e5855f21bbfaed407a72bc3 Author: Benjamin Gray Date: Fri Feb 17 12:14:34 2023 +1100 powerpc/64s: Prevent fallthrough to hash TLB flush when using radix In the fix reconnecting hash__tlb_flush() to tlb_flush() the void return on radix__tlb_flush() was not restored and subsequently falls through to the restored hash__tlb_flush(). Guard hash__tlb_flush() under an else to prevent this. Fixes: 1665c027afb2 ("powerpc/64s: Reconnect tlb_flush() to hash__tlb_flush()") Reported-by: "Erhard F." Suggested-by: Christophe Leroy Signed-off-by: Benjamin Gray Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230217011434.115554-1-bgray@linux.ibm.com commit f7597e3c58eeb9ce534993f53c982f2e91e6dd4d Merge: a2a04b515562b d5a1224aa68c8 Author: Dave Airlie Date: Fri Feb 17 09:49:12 2023 +1000 Merge tag 'drm-intel-fixes-2023-02-16' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Moving gen11 hw wa to the right place. (Matt) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/Y+47eUvwbafER35/@intel.com commit a2a04b515562bbb040e8ae3decae8c1e9ef05327 Merge: caa068c9bb2bc a950b989ea29a Author: Dave Airlie Date: Fri Feb 17 09:23:43 2023 +1000 Merge tag 'drm-misc-fixes-2023-02-16' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes Multiple fixes in vc4 to address issues with YUV planes, HDMI and CRTC; an invalid page access fix for fbdev, mark dynamic debug as broken, a double free and refcounting fix for vmwgfx. Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20230216091905.i5wswy4dd74x4br5@houat commit caa068c9bb2bc86e6da2caf8508f3fda24d4dea0 Merge: ceaa837f96adb 2a00299e74473 Author: Dave Airlie Date: Fri Feb 17 07:34:58 2023 +1000 Merge tag 'amd-drm-fixes-6.2-2023-02-15' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.2-2023-02-15: amdgpu: - Fix GC11.x suspend warning - Fix display warning Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20230216041122.7714-1-alexander.deucher@amd.com commit 853e2dac25c15f7431dfe59805de1bada34c96e9 Author: Mark Rutland Date: Thu Feb 16 14:12:39 2023 +0000 arm64: perf: reject CHAIN events at creation time Currently it's possible for a user to open CHAIN events arbitrarily, which we previously tried to rule out in commit: ca2b497253ad01c8 ("arm64: perf: Reject stand-alone CHAIN events for PMUv3") Which allowed the events to be opened, but prevented them from being scheduled by by using an arm_pmu::filter_match hook to reject the relevant events. The CHAIN event filtering in the arm_pmu::filter_match hook was silently removed in commit: bd27568117664b8b ("perf: Rewrite core context handling") As a result, it's now possible for users to open CHAIN events, and for these to be installed arbitrarily. Fix this by rejecting CHAIN events at creation time. This avoids the creation of events which will never count, and doesn't require using the dynamic filtering. Attempting to open a CHAIN event (0x1e) will now be rejected: | # ./perf stat -e armv8_pmuv3/config=0x1e/ ls | perf | | Performance counter stats for 'ls': | | armv8_pmuv3/config=0x1e/ | | 0.002197470 seconds time elapsed | | 0.000000000 seconds user | 0.002294000 seconds sys Other events (e.g. CPU_CYCLES / 0x11) will open as usual: | # ./perf stat -e armv8_pmuv3/config=0x11/ ls | perf | | Performance counter stats for 'ls': | | 2538761 armv8_pmuv3/config=0x11/ | | 0.002227330 seconds time elapsed | | 0.002369000 seconds user | 0.000000000 seconds sys Fixes: bd2756811766 ("perf: Rewrite core context handling") Signed-off-by: Mark Rutland Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Will Deacon Link: https://lore.kernel.org/r/20230216141240.3833272-3-mark.rutland@arm.com Signed-off-by: Will Deacon commit 61d03862734360aad470019f160d484403a3923e Author: Mark Rutland Date: Thu Feb 16 14:12:38 2023 +0000 arm_pmu: fix event CPU filtering Janne reports that perf has been broken on Apple M1 as of commit: bd27568117664b8b ("perf: Rewrite core context handling") That commit replaced the pmu::filter_match() callback with pmu::filter(), whose return value has the opposite polarity, with true implying events should be ignored rather than scheduled. While an attempt was made to update the logic in armv8pmu_filter() and armpmu_filter() accordingly, the return value remains inverted in a couple of cases: * If the arm_pmu does not have an arm_pmu::filter() callback, armpmu_filter() will always return whether the CPU is supported rather than whether the CPU is not supported. As a result, the perf core will not schedule events on supported CPUs, resulting in a loss of events. Additionally, the perf core will attempt to schedule events on unsupported CPUs, but this will be rejected by armpmu_add(), which may result in a loss of events from other PMUs on those unsupported CPUs. * If the arm_pmu does have an arm_pmu::filter() callback, and armpmu_filter() is called on a CPU which is not supported by the arm_pmu, armpmu_filter() will return false rather than true. As a result, the perf core will attempt to schedule events on unsupported CPUs, but this will be rejected by armpmu_add(), which may result in a loss of events from other PMUs on those unsupported CPUs. This means a loss of events can be seen with any arm_pmu driver, but with the ARMv8 PMUv3 driver (which is the only arm_pmu driver with an arm_pmu::filter() callback) the event loss will be more limited and may go unnoticed, which is how this issue evaded testing so far. Fix the CPU filtering by performing this consistently in armpmu_filter(), and remove the redundant arm_pmu::filter() callback and armv8pmu_filter() implementation. Commit bd2756811766 also silently removed the CHAIN event filtering from armv8pmu_filter(), which will be addressed by a separate patch without using the filter callback. Fixes: bd2756811766 ("perf: Rewrite core context handling") Reported-by: Janne Grunau Link: https://lore.kernel.org/asahi/20230215-arm_pmu_m1_regression-v1-1-f5a266577c8d@jannau.net/ Signed-off-by: Mark Rutland Cc: Will Deacon Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Asahi Lina Cc: Eric Curtin Tested-by: Janne Grunau Link: https://lore.kernel.org/r/20230216141240.3833272-2-mark.rutland@arm.com Signed-off-by: Will Deacon commit 3ac88fa4605ec98e545fb3ad0154f575fda2de5f Merge: d3d6f0eb086d3 b20b8aec6ffc0 Author: Linus Torvalds Date: Thu Feb 16 12:13:58 2023 -0800 Merge tag 'net-6.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Fixes from the main networking tree only, probably because all sub-trees have backed off and haven't submitted their changes. None of the fixes here are particularly scary and no outstanding regressions. In an ideal world the "current release" sections would be empty at this stage but that never happens. Current release - regressions: - fix unwanted sign extension in netdev_stats_to_stats64() Current release - new code bugs: - initialize net->notrefcnt_tracker earlier - devlink: fix netdev notifier chain corruption - nfp: make sure mbox accesses in IPsec code are atomic - ice: fix check for weight and priority of a scheduling node Previous releases - regressions: - ice: xsk: fix cleaning of XDP_TX frame, prevent inf loop - igb: fix I2C bit banging config with external thermal sensor Previous releases - always broken: - sched: tcindex: update imperfect hash filters respecting rcu - mpls: fix stale pointer if allocation fails during device rename - dccp/tcp: avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions - remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues() - af_key: fix heap information leak - ipv6: fix socket connection with DSCP (correct interpretation of the tclass field vs fib rule matching) - tipc: fix kernel warning when sending SYN message - vmxnet3: read RSS information from the correct descriptor (eop)" * tag 'net-6.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (35 commits) devlink: Fix netdev notifier chain corruption igb: conditionalize I2C bit banging on external thermal sensor support net: mpls: fix stale pointer if allocation fails during device rename net/sched: tcindex: search key must be 16 bits tipc: fix kernel warning when sending SYN message igb: Fix PPS input and output using 3rd and 4th SDP net: use a bounce buffer for copying skb->mark ixgbe: add double of VLAN header when computing the max MTU i40e: add double of VLAN header when computing the max MTU ixgbe: allow to increase MTU to 3K with XDP enabled net: stmmac: Restrict warning on disabling DMA store and fwd mode net/sched: act_ctinfo: use percpu stats net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence ice: fix lost multicast packets in promisc mode ice: Fix check for weight and priority of a scheduling node bnxt_en: Fix mqprio and XDP ring checking logic net: Fix unwanted sign extension in netdev_stats_to_stats64() net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() af_key: Fix heap information leak ... commit d3d6f0eb086d3d68960ded479e846e7dcfcec2bb Merge: b5596f1d54589 9a28b92cc21e8 Author: Linus Torvalds Date: Thu Feb 16 12:05:33 2023 -0800 Merge tag 'block-6.2-2023-02-16' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: "Just a few NVMe fixes that should go into the 6.2 release, adding a quirk and fixing two issues introduced in this release: - NVMe fixes via Christoph: - Always return an ERR_PTR from nvme_pci_alloc_dev (Irvin Cote) - Add bogus ID quirk for ADATA SX6000PNP (Daniel Wagner) - Set the DMA mask earlier (Christoph Hellwig)" * tag 'block-6.2-2023-02-16' of git://git.kernel.dk/linux: nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev nvme-pci: set the DMA mask earlier nvme-pci: add bogus ID quirk for ADATA SX6000PNP commit b5596f1d545898de6d5cebe99692e6a205b61c92 Merge: 18902059e05bd f276aacf5d2f7 Author: Linus Torvalds Date: Thu Feb 16 12:01:46 2023 -0800 Merge tag 'spi-v6.2-rc8-abi' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fix from Mark Brown: "One more last minute patch for v6.2 updating the parsing of the newly added spi-cs-setup-delay-ns. It's been pointed out that due to the way DT parsing works the change in property size is ABI visible so let's not let a release go out without it being fixed. The change got split from some earlier ABI related fixes to the property since the first version sent had a build error" * tag 'spi-v6.2-rc8-abi' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: Use a 32-bit DT property for spi-cs-setup-delay-ns commit 18902059e05bd22edaf70ab5819291d0618c93dc Merge: 88d355832e09f b8b3b0bfb742f Author: Linus Torvalds Date: Thu Feb 16 11:57:43 2023 -0800 Merge tag 'gpio-fixes-for-v6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - fix a potential Kconfig issue with gpio-mlxbf2 not selecting GPIOLIB_IRQCHIP - another immutable irqchip conversion, this time for gpio-vf610 - fix a wakeup issue on Clevo NH5xAx * tag 'gpio-fixes-for-v6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: mlxbf2: select GPIOLIB_IRQCHIP gpiolib: acpi: Add a ignore wakeup quirk for Clevo NH5xAx gpio: vf610: make irq_chip immutable gpiolib: acpi: remove redundant declaration commit 88d355832e09f5dd30d2df4c22c4e8129c3cce3c Author: Christoph Hellwig Date: Thu Feb 16 07:31:10 2023 +0100 stop mainaining UUID The uuid code is very low maintainance now that the major overhaul has completed, and doesn't need it's own tree. All the recent work has been done by Andy who'd like to stay on as a reviewer without an explicit tree. Signed-off-by: Christoph Hellwig Acked-by: Andy Shevchenko Signed-off-by: Linus Torvalds commit a8cd2990b694ed2c0ef0e8fc80686c664b4ebbe5 Author: Christoph Hellwig Date: Thu Feb 16 07:29:22 2023 +0100 orphan sysvfs This code has been stale for years and I have no way to test it. Signed-off-by: Christoph Hellwig Signed-off-by: Linus Torvalds commit 2c10b61421a28e95a46ab489fd56c0f442ff6952 Author: Greg Kroah-Hartman Date: Tue Feb 14 11:33:04 2023 +0100 kvm: initialize all of the kvm_debugregs structure before sending it to userspace When calling the KVM_GET_DEBUGREGS ioctl, on some configurations, there might be some unitialized portions of the kvm_debugregs structure that could be copied to userspace. Prevent this as is done in the other kvm ioctls, by setting the whole structure to 0 before copying anything into it. Bonus is that this reduces the lines of code as the explicit flag setting and reserved space zeroing out can be removed. Cc: Sean Christopherson Cc: Paolo Bonzini Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: Dave Hansen Cc: Cc: "H. Peter Anvin" Cc: stable Reported-by: Xingyuan Mo Signed-off-by: Greg Kroah-Hartman Message-Id: <20230214103304.3689213-1-gregkh@linuxfoundation.org> Tested-by: Xingyuan Mo Signed-off-by: Paolo Bonzini commit 1f810d2b6b2fbdc5279644d8b2c140b1f7c9d43d Author: Pierre-Louis Bossart Date: Thu Feb 16 18:23:40 2023 +0200 ASoC: SOF: Intel: hda-dai: fix possible stream_tag leak The HDaudio stream allocation is done first, and in a second step the LOSIDV parameter is programmed for the multi-link used by a codec. This leads to a possible stream_tag leak, e.g. if a DisplayAudio link is not used. This would happen when a non-Intel graphics card is used and userspace unconditionally uses the Intel Display Audio PCMs without checking if they are connected to a receiver with jack controls. We should first check that there is a valid multi-link entry to configure before allocating a stream_tag. This change aligns the dma_assign and dma_cleanup phases. Complements: b0cd60f3e9f5 ("ALSA/ASoC: hda: clarify bus_get_link() and bus_link_get() helpers") Link: https://github.com/thesofproject/linux/issues/4151 Signed-off-by: Pierre-Louis Bossart Reviewed-by: Ranjani Sridharan Reviewed-by: Rander Wang Reviewed-by: Bard Liao Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20230216162340.19480-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown commit 82f1627cb6339ee32db22c89c750c0e359e5c72e Merge: 9251584af0928 5afc7eefe4164 Author: Takashi Iwai Date: Thu Feb 16 14:29:54 2023 +0100 Merge tag 'asoc-fix-v6.2-rc8' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fix for v6.2 One non-urgent fix for v6.2, this could possibly wait till the merge window. commit b8b3b0bfb742f0cbb006c66b10216b724ce42e25 Merge: 2f43f6020cde9 a69982c37cd05 Author: Bartosz Golaszewski Date: Thu Feb 16 13:31:42 2023 +0100 Merge tag 'intel-gpio-v6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/andy/linux-gpio-intel into gpio/for-current intel-gpio for v6.2-2 * Ignore spurious wakeup by touchpad on Clevo NH5xAx * Miscellaneous fix(es) commit b20b8aec6ffc07bb547966b356780cd344f20f5b Author: Ido Schimmel Date: Wed Feb 15 09:31:39 2023 +0200 devlink: Fix netdev notifier chain corruption Cited commit changed devlink to register its netdev notifier block on the global netdev notifier chain instead of on the per network namespace one. However, when changing the network namespace of the devlink instance, devlink still tries to unregister its notifier block from the chain of the old namespace and register it on the chain of the new namespace. This results in corruption of the notifier chains, as the same notifier block is registered on two different chains: The global one and the per network namespace one. In turn, this causes other problems such as the inability to dismantle namespaces due to netdev reference count issues. Fix by preventing devlink from moving its notifier block between namespaces. Reproducer: # echo "10 1" > /sys/bus/netdevsim/new_device # ip netns add test123 # devlink dev reload netdevsim/netdevsim10 netns test123 # ip netns del test123 [ 71.935619] unregister_netdevice: waiting for lo to become free. Usage count = 2 [ 71.938348] leaked reference. Fixes: 565b4824c39f ("devlink: change port event netdev notifier from per-net to global") Signed-off-by: Ido Schimmel Reviewed-by: Jiri Pirko Reviewed-by: Jacob Keller Reviewed-by: Jakub Kicinski Link: https://lore.kernel.org/r/20230215073139.1360108-1-idosch@nvidia.com Signed-off-by: Paolo Abeni commit 5d54cb1767e06025819daa6769e0f18dcbc60936 Author: Corinna Vinschen Date: Tue Feb 14 10:55:48 2023 -0800 igb: conditionalize I2C bit banging on external thermal sensor support Commit a97f8783a937 ("igb: unbreak I2C bit-banging on i350") introduced code to change I2C settings to bit banging unconditionally. However, this patch introduced a regression: On an Intel S2600CWR Server Board with three NICs: - 1x dual-port copper Intel I350 Gigabit Network Connection [8086:1521] (rev 01) fw 1.63, 0x80000dda - 2x quad-port SFP+ with copper SFP Avago ABCU-5700RZ Intel I350 Gigabit Fiber Network Connection [8086:1522] (rev 01) fw 1.52.0 the SFP NICs no longer get link at all. Reverting commit a97f8783a937 or switching to the Intel out-of-tree driver both fix the problem. Per the igb out-of-tree driver, I2C bit banging on i350 depends on support for an external thermal sensor (ETS). However, commit a97f8783a937 added bit banging unconditionally. Additionally, the out-of-tree driver always calls init_thermal_sensor_thresh on probe, while our driver only calls init_thermal_sensor_thresh only in igb_reset(), and only if an ETS is present, ignoring the internal thermal sensor. The affected SFPs don't provide an ETS. Per Intel, the behaviour is a result of i350 firmware requirements. This patch fixes the problem by aligning the behaviour to the out-of-tree driver: - split igb_init_i2c() into two functions: - igb_init_i2c() only performs the basic I2C initialization. - igb_set_i2c_bb() makes sure that E1000_CTRL_I2C_ENA is set and enables bit-banging. - igb_probe() only calls igb_set_i2c_bb() if an ETS is present. - igb_probe() calls init_thermal_sensor_thresh() unconditionally. - igb_reset() aligns its behaviour to igb_probe(), i. e., call igb_set_i2c_bb() if an ETS is present and call init_thermal_sensor_thresh() unconditionally. Fixes: a97f8783a937 ("igb: unbreak I2C bit-banging on i350") Tested-by: Mateusz Palczewski Co-developed-by: Jamie Bainbridge Signed-off-by: Jamie Bainbridge Signed-off-by: Corinna Vinschen Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20230214185549.1306522-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 2a00299e7447395d0898e7c6214817c06a61a8e8 Author: Leo Li Date: Thu Feb 9 12:15:21 2023 -0500 drm/amd/display: Fail atomic_check early on normalize_zpos error [Why] drm_atomic_normalize_zpos() can return an error code when there's modeset lock contention. This was being ignored. [How] Bail out of atomic check if normalize_zpos() returns an error. Fixes: b261509952bc ("drm/amd/display: Fix double cursor on non-video RGB MPO") Signed-off-by: Leo Li Tested-by: Mikhail Gavrilov Reviewed-by: Hamza Mahfooz Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 8f32378986218812083b127da5ba42d48297d7c4 Author: Jack Xiao Date: Fri Feb 10 10:31:32 2023 +0800 drm/amd/amdgpu: fix warning during suspend Freeing memory was warned during suspend. Move the self test out of suspend. Link: https://bugzilla.redhat.com/show_bug.cgi?id=2151825 Cc: jfalempe@redhat.com Signed-off-by: Jack Xiao Reviewed-by: Christian König Reviewed-by: Feifei Xu Reviewed-and-tested-by: Evan Quan Tested-by: Jocelyn Falempe Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit dee4bf7167cfcae642e0cf04bef81dca49cc286f Merge: fda6c89fe3d9a 0967bf837784a Author: Jakub Kicinski Date: Wed Feb 15 19:20:58 2023 -0800 Merge branch '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2023-02-14 (ixgbe, i40e) This series contains updates to ixgbe and i40e drivers. Jason Xing corrects comparison of frame sizes for setting MTU with XDP on ixgbe and adjusts frame size to account for a second VLAN header on ixgbe and i40e. * '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: ixgbe: add double of VLAN header when computing the max MTU i40e: add double of VLAN header when computing the max MTU ixgbe: allow to increase MTU to 3K with XDP enabled ==================== Link: https://lore.kernel.org/r/20230214185146.1305819-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 033c40a89f55525139fd5b6342281b09b97d05bf Merge: 3402351a5a8f3 cbb13e12a5d3e Author: Linus Torvalds Date: Wed Feb 15 14:53:08 2023 -0800 Merge tag 'apparmor-v6.2-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor fix from John Johansen: "Regression fix for getattr mediation of old policy" * tag 'apparmor-v6.2-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: Fix regression in compat permissions for getattr commit 9a28b92cc21e8445c25b18e46f41634539938a91 Merge: 38c33ece23201 dc785d69d753a Author: Jens Axboe Date: Wed Feb 15 13:47:27 2023 -0700 Merge tag 'nvme-6.2-2023-02-15' of git://git.infradead.org/nvme into block-6.2 Pull NVMe fixes from Christoph: "nvme fixes for Linux 6.2 - always return an ERR_PTR from nvme_pci_alloc_dev (Irvin Cote) - add bogus ID quirk for ADATA SX6000PNP (Daniel Wagner) - set the DMA mask earlier (Christoph Hellwig)" * tag 'nvme-6.2-2023-02-15' of git://git.infradead.org/nvme: nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev nvme-pci: set the DMA mask earlier nvme-pci: add bogus ID quirk for ADATA SX6000PNP commit 3402351a5a8f3bcb1488877f85072a0141c97939 Merge: ca5ca227757d7 4102db175b5d8 Author: Linus Torvalds Date: Wed Feb 15 11:48:56 2023 -0800 Merge tag 'nfsd-6.2-6' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd fix from Chuck Lever: - Fix a teardown bug in the new nfs4_file hashtable * tag 'nfsd-6.2-6' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: nfsd: don't destroy global nfs4_file table in per-net shutdown commit ca5ca227757d7da7f19092bce662b80c74dea507 Merge: e1c04510f521e 70b5339caf847 Author: Linus Torvalds Date: Wed Feb 15 11:31:34 2023 -0800 Merge tag 'trace-v6.2-rc7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fixlet from Steven Rostedt: "Make trace_define_field_ext() static. Just after the fix to TASK_COMM_LEN not converted to its value in trace_events was pulled, the kernel test robot reported that the helper function trace_define_field_ext() added to that change was only used in the file it was defined in but was not declared static. Make it a local function" * tag 'trace-v6.2-rc7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: Make trace_define_field_ext() static commit cbb13e12a5d3ecef400716ea7d12a9268b0f37ca Author: John Johansen Date: Tue Feb 14 20:21:17 2023 -0800 apparmor: Fix regression in compat permissions for getattr This fixes a regression in mediation of getattr when old policy built under an older ABI is loaded and mapped to internal permissions. The regression does not occur for all getattr permission requests, only appearing if state zero is the final state in the permission lookup. This is because despite the first state (index 0) being guaranteed to not have permissions in both newer and older permission formats, it may have to carry permissions that were not mediated as part of an older policy. These backward compat permissions are mapped here to avoid special casing the mediation code paths. Since the mapping code already takes into account backwards compat permission from older formats it can be applied to state 0 to fix the regression. Fixes: 408d53e923bd ("apparmor: compute file permissions on profile load") Reported-by: Philip Meulengracht Signed-off-by: John Johansen commit 2f43f6020cde9f5024d26f17e9fd9f9b5581c2f9 Author: Linus Walleij Date: Wed Feb 15 15:52:06 2023 +0100 gpio: mlxbf2: select GPIOLIB_IRQCHIP This driver uncondictionally uses the GPIOLIB_IRQCHIP so select it. Signed-off-by: Linus Walleij Signed-off-by: Bartosz Golaszewski commit a69982c37cd0586e6832268155349301b87f2e35 Author: Werner Sembach Date: Wed Feb 15 15:39:41 2023 +0100 gpiolib: acpi: Add a ignore wakeup quirk for Clevo NH5xAx The commit 1796f808e4bb ("HID: i2c-hid: acpi: Stop setting wakeup_capable") changed the policy such that I2C touchpads may be able to wake up the system by default if the system is configured as such. However for some devices there is a bug, that is causing the touchpad to instantly wake up the device again once it gets deactivated. The root cause is still under investigation (see Link tag). To workaround this problem for the time being, introduce a quirk for this model that will prevent the wakeup capability for being set for GPIO 16. Fixes: 1796f808e4bb ("HID: i2c-hid: acpi: Stop setting wakeup_capable") Link: https://lore.kernel.org/linux-acpi/20230210164636.628462-1-wse@tuxedocomputers.com/ Signed-off-by: Werner Sembach Cc: # v6.1+ Signed-off-by: Andy Shevchenko commit e6ef4f8ede09f4af7cde000717b349b50bc62576 Author: Alexander Stein Date: Wed Feb 15 10:52:49 2023 +0100 gpio: vf610: make irq_chip immutable Since recently, the kernel is nagging about mutable irq_chips: "not an immutable chip, please consider fixing it!" Drop the unneeded copy, flag it as IRQCHIP_IMMUTABLE, add the new helper functions and call the appropriate gpiolib functions. Signed-off-by: Alexander Stein Reviewed-by: Andy Shevchenko Reviewed-by: Linus Walleij Signed-off-by: Bartosz Golaszewski commit b61494d0f82e7298ddef7b1ced0946ccdc1c7d88 Author: Raag Jadav Date: Wed Feb 15 17:30:04 2023 +0530 gpiolib: acpi: remove redundant declaration Remove acpi_device declaration, as it is no longer needed. Signed-off-by: Raag Jadav Reviewed-by: Mika Westerberg Signed-off-by: Andy Shevchenko commit 4b4191b8ae1278bde3642acaaef8f92810ed111a Author: Sean Christopherson Date: Wed Feb 8 20:42:30 2023 +0000 perf/x86: Refuse to export capabilities for hybrid PMUs Now that KVM disables vPMU support on hybrid CPUs, WARN and return zeros if perf_get_x86_pmu_capability() is invoked on a hybrid CPU. The helper doesn't provide an accurate accounting of the PMU capabilities for hybrid CPUs and needs to be enhanced if KVM, or anything else outside of perf, wants to act on the PMU capabilities. Cc: stable@vger.kernel.org Cc: Andrew Cooper Cc: Peter Zijlstra Cc: Kan Liang Cc: Andi Kleen Link: https://lore.kernel.org/all/20220818181530.2355034-1-kan.liang@linux.intel.com Signed-off-by: Sean Christopherson Message-Id: <20230208204230.1360502-3-seanjc@google.com> Signed-off-by: Paolo Bonzini commit 4d7404e5ee0066e9a9e8268675de8a273b568b08 Author: Sean Christopherson Date: Wed Feb 8 20:42:29 2023 +0000 KVM: x86/pmu: Disable vPMU support on hybrid CPUs (host PMUs) Disable KVM support for virtualizing PMUs on hosts with hybrid PMUs until KVM gains a sane way to enumeration the hybrid vPMU to userspace and/or gains a mechanism to let userspace opt-in to the dangers of exposing a hybrid vPMU to KVM guests. Virtualizing a hybrid PMU, or at least part of a hybrid PMU, is possible, but it requires careful, deliberate configuration from userspace. E.g. to expose full functionality, vCPUs need to be pinned to pCPUs to prevent migrating a vCPU between a big core and a little core, userspace must enumerate a reasonable topology to the guest, and guest CPUID must be curated per vCPU to enumerate accurate vPMU capabilities. The last point is especially problematic, as KVM doesn't control which pCPU it runs on when enumerating KVM's vPMU capabilities to userspace, i.e. userspace can't rely on KVM_GET_SUPPORTED_CPUID in it's current form. Alternatively, userspace could enable vPMU support by enumerating the set of features that are common and coherent across all cores, e.g. by filtering PMU events and restricting guest capabilities. But again, that requires userspace to take action far beyond reflecting KVM's supported feature set into the guest. For now, simply disable vPMU support on hybrid CPUs to avoid inducing seemingly random #GPs in guests, and punt support for hybrid CPUs to a future enabling effort. Reported-by: Jianfeng Gao Cc: stable@vger.kernel.org Cc: Andrew Cooper Cc: Peter Zijlstra Cc: Kan Liang Cc: Andi Kleen Link: https://lore.kernel.org/all/20220818181530.2355034-1-kan.liang@linux.intel.com Signed-off-by: Sean Christopherson Message-Id: <20230208204230.1360502-2-seanjc@google.com> Signed-off-by: Paolo Bonzini commit c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe Author: Munehisa Kamata Date: Tue Feb 14 13:27:05 2023 -0800 sched/psi: Fix use-after-free in ep_remove_wait_queue() If a non-root cgroup gets removed when there is a thread that registered trigger and is polling on a pressure file within the cgroup, the polling waitqueue gets freed in the following path: do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy However, the polling thread still has a reference to the pressure file and will access the freed waitqueue when the file is closed or upon exit: fput ep_eventpoll_release ep_free ep_remove_wait_queue remove_wait_queue This results in use-after-free as pasted below. The fundamental problem here is that cgroup_file_release() (and consequently waitqueue's lifetime) is not tied to the file's real lifetime. Using wake_up_pollfree() here might be less than ideal, but it is in line with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()") since the waitqueue's lifetime is not tied to file's one and can be considered as another special case. While this would be fixable by somehow making cgroup_file_release() be tied to the fput(), it would require sizable refactoring at cgroups or higher layer which might be more justifiable if we identify more cases like this. BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0 Write of size 4 at addr ffff88810e625328 by task a.out/4404 CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38 Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017 Call Trace: dump_stack_lvl+0x73/0xa0 print_report+0x16c/0x4e0 kasan_report+0xc3/0xf0 kasan_check_range+0x2d2/0x310 _raw_spin_lock_irqsave+0x60/0xc0 remove_wait_queue+0x1a/0xa0 ep_free+0x12c/0x170 ep_eventpoll_release+0x26/0x30 __fput+0x202/0x400 task_work_run+0x11d/0x170 do_exit+0x495/0x1130 do_group_exit+0x100/0x100 get_signal+0xd67/0xde0 arch_do_signal_or_restart+0x2a/0x2b0 exit_to_user_mode_prepare+0x94/0x100 syscall_exit_to_user_mode+0x20/0x40 do_syscall_64+0x52/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Allocated by task 4404: kasan_set_track+0x3d/0x60 __kasan_kmalloc+0x85/0x90 psi_trigger_create+0x113/0x3e0 pressure_write+0x146/0x2e0 cgroup_file_write+0x11c/0x250 kernfs_fop_write_iter+0x186/0x220 vfs_write+0x3d8/0x5c0 ksys_write+0x90/0x110 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 4407: kasan_set_track+0x3d/0x60 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x11d/0x170 slab_free_freelist_hook+0x87/0x150 __kmem_cache_free+0xcb/0x180 psi_trigger_destroy+0x2e8/0x310 cgroup_file_release+0x4f/0xb0 kernfs_drain_open_files+0x165/0x1f0 kernfs_drain+0x162/0x1a0 __kernfs_remove+0x1fb/0x310 kernfs_remove_by_name_ns+0x95/0xe0 cgroup_addrm_files+0x67f/0x700 cgroup_destroy_locked+0x283/0x3c0 cgroup_rmdir+0x29/0x100 kernfs_iop_rmdir+0xd1/0x140 vfs_rmdir+0xfe/0x240 do_rmdir+0x13d/0x280 __x64_sys_rmdir+0x2c/0x30 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: 0e94682b73bf ("psi: introduce psi monitor") Signed-off-by: Munehisa Kamata Signed-off-by: Mengchi Cheng Signed-off-by: Ingo Molnar Acked-by: Suren Baghdasaryan Acked-by: Peter Zijlstra Cc: stable@vger.kernel.org Link: https://lore.kernel.org/lkml/20230106224859.4123476-1-kamatam@amazon.com/ Link: https://lore.kernel.org/r/20230214212705.4058045-1-kamatam@amazon.com commit 971cecb9591a7b8ceae658252bf15240d7078a45 Author: Paolo Bonzini Date: Wed Feb 15 07:11:32 2023 -0500 Documentation/hw-vuln: Fix rST warning The following warning: Documentation/admin-guide/hw-vuln/cross-thread-rsb.rst:92: ERROR: Unexpected indentation. was introduced by commit 493a2c2d23ca. Fix it by placing everything in the same paragraph and also use a monospace font. Fixes: 493a2c2d23ca ("Documentation/hw-vuln: Add documentation for Cross-Thread Return Predictions") Reported-by: Stephen Rothwell Signed-off-by: Paolo Bonzini commit fda6c89fe3d9aca073495a664e1d5aea28cd4377 Author: Jakub Kicinski Date: Mon Feb 13 22:53:55 2023 -0800 net: mpls: fix stale pointer if allocation fails during device rename lianhui reports that when MPLS fails to register the sysctl table under new location (during device rename) the old pointers won't get overwritten and may be freed again (double free). Handle this gracefully. The best option would be unregistering the MPLS from the device completely on failure, but unfortunately mpls_ifdown() can fail. So failing fully is also unreliable. Another option is to register the new table first then only remove old one if the new one succeeds. That requires more code, changes order of notifications and two tables may be visible at the same time. sysctl point is not used in the rest of the code - set to NULL on failures and skip unregister if already NULL. Reported-by: lianhui tang Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls") Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller commit 42018a322bd453e38b3ffee294982243e50a484f Author: Pedro Tammela Date: Mon Feb 13 22:47:29 2023 -0300 net/sched: tcindex: search key must be 16 bits Syzkaller found an issue where a handle greater than 16 bits would trigger a null-ptr-deref in the imperfect hash area update. general protection fault, probably for non-canonical address 0xdffffc0000000015: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af] CPU: 0 PID: 5070 Comm: syz-executor456 Not tainted 6.2.0-rc7-syzkaller-00112-gc68f345b7c42 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023 RIP: 0010:tcindex_set_parms+0x1a6a/0x2990 net/sched/cls_tcindex.c:509 Code: 01 e9 e9 fe ff ff 4c 8b bd 28 fe ff ff e8 0e 57 7d f9 48 8d bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 94 0c 00 00 48 8b 85 f8 fd ff ff 48 8b 9b a8 00 RSP: 0018:ffffc90003d3ef88 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000015 RSI: ffffffff8803a102 RDI: 00000000000000a8 RBP: ffffc90003d3f1d8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801e2b10a8 R13: dffffc0000000000 R14: 0000000000030000 R15: ffff888017b3be00 FS: 00005555569af300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056041c6d2000 CR3: 000000002bfca000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: tcindex_change+0x1ea/0x320 net/sched/cls_tcindex.c:572 tc_new_tfilter+0x96e/0x2220 net/sched/cls_api.c:2155 rtnetlink_rcv_msg+0x959/0xca0 net/core/rtnetlink.c:6132 netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1942 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xd3/0x120 net/socket.c:734 ____sys_sendmsg+0x334/0x8c0 net/socket.c:2476 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2530 __sys_sendmmsg+0x18f/0x460 net/socket.c:2616 __do_sys_sendmmsg net/socket.c:2645 [inline] __se_sys_sendmmsg net/socket.c:2642 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2642 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 Fixes: ee059170b1f7 ("net/sched: tcindex: update imperfect hash filters respecting rcu") Signed-off-by: Jamal Hadi Salim Signed-off-by: Pedro Tammela Reported-by: syzbot Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller commit 11a4d6f67cf55883dc78e31c247d1903ed7feccc Author: Tung Nguyen Date: Tue Feb 14 01:26:06 2023 +0000 tipc: fix kernel warning when sending SYN message When sending a SYN message, this kernel stack trace is observed: ... [ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550 ... [ 13.398494] Call Trace: [ 13.398630] [ 13.398630] ? __alloc_skb+0xed/0x1a0 [ 13.398630] tipc_msg_build+0x12c/0x670 [tipc] [ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290 [ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc] [ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc] [ 13.398630] ? __local_bh_enable_ip+0x37/0x80 [ 13.398630] tipc_connect+0x1d9/0x230 [tipc] [ 13.398630] ? __sys_connect+0x9f/0xd0 [ 13.398630] __sys_connect+0x9f/0xd0 [ 13.398630] ? preempt_count_add+0x4d/0xa0 [ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50 [ 13.398630] __x64_sys_connect+0x16/0x20 [ 13.398630] do_syscall_64+0x42/0x90 [ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd It is because commit a41dad905e5a ("iov_iter: saner checks for attempt to copy to/from iterator") has introduced sanity check for copying from/to iov iterator. Lacking of copy direction from the iterator viewpoint would lead to kernel stack trace like above. This commit fixes this issue by initializing the iov iterator with the correct copy direction when sending SYN or ACK without data. Fixes: f25dcc7687d4 ("tipc: tipc ->sendmsg() conversion") Reported-by: syzbot+d43608d061e8847ec9f3@syzkaller.appspotmail.com Acked-by: Jon Maloy Signed-off-by: Tung Nguyen Link: https://lore.kernel.org/r/20230214012606.5804-1-tung.q.nguyen@dektech.com.au Signed-off-by: Jakub Kicinski commit 207ce626add80ddd941f62fc2fe5d77586e0801b Author: Miroslav Lichvar Date: Mon Feb 13 10:58:22 2023 -0800 igb: Fix PPS input and output using 3rd and 4th SDP Fix handling of the tsync interrupt to compare the pin number with IGB_N_SDP instead of IGB_N_EXTTS/IGB_N_PEROUT and fix the indexing to the perout array. Fixes: cf99c1dd7b77 ("igb: move PEROUT and EXTTS isr logic to separate functions") Reported-by: Matt Corallo Signed-off-by: Miroslav Lichvar Reviewed-by: Jacob Keller Tested-by: Gurucharan G (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20230213185822.3960072-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit d3a373461f016b6fa6216b8f5a61d15ec18cce4b Merge: 2558b8039d059 43fbca02c2ddc Author: Jakub Kicinski Date: Tue Feb 14 20:41:23 2023 -0800 Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2023-02-13 (ice) This series contains updates to ice driver only. Michal fixes check of scheduling node weight and priority to be done against desired value, not current value. Jesse adds setting of all multicast when adding promiscuous mode to resolve traffic being lost due to filter settings. * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: ice: fix lost multicast packets in promisc mode ice: Fix check for weight and priority of a scheduling node ==================== Link: https://lore.kernel.org/r/20230213185259.3959224-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 2558b8039d059342197610498c8749ad294adee5 Author: Eric Dumazet Date: Mon Feb 13 16:00:59 2023 +0000 net: use a bounce buffer for copying skb->mark syzbot found arm64 builds would crash in sock_recv_mark() when CONFIG_HARDENED_USERCOPY=y x86 and powerpc are not detecting the issue because they define user_access_begin. This will be handled in a different patch, because a check_object_size() is missing. Only data from skb->cb[] can be copied directly to/from user space, as explained in commit 79a8a642bf05 ("net: Whitelist the skbuff_head_cache "cb" field") syzbot report was: usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)! ------------[ cut here ]------------ kernel BUG at mm/usercopy.c:102 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usercopy_abort+0x90/0x94 mm/usercopy.c:90 lr : usercopy_abort+0x90/0x94 mm/usercopy.c:90 sp : ffff80000fb9b9a0 x29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00 x26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000 x23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8 x20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000 x17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118 x14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400 x11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00 x8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000 x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c Call trace: usercopy_abort+0x90/0x94 mm/usercopy.c:90 __check_heap_object+0xa8/0x100 mm/slub.c:4761 check_heap_object mm/usercopy.c:196 [inline] __check_object_size+0x208/0x6b8 mm/usercopy.c:251 check_object_size include/linux/thread_info.h:199 [inline] __copy_to_user include/linux/uaccess.h:115 [inline] put_cmsg+0x408/0x464 net/core/scm.c:238 sock_recv_mark net/socket.c:975 [inline] __sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984 sock_recv_cmsgs include/net/sock.h:2728 [inline] packet_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482 ____sys_recvmsg+0x110/0x3a0 ___sys_recvmsg net/socket.c:2737 [inline] __sys_recvmsg+0x194/0x210 net/socket.c:2767 __do_sys_recvmsg net/socket.c:2777 [inline] __se_sys_recvmsg net/socket.c:2774 [inline] __arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52 el0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193 el0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 Code: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000) Fixes: 6fd1d51cfa25 ("net: SO_RCVMARK socket option for SO_MARK with recvmsg()") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Erin MacNeil Reviewed-by: Alexander Lobakin Link: https://lore.kernel.org/r/20230213160059.3829741-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit a950b989ea29ab3b38ea7f6e3d2540700a3c54e8 Author: Zack Rusin Date: Sat Feb 11 00:05:14 2023 -0500 drm/vmwgfx: Do not drop the reference to the handle too soon v3: Fix vmw_user_bo_lookup which was also dropping the gem reference before the kernel was done with buffer depending on userspace doing the right thing. Same bug, different spot. It is possible for userspace to predict the next buffer handle and to destroy the buffer while it's still used by the kernel. Delay dropping the internal reference on the buffers until kernel is done with them. Instead of immediately dropping the gem reference in vmw_user_bo_lookup and vmw_gem_object_create_with_handle let the callers decide when they're ready give the control back to userspace. Also fixes the second usage of vmw_gem_object_create_with_handle in vmwgfx_surface.c which wasn't grabbing an explicit reference to the gem object which could have been destroyed by the userspace on the owning surface at any point. Signed-off-by: Zack Rusin Fixes: 8afa13a0583f ("drm/vmwgfx: Implement DRIVER_GEM") Reviewed-by: Martin Krastev Reviewed-by: Maaz Mombasawala Link: https://patchwork.freedesktop.org/patch/msgid/20230211050514.2431155-1-zack@kde.org (cherry picked from commit 9ef8d83e8e25d5f1811b3a38eb1484f85f64296c) Cc: # v5.17+ commit 1a6897921f52ceb2c8665ef826e405bd96385159 Author: Zack Rusin Date: Wed Feb 8 13:00:50 2023 -0500 drm/vmwgfx: Stop accessing buffer objects which failed init ttm_bo_init_reserved on failure puts the buffer object back which causes it to be deleted, but kfree was still being called on the same buffer in vmw_bo_create leading to a double free. After the double free the vmw_gem_object_create_with_handle was setting the gem function objects before checking the return status of vmw_bo_create leading to null pointer access. Fix the entire path by relaying on ttm_bo_init_reserved to delete the buffer objects on failure and making sure the return status is checked before setting the gem function objects on the buffer object. Signed-off-by: Zack Rusin Fixes: 8afa13a0583f ("drm/vmwgfx: Implement DRIVER_GEM") Reviewed-by: Maaz Mombasawala Reviewed-by: Martin Krastev Link: https://patchwork.freedesktop.org/patch/msgid/20230208180050.2093426-1-zack@kde.org (cherry picked from commit 36d421e632e9a0e8375eaed0143551a34d81a7e3) Cc: # v5.17+ commit d5a1224aa68c8b124a4c5c390186e571815ed390 Author: Matt Roper Date: Wed Feb 1 14:28:29 2023 -0800 drm/i915/gen11: Wa_1408615072/Wa_1407596294 should be on GT list The UNSLICE_UNIT_LEVEL_CLKGATE register programmed by this workaround has 'BUS' style reset, indicating that it does not lose its value on engine resets. Furthermore, this register is part of the GT forcewake domain rather than the RENDER domain, so it should not be impacted by RCS engine resets. As such, we should implement this on the GT workaround list rather than an engine list. Bspec: 19219 Fixes: 3551ff928744 ("drm/i915/gen11: Moving WAs to rcs_engine_wa_init()") Signed-off-by: Matt Roper Reviewed-by: Gustavo Sousa Link: https://patchwork.freedesktop.org/patch/msgid/20230201222831.608281-2-matthew.d.roper@intel.com (cherry picked from commit 5f21dc07b52eb54a908e66f5d6e05a87bcb5b049) Signed-off-by: Rodrigo Vivi commit 0967bf837784a11c65d66060623a74e65211af0b Author: Jason Xing Date: Thu Feb 9 10:41:28 2023 +0800 ixgbe: add double of VLAN header when computing the max MTU Include the second VLAN HLEN into account when computing the maximum MTU size as other drivers do. Fixes: fabf1bce103a ("ixgbe: Prevent unsupported configurations with XDP") Signed-off-by: Jason Xing Reviewed-by: Alexander Duyck Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) Signed-off-by: Tony Nguyen commit ce45ffb815e8e238f05de1630be3969b6bb15e4e Author: Jason Xing Date: Wed Feb 8 10:43:33 2023 +0800 i40e: add double of VLAN header when computing the max MTU Include the second VLAN HLEN into account when computing the maximum MTU size as other drivers do. Fixes: 0c8493d90b6b ("i40e: add XDP support for pass and drop actions") Signed-off-by: Jason Xing Reviewed-by: Alexander Duyck Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) Signed-off-by: Tony Nguyen commit f9cd6a4418bac6a046ee78382423b1ae7565fb24 Author: Jason Xing Date: Wed Feb 8 10:43:32 2023 +0800 ixgbe: allow to increase MTU to 3K with XDP enabled Recently I encountered one case where I cannot increase the MTU size directly from 1500 to a much bigger value with XDP enabled if the server is equipped with IXGBE card, which happened on thousands of servers in production environment. After applying the current patch, we can set the maximum MTU size to 3K. This patch follows the behavior of changing MTU as i40e/ice does. References: [1] commit 23b44513c3e6 ("ice: allow 3k MTU for XDP") [2] commit 0c8493d90b6b ("i40e: add XDP support for pass and drop actions") Fixes: fabf1bce103a ("ixgbe: Prevent unsupported configurations with XDP") Signed-off-by: Jason Xing Reviewed-by: Alexander Duyck Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) Signed-off-by: Tony Nguyen commit e1c04510f521e853019afeca2a5991a5ef8d6a5b Merge: 82eac0c830b7d 6f098cde9df2c Author: Linus Torvalds Date: Tue Feb 14 09:38:33 2023 -0800 Merge tag 'pm-6.2-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "Add a missing NULL pointer check to the cpufreq drver for Qualcomm platforms (Manivannan Sadhasivam)" * tag 'pm-6.2-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq: qcom-hw: Add missing null pointer check commit 82eac0c830b7d917bd2a8806eb6ed21ef1e0f84e Merge: f6feea56f66d3 493a2c2d23ca9 Author: Linus Torvalds Date: Tue Feb 14 09:17:01 2023 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "Certain AMD processors are vulnerable to a cross-thread return address predictions bug. When running in SMT mode and one of the sibling threads transitions out of C0 state, the other thread gets access to twice as many entries in the RSB, but unfortunately the predictions of the now-halted logical processor are not purged. Therefore, the executing processor could speculatively execute from locations that the now-halted processor had trained the RSB on. The Spectre v2 mitigations cover the Linux kernel, as it fills the RSB when context switching to the idle thread. However, KVM allows a VMM to prevent exiting guest mode when transitioning out of C0 using the KVM_CAP_X86_DISABLE_EXITS capability can be used by a VMM to change this behavior. To mitigate the cross-thread return address predictions bug, a VMM must not be allowed to override the default behavior to intercept C0 transitions. These patches introduce a KVM module parameter that, if set, will prevent the user from disabling the HLT, MWAIT and CSTATE exits" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: Documentation/hw-vuln: Add documentation for Cross-Thread Return Predictions KVM: x86: Mitigate the cross-thread return address predictions bug x86/speculation: Identify processors vulnerable to SMT RSB predictions commit 9251584af09285133bec0595e5c7218fe2e595c9 Author: Andy Chi Date: Tue Feb 14 22:04:31 2023 +0800 ALSA: hda/realtek: Enable mute/micmute LEDs and speaker support for HP Laptops On HP Laptops, requires the ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED quirk to make its audio LEDs and speaker work. Signed-off-by: Andy Chi Cc: Link: https://lore.kernel.org/r/20230214140432.39654-1-andy.chi@canonical.com Signed-off-by: Takashi Iwai commit 6f098cde9df2c86d60db727d6270272751943674 Author: Manivannan Sadhasivam Date: Tue Feb 14 15:11:15 2023 +0530 cpufreq: qcom-hw: Add missing null pointer check of_device_get_match_data() may return NULL, so add a check to prevent potential null pointer dereference. Issue reported by Qualcomm's internal static analysis tool. Fixes: 4f7961706c63 ("cpufreq: qcom-hw: Move soc_data to struct qcom_cpufreq") Signed-off-by: Manivannan Sadhasivam Acked-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki commit 5007b848ff2234ff7ea55755cb315766888988da Author: Andy Chi Date: Tue Feb 14 11:58:51 2023 +0800 ALSA: hda/realtek: fix mute/micmute LEDs don't work for a HP platform. There is a HP platform needs ALC236_FIXUP_HP_GPIO_LED quirk to make mic-mute/audio-mute working. Signed-off-by: Andy Chi Cc: Link: https://lore.kernel.org/r/20230214035853.31217-1-andy.chi@canonical.com Signed-off-by: Takashi Iwai commit d125d1349abeb46945dc5e98f7824bf688266f13 Author: Thomas Gleixner Date: Thu Feb 9 23:25:49 2023 +0100 alarmtimer: Prevent starvation by small intervals and SIG_IGN syzbot reported a RCU stall which is caused by setting up an alarmtimer with a very small interval and ignoring the signal. The reproducer arms the alarm timer with a relative expiry of 8ns and an interval of 9ns. Not a problem per se, but that's an issue when the signal is ignored because then the timer is immediately rearmed because there is no way to delay that rearming to the signal delivery path. See posix_timer_fn() and commit 58229a189942 ("posix-timers: Prevent softirq starvation by small intervals and SIG_IGN") for details. The reproducer does not set SIG_IGN explicitely, but it sets up the timers signal with SIGCONT. That has the same effect as explicitely setting SIG_IGN for a signal as SIGCONT is ignored if there is no handler set and the task is not ptraced. The log clearly shows that: [pid 5102] --- SIGCONT {si_signo=SIGCONT, si_code=SI_TIMER, si_timerid=0, si_overrun=316014, si_int=0, si_ptr=NULL} --- It works because the tasks are traced and therefore the signal is queued so the tracer can see it, which delays the restart of the timer to the signal delivery path. But then the tracer is killed: [pid 5087] kill(-5102, SIGKILL ... ./strace-static-x86_64: Process 5107 detached and after it's gone the stall can be observed: syzkaller login: [ 79.439102][ C0] hrtimer: interrupt took 68471 ns [ 184.460538][ C1] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: ... [ 184.658237][ C1] rcu: Stack dump where RCU GP kthread last ran: [ 184.664574][ C1] Sending NMI from CPU 1 to CPUs 0: [ 184.669821][ C0] NMI backtrace for cpu 0 [ 184.669831][ C0] CPU: 0 PID: 5108 Comm: syz-executor192 Not tainted 6.2.0-rc6-next-20230203-syzkaller #0 ... [ 184.670036][ C0] Call Trace: [ 184.670041][ C0] [ 184.670045][ C0] alarmtimer_fired+0x327/0x670 posix_timer_fn() prevents that by checking whether the interval for timers which have the signal ignored is smaller than a jiffie and artifically delay it by shifting the next expiry out by a jiffie. That's accurate vs. the overrun accounting, but slightly inaccurate vs. timer_gettimer(2). The comment in that function says what needs to be done and there was a fix available for the regular userspace induced SIG_IGN mechanism, but that did not work due to the implicit ignore for SIGCONT and similar signals. This needs to be worked on, but for now the only available workaround is to do exactly what posix_timer_fn() does: Increase the interval of self-rearming timers, which have their signal ignored, to at least a jiffie. Interestingly this has been fixed before via commit ff86bf0c65f1 ("alarmtimer: Rate limit periodic intervals") already, but that fix got lost in a later rework. Reported-by: syzbot+b9564ba6e8e00694511b@syzkaller.appspotmail.com Fixes: f2c45807d399 ("alarmtimer: Switch over to generic set/get/rearm routine") Signed-off-by: Thomas Gleixner Acked-by: John Stultz Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/87k00q1no2.ffs@tglx commit f9f57da2c2d119dbf109e3f6e1ceab7659294046 Author: Juergen Gross Date: Thu Feb 9 08:22:17 2023 +0100 x86/mtrr: Revert 90b926e68f50 ("x86/pat: Fix pat_x_mtrr_type() for MTRR disabled case") Commit 90b926e68f50 ("x86/pat: Fix pat_x_mtrr_type() for MTRR disabled case") broke the use case of running Xen dom0 kernels on machines with an external disk enclosure attached via USB, see Link tag. What this commit was originally fixing - SEV-SNP guests on Hyper-V - is a more specialized situation which has other issues at the moment anyway so reverting this now and addressing the issue properly later is the prudent thing to do. So revert it in time for the 6.2 proper release. [ bp: Rewrite commit message. ] Reported-by: Christian Kujau Tested-by: Christian Kujau Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/4fe9541e-4d4c-2b2a-f8c8-2d34a7284930@nerdbynature.de commit 05d7623a892a9da62da0e714428e38f09e4a64d8 Author: Cristian Ciocaltea Date: Fri Feb 10 22:21:26 2023 +0200 net: stmmac: Restrict warning on disabling DMA store and fwd mode When setting 'snps,force_thresh_dma_mode' DT property, the following warning is always emitted, regardless the status of force_sf_dma_mode: dwmac-starfive 10020000.ethernet: force_sf_dma_mode is ignored if force_thresh_dma_mode is set. Do not print the rather misleading message when DMA store and forward mode is already disabled. Fixes: e2a240c7d3bc ("driver:net:stmmac: Disable DMA store and forward mode if platform data force_thresh_dma_mode is set.") Signed-off-by: Cristian Ciocaltea Link: https://lore.kernel.org/r/20230210202126.877548-1-cristian.ciocaltea@collabora.com Signed-off-by: Paolo Abeni commit dc785d69d753a3894c93afc23b91404652382ead Author: Irvin Cote Date: Thu Feb 9 17:43:57 2023 -0300 nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev Don't mix NULL and ERR_PTR returns. Fixes: 2e87570be9d2 ("nvme-pci: factor out a nvme_pci_alloc_dev helper") Signed-off-by: Irvin Cote Reviewed-by: Keith Busch Signed-off-by: Christoph Hellwig commit 924bd96ea27d53706147a94b8e576080535785df Author: Christoph Hellwig Date: Mon Feb 13 06:58:33 2023 +0100 nvme-pci: set the DMA mask earlier Set the DMA mask before calling dma_addressing_limited, which depends on it. Note that this stop checking the return value of dma_set_mask_and_coherent as this function can only fail for masks < 32-bit. Fixes: 3f30a79c2e2c ("nvme-pci: set constant paramters in nvme_pci_alloc_ctrl") Reported-by: Michael Kelley Signed-off-by: Christoph Hellwig Reviewed-by: Jens Axboe Reviewed-by: Sagi Grimberg Tested-by: Michael Kelley commit 21c167aa0ba943a7cac2f6969814f83bb701666b Author: Pedro Tammela Date: Fri Feb 10 17:08:25 2023 -0300 net/sched: act_ctinfo: use percpu stats The tc action act_ctinfo was using shared stats, fix it to use percpu stats since bstats_update() must be called with locks or with a percpu pointer argument. tdc results: 1..12 ok 1 c826 - Add ctinfo action with default setting ok 2 0286 - Add ctinfo action with dscp ok 3 4938 - Add ctinfo action with valid cpmark and zone ok 4 7593 - Add ctinfo action with drop control ok 5 2961 - Replace ctinfo action zone and action control ok 6 e567 - Delete ctinfo action with valid index ok 7 6a91 - Delete ctinfo action with invalid index ok 8 5232 - List ctinfo actions ok 9 7702 - Flush ctinfo actions ok 10 3201 - Add ctinfo action with duplicate index ok 11 8295 - Add ctinfo action with invalid index ok 12 3964 - Replace ctinfo action with invalid goto_chain control Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action") Reviewed-by: Jamal Hadi Salim Signed-off-by: Pedro Tammela Reviewed-by: Larysa Zaremba Link: https://lore.kernel.org/r/20230210200824.444856-1-pctammela@mojatatu.com Signed-off-by: Jakub Kicinski commit 4562c65ec852067c6196abdcf2d925f08841dcbc Author: Johannes Zink Date: Fri Feb 10 15:39:37 2023 +0100 net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence So far changing the period by just setting new period values while running did not work. The order as indicated by the publicly available reference manual of the i.MX8MP [1] indicates a sequence: * initiate the programming sequence * set the values for PPS period and start time * start the pulse train generation. This is currently not used in dwmac5_flex_pps_config(), which instead does: * initiate the programming sequence and immediately start the pulse train generation * set the values for PPS period and start time This caused the period values written not to take effect until the FlexPPS output was disabled and re-enabled again. This patch fix the order and allows the period to be set immediately. [1] https://www.nxp.com/webapp/Download?colCode=IMX8MPRM Fixes: 9a8a02c9d46d ("net: stmmac: Add Flexible PPS support") Signed-off-by: Johannes Zink Link: https://lore.kernel.org/r/20230210143937.3427483-1-j.zink@pengutronix.de Signed-off-by: Jakub Kicinski commit 1aff53b2fd903b300dfd71af0064c21fbca313c6 Author: Randy Dunlap Date: Mon Feb 13 13:25:49 2023 -0800 ata: pata_octeon_cf: drop kernel-doc notation Fix a slew of kernel-doc warnings in pata_octeon_cf.c by changing all "/**" comments to "/*" since they are not in kernel-doc format. Fixes: 3c929c6f5aa7 ("libata: New driver for OCTEON SOC Compact Flash interface (v7).") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Link: https://lore.kernel.org/all/202302101722.5O56RClE-lkp@intel.com/ Cc: David Daney Cc: Damien Le Moal Cc: Mauro Carvalho Chehab Cc: linux-ide@vger.kernel.org Signed-off-by: Damien Le Moal commit 104ff59af73aba524e57ae0fef70121643ff270e Author: Simon Gaiser Date: Mon Feb 13 11:24:49 2023 +0100 ata: ahci: Add Tiger Lake UP{3,4} AHCI controller Mark the Tiger Lake UP{3,4} AHCI controller as "low_power". This enables S0ix to work out of the box. Otherwise this isn't working unless the user manually sets /sys/class/scsi_host/*/link_power_management_policy. Intel lists a total of 4 SATA controller IDs in [1] for those mobile PCHs. This commit just adds the "AHCI" variant since I only tested those. [1]: https://cdrdv2.intel.com/v1/dl/getContent/631119 Signed-off-by: Simon Gaiser CC: stable@vger.kernel.org Signed-off-by: Damien Le Moal commit ead089577e0f55b238f980d9f62eaa90b7b64672 Author: Patrick McLean Date: Fri Feb 10 13:51:51 2023 -0800 ata: libata-core: Disable READ LOG DMA EXT for Samsung MZ7LH Samsung MZ7LH drives are spewing messages like this in to dmesg with AMD SATA controllers: ata1.00: exception Emask 0x0 SAct 0x7e0000 SErr 0x0 action 0x6 frozen ata1.00: failed command: SEND FPDMA QUEUED ata1.00: cmd 64/01:88:00:00:00/00:00:00:00:00/a0 tag 17 ncq dma 512 out res 40/00:01:01:4f:c2/00:00:00:00:00/00 Emask 0x4 (timeout) Since this was seen previously with SSD 840 EVO drives in https://bugzilla.kernel.org/show_bug.cgi?id=203475 let's add the same fix for these drives as the EVOs have, since they likely have very similar firmwares. Signed-off-by: Patrick McLean Signed-off-by: Damien Le Moal commit 3f18c5046e633cc4bbad396b74c05d46d353033d Author: Paul Cercueil Date: Tue Jan 31 21:02:28 2023 +0000 mmc: jz4740: Work around bug on JZ4760(B) On JZ4760 and JZ4760B, SD cards fail to run if the maximum clock rate is set to 50 MHz, even though the controller officially does support it. Until the actual bug is found and fixed, limit the maximum clock rate to 24 MHz. Signed-off-by: Paul Cercueil Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230131210229.68129-1-paul@crapouillou.net Signed-off-by: Ulf Hansson commit cf4c9d2ac1e42c7d18b921bec39486896645b714 Author: Yang Yingliang Date: Tue Jan 31 09:38:35 2023 +0800 mmc: mmc_spi: fix error handling in mmc_spi_probe() If mmc_add_host() fails, it doesn't need to call mmc_remove_host(), or it will cause null-ptr-deref, because of deleting a not added device in mmc_remove_host(). To fix this, goto label 'fail_glue_init', if mmc_add_host() fails, and change the label 'fail_add_host' to 'fail_gpiod_request'. Fixes: 15a0580ced08 ("mmc_spi host driver") Signed-off-by: Yang Yingliang Cc:stable@vger.kernel.org Link: https://lore.kernel.org/r/20230131013835.3564011-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson commit 605d9fb9556f8f5fb4566f4df1480f280f308ded Author: Yang Yingliang Date: Mon Jan 30 20:58:08 2023 +0800 mmc: sdio: fix possible resource leaks in some error paths If sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can not release the resources, because the sdio function is not presented in these two cases, it won't call of_node_put() or put_device(). To fix these leaks, make sdio_func_present() only control whether device_del() needs to be called or not, then always call of_node_put() and put_device(). In error case in sdio_init_func(), the reference of 'card->dev' is not get, to avoid redundant put in sdio_free_func_cis(), move the get_device() to sdio_alloc_func() and put_device() to sdio_release_func(), it can keep the get/put function be balanced. Without this patch, while doing fault inject test, it can get the following leak reports, after this fix, the leak is gone. unreferenced object 0xffff888112514000 (size 2048): comm "kworker/3:2", pid 65, jiffies 4294741614 (age 124.774s) hex dump (first 32 bytes): 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X...... 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q..... backtrace: [<000000009e5931da>] kmalloc_trace+0x21/0x110 [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core] [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core] [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core] [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core] unreferenced object 0xffff888112511000 (size 2048): comm "kworker/3:2", pid 65, jiffies 4294741623 (age 124.766s) hex dump (first 32 bytes): 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X...... 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q..... backtrace: [<000000009e5931da>] kmalloc_trace+0x21/0x110 [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core] [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core] [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core] Fixes: 3d10a1ba0d37 ("sdio: fix reference counting in sdio_remove_func()") Signed-off-by: Yang Yingliang Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230130125808.3471254-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson commit 6ea6b95a7e3ec2015954cb514ee9dbc6dc80ec8f Author: Heiner Kallweit Date: Mon Feb 13 21:55:56 2023 +0100 mmc: meson-gx: fix SDIO mode if cap_sdio_irq isn't set Some SDIO WiFi modules stopped working after SDIO interrupt mode was added if cap_sdio_irq isn't set in device tree. This patch was confirmed to fix the issue. Fixes: 066ecde6d826 ("mmc: meson-gx: add SDIO interrupt support") Reported-by: Geraldo Nascimento Tested-by: Geraldo Nascimento Cc: stable@vger.kernel.org Signed-off-by: Heiner Kallweit Link: https://lore.kernel.org/r/816cba9f-ff92-31a2-60f0-aca542d1d13e@gmail.com Signed-off-by: Ulf Hansson commit f6feea56f66d34259c4222fa02e8171c4f2673d1 Merge: b408817d48840 ce4d9a1ea35ac Author: Linus Torvalds Date: Mon Feb 13 14:09:20 2023 -0800 Merge tag 'mm-hotfixes-stable-2023-02-13-13-50' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "Twelve hotfixes, mostly against mm/. Five of these fixes are cc:stable" * tag 'mm-hotfixes-stable-2023-02-13-13-50' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: of: reserved_mem: Have kmemleak ignore dynamically allocated reserved mem scripts/gdb: fix 'lx-current' for x86 lib: parser: optimize match_NUMBER apis to use local array mm: shrinkers: fix deadlock in shrinker debugfs mm: hwpoison: support recovery from ksm_might_need_to_copy() kasan: fix Oops due to missing calls to kasan_arch_is_ready() revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" fsdax: dax_unshare_iter() should return a valid length mm/gup: add folio to list when folio_isolate_lru() succeed aio: fix mremap after fork null-deref mailmap: add entry for Alexander Mikhalitsyn mm: extend max struct page size for kmsan commit 43fbca02c2ddc39ff5879b6f3a4a097b1ba02098 Author: Jesse Brandeburg Date: Mon Feb 6 15:54:36 2023 -0800 ice: fix lost multicast packets in promisc mode There was a problem reported to us where the addition of a VF with an IPv6 address ending with a particular sequence would cause the parent device on the PF to no longer be able to respond to neighbor discovery packets. In this case, we had an ovs-bridge device living on top of a VLAN, which was on top of a PF, and it would not be able to talk anymore (the neighbor entry would expire and couldn't be restored). The root cause of the issue is that if the PF is asked to be in IFF_PROMISC mode (promiscuous mode) and it had an ipv6 address that needed the 33:33:ff:00:00:04 multicast address to work, then when the VF was added with the need for the same multicast address, the VF would steal all the traffic destined for that address. The ice driver didn't auto-subscribe a request of IFF_PROMISC to the "multicast replication from other port's traffic" meaning that it won't get for instance, packets with an exact destination in the VF, as above. The VF's IPv6 address, which adds a "perfect filter" for 33:33:ff:00:00:04, results in no packets for that multicast address making it to the PF (which is in promisc but NOT "multicast replication"). The fix is to enable "multicast promiscuous" whenever the driver is asked to enable IFF_PROMISC, and make sure to disable it when appropriate. Fixes: e94d44786693 ("ice: Implement filter sync, NDO operations and bump version") Signed-off-by: Jesse Brandeburg Tested-by: Rafal Romanowski Signed-off-by: Tony Nguyen commit 3e6dc119a37bceb06e1d595b1d41b52f3e99132d Author: Michal Wilczynski Date: Wed Jan 25 12:37:40 2023 +0100 ice: Fix check for weight and priority of a scheduling node Currently checks for weight and priority ranges don't check incoming value from the devlink. Instead it checks node current weight or priority. This makes those checks useless. Change range checks in ice_set_object_tx_priority() and ice_set_object_tx_weight() to check against incoming priority an weight. Fixes: 42c2eb6b1f43 ("ice: Implement devlink-rate API") Signed-off-by: Michal Wilczynski Acked-by: Jesse Brandeburg Reviewed-by: Paul Menzel Tested-by: Gurucharan G (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit b408817d48840847c00052ae0e02a54311913073 Merge: ceaa837f96adb eb4b55f2f26fc Author: Linus Torvalds Date: Mon Feb 13 08:29:06 2023 -0800 Merge tag 'platform-drivers-x86-v6.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform drivers fix from Hans de Goede: "Intel vsec driver Meteor Lake PCI ids addition" * tag 'platform-drivers-x86-v6.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86/intel/vsec: Add support for Meteor Lake commit bb2ff6c27bc9e1da4d3ec5e7b1d6b9df1092cb5a Author: Ville Syrjälä Date: Tue Feb 7 16:33:37 2023 +0200 drm: Disable dynamic debug as broken CONFIG_DRM_USE_DYNAMIC_DEBUG breaks debug prints for (at least modular) drm drivers. The debug prints can be reinstated by manually frobbing /sys/module/drm/parameters/debug after the fact, but at that point the damage is done and all debugs from driver probe are lost. This makes drivers totally undebuggable. There's a more complete fix in progress [1], with further details, but we need this fixed in stable kernels. Mark the feature as broken and disable it by default, with hopes distros follow suit and disable it as well. [1] https://lore.kernel.org/r/20230125203743.564009-1-jim.cromie@gmail.com Fixes: 84ec67288c10 ("drm_print: wrap drm_*_dbg in dyndbg descriptor factory macro") Cc: Jim Cromie Cc: Greg Kroah-Hartman Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: David Airlie Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Cc: # v6.1+ Signed-off-by: Ville Syrjälä Acked-by: Greg Kroah-Hartman Acked-by: Jim Cromie Acked-by: Maxime Ripard Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20230207143337.2126678-1-jani.nikula@intel.com commit df14b7f9efcda35e59bb6f50351aac25c50f6e24 Author: Waiman Long Date: Fri Feb 3 13:18:49 2023 -0500 sched/core: Fix a missed update of user_cpus_ptr Since commit 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask"), a successful call to sched_setaffinity() should always save the user requested cpu affinity mask in a task's user_cpus_ptr. However, when the given cpu mask is the same as the current one, user_cpus_ptr is not updated. Fix this by saving the user mask in this case too. Fixes: 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask") Signed-off-by: Waiman Long Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20230203181849.221943-1-longman@redhat.com commit eedeb787ebb53de5c5dcf7b7b39d01bf1b0f037d Author: Peter Zijlstra Date: Fri Feb 3 15:31:11 2023 +0100 freezer,umh: Fix call_usermode_helper_exec() vs SIGKILL Tetsuo-San noted that commit f5d39b020809 ("freezer,sched: Rewrite core freezer logic") broke call_usermodehelper_exec() for the KILLABLE case. Specifically it was missed that the second, unconditional, wait_for_completion() was not optional and ensures the on-stack completion is unused before going out-of-scope. Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic") Reported-by: syzbot+6cd18e123583550cf469@syzkaller.appspotmail.com Reported-by: Tetsuo Handa Debugged-by: Tetsuo Handa Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/Y90ar35uKQoUrLEK@hirez.programming.kicks-ass.net commit 2b129f0b24ab578b02901b4a1744b7f97399faa0 Author: Reinette Chatre Date: Thu Feb 9 13:49:00 2023 -0800 PCI/MSI: Provide missing stubs for CONFIG_PCI_MSI=n pci_msix_alloc_irq_at() and pci_msix_free_irq() are not declared when CONFIG_PCI_MSI is disabled. Users of these two calls do not yet exist but when users do appear (shown below is an attempt to use the new API in vfio-pci) the following errors will be encountered when compiling with CONFIG_PCI_MSI disabled: drivers/vfio/pci/vfio_pci_intrs.c:461:4: error: implicit declaration of\ function 'pci_msix_free_irq' is invalid in C99\ [-Werror,-Wimplicit-function-declaration] pci_msix_free_irq(pdev, msix_map); ^ drivers/vfio/pci/vfio_pci_intrs.c:511:15: error: implicit declaration of\ function 'pci_msix_alloc_irq_at' is invalid in C99\ [-Werror,-Wimplicit-function-declaration] msix_map = pci_msix_alloc_irq_at(pdev, vector, NULL); Provide definitions for pci_msix_alloc_irq_at() and pci_msix_free_irq() in preparation for users that need to compile when CONFIG_PCI_MSI is disabled. Reported-by: kernel test robot Fixes: 34026364df8e ("PCI/MSI: Provide post-enable dynamic allocation interfaces for MSI-X") Signed-off-by: Reinette Chatre Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/158e40e1cfcfc58ae30ecb2bbfaf86e5bba7a1ef.1675978686.git.reinette.chatre@intel.com commit 2038cc592811209de20c4e094ca08bfb1e6fbc6c Author: Michael Chan Date: Fri Feb 10 12:31:55 2023 -0500 bnxt_en: Fix mqprio and XDP ring checking logic In bnxt_reserve_rings(), there is logic to check that the number of TX rings reserved is enough to cover all the mqprio TCs, but it fails to account for the TX XDP rings. So the check will always fail if there are mqprio TCs and TX XDP rings. As a result, the driver always fails to initialize after the XDP program is attached and the device will be brought down. A subsequent ifconfig up will also fail because the number of TX rings is set to an inconsistent number. Fix the check to properly account for TX XDP rings. If the check fails, set the number of TX rings back to a consistent number after calling netdev_reset_tc(). Fixes: 674f50a5b026 ("bnxt_en: Implement new method to reserve rings.") Reviewed-by: Hongguang Gao Signed-off-by: Michael Chan Signed-off-by: David S. Miller commit 9b55d3f0a69af649c62cbc2633e6d695bb3cc583 Author: Felix Riemann Date: Fri Feb 10 13:36:44 2023 +0100 net: Fix unwanted sign extension in netdev_stats_to_stats64() When converting net_device_stats to rtnl_link_stats64 sign extension is triggered on ILP32 machines as 6c1c509778 changed the previous "ulong -> u64" conversion to "long -> u64" by accessing the net_device_stats fields through a (signed) atomic_long_t. This causes for example the received bytes counter to jump to 16EiB after having received 2^31 bytes. Casting the atomic value to "unsigned long" beforehand converting it into u64 avoids this. Fixes: 6c1c5097781f ("net: add atomic_long_t to net_device_stats fields") Signed-off-by: Felix Riemann Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller commit c68f345b7c425b38656e1791a0486769a8797016 Author: Miko Larsson Date: Fri Feb 10 09:13:44 2023 +0100 net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path syzbot reported that act_len in kalmia_send_init_packet() is uninitialized when passing it to the first usb_bulk_msg error path. Jiri Pirko noted that it's pointless to pass it in the error path, and that the value that would be printed in the second error path would be the value of act_len from the first call to usb_bulk_msg.[1] With this in mind, let's just not pass act_len to the usb_bulk_msg error paths. 1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/ Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730") Reported-and-tested-by: syzbot+cd80c5ef5121bfe85b55@syzkaller.appspotmail.com Signed-off-by: Miko Larsson Reviewed-by: Alexander Duyck Signed-off-by: David S. Miller commit 2fa28f5c6fcbfc794340684f36d2581b4f2d20b5 Author: Hangyu Hua Date: Fri Feb 10 10:05:51 2023 +0800 net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() old_meter needs to be free after it is detached regardless of whether the new meter is successfully attached. Fixes: c7c4c44c9a95 ("net: openvswitch: expand the meters supported number") Signed-off-by: Hangyu Hua Acked-by: Eelco Chaudron Reviewed-by: Simon Horman Signed-off-by: David S. Miller commit 2f4796518315ab246638db8feebfcb494212e7ee Author: Hyunwoo Kim Date: Thu Feb 9 01:16:48 2023 -0800 af_key: Fix heap information leak Since x->encap of pfkey_msg2xfrm_state() is not initialized to 0, kernel heap data can be leaked. Fix with kzalloc() to prevent this. Signed-off-by: Hyunwoo Kim Acked-by: Herbert Xu Reviewed-by: Sabrina Dubroca Signed-off-by: David S. Miller commit 2bdccfd290d421b50df4ec6a68d832dad1310748 Author: Kailang Yang Date: Mon Feb 13 14:54:22 2023 +0800 ALSA: hda/realtek - fixed wrong gpio assigned GPIO2 PIN use for output. Mask Dir and Data need to assign for 0x4. Not 0x3. This fixed was for Lenovo Desktop(0x17aa1056). GPIO2 use for AMP enable. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/8d02bb9ac8134f878cd08607fdf088fd@realtek.com Signed-off-by: Takashi Iwai commit 5f69f009b7c445ddd219609c0085825c6270415a Author: Daniel Wagner Date: Wed Feb 8 17:14:35 2023 +0100 nvme-pci: add bogus ID quirk for ADATA SX6000PNP Yet another device which needs a quirk: nvme nvme1: globally duplicate IDs for nsid 1 nvme nvme1: VID:DID 10ec:5763 model:ADATA SX6000PNP firmware:V9002s94 Link: http://bugzilla.opensuse.org/show_bug.cgi?id=1207827 Reported-by: Gustavo Freitas Signed-off-by: Daniel Wagner Signed-off-by: Christoph Hellwig commit 70b5339caf847b8b6097b6dfab0c5a99b40713c8 Author: Steven Rostedt (Google) Date: Sun Feb 12 20:11:42 2023 -0500 tracing: Make trace_define_field_ext() static trace_define_field_ext() is not used outside of trace_events.c, it should be static. Link: https://lore.kernel.org/oe-kbuild-all/202302130750.679RaRog-lkp@intel.com/ Fixes: b6c7abd1c28a ("tracing: Fix TASK_COMM_LEN in trace event format file") Reported-by: Reported-by: kernel test robot Signed-off-by: Steven Rostedt (Google) commit ceaa837f96adb69c0df0397937cd74991d5d821a Author: Linus Torvalds Date: Sun Feb 12 14:10:17 2023 -0800 Linux 6.2-rc8 commit 80510b63f7b6bdd30e07b3a42115d0a324e20cd6 Author: John Paul Adrian Glaubitz Date: Tue Feb 7 17:57:15 2023 +0100 MAINTAINERS: Add myself as maintainer for arch/sh (SUPERH) Both Rich Felker and Yoshinori Sato haven't done any work on arch/sh for a while. As I have been maintaining Debian's sh4 port since 2014, I am interested to keep the architecture alive. Signed-off-by: John Paul Adrian Glaubitz Acked-by: Yoshinori Sato Acked-by: Geert Uytterhoeven Signed-off-by: Linus Torvalds commit 5e98e916f95bdc50e90f3199d7f3d74b94fa5976 Merge: 711e9a4d52bf4 b6c7abd1c28a6 Author: Linus Torvalds Date: Sun Feb 12 13:52:17 2023 -0800 Merge tag 'trace-v6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fix from Steven Rostedt: "Fix showing of TASK_COMM_LEN instead of its value The TASK_COMM_LEN was converted from a macro into an enum so that BTF would have access to it. But this unfortunately caused TASK_COMM_LEN to display in the format fields of trace events, as they are created by the TRACE_EVENT() macro and such, macros convert to their values, where as enums do not. To handle this, instead of using the field itself to be display, save the value of the array size as another field in the trace_event_fields structure, and use that instead. Not only does this fix the issue, but also converts the other trace events that have this same problem (but were not breaking tooling). With this change, the original work around b3bc8547d3be6 ("tracing: Have TRACE_DEFINE_ENUM affect trace event types as well") could be reverted (but that should be done in the merge window)" * tag 'trace-v6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: Fix TASK_COMM_LEN in trace event format file commit 711e9a4d52bf4e477e51c7135e1e6188c42018d0 Merge: e2bca0ebf7754 5f58d783fd782 Author: Linus Torvalds Date: Sun Feb 12 11:26:36 2023 -0800 Merge tag 'for-6.2-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: - one more fix for a tree-log 'write time corruption' report, update the last dir index directly and don't keep in the log context - do VFS-level inode lock around FIEMAP to prevent a deadlock with concurrent fsync, the extent-level lock is not sufficient - don't cache a single-device filesystem device to avoid cases when a loop device is reformatted and the entry gets stale * tag 'for-6.2-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: free device in btrfs_close_devices for a single device filesystem btrfs: lock the inode in shared mode before starting fiemap btrfs: simplify update of last_dir_index_offset when logging a directory commit e2bca0ebf775453bb3c6b9c2149fb4712621493a Merge: dd78af9fde7ae 303e724d7b1e1 Author: Linus Torvalds Date: Sun Feb 12 11:18:57 2023 -0800 Merge tag 'usb-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are 2 small USB driver fixes that resolve some reported regressions and one new device quirk. Specifically these are: - new quirk for Alcor Link AK9563 smartcard reader - revert of u_ether gadget change in 6.2-rc1 that caused problems - typec pin probe fix All of these have been in linux-next with no reported problems" * tag 'usb-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: core: add quirk for Alcor Link AK9563 smartcard reader usb: typec: altmodes/displayport: Fix probe pin assign check Revert "usb: gadget: u_ether: Do not make UDC parent of the net device" commit dd78af9fde7aeae427adf4bac6cf62ed84e8f898 Merge: 49a0bdb0a38e2 190233164cd77 Author: Linus Torvalds Date: Sun Feb 12 11:13:29 2023 -0800 Merge tag 'efi-fixes-for-v6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi Pull EFI fix from Ard Biesheuvel: "A fix from Darren to widen the SMBIOS match for detecting Ampere Altra machines with problematic firmware. In the mean time, we are working on a more precise check, but this is still work in progress" * tag 'efi-fixes-for-v6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi: arm64: efi: Force the use of SetVirtualAddressMap() on eMAG and Altra Max machines commit 49a0bdb0a38e222d35c50644468856e2408764f0 Merge: 462a8e08e0e62 2ea31e2e62bbc Author: Linus Torvalds Date: Sun Feb 12 11:08:15 2023 -0800 Merge tag 'powerpc-6.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: - Fix interrupt exit race with security mitigation switching. - Don't select ARCH_WANTS_NO_INSTR until warnings are fixed. - Build fix for CONFIG_NUMA=n. Thanks to Nicholas Piggin, Randy Dunlap, and Sachin Sant. * tag 'powerpc-6.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch powerpc/kexec_file: fix implicit decl error powerpc: Don't select ARCH_WANTS_NO_INSTR commit 462a8e08e0e6287e5ce13187257edbf24213ed03 Author: David Chen Date: Thu Feb 9 17:48:28 2023 +0000 Fix page corruption caused by racy check in __free_pages When we upgraded our kernel, we started seeing some page corruption like the following consistently: BUG: Bad page state in process ganesha.nfsd pfn:1304ca page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca flags: 0x17ffffc0000000() raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000 raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000 page dumped because: nonzero mapcount CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 Call Trace: dump_stack+0x74/0x96 bad_page.cold+0x63/0x94 check_new_page_bad+0x6d/0x80 rmqueue+0x46e/0x970 get_page_from_freelist+0xcb/0x3f0 ? _cond_resched+0x19/0x40 __alloc_pages_nodemask+0x164/0x300 alloc_pages_current+0x87/0xf0 skb_page_frag_refill+0x84/0x110 ... Sometimes, it would also show up as corruption in the free list pointer and cause crashes. After bisecting the issue, we found the issue started from commit e320d3012d25 ("mm/page_alloc.c: fix freeing non-compound pages"): if (put_page_testzero(page)) free_the_page(page, order); else if (!PageHead(page)) while (order-- > 0) free_the_page(page + (1 << order), order); So the problem is the check PageHead is racy because at this point we already dropped our reference to the page. So even if we came in with compound page, the page can already be freed and PageHead can return false and we will end up freeing all the tail pages causing double free. Fixes: e320d3012d25 ("mm/page_alloc.c: fix freeing non-compound pages") Link: https://lore.kernel.org/lkml/BYAPR02MB448855960A9656EEA81141FC94D99@BYAPR02MB4488.namprd02.prod.outlook.com/ Cc: Andrew Morton Cc: stable@vger.kernel.org Signed-off-by: Chunwei Chen Reviewed-by: Vlastimil Babka Reviewed-by: Matthew Wilcox (Oracle) Signed-off-by: Linus Torvalds commit b6c7abd1c28a63ad633433d037ee15a1bc3023ba Author: Yafang Shao Date: Sun Feb 12 15:13:03 2023 +0000 tracing: Fix TASK_COMM_LEN in trace event format file After commit 3087c61ed2c4 ("tools/testing/selftests/bpf: replace open-coded 16 with TASK_COMM_LEN"), the content of the format file under /sys/kernel/tracing/events/task/task_newtask was changed from field:char comm[16]; offset:12; size:16; signed:0; to field:char comm[TASK_COMM_LEN]; offset:12; size:16; signed:0; John reported that this change breaks older versions of perfetto. Then Mathieu pointed out that this behavioral change was caused by the use of __stringify(_len), which happens to work on macros, but not on enum labels. And he also gave the suggestion on how to fix it: :One possible solution to make this more robust would be to extend :struct trace_event_fields with one more field that indicates the length :of an array as an actual integer, without storing it in its stringified :form in the type, and do the formatting in f_show where it belongs. The result as follows after this change, $ cat /sys/kernel/tracing/events/task/task_newtask/format field:char comm[16]; offset:12; size:16; signed:0; Link: https://lore.kernel.org/lkml/Y+QaZtz55LIirsUO@google.com/ Link: https://lore.kernel.org/linux-trace-kernel/20230210155921.4610-1-laoar.shao@gmail.com/ Link: https://lore.kernel.org/linux-trace-kernel/20230212151303.12353-1-laoar.shao@gmail.com Cc: stable@vger.kernel.org Cc: Alexei Starovoitov Cc: Kajetan Puchalski CC: Qais Yousef Fixes: 3087c61ed2c4 ("tools/testing/selftests/bpf: replace open-coded 16 with TASK_COMM_LEN") Reported-by: John Stultz Debugged-by: Mathieu Desnoyers Suggested-by: Mathieu Desnoyers Suggested-by: Steven Rostedt Signed-off-by: Yafang Shao Signed-off-by: Steven Rostedt (Google) commit f339c2597ebb00e738f2b6328c14804ed19f5d57 Merge: 47e9aa14ce5ab eede42c9459b5 Author: Linus Torvalds Date: Sat Feb 11 16:39:05 2023 -0800 Merge tag 'spi-fix-v6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "A couple of hopefully final fixes for spi: one driver specific fix for an issue with very large transfers and a fix for an issue with the locking fixes in spidev merged earlier this release cycle which was missed" * tag 'spi-fix-v6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: spidev: fix a recursive locking error spi: dw: Fix wrong FIFO level setting for long xfers commit 47e9aa14ce5abca70d6584a8d8213707d197c38e Merge: 338c84730406c f545e8831e700 Author: Linus Torvalds Date: Sat Feb 11 11:17:21 2023 -0800 Merge tag 'x86-urgent-2023-02-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Ingo Molnar: "Fix a kprobes bug, plus add a new Intel model number to the upstream header for drivers to use" * tag 'x86-urgent-2023-02-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/cpu: Add Lunar Lake M x86/kprobes: Fix 1 byte conditional jump target commit 338c84730406c30185d54b565d670e7e7c96967b Merge: d12aca5c0cee0 db370a8b9f67a Author: Linus Torvalds Date: Sat Feb 11 11:11:18 2023 -0800 Merge tag 'locking-urgent-2023-02-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fix from Ingo Molnar: "Fix an rtmutex missed-wakeup bug" * tag 'locking-urgent-2023-02-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: rtmutex: Ensure that the top waiter is always woken up commit d12aca5c0cee0da197ca55241bcc5ec55dd5ae58 Merge: 95232dd9ae13d 711442e29f16f Author: Linus Torvalds Date: Sat Feb 11 11:03:25 2023 -0800 Merge tag 'cxl-fixes-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl Pull cxl fixes from Dan Williams: "Two fixups for CXL (Compute Express Link) in presence of passthrough decoders. This primarily helps developers using the QEMU CXL emulation, but with the impending arrival of CXL switches these types of topologies will be of interest to end users. - Fix a crash when shutting down regions in the presence of passthrough decoders - Fix region creation to understand passthrough decoders instead of the narrower definition of passthrough ports" * tag 'cxl-fixes-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl: cxl/region: Fix passthrough-decoder detection cxl/region: Fix null pointer dereference for resetting decoder commit 95232dd9ae13d6bb52ebd0c295e5dde30acd0d02 Merge: 230809c145091 c91d713630848 Author: Linus Torvalds Date: Sat Feb 11 10:58:36 2023 -0800 Merge tag 'libnvdimm-fixes-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull libnvdimm fixes from Dan Williams: "A fix for an issue that could causes users to inadvertantly reserve too much capacity when debugging the KMSAN and persistent memory namespace, a lockdep fix, and a kernel-doc build warning: - Resolve the conflict between KMSAN and NVDIMM with respect to reserving pmem namespace / volume capacity for larger sizeof(struct page) - Fix a lockdep warning in the the NFIT code - Fix a kernel-doc build warning" * tag 'libnvdimm-fixes-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: nvdimm: Support sizeof(struct page) > MAX_STRUCT_PAGE_SIZE ACPI: NFIT: fix a potential deadlock during NFIT teardown dax: super.c: fix kernel-doc bad line warning commit 230809c145091e5cfd948bd2db98e67a1a0571de Merge: 420b2d431d18a 647037adcad00 Author: Linus Torvalds Date: Sat Feb 11 10:51:45 2023 -0800 Merge tag 'fixes-2023-02-11' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock Pull memblock revert from Mike Rapoport: "Revert 'mm: Always release pages to the buddy allocator in memblock_free_late()' The pages being freed by memblock_free_late() have already been initialized, but if they are in the deferred init range, __free_one_page() might access nearby uninitialized pages when trying to coalesce buddies, which will cause a crash. A proper fix will be more involved so revert this change for the time being" * tag 'fixes-2023-02-11' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock: Revert "mm: Always release pages to the buddy allocator in memblock_free_late()." commit 4102db175b5d884d133270fdbd0e59111ce688fc Author: Jeff Layton Date: Sat Feb 11 07:50:08 2023 -0500 nfsd: don't destroy global nfs4_file table in per-net shutdown The nfs4_file table is global, so shutting it down when a containerized nfsd is shut down is wrong and can lead to double-frees. Tear down the nfs4_file_rhltable in nfs4_state_shutdown instead of nfs4_state_shutdown_net. Fixes: d47b295e8d76 ("NFSD: Use rhashtable for managing nfs4_file objects") Link: https://bugzilla.redhat.com/show_bug.cgi?id=2169017 Reported-by: JianHong Yin Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever commit 3af4a4f7a20c94009adba65764fa5a0269d70a82 Author: Cezary Rojewski Date: Fri Feb 10 17:55:41 2023 +0100 ALSA: hda: Fix codec device field initializan Commit f2bd1c5ae2cb ("ALSA: hda: Fix page fault in snd_hda_codec_shutdown()") relocated initialization of several codec device fields. Due to differences between codec_exec_verb() and snd_hdac_bus_exec_bus() in how they handle VERB execution - the latter does not touch PM - assigning ->exec_verb to codec_exec_verb() causes PM to be engaged before it is configured for the device. Configuration of PM for the ASoC HDAudio sound card is done with snd_hda_set_power_save() during skl_hda_audio_probe() whereas the assignment happens early, in snd_hda_codec_device_init(). Revert to previous behavior to avoid problems caused by too early PM manipulation. Suggested-by: Jason Montleon Link: https://lore.kernel.org/regressions/CALFERdzKUodLsm6=Ub3g2+PxpNpPtPq3bGBLbff=eZr9_S=YVA@mail.gmail.com Fixes: f2bd1c5ae2cb ("ALSA: hda: Fix page fault in snd_hda_codec_shutdown()") Signed-off-by: Cezary Rojewski Link: https://lore.kernel.org/r/20230210165541.3543604-1-cezary.rojewski@intel.com Signed-off-by: Takashi Iwai commit 20ab8432420e51f1adce23027121efd5478d0ba3 Merge: 7fa0b526f865c 62ec33b44e0f7 Author: Jakub Kicinski Date: Fri Feb 10 19:53:43 2023 -0800 Merge branch 'sk-sk_forward_alloc-fixes' Kuniyuki Iwashima says: ==================== sk->sk_forward_alloc fixes. The first patch fixes a negative sk_forward_alloc by adding sk_rmem_schedule() before skb_set_owner_r(), and second patch removes an unnecessary WARN_ON_ONCE(). v2: https://lore.kernel.org/netdev/20230209013329.87879-1-kuniyu@amazon.com/ v1: https://lore.kernel.org/netdev/20230207183718.54520-1-kuniyu@amazon.com/ ==================== Link: https://lore.kernel.org/r/20230210002202.81442-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski commit 62ec33b44e0f7168ff2886520fec6fb62d03b5a3 Author: Kuniyuki Iwashima Date: Thu Feb 9 16:22:02 2023 -0800 net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues(). Christoph Paasch reported that commit b5fc29233d28 ("inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().") started triggering WARN_ON_ONCE(sk->sk_forward_alloc) in sk_stream_kill_queues(). [0 - 2] Also, we can reproduce it by a program in [3]. In the commit, we delay freeing ipv6_pinfo.pktoptions from sk->destroy() to sk->sk_destruct(), so sk->sk_forward_alloc is no longer zero in inet_csk_destroy_sock(). The same check has been in inet_sock_destruct() from at least v2.6, we can just remove the WARN_ON_ONCE(). However, among the users of sk_stream_kill_queues(), only CAIF is not calling inet_sock_destruct(). Thus, we add the same WARN_ON_ONCE() to caif_sock_destructor(). [0]: https://lore.kernel.org/netdev/39725AB4-88F1-41B3-B07F-949C5CAEFF4F@icloud.com/ [1]: https://github.com/multipath-tcp/mptcp_net-next/issues/341 [2]: WARNING: CPU: 0 PID: 3232 at net/core/stream.c:212 sk_stream_kill_queues+0x2f9/0x3e0 Modules linked in: CPU: 0 PID: 3232 Comm: syz-executor.0 Not tainted 6.2.0-rc5ab24eb4698afbe147b424149c529e2a43ec24eb5 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:sk_stream_kill_queues+0x2f9/0x3e0 Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ec 00 00 00 8b ab 08 01 00 00 e9 60 ff ff ff e8 d0 5f b6 fe 0f 0b eb 97 e8 c7 5f b6 fe <0f> 0b eb a0 e8 be 5f b6 fe 0f 0b e9 6a fe ff ff e8 02 07 e3 fe e9 RSP: 0018:ffff88810570fc68 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff888101f38f40 RSI: ffffffff8285e529 RDI: 0000000000000005 RBP: 0000000000000ce0 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000ce0 R11: 0000000000000001 R12: ffff8881009e9488 R13: ffffffff84af2cc0 R14: 0000000000000000 R15: ffff8881009e9458 FS: 00007f7fdfbd5800(0000) GS:ffff88811b600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b32923000 CR3: 00000001062fc006 CR4: 0000000000170ef0 Call Trace: inet_csk_destroy_sock+0x1a1/0x320 __tcp_close+0xab6/0xe90 tcp_close+0x30/0xc0 inet_release+0xe9/0x1f0 inet6_release+0x4c/0x70 __sock_release+0xd2/0x280 sock_close+0x15/0x20 __fput+0x252/0xa20 task_work_run+0x169/0x250 exit_to_user_mode_prepare+0x113/0x120 syscall_exit_to_user_mode+0x1d/0x40 do_syscall_64+0x48/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f7fdf7ae28d Code: c1 20 00 00 75 10 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 37 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00000000007dfbb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f7fdf7ae28d RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000003 RBP: 0000000000000000 R08: 000000007f338e0f R09: 0000000000000e0f R10: 000000007f338e13 R11: 0000000000000293 R12: 00007f7fdefff000 R13: 00007f7fdefffcd8 R14: 00007f7fdefffce0 R15: 00007f7fdefffcd8 [3]: https://lore.kernel.org/netdev/20230208004245.83497-1-kuniyu@amazon.com/ Fixes: b5fc29233d28 ("inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().") Reported-by: syzbot Reported-by: Christoph Paasch Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Signed-off-by: Jakub Kicinski commit ca43ccf41224b023fc290073d5603a755fd12eed Author: Kuniyuki Iwashima Date: Thu Feb 9 16:22:01 2023 -0800 dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. Eric Dumazet pointed out [0] that when we call skb_set_owner_r() for ipv6_pinfo.pktoptions, sk_rmem_schedule() has not been called, resulting in a negative sk_forward_alloc. We add a new helper which clones a skb and sets its owner only when sk_rmem_schedule() succeeds. Note that we move skb_set_owner_r() forward in (dccp|tcp)_v6_do_rcv() because tcp_send_synack() can make sk_forward_alloc negative before ipv6_opt_accepted() in the crossed SYN-ACK or self-connect() cases. [0]: https://lore.kernel.org/netdev/CANn89iK9oc20Jdi_41jb9URdF210r7d1Y-+uypbMSbOfY6jqrg@mail.gmail.com/ Fixes: 323fbd0edf3f ("net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()") Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet Signed-off-by: Jakub Kicinski commit 7fa0b526f865cb42aa33917fd02a92cb03746f4d Author: Natalia Petrova Date: Thu Feb 9 09:28:33 2023 -0800 i40e: Add checking for null for nlmsg_find_attr() The result of nlmsg_find_attr() 'br_spec' is dereferenced in nla_for_each_nested(), but it can take NULL value in nla_find() function, which will result in an error. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops") Signed-off-by: Natalia Petrova Reviewed-by: Jesse Brandeburg Tested-by: Gurucharan G (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20230209172833.3596034-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 1f090494170ea298530cf1285fb8d078e355b4c0 Author: Larysa Zaremba Date: Thu Feb 9 17:01:30 2023 +0100 ice: xsk: Fix cleaning of XDP_TX frames Incrementation of xsk_frames inside the for-loop produces infinite loop, if we have both normal AF_XDP-TX and XDP_TXed buffers to complete. Split xsk_frames into 2 variables (xsk_frames and completed_frames) to eliminate this bug. Fixes: 29322791bc8b ("ice: xsk: change batched Tx descriptor cleaning") Acked-by: Maciej Fijalkowski Signed-off-by: Larysa Zaremba Reviewed-by: Alexander Duyck Acked-by: Tony Nguyen Link: https://lore.kernel.org/r/20230209160130.1779890-1-larysa.zaremba@intel.com Signed-off-by: Jakub Kicinski commit ee059170b1f7e94e55fa6cadee544e176a6e59c2 Author: Pedro Tammela Date: Thu Feb 9 11:37:39 2023 -0300 net/sched: tcindex: update imperfect hash filters respecting rcu The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. CPU 0: CPU 1: tcindex_set_parms tcindex_classify tcindex_lookup tcindex_lookup tcf_exts_change tcf_exts_exec [UAF] Stop operating on the shared area directly, by using a local copy, and update the filter with 'rcu_replace_pointer()'. Delete the old filter version only after a rcu grace period elapsed. Fixes: 9b0d4446b569 ("net: sched: avoid atomic swap in tcf_exts_change") Reported-by: valis Suggested-by: valis Signed-off-by: Jamal Hadi Salim Signed-off-by: Pedro Tammela Link: https://lore.kernel.org/r/20230209143739.279867-1-pctammela@mojatatu.com Signed-off-by: Jakub Kicinski commit a1221703a0f75a9d81748c516457e0fc76951496 Author: Pietro Borrello Date: Thu Feb 9 12:13:05 2023 +0000 sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list Use list_is_first() to check whether tsp->asoc matches the first element of ep->asocs, as the list is not guaranteed to have an entry. Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") Signed-off-by: Pietro Borrello Acked-by: Xin Long Link: https://lore.kernel.org/r/20230208-sctp-filter-v2-1-6e1f4017f326@diag.uniroma1.it Signed-off-by: Jakub Kicinski commit 0ed577e7e8e508c24e22ba07713ecc4903e147c3 Author: Siddharth Vadapalli Date: Thu Feb 9 14:14:32 2023 +0530 net: ethernet: ti: am65-cpsw: Add RX DMA Channel Teardown Quirk In TI's AM62x/AM64x SoCs, successful teardown of RX DMA Channel raises an interrupt. The process of servicing this interrupt involves flushing all pending RX DMA descriptors and clearing the teardown completion marker (TDCM). The am65_cpsw_nuss_rx_packets() function invoked from the RX NAPI callback services the interrupt. Thus, it is necessary to wait for this handler to run, drain all packets and clear TDCM, before calling napi_disable() in am65_cpsw_nuss_common_stop() function post channel teardown. If napi_disable() executes before ensuring that TDCM is cleared, the TDCM remains set when the interfaces are down, resulting in an interrupt storm when the interfaces are brought up again. Since the interrupt raised to indicate the RX DMA Channel teardown is specific to the AM62x and AM64x SoCs, add a quirk for it. Fixes: 4f7cce272403 ("net: ethernet: ti: am65-cpsw: add support for am64x cpsw3g") Co-developed-by: Vignesh Raghavendra Signed-off-by: Vignesh Raghavendra Signed-off-by: Siddharth Vadapalli Reviewed-by: Roger Quadros Link: https://lore.kernel.org/r/20230209084432.189222-1-s-vadapalli@ti.com Signed-off-by: Jakub Kicinski commit 420b2d431d18a2572c8e86579e78105cb5ed45b0 Merge: 545c80ab3428d ecfb9f404771d Author: Linus Torvalds Date: Fri Feb 10 15:28:08 2023 -0800 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "Two clk driver fixes - Use devm_kasprintf() to avoid overflows when forming clk names in the Microchip PolarFire driver - Fix the pretty broken Ingenic JZ4760 M/N/OD calculation to actually work and find proper divisors" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: ingenic: jz4760: Update M/N/OD calculation algorithm clk: microchip: mpfs-ccc: Use devm_kasprintf() for allocating formatted strings commit 545c80ab3428df0d693f6b99b57f3c6ada34494d Merge: 4cfd5afcd87eb a8520be3ffef3 Author: Linus Torvalds Date: Fri Feb 10 15:02:16 2023 -0800 Merge tag 'pinctrl-v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: "Some assorted pin control fixes, the most interesting will be the Intel patch fixing a classic problem: laptop touchpad IRQs... - Some pin drive register fixes in the Mediatek driver. - Return proper error code in the Aspeed driver, and revert and ill-advised force-disablement patch that needs to be reworked. - Fix AMD driver debug output. - Fix potential NULL dereference in the Single driver. - Fix a group definition error in the Qualcomm SM8450 LPASS driver. - Restore pins used in direct IRQ mode in the Intel driver (This fixes some laptop touchpads!)" * tag 'pinctrl-v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: intel: Restore the pins that used to be in Direct IRQ mode pinctrl: qcom: sm8450-lpass-lpi: correct swr_rx_data group pinctrl: aspeed: Revert "Force to disable the function's signal" pinctrl: single: fix potential NULL dereference pinctrl: amd: Fix debug output for debounce time pinctrl: aspeed: Fix confusing types in return value pinctrl: mediatek: Fix the drive register definition of some Pins commit 4cfd5afcd87eb213f08863b6f34944978b0a678d Merge: 4f72a263e1629 ff209ecc376a2 Author: Linus Torvalds Date: Fri Feb 10 14:18:48 2023 -0800 Merge tag 'pci-v6.2-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci Pull PCI fixes from Bjorn Helgaas: - Move to a shared PCI git tree (Bjorn Helgaas) - Add Krzysztof Wilczyński as another PCI maintainer (Lorenzo Pieralisi) - Revert a couple ASPM patches to fix suspend/resume regressions (Bjorn Helgaas) * tag 'pci-v6.2-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci: Revert "PCI/ASPM: Refactor L1 PM Substates Control Register programming" Revert "PCI/ASPM: Save L1 PM Substates Capability for suspend/resume" MAINTAINERS: Promote Krzysztof to PCI controller maintainer MAINTAINERS: Move to shared PCI tree commit ff209ecc376a2ea8dd106a1f594427a5d94b7dd3 Author: Bjorn Helgaas Date: Fri Feb 3 13:57:39 2023 -0600 Revert "PCI/ASPM: Refactor L1 PM Substates Control Register programming" This reverts commit 5e85eba6f50dc288c22083a7e213152bcc4b8208. Thomas Witt reported that 5e85eba6f50d ("PCI/ASPM: Refactor L1 PM Substates Control Register programming") broke suspend/resume on a Tuxedo Infinitybook S 14 v5, which seems to use a Clevo L140CU Mainboard. The main symptom is: iwlwifi 0000:02:00.0: Unable to change power state from D3hot to D0, device inaccessible nvme 0000:03:00.0: Unable to change power state from D3hot to D0, device inaccessible and the machine is only partially usable after resume. It can't run dmesg and can't do a clean reboot. This happens on every suspend/resume cycle. Revert 5e85eba6f50d until we can figure out the root cause. Fixes: 5e85eba6f50d ("PCI/ASPM: Refactor L1 PM Substates Control Register programming") Link: https://bugzilla.kernel.org/show_bug.cgi?id=216877 Reported-by: Thomas Witt Tested-by: Thomas Witt Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org # v6.1+ Cc: Vidya Sagar commit a7152be79b627428c628da2a887ca4b2512a78fd Author: Bjorn Helgaas Date: Fri Feb 3 13:57:29 2023 -0600 Revert "PCI/ASPM: Save L1 PM Substates Capability for suspend/resume" This reverts commit 4ff116d0d5fd8a025604b0802d93a2d5f4e465d1. Tasev Nikola and Mark Enriquez reported that resume from suspend was broken in v6.1-rc1. Tasev bisected to a47126ec29f5 ("PCI/PTM: Cache PTM Capability offset"), but we can't figure out how that could be related. Mark saw the same symptoms and bisected to 4ff116d0d5fd ("PCI/ASPM: Save L1 PM Substates Capability for suspend/resume"), which does have a connection: it restores L1 Substates configuration while ASPM L1 may be enabled: pci_restore_state pci_restore_aspm_l1ss_state aspm_program_l1ss pci_write_config_dword(PCI_L1SS_CTL1, ctl1) # L1SS restore pci_restore_pcie_state pcie_capability_write_word(PCI_EXP_LNKCTL, cap[i++]) # L1 restore which is a problem because PCIe r6.0, sec 5.5.4, requires that: If setting either or both of the enable bits for ASPM L1 PM Substates, both ports must be configured as described in this section while ASPM L1 is disabled. Separately, Thomas Witt reported that 5e85eba6f50d ("PCI/ASPM: Refactor L1 PM Substates Control Register programming") broke suspend/resume, and it depends on 4ff116d0d5fd. Revert 4ff116d0d5fd ("PCI/ASPM: Save L1 PM Substates Capability for suspend/resume") to fix the resume issue and enable revert of 5e85eba6f50d to fix the issue Thomas reported. Note that reverting 4ff116d0d5fd means L1 Substates config may be lost on suspend/resume. As far as we know the system will use more power but will still *work* correctly. Fixes: 4ff116d0d5fd ("PCI/ASPM: Save L1 PM Substates Capability for suspend/resume") Link: https://bugzilla.kernel.org/show_bug.cgi?id=216782 Link: https://bugzilla.kernel.org/show_bug.cgi?id=216877 Reported-by: Tasev Nikola Reported-by: Mark Enriquez Reported-by: Thomas Witt Tested-by: Mark Enriquez Tested-by: Thomas Witt Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org # v6.1+ Cc: Vidya Sagar commit 4f72a263e162938de26866b862ed6015f5725946 Merge: 8e9a8427a1f1f bc6772bbab9af Author: Linus Torvalds Date: Fri Feb 10 09:48:42 2023 -0800 Merge tag 'soc-fixes-6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "All the changes this time are minor devicetree corrections, the majority being for 64-bit Rockchip SoC support. These are a couple of corrections for properties that are in violation of the binding, some that put the machine into safer operating points for the eMMC and thermal settings, and missing properties that prevented rk356x PCIe and ethernet from working correctly. The changes for amlogic and mediatek address incorrect properties that were preventing the display support on MT8195 and the MMC support on various Meson SoCs from working correctly. The stihxxx-b2120 change fixes the GPIO polarity for the DVB tuner to allow this to be used correctly after a futre driver change, though it has no effect on older kernels" * tag 'soc-fixes-6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive arm64: dts: meson-g12-common: Make mmc host controller interrupts level-sensitive arm64: dts: meson-axg: Make mmc host controller interrupts level-sensitive ARM: dts: stihxxx-b2120: fix polarity of reset line of tsin0 port arm64: dts: mediatek: mt8195: Fix vdosys* compatible strings arm64: dts: rockchip: align rk3399 DMC OPP table with bindings arm64: dts: rockchip: set sdmmc0 speed to sd-uhs-sdr50 on rock-3a arm64: dts: rockchip: fix probe of analog sound card on rock-3a arm64: dts: rockchip: add missing #interrupt-cells to rk356x pcie2x1 arm64: dts: rockchip: fix input enable pinconf on rk3399 ARM: dts: rockchip: add power-domains property to dp node on rk3288 arm64: dts: rockchip: add io domain setting to rk3566-box-demo arm64: dts: rockchip: remove unsupported property from sdmmc2 for rock-3a arm64: dts: rockchip: drop unused LED mode property from rk3328-roc-cc arm64: dts: rockchip: reduce thermal limits on rk3399-pinephone-pro arm64: dts: rockchip: use correct reset names for rk3399 crypto nodes commit 8e9a8427a1f1f39632e2b2ccd651e499c64f59b2 Merge: 3647d2d70640f 950b879b7f025 Author: Linus Torvalds Date: Fri Feb 10 09:27:52 2023 -0800 Merge tag 'riscv-for-linus-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: "This is a little bigger that I'd hope for this late in the cycle, but they're all pretty concrete fixes and the only one that's bigger than a few lines is pmdp_collapse_flush() (which is almost all boilerplate/comment). It's also all bug fixes for issues that have been around for a while. So I think it's not all that scary, just bad timing. - avoid partial TLB fences for huge pages, which are disallowed by the ISA - avoid missing a frame when dumping stacks - avoid misaligned accesses (and possibly overflows) in kprobes - fix a race condition in tracking page dirtiness" * tag 'riscv-for-linus-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte riscv: kprobe: Fixup misaligned load text riscv: stacktrace: Fix missing the first frame riscv: mm: Implement pmdp_collapse_flush for THP commit 3647d2d70640ff85be60793fa4b204bdae26ca44 Merge: 29716680adbb2 e7d84c6a1296d Author: Linus Torvalds Date: Fri Feb 10 09:04:00 2023 -0800 Merge tag 'ceph-for-6.2-rc8' of https://github.com/ceph/ceph-client Pull ceph fix from Ilya Dryomov: "A fix for a pretty embarrassing omission in the session flush handler from Xiubo, marked for stable" * tag 'ceph-for-6.2-rc8' of https://github.com/ceph/ceph-client: ceph: flush cap releases when the session is flushed commit 29716680adbb221a5cd1604e11e81c6f2938e06f Merge: 4fe37223975ce 38c33ece23201 Author: Linus Torvalds Date: Fri Feb 10 08:55:09 2023 -0800 Merge tag 'block-6.2-2023-02-10' of git://git.kernel.dk/linux Pull block fix from Jens Axboe: "A single fix for a smatch regression introduced in this merge window" * tag 'block-6.2-2023-02-10' of git://git.kernel.dk/linux: nvme-auth: mark nvme_auth_wq static commit 4fe37223975ce04c4a4ad0a136cd4e64b39bc3ca Merge: 38c1e0c658654 88d18b8896bd9 Author: Linus Torvalds Date: Fri Feb 10 08:37:48 2023 -0800 Merge tag 'sound-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Hopefully the last one for 6.2, a collection of the fixes that have been gathered since the last pull. All changes are small and trivial device-specific fixes" * tag 'sound-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/realtek: Add Positivo N14KP6-TG ASoC: topology: Return -ENOMEM on memory allocation failure ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() ASoC: fsl_sai: fix getting version from VERID ALSA: hda/realtek: fix mute/micmute LEDs don't work for a HP platform. ALSA: hda/realtek: Add quirk for ASUS UM3402 using CS35L41 ASoC: codecs: es8326: Fix DTS properties reading ASoC: tas5805m: add missing page switch. ASoC: tas5805m: rework to avoid scheduling while atomic. ALSA: hda/realtek: Enable mute/micmute LEDs on HP Elitebook, 645 G9 ASoC: SOF: amd: Fix for handling spurious interrupts from DSP ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book2 Pro 360 ALSA: pci: lx6464es: fix a debug loop ASoC: rt715-sdca: fix clock stop prepare timeout issue commit 7484a5bc153e81a1740c06ce037fd55b7638335c Author: Jocelyn Falempe Date: Thu Feb 9 10:44:17 2023 +0100 drm/ast: Fix start address computation During the driver conversion to shmem, the start address for the scanout buffer was set to the base PCI address. In most cases it works because only the lower 24bits are used, and due to alignment it was almost always 0. But on some unlucky hardware, it's not the case, and some uninitialized memory is displayed on the BMC. With shmem, the primary plane is always at offset 0 in GPU memory. * v2: rewrite the patch to set the offset to 0. (Thomas Zimmermann) * v3: move the change to plane_init() and also fix the cursor plane. (Jammy Huang) Tested on a sr645 affected by this bug. Fixes: f2fa5a99ca81 ("drm/ast: Convert ast to SHMEM") Signed-off-by: Jocelyn Falempe Reviewed-by: Thomas Zimmermann Reviewed-by: Jammy Huang Link: https://patchwork.freedesktop.org/patch/msgid/20230209094417.21630-1-jfalempe@redhat.com commit 493a2c2d23ca91afba96ac32b6cbafb54382c2a3 Author: Tom Lendacky Date: Thu Feb 9 09:22:26 2023 -0600 Documentation/hw-vuln: Add documentation for Cross-Thread Return Predictions Add the admin guide for the Cross-Thread Return Predictions vulnerability. Signed-off-by: Tom Lendacky Message-Id: <60f9c0b4396956ce70499ae180cb548720b25c7e.1675956146.git.thomas.lendacky@amd.com> Signed-off-by: Paolo Bonzini commit 6f0f2d5ef895d66a3f2b32dd05189ec34afa5a55 Author: Tom Lendacky Date: Thu Feb 9 09:22:25 2023 -0600 KVM: x86: Mitigate the cross-thread return address predictions bug By default, KVM/SVM will intercept attempts by the guest to transition out of C0. However, the KVM_CAP_X86_DISABLE_EXITS capability can be used by a VMM to change this behavior. To mitigate the cross-thread return address predictions bug (X86_BUG_SMT_RSB), a VMM must not be allowed to override the default behavior to intercept C0 transitions. Use a module parameter to control the mitigation on processors that are vulnerable to X86_BUG_SMT_RSB. If the processor is vulnerable to the X86_BUG_SMT_RSB bug and the module parameter is set to mitigate the bug, KVM will not allow the disabling of the HLT, MWAIT and CSTATE exits. Signed-off-by: Tom Lendacky Message-Id: <4019348b5e07148eb4d593380a5f6713b93c9a16.1675956146.git.thomas.lendacky@amd.com> Signed-off-by: Paolo Bonzini commit be8de49bea505e7777a69ef63d60e02ac1712683 Author: Tom Lendacky Date: Thu Feb 9 09:22:24 2023 -0600 x86/speculation: Identify processors vulnerable to SMT RSB predictions Certain AMD processors are vulnerable to a cross-thread return address predictions bug. When running in SMT mode and one of the sibling threads transitions out of C0 state, the other sibling thread could use return target predictions from the sibling thread that transitioned out of C0. The Spectre v2 mitigations cover the Linux kernel, as it fills the RSB when context switching to the idle thread. However, KVM allows a VMM to prevent exiting guest mode when transitioning out of C0. A guest could act maliciously in this situation, so create a new x86 BUG that can be used to detect if the processor is vulnerable. Reviewed-by: Borislav Petkov (AMD) Signed-off-by: Tom Lendacky Message-Id: <91cec885656ca1fcd4f0185ce403a53dd9edecb7.1675956146.git.thomas.lendacky@amd.com> Signed-off-by: Paolo Bonzini commit bc6772bbab9af6034f918624a40ac5c962df2bac Merge: 89e5dd41c444c 66e45351f7d67 Author: Arnd Bergmann Date: Fri Feb 10 11:31:24 2023 +0100 Merge tag 'amlogic-fixes-v6.2-rc-take2' of https://git.kernel.org/pub/scm/linux/kernel/git/amlogic/linux into arm/fixes Amlogic fixes for v6.2-rc, take2: - Change MMC controllers interrupts flag to level on all families, fixes irq loss & performance issues when cpu loaded * tag 'amlogic-fixes-v6.2-rc-take2' of https://git.kernel.org/pub/scm/linux/kernel/git/amlogic/linux: arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive arm64: dts: meson-g12-common: Make mmc host controller interrupts level-sensitive arm64: dts: meson-axg: Make mmc host controller interrupts level-sensitive Link: https://lore.kernel.org/r/761c2ebc-7c93-8504-35ae-3e84ad216bcf@linaro.org Signed-off-by: Arnd Bergmann commit 3efc61d95259956db25347e2a9562c3e54546e20 Author: Takashi Iwai Date: Sun Jan 29 09:28:56 2023 +0100 fbdev: Fix invalid page access after closing deferred I/O devices When a fbdev with deferred I/O is once opened and closed, the dirty pages still remain queued in the pageref list, and eventually later those may be processed in the delayed work. This may lead to a corruption of pages, hitting an Oops. This patch makes sure to cancel the delayed work and clean up the pageref list at closing the device for addressing the bug. A part of the cleanup code is factored out as a new helper function that is called from the common fb_release(). Reviewed-by: Patrik Jakobsson Cc: Signed-off-by: Takashi Iwai Tested-by: Miko Larsson Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct") Reviewed-by: Thomas Zimmermann Signed-off-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20230129082856.22113-1-tiwai@suse.de commit 18d7e16c917a08f08778ecf2b780d63648d5d923 Author: Bo Liu Date: Thu Feb 9 10:13:48 2023 +0800 ALSA: hda/conexant: add a new hda codec SN6180 The current kernel does not support the SN6180 codec chip. Add the SN6180 codec configuration item to kernel. Signed-off-by: Bo Liu Cc: Link: https://lore.kernel.org/r/1675908828-1012-1-git-send-email-bo.liu@senarytech.com Signed-off-by: Takashi Iwai commit 66e45351f7d6798751f98001d1fcd572024d87f0 Author: Heiner Kallweit Date: Thu Feb 9 21:11:47 2023 +0100 arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive The usage of edge-triggered interrupts lead to lost interrupts under load, see [0]. This was confirmed to be fixed by using level-triggered interrupts. The report was about SDIO. However, as the host controller is the same for SD and MMC, apply the change to all mmc controller instances. [0] https://www.spinics.net/lists/linux-mmc/msg73991.html Fixes: ef8d2ffedf18 ("ARM64: dts: meson-gxbb: add MMC support") Cc: stable@vger.kernel.org Signed-off-by: Heiner Kallweit Acked-by: Neil Armstrong Link: https://lore.kernel.org/r/76e042e0-a610-5ed5-209f-c4d7f879df44@gmail.com Signed-off-by: Neil Armstrong commit ac8db4cceed218cca21c84f9d75ce88182d8b04f Author: Heiner Kallweit Date: Thu Feb 9 21:11:10 2023 +0100 arm64: dts: meson-g12-common: Make mmc host controller interrupts level-sensitive The usage of edge-triggered interrupts lead to lost interrupts under load, see [0]. This was confirmed to be fixed by using level-triggered interrupts. The report was about SDIO. However, as the host controller is the same for SD and MMC, apply the change to all mmc controller instances. [0] https://www.spinics.net/lists/linux-mmc/msg73991.html Fixes: 4759fd87b928 ("arm64: dts: meson: g12a: add mmc nodes") Tested-by: FUKAUMI Naoki Tested-by: Martin Blumenstingl Tested-by: Jerome Brunet Cc: stable@vger.kernel.org Signed-off-by: Heiner Kallweit Acked-by: Neil Armstrong Link: https://lore.kernel.org/r/27d89baa-b8fa-baca-541b-ef17a97cde3c@gmail.com Signed-off-by: Neil Armstrong commit d182bcf300772d8b2e5f43e47fa0ebda2b767cc4 Author: Heiner Kallweit Date: Thu Feb 9 21:10:31 2023 +0100 arm64: dts: meson-axg: Make mmc host controller interrupts level-sensitive The usage of edge-triggered interrupts lead to lost interrupts under load, see [0]. This was confirmed to be fixed by using level-triggered interrupts. The report was about SDIO. However, as the host controller is the same for SD and MMC, apply the change to all mmc controller instances. [0] https://www.spinics.net/lists/linux-mmc/msg73991.html Fixes: 221cf34bac54 ("ARM64: dts: meson-axg: enable the eMMC controller") Reported-by: Peter Suti Tested-by: Vyacheslav Bocharov Tested-by: Peter Suti Cc: stable@vger.kernel.org Signed-off-by: Heiner Kallweit Acked-by: Neil Armstrong Link: https://lore.kernel.org/r/c00655d3-02f8-6f5f-4239-ca2412420cad@gmail.com Signed-off-by: Neil Armstrong commit ec76d0c2da5c6dfb6a33f1545cc15997013923da Author: Ronak Doshi Date: Wed Feb 8 14:38:59 2023 -0800 vmxnet3: move rss code block under eop descriptor Commit b3973bb40041 ("vmxnet3: set correct hash type based on rss information") added hashType information into skb. However, rssType field is populated for eop descriptor. This can lead to incorrectly reporting of hashType for packets which use multiple rx descriptors. Multiple rx descriptors are used for Jumbo frame or LRO packets, which can hit this issue. This patch moves the RSS codeblock under eop descritor. Cc: stable@vger.kernel.org Fixes: b3973bb40041 ("vmxnet3: set correct hash type based on rss information") Signed-off-by: Ronak Doshi Acked-by: Peng Li Acked-by: Guolin Yang Link: https://lore.kernel.org/r/20230208223900.5794-1-doshir@vmware.com Signed-off-by: Jakub Kicinski commit 6e77a5a4af05d5e7391c841a4a4f3e4cadf72c25 Author: Eric Dumazet Date: Wed Feb 8 18:21:23 2023 +0000 net: initialize net->notrefcnt_tracker earlier syzbot was able to trigger a warning [1] from net_free() calling ref_tracker_dir_exit(&net->notrefcnt_tracker) while the corresponding ref_tracker_dir_init() has not been done yet. copy_net_ns() can indeed bypass the call to setup_net() in some error conditions. Note: We might factorize/move more code in preinit_net() in the future. [1] INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 PID: 5817 Comm: syz-executor.3 Not tainted 6.2.0-rc7-next-20230208-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 assign_lock_key kernel/locking/lockdep.c:982 [inline] register_lock_class+0xdb6/0x1120 kernel/locking/lockdep.c:1295 __lock_acquire+0x10a/0x5df0 kernel/locking/lockdep.c:4951 lock_acquire.part.0+0x11c/0x370 kernel/locking/lockdep.c:5691 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162 ref_tracker_dir_exit+0x52/0x600 lib/ref_tracker.c:24 net_free net/core/net_namespace.c:442 [inline] net_free+0x98/0xd0 net/core/net_namespace.c:436 copy_net_ns+0x4f3/0x6b0 net/core/net_namespace.c:493 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:228 ksys_unshare+0x449/0x920 kernel/fork.c:3205 __do_sys_unshare kernel/fork.c:3276 [inline] __se_sys_unshare kernel/fork.c:3274 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:3274 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 Fixes: 0cafd77dcd03 ("net: add a refcount tracker for kernel sockets") Reported-by: syzbot Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20230208182123.3821604-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit e8ac615fe126c829612b97b4ddf6cae105ca20b8 Merge: 6e16e67a6b27f c21a20d9d102a Author: Jakub Kicinski Date: Thu Feb 9 22:49:06 2023 -0800 Merge branch 'ipv6-fix-socket-connection-with-dscp-fib-rules' Guillaume Nault says: ==================== ipv6: Fix socket connection with DSCP fib-rules. The "flowlabel" field of struct flowi6 is used to store both the actual flow label and the DS Field (or Traffic Class). However the .connect handlers of datagram and TCP sockets don't set the DS Field part when doing their route lookup. This breaks fib-rules that match on DSCP. ==================== Link: https://lore.kernel.org/r/cover.1675875519.git.gnault@redhat.com Signed-off-by: Jakub Kicinski commit c21a20d9d102ab809a992a6b056abbec4cd4c1cd Author: Guillaume Nault Date: Wed Feb 8 18:14:07 2023 +0100 selftests: fib_rule_tests: Test UDP and TCP connections with DSCP rules. Add the fib_rule6_send and fib_rule4_send tests to verify that DSCP values are properly taken into account when UDP or TCP sockets try to connect(). Tests are done with nettest, which needs a new option to specify the DS Field value of the socket being tested. This new option is named '-Q', in reference to the similar option used by ping. Signed-off-by: Guillaume Nault Reviewed-by: David Ahern Signed-off-by: Jakub Kicinski commit 8230680f36fd1525303d1117768c8852314c488c Author: Guillaume Nault Date: Wed Feb 8 18:14:03 2023 +0100 ipv6: Fix tcp socket connection with DSCP. Take into account the IPV6_TCLASS socket option (DSCP) in tcp_v6_connect(). Otherwise fib6_rule_match() can't properly match the DSCP value, resulting in invalid route lookup. For example: ip route add unreachable table main 2001:db8::10/124 ip route add table 100 2001:db8::10/124 dev eth0 ip -6 rule add dsfield 0x04 table 100 echo test | socat - TCP6:[2001:db8::11]:54321,ipv6-tclass=0x04 Without this patch, socat fails at connect() time ("No route to host") because the fib-rule doesn't jump to table 100 and the lookup ends up being done in the main table. Fixes: 2cc67cc731d9 ("[IPV6] ROUTE: Routing by Traffic Class.") Signed-off-by: Guillaume Nault Reviewed-by: Eric Dumazet Reviewed-by: David Ahern Signed-off-by: Jakub Kicinski commit e010ae08c71fda8be3d6bda256837795a0b3ea41 Author: Guillaume Nault Date: Wed Feb 8 18:13:59 2023 +0100 ipv6: Fix datagram socket connection with DSCP. Take into account the IPV6_TCLASS socket option (DSCP) in ip6_datagram_flow_key_init(). Otherwise fib6_rule_match() can't properly match the DSCP value, resulting in invalid route lookup. For example: ip route add unreachable table main 2001:db8::10/124 ip route add table 100 2001:db8::10/124 dev eth0 ip -6 rule add dsfield 0x04 table 100 echo test | socat - UDP6:[2001:db8::11]:54321,ipv6-tclass=0x04 Without this patch, socat fails at connect() time ("No route to host") because the fib-rule doesn't jump to table 100 and the lookup ends up being done in the main table. Fixes: 2cc67cc731d9 ("[IPV6] ROUTE: Routing by Traffic Class.") Signed-off-by: Guillaume Nault Reviewed-by: Eric Dumazet Reviewed-by: David Ahern Signed-off-by: Jakub Kicinski commit 6e16e67a6b27f009ac70b1c59d8bd5a4e2820baf Merge: d61615c366a48 71f814cda659d Author: Jakub Kicinski Date: Thu Feb 9 22:28:08 2023 -0800 Merge branch 'nfp-fix-schedule-in-atomic-context-when-offloading-sa' Simon Horman says: ==================== nfp: fix schedule in atomic context when offloading sa Yinjun Zhang says: IPsec offloading callbacks may be called in atomic context, sleep is not allowed in the implementation. Now use workqueue mechanism to avoid this issue. Extend existing workqueue mechanism for multicast configuration only to universal use, so that all configuring through mailbox asynchoronously can utilize it. Also fix another two incorrect use of mailbox in IPsec: 1. Need lock for race condition when accessing mbox 2. Offset of mbox access should depends on tlv caps ==================== Link: https://lore.kernel.org/r/20230208102258.29639-1-simon.horman@corigine.com Signed-off-by: Jakub Kicinski commit 71f814cda659dca3db575ed67dfcdc4b93e8d33f Author: Yinjun Zhang Date: Wed Feb 8 11:22:58 2023 +0100 nfp: fix schedule in atomic context when offloading sa IPsec offloading callbacks may be called in atomic context, sleep is not allowed in the implementation. Now use workqueue mechanism to avoid this issue. Extend existing workqueue mechanism for multicast configuration only to universal use, so that all configuring through mailbox asynchronously can utilize it. Fixes: 859a497fe80c ("nfp: implement xfrm callbacks and expose ipsec offload feature to upper layer") Signed-off-by: Yinjun Zhang Signed-off-by: Simon Horman Signed-off-by: Jakub Kicinski commit 7a13a2eef645f2d2e3018d6ea518f121b35a87c8 Author: Yinjun Zhang Date: Wed Feb 8 11:22:57 2023 +0100 nfp: fix incorrect use of mbox in IPsec code The mailbox configuration mechanism requires writing several registers, which shouldn't be interrupted, so need lock to avoid race condition. The base offset of mailbox configuration registers is not fixed, it depends on TLV caps read from application firmware. Fixes: 859a497fe80c ("nfp: implement xfrm callbacks and expose ipsec offload feature to upper layer") Signed-off-by: Yinjun Zhang Signed-off-by: Simon Horman Signed-off-by: Jakub Kicinski commit d61615c366a489646a1bfe5b33455f916762d5f4 Author: Rafał Miłecki Date: Wed Feb 8 10:16:37 2023 +0100 net: bgmac: fix BCM5358 support by setting correct flags Code blocks handling BCMA_CHIP_ID_BCM5357 and BCMA_CHIP_ID_BCM53572 were incorrectly unified. Chip package values are not unique and cannot be checked independently. They are meaningful only in a context of a given chip. Packages BCM5358 and BCM47188 share the same value but then belong to different chips. Code unification resulted in treating BCM5358 as BCM47188 and broke its initialization. Link: https://github.com/openwrt/openwrt/issues/8278 Fixes: cb1b0f90acfe ("net: ethernet: bgmac: unify code of the same family") Cc: Jon Mason Signed-off-by: Rafał Miłecki Reviewed-by: Florian Fainelli Link: https://lore.kernel.org/r/20230208091637.16291-1-zajec5@gmail.com Signed-off-by: Jakub Kicinski commit 38c1e0c65865426676123cc9a127526fa02bcac6 Merge: 1424c3e309bbd 777c1e01cb7e1 Author: Linus Torvalds Date: Thu Feb 9 17:52:00 2023 -0800 Merge tag 'drm-fixes-2023-02-10' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Weekly fixes. The amdgpu had a few small fixes to display flicker on certain configurations, however it was found the the flicker was lessened but there were other unintended consequences, so for now they've been reverted and replaced with an option for users to test with so future fixes can be developed. Otherwise apart from the usual bunch of i915 and amdgpu, there's a client, virtio-gpu and an nvidiafb fix that reorders its loading to avoid failure. client: - refcount fix amdgpu: - a bunch of attempted flicker fixes that regressed turned into a user workaround option for now - Properly fix S/G display with AGP aperture enabled - Fix cursor offset with 180 rotation - SMU13 fixes - Use TGID for GPUVM traces - Fix oops on in fence error path - Don't run IB tests on hw rings when sw rings are in use - memory leak fix i915: - Display watermark fix - fbdev fix for PSR, FBC, DRRS - Move fd_install after last use of fence - Initialize the obj flags for shmem objects - Fix VBT DSI DVO port handling virtio-gpu: - fence fix nvidiafb: - regression fix for driver load when no hw supported" * tag 'drm-fixes-2023-02-10' of git://anongit.freedesktop.org/drm/drm: (27 commits) Revert "drm/amd/display: disable S/G display on DCN 3.1.5" Revert "drm/amd/display: disable S/G display on DCN 2.1.0" Revert "drm/amd/display: disable S/G display on DCN 3.1.2/3" drm/amdgpu: add S/G display parameter drm/amdgpu/smu: skip pptable init under sriov amd/amdgpu: remove test ib on hw ring drm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini drm/amdgpu: Use the TGID for trace_amdgpu_vm_update_ptes drm/amdgpu: Add unique_id support for GC 11.0.1/2 drm/amd/pm: bump SMU 13.0.7 driver_if header version drm/amd/pm: bump SMU 13.0.0 driver_if header version drm/amd/pm: add SMU 13.0.7 missing GetPptLimit message mapping drm/amd/display: fix cursor offset on rotation 180 drm/amd/amdgpu: enable athub cg 11.0.3 Revert "drm/amd/display: disable S/G display on DCN 3.1.4" drm/amd/display: properly handling AGP aperture in vm setup drm/amd/display: disable S/G display on DCN 3.1.2/3 drm/amd/display: disable S/G display on DCN 2.1.0 drm/i915: Fix VBT DSI DVO port handling drm/client: fix circular reference counting issue ... commit 1424c3e309bbdcf2d93977bf2840cc00ef9b6208 Merge: e544a07438522 2de49fb1c9bb8 Author: Linus Torvalds Date: Thu Feb 9 17:34:14 2023 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "The usual collection of small driver bug fixes: - Fix error unwind bugs in hfi1, irdma rtrs - Old bug with IPoIB children interfaces possibly using the wrong number of queues - Really old bug in usnic calling iommu_map in an atomic context - Recent regression from the DMABUF locking rework - Missing user data validation in MANA" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: RDMA/rtrs: Don't call kobject_del for srv_path->kobj RDMA/mana_ib: Prevent array underflow in mana_ib_create_qp_raw() IB/hfi1: Assign npages earlier RDMA/umem: Use dma-buf locked API to solve deadlock RDMA/usnic: use iommu_map_atomic() under spin_lock() RDMA/irdma: Fix potential NULL-ptr-dereference IB/IPoIB: Fix legacy IPoIB due to wrong number of queues IB/hfi1: Restore allocated resources on failed copyout commit ce4d9a1ea35ac5429e822c4106cb2859d5c71f3e Author: Isaac J. Manjarres Date: Wed Feb 8 15:20:00 2023 -0800 of: reserved_mem: Have kmemleak ignore dynamically allocated reserved mem Patch series "Fix kmemleak crashes when scanning CMA regions", v2. When trying to boot a device with an ARM64 kernel with the following config options enabled: CONFIG_DEBUG_PAGEALLOC=y CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y CONFIG_DEBUG_KMEMLEAK=y a crash is encountered when kmemleak starts to scan the list of gray or allocated objects that it maintains. Upon closer inspection, it was observed that these page-faults always occurred when kmemleak attempted to scan a CMA region. At the moment, kmemleak is made aware of CMA regions that are specified through the devicetree to be dynamically allocated within a range of addresses. However, kmemleak should not need to scan CMA regions or any reserved memory region, as those regions can be used for DMA transfers between drivers and peripherals, and thus wouldn't contain anything useful for kmemleak. Additionally, since CMA regions are unmapped from the kernel's address space when they are freed to the buddy allocator at boot when CONFIG_DEBUG_PAGEALLOC is enabled, kmemleak shouldn't attempt to access those memory regions, as that will trigger a crash. Thus, kmemleak should ignore all dynamically allocated reserved memory regions. This patch (of 1): Currently, kmemleak ignores dynamically allocated reserved memory regions that don't have a kernel mapping. However, regions that do retain a kernel mapping (e.g. CMA regions) do get scanned by kmemleak. This is not ideal for two reasons: 1 kmemleak works by scanning memory regions for pointers to allocated objects to determine if those objects have been leaked or not. However, reserved memory regions can be used between drivers and peripherals for DMA transfers, and thus, would not contain pointers to allocated objects, making it unnecessary for kmemleak to scan these reserved memory regions. 2 When CONFIG_DEBUG_PAGEALLOC is enabled, along with kmemleak, the CMA reserved memory regions are unmapped from the kernel's address space when they are freed to buddy at boot. These CMA reserved regions are still tracked by kmemleak, however, and when kmemleak attempts to scan them, a crash will happen, as accessing the CMA region will result in a page-fault, since the regions are unmapped. Thus, use kmemleak_ignore_phys() for all dynamically allocated reserved memory regions, instead of those that do not have a kernel mapping associated with them. Link: https://lkml.kernel.org/r/20230208232001.2052777-1-isaacmanjarres@google.com Link: https://lkml.kernel.org/r/20230208232001.2052777-2-isaacmanjarres@google.com Fixes: a7259df76702 ("memblock: make memblock_find_in_range method private") Signed-off-by: Isaac J. Manjarres Acked-by: Mike Rapoport (IBM) Acked-by: Catalin Marinas Cc: Frank Rowand Cc: Kirill A. Shutemov Cc: Nick Kossifidis Cc: Rafael J. Wysocki Cc: Rob Herring Cc: Russell King (Oracle) Cc: Saravana Kannan Cc: [5.15+] Signed-off-by: Andrew Morton commit c16a3b11eaa88872d07f135df94dfa3fbcd05d10 Author: Jeff Xie Date: Sat Feb 4 17:01:39 2023 +0800 scripts/gdb: fix 'lx-current' for x86 When printing the name of the current process, it will report an error: (gdb) p $lx_current().comm Python Exception No symbol "current_task" in current context.: Error occurred in Python: No symbol "current_task" in current context. Because e57ef2ed97c1 ("x86: Put hot per CPU variables into a struct") changed it. Link: https://lkml.kernel.org/r/20230204090139.1789264-1-xiehuan09@gmail.com Fixes: e57ef2ed97c1 ("x86: Put hot per CPU variables into a struct") Signed-off-by: Jeff Xie Cc: Jan Kiszka Cc: Signed-off-by: Andrew Morton commit 67222c4ba8afe409d1e049a8f1e687c8a214fec7 Author: Li Lingfeng Date: Fri Jan 20 11:23:52 2023 +0800 lib: parser: optimize match_NUMBER apis to use local array Memory will be allocated to store substring_t in match_strdup(), which means the caller of match_strdup() may need to be scheduled out to wait for reclaiming memory. smatch complains that this can cuase sleeping in an atoic context. Using local array to store substring_t to remove the restriction. Link: https://lkml.kernel.org/r/20230120032352.242767-1-lilingfeng3@huawei.com Link: https://lore.kernel.org/all/20221104023938.2346986-5-yukuai1@huaweicloud.com/ Link: https://lkml.kernel.org/r/20230120032352.242767-1-lilingfeng3@huawei.com Fixes: 2c0647988433 ("blk-iocost: don't release 'ioc->lock' while updating params") Signed-off-by: Li Lingfeng Reported-by: Yu Kuai Acked-by: Tejun Heo Cc: BingJing Chang Cc: Eric Biggers Cc: Hou Tao Cc: James Smart Cc: Jan Kara Cc: Jens Axboe Cc: yangerkun Cc: Zhang Yi Signed-off-by: Andrew Morton commit badc28d4924bfed73efc93f716a0c3aa3afbdf6f Author: Qi Zheng Date: Thu Feb 2 18:56:12 2023 +0800 mm: shrinkers: fix deadlock in shrinker debugfs The debugfs_remove_recursive() is invoked by unregister_shrinker(), which is holding the write lock of shrinker_rwsem. It will waits for the handler of debugfs file complete. The handler also needs to hold the read lock of shrinker_rwsem to do something. So it may cause the following deadlock: CPU0 CPU1 debugfs_file_get() shrinker_debugfs_count_show()/shrinker_debugfs_scan_write() unregister_shrinker() --> down_write(&shrinker_rwsem); debugfs_remove_recursive() // wait for (A) --> wait_for_completion(); // wait for (B) --> down_read_killable(&shrinker_rwsem) debugfs_file_put() -- (A) up_write() -- (B) The down_read_killable() can be killed, so that the above deadlock can be recovered. But it still requires an extra kill action, otherwise it will block all subsequent shrinker-related operations, so it's better to fix it. [akpm@linux-foundation.org: fix CONFIG_SHRINKER_DEBUG=n stub] Link: https://lkml.kernel.org/r/20230202105612.64641-1-zhengqi.arch@bytedance.com Fixes: 5035ebc644ae ("mm: shrinkers: introduce debugfs interface for memory shrinkers") Signed-off-by: Qi Zheng Reviewed-by: Roman Gushchin Cc: Kent Overstreet Cc: Muchun Song Cc: Signed-off-by: Andrew Morton commit 6b970599e807ea95c653926d41b095a92fd381e2 Author: Kefeng Wang Date: Fri Dec 9 15:28:01 2022 +0800 mm: hwpoison: support recovery from ksm_might_need_to_copy() When the kernel copies a page from ksm_might_need_to_copy(), but runs into an uncorrectable error, it will crash since poisoned page is consumed by kernel, this is similar to the issue recently fixed by Copy-on-write poison recovery. When an error is detected during the page copy, return VM_FAULT_HWPOISON in do_swap_page(), and install a hwpoison entry in unuse_pte() when swapoff, which help us to avoid system crash. Note, memory failure on a KSM page will be skipped, but still call memory_failure_queue() to be consistent with general memory failure process, and we could support KSM page recovery in the feature. [wangkefeng.wang@huawei.com: enhance unuse_pte(), fix issue found by lkp] Link: https://lkml.kernel.org/r/20221213120523.141588-1-wangkefeng.wang@huawei.com [wangkefeng.wang@huawei.com: update changelog, alter ksm_might_need_to_copy(), restore unlikely() in unuse_pte()] Link: https://lkml.kernel.org/r/20230201074433.96641-1-wangkefeng.wang@huawei.com Link: https://lkml.kernel.org/r/20221209072801.193221-1-wangkefeng.wang@huawei.com Signed-off-by: Kefeng Wang Reviewed-by: Naoya Horiguchi Cc: Miaohe Lin Cc: Tony Luck Signed-off-by: Andrew Morton commit 55d77bae73426237b3c74c1757a894b056550dff Author: Christophe Leroy Date: Thu Jan 26 08:04:47 2023 +0100 kasan: fix Oops due to missing calls to kasan_arch_is_ready() On powerpc64, you can build a kernel with KASAN as soon as you build it with RADIX MMU support. However if the CPU doesn't have RADIX MMU, KASAN isn't enabled at init and the following Oops is encountered. [ 0.000000][ T0] KASAN not enabled as it requires radix! [ 4.484295][ T26] BUG: Unable to handle kernel data access at 0xc00e000000804a04 [ 4.485270][ T26] Faulting instruction address: 0xc00000000062ec6c [ 4.485748][ T26] Oops: Kernel access of bad area, sig: 11 [#1] [ 4.485920][ T26] BE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries [ 4.486259][ T26] Modules linked in: [ 4.486637][ T26] CPU: 0 PID: 26 Comm: kworker/u2:2 Not tainted 6.2.0-rc3-02590-gf8a023b0a805 #249 [ 4.486907][ T26] Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1200 0xf000005 of:SLOF,HEAD pSeries [ 4.487445][ T26] Workqueue: eval_map_wq .tracer_init_tracefs_work_func [ 4.488744][ T26] NIP: c00000000062ec6c LR: c00000000062bb84 CTR: c0000000002ebcd0 [ 4.488867][ T26] REGS: c0000000049175c0 TRAP: 0380 Not tainted (6.2.0-rc3-02590-gf8a023b0a805) [ 4.489028][ T26] MSR: 8000000002009032 CR: 44002808 XER: 00000000 [ 4.489584][ T26] CFAR: c00000000062bb80 IRQMASK: 0 [ 4.489584][ T26] GPR00: c0000000005624d4 c000000004917860 c000000001cfc000 1800000000804a04 [ 4.489584][ T26] GPR04: c0000000003a2650 0000000000000cc0 c00000000000d3d8 c00000000000d3d8 [ 4.489584][ T26] GPR08: c0000000049175b0 a80e000000000000 0000000000000000 0000000017d78400 [ 4.489584][ T26] GPR12: 0000000044002204 c000000003790000 c00000000435003c c0000000043f1c40 [ 4.489584][ T26] GPR16: c0000000043f1c68 c0000000043501a0 c000000002106138 c0000000043f1c08 [ 4.489584][ T26] GPR20: c0000000043f1c10 c0000000043f1c20 c000000004146c40 c000000002fdb7f8 [ 4.489584][ T26] GPR24: c000000002fdb834 c000000003685e00 c000000004025030 c000000003522e90 [ 4.489584][ T26] GPR28: 0000000000000cc0 c0000000003a2650 c000000004025020 c000000004025020 [ 4.491201][ T26] NIP [c00000000062ec6c] .kasan_byte_accessible+0xc/0x20 [ 4.491430][ T26] LR [c00000000062bb84] .__kasan_check_byte+0x24/0x90 [ 4.491767][ T26] Call Trace: [ 4.491941][ T26] [c000000004917860] [c00000000062ae70] .__kasan_kmalloc+0xc0/0x110 (unreliable) [ 4.492270][ T26] [c0000000049178f0] [c0000000005624d4] .krealloc+0x54/0x1c0 [ 4.492453][ T26] [c000000004917990] [c0000000003a2650] .create_trace_option_files+0x280/0x530 [ 4.492613][ T26] [c000000004917a90] [c000000002050d90] .tracer_init_tracefs_work_func+0x274/0x2c0 [ 4.492771][ T26] [c000000004917b40] [c0000000001f9948] .process_one_work+0x578/0x9f0 [ 4.492927][ T26] [c000000004917c30] [c0000000001f9ebc] .worker_thread+0xfc/0x950 [ 4.493084][ T26] [c000000004917d60] [c00000000020be84] .kthread+0x1a4/0x1b0 [ 4.493232][ T26] [c000000004917e10] [c00000000000d3d8] .ret_from_kernel_thread+0x58/0x60 [ 4.495642][ T26] Code: 60000000 7cc802a6 38a00000 4bfffc78 60000000 7cc802a6 38a00001 4bfffc68 60000000 3d20a80e 7863e8c2 792907c6 <7c6348ae> 20630007 78630fe0 68630001 [ 4.496704][ T26] ---[ end trace 0000000000000000 ]--- The Oops is due to kasan_byte_accessible() not checking the readiness of KASAN. Add missing call to kasan_arch_is_ready() and bail out when not ready. The same problem is observed with ____kasan_kfree_large() so fix it the same. Also, as KASAN is not available and no shadow area is allocated for linear memory mapping, there is no point in allocating shadow mem for vmalloc memory as shown below in /sys/kernel/debug/kernel_page_tables ---[ kasan shadow mem start ]--- 0xc00f000000000000-0xc00f00000006ffff 0x00000000040f0000 448K r w pte valid present dirty accessed 0xc00f000000860000-0xc00f00000086ffff 0x000000000ac10000 64K r w pte valid present dirty accessed 0xc00f3ffffffe0000-0xc00f3fffffffffff 0x0000000004d10000 128K r w pte valid present dirty accessed ---[ kasan shadow mem end ]--- So, also verify KASAN readiness before allocating and poisoning shadow mem for VMAs. Link: https://lkml.kernel.org/r/150768c55722311699fdcf8f5379e8256749f47d.1674716617.git.christophe.leroy@csgroup.eu Fixes: 41b7a347bf14 ("powerpc: Book3S 64-bit outline-only KASAN support") Signed-off-by: Christophe Leroy Reported-by: Nathan Lynch Suggested-by: Michael Ellerman Cc: Alexander Potapenko Cc: Andrey Konovalov Cc: Andrey Ryabinin Cc: Dmitry Vyukov Cc: Vincenzo Frascino Cc: [5.19+] Signed-off-by: Andrew Morton commit 777c1e01cb7e1947765fb0c3b9b71dab18e53e46 Merge: 0ed904169f85e e7d636476ba73 Author: Dave Airlie Date: Fri Feb 10 09:49:12 2023 +1000 Merge tag 'amd-drm-fixes-6.2-2023-02-09' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.2-2023-02-09: amdgpu: - Add a parameter to disable S/G display - Re-enable S/G display on all DCNs Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20230209174504.7577-1-alexander.deucher@amd.com commit 0ed904169f85efcf9f82bd960597aac46260537f Merge: 337d5b5edc3d0 6a7ff131f17f4 Author: Dave Airlie Date: Fri Feb 10 09:47:20 2023 +1000 Merge tag 'drm-intel-fixes-2023-02-09' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Display watermark fix (Ville) - fbdev fix for PSR, FBC, DRRS (Jouni) - Move fd_install after last use of fence (Rob) - Initialize the obj flags for shmem objects (Aravind) - Fix VBT DSI DVO port handling (Ville) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/Y+UZ0rh2YlhTrE4t@intel.com commit 337d5b5edc3d03a30a972aead75cc6be5dcebbf6 Merge: 4684f5ce839ab 85e26dd5100a1 Author: Dave Airlie Date: Fri Feb 10 09:15:52 2023 +1000 Merge tag 'drm-misc-fixes-2023-02-09' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes A fix for a circular refcounting in drm/client, one for a memory leak in amdgpu and a virtio fence fix when interrupted Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20230209083600.7hi6roht6xxgldgz@houat commit 950b879b7f0251317d26bae0687e72592d607532 Author: Guo Ren Date: Thu Jan 26 22:53:06 2023 -0500 riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte In commit 588a513d3425 ("arm64: Fix race condition on PG_dcache_clean in __sync_icache_dcache()"), we found RISC-V has the same issue as the previous arm64. The previous implementation didn't guarantee the correct sequence of operations, which means flush_icache_all() hasn't been called when the PG_dcache_clean was set. That would cause a risk of page synchronization. Fixes: 08f051eda33b ("RISC-V: Flush I$ when making a dirty page executable") Signed-off-by: Guo Ren Signed-off-by: Guo Ren Reviewed-by: Andrew Jones Reviewed-by: Conor Dooley Link: https://lore.kernel.org/r/20230127035306.1819561-1-guoren@kernel.org Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit eb7423273cc9922ee2d05bf660c034d7d515bb91 Author: Guo Ren Date: Sat Feb 4 01:35:31 2023 -0500 riscv: kprobe: Fixup misaligned load text The current kprobe would cause a misaligned load for the probe point. This patch fixup it with two half-word loads instead. Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported") Signed-off-by: Guo Ren Signed-off-by: Guo Ren Link: https://lore.kernel.org/linux-riscv/878rhig9zj.fsf@all.your.base.are.belong.to.us/ Reported-by: Bjorn Topel Reviewed-by: Björn Töpel Link: https://lore.kernel.org/r/20230204063531.740220-1-guoren@kernel.org Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit e544a07438522ab3688416e6e2e34bf0ee6d8755 Merge: 35674e7875187 918c5765a1542 Author: Linus Torvalds Date: Thu Feb 9 10:54:57 2023 -0800 Merge tag 'pm-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "Fix the incorrect value returned by cpufreq driver's ->get() callback for Qualcomm platforms (Douglas Anderson)" * tag 'pm-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq: qcom-hw: Fix cpufreq_driver->get() for non-LMH systems commit 35674e787518768626d3a0ffce1c13a7eeed922d Merge: 0b028189d1019 3a082086aa200 Author: Linus Torvalds Date: Thu Feb 9 09:17:38 2023 -0800 Merge tag 'net-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from can and ipsec subtrees. Current release - regressions: - sched: fix off by one in htb_activate_prios() - eth: mana: fix accessing freed irq affinity_hint - eth: ice: fix out-of-bounds KASAN warning in virtchnl Current release - new code bugs: - eth: mtk_eth_soc: enable special tag when any MAC uses DSA Previous releases - always broken: - core: fix sk->sk_txrehash default - neigh: make sure used and confirmed times are valid - mptcp: be careful on subflow status propagation on errors - xfrm: prevent potential spectre v1 gadget in xfrm_xlate32_attr() - phylink: move phy_device_free() to correctly release phy device - eth: mlx5: - fix crash unsetting rx-vlan-filter in switchdev mode - fix hang on firmware reset - serialize module cleanup with reload and remove" * tag 'net-6.2-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (57 commits) selftests: forwarding: lib: quote the sysctl values net: mscc: ocelot: fix all IPv6 getting trapped to CPU when PTP timestamping is used rds: rds_rm_zerocopy_callback() use list_first_entry() net: txgbe: Update support email address selftests: Fix failing VXLAN VNI filtering test selftests: mptcp: stop tests earlier selftests: mptcp: allow more slack for slow test-case mptcp: be careful on subflow status propagation on errors mptcp: fix locking for in-kernel listener creation mptcp: fix locking for setsockopt corner-case mptcp: do not wait for bare sockets' timeout net: ethernet: mtk_eth_soc: fix DSA TX tag hwaccel for switch port 0 nfp: ethtool: fix the bug of setting unsupported port speed txhash: fix sk->sk_txrehash default net: ethernet: mtk_eth_soc: fix wrong parameters order in __xdp_rxq_info_reg() net: ethernet: mtk_eth_soc: enable special tag when any MAC uses DSA net: sched: sch: Fix off by one in htb_activate_prios() igc: Add ndo_tx_timeout support net: mana: Fix accessing freed irq affinity_hint hv_netvsc: Allocate memory in netvsc_dma_map() with GFP_ATOMIC ... commit 0b028189d1019ca352da108643b8f1503ee25a0e Merge: 94a1f56db688f ebebf05a4b06a Author: Linus Torvalds Date: Thu Feb 9 09:09:13 2023 -0800 Merge tag 'for-linus-2023020901' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid Pull HID fixes from Benjamin Tissoires: - fix potential infinite loop with a badly crafted HID device (Xin Zhao) - fix regression from 6.1 in USB logitech devices potentially making their mouse wheel not working (Bastien Nocera) - clean up in AMD sensors, which fixes a long time resume bug (Mario Limonciello) - few device small fixes and quirks * tag 'for-linus-2023020901' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: HID: Ignore battery for ELAN touchscreen 29DF on HP HID: amd_sfh: if no sensors are enabled, clean up HID: logitech: Disable hi-res scrolling on USB HID: core: Fix deadloop in hid_apply_multiplier. HID: Ignore battery for Elan touchscreen on Asus TP420IA HID: elecom: add support for TrackBall 056E:011C commit 94a1f56db688f134c763a4b2a5926b437f1ab4b9 Merge: 0983f6bf2bfc0 aa5465aeca3c6 Author: Linus Torvalds Date: Thu Feb 9 09:00:26 2023 -0800 Merge tag '6.2-rc8-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6 Pull cifx fix from Steve French: "Small fix for use after free" * tag '6.2-rc8-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6: cifs: Fix use-after-free in rdata->read_into_pages() commit 5f58d783fd7823b2c2d5954d1126e702f94bfc4c Author: Anand Jain Date: Fri Jan 20 21:47:16 2023 +0800 btrfs: free device in btrfs_close_devices for a single device filesystem We have this check to make sure we don't accidentally add older devices that may have disappeared and re-appeared with an older generation from being added to an fs_devices (such as a replace source device). This makes sense, we don't want stale disks in our file system. However for single disks this doesn't really make sense. I've seen this in testing, but I was provided a reproducer from a project that builds btrfs images on loopback devices. The loopback device gets cached with the new generation, and then if it is re-used to generate a new file system we'll fail to mount it because the new fs is "older" than what we have in cache. Fix this by freeing the cache when closing the device for a single device filesystem. This will ensure that the mount command passed device path is scanned successfully during the next mount. CC: stable@vger.kernel.org # 5.10+ Reported-by: Daan De Meyer Signed-off-by: Josef Bacik Signed-off-by: Anand Jain Reviewed-by: David Sterba Signed-off-by: David Sterba commit 519b7e13b5ae8dd38da1e52275705343be6bb508 Author: Filipe Manana Date: Mon Jan 23 16:54:46 2023 +0000 btrfs: lock the inode in shared mode before starting fiemap Currently fiemap does not take the inode's lock (VFS lock), it only locks a file range in the inode's io tree. This however can lead to a deadlock if we have a concurrent fsync on the file and fiemap code triggers a fault when accessing the user space buffer with fiemap_fill_next_extent(). The deadlock happens on the inode's i_mmap_lock semaphore, which is taken both by fsync and btrfs_page_mkwrite(). This deadlock was recently reported by syzbot and triggers a trace like the following: task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:5293 [inline] __schedule+0x995/0xe20 kernel/sched/core.c:6606 schedule+0xcb/0x190 kernel/sched/core.c:6682 wait_on_state fs/btrfs/extent-io-tree.c:707 [inline] wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751 lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742 find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488 writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863 __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174 extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091 extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211 do_writepages+0x3c3/0x680 mm/page-writeback.c:2581 filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388 __filemap_fdatawrite_range mm/filemap.c:421 [inline] filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439 btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline] start_ordered_ops fs/btrfs/file.c:1737 [inline] btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839 generic_write_sync include/linux/fs.h:2885 [inline] btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684 call_write_iter include/linux/fs.h:2189 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x7dc/0xc50 fs/read_write.c:584 ksys_write+0x177/0x2a0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f7d4054e9b9 RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9 RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006 RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69 R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8 INFO: task syz-executor361:5697 blocked for more than 145 seconds. Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:5293 [inline] __schedule+0x995/0xe20 kernel/sched/core.c:6606 schedule+0xcb/0x190 kernel/sched/core.c:6682 rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095 __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260 btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526 do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947 wp_page_shared+0x15e/0x380 mm/memory.c:3295 handle_pte_fault mm/memory.c:4949 [inline] __handle_mm_fault mm/memory.c:5073 [inline] handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219 do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428 handle_page_fault arch/x86/mm/fault.c:1519 [inline] exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233 Code: 74 0a 89 (...) RSP: 0018:ffffc9000570f330 EFLAGS: 00050202 RAX: ffffffff843e6601 RBX: 00007fffffffefc8 RCX: 0000000000000007 RDX: 0000000000000000 RSI: ffffc9000570f3e0 RDI: 0000000020000120 RBP: ffffc9000570f490 R08: 0000000000000000 R09: fffff52000ae1e83 R10: fffff52000ae1e83 R11: 1ffff92000ae1e7c R12: 0000000000000038 R13: ffffc9000570f3e0 R14: 0000000020000120 R15: ffffc9000570f3e0 copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline] raw_copy_to_user arch/x86/include/asm/uaccess_64.h:58 [inline] _copy_to_user+0xe9/0x130 lib/usercopy.c:34 copy_to_user include/linux/uaccess.h:169 [inline] fiemap_fill_next_extent+0x22e/0x410 fs/ioctl.c:144 emit_fiemap_extent+0x22d/0x3c0 fs/btrfs/extent_io.c:3458 fiemap_process_hole+0xa00/0xad0 fs/btrfs/extent_io.c:3716 extent_fiemap+0xe27/0x2100 fs/btrfs/extent_io.c:3922 btrfs_fiemap+0x172/0x1e0 fs/btrfs/inode.c:8209 ioctl_fiemap fs/ioctl.c:219 [inline] do_vfs_ioctl+0x185b/0x2980 fs/ioctl.c:810 __do_sys_ioctl fs/ioctl.c:868 [inline] __se_sys_ioctl+0x83/0x170 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f7d4054e9b9 RSP: 002b:00007f7d390d92f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f7d405d87b0 RCX: 00007f7d4054e9b9 RDX: 0000000020000100 RSI: 00000000c020660b RDI: 0000000000000005 RBP: 00007f7d405a51d0 R08: 00007f7d390d9700 R09: 0000000000000000 R10: 00007f7d390d9700 R11: 0000000000000246 R12: 61635f65646f6e69 R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87b8 What happens is the following: 1) Task A is doing an fsync, enters btrfs_sync_file() and flushes delalloc before locking the inode and the i_mmap_lock semaphore, that is, before calling btrfs_inode_lock(); 2) After task A flushes delalloc and before it calls btrfs_inode_lock(), another task dirties a page; 3) Task B starts a fiemap without FIEMAP_FLAG_SYNC, so the page dirtied at step 2 remains dirty and unflushed. Then when it enters extent_fiemap() and it locks a file range that includes the range of the page dirtied in step 2; 4) Task A calls btrfs_inode_lock() and locks the inode (VFS lock) and the inode's i_mmap_lock semaphore in write mode. Then it tries to flush delalloc by calling start_ordered_ops(), which will block, at find_lock_delalloc_range(), when trying to lock the range of the page dirtied at step 2, since this range was locked by the fiemap task (at step 3); 5) Task B generates a page fault when accessing the user space fiemap buffer with a call to fiemap_fill_next_extent(). The fault handler needs to call btrfs_page_mkwrite() for some other page of our inode, and there we deadlock when trying to lock the inode's i_mmap_lock semaphore in read mode, since the fsync task locked it in write mode (step 4) and the fsync task can not progress because it's waiting to lock a file range that is currently locked by us (the fiemap task, step 3). Fix this by taking the inode's lock (VFS lock) in shared mode when entering fiemap. This effectively serializes fiemap with fsync (except the most expensive part of fsync, the log sync), preventing this deadlock. Reported-by: syzbot+cc35f55c41e34c30dcb5@syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/00000000000032dc7305f2a66f46@google.com/ CC: stable@vger.kernel.org # 6.1+ Reviewed-by: Josef Bacik Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit e7d636476ba73e61460619bd8822e16af3cba509 Author: Alex Deucher Date: Thu Feb 9 09:09:45 2023 -0500 Revert "drm/amd/display: disable S/G display on DCN 3.1.5" This reverts commit 3cc67fe1b3aa1ac4720e002f2aa2d08c9199a584. Some users have reported flickerng with S/G display. We've tried extensively to reproduce and debug the issue on a wide variety of platform configurations (DRAM bandwidth, etc.) and a variety of monitors, but so far have not been able to. We disabled S/G display on a number of platforms to address this but that leads to failure to pin framebuffers errors and blank displays when there is memory pressure or no displays at all on systems with limited carveout (e.g., Chromebooks). We have a parameter to disable this as a debugging option as a way for users to disable this, depending on their use case, and for us to help debug this further. Having this enabled seems like the lesser of to evils. Reviewed-by: Harry Wentland Acked-by: Christian König Signed-off-by: Alex Deucher commit 1b7ac7989ad82f8df6365cd6338df0d9937e0119 Author: Alex Deucher Date: Thu Feb 9 09:09:19 2023 -0500 Revert "drm/amd/display: disable S/G display on DCN 2.1.0" This reverts commit 2404f9b0ea0153c3fddb0c4d7a43869dc8608f6f. Some users have reported flickerng with S/G display. We've tried extensively to reproduce and debug the issue on a wide variety of platform configurations (DRAM bandwidth, etc.) and a variety of monitors, but so far have not been able to. We disabled S/G display on a number of platforms to address this but that leads to failure to pin framebuffers errors and blank displays when there is memory pressure or no displays at all on systems with limited carveout (e.g., Chromebooks). We have a parameter to disable this as a debugging option as a way for users to disable this, depending on their use case, and for us to help debug this further. Having this enabled seems like the lesser of to evils. Reviewed-by: Harry Wentland Acked-by: Christian König Signed-off-by: Alex Deucher commit 9734a75cd99d448814e64feca133dc9a6e3f65f2 Author: Alex Deucher Date: Thu Feb 9 09:07:42 2023 -0500 Revert "drm/amd/display: disable S/G display on DCN 3.1.2/3" This reverts commit f081cd4ca2658752a8c0e2353d50aec80d07c65f. Some users have reported flickerng with S/G display. We've tried extensively to reproduce and debug the issue on a wide variety of platform configurations (DRAM bandwidth, etc.) and a variety of monitors, but so far have not been able to. We disabled S/G display on a number of platforms to address this but that leads to failure to pin framebuffers errors and blank displays when there is memory pressure or no displays at all on systems with limited carveout (e.g., Chromebooks). We have a parameter to disable this as a debugging option as a way for users to disable this, depending on their use case, and for us to help debug this further. Having this enabled seems like the lesser of to evils. Reviewed-by: Harry Wentland Acked-by: Christian König Signed-off-by: Alex Deucher commit 4693e852f19a1338a49e540fb99fe3b2898d8594 Author: Alex Deucher Date: Thu Feb 9 09:00:02 2023 -0500 drm/amdgpu: add S/G display parameter Some users have reported flickerng with S/G display. We've tried extensively to reproduce and debug the issue on a wide variety of platform configurations (DRAM bandwidth, etc.) and a variety of monitors, but so far have not been able to. We disabled S/G display on a number of platforms to address this but that leads to failure to pin framebuffers errors and blank displays when there is memory pressure or no displays at all on systems with limited carveout (e.g., Chromebooks). Add a option to disable this as a debugging option as a way for users to disable this, depending on their use case, and for us to help debug this further. v2: fix typo Reviewed-by: Harry Wentland Acked-by: Christian König Signed-off-by: Alex Deucher commit 38c33ece232019c5b18b4d5ec0254807cac06b7c Merge: e02bbac74cdde 70daa5c8f001e Author: Jens Axboe Date: Thu Feb 9 08:12:06 2023 -0700 Merge tag 'nvme-6.2-2023-02-09' of git://git.infradead.org/nvme into block-6.2 Pull NVMe fix from Christoph: "nvme fixes for Linux 6.2 - fix a static checker warning for a variable introduces in the last pull request (Tom Rix)" * tag 'nvme-6.2-2023-02-09' of git://git.infradead.org/nvme: nvme-auth: mark nvme_auth_wq static commit 303e724d7b1e1a0a93daf0b1ab5f7c4f53543b34 Author: Mark Pearson Date: Wed Feb 8 13:12:23 2023 -0500 usb: core: add quirk for Alcor Link AK9563 smartcard reader The Alcor Link AK9563 smartcard reader used on some Lenovo platforms doesn't work. If LPM is enabled the reader will provide an invalid usb config descriptor. Added quirk to disable LPM. Verified fix on Lenovo P16 G1 and T14 G3 Tested-by: Miroslav Zatko Tested-by: Dennis Wassenberg Cc: stable@vger.kernel.org Signed-off-by: Dennis Wassenberg Signed-off-by: Mark Pearson Link: https://lore.kernel.org/r/20230208181223.1092654-1-mpearson-lenovo@squebb.ca Signed-off-by: Greg Kroah-Hartman commit 54e5c00a4eb0a4c663445b245f641bbfab142430 Author: Prashant Malani Date: Wed Feb 8 20:53:19 2023 +0000 usb: typec: altmodes/displayport: Fix probe pin assign check While checking Pin Assignments of the port and partner during probe, we don't take into account whether the peripheral is a plug or receptacle. This manifests itself in a mode entry failure on certain docks and dongles with captive cables. For instance, the Startech.com Type-C to DP dongle (Model #CDP2DP) advertises its DP VDO as 0x405. This would fail the Pin Assignment compatibility check, despite it supporting Pin Assignment C as a UFP. Update the check to use the correct DP Pin Assign macros that take the peripheral's receptacle bit into account. Fixes: c1e5c2f0cb8a ("usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles") Cc: stable@vger.kernel.org Reported-by: Diana Zigterman Signed-off-by: Prashant Malani Link: https://lore.kernel.org/r/20230208205318.131385-1-pmalani@chromium.org Signed-off-by: Greg Kroah-Hartman commit bb07bd68fa0983e3915f83c471382868860389fe Author: Paul Cercueil Date: Thu Feb 9 10:56:26 2023 +0000 Revert "usb: gadget: u_ether: Do not make UDC parent of the net device" This reverts commit 321b59870f850a10dbb211ecd2bd87b41497ea6f. This commit broke USB networking on Ingenic SoCs and maybe elsewhere. The actual reason is unknown; and while a proper fix would be better, we're sitting at -rc7 now, so a revert is justified - and we can work on re-introducing this change for 6.3. Fixes: 321b59870f85 ("usb: gadget: u_ether: Do not make UDC parent of the net device") Signed-off-by: Paul Cercueil Acked-by: Sascha Hauer Link: https://lore.kernel.org/r/20230209105626.10597-1-paul@crapouillou.net Signed-off-by: Greg Kroah-Hartman commit 190233164cd77115f8dea718cbac561f557092c6 Author: Darren Hart Date: Wed Feb 8 16:28:21 2023 -0800 arm64: efi: Force the use of SetVirtualAddressMap() on eMAG and Altra Max machines Commit 550b33cfd445 ("arm64: efi: Force the use of SetVirtualAddressMap() on Altra machines") identifies the Altra family via the family field in the type#1 SMBIOS record. eMAG and Altra Max machines are similarly affected but not detected with the strict strcmp test. The type1_family smbios string is not an entirely reliable means of identifying systems with this issue as OEMs can, and do, use their own strings for these fields. However, until we have a better solution, capture the bulk of these systems by adding strcmp matching for "eMAG" and "Altra Max". Fixes: 550b33cfd445 ("arm64: efi: Force the use of SetVirtualAddressMap() on Altra machines") Cc: # 6.1.x Cc: Alexandru Elisei Signed-off-by: Darren Hart Tested-by: Justin He Signed-off-by: Ard Biesheuvel commit 3a082086aa200852545cf15159213582c0c80eba Author: Hangbin Liu Date: Wed Feb 8 11:21:10 2023 +0800 selftests: forwarding: lib: quote the sysctl values When set/restore sysctl value, we should quote the value as some keys may have multi values, e.g. net.ipv4.ping_group_range Fixes: f5ae57784ba8 ("selftests: forwarding: lib: Add sysctl_set(), sysctl_restore()") Signed-off-by: Hangbin Liu Reviewed-by: Petr Machata Link: https://lore.kernel.org/r/20230208032110.879205-1-liuhangbin@gmail.com Signed-off-by: Paolo Abeni commit 2fcde9fe258ec8b88d41def38e43ca4da32c0a9a Author: Vladimir Oltean Date: Tue Feb 7 20:31:17 2023 +0200 net: mscc: ocelot: fix all IPv6 getting trapped to CPU when PTP timestamping is used While running this selftest which usually passes: ~/selftests/drivers/net/dsa# ./local_termination.sh eno0 swp0 TEST: swp0: Unicast IPv4 to primary MAC address [ OK ] TEST: swp0: Unicast IPv4 to macvlan MAC address [ OK ] TEST: swp0: Unicast IPv4 to unknown MAC address [ OK ] TEST: swp0: Unicast IPv4 to unknown MAC address, promisc [ OK ] TEST: swp0: Unicast IPv4 to unknown MAC address, allmulti [ OK ] TEST: swp0: Multicast IPv4 to joined group [ OK ] TEST: swp0: Multicast IPv4 to unknown group [ OK ] TEST: swp0: Multicast IPv4 to unknown group, promisc [ OK ] TEST: swp0: Multicast IPv4 to unknown group, allmulti [ OK ] TEST: swp0: Multicast IPv6 to joined group [ OK ] TEST: swp0: Multicast IPv6 to unknown group [ OK ] TEST: swp0: Multicast IPv6 to unknown group, promisc [ OK ] TEST: swp0: Multicast IPv6 to unknown group, allmulti [ OK ] if I start PTP timestamping then run it again (debug prints added by me), the unknown IPv6 MC traffic is seen by the CPU port even when it should have been dropped: ~/selftests/drivers/net/dsa# ptp4l -i swp0 -2 -P -m ptp4l[225.410]: selected /dev/ptp1 as PTP clock [ 225.445746] mscc_felix 0000:00:00.5: ocelot_l2_ptp_trap_add: port 0 adding L2 PTP trap [ 225.453815] mscc_felix 0000:00:00.5: ocelot_ipv4_ptp_trap_add: port 0 adding IPv4 PTP event trap [ 225.462703] mscc_felix 0000:00:00.5: ocelot_ipv4_ptp_trap_add: port 0 adding IPv4 PTP general trap [ 225.471768] mscc_felix 0000:00:00.5: ocelot_ipv6_ptp_trap_add: port 0 adding IPv6 PTP event trap [ 225.480651] mscc_felix 0000:00:00.5: ocelot_ipv6_ptp_trap_add: port 0 adding IPv6 PTP general trap ptp4l[225.488]: port 1: INITIALIZING to LISTENING on INIT_COMPLETE ptp4l[225.488]: port 0: INITIALIZING to LISTENING on INIT_COMPLETE ^C ~/selftests/drivers/net/dsa# ./local_termination.sh eno0 swp0 TEST: swp0: Unicast IPv4 to primary MAC address [ OK ] TEST: swp0: Unicast IPv4 to macvlan MAC address [ OK ] TEST: swp0: Unicast IPv4 to unknown MAC address [ OK ] TEST: swp0: Unicast IPv4 to unknown MAC address, promisc [ OK ] TEST: swp0: Unicast IPv4 to unknown MAC address, allmulti [ OK ] TEST: swp0: Multicast IPv4 to joined group [ OK ] TEST: swp0: Multicast IPv4 to unknown group [ OK ] TEST: swp0: Multicast IPv4 to unknown group, promisc [ OK ] TEST: swp0: Multicast IPv4 to unknown group, allmulti [ OK ] TEST: swp0: Multicast IPv6 to joined group [ OK ] TEST: swp0: Multicast IPv6 to unknown group [FAIL] reception succeeded, but should have failed TEST: swp0: Multicast IPv6 to unknown group, promisc [ OK ] TEST: swp0: Multicast IPv6 to unknown group, allmulti [ OK ] The PGID_MCIPV6 is configured correctly to not flood to the CPU, I checked that. Furthermore, when I disable back PTP RX timestamping (ptp4l doesn't do that when it exists), packets are RX filtered again as they should be: ~/selftests/drivers/net/dsa# hwstamp_ctl -i swp0 -r 0 [ 218.202854] mscc_felix 0000:00:00.5: ocelot_l2_ptp_trap_del: port 0 removing L2 PTP trap [ 218.212656] mscc_felix 0000:00:00.5: ocelot_ipv4_ptp_trap_del: port 0 removing IPv4 PTP event trap [ 218.222975] mscc_felix 0000:00:00.5: ocelot_ipv4_ptp_trap_del: port 0 removing IPv4 PTP general trap [ 218.233133] mscc_felix 0000:00:00.5: ocelot_ipv6_ptp_trap_del: port 0 removing IPv6 PTP event trap [ 218.242251] mscc_felix 0000:00:00.5: ocelot_ipv6_ptp_trap_del: port 0 removing IPv6 PTP general trap current settings: tx_type 1 rx_filter 12 new settings: tx_type 1 rx_filter 0 ~/selftests/drivers/net/dsa# ./local_termination.sh eno0 swp0 TEST: swp0: Unicast IPv4 to primary MAC address [ OK ] TEST: swp0: Unicast IPv4 to macvlan MAC address [ OK ] TEST: swp0: Unicast IPv4 to unknown MAC address [ OK ] TEST: swp0: Unicast IPv4 to unknown MAC address, promisc [ OK ] TEST: swp0: Unicast IPv4 to unknown MAC address, allmulti [ OK ] TEST: swp0: Multicast IPv4 to joined group [ OK ] TEST: swp0: Multicast IPv4 to unknown group [ OK ] TEST: swp0: Multicast IPv4 to unknown group, promisc [ OK ] TEST: swp0: Multicast IPv4 to unknown group, allmulti [ OK ] TEST: swp0: Multicast IPv6 to joined group [ OK ] TEST: swp0: Multicast IPv6 to unknown group [ OK ] TEST: swp0: Multicast IPv6 to unknown group, promisc [ OK ] TEST: swp0: Multicast IPv6 to unknown group, allmulti [ OK ] So it's clear that something in the PTP RX trapping logic went wrong. Looking a bit at the code, I can see that there are 4 typos, which populate "ipv4" VCAP IS2 key filter fields for IPv6 keys. VCAP IS2 keys of type OCELOT_VCAP_KEY_IPV4 and OCELOT_VCAP_KEY_IPV6 are handled by is2_entry_set(). OCELOT_VCAP_KEY_IPV4 looks at &filter->key.ipv4, and OCELOT_VCAP_KEY_IPV6 at &filter->key.ipv6. Simply put, when we populate the wrong key field, &filter->key.ipv6 fields "proto.mask" and "proto.value" remain all zeroes (or "don't care"). So is2_entry_set() will enter the "else" of this "if" condition: if (msk == 0xff && (val == IPPROTO_TCP || val == IPPROTO_UDP)) and proceed to ignore the "proto" field. The resulting rule will match on all IPv6 traffic, trapping it to the CPU. This is the reason why the local_termination.sh selftest sees it, because control traps are stronger than the PGID_MCIPV6 used for flooding (from the forwarding data path). But the problem is in fact much deeper. We trap all IPv6 traffic to the CPU, but if we're bridged, we set skb->offload_fwd_mark = 1, so software forwarding will not take place and IPv6 traffic will never reach its destination. The fix is simple - correct the typos. I was intentionally inaccurate in the commit message about the breakage occurring when any PTP timestamping is enabled. In fact it only happens when L4 timestamping is requested (HWTSTAMP_FILTER_PTP_V2_EVENT or HWTSTAMP_FILTER_PTP_V2_L4_EVENT). But ptp4l requests a larger RX timestamping filter than it needs for "-2": HWTSTAMP_FILTER_PTP_V2_EVENT. I wanted people skimming through git logs to not think that the bug doesn't affect them because they only use ptp4l in L2 mode. Fixes: 96ca08c05838 ("net: mscc: ocelot: set up traps for PTP packets") Signed-off-by: Vladimir Oltean Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20230207183117.1745754-1-vladimir.oltean@nxp.com Signed-off-by: Paolo Abeni commit f753a68980cf4b59a80fe677619da2b1804f526d Author: Pietro Borrello Date: Tue Feb 7 18:26:34 2023 +0000 rds: rds_rm_zerocopy_callback() use list_first_entry() rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Use list_first_entry() to actually access the first element of the rs_zcookie_queue list. Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification") Reviewed-by: Willem de Bruijn Signed-off-by: Pietro Borrello Link: https://lore.kernel.org/r/20230202-rds-zerocopy-v3-1-83b0df974f9a@diag.uniroma1.it Signed-off-by: Paolo Abeni commit 247a631f9c0ffb37ed0786a94cb4c5f2b6fc7ab1 Author: Dom Cobley Date: Fri Jan 27 15:55:58 2023 +0100 drm/vc4: crtc: Increase setup cost in core clock calculation to handle extreme reduced blanking The formula that determines the core clock requirement based on pixel clock and blanking has been determined experimentally to minimise the clock while supporting all modes we've seen. A new reduced blanking mode (4kp60 at 533MHz rather than the standard 594MHz) has been seen that doesn't produce a high enough clock and results in "flip_done timed out" error. Increase the setup cost in the formula to make this work. The result is a reduced blanking mode increases by up to 7MHz while leaving the standard timing mode untouched Link: https://github.com/raspberrypi/linux/issues/4446 Fixes: 16e101051f32 ("drm/vc4: Increase the core clock based on HVS load") Signed-off-by: Dom Cobley Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20230127145558.446123-1-maxime@cerno.tech commit 7fa846b95ce8fd4cb80f32516e2ad3f4ea4d6742 Author: Dom Cobley Date: Fri Jan 27 17:12:19 2023 +0100 drm/vc4: hdmi: Always enable GCP with AVMUTE cleared Issue is some displays go blank at the point of firmware to kms handover. Plugging/unplugging hdmi cable, power cycling display, or switching standby off/on typically resolve this case. Finally managed to find a display that suffers from this, and track down the issue. The firmware uses AVMUTE in normal operation. It will set AVMUTE before disabling hdmi clocks and phy. It will clear AVMUTE after clocks and phy are set up for a new hdmi mode. But with the hdmi handover from firmware to kms, AVMUTE will be set by firmware. kms driver typically has no GCP packet (except for deep colour modes). The spec isn't clear on whether to consider the AVMUTE as continuing indefinitely in the absence of a GCP packet, or to consider that state to have ended. Most displays behave as we want, but there are a number (from multiple manufacturers) which need to see AVMUTE cleared before displaying a picture. Lets just always enable GCP packet with AVMUTE cleared. That resolves the issue on problematic displays. From HDMI 1.4 spec: A CD field of zero (Color Depth not indicated) shall be used whenever the Sink does not indicate support for Deep Color. This value may also be used in Deep Color mode to transmit a GCP indicating only non-Deep Color information (e.g. AVMUTE). So use CD=0 where we were previously not enabling a GCP. Link: https://forum.libreelec.tv/thread/24780-le-10-0-1-rpi4-no-picture-after-update-from-le-10-0-0 Signed-off-by: Dom Cobley Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20230127161219.457058-1-maxime@cerno.tech commit 6b77b16de75a6efc0870b1fa467209387cbee8f3 Author: Dave Stevenson Date: Fri Jan 27 16:57:08 2023 +0100 drm/vc4: Fix YUV plane handling when planes are in different buffers YUV images can either be presented as one allocation with offsets for the different planes, or multiple allocations with 0 offsets. The driver only ever calls drm_fb_[dma|cma]_get_gem_obj with plane index 0, therefore any application using the second approach was incorrectly rendered. Correctly determine the address for each plane, removing the assumption that the base address is the same for each. Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.") Signed-off-by: Dave Stevenson Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20230127155708.454704-1-maxime@cerno.tech commit 4684f5ce839ab27f5f0414c08084468098363d27 Merge: 04119ab1a49fc c6ac406cd8ff6 Author: Dave Airlie Date: Thu Feb 9 17:04:25 2023 +1000 Merge tag 'amd-drm-fixes-6.2-2023-02-08' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.2-2023-02-08: amdgpu: - Flickering fixes for DCN 2.1, 3.1.2/3 - Re-enable S/G display on DCN 3.1.4 - Properly fix S/G display with AGP aperture enabled - Fix cursor offset with 180 rotation - SMU13 fixes - Use TGID for GPUVM traces - Fix oops on in fence error path - Don't run IB tests on hw rings when sw rings are in use Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20230209045321.565132-1-alexander.deucher@amd.com commit 646be03ec46cc736d78ca4db2e0b00fa84446d77 Merge: 363d7c2298e73 6028da3f125fe Author: Jakub Kicinski Date: Wed Feb 8 21:35:38 2023 -0800 Merge tag 'ipsec-2023-02-08' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== ipsec 2023-02-08 1) Fix policy checks for nested IPsec tunnels when using xfrm interfaces. From Benedict Wong. 2) Fix netlink message expression on 32=>64-bit messages translators. From Anastasia Belova. 3) Prevent potential spectre v1 gadget in xfrm_xlate32_attr. From Eric Dumazet. 4) Always consistently use time64_t in xfrm_timer_handler. From Eric Dumazet. 5) Fix KCSAN reported bug: Multiple cpus can update use_time at the same time. From Eric Dumazet. 6) Fix SCP copy from IPv4 to IPv6 on interfamily tunnel. From Christian Hopps. * tag 'ipsec-2023-02-08' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec: xfrm: fix bug with DSCP copy to v6 from v4 tunnel xfrm: annotate data-race around use_time xfrm: consistently use time64_t in xfrm_timer_handler() xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr() xfrm: compat: change expression for switch in xfrm_xlate64 Fix XFRM-I support for nested ESP tunnels ==================== Link: https://lore.kernel.org/r/20230208114322.266510-1-steffen.klassert@secunet.com Signed-off-by: Jakub Kicinski commit 363d7c2298e730083df942446534825654d65c5e Author: Jiawen Wu Date: Wed Feb 8 10:30:35 2023 +0800 net: txgbe: Update support email address Update new email address for Wangxun 10Gb NIC support team. Signed-off-by: Jiawen Wu Link: https://lore.kernel.org/r/20230208023035.3371250-1-jiawenwu@trustnetic.com Signed-off-by: Jakub Kicinski commit c6ac406cd8ff610a2d5da298b1d3071acfcde7f0 Author: Jane Jian Date: Fri Jan 13 18:53:45 2023 +0800 drm/amdgpu/smu: skip pptable init under sriov sriov does not need to init pptable from amdgpu driver we finish it from PF Signed-off-by: Jane Jian Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit 6c1a6d0b64e1a15016ba7450cce8629f94de56c7 Author: JesseZhang Date: Wed Feb 8 10:07:18 2023 +0800 amd/amdgpu: remove test ib on hw ring test ib function is not necessary on hw ring, so remove it. v2: squash in NULL check fix Signed-off-by: JesseZhang Acked-by: Christian König Signed-off-by: Alex Deucher commit 5ad7bbf3dba5c4a684338df1f285080f2588b535 Author: Guilherme G. Piccoli Date: Thu Feb 2 10:48:56 2023 -0300 drm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini Currently amdgpu calls drm_sched_fini() from the fence driver sw fini routine - such function is expected to be called only after the respective init function - drm_sched_init() - was executed successfully. Happens that we faced a driver probe failure in the Steam Deck recently, and the function drm_sched_fini() was called even without its counter-part had been previously called, causing the following oops: amdgpu: probe of 0000:04:00.0 failed with error -110 BUG: kernel NULL pointer dereference, address: 0000000000000090 PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338 Hardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022 RIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched] [...] Call Trace: amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu] amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu] amdgpu_driver_release_kms+0x16/0x30 [amdgpu] devm_drm_dev_init_release+0x49/0x70 [...] To prevent that, check if the drm_sched was properly initialized for a given ring before calling its fini counter-part. Notice ideally we'd use sched.ready for that; such field is set as the latest thing on drm_sched_init(). But amdgpu seems to "override" the meaning of such field - in the above oops for example, it was a GFX ring causing the crash, and the sched.ready field was set to true in the ring init routine, regardless of the state of the DRM scheduler. Hence, we ended-up using sched.ops as per Christian's suggestion [0], and also removed the no_scheduler check [1]. [0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/ [1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/ Fixes: 067f44c8b459 ("drm/amdgpu: avoid over-handle of fence driver fini in s3 test (v2)") Suggested-by: Christian König Cc: Guchun Chen Cc: Luben Tuikov Cc: Mario Limonciello Reviewed-by: Luben Tuikov Signed-off-by: Guilherme G. Piccoli Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit e53448e0a1efa5133c7db78f1df1f4caf177676b Author: Friedrich Vock Date: Thu Feb 2 17:21:03 2023 +0100 drm/amdgpu: Use the TGID for trace_amdgpu_vm_update_ptes The pid field corresponds to the result of gettid() in userspace. However, userspace cannot reliably attribute PTE events to processes with just the thread id. This patch allows userspace to easily attribute PTE update events to specific processes by comparing this field with the result of getpid(). For attributing events to specific threads, the thread id is also contained in the common fields of each trace event. Reviewed-by: Christian König Signed-off-by: Friedrich Vock Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit c108a18462949fe709ebd6b0be68398d643bc285 Author: Kent Russell Date: Mon Feb 6 12:21:42 2023 -0500 drm/amdgpu: Add unique_id support for GC 11.0.1/2 These can support unique_id, so create the sysfs file for them Signed-off-by: Kent Russell Reviewed-by: Harish Kasiviswanathan Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit dc38b996db968f51f0fe45845a519c5cd7f6bd04 Author: Evan Quan Date: Tue Feb 7 10:42:31 2023 +0800 drm/amd/pm: bump SMU 13.0.7 driver_if header version This can suppress the warning caused by version mismatch. Signed-off-by: Evan Quan Acked-by: Alex Deucher Acked-by: Guchun Chen Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit 9874cc2df4e892c8744aa0472866cbf7c3cf1862 Author: Evan Quan Date: Tue Jan 31 10:40:09 2023 +0800 drm/amd/pm: bump SMU 13.0.0 driver_if header version This can suppress the warning caused by version mismatch. Signed-off-by: Evan Quan Acked-by: Alex Deucher Acked-by: Guchun Chen Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit 0e763afcb50814e256ecb780fcc0f3bade2e1a0c Author: Evan Quan Date: Fri Feb 3 15:33:59 2023 +0800 drm/amd/pm: add SMU 13.0.7 missing GetPptLimit message mapping Add missing GetPptLimit message mapping. Signed-off-by: Evan Quan Reviewed-by: Feifei Xu Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit ff8ced4eefbff5f27a21015b20228ae0118d2f7d Merge: b963d9d5b9437 8f0d1451ecf7b Author: Jakub Kicinski Date: Wed Feb 8 19:23:44 2023 -0800 Merge tag 'mlx5-fixes-2023-02-07' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== mlx5 fixes 2023-02-07 This series provides bug fixes to mlx5 driver. * tag 'mlx5-fixes-2023-02-07' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux: net/mlx5: Serialize module cleanup with reload and remove net/mlx5: fw_tracer, Zero consumer index when reloading the tracer net/mlx5: fw_tracer, Clear load bit when freeing string DBs buffers net/mlx5: Expose SF firmware pages counter net/mlx5: Store page counters in a single array net/mlx5e: IPoIB, Show unknown speed instead of error net/mlx5e: Fix crash unsetting rx-vlan-filter in switchdev mode net/mlx5: Bridge, fix ageing of peer FDB entries net/mlx5: DR, Fix potential race in dr_rule_create_rule_nic net/mlx5e: Update rx ring hw mtu upon each rx-fcs flag change ==================== Link: https://lore.kernel.org/r/20230208030302.95378-1-saeed@kernel.org Signed-off-by: Jakub Kicinski commit 49d0555976f0972af68397ed996375c135b38ba7 Author: Melissa Wen Date: Tue Jan 31 15:05:46 2023 -0100 drm/amd/display: fix cursor offset on rotation 180 Cursor gets clipped off in the middle of the screen with hw rotation 180. Fix a miscalculation of cursor offset when it's placed near the edges in the pipe split case. Cursor bugs with hw rotation were reported on AMD issue tracker: https://gitlab.freedesktop.org/drm/amd/-/issues/2247 The issues on rotation 270 was fixed by: https://lore.kernel.org/amd-gfx/20221118125935.4013669-22-Brian.Chang@amd.com/ that partially addressed the rotation 180 too. So, this patch is the final bits for rotation 180. Reported-by: Xaver Hugl Reviewed-by: Harry Wentland Fixes: 9d84c7ef8a87 ("drm/amd/display: Correct cursor position on horizontal mirror") Signed-off-by: Melissa Wen Signed-off-by: Hamza Mahfooz Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 5630a35024d12432827bd7e7986dd60cfe2f983b Author: Kenneth Feng Date: Fri Feb 3 14:19:37 2023 +0800 drm/amd/amdgpu: enable athub cg 11.0.3 enable athub cg on gc 11.0.3 Signed-off-by: Kenneth Feng Reviewed-by: Likun Gao Signed-off-by: Alex Deucher commit 7ece674cd9468ce740494f6108c39831cfc7eb4e Author: Alex Deucher Date: Tue Jan 31 13:10:55 2023 -0500 Revert "drm/amd/display: disable S/G display on DCN 3.1.4" This reverts commit 9aa15370819294beb7eb67c9dcbf654d79ff8790. This is fixed now so we can re-enable S/G display on DCN 3.1.4. Reviewed-by: Yifan Zhang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit 5c4e8c71d1202cd84d870e7e5cb8d6b52f9c3507 Author: Alex Deucher Date: Tue Jan 31 09:56:46 2023 -0500 drm/amd/display: properly handling AGP aperture in vm setup Take into account whether or not the AGP aperture is enabled or not when calculating the system aperture. Fixes white screens with DCN 3.1.4. Based on a patch from Yifan Zhang Cc: Yifan Zhang Acked-by: Harry Wentland Reviewed-by: Yifan Zhang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit 077e9659581acab70f2dcc04b5bc799aca3a056b Author: Alex Deucher Date: Wed Jan 25 09:57:27 2023 -0500 drm/amd/display: disable S/G display on DCN 3.1.2/3 Causes flickering or white screens in some configurations. Disable it for now until we can fix the issue. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2352 Cc: roman.li@amd.com Cc: yifan1.zhang@amd.com Reviewed-by: Yifan Zhang Signed-off-by: Alex Deucher commit 877f26bf3ca65447e923e86305a7f2a20d059e21 Author: Alex Deucher Date: Thu Jan 26 10:15:37 2023 -0500 drm/amd/display: disable S/G display on DCN 2.1.0 Causes flickering or white screens in some configurations. Disable it for now until we can fix the issue. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2352 Cc: roman.li@amd.com Cc: yifan1.zhang@amd.com Reviewed-by: Yifan Zhang Signed-off-by: Alex Deucher commit b963d9d5b9437a6b99504987310f98537c9e77d4 Author: Ido Schimmel Date: Tue Feb 7 16:18:19 2023 +0200 selftests: Fix failing VXLAN VNI filtering test iproute2 does not recognize the "group6" and "remote6" keywords. Fix by using "group" and "remote" instead. Before: # ./test_vxlan_vnifiltering.sh [...] Tests passed: 25 Tests failed: 2 After: # ./test_vxlan_vnifiltering.sh [...] Tests passed: 27 Tests failed: 0 Fixes: 3edf5f66c12a ("selftests: add new tests for vxlan vnifiltering") Signed-off-by: Ido Schimmel Reviewed-by: Alexander Duyck Link: https://lore.kernel.org/r/20230207141819.256689-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski commit f545e8831e70065e127f903fc7aca09aa50422c7 Author: Kan Liang Date: Wed Feb 8 09:23:40 2023 -0800 x86/cpu: Add Lunar Lake M Intel confirmed the existence of this CPU in Q4'2022 earnings presentation. Add the CPU model number. [ dhansen: Merging these as soon as possible makes it easier on all the folks developing model-specific features. ] Signed-off-by: Kan Liang Signed-off-by: Tony Luck Signed-off-by: Dave Hansen Link: https://lore.kernel.org/all/20230208172340.158548-1-tony.luck%40intel.com commit ae052e3ae09572194d7e574906db7272041577d3 Author: Nadav Amit Date: Wed Feb 8 07:17:08 2023 +0000 x86/kprobes: Fix 1 byte conditional jump target Commit 3bc753c06dd0 ("kbuild: treat char as always unsigned") broke kprobes. Setting a probe-point on 1 byte conditional jump can cause the kernel to crash when the (signed) relative jump offset gets treated as unsigned. Fix by replacing the unsigned 'immediate.bytes' (plus a cast) with the signed 'immediate.value' when assigning to the relative jump offset. [ dhansen: clarified changelog ] Fixes: 3bc753c06dd0 ("kbuild: treat char as always unsigned") Suggested-by: Masami Hiramatsu (Google) Suggested-by: Dave Hansen Signed-off-by: Nadav Amit Signed-off-by: Dave Hansen Acked-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/all/20230208071708.4048-1-namit%40vmware.com commit 6a7ff131f17f44c593173c5ee30e2c03ef211685 Author: Ville Syrjälä Date: Tue Feb 7 08:43:35 2023 +0200 drm/i915: Fix VBT DSI DVO port handling Turns out modern (icl+) VBTs still declare their DSI ports as MIPI-A and MIPI-C despite the PHYs now being A and B. Remap appropriately to allow the panels declared as MIPI-C to work. Cc: stable@vger.kernel.org Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8016 Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20230207064337.18697-2-ville.syrjala@linux.intel.com Reviewed-by: Jani Nikula (cherry picked from commit 118b5c136c04da705b274b0d39982bb8b7430fc5) Signed-off-by: Rodrigo Vivi commit 5afc7eefe41645259da84898fc55f6f46cb4de47 Author: Rander Wang Date: Wed Feb 8 12:44:04 2023 +0200 ASoC: SOF: ops: refine parameters order in function snd_sof_dsp_update8 SOF driver calls snd_sof_dsp_update8 with parameters mask and value but the snd_sof_dsp_update8 declares these two parameters in reverse order. This causes some issues such as d0i3 register can't be set correctly Now change function definition according to common SOF usage. Fixes: c28a36b012f1 ("ASoC: SOF: ops: add snd_sof_dsp_updateb() helper") Signed-off-by: Rander Wang Reviewed-by: Bard Liao Reviewed-by: Ranjani Sridharan Reviewed-by: Chao Song Reviewed-by: Péter Ujfalusi Reviewed-by: Liam Girdwood Reviewed-by: Pierre-Louis Bossart Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20230208104404.20554-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown commit 965bffd2dd8a2c769ae17e5344545ba03d584176 Merge: 1a3245fe0cf84 070d6dafacbaa Author: David S. Miller Date: Wed Feb 8 09:39:34 2023 +0000 Merge branch 'mptcp-fixes' Matthieu Baerts says: ==================== mptcp: fixes for v6.2 Patch 1 clears resources earlier if there is no more reasons to keep MPTCP sockets alive. Patches 2 and 3 fix some locking issues visible in some rare corner cases: the linked issues should be quite hard to reproduce. Patch 4 makes sure subflows are correctly cleaned after the end of a connection. Patch 5 and 6 improve the selftests stability when running in a slow environment by transfering data for a longer period on one hand and by stopping the tests when all expected events have been observed on the other hand. All these patches fix issues introduced before v6.2. ==================== Signed-off-by: Matthieu Baerts Signed-off-by: David S. Miller commit 070d6dafacbaa9d1f2e4e3edc263853d194af15e Author: Matthieu Baerts Date: Tue Feb 7 14:04:18 2023 +0100 selftests: mptcp: stop tests earlier These 'endpoint' tests from 'mptcp_join.sh' selftest start a transfer in the background and check the status during this transfer. Once the expected events have been recorded, there is no reason to wait for the data transfer to finish. It can be stopped earlier to reduce the execution time by more than half. For these tests, the exchanged data were not verified. Errors, if any, were ignored but that's fine, plenty of other tests are looking at that. It is then OK to mute stderr now that we are sure errors will be printed (and still ignored) because the transfer is stopped before the end. Fixes: e274f7154008 ("selftests: mptcp: add subflow limits test-cases") Cc: stable@vger.kernel.org Signed-off-by: Matthieu Baerts Signed-off-by: David S. Miller commit a635a8c3df66ab68dc088c08a4e9e955e22c0e64 Author: Paolo Abeni Date: Tue Feb 7 14:04:17 2023 +0100 selftests: mptcp: allow more slack for slow test-case A test-case is frequently failing on some extremely slow VMs. The mptcp transfer completes before the script is able to do all the required PM manipulation. Address the issue in the simplest possible way, making the transfer even more slow. Additionally dump more info in case of failures, to help debugging similar problems in the future and init dump_stats var. Fixes: e274f7154008 ("selftests: mptcp: add subflow limits test-cases") Cc: stable@vger.kernel.org Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/323 Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts Signed-off-by: Matthieu Baerts Signed-off-by: David S. Miller commit 1249db44a102d9d3541ed7798d4b01ffdcf03524 Author: Paolo Abeni Date: Tue Feb 7 14:04:16 2023 +0100 mptcp: be careful on subflow status propagation on errors Currently the subflow error report callback unconditionally propagates the fallback subflow status to the owning msk. If the msk is already orphaned, the above prevents the code from correctly tracking the msk moving to the TCP_CLOSE state and doing the appropriate cleanup. All the above causes increasing memory usage over time and sporadic self-tests failures. There is a great deal of infrastructure trying to propagate correctly the fallback subflow status to the owning mptcp socket, e.g. via mptcp_subflow_eof() and subflow_sched_work_if_closed(): in the error propagation path we need only to cope with unorphaned sockets. Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/339 Fixes: 15cc10453398 ("mptcp: deliver ssk errors to msk") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts Signed-off-by: Matthieu Baerts Signed-off-by: David S. Miller commit ad2171009d968104ccda9dc517f5a3ba891515db Author: Paolo Abeni Date: Tue Feb 7 14:04:15 2023 +0100 mptcp: fix locking for in-kernel listener creation For consistency, in mptcp_pm_nl_create_listen_socket(), we need to call the __mptcp_nmpc_socket() under the msk socket lock. Note that as a side effect, mptcp_subflow_create_socket() needs a 'nested' lockdep annotation, as it will acquire the subflow (kernel) socket lock under the in-kernel listener msk socket lock. The current lack of locking is almost harmless, because the relevant socket is not exposed to the user space, but in future we will add more complexity to the mentioned helper, let's play safe. Fixes: 1729cf186d8a ("mptcp: create the listening socket for new port") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts Signed-off-by: Matthieu Baerts Signed-off-by: David S. Miller commit 21e43569685de4ad773fb060c11a15f3fd5e7ac4 Author: Paolo Abeni Date: Tue Feb 7 14:04:14 2023 +0100 mptcp: fix locking for setsockopt corner-case We need to call the __mptcp_nmpc_socket(), and later subflow socket access under the msk socket lock, or e.g. a racing connect() could change the socket status under the hood, with unexpected results. Fixes: 54635bd04701 ("mptcp: add TCP_FASTOPEN_CONNECT socket option") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts Signed-off-by: Matthieu Baerts Signed-off-by: David S. Miller commit d4e85922e3e7ef2071f91f65e61629b60f3a9cf4 Author: Paolo Abeni Date: Tue Feb 7 14:04:13 2023 +0100 mptcp: do not wait for bare sockets' timeout If the peer closes all the existing subflows for a given mptcp socket and later the application closes it, the current implementation let it survive until the timewait timeout expires. While the above is allowed by the protocol specification it consumes resources for almost no reason and additionally causes sporadic self-tests failures. Let's move the mptcp socket to the TCP_CLOSE state when there are no alive subflows at close time, so that the allocated resources will be freed immediately. Fixes: e16163b6e2b7 ("mptcp: refactor shutdown and close") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts Signed-off-by: Matthieu Baerts Signed-off-by: David S. Miller commit 1a3245fe0cf84e630598da4ab110a5f8a2d6730d Author: Vladimir Oltean Date: Tue Feb 7 12:30:27 2023 +0200 net: ethernet: mtk_eth_soc: fix DSA TX tag hwaccel for switch port 0 Arınç reports that on his MT7621AT Unielec U7621-06 board and MT7623NI Bananapi BPI-R2, packets received by the CPU over mt7530 switch port 0 (of which this driver acts as the DSA master) are not processed correctly by software. More precisely, they arrive without a DSA tag (in packet or in the hwaccel area - skb_metadata_dst()), so DSA cannot demux them towards the switch's interface for port 0. Traffic from other ports receives a skb_metadata_dst() with the correct port and is demuxed properly. Looking at mtk_poll_rx(), it becomes apparent that this driver uses the skb vlan hwaccel area: union { u32 vlan_all; struct { __be16 vlan_proto; __u16 vlan_tci; }; }; as a temporary storage for the VLAN hwaccel tag, or the DSA hwaccel tag. If this is a DSA master it's a DSA hwaccel tag, and finally clears up the skb VLAN hwaccel header. I'm guessing that the problem is the (mis)use of API. skb_vlan_tag_present() looks like this: #define skb_vlan_tag_present(__skb) (!!(__skb)->vlan_all) So if both vlan_proto and vlan_tci are zeroes, skb_vlan_tag_present() returns precisely false. I don't know for sure what is the format of the DSA hwaccel tag, but I surely know that lowermost 3 bits of vlan_proto are 0 when receiving from port 0: unsigned int port = vlan_proto & GENMASK(2, 0); If the RX descriptor has no other bits set to non-zero values in RX_DMA_VTAG, then the call to __vlan_hwaccel_put_tag() will not, in fact, make the subsequent skb_vlan_tag_present() return true, because it's implemented like this: static inline void __vlan_hwaccel_put_tag(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci) { skb->vlan_proto = vlan_proto; skb->vlan_tci = vlan_tci; } What we need to do to fix this problem (assuming this is the problem) is to stop using skb->vlan_all as temporary storage for driver affairs, and just create some local variables that serve the same purpose, but hopefully better. Instead of calling skb_vlan_tag_present(), let's look at a boolean has_hwaccel_tag which we set to true when the RX DMA descriptors have something. Disambiguate based on netdev_uses_dsa() whether this is a VLAN or DSA hwaccel tag, and only call __vlan_hwaccel_put_tag() if we're certain it's a VLAN tag. Arınç confirms that the treatment works, so this validates the assumption. Link: https://lore.kernel.org/netdev/704f3a72-fc9e-714a-db54-272e17612637@arinc9.com/ Fixes: 2d7605a72906 ("net: ethernet: mtk_eth_soc: enable hardware DSA untagging") Reported-by: Arınç ÜNAL Tested-by: Arınç ÜNAL Signed-off-by: Vladimir Oltean Reviewed-by: Felix Fietkau Signed-off-by: David S. Miller commit 821de68c1f9c0236b0b9c10834cda900ae9b443c Author: Yu Xiao Date: Tue Feb 7 11:16:50 2023 +0100 nfp: ethtool: fix the bug of setting unsupported port speed Unsupported port speed can be set and cause error. Now fixing it and return an error if setting unsupported speed. This fix depends on the following, which was included in v6.2-rc1: commit a61474c41e8c ("nfp: ethtool: support reporting link modes"). Fixes: 7c698737270f ("nfp: add support for .set_link_ksettings()") Signed-off-by: Yu Xiao Signed-off-by: Simon Horman Signed-off-by: David S. Miller commit c11204c78d6966c5bda6dd05c3ac5cbb193f93e3 Author: Kevin Yang Date: Tue Feb 7 02:08:20 2023 +0000 txhash: fix sk->sk_txrehash default This code fix a bug that sk->sk_txrehash gets its default enable value from sysctl_txrehash only when the socket is a TCP listener. We should have sysctl_txrehash to set the default sk->sk_txrehash, no matter TCP, nor listerner/connector. Tested by following packetdrill: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 socket(..., SOCK_DGRAM, IPPROTO_UDP) = 4 // SO_TXREHASH == 74, default to sysctl_txrehash == 1 +0 getsockopt(3, SOL_SOCKET, 74, [1], [4]) = 0 +0 getsockopt(4, SOL_SOCKET, 74, [1], [4]) = 0 Fixes: 26859240e4ee ("txhash: Add socket option to control TX hash rethink behavior") Signed-off-by: Kevin Yang Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller commit c966153d120222cd4e85e1e1601584d7d4d91dcb Author: Tariq Toukan Date: Mon Feb 6 22:47:03 2023 +0200 net: ethernet: mtk_eth_soc: fix wrong parameters order in __xdp_rxq_info_reg() Parameters 'queue_index' and 'napi_id' are passed in a swapped order. Fix it here. Fixes: 23233e577ef9 ("net: ethernet: mtk_eth_soc: rely on page_pool for single page buffers") Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller commit 21386e692613702502f7c982d81e0dfa86d25cfd Author: Arınç ÜNAL Date: Sun Feb 5 20:53:31 2023 +0300 net: ethernet: mtk_eth_soc: enable special tag when any MAC uses DSA The special tag is only enabled when the first MAC uses DSA. However, it must be enabled when any MAC uses DSA. Change the check accordingly. This fixes hardware DSA untagging not working on the second MAC of the MT7621 and MT7623 SoCs, and likely other SoCs too. Therefore, remove the check that disables hardware DSA untagging for the second MAC of the MT7621 and MT7623 SoCs. Fixes: a1f47752fd62 ("net: ethernet: mtk_eth_soc: disable hardware DSA untagging for second MAC") Co-developed-by: Richard van Schagen Signed-off-by: Richard van Schagen Signed-off-by: Arınç ÜNAL Signed-off-by: David S. Miller commit 88d18b8896bd98e636b632f805b7e84e61458255 Author: Edson Juliano Drosdeck Date: Tue Feb 7 15:37:20 2023 -0300 ALSA: hda/realtek: Add Positivo N14KP6-TG Positivo N14KP6-TG (1c6c:1251) require quirk for enabling headset-mic Signed-off-by: Edson Juliano Drosdeck Cc: Link: https://lore.kernel.org/r/20230207183720.2519-1-edson.drosdeck@gmail.com Signed-off-by: Takashi Iwai commit 9cec2aaffe969f2a3e18b5ec105fc20bb908e475 Author: Dan Carpenter Date: Mon Feb 6 16:18:32 2023 +0300 net: sched: sch: Fix off by one in htb_activate_prios() The > needs be >= to prevent an out of bounds access. Fixes: de5ca4c3852f ("net: sched: sch: Bounds check priority") Signed-off-by: Dan Carpenter Reviewed-by: Simon Horman Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/Y+D+KN18FQI2DKLq@kili Signed-off-by: Jakub Kicinski commit 70daa5c8f001e351af174c40ac21eb0a25600483 Author: Tom Rix Date: Mon Feb 6 06:57:00 2023 -0800 nvme-auth: mark nvme_auth_wq static Fix a smatch report for the newly added nvme_auth_wq. Signed-off-by: Tom Rix Reviewed-by: Chaitanya Kulkarni Signed-off-by: Christoph Hellwig commit 91701f63d8e14fb86ec58bb0b5a6c9d2683d99b4 Merge: 9b275176270ef 4a606ce68426c Author: Jakub Kicinski Date: Tue Feb 7 22:04:44 2023 -0800 Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2023-02-06 (ice) This series contains updates to ice driver only. Ani removes WQ_MEM_RECLAIM flag from workqueue to resolve check_flush_dependency warning. Michal fixes KASAN out-of-bounds warning. Brett corrects behaviour for port VLAN Rx filters to prevent receiving of unintended traffic. Dan Carpenter fixes possible off by one issue. Zhang Changzhong adjusts error path for switch recipe to prevent memory leak. * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: ice: switch: fix potential memleak in ice_add_adv_recipe() ice: Fix off by one in ice_tc_forward_to_queue() ice: Fix disabling Rx VLAN filtering with port VLAN enabled ice: fix out-of-bounds KASAN warning in virtchnl ice: Do not use WQ_MEM_RECLAIM flag for workqueue ==================== Link: https://lore.kernel.org/r/20230206232934.634298-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 9b275176270efd18f2f4e328b32be1bad34c4c0d Author: Sasha Neftin Date: Mon Feb 6 15:58:18 2023 -0800 igc: Add ndo_tx_timeout support On some platforms, 100/1000/2500 speeds seem to have sometimes problems reporting false positive tx unit hang during stressful UDP traffic. Likely other Intel drivers introduce responses to a tx hang. Update the 'tx hang' comparator with the comparison of the head and tail of ring pointers and restore the tx_timeout_factor to the previous value (one). This can be test by using netperf or iperf3 applications. Example: iperf3 -s -p 5001 iperf3 -c 192.168.0.2 --udp -p 5001 --time 600 -b 0 netserver -p 16604 netperf -H 192.168.0.2 -l 600 -p 16604 -t UDP_STREAM -- -m 64000 Fixes: b27b8dc77b5e ("igc: Increase timeout value for Speed 100/1000/2500") Signed-off-by: Sasha Neftin Tested-by: Naama Meir Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20230206235818.662384-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 18a048370b06a3a521219e9e5b10bdc2178ef19c Author: Haiyang Zhang Date: Mon Feb 6 13:28:49 2023 -0800 net: mana: Fix accessing freed irq affinity_hint After calling irq_set_affinity_and_hint(), the cpumask pointer is saved in desc->affinity_hint, and will be used later when reading /proc/irq//affinity_hint. So the cpumask variable needs to be persistent. Otherwise, we are accessing freed memory when reading the affinity_hint file. Also, need to clear affinity_hint before free_irq(), otherwise there is a one-time warning and stack trace during module unloading: [ 243.948687] WARNING: CPU: 10 PID: 1589 at kernel/irq/manage.c:1913 free_irq+0x318/0x360 ... [ 243.948753] Call Trace: [ 243.948754] [ 243.948760] mana_gd_remove_irqs+0x78/0xc0 [mana] [ 243.948767] mana_gd_remove+0x3e/0x80 [mana] [ 243.948773] pci_device_remove+0x3d/0xb0 [ 243.948778] device_remove+0x46/0x70 [ 243.948782] device_release_driver_internal+0x1fe/0x280 [ 243.948785] driver_detach+0x4e/0xa0 [ 243.948787] bus_remove_driver+0x70/0xf0 [ 243.948789] driver_unregister+0x35/0x60 [ 243.948792] pci_unregister_driver+0x44/0x90 [ 243.948794] mana_driver_exit+0x14/0x3fe [mana] [ 243.948800] __do_sys_delete_module.constprop.0+0x185/0x2f0 To fix the bug, use the persistent mask, cpumask_of(cpu#), and set affinity_hint to NULL before freeing the IRQ, as required by free_irq(). Cc: stable@vger.kernel.org Fixes: 71fa6887eeca ("net: mana: Assign interrupts to CPUs based on NUMA nodes") Signed-off-by: Haiyang Zhang Reviewed-by: Michael Kelley Reviewed-by: Leon Romanovsky Link: https://lore.kernel.org/r/1675718929-19565-1-git-send-email-haiyangz@microsoft.com Signed-off-by: Jakub Kicinski commit b1f4fbabbb912eb7061795461a498895bdc30f3c Merge: c6aa9d3b43cd1 4ae5e1e97c44f Author: Jakub Kicinski Date: Tue Feb 7 20:50:30 2023 -0800 Merge tag 'linux-can-fixes-for-6.2-20230207' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== can 2023-02-07 The patch is from Devid Antonio Filoni and fixes an address claiming problem in the J1939 CAN protocol. * tag 'linux-can-fixes-for-6.2-20230207' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can: can: j1939: do not wait 250 ms if the same addr was already claimed ==================== Link: https://lore.kernel.org/r/20230207140514.2885065-1-mkl@pengutronix.de Signed-off-by: Jakub Kicinski commit c6aa9d3b43cd11ac13a8220368a3b0483c6751d4 Author: Michael Kelley Date: Mon Feb 6 12:11:57 2023 -0800 hv_netvsc: Allocate memory in netvsc_dma_map() with GFP_ATOMIC Memory allocations in the network transmit path must use GFP_ATOMIC so they won't sleep. Reported-by: Paolo Abeni Link: https://lore.kernel.org/lkml/8a4d08f94d3e6fe8b6da68440eaa89a088ad84f9.camel@redhat.com/ Fixes: 846da38de0e8 ("net: netvsc: Add Isolation VM support for netvsc driver") Cc: stable@vger.kernel.org Signed-off-by: Michael Kelley Link: https://lore.kernel.org/r/1675714317-48577-1-git-send-email-mikelley@microsoft.com Signed-off-by: Jakub Kicinski commit 8f0d1451ecf7b3bd5a06ffc866c753d0f3ab4683 Author: Shay Drory Date: Wed Dec 14 22:16:23 2022 +0200 net/mlx5: Serialize module cleanup with reload and remove Currently, remove and reload flows can run in parallel to module cleanup. This design is error prone. For example: aux_drivers callbacks are called from both cleanup and remove flows with different lockings, which can cause a deadlock[1]. Hence, serialize module cleanup with reload and remove. [1] cleanup remove ------- ------ auxiliary_driver_unregister(); devl_lock() auxiliary_device_delete(mlx5e_aux) device_lock(mlx5e_aux) devl_lock() device_lock(mlx5e_aux) Fixes: 912cebf420c2 ("net/mlx5e: Connect ethernet part to auxiliary bus") Signed-off-by: Shay Drory Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed commit 184e1e4474dbcfebc4dbd1fa823a329978f25506 Author: Shay Drory Date: Wed Jan 25 17:39:36 2023 +0200 net/mlx5: fw_tracer, Zero consumer index when reloading the tracer When tracer is reloaded, the device will log the traces at the beginning of the log buffer. Also, driver is reading the log buffer in chunks in accordance to the consumer index. Hence, zero consumer index when reloading the tracer. Fixes: 4383cfcc65e7 ("net/mlx5: Add devlink reload") Signed-off-by: Shay Drory Signed-off-by: Saeed Mahameed commit db561fed6b8fa3878e74d5df6512a4a38152b63e Author: Shay Drory Date: Mon Jan 9 15:27:40 2023 +0200 net/mlx5: fw_tracer, Clear load bit when freeing string DBs buffers Whenever the driver is reading the string DBs into buffers, the driver is setting the load bit, but the driver never clears this bit. As a result, in case load bit is on and the driver query the device for new string DBs, the driver won't read again the string DBs. Fix it by clearing the load bit when query the device for new string DBs. Fixes: 2d69356752ff ("net/mlx5: Add support for fw live patch event") Signed-off-by: Shay Drory Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed commit 9965bbebae59b3563a4d95e4aed121e8965dfdc2 Author: Maher Sanalla Date: Sun Jan 22 23:24:56 2023 +0200 net/mlx5: Expose SF firmware pages counter Currently, each core device has VF pages counter which stores number of fw pages used by its VFs and SFs. The current design led to a hang when performing firmware reset on DPU, where the DPU PFs stalled in sriov unload flow due to waiting on release of SFs pages instead of waiting on only VFs pages. Thus, Add a separate counter for SF firmware pages, which will prevent the stall scenario described above. Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver") Signed-off-by: Maher Sanalla Reviewed-by: Shay Drory Signed-off-by: Saeed Mahameed commit c3bdbaea654d8df39112de33037106134a520dc7 Author: Maher Sanalla Date: Sun Jan 22 21:09:40 2023 +0200 net/mlx5: Store page counters in a single array Currently, an independent page counter is used for tracking memory usage for each function type such as VF, PF and host PF (DPU). For better code-readibilty, use a single array that stores the number of allocated memory pages for each function type. Signed-off-by: Maher Sanalla Reviewed-by: Shay Drory Signed-off-by: Saeed Mahameed commit 8aa5f171d51c1cb69e5e3106df4dd1a446102823 Author: Dragos Tatulea Date: Mon Jan 23 16:06:32 2023 +0200 net/mlx5e: IPoIB, Show unknown speed instead of error ethtool is returning an error for unknown speeds for the IPoIB interface: $ ethtool ib0 netlink error: failed to retrieve link settings netlink error: Invalid argument netlink error: failed to retrieve link settings netlink error: Invalid argument Settings for ib0: Link detected: no After this change, ethtool will return success and show "unknown speed": $ ethtool ib0 Settings for ib0: Supported ports: [ ] Supported link modes: Not reported Supported pause frame use: No Supports auto-negotiation: No Supported FEC modes: Not reported Advertised link modes: Not reported Advertised pause frame use: No Advertised auto-negotiation: No Advertised FEC modes: Not reported Speed: Unknown! Duplex: Full Auto-negotiation: off Port: Other PHYAD: 0 Transceiver: internal Link detected: no Fixes: eb234ee9d541 ("net/mlx5e: IPoIB, Add support for get_link_ksettings in ethtool") Signed-off-by: Dragos Tatulea Reviewed-by: Gal Pressman Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit 8974aa9638df557f4642acef707af15648a03555 Author: Amir Tzin Date: Sun Jan 8 15:54:46 2023 +0200 net/mlx5e: Fix crash unsetting rx-vlan-filter in switchdev mode Moving to switchdev mode with rx-vlan-filter on and then setting it off causes the kernel to crash since fs->vlan is freed during nic profile cleanup flow. RX VLAN filtering is not supported in switchdev mode so unset it when changing to switchdev and restore its value when switching back to legacy. trace: [] RIP: 0010:mlx5e_disable_cvlan_filter+0x43/0x70 [] set_feature_cvlan_filter+0x37/0x40 [mlx5_core] [] mlx5e_handle_feature+0x3a/0x60 [mlx5_core] [] mlx5e_set_features+0x6d/0x160 [mlx5_core] [] __netdev_update_features+0x288/0xa70 [] ethnl_set_features+0x309/0x380 [] ? __nla_parse+0x21/0x30 [] genl_family_rcv_msg_doit.isra.17+0x110/0x150 [] genl_rcv_msg+0x112/0x260 [] ? features_reply_size+0xe0/0xe0 [] ? genl_family_rcv_msg_doit.isra.17+0x150/0x150 [] netlink_rcv_skb+0x4e/0x100 [] genl_rcv+0x24/0x40 [] netlink_unicast+0x1ab/0x290 [] netlink_sendmsg+0x257/0x4f0 [] sock_sendmsg+0x5c/0x70 Fixes: cb67b832921c ("net/mlx5e: Introduce SRIOV VF representors") Signed-off-by: Amir Tzin Reviewed-by: Maor Dickman Signed-off-by: Saeed Mahameed commit da0c52426cd23f8728eff72c2b2d2a3eb6b451f5 Author: Vlad Buslov Date: Thu Jan 26 14:47:12 2023 +0100 net/mlx5: Bridge, fix ageing of peer FDB entries SWITCHDEV_FDB_ADD_TO_BRIDGE event handler that updates FDB entry 'lastuse' field is only executed for eswitch that owns the entry. However, if peer entry processed packets at least once it will have hardware counter 'used' value greater than entry 'lastuse' from that point on, which will cause FDB entry not being aged out. Process the event on all eswitch instances. Fixes: ff9b7521468b ("net/mlx5: Bridge, support LAG") Signed-off-by: Vlad Buslov Reviewed-by: Maor Dickman Signed-off-by: Saeed Mahameed commit 288d85e07fbca5ee35882a4884dd701e43637be1 Author: Yevgeny Kliteynik Date: Tue Jan 17 17:34:20 2023 +0200 net/mlx5: DR, Fix potential race in dr_rule_create_rule_nic Selecting builder should be protected by the lock to prevent the case where a new rule sets a builder in the nic_matcher while the previous rule is still using the nic_matcher. Fixing this issue and cleaning the error flow. Fixes: b9b81e1e9382 ("net/mlx5: DR, For short chains of STEs, avoid allocating ste_arr dynamically") Signed-off-by: Yevgeny Kliteynik Reviewed-by: Alex Vesker Signed-off-by: Saeed Mahameed commit 1e66220948df815d7b37e0ff8b4627ce10433738 Author: Adham Faris Date: Sun Jan 8 18:09:32 2023 +0200 net/mlx5e: Update rx ring hw mtu upon each rx-fcs flag change rq->hw_mtu is used in function en_rx.c/mlx5e_skb_from_cqe_mpwrq_linear() to catch oversized packets. If FCS is concatenated to the end of the packet then the check should be updated accordingly. Rx rings initialization (mlx5e_init_rxq_rq()) invoked for every new set of channels, as part of mlx5e_safe_switch_params(), unknowingly if it runs with default configuration or not. Current rq->hw_mtu initialization assumes default configuration and ignores params->scatter_fcs_en flag state. Fix this, by accounting for params->scatter_fcs_en flag state during rq->hw_mtu initialization. In addition, updating rq->hw_mtu value during ingress traffic might lead to packets drop and oversize_pkts_sw_drop counter increase with no good reason. Hence we remove this optimization and switch the set of channels with a new one, to make sure we don't get false positives on the oversize_pkts_sw_drop counter. Fixes: 102722fc6832 ("net/mlx5e: Add support for RXFCS feature flag") Signed-off-by: Adham Faris Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit 0983f6bf2bfc0789b51ddf7315f644ff4da50acb Merge: 513c1a3d3f198 707344c8a188b Author: Linus Torvalds Date: Tue Feb 7 14:17:12 2023 -0800 Merge tag 'devicetree-fixes-for-6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux Pull devicetree fixes from Rob Herring: - Fix handling of multiple OF framebuffer devices - Fix booting on Socionext Synquacer with bad 'dma-ranges' entries - Add DT binding .yamllint to .gitignore * tag 'devicetree-fixes-for-6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: dt-bindings: interrupt-controller: arm,gic-v3: Fix typo in description of msi-controller property dt-bindings: Fix .gitignore of/address: Return an error when no valid dma-ranges are found of: Make OF framebuffer device names unique commit 711442e29f16f0d39dd0e2460c9baacfccb9d5a7 Author: Dan Williams Date: Tue Feb 7 11:04:30 2023 -0800 cxl/region: Fix passthrough-decoder detection A passthrough decoder is a decoder that maps only 1 target. It is a special case because it does not impose any constraints on the interleave-math as compared to a decoder with multiple targets. Extend the passthrough case to multi-target-capable decoders that only have one target selected. I.e. the current code was only considering passthrough *ports* which are only a subset of the potential passthrough decoder scenarios. Fixes: e4f6dfa9ef75 ("cxl/region: Fix 'distance' calculation with passthrough ports") Cc: Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/167564540422.847146.13816934143225777888.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Dan Williams commit 02f64ed06670120d35b5352a67ebd7a4cc104546 Merge: 6a32425f953b9 c173ee5b2fa61 Author: Takashi Iwai Date: Tue Feb 7 18:04:44 2023 +0100 Merge tag 'asoc-fix-v6.2-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v6.2 A few more fixes for v6.2, all driver specific and small. It's larger than is ideal but we can't really control when people find problems. commit e7d84c6a1296d059389f7342d9b4b7defb518d3a Author: Xiubo Li Date: Tue Feb 7 13:04:52 2023 +0800 ceph: flush cap releases when the session is flushed MDS expects the completed cap release prior to responding to the session flush for cache drop. Cc: stable@vger.kernel.org Link: http://tracker.ceph.com/issues/38009 Signed-off-by: Xiubo Li Reviewed-by: Venky Shankar Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov commit 513c1a3d3f1982fb850c910937099525b0d35e24 Merge: 05ecb680708a1 3e46d910d8acf Author: Linus Torvalds Date: Tue Feb 7 07:54:40 2023 -0800 Merge tag 'trace-v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fix from Steven Rostedt: "Fix regression in poll() and select() With the fix that made poll() and select() block if read would block caused a slight regression in rasdaemon, as it needed that kind of behavior. Add a way to make that behavior come back by writing zero into the 'buffer_percentage', which means to never block on read" * tag 'trace-v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing: Fix poll() and select() do not work on per_cpu trace_pipe and trace_pipe_raw commit c173ee5b2fa6195066674d66d1d7e191010fb1ff Author: Amadeusz Sławiński Date: Tue Feb 7 22:04:28 2023 +0100 ASoC: topology: Return -ENOMEM on memory allocation failure When handling error path, ret needs to be set to correct value. Reported-by: kernel test robot Reported-by: Dan Carpenter Fixes: d29d41e28eea ("ASoC: topology: Add support for multiple kcontrol types to a widget") Reviewed-by: Cezary Rojewski Signed-off-by: Amadeusz Sławiński Link: https://lore.kernel.org/r/20230207210428.2076354-1-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown commit 4ae5e1e97c44f4654516c1d41591a462ed62fa7b Author: Devid Antonio Filoni Date: Fri Nov 25 18:04:18 2022 +0100 can: j1939: do not wait 250 ms if the same addr was already claimed The ISO 11783-5 standard, in "4.5.2 - Address claim requirements", states: d) No CF shall begin, or resume, transmission on the network until 250 ms after it has successfully claimed an address except when responding to a request for address-claimed. But "Figure 6" and "Figure 7" in "4.5.4.2 - Address-claim prioritization" show that the CF begins the transmission after 250 ms from the first AC (address-claimed) message even if it sends another AC message during that time window to resolve the address contention with another CF. As stated in "4.4.2.3 - Address-claimed message": In order to successfully claim an address, the CF sending an address claimed message shall not receive a contending claim from another CF for at least 250 ms. As stated in "4.4.3.2 - NAME management (NM) message": 1) A commanding CF can d) request that a CF with a specified NAME transmit the address- claimed message with its current NAME. 2) A target CF shall d) send an address-claimed message in response to a request for a matching NAME Taking the above arguments into account, the 250 ms wait is requested only during network initialization. Do not restart the timer on AC message if both the NAME and the address match and so if the address has already been claimed (timer has expired) or the AC message has been sent to resolve the contention with another CF (timer is still running). Signed-off-by: Devid Antonio Filoni Acked-by: Oleksij Rempel Link: https://lore.kernel.org/all/20221125170418.34575-1-devid.filoni@egluetechnologies.com Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde commit 6a32425f953b955b4ff82f339d01df0b713caa5d Author: Artemii Karasev Date: Tue Feb 7 18:20:26 2023 +0500 ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() snd_emux_xg_control() can be called with an argument 'param' greater than size of 'control' array. It may lead to accessing 'control' array at a wrong index. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Artemii Karasev Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: Link: https://lore.kernel.org/r/20230207132026.2870-1-karasev@ispras.ru Signed-off-by: Takashi Iwai commit 565b4824c39fa335cba2028a09d7beb7112f3c9a Author: Jiri Pirko Date: Mon Feb 6 10:41:51 2023 +0100 devlink: change port event netdev notifier from per-net to global Currently only the network namespace of devlink instance is monitored for port events. If netdev is moved to a different namespace and then unregistered, NETDEV_PRE_UNINIT is missed which leads to trigger following WARN_ON in devl_port_unregister(). WARN_ON(devlink_port->type != DEVLINK_PORT_TYPE_NOTSET); Fix this by changing the netdev notifier from per-net to global so no event is missed. Fixes: 02a68a47eade ("net: devlink: track netdev with devlink_port assigned") Signed-off-by: Jiri Pirko Reviewed-by: Jacob Keller Link: https://lore.kernel.org/r/20230206094151.2557264-1-jiri@resnulli.us Signed-off-by: Paolo Abeni commit 29aab38823b61e482995c24644bd2d8acfe56185 Author: Shengjiu Wang Date: Tue Feb 7 17:04:24 2023 +0800 ASoC: fsl_sai: fix getting version from VERID The version information is at the bit31 ~ bit16 in the VERID register, so need to right shift 16bit to get it, otherwise the result of comparison "sai->verid.version >= 0x0301" is wrong. Fixes: 99c1e74f25d4 ("ASoC: fsl_sai: store full version instead of major/minor") Signed-off-by: Shengjiu Wang Reviewed-by: Iuliana Prodan Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/r/1675760664-25193-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown commit bbb253b206b9c417928a6c827d038e457f3012e9 Author: Vladimir Oltean Date: Sun Feb 5 21:24:09 2023 +0200 selftests: ocelot: tc_flower_chains: make test_vlan_ingress_modify() more comprehensive We have two IS1 filters of the OCELOT_VCAP_KEY_ANY key type (the one with "action vlan pop" and the one with "action vlan modify") and one of the OCELOT_VCAP_KEY_IPV4 key type (the one with "action skbedit priority"). But we have no IS1 filter with the OCELOT_VCAP_KEY_ETYPE key type, and there was an uncaught breakage there. To increase test coverage, convert one of the OCELOT_VCAP_KEY_ANY filters to OCELOT_VCAP_KEY_ETYPE, by making the filter also match on the MAC SA of the traffic sent by mausezahn, $h1_mac. Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20230205192409.1796428-2-vladimir.oltean@nxp.com Signed-off-by: Paolo Abeni commit f964f8399df29d3e3ced77177cf35131cd2491bf Author: Vladimir Oltean Date: Sun Feb 5 21:24:08 2023 +0200 net: mscc: ocelot: fix VCAP filters not matching on MAC with "protocol 802.1Q" Alternative short title: don't instruct the hardware to match on EtherType with "protocol 802.1Q" flower filters. It doesn't work for the reasons detailed below. With a command such as the following: tc filter add dev $swp1 ingress chain $(IS1 2) pref 3 \ protocol 802.1Q flower skip_sw vlan_id 200 src_mac $h1_mac \ action vlan modify id 300 \ action goto chain $(IS2 0 0) the created filter is set by ocelot_flower_parse_key() to be of type OCELOT_VCAP_KEY_ETYPE, and etype is set to {value=0x8100, mask=0xffff}. This gets propagated all the way to is1_entry_set() which commits it to hardware (the VCAP_IS1_HK_ETYPE field of the key). Compare this to the case where src_mac isn't specified - the key type is OCELOT_VCAP_KEY_ANY, and is1_entry_set() doesn't populate VCAP_IS1_HK_ETYPE. The problem is that for VLAN-tagged frames, the hardware interprets the ETYPE field as holding the encapsulated VLAN protocol. So the above filter will only match those packets which have an encapsulated protocol of 0x8100, rather than all packets with VLAN ID 200 and the given src_mac. The reason why this is allowed to occur is because, although we have a block of code in ocelot_flower_parse_key() which sets "match_protocol" to false when VLAN keys are present, that code executes too late. There is another block of code, which executes for Ethernet addresses, and has a "goto finished_key_parsing" and skips the VLAN header parsing. By skipping it, "match_protocol" remains with the value it was initialized with, i.e. "true", and "proto" is set to f->common.protocol, or 0x8100. The concept of ignoring some keys rather than erroring out when they are present but can't be offloaded is dubious in itself, but is present since the initial commit fe3490e6107e ("net: mscc: ocelot: Hardware ofload for tc flower filter"), and it's outside of the scope of this patch to change that. The problem was introduced when the driver started to interpret the flower filter's protocol, and populate the VCAP filter's ETYPE field based on it. To fix this, it is sufficient to move the code that parses the VLAN keys earlier than the "goto finished_key_parsing" instruction. This will ensure that if we have a flower filter with both VLAN and Ethernet address keys, it won't match on ETYPE 0x8100, because the VLAN key parsing sets "match_protocol = false". Fixes: 86b956de119c ("net: mscc: ocelot: support matching on EtherType") Signed-off-by: Vladimir Oltean Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20230205192409.1796428-1-vladimir.oltean@nxp.com Signed-off-by: Paolo Abeni commit 647037adcad00f2bab8828d3d41cd0553d41f3bd Author: Aaron Thompson Date: Tue Feb 7 08:21:51 2023 +0000 Revert "mm: Always release pages to the buddy allocator in memblock_free_late()." This reverts commit 115d9d77bb0f9152c60b6e8646369fa7f6167593. The pages being freed by memblock_free_late() have already been initialized, but if they are in the deferred init range, __free_one_page() might access nearby uninitialized pages when trying to coalesce buddies. This can, for example, trigger this BUG: BUG: unable to handle page fault for address: ffffe964c02580c8 RIP: 0010:__list_del_entry_valid+0x3f/0x70 __free_one_page+0x139/0x410 __free_pages_ok+0x21d/0x450 memblock_free_late+0x8c/0xb9 efi_free_boot_services+0x16b/0x25c efi_enter_virtual_mode+0x403/0x446 start_kernel+0x678/0x714 secondary_startup_64_no_verify+0xd2/0xdb A proper fix will be more involved so revert this change for the time being. Fixes: 115d9d77bb0f ("mm: Always release pages to the buddy allocator in memblock_free_late().") Signed-off-by: Aaron Thompson Link: https://lore.kernel.org/r/20230207082151.1303-1-dev@aaront.org Signed-off-by: Mike Rapoport (IBM) commit 0b6d6425103a676e2b6a81f3fd35d7ea4f9b90ec Author: Vladimir Oltean Date: Sun Feb 5 16:07:13 2023 +0200 net: dsa: mt7530: don't change PVC_EG_TAG when CPU port becomes VLAN-aware Frank reports that in a mt7530 setup where some ports are standalone and some are in a VLAN-aware bridge, 8021q uppers of the standalone ports lose their VLAN tag on xmit, as seen by the link partner. This seems to occur because once the other ports join the VLAN-aware bridge, mt7530_port_vlan_filtering() also calls mt7530_port_set_vlan_aware(ds, cpu_dp->index), and this affects the way that the switch processes the traffic of the standalone port. Relevant is the PVC_EG_TAG bit. The MT7530 documentation says about it: EG_TAG: Incoming Port Egress Tag VLAN Attribution 0: disabled (system default) 1: consistent (keep the original ingress tag attribute) My interpretation is that this setting applies on the ingress port, and "disabled" is basically the normal behavior, where the egress tag format of the packet (tagged or untagged) is decided by the VLAN table (MT7530_VLAN_EGRESS_UNTAG or MT7530_VLAN_EGRESS_TAG). But there is also an option of overriding the system default behavior, and for the egress tagging format of packets to be decided not by the VLAN table, but simply by copying the ingress tag format (if ingress was tagged, egress is tagged; if ingress was untagged, egress is untagged; aka "consistent). This is useful in 2 scenarios: - VLAN-unaware bridge ports will always encounter a miss in the VLAN table. They should forward a packet as-is, though. So we use "consistent" there. See commit e045124e9399 ("net: dsa: mt7530: fix tagged frames pass-through in VLAN-unaware mode"). - Traffic injected from the CPU port. The operating system is in god mode; if it wants a packet to exit as VLAN-tagged, it sends it as VLAN-tagged. Otherwise it sends it as VLAN-untagged*. *This is true only if we don't consider the bridge TX forwarding offload feature, which mt7530 doesn't support. So for now, make the CPU port always stay in "consistent" mode to allow software VLANs to be forwarded to their egress ports with the VLAN tag intact, and not stripped. Link: https://lore.kernel.org/netdev/trinity-e6294d28-636c-4c40-bb8b-b523521b00be-1674233135062@3c-app-gmx-bs36/ Fixes: e045124e9399 ("net: dsa: mt7530: fix tagged frames pass-through in VLAN-unaware mode") Reported-by: Frank Wunderlich Tested-by: Frank Wunderlich Signed-off-by: Vladimir Oltean Tested-by: Arınç ÜNAL Reviewed-by: Florian Fainelli Link: https://lore.kernel.org/r/20230205140713.1609281-1-vladimir.oltean@nxp.com Signed-off-by: Paolo Abeni commit 2de49fb1c9bb8bfe283070fef2e9304d9842a30c Author: Li Zhijian Date: Thu Feb 2 10:12:01 2023 +0000 RDMA/rtrs: Don't call kobject_del for srv_path->kobj As the mention in commmit f7452a7e96c1 ("RDMA/rtrs-srv: fix memory leak by missing kobject free"), it was intended to remove the kobject_del for srv_path->kobj. f7452a7e96c1 said: >This patch moves kobject_del() into free_sess() so that the kobject of > rtrs_srv_sess can be freed. This patch also move rtrs_srv_destroy_once_sysfs_root_folders back to 'if (srv_path->kobj.state_in_sysfs)' block to avoid a 'held lock freed!' A kernel panic will be triggered by following script ----------------------- $ while true do echo "sessname=foo path=ip: device_path=/dev/nvme0n1" > /sys/devices/virtual/rnbd-client/ctl/map_device echo "normal" > /sys/block/rnbd0/rnbd/unmap_device done ----------------------- The bisection pointed to commit 6af4609c18b3 ("RDMA/rtrs-srv: Fix several issues in rtrs_srv_destroy_path_files") at last. rnbd_server L777: : Opened device 'nvme0n1' general protection fault, probably for non-canonical address 0x765f766564753aea: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 3558 Comm: systemd-udevd Kdump: loaded Not tainted 6.1.0-rc3-roce-flush+ #51 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:kernfs_dop_revalidate+0x36/0x180 Code: 00 00 41 55 41 54 55 53 48 8b 47 68 48 89 fb 48 85 c0 0f 84 db 00 00 00 48 8b a8 60 04 00 00 48 8b 45 30 48 85 c0 48 0f 44 c5 <4c> 8b 60 78 49 81 c4 d8 00 00 00 4c 89 e7 e8 b7 78 7b 00 8b 05 3d RSP: 0018:ffffaf1700b67c78 EFLAGS: 00010206 RAX: 765f766564753a72 RBX: ffff89e2830849c0 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff89e2830849c0 RBP: ffff89e280361bd0 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000065 R11: 0000000000000000 R12: ffff89e2830849c0 R13: ffff89e283084888 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f FS: 00007f13fbce7b40(0000) GS:ffff89e2bbc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f93e055d340 CR3: 0000000104664002 CR4: 00000000001706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: lookup_fast+0x7b/0x100 walk_component+0x21/0x160 link_path_walk.part.0+0x24d/0x390 path_openat+0xad/0x9a0 do_filp_open+0xa9/0x150 ? lock_release+0x13c/0x2e0 ? _raw_spin_unlock+0x29/0x50 ? alloc_fd+0x124/0x1f0 do_sys_openat2+0x9b/0x160 __x64_sys_openat+0x54/0xa0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f13fc9d701b Code: 25 00 00 41 00 3d 00 00 41 00 74 4b 64 8b 04 25 18 00 00 00 85 c0 75 67 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 91 00 00 00 48 8b 54 24 28 64 48 2b 14 25 RSP: 002b:00007ffddf242640 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f13fc9d701b RDX: 0000000000080000 RSI: 00007ffddf2427c0 RDI: 00000000ffffff9c RBP: 00007ffddf2427c0 R08: 00007f13fcc5b440 R09: 21b2131aa64b1ef2 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000 R13: 00007ffddf2427c0 R14: 000055ed13be8db0 R15: 0000000000000000 Fixes: 6af4609c18b3 ("RDMA/rtrs-srv: Fix several issues in rtrs_srv_destroy_path_files") Acked-by: Guoqing Jiang Signed-off-by: Li Zhijian Link: https://lore.kernel.org/r/1675332721-2-1-git-send-email-lizhijian@fujitsu.com Acked-by: Jack Wang Signed-off-by: Leon Romanovsky commit 6c4715aa5b0ab1c0d35780b7c552e952dbb5515d Author: Andy Chi Date: Tue Feb 7 16:30:09 2023 +0800 ALSA: hda/realtek: fix mute/micmute LEDs don't work for a HP platform. There is a HP platform needs ALC236_FIXUP_HP_GPIO_LED quirk to make mic-mute/audio-mute working. Signed-off-by: Andy Chi Cc: Link: https://lore.kernel.org/r/20230207083011.100189-1-andy.chi@canonical.com Signed-off-by: Takashi Iwai commit a8520be3ffef3d25b53bf171a7ebe17ee0154175 Author: Andy Shevchenko Date: Mon Feb 6 16:15:59 2023 +0200 pinctrl: intel: Restore the pins that used to be in Direct IRQ mode If the firmware mangled the register contents too much, check the saved value for the Direct IRQ mode. If it matches, we will restore the pin state. Reported-by: Jim Minter Fixes: 6989ea4881c8 ("pinctrl: intel: Save and restore pins in "direct IRQ" mode") Tested-by: Jim Minter Signed-off-by: Andy Shevchenko Acked-by: Mika Westerberg Link: https://lore.kernel.org/r/20230206141558.20916-1-andriy.shevchenko@linux.intel.com Signed-off-by: Linus Walleij commit 85e26dd5100a182bf8448050427539c0a66ab793 Author: Christian König Date: Thu Jan 26 10:24:26 2023 +0100 drm/client: fix circular reference counting issue We reference dump buffers both by their handle as well as their object. The problem is now that when anybody iterates over the DRM framebuffers and exports the underlying GEM objects through DMA-buf we run into a circular reference count situation. The result is that the fbdev handling holds the GEM handle preventing the DMA-buf in the GEM object to be released. This DMA-buf in turn holds a reference to the driver module which on unload would release the fbdev. Break that loop by releasing the handle as soon as the DRM framebuffer object is created. The DRM framebuffer and the DRM client buffer structure still hold a reference to the underlying GEM object preventing its destruction. Signed-off-by: Christian König Fixes: c76f0f7cb546 ("drm: Begin an API for in-kernel clients") Cc: Reviewed-by: Thomas Zimmermann Tested-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20230126102814.8722-1-christian.koenig@amd.com commit aa5465aeca3c66fecdf7efcf554aed79b4c4b211 Author: ZhaoLong Wang Date: Mon Feb 6 09:10:09 2023 +0800 cifs: Fix use-after-free in rdata->read_into_pages() When the network status is unstable, use-after-free may occur when read data from the server. BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0 Call Trace: dump_stack_lvl+0x38/0x4c print_report+0x16f/0x4a6 kasan_report+0xb7/0x130 readpages_fill_pages+0x14c/0x7e0 cifs_readv_receive+0x46d/0xa40 cifs_demultiplex_thread+0x121c/0x1490 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 Allocated by task 2535: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x82/0x90 cifs_readdata_direct_alloc+0x2c/0x110 cifs_readdata_alloc+0x2d/0x60 cifs_readahead+0x393/0xfe0 read_pages+0x12f/0x470 page_cache_ra_unbounded+0x1b1/0x240 filemap_get_pages+0x1c8/0x9a0 filemap_read+0x1c0/0x540 cifs_strict_readv+0x21b/0x240 vfs_read+0x395/0x4b0 ksys_read+0xb8/0x150 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 79: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2e/0x50 __kasan_slab_free+0x10e/0x1a0 __kmem_cache_free+0x7a/0x1a0 cifs_readdata_release+0x49/0x60 process_one_work+0x46c/0x760 worker_thread+0x2a4/0x6f0 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 Last potentially related work creation: kasan_save_stack+0x22/0x50 __kasan_record_aux_stack+0x95/0xb0 insert_work+0x2b/0x130 __queue_work+0x1fe/0x660 queue_work_on+0x4b/0x60 smb2_readv_callback+0x396/0x800 cifs_abort_connection+0x474/0x6a0 cifs_reconnect+0x5cb/0xa50 cifs_readv_from_socket.cold+0x22/0x6c cifs_read_page_from_socket+0xc1/0x100 readpages_fill_pages.cold+0x2f/0x46 cifs_readv_receive+0x46d/0xa40 cifs_demultiplex_thread+0x121c/0x1490 kthread+0x16b/0x1a0 ret_from_fork+0x2c/0x50 The following function calls will cause UAF of the rdata pointer. readpages_fill_pages cifs_read_page_from_socket cifs_readv_from_socket cifs_reconnect __cifs_reconnect cifs_abort_connection mid->callback() --> smb2_readv_callback queue_work(&rdata->work) # if the worker completes first, # the rdata is freed cifs_readv_complete kref_put cifs_readdata_release kfree(rdata) return rdata->... # UAF in readpages_fill_pages() Similarly, this problem also occurs in the uncache_fill_pages(). Fix this by adjusts the order of condition judgment in the return statement. Signed-off-by: ZhaoLong Wang Cc: stable@vger.kernel.org Acked-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French commit 4fa4302d6dc7de7e8e74dc7405611a2efb4bf54b Author: Fan Ni Date: Thu Dec 15 17:09:14 2022 +0000 cxl/region: Fix null pointer dereference for resetting decoder Not all decoders have a reset callback. The CXL specification allows a host bridge with a single root port to have no explicit HDM decoders. Currently the region driver assumes there are none. As such the CXL core creates a special pass through decoder instance without a commit/reset callback. Prior to this patch, the ->reset() callback was called unconditionally when calling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge, 1 Root Port, and one directly attached CXL type 3 device or multiple CXL type 3 devices attached to downstream ports of a switch can cause a null pointer dereference. Before the fix, a kernel crash was observed when we destroy the region, and a pass through decoder is reset. The issue can be reproduced as below, 1) create a region with a CXL setup which includes a HB with a single root port under which a memdev is attached directly. 2) destroy the region with cxl destroy-region regionX -f. Fixes: 176baefb2eb5 ("cxl/hdm: Commit decoder state to hardware") Cc: Signed-off-by: Fan Ni Reviewed-by: Davidlohr Bueso Reviewed-by: Dave Jiang Reviewed-by: Jonathan Cameron Tested-by: Gregory Price Reviewed-by: Gregory Price Link: https://lore.kernel.org/r/20221215170909.2650271-1-fan.ni@samsung.com Signed-off-by: Dan Williams commit 2ea31e2e62bbc4d11c411eeb36f1b02841dbcab1 Author: Nicholas Piggin Date: Mon Feb 6 14:22:40 2023 +1000 powerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch The RFI and STF security mitigation options can flip the interrupt_exit_not_reentrant static branch condition concurrently with the interrupt exit code which tests that branch. Interrupt exit tests this condition to set MSR[EE|RI] for exit, then again in the case a soft-masked interrupt is found pending, to recover the MSR so the interrupt can be replayed before attempting to exit again. If the condition changes between these two tests, the MSR and irq soft-mask state will become corrupted, leading to warnings and possible crashes. For example, if the branch is initially true then false, MSR[EE] will be 0 but PACA_IRQ_HARD_DIS clear and EE may not get enabled, leading to warnings in irq_64.c. Fixes: 13799748b957 ("powerpc/64: use interrupt restart table to speed up return from interrupt") Cc: stable@vger.kernel.org # v5.14+ Reported-by: Sachin Sant Tested-by: Sachin Sant Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230206042240.92103-1-npiggin@gmail.com commit 4a606ce68426c88ff2563382b33cc34f3485fe57 Author: Zhang Changzhong Date: Mon Dec 12 15:11:26 2022 -0800 ice: switch: fix potential memleak in ice_add_adv_recipe() When ice_add_special_words() fails, the 'rm' is not released, which will lead to a memory leak. Fix this up by going to 'err_unroll' label. Compile tested only. Fixes: 8b032a55c1bd ("ice: low level support for tunnels") Signed-off-by: Zhang Changzhong Tested-by: Sujai Buvaneswaran Signed-off-by: Tony Nguyen Reviewed-by: Leon Romanovsky commit 3f4870df1b15d62665cb86ca116c8c9cf0e830b0 Author: Dan Carpenter Date: Fri Oct 28 18:02:24 2022 +0300 ice: Fix off by one in ice_tc_forward_to_queue() The > comparison should be >= to prevent reading one element beyond the end of the array. The "vsi->num_rxq" is not strictly speaking the number of elements in the vsi->rxq_map[] array. The array has "vsi->alloc_rxq" elements and "vsi->num_rxq" is less than or equal to the number of elements in the array. The array is allocated in ice_vsi_alloc_arrays(). It's still an off by one but it might not access outside the end of the array. Fixes: 143b86f346c7 ("ice: Enable RX queue selection using skbedit action") Signed-off-by: Dan Carpenter Acked-by: Amritha Nambiar Tested-by: Bharathi Sreenivas Signed-off-by: Tony Nguyen Reviewed-by: Leon Romanovsky commit c793f8ea15e312789b5b6b4a5e7b0b92315be5cb Author: Brett Creeley Date: Mon Jan 16 13:34:58 2023 +0100 ice: Fix disabling Rx VLAN filtering with port VLAN enabled If the user turns on the vf-true-promiscuous-support flag, then Rx VLAN filtering will be disabled if the VF requests to enable promiscuous mode. When the VF is in a port VLAN, this is the incorrect behavior because it will allow the VF to receive traffic outside of its port VLAN domain. Fortunately this only resulted in the VF(s) receiving broadcast traffic outside of the VLAN domain because all of the VLAN promiscuous rules are based on the port VLAN ID. Fix this by setting the .disable_rx_filtering VLAN op to a no-op when a port VLAN is enabled on the VF. Also, make sure to make this fix for both Single VLAN Mode and Double VLAN Mode enabled devices. Fixes: c31af68a1b94 ("ice: Add outer_vlan_ops and VSI specific VLAN ops implementations") Signed-off-by: Brett Creeley Signed-off-by: Karen Ostrowska Tested-by: Marek Szlosek Signed-off-by: Tony Nguyen commit b2dbde3ad44f290ded319f00b71dccec90083a50 Author: Michal Swiatkowski Date: Wed Jan 4 09:25:17 2023 +0100 ice: fix out-of-bounds KASAN warning in virtchnl KASAN reported: [ 9793.708867] BUG: KASAN: global-out-of-bounds in ice_get_link_speed+0x16/0x30 [ice] [ 9793.709205] Read of size 4 at addr ffffffffc1271b1c by task kworker/6:1/402 [ 9793.709222] CPU: 6 PID: 402 Comm: kworker/6:1 Kdump: loaded Tainted: G B OE 6.1.0+ #3 [ 9793.709235] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018 [ 9793.709245] Workqueue: ice ice_service_task [ice] [ 9793.709575] Call Trace: [ 9793.709582] [ 9793.709588] dump_stack_lvl+0x44/0x5c [ 9793.709613] print_report+0x17f/0x47b [ 9793.709632] ? __cpuidle_text_end+0x5/0x5 [ 9793.709653] ? ice_get_link_speed+0x16/0x30 [ice] [ 9793.709986] ? ice_get_link_speed+0x16/0x30 [ice] [ 9793.710317] kasan_report+0xb7/0x140 [ 9793.710335] ? ice_get_link_speed+0x16/0x30 [ice] [ 9793.710673] ice_get_link_speed+0x16/0x30 [ice] [ 9793.711006] ice_vc_notify_vf_link_state+0x14c/0x160 [ice] [ 9793.711351] ? ice_vc_repr_cfg_promiscuous_mode+0x120/0x120 [ice] [ 9793.711698] ice_vc_process_vf_msg+0x7a7/0xc00 [ice] [ 9793.712074] __ice_clean_ctrlq+0x98f/0xd20 [ice] [ 9793.712534] ? ice_bridge_setlink+0x410/0x410 [ice] [ 9793.712979] ? __request_module+0x320/0x520 [ 9793.713014] ? ice_process_vflr_event+0x27/0x130 [ice] [ 9793.713489] ice_service_task+0x11cf/0x1950 [ice] [ 9793.713948] ? io_schedule_timeout+0xb0/0xb0 [ 9793.713972] process_one_work+0x3d0/0x6a0 [ 9793.714003] worker_thread+0x8a/0x610 [ 9793.714031] ? process_one_work+0x6a0/0x6a0 [ 9793.714049] kthread+0x164/0x1a0 [ 9793.714071] ? kthread_complete_and_exit+0x20/0x20 [ 9793.714100] ret_from_fork+0x1f/0x30 [ 9793.714137] [ 9793.714151] The buggy address belongs to the variable: [ 9793.714158] ice_aq_to_link_speed+0x3c/0xffffffffffff3520 [ice] [ 9793.714632] Memory state around the buggy address: [ 9793.714642] ffffffffc1271a00: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 02 f9 [ 9793.714656] ffffffffc1271a80: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 [ 9793.714670] >ffffffffc1271b00: 00 00 00 04 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 [ 9793.714680] ^ [ 9793.714690] ffffffffc1271b80: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 [ 9793.714704] ffffffffc1271c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 The ICE_AQ_LINK_SPEED_UNKNOWN define is BIT(15). The value is bigger than both legacy and normal link speed tables. Add one element (0 - unknown) to both tables. There is no need to explicitly set table size, leave it empty. Fixes: 1d0e28a9be1f ("ice: Remove and replace ice speed defines with ethtool.h versions") Signed-off-by: Michal Swiatkowski Reviewed-by: Alexander Lobakin Tested-by: Gurucharan G (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Reviewed-by: Leon Romanovsky commit 4d159f7884f78b1aacb99b4fc37d1e3cb1194e39 Author: Anirudh Venkataramanan Date: Mon Jan 30 14:06:40 2023 -0800 ice: Do not use WQ_MEM_RECLAIM flag for workqueue When both ice and the irdma driver are loaded, a warning in check_flush_dependency is being triggered. This is due to ice driver workqueue being allocated with the WQ_MEM_RECLAIM flag and the irdma one is not. According to kernel documentation, this flag should be set if the workqueue will be involved in the kernel's memory reclamation flow. Since it is not, there is no need for the ice driver's WQ to have this flag set so remove it. Example trace: [ +0.000004] workqueue: WQ_MEM_RECLAIM ice:ice_service_task [ice] is flushing !WQ_MEM_RECLAIM infiniband:0x0 [ +0.000139] WARNING: CPU: 0 PID: 728 at kernel/workqueue.c:2632 check_flush_dependency+0x178/0x1a0 [ +0.000011] Modules linked in: bonding tls xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_cha in_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rfkill vfat fat intel_rapl_msr intel _rapl_common isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct1 0dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_ core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_cm iw_cm iTCO_wdt iTCO_vendor_support ipmi_ssif irdma mei_me ib_uverbs ib_core intel_uncore joydev pcspkr i2c_i801 acpi_ipmi mei lpc_ich i2c_smbus intel_pch_thermal ioatdma ipmi_si acpi_power_meter acpi_pad xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ahci ixgbe libahci ice i40e igb crc32c_intel mdio i2c_algo_bit liba ta dca wmi dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse [ +0.000161] [last unloaded: bonding] [ +0.000006] CPU: 0 PID: 728 Comm: kworker/0:2 Tainted: G S 6.2.0-rc2_next-queue-13jan-00458-gc20aabd57164 #1 [ +0.000006] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020 [ +0.000003] Workqueue: ice ice_service_task [ice] [ +0.000127] RIP: 0010:check_flush_dependency+0x178/0x1a0 [ +0.000005] Code: 89 8e 02 01 e8 49 3d 40 00 49 8b 55 18 48 8d 8d d0 00 00 00 48 8d b3 d0 00 00 00 4d 89 e0 48 c7 c7 e0 3b 08 9f e8 bb d3 07 01 <0f> 0b e9 be fe ff ff 80 3d 24 89 8e 02 00 0f 85 6b ff ff ff e9 06 [ +0.000004] RSP: 0018:ffff88810a39f990 EFLAGS: 00010282 [ +0.000005] RAX: 0000000000000000 RBX: ffff888141bc2400 RCX: 0000000000000000 [ +0.000004] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffa1213a80 [ +0.000003] RBP: ffff888194bf3400 R08: ffffed117b306112 R09: ffffed117b306112 [ +0.000003] R10: ffff888bd983088b R11: ffffed117b306111 R12: 0000000000000000 [ +0.000003] R13: ffff888111f84d00 R14: ffff88810a3943ac R15: ffff888194bf3400 [ +0.000004] FS: 0000000000000000(0000) GS:ffff888bd9800000(0000) knlGS:0000000000000000 [ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000003] CR2: 000056035b208b60 CR3: 000000017795e005 CR4: 00000000007706f0 [ +0.000003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ +0.000003] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ +0.000002] PKRU: 55555554 [ +0.000003] Call Trace: [ +0.000002] [ +0.000003] __flush_workqueue+0x203/0x840 [ +0.000006] ? mutex_unlock+0x84/0xd0 [ +0.000008] ? __pfx_mutex_unlock+0x10/0x10 [ +0.000004] ? __pfx___flush_workqueue+0x10/0x10 [ +0.000006] ? mutex_lock+0xa3/0xf0 [ +0.000005] ib_cache_cleanup_one+0x39/0x190 [ib_core] [ +0.000174] __ib_unregister_device+0x84/0xf0 [ib_core] [ +0.000094] ib_unregister_device+0x25/0x30 [ib_core] [ +0.000093] irdma_ib_unregister_device+0x97/0xc0 [irdma] [ +0.000064] ? __pfx_irdma_ib_unregister_device+0x10/0x10 [irdma] [ +0.000059] ? up_write+0x5c/0x90 [ +0.000005] irdma_remove+0x36/0x90 [irdma] [ +0.000062] auxiliary_bus_remove+0x32/0x50 [ +0.000007] device_release_driver_internal+0xfa/0x1c0 [ +0.000005] bus_remove_device+0x18a/0x260 [ +0.000007] device_del+0x2e5/0x650 [ +0.000005] ? __pfx_device_del+0x10/0x10 [ +0.000003] ? mutex_unlock+0x84/0xd0 [ +0.000004] ? __pfx_mutex_unlock+0x10/0x10 [ +0.000004] ? _raw_spin_unlock+0x18/0x40 [ +0.000005] ice_unplug_aux_dev+0x52/0x70 [ice] [ +0.000160] ice_service_task+0x1309/0x14f0 [ice] [ +0.000134] ? __pfx___schedule+0x10/0x10 [ +0.000006] process_one_work+0x3b1/0x6c0 [ +0.000008] worker_thread+0x69/0x670 [ +0.000005] ? __kthread_parkme+0xec/0x110 [ +0.000007] ? __pfx_worker_thread+0x10/0x10 [ +0.000005] kthread+0x17f/0x1b0 [ +0.000005] ? __pfx_kthread+0x10/0x10 [ +0.000004] ret_from_fork+0x29/0x50 [ +0.000009] Fixes: 940b61af02f4 ("ice: Initialize PF and setup miscellaneous interrupt") Signed-off-by: Anirudh Venkataramanan Signed-off-by: Marcin Szycik Tested-by: Jakub Andrysiak Signed-off-by: Tony Nguyen Reviewed-by: Leon Romanovsky commit 04119ab1a49fc41cb70f0472be5455af268fa260 Author: Dave Airlie Date: Mon Feb 6 07:05:28 2023 +1000 nvidiafb: detect the hardware support before removing console. This driver removed the console, but hasn't yet decided if it could take over the console yet. Instead of doing that, probe the hw for support and then remove the console afterwards. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216859 Fixes: 145eed48de27 ("fbdev: Remove conflicting devices on PCI bus") Reported-by: Zeno Davatz Tested-by: Zeno Davatz Tested-by: Thomas Zimmermann Reviewed-by: Thomas Zimmermann Signed-off-by: Dave Airlie Link: https://patchwork.freedesktop.org/patch/msgid/20230205210751.3842103-1-airlied@gmail.com commit 6afaed53cc9adde69d8a76ff5b4d740d5efbc54c Author: Filipe Manana Date: Tue Jan 10 14:56:39 2023 +0000 btrfs: simplify update of last_dir_index_offset when logging a directory When logging a directory, we always set the inode's last_dir_index_offset to the offset of the last dir index item we found. This is using an extra field in the log context structure, and it makes more sense to update it only after we insert dir index items, and we could directly update the inode's last_dir_index_offset field instead. So make this simpler by updating the inode's last_dir_index_offset only when we actually insert dir index keys in the log tree, and getting rid of the last_dir_item_offset field in the log context structure. Reported-by: David Arendt Link: https://lore.kernel.org/linux-btrfs/ae169fc6-f504-28f0-a098-6fa6a4dfb612@leemhuis.info/ Reported-by: Maxim Mikityanskiy Link: https://lore.kernel.org/linux-btrfs/Y8voyTXdnPDz8xwY@mail.gmail.com/ Reported-by: Hunter Wardlaw Link: https://bugzilla.suse.com/show_bug.cgi?id=1207231 Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216851 CC: stable@vger.kernel.org # 6.1+ Reviewed-by: Josef Bacik Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 05ecb680708a1dbe6554d6fc17e5d9a8a7cb5e6a Merge: 66fcf74e5c0d7 7a2127e66a00e Author: Linus Torvalds Date: Mon Feb 6 14:07:38 2023 -0800 Merge tag 'cgroup-for-6.2-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fixes from Tejun Heo: "During the v6.2 cycle, there were a series of changes to task cpu affinity handling which fixed cpuset inadvertently clobbering user-configured affinity masks. Unfortunately, they broke the affinity handling on hybrid heterogeneous CPUs which have cores that can execute both 64 and 32bit along with cores that can only execute 32bit code. This contains two fix patches for the above issue. While reverting the changes that caused the regression is definitely an option, the origial patches do improve how cpuset behave signficantly in some cases and the fixes seem fairly safe, so I think it'd be better to try to fix them first" * tag 'cgroup-for-6.2-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cpuset: Call set_cpus_allowed_ptr() with appropriate mask for task cgroup/cpuset: Don't filter offline CPUs in cpuset_cpus_allowed() for top cpuset tasks commit 66fcf74e5c0d771a456b96ec9aebfb53d648eede Merge: d2d11f342b179 a9ad4d87aa263 Author: Linus Torvalds Date: Mon Feb 6 14:05:16 2023 -0800 Merge tag 'for-6.2-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: - explicitly initialize zlib work memory to fix a KCSAN warning - limit number of send clones by maximum memory allocated - limit device size extent in case it device shrink races with chunk allocation - raid56 fixes: - fix copy&paste error in RAID6 stripe recovery - make error bitmap update atomic * tag 'for-6.2-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: raid56: make error_bitmap update atomic btrfs: send: limit number of clones and allocated memory size btrfs: zlib: zero-initialize zlib workspace btrfs: limit device extents to the device size btrfs: raid56: fix stripes if vertical errors are found commit 95ff4aadf1326633e157dbf9c59260465dde9513 Merge: fe1e7e8ce2c47 e0576cd642ced Author: Mark Brown Date: Mon Feb 6 21:36:47 2023 +0000 Two bug fixes for tas5805m codec driver Merge series from Daniel Beer : This pair of patches fixes two issues which crept in while revising the original submission, at a time when I no longer had access to test hardware. The fixes here have been tested and verified on hardware. commit 7a2127e66a00e073db8d90f9aac308f4a8a64226 Author: Will Deacon Date: Tue Jan 31 22:17:19 2023 +0000 cpuset: Call set_cpus_allowed_ptr() with appropriate mask for task set_cpus_allowed_ptr() will fail with -EINVAL if the requested affinity mask is not a subset of the task_cpu_possible_mask() for the task being updated. Consequently, on a heterogeneous system with cpusets spanning the different CPU types, updates to the cgroup hierarchy can silently fail to update task affinities when the effective affinity mask for the cpuset is expanded. For example, consider an arm64 system with 4 CPUs, where CPUs 2-3 are the only cores capable of executing 32-bit tasks. Attaching a 32-bit task to a cpuset containing CPUs 0-2 will correctly affine the task to CPU 2. Extending the cpuset to CPUs 0-3, however, will fail to extend the affinity mask of the 32-bit task because update_tasks_cpumask() will pass the full 0-3 mask to set_cpus_allowed_ptr(). Extend update_tasks_cpumask() to take a temporary 'cpumask' paramater and use it to mask the 'effective_cpus' mask with the possible mask for each task being updated. Fixes: 431c69fac05b ("cpuset: Honour task_cpu_possible_mask() in guarantee_online_cpus()") Signed-off-by: Will Deacon Acked-by: Waiman Long Signed-off-by: Tejun Heo commit 3fb906e7fabbb5b76c3c5256b10dc46ef80a0bfe Author: Waiman Long Date: Sun Feb 5 22:48:53 2023 -0500 cgroup/cpuset: Don't filter offline CPUs in cpuset_cpus_allowed() for top cpuset tasks Since commit 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask"), relax_compatible_cpus_allowed_ptr() is calling __sched_setaffinity() unconditionally. This helps to expose a bug in the current cpuset hotplug code where the cpumasks of the tasks in the top cpuset are not updated at all when some CPUs become online or offline. It is likely caused by the fact that some of the tasks in the top cpuset, like percpu kthreads, cannot have their cpu affinity changed. One way to reproduce this as suggested by Peter is: - boot machine - offline all CPUs except one - taskset -p ffffffff $$ - online all CPUs Fix this by allowing cpuset_cpus_allowed() to return a wider mask that includes offline CPUs for those tasks that are in the top cpuset. For tasks not in the top cpuset, the old rule applies and only online CPUs will be returned in the mask since hotplug events will update their cpumasks accordingly. Fixes: 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask") Reported-by: Will Deacon Originally-from: Peter Zijlstra (Intel) Tested-by: Will Deacon Signed-off-by: Waiman Long Signed-off-by: Tejun Heo commit 89e5dd41c444cc2178be8d3090e386d02f4fccf3 Merge: 97801cfcf9565 4722dd4029c63 Author: Arnd Bergmann Date: Mon Feb 6 20:47:13 2023 +0100 Merge tag 'sti-dt-for-6.3-round1' of git://git.kernel.org/pub/scm/linux/kernel/git/pchotard/sti into arm/fixes Fix polarity of reset line of tsin0 port for stihxxx-b2120 * tag 'sti-dt-for-6.3-round1' of git://git.kernel.org/pub/scm/linux/kernel/git/pchotard/sti: ARM: dts: stihxxx-b2120: fix polarity of reset line of tsin0 port Link: https://lore.kernel.org/r/8e05c729-89bc-20f3-acf6-096fb85d7e36@foss.st.com Signed-off-by: Arnd Bergmann commit 918c5765a15420ad60730fbe5b5b67beb74ca7b6 Merge: 4ec5183ec4865 51be2fffd65d9 Author: Rafael J. Wysocki Date: Mon Feb 6 18:54:35 2023 +0100 Merge tag 'cpufreq-arm-fixes-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm Pull an ARM cpufreq fix for 6.2-rc8 from Viresh Kumar: - Fix the incorrect value returned by cpufreq driver's ->get() callback for Qualcomm platforms (Douglas Anderson). * tag 'cpufreq-arm-fixes-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm: cpufreq: qcom-hw: Fix cpufreq_driver->get() for non-LMH systems commit 8f20660f053cefd4693e69cfff9cf58f4f7c4929 Author: Ryan Neph Date: Fri Feb 3 15:33:44 2023 -0800 drm/virtio: exbuf->fence_fd unmodified on interrupted wait An interrupted dma_fence_wait() becomes an -ERESTARTSYS returned to userspace ioctl(DRM_IOCTL_VIRTGPU_EXECBUFFER) calls, prompting to retry the ioctl(), but the passed exbuf->fence_fd has been reset to -1, making the retry attempt fail at sync_file_get_fence(). The uapi for DRM_IOCTL_VIRTGPU_EXECBUFFER is changed to retain the passed value for exbuf->fence_fd when returning anything besides a successful result from the ioctl. Fixes: 2cd7b6f08bc4 ("drm/virtio: add in/out fence support for explicit synchronization") Signed-off-by: Ryan Neph Reviewed-by: Rob Clark Reviewed-by: Dmitry Osipenko Signed-off-by: Dmitry Osipenko Link: https://patchwork.freedesktop.org/patch/msgid/20230203233345.2477767-1-ryanneph@chromium.org commit 7a17e8423a133a6ac238462126d7f88faaccc681 Author: Stefan Binding Date: Mon Feb 6 15:00:19 2023 +0000 ALSA: hda/realtek: Add quirk for ASUS UM3402 using CS35L41 This Asus Zenbook laptop use Realtek HDA codec combined with 2xCS35L41 Amplifiers using I2C with External Boost. Signed-off-by: Stefan Binding Cc: Link: https://lore.kernel.org/r/20230206150019.3825120-1-sbinding@opensource.cirrus.com Signed-off-by: Takashi Iwai commit ebebf05a4b06a1be49788ca0edf990de01c4b0d0 Author: Luka Guzenko Date: Fri Jan 20 23:37:41 2023 +0100 HID: Ignore battery for ELAN touchscreen 29DF on HP The touchscreen reports a battery status of 0% and jumps to 1% when a stylus is used. The device ID was added and the battery ignore quirk was enabled for it. Signed-off-by: Luka Guzenko Link: https://lore.kernel.org/r/20230120223741.3007-1-l.guzenko@web.de Signed-off-by: Benjamin Tissoires commit db370a8b9f67ae5f17e3d5482493294467784504 Author: Wander Lairson Costa Date: Thu Feb 2 09:30:20 2023 -0300 rtmutex: Ensure that the top waiter is always woken up Let L1 and L2 be two spinlocks. Let T1 be a task holding L1 and blocked on L2. T1, currently, is the top waiter of L2. Let T2 be the task holding L2. Let T3 be a task trying to acquire L1. The following events will lead to a state in which the wait queue of L2 isn't empty, but no task actually holds the lock. T1 T2 T3 == == == spin_lock(L1) | raw_spin_lock(L1->wait_lock) | rtlock_slowlock_locked(L1) | | task_blocks_on_rt_mutex(L1, T3) | | | orig_waiter->lock = L1 | | | orig_waiter->task = T3 | | | raw_spin_unlock(L1->wait_lock) | | | rt_mutex_adjust_prio_chain(T1, L1, L2, orig_waiter, T3) spin_unlock(L2) | | | | | rt_mutex_slowunlock(L2) | | | | | | raw_spin_lock(L2->wait_lock) | | | | | | wakeup(T1) | | | | | | raw_spin_unlock(L2->wait_lock) | | | | | | | | waiter = T1->pi_blocked_on | | | | waiter == rt_mutex_top_waiter(L2) | | | | waiter->task == T1 | | | | raw_spin_lock(L2->wait_lock) | | | | dequeue(L2, waiter) | | | | update_prio(waiter, T1) | | | | enqueue(L2, waiter) | | | | waiter != rt_mutex_top_waiter(L2) | | | | L2->owner == NULL | | | | wakeup(T1) | | | | raw_spin_unlock(L2->wait_lock) T1 wakes up T1 != top_waiter(L2) schedule_rtlock() If the deadline of T1 is updated before the call to update_prio(), and the new deadline is greater than the deadline of the second top waiter, then after the requeue, T1 is no longer the top waiter, and the wrong task is woken up which will then go back to sleep because it is not the top waiter. This can be reproduced in PREEMPT_RT with stress-ng: while true; do stress-ng --sched deadline --sched-period 1000000000 \ --sched-runtime 800000000 --sched-deadline \ 1000000000 --mmapfork 23 -t 20 done A similar issue was pointed out by Thomas versus the cases where the top waiter drops out early due to a signal or timeout, which is a general issue for all regular rtmutex use cases, e.g. futex. The problematic code is in rt_mutex_adjust_prio_chain(): // Save the top waiter before dequeue/enqueue prerequeue_top_waiter = rt_mutex_top_waiter(lock); rt_mutex_dequeue(lock, waiter); waiter_update_prio(waiter, task); rt_mutex_enqueue(lock, waiter); // Lock has no owner? if (!rt_mutex_owner(lock)) { // Top waiter changed ----> if (prerequeue_top_waiter != rt_mutex_top_waiter(lock)) ----> wake_up_state(waiter->task, waiter->wake_state); This only takes the case into account where @waiter is the new top waiter due to the requeue operation. But it fails to handle the case where @waiter is not longer the top waiter due to the requeue operation. Ensure that the new top waiter is woken up so in all cases so it can take over the ownerless lock. [ tglx: Amend changelog, add Fixes tag ] Fixes: c014ef69b3ac ("locking/rtmutex: Add wake_state to rt_mutex_waiter") Signed-off-by: Wander Lairson Costa Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230117172649.52465-1-wander@redhat.com Link: https://lore.kernel.org/r/20230202123020.14844-1-wander@redhat.com commit eb4b55f2f26fc8a7b7dc6f06f1de91480d53485b Author: Gayatri Kammela Date: Thu Feb 2 17:17:16 2023 -0800 platform/x86/intel/vsec: Add support for Meteor Lake Add Meteor Lake PMT telemetry support. Signed-off-by: Gayatri Kammela Signed-off-by: David E. Box Link: https://lore.kernel.org/r/20230203011716.1078003-1-david.e.box@linux.intel.com Signed-off-by: Hans de Goede commit 44e4c5684fcc82d8f099656c4ea39d9571e2a8ac Author: Aravind Iddamsetty Date: Fri Feb 3 19:22:05 2023 +0530 drm/i915: Initialize the obj flags for shmem objects Obj flags for shmem objects is not being set correctly. Fixes in setting BO_ALLOC_USER flag which applies to shmem objs as well. v2: Add fixes tag (Tvrtko, Matt A) Fixes: 13d29c823738 ("drm/i915/ehl: unconditionally flush the pages on acquire") Cc: # v5.15+ Cc: Matthew Auld Cc: Tvrtko Ursulin Reviewed-by: Matthew Auld Signed-off-by: Aravind Iddamsetty Reviewed-by: Andrzej Hajda Signed-off-by: Tvrtko Ursulin [tursulin: Grouped all tags together.] Link: https://patchwork.freedesktop.org/patch/msgid/20230203135205.4051149-1-aravind.iddamsetty@intel.com (cherry picked from commit bca0d1d3ceeb07be45a51c0fa4d57a0ce31b6aed) Signed-off-by: Rodrigo Vivi commit 251e8c5b1b1fadcc387a8e618c7437d330bdac3e Author: Rob Clark Date: Fri Feb 3 08:49:20 2023 -0800 drm/i915: Move fd_install after last use of fence Because eb_composite_fence_create() drops the fence_array reference after creation of the sync_file, only the sync_file holds a ref to the fence. But fd_install() makes that reference visable to userspace, so it must be the last thing we do with the fence. Signed-off-by: Rob Clark Fixes: 00dae4d3d35d ("drm/i915: Implement SINGLE_TIMELINE with a syncobj (v4)") Cc: # v5.15+ [tursulin: Added stable tag.] Reviewed-by: Tvrtko Ursulin Signed-off-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20230203164937.4035503-1-robdclark@gmail.com (cherry picked from commit 960dafa30455450d318756a9896a02727f2639e0) Signed-off-by: Rodrigo Vivi commit 039a72ce7e570c56713fe7758a0658034dc48c9b Author: Jouni Högander Date: Mon Jan 23 09:44:37 2023 +0200 drm/i915/fbdev: Implement fb_dirty for intel custom fb helper After disconnecting damage worker from update logic it's left to fbdev emulation implementation to have fb_dirty function. Currently intel fbdev doesn't have it. This is causing problems to features (PSR, FBC, DRRS) relying on dirty callback. Implement simple fb_dirty callback to deliver notifications about updates in fb console. v4: Add proper Fixes tag and modify commit message v3: Check damage clip v2: Improved commit message and added Fixes tag Fixes: f231af498c29 ("drm/fb-helper: Disconnect damage worker from update logic") Cc: Ville Syrjälä Cc: Thomas Zimmermann Cc: Jani Nikula Signed-off-by: Jouni Högander Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20230123074437.475103-1-jouni.hogander@intel.com (cherry picked from commit 1af546c2cec6e28b6bbe01a4ad0c38e96e54fcb4) Signed-off-by: Rodrigo Vivi commit 90d5e8301ac24550be80d193aa5582cab56c29fc Author: Ville Syrjälä Date: Tue Jan 31 02:21:24 2023 +0200 drm/i915: Don't do the WM0->WM1 copy w/a if WM1 is already enabled Due to a workaround we have to make sure the WM1 watermarks block/lines values are sensible even when WM1 is disabled. To that end we copy those values from WM0. However since we now keep each wm level enabled on a per-plane basis it doesn't seem necessary to do that copy when we already have an enabled WM1 on the current plane. That is, we might be in a situation where another plane can only do WM0 (and thus needs the copy) but the current plane's WM1 is still perfectly valid (ie. fits into the current DDB allocation). Skipping the copy could avoid reprogramming the plane's registers needlessly in some cases. Fixes: a301cb0fca2d ("drm/i915: Keep plane watermarks enabled more aggressively") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20230131002127.29305-1-ville.syrjala@linux.intel.com Reviewed-by: Stanislav Lisovskiy (cherry picked from commit c580c2d27ac8754cc6f01da1d715b7272f5f9cbb) Signed-off-by: Rodrigo Vivi commit fe1e7e8ce2c47bd8fd9885eab63fca0a522e94c9 Author: Alexey Firago Date: Sat Feb 4 22:51:06 2023 +0300 ASoC: codecs: es8326: Fix DTS properties reading Seems like properties parsing and reading was copy-pasted, so "everest,interrupt-src" and "everest,interrupt-clk" are saved into the es8326->jack_pol variable. This might lead to wrong settings being saved into the reg 57 (ES8326_HP_DET). Fix this by using proper variables while reading properties. Signed-off-by: Alexey Firago Reviewed-by: Yang Yingliang commit e0576cd642ced1ac65370b4516b7be9f536a0498 Author: Daniel Beer Date: Thu Oct 27 21:38:38 2022 +1300 ASoC: tas5805m: add missing page switch. In tas5805m_refresh, we switch pages to update the DSP volume control, but we need to switch back to page 0 before trying to alter the soft-mute control. This latter page-switch was missing. Fixes: ec45268467f4 ("ASoC: add support for TAS5805M digital amplifier") Signed-off-by: Daniel Beer Link: https://lore.kernel.org/r/1fea38a71ea6ab0225d19ab28d1fa12828d762d0.1675497326.git.daniel.beer@igorinstitute.com Signed-off-by: Mark Brown commit 147323792693bf013f60dca160be1d32bd4d180a Author: Daniel Beer Date: Thu Oct 27 21:28:31 2022 +1300 ASoC: tas5805m: rework to avoid scheduling while atomic. There's some setup we need to do in order to get the DSP initialized, and this can't be done until a bit-clock is ready. In an earlier version of this driver, this work was done in a DAPM callback. The DAPM callback doesn't guarantee that the bit-clock is running, so the work was moved instead to the trigger callback. Unfortunately this callback runs in atomic context, and the setup code needs to do I2C transactions. Here we use a work_struct to kick off the setup in a thread instead. Fixes: ec45268467f4 ("ASoC: add support for TAS5805M digital amplifier") Signed-off-by: Daniel Beer Link: https://lore.kernel.org/r/85d8ba405cb009a7a3249b556dc8f3bdb1754fdf.1675497326.git.daniel.beer@igorinstitute.com Signed-off-by: Mark Brown commit 5921b250f43870e7d8044ca14e402292ceb3e3a8 Author: Krzysztof Kozlowski Date: Fri Feb 3 17:50:54 2023 +0100 pinctrl: qcom: sm8450-lpass-lpi: correct swr_rx_data group According to hardware programming guide, the swr_rx_data pin group has only two pins (GPIO5 and GPIO6). This is also visible in "struct sm8450_groups" in the driver - GPIO15 does not have swr_rx_data function. Fixes: ec1652fc4d56 ("pinctrl: qcom: Add sm8450 lpass lpi pinctrl driver") Cc: Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20230203165054.390762-1-krzysztof.kozlowski@linaro.org Signed-off-by: Linus Walleij commit 97e45d469eb180a7bd2809e4e079331552c73e42 Author: Randy Dunlap Date: Sat Feb 4 09:22:06 2023 -0800 powerpc/kexec_file: fix implicit decl error kexec (PPC64) code calls memory_hotplug_max(). Add the header declaration for it from . Using does not work since the #include for depends on CONFIG_NUMA=y, which is not always set. Fixes this build error/warning: arch/powerpc/kexec/file_load_64.c: In function 'kexec_extra_fdt_size_ppc64': arch/powerpc/kexec/file_load_64.c:993:33: error: implicit declaration of function 'memory_hotplug_max' 993 | usm_entries = ((memory_hotplug_max() / drmem_lmb_size()) + | ^~~~~~~~~~~~~~~~~~ Fixes: fc546faa5595 ("powerpc/kexec_file: Count hot-pluggable memory in FDT estimate") Signed-off-by: Randy Dunlap Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230204172206.7662-1-rdunlap@infradead.org commit 563ca0e9eab8acc8a1309e8b440108ff8d23e951 Author: Dan Carpenter Date: Tue Jan 24 18:20:54 2023 +0300 RDMA/mana_ib: Prevent array underflow in mana_ib_create_qp_raw() The "port" comes from the user and if it is zero then the: ndev = mc->ports[port - 1]; assignment does an out of bounds read. I have changed the if statement to fix this and to mirror how it is done in mana_ib_create_qp_rss(). Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/Y8/3Vn8qx00kE9Kk@kili Acked-by: Long Li Signed-off-by: Leon Romanovsky commit 7bcfdab3f0c6672ca52be3cb65a0550d8b99554b Author: Mario Limonciello Date: Fri Feb 3 16:08:49 2023 -0600 HID: amd_sfh: if no sensors are enabled, clean up It was reported that commit b300667b33b2 ("HID: amd_sfh: Disable the interrupt for all command") had caused increased resume time on HP Envy x360. Before this commit 3 sensors were reported, but they were not actually functional. After this commit the sensors are no longer reported, but also the resume time increased. To avoid this problem explicitly look for the number of disabled sensors. If all the sensors are disabled, clean everything up. Fixes: b300667b33b2 ("HID: amd_sfh: Disable the interrupt for all command") Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2115 Reported-by: Xaver Hugl Signed-off-by: Mario Limonciello Acked-by: Basavaraj Natikar Link: https://lore.kernel.org/r/20230203220850.13924-1-mario.limonciello@amd.com Signed-off-by: Benjamin Tissoires commit 811d581194f7412eda97acc03d17fc77824b561f Author: Alan Stern Date: Fri Feb 3 14:32:09 2023 -0500 net: USB: Fix wrong-direction WARNING in plusb.c The syzbot fuzzer detected a bug in the plusb network driver: A zero-length control-OUT transfer was treated as a read instead of a write. In modern kernels this error provokes a WARNING: usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0 WARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Modules linked in: CPU: 1 PID: 4645 Comm: dhcpcd Not tainted 6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 ... Call Trace: usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153 __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010 usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068 pl_vendor_req drivers/net/usb/plusb.c:60 [inline] pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline] pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85 usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889 __dev_open+0x297/0x4d0 net/core/dev.c:1417 __dev_change_flags+0x587/0x750 net/core/dev.c:8530 dev_change_flags+0x97/0x170 net/core/dev.c:8602 devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147 inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979 sock_do_ioctl+0xcc/0x230 net/socket.c:1169 sock_ioctl+0x1f8/0x680 net/socket.c:1286 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and remove the USB_DIR_IN flag. Reported-and-tested-by: syzbot+2a0e7abd24f1eb90ce25@syzkaller.appspotmail.com Signed-off-by: Alan Stern Fixes: 090ffa9d0e90 ("[PATCH] USB: usbnet (9/9) module for pl2301/2302 cables") CC: stable@vger.kernel.org Link: https://lore.kernel.org/r/00000000000052099f05f3b3e298@google.com/ Signed-off-by: David S. Miller commit 690eb7dec72ae52d1d710d14a451844b4d0f4f19 Author: Bastien Nocera Date: Fri Feb 3 11:18:00 2023 +0100 HID: logitech: Disable hi-res scrolling on USB On some Logitech mice, such as the G903, and possibly the G403, the HID events are generated on a different interface to the HID++ one. If we enable hi-res through the HID++ interface, the HID interface wouldn't know anything about it, and handle the events as if they were regular scroll events, making the mouse unusable. Disable hi-res scrolling on those devices until we implement scroll events through HID++. Signed-off-by: Bastien Nocera Tested-by: Tobias Klausmann Link: https://bugzilla.kernel.org/show_bug.cgi?id=216885 Fixes: 908d325e1665 ("HID: logitech-hidpp: Detect hi-res scrolling support") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230203101800.139380-1-hadess@hadess.net Signed-off-by: Benjamin Tissoires commit ea427a222d8bdf2bc1a8a6da3ebe247f7dced70c Author: Xin Zhao Date: Mon Jan 30 21:29:47 2023 +0000 HID: core: Fix deadloop in hid_apply_multiplier. The initial value of hid->collection[].parent_idx if 0. When Report descriptor doesn't contain "HID Collection", the value remains as 0. In the meanwhile, when the Report descriptor fullfill all following conditions, it will trigger hid_apply_multiplier function call. 1. Usage page is Generic Desktop Ctrls (0x01) 2. Usage is RESOLUTION_MULTIPLIER (0x48) 3. Contain any FEATURE items The while loop in hid_apply_multiplier will search the top-most collection by searching parent_idx == -1. Because all parent_idx is 0. The loop will run forever. There is a Report Descriptor triggerring the deadloop 0x05, 0x01, // Usage Page (Generic Desktop Ctrls) 0x09, 0x48, // Usage (0x48) 0x95, 0x01, // Report Count (1) 0x75, 0x08, // Report Size (8) 0xB1, 0x01, // Feature Signed-off-by: Xin Zhao Link: https://lore.kernel.org/r/20230130212947.1315941-1-xnzhao@google.com Signed-off-by: Benjamin Tissoires commit d7d94b2612f5dc25d61dc7bf58aafe7b31f40191 Author: Casper Andersson Date: Fri Feb 3 09:55:57 2023 +0100 net: microchip: sparx5: fix PTP init/deinit not checking all ports Check all ports instead of just port_count ports. PTP init was only checking ports 0 to port_count. If the hardware ports are not mapped starting from 0 then they would be missed, e.g. if only ports 20-30 were mapped it would attempt to init ports 0-10, resulting in NULL pointers when attempting to timestamp. Now it will init all mapped ports. Fixes: 70dfe25cd866 ("net: sparx5: Update extraction/injection for timestamping") Signed-off-by: Casper Andersson Reviewed-by: Horatiu Vultur Signed-off-by: David S. Miller commit 03702d4d29be4e2510ec80b248dbbde4e57030d9 Author: Herton R. Krzesinski Date: Fri Feb 3 13:04:48 2023 -0300 uapi: add missing ip/ipv6 header dependencies for linux/stddef.h Since commit 58e0be1ef6118 ("net: use struct_group to copy ip/ipv6 header addresses"), ip and ipv6 headers started to use the __struct_group definition, which is defined at include/uapi/linux/stddef.h. However, linux/stddef.h isn't explicitly included in include/uapi/linux/{ip,ipv6}.h, which breaks build of xskxceiver bpf selftest if you install the uapi headers in the system: $ make V=1 xskxceiver -C tools/testing/selftests/bpf ... make: Entering directory '(...)/tools/testing/selftests/bpf' gcc -g -O0 -rdynamic -Wall -Werror (...) In file included from xskxceiver.c:79: /usr/include/linux/ip.h:103:9: error: expected specifier-qualifier-list before ‘__struct_group’ 103 | __struct_group(/* no tag */, addrs, /* no attrs */, | ^~~~~~~~~~~~~~ ... Include the missing dependency in ip.h and do the same for the ipv6.h header. Fixes: 58e0be1ef611 ("net: use struct_group to copy ip/ipv6 header addresses") Signed-off-by: Herton R. Krzesinski Reviewed-by: Carlos O'Donell Tested-by: Carlos O'Donell Signed-off-by: David S. Miller commit c1d2ecdf5e38e3489ce8328238b558b3b2866fe1 Author: Julian Anastasov Date: Thu Feb 2 17:25:51 2023 +0200 neigh: make sure used and confirmed times are valid Entries can linger in cache without timer for days, thanks to the gc_thresh1 limit. As result, without traffic, the confirmed time can be outdated and to appear to be in the future. Later, on traffic, NUD_STALE entries can switch to NUD_DELAY and start the timer which can see the invalid confirmed time and wrongly switch to NUD_REACHABLE state instead of NUD_PROBE. As result, timer is set many days in the future. This is more visible on 32-bit platforms, with higher HZ value. Why this is a problem? While we expect unused entries to expire, such entries stay in REACHABLE state for too long, locked in cache. They are not expired normally, only when cache is full. Problem and the wrong state change reported by Zhang Changzhong: 172.16.1.18 dev bond0 lladdr 0a:0e:0f:01:12:01 ref 1 used 350521/15994171/350520 probes 4 REACHABLE 350520 seconds have elapsed since this entry was last updated, but it is still in the REACHABLE state (base_reachable_time_ms is 30000), preventing lladdr from being updated through probe. Fix it by ensuring timer is started with valid used/confirmed times. Considering the valid time range is LONG_MAX jiffies, we try not to go too much in the past while we are in DELAY/PROBE state. There are also places that need used/updated times to be validated while timer is not running. Reported-by: Zhang Changzhong Signed-off-by: Julian Anastasov Tested-by: Zhang Changzhong Signed-off-by: David S. Miller commit 9a6804aa1c92cd28e89e746ace44d5ba101db76c Author: Elvis Angelaccio Date: Sun Feb 5 19:56:18 2023 +0100 ALSA: hda/realtek: Enable mute/micmute LEDs on HP Elitebook, 645 G9 The HP Elitebook 645 G9 laptop (with motherboard model 89D2) uses the ALC236 codec and requires the alc236_fixup_hp_mute_led_micmute_vref fixup in order to enable mute/micmute LEDs. Note: the alc236_fixup_hp_gpio_led fixup, which is used by the Elitebook 640 G9, does not work with the 645 G9. [ rearranged the entry in SSID order -- tiwai ] Signed-off-by: Elvis Angelaccio Cc: Link: https://lore.kernel.org/r/4055cb48-e228-8a13-524d-afbb7aaafebe@kde.org Signed-off-by: Takashi Iwai commit 51be2fffd65d9f9cb427030ab0ee85d791b4437d Author: Douglas Anderson Date: Thu Feb 2 14:00:23 2023 -0800 cpufreq: qcom-hw: Fix cpufreq_driver->get() for non-LMH systems On a sc7180-based Chromebook, when I go to /sys/devices/system/cpu/cpu0/cpufreq I can see: cpuinfo_cur_freq:2995200 cpuinfo_max_freq:1804800 scaling_available_frequencies:300000 576000 ... 1708800 1804800 scaling_cur_freq:1804800 scaling_max_freq:1804800 As you can see the `cpuinfo_cur_freq` is bogus. It turns out that this bogus info started showing up as of commit c72cf0cb1d77 ("cpufreq: qcom-hw: Fix the frequency returned by cpufreq_driver->get()"). That commit seems to assume that everyone is on the LMH bandwagon, but sc7180 isn't. Let's go back to the old code in the case where LMH isn't used. Fixes: c72cf0cb1d77 ("cpufreq: qcom-hw: Fix the frequency returned by cpufreq_driver->get()") Signed-off-by: Douglas Anderson Reviewed-by: Konrad Dybcio Reviewed-by: Manivannan Sadhasivam [ Viresh: Fixed the 'fixes' tag ] Signed-off-by: Viresh Kumar commit d2d11f342b179f1894a901f143ec7c008caba43e Merge: 4ec5183ec4865 9c7417b5ec440 Author: Linus Torvalds Date: Sun Feb 5 17:17:10 2023 -0800 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull ELF fix from Al Viro: "One of the many equivalent build warning fixes for !CONFIG_ELF_CORE configs. Geert's is the earliest one I've been able to find" * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: coredump: Move dump_emit_page() to kill unused warning commit 4ec5183ec48656cec489c49f989c508b68b518e3 Author: Linus Torvalds Date: Sun Feb 5 13:13:28 2023 -0800 Linux 6.2-rc7 commit c608f6b58f306ce0e4f459af69a196f5ed6ccf45 Merge: dc0ce181af6d1 f82060da749c6 Author: Linus Torvalds Date: Sun Feb 5 12:19:55 2023 -0800 Merge tag 'usb-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB fixes that resolve some reported problems. These include: - gadget driver fixes - dwc3 driver fix - typec driver fix - MAINTAINERS file update. All of these have been in linux-next with no reported problems" * tag 'usb-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: typec: ucsi: Don't attempt to resume the ports before they exist usb: gadget: udc: do not clear gadget driver.bus usb: gadget: f_uac2: Fix incorrect increment of bNumEndpoints usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait usb: dwc3: qcom: enable vbus override when in OTG dr-mode MAINTAINERS: Add myself as UVC Gadget Maintainer commit dc0ce181af6d1989192b973eae5f916cb6ce47f0 Merge: d3feaff4d9492 226fae124b2da Author: Linus Torvalds Date: Sun Feb 5 12:06:29 2023 -0800 Merge tag 'tty-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial driver fixes from Greg KH: "Here are some small serial and vt fixes. These include: - 8250 driver fixes relating to dma issues - stm32 serial driver fix for threaded irqs - vc_screen bugfix for reported problems. All have been in linux-next for a while with no reported problems" * tag 'tty-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF serial: 8250_dma: Fix DMA Rx rearm race serial: 8250_dma: Fix DMA Rx completion race serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler commit d3feaff4d9492aa05b94167e170858da81159654 Merge: 870c3a9a2bc48 d83d7ed260283 Author: Linus Torvalds Date: Sun Feb 5 11:52:23 2023 -0800 Merge tag 'char-misc-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are a number of small char/misc/whatever driver fixes. They include: - IIO driver fixes for some reported problems - nvmem driver fixes - fpga driver fixes - debugfs memory leak fix in the hv_balloon and irqdomain code (irqdomain change was acked by the maintainer) All have been in linux-next with no reported problems" * tag 'char-misc-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (33 commits) kernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup() HV: hv_balloon: fix memory leak with using debugfs_lookup() nvmem: qcom-spmi-sdam: fix module autoloading nvmem: core: fix return value nvmem: core: fix cell removal on error nvmem: core: fix device node refcounting nvmem: core: fix registration vs use race nvmem: core: fix cleanup after dev_set_name() nvmem: core: remove nvmem_config wp_gpio nvmem: core: initialise nvmem->id early nvmem: sunxi_sid: Always use 32-bit MMIO reads nvmem: brcm_nvram: Add check for kzalloc iio: imu: fxos8700: fix MAGN sensor scale and unit iio: imu: fxos8700: remove definition FXOS8700_CTRL_ODR_MIN iio: imu: fxos8700: fix failed initialization ODR mode assignment iio: imu: fxos8700: fix incorrect ODR mode readback iio: light: cm32181: Fix PM support on system with 2 I2C resources iio: hid: fix the retval in gyro_3d_capture_sample iio: hid: fix the retval in accel_3d_capture_sample iio: imu: st_lsm6dsx: fix build when CONFIG_IIO_TRIGGERED_BUFFER=m ... commit 870c3a9a2bc48bea0f954172aaff7ed489acaf64 Merge: 9e482602c5945 2b09d5d364986 Author: Linus Torvalds Date: Sun Feb 5 11:43:00 2023 -0800 Merge tag 'fbdev-for-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev Pull fbdev fixes from Helge Deller: - fix fbcon to prevent fonts bigger than 32x32 pixels to avoid overflows reported by syzbot - switch omapfb to use kstrtobool() - switch some fbdev drivers to use the backlight helpers * tag 'fbdev-for-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: fbcon: Check font dimension limits fbdev: omapfb: Use kstrtobool() instead of strtobool() fbdev: fbmon: fix function name in kernel-doc fbdev: atmel_lcdfb: Rework backlight status updates fbdev: riva: Use backlight helper fbdev: omapfb: panel-dsi-cm: Use backlight helper fbdev: nvidia: Use backlight helper fbdev: mx3fb: Use backlight helper fbdev: radeon: Use backlight helper fbdev: atyfb: Use backlight helper fbdev: aty128fb: Use backlight helper commit 9e482602c59457374916d942b4ba6ff602b14fa4 Merge: de506eec89d84 9d2c7203ffdb8 Author: Linus Torvalds Date: Sun Feb 5 11:28:42 2023 -0800 Merge tag 'x86_urgent_for_v6.2_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fix from Borislav Petkov: - Prevent the compiler from reordering accesses to debug regs which could cause a #VC exception in SEV-ES guests at the wrong place in the NMI handling path * tag 'x86_urgent_for_v6.2_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/debug: Fix stack recursion caused by wrongly ordered DR7 accesses commit de506eec89d8456dfe344fac5b72afce0dce07a3 Merge: 837c07cf68fec 4f64a6c9f6f11 Author: Linus Torvalds Date: Sun Feb 5 11:03:56 2023 -0800 Merge tag 'perf_urgent_for_v6.2_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fix from Borislav Petkov: - Lock the proper critical section when dealing with perf event context * tag 'perf_urgent_for_v6.2_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf: Fix perf_event_pmu_context serialization commit 837c07cf68fec9cad455d5fc86aab5350cc06c53 Merge: 95078069c1e70 1665c027afb22 Author: Linus Torvalds Date: Sat Feb 4 18:40:51 2023 -0800 Merge tag 'powerpc-6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "It's a bit of a big batch for rc6, but just because I didn't send any fixes the last week or two while I was on vacation, next week should be quieter: - Fix a few objtool warnings since we recently enabled objtool. - Fix a deadlock with the hash MMU vs perf record. - Fix perf profiling of asynchronous interrupt handlers. - Revert the IMC PMU nest_init_lock to being a mutex. - Two commits fixing problems with the kexec_file FDT size estimation. - Two commits fixing problems with strict RWX vs kernels running at non-zero. - Reconnect tlb_flush() to hash__tlb_flush() Thanks to Kajol Jain, Nicholas Piggin, Sachin Sant Sathvika Vasireddy, and Sourabh Jain" * tag 'powerpc-6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/64s: Reconnect tlb_flush() to hash__tlb_flush() powerpc/kexec_file: Count hot-pluggable memory in FDT estimate powerpc/64s/radix: Fix RWX mapping with relocated kernel powerpc/64s/radix: Fix crash with unaligned relocated kernel powerpc/kexec_file: Fix division by zero in extra size estimation powerpc/imc-pmu: Revert nest_init_lock to being a mutex powerpc/64: Fix perf profiling asynchronous interrupt handlers powerpc/64s: Fix local irq disable when PMIs are disabled powerpc/kvm: Fix unannotated intra-function call warning powerpc/85xx: Fix unannotated intra-function call warning commit 95078069c1e70d1b3b141132d18d0c563acedd0c Merge: db27c22251e7c 08279468a294d Author: Linus Torvalds Date: Sat Feb 4 13:46:37 2023 -0800 Merge tag 'rtc-6.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux Pull RTC fixes from Alexandre Belloni: "Here are a few fixes for 6.2. The EFI one is the most important as it allows some RTCs to actually work. The other two are warnings that are worth fixing. - efi: make WAKEUP services optional - sunplus: fix format string warning" * tag 'rtc-6.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux: rtc: sunplus: fix format string for printing resource dt-bindings: rtc: qcom-pm8xxx: allow 'wakeup-source' property rtc: efi: Enable SET/GET WAKEUP services as optional commit db27c22251e7c8f3a9d5bfb55c9c8c701a70bbb3 Merge: c00f4ddde0943 22e46f6480e83 Author: Linus Torvalds Date: Sat Feb 4 11:30:23 2023 -0800 Merge tag 'kbuild-fixes-v6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild fixes from Masahiro Yamada: - Fix two bugs (for building and for signing) when MODULE_SIG_KEY contains a PKCS#11 URI * tag 'kbuild-fixes-v6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: kbuild: modinst: Fix build error when CONFIG_MODULE_SIG_KEY is a PKCS#11 URI certs: Fix build error when PKCS#11 URI contains semicolon commit c00f4ddde0943cf54499bc380ffca6376af2d945 Merge: 2ab2ba494db2d 25b72cf7da9f0 Author: Linus Torvalds Date: Sat Feb 4 11:21:27 2023 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "ARM64: - Yet another fix for non-CPU accesses to the memory backing the VGICv3 subsystem - A set of fixes for the setlftest checking for the S1PTW behaviour after the fix that went in ealier in the cycle" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: selftests: aarch64: Test read-only PT memory regions KVM: selftests: aarch64: Fix check of dirty log PT write KVM: selftests: aarch64: Do not default to dirty PTE pages on all S1PTWs KVM: selftests: aarch64: Relax userfaultfd read vs. write checks KVM: arm64: Allow no running vcpu on saving vgic3 pending table KVM: arm64: Allow no running vcpu on restoring vgic3 LPI pending status KVM: arm64: Add helper vgic_write_guest_lock() commit 2ab2ba494db2dbfbb541ae27f69317e1c089ea51 Merge: 583472ef2d176 316f1f42b5cc1 Author: Linus Torvalds Date: Sat Feb 4 11:15:00 2023 -0800 Merge tag 'parisc-for-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc architecture fixes from Helge Deller: - Fix PTRACE_GETREGS/PTRACE_SETREGS for 32-bit userspace on a 64-bit kernel - pdc_iodc_print() dropped chars for newline in strings - Drop constants in favour of PRIV_USER - use safer strscpy() function in pdc_stable driver * tag 'parisc-for-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case parisc: Replace hardcoded value with PRIV_USER constant in ptrace.c parisc: Fix return code of pdc_iodc_print() parisc: pdc_stable: use strscpy() to instead of strncpy() commit 583472ef2d176883596637a690602e6d76c5fee5 Merge: 0136d86b78522 0a2742bf5899b Author: Linus Torvalds Date: Sat Feb 4 10:14:50 2023 -0800 Merge tag 'for-linus' of https://github.com/openrisc/linux Pull OpenRISC mailing list update from Stafford Horne: "The old mailing list for OpenRISC died due to some infrastructure issues and the people in charge decided not to keep it running. We have migrated this and the users over to kernel.org infrastructure. Sending this out now to avoid kernel developers getting lots of bounced mails for using the old list" * tag 'for-linus' of https://github.com/openrisc/linux: MAINTAINERS: Update OpenRISC mailing list commit 25b72cf7da9f0d66eef3979187ddfda98d4efcd0 Merge: c2c46b10d5262 08ddbbdf0b558 Author: Paolo Bonzini Date: Sat Feb 4 08:57:43 2023 -0500 Merge tag 'kvmarm-fixes-6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD KVM/arm64 fixes for 6.2, take #3 - Yet another fix for non-CPU accesses to the memory backing the VGICv3 subsystem - A set of fixes for the setlftest checking for the S1PTW behaviour after the fix that went in ealier in the cycle commit 2b09d5d364986f724f17001ccfe4126b9b43a0be Author: Samuel Thibault Date: Sun Jan 29 16:17:40 2023 +0100 fbcon: Check font dimension limits blit_x and blit_y are u32, so fbcon currently cannot support fonts larger than 32x32. The 32x32 case also needs shifting an unsigned int, to properly set bit 31, otherwise we get "UBSAN: shift-out-of-bounds in fbcon_set_font", as reported on: http://lore.kernel.org/all/IA1PR07MB98308653E259A6F2CE94A4AFABCE9@IA1PR07MB9830.namprd07.prod.outlook.com Kernel Branch: 6.2.0-rc5-next-20230124 Kernel config: https://drive.google.com/file/d/1F-LszDAizEEH0ZX0HcSR06v5q8FPl2Uv/view?usp=sharing Reproducer: https://drive.google.com/file/d/1mP1jcLBY7vWCNM60OMf-ogw-urQRjNrm/view?usp=sharing Reported-by: Sanan Hasanov Signed-off-by: Samuel Thibault Fixes: 2d2699d98492 ("fbcon: font setting should check limitation of driver") Cc: stable@vger.kernel.org Tested-by: Miko Larsson Reviewed-by: Greg Kroah-Hartman Signed-off-by: Helge Deller commit a05e7a67986c6be900f7d3310fa5bb1e0c55bb4c Merge: 69ff53e4a4c94 b69585bfcecee Author: Jakub Kicinski Date: Fri Feb 3 19:58:56 2023 -0800 Merge branch 'ionic-code-maintenance' Shannon Nelson says: ==================== ionic: code maintenance These are a few fixes for a hardware bug, a couple of sw bugs, and a little code cleanup. ==================== Link: https://lore.kernel.org/r/20230202215537.69756-1-shannon.nelson@amd.com Signed-off-by: Jakub Kicinski commit b69585bfceceeffda940906cabfdaee4b47bde92 Author: Allen Hubbe Date: Thu Feb 2 13:55:37 2023 -0800 ionic: missed doorbell workaround In one version of the HW there is a remote possibility that it will miss the doorbell ring. This adds a bit of protection to be sure we don't stall a queue from a missed doorbell. Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling") Signed-off-by: Allen Hubbe Signed-off-by: Shannon Nelson Signed-off-by: Jakub Kicinski commit 1fffb0254178de1d4d9e67f467a3460d10680b10 Author: Shannon Nelson Date: Thu Feb 2 13:55:36 2023 -0800 ionic: clear up notifyq alloc commentary Make sure the q+cq alloc for NotifyQ is clearly documented and don't bother with unnecessary local variables. Signed-off-by: Shannon Nelson Reviewed-by: Leon Romanovsky Signed-off-by: Jakub Kicinski commit e8797a058466b60fc5a3291b92430c93ba90eaff Author: Neel Patel Date: Thu Feb 2 13:55:35 2023 -0800 ionic: clean interrupt before enabling queue to avoid credit race Clear the interrupt credits before enabling the queue rather than after to be sure that the enabled queue starts at 0 and that we don't wipe away possible credits after enabling the queue. Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling") Signed-off-by: Neel Patel Signed-off-by: Shannon Nelson Reviewed-by: Leon Romanovsky Signed-off-by: Jakub Kicinski commit 69ff53e4a4c9498eeed7d1441f68a1481dc69251 Author: Heiner Kallweit Date: Thu Feb 2 21:45:36 2023 +0100 net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal PHY Jerome provided the information that also the GXL internal PHY doesn't support MMD register access and EEE. MMD reads return 0xffff, what results in e.g. completely wrong ethtool --show-eee output. Therefore use the MMD dummy stubs. Fixes: d853d145ea3e ("net: phy: add an option to disable EEE advertisement") Suggested-by: Jerome Brunet Signed-off-by: Heiner Kallweit Link: https://lore.kernel.org/r/84432fe4-0be4-bc82-4e5c-557206b40f56@gmail.com Signed-off-by: Jakub Kicinski commit c9011b028e956c3b6baa6f131d9eec43e4e52020 Author: Radhey Shyam Pandey Date: Thu Feb 2 17:56:19 2023 +0530 net: macb: Perform zynqmp dynamic configuration only for SGMII interface In zynqmp platforms where firmware supports dynamic SGMII configuration but has other non-SGMII ethernet devices, it fails them with no packets received at the RX interface. To fix this behaviour perform SGMII dynamic configuration only for the SGMII phy interface. Fixes: 32cee7818111 ("net: macb: Add zynqmp SGMII dynamic configuration support") Signed-off-by: Radhey Shyam Pandey Reviewed-by: Jiri Pirko Reported-by: Michal Simek Tested-by: Michal Simek Reviewed-by: Claudiu Beznea Link: https://lore.kernel.org/r/1675340779-27499-1-git-send-email-radhey.shyam.pandey@amd.com Signed-off-by: Jakub Kicinski commit cbe83191d40d8925b7a99969d037d2a0caf69294 Author: Qi Zheng Date: Thu Feb 2 17:32:55 2023 +0800 bonding: fix error checking in bond_debug_reregister() Since commit ff9fb72bc077 ("debugfs: return error values, not NULL") changed return value of debugfs_rename() in error cases from %NULL to %ERR_PTR(-ERROR), we should also check error values instead of NULL. Fixes: ff9fb72bc077 ("debugfs: return error values, not NULL") Signed-off-by: Qi Zheng Acked-by: Jay Vosburgh Link: https://lore.kernel.org/r/20230202093256.32458-1-zhengqi.arch@bytedance.com Signed-off-by: Jakub Kicinski commit a5b21d8d791cd4db609d0bbcaa9e0c7e019888d1 Author: Andrew Morton Date: Thu Feb 2 18:07:35 2023 -0800 revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" This fix was nacked by Philip, for reasons identified in the email linked below. Link: https://lkml.kernel.org/r/68f15d67-8945-2728-1f17-5b53a80ec52d@squashfs.org.uk Fixes: 72e544b1b28325 ("squashfs: harden sanity check in squashfs_read_xattr_id_table") Cc: Alexey Khoroshilov Cc: Fedor Pchelkin Cc: Phillip Lougher Signed-off-by: Andrew Morton commit 388bc034d91d480efa88abc5c8d6e6c8a878b1ab Author: Shiyang Ruan Date: Thu Feb 2 12:33:47 2023 +0000 fsdax: dax_unshare_iter() should return a valid length The copy_mc_to_kernel() will return 0 if it executed successfully. Then the return value should be set to the length it copied. [akpm@linux-foundation.org: don't mess up `ret', per Matthew] Link: https://lkml.kernel.org/r/1675341227-14-1-git-send-email-ruansy.fnst@fujitsu.com Fixes: d984648e428b ("fsdax,xfs: port unshare to fsdax") Signed-off-by: Shiyang Ruan Cc: Darrick J. Wong Cc: Alistair Popple Cc: Dan Williams Cc: Dave Chinner Cc: Jason Gunthorpe Cc: John Hubbard Cc: Matthew Wilcox Signed-off-by: Andrew Morton commit aa1e6a932ca652a50a5df458399724a80459f521 Author: Kuan-Ying Lee Date: Tue Jan 31 14:32:06 2023 +0800 mm/gup: add folio to list when folio_isolate_lru() succeed If we call folio_isolate_lru() successfully, we will get return value 0. We need to add this folio to the movable_pages_list. Link: https://lkml.kernel.org/r/20230131063206.28820-1-Kuan-Ying.Lee@mediatek.com Fixes: 67e139b02d99 ("mm/gup.c: refactor check_and_migrate_movable_pages()") Signed-off-by: Kuan-Ying Lee Reviewed-by: Alistair Popple Acked-by: David Hildenbrand Reviewed-by: Baolin Wang Cc: Andrew Yang Cc: Chinwen Chang Cc: John Hubbard Cc: Matthias Brugger Signed-off-by: Andrew Morton commit 81e9d6f8647650a7bead74c5f926e29970e834d1 Author: Seth Jenkins Date: Tue Jan 31 12:25:55 2023 -0500 aio: fix mremap after fork null-deref Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced a null-deref if mremap is called on an old aio mapping after fork as mm->ioctx_table will be set to NULL. [jmoyer@redhat.com: fix 80 column issue] Link: https://lkml.kernel.org/r/x49sffq4nvg.fsf@segfault.boston.devel.redhat.com Fixes: e4a0d3e720e7 ("aio: Make it possible to remap aio ring") Signed-off-by: Seth Jenkins Signed-off-by: Jeff Moyer Cc: Alexander Viro Cc: Benjamin LaHaise Cc: Jann Horn Cc: Pavel Emelyanov Cc: Signed-off-by: Andrew Morton commit ca2b1a5cd107d451e71e7ef463c2a2141ec078d2 Author: Alexander Mikhalitsyn Date: Tue Jan 31 13:34:56 2023 +0100 mailmap: add entry for Alexander Mikhalitsyn My old email isn't working anymore. Link: https://lkml.kernel.org/r/20230131123456.192657-1-aleksandr.mikhalitsyn@canonical.com Signed-off-by: Alexander Mikhalitsyn Signed-off-by: Andrew Morton commit 3770e52fd4ec40ebee16ba19ad6c09dc0b52739b Author: Arnd Bergmann Date: Mon Jan 30 14:07:26 2023 +0100 mm: extend max struct page size for kmsan After x86 enabled support for KMSAN, it has become possible to have larger 'struct page' than was expected when commit 5470dea49f53 ("mm: use mm_zero_struct_page from SPARC on all 64b architectures") was merged: include/linux/mm.h:156:10: warning: no case matching constant switch condition '96' switch (sizeof(struct page)) { Extend the maximum accordingly. Link: https://lkml.kernel.org/r/20230130130739.563628-1-arnd@kernel.org Fixes: 5470dea49f53 ("mm: use mm_zero_struct_page from SPARC on all 64b architectures") Fixes: 4ca8cc8d1bbe ("x86: kmsan: enable KMSAN builds for x86") Fixes: f80be4571b19 ("kmsan: add KMSAN runtime core") Signed-off-by: Arnd Bergmann Acked-by: Michal Hocko Reviewed-by: Pasha Tatashin Cc: Alexander Duyck Cc: Alexander Potapenko Cc: Alex Sierra Cc: David Hildenbrand Cc: Hugh Dickins Cc: John Hubbard Cc: Liam R. Howlett Cc: Matthew Wilcox Cc: Naoya Horiguchi Cc: Suren Baghdasaryan Signed-off-by: Andrew Morton commit 0136d86b78522bbd5755f8194c97a987f0586ba5 Merge: 7b753a909f426 e02bbac74cdde Author: Linus Torvalds Date: Fri Feb 3 11:35:42 2023 -0800 Merge tag 'block-6.2-2023-02-03' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: "A bit bigger than I'd like at this point, but mostly a bunch of little fixes. In detail: - NVMe pull request via Christoph: - Fix a missing queue put in nvmet_fc_ls_create_association (Amit Engel) - Clear queue pointers on tag_set initialization failure (Maurizio Lombardi) - Use workqueue dedicated to authentication (Shin'ichiro Kawasaki) - Fix for an overflow in ublk (Liu) - Fix for leaking a queue reference in block cgroups (Ming) - Fix for a use-after-free in BFQ (Yu)" * tag 'block-6.2-2023-02-03' of git://git.kernel.dk/linux: blk-cgroup: don't update io stat for root cgroup nvme-auth: use workqueue dedicated to authentication nvme: clear the request_queue pointers on failure in nvme_alloc_io_tag_set nvme: clear the request_queue pointers on failure in nvme_alloc_admin_tag_set nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association block: Fix the blk_mq_destroy_queue() documentation block: ublk: extending queue_size to fix overflow block, bfq: fix uaf for bfqq in bic_set_bfqq() commit 9f8b3706eb23bed26f7898af3c6f7fe3858564a1 Author: Bert Karwatzki Date: Thu Feb 2 20:02:36 2023 +0100 drm/amdgpu: fix memory leak in amdgpu_cs_sync_rings amdgpu_sync_get_fence deletes the returned fence from the syncobj, so the refcount of fence needs to lowered to avoid a memory leak. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2360 Reviewed-by: Alex Deucher Tested-by: Mikhail Gavrilov Reviewed-by: Christian König Signed-off-by: Bert Karwatzki Signed-off-by: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/3b590ba0f11d24b8c6c39c3d38250129c1116af4.camel@web.de commit 7b753a909f426f2789d9db6f357c3d59180a9354 Merge: a0880c33794ba a68e564adcaa6 Author: Linus Torvalds Date: Fri Feb 3 10:34:07 2023 -0800 Merge tag 'ceph-for-6.2-rc7' of https://github.com/ceph/ceph-client Pull ceph fix from Ilya Dryomov: "A safeguard to prevent the kernel client from further damaging the filesystem after running into a case of an invalid snap trace. The root cause of this metadata corruption is still being investigated but it appears to be stemming from the MDS. As such, this is the best we can do for now" * tag 'ceph-for-6.2-rc7' of https://github.com/ceph/ceph-client: ceph: blocklist the kclient when receiving corrupted snap trace ceph: move mount state enum to super.h commit a0880c33794ba417687822482ffb0d3b797f0a04 Merge: a30df1ea94ad3 966d47e1f27c4 Author: Linus Torvalds Date: Fri Feb 3 10:25:41 2023 -0800 Merge tag 'efi-fixes-for-v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi Pull EFI fixes from Ard Biesheuvel: - handle potential mremap() failure gracefully - don't reject EFI memory attributes table version 2 * tag 'efi-fixes-for-v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi: efi: fix potential NULL deref in efi_mem_reserve_persistent efi: Accept version 2 of memory attributes table commit a30df1ea94ad35c7b42d44199fe1376b4d648862 Merge: bffede38f82c2 2f394c0e7d112 Author: Linus Torvalds Date: Fri Feb 3 10:18:39 2023 -0800 Merge tag 'riscv-for-linus-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: - A build fix to avoid static branches in cpu_relax(), which greatly inflates the jump tables and breaks at least CONFIG_CC_OPTIMIZE_FOR_SIZE=y. - A fix for a kernel panic when probing impossible instruction positions. - A fix to disable unwind tables, which are enabled by default for GCC-13 and result in unhandled relocations in modules. * tag 'riscv-for-linus-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: disable generation of unwind tables riscv: kprobe: Fixup kernel panic when probing an illegal position riscv: Fix build with CONFIG_CC_OPTIMIZE_FOR_SIZE=y commit bffede38f82c27cf5e203a2c659fcc9b581dd7b8 Merge: 0c272a1d33965 f1a9e82a12038 Author: Linus Torvalds Date: Fri Feb 3 10:09:55 2023 -0800 Merge tag 'drm-fixes-2023-02-03' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "A few more fixes this week, a bit more spread out though. We have a bunch of nouveau regression and stabilisation fixes, along with usual amdgpu, and i915. Otherwise just some minor misc ones: dma-fence: - fix signaling bit for private fences panel: - boe-tv101wum-nl6 disable fix nouveau: - gm20b acr regression fix - tu102 scrub status fix - tu102 wait for firmware fix i915: - Fixes for potential use-after-free and double-free - GuC locking and refcount fixes - Display's reference clock value fix amdgpu: - GC11 fixes - DCN 3.1.4 fixes - NBIO 4.3 fix - DCN 3.2 fixes - Properly handle additional cases where DCN is not supported - SMU13 fixes vc4: - fix CEC adapter names ssd130x: - fix display init regression" * tag 'drm-fixes-2023-02-03' of git://anongit.freedesktop.org/drm/drm: (23 commits) drm/amd/display: Properly handle additional cases where DCN is not supported drm/amdgpu: Enable vclk dclk node for gc11.0.3 drm/amd: Fix initialization for nbio 4.3.0 drm/amdgpu: enable HDP SD for gfx 11.0.3 drm/amd/pm: drop unneeded dpm features disablement for SMU 13.0.4/11 drm/amd/display: Reset DMUB mailbox SW state after HW reset drm/amd/display: Unassign does_plane_fit_in_mall function from dcn3.2 drm/amd/display: Adjust downscaling limits for dcn314 drm/amd/display: Add missing brackets in calculation drm/amdgpu: update wave data type to 3 for gfx11 drm/panel: boe-tv101wum-nl6: Ensure DSI writes succeed during disable drm/nouveau/acr/gm20b: regression fixes drm/nouveau/fb/tu102-: fix register used to determine scrub status drm/nouveau/devinit/tu102-: wait for GFW_BOOT_PROGRESS == COMPLETED drm/i915/adlp: Fix typo for reference clock drm/i915: Fix potential bit_17 double-free drm/i915: Fix up locking around dumping requests lists drm/i915: Fix request ref counting during error capture & debugfs dump drm/i915/guc: Fix locking when searching for a hung request drm/i915: Avoid potential vm use-after-free ... commit 0c272a1d33965627653f4fafd6eab55d0d50f21f Merge: 66a87fff1a87c ac86f547ca100 Author: Linus Torvalds Date: Fri Feb 3 10:01:57 2023 -0800 Merge tag 'mm-hotfixes-stable-2023-02-02-19-24-2' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "25 hotfixes, mainly for MM. 13 are cc:stable" * tag 'mm-hotfixes-stable-2023-02-02-19-24-2' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (26 commits) mm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath() Kconfig.debug: fix the help description in SCHED_DEBUG mm/swapfile: add cond_resched() in get_swap_pages() mm: use stack_depot_early_init for kmemleak Squashfs: fix handling and sanity checking of xattr_ids count sh: define RUNTIME_DISCARD_EXIT highmem: round down the address passed to kunmap_flush_on_unmap() migrate: hugetlb: check for hugetlb shared PMD in node migration mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps mm/MADV_COLLAPSE: catch !none !huge !bad pmd lookups Revert "mm: kmemleak: alloc gray object for reserved region with direct map" freevxfs: Kconfig: fix spelling maple_tree: should get pivots boundary by type .mailmap: update e-mail address for Eugen Hristev mm, mremap: fix mremap() expanding for vma's with vm_ops->close() squashfs: harden sanity check in squashfs_read_xattr_id_table ia64: fix build error due to switch case label appearing next to declaration mm: multi-gen LRU: fix crash during cgroup migration Revert "mm: add nodes= arg to memory.reclaim" zsmalloc: fix a race with deferred_handles storing ... commit 966d47e1f27c45507c5df82b2a2157e5a4fd3909 Author: Anton Gusev Date: Fri Feb 3 16:22:13 2023 +0300 efi: fix potential NULL deref in efi_mem_reserve_persistent When iterating on a linked list, a result of memremap is dereferenced without checking it for NULL. This patch adds a check that falls back on allocating a new page in case memremap doesn't succeed. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 18df7577adae ("efi/memreserve: deal with memreserve entries in unmapped memory") Signed-off-by: Anton Gusev [ardb: return -ENOMEM instead of breaking out of the loop] Signed-off-by: Ard Biesheuvel commit 4722dd4029c63f10414ffd8d3ffdd6c748391cd7 Author: Dmitry Torokhov Date: Fri Sep 30 09:00:41 2022 -0700 ARM: dts: stihxxx-b2120: fix polarity of reset line of tsin0 port According to c8sectpfe driver code we first drive reset line low and then high to reset the port, therefore the reset line is supposed to be annotated as "active low". This will be important when we convert the driver to gpiod API. Reviewed-by: Patrice Chotard Signed-off-by: Dmitry Torokhov Signed-off-by: Patrice Chotard commit 97801cfcf9565247bcc53b67ea47fa87b1704375 Author: Chen-Yu Tsai Date: Thu Feb 2 18:40:14 2023 +0800 arm64: dts: mediatek: mt8195: Fix vdosys* compatible strings When vdosys1 was initially added, it was incorrectly assumed to be compatible with vdosys0, and thus both had the same mt8195-mmsys compatible attached. This has since been corrected in commit b237efd47df7 ("dt-bindings: arm: mediatek: mmsys: change compatible for MT8195") and commit 82219cfbef18 ("dt-bindings: arm: mediatek: mmsys: add vdosys1 compatible for MT8195"). The device tree needs to be fixed as well, otherwise the vdosys1 block fails to work, and causes its dependent power domain controller to not work either. Change the compatible string of vdosys1 to "mediatek,mt8195-vdosys1". While at it, also add the new "mediatek,mt8195-vdosys0" compatible to vdosys0. Fixes: 6aa5b46d1755 ("arm64: dts: mt8195: Add vdosys and vppsys clock nodes") Signed-off-by: Chen-Yu Tsai Tested-by: AngeloGioacchino Del Regno Reviewed-by: AngeloGioacchino Del Regno Acked-by: Matthias Brugger Link: https://lore.kernel.org/r/20230202104014.2931517-1-wenst@chromium.org Signed-off-by: Arnd Bergmann commit 07975ef0faae2cf49aded78f907c84ee7d238ad6 Merge: 6d796c50f84ca b67b09733d8a4 Author: Arnd Bergmann Date: Fri Feb 3 14:18:41 2023 +0100 Merge tag 'v6.2-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes Fixes to adapt to correct binding behaviour and fixes for devices on some boards Most notably may be the adaption of lower thermal limits for the pinephone pro, where the original hiher ones could result in (possibly permanent) display issues. * tag 'v6.2-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: arm64: dts: rockchip: align rk3399 DMC OPP table with bindings arm64: dts: rockchip: set sdmmc0 speed to sd-uhs-sdr50 on rock-3a arm64: dts: rockchip: fix probe of analog sound card on rock-3a arm64: dts: rockchip: add missing #interrupt-cells to rk356x pcie2x1 arm64: dts: rockchip: fix input enable pinconf on rk3399 ARM: dts: rockchip: add power-domains property to dp node on rk3288 arm64: dts: rockchip: add io domain setting to rk3566-box-demo arm64: dts: rockchip: remove unsupported property from sdmmc2 for rock-3a arm64: dts: rockchip: drop unused LED mode property from rk3328-roc-cc arm64: dts: rockchip: reduce thermal limits on rk3399-pinephone-pro arm64: dts: rockchip: use correct reset names for rk3399 crypto nodes Link: https://lore.kernel.org/r/3514663.mvXUDI8C0e@phil Signed-off-by: Arnd Bergmann commit ce93fdb5f2ca5c9e2a9668411cc39091507f8dc9 Author: Clément Léger Date: Tue Jan 31 11:02:42 2023 +0100 net: phylink: move phy_device_free() to correctly release phy device After calling fwnode_phy_find_device(), the phy device refcount is incremented. Then, when the phy device is attached to a netdev with phy_attach_direct(), the refcount is also incremented but only decremented in the caller if phy_attach_direct() fails. Move phy_device_free() before the "if" to always release it correctly. Indeed, either phy_attach_direct() failed and we don't want to keep a reference to the phydev or it succeeded and a reference has been taken internally. Fixes: 25396f680dd6 ("net: phylink: introduce phylink_fwnode_phy_connect()") Signed-off-by: Clément Léger Signed-off-by: David S. Miller commit d83d7ed260283560700d4034a80baad46620481b Author: Greg Kroah-Hartman Date: Thu Feb 2 16:15:54 2023 +0100 kernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup() When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once. Cc: Thomas Gleixner Cc: stable Reviewed-by: Marc Zyngier Link: https://lore.kernel.org/r/20230202151554.2310273-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 6dfb0771429a63db8561d44147f2bb76f93e1c86 Author: Greg Kroah-Hartman Date: Thu Feb 2 15:09:18 2023 +0100 HV: hv_balloon: fix memory leak with using debugfs_lookup() When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once. Cc: "K. Y. Srinivasan" Cc: Haiyang Zhang Cc: Wei Liu Cc: Dexuan Cui Fixes: d180e0a1be6c ("Drivers: hv: Create debugfs file with hyper-v balloon usage information") Cc: stable Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20230202140918.2289522-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit cb80242cc679d6397e77d8a964deeb3ff218d2b5 Author: Liu Shixin Date: Wed Dec 7 10:50:38 2022 +0800 riscv: stacktrace: Fix missing the first frame When running kfence_test, I found some testcases failed like this: # test_out_of_bounds_read: EXPECTATION FAILED at mm/kfence/kfence_test.c:346 Expected report_matches(&expect) to be true, but is false not ok 1 - test_out_of_bounds_read The corresponding call-trace is: BUG: KFENCE: out-of-bounds read in kunit_try_run_case+0x38/0x84 Out-of-bounds read at 0x(____ptrval____) (32B right of kfence-#10): kunit_try_run_case+0x38/0x84 kunit_generic_run_threadfn_adapter+0x12/0x1e kthread+0xc8/0xde ret_from_exception+0x0/0xc The kfence_test using the first frame of call trace to check whether the testcase is succeed or not. Commit 6a00ef449370 ("riscv: eliminate unreliable __builtin_frame_address(1)") skip first frame for all case, which results the kfence_test failed. Indeed, we only need to skip the first frame for case (task==NULL || task==current). With this patch, the call-trace will be: BUG: KFENCE: out-of-bounds read in test_out_of_bounds_read+0x88/0x19e Out-of-bounds read at 0x(____ptrval____) (1B left of kfence-#7): test_out_of_bounds_read+0x88/0x19e kunit_try_run_case+0x38/0x84 kunit_generic_run_threadfn_adapter+0x12/0x1e kthread+0xc8/0xde ret_from_exception+0x0/0xc Fixes: 6a00ef449370 ("riscv: eliminate unreliable __builtin_frame_address(1)") Signed-off-by: Liu Shixin Tested-by: Samuel Holland Link: https://lore.kernel.org/r/20221207025038.1022045-1-liushixin2@huawei.com Signed-off-by: Palmer Dabbelt commit f1a9e82a1203802df3c917dd7ab1b5a5ded55793 Merge: 74d6c8ea183e7 6fc547a5a2ef5 Author: Dave Airlie Date: Fri Feb 3 13:28:05 2023 +1000 Merge tag 'amd-drm-fixes-6.2-2023-02-01' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.2-2023-02-01: amdgpu: - GC11 fixes - DCN 3.1.4 fixes - NBIO 4.3 fix - DCN 3.2 fixes - Properly handle additional cases where DCN is not supported - SMU13 fixes Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20230202042309.24144-1-alexander.deucher@amd.com commit 74d6c8ea183e73031db635a96f67bc30ae1fc2ee Merge: abf301e14e427 47a2bd9d985bf Author: Dave Airlie Date: Fri Feb 3 12:28:28 2023 +1000 Merge tag 'drm-intel-fixes-2023-02-02' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Fixes for potential use-after-free and double-free (Rob) - GuC locking and refcount fixes (John) - Display's reference clock value fix (Chaitanya) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/Y9u5pHjOYcxzS5Z7@intel.com commit abf301e14e42702c11ab20331aa4d0ab87a777ca Merge: 6d796c50f84ca a3ee9e0b57f8e Author: Dave Airlie Date: Fri Feb 3 11:57:23 2023 +1000 Merge tag 'drm-misc-fixes-2023-02-02' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes A fix for a non-unique CEC adapter name registration in vc4, a regression breaking the display in ssd130x, a signaling bit issue in dma-fence, a couple of fixes in nouveau for Turing and Ampere, and a disable fix for the boe-tv101wum-nl6 panel. Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20230202085724.pz22m7bmei3wyuzp@houat commit 66a87fff1a87c260452f5a57123891ca5258c449 Merge: edb9b8f380c34 69f2c9346313b Author: Linus Torvalds Date: Thu Feb 2 16:44:07 2023 -0800 Merge tag 'ata-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata Pull libata fix from Damien Le Moal: "Fix device probe issues with some combination of adapters & devices that do not report a current link speed, leading to device probe failures if a link speed was not previously reported and saved (me)" * tag 'ata-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata: ata: libata: Fix sata_down_spd_limit() when no link speed is reported commit 707344c8a188bb1d6704d3546229fc7a07c01a63 Author: Lad Prabhakar Date: Mon Jan 30 23:43:35 2023 +0000 dt-bindings: interrupt-controller: arm,gic-v3: Fix typo in description of msi-controller property Fix typo functionnality -> functionality. Signed-off-by: Lad Prabhakar Link: https://lore.kernel.org/r/20230130234335.13952-1-prabhakar.csengg@gmail.com Signed-off-by: Rob Herring commit 08f379d98731a7014ee6987508d1228cb56ce694 Author: Andy Shevchenko Date: Fri Jan 27 17:02:25 2023 +0200 dt-bindings: Fix .gitignore The tracked files should not be ignored. Fixes: 44ec8b20d1e9 ("dt-bindings: Add running yamllint to dt_binding_check") Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20230127150225.18148-1-andriy.shevchenko@linux.intel.com Signed-off-by: Rob Herring commit f6933c01e42d2fc83b9133ed755609e4aac6eadd Author: Mark Brown Date: Sat Jan 28 17:47:50 2023 +0000 of/address: Return an error when no valid dma-ranges are found Commit 7a8b64d17e35 ("of/address: use range parser for of_dma_get_range") converted the parsing of dma-range properties to use code shared with the PCI range parser. The intent was to introduce no functional changes however in the case where we fail to translate the first resource instead of returning -EINVAL the new code we return 0. Restore the previous behaviour by returning an error if we find no valid ranges, the original code only handled the first range but subsequently support for parsing all supplied ranges was added. This avoids confusing code using the parsed ranges which doesn't expect to successfully parse ranges but have only a list terminator returned, this fixes breakage with so far as I can tell all DMA for on SoC devices on the Socionext Synquacer platform which has a firmware supplied DT. A bisect identified the original conversion as triggering the issues there. Fixes: 7a8b64d17e35 ("of/address: use range parser for of_dma_get_range") Signed-off-by: Mark Brown Cc: Luca Di Stefano Cc: 993612@bugs.debian.org Cc: stable@kernel.org Link: https://lore.kernel.org/r/20230126-synquacer-boot-v2-1-cb80fd23c4e2@kernel.org Signed-off-by: Rob Herring commit 241d2fb56a18473af5f2ff0d512992a996eb64dd Author: Michal Suchanek Date: Wed Feb 1 10:22:47 2023 -0600 of: Make OF framebuffer device names unique Since Linux 5.19 this error is observed: sysfs: cannot create duplicate filename '/devices/platform/of-display' This is because multiple devices with the same name 'of-display' are created on the same bus. Update the code to create numbered device names for the displays. Also, fix a node refcounting issue when exiting the boot display loop. cc: linuxppc-dev@lists.ozlabs.org References: https://bugzilla.kernel.org/show_bug.cgi?id=216095 Fixes: 52b1b46c39ae ("of: Create platform devices for OF framebuffers") Reported-by: Erhard F. Suggested-by: Thomas Zimmermann Signed-off-by: Michal Suchanek Link: https://lore.kernel.org/r/20230201162247.3575506-1-robh@kernel.org [robh: Rework to avoid node refcount leaks] Signed-off-by: Rob Herring commit edb9b8f380c3413bf783475279b1a941c7e5cec1 Merge: e7368fd30165c 9983a2c986534 Author: Linus Torvalds Date: Thu Feb 2 14:03:31 2023 -0800 Merge tag 'net-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from bpf, can and netfilter. Current release - regressions: - phy: fix null-deref in phy_attach_direct - mac802154: fix possible double free upon parsing error Previous releases - regressions: - bpf: preserve reg parent/live fields when copying range info, prevent mis-verification of programs as safe - ip6: fix GRE tunnels not generating IPv6 link local addresses - phy: dp83822: fix null-deref on DP83825/DP83826 devices - sctp: do not check hb_timer.expires when resetting hb_timer - eth: mtk_sock: fix SGMII configuration after phylink conversion Previous releases - always broken: - eth: xdp: execute xdp_do_flush() before napi_complete_done() - skb: do not mix page pool and page referenced frags in GRO - bpf: - fix a possible task gone issue with bpf_send_signal[_thread]() - fix an off-by-one bug in bpf_mem_cache_idx() to select the right cache - add missing btf_put to register_btf_id_dtor_kfuncs - sockmap: fon't let sock_map_{close,destroy,unhash} call itself - gso: fix null-deref in skb_segment_list() - mctp: purge receive queues on sk destruction - fix UaF caused by accept on already connected socket in exotic socket families - tls: don't treat list head as an entry in tls_is_tx_ready() - netfilter: br_netfilter: disable sabotage_in hook after first suppression - wwan: t7xx: fix runtime PM implementation Misc: - MAINTAINERS: spring cleanup of networking maintainers" * tag 'net-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (65 commits) mtk_sgmii: enable PCS polling to allow SFP work net: mediatek: sgmii: fix duplex configuration net: mediatek: sgmii: ensure the SGMII PHY is powered down on configuration MAINTAINERS: update SCTP maintainers MAINTAINERS: ipv6: retire Hideaki Yoshifuji mailmap: add John Crispin's entry MAINTAINERS: bonding: move Veaceslav Falico to CREDITS net: openvswitch: fix flow memory leak in ovs_flow_cmd_new net: ethernet: mtk_eth_soc: disable hardware DSA untagging for second MAC virtio-net: Keep stop() to follow mirror sequence of open() selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are provided selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler warning can: mcp251xfd: mcp251xfd_ring_set_ringparam(): assign missing tx_obj_num_coalesce_irq can: isotp: split tx timer into transmission and timeout can: isotp: handle wait_event_interruptible() return values can: raw: fix CAN FD frame transmissions over CAN XL devices can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate hv_netvsc: Fix missed pagebuf entries in netvsc_dma_map/unmap() ... commit 3e46d910d8acf94e5360126593b68bf4fee4c4a1 Author: Shiju Jose Date: Thu Feb 2 18:23:09 2023 +0000 tracing: Fix poll() and select() do not work on per_cpu trace_pipe and trace_pipe_raw poll() and select() on per_cpu trace_pipe and trace_pipe_raw do not work since kernel 6.1-rc6. This issue is seen after the commit 42fb0a1e84ff525ebe560e2baf9451ab69127e2b ("tracing/ring-buffer: Have polling block on watermark"). This issue is firstly detected and reported, when testing the CXL error events in the rasdaemon and also erified using the test application for poll() and select(). This issue occurs for the per_cpu case, when calling the ring_buffer_poll_wait(), in kernel/trace/ring_buffer.c, with the buffer_percent > 0 and then wait until the percentage of pages are available. The default value set for the buffer_percent is 50 in the kernel/trace/trace.c. As a fix, allow userspace application could set buffer_percent as 0 through the buffer_percent_fops, so that the task will wake up as soon as data is added to any of the specific cpu buffer. Link: https://lore.kernel.org/linux-trace-kernel/20230202182309.742-2-shiju.jose@huawei.com Cc: Cc: Cc: Cc: stable@vger.kernel.org Fixes: 42fb0a1e84ff5 ("tracing/ring-buffer: Have polling block on watermark") Signed-off-by: Shiju Jose Signed-off-by: Steven Rostedt (Google) commit e7368fd30165ced757d64da48e2091c83815ce5c Merge: 42c78a5b29c47 254c71374a700 Author: Linus Torvalds Date: Thu Feb 2 13:08:18 2023 -0800 Merge tag 'linux-kselftest-kunit-fixes-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull KUnit fixes from Shuah Khan: "Three fixes to bugs that cause kernel crash, link error during build, and a third to fix kunit_test_init_section_suites() extra indirection issue" * tag 'linux-kselftest-kunit-fixes-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: kunit: fix kunit_test_init_section_suites(...) kunit: fix bug in KUNIT_EXPECT_MEMEQ kunit: Export kunit_running() commit 42c78a5b29c47ad913993bcf845bfc39e2ed8c8b Merge: addfba11b3148 5efb648042a1c Author: Linus Torvalds Date: Thu Feb 2 13:02:45 2023 -0800 Merge tag 'soc-fixes-6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "The majority of bugfixes is once more for the NXP i.MX platform, addressing issue with i.MX8M (UART, watchdog and ethernet) as well as imx8dxl power button and the USB modem on an imx7 board. The reason that i.MX always shows up here is obviously not that they are more buggy than the others, but they have the most boards and are good about getting fixes in quickly. The other DT fixes are for the Nuvoton wpcm450 flash controller and the i2c mux on an ASpeed board. Lastly, there are updates to the MAINTAINERS entries for Mediatek, AMD/Seattle and NXP SoCs, as well as a lone code fix for error handling in the allwinner 'rsb' bus driver" * tag 'soc-fixes-6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: ARM: dts: wpcm450: Add nuvoton,shm = <&shm> to FIU node MAINTAINERS: Update entry for MediaTek SoC support MAINTAINERS: amd: drop inactive Brijesh Singh ARM: dts: imx7d-smegw01: Fix USB host over-current polarity arm64: dts: imx8mm-verdin: Do not power down eth-phy MAINTAINERS: match freescale ARM64 DT directory in i.MX entry arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX ARM: dts: aspeed: Fix pca9849 compatible arm64: dts: freescale: imx8dxl: fix sc_pwrkey's property name linux,keycode arm64: dts: imx8m-venice: Remove incorrect 'uart-has-rtscts' arm64: dts: imx8mm: Reinstate GPIO watchdog always-running property on eDM SBC bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() commit addfba11b314824e3b4fb70448b339dcb21be5bf Merge: 870bb7656ab24 7ab41c2c08a32 Author: Linus Torvalds Date: Thu Feb 2 12:52:47 2023 -0800 Merge tag 's390-6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Heiko Carstens: - With CONFIG_VMAP_STACK enabled it is not possible to load the s390 specific diag288_wdt watchdog module. The reason is that a pointer to a string is passed to an inline assembly; this string however is located on the stack, while the instruction within the inline assembly expects a physicial address. Fix this by copying the string to a kmalloc'ed buffer. - The diag288_wdt watchdog module does not indicate that it accesses memory from an inline assembly, which it does. Add "memory" to the clobber list to prevent the compiler from optimizing code incorrectly away. - Pass size of the uncompressed kernel image to __decompress() call. Otherwise the kernel image decompressor may corrupt/overwrite an initrd. This was reported to happen on s390 after commit 2aa14b1ab2c4 ("zstd: import usptream v1.5.2"). * tag 's390-6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/decompressor: specify __decompress() buf len to avoid overflow watchdog: diag288_wdt: fix __diag288() inline assembly watchdog: diag288_wdt: do not use stack buffers for hardware data commit 870bb7656ab247c000e9627e0da0db7ef8e9cf0c Merge: 9f266ccaa2f52 eecf2acd4a580 Author: Linus Torvalds Date: Thu Feb 2 12:47:08 2023 -0800 Merge tag 'platform-drivers-x86-v6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fixes from Hans de Goede: "A set of AMD PMF fixes + a few other small fixes" * tag 'platform-drivers-x86-v6.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: touchscreen_dmi: Add Chuwi Vi8 (CWI501) DMI match platform/x86: thinkpad_acpi: Fix thinklight LED brightness returning 255 platform/x86/amd: pmc: add CONFIG_SERIO dependency platform/x86/amd/pmf: Ensure mutexes are initialized before use platform/x86/amd/pmf: Fix to update SPS thermals when power supply change platform/x86/amd/pmf: Fix to update SPS default pprof thermals platform/x86/amd/pmf: update to auto-mode limits only after AMT event platform/x86/amd/pmf: Add helper routine to check pprof is balanced platform/x86/amd/pmf: Add helper routine to update SPS thermals commit 9983a2c986534db004b50d95b7fe64bb9b925dca Merge: b0de13d3070bb 3337a6e04ddf2 Author: Jakub Kicinski Date: Thu Feb 2 11:55:55 2023 -0800 Merge branch 'fixes-for-mtk_eth_soc' Bjørn Mork says: ==================== Fix mtk_eth_soc sgmii configuration. This has been tested on a MT7986 with a Maxlinear GPY211C phy permanently attached to the second SoC mac. ==================== Link: https://lore.kernel.org/r/20230201182331.943411-1-bjorn@mork.no Signed-off-by: Jakub Kicinski commit 3337a6e04ddf2923a1bdcf3d31b3b52412bf82dd Author: Alexander Couzens Date: Wed Feb 1 19:23:31 2023 +0100 mtk_sgmii: enable PCS polling to allow SFP work Currently there is no IRQ handling (even the SGMII supports it). Enable polling to support SFP ports. Fixes: 14a44ab0330d ("net: mtk_eth_soc: partially convert to phylink_pcs") Reviewed-by: Russell King (Oracle) Signed-off-by: Alexander Couzens [ bmork: changed "1" => "true" ] Signed-off-by: Bjørn Mork Acked-by: Daniel Golle Tested-by: Daniel Golle Signed-off-by: Jakub Kicinski commit 9d32637122de88f1ef614c29703f0e050cad342e Author: Bjørn Mork Date: Wed Feb 1 19:23:30 2023 +0100 net: mediatek: sgmii: fix duplex configuration The logic of the duplex bit is inverted. Setting it means half duplex, not full duplex. Fix and rename macro to avoid confusion. Fixes: 7e538372694b ("net: ethernet: mediatek: Re-add support SGMII") Reviewed-by: Russell King (Oracle) Signed-off-by: Bjørn Mork Acked-by: Daniel Golle Tested-by: Daniel Golle Signed-off-by: Jakub Kicinski commit 7ff82416de8295c61423ef6fd75f052d3837d2f7 Author: Alexander Couzens Date: Wed Feb 1 19:23:29 2023 +0100 net: mediatek: sgmii: ensure the SGMII PHY is powered down on configuration The code expect the PHY to be in power down which is only true after reset. Allow changes of the SGMII parameters more than once. Only power down when reconfiguring to avoid bouncing the link when there's no reason to - based on code from Russell King. There are cases when the SGMII_PHYA_PWD register contains 0x9 which prevents SGMII from working. The SGMII still shows link but no traffic can flow. Writing 0x0 to the PHYA_PWD register fix the issue. 0x0 was taken from a good working state of the SGMII interface. Fixes: 42c03844e93d ("net-next: mediatek: add support for MediaTek MT7622 SoC") Suggested-by: Russell King (Oracle) Signed-off-by: Alexander Couzens [ bmork: rebased and squashed into one patch ] Reviewed-by: Russell King (Oracle) Signed-off-by: Bjørn Mork Acked-by: Daniel Golle Tested-by: Daniel Golle Signed-off-by: Jakub Kicinski commit b0de13d3070bb1daab6e0d9410309fa5fa9d6295 Merge: 4b6e135e6bee0 1613fff7a32e1 Author: Jakub Kicinski Date: Thu Feb 2 11:51:24 2023 -0800 Merge tag 'linux-can-fixes-for-6.2-20230202' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== can 2023-02-02 The first patch is by Ziyang Xuan and removes a errant WARN_ON_ONCE() in the CAN J1939 protocol. The next 3 patches are by Oliver Hartkopp. The first 2 target the CAN ISO-TP protocol and fix the state machine with respect to signals and a regression found by the syzbot. The last patch is by me an missing assignment during the ethtool ring configuration callback. * tag 'linux-can-fixes-for-6.2-20230202' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can: can: mcp251xfd: mcp251xfd_ring_set_ringparam(): assign missing tx_obj_num_coalesce_irq can: isotp: split tx timer into transmission and timeout can: isotp: handle wait_event_interruptible() return values can: raw: fix CAN FD frame transmissions over CAN XL devices can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate ==================== Link: https://lore.kernel.org/r/20230202094135.2293939-1-mkl@pengutronix.de Signed-off-by: Jakub Kicinski commit 4b6e135e6bee02e29d27911ba0b9a045c9e489e8 Merge: 0c598aed445eb cd101f40a419f Author: Jakub Kicinski Date: Thu Feb 2 11:35:35 2023 -0800 Merge branch 'maintainers-spring-refresh-of-networking-maintainers' Jakub Kicinski says: ==================== MAINTAINERS: spring refresh of networking maintainers Use Jon Corbet's script for generating statistics about maintainer coverage to identify inactive maintainers of relatively active code. Move them to CREDITS. ==================== Link: https://lore.kernel.org/r/20230201182014.2362044-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit cd101f40a419f72d54b517bc51ca710bc5b07d55 Author: Jakub Kicinski Date: Wed Feb 1 10:20:14 2023 -0800 MAINTAINERS: update SCTP maintainers Vlad has stepped away from SCTP related duties. Move him to CREDITS and add Xin Long. Subsystem SCTP PROTOCOL Changes 237 / 629 (37%) Last activity: 2022-12-12 Vlad Yasevich : Neil Horman : Author 20a785aa52c8 2020-05-19 00:00:00 4 Tags 20a785aa52c8 2020-05-19 00:00:00 84 Marcelo Ricardo Leitner : Author 557fb5862c92 2021-07-28 00:00:00 41 Tags da05cecc4939 2022-12-12 00:00:00 197 Top reviewers: [15]: lucien.xin@gmail.com INACTIVE MAINTAINER Vlad Yasevich Acked-by: Marcelo Ricardo Leitner Signed-off-by: Jakub Kicinski commit c71a70c267eb40455489c0df10ca986e3969b007 Author: Jakub Kicinski Date: Wed Feb 1 10:20:13 2023 -0800 MAINTAINERS: ipv6: retire Hideaki Yoshifuji We very rarely hear from Hideaki Yoshifuji and the IPv4/IPv6 entry covers a lot of code. Asking people to CC someone who rarely responds feels wrong. Note that Hideaki Yoshifuji already has an entry in CREDITS for IPv6 so not adding another one. Cc: Hideaki YOSHIFUJI Signed-off-by: Jakub Kicinski commit a35965625649b5b65153d51aed466c4b3008ce2e Author: Jakub Kicinski Date: Wed Feb 1 10:20:12 2023 -0800 mailmap: add John Crispin's entry John has not been CCed on some of the fixes which perhaps resulted in the lack of review tags: Subsystem MEDIATEK ETHERNET DRIVER Changes 50 / 295 (16%) Last activity: 2023-01-17 Felix Fietkau : Author 8bd8dcc5e47f 2022-11-18 00:00:00 33 Tags 8bd8dcc5e47f 2022-11-18 00:00:00 38 John Crispin : Sean Wang : Author 880c2d4b2fdf 2019-06-03 00:00:00 7 Tags a5d75538295b 2020-04-07 00:00:00 10 Mark Lee : Author 8d66a8183d0c 2019-11-14 00:00:00 4 Tags 8d66a8183d0c 2019-11-14 00:00:00 4 Lorenzo Bianconi : Author 08a764a7c51b 2023-01-17 00:00:00 68 Tags 08a764a7c51b 2023-01-17 00:00:00 74 Top reviewers: [12]: leonro@nvidia.com [6]: f.fainelli@gmail.com [6]: andrew@lunn.ch INACTIVE MAINTAINER John Crispin map his old address to the up to date one. Acked-by: John Crispin Signed-off-by: Jakub Kicinski commit 57b24f8c30a0bdbe851f4a181d9c9c29f077e0a2 Author: Jakub Kicinski Date: Wed Feb 1 10:20:11 2023 -0800 MAINTAINERS: bonding: move Veaceslav Falico to CREDITS Veaceslav has stepped away from netdev: Subsystem BONDING DRIVER Changes 96 / 319 (30%) Last activity: 2022-12-01 Jay Vosburgh : Author 4f5d33f4f798 2022-08-11 00:00:00 3 Tags e5214f363dab 2022-12-01 00:00:00 48 Veaceslav Falico : Andy Gospodarek : Tags 47f706262f1d 2019-02-24 00:00:00 4 Top reviewers: [42]: jay.vosburgh@canonical.com [18]: jiri@nvidia.com [10]: jtoppins@redhat.com INACTIVE MAINTAINER Veaceslav Falico Signed-off-by: Jakub Kicinski commit 0c598aed445eb45b0ee7ba405f7ece99ee349c30 Author: Fedor Pchelkin Date: Thu Feb 2 00:02:18 2023 +0300 net: openvswitch: fix flow memory leak in ovs_flow_cmd_new Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is not freed when an allocation of a key fails. BUG: memory leak unreferenced object 0xffff888116668000 (size 632): comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline] [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77 [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957 [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739 [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800 [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515 [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339 [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934 [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline] [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671 [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356 [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410 [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 [<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 To fix this the patch rearranges the goto labels to reflect the order of object allocations and adds appropriate goto statements on the error paths. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 68bb10101e6b ("openvswitch: Fix flow lookup to use unmasked key") Signed-off-by: Fedor Pchelkin Signed-off-by: Alexey Khoroshilov Acked-by: Eelco Chaudron Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20230201210218.361970-1-pchelkin@ispras.ru Signed-off-by: Jakub Kicinski commit a1f47752fd6275b2502fb075945022d6cf264855 Author: Arınç ÜNAL Date: Sat Jan 28 12:42:32 2023 +0300 net: ethernet: mtk_eth_soc: disable hardware DSA untagging for second MAC According to my tests on MT7621AT and MT7623NI SoCs, hardware DSA untagging won't work on the second MAC. Therefore, disable this feature when the second MAC of the MT7621 and MT7623 SoCs is being used. Fixes: 2d7605a72906 ("net: ethernet: mtk_eth_soc: enable hardware DSA untagging") Link: https://lore.kernel.org/netdev/6249fc14-b38a-c770-36b4-5af6d41c21d3@arinc9.com/ Tested-by: Arınç ÜNAL Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20230128094232.2451947-1-arinc.unal@arinc9.com Signed-off-by: Jakub Kicinski commit 63b114042d8a9c02d9939889177c36dbdb17a588 Author: Parav Pandit Date: Thu Feb 2 18:35:16 2023 +0200 virtio-net: Keep stop() to follow mirror sequence of open() Cited commit in fixes tag frees rxq xdp info while RQ NAPI is still enabled and packet processing may be ongoing. Follow the mirror sequence of open() in the stop() callback. This ensures that when rxq info is unregistered, no rx packet processing is ongoing. Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info") Acked-by: Michael S. Tsirkin Reviewed-by: Jiri Pirko Signed-off-by: Parav Pandit Link: https://lore.kernel.org/r/20230202163516.12559-1-parav@nvidia.com Signed-off-by: Jakub Kicinski commit e02bbac74cdde25f71a80978f5daa1d8a0aa6fc3 Merge: 0416f3be58c6b bd97a59da6a86 Author: Jens Axboe Date: Thu Feb 2 11:02:12 2023 -0700 Merge tag 'nvme-6.2-2023-02-02' of git://git.infradead.org/nvme into block-6.2 Pul NVMe fixes from Christoph: "nvme fixes for Linux 6.2 - fix a missing queue put in nvmet_fc_ls_create_association (Amit Engel) - clear queue pointers on tag_set initialization failure (Maurizio Lombardi) - use workqueue dedicated to authentication (Shin'ichiro Kawasaki)" * tag 'nvme-6.2-2023-02-02' of git://git.infradead.org/nvme: nvme-auth: use workqueue dedicated to authentication nvme: clear the request_queue pointers on failure in nvme_alloc_io_tag_set nvme: clear the request_queue pointers on failure in nvme_alloc_admin_tag_set nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association commit 636ab417a7aec4ee993916e688eb5c5977570836 Author: Ard Biesheuvel Date: Thu Feb 2 18:30:06 2023 +0100 efi: Accept version 2 of memory attributes table UEFI v2.10 introduces version 2 of the memory attributes table, which turns the reserved field into a flags field, but is compatible with version 1 in all other respects. So let's not complain about version 2 if we encounter it. Cc: Signed-off-by: Ard Biesheuvel commit 2e7c6652f9b86c01cbd4e988057a746a3a461969 Author: V sujith kumar Reddy Date: Fri Feb 3 18:02:52 2023 +0530 ASoC: SOF: amd: Fix for handling spurious interrupts from DSP As interrupts are Level-triggered,unless and until we deassert the register the interrupts are generated which causes spurious interrupts unhandled. Now we deasserted the interrupt at top half which solved the below "nobody cared" warning. warning reported in dmesg: irq 80: nobody cared (try booting with the "irqpoll" option) CPU: 5 PID: 2735 Comm: irq/80-AudioDSP Not tainted 5.15.86-15817-g4c19f3e06d49 #1 1bd3fd932cf58caacc95b0504d6ea1e3eab22289 Hardware name: Google Skyrim/Skyrim, BIOS Google_Skyrim.15303.0.0 01/03/2023 Call Trace: dump_stack_lvl+0x69/0x97 __report_bad_irq+0x3a/0xae note_interrupt+0x1a9/0x1e3 handle_irq_event_percpu+0x4b/0x6e handle_irq_event+0x36/0x5b handle_fasteoi_irq+0xae/0x171 __common_interrupt+0x48/0xc4 handlers: acp_irq_handler [snd_sof_amd_acp] threaded [<000000007e089f34>] acp_irq_thread [snd_sof_amd_acp] Disabling IRQ #80 Signed-off-by: V sujith kumar Reddy Link: https://lore.kernel.org/r/20230203123254.1898794-1-Vsujithkumar.Reddy@amd.com Signed-off-by: Mark Brown commit a68e564adcaa69b0930809fb64d9d5f7d9c32ba9 Author: Xiubo Li Date: Wed Feb 1 09:36:45 2023 +0800 ceph: blocklist the kclient when receiving corrupted snap trace When received corrupted snap trace we don't know what exactly has happened in MDS side. And we shouldn't continue IOs and metadatas access to MDS, which may corrupt or get incorrect contents. This patch will just block all the further IO/MDS requests immediately and then evict the kclient itself. The reason why we still need to evict the kclient just after blocking all the further IOs is that the MDS could revoke the caps faster. Link: https://tracker.ceph.com/issues/57686 Signed-off-by: Xiubo Li Reviewed-by: Venky Shankar Signed-off-by: Ilya Dryomov commit b38b17b6a01ca4e738af097a1529910646ef4270 Author: Xiubo Li Date: Wed Feb 1 09:36:44 2023 +0800 ceph: move mount state enum to super.h These flags are only used in ceph filesystem in fs/ceph, so just move it to the place it should be. Signed-off-by: Xiubo Li Reviewed-by: Venky Shankar Signed-off-by: Ilya Dryomov commit 329c9cd769c2e306957df031efff656c40922c76 Author: Andrei Gherzan Date: Wed Feb 1 00:16:16 2023 +0000 selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking The test tool can check that the zerocopy number of completions value is valid taking into consideration the number of datagram send calls. This can catch the system into a state where the datagrams are still in the system (for example in a qdisk, waiting for the network interface to return a completion notification, etc). This change adds a retry logic of computing the number of completions up to a configurable (via CLI) timeout (default: 2 seconds). Fixes: 79ebc3c26010 ("net/udpgso_bench_tx: options to exercise TX CMSG") Signed-off-by: Andrei Gherzan Cc: Willem de Bruijn Cc: Paolo Abeni Reviewed-by: Willem de Bruijn Link: https://lore.kernel.org/r/20230201001612.515730-4-andrei.gherzan@canonical.com Signed-off-by: Paolo Abeni commit dafe93b9ee21028d625dce347118b82659652eff Author: Andrei Gherzan Date: Wed Feb 1 00:16:14 2023 +0000 selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs "udpgro_bench.sh" invokes udpgso_bench_rx/udpgso_bench_tx programs subsequently and while doing so, there is a chance that the rx one is not ready to accept socket connections. This racing bug could fail the test with at least one of the following: ./udpgso_bench_tx: connect: Connection refused ./udpgso_bench_tx: sendmsg: Connection refused ./udpgso_bench_tx: write: Connection refused This change addresses this by making udpgro_bench.sh wait for the rx program to be ready before firing off the tx one - up to a 10s timeout. Fixes: 3a687bef148d ("selftests: udp gso benchmark") Signed-off-by: Andrei Gherzan Cc: Paolo Abeni Cc: Willem de Bruijn Reviewed-by: Willem de Bruijn Link: https://lore.kernel.org/r/20230201001612.515730-3-andrei.gherzan@canonical.com Signed-off-by: Paolo Abeni commit db9b47ee9f5f375ab0c5daeb20321c75b4fa657d Author: Andrei Gherzan Date: Wed Feb 1 00:16:12 2023 +0000 selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are provided Leaving unrecognized arguments buried in the output, can easily hide a CLI/script typo. Avoid this by exiting when wrong arguments are provided to the udpgso_bench test programs. Fixes: 3a687bef148d ("selftests: udp gso benchmark") Signed-off-by: Andrei Gherzan Cc: Willem de Bruijn Reviewed-by: Willem de Bruijn Link: https://lore.kernel.org/r/20230201001612.515730-2-andrei.gherzan@canonical.com Signed-off-by: Paolo Abeni commit c03c80e3a03ffb4f790901d60797e9810539d946 Author: Andrei Gherzan Date: Wed Feb 1 00:16:10 2023 +0000 selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler warning This change fixes the following compiler warning: /usr/include/x86_64-linux-gnu/bits/error.h:40:5: warning: ‘gso_size’ may be used uninitialized [-Wmaybe-uninitialized] 40 | __error_noreturn (__status, __errnum, __format, __va_arg_pack ()); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ udpgso_bench_rx.c: In function ‘main’: udpgso_bench_rx.c:253:23: note: ‘gso_size’ was declared here 253 | int ret, len, gso_size, budget = 256; Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO") Signed-off-by: Andrei Gherzan Reviewed-by: Willem de Bruijn Link: https://lore.kernel.org/r/20230201001612.515730-1-andrei.gherzan@canonical.com Signed-off-by: Paolo Abeni commit 69f2c9346313ba3d3dfa4091ff99df26c67c9021 Author: Damien Le Moal Date: Mon Jan 30 12:27:41 2023 +0900 ata: libata: Fix sata_down_spd_limit() when no link speed is reported Commit 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if driver has not recorded sstatus speed") changed the behavior of sata_down_spd_limit() to return doing nothing if a drive does not report a current link speed, to avoid reducing the link speed to the lowest 1.5 Gbps speed. However, the change assumed that a speed was recorded before probing (e.g. before a suspend/resume) and set in link->sata_spd. This causes problems with adapters/drives combination failing to establish a link speed during probe autonegotiation. One example reported of this problem is an mvebu adapter with a 3Gbps port-multiplier box: autonegotiation fails, leaving no recorded link speed and no reported current link speed. Probe retries also fail as no action is taken by sata_set_spd() after each retry. Fix this by returning early in sata_down_spd_limit() only if we do have a recorded link speed, that is, if link->sata_spd is not 0. With this fix, a failed probe not leading to a recorded link speed is retried at the lower 1.5 Gbps speed, with the link speed potentially increased later on the second revalidate of the device if the device reports that it supports higher link speeds. Reported-by: Marius Dinu Fixes: 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if driver has not recorded sstatus speed") Reviewed-by: Niklas Cassel Tested-by: Marius Dinu Signed-off-by: Damien Le Moal commit eecf2acd4a580e9364e5087daf0effca60a240b7 Author: Hans de Goede Date: Thu Feb 2 11:34:13 2023 +0100 platform/x86: touchscreen_dmi: Add Chuwi Vi8 (CWI501) DMI match Add a DMI match for the CWI501 version of the Chuwi Vi8 tablet, pointing to the same chuwi_vi8_data as the existing CWI506 version DMI match. Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230202103413.331459-1-hdegoede@redhat.com commit e33416fca8a2313b8650bd5807aaf34354d39a4c Author: Michael Ellerman Date: Thu Feb 2 21:27:35 2023 +1100 powerpc: Don't select ARCH_WANTS_NO_INSTR Commit 41b7a347bf14 ("powerpc: Book3S 64-bit outline-only KASAN support") added a select of ARCH_WANTS_NO_INSTR, because it also added some uses of noinstr. However noinstr is always defined, regardless of ARCH_WANTS_NO_INSTR, so there's no need to select it just for that. As PeterZ says [1]: Note that by selecting ARCH_WANTS_NO_INSTR you effectively state to abide by its rules. As of now the powerpc code does not abide by those rules, and trips some new warnings added by Peter in linux-next. So until the code can be fixed to avoid those warnings, disable ARCH_WANTS_NO_INSTR. Note that ARCH_WANTS_NO_INSTR is also used to gate building KCOV and parts of KCSAN. However none of the noinstr annotations in powerpc were added for KCOV or KCSAN, instead instrumentation is blocked at the file level using KCOV_INSTRUMENT_foo.o := n. [1]: https://lore.kernel.org/linuxppc-dev/Y9t6yoafrO5YqVgM@hirez.programming.kicks-ass.net Reported-by: Sachin Sant Suggested-by: Peter Zijlstra Signed-off-by: Michael Ellerman commit f82060da749c611ed427523b6d1605d87338aac1 Author: Heikki Krogerus Date: Tue Jan 31 16:15:18 2023 +0200 usb: typec: ucsi: Don't attempt to resume the ports before they exist This will fix null pointer dereference that was caused by the driver attempting to resume ports that were not yet registered. Fixes: e0dced9c7d47 ("usb: typec: ucsi: Resume in separate work") Cc: Link: https://bugzilla.kernel.org/show_bug.cgi?id=216697 Signed-off-by: Heikki Krogerus Link: https://lore.kernel.org/r/20230131141518.78215-1-heikki.krogerus@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 1613fff7a32e1d9e2ac09db73feba0e71a188445 Author: Marc Kleine-Budde Date: Mon Jan 23 09:03:42 2023 +0100 can: mcp251xfd: mcp251xfd_ring_set_ringparam(): assign missing tx_obj_num_coalesce_irq If the a new ring layout is set, the max coalesced frames for RX and TX are re-calculated, too. Add the missing assignment of the newly calculated TX max coalesced frames. Fixes: 656fc12ddaf8 ("can: mcp251xfd: add TX IRQ coalescing ethtool support") Link: https://lore.kernel.org/all/20230130154334.1578518-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde commit 4f027cba8216f42a18b544842efab134f8b1f9f4 Author: Oliver Hartkopp Date: Wed Jan 4 15:57:01 2023 +0100 can: isotp: split tx timer into transmission and timeout The timer for the transmission of isotp PDUs formerly had two functions: 1. send two consecutive frames with a given time gap 2. monitor the timeouts for flow control frames and the echo frames This led to larger txstate checks and potentially to a problem discovered by syzbot which enabled the panic_on_warn feature while testing. The former 'txtimer' function is split into 'txfrtimer' and 'txtimer' to handle the two above functionalities with separate timer callbacks. The two simplified timers now run in one-shot mode and make the state transitions (especially with isotp_rcv_echo) better understandable. Fixes: 866337865f37 ("can: isotp: fix tx state handling for echo tx processing") Reported-by: syzbot+5aed6c3aaba661f5b917@syzkaller.appspotmail.com Cc: stable@vger.kernel.org # >= v6.0 Signed-off-by: Oliver Hartkopp Link: https://lore.kernel.org/all/20230104145701.2422-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde commit 823b2e42720f96f277940c37ea438b7c5ead51a4 Author: Oliver Hartkopp Date: Thu Jan 12 20:23:47 2023 +0100 can: isotp: handle wait_event_interruptible() return values When wait_event_interruptible() has been interrupted by a signal the tx.state value might not be ISOTP_IDLE. Force the state machines into idle state to inhibit the timer handlers to continue working. Fixes: 866337865f37 ("can: isotp: fix tx state handling for echo tx processing") Cc: stable@vger.kernel.org Signed-off-by: Oliver Hartkopp Link: https://lore.kernel.org/all/20230112192347.1944-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde commit 3793301cbaa4a62d83e21f685307da7671f812ab Author: Oliver Hartkopp Date: Tue Jan 31 11:56:13 2023 +0100 can: raw: fix CAN FD frame transmissions over CAN XL devices A CAN XL device is always capable to process CAN FD frames. The former check when sending CAN FD frames relied on the existence of a CAN FD device and did not check for a CAN XL device that would be correct too. With this patch the CAN FD feature is enabled automatically when CAN XL is switched on - and CAN FD cannot be switch off while CAN XL is enabled. This precondition also leads to a clean up and reduction of checks in the hot path in raw_rcv() and raw_sendmsg(). Some conditions are reordered to handle simple checks first. changes since v1: https://lore.kernel.org/all/20230131091012.50553-1-socketcan@hartkopp.net - fixed typo: devive -> device changes since v2: https://lore.kernel.org/all/20230131091824.51026-1-socketcan@hartkopp.net/ - reorder checks in if statements to handle simple checks first Fixes: 626332696d75 ("can: raw: add CAN XL support") Signed-off-by: Oliver Hartkopp Link: https://lore.kernel.org/all/20230131105613.55228-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde commit d0553680f94c49bbe0e39eb50d033ba563b4212d Author: Ziyang Xuan Date: Mon Sep 6 17:42:00 2021 +0800 can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate The conclusion "j1939_session_deactivate() should be called with a session ref-count of at least 2" is incorrect. In some concurrent scenarios, j1939_session_deactivate can be called with the session ref-count less than 2. But there is not any problem because it will check the session active state before session putting in j1939_session_deactivate_locked(). Here is the concurrent scenario of the problem reported by syzbot and my reproduction log. cpu0 cpu1 j1939_xtp_rx_eoma j1939_xtp_rx_abort_one j1939_session_get_by_addr [kref == 2] j1939_session_get_by_addr [kref == 3] j1939_session_deactivate [kref == 2] j1939_session_put [kref == 1] j1939_session_completed j1939_session_deactivate WARN_ON_ONCE(kref < 2) ===================================================== WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70 CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 RIP: 0010:j1939_session_deactivate+0x5f/0x70 Call Trace: j1939_session_deactivate_activate_next+0x11/0x28 j1939_xtp_rx_eoma+0x12a/0x180 j1939_tp_recv+0x4a2/0x510 j1939_can_recv+0x226/0x380 can_rcv_filter+0xf8/0x220 can_receive+0x102/0x220 ? process_backlog+0xf0/0x2c0 can_rcv+0x53/0xf0 __netif_receive_skb_one_core+0x67/0x90 ? process_backlog+0x97/0x2c0 __netif_receive_skb+0x22/0x80 Fixes: 0c71437dd50d ("can: j1939: j1939_session_deactivate(): clarify lifetime of session object") Reported-by: syzbot+9981a614060dcee6eeca@syzkaller.appspotmail.com Signed-off-by: Ziyang Xuan Acked-by: Oleksij Rempel Link: https://lore.kernel.org/all/20210906094200.95868-1-william.xuanziyang@huawei.com Signed-off-by: Marc Kleine-Budde commit 30d09b3131f5b1b9d54ad9b7ee171a45e21362b3 Author: Aaro Koskinen Date: Thu Feb 2 00:01:25 2023 +0200 usb: gadget: udc: do not clear gadget driver.bus Before the commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget driver.bus was unused. For whatever reason, many UDC drivers set this field explicitly to NULL in udc_start(). With the newly added gadget bus, doing this will crash the driver during the attach. The problem was first reported, fixed and tested with OMAP UDC and g_ether. Other drivers are changed based on code analysis only. Fixes: fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") Cc: stable Signed-off-by: Aaro Koskinen Acked-by: Alan Stern Link: https://lore.kernel.org/r/20230201220125.GD2415@darkstar.musicnaut.iki.fi Signed-off-by: Greg Kroah-Hartman commit 99f1c46011cc0feb47d4f4f7bee70a0341442d14 Author: Michael Kelley Date: Mon Jan 30 19:33:06 2023 -0800 hv_netvsc: Fix missed pagebuf entries in netvsc_dma_map/unmap() netvsc_dma_map() and netvsc_dma_unmap() currently check the cp_partial flag and adjust the page_count so that pagebuf entries for the RNDIS portion of the message are skipped when it has already been copied into a send buffer. But this adjustment has already been made by code in netvsc_send(). The duplicate adjustment causes some pagebuf entries to not be mapped. In a normal VM, this doesn't break anything because the mapping doesn’t change the PFN. But in a Confidential VM, dma_map_single() does bounce buffering and provides a different PFN. Failing to do the mapping causes the wrong PFN to be passed to Hyper-V, and various errors ensue. Fix this by removing the duplicate adjustment in netvsc_dma_map() and netvsc_dma_unmap(). Fixes: 846da38de0e8 ("net: netvsc: Add Isolation VM support for netvsc driver") Cc: stable@vger.kernel.org Signed-off-by: Michael Kelley Reviewed-by: Haiyang Zhang Link: https://lore.kernel.org/r/1675135986-254490-1-git-send-email-mikelley@microsoft.com Signed-off-by: Paolo Abeni commit 917d5e04d4dd2bbbf36fc6976ba442e284ccc42d Author: Ratheesh Kannoth Date: Tue Jan 31 11:46:59 2023 +0530 octeontx2-af: Fix devlink unregister Exact match feature is only available in CN10K-B. Unregister exact match devlink entry only for this silicon variant. Fixes: 87e4ea29b030 ("octeontx2-af: Debugsfs support for exact match.") Signed-off-by: Ratheesh Kannoth Reviewed-by: Leon Romanovsky Link: https://lore.kernel.org/r/20230131061659.1025137-1-rkannoth@marvell.com Signed-off-by: Jakub Kicinski commit a2df8463e15c10a8a882090f3d7a760fdb7b189d Author: Tom Rix Date: Tue Jan 31 13:54:37 2023 -0800 igc: return an error if the mac type is unknown in igc_ptp_systim_to_hwtstamp() clang static analysis reports drivers/net/ethernet/intel/igc/igc_ptp.c:673:3: warning: The left operand of '+' is a garbage value [core.UndefinedBinaryOperatorResult] ktime_add_ns(shhwtstamps.hwtstamp, adjust); ^ ~~~~~~~~~~~~~~~~~~~~ igc_ptp_systim_to_hwtstamp() silently returns without setting the hwtstamp if the mac type is unknown. This should be treated as an error. Fixes: 81b055205e8b ("igc: Add support for RX timestamping") Signed-off-by: Tom Rix Reviewed-by: Simon Horman Acked-by: Sasha Neftin Tested-by: Naama Meir Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20230131215437.1528994-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit f0293cd1f4fcc4fbdcd65a5a7b3b318a6d471f78 Author: Mayuresh Chitale Date: Mon Jan 30 13:18:15 2023 +0530 riscv: mm: Implement pmdp_collapse_flush for THP When THP is enabled, 4K pages are collapsed into a single huge page using the generic pmdp_collapse_flush() which will further use flush_tlb_range() to shoot-down stale TLB entries. Unfortunately, the generic pmdp_collapse_flush() only invalidates cached leaf PTEs using address specific SFENCEs which results in repetitive (or unpredictable) page faults on RISC-V implementations which cache non-leaf PTEs. Provide a RISC-V specific pmdp_collapse_flush() which ensures both cached leaf and non-leaf PTEs are invalidated by using non-address specific SFENCEs as recommended by the RISC-V privileged specification. Fixes: e88b333142e4 ("riscv: mm: add THP support on 64-bit") Signed-off-by: Mayuresh Chitale Link: https://lore.kernel.org/r/20230130074815.1694055-1-mchitale@ventanamicro.com Signed-off-by: Palmer Dabbelt commit 2f394c0e7d1129a35156e492bc8f445fb20f43ac Author: Andreas Schwab Date: Wed Feb 1 10:29:45 2023 +0100 riscv: disable generation of unwind tables GCC 13 will enable -fasynchronous-unwind-tables by default on riscv. In the kernel, we don't have any use for unwind tables yet, so disable them. More importantly, the .eh_frame section brings relocations (R_RISC_32_PCREL, R_RISCV_SET{6,8,16}, R_RISCV_SUB{6,8,16}) into modules that we are not prepared to handle. Signed-off-by: Andreas Schwab Link: https://lore.kernel.org/r/mvmzg9xybqu.fsf@suse.de Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit 87f48c7ccc73afc78630530d9af51f458f58cab8 Author: Guo Ren Date: Tue Jan 31 23:06:04 2023 -0500 riscv: kprobe: Fixup kernel panic when probing an illegal position The kernel would panic when probed for an illegal position. eg: (CONFIG_RISCV_ISA_C=n) echo 'p:hello kernel_clone+0x16 a0=%a0' >> kprobe_events echo 1 > events/kprobes/hello/enable cat trace Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 CPU: 0 PID: 111 Comm: sh Not tainted 6.2.0-rc1-00027-g2d398fe49a4d #490 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x38/0x48 [] show_stack+0x50/0x68 [] dump_stack_lvl+0x60/0x84 [] dump_stack+0x20/0x30 [] panic+0x160/0x374 [] generic_handle_arch_irq+0x0/0xa8 [] sys_newstat+0x0/0x30 [] sys_clone+0x20/0x30 [] ret_from_syscall+0x0/0x4 ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 ]--- That is because the kprobe's ebreak instruction broke the kernel's original code. The user should guarantee the correction of the probe position, but it couldn't make the kernel panic. This patch adds arch_check_kprobe in arch_prepare_kprobe to prevent an illegal position (Such as the middle of an instruction). Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported") Signed-off-by: Guo Ren Signed-off-by: Guo Ren Reviewed-by: Björn Töpel Link: https://lore.kernel.org/r/20230201040604.3390509-1-guoren@kernel.org Signed-off-by: Palmer Dabbelt commit 9c6b9cbafdc010b38f4077c8252654381eb46028 Author: Yanguo Li Date: Tue Jan 31 09:03:13 2023 +0100 nfp: flower: avoid taking mutex in atomic context A mutex may sleep, which is not permitted in atomic context. Avoid a case where this may arise by moving the to nfp_flower_lag_get_info_from_netdev() in nfp_tun_write_neigh() spinlock. Fixes: abc210952af7 ("nfp: flower: tunnel neigh support bond offload") Reported-by: Dan Carpenter Signed-off-by: Yanguo Li Signed-off-by: Simon Horman Link: https://lore.kernel.org/r/20230131080313.2076060-1-simon.horman@corigine.com Signed-off-by: Jakub Kicinski commit cca6e9ff22f79e37da3d73f60c38a84d8ed0c162 Merge: 64466c407a73e 30e2291f61f93 Author: Jakub Kicinski Date: Wed Feb 1 19:52:35 2023 -0800 Merge branch 'ip-ip6_gre-fix-gre-tunnels-not-generating-ipv6-link-local-addresses' Thomas Winter says: ==================== ip/ip6_gre: Fix GRE tunnels not generating IPv6 link local addresses For our point-to-point GRE tunnels, they have IN6_ADDR_GEN_MODE_NONE when they are created then we set IN6_ADDR_GEN_MODE_EUI64 when they come up to generate the IPv6 link local address for the interface. Recently we found that they were no longer generating IPv6 addresses. Also, non-point-to-point tunnels were not generating any IPv6 link local address and instead generating an IPv6 compat address, breaking IPv6 communication on the tunnel. These failures were caused by commit e5dd729460ca and this patch set aims to resolve these issues. ==================== Link: https://lore.kernel.org/r/20230131034646.237671-1-Thomas.Winter@alliedtelesis.co.nz Signed-off-by: Jakub Kicinski commit 30e2291f61f93f7132c060190f8360df52644ec1 Author: Thomas Winter Date: Tue Jan 31 16:46:46 2023 +1300 ip/ip6_gre: Fix non-point-to-point tunnel not generating IPv6 link local address We recently found that our non-point-to-point tunnels were not generating any IPv6 link local address and instead generating an IPv6 compat address, breaking IPv6 communication on the tunnel. Previously, addrconf_gre_config always would call addrconf_addr_gen and generate a EUI64 link local address for the tunnel. Then commit e5dd729460ca changed the code path so that add_v4_addrs is called but this only generates a compat IPv6 address for non-point-to-point tunnels. I assume the compat address is specifically for SIT tunnels so have kept that only for SIT - GRE tunnels now always generate link local addresses. Fixes: e5dd729460ca ("ip/ip6_gre: use the same logic as SIT interfaces when computing v6LL address") Signed-off-by: Thomas Winter Signed-off-by: Jakub Kicinski commit 23ca0c2c93406bdb1150659e720bda1cec1fad04 Author: Thomas Winter Date: Tue Jan 31 16:46:45 2023 +1300 ip/ip6_gre: Fix changing addr gen mode not generating IPv6 link local address For our point-to-point GRE tunnels, they have IN6_ADDR_GEN_MODE_NONE when they are created then we set IN6_ADDR_GEN_MODE_EUI64 when they come up to generate the IPv6 link local address for the interface. Recently we found that they were no longer generating IPv6 addresses. This issue would also have affected SIT tunnels. Commit e5dd729460ca changed the code path so that GRE tunnels generate an IPv6 address based on the tunnel source address. It also changed the code path so GRE tunnels don't call addrconf_addr_gen in addrconf_dev_config which is called by addrconf_sysctl_addr_gen_mode when the IN6_ADDR_GEN_MODE is changed. This patch aims to fix this issue by moving the code in addrconf_notify which calls the addr gen for GRE and SIT into a separate function and calling it in the places that expect the IPv6 address to be generated. The previous addrconf_dev_config is renamed to addrconf_eth_config since it only expected eth type interfaces and follows the addrconf_gre/sit_config format. A part of this changes means that the loopback address will be attempted to be configured when changing addr_gen_mode for lo. This should not be a problem because the address should exist anyway and if does already exist then no error is produced. Fixes: e5dd729460ca ("ip/ip6_gre: use the same logic as SIT interfaces when computing v6LL address") Signed-off-by: Thomas Winter Reviewed-by: David Ahern Signed-off-by: Jakub Kicinski commit 6fc547a5a2ef5ce05b16924106663ab92f8f87a7 Author: Alex Deucher Date: Wed Jan 25 14:35:16 2023 -0500 drm/amd/display: Properly handle additional cases where DCN is not supported There could be boards with DCN listed in IP discovery, but no display hardware actually wired up. In this case the vbios display table will not be populated. Detect this case and skip loading DM when we detect it. v2: Mark DCN as harvested as well so other display checks elsewhere in the driver are handled properly. Cc: Aurabindo Pillai Reviewed-by: Aurabindo Pillai Signed-off-by: Alex Deucher commit ac7170082c0e140663f0853d3de733a5341ce7b0 Author: Yiqing Yao Date: Tue Jan 31 16:02:47 2023 +0800 drm/amdgpu: Enable vclk dclk node for gc11.0.3 These sysfs nodes are tested supported, so enable them. Signed-off-by: Yiqing Yao Reviewed-by: Hawking Zhang Signed-off-by: Alex Deucher commit 5048fa1ebf89d03cf0ceca13fab8f800399e9ee3 Author: Mario Limonciello Date: Mon Jan 30 10:16:06 2023 -0600 drm/amd: Fix initialization for nbio 4.3.0 A mistake has been made on some boards with NBIO 4.3.0 where some NBIO registers aren't properly set by the hardware. Ensure that they're set during initialization. Cc: Natikar Basavaraj Tested-by: Satyanarayana ReddyTVN Tested-by: Rutvij Gajjar Signed-off-by: Mario Limonciello Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit bb25849c0fa550b26cecc9c476c519a927c66898 Author: Evan Quan Date: Sat Jan 28 14:24:34 2023 +0800 drm/amdgpu: enable HDP SD for gfx 11.0.3 Enable HDP clock gating control for gfx 11.0.3. Signed-off-by: Evan Quan Reviewed-by: Feifei Xu Signed-off-by: Alex Deucher commit 1538709c9f1c207d30afd95ea41b3aeb973f67e7 Author: Tim Huang Date: Sat Jan 21 10:35:04 2023 +0800 drm/amd/pm: drop unneeded dpm features disablement for SMU 13.0.4/11 PMFW will handle the features disablement properly for gpu reset case, driver involvement may cause some unexpected issues. Cc: stable@vger.kernel.org # 6.1 Signed-off-by: Tim Huang Reviewed-by: Yifan Zhang Signed-off-by: Alex Deucher commit 154711aa5759ef9b45903124fa813c4c29ee681c Author: Nicholas Kazlauskas Date: Fri Jan 20 11:14:30 2023 -0500 drm/amd/display: Reset DMUB mailbox SW state after HW reset [Why] Otherwise we can be out of sync with what's in the hardware, leading to us rerunning every command that's presently in the ringbuffer. [How] Reset software state for the mailboxes in hw_reset callback. This is already done as part of the mailbox init in hw_init, but we do need to remember to reset the last cached wptr value as well here. Reviewed-by: Hansen Dsouza Acked-by: Alex Hung Signed-off-by: Nicholas Kazlauskas Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit 275d8a1db261a1272a818d40ebc61b3b865b60e5 Author: George Shen Date: Thu Jan 19 17:09:54 2023 -0500 drm/amd/display: Unassign does_plane_fit_in_mall function from dcn3.2 [Why] The hwss function does_plane_fit_in_mall not applicable to dcn3.2 asics. Using it with dcn3.2 can result in undefined behaviour. [How] Assign the function pointer to NULL. Reviewed-by: Alvin Lee Acked-by: Alex Hung Signed-off-by: George Shen Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit dd2db2dc4bd298f33dea50c80c3c11bee4e3b0a4 Author: Daniel Miess Date: Tue Jan 17 15:45:30 2023 -0500 drm/amd/display: Adjust downscaling limits for dcn314 [Why] Lower max_downscale_ratio and ARGB888 downscale factor to prevent cases where underflow may occur on dcn314 [How] Set max_downscale_ratio to 400 and ARGB downscale factor to 250 for dcn314 Reviewed-by: Nicholas Kazlauskas Acked-by: Alex Hung Signed-off-by: Daniel Miess Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit ea062fd28f922cb118bfb33229f405b81aff7781 Author: Daniel Miess Date: Tue Jan 17 15:34:35 2023 -0500 drm/amd/display: Add missing brackets in calculation [Why] Brackets missing in the calculation for MIN_DST_Y_NEXT_START [How] Add missing brackets for this calculation Reviewed-by: Nicholas Kazlauskas Acked-by: Alex Hung Signed-off-by: Daniel Miess Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit ed8e793c65e4c6633e8577e40d574da8a56d2e0f Author: Graham Sider Date: Mon Jan 16 10:43:11 2023 -0500 drm/amdgpu: update wave data type to 3 for gfx11 SQ_WAVE_INST_DW0 isn't present on gfx11 compared to gfx10, so update wave data type to signify a difference. Signed-off-by: Graham Sider Reviewed-by: Mukul Joshi Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit 0416f3be58c6b1ea066cd52e354b857693feb01e Author: Ming Lei Date: Thu Feb 2 10:18:04 2023 +0800 blk-cgroup: don't update io stat for root cgroup We source root cgroup stats from the system-wide stats, see blkcg_print_stat and blkcg_rstat_flush, so don't update io state for root cgroup. Fixes blkg leak issue introduced in commit 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()") which starts to grab blkg's reference when adding iostat_cpu into percpu blkcg list, but this state won't be consumed by blkcg_rstat_flush() where the blkg reference is dropped. Tested-by: Bart van Assche Reported-by: Bart van Assche Fixes: 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()") Cc: Tejun Heo Cc: Waiman Long Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20230202021804.278582-1-ming.lei@redhat.com Signed-off-by: Jens Axboe commit 1665c027afb225882a5a0b014c45e84290b826c2 Author: Michael Ellerman Date: Tue Jan 31 22:14:07 2023 +1100 powerpc/64s: Reconnect tlb_flush() to hash__tlb_flush() Commit baf1ed24b27d ("powerpc/mm: Remove empty hash__ functions") removed some empty hash MMU flushing routines, but got a bit overeager and also removed the call to hash__tlb_flush() from tlb_flush(). In regular use this doesn't lead to any noticable breakage, which is a little concerning. Presumably there are flushes happening via other paths such as arch_leave_lazy_mmu_mode(), and/or a bit of luck. Fix it by reinstating the call to hash__tlb_flush(). Fixes: baf1ed24b27d ("powerpc/mm: Remove empty hash__ functions") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230131111407.806770-1-mpe@ellerman.id.au commit 316f1f42b5cc1d95124c1f0387c867c1ba7b6d0e Author: Helge Deller Date: Wed Feb 1 16:41:54 2023 +0100 parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case Wire up the missing ptrace requests PTRACE_GETREGS, PTRACE_SETREGS, PTRACE_GETFPREGS and PTRACE_SETFPREGS when running 32-bit applications on 64-bit kernels. Signed-off-by: Helge Deller Cc: stable@vger.kernel.org # 4.7+ commit 3f0c17809a098d3f0c1ec83f1fb3ca61638d3dcd Author: Helge Deller Date: Wed Feb 1 11:04:06 2023 +0100 parisc: Replace hardcoded value with PRIV_USER constant in ptrace.c Prefer usage of the PRIV_USER constant over the hard-coded value to set the lowest 2 bits for the userspace privilege. Signed-off-by: Helge Deller Cc: stable@vger.kernel.org # 5.16+ commit 9f266ccaa2f5228bfe67ad58a94ca4e0109b954a Merge: ce18d3aa6a232 6b04456e24876 Author: Linus Torvalds Date: Wed Feb 1 10:31:53 2023 -0800 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio fixes from Michael Tsirkin: "Just small bugfixes all over the place" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: vdpa: ifcvf: Do proper cleanup if IFCVF init fails vhost-scsi: unbreak any layout for response tools/virtio: fix the vringh test for virtio ring changes vhost/net: Clear the pending messages when the backend is removed commit ce18d3aa6a232ec80ece60ad5d6eb17bcac1744e Merge: c0b67534c95c5 c7a806d9ce675 Author: Linus Torvalds Date: Wed Feb 1 10:26:23 2023 -0800 Merge tag 'sound-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "A bit higher volume of changes than wished, but each change is relatively small and the fix targets are mostly device-specific, so those should be safe as a late stage merge. The most significant LoC is about the memalloc helper fix, which is applied only to Xen PV. The other major parts are ASoC Intel SOF and AVS fixes that are scattered as various small code changes. The rest are device-specific fixes and quirks for HD- and USB-audio, FireWire and ASoC AMD / HDMI" * tag 'sound-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (30 commits) ALSA: firewire-motu: fix unreleased lock warning in hwdep device ALSA: memalloc: Workaround for Xen PV ASoC: cs42l56: fix DT probe ASoC: codecs: wsa883x: correct playback min/max rates ALSA: hda/realtek: Add Acer Predator PH315-54 ASoC: amd: yc: Add Xiaomi Redmi Book Pro 15 2022 into DMI table ALSA: hda: Do not unset preset when cleaning up codec ASoC: SOF: sof-audio: prepare_widgets: Check swidget for NULL on sink failure ASoC: hdmi-codec: zero clear HDMI pdata ASoC: SOF: ipc4-mtrace: prevent underflow in sof_ipc4_priority_mask_dfs_write() ASoC: Intel: sof_ssp_amp: always set dpcm_capture for amplifiers ASoC: Intel: sof_nau8825: always set dpcm_capture for amplifiers ASoC: Intel: sof_cs42l42: always set dpcm_capture for amplifiers ASoC: Intel: sof_rt5682: always set dpcm_capture for amplifiers ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() ALSA: usb-audio: Add FIXED_RATE quirk for JBL Quantum610 Wireless ALSA: hda/realtek: fix mute/micmute LEDs, speaker don't work for a HP platform ASoC: SOF: keep prepare/unprepare widgets in sink path ASoC: SOF: sof-audio: skip prepare/unprepare if swidget is NULL ASoC: SOF: sof-audio: unprepare when swidget->use_count > 0 ... commit 5efb648042a1c3d1734e69ebbae2fe9477f4fc4d Author: Jonathan Neuschäfer Date: Wed Feb 1 15:11:58 2023 +1030 ARM: dts: wpcm450: Add nuvoton,shm = <&shm> to FIU node The Flash Interface Unit (FIU) should have a reference to the Shared Memory controller (SHM) so that flash access from the host (x86 computer managed by the WPCM450 BMC) can be blocked during flash access by the FIU driver. Fixes: 38abcb0d68767 ("ARM: dts: wpcm450: Add FIU SPI controller node") Signed-off-by: Jonathan Neuschäfer Link: https://lore.kernel.org/r/20230129112611.1176517-1-j.neuschaefer@gmx.net Signed-off-by: Joel Stanley Link: https://lore.kernel.org/r/20230201044158.962417-1-joel@jms.id.au Signed-off-by: Arnd Bergmann commit b459861783a909f66120814b34fa38d409d1e6af Author: Matthias Brugger Date: Wed Feb 1 16:22:56 2023 +0100 MAINTAINERS: Update entry for MediaTek SoC support The linux-mediatek IRC channel has moved to liber.chat for quite some time. Apart from that, not all patches are also send to LKML, so add this ML explicitly. And last but not least: Angelo does a wunderfull job in reviewing patches for all kind of devices from MediaTek. Cc: AngeloGioacchino Del Regno Signed-off-by: Matthias Brugger Link: https://lore.kernel.org/r/20230201152256.19514-1-matthias.bgg@kernel.org Signed-off-by: Arnd Bergmann commit bd97a59da6a866e3dee5d2a2d582ec71dbbc84cd Author: Shin'ichiro Kawasaki Date: Tue Jan 31 18:26:44 2023 +0900 nvme-auth: use workqueue dedicated to authentication NVMe In-Band authentication uses two kinds of works: chap->auth_work and ctrl->dhchap_auth_work. The latter work flushes or cancels the former work. However, the both works are queued to the same workqueue nvme-wq. It results in the lockdep WARNING as follows: WARNING: possible recursive locking detected 6.2.0-rc4+ #1 Not tainted -------------------------------------------- kworker/u16:7/69 is trying to acquire lock: ffff902d52e65548 ((wq_completion)nvme-wq){+.+.}-{0:0}, at: start_flush_work+0x2c5/0x380 but task is already holding lock: ffff902d52e65548 ((wq_completion)nvme-wq){+.+.}-{0:0}, at: process_one_work+0x210/0x410 To avoid the WARNING, introduce a new workqueue nvme-auth-wq dedicated to chap->auth_work. Reported-by: Daniel Wagner Link: https://lore.kernel.org/linux-nvme/20230130110802.paafkiipmitwtnwr@carbon.lan/ Fixes: f50fff73d620 ("nvme: implement In-Band authentication") Signed-off-by: Shin'ichiro Kawasaki Tested-by: Daniel Wagner Reviewed-by: Hannes Reinecke Signed-off-by: Christoph Hellwig commit bd401fd730cbcb0717bbc5438f15084db10f9259 Author: Guillaume Pinot Date: Sun Jan 29 18:13:38 2023 +0100 ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book2 Pro 360 Samsung Galaxy Book2 Pro 360 (13" 2022 NP930QED-KA1FR) with codec SSID 144d:ca03 requires the same workaround for enabling the speaker amp like other Samsung models with ALC298 codec. Cc: Signed-off-by: Guillaume Pinot Link: https://lore.kernel.org/r/20230129171338.17249-1-texitoi@texitoi.eu Signed-off-by: Takashi Iwai commit 6fbf13c0e24fd86ab2e4477cd8484a485b687421 Author: Maurizio Lombardi Date: Tue Jan 31 17:38:42 2023 +0100 nvme: clear the request_queue pointers on failure in nvme_alloc_io_tag_set In nvme_alloc_io_tag_set(), the connect_q pointer should be set to NULL in case of error to avoid potential invalid pointer dereferences. Signed-off-by: Maurizio Lombardi Reviewed-by: Chaitanya Kulkarni Signed-off-by: Christoph Hellwig commit fd62678ab55cb01e11a404d302cdade222bf4022 Author: Maurizio Lombardi Date: Fri Jan 27 16:42:37 2023 +0100 nvme: clear the request_queue pointers on failure in nvme_alloc_admin_tag_set If nvme_alloc_admin_tag_set() fails, the admin_q and fabrics_q pointers are left with an invalid, non-NULL value. Other functions may then check the pointers and dereference them, e.g. in nvme_probe() -> out_disable: -> nvme_dev_remove_admin(). Fix the bug by setting admin_q and fabrics_q to NULL in case of error. Also use the set variable to free the tag_set as ctrl->admin_tagset isn't initialized yet. Signed-off-by: Maurizio Lombardi Reviewed-by: Keith Busch Reviewed-by: Chaitanya Kulkarni Signed-off-by: Christoph Hellwig commit 0cab4404874f2de52617de8400c844891c6ea1ce Author: Amit Engel Date: Mon Jan 23 14:37:28 2023 +0200 nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association As part of nvmet_fc_ls_create_association there is a case where nvmet_fc_alloc_target_queue fails right after a new association with an admin queue is created. In this case, no one releases the get taken in nvmet_fc_alloc_target_assoc. This fix is adding the missing put. Signed-off-by: Amit Engel Reviewed-by: James Smart Signed-off-by: Christoph Hellwig commit 5dac9f8dc25fefd9d928b98f6477ff3daefd73e3 Author: Dan Carpenter Date: Tue Jan 31 13:02:13 2023 +0300 ALSA: pci: lx6464es: fix a debug loop This loop accidentally reuses the "i" iterator for both the inside and the outside loop. The value of MAX_STREAM_BUFFER is 5. I believe that chip->rmh.stat_len is in the 2-12 range. If the value of .stat_len is 4 or more then it will loop exactly one time, but if it's less then it is a forever loop. It looks like it was supposed to combined into one loop where conditions are checked. Fixes: 8e6320064c33 ("ALSA: lx_core: Remove useless #if 0 .. #endif") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/Y9jnJTis/mRFJAQp@kili Signed-off-by: Takashi Iwai commit a3ee9e0b57f8ecca02d1c16fad4941e09bfe2941 Author: Stephen Boyd Date: Thu Jan 5 19:01:08 2023 -0800 drm/panel: boe-tv101wum-nl6: Ensure DSI writes succeed during disable The unprepare sequence has started to fail after moving to panel bridge code in the msm drm driver (commit 007ac0262b0d ("drm/msm/dsi: switch to DRM_PANEL_BRIDGE")). You'll see messages like this in the kernel logs: panel-boe-tv101wum-nl6 ae94000.dsi.0: failed to set panel off: -22 This is because boe_panel_enter_sleep_mode() needs an operating DSI link to set the panel into sleep mode. Performing those writes in the unprepare phase of bridge ops is too late, because the link has already been torn down by the DSI controller in post_disable, i.e. the PHY has been disabled, etc. See dsi_mgr_bridge_post_disable() for more details on the DSI . Split the unprepare function into a disable part and an unprepare part. For now, just the DSI writes to enter sleep mode are put in the disable function. This fixes the panel off routine and keeps the panel happy. My Wormdingler has an integrated touchscreen that stops responding to touch if the panel is only half disabled too. This patch fixes it. And finally, this saves power when the screen is off because without this fix the regulators for the panel are left enabled when nothing is being displayed on the screen. Fixes: 007ac0262b0d ("drm/msm/dsi: switch to DRM_PANEL_BRIDGE") Fixes: a869b9db7adf ("drm/panel: support for boe tv101wum-nl6 wuxga dsi video mode panel") Cc: yangcong Cc: Douglas Anderson Cc: Jitao Shi Cc: Sam Ravnborg Cc: Rob Clark Cc: Dmitry Baryshkov Signed-off-by: Stephen Boyd Reviewed-by: Douglas Anderson Signed-off-by: Douglas Anderson Link: https://patchwork.freedesktop.org/patch/msgid/20230106030108.2542081-1-swboyd@chromium.org (cherry picked from commit c913cd5489930abbb557ef144a333846286754c3) Signed-off-by: Thomas Zimmermann commit 3c349eacc55996a57aaca5e3754edb6b83980237 Merge: c1d6105869464 0b1d60d6dd9e2 Author: Palmer Dabbelt Date: Tue Jan 31 21:55:43 2023 -0800 Merge patch "riscv: Fix build with CONFIG_CC_OPTIMIZE_FOR_SIZE=y" This is a single fix, but it conflicts with some recent features. I'm merging it on top of the commit it fixes to ease backporting. * b4-shazam-merge: riscv: Fix build with CONFIG_CC_OPTIMIZE_FOR_SIZE=y Link: https://lore.kernel.org/r/20220922060958.44203-1-samuel@sholland.org Signed-off-by: Palmer Dabbelt commit 0b1d60d6dd9e2e867cc6e4277d73ea5a7ff2d4d0 Author: Samuel Holland Date: Thu Sep 22 01:09:58 2022 -0500 riscv: Fix build with CONFIG_CC_OPTIMIZE_FOR_SIZE=y commit 8eb060e10185 ("arch/riscv: add Zihintpause support") broke building with CONFIG_CC_OPTIMIZE_FOR_SIZE enabled (gcc 11.1.0): CC arch/riscv/kernel/vdso/vgettimeofday.o In file included from : ./arch/riscv/include/asm/jump_label.h: In function 'cpu_relax': ././include/linux/compiler_types.h:285:33: warning: 'asm' operand 0 probably does not match constraints 285 | #define asm_volatile_goto(x...) asm goto(x) | ^~~ ./arch/riscv/include/asm/jump_label.h:41:9: note: in expansion of macro 'asm_volatile_goto' 41 | asm_volatile_goto( | ^~~~~~~~~~~~~~~~~ ././include/linux/compiler_types.h:285:33: error: impossible constraint in 'asm' 285 | #define asm_volatile_goto(x...) asm goto(x) | ^~~ ./arch/riscv/include/asm/jump_label.h:41:9: note: in expansion of macro 'asm_volatile_goto' 41 | asm_volatile_goto( | ^~~~~~~~~~~~~~~~~ make[1]: *** [scripts/Makefile.build:249: arch/riscv/kernel/vdso/vgettimeofday.o] Error 1 make: *** [arch/riscv/Makefile:128: vdso_prepare] Error 2 Having a static branch in cpu_relax() is problematic because that function is widely inlined, including in some quite complex functions like in the VDSO. A quick measurement shows this static branch is responsible by itself for around 40% of the jump table. Drop the static branch, which ends up being the same number of instructions anyway. If Zihintpause is supported, we trade the nop from the static branch for a div. If Zihintpause is unsupported, we trade the jump from the static branch for (what gets interpreted as) a nop. Fixes: 8eb060e10185 ("arch/riscv: add Zihintpause support") Signed-off-by: Samuel Holland Reviewed-by: Conor Dooley Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit 64466c407a73e7c4fc49d50f4604cd22b53e50eb Merge: afc2336f89dc0 bd0e06f0def75 Author: Jakub Kicinski Date: Tue Jan 31 21:19:20 2023 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net 1) Release bridge info once packet escapes the br_netfilter path, from Florian Westphal. 2) Revert incorrect fix for the SCTP connection tracking chunk iterator, also from Florian. First path fixes a long standing issue, the second path addresses a mistake in the previous pull request for net. * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: Revert "netfilter: conntrack: fix bug in for_each_sctp_chunk" netfilter: br_netfilter: disable sabotage_in hook after first suppression ==================== Link: https://lore.kernel.org/r/20230131133158.4052-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski commit afc2336f89dc0fc0ef25b92366814524b0fd90fb Author: Chris Healy Date: Mon Jan 30 15:14:02 2023 -0800 net: phy: meson-gxl: Add generic dummy stubs for MMD register access The Meson G12A Internal PHY does not support standard IEEE MMD extended register access, therefore add generic dummy stubs to fail the read and write MMD calls. This is necessary to prevent the core PHY code from erroneously believing that EEE is supported by this PHY even though this PHY does not support EEE, as MMD register access returns all FFFFs. Fixes: 5c3407abb338 ("net: phy: meson-gxl: add g12a support") Reviewed-by: Heiner Kallweit Signed-off-by: Chris Healy Reviewed-by: Jerome Brunet Link: https://lore.kernel.org/r/20230130231402.471493-1-cphealy@gmail.com Signed-off-by: Jakub Kicinski commit 876e8ca8366735a604bac86ff7e2732fc9d85d2d Author: Yan Zhai Date: Mon Jan 30 12:51:48 2023 -0800 net: fix NULL pointer in skb_segment_list Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.") introduced UDP listifyed GRO. The segmentation relies on frag_list being untouched when passing through the network stack. This assumption can be broken sometimes, where frag_list itself gets pulled into linear area, leaving frag_list being NULL. When this happens it can trigger following NULL pointer dereference, and panic the kernel. Reverse the test condition should fix it. [19185.577801][ C1] BUG: kernel NULL pointer dereference, address: ... [19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390 ... [19185.834644][ C1] Call Trace: [19185.841730][ C1] [19185.848563][ C1] __udp_gso_segment+0x33e/0x510 [19185.857370][ C1] inet_gso_segment+0x15b/0x3e0 [19185.866059][ C1] skb_mac_gso_segment+0x97/0x110 [19185.874939][ C1] __skb_gso_segment+0xb2/0x160 [19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0 [19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90 [19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200 [19185.910003][ C1] ip_local_deliver_finish+0x44/0x60 [19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0 [19185.927834][ C1] process_backlog+0x88/0x130 [19185.935840][ C1] __napi_poll+0x27/0x150 [19185.943447][ C1] net_rx_action+0x27e/0x5f0 [19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core] [19185.960848][ C1] __do_softirq+0xbc/0x25d [19185.968607][ C1] irq_exit_rcu+0x83/0xb0 [19185.976247][ C1] common_interrupt+0x43/0xa0 [19185.984235][ C1] asm_common_interrupt+0x22/0x40 ... [19186.094106][ C1] Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.") Suggested-by: Daniel Borkmann Reviewed-by: Willem de Bruijn Signed-off-by: Yan Zhai Acked-by: Daniel Borkmann Link: https://lore.kernel.org/r/Y9gt5EUizK1UImEP@debian Signed-off-by: Jakub Kicinski commit efec2e2a722ed609fc7b64feef720fd601633b73 Author: Vladimir Oltean Date: Mon Jan 30 21:30:51 2023 +0200 net: fman: memac: free mdio device if lynx_pcs_create() fails When memory allocation fails in lynx_pcs_create() and it returns NULL, there remains a dangling reference to the mdiodev returned by of_mdio_find_device() which is leaked as soon as memac_pcs_create() returns empty-handed. Fixes: a7c2a32e7f22 ("net: fman: memac: Use lynx pcs driver") Signed-off-by: Vladimir Oltean Reviewed-by: Sean Anderson Acked-by: Madalin Bucur Link: https://lore.kernel.org/r/20230130193051.563315-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit 8f35ae17ef565a605de5f409e04bcd49a55d7646 Author: Xin Long Date: Mon Jan 30 11:25:33 2023 -0500 sctp: do not check hb_timer.expires when resetting hb_timer It tries to avoid the frequently hb_timer refresh in commit ba6f5e33bdbb ("sctp: avoid refreshing heartbeat timer too often"), and it only allows mod_timer when the new expires is after hb_timer.expires. It means even a much shorter interval for hb timer gets applied, it will have to wait until the current hb timer to time out. In sctp_do_8_2_transport_strike(), when a transport enters PF state, it expects to update the hb timer to resend a heartbeat every rto after calling sctp_transport_reset_hb_timer(), which will not work as the change mentioned above. The frequently hb_timer refresh was caused by sctp_transport_reset_timers() called in sctp_outq_flush() and it was already removed in the commit above. So we don't have to check hb_timer.expires when resetting hb_timer as it is now not called very often. Fixes: ba6f5e33bdbb ("sctp: avoid refreshing heartbeat timer too often") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Link: https://lore.kernel.org/r/d958c06985713ec84049a2d5664879802710179a.1675095933.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski commit fc546faa559538fb312c77e055243ece18ab3288 Author: Sourabh Jain Date: Tue Jan 31 08:36:15 2023 +0530 powerpc/kexec_file: Count hot-pluggable memory in FDT estimate On Systems where online memory is lesser compared to max memory, the kexec_file_load system call may fail to load the kdump kernel with the below errors: "Failed to update fdt with linux,drconf-usable-memory property" "Error setting up usable-memory property for kdump kernel" This happens because the size estimation for usable memory properties for the kdump kernel's FDT is based on the online memory whereas the usable memory properties include max memory. In short, the hot-pluggable memory is not accounted for while estimating the size of the usable memory properties. The issue is addressed by calculating usable memory property size using max hotplug address instead of the last online memory address. Fixes: 2377c92e37fe ("powerpc/kexec_file: fix FDT size estimation for kdump kernel") Signed-off-by: Sourabh Jain Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230131030615.729894-1-sourabhjain@linux.ibm.com commit ac86f547ca1002aec2ef66b9e64d03f45bbbfbb9 Author: Kefeng Wang Date: Sun Jan 29 12:09:45 2023 +0800 mm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath() As commit 18365225f044 ("hwpoison, memcg: forcibly uncharge LRU pages"), hwpoison will forcibly uncharg a LRU hwpoisoned page, the folio_memcg could be NULl, then, mem_cgroup_track_foreign_dirty_slowpath() could occurs a NULL pointer dereference, let's do not record the foreign writebacks for folio memcg is null in mem_cgroup_track_foreign_dirty() to fix it. Link: https://lkml.kernel.org/r/20230129040945.180629-1-wangkefeng.wang@huawei.com Fixes: 97b27821b485 ("writeback, memcg: Implement foreign dirty flushing") Signed-off-by: Kefeng Wang Reported-by: Ma Wupeng Tested-by: Miko Larsson Acked-by: Michal Hocko Cc: Jan Kara Cc: Jens Axboe Cc: Kefeng Wang Cc: Ma Wupeng Cc: Naoya Horiguchi Cc: Shakeel Butt Cc: Tejun Heo Cc: Signed-off-by: Andrew Morton commit 1e90e35b620587e82cf52f3b7ccd8270d824d840 Author: ye xingchen Date: Sun Jan 29 10:13:57 2023 +0800 Kconfig.debug: fix the help description in SCHED_DEBUG The correct file path for SCHED_DEBUG is /sys/kernel/debug/sched. Link: https://lkml.kernel.org/r/202301291013573466558@zte.com.cn Signed-off-by: ye xingchen Cc: Dan Williams Cc: Geert Uytterhoeven Cc: Josh Poimboeuf Cc: Kees Cook Cc: Miguel Ojeda Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Peter Zijlstra Cc: Randy Dunlap Cc: Rasmus Villemoes Cc: Vlastimil Babka Cc: Zhaoyang Huang Signed-off-by: Andrew Morton commit 7717fc1a12f88701573f9ed897cc4f6699c661e3 Author: Longlong Xia Date: Sat Jan 28 09:47:57 2023 +0000 mm/swapfile: add cond_resched() in get_swap_pages() The softlockup still occurs in get_swap_pages() under memory pressure. 64 CPU cores, 64GB memory, and 28 zram devices, the disksize of each zram device is 50MB with same priority as si. Use the stress-ng tool to increase memory pressure, causing the system to oom frequently. The plist_for_each_entry_safe() loops in get_swap_pages() could reach tens of thousands of times to find available space (extreme case: cond_resched() is not called in scan_swap_map_slots()). Let's add cond_resched() into get_swap_pages() when failed to find available space to avoid softlockup. Link: https://lkml.kernel.org/r/20230128094757.1060525-1-xialonglong1@huawei.com Signed-off-by: Longlong Xia Reviewed-by: "Huang, Ying" Cc: Chen Wandun Cc: Huang Ying Cc: Kefeng Wang Cc: Nanyong Sun Cc: Hugh Dickins Cc: Signed-off-by: Andrew Morton commit 993f57e0277b78182eb9e4955d118cc8b086c83d Author: Zhaoyang Huang Date: Thu Jan 19 09:22:25 2023 +0800 mm: use stack_depot_early_init for kmemleak Mirsad report the below error which is caused by stack_depot_init() failure in kvcalloc. Solve this by having stackdepot use stack_depot_early_init(). On 1/4/23 17:08, Mirsad Goran Todorovac wrote: I hate to bring bad news again, but there seems to be a problem with the output of /sys/kernel/debug/kmemleak: [root@pc-mtodorov ~]# cat /sys/kernel/debug/kmemleak unreferenced object 0xffff951c118568b0 (size 16): comm "kworker/u12:2", pid 56, jiffies 4294893952 (age 4356.548s) hex dump (first 16 bytes): 6d 65 6d 73 74 69 63 6b 30 00 00 00 00 00 00 00 memstick0....... backtrace: [root@pc-mtodorov ~]# Apparently, backtrace of called functions on the stack is no longer printed with the list of memory leaks. This appeared on Lenovo desktop 10TX000VCR, with AlmaLinux 8.7 and BIOS version M22KT49A (11/10/2022) and 6.2-rc1 and 6.2-rc2 builds. This worked on 6.1 with the same CONFIG_KMEMLEAK=y and MGLRU enabled on a vanilla mainstream kernel from Mr. Torvalds' tree. I don't know if this is deliberate feature for some reason or a bug. Please find attached the config, lshw and kmemleak output. [vbabka@suse.cz: remove stack_depot_init() call] Link: https://lore.kernel.org/all/5272a819-ef74-65ff-be61-4d2d567337de@alu.unizg.hr/ Link: https://lkml.kernel.org/r/1674091345-14799-2-git-send-email-zhaoyang.huang@unisoc.com Fixes: 56a61617dd22 ("mm: use stack_depot for recording kmemleak's backtrace") Reported-by: Mirsad Todorovac Suggested-by: Vlastimil Babka Signed-off-by: Zhaoyang Huang Acked-by: Mike Rapoport (IBM) Acked-by: Catalin Marinas Acked-by: Vlastimil Babka Tested-by: Borislav Petkov (AMD) Cc: ke.wang Cc: Nathan Chancellor Cc: Peter Zijlstra (Intel) Signed-off-by: Andrew Morton commit f65c4bbbd682b0877b669828b4e033b8d5d0a2dc Author: Phillip Lougher Date: Fri Jan 27 06:18:42 2023 +0000 Squashfs: fix handling and sanity checking of xattr_ids count A Sysbot [1] corrupted filesystem exposes two flaws in the handling and sanity checking of the xattr_ids count in the filesystem. Both of these flaws cause computation overflow due to incorrect typing. In the corrupted filesystem the xattr_ids value is 4294967071, which stored in a signed variable becomes the negative number -225. Flaw 1 (64-bit systems only): The signed integer xattr_ids variable causes sign extension. This causes variable overflow in the SQUASHFS_XATTR_*(A) macros. The variable is first multiplied by sizeof(struct squashfs_xattr_id) where the type of the sizeof operator is "unsigned long". On a 64-bit system this is 64-bits in size, and causes the negative number to be sign extended and widened to 64-bits and then become unsigned. This produces the very large number 18446744073709548016 or 2^64 - 3600. This number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0 (stored in len). Flaw 2 (32-bit systems only): On a 32-bit system the integer variable is not widened by the unsigned long type of the sizeof operator (32-bits), and the signedness of the variable has no effect due it always being treated as unsigned. The above corrupted xattr_ids value of 4294967071, when multiplied overflows and produces the number 4294963696 or 2^32 - 3400. This number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by SQUASHFS_METADATA_SIZE overflows again and produces a length of 0. The effect of the 0 length computation: In conjunction with the corrupted xattr_ids field, the filesystem also has a corrupted xattr_table_start value, where it matches the end of filesystem value of 850. This causes the following sanity check code to fail because the incorrectly computed len of 0 matches the incorrect size of the table reported by the superblock (0 bytes). len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids); indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids); /* * The computed size of the index table (len bytes) should exactly * match the table start and end points */ start = table_start + sizeof(*id_table); end = msblk->bytes_used; if (len != (end - start)) return ERR_PTR(-EINVAL); Changing the xattr_ids variable to be "usigned int" fixes the flaw on a 64-bit system. This relies on the fact the computation is widened by the unsigned long type of the sizeof operator. Casting the variable to u64 in the above macro fixes this flaw on a 32-bit system. It also means 64-bit systems do not implicitly rely on the type of the sizeof operator to widen the computation. [1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/ Link: https://lkml.kernel.org/r/20230127061842.10965-1-phillip@squashfs.org.uk Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") Signed-off-by: Phillip Lougher Reported-by: Cc: Alexey Khoroshilov Cc: Fedor Pchelkin Cc: Signed-off-by: Andrew Morton commit c1c551bebf928889e7a8fef7415b44f9a64975f4 Author: Tom Saeger Date: Mon Jan 23 17:09:35 2023 -0700 sh: define RUNTIME_DISCARD_EXIT sh vmlinux fails to link with GNU ld < 2.40 (likely < 2.36) since commit 99cb0d917ffa ("arch: fix broken BuildID for arm64 and riscv"). This is similar to fixes for powerpc and s390: commit 4b9880dbf3bd ("powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT"). commit a494398bde27 ("s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36"). $ sh4-linux-gnu-ld --version | head -n1 GNU ld (GNU Binutils for Debian) 2.35.2 $ make ARCH=sh CROSS_COMPILE=sh4-linux-gnu- microdev_defconfig $ make ARCH=sh CROSS_COMPILE=sh4-linux-gnu- `.exit.text' referenced in section `__bug_table' of crypto/algboss.o: defined in discarded section `.exit.text' of crypto/algboss.o `.exit.text' referenced in section `__bug_table' of drivers/char/hw_random/core.o: defined in discarded section `.exit.text' of drivers/char/hw_random/core.o make[2]: *** [scripts/Makefile.vmlinux:34: vmlinux] Error 1 make[1]: *** [Makefile:1252: vmlinux] Error 2 arch/sh/kernel/vmlinux.lds.S keeps EXIT_TEXT: /* * .exit.text is discarded at runtime, not link time, to deal with * references from __bug_table */ .exit.text : AT(ADDR(.exit.text)) { EXIT_TEXT } However, EXIT_TEXT is thrown away by DISCARD(include/asm-generic/vmlinux.lds.h) because sh does not define RUNTIME_DISCARD_EXIT. GNU ld 2.40 does not have this issue and builds fine. This corresponds with Masahiro's comments in a494398bde27: "Nathan [Chancellor] also found that binutils commit 21401fc7bf67 ("Duplicate output sections in scripts") cured this issue, so we cannot reproduce it with binutils 2.36+, but it is better to not rely on it." Link: https://lkml.kernel.org/r/9166a8abdc0f979e50377e61780a4bba1dfa2f52.1674518464.git.tom.saeger@oracle.com Fixes: 99cb0d917ffa ("arch: fix broken BuildID for arm64 and riscv") Link: https://lore.kernel.org/all/Y7Jal56f6UBh1abE@dev-arch.thelio-3990X/ Link: https://lore.kernel.org/all/20230123194218.47ssfzhrpnv3xfez@oracle.com/ Signed-off-by: Tom Saeger Tested-by: John Paul Adrian Glaubitz Cc: Ard Biesheuvel Cc: Arnd Bergmann Cc: Christoph Hellwig Cc: Dennis Gilmore Cc: Greg Kroah-Hartman Cc: Masahiro Yamada Cc: Naresh Kamboju Cc: Nathan Chancellor Cc: Palmer Dabbelt Cc: Rich Felker Cc: Yoshinori Sato Signed-off-by: Andrew Morton commit 88d7b12068b95731c280af8ce88e8ee9561f96de Author: Matthew Wilcox (Oracle) Date: Thu Jan 26 20:07:27 2023 +0000 highmem: round down the address passed to kunmap_flush_on_unmap() We already round down the address in kunmap_local_indexed() which is the other implementation of __kunmap_local(). The only implementation of kunmap_flush_on_unmap() is PA-RISC which is expecting a page-aligned address. This may be causing PA-RISC to be flushing the wrong addresses currently. Link: https://lkml.kernel.org/r/20230126200727.1680362-1-willy@infradead.org Signed-off-by: Matthew Wilcox (Oracle) Fixes: 298fa1ad5571 ("highmem: Provide generic variant of kmap_atomic*") Reviewed-by: Ira Weiny Cc: "Fabio M. De Francesco" Cc: Al Viro Cc: Thomas Gleixner Cc: Helge Deller Cc: Alexander Potapenko Cc: Andrey Konovalov Cc: Bagas Sanjaya Cc: David Sterba Cc: Kees Cook Cc: Sebastian Andrzej Siewior Cc: Tony Luck Cc: Signed-off-by: Andrew Morton commit 73bdf65ea74857d7fb2ec3067a3cec0e261b1462 Author: Mike Kravetz Date: Thu Jan 26 14:27:21 2023 -0800 migrate: hugetlb: check for hugetlb shared PMD in node migration migrate_pages/mempolicy semantics state that CAP_SYS_NICE is required to move pages shared with another process to a different node. page_mapcount > 1 is being used to determine if a hugetlb page is shared. However, a hugetlb page will have a mapcount of 1 if mapped by multiple processes via a shared PMD. As a result, hugetlb pages shared by multiple processes and mapped with a shared PMD can be moved by a process without CAP_SYS_NICE. To fix, check for a shared PMD if mapcount is 1. If a shared PMD is found consider the page shared. Link: https://lkml.kernel.org/r/20230126222721.222195-3-mike.kravetz@oracle.com Fixes: e2d8cf405525 ("migrate: add hugepage migration code to migrate_pages()") Signed-off-by: Mike Kravetz Acked-by: Peter Xu Acked-by: David Hildenbrand Cc: James Houghton Cc: Matthew Wilcox Cc: Michal Hocko Cc: Muchun Song Cc: Naoya Horiguchi Cc: Vishal Moola (Oracle) Cc: Yang Shi Cc: Signed-off-by: Andrew Morton commit 3489dbb696d25602aea8c3e669a6d43b76bd5358 Author: Mike Kravetz Date: Thu Jan 26 14:27:20 2023 -0800 mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps Patch series "Fixes for hugetlb mapcount at most 1 for shared PMDs". This issue of mapcount in hugetlb pages referenced by shared PMDs was discussed in [1]. The following two patches address user visible behavior caused by this issue. [1] https://lore.kernel.org/linux-mm/Y9BF+OCdWnCSilEu@monkey/ This patch (of 2): A hugetlb page will have a mapcount of 1 if mapped by multiple processes via a shared PMD. This is because only the first process increases the map count, and subsequent processes just add the shared PMD page to their page table. page_mapcount is being used to decide if a hugetlb page is shared or private in /proc/PID/smaps. Pages referenced via a shared PMD were incorrectly being counted as private. To fix, check for a shared PMD if mapcount is 1. If a shared PMD is found count the hugetlb page as shared. A new helper to check for a shared PMD is added. [akpm@linux-foundation.org: simplification, per David] [akpm@linux-foundation.org: hugetlb.h: include page_ref.h for page_count()] Link: https://lkml.kernel.org/r/20230126222721.222195-2-mike.kravetz@oracle.com Fixes: 25ee01a2fca0 ("mm: hugetlb: proc: add hugetlb-related fields to /proc/PID/smaps") Signed-off-by: Mike Kravetz Acked-by: Peter Xu Cc: David Hildenbrand Cc: James Houghton Cc: Matthew Wilcox Cc: Michal Hocko Cc: Muchun Song Cc: Naoya Horiguchi Cc: Vishal Moola (Oracle) Cc: Yang Shi Cc: Signed-off-by: Andrew Morton commit edb5d0cf5525357652aff6eacd9850b8ced07143 Author: Zach O'Keefe Date: Wed Jan 25 14:53:58 2023 -0800 mm/MADV_COLLAPSE: catch !none !huge !bad pmd lookups In commit 34488399fa08 ("mm/madvise: add file and shmem support to MADV_COLLAPSE") we make the following change to find_pmd_or_thp_or_none(): - if (!pmd_present(pmde)) - return SCAN_PMD_NULL; + if (pmd_none(pmde)) + return SCAN_PMD_NONE; This was for-use by MADV_COLLAPSE file/shmem codepaths, where MADV_COLLAPSE might identify a pte-mapped hugepage, only to have khugepaged race-in, free the pte table, and clear the pmd. Such codepaths include: A) If we find a suitably-aligned compound page of order HPAGE_PMD_ORDER already in the pagecache. B) In retract_page_tables(), if we fail to grab mmap_lock for the target mm/address. In these cases, collapse_pte_mapped_thp() really does expect a none (not just !present) pmd, and we want to suitably identify that case separate from the case where no pmd is found, or it's a bad-pmd (of course, many things could happen once we drop mmap_lock, and the pmd could plausibly undergo multiple transitions due to intervening fault, split, etc). Regardless, the code is prepared install a huge-pmd only when the existing pmd entry is either a genuine pte-table-mapping-pmd, or the none-pmd. However, the commit introduces a logical hole; namely, that we've allowed !none- && !huge- && !bad-pmds to be classified as genuine pte-table-mapping-pmds. One such example that could leak through are swap entries. The pmd values aren't checked again before use in pte_offset_map_lock(), which is expecting nothing less than a genuine pte-table-mapping-pmd. We want to put back the !pmd_present() check (below the pmd_none() check), but need to be careful to deal with subtleties in pmd transitions and treatments by various arch. The issue is that __split_huge_pmd_locked() temporarily clears the present bit (or otherwise marks the entry as invalid), but pmd_present() and pmd_trans_huge() still need to return true while the pmd is in this transitory state. For example, x86's pmd_present() also checks the _PAGE_PSE , riscv's version also checks the _PAGE_LEAF bit, and arm64 also checks a PMD_PRESENT_INVALID bit. Covering all 4 cases for x86 (all checks done on the same pmd value): 1) pmd_present() && pmd_trans_huge() All we actually know here is that the PSE bit is set. Either: a) We aren't racing with __split_huge_page(), and PRESENT or PROTNONE is set. => huge-pmd b) We are currently racing with __split_huge_page(). The danger here is that we proceed as-if we have a huge-pmd, but really we are looking at a pte-mapping-pmd. So, what is the risk of this danger? The only relevant path is: madvise_collapse() -> collapse_pte_mapped_thp() Where we might just incorrectly report back "success", when really the memory isn't pmd-backed. This is fine, since split could happen immediately after (actually) successful madvise_collapse(). So, it should be safe to just assume huge-pmd here. 2) pmd_present() && !pmd_trans_huge() Either: a) PSE not set and either PRESENT or PROTNONE is. => pte-table-mapping pmd (or PROT_NONE) b) devmap. This routine can be called immediately after unlocking/locking mmap_lock -- or called with no locks held (see khugepaged_scan_mm_slot()), so previous VMA checks have since been invalidated. 3) !pmd_present() && pmd_trans_huge() Not possible. 4) !pmd_present() && !pmd_trans_huge() Neither PRESENT nor PROTNONE set => not present I've checked all archs that implement pmd_trans_huge() (arm64, riscv, powerpc, longarch, x86, mips, s390) and this logic roughly translates (though devmap treatment is unique to x86 and powerpc, and (3) doesn't necessarily hold in general -- but that doesn't matter since !pmd_present() always takes failure path). Also, add a comment above find_pmd_or_thp_or_none() to help future travelers reason about the validity of the code; namely, the possible mutations that might happen out from under us, depending on how mmap_lock is held (if at all). Link: https://lkml.kernel.org/r/20230125225358.2576151-1-zokeefe@google.com Fixes: 34488399fa08 ("mm/madvise: add file and shmem support to MADV_COLLAPSE") Signed-off-by: Zach O'Keefe Reported-by: Hugh Dickins Reviewed-by: Yang Shi Cc: Signed-off-by: Andrew Morton commit 8ef852f1cb426a5812aee700d3b4297aaa426acc Author: Isaac J. Manjarres Date: Tue Jan 24 15:02:54 2023 -0800 Revert "mm: kmemleak: alloc gray object for reserved region with direct map" This reverts commit 972fa3a7c17c9d60212e32ecc0205dc585b1e769. Kmemleak operates by periodically scanning memory regions for pointers to allocated memory blocks to determine if they are leaked or not. However, reserved memory regions can be used for DMA transactions between a device and a CPU, and thus, wouldn't contain pointers to allocated memory blocks, making them inappropriate for kmemleak to scan. Thus, revert this commit. Link: https://lkml.kernel.org/r/20230124230254.295589-1-isaacmanjarres@google.com Fixes: 972fa3a7c17c9 ("mm: kmemleak: alloc gray object for reserved region with direct map") Signed-off-by: Isaac J. Manjarres Acked-by: Catalin Marinas Cc: Calvin Zhang Cc: Frank Rowand Cc: Rob Herring Cc: Saravana Kannan Cc: [5.17+] Signed-off-by: Andrew Morton commit 0d7866eace86c174e2d4f4fe3a7eca7a3a31247a Author: Randy Dunlap Date: Tue Jan 24 10:16:38 2023 -0800 freevxfs: Kconfig: fix spelling Fix a spello in freevxfs Kconfig. (reported by codespell) Link: https://lkml.kernel.org/r/20230124181638.15604-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Cc: Christoph Hellwig Signed-off-by: Andrew Morton commit ab6ef70a8b0d314c2160af70b0de984664d675e0 Author: Wei Yang Date: Sat Nov 12 23:43:08 2022 +0000 maple_tree: should get pivots boundary by type We should get pivots boundary by type. Fixes a potential overindexing of mt_pivots[]. Link: https://lkml.kernel.org/r/20221112234308.23823-1-richard.weiyang@gmail.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Wei Yang Reviewed-by: Liam R. Howlett Signed-off-by: Andrew Morton commit 889a904fe34d90c4416dd403f5d3ad859180cf68 Author: Eugen Hristev Date: Thu Jan 19 09:22:29 2023 +0200 .mailmap: update e-mail address for Eugen Hristev Update e-mail address. Link: https://lkml.kernel.org/r/20230119072229.99603-1-eugen.hristev@collabora.com Signed-off-by: Eugen Hristev Signed-off-by: Andrew Morton commit d014cd7c1c358edc3ea82ebf327a036a42ed0164 Author: Vlastimil Babka Date: Tue Jan 17 11:19:39 2023 +0100 mm, mremap: fix mremap() expanding for vma's with vm_ops->close() Fabian has reported another regression in 6.1 due to ca3d76b0aa80 ("mm: add merging after mremap resize"). The problem is that vma_merge() can fail when vma has a vm_ops->close() method, causing is_mergeable_vma() test to be negative. This was happening for vma mapping a file from fuse-overlayfs, which does have the method. But when we are simply expanding the vma, we never remove it due to the "merge" with the added area, so the test should not prevent the expansion. As a quick fix, check for such vmas and expand them using vma_adjust() directly as was done before commit ca3d76b0aa80. For a more robust long term solution we should try to limit the check for vma_ops->close only to cases that actually result in vma removal, so that no merge would be prevented unnecessarily. [akpm@linux-foundation.org: fix indenting whitespace, reflow comment] Link: https://lkml.kernel.org/r/20230117101939.9753-1-vbabka@suse.cz Fixes: ca3d76b0aa80 ("mm: add merging after mremap resize") Signed-off-by: Vlastimil Babka Reported-by: Fabian Vogt Link: https://bugzilla.suse.com/show_bug.cgi?id=1206359#c35 Tested-by: Fabian Vogt Cc: Jakub Matěna Cc: Signed-off-by: Andrew Morton commit 72e544b1b28325fe78a4687b980871a7e4101f76 Author: Fedor Pchelkin Date: Tue Jan 17 13:52:26 2023 +0300 squashfs: harden sanity check in squashfs_read_xattr_id_table While mounting a corrupted filesystem, a signed integer '*xattr_ids' can become less than zero. This leads to the incorrect computation of 'len' and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor() or out-of-bounds accesses in the next sanity checks inside squashfs_read_xattr_id_table(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Link: https://lkml.kernel.org/r/20230117105226.329303-2-pchelkin@ispras.ru Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") Reported-by: Signed-off-by: Fedor Pchelkin Signed-off-by: Alexey Khoroshilov Cc: Phillip Lougher Signed-off-by: Andrew Morton commit 6f28a2613497fc587e347afa99fa2c52230678a7 Author: James Morse Date: Tue Jan 17 15:16:32 2023 +0000 ia64: fix build error due to switch case label appearing next to declaration Since commit aa06a9bd8533 ("ia64: fix clock_getres(CLOCK_MONOTONIC) to report ITC frequency"), gcc 10.1.0 fails to build ia64 with the gnomic: | ../arch/ia64/kernel/sys_ia64.c: In function 'ia64_clock_getres': | ../arch/ia64/kernel/sys_ia64.c:189:3: error: a label can only be part of a statement and a declaration is not a statement | 189 | s64 tick_ns = DIV_ROUND_UP(NSEC_PER_SEC, local_cpu_data->itc_freq); This line appears immediately after a case label in a switch. Move the declarations out of the case, to the top of the function. Link: https://lkml.kernel.org/r/20230117151632.393836-1-james.morse@arm.com Fixes: aa06a9bd8533 ("ia64: fix clock_getres(CLOCK_MONOTONIC) to report ITC frequency") Signed-off-by: James Morse Reviewed-by: Sergei Trofimovich Cc: Émeric Maschino Cc: matoro Cc: John Paul Adrian Glaubitz Cc: Signed-off-by: Andrew Morton commit de08eaa6156405f2e9369f06ba5afae0e4ab3b62 Author: Yu Zhao Date: Sun Jan 15 20:44:05 2023 -0700 mm: multi-gen LRU: fix crash during cgroup migration lru_gen_migrate_mm() assumes lru_gen_add_mm() runs prior to itself. This isn't true for the following scenario: CPU 1 CPU 2 clone() cgroup_can_fork() cgroup_procs_write() cgroup_post_fork() task_lock() lru_gen_migrate_mm() task_unlock() task_lock() lru_gen_add_mm() task_unlock() And when the above happens, kernel crashes because of linked list corruption (mm_struct->lru_gen.list). Link: https://lore.kernel.org/r/20230115134651.30028-1-msizanoen@qtmlabs.xyz/ Link: https://lkml.kernel.org/r/20230116034405.2960276-1-yuzhao@google.com Fixes: bd74fdaea146 ("mm: multi-gen LRU: support page table walks") Signed-off-by: Yu Zhao Reported-by: msizanoen Tested-by: msizanoen Cc: [6.1+] Signed-off-by: Andrew Morton commit 55ab834a86a9934c4f17825c115f7dc16a89aae7 Author: Michal Hocko Date: Fri Dec 16 10:46:33 2022 +0100 Revert "mm: add nodes= arg to memory.reclaim" This reverts commit 12a5d3955227b0d7e04fb793ccceeb2a1dd275c5. Although it is recognized that a finer grained pro-active reclaim is something we need and want the semantic of this implementation is really ambiguous. In a follow up discussion it became clear that there are two essential usecases here. One is to use memory.reclaim to pro-actively reclaim memory and expectation is that the requested and reported amount of memory is uncharged from the memcg. Another usecase focuses on pro-active demotion when the memory is merely shuffled around to demotion targets while the overall charged memory stays unchanged. The current implementation considers demoted pages as reclaimed and that break both usecases. [1] has tried to address the reporting part but there are more issues with that summarized in [2] and follow up emails. Let's revert the nodemask based extension of the memcg pro-active reclaim for now until we settle with a more robust semantic. [1] http://lkml.kernel.org/r/http://lkml.kernel.org/r/20221206023406.3182800-1-almasrymina@google.com [2] http://lkml.kernel.org/r/Y5bsmpCyeryu3Zz1@dhcp22.suse.cz Link: https://lkml.kernel.org/r/Y5xASNe1x8cusiTx@dhcp22.suse.cz Fixes: 12a5d3955227b0d ("mm: add nodes= arg to memory.reclaim") Signed-off-by: Michal Hocko Cc: Bagas Sanjaya Cc: Huang Ying Cc: Johannes Weiner Cc: Jonathan Corbet Cc: Mina Almasry Cc: Muchun Song Cc: Roman Gushchin Cc: Shakeel Butt Cc: Tejun Heo Cc: Wei Xu Cc: Yang Shi Cc: Yosry Ahmed Cc: zefan li Signed-off-by: Andrew Morton commit 85b325815b566e8e7472e0089c8cbb0d5ea274ec Author: Nhat Pham Date: Tue Jan 10 15:17:01 2023 -0800 zsmalloc: fix a race with deferred_handles storing Currently, there is a race between zs_free() and zs_reclaim_page(): zs_reclaim_page() finds a handle to an allocated object, but before the eviction happens, an independent zs_free() call to the same handle could come in and overwrite the object value stored at the handle with the last deferred handle. When zs_reclaim_page() finally gets to call the eviction handler, it will see an invalid object value (i.e the previous deferred handle instead of the original object value). This race happens quite infrequently. We only managed to produce it with out-of-tree developmental code that triggers zsmalloc writeback with a much higher frequency than usual. This patch fixes this race by storing the deferred handle in the object header instead. We differentiate the deferred handle from the other two cases (handle for allocated object, and linkage for free object) with a new tag. If zspage reclamation succeeds, we will free these deferred handles by walking through the zspage objects. On the other hand, if zspage reclamation fails, we reconstruct the zspage freelist (with the deferred handle tag and allocated tag) before trying again with the reclamation. [arnd@arndb.de: avoid unused-function warning] Link: https://lkml.kernel.org/r/20230117170507.2651972-1-arnd@kernel.org Link: https://lkml.kernel.org/r/20230110231701.326724-1-nphamcs@gmail.com Fixes: 9997bc017549 ("zsmalloc: implement writeback mechanism for zsmalloc") Signed-off-by: Nhat Pham Signed-off-by: Arnd Bergmann Suggested-by: Johannes Weiner Cc: Dan Streetman Cc: Minchan Kim Cc: Nitin Gupta Cc: Sergey Senozhatsky Cc: Seth Jennings Cc: Vitaly Wool Signed-off-by: Andrew Morton commit 023f47a8250c6bdb4aebe744db4bf7f73414028b Author: Jann Horn Date: Wed Jan 11 14:33:51 2023 +0100 mm/khugepaged: fix ->anon_vma race If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires it to be locked. Page table traversal is allowed under any one of the mmap lock, the anon_vma lock (if the VMA is associated with an anon_vma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retract_page_tables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains). If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them. Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access. Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access. Link: https://lore.kernel.org/linux-mm/CAG48ez3434wZBKFFbdx4M9j6eUwSUVPd4dxhzW_k_POneSDF+A@mail.gmail.com/ Link: https://lkml.kernel.org/r/20230111133351.807024-1-jannh@google.com Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") Signed-off-by: Jann Horn Reported-by: Zach O'Keefe Acked-by: Kirill A. Shutemov Reviewed-by: Yang Shi Cc: David Hildenbrand Cc: Signed-off-by: Andrew Morton commit 7327e8111adb315423035fb5233533016dfd3f2e Author: Liam Howlett Date: Wed Jan 11 20:02:07 2023 +0000 maple_tree: fix mas_empty_area_rev() lower bound validation mas_empty_area_rev() was not correctly validating the start of a gap against the lower limit. This could lead to the range starting lower than the requested minimum. Fix the issue by better validating a gap once one is found. This commit also adds tests to the maple tree test suite for this issue and tests the mas_empty_area() function for similar bound checking. Link: https://lkml.kernel.org/r/20230111200136.1851322-1-Liam.Howlett@oracle.com Link: https://bugzilla.kernel.org/show_bug.cgi?id=216911 Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Liam R. Howlett Reported-by: Link: https://lore.kernel.org/linux-mm/0b9f5425-08d4-8013-aa4c-e620c3b10bb2@leemhuis.info/ Tested-by: Holger Hoffsttte Cc: Signed-off-by: Andrew Morton commit c0b67534c95c537f7a506a06b98e5e85d72e2b7d Merge: 58706f7fb045b e5ae8803847b8 Author: Linus Torvalds Date: Tue Jan 31 16:02:05 2023 -0800 Merge tag 'cgroup-for-6.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fix from Tejun Heo: "cpuset has a bug which can cause an oops after some configuration operations, introduced during the v6.1 cycle. This single commit fixes the bug" * tag 'cgroup-for-6.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup/cpuset: Fix wrong check in update_parent_subparts_cpumask() commit e5ae8803847b80fe9d744a3174abe2b7bfed222a Author: Waiman Long Date: Tue Jan 31 10:48:03 2023 -0500 cgroup/cpuset: Fix wrong check in update_parent_subparts_cpumask() It was found that the check to see if a partition could use up all the cpus from the parent cpuset in update_parent_subparts_cpumask() was incorrect. As a result, it is possible to leave parent with no effective cpu left even if there are tasks in the parent cpuset. This can lead to system panic as reported in [1]. Fix this probem by updating the check to fail the enabling the partition if parent's effective_cpus is a subset of the child's cpus_allowed. Also record the error code when an error happens in update_prstate() and add a test case where parent partition and child have the same cpu list and parent has task. Enabling partition in the child will fail in this case. [1] https://www.spinics.net/lists/cgroups/msg36254.html Fixes: f0af1bfc27b5 ("cgroup/cpuset: Relax constraints to partition & cpus changes") Cc: stable@vger.kernel.org # v6.1 Reported-by: Srinivas Pandruvada Signed-off-by: Waiman Long Signed-off-by: Tejun Heo commit 58706f7fb045b7019bada81fa17f372189315fe5 Merge: 88b356e19199d 15600159bcc6a Author: Linus Torvalds Date: Tue Jan 31 11:39:08 2023 -0800 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Two core fixes. One simply moves an annotation from put to release to avoid the warning triggering needlessly in alua, but to keep it in case release is ever called from that path (which we don't think will happen). The other reverts a change to the PQ=1 target scanning behaviour that's under intense discussion at the moment" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: Revert "scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT" scsi: core: Fix the scsi_device_put() might_sleep annotation commit 4f64a6c9f6f11e8b7314f8e27e2c4568706009e6 Author: James Clark Date: Fri Jan 27 14:31:41 2023 +0000 perf: Fix perf_event_pmu_context serialization Syzkaller triggered a WARN in put_pmu_ctx(). WARNING: CPU: 1 PID: 2245 at kernel/events/core.c:4925 put_pmu_ctx+0x1f0/0x278 This is because there is no locking around the access of "if (!epc->ctx)" in find_get_pmu_context() and when it is set to NULL in put_pmu_ctx(). The decrement of the reference count in put_pmu_ctx() also happens outside of the spinlock, leading to the possibility of this order of events, and the context being cleared in put_pmu_ctx(), after its refcount is non zero: CPU0 CPU1 find_get_pmu_context() if (!epc->ctx) == false put_pmu_ctx() atomic_dec_and_test(&epc->refcount) == true epc->refcount == 0 atomic_inc(&epc->refcount); epc->refcount == 1 list_del_init(&epc->pmu_ctx_entry); epc->ctx = NULL; Another issue is that WARN_ON for no active PMU events in put_pmu_ctx() is outside of the lock. If the perf_event_pmu_context is an embedded one, even after clearing it, it won't be deleted and can be re-used. So the warning can trigger. For this reason it also needs to be moved inside the lock. The above warning is very quick to trigger on Arm by running these two commands at the same time: while true; do perf record -- ls; done while true; do perf record -- ls; done [peterz: atomic_dec_and_raw_lock*()] Fixes: bd2756811766 ("perf: Rewrite core context handling") Reported-by: syzbot+697196bc0265049822bd@syzkaller.appspotmail.com Signed-off-by: James Clark Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Ravi Bangoria Link: https://lore.kernel.org/r/20230127143141.1782804-2-james.clark@arm.com commit 88b356e19199dca700b1180adc0b843a3228d4a0 Merge: 22b8077d0fcec 89c08aef8f8dc Author: Linus Torvalds Date: Tue Jan 31 11:17:38 2023 -0800 Merge tag 'media/v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: "A couple of v4l2 core fixes: - fix a regression on strings control support - fix a regression for some drivers that depend on an odd streaming behavior" * tag 'media/v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: media: videobuf2: set q->streaming later media: v4l2-ctrls-api.c: move ctrl->is_new = 1 to the correct line commit 81ea42b9c3d61ea34d82d900ed93f4b4851f13b0 Author: Bart Van Assche Date: Mon Jan 30 13:12:33 2023 -0800 block: Fix the blk_mq_destroy_queue() documentation Commit 2b3f056f72e5 moved a blk_put_queue() call from blk_mq_destroy_queue() into its callers. Reflect this change in the documentation block above blk_mq_destroy_queue(). Cc: Christoph Hellwig Cc: Sagi Grimberg Cc: Chaitanya Kulkarni Cc: Keith Busch Fixes: 2b3f056f72e5 ("blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue") Signed-off-by: Bart Van Assche Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20230130211233.831613-1-bvanassche@acm.org Signed-off-by: Jens Axboe commit 7ab41c2c08a32132ba8c14624910e2fe8ce4ba4b Author: Vasily Gorbik Date: Sun Jan 29 23:47:23 2023 +0100 s390/decompressor: specify __decompress() buf len to avoid overflow Historically calls to __decompress() didn't specify "out_len" parameter on many architectures including s390, expecting that no writes beyond uncompressed kernel image are performed. This has changed since commit 2aa14b1ab2c4 ("zstd: import usptream v1.5.2") which includes zstd library commit 6a7ede3dfccb ("Reduce size of dctx by reutilizing dst buffer (#2751)"). Now zstd decompression code might store literal buffer in the unwritten portion of the destination buffer. Since "out_len" is not set, it is considered to be unlimited and hence free to use for optimization needs. On s390 this might corrupt initrd or ipl report which are often placed right after the decompressor buffer. Luckily the size of uncompressed kernel image is already known to the decompressor, so to avoid the problem simply specify it in the "out_len" parameter. Link: https://github.com/facebook/zstd/commit/6a7ede3dfccb Signed-off-by: Vasily Gorbik Tested-by: Alexander Egorenkov Link: https://lore.kernel.org/r/patch-1.thread-41c676.git-41c676c2d153.your-ad-here.call-01675030179-ext-9637@work.hours Signed-off-by: Heiko Carstens commit 254c71374a70051a043676b67ba4f7ad392b5fe6 Author: Brendan Higgins Date: Tue Jan 31 10:35:03 2023 +0800 kunit: fix kunit_test_init_section_suites(...) Looks like kunit_test_init_section_suites(...) was messed up in a merge conflict. This fixes it. kunit_test_init_section_suites(...) was not updated to avoid the extra level of indirection when .kunit_test_suites was flattened. Given no-one was actively using it, this went unnoticed for a long period of time. Fixes: e5857d396f35 ("kunit: flatten kunit_suite*** to kunit_suite** in .kunit_test_suites") Signed-off-by: Brendan Higgins Signed-off-by: David Gow Tested-by: Martin Fernandez Signed-off-by: Shuah Khan commit 0a2742bf5899bf3bc46d16e4cc7dd7352ce771fd Author: Stafford Horne Date: Wed Feb 1 00:48:30 2023 +0900 MAINTAINERS: Update OpenRISC mailing list The mailing list at librecores.org is being shut down due to infrastructure issues. Update the the newly created list on vger.kernel.org. Signed-off-by: Stafford Horne commit 29baef789c838bd5c02f50c88adbbc6b955aaf61 Author: Liu Xiaodong Date: Tue Jan 31 02:05:52 2023 -0500 block: ublk: extending queue_size to fix overflow When validating drafted SPDK ublk target, in a case that assigning large queue depth to multiqueue ublk device, ublk target would run into a weird incorrect state. During rounds of review and debug, An overflow bug was found in ublk driver. In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means each ublk queue depth can be set as large as 4096. But when setting qd for a ublk device, sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io) will be larger than 65535 if qd is larger than 2728. Then queue_size is overflowed, and ublk_get_queue() references a wrong pointer position. The wrong content of ublk_queue elements will lead to out-of-bounds memory access. Extend queue_size in ublk_device as "unsigned int". Signed-off-by: Liu Xiaodong Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20230131070552.115067-1-xiaodong.liu@intel.com Signed-off-by: Jens Axboe commit f9c47b2caa7ffc903ec950b454b59c209afe3182 Author: Dean Luick Date: Mon Jan 9 14:04:08 2023 -0500 IB/hfi1: Assign npages earlier Improve code clarity and enable earlier use of tidbuf->npages by moving its assignment to structure creation time. Signed-off-by: Dean Luick Signed-off-by: Dennis Dalessandro Link: https://lore.kernel.org/r/167329104884.1472990.4639750192433251493.stgit@awfm-02.cornelisnetworks.com Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit 226fae124b2dac217ea5436060d623ff3385bc34 Author: George Kennedy Date: Tue Jan 24 11:16:54 2023 -0500 vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF After a call to console_unlock() in vcs_read() the vc_data struct can be freed by vc_deallocate(). Because of that, the struct vc_data pointer load must be done at the top of while loop in vcs_read() to avoid a UAF when vcs_size() is called. Syzkaller reported a UAF in vcs_size(). BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215) Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537 CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1 Hardware name: Red Hat KVM, BIOS 1.15.0-2.module Call Trace: __asan_report_load4_noabort (mm/kasan/report_generic.c:350) vcs_size (drivers/tty/vt/vc_screen.c:215) vcs_read (drivers/tty/vt/vc_screen.c:415) vfs_read (fs/read_write.c:468 fs/read_write.c:450) ... Allocated by task 1191: ... kmalloc_trace (mm/slab_common.c:1069) vc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720 drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108) con_install (drivers/tty/vt/vt.c:3383) tty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413 drivers/tty/tty_io.c:1390) tty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126) chrdev_open (fs/char_dev.c:415) do_dentry_open (fs/open.c:883) vfs_open (fs/open.c:1014) ... Freed by task 1548: ... kfree (mm/slab_common.c:1021) vc_port_destruct (drivers/tty/vt/vt.c:1094) tty_port_destructor (drivers/tty/tty_port.c:296) tty_port_put (drivers/tty/tty_port.c:312) vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2)) vt_ioctl (drivers/tty/vt/vt_ioctl.c:903) tty_ioctl (drivers/tty/tty_io.c:2776) ... The buggy address belongs to the object at ffff888113747800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 424 bytes inside of 1024-byte region [ffff888113747800, ffff888113747c00) The buggy address belongs to the physical page: page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113740 head:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0 anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Disabling lock debugging due to kernel taint Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()") Reported-by: syzkaller Suggested-by: Jiri Slaby Signed-off-by: George Kennedy Link: https://lore.kernel.org/r/1674577014-12374-1-git-send-email-george.kennedy@oracle.com Signed-off-by: Greg Kroah-Hartman commit c956940a4ab73a87d0165e911c001dbdd2c8200f Author: Maor Gottlieb Date: Mon Jan 30 16:25:50 2023 +0200 RDMA/umem: Use dma-buf locked API to solve deadlock The cited commit moves umem to call the unlocked versions of dmabuf unmap/map attachment, but the lock is held while calling to these functions, hence move back to the locked versions of these APIs. Fixes: 21c9c5c0784f ("RDMA/umem: Prepare to dynamic dma-buf locking specification") Link: https://lore.kernel.org/r/311c2cb791f8af75486df446819071357353db1b.1675088709.git.leon@kernel.org Signed-off-by: Maor Gottlieb Reviewed-by: Christian König Signed-off-by: Leon Romanovsky Reviewed-by: Dmitry Osipenko Signed-off-by: Jason Gunthorpe commit bd0e06f0def75ba26572a94e5350324474a55562 Author: Florian Westphal Date: Thu Jan 26 02:35:21 2023 +0100 Revert "netfilter: conntrack: fix bug in for_each_sctp_chunk" There is no bug. If sch->length == 0, this would result in an infinite loop, but first caller, do_basic_checks(), errors out in this case. After this change, packets with bogus zero-length chunks are no longer detected as invalid, so revert & add comment wrt. 0 length check. Fixes: 98ee00774525 ("netfilter: conntrack: fix bug in for_each_sctp_chunk") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba Author: Florian Westphal Date: Mon Jan 30 11:39:29 2023 +0100 netfilter: br_netfilter: disable sabotage_in hook after first suppression When using a xfrm interface in a bridged setup (the outgoing device is bridged), the incoming packets in the xfrm interface are only tracked in the outgoing direction. $ brctl show bridge name interfaces br_eth1 eth1 $ conntrack -L tcp 115 SYN_SENT src=192... dst=192... [UNREPLIED] ... If br_netfilter is enabled, the first (encrypted) packet is received onR eth1, conntrack hooks are called from br_netfilter emulation which allocates nf_bridge info for this skb. If the packet is for local machine, skb gets passed up the ip stack. The skb passes through ip prerouting a second time. br_netfilter ip_sabotage_in supresses the re-invocation of the hooks. After this, skb gets decrypted in xfrm layer and appears in network stack a second time (after decryption). Then, ip_sabotage_in is called again and suppresses netfilter hook invocation, even though the bridge layer never called them for the plaintext incarnation of the packet. Free the bridge info after the first suppression to avoid this. I was unable to figure out where the regression comes from, as far as i can see br_netfilter always had this problem; i did not expect that skb is looped again with different headers. Fixes: c4b0e771f906 ("netfilter: avoid using skb->nf_bridge directly") Reported-and-tested-by: Wolfgang Nothdurft Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit 9d2c7203ffdb846399b82b0660563c89e918c751 Author: Joerg Roedel Date: Tue Jan 31 09:57:18 2023 +0100 x86/debug: Fix stack recursion caused by wrongly ordered DR7 accesses In kernels compiled with CONFIG_PARAVIRT=n, the compiler re-orders the DR7 read in exc_nmi() to happen before the call to sev_es_ist_enter(). This is problematic when running as an SEV-ES guest because in this environment the DR7 read might cause a #VC exception, and taking #VC exceptions is not safe in exc_nmi() before sev_es_ist_enter() has run. The result is stack recursion if the NMI was caused on the #VC IST stack, because a subsequent #VC exception in the NMI handler will overwrite the stack frame of the interrupted #VC handler. As there are no compiler barriers affecting the ordering of DR7 reads/writes, make the accesses to this register volatile, forbidding the compiler to re-order them. [ bp: Massage text, make them volatile too, to make sure some aggressive compiler optimization pass doesn't discard them. ] Fixes: 315562c9af3d ("x86/sev-es: Adjust #VC IST Stack on entering NMI handler") Reported-by: Alexey Kardashevskiy Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov (AMD) Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230127035616.508966-1-aik@amd.com commit 111bcb37385353f0510e5847d5abcd1c613dba23 Author: Michael Ellerman Date: Tue Jan 10 23:47:53 2023 +1100 powerpc/64s/radix: Fix RWX mapping with relocated kernel If a relocatable kernel is loaded at a non-zero address and told not to relocate to zero (kdump or RELOCATABLE_TEST), the mapping of the interrupt code at zero is left with RWX permissions. That is a security weakness, and leads to a warning at boot if CONFIG_DEBUG_WX is enabled: powerpc/mm: Found insecure W+X mapping at address 00000000056435bc/0xc000000000000000 WARNING: CPU: 1 PID: 1 at arch/powerpc/mm/ptdump/ptdump.c:193 note_page+0x484/0x4c0 CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc1-00001-g8ae8e98aea82-dirty #175 Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,git-dd0dca hv:linux,kvm pSeries NIP: c0000000004a1c34 LR: c0000000004a1c30 CTR: 0000000000000000 REGS: c000000003503770 TRAP: 0700 Not tainted (6.2.0-rc1-00001-g8ae8e98aea82-dirty) MSR: 8000000002029033 CR: 24000220 XER: 00000000 CFAR: c000000000545a58 IRQMASK: 0 ... NIP note_page+0x484/0x4c0 LR note_page+0x480/0x4c0 Call Trace: note_page+0x480/0x4c0 (unreliable) ptdump_pmd_entry+0xc8/0x100 walk_pgd_range+0x618/0xab0 walk_page_range_novma+0x74/0xc0 ptdump_walk_pgd+0x98/0x170 ptdump_check_wx+0x94/0x100 mark_rodata_ro+0x30/0x70 kernel_init+0x78/0x1a0 ret_from_kernel_thread+0x5c/0x64 The fix has two parts. Firstly the pages from zero up to the end of interrupts need to be marked read-only, so that they are left with R-X permissions. Secondly the mapping logic needs to be taught to ensure there is a page boundary at the end of the interrupt region, so that the permission change only applies to the interrupt text, and not the region following it. Fixes: c55d7b5e6426 ("powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE") Reported-by: Sachin Sant Tested-by: Sachin Sant Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230110124753.1325426-2-mpe@ellerman.id.au commit 98d0219e043e09013e883eacde3b93e0b2bf944d Author: Michael Ellerman Date: Tue Jan 10 23:47:52 2023 +1100 powerpc/64s/radix: Fix crash with unaligned relocated kernel If a relocatable kernel is loaded at an address that is not 2MB aligned and told not to relocate to zero, the kernel can crash due to mark_rodata_ro() incorrectly changing some read-write data to read-only. Scenarios where the misalignment can occur are when the kernel is loaded by kdump or using the RELOCATABLE_TEST config option. Example crash with the kernel loaded at 5MB: Run /sbin/init as init process BUG: Unable to handle kernel data access on write at 0xc000000000452000 Faulting instruction address: 0xc0000000005b6730 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries CPU: 1 PID: 1 Comm: init Not tainted 6.2.0-rc1-00011-g349188be4841 #166 Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,git-5b4c5a hv:linux,kvm pSeries NIP: c0000000005b6730 LR: c000000000ae9ab8 CTR: 0000000000000380 REGS: c000000004503250 TRAP: 0300 Not tainted (6.2.0-rc1-00011-g349188be4841) MSR: 8000000000009033 CR: 44288480 XER: 00000000 CFAR: c0000000005b66ec DAR: c000000000452000 DSISR: 0a000000 IRQMASK: 0 ... NIP memset+0x68/0x104 LR zero_user_segments.constprop.0+0xa8/0xf0 Call Trace: ext4_mpage_readpages+0x7f8/0x830 ext4_readahead+0x48/0x60 read_pages+0xb8/0x380 page_cache_ra_unbounded+0x19c/0x250 filemap_fault+0x58c/0xae0 __do_fault+0x60/0x100 __handle_mm_fault+0x1230/0x1a40 handle_mm_fault+0x120/0x300 ___do_page_fault+0x20c/0xa80 do_page_fault+0x30/0xc0 data_access_common_virt+0x210/0x220 This happens because mark_rodata_ro() tries to change permissions on the range _stext..__end_rodata, but _stext sits in the middle of the 2MB page from 4MB to 6MB: radix-mmu: Mapped 0x0000000000000000-0x0000000000200000 with 2.00 MiB pages (exec) radix-mmu: Mapped 0x0000000000200000-0x0000000000400000 with 2.00 MiB pages radix-mmu: Mapped 0x0000000000400000-0x0000000002400000 with 2.00 MiB pages (exec) The logic that changes the permissions assumes the linear mapping was split correctly at boot, so it marks the entire 2MB page read-only. That leads to the write fault above. To fix it, the boot time mapping logic needs to consider that if the kernel is running at a non-zero address then _stext is a boundary where it must split the mapping. That leads to the mapping being split correctly, allowing the rodata permission change to take happen correctly, with no spillover: radix-mmu: Mapped 0x0000000000000000-0x0000000000200000 with 2.00 MiB pages (exec) radix-mmu: Mapped 0x0000000000200000-0x0000000000400000 with 2.00 MiB pages radix-mmu: Mapped 0x0000000000400000-0x0000000000500000 with 64.0 KiB pages radix-mmu: Mapped 0x0000000000500000-0x0000000000600000 with 64.0 KiB pages (exec) radix-mmu: Mapped 0x0000000000600000-0x0000000002400000 with 2.00 MiB pages (exec) If the kernel is loaded at a 2MB aligned address, the mapping continues to use 2MB pages as before: radix-mmu: Mapped 0x0000000000000000-0x0000000000200000 with 2.00 MiB pages (exec) radix-mmu: Mapped 0x0000000000200000-0x0000000000400000 with 2.00 MiB pages radix-mmu: Mapped 0x0000000000400000-0x0000000002c00000 with 2.00 MiB pages (exec) radix-mmu: Mapped 0x0000000002c00000-0x0000000100000000 with 2.00 MiB pages Fixes: c55d7b5e6426 ("powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230110124753.1325426-1-mpe@ellerman.id.au commit 7294194b47e994753a86eee8cf1c61f3f36458a3 Author: Michael Ellerman Date: Mon Jan 30 12:47:07 2023 +1100 powerpc/kexec_file: Fix division by zero in extra size estimation In kexec_extra_fdt_size_ppc64() there's logic to estimate how much extra space will be needed in the device tree for some memory related properties. That logic uses the size of RAM divided by drmem_lmb_size() to do the estimation. However drmem_lmb_size() can be zero if the machine has no hotpluggable memory configured, which is the case when booting with qemu and no maxmem=x parameter is passed (the default). The division by zero is reported by UBSAN, and can also lead to an overflow and a warning from kvmalloc, and kdump kernel loading fails: WARNING: CPU: 0 PID: 133 at mm/util.c:596 kvmalloc_node+0x15c/0x160 Modules linked in: CPU: 0 PID: 133 Comm: kexec Not tainted 6.2.0-rc5-03455-g07358bd97810 #223 Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1200 0xf000005 of:SLOF,git-dd0dca pSeries NIP: c00000000041ff4c LR: c00000000041fe58 CTR: 0000000000000000 REGS: c0000000096ef750 TRAP: 0700 Not tainted (6.2.0-rc5-03455-g07358bd97810) MSR: 800000000282b033 CR: 24248242 XER: 2004011e CFAR: c00000000041fed0 IRQMASK: 0 ... NIP kvmalloc_node+0x15c/0x160 LR kvmalloc_node+0x68/0x160 Call Trace: kvmalloc_node+0x68/0x160 (unreliable) of_kexec_alloc_and_setup_fdt+0xb8/0x7d0 elf64_load+0x25c/0x4a0 kexec_image_load_default+0x58/0x80 sys_kexec_file_load+0x5c0/0x920 system_call_exception+0x128/0x330 system_call_vectored_common+0x15c/0x2ec To fix it, skip the calculation if drmem_lmb_size() is zero. Fixes: 2377c92e37fe ("powerpc/kexec_file: fix FDT size estimation for kdump kernel") Cc: stable@vger.kernel.org # v5.12+ Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230130014707.541110-1-mpe@ellerman.id.au commit 57e9af7831dcf211c5c689c2a6f209f4abdf0bce Author: Ilpo Järvinen Date: Mon Jan 30 13:48:41 2023 +0200 serial: 8250_dma: Fix DMA Rx rearm race As DMA Rx can be completed from two places, it is possible that DMA Rx completes before DMA completion callback had a chance to complete it. Once the previous DMA Rx has been completed, a new one can be started on the next UART interrupt. The following race is possible (uart_unlock_and_check_sysrq_irqrestore() replaced with spin_unlock_irqrestore() for simplicity/clarity): CPU0 CPU1 dma_rx_complete() serial8250_handle_irq() spin_lock_irqsave(&port->lock) handle_rx_dma() serial8250_rx_dma_flush() __dma_rx_complete() dma->rx_running = 0 // Complete DMA Rx spin_unlock_irqrestore(&port->lock) serial8250_handle_irq() spin_lock_irqsave(&port->lock) handle_rx_dma() serial8250_rx_dma() dma->rx_running = 1 // Setup a new DMA Rx spin_unlock_irqrestore(&port->lock) spin_lock_irqsave(&port->lock) // sees dma->rx_running = 1 __dma_rx_complete() dma->rx_running = 0 // Incorrectly complete // running DMA Rx This race seems somewhat theoretical to occur for real but handle it correctly regardless. Check what is the DMA status before complething anything in __dma_rx_complete(). Reported-by: Gilles BULOZ Tested-by: Gilles BULOZ Fixes: 9ee4b83e51f7 ("serial: 8250: Add support for dmaengine") Cc: stable@vger.kernel.org Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20230130114841.25749-3-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 31352811e13dc2313f101b890fd4b1ce760b5fe7 Author: Ilpo Järvinen Date: Mon Jan 30 13:48:40 2023 +0200 serial: 8250_dma: Fix DMA Rx completion race __dma_rx_complete() is called from two places: - Through the DMA completion callback dma_rx_complete() - From serial8250_rx_dma_flush() after IIR_RLSI or IIR_RX_TIMEOUT The former does not hold port's lock during __dma_rx_complete() which allows these two to race and potentially insert the same data twice. Extend port's lock coverage in dma_rx_complete() to prevent the race and check if the DMA Rx is still pending completion before calling into __dma_rx_complete(). Reported-by: Gilles BULOZ Tested-by: Gilles BULOZ Fixes: 9ee4b83e51f7 ("serial: 8250: Add support for dmaengine") Cc: stable@vger.kernel.org Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20230130114841.25749-2-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 3f6c02fa712bd453871877fe1d1969625617471e Author: Marek Vasut Date: Fri Jan 20 17:03:32 2023 +0100 serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler Requesting an interrupt with IRQF_ONESHOT will run the primary handler in the hard-IRQ context even in the force-threaded mode. The force-threaded mode is used by PREEMPT_RT in order to avoid acquiring sleeping locks (spinlock_t) in hard-IRQ context. This combination makes it impossible and leads to "sleeping while atomic" warnings. Use one interrupt handler for both handlers (primary and secondary) and drop the IRQF_ONESHOT flag which is not needed. Fixes: e359b4411c283 ("serial: stm32: fix threaded interrupt handling") Reviewed-by: Sebastian Andrzej Siewior Tested-by: Valentin Caron # V3 Signed-off-by: Marek Vasut Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230120160332.57930-1-marex@denx.de Signed-off-by: Greg Kroah-Hartman commit 9944028659e638587c2c27aaaf5ebd7531ebe0fa Merge: bf29ce87ba137 2acd031347f64 Author: Greg Kroah-Hartman Date: Tue Jan 31 10:51:39 2023 +0100 Merge tag 'iio-fixes-for-6.2a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into char-misc-next Jonathan writes: "1st set of IIO fixes for the 6.2 cycle. The usual mixed bag - with a bunch of issues found by Carlos Song in the fxos8700 IMU driver dominating. hid-accel,gyro - Fix wrong returned value when read succeeds. marvell,berlin-adc - Missing of_node_put() in an error path. nxp,fxos8700 (freescale) - Wrong channel type match. - Swapped channel read back. - Incomplete channel read back (not enough bytes). - Missing shift of acceleration data. - Range selection didn't work (datasheet bug) - Wrong ODR mode read back due to wrong field offset. - Drop unused, but wrong define. - Fix issue with magnetometer scale an units. nxp,imx8qxp - Fix an irq flood due to not reading data early enough. st,lsm6dsx - Add CONFIG_IIO_TRIGGERED_BUFFER select. st,stm32-adc - Fix missing MODULE_DEVICE_TABLE() needed for module aliases. ti,twl6030 - Fix missing enable of some channels. - Fix a typo in previous patch that meant one channel still wasn't enabled. xilinx,xadc - Carrying on incorrectly after allocation error." * tag 'iio-fixes-for-6.2a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio: iio: imu: fxos8700: fix MAGN sensor scale and unit iio: imu: fxos8700: remove definition FXOS8700_CTRL_ODR_MIN iio: imu: fxos8700: fix failed initialization ODR mode assignment iio: imu: fxos8700: fix incorrect ODR mode readback iio: light: cm32181: Fix PM support on system with 2 I2C resources iio: hid: fix the retval in gyro_3d_capture_sample iio: hid: fix the retval in accel_3d_capture_sample iio: imu: st_lsm6dsx: fix build when CONFIG_IIO_TRIGGERED_BUFFER=m iio:adc:twl6030: Enable measurement of VAC iio: imu: fxos8700: fix ACCEL measurement range selection iio: imu: fxos8700: fix IMU data bits returned to user space iio: imu: fxos8700: fix incomplete ACCEL and MAGN channels readback iio: imu: fxos8700: fix swapped ACCEL and MAGN channels readback iio: imu: fxos8700: fix map label of channel type to MAGN sensor iio:adc:twl6030: Enable measurements of VUSB, VBAT and others iio: imx8qxp-adc: fix irq flood when call imx8qxp_adc_read_raw() iio: adc: xilinx-ams: fix devm_krealloc() return value check iio: adc: berlin2-adc: Add missing of_node_put() in error path iio: adc: stm32-dfsdm: fill module aliases commit de5ca4c3852f896cacac2bf259597aab5e17d9e3 Author: Kees Cook Date: Fri Jan 27 14:40:37 2023 -0800 net: sched: sch: Bounds check priority Nothing was explicitly bounds checking the priority index used to access clpriop[]. WARN and bail out early if it's pathological. Seen with GCC 13: ../net/sched/sch_htb.c: In function 'htb_activate_prios': ../net/sched/sch_htb.c:437:44: warning: array subscript [0, 31] is outside array bounds of 'struct htb_prio[8]' [-Warray-bounds=] 437 | if (p->inner.clprio[prio].feed.rb_node) | ~~~~~~~~~~~~~~~^~~~~~ ../net/sched/sch_htb.c:131:41: note: while referencing 'clprio' 131 | struct htb_prio clprio[TC_HTB_NUMPRIO]; | ^~~~~~ Cc: Jamal Hadi Salim Cc: Cong Wang Cc: Jiri Pirko Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Simon Horman Reviewed-by: Cong Wang Link: https://lore.kernel.org/r/20230127224036.never.561-kees@kernel.org Signed-off-by: Paolo Abeni commit f3eceaed9edd7c0e0d9fb057613131f92973626f Author: Kees Cook Date: Fri Jan 27 14:38:54 2023 -0800 net: ethernet: mtk_eth_soc: Avoid truncating allocation There doesn't appear to be a reason to truncate the allocation used for flow_info, so do a full allocation and remove the unused empty struct. GCC does not like having a reference to an object that has been partially allocated, as bounds checking may become impossible when such an object is passed to other code. Seen with GCC 13: ../drivers/net/ethernet/mediatek/mtk_ppe.c: In function 'mtk_foe_entry_commit_subflow': ../drivers/net/ethernet/mediatek/mtk_ppe.c:623:18: warning: array subscript 'struct mtk_flow_entry[0]' is partly outside array bounds of 'unsigned char[48]' [-Warray-bounds=] 623 | flow_info->l2_data.base_flow = entry; | ^~ Cc: Felix Fietkau Cc: John Crispin Cc: Sean Wang Cc: Mark Lee Cc: Lorenzo Bianconi Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Matthias Brugger Cc: netdev@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-mediatek@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20230127223853.never.014-kees@kernel.org Signed-off-by: Paolo Abeni commit 22e46f6480e83bcf49b6d5e6b66c81872c97a902 Author: Jan Luebbe Date: Tue Jan 31 09:43:23 2023 +0100 kbuild: modinst: Fix build error when CONFIG_MODULE_SIG_KEY is a PKCS#11 URI When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*), signing of modules fails: scripts/sign-file sha256 /.../linux/pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 /.../kernel/crypto/tcrypt.ko Usage: scripts/sign-file [-dp] [] scripts/sign-file -s [] First, we need to avoid adding the $(srctree)/ prefix to the URL. Second, since the kconfig string values no longer include quotes, we need to add them again when passing a PKCS#11 URI to sign-file. This avoids splitting by the shell if the URI contains semicolons. Fixes: 4db9c2e3d055 ("kbuild: stop using config_filename in scripts/Makefile.modsign") Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf") Signed-off-by: Jan Luebbe Signed-off-by: Masahiro Yamada commit b1c3d2beed8ef3699fab106340e33a79052df116 Author: Jan Luebbe Date: Tue Jan 31 09:43:22 2023 +0100 certs: Fix build error when PKCS#11 URI contains semicolon When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a semicolon, signing_key.x509 fails to build: certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 Usage: extract-cert Add quotes to the extract-cert argument to avoid splitting by the shell. This approach was suggested by Masahiro Yamada . Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf") Signed-off-by: Jan Luebbe Signed-off-by: Masahiro Yamada commit c7a806d9ce6757ff56078674916e53bd859f242d Author: Takashi Sakamoto Date: Mon Jan 30 23:15:40 2023 +0900 ALSA: firewire-motu: fix unreleased lock warning in hwdep device Smatch static analysis tool detects that acquired lock is not released in hwdep device when condition branch is passed due to no event. It is unlikely to occur, while fulfilling is preferable for better coding. Reported-by: Dan Carpenter Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20230130141540.102854-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai commit 9b3fc325c2a7e9e17e22b008357cb0ceb810d9b2 Merge: ffe2a22562444 71a06f1034b91 Author: Jakub Kicinski Date: Mon Jan 30 21:11:11 2023 -0800 Merge tag 'ieee802154-for-net-2023-01-30' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan Stefan Schmidt says: ==================== ieee802154 for net 2023-01-30 Only one fix this time around. Miquel Raynal fixed a potential double free spotted by Dan Carpenter. * tag 'ieee802154-for-net-2023-01-30' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan: mac802154: Fix possible double free upon parsing error ==================== Link: https://lore.kernel.org/r/20230130095646.301448-1-stefan@datenfreihafen.org Signed-off-by: Jakub Kicinski commit ffe2a22562444720b05bdfeb999c03e810d84cbb Author: Pietro Borrello Date: Sat Jan 28 16:29:17 2023 +0000 net/tls: tls_is_tx_ready() checked list_entry tls_is_tx_ready() checks that list_first_entry() does not return NULL. This condition can never happen. For empty lists, list_first_entry() returns the list_entry() of the head, which is a type confusion. Use list_first_entry_or_null() which returns NULL in case of empty lists. Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") Signed-off-by: Pietro Borrello Link: https://lore.kernel.org/r/20230128-list-entry-null-check-tls-v1-1-525bbfe6f0d0@diag.uniroma1.it Signed-off-by: Jakub Kicinski commit 84115f0e74ea73eccc44842a125f242a02097493 Merge: 73a876022273c 53b9b77dcf48d Author: Jakub Kicinski Date: Mon Jan 30 21:02:44 2023 -0800 Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2023-01-27 (ice) This series contains updates to ice driver only. Dave prevents modifying channels when RDMA is active as this will break RDMA traffic. Michal fixes a broken URL. * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: ice: Fix broken link in ice NAPI doc ice: Prevent set_channel from changing queues while RDMA active ==================== Link: https://lore.kernel.org/r/20230127225333.1534783-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit ad53db4acb415976761d7302f5b02e97f2bd097e Author: Michael Ellerman Date: Mon Jan 30 12:44:01 2023 +1100 powerpc/imc-pmu: Revert nest_init_lock to being a mutex The recent commit 76d588dddc45 ("powerpc/imc-pmu: Fix use of mutex in IRQs disabled section") fixed warnings (and possible deadlocks) in the IMC PMU driver by converting the locking to use spinlocks. It also converted the init-time nest_init_lock to a spinlock, even though it's not used at runtime in IRQ disabled sections or while holding other spinlocks. This leads to warnings such as: BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:49 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0 preempt_count: 1, expected: 0 CPU: 7 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc2-14719-gf12cd06109f4-dirty #1 Hardware name: Mambo,Simulated-System POWER9 0x4e1203 opal:v6.6.6 PowerNV Call Trace: dump_stack_lvl+0x74/0xa8 (unreliable) __might_resched+0x178/0x1a0 __cpuhp_setup_state+0x64/0x1e0 init_imc_pmu+0xe48/0x1250 opal_imc_counters_probe+0x30c/0x6a0 platform_probe+0x78/0x110 really_probe+0x104/0x420 __driver_probe_device+0xb0/0x170 driver_probe_device+0x58/0x180 __driver_attach+0xd8/0x250 bus_for_each_dev+0xb4/0x140 driver_attach+0x34/0x50 bus_add_driver+0x1e8/0x2d0 driver_register+0xb4/0x1c0 __platform_driver_register+0x38/0x50 opal_imc_driver_init+0x2c/0x40 do_one_initcall+0x80/0x360 kernel_init_freeable+0x310/0x3b8 kernel_init+0x30/0x1a0 ret_from_kernel_thread+0x5c/0x64 Fix it by converting nest_init_lock back to a mutex, so that we can call sleeping functions while holding it. There is no interaction between nest_init_lock and the runtime spinlocks used by the actual PMU routines. Fixes: 76d588dddc45 ("powerpc/imc-pmu: Fix use of mutex in IRQs disabled section") Tested-by: Kajol Jain Reviewed-by: Kajol Jain Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230130014401.540543-1-mpe@ellerman.id.au commit 90741096769bd75152a5fe397343e5893c7d905a Author: Ben Skeggs Date: Tue Jan 31 08:37:15 2023 +1000 drm/nouveau/acr/gm20b: regression fixes Missed some Tegra-specific quirks when reworking ACR to support Ampere. Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs") Signed-off-by: Ben Skeggs Tested-by: Diogo Ivo Tested-by: Nicolas Chauvet Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20230130223715.1831509-3-bskeggs@redhat.com commit b480600988181c411d46a7f8da24d78d1e5ee151 Author: Ben Skeggs Date: Tue Jan 31 08:37:14 2023 +1000 drm/nouveau/fb/tu102-: fix register used to determine scrub status Turing apparently needs to use the same register we use on Ampere. Not executing the scrubber ucode when required would result in large areas of VRAM being inaccessible to the driver. Signed-off-by: Ben Skeggs Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20230130223715.1831509-2-bskeggs@redhat.com commit d22915d22ded21fd5b24b60d174775789f173997 Author: Ben Skeggs Date: Tue Jan 31 08:37:13 2023 +1000 drm/nouveau/devinit/tu102-: wait for GFW_BOOT_PROGRESS == COMPLETED Starting from Turing, the driver is no longer responsible for initiating DEVINIT when required as the GPU started loading a FW image from ROM and executing DEVINIT itself after power-on. However - we apparently still need to wait for it to complete. This should correct some issues with runpm on some systems, where we get control of the HW before it's been fully reinitialised after resume from suspend. Signed-off-by: Ben Skeggs Reviewed-by: Lyude Paul Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20230130223715.1831509-1-bskeggs@redhat.com commit 606d4ef4922662ded34aa7218288c3043ce0a41a Author: Joel Stanley Date: Tue Jan 31 08:38:45 2023 +1030 pinctrl: aspeed: Revert "Force to disable the function's signal" This reverts commit cf517fef601b9dde151f0afc27164d13bf1fd907. The commit cf517fef601b ("pinctrl: aspeed: Force to disable the function's signal") exposed a problem with fetching the regmap for reading the GFX register. The Romulus machine the device tree contains a gpio hog for GPIO S7. With the patch applied: Muxing pin 151 for GPIO Disabling signal VPOB9 for VPO aspeed-g5-pinctrl 1e6e2080.pinctrl: Failed to acquire regmap for IP block 1 aspeed-g5-pinctrl 1e6e2080.pinctrl: request() failed for pin 151 The code path is aspeed-gpio -> pinmux-g5 -> regmap -> clk, and the of_clock code returns an error as it doesn't have a valid struct clk_hw pointer. The regmap call happens because pinmux wants to check the GFX node (IP block 1) to query bits there. For reference, before the offending patch: Muxing pin 151 for GPIO Disabling signal VPOB9 for VPO Want SCU8C[0x00000080]=0x1, got 0x0 from 0x00000000 Disabling signal VPOB9 for VPOOFF1 Want SCU8C[0x00000080]=0x1, got 0x0 from 0x00000000 Disabling signal VPOB9 for VPOOFF2 Want SCU8C[0x00000080]=0x1, got 0x0 from 0x00000000 Enabling signal GPIOS7 for GPIOS7 Muxed pin 151 as GPIOS7 gpio-943 (seq_cont): hogged as output/low We can't skip the clock check to allow pinmux to proceed, because the write to disable VPOB9 will try to set a bit in the GFX register space which will not stick when the IP is in reset. However, we do not want to enable the IP just so pinmux can do a disable-enable dance for the pin. For now, revert the offending patch while a correct solution is found. Fixes: cf517fef601b ("pinctrl: aspeed: Force to disable the function's signal") Link: https://github.com/openbmc/linux/issues/218 Signed-off-by: Joel Stanley Link: https://lore.kernel.org/r/20230130220845.917985-1-joel@jms.id.au Signed-off-by: Linus Walleij commit dd2f0a0a2f751b7aafaea5cbba8e65a55fd12f94 Author: Rae Moar Date: Fri Jan 27 20:39:50 2023 +0000 kunit: fix bug in KUNIT_EXPECT_MEMEQ In KUNIT_EXPECT_MEMEQ and KUNIT_EXPECT_MEMNEQ, add check if one of the inputs is NULL and fail if this is the case. Currently, the kernel crashes if one of the inputs is NULL. Instead, fail the test and add an appropriate error message. Fixes: b8a926bea8b1 ("kunit: Introduce KUNIT_EXPECT_MEMEQ and KUNIT_EXPECT_MEMNEQ macros") This was found by the kernel test robot: https://lore.kernel.org/all/202212191448.D6EDPdOh-lkp@intel.com/ Reported-by: kernel test robot Signed-off-by: Rae Moar Reviewed-by: David Gow Signed-off-by: Shuah Khan commit 47a2bd9d985bfdb55900f313603619fc9234f317 Author: Chaitanya Kumar Borah Date: Thu Jan 12 15:11:31 2023 +0530 drm/i915/adlp: Fix typo for reference clock Fix typo for reference clock from 24400 to 24000. Bspec: 55409 Fixes: 626426ff9ce4 ("drm/i915/adl_p: Add cdclk support for ADL-P") Reviewed-by: Matt Roper Signed-off-by: Chaitanya Kumar Borah Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20230112094131.550252-1-chaitanya.kumar.borah@intel.com (cherry picked from commit 2b6f7e39ccae065abfbe3b6e562ec95ccad09f1e) Signed-off-by: Rodrigo Vivi commit 7057a8f126f14f14b040faecfa220fd27c6c2f85 Author: Rob Clark Date: Fri Jan 27 12:05:31 2023 -0800 drm/i915: Fix potential bit_17 double-free A userspace with multiple threads racing I915_GEM_SET_TILING to set the tiling to I915_TILING_NONE could trigger a double free of the bit_17 bitmask. (Or conversely leak memory on the transition to tiled.) Move allocation/free'ing of the bitmask within the section protected by the obj lock. Signed-off-by: Rob Clark Fixes: 2850748ef876 ("drm/i915: Pull i915_vma_pin under the vm->mutex") Cc: # v5.5+ [tursulin: Correct fixes tag and added cc stable.] Reviewed-by: Tvrtko Ursulin Signed-off-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20230127200550.3531984-1-robdclark@gmail.com (cherry picked from commit 10e0cbaaf1104f449d695c80bcacf930dcd3c42e) Signed-off-by: Rodrigo Vivi commit 5bc4b43d5c6c9692ddc7b96116650cdf9406f3da Author: John Harrison Date: Thu Jan 26 16:28:37 2023 -0800 drm/i915: Fix up locking around dumping requests lists The debugfs dump of requests was confused about what state requires the execlist lock versus the GuC lock. There was also a bunch of duplicated messy code between it and the error capture code. So refactor the hung request search into a re-usable function. And reduce the span of the execlist state lock to only the execlist specific code paths. In order to do that, also move the report of hold count (which is an execlist only concept) from the top level dump function to the lower level execlist specific function. Also, move the execlist specific code into the execlist source file. v2: Rename some functions and move to more appropriate files (Daniele). v3: Rename new execlist dump function (Daniele) Fixes: dc0dad365c5e ("drm/i915/guc: Fix for error capture after full GPU reset with GuC") Signed-off-by: John Harrison Reviewed-by: Daniele Ceraolo Spurio Acked-by: Tvrtko Ursulin Cc: Matthew Brost Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: Matt Roper Cc: Umesh Nerlige Ramappa Cc: Michael Cheng Cc: Lucas De Marchi Cc: Bruce Chang Cc: Alan Previn Cc: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20230127002842.3169194-4-John.C.Harrison@Intel.com (cherry picked from commit a4be3dca53172d9d2091e4b474fb795c81ed3d6c) Signed-off-by: Rodrigo Vivi commit 86d8ddc74124c3fdfc139f246ba6da15e45e86e3 Author: John Harrison Date: Thu Jan 26 16:28:36 2023 -0800 drm/i915: Fix request ref counting during error capture & debugfs dump When GuC support was added to error capture, the reference counting around the request object was broken. Fix it up. The context based search manages the spinlocking around the search internally. So it needs to grab the reference count internally as well. The execlist only request based search relies on external locking, so it needs an external reference count but within the spinlock not outside it. The only other caller of the context based search is the code for dumping engine state to debugfs. That code wasn't previously getting an explicit reference at all as it does everything while holding the execlist specific spinlock. So, that needs updaing as well as that spinlock doesn't help when using GuC submission. Rather than trying to conditionally get/put depending on submission model, just change it to always do the get/put. v2: Explicitly document adding an extra blank line in some dense code (Andy Shevchenko). Fix multiple potential null pointer derefs in case of no request found (some spotted by Tvrtko, but there was more!). Also fix a leaked request in case of !started and another in __guc_reset_context now that intel_context_find_active_request is actually reference counting the returned request. v3: Add a _get suffix to intel_context_find_active_request now that it grabs a reference (Daniele). v4: Split the intel_guc_find_hung_context change to a separate patch and rename intel_context_find_active_request_get to intel_context_get_active_request (Tvrtko). v5: s/locking/reference counting/ in commit message (Tvrtko) Fixes: dc0dad365c5e ("drm/i915/guc: Fix for error capture after full GPU reset with GuC") Fixes: 573ba126aef3 ("drm/i915/guc: Capture error state on context reset") Signed-off-by: John Harrison Reviewed-by: Daniele Ceraolo Spurio Acked-by: Tvrtko Ursulin Cc: Matthew Brost Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: Andrzej Hajda Cc: Matthew Auld Cc: Matt Roper Cc: Umesh Nerlige Ramappa Cc: Michael Cheng Cc: Lucas De Marchi Cc: Tejas Upadhyay Cc: Andy Shevchenko Cc: Aravind Iddamsetty Cc: Alan Previn Cc: Bruce Chang Link: https://patchwork.freedesktop.org/patch/msgid/20230127002842.3169194-3-John.C.Harrison@Intel.com (cherry picked from commit 3700e353781e27f1bc7222f51f2cc36cbeb9b4ec) Signed-off-by: Rodrigo Vivi commit 87b04e53daf806945c415e94de9f90943d434aed Author: John Harrison Date: Thu Jan 26 16:28:35 2023 -0800 drm/i915/guc: Fix locking when searching for a hung request intel_guc_find_hung_context() was not acquiring the correct spinlock before searching the request list. So fix that up. While at it, add some extra whitespace padding for readability. Fixes: dc0dad365c5e ("drm/i915/guc: Fix for error capture after full GPU reset with GuC") Signed-off-by: John Harrison Reviewed-by: Daniele Ceraolo Spurio Acked-by: Tvrtko Ursulin Cc: Matthew Brost Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: Matt Roper Cc: Umesh Nerlige Ramappa Cc: Michael Cheng Cc: Lucas De Marchi Cc: Tejas Upadhyay Cc: Chris Wilson Cc: Bruce Chang Cc: Alan Previn Cc: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20230127002842.3169194-2-John.C.Harrison@Intel.com (cherry picked from commit d1c3717501bcf56536e8b8c1bdaf5cd5357f6bb2) Signed-off-by: Rodrigo Vivi commit 41d419382ec7e257e54b7b6ff0d3623aafb1316d Author: Rob Clark Date: Thu Jan 19 09:32:58 2023 -0800 drm/i915: Avoid potential vm use-after-free Adding the vm to the vm_xa table makes it visible to userspace, which could try to race with us to close the vm. So we need to take our extra reference before putting it in the table. Signed-off-by: Rob Clark Reviewed-by: Matthew Auld Fixes: 9ec8795e7d91 ("drm/i915: Drop __rcu from gem_context->vm") Cc: # v5.16+ Signed-off-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20230119173321.2825472-1-robdclark@gmail.com (cherry picked from commit 99343c46d4e2b34c285d3d5f68ff04274c2f9fb4) Signed-off-by: Rodrigo Vivi commit 22b8077d0fcec86c6ed0e0fce9f7e7e5a4c2d56a Merge: 6d796c50f84ca 3288666c72568 Author: Linus Torvalds Date: Mon Jan 30 11:58:53 2023 -0800 Merge tag 'fscache-fixes-20230130' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull fscache fixes from David Howells: "Fix two problems in fscache volume handling: - wake_up_bit() is incorrectly paired with wait_var_event(). The latter selects the waitqueue to use differently. - Missing barriers ordering between state bit and task state" * tag 'fscache-fixes-20230130' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: fscache: Use clear_and_wake_up_bit() in fscache_create_volume_work() fscache: Use wait_on_bit() to wait for the freeing of relinquished volume commit 8a74191c899efd3a0e942632f31dad0ea7eb4c7f Merge: a6e6ceb28a268 1febf88ef907b Author: Arnd Bergmann Date: Mon Jan 30 17:44:27 2023 +0100 Merge tag 'imx-fixes-6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes i.MX fixes for 6.2, round 2: - Update MAINTAINERS i.MX entry to match arm64 freescale DTS. - Drop misused 'uart-has-rtscts' from imx8m-venice boards. - Fix USB host over-current polarity for imx7d-smegw01 board. - Fix a typo in i.MX8DXL sc_pwrkey property name. - Fix GPIO watchdog property for i.MX8MM eDM SBC board. - Keep Ethernet PHY powered on imx8mm-verdin to avoid kernel crash. - Fix configuration of i.MX8MM pad UART1_DTE_RX. * tag 'imx-fixes-6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: dts: imx7d-smegw01: Fix USB host over-current polarity arm64: dts: imx8mm-verdin: Do not power down eth-phy MAINTAINERS: match freescale ARM64 DT directory in i.MX entry arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX arm64: dts: freescale: imx8dxl: fix sc_pwrkey's property name linux,keycode arm64: dts: imx8m-venice: Remove incorrect 'uart-has-rtscts' arm64: dts: imx8mm: Reinstate GPIO watchdog always-running property on eDM SBC Link: https://lore.kernel.org/r/20230130003614.GP20713@T480 Signed-off-by: Arnd Bergmann commit a6e6ceb28a268a2a0ec9a2ebe4081ec1d1799228 Merge: d2591298b9ab5 f71eaf2708be7 Author: Arnd Bergmann Date: Mon Jan 30 17:43:41 2023 +0100 Merge tag 'sunxi-fixes-for-6.2-1' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into arm/fixes - Fix error handling in RSB init * tag 'sunxi-fixes-for-6.2-1' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() Link: https://lore.kernel.org/r/Y9RWcDdO0nj98KVj@jernej-laptop Signed-off-by: Arnd Bergmann commit d2591298b9ab576b568f0c49d60a7f21d0c8d1e2 Author: Krzysztof Kozlowski Date: Fri Jan 27 11:59:35 2023 +0100 MAINTAINERS: amd: drop inactive Brijesh Singh Emails to Brijesh Singh bounce ("550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup"). Signed-off-by: Krzysztof Kozlowski Acked-by: Tom Lendacky Link: https://lore.kernel.org/r/20230127105935.99174-1-krzysztof.kozlowski@linaro.org Signed-off-by: Arnd Bergmann commit 581e43ef5de6cc3369b2496362348e38bc85ded0 Author: Lorenzo Pieralisi Date: Mon Jan 30 11:08:50 2023 +0100 MAINTAINERS: Promote Krzysztof to PCI controller maintainer Krzysztof has contributed significantly to the PCI controller subsystem recently through reviews, tooling and submissions. Update the MAINTAINERS file to grant him the role he deserves. Link: https://lore.kernel.org/r/20230130100850.24994-1-lpieralisi@kernel.org Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Cc: Krzysztof Wilczyński commit 32e40f9506b9e32917eb73154f93037b443124d1 Author: Alexander Egorenkov Date: Fri Jan 27 14:52:42 2023 +0100 watchdog: diag288_wdt: fix __diag288() inline assembly The DIAG 288 statement consumes an EBCDIC string the address of which is passed in a register. Use a "memory" clobber to tell the compiler that memory is accessed within the inline assembly. Signed-off-by: Alexander Egorenkov Reviewed-by: Heiko Carstens Cc: Signed-off-by: Heiko Carstens commit fe8973a3ad0905cb9ba2d42db42ed51de14737df Author: Alexander Egorenkov Date: Fri Jan 27 14:52:41 2023 +0100 watchdog: diag288_wdt: do not use stack buffers for hardware data With CONFIG_VMAP_STACK=y the stack is allocated from the vmalloc space. Data passed to a hardware or a hypervisor interface that requires V=R can no longer be allocated on the stack. Use kmalloc() to get memory for a diag288 command. Signed-off-by: Alexander Egorenkov Reviewed-by: Heiko Carstens Cc: Signed-off-by: Heiko Carstens commit eebf82012dddbdcb09e4e49d3cdfafb93bc66eb2 Author: Hans de Goede Date: Sat Jan 28 00:57:23 2023 +0100 platform/x86: thinkpad_acpi: Fix thinklight LED brightness returning 255 Reading the thinklight LED brightnes while the LED is on returns 255 (LED_FULL) but we advertise a max_brightness of 1, so this should be 1 (LED_ON). Fixes: db5e2a4ca0a7 ("platform/x86: thinkpad_acpi: Fix max_brightness of thinklight") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230127235723.412864-1-hdegoede@redhat.com commit abce209d18fd26e865b2406cc68819289db973f9 Author: Arnd Bergmann Date: Fri Jan 27 10:39:44 2023 +0100 platform/x86/amd: pmc: add CONFIG_SERIO dependency Using the serio subsystem now requires the code to be reachable: x86_64-linux-ld: drivers/platform/x86/amd/pmc.o: in function `amd_pmc_suspend_handler': pmc.c:(.text+0x86c): undefined reference to `serio_bus' Add the usual dependency: as other users of serio use 'select' rather than 'depends on', use the same here. Fixes: 8e60615e8932 ("platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20230127093950.2368575-1-arnd@kernel.org Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit e0c40529ff942a985eb0f3dacf18d35ee4dbb03d Author: Hans de Goede Date: Mon Jan 30 14:25:54 2023 +0100 platform/x86/amd/pmf: Ensure mutexes are initialized before use As soon as the first handler or sysfs file is registered the mutex may get used. Move the initialization to before any handler registration / sysfs file creation. Likewise move the destruction of the mutex to after all the de-initialization is done. Fixes: da5ce22df5fe ("platform/x86/amd/pmf: Add support for PMF core layer") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230130132554.696025-1-hdegoede@redhat.com commit f21bf62290dd4d769594dcf0e6a688783d74f6a0 Author: Shyam Sundar S K Date: Wed Jan 25 15:29:36 2023 +0530 platform/x86/amd/pmf: Fix to update SPS thermals when power supply change Every power mode of static power slider has its own AC and DC power settings. When the power source changes from AC to DC, corresponding DC thermals were not updated from PMF config store and this leads the system to always run on AC power settings. Fix it by registering with power_supply notifier and apply DC settings upon getting notified by the power_supply handler. Fixes: da5ce22df5fe ("platform/x86/amd/pmf: Add support for PMF core layer") Suggested-by: Patil Rajesh Reddy Signed-off-by: Shyam Sundar S K Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20230125095936.3292883-6-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit 635f79bc73cf3d40c4198a20b3a0e7016dd6f0d3 Author: Shyam Sundar S K Date: Wed Jan 25 15:29:35 2023 +0530 platform/x86/amd/pmf: Fix to update SPS default pprof thermals By design PMF static slider will be set to BALANCED during init, but updating to corresponding thermal values from the PMF config store was missed, leading to improper settings getting propagated to PMFW. Fixes: 4c71ae414474 ("platform/x86/amd/pmf: Add support SPS PMF feature") Suggested-by: Patil Rajesh Reddy Signed-off-by: Shyam Sundar S K Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20230125095936.3292883-5-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit 3dfe28c936f87373a2b6ada750be4c52c0f249f3 Author: Shyam Sundar S K Date: Wed Jan 25 15:29:34 2023 +0530 platform/x86/amd/pmf: update to auto-mode limits only after AMT event Auto-mode thermal limits should be updated only after receiving the AMT event. But due to a bug in the older commit, these settings were getting applied during the auto-mode init. Fix this by removing amd_pmf_set_automode() during auto-mode initialization. Fixes: 3f5571d99524 ("platform/x86/amd/pmf: Add support for Auto mode feature") Suggested-by: Patil Rajesh Reddy Signed-off-by: Shyam Sundar S K Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20230125095936.3292883-4-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit 16909aa8c9cc284085f1202c6403ecb9814af812 Author: Shyam Sundar S K Date: Wed Jan 25 15:29:33 2023 +0530 platform/x86/amd/pmf: Add helper routine to check pprof is balanced Add helper routine to check if the current platform profile is balanced mode and remove duplicate code occurrences. Signed-off-by: Shyam Sundar S K Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20230125095936.3292883-3-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit c5258d39fc4cbed37e20945715e7eb102f26d65b Author: Shyam Sundar S K Date: Wed Jan 25 15:29:32 2023 +0530 platform/x86/amd/pmf: Add helper routine to update SPS thermals Add helper routine to update the static slider information and remove the duplicate code occurrences after this change. Signed-off-by: Shyam Sundar S K Reviewed-by: Mario Limonciello Link: https://lore.kernel.org/r/20230125095936.3292883-2-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit 2036890282d56bcbf7f915ba9e04bf77967ab231 Author: Jack Yu Date: Mon Jan 30 02:43:25 2023 +0000 ASoC: rt715-sdca: fix clock stop prepare timeout issue Modify clock_stop_timeout value for rt715-sdca according to the requirement of internal clock trimming. Signed-off-by: Jack Yu Link: https://lore.kernel.org/r/574b6586267a458cac78c5ac4d5b10bd@realtek.com Signed-off-by: Mark Brown commit 3288666c72568fe1cc7f5c5ae33dfd3ab18004c8 Author: Hou Tao Date: Fri Jan 13 19:52:11 2023 +0800 fscache: Use clear_and_wake_up_bit() in fscache_create_volume_work() fscache_create_volume_work() uses wake_up_bit() to wake up the processes which are waiting for the completion of volume creation. According to comments in wake_up_bit() and waitqueue_active(), an extra smp_mb() is needed to guarantee the memory order between FSCACHE_VOLUME_CREATING flag and waitqueue_active() before invoking wake_up_bit(). Fixing it by using clear_and_wake_up_bit() to add the missing memory barrier. Reviewed-by: Jingbo Xu Signed-off-by: Hou Tao Signed-off-by: David Howells Reviewed-by: Jeff Layton Link: https://lore.kernel.org/r/20230113115211.2895845-3-houtao@huaweicloud.com/ # v3 commit 8226e37d82f43657da34dd770e2b38f20242ada7 Author: Hou Tao Date: Fri Jan 13 19:52:10 2023 +0800 fscache: Use wait_on_bit() to wait for the freeing of relinquished volume The freeing of relinquished volume will wake up the pending volume acquisition by using wake_up_bit(), however it is mismatched with wait_var_event() used in fscache_wait_on_volume_collision() and it will never wake up the waiter in the wait-queue because these two functions operate on different wait-queues. According to the implementation in fscache_wait_on_volume_collision(), if the wake-up of pending acquisition is delayed longer than 20 seconds (e.g., due to the delay of on-demand fd closing), the first wait_var_event_timeout() will timeout and the following wait_var_event() will hang forever as shown below: FS-Cache: Potential volume collision new=00000024 old=00000022 ...... INFO: task mount:1148 blocked for more than 122 seconds. Not tainted 6.1.0-rc6+ #1 task:mount state:D stack:0 pid:1148 ppid:1 Call Trace: __schedule+0x2f6/0xb80 schedule+0x67/0xe0 fscache_wait_on_volume_collision.cold+0x80/0x82 __fscache_acquire_volume+0x40d/0x4e0 erofs_fscache_register_volume+0x51/0xe0 [erofs] erofs_fscache_register_fs+0x19c/0x240 [erofs] erofs_fc_fill_super+0x746/0xaf0 [erofs] vfs_get_super+0x7d/0x100 get_tree_nodev+0x16/0x20 erofs_fc_get_tree+0x20/0x30 [erofs] vfs_get_tree+0x24/0xb0 path_mount+0x2fa/0xa90 do_mount+0x7c/0xa0 __x64_sys_mount+0x8b/0xe0 do_syscall_64+0x30/0x60 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Considering that wake_up_bit() is more selective, so fix it by using wait_on_bit() instead of wait_var_event() to wait for the freeing of relinquished volume. In addition because waitqueue_active() is used in wake_up_bit() and clear_bit() doesn't imply any memory barrier, use clear_and_wake_up_bit() to add the missing memory barrier between cursor->flags and waitqueue_active(). Fixes: 62ab63352350 ("fscache: Implement volume registration") Reviewed-by: Jingbo Xu Signed-off-by: Hou Tao Signed-off-by: David Howells Reviewed-by: Jeff Layton Link: https://lore.kernel.org/r/20230113115211.2895845-2-houtao@huaweicloud.com/ # v3 commit 6028da3f125fec34425dbd5fec18e85d372b2af6 Author: Christian Hopps Date: Thu Jan 26 11:33:50 2023 -0500 xfrm: fix bug with DSCP copy to v6 from v4 tunnel When copying the DSCP bits for decap-dscp into IPv6 don't assume the outer encap is always IPv6. Instead, as with the inner IPv4 case, copy the DSCP bits from the correctly saved "tos" value in the control block. Fixes: 227620e29509 ("[IPSEC]: Separate inner/outer mode processing on input") Signed-off-by: Christian Hopps Acked-by: Herbert Xu Signed-off-by: Steffen Klassert commit b7e08a5a63a11627601915473c3b569c1f6c6c06 Author: Yang Yingliang Date: Sun Jan 29 17:37:57 2023 +0800 RDMA/usnic: use iommu_map_atomic() under spin_lock() usnic_uiom_map_sorted_intervals() is called under spin_lock(), iommu_map() might sleep, use iommu_map_atomic() to avoid potential sleep in atomic context. Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20230129093757.637354-1-yangyingliang@huawei.com Signed-off-by: Leon Romanovsky commit 73a876022273cbc9c1db7869a54444ce8b9d085e Author: Colin Foster Date: Fri Jan 27 09:14:27 2023 -0800 net: phy: fix null dereference in phy_attach_direct Commit bc66fa87d4fd ("net: phy: Add link between phy dev and mac dev") introduced a link between net devices and phy devices. It fails to check whether dev is NULL, leading to a NULL dereference error. Fixes: bc66fa87d4fd ("net: phy: Add link between phy dev and mac dev") Signed-off-by: Colin Foster Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit c28548012ee2bac55772ef7685138bd1124b80c3 Author: Nicholas Piggin Date: Sat Jan 21 20:01:56 2023 +1000 powerpc/64: Fix perf profiling asynchronous interrupt handlers Interrupt entry sets the soft mask to IRQS_ALL_DISABLED to match the hard irq disabled state. So when should_hard_irq_enable() returns true because we want PMI interrupts in irq handlers, MSR[EE] is enabled but PMIs just get soft-masked. Fix this by clearing IRQS_PMI_DISABLED before enabling MSR[EE]. This also tidies some of the warnings, no need to duplicate them in both should_hard_irq_enable() and do_hard_irq_enable(). Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230121100156.2824054-1-npiggin@gmail.com commit bc88ef663265676419555df2dc469a471c0add31 Author: Nicholas Piggin Date: Sat Jan 21 19:53:52 2023 +1000 powerpc/64s: Fix local irq disable when PMIs are disabled When PMI interrupts are soft-masked, local_irq_save() will clear the PMI mask bit, allowing PMIs in and causing a race condition. This causes a deadlock in native_hpte_insert via hash_preload, which depends on PMIs being disabled since commit 8b91cee5eadd ("powerpc/64s/hash: Make hash faults work in NMI context"). native_hpte_insert calls local_irq_save(). It's possible the lpar hash code is also affected when tracing is enabled because __trace_hcall_entry() calls local_irq_save(). Fix this by making arch_local_irq_save() _or_ the IRQS_DISABLED bit into the mask. This was found with the stress_hpt option with a kbuild workload running together with `perf record -g`. Fixes: f442d004806e ("powerpc/64s: Add support to mask perf interrupts and replay them") Fixes: 8b91cee5eadd ("powerpc/64s/hash: Make hash faults work in NMI context") Signed-off-by: Nicholas Piggin [mpe: Just take the fix without the new warning] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230121095352.2823517-1-npiggin@gmail.com commit 611792920925fb088ddccbe2783c7f92fdfb6b64 Author: Hyunwoo Kim Date: Thu Jan 26 18:32:50 2023 -0800 netrom: Fix use-after-free caused by accept on already connected socket If you call listen() and accept() on an already connect()ed AF_NETROM socket, accept() can successfully connect. This is because when the peer socket sends data to sendmsg, the skb with its own sk stored in the connected socket's sk->sk_receive_queue is connected, and nr_accept() dequeues the skb waiting in the sk->sk_receive_queue. As a result, nr_accept() allocates and returns a sock with the sk of the parent AF_NETROM socket. And here use-after-free can happen through complex race conditions: ``` cpu0 cpu1 1. socket_2 = socket(AF_NETROM) . . listen(socket_2) accepted_socket = accept(socket_2) 2. socket_1 = socket(AF_NETROM) nr_create() // sk refcount : 1 connect(socket_1) 3. write(accepted_socket) nr_sendmsg() nr_output() nr_kick() nr_send_iframe() nr_transmit_buffer() nr_route_frame() nr_loopback_queue() nr_loopback_timer() nr_rx_frame() nr_process_rx_frame(sk, skb); // sk : socket_1's sk nr_state3_machine() nr_queue_rx_frame() sock_queue_rcv_skb() sock_queue_rcv_skb_reason() __sock_queue_rcv_skb() __skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue 4. listen(socket_1) nr_listen() uaf_socket = accept(socket_1) nr_accept() skb_dequeue(&sk->sk_receive_queue); 5. close(accepted_socket) nr_release() nr_write_internal(sk, NR_DISCREQ) nr_transmit_buffer() // NR_DISCREQ nr_route_frame() nr_loopback_queue() nr_loopback_timer() nr_rx_frame() // sk : socket_1's sk nr_process_rx_frame() // NR_STATE_3 nr_state3_machine() // NR_DISCREQ nr_disconnect() nr_sk(sk)->state = NR_STATE_0; 6. close(socket_1) // sk refcount : 3 nr_release() // NR_STATE_0 sock_put(sk); // sk refcount : 0 sk_free(sk); close(uaf_socket) nr_release() sock_hold(sk); // UAF ``` KASAN report by syzbot: ``` BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520 Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:306 [inline] print_report+0x15e/0x461 mm/kasan/report.c:417 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:102 [inline] atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline] __refcount_add include/linux/refcount.h:193 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] sock_hold include/net/sock.h:775 [inline] nr_release+0x66/0x460 net/netrom/af_netrom.c:520 __sock_release+0xcd/0x280 net/socket.c:650 sock_close+0x1c/0x20 net/socket.c:1365 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xaa8/0x2950 kernel/exit.c:867 do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 get_signal+0x21c3/0x2450 kernel/signal.c:2859 arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f6c19e3c9b9 Code: Unable to access opcode bytes at 0x7f6c19e3c98f. RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9 RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006 RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0 R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 5128: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] ____kasan_kmalloc mm/kasan/common.c:330 [inline] __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:968 [inline] __kmalloc+0x5a/0xd0 mm/slab_common.c:981 kmalloc include/linux/slab.h:584 [inline] sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 __sock_create+0x359/0x790 net/socket.c:1515 sock_create net/socket.c:1566 [inline] __sys_socket_create net/socket.c:1603 [inline] __sys_socket_create net/socket.c:1588 [inline] __sys_socket+0x133/0x250 net/socket.c:1636 __do_sys_socket net/socket.c:1649 [inline] __se_sys_socket net/socket.c:1647 [inline] __x64_sys_socket+0x73/0xb0 net/socket.c:1647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 5128: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:177 [inline] __cache_free mm/slab.c:3394 [inline] __do_kmem_cache_free mm/slab.c:3580 [inline] __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 sk_prot_free net/core/sock.c:2074 [inline] __sk_destruct+0x5df/0x750 net/core/sock.c:2166 sk_destruct net/core/sock.c:2181 [inline] __sk_free+0x175/0x460 net/core/sock.c:2192 sk_free+0x7c/0xa0 net/core/sock.c:2203 sock_put include/net/sock.h:1991 [inline] nr_release+0x39e/0x460 net/netrom/af_netrom.c:554 __sock_release+0xcd/0x280 net/socket.c:650 sock_close+0x1c/0x20 net/socket.c:1365 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xaa8/0x2950 kernel/exit.c:867 do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 get_signal+0x21c3/0x2450 kernel/signal.c:2859 arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd ``` To fix this issue, nr_listen() returns -EINVAL for sockets that successfully nr_connect(). Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Hyunwoo Kim Reviewed-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 54aa39a513dbf2164ca462a19f04519b2407a224 Author: Andrey Konovalov Date: Fri Jan 27 00:35:39 2023 +0300 net: stmmac: do not stop RX_CLK in Rx LPI state for qcs404 SoC Currently in phy_init_eee() the driver unconditionally configures the PHY to stop RX_CLK after entering Rx LPI state. This causes an LPI interrupt storm on my qcs404-base board. Change the PHY initialization so that for "qcom,qcs404-ethqos" compatible device RX_CLK continues to run even in Rx LPI state. Signed-off-by: Andrey Konovalov Signed-off-by: David S. Miller commit fe6de81b610e5d0b9d2231acff2de74a35482e7d Author: Sathvika Vasireddy Date: Sat Jan 28 18:11:58 2023 +0530 powerpc/kvm: Fix unannotated intra-function call warning objtool throws the following warning: arch/powerpc/kvm/booke.o: warning: objtool: kvmppc_fill_pt_regs+0x30: unannotated intra-function call Fix the warning by setting the value of 'nip' using the _THIS_IP_ macro, without using an assembly bl/mflr sequence to save the instruction pointer. Reported-by: kernel test robot Suggested-by: Michael Ellerman Signed-off-by: Sathvika Vasireddy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230128124158.1066251-1-sv@linux.ibm.com commit 8afffce6aa3bddc940ac1909627ff1e772b6cbf1 Author: Sathvika Vasireddy Date: Sat Jan 28 18:11:38 2023 +0530 powerpc/85xx: Fix unannotated intra-function call warning objtool throws the following warning: arch/powerpc/kernel/head_85xx.o: warning: objtool: .head.text+0x1a6c: unannotated intra-function call Fix the warning by annotating KernelSPE symbol with SYM_FUNC_START_LOCAL and SYM_FUNC_END macros. Reported-by: kernel test robot Signed-off-by: Sathvika Vasireddy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20230128124138.1066176-1-sv@linux.ibm.com commit b600de2d7d3a16f9007fad1bdae82a3951a26af2 Author: Yu Kuai Date: Mon Jan 30 09:41:36 2023 +0800 block, bfq: fix uaf for bfqq in bic_set_bfqq() After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"), bic->bfqq will be accessed in bic_set_bfqq(), however, in some context bic->bfqq will be freed, and bic_set_bfqq() is called with the freed bic->bfqq. Fix the problem by always freeing bfqq after bic_set_bfqq(). Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") Reported-and-tested-by: Shinichiro Kawasaki Signed-off-by: Yu Kuai Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20230130014136.591038-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe commit b67b09733d8a41eec33d5d37be2f8cff8af82a5e Author: Krzysztof Kozlowski Date: Thu Jan 19 13:46:31 2023 +0100 arm64: dts: rockchip: align rk3399 DMC OPP table with bindings Bindings expect certain pattern for OPP table node name and underscores are not allowed: rk3399-rock-pi-4a-plus.dtb: dmc_opp_table: $nodename:0: 'dmc_opp_table' does not match '^opp-table(-[a-z0-9]+)?$' Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20230119124631.91080-1-krzysztof.kozlowski@linaro.org Signed-off-by: Heiko Stuebner commit bc121b707e816616567683e51fd9194c2309977a Author: Dan Johansen Date: Sat Jan 28 12:24:32 2023 +0100 arm64: dts: rockchip: set sdmmc0 speed to sd-uhs-sdr50 on rock-3a As other rk336x based devices, the Rock 3 Model A has issues with high speed SD cards, so lower the speed to 50 instead of 104 in the same manor has the Quartz64 Model B has. Fixes: 22a442e6586c ("arm64: dts: rockchip: add basic dts for the radxa rock3 model a") Signed-off-by: Dan Johansen Link: https://lore.kernel.org/r/20230128112432.132302-1-strit@manjaro.org Signed-off-by: Heiko Stuebner commit 6d796c50f84ca79f1722bb131799e5a5710c4700 Author: Linus Torvalds Date: Sun Jan 29 13:59:43 2023 -0800 Linux 6.2-rc6 commit ab072681eabe1ce0a9a32d4baa1a27a2d046bc4a Merge: bc6bc34b1095b ac8f29aef2f16 Author: Linus Torvalds Date: Sun Jan 29 11:26:49 2023 -0800 Merge tag 'irq_urgent_for_v6.2_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fix from Borislav Petkov: - Cleanup the firmware node for the new IRQ MSI domain properly, to avoid leaking memory * tag 'irq_urgent_for_v6.2_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: genirq/msi: Free the fwnode created by msi_create_device_irq_domain() commit bc6bc34b1095b64840308fa0fc325c028bd9b89a Merge: 80826e9020afc 27b5de622ea3f Author: Linus Torvalds Date: Sun Jan 29 11:17:34 2023 -0800 Merge tag 'x86_urgent_for_v6.2_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: - Start checking for -mindirect-branch-cs-prefix clang support too now that LLVM 16 will support it - Fix a NULL ptr deref when suspending with Xen PV - Have a SEV-SNP guest check explicitly for features enabled by the hypervisor and fail gracefully if some are unsupported by the guest instead of failing in a non-obvious and hard-to-debug way - Fix a MSI descriptor leakage under Xen - Mark Xen's MSI domain as supporting MSI-X - Prevent legacy PIC interrupts from being resent in software by marking them level triggered, as they should be, which lead to a NULL ptr deref * tag 'x86_urgent_for_v6.2_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/build: Move '-mindirect-branch-cs-prefix' out of GCC-only block acpi: Fix suspend with Xen PV x86/sev: Add SEV-SNP guest feature negotiation support x86/pci/xen: Fixup fallout from the PCI/MSI overhaul x86/pci/xen: Set MSI_FLAG_PCI_MSIX support in Xen MSI domain x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL commit 80826e9020afc7b8243df302a13521e0020fa9d8 Merge: 803929285af41 9c445d2637c93 Author: Linus Torvalds Date: Sun Jan 29 11:06:47 2023 -0800 Merge tag 'input-for-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input fixes from Dmitry Torokhov: - touchpads on HP 15-* laptops switched back to PS/2 emulation mode - a quirk for Clevo PCX0DX/TUXEDO XP1511 to make sure keyboard is responding after resume * tag 'input-for-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: i8042 - add Clevo PCX0DX to i8042 quirk table Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode" commit 08ddbbdf0b55839ca93a12677a30a1ef24634969 Author: Ricardo Koller Date: Fri Jan 27 21:43:53 2023 +0000 KVM: selftests: aarch64: Test read-only PT memory regions Extend the read-only memslot tests in page_fault_test to test read-only PT (Page table) memslots. Note that this was not allowed before commit 406504c7b040 ("KVM: arm64: Fix S1PTW handling on RO memslots") as all S1PTW faults were treated as writes which resulted in an (unrecoverable) exception inside the guest. Signed-off-by: Ricardo Koller Reviewed-by: Oliver Upton Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230127214353.245671-5-ricarkol@google.com commit 8b03c97fa6fd442b949b71aeb7545b970b968fe3 Author: Ricardo Koller Date: Fri Jan 27 21:43:52 2023 +0000 KVM: selftests: aarch64: Fix check of dirty log PT write The dirty log checks are mistakenly testing the first page in the page table (PT) memory region instead of the page holding the test data page PTE. This wasn't an issue before commit 406504c7b040 ("KVM: arm64: Fix S1PTW handling on RO memslots") as all PT pages (including the first page) were treated as writes. Fix the page_fault_test dirty logging tests by checking for the right page: the one for the PTE of the data test page. Fixes: a4edf25b3e25 ("KVM: selftests: aarch64: Add dirty logging tests into page_fault_test") Signed-off-by: Ricardo Koller Reviewed-by: Oliver Upton Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230127214353.245671-4-ricarkol@google.com commit 42561751ea918d8f3f54412622735e1f887cb360 Author: Ricardo Koller Date: Fri Jan 27 21:43:51 2023 +0000 KVM: selftests: aarch64: Do not default to dirty PTE pages on all S1PTWs Only Stage1 Page table walks (S1PTW) trying to write into a PTE should result in the PTE page being dirty in the log. However, the dirty log tests in page_fault_test default to treat all S1PTW accesses as writes. Fix the relevant tests by asserting dirty pages only for S1PTW writes, which in these tests only applies to when Hardware management of the Access Flag is enabled. Signed-off-by: Ricardo Koller Reviewed-by: Oliver Upton Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230127214353.245671-3-ricarkol@google.com commit 0dd8d22a887a473f6f11abf556c4f7944ab5ef1d Author: Ricardo Koller Date: Fri Jan 27 21:43:50 2023 +0000 KVM: selftests: aarch64: Relax userfaultfd read vs. write checks Only Stage1 Page table walks (S1PTW) writing a PTE on an unmapped page should result in a userfaultfd write. However, the userfaultfd tests in page_fault_test wrongly assert that any S1PTW is a PTE write. Fix this by relaxing the read vs. write checks in all userfaultfd handlers. Note that this is also an attempt to focus less on KVM (and userfaultfd) behavior, and more on architectural behavior. Also note that after commit 406504c7b040 ("KVM: arm64: Fix S1PTW handling on RO memslots"), the userfaultfd fault (S1PTW with AF on an unmaped PTE page) is actually a read: the translation fault that comes before the permission fault. Signed-off-by: Ricardo Koller Reviewed-by: Oliver Upton Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230127214353.245671-2-ricarkol@google.com commit 803929285af4194d490d5652a64731d613e78b8b Merge: 95e7a450b8190 19398821b25a9 Author: Linus Torvalds Date: Sun Jan 29 10:47:22 2023 -0800 Merge tag 'cxl-fixes-for-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl Pull cxl fixes from Dan Williams: "A couple of fixes for bugs introduced during the merge window. One is a regression, the other was a bug in the CXL AER handler: - Fix a crash regression due to module load order of cxl_pmem.ko - Fix wrong register offset read in CXL AER handling path" * tag 'cxl-fixes-for-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl: cxl/pmem: Fix nvdimm unregistration when cxl_pmem driver is absent cxl: fix cxl_report_and_clear() RAS UE addr mis-assignment commit 6028acbe3a5f2119a2a6ddd3e06453c87c09cae0 Author: Gavin Shan Date: Fri Jan 27 07:54:51 2023 +0800 KVM: arm64: Allow no running vcpu on saving vgic3 pending table We don't have a running VCPU context to save vgic3 pending table due to KVM_DEV_ARM_VGIC_{GRP_CTRL, SAVE_PENDING_TABLES} command on KVM device "kvm-arm-vgic-v3". The unknown case is caught by kvm-unit-tests. # ./kvm-unit-tests/tests/its-pending-migration WARNING: CPU: 120 PID: 7973 at arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3325 \ mark_page_dirty_in_slot+0x60/0xe0 : mark_page_dirty_in_slot+0x60/0xe0 __kvm_write_guest_page+0xcc/0x100 kvm_write_guest+0x7c/0xb0 vgic_v3_save_pending_tables+0x148/0x2a0 vgic_set_common_attr+0x158/0x240 vgic_v3_set_attr+0x4c/0x5c kvm_device_ioctl+0x100/0x160 __arm64_sys_ioctl+0xa8/0xf0 invoke_syscall.constprop.0+0x7c/0xd0 el0_svc_common.constprop.0+0x144/0x160 do_el0_svc+0x34/0x60 el0_svc+0x3c/0x1a0 el0t_64_sync_handler+0xb4/0x130 el0t_64_sync+0x178/0x17c Use vgic_write_guest_lock() to save vgic3 pending table. Reported-by: Zenghui Yu Signed-off-by: Gavin Shan Reviewed-by: Oliver Upton Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230126235451.469087-5-gshan@redhat.com commit 2f8b1ad2228a7f1f1e2458864f4bfc1cbdf511ed Author: Gavin Shan Date: Fri Jan 27 07:54:50 2023 +0800 KVM: arm64: Allow no running vcpu on restoring vgic3 LPI pending status We don't have a running VCPU context to restore vgic3 LPI pending status due to command KVM_DEV_ARM_{VGIC_GRP_CTRL, ITS_RESTORE_TABLES} on KVM device "kvm-arm-vgic-its". Use vgic_write_guest_lock() to restore vgic3 LPI pending status. Signed-off-by: Gavin Shan Reviewed-by: Oliver Upton Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230126235451.469087-4-gshan@redhat.com commit a23eaf9368aafa4defcc8904b20391b6ea07bb1e Author: Gavin Shan Date: Fri Jan 27 07:54:48 2023 +0800 KVM: arm64: Add helper vgic_write_guest_lock() Currently, the unknown no-running-vcpu sites are reported when a dirty page is tracked by mark_page_dirty_in_slot(). Until now, the only known no-running-vcpu site is saving vgic/its tables through KVM_DEV_ARM_{VGIC_GRP_CTRL, ITS_SAVE_TABLES} command on KVM device "kvm-arm-vgic-its". Unfortunately, there are more unknown sites to be handled and no-running-vcpu context will be allowed in these sites: (1) KVM_DEV_ARM_{VGIC_GRP_CTRL, ITS_RESTORE_TABLES} command on KVM device "kvm-arm-vgic-its" to restore vgic/its tables. The vgic3 LPI pending status could be restored. (2) Save vgic3 pending table through KVM_DEV_ARM_{VGIC_GRP_CTRL, VGIC_SAVE_PENDING_TABLES} command on KVM device "kvm-arm-vgic-v3". In order to handle those unknown cases, we need a unified helper vgic_write_guest_lock(). struct vgic_dist::save_its_tables_in_progress is also renamed to struct vgic_dist::save_tables_in_progress. No functional change intended. Suggested-by: Oliver Upton Signed-off-by: Gavin Shan Reviewed-by: Oliver Upton Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230126235451.469087-3-gshan@redhat.com commit 95e7a450b8190673675836bfef236262ceff084a Author: Vlastimil Babka Date: Fri Jan 13 18:33:45 2023 +0100 Revert "mm/compaction: fix set skip in fast_find_migrateblock" This reverts commit 7efc3b7261030da79001c00d92bc3392fd6c664c. We have got openSUSE reports (Link 1) for 6.1 kernel with khugepaged stalling CPU for long periods of time. Investigation of tracepoint data shows that compaction is stuck in repeating fast_find_migrateblock() based migrate page isolation, and then fails to migrate all isolated pages. Commit 7efc3b726103 ("mm/compaction: fix set skip in fast_find_migrateblock") was suspected as it was merged in 6.1 and in theory can indeed remove a termination condition for fast_find_migrateblock() under certain conditions, as it removes a place that always marks a scanned pageblock from being re-scanned. There are other such places, but those can be skipped under certain conditions, which seems to match the tracepoint data. Testing of revert also appears to have resolved the issue, thus revert the commit until a more robust solution for the original problem is developed. It's also likely this will fix qemu stalls with 6.1 kernel reported in Link 2, but that is not yet confirmed. Link: https://bugzilla.suse.com/show_bug.cgi?id=1206848 Link: https://lore.kernel.org/kvm/b8017e09-f336-3035-8344-c549086c2340@kernel.org/ Link: https://lore.kernel.org/lkml/20230125134434.18017-1-mgorman@techsingularity.net/ Fixes: 7efc3b726103 ("mm/compaction: fix set skip in fast_find_migrateblock") Cc: Tested-by: Pedro Falcato Acked-by: Mel Gorman Signed-off-by: Vlastimil Babka Signed-off-by: Linus Torvalds commit 5d9745cead1f121974322b94ceadfb4d1e67960e Author: Nikita Zhandarovich Date: Thu Jan 26 10:52:30 2023 -0800 RDMA/irdma: Fix potential NULL-ptr-dereference in_dev_get() can return NULL which will cause a failure once idev is dereferenced in in_dev_for_each_ifa_rtnl(). This patch adds a check for NULL value in idev beforehand. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager") Signed-off-by: Nikita Zhandarovich Link: https://lore.kernel.org/r/20230126185230.62464-1-n.zhandarovich@fintech.ru Reviewed-by: Sindhu Devale Signed-off-by: Leon Romanovsky commit c91d713630848460de8669e6570307b7e559863b Author: Dan Williams Date: Wed Jan 25 12:23:46 2023 -0800 nvdimm: Support sizeof(struct page) > MAX_STRUCT_PAGE_SIZE Commit 6e9f05dc66f9 ("libnvdimm/pfn_dev: increase MAX_STRUCT_PAGE_SIZE") ...updated MAX_STRUCT_PAGE_SIZE to account for sizeof(struct page) potentially doubling in the case of CONFIG_KMSAN=y. Unfortunately this doubles the amount of capacity stolen from user addressable capacity for everyone, regardless of whether they are using the debug option. Revert that change, mandate that MAX_STRUCT_PAGE_SIZE never exceed 64, but allow for debug scenarios to proceed with creating debug sized page maps with a compile option to support debug scenarios. Note that this only applies to cases where the page map is permanent, i.e. stored in a reservation of the pmem itself ("--map=dev" in "ndctl create-namespace" terms). For the "--map=mem" case, since the allocation is ephemeral for the lifespan of the namespace, there are no explicit restriction. However, the implicit restriction, of having enough available "System RAM" to store the page map for the typically large pmem, still applies. Fixes: 6e9f05dc66f9 ("libnvdimm/pfn_dev: increase MAX_STRUCT_PAGE_SIZE") Cc: Cc: Alexander Potapenko Cc: Marco Elver Reported-by: Jeff Moyer Acked-by: Yu Zhao Link: https://lore.kernel.org/r/167467815773.463042.7022545814443036382.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Dan Williams commit c96618275234ad03d44eafe9f8844305bb44fda4 Author: Linus Torvalds Date: Sat Jan 28 11:17:57 2023 -0800 Fix up more non-executable files marked executable Joe found another DT file that shouldn't be executable, and that frustrated me enough that I went hunting with this script: git ls-files -s | grep '^100755' | cut -f2 | xargs grep -L '^#!' and that found another file that shouldn't have been marked executable either, despite being in the scripts directory. Maybe these two are the last ones at least for now. But I'm sure we'll be back in a few years, fixing things up again. Fixes: 8c6789f4e2d4 ("ASoC: dt-bindings: Add Everest ES8326 audio CODEC") Fixes: 4d8e5cd233db ("locking/atomics: Fix scripts/atomic/ script permissions") Reported-by: Joe Perches Signed-off-by: Linus Torvalds commit 2543fdbd5cd3bb7d72a6c810b431ba17778a607d Merge: 5af6ce7049365 a34dc4a9b9e2f Author: Linus Torvalds Date: Sat Jan 28 10:52:51 2023 -0800 Merge tag '6.2-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd Pull ksmbd server fixes from Steve French: "Four smb3 server fixes, all also for stable: - fix for signing bug - fix to more strictly check packet length - add a max connections parm to limit simultaneous connections - fix error message flood that can occur with newer Samba xattr format" * tag '6.2-rc5-ksmbd-server-fixes' of git://git.samba.org/ksmbd: ksmbd: downgrade ndr version error message to debug ksmbd: limit pdu length size according to connection status ksmbd: do not sign response to session request for guest login ksmbd: add max connections parameter commit bf29ce87ba137307a4465c45be5bfe633ccf6074 Merge: 1ca7fca349316 60ce26d10e585 Author: Greg Kroah-Hartman Date: Sat Jan 28 19:18:37 2023 +0100 Merge tag 'fpga-for-6.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/fpga/linux-fpga into char-misc-linus Xy writes: FPGA Manager changes for 6.2-final stratix10-soc: - Zheng's change fixes return value check Intel m10 bmc secure update: - Ilpo's change fixes probe rollback All patches have been reviewed on the mailing list, and have been in the last linux-next releases (as part of our for-6.2 branch) Signed-off-by: Xu Yilun * tag 'fpga-for-6.2-final' of git://git.kernel.org/pub/scm/linux/kernel/git/fpga/linux-fpga: fpga: m10bmc-sec: Fix probe rollback fpga: stratix10-soc: Fix return value check in s10_ops_write_init() commit a6efc42a86c0c87cfe2f1c3d1f09a4c9b13ba890 Author: Andrei Gherzan Date: Thu Jan 26 16:55:48 2023 +0000 selftest: net: Improve IPV6_TCLASS/IPV6_HOPLIMIT tests apparmor compatibility "tcpdump" is used to capture traffic in these tests while using a random, temporary and not suffixed file for it. This can interfere with apparmor configuration where the tool is only allowed to read from files with 'known' extensions. The MINE type application/vnd.tcpdump.pcap was registered with IANA for pcap files and .pcap is the extension that is both most common but also aligned with standard apparmor configurations. See TCPDUMP(8) for more details. This improves compatibility with standard apparmor configurations by using ".pcap" as the file extension for the tests' temporary files. Signed-off-by: Andrei Gherzan Signed-off-by: David S. Miller commit 1ca7fca349316231bbaa68d16f819a08d683c5a7 Author: Johan Hovold Date: Fri Jan 27 10:40:15 2023 +0000 nvmem: qcom-spmi-sdam: fix module autoloading Add the missing module device table so that the driver can be autoloaded when built as a module. Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver") Cc: stable@vger.kernel.org # 5.6 Reviewed-by: Bjorn Andersson Signed-off-by: Johan Hovold Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-11-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 0c4862b1c1465e473bc961a02765490578bf5c20 Author: Russell King (Oracle) Date: Fri Jan 27 10:40:14 2023 +0000 nvmem: core: fix return value Dan Carpenter points out that the return code was not set in commit 60c8b4aebd8e ("nvmem: core: fix cleanup after dev_set_name()"), but this is not the only issue - we also need to zero wp_gpio to prevent gpiod_put() being called on an error value. Fixes: 560181d3ace6 ("nvmem: core: fix cleanup after dev_set_name()") Cc: stable@vger.kernel.org Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Russell King (Oracle) Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-10-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit db3546d58b5a0fa581d9c9f2bdc2856fa6c5e43e Author: Michael Walle Date: Fri Jan 27 10:40:13 2023 +0000 nvmem: core: fix cell removal on error nvmem_add_cells() could return an error after some cells are already added to the provider. In this case, the added cells are not removed. Remove any registered cells if nvmem_add_cells() fails. Fixes: fa72d847d68d7 ("nvmem: check the return value of nvmem_add_cells()") Cc: stable@vger.kernel.org Signed-off-by: Michael Walle Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-9-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit edcf2fb660526b5ed29f93bd17328a2b4835c8b2 Author: Michael Walle Date: Fri Jan 27 10:40:12 2023 +0000 nvmem: core: fix device node refcounting In of_nvmem_cell_get(), of_get_next_parent() is used on cell_np. This will decrement the refcount on cell_np, but cell_np is still used later in the code. Use of_get_parent() instead and of_node_put() in the appropriate places. Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers") Fixes: 7ae6478b304b ("nvmem: core: rework nvmem cell instance creation") Cc: stable@vger.kernel.org Signed-off-by: Michael Walle Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-8-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit ab3428cfd9aa2f3463ee4b2909b5bb2193bd0c4a Author: Russell King (Oracle) Date: Fri Jan 27 10:40:11 2023 +0000 nvmem: core: fix registration vs use race The i.MX6 CPU frequency driver sometimes fails to register at boot time due to nvmem_cell_read_u32() sporadically returning -ENOENT. This happens because there is a window where __nvmem_device_get() in of_nvmem_cell_get() is able to return the nvmem device, but as cells have been setup, nvmem_find_cell_entry_by_node() returns NULL. The occurs because the nvmem core registration code violates one of the fundamental principles of kernel programming: do not publish data structures before their setup is complete. Fix this by making nvmem core code conform with this principle. Fixes: eace75cfdcf7 ("nvmem: Add a simple NVMEM framework for nvmem providers") Cc: stable@vger.kernel.org Signed-off-by: Russell King (Oracle) Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-7-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 560181d3ace61825f4ca9dd3481d6c0ee6709fa8 Author: Russell King (Oracle) Date: Fri Jan 27 10:40:10 2023 +0000 nvmem: core: fix cleanup after dev_set_name() If dev_set_name() fails, we leak nvmem->wp_gpio as the cleanup does not put this. While a minimal fix for this would be to add the gpiod_put() call, we can do better if we split device_register(), and use the tested nvmem_release() cleanup code by initialising the device early, and putting the device. This results in a slightly larger fix, but results in clear code. Note: this patch depends on "nvmem: core: initialise nvmem->id early" and "nvmem: core: remove nvmem_config wp_gpio". Fixes: 5544e90c8126 ("nvmem: core: add error handling for dev_set_name") Cc: stable@vger.kernel.org Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Russell King (Oracle) [Srini: Fixed subject line and error code handing with wp_gpio while applying.] Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-6-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 569653f022a29a1a44ea9de5308b657228303fa5 Author: Russell King (Oracle) Date: Fri Jan 27 10:40:09 2023 +0000 nvmem: core: remove nvmem_config wp_gpio No one provides wp_gpio, so let's remove it to avoid issues with the nvmem core putting this gpio. Cc: stable@vger.kernel.org Signed-off-by: Russell King (Oracle) Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-5-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 3bd747c7ea13cb145f0d84444e00df928b0842d9 Author: Russell King (Oracle) Date: Fri Jan 27 10:40:08 2023 +0000 nvmem: core: initialise nvmem->id early The error path for wp_gpio attempts to free the IDA nvmem->id, but this has yet to be assigned, so will always be zero - leaking the ID allocated by ida_alloc(). Fix this by moving the initialisation of nvmem->id earlier. Fixes: f7d8d7dcd978 ("nvmem: fix memory leak in error path") Cc: stable@vger.kernel.org Signed-off-by: Russell King (Oracle) Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-4-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit c151d5ed8e8fe0474bd61dce7f2076ca5916c683 Author: Samuel Holland Date: Fri Jan 27 10:40:07 2023 +0000 nvmem: sunxi_sid: Always use 32-bit MMIO reads The SID SRAM on at least some SoCs (A64 and D1) returns different values when read with bus cycles narrower than 32 bits. This is not immediately obvious, because memcpy_fromio() uses word-size accesses as long as enough data is being copied. The vendor driver always uses 32-bit MMIO reads, so do the same here. This is faster than the register-based method, which is currently used as a workaround on A64. And it fixes the values returned on D1, where the SRAM method was being used. The special case for the last word is needed to maintain .word_size == 1 for sysfs ABI compatibility, as noted previously in commit de2a3eaea552 ("nvmem: sunxi_sid: Optimize register read-out method"). Fixes: 07ae4fde9efa ("nvmem: sunxi_sid: Add support for D1 variant") Cc: stable@vger.kernel.org Tested-by: Heiko Stuebner Signed-off-by: Samuel Holland Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-3-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit b0576ade3aaf24b376ea1a4406ae138e2a22b0c0 Author: Jiasheng Jiang Date: Fri Jan 27 10:40:06 2023 +0000 nvmem: brcm_nvram: Add check for kzalloc Add the check for the return value of kzalloc in order to avoid NULL pointer dereference. Fixes: 6e977eaa8280 ("nvmem: brcm_nvram: parse NVRAM content into NVMEM cells") Cc: stable@vger.kernel.org Signed-off-by: Jiasheng Jiang Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20230127104015.23839-2-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 906ad3c9bf66e3c6dd4ebe14a7af1b339a2afacf Merge: 60bd1d9008a50 e3d6d152a1cbd Author: David S. Miller Date: Sat Jan 28 13:20:21 2023 +0000 Merge branch 't7xx-pm-fixes' Kornel Dulęba says: ==================== net: wwan: t7xx: Fix Runtime PM implementation d10b3a695ba0 ("net: wwan: t7xx: Runtime PM") introduced support for Runtime PM for this driver, but due to a bug in the initialization logic the usage refcount would never reach 0, leaving the feature unused. This patchset addresses that, together with a bug found after runtime suspend was enabled. ==================== Signed-off-by: David S. Miller commit e3d6d152a1cbdee25f2e3962009a2751b54e2297 Author: Kornel Dulęba Date: Thu Jan 26 13:25:35 2023 +0000 net: wwan: t7xx: Fix Runtime PM initialization For PCI devices the Runtime PM refcount is incremented twice: 1. During device enumeration with a call to pm_runtime_forbid. 2. Just before a driver probe logic is called. Because of that in order to enable Runtime PM on a given device we have to call both pm_runtime_allow and pm_runtime_put_noidle, once it's ready to be runtime suspended. The former was missing causing the pm refcount to never reach 0. Fixes: d10b3a695ba0 ("net: wwan: t7xx: Runtime PM") Signed-off-by: Kornel Dulęba Signed-off-by: David S. Miller commit 364d0221f1788e5225006ba7a0026e5968431c29 Author: Kornel Dulęba Date: Thu Jan 26 13:25:34 2023 +0000 net: wwan: t7xx: Fix Runtime PM resume sequence Resume device before calling napi_schedule, instead of doing in the napi poll routine. Polling is done in softrq context. We can't call the PM resume logic from there as it's blocking and not irq safe. In order to make it work modify the interrupt handler to be run from irq handler thread. Fixes: 5545b7b9f294 ("net: wwan: t7xx: Add NAPI support") Signed-off-by: Kornel Dulęba Signed-off-by: David S. Miller commit 60bd1d9008a50cc78c4033a16a6f5d78210d481c Author: Jeremy Kerr Date: Thu Jan 26 14:45:51 2023 +0800 net: mctp: purge receive queues on sk destruction We may have pending skbs in the receive queue when the sk is being destroyed; add a destructor to purge the queue. MCTP doesn't use the error queue, so only the receive_queue is purged. Fixes: 833ef3b91de6 ("mctp: Populate socket implementation") Signed-off-by: Jeremy Kerr Reviewed-by: Pavan Chebbi Link: https://lore.kernel.org/r/20230126064551.464468-1-jk@codeconstruct.com.au Signed-off-by: Jakub Kicinski commit 422ae7d9c7221e8d4c8526d0f54106307d69d2dc Author: Andre Kalb Date: Wed Jan 25 19:23:26 2023 +0100 net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices The probe() function is only used for the DP83822 PHY, leaving the private data pointer uninitialized for the smaller DP83825/26 models. While all uses of the private data structure are hidden in 82822 specific callbacks, configuring the interrupt is shared across all models. This causes a NULL pointer dereference on the smaller PHYs as it accesses the private data unchecked. Verifying the pointer avoids that. Fixes: 5dc39fd5ef35 ("net: phy: DP83822: Add ability to advertise Fiber connection") Signed-off-by: Andre Kalb Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/Y9FzniUhUtbaGKU7@pc6682 Signed-off-by: Jakub Kicinski commit 4f876bfdb731a320089c5a64f8fa15fbba14418c Merge: 53466ebdec614 e18c6da62edc7 Author: Takashi Iwai Date: Sat Jan 28 09:21:36 2023 +0100 Merge tag 'asoc-fix-v6.2-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v6.2 An unfortunately large batch of fixes here, the numbers amplified by several repeated fixes for patterns of bugs in multiple drivers. Most of this is in the x86 drivers which are very actively developed, the implementation of PCI shutdown is a fix for issues with spamming warnings into the logs with a leaked reference to the i915 driver. commit 29de68c2b32ce58d64dea496d281e25ad0f551bd Author: Natalia Petrova Date: Wed Jan 25 16:48:31 2023 +0300 net: qrtr: free memory on error path in radix_tree_insert() Function radix_tree_insert() returns errors if the node hasn't been initialized and added to the tree. "kfree(node)" and return value "NULL" of node_get() help to avoid using unclear node in other calls. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: # 5.7 Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") Signed-off-by: Natalia Petrova Reviewed-by: Simon Horman Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20230125134831.8090-1-n.petrova@fintech.ru Signed-off-by: Jakub Kicinski commit 14caefcf9837a2be765a566005ad82cd0d2a429f Author: Hyunwoo Kim Date: Wed Jan 25 02:59:44 2023 -0800 net/rose: Fix to not accept on connected socket If you call listen() and accept() on an already connect()ed rose socket, accept() can successfully connect. This is because when the peer socket sends data to sendmsg, the skb with its own sk stored in the connected socket's sk->sk_receive_queue is connected, and rose_accept() dequeues the skb waiting in the sk->sk_receive_queue. This creates a child socket with the sk of the parent rose socket, which can cause confusion. Fix rose_listen() to return -EINVAL if the socket has already been successfully connected, and add lock_sock to prevent this issue. Signed-off-by: Hyunwoo Kim Reviewed-by: Kuniyuki Iwashima Link: https://lore.kernel.org/r/20230125105944.GA133314@ubuntu Signed-off-by: Jakub Kicinski commit ffffd2454a7a1bc9f7242b12c4cc0b05c12692b4 Author: Íñigo Huguet Date: Wed Jan 25 15:35:13 2023 +0100 sfc: correctly advertise tunneled IPv6 segmentation Recent sfc NICs are TSO capable for some tunnel protocols. However, it was not working properly because the feature was not advertised in hw_enc_features, but in hw_features only. Setting up a GENEVE tunnel and using iperf3 to send IPv4 and IPv6 traffic to the tunnel show, with tcpdump, that the IPv4 packets still had ~64k size but the IPv6 ones had only ~1500 bytes (they had been segmented by software, not offloaded). With this patch segmentation is offloaded as expected and the traffic is correctly received at the other end. Fixes: 24b2c3751aa3 ("sfc: advertise encapsulated offloads on EF10") Reported-by: Tianhao Zhao Signed-off-by: Íñigo Huguet Acked-by: Martin Habets Link: https://lore.kernel.org/r/20230125143513.25841-1-ihuguet@redhat.com Signed-off-by: Jakub Kicinski commit 0548c5f26a0fefa721b29be2bfff1c44f15b6d73 Merge: 7d2c89b325874 5416c9aea8323 Author: Jakub Kicinski Date: Fri Jan 27 23:32:02 2023 -0800 Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== bpf 2023-01-27 We've added 10 non-merge commits during the last 9 day(s) which contain a total of 10 files changed, 170 insertions(+), 59 deletions(-). The main changes are: 1) Fix preservation of register's parent/live fields when copying range-info, from Eduard Zingerman. 2) Fix an off-by-one bug in bpf_mem_cache_idx() to select the right cache, from Hou Tao. 3) Fix stack overflow from infinite recursion in sock_map_close(), from Jakub Sitnicki. 4) Fix missing btf_put() in register_btf_id_dtor_kfuncs()'s error path, from Jiri Olsa. 5) Fix a splat from bpf_setsockopt() via lsm_cgroup/socket_sock_rcv_skb, from Kui-Feng Lee. 6) Fix bpf_send_signal[_thread]() helpers to hold a reference on the task, from Yonghong Song. * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf: Fix the kernel crash caused by bpf_setsockopt(). selftests/bpf: Cover listener cloning with progs attached to sockmap selftests/bpf: Pass BPF skeleton to sockmap_listen ops tests bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself bpf: Add missing btf_put to register_btf_id_dtor_kfuncs selftests/bpf: Verify copy_register_state() preserves parent/live fields bpf: Fix to preserve reg parent/live fields when copying range info bpf: Fix a possible task gone issue with bpf_send_signal[_thread]() helpers bpf: Fix off-by-one error in bpf_mem_cache_idx() ==================== Link: https://lore.kernel.org/r/20230127215820.4993-1-daniel@iogearbox.net Signed-off-by: Jakub Kicinski commit 7d2c89b325874a35564db5630a459966afab04cc Author: Alexander Duyck Date: Thu Jan 26 11:06:59 2023 -0800 skb: Do mix page pool and page referenced frags in GRO GSO should not merge page pool recycled frames with standard reference counted frames. Traditionally this didn't occur, at least not often. However as we start looking at adding support for wireless adapters there becomes the potential to mix the two due to A-MSDU repartitioning frames in the receive path. There are possibly other places where this may have occurred however I suspect they must be few and far between as we have not seen this issue until now. Fixes: 53e0961da1c7 ("page_pool: add frag page recycling support in page pool") Reported-by: Felix Fietkau Signed-off-by: Alexander Duyck Acked-by: Ilias Apalodimas Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/167475990764.1934330.11960904198087757911.stgit@localhost.localdomain Signed-off-by: Jakub Kicinski commit ff445b8397745ea94675162faa0e9b0079ca521d Author: Arınç ÜNAL Date: Thu Jan 26 22:01:11 2023 +0300 net: dsa: mt7530: fix tristate and help description Fix description for tristate and help sections which include inaccurate information. Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20230126190110.9124-1-arinc.unal@arinc9.com Signed-off-by: Jakub Kicinski commit 3ac77ecd9a8356c11754def95d657df026c6c135 Merge: 28b4387f0ec08 a3191c4d86c5d Author: Jakub Kicinski Date: Fri Jan 27 22:28:01 2023 -0800 Merge branch 'net-xdp-execute-xdp_do_flush-before-napi_complete_done' Magnus Karlsson says: ==================== net: xdp: execute xdp_do_flush() before napi_complete_done() Make sure that xdp_do_flush() is always executed before napi_complete_done(). This is important for two reasons. First, a redirect to an XSKMAP assumes that a call to xdp_do_redirect() from napi context X on CPU Y will be followed by a xdp_do_flush() from the same napi context and CPU. This is not guaranteed if the napi_complete_done() is executed before xdp_do_flush(), as it tells the napi logic that it is fine to schedule napi context X on another CPU. Details from a production system triggering this bug using the veth driver can be found in [1]. The second reason is that the XDP_REDIRECT logic in itself relies on being inside a single NAPI instance through to the xdp_do_flush() call for RCU protection of all in-kernel data structures. Details can be found in [2]. The drivers have only been compile-tested since I do not own any of the HW below. So if you are a maintainer, it would be great if you could take a quick look to make sure I did not mess something up. Note that these were the drivers I found that violated the ordering by running a simple script and manually checking the ones that came up as potential offenders. But the script was not perfect in any way. There might still be offenders out there, since the script can generate false negatives. [1] https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com [2] https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ ==================== Link: https://lore.kernel.org/r/20230125074901.2737-1-magnus.karlsson@gmail.com Signed-off-by: Jakub Kicinski commit a3191c4d86c5d3bd35b00dfde6910b88391436a0 Author: Magnus Karlsson Date: Wed Jan 25 08:49:01 2023 +0100 dpaa2-eth: execute xdp_do_flush() before napi_complete_done() Make sure that xdp_do_flush() is always executed before napi_complete_done(). This is important for two reasons. First, a redirect to an XSKMAP assumes that a call to xdp_do_redirect() from napi context X on CPU Y will be followed by a xdp_do_flush() from the same napi context and CPU. This is not guaranteed if the napi_complete_done() is executed before xdp_do_flush(), as it tells the napi logic that it is fine to schedule napi context X on another CPU. Details from a production system triggering this bug using the veth driver can be found following the first link below. The second reason is that the XDP_REDIRECT logic in itself relies on being inside a single NAPI instance through to the xdp_do_flush() call for RCU protection of all in-kernel data structures. Details can be found in the second link below. Fixes: d678be1dc1ec ("dpaa2-eth: add XDP_REDIRECT support") Signed-off-by: Magnus Karlsson Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ Signed-off-by: Jakub Kicinski commit b534013798b77f81a36f36dafd59bab9de837619 Author: Magnus Karlsson Date: Wed Jan 25 08:49:00 2023 +0100 dpaa_eth: execute xdp_do_flush() before napi_complete_done() Make sure that xdp_do_flush() is always executed before napi_complete_done(). This is important for two reasons. First, a redirect to an XSKMAP assumes that a call to xdp_do_redirect() from napi context X on CPU Y will be followed by a xdp_do_flush() from the same napi context and CPU. This is not guaranteed if the napi_complete_done() is executed before xdp_do_flush(), as it tells the napi logic that it is fine to schedule napi context X on another CPU. Details from a production system triggering this bug using the veth driver can be found following the first link below. The second reason is that the XDP_REDIRECT logic in itself relies on being inside a single NAPI instance through to the xdp_do_flush() call for RCU protection of all in-kernel data structures. Details can be found in the second link below. Fixes: a1e031ffb422 ("dpaa_eth: add XDP_REDIRECT support") Signed-off-by: Magnus Karlsson Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ Acked-by: Camelia Groza Signed-off-by: Jakub Kicinski commit ad7e615f646c9b5b2cf655cdfb9d91a28db4f25a Author: Magnus Karlsson Date: Wed Jan 25 08:48:59 2023 +0100 virtio-net: execute xdp_do_flush() before napi_complete_done() Make sure that xdp_do_flush() is always executed before napi_complete_done(). This is important for two reasons. First, a redirect to an XSKMAP assumes that a call to xdp_do_redirect() from napi context X on CPU Y will be followed by a xdp_do_flush() from the same napi context and CPU. This is not guaranteed if the napi_complete_done() is executed before xdp_do_flush(), as it tells the napi logic that it is fine to schedule napi context X on another CPU. Details from a production system triggering this bug using the veth driver can be found following the first link below. The second reason is that the XDP_REDIRECT logic in itself relies on being inside a single NAPI instance through to the xdp_do_flush() call for RCU protection of all in-kernel data structures. Details can be found in the second link below. Fixes: 186b3c998c50 ("virtio-net: support XDP_REDIRECT") Signed-off-by: Magnus Karlsson Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ Acked-by: Michael S. Tsirkin Signed-off-by: Jakub Kicinski commit 12b5717990c81fc2f6f2aa9d53d960b916478d4f Author: Magnus Karlsson Date: Wed Jan 25 08:48:58 2023 +0100 lan966x: execute xdp_do_flush() before napi_complete_done() Make sure that xdp_do_flush() is always executed before napi_complete_done(). This is important for two reasons. First, a redirect to an XSKMAP assumes that a call to xdp_do_redirect() from napi context X on CPU Y will be followed by a xdp_do_flush() from the same napi context and CPU. This is not guaranteed if the napi_complete_done() is executed before xdp_do_flush(), as it tells the napi logic that it is fine to schedule napi context X on another CPU. Details from a production system triggering this bug using the veth driver can be found following the first link below. The second reason is that the XDP_REDIRECT logic in itself relies on being inside a single NAPI instance through to the xdp_do_flush() call for RCU protection of all in-kernel data structures. Details can be found in the second link below. Fixes: a825b611c7c1 ("net: lan966x: Add support for XDP_REDIRECT") Signed-off-by: Magnus Karlsson Acked-by: Toke Høiland-Jørgensen Acked-by: Steen Hegelund Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ Signed-off-by: Jakub Kicinski commit 2ccce20d51faa0178086163ccb6c84a099a87ab4 Author: Magnus Karlsson Date: Wed Jan 25 08:48:57 2023 +0100 qede: execute xdp_do_flush() before napi_complete_done() Make sure that xdp_do_flush() is always executed before napi_complete_done(). This is important for two reasons. First, a redirect to an XSKMAP assumes that a call to xdp_do_redirect() from napi context X on CPU Y will be followed by a xdp_do_flush() from the same napi context and CPU. This is not guaranteed if the napi_complete_done() is executed before xdp_do_flush(), as it tells the napi logic that it is fine to schedule napi context X on another CPU. Details from a production system triggering this bug using the veth driver can be found following the first link below. The second reason is that the XDP_REDIRECT logic in itself relies on being inside a single NAPI instance through to the xdp_do_flush() call for RCU protection of all in-kernel data structures. Details can be found in the second link below. Fixes: d1b25b79e162b ("qede: add .ndo_xdp_xmit() and XDP_REDIRECT support") Signed-off-by: Magnus Karlsson Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ Signed-off-by: Jakub Kicinski commit 5af6ce7049365952f7f023155234fe091693ead1 Merge: 90aaef4e35c4a b7ab9161cf5dd Author: Linus Torvalds Date: Fri Jan 27 17:41:47 2023 -0800 Merge tag '6.2-rc5-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fix from Steve French: "Fix for reconnect oops in smbdirect (RDMA), also is marked for stable" * tag '6.2-rc5-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: Fix oops due to uncleared server->smbd_conn in reconnect commit 90aaef4e35c4a74b0f1593d06e39eda867ef13d3 Merge: f851453bf1955 db3ba974c2bc8 Author: Linus Torvalds Date: Fri Jan 27 16:16:57 2023 -0800 Merge tag 'block-6.2-2023-01-27' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: "Minor tweaks for this release: - NVMe pull request via Christoph: - Flush initial scan_work for async probe (Keith Busch) - Fix passthrough csi check (Keith Busch) - Fix nvme-fc initialization order (Ross Lagerwall) - Fix for tearing down non-started device in ublk (Ming)" * tag 'block-6.2-2023-01-27' of git://git.kernel.dk/linux: block: ublk: move ublk_chr_class destroying after devices are removed nvme: fix passthrough csi check nvme-pci: flush initial scan_work for async probe nvme-fc: fix initialization order commit f851453bf19554a42eb480b65436b9500c3cf392 Merge: 28cca23da7240 ef5c600adb1d9 Author: Linus Torvalds Date: Fri Jan 27 16:15:06 2023 -0800 Merge tag 'io_uring-6.2-2023-01-27' of git://git.kernel.dk/linux Pull io_uring fixes from Jens Axboe: "Two small fixes for this release: - Sanitize how async prep is done for drain requests, so we ensure that it always gets done (Dylan) - A ring provided buffer recycling fix for multishot receive (me)" * tag 'io_uring-6.2-2023-01-27' of git://git.kernel.dk/linux: io_uring: always prep_async for drain requests io_uring/net: cache provided buffer group value for multishot receives commit 28cca23da7240df597240a492a7a7d4ce990026b Merge: d786f0fe5e549 be0d8f48ad97f Author: Linus Torvalds Date: Fri Jan 27 16:09:12 2023 -0800 Merge tag 'hardening-v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardening fixes from Kees Cook: - Split slow memcpy tests into MEMCPY_SLOW_KUNIT_TEST - Reorganize gcc-plugin includes for GCC 13 - Silence bcache memcpy run-time false positive warnings * tag 'hardening-v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: bcache: Silence memcpy() run-time false positive warnings gcc-plugins: Reorganize gimple includes for GCC 13 kunit: memcpy: Split slow memcpy tests into MEMCPY_SLOW_KUNIT_TEST commit d786f0fe5e5490682cc05dce6bea0b32964d5088 Merge: e6f2f6ac500c6 7802023341851 Author: Linus Torvalds Date: Fri Jan 27 16:03:32 2023 -0800 Merge tag 'trace-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull tracing fixes from Steven Rostedt: - Fix filter memory leak by calling ftrace_free_filter() - Initialize trace_printk() earlier so that ftrace_dump_on_oops shows data on early crashes. - Update the outdated instructions in scripts/tracing/ftrace-bisect.sh - Add lockdep_is_held() to fix lockdep warning - Add allocation failure check in create_hist_field() - Don't initialize pointer that gets set right away in enabled_monitors_write() - Update MAINTAINER entries - Fix help messages in Kconfigs - Fix kernel-doc header for update_preds() * tag 'trace-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: bootconfig: Update MAINTAINERS file to add tree and mailing list rv: remove redundant initialization of pointer ptr ftrace: Maintain samples/ftrace tracing/filter: fix kernel-doc warnings lib: Kconfig: fix spellos trace_events_hist: add check for return value of 'create_hist_field' tracing/osnoise: Use built-in RCU list checking tracing: Kconfig: Fix spelling/grammar/punctuation ftrace/scripts: Update the instructions for ftrace-bisect.sh tracing: Make sure trace_printk() can output as soon as it can be used ftrace: Export ftrace_free_filter() to modules commit e6f2f6ac500c67164f6f6b47299aece579277c14 Merge: 37d0be6a7d7d6 0582d984793d3 Author: Linus Torvalds Date: Fri Jan 27 13:52:38 2023 -0800 Merge tag 'i2c-for-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "A bunch of driver fixes with a tiny bit of new IDs" * tag 'i2c-for-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: rk3x: fix a bunch of kernel-doc warnings i2c: axxia: use 'struct' for kernel-doc notation dt-bindings: i2c: renesas,rzv2m: Fix SoC specific string i2c: mxs: suppress probe-deferral error message i2c: designware-pci: Add new PCI IDs for AMD NAVI GPU i2c: designware: Fix unbalanced suspended flag i2c: designware: use casting of u64 in clock multiplication to avoid overflow commit 37d0be6a7d7d6fede952c439f8d8b9d1df5c756f Merge: 4d1483a99e9cd 677d85e1a1ee6 Author: Linus Torvalds Date: Fri Jan 27 13:47:40 2023 -0800 Merge tag 'gpio-fixes-for-v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - fix the -c option in the gpio-event-mode user-space example program - fix the irq number translation in gpio-ep93xx and make its irqchip immutable - add a missing spin_unlock in error path in gpio-mxc - fix a suspend breakage on System76 and Lenovo Gen2a introduced in GPIO ACPI * tag 'gpio-fixes-for-v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: tools: gpio: fix -c option of gpio-event-mon gpio: ep93xx: remove unused variable gpio: ep93xx: Make irqchip immutable gpio: ep93xx: Fix port F hwirq numbers in handler gpio: mxc: Unlock on error path in mxc_flip_edge() gpiolib-acpi: Don't set GPIOs for wakeup in S3 mode commit 4d1483a99e9cdf2775ae93c49982042a0a103c29 Merge: 0acffb235fbf5 4bb3d82a1820c Author: Linus Torvalds Date: Fri Jan 27 13:43:46 2023 -0800 Merge tag 'regulator-fix-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fix from Mark Brown: "A fix for the DT binding documentation which dropped a property when being converted to YAML format causing spurious errors validating device trees for platforms using the device" * tag 'regulator-fix-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: dt-bindings: samsung,s2mps14: add lost samsung,ext-control-gpios commit 0acffb235fbf57f11a3da1098f9134825ac7c1c9 Merge: 76e26e3c6a49b 4f11ada10d0ad Author: Linus Torvalds Date: Fri Jan 27 13:39:30 2023 -0800 Merge tag 'ovl-fixes-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs Pull overlayfs fixes from Miklos Szeredi: "Fix two bugs, a recent one introduced in the last cycle, and an older one from v5.11" * tag 'ovl-fixes-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: ovl: fail on invalid uid/gid mapping at copy up ovl: fix tmpfile leak commit 76e26e3c6a49b368a6fd38e2da2b1b164470cc52 Merge: 04ad927cacc67 d23db89883962 Author: Linus Torvalds Date: Fri Jan 27 13:18:14 2023 -0800 Merge tag 'drm-fixes-2023-01-27' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Fairly small this week as well, i915 has a memory leak fix and some minor changes, and amdgpu has some MST fixes, and some other minor ones: drm: - DP MST kref fix - fb_helper: check return value i915: - Fix BSC default context for Meteor Lake - Fix selftest-scheduler's modify_type - memory leak fix amdgpu: - GC11.x fixes - SMU13.0.0 fix - Freesync video fix - DP MST fixes - build fix" * tag 'drm-fixes-2023-01-27' of git://anongit.freedesktop.org/drm/drm: amdgpu: fix build on non-DCN platforms. drm/amd/display: Fix timing not changning when freesync video is enabled drm/display/dp_mst: Correct the kref of port. drm/amdgpu/display/mst: update mst_mgr relevant variable when long HPD drm/amdgpu/display/mst: limit payload to be updated one by one drm/amdgpu/display/mst: Fix mst_state->pbn_div and slot count assignments drm/amdgpu: declare firmware for new MES 11.0.4 drm/amdgpu: enable imu firmware for GC 11.0.4 drm/amd/pm: add missing AllowIHInterrupt message mapping for SMU13.0.0 drm/amdgpu: remove unconditional trap enable on add gfx11 queues drm/fb-helper: Use a per-driver FB deferred I/O handler drm/fb-helper: Check fb_deferred_io_init() return value drm/i915/selftest: fix intel_selftest_modify_policy argument types drm/i915/mtl: Fix bcs default context drm/i915: Fix a memory leak with reused mmap_offset drm/drm_vma_manager: Add drm_vma_node_allow_once() commit 04ad927cacc678371ea9b187cd7e6eb71894b422 Merge: 274d2f8b0c032 e6b3086fddc00 Author: Linus Torvalds Date: Fri Jan 27 13:11:19 2023 -0800 Merge tag 'acpi-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes from Rafael Wysocki: "Add ACPI backlight handling quirks for 3 machines (Hans de Goede)" * tag 'acpi-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: video: Add backlight=native DMI quirk for Asus U46E ACPI: video: Add backlight=native DMI quirk for HP EliteBook 8460p ACPI: video: Add backlight=native DMI quirk for HP Pavilion g6-1d80nr commit 274d2f8b0c032ca3c1ae88194b75edd2669368b0 Merge: 0d1e013fd9246 acd7e9ee57c88 Author: Linus Torvalds Date: Fri Jan 27 13:01:36 2023 -0800 Merge tag 'thermal-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull thermal control fixes from Rafael Wysocki: "Add locking to the Intel int340x thermal control driver to prevent its thermal zone callbacks from racing with firmware-induced thermal trip point updates (Srinivas Pandruvada, Rafael Wysocki)" * tag 'thermal-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() thermal: intel: int340x: Protect trip temperature from concurrent updates commit 0d1e013fd9246fcf73a078999487ba47d1dd1bb9 Merge: db7c4673bbd30 a428eb4b99ab8 Author: Linus Torvalds Date: Fri Jan 27 12:56:45 2023 -0800 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fix from Will Deacon: - Fix event counting regression in Arm CMN PMU driver due to broken optimisation * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: Partially revert "perf/arm-cmn: Optimise DTC counter accesses" commit db7c4673bbd30e54e28a3274dd50fe6a5e28a8b8 Merge: e5eb2b22f0f4a c1d6105869464 Author: Linus Torvalds Date: Fri Jan 27 12:52:45 2023 -0800 Merge tag 'riscv-for-linus-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: - A few DT bindings fixes to more closely align the ISA string requirements between the bindings and the ISA manual. - A handful of build error/warning fixes. - A fix to move init_cpu_topology() later in the boot flow, so it can allocate memory. - The IRC channel is now in the MAINTAINERS file, so it's easier to find. * tag 'riscv-for-linus-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: Move call to init_cpu_topology() to later initialization stage riscv/kprobe: Fix instruction simulation of JALR riscv: fix -Wundef warning for CONFIG_RISCV_BOOT_SPINWAIT MAINTAINERS: add an IRC entry for RISC-V RISC-V: fix compile error from deduplicated __ALTERNATIVE_CFG_2 dt-bindings: riscv: fix single letter canonical order dt-bindings: riscv: fix underscore requirement for multi-letter extensions commit e5eb2b22f0f4a1f0b98bc9b7efb352b0841a3bd2 Merge: 9f4d0bd24e6b4 2f62847cf6ae4 Author: Linus Torvalds Date: Fri Jan 27 12:49:00 2023 -0800 Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: - fix nommu assignment build warning - fix -Wundef preprocessor warning - reduce __thumb2__ definitions for crypto files that require it * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: 9287/1: Reduce __thumb2__ definition to crypto files that require it ARM: 9284/1: include from proc-macros.S to fix -Wundef warnings ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment commit 9f4d0bd24e6b42555c02e137763f12c106572e63 Merge: 83abd4d4c4be8 a49fb7218ed84 Author: Linus Torvalds Date: Fri Jan 27 12:41:09 2023 -0800 Merge tag 'linux-kselftest-fixes-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull Kselftest fixes from Shuah Khan: "A single fix to a amd-pstate test Makefile bug that deletes source files during make clean run" * tag 'linux-kselftest-fixes-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: selftests: amd-pstate: Don't delete source files via Makefile commit 53b9b77dcf48dad1c6111b0c0a7310b3f9364776 Author: Michal Wilczynski Date: Fri Nov 25 14:34:39 2022 +0100 ice: Fix broken link in ice NAPI doc Current link for NAPI documentation in ice driver doesn't work - it returns 404. Update the link to the working one. Signed-off-by: Michal Wilczynski Acked-by: Jesse Brandeburg Signed-off-by: Tony Nguyen commit a6a0974aae4209d039ba81226ded5246eea14961 Author: Dave Ertman Date: Tue Jan 24 09:19:43 2023 -0800 ice: Prevent set_channel from changing queues while RDMA active The PF controls the set of queues that the RDMA auxiliary_driver requests resources from. The set_channel command will alter that pool and trigger a reconfiguration of the VSI, which breaks RDMA functionality. Prevent set_channel from executing when RDMA driver bound to auxiliary device. Adding a locked variable to pass down the call chain to avoid double locking the device_lock. Fixes: 348048e724a0 ("ice: Implement iidc operations") Signed-off-by: Dave Ertman Tested-by: Gurucharan G (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit eede42c9459b58b71edc99303dad65216a655810 Author: Bartosz Golaszewski Date: Mon Jan 16 15:41:49 2023 +0100 spi: spidev: fix a recursive locking error When calling spidev_message() from the one of the ioctl() callbacks, the spi_lock is already taken. When we then end up calling spidev_sync(), we get the following splat: [ 214.047619] [ 214.049198] ============================================ [ 214.054533] WARNING: possible recursive locking detected [ 214.059858] 6.2.0-rc3-0.0.0-devel+git.97ec4d559d93 #1 Not tainted [ 214.065969] -------------------------------------------- [ 214.071290] spidev_test/1454 is trying to acquire lock: [ 214.076530] c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x8e0/0xab8 [ 214.084164] [ 214.084164] but task is already holding lock: [ 214.090007] c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x44/0xab8 [ 214.097537] [ 214.097537] other info that might help us debug this: [ 214.104075] Possible unsafe locking scenario: [ 214.104075] [ 214.110004] CPU0 [ 214.112461] ---- [ 214.114916] lock(&spidev->spi_lock); [ 214.118687] lock(&spidev->spi_lock); [ 214.122457] [ 214.122457] *** DEADLOCK *** [ 214.122457] [ 214.128386] May be due to missing lock nesting notation [ 214.128386] [ 214.135183] 2 locks held by spidev_test/1454: [ 214.139553] #0: c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x44/0xab8 [ 214.147524] #1: c4925e14 (&spidev->buf_lock){+.+.}-{3:3}, at: spidev_ioctl+0x70/0xab8 [ 214.155493] [ 214.155493] stack backtrace: [ 214.159861] CPU: 0 PID: 1454 Comm: spidev_test Not tainted 6.2.0-rc3-0.0.0-devel+git.97ec4d559d93 #1 [ 214.169012] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 214.175555] unwind_backtrace from show_stack+0x10/0x14 [ 214.180819] show_stack from dump_stack_lvl+0x60/0x90 [ 214.185900] dump_stack_lvl from __lock_acquire+0x874/0x2858 [ 214.191584] __lock_acquire from lock_acquire+0xfc/0x378 [ 214.196918] lock_acquire from __mutex_lock+0x9c/0x8a8 [ 214.202083] __mutex_lock from mutex_lock_nested+0x1c/0x24 [ 214.207597] mutex_lock_nested from spidev_ioctl+0x8e0/0xab8 [ 214.213284] spidev_ioctl from sys_ioctl+0x4d0/0xe2c [ 214.218277] sys_ioctl from ret_fast_syscall+0x0/0x1c [ 214.223351] Exception stack(0xe75cdfa8 to 0xe75cdff0) [ 214.228422] dfa0: 00000000 00001000 00000003 40206b00 bee266e8 bee266e0 [ 214.236617] dfc0: 00000000 00001000 006a71a0 00000036 004c0040 004bfd18 00000000 00000003 [ 214.244809] dfe0: 00000036 bee266c8 b6f16dc5 b6e8e5f6 Fix it by introducing an unlocked variant of spidev_sync() and calling it from spidev_message() while other users who don't check the spidev->spi's existence keep on using the locking flavor. Reported-by: Francesco Dolcini Fixes: 1f4d2dd45b6e ("spi: spidev: fix a race condition when accessing spidev->spi") Signed-off-by: Bartosz Golaszewski Tested-by: Max Krummenacher Link: https://lore.kernel.org/r/20230116144149.305560-1-brgl@bgdev.pl Signed-off-by: Mark Brown commit c63b8fd14a7db719f8252038a790638728c4eb66 Author: Serge Semin Date: Fri Jan 13 21:59:42 2023 +0300 spi: dw: Fix wrong FIFO level setting for long xfers Due to using the u16 type in the min_t() macros the SPI transfer length will be cast to word before participating in the conditional statement implied by the macro. Thus if the transfer length is greater than 64KB the Tx/Rx FIFO threshold level value will be determined by the leftover of the truncated after the type-case length. In the worst case it will cause the dramatical performance drop due to the "Tx FIFO Empty" or "Rx FIFO Full" interrupts triggered on each xfer word sent/received to/from the bus. The problem can be easily fixed by specifying the unsigned int type in the min_t() macros thus preventing the possible data loss. Fixes: ea11370fffdf ("spi: dw: get TX level without an additional variable") Reported-by: Sergey Nazarov Signed-off-by: Serge Semin Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20230113185942.2516-1-Sergey.Semin@baikalelectronics.ru Signed-off-by: Mark Brown commit 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3 Author: Miklos Szeredi Date: Tue Jan 24 16:41:18 2023 +0100 ovl: fail on invalid uid/gid mapping at copy up If st_uid/st_gid doesn't have a mapping in the mounter's user_ns, then copy-up should fail, just like it would fail if the mounter task was doing the copy using "cp -a". There's a corner case where the "cp -a" would succeed but copy up fail: if there's a mapping of the invalid uid/gid (65534 by default) in the user namespace. This is because stat(2) will return this value if the mapping doesn't exist in the current user_ns and "cp -a" will in turn be able to create a file with this uid/gid. This behavior would be inconsistent with POSIX ACL's, which return -1 for invalid uid/gid which result in a failed copy. For consistency and simplicity fail the copy of the st_uid/st_gid are invalid. Fixes: 459c7c565ac3 ("ovl: unprivieged mounts") Cc: # v5.11 Signed-off-by: Miklos Szeredi Reviewed-by: Christian Brauner Reviewed-by: Seth Forshee commit baabaa505563362b71f2637aedd7b807d270656c Author: Miklos Szeredi Date: Tue Jan 24 16:41:18 2023 +0100 ovl: fix tmpfile leak Missed an error cleanup. Reported-by: syzbot+fd749a7ea127a84e0ffd@syzkaller.appspotmail.com Fixes: 2b1a77461f16 ("ovl: use vfs_tmpfile_open() helper") Cc: # v6.1 Signed-off-by: Miklos Szeredi commit a9ad4d87aa263de36895402b66115a3a4b88bf1c Author: Qu Wenruo Date: Sat Jan 21 16:06:11 2023 +0800 btrfs: raid56: make error_bitmap update atomic In the rework of raid56 code, there is very limited concurrency in the endio context. Most of the work is done inside the sectors arrays, which different bios will never touch the same sector. But there is a concurrency here for error_bitmap. Both read and write endio functions need to touch them, and we can have multiple write bios touching the same error bitmap if they all hit some errors. Here we fix the unprotected bitmap operation by going set_bit() in a loop. Since we have a very small ceiling of the sectors (at most 16 sectors), such set_bit() in a loop should be very acceptable. Fixes: 2942a50dea74 ("btrfs: raid56: introduce btrfs_raid_bio::error_bitmap") Reviewed-by: Christoph Hellwig Signed-off-by: Qu Wenruo Signed-off-by: David Sterba commit 33e17b3f5ab74af12aca58c515bc8424ff69a343 Author: David Sterba Date: Tue Jan 24 20:32:10 2023 +0100 btrfs: send: limit number of clones and allocated memory size The arg->clone_sources_count is u64 and can trigger a warning when a huge value is passed from user space and a huge array is allocated. Limit the allocated memory to 8MiB (can be increased if needed), which in turn limits the number of clone sources to 8M / sizeof(struct clone_root) = 8M / 40 = 209715. Real world number of clones is from tens to hundreds, so this is future proof. Reported-by: syzbot+4376a9a073770c173269@syzkaller.appspotmail.com Signed-off-by: David Sterba commit ef5c600adb1d985513d2b612cc90403a148ff287 Author: Dylan Yudaken Date: Fri Jan 27 02:59:11 2023 -0800 io_uring: always prep_async for drain requests Drain requests all go through io_drain_req, which has a quick exit in case there is nothing pending (ie the drain is not useful). In that case it can run the issue the request immediately. However for safety it queues it through task work. The problem is that in this case the request is run asynchronously, but the async work has not been prepared through io_req_prep_async. This has not been a problem up to now, as the task work always would run before returning to userspace, and so the user would not have a chance to race with it. However - with IORING_SETUP_DEFER_TASKRUN - this is no longer the case and the work might be defered, giving userspace a chance to change data being referred to in the request. Instead _always_ prep_async for drain requests, which is simpler anyway and removes this issue. Cc: stable@vger.kernel.org Fixes: c0e0d6ba25f1 ("io_uring: add IORING_SETUP_DEFER_TASKRUN") Signed-off-by: Dylan Yudaken Link: https://lore.kernel.org/r/20230127105911.2420061-1-dylany@meta.com Signed-off-by: Jens Axboe commit d2ceea0eb6e17bb37d8b85cb4c16797c0d683d1c Author: Danilo Krummrich Date: Thu Jan 26 01:28:44 2023 +0100 dma-buf: actually set signaling bit for private stub fences In dma_fence_allocate_private_stub() set the signaling bit of the newly allocated private stub fence rather than the signaling bit of the shared dma_fence_stub. Cc: # v6.1 Fixes: c85d00d4fd8b ("dma-buf: set signaling bit for the stub fence") Reviewed-by: Christian König Signed-off-by: Danilo Krummrich Link: https://patchwork.freedesktop.org/patch/msgid/20230126002844.339593-1-dakr@redhat.com commit 677d85e1a1ee69fa05ccea83847309484be3781c Author: Ivo Borisov Shopov Date: Thu Jan 26 15:10:33 2023 +0200 tools: gpio: fix -c option of gpio-event-mon Following line should listen for a rising edge and exit after the first one since '-c 1' is provided. # gpio-event-mon -n gpiochip1 -o 0 -r -c 1 It works with kernel 4.19 but it doesn't work with 5.10. In 5.10 the above command doesn't exit after the first rising edge it keep listening for an event forever. The '-c 1' is not taken into an account. The problem is in commit 62757c32d5db ("tools: gpio: add multi-line monitoring to gpio-event-mon"). Before this commit the iterator 'i' in monitor_device() is used for counting of the events (loops). In the case of the above command (-c 1) we should start from 0 and increment 'i' only ones and hit the 'break' statement and exit the process. But after the above commit counting doesn't start from 0, it start from 1 when we listen on one line. It is because 'i' is used from one more purpose, counting of lines (num_lines) and it isn't restore to 0 after following code for (i = 0; i < num_lines; i++) gpiotools_set_bit(&values.mask, i); Restore the initial value of the iterator to 0 in order to allow counting of loops to work for any cases. Fixes: 62757c32d5db ("tools: gpio: add multi-line monitoring to gpio-event-mon") Signed-off-by: Ivo Borisov Shopov Reviewed-by: Andy Shevchenko [Bartosz: tweak the commit message] Signed-off-by: Bartosz Golaszewski commit b710ef411048cdbd0fb279b9529af2731fe97022 Author: Arnd Bergmann Date: Fri Jan 27 10:35:05 2023 +0100 gpio: ep93xx: remove unused variable This one was left behind by a previous cleanup patch: drivers/gpio/gpio-ep93xx.c: In function 'ep93xx_gpio_add_bank': drivers/gpio/gpio-ep93xx.c:366:34: error: unused variable 'ic' [-Werror=unused-variable] Fixes: 216f37366e86 ("gpio: ep93xx: Make irqchip immutable") Signed-off-by: Arnd Bergmann Signed-off-by: Bartosz Golaszewski commit d2d73e6d4822140445ad4a7b1c6091e0f5fe703b Author: Maxim Korotkov Date: Fri Nov 18 13:43:32 2022 +0300 pinctrl: single: fix potential NULL dereference Added checking of pointer "function" in pcs_set_mux(). pinmux_generic_get_function() can return NULL and the pointer "function" was dereferenced without checking against NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 571aec4df5b7 ("pinctrl: single: Use generic pinmux helpers for managing functions") Signed-off-by: Maxim Korotkov Reviewed-by: Tony Lindgren Link: https://lore.kernel.org/r/20221118104332.943-1-korotkov.maxim.s@gmail.com Signed-off-by: Linus Walleij commit c6e0679b8381bf03315e6660cf5370f916c1a1c6 Author: Mario Limonciello Date: Sat Jan 21 07:48:10 2023 -0600 pinctrl: amd: Fix debug output for debounce time If one GPIO has debounce enabled but future GPIOs in the list don't have debounce the time never gets reset and shows wrong value. Signed-off-by: Mario Limonciello Link: https://lore.kernel.org/r/20230121134812.16637-2-mario.limonciello@amd.com Signed-off-by: Linus Walleij commit 287a344a11f1ebd31055cf9b22c88d7005f108d7 Author: Joel Stanley Date: Fri Jan 20 09:48:56 2023 +1030 pinctrl: aspeed: Fix confusing types in return value The function signature is int, but we return a bool. Instead return a negative errno as the kerneldoc suggests. Fixes: 4d3d0e4272d8 ("pinctrl: Add core support for Aspeed SoCs") Signed-off-by: Joel Stanley Reviewed-by: Andrew Jeffery Link: https://lore.kernel.org/r/20230119231856.52014-1-joel@jms.id.au Signed-off-by: Linus Walleij commit 6b04456e248761cf68f562f2fd7c04e591fcac94 Author: Tanmay Bhushan <007047221b@gmail.com> Date: Tue Dec 27 22:02:16 2022 +0100 vdpa: ifcvf: Do proper cleanup if IFCVF init fails ifcvf_mgmt_dev leaks memory if it is not freed before returning. Call is made to correct return statement so memory does not leak. ifcvf_init_hw does not take care of this so it is needed to do it here. Signed-off-by: Tanmay Bhushan <007047221b@gmail.com> Message-Id: <772e9fe133f21fa78fb98a2ebe8969efbbd58e3c.camel@gmail.com> Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Acked-by: Zhu Lingshan commit 6dd88fd59da84631b5fe5c8176931c38cfa3b265 Author: Jason Wang Date: Thu Jan 19 15:36:47 2023 +0800 vhost-scsi: unbreak any layout for response Al Viro said: """ Since "vhost/scsi: fix reuse of &vq->iov[out] in response" we have this: cmd->tvc_resp_iov = vq->iov[vc.out]; cmd->tvc_in_iovs = vc.in; combined with iov_iter_init(&iov_iter, ITER_DEST, &cmd->tvc_resp_iov, cmd->tvc_in_iovs, sizeof(v_rsp)); in vhost_scsi_complete_cmd_work(). We used to have ->tvc_resp_iov _pointing_ to vq->iov[vc.out]; back then iov_iter_init() asked to set an iovec-backed iov_iter over the tail of vq->iov[], with length being the amount of iovecs in the tail. Now we have a copy of one element of that array. Fortunately, the members following it in the containing structure are two non-NULL kernel pointers, so copy_to_iter() will not copy anything beyond the first iovec - kernel pointer is not (on the majority of architectures) going to be accepted by access_ok() in copyout() and it won't be skipped since the "length" (in reality - another non-NULL kernel pointer) won't be zero. So it's not going to give a guest-to-qemu escalation, but it's definitely a bug. Frankly, my preference would be to verify that the very first iovec is long enough to hold rsp_size. Due to the above, any users that try to give us vq->iov[vc.out].iov_len < sizeof(struct virtio_scsi_cmd_resp) would currently get a failure in vhost_scsi_complete_cmd_work() anyway. """ However, the spec doesn't say anything about the legacy descriptor layout for the respone. So this patch tries to not assume the response to reside in a single separate descriptor which is what commit 79c14141a487 ("vhost/scsi: Convert completion path to use") tries to achieve towards to ANY_LAYOUT. This is done by allocating and using dedicate resp iov in the command. To be safety, start with UIO_MAXIOV to be consistent with the limitation that we advertise to the vhost_get_vq_desc(). Testing with the hacked virtio-scsi driver that use 1 descriptor for 1 byte in the response. Reported-by: Al Viro Cc: Benjamin Coddington Cc: Nicholas Bellinger Fixes: a77ec83a5789 ("vhost/scsi: fix reuse of &vq->iov[out] in response") Signed-off-by: Jason Wang Message-Id: <20230119073647.76467-1-jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin Reviewed-by: Stefan Hajnoczi commit 3f7b75abf41cc4143aa295f62acbb060a012868d Author: Shunsuke Mie Date: Tue Jan 10 12:43:10 2023 +0900 tools/virtio: fix the vringh test for virtio ring changes Fix the build caused by missing kmsan_handle_dma() and is_power_of_2() that are used in drivers/virtio/virtio_ring.c. Signed-off-by: Shunsuke Mie Message-Id: <20230110034310.779744-1-mie@igel.co.jp> Signed-off-by: Michael S. Tsirkin commit 9526f9a2b762af16be94a72aca5d65c677d28f50 Author: Eric Auger Date: Tue Jan 17 10:15:18 2023 -0500 vhost/net: Clear the pending messages when the backend is removed When the vhost iotlb is used along with a guest virtual iommu and the guest gets rebooted, some MISS messages may have been recorded just before the reboot and spuriously executed by the virtual iommu after the reboot. As vhost does not have any explicit reset user API, VHOST_NET_SET_BACKEND looks a reasonable point where to clear the pending messages, in case the backend is removed. Export vhost_clear_msg() and call it in vhost_net_set_backend() when fd == -1. Signed-off-by: Eric Auger Suggested-by: Jason Wang Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Message-Id: <20230117151518.44725-3-eric.auger@redhat.com> Signed-off-by: Michael S. Tsirkin commit 0a9e5794b21e2d1303759ff8fe5f9215db7757ba Author: Eric Dumazet Date: Thu Jan 26 11:21:30 2023 +0000 xfrm: annotate data-race around use_time KCSAN reported multiple cpus can update use_time at the same time. Adds READ_ONCE()/WRITE_ONCE() annotations. Note that 32bit arches are not fully protected, but they will probably no longer be supported/used in 2106. BUG: KCSAN: data-race in __xfrm_policy_check / __xfrm_policy_check write to 0xffff88813e7ec108 of 8 bytes by interrupt on cpu 0: __xfrm_policy_check+0x6ae/0x17f0 net/xfrm/xfrm_policy.c:3664 __xfrm_policy_check2 include/net/xfrm.h:1174 [inline] xfrm_policy_check include/net/xfrm.h:1179 [inline] xfrm6_policy_check+0x2e9/0x320 include/net/xfrm.h:1189 udpv6_queue_rcv_one_skb+0x48/0xa30 net/ipv6/udp.c:703 udpv6_queue_rcv_skb+0x2d6/0x310 net/ipv6/udp.c:792 udp6_unicast_rcv_skb+0x16b/0x190 net/ipv6/udp.c:935 __udp6_lib_rcv+0x84b/0x9b0 net/ipv6/udp.c:1020 udpv6_rcv+0x4b/0x50 net/ipv6/udp.c:1133 ip6_protocol_deliver_rcu+0x99e/0x1020 net/ipv6/ip6_input.c:439 ip6_input_finish net/ipv6/ip6_input.c:484 [inline] NF_HOOK include/linux/netfilter.h:302 [inline] ip6_input+0xca/0x180 net/ipv6/ip6_input.c:493 dst_input include/net/dst.h:454 [inline] ip6_rcv_finish+0x1e9/0x2d0 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:302 [inline] ipv6_rcv+0x85/0x140 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core net/core/dev.c:5482 [inline] __netif_receive_skb+0x8b/0x1b0 net/core/dev.c:5596 process_backlog+0x23f/0x3b0 net/core/dev.c:5924 __napi_poll+0x65/0x390 net/core/dev.c:6485 napi_poll net/core/dev.c:6552 [inline] net_rx_action+0x37e/0x730 net/core/dev.c:6663 __do_softirq+0xf2/0x2c7 kernel/softirq.c:571 do_softirq+0xb1/0xf0 kernel/softirq.c:472 __local_bh_enable_ip+0x6f/0x80 kernel/softirq.c:396 __raw_read_unlock_bh include/linux/rwlock_api_smp.h:257 [inline] _raw_read_unlock_bh+0x17/0x20 kernel/locking/spinlock.c:284 wg_socket_send_skb_to_peer+0x107/0x120 drivers/net/wireguard/socket.c:184 wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline] wg_packet_tx_worker+0x142/0x360 drivers/net/wireguard/send.c:276 process_one_work+0x3d3/0x720 kernel/workqueue.c:2289 worker_thread+0x618/0xa70 kernel/workqueue.c:2436 kthread+0x1a9/0x1e0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 write to 0xffff88813e7ec108 of 8 bytes by interrupt on cpu 1: __xfrm_policy_check+0x6ae/0x17f0 net/xfrm/xfrm_policy.c:3664 __xfrm_policy_check2 include/net/xfrm.h:1174 [inline] xfrm_policy_check include/net/xfrm.h:1179 [inline] xfrm6_policy_check+0x2e9/0x320 include/net/xfrm.h:1189 udpv6_queue_rcv_one_skb+0x48/0xa30 net/ipv6/udp.c:703 udpv6_queue_rcv_skb+0x2d6/0x310 net/ipv6/udp.c:792 udp6_unicast_rcv_skb+0x16b/0x190 net/ipv6/udp.c:935 __udp6_lib_rcv+0x84b/0x9b0 net/ipv6/udp.c:1020 udpv6_rcv+0x4b/0x50 net/ipv6/udp.c:1133 ip6_protocol_deliver_rcu+0x99e/0x1020 net/ipv6/ip6_input.c:439 ip6_input_finish net/ipv6/ip6_input.c:484 [inline] NF_HOOK include/linux/netfilter.h:302 [inline] ip6_input+0xca/0x180 net/ipv6/ip6_input.c:493 dst_input include/net/dst.h:454 [inline] ip6_rcv_finish+0x1e9/0x2d0 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:302 [inline] ipv6_rcv+0x85/0x140 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core net/core/dev.c:5482 [inline] __netif_receive_skb+0x8b/0x1b0 net/core/dev.c:5596 process_backlog+0x23f/0x3b0 net/core/dev.c:5924 __napi_poll+0x65/0x390 net/core/dev.c:6485 napi_poll net/core/dev.c:6552 [inline] net_rx_action+0x37e/0x730 net/core/dev.c:6663 __do_softirq+0xf2/0x2c7 kernel/softirq.c:571 do_softirq+0xb1/0xf0 kernel/softirq.c:472 __local_bh_enable_ip+0x6f/0x80 kernel/softirq.c:396 __raw_read_unlock_bh include/linux/rwlock_api_smp.h:257 [inline] _raw_read_unlock_bh+0x17/0x20 kernel/locking/spinlock.c:284 wg_socket_send_skb_to_peer+0x107/0x120 drivers/net/wireguard/socket.c:184 wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline] wg_packet_tx_worker+0x142/0x360 drivers/net/wireguard/send.c:276 process_one_work+0x3d3/0x720 kernel/workqueue.c:2289 worker_thread+0x618/0xa70 kernel/workqueue.c:2436 kthread+0x1a9/0x1e0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 value changed: 0x0000000063c62d6f -> 0x0000000063c62d70 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 4185 Comm: kworker/1:2 Tainted: G W 6.2.0-rc4-syzkaller-00009-gd532dd102151-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: wg-crypt-wg0 wg_packet_tx_worker Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Steffen Klassert Cc: Arnd Bergmann Acked-by: Arnd Bergmann Signed-off-by: Steffen Klassert commit 195e4aac74ce67385f95432301da6db3c2cfc72a Author: Eric Dumazet Date: Thu Jan 26 11:21:29 2023 +0000 xfrm: consistently use time64_t in xfrm_timer_handler() For some reason, blamed commit did the right thing in xfrm_policy_timer() but did not in xfrm_timer_handler() Fixes: 386c5680e2e8 ("xfrm: use time64_t for in-kernel timestamps") Signed-off-by: Eric Dumazet Cc: Arnd Bergmann Cc: Steffen Klassert Acked-by: Arnd Bergmann Signed-off-by: Steffen Klassert commit 53466ebdec614f915c691809b0861acecb941e30 Author: Takashi Iwai Date: Wed Jan 25 16:31:04 2023 +0100 ALSA: memalloc: Workaround for Xen PV We change recently the memalloc helper to use dma_alloc_noncontiguous() and the fallback to get_pages(). Although lots of issues with IOMMU (or non-IOMMU) have been addressed, but there seems still a regression on Xen PV. Interestingly, the only proper way to work is use dma_alloc_coherent(). The use of dma_alloc_coherent() for SG buffer was dropped as it's problematic on IOMMU systems. OTOH, Xen PV has a different way, and it's fine to use the dma_alloc_coherent(). This patch is a workaround for Xen PV. It consists of the following changes: - For Xen PV, use only the fallback allocation without dma_alloc_noncontiguous() - In the fallback allocation, use dma_alloc_coherent(); the DMA address from dma_alloc_coherent() is returned in get_addr ops - The DMA addresses are stored in an array; the first entry stores the number of allocated pages in lower bits, which are referred at releasing pages again Reported-by: Marek Marczykowski-Górecki Tested-by: Marek Marczykowski-Górecki Fixes: a8d302a0b770 ("ALSA: memalloc: Revive x86-specific WC page allocations again") Fixes: 9736a325137b ("ALSA: memalloc: Don't fall back for SG-buffer with IOMMU") Link: https://lore.kernel.org/r/87tu256lqs.wl-tiwai@suse.de Link: https://lore.kernel.org/r/20230125153104.5527-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 5416c9aea8323583e8696f0500b6142dfae80821 Author: Kui-Feng Lee Date: Thu Jan 26 16:17:32 2023 -0800 bpf: Fix the kernel crash caused by bpf_setsockopt(). The kernel crash was caused by a BPF program attached to the "lsm_cgroup/socket_sock_rcv_skb" hook, which performed a call to `bpf_setsockopt()` in order to set the TCP_NODELAY flag as an example. Flags like TCP_NODELAY can prompt the kernel to flush a socket's outgoing queue, and this hook "lsm_cgroup/socket_sock_rcv_skb" is frequently triggered by softirqs. The issue was that in certain circumstances, when `tcp_write_xmit()` was called to flush the queue, it would also allow BH (bottom-half) to run. This could lead to our program attempting to flush the same socket recursively, which caused a `skbuff` to be unlinked twice. `security_sock_rcv_skb()` is triggered by `tcp_filter()`. This occurs before the sock ownership is checked in `tcp_v4_rcv()`. Consequently, if a bpf program runs on `security_sock_rcv_skb()` while under softirq conditions, it may not possess the lock needed for `bpf_setsockopt()`, thus presenting an issue. The patch fixes this issue by ensuring that a BPF program attached to the "lsm_cgroup/socket_sock_rcv_skb" hook is not allowed to call `bpf_setsockopt()`. The differences from v1 are - changing commit log to explain holding the lock of the sock, - emphasizing that TCP_NODELAY is not the only flag, and - adding the fixes tag. v1: https://lore.kernel.org/bpf/20230125000244.1109228-1-kuifeng@meta.com/ Signed-off-by: Kui-Feng Lee Fixes: 9113d7e48e91 ("bpf: expose bpf_{g,s}etsockopt to lsm cgroup") Link: https://lore.kernel.org/r/20230127001732.4162630-1-kuifeng@meta.com Signed-off-by: Martin KaFai Lau commit 15600159bcc6abbeae6b33a849bef90dca28b78f Author: Martin K. Petersen Date: Thu Jan 26 22:06:08 2023 -0500 scsi: Revert "scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT" This reverts commit 948e922fc44611ee2de0c89583ca958cb5307d36. Not all targets that return PQ=1 and PDT=0 should be ignored. While the SCSI spec is vague in this department, there appears to be a critical mass of devices which rely on devices being accessible with this combination of reported values. Fixes: 948e922fc446 ("scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT") Link: https://lore.kernel.org/r/yq1lelrleqr.fsf@ca-mkp.ca.oracle.com Acked-by: Bart Van Assche Acked-by: Martin Wilck Acked-by: Hannes Reinecke Signed-off-by: Martin K. Petersen commit 2542fc9578d49b3b376231269d4c7c7d4cffd62a Author: Bart Van Assche Date: Wed Jan 25 11:43:11 2023 -0800 scsi: core: Fix the scsi_device_put() might_sleep annotation Although most calls of scsi_device_put() happen from non-atomic context, alua_rtpg_queue() calls this function from atomic context if alua_rtpg_queue() itself is called from atomic context. alua_rtpg_queue() is always called from contexts where the caller must hold at least one reference to the scsi device in question. This means that the reference taken by alua_rtpg_queue() itself can't be the last one, and thus can be dropped without entering the code path in which scsi_device_put() might actually sleep. Hence move the might_sleep() annotation from scsi_device_put() into scsi_device_dev_release(). [1] https://lore.kernel.org/linux-scsi/b49e37d5-edfb-4c56-3eeb-62c7d5855c00@linux.ibm.com/ [2] https://lore.kernel.org/linux-scsi/55c35e64-a7d4-9072-46fd-e8eae6a90e96@linux.ibm.com/ Note: a significant part of the above description was written by Martin Wilck. Fixes: f93ed747e2c7 ("scsi: core: Release SCSI devices synchronously") Cc: Martin Wilck Cc: Steffen Maier Cc: Hannes Reinecke Cc: Sachin Sant Cc: Benjamin Block Reported-by: Steffen Maier Signed-off-by: Bart Van Assche Reviewed-by: Martin Wilck Link: https://lore.kernel.org/r/20230125194311.249553-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit d23db89883962d9b4cb3ad03dfd02e525ed2cc03 Merge: f439a959dcfb6 d6591da5f3ff2 Author: Dave Airlie Date: Fri Jan 27 12:31:02 2023 +1000 Merge tag 'drm-misc-fixes-2023-01-26' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes A fix and a preliminary patch to fix a memory leak in i915, and a use after free fix for fbdev deferred io Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20230126104018.cbrcjxl5wefdbb2f@houat commit f439a959dcfb6b39d6fd4b85ca1110a1d1de1587 Author: Dave Airlie Date: Fri Jan 27 12:15:13 2023 +1000 amdgpu: fix build on non-DCN platforms. This fixes the build here locally on my 32-bit arm build. Signed-off-by: Dave Airlie commit 1d65bd6b6f6f1e57430787682e6fa791108f1b05 Merge: af0af9087a071 4b069553246f9 Author: Dave Airlie Date: Fri Jan 27 11:50:08 2023 +1000 Merge tag 'amd-drm-fixes-6.2-2023-01-25' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.2-2023-01-25: amdgpu: - GC11.x fixes - SMU13.0.0 fix - Freesync video fix - DP MST fixes drm: - DP MST kref fix Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20230125220153.320248-1-alexander.deucher@amd.com commit af0af9087a071c68cc9be3f3875772b41068e03b Merge: 2241ab53cbb5c 2255bbcdc39d5 Author: Dave Airlie Date: Fri Jan 27 11:39:55 2023 +1000 Merge tag 'drm-intel-fixes-2023-01-26' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Fix BSC default context for Meteor Lake (Lucas) - Fix selftest-scheduler's modify_type (Andi) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/Y9LKD2J5bmICTyIP@intel.com commit ad34656db3b959421621c4e239d7e0dc710ec04c Author: Bjorn Helgaas Date: Thu Jan 26 15:10:03 2023 -0600 MAINTAINERS: Move to shared PCI tree Move PCI subsystem maintenance to a shared git tree to make it easier for maintainers to collaborate. Update MAINTAINERS accordingly. No change to patch submission and patchwork tracking. Link: https://lore.kernel.org/r/20230126211003.1310916-1-helgaas@kernel.org Signed-off-by: Bjorn Helgaas commit e632291a2dbce45a24cddeb5fe28fe71d724ba43 Author: Dragos Tatulea Date: Tue Jan 24 20:24:18 2023 +0200 IB/IPoIB: Fix legacy IPoIB due to wrong number of queues The cited commit creates child PKEY interfaces over netlink will multiple tx and rx queues, but some devices doesn't support more than 1 tx and 1 rx queues. This causes to a crash when traffic is sent over the PKEY interface due to the parent having a single queue but the child having multiple queues. This patch fixes the number of queues to 1 for legacy IPoIB at the earliest possible point in time. BUG: kernel NULL pointer dereference, address: 000000000000036b PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc+0xcb/0x450 Code: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a 01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b RSP: 0018:ffff88822acbbab8 EFLAGS: 00010202 RAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae RDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00 RBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40 R10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000 R13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000 FS: 00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_clone+0x55/0xd0 ip6_finish_output2+0x3fe/0x690 ip6_finish_output+0xfa/0x310 ip6_send_skb+0x1e/0x60 udp_v6_send_skb+0x1e5/0x420 udpv6_sendmsg+0xb3c/0xe60 ? ip_mc_finish_output+0x180/0x180 ? __switch_to_asm+0x3a/0x60 ? __switch_to_asm+0x34/0x60 sock_sendmsg+0x33/0x40 __sys_sendto+0x103/0x160 ? _copy_to_user+0x21/0x30 ? kvm_clock_get_cycles+0xd/0x10 ? ktime_get_ts64+0x49/0xe0 __x64_sys_sendto+0x25/0x30 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f9374f1ed14 Code: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b RSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14 RDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030 RBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc Fixes: dbc94a0fb817 ("IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces") Signed-off-by: Dragos Tatulea Link: https://lore.kernel.org/r/95eb6b74c7cf49fa46281f9d056d685c9fa11d38.1674584576.git.leon@kernel.org Signed-off-by: Leon Romanovsky commit 343c700480982214dc4f834f536a49a4098e556a Author: Javier Martinez Canillas Date: Wed Jan 25 19:42:30 2023 +0100 drm/ssd130x: Init display before the SSD130X_DISPLAY_ON command Commit 622113b9f11f ("drm/ssd130x: Replace simple display helpers with the atomic helpers") changed the driver to just use the atomic helpers instead of the simple KMS abstraction layer. But the commit also made a subtle change on the display power sequence and initialization order, by moving the ssd130x_power_on() call to the encoder .atomic_enable handler and the ssd130x_init() call to CRTC .reset handler. Before this change, both ssd130x_power_on() and ssd130x_init() were called in the simple display pipeline .enable handler, so the display was already initialized by the time the SSD130X_DISPLAY_ON command was sent. For some reasons, it only made the ssd130x SPI driver to fail but the I2C was still working. That is the reason why the bug was not noticed before. To revert to the old driver behavior, move the ssd130x_init() call to the encoder .atomic_enable as well. Besides fixing the panel not being turned on when using SPI, it also gets rid of the custom CRTC .reset callback. Fixes: 622113b9f11f ("drm/ssd130x: Replace simple display helpers with the atomic helpers") Signed-off-by: Javier Martinez Canillas Reviewed-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20230125184230.3343206-1-javierm@redhat.com commit db3ba974c2bc895ba39689a364cb7a49c0fe779f Merge: 8e4ff684762b6 85eee6341abb8 Author: Jens Axboe Date: Thu Jan 26 11:43:33 2023 -0700 Merge tag 'nvme-6.2-2023-01-26' of git://git.infradead.org/nvme into block-6.2 Pull NVMe fixes from Christoph: "nvme fixes for Linux 6.2 - flush initial scan_work for async probe (Keith Busch) - fix passthrough csi check (Keith Busch) - fix nvme-fc initialization order (Ross Lagerwall)" * tag 'nvme-6.2-2023-01-26' of git://git.infradead.org/nvme: nvme: fix passthrough csi check nvme-pci: flush initial scan_work for async probe nvme-fc: fix initialization order commit 83abd4d4c4be8984ba5a3a813ccfedba79c7d6ad Merge: 28b4387f0ec08 1bc5d819f0b97 Author: Linus Torvalds Date: Thu Jan 26 10:29:49 2023 -0800 Merge tag 'platform-drivers-x86-v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fixes from Hans de Goede: - Fix false positive apple_gmux backlight detection on older iGPU only MacBook models - Various other small fixes and hardware-id additions * tag 'platform-drivers-x86-v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: thinkpad_acpi: Fix profile modes on Intel platforms ACPI: video: Fix apple gmux detection platform/x86: apple-gmux: Add apple_gmux_detect() helper platform/x86: apple-gmux: Move port defines to apple-gmux.h platform/x86: hp-wmi: Fix cast to smaller integer type warning platform/x86/amd: pmc: Add a module parameter to disable workarounds platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN platform/x86: asus-wmi: Fix kbd_dock_devid tablet-switch reporting platform/x86: gigabyte-wmi: add support for B450M DS3H WIFI-CF platform/x86: hp-wmi: Handle Omen Key event platform/x86: dell-wmi: Add a keymap for KEY_MUTE in type 0x0010 table commit 28b4387f0ec08d48634fcc3e3687c93edc1503f9 Merge: 262b42e02d1e0 7083df59abbc2 Author: Linus Torvalds Date: Thu Jan 26 10:20:12 2023 -0800 Merge tag 'net-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from netfilter. Current release - regressions: - sched: sch_taprio: do not schedule in taprio_reset() Previous releases - regressions: - core: fix UaF in netns ops registration error path - ipv4: prevent potential spectre v1 gadgets - ipv6: fix reachability confirmation with proxy_ndp - netfilter: fix for the set rbtree - eth: fec: use page_pool_put_full_page when freeing rx buffers - eth: iavf: fix temporary deadlock and failure to set MAC address Previous releases - always broken: - netlink: prevent potential spectre v1 gadgets - netfilter: fixes for SCTP connection tracking - mctp: struct sock lifetime fixes - eth: ravb: fix possible hang if RIS2_QFF1 happen - eth: tg3: resolve deadlock in tg3_reset_task() during EEH Misc: - Mat stepped out as MPTCP co-maintainer" * tag 'net-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (40 commits) net: mdio-mux-meson-g12a: force internal PHY off on mux switch docs: networking: Fix bridge documentation URL tsnep: Fix TX queue stop/wake for multiple queues net/tg3: resolve deadlock in tg3_reset_task() during EEH net: mctp: mark socks as dead on unhash, prevent re-add net: mctp: hold key reference when looking up a general key net: mctp: move expiry timer delete to unhash net: mctp: add an explicit reference from a mctp_sk_key to sock net: ravb: Fix possible hang if RIS2_QFF1 happen net: ravb: Fix lack of register setting after system resumed for Gen3 net/x25: Fix to not accept on connected socket ice: move devlink port creation/deletion sctp: fail if no bound addresses can be used for a given scope net/sched: sch_taprio: do not schedule in taprio_reset() Revert "Merge branch 'ethtool-mac-merge'" netrom: Fix use-after-free of a listening socket. netfilter: conntrack: unify established states for SCTP paths Revert "netfilter: conntrack: add sctp DATA_SENT state" netfilter: conntrack: fix bug in for_each_sctp_chunk netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE ... commit 262b42e02d1e0b5ad1b33e9b9842e178c16231de Author: Linus Torvalds Date: Thu Jan 26 10:05:39 2023 -0800 treewide: fix up files incorrectly marked executable I'm not exactly clear on what strange workflow causes people to do it, but clearly occasionally some files end up being committed as executable even though they clearly aren't. This is a reprise of commit 90fda63fa115 ("treewide: fix up files incorrectly marked executable"), just with a different set of files (but with the same trivial shell scripting). So apparently we need to re-do this every five years or so, and Joe needs to just keep reminding me to do so ;) Reported-by: Joe Perches Fixes: 523375c943e5 ("drm/vmwgfx: Port vmwgfx to arm64") Fixes: 5c439937775d ("ASoC: codecs: add support for ES8326") Signed-off-by: Linus Torvalds commit e18c6da62edc780e4f4f3c9ce07bdacd69505182 Author: Arnd Bergmann Date: Thu Jan 26 17:21:24 2023 +0100 ASoC: cs42l56: fix DT probe While looking through legacy platform data users, I noticed that the DT probing never uses data from the DT properties, as the platform_data structure gets overwritten directly after it is initialized. There have never been any boards defining the platform_data in the mainline kernel either, so this driver so far only worked with patched kernels or with the default values. For the benefit of possible downstream users, fix the DT probe by no longer overwriting the data. Signed-off-by: Arnd Bergmann Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20230126162203.2986339-1-arnd@kernel.org Signed-off-by: Mark Brown commit 8e4ff684762b6503db45e8906e258faee080c336 Author: Ming Lei Date: Thu Jan 26 19:53:46 2023 +0800 block: ublk: move ublk_chr_class destroying after devices are removed The 'ublk_chr_class' is needed when deleting ublk char devices in ublk_exit(), so move it after devices(idle) are removed. Fixes the following warning reported by Harris, James R: [ 859.178950] sysfs group 'power' not found for kobject 'ublkc0' [ 859.178962] WARNING: CPU: 3 PID: 1109 at fs/sysfs/group.c:278 sysfs_remove_group+0x9c/0xb0 Reported-by: "Harris, James R" Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") Link: https://lore.kernel.org/linux-block/Y9JlFmSgDl3+zy3N@T590/T/#t Signed-off-by: Ming Lei Tested-by: Jim Harris Link: https://lore.kernel.org/r/20230126115346.263344-1-ming.lei@redhat.com Signed-off-by: Jens Axboe commit a428eb4b99ab80454f06ad256b25e930fe8a4954 Author: Robin Murphy Date: Mon Jan 23 18:30:38 2023 +0000 Partially revert "perf/arm-cmn: Optimise DTC counter accesses" It turns out the optimisation implemented by commit 4f2c3872dde5 is totally broken, since all the places that consume hw->dtcs_used for events other than cycle count are still not expecting it to be sparsely populated, and fail to read all the relevant DTC counters correctly if so. If implemented correctly, the optimisation potentially saves up to 3 register reads per event update, which is reasonably significant for events targeting a single node, but still not worth a massive amount of additional code complexity overall. Getting it right within the current design looks a fair bit more involved than it was ever intended to be, so let's just make a functional revert which restores the old behaviour while still backporting easily. Fixes: 4f2c3872dde5 ("perf/arm-cmn: Optimise DTC counter accesses") Reported-by: Ilkka Koskinen Signed-off-by: Robin Murphy Link: https://lore.kernel.org/r/b41bb4ed7283c3d8400ce5cf5e6ec94915e6750f.1674498637.git.robin.murphy@arm.com Signed-off-by: Will Deacon commit 5754a1c98b18009cb3030dc391aa37b77428a0bd Author: Guodong Liu Date: Wed Jan 18 14:21:16 2023 +0800 pinctrl: mediatek: Fix the drive register definition of some Pins The drive adjustment register definition of gpio13 and gpio81 is wrong: "the start address for the range" of gpio18 is corrected to 0x000, "the start bit for the first register within the range" of gpio81 is corrected to 24. Fixes: 6cf5e9ef362a ("pinctrl: add pinctrl driver on mt8195") Signed-off-by: Guodong Liu Link: https://lore.kernel.org/r/20230118062116.26315-1-Guodong.Liu@mediatek.com Signed-off-by: Linus Walleij commit 51128c3f2a7c98055ea1d27e34910dc10977f618 Author: Hans Verkuil Date: Thu Jan 19 10:02:19 2023 +0100 drm/vc4: hdmi: make CEC adapter name unique The bcm2711 has two HDMI outputs, each with their own CEC adapter. The CEC adapter name has to be unique, but it is currently hardcoded to "vc4" for both outputs. Change this to use the card_name from the variant information in order to make the adapter name unique. Signed-off-by: Hans Verkuil Fixes: 15b4511a4af6 ("drm/vc4: add HDMI CEC support") Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/dcf1db75-d9cc-62cc-fa12-baf1b2b3bf31@xs4all.nl commit 1febf88ef907b142fdde34f7c64ed3535d9339e4 Author: Fabio Estevam Date: Tue Jan 17 08:25:10 2023 -0300 ARM: dts: imx7d-smegw01: Fix USB host over-current polarity Currently, when resetting the USB modem via AT commands, the modem is no longer re-connected. This problem is caused by the incorrect description of the USB_OTG2_OC pad. It should have pull-up enabled, hysteresis enabled and the property 'over-current-active-low' should be passed. With this change, the USB modem can be successfully re-connected after a reset. Cc: stable@vger.kernel.org Fixes: 9ac0ae97e349 ("ARM: dts: imx7d-smegw01: Add support for i.MX7D SMEGW01 board") Signed-off-by: Fabio Estevam Signed-off-by: Shawn Guo commit 39c95d0c357d7ef76aea958c1bece6b24f9b2e7e Author: Philippe Schenker Date: Mon Jan 16 15:01:52 2023 +0100 arm64: dts: imx8mm-verdin: Do not power down eth-phy Currently if suspending using either freeze or memory state, the fec driver tries to power down the phy which leads to crash of the kernel and non-responsible kernel with the following call trace: [ 24.839889 ] Call trace: [ 24.839892 ] phy_error+0x18/0x60 [ 24.839898 ] kszphy_handle_interrupt+0x6c/0x80 [ 24.839903 ] phy_interrupt+0x20/0x2c [ 24.839909 ] irq_thread_fn+0x30/0xa0 [ 24.839919 ] irq_thread+0x178/0x2c0 [ 24.839925 ] kthread+0x154/0x160 [ 24.839932 ] ret_from_fork+0x10/0x20 Since there is currently no functionality in the phy subsystem to power down phys let's just disable the feature of powering-down the ethernet phy. Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini") Signed-off-by: Philippe Schenker Signed-off-by: Shawn Guo commit 52219e719f53c792cc10296178e7e38e9e1412aa Author: Ahmad Fatoum Date: Mon Jan 16 12:25:06 2023 +0100 MAINTAINERS: match freescale ARM64 DT directory in i.MX entry The majority of device trees in arch/arm64/boot/dts/freescale/ are built around i.MX SoCs with the rest being for Layerscape. Yet, calling get_maintainers.pl -f on this directory will not match the MAINTAINERS entry, because the directory name doesn't contain the substring "imx". Add an explicit file match for the directory and exclude the Layerscape specific files. This ensures To/Cc is not only generated from git history, but takes e.g. the R: entries into account as well. Signed-off-by: Ahmad Fatoum Signed-off-by: Shawn Guo commit 7083df59abbc2b7500db312cac706493be0273ff Author: Jerome Brunet Date: Tue Jan 24 11:11:57 2023 +0100 net: mdio-mux-meson-g12a: force internal PHY off on mux switch Force the internal PHY off then on when switching to the internal path. This fixes problems where the PHY ID is not properly set. Fixes: 7090425104db ("net: phy: add amlogic g12a mdio mux support") Suggested-by: Qi Duan Co-developed-by: Heiner Kallweit Signed-off-by: Heiner Kallweit Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20230124101157.232234-1-jbrunet@baylibre.com Signed-off-by: Jakub Kicinski commit aee2770d199a969b205e7b60125d5af47e3bdee0 Author: Ivan Vecera Date: Tue Jan 24 15:51:26 2023 +0100 docs: networking: Fix bridge documentation URL Current documentation URL [1] is no longer valid. [1] https://www.linuxfoundation.org/collaborate/workgroups/networking/bridge Signed-off-by: Ivan Vecera Reviewed-by: Pavan Chebbi Link: https://lore.kernel.org/r/20230124145127.189221-1-ivecera@redhat.com Signed-off-by: Jakub Kicinski commit 3d53aaef4332245044b2f3688ac0ea10436c719c Author: Gerhard Engleder Date: Tue Jan 24 20:14:40 2023 +0100 tsnep: Fix TX queue stop/wake for multiple queues netif_stop_queue() and netif_wake_queue() act on TX queue 0. This is ok as long as only a single TX queue is supported. But support for multiple TX queues was introduced with 762031375d5c and I missed to adapt stop and wake of TX queues. Use netif_stop_subqueue() and netif_tx_wake_queue() to act on specific TX queue. Fixes: 762031375d5c ("tsnep: Support multiple TX/RX queue pairs") Signed-off-by: Gerhard Engleder Link: https://lore.kernel.org/r/20230124191440.56887-1-gerhard@engleder-embedded.com Signed-off-by: Jakub Kicinski commit 6c4ca03bd890566d873e3593b32d034bf2f5a087 Author: David Christensen Date: Tue Jan 24 13:53:39 2023 -0500 net/tg3: resolve deadlock in tg3_reset_task() during EEH During EEH error injection testing, a deadlock was encountered in the tg3 driver when tg3_io_error_detected() was attempting to cancel outstanding reset tasks: crash> foreach UN bt ... PID: 159 TASK: c0000000067c6000 CPU: 8 COMMAND: "eehd" ... #5 [c00000000681f990] __cancel_work_timer at c00000000019fd18 #6 [c00000000681fa30] tg3_io_error_detected at c00800000295f098 [tg3] #7 [c00000000681faf0] eeh_report_error at c00000000004e25c ... PID: 290 TASK: c000000036e5f800 CPU: 6 COMMAND: "kworker/6:1" ... #4 [c00000003721fbc0] rtnl_lock at c000000000c940d8 #5 [c00000003721fbe0] tg3_reset_task at c008000002969358 [tg3] #6 [c00000003721fc60] process_one_work at c00000000019e5c4 ... PID: 296 TASK: c000000037a65800 CPU: 21 COMMAND: "kworker/21:1" ... #4 [c000000037247bc0] rtnl_lock at c000000000c940d8 #5 [c000000037247be0] tg3_reset_task at c008000002969358 [tg3] #6 [c000000037247c60] process_one_work at c00000000019e5c4 ... PID: 655 TASK: c000000036f49000 CPU: 16 COMMAND: "kworker/16:2" ...:1 #4 [c0000000373ebbc0] rtnl_lock at c000000000c940d8 #5 [c0000000373ebbe0] tg3_reset_task at c008000002969358 [tg3] #6 [c0000000373ebc60] process_one_work at c00000000019e5c4 ... Code inspection shows that both tg3_io_error_detected() and tg3_reset_task() attempt to acquire the RTNL lock at the beginning of their code blocks. If tg3_reset_task() should happen to execute between the times when tg3_io_error_deteced() acquires the RTNL lock and tg3_reset_task_cancel() is called, a deadlock will occur. Moving tg3_reset_task_cancel() call earlier within the code block, prior to acquiring RTNL, prevents this from happening, but also exposes another deadlock issue where tg3_reset_task() may execute AFTER tg3_io_error_detected() has executed: crash> foreach UN bt PID: 159 TASK: c0000000067d2000 CPU: 9 COMMAND: "eehd" ... #4 [c000000006867a60] rtnl_lock at c000000000c940d8 #5 [c000000006867a80] tg3_io_slot_reset at c0080000026c2ea8 [tg3] #6 [c000000006867b00] eeh_report_reset at c00000000004de88 ... PID: 363 TASK: c000000037564000 CPU: 6 COMMAND: "kworker/6:1" ... #3 [c000000036c1bb70] msleep at c000000000259e6c #4 [c000000036c1bba0] napi_disable at c000000000c6b848 #5 [c000000036c1bbe0] tg3_reset_task at c0080000026d942c [tg3] #6 [c000000036c1bc60] process_one_work at c00000000019e5c4 ... This issue can be avoided by aborting tg3_reset_task() if EEH error recovery is already in progress. Fixes: db84bf43ef23 ("tg3: tg3_reset_task() needs to use rtnl_lock to synchronize") Signed-off-by: David Christensen Reviewed-by: Pavan Chebbi Link: https://lore.kernel.org/r/20230124185339.225806-1-drc@linux.vnet.ibm.com Signed-off-by: Jakub Kicinski commit 47123900f3e4a7f769631d6ec15abf44086276f6 Author: Pierluigi Passaro Date: Sun Jan 15 22:35:03 2023 +0100 arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX According section     8.2.5.313 Select Input Register (IOMUXC_UART1_RXD_SELECT_INPUT) of      i.MX 8M Mini Applications Processor Reference Manual, Rev. 3, 11/2020 the required setting for this specific pin configuration is "1" Signed-off-by: Pierluigi Passaro Reviewed-by: Fabio Estevam Fixes: c1c9d41319c3 ("dt-bindings: imx: Add pinctrl binding doc for imx8mm") Signed-off-by: Shawn Guo commit a34dc4a9b9e2fb3a45c179a60bb0b26539c96189 Author: Namjae Jeon Date: Wed Jan 25 00:09:02 2023 +0900 ksmbd: downgrade ndr version error message to debug When user switch samba to ksmbd, The following message flood is coming when accessing files. Samba seems to changs dos attribute version to v5. This patch downgrade ndr version error message to debug. $ dmesg ... [68971.766914] ksmbd: v5 version is not supported [68971.779808] ksmbd: v5 version is not supported [68971.871544] ksmbd: v5 version is not supported [68971.910135] ksmbd: v5 version is not supported ... Cc: stable@vger.kernel.org Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit 62c487b53a7ff31e322cf2874d3796b8202c54a5 Author: Namjae Jeon Date: Wed Jan 25 00:13:20 2023 +0900 ksmbd: limit pdu length size according to connection status Stream protocol length will never be larger than 16KB until session setup. After session setup, the size of requests will not be larger than 16KB + SMB2 MAX WRITE size. This patch limits these invalidly oversized requests and closes the connection immediately. Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18259 Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit ecfb9f404771dde909ce7743df954370933c3be2 Author: Paul Cercueil Date: Wed Dec 14 13:37:04 2022 +0100 clk: ingenic: jz4760: Update M/N/OD calculation algorithm The previous algorithm was pretty broken. - The inner loop had a '(m > m_max)' condition, and the value of 'm' would increase in each iteration; - Each iteration would actually multiply 'm' by two, so it is not needed to re-compute the whole equation at each iteration; - It would loop until (m & 1) == 0, which means it would loop at most once. - The outer loop would divide the 'n' value by two at the end of each iteration. This meant that for a 12 MHz parent clock and a 1.2 GHz requested clock, it would first try n=12, then n=6, then n=3, then n=1, none of which would work; the only valid value is n=2 in this case. Simplify this algorithm with a single for loop, which decrements 'n' after each iteration, addressing all of the above problems. Fixes: bdbfc029374f ("clk: ingenic: Add support for the JZ4760") Cc: Signed-off-by: Paul Cercueil Link: https://lore.kernel.org/r/20221214123704.7305-1-paul@crapouillou.net Signed-off-by: Stephen Boyd commit 19398821b25a9cde564265262e680ae1c2351be7 Author: Dan Williams Date: Fri Jan 20 16:26:12 2023 -0800 cxl/pmem: Fix nvdimm unregistration when cxl_pmem driver is absent The cxl_pmem.ko module houses the driver for both cxl_nvdimm_bridge objects and cxl_nvdimm objects. When the core creates a cxl_nvdimm it arranges for it to be autoremoved when the bridge goes down. However, if the bridge never initialized because the cxl_pmem.ko module never loaded, it sets up a the following crash scenario: BUG: kernel NULL pointer dereference, address: 0000000000000478 [..] RIP: 0010:cxl_nvdimm_probe+0x99/0x140 [cxl_pmem] [..] Call Trace: cxl_bus_probe+0x17/0x50 [cxl_core] really_probe+0xde/0x380 __driver_probe_device+0x78/0x170 driver_probe_device+0x1f/0x90 __driver_attach+0xd2/0x1c0 bus_for_each_dev+0x79/0xc0 bus_add_driver+0x1b1/0x200 driver_register+0x89/0xe0 cxl_pmem_init+0x50/0xff0 [cxl_pmem] It turns out the recent rework to simplify nvdimm probing obviated the need to unregister cxl_nvdimm objects at cxl_nvdimm_bridge ->remove() time. Leave the cxl_nvdimm device registered until the hosting cxl_memdev departs. The alternative is that the cxl_memdev needs to be reattached whenever the cxl_nvdimm_bridge attach state cycles, which is awkward and unnecessary. The only requirement is to make sure that when the cxl_nvdimm_bridge goes away any dependent cxl_nvdimm objects are shutdown. Handle that in unregister_nvdimm_bus(). With these registration entanglements removed there is no longer a need to pre-load the cxl_pmem module in cxl_acpi. Fixes: cb9cfff82f6a ("cxl/acpi: Simplify cxl_nvdimm_bridge probing") Reported-by: Gregory Price Debugged-by: Jonathan Cameron Tested-by: Jonathan Cameron Reviewed-by: Jonathan Cameron Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/167426077263.3955046.9695309346988027311.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Dan Williams commit fb6df4366f86dd252bfa3049edffa52d17e7b895 Author: Vishal Verma Date: Wed Jan 25 11:34:18 2023 -0700 ACPI: NFIT: fix a potential deadlock during NFIT teardown Lockdep reports that acpi_nfit_shutdown() may deadlock against an opportune acpi_nfit_scrub(). acpi_nfit_scrub () is run from inside a 'work' and therefore has already acquired workqueue-internal locks. It also acquiires acpi_desc->init_mutex. acpi_nfit_shutdown() first acquires init_mutex, and was subsequently attempting to cancel any pending workqueue items. This reversed locking order causes a potential deadlock: ====================================================== WARNING: possible circular locking dependency detected 6.2.0-rc3 #116 Tainted: G O N ------------------------------------------------------ libndctl/1958 is trying to acquire lock: ffff888129b461c0 ((work_completion)(&(&acpi_desc->dwork)->work)){+.+.}-{0:0}, at: __flush_work+0x43/0x450 but task is already holding lock: ffff888129b460e8 (&acpi_desc->init_mutex){+.+.}-{3:3}, at: acpi_nfit_shutdown+0x87/0xd0 [nfit] which lock already depends on the new lock. ... Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&acpi_desc->init_mutex); lock((work_completion)(&(&acpi_desc->dwork)->work)); lock(&acpi_desc->init_mutex); lock((work_completion)(&(&acpi_desc->dwork)->work)); *** DEADLOCK *** Since the workqueue manipulation is protected by its own internal locking, the cancellation of pending work doesn't need to be done under acpi_desc->init_mutex. Move cancel_delayed_work_sync() outside the init_mutex to fix the deadlock. Any work that starts after acpi_nfit_shutdown() drops the lock will see ARS_CANCEL, and the cancel_delayed_work_sync() will safely flush it out. Reported-by: Dan Williams Signed-off-by: Vishal Verma Link: https://lore.kernel.org/r/20230112-acpi_nfit_lockdep-v1-1-660be4dd10be@intel.com Signed-off-by: Dan Williams commit 1c88b9ba6b126080a9c121abd943b25e20cd7ac1 Author: Randy Dunlap Date: Mon Jan 16 23:02:49 2023 -0800 dax: super.c: fix kernel-doc bad line warning Convert an empty line to " *" to avoid a kernel-doc warning: drivers/dax/super.c:478: warning: bad line: Signed-off-by: Randy Dunlap Cc: Dan Williams Cc: Vishal Verma Cc: Dave Jiang Cc: nvdimm@lists.linux.dev Link: https://lore.kernel.org/r/20230117070249.31934-1-rdunlap@infradead.org Signed-off-by: Dan Williams commit be0d8f48ad97f5b775b0af3310343f676dbf318a Author: Kees Cook Date: Thu Jan 5 22:02:33 2023 -0800 bcache: Silence memcpy() run-time false positive warnings struct bkey has internal padding in a union, but it isn't always named the same (e.g. key ## _pad, key_p, etc). This makes it extremely hard for the compiler to reason about the available size of copies done against such keys. Use unsafe_memcpy() for now, to silence the many run-time false positive warnings: memcpy: detected field-spanning write (size 264) of single field "&i->j" at drivers/md/bcache/journal.c:152 (size 240) memcpy: detected field-spanning write (size 24) of single field "&b->key" at drivers/md/bcache/btree.c:939 (size 16) memcpy: detected field-spanning write (size 24) of single field "&temp.key" at drivers/md/bcache/extents.c:428 (size 16) Reported-by: Alexandre Pereira Link: https://bugzilla.kernel.org/show_bug.cgi?id=216785 Acked-by: Coly Li Cc: Kent Overstreet Cc: linux-bcache@vger.kernel.org Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20230106060229.never.047-kees@kernel.org commit e6a71160cc145e18ab45195abf89884112e02dfb Author: Kees Cook Date: Wed Jan 18 12:21:35 2023 -0800 gcc-plugins: Reorganize gimple includes for GCC 13 The gimple-iterator.h header must be included before gimple-fold.h starting with GCC 13. Reorganize gimple headers to work for all GCC versions. Reported-by: Palmer Dabbelt Acked-by: Palmer Dabbelt Link: https://lore.kernel.org/all/20230113173033.4380-1-palmer@rivosinc.com/ Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook commit 4acf1de35f41549e60c3c02a8defa7cb95eabdf2 Author: Kees Cook Date: Fri Jan 6 19:47:05 2023 -0800 kunit: memcpy: Split slow memcpy tests into MEMCPY_SLOW_KUNIT_TEST Since the long memcpy tests may stall a system for tens of seconds in virtualized architecture environments, split those tests off under CONFIG_MEMCPY_SLOW_KUNIT_TEST so they can be separately disabled. Reported-by: Guenter Roeck Link: https://lore.kernel.org/lkml/20221226195206.GA2626419@roeck-us.net Reviewed-by: Nick Desaulniers Reviewed-and-tested-by: Guenter Roeck Reviewed-by: David Gow Cc: Andrew Morton Cc: Nathan Chancellor Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook commit 4b069553246f993c4221e382d0d0ae34f5ba730e Author: Aurabindo Pillai Date: Wed Jan 11 14:56:22 2023 -0500 drm/amd/display: Fix timing not changning when freesync video is enabled [Why&How] Switching between certain modes that are freesync video modes and those are not freesync video modes result in timing not changing as seen by the monitor due to incorrect timing being driven. The issue is fixed by ensuring that when a non freesync video mode is set, we reset the freesync status on the crtc. Reviewed-by: Nicholas Kazlauskas Acked-by: Alan Liu Signed-off-by: Aurabindo Pillai Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher commit eadd7deca0ad8a83edb2b894d8326c78e78635d6 Author: Alexander Potapenko Date: Tue Jan 24 12:32:34 2023 +0100 btrfs: zlib: zero-initialize zlib workspace KMSAN reports uses of uninitialized memory in zlib's longest_match() called on memory originating from zlib_alloc_workspace(). This issue is known by zlib maintainers and is claimed to be harmless, but to be on the safe side we'd better initialize the memory. Link: https://zlib.net/zlib_faq.html#faq36 Reported-by: syzbot+14d9e7602ebdf7ec0a60@syzkaller.appspotmail.com CC: stable@vger.kernel.org # 5.4+ Signed-off-by: Alexander Potapenko Reviewed-by: David Sterba Signed-off-by: David Sterba commit 3c538de0f2a74d50aff7278c092f88ae59cee688 Author: Josef Bacik Date: Wed Jan 18 16:35:13 2023 -0500 btrfs: limit device extents to the device size There was a recent regression in btrfs/177 that started happening with the size class patches ("btrfs: introduce size class to block group allocator"). This however isn't a regression introduced by those patches, but rather the bug was uncovered by a change in behavior in these patches. The patches triggered more chunk allocations in the ^free-space-tree case, which uncovered a race with device shrink. The problem is we will set the device total size to the new size, and use this to find a hole for a device extent. However during shrink we may have device extents allocated past this range, so we could potentially find a hole in a range past our new shrink size. We don't actually limit our found extent to the device size anywhere, we assume that we will not find a hole past our device size. This isn't true with shrink as we're relocating block groups and thus creating holes past the device size. Fix this by making sure we do not search past the new device size, and if we wander into any device extents that start after our device size simply break from the loop and use whatever hole we've already found. CC: stable@vger.kernel.org # 4.14+ Signed-off-by: Josef Bacik Signed-off-by: David Sterba commit f7c11affde9e29316d24b6736d16faeaac8278f2 Author: Tanmay Bhushan <007047221b@gmail.com> Date: Sun Jan 15 21:32:15 2023 +0100 btrfs: raid56: fix stripes if vertical errors are found We take two stripe numbers if vertical errors are found. In case it is just a pstripe it does not matter but in case of raid 6 it matters as both stripes need to be fixed. Fixes: 7a3150723061 ("btrfs: raid56: do data csum verification during RMW cycle") Reviewed-by: Qu Wenruo Signed-off-by: Tanmay Bhushan <007047221b@gmail.com> Signed-off-by: David Sterba commit d8bf2df715bb8ac964f91fe8bf67c37c5d916463 Author: Wayne Lin Date: Wed Dec 28 14:50:43 2022 +0800 drm/display/dp_mst: Correct the kref of port. [why & how] We still need to refer to port while removing payload at commit_tail. we should keep the kref till then to release. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2171 Signed-off-by: Wayne Lin Signed-off-by: Harry Wentland Fixes: 4d07b0bc4034 ("drm/display/dp_mst: Move all payload info into the atomic state") Cc: stable@vger.kernel.org # 6.1 Acked-by: Harry Wentland Reviewed-by: Lyude Paul Tested-by: Didier Raboud Signed-off-by: Alex Deucher commit f85c5e25fd28fe0bf6d6d0563cf83758a4e05c8f Author: Wayne Lin Date: Mon Dec 12 15:41:18 2022 +0800 drm/amdgpu/display/mst: update mst_mgr relevant variable when long HPD [Why & How] Now the vc_start_slot is controlled at drm side. When we service a long HPD, we still need to run dm_helpers_dp_mst_write_payload_allocation_table() to update drm mst_mgr's relevant variable. Otherwise, on the next plug-in, payload will get assigned with a wrong start slot. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2171 Signed-off-by: Wayne Lin Signed-off-by: Harry Wentland Fixes: 4d07b0bc4034 ("drm/display/dp_mst: Move all payload info into the atomic state") Cc: stable@vger.kernel.org # 6.1 Acked-by: Harry Wentland Reviewed-by: Lyude Paul Tested-by: Didier Raboud Signed-off-by: Alex Deucher commit cb1e0b015f56b8f3c7f5ce33ff4b782ee5674512 Author: Wayne Lin Date: Fri Dec 9 19:05:33 2022 +0800 drm/amdgpu/display/mst: limit payload to be updated one by one [Why] amdgpu expects to update payload table for one stream one time by calling dm_helpers_dp_mst_write_payload_allocation_table(). Currently, it get modified to try to update HW payload table at once by referring mst_state. [How] This is just a quick workaround. Should find way to remove the temporary struct dc_dp_mst_stream_allocation_table later if set struct link_mst_stream_allocatio directly is possible. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2171 Signed-off-by: Wayne Lin Signed-off-by: Harry Wentland Fixes: 4d07b0bc4034 ("drm/display/dp_mst: Move all payload info into the atomic state") Cc: stable@vger.kernel.org # 6.1 Acked-by: Harry Wentland Reviewed-by: Lyude Paul Tested-by: Didier Raboud Signed-off-by: Alex Deucher commit 1119e1f9636b76aef14068c7fd0b4d55132b86b8 Author: Lyude Paul Date: Wed Nov 23 14:50:16 2022 -0500 drm/amdgpu/display/mst: Fix mst_state->pbn_div and slot count assignments Looks like I made a pretty big mistake here without noticing: it seems when I moved the assignments of mst_state->pbn_div I completely missed the fact that the reason for us calling drm_dp_mst_update_slots() earlier was to account for the fact that we need to call this function using info from the root MST connector, instead of just trying to do this from each MST encoder's atomic check function. Otherwise, we end up filling out all of DC's link information with zeroes. So, let's restore that and hopefully fix this DSC regression. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2171 Signed-off-by: Lyude Paul Signed-off-by: Harry Wentland Fixes: 4d07b0bc4034 ("drm/display/dp_mst: Move all payload info into the atomic state") Cc: stable@vger.kernel.org # 6.1 Reviewed-by: Harry Wentland Tested-by: Didier Raboud Signed-off-by: Alex Deucher commit f0f7743624e77abe419ff1971b50e44ac1482421 Author: Li Ma Date: Fri Jan 20 15:41:22 2023 +0800 drm/amdgpu: declare firmware for new MES 11.0.4 To support new mes ip block Signed-off-by: Li Ma Reviewed-by: Yifan Zhang Signed-off-by: Alex Deucher commit 08fbe3c24fd2f0706c0eb907c71e26f10e5d8c6a Author: Li Ma Date: Fri Jan 20 15:38:33 2023 +0800 drm/amdgpu: enable imu firmware for GC 11.0.4 The GC 11.0.4 needs load IMU to power up GFX before loads GFX firmware. Signed-off-by: Li Ma Reviewed-by: Yifan Zhang Signed-off-by: Alex Deucher commit 15b207d0abdcbb2271774aa99d9a290789159e75 Author: Evan Quan Date: Fri Jan 20 11:21:53 2023 +0800 drm/amd/pm: add missing AllowIHInterrupt message mapping for SMU13.0.0 Add SMU13.0.0 AllowIHInterrupt message mapping. Signed-off-by: Evan Quan Reviewed-by: Feifei Xu Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit 2de3769830346e68b3de0f4abc0d8e2625ad9dac Author: Jonathan Kim Date: Thu Jan 19 18:42:03 2023 -0500 drm/amdgpu: remove unconditional trap enable on add gfx11 queues Rebase of driver has incorrect unconditional trap enablement for GFX11 when adding mes queues. Reported-by: Graham Sider Signed-off-by: Jonathan Kim Reviewed-by: Graham Sider Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.1.x commit 7c46948a6e9cf47ed03b0d489fde894ad46f1437 Merge: 948ef7bb70c4a facd61053cff1 Author: Linus Torvalds Date: Wed Jan 25 09:15:15 2023 -0800 Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping Pull fuse ACL fix from Christian Brauner: "The new posix acl API doesn't depend on the xattr handler infrastructure anymore and instead only relies on the posix acl inode operations. As a result daemons without FUSE_POSIX_ACL are unable to use posix acls like they used to. Fix this by copying what we did for overlayfs during the posix acl api conversion. Make fuse implement a dedicated ->get_inode_acl() method as does overlayfs. Fuse can then also uses this to express different needs for vfs permission checking during lookup and acl based retrieval via the regular system call path. This allows fuse to continue to refuse retrieving posix acls for daemons that don't set FUSE_POSXI_ACL for permission checking while also allowing a fuse server to retrieve it via the usual system calls" * tag 'fs.fuse.acl.v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping: fuse: fixes after adapting to new posix acl api commit a49fb7218ed84a4c5e6c56b9fd933498b9730912 Author: Doug Smythies Date: Sat Jan 21 08:41:35 2023 -0800 selftests: amd-pstate: Don't delete source files via Makefile Revert the portion of a recent Makefile change that incorrectly deletes source files when doing "make clean". Fixes: ba2d788aa873 ("selftests: amd-pstate: Trigger tbench benchmark and test cpus") Reported-by: Sedat Dilek Tested-by: Sedat Dilek Reviewed-by: Sedat Dilek Acked-by: Huang Rui Signed-off-by: Doug Smythies Signed-off-by: Shuah Khan commit b7ab9161cf5ddc42a288edf9d1a61f3bdffe17c7 Author: David Howells Date: Wed Jan 25 14:02:13 2023 +0000 cifs: Fix oops due to uncleared server->smbd_conn in reconnect In smbd_destroy(), clear the server->smbd_conn pointer after freeing the smbd_connection struct that it points to so that reconnection doesn't get confused. Fixes: 8ef130f9ec27 ("CIFS: SMBD: Implement function to destroy a SMB Direct connection") Cc: stable@vger.kernel.org Reviewed-by: Paulo Alcantara (SUSE) Acked-by: Tom Talpey Signed-off-by: David Howells Cc: Long Li Cc: Pavel Shilovsky Cc: Ronnie Sahlberg Signed-off-by: Steve French commit 78020233418518faa72fba11f40e1d53b9e88a2e Author: Masami Hiramatsu (Google) Date: Fri Jan 20 08:36:24 2023 +0900 bootconfig: Update MAINTAINERS file to add tree and mailing list Since the bootconfig related changes will be handled on linux-trace tree, add the tree and mailing lists for EXTRA BOOT CONFIG. Link: https://lkml.kernel.org/r/167417138436.2333752.6988808113120359923.stgit@devnote3 Signed-off-by: Masami Hiramatsu (Google) Signed-off-by: Steven Rostedt (Google) commit ae3edea88e6c1bbb8b41ef958f79a7a44ab45f7c Author: Colin Ian King Date: Mon Jan 16 16:16:12 2023 +0000 rv: remove redundant initialization of pointer ptr The pointer ptr is being initialized with a value that is never read, it is being updated later on a call to strim. Remove the extraneous initialization. Link: https://lkml.kernel.org/r/20230116161612.77192-1-colin.i.king@gmail.com Cc: Daniel Bristot de Oliveira Cc: Masami Hiramatsu Signed-off-by: Colin Ian King Signed-off-by: Steven Rostedt (Google) commit 34226fc6889e0e2fe8480bf3a0b43ac992bbee94 Author: Mark Rutland Date: Tue Jan 3 12:49:10 2023 +0000 ftrace: Maintain samples/ftrace There's no entry in MAINTAINERS for samples/ftrace. Add one so that the FTRACE maintainers are kept in the loop. Link: https://lkml.kernel.org/r/20230103124912.2948963-2-mark.rutland@arm.com Acked-by: Masami Hiramatsu (Google) Signed-off-by: Mark Rutland Signed-off-by: Steven Rostedt (Google) commit d5090d91ec929a79b52e5a98144d85dea40d4438 Author: Randy Dunlap Date: Sat Jan 7 18:12:38 2023 -0800 tracing/filter: fix kernel-doc warnings Use the 'struct' keyword for a struct's kernel-doc notation and use the correct function parameter name to eliminate kernel-doc warnings: kernel/trace/trace_events_filter.c:136: warning: cannot understand function prototype: 'struct prog_entry ' kerne/trace/trace_events_filter.c:155: warning: Excess function parameter 'when_to_branch' description in 'update_preds' Also correct some trivial punctuation problems. Link: https://lkml.kernel.org/r/20230108021238.16398-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Signed-off-by: Steven Rostedt (Google) commit c1d6105869464635d8a2bcf87a43c05f4c0cfca4 Author: Ley Foon Tan Date: Thu Jan 5 11:37:05 2023 +0800 riscv: Move call to init_cpu_topology() to later initialization stage If "capacity-dmips-mhz" is present in a CPU DT node, topology_parse_cpu_capacity() will fail to allocate memory. arm64, with which this code path is shared, does not call topology_parse_cpu_capacity() until later in boot where memory allocation is available. While "capacity-dmips-mhz" is not yet a valid property on RISC-V, invalid properties should be ignored rather than cause issues. Move init_cpu_topology(), which calls topology_parse_cpu_capacity(), to a later initialization stage, to match arm64. As a side effect of this change, RISC-V is "protected" from changes to core topology code that would work on arm64 where memory allocation is safe but on RISC-V isn't. Fixes: 03f11f03dbfe ("RISC-V: Parse cpu topology during boot.") Reviewed-by: Conor Dooley Reviewed-by: Andrew Jones Signed-off-by: Ley Foon Tan Link: https://lore.kernel.org/r/20230105033705.3946130-1-leyfoon.tan@starfivetech.com [Palmer: use Conor's commit text] Link: https://lore.kernel.org/linux-riscv/20230104183033.755668-1-pierre.gondois@arm.com/T/#me592d4c8b9508642954839f0077288a353b0b9b2 Signed-off-by: Palmer Dabbelt commit 2fa89458af9993fab8054daf827f38881e2ad473 Author: Pratham Pratap Date: Wed Jan 25 12:57:25 2023 +0530 usb: gadget: f_uac2: Fix incorrect increment of bNumEndpoints Currently connect/disconnect of USB cable calls afunc_bind and eventually increments the bNumEndpoints. Performing multiple plugin/plugout will increment bNumEndpoints incorrectly, and on the next plug-in it leads to invalid configuration of descriptor and hence enumeration fails. Fix this by resetting the value of bNumEndpoints to 1 on every afunc_bind call. Fixes: 40c73b30546e ("usb: gadget: f_uac2: add adaptive sync support for capture") Cc: stable Signed-off-by: Pratham Pratap Signed-off-by: Prashanth K Link: https://lore.kernel.org/r/1674631645-28888-1-git-send-email-quic_prashk@quicinc.com Signed-off-by: Greg Kroah-Hartman commit cb963b2c011a62838852c902eccb3f72e5d3dbb6 Author: marco.rodolfi@tuta.io Date: Tue Jan 10 15:54:26 2023 +0100 HID: Ignore battery for Elan touchscreen on Asus TP420IA This device has a touchscreen thats report a battery even if it doesn't have one. Ask Linux to ignore the battery so it will not always report it as low. [jkosina@suse.cz: fix whitespace damage] Signed-off-by: Marco Rodolfi Signed-off-by: Jiri Kosina commit acd7e9ee57c880b99671dd99680cb707b7b5b0ee Author: Rafael J. Wysocki Date: Wed Jan 25 13:17:42 2023 +0100 thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() In order to prevent int340x_thermal_get_trip_type() from possibly racing with int340x_thermal_read_trips() invoked by int3403_notify() add locking to it in analogy with int340x_thermal_get_trip_temp(). Fixes: 6757a7abe47b ("thermal: intel: int340x: Protect trip temperature from concurrent updates") Signed-off-by: Rafael J. Wysocki commit ac8d986cbf0b0ffdbf2c707fe59cf4a71d933a18 Merge: a9e9b78d53b91 b98e1a04e27fd Author: David S. Miller Date: Wed Jan 25 13:07:38 2023 +0000 Merge branch 'mptcp-fixes' Jeremy Kerr says: ==================== net: mctp: struct sock lifetime fixes This series is a set of fixes for the sock lifetime handling in the AF_MCTP code, fixing a uaf reported by Noam Rathaus . The Fixes: tags indicate the original patches affected, but some tweaking to backport to those commits may be needed; I have a separate branch with backports to 5.15 if that helps with stable trees. Of course, any comments/queries most welcome. ==================== Signed-off-by: David S. Miller commit b98e1a04e27fddfdc808bf46fe78eca30db89ab3 Author: Jeremy Kerr Date: Tue Jan 24 10:01:06 2023 +0800 net: mctp: mark socks as dead on unhash, prevent re-add Once a socket has been unhashed, we want to prevent it from being re-used in a sk_key entry as part of a routing operation. This change marks the sk as SOCK_DEAD on unhash, which prevents addition into the net's key list. We need to do this during the key add path, rather than key lookup, as we release the net keys_lock between those operations. Fixes: 4a992bbd3650 ("mctp: Implement message fragmentation & reassembly") Signed-off-by: Jeremy Kerr Signed-off-by: David S. Miller commit 6e54ea37e344f145665c2dc3cc534b92529e8de5 Author: Paolo Abeni Date: Tue Jan 24 10:01:05 2023 +0800 net: mctp: hold key reference when looking up a general key Currently, we have a race where we look up a sock through a "general" (ie, not directly associated with the (src,dest,tag) tuple) key, then drop the key reference while still holding the key's sock. This change expands the key reference until we've finished using the sock, and hence the sock reference too. Commit message changes from Jeremy Kerr . Reported-by: Noam Rathaus Fixes: 73c618456dc5 ("mctp: locking, lifetime and validity changes for sk_keys") Signed-off-by: Paolo Abeni Signed-off-by: Jeremy Kerr Signed-off-by: David S. Miller commit 5f41ae6fca9d40ab3cb9b0507931ef7a9b3ea50b Author: Jeremy Kerr Date: Tue Jan 24 10:01:04 2023 +0800 net: mctp: move expiry timer delete to unhash Currently, we delete the key expiry timer (in sk->close) before unhashing the sk. This means that another thread may find the sk through its presence on the key list, and re-queue the timer. This change moves the timer deletion to the unhash, after we have made the key no longer observable, so the timer cannot be re-queued. Fixes: 7b14e15ae6f4 ("mctp: Implement a timeout for tags") Signed-off-by: Jeremy Kerr Signed-off-by: David S. Miller commit de8a6b15d9654c3e4f672d76da9d9df8ee06331d Author: Jeremy Kerr Date: Tue Jan 24 10:01:03 2023 +0800 net: mctp: add an explicit reference from a mctp_sk_key to sock Currently, we correlate the mctp_sk_key lifetime to the sock lifetime through the sock hash/unhash operations, but this is pretty tenuous, and there are cases where we may have a temporary reference to an unhashed sk. This change makes the reference more explicit, by adding a hold on the sock when it's associated with a mctp_sk_key, released on final key unref. Fixes: 73c618456dc5 ("mctp: locking, lifetime and validity changes for sk_keys") Signed-off-by: Jeremy Kerr Signed-off-by: David S. Miller commit a9e9b78d53b91e6e52a2580aafece542655685b7 Merge: f2b0b5210f67c f3c07758c9007 Author: David S. Miller Date: Wed Jan 25 13:00:27 2023 +0000 Merge branch 'ravb-fixes' Yoshihiro Shimoda says: ==================== net: ravb: Fix potential issues Fix potentiall issues on the ravb driver. Changes from v2: https://lore.kernel.org/all/20230123131331.1425648-1-yoshihiro.shimoda.uh@renesas.com/ - Add Reviewed-by in the patch [2/2]. - Add a commit description in the patch [2/2]. Changes from v1: https://lore.kernel.org/all/20230119043920.875280-1-yoshihiro.shimoda.uh@renesas.com/ - Fix typo in the patch [1/2]. - Add Reviewed-by in the patch [1/2]. - Fix "Fixed" tag in the patch [2/2]. - Fix a comment indentation of the code in the patch [2/2]. ==================== Signed-off-by: David S. Miller commit f3c07758c9007a6bfff5290d9e19d3c41930c897 Author: Yoshihiro Shimoda Date: Tue Jan 24 09:02:11 2023 +0900 net: ravb: Fix possible hang if RIS2_QFF1 happen Since this driver enables the interrupt by RIC2_QFE1, this driver should clear the interrupt flag if it happens. Otherwise, the interrupt causes to hang the system. Note that this also fix a minor coding style (a comment indentation) around the fixed code. Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") Signed-off-by: Yoshihiro Shimoda Reviewed-by: Sergey Shtylyov Signed-off-by: David S. Miller commit c2b6cdee1d13ffbb24baca3c9b8a572d6b541e4e Author: Yoshihiro Shimoda Date: Tue Jan 24 09:02:10 2023 +0900 net: ravb: Fix lack of register setting after system resumed for Gen3 After system entered Suspend to RAM, registers setting of this hardware is reset because the SoC will be turned off. On R-Car Gen3 (info->ccc_gac), ravb_ptp_init() is called in ravb_probe() only. So, after system resumed, it lacks of the initial settings for ptp. So, add ravb_ptp_{init,stop}() into ravb_{resume,suspend}(). Fixes: f5d7837f96e5 ("ravb: ptp: Add CONFIG mode support") Signed-off-by: Yoshihiro Shimoda Reviewed-by: Sergey Shtylyov Signed-off-by: David S. Miller commit 216f37366e86a6ddd34ed842cac3354f579ef48e Author: Nikita Shubin Date: Wed Jan 25 11:30:25 2023 +0300 gpio: ep93xx: Make irqchip immutable This turns the Cirrus ep93xx gpio irqchip immutable. Preserve per-chip labels by adding an ->irq_print_chip() callback. Signed-off-by: Nikita Shubin Signed-off-by: Bartosz Golaszewski commit 0f04cdbdb210000a97c773b28b598fa8ac3aafa4 Author: Nikita Shubin Date: Wed Jan 25 11:30:24 2023 +0300 gpio: ep93xx: Fix port F hwirq numbers in handler Fix wrong translation of irq numbers in port F handler, as ep93xx hwirqs increased by 1, we should simply decrease them by 1 in translation. Fixes: 482c27273f52 ("ARM: ep93xx: renumber interrupts") Signed-off-by: Nikita Shubin Acked-by: Arnd Bergmann Signed-off-by: Bartosz Golaszewski commit 100c94ffde489ee11e23400f2a07b236144b048f Author: Krzysztof Kozlowski Date: Tue Jan 24 13:30:49 2023 +0100 ASoC: codecs: wsa883x: correct playback min/max rates Correct reversed values used in min/max rates, leading to incorrect playback constraints. Cc: Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20230124123049.285395-1-krzysztof.kozlowski@linaro.org Signed-off-by: Mark Brown commit 37870358616ca7fdb1e90ad1cdd791655ec54414 Author: Dan Carpenter Date: Tue Jan 24 18:20:26 2023 +0300 gpio: mxc: Unlock on error path in mxc_flip_edge() We recently added locking to this function but one error path was over looked. Drop the lock before returning. Fixes: e5464277625c ("gpio: mxc: Protect GPIO irqchip RMW with bgpio spinlock") Signed-off-by: Dan Carpenter Acked-by: Marek Vasut Signed-off-by: Bartosz Golaszewski commit 1bc5d819f0b9784043ea08570e1b21107aa35739 Author: Mark Pearson Date: Tue Jan 24 10:36:23 2023 -0500 platform/x86: thinkpad_acpi: Fix profile modes on Intel platforms My last commit to fix profile mode displays on AMD platforms caused an issue on Intel platforms - sorry! In it I was reading the current functional mode (MMC, PSC, AMT) from the BIOS but didn't account for the fact that on some of our Intel platforms I use a different API which returns just the profile and not the functional mode. This commit fixes it so that on Intel platforms it knows the functional mode is always MMC. I also fixed a potential problem that a platform may try to set the mode for both MMC and PSC - which was incorrect. Tested on X1 Carbon 9 (Intel) and Z13 (AMD). Link: https://bugzilla.kernel.org/show_bug.cgi?id=216963 Fixes: fde5f74ccfc7 ("platform/x86: thinkpad_acpi: Fix profile mode display in AMT mode") Cc: stable@vger.kernel.org Reviewed-by: Mario Limonciello Signed-off-by: Mark Pearson Link: https://lore.kernel.org/r/20230124153623.145188-1-mpearson-lenovo@squebb.ca Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit f2b0b5210f67c56a3bcdf92ff665fb285d6e0067 Author: Hyunwoo Kim Date: Mon Jan 23 11:43:23 2023 -0800 net/x25: Fix to not accept on connected socket When listen() and accept() are called on an x25 socket that connect() succeeds, accept() succeeds immediately. This is because x25_connect() queues the skb to sk->sk_receive_queue, and x25_accept() dequeues it. This creates a child socket with the sk of the parent x25 socket, which can cause confusion. Fix x25_listen() to return -EINVAL if the socket has already been successfully connect()ed to avoid this issue. Signed-off-by: Hyunwoo Kim Signed-off-by: David S. Miller commit 85eee6341abb81ac6a35062ffd5c3029eb53be6b Author: Keith Busch Date: Tue Jan 24 13:29:14 2023 -0800 nvme: fix passthrough csi check The namespace head saves the Command Set Indicator enum, so use that instead of the Command Set Selected. The two values are not the same. Fixes: 831ed60c2aca2d ("nvme: also return I/O command effects from nvme_command_effects") Signed-off-by: Keith Busch Signed-off-by: Christoph Hellwig commit ca0254998be4d74cf6add70ccfab0d2dbd362a10 Author: Liao Chang Date: Mon Jan 16 14:43:42 2023 +0800 riscv/kprobe: Fix instruction simulation of JALR Set kprobe at 'jalr 1140(ra)' of vfs_write results in the following crash: [ 32.092235] Unable to handle kernel access to user memory without uaccess routines at virtual address 00aaaaaad77b1170 [ 32.093115] Oops [#1] [ 32.093251] Modules linked in: [ 32.093626] CPU: 0 PID: 135 Comm: ftracetest Not tainted 6.2.0-rc2-00013-gb0aa5e5df0cb-dirty #16 [ 32.093985] Hardware name: riscv-virtio,qemu (DT) [ 32.094280] epc : ksys_read+0x88/0xd6 [ 32.094855] ra : ksys_read+0xc0/0xd6 [ 32.095016] epc : ffffffff801cda80 ra : ffffffff801cdab8 sp : ff20000000d7bdc0 [ 32.095227] gp : ffffffff80f14000 tp : ff60000080f9cb40 t0 : ffffffff80f13e80 [ 32.095500] t1 : ffffffff8000c29c t2 : ffffffff800dbc54 s0 : ff20000000d7be60 [ 32.095716] s1 : 0000000000000000 a0 : ffffffff805a64ae a1 : ffffffff80a83708 [ 32.095921] a2 : ffffffff80f160a0 a3 : 0000000000000000 a4 : f229b0afdb165300 [ 32.096171] a5 : f229b0afdb165300 a6 : ffffffff80eeebd0 a7 : 00000000000003ff [ 32.096411] s2 : ff6000007ff76800 s3 : fffffffffffffff7 s4 : 00aaaaaad77b1170 [ 32.096638] s5 : ffffffff80f160a0 s6 : ff6000007ff76800 s7 : 0000000000000030 [ 32.096865] s8 : 00ffffffc3d97be0 s9 : 0000000000000007 s10: 00aaaaaad77c9410 [ 32.097092] s11: 0000000000000000 t3 : ffffffff80f13e48 t4 : ffffffff8000c29c [ 32.097317] t5 : ffffffff8000c29c t6 : ffffffff800dbc54 [ 32.097505] status: 0000000200000120 badaddr: 00aaaaaad77b1170 cause: 000000000000000d [ 32.098011] [] ksys_write+0x6c/0xd6 [ 32.098222] [] sys_write+0x2a/0x38 [ 32.098405] [] ret_from_syscall+0x0/0x2 Since the rs1 and rd might be the same one, such as 'jalr 1140(ra)', hence it requires obtaining the target address from rs1 followed by updating rd. Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported") Signed-off-by: Liao Chang Reviewed-by: Guo Ren Link: https://lore.kernel.org/r/20230116064342.2092136-1-liaochang1@huawei.com [Palmer: Pick Guo's cleanup] Signed-off-by: Palmer Dabbelt commit e8c8fd9b8393d7064152c8806f5ac446d760a23e Merge: 74bc3a5acc82f c88ea16a8f892 Author: Alexei Starovoitov Date: Tue Jan 24 21:32:55 2023 -0800 Merge branch 'bpf, sockmap: Fix infinite recursion in sock_map_close' Jakub Sitnicki says: ==================== This patch set addresses the syzbot report in [1]. Patch #1 has been suggested by Eric [2]. I extended it to cover the rest of sock_map proto callbacks. Otherwise we would still overflow the stack. Patch #2 contains the actual fix and bug analysis. Patches #3 & #4 add coverage to selftests to trigger the bug. [1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/ [2] https://lore.kernel.org/all/CANn89iK2UN1FmdUcH12fv_xiZkv2G+Nskvmq7fG6aA_6VKRf6g@mail.gmail.com/ --- v1 -> v2: v1: https://lore.kernel.org/r/20230113-sockmap-fix-v1-0-d3cad092ee10@cloudflare.com [v1 didn't hit bpf@ ML by mistake] * pull in Eric's patch to protect against recursion loop bugs (Eric) * add a macro helper to check if pointer is inside a memory range (Eric) ==================== Signed-off-by: Alexei Starovoitov commit c88ea16a8f892bce3bfb3f6a0d91b2bb27df8f59 Author: Jakub Sitnicki Date: Sat Jan 21 13:41:46 2023 +0100 selftests/bpf: Cover listener cloning with progs attached to sockmap Today we test if a child socket is cloned properly from a listening socket inside a sockmap only when there are no BPF programs attached to the map. A bug has been reported [1] for the case when sockmap has a verdict program attached. So cover this case as well to prevent regressions. [1]: https://lore.kernel.org/r/00000000000073b14905ef2e7401@google.com Signed-off-by: Jakub Sitnicki Acked-by: John Fastabend Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-4-1e0ee7ac2f90@cloudflare.com Signed-off-by: Alexei Starovoitov commit b4ea530d024ca6095fc80290075893a5b7136516 Author: Jakub Sitnicki Date: Sat Jan 21 13:41:45 2023 +0100 selftests/bpf: Pass BPF skeleton to sockmap_listen ops tests Following patch extends the sockmap ops tests to cover the scenario when a sockmap with attached programs holds listening sockets. Pass the BPF skeleton to sockmap ops test so that the can access and attach the BPF programs. Signed-off-by: Jakub Sitnicki Acked-by: John Fastabend Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-3-1e0ee7ac2f90@cloudflare.com Signed-off-by: Alexei Starovoitov commit ddce1e091757d0259107c6c0c7262df201de2b66 Author: Jakub Sitnicki Date: Sat Jan 21 13:41:44 2023 +0100 bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener A listening socket linked to a sockmap has its sk_prot overridden. It points to one of the struct proto variants in tcp_bpf_prots. The variant depends on the socket's family and which sockmap programs are attached. A child socket cloned from a TCP listener initially inherits their sk_prot. But before cloning is finished, we restore the child's proto to the listener's original non-tcp_bpf_prots one. This happens in tcp_create_openreq_child -> tcp_bpf_clone. Today, in tcp_bpf_clone we detect if the child's proto should be restored by checking only for the TCP_BPF_BASE proto variant. This is not correct. The sk_prot of listening socket linked to a sockmap can point to to any variant in tcp_bpf_prots. If the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then the child socket unintentionally is left if the inherited sk_prot by tcp_bpf_clone. This leads to issues like infinite recursion on close [1], because the child state is otherwise not set up for use with tcp_bpf_prot operations. Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants. Note that it wouldn't be sufficient to check the socket state when overriding the sk_prot in tcp_bpf_update_proto in order to always use the TCP_BPF_BASE variant for listening sockets. Since commit b8b8315e39ff ("bpf, sockmap: Remove unhash handler for BPF sockmap usage") it is possible for a socket to transition to TCP_LISTEN state while already linked to a sockmap, e.g. connect() -> insert into map -> connect(AF_UNSPEC) -> listen(). [1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/ Fixes: e80251555f0b ("tcp_bpf: Don't let child socket inherit parent protocol ops on copy") Reported-by: syzbot+04c21ed96d861dccc5cd@syzkaller.appspotmail.com Signed-off-by: Jakub Sitnicki Acked-by: John Fastabend Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-2-1e0ee7ac2f90@cloudflare.com Signed-off-by: Alexei Starovoitov commit 5b4a79ba65a1ab479903fff2e604865d229b70a9 Author: Jakub Sitnicki Date: Sat Jan 21 13:41:43 2023 +0100 bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself sock_map proto callbacks should never call themselves by design. Protect against bugs like [1] and break out of the recursive loop to avoid a stack overflow in favor of a resource leak. [1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/ Suggested-by: Eric Dumazet Signed-off-by: Jakub Sitnicki Acked-by: John Fastabend Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-1-1e0ee7ac2f90@cloudflare.com Signed-off-by: Alexei Starovoitov commit 2a48216cff7a2e3964fbed16f84d33f68b3e5e42 Merge: 418e53401e478 a44b7651489f2 Author: Jakub Kicinski Date: Tue Jan 24 18:59:37 2023 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net 1) Perform SCTP vtag verification for ABORT/SHUTDOWN_COMPLETE according to RFC 9260, Sect 8.5.1. 2) Fix infinite loop if SCTP chunk size is zero in for_each_sctp_chunk(). And remove useless check in this macro too. 3) Revert DATA_SENT state in the SCTP tracker, this was applied in the previous merge window. Next patch in this series provides a more simple approach to multihoming support. 4) Unify HEARTBEAT_ACKED and ESTABLISHED states for SCTP multihoming support, use default ESTABLISHED of 210 seconds based on heartbeat timeout * maximum number of retransmission + round-trip timeout. Otherwise, SCTP conntrack entry that represents secondary paths remain stale in the table for up to 5 days. This is a slightly large batch with fixes for the SCTP connection tracking helper, all patches from Sriram Yagnaraman. * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: conntrack: unify established states for SCTP paths Revert "netfilter: conntrack: add sctp DATA_SENT state" netfilter: conntrack: fix bug in for_each_sctp_chunk netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE ==================== Link: https://lore.kernel.org/r/20230124183933.4752-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski commit 418e53401e478a743cf33b1c32ea0728f0afef66 Author: Paul M Stillwell Jr Date: Mon Jan 23 16:57:14 2023 -0800 ice: move devlink port creation/deletion Commit a286ba738714 ("ice: reorder PF/representor devlink port register/unregister flows") moved the code to create and destroy the devlink PF port. This was fine, but created a corner case issue in the case of ice_register_netdev() failing. In that case, the driver would end up calling ice_devlink_destroy_pf_port() twice. Additionally, it makes no sense to tie creation of the devlink PF port to the creation of the netdev so separate out the code to create/destroy the devlink PF port from the netdev code. This makes it a cleaner interface. Fixes: a286ba738714 ("ice: reorder PF/representor devlink port register/unregister flows") Signed-off-by: Paul M Stillwell Jr Tested-by: Gurucharan G (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Reviewed-by: Leon Romanovsky Link: https://lore.kernel.org/r/20230124005714.3996270-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 458e279f861d3f61796894cd158b780765a1569f Author: Marcelo Ricardo Leitner Date: Mon Jan 23 14:59:33 2023 -0300 sctp: fail if no bound addresses can be used for a given scope Currently, if you bind the socket to something like: servaddr.sin6_family = AF_INET6; servaddr.sin6_port = htons(0); servaddr.sin6_scope_id = 0; inet_pton(AF_INET6, "::1", &servaddr.sin6_addr); And then request a connect to: connaddr.sin6_family = AF_INET6; connaddr.sin6_port = htons(20000); connaddr.sin6_scope_id = if_nametoindex("lo"); inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr); What the stack does is: - bind the socket - create a new asoc - to handle the connect - copy the addresses that can be used for the given scope - try to connect But the copy returns 0 addresses, and the effect is that it ends up trying to connect as if the socket wasn't bound, which is not the desired behavior. This unexpected behavior also allows KASLR leaks through SCTP diag interface. The fix here then is, if when trying to copy the addresses that can be used for the scope used in connect() it returns 0 addresses, bail out. This is what TCP does with a similar reproducer. Reported-by: Pietro Borrello Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Marcelo Ricardo Leitner Reviewed-by: Xin Long Link: https://lore.kernel.org/r/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner@gmail.com Signed-off-by: Jakub Kicinski commit 948ef7bb70c4acaf74d87420ea3a1190862d4548 Merge: 246dc53fb2461 0254127ab977e Author: Linus Torvalds Date: Tue Jan 24 18:19:44 2023 -0800 Merge tag 'modules-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux Pull module fix from Luis Chamberlain: "Theis is a fix we have been delaying for v6.2 due to lack of early testing on linux-next. The commit has been sitting in linux-next since December and testing has also been now a bit extensive by a few developers. Since this is a fix which definitely will go to v6.3 it should also apply to v6.2 so if there are any issues we pick them up earlier rather than later. The fix fixes a regression since v5.3, prior to me helping with module maintenance, however, the issue is real in that in the worst case now can prevent boot. We've discussed all possible corner cases [0] and at last do feel this is ready for v6.2-rc6" Link https://lore.kernel.org/all/Y9A4fiobL6IHp%2F%2FP@bombadil.infradead.org/ [0] * tag 'modules-6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux: module: Don't wait for GOING modules commit ea4fdbaa2f7798cb25adbe4fd52ffc6356f097bb Author: Eric Dumazet Date: Mon Jan 23 08:45:52 2023 +0000 net/sched: sch_taprio: do not schedule in taprio_reset() As reported by syzbot and hinted by Vinicius, I should not have added a qdisc_synchronize() call in taprio_reset() taprio_reset() can be called with qdisc spinlock held (and BH disabled) as shown in included syzbot report [1]. Only taprio_destroy() needed this synchronization, as explained in the blamed commit changelog. [1] BUG: scheduling while atomic: syz-executor150/5091/0x00000202 2 locks held by syz-executor150/5091: Modules linked in: Preemption disabled at: [<0000000000000000>] 0x0 Kernel panic - not syncing: scheduling while atomic: panic_on_warn set ... CPU: 1 PID: 5091 Comm: syz-executor150 Not tainted 6.2.0-rc3-syzkaller-00219-g010a74f52203 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 panic+0x2cc/0x626 kernel/panic.c:318 check_panic_on_warn.cold+0x19/0x35 kernel/panic.c:238 __schedule_bug.cold+0xd5/0xfe kernel/sched/core.c:5836 schedule_debug kernel/sched/core.c:5865 [inline] __schedule+0x34e4/0x5450 kernel/sched/core.c:6500 schedule+0xde/0x1b0 kernel/sched/core.c:6682 schedule_timeout+0x14e/0x2a0 kernel/time/timer.c:2167 schedule_timeout_uninterruptible kernel/time/timer.c:2201 [inline] msleep+0xb6/0x100 kernel/time/timer.c:2322 qdisc_synchronize include/net/sch_generic.h:1295 [inline] taprio_reset+0x93/0x270 net/sched/sch_taprio.c:1703 qdisc_reset+0x10c/0x770 net/sched/sch_generic.c:1022 dev_reset_queue+0x92/0x130 net/sched/sch_generic.c:1285 netdev_for_each_tx_queue include/linux/netdevice.h:2464 [inline] dev_deactivate_many+0x36d/0x9f0 net/sched/sch_generic.c:1351 dev_deactivate+0xed/0x1b0 net/sched/sch_generic.c:1374 qdisc_graft+0xe4a/0x1380 net/sched/sch_api.c:1080 tc_modify_qdisc+0xb6b/0x19a0 net/sched/sch_api.c:1689 rtnetlink_rcv_msg+0x43e/0xca0 net/core/rtnetlink.c:6141 netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564 netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline] netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356 netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xd3/0x120 net/socket.c:734 ____sys_sendmsg+0x712/0x8c0 net/socket.c:2476 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2530 __sys_sendmsg+0xf7/0x1c0 net/socket.c:2559 do_syscall_x64 arch/x86/entry/common.c:50 [inline] Fixes: 3a415d59c1db ("net/sched: sch_taprio: fix possible use-after-free") Link: https://lore.kernel.org/netdev/167387581653.2747.13878941339893288655.git-patchwork-notify@kernel.org/T/ Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Vinicius Costa Gomes Link: https://lore.kernel.org/r/20230123084552.574396-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 246dc53fb2461dbcd66d4d1d914246a581edad29 Merge: b2f317173ed5f 6618d69aa129a Author: Linus Torvalds Date: Tue Jan 24 17:54:25 2023 -0800 Merge tag 'rust-fixes-6.2' of https://github.com/Rust-for-Linux/linux Pull rust fix from Miguel Ojeda: - Avoid evaluating arguments in 'pr_*' macros in 'unsafe' blocks * tag 'rust-fixes-6.2' of https://github.com/Rust-for-Linux/linux: rust: print: avoid evaluating arguments in `pr_*` macros in `unsafe` blocks commit b2f317173ed5f00a00aedba71cc67454d9cde90f Merge: 02db81a787e30 c2c46b10d5262 Author: Linus Torvalds Date: Tue Jan 24 17:48:09 2023 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "ARM64: - Pass the correct address to mte_clear_page_tags() on initialising a tagged page - Plug a race against a GICv4.1 doorbell interrupt while saving the vgic-v3 pending state. x86: - A command line parsing fix and a clang compilation fix for selftests - A fix for a longstanding VMX issue, that surprisingly was only found now to affect real world guests" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: selftests: Make reclaim_period_ms input always be positive KVM: x86/vmx: Do not skip segment attributes if unusable bit is set selftests: kvm: move declaration at the beginning of main() KVM: arm64: GICv4.1: Fix race with doorbell on VPE activation/deactivation KVM: arm64: Pass the actual page address to mte_clear_page_tags() commit 02db81a787e304e5afaa31dc66522d39d3f89f1a Merge: fb6e71db53f3d 0bfe63d075789 Author: Linus Torvalds Date: Tue Jan 24 17:42:53 2023 -0800 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Six fixes, all in drivers. The biggest are the UFS devfreq fixes which address a lock inversion and the two iscsi_tcp fixes which try to prevent a use after free from userspace still accessing an area which the kernel has released (seen by KASAN)" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: device_handler: alua: Remove a might_sleep() annotation scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress scsi: ufs: core: Fix devfreq deadlocks scsi: hpsa: Fix allocation size for scsi_host_alloc() scsi: target: core: Fix warning on RT kernels commit ca0f2cfc495d9b614ac6431d7029f1f140403155 Author: Randy Dunlap Date: Tue Jan 24 10:16:55 2023 -0800 lib: Kconfig: fix spellos Fix spelling in lib/ Kconfig files. (reported by codespell) Link: https://lkml.kernel.org/r/20230124181655.16269-1-rdunlap@infradead.org Cc: Andrew Morton Cc: Marco Elver Cc: Dmitry Vyukov Cc: kasan-dev@googlegroups.com Reviewed-by: Marco Elver Signed-off-by: Randy Dunlap Signed-off-by: Steven Rostedt (Google) commit 8b152e9150d07a885f95e1fd401fc81af202d9a4 Author: Natalia Petrova Date: Wed Jan 11 15:04:09 2023 +0300 trace_events_hist: add check for return value of 'create_hist_field' Function 'create_hist_field' is called recursively at trace_events_hist.c:1954 and can return NULL-value that's why we have to check it to avoid null pointer dereference. Found by Linux Verification Center (linuxtesting.org) with SVACE. Link: https://lkml.kernel.org/r/20230111120409.4111-1-n.petrova@fintech.ru Cc: stable@vger.kernel.org Fixes: 30350d65ac56 ("tracing: Add variable support to hist triggers") Signed-off-by: Natalia Petrova Signed-off-by: Steven Rostedt (Google) commit 685b64e4d6da4be8b4595654a57db663b3d1dfc2 Author: Chuang Wang Date: Tue Dec 27 10:30:36 2022 +0800 tracing/osnoise: Use built-in RCU list checking list_for_each_entry_rcu() has built-in RCU and lock checking. Pass cond argument to list_for_each_entry_rcu() to silence false lockdep warning when CONFIG_PROVE_RCU_LIST is enabled. Execute as follow: [tracing]# echo osnoise > current_tracer [tracing]# echo 1 > tracing_on [tracing]# echo 0 > tracing_on The trace_types_lock is held when osnoise_tracer_stop() or timerlat_tracer_stop() are called in the non-RCU read side section. So, pass lockdep_is_held(&trace_types_lock) to silence false lockdep warning. Link: https://lkml.kernel.org/r/20221227023036.784337-1-nashuiliang@gmail.com Cc: Masami Hiramatsu Fixes: dae181349f1e ("tracing/osnoise: Support a list of trace_array *tr") Acked-by: Daniel Bristot de Oliveira Signed-off-by: Chuang Wang Signed-off-by: Steven Rostedt (Google) commit d9b6c322fd33d55a254756b0269d644851899e5f Author: Eddie James Date: Wed Jan 18 15:47:36 2023 +1030 ARM: dts: aspeed: Fix pca9849 compatible Missed a digit in the PCA9849 compatible string. Signed-off-by: Eddie James Fixes: 65b697e5dec7 ("ARM: dts: aspeed: Add IBM Bonnell system BMC devicetree") Link: https://lore.kernel.org/r/20220826194457.164492-1-eajames@linux.ibm.com Signed-off-by: Joel Stanley Link: https://lore.kernel.org/r/20230118051736.246714-1-joel@jms.id.au Signed-off-by: Arnd Bergmann commit fb6e71db53f3d4351dada7c130fb652eecf994d6 Merge: 50306df38ac4e 4bdbba54e9b1c Author: Linus Torvalds Date: Tue Jan 24 12:58:47 2023 -0800 Merge tag 'nfsd-6.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd fix from Chuck Lever: - Nail another UAF in NFSD's filecache * tag 'nfsd-6.2-5' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: nfsd: don't free files unconditionally in __nfsd_file_cache_purge commit 50306df38ac4edbeb1eac29d68128f84630405d8 Merge: 5149394c89980 31e1be62abdeb Author: Linus Torvalds Date: Tue Jan 24 12:53:26 2023 -0800 Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux Pull fscrypt MAINTAINERS entry update from Eric Biggers: "Update the MAINTAINERS file entry for fscrypt" * tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux: MAINTAINERS: update fscrypt git repo commit 0254127ab977e70798707a7a2b757c9f3c971210 Author: Petr Pavlu Date: Mon Dec 5 11:35:57 2022 +0100 module: Don't wait for GOING modules During a system boot, it can happen that the kernel receives a burst of requests to insert the same module but loading it eventually fails during its init call. For instance, udev can make a request to insert a frequency module for each individual CPU when another frequency module is already loaded which causes the init function of the new module to return an error. Since commit 6e6de3dee51a ("kernel/module.c: Only return -EEXIST for modules that have finished loading"), the kernel waits for modules in MODULE_STATE_GOING state to finish unloading before making another attempt to load the same module. This creates unnecessary work in the described scenario and delays the boot. In the worst case, it can prevent udev from loading drivers for other devices and might cause timeouts of services waiting on them and subsequently a failed boot. This patch attempts a different solution for the problem 6e6de3dee51a was trying to solve. Rather than waiting for the unloading to complete, it returns a different error code (-EBUSY) for modules in the GOING state. This should avoid the error situation that was described in 6e6de3dee51a (user space attempting to load a dependent module because the -EEXIST error code would suggest to user space that the first module had been loaded successfully), while avoiding the delay situation too. This has been tested on linux-next since December 2022 and passes all kmod selftests except test 0009 with module compression enabled but it has been confirmed that this issue has existed and has gone unnoticed since prior to this commit and can also be reproduced without module compression with a simple usleep(5000000) on tools/modprobe.c [0]. These failures are caused by hitting the kernel mod_concurrent_max and can happen either due to a self inflicted kernel module auto-loead DoS somehow or on a system with large CPU count and each CPU count incorrectly triggering many module auto-loads. Both of those issues need to be fixed in-kernel. [0] https://lore.kernel.org/all/Y9A4fiobL6IHp%2F%2FP@bombadil.infradead.org/ Fixes: 6e6de3dee51a ("kernel/module.c: Only return -EEXIST for modules that have finished loading") Co-developed-by: Martin Wilck Signed-off-by: Martin Wilck Signed-off-by: Petr Pavlu Cc: stable@vger.kernel.org Reviewed-by: Petr Mladek [mcgrof: enhance commit log with testing and kmod test result interpretation ] Signed-off-by: Luis Chamberlain commit 5149394c899808667e0f8444d3d39cba1dfb42f7 Merge: 854f0912f813c ef7592e466ef7 Author: Linus Torvalds Date: Tue Jan 24 12:51:49 2023 -0800 Merge tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fsverity/linux Pull fsverity MAINTAINERS entry update from Eric Biggers: "Update the MAINTAINERS file entry for fsverity" * tag 'fsverity-for-linus' of git://git.kernel.org/pub/scm/fs/fsverity/linux: MAINTAINERS: update fsverity git repo, list, and patchwork commit 854f0912f813c3b7a4d35517658ca7f1511a69e2 Author: Linus Torvalds Date: Tue Jan 24 09:23:56 2023 -0800 ext4: make xattr char unsignedness in hash explicit Commit f3bbac32475b ("ext4: deal with legacy signed xattr name hash values") added a hashing function for the legacy case of having the xattr hash calculated using a signed 'char' type. It left the unsigned case alone, since it's all implicitly handled by the '-funsigned-char' compiler option. However, there's been some noise about back-porting it all into stable kernels that lack the '-funsigned-char', so let's just make that at least possible by making the whole 'this uses unsigned char' very explicit in the code itself. Whether such a back-port is really warranted or not, I'll leave to others, but at least together with this change it is technically sensible. Also, add a 'pr_warn_once()' for reporting the "hey, signedness for this hash calculation has changed" issue. Hopefully it never triggers except for that xfstests generic/454 test-case, but even if it does it's just good information to have. If for no other reason than "we can remove the legacy signed hash code entirely if nobody ever sees the message any more". Cc: Sasha Levin Cc: Eric Biggers Cc: Andreas Dilger Cc: Theodore Ts'o , Cc: Jason Donenfeld Cc: Masahiro Yamada Signed-off-by: Linus Torvalds commit 6757a7abe47bcb12cb2d45661067e182424b0ee3 Author: Srinivas Pandruvada Date: Mon Jan 23 09:21:10 2023 -0800 thermal: intel: int340x: Protect trip temperature from concurrent updates Trip temperatures are read using ACPI methods and stored in the memory during zone initializtion and when the firmware sends a notification for change. This trip temperature is returned when the thermal core calls via callback get_trip_temp(). But it is possible that while updating the memory copy of the trips when the firmware sends a notification for change, thermal core is reading the trip temperature via the callback get_trip_temp(). This may return invalid trip temperature. To address this add a mutex to protect the invalid temperature reads in the callback get_trip_temp() and int340x_thermal_read_trips(). Fixes: 5fbf7f27fa3d ("Thermal/int340x: Add common thermal zone handler") Signed-off-by: Srinivas Pandruvada Cc: 5.0+ # 5.0+ Signed-off-by: Rafael J. Wysocki commit 5a5754a4997c372292e57ed631807131c63cebaf Author: Keith Busch Date: Tue Jan 24 09:17:38 2023 -0800 nvme-pci: flush initial scan_work for async probe The nvme device may have a namespace with the root partition, so make sure we've completed scanning before returning from the async probe. Fixes: eac3ef262941 ("nvme-pci: split the initial probe from the rest path") Reported-by: Klaus Jensen Signed-off-by: Keith Busch Tested-by: Ville Syrjälä Tested-by: Klaus Jensen Signed-off-by: Christoph Hellwig commit ac28d0a0f40782d216f6aaaf22e0d8bded06a435 Author: Randy Dunlap Date: Tue Jan 24 10:16:47 2023 -0800 tracing: Kconfig: Fix spelling/grammar/punctuation Fix some editorial nits in trace Kconfig. Link: https://lkml.kernel.org/r/20230124181647.15902-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Signed-off-by: Steven Rostedt (Google) commit 7ae4ba7195b1bac04a4210a499da9d8c63b0ba9c Author: Steven Rostedt (Google) Date: Mon Jan 23 11:22:52 2023 -0500 ftrace/scripts: Update the instructions for ftrace-bisect.sh The instructions for the ftrace-bisect.sh script, which is used to find what function is being traced that is causing a kernel crash, and possibly a triple fault reboot, uses the old method. In 5.1, a new feature was added that let the user write in the index into available_filter_functions that maps to the function a user wants to set in set_ftrace_filter (or set_ftrace_notrace). This takes O(1) to set, as suppose to writing a function name, which takes O(n) (where n is the number of functions in available_filter_functions). The ftrace-bisect.sh requires setting half of the functions in available_filter_functions, which is O(n^2) using the name method to enable and can take several minutes to complete. The number method is O(n) which takes less than a second to complete. Using the number method for any kernel 5.1 and after is the proper way to do the bisect. Update the usage to reflect the new change, as well as using the /sys/kernel/tracing path instead of the obsolete debugfs path. Link: https://lkml.kernel.org/r/20230123112252.022003dd@gandalf.local.home Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Acked-by: Mark Rutland Fixes: f79b3f338564e ("ftrace: Allow enabling of filters via index of available_filter_functions") Signed-off-by: Steven Rostedt (Google) commit 921deb9da15851425ccbb6ee409dc2fd8fbdfe6b Author: Udipto Goswami Date: Tue Jan 24 14:41:49 2023 +0530 usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait __ffs_ep0_queue_wait executes holding the spinlock of &ffs->ev.waitq.lock and unlocks it after the assignments to usb_request are done. However in the code if the request is already NULL we bail out returning -EINVAL but never unlocked the spinlock. Fix this by adding spin_unlock_irq &ffs->ev.waitq.lock before returning. Fixes: 6a19da111057 ("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait") Reviewed-by: John Keeping Signed-off-by: Udipto Goswami Link: https://lore.kernel.org/r/20230124091149.18647-1-quic_ugoswami@quicinc.com Signed-off-by: Greg Kroah-Hartman commit eb320f76e31dc835b9f57f04af1a2353b13bb7d8 Author: Neil Armstrong Date: Tue Jan 24 09:31:21 2023 +0100 usb: dwc3: qcom: enable vbus override when in OTG dr-mode With vbus override enabled when in OTG dr_mode, Host<->Peripheral switch now works on SM8550, otherwise the DWC3 seems to be stuck in Host mode only. Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") Reviewed-by: Bryan O'Donoghue Signed-off-by: Neil Armstrong Link: https://lore.kernel.org/r/20230123-topic-sm8550-upstream-dwc3-qcom-otg-v2-1-2d400e598463@linaro.org Signed-off-by: Greg Kroah-Hartman commit fa003a3c11efff1c42a0edbe8eee86fb1ebe6d7a Author: Daniel Scally Date: Tue Jan 24 15:39:09 2023 +0000 MAINTAINERS: Add myself as UVC Gadget Maintainer Add myself as a second maintainer for the UVC Gadget. Reviewed-by: Laurent Pinchart Signed-off-by: Daniel Scally Link: https://lore.kernel.org/r/20230124153909.867202-1-dan.scally@ideasonboard.com Signed-off-by: Greg Kroah-Hartman commit d968117a7e8e5572762eacbdbca13bc96710e9a3 Author: Paolo Abeni Date: Tue Jan 24 17:44:14 2023 +0100 Revert "Merge branch 'ethtool-mac-merge'" This reverts commit 0ad999c1eec879f06cc52ef7df4d0dbee4a2d7eb, reversing changes made to e38553bdc377e3e7a6caa9dd9770d8b644d8dac3. It was not intended for net. Signed-off-by: Paolo Abeni commit 3bb06eb6e9acf7c4a3e1b5bc87aed398ff8e2253 Author: Steven Rostedt (Google) Date: Wed Jan 4 16:14:12 2023 -0500 tracing: Make sure trace_printk() can output as soon as it can be used Currently trace_printk() can be used as soon as early_trace_init() is called from start_kernel(). But if a crash happens, and "ftrace_dump_on_oops" is set on the kernel command line, all you get will be: [ 0.456075] -0 0dN.2. 347519us : Unknown type 6 [ 0.456075] -0 0dN.2. 353141us : Unknown type 6 [ 0.456075] -0 0dN.2. 358684us : Unknown type 6 This is because the trace_printk() event (type 6) hasn't been registered yet. That gets done via an early_initcall(), which may be early, but not early enough. Instead of registering the trace_printk() event (and other ftrace events, which are not trace events) via an early_initcall(), have them registered at the same time that trace_printk() can be used. This way, if there is a crash before early_initcall(), then the trace_printk()s will actually be useful. Link: https://lkml.kernel.org/r/20230104161412.019f6c55@gandalf.local.home Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Fixes: e725c731e3bb1 ("tracing: Split tracing initialization into two for early initialization") Reported-by: "Joel Fernandes (Google)" Tested-by: Joel Fernandes (Google) Signed-off-by: Steven Rostedt (Google) commit 8be9fbd5345da52f4a74f7f81d55ff9fa0a2958e Author: Mark Rutland Date: Tue Jan 3 12:49:11 2023 +0000 ftrace: Export ftrace_free_filter() to modules Setting filters on an ftrace ops results in some memory being allocated for the filter hashes, which must be freed before the ops can be freed. This can be done by removing every individual element of the hash by calling ftrace_set_filter_ip() or ftrace_set_filter_ips() with `remove` set, but this is somewhat error prone as it's easy to forget to remove an element. Make it easier to clean this up by exporting ftrace_free_filter(), which can be used to clean up all of the filter hashes after an ftrace_ops has been unregistered. Using this, fix the ftrace-direct* samples to free hashes prior to being unloaded. All other code either removes individual filters explicitly or is built-in and already calls ftrace_free_filter(). Link: https://lkml.kernel.org/r/20230103124912.2948963-3-mark.rutland@arm.com Cc: stable@vger.kernel.org Cc: Florent Revest Cc: Masami Hiramatsu Fixes: e1067a07cfbc ("ftrace/samples: Add module to test multi direct modify interface") Fixes: 5fae941b9a6f ("ftrace/samples: Add multi direct interface test module") Reviewed-by: Masami Hiramatsu (Google) Reviewed-by: Steven Rostedt (Google) Signed-off-by: Mark Rutland Signed-off-by: Steven Rostedt (Google) commit 89c08aef8f8dcb5fc98ad8db7ca92c9dab1f26b0 Author: Hans Verkuil Date: Mon Jan 23 09:45:49 2023 +0100 media: videobuf2: set q->streaming later Commit a10b21532574 ("media: vb2: add (un)prepare_streaming queue ops") moved up the q->streaming = 1 assignment to before the call to vb2_start_streaming(). This does make sense since q->streaming indicates that VIDIOC_STREAMON is called, and the call to start_streaming happens either at that time or later if q->min_buffers_needed > 0. So q->streaming should be 1 before start_streaming is called. However, it turned out that some drivers use vb2_is_streaming() in buf_queue, and if q->min_buffers_needed == 0, then that will now return true instead of false. So for the time being revert to the original behavior. Signed-off-by: Hans Verkuil Fixes: a10b21532574 ("media: vb2: add (un)prepare_streaming queue ops") Reviewed-by: Laurent Pinchart Tested-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab commit facd61053cff100973921d4d45d47cf53c747ec6 Author: Christian Brauner Date: Fri Jan 20 12:55:04 2023 +0100 fuse: fixes after adapting to new posix acl api This cycle we ported all filesystems to the new posix acl api. While looking at further simplifications in this area to remove the last remnants of the generic dummy posix acl handlers we realized that we regressed fuse daemons that don't set FUSE_POSIX_ACL but still make use of posix acls. With the change to a dedicated posix acl api interacting with posix acls doesn't go through the old xattr codepaths anymore and instead only relies the get acl and set acl inode operations. Before this change fuse daemons that don't set FUSE_POSIX_ACL were able to get and set posix acl albeit with two caveats. First, that posix acls aren't cached. And second, that they aren't used for permission checking in the vfs. We regressed that use-case as we currently refuse to retrieve any posix acls if they aren't enabled via FUSE_POSIX_ACL. So older fuse daemons would see a change in behavior. We can restore the old behavior in multiple ways. We could change the new posix acl api and look for a dedicated xattr handler and if we find one prefer that over the dedicated posix acl api. That would break the consistency of the new posix acl api so we would very much prefer not to do that. We could introduce a new ACL_*_CACHE sentinel that would instruct the vfs permission checking codepath to not call into the filesystem and ignore acls. But a more straightforward fix for v6.2 is to do the same thing that Overlayfs does and give fuse a separate get acl method for permission checking. Overlayfs uses this to express different needs for vfs permission lookup and acl based retrieval via the regular system call path as well. Let fuse do the same for now. This way fuse can continue to refuse to retrieve posix acls for daemons that don't set FUSE_POSXI_ACL for permission checking while allowing a fuse server to retrieve it via the usual system calls. In the future, we could extend the get acl inode operation to not just pass a simple boolean to indicate rcu lookup but instead make it a flag argument. Then in addition to passing the information that this is an rcu lookup to the filesystem we could also introduce a flag that tells the filesystem that this is a request from the vfs to use these acls for permission checking. Then fuse could refuse the get acl request for permission checking when the daemon doesn't have FUSE_POSIX_ACL set in the same get acl method. This would also help Overlayfs and allow us to remove the second method for it as well. But since that change is more invasive as we need to update the get acl inode operation for multiple filesystems we should not do this as a fix for v6.2. Instead we will do this for the v6.3 merge window. Fwiw, since posix acls are now always correctly translated in the new posix acl api we could also allow them to be used for daemons without FUSE_POSIX_ACL that are not mounted on the host. But this is behavioral change and again if dones should be done for v6.3. For now, let's just restore the original behavior. A nice side-effect of this change is that for fuse daemons with and without FUSE_POSIX_ACL the same code is used for posix acls in a backwards compatible way. This also means we can remove the legacy xattr handlers completely. We've also added comments to explain the expected behavior for daemons without FUSE_POSIX_ACL into the code. Fixes: 318e66856dde ("xattr: use posix acl api") Signed-off-by: Seth Forshee (Digital Ocean) Reviewed-by: Miklos Szeredi Signed-off-by: Christian Brauner (Microsoft) commit b0935f110cff5d70da05c5cb1670bee0b07b631c Author: Hans de Goede Date: Tue Jan 24 11:57:54 2023 +0100 ACPI: video: Fix apple gmux detection Some apple laptop models have an ACPI device with a HID of APP000B and that device has an IO resource (so it does not describe the new unsupported MMIO based gmux type), but there actually is no gmux in the laptop at all. The gmux_probe() function of the actual apple-gmux driver has code to detect this, this code has been factored out into a new apple_gmux_detect() helper in apple-gmux.h. Use this new function to fix acpi_video_get_backlight_type() wrongly returning apple_gmux as type on the following laptops: MacBookPro5,4 https://pastebin.com/8Xjq7RhS MacBookPro8,1 https://linux-hardware.org/?probe=e513cfbadb&log=dmesg MacBookPro9,2 https://bugzilla.kernel.org/attachment.cgi?id=278961 MacBookPro10,2 https://lkml.org/lkml/2014/9/22/657 MacBookPro11,2 https://forums.fedora-fr.org/viewtopic.php?id=70142 MacBookPro11,4 https://raw.githubusercontent.com/im-0/investigate-card-reader-suspend-problem-on-mbp11.4/mast Fixes: 21245df307cb ("ACPI: video: Add Apple GMUX brightness control detection") Link: https://lore.kernel.org/platform-driver-x86/20230123113750.462144-1-hdegoede@redhat.com/ Reported-by: Emmanouil Kouroupakis Acked-by: Rafael J. Wysocki Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230124105754.62167-4-hdegoede@redhat.com commit d143908f80f3e5d164ac3342f73d6b9f536e8b4d Author: Hans de Goede Date: Tue Jan 24 11:57:53 2023 +0100 platform/x86: apple-gmux: Add apple_gmux_detect() helper Add a new (static inline) apple_gmux_detect() helper to apple-gmux.h which can be used for gmux detection instead of apple_gmux_present(). The latter is not really reliable since an ACPI device with a HID of APP000B is present on some devices without a gmux at all, as well as on devices with a newer (unsupported) MMIO based gmux model. This causes apple_gmux_present() to return false-positives on a number of different Apple laptop models. This new helper uses the same probing as the actual apple-gmux driver, so that it does not return false positives. To avoid code duplication the gmux_probe() function of the actual driver is also moved over to using the new apple_gmux_detect() helper. This avoids false positives (vs _HID + IO region detection) on: MacBookPro5,4 https://pastebin.com/8Xjq7RhS MacBookPro8,1 https://linux-hardware.org/?probe=e513cfbadb&log=dmesg MacBookPro9,2 https://bugzilla.kernel.org/attachment.cgi?id=278961 MacBookPro10,2 https://lkml.org/lkml/2014/9/22/657 MacBookPro11,2 https://forums.fedora-fr.org/viewtopic.php?id=70142 MacBookPro11,4 https://raw.githubusercontent.com/im-0/investigate-card-reader-suspend-problem-on-mbp11.4/master/test-16/dmesg Fixes: 21245df307cb ("ACPI: video: Add Apple GMUX brightness control detection") Link: https://lore.kernel.org/platform-driver-x86/20230123113750.462144-1-hdegoede@redhat.com/ Reported-by: Emmanouil Kouroupakis Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230124105754.62167-3-hdegoede@redhat.com commit 39f5a81f7ad80eb3fbcbfd817c6552db9de5504d Author: Hans de Goede Date: Tue Jan 24 11:57:52 2023 +0100 platform/x86: apple-gmux: Move port defines to apple-gmux.h This is a preparation patch for adding a new static inline apple_gmux_detect() helper which actually checks a supported gmux is present, rather then only checking an ACPI device with the HID is there as apple_gmux_present() does. Fixes: 21245df307cb ("ACPI: video: Add Apple GMUX brightness control detection") Link: https://lore.kernel.org/platform-driver-x86/20230123113750.462144-1-hdegoede@redhat.com/ Reported-by: Emmanouil Kouroupakis Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230124105754.62167-2-hdegoede@redhat.com commit ce95010ef62d4bf470928969bafc9070ae98cbb1 Author: Hans de Goede Date: Mon Jan 23 14:28:24 2023 +0100 platform/x86: hp-wmi: Fix cast to smaller integer type warning Fix the following compiler warning: drivers/platform/x86/hp/hp-wmi.c:551:24: warning: cast to smaller integer type 'enum hp_wmi_radio' from 'void *' [-Wvoid-pointer-to-enum-cast] Reported-by: kernel test robot Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230123132824.660062-1-hdegoede@redhat.com commit 062c1394cbda95b0c51839b5221c7267e1e7f57e Author: Mario Limonciello Date: Fri Jan 20 13:15:19 2023 -0600 platform/x86/amd: pmc: Add a module parameter to disable workarounds Some users may want to live with the bugs that exist in platform firmware and have workarounds in AMD PMC driver. To allow them to bypass these workarounds, introduce a module parameter. Signed-off-by: Mario Limonciello Link: https://lore.kernel.org/r/20230120191519.15926-2-mario.limonciello@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit 8e60615e8932167057b363c11a7835da7f007106 Author: Mario Limonciello Date: Fri Jan 20 13:15:18 2023 -0600 platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN By default when the system is configured for low power idle in the FADT the keyboard is set up as a wake source. This matches the behavior that Windows uses for Modern Standby as well. It has been reported that a variety of AMD based designs there are spurious wakeups are happening where two IRQ sources are active. For example: ``` PM: Triggering wakeup from IRQ 9 PM: Triggering wakeup from IRQ 1 ``` In these designs IRQ 9 is the ACPI SCI and IRQ 1 is the keyboard. One way to trigger this problem is to suspend the laptop and then unplug the AC adapter. The SOC will be in a hardware sleep state and plugging in the AC adapter returns control to the kernel's s2idle loop. Normally if just IRQ 9 was active the s2idle loop would advance any EC transactions and no other IRQ being active would cause the s2idle loop to put the SOC back into hardware sleep state. When this bug occurred IRQ 1 is also active even if no keyboard activity occurred. This causes the s2idle loop to break and the system to wake. This is a platform firmware bug triggering IRQ1 without keyboard activity. This occurs in Windows as well, but Windows will enter "SW DRIPS" and then with no activity enters back into "HW DRIPS" (hardware sleep state). This issue affects Renoir, Lucienne, Cezanne, and Barcelo platforms. It does not happen on newer systems such as Mendocino or Rembrandt. It's been fixed in newer platform firmware. To avoid triggering the bug on older systems check the SMU F/W version and adjust the policy at suspend time for s2idle wakeup from keyboard on these systems. A lot of thought and experimentation has been given around the timing of disabling IRQ1, and to make it work the "suspend" PM callback is restored. Reported-by: Kai-Heng Feng Reported-by: Xaver Hugl Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2115 Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1951 Signed-off-by: Mario Limonciello Link: https://lore.kernel.org/r/20230120191519.15926-1-mario.limonciello@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit fdcc0602d64f22185f61c70747214b630049cc33 Author: Hans de Goede Date: Fri Jan 20 15:34:41 2023 +0100 platform/x86: asus-wmi: Fix kbd_dock_devid tablet-switch reporting Commit 1ea0d3b46798 ("platform/x86: asus-wmi: Simplify tablet-mode-switch handling") unified the asus-wmi tablet-switch handling, but it did not take into account that the value returned for the kbd_dock_devid WMI method is inverted where as the other ones are not inverted. This causes asus-wmi to report an inverted tablet-switch state for devices which use the kbd_dock_devid, which causes libinput to ignore touchpad events while the affected T10x model 2-in-1s are docked. Add inverting of the return value in the kbd_dock_devid case to fix this. Fixes: 1ea0d3b46798 ("platform/x86: asus-wmi: Simplify tablet-mode-switch handling") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20230120143441.527334-1-hdegoede@redhat.com commit a410429a3b7e748a9db9f357e71e2e085a21c902 Author: Kevin Kuriakose Date: Thu Jan 19 20:39:25 2023 +0530 platform/x86: gigabyte-wmi: add support for B450M DS3H WIFI-CF To the best of my knowledge this is the same board as the B450M DS3H-CF, but with an added WiFi card. Name obtained using dmidecode, tested with force_load on v6.1.6 Signed-off-by: Kevin Kuriakose Acked-by: Thomas Weißschuh Link: https://lore.kernel.org/r/20230119150925.31962-1-kevinmkuriakose@gmail.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit 3ee5447b2048c8389ed899838a40b40180d50906 Author: Rishit Bansal Date: Sat Jan 21 03:42:14 2023 +0530 platform/x86: hp-wmi: Handle Omen Key event Add support to map the "HP Omen Key" to KEY_PROG2. Laptops in the HP Omen Series open the HP Omen Command Center application on windows. But, on linux it fails with the following message from the hp-wmi driver: [ 5143.415714] hp_wmi: Unknown event_id - 29 - 0x21a5 Also adds support to map Fn+Esc to KEY_FN_ESC. This currently throws the following message on the hp-wmi driver: [ 6082.143785] hp_wmi: Unknown key code - 0x21a7 There is also a "Win-Lock" key on HP Omen Laptops which supports Enabling and Disabling the Windows key, which trigger commands 0x21a4 and 0x121a4 respectively, but I wasn't able to find any KEY in input.h to map this to. Signed-off-by: Rishit Bansal Link: https://lore.kernel.org/r/20230120221214.24426-1-rishitbansal0@gmail.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit 83bcf3e52e9cfc727df33f1055ef0618c91719d0 Author: Koba Ko Date: Tue Jan 17 20:34:36 2023 +0800 platform/x86: dell-wmi: Add a keymap for KEY_MUTE in type 0x0010 table Some platforms send the speaker-mute key from EC. dell-wmi can't recognize it. Add a new keymap for KEY_MUTE in type 0x0010 table. Signed-off-by: Koba Ko Link: https://lore.kernel.org/r/20230117123436.200440-1-koba.ko@canonical.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 Author: Kuniyuki Iwashima Date: Fri Jan 20 15:19:27 2023 -0800 netrom: Fix use-after-free of a listening socket. syzbot reported a use-after-free in do_accept(), precisely nr_accept() as sk_prot_alloc() allocated the memory and sock_put() frees it. [0] The issue could happen if the heartbeat timer is fired and nr_heartbeat_expiry() calls nr_destroy_socket(), where a socket has SOCK_DESTROY or a listening socket has SOCK_DEAD. In this case, the first condition cannot be true. SOCK_DESTROY is flagged in nr_release() only when the file descriptor is close()d, but accept() is being called for the listening socket, so the second condition must be true. Usually, the AF_NETROM listener neither starts timers nor sets SOCK_DEAD. However, the condition is met if connect() fails before listen(). connect() starts the t1 timer and heartbeat timer, and t1timer calls nr_disconnect() when timeout happens. Then, SOCK_DEAD is set, and if we call listen(), the heartbeat timer calls nr_destroy_socket(). nr_connect nr_establish_data_link(sk) nr_start_t1timer(sk) nr_start_heartbeat(sk) nr_t1timer_expiry nr_disconnect(sk, ETIMEDOUT) nr_sk(sk)->state = NR_STATE_0 sk->sk_state = TCP_CLOSE sock_set_flag(sk, SOCK_DEAD) nr_listen if (sk->sk_state != TCP_LISTEN) sk->sk_state = TCP_LISTEN nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD)) nr_destroy_socket(sk) This path seems expected, and nr_destroy_socket() is called to clean up resources. Initially, there was sock_hold() before nr_destroy_socket() so that the socket would not be freed, but the commit 517a16b1a88b ("netrom: Decrease sock refcount when sock timers expire") accidentally removed it. To fix use-after-free, let's add sock_hold(). [0]: BUG: KASAN: use-after-free in do_accept+0x483/0x510 net/socket.c:1848 Read of size 8 at addr ffff88807978d398 by task syz-executor.3/5315 CPU: 0 PID: 5315 Comm: syz-executor.3 Not tainted 6.2.0-rc3-syzkaller-00165-gd9fc1511728c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:306 [inline] print_report+0x15e/0x461 mm/kasan/report.c:417 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 do_accept+0x483/0x510 net/socket.c:1848 __sys_accept4_file net/socket.c:1897 [inline] __sys_accept4+0x9a/0x120 net/socket.c:1927 __do_sys_accept net/socket.c:1944 [inline] __se_sys_accept net/socket.c:1941 [inline] __x64_sys_accept+0x75/0xb0 net/socket.c:1941 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fa436a8c0c9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa437784168 EFLAGS: 00000246 ORIG_RAX: 000000000000002b RAX: ffffffffffffffda RBX: 00007fa436bac050 RCX: 00007fa436a8c0c9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005 RBP: 00007fa436ae7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffebc6700df R14: 00007fa437784300 R15: 0000000000022000 Allocated by task 5294: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] ____kasan_kmalloc mm/kasan/common.c:330 [inline] __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:968 [inline] __kmalloc+0x5a/0xd0 mm/slab_common.c:981 kmalloc include/linux/slab.h:584 [inline] sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 __sock_create+0x359/0x790 net/socket.c:1515 sock_create net/socket.c:1566 [inline] __sys_socket_create net/socket.c:1603 [inline] __sys_socket_create net/socket.c:1588 [inline] __sys_socket+0x133/0x250 net/socket.c:1636 __do_sys_socket net/socket.c:1649 [inline] __se_sys_socket net/socket.c:1647 [inline] __x64_sys_socket+0x73/0xb0 net/socket.c:1647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 14: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:177 [inline] __cache_free mm/slab.c:3394 [inline] __do_kmem_cache_free mm/slab.c:3580 [inline] __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 sk_prot_free net/core/sock.c:2074 [inline] __sk_destruct+0x5df/0x750 net/core/sock.c:2166 sk_destruct net/core/sock.c:2181 [inline] __sk_free+0x175/0x460 net/core/sock.c:2192 sk_free+0x7c/0xa0 net/core/sock.c:2203 sock_put include/net/sock.h:1991 [inline] nr_heartbeat_expiry+0x1d7/0x460 net/netrom/nr_timer.c:148 call_timer_fn+0x1da/0x7c0 kernel/time/timer.c:1700 expire_timers+0x2c6/0x5c0 kernel/time/timer.c:1751 __run_timers kernel/time/timer.c:2022 [inline] __run_timers kernel/time/timer.c:1995 [inline] run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035 __do_softirq+0x1fb/0xadc kernel/softirq.c:571 Fixes: 517a16b1a88b ("netrom: Decrease sock refcount when sock timers expire") Reported-by: syzbot+5fafd5cfe1fc91f6b352@syzkaller.appspotmail.com Signed-off-by: Kuniyuki Iwashima Link: https://lore.kernel.org/r/20230120231927.51711-1-kuniyu@amazon.com Signed-off-by: Paolo Abeni commit d6591da5f3ff284a376d56b5f7a48a34e9cb159d Author: Javier Martinez Canillas Date: Sat Jan 21 20:24:18 2023 +0100 drm/fb-helper: Use a per-driver FB deferred I/O handler The DRM fbdev emulation layer sets the struct fb_info .fbdefio field to a struct fb_deferred_io pointer, that is shared across all drivers that use the generic drm_fbdev_generic_setup() helper function. It is a problem because the fbdev core deferred I/O logic assumes that the struct fb_deferred_io data is not shared between devices, and it's stored there state such as the list of pages touched and a mutex that is use to synchronize between the fb_deferred_io_track_page() function that track the dirty pages and fb_deferred_io_work() workqueue handler doing the actual deferred I/O. The latter can lead to the following error, since it may happen that two drivers are probed and then one is removed, which causes the mutex bo be destroyed and not existing anymore by the time the other driver tries to grab it for the fbdev deferred I/O logic: [ 369.756553] ------------[ cut here ]------------ [ 369.756604] DEBUG_LOCKS_WARN_ON(lock->magic != lock) [ 369.756631] WARNING: CPU: 2 PID: 1023 at kernel/locking/mutex.c:582 __mutex_lock+0x348/0x424 [ 369.756744] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ip v6 nf_defrag_ipv4 ip_set nf_tables nfnetlink qrtr btsdio bluetooth sunrpc brcmfmac snd_soc_hdmi_codec cpufreq_dt cfg80211 vfat fat vc4 rfkill brcmutil raspberrypi_cpufreq i2c_bcm2835 iproc_rng200 bcm2711_thermal snd_soc_core snd_pcm_dmaen gine leds_gpio nvmem_rmem joydev hid_cherry uas usb_storage gpio_raspberrypi_exp v3d snd_pcm raspberrypi_hwmon gpu_sched bcm2835_wdt broadcom bcm_phy_lib snd_timer genet snd mdio_bcm_unimac clk_bcm2711_dvp soundcore drm_display_helper pci e_brcmstb cec ip6_tables ip_tables fuse [ 369.757400] CPU: 2 PID: 1023 Comm: fbtest Not tainted 5.19.0-rc6+ #94 [ 369.757455] Hardware name: raspberrypi,4-model-b Raspberry Pi 4 Model B Rev 1.4/Raspberry Pi 4 Model B Rev 1.4, BIOS 2022.10 10/01/2022 [ 369.757538] pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 369.757596] pc : __mutex_lock+0x348/0x424 [ 369.757635] lr : __mutex_lock+0x348/0x424 [ 369.757672] sp : ffff80000953bb00 [ 369.757703] x29: ffff80000953bb00 x28: ffff17fdc087c000 x27: 0000000000000002 [ 369.757771] x26: ffff17fdc349f9b0 x25: fffffc5ff72e0100 x24: 0000000000000000 [ 369.757838] x23: 0000000000000000 x22: 0000000000000002 x21: ffffa618df636f10 [ 369.757903] x20: ffff80000953bb68 x19: ffffa618e0f18138 x18: 0000000000000001 [ 369.757968] x17: 0000000020000000 x16: 0000000000000002 x15: 0000000000000000 [ 369.758032] x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 5f534b434f4c5f47 [ 369.758097] x11: 00000000ffffdfff x10: ffffa618e0c79f88 x9 : ffffa618de472484 [ 369.758162] x8 : 000000000002ffe8 x7 : c0000000ffffdfff x6 : 00000000000affa8 [ 369.758227] x5 : 0000000000001fff x4 : 0000000000000000 x3 : 0000000000000027 [ 369.758292] x2 : 0000000000000001 x1 : ffff17fdc087c000 x0 : 0000000000000028 [ 369.758357] Call trace: [ 369.758383] __mutex_lock+0x348/0x424 [ 369.758420] mutex_lock_nested+0x4c/0x5c [ 369.758459] fb_deferred_io_mkwrite+0x78/0x1d8 [ 369.758507] do_page_mkwrite+0x5c/0x19c [ 369.758550] wp_page_shared+0x70/0x1a0 [ 369.758590] do_wp_page+0x3d0/0x510 [ 369.758628] handle_pte_fault+0x1c0/0x1e0 [ 369.758670] __handle_mm_fault+0x250/0x380 [ 369.758712] handle_mm_fault+0x17c/0x3a4 [ 369.758753] do_page_fault+0x158/0x530 [ 369.758792] do_mem_abort+0x50/0xa0 [ 369.758831] el0_da+0x78/0x19c [ 369.758864] el0t_64_sync_handler+0xbc/0x150 [ 369.758904] el0t_64_sync+0x190/0x194 [ 369.758942] irq event stamp: 11395 [ 369.758973] hardirqs last enabled at (11395): [] __up_console_sem+0x74/0x80 [ 369.759042] hardirqs last disabled at (11394): [] __up_console_sem+0x6c/0x80 [ 369.760554] softirqs last enabled at (11392): [] __do_softirq+0x4c4/0x6b8 [ 369.762060] softirqs last disabled at (11383): [] __irq_exit_rcu+0x104/0x214 [ 369.763564] ---[ end trace 0000000000000000 ]--- Fixes: d536540f304c ("drm/fb-helper: Add generic fbdev emulation .fb_probe function") Signed-off-by: Javier Martinez Canillas Reviewed-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20230121192418.2814955-4-javierm@redhat.com commit cc88ad784e42398b8845594fe3aa720d0cc1c40c Author: Javier Martinez Canillas Date: Sat Jan 21 20:24:17 2023 +0100 drm/fb-helper: Check fb_deferred_io_init() return value The fb_deferred_io_init() can fail and return an errno code but currently there is no check for its return value. Fix that and propagate to errno to the caller in the case of a failure. Fixes: d536540f304c ("drm/fb-helper: Add generic fbdev emulation .fb_probe function") Signed-off-by: Javier Martinez Canillas Reviewed-by: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20230121192418.2814955-3-javierm@redhat.com commit 6a28a25d358079b7d0d144689f850aecacf63cba Author: Victor Shyba Date: Mon Jan 23 19:21:29 2023 -0300 ALSA: hda/realtek: Add Acer Predator PH315-54 Same issue as SP513-54N: Headset microphone does not work without ALC255_FIXUP_ACER_MIC_NO_PRESENCE fixup. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211853 Cc: Signed-off-by: Victor Shyba Link: https://lore.kernel.org/r/20230123222129.17589-1-victor1984@riseup.net Signed-off-by: Takashi Iwai commit a44b7651489f26271ac784b70895e8a85d0cebf4 Author: Sriram Yagnaraman Date: Tue Jan 24 02:47:21 2023 +0100 netfilter: conntrack: unify established states for SCTP paths An SCTP endpoint can start an association through a path and tear it down over another one. That means the initial path will not see the shutdown sequence, and the conntrack entry will remain in ESTABLISHED state for 5 days. By merging the HEARTBEAT_ACKED and ESTABLISHED states into one ESTABLISHED state, there remains no difference between a primary or secondary path. The timeout for the merged ESTABLISHED state is set to 210 seconds (hb_interval * max_path_retrans + rto_max). So, even if a path doesn't see the shutdown sequence, it will expire in a reasonable amount of time. With this change in place, there is now more than one state from which we can transition to ESTABLISHED, COOKIE_ECHOED and HEARTBEAT_SENT, so handle the setting of ASSURED bit whenever a state change has happened and the new state is ESTABLISHED. Removed the check for dir==REPLY since the transition to ESTABLISHED can happen only in the reply direction. Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") Signed-off-by: Sriram Yagnaraman Signed-off-by: Pablo Neira Ayuso commit 13bd9b31a969b03c8ec1d4eb0f2b9aebd30ebfd8 Author: Sriram Yagnaraman Date: Tue Jan 24 02:47:20 2023 +0100 Revert "netfilter: conntrack: add sctp DATA_SENT state" This reverts commit (bff3d0534804: "netfilter: conntrack: add sctp DATA_SENT state") Using DATA/SACK to detect a new connection on secondary/alternate paths works only on new connections, while a HEARTBEAT is required on connection re-use. It is probably consistent to wait for HEARTBEAT to create a secondary connection in conntrack. Signed-off-by: Sriram Yagnaraman Signed-off-by: Pablo Neira Ayuso commit 98ee0077452527f971567db01386de3c3d97ce13 Author: Sriram Yagnaraman Date: Tue Jan 24 02:47:19 2023 +0100 netfilter: conntrack: fix bug in for_each_sctp_chunk skb_header_pointer() will return NULL if offset + sizeof(_sch) exceeds skb->len, so this offset < skb->len test is redundant. if sch->length == 0, this will end up in an infinite loop, add a check for sch->length > 0 Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") Suggested-by: Florian Westphal Signed-off-by: Sriram Yagnaraman Signed-off-by: Pablo Neira Ayuso commit a9993591fa94246b16b444eea55d84c54608282a Author: Sriram Yagnaraman Date: Tue Jan 24 02:47:18 2023 +0100 netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE RFC 9260, Sec 8.5.1 states that for ABORT/SHUTDOWN_COMPLETE, the chunk MUST be accepted if the vtag of the packet matches its own tag and the T bit is not set OR if it is set to its peer's vtag and the T bit is set in chunk flags. Otherwise the packet MUST be silently dropped. Update vtag verification for ABORT/SHUTDOWN_COMPLETE based on the above description. Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") Signed-off-by: Sriram Yagnaraman Signed-off-by: Pablo Neira Ayuso commit 208a21107ef0ae86c92078caf84ce80053e73f7a Merge: 571cca79df0a6 e2b53ea5a7c1f Author: Jakub Kicinski Date: Mon Jan 23 22:36:58 2023 -0800 Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2023-01-20 (iavf) This series contains updates to iavf driver only. Michal Schmidt converts single iavf workqueue to per adapter to avoid deadlock issues. Marcin moves setting of VLAN related netdev features to watchdog task to avoid RTNL deadlock. Stefan Assmann schedules immediate watchdog task execution on changing primary MAC to avoid excessive delay. * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: iavf: schedule watchdog immediately when changing primary MAC iavf: Move netdev_update_features() into watchdog task iavf: fix temporary deadlock and failure to set MAC address ==================== Link: https://lore.kernel.org/r/20230120211036.430946-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 571cca79df0a6c0ae9f14be7381e13dad4078fbf Merge: bce4affe30b29 5d235d6ce75c1 Author: Jakub Kicinski Date: Mon Jan 23 21:50:58 2023 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net 1) Fix overlap detection in rbtree set backend: Detect overlap by going through the ordered list of valid tree nodes. To shorten the number of visited nodes in the list, this algorithm descends the tree to search for an existing element greater than the key value to insert that is greater than the new element. 2) Fix for the rbtree set garbage collector: Skip inactive and busy elements when checking for expired elements to avoid interference with an ongoing transaction from control plane. This is a rather large fix coming at this stage of the 6.2-rc. Since 33c7aba0b4ff ("netfilter: nf_tables: do not set up extensions for end interval"), bogus overlap errors in the rbtree set occur more frequently. * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nft_set_rbtree: skip elements in transaction from garbage collection netfilter: nft_set_rbtree: Switch to node list walk for overlap detection ==================== Link: https://lore.kernel.org/r/20230123211601.292930-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski commit bce4affe30b297bfa3092bb53e879c0bd86901ab Author: Mat Martineau Date: Fri Jan 20 15:11:21 2023 -0800 MAINTAINERS: Update MPTCP maintainer list and CREDITS My responsibilities at Intel have changed, so I'm handing off exclusive MPTCP subsystem maintainer duties to Matthieu. It has been a privilege to see MPTCP through its initial upstreaming and first few years in the upstream kernel! Acked-by: Matthieu Baerts Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20230120231121.36121-1-mathew.j.martineau@linux.intel.com Signed-off-by: Jakub Kicinski commit 8a4f6d023221c4b052ddfa1db48b27871bad6e96 Author: Alexandru Tachici Date: Fri Jan 20 11:08:46 2023 +0200 net: ethernet: adi: adin1110: Fix multicast offloading Driver marked broadcast/multicast frames as offloaded incorrectly. Mark them as offloaded only when HW offloading has been enabled. This should happen only for ADIN2111 when both ports are bridged by the software. Fixes: bc93e19d088b ("net: ethernet: adi: Add ADIN1110 support") Signed-off-by: Alexandru Tachici Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/20230120090846.18172-1-alexandru.tachici@analog.com Signed-off-by: Jakub Kicinski commit 360fdc999d92db4a4adbba0db8641396dc9f1b13 Author: Ahmad Fatoum Date: Fri Jan 20 12:09:32 2023 +0100 net: dsa: microchip: fix probe of I2C-connected KSZ8563 Starting with commit eee16b147121 ("net: dsa: microchip: perform the compatibility check for dev probed"), the KSZ switch driver now bails out if it thinks the DT compatible doesn't match the actual chip ID read back from the hardware: ksz9477-switch 1-005f: Device tree specifies chip KSZ9893 but found KSZ8563, please fix it! For the KSZ8563, which used ksz_switch_chips[KSZ9893], this was fine at first, because it indeed shares the same chip id as the KSZ9893. Commit b44908095612 ("net: dsa: microchip: add separate struct ksz_chip_data for KSZ8563 chip") started differentiating KSZ9893 compatible chips by consulting the 0x1F register. The resulting breakage was fixed for the SPI driver in the same commit by introducing the appropriate ksz_switch_chips[KSZ8563], but not for the I2C driver. Fix this for I2C-connected KSZ8563 now to get it probing again. Fixes: b44908095612 ("net: dsa: microchip: add separate struct ksz_chip_data for KSZ8563 chip"). Reviewed-by: Andrew Lunn Signed-off-by: Ahmad Fatoum Acked-by: Arun Ramadoss Reviewed-by: Florian Fainelli Link: https://lore.kernel.org/r/20230120110933.1151054-1-a.fatoum@pengutronix.de Signed-off-by: Jakub Kicinski commit 5e9398a26a92fc402d82ce1f97cc67d832527da0 Author: Eric Dumazet Date: Fri Jan 20 13:31:40 2023 +0000 ipv4: prevent potential spectre v1 gadget in fib_metrics_match() if (!type) continue; if (type > RTAX_MAX) return false; ... fi_val = fi->fib_metrics->metrics[type - 1]; @type being used as an array index, we need to prevent cpu speculation or risk leaking kernel memory content. Fixes: 5f9ae3d9e7e4 ("ipv4: do metrics match when looking up and deleting a route") Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20230120133140.3624204-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 1d1d63b612801b3f0a39b7d4467cad0abd60e5c8 Author: Eric Dumazet Date: Fri Jan 20 13:30:40 2023 +0000 ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() if (!type) continue; if (type > RTAX_MAX) return -EINVAL; ... metrics[type - 1] = val; @type being used as an array index, we need to prevent cpu speculation or risk leaking kernel memory content. Fixes: 6cf9dfd3bd62 ("net: fib: move metrics parsing to a helper") Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20230120133040.3623463-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit d6ab640c21ed3b471e42ea783223c396e102c02d Merge: 9f535c870e493 9b663b5cbb15b Author: Jakub Kicinski Date: Mon Jan 23 21:35:55 2023 -0800 Merge branch 'netlink-annotate-various-data-races' Eric Dumazet says: ==================== netlink: annotate various data races A recent syzbot report came to my attention. After addressing it, I also fixed other related races. ==================== Link: https://lore.kernel.org/r/20230120125955.3453768-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 9b663b5cbb15b494ef132a3c937641c90646eb73 Author: Eric Dumazet Date: Fri Jan 20 12:59:55 2023 +0000 netlink: annotate data races around sk_state netlink_getsockbyportid() reads sk_state while a concurrent netlink_connect() can change its value. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Signed-off-by: Jakub Kicinski commit 004db64d185a5f23dfb891d7701e23713b2420ee Author: Eric Dumazet Date: Fri Jan 20 12:59:54 2023 +0000 netlink: annotate data races around dst_portid and dst_group netlink_getname(), netlink_sendmsg() and netlink_getsockbyportid() can read nlk->dst_portid and nlk->dst_group while another thread is changing them. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Signed-off-by: Jakub Kicinski commit c1bb9484e3b05166880da8574504156ccbd0549e Author: Eric Dumazet Date: Fri Jan 20 12:59:53 2023 +0000 netlink: annotate data races around nlk->portid syzbot reminds us netlink_getname() runs locklessly [1] This first patch annotates the race against nlk->portid. Following patches take care of the remaining races. [1] BUG: KCSAN: data-race in netlink_getname / netlink_insert write to 0xffff88814176d310 of 4 bytes by task 2315 on cpu 1: netlink_insert+0xf1/0x9a0 net/netlink/af_netlink.c:583 netlink_autobind+0xae/0x180 net/netlink/af_netlink.c:856 netlink_sendmsg+0x444/0x760 net/netlink/af_netlink.c:1895 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0x38f/0x500 net/socket.c:2476 ___sys_sendmsg net/socket.c:2530 [inline] __sys_sendmsg+0x19a/0x230 net/socket.c:2559 __do_sys_sendmsg net/socket.c:2568 [inline] __se_sys_sendmsg net/socket.c:2566 [inline] __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff88814176d310 of 4 bytes by task 2316 on cpu 0: netlink_getname+0xcd/0x1a0 net/netlink/af_netlink.c:1144 __sys_getsockname+0x11d/0x1b0 net/socket.c:2026 __do_sys_getsockname net/socket.c:2041 [inline] __se_sys_getsockname net/socket.c:2038 [inline] __x64_sys_getsockname+0x3e/0x50 net/socket.c:2038 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x00000000 -> 0xc9a49780 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 2316 Comm: syz-executor.2 Not tainted 6.2.0-rc3-syzkaller-00030-ge8f60cd7db24-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: Jakub Kicinski commit 08279468a294d8c996a657ecc9e51bd5c084c75d Author: Arnd Bergmann Date: Tue Jan 17 18:24:44 2023 +0100 rtc: sunplus: fix format string for printing resource On 32-bit architectures with 64-bit resource_size_t, sp_rtc_probe() causes a compiler warning: drivers/rtc/rtc-sunplus.c: In function 'sp_rtc_probe': drivers/rtc/rtc-sunplus.c:243:33: error: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=] 243 | dev_dbg(&plat_dev->dev, "res = 0x%x, reg_base = 0x%lx\n", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The best way to print a resource is the special %pR format string, and similarly to print a pointer we can use %p and avoid the cast. Fixes: fad6cbe9b2b4 ("rtc: Add driver for RTC in Sunplus SP7021") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20230117172450.2938962-1-arnd@kernel.org Signed-off-by: Alexandre Belloni commit 5d235d6ce75c12a7fdee375eb211e4116f7ab01b Author: Pablo Neira Ayuso Date: Sat Jan 14 23:49:46 2023 +0100 netfilter: nft_set_rbtree: skip elements in transaction from garbage collection Skip interference with an ongoing transaction, do not perform garbage collection on inactive elements. Reset annotated previous end interval if the expired element is marked as busy (control plane removed the element right before expiration). Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support") Reviewed-by: Stefano Brivio Signed-off-by: Pablo Neira Ayuso commit c9e6978e2725a7d4b6cd23b2facd3f11422c0643 Author: Pablo Neira Ayuso Date: Sat Jan 14 23:38:32 2023 +0100 netfilter: nft_set_rbtree: Switch to node list walk for overlap detection ...instead of a tree descent, which became overly complicated in an attempt to cover cases where expired or inactive elements would affect comparisons with the new element being inserted. Further, it turned out that it's probably impossible to cover all those cases, as inactive nodes might entirely hide subtrees consisting of a complete interval plus a node that makes the current insertion not overlap. To speed up the overlap check, descent the tree to find a greater element that is closer to the key value to insert. Then walk down the node list for overlap detection. Starting the overlap check from rb_first() unconditionally is slow, it takes 10 times longer due to the full linear traversal of the list. Moreover, perform garbage collection of expired elements when walking down the node list to avoid bogus overlap reports. For the insertion operation itself, this essentially reverts back to the implementation before commit 7c84d41416d8 ("netfilter: nft_set_rbtree: Detect partial overlaps on insertion"), except that cases of complete overlap are already handled in the overlap detection phase itself, which slightly simplifies the loop to find the insertion point. Based on initial patch from Stefano Brivio, including text from the original patch description too. Fixes: 7c84d41416d8 ("netfilter: nft_set_rbtree: Detect partial overlaps on insertion") Reviewed-by: Stefano Brivio Signed-off-by: Pablo Neira Ayuso commit e6b3086fddc0065a5ffb947d4d29dd0e6efc327b Author: Hans de Goede Date: Thu Jan 19 18:24:41 2023 +0100 ACPI: video: Add backlight=native DMI quirk for Asus U46E The Asus U46E backlight tables have a set of interesting problems: 1. Its ACPI tables do make _OSI ("Windows 2012") checks, so acpi_osi_is_win8() should return true. But the tables have 2 sets of _OSI calls, one from the usual global _INI method setting a global OSYS variable and a second set of _OSI calls from a MSOS method and the MSOS method is the only one calling _OSI ("Windows 2012"). The MSOS method only gets called in the following cases: 1. From some Asus specific WMI methods 2. From _DOD, which only runs after acpi_video_get_backlight_type() has already been called by the i915 driver 3. From other ACPI video bus methods which never run (see below) 4. From some EC query callbacks So when i915 calls acpi_video_get_backlight_type() MSOS has never run and acpi_osi_is_win8() returns false, so acpi_video_get_backlight_type() returns acpi_video as the desired backlight type, which causes the intel_backlight device to not register. 2. _DOD effectively does this: Return (Package (0x01) { 0x0400 }) causing acpi_video_device_in_dod() to return false, which causes the acpi_video backlight device to not register. Leaving the user with no backlight device at all. Note that before 6.1.y the i915 driver would register the intel_backlight device unconditionally and since that then was the only backlight device userspace would use that. Add a backlight=native DMI quirk for this special laptop to restore the old (and working) behavior of the intel_backlight device registering. Fixes: fb1836c91317 ("ACPI: video: Prefer native over vendor") Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki commit 9dcb34234b8235144c96103266317da33321077e Author: Hans de Goede Date: Thu Jan 19 17:37:44 2023 +0100 ACPI: video: Add backlight=native DMI quirk for HP EliteBook 8460p The HP EliteBook 8460p predates Windows 8, so it defaults to using acpi_video# for backlight control. Starting with the 6.1.y kernels the native radeon_bl0 backlight is hidden in this case instead of relying on userspace preferring acpi_video# over native backlight devices. It turns out that for the acpi_video# interface to work on the HP EliteBook 8460p, the brightness needs to be set at least once through the native interface, which now no longer is done breaking backlight control. The native interface however always works without problems, so add a quirk to use native backlight on the EliteBook 8460p to fix this. Fixes: fb1836c91317 ("ACPI: video: Prefer native over vendor") Link: https://bugzilla.redhat.com/show_bug.cgi?id=2161428 Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki commit d77596d432cc4142520af32b5388d512e52e0edb Author: Hans de Goede Date: Thu Jan 19 17:37:43 2023 +0100 ACPI: video: Add backlight=native DMI quirk for HP Pavilion g6-1d80nr The HP Pavilion g6-1d80nr predates Windows 8, so it defaults to using acpi_video# for backlight control, but this is non functional on this model. Add a DMI quirk to use the native backlight interface which does work properly. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki commit 7bf70dbb18820b37406fdfa2aaf14c2f5c71a11a Merge: 9946f0981ff86 51cdc8bc120ef Author: Linus Torvalds Date: Mon Jan 23 11:56:07 2023 -0800 Merge tag 'vfio-v6.2-rc6' of https://github.com/awilliam/linux-vfio Pull VFIO fixes from Alex Williamson: - Honor reserved regions when testing for IOMMU find grained super page support, avoiding a regression on s390 for a firmware device where the existence of the mapping, even if unused can trigger an error state. (Niklas Schnelle) - Fix a deadlock in releasing KVM references by using the alternate .release() rather than .destroy() callback for the kvm-vfio device. (Yi Liu) * tag 'vfio-v6.2-rc6' of https://github.com/awilliam/linux-vfio: kvm/vfio: Fix potential deadlock on vfio group_lock vfio/type1: Respect IOMMU reserved regions in vfio_test_domain_fgsp() commit 9946f0981ff8698848ee79d739f432a2a3e68eed Merge: 2475bf0250dee e1fabbc83cb1d Author: Linus Torvalds Date: Mon Jan 23 11:46:19 2023 -0800 Merge tag 'efi-fixes-for-v6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi Pull EFI fixes from Ard Biesheuvel: "Another couple of EFI fixes, of which the first two were already in -next when I sent out the previous PR, but they caused some issues on non-EFI boots so I let them simmer for a bit longer. - ensure the EFI ResetSystem and ACPI PRM calls are recognized as users of the EFI runtime, and therefore protected against exceptions - account for the EFI runtime stack in the stacktrace code - remove Matthew Garrett's MAINTAINERS entry for efivarfs" * tag 'efi-fixes-for-v6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi: efi: Remove Matthew Garrett as efivarfs maintainer arm64: efi: Account for the EFI runtime stack in stack unwinder arm64: efi: Avoid workqueue to check whether EFI runtime is live commit 2255bbcdc39d5b0311968f86614ae4f25fdd465d Author: Arnd Bergmann Date: Tue Jan 17 17:37:29 2023 +0100 drm/i915/selftest: fix intel_selftest_modify_policy argument types The definition of intel_selftest_modify_policy() does not match the declaration, as gcc-13 points out: drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.c:29:5: error: conflicting types for 'intel_selftest_modify_policy' due to enum/integer mismatch; have 'int(struct intel_engine_cs *, struct intel_selftest_saved_policy *, u32)' {aka 'int(struct intel_engine_cs *, struct intel_selftest_saved_policy *, unsigned int)'} [-Werror=enum-int-mismatch] 29 | int intel_selftest_modify_policy(struct intel_engine_cs *engine, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.c:11: drivers/gpu/drm/i915/selftests/intel_scheduler_helpers.h:28:5: note: previous declaration of 'intel_selftest_modify_policy' with type 'int(struct intel_engine_cs *, struct intel_selftest_saved_policy *, enum selftest_scheduler_modify)' 28 | int intel_selftest_modify_policy(struct intel_engine_cs *engine, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ Change the type in the definition to match. Fixes: 617e87c05c72 ("drm/i915/selftest: Fix hangcheck self test for GuC submission") Signed-off-by: Arnd Bergmann Reviewed-by: Andi Shyti Signed-off-by: Andi Shyti Link: https://patchwork.freedesktop.org/patch/msgid/20230117163743.1003219-1-arnd@kernel.org (cherry picked from commit 8d7eb8ed3f83f248e01a4f548d9c500a950a2c2d) Signed-off-by: Rodrigo Vivi commit 75444cfffc12459273be70a56460035fb4c553f3 Author: Lucas De Marchi Date: Wed Jan 18 17:52:39 2023 -0800 drm/i915/mtl: Fix bcs default context Commit 0d0e7d1eea9e ("drm/i915/mtl: Define engine context layouts") added the engine context for Meteor Lake. In a second revision of the patch it was believed the xcs offsets were wrong due to a tagging issue in the spec. The first version was actually correct, as shown by the intel_lrc_live_selftests/live_lrc_layout test: i915: Running gt_lrc i915: Running intel_lrc_live_selftests/live_lrc_layout bcs0: LRI command mismatch at dword 1, expected 1108101d found 11081019 [drm:drm_helper_probe_single_connector_modes [drm_kms_helper]] [CONNECTOR:236:DP-1] disconnected bcs0: HW register image: [0000] 00000000 1108101d 00022244 ffff0008 00022034 00000088 00022030 00000088 ... bcs0: SW register image: [0000] 00000000 11081019 00022244 00090009 00022034 00000000 00022030 00000000 The difference in the 2 additional dwords (0x1d vs 0x19) are the offsets 0x120 / 0x124 that are indeed part of the context image. Bspec: 45585 Fixes: 0d0e7d1eea9e ("drm/i915/mtl: Define engine context layouts") Signed-off-by: Lucas De Marchi Signed-off-by: Radhakrishna Sripada Reviewed-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20230111235531.3353815-2-radhakrishna.sripada@intel.com (cherry picked from commit ca54a9a32da0f0ef7e5cbcd111b66f3c9d78b7d2) Signed-off-by: Rodrigo Vivi commit 98e3528012cd571c48bbae7c7c0f868823254b6c Author: Ross Lagerwall Date: Fri Jan 20 17:43:54 2023 +0000 nvme-fc: fix initialization order ctrl->ops is used by nvme_alloc_admin_tag_set() but set by nvme_init_ctrl() so reorder the calls to avoid a NULL pointer dereference. Fixes: 6dfba1c09c10 ("nvme-fc: use the tagset alloc/free helpers") Signed-off-by: Ross Lagerwall Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig commit d63f11c02b8d3e54bdb65d8c309f73b7f474aec4 Author: Mario Limonciello Date: Sat Jan 21 07:48:11 2023 -0600 gpiolib-acpi: Don't set GPIOs for wakeup in S3 mode commit 1796f808e4bb ("HID: i2c-hid: acpi: Stop setting wakeup_capable") adjusted the policy to enable wakeup by default if the ACPI tables indicated that a device was wake capable. It was reported however that this broke suspend on at least two System76 systems in S3 mode and two Lenovo Gen2a systems, but only with S3. When the machines are set to s2idle, wakeup behaves properly. Configuring the GPIOs for wakeup with S3 doesn't work properly, so only set it when the system supports low power idle. Fixes: 1796f808e4bb ("HID: i2c-hid: acpi: Stop setting wakeup_capable") Fixes: b38f2d5d9615c ("i2c: acpi: Use ACPI wake capability bit to set wake_irq") Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2357 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2162013 Reported-by: Nathan Smythe Tested-by: Nathan Smythe Suggested-by: Raul Rangel Signed-off-by: Mario Limonciello Acked-by: Andy Shevchenko Signed-off-by: Bartosz Golaszewski commit 4bdbba54e9b1c769da8ded9abd209d765715e1d6 Author: Jeff Layton Date: Fri Jan 20 14:52:14 2023 -0500 nfsd: don't free files unconditionally in __nfsd_file_cache_purge nfsd_file_cache_purge is called when the server is shutting down, in which case, tearing things down is generally fine, but it also gets called when the exports cache is flushed. Instead of walking the cache and freeing everything unconditionally, handle it the same as when we have a notification of conflicting access. Fixes: ac3a2585f018 ("nfsd: rework refcounting in filecache") Reported-by: Ruben Vestergaard Reported-by: Torkil Svensgaard Reported-by: Shachar Kagan Signed-off-by: Jeff Layton Tested-by: Shachar Kagan Signed-off-by: Chuck Lever commit 2f62847cf6ae49a54515421f67b1badffaa805f3 Author: Nathan Chancellor Date: Wed Jan 18 20:29:02 2023 +0100 ARM: 9287/1: Reduce __thumb2__ definition to crypto files that require it Commit 1d2e9b67b001 ("ARM: 9265/1: pass -march= only to compiler") added a __thumb2__ define to ASFLAGS to avoid build errors in the crypto code, which relies on __thumb2__ for preprocessing. Commit 59e2cf8d21e0 ("ARM: 9275/1: Drop '-mthumb' from AFLAGS_ISA") followed up on this by removing -mthumb from AFLAGS so that __thumb2__ would not be defined when the default target was ARMv7 or newer. Unfortunately, the second commit's fix assumes that the toolchain defaults to -mno-thumb / -marm, which is not the case for Debian's arm-linux-gnueabihf target, which defaults to -mthumb: $ echo | arm-linux-gnueabihf-gcc -dM -E - | grep __thumb #define __thumb2__ 1 #define __thumb__ 1 This target is used by several CI systems, which will still see redefined macro warnings, despite '-mthumb' not being present in the flags: : warning: "__thumb2__" redefined : note: this is the location of the previous definition Remove the global AFLAGS __thumb2__ define and move it to the crypto folder where it is required by the imported OpenSSL algorithms; the rest of the kernel should use the internal CONFIG_THUMB2_KERNEL symbol to know whether or not Thumb2 is being used or not. Be sure that __thumb2__ is undefined first so that there are no macro redefinition warnings. Link: https://github.com/ClangBuiltLinux/linux/issues/1772 Reported-by: "kernelci.org bot" Suggested-by: Ard Biesheuvel Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Tested-by: Nick Desaulniers Fixes: 59e2cf8d21e0 ("ARM: 9275/1: Drop '-mthumb' from AFLAGS_ISA") Fixes: 1d2e9b67b001 ("ARM: 9265/1: pass -march= only to compiler") Signed-off-by: Russell King (Oracle) commit b00c51ef8f72ced0965d021a291b98ff822c5337 Author: Jens Axboe Date: Sun Jan 22 10:02:55 2023 -0700 io_uring/net: cache provided buffer group value for multishot receives If we're using ring provided buffers with multishot receive, and we end up doing an io-wq based issue at some points that also needs to select a buffer, we'll lose the initially assigned buffer group as io_ring_buffer_select() correctly clears the buffer group list as the issue isn't serialized by the ctx uring_lock. This is fine for normal receives as the request puts the buffer and finishes, but for multishot, we will re-arm and do further receives. On the next trigger for this multishot receive, the receive will try and pick from a buffer group whose value is the same as the buffer ID of the las receive. That is obviously incorrect, and will result in a premature -ENOUFS error for the receive even if we had available buffers in the correct group. Cache the buffer group value at prep time, so we can restore it for future receives. This only needs doing for the above mentioned case, but just do it by default to keep it easier to read. Cc: stable@vger.kernel.org Fixes: b3fdea6ecb55 ("io_uring: multishot recv") Fixes: 9bb66906f23e ("io_uring: support multishot in recvmsg") Cc: Dylan Yudaken Signed-off-by: Jens Axboe commit dcff8b7ca92d724bdaf474a3fa37a7748377813a Author: fengwk Date: Sun Jan 22 01:51:06 2023 +0800 ASoC: amd: yc: Add Xiaomi Redmi Book Pro 15 2022 into DMI table This model requires an additional detection quirk to enable the internal microphone - BIOS doesn't seem to support AcpDmicConnected (nothing in acpidump output). Signed-off-by: fengwk Link: https://lore.kernel.org/r/Y8wmCutc74j/tyHP@arch Signed-off-by: Mark Brown commit 9f535c870e493841ac7be390610ff2edec755762 Author: Gergely Risko Date: Thu Jan 19 14:40:41 2023 +0100 ipv6: fix reachability confirmation with proxy_ndp When proxying IPv6 NDP requests, the adverts to the initial multicast solicits are correct and working. On the other hand, when later a reachability confirmation is requested (on unicast), no reply is sent. This causes the neighbor entry expiring on the sending node, which is mostly a non-issue, as a new multicast request is sent. There are routers, where the multicast requests are intentionally delayed, and in these environments the current implementation causes periodic packet loss for the proxied endpoints. The root cause is the erroneous decrease of the hop limit, as this is checked in ndisc.c and no answer is generated when it's 254 instead of the correct 255. Cc: stable@vger.kernel.org Fixes: 46c7655f0b56 ("ipv6: decrease hop limit counter in ip6_forward()") Signed-off-by: Gergely Risko Tested-by: Gergely Risko Reviewed-by: David Ahern Signed-off-by: David S. Miller commit 0ad999c1eec879f06cc52ef7df4d0dbee4a2d7eb Merge: e38553bdc377e 7c494a7749a7d Author: David S. Miller Date: Mon Jan 23 10:58:12 2023 +0000 Merge branch 'ethtool-mac-merge' Vladimir Oltean say: ==================== ethtool support for IEEE 802.3 MAC Merge layer Change log ---------- v3->v4: - add missing opening bracket in ocelot_port_mm_irq() - moved cfg.verify_time range checking so that it actually takes place for the updated rather than old value v3 at: https://patchwork.kernel.org/project/netdevbpf/cover/20230117085947.2176464-1-vladimir.oltean@nxp.com/ v2->v3: - made get_mm return int instead of void - deleted ETHTOOL_A_MM_SUPPORTED - renamed ETHTOOL_A_MM_ADD_FRAG_SIZE to ETHTOOL_A_MM_TX_MIN_FRAG_SIZE - introduced ETHTOOL_A_MM_RX_MIN_FRAG_SIZE - cleaned up documentation - rebased on top of PLCA changes - renamed ETHTOOL_STATS_SRC_* to ETHTOOL_MAC_STATS_SRC_* v2 at: https://patchwork.kernel.org/project/netdevbpf/cover/20230111161706.1465242-1-vladimir.oltean@nxp.com/ v1->v2: I've decided to focus just on the MAC Merge layer for now, which is why I am able to submit this patch set as non-RFC. v1 (RFC) at: https://patchwork.kernel.org/project/netdevbpf/cover/20220816222920.1952936-1-vladimir.oltean@nxp.com/ What is being introduced ------------------------ TL;DR: a MAC Merge layer as defined by IEEE 802.3-2018, clause 99 (interspersing of express traffic). This is controlled through ethtool netlink (ETHTOOL_MSG_MM_GET, ETHTOOL_MSG_MM_SET). The raw ethtool commands are posted here: https://patchwork.kernel.org/project/netdevbpf/cover/20230111153638.1454687-1-vladimir.oltean@nxp.com/ The MAC Merge layer has its own statistics counters (ethtool --include-statistics --show-mm swp0) as well as two member MACs, the statistics of which can be queried individually, through a new ethtool netlink attribute, corresponding to: $ ethtool -I --show-pause eno2 --src aggregate $ ethtool -S eno2 --groups eth-mac eth-phy eth-ctrl rmon -- --src pmac The core properties of the MAC Merge layer are described in great detail in patches 02/12 and 03/12. They can be viewed in "make htmldocs" format. Devices for which the API is supported -------------------------------------- I decided to start with the Ethernet switch on NXP LS1028A (Felix) because of the smaller patch set. I also have support for the ENETC controller pending. I would like to get confirmation that the UAPI being proposed here will not restrict any use cases known by other hardware vendors. Why is support for preemptible traffic classes not here? -------------------------------------------------------- There is legitimate concern whether the 802.1Q portion of the standard (which traffic classes go to the eMAC and which to the pMAC) should be modeled in Linux using tc or using another UAPI. I think that is stalling the entire series, but should be discussed separately instead. Removing FP adminStatus support makes me confident enough to submit this patch set without an RFC tag (meaning: I wouldn't mind if it was merged as is). What is submitted here is sufficient for an LLDP daemon to do its job. I've patched openlldp to advertise and configure frame preemption: https://github.com/vladimiroltean/openlldp/tree/frame-preemption-v3 In case someone wants to try it out, here are some commands I've used. # Configure the interfaces to receive and transmit LLDP Data Units lldptool -L -i eno0 adminStatus=rxtx lldptool -L -i swp0 adminStatus=rxtx # Enable the transmission of certain TLVs on switch's interface lldptool -T -i eno0 -V addEthCap enableTx=yes lldptool -T -i swp0 -V addEthCap enableTx=yes # Query LLDP statistics on switch's interface lldptool -S -i swp0 # Query the received neighbor TLVs lldptool -i swp0 -t -n -V addEthCap Additional Ethernet Capabilities TLV Preemption capability supported Preemption capability enabled Preemption capability active Additional fragment size: 60 octets So using this patch set, lldpad will be able to advertise and configure frame preemption, but still, no data packet will be sent as preemptible over the link, because there is no UAPI to control which traffic classes are sent as preemptible and which as express. Preemptable or preemptible? --------------------------- IEEE 802.3 uses "preemptable" throughout. IEEE 802.1Q uses "preemptible" throughout. Because the definition of "preemptible" falls under 802.1Q's jurisdiction and 802.3 just references it, I went with the 802.1Q naming even where supporting an 802.3 feature. Also, checkpatch agrees with this. ==================== Signed-off-by: David S. Miller commit 7c494a7749a7d6ee95cfae6a8c109c5d63103d88 Author: Vladimir Oltean Date: Thu Jan 19 14:26:53 2023 +0200 net: ethtool: netlink: introduce ethnl_update_bool() Due to the fact that the kernel-side data structures have been carried over from the ioctl-based ethtool, we are now in the situation where we have an ethnl_update_bool32() function, but the plain function that operates on a boolean value kept in an actual u8 netlink attribute doesn't exist. With new ethtool features that are exposed solely over netlink, the kernel data structures will use the "bool" type, so we will need this kind of helper. Introduce it now; it's needed for things like verify-disabled for the MAC merge configuration. Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller commit e38553bdc377e3e7a6caa9dd9770d8b644d8dac3 Author: Wei Fang Date: Thu Jan 19 12:37:47 2023 +0800 net: fec: Use page_pool_put_full_page when freeing rx buffers The page_pool_release_page was used when freeing rx buffers, and this function just unmaps the page (if mapped) and does not recycle the page. So after hundreds of down/up the eth0, the system will out of memory. For more details, please refer to the following reproduce steps and bug logs. To solve this issue and refer to the doc of page pool, the page_pool_put_full_page should be used to replace page_pool_release_page. Because this API will try to recycle the page if the page refcnt equal to 1. After testing 20000 times, the issue can not be reproduced anymore (about testing 391 times the issue will occur on i.MX8MN-EVK before). Reproduce steps: Create the test script and run the script. The script content is as follows: LOOPS=20000 i=1 while [ $i -le $LOOPS ] do echo "TINFO:ENET $curface up and down test $i times" org_macaddr=$(cat /sys/class/net/eth0/address) ifconfig eth0 down ifconfig eth0 hw ether $org_macaddr up i=$(expr $i + 1) done sleep 5 if cat /sys/class/net/eth0/operstate | grep 'up';then echo "TEST PASS" else echo "TEST FAIL" fi Bug detail logs: TINFO:ENET up and down test 391 times [ 850.471205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL) [ 853.535318] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready [ 853.541694] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx [ 870.590531] page_pool_release_retry() stalled pool shutdown 199 inflight 60 sec [ 931.006557] page_pool_release_retry() stalled pool shutdown 199 inflight 120 sec TINFO:ENET up and down test 392 times [ 991.426544] page_pool_release_retry() stalled pool shutdown 192 inflight 181 sec [ 1051.838531] page_pool_release_retry() stalled pool shutdown 170 inflight 241 sec [ 1093.751217] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL) [ 1096.446520] page_pool_release_retry() stalled pool shutdown 308 inflight 60 sec [ 1096.831245] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx [ 1096.839092] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready [ 1112.254526] page_pool_release_retry() stalled pool shutdown 103 inflight 302 sec [ 1156.862533] page_pool_release_retry() stalled pool shutdown 308 inflight 120 sec [ 1172.674516] page_pool_release_retry() stalled pool shutdown 103 inflight 362 sec [ 1217.278532] page_pool_release_retry() stalled pool shutdown 308 inflight 181 sec TINFO:ENET up and down test 393 times [ 1233.086535] page_pool_release_retry() stalled pool shutdown 103 inflight 422 sec [ 1277.698513] page_pool_release_retry() stalled pool shutdown 308 inflight 241 sec [ 1293.502525] page_pool_release_retry() stalled pool shutdown 86 inflight 483 sec [ 1338.110518] page_pool_release_retry() stalled pool shutdown 308 inflight 302 sec [ 1353.918540] page_pool_release_retry() stalled pool shutdown 32 inflight 543 sec [ 1361.179205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL) [ 1364.255298] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx [ 1364.263189] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready [ 1371.998532] page_pool_release_retry() stalled pool shutdown 310 inflight 60 sec [ 1398.530542] page_pool_release_retry() stalled pool shutdown 308 inflight 362 sec [ 1414.334539] page_pool_release_retry() stalled pool shutdown 16 inflight 604 sec [ 1432.414520] page_pool_release_retry() stalled pool shutdown 310 inflight 120 sec [ 1458.942523] page_pool_release_retry() stalled pool shutdown 308 inflight 422 sec [ 1474.750521] page_pool_release_retry() stalled pool shutdown 16 inflight 664 sec TINFO:ENET up and down test 394 times [ 1492.830522] page_pool_release_retry() stalled pool shutdown 310 inflight 181 sec [ 1519.358519] page_pool_release_retry() stalled pool shutdown 308 inflight 483 sec [ 1535.166545] page_pool_release_retry() stalled pool shutdown 2 inflight 724 sec [ 1537.090278] eth_test2.sh invoked oom-killer: gfp_mask=0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), order=0, oom_score_adj=0 [ 1537.101192] CPU: 3 PID: 2379 Comm: eth_test2.sh Tainted: G C 6.1.1+g56321e101aca #1 [ 1537.110249] Hardware name: NXP i.MX8MNano EVK board (DT) [ 1537.115561] Call trace: [ 1537.118005] dump_backtrace.part.0+0xe0/0xf0 [ 1537.122289] show_stack+0x18/0x40 [ 1537.125608] dump_stack_lvl+0x64/0x80 [ 1537.129276] dump_stack+0x18/0x34 [ 1537.132592] dump_header+0x44/0x208 [ 1537.136083] oom_kill_process+0x2b4/0x2c0 [ 1537.140097] out_of_memory+0xe4/0x594 [ 1537.143766] __alloc_pages+0xb68/0xd00 [ 1537.147521] alloc_pages+0xac/0x160 [ 1537.151013] __get_free_pages+0x14/0x40 [ 1537.154851] pgd_alloc+0x1c/0x30 [ 1537.158082] mm_init+0xf8/0x1d0 [ 1537.161228] mm_alloc+0x48/0x60 [ 1537.164368] alloc_bprm+0x7c/0x240 [ 1537.167777] do_execveat_common.isra.0+0x70/0x240 [ 1537.172486] __arm64_sys_execve+0x40/0x54 [ 1537.176502] invoke_syscall+0x48/0x114 [ 1537.180255] el0_svc_common.constprop.0+0xcc/0xec [ 1537.184964] do_el0_svc+0x2c/0xd0 [ 1537.188280] el0_svc+0x2c/0x84 [ 1537.191340] el0t_64_sync_handler+0xf4/0x120 [ 1537.195613] el0t_64_sync+0x18c/0x190 [ 1537.199334] Mem-Info: [ 1537.201620] active_anon:342 inactive_anon:10343 isolated_anon:0 [ 1537.201620] active_file:54 inactive_file:112 isolated_file:0 [ 1537.201620] unevictable:0 dirty:0 writeback:0 [ 1537.201620] slab_reclaimable:2620 slab_unreclaimable:7076 [ 1537.201620] mapped:1489 shmem:2473 pagetables:466 [ 1537.201620] sec_pagetables:0 bounce:0 [ 1537.201620] kernel_misc_reclaimable:0 [ 1537.201620] free:136672 free_pcp:96 free_cma:129241 [ 1537.240419] Node 0 active_anon:1368kB inactive_anon:41372kB active_file:216kB inactive_file:5052kB unevictable:0kB isolated(anon):0kB isolated(file):0kB s [ 1537.271422] Node 0 DMA free:541636kB boost:0kB min:30000kB low:37500kB high:45000kB reserved_highatomic:0KB active_anon:1368kB inactive_anon:41372kB actiB [ 1537.300219] lowmem_reserve[]: 0 0 0 0 [ 1537.303929] Node 0 DMA: 1015*4kB (UMEC) 743*8kB (UMEC) 417*16kB (UMEC) 235*32kB (UMEC) 116*64kB (UMEC) 25*128kB (UMEC) 4*256kB (UC) 2*512kB (UC) 0*1024kBB [ 1537.323938] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=1048576kB [ 1537.332708] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=32768kB [ 1537.341292] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB [ 1537.349776] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=64kB [ 1537.358087] 2939 total pagecache pages [ 1537.361876] 0 pages in swap cache [ 1537.365229] Free swap = 0kB [ 1537.368147] Total swap = 0kB [ 1537.371065] 516096 pages RAM [ 1537.373959] 0 pages HighMem/MovableOnly [ 1537.377834] 17302 pages reserved [ 1537.381103] 163840 pages cma reserved [ 1537.384809] 0 pages hwpoisoned [ 1537.387902] Tasks state (memory values in pages): [ 1537.392652] [ pid ] uid tgid total_vm rss pgtables_bytes swapents oom_score_adj name [ 1537.401356] [ 201] 993 201 1130 72 45056 0 0 rpcbind [ 1537.409772] [ 202] 0 202 4529 1640 77824 0 -250 systemd-journal [ 1537.418861] [ 222] 0 222 4691 801 69632 0 -1000 systemd-udevd [ 1537.427787] [ 248] 994 248 20914 130 65536 0 0 systemd-timesyn [ 1537.436884] [ 497] 0 497 620 31 49152 0 0 atd [ 1537.444938] [ 500] 0 500 854 77 53248 0 0 crond [ 1537.453165] [ 503] 997 503 1470 160 49152 0 -900 dbus-daemon [ 1537.461908] [ 505] 0 505 633 24 40960 0 0 firmwared [ 1537.470491] [ 513] 0 513 2507 180 61440 0 0 ofonod [ 1537.478800] [ 514] 990 514 69640 137 81920 0 0 parsec [ 1537.487120] [ 533] 0 533 599 39 40960 0 0 syslogd [ 1537.495518] [ 534] 0 534 4546 148 65536 0 0 systemd-logind [ 1537.504560] [ 535] 0 535 690 24 45056 0 0 tee-supplicant [ 1537.513564] [ 540] 996 540 2769 168 61440 0 0 systemd-network [ 1537.522680] [ 566] 0 566 3878 228 77824 0 0 connmand [ 1537.531168] [ 645] 998 645 1538 133 57344 0 0 avahi-daemon [ 1537.540004] [ 646] 998 646 1461 64 57344 0 0 avahi-daemon [ 1537.548846] [ 648] 992 648 781 41 45056 0 0 rpc.statd [ 1537.557415] [ 650] 64371 650 590 23 45056 0 0 ninfod [ 1537.565754] [ 653] 61563 653 555 24 45056 0 0 rdisc [ 1537.573971] [ 655] 0 655 374569 2999 290816 0 -999 containerd [ 1537.582621] [ 658] 0 658 1311 20 49152 0 0 agetty [ 1537.590922] [ 663] 0 663 1529 97 49152 0 0 login [ 1537.599138] [ 666] 0 666 3430 202 69632 0 0 wpa_supplicant [ 1537.608147] [ 667] 0 667 2344 96 61440 0 0 systemd-userdbd [ 1537.617240] [ 677] 0 677 2964 314 65536 0 100 systemd [ 1537.625651] [ 679] 0 679 3720 646 73728 0 100 (sd-pam) [ 1537.634138] [ 687] 0 687 1289 403 45056 0 0 sh [ 1537.642108] [ 789] 0 789 970 93 45056 0 0 eth_test2.sh [ 1537.650955] [ 2355] 0 2355 2346 94 61440 0 0 systemd-userwor [ 1537.660046] [ 2356] 0 2356 2346 94 61440 0 0 systemd-userwor [ 1537.669137] [ 2358] 0 2358 2346 95 57344 0 0 systemd-userwor [ 1537.678258] [ 2379] 0 2379 970 93 45056 0 0 eth_test2.sh [ 1537.687098] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/user.slice/user-0.slice/user@0.service,tas0 [ 1537.703009] Out of memory: Killed process 679 ((sd-pam)) total-vm:14880kB, anon-rss:2584kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:72kB oom_score_ad0 [ 1553.246526] page_pool_release_retry() stalled pool shutdown 310 inflight 241 sec Fixes: 95698ff6177b ("net: fec: using page pool to manage RX buffers") Signed-off-by: Wei Fang Reviewed-by: shenwei wang Reviewed-by: Jesse Brandeburg Signed-off-by: David S. Miller commit 87978e6ad45a16835cc58234451111091be3c59a Author: Cezary Rojewski Date: Thu Jan 19 15:32:35 2023 +0100 ALSA: hda: Do not unset preset when cleaning up codec Several functions that take part in codec's initialization and removal are re-used by ASoC codec drivers implementations. Drivers mimic the behavior of hda_codec_driver_probe/remove() found in sound/pci/hda/hda_bind.c with their component->probe/remove() instead. One of the reasons for that is the expectation of snd_hda_codec_device_new() to receive a valid pointer to an instance of struct snd_card. This expectation can be met only once sound card components probing commences. As ASoC sound card may be unbound without codec device being actually removed from the system, unsetting ->preset in snd_hda_codec_cleanup_for_unbind() interferes with module unload -> load scenario causing null-ptr-deref. Preset is assigned only once, during device/driver matching whereas ASoC codec driver's module reloading may occur several times throughout the lifetime of an audio stack. Suggested-by: Takashi Iwai Signed-off-by: Cezary Rojewski Link: https://lore.kernel.org/r/20230119143235.1159814-1-cezary.rojewski@intel.com Signed-off-by: Takashi Iwai commit b6ee896385380aa621102e8ea402ba12db1cabff Author: Eric Dumazet Date: Fri Jan 20 13:02:49 2023 +0000 xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr() int type = nla_type(nla); if (type > XFRMA_MAX) { return -EOPNOTSUPP; } @type is then used as an array index and can be used as a Spectre v1 gadget. if (nla_len(nla) < compat_policy[type].len) { array_index_nospec() can be used to prevent leaking content of kernel memory to malicious users. Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator") Signed-off-by: Eric Dumazet Cc: Dmitry Safonov Cc: Steffen Klassert Reviewed-by: Dmitry Safonov Signed-off-by: Steffen Klassert commit 2475bf0250dee99b477e0c56d7dc9d7ac3f04117 Merge: ab2f408731cc7 5f5cc9ed992cb Author: Linus Torvalds Date: Sun Jan 22 12:14:58 2023 -0800 Merge tag 'sched_urgent_for_v6.2_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Borislav Petkov: - Make sure the scheduler doesn't use stale frequency scaling values when latter get disabled due to a value error - Fix a NULL pointer access on UP configs - Use the proper locking when updating CPU capacity * tag 'sched_urgent_for_v6.2_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/aperfmperf: Erase stale arch_freq_scale values when disabling frequency invariance readings sched/core: Fix NULL pointer access fault in sched_setaffinity() with non-SMP configs sched/fair: Fixes for capacity inversion detection sched/uclamp: Fix a uninitialized variable warnings commit ab2f408731cc7e03ef2e5dc7dada649220e4dcd2 Merge: 2b299a1cd4327 977c6ba624f24 Author: Linus Torvalds Date: Sun Jan 22 12:10:47 2023 -0800 Merge tag 'edac_urgent_for_v6.2_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras Pull EDAC fixes from Borislav Petkov: - Respect user-supplied polling value in the EDAC device code - Fix a use-after-free issue in qcom_edac * tag 'edac_urgent_for_v6.2_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras: EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info EDAC/device: Respect any driver-supplied workqueue polling value commit 2b299a1cd43271ffb582342a2a3c227aea0f32ac Merge: 3c006ad74d68b 5a8a05f165fb1 Author: Linus Torvalds Date: Sun Jan 22 12:06:18 2023 -0800 Merge tag 'perf_urgent_for_v6.2_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fix from Borislav Petkov: - Add Emerald Rapids model support to more perf machinery * tag 'perf_urgent_for_v6.2_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/intel/cstate: Add Emerald Rapids perf/x86/intel: Add Emerald Rapids commit 3c006ad74d68be45ee36ca68fd9c053974fb6b0f Merge: 2241ab53cbb5c 95ecbd0f162fc Author: Linus Torvalds Date: Sun Jan 22 11:56:33 2023 -0800 Merge tag 'gfs2-v6.2-rc4-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 Pull gfs2 writepage fix from Andreas Gruenbacher: - Fix a regression introduced by commit "gfs2: stop using generic_writepages in gfs2_ail1_start_one". * tag 'gfs2-v6.2-rc4-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: Revert "gfs2: stop using generic_writepages in gfs2_ail1_start_one" commit 6601fc0d15ffc20654e39486f9bef35567106d68 Author: Dean Luick Date: Thu Jan 12 13:16:02 2023 -0500 IB/hfi1: Restore allocated resources on failed copyout Fix a resource leak if an error occurs. Fixes: f404ca4c7ea8 ("IB/hfi1: Refactor hfi_user_exp_rcv_setup() IOCTL") Signed-off-by: Dean Luick Signed-off-by: Dennis Dalessandro Link: https://lore.kernel.org/r/167354736291.2132367.10894218740150168180.stgit@awfm-02.cornelisnetworks.com Signed-off-by: Leon Romanovsky commit 27b5de622ea3fe0ad5a31a0ebd9f7a0a276932d1 Author: Nathan Chancellor Date: Fri Jan 20 09:58:27 2023 -0700 x86/build: Move '-mindirect-branch-cs-prefix' out of GCC-only block LLVM 16 will have support for this flag so move it out of the GCC-only block to allow LLVM builds to take advantage of it. Signed-off-by: Nathan Chancellor Signed-off-by: Ingo Molnar Tested-by: Nick Desaulniers Reviewed-by: Nick Desaulniers Acked-by: Peter Zijlstra (Intel) Link: https://github.com/ClangBuiltLinux/linux/issues/1665 Link: https://github.com/llvm/llvm-project/commit/6f867f9102838ebe314c1f3661fdf95700386e5a Link: https://lore.kernel.org/r/20230120165826.2469302-1-nathan@kernel.org commit c2c46b10d52624376322b01654095a84611c7e09 Author: Vipin Sharma Date: Wed Jan 11 10:34:08 2023 -0800 KVM: selftests: Make reclaim_period_ms input always be positive reclaim_period_ms used to be positive only but the commit 0001725d0f9b ("KVM: selftests: Add atoi_positive() and atoi_non_negative() for input validation") incorrectly changed it to non-negative validation. Change validation to allow only positive input. Fixes: 0001725d0f9b ("KVM: selftests: Add atoi_positive() and atoi_non_negative() for input validation") Signed-off-by: Vipin Sharma Reported-by: Ben Gardon Reviewed-by: Ben Gardon Reviewed-by: Sean Christopherson Message-Id: <20230111183408.104491-1-vipinsh@google.com> Signed-off-by: Paolo Bonzini commit a44b331614e6f7e63902ed7dff7adc8c85edd8bc Author: Hendrik Borghorst Date: Mon Nov 14 16:48:23 2022 +0000 KVM: x86/vmx: Do not skip segment attributes if unusable bit is set When serializing and deserializing kvm_sregs, attributes of the segment descriptors are stored by user space. For unusable segments, vmx_segment_access_rights skips all attributes and sets them to 0. This means we zero out the DPL (Descriptor Privilege Level) for unusable entries. Unusable segments are - contrary to their name - usable in 64bit mode and are used by guests to for example create a linear map through the NULL selector. VMENTER checks if SS.DPL is correct depending on the CS segment type. For types 9 (Execute Only) and 11 (Execute Read), CS.DPL must be equal to SS.DPL [1]. We have seen real world guests setting CS to a usable segment with DPL=3 and SS to an unusable segment with DPL=3. Once we go through an sregs get/set cycle, SS.DPL turns to 0. This causes the virtual machine to crash reproducibly. This commit changes the attribute logic to always preserve attributes for unusable segments. According to [2] SS.DPL is always saved on VM exits, regardless of the unusable bit so user space applications should have saved the information on serialization correctly. [3] specifies that besides SS.DPL the rest of the attributes of the descriptors are undefined after VM entry if unusable bit is set. So, there should be no harm in setting them all to the previous state. [1] Intel SDM Vol 3C 26.3.1.2 Checks on Guest Segment Registers [2] Intel SDM Vol 3C 27.3.2 Saving Segment Registers and Descriptor-Table Registers [3] Intel SDM Vol 3C 26.3.2.2 Loading Guest Segment Registers and Descriptor-Table Registers Cc: Alexander Graf Cc: stable@vger.kernel.org Signed-off-by: Hendrik Borghorst Reviewed-by: Jim Mattson Reviewed-by: Alexander Graf Message-Id: <20221114164823.69555-1-hborghor@amazon.de> Signed-off-by: Paolo Bonzini commit 50aa870ba2f7735f556e52d15f61cd0f359c4c0b Author: Paolo Bonzini Date: Sun Jan 22 04:04:50 2023 -0500 selftests: kvm: move declaration at the beginning of main() Placing a declaration of evt_reset is pedantically invalid according to the C standard. While GCC does not really care and only warns with -Wpedantic, clang ignores the declaration altogether with an error: x86_64/xen_shinfo_test.c:965:2: error: expected expression struct kvm_xen_hvm_attr evt_reset = { ^ x86_64/xen_shinfo_test.c:969:38: error: use of undeclared identifier evt_reset vm_ioctl(vm, KVM_XEN_HVM_SET_ATTR, &evt_reset); ^ Reported-by: Yu Zhang Reported-by: Sean Christopherson Fixes: a79b53aaaab5 ("KVM: x86: fix deadlock for KVM_XEN_EVTCHN_RESET", 2022-12-28) Signed-off-by: Paolo Bonzini commit 95ecbd0f162fc06ef4c4045a66f653f47b62a2d3 Author: Andreas Gruenbacher Date: Thu Jan 19 20:14:42 2023 +0100 Revert "gfs2: stop using generic_writepages in gfs2_ail1_start_one" Commit b2b0a5e97855 switched from generic_writepages() to filemap_fdatawrite_wbc() in gfs2_ail1_start_one() on the path to replacing ->writepage() with ->writepages() and eventually eliminating the former. Function gfs2_ail1_start_one() is called from gfs2_log_flush(), our main function for flushing the filesystem log. Unfortunately, at least as implemented today, ->writepage() and ->writepages() are entirely different operations for journaled data inodes: while the former creates and submits transactions covering the data to be written, the latter flushes dirty buffers out to disk. With gfs2_ail1_start_one() now calling ->writepages(), we end up creating filesystem transactions while we are in the course of a log flush, which immediately deadlocks on the sdp->sd_log_flush_lock semaphore. Work around that by going back to how things used to work before commit b2b0a5e97855 for now; figuring out a superior solution will take time we don't have available right now. However ... Since the removal of generic_writepages() is imminent, open-code it here. We're already inside a blk_start_plug() ... blk_finish_plug() section here, so skip that part of the original generic_writepages(). This reverts commit b2b0a5e978552e348f85ad9c7568b630a5ede659. Signed-off-by: Andreas Gruenbacher Acked-by: Christoph Hellwig commit d732cbf78d616c0b63201eb9e5e4af3fe9b90dc4 Merge: 2241ab53cbb5c ef3691683d7bf Author: Paolo Bonzini Date: Sun Jan 22 03:46:14 2023 -0500 Merge tag 'kvmarm-fixes-6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD KVM/arm64 fixes for 6.2, take #2 - Pass the correct address to mte_clear_page_tags() on initialising a tagged page - Plug a race against a GICv4.1 doorbell interrupt while saving the vgic-v3 pending state. commit a1550700629f30c5bd554161524f14f14600d554 Author: Hans Verkuil Date: Wed Dec 28 18:02:27 2022 +0100 media: v4l2-ctrls-api.c: move ctrl->is_new = 1 to the correct line The patch that fixed string control support somehow got mangled when it was merged in mainline: the added line ended up in the wrong place. Fix this. Fixes: 73278d483378 ("media: v4l2-ctrls-api.c: add back dropped ctrl->is_new = 1") Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab commit 2241ab53cbb5cdb08a6b2d4688feb13971058f65 Author: Linus Torvalds Date: Sat Jan 21 16:27:01 2023 -0800 Linux 6.2-rc5 commit 95f184d0e1e14e6fd4368a804db5f870e5f841d2 Merge: f671440228853 8caa03f10bf92 Author: Linus Torvalds Date: Sat Jan 21 16:21:56 2023 -0800 Merge tag 'io_uring-6.2-2023-01-21' of git://git.kernel.dk/linux Pull another io_uring fix from Jens Axboe: "Just a single fix for a regression that happened in this release due to a poll change. Normally I would've just deferred it to next week, but since the original fix got picked up by stable, I think it's better to just send this one off separately. The issue is around the poll race fix, and how it mistakenly also got applied to multishot polling. Those don't need the race fix, and we should not be doing any reissues for that case. Exhaustive test cases were written and committed to the liburing regression suite for the reported issue, and additions for similar issues" * tag 'io_uring-6.2-2023-01-21' of git://git.kernel.dk/linux: io_uring/poll: don't reissue in case of poll race on multishot request commit f67144022885344375ad03593e7a290cc614da34 Merge: c88a311470642 3daed6345d588 Author: Linus Torvalds Date: Sat Jan 21 11:20:55 2023 -0800 Merge tag 'char-misc-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are some small char/misc and other subsystem driver fixes for 6.2-rc5 to resolve a few reported issues. They include: - long time pending fastrpc fixes (should have gone into 6.1, my fault) - mei driver/bus fixes and new device ids - interconnect driver fixes for reported problems - vmci bugfix - w1 driver bugfixes for reported problems Almost all of these have been in linux-next with no reported problems, the rest have all passed 0-day bot testing in my tree and on the mailing lists where they have sat too long due to me taking a long time to catch up on my pending patch queue" * tag 'char-misc-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: VMCI: Use threaded irqs instead of tasklets misc: fastrpc: Pass bitfield into qcom_scm_assign_mem gsmi: fix null-deref in gsmi_get_variable misc: fastrpc: Fix use-after-free race condition for maps misc: fastrpc: Don't remove map on creater_process and device_release misc: fastrpc: Fix use-after-free and race in fastrpc_map_find misc: fastrpc: fix error code in fastrpc_req_mmap() mei: me: add meteor lake point M DID mei: bus: fix unlink on bus in error path w1: fix WARNING after calling w1_process() w1: fix deadloop in __w1_remove_master_device() comedi: adv_pci1760: Fix PWM instruction handling interconnect: qcom: rpm: Use _optional func for provider clocks interconnect: qcom: msm8996: Fix regmap max_register values interconnect: qcom: msm8996: Provide UFS clocks to A2NoC dt-bindings: interconnect: Add UFS clocks to MSM8996 A2NoC commit c88a3114706429c9edf89e0bf2cd6757270c00f8 Merge: bb86d65775cc3 739790605705d Author: Linus Torvalds Date: Sat Jan 21 11:17:23 2023 -0800 Merge tag 'driver-core-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core fixes from Greg KH: "Here are three small driver and kernel core fixes for 6.2-rc5. They include: - potential gadget fixup in do_prlimit - device property refcount leak fix - test_async_probe bugfix for reported problem" * tag 'driver-core-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: prlimit: do_prlimit needs to have a speculation check driver core: Fix test_async_probe_init saves device in wrong array device property: fix of node refcount leak in fwnode_graph_get_next_endpoint() commit bb86d65775cc3835152c08882384c2534b56f1d3 Merge: bd5cc6ee8f4e8 7d83299351fe7 Author: Linus Torvalds Date: Sat Jan 21 11:15:21 2023 -0800 Merge tag 'staging-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fix from Greg KH: "Here is a single staging driver fix for 6.2-rc5. It resolves a build issue reported and Fixed by Arnd in the vc04_services driver. It's been in linux-next this week with no reported problems" * tag 'staging-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: vchiq_arm: fix enum vchiq_status return types commit bd5cc6ee8f4e823e466a075a79db3cd355cee28e Merge: e67da28898e9e 14ee78d5932af Author: Linus Torvalds Date: Sat Jan 21 11:12:42 2023 -0800 Merge tag 'tty-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial driver fixes from Greg KH: "Here are some small tty and serial driver fixes for 6.2-rc5 that resolve a number of tiny reported issues and some new device ids. They include: - new device id for the exar serial driver - speakup tty driver bugfix - atmel serial driver baudrate fixup - stm32 serial driver bugfix and then revert as the bugfix broke the build. That will come back in a later pull request once it is all worked out properly. - amba-pl011 serial driver rs486 mode bugfix - qcom_geni serial driver bugfix Most of these have been in linux-next with no reported problems (well, other than the build breakage which generated the revert), the new device id passed 0-day testing" * tag 'tty-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serial: exar: Add support for Sealevel 7xxxC serial cards Revert "serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler" tty: serial: qcom_geni: avoid duplicate struct member init serial: atmel: fix incorrect baudrate setup tty: fix possible null-ptr-defer in spk_ttyio_release serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler serial: amba-pl011: fix high priority character transmission in rs486 mode serial: pch_uart: Pass correct sg to dma_unmap_sg() tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer commit e67da28898e9e219176412f2fd2f415dece474ab Merge: 83cd5fd014c0a 14ff7460bb586 Author: Linus Torvalds Date: Sat Jan 21 11:10:03 2023 -0800 Merge tag 'usb-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB / Thunderbolt fixes from Greg KH: "Here are a number of small USB and Thunderbolt driver fixes and new device id changes for 6.2-rc5. Included in here are: - thunderbolt bugfixes for reported problems - new usb-serial driver ids added - onboard_hub usb driver fixes for much-reported problems - xhci bugfixes - typec bugfixes - ehci-fsl driver module alias fix - iowarrior header size fix - usb gadget driver fixes All of these, except for the iowarrior fix, have been in linux-next with no reported issues. The iowarrior fix passed the 0-day testing and is a one digit change based on a reported problem in the driver (which was written to a spec, not the real device that is now available)" * tag 'usb-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (40 commits) USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 usb: host: ehci-fsl: Fix module alias usb: dwc3: fix extcon dependency usb: core: hub: disable autosuspend for TI TUSB8041 USB: fix misleading usb_set_intfdata() kernel doc usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() USB: gadget: Add ID numbers to configfs-gadget driver names usb: typec: tcpm: Fix altmode re-registration causes sysfs create fail usb: gadget: g_webcam: Send color matching descriptor per frame usb: typec: altmodes/displayport: Use proper macro for pin assignment check usb: typec: altmodes/displayport: Fix pin assignment calculation usb: typec: altmodes/displayport: Add pin assignment helper usb: gadget: f_fs: Ensure ep0req is dequeued before free_request usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait usb: misc: onboard_hub: Move 'attach' work to the driver usb: misc: onboard_hub: Invert driver registration order usb: ucsi: Ensure connector delayed work items are flushed usb: musb: fix error return code in omap2430_probe() usb: chipidea: core: fix possible constant 0 if use IS_ERR(ci->role_switch) xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables ... commit 83cd5fd014c0abfd3cf6d8e4189333d099630845 Merge: f3bbac32475b2 13e1df09284da Author: Linus Torvalds Date: Sat Jan 21 10:56:37 2023 -0800 Merge tag 'kbuild-fixes-v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild fixes from Masahiro Yamada: - Hide LDFLAGS_vmlinux from decompressor Makefiles to fix error messages when GNU Make 4.4 is used. - Fix 'make modules' build error when CONFIG_DEBUG_INFO_BTF_MODULES=y. - Fix warnings emitted by GNU Make 4.4 in scripts/kconfig/Makefile. - Support GNU Make 4.4 for scripts/jobserver-exec. - Show clearer error message when kernel/gen_kheaders.sh fails due to missing cpio. * tag 'kbuild-fixes-v6.2-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: kheaders: explicitly validate existence of cpio command scripts: support GNU make 4.4 in jobserver-exec kconfig: Update all declared targets scripts: rpm: make clear that mkspec script contains 4.13 feature init/Kconfig: fix LOCALVERSION_AUTO help text kbuild: fix 'make modules' error when CONFIG_DEBUG_INFO_BTF_MODULES=y kbuild: export top-level LDFLAGS_vmlinux only to scripts/Makefile.vmlinux init/version-timestamp.c: remove unneeded #include docs: kbuild: remove mention to dropped $(objtree) feature commit 2acd031347f645871959a799238a7caf6803aa18 Author: Carlos Song Date: Wed Jan 18 15:42:27 2023 +0800 iio: imu: fxos8700: fix MAGN sensor scale and unit +/-1200uT is a MAGN sensor full measurement range. Magnetometer scale is the magnetic sensitivity parameter. It is referenced as 0.1uT according to datasheet and magnetometer channel unit is Gauss in sysfs-bus-iio documentation. Gauss and uTesla unit conversion relationship as follows: 0.1uT = 0.001Gs. Set magnetometer scale and available magnetometer scale as fixed 0.001Gs. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20230118074227.1665098-5-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron commit ff5e2cd92ffda9a25ffa2cbdb3a0cf17650172a6 Author: Carlos Song Date: Wed Jan 18 15:42:26 2023 +0800 iio: imu: fxos8700: remove definition FXOS8700_CTRL_ODR_MIN FXOS8700_CTRL_ODR_MIN is not used but value is probably wrong. Remove it for a good readability. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20230118074227.1665098-4-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron commit eb6d8f8705bc19141bac81d8161461f9e256948a Author: Carlos Song Date: Wed Jan 18 15:42:25 2023 +0800 iio: imu: fxos8700: fix failed initialization ODR mode assignment The absence of correct offset leads a failed initialization ODR mode assignment. Select MAX ODR mode as the initialization ODR mode by field mask and FIELD_PREP. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20230118074227.1665098-3-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron commit 78ad6864e9e012cdba7c353d044d21ffcfd5f34b Author: Carlos Song Date: Wed Jan 18 15:42:24 2023 +0800 iio: imu: fxos8700: fix incorrect ODR mode readback The absence of a correct offset leads an incorrect ODR mode readback after use a hexadecimal number to mark the value from FXOS8700_CTRL_REG1. Get ODR mode by field mask and FIELD_GET clearly and conveniently. And attach other additional fix for keeping the original code logic and a good readability. Fixes: 84e5ddd5c46e ("iio: imu: Add support for the FXOS8700 IMU") Signed-off-by: Carlos Song Link: https://lore.kernel.org/r/20230118074227.1665098-2-carlos.song@nxp.com Cc: Signed-off-by: Jonathan Cameron commit f3bbac32475b27f49be201f896d98d4009de1562 Author: Linus Torvalds Date: Tue Jan 17 20:27:23 2023 -0800 ext4: deal with legacy signed xattr name hash values We potentially have old hashes of the xattr names generated on systems with signed 'char' types. Now that everybody uses '-funsigned-char', those hashes will no longer match. This only happens if you use xattrs names that have the high bit set, which probably doesn't happen in practice, but the xfstest generic/454 shows it. Instead of adding a new "signed xattr hash filesystem" bit and having to deal with all the possible combinations, just calculate the hash both ways if the first one fails, and always generate new hashes with the proper unsigned char version. Reported-by: kernel test robot Link: https://lore.kernel.org/oe-lkp/202212291509.704a11c9-oliver.sang@intel.com Link: https://lore.kernel.org/all/CAHk-=whUNjwqZXa-MH9KMmc_CpQpoFKFjAB9ZKHuu=TbsouT4A@mail.gmail.com/ Exposed-by: 3bc753c06dd0 ("kbuild: treat char as always unsigned") Cc: Eric Biggers Cc: Andreas Dilger Cc: Theodore Ts'o , Cc: Jason Donenfeld Cc: Masahiro Yamada Signed-off-by: Linus Torvalds commit ee3c5b644a0fdcfed27515a39fb2dd3a016704c1 Author: Kai-Heng Feng Date: Thu Jan 19 01:04:22 2023 +0800 iio: light: cm32181: Fix PM support on system with 2 I2C resources Commit c1e62062ff54 ("iio: light: cm32181: Handle CM3218 ACPI devices with 2 I2C resources") creates a second client for the actual I2C address, but the "struct device" passed to PM ops is the first I2C client that can't talk to the sensor. That means the I2C transfers in both suspend and resume routines can fail and blocking the whole suspend process. Instead of using the first client for I2C transfer, use the I2C client stored in the cm32181 private struct so the PM ops can get the correct I2C client to really talk to the sensor device. Fixes: 68c1b3dd5c48 ("iio: light: cm32181: Add PM support") BugLink: https://bugs.launchpad.net/bugs/1988346 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152281 Tested-by: Wahaj Signed-off-by: Kai-Heng Feng Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/20230118170422.339619-1-kai.heng.feng@canonical.com Cc: Signed-off-by: Jonathan Cameron commit 739790605705ddcf18f21782b9c99ad7d53a8c11 Author: Greg Kroah-Hartman Date: Fri Jan 20 11:03:20 2023 +0100 prlimit: do_prlimit needs to have a speculation check do_prlimit() adds the user-controlled resource value to a pointer that will subsequently be dereferenced. In order to help prevent this codepath from being used as a spectre "gadget" a barrier needs to be added after checking the range. Reported-by: Jordy Zomer Tested-by: Jordy Zomer Suggested-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ef3691683d7bfd0a2acf48812e4ffe894f10bfa8 Author: Marc Zyngier Date: Thu Jan 19 11:07:59 2023 +0000 KVM: arm64: GICv4.1: Fix race with doorbell on VPE activation/deactivation To save the vgic LPI pending state with GICv4.1, the VPEs must all be unmapped from the ITSs so that the sGIC caches can be flushed. The opposite is done once the state is saved. This is all done by using the activate/deactivate irqdomain callbacks directly from the vgic code. Crutially, this is done without holding the irqdesc lock for the interrupts that represent the VPE. And these callbacks are changing the state of the irqdesc. What could possibly go wrong? If a doorbell fires while we are messing with the irqdesc state, it will acquire the lock and change the interrupt state concurrently. Since we don't hole the lock, curruption occurs in on the interrupt state. Oh well. While acquiring the lock would fix this (and this was Shanker's initial approach), this is still a layering violation we could do without. A better approach is actually to free the VPE interrupt, do what we have to do, and re-request it. It is more work, but this usually happens only once in the lifetime of the VM and we don't really care about this sort of overhead. Fixes: f66b7b151e00 ("KVM: arm64: GICv4.1: Try to save VLPI state in save_pending_tables") Reported-by: Shanker Donthineni Signed-off-by: Marc Zyngier Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230118022348.4137094-1-sdonthineni@nvidia.com commit c3b37c2d77a2c735857c55492ee81e88e855497d Author: Catalin Marinas Date: Thu Jan 19 17:09:02 2023 +0000 KVM: arm64: Pass the actual page address to mte_clear_page_tags() Commit d77e59a8fccd ("arm64: mte: Lock a page for MTE tag initialisation") added a call to mte_clear_page_tags() in case a prior mte_copy_tags_from_user() failed in order to avoid stale tags in the guest page (it should have really been a separate commit). Unfortunately, the argument passed to this function was the address of the struct page rather than the actual page address. Fix this function call. Fixes: d77e59a8fccd ("arm64: mte: Lock a page for MTE tag initialisation") Signed-off-by: Catalin Marinas Cc: Marc Zyngier Reviewed-by: Oliver Upton Reviewed-by: Anshuman Khandual Reviewed-by: Cornelia Huck Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230119170902.1574756-1-catalin.marinas@arm.com commit 71ab9c3e2253619136c31c89dbb2c69305cc89b1 Author: Paolo Abeni Date: Thu Jan 19 19:55:45 2023 +0100 net: fix UaF in netns ops registration error path If net_assign_generic() fails, the current error path in ops_init() tries to clear the gen pointer slot. Anyway, in such error path, the gen pointer itself has not been modified yet, and the existing and accessed one is smaller than the accessed index, causing an out-of-bounds error: BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320 Write of size 8 at addr ffff888109124978 by task modprobe/1018 CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: dump_stack_lvl+0x6a/0x9f print_address_description.constprop.0+0x86/0x2b5 print_report+0x11b/0x1fb kasan_report+0x87/0xc0 ops_init+0x2de/0x320 register_pernet_operations+0x2e4/0x750 register_pernet_subsys+0x24/0x40 tcf_register_action+0x9f/0x560 do_one_initcall+0xf9/0x570 do_init_module+0x190/0x650 load_module+0x1fa5/0x23c0 __do_sys_finit_module+0x10d/0x1b0 do_syscall_64+0x58/0x80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f42518f778d Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48 RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003 RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000 This change addresses the issue by skipping the gen pointer de-reference in the mentioned error-path. Found by code inspection and verified with explicit error injection on a kasan-enabled kernel. Fixes: d266935ac43d ("net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed") Signed-off-by: Paolo Abeni Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/cec4e0f3bb2c77ac03a6154a8508d3930beb5f0f.1674154348.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski commit fd941bd64f0776e4c51d8934f8e666cfbe14406a Author: Yoshihiro Shimoda Date: Fri Jan 20 09:19:59 2023 +0900 net: ethernet: renesas: rswitch: Fix ethernet-ports handling If one of ports in the ethernet-ports was disabled, this driver failed to probe all ports. So, fix it. Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") Signed-off-by: Yoshihiro Shimoda Reviewed-by: Jiri Pirko Reviewed-by: Jacob Keller Link: https://lore.kernel.org/r/20230120001959.1059850-1-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Jakub Kicinski commit 20e3028c39a5bf882e91e717da96d14f1acec40e Author: Haiyang Zhang Date: Thu Jan 19 12:59:10 2023 -0800 net: mana: Fix IRQ name - add PCI and queue number The PCI and queue number info is missing in IRQ names. Add PCI and queue number to IRQ names, to allow CPU affinity tuning scripts to work. Cc: stable@vger.kernel.org Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Haiyang Zhang Reviewed-by: Jesse Brandeburg Link: https://lore.kernel.org/r/1674161950-19708-1-git-send-email-haiyangz@microsoft.com Signed-off-by: Jakub Kicinski commit f0950402e8c76e7dcb08563f1b4e8000fbc62455 Author: Eric Dumazet Date: Thu Jan 19 11:01:50 2023 +0000 netlink: prevent potential spectre v1 gadgets Most netlink attributes are parsed and validated from __nla_validate_parse() or validate_nla() u16 type = nla_type(nla); if (type == 0 || type > maxtype) { /* error or continue */ } @type is then used as an array index and can be used as a Spectre v1 gadget. array_index_nospec() can be used to prevent leaking content of kernel memory to malicious users. This should take care of vast majority of netlink uses, but an audit is needed to take care of others where validation is not yet centralized in core netlink functions. Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface") Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20230119110150.2678537-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit f883675bf6522b52cd75dc3de791680375961769 Merge: 4e31badaa188d 4cb786180dfb5 Author: Linus Torvalds Date: Fri Jan 20 17:13:55 2023 -0800 Merge tag 'gpio-fixes-for-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - fix a potential race condition and always set GPIOs used as interrupt source to input in gpio-mxc - fix a GPIO ACPI-related issue with system suspend on Clevo NL5xRU * tag 'gpio-fixes-for-v6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpiolib: acpi: Add a ignore wakeup quirk for Clevo NL5xRU gpiolib: acpi: Allow ignoring wake capability on pins that aren't in _AEI gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode gpio: mxc: Protect GPIO irqchip RMW with bgpio spinlock commit 4e31badaa188d0e2923f5082c041083c05bda3ff Merge: 8440ffcd68c64 a1b7c8457ecc0 Author: Linus Torvalds Date: Fri Jan 20 14:28:49 2023 -0800 Merge tag '6.2-rc4-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fixes from Steve French: - important fix for packet signature calculation error - three fixes to correct DFS deadlock, and DFS refresh problem - remove an unused DFS function, and duplicate tcon refresh code - DFS cache lookup fix - uninitialized rc fix * tag '6.2-rc4-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: remove unused function cifs: do not include page data when checking signature cifs: fix return of uninitialized rc in dfs_cache_update_tgthint() cifs: handle cache lookup errors different than -ENOENT cifs: remove duplicate code in __refresh_tcon() cifs: don't take exclusive lock for updating target hints cifs: avoid re-lookups in dfs_cache_find() cifs: fix potential deadlock in cache_refresh_path() commit 8440ffcd68c644e846ce6b23ff13b348d49b2abf Merge: 8974efaa33859 431d153146603 Author: Linus Torvalds Date: Fri Jan 20 14:22:56 2023 -0800 Merge tag 'pinctrl-v6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: - Compilation fix for Sunplus sp7021 - Add some missing headers after a cleanup to the Nomadik driver - Fix pull type and mux routes on Rockchip RK3568 * tag 'pinctrl-v6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: rockchip: fix mux route data for rk3568 pinctrl: rockchip: fix reading pull type on rk3568 pinctrl: nomadik: Add missing header(s) pinctrl: sp7021: fix unused function warning commit efaeb5f9f83965010c83c59665840541a54bbaf4 Merge: 1b929c02afd37 86d884f5287f4 Author: Stephen Boyd Date: Fri Jan 20 14:19:25 2023 -0800 Merge tag 'clk-microchip-fixes-6.2' of https://git.kernel.org/pub/scm/linux/kernel/git/at91/linux into clk-fixes Pull a Microchip clock fix from Claudiu Beznea: Only one fix for Polarfire SoCs at this time as follows: - replace devm_kzalloc() with devm_kasprintf(); this has been marked as fix to avoid having registered 2 clocks with the same or invalid name in case device tree node addresses will be longer such that clocks registered with name patern "ccc_pll" will exeed the allocated space. * tag 'clk-microchip-fixes-6.2' of https://git.kernel.org/pub/scm/linux/kernel/git/at91/linux: clk: microchip: mpfs-ccc: Use devm_kasprintf() for allocating formatted strings commit 8974efaa3385959e7ea1019a4b63acff28631e6d Merge: edc00350d205d 0f097f08c9b3c Author: Linus Torvalds Date: Fri Jan 20 14:15:51 2023 -0800 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: - Several hfi1 patches fixing some long standing driver bugs - Overflow when working with sg lists with elements greater than 4G - An rxe regression with object numbering after the mrs reach their limit - A theoretical problem with the scatterlist merging code * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: lib/scatterlist: Fix to calculate the last_pg properly IB/hfi1: Remove user expected buffer invalidate race IB/hfi1: Immediately remove invalid memory from hardware IB/hfi1: Fix expected receive setup error exit issues IB/hfi1: Reserve user expected TIDs IB/hfi1: Reject a zero-length user expected buffer RDMA/core: Fix ib block iterator counter overflow RDMA/rxe: Prevent faulty rkey generation RDMA/rxe: Fix inaccurate constants in rxe_type_info commit 8caa03f10bf92cb8657408a6ece6a8a73f96ce13 Author: Jens Axboe Date: Fri Jan 20 15:08:21 2023 -0700 io_uring/poll: don't reissue in case of poll race on multishot request A previous commit fixed a poll race that can occur, but it's only applicable for multishot requests. For a multishot request, we can safely ignore a spurious wakeup, as we never leave the waitqueue to begin with. A blunt reissue of a multishot armed request can cause us to leak a buffer, if they are ring provided. While this seems like a bug in itself, it's not really defined behavior to reissue a multishot request directly. It's less efficient to do so as well, and not required to rearm anything like it is for singleshot poll requests. Cc: stable@vger.kernel.org Fixes: 6e5aedb9324a ("io_uring/poll: attempt request issue after racy poll wakeup") Reported-and-tested-by: Olivier Langlois Link: https://github.com/axboe/liburing/issues/778 Signed-off-by: Jens Axboe commit 5fde3c21cf33830eda7bfd006dc7f4bf07ec9fe6 Author: Marios Makassikis Date: Wed Jan 11 17:39:02 2023 +0100 ksmbd: do not sign response to session request for guest login If ksmbd.mountd is configured to assign unknown users to the guest account ("map to guest = bad user" in the config), ksmbd signs the response. This is wrong according to MS-SMB2 3.3.5.5.3: 12. If the SMB2_SESSION_FLAG_IS_GUEST bit is not set in the SessionFlags field, and Session.IsAnonymous is FALSE, the server MUST sign the final session setup response before sending it to the client, as follows: [...] This fixes libsmb2 based applications failing to establish a session ("Wrong signature in received"). Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Cc: stable@vger.kernel.org Signed-off-by: Marios Makassikis Acked-by: Namjae Jeon Signed-off-by: Steve French commit 0d0d4680db22eda1eea785c47bbf66a9b33a8b16 Author: Namjae Jeon Date: Thu Dec 29 18:33:25 2022 +0900 ksmbd: add max connections parameter Add max connections parameter to limit number of maximum simultaneous connections. Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") Cc: stable@vger.kernel.org Reviewed-by: Sergey Senozhatsky Signed-off-by: Namjae Jeon Signed-off-by: Steve French commit edc00350d205d2de8871b514c8f9b403d588e5d1 Merge: 9c38747f0cdb2 955bc12299b17 Author: Linus Torvalds Date: Fri Jan 20 12:44:41 2023 -0800 Merge tag 'block-6.2-2023-01-20' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: "Various little tweaks all over the place: - NVMe pull request via Christoph: - fix controller shutdown regression in nvme-apple (Janne Grunau) - fix a polling on timeout regression in nvme-pci (Keith Busch) - Fix a bug in the read request side request allocation caching (Pavel) - pktcdvd was brought back after we configured a NULL return on bio splits, make it consistent with the others (me) - BFQ refcount fix (Yu) - Block cgroup policy activation fix (Yu) - Fix for an md regression introduced in the 6.2 cycle (Adrian)" * tag 'block-6.2-2023-01-20' of git://git.kernel.dk/linux: nvme-pci: fix timeout request state check nvme-apple: only reset the controller when RTKit is running nvme-apple: reset controller during shutdown block: fix hctx checks for batch allocation block/rnbd-clt: fix wrong max ID in ida_alloc_max blk-cgroup: fix missing pd_online_fn() while activating policy pktcdvd: check for NULL returna fter calling bio_split_to_limits() block, bfq: switch 'bfqg->ref' to use atomic refcount apis md: fix incorrect declaration about claim_rdev in md_import_device commit 9c38747f0cdb20516de3d708f39720762786750a Merge: 26e57507a0f04 8579538c89e33 Author: Linus Torvalds Date: Fri Jan 20 12:39:45 2023 -0800 Merge tag 'io_uring-6.2-2023-01-20' of git://git.kernel.dk/linux Pull io_uring fixes from Jens Axboe: "Fixes for the MSG_RING opcode. Nothing really major: - Fix an overflow missing serialization around posting CQEs to the target ring (me) - Disable MSG_RING on a ring that isn't enabled yet. There's nothing really wrong with allowing it, but 1) it's somewhat odd as nobody can receive them yet, and 2) it means that using the right delivery mechanism might change. As nobody should be sending CQEs to a ring that isn't enabled yet, let's just disable it (Pavel) - Tweak to when we decide to post remotely or not for MSG_RING (Pavel)" * tag 'io_uring-6.2-2023-01-20' of git://git.kernel.dk/linux: io_uring/msg_ring: fix remote queue to disabled ring io_uring/msg_ring: fix flagging remote execution io_uring/msg_ring: fix missing lock on overflow for IOPOLL io_uring/msg_ring: move double lock/unlock helpers higher up commit 26e57507a0f04ae0e472afe4799784e2ed19e1b0 Merge: d9166cb31cb08 b7adbf9ada351 Author: Linus Torvalds Date: Fri Jan 20 11:59:01 2023 -0800 Merge tag 'for-6.2-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: - fix potential out-of-bounds access to leaf data when seeking in an inline file - fix potential crash in quota when rescan races with disable - reimplement super block signature scratching by marking page/folio dirty and syncing block device, allow removing write_one_page * tag 'for-6.2-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: fix race between quota rescan and disable leading to NULL pointer deref btrfs: fix invalid leaf access due to inline extent during lseek btrfs: stop using write_one_page in btrfs_scratch_superblock btrfs: factor out scratching of one regular super block commit d9166cb31cb08f027011e8b6159966810bb514e3 Merge: dc18175938e65 9fdaca2c1e157 Author: Linus Torvalds Date: Fri Jan 20 11:35:21 2023 -0800 Merge tag 'linux-kselftest-fixes-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull Kselftest fix from Shuah Khan: "Fix an error seen during unconfigured LLVM builds" * tag 'linux-kselftest-fixes-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: kselftest: Fix error message for unconfigured LLVM builds commit dc18175938e65e979b866f23dc5b93e81d649cc4 Merge: fe563a2c554c8 6c54b7bc8a31c Author: Linus Torvalds Date: Fri Jan 20 11:14:41 2023 -0800 Merge tag 'thermal-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull thermal control fix from Rafael Wysocki: "Modify __thermal_cooling_device_register() to make it call put_device() after invoking device_register() and fix up a few error paths calling thermal_cooling_device_destroy_sysfs() unnecessarily (Viresh Kumar)" * tag 'thermal-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: thermal: core: call put_device() only after device_register() fails commit fe563a2c554c8cd07078eb1dacd3ea6148bd4681 Merge: 1670d7e69b044 3bdd346ebda37 Author: Linus Torvalds Date: Fri Jan 20 11:11:35 2023 -0800 Merge tag 'acpi-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes from Rafael Wysocki: "These update the ACPICA entry in MAINTAINERS, add a backlight handling quirk and fix the ACPI PRM (platform runtime) mechanism support. Specifics: - Update the ACPICA development list address in MAINTAINERS to the new one that does not bounce (Rafael Wysocki) - Check whether EFI runtime is available when registering the ACPI PRM address space handler and when running it (Ard Biesheuvel) - Add backlight=native DMI quirk for Acer Aspire 4810T to the ACPI video driver (Hans de Goede)" * tag 'acpi-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: PRM: Check whether EFI runtime is available ACPI: video: Add backlight=native DMI quirk for Acer Aspire 4810T MAINTAINERS: Update the ACPICA development list address commit 1670d7e69b044e900bb6a3d57a03c9202ea387ae Merge: 1ed46384f85bc 8509419758f2c Author: Linus Torvalds Date: Fri Jan 20 11:04:59 2023 -0800 Merge tag 'mmc-v6.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: - sunxi-mmc: Fix clock refcount imbalance during unbind - sdhci-esdhc-imx: Fix some tuning settings * tag 'mmc-v6.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: sunxi-mmc: Fix clock refcount imbalance during unbind mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting commit 1ed46384f85bcf05fc9b6605f9fd54e1f81a331d Merge: ff83fec8179e3 d2c865553adb7 Author: Linus Torvalds Date: Fri Jan 20 11:00:03 2023 -0800 Merge tag 'soc-fixes-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC DT and driver fixes from Arnd Bergmann: "Lots of dts fixes for Qualcomm Snapdragon and NXP i.MX platforms, including: - A regression fix for SDHCI controllers on Inforce 6540, and another SDHCI fix on SM8350 - Reenable cluster idle on sm8250 after the the code fix is upstream - multiple fixes for the QMP PHY binding, needing an incompatible dt change - The reserved memory map is updated on Xiaomi Mi 4C and Huawei Nexus 6P, to avoid instabilities caused by use of protected memory regions - Fix i.MX8MP DT for missing GPC Interrupt, power-domain typo and USB clock error - A couple of verdin-imx8mm DT fixes for audio playback support - Fix pca9547 i2c-mux node name for i.MX and Vybrid device trees - Fix an imx93-11x11-evk uSDHC pad setting problem that causes Micron eMMC CMD8 CRC error in HS400ES/HS400 mode The remaining ARM and RISC-V platforms only have very few smaller dts bugfixes this time: - A fix for the SiFive unmatched board's PCI memory space - A revert to fix a regression with GPIO on Marvell Armada - A fix for the UART address on Marvell AC5 - Missing chip-select phandles for stm32 boards - Selecting the correct clock for the sam9x60 memory controller - Amlogic based Odroid-HC4 needs a revert to restore USB functionality. And finally, there are some minor code fixes: - Build fixes for OMAP1, pxa, riscpc, raspberry pi firmware, and zynq firmware - memory controller driver fixes for an OMAP regression and older bugs on tegra, atmel and mvebu - reset controller fixes for ti-sci and uniphier platforms - ARM SCMI firmware fixes for a couple of rare corner cases - Qualcomm platform driver fixes for incorrect error handling and a backwards compatibility fix for the apr driver using older dtb - NXP i.MX SoC driver fixes for HDMI output, error handling in the imx8 soc-id and missing reference counting on older cpuid code" * tag 'soc-fixes-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (60 commits) firmware: zynqmp: fix declarations for gcc-13 ARM: dts: stm32: Fix qspi pinctrl phandle for stm32mp151a-prtt1l ARM: dts: stm32: Fix qspi pinctrl phandle for stm32mp157c-emstamp-argon ARM: dts: stm32: Fix qspi pinctrl phandle for stm32mp15xx-dhcom-som ARM: dts: stm32: Fix qspi pinctrl phandle for stm32mp15xx-dhcor-som ARM: dts: at91: sam9x60: fix the ddr clock for sam9x60 ARM: omap1: fix building gpio15xx ARM: omap1: fix !ARCH_OMAP1_ANY link failures firmware: raspberrypi: Fix type assignment arm64: dts: qcom: msm8992-libra: Fix the memory map arm64: dts: qcom: msm8992: Don't use sfpb mutex PM: AVS: qcom-cpr: Fix an error handling path in cpr_probe() arm64: dts: msm8994-angler: fix the memory map arm64: dts: marvell: AC5/AC5X: Fix address for UART1 ARM: footbridge: drop unnecessary inclusion Revert "ARM: dts: armada-39x: Fix compatible string for gpios" Revert "ARM: dts: armada-38x: Fix compatible string for gpios" ARM: pxa: enable PXA310/PXA320 for DT-only build riscv: dts: sifive: fu740: fix size of pcie 32bit memory soc: qcom: apr: Make qcom,protection-domain optional again ... commit 977c6ba624f24ae20cf0faee871257a39348d4a9 Author: Manivannan Sadhasivam Date: Wed Jan 18 20:38:50 2023 +0530 EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info The memory for llcc_driv_data is allocated by the LLCC driver. But when it is passed as the private driver info to the EDAC core, it will get freed during the qcom_edac driver release. So when the qcom_edac driver gets probed again, it will try to use the freed data leading to the use-after-free bug. Hence, do not pass llcc_driv_data as pvt_info but rather reference it using the platform_data pointer in the qcom_edac driver. Fixes: 27450653f1db ("drivers: edac: Add EDAC driver support for QCOM SoCs") Reported-by: Steev Klimaszewski Signed-off-by: Manivannan Sadhasivam Signed-off-by: Borislav Petkov (AMD) Tested-by: Steev Klimaszewski # Thinkpad X13s Tested-by: Andrew Halaney # sa8540p-ride Cc: # 4.20 Link: https://lore.kernel.org/r/20230118150904.26913-4-manivannan.sadhasivam@linaro.org commit ff83fec8179e392be2f472f0a9ec3da8f6d529c6 Merge: 35929dae72332 3f30a6e67ce49 Author: Linus Torvalds Date: Fri Jan 20 10:43:07 2023 -0800 Merge tag 'drm-fixes-2023-01-20' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Just a pretty regular week for this stage of things, amdgpu and i915, along with some msm and misc others. fb-helper: - switcheroo fix msm: - kexec shutdown fix - fix potential double free i915: - Reject display plane with height == 0 - re-disable RC6p on Sandy Bridge - Fix hugepages' selftest - DG2 hw workarounds - switcheroo fix vc4: - fix a memory leak panfrost: - Kconfig fix amdgpu: - Fix display scaling - Fix RN/CZN power reporting on some firmware versions - Colorspace fixes - Fix resource freeing in error case in CS IOCTL - Fix warning on driver unload - GC11 fixes - DCN 3.1.4/5 S/G display workarounds" * tag 'drm-fixes-2023-01-20' of git://anongit.freedesktop.org/drm/drm: (24 commits) drm/amd/display: disable S/G display on DCN 3.1.4 drm/amd/display: disable S/G display on DCN 3.1.5 drm/amdgpu: allow multipipe policy on ASICs with one MEC drm/amdgpu: correct MEC number for gfx11 APUs drm/amd/display: fix issues with driver unload drm/amdgpu: fix amdgpu_job_free_resources v2 drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix drm/amd/display: Calculate output_color_space after pixel encoding adjustment drm/amdgpu: fix cleaning up reserved VMID on release drm/amdgpu: Correct the power calcultion for Renior/Cezanne. drm/amd/display: Fix set scaling doesn's work drm/i915: Remove unused variable drm/i915/dg2: Introduce Wa_18019271663 drm/i915/dg2: Introduce Wa_18018764978 drm/fb-helper: Set framebuffer for vga-switcheroo clients drm/i915: Allow switching away via vga-switcheroo if uninitialized drm/i915/selftests: Unwind hugepages to drop wakeref on error drm/i915: re-disable RC6p on Sandy Bridge drm/panfrost: fix GENERIC_ATOMIC64 dependency drm/i915/display: Check source height is > 0 ... commit 35929dae72332e41cb11b56439999fd0295d5a64 Merge: aaaf919c2ef59 95e5fda3b5f9e Author: Linus Torvalds Date: Fri Jan 20 10:23:14 2023 -0800 Merge tag 'dmaengine-fix-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine Pull dmaengine fixes from Vinod Koul: - email address Update for Jie Hai - fix double increment of client_count in dma_chan_get() - idxd driver fixes: use after free, probe error handling and callback on wq disable - fix for qcom gpi driver GO tre - ptdma locking fix - tegra & imx-sdma mem leak fix * tag 'dmaengine-fix-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine: ptdma: pt_core_execute_cmd() should use spinlock dmaengine: tegra: Fix memory leak in terminate_all() dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node() dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init dmaengine: Fix double increment of client_count in dma_chan_get() dmaengine: tegra210-adma: fix global intr clear Add exception protection processing for vd in axi_chan_handle_err function dmaengine: lgm: Move DT parsing after initialization MAINTAINERS: update Jie Hai's email address dmaengine: ti: k3-udma: Do conditional decrement of UDMA_CHAN_RT_PEER_BCNT_REG dmaengine: idxd: Do not call DMX TX callbacks during workqueue disable dmaengine: idxd: Prevent use after free on completion memory dmaengine: idxd: Let probe fail when workqueue cannot be enabled dmaengine: qcom: gpi: Set link_rx bit on GO TRE for rx operation commit aaaf919c2ef595ab9a8a6810f53a6db685dbba40 Merge: 5deaa98587aca bc30c15f27548 Author: Linus Torvalds Date: Fri Jan 20 10:10:52 2023 -0800 Merge tag 'phy-fixes-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy Pull phy fixes from Vinod Koul: - binding fix for g12a phys - Kconfig operator precedence for TI driver - renesas: register setting - sunplus: null deref fix - rockchip-inno fix for clk_disable_unprepare() - MDM9607 init sequence revert due to regression * tag 'phy-fixes-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy: phy: phy-can-transceiver: Skip warning if no "max-bitrate" dt-bindings: phy: g12a-usb2-phy: fix compatible string documentation dt-bindings: phy: g12a-usb3-pcie-phy: fix compatible string documentation phy: freescale: imx8m-pcie: Add one missing error return phy: Revert "phy: qualcomm: usb28nm: Add MDM9607 init sequence" phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() phy: renesas: r8a779f0-eth-serdes: Fix register setting phy: usb: sunplus: Fix potential null-ptr-deref in sp_usb_phy_probe() phy: ti: fix Kconfig warning and operator precedence commit 5deaa98587aca2f0e7605388e89cfa1df4bad5cb Merge: 4a0c7a6831a0a 45a919bbb21c6 Author: Linus Torvalds Date: Fri Jan 20 09:58:44 2023 -0800 Merge tag 'net-6.2-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from wireless, bluetooth, bpf and netfilter. Current release - regressions: - Revert "net: team: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf", fix nsna_ping mode of team - wifi: mt76: fix bugs in Rx queue handling and DMA mapping - eth: mlx5: - add missing mutex_unlock in error reporter - protect global IPsec ASO with a lock Current release - new code bugs: - rxrpc: fix wrong error return in rxrpc_connect_call() Previous releases - regressions: - bluetooth: hci_sync: fix use of HCI_OP_LE_READ_BUFFER_SIZE_V2 - wifi: - mac80211: fix crashes on Rx due to incorrect initialization of rx->link and rx->link_sta - mac80211: fix bugs in iTXQ conversion - Tx stalls, incorrect aggregation handling, crashes - brcmfmac: fix regression for Broadcom PCIe wifi devices - rndis_wlan: prevent buffer overflow in rndis_query_oid - netfilter: conntrack: handle tcp challenge acks during connection reuse - sched: avoid grafting on htb_destroy_class_offload when destroying - virtio-net: correctly enable callback during start_xmit, fix stalls - tcp: avoid the lookup process failing to get sk in ehash table - ipa: disable ipa interrupt during suspend - eth: stmmac: enable all safety features by default Previous releases - always broken: - bpf: - fix pointer-leak due to insufficient speculative store bypass mitigation (Spectre v4) - skip task with pid=1 in send_signal_common() to avoid a splat - fix BPF program ID information in BPF_AUDIT_UNLOAD as well as PERF_BPF_EVENT_PROG_UNLOAD events - fix potential deadlock in htab_lock_bucket from same bucket index but different map_locked index - bluetooth: - fix a buffer overflow in mgmt_mesh_add() - hci_qca: fix driver shutdown on closed serdev - ISO: fix possible circular locking dependency - CIS: hci_event: fix invalid wait context - wifi: brcmfmac: fixes for survey dump handling - mptcp: explicitly specify sock family at subflow creation time - netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits - tcp: fix rate_app_limited to default to 1 - l2tp: close all race conditions in l2tp_tunnel_register() - eth: mlx5: fixes for QoS config and eswitch configuration - eth: enetc: avoid deadlock in enetc_tx_onestep_tstamp() - eth: stmmac: fix invalid call to mdiobus_get_phy() Misc: - ethtool: add netlink attr in rss get reply only if the value is not empty" * tag 'net-6.2-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (88 commits) Revert "Merge branch 'octeontx2-af-CPT'" tcp: fix rate_app_limited to default to 1 bnxt: Do not read past the end of test names net: stmmac: enable all safety features by default octeontx2-af: add mbox to return CPT_AF_FLT_INT info octeontx2-af: update cpt lf alloc mailbox octeontx2-af: restore rxc conf after teardown sequence octeontx2-af: optimize cpt pf identification octeontx2-af: modify FLR sequence for CPT octeontx2-af: add mbox for CPT LF reset octeontx2-af: recover CPT engine when it gets fault net: dsa: microchip: ksz9477: port map correction in ALU table entry register selftests/net: toeplitz: fix race on tpacket_v3 block close net/ulp: use consistent error code when blocking ULP octeontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt tcp: avoid the lookup process failing to get sk in ehash table Revert "net: team: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf" MAINTAINERS: add networking entries for Willem net: sched: gred: prevent races when adding offloads to stats l2tp: prevent lockdep issue in l2tp_tunnel_register() ... commit 29f316a1d7e0a570be9a47fa283ece53a67cebb7 Author: Takahiro Fujii Date: Fri Jan 20 03:30:02 2023 +0900 HID: elecom: add support for TrackBall 056E:011C Make function buttons on ELECOM M-HT1DRBK trackball mouse work. This model has two devices with different device IDs (010D and 011C). Both of them misreports the number of buttons as 5 in the report descriptor, even though they have 8 buttons. hid-elecom overwrites the report to fix them, but supports only on 010D and does not work on 011C. This patch fixes 011C in the similar way but with specialized position parameters. In fact, it is sufficient to rewrite only 17th byte (05 -> 08). However I followed the existing way. Signed-off-by: Takahiro Fujii Signed-off-by: Jiri Kosina commit 3bdd346ebda37f4cb12461d5e83a5b9d575afc63 Merge: 81aae5cbd36da 182da6f2b81a7 8ba5fc4c154ae Author: Rafael J. Wysocki Date: Fri Jan 20 18:42:16 2023 +0100 Merge branches 'acpi-prm' and 'acpi-video' Merge an ACPI PRM (platform runtime) support fix and an ACPI backlight quirk for 6.2-rc5: - Check whether EFI runtime is available when registering the ACPI PRM address space handler and when running it (Ard Biesheuvel). - Add backlight=native DMI quirk for Acer Aspire 4810T to the ACPI video driver (Hans de Goede). * acpi-prm: ACPI: PRM: Check whether EFI runtime is available * acpi-video: ACPI: video: Add backlight=native DMI quirk for Acer Aspire 4810T commit db105c37a4d69d684c1edf2915557463d0ba172c Author: Arnd Bergmann Date: Tue Jan 17 17:50:26 2023 +0100 kunit: Export kunit_running() Using kunit_fail_current_test() in a loadable module causes a link error like: ERROR: modpost: "kunit_running" [drivers/gpu/drm/vc4/vc4.ko] undefined! Export the symbol to allow using it from modules. Fixes: da43ff045c3f ("drm/vc4: tests: Fail the current test if we access a register") Signed-off-by: Arnd Bergmann Reviewed-by: David Gow Signed-off-by: Shuah Khan commit e2b53ea5a7c1fb484277ad12cd075f502cf03b04 Author: Stefan Assmann Date: Tue Jan 10 09:00:18 2023 +0100 iavf: schedule watchdog immediately when changing primary MAC iavf_replace_primary_mac() utilizes queue_work() to schedule the watchdog task but that only ensures that the watchdog task is queued to run. To make sure the watchdog is executed asap use mod_delayed_work(). Without this patch it may take up to 2s until the watchdog task gets executed, which may cause long delays when setting the MAC address. Fixes: a3e839d539e0 ("iavf: Add usage of new virtchnl format to set default MAC") Signed-off-by: Stefan Assmann Reviewed-by: Michal Schmidt Tested-by: Michal Schmidt Tested-by: Rafal Romanowski Signed-off-by: Tony Nguyen commit 7598f4b40bd60e4a4280de645eb2893eea80b59d Author: Marcin Szycik Date: Tue Jan 3 17:42:27 2023 +0100 iavf: Move netdev_update_features() into watchdog task Remove netdev_update_features() from iavf_adminq_task(), as it can cause deadlocks due to needing rtnl_lock. Instead use the IAVF_FLAG_SETUP_NETDEV_FEATURES flag to indicate that netdev features need to be updated in the watchdog task. iavf_set_vlan_offload_features() and iavf_set_queue_vlan_tag_loc() can be called directly from iavf_virtchnl_completion(). Suggested-by: Phani Burra Signed-off-by: Marcin Szycik Reviewed-by: Alexander Lobakin Tested-by: Marek Szlosek Signed-off-by: Tony Nguyen commit 4411a608f7c8df000cb1a9f7881982dd8e10839a Author: Michal Schmidt Date: Thu Dec 15 23:50:48 2022 +0100 iavf: fix temporary deadlock and failure to set MAC address We are seeing an issue where setting the MAC address on iavf fails with EAGAIN after the 2.5s timeout expires in iavf_set_mac(). There is the following deadlock scenario: iavf_set_mac(), holding rtnl_lock, waits on: iavf_watchdog_task (within iavf_wq) to send a message to the PF, and iavf_adminq_task (within iavf_wq) to receive a response from the PF. In this adapter state (>=__IAVF_DOWN), these tasks do not need to take rtnl_lock, but iavf_wq is a global single-threaded workqueue, so they may get stuck waiting for another adapter's iavf_watchdog_task to run iavf_init_config_adapter(), which does take rtnl_lock. The deadlock resolves itself by the timeout in iavf_set_mac(), which results in EAGAIN returned to userspace. Let's break the deadlock loop by changing iavf_wq into a per-adapter workqueue, so that one adapter's tasks are not blocked by another's. Fixes: 35a2443d0910 ("iavf: Add waiting for response from PF in set mac") Co-developed-by: Ivan Vecera Signed-off-by: Ivan Vecera Signed-off-by: Michal Schmidt Tested-by: Rafal Romanowski Signed-off-by: Tony Nguyen commit 8579538c89e33ce78be2feb41e07489c8cbf8f31 Author: Pavel Begunkov Date: Fri Jan 20 16:38:06 2023 +0000 io_uring/msg_ring: fix remote queue to disabled ring IORING_SETUP_R_DISABLED rings don't have the submitter task set, so it's not always safe to use ->submitter_task. Disallow posting msg_ring messaged to disabled rings. Also add task NULL check for loosy sync around testing for IORING_SETUP_R_DISABLED. Cc: stable@vger.kernel.org Fixes: 6d043ee1164ca ("io_uring: do msg_ring in target task via tw") Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit 56d8e3180c065c9b78ed77afcd0cf99677a4e22f Author: Pavel Begunkov Date: Fri Jan 20 16:38:05 2023 +0000 io_uring/msg_ring: fix flagging remote execution There is a couple of problems with queueing a tw in io_msg_ring_data() for remote execution. First, once we queue it the target ring can go away and so setting IORING_SQ_TASKRUN there is not safe. Secondly, the userspace might not expect IORING_SQ_TASKRUN. Extract a helper and uniformly use TWA_SIGNAL without TWA_SIGNAL_NO_IPI tricks for now, just as it was done in the original patch. Cc: stable@vger.kernel.org Fixes: 6d043ee1164ca ("io_uring: do msg_ring in target task via tw") Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit 45a919bbb21c642e0c34dac483d1e003560159dc Author: Jakub Kicinski Date: Fri Jan 20 08:38:16 2023 -0800 Revert "Merge branch 'octeontx2-af-CPT'" This reverts commit b4fbf0b27fa9dd2594b3371532341bd4636a00f9, reversing changes made to 6c977c5c2e4c5d8ad1b604724cc344e38f96fe9b. This seems like net-next material. Signed-off-by: Jakub Kicinski commit 74bc3a5acc82f020d2e126f56c535d02d1e74e37 Author: Jiri Olsa Date: Fri Jan 20 13:21:48 2023 +0100 bpf: Add missing btf_put to register_btf_id_dtor_kfuncs We take the BTF reference before we register dtors and we need to put it back when it's done. We probably won't se a problem with kernel BTF, but module BTF would stay loaded (because of the extra ref) even when its module is removed. Cc: Kumar Kartikeya Dwivedi Fixes: 5ce937d613a4 ("bpf: Populate pairs of btf_id and destructor kfunc in btf") Acked-by: Kumar Kartikeya Dwivedi Signed-off-by: Jiri Olsa Link: https://lore.kernel.org/r/20230120122148.1522359-1-jolsa@kernel.org Signed-off-by: Alexei Starovoitov commit 51cdc8bc120ef6e42f6fb758341f5d91bc955952 Author: Yi Liu Date: Fri Jan 20 07:05:28 2023 -0800 kvm/vfio: Fix potential deadlock on vfio group_lock Currently it is possible that the final put of a KVM reference comes from vfio during its device close operation. This occurs while the vfio group lock is held; however, if the vfio device is still in the kvm device list, then the following call chain could result in a deadlock: VFIO holds group->group_lock/group_rwsem -> kvm_put_kvm -> kvm_destroy_vm -> kvm_destroy_devices -> kvm_vfio_destroy -> kvm_vfio_file_set_kvm -> vfio_file_set_kvm -> try to hold group->group_lock/group_rwsem The key function is the kvm_destroy_devices() which triggers destroy cb of kvm_device_ops. It calls back to vfio and try to hold group_lock. So if this path doesn't call back to vfio, this dead lock would be fixed. Actually, there is a way for it. KVM provides another point to free the kvm-vfio device which is the point when the device file descriptor is closed. This can be achieved by providing the release cb instead of the destroy cb. Also rename kvm_vfio_destroy() to be kvm_vfio_release(). /* * Destroy is responsible for freeing dev. * * Destroy may be called before or after destructors are called * on emulated I/O regions, depending on whether a reference is * held by a vcpu or other kvm component that gets destroyed * after the emulated I/O. */ void (*destroy)(struct kvm_device *dev); /* * Release is an alternative method to free the device. It is * called when the device file descriptor is closed. Once * release is called, the destroy method will not be called * anymore as the device is removed from the device list of * the VM. kvm->lock is held. */ void (*release)(struct kvm_device *dev); Fixes: 421cfe6596f6 ("vfio: remove VFIO_GROUP_NOTIFY_SET_KVM") Reported-by: Alex Williamson Suggested-by: Kevin Tian Reviewed-by: Jason Gunthorpe Signed-off-by: Yi Liu Reviewed-by: Matthew Rosato Link: https://lore.kernel.org/r/20230114000351.115444-1-mjrosato@linux.ibm.com Link: https://lore.kernel.org/r/20230120150528.471752-1-yi.l.liu@intel.com [aw: update comment as well, s/destroy/release/] Signed-off-by: Alex Williamson commit 955bc12299b17aa60325e1748336e1fd1e664ed0 Merge: 7746564793978 1c5842085851f Author: Jens Axboe Date: Fri Jan 20 08:08:29 2023 -0700 Merge tag 'nvme-6.2-2023-01-20' of git://git.infradead.org/nvme into block-6.2 Pull NVMe fixes from Christoph: "nvme fixes for Linux 6.2 - fix controller shutdown regression in nvme-apple (Janne Grunau) - fix a polling on timeout regression in nvme-pci (Keith Busch)" * tag 'nvme-6.2-2023-01-20' of git://git.infradead.org/nvme: nvme-pci: fix timeout request state check nvme-apple: only reset the controller when RTKit is running nvme-apple: reset controller during shutdown commit 4bb3d82a1820c1b609ede8eb2332f3cb038c5840 Author: Krzysztof Kozlowski Date: Fri Jan 20 14:14:47 2023 +0100 regulator: dt-bindings: samsung,s2mps14: add lost samsung,ext-control-gpios The samsung,ext-control-gpios property was lost during conversion to DT schema: exynos3250-artik5-eval.dtb: pmic@66: regulators:LDO11: Unevaluated properties are not allowed ('samsung,ext-control-gpios' was unexpected) Fixes: ea98b9eba05c ("regulator: dt-bindings: samsung,s2m: convert to dtschema") Cc: Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20230120131447.289702-1-krzysztof.kozlowski@linaro.org Signed-off-by: Mark Brown commit fb4293600cc651cfe4d48ec489f1d175adf6e2f8 Author: Peter Ujfalusi Date: Fri Jan 20 12:21:25 2023 +0200 ASoC: SOF: sof-audio: prepare_widgets: Check swidget for NULL on sink failure If the swidget is NULL we skip the preparing of the widget and jump to handle the sink path of the widget. If the prepare fails in this case we would undo the prepare but the swidget is NULL (we skipped the prepare for the widget). To avoid NULL pointer dereference in this case we must check swidget against NULL pointer once again. Fixes: 0ad84b11f2f8 ("ASoC: SOF: sof-audio: skip prepare/unprepare if swidget is NULL") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Peter Ujfalusi Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20230120102125.30653-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown commit 2855e16f47ae0ad881e724d4a619fdeebcff09fb Merge: 54650eb17132a b3c00316a2f84 Author: Mark Brown Date: Fri Jan 20 14:09:28 2023 +0000 ASoC: Intel: set dpcm_capture for amps Merge series from Kai Vehmanen : This series addresses problems with echo reference devices reported in: "[BUG][ADL-N] Kernel panic when echo reference stream is opened" https://github.com/thesofproject/linux/issues/4083 commit 14ff7460bb58662d86aa50298943cc7d25532e28 Author: Greg Kroah-Hartman Date: Fri Jan 20 14:53:30 2023 +0100 USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 The USB_DEVICE_ID_CODEMERCS_IOW100 header size was incorrect, it should be 12, not 13. Cc: stable Fixes: 17a82716587e ("USB: iowarrior: fix up report size handling for some devices") Reported-by: Christoph Jung Link: https://lore.kernel.org/r/20230120135330.3842518-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 5d3d01ae15d2f37ed0325c99ab47ef0ae5d05f3c Author: Alexander Stein Date: Fri Jan 20 13:27:14 2023 +0100 usb: host: ehci-fsl: Fix module alias Commit ca07e1c1e4a6 ("drivers:usb:fsl:Make fsl ehci drv an independent driver module") changed DRV_NAME which was used for MODULE_ALIAS as well. Starting from this the module alias didn't match the platform device name created in fsl-mph-dr-of.c Change DRV_NAME to match the driver name for host mode in fsl-mph-dr-of. This is needed for module autoloading on ls1021a. Fixes: ca07e1c1e4a6 ("drivers:usb:fsl:Make fsl ehci drv an independent driver module") Cc: stable Signed-off-by: Alexander Stein Link: https://lore.kernel.org/r/20230120122714.3848784-1-alexander.stein@ew.tq-group.com Signed-off-by: Greg Kroah-Hartman commit 300b655db1b5152d6101bcb6801d50899b20c2d6 Author: David Morley Date: Thu Jan 19 19:00:28 2023 +0000 tcp: fix rate_app_limited to default to 1 The initial default value of 0 for tp->rate_app_limited was incorrect, since a flow is indeed application-limited until it first sends data. Fixing the default to be 1 is generally correct but also specifically will help user-space applications avoid using the initial tcpi_delivery_rate value of 0 that persists until the connection has some non-zero bandwidth sample. Fixes: eb8329e0a04d ("tcp: export data delivery rate") Suggested-by: Yuchung Cheng Signed-off-by: David Morley Signed-off-by: Neal Cardwell Tested-by: David Morley Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller commit d3e599c090fc6977331150c5f0a69ab8ce87da21 Author: Kees Cook Date: Wed Jan 18 12:35:01 2023 -0800 bnxt: Do not read past the end of test names Test names were being concatenated based on a offset beyond the end of the first name, which tripped the buffer overflow detection logic: detected buffer overflow in strnlen [...] Call Trace: bnxt_ethtool_init.cold+0x18/0x18 Refactor struct hwrm_selftest_qlist_output to use an actual array, and adjust the concatenation to use snprintf() rather than a series of strncat() calls. Reported-by: Niklas Cassel Link: https://lore.kernel.org/lkml/Y8F%2F1w1AZTvLglFX@x1-carbon/ Tested-by: Niklas Cassel Fixes: eb51365846bc ("bnxt_en: Add basic ethtool -t selftest support.") Cc: Michael Chan Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Michael Chan Reviewed-by: Niklas Cassel Signed-off-by: David S. Miller commit 14ee78d5932afeb710c8305196a676a715bfdea8 Author: Matthew Howell Date: Thu Jan 19 14:40:29 2023 -0500 serial: exar: Add support for Sealevel 7xxxC serial cards Add support for Sealevel 7xxxC serial cards. This patch: * Adds IDs to recognize 7xxxC cards from Sealevel Systems. * Updates exar_pci_probe() to set nr_ports to last two bytes of primary dev ID for these cards. Signed-off-by: Matthew Howell Cc: stable Link: https://lore.kernel.org/r/alpine.DEB.2.21.2301191440010.22558@tstest-VirtualBox Signed-off-by: Greg Kroah-Hartman commit 3daed6345d5880464f46adab871d208e1baa2f3a Author: Vishnu Dasa Date: Tue Nov 29 23:05:11 2022 -0800 VMCI: Use threaded irqs instead of tasklets The vmci_dispatch_dgs() tasklet function calls vmci_read_data() which uses wait_event() resulting in invalid sleep in an atomic context (and therefore potentially in a deadlock). Use threaded irqs to fix this issue and completely remove usage of tasklets. [ 20.264639] BUG: sleeping function called from invalid context at drivers/misc/vmw_vmci/vmci_guest.c:145 [ 20.264643] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 762, name: vmtoolsd [ 20.264645] preempt_count: 101, expected: 0 [ 20.264646] RCU nest depth: 0, expected: 0 [ 20.264647] 1 lock held by vmtoolsd/762: [ 20.264648] #0: ffff0000874ae440 (sk_lock-AF_VSOCK){+.+.}-{0:0}, at: vsock_connect+0x60/0x330 [vsock] [ 20.264658] Preemption disabled at: [ 20.264659] [] vmci_send_datagram+0x44/0xa0 [vmw_vmci] [ 20.264665] CPU: 0 PID: 762 Comm: vmtoolsd Not tainted 5.19.0-0.rc8.20220727git39c3c396f813.60.fc37.aarch64 #1 [ 20.264667] Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020 [ 20.264668] Call trace: [ 20.264669] dump_backtrace+0xc4/0x130 [ 20.264672] show_stack+0x24/0x80 [ 20.264673] dump_stack_lvl+0x88/0xb4 [ 20.264676] dump_stack+0x18/0x34 [ 20.264677] __might_resched+0x1a0/0x280 [ 20.264679] __might_sleep+0x58/0x90 [ 20.264681] vmci_read_data+0x74/0x120 [vmw_vmci] [ 20.264683] vmci_dispatch_dgs+0x64/0x204 [vmw_vmci] [ 20.264686] tasklet_action_common.constprop.0+0x13c/0x150 [ 20.264688] tasklet_action+0x40/0x50 [ 20.264689] __do_softirq+0x23c/0x6b4 [ 20.264690] __irq_exit_rcu+0x104/0x214 [ 20.264691] irq_exit_rcu+0x1c/0x50 [ 20.264693] el1_interrupt+0x38/0x6c [ 20.264695] el1h_64_irq_handler+0x18/0x24 [ 20.264696] el1h_64_irq+0x68/0x6c [ 20.264697] preempt_count_sub+0xa4/0xe0 [ 20.264698] _raw_spin_unlock_irqrestore+0x64/0xb0 [ 20.264701] vmci_send_datagram+0x7c/0xa0 [vmw_vmci] [ 20.264703] vmci_datagram_dispatch+0x84/0x100 [vmw_vmci] [ 20.264706] vmci_datagram_send+0x2c/0x40 [vmw_vmci] [ 20.264709] vmci_transport_send_control_pkt+0xb8/0x120 [vmw_vsock_vmci_transport] [ 20.264711] vmci_transport_connect+0x40/0x7c [vmw_vsock_vmci_transport] [ 20.264713] vsock_connect+0x278/0x330 [vsock] [ 20.264715] __sys_connect_file+0x8c/0xc0 [ 20.264718] __sys_connect+0x84/0xb4 [ 20.264720] __arm64_sys_connect+0x2c/0x3c [ 20.264721] invoke_syscall+0x78/0x100 [ 20.264723] el0_svc_common.constprop.0+0x68/0x124 [ 20.264724] do_el0_svc+0x38/0x4c [ 20.264725] el0_svc+0x60/0x180 [ 20.264726] el0t_64_sync_handler+0x11c/0x150 [ 20.264728] el0t_64_sync+0x190/0x194 Signed-off-by: Vishnu Dasa Suggested-by: Zack Rusin Reported-by: Nadav Amit Reported-by: Nathan Chancellor Tested-by: Nathan Chancellor Fixes: 463713eb6164 ("VMCI: dma dg: add support for DMA datagrams receive") Cc: # v5.18+ Cc: VMware PV-Drivers Reviewers Cc: Greg Kroah-Hartman Cc: Bryan Tan Reviewed-by: Bryan Tan Reviewed-by: Zack Rusin Link: https://lore.kernel.org/r/20221130070511.46558-1-vdasa@vmware.com Signed-off-by: Greg Kroah-Hartman commit aaca766c77fcf5aabda846d3372a1d40b0d4735d Author: Elliot Berman Date: Thu Jan 12 10:23:12 2023 -0800 misc: fastrpc: Pass bitfield into qcom_scm_assign_mem The srcvm parameter of qcom_scm_assign_mem is a pointer to a bitfield of VMIDs. The bitfield is updated with which VMIDs have permissions after the qcom_scm_assign_mem call. This makes it simpler for clients to make qcom_scm_assign_mem calls later, they always pass in same srcvm bitfield and do not need to closely track whether memory was originally shared. When restoring permissions to HLOS, fastrpc is incorrectly using the first VMID directly -- neither the BIT nor the other possible VMIDs the memory was already assigned to. We already have a field intended for this purpose: "perms" in the struct fastrpc_channel_ctx, but it was never used. Start using the perms field. Cc: Abel Vesa Cc: Vamsi Krishna Gattupalli Cc: Srinivas Kandagatla Fixes: e90d91190619 ("misc: fastrpc: Add support to secure memory map") Fixes: 0871561055e6 ("misc: fastrpc: Add support for audiopd") Fixes: 532ad70c6d44 ("misc: fastrpc: Add mmap request assigning for static PD pool") Tested-by: Srinivas Kandagatla Signed-off-by: Elliot Berman drivers/misc/fastrpc.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) Link: https://lore.kernel.org/r/20230112182313.521467-1-quic_eberman@quicinc.com Signed-off-by: Greg Kroah-Hartman commit a769b05eeed7accc4019a1ed9799dd72067f1ce8 Author: Khazhismel Kumykov Date: Tue Jan 17 17:02:12 2023 -0800 gsmi: fix null-deref in gsmi_get_variable We can get EFI variables without fetching the attribute, so we must allow for that in gsmi. commit 859748255b43 ("efi: pstore: Omit efivars caching EFI varstore access layer") added a new get_variable call with attr=NULL, which triggers panic in gsmi. Fixes: 74c5b31c6618 ("driver: Google EFI SMI") Cc: stable Signed-off-by: Khazhismel Kumykov Link: https://lore.kernel.org/r/20230118010212.1268474-1-khazhy@google.com Signed-off-by: Greg Kroah-Hartman commit 96b328d119eca7563c1edcc4e1039a62e6370ecb Author: Ola Jeppsson Date: Thu Nov 24 17:49:41 2022 +0000 misc: fastrpc: Fix use-after-free race condition for maps It is possible that in between calling fastrpc_map_get() until map->fl->lock is taken in fastrpc_free_map(), another thread can call fastrpc_map_lookup() and get a reference to a map that is about to be deleted. Rewrite fastrpc_map_get() to only increase the reference count of a map if it's non-zero. Propagate this to callers so they can know if a map is about to be deleted. Fixes this warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate ... Call trace: refcount_warn_saturate [fastrpc_map_get inlined] [fastrpc_map_lookup inlined] fastrpc_map_create fastrpc_internal_invoke fastrpc_device_ioctl __arm64_sys_ioctl invoke_syscall Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Cc: stable Signed-off-by: Ola Jeppsson Signed-off-by: Abel Vesa Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20221124174941.418450-4-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 5bb96c8f9268e2fdb0e5321cbc358ee5941efc15 Author: Abel Vesa Date: Thu Nov 24 17:49:40 2022 +0000 misc: fastrpc: Don't remove map on creater_process and device_release Do not remove the map from the list on error path in fastrpc_init_create_process, instead call fastrpc_map_put, to avoid use-after-free. Do not remove it on fastrpc_device_release either, call fastrpc_map_put instead. The fastrpc_free_map is the only proper place to remove the map. This is called only after the reference count is 0. Fixes: b49f6d83e290 ("misc: fastrpc: Fix a possible double free") Cc: stable Co-developed-by: Ola Jeppsson Signed-off-by: Ola Jeppsson Signed-off-by: Abel Vesa Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20221124174941.418450-3-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 9446fa1683a7e3937d9970248ced427c1983a1c5 Author: Abel Vesa Date: Thu Nov 24 17:49:39 2022 +0000 misc: fastrpc: Fix use-after-free and race in fastrpc_map_find Currently, there is a race window between the point when the mutex is unlocked in fastrpc_map_lookup and the reference count increasing (fastrpc_map_get) in fastrpc_map_find, which can also lead to use-after-free. So lets merge fastrpc_map_find into fastrpc_map_lookup which allows us to both protect the maps list by also taking the &fl->lock spinlock and the reference count, since the spinlock will be released only after. Add take_ref argument to make this suitable for all callers. Fixes: 8f6c1d8c4f0c ("misc: fastrpc: Add fdlist implementation") Cc: stable Co-developed-by: Ola Jeppsson Signed-off-by: Ola Jeppsson Signed-off-by: Abel Vesa Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20221124174941.418450-2-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 5023adc364df004bd8e57afe89a4bd8019485c3d Author: Dan Carpenter Date: Tue Nov 29 12:45:16 2022 +0300 misc: fastrpc: fix error code in fastrpc_req_mmap() The "err" variable shadows an earlier global variable so this code returns success instead of a negative error code. Fixes: 532ad70c6d44 ("misc: fastrpc: Add mmap request assigning for static PD pool") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/Y4XUrMETCl1O6t0A@kili Signed-off-by: Greg Kroah-Hartman commit 0c4d68261717f89fa8c4f98a6967c3832fcb3ad0 Author: Alexander Usyskin Date: Tue Dec 13 00:02:47 2022 +0200 mei: me: add meteor lake point M DID Add Meteor Lake Point M device id. Cc: Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20221212220247.286019-2-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit a43866856125c3c432e2fbb6cc63cee1539ec4a7 Author: Alexander Usyskin Date: Tue Dec 13 00:02:46 2022 +0200 mei: bus: fix unlink on bus in error path Unconditional call to mei_cl_unlink in mei_cl_bus_dev_release leads to call of the mei_cl_unlink without corresponding mei_cl_link. This leads to miscalculation of open_handle_count (decrease without increase). Call unlink in mei_cldev_enable fail path and remove blanket unlink from mei_cl_bus_dev_release. Fixes: 34f1166afd67 ("mei: bus: need to unlink client before freeing") Cc: Signed-off-by: Alexander Usyskin Reviewed-by: Tomas Winkler Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20221212220247.286019-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit 54650eb17132a099100264caf59bb2210f65085a Author: Kuninori Morimoto Date: Fri Jan 20 06:32:52 2023 +0000 ASoC: hdmi-codec: zero clear HDMI pdata commit f77a066f4ed307d ("ASoC: hdmi-codec: Allow playback and capture to be disabled") added new no_i2s_playback/capture. We need to zero clear HDMI pdata first, otherwise unexpected flag will be added. Fixes: f77a066f4ed3 ("ASoC: hdmi-codec: Allow playback and capture to be disabled") Signed-off-by: Kuninori Morimoto Link: https://lore.kernel.org/r/87k01hlnqj.wl-kuninori.morimoto.gx@renesas.com Signed-off-by: Mark Brown commit ea57680af47587397f5005d7758022441ed66d54 Author: Dan Carpenter Date: Thu Jan 19 17:58:54 2023 +0300 ASoC: SOF: ipc4-mtrace: prevent underflow in sof_ipc4_priority_mask_dfs_write() The "id" comes from the user. Change the type to unsigned to prevent an array underflow. Fixes: f4ea22f7aa75 ("ASoC: SOF: ipc4: Add support for mtrace log extraction") Signed-off-by: Dan Carpenter Acked-by: Peter Ujfalusi Link: https://lore.kernel.org/r/Y8laruWOEwOC/dx9@kili Signed-off-by: Mark Brown commit 732065df5deb5d565f66780a97990e77fc9bc49f Merge: 36225a7c72e9e dd42ec8ea5b97 Author: Greg Kroah-Hartman Date: Fri Jan 20 11:40:04 2023 +0100 Merge tag 'icc-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/djakov/icc into char-misc-linus Georgi writes: interconnect fixes for v6.2-rc This contains fixes for a rare boot hang issue that has been reported on the db820c dragonboard. - dt-bindings: interconnect: Add UFS clocks to MSM8996 A2NoC - interconnect: qcom: msm8996: Provide UFS clocks to A2NoC - interconnect: qcom: msm8996: Fix regmap max_register values - interconnect: qcom: rpm: Use _optional func for provider clocks Signed-off-by: Georgi Djakov * tag 'icc-6.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/djakov/icc: interconnect: qcom: rpm: Use _optional func for provider clocks interconnect: qcom: msm8996: Fix regmap max_register values interconnect: qcom: msm8996: Provide UFS clocks to A2NoC dt-bindings: interconnect: Add UFS clocks to MSM8996 A2NoC commit 2cbafffbf69addd7509072f4be5917f81d238cf6 Author: Greg Kroah-Hartman Date: Fri Jan 20 11:16:59 2023 +0100 Revert "serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler" This reverts commit f24771b62a83239f0dce816bddf0f6807f436235 as it is reported to break the build. Reported-by: kernel test robot Link: https://lore.kernel.org/r/202301200130.ttBiTzfO-lkp@intel.com Fixes: f24771b62a83 ("serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler") Cc: Sebastian Andrzej Siewior Cc: Valentin Caron # V3 Cc: Marek Vasut Cc: Johan Hovold Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit d2c865553adb7ad9abf3894cbb209cf1bc95484a Author: Arnd Bergmann Date: Tue Jan 17 17:41:14 2023 +0100 firmware: zynqmp: fix declarations for gcc-13 gcc-13.0.1 reports a type mismatch for two functions: drivers/firmware/xilinx/zynqmp.c:1228:5: error: conflicting types for 'zynqmp_pm_set_rpu_mode' due to enum/integer mi