Linux 5.4.269

 
ACPI: extlog: fix NULL pointer dereference check [+ + +]
Author: Prarit Bhargava <prarit@redhat.com>
Date:   Mon Dec 4 13:00:37 2023 -0500

    ACPI: extlog: fix NULL pointer dereference check
    
    [ Upstream commit 72d9b9747e78979510e9aafdd32eb99c7aa30dd1 ]
    
    The gcc plugin -fanalyzer [1] tries to detect various
    patterns of incorrect behaviour.  The tool reports:
    
    drivers/acpi/acpi_extlog.c: In function ‘extlog_exit’:
    drivers/acpi/acpi_extlog.c:307:12: warning: check of ‘extlog_l1_addr’ for NULL after already dereferencing it [-Wanalyzer-deref-before-check]
        |
        |  306 |         ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN;
        |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
        |      |                                                  |
        |      |                                                  (1) pointer ‘extlog_l1_addr’ is dereferenced here
        |  307 |         if (extlog_l1_addr)
        |      |            ~
        |      |            |
        |      |            (2) pointer ‘extlog_l1_addr’ is checked for NULL here but it was already dereferenced at (1)
        |
    
    Fix the NULL pointer dereference check in extlog_exit().
    
    Link: https://gcc.gnu.org/onlinedocs/gcc-10.1.0/gcc/Static-Analyzer-Options.html # [1]
    
    Signed-off-by: Prarit Bhargava <prarit@redhat.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop [+ + +]
Author: Yuluo Qiu <qyl27@outlook.com>
Date:   Sun Nov 26 21:59:13 2023 +0800

    ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop
    
    [ Upstream commit 143176a46bdd3bfbe9ba2462bf94458e80d65ebf ]
    
    The Colorful X15 AT 23 ACPI video-bus device report spurious
    ACPI_VIDEO_NOTIFY_CYCLE events resulting in spurious KEY_SWITCHVIDEOMODE
    events being reported to userspace (and causing trouble there) when
    an external screen plugged in.
    
    Add a quirk setting the report_key_events mask to
    REPORT_BRIGHTNESS_KEY_EVENTS so that the ACPI_VIDEO_NOTIFY_CYCLE
    events will be ignored, while still reporting brightness up/down
    hotkey-presses to userspace normally.
    
    Signed-off-by: Yuluo Qiu <qyl27@outlook.com>
    Co-developed-by: Celeste Liu <CoelacanthusHex@gmail.com>
    Signed-off-by: Celeste Liu <CoelacanthusHex@gmail.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
af_unix: fix lockdep positive in sk_diag_dump_icons() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jan 30 18:42:35 2024 +0000

    af_unix: fix lockdep positive in sk_diag_dump_icons()
    
    [ Upstream commit 4d322dce82a1d44f8c83f0f54f95dd1b8dcf46c9 ]
    
    syzbot reported a lockdep splat [1].
    
    Blamed commit hinted about the possible lockdep
    violation, and code used unix_state_lock_nested()
    in an attempt to silence lockdep.
    
    It is not sufficient, because unix_state_lock_nested()
    is already used from unix_state_double_lock().
    
    We need to use a separate subclass.
    
    This patch adds a distinct enumeration to make things
    more explicit.
    
    Also use swap() in unix_state_double_lock() as a clean up.
    
    v2: add a missing inline keyword to unix_state_lock_nested()
    
    [1]
    WARNING: possible circular locking dependency detected
    6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0 Not tainted
    
    syz-executor.1/2542 is trying to acquire lock:
     ffff88808b5df9e8 (rlock-AF_UNIX){+.+.}-{2:2}, at: skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
    
    but task is already holding lock:
     ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089
    
    which lock already depends on the new lock.
    
    the existing dependency chain (in reverse order) is:
    
    -> #1 (&u->lock/1){+.+.}-{2:2}:
            lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
            _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
            sk_diag_dump_icons net/unix/diag.c:87 [inline]
            sk_diag_fill+0x6ea/0xfe0 net/unix/diag.c:157
            sk_diag_dump net/unix/diag.c:196 [inline]
            unix_diag_dump+0x3e9/0x630 net/unix/diag.c:220
            netlink_dump+0x5c1/0xcd0 net/netlink/af_netlink.c:2264
            __netlink_dump_start+0x5d7/0x780 net/netlink/af_netlink.c:2370
            netlink_dump_start include/linux/netlink.h:338 [inline]
            unix_diag_handler_dump+0x1c3/0x8f0 net/unix/diag.c:319
           sock_diag_rcv_msg+0xe3/0x400
            netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2543
            sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
            netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
            netlink_unicast+0x7e6/0x980 net/netlink/af_netlink.c:1367
            netlink_sendmsg+0xa37/0xd70 net/netlink/af_netlink.c:1908
            sock_sendmsg_nosec net/socket.c:730 [inline]
            __sock_sendmsg net/socket.c:745 [inline]
            sock_write_iter+0x39a/0x520 net/socket.c:1160
            call_write_iter include/linux/fs.h:2085 [inline]
            new_sync_write fs/read_write.c:497 [inline]
            vfs_write+0xa74/0xca0 fs/read_write.c:590
            ksys_write+0x1a0/0x2c0 fs/read_write.c:643
            do_syscall_x64 arch/x86/entry/common.c:52 [inline]
            do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
           entry_SYSCALL_64_after_hwframe+0x63/0x6b
    
    -> #0 (rlock-AF_UNIX){+.+.}-{2:2}:
            check_prev_add kernel/locking/lockdep.c:3134 [inline]
            check_prevs_add kernel/locking/lockdep.c:3253 [inline]
            validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
            __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
            lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
            __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
            _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
            skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
            unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112
            sock_sendmsg_nosec net/socket.c:730 [inline]
            __sock_sendmsg net/socket.c:745 [inline]
            ____sys_sendmsg+0x592/0x890 net/socket.c:2584
            ___sys_sendmsg net/socket.c:2638 [inline]
            __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
            __do_sys_sendmmsg net/socket.c:2753 [inline]
            __se_sys_sendmmsg net/socket.c:2750 [inline]
            __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
            do_syscall_x64 arch/x86/entry/common.c:52 [inline]
            do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
           entry_SYSCALL_64_after_hwframe+0x63/0x6b
    
    other info that might help us debug this:
    
     Possible unsafe locking scenario:
    
           CPU0                    CPU1
           ----                    ----
      lock(&u->lock/1);
                                   lock(rlock-AF_UNIX);
                                   lock(&u->lock/1);
      lock(rlock-AF_UNIX);
    
     *** DEADLOCK ***
    
    1 lock held by syz-executor.1/2542:
      #0: ffff88808b5dfe70 (&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200 net/unix/af_unix.c:2089
    
    stack backtrace:
    CPU: 1 PID: 2542 Comm: syz-executor.1 Not tainted 6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
    Call Trace:
     <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
      check_noncircular+0x366/0x490 kernel/locking/lockdep.c:2187
      check_prev_add kernel/locking/lockdep.c:3134 [inline]
      check_prevs_add kernel/locking/lockdep.c:3253 [inline]
      validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
      __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
      lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
      __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
      _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
      skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
      unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg net/socket.c:745 [inline]
      ____sys_sendmsg+0x592/0x890 net/socket.c:2584
      ___sys_sendmsg net/socket.c:2638 [inline]
      __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
      __do_sys_sendmmsg net/socket.c:2753 [inline]
      __se_sys_sendmmsg net/socket.c:2750 [inline]
      __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xf5/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    RIP: 0033:0x7f26d887cda9
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f26d95a60c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
    RAX: ffffffffffffffda RBX: 00007f26d89abf80 RCX: 00007f26d887cda9
    RDX: 000000000000003e RSI: 00000000200bd000 RDI: 0000000000000004
    RBP: 00007f26d88c947a R08: 0000000000000000 R09: 0000000000000000
    R10: 00000000000008c0 R11: 0000000000000246 R12: 0000000000000000
    R13: 000000000000000b R14: 00007f26d89abf80 R15: 00007ffcfe081a68
    
    Fixes: 2aac7a2cb0d9 ("unix_diag: Pending connections IDs NLA")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://lore.kernel.org/r/20240130184235.1620738-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() [+ + +]
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Thu Nov 30 12:56:14 2023 +0100

    afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()
    
    [ Upstream commit 1702e0654ca9a7bcd7c7619c8a5004db58945b71 ]
    
    David Howells says:
    
     (5) afs_find_server().
    
         There could be a lot of servers in the list and each server can have
         multiple addresses, so I think this would be better with an exclusive
         second pass.
    
         The server list isn't likely to change all that often, but when it does
         change, there's a good chance several servers are going to be
         added/removed one after the other.  Further, this is only going to be
         used for incoming cache management/callback requests from the server,
         which hopefully aren't going to happen too often - but it is remotely
         drivable.
    
     (6) afs_find_server_by_uuid().
    
         Similarly to (5), there could be a lot of servers to search through, but
         they are in a tree not a flat list, so it should be faster to process.
         Again, it's not likely to change that often and, again, when it does
         change it's likely to involve multiple changes.  This can be driven
         remotely by an incoming cache management request but is mostly going to
         be driven by setting up or reconfiguring a volume's server list -
         something that also isn't likely to happen often.
    
    Make the "seq" counter odd on the 2nd pass, otherwise read_seqbegin_or_lock()
    never takes the lock.
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Marc Dionne <marc.dionne@auristor.com>
    cc: linux-afs@lists.infradead.org
    Link: https://lore.kernel.org/r/20231130115614.GA21581@redhat.com/
    Signed-off-by: Sasha Levin <sashal@kernel.org>

afs: Hide silly-rename files from userspace [+ + +]
Author: David Howells <dhowells@redhat.com>
Date:   Mon Jan 8 17:22:36 2024 +0000

    afs: Hide silly-rename files from userspace
    
    [ Upstream commit 57e9d49c54528c49b8bffe6d99d782ea051ea534 ]
    
    There appears to be a race between silly-rename files being created/removed
    and various userspace tools iterating over the contents of a directory,
    leading to such errors as:
    
            find: './kernel/.tmp_cpio_dir/include/dt-bindings/reset/.__afs2080': No such file or directory
            tar: ./include/linux/greybus/.__afs3C95: File removed before we read it
    
    when building a kernel.
    
    Fix afs_readdir() so that it doesn't return .__afsXXXX silly-rename files
    to userspace.  This doesn't stop them being looked up directly by name as
    we need to be able to look them up from within the kernel as part of the
    silly-rename algorithm.
    
    Fixes: 79ddbfa500b3 ("afs: Implement sillyrename for unlink and rename")
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Marc Dionne <marc.dionne@auristor.com>
    cc: linux-afs@lists.infradead.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ALSA: hda/conexant: Add quirk for SWS JS201D [+ + +]
Author: bo liu <bo.liu@senarytech.com>
Date:   Mon Feb 5 09:38:02 2024 +0800

    ALSA: hda/conexant: Add quirk for SWS JS201D
    
    commit 4639c5021029d49fd2f97fa8d74731f167f98919 upstream.
    
    The SWS JS201D need a different pinconfig from windows driver.
    Add a quirk to use a specific pinconfig to SWS JS201D.
    
    Signed-off-by: bo liu <bo.liu@senarytech.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20240205013802.51907-1-bo.liu@senarytech.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL [+ + +]
Author: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
Date:   Thu Feb 1 09:21:14 2024 -0300

    ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL
    
    commit c7de2d9bb68a5fc71c25ff96705a80a76c8436eb upstream.
    
    Vaio VJFE-ADL is equipped with ALC269VC, and it needs
    ALC298_FIXUP_SPK_VOLUME quirk to make its headset mic work.
    
    Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20240201122114.30080-1-edson.drosdeck@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: hda: Intel: add HDA_ARL PCI ID support [+ + +]
Author: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Date:   Mon Dec 4 15:27:07 2023 -0600

    ALSA: hda: Intel: add HDA_ARL PCI ID support
    
    [ Upstream commit a31014ebad617868c246d3985ff80d891f03711e ]
    
    Yet another PCI ID.
    
    Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
    Acked-by: Mark Brown <broonie@kernel.org>
    Link: https://lore.kernel.org/r/20231204212710.185976-3-pierre-louis.bossart@linux.intel.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
arch, mm: remove stale mentions of DISCONIGMEM [+ + +]
Author: Mike Rapoport <rppt@kernel.org>
Date:   Mon Jun 28 19:42:55 2021 -0700

    arch, mm: remove stale mentions of DISCONIGMEM
    
    [ Upstream commit d3c251ab95b69f3dc189c4657baeac1b4c050789 ]
    
    There are several places that mention DISCONIGMEM in comments or have
    stale code guarded by CONFIG_DISCONTIGMEM.
    
    Remove the dead code and update the comments.
    
    Link: https://lkml.kernel.org/r/20210608091316.3622-7-rppt@kernel.org
    Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
    Acked-by: Arnd Bergmann <arnd@arndb.de>
    Reviewed-by: David Hildenbrand <david@redhat.com>
    Cc: Geert Uytterhoeven <geert@linux-m68k.org>
    Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: Matt Turner <mattst88@gmail.com>
    Cc: Richard Henderson <rth@twiddle.net>
    Cc: Vineet Gupta <vgupta@synopsys.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Stable-dep-of: e1a9ae457369 ("mips: Fix max_mapnr being uninitialized on early stages")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property [+ + +]
Author: Mao Jinlong <quic_jinlmao@quicinc.com>
Date:   Sat Dec 9 23:26:29 2023 -0800

    arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property
    
    [ Upstream commit 9a6fc510a6a3ec150cb7450aec1e5f257e6fc77b ]
    
    Add the inport of funnel@3023000 to fix 'in-ports' is a required property
    warning.
    
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Mao Jinlong <quic_jinlmao@quicinc.com>
    Link: https://lore.kernel.org/r/20231210072633.4243-3-quic_jinlmao@quicinc.com
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property [+ + +]
Author: Mao Jinlong <quic_jinlmao@quicinc.com>
Date:   Sat Dec 9 23:26:30 2023 -0800

    arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property
    
    [ Upstream commit ae5ee3562a2519214b12228545e88a203dd68bbd ]
    
    out-ports is a required property for coresight ETM. Add out-ports for
    ETM nodes to fix the warning.
    
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Mao Jinlong <quic_jinlmao@quicinc.com>
    Link: https://lore.kernel.org/r/20231210072633.4243-4-quic_jinlmao@quicinc.com
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: qcom: sdm845: fix USB wakeup interrupt types [+ + +]
Author: Johan Hovold <johan+linaro@kernel.org>
Date:   Mon Nov 20 17:43:28 2023 +0100

    arm64: dts: qcom: sdm845: fix USB wakeup interrupt types
    
    commit 84ad9ac8d9ca29033d589e79a991866b38e23b85 upstream.
    
    The DP/DM wakeup interrupts are edge triggered and which edge to trigger
    on depends on use-case and whether a Low speed or Full/High speed device
    is connected.
    
    Fixes: ca4db2b538a1 ("arm64: dts: qcom: sdm845: Add USB-related nodes")
    Cc: stable@vger.kernel.org      # 4.20
    Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
    Link: https://lore.kernel.org/r/20231120164331.8116-9-johan+linaro@kernel.org
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ARM: dts: imx1: Fix sram node [+ + +]
Author: Fabio Estevam <festevam@denx.de>
Date:   Wed Dec 6 09:39:21 2023 -0300

    ARM: dts: imx1: Fix sram node
    
    [ Upstream commit c248e535973088ba7071ff6f26ab7951143450af ]
    
    Per sram.yaml, address-cells, size-cells and ranges are mandatory.
    
    The node name should be sram.
    
    Change the node name and pass the required properties to fix the
    following dt-schema warnings:
    
    imx1-apf9328.dtb: esram@300000: $nodename:0: 'esram@300000' does not match '^sram(@.*)?'
            from schema $id: http://devicetree.org/schemas/sram/sram.yaml#
    imx1-apf9328.dtb: esram@300000: '#address-cells' is a required property
            from schema $id: http://devicetree.org/schemas/sram/sram.yaml#
    imx1-apf9328.dtb: esram@300000: '#size-cells' is a required property
            from schema $id: http://devicetree.org/schemas/sram/sram.yaml#
    imx1-apf9328.dtb: esram@300000: 'ranges' is a required property
            from schema $id: http://devicetree.org/schemas/sram/sram.yaml#
    
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: imx23-sansa: Use preferred i2c-gpios properties [+ + +]
Author: Fabio Estevam <festevam@denx.de>
Date:   Thu Dec 7 07:12:12 2023 -0300

    ARM: dts: imx23-sansa: Use preferred i2c-gpios properties
    
    [ Upstream commit e3aa1a82fb20ee97597022f6528823a8ab82bde6 ]
    
    The 'gpios' property to describe the SDA and SCL GPIOs is considered
    deprecated according to i2c-gpio.yaml.
    
    Switch to the preferred 'sda-gpios' and 'scl-gpios' properties.
    
    This fixes the following schema warnings:
    
    imx23-sansa.dtb: i2c-0: 'sda-gpios' is a required property
            from schema $id: http://devicetree.org/schemas/i2c/i2c-gpio.yaml#
    imx23-sansa.dtb: i2c-0: 'scl-gpios' is a required property
            from schema $id: http://devicetree.org/schemas/i2c/i2c-gpio.yaml#
    
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: imx23/28: Fix the DMA controller node name [+ + +]
Author: Fabio Estevam <festevam@denx.de>
Date:   Thu Dec 7 07:26:31 2023 -0300

    ARM: dts: imx23/28: Fix the DMA controller node name
    
    [ Upstream commit 858d83ca4b50bbc8693d95cc94310e6d791fb2e6 ]
    
    Per fsl,mxs-dma.yaml, the node name should be 'dma-controller'.
    
    Change it to fix the following dt-schema warning.
    
    imx28-apf28.dtb: dma-apbx@80024000: $nodename:0: 'dma-apbx@80024000' does not match '^dma-controller(@.*)?$'
            from schema $id: http://devicetree.org/schemas/dma/fsl,mxs-dma.yaml#
    
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: imx25/27-eukrea: Fix RTC node name [+ + +]
Author: Fabio Estevam <festevam@denx.de>
Date:   Wed Dec 6 08:58:26 2023 -0300

    ARM: dts: imx25/27-eukrea: Fix RTC node name
    
    [ Upstream commit 68c711b882c262e36895547cddea2c2d56ce611d ]
    
    Node names should be generic. Use 'rtc' as node name to fix
    the following dt-schema warning:
    
    imx25-eukrea-mbimxsd25-baseboard.dtb: pcf8563@51: $nodename:0: 'pcf8563@51' does not match '^rtc(@.*|-([0-9]|[1-9][0-9]+))?$'
            from schema $id: http://devicetree.org/schemas/rtc/nxp,pcf8563.yaml#
    
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: imx25/27: Pass timing0 [+ + +]
Author: Fabio Estevam <festevam@denx.de>
Date:   Wed Dec 6 17:14:05 2023 -0300

    ARM: dts: imx25/27: Pass timing0
    
    [ Upstream commit 11ab7ad6f795ae23c398a4a5c56505d3dab27c4c ]
    
    Per display-timings.yaml, the 'timing' pattern should be used to
    describe the display timings.
    
    Change it accordingly to fix the following dt-schema warning:
    
    imx27-apf27dev.dtb: display-timings: '800x480' does not match any of the regexes: '^timing', 'pinctrl-[0-9]+'
            from schema $id: http://devicetree.org/schemas/display/panel/display-timings.yaml#
    
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: imx27-apf27dev: Fix LED name [+ + +]
Author: Fabio Estevam <festevam@denx.de>
Date:   Wed Dec 6 17:19:05 2023 -0300

    ARM: dts: imx27-apf27dev: Fix LED name
    
    [ Upstream commit dc35e253d032b959d92e12f081db5b00db26ae64 ]
    
    Per leds-gpio.yaml, the led names should start with 'led'.
    
    Change it to fix the following dt-schema warning:
    
    imx27-apf27dev.dtb: leds: 'user' does not match any of the regexes: '(^led-[0-9a-f]$|led)', 'pinctrl-[0-9]+'
            from schema $id: http://devicetree.org/schemas/leds/leds-gpio.yaml#
    
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: imx27: Fix sram node [+ + +]
Author: Fabio Estevam <festevam@denx.de>
Date:   Wed Dec 6 09:39:20 2023 -0300

    ARM: dts: imx27: Fix sram node
    
    [ Upstream commit 2fb7b2a2f06bb3f8321cf26c33e4e820c5b238b6 ]
    
    Per sram.yaml, address-cells, size-cells and ranges are mandatory.
    
    Pass them to fix the following dt-schema warnings:
    
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: imx7d: Fix coresight funnel ports [+ + +]
Author: Alexander Stein <alexander.stein@ew.tq-group.com>
Date:   Thu Oct 12 10:15:53 2023 +0200

    ARM: dts: imx7d: Fix coresight funnel ports
    
    [ Upstream commit 0d4ac04fa7c3f6dc263dba6f575a2ec7a2d4eca8 ]
    
    imx7d uses two ports for 'in-ports', so the syntax port@<num> has to
    be used. imx7d has both port and port@1 nodes present, raising these
    error:
    funnel@30041000: in-ports: More than one condition true in oneOf schema
    funnel@30041000: Unevaluated properties are not allowed
    ('in-ports' was unexpected)
    
    Fix this by also using port@0 for imx7s as well.
    
    Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: imx7s: Fix lcdif compatible [+ + +]
Author: Alexander Stein <alexander.stein@ew.tq-group.com>
Date:   Thu Oct 12 10:15:54 2023 +0200

    ARM: dts: imx7s: Fix lcdif compatible
    
    [ Upstream commit 5f55da4cc37051cda600ea870ce8cf29f1297715 ]
    
    imx7d-lcdif is compatible to imx6sx-lcdif. MXSFB_V6 supports overlay
    by using LCDC_AS_CTRL register. This registers used by overlay plane:
    * LCDC_AS_CTRL
    * LCDC_AS_BUF
    * LCDC_AS_NEXT_BUF
    are listed in i.MX7D RM as well.
    
    Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: imx7s: Fix nand-controller #size-cells [+ + +]
Author: Alexander Stein <alexander.stein@ew.tq-group.com>
Date:   Thu Oct 12 10:15:55 2023 +0200

    ARM: dts: imx7s: Fix nand-controller #size-cells
    
    [ Upstream commit 4aadb841ed49bada1415c48c44d21f5b69e01299 ]
    
    nand-controller.yaml bindings says #size-cells shall be set to 0.
    Fixes the dtbs_check warning:
    arch/arm/boot/dts/nxp/imx/imx7s-mba7.dtb: nand-controller@33002000:
     #size-cells:0:0: 0 was expected
      from schema $id: http://devicetree.org/schemas/mtd/gpmi-nand.yaml#
    
    Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: imx: Use flash@0,0 pattern [+ + +]
Author: Fabio Estevam <festevam@denx.de>
Date:   Wed Dec 6 09:36:05 2023 -0300

    ARM: dts: imx: Use flash@0,0 pattern
    
    [ Upstream commit 1e1d7cc478fb16816de09740e3c323c0c188d58f ]
    
    Per mtd-physmap.yaml, 'nor@0,0' is not a valid node pattern.
    
    Change it to 'flash@0,0' to fix the following dt-schema warning:
    
    imx1-ads.dtb: nor@0,0: $nodename:0: 'nor@0,0' does not match '^(flash|.*sram|nand)(@.*)?$'
            from schema $id: http://devicetree.org/schemas/mtd/mtd-physmap.yaml#
    
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: rockchip: fix rk3036 hdmi ports node [+ + +]
Author: Johan Jonker <jbx6244@gmail.com>
Date:   Mon Dec 4 18:40:27 2023 +0100

    ARM: dts: rockchip: fix rk3036 hdmi ports node
    
    [ Upstream commit 27ded76ef0fcfcf939914532aae575cf23c221b4 ]
    
    Fix hdmi ports node so that it matches the
    rockchip,inno-hdmi.yaml binding.
    
    Signed-off-by: Johan Jonker <jbx6244@gmail.com>
    Link: https://lore.kernel.org/r/9a2afac1-ed5c-382d-02b0-b2f5f1af3abb@gmail.com
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument [+ + +]
Author: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Date:   Tue Nov 21 14:07:51 2023 +0200

    ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument
    
    [ Upstream commit 67c7666fe808c3a7af3cc6f9d0a3dd3acfd26115 ]
    
    The virtual widget example makes use of an undefined SND_SOC_DAPM_NOPM
    argument passed to SND_SOC_DAPM_MIXER().  Replace with the correct
    SND_SOC_NOPM definition.
    
    Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
    Link: https://lore.kernel.org/r/20231121120751.77355-1-cristian.ciocaltea@collabora.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work() [+ + +]
Author: Alexey Khoroshilov <khoroshilov@ispras.ru>
Date:   Sun Feb 11 12:58:34 2024 +0300

    ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
    
    [ Upstream commit 6ef5d5b92f7117b324efaac72b3db27ae8bb3082 ]
    
    There is a path in rt5645_jack_detect_work(), where rt5645->jd_mutex
    is left locked forever. That may lead to deadlock
    when rt5645_jack_detect_work() is called for the second time.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: cdba4301adda ("ASoC: rt5650: add mutex to avoid the jack detection failure")
    Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
    Link: https://lore.kernel.org/r/1707645514-21196-1-git-send-email-khoroshilov@ispras.ru
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
atm: idt77252: fix a memleak in open_card_ubr0 [+ + +]
Author: Zhipeng Lu <alexious@zju.edu.cn>
Date:   Thu Feb 1 20:41:05 2024 +0800

    atm: idt77252: fix a memleak in open_card_ubr0
    
    [ Upstream commit f3616173bf9be9bf39d131b120d6eea4e6324cb5 ]
    
    When alloc_scq fails, card->vcs[0] (i.e. vc) should be freed. Otherwise,
    in the following call chain:
    
    idt77252_init_one
      |-> idt77252_dev_open
            |-> open_card_ubr0
                  |-> alloc_scq [failed]
      |-> deinit_card
            |-> vfree(card->vcs);
    
    card->vcs is freed and card->vcs[0] is leaked.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
    Reviewed-by: Jiri Pirko <jiri@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
audit: Send netlink ACK before setting connection in auditd_set [+ + +]
Author: Chris Riches <chris.riches@nutanix.com>
Date:   Wed Oct 18 09:23:51 2023 +0000

    audit: Send netlink ACK before setting connection in auditd_set
    
    [ Upstream commit 022732e3d846e197539712e51ecada90ded0572a ]
    
    When auditd_set sets the auditd_conn pointer, audit messages can
    immediately be put on the socket by other kernel threads. If the backlog
    is large or the rate is high, this can immediately fill the socket
    buffer. If the audit daemon requested an ACK for this operation, a full
    socket buffer causes the ACK to get dropped, also setting ENOBUFS on the
    socket.
    
    To avoid this race and ensure ACKs get through, fast-track the ACK in
    this specific case to ensure it is sent before auditd_conn is set.
    
    Signed-off-by: Chris Riches <chris.riches@nutanix.com>
    [PM: fix some tab vs space damage]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
binder: signal epoll threads of self-work [+ + +]
Author: Carlos Llamas <cmllamas@google.com>
Date:   Wed Jan 31 21:53:46 2024 +0000

    binder: signal epoll threads of self-work
    
    commit 97830f3c3088638ff90b20dfba2eb4d487bf14d7 upstream.
    
    In (e)poll mode, threads often depend on I/O events to determine when
    data is ready for consumption. Within binder, a thread may initiate a
    command via BINDER_WRITE_READ without a read buffer and then make use
    of epoll_wait() or similar to consume any responses afterwards.
    
    It is then crucial that epoll threads are signaled via wakeup when they
    queue their own work. Otherwise, they risk waiting indefinitely for an
    event leaving their work unhandled. What is worse, subsequent commands
    won't trigger a wakeup either as the thread has pending work.
    
    Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
    Cc: Arve Hjønnevåg <arve@android.com>
    Cc: Martijn Coenen <maco@android.com>
    Cc: Alice Ryhl <aliceryhl@google.com>
    Cc: Steven Moreland <smoreland@google.com>
    Cc: stable@vger.kernel.org # v4.19+
    Signed-off-by: Carlos Llamas <cmllamas@google.com>
    Link: https://lore.kernel.org/r/20240131215347.1808751-1-cmllamas@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
blk-mq: fix IO hang from sbitmap wakeup race [+ + +]
Author: Ming Lei <ming.lei@redhat.com>
Date:   Fri Jan 12 20:26:26 2024 +0800

    blk-mq: fix IO hang from sbitmap wakeup race
    
    [ Upstream commit 5266caaf5660529e3da53004b8b7174cab6374ed ]
    
    In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered
    with the following blk_mq_get_driver_tag() in case of getting driver
    tag failure.
    
    Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe
    the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime
    blk_mq_mark_tag_wait() can't get driver tag successfully.
    
    This issue can be reproduced by running the following test in loop, and
    fio hang can be observed in < 30min when running it on my test VM
    in laptop.
    
            modprobe -r scsi_debug
            modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4
            dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`
            fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \
                    --runtime=100 --numjobs=40 --time_based --name=test \
                    --ioengine=libaio
    
    Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which
    is just fine in case of running out of tag.
    
    Cc: Jan Kara <jack@suse.cz>
    Cc: Kemeng Shi <shikemeng@huaweicloud.com>
    Reported-by: Changhui Zhong <czhong@redhat.com>
    Signed-off-by: Ming Lei <ming.lei@redhat.com>
    Link: https://lore.kernel.org/r/20240112122626.4181044-1-ming.lei@redhat.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
block: prevent an integer overflow in bvec_try_merge_hw_page [+ + +]
Author: Christoph Hellwig <hch@lst.de>
Date:   Mon Dec 4 18:34:18 2023 +0100

    block: prevent an integer overflow in bvec_try_merge_hw_page
    
    [ Upstream commit 3f034c374ad55773c12dd8f3c1607328e17c0072 ]
    
    Reordered a check to avoid a possible overflow when adding len to bv_len.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Link: https://lore.kernel.org/r/20231204173419.782378-2-hch@lst.de
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

block: Remove special-casing of compound pages [+ + +]
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date:   Mon Aug 14 15:41:00 2023 +0100

    block: Remove special-casing of compound pages
    
    commit 1b151e2435fc3a9b10c8946c6aebe9f3e1938c55 upstream.
    
    The special casing was originally added in pre-git history; reproducing
    the commit log here:
    
    > commit a318a92567d77
    > Author: Andrew Morton <akpm@osdl.org>
    > Date:   Sun Sep 21 01:42:22 2003 -0700
    >
    >     [PATCH] Speed up direct-io hugetlbpage handling
    >
    >     This patch short-circuits all the direct-io page dirtying logic for
    >     higher-order pages.  Without this, we pointlessly bounce BIOs up to
    >     keventd all the time.
    
    In the last twenty years, compound pages have become used for more than
    just hugetlb.  Rewrite these functions to operate on folios instead
    of pages and remove the special case for hugetlbfs; I don't think
    it's needed any more (and if it is, we can put it back in as a call
    to folio_test_hugetlb()).
    
    This was found by inspection; as far as I can tell, this bug can lead
    to pages used as the destination of a direct I/O read not being marked
    as dirty.  If those pages are then reclaimed by the MM without being
    dirtied for some other reason, they won't be written out.  Then when
    they're faulted back in, they will not contain the data they should.
    It'll take a pretty unusual setup to produce this problem with several
    races all going the wrong way.
    
    This problem predates the folio work; it could for example have been
    triggered by mmaping a THP in tmpfs and using that as the target of an
    O_DIRECT read.
    
    Fixes: 800d8c63b2e98 ("shmem: add huge pages support")
    Cc:  <stable@vger.kernel.org>
    Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
bonding: remove print in bond_verify_device_path [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Thu Nov 23 09:55:15 2023 +0800

    bonding: remove print in bond_verify_device_path
    
    commit 486058f42a4728053ae69ebbf78e9731d8ce6f8b upstream.
    
    As suggested by Paolo in link[1], if the memory allocation fails, the mm
    layer will emit a lot warning comprising the backtrace, so remove the
    print.
    
    [1] https://lore.kernel.org/all/20231118081653.1481260-1-shaozhengchao@huawei.com/
    
    Suggested-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Sat Nov 18 16:16:53 2023 +0800

    bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk
    
    [ Upstream commit d6b83f1e3707c4d60acfa58afd3515e17e5d5384 ]
    
    If failed to allocate "tags" or could not find the final upper device from
    start_dev's upper list in bond_verify_device_path(), only the loopback
    detection of the current upper device should be affected, and the system is
    no need to be panic.
    So return -ENOMEM in alb_upper_dev_walk to stop walking, print some warn
    information when failed to allocate memory for vlan tags in
    bond_verify_device_path.
    
    I also think that the following function calls
    netdev_walk_all_upper_dev_rcu
    ---->>>alb_upper_dev_walk
    ---------->>>bond_verify_device_path
    From this way, "end device" can eventually be obtained from "start device"
    in bond_verify_device_path, IS_ERR(tags) could be instead of
    IS_ERR_OR_NULL(tags) in alb_upper_dev_walk.
    
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
    Link: https://lore.kernel.org/r/20231118081653.1481260-1-shaozhengchao@huawei.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf: Add map and need_defer parameters to .map_fd_put_ptr() [+ + +]
Author: Hou Tao <houtao1@huawei.com>
Date:   Mon Dec 4 22:04:20 2023 +0800

    bpf: Add map and need_defer parameters to .map_fd_put_ptr()
    
    [ Upstream commit 20c20bd11a0702ce4dc9300c3da58acf551d9725 ]
    
    map is the pointer of outer map, and need_defer needs some explanation.
    need_defer tells the implementation to defer the reference release of
    the passed element and ensure that the element is still alive before
    the bpf program, which may manipulate it, exits.
    
    The following three cases will invoke map_fd_put_ptr() and different
    need_defer values will be passed to these callers:
    
    1) release the reference of the old element in the map during map update
       or map deletion. The release must be deferred, otherwise the bpf
       program may incur use-after-free problem, so need_defer needs to be
       true.
    2) release the reference of the to-be-added element in the error path of
       map update. The to-be-added element is not visible to any bpf
       program, so it is OK to pass false for need_defer parameter.
    3) release the references of all elements in the map during map release.
       Any bpf program which has access to the map must have been exited and
       released, so need_defer=false will be OK.
    
    These two parameters will be used by the following patches to fix the
    potential use-after-free problem for map-in-map.
    
    Signed-off-by: Hou Tao <houtao1@huawei.com>
    Link: https://lore.kernel.org/r/20231204140425.1480317-3-houtao@huaweicloud.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args [+ + +]
Author: Qu Wenruo <wqu@suse.com>
Date:   Wed Jan 10 08:58:26 2024 +1030

    btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args
    
    commit 173431b274a9a54fc10b273b46e67f46bcf62d2e upstream.
    
    Add extra sanity check for btrfs_ioctl_defrag_range_args::flags.
    
    This is not really to enhance fuzzing tests, but as a preparation for
    future expansion on btrfs_ioctl_defrag_range_args.
    
    In the future we're going to add new members, allowing more fine tuning
    for btrfs defrag.  Without the -ENONOTSUPP error, there would be no way
    to detect if the kernel supports those new defrag features.
    
    CC: stable@vger.kernel.org # 4.14+
    Reviewed-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: Qu Wenruo <wqu@suse.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: don't warn if discard range is not aligned to sector [+ + +]
Author: David Sterba <dsterba@suse.com>
Date:   Mon Jan 15 20:30:26 2024 +0100

    btrfs: don't warn if discard range is not aligned to sector
    
    commit a208b3f132b48e1f94f620024e66fea635925877 upstream.
    
    There's a warning in btrfs_issue_discard() when the range is not aligned
    to 512 bytes, originally added in 4d89d377bbb0 ("btrfs:
    btrfs_issue_discard ensure offset/length are aligned to sector
    boundaries"). We can't do sub-sector writes anyway so the adjustment is
    the only thing that we can do and the warning is unnecessary.
    
    CC: stable@vger.kernel.org # 4.19+
    Reported-by: syzbot+4a4f1eba14eb5c3417d1@syzkaller.appspotmail.com
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Reviewed-by: Anand Jain <anand.jain@oracle.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: forbid creating subvol qgroups [+ + +]
Author: Boris Burkov <boris@bur.io>
Date:   Wed Jan 10 17:51:26 2024 -0800

    btrfs: forbid creating subvol qgroups
    
    commit 0c309d66dacddf8ce939b891d9ead4a8e21ad6f0 upstream.
    
    Creating a qgroup 0/subvolid leads to various races and it isn't
    helpful, because you can't specify a subvol id when creating a subvol,
    so you can't be sure it will be the right one. Any requirements on the
    automatic subvol can be gratified by using a higher level qgroup and the
    inheritance parameters of subvol creation.
    
    Fixes: cecbb533b5fc ("btrfs: record simple quota deltas in delayed refs")
    CC: stable@vger.kernel.org # 4.14+
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Signed-off-by: Boris Burkov <boris@bur.io>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: forbid deleting live subvol qgroup [+ + +]
Author: Boris Burkov <boris@bur.io>
Date:   Wed Jan 10 17:30:00 2024 -0800

    btrfs: forbid deleting live subvol qgroup
    
    commit a8df35619948bd8363d330c20a90c9a7fbff28c0 upstream.
    
    If a subvolume still exists, forbid deleting its qgroup 0/subvolid.
    This behavior generally leads to incorrect behavior in squotas and
    doesn't have a legitimate purpose.
    
    Fixes: cecbb533b5fc ("btrfs: record simple quota deltas in delayed refs")
    CC: stable@vger.kernel.org # 5.4+
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Signed-off-by: Boris Burkov <boris@bur.io>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: ref-verify: free ref cache before clearing mount opt [+ + +]
Author: Fedor Pchelkin <pchelkin@ispras.ru>
Date:   Wed Jan 3 13:31:27 2024 +0300

    btrfs: ref-verify: free ref cache before clearing mount opt
    
    commit f03e274a8b29d1d1c1bbd7f764766cb5ca537ab7 upstream.
    
    As clearing REF_VERIFY mount option indicates there were some errors in a
    ref-verify process, a ref cache is not relevant anymore and should be
    freed.
    
    btrfs_free_ref_cache() requires REF_VERIFY option being set so call
    it just before clearing the mount option.
    
    Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
    
    Reported-by: syzbot+be14ed7728594dc8bd42@syzkaller.appspotmail.com
    Fixes: fd708b81d972 ("Btrfs: add a extent ref verify tool")
    CC: stable@vger.kernel.org # 5.4+
    Closes: https://lore.kernel.org/lkml/000000000000e5a65c05ee832054@google.com/
    Reported-by: syzbot+c563a3c79927971f950f@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/lkml/0000000000007fe09705fdc6086c@google.com/
    Reviewed-by: Anand Jain <anand.jain@oracle.com>
    Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: send: return EOPNOTSUPP on unknown flags [+ + +]
Author: David Sterba <dsterba@suse.com>
Date:   Wed Jan 10 17:48:44 2024 +0100

    btrfs: send: return EOPNOTSUPP on unknown flags
    
    commit f884a9f9e59206a2d41f265e7e403f080d10b493 upstream.
    
    When some ioctl flags are checked we return EOPNOTSUPP, like for
    BTRFS_SCRUB_SUPPORTED_FLAGS, BTRFS_SUBVOL_CREATE_ARGS_MASK or fallocate
    modes. The EINVAL is supposed to be for a supported but invalid
    values or combination of options. Fix that when checking send flags so
    it's consistent with the rest.
    
    CC: stable@vger.kernel.org # 4.14+
    Link: https://lore.kernel.org/linux-btrfs/CAL3q7H5rryOLzp3EKq8RTbjMHMHeaJubfpsVLF6H4qJnKCUR1w@mail.gmail.com/
    Reviewed-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: tree-checker: fix inline ref size in error messages [+ + +]
Author: Chung-Chiang Cheng <cccheng@synology.com>
Date:   Fri Jan 12 15:41:05 2024 +0800

    btrfs: tree-checker: fix inline ref size in error messages
    
    commit f398e70dd69e6ceea71463a5380e6118f219197e upstream.
    
    The error message should accurately reflect the size rather than the
    type.
    
    Fixes: f82d1c7ca8ae ("btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check")
    CC: stable@vger.kernel.org # 5.4+
    Reviewed-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Signed-off-by: Chung-Chiang Cheng <cccheng@synology.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
bus: moxtet: Add spi device table [+ + +]
Author: Sjoerd Simons <sjoerd@collabora.com>
Date:   Tue Nov 28 22:35:05 2023 +0100

    bus: moxtet: Add spi device table
    
    [ Upstream commit aaafe88d5500ba18b33be72458439367ef878788 ]
    
    The moxtet module fails to auto-load on. Add a SPI id table to
    allow it to do so.
    
    Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
    Cc:  <stable@vger.kernel.org>
    Reviewed-by: Marek Behún <kabel@kernel.org>
    Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) [+ + +]
Author: Oleksij Rempel <o.rempel@pengutronix.de>
Date:   Fri Oct 20 15:38:14 2023 +0200

    can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
    
    commit efe7cf828039aedb297c1f9920b638fffee6aabc upstream.
    
    Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)
    modifies jsk->filters while receiving packets.
    
    Following trace was seen on affected system:
     ==================================================================
     BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
     Read of size 4 at addr ffff888012144014 by task j1939/350
    
     CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
     Call Trace:
      print_report+0xd3/0x620
      ? kasan_complete_mode_report_info+0x7d/0x200
      ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
      kasan_report+0xc2/0x100
      ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
      __asan_load4+0x84/0xb0
      j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
      j1939_sk_recv+0x20b/0x320 [can_j1939]
      ? __kasan_check_write+0x18/0x20
      ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
      ? j1939_simple_recv+0x69/0x280 [can_j1939]
      ? j1939_ac_recv+0x5e/0x310 [can_j1939]
      j1939_can_recv+0x43f/0x580 [can_j1939]
      ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
      ? raw_rcv+0x42/0x3c0 [can_raw]
      ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
      can_rcv_filter+0x11f/0x350 [can]
      can_receive+0x12f/0x190 [can]
      ? __pfx_can_rcv+0x10/0x10 [can]
      can_rcv+0xdd/0x130 [can]
      ? __pfx_can_rcv+0x10/0x10 [can]
      __netif_receive_skb_one_core+0x13d/0x150
      ? __pfx___netif_receive_skb_one_core+0x10/0x10
      ? __kasan_check_write+0x18/0x20
      ? _raw_spin_lock_irq+0x8c/0xe0
      __netif_receive_skb+0x23/0xb0
      process_backlog+0x107/0x260
      __napi_poll+0x69/0x310
      net_rx_action+0x2a1/0x580
      ? __pfx_net_rx_action+0x10/0x10
      ? __pfx__raw_spin_lock+0x10/0x10
      ? handle_irq_event+0x7d/0xa0
      __do_softirq+0xf3/0x3f8
      do_softirq+0x53/0x80
      </IRQ>
      <TASK>
      __local_bh_enable_ip+0x6e/0x70
      netif_rx+0x16b/0x180
      can_send+0x32b/0x520 [can]
      ? __pfx_can_send+0x10/0x10 [can]
      ? __check_object_size+0x299/0x410
      raw_sendmsg+0x572/0x6d0 [can_raw]
      ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
      ? apparmor_socket_sendmsg+0x2f/0x40
      ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
      sock_sendmsg+0xef/0x100
      sock_write_iter+0x162/0x220
      ? __pfx_sock_write_iter+0x10/0x10
      ? __rtnl_unlock+0x47/0x80
      ? security_file_permission+0x54/0x320
      vfs_write+0x6ba/0x750
      ? __pfx_vfs_write+0x10/0x10
      ? __fget_light+0x1ca/0x1f0
      ? __rcu_read_unlock+0x5b/0x280
      ksys_write+0x143/0x170
      ? __pfx_ksys_write+0x10/0x10
      ? __kasan_check_read+0x15/0x20
      ? fpregs_assert_state_consistent+0x62/0x70
      __x64_sys_write+0x47/0x60
      do_syscall_64+0x60/0x90
      ? do_syscall_64+0x6d/0x90
      ? irqentry_exit+0x3f/0x50
      ? exc_page_fault+0x79/0xf0
      entry_SYSCALL_64_after_hwframe+0x6e/0xd8
    
     Allocated by task 348:
      kasan_save_stack+0x2a/0x50
      kasan_set_track+0x29/0x40
      kasan_save_alloc_info+0x1f/0x30
      __kasan_kmalloc+0xb5/0xc0
      __kmalloc_node_track_caller+0x67/0x160
      j1939_sk_setsockopt+0x284/0x450 [can_j1939]
      __sys_setsockopt+0x15c/0x2f0
      __x64_sys_setsockopt+0x6b/0x80
      do_syscall_64+0x60/0x90
      entry_SYSCALL_64_after_hwframe+0x6e/0xd8
    
     Freed by task 349:
      kasan_save_stack+0x2a/0x50
      kasan_set_track+0x29/0x40
      kasan_save_free_info+0x2f/0x50
      __kasan_slab_free+0x12e/0x1c0
      __kmem_cache_free+0x1b9/0x380
      kfree+0x7a/0x120
      j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
      __sys_setsockopt+0x15c/0x2f0
      __x64_sys_setsockopt+0x6b/0x80
      do_syscall_64+0x60/0x90
      entry_SYSCALL_64_after_hwframe+0x6e/0xd8
    
    Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
    Reported-by: Sili Luo <rootlab@huawei.com>
    Suggested-by: Sili Luo <rootlab@huawei.com>
    Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Link: https://lore.kernel.org/all/20231020133814.383996-1-o.rempel@pengutronix.de
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ceph: fix deadlock or deadcode of misusing dget() [+ + +]
Author: Xiubo Li <xiubli@redhat.com>
Date:   Fri Nov 17 13:26:18 2023 +0800

    ceph: fix deadlock or deadcode of misusing dget()
    
    [ Upstream commit b493ad718b1f0357394d2cdecbf00a44a36fa085 ]
    
    The lock order is incorrect between denty and its parent, we should
    always make sure that the parent get the lock first.
    
    But since this deadcode is never used and the parent dir will always
    be set from the callers, let's just remove it.
    
    Link: https://lore.kernel.org/r/20231116081919.GZ1957730@ZenIV
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Xiubo Li <xiubli@redhat.com>
    Reviewed-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() [+ + +]
Author: Kuan-Wei Chiu <visitorckw@gmail.com>
Date:   Mon Dec 11 00:50:40 2023 +0800

    clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()
    
    [ Upstream commit bfbea9e5667cfa9552c3d88f023386f017f6c308 ]
    
    In cases where kcalloc() fails for the 'clk_data->clks' allocation, the
    code path does not handle the failure gracefully, potentially leading
    to a memory leak. This fix ensures proper cleanup by freeing the
    allocated memory for 'clk_data' before returning.
    
    Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
    Link: https://lore.kernel.org/r/20231210165040.3407545-1-visitorckw@gmail.com
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() [+ + +]
Author: Kuan-Wei Chiu <visitorckw@gmail.com>
Date:   Mon Dec 11 01:52:32 2023 +0800

    clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()
    
    [ Upstream commit 2fbabea626b6467eb4e6c4cb7a16523da12e43b4 ]
    
    In cases where mapping of mpmu/apmu/apbc registers fails, the code path
    does not handle the failure gracefully, potentially leading to a memory
    leak. This fix ensures proper cleanup by freeing the allocated memory
    for 'pxa_unit' before returning.
    
    Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
    Link: https://lore.kernel.org/r/20231210175232.3414584-1-visitorckw@gmail.com
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
crypto: api - Disallow identical driver names [+ + +]
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Thu Dec 7 18:36:57 2023 +0800

    crypto: api - Disallow identical driver names
    
    commit 27016f75f5ed47e2d8e0ca75a8ff1f40bc1a5e27 upstream.
    
    Disallow registration of two algorithms with identical driver names.
    
    Cc: <stable@vger.kernel.org>
    Reported-by: Ovidiu Panait <ovidiu.panait@windriver.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

crypto: stm32/crc32 - fix parsing list of devices [+ + +]
Author: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Date:   Fri Dec 15 12:17:24 2023 +0100

    crypto: stm32/crc32 - fix parsing list of devices
    
    [ Upstream commit 0eaef675b94c746900dcea7f6c41b9a103ed5d53 ]
    
    smatch warnings:
    drivers/crypto/stm32/stm32-crc32.c:108 stm32_crc_get_next_crc() warn:
    can 'crc' even be NULL?
    
    Use list_first_entry_or_null instead of list_first_entry to retrieve
    the first device registered.
    The function list_first_entry always return a non NULL pointer even if
    the list is empty. Hence checking if the pointer returned is NULL does
    not tell if the list is empty or not.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/r/202311281111.ou2oUL2i-lkp@intel.com/
    Reported-by: Dan Carpenter <error27@gmail.com>
    Closes: https://lore.kernel.org/r/202311281111.ou2oUL2i-lkp@intel.com/
    Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV [+ + +]
Author: Frank Li <Frank.Li@nxp.com>
Date:   Tue Jan 23 12:28:41 2024 -0500

    dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV
    
    [ Upstream commit a22fe1d6dec7e98535b97249fdc95c2be79120bb ]
    
    is_slave_direction() should return true when direction is DMA_DEV_TO_DEV.
    
    Fixes: 49920bc66984 ("dmaengine: add new enum dma_transfer_direction")
    Signed-off-by: Frank Li <Frank.Li@nxp.com>
    Link: https://lore.kernel.org/r/20240123172842.3764529-1-Frank.Li@nxp.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA [+ + +]
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sun Jan 7 11:02:04 2024 +0100

    dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA
    
    [ Upstream commit 3aa58cb51318e329d203857f7a191678e60bb714 ]
    
    This dma_alloc_coherent() is undone neither in the remove function, nor in
    the error handling path of fsl_qdma_probe().
    
    Switch to the managed version to fix both issues.
    
    Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Link: https://lore.kernel.org/r/7f66aa14f59d32b13672dde28602b47deb294e1f.1704621515.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA [+ + +]
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sun Jan 7 11:02:03 2024 +0100

    dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA
    
    [ Upstream commit 968bc1d7203d384e72afe34124a1801b7af76514 ]
    
    This dma_alloc_coherent() is undone in the remove function, but not in the
    error handling path of fsl_qdma_probe().
    
    Switch to the managed version to fix the issue in the probe and simplify
    the remove function.
    
    Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Link: https://lore.kernel.org/r/a0ef5d0f5a47381617ef339df776ddc68ce48173.1704621515.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()' [+ + +]
Author: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Date:   Wed Dec 27 12:54:44 2023 +0530

    drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'
    
    [ Upstream commit bf2ad4fb8adca89374b54b225d494e0b1956dbea ]
    
    Return value of container_of(...) can't be null, so null check is not
    required for 'fence'. Hence drop its NULL check.
    
    Fixes the below:
    drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c:93 to_amdgpu_amdkfd_fence() warn: can 'fence' even be NULL?
    
    Cc: Felix Kuehling <Felix.Kuehling@amd.com>
    Cc: Christian König <christian.koenig@amd.com>
    Cc: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
    Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdgpu: Let KFD sync with VM fences [+ + +]
Author: Felix Kuehling <Felix.Kuehling@amd.com>
Date:   Mon Dec 18 16:17:23 2023 -0500

    drm/amdgpu: Let KFD sync with VM fences
    
    [ Upstream commit ec9ba4821fa52b5efdbc4cdf0a77497990655231 ]
    
    Change the rules for amdgpu_sync_resv to let KFD synchronize with VM
    fences on page table reservations. This fixes intermittent memory
    corruption after evictions when using amdgpu_vm_handle_moved to update
    page tables for VM mappings managed through render nodes.
    
    Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()' [+ + +]
Author: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Date:   Thu Dec 21 18:13:11 2023 +0530

    drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()'
    
    [ Upstream commit 8a44fdd3cf91debbd09b43bd2519ad2b2486ccf4 ]
    
    In function 'amdgpu_device_need_post(struct amdgpu_device *adev)' -
    'adev->pm.fw' may not be released before return.
    
    Using the function release_firmware() to release adev->pm.fw.
    
    Thus fixing the below:
    drivers/gpu/drm/amd/amdgpu/amdgpu_device.c:1571 amdgpu_device_need_post() warn: 'adev->pm.fw' from request_firmware() not released on lines: 1554.
    
    Cc: Monk Liu <Monk.Liu@amd.com>
    Cc: Christian König <christian.koenig@amd.com>
    Cc: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
    Suggested-by: Lijo Lazar <lijo.lazar@amd.com>
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Mon Dec 4 15:29:00 2023 +0300

    drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking
    
    commit 914437992876838662c968cb416f832110fb1093 upstream.
    
    The i2c_master_send/recv() functions return negative error codes or the
    number of bytes that were able to be sent/received.  This code has
    two problems.  1)  Instead of checking if all the bytes were sent or
    received, it checks that at least one byte was sent or received.
    2) If there was a partial send/receive then we should return a negative
    error code but this code returns success.
    
    Fixes: a9fe713d7d45 ("drm/bridge: Add PTN3460 bridge driver")
    Cc: stable@vger.kernel.org
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Reviewed-by: Robert Foss <rfoss@kernel.org>
    Signed-off-by: Robert Foss <rfoss@kernel.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/0cdc2dce-ca89-451a-9774-1482ab2f4762@moroto.mountain
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/bridge: nxp-ptn3460: simplify some error checking [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Wed Dec 6 18:05:15 2023 +0300

    drm/bridge: nxp-ptn3460: simplify some error checking
    
    commit 28d3d0696688154cc04983f343011d07bf0508e4 upstream.
    
    The i2c_master_send/recv() functions return negative error codes or
    they return "len" on success.  So the error handling here can be written
    as just normal checks for "if (ret < 0) return ret;".  No need to
    complicate things.
    
    Btw, in this code the "len" parameter can never be zero, but even if
    it were, then I feel like this would still be the best way to write it.
    
    Fixes: 914437992876 ("drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking")
    Suggested-by: Neil Armstrong <neil.armstrong@linaro.org>
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Reviewed-by: Robert Foss <rfoss@kernel.org>
    Signed-off-by: Robert Foss <rfoss@kernel.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/04242630-42d8-4920-8c67-24ac9db6b3c9@moroto.mountain
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/drm_file: fix use of uninitialized variable [+ + +]
Author: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Date:   Fri Nov 3 15:14:03 2023 +0200

    drm/drm_file: fix use of uninitialized variable
    
    [ Upstream commit 1d3062fad9c7313fff9970a88e0538a24480ffb8 ]
    
    smatch reports:
    
    drivers/gpu/drm/drm_file.c:967 drm_show_memory_stats() error: uninitialized symbol 'supported_status'.
    
    'supported_status' is only set in one code path. I'm not familiar with
    the code to say if that path will always be ran in real life, but
    whether that is the case or not, I think it is good to initialize
    'supported_status' to 0 to silence the warning (and possibly fix a bug).
    
    Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
    Acked-by: Maxime Ripard <mripard@kernel.org>
    Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-1-c22b2444f5f5@ideasonboard.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time [+ + +]
Author: Douglas Anderson <dianders@chromium.org>
Date:   Thu Sep 21 12:26:52 2023 -0700

    drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time
    
    [ Upstream commit 16ac5b21b31b439f03cdf44c153c5f5af94fb3eb ]
    
    Based on grepping through the source code this driver appears to be
    missing a call to drm_atomic_helper_shutdown() at system shutdown time
    and at driver unbind time. Among other things, this means that if a
    panel is in use that it won't be cleanly powered off at system
    shutdown time.
    
    The fact that we should call drm_atomic_helper_shutdown() in the case
    of OS shutdown/restart and at driver remove (or unbind) time comes
    straight out of the kernel doc "driver instance overview" in
    drm_drv.c.
    
    A few notes about this fix:
    - When adding drm_atomic_helper_shutdown() to the unbind path, I added
      it after drm_kms_helper_poll_fini() since that's when other drivers
      seemed to have it.
    - Technically with a previous patch, ("drm/atomic-helper:
      drm_atomic_helper_shutdown(NULL) should be a noop"), we don't
      actually need to check to see if our "drm" pointer is NULL before
      calling drm_atomic_helper_shutdown(). We'll leave the "if" test in,
      though, so that this patch can land without any dependencies. It
      could potentially be removed later.
    - This patch also makes sure to set the drvdata to NULL in the case of
      bind errors to make sure that shutdown can't access freed data.
    
    Suggested-by: Maxime Ripard <mripard@kernel.org>
    Reviewed-by: Maxime Ripard <mripard@kernel.org>
    Signed-off-by: Douglas Anderson <dianders@chromium.org>
    Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Signed-off-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/exynos: fix accidental on-stack copy of exynos_drm_plane [+ + +]
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Thu Dec 14 13:32:15 2023 +0100

    drm/exynos: fix accidental on-stack copy of exynos_drm_plane
    
    [ Upstream commit 960b537e91725bcb17dd1b19e48950e62d134078 ]
    
    gcc rightfully complains about excessive stack usage in the fimd_win_set_pixfmt()
    function:
    
    drivers/gpu/drm/exynos/exynos_drm_fimd.c: In function 'fimd_win_set_pixfmt':
    drivers/gpu/drm/exynos/exynos_drm_fimd.c:750:1: error: the frame size of 1032 bytes is larger than 1024 byte
    drivers/gpu/drm/exynos/exynos5433_drm_decon.c: In function 'decon_win_set_pixfmt':
    drivers/gpu/drm/exynos/exynos5433_drm_decon.c:381:1: error: the frame size of 1032 bytes is larger than 1024 bytes
    
    There is really no reason to copy the large exynos_drm_plane
    structure to the stack before using one of its members, so just
    use a pointer instead.
    
    Fixes: 6f8ee5c21722 ("drm/exynos: fimd: Make plane alpha configurable")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Signed-off-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume [+ + +]
Author: Fedor Pchelkin <pchelkin@ispras.ru>
Date:   Wed Dec 20 12:53:15 2023 +0300

    drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume
    
    [ Upstream commit 4050957c7c2c14aa795dbf423b4180d5ac04e113 ]
    
    Do not forget to call clk_disable_unprepare() on the first element of
    ctx->clocks array.
    
    Found by Linux Verification Center (linuxtesting.org).
    
    Fixes: 8b7d3ec83aba ("drm/exynos: gsc: Convert driver to IPP v2 core API")
    Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
    Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Signed-off-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/framebuffer: Fix use of uninitialized variable [+ + +]
Author: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Date:   Fri Nov 3 15:14:04 2023 +0200

    drm/framebuffer: Fix use of uninitialized variable
    
    [ Upstream commit f9af8f0c1dc567a5a6a6318ff324c45d80d4a60f ]
    
    smatch reports:
    
    drivers/gpu/drm/drm_framebuffer.c:654 drm_mode_getfb2_ioctl() error: uninitialized symbol 'ret'.
    
    'ret' is possibly not set when there are no errors, causing the error
    above. I can't say if that ever happens in real-life, but in any case I
    think it is good to initialize 'ret' to 0.
    
    Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
    Acked-by: Maxime Ripard <mripard@kernel.org>
    Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-2-c22b2444f5f5@ideasonboard.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/mipi-dsi: Fix detach call without attach [+ + +]
Author: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Date:   Thu Sep 21 13:50:32 2023 +0300

    drm/mipi-dsi: Fix detach call without attach
    
    [ Upstream commit 90d50b8d85834e73536fdccd5aa913b30494fef0 ]
    
    It's been reported that DSI host driver's detach can be called without
    the attach ever happening:
    
    https://lore.kernel.org/all/20230412073954.20601-1-tony@atomide.com/
    
    After reading the code, I think this is what happens:
    
    We have a DSI host defined in the device tree and a DSI peripheral under
    that host (i.e. an i2c device using the DSI as data bus doesn't exhibit
    this behavior).
    
    The host driver calls mipi_dsi_host_register(), which causes (via a few
    functions) mipi_dsi_device_add() to be called for the DSI peripheral. So
    now we have a DSI device under the host, but attach hasn't been called.
    
    Normally the probing of the devices continues, and eventually the DSI
    peripheral's driver will call mipi_dsi_attach(), attaching the
    peripheral.
    
    However, if the host driver's probe encounters an error after calling
    mipi_dsi_host_register(), and before the peripheral has called
    mipi_dsi_attach(), the host driver will do cleanups and return an error
    from its probe function. The cleanups include calling
    mipi_dsi_host_unregister().
    
    mipi_dsi_host_unregister() will call two functions for all its DSI
    peripheral devices: mipi_dsi_detach() and mipi_dsi_device_unregister().
    The latter makes sense, as the device exists, but the former may be
    wrong as attach has not necessarily been done.
    
    To fix this, track the attached state of the peripheral, and only detach
    from mipi_dsi_host_unregister() if the peripheral was attached.
    
    Note that I have only tested this with a board with an i2c DSI
    peripheral, not with a "pure" DSI peripheral.
    
    However, slightly related, the unregister machinery still seems broken.
    E.g. if the DSI host driver is unbound, it'll detach and unregister the
    DSI peripherals. After that, when the DSI peripheral driver unbound
    it'll call detach either directly or using the devm variant, leading to
    a crash. And probably the driver will crash if it happens, for some
    reason, to try to send a message via the DSI bus.
    
    But that's another topic.
    
    Tested-by: H. Nikolaus Schaller <hns@goldelico.com>
    Acked-by: Maxime Ripard <mripard@kernel.org>
    Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Tested-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20230921-dsi-detach-fix-v1-1-d0de2d1621d9@ideasonboard.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/msm/dpu: Ratelimit framedone timeout msgs [+ + +]
Author: Rob Clark <robdclark@chromium.org>
Date:   Mon Dec 11 10:19:55 2023 -0800

    drm/msm/dpu: Ratelimit framedone timeout msgs
    
    [ Upstream commit 2b72e50c62de60ad2d6bcd86aa38d4ccbdd633f2 ]
    
    When we start getting these, we get a *lot*.  So ratelimit it to not
    flood dmesg.
    
    Signed-off-by: Rob Clark <robdclark@chromium.org>
    Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
    Reviewed-by: Marijn Suijten <marijn.suijten@somainline.org>
    Patchwork: https://patchwork.freedesktop.org/patch/571584/
    Link: https://lore.kernel.org/r/20231211182000.218088-1-robdclark@gmail.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/msm/dsi: Enable runtime PM [+ + +]
Author: Konrad Dybcio <konrad.dybcio@linaro.org>
Date:   Mon Jan 29 16:09:02 2024 +0530

    drm/msm/dsi: Enable runtime PM
    
    [ Upstream commit 6ab502bc1cf3147ea1d8540d04b83a7a4cb6d1f1 ]
    
    Some devices power the DSI PHY/PLL through a power rail that we model
    as a GENPD. Enable runtime PM to make it suspendable.
    
    Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Patchwork: https://patchwork.freedesktop.org/patch/543352/
    Link: https://lore.kernel.org/r/20230620-topic-dsiphy_rpm-v2-2-a11a751f34f0@linaro.org
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Stable-dep-of: 3d07a411b4fa ("drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks")
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm: Don't unref the same fb many times by mistake due to deadlock handling [+ + +]
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Mon Dec 11 10:16:24 2023 +0200

    drm: Don't unref the same fb many times by mistake due to deadlock handling
    
    commit cb4daf271302d71a6b9a7c01bd0b6d76febd8f0c upstream.
    
    If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()
    we proceed to unref the fb and then retry the whole thing from the top.
    But we forget to reset the fb pointer back to NULL, and so if we then
    get another error during the retry, before the fb lookup, we proceed
    the unref the same fb again without having gotten another reference.
    The end result is that the fb will (eventually) end up being freed
    while it's still in use.
    
    Reset fb to NULL once we've unreffed it to avoid doing it again
    until we've done another fb lookup.
    
    This turned out to be pretty easy to hit on a DG2 when doing async
    flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I
    saw that drm_closefb() simply got stuck in a busy loop while walking
    the framebuffer list. Fortunately I was able to convince it to oops
    instead, and from there it was easier to track down the culprit.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20231211081625.25704-1-ville.syrjala@linux.intel.com
    Acked-by: Javier Martinez Canillas <javierm@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ecryptfs: Reject casefold directory inodes [+ + +]
Author: Gabriel Krisman Bertazi <krisman@suse.de>
Date:   Fri Aug 11 14:38:12 2023 -0400

    ecryptfs: Reject casefold directory inodes
    
    [ Upstream commit cd72c7ef5fed44272272a105b1da22810c91be69 ]
    
    Even though it seems to be able to resolve some names of
    case-insensitive directories, the lack of d_hash and d_compare means we
    end up with a broken state in the d_cache.  Considering it was never a
    goal to support these two together, and we are preparing to use
    d_revalidate in case-insensitive filesystems, which would make the
    combination even more broken, reject any attempt to get a casefolded
    inode from ecryptfs.
    
    Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
    Reviewed-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ext4: allow for the last group to be marked as trimmed [+ + +]
Author: Suraj Jitindar Singh <surajjs@amazon.com>
Date:   Wed Dec 13 16:16:35 2023 +1100

    ext4: allow for the last group to be marked as trimmed
    
    commit 7c784d624819acbeefb0018bac89e632467cca5a upstream.
    
    The ext4 filesystem tracks the trim status of blocks at the group
    level.  When an entire group has been trimmed then it is marked as
    such and subsequent trim invocations with the same minimum trim size
    will not be attempted on that group unless it is marked as able to be
    trimmed again such as when a block is freed.
    
    Currently the last group can't be marked as trimmed due to incorrect
    logic in ext4_last_grp_cluster(). ext4_last_grp_cluster() is supposed
    to return the zero based index of the last cluster in a group. This is
    then used by ext4_try_to_trim_range() to determine if the trim
    operation spans the entire group and as such if the trim status of the
    group should be recorded.
    
    ext4_last_grp_cluster() takes a 0 based group index, thus the valid
    values for grp are 0..(ext4_get_groups_count - 1). Any group index
    less than (ext4_get_groups_count - 1) is not the last group and must
    have EXT4_CLUSTERS_PER_GROUP(sb) clusters. For the last group we need
    to calculate the number of clusters based on the number of blocks in
    the group. Finally subtract 1 from the number of clusters as zero
    based indexing is expected.  Rearrange the function slightly to make
    it clear what we are calculating and returning.
    
    Reproducer:
    // Create file system where the last group has fewer blocks than
    // blocks per group
    $ mkfs.ext4 -b 4096 -g 8192 /dev/nvme0n1 8191
    $ mount /dev/nvme0n1 /mnt
    
    Before Patch:
    $ fstrim -v /mnt
    /mnt: 25.9 MiB (27156480 bytes) trimmed
    // Group not marked as trimmed so second invocation still discards blocks
    $ fstrim -v /mnt
    /mnt: 25.9 MiB (27156480 bytes) trimmed
    
    After Patch:
    fstrim -v /mnt
    /mnt: 25.9 MiB (27156480 bytes) trimmed
    // Group marked as trimmed so second invocation DOESN'T discard any blocks
    fstrim -v /mnt
    /mnt: 0 B (0 bytes) trimmed
    
    Fixes: 45e4ab320c9b ("ext4: move setting of trimmed bit into ext4_try_to_trim_range()")
    Cc:  <stable@vger.kernel.org> # 4.19+
    Signed-off-by: Suraj Jitindar Singh <surajjs@amazon.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20231213051635.37731-1-surajjs@amazon.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: avoid online resizing failures due to oversized flex bg [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Mon Oct 23 09:30:56 2023 +0800

    ext4: avoid online resizing failures due to oversized flex bg
    
    [ Upstream commit 5d1935ac02ca5aee364a449a35e2977ea84509b0 ]
    
    When we online resize an ext4 filesystem with a oversized flexbg_size,
    
         mkfs.ext4 -F -G 67108864 $dev -b 4096 100M
         mount $dev $dir
         resize2fs $dev 16G
    
    the following WARN_ON is triggered:
    ==================================================================
    WARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550
    Modules linked in: sg(E)
    CPU: 0 PID: 427 Comm: resize2fs Tainted: G  E  6.6.0-rc5+ #314
    RIP: 0010:__alloc_pages+0x411/0x550
    Call Trace:
     <TASK>
     __kmalloc_large_node+0xa2/0x200
     __kmalloc+0x16e/0x290
     ext4_resize_fs+0x481/0xd80
     __ext4_ioctl+0x1616/0x1d90
     ext4_ioctl+0x12/0x20
     __x64_sys_ioctl+0xf0/0x150
     do_syscall_64+0x3b/0x90
    ==================================================================
    
    This is because flexbg_size is too large and the size of the new_group_data
    array to be allocated exceeds MAX_ORDER. Currently, the minimum value of
    MAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding
    maximum number of groups that can be allocated is:
    
     (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845
    
    And the value that is down-aligned to the power of 2 is 16384. Therefore,
    this value is defined as MAX_RESIZE_BG, and the number of groups added
    each time does not exceed this value during resizing, and is added multiple
    times to complete the online resizing. The difference is that the metadata
    in a flex_bg may be more dispersed.
    
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20231023013057.2117948-4-libaokun1@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: fix double-free of blocks due to wrong extents moved_len [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Thu Jan 4 22:20:33 2024 +0800

    ext4: fix double-free of blocks due to wrong extents moved_len
    
    commit 55583e899a5357308274601364741a83e78d6ac4 upstream.
    
    In ext4_move_extents(), moved_len is only updated when all moves are
    successfully executed, and only discards orig_inode and donor_inode
    preallocations when moved_len is not zero. When the loop fails to exit
    after successfully moving some extents, moved_len is not updated and
    remains at 0, so it does not discard the preallocations.
    
    If the moved extents overlap with the preallocated extents, the
    overlapped extents are freed twice in ext4_mb_release_inode_pa() and
    ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4:
    Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is
    incremented twice. Hence when trim is executed, a zero-division bug is
    triggered in mb_update_avg_fragment_size() because bb_free is not zero
    and bb_fragments is zero.
    
    Therefore, update move_len after each extent move to avoid the issue.
    
    Reported-by: Wei Chen <harperchen1110@gmail.com>
    Reported-by: xingwei lee <xrivendell7@gmail.com>
    Closes: https://lore.kernel.org/r/CAO4mrferzqBUnCag8R3m2zf897ts9UEuhjFQGPtODT92rYyR2Q@mail.gmail.com
    Fixes: fcf6b1b729bc ("ext4: refactor ext4_move_extents code base")
    CC:  <stable@vger.kernel.org> # 3.18
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20240104142040.2835097-2-libaokun1@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ext4: fix inconsistent between segment fstrim and full fstrim [+ + +]
Author: Ye Bin <yebin10@huawei.com>
Date:   Sat Dec 16 09:09:19 2023 +0800

    ext4: fix inconsistent between segment fstrim and full fstrim
    
    [ Upstream commit 68da4c44b994aea797eb9821acb3a4a36015293e ]
    
    Suppose we issue two FITRIM ioctls for ranges [0,15] and [16,31] with
    mininum length of trimmed range set to 8 blocks. If we have say a range of
    blocks 10-22 free, this range will not be trimmed because it straddles the
    boundary of the two FITRIM ranges and neither part is big enough. This is a
    bit surprising to some users that call FITRIM on smaller ranges of blocks
    to limit impact on the system. Also XFS trims all free space extents that
    overlap with the specified range so we are inconsistent among filesystems.
    Let's change ext4_try_to_trim_range() to consider for trimming the whole
    free space extent that straddles the end of specified range, not just the
    part of it within the range.
    
    Signed-off-by: Ye Bin <yebin10@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20231216010919.1995851-1-yebin10@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: remove unnecessary check from alloc_flex_gd() [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Mon Oct 23 09:30:55 2023 +0800

    ext4: remove unnecessary check from alloc_flex_gd()
    
    [ Upstream commit b099eb87de105cf07cad731ded6fb40b2675108b ]
    
    In commit 967ac8af4475 ("ext4: fix potential integer overflow in
    alloc_flex_gd()"), an overflow check is added to alloc_flex_gd() to
    prevent the allocated memory from being smaller than expected due to
    the overflow. However, after kmalloc() is replaced with kmalloc_array()
    in commit 6da2ec56059c ("treewide: kmalloc() -> kmalloc_array()"), the
    kmalloc_array() function has an overflow check, so the above problem
    will not occur. Therefore, the extra check is removed.
    
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20231023013057.2117948-3-libaokun1@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: unify the type of flexbg_size to unsigned int [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Mon Oct 23 09:30:54 2023 +0800

    ext4: unify the type of flexbg_size to unsigned int
    
    [ Upstream commit 658a52344fb139f9531e7543a6e0015b630feb38 ]
    
    The maximum value of flexbg_size is 2^31, but the maximum value of int
    is (2^31 - 1), so overflow may occur when the type of flexbg_size is
    declared as int.
    
    For example, when uninit_mask is initialized in ext4_alloc_group_tables(),
    if flexbg_size == 2^31, the initialized uninit_mask is incorrect, and this
    may causes set_flexbg_block_bitmap() to trigger a BUG_ON().
    
    Therefore, the flexbg_size type is declared as unsigned int to avoid
    overflow and memory waste.
    
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20231023013057.2117948-2-libaokun1@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
f2fs: fix to check return value of f2fs_reserve_new_block() [+ + +]
Author: Chao Yu <chao@kernel.org>
Date:   Thu Nov 16 14:25:56 2023 +0800

    f2fs: fix to check return value of f2fs_reserve_new_block()
    
    [ Upstream commit 956fa1ddc132e028f3b7d4cf17e6bfc8cb36c7fd ]
    
    Let's check return value of f2fs_reserve_new_block() in do_recover_data()
    rather than letting it fails silently.
    
    Also refactoring check condition on return value of f2fs_reserve_new_block()
    as below:
    - trigger f2fs_bug_on() only for ENOSPC case;
    - use do-while statement to avoid redundant codes;
    
    Signed-off-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
fast_dput(): handle underflows gracefully [+ + +]
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Nov 1 01:08:54 2023 -0400

    fast_dput(): handle underflows gracefully
    
    [ Upstream commit 504e08cebe1d4e1efe25f915234f646e74a364a8 ]
    
    If refcount is less than 1, we should just warn, unlock dentry and
    return true, so that the caller doesn't try to do anything else.
    
    Taking care of that leaves the rest of "lockref_put_return() has
    failed" case equivalent to "decrement refcount and rejoin the
    normal slow path after the point where we grab ->d_lock".
    
    NOTE: lockref_put_return() is strictly a fastpath thing - unlike
    the rest of lockref primitives, it does not contain a fallback.
    Caller (and it looks like fast_dput() is the only legitimate one
    in the entire kernel) has to do that itself.  Reasons for
    lockref_put_return() failures:
            * ->d_lock held by somebody
            * refcount <= 0
            * ... or an architecture not supporting lockref use of
    cmpxchg - sparc, anything non-SMP, config with spinlock debugging...
    
    We could add a fallback, but it would be a clumsy API - we'd have
    to distinguish between:
            (1) refcount > 1 - decremented, lock not held on return
            (2) refcount < 1 - left alone, probably no sense to hold the lock
            (3) refcount is 1, no cmphxcg - decremented, lock held on return
            (4) refcount is 1, cmphxcg supported - decremented, lock *NOT* held
                on return.
    We want to return with no lock held in case (4); that's the whole point of that
    thing.  We very much do not want to have the fallback in case (3) return without
    a lock, since the caller might have to retake it in that case.
    So it wouldn't be more convenient than doing the fallback in the caller and
    it would be very easy to screw up, especially since the test coverage would
    suck - no way to test (3) and (4) on the same kernel build.
    
    Reviewed-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
firewire: core: correct documentation of fw_csr_string() kernel API [+ + +]
Author: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Date:   Thu Feb 1 20:53:18 2024 +0900

    firewire: core: correct documentation of fw_csr_string() kernel API
    
    commit 5f9ab17394f831cb7986ec50900fa37507a127f1 upstream.
    
    Against its current description, the kernel API can accepts all types of
    directory entries.
    
    This commit corrects the documentation.
    
    Cc: stable@vger.kernel.org
    Fixes: 3c2c58cb33b3 ("firewire: core: fw_csr_string addendum")
    Link: https://lore.kernel.org/r/20240130100409.30128-2-o-takashi@sakamocchi.jp
    Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fjes: fix memleaks in fjes_hw_setup [+ + +]
Author: Zhipeng Lu <alexious@zju.edu.cn>
Date:   Tue Jan 23 01:24:42 2024 +0800

    fjes: fix memleaks in fjes_hw_setup
    
    [ Upstream commit f6cc4b6a3ae53df425771000e9c9540cce9b7bb1 ]
    
    In fjes_hw_setup, it allocates several memory and delay the deallocation
    to the fjes_hw_exit in fjes_probe through the following call chain:
    
    fjes_probe
      |-> fjes_hw_init
            |-> fjes_hw_setup
      |-> fjes_hw_exit
    
    However, when fjes_hw_setup fails, fjes_hw_exit won't be called and thus
    all the resources allocated in fjes_hw_setup will be leaked. In this
    patch, we free those resources in fjes_hw_setup and prevents such leaks.
    
    Fixes: 2fcbca687702 ("fjes: platform_driver's .probe and .remove routine")
    Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://lore.kernel.org/r/20240122172445.3841883-1-alexious@zju.edu.cn
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
fs/kernfs/dir: obey S_ISGID [+ + +]
Author: Max Kellermann <max.kellermann@ionos.com>
Date:   Fri Dec 8 10:33:10 2023 +0100

    fs/kernfs/dir: obey S_ISGID
    
    [ Upstream commit 5133bee62f0ea5d4c316d503cc0040cac5637601 ]
    
    Handling of S_ISGID is usually done by inode_init_owner() in all other
    filesystems, but kernfs doesn't use that function.  In kernfs, struct
    kernfs_node is the primary data structure, and struct inode is only
    created from it on demand.  Therefore, inode_init_owner() can't be
    used and we need to imitate its behavior.
    
    S_ISGID support is useful for the cgroup filesystem; it allows
    subtrees managed by an unprivileged process to retain a certain owner
    gid, which then enables sharing access to the subtree with another
    unprivileged process.
    
    --
    v1 -> v2: minor coding style fix (comment)
    
    Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
    Acked-by: Tejun Heo <tj@kernel.org>
    Link: https://lore.kernel.org/r/20231208093310.297233-2-max.kellermann@ionos.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
fs: add mode_strip_sgid() helper [+ + +]
Author: Yang Xu <xuyang2018.jy@fujitsu.com>
Date:   Wed Jan 24 14:00:25 2024 +0100

    fs: add mode_strip_sgid() helper
    
    commit 2b3416ceff5e6bd4922f6d1c61fb68113dd82302 upstream.
    
    [remove userns argument of helper for 5.4.y backport]
    
    Add a dedicated helper to handle the setgid bit when creating a new file
    in a setgid directory. This is a preparatory patch for moving setgid
    stripping into the vfs. The patch contains no functional changes.
    
    Currently the setgid stripping logic is open-coded directly in
    inode_init_owner() and the individual filesystems are responsible for
    handling setgid inheritance. Since this has proven to be brittle as
    evidenced by old issues we uncovered over the last months (see [1] to
    [3] below) we will try to move this logic into the vfs.
    
    Link: e014f37db1a2 ("xfs: use setattr_copy to set vfs inode attributes") [1]
    Link: 01ea173e103e ("xfs: fix up non-directory creation in SGID directories") [2]
    Link: fd84bfdddd16 ("ceph: fix up non-directory creation in SGID directories") [3]
    Link: https://lore.kernel.org/r/1657779088-2242-1-git-send-email-xuyang2018.jy@fujitsu.com
    Reviewed-by: Darrick J. Wong <djwong@kernel.org>
    Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
    Reviewed-and-Tested-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Yang Xu <xuyang2018.jy@fujitsu.com>
    Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [commit 347750e1b69cef62966fbc5bd7dc579b4c00688a upstream
            backported from 5.10.y, resolved context conflicts]
    Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fs: move S_ISGID stripping into the vfs_*() helpers [+ + +]
Author: Yang Xu <xuyang2018.jy@fujitsu.com>
Date:   Wed Jan 24 14:00:26 2024 +0100

    fs: move S_ISGID stripping into the vfs_*() helpers
    
    commit 1639a49ccdce58ea248841ed9b23babcce6dbb0b upstream.
    
    [remove userns argument of helpers for 5.4.y backport]
    
    Move setgid handling out of individual filesystems and into the VFS
    itself to stop the proliferation of setgid inheritance bugs.
    
    Creating files that have both the S_IXGRP and S_ISGID bit raised in
    directories that themselves have the S_ISGID bit set requires additional
    privileges to avoid security issues.
    
    When a filesystem creates a new inode it needs to take care that the
    caller is either in the group of the newly created inode or they have
    CAP_FSETID in their current user namespace and are privileged over the
    parent directory of the new inode. If any of these two conditions is
    true then the S_ISGID bit can be raised for an S_IXGRP file and if not
    it needs to be stripped.
    
    However, there are several key issues with the current implementation:
    
    * S_ISGID stripping logic is entangled with umask stripping.
    
      If a filesystem doesn't support or enable POSIX ACLs then umask
      stripping is done directly in the vfs before calling into the
      filesystem.
      If the filesystem does support POSIX ACLs then unmask stripping may be
      done in the filesystem itself when calling posix_acl_create().
    
      Since umask stripping has an effect on S_ISGID inheritance, e.g., by
      stripping the S_IXGRP bit from the file to be created and all relevant
      filesystems have to call posix_acl_create() before inode_init_owner()
      where we currently take care of S_ISGID handling S_ISGID handling is
      order dependent. IOW, whether or not you get a setgid bit depends on
      POSIX ACLs and umask and in what order they are called.
    
      Note that technically filesystems are free to impose their own
      ordering between posix_acl_create() and inode_init_owner() meaning
      that there's additional ordering issues that influence S_SIGID
      inheritance.
    
    * Filesystems that don't rely on inode_init_owner() don't get S_ISGID
      stripping logic.
    
      While that may be intentional (e.g. network filesystems might just
      defer setgid stripping to a server) it is often just a security issue.
    
    This is not just ugly it's unsustainably messy especially since we do
    still have bugs in this area years after the initial round of setgid
    bugfixes.
    
    So the current state is quite messy and while we won't be able to make
    it completely clean as posix_acl_create() is still a filesystem specific
    call we can improve the S_SIGD stripping situation quite a bit by
    hoisting it out of inode_init_owner() and into the vfs creation
    operations. This means we alleviate the burden for filesystems to handle
    S_ISGID stripping correctly and can standardize the ordering between
    S_ISGID and umask stripping in the vfs.
    
    We add a new helper vfs_prepare_mode() so S_ISGID handling is now done
    in the VFS before umask handling. This has S_ISGID handling is
    unaffected unaffected by whether umask stripping is done by the VFS
    itself (if no POSIX ACLs are supported or enabled) or in the filesystem
    in posix_acl_create() (if POSIX ACLs are supported).
    
    The vfs_prepare_mode() helper is called directly in vfs_*() helpers that
    create new filesystem objects. We need to move them into there to make
    sure that filesystems like overlayfs hat have callchains like:
    
    sys_mknod()
    -> do_mknodat(mode)
       -> .mknod = ovl_mknod(mode)
          -> ovl_create(mode)
             -> vfs_mknod(mode)
    
    get S_ISGID stripping done when calling into lower filesystems via
    vfs_*() creation helpers. Moving vfs_prepare_mode() into e.g.
    vfs_mknod() takes care of that. This is in any case semantically cleaner
    because S_ISGID stripping is VFS security requirement.
    
    Security hooks so far have seen the mode with the umask applied but
    without S_ISGID handling done. The relevant hooks are called outside of
    vfs_*() creation helpers so by calling vfs_prepare_mode() from vfs_*()
    helpers the security hooks would now see the mode without umask
    stripping applied. For now we fix this by passing the mode with umask
    settings applied to not risk any regressions for LSM hooks. IOW, nothing
    changes for LSM hooks. It is worth pointing out that security hooks
    never saw the mode that is seen by the filesystem when actually creating
    the file. They have always been completely misplaced for that to work.
    
    The following filesystems use inode_init_owner() and thus relied on
    S_ISGID stripping: spufs, 9p, bfs, btrfs, ext2, ext4, f2fs, hfsplus,
    hugetlbfs, jfs, minix, nilfs2, ntfs3, ocfs2, omfs, overlayfs, ramfs,
    reiserfs, sysv, ubifs, udf, ufs, xfs, zonefs, bpf, tmpfs.
    
    All of the above filesystems end up calling inode_init_owner() when new
    filesystem objects are created through the ->mkdir(), ->mknod(),
    ->create(), ->tmpfile(), ->rename() inode operations.
    
    Since directories always inherit the S_ISGID bit with the exception of
    xfs when irix_sgid_inherit mode is turned on S_ISGID stripping doesn't
    apply. The ->symlink() and ->link() inode operations trivially inherit
    the mode from the target and the ->rename() inode operation inherits the
    mode from the source inode. All other creation inode operations will get
    S_ISGID handling via vfs_prepare_mode() when called from their relevant
    vfs_*() helpers.
    
    In addition to this there are filesystems which allow the creation of
    filesystem objects through ioctl()s or - in the case of spufs -
    circumventing the vfs in other ways. If filesystem objects are created
    through ioctl()s the vfs doesn't know about it and can't apply regular
    permission checking including S_ISGID logic. Therfore, a filesystem
    relying on S_ISGID stripping in inode_init_owner() in their ioctl()
    callpath will be affected by moving this logic into the vfs. We audited
    those filesystems:
    
    * btrfs allows the creation of filesystem objects through various
      ioctls(). Snapshot creation literally takes a snapshot and so the mode
      is fully preserved and S_ISGID stripping doesn't apply.
    
      Creating a new subvolum relies on inode_init_owner() in
      btrfs_new_subvol_inode() but only creates directories and doesn't
      raise S_ISGID.
    
    * ocfs2 has a peculiar implementation of reflinks. In contrast to e.g.
      xfs and btrfs FICLONE/FICLONERANGE ioctl() that is only concerned with
      the actual extents ocfs2 uses a separate ioctl() that also creates the
      target file.
    
      Iow, ocfs2 circumvents the vfs entirely here and did indeed rely on
      inode_init_owner() to strip the S_ISGID bit. This is the only place
      where a filesystem needs to call mode_strip_sgid() directly but this
      is self-inflicted pain.
    
    * spufs doesn't go through the vfs at all and doesn't use ioctl()s
      either. Instead it has a dedicated system call spufs_create() which
      allows the creation of filesystem objects. But spufs only creates
      directories and doesn't allo S_SIGID bits, i.e. it specifically only
      allows 0777 bits.
    
    * bpf uses vfs_mkobj() but also doesn't allow S_ISGID bits to be created.
    
    The patch will have an effect on ext2 when the EXT2_MOUNT_GRPID mount
    option is used, on ext4 when the EXT4_MOUNT_GRPID mount option is used,
    and on xfs when the XFS_FEAT_GRPID mount option is used. When any of
    these filesystems are mounted with their respective GRPID option then
    newly created files inherit the parent directories group
    unconditionally. In these cases non of the filesystems call
    inode_init_owner() and thus did never strip the S_ISGID bit for newly
    created files. Moving this logic into the VFS means that they now get
    the S_ISGID bit stripped. This is a user visible change. If this leads
    to regressions we will either need to figure out a better way or we need
    to revert. However, given the various setgid bugs that we found just in
    the last two years this is a regression risk we should take.
    
    Associated with this change is a new set of fstests to enforce the
    semantics for all new filesystems.
    
    Link: https://lore.kernel.org/ceph-devel/20220427092201.wvsdjbnc7b4dttaw@wittgenstein [1]
    Link: e014f37db1a2 ("xfs: use setattr_copy to set vfs inode attributes") [2]
    Link: 01ea173e103e ("xfs: fix up non-directory creation in SGID directories") [3]
    Link: fd84bfdddd16 ("ceph: fix up non-directory creation in SGID directories") [4]
    Link: https://lore.kernel.org/r/1657779088-2242-3-git-send-email-xuyang2018.jy@fujitsu.com
    Suggested-by: Dave Chinner <david@fromorbit.com>
    Suggested-by: Christian Brauner (Microsoft) <brauner@kernel.org>
    Reviewed-by: Darrick J. Wong <djwong@kernel.org>
    Reviewed-and-Tested-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Yang Xu <xuyang2018.jy@fujitsu.com>
    [<brauner@kernel.org>: rewrote commit message]
    Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [commit 94ac142c19f1016283a1860b07de7fa555385d31 upstream
            backported from 5.10.y, resolved context conflicts]
    Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree [+ + +]
Author: Osama Muhammad <osmtendev@gmail.com>
Date:   Wed Oct 11 23:46:37 2023 +0500

    FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
    
    [ Upstream commit 9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68 ]
    
    Syzkaller reported the following issue:
    
    UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6
    index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')
    CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
     ubsan_epilogue lib/ubsan.c:217 [inline]
     __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
     dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
     dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
     dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
     dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
     dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
     txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
     txUpdateMap+0x342/0x9e0
     txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
     jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
     kthread+0x2d3/0x370 kernel/kthread.c:388
     ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
     ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
     </TASK>
    ================================================================================
    Kernel panic - not syncing: UBSAN: panic_on_warn set ...
    CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
     panic+0x30f/0x770 kernel/panic.c:340
     check_panic_on_warn+0x82/0xa0 kernel/panic.c:236
     ubsan_epilogue lib/ubsan.c:223 [inline]
     __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348
     dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
     dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
     dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
     dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
     dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
     txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
     txUpdateMap+0x342/0x9e0
     txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
     jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
     kthread+0x2d3/0x370 kernel/kthread.c:388
     ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
     ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
     </TASK>
    Kernel Offset: disabled
    Rebooting in 86400 seconds..
    
    The issue is caused when the value of lp becomes greater than
    CTLTREESIZE which is the max size of stree. Adding a simple check
    solves this issue.
    
    Dave:
    As the function returns a void, good error handling
    would require a more intrusive code reorganization, so I modified
    Osama's patch at use WARN_ON_ONCE for lack of a cleaner option.
    
    The patch is tested via syzbot.
    
    Reported-by: syzbot+39ba34a099ac2e9bd3cb@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?extid=39ba34a099ac2e9bd3cb
    Signed-off-by: Osama Muhammad <osmtendev@gmail.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
gpio: eic-sprd: Clear interrupt after set the interrupt type [+ + +]
Author: Wenhua Lin <Wenhua.Lin@unisoc.com>
Date:   Tue Jan 9 15:38:48 2024 +0800

    gpio: eic-sprd: Clear interrupt after set the interrupt type
    
    [ Upstream commit 84aef4ed59705585d629e81d633a83b7d416f5fb ]
    
    The raw interrupt status of eic maybe set before the interrupt is enabled,
    since the eic interrupt has a latch function, which would trigger the
    interrupt event once enabled it from user side. To solve this problem,
    interrupts generated before setting the interrupt trigger type are ignored.
    
    Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support")
    Acked-by: Chunyan Zhang <zhang.lyra@gmail.com>
    Signed-off-by: Wenhua Lin <Wenhua.Lin@unisoc.com>
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 [+ + +]
Author: Mario Limonciello <mario.limonciello@amd.com>
Date:   Wed Jan 17 08:29:42 2024 -0600

    gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04
    
    commit 805c74eac8cb306dc69b87b6b066ab4da77ceaf1 upstream.
    
    Spurious wakeups are reported on the GPD G1619-04 which
    can be absolved by programming the GPIO to ignore wakeups.
    
    Cc: stable@vger.kernel.org
    Reported-and-tested-by: George Melikov <mail@gmelikov.ru>
    Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3073
    Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
HID: apple: Add 2021 magic keyboard FN key mapping [+ + +]
Author: Benjamin Berg <bberg@redhat.com>
Date:   Mon Nov 8 13:50:38 2021 +0100

    HID: apple: Add 2021 magic keyboard FN key mapping
    
    commit 531cb56972f2773c941499fcfb639cd5128dfb27 upstream.
    
    The new 2021 apple models have a different FN key assignment. Add a new
    translation table and use that for the 2021 magic keyboard.
    
    Signed-off-by: Benjamin Berg <bberg@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Aseda Aboagye <aaboagye@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

HID: apple: Add support for the 2021 Magic Keyboard [+ + +]
Author: Alex Henrie <alexhenrie24@gmail.com>
Date:   Fri Oct 8 01:37:01 2021 -0600

    HID: apple: Add support for the 2021 Magic Keyboard
    
    commit 0cd3be51733febb4f8acb92bcf55b75fe824dd05 upstream.
    
    Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Aseda Aboagye <aaboagye@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

HID: apple: Swap the Fn and Left Control keys on Apple keyboards [+ + +]
Author: free5lot <mail@free5lot.com>
Date:   Fri May 15 13:14:00 2020 +0700

    HID: apple: Swap the Fn and Left Control keys on Apple keyboards
    
    commit 346338ef00d35bf8338ded171f9abeb9b10b43df upstream.
    
    This patch allows users to swap the Fn and left Control keys on all Apple
    keyboards: internal (e.g. Macbooks) and external (both wired and wireless).
    The patch adds a new hid-apple module param: swap_fn_leftctrl (off by default).
    
    Signed-off-by: Zakhar Semenov <mail@free5lot.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Aseda Aboagye <aaboagye@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

HID: wacom: Do not register input devices until after hid_hw_start [+ + +]
Author: Jason Gerecke <killertofu@gmail.com>
Date:   Mon Jan 29 14:35:45 2024 -0800

    HID: wacom: Do not register input devices until after hid_hw_start
    
    commit c1d6708bf0d3dd976460d435373cf5abf21ce258 upstream.
    
    If a input device is opened before hid_hw_start is called, events may
    not be received from the hardware. In the case of USB-backed devices,
    for example, the hid_hw_start function is responsible for filling in
    the URB which is submitted when the input device is opened. If a device
    is opened prematurely, polling will never start because the device will
    not have been in the correct state to send the URB.
    
    Because the wacom driver registers its input devices before calling
    hid_hw_start, there is a window of time where a device can be opened
    and end up in an inoperable state. Some ARM-based Chromebooks in particular
    reliably trigger this bug.
    
    This commit splits the wacom_register_inputs function into two pieces.
    One which is responsible for setting up the allocated inputs (and runs
    prior to hid_hw_start so that devices are ready for any input events
    they may end up receiving) and another which only registers the devices
    (and runs after hid_hw_start to ensure devices can be immediately opened
    without issue). Note that the functions to initialize the LEDs and remotes
    are also moved after hid_hw_start to maintain their own dependency chains.
    
    Fixes: 7704ac937345 ("HID: wacom: implement generic HID handling for pen generic devices")
    Cc: stable@vger.kernel.org # v3.18+
    Suggested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
    Tested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

HID: wacom: generic: Avoid reporting a serial of '0' to userspace [+ + +]
Author: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
Date:   Thu Feb 1 13:40:55 2024 +0900

    HID: wacom: generic: Avoid reporting a serial of '0' to userspace
    
    commit ab41a31dd5e2681803642b6d08590b61867840ec upstream.
    
    The xf86-input-wacom driver does not treat '0' as a valid serial
    number and will drop any input report which contains an
    MSC_SERIAL = 0 event. The kernel driver already takes care to
    avoid sending any MSC_SERIAL event if the value of serial[0] == 0
    (which is the case for devices that don't actually report a
    serial number), but this is not quite sufficient.
    Only the lower 32 bits of the serial get reported to userspace,
    so if this portion of the serial is zero then there can still
    be problems.
    
    This commit allows the driver to report either the lower 32 bits
    if they are non-zero or the upper 32 bits otherwise.
    
    Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
    Signed-off-by: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
    Fixes: f85c9dc678a5 ("HID: wacom: generic: Support tool ID and additional tool types")
    CC: stable@vger.kernel.org # v4.10
    Signed-off-by: Jiri Kosina <jkosina@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
hrtimer: Report offline hrtimer enqueue [+ + +]
Author: Frederic Weisbecker <frederic@kernel.org>
Date:   Mon Jan 29 15:56:36 2024 -0800

    hrtimer: Report offline hrtimer enqueue
    
    commit dad6a09f3148257ac1773cd90934d721d68ab595 upstream.
    
    The hrtimers migration on CPU-down hotplug process has been moved
    earlier, before the CPU actually goes to die. This leaves a small window
    of opportunity to queue an hrtimer in a blind spot, leaving it ignored.
    
    For example a practical case has been reported with RCU waking up a
    SCHED_FIFO task right before the CPUHP_AP_IDLE_DEAD stage, queuing that
    way a sched/rt timer to the local offline CPU.
    
    Make sure such situations never go unnoticed and warn when that happens.
    
    Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier")
    Reported-by: Paul E. McKenney <paulmck@kernel.org>
    Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
    Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240129235646.3171983-4-boqun.feng@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
hwmon: (aspeed-pwm-tacho) mutex for tach reading [+ + +]
Author: Loic Prylli <lprylli@netflix.com>
Date:   Fri Nov 3 11:30:55 2023 +0100

    hwmon: (aspeed-pwm-tacho) mutex for tach reading
    
    [ Upstream commit 1168491e7f53581ba7b6014a39a49cfbbb722feb ]
    
    the ASPEED_PTCR_RESULT Register can only hold the result for a
    single fan input. Adding a mutex to protect the register until the
    reading is done.
    
    Signed-off-by: Loic Prylli <lprylli@netflix.com>
    Signed-off-by: Alexander Hansen <alexander.hansen@9elements.com>
    Fixes: 2d7a548a3eff ("drivers: hwmon: Support for ASPEED PWM/Fan tach")
    Link: https://lore.kernel.org/r/121d888762a1232ef403cf35230ccf7b3887083a.1699007401.git.alexander.hansen@9elements.com
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

hwmon: (coretemp) Fix bogus core_id to attr name mapping [+ + +]
Author: Zhang Rui <rui.zhang@intel.com>
Date:   Fri Feb 2 17:21:35 2024 +0800

    hwmon: (coretemp) Fix bogus core_id to attr name mapping
    
    [ Upstream commit fdaf0c8629d4524a168cb9e4ad4231875749b28c ]
    
    Before commit 7108b80a542b ("hwmon/coretemp: Handle large core ID
    value"), there is a fixed mapping between
    1. cpu_core_id
    2. the index in pdata->core_data[] array
    3. the sysfs attr name, aka "tempX_"
    The later two always equal cpu_core_id + 2.
    
    After the commit, pdata->core_data[] index is got from ida so that it
    can handle sparse core ids and support more cores within a package.
    
    However, the commit erroneously maps the sysfs attr name to
    pdata->core_data[] index instead of cpu_core_id + 2.
    
    As a result, the code is not aligned with the comments, and brings user
    visible changes in hwmon sysfs on systems with sparse core id.
    
    For example, before commit 7108b80a542b ("hwmon/coretemp: Handle large
    core ID value"),
    /sys/class/hwmon/hwmon2/temp2_label:Core 0
    /sys/class/hwmon/hwmon2/temp3_label:Core 1
    /sys/class/hwmon/hwmon2/temp4_label:Core 2
    /sys/class/hwmon/hwmon2/temp5_label:Core 3
    /sys/class/hwmon/hwmon2/temp6_label:Core 4
    /sys/class/hwmon/hwmon3/temp10_label:Core 8
    /sys/class/hwmon/hwmon3/temp11_label:Core 9
    after commit,
    /sys/class/hwmon/hwmon2/temp2_label:Core 0
    /sys/class/hwmon/hwmon2/temp3_label:Core 1
    /sys/class/hwmon/hwmon2/temp4_label:Core 2
    /sys/class/hwmon/hwmon2/temp5_label:Core 3
    /sys/class/hwmon/hwmon2/temp6_label:Core 4
    /sys/class/hwmon/hwmon2/temp7_label:Core 8
    /sys/class/hwmon/hwmon2/temp8_label:Core 9
    
    Restore the previous behavior and rework the code, comments and variable
    names to avoid future confusions.
    
    Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value")
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Link: https://lore.kernel.org/r/20240202092144.71180-3-rui.zhang@intel.com
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

hwmon: (coretemp) Fix out-of-bounds memory access [+ + +]
Author: Zhang Rui <rui.zhang@intel.com>
Date:   Fri Feb 2 17:21:34 2024 +0800

    hwmon: (coretemp) Fix out-of-bounds memory access
    
    [ Upstream commit 4e440abc894585a34c2904a32cd54af1742311b3 ]
    
    Fix a bug that pdata->cpu_map[] is set before out-of-bounds check.
    The problem might be triggered on systems with more than 128 cores per
    package.
    
    Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value")
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20240202092144.71180-2-rui.zhang@intel.com
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Stable-dep-of: fdaf0c8629d4 ("hwmon: (coretemp) Fix bogus core_id to attr name mapping")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hwrng: core - Fix page fault dead lock on mmap-ed hwrng [+ + +]
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Sat Dec 2 09:01:54 2023 +0800

    hwrng: core - Fix page fault dead lock on mmap-ed hwrng
    
    commit 78aafb3884f6bc6636efcc1760c891c8500b9922 upstream.
    
    There is a dead-lock in the hwrng device read path.  This triggers
    when the user reads from /dev/hwrng into memory also mmap-ed from
    /dev/hwrng.  The resulting page fault triggers a recursive read
    which then dead-locks.
    
    Fix this by using a stack buffer when calling copy_to_user.
    
    Reported-by: Edward Adam Davis <eadavis@qq.com>
    Reported-by: syzbot+c52ab18308964d248092@syzkaller.appspotmail.com
    Fixes: 9996508b3353 ("hwrng: core - Replace u32 in driver API with byte array")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
i2c: i801: Fix block process call transactions [+ + +]
Author: Jean Delvare <jdelvare@suse.de>
Date:   Wed Feb 14 15:59:39 2024 +0100

    i2c: i801: Fix block process call transactions
    
    [ Upstream commit c1c9d0f6f7f1dbf29db996bd8e166242843a5f21 ]
    
    According to the Intel datasheets, software must reset the block
    buffer index twice for block process call transactions: once before
    writing the outgoing data to the buffer, and once again before
    reading the incoming data from the buffer.
    
    The driver is currently missing the second reset, causing the wrong
    portion of the block buffer to be read.
    
    Signed-off-by: Jean Delvare <jdelvare@suse.de>
    Reported-by: Piotr Zakowski <piotr.zakowski@intel.com>
    Closes: https://lore.kernel.org/linux-i2c/20240213120553.7b0ab120@endymion.delvare/
    Fixes: 315cd67c9453 ("i2c: i801: Add Block Write-Block Read Process Call support")
    Reviewed-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

i2c: i801: Remove i801_set_block_buffer_mode [+ + +]
Author: Heiner Kallweit <hkallweit1@gmail.com>
Date:   Thu Nov 18 23:58:17 2021 +0100

    i2c: i801: Remove i801_set_block_buffer_mode
    
    [ Upstream commit 1e1d6582f483a4dba4ea03445e6f2f05d9de5bcf ]
    
    If FEATURE_BLOCK_BUFFER is set then bit SMBAUXCTL_E32B is supported
    and there's no benefit in reading it back. Origin of this check
    seems to be 14 yrs ago when people were not completely sure which
    chip versions support the block buffer mode.
    
    Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
    Reviewed-by: Jean Delvare <jdelvare@suse.de>
    Tested-by: Jean Delvare <jdelvare@suse.de>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Stable-dep-of: c1c9d0f6f7f1 ("i2c: i801: Fix block process call transactions")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
i3c: master: cdns: Update maximum prescaler value for i2c clock [+ + +]
Author: Harshit Shah <harshitshah.opendev@gmail.com>
Date:   Sat Dec 30 14:41:23 2023 +0530

    i3c: master: cdns: Update maximum prescaler value for i2c clock
    
    [ Upstream commit 374c13f9080a1b9835a5ed3e7bea93cf8e2dc262 ]
    
    As per the Cadence IP document fixed the I2C clock divider value limit from
    16 bits instead of 10 bits. Without this change setting up the I2C clock to
    low frequencies will not work as the prescaler value might be greater than
    10 bit number.
    
    I3C clock divider value is 10 bits only. Updating the macro names for both.
    
    Signed-off-by: Harshit Shah <harshitshah.opendev@gmail.com>
    Link: https://lore.kernel.org/r/1703927483-28682-1-git-send-email-harshitshah.opendev@gmail.com
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
i40e: Fix waiting for queues of all VSIs to be disabled [+ + +]
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Wed Nov 8 17:01:03 2023 +0100

    i40e: Fix waiting for queues of all VSIs to be disabled
    
    [ Upstream commit c73729b64bb692186da080602cd13612783f52ac ]
    
    The function i40e_pf_wait_queues_disabled() iterates all PF's VSIs
    up to 'pf->hw.func_caps.num_vsis' but this is incorrect because
    the real number of VSIs can be up to 'pf->num_alloc_vsi' that
    can be higher. Fix this loop.
    
    Fixes: 69129dc39fac ("i40e: Modify Tx disable wait flow in case of DCB reconfiguration")
    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
    Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
    Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
    Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
IB/ipoib: Fix mcast list locking [+ + +]
Author: Daniel Vacek <neelx@redhat.com>
Date:   Tue Dec 12 09:07:45 2023 +0100

    IB/ipoib: Fix mcast list locking
    
    [ Upstream commit 4f973e211b3b1c6d36f7c6a19239d258856749f9 ]
    
    Releasing the `priv->lock` while iterating the `priv->multicast_list` in
    `ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to
    remove the items while in the middle of iteration. If the mcast is removed
    while the lock was dropped, the for loop spins forever resulting in a hard
    lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):
    
        Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)
        -----------------------------------+-----------------------------------
        ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)
          spin_lock_irq(&priv->lock)       | __ipoib_ib_dev_flush(priv, ...)
          list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv->dev)
              &priv->multicast_list, list) |
            ipoib_mcast_join(dev, mcast)   |
              spin_unlock_irq(&priv->lock) |
                                           |   spin_lock_irqsave(&priv->lock, flags)
                                           |   list_for_each_entry_safe(mcast, tmcast,
                                           |                  &priv->multicast_list, list)
                                           |     list_del(&mcast->list);
                                           |     list_add_tail(&mcast->list, &remove_list)
                                           |   spin_unlock_irqrestore(&priv->lock, flags)
              spin_lock_irq(&priv->lock)   |
                                           |   ipoib_mcast_remove_list(&remove_list)
       (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,
        `priv->multicast_list` and we keep |                            remove_list, list)
        spinning on the `remove_list` of   |  >>>  wait_for_completion(&mcast->done)
        the other thread which is blocked  |
        and the list is still valid on     |
        it's stack.)
    
    Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent
    eventual sleeps.
    Unfortunately we could not reproduce the lockup and confirm this fix but
    based on the code review I think this fix should address such lockups.
    
    crash> bc 31
    PID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: "kworker/u72:2"
    --
        [exception RIP: ipoib_mcast_join_task+0x1b1]
        RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002
        RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000
                                      work (&priv->mcast_task{,.work})
        RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000
               &mcast->list
        RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000
        R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00
                                                             mcast
        R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8
               dev                    priv (&priv->lock)     &priv->multicast_list (aka head)
        ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
    
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC [+ + +]
Author: zhili.liu <zhili.liu@ucas.com.cn>
Date:   Tue Jan 2 09:07:11 2024 +0800

    iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC
    
    commit 792595bab4925aa06532a14dd256db523eb4fa5e upstream.
    
    Recently, we encounter kernel crash in function rm3100_common_probe
    caused by out of bound access of array rm3100_samp_rates (because of
    underlying hardware failures). Add boundary check to prevent out of
    bound access.
    
    Fixes: 121354b2eceb ("iio: magnetometer: Add driver support for PNI RM3100")
    Suggested-by: Zhouyi Zhou <zhouzhouyi@gmail.com>
    Signed-off-by: zhili.liu <zhili.liu@ucas.com.cn>
    Link: https://lore.kernel.org/r/1704157631-3814-1-git-send-email-zhouzhouyi@gmail.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
include/linux/units.h: add helpers for kelvin to/from Celsius conversion [+ + +]
Author: Akinobu Mita <akinobu.mita@gmail.com>
Date:   Thu Jan 30 22:15:28 2020 -0800

    include/linux/units.h: add helpers for kelvin to/from Celsius conversion
    
    [ Upstream commit 23331e4893614deb555c65cdf115c8a28ed32471 ]
    
    Patch series "add header file for kelvin to/from Celsius conversion
    helpers", v4.
    
    There are several helper macros to convert kelvin to/from Celsius in
    <linux/thermal.h> for thermal drivers.  These are useful for any other
    drivers or subsystems, but it's odd to include <linux/thermal.h> just
    for the helpers.
    
    This adds a new <linux/units.h> that provides the equivalent inline
    functions for any drivers or subsystems, and switches all the users of
    conversion helpers in <linux/thermal.h> to use <linux/units.h> helpers.
    
    This patch (of 12):
    
    There are several helper macros to convert kelvin to/from Celsius in
    <linux/thermal.h> for thermal drivers.  These are useful for any other
    drivers or subsystems, but it's odd to include <linux/thermal.h> just
    for the helpers.
    
    This adds a new <linux/units.h> that provides the equivalent inline
    functions for any drivers or subsystems.  It is intended to replace the
    helpers in <linux/thermal.h>.
    
    Link: http://lkml.kernel.org/r/1576386975-7941-2-git-send-email-akinobu.mita@gmail.com
    Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Cc: Sujith Thomas <sujith.thomas@intel.com>
    Cc: Darren Hart <dvhart@infradead.org>
    Cc: Zhang Rui <rui.zhang@intel.com>
    Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
    Cc: Amit Kucheria <amit.kucheria@verdurent.com>
    Cc: Jean Delvare <jdelvare@suse.com>
    Cc: Guenter Roeck <linux@roeck-us.net>
    Cc: Keith Busch <kbusch@kernel.org>
    Cc: Jens Axboe <axboe@fb.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Sagi Grimberg <sagi@grimberg.me>
    Cc: Kalle Valo <kvalo@codeaurora.org>
    Cc: Stanislaw Gruszka <sgruszka@redhat.com>
    Cc: Johannes Berg <johannes.berg@intel.com>
    Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Cc: Luca Coelho <luciano.coelho@intel.com>
    Cc: Jonathan Cameron <jic23@kernel.org>
    Cc: Hartmut Knaack <knaack.h@gmx.de>
    Cc: Lars-Peter Clausen <lars@metafoo.de>
    Cc: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
    Cc: Andy Shevchenko <andy@infradead.org>
    Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Stable-dep-of: 3ef79cd14122 ("serial: sc16is7xx: set safe default SPI clock frequency")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
inet: read sk->sk_family once in inet_recv_error() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Feb 2 09:54:04 2024 +0000

    inet: read sk->sk_family once in inet_recv_error()
    
    [ Upstream commit eef00a82c568944f113f2de738156ac591bbd5cd ]
    
    inet_recv_error() is called without holding the socket lock.
    
    IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM
    socket option and trigger a KCSAN warning.
    
    Fixes: f4713a3dfad0 ("net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID [+ + +]
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Fri Jan 26 17:07:23 2024 +0100

    Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
    
    commit 683cd8259a9b883a51973511f860976db2550a6e upstream.
    
    After commit 936e4d49ecbc ("Input: atkbd - skip ATKBD_CMD_GETID in
    translated mode") the keyboard on Dell XPS 13 9350 / 9360 / 9370 models
    has stopped working after a suspend/resume.
    
    The problem appears to be that atkbd_probe() fails when called
    from atkbd_reconnect() on resume, which on systems where
    ATKBD_CMD_GETID is skipped can only happen by ATKBD_CMD_SETLEDS
    failing. ATKBD_CMD_SETLEDS failing because ATKBD_CMD_GETID was
    skipped is weird, but apparently that is what is happening.
    
    Fix this by also skipping ATKBD_CMD_SETLEDS when skipping
    ATKBD_CMD_GETID.
    
    Fixes: 936e4d49ecbc ("Input: atkbd - skip ATKBD_CMD_GETID in translated mode")
    Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
    Closes: https://lore.kernel.org/linux-input/0aa4a61f-c939-46fe-a572-08022e8931c7@molgen.mpg.de/
    Closes: https://bbs.archlinux.org/viewtopic.php?pid=2146300
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218424
    Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2260517
    Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20240126160724.13278-2-hdegoede@redhat.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ipv6: Ensure natural alignment of const ipv6 loopback and router addresses [+ + +]
Author: Helge Deller <deller@kernel.org>
Date:   Fri Jan 26 09:32:20 2024 +0100

    ipv6: Ensure natural alignment of const ipv6 loopback and router addresses
    
    [ Upstream commit 60365049ccbacd101654a66ddcb299abfabd4fc5 ]
    
    On a parisc64 kernel I sometimes notice this kernel warning:
    Kernel unaligned access to 0x40ff8814 at ndisc_send_skb+0xc0/0x4d8
    
    The address 0x40ff8814 points to the in6addr_linklocal_allrouters
    variable and the warning simply means that some ipv6 function tries to
    read a 64-bit word directly from the not-64-bit aligned
    in6addr_linklocal_allrouters variable.
    
    Unaligned accesses are non-critical as the architecture or exception
    handlers usually will fix it up at runtime. Nevertheless it may trigger
    a performance penality for some architectures. For details read the
    "unaligned-memory-access" kernel documentation.
    
    The patch below ensures that the ipv6 loopback and router addresses will
    always be naturally aligned. This prevents the unaligned accesses for
    all architectures.
    
    Signed-off-by: Helge Deller <deller@gmx.de>
    Fixes: 034dfc5df99eb ("ipv6: export in6addr_loopback to modules")
    Acked-by: Paolo Abeni <pabeni@redhat.com>
    Link: https://lore.kernel.org/r/ZbNuFM1bFqoH-UoY@p100
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
irqchip/irq-brcmstb-l2: Add write memory barrier before exit [+ + +]
Author: Doug Berger <opendmb@gmail.com>
Date:   Fri Feb 9 17:24:49 2024 -0800

    irqchip/irq-brcmstb-l2: Add write memory barrier before exit
    
    commit b0344d6854d25a8b3b901c778b1728885dd99007 upstream.
    
    It was observed on Broadcom devices that use GIC v3 architecture L1
    interrupt controllers as the parent of brcmstb-l2 interrupt controllers
    that the deactivation of the parent interrupt could happen before the
    brcmstb-l2 deasserted its output. This would lead the GIC to reactivate the
    interrupt only to find that no L2 interrupt was pending. The result was a
    spurious interrupt invoking handle_bad_irq() with its associated
    messaging. While this did not create a functional problem it is a waste of
    cycles.
    
    The hazard exists because the memory mapped bus writes to the brcmstb-l2
    registers are buffered and the GIC v3 architecture uses a very efficient
    system register write to deactivate the interrupt.
    
    Add a write memory barrier prior to invoking chained_irq_exit() to
    introduce a dsb(st) on those systems to ensure the system register write
    cannot be executed until the memory mapped writes are visible to the
    system.
    
    [ florian: Added Fixes tag ]
    
    Fixes: 7f646e92766e ("irqchip: brcmstb-l2: Add Broadcom Set Top Box  Level-2 interrupt controller")
    Signed-off-by: Doug Berger <opendmb@gmail.com>
    Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Acked-by: Marc Zyngier <maz@kernel.org>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240210012449.3009125-1-florian.fainelli@broadcom.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550() [+ + +]
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sat Jan 20 18:25:36 2024 +0100

    ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()
    
    [ Upstream commit bbc404d20d1b46d89b461918bc44587620eda200 ]
    
    All error handling paths, except this one, go to 'out' where
    release_swfw_sync() is called.
    This call balances the acquire_swfw_sync() call done at the beginning of
    the function.
    
    Branch to the error handling path in order to correctly release some
    resources in case of error.
    
    Fixes: ae14a1d8e104 ("ixgbe: Fix IOSF SB access issues")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ixgbe: Refactor overtemp event handling [+ + +]
Author: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
Date:   Mon Dec 18 11:39:25 2023 +0100

    ixgbe: Refactor overtemp event handling
    
    [ Upstream commit 6c1b4af8c1b20c70dde01e58381685d6a4a1d2c8 ]
    
    Currently ixgbe driver is notified of overheating events
    via internal IXGBE_ERR_OVERTEMP error code.
    
    Change the approach for handle_lasi() to use freshly introduced
    is_overtemp function parameter which set when such event occurs.
    Change check_overtemp() to bool and return true if overtemp
    event occurs.
    
    Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
    Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
    Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ixgbe: Refactor returning internal error codes [+ + +]
Author: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
Date:   Mon Dec 18 11:39:26 2023 +0100

    ixgbe: Refactor returning internal error codes
    
    [ Upstream commit 5795f533f30a80aa0473652876296ebc9129e33a ]
    
    Change returning codes to the kernel ones instead of
    the internal ones for the entire ixgbe driver.
    
    Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
    Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
    Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Stable-dep-of: bbc404d20d1b ("ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ixgbe: Remove non-inclusive language [+ + +]
Author: Piotr Skajewski <piotrx.skajewski@intel.com>
Date:   Tue Jan 11 11:27:23 2022 +0100

    ixgbe: Remove non-inclusive language
    
    [ Upstream commit 93b067f154b3edfd3d75a272fd9433bf787e2e1d ]
    
    Remove non-inclusive language from the driver.
    
    Additionally correct the duplication "from from"
    reported by checkpatch after the changes above.
    
    Signed-off-by: Piotr Skajewski <piotrx.skajewski@intel.com>
    Tested-by: Dave Switzer <david.switzer@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Stable-dep-of: bbc404d20d1b ("ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
jfs: fix array-index-out-of-bounds in dbAdjTree [+ + +]
Author: Manas Ghandat <ghandatmanas@gmail.com>
Date:   Tue Oct 17 17:33:56 2023 +0530

    jfs: fix array-index-out-of-bounds in dbAdjTree
    
    [ Upstream commit 74ecdda68242b174920fe7c6133a856fb7d8559b ]
    
    Currently there is a bound check missing in the dbAdjTree while
    accessing the dmt_stree. To add the required check added the bool is_ctl
    which is required to determine the size as suggest in the following
    commit.
    https://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/
    
    Reported-by: syzbot+39ba34a099ac2e9bd3cb@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=39ba34a099ac2e9bd3cb
    Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

jfs: fix array-index-out-of-bounds in diNewExt [+ + +]
Author: Edward Adam Davis <eadavis@qq.com>
Date:   Tue Dec 12 09:36:22 2023 +0800

    jfs: fix array-index-out-of-bounds in diNewExt
    
    [ Upstream commit 49f9637aafa6e63ba686c13cb8549bf5e6920402 ]
    
    [Syz report]
    UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2
    index -878706688 is out of range for type 'struct iagctl[128]'
    CPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
     ubsan_epilogue lib/ubsan.c:217 [inline]
     __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
     diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360
     diAllocExt fs/jfs/jfs_imap.c:1949 [inline]
     diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666
     diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587
     ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
     jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225
     vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106
     do_mkdirat+0x264/0x3a0 fs/namei.c:4129
     __do_sys_mkdir fs/namei.c:4149 [inline]
     __se_sys_mkdir fs/namei.c:4147 [inline]
     __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    RIP: 0033:0x7fcb7e6a0b57
    Code: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053
    RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57
    RDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140
    RBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    
    [Analysis]
    When the agstart is too large, it can cause agno overflow.
    
    [Fix]
    After obtaining agno, if the value is invalid, exit the subsequent process.
    
    Reported-and-tested-by: syzbot+553d90297e6d2f50dbc7@syzkaller.appspotmail.com
    Signed-off-by: Edward Adam Davis <eadavis@qq.com>
    
    Modified the test from agno > MAXAG to agno >= MAXAG based on linux-next
    report by kernel test robot (Dan Carpenter).
    
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

jfs: fix slab-out-of-bounds Read in dtSearch [+ + +]
Author: Manas Ghandat <ghandatmanas@gmail.com>
Date:   Wed Oct 25 11:39:07 2023 +0530

    jfs: fix slab-out-of-bounds Read in dtSearch
    
    [ Upstream commit fa5492ee89463a7590a1449358002ff7ef63529f ]
    
    Currently while searching for current page in the sorted entry table
    of the page there is a out of bound access. Added a bound check to fix
    the error.
    
    Dave:
    Set return code to -EIO
    
    Reported-by: kernel test robot <lkp@intel.com>
    Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
    Closes: https://lore.kernel.org/r/202310241724.Ed02yUz9-lkp@intel.com/
    Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

jfs: fix uaf in jfs_evict_inode [+ + +]
Author: Edward Adam Davis <eadavis@qq.com>
Date:   Tue Oct 31 13:39:04 2023 +0800

    jfs: fix uaf in jfs_evict_inode
    
    [ Upstream commit e0e1958f4c365e380b17ccb35617345b31ef7bf3 ]
    
    When the execution of diMount(ipimap) fails, the object ipimap that has been
    released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs
    when rcu_core() calls jfs_free_node().
    
    Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as
    ipimap.
    
    Reported-and-tested-by: syzbot+01cf2dbcbe2022454388@syzkaller.appspotmail.com
    Signed-off-by: Edward Adam Davis <eadavis@qq.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
kbuild: Fix changing ELF file type for output of gen_btf for big endian [+ + +]
Author: Nathan Chancellor <nathan@kernel.org>
Date:   Mon Feb 12 19:05:10 2024 -0700

    kbuild: Fix changing ELF file type for output of gen_btf for big endian
    
    commit e3a9ee963ad8ba677ca925149812c5932b49af69 upstream.
    
    Commit 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF")
    changed the ELF type of .btf.vmlinux.bin.o to ET_REL via dd, which works
    fine for little endian platforms:
    
       00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
      -00000010  03 00 b7 00 01 00 00 00  00 00 00 80 00 80 ff ff  |................|
      +00000010  01 00 b7 00 01 00 00 00  00 00 00 80 00 80 ff ff  |................|
    
    However, for big endian platforms, it changes the wrong byte, resulting
    in an invalid ELF file type, which ld.lld rejects:
    
       00000000  7f 45 4c 46 02 02 01 00  00 00 00 00 00 00 00 00  |.ELF............|
      -00000010  00 03 00 16 00 00 00 01  00 00 00 00 00 10 00 00  |................|
      +00000010  01 03 00 16 00 00 00 01  00 00 00 00 00 10 00 00  |................|
    
      Type:                              <unknown>: 103
    
      ld.lld: error: .btf.vmlinux.bin.o: unknown file type
    
    Fix this by updating the entire 16-bit e_type field rather than just a
    single byte, so that everything works correctly for all platforms and
    linkers.
    
       00000000  7f 45 4c 46 02 02 01 00  00 00 00 00 00 00 00 00  |.ELF............|
      -00000010  00 03 00 16 00 00 00 01  00 00 00 00 00 10 00 00  |................|
      +00000010  00 01 00 16 00 00 00 01  00 00 00 00 00 10 00 00  |................|
    
      Type:                              REL (Relocatable file)
    
    While in the area, update the comment to mention that binutils 2.35+
    matches LLD's behavior of rejecting an ET_EXEC input, which occurred
    after the comment was added.
    
    Cc: stable@vger.kernel.org
    Fixes: 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF")
    Link: https://github.com/llvm/llvm-project/pull/75643
    Suggested-by: Masahiro Yamada <masahiroy@kernel.org>
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Reviewed-by: Fangrui Song <maskray@google.com>
    Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: Justin Stitt <justinstitt@google.com>
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    [nathan: Fix silent conflict due to lack of 7d153696e5db in older trees]
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache [+ + +]
Author: Oliver Upton <oliver.upton@linux.dev>
Date:   Thu Jan 4 18:32:32 2024 +0000

    KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache
    
    [ Upstream commit ad362fe07fecf0aba839ff2cc59a3617bd42c33f ]
    
    There is a potential UAF scenario in the case of an LPI translation
    cache hit racing with an operation that invalidates the cache, such
    as a DISCARD ITS command. The root of the problem is that
    vgic_its_check_cache() does not elevate the refcount on the vgic_irq
    before dropping the lock that serializes refcount changes.
    
    Have vgic_its_check_cache() raise the refcount on the returned vgic_irq
    and add the corresponding decrement after queueing the interrupt.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20240104183233.3560639-1-oliver.upton@linux.dev
    Signed-off-by: Sasha Levin <sashal@kernel.org>

KVM: s390: fix setting of fpc register [+ + +]
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Thu Nov 30 18:56:00 2023 +0100

    KVM: s390: fix setting of fpc register
    
    [ Upstream commit b988b1bb0053c0dcd26187d29ef07566a565cf55 ]
    
    kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control
    (fpc) register of a guest cpu. The new value is tested for validity by
    temporarily loading it into the fpc register.
    
    This may lead to corruption of the fpc register of the host process:
    if an interrupt happens while the value is temporarily loaded into the fpc
    register, and within interrupt context floating point or vector registers
    are used, the current fp/vx registers are saved with save_fpu_regs()
    assuming they belong to user space and will be loaded into fp/vx registers
    when returning to user space.
    
    test_fp_ctl() restores the original user space / host process fpc register
    value, however it will be discarded, when returning to user space.
    
    In result the host process will incorrectly continue to run with the value
    that was supposed to be used for a guest cpu.
    
    Fix this by simply removing the test. There is another test right before
    the SIE context is entered which will handles invalid values.
    
    This results in a change of behaviour: invalid values will now be accepted
    instead of that the ioctl fails with -EINVAL. This seems to be acceptable,
    given that this interface is most likely not used anymore, and this is in
    addition the same behaviour implemented with the memory mapped interface
    (replace invalid values with zero) - see sync_regs() in kvm-s390.c.
    
    Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
    Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
leds: trigger: panic: Don't register panic notifier if creating the trigger failed [+ + +]
Author: Heiner Kallweit <hkallweit1@gmail.com>
Date:   Sat Dec 16 21:05:33 2023 +0100

    leds: trigger: panic: Don't register panic notifier if creating the trigger failed
    
    [ Upstream commit afacb21834bb02785ddb0c3ec197208803b74faa ]
    
    It doesn't make sense to register the panic notifier if creating the
    panic trigger failed.
    
    Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
    Link: https://lore.kernel.org/r/8a61e229-5388-46c7-919a-4d18cc7362b2@gmail.com
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
libsubcmd: Fix memory leak in uniq() [+ + +]
Author: Ian Rogers <irogers@google.com>
Date:   Thu Dec 7 16:05:13 2023 -0800

    libsubcmd: Fix memory leak in uniq()
    
    [ Upstream commit ad30469a841b50dbb541df4d6971d891f703c297 ]
    
    uniq() will write one command name over another causing the overwritten
    string to be leaked. Fix by doing a pass that removes duplicates and a
    second that removes the holes.
    
    Signed-off-by: Ian Rogers <irogers@google.com>
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Chenyuan Mi <cymi20@fudan.edu.cn>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Link: https://lore.kernel.org/r/20231208000515.1693746-1-irogers@google.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Linux: Linux 5.4.269 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Feb 23 08:25:15 2024 +0100

    Linux 5.4.269
    
    Link: https://lore.kernel.org/r/20240221125940.058369148@linuxfoundation.org
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: kernelci.org bot <bot@kernelci.org>
    Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
llc: call sock_orphan() at release time [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jan 26 16:55:32 2024 +0000

    llc: call sock_orphan() at release time
    
    [ Upstream commit aa2b2eb3934859904c287bf5434647ba72e14c1c ]
    
    syzbot reported an interesting trace [1] caused by a stale sk->sk_wq
    pointer in a closed llc socket.
    
    In commit ff7b11aa481f ("net: socket: set sock->sk to NULL after
    calling proto_ops::release()") Eric Biggers hinted that some protocols
    are missing a sock_orphan(), we need to perform a full audit.
    
    In net-next, I plan to clear sock->sk from sock_orphan() and
    amend Eric patch to add a warning.
    
    [1]
     BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]
     BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]
     BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]
     BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468
    Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27
    
    CPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
    Call Trace:
     <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:377 [inline]
      print_report+0xc4/0x620 mm/kasan/report.c:488
      kasan_report+0xda/0x110 mm/kasan/report.c:601
      list_empty include/linux/list.h:373 [inline]
      waitqueue_active include/linux/wait.h:127 [inline]
      sock_def_write_space_wfree net/core/sock.c:3384 [inline]
      sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468
      skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080
      skb_release_all net/core/skbuff.c:1092 [inline]
      napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404
      e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970
      e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]
      e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801
      __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576
      napi_poll net/core/dev.c:6645 [inline]
      net_rx_action+0x956/0xe90 net/core/dev.c:6778
      __do_softirq+0x21a/0x8de kernel/softirq.c:553
      run_ksoftirqd kernel/softirq.c:921 [inline]
      run_ksoftirqd+0x31/0x60 kernel/softirq.c:913
      smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164
      kthread+0x2c6/0x3a0 kernel/kthread.c:388
      ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
      ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
     </TASK>
    
    Allocated by task 5167:
      kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
      kasan_save_track+0x14/0x30 mm/kasan/common.c:68
      unpoison_slab_object mm/kasan/common.c:314 [inline]
      __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340
      kasan_slab_alloc include/linux/kasan.h:201 [inline]
      slab_post_alloc_hook mm/slub.c:3813 [inline]
      slab_alloc_node mm/slub.c:3860 [inline]
      kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879
      alloc_inode_sb include/linux/fs.h:3019 [inline]
      sock_alloc_inode+0x25/0x1c0 net/socket.c:308
      alloc_inode+0x5d/0x220 fs/inode.c:260
      new_inode_pseudo+0x16/0x80 fs/inode.c:1005
      sock_alloc+0x40/0x270 net/socket.c:634
      __sock_create+0xbc/0x800 net/socket.c:1535
      sock_create net/socket.c:1622 [inline]
      __sys_socket_create net/socket.c:1659 [inline]
      __sys_socket+0x14c/0x260 net/socket.c:1706
      __do_sys_socket net/socket.c:1720 [inline]
      __se_sys_socket net/socket.c:1718 [inline]
      __x64_sys_socket+0x72/0xb0 net/socket.c:1718
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    
    Freed by task 0:
      kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
      kasan_save_track+0x14/0x30 mm/kasan/common.c:68
      kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640
      poison_slab_object mm/kasan/common.c:241 [inline]
      __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257
      kasan_slab_free include/linux/kasan.h:184 [inline]
      slab_free_hook mm/slub.c:2121 [inline]
      slab_free mm/slub.c:4299 [inline]
      kmem_cache_free+0x129/0x350 mm/slub.c:4363
      i_callback+0x43/0x70 fs/inode.c:249
      rcu_do_batch kernel/rcu/tree.c:2158 [inline]
      rcu_core+0x819/0x1680 kernel/rcu/tree.c:2433
      __do_softirq+0x21a/0x8de kernel/softirq.c:553
    
    Last potentially related work creation:
      kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
      __kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:586
      __call_rcu_common.constprop.0+0x9a/0x7b0 kernel/rcu/tree.c:2683
      destroy_inode+0x129/0x1b0 fs/inode.c:315
      iput_final fs/inode.c:1739 [inline]
      iput.part.0+0x560/0x7b0 fs/inode.c:1765
      iput+0x5c/0x80 fs/inode.c:1755
      dentry_unlink_inode+0x292/0x430 fs/dcache.c:400
      __dentry_kill+0x1ca/0x5f0 fs/dcache.c:603
      dput.part.0+0x4ac/0x9a0 fs/dcache.c:845
      dput+0x1f/0x30 fs/dcache.c:835
      __fput+0x3b9/0xb70 fs/file_table.c:384
      task_work_run+0x14d/0x240 kernel/task_work.c:180
      exit_task_work include/linux/task_work.h:38 [inline]
      do_exit+0xa8a/0x2ad0 kernel/exit.c:871
      do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
      __do_sys_exit_group kernel/exit.c:1031 [inline]
      __se_sys_exit_group kernel/exit.c:1029 [inline]
      __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    
    The buggy address belongs to the object at ffff88802f4fc800
     which belongs to the cache sock_inode_cache of size 1408
    The buggy address is located 128 bytes inside of
     freed 1408-byte region [ffff88802f4fc800, ffff88802f4fcd80)
    
    The buggy address belongs to the physical page:
    page:ffffea0000bd3e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2f4f8
    head:ffffea0000bd3e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
    page_type: 0xffffffff()
    raw: 00fff00000000840 ffff888013b06b40 0000000000000000 0000000000000001
    raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    page_owner tracks the page as allocated
    page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 4956, tgid 4956 (sshd), ts 31423924727, free_ts 0
      set_page_owner include/linux/page_owner.h:31 [inline]
      post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1533
      prep_new_page mm/page_alloc.c:1540 [inline]
      get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
      __alloc_pages+0x22f/0x2440 mm/page_alloc.c:4567
      __alloc_pages_node include/linux/gfp.h:238 [inline]
      alloc_pages_node include/linux/gfp.h:261 [inline]
      alloc_slab_page mm/slub.c:2190 [inline]
      allocate_slab mm/slub.c:2354 [inline]
      new_slab+0xcc/0x3a0 mm/slub.c:2407
      ___slab_alloc+0x4af/0x19a0 mm/slub.c:3540
      __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3625
      __slab_alloc_node mm/slub.c:3678 [inline]
      slab_alloc_node mm/slub.c:3850 [inline]
      kmem_cache_alloc_lru+0x379/0x6f0 mm/slub.c:3879
      alloc_inode_sb include/linux/fs.h:3019 [inline]
      sock_alloc_inode+0x25/0x1c0 net/socket.c:308
      alloc_inode+0x5d/0x220 fs/inode.c:260
      new_inode_pseudo+0x16/0x80 fs/inode.c:1005
      sock_alloc+0x40/0x270 net/socket.c:634
      __sock_create+0xbc/0x800 net/socket.c:1535
      sock_create net/socket.c:1622 [inline]
      __sys_socket_create net/socket.c:1659 [inline]
      __sys_socket+0x14c/0x260 net/socket.c:1706
      __do_sys_socket net/socket.c:1720 [inline]
      __se_sys_socket net/socket.c:1718 [inline]
      __x64_sys_socket+0x72/0xb0 net/socket.c:1718
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    page_owner free stack trace missing
    
    Memory state around the buggy address:
     ffff88802f4fc780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff88802f4fc800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff88802f4fc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
     ffff88802f4fc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff88802f4fc980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    
    Fixes: 43815482370c ("net: sock_def_readable() and friends RCU conversion")
    Reported-and-tested-by: syzbot+32b89eaa102b372ff76d@syzkaller.appspotmail.com
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Eric Biggers <ebiggers@google.com>
    Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://lore.kernel.org/r/20240126165532.3396702-1-edumazet@google.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

llc: Drop support for ETH_P_TR_802_2. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Thu Jan 18 17:55:15 2024 -0800

    llc: Drop support for ETH_P_TR_802_2.
    
    [ Upstream commit e3f9bed9bee261e3347131764e42aeedf1ffea61 ]
    
    syzbot reported an uninit-value bug below. [0]
    
    llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2
    (0x0011), and syzbot abused the latter to trigger the bug.
    
      write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16)
    
    llc_conn_handler() initialises local variables {saddr,daddr}.mac
    based on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes
    them to __llc_lookup().
    
    However, the initialisation is done only when skb->protocol is
    htons(ETH_P_802_2), otherwise, __llc_lookup_established() and
    __llc_lookup_listener() will read garbage.
    
    The missing initialisation existed prior to commit 211ed865108e
    ("net: delete all instances of special processing for token ring").
    
    It removed the part to kick out the token ring stuff but forgot to
    close the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().
    
    Let's remove llc_tr_packet_type and complete the deprecation.
    
    [0]:
    BUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90
     __llc_lookup_established+0xe9d/0xf90
     __llc_lookup net/llc/llc_conn.c:611 [inline]
     llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791
     llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206
     __netif_receive_skb_one_core net/core/dev.c:5527 [inline]
     __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641
     netif_receive_skb_internal net/core/dev.c:5727 [inline]
     netif_receive_skb+0x58/0x660 net/core/dev.c:5786
     tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
     tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
     tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
     call_write_iter include/linux/fs.h:2020 [inline]
     new_sync_write fs/read_write.c:491 [inline]
     vfs_write+0x8ef/0x1490 fs/read_write.c:584
     ksys_write+0x20f/0x4c0 fs/read_write.c:637
     __do_sys_write fs/read_write.c:649 [inline]
     __se_sys_write fs/read_write.c:646 [inline]
     __x64_sys_write+0x93/0xd0 fs/read_write.c:646
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    
    Local variable daddr created at:
     llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783
     llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206
    
    CPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
    
    Fixes: 211ed865108e ("net: delete all instances of special processing for token ring")
    Reported-by: syzbot+b5ad66046b913bc04c6f@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=b5ad66046b913bc04c6f
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://lore.kernel.org/r/20240119015515.61898-1-kuniyu@amazon.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

llc: make llc_ui_sendmsg() more robust against bonding changes [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jan 18 18:36:25 2024 +0000

    llc: make llc_ui_sendmsg() more robust against bonding changes
    
    [ Upstream commit dad555c816a50c6a6a8a86be1f9177673918c647 ]
    
    syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no
    headroom, but subsequently trying to push 14 bytes of Ethernet header [1]
    
    Like some others, llc_ui_sendmsg() releases the socket lock before
    calling sock_alloc_send_skb().
    Then it acquires it again, but does not redo all the sanity checks
    that were performed.
    
    This fix:
    
    - Uses LL_RESERVED_SPACE() to reserve space.
    - Check all conditions again after socket lock is held again.
    - Do not account Ethernet header for mtu limitation.
    
    [1]
    
    skbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0
    
     kernel BUG at net/core/skbuff.c:193 !
    Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
    pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : skb_panic net/core/skbuff.c:189 [inline]
     pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203
     lr : skb_panic net/core/skbuff.c:189 [inline]
     lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203
    sp : ffff800096f97000
    x29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000
    x26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2
    x23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0
    x20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce
    x17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001
    x14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000
    x11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400
    x8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000
    x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714
    x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089
    Call trace:
      skb_panic net/core/skbuff.c:189 [inline]
      skb_under_panic+0x13c/0x140 net/core/skbuff.c:203
      skb_push+0xf0/0x108 net/core/skbuff.c:2451
      eth_header+0x44/0x1f8 net/ethernet/eth.c:83
      dev_hard_header include/linux/netdevice.h:3188 [inline]
      llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33
      llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85
      llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]
      llc_sap_next_state net/llc/llc_sap.c:182 [inline]
      llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209
      llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270
      llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg net/socket.c:745 [inline]
      sock_sendmsg+0x194/0x274 net/socket.c:767
      splice_to_socket+0x7cc/0xd58 fs/splice.c:881
      do_splice_from fs/splice.c:933 [inline]
      direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142
      splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088
      do_splice_direct+0x20c/0x348 fs/splice.c:1194
      do_sendfile+0x4bc/0xc70 fs/read_write.c:1254
      __do_sys_sendfile64 fs/read_write.c:1322 [inline]
      __se_sys_sendfile64 fs/read_write.c:1308 [inline]
      __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308
      __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
      el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
    Code: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-and-tested-by: syzbot+2a7024e9502df538e8ef@syzkaller.appspotmail.com
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://lore.kernel.org/r/20240118183625.4007013-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
lsm: new security_file_ioctl_compat() hook [+ + +]
Author: Alfred Piccioni <alpic@google.com>
Date:   Tue Dec 19 10:09:09 2023 +0100

    lsm: new security_file_ioctl_compat() hook
    
    commit f1bb47a31dff6d4b34fb14e99850860ee74bb003 upstream.
    
    Some ioctl commands do not require ioctl permission, but are routed to
    other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is
    done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*).
    
    However, if a 32-bit process is running on a 64-bit kernel, it emits
    32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are
    being checked erroneously, which leads to these ioctl operations being
    routed to the ioctl permission, rather than the correct file
    permissions.
    
    This was also noted in a RED-PEN finding from a while back -
    "/* RED-PEN how should LSM module know it's handling 32bit? */".
    
    This patch introduces a new hook, security_file_ioctl_compat(), that is
    called from the compat ioctl syscall. All current LSMs have been changed
    to support this hook.
    
    Reviewing the three places where we are currently using
    security_file_ioctl(), it appears that only SELinux needs a dedicated
    compat change; TOMOYO and SMACK appear to be functional without any
    change.
    
    Cc: stable@vger.kernel.org
    Fixes: 0b24dcb7f2f7 ("Revert "selinux: simplify ioctl checking"")
    Signed-off-by: Alfred Piccioni <alpic@google.com>
    Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
    [PM: subject tweak, line length fixes, and alignment corrections]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
md: Whenassemble the array, consult the superblock of the freshest device [+ + +]
Author: Alex Lyakas <alex.lyakas@zadara.com>
Date:   Wed Dec 13 14:24:31 2023 +0200

    md: Whenassemble the array, consult the superblock of the freshest device
    
    [ Upstream commit dc1cc22ed58f11d58d8553c5ec5f11cbfc3e3039 ]
    
    Upon assembling the array, both kernel and mdadm allow the devices to have event
    counter difference of 1, and still consider them as up-to-date.
    However, a device whose event count is behind by 1, may in fact not be up-to-date,
    and array resync with such a device may cause data corruption.
    To avoid this, consult the superblock of the freshest device about the status
    of a device, whose event counter is behind by 1.
    
    Signed-off-by: Alex Lyakas <alex.lyakas@zadara.com>
    Signed-off-by: Song Liu <song@kernel.org>
    Link: https://lore.kernel.org/r/1702470271-16073-1-git-send-email-alex.lyakas@zadara.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
media: ddbridge: fix an error code problem in ddb_probe [+ + +]
Author: Su Hui <suhui@nfschina.com>
Date:   Fri Oct 20 17:17:23 2023 +0800

    media: ddbridge: fix an error code problem in ddb_probe
    
    [ Upstream commit 09b4195021be69af1e1936cca995712a6d0f2562 ]
    
    Error code is assigned to 'stat', return 'stat' rather than '-1'.
    
    Signed-off-by: Su Hui <suhui@nfschina.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: rockchip: rga: fix swizzling for RGB formats [+ + +]
Author: Michael Tretter <m.tretter@pengutronix.de>
Date:   Fri Oct 13 13:00:22 2023 +0200

    media: rockchip: rga: fix swizzling for RGB formats
    
    [ Upstream commit 9e7dc39260edac180c206bb6149595a40eabae3e ]
    
    When using 32 bit RGB formats, the RGA on the rk3568 produces wrong
    colors as the wrong color channels are read or written.  The reason is
    that the format description for the channel swizzeling is wrong and the
    wrong bits are configured. For example, when converting ARGB32 to NV12,
    the alpha channel is used as blue channel.. This doesn't happen if the
    color format is the same on both sides.
    
    Fix the color_swap settings of the formats to correctly handle 32 bit
    RGB formats.
    
    For RGA_COLOR_FMT_XBGR8888, the RGA_COLOR_ALPHA_SWAP bit doesn't have an
    effect. Thus, it isn't possible to handle the V4L2_PIX_FMT_XRGB32. Thus,
    it is removed from the list of supported formats.
    
    Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: stk1160: Fixed high volume of stk1160_dbg messages [+ + +]
Author: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
Date:   Sat Nov 25 14:32:36 2023 +0530

    media: stk1160: Fixed high volume of stk1160_dbg messages
    
    [ Upstream commit b3695e86d25aafbe175dd51f6aaf6f68d341d590 ]
    
    The function stk1160_dbg gets called too many times, which causes
    the output to get flooded with messages. Since stk1160_dbg uses
    printk, it is now replaced with printk_ratelimited.
    
    Suggested-by: Phillip Potter <phil@philpotter.co.uk>
    Signed-off-by: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mfd: ti_am335x_tscadc: Fix TI SoC dependencies [+ + +]
Author: Peter Robinson <pbrobinson@gmail.com>
Date:   Wed Dec 20 15:56:39 2023 +0000

    mfd: ti_am335x_tscadc: Fix TI SoC dependencies
    
    [ Upstream commit 284d16c456e5d4b143f375b8ccc4038ab3f4ee0f ]
    
    The ti_am335x_tscadc is specific to some TI SoCs, update
    the dependencies for those SoCs and compile testing.
    
    Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
    Link: https://lore.kernel.org/r/20231220155643.445849-1-pbrobinson@gmail.com
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler [+ + +]
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Sun Feb 11 08:08:37 2024 -0800

    MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler
    
    [ Upstream commit d55347bfe4e66dce2e1e7501e5492f4af3e315f8 ]
    
    After 'lib: checksum: Use aligned accesses for ip_fast_csum and
    csum_ipv6_magic tests' was applied, the test_csum_ipv6_magic unit test
    started failing for all mips platforms, both little and bit endian.
    Oddly enough, adding debug code into test_csum_ipv6_magic() made the
    problem disappear.
    
    The gcc manual says:
    
    "The "memory" clobber tells the compiler that the assembly code performs
     memory reads or writes to items other than those listed in the input
     and output operands (for example, accessing the memory pointed to by one
     of the input parameters)
    "
    
    This is definitely the case for csum_ipv6_magic(). Indeed, adding the
    'memory' clobber fixes the problem.
    
    Cc: Charlie Jenkins <charlie@rivosinc.com>
    Cc: Palmer Dabbelt <palmer@rivosinc.com>
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan [+ + +]
Author: Xi Ruoyao <xry111@xry111.site>
Date:   Sat Jan 27 05:05:57 2024 +0800

    mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan
    
    commit 59be5c35850171e307ca5d3d703ee9ff4096b948 upstream.
    
    If we still own the FPU after initializing fcr31, when we are preempted
    the dirty value in the FPU will be read out and stored into fcr31,
    clobbering our setting.  This can cause an improper floating-point
    environment after execve().  For example:
    
        zsh% cat measure.c
        #include <fenv.h>
        int main() { return fetestexcept(FE_INEXACT); }
        zsh% cc measure.c -o measure -lm
        zsh% echo $((1.0/3)) # raising FE_INEXACT
        0.33333333333333331
        zsh% while ./measure; do ; done
        (stopped in seconds)
    
    Call lose_fpu(0) before setting fcr31 to prevent this.
    
    Closes: https://lore.kernel.org/linux-mips/7a6aa1bbdbbe2e63ae96ff163fab0349f58f1b9e.camel@xry111.site/
    Fixes: 9b26616c8d9d ("MIPS: Respect the ISA level in FCSR handling")
    Cc: stable@vger.kernel.org
    Signed-off-by: Xi Ruoyao <xry111@xry111.site>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mips: Fix max_mapnr being uninitialized on early stages [+ + +]
Author: Serge Semin <fancer.lancer@gmail.com>
Date:   Sat Dec 2 14:14:20 2023 +0300

    mips: Fix max_mapnr being uninitialized on early stages
    
    [ Upstream commit e1a9ae45736989c972a8d1c151bc390678ae6205 ]
    
    max_mapnr variable is utilized in the pfn_valid() method in order to
    determine the upper PFN space boundary. Having it uninitialized
    effectively makes any PFN passed to that method invalid. That in its turn
    causes the kernel mm-subsystem occasion malfunctions even after the
    max_mapnr variable is actually properly updated. For instance,
    pfn_valid() is called in the init_unavailable_range() method in the
    framework of the calls-chain on MIPS:
    setup_arch()
    +-> paging_init()
        +-> free_area_init()
            +-> memmap_init()
                +-> memmap_init_zone_range()
                    +-> init_unavailable_range()
    
    Since pfn_valid() always returns "false" value before max_mapnr is
    initialized in the mem_init() method, any flatmem page-holes will be left
    in the poisoned/uninitialized state including the IO-memory pages. Thus
    any further attempts to map/remap the IO-memory by using MMU may fail.
    In particular it happened in my case on attempt to map the SRAM region.
    The kernel bootup procedure just crashed on the unhandled unaligned access
    bug raised in the __update_cache() method:
    
    > Unhandled kernel unaligned access[#1]:
    > CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc1-XXX-dirty #2056
    > ...
    > Call Trace:
    > [<8011ef9c>] __update_cache+0x88/0x1bc
    > [<80385944>] ioremap_page_range+0x110/0x2a4
    > [<80126948>] ioremap_prot+0x17c/0x1f4
    > [<80711b80>] __devm_ioremap+0x8c/0x120
    > [<80711e0c>] __devm_ioremap_resource+0xf4/0x218
    > [<808bf244>] sram_probe+0x4f4/0x930
    > [<80889d20>] platform_probe+0x68/0xec
    > ...
    
    Let's fix the problem by initializing the max_mapnr variable as soon as
    the required data is available. In particular it can be done right in the
    paging_init() method before free_area_init() is called since all the PFN
    zone boundaries have already been calculated by that time.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Serge Semin <fancer.lancer@gmail.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
misc: fastrpc: Mark all sessions as invalid in cb_remove [+ + +]
Author: Ekansh Gupta <quic_ekangupt@quicinc.com>
Date:   Mon Jan 8 17:18:33 2024 +0530

    misc: fastrpc: Mark all sessions as invalid in cb_remove
    
    commit a4e61de63e34860c36a71d1a364edba16fb6203b upstream.
    
    In remoteproc shutdown sequence, rpmsg_remove will get called which
    would depopulate all the child nodes that have been created during
    rpmsg_probe. This would result in cb_remove call for all the context
    banks for the remoteproc. In cb_remove function, session 0 is
    getting skipped which is not correct as session 0 will never become
    available again. Add changes to mark session 0 also as invalid.
    
    Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
    Link: https://lore.kernel.org/r/20240108114833.20480-1-quic_ekangupt@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again [+ + +]
Author: Zach O'Keefe <zokeefe@google.com>
Date:   Thu Jan 18 10:19:53 2024 -0800

    mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
    
    commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78 upstream.
    
    (struct dirty_throttle_control *)->thresh is an unsigned long, but is
    passed as the u32 divisor argument to div_u64().  On architectures where
    unsigned long is 64 bytes, the argument will be implicitly truncated.
    
    Use div64_u64() instead of div_u64() so that the value used in the "is
    this a safe division" check is the same as the divisor.
    
    Also, remove redundant cast of the numerator to u64, as that should happen
    implicitly.
    
    This would be difficult to exploit in memcg domain, given the ratio-based
    arithmetic domain_drity_limits() uses, but is much easier in global
    writeback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g.
    vm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)
    
    Link: https://lkml.kernel.org/r/20240118181954.1415197-1-zokeefe@google.com
    Fixes: f6789593d5ce ("mm/page-writeback.c: fix divide by zero in bdi_dirty_limits()")
    Signed-off-by: Zach O'Keefe <zokeefe@google.com>
    Cc: Maxim Patlasov <MPatlasov@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mmc: core: Use mrq.sbc in close-ended ffu [+ + +]
Author: Avri Altman <avri.altman@wdc.com>
Date:   Wed Nov 29 11:25:35 2023 +0200

    mmc: core: Use mrq.sbc in close-ended ffu
    
    commit 4d0c8d0aef6355660b6775d57ccd5d4ea2e15802 upstream.
    
    Field Firmware Update (ffu) may use close-ended or open ended sequence.
    Each such sequence is comprised of a write commands enclosed between 2
    switch commands - to and from ffu mode. So for the close-ended case, it
    will be: cmd6->cmd23-cmd25-cmd6.
    
    Some host controllers however, get confused when multi-block rw is sent
    without sbc, and may generate auto-cmd12 which breaks the ffu sequence.
    I encountered  this issue while testing fwupd (github.com/fwupd/fwupd)
    on HP Chromebook x2, a qualcomm based QC-7c, code name - strongbad.
    
    Instead of a quirk, or hooking the request function of the msm ops,
    it would be better to fix the ioctl handling and make it use mrq.sbc
    instead of issuing SET_BLOCK_COUNT separately.
    
    Signed-off-by: Avri Altman <avri.altman@wdc.com>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20231129092535.3278-1-avri.altman@wdc.com
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mmc: slot-gpio: Allow non-sleeping GPIO ro [+ + +]
Author: Alexander Stein <alexander.stein@ew.tq-group.com>
Date:   Tue Feb 6 09:39:12 2024 +0100

    mmc: slot-gpio: Allow non-sleeping GPIO ro
    
    commit cc9432c4fb159a3913e0ce3173b8218cd5bad2e0 upstream.
    
    This change uses the appropriate _cansleep or non-sleeping API for
    reading GPIO read-only state. This allows users with GPIOs that
    never sleepbeing called in atomic context.
    
    Implement the same mechanism as in commit 52af318c93e97 ("mmc: Allow
    non-sleeping GPIO cd").
    
    Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240206083912.2543142-1-alexander.stein@ew.tq-group.com
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mtd: spinand: macronix: Fix MX35LFxGE4AD page size [+ + +]
Author: JaimeLiao <jaimeliao@mxic.com.tw>
Date:   Thu Jan 25 10:48:16 2024 +0800

    mtd: spinand: macronix: Fix MX35LFxGE4AD page size
    
    Support for MX35LF{2,4}GE4AD chips was added in mainline through
    upstream commit 5ece78de88739b4c68263e9f2582380c1fd8314f.
    
    The patch was later adapted to 5.4.y and backported through
    stable commit 85258ae3070848d9d0f6fbee385be2db80e8cf26.
    
    Fix the backport mentioned right above as it is wrong: the bigger chip
    features 4kiB pages and not 2kiB pages.
    
    Fixes: 85258ae30708 ("mtd: spinand: macronix: Add support for MX35LFxGE4AD")
    Cc: stable@vger.kernel.org # v5.4.y
    Cc: Miquel Raynal <miquel.raynal@bootlin.com>
    Signed-off-by: JaimeLiao <jaimeliao@mxic.com.tw>
    Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net/af_iucv: clean up a try_then_request_module() [+ + +]
Author: Julian Wiedmann <jwi@linux.ibm.com>
Date:   Mon Aug 9 10:30:47 2021 +0200

    net/af_iucv: clean up a try_then_request_module()
    
    [ Upstream commit 4eb9eda6ba64114d98827e2870e024d5ab7cd35b ]
    
    Use IS_ENABLED(CONFIG_IUCV) to determine whether the iucv_if symbol
    is available, and let depmod deal with the module dependency.
    
    This was introduced back with commit 6fcd61f7bf5d ("af_iucv: use
    loadable iucv interface"). And to avoid sprinkling IS_ENABLED() over
    all the code, we're keeping the indirection through pr_iucv->...().
    
    Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
    Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/mlx5: DR, Use the right GVMI number for drop action [+ + +]
Author: Yevgeny Kliteynik <kliteyn@nvidia.com>
Date:   Sun Dec 17 11:24:08 2023 +0200

    net/mlx5: DR, Use the right GVMI number for drop action
    
    [ Upstream commit 5665954293f13642f9c052ead83c1e9d8cff186f ]
    
    When FW provides ICM addresses for drop RX/TX, the provided capability
    is 64 bits that contain its GVMI as well as the ICM address itself.
    In case of TX DROP this GVMI is different from the GVMI that the
    domain is operating on.
    
    This patch fixes the action to use these GVMI IDs, as provided by FW.
    
    Fixes: 9db810ed2d37 ("net/mlx5: DR, Expose steering action functionality")
    Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
    Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/mlx5: Use kfree(ft->g) in arfs_create_groups() [+ + +]
Author: Denis Efremov <efremov@linux.com>
Date:   Fri Jun 5 22:22:35 2020 +0300

    net/mlx5: Use kfree(ft->g) in arfs_create_groups()
    
    [ Upstream commit 360000b26e37a75b3000bf0585b263809d96ffd3 ]
    
    Use kfree() instead of kvfree() on ft->g in arfs_create_groups() because
    the memory is allocated with kcalloc().
    
    Signed-off-by: Denis Efremov <efremov@linux.com>
    Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
    Stable-dep-of: 3c6d5189246f ("net/mlx5e: fix a double-free in arfs_create_groups")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/mlx5e: fix a double-free in arfs_create_groups [+ + +]
Author: Zhipeng Lu <alexious@zju.edu.cn>
Date:   Wed Jan 17 15:17:36 2024 +0800

    net/mlx5e: fix a double-free in arfs_create_groups
    
    [ Upstream commit 3c6d5189246f590e4e1f167991558bdb72a4738b ]
    
    When `in` allocated by kvzalloc fails, arfs_create_groups will free
    ft->g and return an error. However, arfs_create_table, the only caller of
    arfs_create_groups, will hold this error and call to
    mlx5e_destroy_flow_table, in which the ft->g will be freed again.
    
    Fixes: 1cabe6b0965e ("net/mlx5e: Create aRFS flow tables")
    Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv [+ + +]
Author: Sharath Srinivasan <sharath.srinivasan@oracle.com>
Date:   Fri Jan 19 17:48:39 2024 -0800

    net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
    
    [ Upstream commit 13e788deb7348cc88df34bed736c3b3b9927ea52 ]
    
    Syzcaller UBSAN crash occurs in rds_cmsg_recv(),
    which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1),
    but with array size of 4 (RDS_RX_MAX_TRACES).
    Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from
    trace.rx_trace_pos[i] in rds_recv_track_latency(),
    with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the
    off-by-one bounds check in rds_recv_track_latency() to prevent
    a potential crash in rds_cmsg_recv().
    
    Found by syzcaller:
    =================================================================
    UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39
    index 4 is out of range for type 'u64 [4]'
    CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
    BIOS 1.15.0-1 04/01/2014
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
     ubsan_epilogue lib/ubsan.c:217 [inline]
     __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348
     rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585
     rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716
     sock_recvmsg_nosec net/socket.c:1044 [inline]
     sock_recvmsg+0xe2/0x160 net/socket.c:1066
     __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246
     __do_sys_recvfrom net/socket.c:2264 [inline]
     __se_sys_recvfrom net/socket.c:2260 [inline]
     __x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    ==================================================================
    
    Fixes: 3289025aedc0 ("RDS: add receive message trace used by application")
    Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
    Closes: https://lore.kernel.org/linux-rdma/CALGdzuoVdq-wtQ4Az9iottBqC5cv9ZhcE5q8N7LfYFvkRsOVcw@mail.gmail.com/
    Signed-off-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/smc: fix illegal rmb_desc access in SMC-D connection dump [+ + +]
Author: Wen Gu <guwen@linux.alibaba.com>
Date:   Thu Jan 18 12:32:10 2024 +0800

    net/smc: fix illegal rmb_desc access in SMC-D connection dump
    
    [ Upstream commit dbc153fd3c142909e564bb256da087e13fbf239c ]
    
    A crash was found when dumping SMC-D connections. It can be reproduced
    by following steps:
    
    - run nginx/wrk test:
      smc_run nginx
      smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>
    
    - continuously dump SMC-D connections in parallel:
      watch -n 1 'smcss -D'
    
     BUG: kernel NULL pointer dereference, address: 0000000000000030
     CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G  E      6.7.0+ #55
     RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
     Call Trace:
      <TASK>
      ? __die+0x24/0x70
      ? page_fault_oops+0x66/0x150
      ? exc_page_fault+0x69/0x140
      ? asm_exc_page_fault+0x26/0x30
      ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
      ? __kmalloc_node_track_caller+0x35d/0x430
      ? __alloc_skb+0x77/0x170
      smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
      smc_diag_dump+0x26/0x60 [smc_diag]
      netlink_dump+0x19f/0x320
      __netlink_dump_start+0x1dc/0x300
      smc_diag_handler_dump+0x6a/0x80 [smc_diag]
      ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
      sock_diag_rcv_msg+0x121/0x140
      ? __pfx_sock_diag_rcv_msg+0x10/0x10
      netlink_rcv_skb+0x5a/0x110
      sock_diag_rcv+0x28/0x40
      netlink_unicast+0x22a/0x330
      netlink_sendmsg+0x1f8/0x420
      __sock_sendmsg+0xb0/0xc0
      ____sys_sendmsg+0x24e/0x300
      ? copy_msghdr_from_user+0x62/0x80
      ___sys_sendmsg+0x7c/0xd0
      ? __do_fault+0x34/0x160
      ? do_read_fault+0x5f/0x100
      ? do_fault+0xb0/0x110
      ? __handle_mm_fault+0x2b0/0x6c0
      __sys_sendmsg+0x4d/0x80
      do_syscall_64+0x69/0x180
      entry_SYSCALL_64_after_hwframe+0x6e/0x76
    
    It is possible that the connection is in process of being established
    when we dump it. Assumed that the connection has been registered in a
    link group by smc_conn_create() but the rmb_desc has not yet been
    initialized by smc_buf_create(), thus causing the illegal access to
    conn->rmb_desc. So fix it by checking before dump.
    
    Fixes: 4b1b7d3b30a6 ("net/smc: add SMC-D diag support")
    Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
    Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
    Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: bcmgenet: Fix EEE implementation [+ + +]
Author: Florian Fainelli <florian.fainelli@broadcom.com>
Date:   Tue Jun 6 14:43:47 2023 -0700

    net: bcmgenet: Fix EEE implementation
    
    commit a9f31047baca57d47440c879cf259b86f900260c upstream.
    
    We had a number of short comings:
    
    - EEE must be re-evaluated whenever the state machine detects a link
      change as wight be switching from a link partner with EEE
      enabled/disabled
    
    - tx_lpi_enabled controls whether EEE should be enabled/disabled for the
      transmit path, which applies to the TBUF block
    
    - We do not need to forcibly enable EEE upon system resume, as the PHY
      state machine will trigger a link event that will do that, too
    
    Fixes: 6ef398ea60d9 ("net: bcmgenet: add EEE support")
    Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Link: https://lore.kernel.org/r/20230606214348.2408018-1-florian.fainelli@broadcom.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: fec: fix the unhandled context fault from smmu [+ + +]
Author: Shenwei Wang <shenwei.wang@nxp.com>
Date:   Tue Jan 23 10:51:41 2024 -0600

    net: fec: fix the unhandled context fault from smmu
    
    [ Upstream commit 5e344807735023cd3a67c37a1852b849caa42620 ]
    
    When repeatedly changing the interface link speed using the command below:
    
    ethtool -s eth0 speed 100 duplex full
    ethtool -s eth0 speed 1000 duplex full
    
    The following errors may sometimes be reported by the ARM SMMU driver:
    
    [ 5395.035364] fec 5b040000.ethernet eth0: Link is Down
    [ 5395.039255] arm-smmu 51400000.iommu: Unhandled context fault:
    fsr=0x402, iova=0x00000000, fsynr=0x100001, cbfrsynra=0x852, cb=2
    [ 5398.108460] fec 5b040000.ethernet eth0: Link is Up - 100Mbps/Full -
    flow control off
    
    It is identified that the FEC driver does not properly stop the TX queue
    during the link speed transitions, and this results in the invalid virtual
    I/O address translations from the SMMU and causes the context faults.
    
    Fixes: dbc64a8ea231 ("net: fec: move calls to quiesce/resume packet processing out of fec_restart()")
    Signed-off-by: Shenwei Wang <shenwei.wang@nxp.com>
    Link: https://lore.kernel.org/r/20240123165141.2008104-1-shenwei.wang@nxp.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: ipv4: fix a memleak in ip_setup_cork [+ + +]
Author: Zhipeng Lu <alexious@zju.edu.cn>
Date:   Mon Jan 29 17:10:17 2024 +0800

    net: ipv4: fix a memleak in ip_setup_cork
    
    [ Upstream commit 5dee6d6923458e26966717f2a3eae7d09fc10bf6 ]
    
    When inetdev_valid_mtu fails, cork->opt should be freed if it is
    allocated in ip_setup_cork. Otherwise there could be a memleak.
    
    Fixes: 501a90c94510 ("inet: protect against too small mtu values.")
    Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://lore.kernel.org/r/20240129091017.2938835-1-alexious@zju.edu.cn
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: prevent mss overflow in skb_segment() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Dec 12 16:46:21 2023 +0000

    net: prevent mss overflow in skb_segment()
    
    commit 23d05d563b7e7b0314e65c8e882bc27eac2da8e7 upstream.
    
    Once again syzbot is able to crash the kernel in skb_segment() [1]
    
    GSO_BY_FRAGS is a forbidden value, but unfortunately the following
    computation in skb_segment() can reach it quite easily :
    
            mss = mss * partial_segs;
    
    65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to
    a bad final result.
    
    Make sure to limit segmentation so that the new mss value is smaller
    than GSO_BY_FRAGS.
    
    [1]
    
    general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
    CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
    RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
    Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
    RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
    RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
    RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
    RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
    R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
    R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
    FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <TASK>
    udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109
    ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120
    skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53
    __skb_gso_segment+0x339/0x710 net/core/gso.c:124
    skb_gso_segment include/net/gso.h:83 [inline]
    validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626
    __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338
    dev_queue_xmit include/linux/netdevice.h:3134 [inline]
    packet_xmit+0x257/0x380 net/packet/af_packet.c:276
    packet_snd net/packet/af_packet.c:3087 [inline]
    packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119
    sock_sendmsg_nosec net/socket.c:730 [inline]
    __sock_sendmsg+0xd5/0x180 net/socket.c:745
    __sys_sendto+0x255/0x340 net/socket.c:2190
    __do_sys_sendto net/socket.c:2202 [inline]
    __se_sys_sendto net/socket.c:2198 [inline]
    __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x63/0x6b
    RIP: 0033:0x7f8692032aa9
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9
    RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003
    RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480
    R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003
    </TASK>
    Modules linked in:
    ---[ end trace 0000000000000000 ]---
    RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
    Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
    RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
    RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
    RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
    RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
    R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
    R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
    FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    
    Fixes: 3953c46c3ac7 ("sk_buff: allow segmenting based on frag sizes")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Link: https://lore.kernel.org/r/20231212164621.4131800-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: remove unneeded break [+ + +]
Author: Tom Rix <trix@redhat.com>
Date:   Mon Oct 19 10:26:07 2020 -0700

    net: remove unneeded break
    
    [ Upstream commit 7ebb9db011088f9bd357791f49cb7012e66f29e2 ]
    
    A break is not needed if it is preceded by a return or goto
    
    Signed-off-by: Tom Rix <trix@redhat.com>
    Link: https://lore.kernel.org/r/20201019172607.31622-1-trix@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Stable-dep-of: bbc404d20d1b ("ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: stmmac: xgmac: fix a typo of register name in DPP safety handling [+ + +]
Author: Furong Xu <0x1207@gmail.com>
Date:   Sat Feb 3 13:31:33 2024 +0800

    net: stmmac: xgmac: fix a typo of register name in DPP safety handling
    
    commit 1ce2654d87e2fb91fea83b288bd9b2641045e42a upstream.
    
    DDPP is copied from Synopsys Data book:
    
    DDPP: Disable Data path Parity Protection.
        When it is 0x0, Data path Parity Protection is enabled.
        When it is 0x1, Data path Parity Protection is disabled.
    
    The macro name should be XGMAC_DPP_DISABLE.
    
    Fixes: 46eba193d04f ("net: stmmac: xgmac: fix handling of DPP safety error for DMA channels")
    Signed-off-by: Furong Xu <0x1207@gmail.com>
    Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
    Link: https://lore.kernel.org/r/20240203053133.1129236-1-0x1207@gmail.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: stmmac: xgmac: fix handling of DPP safety error for DMA channels [+ + +]
Author: Furong Xu <0x1207@gmail.com>
Date:   Wed Jan 31 10:08:28 2024 +0800

    net: stmmac: xgmac: fix handling of DPP safety error for DMA channels
    
    [ Upstream commit 46eba193d04f8bd717e525eb4110f3c46c12aec3 ]
    
    Commit 56e58d6c8a56 ("net: stmmac: Implement Safety Features in
    XGMAC core") checks and reports safety errors, but leaves the
    Data Path Parity Errors for each channel in DMA unhandled at all, lead to
    a storm of interrupt.
    Fix it by checking and clearing the DMA_DPP_Interrupt_Status register.
    
    Fixes: 56e58d6c8a56 ("net: stmmac: Implement Safety Features in XGMAC core")
    Signed-off-by: Furong Xu <0x1207@gmail.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: stmmac: xgmac: use #define for string constants [+ + +]
Author: Simon Horman <horms@kernel.org>
Date:   Thu Feb 8 09:48:27 2024 +0000

    net: stmmac: xgmac: use #define for string constants
    
    commit 1692b9775e745f84b69dc8ad0075b0855a43db4e upstream.
    
    The cited commit introduces and uses the string constants dpp_tx_err and
    dpp_rx_err. These are assigned to constant fields of the array
    dwxgmac3_error_desc.
    
    It has been reported that on GCC 6 and 7.5.0 this results in warnings
    such as:
    
      .../dwxgmac2_core.c:836:20: error: initialiser element is not constant
       { true, "TDPES0", dpp_tx_err },
    
    I have been able to reproduce this using: GCC 7.5.0, 8.4.0, 9.4.0 and 10.5.0.
    But not GCC 13.2.0.
    
    So it seems this effects older compilers but not newer ones.
    As Jon points out in his report, the minimum compiler supported by
    the kernel is GCC 5.1, so it does seem that this ought to be fixed.
    
    It is not clear to me what combination of 'const', if any, would address
    this problem.  So this patch takes of using #defines for the string
    constants
    
    Compile tested only.
    
    Fixes: 46eba193d04f ("net: stmmac: xgmac: fix handling of DPP safety error for DMA channels")
    Reported-by: Jon Hunter <jonathanh@nvidia.com>
    Closes: https://lore.kernel.org/netdev/c25eb595-8d91-40ea-9f52-efa15ebafdbc@nvidia.com/
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/oe-kbuild-all/202402081135.lAxxBXHk-lkp@intel.com/
    Signed-off-by: Simon Horman <horms@kernel.org>
    Link: https://lore.kernel.org/r/20240208-xgmac-const-v1-1-e69a1eeabfc8@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: sysfs: Fix /sys/class/net/ path [+ + +]
Author: Breno Leitao <leitao@debian.org>
Date:   Wed Jan 31 02:21:49 2024 -0800

    net: sysfs: Fix /sys/class/net/<iface> path
    
    [ Upstream commit ae3f4b44641dfff969604735a0dcbf931f383285 ]
    
    The documentation is pointing to the wrong path for the interface.
    Documentation is pointing to /sys/class/<iface>, instead of
    /sys/class/net/<iface>.
    
    Fix it by adding the `net/` directory before the interface.
    
    Fixes: 1a02ef76acfa ("net: sysfs: add documentation entries for /sys/class/<iface>/queues")
    Signed-off-by: Breno Leitao <leitao@debian.org>
    Link: https://lore.kernel.org/r/20240131102150.728960-2-leitao@debian.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
netfilter: ipset: fix performance regression in swap operation [+ + +]
Author: Jozsef Kadlecsik <kadlec@netfilter.org>
Date:   Mon Jan 29 10:57:01 2024 +0100

    netfilter: ipset: fix performance regression in swap operation
    
    commit 97f7cf1cd80eeed3b7c808b7c12463295c751001 upstream.
    
    The patch "netfilter: ipset: fix race condition between swap/destroy
    and kernel side add/del/test", commit 28628fa9 fixes a race condition.
    But the synchronize_rcu() added to the swap function unnecessarily slows
    it down: it can safely be moved to destroy and use call_rcu() instead.
    
    Eric Dumazet pointed out that simply calling the destroy functions as
    rcu callback does not work: sets with timeout use garbage collectors
    which need cancelling at destroy which can wait. Therefore the destroy
    functions are split into two: cancelling garbage collectors safely at
    executing the command received by netlink and moving the remaining
    part only into the rcu callback.
    
    Link: https://lore.kernel.org/lkml/C0829B10-EAA6-4809-874E-E1E9C05A8D84@automattic.com/
    Fixes: 28628fa952fe ("netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test")
    Reported-by: Ale Crismani <ale.crismani@automattic.com>
    Reported-by: David Wang <00107082@163.com>
    Tested-by: David Wang <00107082@163.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

netfilter: ipset: Missing gc cancellations fixed [+ + +]
Author: Jozsef Kadlecsik <kadlec@netfilter.org>
Date:   Sun Feb 4 16:26:42 2024 +0100

    netfilter: ipset: Missing gc cancellations fixed
    
    commit 27c5a095e2518975e20a10102908ae8231699879 upstream.
    
    The patch fdb8e12cc2cc ("netfilter: ipset: fix performance regression
    in swap operation") missed to add the calls to gc cancellations
    at the error path of create operations and at module unload. Also,
    because the half of the destroy operations now executed by a
    function registered by call_rcu(), neither NFNL_SUBSYS_IPSET mutex
    or rcu read lock is held and therefore the checking of them results
    false warnings.
    
    Fixes: 97f7cf1cd80e ("netfilter: ipset: fix performance regression in swap operation")
    Reported-by: syzbot+52bbc0ad036f6f0d4a25@syzkaller.appspotmail.com
    Reported-by: Brad Spengler <spender@grsecurity.net>
    Reported-by: Стас Ничипорович <stasn77@gmail.com>
    Tested-by: Brad Spengler <spender@grsecurity.net>
    Tested-by: Стас Ничипорович <stasn77@gmail.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Jan 29 11:09:43 2024 +0100

    netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
    
    [ Upstream commit 259eb32971e9eb24d1777a28d82730659f50fdcb ]
    
    Module reference is bumped for each user, this should not ever happen.
    
    But BUG_ON check should use rcu_access_pointer() instead.
    
    If this ever happens, do WARN_ON_ONCE() instead of BUG_ON() and
    consolidate pointer check under the rcu read side lock section.
    
    Fixes: fab4085f4e24 ("netfilter: log: nf_log_packet() as real unified interface")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Fri Nov 3 09:42:51 2023 +0300

    netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
    
    commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 upstream.
    
    The problem is in nft_byteorder_eval() where we are iterating through a
    loop and writing to dst[0], dst[1], dst[2] and so on...  On each
    iteration we are writing 8 bytes.  But dst[] is an array of u32 so each
    element only has space for 4 bytes.  That means that every iteration
    overwrites part of the previous element.
    
    I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
    nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
    issue.  I think that the reason we have not detected this bug in testing
    is that most of time we only write one element.
    
    Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    [Ajay: Modified to apply on v5.4.y]
    Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

netfilter: nf_tables: reject QUEUE/DROP verdict parameters [+ + +]
Author: Florian Westphal <fw@strlen.de>
Date:   Sat Jan 20 22:50:04 2024 +0100

    netfilter: nf_tables: reject QUEUE/DROP verdict parameters
    
    commit f342de4e2f33e0e39165d8639387aa6c19dff660 upstream.
    
    This reverts commit e0abdadcc6e1.
    
    core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
    verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
    or 0.
    
    Due to the reverted commit, its possible to provide a positive
    value, e.g. NF_ACCEPT (1), which results in use-after-free.
    
    Its not clear to me why this commit was made.
    
    NF_QUEUE is not used by nftables; "queue" rules in nftables
    will result in use of "nft_queue" expression.
    
    If we later need to allow specifiying errno values from userspace
    (do not know why), this has to call NF_DROP_GETERR and check that
    "err <= 0" holds true.
    
    Fixes: e0abdadcc6e1 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters")
    Cc: stable@vger.kernel.org
    Reported-by: Notselwyn <notselwyn@pwning.tech>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

netfilter: nf_tables: restrict anonymous set and map names to 16 bytes [+ + +]
Author: Florian Westphal <fw@strlen.de>
Date:   Fri Jan 19 13:34:32 2024 +0100

    netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
    
    [ Upstream commit b462579b2b86a8f5230543cadd3a4836be27baf7 ]
    
    nftables has two types of sets/maps, one where userspace defines the
    name, and anonymous sets/maps, where userspace defines a template name.
    
    For the latter, kernel requires presence of exactly one "%d".
    nftables uses "__set%d" and "__map%d" for this.  The kernel will
    expand the format specifier and replaces it with the smallest unused
    number.
    
    As-is, userspace could define a template name that allows to move
    the set name past the 256 bytes upperlimit (post-expansion).
    
    I don't see how this could be a problem, but I would prefer if userspace
    cannot do this, so add a limit of 16 bytes for the '%d' template name.
    
    16 bytes is the old total upper limit for set names that existed when
    nf_tables was merged initially.
    
    Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nf_tables: validate NFPROTO_* family [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue Jan 23 16:38:25 2024 +0100

    netfilter: nf_tables: validate NFPROTO_* family
    
    [ Upstream commit d0009effa8862c20a13af4cb7475d9771b905693 ]
    
    Several expressions explicitly refer to NF_INET_* hook definitions
    from expr->ops->validate, however, family is not validated.
    
    Bail out with EOPNOTSUPP in case they are used from unsupported
    families.
    
    Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
    Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
    Fixes: 2fa841938c64 ("netfilter: nf_tables: introduce routing expression")
    Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
    Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
    Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
    Fixes: 6c47260250fc ("netfilter: nf_tables: add xfrm expression")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nft_compat: reject unused compat flag [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Feb 1 23:33:29 2024 +0100

    netfilter: nft_compat: reject unused compat flag
    
    [ Upstream commit 292781c3c5485ce33bd22b2ef1b2bed709b4d672 ]
    
    Flag (1 << 0) is ignored is set, never used, reject it it with EINVAL
    instead.
    
    Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nft_compat: restrict match/target protocol to u16 [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Fri Feb 2 00:05:23 2024 +0100

    netfilter: nft_compat: restrict match/target protocol to u16
    
    [ Upstream commit d694b754894c93fb4d71a7f3699439dec111decc ]
    
    xt_check_{match,target} expects u16, but NFTA_RULE_COMPAT_PROTO is u32.
    
    NLA_POLICY_MAX(NLA_BE32, 65535) cannot be used because .max in
    nla_policy is s16, see 3e48be05f3c7 ("netlink: add attribute range
    validation to policy").
    
    Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nft_ct: reject direction for ct id [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Feb 5 14:59:24 2024 +0100

    netfilter: nft_ct: reject direction for ct id
    
    [ Upstream commit 38ed1c7062ada30d7c11e7a7acc749bf27aa14aa ]
    
    Direction attribute is ignored, reject it in case this ever needs to be
    supported
    
    Fixes: 3087c3f7c23b ("netfilter: nft_ct: Add ct id support")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Jan 29 13:12:33 2024 +0100

    netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
    
    [ Upstream commit 8059918a1377f2f1fff06af4f5a4ed3d5acd6bc4 ]
    
    - Disallow families other than NFPROTO_{IPV4,IPV6,INET}.
    - Disallow layer 4 protocol with no ports, since destination port is a
      mandatory attribute for this object.
    
    Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nft_set_rbtree: skip end interval element from gc [+ + +]
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed Feb 7 18:49:51 2024 +0100

    netfilter: nft_set_rbtree: skip end interval element from gc
    
    commit 60c0c230c6f046da536d3df8b39a20b9a9fd6af0 upstream.
    
    rbtree lazy gc on insert might collect an end interval element that has
    been just added in this transactions, skip end interval elements that
    are not yet active.
    
    Fixes: f718863aca46 ("netfilter: nft_set_rbtree: fix overlap expiration walk")
    Cc: stable@vger.kernel.org
    Reported-by: lonial con <kongln9170@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
netlink: fix potential sleeping issue in mqueue_flush_file [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Mon Jan 22 09:18:07 2024 +0800

    netlink: fix potential sleeping issue in mqueue_flush_file
    
    [ Upstream commit 234ec0b6034b16869d45128b8cd2dc6ffe596f04 ]
    
    I analyze the potential sleeping issue of the following processes:
    Thread A                                Thread B
    ...                                     netlink_create  //ref = 1
    do_mq_notify                            ...
      sock = netlink_getsockbyfilp          ...     //ref = 2
      info->notify_sock = sock;             ...
    ...                                     netlink_sendmsg
    ...                                       skb = netlink_alloc_large_skb  //skb->head is vmalloced
    ...                                       netlink_unicast
    ...                                         sk = netlink_getsockbyportid //ref = 3
    ...                                         netlink_sendskb
    ...                                           __netlink_sendskb
    ...                                             skb_queue_tail //put skb to sk_receive_queue
    ...                                         sock_put //ref = 2
    ...                                     ...
    ...                                     netlink_release
    ...                                       deferred_put_nlk_sk //ref = 1
    mqueue_flush_file
      spin_lock
      remove_notification
        netlink_sendskb
          sock_put  //ref = 0
            sk_free
              ...
              __sk_destruct
                netlink_sock_destruct
                  skb_queue_purge  //get skb from sk_receive_queue
                    ...
                    __skb_queue_purge_reason
                      kfree_skb_reason
                        __kfree_skb
                        ...
                        skb_release_all
                          skb_release_head_state
                            netlink_skb_destructor
                              vfree(skb->head)  //sleeping while holding spinlock
    
    In netlink_sendmsg, if the memory pointed to by skb->head is allocated by
    vmalloc, and is put to sk_receive_queue queue, also the skb is not freed.
    When the mqueue executes flush, the sleeping bug will occur. Use
    vfree_atomic instead of vfree in netlink_skb_destructor to solve the issue.
    
    Fixes: c05cdb1b864f ("netlink: allow large data transfers from user-space")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Link: https://lore.kernel.org/r/20240122011807.2110357-1-shaozhengchao@huawei.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nfc: nci: free rx_data_reassembly skb on NCI device cleanup [+ + +]
Author: Fedor Pchelkin <pchelkin@ispras.ru>
Date:   Thu Jan 25 12:53:09 2024 +0300

    nfc: nci: free rx_data_reassembly skb on NCI device cleanup
    
    commit bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c upstream.
    
    rx_data_reassembly skb is stored during NCI data exchange for processing
    fragmented packets. It is dropped only when the last fragment is processed
    or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.
    However, the NCI device may be deallocated before that which leads to skb
    leak.
    
    As by design the rx_data_reassembly skb is bound to the NCI device and
    nothing prevents the device to be freed before the skb is processed in
    some way and cleaned, free it on the NCI device cleanup.
    
    Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
    
    Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
    Cc: stable@vger.kernel.org
    Reported-by: syzbot+6b7c68d9c21e4ee4251b@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/lkml/000000000000f43987060043da7b@google.com/
    Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
nfp: flower: prevent re-adding mac index for bonded port [+ + +]
Author: Daniel de Villiers <daniel.devilliers@corigine.com>
Date:   Fri Feb 2 13:37:18 2024 +0200

    nfp: flower: prevent re-adding mac index for bonded port
    
    commit 1a1c13303ff6d64e6f718dc8aa614e580ca8d9b4 upstream.
    
    When physical ports are reset (either through link failure or manually
    toggled down and up again) that are slaved to a Linux bond with a tunnel
    endpoint IP address on the bond device, not all tunnel packets arriving
    on the bond port are decapped as expected.
    
    The bond dev assigns the same MAC address to itself and each of its
    slaves. When toggling a slave device, the same MAC address is therefore
    offloaded to the NFP multiple times with different indexes.
    
    The issue only occurs when re-adding the shared mac. The
    nfp_tunnel_add_shared_mac() function has a conditional check early on
    that checks if a mac entry already exists and if that mac entry is
    global: (entry && nfp_tunnel_is_mac_idx_global(entry->index)). In the
    case of a bonded device (For example br-ex), the mac index is obtained,
    and no new index is assigned.
    
    We therefore modify the conditional in nfp_tunnel_add_shared_mac() to
    check if the port belongs to the LAG along with the existing checks to
    prevent a new global mac index from being re-assigned to the slave port.
    
    Fixes: 20cce8865098 ("nfp: flower: enable MAC address sharing for offloadable devs")
    CC: stable@vger.kernel.org # 5.1+
    Signed-off-by: Daniel de Villiers <daniel.devilliers@corigine.com>
    Signed-off-by: Louis Peens <louis.peens@corigine.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nfp: use correct macro for LengthSelect in BAR config [+ + +]
Author: Daniel Basilio <daniel.basilio@corigine.com>
Date:   Fri Feb 2 13:37:17 2024 +0200

    nfp: use correct macro for LengthSelect in BAR config
    
    commit b3d4f7f2288901ed2392695919b3c0e24c1b4084 upstream.
    
    The 1st and 2nd expansion BAR configuration registers are configured,
    when the driver starts up, in variables 'barcfg_msix_general' and
    'barcfg_msix_xpb', respectively. The 'LengthSelect' field is ORed in
    from bit 0, which is incorrect. The 'LengthSelect' field should
    start from bit 27.
    
    This has largely gone un-noticed because
    NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT happens to be 0.
    
    Fixes: 4cb584e0ee7d ("nfp: add CPP access core")
    Cc: stable@vger.kernel.org # 4.11+
    Signed-off-by: Daniel Basilio <daniel.basilio@corigine.com>
    Signed-off-by: Louis Peens <louis.peens@corigine.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
nilfs2: fix data corruption in dsync block recovery for small block sizes [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Wed Jan 24 21:19:36 2024 +0900

    nilfs2: fix data corruption in dsync block recovery for small block sizes
    
    commit 67b8bcbaed4777871bb0dcc888fb02a614a98ab1 upstream.
    
    The helper function nilfs_recovery_copy_block() of
    nilfs_recovery_dsync_blocks(), which recovers data from logs created by
    data sync writes during a mount after an unclean shutdown, incorrectly
    calculates the on-page offset when copying repair data to the file's page
    cache.  In environments where the block size is smaller than the page
    size, this flaw can cause data corruption and leak uninitialized memory
    bytes during the recovery process.
    
    Fix these issues by correcting this byte offset calculation on the page.
    
    Link: https://lkml.kernel.org/r/20240124121936.10575-1-konishi.ryusuke@gmail.com
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Wed Jan 31 23:56:57 2024 +0900

    nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
    
    commit 38296afe3c6ee07319e01bb249aa4bb47c07b534 upstream.
    
    Syzbot reported a hang issue in migrate_pages_batch() called by mbind()
    and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.
    
    While migrate_pages_batch() locks a folio and waits for the writeback to
    complete, the log writer thread that should bring the writeback to
    completion picks up the folio being written back in
    nilfs_lookup_dirty_data_buffers() that it calls for subsequent log
    creation and was trying to lock the folio.  Thus causing a deadlock.
    
    In the first place, it is unexpected that folios/pages in the middle of
    writeback will be updated and become dirty.  Nilfs2 adds a checksum to
    verify the validity of the log being written and uses it for recovery at
    mount, so data changes during writeback are suppressed.  Since this is
    broken, an unclean shutdown could potentially cause recovery to fail.
    
    Investigation revealed that the root cause is that the wait for writeback
    completion in nilfs_page_mkwrite() is conditional, and if the backing
    device does not require stable writes, data may be modified without
    waiting.
    
    Fix these issues by making nilfs_page_mkwrite() wait for writeback to
    finish regardless of the stable write requirement of the backing device.
    
    Link: https://lkml.kernel.org/r/20240131145657.4209-1-konishi.ryusuke@gmail.com
    Fixes: 1d1d1a767206 ("mm: only enforce stable page writes if the backing device requires it")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+ee2ae68da3b22d04cd8d@syzkaller.appspotmail.com
    Closes: https://lkml.kernel.org/r/00000000000047d819061004ad6c@google.com
    Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nilfs2: fix potential bug in end_buffer_async_write [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Sun Feb 4 01:16:45 2024 +0900

    nilfs2: fix potential bug in end_buffer_async_write
    
    commit 5bc09b397cbf1221f8a8aacb1152650c9195b02b upstream.
    
    According to a syzbot report, end_buffer_async_write(), which handles the
    completion of block device writes, may detect abnormal condition of the
    buffer async_write flag and cause a BUG_ON failure when using nilfs2.
    
    Nilfs2 itself does not use end_buffer_async_write().  But, the async_write
    flag is now used as a marker by commit 7f42ec394156 ("nilfs2: fix issue
    with race condition of competition between segments for dirty blocks") as
    a means of resolving double list insertion of dirty blocks in
    nilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the
    resulting crash.
    
    This modification is safe as long as it is used for file data and b-tree
    node blocks where the page caches are independent.  However, it was
    irrelevant and redundant to also introduce async_write for segment summary
    and super root blocks that share buffers with the backing device.  This
    led to the possibility that the BUG_ON check in end_buffer_async_write
    would fail as described above, if independent writebacks of the backing
    device occurred in parallel.
    
    The use of async_write for segment summary buffers has already been
    removed in a previous change.
    
    Fix this issue by removing the manipulation of the async_write flag for
    the remaining super root block buffer.
    
    Link: https://lkml.kernel.org/r/20240203161645.4992-1-konishi.ryusuke@gmail.com
    Fixes: 7f42ec394156 ("nilfs2: fix issue with race condition of competition between segments for dirty blocks")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+5c04210f7c7f897c1e7f@syzkaller.appspotmail.com
    Closes: https://lkml.kernel.org/r/00000000000019a97c05fd42f8c8@google.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
nouveau/vmm: don't set addr on the fail path to avoid warning [+ + +]
Author: Dave Airlie <airlied@redhat.com>
Date:   Thu Jan 18 06:19:57 2024 +1000

    nouveau/vmm: don't set addr on the fail path to avoid warning
    
    commit cacea81390fd8c8c85404e5eb2adeb83d87a912e upstream.
    
    nvif_vmm_put gets called if addr is set, but if the allocation
    fails we don't need to call put, otherwise we get a warning like
    
    [523232.435671] ------------[ cut here ]------------
    [523232.435674] WARNING: CPU: 8 PID: 1505697 at drivers/gpu/drm/nouveau/nvif/vmm.c:68 nvif_vmm_put+0x72/0x80 [nouveau]
    [523232.435795] Modules linked in: uinput rfcomm snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink qrtr bnep sunrpc binfmt_misc intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common isst_if_common iwlmvm nfit libnvdimm vfat fat x86_pkg_temp_thermal intel_powerclamp mac80211 snd_soc_avs snd_soc_hda_codec coretemp snd_hda_ext_core snd_soc_core snd_hda_codec_realtek kvm_intel snd_hda_codec_hdmi snd_compress snd_hda_codec_generic ac97_bus snd_pcm_dmaengine snd_hda_intel libarc4 snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm iwlwifi snd_hda_core btusb snd_hwdep btrtl snd_seq btintel irqbypass btbcm rapl snd_seq_device eeepc_wmi btmtk intel_cstate iTCO_wdt cfg80211 snd_pcm asus_wmi bluetooth intel_pmc_bxt iTCO_vendor_support snd_timer ledtrig_audio pktcdvd snd mei_me
    [523232.435828]  sparse_keymap intel_uncore i2c_i801 platform_profile wmi_bmof mei pcspkr ioatdma soundcore i2c_smbus rfkill idma64 dca joydev acpi_tad loop zram nouveau drm_ttm_helper ttm video drm_exec drm_gpuvm gpu_sched crct10dif_pclmul i2c_algo_bit nvme crc32_pclmul crc32c_intel drm_display_helper polyval_clmulni nvme_core polyval_generic e1000e mxm_wmi cec ghash_clmulni_intel r8169 sha512_ssse3 nvme_common wmi pinctrl_sunrisepoint uas usb_storage ip6_tables ip_tables fuse
    [523232.435849] CPU: 8 PID: 1505697 Comm: gnome-shell Tainted: G        W          6.6.0-rc7-nvk-uapi+ #12
    [523232.435851] Hardware name: System manufacturer System Product Name/ROG STRIX X299-E GAMING II, BIOS 1301 09/24/2021
    [523232.435852] RIP: 0010:nvif_vmm_put+0x72/0x80 [nouveau]
    [523232.435934] Code: 00 00 48 89 e2 be 02 00 00 00 48 c7 04 24 00 00 00 00 48 89 44 24 08 e8 fc bf ff ff 85
    c0 75 0a 48 c7 43 08 00 00 00 00 eb b3 <0f> 0b eb f2 e8 f5 c9 b2 e6 0f 1f 44 00 00 90 90 90 90 90 90 90 90
    [523232.435936] RSP: 0018:ffffc900077ffbd8 EFLAGS: 00010282
    [523232.435937] RAX: 00000000fffffffe RBX: ffffc900077ffc00 RCX: 0000000000000010
    [523232.435938] RDX: 0000000000000010 RSI: ffffc900077ffb38 RDI: ffffc900077ffbd8
    [523232.435940] RBP: ffff888e1c4f2140 R08: 0000000000000000 R09: 0000000000000000
    [523232.435940] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888503811800
    [523232.435941] R13: ffffc900077ffca0 R14: ffff888e1c4f2140 R15: ffff88810317e1e0
    [523232.435942] FS:  00007f933a769640(0000) GS:ffff88905fa00000(0000) knlGS:0000000000000000
    [523232.435943] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [523232.435944] CR2: 00007f930bef7000 CR3: 00000005d0322001 CR4: 00000000003706e0
    [523232.435945] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [523232.435946] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [523232.435964] Call Trace:
    [523232.435965]  <TASK>
    [523232.435966]  ? nvif_vmm_put+0x72/0x80 [nouveau]
    [523232.436051]  ? __warn+0x81/0x130
    [523232.436055]  ? nvif_vmm_put+0x72/0x80 [nouveau]
    [523232.436138]  ? report_bug+0x171/0x1a0
    [523232.436142]  ? handle_bug+0x3c/0x80
    [523232.436144]  ? exc_invalid_op+0x17/0x70
    [523232.436145]  ? asm_exc_invalid_op+0x1a/0x20
    [523232.436149]  ? nvif_vmm_put+0x72/0x80 [nouveau]
    [523232.436230]  ? nvif_vmm_put+0x64/0x80 [nouveau]
    [523232.436342]  nouveau_vma_del+0x80/0xd0 [nouveau]
    [523232.436506]  nouveau_vma_new+0x1a0/0x210 [nouveau]
    [523232.436671]  nouveau_gem_object_open+0x1d0/0x1f0 [nouveau]
    [523232.436835]  drm_gem_handle_create_tail+0xd1/0x180
    [523232.436840]  drm_prime_fd_to_handle_ioctl+0x12e/0x200
    [523232.436844]  ? __pfx_drm_prime_fd_to_handle_ioctl+0x10/0x10
    [523232.436847]  drm_ioctl_kernel+0xd3/0x180
    [523232.436849]  drm_ioctl+0x26d/0x4b0
    [523232.436851]  ? __pfx_drm_prime_fd_to_handle_ioctl+0x10/0x10
    [523232.436855]  nouveau_drm_ioctl+0x5a/0xb0 [nouveau]
    [523232.437032]  __x64_sys_ioctl+0x94/0xd0
    [523232.437036]  do_syscall_64+0x5d/0x90
    [523232.437040]  ? syscall_exit_to_user_mode+0x2b/0x40
    [523232.437044]  ? do_syscall_64+0x6c/0x90
    [523232.437046]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
    
    Reported-by: Faith Ekstrand <faith.ekstrand@collabora.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240117213852.295565-1-airlied@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
of: gpio unittest kfree() wrong object [+ + +]
Author: Frank Rowand <frowand.list@gmail.com>
Date:   Wed Mar 25 20:45:30 2020 -0500

    of: gpio unittest kfree() wrong object
    
    commit fb227f597d612c6660888d1947e68a25fed7b9cc upstream.
    
    kernel test robot reported "WARNING: held lock freed!" triggered by
    unittest_gpio_remove().  unittest_gpio_remove() was unexpectedly
    called due to an error in overlay tracking.  The remove had not
    been tested because the gpio overlay removal tests have not been
    implemented.
    
    kfree() gdev instead of pdev.
    
    Fixes: f4056e705b2e ("of: unittest: add overlay gpio test to catch gpio hog problem")
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: Frank Rowand <frank.rowand@sony.com>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

of: unittest: add overlay gpio test to catch gpio hog problem [+ + +]
Author: Frank Rowand <frowand.list@gmail.com>
Date:   Thu Feb 20 12:40:20 2020 -0600

    of: unittest: add overlay gpio test to catch gpio hog problem
    
    [ Upstream commit f4056e705b2ef7f123a188f6aee23ade70e7d793 ]
    
    Geert reports that gpio hog nodes are not properly processed when
    the gpio hog node is added via an overlay reply and provides an
    RFC patch to fix the problem [1].
    
    Add a unittest that shows the problem.  Unittest will report "1 failed"
    test before applying Geert's RFC patch and "0 failed" after applying
    Geert's RFC patch.
    
    [1] https://lore.kernel.org/linux-devicetree/20191230133852.5890-1-geert+renesas@glider.be/
    
    Signed-off-by: Frank Rowand <frank.rowand@sony.com>
    Signed-off-by: Rob Herring <robh@kernel.org>
    Stable-dep-of: 607aad1e4356 ("of: unittest: Fix compile in the non-dynamic case")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

of: unittest: Fix compile in the non-dynamic case [+ + +]
Author: Christian A. Ehrhardt <lk@c--e.de>
Date:   Mon Jan 29 20:25:56 2024 +0100

    of: unittest: Fix compile in the non-dynamic case
    
    [ Upstream commit 607aad1e4356c210dbef9022955a3089377909b2 ]
    
    If CONFIG_OF_KOBJ is not set, a device_node does not contain a
    kobj and attempts to access the embedded kobj via kref_read break
    the compile.
    
    Replace affected kref_read calls with a macro that reads the
    refcount if it exists and returns 1 if there is no embedded kobj.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/oe-kbuild-all/202401291740.VP219WIz-lkp@intel.com/
    Fixes: 4dde83569832 ("of: Fix double free in of_parse_phandle_with_args_map")
    Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
    Link: https://lore.kernel.org/r/20240129192556.403271-1-lk@c--e.de
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

of: unittest: fix EXPECT text for gpio hog errors [+ + +]
Author: Frank Rowand <frowand.list@gmail.com>
Date:   Thu Oct 28 20:32:25 2021 -0500

    of: unittest: fix EXPECT text for gpio hog errors
    
    commit e85860e5bc077865a04f0a88d0b0335d3200484a upstream.
    
    The console message text for gpio hog errors does not match
    what unittest expects.
    
    Fixes: f4056e705b2ef ("of: unittest: add overlay gpio test to catch gpio hog problem")
    Signed-off-by: Frank Rowand <frank.rowand@sony.com>
    Link: https://lore.kernel.org/r/20211029013225.2048695-1-frowand.list@gmail.com
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
parisc/firmware: Fix F-extend for PDC addresses [+ + +]
Author: Helge Deller <deller@gmx.de>
Date:   Wed Jan 3 21:02:16 2024 +0100

    parisc/firmware: Fix F-extend for PDC addresses
    
    commit 735ae74f73e55c191d48689bd11ff4a06ea0508f upstream.
    
    When running with narrow firmware (64-bit kernel using a 32-bit
    firmware), extend PDC addresses into the 0xfffffff0.00000000
    region instead of the 0xf0f0f0f0.00000000 region.
    
    This fixes the power button on the C3700 machine in qemu (64-bit CPU
    with 32-bit firmware), and my assumption is that the previous code was
    really never used (because most 64-bit machines have a 64-bit firmware),
    or it just worked on very old machines because they may only decode
    40-bit of virtual addresses.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
PCI/AER: Decode Requester ID when no error info found [+ + +]
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Wed Dec 6 16:42:30 2023 -0600

    PCI/AER: Decode Requester ID when no error info found
    
    [ Upstream commit 1291b716bbf969e101d517bfb8ba18d958f758b8 ]
    
    When a device with AER detects an error, it logs error information in its
    own AER Error Status registers.  It may send an Error Message to the Root
    Port (RCEC in the case of an RCiEP), which logs the fact that an Error
    Message was received (Root Error Status) and the Requester ID of the
    message source (Error Source Identification).
    
    aer_print_port_info() prints the Requester ID from the Root Port Error
    Source in the usual Linux "bb:dd.f" format, but when find_source_device()
    finds no error details in the hierarchy below the Root Port, it printed the
    raw Requester ID without decoding it.
    
    Decode the Requester ID in the usual Linux format so it matches other
    messages.
    
    Sample message changes:
    
      - pcieport 0000:00:1c.5: AER: Correctable error received: 0000:00:1c.5
      - pcieport 0000:00:1c.5: AER: can't find device of ID00e5
      + pcieport 0000:00:1c.5: AER: Correctable error message received from 0000:00:1c.5
      + pcieport 0000:00:1c.5: AER: found no error details for 0000:00:1c.5
    
    Link: https://lore.kernel.org/r/20231206224231.732765-3-helgaas@kernel.org
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
PCI: add INTEL_HDA_ARL to pci_ids.h [+ + +]
Author: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Date:   Mon Dec 4 15:27:06 2023 -0600

    PCI: add INTEL_HDA_ARL to pci_ids.h
    
    [ Upstream commit 5ec42bf04d72fd6d0a6855810cc779e0ee31dfd7 ]
    
    The PCI ID insertion follows the increasing order in the table, but
    this hardware follows MTL (MeteorLake).
    
    Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
    Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
    Acked-by: Mark Brown <broonie@kernel.org>
    Link: https://lore.kernel.org/r/20231204212710.185976-2-pierre-louis.bossart@linux.intel.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

PCI: Add no PM reset quirk for NVIDIA Spectrum devices [+ + +]
Author: Ido Schimmel <idosch@nvidia.com>
Date:   Wed Nov 15 13:17:16 2023 +0100

    PCI: Add no PM reset quirk for NVIDIA Spectrum devices
    
    [ Upstream commit 3ed48c80b28d8dcd584d6ddaf00c75b7673e1a05 ]
    
    Spectrum-{1,2,3,4} devices report that a D3hot->D0 transition causes a
    reset (i.e., they advertise NoSoftRst-). However, this transition does
    not have any effect on the device: It continues to be operational and
    network ports remain up. Advertising this support makes it seem as if a
    PM reset is viable for these devices. Mark it as unavailable to skip it
    when testing reset methods.
    
    Before:
    
     # cat /sys/bus/pci/devices/0000\:03\:00.0/reset_method
     pm bus
    
    After:
    
     # cat /sys/bus/pci/devices/0000\:03\:00.0/reset_method
     bus
    
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Acked-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Petr Machata <petrm@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

PCI: mediatek: Clear interrupt status before dispatching handler [+ + +]
Author: qizhong cheng <qizhong.cheng@mediatek.com>
Date:   Mon Dec 11 17:49:23 2023 +0800

    PCI: mediatek: Clear interrupt status before dispatching handler
    
    [ Upstream commit 4e11c29873a8a296a20f99b3e03095e65ebf897d ]
    
    We found a failure when using the iperf tool during WiFi performance
    testing, where some MSIs were received while clearing the interrupt
    status, and these MSIs cannot be serviced.
    
    The interrupt status can be cleared even if the MSI status remains pending.
    As such, given the edge-triggered interrupt type, its status should be
    cleared before being dispatched to the handler of the underling device.
    
    [kwilczynski: commit log, code comment wording]
    Link: https://lore.kernel.org/linux-pci/20231211094923.31967-1-jianjun.wang@mediatek.com
    Fixes: 43e6409db64d ("PCI: mediatek: Add MSI support for MT2712 and MT7622")
    Signed-off-by: qizhong cheng <qizhong.cheng@mediatek.com>
    Signed-off-by: Jianjun Wang <jianjun.wang@mediatek.com>
    Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
    [bhelgaas: rewrap comment]
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Cc:  <stable@vger.kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
PCI: Only override AMD USB controller if required [+ + +]
Author: Guilherme G. Piccoli <gpiccoli@igalia.com>
Date:   Mon Nov 20 13:04:36 2023 -0300

    PCI: Only override AMD USB controller if required
    
    [ Upstream commit e585a37e5061f6d5060517aed1ca4ccb2e56a34c ]
    
    By running a Van Gogh device (Steam Deck), the following message
    was noticed in the kernel log:
    
      pci 0000:04:00.3: PCI class overridden (0x0c03fe -> 0x0c03fe) so dwc3 driver can claim this instead of xhci
    
    Effectively this means the quirk executed but changed nothing, since the
    class of this device was already the proper one (likely adjusted by newer
    firmware versions).
    
    Check and perform the override only if necessary.
    
    Link: https://lore.kernel.org/r/20231120160531.361552-1-gpiccoli@igalia.com
    Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: Huang Rui <ray.huang@amd.com>
    Cc: Vicki Pfau <vi@endrift.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

PCI: switchtec: Fix stdev_release() crash after surprise hot remove [+ + +]
Author: Daniel Stodden <dns@arista.com>
Date:   Tue Nov 21 20:23:16 2023 -0800

    PCI: switchtec: Fix stdev_release() crash after surprise hot remove
    
    [ Upstream commit df25461119d987b8c81d232cfe4411e91dcabe66 ]
    
    A PCI device hot removal may occur while stdev->cdev is held open. The call
    to stdev_release() then happens during close or exit, at a point way past
    switchtec_pci_remove(). Otherwise the last ref would vanish with the
    trailing put_device(), just before return.
    
    At that later point in time, the devm cleanup has already removed the
    stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted
    one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause
    a fatal page fault, and the subsequent dma_free_coherent(), if reached,
    would pass a stale &stdev->pdev->dev pointer.
    
    Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after
    stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent
    future accidents.
    
    Reproducible via the script at
    https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com
    
    Link: https://lore.kernel.org/r/20231122042316.91208-2-dns@arista.com
    Signed-off-by: Daniel Stodden <dns@arista.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
    Reviewed-by: Dmitry Safonov <dima@arista.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file [+ + +]
Author: Greg KH <gregkh@linuxfoundation.org>
Date:   Mon Jun 12 15:09:09 2023 +0200

    perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file
    
    [ Upstream commit 652ffc2104ec1f69dd4a46313888c33527145ccf ]
    
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/2023061204-decal-flyable-6090@gregkh
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
perf: Fix the nr_addr_filters fix [+ + +]
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Wed Nov 22 11:07:56 2023 +0100

    perf: Fix the nr_addr_filters fix
    
    [ Upstream commit 388a1fb7da6aaa1970c7e2a7d7fcd983a87a8484 ]
    
    Thomas reported that commit 652ffc2104ec ("perf/core: Fix narrow
    startup race when creating the perf nr_addr_filters sysfs file") made
    the entire attribute group vanish, instead of only the nr_addr_filters
    attribute.
    
    Additionally a stray return.
    
    Insufficient coffee was involved with both writing and merging the
    patch.
    
    Fixes: 652ffc2104ec ("perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file")
    Reported-by: Thomas Richter <tmricht@linux.ibm.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Tested-by: Thomas Richter <tmricht@linux.ibm.com>
    Link: https://lkml.kernel.org/r/20231122100756.GP8262@noisy.programming.kicks-ass.net
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
phy: renesas: rcar-gen3-usb2: Fix returning wrong error code [+ + +]
Author: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Date:   Fri Jan 5 18:37:03 2024 +0900

    phy: renesas: rcar-gen3-usb2: Fix returning wrong error code
    
    [ Upstream commit 249abaf3bf0dd07f5ddebbb2fe2e8f4d675f074e ]
    
    Even if device_create_file() returns error code,
    rcar_gen3_phy_usb2_probe() will return zero because the "ret" is
    variable shadowing.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Reported-by: Dan Carpenter <error27@gmail.com>
    Closes: https://lore.kernel.org/r/202312161021.gOLDl48K-lkp@intel.com/
    Fixes: 441a681b8843 ("phy: rcar-gen3-usb2: fix implementation for runtime PM")
    Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Link: https://lore.kernel.org/r/20240105093703.3359949-1-yoshihiro.shimoda.uh@renesas.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP [+ + +]
Author: Tony Lindgren <tony@atomide.com>
Date:   Sun Jan 28 14:05:54 2024 +0200

    phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
    
    [ Upstream commit 7104ba0f1958adb250319e68a15eff89ec4fd36d ]
    
    If the external phy working together with phy-omap-usb2 does not implement
    send_srp(), we may still attempt to call it. This can happen on an idle
    Ethernet gadget triggering a wakeup for example:
    
    configfs-gadget.g1 gadget.0: ECM Suspend
    configfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup
    ...
    Unable to handle kernel NULL pointer dereference at virtual address
    00000000 when execute
    ...
    PC is at 0x0
    LR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]
    ...
    musb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]
    usb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]
    eth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c
    dev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4
    sch_direct_xmit from __dev_queue_xmit+0x334/0xd88
    __dev_queue_xmit from arp_solicit+0xf0/0x268
    arp_solicit from neigh_probe+0x54/0x7c
    neigh_probe from __neigh_event_send+0x22c/0x47c
    __neigh_event_send from neigh_resolve_output+0x14c/0x1c0
    neigh_resolve_output from ip_finish_output2+0x1c8/0x628
    ip_finish_output2 from ip_send_skb+0x40/0xd8
    ip_send_skb from udp_send_skb+0x124/0x340
    udp_send_skb from udp_sendmsg+0x780/0x984
    udp_sendmsg from __sys_sendto+0xd8/0x158
    __sys_sendto from ret_fast_syscall+0x0/0x58
    
    Let's fix the issue by checking for send_srp() and set_vbus() before
    calling them. For USB peripheral only cases these both could be NULL.
    
    Fixes: 657b306a7bdf ("usb: phy: add a new driver for omap usb2 phy")
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Link: https://lore.kernel.org/r/20240128120556.8848-1-tony@atomide.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
PM: hibernate: Enforce ordering during image compression/decompression [+ + +]
Author: Hongchen Zhang <zhanghongchen@loongson.cn>
Date:   Thu Nov 16 08:56:09 2023 +0800

    PM: hibernate: Enforce ordering during image compression/decompression
    
    commit 71cd7e80cfde548959952eac7063aeaea1f2e1c6 upstream.
    
    An S4 (suspend to disk) test on the LoongArch 3A6000 platform sometimes
    fails with the following error messaged in the dmesg log:
    
            Invalid LZO compressed length
    
    That happens because when compressing/decompressing the image, the
    synchronization between the control thread and the compress/decompress/crc
    thread is based on a relaxed ordering interface, which is unreliable, and the
    following situation may occur:
    
    CPU 0                                   CPU 1
    save_image_lzo                          lzo_compress_threadfn
                                              atomic_set(&d->stop, 1);
      atomic_read(&data[thr].stop)
      data[thr].cmp = data[thr].cmp_len;
                                              WRITE data[thr].cmp_len
    
    Then CPU0 gets a stale cmp_len and writes it to disk. During resume from S4,
    wrong cmp_len is loaded.
    
    To maintain data consistency between the two threads, use the acquire/release
    variants of atomic set and read operations.
    
    Fixes: 081a9d043c98 ("PM / Hibernate: Improve performance of LZO/plain hibernation, checksum image")
    Cc: All applicable <stable@vger.kernel.org>
    Signed-off-by: Hongchen Zhang <zhanghongchen@loongson.cn>
    Co-developed-by: Weihao Li <liweihao@loongson.cn>
    Signed-off-by: Weihao Li <liweihao@loongson.cn>
    [ rjw: Subject rewrite and changelog edits ]
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

PM: runtime: add devm_pm_runtime_enable helper [+ + +]
Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Date:   Mon Jan 29 16:09:00 2024 +0530

    PM: runtime: add devm_pm_runtime_enable helper
    
    [ Upstream commit b3636a3a2c51715736d3ec45f635ed03191962ce ]
    
    A typical code pattern for pm_runtime_enable() call is to call it in the
    _probe function and to call pm_runtime_disable() both from _probe error
    path and from _remove function. For some drivers the whole remove
    function would consist of the call to pm_remove_disable().
    
    Add helper function to replace this bolierplate piece of code. Calling
    devm_pm_runtime_enable() removes the need for calling
    pm_runtime_disable() both in the probe()'s error path and in the
    remove() function.
    
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20210731195034.979084-2-dmitry.baryshkov@linaro.org
    Acked-by: Rafael J. Wysocki <rafael@kernel.org>
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Stable-dep-of: 3d07a411b4fa ("drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks")
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend() [+ + +]
Author: Douglas Anderson <dianders@chromium.org>
Date:   Mon Jan 29 16:09:01 2024 +0530

    PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend()
    
    [ Upstream commit b4060db9251f919506e4d672737c6b8ab9a84701 ]
    
    The PM Runtime docs say:
    
      Drivers in ->remove() callback should undo the runtime PM changes done
      in ->probe(). Usually this means calling pm_runtime_disable(),
      pm_runtime_dont_use_autosuspend() etc.
    
    >From grepping code, it's clear that many people aren't aware of the
    need to call pm_runtime_dont_use_autosuspend().
    
    When brainstorming solutions, one idea that came up was to leverage
    the new-ish devm_pm_runtime_enable() function. The idea here is that:
    
     * When the devm action is called we know that the driver is being
       removed. It's the perfect time to undo the use_autosuspend.
    
     * The code of pm_runtime_dont_use_autosuspend() already handles the
       case of being called when autosuspend wasn't enabled.
    
    Suggested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Douglas Anderson <dianders@chromium.org>
    Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Stable-dep-of: 3d07a411b4fa ("drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks")
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
pmdomain: core: Move the unused cleanup to a _sync initcall [+ + +]
Author: Konrad Dybcio <konrad.dybcio@linaro.org>
Date:   Wed Dec 27 16:21:24 2023 +0100

    pmdomain: core: Move the unused cleanup to a _sync initcall
    
    commit 741ba0134fa7822fcf4e4a0a537a5c4cfd706b20 upstream.
    
    The unused clock cleanup uses the _sync initcall to give all users at
    earlier initcalls time to probe. Do the same to avoid leaving some PDs
    dangling at "on" (which actually happened on qcom!).
    
    Fixes: 2fe71dcdfd10 ("PM / domains: Add late_initcall to disable unused PM domains")
    Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20231227-topic-pmdomain_sync_cleanup-v1-1-5f36769d538b@linaro.org
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
PNP: ACPI: fix fortify warning [+ + +]
Author: Dmitry Antipov <dmantipov@yandex.ru>
Date:   Tue Nov 28 05:52:10 2023 +0300

    PNP: ACPI: fix fortify warning
    
    [ Upstream commit ba3f5058db437d919f8468db50483dd9028ff688 ]
    
    When compiling with gcc version 14.0.0 20231126 (experimental)
    and CONFIG_FORTIFY_SOURCE=y, I've noticed the following:
    
    In file included from ./include/linux/string.h:295,
                     from ./include/linux/bitmap.h:12,
                     from ./include/linux/cpumask.h:12,
                     from ./arch/x86/include/asm/paravirt.h:17,
                     from ./arch/x86/include/asm/cpuid.h:62,
                     from ./arch/x86/include/asm/processor.h:19,
                     from ./arch/x86/include/asm/cpufeature.h:5,
                     from ./arch/x86/include/asm/thread_info.h:53,
                     from ./include/linux/thread_info.h:60,
                     from ./arch/x86/include/asm/preempt.h:9,
                     from ./include/linux/preempt.h:79,
                     from ./include/linux/spinlock.h:56,
                     from ./include/linux/mmzone.h:8,
                     from ./include/linux/gfp.h:7,
                     from ./include/linux/slab.h:16,
                     from ./include/linux/resource_ext.h:11,
                     from ./include/linux/acpi.h:13,
                     from drivers/pnp/pnpacpi/rsparser.c:11:
    In function 'fortify_memcpy_chk',
        inlined from 'pnpacpi_parse_allocated_vendor' at drivers/pnp/pnpacpi/rsparser.c:158:3,
        inlined from 'pnpacpi_allocated_resource' at drivers/pnp/pnpacpi/rsparser.c:249:3:
    ./include/linux/fortify-string.h:588:25: warning: call to '__read_overflow2_field'
    declared with attribute warning: detected read beyond size of field (2nd parameter);
    maybe use struct_group()? [-Wattribute-warning]
      588 |                         __read_overflow2_field(q_size_field, size);
          |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    According to the comments in include/linux/fortify-string.h, 'memcpy()',
    'memmove()' and 'memset()' must not be used beyond individual struct
    members to ensure that the compiler can enforce protection against
    buffer overflows, and, IIUC, this also applies to partial copies from
    the particular member ('vendor->byte_data' in this case). So it should
    be better (and safer) to do both copies at once (and 'byte_data' of
    'struct acpi_resource_vendor_typed' seems to be a good candidate for
    '__counted_by(byte_length)' as well).
    
    Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc/lib: Validate size for vector operations [+ + +]
Author: Naveen N Rao <naveen@kernel.org>
Date:   Thu Nov 23 12:47:05 2023 +0530

    powerpc/lib: Validate size for vector operations
    
    [ Upstream commit 8f9abaa6d7de0a70fc68acaedce290c1f96e2e59 ]
    
    Some of the fp/vmx code in sstep.c assume a certain maximum size for the
    instructions being emulated. The size of those operations however is
    determined separately in analyse_instr().
    
    Add a check to validate the assumption on the maximum size of the
    operations, so as to prevent any unintended kernel stack corruption.
    
    Signed-off-by: Naveen N Rao <naveen@kernel.org>
    Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
    Build-tested-by: Gustavo A. R. Silva <gustavoars@kernel.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20231123071705.397625-1-naveen@kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() [+ + +]
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Thu Nov 30 22:44:32 2023 +1100

    powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()
    
    [ Upstream commit d8c3f243d4db24675b653f0568bb65dae34e6455 ]
    
    With NUMA=n and FA_DUMP=y or PRESERVE_FA_DUMP=y the build fails with:
    
      arch/powerpc/kernel/fadump.c:1739:22: error: no previous prototype for ‘arch_reserved_kernel_pages’ [-Werror=missing-prototypes]
      1739 | unsigned long __init arch_reserved_kernel_pages(void)
           |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~
    
    The prototype for arch_reserved_kernel_pages() is in include/linux/mm.h,
    but it's guarded by __HAVE_ARCH_RESERVED_KERNEL_PAGES. The powerpc
    headers define __HAVE_ARCH_RESERVED_KERNEL_PAGES in asm/mmzone.h, which
    is not included into the generic headers when NUMA=n.
    
    Move the definition of __HAVE_ARCH_RESERVED_KERNEL_PAGES into asm/mmu.h
    which is included regardless of NUMA=n.
    
    Additionally the ifdef around __HAVE_ARCH_RESERVED_KERNEL_PAGES needs to
    also check for CONFIG_PRESERVE_FA_DUMP.
    
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20231130114433.3053544-1-mpe@ellerman.id.au
    Signed-off-by: Sasha Levin <sashal@kernel.org>

powerpc/mm: Fix null-pointer dereference in pgtable_cache_add [+ + +]
Author: Kunwu Chan <chentao@kylinos.cn>
Date:   Mon Dec 4 10:32:23 2023 +0800

    powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
    
    [ Upstream commit f46c8a75263f97bda13c739ba1c90aced0d3b071 ]
    
    kasprintf() returns a pointer to dynamically allocated memory
    which can be NULL upon failure. Ensure the allocation was successful
    by checking the pointer validity.
    
    Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20231204023223.2447523-1-chentao@kylinos.cn
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc: Fix build error due to is_valid_bugaddr() [+ + +]
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Thu Nov 30 22:44:33 2023 +1100

    powerpc: Fix build error due to is_valid_bugaddr()
    
    [ Upstream commit f8d3555355653848082c351fa90775214fb8a4fa ]
    
    With CONFIG_GENERIC_BUG=n the build fails with:
    
      arch/powerpc/kernel/traps.c:1442:5: error: no previous prototype for ‘is_valid_bugaddr’ [-Werror=missing-prototypes]
      1442 | int is_valid_bugaddr(unsigned long addr)
           |     ^~~~~~~~~~~~~~~~
    
    The prototype is only defined, and the function is only needed, when
    CONFIG_GENERIC_BUG=y, so move the implementation under that.
    
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20231130114433.3053544-2-mpe@ellerman.id.au
    Signed-off-by: Sasha Levin <sashal@kernel.org>

powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE [+ + +]
Author: Stephen Rothwell <sfr@canb.auug.org.au>
Date:   Mon Nov 27 13:28:09 2023 +1100

    powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE
    
    [ Upstream commit 0d555b57ee660d8a871781c0eebf006e855e918d ]
    
    The linux-next build of powerpc64 allnoconfig fails with:
    
      arch/powerpc/mm/book3s64/pgtable.c:557:5: error: no previous prototype for 'pmd_move_must_withdraw'
        557 | int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl,
            |     ^~~~~~~~~~~~~~~~~~~~~~
    
    Caused by commit:
    
      c6345dfa6e3e ("Makefile.extrawarn: turn on missing-prototypes globally")
    
    Fix it by moving the function definition under
    CONFIG_TRANSPARENT_HUGEPAGE like the prototype. The function is only
    called when CONFIG_TRANSPARENT_HUGEPAGE=y.
    
    Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
    [mpe: Flesh out change log from linux-next patch]
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20231127132809.45c2b398@canb.auug.org.au
    Signed-off-by: Sasha Levin <sashal@kernel.org>

powerpc: Use always instead of always-y in for crtsavres.o [+ + +]
Author: Nathan Chancellor <nathan@kernel.org>
Date:   Fri Jan 26 10:37:02 2024 -0700

    powerpc: Use always instead of always-y in for crtsavres.o
    
    This commit is for linux-5.4.y only, it has no direct upstream
    equivalent.
    
    Prior to commit 5f2fb52fac15 ("kbuild: rename hostprogs-y/always to
    hostprogs/always-y"), always-y did not exist, making the backport of
    mainline commit 1b1e38002648 ("powerpc: add crtsavres.o to always-y
    instead of extra-y") to linux-5.4.y as commit 245da9eebba0 ("powerpc:
    add crtsavres.o to always-y instead of extra-y") incorrect, breaking the
    build with linkers that need crtsavres.o:
    
      ld.lld: error: cannot open arch/powerpc/lib/crtsavres.o: No such file or directory
    
    Backporting the aforementioned kbuild commit is not suitable for stable
    due to its size and number of conflicts, so transform the always-y usage
    to an equivalent form using always, which resolves the build issues.
    
    Fixes: 245da9eebba0 ("powerpc: add crtsavres.o to always-y instead of extra-y")
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ppp_async: limit MRU to 64K [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Feb 5 17:10:04 2024 +0000

    ppp_async: limit MRU to 64K
    
    [ Upstream commit cb88cb53badb8aeb3955ad6ce80b07b598e310b8 ]
    
    syzbot triggered a warning [1] in __alloc_pages():
    
    WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)
    
    Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K")
    
    Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)
    
    [1]:
    
     WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
    Modules linked in:
    CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
    Workqueue: events_unbound flush_to_ldisc
    pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
     lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537
    sp : ffff800093967580
    x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000
    x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0
    x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8
    x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120
    x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005
    x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000
    x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001
    x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f
    x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020
    x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0
    Call trace:
      __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
      __alloc_pages_node include/linux/gfp.h:238 [inline]
      alloc_pages_node include/linux/gfp.h:261 [inline]
      __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926
      __do_kmalloc_node mm/slub.c:3969 [inline]
      __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001
      kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590
      __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651
      __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715
      netdev_alloc_skb include/linux/skbuff.h:3235 [inline]
      dev_alloc_skb include/linux/skbuff.h:3248 [inline]
      ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]
      ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341
      tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390
      tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37
      receive_buf drivers/tty/tty_buffer.c:444 [inline]
      flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494
      process_one_work+0x694/0x1204 kernel/workqueue.c:2633
      process_scheduled_works kernel/workqueue.c:2706 [inline]
      worker_thread+0x938/0xef4 kernel/workqueue.c:2787
      kthread+0x288/0x310 kernel/kthread.c:388
      ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-and-tested-by: syzbot+c5da1f087c9e4ec6c933@syzkaller.appspotmail.com
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Link: https://lore.kernel.org/r/20240205171004.1059724-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
pstore/ram: Fix crash when setting number of cpus to an odd number [+ + +]
Author: Weichen Chen <weichen.chen@mediatek.com>
Date:   Fri Feb 24 10:36:32 2023 +0800

    pstore/ram: Fix crash when setting number of cpus to an odd number
    
    [ Upstream commit d49270a04623ce3c0afddbf3e984cb245aa48e9c ]
    
    When the number of cpu cores is adjusted to 7 or other odd numbers,
    the zone size will become an odd number.
    The address of the zone will become:
        addr of zone0 = BASE
        addr of zone1 = BASE + zone_size
        addr of zone2 = BASE + zone_size*2
        ...
    The address of zone1/3/5/7 will be mapped to non-alignment va.
    Eventually crashes will occur when accessing these va.
    
    So, use ALIGN_DOWN() to make sure the zone size is even
    to avoid this bug.
    
    Signed-off-by: Weichen Chen <weichen.chen@mediatek.com>
    Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
    Tested-by: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
    Link: https://lore.kernel.org/r/20230224023632.6840-1-weichen.chen@mediatek.com
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
rbd: don't move requests to the running list on errors [+ + +]
Author: Ilya Dryomov <idryomov@gmail.com>
Date:   Wed Jan 17 18:59:44 2024 +0100

    rbd: don't move requests to the running list on errors
    
    commit ded080c86b3f99683774af0441a58fc2e3d60cae upstream.
    
    The running list is supposed to contain requests that are pinning the
    exclusive lock, i.e. those that must be flushed before exclusive lock
    is released.  When wake_lock_waiters() is called to handle an error,
    requests on the acquiring list are failed with that error and no
    flushing takes place.  Briefly moving them to the running list is not
    only pointless but also harmful: if exclusive lock gets acquired
    before all of their state machines are scheduled and go through
    rbd_lock_del_request(), we trigger
    
        rbd_assert(list_empty(&rbd_dev->running_list));
    
    in rbd_try_acquire_lock().
    
    Cc: stable@vger.kernel.org
    Fixes: 637cd060537d ("rbd: new exclusive lock wait/wake code")
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Reviewed-by: Dongsheng Yang <dongsheng.yang@easystack.cn>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
RDMA/IPoIB: Fix error code return in ipoib_mcast_join [+ + +]
Author: Jack Wang <jinpu.wang@ionos.com>
Date:   Tue Nov 21 14:03:15 2023 +0100

    RDMA/IPoIB: Fix error code return in ipoib_mcast_join
    
    [ Upstream commit 753fff78f430704548f45eda52d6d55371a52c0f ]
    
    Return the error code in case of ib_sa_join_multicast fail.
    
    Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
    Link: https://lore.kernel.org/r/20231121130316.126364-2-jinpu.wang@ionos.com
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
regulator: core: Only increment use_count when enable_count changes [+ + +]
Author: Rui Zhang <zr.zhang@vivo.com>
Date:   Fri Nov 3 15:42:31 2023 +0800

    regulator: core: Only increment use_count when enable_count changes
    
    [ Upstream commit 7993d3a9c34f609c02171e115fd12c10e2105ff4 ]
    
    The use_count of a regulator should only be incremented when the
    enable_count changes from 0 to 1. Similarly, the use_count should
    only be decremented when the enable_count changes from 1 to 0.
    
    In the previous implementation, use_count was sometimes decremented
    to 0 when some consumer called unbalanced disable,
    leading to unexpected disable even the regulator is enabled by
    other consumers. With this change, the use_count accurately reflects
    the number of users which the regulator is enabled.
    
    This should make things more robust in the case where a consumer does
    leak references.
    
    Signed-off-by: Rui Zhang <zr.zhang@vivo.com>
    Link: https://lore.kernel.org/r/20231103074231.8031-1-zr.zhang@vivo.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
rename(): fix the locking of subdirectories [+ + +]
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Nov 19 20:25:58 2023 -0500

    rename(): fix the locking of subdirectories
    
    commit 22e111ed6c83dcde3037fc81176012721bc34c0b upstream.
    
            We should never lock two subdirectories without having taken
    ->s_vfs_rename_mutex; inode pointer order or not, the "order" proposed
    in 28eceeda130f "fs: Lock moved directories" is not transitive, with
    the usual consequences.
    
            The rationale for locking renamed subdirectory in all cases was
    the possibility of race between rename modifying .. in a subdirectory to
    reflect the new parent and another thread modifying the same subdirectory.
    For a lot of filesystems that's not a problem, but for some it can lead
    to trouble (e.g. the case when short directory contents is kept in the
    inode, but creating a file in it might push it across the size limit
    and copy its contents into separate data block(s)).
    
            However, we need that only in case when the parent does change -
    otherwise ->rename() doesn't need to do anything with .. entry in the
    first place.  Some instances are lazy and do a tautological update anyway,
    but it's really not hard to avoid.
    
    Amended locking rules for rename():
            find the parent(s) of source and target
            if source and target have the same parent
                    lock the common parent
            else
                    lock ->s_vfs_rename_mutex
                    lock both parents, in ancestor-first order; if neither
                    is an ancestor of another, lock the parent of source
                    first.
            find the source and target.
            if source and target have the same parent
                    if operation is an overwriting rename of a subdirectory
                            lock the target subdirectory
            else
                    if source is a subdirectory
                            lock the source
                    if target is a subdirectory
                            lock the target
            lock non-directories involved, in inode pointer order if both
            source and target are such.
    
    That way we are guaranteed that parents are locked (for obvious reasons),
    that any renamed non-directory is locked (nfsd relies upon that),
    that any victim is locked (emptiness check needs that, among other things)
    and subdirectory that changes parent is locked (needed to protect the update
    of .. entries).  We are also guaranteed that any operation locking more
    than one directory either takes ->s_vfs_rename_mutex or locks a parent
    followed by its child.
    
    Cc: stable@vger.kernel.org
    Fixes: 28eceeda130f "fs: Lock moved directories"
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d" [+ + +]
Author: Junxiao Bi <junxiao.bi@oracle.com>
Date:   Wed Nov 8 10:22:16 2023 -0800

    Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
    
    [ Upstream commit bed9e27baf52a09b7ba2a3714f1e24e17ced386d ]
    
    This reverts commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74.
    
    That commit introduced the following race and can cause system hung.
    
     md_write_start:             raid5d:
     // mddev->in_sync == 1
     set "MD_SB_CHANGE_PENDING"
                                // running before md_write_start wakeup it
                                 waiting "MD_SB_CHANGE_PENDING" cleared
                                 >>>>>>>>> hung
     wakeup mddev->thread
     ...
     waiting "MD_SB_CHANGE_PENDING" cleared
     >>>> hung, raid5d should clear this flag
     but get hung by same flag.
    
    The issue reverted commit fixing is fixed by last patch in a new way.
    
    Fixes: 5e2cf333b7bd ("md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d")
    Cc: stable@vger.kernel.org # v5.19+
    Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
    Reviewed-by: Yu Kuai <yukuai3@huawei.com>
    Signed-off-by: Song Liu <song@kernel.org>
    Link: https://lore.kernel.org/r/20231108182216.73611-2-junxiao.bi@oracle.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Revert "Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting"" [+ + +]
Author: Max Krummenacher <max.krummenacher@toradex.com>
Date:   Wed Feb 7 18:49:11 2024 +0100

    Revert "Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting""
    
    This reverts commit 15a3adfe75937c9e4e0e48f0ed40dd39a0e526e2.
    
    The backport of [1] relies on having [2] also backported. Having only
    one of the two results in a bogus hw->timing1 setting.
    
    If only [2] is backportet the 16 bit register value likely underflows
    resulting in a busy_wait_timeout of 0.
    Or if only [1] is applied the value likely overflows with chances of
    having last 16 LSBs all 0 which would then result in a
    busy_wait_timeout of 0 too.
    
    Both cases may lead to NAND data corruption, e.g. on a Colibri iMX7
    setup this has been seen.
    
    [1] commit 0fddf9ad06fd ("mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times")
    [2] commit 06781a5026350 ("mtd: rawnand: gpmi: Fix setting busy timeout setting")
    
    Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ring-buffer: Clean ring_buffer_poll_wait() error return [+ + +]
Author: Vincent Donnefort <vdonnefort@google.com>
Date:   Wed Jan 31 14:09:55 2024 +0000

    ring-buffer: Clean ring_buffer_poll_wait() error return
    
    commit 66bbea9ed6446b8471d365a22734dc00556c4785 upstream.
    
    The return type for ring_buffer_poll_wait() is __poll_t. This is behind
    the scenes an unsigned where we can set event bits. In case of a
    non-allocated CPU, we do return instead -EINVAL (0xffffffea). Lucky us,
    this ends up setting few error bits (EPOLLERR | EPOLLHUP | EPOLLNVAL), so
    user-space at least is aware something went wrong.
    
    Nonetheless, this is an incorrect code. Replace that -EINVAL with a
    proper EPOLLERR to clean that output. As this doesn't change the
    behaviour, there's no need to treat this change as a bug fix.
    
    Link: https://lore.kernel.org/linux-trace-kernel/20240131140955.3322792-1-vdonnefort@google.com
    
    Cc: stable@vger.kernel.org
    Fixes: 6721cb6002262 ("ring-buffer: Do not poll non allocated cpu buffers")
    Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
rpmsg: virtio: Free driver_override when rpmsg_remove() [+ + +]
Author: Xiaolei Wang <xiaolei.wang@windriver.com>
Date:   Fri Dec 15 10:00:49 2023 +0800

    rpmsg: virtio: Free driver_override when rpmsg_remove()
    
    commit d5362c37e1f8a40096452fc201c30e705750e687 upstream.
    
    Free driver_override when rpmsg_remove(), otherwise
    the following memory leak will occur:
    
    unreferenced object 0xffff0000d55d7080 (size 128):
      comm "kworker/u8:2", pid 56, jiffies 4294893188 (age 214.272s)
      hex dump (first 32 bytes):
        72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00  rpmsg_ns........
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320
        [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70
        [<00000000228a60c3>] kstrndup+0x4c/0x90
        [<0000000077158695>] driver_set_override+0xd0/0x164
        [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170
        [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30
        [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec
        [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280
        [<00000000443331cc>] really_probe+0xbc/0x2dc
        [<00000000391064b1>] __driver_probe_device+0x78/0xe0
        [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160
        [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140
        [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4
        [<000000003b929a36>] __device_attach+0x9c/0x19c
        [<00000000a94e0ba8>] device_initial_probe+0x14/0x20
        [<000000003c999637>] bus_probe_device+0xa0/0xac
    
    Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
    Fixes: b0b03b811963 ("rpmsg: Release rpmsg devices in backends")
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20231215020049.78750-1-xiaolei.wang@windriver.com
    Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
rxrpc: Fix response to PING RESPONSE ACKs to a dead call [+ + +]
Author: David Howells <dhowells@redhat.com>
Date:   Fri Feb 2 15:19:15 2024 +0000

    rxrpc: Fix response to PING RESPONSE ACKs to a dead call
    
    [ Upstream commit 6f769f22822aa4124b556339781b04d810f0e038 ]
    
    Stop rxrpc from sending a DUP ACK in response to a PING RESPONSE ACK on a
    dead call.  We may have initiated the ping but the call may have beaten the
    response to completion.
    
    Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor")
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Marc Dionne <marc.dionne@auristor.com>
    cc: "David S. Miller" <davem@davemloft.net>
    cc: Eric Dumazet <edumazet@google.com>
    cc: Jakub Kicinski <kuba@kernel.org>
    cc: Paolo Abeni <pabeni@redhat.com>
    cc: linux-afs@lists.infradead.org
    cc: netdev@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() [+ + +]
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Fri Nov 17 17:48:46 2023 +0100

    rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()
    
    [ Upstream commit bad1a11c0f061aa073bab785389fe04f19ba02e1 ]
    
    rxrpc_find_service_conn_rcu() should make the "seq" counter odd on the
    second pass, otherwise read_seqbegin_or_lock() never takes the lock.
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Marc Dionne <marc.dionne@auristor.com>
    cc: linux-afs@lists.infradead.org
    Link: https://lore.kernel.org/r/20231117164846.GA10410@redhat.com/
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
s390/ptrace: handle setting of fpc register correctly [+ + +]
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Thu Nov 30 18:55:59 2023 +0100

    s390/ptrace: handle setting of fpc register correctly
    
    [ Upstream commit 8b13601d19c541158a6e18b278c00ba69ae37829 ]
    
    If the content of the floating point control (fpc) register of a traced
    process is modified with the ptrace interface the new value is tested for
    validity by temporarily loading it into the fpc register.
    
    This may lead to corruption of the fpc register of the tracing process:
    if an interrupt happens while the value is temporarily loaded into the
    fpc register, and within interrupt context floating point or vector
    registers are used, the current fp/vx registers are saved with
    save_fpu_regs() assuming they belong to user space and will be loaded into
    fp/vx registers when returning to user space.
    
    test_fp_ctl() restores the original user space fpc register value, however
    it will be discarded, when returning to user space.
    
    In result the tracer will incorrectly continue to run with the value that
    was supposed to be used for the traced process.
    
    Fix this by saving fpu register contents with save_fpu_regs() before using
    test_fp_ctl().
    
    Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
sched/membarrier: reduce the ability to hammer on sys_membarrier [+ + +]
Author: Linus Torvalds <torvalds@linuxfoundation.org>
Date:   Sun Feb 4 15:25:12 2024 +0000

    sched/membarrier: reduce the ability to hammer on sys_membarrier
    
    commit 944d5fe50f3f03daacfea16300e656a1691c4a23 upstream.
    
    On some systems, sys_membarrier can be very expensive, causing overall
    slowdowns for everything.  So put a lock on the path in order to
    serialize the accesses to prevent the ability for this to be called at
    too high of a frequency and saturate the machine.
    
    Reviewed-and-tested-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Acked-by: Borislav Petkov <bp@alien8.de>
    Fixes: 22e4ebb97582 ("membarrier: Provide expedited private command")
    Fixes: c5f58bd58f43 ("membarrier: Provide GLOBAL_EXPEDITED command")
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    [ converted to explicit mutex_*() calls - cleanup.h is not in this stable
      branch - gregkh ]
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
scsi: isci: Fix an error code problem in isci_io_request_build() [+ + +]
Author: Su Hui <suhui@nfschina.com>
Date:   Fri Jan 12 12:19:27 2024 +0800

    scsi: isci: Fix an error code problem in isci_io_request_build()
    
    [ Upstream commit 658365c6b0857e6a306436e315a8633937e3af42 ]
    
    Clang static complains that Value stored to 'status' is never read. Return
    'status' rather than 'SCI_SUCCESS'.
    
    Fixes: f1f52e75939b ("isci: uplevel request infrastructure")
    Signed-off-by: Su Hui <suhui@nfschina.com>
    Link: https://lore.kernel.org/r/20240112041926.3924315-1-suhui@nfschina.com
    Reviewed-by: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

scsi: libfc: Don't schedule abort twice [+ + +]
Author: Hannes Reinecke <hare@suse.de>
Date:   Wed Nov 29 17:58:30 2023 +0100

    scsi: libfc: Don't schedule abort twice
    
    [ Upstream commit b57c4db5d23b9df0118a25e2441c9288edd73710 ]
    
    The current FC error recovery is sending up to three REC (recovery) frames
    in 10 second intervals, and as a final step sending an ABTS after 30
    seconds for the command itself.  Unfortunately sending an ABTS is also the
    action for the SCSI abort handler, and the default timeout for SCSI
    commands is also 30 seconds. This causes two ABTS to be scheduled, with the
    libfc one slightly earlier. The ABTS scheduled by SCSI EH then sees the
    command to be already aborted, and will always return with a 'GOOD' status
    irrespective on the actual result from the first ABTS.  This causes the
    SCSI EH abort handler to always succeed, and SCSI EH never to be engaged.
    Fix this by not issuing an ABTS when a SCSI command is present for the
    exchange, but rather wait for the abort scheduled from SCSI EH.  And warn
    if an abort is already scheduled to avoid similar errors in the future.
    
    Signed-off-by: Hannes Reinecke <hare@suse.de>
    Link: https://lore.kernel.org/r/20231129165832.224100-2-hare@kernel.org
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

scsi: libfc: Fix up timeout error in fc_fcp_rec_error() [+ + +]
Author: Hannes Reinecke <hare@suse.de>
Date:   Wed Nov 29 17:58:31 2023 +0100

    scsi: libfc: Fix up timeout error in fc_fcp_rec_error()
    
    [ Upstream commit 53122a49f49796beb2c4a1bb702303b66347e29f ]
    
    We should set the status to FC_TIMED_OUT when a timeout error is passed to
    fc_fcp_rec_error().
    
    Signed-off-by: Hannes Reinecke <hare@suse.de>
    Link: https://lore.kernel.org/r/20231129165832.224100-3-hare@kernel.org
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

scsi: lpfc: Fix possible file string name overflow when updating firmware [+ + +]
Author: Justin Tee <justin.tee@broadcom.com>
Date:   Tue Oct 31 12:12:17 2023 -0700

    scsi: lpfc: Fix possible file string name overflow when updating firmware
    
    [ Upstream commit f5779b529240b715f0e358489ad0ed933bf77c97 ]
    
    Because file_name and phba->ModelName are both declared a size 80 bytes,
    the extra ".grp" file extension could cause an overflow into file_name.
    
    Define a ELX_FW_NAME_SIZE macro with value 84.  84 incorporates the 4 extra
    characters from ".grp".  file_name is changed to be declared as a char and
    initialized to zeros i.e. null chars.
    
    Signed-off-by: Justin Tee <justin.tee@broadcom.com>
    Link: https://lore.kernel.org/r/20231031191224.150862-3-justintee8345@gmail.com
    Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock" [+ + +]
Author: Lee Duncan <lduncan@suse.com>
Date:   Fri Feb 9 10:07:34 2024 -0800

    scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock"
    
    commit 977fe773dcc7098d8eaf4ee6382cb51e13e784cb upstream.
    
    This reverts commit 1a1975551943f681772720f639ff42fbaa746212.
    
    This commit causes interrupts to be lost for FCoE devices, since it changed
    sping locks from "bh" to "irqsave".
    
    Instead, a work queue should be used, and will be addressed in a separate
    commit.
    
    Fixes: 1a1975551943 ("scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock")
    Signed-off-by: Lee Duncan <lduncan@suse.com>
    Link: https://lore.kernel.org/r/c578cdcd46b60470535c4c4a953e6a1feca0dffd.1707500786.git.lduncan@suse.com
    Reviewed-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
selftests/bpf: Fix pyperf180 compilation failure with clang18 [+ + +]
Author: Yonghong Song <yonghong.song@linux.dev>
Date:   Fri Nov 10 11:36:44 2023 -0800

    selftests/bpf: Fix pyperf180 compilation failure with clang18
    
    [ Upstream commit 100888fb6d8a185866b1520031ee7e3182b173de ]
    
    With latest clang18 (main branch of llvm-project repo), when building bpf selftests,
        [~/work/bpf-next (master)]$ make -C tools/testing/selftests/bpf LLVM=1 -j
    
    The following compilation error happens:
        fatal error: error in backend: Branch target out of insn range
        ...
        Stack dump:
        0.      Program arguments: clang -g -Wall -Werror -D__TARGET_ARCH_x86 -mlittle-endian
          -I/home/yhs/work/bpf-next/tools/testing/selftests/bpf/tools/include
          -I/home/yhs/work/bpf-next/tools/testing/selftests/bpf -I/home/yhs/work/bpf-next/tools/include/uapi
          -I/home/yhs/work/bpf-next/tools/testing/selftests/usr/include -idirafter
          /home/yhs/work/llvm-project/llvm/build.18/install/lib/clang/18/include -idirafter /usr/local/include
          -idirafter /usr/include -Wno-compare-distinct-pointer-types -DENABLE_ATOMICS_TESTS -O2 --target=bpf
          -c progs/pyperf180.c -mcpu=v3 -o /home/yhs/work/bpf-next/tools/testing/selftests/bpf/pyperf180.bpf.o
        1.      <eof> parser at end of file
        2.      Code generation
        ...
    
    The compilation failure only happens to cpu=v2 and cpu=v3. cpu=v4 is okay
    since cpu=v4 supports 32-bit branch target offset.
    
    The above failure is due to upstream llvm patch [1] where some inlining behavior
    are changed in clang18.
    
    To workaround the issue, previously all 180 loop iterations are fully unrolled.
    The bpf macro __BPF_CPU_VERSION__ (implemented in clang18 recently) is used to avoid
    unrolling changes if cpu=v4. If __BPF_CPU_VERSION__ is not available and the
    compiler is clang18, the unrollng amount is unconditionally reduced.
    
      [1] https://github.com/llvm/llvm-project/commit/1a2e77cf9e11dbf56b5720c607313a566eebb16e
    
    Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Tested-by: Alan Maguire <alan.maguire@oracle.com>
    Link: https://lore.kernel.org/bpf/20231110193644.3130906-1-yonghong.song@linux.dev
    Signed-off-by: Sasha Levin <sashal@kernel.org>

selftests/bpf: satisfy compiler by having explicit return in btf test [+ + +]
Author: Andrii Nakryiko <andrii@kernel.org>
Date:   Wed Nov 1 20:37:44 2023 -0700

    selftests/bpf: satisfy compiler by having explicit return in btf test
    
    [ Upstream commit f4c7e887324f5776eef6e6e47a90e0ac8058a7a8 ]
    
    Some compilers complain about get_pprint_mapv_size() not returning value
    in some code paths. Fix with explicit return.
    
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Link: https://lore.kernel.org/r/20231102033759.2541186-3-andrii@kernel.org
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests: net: avoid just another constant wait [+ + +]
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Thu Feb 1 19:42:41 2024 +0100

    selftests: net: avoid just another constant wait
    
    [ Upstream commit 691bb4e49c98a47bc643dd808453136ce78b15b4 ]
    
    Using hard-coded constant timeout to wait for some expected
    event is deemed to fail sooner or later, especially in slow
    env.
    
    Our CI has spotted another of such race:
       # TEST: ipv6: cleanup of cached exceptions - nexthop objects          [FAIL]
       #   can't delete veth device in a timely manner, PMTU dst likely leaked
    
    Replace the crude sleep with a loop looking for the expected condition
    at low interval for a much longer range.
    
    Fixes: b3cc4f8a8a41 ("selftests: pmtu: add explicit tests for PMTU exceptions cleanup")
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Link: https://lore.kernel.org/r/fd5c745e9bb665b724473af6a9373a8c2a62b247.1706812005.git.pabeni@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
serial: max310x: improve crystal stable clock detection [+ + +]
Author: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Date:   Tue Jan 16 16:29:59 2024 -0500

    serial: max310x: improve crystal stable clock detection
    
    commit 93cd256ab224c2519e7c4e5f58bb4f1ac2bf0965 upstream.
    
    Some people are seeing a warning similar to this when using a crystal:
    
        max310x 11-006c: clock is not stable yet
    
    The datasheet doesn't mention the maximum time to wait for the clock to be
    stable when using a crystal, and it seems that the 10ms delay in the driver
    is not always sufficient.
    
    Jan Kundrát reported that it took three tries (each separated by 10ms) to
    get a stable clock.
    
    Modify behavior to check stable clock ready bit multiple times (20), and
    waiting 10ms between each try.
    
    Note: the first draft of the driver originally used a 50ms delay, without
    checking the clock stable bit.
    Then a loop with 1000 retries was implemented, each time reading the clock
    stable bit.
    
    Fixes: 4cf9a888fd3c ("serial: max310x: Check the clock readiness")
    Cc: stable@vger.kernel.org
    Suggested-by: Jan Kundrát <jan.kundrat@cesnet.cz>
    Link: https://www.spinics.net/lists/linux-serial/msg35773.html
    Link: https://lore.kernel.org/all/20240110174015.6f20195fde08e5c9e64e5675@hugovil.com/raw
    Link: https://github.com/boundarydevices/linux/commit/e5dfe3e4a751392515d78051973190301a37ca9a
    Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
    Link: https://lore.kernel.org/r/20240116213001.3691629-3-hugo@hugovil.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

serial: max310x: set default value when reading clock ready bit [+ + +]
Author: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Date:   Tue Jan 16 16:29:58 2024 -0500

    serial: max310x: set default value when reading clock ready bit
    
    commit 0419373333c2f2024966d36261fd82a453281e80 upstream.
    
    If regmap_read() returns a non-zero value, the 'val' variable can be left
    uninitialized.
    
    Clear it before calling regmap_read() to make sure we properly detect
    the clock ready bit.
    
    Fixes: 4cf9a888fd3c ("serial: max310x: Check the clock readiness")
    Cc: stable@vger.kernel.org
    Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
    Link: https://lore.kernel.org/r/20240116213001.3691629-2-hugo@hugovil.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

serial: sc16is7xx: add check for unsupported SPI modes during probe [+ + +]
Author: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Date:   Thu Dec 21 18:18:09 2023 -0500

    serial: sc16is7xx: add check for unsupported SPI modes during probe
    
    [ Upstream commit 6d710b769c1f5f0d55c9ad9bb49b7dce009ec103 ]
    
    The original comment is confusing because it implies that variants other
    than the SC16IS762 supports other SPI modes beside SPI_MODE_0.
    
    Extract from datasheet:
        The SC16IS762 differs from the SC16IS752 in that it supports SPI clock
        speeds up to 15 Mbit/s instead of the 4 Mbit/s supported by the
        SC16IS752... In all other aspects, the SC16IS762 is functionally and
        electrically the same as the SC16IS752.
    
    The same is also true of the SC16IS760 variant versus the SC16IS740 and
    SC16IS750 variants.
    
    For all variants, only SPI mode 0 is supported.
    
    Change comment and abort probing if the specified SPI mode is not
    SPI_MODE_0.
    
    Fixes: 2c837a8a8f9f ("sc16is7xx: spi interface is added")
    Cc:  <stable@vger.kernel.org>
    Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
    Link: https://lore.kernel.org/r/20231221231823.2327894-3-hugo@hugovil.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

serial: sc16is7xx: set safe default SPI clock frequency [+ + +]
Author: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Date:   Thu Dec 21 18:18:10 2023 -0500

    serial: sc16is7xx: set safe default SPI clock frequency
    
    [ Upstream commit 3ef79cd1412236d884ab0c46b4d1921380807b48 ]
    
    15 MHz is supported only by 76x variants.
    
    If the SPI clock frequency is not specified, use a safe default clock value
    of 4 MHz that is supported by all variants.
    
    Also use HZ_PER_MHZ macro to improve readability.
    
    Fixes: 2c837a8a8f9f ("sc16is7xx: spi interface is added")
    Cc:  <stable@vger.kernel.org>
    Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
    Link: https://lore.kernel.org/r/20231221231823.2327894-4-hugo@hugovil.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
spi: bcm-qspi: fix SFDP BFPT read by usig mspi read [+ + +]
Author: Kamal Dasu <kamal.dasu@broadcom.com>
Date:   Tue Jan 9 16:00:32 2024 -0500

    spi: bcm-qspi: fix SFDP BFPT read by usig mspi read
    
    [ Upstream commit 574bf7bbe83794a902679846770f75a9b7f28176 ]
    
    SFDP read shall use the mspi reads when using the bcm_qspi_exec_mem_op()
    call. This fixes SFDP parameter page read failures seen with parts that
    now use SFDP protocol to read the basic flash parameter table.
    
    Fixes: 5f195ee7d830 ("spi: bcm-qspi: Implement the spi_mem interface")
    Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Link: https://msgid.link/r/20240109210033.43249-1-kamal.dasu@broadcom.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

spi: introduce SPI_MODE_X_MASK macro [+ + +]
Author: Oleksij Rempel <o.rempel@pengutronix.de>
Date:   Tue Oct 27 10:57:23 2020 +0100

    spi: introduce SPI_MODE_X_MASK macro
    
    [ Upstream commit 029b42d8519cef70c4fb5fcaccd08f1053ed2bf0 ]
    
    Provide a macro to filter all SPI_MODE_0,1,2,3 mode in one run.
    
    The latest SPI framework will parse the devicetree in following call
    sequence: of_register_spi_device() -> of_spi_parse_dt()
    So, driver do not need to pars the devicetree and will get prepared
    flags in the probe.
    
    On one hand it is good far most drivers. On other hand some drivers need to
    filter flags provide by SPI framework and apply know to work flags. This drivers
    may use SPI_MODE_X_MASK to filter MODE flags and set own, known flags:
      spi->flags &= ~SPI_MODE_X_MASK;
      spi->flags |= SPI_MODE_0;
    
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Link: https://lore.kernel.org/r/20201027095724.18654-2-o.rempel@pengutronix.de
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Stable-dep-of: 6d710b769c1f ("serial: sc16is7xx: add check for unsupported SPI modes during probe")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

spi: ppc4xx: Drop write-only variable [+ + +]
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Sat Feb 10 17:40:08 2024 +0100

    spi: ppc4xx: Drop write-only variable
    
    [ Upstream commit b3aa619a8b4706f35cb62f780c14e68796b37f3f ]
    
    Since commit 24778be20f87 ("spi: convert drivers to use
    bits_per_word_mask") the bits_per_word variable is only written to. The
    check that was there before isn't needed any more as the spi core
    ensures that only 8 bit transfers are used, so the variable can go away
    together with all assignments to it.
    
    Fixes: 24778be20f87 ("spi: convert drivers to use bits_per_word_mask")
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Link: https://lore.kernel.org/r/20240210164006.208149-8-u.kleine-koenig@pengutronix.de
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
staging: iio: ad5933: fix type mismatch regression [+ + +]
Author: David Schiller <david.schiller@jku.at>
Date:   Mon Jan 22 14:49:17 2024 +0100

    staging: iio: ad5933: fix type mismatch regression
    
    commit 6db053cd949fcd6254cea9f2cd5d39f7bd64379c upstream.
    
    Commit 4c3577db3e4f ("Staging: iio: impedance-analyzer: Fix sparse
    warning") fixed a compiler warning, but introduced a bug that resulted
    in one of the two 16 bit IIO channels always being zero (when both are
    enabled).
    
    This is because int is 32 bits wide on most architectures and in the
    case of a little-endian machine the two most significant bytes would
    occupy the buffer for the second channel as 'val' is being passed as a
    void pointer to 'iio_push_to_buffers()'.
    
    Fix by defining 'val' as u16. Tested working on ARM64.
    
    Fixes: 4c3577db3e4f ("Staging: iio: impedance-analyzer: Fix sparse warning")
    Signed-off-by: David Schiller <david.schiller@jku.at>
    Link: https://lore.kernel.org/r/20240122134916.2137957-1-david.schiller@jku.at
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
SUNRPC: Fix a suspicious RCU usage warning [+ + +]
Author: Anna Schumaker <Anna.Schumaker@Netapp.com>
Date:   Mon Nov 27 17:06:18 2023 -0500

    SUNRPC: Fix a suspicious RCU usage warning
    
    [ Upstream commit 31b62908693c90d4d07db597e685d9f25a120073 ]
    
    I received the following warning while running cthon against an ontap
    server running pNFS:
    
    [   57.202521] =============================
    [   57.202522] WARNING: suspicious RCU usage
    [   57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted
    [   57.202525] -----------------------------
    [   57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!
    [   57.202527]
                   other info that might help us debug this:
    
    [   57.202528]
                   rcu_scheduler_active = 2, debug_locks = 1
    [   57.202529] no locks held by test5/3567.
    [   57.202530]
                   stack backtrace:
    [   57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e
    [   57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022
    [   57.202536] Call Trace:
    [   57.202537]  <TASK>
    [   57.202540]  dump_stack_lvl+0x77/0xb0
    [   57.202551]  lockdep_rcu_suspicious+0x154/0x1a0
    [   57.202556]  rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
    [   57.202596]  rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
    [   57.202621]  ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
    [   57.202646]  rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
    [   57.202671]  ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
    [   57.202696]  nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
    [   57.202728]  ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
    [   57.202754]  nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]
    [   57.202760]  filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]
    [   57.202765]  pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
    [   57.202788]  __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
    [   57.202813]  nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
    [   57.202831]  nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
    [   57.202849]  nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
    [   57.202866]  write_cache_pages+0x265/0x450
    [   57.202870]  ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
    [   57.202891]  nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
    [   57.202913]  do_writepages+0xd2/0x230
    [   57.202917]  ? filemap_fdatawrite_wbc+0x5c/0x80
    [   57.202921]  filemap_fdatawrite_wbc+0x67/0x80
    [   57.202924]  filemap_write_and_wait_range+0xd9/0x170
    [   57.202930]  nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
    [   57.202947]  nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
    [   57.202969]  __se_sys_close+0x46/0xd0
    [   57.202972]  do_syscall_64+0x68/0x100
    [   57.202975]  ? do_syscall_64+0x77/0x100
    [   57.202976]  ? do_syscall_64+0x77/0x100
    [   57.202979]  entry_SYSCALL_64_after_hwframe+0x6e/0x76
    [   57.202982] RIP: 0033:0x7fe2b12e4a94
    [   57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3
    [   57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
    [   57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94
    [   57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003
    [   57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49
    [   57.202993] R10: 00007fe2b11f8300 R11: 0000000000000202 R12: 0000000000000000
    [   57.202994] R13: 00007ffe857dfd80 R14: 00007fe2b1445000 R15: 0000000000000000
    [   57.202999]  </TASK>
    
    The problem seems to be that two out of three callers aren't taking the
    rcu_read_lock() before calling the list_for_each_entry_rcu() function in
    rpc_xprt_switch_has_addr(). I fix this by having
    rpc_xprt_switch_has_addr() unconditionaly take the rcu_read_lock(),
    which is okay to do recursively in the case that the lock has already
    been taken by a caller.
    
    Reviewed-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp: Add memory barrier to tcp_push() [+ + +]
Author: Salvatore Dipietro <dipiets@amazon.com>
Date:   Fri Jan 19 11:01:33 2024 -0800

    tcp: Add memory barrier to tcp_push()
    
    [ Upstream commit 7267e8dcad6b2f9fce05a6a06335d7040acbc2b6 ]
    
    On CPUs with weak memory models, reads and updates performed by tcp_push
    to the sk variables can get reordered leaving the socket throttled when
    it should not. The tasklet running tcp_wfree() may also not observe the
    memory updates in time and will skip flushing any packets throttled by
    tcp_push(), delaying the sending. This can pathologically cause 40ms
    extra latency due to bad interactions with delayed acks.
    
    Adding a memory barrier in tcp_push removes the bug, similarly to the
    previous commit bf06200e732d ("tcp: tsq: fix nonagle handling").
    smp_mb__after_atomic() is used to not incur in unnecessary overhead
    on x86 since not affected.
    
    Patch has been tested using an AWS c7g.2xlarge instance with Ubuntu
    22.04 and Apache Tomcat 9.0.83 running the basic servlet below:
    
    import java.io.IOException;
    import java.io.OutputStreamWriter;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    
    public class HelloWorldServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
          throws ServletException, IOException {
            response.setContentType("text/html;charset=utf-8");
            OutputStreamWriter osw = new OutputStreamWriter(response.getOutputStream(),"UTF-8");
            String s = "a".repeat(3096);
            osw.write(s,0,s.length());
            osw.flush();
        }
    }
    
    Load was applied using wrk2 (https://github.com/kinvolk/wrk2) from an AWS
    c6i.8xlarge instance. Before the patch an additional 40ms latency from P99.99+
    values is observed while, with the patch, the extra latency disappears.
    
    No patch and tcp_autocorking=1
    ./wrk -t32 -c128 -d40s --latency -R10000  http://172.31.60.173:8080/hello/hello
      ...
     50.000%    0.91ms
     75.000%    1.13ms
     90.000%    1.46ms
     99.000%    1.74ms
     99.900%    1.89ms
     99.990%   41.95ms  <<< 40+ ms extra latency
     99.999%   48.32ms
    100.000%   48.96ms
    
    With patch and tcp_autocorking=1
    ./wrk -t32 -c128 -d40s --latency -R10000  http://172.31.60.173:8080/hello/hello
      ...
     50.000%    0.90ms
     75.000%    1.13ms
     90.000%    1.45ms
     99.000%    1.72ms
     99.900%    1.83ms
     99.990%    2.11ms  <<< no 40+ ms extra latency
     99.999%    2.53ms
    100.000%    2.62ms
    
    Patch has been also tested on x86 (m7i.2xlarge instance) which it is not
    affected by this issue and the patch doesn't introduce any additional
    delay.
    
    Fixes: 7aa5470c2c09 ("tcp: tsq: move tsq_flags close to sk_wmem_alloc")
    Signed-off-by: Salvatore Dipietro <dipiets@amazon.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://lore.kernel.org/r/20240119190133.43698-1-dipiets@amazon.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tick/sched: Preserve number of idle sleeps across CPU hotplug events [+ + +]
Author: Tim Chen <tim.c.chen@linux.intel.com>
Date:   Mon Jan 22 15:35:34 2024 -0800

    tick/sched: Preserve number of idle sleeps across CPU hotplug events
    
    commit 9a574ea9069be30b835a3da772c039993c43369b upstream.
    
    Commit 71fee48f ("tick-sched: Fix idle and iowait sleeptime accounting vs
    CPU hotplug") preserved total idle sleep time and iowait sleeptime across
    CPU hotplug events.
    
    Similar reasoning applies to the number of idle calls and idle sleeps to
    get the proper average of sleep time per idle invocation.
    
    Preserve those fields too.
    
    Fixes: 71fee48f ("tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug")
    Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240122233534.3094238-1-tim.c.chen@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() [+ + +]
Author: Shigeru Yoshida <syoshida@redhat.com>
Date:   Thu Feb 1 00:23:09 2024 +0900

    tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()
    
    [ Upstream commit 3871aa01e1a779d866fa9dfdd5a836f342f4eb87 ]
    
    syzbot reported the following general protection fault [1]:
    
    general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
    ...
    RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291
    ...
    Call Trace:
     <TASK>
     tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646
     tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089
     genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
     genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
     genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
     netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544
     genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
     netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
     netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367
     netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0xd5/0x180 net/socket.c:745
     ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
     ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
     __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    
    The cause of this issue is that when tipc_nl_bearer_add() is called with
    the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called
    even if the bearer is not UDP.
    
    tipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that
    the media_ptr field of the tipc_bearer has an udp_bearer type object, so
    the function goes crazy for non-UDP bearers.
    
    This patch fixes the issue by checking the bearer type before calling
    tipc_udp_nl_bearer_add() in tipc_nl_bearer_add().
    
    Fixes: ef20cd4dd163 ("tipc: introduce UDP replicast")
    Reported-and-tested-by: syzbot+5142b87a9abc510e14fa@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=5142b87a9abc510e14fa [1]
    Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
    Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
    Link: https://lore.kernel.org/r/20240131152310.4089541-1-syoshida@redhat.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tracing/trigger: Fix to return error if failed to alloc snapshot [+ + +]
Author: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Date:   Fri Jan 26 09:42:58 2024 +0900

    tracing/trigger: Fix to return error if failed to alloc snapshot
    
    commit 0958b33ef5a04ed91f61cef4760ac412080c4e08 upstream.
    
    Fix register_snapshot_trigger() to return error code if it failed to
    allocate a snapshot instead of 0 (success). Unless that, it will register
    snapshot trigger without an error.
    
    Link: https://lore.kernel.org/linux-trace-kernel/170622977792.270660.2789298642759362200.stgit@devnote2
    
    Fixes: 0bbe7f719985 ("tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation")
    Cc: stable@vger.kernel.org
    Cc: Vincent Donnefort <vdonnefort@google.com>
    Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
tracing: Ensure visibility when inserting an element into tracing_map [+ + +]
Author: Petr Pavlu <petr.pavlu@suse.com>
Date:   Mon Jan 22 16:09:28 2024 +0100

    tracing: Ensure visibility when inserting an element into tracing_map
    
    [ Upstream commit 2b44760609e9eaafc9d234a6883d042fc21132a7 ]
    
    Running the following two commands in parallel on a multi-processor
    AArch64 machine can sporadically produce an unexpected warning about
    duplicate histogram entries:
    
     $ while true; do
         echo hist:key=id.syscall:val=hitcount > \
           /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger
         cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist
         sleep 0.001
       done
     $ stress-ng --sysbadaddr $(nproc)
    
    The warning looks as follows:
    
    [ 2911.172474] ------------[ cut here ]------------
    [ 2911.173111] Duplicates detected: 1
    [ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408
    [ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)
    [ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1
    [ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G            E      6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01
    [ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018
    [ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
    [ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408
    [ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408
    [ 2911.185310] sp : ffff8000a1513900
    [ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001
    [ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008
    [ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180
    [ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff
    [ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8
    [ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731
    [ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c
    [ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8
    [ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000
    [ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480
    [ 2911.194259] Call trace:
    [ 2911.194626]  tracing_map_sort_entries+0x3e0/0x408
    [ 2911.195220]  hist_show+0x124/0x800
    [ 2911.195692]  seq_read_iter+0x1d4/0x4e8
    [ 2911.196193]  seq_read+0xe8/0x138
    [ 2911.196638]  vfs_read+0xc8/0x300
    [ 2911.197078]  ksys_read+0x70/0x108
    [ 2911.197534]  __arm64_sys_read+0x24/0x38
    [ 2911.198046]  invoke_syscall+0x78/0x108
    [ 2911.198553]  el0_svc_common.constprop.0+0xd0/0xf8
    [ 2911.199157]  do_el0_svc+0x28/0x40
    [ 2911.199613]  el0_svc+0x40/0x178
    [ 2911.200048]  el0t_64_sync_handler+0x13c/0x158
    [ 2911.200621]  el0t_64_sync+0x1a8/0x1b0
    [ 2911.201115] ---[ end trace 0000000000000000 ]---
    
    The problem appears to be caused by CPU reordering of writes issued from
    __tracing_map_insert().
    
    The check for the presence of an element with a given key in this
    function is:
    
     val = READ_ONCE(entry->val);
     if (val && keys_match(key, val->key, map->key_size)) ...
    
    The write of a new entry is:
    
     elt = get_free_elt(map);
     memcpy(elt->key, key, map->key_size);
     entry->val = elt;
    
    The "memcpy(elt->key, key, map->key_size);" and "entry->val = elt;"
    stores may become visible in the reversed order on another CPU. This
    second CPU might then incorrectly determine that a new key doesn't match
    an already present val->key and subsequently insert a new element,
    resulting in a duplicate.
    
    Fix the problem by adding a write barrier between
    "memcpy(elt->key, key, map->key_size);" and "entry->val = elt;", and for
    good measure, also use WRITE_ONCE(entry->val, elt) for publishing the
    element. The sequence pairs with the mentioned "READ_ONCE(entry->val);"
    and the "val->key" check which has an address dependency.
    
    The barrier is placed on a path executed when adding an element for
    a new key. Subsequent updates targeting the same key remain unaffected.
    
    From the user's perspective, the issue was introduced by commit
    c193707dde77 ("tracing: Remove code which merges duplicates"), which
    followed commit cbf4100efb8f ("tracing: Add support to detect and avoid
    duplicates"). The previous code operated differently; it inherently
    expected potential races which result in duplicates but merged them
    later when they occurred.
    
    Link: https://lore.kernel.org/linux-trace-kernel/20240122150928.27725-1-petr.pavlu@suse.com
    
    Fixes: c193707dde77 ("tracing: Remove code which merges duplicates")
    Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
    Acked-by: Tom Zanussi <tom.zanussi@linux.intel.com>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tracing: Fix wasted memory in saved_cmdlines logic [+ + +]
Author: Steven Rostedt (Google) <rostedt@goodmis.org>
Date:   Fri Feb 9 06:36:22 2024 -0500

    tracing: Fix wasted memory in saved_cmdlines logic
    
    commit 44dc5c41b5b1267d4dd037d26afc0c4d3a568acb upstream.
    
    While looking at improving the saved_cmdlines cache I found a huge amount
    of wasted memory that should be used for the cmdlines.
    
    The tracing data saves pids during the trace. At sched switch, if a trace
    occurred, it will save the comm of the task that did the trace. This is
    saved in a "cache" that maps pids to comms and exposed to user space via
    the /sys/kernel/tracing/saved_cmdlines file. Currently it only caches by
    default 128 comms.
    
    The structure that uses this creates an array to store the pids using
    PID_MAX_DEFAULT (which is usually set to 32768). This causes the structure
    to be of the size of 131104 bytes on 64 bit machines.
    
    In hex: 131104 = 0x20020, and since the kernel allocates generic memory in
    powers of two, the kernel would allocate 0x40000 or 262144 bytes to store
    this structure. That leaves 131040 bytes of wasted space.
    
    Worse, the structure points to an allocated array to store the comm names,
    which is 16 bytes times the amount of names to save (currently 128), which
    is 2048 bytes. Instead of allocating a separate array, make the structure
    end with a variable length string and use the extra space for that.
    
    This is similar to a recommendation that Linus had made about eventfs_inode names:
    
      https://lore.kernel.org/all/20240130190355.11486-5-torvalds@linux-foundation.org/
    
    Instead of allocating a separate string array to hold the saved comms,
    have the structure end with: char saved_cmdlines[]; and round up to the
    next power of two over sizeof(struct saved_cmdline_buffers) + num_cmdlines * TASK_COMM_LEN
    It will use this extra space for the saved_cmdline portion.
    
    Now, instead of saving only 128 comms by default, by using this wasted
    space at the end of the structure it can save over 8000 comms and even
    saves space by removing the need for allocating the other array.
    
    Link: https://lore.kernel.org/linux-trace-kernel/20240209063622.1f7b6d5f@rorschach.local.home
    
    Cc: stable@vger.kernel.org
    Cc: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Cc: Vincent Donnefort <vdonnefort@google.com>
    Cc: Sven Schnelle <svens@linux.ibm.com>
    Cc: Mete Durlu <meted@linux.ibm.com>
    Fixes: 939c7a4f04fcd ("tracing: Introduce saved_cmdlines_size file")
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tracing: Inform kmemleak of saved_cmdlines allocation [+ + +]
Author: Steven Rostedt (Google) <rostedt@goodmis.org>
Date:   Wed Feb 14 11:20:46 2024 -0500

    tracing: Inform kmemleak of saved_cmdlines allocation
    
    commit 2394ac4145ea91b92271e675a09af2a9ea6840b7 upstream.
    
    The allocation of the struct saved_cmdlines_buffer structure changed from:
    
            s = kmalloc(sizeof(*s), GFP_KERNEL);
            s->saved_cmdlines = kmalloc_array(TASK_COMM_LEN, val, GFP_KERNEL);
    
    to:
    
            orig_size = sizeof(*s) + val * TASK_COMM_LEN;
            order = get_order(orig_size);
            size = 1 << (order + PAGE_SHIFT);
            page = alloc_pages(GFP_KERNEL, order);
            if (!page)
                    return NULL;
    
            s = page_address(page);
            memset(s, 0, sizeof(*s));
    
            s->saved_cmdlines = kmalloc_array(TASK_COMM_LEN, val, GFP_KERNEL);
    
    Where that s->saved_cmdlines allocation looks to be a dangling allocation
    to kmemleak. That's because kmemleak only keeps track of kmalloc()
    allocations. For allocations that use page_alloc() directly, the kmemleak
    needs to be explicitly informed about it.
    
    Add kmemleak_alloc() and kmemleak_free() around the page allocation so
    that it doesn't give the following false positive:
    
    unreferenced object 0xffff8881010c8000 (size 32760):
      comm "swapper", pid 0, jiffies 4294667296
      hex dump (first 32 bytes):
        ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
        ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
      backtrace (crc ae6ec1b9):
        [<ffffffff86722405>] kmemleak_alloc+0x45/0x80
        [<ffffffff8414028d>] __kmalloc_large_node+0x10d/0x190
        [<ffffffff84146ab1>] __kmalloc+0x3b1/0x4c0
        [<ffffffff83ed7103>] allocate_cmdlines_buffer+0x113/0x230
        [<ffffffff88649c34>] tracer_alloc_buffers.isra.0+0x124/0x460
        [<ffffffff8864a174>] early_trace_init+0x14/0xa0
        [<ffffffff885dd5ae>] start_kernel+0x12e/0x3c0
        [<ffffffff885f5758>] x86_64_start_reservations+0x18/0x30
        [<ffffffff885f582b>] x86_64_start_kernel+0x7b/0x80
        [<ffffffff83a001c3>] secondary_startup_64_no_verify+0x15e/0x16b
    
    Link: https://lore.kernel.org/linux-trace-kernel/87r0hfnr9r.fsf@kernel.org/
    Link: https://lore.kernel.org/linux-trace-kernel/20240214112046.09a322d6@gandalf.local.home
    
    Cc: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Fixes: 44dc5c41b5b1 ("tracing: Fix wasted memory in saved_cmdlines logic")
    Reported-by: Kalle Valo <kvalo@kernel.org>
    Tested-by: Kalle Valo <kvalo@kernel.org>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path [+ + +]
Author: Zhihao Cheng <chengzhihao1@huawei.com>
Date:   Fri Dec 22 16:54:46 2023 +0800

    ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
    
    commit 1e022216dcd248326a5bb95609d12a6815bca4e2 upstream.
    
    For error handling path in ubifs_symlink(), inode will be marked as
    bad first, then iput() is invoked. If inode->i_link is initialized by
    fscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't
    be freed by callchain ubifs_free_inode -> fscrypt_free_inode in error
    handling path, because make_bad_inode() has changed 'inode->i_mode' as
    'S_IFREG'.
    Following kmemleak is easy to be reproduced by injecting error in
    ubifs_jnl_update() when doing symlink in encryption scenario:
     unreferenced object 0xffff888103da3d98 (size 8):
      comm "ln", pid 1692, jiffies 4294914701 (age 12.045s)
      backtrace:
       kmemdup+0x32/0x70
       __fscrypt_encrypt_symlink+0xed/0x1c0
       ubifs_symlink+0x210/0x300 [ubifs]
       vfs_symlink+0x216/0x360
       do_symlinkat+0x11a/0x190
       do_syscall_64+0x3b/0xe0
    There are two ways fixing it:
     1. Remove make_bad_inode() in error handling path. We can do that
        because ubifs_evict_inode() will do same processes for good
        symlink inode and bad symlink inode, for inode->i_nlink checking
        is before is_bad_inode().
     2. Free inode->i_link before marking inode bad.
    Method 2 is picked, it has less influence, personally, I think.
    
    Cc: stable@vger.kernel.org
    Fixes: 2c58d548f570 ("fscrypt: cache decrypted symlink target in ->i_link")
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Suggested-by: Eric Biggers <ebiggers@kernel.org>
    Reviewed-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
UBSAN: array-index-out-of-bounds in dtSplitRoot [+ + +]
Author: Osama Muhammad <osmtendev@gmail.com>
Date:   Sat Oct 14 00:10:28 2023 +0500

    UBSAN: array-index-out-of-bounds in dtSplitRoot
    
    [ Upstream commit 27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16 ]
    
    Syzkaller reported the following issue:
    
    oop0: detected capacity change from 0 to 32768
    
    UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9
    index -2 is out of range for type 'struct dtslot [128]'
    CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
     ubsan_epilogue lib/ubsan.c:151 [inline]
     __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283
     dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971
     dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]
     dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863
     jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270
     vfs_mkdir+0x3b3/0x590 fs/namei.c:4013
     do_mkdirat+0x279/0x550 fs/namei.c:4038
     __do_sys_mkdirat fs/namei.c:4053 [inline]
     __se_sys_mkdirat fs/namei.c:4051 [inline]
     __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x7fcdc0113fd9
    Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9
    RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
    RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0
    R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000
    R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000
     </TASK>
    
    The issue is caused when the value of fsi becomes less than -1.
    The check to break the loop when fsi value becomes -1 is present
    but syzbot was able to produce value less than -1 which cause the error.
    This patch simply add the change for the values less than 0.
    
    The patch is tested via syzbot.
    
    Reported-and-tested-by: syzbot+d4b1df2e9d4ded6488ec@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?extid=d4b1df2e9d4ded6488ec
    Signed-off-by: Osama Muhammad <osmtendev@gmail.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
um: Don't use vfprintf() for os_info() [+ + +]
Author: Benjamin Berg <benjamin@sipsolutions.net>
Date:   Fri Nov 10 12:03:41 2023 +0100

    um: Don't use vfprintf() for os_info()
    
    [ Upstream commit 236f9fe39b02c15fa5530b53e9cca48354394389 ]
    
    The threads allocated inside the kernel have only a single page of
    stack. Unfortunately, the vfprintf function in standard glibc may use
    too much stack-space, overflowing it.
    
    To make os_info safe to be used by helper threads, use the kernel
    vscnprintf function into a smallish buffer and write out the information
    to stderr.
    
    Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

um: Fix naming clash between UML and scheduler [+ + +]
Author: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Date:   Thu Sep 21 15:34:44 2023 +0100

    um: Fix naming clash between UML and scheduler
    
    [ Upstream commit 541d4e4d435c8b9bfd29f70a1da4a2db97794e0a ]
    
    __cant_sleep was already used and exported by the scheduler.
    The name had to be changed to a UML specific one.
    
    Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
    Reviewed-by: Peter Lafreniere <peter@n8pjl.ca>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

um: net: Fix return type of uml_net_start_xmit() [+ + +]
Author: Nathan Chancellor <nathan@kernel.org>
Date:   Wed Dec 6 09:49:46 2023 -0700

    um: net: Fix return type of uml_net_start_xmit()
    
    [ Upstream commit 7d748f60a4b82b50bf25fad1bd42d33f049f76aa ]
    
    With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
    indirect call targets are validated against the expected function
    pointer prototype to make sure the call target is valid to help mitigate
    ROP attacks. If they are not identical, there is a failure at run time,
    which manifests as either a kernel panic or thread getting killed. A
    warning in clang aims to catch these at compile time, which reveals:
    
      arch/um/drivers/net_kern.c:353:21: warning: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Wincompatible-function-pointer-types-strict]
        353 |         .ndo_start_xmit         = uml_net_start_xmit,
            |                                   ^~~~~~~~~~~~~~~~~~
      1 warning generated.
    
    ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
    'netdev_tx_t', not 'int'. Adjust the return type of uml_net_start_xmit()
    to match the prototype's to resolve the warning. While UML does not
    currently implement support for kCFI, it could in the future, which
    means this warning becomes a fatal CFI failure at run time.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/oe-kbuild-all/202310031340.v1vPh207-lkp@intel.com/
    Acked-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
units: add the HZ macros [+ + +]
Author: Daniel Lezcano <daniel.lezcano@linaro.org>
Date:   Tue Sep 7 19:57:48 2021 -0700

    units: add the HZ macros
    
    [ Upstream commit e2c77032fcbe515194107994d12cd72ddb77b022 ]
    
    The macros for the unit conversion for frequency are duplicated in
    different places.
    
    Provide these macros in the 'units' header, so they can be reused.
    
    Link: https://lkml.kernel.org/r/20210816114732.1834145-3-daniel.lezcano@linaro.org
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Reviewed-by: Christian Eggers <ceggers@arri.de>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: Chanwoo Choi <cw00.choi@samsung.com>
    Cc: Guenter Roeck <linux@roeck-us.net>
    Cc: Jonathan Cameron <jic23@kernel.org>
    Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Cc: Kyungmin Park <kyungmin.park@samsung.com>
    Cc: Lars-Peter Clausen <lars@metafoo.de>
    Cc: Lukasz Luba <lukasz.luba@arm.com>
    Cc: Maxime Coquelin <mcoquelin.stm32@gmail.com>
    Cc: Miquel Raynal <miquel.raynal@bootlin.com>
    Cc: MyungJoo Ham <myungjoo.ham@samsung.com>
    Cc: Peter Meerwald <pmeerw@pmeerw.net>
    Cc: "Rafael J. Wysocki" <rafael@kernel.org>
    Cc: Zhang Rui <rui.zhang@intel.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Stable-dep-of: 3ef79cd14122 ("serial: sc16is7xx: set safe default SPI clock frequency")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

units: Add Watt units [+ + +]
Author: Daniel Lezcano <daniel.lezcano@linaro.org>
Date:   Tue Dec 8 17:41:42 2020 +0100

    units: Add Watt units
    
    [ Upstream commit 2ee5f8f05949735fa2f4c463a5e13fcb3660c719 ]
    
    As there are the temperature units, let's add the Watt macros definition.
    
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Stable-dep-of: 3ef79cd14122 ("serial: sc16is7xx: set safe default SPI clock frequency")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

units: change from 'L' to 'UL' [+ + +]
Author: Daniel Lezcano <daniel.lezcano@linaro.org>
Date:   Tue Sep 7 19:57:44 2021 -0700

    units: change from 'L' to 'UL'
    
    [ Upstream commit c9221919a2d2df5741ab074dfec5bdfc6f1e043b ]
    
    Patch series "Add Hz macros", v3.
    
    There are multiple definitions of the HZ_PER_MHZ or HZ_PER_KHZ in the
    different drivers.  Instead of duplicating this definition again and
    again, add one in the units.h header to be reused in all the place the
    redefiniton occurs.
    
    At the same time, change the type of the Watts, as they can not be
    negative.
    
    This patch (of 10):
    
    The users of the macros are safe to be assigned with an unsigned instead
    of signed as the variables using them are themselves unsigned.
    
    Link: https://lkml.kernel.org/r/20210816114732.1834145-1-daniel.lezcano@linaro.org
    Link: https://lkml.kernel.org/r/20210816114732.1834145-2-daniel.lezcano@linaro.org
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: Jonathan Cameron <jic23@kernel.org>
    Cc: Christian Eggers <ceggers@arri.de>
    Cc: Lukasz Luba <lukasz.luba@arm.com>
    Cc: MyungJoo Ham <myungjoo.ham@samsung.com>
    Cc: Kyungmin Park <kyungmin.park@samsung.com>
    Cc: Lars-Peter Clausen <lars@metafoo.de>
    Cc: Peter Meerwald <pmeerw@pmeerw.net>
    Cc: Zhang Rui <rui.zhang@intel.com>
    Cc: Guenter Roeck <linux@roeck-us.net>
    Cc: Miquel Raynal <miquel.raynal@bootlin.com>
    Cc: Maxime Coquelin <mcoquelin.stm32@gmail.com>
    Cc: "Rafael J. Wysocki" <rafael@kernel.org>
    Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
    Cc: Chanwoo Choi <cw00.choi@samsung.com>
    Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Stable-dep-of: 3ef79cd14122 ("serial: sc16is7xx: set safe default SPI clock frequency")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
usb: f_mass_storage: forbid async queue when shutdown happen [+ + +]
Author: yuan linyu <yuanlinyu@hihonor.com>
Date:   Tue Jan 23 11:48:29 2024 +0800

    usb: f_mass_storage: forbid async queue when shutdown happen
    
    commit b2d2d7ea0dd09802cf5a0545bf54d8ad8987d20c upstream.
    
    When write UDC to empty and unbind gadget driver from gadget device, it is
    possible that there are many queue failures for mass storage function.
    
    The root cause is mass storage main thread alaways try to queue request to
    receive a command from host if running flag is on, on platform like dwc3,
    if pull down called, it will not queue request again and return
    -ESHUTDOWN, but it not affect running flag of mass storage function.
    
    Check return code from mass storage function and clear running flag if it
    is -ESHUTDOWN, also indicate start in/out transfer failure to break loops.
    
    Cc: stable <stable@kernel.org>
    Signed-off-by: yuan linyu <yuanlinyu@hihonor.com>
    Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
    Link: https://lore.kernel.org/r/20240123034829.3848409-1-yuanlinyu@hihonor.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT [+ + +]
Author: Oliver Neukum <oneukum@suse.com>
Date:   Mon Jan 22 16:35:32 2024 +0100

    USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT
    
    commit f17c34ffc792bbb520e4b61baa16b6cfc7d44b13 upstream.
    
    The OTG 1.3 spec has the feature A_ALT_HNP_SUPPORT, which tells
    a device that it is connected to the wrong port. Some devices
    refuse to operate if you enable that feature, because it indicates
    to them that they ought to request to be connected to another port.
    
    According to the spec this feature may be used based only the following
    three conditions:
    
    6.5.3 a_alt_hnp_support
    Setting this feature indicates to the B-device that it is connected to
    an A-device port that is not capable of HNP, but that the A-device does
    have an alternate port that is capable of HNP.
    The A-device is required to set this feature under the following conditions:
    • the A-device has multiple receptacles
    • the A-device port that connects to the B-device does not support HNP
    • the A-device has another port that does support HNP
    
    A check for the third and first condition is missing. Add it.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Cc: stable <stable@kernel.org>
    Fixes: 7d2d641c44269 ("usb: otg: don't set a_alt_hnp_support feature for OTG 2.0 device")
    Link: https://lore.kernel.org/r/20240122153545.12284-1-oneukum@suse.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: hub: Replace hardcoded quirk value with BIT() macro [+ + +]
Author: Hardik Gajjar <hgajjar@de.adit-jv.com>
Date:   Tue Dec 5 19:18:28 2023 +0100

    usb: hub: Replace hardcoded quirk value with BIT() macro
    
    [ Upstream commit 6666ea93d2c422ebeb8039d11e642552da682070 ]
    
    This patch replaces the hardcoded quirk value in the macro with
    BIT().
    
    Signed-off-by: Hardik Gajjar <hgajjar@de.adit-jv.com>
    Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
    Link: https://lore.kernel.org/r/20231205181829.127353-1-hgajjar@de.adit-jv.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
USB: serial: cp210x: add ID for IMST iM871A-USB [+ + +]
Author: Leonard Dallmayr <leonard.dallmayr@mailbox.org>
Date:   Fri Jan 5 13:35:51 2024 +0100

    USB: serial: cp210x: add ID for IMST iM871A-USB
    
    commit 12b17b4eb82a41977eb848048137b5908d52845c upstream.
    
    The device IMST USB-Stick for Smart Meter is a rebranded IMST iM871A-USB
    Wireless M-Bus USB-adapter. It is used to read wireless water, gas and
    electricity meters.
    
    Signed-off-by: Leonard Dallmayr <leonard.dallmayr@mailbox.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Fibocom FM101-GL variant [+ + +]
Author: Puliang Lu <puliang.lu@fibocom.com>
Date:   Wed Jan 31 17:12:24 2024 +0800

    USB: serial: option: add Fibocom FM101-GL variant
    
    commit b4a1f4eaf1d798066affc6ad040f76eb1a16e1c9 upstream.
    
    Update the USB serial option driver support for the Fibocom
    FM101-GL
    LTE modules as there are actually several different variants.
    - VID:PID 2cb7:01a3, FM101-GL are laptop M.2 cards (with
    MBIM interfaces for /Linux/Chrome OS)
    
    0x01a3:mbim,gnss
    
    Here are the outputs of usb-devices:
    
    T:  Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=5000 MxCh= 0
    D:  Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
    P:  Vendor=2cb7 ProdID=01a3 Rev=05.04
    S:  Manufacturer=Fibocom Wireless Inc.
    S:  Product=Fibocom FM101-GL Module
    S:  SerialNumber=5ccd5cd4
    C:  #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=81(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
    E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    
    Signed-off-by: Puliang Lu <puliang.lu@fibocom.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e [+ + +]
Author: JackBB Wu <wojackbb@gmail.com>
Date:   Tue Jan 23 17:39:48 2024 +0800

    USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e
    
    commit 129690fb229a20b6e563a77a2c85266acecf20bc upstream.
    
    Add support for Dell DW5826e with USB-id 0x413c:0x8217 & 0x413c:0x8218.
    
    It is 0x413c:0x8217
    T:  Bus=02 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#=  4 Spd=480  MxCh= 0
    D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=413c ProdID=8217 Rev= 5.04
    S:  Manufacturer=DELL
    S:  Product=COMPAL Electronics EXM-G1A
    S:  SerialNumber=359302940050401
    C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=qcserial
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=qcserial
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=qcserial
    E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:* If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
    E:  Ad=88(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    It is 0x413c:0x8218
    T:  Bus=02 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
    D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=413c ProdID=8218 Rev= 0.00
    S:  Manufacturer=DELL
    S:  Product=COMPAL Electronics EXM-G1A
    S:  SerialNumber=359302940050401
    C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=  2mA
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=qcserial
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: JackBB Wu <wojackbb@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
vhost: use kzalloc() instead of kmalloc() followed by memset() [+ + +]
Author: Prathu Baronia <prathubaronia2011@gmail.com>
Date:   Mon May 22 14:20:19 2023 +0530

    vhost: use kzalloc() instead of kmalloc() followed by memset()
    
    commit 4d8df0f5f79f747d75a7d356d9b9ea40a4e4c8a9 upstream.
    
    Use kzalloc() to allocate new zeroed out msg node instead of
    memsetting a node allocated with kmalloc().
    
    Signed-off-by: Prathu Baronia <prathubaronia2011@gmail.com>
    Message-Id: <20230522085019.42914-1-prathubaronia2011@gmail.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings [+ + +]
Author: Zhu Yanjun <yanjun.zhu@linux.dev>
Date:   Thu Jan 4 10:09:02 2024 +0800

    virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings
    
    [ Upstream commit e3fe8d28c67bf6c291e920c6d04fa22afa14e6e4 ]
    
    Fix the warnings when building virtio_net driver.
    
    "
    drivers/net/virtio_net.c: In function ‘init_vqs’:
    drivers/net/virtio_net.c:4551:48: warning: ‘%d’ directive writing between 1 and 11 bytes into a region of size 10 [-Wformat-overflow=]
     4551 |                 sprintf(vi->rq[i].name, "input.%d", i);
          |                                                ^~
    In function ‘virtnet_find_vqs’,
        inlined from ‘init_vqs’ at drivers/net/virtio_net.c:4645:8:
    drivers/net/virtio_net.c:4551:41: note: directive argument in the range [-2147483643, 65534]
     4551 |                 sprintf(vi->rq[i].name, "input.%d", i);
          |                                         ^~~~~~~~~~
    drivers/net/virtio_net.c:4551:17: note: ‘sprintf’ output between 8 and 18 bytes into a destination of size 16
     4551 |                 sprintf(vi->rq[i].name, "input.%d", i);
          |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/net/virtio_net.c: In function ‘init_vqs’:
    drivers/net/virtio_net.c:4552:49: warning: ‘%d’ directive writing between 1 and 11 bytes into a region of size 9 [-Wformat-overflow=]
     4552 |                 sprintf(vi->sq[i].name, "output.%d", i);
          |                                                 ^~
    In function ‘virtnet_find_vqs’,
        inlined from ‘init_vqs’ at drivers/net/virtio_net.c:4645:8:
    drivers/net/virtio_net.c:4552:41: note: directive argument in the range [-2147483643, 65534]
     4552 |                 sprintf(vi->sq[i].name, "output.%d", i);
          |                                         ^~~~~~~~~~~
    drivers/net/virtio_net.c:4552:17: note: ‘sprintf’ output between 9 and 19 bytes into a destination of size 16
     4552 |                 sprintf(vi->sq[i].name, "output.%d", i);
    
    "
    
    Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
    Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
    Link: https://lore.kernel.org/r/20240104020902.2753599-1-yanjun.zhu@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING [+ + +]
Author: Lin Ma <linma@zju.edu.cn>
Date:   Thu Jan 18 21:03:06 2024 +0800

    vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING
    
    [ Upstream commit 6c21660fe221a15c789dee2bc2fd95516bc5aeaf ]
    
    In the vlan_changelink function, a loop is used to parse the nested
    attributes IFLA_VLAN_EGRESS_QOS and IFLA_VLAN_INGRESS_QOS in order to
    obtain the struct ifla_vlan_qos_mapping. These two nested attributes are
    checked in the vlan_validate_qos_map function, which calls
    nla_validate_nested_deprecated with the vlan_map_policy.
    
    However, this deprecated validator applies a LIBERAL strictness, allowing
    the presence of an attribute with the type IFLA_VLAN_QOS_UNSPEC.
    Consequently, the loop in vlan_changelink may parse an attribute of type
    IFLA_VLAN_QOS_UNSPEC and believe it carries a payload of
    struct ifla_vlan_qos_mapping, which is not necessarily true.
    
    To address this issue and ensure compatibility, this patch introduces two
    type checks that skip attributes whose type is not IFLA_VLAN_QOS_MAPPING.
    
    Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
    Signed-off-by: Lin Ma <linma@zju.edu.cn>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://lore.kernel.org/r/20240118130306.1644001-1-linma@zju.edu.cn
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() [+ + +]
Author: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Date:   Wed Nov 22 20:31:04 2023 +0200

    wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
    
    [ Upstream commit 2adc886244dff60f948497b59affb6c6ebb3c348 ]
    
    Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug
    occurs when txs->cnt, data from a URB provided by a USB device, is
    bigger than the size of the array txs->txstatus, which is
    HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug
    handling code after the check. Make the function return if that is the
    case.
    
    Found by a modified version of syzkaller.
    
    UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
    index 13 is out of range for type '__wmi_event_txstatus [12]'
    Call Trace:
     ath9k_htc_txstatus
     ath9k_wmi_event_tasklet
     tasklet_action_common
     __do_softirq
     irq_exit_rxu
     sysvec_apic_timer_interrupt
    
    Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
    Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://lore.kernel.org/r/20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update [+ + +]
Author: Edward Adam Davis <eadavis@qq.com>
Date:   Wed Jan 3 20:13:51 2024 +0800

    wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update
    
    [ Upstream commit 1184950e341c11b6f82bc5b59564411d9537ab27 ]
    
    Replace rcu_dereference() with rcu_access_pointer() since we hold
    the lock here (and aren't in an RCU critical section).
    
    Fixes: 32af9a9e1069 ("wifi: cfg80211: free beacon_ies when overridden from hidden BSS")
    Reported-and-tested-by: syzbot+864a269c27ee06b58374@syzkaller.appspotmail.com
    Signed-off-by: Edward Adam Davis <eadavis@qq.com>
    Link: https://msgid.link/tencent_BF8F0DF0258C8DBF124CDDE4DD8D992DCF07@qq.com
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: cfg80211: free beacon_ies when overridden from hidden BSS [+ + +]
Author: Benjamin Berg <benjamin.berg@intel.com>
Date:   Wed Dec 20 13:41:41 2023 +0200

    wifi: cfg80211: free beacon_ies when overridden from hidden BSS
    
    [ Upstream commit 32af9a9e1069e55bc02741fb00ac9d0ca1a2eaef ]
    
    This is a more of a cosmetic fix. The branch will only be taken if
    proberesp_ies is set, which implies that beacon_ies is not set unless we
    are connected to an AP that just did a channel switch. And, in that case
    we should have found the BSS in the internal storage to begin with.
    
    Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
    Reviewed-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
    Link: https://msgid.link/20231220133549.b898e22dadff.Id8c4c10aedd176ef2e18a4cad747b299f150f9df@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: rt2x00: restart beacon queue when hardware reset [+ + +]
Author: Shiji Yang <yangshiji66@outlook.com>
Date:   Sat Nov 4 16:58:00 2023 +0800

    wifi: rt2x00: restart beacon queue when hardware reset
    
    [ Upstream commit a11d965a218f0cd95b13fe44d0bcd8a20ce134a8 ]
    
    When a hardware reset is triggered, all registers are reset, so all
    queues are forced to stop in hardware interface. However, mac80211
    will not automatically stop the queue. If we don't manually stop the
    beacon queue, the queue will be deadlocked and unable to start again.
    This patch fixes the issue where Apple devices cannot connect to the
    AP after calling ieee80211_restart_hw().
    
    Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
    Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/TYAP286MB031530EB6D98DCE4DF20766CBCA4A@TYAP286MB0315.JPNP286.PROD.OUTLOOK.COM
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices [+ + +]
Author: Zenm Chen <zenmchen@gmail.com>
Date:   Sun Dec 17 20:30:17 2023 +0800

    wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
    
    [ Upstream commit 4e87ca403e2008b9e182239e1abbf6876a55eb33 ]
    
    Add additional USB IDs found in the vendor driver from
    https://github.com/Mange/rtl8192eu-linux-driver to support more
    RTL8192EU devices.
    
    Signed-off-by: Zenm Chen <zenmchen@gmail.com>
    Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://msgid.link/20231217123017.1982-1-zenmchen@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() [+ + +]
Author: Su Hui <suhui@nfschina.com>
Date:   Tue Dec 19 14:57:39 2023 +0800

    wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
    
    [ Upstream commit 5c16618bc06a41ad68fd8499a21d35ef57ca06c2 ]
    
    Using calculate_bit_shift() to replace rtl8723_phy_calculate_bit_shift().
    And fix an undefined bitwise shift behavior problem.
    
    Signed-off-by: Su Hui <suhui@nfschina.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://msgid.link/20231219065739.1895666-12-suhui@nfschina.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum [+ + +]
Author: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Date:   Thu Jan 25 19:05:02 2024 +0100

    x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum
    
    The stable kernel version backport of the patch disabling XSAVES on AMD
    Zen family 0x17 applied this change to the wrong function (init_amd_k6()),
    one which isn't called for Zen CPUs.
    
    Move the erratum to the init_amd_zn() function instead.
    
    Add an explicit family 0x17 check to the erratum so nothing will break if
    someone naively makes this kernel version call init_amd_zn() also for
    family 0x19 in the future (as the current upstream code does).
    
    Fixes: e40c1e9da1ec ("x86/CPU/AMD: Disable XSAVES on AMD family 0x17")
    Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
x86/entry/ia32: Ensure s32 is sign extended to s64 [+ + +]
Author: Richard Palethorpe <rpalethorpe@suse.com>
Date:   Wed Jan 10 15:01:22 2024 +0200

    x86/entry/ia32: Ensure s32 is sign extended to s64
    
    commit 56062d60f117dccfb5281869e0ab61e090baf864 upstream.
    
    Presently ia32 registers stored in ptregs are unconditionally cast to
    unsigned int by the ia32 stub. They are then cast to long when passed to
    __se_sys*, but will not be sign extended.
    
    This takes the sign of the syscall argument into account in the ia32
    stub. It still casts to unsigned int to avoid implementation specific
    behavior. However then casts to int or unsigned int as necessary. So that
    the following cast to long sign extends the value.
    
    This fixes the io_pgetevents02 LTP test when compiled with -m32. Presently
    the systemcall io_pgetevents_time64() unexpectedly accepts -1 for the
    maximum number of events.
    
    It doesn't appear other systemcalls with signed arguments are effected
    because they all have compat variants defined and wired up.
    
    Fixes: ebeb8c82ffaf ("syscalls/x86: Use 'struct pt_regs' based syscall calling for IA32_EMULATION and x32")
    Suggested-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
    Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Arnd Bergmann <arnd@arndb.de>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240110130122.3836513-1-nik.borisov@suse.com
    Link: https://lore.kernel.org/ltp/20210921130127.24131-1-rpalethorpe@suse.com/
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6 [+ + +]
Author: Aleksander Mazur <deweloper@wp.pl>
Date:   Tue Jan 23 14:43:00 2024 +0100

    x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
    
    commit f6a1892585cd19e63c4ef2334e26cd536d5b678d upstream.
    
    The kernel built with MCRUSOE is unbootable on Transmeta Crusoe.  It shows
    the following error message:
    
      This kernel requires an i686 CPU, but only detected an i586 CPU.
      Unable to boot - please use a kernel appropriate for your CPU.
    
    Remove MCRUSOE from the condition introduced in commit in Fixes, effectively
    changing X86_MINIMUM_CPU_FAMILY back to 5 on that machine, which matches the
    CPU family given by CPUID.
    
      [ bp: Massage commit message. ]
    
    Fixes: 25d76ac88821 ("x86/Kconfig: Explicitly enumerate i686-class CPUs in Kconfig")
    Signed-off-by: Aleksander Mazur <deweloper@wp.pl>
    Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
    Acked-by: H. Peter Anvin <hpa@zytor.com>
    Cc: <stable@kernel.org>
    Link: https://lore.kernel.org/r/20240123134309.1117782-1-deweloper@wp.pl
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel [+ + +]
Author: Zhiquan Li <zhiquan1.li@intel.com>
Date:   Thu Oct 26 08:39:03 2023 +0800

    x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel
    
    [ Upstream commit 9f3b130048bfa2e44a8cfb1b616f826d9d5d8188 ]
    
    Memory errors don't happen very often, especially fatal ones. However,
    in large-scale scenarios such as data centers, that probability
    increases with the amount of machines present.
    
    When a fatal machine check happens, mce_panic() is called based on the
    severity grading of that error. The page containing the error is not
    marked as poison.
    
    However, when kexec is enabled, tools like makedumpfile understand when
    pages are marked as poison and do not touch them so as not to cause
    a fatal machine check exception again while dumping the previous
    kernel's memory.
    
    Therefore, mark the page containing the error as poisoned so that the
    kexec'ed kernel can avoid accessing the page.
    
      [ bp: Rewrite commit message and comment. ]
    
    Co-developed-by: Youquan Song <youquan.song@intel.com>
    Signed-off-by: Youquan Song <youquan.song@intel.com>
    Signed-off-by: Zhiquan Li <zhiquan1.li@intel.com>
    Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
    Reviewed-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
    Link: https://lore.kernel.org/r/20231014051754.3759099-1-zhiquan1.li@intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
x86/mm/ident_map: Use gbpages only where full GB page should be mapped. [+ + +]
Author: Steve Wahl <steve.wahl@hpe.com>
Date:   Fri Jan 26 10:48:41 2024 -0600

    x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
    
    commit d794734c9bbfe22f86686dc2909c25f5ffe1a572 upstream.
    
    When ident_pud_init() uses only gbpages to create identity maps, large
    ranges of addresses not actually requested can be included in the
    resulting table; a 4K request will map a full GB.  On UV systems, this
    ends up including regions that will cause hardware to halt the system
    if accessed (these are marked "reserved" by BIOS).  Even processor
    speculation into these regions is enough to trigger the system halt.
    
    Only use gbpages when map creation requests include the full GB page
    of space.  Fall back to using smaller 2M pages when only portions of a
    GB page are included in the request.
    
    No attempt is made to coalesce mapping requests. If a request requires
    a map entry at the 2M (pmd) level, subsequent mapping requests within
    the same 1G region will also be at the pmd level, even if adjacent or
    overlapping such requests could have been combined to map a full
    gbpage.  Existing usage starts with larger regions and then adds
    smaller regions, so this should not have any great consequence.
    
    [ dhansen: fix up comment formatting, simplifty changelog ]
    
    Signed-off-by: Steve Wahl <steve.wahl@hpe.com>
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/all/20240126164841.170866-1-steve.wahl%40hpe.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
xen-netback: properly sync TX responses [+ + +]
Author: Jan Beulich <jbeulich@suse.com>
Date:   Mon Jan 29 14:03:08 2024 +0100

    xen-netback: properly sync TX responses
    
    commit 7b55984c96ffe9e236eb9c82a2196e0b1f84990d upstream.
    
    Invoking the make_tx_response() / push_tx_responses() pair with no lock
    held would be acceptable only if all such invocations happened from the
    same context (NAPI instance or dealloc thread). Since this isn't the
    case, and since the interface "spec" also doesn't demand that multicast
    operations may only be performed with no in-flight transmits,
    MCAST_{ADD,DEL} processing also needs to acquire the response lock
    around the invocations.
    
    To prevent similar mistakes going forward, "downgrade" the present
    functions to private helpers of just the two remaining ones using them
    directly, with no forward declarations anymore. This involves renaming
    what so far was make_tx_response(), for the new function of that name
    to serve the new (wrapper) purpose.
    
    While there,
    - constify the txp parameters,
    - correct xenvif_idx_release()'s status parameter's type,
    - rename {,_}make_tx_response()'s status parameters for consistency with
      xenvif_idx_release()'s.
    
    Fixes: 210c34dcd8d9 ("xen-netback: add support for multicast control")
    Cc: stable@vger.kernel.org
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Reviewed-by: Paul Durrant <paul@xen.org>
    Link: https://lore.kernel.org/r/980c6c3d-e10e-4459-8565-e8fbde122f00@suse.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>