Linux 5.15.79

 
ALSA: hda/ca0132: add quirk for EVGA Z390 DARK [+ + +]
Author: Xian Wang <dev@xianwang.io>
Date:   Fri Nov 4 13:29:13 2022 -0700

    ALSA: hda/ca0132: add quirk for EVGA Z390 DARK
    
    commit 0c423e2ffa7edd3f8f9bcf17ce73fa9c7509b99e upstream.
    
    The Z390 DARK mainboard uses a CA0132 audio controller. The quirk is
    needed to enable surround sound and 3.5mm headphone jack handling in
    the front audio connector as well as in the rear of the board when in
    stereo mode.
    
    Page 97 of the linked manual contains instructions to setup the
    controller.
    
    Signed-off-by: Xian Wang <dev@xianwang.io>
    Cc: stable@vger.kernel.org
    Link: https://www.evga.com/support/manuals/files/131-CS-E399.pdf
    Link: https://lore.kernel.org/r/20221104202913.13904-1-dev@xianwang.io
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: hda/hdmi - enable runtime pm for more AMD display audio [+ + +]
Author: Evan Quan <evan.quan@amd.com>
Date:   Tue Nov 8 16:47:46 2022 +0800

    ALSA: hda/hdmi - enable runtime pm for more AMD display audio
    
    commit fdcc4c22b7ab20e90b97f8bc6225d876b72b8f16 upstream.
    
    We are able to power down the GPU and audio via the GPU driver
    so flag these asics as supporting runtime pm.
    
    Signed-off-by: Evan Quan <evan.quan@amd.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20221108084746.583058-1-evan.quan@amd.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: hda/realtek: Add Positivo C6300 model quirk [+ + +]
Author: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
Date:   Wed Nov 9 13:17:32 2022 -0400

    ALSA: hda/realtek: Add Positivo C6300 model quirk
    
    commit 79e28f2ab3440e08f5fbf65648b008341c37b496 upstream.
    
    Positivo Master C6300 (1849:a233) require quirk for anabling headset-mic
    
    Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20221109171732.5417-1-edson.drosdeck@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: hda: fix potential memleak in 'add_widget_node' [+ + +]
Author: Ye Bin <yebin10@huawei.com>
Date:   Thu Nov 10 22:45:39 2022 +0800

    ALSA: hda: fix potential memleak in 'add_widget_node'
    
    commit 9a5523f72bd2b0d66eef3d58810c6eb7b5ffc143 upstream.
    
    As 'kobject_add' may allocated memory for 'kobject->name' when return error.
    And in this function, if call 'kobject_add' failed didn't free kobject.
    So call 'kobject_put' to recycling resources.
    
    Signed-off-by: Ye Bin <yebin10@huawei.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20221110144539.2989354-1-yebin@huaweicloud.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: usb-audio: Add DSD support for Accuphase DAC-60 [+ + +]
Author: Jussi Laako <jussi@sonarnerd.net>
Date:   Wed Nov 9 00:12:41 2022 +0200

    ALSA: usb-audio: Add DSD support for Accuphase DAC-60
    
    commit 8cbd4725ffff3eface1f5f3397af02acad5b2831 upstream.
    
    Accuphase DAC-60 option card supports native DSD up to DSD256,
    but doesn't have support for auto-detection. Explicitly enable
    DSD support for the correct altsetting.
    
    Signed-off-by: Jussi Laako <jussi@sonarnerd.net>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20221108221241.1220878-1-jussi@sonarnerd.net
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: usb-audio: Add quirk entry for M-Audio Micro [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Nov 8 15:07:21 2022 +0100

    ALSA: usb-audio: Add quirk entry for M-Audio Micro
    
    commit 2f01a612d4758b45f775dbb88a49cf534ba47275 upstream.
    
    M-Audio Micro (0762:201a) defines the descriptor as vendor-specific,
    while the content seems class-compliant.  Just overriding the probe
    makes the device working.
    
    Reported-by: Ash Logan <ash@heyquark.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/7ecd4417-d860-4773-c1c1-b07433342390@heyquark.com
    Link: https://lore.kernel.org/r/20221108140721.24248-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: usb-audio: Yet more regression for for the delayed card registration [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Nov 8 07:58:23 2022 +0100

    ALSA: usb-audio: Yet more regression for for the delayed card registration
    
    commit 971cb608d1c5d95533a43b549bb8ec9637f10043 upstream.
    
    Although we tried to fix the regression for the recent changes with
    the delayed card registration, it doesn't seem covering the all
    cases; e.g. on Roland EDIROL M-100FX, where the generic quirk for
    Roland devices is applied, it misses the card registration because the
    detection of the last interface (apparently for MIDI) fails.
    
    This patch is an attempt to recover from those failures by calling the
    card register also at the error path for the secondary interfaces.
    The card register condition is also extended to match with the old
    check in the previous patch, too (i.e. the simple check of the
    interface number) for catching the probe with errors.
    
    Fixes: 39efc9c8a973 ("ALSA: usb-audio: Fix last interface check for registration")
    Cc: <stable@vger.kernel.org>
    Link: https://bugzilla.suse.com/show_bug.cgi?id=1205111
    Link: https://lore.kernel.org/r/20221108065824.14418-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
arm64: efi: Fix handling of misaligned runtime regions and drop warning [+ + +]
Author: Ard Biesheuvel <ardb@kernel.org>
Date:   Sun Nov 6 15:53:54 2022 +0100

    arm64: efi: Fix handling of misaligned runtime regions and drop warning
    
    commit 9b9eaee9828fe98b030cf43ac50065a54a2f5d52 upstream.
    
    Currently, when mapping the EFI runtime regions in the EFI page tables,
    we complain about misaligned regions in a rather noisy way, using
    WARN().
    
    Not only does this produce a lot of irrelevant clutter in the log, it is
    factually incorrect, as misaligned runtime regions are actually allowed
    by the EFI spec as long as they don't require conflicting memory types
    within the same 64k page.
    
    So let's drop the warning, and tweak the code so that we
    - take both the start and end of the region into account when checking
      for misalignment
    - only revert to RWX mappings for non-code regions if misaligned code
      regions are also known to exist.
    
    Cc: <stable@vger.kernel.org>
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ata: libata-scsi: fix SYNCHRONIZE CACHE (16) command failure [+ + +]
Author: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Date:   Mon Nov 7 13:02:29 2022 +0900

    ata: libata-scsi: fix SYNCHRONIZE CACHE (16) command failure
    
    commit ea045fd344cb15c164e9ffc8b8cffb6883df8475 upstream.
    
    SAT SCSI/ATA Translation specification requires SCSI SYNCHRONIZE CACHE
    (10) and (16) commands both shall be translated to ATA flush command.
    Also, ZBC Zoned Block Commands specification mandates SYNCHRONIZE CACHE
    (16) command support. However, libata translates only SYNCHRONIZE CACHE
    (10). This results in SYNCHRONIZE CACHE (16) command failures on SATA
    drives and then libata translation does not conform to ZBC. To avoid the
    failure, add support for SYNCHRONIZE CACHE (16).
    
    Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
bnxt_en: Fix possible crash in bnxt_hwrm_set_coal() [+ + +]
Author: Michael Chan <michael.chan@broadcom.com>
Date:   Thu Nov 3 19:33:26 2022 -0400

    bnxt_en: Fix possible crash in bnxt_hwrm_set_coal()
    
    [ Upstream commit 6d81ea3765dfa6c8a20822613c81edad1c4a16a0 ]
    
    During the error recovery sequence, the rtnl_lock is not held for the
    entire duration and some datastructures may be freed during the sequence.
    Check for the BNXT_STATE_OPEN flag instead of netif_running() to ensure
    that the device is fully operational before proceeding to reconfigure
    the coalescing settings.
    
    This will fix a possible crash like this:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
    PGD 0 P4D 0
    Oops: 0000 [#1] SMP NOPTI
    CPU: 10 PID: 181276 Comm: ethtool Kdump: loaded Tainted: G          IOE    --------- -  - 4.18.0-348.el8.x86_64 #1
    Hardware name: Dell Inc. PowerEdge R740/0F9N89, BIOS 2.3.10 08/15/2019
    RIP: 0010:bnxt_hwrm_set_coal+0x1fb/0x2a0 [bnxt_en]
    Code: c2 66 83 4e 22 08 66 89 46 1c e8 10 cb 00 00 41 83 c6 01 44 39 b3 68 01 00 00 0f 8e a3 00 00 00 48 8b 93 c8 00 00 00 49 63 c6 <48> 8b 2c c2 48 8b 85 b8 02 00 00 48 85 c0 74 2e 48 8b 74 24 08 f6
    RSP: 0018:ffffb11c8dcaba50 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff8d168a8b0ac0 RCX: 00000000000000c5
    RDX: 0000000000000000 RSI: ffff8d162f72c000 RDI: ffff8d168a8b0b28
    RBP: 0000000000000000 R08: b6e1f68a12e9a7eb R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000037 R12: ffff8d168a8b109c
    R13: ffff8d168a8b10aa R14: 0000000000000000 R15: ffffffffc01ac4e0
    FS:  00007f3852e4c740(0000) GS:ffff8d24c0080000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 000000041b3ee003 CR4: 00000000007706e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
     ethnl_set_coalesce+0x3ce/0x4c0
     genl_family_rcv_msg_doit.isra.15+0x10f/0x150
     genl_family_rcv_msg+0xb3/0x160
     ? coalesce_fill_reply+0x480/0x480
     genl_rcv_msg+0x47/0x90
     ? genl_family_rcv_msg+0x160/0x160
     netlink_rcv_skb+0x4c/0x120
     genl_rcv+0x24/0x40
     netlink_unicast+0x196/0x230
     netlink_sendmsg+0x204/0x3d0
     sock_sendmsg+0x4c/0x50
     __sys_sendto+0xee/0x160
     ? syscall_trace_enter+0x1d3/0x2c0
     ? __audit_syscall_exit+0x249/0x2a0
     __x64_sys_sendto+0x24/0x30
     do_syscall_64+0x5b/0x1a0
     entry_SYSCALL_64_after_hwframe+0x65/0xca
    RIP: 0033:0x7f38524163bb
    
    Fixes: 2151fe0830fd ("bnxt_en: Handle RESET_NOTIFY async event from firmware.")
    Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer [+ + +]
Author: Alex Barba <alex.barba@broadcom.com>
Date:   Thu Nov 3 19:33:27 2022 -0400

    bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer
    
    [ Upstream commit 02597d39145bb0aa81d04bf39b6a913ce9a9d465 ]
    
    In the bnxt_en driver ndo_rx_flow_steer returns '0' whenever an entry
    that we are attempting to steer is already found.  This is not the
    correct behavior.  The return code should be the value/index that
    corresponds to the entry.  Returning zero all the time causes the
    RFS records to be incorrect unless entry '0' is the correct one.  As
    flows migrate to different cores this can create entries that are not
    correct.
    
    Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
    Reported-by: Akshay Navgire <anavgire@purestorage.com>
    Signed-off-by: Alex Barba <alex.barba@broadcom.com>
    Signed-off-by: Andy Gospodarek <gospo@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf, sock_map: Move cancel_work_sync() out of sock lock [+ + +]
Author: Cong Wang <cong.wang@bytedance.com>
Date:   Tue Nov 1 21:34:17 2022 -0700

    bpf, sock_map: Move cancel_work_sync() out of sock lock
    
    [ Upstream commit 8bbabb3fddcd0f858be69ed5abc9b470a239d6f2 ]
    
    Stanislav reported a lockdep warning, which is caused by the
    cancel_work_sync() called inside sock_map_close(), as analyzed
    below by Jakub:
    
    psock->work.func = sk_psock_backlog()
      ACQUIRE psock->work_mutex
        sk_psock_handle_skb()
          skb_send_sock()
            __skb_send_sock()
              sendpage_unlocked()
                kernel_sendpage()
                  sock->ops->sendpage = inet_sendpage()
                    sk->sk_prot->sendpage = tcp_sendpage()
                      ACQUIRE sk->sk_lock
                        tcp_sendpage_locked()
                      RELEASE sk->sk_lock
      RELEASE psock->work_mutex
    
    sock_map_close()
      ACQUIRE sk->sk_lock
      sk_psock_stop()
        sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED)
        cancel_work_sync()
          __cancel_work_timer()
            __flush_work()
              // wait for psock->work to finish
      RELEASE sk->sk_lock
    
    We can move the cancel_work_sync() out of the sock lock protection,
    but still before saved_close() was called.
    
    Fixes: 799aa7f98d53 ("skmsg: Avoid lock_sock() in sk_psock_backlog()")
    Reported-by: Stanislav Fomichev <sdf@google.com>
    Signed-off-by: Cong Wang <cong.wang@bytedance.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
    Acked-by: John Fastabend <john.fastabend@gmail.com>
    Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
    Link: https://lore.kernel.org/bpf/20221102043417.279409-1-xiyou.wangcong@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues [+ + +]
Author: Wang Yufen <wangyufen@huawei.com>
Date:   Tue May 24 15:53:11 2022 +0800

    bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues
    
    [ Upstream commit d8616ee2affcff37c5d315310da557a694a3303d ]
    
    During TCP sockmap redirect pressure test, the following warning is triggered:
    
    WARNING: CPU: 3 PID: 2145 at net/core/stream.c:205 sk_stream_kill_queues+0xbc/0xd0
    CPU: 3 PID: 2145 Comm: iperf Kdump: loaded Tainted: G        W         5.10.0+ #9
    Call Trace:
     inet_csk_destroy_sock+0x55/0x110
     inet_csk_listen_stop+0xbb/0x380
     tcp_close+0x41b/0x480
     inet_release+0x42/0x80
     __sock_release+0x3d/0xa0
     sock_close+0x11/0x20
     __fput+0x9d/0x240
     task_work_run+0x62/0x90
     exit_to_user_mode_prepare+0x110/0x120
     syscall_exit_to_user_mode+0x27/0x190
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    The reason we observed is that:
    
    When the listener is closing, a connection may have completed the three-way
    handshake but not accepted, and the client has sent some packets. The child
    sks in accept queue release by inet_child_forget()->inet_csk_destroy_sock(),
    but psocks of child sks have not released.
    
    To fix, add sock_map_destroy to release psocks.
    
    Signed-off-by: Wang Yufen <wangyufen@huawei.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
    Acked-by: John Fastabend <john.fastabend@gmail.com>
    Link: https://lore.kernel.org/bpf/20220524075311.649153-1-wangyufen@huawei.com
    Stable-dep-of: 8bbabb3fddcd ("bpf, sock_map: Move cancel_work_sync() out of sock lock")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues [+ + +]
Author: Wang Yufen <wangyufen@huawei.com>
Date:   Tue Nov 1 09:31:36 2022 +0800

    bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues
    
    [ Upstream commit 8ec95b94716a1e4d126edc3fb2bc426a717e2dba ]
    
    When running `test_sockmap` selftests, the following warning appears:
    
      WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0
      Call Trace:
      <TASK>
      inet_csk_destroy_sock+0x55/0x110
      tcp_rcv_state_process+0xd28/0x1380
      ? tcp_v4_do_rcv+0x77/0x2c0
      tcp_v4_do_rcv+0x77/0x2c0
      __release_sock+0x106/0x130
      __tcp_close+0x1a7/0x4e0
      tcp_close+0x20/0x70
      inet_release+0x3c/0x80
      __sock_release+0x3a/0xb0
      sock_close+0x14/0x20
      __fput+0xa3/0x260
      task_work_run+0x59/0xb0
      exit_to_user_mode_prepare+0x1b3/0x1c0
      syscall_exit_to_user_mode+0x19/0x50
      do_syscall_64+0x48/0x90
      entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    The root case is in commit 84472b436e76 ("bpf, sockmap: Fix more uncharged
    while msg has more_data"), where I used msg->sg.size to replace the tosend,
    causing breakage:
    
      if (msg->apply_bytes && msg->apply_bytes < tosend)
        tosend = psock->apply_bytes;
    
    Fixes: 84472b436e76 ("bpf, sockmap: Fix more uncharged while msg has more_data")
    Reported-by: Jakub Sitnicki <jakub@cloudflare.com>
    Signed-off-by: Wang Yufen <wangyufen@huawei.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: John Fastabend <john.fastabend@gmail.com>
    Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
    Link: https://lore.kernel.org/bpf/1667266296-8794-1-git-send-email-wangyufen@huawei.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf, verifier: Fix memory leak in array reallocation for stack state [+ + +]
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Oct 28 19:54:30 2022 -0700

    bpf, verifier: Fix memory leak in array reallocation for stack state
    
    [ Upstream commit 42378a9ca55347102bbf86708776061d8fe3ece2 ]
    
    If an error (NULL) is returned by krealloc(), callers of realloc_array()
    were setting their allocation pointers to NULL, but on error krealloc()
    does not touch the original allocation. This would result in a memory
    resource leak. Instead, free the old allocation on the error handling
    path.
    
    The memory leak information is as follows as also reported by Zhengchao:
    
      unreferenced object 0xffff888019801800 (size 256):
      comm "bpf_repo", pid 6490, jiffies 4294959200 (age 17.170s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0
        [<0000000086712a0b>] krealloc+0x83/0xd0
        [<00000000139aab02>] realloc_array+0x82/0xe2
        [<00000000b1ca41d1>] grow_stack_state+0xfb/0x186
        [<00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341
        [<0000000081780455>] do_check_common+0x5358/0xb350
        [<0000000015f6b091>] bpf_check.cold+0xc3/0x29d
        [<000000002973c690>] bpf_prog_load+0x13db/0x2240
        [<00000000028d1644>] __sys_bpf+0x1605/0x4ce0
        [<00000000053f29bd>] __x64_sys_bpf+0x75/0xb0
        [<0000000056fedaf5>] do_syscall_64+0x35/0x80
        [<000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Fixes: c69431aab67a ("bpf: verifier: Improve function state reallocation")
    Reported-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Reported-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: Bill Wendling <morbo@google.com>
    Cc: Lorenz Bauer <oss@lmb.io>
    Link: https://lore.kernel.org/bpf/20221029025433.2533810-1-keescook@chromium.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf: Add helper macro bpf_for_each_reg_in_vstate [+ + +]
Author: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Date:   Sun Sep 4 22:41:28 2022 +0200

    bpf: Add helper macro bpf_for_each_reg_in_vstate
    
    [ Upstream commit b239da34203f49c40b5d656220c39647c3ff0b3c ]
    
    For a lot of use cases in future patches, we will want to modify the
    state of registers part of some same 'group' (e.g. same ref_obj_id). It
    won't just be limited to releasing reference state, but setting a type
    flag dynamically based on certain actions, etc.
    
    Hence, we need a way to easily pass a callback to the function that
    iterates over all registers in current bpf_verifier_state in all frames
    upto (and including) the curframe.
    
    While in C++ we would be able to easily use a lambda to pass state and
    the callback together, sadly we aren't using C++ in the kernel. The next
    best thing to avoid defining a function for each case seems like
    statement expressions in GNU C. The kernel already uses them heavily,
    hence they can passed to the macro in the style of a lambda. The
    statement expression will then be substituted in the for loop bodies.
    
    Variables __state and __reg are set to current bpf_func_state and reg
    for each invocation of the expression inside the passed in verifier
    state.
    
    Then, convert mark_ptr_or_null_regs, clear_all_pkt_pointers,
    release_reference, find_good_pkt_pointers, find_equal_scalars to
    use bpf_for_each_reg_in_vstate.
    
    Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
    Link: https://lore.kernel.org/r/20220904204145.3089-16-memxor@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Stable-dep-of: f1db20814af5 ("bpf: Fix wrong reg type conversion in release_reference()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bpf: Fix sockmap calling sleepable function in teardown path [+ + +]
Author: John Fastabend <john.fastabend@gmail.com>
Date:   Mon Jun 27 20:58:03 2022 -0700

    bpf: Fix sockmap calling sleepable function in teardown path
    
    [ Upstream commit 697fb80a53642be624f5121b6ca9d66769c180e0 ]
    
    syzbot reproduced the bug ...
    
     BUG: sleeping function called from invalid context at kernel/workqueue.c:3010
    
    ... with the following stack trace fragment ...
    
     start_flush_work kernel/workqueue.c:3010 [inline]
     __flush_work+0x109/0xb10 kernel/workqueue.c:3074
     __cancel_work_timer+0x3f9/0x570 kernel/workqueue.c:3162
     sk_psock_stop+0x4cb/0x630 net/core/skmsg.c:802
     sock_map_destroy+0x333/0x760 net/core/sock_map.c:1581
     inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1130
     __tcp_close+0xd5b/0x12b0 net/ipv4/tcp.c:2897
     tcp_close+0x29/0xc0 net/ipv4/tcp.c:2909
    
    ... introduced by d8616ee2affc. Do a quick trace of the code path and the
    bug is obvious:
    
       inet_csk_destroy_sock(sk)
         sk_prot->destroy(sk);      <--- sock_map_destroy
            sk_psock_stop(, true);   <--- true so cancel workqueue
              cancel_work_sync()     <--- splat, because *_bh_disable()
    
    We can not call cancel_work_sync() from inside destroy path. So mark
    the sk_psock_stop call to skip this cancel_work_sync(). This will avoid
    the BUG, but means we may run sk_psock_backlog after or during the
    destroy op. We zapped the ingress_skb queue in sk_psock_stop (safe to
    do with local_bh_disable) so its empty and the sk_psock_backlog work
    item will not find any pkts to process here. However, because we are
    not going to wait for it or clear its ->state its possible it kicks off
    or is already running. This should be 'safe' up until psock drops its
    refcnt to psock->sk. The sock_put() that drops this reference is only
    done at psock destroy time from sk_psock_destroy(). This is done through
    workqueue when sk_psock_drop() is called on psock refnt reaches 0.
    And importantly sk_psock_destroy() does a cancel_work_sync(). So trivial
    fix works.
    
    I've had hit or miss luck reproducing this caught it once or twice with
    the provided reproducer when running with many runners. However, syzkaller
    is very good at reproducing so relying on syzkaller to verify fix.
    
    Fixes: d8616ee2affc ("bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues")
    Reported-by: syzbot+140186ceba0c496183bc@syzkaller.appspotmail.com
    Suggested-by: Hillf Danton <hdanton@sina.com>
    Signed-off-by: John Fastabend <john.fastabend@gmail.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Wang Yufen <wangyufen@huawei.com>
    Link: https://lore.kernel.org/bpf/20220628035803.317876-1-john.fastabend@gmail.com
    Stable-dep-of: 8bbabb3fddcd ("bpf, sock_map: Move cancel_work_sync() out of sock lock")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bpf: Fix wrong reg type conversion in release_reference() [+ + +]
Author: Youlin Li <liulin063@gmail.com>
Date:   Thu Nov 3 17:34:39 2022 +0800

    bpf: Fix wrong reg type conversion in release_reference()
    
    [ Upstream commit f1db20814af532f85e091231223e5e4818e8464b ]
    
    Some helper functions will allocate memory. To avoid memory leaks, the
    verifier requires the eBPF program to release these memories by calling
    the corresponding helper functions.
    
    When a resource is released, all pointer registers corresponding to the
    resource should be invalidated. The verifier use release_references() to
    do this job, by apply  __mark_reg_unknown() to each relevant register.
    
    It will give these registers the type of SCALAR_VALUE. A register that
    will contain a pointer value at runtime, but of type SCALAR_VALUE, which
    may allow the unprivileged user to get a kernel pointer by storing this
    register into a map.
    
    Using __mark_reg_not_init() while NOT allow_ptr_leaks can mitigate this
    problem.
    
    Fixes: fd978bf7fd31 ("bpf: Add reference tracking to verifier")
    Signed-off-by: Youlin Li <liulin063@gmail.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/bpf/20221103093440.3161-1-liulin063@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpftool: Fix NULL pointer dereference when pin {PROG, MAP, LINK} without FILE [+ + +]
Author: Pu Lehui <pulehui@huawei.com>
Date:   Wed Nov 2 16:40:34 2022 +0800

    bpftool: Fix NULL pointer dereference when pin {PROG, MAP, LINK} without FILE
    
    [ Upstream commit 34de8e6e0e1f66e431abf4123934a2581cb5f133 ]
    
    When using bpftool to pin {PROG, MAP, LINK} without FILE,
    segmentation fault will occur. The reson is that the lack
    of FILE will cause strlen to trigger NULL pointer dereference.
    The corresponding stacktrace is shown below:
    
    do_pin
      do_pin_any
        do_pin_fd
          mount_bpffs_for_pin
            strlen(name) <- NULL pointer dereference
    
    Fix it by adding validation to the common process.
    
    Fixes: 75a1e792c335 ("tools: bpftool: Allow all prog/map handles for pinning objects")
    Signed-off-by: Pu Lehui <pulehui@huawei.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: Quentin Monnet <quentin@isovalent.com>
    Link: https://lore.kernel.org/bpf/20221102084034.3342995-1-pulehui@huaweicloud.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
btrfs: fix match incorrectly in dev_args_match_device [+ + +]
Author: Liu Shixin <liushixin2@huawei.com>
Date:   Thu Nov 3 16:33:01 2022 +0800

    btrfs: fix match incorrectly in dev_args_match_device
    
    commit 0fca385d6ebc3cabb20f67bcf8a71f1448bdc001 upstream.
    
    syzkaller found a failed assertion:
    
      assertion failed: (args->devid != (u64)-1) || args->missing, in fs/btrfs/volumes.c:6921
    
    This can be triggered when we set devid to (u64)-1 by ioctl. In this
    case, the match of devid will be skipped and the match of device may
    succeed incorrectly.
    
    Patch 562d7b1512f7 introduced this function which is used to match device.
    This function contains two matching scenarios, we can distinguish them by
    checking the value of args->missing rather than check whether args->devid
    and args->uuid is default value.
    
    Reported-by: syzbot+031687116258450f9853@syzkaller.appspotmail.com
    Fixes: 562d7b1512f7 ("btrfs: handle device lookup with btrfs_dev_lookup_args")
    CC: stable@vger.kernel.org # 5.16+
    Reviewed-by: Nikolay Borisov <nborisov@suse.com>
    Signed-off-by: Liu Shixin <liushixin2@huawei.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: selftests: fix wrong error check in btrfs_free_dummy_root() [+ + +]
Author: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Date:   Tue Nov 1 10:53:54 2022 +0800

    btrfs: selftests: fix wrong error check in btrfs_free_dummy_root()
    
    commit 9b2f20344d450137d015b380ff0c2e2a6a170135 upstream.
    
    The btrfs_alloc_dummy_root() uses ERR_PTR as the error return value
    rather than NULL, if error happened, there will be a NULL pointer
    dereference:
    
      BUG: KASAN: null-ptr-deref in btrfs_free_dummy_root+0x21/0x50 [btrfs]
      Read of size 8 at addr 000000000000002c by task insmod/258926
    
      CPU: 2 PID: 258926 Comm: insmod Tainted: G        W          6.1.0-rc2+ #5
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
      Call Trace:
       <TASK>
       dump_stack_lvl+0x34/0x44
       kasan_report+0xb7/0x140
       kasan_check_range+0x145/0x1a0
       btrfs_free_dummy_root+0x21/0x50 [btrfs]
       btrfs_test_free_space_cache+0x1a8c/0x1add [btrfs]
       btrfs_run_sanity_tests+0x65/0x80 [btrfs]
       init_btrfs_fs+0xec/0x154 [btrfs]
       do_one_initcall+0x87/0x2a0
       do_init_module+0xdf/0x320
       load_module+0x3006/0x3390
       __do_sys_finit_module+0x113/0x1b0
       do_syscall_64+0x35/0x80
     entry_SYSCALL_64_after_hwframe+0x46/0xb0
    
    Fixes: aaedb55bc08f ("Btrfs: add tests for btrfs_get_extent")
    CC: stable@vger.kernel.org # 4.9+
    Reviewed-by: Anand Jain <anand.jain@oracle.com>
    Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: zoned: initialize device's zone info for seeding [+ + +]
Author: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Date:   Fri Nov 4 07:12:34 2022 -0700

    btrfs: zoned: initialize device's zone info for seeding
    
    commit a8d1b1647bf8244a5f270538e9e636e2657fffa3 upstream.
    
    When performing seeding on a zoned filesystem it is necessary to
    initialize each zoned device's btrfs_zoned_device_info structure,
    otherwise mounting the filesystem will cause a NULL pointer dereference.
    
    This was uncovered by fstests' testcase btrfs/163.
    
    CC: stable@vger.kernel.org # 5.15+
    Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
can: af_can: fix NULL pointer dereference in can_rx_register() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Fri Oct 28 16:56:50 2022 +0800

    can: af_can: fix NULL pointer dereference in can_rx_register()
    
    [ Upstream commit 8aa59e355949442c408408c2d836e561794c40a1 ]
    
    It causes NULL pointer dereference when testing as following:
    (a) use syscall(__NR_socket, 0x10ul, 3ul, 0) to create netlink socket.
    (b) use syscall(__NR_sendmsg, ...) to create bond link device and vxcan
        link device, and bind vxcan device to bond device (can also use
        ifenslave command to bind vxcan device to bond device).
    (c) use syscall(__NR_socket, 0x1dul, 3ul, 1) to create CAN socket.
    (d) use syscall(__NR_bind, ...) to bind the bond device to CAN socket.
    
    The bond device invokes the can-raw protocol registration interface to
    receive CAN packets. However, ml_priv is not allocated to the dev,
    dev_rcv_lists is assigned to NULL in can_rx_register(). In this case,
    it will occur the NULL pointer dereference issue.
    
    The following is the stack information:
    BUG: kernel NULL pointer dereference, address: 0000000000000008
    PGD 122a4067 P4D 122a4067 PUD 1223c067 PMD 0
    Oops: 0000 [#1] PREEMPT SMP
    RIP: 0010:can_rx_register+0x12d/0x1e0
    Call Trace:
    <TASK>
    raw_enable_filters+0x8d/0x120
    raw_enable_allfilters+0x3b/0x130
    raw_bind+0x118/0x4f0
    __sys_bind+0x163/0x1a0
    __x64_sys_bind+0x1e/0x30
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    </TASK>
    
    Fixes: 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Reviewed-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Link: https://lore.kernel.org/all/20221028085650.170470-1-shaozhengchao@huawei.com
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

can: j1939: j1939_send_one(): fix missing CAN header initialization [+ + +]
Author: Oliver Hartkopp <socketcan@hartkopp.net>
Date:   Fri Nov 4 08:50:00 2022 +0100

    can: j1939: j1939_send_one(): fix missing CAN header initialization
    
    commit 3eb3d283e8579a22b81dd2ac3987b77465b2a22f upstream.
    
    The read access to struct canxl_frame::len inside of a j1939 created
    skbuff revealed a missing initialization of reserved and later filled
    elements in struct can_frame.
    
    This patch initializes the 8 byte CAN header with zero.
    
    Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
    Cc: Oleksij Rempel <o.rempel@pengutronix.de>
    Link: https://lore.kernel.org/linux-can/20221104052235.GA6474@pengutronix.de
    Reported-by: syzbot+d168ec0caca4697e03b1@syzkaller.appspotmail.com
    Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Link: https://lore.kernel.org/all/20221104075000.105414-1-socketcan@hartkopp.net
    Cc: stable@vger.kernel.org
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
capabilities: fix undefined behavior in bit shift for CAP_TO_MASK [+ + +]
Author: Gaosheng Cui <cuigaosheng1@huawei.com>
Date:   Mon Oct 31 19:25:36 2022 +0800

    capabilities: fix undefined behavior in bit shift for CAP_TO_MASK
    
    [ Upstream commit 46653972e3ea64f79e7f8ae3aa41a4d3fdb70a13 ]
    
    Shifting signed 32-bit value by 31 bits is undefined, so changing
    significant bit to unsigned. The UBSAN warning calltrace like below:
    
    UBSAN: shift-out-of-bounds in security/commoncap.c:1252:2
    left shift of 1 by 31 places cannot be represented in type 'int'
    Call Trace:
     <TASK>
     dump_stack_lvl+0x7d/0xa5
     dump_stack+0x15/0x1b
     ubsan_epilogue+0xe/0x4e
     __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
     cap_task_prctl+0x561/0x6f0
     security_task_prctl+0x5a/0xb0
     __x64_sys_prctl+0x61/0x8f0
     do_syscall_64+0x58/0x80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
     </TASK>
    
    Fixes: e338d263a76a ("Add 64-bit capability support to the kernel")
    Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
    Acked-by: Andrew G. Morgan <morgan@kernel.org>
    Reviewed-by: Serge Hallyn <serge@hallyn.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
cert host tools: Stop complaining about deprecated OpenSSL functions [+ + +]
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Jun 8 13:18:39 2022 -0700

    cert host tools: Stop complaining about deprecated OpenSSL functions
    
    commit 6bfb56e93bcef41859c2d5ab234ffd80b691be35 upstream.
    
    OpenSSL 3.0 deprecated the OpenSSL's ENGINE API.  That is as may be, but
    the kernel build host tools still use it.  Disable the warning about
    deprecated declarations until somebody who cares fixes it.
    
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
cxgb4vf: shut down the adapter when t4vf_update_port_info() failed in cxgb4vf_open() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Wed Nov 9 09:21:00 2022 +0800

    cxgb4vf: shut down the adapter when t4vf_update_port_info() failed in cxgb4vf_open()
    
    [ Upstream commit c6092ea1e6d7bd12acd881f6aa2b5054cd70e096 ]
    
    When t4vf_update_port_info() failed in cxgb4vf_open(), resources applied
    during adapter goes up are not cleared. Fix it. Only be compiled, not be
    tested.
    
    Fixes: 18d79f721e0a ("cxgb4vf: Update port information in cxgb4vf_open()")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Link: https://lore.kernel.org/r/20221109012100.99132-1-shaozhengchao@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
dmaengine: at_hdmac: Check return code of dma_async_device_register [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:49 2022 +0300

    dmaengine: at_hdmac: Check return code of dma_async_device_register
    
    commit c47e6403fa099f200868d6b106701cb42d181d2b upstream.
    
    dma_async_device_register() can fail, check the return code and display an
    error.
    
    Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-16-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Do not call the complete callback on device_terminate_all [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:39 2022 +0300

    dmaengine: at_hdmac: Do not call the complete callback on device_terminate_all
    
    commit f645f85ae1104f8bd882f962ac0a69a1070076dd upstream.
    
    The method was wrong because it violated the dmaengine API. For aborted
    transfers the complete callback should not be called. Fix the behavior and
    do not call the complete callback on device_terminate_all.
    
    Fixes: 808347f6a317 ("dmaengine: at_hdmac: add DMA slave transfers")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-6-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Don't allow CPU to reorder channel enable [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:47 2022 +0300

    dmaengine: at_hdmac: Don't allow CPU to reorder channel enable
    
    commit 580ee84405c27d6ed419abe4d2b3de1968abdafd upstream.
    
    at_hdmac uses __raw_writel for register writes. In the absence of a
    barrier, the CPU may reorder the register operations.
    Introduce a write memory barrier so that the CPU does not reorder the
    channel enable, thus the start of the transfer, without making sure that
    all the pre-required register fields are already written.
    
    Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-14-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Don't start transactions at tx_submit level [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:36 2022 +0300

    dmaengine: at_hdmac: Don't start transactions at tx_submit level
    
    commit 7176a6a8982d311e50a7c1168868d26e65bbba19 upstream.
    
    tx_submit is supposed to push the current transaction descriptor to a
    pending queue, waiting for issue_pending() to be called. issue_pending()
    must start the transfer, not tx_submit(), thus remove atc_dostart() from
    atc_tx_submit(). Clients of at_xdmac that assume that tx_submit() starts
    the transfer must be updated and call dma_async_issue_pending() if they
    miss to call it.
    The vdbg print was moved to after the lock is released. It is desirable to
    do the prints without the lock held if possible, and because the if
    statement disappears there's no reason why to do the print while holding
    the lock.
    
    Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-3-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Fix at_lli struct definition [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:35 2022 +0300

    dmaengine: at_hdmac: Fix at_lli struct definition
    
    commit f1171bbdd2ba2a50ee64bb198a78c268a5baf5f1 upstream.
    
    Those hardware registers are all of 32 bits, while dma_addr_t ca be of
    type u64 or u32 depending on CONFIG_ARCH_DMA_ADDR_T_64BIT. Force u32 to
    comply with what the hardware expects.
    
    Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-2-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Fix completion of unissued descriptor in case of errors [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:46 2022 +0300

    dmaengine: at_hdmac: Fix completion of unissued descriptor in case of errors
    
    commit ef2cb4f0ce479f77607b04c4b0414bf32f863ee8 upstream.
    
    In case the controller detected an error, the code took the chance to move
    all the queued (submitted) descriptors to the active (issued) list. This
    was wrong as if there were any descriptors in the submitted list they were
    moved to the issued list without actually issuing them to the controller,
    thus a completion could be raised without even fireing the descriptor.
    
    Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-13-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Fix concurrency over descriptor [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:42 2022 +0300

    dmaengine: at_hdmac: Fix concurrency over descriptor
    
    commit 06988949df8c3007ad82036d3606d8ae72ed9000 upstream.
    
    The descriptor was added to the free_list before calling the callback,
    which could result in reissuing of the same descriptor and calling of a
    single callback for both. Move the decriptor to the free list after the
    callback is invoked.
    
    Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-9-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Fix concurrency over the active list [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:44 2022 +0300

    dmaengine: at_hdmac: Fix concurrency over the active list
    
    commit 03ed9ba357cc78116164b90b87f45eacab60b561 upstream.
    
    The tasklet (atc_advance_work()) did not held the channel lock when
    retrieving the first active descriptor, causing concurrency problems if
    issue_pending() was called in between. If issue_pending() was called
    exactly after the lock was released in the tasklet (atc_advance_work()),
    atc_chain_complete() could complete a descriptor for which the controller
    has not yet raised an interrupt.
    
    Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-11-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Fix concurrency problems by removing atc_complete_all() [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:41 2022 +0300

    dmaengine: at_hdmac: Fix concurrency problems by removing atc_complete_all()
    
    commit c6babed879fbe82796a601bf097649e07382db46 upstream.
    
    atc_complete_all() had concurrency bugs, thus remove it:
    1/ atc_complete_all() in its entirety was buggy, as when the atchan->queue
    list (the one that contains descriptors that are not yet issued to the
    hardware) contained descriptors, it fired just the first from the
    atchan->queue, but moved all the desc from atchan->queue to
    atchan->active_list and considered them all as fired. This could result in
    calling the completion of a descriptor that was not yet issued to the
    hardware.
    2/ when in tasklet at atc_advance_work() time, atchan->active_list was
    queried without holding the lock of the chan. This can result in
    atchan->active_list concurrency problems between the tasklet and
    issue_pending().
    
    Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-8-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Fix descriptor handling when issuing it to hardware [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:45 2022 +0300

    dmaengine: at_hdmac: Fix descriptor handling when issuing it to hardware
    
    commit ba2423633ba646e1df20e30cb3cf35495c16f173 upstream.
    
    As it was before, the descriptor was issued to the hardware without adding
    it to the active (issued) list. This could result in a completion of other
    descriptor, or/and in the descriptor never being completed.
    
    Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-12-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Fix impossible condition [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:48 2022 +0300

    dmaengine: at_hdmac: Fix impossible condition
    
    commit 28cbe5a0a46a6637adbda52337d7b2777fc04027 upstream.
    
    The iterator can not be greater than ATC_MAX_DSCR_TRIALS, as the for loop
    will stop when i == ATC_MAX_DSCR_TRIALS. While here, use the common "i"
    name for the iterator.
    
    Fixes: 93dce3a6434f ("dmaengine: at_hdmac: fix residue computation")
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-15-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Fix premature completion of desc in issue_pending [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:38 2022 +0300

    dmaengine: at_hdmac: Fix premature completion of desc in issue_pending
    
    commit fcd37565efdaffeac179d0f0ce980ac79bfdf569 upstream.
    
    Multiple calls to atc_issue_pending() could result in a premature
    completion of a descriptor from the atchan->active list, as the method
    always completed the first active descriptor from the list. Instead,
    issue_pending() should just take the first transaction descriptor from the
    pending queue, move it to active_list and start the transfer.
    
    Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-5-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Free the memset buf without holding the chan lock [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:43 2022 +0300

    dmaengine: at_hdmac: Free the memset buf without holding the chan lock
    
    commit 6ba826cbb57d675f447b59323204d1473bbd5593 upstream.
    
    There's no need to hold the channel lock when freeing the memset buf, as
    the operation has already completed. Free the memset buf without holding
    the channel lock.
    
    Fixes: 4d112426c344 ("dmaengine: hdmac: Add memset capabilities")
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-10-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Protect atchan->status with the channel lock [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:40 2022 +0300

    dmaengine: at_hdmac: Protect atchan->status with the channel lock
    
    commit 6e5ad28d16f082efeae3d0bd2e31f24bed218019 upstream.
    
    Now that the complete callback call was removed from
    device_terminate_all(), we can protect the atchan->status with the channel
    lock. The atomic bitops on atchan->status do not substitute proper locking
    on the status, as one could still modify the status after the lock was
    dropped in atc_terminate_all() but before the atomic bitops were executed.
    
    Fixes: 078a6506141a ("dmaengine: at_hdmac: Fix deadlocks")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-7-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: at_hdmac: Start transfer for cyclic channels in issue_pending [+ + +]
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Oct 25 12:02:37 2022 +0300

    dmaengine: at_hdmac: Start transfer for cyclic channels in issue_pending
    
    commit 8a47221fc28417ff8a32a4f92d4448a56c3cf7e1 upstream.
    
    Cyclic channels must too call issue_pending in order to start a transfer.
    Start the transfer in issue_pending regardless of the type of channel.
    This wrongly worked before, because in the past the transfer was started
    at tx_submit level when only a desc in the transfer list.
    
    Fixes: 53830cc75974 ("dmaengine: at_hdmac: add cyclic DMA operation support")
    Reported-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
    Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
    Link: https://lore.kernel.org/r/20221025090306.297886-4-tudor.ambarus@microchip.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove() [+ + +]
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Mon Oct 24 21:50:09 2022 +0200

    dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove()
    
    [ Upstream commit 081195d17a0c4c636da2b869bd5809d42e8cbb13 ]
    
    A clk_prepare_enable() call in the probe is not balanced by a corresponding
    clk_disable_unprepare() in the remove function.
    
    Add the missing call.
    
    Fixes: 3cd2c313f1d6 ("dmaengine: mv_xor_v2: Fix clock resource by adding a register clock")
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Link: https://lore.kernel.org/r/e9e3837a680c9bd2438e4db2b83270c6c052d005.1666640987.git.christophe.jaillet@wanadoo.fr
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

dmaengine: pxa_dma: use platform_get_irq_optional [+ + +]
Author: Doug Brown <doug@schmorgal.com>
Date:   Mon Sep 5 17:07:09 2022 -0700

    dmaengine: pxa_dma: use platform_get_irq_optional
    
    [ Upstream commit b3d726cb8497c6b12106fd617d46eef11763ea86 ]
    
    The first IRQ is required, but IRQs 1 through (nb_phy_chans - 1) are
    optional, because on some platforms (e.g. PXA168) there is a single IRQ
    shared between all channels.
    
    This change inhibits a flood of "IRQ index # not found" messages at
    startup. Tested on a PXA168-based device.
    
    Fixes: 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()")
    Signed-off-by: Doug Brown <doug@schmorgal.com>
    Link: https://lore.kernel.org/r/20220906000709.52705-1-doug@schmorgal.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

dmaengine: ti: k3-udma-glue: fix memory leak when register device fail [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Thu Oct 20 14:28:27 2022 +0800

    dmaengine: ti: k3-udma-glue: fix memory leak when register device fail
    
    [ Upstream commit ac2b9f34f02052709aea7b34bb2a165e1853eb41 ]
    
    If device_register() fails, it should call put_device() to give
    up reference, the name allocated in dev_set_name() can be freed
    in callback function kobject_cleanup().
    
    Fixes: 5b65781d06ea ("dmaengine: ti: k3-udma-glue: Add support for K3 PKTDMA")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
    Link: https://lore.kernel.org/r/20221020062827.2914148-1-yangyingliang@huawei.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drivers: net: xgene: disable napi when register irq failed in xgene_enet_open() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Mon Nov 7 12:30:32 2022 +0800

    drivers: net: xgene: disable napi when register irq failed in xgene_enet_open()
    
    [ Upstream commit ce9e57feeed81d17d5e80ed86f516ff0d39c3867 ]
    
    When failed to register irq in xgene_enet_open() for opening device,
    napi isn't disabled. When open xgene device next time, it will reports
    a invalid opcode issue. Fix it. Only be compiled, not be tested.
    
    Fixes: aeb20b6b3f4e ("drivers: net: xgene: fix: ifconfig up/down crash")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Link: https://lore.kernel.org/r/20221107043032.357673-1-shaozhengchao@huawei.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/amdgpu: disable BACO on special BEIGE_GOBY card [+ + +]
Author: Guchun Chen <guchun.chen@amd.com>
Date:   Mon Nov 7 16:46:59 2022 +0800

    drm/amdgpu: disable BACO on special BEIGE_GOBY card
    
    commit 0c85c067c9d9d7a1b2cc2e01a236d5d0d4a872b5 upstream.
    
    Still avoid intermittent failure.
    
    Signed-off-by: Guchun Chen <guchun.chen@amd.com>
    Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
    Acked-by: Evan Quan <evan.quan@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/amdkfd: avoid recursive lock in migrations back to RAM [+ + +]
Author: Alex Sierra <alex.sierra@amd.com>
Date:   Fri Oct 29 13:30:40 2021 -0500

    drm/amdkfd: avoid recursive lock in migrations back to RAM
    
    [ Upstream commit a6283010e2907a5576f96b839e1a1c82659f137c ]
    
    [Why]:
    When we call hmm_range_fault to map memory after a migration, we don't
    expect memory to be migrated again as a result of hmm_range_fault. The
    driver ensures that all memory is in GPU-accessible locations so that
    no migration should be needed. However, there is one corner case where
    hmm_range_fault can unexpectedly cause a migration from DEVICE_PRIVATE
    back to system memory due to a write-fault when a system memory page in
    the same range was mapped read-only (e.g. COW). Ranges with individual
    pages in different locations are usually the result of failed page
    migrations (e.g. page lock contention). The unexpected migration back
    to system memory causes a deadlock from recursive locking in our
    driver.
    
    [How]:
    Creating a task reference new member under svm_range_list struct.
    Setting this with "current" reference, right before the hmm_range_fault
    is called. This member is checked against "current" reference at
    svm_migrate_to_ram callback function. If equal, the migration will be
    ignored.
    
    Signed-off-by: Alex Sierra <alex.sierra@amd.com>
    Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Stable-dep-of: 5b994354af3c ("drm/amdkfd: Fix NULL pointer dereference in svm_migrate_to_ram()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdkfd: Fix NULL pointer dereference in svm_migrate_to_ram() [+ + +]
Author: Yang Li <yang.lee@linux.alibaba.com>
Date:   Wed Oct 26 10:00:54 2022 +0800

    drm/amdkfd: Fix NULL pointer dereference in svm_migrate_to_ram()
    
    [ Upstream commit 5b994354af3cab770bf13386469c5725713679af ]
    
    ./drivers/gpu/drm/amd/amdkfd/kfd_migrate.c:985:58-62: ERROR: p is NULL but dereferenced.
    
    Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2549
    Reported-by: Abaci Robot <abaci@linux.alibaba.com>
    Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
    Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdkfd: handle CPU fault on COW mapping [+ + +]
Author: Philip Yang <Philip.Yang@amd.com>
Date:   Wed Sep 7 12:30:12 2022 -0400

    drm/amdkfd: handle CPU fault on COW mapping
    
    [ Upstream commit e1f84eef313f4820cca068a238c645d0a38c6a9b ]
    
    If CPU page fault in a page with zone_device_data svm_bo from another
    process, that means it is COW mapping in the child process and the
    range is migrated to VRAM by parent process. Migrate the parent
    process range back to system memory to recover the CPU page fault.
    
    Signed-off-by: Philip Yang <Philip.Yang@amd.com>
    Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Stable-dep-of: 5b994354af3c ("drm/amdkfd: Fix NULL pointer dereference in svm_migrate_to_ram()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdkfd: Migrate in CPU page fault use current mm [+ + +]
Author: Philip Yang <Philip.Yang@amd.com>
Date:   Thu Sep 8 17:56:09 2022 -0400

    drm/amdkfd: Migrate in CPU page fault use current mm
    
    commit 3a876060892ba52dd67d197c78b955e62657d906 upstream.
    
    migrate_vma_setup shows below warning because we don't hold another
    process mm mmap_lock. We should use current vmf->vma->vm_mm instead, the
    caller already hold current mmap lock inside CPU page fault handler.
    
     WARNING: CPU: 10 PID: 3054 at include/linux/mmap_lock.h:155 find_vma
     Call Trace:
      walk_page_range+0x76/0x150
      migrate_vma_setup+0x18a/0x640
      svm_migrate_vram_to_ram+0x245/0xa10 [amdgpu]
      svm_migrate_to_ram+0x36f/0x470 [amdgpu]
      do_swap_page+0xcfe/0xec0
      __handle_mm_fault+0x96b/0x15e0
      handle_mm_fault+0x13f/0x3e0
      do_user_addr_fault+0x1e7/0x690
    
    Fixes: e1f84eef313f ("drm/amdkfd: handle CPU fault on COW mapping")
    Signed-off-by: Philip Yang <Philip.Yang@amd.com>
    Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/i915/dmabuf: fix sg_table handling in map_dma_buf [+ + +]
Author: Matthew Auld <matthew.auld@intel.com>
Date:   Fri Oct 28 16:50:26 2022 +0100

    drm/i915/dmabuf: fix sg_table handling in map_dma_buf
    
    commit f90daa975911961b65070ec72bd7dd8d448f9ef7 upstream.
    
    We need to iterate over the original entries here for the sg_table,
    pulling out the struct page for each one, to be remapped. However
    currently this incorrectly iterates over the final dma mapped entries,
    which is likely just one gigantic sg entry if the iommu is enabled,
    leading to us only mapping the first struct page (and any physically
    contiguous pages following it), even if there is potentially lots more
    data to follow.
    
    Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7306
    Fixes: 1286ff739773 ("i915: add dmabuf/prime buffer sharing support.")
    Signed-off-by: Matthew Auld <matthew.auld@intel.com>
    Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
    Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
    Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Cc: Michael J. Ruhl <michael.j.ruhl@intel.com>
    Cc: <stable@vger.kernel.org> # v3.5+
    Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20221028155029.494736-1-matthew.auld@intel.com
    (cherry picked from commit 28d52f99bbca7227008cf580c9194c9b3516968e)
    Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/vc4: Fix missing platform_unregister_drivers() call in vc4_drm_register() [+ + +]
Author: Yuan Can <yuancan@huawei.com>
Date:   Thu Nov 3 01:47:05 2022 +0000

    drm/vc4: Fix missing platform_unregister_drivers() call in vc4_drm_register()
    
    [ Upstream commit cf53db768a8790fdaae2fa3a81322b080285f7e5 ]
    
    A problem about modprobe vc4 failed is triggered with the following log
    given:
    
     [  420.327987] Error: Driver 'vc4_hvs' is already registered, aborting...
     [  420.333904] failed to register platform driver vc4_hvs_driver [vc4]: -16
     modprobe: ERROR: could not insert 'vc4': Device or resource busy
    
    The reason is that vc4_drm_register() returns platform_driver_register()
    directly without checking its return value, if platform_driver_register()
    fails, it returns without unregistering all the vc4 drivers, resulting the
    vc4 can never be installed later.
    A simple call graph is shown as below:
    
     vc4_drm_register()
       platform_register_drivers() # all vc4 drivers are registered
       platform_driver_register()
         driver_register()
           bus_add_driver()
             priv = kzalloc(...) # OOM happened
       # return without unregister drivers
    
    Fixing this problem by checking the return value of
    platform_driver_register() and do platform_unregister_drivers() if
    error happened.
    
    Fixes: c8b75bca92cb ("drm/vc4: Add KMS support for Raspberry Pi.")
    Signed-off-by: Yuan Can <yuancan@huawei.com>
    Signed-off-by: Maxime Ripard <maxime@cerno.tech>
    Link: https://patchwork.freedesktop.org/patch/msgid/20221103014705.109322-1-yuancan@huawei.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ethernet: s2io: disable napi when start nic failed in s2io_card_up() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Wed Nov 9 10:37:41 2022 +0800

    ethernet: s2io: disable napi when start nic failed in s2io_card_up()
    
    [ Upstream commit 0348c1ab980c1d43fb37b758d4b760990c066cb5 ]
    
    When failed to start nic or add interrupt service routine in
    s2io_card_up() for opening device, napi isn't disabled. When open
    s2io device next time, it will trigger a BUG_ON()in napi_enable().
    Compile tested only.
    
    Fixes: 5f490c968056 ("S2io: Fixed synchronization between scheduling of napi with card reset and close")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Link: https://lore.kernel.org/r/20221109023741.131552-1-shaozhengchao@huawei.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ethernet: tundra: free irq when alloc ring failed in tsi108_open() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Wed Nov 9 12:40:16 2022 +0800

    ethernet: tundra: free irq when alloc ring failed in tsi108_open()
    
    [ Upstream commit acce40037041f97baad18142bb253064491ebde3 ]
    
    When alloc tx/rx ring failed in tsi108_open(), it doesn't free irq. Fix
    it.
    
    Fixes: 5e123b844a1c ("[PATCH] Add tsi108/9 On Chip Ethernet device driver support")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Link: https://lore.kernel.org/r/20221109044016.126866-1-shaozhengchao@huawei.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
fuse: fix readdir cache race [+ + +]
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Thu Oct 20 17:18:58 2022 +0200

    fuse: fix readdir cache race
    
    [ Upstream commit 9fa248c65bdbf5af0a2f74dd38575acfc8dfd2bf ]
    
    There's a race in fuse's readdir cache that can result in an uninitilized
    page being read.  The page lock is supposed to prevent this from happening
    but in the following case it doesn't:
    
    Two fuse_add_dirent_to_cache() start out and get the same parameters
    (size=0,offset=0).  One of them wins the race to create and lock the page,
    after which it fills in data, sets rdc.size and unlocks the page.
    
    In the meantime the page gets evicted from the cache before the other
    instance gets to run.  That one also creates the page, but finds the
    size to be mismatched, bails out and leaves the uninitialized page in the
    cache.
    
    Fix by marking a filled page uptodate and ignoring non-uptodate pages.
    
    Reported-by: Frank Sorenson <fsorenso@redhat.com>
    Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache")
    Cc: <stable@vger.kernel.org> # v4.20
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hamradio: fix issue of dev reference count leakage in bpq_device_event() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Thu Nov 3 17:09:05 2022 +0800

    hamradio: fix issue of dev reference count leakage in bpq_device_event()
    
    [ Upstream commit 85cbaf032d3cd9f595152625eda5d4ecb1d6d78d ]
    
    When following tests are performed, it will cause dev reference counting
    leakage.
    a)ip link add bond2 type bond mode balance-rr
    b)ip link set bond2 up
    c)ifenslave -f bond2 rose1
    d)ip link del bond2
    
    When new bond device is created, the default type of the bond device is
    ether. And the bond device is up, bpq_device_event() receives the message
    and creates a new bpq device. In this case, the reference count value of
    dev is hold once. But after "ifenslave -f bond2 rose1" command is
    executed, the type of the bond device is changed to rose. When the bond
    device is unregistered, bpq_device_event() will not put the dev reference
    count.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
HID: hyperv: fix possible memory leak in mousevsc_probe() [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Fri Oct 28 21:40:43 2022 +0800

    HID: hyperv: fix possible memory leak in mousevsc_probe()
    
    [ Upstream commit b5bcb94b0954a026bbd671741fdb00e7141f9c91 ]
    
    If hid_add_device() returns error, it should call hid_destroy_device()
    to free hid_dev which is allocated in hid_allocate_device().
    
    Fixes: 74c4fb058083 ("HID: hv_mouse: Properly add the hid device")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Reviewed-by: Wei Liu <wei.liu@kernel.org>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hwspinlock: qcom: correct MMIO max register for newer SoCs [+ + +]
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Fri Sep 9 11:20:23 2022 +0200

    hwspinlock: qcom: correct MMIO max register for newer SoCs
    
    [ Upstream commit 90cb380f9ceb811059340d06ff5fd0c0e93ecbe1 ]
    
    Newer ARMv8 Qualcomm SoCs using 0x1000 register stride have maximum
    register 0x20000 (32 mutexes * 0x1000).
    
    Fixes: 7a1e6fb1c606 ("hwspinlock: qcom: Allow mmio usage in addition to syscon")
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Link: https://lore.kernel.org/r/20220909092035.223915-4-krzysztof.kozlowski@linaro.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network [+ + +]
Author: Alexander Potapenko <glider@google.com>
Date:   Fri Nov 4 11:32:16 2022 +0100

    ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network
    
    [ Upstream commit c23fb2c82267638f9d206cb96bb93e1f93ad7828 ]
    
    When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved
    remained uninitialized, resulting in a 1-byte infoleak:
    
      BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841
       __netdev_start_xmit ./include/linux/netdevice.h:4841
       netdev_start_xmit ./include/linux/netdevice.h:4857
       xmit_one net/core/dev.c:3590
       dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606
       __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256
       dev_queue_xmit ./include/linux/netdevice.h:3009
       __netlink_deliver_tap_skb net/netlink/af_netlink.c:307
       __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325
       netlink_deliver_tap net/netlink/af_netlink.c:338
       __netlink_sendskb net/netlink/af_netlink.c:1263
       netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272
       netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360
       nlmsg_unicast ./include/net/netlink.h:1061
       rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758
       ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628
       rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
      ...
      Uninit was created at:
       slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742
       slab_alloc_node mm/slub.c:3398
       __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437
       __do_kmalloc_node mm/slab_common.c:954
       __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975
       kmalloc_reserve net/core/skbuff.c:437
       __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509
       alloc_skb ./include/linux/skbuff.h:1267
       nlmsg_new ./include/net/netlink.h:964
       ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608
       rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
       netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540
       rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109
       netlink_unicast_kernel net/netlink/af_netlink.c:1319
       netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921
      ...
    
    This patch ensures that the reserved field is always initialized.
    
    Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com
    Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.")
    Signed-off-by: Alexander Potapenko <glider@google.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
KVM: s390: pv: don't allow userspace to set the clock under PV [+ + +]
Author: Nico Boehr <nrb@linux.ibm.com>
Date:   Tue Oct 11 18:07:12 2022 +0200

    KVM: s390: pv: don't allow userspace to set the clock under PV
    
    [ Upstream commit 6973091d1b50ab4042f6a2d495f59e9db3662ab8 ]
    
    When running under PV, the guest's TOD clock is under control of the
    ultravisor and the hypervisor isn't allowed to change it. Hence, don't
    allow userspace to change the guest's TOD clock by returning
    -EOPNOTSUPP.
    
    When userspace changes the guest's TOD clock, KVM updates its
    kvm.arch.epoch field and, in addition, the epoch field in all state
    descriptions of all VCPUs.
    
    But, under PV, the ultravisor will ignore the epoch field in the state
    description and simply overwrite it on next SIE exit with the actual
    guest epoch. This leads to KVM having an incorrect view of the guest's
    TOD clock: it has updated its internal kvm.arch.epoch field, but the
    ultravisor ignores the field in the state description.
    
    Whenever a guest is now waiting for a clock comparator, KVM will
    incorrectly calculate the time when the guest should wake up, possibly
    causing the guest to sleep for much longer than expected.
    
    With this change, kvm_s390_set_tod() will now take the kvm->lock to be
    able to call kvm_s390_pv_is_protected(). Since kvm_s390_set_tod_clock()
    also takes kvm->lock, use __kvm_s390_set_tod_clock() instead.
    
    The function kvm_s390_set_tod_clock is now unused, hence remove it.
    Update the documentation to indicate the TOD clock attr calls can now
    return -EOPNOTSUPP.
    
    Fixes: 0f3035047140 ("KVM: s390: protvirt: Do only reset registers that are accessible")
    Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
    Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
    Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
    Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
    Link: https://lore.kernel.org/r/20221011160712.928239-2-nrb@linux.ibm.com
    Message-Id: <20221011160712.928239-2-nrb@linux.ibm.com>
    Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Linux: Linux 5.15.79 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Nov 16 09:58:31 2022 +0100

    Linux 5.15.79
    
    Link: https://lore.kernel.org/r/20221114124448.729235104@linuxfoundation.org
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Slade Watkins <srw@sladewatkins.net>
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Kelsey Steele <kelseysteele@linux.microsoft.com>
    Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Tested-by: Ron Economos <re@w6rz.net>
    Link: https://lore.kernel.org/r/20221115140300.534663914@linuxfoundation.org
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Allen Pais <apais@linux.microsoft.com>
    Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
macsec: clear encryption keys from the stack after setting up offload [+ + +]
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Wed Nov 2 22:33:16 2022 +0100

    macsec: clear encryption keys from the stack after setting up offload
    
    [ Upstream commit aaab73f8fba4fd38f4d2617440d541a1c334e819 ]
    
    macsec_add_rxsa and macsec_add_txsa copy the key to an on-stack
    offloading context to pass it to the drivers, but leaves it there when
    it's done. Clear it with memzero_explicit as soon as it's not needed
    anymore.
    
    Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure")
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Reviewed-by: Antoine Tenart <atenart@kernel.org>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

macsec: delete new rxsc when offload fails [+ + +]
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Wed Nov 2 22:33:13 2022 +0100

    macsec: delete new rxsc when offload fails
    
    [ Upstream commit 93a30947821c203d08865c4e17ea181c9668ce52 ]
    
    Currently we get an inconsistent state:
     - netlink returns the error to userspace
     - the RXSC is installed but not offloaded
    
    Then the device could get confused when we try to add an RXSA, because
    the RXSC isn't supposed to exist.
    
    Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure")
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Reviewed-by: Antoine Tenart <atenart@kernel.org>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

macsec: fix detection of RXSCs when toggling offloading [+ + +]
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Wed Nov 2 22:33:15 2022 +0100

    macsec: fix detection of RXSCs when toggling offloading
    
    [ Upstream commit 80df4706357a5a06bbbc70273bf2611df1ceee04 ]
    
    macsec_is_configured incorrectly uses secy->n_rx_sc to check if some
    RXSCs exist. secy->n_rx_sc only counts the number of active RXSCs, but
    there can also be inactive SCs as well, which may be stored in the
    driver (in case we're disabling offloading), or would have to be
    pushed to the device (in case we're trying to enable offloading).
    
    As long as RXSCs active on creation and never turned off, the issue is
    not visible.
    
    Fixes: dcb780fb2795 ("net: macsec: add nla support for changing the offloading selection")
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Reviewed-by: Antoine Tenart <atenart@kernel.org>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

macsec: fix secy->n_rx_sc accounting [+ + +]
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Wed Nov 2 22:33:14 2022 +0100

    macsec: fix secy->n_rx_sc accounting
    
    [ Upstream commit 73a4b31c9d11f98ae3bc5286d5382930adb0e9c7 ]
    
    secy->n_rx_sc is supposed to be the number of _active_ rxsc's within a
    secy. This is then used by macsec_send_sci to help decide if we should
    add the SCI to the header or not.
    
    This logic is currently broken when we create a new RXSC and turn it
    off at creation, as create_rx_sc always sets ->active to true (and
    immediately uses that to increment n_rx_sc), and only later
    macsec_add_rxsc sets rx_sc->active.
    
    Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Reviewed-by: Antoine Tenart <atenart@kernel.org>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
marvell: octeontx2: build error: unknown type name 'u64' [+ + +]
Author: Anders Roxell <anders.roxell@linaro.org>
Date:   Wed Oct 13 15:57:43 2021 +0200

    marvell: octeontx2: build error: unknown type name 'u64'
    
    commit 6312d52838b21f5c4a5afa1269a00df4364fd354 upstream.
    
    Building an allmodconfig kernel arm64 kernel, the following build error
    shows up:
    
    In file included from drivers/crypto/marvell/octeontx2/cn10k_cpt.c:4:
    include/linux/soc/marvell/octeontx2/asm.h:38:15: error: unknown type name 'u64'
       38 | static inline u64 otx2_atomic64_fetch_add(u64 incr, u64 *ptr)
          |               ^~~
    
    Include linux/types.h in asm.h so the compiler knows what the type
    'u64' are.
    
    Fixes: af3826db74d1 ("octeontx2-pf: Use hardware register for CQE count")
    Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
    Link: https://lore.kernel.org/r/20211013135743.3826594-1-anders.roxell@linaro.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mctp: Fix an error handling path in mctp_init() [+ + +]
Author: Wei Yongjun <weiyongjun1@huawei.com>
Date:   Tue Nov 8 09:55:17 2022 +0000

    mctp: Fix an error handling path in mctp_init()
    
    [ Upstream commit d4072058af4fd8fb4658e7452289042a406a9398 ]
    
    If mctp_neigh_init() return error, the routes resources should
    be released in the error handling path. Otherwise some resources
    leak.
    
    Fixes: 4d8b9319282a ("mctp: Add neighbour implementation")
    Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
    Acked-by: Matt Johnston <matt@codeconstruct.com.au>
    Link: https://lore.kernel.org/r/20221108095517.620115-1-weiyongjun@huaweicloud.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
MIPS: jump_label: Fix compat branch range check [+ + +]
Author: Jiaxun Yang <jiaxun.yang@flygoat.com>
Date:   Thu Nov 3 15:10:53 2022 +0000

    MIPS: jump_label: Fix compat branch range check
    
    commit 64ac0befe75bdfaffc396c2b4a0ed5ae6920eeee upstream.
    
    Cast upper bound of branch range to long to do signed compare,
    avoid negative offset trigger this warning.
    
    Fixes: 9b6584e35f40 ("MIPS: jump_label: Use compact branches for >= r6")
    Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mm/damon/dbgfs: check if rm_contexts input is for a real context [+ + +]
Author: SeongJae Park <sj@kernel.org>
Date:   Mon Nov 7 16:50:00 2022 +0000

    mm/damon/dbgfs: check if rm_contexts input is for a real context
    
    commit 1de09a7281edecfdba19b3a07417f6d65243ab5f upstream.
    
    A user could write a name of a file under 'damon/' debugfs directory,
    which is not a user-created context, to 'rm_contexts' file.  In the case,
    'dbgfs_rm_context()' just assumes it's the valid DAMON context directory
    only if a file of the name exist.  As a result, invalid memory access
    could happen as below.  Fix the bug by checking if the given input is for
    a directory.  This check can filter out non-context inputs because
    directories under 'damon/' debugfs directory can be created via only
    'mk_contexts' file.
    
    This bug has found by syzbot[1].
    
    [1] https://lore.kernel.org/damon/000000000000ede3ac05ec4abf8e@google.com/
    
    Link: https://lkml.kernel.org/r/20221107165001.5717-2-sj@kernel.org
    Fixes: 75c1c2b53c78 ("mm/damon/dbgfs: support multiple contexts")
    Signed-off-by: SeongJae Park <sj@kernel.org>
    Reported-by: syzbot+6087eafb76a94c4ac9eb@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>    [5.15.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mm/memremap.c: map FS_DAX device memory as decrypted [+ + +]
Author: Pankaj Gupta <pankaj.gupta@amd.com>
Date:   Wed Nov 2 11:07:28 2022 -0500

    mm/memremap.c: map FS_DAX device memory as decrypted
    
    commit 867400af90f1f953ff9e10b1b87ecaf9369a7eb8 upstream.
    
    virtio_pmem use devm_memremap_pages() to map the device memory.  By
    default this memory is mapped as encrypted with SEV.  Guest reboot changes
    the current encryption key and guest no longer properly decrypts the FSDAX
    device meta data.
    
    Mark the corresponding device memory region for FSDAX devices (mapped with
    memremap_pages) as decrypted to retain the persistent memory property.
    
    Link: https://lkml.kernel.org/r/20221102160728.3184016-1-pankaj.gupta@amd.com
    Fixes: b7b3c01b19159 ("mm/memremap_pages: support multiple ranges per invocation")
    Signed-off-by: Pankaj Gupta <pankaj.gupta@amd.com>
    Cc: Dan Williams <dan.j.williams@intel.com>
    Cc: Tom Lendacky <thomas.lendacky@amd.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mm/shmem: use page_mapping() to detect page cache for uffd continue [+ + +]
Author: Peter Xu <peterx@redhat.com>
Date:   Wed Nov 2 14:41:52 2022 -0400

    mm/shmem: use page_mapping() to detect page cache for uffd continue
    
    commit 93b0d9178743a68723babe8448981f658aebc58e upstream.
    
    mfill_atomic_install_pte() checks page->mapping to detect whether one page
    is used in the page cache.  However as pointed out by Matthew, the page
    can logically be a tail page rather than always the head in the case of
    uffd minor mode with UFFDIO_CONTINUE.  It means we could wrongly install
    one pte with shmem thp tail page assuming it's an anonymous page.
    
    It's not that clear even for anonymous page, since normally anonymous
    pages also have page->mapping being setup with the anon vma.  It's safe
    here only because the only such caller to mfill_atomic_install_pte() is
    always passing in a newly allocated page (mcopy_atomic_pte()), whose
    page->mapping is not yet setup.  However that's not extremely obvious
    either.
    
    For either of above, use page_mapping() instead.
    
    Link: https://lkml.kernel.org/r/Y2K+y7wnhC4vbnP2@x1n
    Fixes: 153132571f02 ("userfaultfd/shmem: support UFFDIO_CONTINUE for shmem")
    Signed-off-by: Peter Xu <peterx@redhat.com>
    Reported-by: Matthew Wilcox <willy@infradead.org>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Axel Rasmussen <axelrasmussen@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mmc: cqhci: Provide helper for resetting both SDHCI and CQHCI [+ + +]
Author: Brian Norris <briannorris@chromium.org>
Date:   Wed Oct 26 12:42:03 2022 -0700

    mmc: cqhci: Provide helper for resetting both SDHCI and CQHCI
    
    commit ebb5fd38f41132e6924cb33b647337f4a5d5360c upstream.
    
    Several SDHCI drivers need to deactivate command queueing in their reset
    hook (see sdhci_cqhci_reset() / sdhci-pci-core.c, for example), and
    several more are coming.
    
    Those reset implementations have some small subtleties (e.g., ordering
    of initialization of SDHCI vs. CQHCI might leave us resetting with a
    NULL ->cqe_private), and are often identical across different host
    drivers.
    
    We also don't want to force a dependency between SDHCI and CQHCI, or
    vice versa; non-SDHCI drivers use CQHCI, and SDHCI drivers might support
    command queueing through some other means.
    
    So, implement a small helper, to avoid repeating the same mistakes in
    different drivers. Simply stick it in a header, because it's so small it
    doesn't deserve its own module right now, and inlining to each driver is
    pretty reasonable.
    
    This is marked for -stable, as it is an important prerequisite patch for
    several SDHCI controller bugfixes that follow.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Link: https://lore.kernel.org/r/20221026124150.v4.1.Ie85faa09432bfe1b0890d8c24ff95e17f3097317@changeid
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mmc: sdhci-esdhc-imx: use the correct host caps for MMC_CAP_8_BIT_DATA [+ + +]
Author: Haibo Chen <haibo.chen@nxp.com>
Date:   Tue Nov 8 15:45:03 2022 +0800

    mmc: sdhci-esdhc-imx: use the correct host caps for MMC_CAP_8_BIT_DATA
    
    commit f002f45a00ee14214d96b18b9a555fe2c56afb20 upstream.
    
    MMC_CAP_8_BIT_DATA belongs to struct mmc_host, not struct sdhci_host.
    So correct it here.
    
    Fixes: 1ed5c3b22fc7 ("mmc: sdhci-esdhc-imx: Propagate ESDHC_FLAG_HS400* only on 8bit bus")
    Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
    Cc: stable@vger.kernel.org
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Link: https://lore.kernel.org/r/1667893503-20583-1-git-send-email-haibo.chen@nxp.com
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mmc: sdhci-of-arasan: Fix SDHCI_RESET_ALL for CQHCI [+ + +]
Author: Brian Norris <briannorris@chromium.org>
Date:   Wed Oct 26 12:42:04 2022 -0700

    mmc: sdhci-of-arasan: Fix SDHCI_RESET_ALL for CQHCI
    
    commit 5d249ac37fc2396e8acc1adb0650cdacae5a990d upstream.
    
    SDHCI_RESET_ALL resets will reset the hardware CQE state, but we aren't
    tracking that properly in software. When out of sync, we may trigger
    various timeouts.
    
    It's not typical to perform resets while CQE is enabled, but one
    particular case I hit commonly enough: mmc_suspend() -> mmc_power_off().
    Typically we will eventually deactivate CQE (cqhci_suspend() ->
    cqhci_deactivate()), but that's not guaranteed -- in particular, if
    we perform a partial (e.g., interrupted) system suspend.
    
    The same bug was already found and fixed for two other drivers, in v5.7
    and v5.9:
    
      5cf583f1fb9c ("mmc: sdhci-msm: Deactivate CQE during SDHC reset")
      df57d73276b8 ("mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel
                     GLK-based controllers")
    
    The latter is especially prescient, saying "other drivers using CQHCI
    might benefit from a similar change, if they also have CQHCI reset by
    SDHCI_RESET_ALL."
    
    So like these other patches, deactivate CQHCI when resetting the
    controller. Do this via the new sdhci_and_cqhci_reset() helper.
    
    This patch depends on (and should not compile without) the patch
    entitled "mmc: cqhci: Provide helper for resetting both SDHCI and
    CQHCI".
    
    Fixes: 84362d79f436 ("mmc: sdhci-of-arasan: Add CQHCI support for arasan,sdhci-5.1")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Reviewed-by: Guenter Roeck <linux@roeck-us.net>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Link: https://lore.kernel.org/r/20221026124150.v4.2.I29f6a2189e84e35ad89c1833793dca9e36c64297@changeid
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mmc: sdhci-tegra: Fix SDHCI_RESET_ALL for CQHCI [+ + +]
Author: Brian Norris <briannorris@chromium.org>
Date:   Wed Oct 26 12:42:07 2022 -0700

    mmc: sdhci-tegra: Fix SDHCI_RESET_ALL for CQHCI
    
    commit 836078449464e6af3b66ae6652dae79af176f21e upstream.
    
    [[ NOTE: this is completely untested by the author, but included solely
        because, as noted in commit df57d73276b8 ("mmc: sdhci-pci: Fix
        SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers"), "other
        drivers using CQHCI might benefit from a similar change, if they
        also have CQHCI reset by SDHCI_RESET_ALL." We've now seen the same
        bug on at least MSM, Arasan, and Intel hardware. ]]
    
    SDHCI_RESET_ALL resets will reset the hardware CQE state, but we aren't
    tracking that properly in software. When out of sync, we may trigger
    various timeouts.
    
    It's not typical to perform resets while CQE is enabled, but this may
    occur in some suspend or error recovery scenarios.
    
    Include this fix by way of the new sdhci_and_cqhci_reset() helper.
    
    This patch depends on (and should not compile without) the patch
    entitled "mmc: cqhci: Provide helper for resetting both SDHCI and
    CQHCI".
    
    Fixes: 3c4019f97978 ("mmc: tegra: HW Command Queue Support for Tegra SDMMC")
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20221026124150.v4.5.I418c9eaaf754880fcd2698113e8c3ef821a944d7@changeid
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mmc: sdhci_am654: Fix SDHCI_RESET_ALL for CQHCI [+ + +]
Author: Brian Norris <briannorris@chromium.org>
Date:   Wed Oct 26 12:42:08 2022 -0700

    mmc: sdhci_am654: Fix SDHCI_RESET_ALL for CQHCI
    
    commit 162503fd1c3a1d4e14dbe7f399c1d1bec1c8abbc upstream.
    
    [[ NOTE: this is completely untested by the author, but included solely
        because, as noted in commit df57d73276b8 ("mmc: sdhci-pci: Fix
        SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers"), "other
        drivers using CQHCI might benefit from a similar change, if they
        also have CQHCI reset by SDHCI_RESET_ALL." We've now seen the same
        bug on at least MSM, Arasan, and Intel hardware. ]]
    
    SDHCI_RESET_ALL resets will reset the hardware CQE state, but we aren't
    tracking that properly in software. When out of sync, we may trigger
    various timeouts.
    
    It's not typical to perform resets while CQE is enabled, but this may
    occur in some suspend or error recovery scenarios.
    
    Include this fix by way of the new sdhci_and_cqhci_reset() helper.
    
    This patch depends on (and should not compile without) the patch
    entitled "mmc: cqhci: Provide helper for resetting both SDHCI and
    CQHCI".
    
    Fixes: f545702b74f9 ("mmc: sdhci_am654: Add Support for Command Queuing Engine to J721E")
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20221026124150.v4.6.I35ca9d6220ba48304438b992a76647ca8e5b126f@changeid
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mms: sdhci-esdhc-imx: Fix SDHCI_RESET_ALL for CQHCI [+ + +]
Author: Brian Norris <briannorris@chromium.org>
Date:   Wed Oct 26 12:42:06 2022 -0700

    mms: sdhci-esdhc-imx: Fix SDHCI_RESET_ALL for CQHCI
    
    commit fb1dec44c6750bb414f47b929c8c175a1a127c31 upstream.
    
    [[ NOTE: this is completely untested by the author, but included solely
        because, as noted in commit df57d73276b8 ("mmc: sdhci-pci: Fix
        SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers"), "other
        drivers using CQHCI might benefit from a similar change, if they
        also have CQHCI reset by SDHCI_RESET_ALL." We've now seen the same
        bug on at least MSM, Arasan, and Intel hardware. ]]
    
    SDHCI_RESET_ALL resets will reset the hardware CQE state, but we aren't
    tracking that properly in software. When out of sync, we may trigger
    various timeouts.
    
    It's not typical to perform resets while CQE is enabled, but this may
    occur in some suspend or error recovery scenarios.
    
    Include this fix by way of the new sdhci_and_cqhci_reset() helper.
    
    This patch depends on (and should not compile without) the patch
    entitled "mmc: cqhci: Provide helper for resetting both SDHCI and
    CQHCI".
    
    Fixes: bb6e358169bf ("mmc: sdhci-esdhc-imx: add CMDQ support")
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20221026124150.v4.4.I7d01f9ad11bacdc9213dee61b7918982aea39115@changeid
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net/mlx5: Allow async trigger completion execution on single CPU systems [+ + +]
Author: Roy Novich <royno@nvidia.com>
Date:   Wed Nov 2 23:55:38 2022 -0700

    net/mlx5: Allow async trigger completion execution on single CPU systems
    
    [ Upstream commit 2808b37b59288ad8f1897e3546c2296df3384b65 ]
    
    For a single CPU system, the kernel thread executing mlx5_cmd_flush()
    never releases the CPU but calls down_trylock(&cmd→sem) in a busy loop.
    On a single processor system, this leads to a deadlock as the kernel
    thread which executes mlx5_cmd_invoke() never gets scheduled. Fix this,
    by adding the cond_resched() call to the loop, allow the command
    completion kernel thread to execute.
    
    Fixes: 8e715cd613a1 ("net/mlx5: Set command entry semaphore up once got index free")
    Signed-off-by: Alexander Schmidt <alexschm@de.ibm.com>
    Signed-off-by: Roy Novich <royno@nvidia.com>
    Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
    Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/mlx5: Bridge, verify LAG state when adding bond to bridge [+ + +]
Author: Vlad Buslov <vladbu@nvidia.com>
Date:   Wed Nov 2 23:55:37 2022 -0700

    net/mlx5: Bridge, verify LAG state when adding bond to bridge
    
    [ Upstream commit 15f8f168952f54d3c86d734dc764f20844e423ac ]
    
    Mlx5 LAG is initialized asynchronously on a workqueue which means that for
    a brief moment after setting mlx5 UL representors as lower devices of a
    bond netdevice the LAG itself is not fully initialized in the driver. When
    adding such bond device to a bridge mlx5 bridge code will not consider it
    as offload-capable, skip creating necessary bookkeeping and fail any
    further bridge offload-related commands with it (setting VLANs, offloading
    FDBs, etc.). In order to make the error explicit during bridge
    initialization stage implement the code that detects such condition during
    NETDEV_PRECHANGEUPPER event and returns an error.
    
    Fixes: ff9b7521468b ("net/mlx5: Bridge, support LAG")
    Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
    Reviewed-by: Roi Dayan <roid@nvidia.com>
    Reviewed-by: Mark Bloch <mbloch@nvidia.com>
    Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/mlx5e: E-Switch, Fix comparing termination table instance [+ + +]
Author: Roi Dayan <roid@nvidia.com>
Date:   Wed Nov 2 23:55:46 2022 -0700

    net/mlx5e: E-Switch, Fix comparing termination table instance
    
    [ Upstream commit f4f4096b410e8d31c3f07f39de3b17d144edd53d ]
    
    The pkt_reformat pointer being saved under flow_act and not
    dest attribute in the termination table instance.
    Fix the comparison pointers.
    
    Also fix returning success if one pkt_reformat pointer is null
    and the other is not.
    
    Fixes: 249ccc3c95bd ("net/mlx5e: Add support for offloading traffic from uplink to uplink")
    Signed-off-by: Roi Dayan <roid@nvidia.com>
    Reviewed-by: Chris Mi <cmi@nvidia.com>
    Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: atlantic: macsec: clear encryption keys from the stack [+ + +]
Author: Antoine Tenart <atenart@kernel.org>
Date:   Tue Nov 8 16:34:59 2022 +0100

    net: atlantic: macsec: clear encryption keys from the stack
    
    [ Upstream commit 879785def0f5e71d54399de0f8a5cb399db14171 ]
    
    Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after
    setting up offload") made sure to clean encryption keys from the stack
    after setting up offloading, but the atlantic driver made a copy and did
    not clear it. Fix this.
    
    [4 Fixes tags below, all part of the same series, no need to split this]
    
    Fixes: 9ff40a751a6f ("net: atlantic: MACSec ingress offload implementation")
    Fixes: b8f8a0b7b5cb ("net: atlantic: MACSec ingress offload HW bindings")
    Fixes: 27736563ce32 ("net: atlantic: MACSec egress offload implementation")
    Fixes: 9d106c6dd81b ("net: atlantic: MACSec egress offload HW bindings")
    Signed-off-by: Antoine Tenart <atenart@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: broadcom: Fix BCMGENET Kconfig [+ + +]
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Sat Nov 5 17:02:45 2022 +0800

    net: broadcom: Fix BCMGENET Kconfig
    
    [ Upstream commit 8d820bc9d12b8beebca836cceaf2bbe68216c2f8 ]
    
    While BCMGENET select BROADCOM_PHY as y, but PTP_1588_CLOCK_OPTIONAL is m,
    kconfig warning and build errors:
    
    WARNING: unmet direct dependencies detected for BROADCOM_PHY
      Depends on [m]: NETDEVICES [=y] && PHYLIB [=y] && PTP_1588_CLOCK_OPTIONAL [=m]
      Selected by [y]:
      - BCMGENET [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_BROADCOM [=y] && HAS_IOMEM [=y] && ARCH_BCM2835 [=y]
    
    drivers/net/phy/broadcom.o: In function `bcm54xx_suspend':
    broadcom.c:(.text+0x6ac): undefined reference to `bcm_ptp_stop'
    drivers/net/phy/broadcom.o: In function `bcm54xx_phy_probe':
    broadcom.c:(.text+0x784): undefined reference to `bcm_ptp_probe'
    drivers/net/phy/broadcom.o: In function `bcm54xx_config_init':
    broadcom.c:(.text+0xd4c): undefined reference to `bcm_ptp_config_init'
    
    Fixes: 99addbe31f55 ("net: broadcom: Select BROADCOM_PHY for BCMGENET")
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Acked-by: Florian Fainelli <f.fainelli@broadcom.com>
    Link: https://lore.kernel.org/r/20221105090245.8508-1-yuehaibing@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: cpsw: disable napi in cpsw_ndo_open() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Wed Nov 9 09:15:37 2022 +0800

    net: cpsw: disable napi in cpsw_ndo_open()
    
    [ Upstream commit 6d47b53fb3f363a74538a1dbd09954af3d8d4131 ]
    
    When failed to create xdp rxqs or fill rx channels in cpsw_ndo_open() for
    opening device, napi isn't disabled. When open cpsw device next time, it
    will report a invalid opcode issue. Compiled tested only.
    
    Fixes: d354eb85d618 ("drivers: net: cpsw: dual_emac: simplify napi usage")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Link: https://lore.kernel.org/r/20221109011537.96975-1-shaozhengchao@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: cxgb3_main: disable napi when bind qsets failed in cxgb_up() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Wed Nov 9 10:14:51 2022 +0800

    net: cxgb3_main: disable napi when bind qsets failed in cxgb_up()
    
    [ Upstream commit d75aed1428da787cbe42bc073d76f1354f364d92 ]
    
    When failed to bind qsets in cxgb_up() for opening device, napi isn't
    disabled. When open cxgb3 device next time, it will trigger a BUG_ON()
    in napi_enable(). Compile tested only.
    
    Fixes: 48c4b6dbb7e2 ("cxgb3 - fix port up/down error path")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Link: https://lore.kernel.org/r/20221109021451.121490-1-shaozhengchao@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: fman: Unregister ethernet device on removal [+ + +]
Author: Sean Anderson <sean.anderson@seco.com>
Date:   Thu Nov 3 14:28:30 2022 -0400

    net: fman: Unregister ethernet device on removal
    
    [ Upstream commit b7cbc6740bd6ad5d43345a2504f7e4beff0d709f ]
    
    When the mac device gets removed, it leaves behind the ethernet device.
    This will result in a segfault next time the ethernet device accesses
    mac_dev. Remove the ethernet device when we get removed to prevent
    this. This is not completely reversible, since some resources aren't
    cleaned up properly, but that can be addressed later.
    
    Fixes: 3933961682a3 ("fsl/fman: Add FMan MAC driver")
    Signed-off-by: Sean Anderson <sean.anderson@seco.com>
    Link: https://lore.kernel.org/r/20221103182831.2248833-1-sean.anderson@seco.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: gso: fix panic on frag_list with mixed head alloc types [+ + +]
Author: Jiri Benc <jbenc@redhat.com>
Date:   Wed Nov 2 17:53:25 2022 +0100

    net: gso: fix panic on frag_list with mixed head alloc types
    
    [ Upstream commit 9e4b7a99a03aefd37ba7bb1f022c8efab5019165 ]
    
    Since commit 3dcbdb134f32 ("net: gso: Fix skb_segment splat when
    splitting gso_size mangled skb having linear-headed frag_list"), it is
    allowed to change gso_size of a GRO packet. However, that commit assumes
    that "checking the first list_skb member suffices; i.e if either of the
    list_skb members have non head_frag head, then the first one has too".
    
    It turns out this assumption does not hold. We've seen BUG_ON being hit
    in skb_segment when skbs on the frag_list had differing head_frag with
    the vmxnet3 driver. This happens because __netdev_alloc_skb and
    __napi_alloc_skb can return a skb that is page backed or kmalloced
    depending on the requested size. As the result, the last small skb in
    the GRO packet can be kmalloced.
    
    There are three different locations where this can be fixed:
    
    (1) We could check head_frag in GRO and not allow GROing skbs with
        different head_frag. However, that would lead to performance
        regression on normal forward paths with unmodified gso_size, where
        !head_frag in the last packet is not a problem.
    
    (2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating
        that NETIF_F_SG is undesirable. That would need to eat a bit in
        sk_buff. Furthermore, that flag can be unset when all skbs on the
        frag_list are page backed. To retain good performance,
        bpf_skb_net_grow/shrink would have to walk the frag_list.
    
    (3) Walk the frag_list in skb_segment when determining whether
        NETIF_F_SG should be cleared. This of course slows things down.
    
    This patch implements (3). To limit the performance impact in
    skb_segment, the list is walked only for skbs with SKB_GSO_DODGY set
    that have gso_size changed. Normal paths thus will not hit it.
    
    We could check only the last skb but since we need to walk the whole
    list anyway, let's stay on the safe side.
    
    Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list")
    Signed-off-by: Jiri Benc <jbenc@redhat.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Link: https://lore.kernel.org/r/e04426a6a91baf4d1081e1b478c82b5de25fdf21.1667407944.git.jbenc@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: lapbether: fix issue of dev reference count leakage in lapbeth_device_event() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Thu Nov 3 17:05:37 2022 +0800

    net: lapbether: fix issue of dev reference count leakage in lapbeth_device_event()
    
    [ Upstream commit 531705a765493655472c993627106e19f7e5a6d2 ]
    
    When following tests are performed, it will cause dev reference counting
    leakage.
    a)ip link add bond2 type bond mode balance-rr
    b)ip link set bond2 up
    c)ifenslave -f bond2 rose1
    d)ip link del bond2
    
    When new bond device is created, the default type of the bond device is
    ether. And the bond device is up, lapbeth_device_event() receives the
    message and creates a new lapbeth device. In this case, the reference
    count value of dev is hold once. But after "ifenslave -f bond2 rose1"
    command is executed, the type of the bond device is changed to rose. When
    the bond device is unregistered, lapbeth_device_event() will not put the
    dev reference count.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: lapbether: fix issue of invalid opcode in lapbeth_open() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Mon Nov 7 09:14:45 2022 +0800

    net: lapbether: fix issue of invalid opcode in lapbeth_open()
    
    [ Upstream commit 3faf7e14ec0c3462c2d747fa6793b8645d1391df ]
    
    If lapb_register() failed when lapb device goes to up for the first time,
    the NAPI is not disabled. As a result, the invalid opcode issue is
    reported when the lapb device goes to up for the second time.
    
    The stack info is as follows:
    [ 1958.311422][T11356] kernel BUG at net/core/dev.c:6442!
    [ 1958.312206][T11356] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
    [ 1958.315979][T11356] RIP: 0010:napi_enable+0x16a/0x1f0
    [ 1958.332310][T11356] Call Trace:
    [ 1958.332817][T11356]  <TASK>
    [ 1958.336135][T11356]  lapbeth_open+0x18/0x90
    [ 1958.337446][T11356]  __dev_open+0x258/0x490
    [ 1958.341672][T11356]  __dev_change_flags+0x4d4/0x6a0
    [ 1958.345325][T11356]  dev_change_flags+0x93/0x160
    [ 1958.346027][T11356]  devinet_ioctl+0x1276/0x1bf0
    [ 1958.346738][T11356]  inet_ioctl+0x1c8/0x2d0
    [ 1958.349638][T11356]  sock_ioctl+0x5d1/0x750
    [ 1958.356059][T11356]  __x64_sys_ioctl+0x3ec/0x1790
    [ 1958.365594][T11356]  do_syscall_64+0x35/0x80
    [ 1958.366239][T11356]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
    [ 1958.377381][T11356]  </TASK>
    
    Fixes: 514e1150da9c ("net: x25: Queue received packets in the drivers instead of per-CPU queues")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Link: https://lore.kernel.org/r/20221107011445.207372-1-shaozhengchao@huawei.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: macvlan: fix memory leaks of macvlan_common_newlink [+ + +]
Author: Chuang Wang <nashuiliang@gmail.com>
Date:   Wed Nov 9 17:07:34 2022 +0800

    net: macvlan: fix memory leaks of macvlan_common_newlink
    
    [ Upstream commit 23569b5652ee8e8e55a12f7835f59af6f3cefc30 ]
    
    kmemleak reports memory leaks in macvlan_common_newlink, as follows:
    
     ip link add link eth0 name .. type macvlan mode source macaddr add
     <MAC-ADDR>
    
    kmemleak reports:
    
    unreferenced object 0xffff8880109bb140 (size 64):
      comm "ip", pid 284, jiffies 4294986150 (age 430.108s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 b8 aa 5a 12 80 88 ff ff  ..........Z.....
        80 1b fa 0d 80 88 ff ff 1e ff ac af c7 c1 6b 6b  ..............kk
      backtrace:
        [<ffffffff813e06a7>] kmem_cache_alloc_trace+0x1c7/0x300
        [<ffffffff81b66025>] macvlan_hash_add_source+0x45/0xc0
        [<ffffffff81b66a67>] macvlan_changelink_sources+0xd7/0x170
        [<ffffffff81b6775c>] macvlan_common_newlink+0x38c/0x5a0
        [<ffffffff81b6797e>] macvlan_newlink+0xe/0x20
        [<ffffffff81d97f8f>] __rtnl_newlink+0x7af/0xa50
        [<ffffffff81d98278>] rtnl_newlink+0x48/0x70
        ...
    
    In the scenario where the macvlan mode is configured as 'source',
    macvlan_changelink_sources() will be execured to reconfigure list of
    remote source mac addresses, at the same time, if register_netdevice()
    return an error, the resource generated by macvlan_changelink_sources()
    is not cleaned up.
    
    Using this patch, in the case of an error, it will execute
    macvlan_flush_sources() to ensure that the resource is cleaned up.
    
    Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.")
    Signed-off-by: Chuang Wang <nashuiliang@gmail.com>
    Link: https://lore.kernel.org/r/20221109090735.690500-1-nashuiliang@gmail.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: marvell: prestera: fix memory leak in prestera_rxtx_switch_init() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Tue Nov 8 10:56:07 2022 +0800

    net: marvell: prestera: fix memory leak in prestera_rxtx_switch_init()
    
    [ Upstream commit 519b58bbfa825f042fcf80261cc18e1e35f85ffd ]
    
    When prestera_sdma_switch_init() failed, the memory pointed to by
    sw->rxtx isn't released. Fix it. Only be compiled, not be tested.
    
    Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Reviewed-by: Vadym Kochan <vadym.kochan@plvision.eu>
    Link: https://lore.kernel.org/r/20221108025607.338450-1-shaozhengchao@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: mv643xx_eth: disable napi when init rxq or txq failed in mv643xx_eth_open() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Wed Nov 9 10:54:32 2022 +0800

    net: mv643xx_eth: disable napi when init rxq or txq failed in mv643xx_eth_open()
    
    [ Upstream commit f111606b63ff2282428ffbac0447c871eb957b6c ]
    
    When failed to init rxq or txq in mv643xx_eth_open() for opening device,
    napi isn't disabled. When open mv643xx_eth device next time, it will
    trigger a BUG_ON() in napi_enable(). Compile tested only.
    
    Fixes: 2257e05c1705 ("mv643xx_eth: get rid of receive-side locking")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Link: https://lore.kernel.org/r/20221109025432.80900-1-shaozhengchao@huawei.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: nixge: disable napi when enable interrupts failed in nixge_open() [+ + +]
Author: Zhengchao Shao <shaozhengchao@huawei.com>
Date:   Mon Nov 7 18:14:43 2022 +0800

    net: nixge: disable napi when enable interrupts failed in nixge_open()
    
    [ Upstream commit b06334919c7a068d54ba5b219c05e919d89943f7 ]
    
    When failed to enable interrupts in nixge_open() for opening device,
    napi isn't disabled. When open nixge device next time, it will reports
    a invalid opcode issue. Fix it. Only be compiled, not be tested.
    
    Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
    Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
    Link: https://lore.kernel.org/r/20221107101443.120205-1-shaozhengchao@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: phy: mscc: macsec: clear encryption keys when freeing a flow [+ + +]
Author: Antoine Tenart <atenart@kernel.org>
Date:   Tue Nov 8 16:34:58 2022 +0100

    net: phy: mscc: macsec: clear encryption keys when freeing a flow
    
    [ Upstream commit 1b16b3fdf675cca15a537572bac50cc5354368fc ]
    
    Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after
    setting up offload") made sure to clean encryption keys from the stack
    after setting up offloading, but the MSCC PHY driver made a copy, kept
    it in the flow data and did not clear it when freeing a flow. Fix this.
    
    Fixes: 28c5107aa904 ("net: phy: mscc: macsec support")
    Signed-off-by: Antoine Tenart <atenart@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: stmmac: dwmac-meson8b: fix meson8b_devm_clk_prepare_enable() [+ + +]
Author: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Date:   Fri Nov 4 09:30:04 2022 +0100

    net: stmmac: dwmac-meson8b: fix meson8b_devm_clk_prepare_enable()
    
    [ Upstream commit ed4314f7729714d788698ade4f9905ee5378ebc0 ]
    
    There are two problems with meson8b_devm_clk_prepare_enable(),
    introduced in commit a54dc4a49045 ("net: stmmac: dwmac-meson8b:
    Make the clock enabling code re-usable"):
    
    - It doesn't pass the clk argument, but instead always the
      rgmii_tx_clk of the device.
    
    - It silently ignores the return value of devm_add_action_or_reset().
    
    The former didn't become an actual bug until another user showed up in
    the next commit 9308c47640d5 ("net: stmmac: dwmac-meson8b: add support
    for the RX delay configuration"). The latter means the callers could
    end up with the clock not actually prepared/enabled.
    
    Fixes: a54dc4a49045 ("net: stmmac: dwmac-meson8b: Make the clock enabling code re-usable")
    Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    Link: https://lore.kernel.org/r/20221104083004.2212520-1-linux@rasmusvillemoes.dk
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: tun: call napi_schedule_prep() to ensure we own a napi [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Nov 7 18:00:11 2022 +0000

    net: tun: call napi_schedule_prep() to ensure we own a napi
    
    commit 07d120aa33cc9d9115753d159f64d20c94458781 upstream.
    
    A recent patch exposed another issue in napi_get_frags()
    caught by syzbot [1]
    
    Before feeding packets to GRO, and calling napi_complete()
    we must first grab NAPI_STATE_SCHED.
    
    [1]
    WARNING: CPU: 0 PID: 3612 at net/core/dev.c:6076 napi_complete_done+0x45b/0x880 net/core/dev.c:6076
    Modules linked in:
    CPU: 0 PID: 3612 Comm: syz-executor408 Not tainted 6.1.0-rc3-syzkaller-00175-g1118b2049d77 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
    RIP: 0010:napi_complete_done+0x45b/0x880 net/core/dev.c:6076
    Code: c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 24 04 00 00 41 89 5d 1c e9 73 fc ff ff e8 b5 53 22 fa <0f> 0b e9 82 fe ff ff e8 a9 53 22 fa 48 8b 5c 24 08 31 ff 48 89 de
    RSP: 0018:ffffc90003c4f920 EFLAGS: 00010293
    RAX: 0000000000000000 RBX: 0000000000000030 RCX: 0000000000000000
    RDX: ffff8880251c0000 RSI: ffffffff875a58db RDI: 0000000000000007
    RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000001 R12: ffff888072d02628
    R13: ffff888072d02618 R14: ffff888072d02634 R15: 0000000000000000
    FS: 0000555555f13300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000055c44d3892b8 CR3: 00000000172d2000 CR4: 00000000003506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <TASK>
    napi_complete include/linux/netdevice.h:510 [inline]
    tun_get_user+0x206d/0x3a60 drivers/net/tun.c:1980
    tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2027
    call_write_iter include/linux/fs.h:2191 [inline]
    do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735
    do_iter_write+0x182/0x700 fs/read_write.c:861
    vfs_writev+0x1aa/0x630 fs/read_write.c:934
    do_writev+0x133/0x2f0 fs/read_write.c:977
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x7f37021a3c19
    
    Fixes: 1118b2049d77 ("net: tun: Fix memory leaks of napi_get_frags")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Wang Yufen <wangyufen@huawei.com>
    Link: https://lore.kernel.org/r/20221107180011.188437-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: tun: Fix memory leaks of napi_get_frags [+ + +]
Author: Wang Yufen <wangyufen@huawei.com>
Date:   Wed Nov 2 17:41:19 2022 +0800

    net: tun: Fix memory leaks of napi_get_frags
    
    [ Upstream commit 1118b2049d77ca0b505775fc1a8d1909cf19a7ec ]
    
    kmemleak reports after running test_progs:
    
    unreferenced object 0xffff8881b1672dc0 (size 232):
      comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s)
      hex dump (first 32 bytes):
        e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff  .........,g.....
        00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00  .@..............
      backtrace:
        [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150
        [<0000000041c7fc09>] __napi_build_skb+0x15/0x50
        [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540
        [<000000003ecfa30e>] napi_get_frags+0x59/0x140
        [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]
        [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]
        [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320
        [<000000008f338ea2>] do_iter_write+0x135/0x630
        [<000000008a3377a4>] vfs_writev+0x12e/0x440
        [<00000000a6b5639a>] do_writev+0x104/0x280
        [<00000000ccf065d8>] do_syscall_64+0x3b/0x90
        [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    The issue occurs in the following scenarios:
    tun_get_user()
      napi_gro_frags()
        napi_frags_finish()
          case GRO_NORMAL:
            gro_normal_one()
              list_add_tail(&skb->list, &napi->rx_list);
              <-- While napi->rx_count < READ_ONCE(gro_normal_batch),
              <-- gro_normal_list() is not called, napi->rx_list is not empty
      <-- not ask to complete the gro work, will cause memory leaks in
      <-- following tun_napi_del()
    ...
    tun_napi_del()
      netif_napi_del()
        __netif_napi_del()
        <-- &napi->rx_list is not empty, which caused memory leaks
    
    To fix, add napi_complete() after napi_gro_frags().
    
    Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
    Signed-off-by: Wang Yufen <wangyufen@huawei.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: wwan: iosm: fix memory leak in ipc_pcie_read_bios_cfg [+ + +]
Author: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
Date:   Mon Nov 7 13:04:49 2022 +0530

    net: wwan: iosm: fix memory leak in ipc_pcie_read_bios_cfg
    
    [ Upstream commit d38a648d2d6cc7bee11c6f533ff9426a00c2a74c ]
    
    ipc_pcie_read_bios_cfg() is using the acpi_evaluate_dsm() to
    obtain the wwan power state configuration from BIOS but is
    not freeing the acpi_object. The acpi_evaluate_dsm() returned
    acpi_object to be freed.
    
    Free the acpi_object after use.
    
    Fixes: 7e98d785ae61 ("net: iosm: entry point")
    Signed-off-by: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: wwan: iosm: fix memory leak in ipc_wwan_dellink [+ + +]
Author: HW He <hw.he@mediatek.com>
Date:   Thu Nov 3 18:40:00 2022 +0800

    net: wwan: iosm: fix memory leak in ipc_wwan_dellink
    
    [ Upstream commit f25caaca424703d5a0607310f0452f978f1f78d9 ]
    
    IOSM driver registers network device without setting the
    needs_free_netdev flag, and does NOT call free_netdev() when
    unregisters network device, which causes a memory leak.
    
    This patch sets needs_free_netdev to true when registers
    network device, which makes netdev subsystem call free_netdev()
    automatically after unregister_netdevice().
    
    Fixes: 2a54f2c77934 ("net: iosm: net driver")
    Signed-off-by: HW He <hw.he@mediatek.com>
    Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
    Signed-off-by: Zhaoping Shu <zhaoping.shu@mediatek.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: wwan: mhi: fix memory leak in mhi_mbim_dellink [+ + +]
Author: HW He <hw.he@mediatek.com>
Date:   Thu Nov 3 18:54:19 2022 +0800

    net: wwan: mhi: fix memory leak in mhi_mbim_dellink
    
    [ Upstream commit 668205b9c9f94d5ed6ab00cce9a46a654c2b5d16 ]
    
    MHI driver registers network device without setting the
    needs_free_netdev flag, and does NOT call free_netdev() when
    unregisters network device, which causes a memory leak.
    
    This patch sets needs_free_netdev to true when registers
    network device, which makes netdev subsystem call free_netdev()
    automatically after unregister_netdevice().
    
    Fixes: aa730a9905b7 ("net: wwan: Add MHI MBIM network driver")
    Signed-off-by: HW He <hw.he@mediatek.com>
    Signed-off-by: Zhaoping Shu <zhaoping.shu@mediatek.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
netfilter: Cleanup nft_net->module_list from nf_tables_exit_net() [+ + +]
Author: Shigeru Yoshida <syoshida@redhat.com>
Date:   Thu Nov 3 22:08:49 2022 +0900

    netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()
    
    [ Upstream commit 03c1f1ef1584c981935fab2fa0c45d3e43e2c235 ]
    
    syzbot reported a warning like below [1]:
    
    WARNING: CPU: 3 PID: 9 at net/netfilter/nf_tables_api.c:10096 nf_tables_exit_net+0x71c/0x840
    Modules linked in:
    CPU: 2 PID: 9 Comm: kworker/u8:0 Tainted: G        W          6.1.0-rc3-00072-g8e5423e991e8 #47
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
    Workqueue: netns cleanup_net
    RIP: 0010:nf_tables_exit_net+0x71c/0x840
    ...
    Call Trace:
     <TASK>
     ? __nft_release_table+0xfc0/0xfc0
     ops_exit_list+0xb5/0x180
     cleanup_net+0x506/0xb10
     ? unregister_pernet_device+0x80/0x80
     process_one_work+0xa38/0x1730
     ? pwq_dec_nr_in_flight+0x2b0/0x2b0
     ? rwlock_bug.part.0+0x90/0x90
     ? _raw_spin_lock_irq+0x46/0x50
     worker_thread+0x67e/0x10e0
     ? process_one_work+0x1730/0x1730
     kthread+0x2e5/0x3a0
     ? kthread_complete_and_exit+0x40/0x40
     ret_from_fork+0x1f/0x30
     </TASK>
    
    In nf_tables_exit_net(), there is a case where nft_net->commit_list is
    empty but nft_net->module_list is not empty.  Such a case occurs with
    the following scenario:
    
    1. nfnetlink_rcv_batch() is called
    2. nf_tables_newset() returns -EAGAIN and NFNL_BATCH_FAILURE bit is
       set to status
    3. nf_tables_abort() is called with NFNL_ABORT_AUTOLOAD
       (nft_net->commit_list is released, but nft_net->module_list is not
       because of NFNL_ABORT_AUTOLOAD flag)
    4. Jump to replay label
    5. netlink_skb_clone() fails and returns from the function (this is
       caused by fault injection in the reproducer of syzbot)
    
    This patch fixes this issue by calling __nf_tables_abort() when
    nft_net->module_list is not empty in nf_tables_exit_net().
    
    Fixes: eb014de4fd41 ("netfilter: nf_tables: autoload modules from the abort path")
    Link: https://syzkaller.appspot.com/bug?id=802aba2422de4218ad0c01b46c9525cc9d4e4aa3 [1]
    Reported-by: syzbot+178efee9e2d7f87f5103@syzkaller.appspotmail.com
    Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg() [+ + +]
Author: Ziyang Xuan <william.xuanziyang@huawei.com>
Date:   Thu Nov 3 09:12:02 2022 +0800

    netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg()
    
    [ Upstream commit 03832a32bf8ff0a8305d94ddd3979835a807248f ]
    
    When type is NFNL_CB_MUTEX and -EAGAIN error occur in nfnetlink_rcv_msg(),
    it does not execute nfnl_unlock(). That would trigger potential dead lock.
    
    Fixes: 50f2db9e368f ("netfilter: nfnetlink: consolidate callback types")
    Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nilfs2: fix deadlock in nilfs_count_free_blocks() [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Sat Oct 29 13:49:12 2022 +0900

    nilfs2: fix deadlock in nilfs_count_free_blocks()
    
    commit 8ac932a4921a96ca52f61935dbba64ea87bbd5dc upstream.
    
    A semaphore deadlock can occur if nilfs_get_block() detects metadata
    corruption while locating data blocks and a superblock writeback occurs at
    the same time:
    
    task 1                               task 2
    ------                               ------
    * A file operation *
    nilfs_truncate()
      nilfs_get_block()
        down_read(rwsem A) <--
        nilfs_bmap_lookup_contig()
          ...                            generic_shutdown_super()
                                           nilfs_put_super()
                                             * Prepare to write superblock *
                                             down_write(rwsem B) <--
                                             nilfs_cleanup_super()
          * Detect b-tree corruption *         nilfs_set_log_cursor()
          nilfs_bmap_convert_error()             nilfs_count_free_blocks()
            __nilfs_error()                        down_read(rwsem A) <--
              nilfs_set_error()
                down_write(rwsem B) <--
    
                               *** DEADLOCK ***
    
    Here, nilfs_get_block() readlocks rwsem A (= NILFS_MDT(dat_inode)->mi_sem)
    and then calls nilfs_bmap_lookup_contig(), but if it fails due to metadata
    corruption, __nilfs_error() is called from nilfs_bmap_convert_error()
    inside the lock section.
    
    Since __nilfs_error() calls nilfs_set_error() unless the filesystem is
    read-only and nilfs_set_error() attempts to writelock rwsem B (=
    nilfs->ns_sem) to write back superblock exclusively, hierarchical lock
    acquisition occurs in the order rwsem A -> rwsem B.
    
    Now, if another task starts updating the superblock, it may writelock
    rwsem B during the lock sequence above, and can deadlock trying to
    readlock rwsem A in nilfs_count_free_blocks().
    
    However, there is actually no need to take rwsem A in
    nilfs_count_free_blocks() because it, within the lock section, only reads
    a single integer data on a shared struct with
    nilfs_sufile_get_ncleansegs().  This has been the case after commit
    aa474a220180 ("nilfs2: add local variable to cache the number of clean
    segments"), that is, even before this bug was introduced.
    
    So, this resolves the deadlock problem by just not taking the semaphore in
    nilfs_count_free_blocks().
    
    Link: https://lkml.kernel.org/r/20221029044912.9139-1-konishi.ryusuke@gmail.com
    Fixes: e828949e5b42 ("nilfs2: call nilfs_error inside bmap routines")
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+45d6ce7b7ad7ef455d03@syzkaller.appspotmail.com
    Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: <stable@vger.kernel.org>    [2.6.38+
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nilfs2: fix use-after-free bug of ns_writer on remount [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Fri Nov 4 23:29:59 2022 +0900

    nilfs2: fix use-after-free bug of ns_writer on remount
    
    commit 8cccf05fe857a18ee26e20d11a8455a73ffd4efd upstream.
    
    If a nilfs2 filesystem is downgraded to read-only due to metadata
    corruption on disk and is remounted read/write, or if emergency read-only
    remount is performed, detaching a log writer and synchronizing the
    filesystem can be done at the same time.
    
    In these cases, use-after-free of the log writer (hereinafter
    nilfs->ns_writer) can happen as shown in the scenario below:
    
     Task1                               Task2
     --------------------------------    ------------------------------
     nilfs_construct_segment
       nilfs_segctor_sync
         init_wait
         init_waitqueue_entry
         add_wait_queue
         schedule
                                         nilfs_remount (R/W remount case)
                                           nilfs_attach_log_writer
                                             nilfs_detach_log_writer
                                               nilfs_segctor_destroy
                                                 kfree
         finish_wait
           _raw_spin_lock_irqsave
             __raw_spin_lock_irqsave
               do_raw_spin_lock
                 debug_spin_lock_before  <-- use-after-free
    
    While Task1 is sleeping, nilfs->ns_writer is freed by Task2.  After Task1
    waked up, Task1 accesses nilfs->ns_writer which is already freed.  This
    scenario diagram is based on the Shigeru Yoshida's post [1].
    
    This patch fixes the issue by not detaching nilfs->ns_writer on remount so
    that this UAF race doesn't happen.  Along with this change, this patch
    also inserts a few necessary read-only checks with superblock instance
    where only the ns_writer pointer was used to check if the filesystem is
    read-only.
    
    Link: https://syzkaller.appspot.com/bug?id=79a4c002e960419ca173d55e863bd09e8112df8b
    Link: https://lkml.kernel.org/r/20221103141759.1836312-1-syoshida@redhat.com [1]
    Link: https://lkml.kernel.org/r/20221104142959.28296-1-konishi.ryusuke@gmail.com
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+f816fa82f8783f7a02bb@syzkaller.appspotmail.com
    Reported-by: Shigeru Yoshida <syoshida@redhat.com>
    Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
octeontx2-pf: NIX TX overwrites SQ_CTX_HW_S[SQ_INT] [+ + +]
Author: Ratheesh Kannoth <rkannoth@marvell.com>
Date:   Wed Nov 2 08:41:13 2022 +0530

    octeontx2-pf: NIX TX overwrites SQ_CTX_HW_S[SQ_INT]
    
    [ Upstream commit 51afe9026d0c63263abe9840e629f118d7405b36 ]
    
    In scenarios where multiple errors have occurred
    for a SQ before SW starts handling error interrupt,
    SQ_CTX[OP_INT] may get overwritten leading to
    NIX_LF_SQ_OP_INT returning incorrect value.
    To workaround this read LMT, MNQ and SQ individual
    error status registers to determine the cause of error.
    
    Fixes: 4ff7d1488a84 ("octeontx2-pf: Error handling support")
    Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
    Reviewed-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

octeontx2-pf: Use hardware register for CQE count [+ + +]
Author: Geetha sowjanya <gakula@marvell.com>
Date:   Tue Sep 28 11:25:26 2021 +0530

    octeontx2-pf: Use hardware register for CQE count
    
    [ Upstream commit af3826db74d184bc9c2c9d3ff34548e5f317a6f3 ]
    
    Current driver uses software CQ head pointer to poll on CQE
    header in memory to determine if CQE is valid. Software needs
    to make sure, that the reads of the CQE do not get re-ordered
    so much that it ends up with an inconsistent view of the CQE.
    To ensure that DMB barrier after read to first CQE cacheline
    and before reading of the rest of the CQE is needed.
    But having barrier for every CQE read will impact the performance,
    instead use hardware CQ head and tail pointers to find the
    valid number of CQEs.
    
    Signed-off-by: Geetha sowjanya <gakula@marvell.com>
    Signed-off-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Stable-dep-of: 51afe9026d0c ("octeontx2-pf: NIX TX overwrites SQ_CTX_HW_S[SQ_INT]")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
perf stat: Fix printing os->prefix in CSV metrics output [+ + +]
Author: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Date:   Tue Oct 18 14:26:04 2022 +0530

    perf stat: Fix printing os->prefix in CSV metrics output
    
    [ Upstream commit ad353b710c7493df3d4fc2d3a51819126bed2e81 ]
    
    'perf stat' with CSV output option prints an extra empty string as first
    field in metrics output line.  Sample output below:
    
            # ./perf stat -x, --per-socket -a -C 1 ls
            S0,1,1.78,msec,cpu-clock,1785146,100.00,0.973,CPUs utilized
            S0,1,26,,context-switches,1781750,100.00,0.015,M/sec
            S0,1,1,,cpu-migrations,1780526,100.00,0.561,K/sec
            S0,1,1,,page-faults,1779060,100.00,0.561,K/sec
            S0,1,875807,,cycles,1769826,100.00,0.491,GHz
            S0,1,85281,,stalled-cycles-frontend,1767512,100.00,9.74,frontend cycles idle
            S0,1,576839,,stalled-cycles-backend,1766260,100.00,65.86,backend cycles idle
            S0,1,288430,,instructions,1762246,100.00,0.33,insn per cycle
    ====>   ,S0,1,,,,,,,2.00,stalled cycles per insn
    
    The above command line uses field separator as "," via "-x," option and
    per-socket option displays socket value as first field. But here the
    last line for "stalled cycles per insn" has "," in the beginning.
    
    Sample output using interval mode:
    
            # ./perf stat -I 1000 -x, --per-socket -a -C 1 ls
            0.001813453,S0,1,1.87,msec,cpu-clock,1872052,100.00,0.002,CPUs utilized
            0.001813453,S0,1,2,,context-switches,1868028,100.00,1.070,K/sec
            ------
            0.001813453,S0,1,85379,,instructions,1856754,100.00,0.32,insn per cycle
    ====>   0.001813453,,S0,1,,,,,,,1.34,stalled cycles per insn
    
    Above result also has an extra CSV separator after
    the timestamp. Patch addresses extra field separator
    in the beginning of the metric output line.
    
    The counter stats are displayed by function
    "perf_stat__print_shadow_stats" in code
    "util/stat-shadow.c". While printing the stats info
    for "stalled cycles per insn", function "new_line_csv"
    is used as new_line callback.
    
    The new_line_csv function has check for "os->prefix"
    and if prefix is not null, it will be printed along
    with cvs separator.
    Snippet from "new_line_csv":
            if (os->prefix)
                   fprintf(os->fh, "%s%s", os->prefix, config->csv_sep);
    
    Here os->prefix gets printed followed by ","
    which is the cvs separator. The os->prefix is
    used in interval mode option ( -I ), to print
    time stamp on every new line. But prefix is
    already set to contain CSV separator when used
    in interval mode for CSV option.
    
    Reference: Function "static void print_interval"
    Snippet:
            sprintf(prefix, "%6lu.%09lu%s", ts->tv_sec, ts->tv_nsec, config->csv_sep);
    
    Also if prefix is not assigned (if not used with
    -I option), it gets set to empty string.
    Reference: function printout() in util/stat-display.c
    Snippet:
            .prefix = prefix ? prefix : "",
    
    Since prefix already set to contain cvs_sep in interval
    option, patch removes printing config->csv_sep in
    new_line_csv function to avoid printing extra field.
    
    After the patch:
    
            # ./perf stat -x, --per-socket -a -C 1 ls
            S0,1,2.04,msec,cpu-clock,2045202,100.00,1.013,CPUs utilized
            S0,1,2,,context-switches,2041444,100.00,979.289,/sec
            S0,1,0,,cpu-migrations,2040820,100.00,0.000,/sec
            S0,1,2,,page-faults,2040288,100.00,979.289,/sec
            S0,1,254589,,cycles,2036066,100.00,0.125,GHz
            S0,1,82481,,stalled-cycles-frontend,2032420,100.00,32.40,frontend cycles idle
            S0,1,113170,,stalled-cycles-backend,2031722,100.00,44.45,backend cycles idle
            S0,1,88766,,instructions,2030942,100.00,0.35,insn per cycle
            S0,1,,,,,,,1.27,stalled cycles per insn
    
    Fixes: 92a61f6412d3a09d ("perf stat: Implement CSV metrics output")
    Reported-by: Disha Goel <disgoel@linux.vnet.ibm.com>
    Reviewed-By: Kajol Jain <kjain@linux.ibm.com>
    Signed-off-by: Athira Jajeev <atrajeev@linux.vnet.ibm.com>
    Tested-by: Disha Goel <disgoel@linux.vnet.ibm.com>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: Ian Rogers <irogers@google.com>
    Cc: James Clark <james.clark@arm.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: linuxppc-dev@lists.ozlabs.org
    Cc: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
    Cc: Michael Ellerman <mpe@ellerman.id.au>
    Cc: Nageswara R Sastry <rnsastry@linux.ibm.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Link: https://lore.kernel.org/r/20221018085605.63834-1-atrajeev@linux.vnet.ibm.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
perf tools: Add the include/perf/ directory to .gitignore [+ + +]
Author: Donglin Peng <dolinux.peng@gmail.com>
Date:   Thu Nov 3 02:27:04 2022 -0700

    perf tools: Add the include/perf/ directory to .gitignore
    
    [ Upstream commit 94d957ae513fc420d0a5a9bac815eb49ffebb56f ]
    
    Commit 3af1dfdd51e06697 ("perf build: Move perf_dlfilters.h in the
    source tree") moved perf_dlfilters.h to the include/perf/ directory
    while include/perf is ignored because it has 'perf' in the name.  Newly
    created files in the include/perf/ directory will be ignored.
    
    Testing:
    
    Before:
    
      $ touch tools/perf/include/perf/junk
      $ git status | grep junk
      $ git check-ignore -v tools/perf/include/perf/junk
      tools/perf/.gitignore:6:perf    tools/perf/include/perf/junk
    
    After:
    
      $ git status | grep junk
      tools/perf/include/perf/junk
      $ git check-ignore -v tools/perf/include/perf/junk
    
    Add !include/perf/ to perf's .gitignore file.
    
    Fixes: 3af1dfdd51e06697 ("perf build: Move perf_dlfilters.h in the source tree")
    Signed-off-by: Donglin Peng <dolinux.peng@gmail.com>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Link: https://lore.kernel.org/r/20221103092704.173391-1-dolinux.peng@gmail.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
phy: ralink: mt7621-pci: add sentinel to quirks table [+ + +]
Author: John Thomson <git@johnthomson.fastmail.com.au>
Date:   Sat Nov 5 06:52:41 2022 +1000

    phy: ralink: mt7621-pci: add sentinel to quirks table
    
    [ Upstream commit 819b885cd886c193782891c4f51bbcab3de119a4 ]
    
    With mt7621 soc_dev_attr fixed to register the soc as a device,
    kernel will experience an oops in soc_device_match_attr
    
    This quirk test was introduced in the staging driver in
    commit 9445ccb3714c ("staging: mt7621-pci-phy: add quirks for 'E2'
    revision using 'soc_device_attribute'"). The staging driver was removed,
    and later re-added in commit d87da32372a0 ("phy: ralink: Add PHY driver
    for MT7621 PCIe PHY") for kernel 5.11
    
    Link: https://lore.kernel.org/lkml/26ebbed1-0fe9-4af9-8466-65f841d0b382@app.fastmail.com
    Fixes: d87da32372a0 ("phy: ralink: Add PHY driver for MT7621 PCIe PHY")
    Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
    Acked-by: Sergio Paracuellos <sergio.paracuellos@gmail.com>
    Link: https://lore.kernel.org/r/20221104205242.3440388-2-git@johnthomson.fastmail.com.au
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

phy: stm32: fix an error code in probe [+ + +]
Author: Dan Carpenter <error27@gmail.com>
Date:   Fri Oct 14 12:25:06 2022 +0300

    phy: stm32: fix an error code in probe
    
    [ Upstream commit ca1c73628f5bd0c1ef6e46073cc3be2450605b06 ]
    
    If "index > usbphyc->nphys" is true then this returns success but it
    should return -EINVAL.
    
    Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
    Link: https://lore.kernel.org/r/Y0kq8j6S+5nDdMpr@kili
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi [+ + +]
Author: Jorge Lopez <jorge.lopez2@hp.com>
Date:   Fri Oct 28 10:55:27 2022 -0500

    platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi
    
    commit 1598bfa8e1faa932de42e1ee7628a1c4c4263f0a upstream.
    
    After upgrading BIOS to U82 01.02.01 Rev.A, the console is flooded
    strange char "^@" which printed out every second and makes login
    nearly impossible. Also the below messages were shown both in console
    and journal/dmesg every second:
    
    usb 1-3: Device not responding to setup address.
    usb 1-3: device not accepting address 4, error -71
    usb 1-3: device descriptor read/all, error -71
    usb usb1-port3: unable to enumerate USB device
    
    Wifi is soft blocked by checking rfkill. When unblocked manually,
    after few seconds it would be soft blocked again. So I was suspecting
    something triggered rfkill to soft block wifi.  At the end it was
    fixed by removing hp_wmi module.
    
    The root cause is the way hp-wmi driver handles command 1B on
    post-2009 BIOS.  In pre-2009 BIOS, command 1Bh return 0x4 to indicate
    that BIOS no longer controls the power for the wireless devices.
    
    Signed-off-by: Jorge Lopez <jorge.lopez2@hp.com>
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=216468
    Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
    Link: https://lore.kernel.org/r/20221028155527.7724-1-jorge.lopez2@hp.com
    Cc: stable@vger.kernel.org
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
riscv: fix reserved memory setup [+ + +]
Author: Conor Dooley <conor.dooley@microchip.com>
Date:   Mon Nov 7 15:15:25 2022 +0000

    riscv: fix reserved memory setup
    
    [ Upstream commit 50e63dd8ed92045eb70a72d7ec725488320fb68b ]
    
    Currently, RISC-V sets up reserved memory using the "early" copy of the
    device tree. As a result, when trying to get a reserved memory region
    using of_reserved_mem_lookup(), the pointer to reserved memory regions
    is using the early, pre-virtual-memory address which causes a kernel
    panic when trying to use the buffer's name:
    
     Unable to handle kernel paging request at virtual address 00000000401c31ac
     Oops [#1]
     Modules linked in:
     CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1
     Hardware name: Microchip PolarFire-SoC Icicle Kit (DT)
     epc : string+0x4a/0xea
      ra : vsnprintf+0x1e4/0x336
     epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0
      gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000
      t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20
      s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000
      a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff
      a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff
      s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008
      s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00
      s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002
      s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617
      t5 : ffffffff812f3618 t6 : ffffffff81203d08
     status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d
     [<ffffffff80338936>] vsnprintf+0x1e4/0x336
     [<ffffffff80055ae2>] vprintk_store+0xf6/0x344
     [<ffffffff80055d86>] vprintk_emit+0x56/0x192
     [<ffffffff80055ed8>] vprintk_default+0x16/0x1e
     [<ffffffff800563d2>] vprintk+0x72/0x80
     [<ffffffff806813b2>] _printk+0x36/0x50
     [<ffffffff8068af48>] print_reserved_mem+0x1c/0x24
     [<ffffffff808057ec>] paging_init+0x528/0x5bc
     [<ffffffff808031ae>] setup_arch+0xd0/0x592
     [<ffffffff8080070e>] start_kernel+0x82/0x73c
    
    early_init_fdt_scan_reserved_mem() takes no arguments as it operates on
    initial_boot_params, which is populated by early_init_dt_verify(). On
    RISC-V, early_init_dt_verify() is called twice. Once, directly, in
    setup_arch() if CONFIG_BUILTIN_DTB is not enabled and once indirectly,
    very early in the boot process, by parse_dtb() when it calls
    early_init_dt_scan_nodes().
    
    This first call uses dtb_early_va to set initial_boot_params, which is
    not usable later in the boot process when
    early_init_fdt_scan_reserved_mem() is called. On arm64 for example, the
    corresponding call to early_init_dt_scan_nodes() uses fixmap addresses
    and doesn't suffer the same fate.
    
    Move early_init_fdt_scan_reserved_mem() further along the boot sequence,
    after the direct call to early_init_dt_verify() in setup_arch() so that
    the names use the correct virtual memory addresses. The above supposed
    that CONFIG_BUILTIN_DTB was not set, but should work equally in the case
    where it is - unflatted_and_copy_device_tree() also updates
    initial_boot_params.
    
    Reported-by: Valentina Fernandez <valentina.fernandezalanis@microchip.com>
    Reported-by: Evgenii Shatokhin <e.shatokhin@yadro.com>
    Link: https://lore.kernel.org/linux-riscv/f8e67f82-103d-156c-deb0-d6d6e2756f5e@microchip.com/
    Fixes: 922b0375fc93 ("riscv: Fix memblock reservation for device tree blob")
    Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
    Tested-by: Evgenii Shatokhin <e.shatokhin@yadro.com>
    Link: https://lore.kernel.org/r/20221107151524.3941467-1-conor.dooley@microchip.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

riscv: process: fix kernel info leakage [+ + +]
Author: Jisheng Zhang <jszhang@kernel.org>
Date:   Sat Oct 29 19:34:50 2022 +0800

    riscv: process: fix kernel info leakage
    
    [ Upstream commit 6510c78490c490a6636e48b61eeaa6fb65981f4b ]
    
    thread_struct's s[12] may contain random kernel memory content, which
    may be finally leaked to userspace. This is a security hole. Fix it
    by clearing the s[12] array in thread_struct when fork.
    
    As for kthread case, it's better to clear the s[12] array as well.
    
    Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
    Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
    Tested-by: Guo Ren <guoren@kernel.org>
    Link: https://lore.kernel.org/r/20221029113450.4027-1-jszhang@kernel.org
    Reviewed-by: Guo Ren <guoren@kernel.org>
    Link: https://lore.kernel.org/r/CAJF2gTSdVyAaM12T%2B7kXAdRPGS4VyuO08X1c7paE-n4Fr8OtRA@mail.gmail.com/
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

riscv: vdso: fix build with llvm [+ + +]
Author: Jisheng Zhang <jszhang@kernel.org>
Date:   Tue Nov 1 02:29:43 2022 +0800

    riscv: vdso: fix build with llvm
    
    [ Upstream commit 50f4dd657a0fcf90aa8da8dc2794a8100ff4c37c ]
    
    Even after commit 89fd4a1df829 ("riscv: jump_label: mark arguments as
    const to satisfy asm constraints"), building with CC_OPTIMIZE_FOR_SIZE
    + LLVM=1 can reproduce below build error:
    
      CC      arch/riscv/kernel/vdso/vgettimeofday.o
    In file included from <built-in>:4:
    In file included from lib/vdso/gettimeofday.c:5:
    In file included from include/vdso/datapage.h:17:
    In file included from include/vdso/processor.h:10:
    In file included from arch/riscv/include/asm/vdso/processor.h:7:
    In file included from include/linux/jump_label.h:112:
    arch/riscv/include/asm/jump_label.h:42:3: error:
    invalid operand for inline asm constraint 'i'
                    "       .option push                            \n\t"
                    ^
    1 error generated.
    
    I think the problem is when "-Os" is passed as CFLAGS, it's removed by
    "CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) -Os" which is
    introduced in commit e05d57dcb8c7 ("riscv: Fixup __vdso_gettimeofday
    broke dynamic ftrace"), thus no optimization at all for vgettimeofday.c
    arm64 does remove "-Os" as well, but it forces "-O2" after removing
    "-Os".
    
    I compared the generated vgettimeofday.o with "-O2" and "-Os",
    I think no big performance difference. So let's tell the kbuild not
    to remove "-Os" rather than follow arm64 style.
    
    vdso related performance can be improved a lot when building kernel with
    CC_OPTIMIZE_FOR_SIZE after this commit, ("-Os" VS no optimization)
    
    Fixes: e05d57dcb8c7 ("riscv: Fixup __vdso_gettimeofday broke dynamic ftrace")
    Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
    Tested-by: Conor Dooley <conor.dooley@microchip.com>
    Link: https://lore.kernel.org/r/20221031182943.2453-1-jszhang@kernel.org
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
soundwire: qcom: check for outanding writes before doing a read [+ + +]
Author: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Date:   Wed Oct 26 12:02:06 2022 +0100

    soundwire: qcom: check for outanding writes before doing a read
    
    [ Upstream commit 49a467310dc4fae591a3547860ee04d8730780f4 ]
    
    Reading will increase the fifo count, so check for outstanding cmd wrt.
    write fifo depth to avoid overflow as read will also increase
    write fifo cnt.
    
    Fixes: a661308c34de ("soundwire: qcom: wait for fifo space to be available before read/write")
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20221026110210.6575-3-srinivas.kandagatla@linaro.org
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

soundwire: qcom: reinit broadcast completion [+ + +]
Author: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Date:   Wed Oct 26 12:02:05 2022 +0100

    soundwire: qcom: reinit broadcast completion
    
    [ Upstream commit f936fa7a954b262cb3908bbc8f01ba19dfaf9fbf ]
    
    For some reason we never reinit the broadcast completion, there is a
    danger that broadcast commands could be treated as completed by driver
    from previous complete status.
    Fix this by reinitializing the completion before sending a broadcast command.
    
    Fixes: ddea6cf7b619 ("soundwire: qcom: update register read/write routine")
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20221026110210.6575-2-srinivas.kandagatla@linaro.org
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
stmmac: dwmac-loongson: fix missing of_node_put() while module exiting [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Tue Nov 8 19:46:47 2022 +0800

    stmmac: dwmac-loongson: fix missing of_node_put() while module exiting
    
    [ Upstream commit 7f94d0498f9c763f37172c08059ae91804c3075a ]
    
    The node returned by of_get_child_by_name() with refcount decremented,
    of_node_put() needs be called when finish using it. So add it in the
    error path in loongson_dwmac_probe() and in loongson_dwmac_remove().
    
    Fixes: 2ae34111fe4e ("stmmac: dwmac-loongson: fix invalid mdio_node")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

stmmac: dwmac-loongson: fix missing pci_disable_device() in loongson_dwmac_probe() [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Tue Nov 8 19:46:46 2022 +0800

    stmmac: dwmac-loongson: fix missing pci_disable_device() in loongson_dwmac_probe()
    
    [ Upstream commit fe5b3ce8b4377e543960220f539b989a927afd8a ]
    
    Add missing pci_disable_device() in the error path in loongson_dwmac_probe().
    
    Fixes: 30bba69d7db4 ("stmmac: pci: Add dwmac support for Loongson")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

stmmac: dwmac-loongson: fix missing pci_disable_msi() while module exiting [+ + +]
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Tue Nov 8 19:46:45 2022 +0800

    stmmac: dwmac-loongson: fix missing pci_disable_msi() while module exiting
    
    [ Upstream commit f2d45fdf9a0ed2c94c01c422a0d0add8ffd42099 ]
    
    pci_enable_msi() has been called in loongson_dwmac_probe(),
    so pci_disable_msi() needs be called in remove path and error
    path of probe().
    
    Fixes: 30bba69d7db4 ("stmmac: pci: Add dwmac support for Loongson")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

stmmac: intel: Enable 2.5Gbps for Intel AlderLake-S [+ + +]
Author: Wong Vee Khee <vee.khee.wong@linux.intel.com>
Date:   Fri Feb 25 10:33:25 2022 +0800

    stmmac: intel: Enable 2.5Gbps for Intel AlderLake-S
    
    [ Upstream commit 23d743301198f7903d732d5abb4f2b44f22f5df0 ]
    
    Intel AlderLake-S platform is capable of running on 2.5GBps link speed.
    
    This patch enables 2.5Gbps link speed on AlderLake-S platform.
    
    Signed-off-by: Wong Vee Khee <vee.khee.wong@linux.intel.com>
    Link: https://lore.kernel.org/r/20220225023325.474242-1-vee.khee.wong@linux.intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Stable-dep-of: dcea1a8107c0 ("stmmac: intel: Update PCH PTP clock rate from 200MHz to 204.8MHz")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

stmmac: intel: Update PCH PTP clock rate from 200MHz to 204.8MHz [+ + +]
Author: Tan, Tee Min <tee.min.tan@intel.com>
Date:   Mon Nov 7 21:08:11 2022 -0500

    stmmac: intel: Update PCH PTP clock rate from 200MHz to 204.8MHz
    
    [ Upstream commit dcea1a8107c04b9521dee1dd37971757a22db162 ]
    
    Current Intel platform has an output of ~976ms interval
    when probed on 1 Pulse-per-Second(PPS) hardware pin.
    
    The correct PTP clock frequency for PCH GbE should be 204.8MHz
    instead of 200MHz. PSE GbE PTP clock rate remains at 200MHz.
    
    Fixes: 58da0cfa6cf1 ("net: stmmac: create dwmac-intel.c to contain all Intel platform")
    Signed-off-by: Ling Pei Lee <pei.lee.ling@intel.com>
    Signed-off-by: Tan, Tee Min <tee.min.tan@intel.com>
    Signed-off-by: Voon Weifeng <weifeng.voon@intel.com>
    Signed-off-by: Gan Yi Fang <yi.fang.gan@intel.com>
    Link: https://lore.kernel.org/r/20221108020811.12919-1-yi.fang.gan@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp: prohibit TCP_REPAIR_OPTIONS if data was already sent [+ + +]
Author: Lu Wei <luwei32@huawei.com>
Date:   Fri Nov 4 10:27:23 2022 +0800

    tcp: prohibit TCP_REPAIR_OPTIONS if data was already sent
    
    [ Upstream commit 0c175da7b0378445f5ef53904247cfbfb87e0b78 ]
    
    If setsockopt with option name of TCP_REPAIR_OPTIONS and opt_code
    of TCPOPT_SACK_PERM is called to enable sack after data is sent
    and dupacks are received , it will trigger a warning in function
    tcp_verify_left_out() as follows:
    
    ============================================
    WARNING: CPU: 8 PID: 0 at net/ipv4/tcp_input.c:2132
    tcp_timeout_mark_lost+0x154/0x160
    tcp_enter_loss+0x2b/0x290
    tcp_retransmit_timer+0x50b/0x640
    tcp_write_timer_handler+0x1c8/0x340
    tcp_write_timer+0xe5/0x140
    call_timer_fn+0x3a/0x1b0
    __run_timers.part.0+0x1bf/0x2d0
    run_timer_softirq+0x43/0xb0
    __do_softirq+0xfd/0x373
    __irq_exit_rcu+0xf6/0x140
    
    The warning is caused in the following steps:
    1. a socket named socketA is created
    2. socketA enters repair mode without build a connection
    3. socketA calls connect() and its state is changed to TCP_ESTABLISHED
       directly
    4. socketA leaves repair mode
    5. socketA calls sendmsg() to send data, packets_out and sack_outs(dup
       ack receives) increase
    6. socketA enters repair mode again
    7. socketA calls setsockopt with TCPOPT_SACK_PERM to enable sack
    8. retransmit timer expires, it calls tcp_timeout_mark_lost(), lost_out
       increases
    9. sack_outs + lost_out > packets_out triggers since lost_out and
       sack_outs increase repeatly
    
    In function tcp_timeout_mark_lost(), tp->sacked_out will be cleared if
    Step7 not happen and the warning will not be triggered. As suggested by
    Denis and Eric, TCP_REPAIR_OPTIONS should be prohibited if data was
    already sent.
    
    socket-tcp tests in CRIU has been tested as follows:
    $ sudo ./test/zdtm.py run -t zdtm/static/socket-tcp*  --keep-going \
           --ignore-taint
    
    socket-tcp* represent all socket-tcp tests in test/zdtm/static/.
    
    Fixes: b139ba4e90dc ("tcp: Repair connection-time negotiated parameters")
    Signed-off-by: Lu Wei <luwei32@huawei.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
thunderbolt: Add DP OUT resource when DP tunnel is discovered [+ + +]
Author: Sanjay R Mehta <sanju.mehta@amd.com>
Date:   Thu Aug 4 05:48:38 2022 -0500

    thunderbolt: Add DP OUT resource when DP tunnel is discovered
    
    commit b60e31bf18a7064032dbcb73dcb5b58f8a00a110 upstream.
    
    If the boot firmware implements a connection manager of its own it may
    create a DisplayPort tunnel and will be handed off to Linux connection
    manager, but the DP OUT resource is not saved in the dp_resource list.
    
    This patch adds tunnelled DP OUT port to the dp_resource list once the
    DP tunnel is discovered.
    
    Signed-off-by: Sanjay R Mehta <sanju.mehta@amd.com>
    Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
    Tested-by: Renjith Pananchikkal <Renjith.Pananchikkal@amd.com>
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Cc: "Limonciello, Mario" <Mario.Limonciello@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

thunderbolt: Tear down existing tunnels when resuming from hibernate [+ + +]
Author: Mika Westerberg <mika.westerberg@linux.intel.com>
Date:   Sun Nov 14 17:20:59 2021 +0200

    thunderbolt: Tear down existing tunnels when resuming from hibernate
    
    commit 43bddb26e20af916249b5318200cfe1734c1700c upstream.
    
    If the boot firmware implements connection manager of its own it may not
    create the paths in the same way or order we do. For example it may
    create first PCIe tunnel and then USB3 tunnel. When we restore our
    tunnels (first de-activating them) we may be doing that over completely
    different tunnels and that leaves them possibly non-functional. For this
    reason we re-use the tunnel discovery functionality and find out all the
    existing tunnels, and tear them down. Once that is done we can restore
    our tunnels.
    
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Cc: "Limonciello, Mario" <Mario.Limonciello@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
tipc: fix the msg->req tlv len check in tipc_nl_compat_name_table_dump_header [+ + +]
Author: Xin Long <lucien.xin@gmail.com>
Date:   Fri Nov 4 16:48:53 2022 -0400

    tipc: fix the msg->req tlv len check in tipc_nl_compat_name_table_dump_header
    
    [ Upstream commit 1c075b192fe41030457cd4a5f7dea730412bca40 ]
    
    This is a follow-up for commit 974cb0e3e7c9 ("tipc: fix uninit-value
    in tipc_nl_compat_name_table_dump") where it should have type casted
    sizeof(..) to int to work when TLV_GET_DATA_LEN() returns a negative
    value.
    
    syzbot reported a call trace because of it:
    
      BUG: KMSAN: uninit-value in ...
       tipc_nl_compat_name_table_dump+0x841/0xea0 net/tipc/netlink_compat.c:934
       __tipc_nl_compat_dumpit+0xab2/0x1320 net/tipc/netlink_compat.c:238
       tipc_nl_compat_dumpit+0x991/0xb50 net/tipc/netlink_compat.c:321
       tipc_nl_compat_recv+0xb6e/0x1640 net/tipc/netlink_compat.c:1324
       genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
       genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
       genl_rcv_msg+0x103f/0x1260 net/netlink/genetlink.c:792
       netlink_rcv_skb+0x3a5/0x6c0 net/netlink/af_netlink.c:2501
       genl_rcv+0x3c/0x50 net/netlink/genetlink.c:803
       netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
       netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
       netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
       sock_sendmsg_nosec net/socket.c:714 [inline]
       sock_sendmsg net/socket.c:734 [inline]
    
    Reported-by: syzbot+e5dbaaa238680ce206ea@syzkaller.appspotmail.com
    Fixes: 974cb0e3e7c9 ("tipc: fix uninit-value in tipc_nl_compat_name_table_dump")
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Link: https://lore.kernel.org/r/ccd6a7ea801b15aec092c3b532a883b4c5708695.1667594933.git.lucien.xin@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
udf: Fix a slab-out-of-bounds write bug in udf_find_entry() [+ + +]
Author: ZhangPeng <zhangpeng362@huawei.com>
Date:   Wed Nov 9 01:35:42 2022 +0000

    udf: Fix a slab-out-of-bounds write bug in udf_find_entry()
    
    commit c8af247de385ce49afabc3bf1cf4fd455c94bfe8 upstream.
    
    Syzbot reported a slab-out-of-bounds Write bug:
    
    loop0: detected capacity change from 0 to 2048
    ==================================================================
    BUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0
    fs/udf/namei.c:253
    Write of size 105 at addr ffff8880123ff896 by task syz-executor323/3610
    
    CPU: 0 PID: 3610 Comm: syz-executor323 Not tainted
    6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
    Hardware name: Google Compute Engine/Google Compute Engine, BIOS
    Google 10/11/2022
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
     print_address_description+0x74/0x340 mm/kasan/report.c:284
     print_report+0x107/0x1f0 mm/kasan/report.c:395
     kasan_report+0xcd/0x100 mm/kasan/report.c:495
     kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
     memcpy+0x3c/0x60 mm/kasan/shadow.c:66
     udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253
     udf_lookup+0xef/0x340 fs/udf/namei.c:309
     lookup_open fs/namei.c:3391 [inline]
     open_last_lookups fs/namei.c:3481 [inline]
     path_openat+0x10e6/0x2df0 fs/namei.c:3710
     do_filp_open+0x264/0x4f0 fs/namei.c:3740
     do_sys_openat2+0x124/0x4e0 fs/open.c:1310
     do_sys_open fs/open.c:1326 [inline]
     __do_sys_creat fs/open.c:1402 [inline]
     __se_sys_creat fs/open.c:1396 [inline]
     __x64_sys_creat+0x11f/0x160 fs/open.c:1396
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x7ffab0d164d9
    Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89
    f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
    f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9
    RDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180
    RBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000
    R10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
     </TASK>
    
    Allocated by task 3610:
     kasan_save_stack mm/kasan/common.c:45 [inline]
     kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
     ____kasan_kmalloc mm/kasan/common.c:371 [inline]
     __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
     kmalloc include/linux/slab.h:576 [inline]
     udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243
     udf_lookup+0xef/0x340 fs/udf/namei.c:309
     lookup_open fs/namei.c:3391 [inline]
     open_last_lookups fs/namei.c:3481 [inline]
     path_openat+0x10e6/0x2df0 fs/namei.c:3710
     do_filp_open+0x264/0x4f0 fs/namei.c:3740
     do_sys_openat2+0x124/0x4e0 fs/open.c:1310
     do_sys_open fs/open.c:1326 [inline]
     __do_sys_creat fs/open.c:1402 [inline]
     __se_sys_creat fs/open.c:1396 [inline]
     __x64_sys_creat+0x11f/0x160 fs/open.c:1396
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    The buggy address belongs to the object at ffff8880123ff800
     which belongs to the cache kmalloc-256 of size 256
    The buggy address is located 150 bytes inside of
     256-byte region [ffff8880123ff800, ffff8880123ff900)
    
    The buggy address belongs to the physical page:
    page:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000
    index:0x0 pfn:0x123fe
    head:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0
    flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
    raw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40
    raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    page_owner tracks the page as allocated
    page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(),
    pid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0
     create_dummy_stack mm/page_owner.c:67 [inline]
     register_early_stack+0x77/0xd0 mm/page_owner.c:83
     init_page_owner+0x3a/0x731 mm/page_owner.c:93
     kernel_init_freeable+0x41c/0x5d5 init/main.c:1629
     kernel_init+0x19/0x2b0 init/main.c:1519
    page_owner free stack trace missing
    
    Memory state around the buggy address:
     ffff8880123ff780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff8880123ff800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff8880123ff880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
                                                                    ^
     ffff8880123ff900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff8880123ff980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    ==================================================================
    
    Fix this by changing the memory size allocated for copy_name from
    UDF_NAME_LEN(254) to UDF_NAME_LEN_CS0(255), because the total length
    (lfi) of subsequent memcpy can be up to 255.
    
    CC: stable@vger.kernel.org
    Reported-by: syzbot+69c9fdccc6dd08961d34@syzkaller.appspotmail.com
    Fixes: 066b9cded00b ("udf: Use separate buffer for copying split names")
    Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20221109013542.442790-1-zhangpeng362@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
vmlinux.lds.h: Fix placement of '.data..decrypted' section [+ + +]
Author: Nathan Chancellor <nathan@kernel.org>
Date:   Tue Nov 8 10:49:34 2022 -0700

    vmlinux.lds.h: Fix placement of '.data..decrypted' section
    
    commit 000f8870a47bdc36730357883b6aef42bced91ee upstream.
    
    Commit d4c639990036 ("vmlinux.lds.h: Avoid orphan section with !SMP")
    fixed an orphan section warning by adding the '.data..decrypted' section
    to the linker script under the PERCPU_DECRYPTED_SECTION define but that
    placement introduced a panic with !SMP, as the percpu sections are not
    instantiated with that configuration so attempting to access variables
    defined with DEFINE_PER_CPU_DECRYPTED() will result in a page fault.
    
    Move the '.data..decrypted' section to the DATA_MAIN define so that the
    variables in it are properly instantiated at boot time with
    CONFIG_SMP=n.
    
    Cc: stable@vger.kernel.org
    Fixes: d4c639990036 ("vmlinux.lds.h: Avoid orphan section with !SMP")
    Link: https://lore.kernel.org/cbbd3548-880c-d2ca-1b67-5bb93b291d5f@huawei.com/
    Debugged-by: Ard Biesheuvel <ardb@kernel.org>
    Reported-by: Zhao Wenhui <zhaowenhui8@huawei.com>
    Tested-by: xiafukun <xiafukun@huawei.com>
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Link: https://lore.kernel.org/r/20221108174934.3384275-1-nathan@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update() [+ + +]
Author: Wen Gong <quic_wgong@quicinc.com>
Date:   Wed Nov 2 13:48:03 2022 +0200

    wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update()
    
    commit f45cb6b29cd36514e13f7519770873d8c0457008 upstream.
    
    (cherry picked from commit d99884ad9e3673a12879bc2830f6e5a66cccbd78 in ath-next
    as users are seeing this bug more now, also cc stable)
    
    Running this test in a loop it is easy to reproduce an rtnl deadlock:
    
    iw reg set FI
    ifconfig wlan0 down
    
    What happens is that thread A (workqueue) tries to update the regulatory:
    
        try to acquire the rtnl_lock of ar->regd_update_work
    
        rtnl_lock+0x17/0x20
        ath11k_regd_update+0x15a/0x260 [ath11k]
        ath11k_regd_update_work+0x15/0x20 [ath11k]
        process_one_work+0x228/0x670
        worker_thread+0x4d/0x440
        kthread+0x16d/0x1b0
        ret_from_fork+0x22/0x30
    
    And thread B (ifconfig) tries to stop the interface:
    
        try to cancel_work_sync(&ar->regd_update_work) in ath11k_mac_op_stop().
        ifconfig  3109 [003]  2414.232506: probe:
    
        ath11k_mac_op_stop: (ffffffffc14187a0)
        drv_stop+0x30 ([mac80211])
        ieee80211_do_stop+0x5d2 ([mac80211])
        ieee80211_stop+0x3e ([mac80211])
        __dev_close_many+0x9e ([kernel.kallsyms])
        __dev_change_flags+0xbe ([kernel.kallsyms])
        dev_change_flags+0x23 ([kernel.kallsyms])
        devinet_ioctl+0x5e3 ([kernel.kallsyms])
        inet_ioctl+0x197 ([kernel.kallsyms])
        sock_do_ioctl+0x4d ([kernel.kallsyms])
        sock_ioctl+0x264 ([kernel.kallsyms])
        __x64_sys_ioctl+0x92 ([kernel.kallsyms])
        do_syscall_64+0x3a ([kernel.kallsyms])
        entry_SYSCALL_64_after_hwframe+0x63 ([kernel.kallsyms])
        __GI___ioctl+0x7 (/lib/x86_64-linux-gnu/libc-2.23.so)
    
    The sequence of deadlock is:
    
    1. Thread B calls rtnl_lock().
    
    2. Thread A starts to run and calls rtnl_lock() from within
       ath11k_regd_update_work(), then enters wait state because the lock is owned by
       thread B.
    
    3. Thread B continues to run and tries to call
       cancel_work_sync(&ar->regd_update_work), but thread A is in
       ath11k_regd_update_work() waiting for rtnl_lock(). So cancel_work_sync()
       forever waits for ath11k_regd_update_work() to finish and we have a deadlock.
    
    Fix this by switching from using regulatory_set_wiphy_regd_sync() to
    regulatory_set_wiphy_regd(). Now cfg80211 will schedule another workqueue which
    handles the locking on it's own. So the ath11k workqueue can simply exit without
    taking any locks, avoiding the deadlock.
    
    Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
    [kvalo: improve commit log]
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: cfg80211: fix memory leak in query_regdb_file() [+ + +]
Author: Arend van Spriel <arend.vanspriel@broadcom.com>
Date:   Thu Oct 20 13:40:40 2022 +0200

    wifi: cfg80211: fix memory leak in query_regdb_file()
    
    [ Upstream commit 57b962e627ec0ae53d4d16d7bd1033e27e67677a ]
    
    In the function query_regdb_file() the alpha2 parameter is duplicated
    using kmemdup() and subsequently freed in regdb_fw_cb(). However,
    request_firmware_nowait() can fail without calling regdb_fw_cb() and
    thus leak memory.
    
    Fixes: 007f6c5e6eb4 ("cfg80211: support loading regulatory database as firmware file")
    Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: cfg80211: silence a sparse RCU warning [+ + +]
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Thu Oct 13 19:41:51 2022 +0200

    wifi: cfg80211: silence a sparse RCU warning
    
    [ Upstream commit 03c0ad4b06c3566de624b4f4b78ac1a5d1e4c8e7 ]
    
    All we're going to do with this pointer is assign it to
    another __rcu pointer, but sparse can't see that, so
    use rcu_access_pointer() to silence the warning here.
    
    Fixes: c90b93b5b782 ("wifi: cfg80211: update hidden BSSes to avoid WARN_ON")
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mac80211: Set TWT Information Frame Disabled bit as 1 [+ + +]
Author: Howard Hsu <howard-yh.hsu@mediatek.com>
Date:   Thu Oct 27 09:56:53 2022 +0800

    wifi: mac80211: Set TWT Information Frame Disabled bit as 1
    
    [ Upstream commit 30ac96f7cc973bb850c718c9bbe1fdcedfbe826b ]
    
    The TWT Information Frame Disabled bit of control field of TWT Setup
    frame shall be set to 1 since handling TWT Information frame is not
    supported by current mac80211 implementation.
    
    Fixes: f5a4c24e689f ("mac80211: introduce individual TWT support in AP mode")
    Signed-off-by: Howard Hsu <howard-yh.hsu@mediatek.com>
    Link: https://lore.kernel.org/r/20221027015653.1448-1-howard-yh.hsu@mediatek.com
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
x86/cpu: Restore AMD's DE_CFG MSR after resume [+ + +]
Author: Borislav Petkov <bp@suse.de>
Date:   Mon Nov 14 12:44:01 2022 +0100

    x86/cpu: Restore AMD's DE_CFG MSR after resume
    
    commit 2632daebafd04746b4b96c2f26a6021bc38f6209 upstream.
    
    DE_CFG contains the LFENCE serializing bit, restore it on resume too.
    This is relevant to older families due to the way how they do S3.
    
    Unify and correct naming while at it.
    
    Fixes: e4d0e84e4907 ("x86/cpu/AMD: Make LFENCE a serializing instruction")
    Reported-by: Andrew Cooper <Andrew.Cooper3@citrix.com>
    Reported-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Cc: <stable@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>