Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-38430

An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.

CVE
#ios#android#mac#google#linux#debian#git#oracle#intel#c++#perl#samba#pdf#lenovo#amd#bios#buffer_overflow#alibaba#asus#samsung#huawei#auth#ibm#dell#rpm#chrome#sap#wifi

commit 00d3ac724541a0661b148b16cf34fac135a4fd53 Author: Greg Kroah-Hartman Date: Wed Jun 21 16:02:19 2023 +0200 Linux 6.3.9 Link: https://lore.kernel.org/r/[email protected] Tested-by: Ronald Warsow Tested-by: Markus Reichelt Tested-by: Salvatore Bonaccorso Tested-by: Florian Fainelli Tested-by: Ron Economos Tested-by: Linux Kernel Functional Testing Tested-by: Chris Paterson (CIP) Tested-by: Jon Hunter Tested-by: Conor Dooley Tested-by: Sudip Mukherjee Tested-by: Allen Pais Tested-by: Shuah Khan Tested-by: Guenter Roeck Tested-by: Justin M. Forbes Signed-off-by: Greg Kroah-Hartman commit 0f6090d90f627d8c58f939067d6c6821ce1b3c68 Author: Ming Lei Date: Sat Jun 10 07:42:49 2023 +0800 blk-cgroup: Flush stats before releasing blkcg_gq commit 20cb1c2fb7568a6054c55defe044311397e01ddb upstream. As noted by Michal, the blkg_iostat_set’s in the lockless list hold reference to blkg’s to protect against their removal. Those blkg’s hold reference to blkcg. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn() which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. It is less a problem if the cgroup to be destroyed also has other controllers like memory that will call cgroup_rstat_flush() which will clean up the reference count. If block is the only controller that uses rstat, these offline blkcg and blkgs may never be freed leaking more and more memory over time. To prevent this potential memory leak: - flush blkcg per-cpu stats list in __blkg_release(), when no new stat can be added - add global blkg_stat_lock for covering concurrent parent blkg stat update - don’t grab bio->bi_blkg reference when adding the stats into blkcg’s per-cpu stat list since all stats are guaranteed to be consumed before releasing blkg instance, and grabbing blkg reference for stats was the most fragile part of original patch Based on Waiman’s patch: https://lore.kernel.org/linux-block/[email protected]/ Fixes: 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()") Cc: [email protected] Reported-by: Jay Shin Acked-by: Tejun Heo Cc: Waiman Long Cc: [email protected] Cc: Yosry Ahmed Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 0c7d966f54a488cf412688de2d1b47783e612f7f Author: Bob Pearson Date: Tue Jun 13 09:43:00 2023 -0500 scsi: target: core: Fix error path in target_setup_session() commit 91271699228bfc66f1bc8abc0327169dc156d854 upstream. In the error exits in target_setup_session(), if a branch is taken to free_sess: transport_free_session() may call to target_free_cmd_counter() and then fall through to call target_free_cmd_counter() a second time. This can, and does, sometimes cause seg faults since the data field in cmd_cnt->refcnt has been freed in the first call. Fix this problem by simply returning after the call to transport_free_session(). The second call is redundant for those cases. Fixes: 4edba7e4a8f3 (“scsi: target: Move cmd counter allocation”) Signed-off-by: Bob Pearson Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit b0ec36dddffb3e772dcad634f332a59c573c15a4 Author: Leon Romanovsky Date: Wed Mar 8 11:23:13 2023 +0200 neighbour: delete neigh_lookup_nodev as not used commit 76b9bf965c98c9b53ef7420b3b11438dbd764f92 upstream. neigh_lookup_nodev isn’t used in the kernel after removal of DECnet. So let’s remove it. Fixes: 1202cdd66531 (“Remove DECnet support from kernel”) Signed-off-by: Leon Romanovsky Reviewed-by: Eric Dumazet Reviewed-by: Nikolay Aleksandrov Link: https://lore.kernel.org/r/eb5656200d7964b2d177a36b77efa3c597d6d72d.1678267343.git.leonro@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 1e022fa0c3494c1fd1cf4020ee2618c0b03570c9 Author: Konrad Dybcio Date: Wed May 17 04:18:50 2023 +0200 arm64: dts: qcom: sm8550: Use the correct LLCC register scheme commit 661a4f089317c877aecd598fb70cd46510cc8d29 upstream. During the ABI-breaking (for good reasons) conversion of the LLCC register description, SM8550 was not taken into account, resulting in LLCC being broken on any kernel containing the patch referenced in the fixes tag. Fix it by describing the regions properly. Fixes: ee13b5008707 (“qcom: llcc/edac: Fix the base address used for accessing LLCC banks”) Signed-off-by: Konrad Dybcio Acked-by: Manivannan Sadhasivam Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit cc7983031668debb46595b6011e7ea27b88cb22f Author: Ben Hutchings Date: Thu Jun 15 00:00:02 2023 +0200 parisc: Delete redundant register definitions in commit b5b2a02bcaac7c287694aa0db4837a07bf178626 upstream. We define sp and ipsw in using ".reg", and when using current binutils (snapshot 2.40.50.20230611) the definitions in using “=” conflict with those: arch/parisc/include/asm/assembly.h: Assembler messages: arch/parisc/include/asm/assembly.h:93: Error: symbol `sp’ is already defined arch/parisc/include/asm/assembly.h:95: Error: symbol `ipsw’ is already defined Delete the duplicate definitions in . Also delete the definition of gp, which isn’t used anywhere. Signed-off-by: Ben Hutchings Cc: [email protected] # v6.0+ Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit b246f755ae8bc39d13edbf479c1c358252ac3134 Author: David Howells Date: Fri Jun 16 22:39:39 2023 +0100 afs: Fix vlserver probe RTT handling [ Upstream commit ba00b190670809c1a89326d80de96d714f6004f2 ] In the same spirit as commit ca57f02295f1 (“afs: Fix fileserver probe RTT handling”), don’t rule out using a vlserver just because there haven’t been enough packets yet to calculate a real rtt. Always set the server’s probe rtt from the estimate provided by rxrpc_kernel_get_srtt, which is capped at 1 second. This could lead to EDESTADDRREQ errors when accessing a cell for the first time, even though the vl servers are known and have responded to a probe. Fixes: 1d4adfaf6574 (“rxrpc: Make rxrpc_kernel_get_srtt() indicate validity”) Signed-off-by: Marc Dionne Signed-off-by: David Howells cc: [email protected] Link: http://lists.infradead.org/pipermail/linux-afs/2023-June/006746.html Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit c7329a5c87eb6051b4d68572ced6d8f21a28d6d1 Author: Jiasheng Jiang Date: Thu Jun 15 11:34:00 2023 +0800 octeon_ep: Add missing check for ioremap [ Upstream commit 9a36e2d44d122fe73a2a76ba73f1d50a65cf8210 ] Add check for ioremap() and return the error if it fails in order to guarantee the success of ioremap(). Fixes: 862cd659a6fb (“octeon_ep: Add driver framework and device initialization”) Signed-off-by: Jiasheng Jiang Reviewed-by: Kalesh AP Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit bd64e928241787698710d47330d75d441320acb4 Author: Alex Maftei Date: Thu Jun 15 09:34:04 2023 +0100 selftests/ptp: Fix timestamp printf format for PTP_SYS_OFFSET [ Upstream commit 76a4c8b82938bc5020b67663db41f451684bf327 ] Previously, timestamps were printed using “%lld.%u” which is incorrect for nanosecond values lower than 100,000,000 as they’re fractional digits, therefore leading zeros are meaningful. This patch changes the format strings to “%lld.%09u” in order to add leading zeros to the nanosecond value. Fixes: 568ebc5985f5 (“ptp: add the PTP_SYS_OFFSET ioctl to the testptp program”) Fixes: 4ec54f95736f (“ptp: Fix compiler warnings in the testptp utility”) Fixes: 6ab0e475f1f3 (“Documentation: fix misc. warnings”) Signed-off-by: Alex Maftei Acked-by: Richard Cochran Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 140f15279ae84fff6c9940db955b024f931cbb3a Author: Lin Ma Date: Wed Jun 14 20:06:04 2023 +0800 net: tipc: resize nlattr array to correct size [ Upstream commit 44194cb1b6045dea33ae9a0d54fb7e7cd93a2e09 ] According to nla_parse_nested_deprecated(), the tb[] is supposed to the destination array with maxtype+1 elements. In current tipc_nl_media_get() and __tipc_nl_media_set(), a larger array is used which is unnecessary. This patch resize them to a proper size. Fixes: 1e55417d8fc6 (“tipc: add media set to new netlink api”) Fixes: 46f15c6794fb (“tipc: add media get/dump to new netlink api”) Signed-off-by: Lin Ma Reviewed-by: Florian Westphal Reviewed-by: Tung Nguyen Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 051f16acfeba7eab58a2a84dbeaf978b8ee76bd8 Author: Li Lingfeng Date: Thu Jun 1 14:14:23 2023 +0800 dm: don’t lock fs when the map is NULL during suspend or resume [ Upstream commit 2760904d895279f87196f0fa9ec570c79fe6a2e4 ] As described in commit 38d11da522aa (“dm: don’t lock fs when the map is NULL in process of resume”), a deadlock may be triggered between do_resume() and do_mount(). This commit preserves the fix from commit 38d11da522aa but moves it to where it also serves to fix a similar deadlock between do_suspend() and do_mount(). It does so, if the active map is NULL, by clearing DM_SUSPEND_LOCKFS_FLAG in dm_suspend() which is called by both do_suspend() and do_resume(). Fixes: 38d11da522aa (“dm: don’t lock fs when the map is NULL in process of resume”) Signed-off-by: Li Lingfeng Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 7e06e393d6a9ffa6bddf9d21bbed26d607d2e670 Author: Íñigo Huguet Date: Tue Jun 13 15:38:54 2023 +0200 sfc: fix XDP queues mode with legacy IRQ [ Upstream commit e84a1e1e683f3558e30f437d7c99df35afb8b52c ] In systems without MSI-X capabilities, xdp_txq_queues_mode is calculated in efx_allocate_msix_channels, but when enabling MSI-X fails, it was not changed to a proper default value. This was leading to the driver thinking that it has dedicated XDP queues, when it didn’t. Fix it by setting xdp_txq_queues_mode to the correct value if the driver fallbacks to MSI or legacy IRQ mode. The correct value is EFX_XDP_TX_QUEUES_BORROWED because there are no XDP dedicated queues. The issue can be easily visible if the kernel is started with pci=nomsi, then a call trace is shown. It is not shown only with sfc’s modparam interrupt_mode=2. Call trace example: WARNING: CPU: 2 PID: 663 at drivers/net/ethernet/sfc/efx_channels.c:828 efx_set_xdp_channels+0x124/0x260 [sfc] […skip…] Call Trace: efx_set_channels+0x5c/0xc0 [sfc] efx_probe_nic+0x9b/0x15a [sfc] efx_probe_all+0x10/0x1a2 [sfc] efx_pci_probe_main+0x12/0x156 [sfc] efx_pci_probe_post_io+0x18/0x103 [sfc] efx_pci_probe.cold+0x154/0x257 [sfc] local_pci_probe+0x42/0x80 Fixes: 6215b608a8c4 (“sfc: last resort fallback for lack of xdp tx queues”) Reported-by: Yanghang Liu Signed-off-by: Íñigo Huguet Acked-by: Martin Habets Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e6ebb82279c70f7c575d10b04e3bf28d0a832e73 Author: Fedor Pchelkin Date: Tue Jun 13 22:22:20 2023 +0300 net: macsec: fix double free of percpu stats [ Upstream commit 0c0cf3db83f8c7c9bb141c2771a34043bcf952ef ] Inside macsec_add_dev() we free percpu macsec->secy.tx_sc.stats and macsec->stats on some of the memory allocation failure paths. However, the net_device is already registered to that moment: in macsec_newlink(), just before calling macsec_add_dev(). This means that during unregister process its priv_destructor - macsec_free_netdev() - will be called and will free the stats again. Remove freeing percpu stats inside macsec_add_dev() because macsec_free_netdev() will correctly free the already allocated ones. The pointers to unallocated stats stay NULL, and free_percpu() treats that correctly. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 0a28bfd4971f (“net/macsec: Add MACsec skb_metadata_dst Tx Data path support”) Fixes: c09440f7dcb3 (“macsec: introduce IEEE 802.1AE driver”) Signed-off-by: Fedor Pchelkin Reviewed-by: Sabrina Dubroca Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4a9ef83a06ef8b10b06c59c44c77a743fea14fc0 Author: Eric Dumazet Date: Wed Jun 14 16:18:02 2023 +0000 net: lapbether: only support ethernet devices [ Upstream commit 9eed321cde22fc1afd76eac563ce19d899e0d6b2 ] It probbaly makes no sense to support arbitrary network devices for lapbether. syzbot reported: skbuff: skb_under_panic: text:ffff80008934c100 len:44 put:40 head:ffff0000d18dd200 data:ffff0000d18dd1ea tail:0x16 end:0x140 dev:bond1 kernel BUG at net/core/skbuff.c:200 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 5643 Comm: dhcpcd Not tainted 6.4.0-rc5-syzkaller-g4641cff8e810 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : skb_panic net/core/skbuff.c:196 [inline] pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:210 lr : skb_panic net/core/skbuff.c:196 [inline] lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:210 sp : ffff8000973b7260 x29: ffff8000973b7270 x28: ffff8000973b7360 x27: dfff800000000000 x26: ffff0000d85d8150 x25: 0000000000000016 x24: ffff0000d18dd1ea x23: ffff0000d18dd200 x22: 000000000000002c x21: 0000000000000140 x20: 0000000000000028 x19: ffff80008934c100 x18: ffff8000973b68a0 x17: 0000000000000000 x16: ffff80008a43bfbc x15: 0000000000000202 x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001 x11: 0000000000000201 x10: 0000000000000000 x9 : f22f7eb937cced00 x8 : f22f7eb937cced00 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff8000973b6b78 x4 : ffff80008df9ee80 x3 : ffff8000805974f4 x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086 Call trace: skb_panic net/core/skbuff.c:196 [inline] skb_under_panic+0x13c/0x140 net/core/skbuff.c:210 skb_push+0xf0/0x108 net/core/skbuff.c:2409 ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1383 dev_hard_header include/linux/netdevice.h:3137 [inline] lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257 lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447 lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149 lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251 lapb_establish_data_link+0x94/0xec lapb_device_event+0x348/0x4e0 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 __dev_notify_flags+0x2bc/0x544 dev_change_flags+0xd0/0x15c net/core/dev.c:8643 devinet_ioctl+0x858/0x17e4 net/ipv4/devinet.c:1150 inet_ioctl+0x2ac/0x4d8 net/ipv4/af_inet.c:979 sock_do_ioctl+0x134/0x2dc net/socket.c:1201 sock_ioctl+0x4ec/0x858 net/socket.c:1318 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x244 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:191 el0_svc+0x4c/0x160 arch/arm64/kernel/entry-common.c:647 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 Code: aa1803e6 aa1903e7 a90023f5 947730f5 (d4210000) Fixes: 1da177e4c3f4 (“Linux-2.6.12-rc2”) Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Martin Schiller Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 514c54caa69f9d99ff29bd1e48c46a3afe83bbf2 Author: Vladimir Oltean Date: Tue Jun 13 20:09:07 2023 +0300 net: dsa: felix: fix taprio guard band overflow at 10Mbps with jumbo frames [ Upstream commit 6ac7a27a8b07588497ed53dfd885df9c72bc67e0 ] The DEV_MAC_MAXLEN_CFG register contains a 16-bit value - up to 65535. Plus 2 * VLAN_HLEN (4), that is up to 65543. The picos_per_byte variable is the largest when “speed” is lowest - SPEED_10 = 10. In that case it is (1000000L * 8) / 10 = 800000. Their product - 52434400000 - exceeds 32 bits, which is a problem, because apparently, a multiplication between two 32-bit factors is evaluated as 32-bit before being assigned to a 64-bit variable. In fact it’s a problem for any MTU value larger than 5368. Cast one of the factors of the multiplication to u64 to force the multiplication to take place on 64 bits. Issue found by Coverity. Fixes: 55a515b1f5a9 (“net: dsa: felix: drop oversized frames with tc-taprio instead of hanging the port”) Signed-off-by: Vladimir Oltean Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 7c38cc7b2780e8b03699eb4f11607f9fc8c69a55 Author: Vlad Buslov Date: Mon Jun 12 11:34:26 2023 +0200 net/sched: cls_api: Fix lockup on flushing explicitly created chain [ Upstream commit c9a82bec02c339cdda99b37c5e62b3b71fc4209c ] Mingshuai Ren reports: When a new chain is added by using tc, one soft lockup alarm will be generated after delete the prio 0 filter of the chain. To reproduce the problem, perform the following steps: (1) tc qdisc add dev eth0 root handle 1: htb default 1 (2) tc chain add dev eth0 (3) tc filter del dev eth0 chain 0 parent 1: prio 0 (4) tc filter add dev eth0 chain 0 parent 1: Fix the issue by accounting for additional reference to chains that are explicitly created by RTM_NEWCHAIN message as opposed to implicitly by RTM_NEWTFILTER message. Fixes: 726d061286ce (“net: sched: prevent insertion of new classifiers during chain flush”) Reported-by: Mingshuai Ren Closes: https://lore.kernel.org/lkml/[email protected]/T/ Signed-off-by: Vlad Buslov Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 19e6b85e556e910fc808abdf97d1b4c9b4821e40 Author: Jakub Buchocki Date: Mon Jun 12 10:14:21 2023 -0700 ice: Fix ice module unload [ Upstream commit 24b454bc354ab7b1aa918a4fe3d7696516f592d4 ] Clearing the interrupt scheme before PFR reset, during the removal routine, could cause the hardware errors and possibly lead to system reboot, as the PF reset can cause the interrupt to be generated. Place the call for PFR reset inside ice_deinit_dev(), wait until reset and all pending transactions are done, then call ice_clear_interrupt_scheme(). This introduces a PFR reset to multiple error paths. Additionally, remove the call for the reset from ice_load() - it will be a part of ice_unload() now. Error example: [ 75.229328] ice 0000:ca:00.1: Failed to read Tx Scheduler Tree - User Selection data from flash [ 77.571315] {1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [ 77.571418] {1}[Hardware Error]: event severity: recoverable [ 77.571459] {1}[Hardware Error]: Error 0, type: recoverable [ 77.571500] {1}[Hardware Error]: section_type: PCIe error [ 77.571540] {1}[Hardware Error]: port_type: 4, root port [ 77.571580] {1}[Hardware Error]: version: 3.0 [ 77.571615] {1}[Hardware Error]: command: 0x0547, status: 0x4010 [ 77.571661] {1}[Hardware Error]: device_id: 0000:c9:02.0 [ 77.571703] {1}[Hardware Error]: slot: 25 [ 77.571736] {1}[Hardware Error]: secondary_bus: 0xca [ 77.571773] {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x347a [ 77.571821] {1}[Hardware Error]: class_code: 060400 [ 77.571858] {1}[Hardware Error]: bridge: secondary_status: 0x2800, control: 0x0013 [ 77.572490] pcieport 0000:c9:02.0: AER: aer_status: 0x00200000, aer_mask: 0x00100020 [ 77.572870] pcieport 0000:c9:02.0: [21] ACSViol (First) [ 77.573222] pcieport 0000:c9:02.0: AER: aer_layer=Transaction Layer, aer_agent=Receiver ID [ 77.573554] pcieport 0000:c9:02.0: AER: aer_uncor_severity: 0x00463010 [ 77.691273] {2}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [ 77.691738] {2}[Hardware Error]: event severity: recoverable [ 77.691971] {2}[Hardware Error]: Error 0, type: recoverable [ 77.692192] {2}[Hardware Error]: section_type: PCIe error [ 77.692403] {2}[Hardware Error]: port_type: 4, root port [ 77.692616] {2}[Hardware Error]: version: 3.0 [ 77.692825] {2}[Hardware Error]: command: 0x0547, status: 0x4010 [ 77.693032] {2}[Hardware Error]: device_id: 0000:c9:02.0 [ 77.693238] {2}[Hardware Error]: slot: 25 [ 77.693440] {2}[Hardware Error]: secondary_bus: 0xca [ 77.693641] {2}[Hardware Error]: vendor_id: 0x8086, device_id: 0x347a [ 77.693853] {2}[Hardware Error]: class_code: 060400 [ 77.694054] {2}[Hardware Error]: bridge: secondary_status: 0x0800, control: 0x0013 [ 77.719115] pci 0000:ca:00.1: AER: can’t recover (no error_detected callback) [ 77.719140] pcieport 0000:c9:02.0: AER: device recovery failed [ 77.719216] pcieport 0000:c9:02.0: AER: aer_status: 0x00200000, aer_mask: 0x00100020 [ 77.719390] pcieport 0000:c9:02.0: [21] ACSViol (First) [ 77.719557] pcieport 0000:c9:02.0: AER: aer_layer=Transaction Layer, aer_agent=Receiver ID [ 77.719723] pcieport 0000:c9:02.0: AER: aer_uncor_severity: 0x00463010 Fixes: 5b246e533d01 (“ice: split probe into smaller functions”) Signed-off-by: Jakub Buchocki Reviewed-by: Przemek Kitszel Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 355cb62c1a9ed39293c1ea4527af63efe7e11c74 Author: Fabio M. De Francesco Date: Wed Jun 14 12:02:55 2023 +0200 ext4: drop the call to ext4_error() from ext4_get_group_info() [ Upstream commit f451fd97dd2b78f286379203a47d9d295c467255 ] A recent patch added a call to ext4_error() which is problematic since some callers of the ext4_get_group_info() function may be holding a spinlock, whereas ext4_error() must never be called in atomic context. This triggered a report from Syzbot: “BUG: sleeping function called from invalid context in ext4_update_super” (see the link below). Therefore, drop the call to ext4_error() from ext4_get_group_info(). In the meantime use eight characters tabs instead of nine characters ones. Reported-by: [email protected] Closes: https://lore.kernel.org/all/[email protected]/ Fixes: 5354b2af3406 (“ext4: allow ext4_get_group_info() to fail”) Suggested-by: Theodore Ts’o Signed-off-by: Fabio M. De Francesco Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sasha Levin commit 7cfab4c9dc09ca3a9d57c187894055a22bdcda78 Author: Mauro Carvalho Chehab Date: Fri Jun 9 09:16:21 2023 +0100 Revert “media: dvb-core: Fix use-after-free on race condition at dvb_frontend” [ Upstream commit ec21a38df77a5aefbd2f70c48127003b6f259cf3 ] As reported by Thomas Voegtle , sometimes a DVB card does not initialize properly booting Linux 6.4-rc4. This is not always, maybe in 3 out of 4 attempts. After double-checking, the root cause seems to be related to the UAF fix, which is causing a race issue: [ 26.332149] tda10071 7-0005: found a ‘NXP TDA10071’ in cold state, will try to load a firmware [ 26.340779] tda10071 7-0005: downloading firmware from file ‘dvb-fe-tda10071.fw’ [ 989.277402] INFO: task vdr:743 blocked for more than 491 seconds. [ 989.283504] Not tainted 6.4.0-rc5-i5 #249 [ 989.288036] “echo 0 > /proc/sys/kernel/hung_task_timeout_secs” disables this message. [ 989.295860] task:vdr state:D stack:0 pid:743 ppid:711 flags:0x00004002 [ 989.295865] Call Trace: [ 989.295867] [ 989.295869] __schedule+0x2ea/0x12d0 [ 989.295877] ? asm_sysvec_apic_timer_interrupt+0x16/0x20 [ 989.295881] schedule+0x57/0xc0 [ 989.295884] schedule_preempt_disabled+0xc/0x20 [ 989.295887] __mutex_lock.isra.16+0x237/0x480 [ 989.295891] ? dvb_get_property.isra.10+0x1bc/0xa50 [ 989.295898] ? dvb_frontend_stop+0x36/0x180 [ 989.338777] dvb_frontend_stop+0x36/0x180 [ 989.338781] dvb_frontend_open+0x2f1/0x470 [ 989.338784] dvb_device_open+0x81/0xf0 [ 989.338804] ? exact_lock+0x20/0x20 [ 989.338808] chrdev_open+0x7f/0x1c0 [ 989.338811] ? generic_permission+0x1a2/0x230 [ 989.338813] ? link_path_walk.part.63+0x340/0x380 [ 989.338815] ? exact_lock+0x20/0x20 [ 989.338817] do_dentry_open+0x18e/0x450 [ 989.374030] path_openat+0xca5/0xe00 [ 989.374031] ? terminate_walk+0xec/0x100 [ 989.374034] ? path_lookupat+0x93/0x140 [ 989.374036] do_filp_open+0xc0/0x140 [ 989.374038] ? __call_rcu_common.constprop.91+0x92/0x240 [ 989.374041] ? __check_object_size+0x147/0x260 [ 989.374043] ? __check_object_size+0x147/0x260 [ 989.374045] ? alloc_fd+0xbb/0x180 [ 989.374048] ? do_sys_openat2+0x243/0x310 [ 989.374050] do_sys_openat2+0x243/0x310 [ 989.374052] do_sys_open+0x52/0x80 [ 989.374055] do_syscall_64+0x5b/0x80 [ 989.421335] ? __task_pid_nr_ns+0x92/0xa0 [ 989.421337] ? syscall_exit_to_user_mode+0x20/0x40 [ 989.421339] ? do_syscall_64+0x67/0x80 [ 989.421341] ? syscall_exit_to_user_mode+0x20/0x40 [ 989.421343] ? do_syscall_64+0x67/0x80 [ 989.421345] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 989.421348] RIP: 0033:0x7fe895d067e3 [ 989.421349] RSP: 002b:00007fff933c2ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 [ 989.421351] RAX: ffffffffffffffda RBX: 00007fff933c2c10 RCX: 00007fe895d067e3 [ 989.421352] RDX: 0000000000000802 RSI: 00005594acdce160 RDI: 00000000ffffff9c [ 989.421353] RBP: 0000000000000802 R08: 0000000000000000 R09: 0000000000000000 [ 989.421353] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001 [ 989.421354] R13: 00007fff933c2ca0 R14: 00000000ffffffff R15: 00007fff933c2c90 [ 989.421355] This reverts commit 6769a0b7ee0c3b31e1b22c3fadff2bfb642de23f. Fixes: 6769a0b7ee0c (“media: dvb-core: Fix use-after-free on race condition at dvb_frontend”) Link: https://lore.kernel.org/all/[email protected]/ Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4fd75daf7f32daec54c0d821b9bbdc16e2260fca Author: Bob Pearson Date: Mon Jun 12 10:50:33 2023 -0500 RDMA/rxe: Fix rxe_cq_post [ Upstream commit 0c7e314a6352664e12ec465f576cf039e95f8369 ] A recent patch replaced a tasklet execution of cq->comp_handler by a direct call. While this made sense it let changes to cq->notify state be unprotected and assumed that the cq completion machinery and the ulp done callbacks were reentrant. The result is that in some cases completion events can be lost. This patch moves the cq->comp_handler call inside of the spinlock in rxe_cq_post which solves both issues. This is compatible with the matching code in the request notify verb. Fixes: 78b26a335310 (“RDMA/rxe: Remove tasklet call from rxe_cq.c”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 3d90b261588c089aab5efe0796d87f5c8d25fa5e Author: Steve French Date: Sun Jun 11 11:23:32 2023 -0500 cifs: fix lease break oops in xfstest generic/098 [ Upstream commit c774e6779f38bf36f0cce65e30793704bab4b0d7 ] umount can race with lease break so need to check if tcon->ses->server is still valid to send the lease break response. Reviewed-by: Bharath SM Reviewed-by: Shyam Prasad N Fixes: 59a556aebc43 (“SMB3: drop reference to cfile before sending oplock break”) Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 8edf4b9fdf31b4aeb58eabc657eb847c731896fa Author: Danielle Ratson Date: Mon Jun 12 16:34:58 2023 +0200 selftests: forwarding: hw_stats_l3: Set addrgenmode in a separate step [ Upstream commit bef68e201e538eaa3a91f97aae8161eb2d0a8ed7 ] Setting the IPv6 address generation mode of a net device during its creation never worked, but after commit b0ad3c179059 (“rtnetlink: call validate_linkmsg in rtnl_create_link”) it explicitly fails [1]. The failure is caused by the fact that validate_linkmsg() is called before the net device is registered, when it still does not have an ‘inet6_dev’. Likewise, raising the net device before setting the address generation mode is meaningless, because by the time the mode is set, the address has already been generated. Therefore, fix the test to first create the net device, then set its IPv6 address generation mode and finally bring it up. [1] # ip link add name mydev addrgenmode eui64 type dummy RTNETLINK answers: Address family not supported by protocol Fixes: ba95e7930957 (“selftests: forwarding: hw_stats_l3: Add a new test”) Signed-off-by: Danielle Ratson Reviewed-by: Ido Schimmel Signed-off-by: Petr Machata Link: https://lore.kernel.org/r/f3b05d85b2bc0c3d6168fe8f7207c6c8365703db.1686580046.git.petrm@nvidia.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 4ba62831247717dcd3878f4f65883a52d7e298f1 Author: Peilin Ye Date: Sat Jun 10 20:30:25 2023 -0700 net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting [ Upstream commit 84ad0af0bccd3691cb951c2974c5cb2c10594d4a ] mini_Qdisc_pair::p_miniq is a double pointer to mini_Qdisc, initialized in ingress_init() to point to net_device::miniq_ingress. ingress Qdiscs access this per-net_device pointer in mini_qdisc_pair_swap(). Similar for clsact Qdiscs and miniq_egress. Unfortunately, after introducing RTNL-unlocked RTM_{NEW,DEL,GET}TFILTER requests (thanks Hillf Danton for the hint), when replacing ingress or clsact Qdiscs, for example, the old Qdisc (“@old”) could access the same miniq_{in,e}gress pointer(s) concurrently with the new Qdisc (“@new”), causing race conditions [1] including a use-after-free bug in mini_qdisc_pair_swap() reported by syzbot: BUG: KASAN: slab-use-after-free in mini_qdisc_pair_swap+0x1c2/0x1f0 net/sched/sch_generic.c:1573 Write of size 8 at addr ffff888045b31308 by task syz-executor690/14901 … Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:319 print_report mm/kasan/report.c:430 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:536 mini_qdisc_pair_swap+0x1c2/0x1f0 net/sched/sch_generic.c:1573 tcf_chain_head_change_item net/sched/cls_api.c:495 [inline] tcf_chain0_head_change.isra.0+0xb9/0x120 net/sched/cls_api.c:509 tcf_chain_tp_insert net/sched/cls_api.c:1826 [inline] tcf_chain_tp_insert_unique net/sched/cls_api.c:1875 [inline] tc_new_tfilter+0x1de6/0x2290 net/sched/cls_api.c:2266 … @old and @new should not affect each other. In other words, @old should never modify miniq_{in,e}gress after @new, and @new should not update @old’s RCU state. Fixing without changing sch_api.c turned out to be difficult (please refer to Closes: for discussions). Instead, make sure @new’s first call always happen after @old’s last call (in {ingress,clsact}_destroy()) has finished: In qdisc_graft(), return -EBUSY if @old has any ongoing filter requests, and call qdisc_destroy() for @old before grafting @new. Introduce qdisc_refcount_dec_if_one() as the counterpart of qdisc_refcount_inc_nz() used for filter requests. Introduce a non-static version of qdisc_destroy() that does a TCQ_F_BUILTIN check, just like qdisc_put() etc. Depends on patch “net/sched: Refactor qdisc_graft() for ingress and clsact Qdiscs". [1] To illustrate, the syzkaller reproducer adds ingress Qdiscs under TC_H_ROOT (no longer possible after commit c7cfbd115001 (“net/sched: sch_ingress: Only create under TC_H_INGRESS”)) on eth0 that has 8 transmission queues: Thread 1 creates ingress Qdisc A (containing mini Qdisc a1 and a2), then adds a flower filter X to A. Thread 2 creates another ingress Qdisc B (containing mini Qdisc b1 and b2) to replace A, then adds a flower filter Y to B. Thread 1 A’s refcnt Thread 2 RTM_NEWQDISC (A, RTNL-locked) qdisc_create(A) 1 qdisc_graft(A) 9 RTM_NEWTFILTER (X, RTNL-unlocked) __tcf_qdisc_find(A) 10 tcf_chain0_head_change(A) mini_qdisc_pair_swap(A) (1st) | | RTM_NEWQDISC (B, RTNL-locked) RCU sync 2 qdisc_graft(B) | 1 notify_and_destroy(A) | tcf_block_release(A) 0 RTM_NEWTFILTER (Y, RTNL-unlocked) qdisc_destroy(A) tcf_chain0_head_change(B) tcf_chain0_head_change_cb_del(A) mini_qdisc_pair_swap(B) (2nd) mini_qdisc_pair_swap(A) (3rd) | … … Here, B calls mini_qdisc_pair_swap(), pointing eth0->miniq_ingress to its mini Qdisc, b1. Then, A calls mini_qdisc_pair_swap() again during ingress_destroy(), setting eth0->miniq_ingress to NULL, so ingress packets on eth0 will not find filter Y in sch_handle_ingress(). This is just one of the possible consequences of concurrently accessing miniq_{in,e}gress pointers. Fixes: 7a096d579e8e (“net: sched: ingress: set ‘unlocked’ flag for Qdisc ops”) Fixes: 87f373921c4e (“net: sched: ingress: set ‘unlocked’ flag for clsact Qdisc ops”) Reported-by: [email protected] Closes: https://lore.kernel.org/r/[email protected]/ Cc: Hillf Danton Cc: Vlad Buslov Signed-off-by: Peilin Ye Acked-by: Jamal Hadi Salim Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 2f3eba600e24acad504baa3ff4623367f09d83d2 Author: Peilin Ye Date: Sat Jun 10 20:30:15 2023 -0700 net/sched: Refactor qdisc_graft() for ingress and clsact Qdiscs [ Upstream commit 2d5f6a8d7aef7852a9ecc555f88c673a1c91754f ] Grafting ingress and clsact Qdiscs does not need a for-loop in qdisc_graft(). Refactor it. No functional changes intended. Tested-by: Pedro Tammela Acked-by: Jamal Hadi Salim Reviewed-by: Jamal Hadi Salim Reviewed-by: Vlad Buslov Signed-off-by: Peilin Ye Signed-off-by: Paolo Abeni Stable-dep-of: 84ad0af0bccd (“net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting”) Signed-off-by: Sasha Levin commit e8ce1475219c9314dc3ced3d0ba5eecb3fdadb02 Author: Paul Blakey Date: Fri Jun 9 15:22:59 2023 +0300 net/sched: act_ct: Fix promotion of offloaded unreplied tuple [ Upstream commit 41f2c7c342d3adb1c4dd5f2e3dd831adff16a669 ] Currently UNREPLIED and UNASSURED connections are added to the nf flow table. This causes the following connection packets to be processed by the flow table which then skips conntrack_in(), and thus such the connections will remain UNREPLIED and UNASSURED even if reply traffic is then seen. Even still, the unoffloaded reply packets are the ones triggering hardware update from new to established state, and if there aren’t any to triger an update and/or previous update was missed, hardware can get out of sync with sw and still mark packets as new. Fix the above by: 1) Not skipping conntrack_in() for UNASSURED packets, but still refresh for hardware, as before the cited patch. 2) Try and force a refresh by reply-direction packets that update the hardware rules from new to established state. 3) Remove any bidirectional flows that didn’t failed to update in hardware for re-insertion as bidrectional once any new packet arrives. Fixes: 6a9bad0069cf (“net/sched: act_ct: offload UDP NEW connections”) Co-developed-by: Vlad Buslov Signed-off-by: Vlad Buslov Signed-off-by: Paul Blakey Reviewed-by: Florian Westphal Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 04f5f9b0e6e6dd352996d253b344928abf16ecb2 Author: Vlad Buslov Date: Mon Jun 12 09:57:11 2023 +0200 selftests/tc-testing: Fix SFB db test [ Upstream commit b39d8c41c7a8336ce85c376b5d4906089524a0ae ] Setting very small value of db like 10ms introduces rounding errors when converting to/from jiffies on some kernel configs. For example, on 250hz the actual value will be set to 12ms which causes the test to fail: # $ sudo ./tdc.py -d eth2 -e 3410 # – ns/SubPlugin.__init__ # Test 3410: Create SFB with db setting # # All test results: # # 1…1 # not ok 1 3410 - Create SFB with db setting # Could not match regex pattern. Verify command output: # qdisc sfb 1: root refcnt 2 rehash 600s db 12ms limit 1000p max 25p target 20p increment 0.000503548 decrement 4.57771e-05 penalty_rate 10pps penalty_burst 20p Set the value to 100ms instead which currently seem to work on 100hz, 250hz, 300hz and 1000hz kernel configs. Fixes: 6ad92dc56fca (“selftests/tc-testing: add selftests for sfb qdisc”) Signed-off-by: Vlad Buslov Reviewed-by: Pedro Tammela Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 082e289ac418c56f6ace38410a829d5406fc3801 Author: Vlad Buslov Date: Mon Jun 12 09:57:10 2023 +0200 selftests/tc-testing: Fix Error: failed to find target LOG [ Upstream commit b849c566ee9c6ed78288a522278dcaf419f8e239 ] Add missing netfilter config dependency. Fixes following example error when running tests via tdc.sh for all XT tests: # $ sudo ./tdc.py -d eth2 -e 2029 # Test 2029: Add xt action with log-prefix # exit: 255 # exit: 0 # failed to find target LOG # # bad action parsing # parse_action: bad value (7:xt)! # Illegal “action” # # -----> teardown stage *** Could not execute: “$TC actions flush action xt” # # -----> teardown stage *** Error message: “Error: Cannot flush unknown TC action. # We have an error flushing # " # returncode 1; expected [0] # # -----> teardown stage *** Aborting test run. # # <_io.BufferedReader name=3> *** stdout *** # # <_io.BufferedReader name=5> *** stderr *** # "-----> teardown stage” did not complete successfully # Exception ('teardown’, ' failed to find target LOG\n\nbad action parsing\nparse_action: bad value (7:xt)!\nIllegal “action"\n’, '”-----> teardown stage” did not complete successfully’) (caught in test_runner, running test 2 2029 Add xt action with log-prefix stage teardown) # --------------- # traceback # File “/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 495, in test_runner # res = run_one_test(pm, args, index, tidx) # File “/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 434, in run_one_test # prepare_env(args, pm, 'teardown’, '-----> teardown stage’, tidx[‘teardown’], procout) # File “/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 245, in prepare_env # raise PluginMgrTestFail( # --------------- # accumulated output for this test: # failed to find target LOG # # bad action parsing # parse_action: bad value (7:xt)! # Illegal “action” # # --------------- # # All test results: # # 1…1 # ok 1 2029 - Add xt action with log-prefix # skipped - "-----> teardown stage” did not complete successfully Fixes: 910d504bc187 (“selftests/tc-testings: add selftests for xt action”) Signed-off-by: Vlad Buslov Reviewed-by: Pedro Tammela Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit de1f92033998a1aecba7cea29f285c6a820de189 Author: Vlad Buslov Date: Mon Jun 12 09:57:09 2023 +0200 selftests/tc-testing: Fix Error: Specified qdisc kind is unknown. [ Upstream commit aef6e908b54200d04f2d77dab31509fcff2e60ae ] All TEQL tests assume that sch_teql module is loaded. Load module in tdc.sh before running qdisc tests. Fixes following example error when running tests via tdc.sh for all TEQL tests: # $ sudo ./tdc.py -d eth2 -e 84a0 # – ns/SubPlugin.__init__ # Test 84a0: Create TEQL with default setting # exit: 2 # exit: 0 # Error: Specified qdisc kind is unknown. # # -----> teardown stage *** Could not execute: “$TC qdisc del dev $DUMMY handle 1: root” # # -----> teardown stage *** Error message: “Error: Invalid handle. # " # returncode 2; expected [0] # # -----> teardown stage *** Aborting test run. # # <_io.BufferedReader name=3> *** stdout *** # # <_io.BufferedReader name=5> *** stderr *** # "-----> teardown stage” did not complete successfully # Exception ('teardown’, 'Error: Specified qdisc kind is unknown.\n’, '”-----> teardown stage” did not complete successfully’) (caught in test_runner, running test 2 84a0 Create TEQL with default setting stage teardown) # --------------- # traceback # File "/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 495, in test_runner # res = run_one_test(pm, args, index, tidx) # File “/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 434, in run_one_test # prepare_env(args, pm, 'teardown’, '-----> teardown stage’, tidx[‘teardown’], procout) # File “/images/src/linux/tools/testing/selftests/tc-testing/./tdc.py", line 245, in prepare_env # raise PluginMgrTestFail( # --------------- # accumulated output for this test: # Error: Specified qdisc kind is unknown. # # --------------- # # All test results: # # 1…1 # ok 1 84a0 - Create TEQL with default setting # skipped - "-----> teardown stage” did not complete successfully Fixes: cc62fbe114c9 (“selftests/tc-testing: add selftests for teql qdisc”) Signed-off-by: Vlad Buslov Reviewed-by: Victor Nogueira Reviewed-by: Pedro Tammela Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 019d9b7d5dc2cc5ac0e94918f6b4c750d449af7b Author: Dan Carpenter Date: Mon Jun 12 10:18:50 2023 +0300 net: ethernet: ti: am65-cpsw: Call of_node_put() on error path [ Upstream commit 374283a1001277e4d07491387aac1fad5aa08d43 ] This code returns directly but it should instead call of_node_put() to drop some reference counts. Fixes: dab2b265dd23 (“net: ethernet: ti: am65-cpsw: Add support for SERDES configuration”) Signed-off-by: Dan Carpenter Reviewed-by: Roger Quadros Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 8e74c4f50189a45f3eeae7256542d914cbde2223 Author: Natalia Petrova Date: Fri May 12 13:33:20 2023 +0300 drm/nouveau: add nv_encoder pointer check for NULL [ Upstream commit 55b94bb8c42464bad3d2217f6874aa1a85664eac ] Pointer nv_encoder could be dereferenced at nouveau_connector.c in case it’s equal to NULL by jumping to goto label. This patch adds a NULL-check to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 3195c5f9784a (“drm/nouveau: set encoder for lvds”) Signed-off-by: Natalia Petrova Reviewed-by: Lyude Paul [Fixed patch title] Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Sasha Levin commit 61a69025acf0d14abb11e9462ced7caaa50c17a7 Author: Natalia Petrova Date: Fri May 12 14:15:26 2023 +0300 drm/nouveau/dp: check for NULL nv_connector->native_mode [ Upstream commit 20a2ce87fbaf81e4c3dcb631d738e423959eb320 ] Add checking for NULL before calling nouveau_connector_detect_depth() in nouveau_connector_get_modes() function because nv_connector->native_mode could be dereferenced there since connector pointer passed to nouveau_connector_detect_depth() and the same value of nv_connector->native_mode is used there. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: d4c2c99bdc83 (“drm/nouveau/dp: remove broken display depth function, use the improved one”) Signed-off-by: Natalia Petrova Reviewed-by: Lyude Paul Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Sasha Levin commit b59231e8afa04e03a18046f0d3f63df361c43355 Author: Su Hui Date: Thu Jun 8 09:24:43 2023 +0800 drm/bridge: ti-sn65dsi86: Avoid possible buffer overflow [ Upstream commit 95011f267c44a4d1f9ca1769e8a29ab2c559e004 ] Smatch error:buffer overflow ‘ti_sn_bridge_refclk_lut’ 5 <= 5. Fixes: cea86c5bb442 (“drm/bridge: ti-sn65dsi86: Implement the pwm_chip”) Signed-off-by: Su Hui Reviewed-by: Douglas Anderson Signed-off-by: Douglas Anderson Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Sasha Levin commit b77d8c97fc7d53857829bd2db73fa4a9d64e6240 Author: Ratchanan Srirattanamet Date: Wed May 24 04:11:56 2023 +0700 drm/nouveau: don’t detect DSM for non-NVIDIA device [ Upstream commit 11d24327c2d7ad7f24fcc44fb00e1fa91ebf6525 ] The call site of nouveau_dsm_pci_probe() uses single set of output variables for all invocations. So, we must not write anything to them unless it’s an NVIDIA device. Otherwise, if we are called with another device after the NVIDIA device, we’ll clober the result of the NVIDIA device. For example, if the other device doesn’t have _PR3 resources, the detection later would miss the presence of power resource support, and the rest of the code will keep using Optimus DSM, breaking power management for that machine. Also, because we’re detecting NVIDIA’s DSM, it doesn’t make sense to run this detection on a non-NVIDIA device anyway. Thus, check at the beginning of the detection code if this is an NVIDIA card, and just return if it isn’t. This, together with commit d22915d22ded (“drm/nouveau/devinit/tu102-: wait for GFW_BOOT_PROGRESS == COMPLETED”) developed independently and landed earlier, fixes runtime power management of the NVIDIA card in Lenovo Legion 5-15ARH05. Without this patch, the GPU resumption code will “timeout", sometimes hanging userspace. As a bonus, we’ll also stop preventing _PR3 usage from the bridge for unrelated devices, which is always nice, I guess. Fixes: ccfc2d5cdb02 (“drm/nouveau: Use generic helper to check _PR3 presence”) Signed-off-by: Ratchanan Srirattanamet Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/79 Reviewed-by: Karol Herbst Signed-off-by: Karol Herbst Link: https://patchwork.freedesktop.org/patch/msgid/DM6PR19MB2780805D4BE1E3F9B3AC96D0BC409@DM6PR19MB2780.namprd19.prod.outlook.com Signed-off-by: Sasha Levin commit 264f7236f80d811eda580228b20468b0f9561cf1 Author: Maxime Chevallier Date: Fri Jun 9 10:03:05 2023 +0200 net: phylink: use a dedicated helper to parse usgmii control word [ Upstream commit 923454c0368b8092e9d05c020f50abca577e7290 ] Q-USGMII is a derivative of USGMII, that uses a specific formatting for the control word. The layout is close to the USXGMII control word, but doesn’t support speeds over 1Gbps. Use a dedicated decoding logic for the USGMII control word, re-using USXGMII definitions but only considering 10/100/1000Mbps speeds Fixes: 5e61fe157a27 (“net: phy: Introduce QUSGMII PHY mode”) Signed-off-by: Maxime Chevallier Reviewed-by: Russell King (Oracle) Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit efb1315eb06ffd8169d609ab68df667ed68d94ae Author: Maxime Chevallier Date: Fri Jun 9 10:03:04 2023 +0200 net: phylink: report correct max speed for QUSGMII [ Upstream commit b9dc1046edfeb7d9dbc2272c8d9ad5a8c47f3199 ] Q-USGMII is the quad port version of USGMII, and supports a max speed of 1Gbps on each line. Make so that phylink_interface_max_speed() reports this information correctly. Fixes: ae0e4bb2a0e0 (“net: phylink: Adjust link settings based on rate matching”) Signed-off-by: Maxime Chevallier Reviewed-by: Russell King (Oracle) Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 85f0c05f17da43337dad0707e73cd8f441ee5586 Author: Aleksandr Loktionov Date: Tue Apr 25 17:44:14 2023 +0200 igb: fix nvm.ops.read() error handling [ Upstream commit 48a821fd58837800750ec1b3962f0f799630a844 ] Add error handling into igb_set_eeprom() function, in case nvm.ops.read() fails just quit with error code asap. Fixes: 9d5c824399de (“igb: PCI-Express 82575 Gigabit Ethernet driver”) Signed-off-by: Aleksandr Loktionov Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 8bd9a42614a4895ad002bf89856dbb0baafa85a6 Author: Vinicius Costa Gomes Date: Mon Apr 17 15:18:39 2023 -0700 igc: Fix possible system crash when loading module [ Upstream commit c080fe262f9e73a00934b70c16b1479cf40cd2bd ] Guarantee that when probe() is run again, PTM and PCI busmaster will be in the same state as it was if the driver was never loaded. Avoid an i225/i226 hardware issue that PTM requests can be made even though PCI bus mastering is not enabled. These unexpected PTM requests can crash some systems. So, “force” disable PTM and busmastering before removing the driver, so they can be re-enabled in the right order during probe(). This is more like a workaround and should be applicable for i225 and i226, in any platform. Fixes: 1b5d73fb8624 (“igc: Enable PCIe PTM”) Signed-off-by: Vinicius Costa Gomes Reviewed-by: Muhammad Husaini Zulkifli Tested-by: Naama Meir Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit eb22ce98c2fcf5e4a81d17b7f69262ae9324788d Author: Muhammad Husaini Zulkifli Date: Mon May 15 23:49:36 2023 +0800 igc: Clean the TX buffer and TX descriptor ring [ Upstream commit e43516f5978d11d36511ce63d31d1da4db916510 ] There could be a race condition during link down where interrupt being generated and igc_clean_tx_irq() been called to perform the TX completion. Properly clear the TX buffer/descriptor ring and disable the TX Queue ring in igc_free_tx_resources() to avoid that. Kernel trace: [ 108.237177] Hardware name: Intel Corporation Tiger Lake Client Platform/TigerLake U DDR4 SODIMM RVP, BIOS TGLIFUI1.R00.4204.A00.2105270302 05/27/2021 [ 108.237178] RIP: 0010:refcount_warn_saturate+0x55/0x110 [ 108.242143] RSP: 0018:ffff9e7980003db0 EFLAGS: 00010286 [ 108.245555] Code: 84 bc 00 00 00 c3 cc cc cc cc 85 f6 74 46 80 3d 20 8c 4d 01 00 75 ee 48 c7 c7 88 f4 03 ab c6 05 10 8c 4d 01 01 e8 0b 10 96 ff <0f> 0b c3 cc cc cc cc 80 3d fc 8b 4d 01 00 75 cb 48 c7 c7 b0 f4 03 [ 108.250434] [ 108.250434] RSP: 0018:ffff9e798125f910 EFLAGS: 00010286 [ 108.254358] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 108.259325] [ 108.259325] RAX: 0000000000000000 RBX: ffff8ddb935b8000 RCX: 0000000000000027 [ 108.261868] RDX: ffff8de250a28800 RSI: ffff8de250a1c580 RDI: ffff8de250a1c580 [ 108.265538] RDX: 0000000000000027 RSI: 0000000000000002 RDI: ffff8de250a9c588 [ 108.265539] RBP: ffff8ddb935b8000 R08: ffffffffab2655a0 R09: ffff9e798125f898 [ 108.267914] RBP: ffff8ddb8a5b8d80 R08: 0000005648eba354 R09: 0000000000000000 [ 108.270196] R10: 0000000000000001 R11: 000000002d2d2d2d R12: ffff9e798125f948 [ 108.270197] R13: ffff9e798125fa1c R14: ffff8ddb8a5b8d80 R15: 7fffffffffffffff [ 108.273001] R10: 000000002d2d2d2d R11: 000000002d2d2d2d R12: ffff8ddb8a5b8ed4 [ 108.276410] FS: 00007f605851b740(0000) GS:ffff8de250a80000(0000) knlGS:0000000000000000 [ 108.280597] R13: 00000000000002ac R14: 00000000ffffff99 R15: ffff8ddb92561b80 [ 108.282966] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 108.282967] CR2: 00007f053c039248 CR3: 0000000185850003 CR4: 0000000000f70ee0 [ 108.286206] FS: 0000000000000000(0000) GS:ffff8de250a00000(0000) knlGS:0000000000000000 [ 108.289701] PKRU: 55555554 [ 108.289702] Call Trace: [ 108.289704] [ 108.293977] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 108.297562] sock_alloc_send_pskb+0x20c/0x240 [ 108.301494] CR2: 00007f053c03a168 CR3: 0000000184394002 CR4: 0000000000f70ef0 [ 108.301495] PKRU: 55555554 [ 108.306464] __ip_append_data.isra.0+0x96f/0x1040 [ 108.309441] Call Trace: [ 108.309443] ? __pfx_ip_generic_getfrag+0x10/0x10 [ 108.314927] [ 108.314928] sock_wfree+0x1c7/0x1d0 [ 108.318078] ? __pfx_ip_generic_getfrag+0x10/0x10 [ 108.320276] skb_release_head_state+0x32/0x90 [ 108.324812] ip_make_skb+0xf6/0x130 [ 108.327188] skb_release_all+0x16/0x40 [ 108.330775] ? udp_sendmsg+0x9f3/0xcb0 [ 108.332626] napi_consume_skb+0x48/0xf0 [ 108.334134] ? xfrm_lookup_route+0x23/0xb0 [ 108.344285] igc_poll+0x787/0x1620 [igc] [ 108.346659] udp_sendmsg+0x9f3/0xcb0 [ 108.360010] ? ttwu_do_activate+0x40/0x220 [ 108.365237] ? __pfx_ip_generic_getfrag+0x10/0x10 [ 108.366744] ? try_to_wake_up+0x289/0x5e0 [ 108.376987] ? sock_sendmsg+0x81/0x90 [ 108.395698] ? __pfx_process_timeout+0x10/0x10 [ 108.395701] sock_sendmsg+0x81/0x90 [ 108.409052] __napi_poll+0x29/0x1c0 [ 108.414279] ____sys_sendmsg+0x284/0x310 [ 108.419507] net_rx_action+0x257/0x2d0 [ 108.438216] ___sys_sendmsg+0x7c/0xc0 [ 108.439723] __do_softirq+0xc1/0x2a8 [ 108.444950] ? finish_task_switch+0xb4/0x2f0 [ 108.452077] irq_exit_rcu+0xa9/0xd0 [ 108.453584] ? __schedule+0x372/0xd00 [ 108.460713] common_interrupt+0x84/0xa0 [ 108.467840] ? clockevents_program_event+0x95/0x100 [ 108.474968] [ 108.482096] ? do_nanosleep+0x88/0x130 [ 108.489224] [ 108.489225] asm_common_interrupt+0x26/0x40 [ 108.496353] ? __rseq_handle_notify_resume+0xa9/0x4f0 [ 108.503478] RIP: 0010:cpu_idle_poll+0x2c/0x100 [ 108.510607] __sys_sendmsg+0x5d/0xb0 [ 108.518687] Code: 05 e1 d9 c8 00 65 8b 15 de 64 85 55 85 c0 7f 57 e8 b9 ef ff ff fb 65 48 8b 1c 25 00 cc 02 00 48 8b 03 a8 08 74 0b eb 1c f3 90 <48> 8b 03 a8 08 75 13 8b 05 77 63 cd 00 85 c0 75 ed e8 ce ec ff ff [ 108.525817] do_syscall_64+0x44/0xa0 [ 108.531563] RSP: 0018:ffffffffab203e70 EFLAGS: 00000202 [ 108.538693] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 108.546775] [ 108.546777] RIP: 0033:0x7f605862b7f7 [ 108.549495] RAX: 0000000000000001 RBX: ffffffffab20c940 RCX: 000000000000003b [ 108.551955] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 [ 108.554068] RDX: 4000000000000000 RSI: 000000002da97f6a RDI: 00000000002b8ff4 [ 108.559816] RSP: 002b:00007ffc99264058 EFLAGS: 00000246 [ 108.564178] RBP: 0000000000000000 R08: 00000000002b8ff4 R09: ffff8ddb01554c80 [ 108.571302] ORIG_RAX: 000000000000002e [ 108.571303] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f605862b7f7 [ 108.574023] R10: 000000000000015b R11: 000000000000000f R12: ffffffffab20c940 [ 108.574024] R13: 0000000000000000 R14: ffff8de26fbeef40 R15: ffffffffab20c940 [ 108.578727] RDX: 0000000000000000 RSI: 00007ffc992640a0 RDI: 0000000000000003 [ 108.578728] RBP: 00007ffc99264110 R08: 0000000000000000 R09: 175f48ad1c3a9c00 [ 108.581187] do_idle+0x62/0x230 [ 108.585890] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc992642d8 [ 108.585891] R13: 00005577814ab2ba R14: 00005577814addf0 R15: 00007f605876d000 [ 108.587920] cpu_startup_entry+0x1d/0x20 [ 108.591422] [ 108.596127] rest_init+0xc5/0xd0 [ 108.600490] —[ end trace 0000000000000000 ]— Test Setup: DUT: - Change mac address on DUT Side. Ensure NIC not having same MAC Address - Running udp_tai on DUT side. Let udp_tai running throughout the test Example: ./udp_tai -i enp170s0 -P 100000 -p 90 -c 1 -t 0 -u 30004 Host: - Perform link up/down every 5 second. Result: Kernel panic will happen on DUT Side. Fixes: 13b5b7fd6a4a (“igc: Add support for Tx/Rx rings”) Signed-off-by: Muhammad Husaini Zulkifli Tested-by: Naama Meir Reviewed-by: Maciej Fijalkowski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 370cacd9b193cddea5e25f0d540345c56879e4e2 Author: Dan Carpenter Date: Fri Jun 9 14:05:19 2023 +0300 sctp: fix an error code in sctp_sf_eat_auth() [ Upstream commit 75e6def3b26736e7ff80639810098c9074229737 ] The sctp_sf_eat_auth() function is supposed to enum sctp_disposition values and returning a kernel error code will cause issues in the caller. Change -ENOMEM to SCTP_DISPOSITION_NOMEM. Fixes: 65b07e5d0d09 ("[SCTP]: API updates to suport SCTP-AUTH extensions.”) Signed-off-by: Dan Carpenter Acked-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 42511198ce9b56da1b13ea171f86dec42823e2c0 Author: Hangbin Liu Date: Fri Jun 9 17:15:02 2023 +0800 ipvlan: fix bound dev checking for IPv6 l3s mode [ Upstream commit ce57adc222aba32431c42632b396e9213d0eb0b8 ] The commit 59a0b022aa24 (“ipvlan: Make skb->skb_iif track skb->dev for l3s mode”) fixed ipvlan bonded dev checking by updating skb skb_iif. This fix works for IPv4, as in raw_v4_input() the dif is from inet_iif(skb), which is skb->skb_iif when there is no route. But for IPv6, the fix is not enough, because in ipv6_raw_deliver() -> raw_v6_match(), the dif is inet6_iif(skb), which is returns IP6CB(skb)->iif instead of skb->skb_iif if it’s not a l3_slave. To fix the IPv6 part issue. Let’s set IP6CB(skb)->iif to correct ifindex. BTW, ipvlan handles NS/NA specifically. Since it works fine, I will not reset IP6CB(skb)->iif when addr->atype is IPVL_ICMPV6. Fixes: c675e06a98a4 (“ipvlan: decouple l3s mode dependencies from other modes”) Link: https://bugzilla.redhat.com/show_bug.cgi?id=2196710 Signed-off-by: Hangbin Liu Reviewed-by: Larysa Zaremba Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fff9253c6fcea13d363342c5400d57e07cd03788 Author: Benjamin Berg Date: Sun Jun 11 12:14:29 2023 +0300 wifi: mac80211: fragment per STA profile correctly [ Upstream commit d094482c9974a543851a18a1c587a7d132a81659 ] When fragmenting the ML per STA profile, the element ID should be IEEE80211_MLE_SUBELEM_PER_STA_PROFILE rather than WLAN_EID_FRAGMENT. Change the helper function to take the to be used element ID and pass the appropriate value for each of the fragmentation levels. Fixes: 81151ce462e5 (“wifi: mac80211: support MLO authentication/association with one link”) Signed-off-by: Benjamin Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230611121219.9b5c793d904b.I7dad952bea8e555e2f3139fbd415d0cd2b3a08c3@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 1ce8b510a6c6073baceb7a38ba98d1d1e0f8c7cb Author: Jakub Kicinski Date: Thu Jun 8 09:23:44 2023 -0700 net: ethtool: correct MAX attribute value for stats [ Upstream commit 52f79609c0c5b25fddb88e85f25ce08aa7e3fb42 ] When compiling YNL generated code compiler complains about array-initializer-out-of-bounds. Turns out the MAX value for STATS_GRP uses the value for STATS. This may lead to random corruptions in user space (kernel itself doesn’t use this value as it never parses stats). Fixes: f09ea6fb1272 (“ethtool: add a new command for reading standard stats”) Signed-off-by: Jakub Kicinski Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2f884e6df67347301e51e6be5ad4b61cc8989114 Author: Saravanan Vajravel Date: Tue Jun 6 03:25:31 2023 -0700 IB/isert: Fix incorrect release of isert connection [ Upstream commit 699826f4e30ab76a62c238c86fbef7e826639c8d ] The ib_isert module is releasing the isert connection both in isert_wait_conn() handler as well as isert_free_conn() handler. In isert_wait_conn() handler, it is expected to wait for iSCSI session logout operation to complete. It should free the isert connection only in isert_free_conn() handler. When a bunch of iSER target is cleared, this issue can lead to use-after-free memory issue as isert conn is twice released Fixes: b02efbfc9a05 (“iser-target: Fix implicit termination of connections”) Reviewed-by: Sagi Grimberg Signed-off-by: Saravanan Vajravel Signed-off-by: Selvin Xavier Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit fb0f216bf043476782ee07e7a2bb420767ee58d8 Author: Saravanan Vajravel Date: Tue Jun 6 03:25:30 2023 -0700 IB/isert: Fix possible list corruption in CMA handler [ Upstream commit 7651e2d6c5b359a28c2d4c904fec6608d1021ca8 ] When ib_isert module receives connection error event, it is releasing the isert session and removes corresponding list node but it doesn’t take appropriate mutex lock to remove the list node. This can lead to linked list corruption Fixes: bd3792205aae (“iser-target: Fix pending connections handling in target stack shutdown sequnce”) Signed-off-by: Selvin Xavier Signed-off-by: Saravanan Vajravel Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit d578ba2d9cd150c2857255209deea9efc887f7c9 Author: Saravanan Vajravel Date: Tue Jun 6 03:25:29 2023 -0700 IB/isert: Fix dead lock in ib_isert [ Upstream commit 691b0480933f0ce88a81ed1d1a0aff340ff6293a ] - When a iSER session is released, ib_isert module is taking a mutex lock and releasing all pending connections. As part of this, ib_isert is destroying rdma cm_id. To destroy cm_id, rdma_cm module is sending CM events to CMA handler of ib_isert. This handler is taking same mutex lock. Hence it leads to deadlock between ib_isert & rdma_cm modules. - For fix, created local list of pending connections and release the connection outside of mutex lock. Calltrace: --------- [ 1229.791410] INFO: task kworker/10:1:642 blocked for more than 120 seconds. [ 1229.791416] Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1 [ 1229.791418] “echo 0 > /proc/sys/kernel/hung_task_timeout_secs” disables this message. [ 1229.791419] task:kworker/10:1 state:D stack: 0 pid: 642 ppid: 2 flags:0x80004000 [ 1229.791424] Workqueue: ib_cm cm_work_handler [ib_cm] [ 1229.791436] Call Trace: [ 1229.791438] __schedule+0x2d1/0x830 [ 1229.791445] ? select_idle_sibling+0x23/0x6f0 [ 1229.791449] schedule+0x35/0xa0 [ 1229.791451] schedule_preempt_disabled+0xa/0x10 [ 1229.791453] __mutex_lock.isra.7+0x310/0x420 [ 1229.791456] ? select_task_rq_fair+0x351/0x990 [ 1229.791459] isert_cma_handler+0x224/0x330 [ib_isert] [ 1229.791463] ? ttwu_queue_wakelist+0x159/0x170 [ 1229.791466] cma_cm_event_handler+0x25/0xd0 [rdma_cm] [ 1229.791474] cma_ib_handler+0xa7/0x2e0 [rdma_cm] [ 1229.791478] cm_process_work+0x22/0xf0 [ib_cm] [ 1229.791483] cm_work_handler+0xf4/0xf30 [ib_cm] [ 1229.791487] ? move_linked_works+0x6e/0xa0 [ 1229.791490] process_one_work+0x1a7/0x360 [ 1229.791491] ? create_worker+0x1a0/0x1a0 [ 1229.791493] worker_thread+0x30/0x390 [ 1229.791494] ? create_worker+0x1a0/0x1a0 [ 1229.791495] kthread+0x10a/0x120 [ 1229.791497] ? set_kthread_struct+0x40/0x40 [ 1229.791499] ret_from_fork+0x1f/0x40 [ 1229.791739] INFO: task targetcli:28666 blocked for more than 120 seconds. [ 1229.791740] Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1 [ 1229.791741] “echo 0 > /proc/sys/kernel/hung_task_timeout_secs” disables this message. [ 1229.791742] task:targetcli state:D stack: 0 pid:28666 ppid: 5510 flags:0x00004080 [ 1229.791743] Call Trace: [ 1229.791744] __schedule+0x2d1/0x830 [ 1229.791746] schedule+0x35/0xa0 [ 1229.791748] schedule_preempt_disabled+0xa/0x10 [ 1229.791749] __mutex_lock.isra.7+0x310/0x420 [ 1229.791751] rdma_destroy_id+0x15/0x20 [rdma_cm] [ 1229.791755] isert_connect_release+0x115/0x130 [ib_isert] [ 1229.791757] isert_free_np+0x87/0x140 [ib_isert] [ 1229.791761] iscsit_del_np+0x74/0x120 [iscsi_target_mod] [ 1229.791776] lio_target_np_driver_store+0xe9/0x140 [iscsi_target_mod] [ 1229.791784] configfs_write_file+0xb2/0x110 [ 1229.791788] vfs_write+0xa5/0x1a0 [ 1229.791792] ksys_write+0x4f/0xb0 [ 1229.791794] do_syscall_64+0x5b/0x1a0 [ 1229.791798] entry_SYSCALL_64_after_hwframe+0x65/0xca Fixes: bd3792205aae (“iser-target: Fix pending connections handling in target stack shutdown sequnce”) Reviewed-by: Sagi Grimberg Signed-off-by: Selvin Xavier Signed-off-by: Saravanan Vajravel Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 58b5965c0d5aba1f905062faf4d8a8d7256b3a12 Author: Mark Bloch Date: Mon Jun 5 13:33:26 2023 +0300 RDMA/mlx5: Fix affinity assignment [ Upstream commit 617f5db1a626f18d5cbb7c7faf7bf8f9ea12be78 ] The cited commit aimed to ensure that Virtual Functions (VFs) assign a queue affinity to a Queue Pair (QP) to distribute traffic when the LAG master creates a hardware LAG. If the affinity was set while the hardware was not in LAG, the firmware would ignore the affinity value. However, this commit unintentionally assigned an affinity to QPs on the LAG master’s VPORT even if the RDMA device was not marked as LAG-enabled. In most cases, this was not an issue because when the hardware entered hardware LAG configuration, the RDMA device of the LAG master would be destroyed and a new one would be created, marked as LAG-enabled. The problem arises when a user configures Equal-Cost Multipath (ECMP). In ECMP mode, traffic can be directed to different physical ports based on the queue affinity, which is intended for use by VPORTS other than the E-Switch manager. ECMP mode is supported only if both E-Switch managers are in switchdev mode and the appropriate route is configured via IP. In this configuration, the RDMA device is not destroyed, and we retain the RDMA device that is not marked as LAG-enabled. To ensure correct behavior, Send Queues (SQs) opened by the E-Switch manager through verbs should be assigned strict affinity. This means they will only be able to communicate through the native physical port associated with the E-Switch manager. This will prevent the firmware from assigning affinity and will not allow the SQs to be remapped in case of failover. Fixes: 802dcc7fc5ec (“RDMA/mlx5: Support TX port affinity for VF drivers in LAG mode”) Reviewed-by: Maor Gottlieb Signed-off-by: Mark Bloch Link: https://lore.kernel.org/r/425b05f4da840bc684b0f7e8ebf61aeb5cef09b0.1685960567.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 422c4d8cc67a12d5e3b272237d557f802e3e7663 Author: Yishai Hadas Date: Mon Jun 5 13:33:25 2023 +0300 IB/uverbs: Fix to consider event queue closing also upon non-blocking mode [ Upstream commit 62fab312fa1683e812e605db20d4f22de3e3fb2f ] Fix ib_uverbs_event_read() to consider event queue closing also upon non-blocking mode. Once the queue is closed (e.g. hot-plug flow) all the existing events are cleaned-up as part of ib_uverbs_free_event_queue(). An application that uses the non-blocking FD mode should get -EIO in that case to let it knows that the device was removed already. Otherwise, it can loose the indication that the device was removed and won’t recover. As part of that, refactor the code to have a single flow with regards to ‘is_closed’ for both blocking and non-blocking modes. Fixes: 14e23bd6d221 (“RDMA/core: Fix locking in ib_uverbs_event_read”) Reviewed-by: Maor Gottlieb Signed-off-by: Yishai Hadas Link: https://lore.kernel.org/r/97b00116a1e1e13f8dc4ec38a5ea81cf8c030210.1685960567.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 61c0e08b4a3356c4909db1ff3b944b5536fa60b7 Author: Mark Zhang Date: Mon Jun 5 13:33:23 2023 +0300 RDMA/cma: Always set static rate to 0 for RoCE [ Upstream commit 58030c76cce473b6cfd630bbecb97215def0dff8 ] Set static rate to 0 as it should be discovered by path query and has no meaning for RoCE. This also avoid of using the rtnl lock and ethtool API, which is a bottleneck when try to setup many rdma-cm connections at the same time, especially with multiple processes. Fixes: 3c86aa70bf67 (“RDMA/cm: Add RDMA CM support for IBoE devices”) Signed-off-by: Mark Zhang Link: https://lore.kernel.org/r/f72a4f8b667b803aee9fa794069f61afb5839ce4.1685960567.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 5e118e20170d9b754344f0293e40a39aae40ceb8 Author: Mark Bloch Date: Mon Jun 5 13:33:18 2023 +0300 RDMA/mlx5: Create an indirect flow table for steering anchor [ Upstream commit e1f4a52ac171dd863fe89055e749ef5e0a0bc5ce ] A misbehaved user can create a steering anchor that points to a kernel flow table and then destroy the anchor without freeing the associated STC. This creates a problem as the kernel can’t destroy the flow table since there is still a reference to it. As a result, this can exhaust all available flow table resources, preventing other users from using the RDMA device. To prevent this problem, a solution is implemented where a special flow table with two steering rules is created when a user creates a steering anchor for the first time. The rules include one that drops all traffic and another that points to the kernel flow table. If the steering anchor is destroyed, only the rule pointing to the kernel’s flow table is removed. Any traffic reaching the special flow table after that is dropped. Since the special flow table is not destroyed when the steering anchor is destroyed, any issues are prevented from occurring. The remaining resources are only destroyed when the RDMA device is destroyed, which happens after all DEVX objects are freed, including the STCs, thus mitigating the issue. Fixes: 0c6ab0ca9a66 (“RDMA/mlx5: Expose steering anchor to userspace”) Signed-off-by: Mark Bloch Reviewed-by: Maor Gottlieb Link: https://lore.kernel.org/r/b4a88a871d651fa4e8f98d552553c1cfe9ba2cd6.1685960567.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 5e4a7b06c037d0f28c9560f92e790049b126c013 Author: Maher Sanalla Date: Mon Jun 5 13:33:17 2023 +0300 RDMA/mlx5: Initiate dropless RQ for RAW Ethernet functions [ Upstream commit ee4d269eccfea6c17b18281bef482700d898e86f ] Delay drop data is initiated for PFs that have the capability of rq_delay_drop and are in roce profile. However, PFs with RAW ethernet profile do not initiate delay drop data on function load, causing kernel panic if delay drop struct members are accessed later on in case a dropless RQ is created. Thus, stage the delay drop initialization as part of RAW ethernet PF loading process. Fixes: b5ca15ad7e61 (“IB/mlx5: Add proper representors support”) Signed-off-by: Maher Sanalla Reviewed-by: Maor Gottlieb Link: https://lore.kernel.org/r/2e9d386785043d48c38711826eb910315c1de141.1685960567.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 05d044d686c9b6219b23827be08c1e57001837d2 Author: Nithin Dabilpuram Date: Thu Jun 8 17:12:01 2023 +0530 octeontx2-af: fix lbk link credits on cn10k [ Upstream commit 87e12a17eef476bbf768dc3a74419ad461f36fbc ] Fix LBK link credits on CN10K to be same as CN9K i.e 16 * MAX_LBK_DATA_RATE instead of current scheme of calculation based on LBK buf length / FIFO size. Fixes: 6e54e1c5399a (“octeontx2-af: cn10K: Add MTU configuration”) Signed-off-by: Nithin Dabilpuram Signed-off-by: Naveen Mamindlapalli Reviewed-by: Sridhar Samudrala Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4f08f987f7998dab3b45ea96732d75b5fa9b691b Author: Satha Rao Date: Thu Jun 8 17:12:00 2023 +0530 octeontx2-af: fixed resource availability check [ Upstream commit 4e635f9d86165e47f5440196f2ebdb258efb8341 ] txschq_alloc response have two different arrays to store continuous and non-continuous schedulers of each level. Requested count should be checked for each array separately. Fixes: 5d9b976d4480 (“octeontx2-af: Support fixed transmit scheduler topology”) Signed-off-by: Satha Rao Signed-off-by: Sunil Kovvuri Goutham Signed-off-by: Naveen Mamindlapalli Reviewed-by: Sridhar Samudrala Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 920f87848f19c1fd5215bc28c52fb5907a2452c4 Author: Ahmed Zaki Date: Thu Jun 8 13:02:26 2023 -0700 iavf: remove mask from iavf_irq_enable_queues() [ Upstream commit c37cf54c12cfaa51e7aaf88708167b0d3259e64e ] Enable more than 32 IRQs by removing the u32 bit mask in iavf_irq_enable_queues(). There is no need for the mask as there are no callers that select individual IRQs through the bitmask. Also, if the PF allocates more than 32 IRQs, this mask will prevent us from using all of them. Modify the comment in iavf_register.h to show that the maximum number allowed for the IRQ index is 63 as per the iAVF standard 1.0 [1]. link: [1] https://www.intel.com/content/dam/www/public/us/en/documents/product-specifications/ethernet-adaptive-virtual-function-hardware-spec.pdf Fixes: 5eae00c57f5e (“i40evf: main driver core”) Signed-off-by: Ahmed Zaki Tested-by: Rafal Romanowski Reviewed-by: Simon Horman Reviewed-by: Maciej Fijalkowski Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2896bf8589414b3e860e2d49e35c5bc6b9bfe4ff Author: Zhu Yanjun Date: Fri Jun 2 11:54:08 2023 +0800 RDMA/rxe: Fix the use-before-initialization error of resp_pkts [ Upstream commit 2a62b6210ce876c596086ab8fd4c8a0c3d10611a ] In the following: Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 assign_lock_key kernel/locking/lockdep.c:982 [inline] register_lock_class+0xdb6/0x1120 kernel/locking/lockdep.c:1295 __lock_acquire+0x10a/0x5df0 kernel/locking/lockdep.c:4951 lock_acquire kernel/locking/lockdep.c:5691 [inline] lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5656 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162 skb_dequeue+0x20/0x180 net/core/skbuff.c:3639 drain_resp_pkts drivers/infiniband/sw/rxe/rxe_comp.c:555 [inline] rxe_completer+0x250d/0x3cc0 drivers/infiniband/sw/rxe/rxe_comp.c:652 rxe_qp_do_cleanup+0x1be/0x820 drivers/infiniband/sw/rxe/rxe_qp.c:761 execute_in_process_context+0x3b/0x150 kernel/workqueue.c:3473 __rxe_cleanup+0x21e/0x370 drivers/infiniband/sw/rxe/rxe_pool.c:233 rxe_create_qp+0x3f6/0x5f0 drivers/infiniband/sw/rxe/rxe_verbs.c:583 This is a use-before-initialization problem. It happens because rxe_qp_do_cleanup is called during error unwind before the struct has been fully initialized. Move the initialization of the skb earlier. Fixes: 8700e3e7c485 (“Soft RoCE driver”) Link: https://lore.kernel.org/r/[email protected] Reported-by: [email protected] Signed-off-by: Zhu Yanjun Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e16449d3daae91f2d4337eb7841f50370894ac27 Author: Benjamin Berg Date: Thu Jun 8 16:36:02 2023 +0300 wifi: mac80211: take lock before setting vif links [ Upstream commit 15846f95ab01b71fdb1cef8df73680aad41edf70 ] ieee80211_vif_set_links requires the sdata->local->mtx lock to be held. Add the appropriate locking around the calls in both the link add and remove handlers. This causes a warning when e.g. ieee80211_link_release_channel is called via ieee80211_link_stop from ieee80211_vif_update_links. Fixes: 0d8c4a3c8688 (“wifi: mac80211: implement add/del interface link callbacks”) Signed-off-by: Benjamin Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230608163202.fa0c6597fdad.I83dd70359f6cda30f86df8418d929c2064cf4995@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 10b957e6651fb862195c1e4fe3a7f8eaac7f7dc8 Author: Benjamin Berg Date: Thu Jun 8 16:36:01 2023 +0300 wifi: cfg80211: fix link del callback to call correct handler [ Upstream commit 1ff56684fa8682bdfbbce4e12cf67ab23cb1db05 ] The wrapper function was incorrectly calling the add handler instead of the del handler. This had no negative side effect as the default handlers are essentially identical. Fixes: f2a0290b2df2 (“wifi: cfg80211: add optional link add/remove callbacks”) Signed-off-by: Benjamin Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230608163202.ebd00e000459.Iaff7dc8d1cdecf77f53ea47a0e5080caa36ea02a@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 448933e8df091a7d8a278944a836c4fd88321c9c Author: Johannes Berg Date: Thu Jun 8 16:35:59 2023 +0300 wifi: mac80211: fix link activation settings order [ Upstream commit 01605ad6c3e8608d7e147c9b75d67eb8a3d27d88 ] In the normal MLME code we always call ieee80211_mgd_set_link_qos_params() before ieee80211_link_info_change_notify() and some drivers, notably iwlwifi, rely on that as they don’t do anything (but store the data) in their conf_tx. Fix the order here to be the same as in the normal code paths, so this isn’t broken. Fixes: 3d9011029227 (“wifi: mac80211: implement link switching”) Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230608163202.a2a86bba2f80.Iac97e04827966d22161e63bb6e201b4061e9651b@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 4efd555a43dc24f3342bcc036522c430f5869e6f Author: Lee Jones Date: Thu Jun 8 08:29:03 2023 +0100 net/sched: cls_u32: Fix reference counter leak leading to overflow [ Upstream commit 04c55383fa5689357bcdd2c8036725a55ed632bc ] In the event of a failure in tcf_change_indev(), u32_set_parms() will immediately return without decrementing the recently incremented reference counter. If this happens enough times, the counter will rollover and the reference freed, leading to a double free which can be used to do 'bad things’. In order to prevent this, move the point of possible failure above the point where the reference counter is incremented. Also save any meaningful return values to be applied to the return data at the appropriate point in time. This issue was caught with KASAN. Fixes: 705c7091262d (“net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct”) Suggested-by: Eric Dumazet Signed-off-by: Lee Jones Reviewed-by: Eric Dumazet Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 10b2933325d2b5c1b11eb014a10319f927297ffa Author: Zhengchao Shao Date: Thu Jun 8 14:27:56 2023 +0800 net/sched: taprio: fix slab-out-of-bounds Read in taprio_dequeue_from_txq [ Upstream commit be3618d9651002cd5ff190dbfc6cf78f03e34e27 ] As shown in [1], out-of-bounds access occurs in two cases: 1)when the qdisc of the taprio type is used to replace the previously configured taprio, count and offset in tc_to_txq can be set to 0. In this case, the value of *txq in taprio_next_tc_txq() will increases continuously. When the number of accessed queues exceeds the number of queues on the device, out-of-bounds access occurs. 2)When packets are dequeued, taprio can be deleted. In this case, the tc rule of dev is cleared. The count and offset values are also set to 0. In this case, out-of-bounds access is also caused. Now the restriction on the queue number is added. [1] https://groups.google.com/g/syzkaller-bugs/c/_lYOKgkBVMg Fixes: 2f530df76c8c (“net/sched: taprio: give higher priority to higher TCs in software dequeue mode”) Reported-by: [email protected] Signed-off-by: Zhengchao Shao Tested-by: Pedro Tammela Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 407a94572eb733950e297ba78b10d5f2ee22ed1a Author: Ratheesh Kannoth Date: Thu Jun 8 10:46:25 2023 +0530 octeontx2-af: Fix promiscuous mode [ Upstream commit c0e489372a294044feea650b38f38c888eff57a4 ] CN10KB silicon introduced a new exact match feature, which is used for DMAC filtering. The state of installed DMAC filters in this exact match table is getting corrupted when promiscuous mode is toggled. Fix this by not touching Exact match related config when promiscuous mode is toggled. Fixes: 2dba9459d2c9 (“octeontx2-af: Wrapper functions for MAC addr add/del/update/reset”) Signed-off-by: Ratheesh Kannoth Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9a1d99918f33ec06b1e76a23f04df81957a2ba56 Author: Yoshihiro Shimoda Date: Thu Jun 8 10:57:27 2023 +0900 net: renesas: rswitch: Fix timestamp feature after all descriptors are used [ Upstream commit 0ad4982c520ed87ea7ebfc9381ea1f617ed75364 ] The timestamp descriptors were intended to act cyclically. Descriptors from index 0 through gq->ring_size - 1 contain actual information, and the last index (gq->ring_size) should have LINKFIX to indicate the first index 0 descriptor. However, the LINKFIX value is missing, causing the timestamp feature to stop after all descriptors are used. To resolve this issue, set the LINKFIX to the timestamp descritors. Reported-by: Phong Hoang Fixes: 33f5d733b589 (“net: renesas: rswitch: Improve TX timestamp accuracy”) Signed-off-by: Yoshihiro Shimoda Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3dcabbdb00d1e431b3579b7eaaadc5f3f504a6c4 Author: Max Tottenham Date: Wed Jun 7 12:23:54 2023 -0400 net/sched: act_pedit: Parse L3 Header for L4 offset [ Upstream commit 6c02568fd1ae53099b4ab86365c5be1ff15f586b ] Instead of relying on skb->transport_header being set correctly, opt instead to parse the L3 header length out of the L3 headers for both IPv4/IPv6 when the Extended Layer Op for tcp/udp is used. This fixes a bug if GRO is disabled, when GRO is disabled skb->transport_header is set by __netif_receive_skb_core() to point to the L3 header, it’s later fixed by the upper protocol layers, but act_pedit will receive the SKB before the fixups are completed. The existing behavior causes the following to edit the L3 header if GRO is disabled instead of the UDP header: tc filter add dev eth0 ingress protocol ip flower ip_proto udp \ dst_ip 192.168.1.3 action pedit ex munge udp set dport 18053 Also re-introduce a rate-limited warning if we were unable to extract the header offset when using the ‘ex’ interface. Fixes: 71d0ed7079df (“net/act_pedit: Support using offset relative to the conventional network headers”) Signed-off-by: Max Tottenham Reviewed-by: Josh Hunt Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/ Reviewed-by: Pedro Tammela Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cb3d30d2a46c02c687b794f18f2a32c6debf89d0 Author: Pedro Tammela Date: Fri Apr 21 18:25:16 2023 -0300 net/sched: act_pedit: remove extra check for key type [ Upstream commit 577140180ba28d0d37bc898c7bd6702c83aa106f ] The netlink parsing already validates the key 'htype’. Remove the datapath check as it’s redundant. Reviewed-by: Jamal Hadi Salim Reviewed-by: Simon Horman Signed-off-by: Pedro Tammela Signed-off-by: David S. Miller Stable-dep-of: 6c02568fd1ae (“net/sched: act_pedit: Parse L3 Header for L4 offset”) Signed-off-by: Sasha Levin commit 6c179b4d0caef6f71abbde27fc20e548e04cfc7f Author: Yuezhen Luan Date: Wed Jun 7 09:41:16 2023 -0700 igb: Fix extts capture value format for 82580/i354/i350 [ Upstream commit 6292d7436cf2f0a2ea8800a1d2cbb155d237818a ] 82580/i354/i350 features circle-counter-like timestamp registers that are different with newer i210. The EXTTS capture value in AUXTSMPx should be converted from raw circle counter value to timestamp value in resolution of 1 nanosec by the driver. This issue can be reproduced on i350 nics, connecting an 1PPS signal to a SDP pin, and run ‘ts2phc’ command to read external 1PPS timestamp value. On i210 this works fine, but on i350 the extts is not correctly converted. The i350/i354/82580’s SYSTIM and other timestamp registers are 40bit counters, presenting time range of 2^40 ns, that means these registers overflows every about 1099s. This causes all these regs can’t be used directly in contrast to the newer i210/i211s. The igb driver needs to convert these raw register values to valid time stamp format by using kernel timecounter apis for i350s families. Here the igb_extts() just forgot to do the convert. Fixes: 38970eac41db (“igb: support EXTTS on 82580/i354/i350”) Signed-off-by: Yuezhen Luan Reviewed-by: Jacob Keller Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 4131bceaf8c1083db13dc60e5e0a98db1b32c6a9 Author: Guillaume Nault Date: Wed Jun 7 18:05:02 2023 +0200 ping6: Fix send to link-local addresses with VRF. [ Upstream commit 91ffd1bae1dafbb9e34b46813f5b058581d9144d ] Ping sockets can’t send packets when they’re bound to a VRF master device and the output interface is set to a slave device. For example, when net.ipv4.ping_group_range is properly set, so that ping6 can use ping sockets, the following kind of commands fails: $ ip vrf exec red ping6 fe80::854:e7ff:fe88:4bf1%eth1 What happens is that sk->sk_bound_dev_if is set to the VRF master device, but ‘oif’ is set to the real output device. Since both are set but different, ping_v6_sendmsg() sees their value as inconsistent and fails. Fix this by allowing ‘oif’ to be a slave device of ->sk_bound_dev_if. This fixes the following kselftest failure: $ ./fcnal-test.sh -t ipv6_ping […] TEST: ping out, vrf device+address bind - ns-B IPv6 LLA [FAIL] Reported-by: Mirsad Todorovac Closes: https://lore.kernel.org/netdev/[email protected]/ Tested-by: Mirsad Todorovac Fixes: 5e457896986e (“net: ipv6: Fix ping to link-local addresses.”) Signed-off-by: Guillaume Nault Reviewed-by: David Ahern Link: https://lore.kernel.org/r/6c8b53108816a8d0d5705ae37bdc5a8322b5e3d9.1686153846.git.gnault@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 8d926f026fc81a6ee167beb5ba00d57ef40c3ff1 Author: Wei Fang Date: Wed Jun 7 17:10:48 2023 +0800 net: enetc: correct the indexes of highest and 2nd highest TCs [ Upstream commit 21225873be1472b7c59ed3650396af0e40578112 ] For ENETC hardware, the TCs are numbered from 0 to N-1, where N is the number of TCs. Numerically higher TC has higher priority. It’s obvious that the highest priority TC index should be N-1 and the 2nd highest priority TC index should be N-2. However, the previous logic uses netdev_get_prio_tc_map() to get the indexes of highest priority and 2nd highest priority TCs, it does not make sense and is incorrect to give a “tc” argument to netdev_get_prio_tc_map(). So the driver may get the wrong indexes of the two highest priotiry TCs which would lead to failed to set the CBS for the two highest priotiry TCs. e.g. $ tc qdisc add dev eno0 parent root handle 100: mqprio num_tc 6 \ map 0 0 1 1 2 3 4 5 queues 1@0 1@1 1@2 1@3 2@4 2@6 hw 1 $ tc qdisc replace dev eno0 parent 100:6 cbs idleslope 100000 \ sendslope -900000 hicredit 12 locredit -113 offload 1 $ Error: Specified device failed to setup cbs hardware offload. ^^^^^ In this example, the previous logic deems the indexes of the two highest priotiry TCs should be 3 and 2. Actually, the indexes are 5 and 4, because the number of TCs is 6. So it would be failed to configure the CBS for the two highest priority TCs. Fixes: c431047c4efe (“enetc: add support Credit Based Shaper(CBS) for hardware offload”) Signed-off-by: Wei Fang Reviewed-by: Vladimir Oltean Reviewed-by: Maciej Fijalkowski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bdace3b1a51887211d3e49417a18fdbd315a313b Author: Pablo Neira Ayuso Date: Thu Jun 8 02:32:02 2023 +0200 netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE [ Upstream commit 1240eb93f0616b21c675416516ff3d74798fdc97 ] In case of error when adding a new rule that refers to an anonymous set, deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE. Thus, the lookup expression marks anonymous sets as inactive in the next generation to ensure it is not reachable in this transaction anymore and decrement the set refcount as introduced by c1592a89942e (“netfilter: nf_tables: deactivate anonymous set from preparation phase”). The abort step takes care of undoing the anonymous set. This is also consistent with rule deletion, where NFT_TRANS_PREPARE is used. Note that this error path is exercised in the preparation step of the commit protocol. This patch replaces nf_tables_rule_release() by the deactivate and destroy calls, this time with NFT_TRANS_PREPARE. Due to this incorrect error handling, it is possible to access a dangling pointer to the anonymous set that remains in the transaction list. [1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables] [1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110 [1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256 [1009.379128] Call Trace: [1009.379132] [1009.379135] dump_stack_lvl+0x33/0x50 [1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] [1009.379191] print_address_description.constprop.0+0x27/0x300 [1009.379201] kasan_report+0x107/0x120 [1009.379210] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] [1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables] [1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables] [1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables] [1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables] [1009.379441] ? kasan_unpoison+0x23/0x50 [1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink] [1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink] [1009.379485] ? __alloc_skb+0xb8/0x1e0 [1009.379493] ? __alloc_skb+0xb8/0x1e0 [1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [1009.379509] ? unwind_get_return_address+0x2a/0x40 [1009.379517] ? write_profile+0xc0/0xc0 [1009.379524] ? avc_lookup+0x8f/0xc0 [1009.379532] ? __rcu_read_unlock+0x43/0x60 Fixes: 958bee14d071 (“netfilter: nf_tables: use new transaction infrastructure to handle sets”) Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 7aa62487efe1a48ba03cab287034149c2018b9fd Author: Kamil Maziarz Date: Tue Jun 6 12:33:58 2023 +0200 ice: Fix XDP memory leak when NIC is brought up and down [ Upstream commit 78c50d6961fc05491ebbc71c35d87324b1a4f49a ] Fix the buffer leak that occurs while switching the port up and down with traffic and XDP by checking for an active XDP program and freeing all empty TX buffers. Fixes: efc2214b6047 (“ice: Add support for XDP”) Signed-off-by: Kamil Maziarz Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) Acked-by: Maciej Fijalkowski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 282bad2e59c9c82ce13b54594ecedbed64a92af5 Author: Simon Horman Date: Thu May 25 12:52:58 2023 +0200 ice: Don’t dereference NULL in ice_gnss_read error path [ Upstream commit 05a1308a2e08e4a375bf60eb4c6c057a201d81fc ] If pf is NULL in ice_gnss_read() then it will be dereferenced in the error path by a call to dev_dbg(ice_pf_to_dev(pf), …). Avoid this by simply returning in this case. If logging is desired an alternate approach might be to use pr_err() before returning. Flagged by Smatch as: …/ice_gnss.c:196 ice_gnss_read() error: we previously assumed ‘pf’ could be null (see line 131) Fixes: 43113ff73453 (“ice: add TTY for GNSS module for E810T device”) Signed-off-by: Simon Horman Reviewed-by: Tariq Toukan Tested-by: Sunitha Mekala (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 8b71592a52d7a82a61ea723187076327a7ef7b82 Author: Michal Schmidt Date: Wed Apr 12 10:19:24 2023 +0200 ice: do not busy-wait to read GNSS data [ Upstream commit 2f8fdcb0a73a1831cc4f205f23493a17c0e5536f ] The ice-gnss- kernel thread, which reads data from the u-blox GNSS module, keep a CPU core almost 100% busy. The main reason is that it busy-waits for data to become available. A simple improvement would be to replace the “mdelay(10);” in ice_gnss_read() with sleeping. A better fix is to not do any waiting directly in the function and just requeue this delayed work as needed. The advantage is that canceling the work from ice_gnss_exit() becomes immediate, rather than taking up to ~2.5 seconds (ICE_MAX_UBX_READ_TRIES * 10 ms). This lowers the CPU usage of the ice-gnss- thread on my system from ~90 % to ~8 %. I am not sure if the larger 0.1 s pause after inserting data into the gnss subsystem is really necessary, but I’m keeping that as it was. Of course, ideally the driver would not have to poll at all, but I don’t know if the E810 can watch for GNSS data availability over the i2c bus by itself and notify the driver. Signed-off-by: Michal Schmidt Reviewed-by: Arkadiusz Kubalewski Reviewed-by: Simon Horman Tested-by: Sunitha Mekala (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Stable-dep-of: 05a1308a2e08 (“ice: Don’t dereference NULL in ice_gnss_read error path”) Signed-off-by: Sasha Levin commit fb1b1bbec5c218f9f518776530d0b34e76b1b3aa Author: Pablo Neira Ayuso Date: Thu Jun 8 00:19:12 2023 +0200 netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM [ Upstream commit a1a64a151dae8ac3581c1cbde44b672045cb658b ] If caller reports ENOMEM, then stop iterating over the batch and send a single netlink message to userspace to report OOM. Fixes: cbb8125eb40b (“netfilter: nfnetlink: deliver netlink errors on batch completion”) Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit e10dcbcec3726e9e985d314a36ce5f24d1e0399f Author: Pablo Neira Ayuso Date: Wed Jun 7 11:55:42 2023 +0200 netfilter: nf_tables: integrate pipapo into commit protocol [ Upstream commit 212ed75dc5fb9d1423b3942c8f872a868cda3466 ] The pipapo set backend follows copy-on-update approach, maintaining one clone of the existing datastructure that is being updated. The clone and current datastructures are swapped via rcu from the commit step. The existing integration with the commit protocol is flawed because there is no operation to clean up the clone if the transaction is aborted. Moreover, the datastructure swap happens on set element activation. This patch adds two new operations for sets: commit and abort, these new operations are invoked from the commit and abort steps, after the transactions have been digested, and it updates the pipapo set backend to use it. This patch adds a new ->pending_update field to sets to maintain a list of sets that require this new commit and abort operations. Fixes: 3c4287f62044 (“nf_tables: Add set type for arbitrary concatenation of ranges”) Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 8ba9eea238cb28504819e8a24a1f5ce615de2594 Author: Abel Vesa Date: Mon Jun 5 14:56:07 2023 +0300 regulator: qcom-rpmh: Fix regulators for PM8550 [ Upstream commit b00de0000a69579f4d730077fe3ea8ca31404255 ] The PM8550 uses only NLDOs 515 and the LDO 6 through 8 are low voltage type, so fix accordingly. Fixes: e6e3776d682d (“regulator: qcom-rpmh: Add support for PM8550 regulators”) Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 55ca60fa50dd9ffdb45f4d71acc5189ce217745e Author: Bartosz Golaszewski Date: Thu Apr 6 21:28:10 2023 +0200 regulator: qcom-rpmh: add support for pmm8654au regulators [ Upstream commit 65f1b1dc0cc90236ed9be3970f4a763e853f3aab ] Add the RPMH regulators exposed by the PMM8654au PMIC and its variants. Signed-off-by: Bartosz Golaszewski Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Stable-dep-of: b00de0000a69 (“regulator: qcom-rpmh: Fix regulators for PM8550”) Signed-off-by: Sasha Levin commit e365a2e065a1eda569930ce03772a3c57c4c8164 Author: Vladimir Oltean Date: Tue May 30 01:34:02 2023 +0300 spi: fsl-dspi: avoid SCK glitches with continuous transfers [ Upstream commit c5c31fb71f16ba75bad4ade208abbae225305b65 ] The DSPI controller has configurable timing for (a) tCSC: the interval between the assertion of the chip select and the first clock edge (b) tASC: the interval between the last clock edge and the deassertion of the chip select What is a bit surprising, but is documented in the figure “Example of continuous transfer (CPHA=1, CONT=1)" in the datasheet, is that when the chip select stays asserted between multiple TX FIFO writes, the tCSC and tASC times still apply. With CONT=1, chip select remains asserted, but SCK takes a break and goes to the idle state for tASC + tCSC ns. In other words, the default values (of 0 and 0 ns) result in SCK glitches where the SCK transition to the idle state, as well as the SCK transition from the idle state, will have no delay in between, and it may appear that a SCK cycle has simply gone missing. The resulting timing violation might cause data corruption in many peripherals, as their chip select is asserted. The driver has device tree bindings for tCSC (“fsl,spi-cs-sck-delay”) and tASC (“fsl,spi-sck-cs-delay”), but these are only specified to apply when the chip select toggles in the first place, and this timing characteristic depends on each peripheral. Many peripherals do not have explicit timing requirements, so many device trees do not have these properties present at all. Nonetheless, the lack of SCK glitches is a common sense requirement, and since the SCK stays in the idle state during transfers for tCSC+tASC ns, and that in itself should look like half a cycle, then let’s ensure that tCSC and tASC are at least a quarter of a SCK period, such that their sum is at least half of one. Fixes: 95bf15f38641 (“spi: fsl-dspi: Add ~50ns delay between cs and sck”) Reported-by: Lisa Chen (陈敏捷) Debugged-by: Lisa Chen (陈敏捷) Tested-by: Lisa Chen (陈敏捷) Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 123a23bede635a030f031afa37d975cb7b19335d Author: Jiasheng Jiang Date: Tue Jun 6 17:38:59 2023 +0800 spi: cadence-quadspi: Add missing check for dma_set_mask [ Upstream commit 947c70a213769f60e9d5aca2bc88b50a1cfaf5a6 ] Add check for dma_set_mask() and return the error if it fails. Fixes: 1a6f854f7daa (“spi: cadence-quadspi: Add Xilinx Versal external DMA support”) Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 61537a0c33145cf0feeb9d339e1bd07668fc6d00 Author: Kamal Heib Date: Mon May 29 11:35:26 2023 -0400 RDMA/bnxt_re: Fix reporting active_{speed,width} attributes [ Upstream commit 18e7e3e4217083a682e2c7282011c70c8a1ba070 ] After commit 6d758147c7b8 (“RDMA/bnxt_re: Use auxiliary driver interface”) the active_{speed, width} attributes are reported incorrectly, This is happening because ib_get_eth_speed() is called only once from bnxt_re_ib_init() - Fix this issue by calling ib_get_eth_speed() from bnxt_re_query_port(). Fixes: 6d758147c7b8 (“RDMA/bnxt_re: Use auxiliary driver interface”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Kamal Heib Acked-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit ffcfc288e9c12ce986c11eb8a568d5403199b808 Author: Bob Pearson Date: Wed May 17 16:15:10 2023 -0500 RDMA/rxe: Fix ref count error in check_rkey() [ Upstream commit b00683422fd79dd07c9b75efdce1660e5e19150e ] There is a reference count error in error path code and a potential race in check_rkey() in rxe_resp.c. When looking up the rkey for a memory window the reference to the mw from rxe_lookup_mw() is dropped before a reference is taken on the mr referenced by the mw. If the mr is destroyed immediately after the call to rxe_put(mw) the mr pointer is unprotected and may end up pointing at freed memory. The rxe_get(mr) call should take place before the rxe_put(mw) call. All errors in check_rkey() call rxe_put(mw) if mw is not NULL but it was already called after the above. The mw pointer should be set to NULL after the rxe_put(mw) call to prevent this from happening. Fixes: cdd0b85675ae (“RDMA/rxe: Implement memory access through MWs”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 6e82de15d6225dd64da591b670ad95cfc3b09295 Author: Bob Pearson Date: Wed May 17 12:22:42 2023 -0500 RDMA/rxe: Fix packet length checks [ Upstream commit 9a3763e87379c97a78b7c6c6f40720b1e877174f ] In rxe_net.c a received packet, from udp or loopback, is passed to rxe_rcv() in rxe_recv.c as a udp packet. I.e. skb->data is pointing at the udp header. But rxe_rcv() makes length checks to verify the packet is long enough to hold the roce headers as if it were a roce packet. I.e. skb->data pointing at the bth header. A runt packet would appear to have 8 more bytes than it actually does which may lead to incorrect behavior. This patch calls skb_pull() to adjust the skb to point at the bth header before calling rxe_rcv() which fixes this error. Fixes: 8700e3e7c485 (“Soft RoCE driver”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit cb1461ecf0e0d06e3c29c95d5b34a68c84732cb9 Author: Li Zhijian Date: Tue Apr 25 01:02:43 2023 +0000 RDMA/rtrs: Fix rxe_dealloc_pd warning [ Upstream commit 9c29c8c7df0688f358d2df5ddd16c97c2f7292b4 ] In current design: 1. PD and clt_path->s.dev are shared among connections. 2. every con[n]'s cleanup phase will call destroy_con_cq_qp() 3. clt_path->s.dev will be always decreased in destroy_con_cq_qp(), and when clt_path->s.dev become zero, it will destroy PD. 4. when con[1] failed to create, con[1] will not take clt_path->s.dev, but it try to decreased clt_path->s.dev So, in case create_cm(con[0]) succeeds but create_cm(con[1]) fails, destroy_con_cq_qp(con[1]) will be called first which will destroy the PD while this PD is still taken by con[0]. Here, we refactor the error path of create_cm() and init_conns(), so that we do the cleanup in the order they are created. The warning occurs when destroying RXE PD whose reference count is not zero. rnbd_client L597: Mapping device /dev/nvme0n1 on session client, (access_mode: rw, nr_poll_queues: 0) ------------[ cut here ]------------ WARNING: CPU: 0 PID: 26407 at drivers/infiniband/sw/rxe/rxe_pool.c:256 __rxe_cleanup+0x13a/0x170 [rdma_rxe] Modules linked in: rpcrdma rdma_ucm ib_iser rnbd_client libiscsi rtrs_client scsi_transport_iscsi rtrs_core rdma_cm iw_cm ib_cm crc32_generic rdma_rxe udp_tunnel ib_uverbs ib_core kmem device_dax nd_pmem dax_pmem nd_vme crc32c_intel fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua dm_mirror dm_region_hash dm_log dm_mod CPU: 0 PID: 26407 Comm: rnbd-client.sh Kdump: loaded Not tainted 6.2.0-rc6-roce-flush+ #53 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__rxe_cleanup+0x13a/0x170 [rdma_rxe] Code: 45 84 e4 0f 84 5a ff ff ff 48 89 ef e8 5f 18 71 f9 84 c0 75 90 be c8 00 00 00 48 89 ef e8 be 89 1f fa 85 c0 0f 85 7b ff ff ff <0f> 0b 41 bc ea ff ff ff e9 71 ff ff ff e8 84 7f 1f fa e9 d0 fe ff RSP: 0018:ffffb09880b6f5f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff99401f15d6a8 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffffbac8234b RDI: 00000000ffffffff RBP: ffff99401f15d6d0 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000002d82 R11: 0000000000000000 R12: 0000000000000001 R13: ffff994101eff208 R14: ffffb09880b6f6a0 R15: 00000000fffffe00 FS: 00007fe113904740(0000) GS:ffff99413bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff6cde656c8 CR3: 000000001f108004 CR4: 00000000001706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rxe_dealloc_pd+0x16/0x20 [rdma_rxe] ib_dealloc_pd_user+0x4b/0x80 [ib_core] rtrs_ib_dev_put+0x79/0xd0 [rtrs_core] destroy_con_cq_qp+0x8a/0xa0 [rtrs_client] init_path+0x1e7/0x9a0 [rtrs_client] ? __pfx_autoremove_wake_function+0x10/0x10 ? lock_is_held_type+0xd7/0x130 ? rcu_read_lock_sched_held+0x43/0x80 ? pcpu_alloc+0x3dd/0x7d0 ? rtrs_clt_init_stats+0x18/0x40 [rtrs_client] rtrs_clt_open+0x24f/0x5a0 [rtrs_client] ? __pfx_rnbd_clt_link_ev+0x10/0x10 [rnbd_client] rnbd_clt_map_device+0x6a5/0xe10 [rnbd_client] Fixes: 6a98d71daea1 (“RDMA/rtrs: client: main functionality”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Li Zhijian Acked-by: Jack Wang Tested-by: Jack Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 53f93d46e1be5fe0338b3d81091969c3e17b202f Author: Li Zhijian Date: Tue Apr 25 01:02:42 2023 +0000 RDMA/rtrs: Fix the last iu->buf leak in err path [ Upstream commit 3bf3a7c6985c625f64e73baefdaa36f1c2045a29 ] The last iu->buf will leak if ib_dma_mapping_error() fails. Fixes: c0894b3ea69d (“RDMA/rtrs: core: lib functions shared between client and server modules”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Li Zhijian Acked-by: Guoqing Jiang Acked-by: Jack Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 880f667291598a94d25ec6f49d2e8343b7ce5a6e Author: Elson Roy Serrao Date: Thu Jun 1 14:27:30 2023 -0700 usb: dwc3: gadget: Reset num TRBs before giving back the request commit 00f8205ffcf112dcef14f8151d78075d38d22c08 upstream. Consider a scenario where cable disconnect happens when there is an active usb reqest queued to the UDC. As part of the disconnect we would issue an end transfer with no interrupt-on-completion before giving back this request. Since we are giving back the request without skipping TRBs the num_trbs field of dwc3_request still holds the stale value previously used. Function drivers re-use same request for a given bind-unbind session and hence their dwc3_request context gets preserved across cable disconnect/connect. When such a request gets re-queued after cable connect, we would increase the num_trbs field on top of the previous stale value thus incorrectly representing the number of TRBs used. Fix this by resetting num_trbs field before giving back the request. Fixes: 09fe1f8d7e2f (“usb: dwc3: gadget: track number of TRBs per request”) Cc: stable Signed-off-by: Elson Roy Serrao Acked-by: Thinh Nguyen Message-ID: <[email protected]> Signed-off-by: Greg Kroah-Hartman commit 9184183f20e2731dac4b95bed14c25f0df5c74b4 Author: Johan Hovold Date: Wed Jun 7 12:05:40 2023 +0200 USB: dwc3: fix use-after-free on core driver unbind commit e3dbb657571509044be15184a13134fa7c1fdca1 upstream. Some dwc3 glue drivers are currently accessing the driver data of the child core device directly, which is clearly a bad idea as the child may not have probed yet or may have been unbound from its driver. As a workaround until the glue drivers have been fixed, clear the driver data pointer before allowing the glue parent device to runtime suspend to prevent its driver from accessing data that has been freed during unbind. Fixes: 6dd2565989b4 (“usb: dwc3: add imx8mp dwc3 glue layer driver”) Fixes: 6895ea55c385 (“usb: dwc3: qcom: Configure wakeup interrupts during suspend”) Cc: [email protected] # 5.12 Cc: Li Jun Cc: Sandeep Maheswaram Cc: Krishna Kurapati Signed-off-by: Johan Hovold Acked-by: Thinh Nguyen Reviewed-by: Manivannan Sadhasivam Message-ID: [email protected] Signed-off-by: Greg Kroah-Hartman commit 81ebc532ae3610e65b7737a2d669a5f6fb8756b0 Author: Johan Hovold Date: Wed Jun 7 12:05:39 2023 +0200 USB: dwc3: qcom: fix NULL-deref on suspend commit d2d69354226de0b333d4405981f3d9c41ba8430a upstream. The Qualcomm dwc3 glue driver is currently accessing the driver data of the child core device during suspend and on wakeup interrupts. This is clearly a bad idea as the child may not have probed yet or could have been unbound from its driver. The first such layering violation was part of the initial version of the driver, but this was later made worse when the hack that accesses the driver data of the grand child xhci device to configure the wakeup interrupts was added. Fixing this properly is not that easily done, so add a sanity check to make sure that the child driver data is non-NULL before dereferencing it for now. Note that this relies on subtleties like the fact that driver core is making sure that the parent is not suspended while the child is probing. Reported-by: Manivannan Sadhasivam Link: https://lore.kernel.org/all/[email protected]/ Fixes: d9152161b4bf (“usb: dwc3: Add Qualcomm DWC3 glue layer driver”) Fixes: 6895ea55c385 (“usb: dwc3: qcom: Configure wakeup interrupts during suspend”) Cc: [email protected] # 3.18: a872ab303d5d: “usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup” Cc: Sandeep Maheswaram Cc: Krishna Kurapati Signed-off-by: Johan Hovold Acked-by: Thinh Nguyen Reviewed-by: Manivannan Sadhasivam Message-ID: [email protected] Signed-off-by: Greg Kroah-Hartman commit 2e88e75bff60a2eb8f9bc06a72ee77d1c1deb0f7 Author: Biju Das Date: Tue May 30 17:17:20 2023 +0100 usb: gadget: udc: renesas_usb3: Fix RZ/V2M {modprobe,bind} error commit 3e6ac852fbc71a234de24b5455086f6b98d3d958 upstream. Currently {modprobe, bind} after {rmmod, unbind} results in probe failure. genirq: Flags mismatch irq 22. 00000004 (85070400.usb3drd) vs. 00000004 (85070400.usb3drd) renesas_usb3: probe of 85070000.usb3peri failed with error -16 The reason is, it is trying to register an interrupt handler for the same IRQ twice. The devm_request_irq() was called with the parent device. So the interrupt handler won’t be unregistered when the usb3-peri device is unbound. Fix this issue by replacing “parent dev”->"dev” as the irq resource is managed by this driver. Fixes: 9cad72dfc556 (“usb: gadget: Add support for RZ/V2M USB3DRD driver”) Cc: stable Signed-off-by: Biju Das Reviewed-by: Geert Uytterhoeven Message-ID: [email protected] Signed-off-by: Greg Kroah-Hartman commit 85102a45c7390caf124a3a5796574446f1e037b9 Author: Badhri Jagan Sridharan Date: Fri Jun 9 01:02:27 2023 +0000 usb: gadget: udc: core: Prevent soft_connect_store() race commit 286d9975a838d0a54da049765fa1d1fb96b89682 upstream. usb_udc_connect_control(), soft_connect_store() and usb_gadget_deactivate() can potentially race against each other to invoke usb_gadget_connect()/usb_gadget_disconnect(). To prevent this, guard udc->started, gadget->allow_connect, gadget->deactivate and gadget->connect with connect_lock so that ->pullup() is only invoked when the gadget is bound, started and not deactivated. The routines usb_gadget_connect_locked(), usb_gadget_disconnect_locked(), usb_udc_connect_control_locked(), usb_gadget_udc_start_locked(), usb_gadget_udc_stop_locked() are called with this lock held. An earlier version of this commit was reverted due to the crash reported in https://lore.kernel.org/all/[email protected]/. commit 16737e78d190 (“usb: gadget: udc: core: Offload usb_udc_vbus_handler processing”) addresses the crash reported. Cc: [email protected] Fixes: 628ef0d273a6 (“usb: udc: add usb_udc_vbus_handler”) Signed-off-by: Badhri Jagan Sridharan Reviewed-by: Alan Stern Message-ID: [email protected] Signed-off-by: Greg Kroah-Hartman commit 632afdf2f782bf48b01877bcd29370ba6e7fc7e4 Author: Badhri Jagan Sridharan Date: Fri Jun 9 01:02:26 2023 +0000 usb: gadget: udc: core: Offload usb_udc_vbus_handler processing commit 50966da807c81c5eb3bdfd392990fe0bba94d1ee upstream. usb_udc_vbus_handler() can be invoked from interrupt context by irq handlers of the gadget drivers, however, usb_udc_connect_control() has to run in non-atomic context due to the following: a. Some of the gadget driver implementations expect the ->pullup callback to be invoked in non-atomic context. b. usb_gadget_disconnect() acquires udc_lock which is a mutex. Hence offload invocation of usb_udc_connect_control() to workqueue. UDC should not be pulled up unless gadget driver is bound. The new flag “allow_connect” is now set by gadget_bind_driver() and cleared by gadget_unbind_driver(). This prevents work item to pull up the gadget even if queued when the gadget driver is already unbound. Cc: [email protected] Fixes: 1016fc0c096c (“USB: gadget: Fix obscure lockdep violation for udc_mutex”) Signed-off-by: Badhri Jagan Sridharan Reviewed-by: Alan Stern Message-ID: [email protected] Signed-off-by: Greg Kroah-Hartman commit 45ae0c32d81632753e9d00af2279c52d234af0d9 Author: Pavan Holla Date: Wed Jun 7 19:33:26 2023 +0000 usb: typec: Fix fast_role_swap_current show function commit 92c9c3baad6b1fd584fbabeaa4756f9b77926cb5 upstream. The current implementation mistakenly performs a & operation on the output of sysfs_emit. This patch performs the & operation before calling sysfs_emit. Fixes: 662a60102c12 (“usb: typec: Separate USB Power Delivery from USB Type-C”) Cc: stable Reported-by: Benson Leung Signed-off-by: Pavan Holla Reviewed-by: Heikki Krogerus Reviewed-by: Benson Leung Message-ID: [email protected] Signed-off-by: Greg Kroah-Hartman commit b028c1cefc4058eb99f912346ab1af7cd6436697 Author: Heikki Krogerus Date: Tue Jun 6 14:58:02 2023 +0300 usb: typec: ucsi: Fix command cancellation commit c4a8bfabefed706bb9150867db528ceefd5cb5fe upstream. The Cancel command was passed to the write callback as the offset instead of as the actual command which caused NULL pointer dereference. Reported-by: Stephan Bolten Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217517 Fixes: 094902bc6a3c (“usb: typec: ucsi: Always cancel the command if PPM reports BUSY condition”) Cc: [email protected] Signed-off-by: Heikki Krogerus Message-ID: [email protected] Signed-off-by: Greg Kroah-Hartman commit fb3404cdc6cd014dd7432a0693df5c28ab4e9466 Author: Robert Hodaszi Date: Fri Jun 9 14:13:34 2023 +0200 tty: serial: fsl_lpuart: reduce RX watermark to 0 on LS1028A commit a82c3df955f8c1c726e4976527aa6ae924a67dd9 upstream. LS1028A is using DMA with LPUART. Having RX watermark set to 1, means DMA transactions are started only after receiving the second character. On other platforms with newer LPUART IP, Receiver Idle Empty function initiates the DMA request after the receiver is idling for 4 characters. But this feature is missing on LS1028A, which is causing a 1-character delay in the RX direction on this platform. Set RX watermark to 0 to initiate RX DMA after each character. Link: https://lore.kernel.org/linux-serial/[email protected]/ Fixes: 9ad9df844754 (“tty: serial: fsl_lpuart: Fix the wrong RXWATER setting for rx dma case”) Cc: stable Signed-off-by: Robert Hodaszi Message-ID: [email protected] Signed-off-by: Greg Kroah-Hartman commit f9eb22d8059f6b2fd641a24f52395cfe9b011ed1 Author: Bernhard Seibold Date: Fri Jun 2 15:30:29 2023 +0200 serial: lantiq: add missing interrupt ack commit 306320034e8fbe7ee1cc4f5269c55658b4612048 upstream. Currently, the error interrupt is never acknowledged, so once active it will stay active indefinitely, causing the handler to be called in an infinite loop. Fixes: 2f0fc4159a6a (“SERIAL: Lantiq: Add driver for MIPS Lantiq SOCs.”) Cc: Signed-off-by: Bernhard Seibold Reviewed-by: Ilpo Järvinen Message-ID: [email protected] Signed-off-by: Greg Kroah-Hartman commit 56d0ea152f4eeaf15eb6ef1468543bf851ca5ac5 Author: Jerry Meng Date: Wed May 31 11:51:16 2023 +0800 USB: serial: option: add Quectel EM061KGL series commit f1832e2b5e498e258b090af3b065b85cf8cc5161 upstream. Add support for Quectel EM061KGL series which are based on Qualcomm SDX12 chip: EM061KGL_LTA(0x2c7c / 0x0123): MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL EM061KGL_LMS(0x2c7c / 0x0124): MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL EM061KGL_LWW(0x2c7c / 0x6008): MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL EM061KGL_LCN(0x2c7c / 0x6009): MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL Above products use the exact same interface layout and option driver is for interfaces DIAG, NMEA and AT. T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=2c7c ProdID=6008 Rev= 5.04 S: Manufacturer=Quectel S: Product=Quectel EM061K-GL S: SerialNumber=f6fa08b6 C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Jerry Meng Cc: [email protected] Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 5d272f4eb6a51f0035c112d47e51700d72e179b6 Author: Arnd Bergmann Date: Thu May 11 12:58:33 2023 +0200 clk: pxa: fix NULL pointer dereference in pxa3xx_clk_update_accr commit 23200a4c8ac284f8b4263d7cecaefecaa3ad6732 upstream. sparse points out an embarrasing bug in an older patch of mine, which uses the register offset instead of an __iomem pointer: drivers/clk/pxa/clk-pxa3xx.c:167:9: sparse: sparse: Using plain integer as NULL pointer Unlike sparse, gcc and clang ignore this bug and fail to warn because a literal ‘0’ is considered a valid representation of a NULL pointer. Fixes: 3c816d950a49 (“ARM: pxa: move clk register definitions to driver”) Cc: [email protected] Reported-by: kernel test robot Link: https://lore.kernel.org/oe-kbuild-all/[email protected]/ Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit d826dc20ff0548476291b1395089d048e2553c8e Author: Mika Westerberg Date: Tue May 30 08:48:29 2023 +0300 thunderbolt: Mask ring interrupt on Intel hardware as well commit 9f9666e65359d5047089aef97ac87c50f624ecb0 upstream. When resuming from system sleep states the driver issues following warning on Intel hardware: thunderbolt 0000:07:00.0: interrupt for TX ring 0 is already enabled The reason for this is that the commit in question did not mask the ring interrupt on Intel hardware leaving the interrupt active. Fix this by masking it also in Intel hardware. Reported-by: beld zhang Tested-by: beld zhang Closes: https://lore.kernel.org/linux-usb/[email protected]/ Fixes: c4af8e3fecd0 (“thunderbolt: Clear registers properly when auto clear isn’t in use”) Cc: [email protected] Reviewed-by: Mario Limonciello Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit 1c7431e0f963d297fe47f1962448ad1ce25c8e0b Author: Mika Westerberg Date: Wed Mar 29 13:23:04 2023 +0300 thunderbolt: dma_test: Use correct value for absent rings when creating paths commit 70c2e03e9aaf17496c63f6e42333c012f5ae5307 upstream. Both tb_xdomain_enable_paths() and tb_xdomain_disable_paths() expect -1, not 0, if the corresponding ring is not needed. For this reason change the driver to use correct value for the rings that are not needed. Fixes: 180b0689425c (“thunderbolt: Allow multiple DMA tunnels over a single XDomain connection”) Cc: [email protected] Reported-by: Pengfei Xu Tested-by: Pengfei Xu Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit e805d0e51ab662f6efa8d4dd76bbf6b5e18a80c6 Author: Mika Westerberg Date: Wed May 24 13:47:04 2023 +0300 thunderbolt: Do not touch CL state configuration during discovery commit 3fe95742af29b8b4eccab2ba94bc521805c6e10c upstream. If the boot firmware has already established tunnels, especially ones that have special requirements from the link such as DisplayPort, we should not blindly enable CL states (nor change the TMU configuration). Otherwise the existing tunnels may not work as expected. For this reason, skip the CL state enabling when we go over the existing topology. This will also keep the TMU settings untouched because we do not change the TMU configuration when CL states are not enabled. Reported-by: Koba Ko Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7831 Cc: [email protected] # v6.0+ Acked-By: Yehezkel Bernat Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit 7539823e53dae6b35ffc7615b2a9e0c9a265183e Author: Mika Westerberg Date: Wed May 24 10:41:57 2023 +0300 thunderbolt: Increase DisplayPort Connection Manager handshake timeout commit b6d572aeb58a5e0be86bd51ea514c4feba996cc4 upstream. It turns out that when plugging in VGA cable through USB-C to VGA/DVI dongle the Connection Manager handshake can take longer time, at least on Intel Titan Ridge based docks such as Dell WD91TB. This leads to following error in the dmesg: thunderbolt 0000:00:0d.3: 3:10: DP tunnel activation failed, aborting and the display stays blank (because we failed to establish the tunnel). For this reason increase the timeout to 3s. Reported-by: Koba Ko Cc: [email protected] Acked-By: Yehezkel Bernat Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit 47483707fcb774633726bf8a324fc7798b2889c7 Author: Edson Juliano Drosdeck Date: Fri Jun 9 17:10:58 2023 -0300 ALSA: hda/realtek: Add a quirk for Compaq N14JP6 commit a2a871483161014f1bcc4e9a04354b01aa77cedb upstream. Add a quirk for Compaq N14JP6 to fixup ALC897 headset MIC no sound. Signed-off-by: Edson Juliano Drosdeck Cc: Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0b4e8d90f2623cc0f17d972c046b501cb84d045d Author: Jiadong Zhu Date: Thu May 25 16:52:55 2023 +0800 drm/amdgpu: Modify indirect buffer packages for resubmission commit 87af86ae89963c227a3beb4d914f3dc7959a690e upstream. When the preempted IB frame resubmitted to cp, we need to modify the frame data including: 1. set PRE_RESUME 1 in CONTEXT_CONTROL. 2. use meta data(DE and CE) read from CSA in WRITE_DATA. Add functions to save the location the first time IBs emitted and callback to patch the package when resubmission happens. Signed-off-by: Jiadong Zhu Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: [email protected] # 6.3.x Signed-off-by: Greg Kroah-Hartman commit e61d275f1aaf53a5232d9e847cffeb0aec6734cc Author: Jiadong Zhu Date: Thu May 25 18:42:15 2023 +0800 drm/amdgpu: Implement gfx9 patch functions for resubmission commit 5b711e7f9c73e5ff44d6ac865711d9a05c2a0360 upstream. Patch the packages including CONTEXT_CONTROL and WRITE_DATA for gfx9 during the resubmission scenario. Signed-off-by: Jiadong Zhu Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: [email protected] # 6.3.x Signed-off-by: Greg Kroah-Hartman commit edcff657081e0453d518e323407afa9ae5139c34 Author: Jiadong Zhu Date: Wed May 24 16:51:32 2023 +0800 drm/amdgpu: Program gds backup address as zero if no gds allocated commit 94034b306ddde4a4a9c1a597ae7f61f04b710dc7 upstream. It is firmware requirement to set gds_backup_addrlo and gds_backup_addrhi of DE meta both zero if no gds partition is allocated for the frame. Signed-off-by: Jiadong Zhu Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: [email protected] # 6.3.x Signed-off-by: Greg Kroah-Hartman commit 3be6bfdf9f074cbe608c59cc2bfea0703ed2f993 Author: Jiadong Zhu Date: Wed May 24 11:42:19 2023 +0800 drm/amdgpu: Reset CP_VMID_PREEMPT after trailing fence signaled commit 1dbcf770cc2d15baf8a1e8174d6fd014a68b45ca upstream. When MEC executes unmap_queue for mid command buffer preemption, it will kick the write pointer of the gfx ring, set CP_VMID_PREEMPT to trigger the preemption and wait for CP_VMID_PREEMPT becomes zero after the preemption done. There is a race condition that PFP may excute the resetting command before MEC set CP_VMID_PREEMPT. As a result, hang happens as CP_VMID_PREEMPT is always 0xffff. To avoid this, we send resetting CP_VMID_PREEMPT command after the trailing fence is siganled and update gfx write pointer explicitly. Signed-off-by: Jiadong Zhu Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: [email protected] # 6.3.x Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2535 Signed-off-by: Greg Kroah-Hartman commit 4e33d192a1b146c9d6fb729941ec3165bad3b99a Author: Alex Deucher Date: Tue Jun 6 11:14:04 2023 -0400 drm/amdgpu: add missing radeon secondary PCI ID commit e61f67749b351c19455ce3085af2ae9af80023bc upstream. 0x5b70 is a missing RV370 secondary id. Add it so we don’t try and probe it with amdgpu. Cc: [email protected] Reviewed-by: Michel Dänzer Tested-by: Michel Dänzer Signed-off-by: Alex Deucher Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit 7bee5b37b26f67b056375a070e8193564fac2a94 Author: Kenneth Feng Date: Thu Jun 8 22:07:11 2023 +0800 drm/amd/pm: workaround for compute workload type on some skus commit 7ca302d488f80cf4529620acc1c545f9022d8bb8 upstream. On smu 13.0.0, the compute workload type cannot be set on all the skus due to some other problems. This workaround is to make sure compute workload type can also run on some specific skus. v2: keep the variable consistent Signed-off-by: Kenneth Feng Acked-by: Lijo Lazar Reviewed-by: Feifei Xu Signed-off-by: Alex Deucher Cc: [email protected] # 6.1.x Signed-off-by: Greg Kroah-Hartman commit 701a8896ca5b6244b2f9ed9e8dc2c8652a044d3a Author: Mario Limonciello Date: Wed Jun 7 01:45:20 2023 -0500 drm/amd: Tighten permissions on VBIOS flashing attributes commit 7ab1a4913d0051cf5196ef7987b5fa42c25e13b6 upstream. Non-root users shouldn’t be able to try to trigger a VBIOS flash or query the flashing status. This should be reserved for users with the appropriate permissions. Cc: [email protected] Fixes: 8424f2ccb3c0 (“drm/amdgpu/psp: Add vbflash sysfs interface support”) Reviewed-by: Alex Deucher Signed-off-by: Mario Limonciello Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit b28035cb5690cea8e3d01deab3023d56e99751ff Author: Mario Limonciello Date: Wed Jun 7 01:41:22 2023 -0500 drm/amd: Make sure image is written to trigger VBIOS image update flow commit 3eb1a3a04056ba3df3205e169b8acc9da0c65a94 upstream. The VBIOS image update flow requires userspace to: 1) Write the image to `psp_vbflash` 2) Read `psp_vbflash` 3) Poll `psp_vbflash_status` to check for completion If userspace reads `psp_vbflash` before writing an image, it’s possible that it causes problems that can put the dGPU into an invalid state. Explicitly check that an image has been written before letting a read succeed. Cc: [email protected] Fixes: 8424f2ccb3c0 (“drm/amdgpu/psp: Add vbflash sysfs interface support”) Reviewed-by: Alex Deucher Signed-off-by: Mario Limonciello Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit edcfed8671ee57bb599184f2e12a1b3e11b32306 Author: Hersen Wu Date: Thu May 25 08:37:40 2023 -0400 drm/amd/display: edp do not add non-edid timings commit e749dd10e5f292061ad63d2b030194bf7d7d452c upstream. [Why] most edp support only timings from edid. applying non-edid timings, especially those timings out of edp bandwidth, may damage edp. [How] do not add non-edid timings for edp. Cc: Mario Limonciello Cc: Alex Deucher Cc: [email protected] Acked-by: Stylon Wang Signed-off-by: Hersen Wu Reviewed-by: Roman Li Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 2eb1915a9569022ae2b1f41d8826a5271298d559 Author: Peichen Huang Date: Wed May 31 13:36:14 2023 +0800 drm/amd/display: limit DPIA link rate to HBR3 commit 7c5835bcb9176df94683396f1c0e5df6bf5094b3 upstream. [Why] DPIA doesn’t support UHBR, driver should not enable UHBR for dp tunneling [How] limit DPIA link rate to HBR3 Cc: Mario Limonciello Cc: Alex Deucher Cc: [email protected] Acked-by: Stylon Wang Signed-off-by: Peichen Huang Reviewed-by: Mustapha Ghaddar Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit f64a1498030ec2065efda5f6e75ac014072ed416 Author: Wes Huang Date: Thu Jun 8 11:01:42 2023 +0800 net: usb: qmi_wwan: add support for Compal RXM-G1 commit 863199199713908afaa47ba09332b87621c12496 upstream. Add support for Compal RXM-G1 which is based on Qualcomm SDX55 chip. This patch adds support for two compositions: 0x9091: DIAG + MODEM + QMI_RMNET + ADB 0x90db: DIAG + DUN + RMNET + DPL + QDSS(Trace) + ADB T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 P: Vendor=05c6 ProdID=9091 Rev= 4.14 S: Manufacturer=QCOM S: Product=SDXPRAIRIE-MTP _SN:719AB680 S: SerialNumber=719ab680 C:* #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=896mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan E: Ad=84(I) Atr=03(Int.) MxPS= 8 Ivl=32ms E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 P: Vendor=05c6 ProdID=90db Rev= 4.14 S: Manufacturer=QCOM S: Product=SDXPRAIRIE-MTP _SN:719AB680 S: SerialNumber=719ab680 C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=896mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan E: Ad=84(I) Atr=03(Int.) MxPS= 8 Ivl=32ms E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=8f(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms Cc: [email protected] Signed-off-by: Wes Huang Acked-by: Bjørn Mork Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 893692962cdf598d95c7e0d026ee54d16898f1a5 Author: Sonny Jiang Date: Tue Jun 6 17:18:52 2023 -0400 drm/amdgpu: vcn_4_0 set instance 0 init sched score to 1 commit 9db5ec1ceb5303398ec4f899d691073d531257c3 upstream. Only vcn0 can process AV1 codecx. In order to use both vcn0 and vcn1 in h264/265 transcode to AV1 cases, set vcn0 sched score to 1 at initialization time. Signed-off-by: Sonny Jiang Reviewed-by: Leo Liu Signed-off-by: Alex Deucher Cc: [email protected] # 6.1.x Signed-off-by: Greg Kroah-Hartman commit b544377122d07b0c65ca65e4199783f0f1503cd1 Author: Edward Srouji Date: Mon Jun 5 13:33:24 2023 +0300 RDMA/uverbs: Restrict usage of privileged QKEYs commit 0cadb4db79e1d9eea66711c4031e435c2191907e upstream. According to the IB specification rel-1.6, section 3.5.3: “QKEYs with the most significant bit set are considered controlled QKEYs, and a HCA does not allow a consumer to arbitrarily specify a controlled QKEY.” Thus, block non-privileged users from setting such a QKEY. Cc: [email protected] Fixes: bc38a6abdd5a ("[PATCH] IB uverbs: core implementation”) Signed-off-by: Edward Srouji Link: https://lore.kernel.org/r/c00c809ddafaaf87d6f6cb827978670989a511b3.1685960567.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Greg Kroah-Hartman commit bf8d33f446dc62e9ec0ddd700dd4df691f07a37c Author: Haibo Li Date: Fri May 26 10:21:25 2023 +0800 mm/gup_test: fix ioctl fail for compat task commit 4f572f0074b8be8a70bd150d96a749aa94c8d85f upstream. When tools/testing/selftests/mm/gup_test.c is compiled as 32bit, then run on arm64 kernel, it reports "ioctl: Inappropriate ioctl for device". Fix it by filling compat_ioctl in gup_test_fops Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Haibo Li Acked-by: David Hildenbrand Cc: AngeloGioacchino Del Regno Cc: Matthias Brugger Cc: John Hubbard Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 6cc39618903e523eaff9739f90a3c4247336134f Author: Dave Airlie Date: Thu Jun 15 12:22:11 2023 +1000 nouveau: fix client work fence deletion race commit c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 upstream. This seems to have existed for ever but is now more apparant after commit 9bff18d13473 (“drm/ttm: use per BO cleanup workers”) My analysis: two threads are running, one in the irq signalling the fence, in dma_fence_signal_timestamp_locked, it has done the DMA_FENCE_FLAG_SIGNALLED_BIT setting, but hasn’t yet reached the callbacks. The second thread in nouveau_cli_work_ready, where it sees the fence is signalled, so then puts the fence, cleanups the object and frees the work item, which contains the callback. Thread one goes again and tries to call the callback and causes the use-after-free. Proposed fix: lock the fence signalled check in nouveau_cli_work_ready, so either the callbacks are done or the memory is freed. Reviewed-by: Karol Herbst Fixes: 11e451e74050 (“drm/nouveau: remove fence wait code from deferred client work handler”) Cc: [email protected] Signed-off-by: Dave Airlie Link: https://lore.kernel.org/dri-devel/[email protected]/ Signed-off-by: Greg Kroah-Hartman commit 50314129ec54774c5293228bb58dda554dff31c1 Author: Christian Marangi Date: Wed Jun 14 11:17:14 2023 +0200 net: ethernet: stmicro: stmmac: fix possible memory leak in __stmmac_open commit 30134b7c47bd28fdb4db4d12aef824e0579cfee4 upstream. Fix a possible memory leak in __stmmac_open when stmmac_init_phy fails. It’s also needed to free everything allocated by stmmac_setup_dma_desc and not just the dma_conf struct. Drop free_dma_desc_resources from __stmmac_open and correctly call free_dma_desc_resources on each user of __stmmac_open on error. Reported-by: Jose Abreu Fixes: ba39b344e924 (“net: ethernet: stmicro: stmmac: generate stmmac dma conf before open”) Signed-off-by: Christian Marangi Cc: [email protected] Reviewed-by: Simon Horman Reviewed-by: Jose Abreu Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit e5d9e0107993434f12798ca3794392d9ab3d2f34 Author: Mike Snitzer Date: Tue Jun 13 20:05:34 2023 -0400 dm thin: fix issue_discard to pass GFP_NOIO to __blkdev_issue_discard commit 722d90822321497e2837cfc9000202e256e6b32f upstream. issue_discard() passes GFP_NOWAIT to __blkdev_issue_discard() despite its code assuming bio_alloc() always succeeds. Commit 3dba53a958a75 (“dm thin: use __blkdev_issue_discard for async discard support”) clearly shows where things went bad: Before commit 3dba53a958a75, dm-thin.c’s open-coded __blkdev_issue_discard_async() properly handled using GFP_NOWAIT. Unfortunately __blkdev_issue_discard() doesn’t and it was missed during review. Cc: [email protected] Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit a548701d0b0d5e045d1704a04c35213b390bd2ea Author: Li Lingfeng Date: Tue Jun 6 20:20:24 2023 +0800 dm thin metadata: check fail_io before using data_sm commit cb65b282c9640c27d3129e2e04b711ce1b352838 upstream. Must check pmd->fail_io before using pmd->data_sm since pmd->data_sm may be destroyed by other processes. P1(kworker) P2(message) do_worker process_prepared process_prepared_discard_passdown_pt2 dm_pool_dec_data_range pool_message commit dm_pool_commit_metadata ↓ // commit failed metadata_operation_failed abort_transaction dm_pool_abort_metadata __open_or_format_metadata ↓ dm_sm_disk_open ↓ // open failed // pmd->data_sm is NULL dm_sm_dec_blocks ↓ // try to access pmd->data_sm --> UAF As shown above, if dm_pool_commit_metadata() and dm_pool_abort_metadata() fail in pool_message process, kworker may trigger UAF. Fixes: be500ed721a6 (“dm space maps: improve performance with inc/dec on ranges of blocks”) Cc: [email protected] Signed-off-by: Li Lingfeng Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 8f8ffd565f6db56eca3d90ad5749541bbda34489 Author: Julian Ruess Date: Tue Jun 13 14:25:37 2023 +0200 s390/ism: Fix trying to free already-freed IRQ by repeated ism_dev_exit() commit 78d0f94902afce8ec2c7a60f600cc0e3729d7412 upstream. This patch prevents the system from crashing when unloading the ISM module. How to reproduce: Attach an ISM device and execute 'rmmod ism’. Error-Log: - Trying to free already-free IRQ 0 - WARNING: CPU: 1 PID: 966 at kernel/irq/manage.c:1890 free_irq+0x140/0x540 After calling ism_dev_exit() for each ISM device in the exit routine, pci_unregister_driver() will execute ism_remove() for each ISM device. Because ism_remove() also calls ism_dev_exit(), free_irq(pci_irq_vector(pdev, 0), ism) is called twice for each ISM device. This results in a crash with the error 'Trying to free already-free IRQ’. In the exit routine, it is enough to call pci_unregister_driver() because it ensures that ism_dev_exit() is called once per ISM device. Cc: # 6.3+ Fixes: 89e7d2ba61b7 (“net/ism: Add new API for client registration”) Reviewed-by: Niklas Schnelle Signed-off-by: Julian Ruess Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d1855b95455009f108b121baca06bef1aab34cc4 Author: Lukasz Tyl Date: Wed Jun 14 14:25:24 2023 +0200 ALSA: usb-audio: Add quirk flag for HEM devices to enable native DSD playback commit 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b upstream. This commit adds new DEVICE_FLG with QUIRK_FLAG_DSD_RAW and Vendor Id for HEM devices which supports native DSD. Prior to this change Linux kernel was not enabling native DSD playback for HEM devices, and as a result, DSD audio was being converted to PCM "on the fly". HEM devices, when connected to the system, would only play audio in PCM format, even if the source material was in DSD format. With the addition of new VENDOR_FLG in the quircks.c file, the devices are now correctly recognized, and raw DSD data is transmitted to the device, allowing for native DSD playback. Signed-off-by: Lukasz Tyl Cc: Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 82bb49722b199ec1fbe8bbb5d7175c7fef9a4fde Author: Takashi Iwai Date: Mon Jun 12 15:28:18 2023 +0200 ALSA: usb-audio: Fix broken resume due to UAC3 power state commit 8ba61c9f6c9bdfbf9d197b0282641d24ae909778 upstream. As reported in the bugzilla below, the PM resume of a UAC3 device may fail due to the incomplete power state change, stuck at D1. The reason is that the driver expects the full D0 power state change only at hw_params, while the normal PCM resume procedure doesn’t call hw_params. For fixing the bug, we add the same power state update to D0 at the prepare callback, which is certainly called by the resume procedure. Note that, with this change, the power state change in the hw_params becomes almost redundant, since snd_usb_hw_params() doesn’t touch the parameters (at least it tires so). But dropping it is still a bit risky (e.g. we have the media-driver binding), so I leave the D0 power state change in snd_usb_hw_params() as is for now. Fixes: a0a4959eb4e9 (“ALSA: usb-audio: Operate UAC3 Power Domains in PCM callbacks”) Cc: Link: https://bugzilla.kernel.org/show_bug.cgi?id=217539 Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ed4dc4735ed88c1dda245e937a5865924203d784 Author: Chris Mason Date: Fri Jun 9 10:53:41 2023 -0700 btrfs: can_nocow_file_extent should pass down args->strict from callers commit deccae40e4b30f98837e44225194d80c8baf2233 upstream. Commit 619104ba453ad0 (“btrfs: move common NOCOW checks against a file extent into a helper”) changed our call to btrfs_cross_ref_exist() to always pass false for the ‘strict’ parameter. We’re passing this down through the stack so that we can do a full check for cross references during swapfile activation. With strict always false, this test fails: btrfs subvol create swappy chattr +C swappy fallocate -l1G swappy/swapfile chmod 600 swappy/swapfile mkswap swappy/swapfile btrfs subvol snap swappy swapsnap btrfs subvol del -C swapsnap btrfs fi sync / sync;sync;sync swapon swappy/swapfile The fix is to just use args->strict, and everyone except swapfile activation is passing false. Fixes: 619104ba453ad0 (“btrfs: move common NOCOW checks against a file extent into a helper”) CC: [email protected] # 6.1+ Reviewed-by: Filipe Manana Signed-off-by: Chris Mason Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 8aa2879c28891e10902e336873ec03b91cd4b3b6 Author: Christoph Hellwig Date: Thu Jun 8 11:10:25 2023 +0200 btrfs: fix iomap_begin length for nocow writes commit 7833b865953c8e62abc76a3261c04132b2fb69de upstream. can_nocow_extent can reduce the len passed in, which needs to be propagated to btrfs_dio_iomap_begin so that iomap does not submit more data then is mapped. This problems exists since the btrfs_get_blocks_direct helper was added in commit c5794e51784a (“btrfs: Factor out write portion of btrfs_get_blocks_direct”), but the ordered_extent splitting added in commit b73a6fd1b1ef (“btrfs: split partial dio bios before submit”) added a WARN_ON that made a syzkaller test fail. Reported-by: [email protected] Fixes: c5794e51784a (“btrfs: Factor out write portion of btrfs_get_blocks_direct”) CC: [email protected] # 6.1+ Tested-by: [email protected] Reviewed-by: Filipe Manana Signed-off-by: Christoph Hellwig Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit ee2575289a017f1f3b83dfda8ac6c1d9959aa2ca Author: Qu Wenruo Date: Sun Jun 11 08:09:13 2023 +0800 btrfs: do not ASSERT() on duplicated global roots commit 745806fb4554f334e6406fa82b328562aa48f08f upstream. [BUG] Syzbot reports a reproducible ASSERT() when using rescue=usebackuproot mount option on a corrupted fs. The full report can be found here: https://syzkaller.appspot.com/bug?extid=c4614eae20a166c25bf0 BTRFS error (device loop0: state C): failed to load root csum assertion failed: !tmp, in fs/btrfs/disk-io.c:1103 ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.h:3664! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 3608 Comm: syz-executor356 Not tainted 6.0.0-rc7-syzkaller-00029-g3800a713b607 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 RIP: 0010:assertfail+0x1a/0x1c fs/btrfs/ctree.h:3663 RSP: 0018:ffffc90003aaf250 EFLAGS: 00010246 RAX: 0000000000000032 RBX: 0000000000000000 RCX: f21c13f886638400 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff888021c640a0 R08: ffffffff816bd38d R09: ffffed10173667f1 R10: ffffed10173667f1 R11: 1ffff110173667f0 R12: dffffc0000000000 R13: ffff8880229c21f7 R14: ffff888021c64060 R15: ffff8880226c0000 FS: 0000555556a73300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055a2637d7a00 CR3: 00000000709c4000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: btrfs_global_root_insert+0x1a7/0x1b0 fs/btrfs/disk-io.c:1103 load_global_roots_objectid+0x482/0x8c0 fs/btrfs/disk-io.c:2467 load_global_roots fs/btrfs/disk-io.c:2501 [inline] btrfs_read_roots fs/btrfs/disk-io.c:2528 [inline] init_tree_roots+0xccb/0x203c fs/btrfs/disk-io.c:2939 open_ctree+0x1e53/0x33df fs/btrfs/disk-io.c:3574 btrfs_fill_super+0x1c6/0x2d0 fs/btrfs/super.c:1456 btrfs_mount_root+0x885/0x9a0 fs/btrfs/super.c:1824 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1530 fc_mount fs/namespace.c:1043 [inline] vfs_kern_mount+0xc9/0x160 fs/namespace.c:1073 btrfs_mount+0x3d3/0xbb0 fs/btrfs/super.c:1884 [CAUSE] Since the introduction of global roots, we handle csum/extent/free-space-tree roots as global roots, even if no extent-tree-v2 feature is enabled. So for regular csum/extent/fst roots, we load them into fs_info::global_root_tree rb tree. And we should not expect any conflicts in that rb tree, thus we have an ASSERT() inside btrfs_global_root_insert(). But rescue=usebackuproot can break the assumption, as we will try to load those trees again and again as long as we have bad roots and have backup roots slot remaining. So in that case we can have conflicting roots in the rb tree, and triggering the ASSERT() crash. [FIX] We can safely remove that ASSERT(), as the caller will properly put the offending root. To make further debugging easier, also add two explicit error messages: - Error message for conflicting global roots - Error message when using backup roots slot Reported-by: [email protected] Fixes: abed4aaae4f7 (“btrfs: track the csum, extent, and free space trees in a rb tree”) CC: [email protected] # 6.1+ Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 1c8666127f0adcf588777751482f38d013e687c3 Author: Chris Mason Date: Mon Jun 5 12:03:15 2023 -0700 btrfs: properly enable async discard when switching from RO->RW commit 981a37bab5e5f16137266d3f00cf2bd018af36ef upstream. The async discard uses the BTRFS_FS_DISCARD_RUNNING bit in the fs_info to force discards off when the filesystem has aborted or we’re generally not able to run discards. This gets flipped on when we’re mounted rw, and also when we go from ro->rw. Commit 63a7cb13071842 (“btrfs: auto enable discard=async when possible”) enabled async discard by default, and this meant “mount -o ro /dev/xxx /yyy” had async discards turned on. Unfortunately, this meant our check in btrfs_remount_cleanup() would see that discards are already on: /* If we toggled discard async */ if (!btrfs_raw_test_opt(old_opts, DISCARD_ASYNC) && btrfs_test_opt(fs_info, DISCARD_ASYNC)) btrfs_discard_resume(fs_info); So, we’d never call btrfs_discard_resume() when remounting the root filesystem from ro->rw. drgn shows this really nicely: import os import sys from drgn.helpers.linux.fs import path_lookup from drgn import NULL, Object, Type, cast def btrfs_sb(sb): return cast("struct btrfs_fs_info *", sb.s_fs_info) if len(sys.argv) == 1: path = “/” else: path = sys.argv[1] fs_info = cast("struct btrfs_fs_info *", path_lookup(prog, path).mnt.mnt_sb.s_fs_info) BTRFS_FS_DISCARD_RUNNING = 1 << prog[‘BTRFS_FS_DISCARD_RUNNING’] if fs_info.flags & BTRFS_FS_DISCARD_RUNNING: print(“discard running flag is on”) else: print(“discard running flag is off”) [root]# mount | grep nvme /dev/nvme0n1p3 on / type btrfs (rw,relatime,compress-force=zstd:3,ssd,discard=async,space_cache=v2,subvolid=5,subvol=/) [root]# ./discard_running.drgn discard running flag is off [root]# mount -o remount,discard=sync / [root]# mount -o remount,discard=async / [root]# ./discard_running.drgn discard running flag is on The fix is to call btrfs_discard_resume() when we’re going from ro->rw. It already checks to make sure the async discard flag is on, so it’ll do the right thing. Fixes: 63a7cb13071842 (“btrfs: auto enable discard=async when possible”) CC: [email protected] # 6.3+ Reviewed-by: Boris Burkov Signed-off-by: Chris Mason Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 1cfba7edb9b64f910b5cc43384617f5b01e94081 Author: Qu Wenruo Date: Fri May 26 20:30:20 2023 +0800 btrfs: subpage: fix a crash in metadata repair path commit 917ac77846b907dfdbd878688a9a61236ad6c51e upstream. [BUG] Test case btrfs/027 would crash with subpage (64K page size, 4K sectorsize) with the following dying messages: debug: map_length=16384 length=65536 type=metadata|raid6(0x104) assertion failed: map_length >= length, in fs/btrfs/volumes.c:8093 ------------[ cut here ]------------ kernel BUG at fs/btrfs/messages.c:259! Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: btrfs_assertfail+0x28/0x2c [btrfs] btrfs_map_repair_block+0x150/0x2b8 [btrfs] btrfs_repair_io_failure+0xd4/0x31c [btrfs] btrfs_read_extent_buffer+0x150/0x16c [btrfs] read_tree_block+0x38/0xbc [btrfs] read_tree_root_path+0xfc/0x1bc [btrfs] btrfs_get_root_ref.part.0+0xd4/0x3a8 [btrfs] open_ctree+0xa30/0x172c [btrfs] btrfs_mount_root+0x3c4/0x4a4 [btrfs] legacy_get_tree+0x30/0x60 vfs_get_tree+0x28/0xec vfs_kern_mount.part.0+0x90/0xd4 vfs_kern_mount+0x14/0x28 btrfs_mount+0x114/0x418 [btrfs] legacy_get_tree+0x30/0x60 vfs_get_tree+0x28/0xec path_mount+0x3e0/0xb64 __arm64_sys_mount+0x200/0x2d8 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0x60/0x11c do_el0_svc+0x38/0x98 el0_svc+0x40/0xa8 el0t_64_sync_handler+0xf4/0x120 el0t_64_sync+0x190/0x194 Code: aa0403e2 b0fff060 91010000 959c2024 (d4210000) [CAUSE] In btrfs/027 we test RAID6 with missing devices, in this particular case, we’re repairing a metadata at the end of a data stripe. But at btrfs_repair_io_failure(), we always pass a full PAGE for repair, and for subpage case this can cross stripe boundary and lead to the above BUG_ON(). This metadata repair code is always there, since the introduction of subpage support, but this can trigger BUG_ON() after the bio split ability at btrfs_map_bio(). [FIX] Instead of passing the old PAGE_SIZE, we calculate the correct length based on the eb size and page size for both regular and subpage cases. CC: [email protected] # 6.3+ Reviewed-by: Christoph Hellwig Signed-off-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 4f96a4a4943265b4bf7ad702eaef67d9aafd8790 Author: Ricardo Ribalda Date: Fri May 19 16:47:38 2023 +0200 powerpc/purgatory: remove PGO flags commit 20188baceb7a1463dc0bcb0c8678b69c2f447df6 upstream. If profile-guided optimization is enabled, the purgatory ends up with multiple .text sections. This is not supported by kexec and crashes the system. Link: https://lkml.kernel.org/r/[email protected] Fixes: 930457057abe (“kernel/kexec_file.c: split up __kexec_load_puragory”) Signed-off-by: Ricardo Ribalda Cc: Michael Ellerman Cc: Nicholas Piggin Cc: Christophe Leroy Cc: Cc: Albert Ou Cc: Baoquan He Cc: Borislav Petkov (AMD) Cc: Dave Hansen Cc: Dave Young Cc: Eric W. Biederman Cc: “H. Peter Anvin” Cc: Ingo Molnar Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Palmer Dabbelt Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Philipp Rudo Cc: Ross Zwisler Cc: Simon Horman Cc: Steven Rostedt (Google) Cc: Thomas Gleixner Cc: Tom Rix Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit cc9497ad8f3ce1be2301c92a76ffb69a9a890b0e Author: Ricardo Ribalda Date: Fri May 19 16:47:39 2023 +0200 riscv/purgatory: remove PGO flags commit 88ac3bbcf73853880a9b2a65c67e6854390741cc upstream. If profile-guided optimization is enabled, the purgatory ends up with multiple .text sections. This is not supported by kexec and crashes the system. Link: https://lkml.kernel.org/r/[email protected] Fixes: 930457057abe (“kernel/kexec_file.c: split up __kexec_load_puragory”) Signed-off-by: Ricardo Ribalda Acked-by: Palmer Dabbelt Cc: Cc: Albert Ou Cc: Baoquan He Cc: Borislav Petkov (AMD) Cc: Christophe Leroy Cc: Dave Hansen Cc: Dave Young Cc: Eric W. Biederman Cc: “H. Peter Anvin” Cc: Ingo Molnar Cc: Michael Ellerman Cc: Nathan Chancellor Cc: Nicholas Piggin Cc: Nick Desaulniers Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Philipp Rudo Cc: Ross Zwisler Cc: Simon Horman Cc: Steven Rostedt (Google) Cc: Thomas Gleixner Cc: Tom Rix Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit ee8b1d9cc9dc57572c7931a27101bce6650a9f76 Author: Ricardo Ribalda Date: Fri May 19 16:47:37 2023 +0200 x86/purgatory: remove PGO flags commit 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e upstream. If profile-guided optimization is enabled, the purgatory ends up with multiple .text sections. This is not supported by kexec and crashes the system. Link: https://lkml.kernel.org/r/[email protected] Fixes: 930457057abe (“kernel/kexec_file.c: split up __kexec_load_puragory”) Signed-off-by: Ricardo Ribalda Cc: Cc: Albert Ou Cc: Baoquan He Cc: Borislav Petkov (AMD) Cc: Christophe Leroy Cc: Dave Hansen Cc: Dave Young Cc: Eric W. Biederman Cc: “H. Peter Anvin” Cc: Ingo Molnar Cc: Michael Ellerman Cc: Nathan Chancellor Cc: Nicholas Piggin Cc: Nick Desaulniers Cc: Palmer Dabbelt Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Philipp Rudo Cc: Ross Zwisler Cc: Simon Horman Cc: Steven Rostedt (Google) Cc: Thomas Gleixner Cc: Tom Rix Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit cb1638618545182a01444b2b20a4ed6b9d2a8c8f Author: Ricardo Ribalda Date: Fri May 19 16:47:36 2023 +0200 kexec: support purgatories with .text.hot sections commit 8652d44f466ad5772e7d1756e9457046189b0dfc upstream. Patch series "kexec: Fix kexec_file_load for llvm16 with PGO", v7. When upreving llvm I realised that kexec stopped working on my test platform. The reason seems to be that due to PGO there are multiple .text sections on the purgatory, and kexec does not supports that. This patch (of 4): Clang16 links the purgatory text in two sections when PGO is in use: [ 1] .text PROGBITS 0000000000000000 00000040 00000000000011a1 0000000000000000 AX 0 0 16 [ 2] .rela.text RELA 0000000000000000 00003498 0000000000000648 0000000000000018 I 24 1 8 … [17] .text.hot. PROGBITS 0000000000000000 00003220 000000000000020b 0000000000000000 AX 0 0 1 [18] .rela.text.hot. RELA 0000000000000000 00004428 0000000000000078 0000000000000018 I 24 17 8 And both of them have their range [sh_addr … sh_addr+sh_size] on the area pointed by `e_entry`. This causes that image->start is calculated twice, once for .text and another time for .text.hot. The second calculation leaves image->start in a random location. Because of this, the system crashes immediately after: kexec_core: Starting new kernel Link: https://lkml.kernel.org/r/[email protected] Link: https://lkml.kernel.org/r/[email protected] Fixes: 930457057abe (“kernel/kexec_file.c: split up __kexec_load_puragory”) Signed-off-by: Ricardo Ribalda Reviewed-by: Ross Zwisler Reviewed-by: Steven Rostedt (Google) Reviewed-by: Philipp Rudo Cc: Albert Ou Cc: Baoquan He Cc: Borislav Petkov (AMD) Cc: Christophe Leroy Cc: Dave Hansen Cc: Dave Young Cc: Eric W. Biederman Cc: “H. Peter Anvin” Cc: Ingo Molnar Cc: Michael Ellerman Cc: Nathan Chancellor Cc: Nicholas Piggin Cc: Nick Desaulniers Cc: Palmer Dabbelt Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Simon Horman Cc: Thomas Gleixner Cc: Tom Rix Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit ec1412d7de48194c0009ed91494fb55e08b8ac86 Author: Arunpravin Paneer Selvam Date: Fri Jun 9 06:18:41 2023 -0700 Revert “drm/amdgpu: remove TOPDOWN flags when allocating VRAM in large bar system” commit 34e5a54327dce5033582f3609eb54812a8c61b90 upstream. This reverts commit c105518679b6e87232874ffc989ec403bee59664. This patch disables the TOPDOWN flag for APU and few dGPU cards which has the VRAM size equal to the BAR size. When we enable the TOPDOWN flag, we get the free blocks at the highest available memory region and we don’t split the lower order blocks. This change is required to keep off the fragmentation related issues particularly in ASIC which has VRAM space <= 500MiB Hence, we are reverting this patch. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2270 Signed-off-by: Arunpravin Paneer Selvam Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit 573c5ace50109518ed8a183aff93399c1c17eb73 Author: Jens Axboe Date: Mon Jun 12 13:51:36 2023 -0600 io_uring/net: save msghdr->msg_control for retries commit cac9e4418f4cbd548ccb065b3adcafe073f7f7d2 upstream. If the application sets ->msg_control and we have to later retry this command, or if it got queued with IOSQE_ASYNC to begin with, then we need to retain the original msg_control value. This is due to the net stack overwriting this field with an in-kernel pointer, to copy it in. Hitting that path for the second time will now fail the copy from user, as it’s attempting to copy from a non-user address. Cc: [email protected] # 5.10+ Link: https://github.com/axboe/liburing/issues/880 Reported-and-tested-by: Marek Majkowski Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 2cdd9e85af154f4d4b0cc449885e89654b52af36 Author: Huacai Chen Date: Thu Jun 15 14:35:52 2023 +0800 LoongArch: Fix perf event id calculation commit 962369120d750cbc9c4dc492f32b4304669ff6aa upstream. LoongArch PMCFG has 10bit event id rather than 8 bit, so fix it. Cc: [email protected] Signed-off-by: Jun Yi Signed-off-by: Huacai Chen Signed-off-by: Greg Kroah-Hartman commit f3c8b43d72c0fa89e2d940fe725657ac54b600fc Author: Immad Mir Date: Thu Jun 15 14:35:56 2023 +0800 LoongArch: Fix debugfs_create_dir() error checking commit 41efbb682de1231c3f6361039f46ad149e3ff5b9 upstream. The debugfs_create_dir() returns ERR_PTR in case of an error and the correct way of checking it is using the IS_ERR_OR_NULL inline function rather than the simple null comparision. This patch fixes the issue. Cc: [email protected] Suggested-By: Ivan Orlov Signed-off-by: Immad Mir Signed-off-by: Huacai Chen Signed-off-by: Greg Kroah-Hartman commit de4a6917c4cb5fee1f998a1eb29b7d2c40085cad Author: Ryusuke Konishi Date: Fri May 26 11:13:32 2023 +0900 nilfs2: reject devices with insufficient block count commit 92c5d1b860e9581d64baca76779576c0ab0d943d upstream. The current sanity check for nilfs2 geometry information lacks checks for the number of segments stored in superblocks, so even for device images that have been destructively truncated or have an unusually high number of segments, the mount operation may succeed. This causes out-of-bounds block I/O on file system block reads or log writes to the segments, the latter in particular causing “a_ops->writepages” to repeatedly fail, resulting in sync_inodes_sb() to hang. Fix this issue by checking the number of segments stored in the superblock and avoiding mounting devices that can cause out-of-bounds accesses. To eliminate the possibility of overflow when calculating the number of blocks required for the device from the number of segments, this also adds a helper function to calculate the upper bound on the number of segments and inserts a check using it. Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Ryusuke Konishi Reported-by: [email protected] Link: https://syzkaller.appspot.com/bug?extid=7d50f1e54a12ba3aeae2 Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 2cdaace450fc6431ac3ba2c030203912a8df93cb Author: Ryusuke Konishi Date: Wed May 24 18:43:48 2023 +0900 nilfs2: fix possible out-of-bounds segment allocation in resize ioctl commit fee5eaecca86afa544355569b831c1f90f334b85 upstream. Syzbot reports that in its stress test for resize ioctl, the log writing function nilfs_segctor_do_construct hits a WARN_ON in nilfs_segctor_truncate_segments(). It turned out that there is a problem with the current implementation of the resize ioctl, which changes the writable range on the device (the range of allocatable segments) at the end of the resize process. This order is necessary for file system expansion to avoid corrupting the superblock at trailing edge. However, in the case of a file system shrink, if log writes occur after truncating out-of-bounds trailing segments and before the resize is complete, segments may be allocated from the truncated space. The userspace resize tool was fine as it limits the range of allocatable segments before performing the resize, but it can run into this issue if the resize ioctl is called alone. Fix this issue by changing nilfs_sufile_resize() to update the range of allocatable segments immediately after successful truncation of segment space in case of file system shrink. Link: https://lkml.kernel.org/r/[email protected] Fixes: 4e33f9eab07e (“nilfs2: implement resize ioctl”) Signed-off-by: Ryusuke Konishi Reported-by: [email protected] Closes: https://lkml.kernel.org/r/[email protected] Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 781308dfe5653a019f8397e0b29165ccbf4298be Author: Ryusuke Konishi Date: Sat May 13 19:24:28 2023 +0900 nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key() commit 2f012f2baca140c488e43d27a374029c1e59098d upstream. A syzbot fault injection test reported that nilfs_btnode_create_block, a helper function that allocates a new node block for b-trees, causes a kernel BUG for disk images where the file system block size is smaller than the page size. This was due to unexpected flags on the newly allocated buffer head, and it turned out to be because the buffer flags were not cleared by nilfs_btnode_abort_change_key() after an error occurred during a b-tree update operation and the buffer was later reused in that state. Fix this issue by using nilfs_btnode_delete() to abandon the unused preallocated buffer in nilfs_btnode_abort_change_key(). Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Ryusuke Konishi Reported-by: [email protected] Closes: https://lkml.kernel.org/r/[email protected] Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit a6ba2a8a81d6637d07bf8db03a74b5430d2ca695 Author: Peter Xu Date: Wed May 17 15:09:15 2023 -0400 mm/uffd: fix vma operation where start addr cuts part of vma commit 270aa010620697fb27b8f892cc4e194bc2b7d134 upstream. Patch series "mm/uffd: Fix vma merge/split", v2. This series contains two patches that fix vma merge/split for userfaultfd on two separate issues. Patch 1 fixes a regression since 6.1+ due to something we overlooked when converting to maple tree apis. The plan is we use patch 1 to replace the commit "2f628010799e (mm: userfaultfd: avoid passing an invalid range to vma_merge())" in mm-hostfixes-unstable tree if possible, so as to bring uffd vma operations back aligned with the rest code again. Patch 2 fixes a long standing issue that vma can be left unmerged even if we can for either uffd register or unregister. Many thanks to Lorenzo on either noticing this issue from the assert movement patch, looking at this problem, and also provided a reproducer on the unmerged vma issue [1]. [1] https://gist.github.com/lorenzo-stoakes/a11a10f5f479e7a977fc456331266e0e This patch (of 2): It seems vma merging with uffd paths is broken with either register/unregister, where right now we can feed wrong parameters to vma_merge() and it’s found by recent patch which moved asserts upwards in vma_merge() by Lorenzo Stoakes: https://lore.kernel.org/all/[email protected]/ It’s possible that “start” is contained within vma but not clamped to its start. We need to convert this into either “cannot merge” case or “can merge” case 4 which permits subdivision of prev by assigning vma to prev. As we loop, each subsequent VMA will be clamped to the start. This patch will eliminate the report and make sure vma_merge() calls will become legal again. One thing to mention is that the “Fixes: 29417d292bd0” below is there only to help explain where the warning can start to trigger, the real commit to fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the issue, but unfortunately we may want to keep it in Fixes too just to ease kernel backporters for easier tracking. Link: https://lkml.kernel.org/r/[email protected] Link: https://lkml.kernel.org/r/[email protected] Fixes: 69dbe6daf104 (“userfaultfd: use maple tree iterator to iterate VMAs”) Signed-off-by: Peter Xu Reported-by: Mark Rutland Reviewed-by: Lorenzo Stoakes Reviewed-by: Liam R. Howlett Closes: https://lore.kernel.org/all/[email protected]/ Cc: Lorenzo Stoakes Cc: Mike Rapoport (IBM) Cc: Liam R. Howlett Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 40eae517df5e59cc56550140efac95829ee3af7a Author: Janne Grunau Date: Sun Feb 12 13:16:32 2023 +0100 nios2: dts: Fix tse_mac “max-frame-size” property commit 85041e12418fd0c08ff972b7729f7971afb361f8 upstream. The given value of 1518 seems to refer to the layer 2 ethernet frame size without 802.1Q tag. Actual use of the “max-frame-size” including in the consumer of the “altr,tse-1.0” compatible is the MTU. Fixes: 95acd4c7b69c (“nios2: Device tree support”) Fixes: 61c610ec61bb (“nios2: Add Max10 device tree”) Cc: Signed-off-by: Janne Grunau Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman commit 2b179d3e9e698eec261a6db18724d14fb7a8589d Author: Kefeng Wang Date: Sat May 27 11:21:01 2023 +0800 mm/damon/core: fix divide error in damon_nr_accesses_to_accesses_bp() commit 5ff6e2fff88ef9bf110c5e85a48e7b557bfc64c1 upstream. If ‘aggr_interval’ is smaller than 'sample_interval’, max_nr_accesses in damon_nr_accesses_to_accesses_bp() becomes zero which leads to divide error, let’s validate the values of them in damon_set_attrs() to fix it, which similar to others attrs check. Link: https://lkml.kernel.org/r/[email protected] Fixes: 2f5bef5a590b (“mm/damon/core: update monitoring results for new monitoring attributes”) Reported-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=841a46899768ec7bec67 Link: https://lore.kernel.org/damon/[email protected]/ Reviewed-by: SeongJae Park Signed-off-by: Kefeng Wang Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit eda847aacab7c2fa4d0dcfc91c026914c58a6b60 Author: Nhat Pham Date: Tue May 30 15:24:40 2023 -0700 zswap: do not shrink if cgroup may not zswap commit 0bdf0efa180a9cb1361cbded4e2260a49306ac89 upstream. Before storing a page, zswap first checks if the number of stored pages exceeds the limit specified by memory.zswap.max, for each cgroup in the hierarchy. If this limit is reached or exceeded, then zswap shrinking is triggered and short-circuits the store attempt. However, since the zswap’s LRU is not memcg-aware, this can create the following pathological behavior: the cgroup whose zswap limit is 0 will evict pages from other cgroups continually, without lowering its own zswap usage. This means the shrinking will continue until the need for swap ceases or the pool becomes empty. As a result of this, we observe a disproportionate amount of zswap writeback and a perpetually small zswap pool in our experiments, even though the pool limit is never hit. More generally, a cgroup might unnecessarily evict pages from other cgroups before we drive the memcg back below its limit. This patch fixes the issue by rejecting zswap store attempt without shrinking the pool when obj_cgroup_may_zswap() returns false. [[email protected]: fix return of unintialized value] [[email protected]: s/ENOSPC/ENOMEM/] Link: https://lkml.kernel.org/r/[email protected] Link: https://lkml.kernel.org/r/[email protected] Fixes: f4840ccfca25 (“zswap: memcg accounting”) Signed-off-by: Nhat Pham Cc: Dan Streetman Cc: Domenico Cerasuolo Cc: Johannes Weiner Cc: Seth Jennings Cc: Vitaly Wool Cc: Yosry Ahmed Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 95b733eaedcf5cb07015a3642661ce3c075adc34 Author: Luís Henriques Date: Mon May 29 16:26:45 2023 +0100 ocfs2: check new file size on fallocate call commit 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 upstream. When changing a file size with fallocate() the new size isn’t being checked. In particular, the FSIZE ulimit isn’t being checked, which makes fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes this issue. Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Luís Henriques Reviewed-by: Mark Fasheh Reviewed-by: Joseph Qi Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 6ef5175d95b981cb17a3eb3b4965cd7866f9c7df Author: Luís Henriques Date: Mon May 22 11:21:12 2023 +0100 ocfs2: fix use-after-free when unmounting read-only filesystem commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream. It’s trivial to trigger a use-after-free bug in the ocfs2 quotas code using fstest generic/452. After a read-only remount, quotas are suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access to the oinfo will eventually cause a crash. BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 Read of size 8 at addr ffff8880389a8208 by task umount/669 … Call Trace: … timer_delete+0x54/0xc0 try_to_grab_pending+0x31/0x230 __cancel_work_timer+0x6c/0x270 ocfs2_disable_quotas.isra.0+0x3e/0xf0 [ocfs2] ocfs2_dismount_volume+0xdd/0x450 [ocfs2] generic_shutdown_super+0xaa/0x280 kill_block_super+0x46/0x70 deactivate_locked_super+0x4d/0xb0 cleanup_mnt+0x135/0x1f0 … Allocated by task 632: kasan_save_stack+0x1c/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x8b/0x90 ocfs2_local_read_info+0xe3/0x9a0 [ocfs2] dquot_load_quota_sb+0x34b/0x680 dquot_load_quota_inode+0xfe/0x1a0 ocfs2_enable_quotas+0x190/0x2f0 [ocfs2] ocfs2_fill_super+0x14ef/0x2120 [ocfs2] mount_bdev+0x1be/0x200 legacy_get_tree+0x6c/0xb0 vfs_get_tree+0x3e/0x110 path_mount+0xa90/0xe10 __x64_sys_mount+0x16f/0x1a0 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 650: kasan_save_stack+0x1c/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0xf9/0x150 __kmem_cache_free+0x89/0x180 ocfs2_local_free_info+0x2ba/0x3f0 [ocfs2] dquot_disable+0x35f/0xa70 ocfs2_susp_quotas.isra.0+0x159/0x1a0 [ocfs2] ocfs2_remount+0x150/0x580 [ocfs2] reconfigure_super+0x1a5/0x3a0 path_mount+0xc8a/0xe10 __x64_sys_mount+0x16f/0x1a0 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Luís Henriques Reviewed-by: Joseph Qi Tested-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 7d9792a8abccfe7392f6b1f13f3b374f698c75fe Author: Benjamin Segall Date: Tue May 30 11:32:28 2023 -0700 epoll: ep_autoremove_wake_function should use list_del_init_careful commit 2192bba03d80f829233bfa34506b428f71e531e7 upstream. autoremove_wake_function uses list_del_init_careful, so should epoll’s more aggressive variant. It only doesn’t because it was copied from an older wait.c rather than the most recent. [[email protected]: add comment] Link: https://lkml.kernel.org/r/[email protected] Link: https://lkml.kernel.org/r/[email protected] Fixes: a16ceb139610 (“epoll: autoremove wakers even more aggressively”) Signed-off-by: Ben Segall Cc: Al Viro Cc: Christian Brauner Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 360b56b0be3d9a5b90fc379755ff9c586c92579f Author: Dan Carpenter Date: Fri Jun 9 13:48:44 2023 +0300 wifi: cfg80211: fix double lock bug in reg_wdev_chan_valid() commit 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 upstream. The locking was changed recently so now the caller holds the wiphy_lock() lock. Taking the lock inside the reg_wdev_chan_valid() function will lead to a deadlock. Fixes: f7e60032c661 (“wifi: cfg80211: fix locking in regulatory disconnect”) Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 9a0eba345f7bdae9cb1cf2077a979185dcd1c66c Author: Johannes Berg Date: Tue Jun 6 14:34:48 2023 +0200 wifi: cfg80211: fix locking in regulatory disconnect commit f7e60032c6618dfd643c7210d5cba2789e2de2e2 upstream. This should use wiphy_lock() now instead of requiring the RTNL, since __cfg80211_leave() via cfg80211_leave() is now requiring that lock to be held. Fixes: a05829a7222e (“cfg80211: avoid holding the RTNL when calling the driver”) Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit b398bb0384a5e49a133253fd175835c344aadd61 Author: Marc Zyngier Date: Tue May 30 11:01:22 2023 +0100 irqchip/gic: Correctly validate OF quirk descriptors [ Upstream commit 91539341a3b6e9c868024a4292455dae36e6f58c ] When checking for OF quirks, make sure either ‘compatible’ or ‘property’ is set, and give up otherwise. This avoids non-OF quirks being randomly applied as they don’t have any of the OF data that need checking. Cc: Douglas Anderson Reported-by: Geert Uytterhoeven Tested-by: Geert Uytterhoeven Fixes: 44bd78dd2b88 (“irqchip/gic-v3: Disable pseudo NMIs on Mediatek devices w/ firmware issues”) Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit a3e4eb017c959ee0762f7b659a426b84343ba5ae Author: Tatsuki Sugiura Date: Sat May 20 21:23:50 2023 +0900 NVMe: Add MAXIO 1602 to bogus nid list. [ Upstream commit a3a9d63dcd15535e7fdf4c7c1b32bfaed762973a ] HIKSEMI FUTURE M.2 SSD uses the same dummy nguid and eui64. I confirmed it with my two devices. This patch marks the controller as NVME_QUIRK_BOGUS_NID. --------------------------------------------------------- sugi@tempest:~% sudo nvme id-ctrl /dev/nvme0 NVME Identify Controller: vid : 0x1e4b ssvid : 0x1e4b sn : 30096022612 mn : HS-SSD-FUTURE 2048G fr : SN10542 rab : 0 ieee : 000000 cmic : 0 mdts : 7 cntlid : 0 ver : 0x10400 rtd3r : 0x7a120 rtd3e : 0x1e8480 oaes : 0x200 ctratt : 0x2 rrls : 0 cntrltype : 1 fguid : 00000000-0000-0000-0000-000000000000 --------------------------------------------------------- --------------------------------------------------------- sugi@tempest:~% sudo nvme id-ns /dev/nvme0n1 NVME Identify Namespace 1: nguid : 00000000000000000000000000000000 eui64 : 0000000000000002 lbaf 0 : ms:0 lbads:9 rp:0 (in use) --------------------------------------------------------- Signed-off-by: Tatsuki Sugiura Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit 5bf82a1bc7265004b41b624547e37014d108c5ca Author: Wenwen Chen Date: Thu May 25 16:26:26 2023 +0800 io_uring: unlock sqd->lock before sq thread release CPU [ Upstream commit 533ab73f5b5c95dcb4152b52d5482abcc824c690 ] The sq thread actively releases CPU resources by calling the cond_resched() and schedule() interfaces when it is idle. Therefore, more resources are available for other threads to run. There exists a problem in sq thread: it does not unlock sqd->lock before releasing CPU resources every time. This makes other threads pending on sqd->lock for a long time. For example, the following interfaces all require sqd->lock: io_sq_offload_create(), io_register_iowq_max_workers() and io_ring_exit_work(). Before the sq thread releases CPU resources, unlocking sqd->lock will provide the user a better experience because it can respond quickly to user requests. Signed-off-by: Kanchan Joshi Signed-off-by: Wenwen Chen Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 6c4510b2e61376399c2e2637751c896d1e3f6926 Author: Sukrut Bellary Date: Wed May 3 16:15:07 2023 -0700 drm:amd:amdgpu: Fix missing buffer object unlock in failure path [ Upstream commit 60ecaaf54886b0642d5c4744f7fbf1ff0d6b3e42 ] smatch warning - 1) drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c:3615 gfx_v9_0_kiq_resume() warn: inconsistent returns 'ring->mqd_obj->tbo.base.resv’. 2) drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c:6901 gfx_v10_0_kiq_resume() warn: inconsistent returns 'ring->mqd_obj->tbo.base.resv’. Signed-off-by: Sukrut Bellary Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8765aec0cb17628db93c5732b55130222a955abc Author: Ross Lagerwall Date: Wed Apr 26 17:40:05 2023 +0100 xen/blkfront: Only check REQ_FUA for writes [ Upstream commit b6ebaa8100090092aa602530d7e8316816d0c98d ] The existing code silently converts read operations with the REQ_FUA bit set into write-barrier operations. This results in data loss as the backend scribbles zeroes over the data instead of returning it. While the REQ_FUA bit doesn’t make sense on a read operation, at least one well-known out-of-tree kernel module does set it and since it results in data loss, let’s be safe here and only look at REQ_FUA for writes. Signed-off-by: Ross Lagerwall Acked-by: Juergen Gross Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit 7a7a438f91f1da5e138b35e69e766aefaa948f3a Author: Maxim Kochetkov Date: Fri May 12 14:03:42 2023 +0300 ASoC: dwc: move DMA init to snd_soc_dai_driver probe() [ Upstream commit 011a8719d6105dcb48077ea7a6a88ac019d4aa50 ] When using DMA mode we are facing with Oops: [ 396.458157] Unable to handle kernel access to user memory without uaccess routines at virtual address 000000000000000c [ 396.469374] Oops [#1] [ 396.471839] Modules linked in: [ 396.475144] CPU: 0 PID: 114 Comm: arecord Not tainted 6.0.0-00164-g9a8eccdaf2be-dirty #68 [ 396.483619] Hardware name: YMP ELCT FPGA (DT) [ 396.488156] epc : dmaengine_pcm_open+0x1d2/0x342 [ 396.493227] ra : dmaengine_pcm_open+0x1d2/0x342 [ 396.498140] epc : ffffffff807fe346 ra : ffffffff807fe346 sp : ffffffc804e138f0 [ 396.505602] gp : ffffffff817bf730 tp : ffffffd8042c8ac0 t0 : 6500000000000000 [ 396.513045] t1 : 0000000000000064 t2 : 656e69676e65616d s0 : ffffffc804e13990 [ 396.520477] s1 : ffffffd801b86a18 a0 : 0000000000000026 a1 : ffffffff816920f8 [ 396.527897] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000 [ 396.535319] a5 : 0000000000000000 a6 : ffffffd801b87040 a7 : 0000000000000038 [ 396.542740] s2 : ffffffd801b94a00 s3 : 0000000000000000 s4 : ffffffd80427f5e8 [ 396.550153] s5 : ffffffd80427f5e8 s6 : ffffffd801b44410 s7 : fffffffffffffff5 [ 396.557569] s8 : 0000000000000800 s9 : 0000000000000001 s10: ffffffff8066d254 [ 396.564978] s11: ffffffd8059cf768 t3 : ffffffff817d5577 t4 : ffffffff817d5577 [ 396.572391] t5 : ffffffff817d5578 t6 : ffffffc804e136e8 [ 396.577876] status: 0000000200000120 badaddr: 000000000000000c cause: 000000000000000d [ 396.586007] [] snd_soc_component_open+0x1a/0x68 [ 396.592439] [] __soc_pcm_open+0xf0/0x502 [ 396.598217] [] soc_pcm_open+0x2e/0x4e [ 396.603741] [] snd_pcm_open_substream+0x442/0x68e [ 396.610313] [] snd_pcm_open+0xfa/0x212 [ 396.615868] [] snd_pcm_capture_open+0x3a/0x60 [ 396.622048] [] snd_open+0xa8/0x17a [ 396.627421] [] chrdev_open+0xa0/0x218 [ 396.632893] [] do_dentry_open+0x17c/0x2a6 [ 396.638713] [] vfs_open+0x1e/0x26 [ 396.643850] [] path_openat+0x96e/0xc96 [ 396.649518] [] do_filp_open+0x7c/0xf6 [ 396.655034] [] do_sys_openat2+0x8a/0x11e [ 396.660765] [] sys_openat+0x50/0x7c [ 396.666068] [] ret_from_syscall+0x0/0x2 [ 396.674964] —[ end trace 0000000000000000 ]— It happens because of play_dma_data/capture_dma_data pointers are NULL. Current implementation assigns these pointers at snd_soc_dai_driver startup() callback and reset them back to NULL at shutdown(). But soc_pcm_open() sequence uses DMA pointers in dmaengine_pcm_open() before snd_soc_dai_driver startup(). Most generic DMA capable I2S drivers use snd_soc_dai_driver probe() callback to init DMA pointers only once at probe. So move DMA init to dw_i2s_dai_probe and drop shutdown() and startup() callbacks. Signed-off-by: Maxim Kochetkov Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit dba19e1c67fd3d9eea2bf299a4981673561cb7bf Author: Stefan Binding Date: Fri Apr 14 16:25:51 2023 +0100 ASoC: cs35l41: Fix default regmap values for some registers [ Upstream commit e2d035f5a7d597bbabc268e236ec6c0408c4af0e ] Several values do not match the defaults of CS35L41, fix them. Signed-off-by: Stefan Binding Acked-by: Mark Brown Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0b930fa315395d140ac064da04b5f94c655ca2bc Author: Liviu Dudau Date: Tue May 9 18:29:21 2023 +0100 mips: Move initrd_start check after initrd address sanitisation. [ Upstream commit 4897a898a216058dec55e5e5902534e6e224fcdf ] PAGE_OFFSET is technically a virtual address so when checking the value of initrd_start against it we should make sure that it has been sanitised from the values passed by the bootloader. Without this change, even with a bootloader that passes correct addresses for an initrd, we are failing to load it on MT7621 boards, for example. Signed-off-by: Liviu Dudau Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 5fc220360ef3b45b6c2054d0c5efee4b2e333b29 Author: Manuel Lauss Date: Thu May 11 17:30:10 2023 +0200 MIPS: Alchemy: fix dbdma2 [ Upstream commit 2d645604f69f3a772d58ead702f9a8e84ab2b342 ] Various fixes for the Au1200/Au1550/Au1300 DBDMA2 code: - skip cache invalidation if chip has working coherency circuitry. - invalidate KSEG0-portion of the (physical) data address. - force the dma channel doorbell write out to bus immediately with a sync. Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit b5e46d634e581a4afe0fff5e8c6c368dad3a0922 Author: Manuel Lauss Date: Wed May 10 12:33:23 2023 +0200 MIPS: Restore Au1300 support [ Upstream commit f2041708dee30a3425f680265c337acd28293782 ] The Au1300, at least the one I have to test, uses the NetLogic vendor ID, but commit 95b8a5e0111a (“MIPS: Remove NETLOGIC support”) also dropped Au1300 detection. Restore Au1300 detection. Tested on DB1300 with Au1380 chip. Signed-off-by: Manuel Lauss Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit cb051b5e314ff5cdc8e1ef5d61378068b289ffeb Author: Manuel Lauss Date: Tue May 9 20:57:44 2023 +0200 MIPS: unhide PATA_PLATFORM [ Upstream commit 75b18aac6fa39a1720677970cfcb52ecea1eb44c ] Alchemy DB1200/DB1300 boards can use the pata_platform driver. Unhide the config entry in all of MIPS. Signed-off-by: Manuel Lauss Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 25b96ba0158bbd28b010868085cec45e50a26a52 Author: Gao Xiang Date: Mon May 22 17:21:41 2023 +0800 erofs: use HIPRI by default if per-cpu kthreads are enabled [ Upstream commit cf7f2732b4b83026842832e7e4e04bf862108ac2 ] As Sandeep shown [1], high priority RT per-cpu kthreads are typically helpful for Android scenarios to minimize the scheduling latencies. Switch EROFS_FS_PCPU_KTHREAD_HIPRI on by default if EROFS_FS_PCPU_KTHREAD is on since it’s the typical use cases for EROFS_FS_PCPU_KTHREAD. Also clean up unneeded sched_set_normal(). [1] https://lore.kernel.org/r/CAB=BE-SBtO6vcoyLNA9F-9VaN5R0t3o_Zn+FW8GbO6wyUqFneQ@mail.gmail.com Reviewed-by: Yue Hu Reviewed-by: Sandeep Dhavale Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sasha Levin commit a8f9355ee9c66df00a801e3a73d5a8a44cbe611b Author: Helge Deller Date: Wed May 17 15:54:40 2023 +0200 parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory() [ Upstream commit d703797380c540bbeac03f104ebcfc364eaf47cc ] Flush caches after changing gatt entries and calculate entry according to SBA requirements. Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 6f50472d6441eadc05036e7e9692d8dbd8596129 Author: Helge Deller Date: Wed May 17 15:52:30 2023 +0200 parisc: Improve cache flushing for PCXL in arch_sync_dma_for_cpu() [ Upstream commit 59fa12646d9f56c842b4d5b6418ed77af625c588 ] Add comment in arch_sync_dma_for_device() and handle the direction flag in arch_sync_dma_for_cpu(). When receiving data from the device (DMA_FROM_DEVICE) unconditionally purge the data cache in arch_sync_dma_for_cpu(). Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 0f32085e687530daf31c5a325802ad780708b74a Author: Amadeusz Sławiński Date: Fri May 19 22:17:11 2023 +0200 ASoC: Intel: avs: Add missing checks on FE startup [ Upstream commit 25148f57a2a6d157779bae494852e172952ba980 ] Constraint functions have return values, they should be checked for potential errors. Reviewed-by: Cezary Rojewski Signed-off-by: Amadeusz Sławiński Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f2962f40f9bf66feeeab4e07eff02bd42b24ff21 Author: Amadeusz Sławiński Date: Fri May 19 22:17:10 2023 +0200 ASoC: Intel: avs: Fix avs_path_module::instance_id size [ Upstream commit 320f4d868b83a804e3a4bd61a5b7d0f1db66380e ] All IPCs using instance_id use 8 bit value. Original commit used 16 bit value because FW reports possible max value in 16 bit field, but in practice FW limits the value to 8 bits. Reviewed-by: Cezary Rojewski Signed-off-by: Amadeusz Sławiński Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ada354839c630bd48973c0b5d65f48721892de59 Author: Cezary Rojewski Date: Fri May 19 22:17:09 2023 +0200 ASoC: Intel: avs: Account for UID of ACPI device [ Upstream commit 836855100b87b4dd7a82546131779dc255c18b67 ] Configurations with multiple codecs attached to the platform are supported but only if each from the set is different. Add new field representing the ‘Unique ID’ so that codecs that share Vendor and Part IDs can be differentiated and thus enabling support for such configurations. Signed-off-by: Cezary Rojewski Signed-off-by: Amadeusz Sławiński Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8d28bb699354bf821dd8ddb211373d29ff6286d1 Author: Alejandro Lucero Date: Thu May 18 06:48:22 2023 +0100 sfc: fix devlink info error handling [ Upstream commit cfcb942863f6fce9266e1957a021e6c7295dee42 ] Avoid early devlink info return if errors arise with MCDI commands executed for getting the required info from the device. The rationale is some commands can fail but later ones could still give useful data. Moreover, some nvram partitions could not be present which needs to be handled as a non error. The specific errors are reported through system messages and if any error appears, it will be reported generically through extack. Fixes 14743ddd2495 (“sfc: add devlink info support for ef100”) Signed-off-by: Alejandro Lucero Acked-by: Martin Habets Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9d72fed8d81d072db1f654912ec5fa9abd30a690 Author: Ranjani Sridharan Date: Wed May 17 13:57:31 2023 -0500 ASoC: soc-pcm: test if a BE can be prepared [ Upstream commit e123036be377ddf628226a7c6d4f9af5efd113d3 ] In the BE hw_params configuration, the existing code checks if any of the existing FEs are prepared, running, paused or suspended - and skips the configuration in those cases. This allows multiple calls of hw_params which the ALSA state machine supports. This check is not handled for the prepare stage, which can lead to the same BE being prepared multiple times. This patch adds a check similar to that of the hw_params, with the main difference being that the suspended state is allowed: the ALSA state machine allows a transition from suspended to prepared with hw_params skipped. This problem was detected on Intel IPC4/SoundWire devices, where the BE dailink .prepare stage is used to configure the SoundWire stream with a bank switch. Multiple .prepare calls lead to conflicts with the .trigger operation with IPC4 configurations. This problem was not detected earlier on Intel devices, HDaudio BE dailinks detect that the link is already prepared and skip the configuration, and for IPC3 devices there is no BE trigger. Link: https://github.com/thesofproject/sof/issues/7596 Signed-off-by: Ranjani Sridharan commit 38cb20b671954a3a6e293a1d376ddeff608b12de Author: Johannes Thumshirn Date: Thu May 4 13:58:13 2023 +0200 btrfs: handle memory allocation failure in btrfs_csum_one_bio [ Upstream commit 806570c0bb7b4847828c22c4934fcf2dc8fc572f ] Since f8a53bb58ec7 (“btrfs: handle checksum generation in the storage layer”) the failures of btrfs_csum_one_bio() are handled via bio_end_io(). This means, we can return BLK_STS_RESOURCE from btrfs_csum_one_bio() in case the allocation of the ordered sums fails. This also fixes a syzkaller report, where injecting a failure into the kvzalloc() call results in a BUG_ON(). Reported-by: [email protected] Reviewed-by: Christoph Hellwig Reviewed-by: Anand Jain Signed-off-by: Johannes Thumshirn Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit a96cad9a4771233b2b61036020b8e80158c441ae Author: Qu Wenruo Date: Thu Apr 13 13:57:17 2023 +0800 btrfs: scrub: try harder to mark RAID56 block groups read-only [ Upstream commit 7561551e7ba870b9659083b95feb520fb2dacce3 ] Currently we allow a block group not to be marked read-only for scrub. But for RAID56 block groups if we require the block group to be read-only, then we’re allowed to use cached content from scrub stripe to reduce unnecessary RAID56 reads. So this patch would: - Make btrfs_inc_block_group_ro() try harder During my tests, for cases like btrfs/061 and btrfs/064, we can hit ENOSPC from btrfs_inc_block_group_ro() calls during scrub. The reason is if we only have one single data chunk, and trying to scrub it, we won’t have any space left for any newer data writes. But this check should be done by the caller, especially for scrub cases we only temporarily mark the chunk read-only. And newer data writes would always try to allocate a new data chunk when needed. - Return error for scrub if we failed to mark a RAID56 chunk read-only Signed-off-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 0ec0a1fc66f3f0665e56c000322d7bdfd4750117 Author: Maya Matuszczyk Date: Mon May 15 20:48:43 2023 +0200 drm: panel-orientation-quirks: Change Air’s quirk to support Air Plus [ Upstream commit 1aa7f416175619e0286fddc5fc44e968b06bf2aa ] It turned out that Aya Neo Air Plus had a different board name than expected. This patch changes Aya Neo Air’s quirk to account for that, as both devices share “Air” in DMI product name. Tested on Air claiming to be an Air Pro, and on Air Plus. Signed-off-by: Maya Matuszczyk Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Sasha Levin commit 261ee49f4f4a841696f32b31e29300939186f8ad Author: Mario Limonciello Date: Tue May 16 13:25:40 2023 -0500 power: supply: Fix logic checking if system is running from battery [ Upstream commit 95339f40a8b652b5b1773def31e63fc53c26378a ] The logic used for power_supply_is_system_supplied() counts all power supplies and assumes that the system is running from AC if there is either a non-battery power-supply reporting to be online or if no power-supplies exist at all. The second rule is for desktop systems, that don’t have any battery/charger devices. These systems will incorrectly report to be powered from battery once a device scope power-supply is registered (e.g. a HID device), since these power-supplies increase the counter. Apart from HID devices, recent dGPUs provide UCSI power supplies on a desktop systems. The dGPU by default doesn’t have anything plugged in so it’s 'offline’. This makes power_supply_is_system_supplied() return 0 with a count of 1 meaning all drivers that use this get a wrong judgement. To fix this case adjust the logic to also examine the scope of the power supply. If the power supply is deemed a device power supply, then don’t count it. Cc: Evan Quan Suggested-by: Lijo Lazar Signed-off-by: Mario Limonciello Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 4cde65f65d689fdd31cb298496b5a13e6110c49c Author: Krzysztof Kozlowski Date: Fri May 12 18:45:06 2023 +0200 irqchip/meson-gpio: Mark OF related data as maybe unused [ Upstream commit 14130211be5366a91ec07c3284c183b75d8fba17 ] The driver can be compile tested with !CONFIG_OF making certain data unused: drivers/irqchip/irq-meson-gpio.c:153:34: error: ‘meson_irq_gpio_matches’ defined but not used [-Werror=unused-const-variable=] Acked-by: Martin Blumenstingl Signed-off-by: Krzysztof Kozlowski Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sasha Levin commit 8d6f0adef1f751ac56f69c70e01f2067a7a550d8 Author: Douglas Anderson Date: Mon May 15 13:13:51 2023 -0700 irqchip/gic-v3: Disable pseudo NMIs on Mediatek devices w/ firmware issues [ Upstream commit 44bd78dd2b8897f59b7e3963f088caadb7e4f047 ] Some Chromebooks with Mediatek SoCs have a problem where the firmware doesn’t properly save/restore certain GICR registers. Newer Chromebooks should fix this issue and we may be able to do firmware updates for old Chromebooks. At the moment, the only known issue with these Chromebooks is that we can’t enable “pseudo NMIs” since the priority register can be lost. Enabling “pseudo NMIs” on Chromebooks with the problematic firmware causes crashes and freezes. Let’s detect devices with this problem and then disable “pseudo NMIs” on them. We’ll detect the problem by looking for the presence of the “mediatek,broken-save-restore-fw” property in the GIC device tree node. Any devices with fixed firmware will not have this property. Our detection plan works because we never bake a Chromebook’s device tree into firmware. Instead, device trees are always bundled with the kernel. We’ll update the device trees of all affected Chromebooks and then we’ll never enable “pseudo NMI” on a kernel that is bundled with old device trees. When a firmware update is shipped that fixes this issue it will know to patch the device tree to remove the property. In order to make this work, the quick detection mechanism of the GICv3 code is extended to be able to look for properties in addition to looking at "compatible". Reviewed-by: Julius Werner Signed-off-by: Douglas Anderson Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20230515131353.v2.2.I88dc0a0eb1d9d537de61604cd8994ecc55c0cac1@changeid Signed-off-by: Sasha Levin commit 041b5a74fa8ad93ff40f022619d10b58a54c17e6 Author: Osama Muhammad Date: Mon May 15 22:29:38 2023 +0500 regulator: Fix error checking for debugfs_create_dir [ Upstream commit 2bf1c45be3b8f3a3f898d0756c1282f09719debd ] This patch fixes the error checking in core.c in debugfs_create_dir. The correct way to check if an error occurred is ‘IS_ERR’ inline function. Signed-off-by: Osama Muhammad commit 8a12d8fa8453103388c17d86bfb70b6e430fdce9 Author: Alexandru Sorodoc Date: Fri May 12 13:15:17 2023 +0300 platform/x86: asus-wmi: Ignore WMI events with codes 0x7B, 0xC0 [ Upstream commit 362c1f2ec82cb65940e1c73e15a395a7a891fc6f ] On ASUS GU604V the key 0x7B is issued when the charger is connected or disconnected, and key 0xC0 is issued when an external display is connected or disconnected. This commit maps them to KE_IGNORE to slience kernel messages about unknown keys, such as: kernel: asus_wmi: Unknown key code 0x7b Signed-off-by: Alexandru Sorodoc Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 1188afef30509eed231a9fbcf58f9e38e6b07faf Author: Mika Westerberg Date: Thu May 11 15:19:05 2023 +0300 PCI/DPC: Quirk PIO log size for Intel Ice Lake Root Ports [ Upstream commit 3b8803494a0612acdeee714cb72aa142b1e05ce5 ] Commit 5459c0b70467 (“PCI/DPC: Quirk PIO log size for certain Intel Root Ports”) added quirks for Tiger and Alder Lake Root Ports but missed that the same issue exists also in the previous generation, Ice Lake. Apply the quirk for Ice Lake Root Ports as well. This prevents kernel complaints like: DPC: RP PIO log size 0 is invalid and also enables the DPC driver to dump the RP PIO Log registers when DPC is triggered. [bhelgaas: add dmesg warning and RP PIO Log dump info] Closes: https://bugzilla.kernel.org/show_bug.cgi?id=209943 Link: https://lore.kernel.org/r/[email protected] Reported-by: Mark Blakeney Signed-off-by: Mika Westerberg Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit ce6be28394399dbc3aed3e736c8bbbb4c94e76eb Author: Marek Vasut Date: Sun Mar 5 21:52:26 2023 +0100 power: supply: Ratelimit no data debug output [ Upstream commit 155c45a25679f571c2ae57d10db843a9dfc63430 ] Reduce the amount of output this dev_dbg() statement emits into logs, otherwise if system software polls the sysfs entry for data and keeps getting -ENODATA, it could end up filling the logs up. This does in fact make systemd journald choke, since during boot the sysfs power supply entries are polled and if journald starts at the same time, the journal is just being repeatedly filled up, and the system stops on trying to start journald without booting any further. Signed-off-by: Marek Vasut Reviewed-by: Hans de Goede Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 086a317e4a1df6bcac054fc3e4603de34931bb4c Author: Mirsad Todorovac Date: Tue Apr 11 20:15:20 2023 +0300 selftests: gpio: gpio-sim: Fix BUG: test FAILED due to recent change [ Upstream commit 976d3c6778e99390c6d854d140b746d12ea18a51 ] According to Mirsad the gpio-sim.sh test appears to FAIL in a wrong way due to missing initialisation of shell variables: 4.2. Bias settings work correctly cat: /sys/devices/platform/gpio-sim.0/gpiochip18/sim_gpio0/value: No such file or directory ./gpio-sim.sh: line 393: test: =: unary operator expected bias setting does not work GPIO gpio-sim test FAIL After this change the test passed: 4.2. Bias settings work correctly GPIO gpio-sim test PASS His testing environment is AlmaLinux 8.7 on Lenovo desktop box with the latest Linux kernel based on v6.2: Linux 6.2.0-mglru-kmlk-andy-09238-gd2980d8d8265 x86_64 Suggested-by: Mirsad Todorovac Signed-off-by: Andy Shevchenko Tested-by: Mirsad Goran Todorovac Signed-off-by: Mirsad Goran Todorovac Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 3ee609408f18c21e5023526801746500fad1b270 Author: Milo Spadacini Date: Mon May 8 15:18:48 2023 +0200 tools: gpio: fix debounce_period_us output of lsgpio [ Upstream commit eb4b8eca1bad98f4b8574558a74f041f9acb5a54 ] Fix incorrect output that could occur when more attributes are used and GPIO_V2_LINE_ATTR_ID_DEBOUNCE is not the first one. Signed-off-by: Milo Spadacini Reviewed-by: Linus Walleij Reviewed-by: Andy Shevchenko Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit e949f90914826b19d8e22ed9e3f67da561cd03c5 Author: Krzysztof Kozlowski Date: Sat Apr 22 00:32:12 2023 +0200 arm64: dts: arm: add missing cache properties [ Upstream commit 55b37d9c8ba23d28c584aef0801fb1e60e4a817c ] As all level 2 and level 3 caches are unified, add required cache-unified properties to fix warnings like: foundation-v8.dtb: l2-cache0: ‘cache-unified’ is a required property Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit 1885be1fb246f4b9df8a18f33bc92e369939be88 Author: Krzysztof Kozlowski Date: Sun Apr 23 17:08:37 2023 +0200 ARM: dts: vexpress: add missing cache properties [ Upstream commit 328acc5657c6197753238d7ce0a6924ead829347 ] As all level 2 and level 3 caches are unified, add required cache-unified property to fix warnings like: vexpress-v2p-ca5s.dtb: cache-controller@2c0f0000: ‘cache-unified’ is a required property Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit baaf9bb212bb4a133b71c46e73c2f1b2f65118e4 Author: Hans de Goede Date: Sat Apr 15 20:23:39 2023 +0200 power: supply: bq27xxx: Use mod_delayed_work() instead of cancel() + schedule() [ Upstream commit 59dddea9879713423c7b2ade43c423bb71e0d216 ] Use mod_delayed_work() instead of separate cancel_delayed_work_sync() + schedule_delayed_work() calls. Signed-off-by: Hans de Goede Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 3ad78f1c378b7760bbcc76de166c20d2807cf5ff Author: Hans de Goede Date: Sat Apr 15 18:07:32 2023 +0200 power: supply: sc27xx: Fix external_power_changed race [ Upstream commit 4d5c129d6c8993fe96e9ae712141eedcb9ca68c2 ] sc27xx_fgu_external_power_changed() dereferences data->battery, which gets sets in ab8500_btemp_probe() like this: data->battery = devm_power_supply_register(dev, &sc27xx_fgu_desc, &fgu_cfg); As soon as devm_power_supply_register() has called device_add() the external_power_changed callback can get called. So there is a window where sc27xx_fgu_external_power_changed() may get called while data->battery has not been set yet leading to a NULL pointer dereference. Fixing this is easy. The external_power_changed callback gets passed the power_supply which will eventually get stored in data->battery, so sc27xx_fgu_external_power_changed() can simply directly use the passed in psy argument which is always valid. After this change sc27xx_fgu_external_power_changed() is reduced to just “power_supply_changed(psy);” and it has the same prototype. While at it simply replace it with making the external_power_changed callback directly point to power_supply_changed. Cc: Orson Zhai Cc: Chunyan Zhang Signed-off-by: Hans de Goede Reviewed-by: Baolin Wang Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 59007bd4692195a883e24fad884cafa8546835d6 Author: Hans de Goede Date: Sat Apr 15 18:07:29 2023 +0200 power: supply: ab8500: Fix external_power_changed race [ Upstream commit a5299ce4e96f3e8930e9c051b28d8093ada87b08 ] ab8500_btemp_external_power_changed() dereferences di->btemp_psy, which gets sets in ab8500_btemp_probe() like this: di->btemp_psy = devm_power_supply_register(dev, &ab8500_btemp_desc, &psy_cfg); As soon as devm_power_supply_register() has called device_add() the external_power_changed callback can get called. So there is a window where ab8500_btemp_external_power_changed() may get called while di->btemp_psy has not been set yet leading to a NULL pointer dereference. Fixing this is easy. The external_power_changed callback gets passed the power_supply which will eventually get stored in di->btemp_psy, so ab8500_btemp_external_power_changed() can simply directly use the passed in psy argument which is always valid. And the same applies to ab8500_fg_external_power_changed(). Signed-off-by: Hans de Goede Reviewed-by: Linus Walleij Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 602c66f75329f20fe50f6af5bf0c6e8118bdb1f9 Author: Kunihiko Hayashi Date: Fri Jun 2 11:05:02 2023 +0900 of: overlay: Fix missing of_node_put() in error case of init_overlay_changeset() [ Upstream commit 39affd1fdf65983904fafc07cf607cff737eaf30 ] In init_overlay_changeset(), the variable “node” is from of_get_child_by_name(), and the “node” should be discarded in error case. Fixes: d1651b03c2df (“of: overlay: add overlay symbols to live device tree”) Signed-off-by: Kunihiko Hayashi Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 75e7d81679ef7995422adc84ef597fded99c24a6 Author: Namjae Jeon Date: Wed May 31 17:59:32 2023 +0900 ksmbd: validate smb request protocol id [ Upstream commit 1c1bcf2d3ea061613119b534f57507c377df20f9 ] This patch add the validation for smb request protocol id. If it is not one of the four ids(SMB1_PROTO_NUMBER, SMB2_PROTO_NUMBER, SMB2_TRANSFORM_PROTO_NUM, SMB2_COMPRESSION_TRANSFORM_ID), don’t allow processing the request. And this will fix the following KASAN warning also. [ 13.905265] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1b9/0x1f0 [ 13.905900] Read of size 16 at addr ffff888005fd2f34 by task kworker/0:2/44 … [ 13.908553] Call Trace: [ 13.908793] [ 13.908995] dump_stack_lvl+0x33/0x50 [ 13.909369] print_report+0xcc/0x620 [ 13.910870] kasan_report+0xae/0xe0 [ 13.911519] kasan_check_range+0x35/0x1b0 [ 13.911796] init_smb2_rsp_hdr+0x1b9/0x1f0 [ 13.912492] handle_ksmbd_work+0xe5/0x820 Cc: [email protected] Reported-by: Chih-Yen Chang Signed-off-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Sasha Levin commit dc7d1dba5fbd670a1dc69586b62a0c4b80efd214 Author: Manivannan Sadhasivam Date: Wed May 17 17:16:35 2023 +0530 EDAC/qcom: Get rid of hardcoded register offsets [ Upstream commit cbd77119b6355872cd308a60e99f9ca678435d15 ] The LLCC EDAC register offsets varies between each SoC. Hardcoding the register offsets won’t work and will often result in crash due to accessing the wrong locations. Hence, get the register offsets from the LLCC driver matching the individual SoCs. Cc: # 6.0: 5365cea199c7 (“soc: qcom: llcc: Rename reg_offset structs to reflect LLCC version”) Cc: # 6.0: c13d7d261e36 (“soc: qcom: llcc: Pass LLCC version based register offsets to EDAC driver”) Cc: # 6.0 Fixes: a6e9d7ef252c (“soc: qcom: llcc: Add configuration data for SM8450 SoC”) Acked-by: Borislav Petkov (AMD) Signed-off-by: Manivannan Sadhasivam Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sasha Levin commit 570e825bcb6c484311a25a5b35cfb7a6f0d20caa Author: Manivannan Sadhasivam Date: Tue Mar 14 13:34:41 2023 +0530 qcom: llcc/edac: Fix the base address used for accessing LLCC banks [ Upstream commit ee13b5008707948d3052c1b5aab485c6cd53658e ] The Qualcomm LLCC/EDAC drivers were using a fixed register stride for accessing the (Control and Status Registers) CSRs of each LLCC bank. This stride only works for some SoCs like SDM845 for which driver support was initially added. But the later SoCs use different register stride that vary between the banks with holes in-between. So it is not possible to use a single register stride for accessing the CSRs of each bank. By doing so could result in a crash. For fixing this issue, let’s obtain the base address of each LLCC bank from devicetree and get rid of the fixed stride. This also means, there is no need to rely on reg-names property and the base addresses can be obtained using the index. First index is LLCC bank 0 and last index is LLCC broadcast. If the SoC supports more than one bank, then those need to be defined in devicetree for index from 1…N-1. Reported-by: Parikshit Pareek Tested-by: Luca Weiss Tested-by: Steev Klimaszewski # Thinkpad X13s Tested-by: Andrew Halaney # sa8540p-ride Reviewed-by: Borislav Petkov (AMD) Signed-off-by: Manivannan Sadhasivam Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/[email protected] Stable-dep-of: cbd77119b635 (“EDAC/qcom: Get rid of hardcoded register offsets”) Signed-off-by: Sasha Levin commit 8064c5a5692296032d9b03c072879efe2c902181 Author: Qi Zheng Date: Wed May 17 07:45:45 2023 +0000 cgroup: fix missing cpus_read_{lock,unlock}() in cgroup_transfer_tasks() [ Upstream commit ab1de7ead871ebe6d12a774c3c25de0388cde082 ] The commit 4f7e7236435c (“cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock”) fixed the deadlock between cgroup_threadgroup_rwsem and cpus_read_lock() by introducing cgroup_attach_{lock,unlock}() and removing cpus_read_{lock,unlock}() from cpuset_attach(). But cgroup_transfer_tasks() was missed and not handled, which will cause th following warning: WARNING: CPU: 0 PID: 589 at kernel/cpu.c:526 lockdep_assert_cpus_held+0x32/0x40 CPU: 0 PID: 589 Comm: kworker/1:4 Not tainted 6.4.0-rc2-next-20230517 #50 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Workqueue: events cpuset_hotplug_workfn RIP: 0010:lockdep_assert_cpus_held+0x32/0x40 <…> Call Trace: cpuset_attach+0x40/0x240 cgroup_migrate_execute+0x452/0x5e0 ? _raw_spin_unlock_irq+0x28/0x40 cgroup_transfer_tasks+0x1f3/0x360 ? find_held_lock+0x32/0x90 ? cpuset_hotplug_workfn+0xc81/0xed0 cpuset_hotplug_workfn+0xcb1/0xed0 ? process_one_work+0x248/0x5b0 process_one_work+0x2b9/0x5b0 worker_thread+0x56/0x3b0 ? process_one_work+0x5b0/0x5b0 kthread+0xf1/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 So just use the cgroup_attach_{lock,unlock}() helper to fix it. Reported-by: Zhao Gongyi Signed-off-by: Qi Zheng Acked-by: Muchun Song Fixes: 05c7b7a92cc8 (“cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug”) Cc: [email protected] # v5.17+ Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit e70e46386860edde148817794ec8a840bffea486 Author: John Sperbeck Date: Sun May 21 19:29:53 2023 +0000 cgroup: always put cset in cgroup_css_set_put_fork [ Upstream commit 2bd110339288c18823dcace602b63b0d8627e520 ] A successful call to cgroup_css_set_fork() will always have taken a ref on kargs->cset (regardless of CLONE_INTO_CGROUP), so always do a corresponding put in cgroup_css_set_put_fork(). Without this, a cset and its contained css structures will be leaked for some fork failures. The following script reproduces the leak for a fork failure due to exceeding pids.max in the pids controller. A similar thing can happen if we jump to the bad_fork_cancel_cgroup label in copy_process(). [ -z “$1” ] && echo “Usage $0 pids-root” && exit 1 PID_ROOT=$1 CGROUP=$PID_ROOT/foo [ -e $CGROUP ] && rmdir -f $CGROUP mkdir $CGROUP echo 5 > $CGROUP/pids.max echo $$ > $CGROUP/cgroup.procs fork_bomb() { set -e for i in $(seq 10); do /bin/sleep 3600 & done } (fork_bomb) & wait echo $$ > $PID_ROOT/cgroup.procs kill $(cat $CGROUP/cgroup.procs) rmdir $CGROUP Fixes: ef2c41cf38a7 (“clone3: allow spawning processes into cgroups”) Cc: [email protected] # v5.7+ Signed-off-by: John Sperbeck Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit fdf31f33f2201bf4aa7ba643955f06b57e124993 Author: Kamalesh Babulal Date: Fri Mar 3 15:23:10 2023 +0530 cgroup: bpf: use cgroup_lock()/cgroup_unlock() wrappers [ Upstream commit 4cdb91b0dea7d7f59fa84a13c7753cd434fdedcf ] Replace mutex_[un]lock() with cgroup_[un]lock() wrappers to stay consistent across cgroup core and other subsystem code, while operating on the cgroup_mutex. Signed-off-by: Kamalesh Babulal Acked-by: Alexei Starovoitov Reviewed-by: Christian Brauner Signed-off-by: Tejun Heo Stable-dep-of: 2bd110339288 (“cgroup: always put cset in cgroup_css_set_put_fork”) Signed-off-by: Sasha Levin commit de5a1156802545991248bc83aadd7eccd5ae6df7 Author: Tom Lendacky Date: Wed May 17 11:26:41 2023 -0500 x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed [ Upstream commit a37f2699c36a7f6606ba3300f243227856c5ad6b ] The call to startup_64_setup_env() will install a new GDT but does not actually switch to using the KERNEL_CS entry until returning from the function call. Commit bcce82908333 (“x86/sev: Detect/setup SEV/SME features earlier in boot”) moved the call to sme_enable() earlier in the boot process and in between the call to startup_64_setup_env() and the switch to KERNEL_CS. An SEV-ES or an SEV-SNP guest will trigger #VC exceptions during the call to sme_enable() and if the CS pushed on the stack as part of the exception and used by IRETQ is not mapped by the new GDT, then problems occur. Today, the current CS when entering startup_64 is the kernel CS value because it was set up by the decompressor code, so no issue is seen. However, a recent patchset that looked to avoid using the legacy decompressor during an EFI boot exposed this bug. At entry to startup_64, the CS value is that of EFI and is not mapped in the new kernel GDT. So when a #VC exception occurs, the CS value used by IRETQ is not valid and the guest boot crashes. Fix this issue by moving the block that switches to the KERNEL_CS value to be done immediately after returning from startup_64_setup_env(). Fixes: bcce82908333 (“x86/sev: Detect/setup SEV/SME features earlier in boot”) Signed-off-by: Tom Lendacky Signed-off-by: Dave Hansen Reviewed-by: Joerg Roedel Link: https://lore.kernel.org/all/6ff1f28af2829cc9aea357ebee285825f90a431f.1684340801.git.thomas.lendacky%40amd.com Signed-off-by: Sasha Levin

Related news

Ubuntu Security Notice USN-6725-2

Ubuntu Security Notice 6725-2 - Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel did not properly validate certain data structure fields when parsing lease contexts, leading to an out-of-bounds read vulnerability. A remote attacker could use this to cause a denial of service or possibly expose sensitive information. Quentin Minster discovered that a race condition existed in the KSMBD implementation in the Linux kernel, leading to a use-after-free vulnerability. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-6725-1

Ubuntu Security Notice 6725-1 - Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel did not properly validate certain data structure fields when parsing lease contexts, leading to an out-of-bounds read vulnerability. A remote attacker could use this to cause a denial of service or possibly expose sensitive information. Quentin Minster discovered that a race condition existed in the KSMBD implementation in the Linux kernel, leading to a use-after-free vulnerability. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-6466-1

Ubuntu Security Notice 6466-1 - Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel contained a race condition during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. Hyunwoo Kim discovered that the Technotrend/Hauppauge USB DEC driver in the Linux kernel did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service.

Ubuntu Security Notice USN-6285-1

Ubuntu Security Notice 6285-1 - It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information. Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907